[Freeipa-devel] [PATCH] 0042-0048 AD trusts support (master)
Alexander Bokovoy
abokovoy at redhat.com
Thu Apr 12 15:08:03 UTC 2012
Hi Martin!
On Thu, 12 Apr 2012, Martin Kosek wrote:
>Hello Alexander,
>
>I read the patches with focus on Python parts, please check my
>comments.
>
>freeipa-abbra-0042-ticket-2192.patch:
>1) s4u2proxy records that you add for new replicas should also be
>removed
>during replica uninstall. Otherwise you will get a warning when the
>replica is being re-installed.
>
>You can find the clean up code in replication.py in ipaserver/install in
>function replica_cleanup()
thanks.
>freeipa-abbra-0044-ticket-1821.patch:
>1) Missing i18n:
>
>+trust_output_params = (
>+ Str('ipantflatname',
>+ label='Domain NetBIOS name'),
>+ Str('ipantsecurityidentifier',
>+ label='Domain Security Identifier'),
>+ Str('trustdirection',
>+ label='Trust direction'),
>+ Str('trusttype',
>+ label='Trust type'),
>+)
Ok, will fix.
>2) This does not look nice (and returns False (i.e. not str) when level
>is out of bounds):
>+def trust_type_string(level):
>+ return int(level) in (1,2,3) and (u'Forest',u'Cross-Forest',u'MIT')[int(level)-1]
>+
>+def trust_direction_string(level):
>+ return int(level) in (1,2,3) and (u'Downlevel',u'Uplevel',u'Both directions')[int(level)-1]
>
>Maybe something like this would be better (and i18n-ed):
>_trust_type_dict = {1 : _('Forest'),
> 2 : _('Cross-Forest'),
> 3 : _('MIT')}
>_trust_type_dict_unknown = _('Unknown')
>def trust_type_string(level):
> string = _trust_type_dict.get(int(level), _trust_type_dict_unknown)
> return unicode(string)
ok, makes sense. We'll need to do it to both directions later (not now).
>3) I would not try to import ipaserver.dcerpc every time the command is
>executed:
>+ try:
>+ import ipaserver.dcerpc
>+ except Exception, e:
>+ raise errors.NotFound(name=_('AD Trust setup'),
>+ reason=_('Cannot perform join operation without Samba
>4 python bindings installed'))
>
>I would rather do it once in the beginning and set a flag:
>
>try:
> import ipaserver.dcerpc
> _bindings_installed = True
>except Exception:
> _bindings_installed = False
>
>...
The idea was that this code is only executed on the server. We need to
differentiate between:
- running on client
- running on server, no samba4 python bindings
- running on server with samba4 python bindings
By making it executed all time you are affecting the client code as
well while with current approach it only affects server side.
>+ def execute(self, *keys, **options):
>+ # Join domain using full credentials and with random trustdom
>+ # secret (will be generated by the join method)
>+ trustinstance = None
>+ if not _bindings_installed:
>+ raise errors.NotFound(name=_('AD Trust setup'),
>+ reason=_('Cannot perform join operation without Samba
>4 python bindings installed'))
>
>
>4) Another import inside a function:
>+ def arcfour_encrypt(key, data):
>+ from Crypto.Cipher import ARC4
>+ c = ARC4.new(key)
>+ return c.encrypt(data)
Same here, it is only needed on server side.
Let us get consensus over 3) and 4) and I'll fix patches altogether (and
push).
--
/ Alexander Bokovoy
More information about the Freeipa-devel
mailing list