Re: [Freeipa-devel] [PATCH] 0073 Add trust verification code
Alexander Bokovoy wrote:
> On Tue, 18 Sep 2012, Petr Vobornik wrote:
> > On 09/18/2012 05:33 PM, Alexander Bokovoy wrote:
> > > On Tue, 18 Sep 2012, Petr Vobornik wrote:
> > > > On 09/18/2012 03:22 PM, Alexander Bokovoy wrote:
> > > > > On Tue, 18 Sep 2012, Petr Vobornik wrote:
> > > > > > On 09/18/2012 02:15 PM, Sumit Bose wrote:
> > > > > > > On Tue, Sep 18, 2012 at 12:42:49PM +0200, Sumit Bose wrote:
> > > > > > > > On Mon, Sep 17, 2012 at 06:44:36PM +0300, Alexander Bokovoy wrote:
> > > > > > > > > Hi,
> > > > > > > > >
> > > > > > > > > The following patch adds a trust verification sequence to the case when we establish trust with knowledge of AD administrative credentials.
> > > > > > > > >
> > > > > > > > > As we found out, in order to validate/verify trust, one has to have administrative credentials for the trusted domain, since there are a few RPCs that should be performed against the trusted domain's DC's LSA and NetLogon pipes, and these are protected by administrative credentials.
> > > > > > > > >
> > > > > > > > > Thus, when we know admin credentials for the remote domain, we can perform the trust validation.
> > > > > > > > >
> > > > > > > > > https://fedorahosted.org/freeipa/ticket/2763
> > > > > > > >
> > > > > > > > Just some short feedback. The patch is working as expected; for a newly created trust, Windows will send a TGS request to the IPA KDC without explicit validation on the Windows side. Currently I have some issues in my test setup, so I cannot give a full ACK atm.
> > > > > > >
> > > > > > > ok, ACK. Nevertheless it would be nice if Petr could check for any implications for the web UI with respect to the status of the trust.
> > > > > >
> > > > > > It shouldn't break the Web UI, but the Web UI won't use it. In the add command the Web UI uses only the command state (success/error). If the truststatus text were part of the command summary text, it could be displayed in the notification message (which fades after 3s) once comment 8 of https://fedorahosted.org/freeipa/ticket/2977#comment:8 is implemented.
> > > > >
> > > > > It is displayed as part of the output, truststatus property:
> > > > >
> > > > > # ipa trust-add --type=ad --admin Administrator@ad.local --password ad.local
> > > > > Active directory domain adminstrator's password:
> > > > > -------------------------------------------------
> > > > > Added Active Directory trust for realm "ad.local"
> > > > > -------------------------------------------------
> > > > >   Realm name: ad.local
> > > > >   Domain NetBIOS name: AD
> > > > >   Domain Security Identifier: S-1-5-21-16904141-148189700-2149043814
> > > > >   Trust direction: Two-way trust
> > > > >   Trust type: Active Directory domain
> > > > >   Trust status: Established and verified
> > > > >
> > > > > It would be good if you could put it to use.
> > > >
> > > > I created a patch which uses it. See the attached screenshots. It may be useful but, as I wrote, the message is displayed only for 3s, so some users might not have time to read it in full - the message is too long.
> > >
> > > Well, as we don't have other means to show this information right now, that's good too. Maybe the notification message timer could be made tunable per instance? Then we could have, say, a 5-second timeout here and keep 3 seconds as the default one...
> >
> > I tuned it. Updated patch attached.
>
> ACK. Worked fine for me.
>
> --
> / Alexander Bokovoy

Pushed 073 and 215.1 to ipa-3-0 and master

rob

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 0073 Add trust verification code
On Tue, 18 Sep 2012, Petr Vobornik wrote:
> On 09/18/2012 05:33 PM, Alexander Bokovoy wrote:
> > On Tue, 18 Sep 2012, Petr Vobornik wrote:
> > > On 09/18/2012 03:22 PM, Alexander Bokovoy wrote:
> > > > On Tue, 18 Sep 2012, Petr Vobornik wrote:
> > > > > On 09/18/2012 02:15 PM, Sumit Bose wrote:
> > > > > > On Tue, Sep 18, 2012 at 12:42:49PM +0200, Sumit Bose wrote:
> > > > > > > On Mon, Sep 17, 2012 at 06:44:36PM +0300, Alexander Bokovoy wrote:
> > > > > > > > Hi,
> > > > > > > >
> > > > > > > > The following patch adds a trust verification sequence to the case when we establish trust with knowledge of AD administrative credentials.
> > > > > > > >
> > > > > > > > As we found out, in order to validate/verify trust, one has to have administrative credentials for the trusted domain, since there are a few RPCs that should be performed against the trusted domain's DC's LSA and NetLogon pipes, and these are protected by administrative credentials.
> > > > > > > >
> > > > > > > > Thus, when we know admin credentials for the remote domain, we can perform the trust validation.
> > > > > > > >
> > > > > > > > https://fedorahosted.org/freeipa/ticket/2763
> > > > > > >
> > > > > > > Just some short feedback. The patch is working as expected; for a newly created trust, Windows will send a TGS request to the IPA KDC without explicit validation on the Windows side. Currently I have some issues in my test setup, so I cannot give a full ACK atm.
> > > > > >
> > > > > > ok, ACK. Nevertheless it would be nice if Petr could check for any implications for the web UI with respect to the status of the trust.
> > > > >
> > > > > It shouldn't break the Web UI, but the Web UI won't use it. In the add command the Web UI uses only the command state (success/error). If the truststatus text were part of the command summary text, it could be displayed in the notification message (which fades after 3s) once comment 8 of https://fedorahosted.org/freeipa/ticket/2977#comment:8 is implemented.
> > > >
> > > > It is displayed as part of the output, truststatus property:
> > > >
> > > > # ipa trust-add --type=ad --admin Administrator@ad.local --password ad.local
> > > > Active directory domain adminstrator's password:
> > > > -------------------------------------------------
> > > > Added Active Directory trust for realm "ad.local"
> > > > -------------------------------------------------
> > > >   Realm name: ad.local
> > > >   Domain NetBIOS name: AD
> > > >   Domain Security Identifier: S-1-5-21-16904141-148189700-2149043814
> > > >   Trust direction: Two-way trust
> > > >   Trust type: Active Directory domain
> > > >   Trust status: Established and verified
> > > >
> > > > It would be good if you could put it to use.
> > >
> > > I created a patch which uses it. See the attached screenshots. It may be useful but, as I wrote, the message is displayed only for 3s, so some users might not have time to read it in full - the message is too long.
> >
> > Well, as we don't have other means to show this information right now, that's good too. Maybe the notification message timer could be made tunable per instance? Then we could have, say, a 5-second timeout here and keep 3 seconds as the default one...
>
> I tuned it. Updated patch attached.

ACK. Worked fine for me.

--
/ Alexander Bokovoy
Re: [Freeipa-devel] [PATCH] 0073 Add trust verification code
On 09/18/2012 05:33 PM, Alexander Bokovoy wrote:
> On Tue, 18 Sep 2012, Petr Vobornik wrote:
> > On 09/18/2012 03:22 PM, Alexander Bokovoy wrote:
> > > On Tue, 18 Sep 2012, Petr Vobornik wrote:
> > > > On 09/18/2012 02:15 PM, Sumit Bose wrote:
> > > > > On Tue, Sep 18, 2012 at 12:42:49PM +0200, Sumit Bose wrote:
> > > > > > On Mon, Sep 17, 2012 at 06:44:36PM +0300, Alexander Bokovoy wrote:
> > > > > > > Hi,
> > > > > > >
> > > > > > > The following patch adds a trust verification sequence to the case when we establish trust with knowledge of AD administrative credentials.
> > > > > > >
> > > > > > > As we found out, in order to validate/verify trust, one has to have administrative credentials for the trusted domain, since there are a few RPCs that should be performed against the trusted domain's DC's LSA and NetLogon pipes, and these are protected by administrative credentials.
> > > > > > >
> > > > > > > Thus, when we know admin credentials for the remote domain, we can perform the trust validation.
> > > > > > >
> > > > > > > https://fedorahosted.org/freeipa/ticket/2763
> > > > > >
> > > > > > Just some short feedback. The patch is working as expected; for a newly created trust, Windows will send a TGS request to the IPA KDC without explicit validation on the Windows side. Currently I have some issues in my test setup, so I cannot give a full ACK atm.
> > > > >
> > > > > ok, ACK. Nevertheless it would be nice if Petr could check for any implications for the web UI with respect to the status of the trust.
> > > >
> > > > It shouldn't break the Web UI, but the Web UI won't use it. In the add command the Web UI uses only the command state (success/error). If the truststatus text were part of the command summary text, it could be displayed in the notification message (which fades after 3s) once comment 8 of https://fedorahosted.org/freeipa/ticket/2977#comment:8 is implemented.
> > >
> > > It is displayed as part of the output, truststatus property:
> > >
> > > # ipa trust-add --type=ad --admin Administrator@ad.local --password ad.local
> > > Active directory domain adminstrator's password:
> > > -------------------------------------------------
> > > Added Active Directory trust for realm "ad.local"
> > > -------------------------------------------------
> > >   Realm name: ad.local
> > >   Domain NetBIOS name: AD
> > >   Domain Security Identifier: S-1-5-21-16904141-148189700-2149043814
> > >   Trust direction: Two-way trust
> > >   Trust type: Active Directory domain
> > >   Trust status: Established and verified
> > >
> > > It would be good if you could put it to use.
> >
> > I created a patch which uses it. See the attached screenshots. It may be useful but, as I wrote, the message is displayed only for 3s, so some users might not have time to read it in full - the message is too long.
>
> Well, as we don't have other means to show this information right now, that's good too. Maybe the notification message timer could be made tunable per instance? Then we could have, say, a 5-second timeout here and keep 3 seconds as the default one...

I tuned it. Updated patch attached.

--
Petr Vobornik

From 4ec95483604c22119f3fa1405103558176e07784 Mon Sep 17 00:00:00 2001
From: Petr Vobornik
Date: Tue, 18 Sep 2012 17:12:59 +0200
Subject: [PATCH] Show trust status in add success notification

Web UI notification of 'Add verification step after trust creation'

https://fedorahosted.org/freeipa/ticket/2763
---
 install/ui/add.js | 13 +
 install/ui/ipa.js | 4 ++--
 install/ui/trust.js | 18 ++
 3 files changed, 29 insertions(+), 6 deletions(-)

diff --git a/install/ui/add.js b/install/ui/add.js index d855879452e5812c8c7fbae7bc9d1ff9035f1a6e..a5e30092f10495266351674b37fc8fa912af0fbe 100644 --- a/install/ui/add.js +++ b/install/ui/add.js @@ -52,7 +52,7 @@ IPA.entity_adder_dialog = function(spec) { var facet = IPA.current_entity.get_facet(); facet.refresh(); that.close(); -IPA.notify_success(that.get_success_message()); +that.notify_success(data); }, that.on_error); }
@@ -66,7 +66,7 @@ IPA.entity_adder_dialog = function(spec) { that.add( function(data, text_status, xhr) { that.added.notify(); -that.show_message(that.get_success_message()); +that.show_message(that.get_success_message(data)); var facet = IPA.current_entity.get_facet(); facet.refresh(); that.reset(); @@ -86,7 +86,7 @@ IPA.entity_adder_dialog = function(spec) { that.close(); var result = data.result.result; that.show_edit_page(that.entity, result); -IPA.notify_success(that.get_success_message()); +that.notify_success(data); }, that.on_error); } @@ -102,11 +102,15 @@ IPA.entity_adder_dialog = function(spec) { }); }; -that.get_success_message = function() { +that.get_success_message = function(data) { var message = IPA.m
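Review bot: in the @@ -52 and @@ -86 hunks the call `IPA.notify_success(that.get_success_message())` becomes `that.notify_success(data)`, but `that.notify_success` is not defined in any hunk shown here; it has to exist on the dialog object (presumably in the truncated @@ -102 region or in the trust.js override this patch also touches), and the base implementation should keep today's behaviour for every other entity, i.e. call `IPA.notify_success(that.get_success_message(data))` with the default timeout, so only the trust dialog opts into the longer one.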
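Review bot: the @@ -66 hunk (the add-and-add-another path) still goes through `that.show_message(that.get_success_message(data))` rather than the new `that.notify_success(data)`, so the per-instance notification timeout does not apply to it; that is presumably deliberate because the message stays inside the open dialog, but a one-line comment at that call site would stop the next reader from "fixing" it. Also, since @@ -102 changes the signature to `that.get_success_message = function(data)`, the body should tolerate `data` being undefined for any caller not updated in this patch and fall back to the plain message instead of dereferencing `data.result`.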
Re: [Freeipa-devel] [PATCH] 0073 Add trust verification code
On Tue, 18 Sep 2012, Petr Vobornik wrote:
> On 09/18/2012 03:22 PM, Alexander Bokovoy wrote:
> > On Tue, 18 Sep 2012, Petr Vobornik wrote:
> > > On 09/18/2012 02:15 PM, Sumit Bose wrote:
> > > > On Tue, Sep 18, 2012 at 12:42:49PM +0200, Sumit Bose wrote:
> > > > > On Mon, Sep 17, 2012 at 06:44:36PM +0300, Alexander Bokovoy wrote:
> > > > > > Hi,
> > > > > >
> > > > > > The following patch adds a trust verification sequence to the case when we establish trust with knowledge of AD administrative credentials.
> > > > > >
> > > > > > As we found out, in order to validate/verify trust, one has to have administrative credentials for the trusted domain, since there are a few RPCs that should be performed against the trusted domain's DC's LSA and NetLogon pipes, and these are protected by administrative credentials.
> > > > > >
> > > > > > Thus, when we know admin credentials for the remote domain, we can perform the trust validation.
> > > > > >
> > > > > > https://fedorahosted.org/freeipa/ticket/2763
> > > > >
> > > > > Just some short feedback. The patch is working as expected; for a newly created trust, Windows will send a TGS request to the IPA KDC without explicit validation on the Windows side. Currently I have some issues in my test setup, so I cannot give a full ACK atm.
> > > >
> > > > ok, ACK. Nevertheless it would be nice if Petr could check for any implications for the web UI with respect to the status of the trust.
> > >
> > > It shouldn't break the Web UI, but the Web UI won't use it. In the add command the Web UI uses only the command state (success/error). If the truststatus text were part of the command summary text, it could be displayed in the notification message (which fades after 3s) once comment 8 of https://fedorahosted.org/freeipa/ticket/2977#comment:8 is implemented.
> >
> > It is displayed as part of the output, truststatus property:
> >
> > # ipa trust-add --type=ad --admin Administrator@ad.local --password ad.local
> > Active directory domain adminstrator's password:
> > -------------------------------------------------
> > Added Active Directory trust for realm "ad.local"
> > -------------------------------------------------
> >   Realm name: ad.local
> >   Domain NetBIOS name: AD
> >   Domain Security Identifier: S-1-5-21-16904141-148189700-2149043814
> >   Trust direction: Two-way trust
> >   Trust type: Active Directory domain
> >   Trust status: Established and verified
> >
> > It would be good if you could put it to use.
>
> I created a patch which uses it. See the attached screenshots. It may be useful but, as I wrote, the message is displayed only for 3s, so some users might not have time to read it in full - the message is too long.

Well, as we don't have other means to show this information right now, that's good too. Maybe the notification message timer could be made tunable per instance? Then we could have, say, a 5-second timeout here and keep 3 seconds as the default one...

--
/ Alexander Bokovoy
Re: [Freeipa-devel] [PATCH] 0073 Add trust verification code
On 09/18/2012 03:22 PM, Alexander Bokovoy wrote:
> On Tue, 18 Sep 2012, Petr Vobornik wrote:
> > On 09/18/2012 02:15 PM, Sumit Bose wrote:
> > > On Tue, Sep 18, 2012 at 12:42:49PM +0200, Sumit Bose wrote:
> > > > On Mon, Sep 17, 2012 at 06:44:36PM +0300, Alexander Bokovoy wrote:
> > > > > Hi,
> > > > >
> > > > > The following patch adds a trust verification sequence to the case when we establish trust with knowledge of AD administrative credentials.
> > > > >
> > > > > As we found out, in order to validate/verify trust, one has to have administrative credentials for the trusted domain, since there are a few RPCs that should be performed against the trusted domain's DC's LSA and NetLogon pipes, and these are protected by administrative credentials.
> > > > >
> > > > > Thus, when we know admin credentials for the remote domain, we can perform the trust validation.
> > > > >
> > > > > https://fedorahosted.org/freeipa/ticket/2763
> > > >
> > > > Just some short feedback. The patch is working as expected; for a newly created trust, Windows will send a TGS request to the IPA KDC without explicit validation on the Windows side. Currently I have some issues in my test setup, so I cannot give a full ACK atm.
> > >
> > > ok, ACK. Nevertheless it would be nice if Petr could check for any implications for the web UI with respect to the status of the trust.
> >
> > It shouldn't break the Web UI, but the Web UI won't use it. In the add command the Web UI uses only the command state (success/error). If the truststatus text were part of the command summary text, it could be displayed in the notification message (which fades after 3s) once comment 8 of https://fedorahosted.org/freeipa/ticket/2977#comment:8 is implemented.
>
> It is displayed as part of the output, truststatus property:
>
> # ipa trust-add --type=ad --admin Administrator@ad.local --password ad.local
> Active directory domain adminstrator's password:
> -------------------------------------------------
> Added Active Directory trust for realm "ad.local"
> -------------------------------------------------
>   Realm name: ad.local
>   Domain NetBIOS name: AD
>   Domain Security Identifier: S-1-5-21-16904141-148189700-2149043814
>   Trust direction: Two-way trust
>   Trust type: Active Directory domain
>   Trust status: Established and verified
>
> It would be good if you could put it to use.

I created a patch which uses it. See the attached screenshots. It may be useful but, as I wrote, the message is displayed only for 3s, so some users might not have time to read it in full - the message is too long.

> > It would be nice if it could be saved to LDAP and returned in the show/find commands? That way we could show it in the search or details page. Or we could implement a trust-status $TRUST --admin $ADMIN --password $PASSWORD command to check the actual status at any time in the future.
>
> We don't have an attribute to store the status. Nor does it exist in Windows. I'll talk to Simo about whether we can have an attribute like that, but the price of keeping it up to date might be too high. On the other hand, we can always invalidate the value in the attribute when ipasam cannot use the shared trust account against the trusted domain...
>
> Running validation/verification as a separate command is possible, but it would be relatively resource-hungry and of little use on its own. We may couple it with the future multiple-suffixes support (tickets #2848, #2593), as fetching additional suffixes depends on a validated trust relationship.

--
Petr Vobornik

From 7835f62bccefe69abc6122d4ddd6aa7c571f59b2 Mon Sep 17 00:00:00 2001
From: Petr Vobornik Date: Tue, 18 Sep 2012 17:12:59 +0200 Subject: [PATCH] Show trust status in add success notification Web UI notification of 'Add verification step after trust creation' https://fedorahosted.org/freeipa/ticket/2763 --- install/ui/add.js | 9 + install/ui/trust.js | 14 ++ 2 files changed, 19 insertions(+), 4 deletions(-) diff --git a/install/ui/add.js b/install/ui/add.js index d855879452e5812c8c7fbae7bc9d1ff9035f1a6e..06c9b325a58e31e3366529b552df29109117f847 100644 --- a/install/ui/add.js +++ b/install/ui/add.js @@ -52,7 +52,7 @@ IPA.entity_adder_dialog = function(spec) { var facet = IPA.current_entity.get_facet(); facet.refresh(); that.close(); -IPA.notify_success(that.get_success_message()); +IPA.notify_success(that.get_success_message(data)); }, that.on_error); } @@ -66,7 +66,7 @@ IPA.entity_adder_dialog = function(spec) { that.add( function(data, text_status, xhr) { that.added.notify(); -that.show_message(that.get_success_message()); +that.show_message(that.get_success_message(data)); var facet = IPA.current_entity.get_facet(); facet.refresh(); that.reset(); @@ -86,7 +86,7 @@ IPA.entity_adder_dialog = function(spec) { that.close();
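Review bot: all three call sites changed in add.js (@@ -52, @@ -66 and the truncated @@ -86) now pass `data` to `get_success_message(data)`, which turns a zero-argument method into a one-argument one; the definition is outside the hunks shown, so it should treat a missing or undefined `data` (any dialog that still calls `get_success_message()` unchanged) as "no extra detail" and return the plain success message instead of dereferencing `data.result`, otherwise the first unconverted caller throws inside the success callback.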
Re: [Freeipa-devel] [PATCH] 0073 Add trust verification code
On Tue, 18 Sep 2012, Petr Vobornik wrote:
> On 09/18/2012 02:15 PM, Sumit Bose wrote:
> > On Tue, Sep 18, 2012 at 12:42:49PM +0200, Sumit Bose wrote:
> > > On Mon, Sep 17, 2012 at 06:44:36PM +0300, Alexander Bokovoy wrote:
> > > > Hi,
> > > >
> > > > The following patch adds a trust verification sequence to the case when we establish trust with knowledge of AD administrative credentials.
> > > >
> > > > As we found out, in order to validate/verify trust, one has to have administrative credentials for the trusted domain, since there are a few RPCs that should be performed against the trusted domain's DC's LSA and NetLogon pipes, and these are protected by administrative credentials.
> > > >
> > > > Thus, when we know admin credentials for the remote domain, we can perform the trust validation.
> > > >
> > > > https://fedorahosted.org/freeipa/ticket/2763
> > >
> > > Just some short feedback. The patch is working as expected; for a newly created trust, Windows will send a TGS request to the IPA KDC without explicit validation on the Windows side. Currently I have some issues in my test setup, so I cannot give a full ACK atm.
> >
> > ok, ACK. Nevertheless it would be nice if Petr could check for any implications for the web UI with respect to the status of the trust.
>
> It shouldn't break the Web UI, but the Web UI won't use it. In the add command the Web UI uses only the command state (success/error). If the truststatus text were part of the command summary text, it could be displayed in the notification message (which fades after 3s) once comment 8 of https://fedorahosted.org/freeipa/ticket/2977#comment:8 is implemented.

It is displayed as part of the output, truststatus property:

# ipa trust-add --type=ad --admin Administrator@ad.local --password ad.local
Active directory domain adminstrator's password:
-------------------------------------------------
Added Active Directory trust for realm "ad.local"
-------------------------------------------------
  Realm name: ad.local
  Domain NetBIOS name: AD
  Domain Security Identifier: S-1-5-21-16904141-148189700-2149043814
  Trust direction: Two-way trust
  Trust type: Active Directory domain
  Trust status: Established and verified

It would be good if you could put it to use.

> It would be nice if it could be saved to LDAP and returned in the show/find commands? That way we could show it in the search or details page. Or we could implement a trust-status $TRUST --admin $ADMIN --password $PASSWORD command to check the actual status at any time in the future.

We don't have an attribute to store the status. Nor does it exist in Windows. I'll talk to Simo about whether we can have an attribute like that, but the price of keeping it up to date might be too high. On the other hand, we can always invalidate the value in the attribute when ipasam cannot use the shared trust account against the trusted domain...

Running validation/verification as a separate command is possible, but it would be relatively resource-hungry and of little use on its own. We may couple it with the future multiple-suffixes support (tickets #2848, #2593), as fetching additional suffixes depends on a validated trust relationship.

--
/ Alexander Bokovoy
Re: [Freeipa-devel] [PATCH] 0073 Add trust verification code
On 09/18/2012 02:15 PM, Sumit Bose wrote:
> On Tue, Sep 18, 2012 at 12:42:49PM +0200, Sumit Bose wrote:
> > On Mon, Sep 17, 2012 at 06:44:36PM +0300, Alexander Bokovoy wrote:
> > > Hi,
> > >
> > > The following patch adds a trust verification sequence to the case when we establish trust with knowledge of AD administrative credentials.
> > >
> > > As we found out, in order to validate/verify trust, one has to have administrative credentials for the trusted domain, since there are a few RPCs that should be performed against the trusted domain's DC's LSA and NetLogon pipes, and these are protected by administrative credentials.
> > >
> > > Thus, when we know admin credentials for the remote domain, we can perform the trust validation.
> > >
> > > https://fedorahosted.org/freeipa/ticket/2763
> >
> > Just some short feedback. The patch is working as expected; for a newly created trust, Windows will send a TGS request to the IPA KDC without explicit validation on the Windows side. Currently I have some issues in my test setup, so I cannot give a full ACK atm.
>
> ok, ACK. Nevertheless it would be nice if Petr could check for any implications for the web UI with respect to the status of the trust.

It shouldn't break the Web UI, but the Web UI won't use it. In the add command the Web UI uses only the command state (success/error). If the truststatus text were part of the command summary text, it could be displayed in the notification message (which fades after 3s) once comment 8 of https://fedorahosted.org/freeipa/ticket/2977#comment:8 is implemented.

It would be nice if it could be saved to LDAP and returned in the show/find commands? That way we could show it in the search or details page. Or we could implement a trust-status $TRUST --admin $ADMIN --password $PASSWORD command to check the actual status at any time in the future.

> bye,
> Sumit
> > bye,
> > Sumit
> > > --
> > > / Alexander Bokovoy

--
Petr Vobornik
Re: [Freeipa-devel] [PATCH] 0073 Add trust verification code
On Tue, Sep 18, 2012 at 12:42:49PM +0200, Sumit Bose wrote:
> On Mon, Sep 17, 2012 at 06:44:36PM +0300, Alexander Bokovoy wrote:
> > Hi,
> >
> > The following patch adds a trust verification sequence to the case when we
> > establish trust with knowledge of AD administrative credentials.
> >
> > As we found out, in order to validate/verify trust, one has to have
> > administrative credentials for the trusted domain, since there are a
> > few RPCs that should be performed against the trusted domain's DC's LSA
> > and NetLogon pipes, and these are protected by administrative credentials.
> >
> > Thus, when we know admin credentials for the remote domain, we can
> > perform the trust validation.
> >
> > https://fedorahosted.org/freeipa/ticket/2763
>
> Just some short feedback. The patch is working as expected; for a newly
> created trust, Windows will send a TGS request to the IPA KDC without
> explicit validation on the Windows side. Currently I have some issues
> in my test setup, so I cannot give a full ACK atm.

ok, ACK. Nevertheless it would be nice if Petr could check for any
implications for the web UI with respect to the status of the trust.

bye,
Sumit

> bye,
> Sumit
>
> > --
> > / Alexander Bokovoy
Re: [Freeipa-devel] [PATCH] 0073 Add trust verification code
On Mon, Sep 17, 2012 at 06:44:36PM +0300, Alexander Bokovoy wrote:
> Hi,
>
> The following patch adds a trust verification sequence to the case when we
> establish trust with knowledge of AD administrative credentials.
>
> As we found out, in order to validate/verify trust, one has to have
> administrative credentials for the trusted domain, since there are a
> few RPCs that should be performed against the trusted domain's DC's LSA
> and NetLogon pipes, and these are protected by administrative credentials.
>
> Thus, when we know admin credentials for the remote domain, we can
> perform the trust validation.
>
> https://fedorahosted.org/freeipa/ticket/2763

Just some short feedback. The patch is working as expected; for a newly
created trust, Windows will send a TGS request to the IPA KDC without
explicit validation on the Windows side. Currently I have some issues
in my test setup, so I cannot give a full ACK atm.

bye,
Sumit

> --
> / Alexander Bokovoy
[Freeipa-devel] [PATCH] 0073 Add trust verification code
Hi,

The following patch adds a trust verification sequence to the case when we establish trust with knowledge of AD administrative credentials.

As we found out, in order to validate/verify trust, one has to have administrative credentials for the trusted domain, since there are a few RPCs that should be performed against the trusted domain's DC's LSA and NetLogon pipes, and these are protected by administrative credentials.

Thus, when we know admin credentials for the remote domain, we can perform the trust validation.

https://fedorahosted.org/freeipa/ticket/2763

--
/ Alexander Bokovoy

From ddf4205c8b3182cbb19328dc9f8b21ede5de3c65 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy
Date: Thu, 13 Sep 2012 20:01:55 +0300
Subject: [PATCH] Add verification of the AD trust

Since we only can perform verification when AD admin credentials are available, report that trust should be verified from the AD side in other cases, including unsuccessful verification. Once trust is added, status of it is never stored anywhere.

https://fedorahosted.org/freeipa/ticket/2763
---
 ipalib/plugins/trust.py | 12 +++-
 ipaserver/dcerpc.py | 31 ---
 2 files changed, 35 insertions(+), 8 deletions(-)

diff --git a/ipalib/plugins/trust.py b/ipalib/plugins/trust.py index 074560dc27eb121b5035ba9a8260e5ab24b2b4b5..2e20725e6343dfd7ea602dd7903745cd0a0e0c62 100644 --- a/ipalib/plugins/trust.py +++ b/ipalib/plugins/trust.py @@ -60,8 +60,8 @@ _trust_type_dict = {1 : _('Non-Active Directory domain'), _trust_direction_dict = {1 : _('Trusting forest'), 2 : _('Trusted forest'), 3 : _('Two-way trust')} -_trust_status = {1 : _('Established and verified'), - 2 : _('Waiting for confirmation by remote side')} +_trust_status_dict = {True : _('Established and verified'), + False : _('Waiting for confirmation by remote side')} _trust_type_dict_unknown = _('Unknown') def trust_type_string(level):
@@ -84,7 +84,7 @@ def trust_direction_string(level): return unicode(string) def trust_status_string(level): -string = _trust_direction_dict.get(int(level), _trust_type_dict_unknown) +string = _trust_status_dict.get(level, _trust_type_dict_unknown) return unicode(string) class trust(LDAPObject): @@ -190,6 +190,8 @@ class trust_add(LDAPCreate): result['result'] = trusts[0][1] result['result']['trusttype'] = [trust_type_string(result['result']['ipanttrusttype'][0])] result['result']['trustdirection'] = [trust_direction_string(result['result']['ipanttrustdirection'][0])] +result['result']['truststatus'] = [trust_status_string(result['verified'])] +del result['verified'] return result @@ -272,14 +274,14 @@ class trust_add(LDAPCreate): if result is None: raise errors.ValidationError(name=_('AD Trust setup'), error=_('Unable to verify write permissions to the AD')) -return dict(result=dict(), value=trustinstance.remote_domain.info['dns_domain']) +return dict(value=trustinstance.remote_domain.info['dns_domain'], verified=result['verified']) # 2. We don't have access to the remote domain and trustdom password # is provided. Do the work on our side and inform what to do on remote # side. if 'trust_secret' in options: result = trustinstance.join_ad_ipa_half(keys[-1], realm_server, options['trust_secret']) -return dict(result=dict(), value=trustinstance.remote_domain.info['dns_domain']) +return dict(value=trustinstance.remote_domain.info['dns_domain'], verified=result['verified']) raise errors.ValidationError(name=_('AD Trust setup'), error=_('Not enough arguments specified to perform trust setup')) class trust_del(LDAPDelete): diff --git a/ipaserver/dcerpc.py b/ipaserver/dcerpc.py index b7ccd15d3e9008fddb6dc5419fc05c50ede39d26..86cf01dbac9aca21c35d2db65ef4d4c56e313709 100644 --- a/ipaserver/dcerpc.py +++ b/ipaserver/dcerpc.py 
@@ -35,7 +35,7 @@ import os, string, struct, copy import uuid from samba import param from samba import credentials -from samba.dcerpc import security, lsa, drsblobs, nbt +from samba.dcerpc import security, lsa, drsblobs, nbt, netlogon from samba.ndr import ndr_pack from samba import net import samba @@ -217,6 +217,7 @@ class TrustDomainInstance(object): if self._pipe is None: raise errors.RemoteRetrieveError( reason=_('Cannot establish LSA connection to %(host)s. Is CIFS server running?') % dict(host=remote_host)) +self.binding = binding def __gen_lsa_bindings(self, remote_host): """ @@ -251,6 +252,7 @@ class TrustDomainInstance(object): self.info['dns_domain'] = unicode(result.dns_domain) self.info['dns_forest'] = unicode(result.forest) self.info['guid'] = unicode(result.domain_uuid) +self.inf
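Review bot: in the trust.py @@ -60 hunk the new `_trust_status_dict` is keyed by the booleans True/False while the neighbouring `_trust_type_dict` and `_trust_direction_dict` are keyed by integer protocol codes, so anyone who later feeds an LDAP value or a numeric code through `trust_status_string` gets the 'Unknown' fallback silently; a one-line comment saying the key is the `verified` flag computed at trust-add time, not a stored attribute, would make the asymmetry intentional.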
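Review bot: the trust.py @@ -84 hunk fixes a real copy-paste bug (the old `trust_status_string` looked the value up in `_trust_direction_dict`, so a status would have rendered as a direction string), but the fallback is still `_trust_type_dict_unknown`, a name tied to trust type; reusing the same 'Unknown' text is fine, but consider giving it a type-neutral name since it now serves three lookups.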
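Review bot: in the trust.py @@ -190 hunk `post_callback` reads `result['verified']` unconditionally and then `del`s it; both `execute` return paths in this patch set the key, but any path that returns a result without it raises KeyError after the trust entry has already been created, failing the command on a cosmetic step. `result.pop('verified', None)` keeps the same behaviour for the normal case and, via the `.get()` default in `trust_status_string`, renders a missing flag as 'Unknown' instead of aborting.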
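Review bot: in the trust.py @@ -272 hunk the second branch (`if 'trust_secret' in options:`) indexes `result['verified']` straight after `result = trustinstance.join_ad_ipa_half(...)`, without the `if result is None:` guard the first branch applies two lines earlier; if `join_ad_ipa_half` can return None the user sees a TypeError rather than the ValidationError. Dropping `result=dict()` from both return values also makes the command depend on `post_callback` always populating `result['result']`, which deserves a comment next to the return.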
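Review bot: in the dcerpc.py @@ -217 hunk `self.binding = binding` is assigned only once an LSA connection succeeded, and nothing in the shown hunks initialises the attribute in `__init__`; code that reads `self.binding` on an instance whose connection attempt raised will hit AttributeError instead of a meaningful error. Initialise it to None next to `self._pipe` and note that it records which of the candidates from `__gen_lsa_bindings` actually worked. The `netlogon` import added in @@ -35 has no use in the visible hunks; if the truncated part of the patch does not use it, drop it.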
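The result flow that the trust.py hunks above implement, written out as a self-contained example. This is added here and is not FreeIPA's code: it models the three outcomes `trust_add.execute` distinguishes in the patch (AD admin credentials present so the trust can be verified, only a trust secret present so it cannot, or neither so the command fails) and then folds the transient `verified` flag into the `truststatus` string in `post_callback`. The `_()` stub, the two join stand-ins, the option names `realm_admin`/`realm_passwd`/`trust_secret`, the `ValidationError` shape and the `pop()` default for a missing flag are all assumptions made for the example.

```python
# Added example modelling the trust_add result flow from the patch; not FreeIPA code.
# The translation helper, the join stand-ins and the option shapes are assumptions.

def _(msg):
    # Stand-in for FreeIPA's gettext wrapper (assumption).
    return msg


class ValidationError(Exception):
    # Minimal stand-in for ipalib.errors.ValidationError (assumption).
    def __init__(self, name, error):
        super().__init__("%s: %s" % (name, error))


# Keyed by the boolean 'verified' flag computed at trust-add time, as in the patch.
_trust_status_dict = {True: _('Established and verified'),
                      False: _('Waiting for confirmation by remote side')}
_trust_unknown = _('Unknown')


def trust_status_string(level):
    # .get() means anything that is not True/False (e.g. None) renders as 'Unknown'.
    return str(_trust_status_dict.get(level, _trust_unknown))


def join_ad_full_credentials(admin, password, can_verify=True):
    # Hypothetical stand-in: with admin credentials the LSA/NetLogon RPCs against
    # the trusted DC can run, so the trust can actually be verified.
    return {'verified': bool(can_verify)}


def join_ad_ipa_half(trust_secret):
    # Hypothetical stand-in: with only a shared secret there is nothing we can
    # verify locally; the remote side has to confirm.
    return {'verified': False}


def execute(dns_domain, options):
    """Mirror of the two return paths in the patch, plus the error path."""
    if 'realm_admin' in options and 'realm_passwd' in options:
        result = join_ad_full_credentials(options['realm_admin'],
                                          options['realm_passwd'],
                                          options.get('can_verify', True))
        if result is None:
            raise ValidationError(name=_('AD Trust setup'),
                                  error=_('Unable to verify write permissions to the AD'))
        return dict(value=dns_domain, verified=result['verified'])
    if 'trust_secret' in options:
        result = join_ad_ipa_half(options['trust_secret'])
        if result is None:  # same guard as the first branch (defensive addition)
            raise ValidationError(name=_('AD Trust setup'),
                                  error=_('Unable to verify write permissions to the AD'))
        return dict(value=dns_domain, verified=result['verified'])
    raise ValidationError(name=_('AD Trust setup'),
                          error=_('Not enough arguments specified to perform trust setup'))


def post_callback(result, ldap_entry):
    """Fold the transient 'verified' flag into the displayed truststatus.

    pop() with a default keeps a result that lacks the flag from raising KeyError;
    such a result shows 'Unknown' instead. The status is never written to LDAP.
    """
    result['result'] = dict(ldap_entry)
    result['result']['truststatus'] = [trust_status_string(result.pop('verified', None))]
    return result


def trust_add(dns_domain, options, ldap_entry=None):
    """Chain execute() and post_callback() the way LDAPCreate does (simplified)."""
    entry = ldap_entry or {'cn': [dns_domain], 'ipanttrustdirection': [3]}
    return post_callback(execute(dns_domain, options), entry)


if __name__ == '__main__':
    # Constructed sample input, not a real domain.
    out = trust_add('ad.local', {'realm_admin': 'Administrator', 'realm_passwd': 'constructed'})
    print(out['result']['truststatus'][0])
```

Running the module prints the status for the admin-credentials path; the `verified` key is consumed by `post_callback` and does not reach the caller, which is what the patch's `del result['verified']` achieves without the KeyError risk.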