[Freeipa-devel] [PATCH] 0042-0048 AD trusts support (master)
Martin Kosek
mkosek at redhat.com
Mon Jun 4 11:43:46 UTC 2012
On Thu, 2012-04-12 at 17:16 +0200, Martin Kosek wrote:
> On Thu, 2012-04-12 at 18:08 +0300, Alexander Bokovoy wrote:
> > Hi Martin!
> >
> > On Thu, 12 Apr 2012, Martin Kosek wrote:
> ...
> > >3) I would not try to import ipaserver.dcerpc every time the command is
> > >executed:
> > >+ try:
> > >+ import ipaserver.dcerpc
> > >+ except Exception, e:
> > >+ raise errors.NotFound(name=_('AD Trust setup'),
> > >+ reason=_('Cannot perform join operation without Samba
> > >4 python bindings installed'))
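Review bot: `except Exception, e:` swallows every failure from importing ipaserver.dcerpc, not only a missing module, and `e` is never used, so a broken samba4 installation is reported as "bindings not installed". Catch ImportError (or at least include str(e) in the reason) so the real cause is visible.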
> > >
> > >I would rather do it once in the beginning and set a flag:
> > >
> > >try:
> > > import ipaserver.dcerpc
> > > _bindings_installed = True
> > >except Exception:
> > > _bindings_installed = False
> > >
> > >...
> > The idea was that this code is only executed on the server. We need to
> > differentiate between:
> > - running on client
> > - running on server, no samba4 python bindings
> > - running on server with samba4 python bindings
> >
> > By making it executed all time you are affecting the client code as
> > well while with current approach it only affects server side.
>
> Across our code base, this situation is currently solved with this
> condition:
>
> if api.env.in_server and api.env.context in ['lite', 'server']:
> # try-import block
>
> >
> >
> > >+ def execute(self, *keys, **options):
> > >+ # Join domain using full credentials and with random trustdom
> > >+ # secret (will be generated by the join method)
> > >+ trustinstance = None
> > >+ if not _bindings_installed:
> > >+ raise errors.NotFound(name=_('AD Trust setup'),
> > >+ reason=_('Cannot perform join operation without Samba
> > >4 python bindings installed'))
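Review bot: execute() reads `_bindings_installed`, but if the module-level try/except is wrapped in the `api.env.in_server` guard proposed above, nothing assigns the name on clients and the check becomes a NameError. Initialise `_bindings_installed = False` before the guard so the flag always exists.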
> > >
> > >
> > >4) Another import inside a function:
> > >+ def arcfour_encrypt(key, data):
> > >+ from Crypto.Cipher import ARC4
> > >+ c = ARC4.new(key)
> > >+ return c.encrypt(data)
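Review bot: importing Crypto.Cipher.ARC4 inside arcfour_encrypt means a missing python-crypto only surfaces in the middle of a join as an unhandled ImportError; test the import once at module load under the same server-side guard as 3) and raise errors.NotFound with the same kind of reason. A short comment on why RC4 is required at this point would also keep the helper from being picked up as a general-purpose cipher.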
> > Same here, it is only needed on server side.
> >
> > Let us get consensus over 3) and 4) and I'll fix patches altogether (and
> > push).
> >
>
> Yeah, I would fix in the same way as 3).
>
> Martin
>
I did another round of testing and this is what I found so far:
1) freeipa.spec.in was missing python-crypto BuildRequires (you fixed
that)
2) Unit tests need to be updated, currently there are about a dozen test
case errors, e.g. extra ipakrbprincipalalias attribute in services or
new ipakrbprincipal objectclass for hosts
3) Replication did not work too well for me this time.
ipa-replica-install reported just one issue during installation process:
2012-06-04T09:42:51Z DEBUG [24/30]: enabling S4U2Proxy delegation
2012-06-04T09:42:51Z DEBUG args=/usr/bin/ldapmodify -h
vm-057.idm.lab.bos.redhat.com -v -f /tmp/tmpifHccf -x -D
cn=Directory Manager -y /tmp/tmppqaAdV
2012-06-04T09:42:51Z DEBUG stdout=
2012-06-04T09:42:51Z DEBUG
stderr=ldap_initialize( ldap://vm-057.idm.lab.bos.redhat.com )
ldapmodify: wrong attributeType at line 5, entry
"cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,dc=idm,
dc=lab,dc=bos,dc=redhat,dc=com"
2012-06-04T09:42:51Z CRITICAL Failed to load replica-s4u2proxy.ldif:
Command '/usr/bin/ldapmodify -h vm-057.idm.lab.bos.redhat.com -v
-f /tmp/tmpifHccf -x -D cn=Directory Manager -y /tmp/tmppqaAdV'
returned non-zero exit status 247
But this may be just a symptom of some bigger issue. After the
installation finished, DS did not start, it kept reporting Kerberos
issues:
[04/Jun/2012:05:46:00 -0400] set_krb5_creds - Could not get initial
credentials for principal
[ldap/vm-057.idm.lab.bos.redhat.com at IDM.LAB.BOS.REDHAT.COM] in keytab
[FILE:/etc/dirsrv/ds.keytab]: -1765328324 (Generic error (see e-text))
[04/Jun/2012:05:46:00 -0400] - slapd started. Listening on All
Interfaces port 389 for LDAP requests
[04/Jun/2012:05:46:00 -0400] - Listening on All Interfaces port 636 for
LDAPS requests
[04/Jun/2012:05:46:00 -0400] - Listening
on /var/run/slapd-IDM-LAB-BOS-REDHAT-COM.socket for LDAPI requests
[04/Jun/2012:05:46:00 -0400] slapd_ldap_sasl_interactive_bind - Error:
could not perform interactive bind for id [] mech [GSSAPI]: LDAP error
-2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified
GSS failure. Minor code may provide more information (Credentials cache
file '/tmp/krb5cc_498' not found)) errno 0 (Success)
[04/Jun/2012:05:46:00 -0400] slapi_ldap_bind - Error: could not perform
interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
[04/Jun/2012:05:46:00 -0400] NSMMReplicationPlugin -
agmt="cn=meTovm-125.idm.lab.bos.redhat.com" (vm-125:389): Replication
bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1):
generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may
provide more information (Credentials cache file '/tmp/krb5cc_498' not
found))
When I run "ipactl restart", dirsrv started and I was able to kinit.
4) Patch "Add separate attribute to store trusted domain SID" still has
a wrong service part of the principal to be removed (s/ldap/cifs):
+ dn3 = DN(u'cn=ipa-cifs-delegation-targets',
api.env.container_s4u2proxy, self.suffix)
+ member_principal3 = "ldap/%(fqdn)s@%(realm)s" %
dict(fqdn=replica, realm=realm)
+
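Review bot: member_principal3 builds an ldap/ principal while dn3 names ipa-cifs-delegation-targets, so the cifs/ entry added at install time is never matched and removed (the s/ldap/cifs fix noted above). A useful regression check is to search the cn=s4u2proxy subtree for any member principal of the replica FQDN after ipa-replica-manage del and expect none.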
This leaves the CIFS entry in the S4U2Proxy configuration even after replica
uninstallation.
Btw. these are the packages I use:
389-ds-base-1.2.10.4-2.fc17.x86_64
krb5-server-1.10-5.fc17.x86_64
samba4-4.0.0-123alpha21.fc17.x86_64
Martin
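An added example (not code from the FreeIPA patches under review) of the module-level guard discussed under 3): the import attempt is factored into a function so the three states the thread distinguishes (client, server without samba4 bindings, server with bindings) can be exercised without a real IPA `api` object; `MissingBindings` stands in for ipalib's `errors.NotFound`.

```python
# Added example, not part of the FreeIPA patches discussed in this thread.
import importlib


def bindings_state(in_server, context, import_module=importlib.import_module):
    """Return 'client', 'server-no-bindings' or 'server-with-bindings'."""
    # Only server-side contexts ('lite', 'server') attempt the import, so
    # client code never pays for it and never fails on it.
    if not (in_server and context in ('lite', 'server')):
        return 'client'
    try:
        import_module('ipaserver.dcerpc')  # module name from the thread
    except ImportError:
        # A missing module is the case the patch reports; other exceptions
        # (broken samba4 libs) propagate so they are not misreported.
        return 'server-no-bindings'
    return 'server-with-bindings'


class MissingBindings(Exception):
    """Stand-in for ipalib's errors.NotFound (assumption for this example)."""


def require_bindings(state):
    """Decide at execute() time from a flag computed once, not by re-importing."""
    if state == 'client':
        raise MissingBindings('AD Trust setup is a server-only operation')
    if state == 'server-no-bindings':
        raise MissingBindings(
            'Cannot perform join operation without Samba 4 python bindings installed')
    return True


# Evaluate the guard exactly once at module load, as proposed in the thread.
_bindings_installed = bindings_state(True, 'server') == 'server-with-bindings'
```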