[Freeipa-devel] [PATCH] 0042-0048 AD trusts support (master)

Martin Kosek mkosek at redhat.com
Thu May 3 15:18:48 UTC 2012


On Thu, 2012-04-26 at 15:18 +0200, Martin Kosek wrote:
> On Fri, 2012-04-20 at 08:39 +0200, Martin Kosek wrote:
> > On Thu, 2012-04-12 at 17:16 +0200, Martin Kosek wrote:
> > > On Thu, 2012-04-12 at 18:08 +0300, Alexander Bokovoy wrote:
> > > > Hi Martin!
> > > > 
> > > > On Thu, 12 Apr 2012, Martin Kosek wrote:
> > > ...
> > > > >3) I would not try to import ipaserver.dcerpc every time the command is
> > > > >executed:
> > > > >+        try:
> > > > >+            import ipaserver.dcerpc
> > > > >+        except Exception, e:
> > > > >+            raise errors.NotFound(name=_('AD Trust setup'),
> > > > >+                  reason=_('Cannot perform join operation without Samba
> > > > >4 python bindings installed'))
> > > > >
> > > > >I would rather do it once in the beginning and set a flag:
> > > > >
> > > > >try:
> > > > >    import ipaserver.dcerpc
> > > > >     _bindings_installed = True
> > > > >except Exception:
> > > > >    _bindings_installed = False
> > > > >
> > > > >...
> > > > The idea was that this code is only executed on the server. We need to
> > > > differentiate between:
> > > > - running on client
> > > > - running on server, no samba4 python bindings
> > > > - running on server with samba4 python bindings
> > > > 
> > > > By making it executed all time you are affecting the client code as
> > > > well while with current approach it only affects server side.
> > > 
> > > Across our code base, this situation is currently solved with this
> > > condition:
> > > 
> > > if api.env.in_server and api.env.context in ['lite', 'server']:
> > >     # try-import block
> > > 
> > > > 
> > > > 
> > > > >+    def execute(self, *keys, **options):
> > > > >+        # Join domain using full credentials and with random trustdom
> > > > >+        # secret (will be generated by the join method)
> > > > >+        trustinstance = None
> > > > >+        if not _bindings_installed:
> > > > >+            raise errors.NotFound(name=_('AD Trust setup'),
> > > > >+                  reason=_('Cannot perform join operation without Samba
> > > > >4 python bindings installed'))
> > > > >
> > > > >
> > > > >4) Another import inside a function:
> > > > >+        def arcfour_encrypt(key, data):
> > > > >+            from Crypto.Cipher import ARC4
> > > > >+            c = ARC4.new(key)
> > > > >+            return c.encrypt(data)
> > > > Same here, it is only needed on server side.
> > > > 
> > > > Let us get consensus over 3) and 4) and I'll fix patches altogether (and
> > > > push).
> > > > 
> > > 
> > > Yeah, I would fix in the same way as 3).
> > > 
> > 
> > I am running another run of test to finish my review of your patches,
> > but I stumbled in 389-ds error when I was installing IPA server from
> > package built from your git tree:
> > git://fedorapeople.org/home/fedora/abbra/public_git/freeipa.git
> > 
> > # rpm -q freeipa-server 389-ds-base
> > freeipa-server-2.99.0GITc30f375-0.fc17.x86_64
> > 389-ds-base-1.2.11-0.1.a1.fc17.x86_64
> > # ipa-server-install -p kokos123 -a kokos123
> > ...
> >   [16/18]: issuing RA agent certificate
> >   [17/18]: adding RA agent as a trusted user
> >   [18/18]: Configure HTTP to proxy connections
> > done configuring pki-cad.
> > Configuring directory server: Estimated time 1 minute
> >   [1/35]: creating directory server user
> >   [2/35]: creating directory server instance
> >   [3/35]: adding default schema
> >   [4/35]: enabling memberof plugin
> >   [5/35]: enabling referential integrity plugin
> >   [6/35]: enabling winsync plugin
> >   [7/35]: configuring replication version plugin
> >   [8/35]: enabling IPA enrollment plugin
> >   [9/35]: enabling ldapi
> >   [10/35]: configuring uniqueness plugin
> >   [11/35]: configuring uuid plugin
> >   [12/35]: configuring modrdn plugin
> >   [13/35]: enabling entryUSN plugin
> >   [14/35]: configuring lockout plugin
> >   [15/35]: creating indices
> >   [16/35]: configuring ssl for ds instance
> >   [17/35]: configuring certmap.conf
> >   [18/35]: configure autobind for root
> >   [19/35]: configure new location for managed entries
> >   [20/35]: restarting directory server
> >   [21/35]: adding default layout
> >   [22/35]: adding delegation layout
> > ipa         : CRITICAL Failed to load delegation.ldif: Command
> > '/usr/bin/ldapmodify -h vm-079.idm.lab.bos.redhat.com -v
> > -f /tmp/tmpdXcWF3 -x -D cn=Directory Manager -y /tmp/tmp8qtnOS' returned
> > non-zero exit status 255
> >   [23/35]: adding replication acis
> > ipa         : CRITICAL Failed to load replica-acis.ldif: Command
> > '/usr/bin/ldapmodify -h vm-079.idm.lab.bos.redhat.com -v
> > -f /tmp/tmptivfJ_ -x -D cn=Directory Manager -y /tmp/tmpr_Z1lp' returned
> > non-zero exit status 255
> >   [24/35]: creating container for managed entries
> > ipa         : CRITICAL Failed to load managed-entries.ldif: Command
> > '/usr/bin/ldapmodify -h vm-079.idm.lab.bos.redhat.com -v
> > -f /tmp/tmpNkmoDk -x -D cn=Directory Manager -y /tmp/tmpXU0lbx' returned
> > non-zero exit status 255
> >   [25/35]: configuring user private groups
> > ipa         : CRITICAL Failed to load user_private_groups.ldif: Command
> > '/usr/bin/ldapmodify -h vm-079.idm.lab.bos.redhat.com -v
> > -f /tmp/tmp7uDqaG -x -D cn=Directory Manager -y /tmp/tmp6E_uPl' returned
> > non-zero exit status 255
> >   [26/35]: configuring netgroups from hostgroups
> > ipa         : CRITICAL Failed to load host_nis_groups.ldif: Command
> > '/usr/bin/ldapmodify -h vm-079.idm.lab.bos.redhat.com -v
> > -f /tmp/tmphxoVQf -x -D cn=Directory Manager -y /tmp/tmpsAhhwd' returned
> > non-zero exit status 255
> >   [27/35]: creating default Sudo bind user
> > ipa         : CRITICAL Failed to load sudobind.ldif: Command
> > '/usr/bin/ldapmodify -h vm-079.idm.lab.bos.redhat.com -v
> > -f /tmp/tmpCVpYqT -x -D cn=Directory Manager -y /tmp/tmp97b_6d' returned
> > non-zero exit status 255
> >   [28/35]: creating default Auto Member layout
> > ipa         : CRITICAL Failed to load automember.ldif: Command
> > '/usr/bin/ldapmodify -h vm-079.idm.lab.bos.redhat.com -v
> > -f /tmp/tmpvcFbwK -x -D cn=Directory Manager -y /tmp/tmpSUownE' returned
> > non-zero exit status 255
> >   [29/35]: creating default HBAC rule allow_all
> > ipa         : CRITICAL Failed to load default-hbac.ldif: Command
> > '/usr/bin/ldapmodify -h vm-079.idm.lab.bos.redhat.com -v
> > -f /tmp/tmpYoYkBy -x -D cn=Directory Manager -y /tmp/tmp_9le4C' returned
> > non-zero exit status 255
> >   [30/35]: initializing group membership
> > ipa         : CRITICAL Failed to load memberof-task.ldif: Command
> > '/usr/bin/ldapmodify -h vm-079.idm.lab.bos.redhat.com -v
> > -f /tmp/tmpD9mIxC -x -D cn=Directory Manager -y /tmp/tmpeTqozO' returned
> > non-zero exit status 255
> > Unexpected error - see ipaserver-install.log for details:
> >  {'desc': "Can't contact LDAP server"}
> > 
> > 
> > # tail /var/log/dirsrv/slapd-IDM-LAB-BOS-REDHAT-COM/errors
> > [20/Apr/2012:02:19:16 -0400] - 389-Directory/1.2.11.a1 B2012.090.2135
> > starting up
> > [20/Apr/2012:02:19:16 -0400] attrcrypt - No symmetric key found for
> > cipher AES in backend userRoot, attempting to create one...
> > [20/Apr/2012:02:19:16 -0400] attrcrypt - Key for cipher AES successfully
> > generated and stored
> > [20/Apr/2012:02:19:16 -0400] attrcrypt - No symmetric key found for
> > cipher 3DES in backend userRoot, attempting to create one...
> > [20/Apr/2012:02:19:16 -0400] attrcrypt - Key for cipher 3DES
> > successfully generated and stored
> > [20/Apr/2012:02:19:16 -0400] - slapd started.  Listening on All
> > Interfaces port 389 for LDAP requests
> > [20/Apr/2012:02:19:16 -0400] - Listening on All Interfaces port 636 for
> > LDAPS requests
> > [20/Apr/2012:02:19:16 -0400] - Listening
> > on /var/run/slapd-IDM-LAB-BOS-REDHAT-COM.socket for LDAPI requests
> > [20/Apr/2012:02:19:17 -0400] - Skipping CoS Definition cn=Password
> > Policy,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com--no CoS
> > Templates found, which should be added before the CoS Definition.
> > [20/Apr/2012:02:19:17 -0400] entryrdn-index - _entryrdn_put_data: Adding
> > the self link (62) failed: BDB0068 DB_LOCK_DEADLOCK: Locker killed to
> > resolve a deadlock (-30993)
> > 
> > Martin
> > 
> 
> I reproduced this issue even on another clean VM, I filed a BZ for that:
> https://bugzilla.redhat.com/show_bug.cgi?id=816590
> 
> Martin
> 

With the development version of the fix for DS issue, I was able to
continue with the review. I found the following issues:

1) You add the cifs s4u2proxy record twice. This leads to an error message
during ipa-adtrust-install:

# ipa-server-install --setup-dns
# ipa-adtrust-install 
...
  [6/13]: setting password for the samba user
  [7/13]: adding cifs Kerberos principal
ipa         : CRITICAL Failed to add key for
cifs/vm-109.idm.lab.bos.redhat.com at IDM.LAB.BOS.REDHAT.COM
  [8/13]: adding admin(group) SIDs
  [9/13]: activating CLDAP plugin
...


2) Typo in ipa-adtrust-install info text:

        Additionally you have to make sure the FreeIPA LDAP server cannot reached
        by any domain controller in the Active Directory domain by closing the

s/reached/cannot be reached/

3) Another s4u2proxy error in ipa-replica-install:

# ipa-replica-install INFO_FILE
...
  [20/30]: restarting directory server
  [21/30]: setting up initial replication
Starting replication, please wait until this has completed.
Update in progress
Update in progress
Update in progress
Update succeeded
  [22/30]: adding replication acis
  [23/30]: setting Auto Member configuration
  [24/30]: enabling S4U2Proxy delegation
ipa         : CRITICAL Failed to load replica-s4u2proxy.ldif: Command
'/usr/bin/ldapmodify -h vm-098.idm.lab.bos.redhat.com -v
-f /tmp/tmpGFqASL -x -D cn=Directory Manager -y /tmp/tmpBuxVf4' returned
non-zero exit status 247
  [25/30]: initializing group membership

This is an error from ipareplica-install log:

2012-05-03T14:54:05Z DEBUG args=/usr/bin/ldapmodify -h
vm-098.idm.lab.bos.redhat.com -v -f /tmp/tmpGFqASL -x -D
cn=Directory Manager -y /tmp/tmpBuxVf4
2012-05-03T14:54:05Z DEBUG stdout=
2012-05-03T14:54:05Z DEBUG
stderr=ldap_initialize( ldap://vm-098.idm.lab.bos.redhat.com )
ldapmodify: wrong attributeType at line 5, entry
"cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,dc=idm,
dc=lab,dc=bos,dc=redhat,dc=com"

4) When I ran ipa-adtrust-install on the replica, I received the same
error as in 1).

5) Removal of cifs S4U2Proxy records does not work because the removal
code does not specify the right service name (s/ldap/cifs):

        dn3 = DN(u'cn=ipa-cifs-delegation-targets', api.env.container_s4u2proxy, self.suffix)
        member_principal3 = "ldap/%(fqdn)s@%(realm)s" % dict(fqdn=replica, realm=realm)

6) I miss some help or examples in trust help:

# ipa help trust
Manage trust relationship between realms

Topic commands:

But I suppose it can be added as an enhancement later.

This is all for now, I don't have an environment to test the trusts
themselves. But fixing these basic issues should be sufficient for us to
be able to at least push this work to master.

Martin
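The earlier part of this thread (points 3 and 4 of the first review) settles on importing the Samba 4 bindings once, guarded by `api.env.in_server and api.env.context in ['lite', 'server']`, and recording the result in a `_bindings_installed` flag that `execute()` checks. The module below is an added example of that pattern; it is not FreeIPA's own code. `make_env`, `NotFound`, `importer_present` and `importer_missing` are constructed stand-ins for `api.env`, `errors.NotFound` and the outcome of `import ipaserver.dcerpc`, so it runs without FreeIPA or Samba installed and shows all three cases the discussion distinguishes: client, server without bindings, server with bindings.

```python
"""Guarded, one-time import of optional server-side bindings.

Added example, not FreeIPA's own code. make_env(), NotFound and the two
importer callables are constructed stand-ins for api.env, errors.NotFound
and `import ipaserver.dcerpc` so the module runs offline.
"""
import importlib
from types import SimpleNamespace


class NotFound(Exception):
    """Stand-in for ipalib.errors.NotFound (constructed for this example)."""

    def __init__(self, name, reason):
        super().__init__('%s: %s' % (name, reason))
        self.name = name
        self.reason = reason


def make_env(in_server, context):
    """Minimal stand-in for api.env with the two fields the guard reads."""
    return SimpleNamespace(in_server=in_server, context=context)


def probe_bindings(env, import_module=importlib.import_module):
    """Decide once, at module load, whether the Samba 4 bindings are usable.

    Returns None on the client (the import is never attempted there),
    False on a server without the bindings, True on a server with them.
    """
    if not (env.in_server and env.context in ('lite', 'server')):
        return None
    try:
        import_module('ipaserver.dcerpc')
    except Exception:
        # ImportError, or a failure inside the bindings while loading
        return False
    return True


# Module-level flag computed exactly once; execute() only reads it.
env = make_env(in_server=True, context='server')
_bindings_installed = probe_bindings(env)


class TrustAdd:
    """Command object whose execute() refuses to run without the bindings."""

    def __init__(self, bindings_installed=_bindings_installed):
        self.bindings_installed = bindings_installed

    def execute(self, *keys, **options):
        if not self.bindings_installed:
            raise NotFound(name='AD Trust setup',
                           reason='Cannot perform join operation without '
                                  'Samba 4 python bindings installed')
        # The real command would join the domain here.
        return {'result': 'joined', 'keys': keys}


# Constructed importers standing in for "bindings present" / "bindings missing".
def importer_present(name):
    return SimpleNamespace(__name__=name)


def importer_missing(name):
    raise ImportError('No module named %s' % name)


def run_trust_add(env, importer, *keys):
    """Wire probe and command together; return the outcome as a string."""
    flag = probe_bindings(env, importer)
    try:
        return TrustAdd(flag).execute(*keys)['result']
    except NotFound as e:
        return 'error: %s' % e.name


if __name__ == '__main__':
    print(run_trust_add(make_env(True, 'server'), importer_present, 'ad.example.test'))
    print(run_trust_add(make_env(True, 'server'), importer_missing, 'ad.example.test'))
    print(run_trust_add(make_env(False, 'cli'), importer_missing))
```

The probe is called with an injectable importer only so the three outcomes can be exercised in one process; in a real module the call sits at import time with the default `importlib.import_module`, which is exactly the "do it once and set a flag" behaviour the review asked for, while the `in_server`/`context` guard keeps the client code path free of the attempt.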
