[Freeipa-devel] [PATCH] 0042-0048 AD trusts support (master)

Nathan Kinder nkinder at redhat.com
Thu May 3 15:31:17 UTC 2012


On 05/03/2012 08:18 AM, Martin Kosek wrote:
> On Thu, 2012-04-26 at 15:18 +0200, Martin Kosek wrote:
>> On Fri, 2012-04-20 at 08:39 +0200, Martin Kosek wrote:
>>> On Thu, 2012-04-12 at 17:16 +0200, Martin Kosek wrote:
>>>> On Thu, 2012-04-12 at 18:08 +0300, Alexander Bokovoy wrote:
>>>>> Hi Martin!
>>>>>
>>>>> On Thu, 12 Apr 2012, Martin Kosek wrote:
>>>> ...
>>>>>> 3) I would not try to import ipaserver.dcerpc every time the command is
>>>>>> executed:
>>>>>> +        try:
>>>>>> +            import ipaserver.dcerpc
>>>>>> +        except Exception, e:
>>>>>> +            raise errors.NotFound(name=_('AD Trust setup'),
>>>>>> +                  reason=_('Cannot perform join operation without Samba
>>>>>> 4 python bindings installed'))
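Review bot: the `except Exception, e:` around the `import ipaserver.dcerpc` binds `e` but never uses it, and catching `Exception` also turns any error raised while the bindings initialise into the same "not installed" NotFound, hiding the real traceback; catching `ImportError` alone (and letting other exceptions propagate) keeps the message accurate for the case it describes.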
>>>>>>
>>>>>> I would rather do it once in the beginning and set a flag:
>>>>>>
>>>>>> try:
>>>>>>     import ipaserver.dcerpc
>>>>>>     _bindings_installed = True
>>>>>> except Exception:
>>>>>>     _bindings_installed = False
>>>>>>
>>>>>> ...
>>>>> The idea was that this code is only executed on the server. We need to
>>>>> differentiate between:
>>>>> - running on client
>>>>> - running on server, no samba4 python bindings
>>>>> - running on server with samba4 python bindings
>>>>>
>>>>> By making it executed all time you are affecting the client code as
>>>>> well while with current approach it only affects server side.
>>>> Across our code base, this situation is currently solved with this
>>>> condition:
>>>>
>>>> if api.env.in_server and api.env.context in ['lite', 'server']:
>>>>      # try-import block
>>>>
>>>>>
>>>>>> +    def execute(self, *keys, **options):
>>>>>> +        # Join domain using full credentials and with random trustdom
>>>>>> +        # secret (will be generated by the join method)
>>>>>> +        trustinstance = None
>>>>>> +        if not _bindings_installed:
>>>>>> +            raise errors.NotFound(name=_('AD Trust setup'),
>>>>>> +                  reason=_('Cannot perform join operation without Samba
>>>>>> 4 python bindings installed'))
>>>>>>
>>>>>>
>>>>>> 4) Another import inside a function:
>>>>>> +        def arcfour_encrypt(key, data):
>>>>>> +            from Crypto.Cipher import ARC4
>>>>>> +            c = ARC4.new(key)
>>>>>> +            return c.encrypt(data)
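Review bot: `arcfour_encrypt` carries its own `from Crypto.Cipher import ARC4` inside the nested helper, so a missing PyCrypto surfaces as an ImportError only when the helper is first called, well after the `ipaserver.dcerpc` availability check has passed; move the import next to the dcerpc import and fold it into the same `_bindings_installed` flag so that both server-side dependencies are reported through the one NotFound error and client code stays untouched.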
>>>>> Same here, it is only needed on server side.
>>>>>
>>>>> Let us get consensus over 3) and 4) and I'll fix patches altogether (and
>>>>> push).
>>>>>
>>>> Yeah, I would fix in the same way as 3).
>>>>
>>> I am running another run of test to finish my review of your patches,
>>> but I stumbled in 389-ds error when I was installing IPA server from
>>> package built from your git tree:
>>> git://fedorapeople.org/home/fedora/abbra/public_git/freeipa.git
>>>
>>> # rpm -q freeipa-server 389-ds-base
>>> freeipa-server-2.99.0GITc30f375-0.fc17.x86_64
>>> 389-ds-base-1.2.11-0.1.a1.fc17.x86_64
>>> # ipa-server-install -p kokos123 -a kokos123
>>> ...
>>>    [16/18]: issuing RA agent certificate
>>>    [17/18]: adding RA agent as a trusted user
>>>    [18/18]: Configure HTTP to proxy connections
>>> done configuring pki-cad.
>>> Configuring directory server: Estimated time 1 minute
>>>    [1/35]: creating directory server user
>>>    [2/35]: creating directory server instance
>>>    [3/35]: adding default schema
>>>    [4/35]: enabling memberof plugin
>>>    [5/35]: enabling referential integrity plugin
>>>    [6/35]: enabling winsync plugin
>>>    [7/35]: configuring replication version plugin
>>>    [8/35]: enabling IPA enrollment plugin
>>>    [9/35]: enabling ldapi
>>>    [10/35]: configuring uniqueness plugin
>>>    [11/35]: configuring uuid plugin
>>>    [12/35]: configuring modrdn plugin
>>>    [13/35]: enabling entryUSN plugin
>>>    [14/35]: configuring lockout plugin
>>>    [15/35]: creating indices
>>>    [16/35]: configuring ssl for ds instance
>>>    [17/35]: configuring certmap.conf
>>>    [18/35]: configure autobind for root
>>>    [19/35]: configure new location for managed entries
>>>    [20/35]: restarting directory server
>>>    [21/35]: adding default layout
>>>    [22/35]: adding delegation layout
>>> ipa         : CRITICAL Failed to load delegation.ldif: Command
>>> '/usr/bin/ldapmodify -h vm-079.idm.lab.bos.redhat.com -v
>>> -f /tmp/tmpdXcWF3 -x -D cn=Directory Manager -y /tmp/tmp8qtnOS' returned
>>> non-zero exit status 255
>>>    [23/35]: adding replication acis
>>> ipa         : CRITICAL Failed to load replica-acis.ldif: Command
>>> '/usr/bin/ldapmodify -h vm-079.idm.lab.bos.redhat.com -v
>>> -f /tmp/tmptivfJ_ -x -D cn=Directory Manager -y /tmp/tmpr_Z1lp' returned
>>> non-zero exit status 255
>>>    [24/35]: creating container for managed entries
>>> ipa         : CRITICAL Failed to load managed-entries.ldif: Command
>>> '/usr/bin/ldapmodify -h vm-079.idm.lab.bos.redhat.com -v
>>> -f /tmp/tmpNkmoDk -x -D cn=Directory Manager -y /tmp/tmpXU0lbx' returned
>>> non-zero exit status 255
>>>    [25/35]: configuring user private groups
>>> ipa         : CRITICAL Failed to load user_private_groups.ldif: Command
>>> '/usr/bin/ldapmodify -h vm-079.idm.lab.bos.redhat.com -v
>>> -f /tmp/tmp7uDqaG -x -D cn=Directory Manager -y /tmp/tmp6E_uPl' returned
>>> non-zero exit status 255
>>>    [26/35]: configuring netgroups from hostgroups
>>> ipa         : CRITICAL Failed to load host_nis_groups.ldif: Command
>>> '/usr/bin/ldapmodify -h vm-079.idm.lab.bos.redhat.com -v
>>> -f /tmp/tmphxoVQf -x -D cn=Directory Manager -y /tmp/tmpsAhhwd' returned
>>> non-zero exit status 255
>>>    [27/35]: creating default Sudo bind user
>>> ipa         : CRITICAL Failed to load sudobind.ldif: Command
>>> '/usr/bin/ldapmodify -h vm-079.idm.lab.bos.redhat.com -v
>>> -f /tmp/tmpCVpYqT -x -D cn=Directory Manager -y /tmp/tmp97b_6d' returned
>>> non-zero exit status 255
>>>    [28/35]: creating default Auto Member layout
>>> ipa         : CRITICAL Failed to load automember.ldif: Command
>>> '/usr/bin/ldapmodify -h vm-079.idm.lab.bos.redhat.com -v
>>> -f /tmp/tmpvcFbwK -x -D cn=Directory Manager -y /tmp/tmpSUownE' returned
>>> non-zero exit status 255
>>>    [29/35]: creating default HBAC rule allow_all
>>> ipa         : CRITICAL Failed to load default-hbac.ldif: Command
>>> '/usr/bin/ldapmodify -h vm-079.idm.lab.bos.redhat.com -v
>>> -f /tmp/tmpYoYkBy -x -D cn=Directory Manager -y /tmp/tmp_9le4C' returned
>>> non-zero exit status 255
>>>    [30/35]: initializing group membership
>>> ipa         : CRITICAL Failed to load memberof-task.ldif: Command
>>> '/usr/bin/ldapmodify -h vm-079.idm.lab.bos.redhat.com -v
>>> -f /tmp/tmpD9mIxC -x -D cn=Directory Manager -y /tmp/tmpeTqozO' returned
>>> non-zero exit status 255
>>> Unexpected error - see ipaserver-install.log for details:
>>>   {'desc': "Can't contact LDAP server"}
>>>
>>>
>>> # tail /var/log/dirsrv/slapd-IDM-LAB-BOS-REDHAT-COM/errors
>>> [20/Apr/2012:02:19:16 -0400] - 389-Directory/1.2.11.a1 B2012.090.2135
>>> starting up
>>> [20/Apr/2012:02:19:16 -0400] attrcrypt - No symmetric key found for
>>> cipher AES in backend userRoot, attempting to create one...
>>> [20/Apr/2012:02:19:16 -0400] attrcrypt - Key for cipher AES successfully
>>> generated and stored
>>> [20/Apr/2012:02:19:16 -0400] attrcrypt - No symmetric key found for
>>> cipher 3DES in backend userRoot, attempting to create one...
>>> [20/Apr/2012:02:19:16 -0400] attrcrypt - Key for cipher 3DES
>>> successfully generated and stored
>>> [20/Apr/2012:02:19:16 -0400] - slapd started.  Listening on All
>>> Interfaces port 389 for LDAP requests
>>> [20/Apr/2012:02:19:16 -0400] - Listening on All Interfaces port 636 for
>>> LDAPS requests
>>> [20/Apr/2012:02:19:16 -0400] - Listening
>>> on /var/run/slapd-IDM-LAB-BOS-REDHAT-COM.socket for LDAPI requests
>>> [20/Apr/2012:02:19:17 -0400] - Skipping CoS Definition cn=Password
>>> Policy,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com--no CoS
>>> Templates found, which should be added before the CoS Definition.
>>> [20/Apr/2012:02:19:17 -0400] entryrdn-index - _entryrdn_put_data: Adding
>>> the self link (62) failed: BDB0068 DB_LOCK_DEADLOCK: Locker killed to
>>> resolve a deadlock (-30993)
>>>
>>> Martin
>>>
>> I reproduced this issue even on another clean VM, I filed a BZ for that:
>> https://bugzilla.redhat.com/show_bug.cgi?id=816590
>>
>> Martin
>>
> With the development version of the fix for DS issue, I was able to
> continue with the review. I found the following issues:
Please start using 389-ds-base-1.2.11.1-1.fc17, which is in testing now. Karma would be much appreciated.
>
> 1) You add cifs s4u2proxy record twice. This leads to an error message
> during ipa-adtrust-install:
>
> # ipa-server-install --setup-dns
> # ipa-adtrust-install
> ...
>    [6/13]: setting password for the samba user
>    [7/13]: adding cifs Kerberos principal
> ipa         : CRITICAL Failed to add key for
> cifs/vm-109.idm.lab.bos.redhat.com at IDM.LAB.BOS.REDHAT.COM
>    [8/13]: adding admin(group) SIDs
>    [9/13]: activating CLDAP plugin
> ...
>
>
> 2) Typo in ipa-adtrust-install info text:
>
>          Additionally you have to make sure the FreeIPA LDAP server cannot reached
> 	by any domain controller in the Active Directory domain by closing the
>
> s/reached/cannot be reached/
>
> 3) Another s4u2proxy error in ipa-replica-install:
>
> # ipa-replica-install INFO_FILE
> ...
>    [20/30]: restarting directory server
>    [21/30]: setting up initial replication
> Starting replication, please wait until this has completed.
> Update in progress
> Update in progress
> Update in progress
> Update succeeded
>    [22/30]: adding replication acis
>    [23/30]: setting Auto Member configuration
>    [24/30]: enabling S4U2Proxy delegation
> ipa         : CRITICAL Failed to load replica-s4u2proxy.ldif: Command
> '/usr/bin/ldapmodify -h vm-098.idm.lab.bos.redhat.com -v
> -f /tmp/tmpGFqASL -x -D cn=Directory Manager -y /tmp/tmpBuxVf4' returned
> non-zero exit status 247
>    [25/30]: initializing group membership
>
> This is an error from ipareplica-install log:
>
> 2012-05-03T14:54:05Z DEBUG args=/usr/bin/ldapmodify -h
> vm-098.idm.lab.bos.redhat.com -v -f /tmp/tmpGFqASL -x -D
> cn=Directory Manager -y /tmp/tmpBuxVf4
> 2012-05-03T14:54:05Z DEBUG stdout=
> 2012-05-03T14:54:05Z DEBUG
> stderr=ldap_initialize( ldap://vm-098.idm.lab.bos.redhat.com )
> ldapmodify: wrong attributeType at line 5, entry
> "cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,dc=idm,
> dc=lab,dc=bos,dc=redhat,dc=com"
>
> 4) When I run ipa-adtrust-install on the replica, I received the same
> error as in 1)
>
> 5) Removal of cifs S4U2Proxy records does not work because the removal
> code does not specify the right service name (s/ldap/cifs):
>
>          dn3 = DN(u'cn=ipa-cifs-delegation-targets', api.env.container_s4u2proxy, self.suffix)
>          member_principal3 = "ldap/%(fqdn)s@%(realm)s" % dict(fqdn=replica, realm=realm)
>
> 6) I miss some help or examples in trust help:
>
> # ipa help trust
> Manage trust relationship between realms
>
> Topic commands:
>
> But I suppose it can be added as an enhancement later.
>
> This is all for now, I don't have an environment to test the trusts
> themselves. But fixing these basic issues should be sufficient for us to
> be able to at least push this work to master.
>
> Martin
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel
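The three-way import guard debated in point 3) above (client, server without the Samba 4 bindings, server with them), as an added example that is not code from FreeIPA or from the patch under review. `make_env` and `NotFound` are stand-ins for ipalib's `api.env` and `errors.NotFound`; the module names passed in to simulate a missing or present dependency are constructed for this example.

```python
"""Added example (not FreeIPA code): run the try-import once, at module load
time, but only in a server context, so client code never touches server-only
modules and the later execute() check reads a flag instead of importing."""
import importlib
from types import SimpleNamespace


class NotFound(Exception):
    """Stand-in for ipalib.errors.NotFound (assumption for this example)."""

    def __init__(self, name, reason):
        super().__init__("%s: %s" % (name, reason))
        self.name = name
        self.reason = reason


def make_env(in_server, context):
    """Minimal api.env-like object; only the two attributes the guard reads."""
    return SimpleNamespace(in_server=in_server, context=context)


def probe_bindings(env, module_name="ipaserver.dcerpc"):
    """The module-level guard from the thread.

    Returns None on a client (import never attempted), False on a server
    where the bindings are missing, True on a server where they import.
    """
    if not (env.in_server and env.context in ("lite", "server")):
        return None
    try:
        importlib.import_module(module_name)
    except ImportError:  # only the 'not installed' case, not init failures
        return False
    return True


def trust_add_execute(bindings_installed):
    """The execute() check from the patch: refuse the join without bindings."""
    if not bindings_installed:
        raise NotFound(name="AD Trust setup",
                       reason="Cannot perform join operation without "
                              "Samba 4 python bindings installed")
    return "join attempted"


def join_refusal_reason(env, module_name="ipaserver.dcerpc"):
    """NotFound reason a caller would see for this env, or None if allowed."""
    try:
        trust_add_execute(probe_bindings(env, module_name))
    except NotFound as err:
        return err.reason
    return None
```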
