[Freeipa-devel] [PATCH] 0042-0048 AD trusts support (master)
Martin Kosek
mkosek at redhat.com
Fri Apr 20 06:39:40 UTC 2012
On Thu, 2012-04-12 at 17:16 +0200, Martin Kosek wrote:
> On Thu, 2012-04-12 at 18:08 +0300, Alexander Bokovoy wrote:
> > Hi Martin!
> >
> > On Thu, 12 Apr 2012, Martin Kosek wrote:
> ...
> > >3) I would not try to import ipaserver.dcerpc every time the command is
> > >executed:
> > >+ try:
> > >+ import ipaserver.dcerpc
> > >+ except Exception, e:
> > >+ raise errors.NotFound(name=_('AD Trust setup'),
> > >+ reason=_('Cannot perform join operation without Samba
> > >4 python bindings installed'))
> > >
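Review bot: the `except Exception, e:` around `import ipaserver.dcerpc` is too broad and then discards `e`; catch `ImportError` only, so that a genuine bug inside the bindings is not reported to the admin as "bindings not installed", and put the import error text into the `reason` so the failing module is visible in the error.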
> > >I would rather do it once in the beginning and set a flag:
> > >
> > >try:
> > > import ipaserver.dcerpc
> > > _bindings_installed = True
> > >except Exception:
> > > _bindings_installed = False
> > >
> > >...
> > The idea was that this code is only executed on the server. We need to
> > differentiate between:
> > - running on client
> > - running on server, no samba4 python bindings
> > - running on server with samba4 python bindings
> >
> > By making it execute all the time you are affecting the client code as
> > well, while with the current approach it only affects the server side.
>
> Across our code base, this situation is currently solved with this
> condition:
>
> if api.env.in_server and api.env.context in ['lite', 'server']:
> # try-import block
>
> >
> >
> > >+ def execute(self, *keys, **options):
> > >+ # Join domain using full credentials and with random trustdom
> > >+ # secret (will be generated by the join method)
> > >+ trustinstance = None
> > >+ if not _bindings_installed:
> > >+ raise errors.NotFound(name=_('AD Trust setup'),
> > >+ reason=_('Cannot perform join operation without Samba
> > >4 python bindings installed'))
> > >
> > >
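Review bot: the `_bindings_installed` guard in `execute` runs after `trustinstance = None` has already been assigned; move the guard to the very top of `execute` (or into a pre-callback) so the dependency check precedes any setup, and consider whether `errors.NotFound`, which clients read as "object not found", is the right class for a missing server-side dependency.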
> > >4) Another import inside a function:
> > >+ def arcfour_encrypt(key, data):
> > >+ from Crypto.Cipher import ARC4
> > >+ c = ARC4.new(key)
> > >+ return c.encrypt(data)
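Review bot: `arcfour_encrypt` exposes a raw RC4 stream cipher with no docstring; document why RC4 (a legacy cipher) is required here rather than a modern one, and note that a key must never be reused for two different plaintexts, since RC4 keystream reuse leaks the XOR of the messages. The `from Crypto.Cipher import ARC4` inside the function also means a missing PyCrypto only surfaces at call time; if the module-level guarded import is adopted for 3), cover this import the same way.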
> > Same here, it is only needed on server side.
> >
> > Let us get consensus over 3) and 4) and I'll fix patches altogether (and
> > push).
> >
>
> Yeah, I would fix in the same way as 3).
>
I am running another run of tests to finish my review of your patches,
but I stumbled on a 389-ds error when I was installing the IPA server from a
package built from your git tree:
git://fedorapeople.org/home/fedora/abbra/public_git/freeipa.git
# rpm -q freeipa-server 389-ds-base
freeipa-server-2.99.0GITc30f375-0.fc17.x86_64
389-ds-base-1.2.11-0.1.a1.fc17.x86_64
# ipa-server-install -p kokos123 -a kokos123
...
[16/18]: issuing RA agent certificate
[17/18]: adding RA agent as a trusted user
[18/18]: Configure HTTP to proxy connections
done configuring pki-cad.
Configuring directory server: Estimated time 1 minute
[1/35]: creating directory server user
[2/35]: creating directory server instance
[3/35]: adding default schema
[4/35]: enabling memberof plugin
[5/35]: enabling referential integrity plugin
[6/35]: enabling winsync plugin
[7/35]: configuring replication version plugin
[8/35]: enabling IPA enrollment plugin
[9/35]: enabling ldapi
[10/35]: configuring uniqueness plugin
[11/35]: configuring uuid plugin
[12/35]: configuring modrdn plugin
[13/35]: enabling entryUSN plugin
[14/35]: configuring lockout plugin
[15/35]: creating indices
[16/35]: configuring ssl for ds instance
[17/35]: configuring certmap.conf
[18/35]: configure autobind for root
[19/35]: configure new location for managed entries
[20/35]: restarting directory server
[21/35]: adding default layout
[22/35]: adding delegation layout
ipa : CRITICAL Failed to load delegation.ldif: Command
'/usr/bin/ldapmodify -h vm-079.idm.lab.bos.redhat.com -v
-f /tmp/tmpdXcWF3 -x -D cn=Directory Manager -y /tmp/tmp8qtnOS' returned
non-zero exit status 255
[23/35]: adding replication acis
ipa : CRITICAL Failed to load replica-acis.ldif: Command
'/usr/bin/ldapmodify -h vm-079.idm.lab.bos.redhat.com -v
-f /tmp/tmptivfJ_ -x -D cn=Directory Manager -y /tmp/tmpr_Z1lp' returned
non-zero exit status 255
[24/35]: creating container for managed entries
ipa : CRITICAL Failed to load managed-entries.ldif: Command
'/usr/bin/ldapmodify -h vm-079.idm.lab.bos.redhat.com -v
-f /tmp/tmpNkmoDk -x -D cn=Directory Manager -y /tmp/tmpXU0lbx' returned
non-zero exit status 255
[25/35]: configuring user private groups
ipa : CRITICAL Failed to load user_private_groups.ldif: Command
'/usr/bin/ldapmodify -h vm-079.idm.lab.bos.redhat.com -v
-f /tmp/tmp7uDqaG -x -D cn=Directory Manager -y /tmp/tmp6E_uPl' returned
non-zero exit status 255
[26/35]: configuring netgroups from hostgroups
ipa : CRITICAL Failed to load host_nis_groups.ldif: Command
'/usr/bin/ldapmodify -h vm-079.idm.lab.bos.redhat.com -v
-f /tmp/tmphxoVQf -x -D cn=Directory Manager -y /tmp/tmpsAhhwd' returned
non-zero exit status 255
[27/35]: creating default Sudo bind user
ipa : CRITICAL Failed to load sudobind.ldif: Command
'/usr/bin/ldapmodify -h vm-079.idm.lab.bos.redhat.com -v
-f /tmp/tmpCVpYqT -x -D cn=Directory Manager -y /tmp/tmp97b_6d' returned
non-zero exit status 255
[28/35]: creating default Auto Member layout
ipa : CRITICAL Failed to load automember.ldif: Command
'/usr/bin/ldapmodify -h vm-079.idm.lab.bos.redhat.com -v
-f /tmp/tmpvcFbwK -x -D cn=Directory Manager -y /tmp/tmpSUownE' returned
non-zero exit status 255
[29/35]: creating default HBAC rule allow_all
ipa : CRITICAL Failed to load default-hbac.ldif: Command
'/usr/bin/ldapmodify -h vm-079.idm.lab.bos.redhat.com -v
-f /tmp/tmpYoYkBy -x -D cn=Directory Manager -y /tmp/tmp_9le4C' returned
non-zero exit status 255
[30/35]: initializing group membership
ipa : CRITICAL Failed to load memberof-task.ldif: Command
'/usr/bin/ldapmodify -h vm-079.idm.lab.bos.redhat.com -v
-f /tmp/tmpD9mIxC -x -D cn=Directory Manager -y /tmp/tmpeTqozO' returned
non-zero exit status 255
Unexpected error - see ipaserver-install.log for details:
{'desc': "Can't contact LDAP server"}
# tail /var/log/dirsrv/slapd-IDM-LAB-BOS-REDHAT-COM/errors
[20/Apr/2012:02:19:16 -0400] - 389-Directory/1.2.11.a1 B2012.090.2135
starting up
[20/Apr/2012:02:19:16 -0400] attrcrypt - No symmetric key found for
cipher AES in backend userRoot, attempting to create one...
[20/Apr/2012:02:19:16 -0400] attrcrypt - Key for cipher AES successfully
generated and stored
[20/Apr/2012:02:19:16 -0400] attrcrypt - No symmetric key found for
cipher 3DES in backend userRoot, attempting to create one...
[20/Apr/2012:02:19:16 -0400] attrcrypt - Key for cipher 3DES
successfully generated and stored
[20/Apr/2012:02:19:16 -0400] - slapd started. Listening on All
Interfaces port 389 for LDAP requests
[20/Apr/2012:02:19:16 -0400] - Listening on All Interfaces port 636 for
LDAPS requests
[20/Apr/2012:02:19:16 -0400] - Listening
on /var/run/slapd-IDM-LAB-BOS-REDHAT-COM.socket for LDAPI requests
[20/Apr/2012:02:19:17 -0400] - Skipping CoS Definition cn=Password
Policy,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com--no CoS
Templates found, which should be added before the CoS Definition.
[20/Apr/2012:02:19:17 -0400] entryrdn-index - _entryrdn_put_data: Adding
the self link (62) failed: BDB0068 DB_LOCK_DEADLOCK: Locker killed to
resolve a deadlock (-30993)
Martin
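The server-only guarded import that the thread settles on, as an added example that is not part of this thread or of FreeIPA's code: `api.env` is replaced by a small `Env` stand-in and `ipaserver.dcerpc` by any importable module name (both assumptions), so it runs offline and shows the three cases Alexander lists (client, server without bindings, server with bindings).

```python
import importlib


class Env:
    """Stand-in for ipalib's api.env (constructed for this example)."""

    def __init__(self, in_server, context):
        self.in_server = in_server
        self.context = context


class BindingsMissing(Exception):
    """Stand-in for the errors.NotFound raised in the patch (assumption)."""


def probe_bindings(env, module_name="ipaserver.dcerpc"):
    """Classify the runtime as 'client', 'server-missing' or 'server-ok'.

    The import is attempted once, and only in a server context, so client
    code never pays for (or fails on) the optional Samba 4 dependency.
    """
    if not (env.in_server and env.context in ("lite", "server")):
        return "client"
    try:
        importlib.import_module(module_name)
    except ImportError:  # narrower than the patch's bare 'except Exception'
        return "server-missing"
    return "server-ok"


class TrustAdd:
    """Skeleton of a server-only command using the flag computed at load."""

    def __init__(self, env, module_name="ipaserver.dcerpc"):
        # Probed once when the command object is created, not per execute().
        self.state = probe_bindings(env, module_name)

    def execute(self):
        if self.state == "client":
            raise RuntimeError("trust setup must run on the IPA server")
        if self.state == "server-missing":
            raise BindingsMissing(
                "Cannot perform join operation without Samba 4 python "
                "bindings installed")
        return "joined"  # the real command would now perform the join
```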