[Freeipa-devel] [PATCH] 0042-0048 AD trusts support (master)

Martin Kosek mkosek at redhat.com
Mon Jun 4 11:43:46 UTC 2012


On Thu, 2012-04-12 at 17:16 +0200, Martin Kosek wrote:
> On Thu, 2012-04-12 at 18:08 +0300, Alexander Bokovoy wrote:
> > Hi Martin!
> > 
> > On Thu, 12 Apr 2012, Martin Kosek wrote:
> ...
> > >3) I would not try to import ipaserver.dcerpc every time the command is
> > >executed:
> > >+        try:
> > >+            import ipaserver.dcerpc
> > >+        except Exception, e:
> > >+            raise errors.NotFound(name=_('AD Trust setup'),
> > >+                  reason=_('Cannot perform join operation without Samba
> > >4 python bindings installed'))
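Review bot: the `except Exception, e:` around `import ipaserver.dcerpc` turns every failure of that import (bindings installed but broken, a missing shared library behind them) into the same "Samba 4 python bindings not installed" NotFound, which hides the real cause; catch `ImportError` only and drop the unused `e`. The `except X, e` spelling is also Python 2 only, so `except ImportError:` (or `except ImportError as e:` if the exception is needed) is the portable form.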
> > >
> > >I would rather do it once in the beginning and set a flag:
> > >
> > >try:
> > >    import ipaserver.dcerpc
> > >     _bindings_installed = True
> > >except Exception:
> > >    _bindings_installed = False
> > >
> > >...
> > The idea was that this code is only executed on the server. We need to
> > differentiate between:
> > - running on client
> > - running on server, no samba4 python bindings
> > - running on server with samba4 python bindings
> > 
> > By making it executed all time you are affecting the client code as
> > well while with current approach it only affects server side.
> 
> Across our code base, this situation is currently solved with this
> condition:
> 
> if api.env.in_server and api.env.context in ['lite', 'server']:
>     # try-import block
> 
> > 
> > 
> > >+    def execute(self, *keys, **options):
> > >+        # Join domain using full credentials and with random trustdom
> > >+        # secret (will be generated by the join method)
> > >+        trustinstance = None
> > >+        if not _bindings_installed:
> > >+            raise errors.NotFound(name=_('AD Trust setup'),
> > >+                  reason=_('Cannot perform join operation without Samba
> > >4 python bindings installed'))
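Review bot: the reason text here repeats the one from the earlier try/import block verbatim; keep one module-level message (or one helper that raises it) so the two copies cannot drift apart. errors.NotFound also reads to a client as "the object you asked for does not exist", while this is a missing server dependency; a more specific error class is worth considering if the framework offers one.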
> > >
> > >
> > >4) Another import inside a function:
> > >+        def arcfour_encrypt(key, data):
> > >+            from Crypto.Cipher import ARC4
> > >+            c = ARC4.new(key)
> > >+            return c.encrypt(data)
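Review bot: with `from Crypto.Cipher import ARC4` inside `arcfour_encrypt`, a missing python-crypto only surfaces in the middle of the join, after the bindings check has already passed; import it at module level inside the same server-only guarded block as ipaserver.dcerpc so the missing dependency is reported up front, and catch ImportError specifically there as well. Defining the helper inside execute() also recreates it on every call; a module-level function is easier to unit-test.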
> > Same here, it is only needed on server side.
> > 
> > Let us get consensus over 3) and 4) and I'll fix patches altogether (and
> > push).
> > 
> 
> Yeah, I would fix in the same way as 3).
> 
> Martin
> 

I did another round of testing and this is what I found so far:

1) freeipa.spec.in was missing python-crypto BuildRequires (you fixed
that)

2) Unit tests need to be updated, currently there are about a dozen test
case errors, e.g. extra ipakrbprincipalalias attribute in services or
new ipakrbprincipal objectclass for hosts

3) Replication did not work too well for me this time.
ipa-replica-install reported just one issue during the installation process:

2012-06-04T09:42:51Z DEBUG   [24/30]: enabling S4U2Proxy delegation
2012-06-04T09:42:51Z DEBUG args=/usr/bin/ldapmodify -h
vm-057.idm.lab.bos.redhat.com -v -f /tmp/tmpifHccf -x -D
cn=Directory Manager -y /tmp/tmppqaAdV
2012-06-04T09:42:51Z DEBUG stdout=
2012-06-04T09:42:51Z DEBUG
stderr=ldap_initialize( ldap://vm-057.idm.lab.bos.redhat.com )
ldapmodify: wrong attributeType at line 5, entry
"cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,dc=idm,
dc=lab,dc=bos,dc=redhat,dc=com"

2012-06-04T09:42:51Z CRITICAL Failed to load replica-s4u2proxy.ldif:
Command '/usr/bin/ldapmodify -h vm-057.idm.lab.bos.redhat.com -v
-f /tmp/tmpifHccf -x -D cn=Directory Manager -y /tmp/tmppqaAdV'
returned non-zero exit status 247


But this may be just a symptom of some bigger issue. After the
installation finished, DS did not start; it kept reporting Kerberos
issues:

[04/Jun/2012:05:46:00 -0400] set_krb5_creds - Could not get initial
credentials for principal
[ldap/vm-057.idm.lab.bos.redhat.com at IDM.LAB.BOS.REDHAT.COM] in keytab
[FILE:/etc/dirsrv/ds.keytab]: -1765328324 (Generic error (see e-text))
[04/Jun/2012:05:46:00 -0400] - slapd started.  Listening on All
Interfaces port 389 for LDAP requests
[04/Jun/2012:05:46:00 -0400] - Listening on All Interfaces port 636 for
LDAPS requests
[04/Jun/2012:05:46:00 -0400] - Listening
on /var/run/slapd-IDM-LAB-BOS-REDHAT-COM.socket for LDAPI requests
[04/Jun/2012:05:46:00 -0400] slapd_ldap_sasl_interactive_bind - Error:
could not perform interactive bind for id [] mech [GSSAPI]: LDAP error
-2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified
GSS failure.  Minor code may provide more information (Credentials cache
file '/tmp/krb5cc_498' not found)) errno 0 (Success)
[04/Jun/2012:05:46:00 -0400] slapi_ldap_bind - Error: could not perform
interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
[04/Jun/2012:05:46:00 -0400] NSMMReplicationPlugin -
agmt="cn=meTovm-125.idm.lab.bos.redhat.com" (vm-125:389): Replication
bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1):
generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may
provide more information (Credentials cache file '/tmp/krb5cc_498' not
found))

When I ran "ipactl restart", dirsrv started and I was able to kinit.

4) Patch "Add separate attribute to store trusted domain SID" still has
a wrong service part of the principal to be removed (s/ldap/cifs):

+        dn3 = DN(u'cn=ipa-cifs-delegation-targets',
api.env.container_s4u2proxy, self.suffix)
+        member_principal3 = "ldap/%(fqdn)s@%(realm)s" %
dict(fqdn=replica, realm=realm)
+
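Review bot: dn3 points at cn=ipa-cifs-delegation-targets, but member_principal3 is built with the ldap/ service, so the replica's cifs/ principal is never matched and stays in the S4U2Proxy configuration after uninstall; change it to "cifs/%(fqdn)s@%(realm)s". Since the dnN/member_principalN pairs are assembled by hand, deriving each principal's service name from one (dn, service) table would keep the two from drifting apart again.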

This leaves the CIFS entry in the S4U2Proxy configuration even after replica
uninstallation.

Btw. these are the packages I use:
389-ds-base-1.2.10.4-2.fc17.x86_64
krb5-server-1.10-5.fc17.x86_64
samba4-4.0.0-123alpha21.fc17.x86_64

Martin
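The server-only guarded import agreed on in the thread, written out as an added example (not FreeIPA's code): the probe runs once at module load, separates the three cases Alexander lists, and catches only ImportError so a broken install is not reported as "not installed". `api.env` is stood in for by a constructed `_ENV` dict and `trust_add` is a hypothetical command, so the module runs outside an IPA server.

```python
import importlib

# Contexts in which FreeIPA server-side code runs, taken from the
# `api.env.in_server and api.env.context in ['lite', 'server']`
# condition quoted in the thread.
SERVER_CONTEXTS = ('lite', 'server')


def probe_bindings(in_server, context, module='ipaserver.dcerpc',
                   importer=importlib.import_module):
    """Classify the three cases from the thread, probing the import once.

    'client'    - not a server process: the optional module is never imported
    'missing'   - server process, module not installed (ImportError)
    'installed' - server process, module imported fine
    Anything other than ImportError raised by the import (bindings present
    but broken) propagates instead of being masked as "not installed",
    which a bare `except Exception` would have done.
    """
    if not (in_server and context in SERVER_CONTEXTS):
        return 'client'
    try:
        importer(module)
    except ImportError:
        return 'missing'
    return 'installed'


# Constructed stand-in for api.env; a server process would set in_server=True.
_ENV = {'in_server': False, 'context': 'cli'}
# Probed once when the module is loaded, not on every command execution.
_BINDINGS_STATE = probe_bindings(_ENV['in_server'], _ENV['context'])


class BindingsMissing(Exception):
    """Clear failure for a command that needs the bindings but lacks them."""


def trust_add(state=None):
    """Hypothetical server command; `state` defaults to the module-level probe."""
    state = _BINDINGS_STATE if state is None else state
    if state == 'client':
        raise BindingsMissing('trust_add is a server-only command')
    if state == 'missing':
        raise BindingsMissing('Cannot perform join operation without Samba 4 '
                              'python bindings installed')
    return 'join would proceed'


if __name__ == '__main__':
    print(probe_bindings(True, 'server', module='json'))              # installed
    print(probe_bindings(True, 'lite', module='no_such_module_xyz'))  # missing
    print(probe_bindings(False, 'cli'))                               # client
```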
