[Freeipa-devel] [PATCH] 0042-0048 AD trusts support (master)

Martin Kosek mkosek at redhat.com
Fri May 4 06:41:58 UTC 2012


On Thu, 2012-05-03 at 08:31 -0700, Nathan Kinder wrote:
> On 05/03/2012 08:18 AM, Martin Kosek wrote:
> > On Thu, 2012-04-26 at 15:18 +0200, Martin Kosek wrote:
> >> On Fri, 2012-04-20 at 08:39 +0200, Martin Kosek wrote:
> >>> On Thu, 2012-04-12 at 17:16 +0200, Martin Kosek wrote:
> >>>> On Thu, 2012-04-12 at 18:08 +0300, Alexander Bokovoy wrote:
> >>>>> Hi Martin!
> >>>>>
> >>>>> On Thu, 12 Apr 2012, Martin Kosek wrote:
> >>>> ...
> >>>>>> 3) I would not try to import ipaserver.dcerpc every time the command is
> >>>>>> executed:
> >>>>>> +        try:
> >>>>>> +            import ipaserver.dcerpc
> >>>>>> +        except Exception, e:
> >>>>>> +            raise errors.NotFound(name=_('AD Trust setup'),
> >>>>>> +                  reason=_('Cannot perform join operation without Samba
> >>>>>> 4 python bindings installed'))
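Review bot: the `except Exception, e:` around `import ipaserver.dcerpc` catches far more than a missing module and never uses `e`, so a genuine bug raised while importing ipaserver.dcerpc (or one of its Samba dependencies) is reported to the operator as "Cannot perform join operation without Samba 4 python bindings installed". Catch `ImportError` only and carry the original text into the reason (e.g. `except ImportError, e:` and append `str(e)` to `reason`), so the real cause is visible and anything else propagates as the traceback it is.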
> >>>>>>
> >>>>>> I would rather do it once in the beginning and set a flag:
> >>>>>>
> >>>>>> try:
> >>>>>>     import ipaserver.dcerpc
> >>>>>>      _bindings_installed = True
> >>>>>> except Exception:
> >>>>>>     _bindings_installed = False
> >>>>>>
> >>>>>> ...
> >>>>> The idea was that this code is only executed on the server. We need to
> >>>>> differentiate between:
> >>>>> - running on client
> >>>>> - running on server, no samba4 python bindings
> >>>>> - running on server with samba4 python bindings
> >>>>>
> >>>>> By making it execute all the time you are affecting the client code as
> >>>>> well, while with the current approach it only affects the server side.
> >>>> Across our code base, this situation is currently solved with this
> >>>> condition:
> >>>>
> >>>> if api.env.in_server and api.env.context in ['lite', 'server']:
> >>>>      # try-import block
> >>>>
> >>>>>
> >>>>>> +    def execute(self, *keys, **options):
> >>>>>> +        # Join domain using full credentials and with random trustdom
> >>>>>> +        # secret (will be generated by the join method)
> >>>>>> +        trustinstance = None
> >>>>>> +        if not _bindings_installed:
> >>>>>> +            raise errors.NotFound(name=_('AD Trust setup'),
> >>>>>> +                  reason=_('Cannot perform join operation without Samba
> >>>>>> 4 python bindings installed'))
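Review bot: `_bindings_installed` is read here as a module-level name, so if the try/import block that sets it is guarded by `if api.env.in_server and api.env.context in ['lite', 'server']:` as proposed above, a client-side call that reaches `execute()` fails with `NameError` on `if not _bindings_installed:` instead of the intended `errors.NotFound`. Initialise `_bindings_installed = False` unconditionally before the guarded block (or in an `else:` of the `if`) so the name exists in every process. `trustinstance = None` is also assigned in this hunk but not used in the lines shown; if it is only needed later, move the assignment down to where it is used.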
> >>>>>>
> >>>>>>
> >>>>>> 4) Another import inside a function:
> >>>>>> +        def arcfour_encrypt(key, data):
> >>>>>> +            from Crypto.Cipher import ARC4
> >>>>>> +            c = ARC4.new(key)
> >>>>>> +            return c.encrypt(data)
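Review bot: `from Crypto.Cipher import ARC4` inside the nested `arcfour_encrypt` means a missing PyCrypto is only discovered part-way through the join, as a bare `ImportError`, instead of up front through the same availability check used for the Samba bindings in 3). Import it at module level inside the same server-only guarded block and fold its failure into `_bindings_installed` (or a second flag), so `execute()` refuses early with a readable reason. A one-line comment saying why RC4 is used here (if the wire protocol mandates it) would also stop a later reader from "upgrading" the cipher and breaking interoperability.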
> >>>>> Same here, it is only needed on server side.
> >>>>>
> >>>>> Let us get consensus over 3) and 4) and I'll fix patches altogether (and
> >>>>> push).
> >>>>>
> >>>> Yeah, I would fix in the same way as 3).
> >>>>
> >>> I am running another round of tests to finish my review of your patches,
> >>> but I stumbled on a 389-ds error when I was installing the IPA server from
> >>> a package built from your git tree:
> >>> git://fedorapeople.org/home/fedora/abbra/public_git/freeipa.git
> >>>
> >>> # rpm -q freeipa-server 389-ds-base
> >>> freeipa-server-2.99.0GITc30f375-0.fc17.x86_64
> >>> 389-ds-base-1.2.11-0.1.a1.fc17.x86_64
> >>> # ipa-server-install -p kokos123 -a kokos123
> >>> ...
> >>>    [16/18]: issuing RA agent certificate
> >>>    [17/18]: adding RA agent as a trusted user
> >>>    [18/18]: Configure HTTP to proxy connections
> >>> done configuring pki-cad.
> >>> Configuring directory server: Estimated time 1 minute
> >>>    [1/35]: creating directory server user
> >>>    [2/35]: creating directory server instance
> >>>    [3/35]: adding default schema
> >>>    [4/35]: enabling memberof plugin
> >>>    [5/35]: enabling referential integrity plugin
> >>>    [6/35]: enabling winsync plugin
> >>>    [7/35]: configuring replication version plugin
> >>>    [8/35]: enabling IPA enrollment plugin
> >>>    [9/35]: enabling ldapi
> >>>    [10/35]: configuring uniqueness plugin
> >>>    [11/35]: configuring uuid plugin
> >>>    [12/35]: configuring modrdn plugin
> >>>    [13/35]: enabling entryUSN plugin
> >>>    [14/35]: configuring lockout plugin
> >>>    [15/35]: creating indices
> >>>    [16/35]: configuring ssl for ds instance
> >>>    [17/35]: configuring certmap.conf
> >>>    [18/35]: configure autobind for root
> >>>    [19/35]: configure new location for managed entries
> >>>    [20/35]: restarting directory server
> >>>    [21/35]: adding default layout
> >>>    [22/35]: adding delegation layout
> >>> ipa         : CRITICAL Failed to load delegation.ldif: Command
> >>> '/usr/bin/ldapmodify -h vm-079.idm.lab.bos.redhat.com -v
> >>> -f /tmp/tmpdXcWF3 -x -D cn=Directory Manager -y /tmp/tmp8qtnOS' returned
> >>> non-zero exit status 255
> >>>    [23/35]: adding replication acis
> >>> ipa         : CRITICAL Failed to load replica-acis.ldif: Command
> >>> '/usr/bin/ldapmodify -h vm-079.idm.lab.bos.redhat.com -v
> >>> -f /tmp/tmptivfJ_ -x -D cn=Directory Manager -y /tmp/tmpr_Z1lp' returned
> >>> non-zero exit status 255
> >>>    [24/35]: creating container for managed entries
> >>> ipa         : CRITICAL Failed to load managed-entries.ldif: Command
> >>> '/usr/bin/ldapmodify -h vm-079.idm.lab.bos.redhat.com -v
> >>> -f /tmp/tmpNkmoDk -x -D cn=Directory Manager -y /tmp/tmpXU0lbx' returned
> >>> non-zero exit status 255
> >>>    [25/35]: configuring user private groups
> >>> ipa         : CRITICAL Failed to load user_private_groups.ldif: Command
> >>> '/usr/bin/ldapmodify -h vm-079.idm.lab.bos.redhat.com -v
> >>> -f /tmp/tmp7uDqaG -x -D cn=Directory Manager -y /tmp/tmp6E_uPl' returned
> >>> non-zero exit status 255
> >>>    [26/35]: configuring netgroups from hostgroups
> >>> ipa         : CRITICAL Failed to load host_nis_groups.ldif: Command
> >>> '/usr/bin/ldapmodify -h vm-079.idm.lab.bos.redhat.com -v
> >>> -f /tmp/tmphxoVQf -x -D cn=Directory Manager -y /tmp/tmpsAhhwd' returned
> >>> non-zero exit status 255
> >>>    [27/35]: creating default Sudo bind user
> >>> ipa         : CRITICAL Failed to load sudobind.ldif: Command
> >>> '/usr/bin/ldapmodify -h vm-079.idm.lab.bos.redhat.com -v
> >>> -f /tmp/tmpCVpYqT -x -D cn=Directory Manager -y /tmp/tmp97b_6d' returned
> >>> non-zero exit status 255
> >>>    [28/35]: creating default Auto Member layout
> >>> ipa         : CRITICAL Failed to load automember.ldif: Command
> >>> '/usr/bin/ldapmodify -h vm-079.idm.lab.bos.redhat.com -v
> >>> -f /tmp/tmpvcFbwK -x -D cn=Directory Manager -y /tmp/tmpSUownE' returned
> >>> non-zero exit status 255
> >>>    [29/35]: creating default HBAC rule allow_all
> >>> ipa         : CRITICAL Failed to load default-hbac.ldif: Command
> >>> '/usr/bin/ldapmodify -h vm-079.idm.lab.bos.redhat.com -v
> >>> -f /tmp/tmpYoYkBy -x -D cn=Directory Manager -y /tmp/tmp_9le4C' returned
> >>> non-zero exit status 255
> >>>    [30/35]: initializing group membership
> >>> ipa         : CRITICAL Failed to load memberof-task.ldif: Command
> >>> '/usr/bin/ldapmodify -h vm-079.idm.lab.bos.redhat.com -v
> >>> -f /tmp/tmpD9mIxC -x -D cn=Directory Manager -y /tmp/tmpeTqozO' returned
> >>> non-zero exit status 255
> >>> Unexpected error - see ipaserver-install.log for details:
> >>>   {'desc': "Can't contact LDAP server"}
> >>>
> >>>
> >>> # tail /var/log/dirsrv/slapd-IDM-LAB-BOS-REDHAT-COM/errors
> >>> [20/Apr/2012:02:19:16 -0400] - 389-Directory/1.2.11.a1 B2012.090.2135
> >>> starting up
> >>> [20/Apr/2012:02:19:16 -0400] attrcrypt - No symmetric key found for
> >>> cipher AES in backend userRoot, attempting to create one...
> >>> [20/Apr/2012:02:19:16 -0400] attrcrypt - Key for cipher AES successfully
> >>> generated and stored
> >>> [20/Apr/2012:02:19:16 -0400] attrcrypt - No symmetric key found for
> >>> cipher 3DES in backend userRoot, attempting to create one...
> >>> [20/Apr/2012:02:19:16 -0400] attrcrypt - Key for cipher 3DES
> >>> successfully generated and stored
> >>> [20/Apr/2012:02:19:16 -0400] - slapd started.  Listening on All
> >>> Interfaces port 389 for LDAP requests
> >>> [20/Apr/2012:02:19:16 -0400] - Listening on All Interfaces port 636 for
> >>> LDAPS requests
> >>> [20/Apr/2012:02:19:16 -0400] - Listening
> >>> on /var/run/slapd-IDM-LAB-BOS-REDHAT-COM.socket for LDAPI requests
> >>> [20/Apr/2012:02:19:17 -0400] - Skipping CoS Definition cn=Password
> >>> Policy,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com--no CoS
> >>> Templates found, which should be added before the CoS Definition.
> >>> [20/Apr/2012:02:19:17 -0400] entryrdn-index - _entryrdn_put_data: Adding
> >>> the self link (62) failed: BDB0068 DB_LOCK_DEADLOCK: Locker killed to
> >>> resolve a deadlock (-30993)
> >>>
> >>> Martin
> >>>
> >> I reproduced this issue even on another clean VM; I filed a BZ for that:
> >> https://bugzilla.redhat.com/show_bug.cgi?id=816590
> >>
> >> Martin
> >>
> > With the development version of the fix for the DS issue, I was able to
> > continue with the review. I found the following issues:
> Please start using 389-ds-base-1.2.11.1-1.fc17, which is in testing 
> now.  Karma would be much appreciated.

Will do! I just tested it and it works so far - karma+1 from me.

Martin
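The consensus reached on points 3) and 4) above (probe the server-only bindings once, under the `api.env.in_server` / `api.env.context` guard, and have `execute()` refuse early with a readable reason) written out as a small stand-alone module. This is an added example, not FreeIPA code or the patch under review: `Env`, `BindingsMissing`, `probe_server_modules`, `trust_add_execute` and the two environment variables are stand-ins chosen for this illustration, and the module names it probes default to the two from the thread.

```python
"""Server-only optional dependency, probed once at import time.

Added example, not FreeIPA code.  Env, BindingsMissing, probe_server_modules
and trust_add_execute are stand-ins chosen for this illustration.
"""
import importlib
import os


class Env(object):
    """Minimal stand-in for api.env (assumption: only the two fields the
    guard in the thread reads)."""

    def __init__(self, in_server, context):
        self.in_server = in_server
        self.context = context


class BindingsMissing(Exception):
    """Stand-in for errors.NotFound(name=..., reason=...) used in the patch."""


def probe_server_modules(env, modules=('ipaserver.dcerpc', 'Crypto.Cipher')):
    """Decide once whether the server-side bindings are usable.

    Returns (installed, reason) and distinguishes the three cases from the
    thread:
      - not a server process: no import is attempted at all,
      - server process, an import fails: installed=False and the real
        ImportError text is kept so the operator learns which module and why,
      - server process, every import succeeds: installed=True.
    Only ImportError is caught.  Any other exception raised while importing is
    a bug in the module being imported and must propagate, not be reported as
    "bindings not installed".
    """
    if not (env.in_server and env.context in ('lite', 'server')):
        return False, 'not a server process'
    for name in modules:
        try:
            importlib.import_module(name)
        except ImportError as e:
            return False, 'cannot import %s (%s)' % (name, e)
    return True, None


# Probed once when the module loads, never inside execute().  The names are
# always defined, so a client-side call cannot hit NameError.  Assumption:
# this example derives the environment from two environment variables.
_ENV = Env(in_server=os.environ.get('IPA_IN_SERVER') == '1',
           context=os.environ.get('IPA_CONTEXT', 'cli'))
_BINDINGS_INSTALLED, _BINDINGS_REASON = probe_server_modules(_ENV)


def trust_add_execute(domain, bindings_state=None):
    """Shape of execute() from the patch: refuse early and explain why.

    bindings_state lets a caller (or a test) supply an (installed, reason)
    pair instead of the module-level probe result.
    """
    installed, reason = bindings_state or (_BINDINGS_INSTALLED, _BINDINGS_REASON)
    if not installed:
        raise BindingsMissing(
            'Cannot perform join operation without Samba 4 python bindings '
            'installed: %s' % reason)
    # The real join (DCE/RPC to the AD DC, RC4-wrapped trust secret) would go
    # here; this example stops at the availability check.
    return 'joined %s' % domain


if __name__ == '__main__':
    for env in (Env(False, 'cli'), Env(True, 'server')):
        print(env.in_server, env.context,
              probe_server_modules(env, ('json', 'no_such_module_abc')))
```

Run it as a client (no `IPA_IN_SERVER`) and `_BINDINGS_INSTALLED` is False with reason "not a server process" without any import being attempted; run it with `IPA_IN_SERVER=1 IPA_CONTEXT=server` on a box without Samba bindings and the reason names the module that failed and why.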



