[Freeipa-devel] [PATCHES 523-525] replica install: add remote connection check over API

Martin Basti mbasti at redhat.com
Mon Dec 14 09:27:15 UTC 2015
On 14.12.2015 07:23, Jan Cholasta wrote:
> On 11.12.2015 18:49, Tomas Babej wrote:
>>
>>
>> On 12/11/2015 05:37 PM, Martin Basti wrote:
>>>
>>>
>>> On 11.12.2015 15:40, Jan Cholasta wrote:
>>>> On 11.12.2015 08:03, Jan Cholasta wrote:
>>>>> On 11.12.2015 07:08, Jan Cholasta wrote:
>>>>>> On 10.12.2015 15:56, Martin Babinsky wrote:
>>>>>>> On 12/10/2015 09:48 AM, Jan Cholasta wrote:
>>>>>>>> On 9.12.2015 16:38, Jan Cholasta wrote:
>>>>>>>>> On 9.12.2015 14:52, Jan Cholasta wrote:
>>>>>>>>>> On 9.12.2015 10:02, Jan Cholasta wrote:
>>>>>>>>>>> Hi,
>>>>>>>>>>>
>>>>>>>>>>> the attached patches fix
>>>>>>>>>>> <https://fedorahosted.org/freeipa/ticket/5497>.
>>>>>>>>>>
>>>>>>>>>> Note that this needs selinux-policy fix to work, so put SELinux
>>>>>>>>>> into permissive mode for testing:
>>>>>>>>>> <https://bugzilla.redhat.com/show_bug.cgi?id=1289930>.
>>>>>>>>>
>>>>>>>>> Updated patches attached.
>>>>>>>>
>>>>>>>> I screwed up a change in patch 524 and accidentally included a
>>>>>>>> chunk of code in patch 525 that doesn't belong in it.
>>>>>>>>
>>>>>>>> Updated patches attached.
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>> Patches work as expected and I was not able to find any functional
>>>>>>> problem.
>>>>>>>
>>>>>>> I have a question about the naming of the oddjob helper script: the
>>>>>>> one related to trusts is named 'com.redhat.idm.trust-fetch-domains',
>>>>>>> and the conncheck runner is named 'org.freeipa.server.conncheck'. I
>>>>>>> don't want to start another bikeshedding conversation but shouldn't we
>>>>>>> name them in a consistent fashion (either rename the first one in a
>>>>>>> separate patch or rename the new helper to
>>>>>>> com.redhat.idm.server.conncheck)?
>>>>>>>
>>>>>>> I understand that as an upstream, we should go with the
>>>>>>> 'org.freeipa.*' convention, but having two helpers with different
>>>>>>> prefixes makes me sad.
>>>>>>
>>>>>> If you look at the larger picture, org.freeipa is the consistent
>>>>>> name. It makes me sad as well, but mistakes should be corrected. This
>>>>>> is similar to how we use PEP8 in new code, but do not fix it in old
>>>>>> code just for the sake of fixing it.
>>>>>>
>>>>>>>
>>>>>>> That is a nitpick though, it does not affect the overall
>>>>>>> functionality of the patches so ACK.
>>>>>>
>>>>>> Thanks for the review. The current patch 523 breaks the trusts
>>>>>> oddjob with SELinux in enforcing mode, I will send an update which
>>>>>> corrects that, until bug 1289930 is fixed.
>>>>>
>>>>> Updated patches attached.
>>>>
>>>> Rebased on top of current master.
>>>>
>>>>
>>>>
>>> Just a question: should any kinited user be allowed to run conncheck
>>> via rpc?
>>>
>>> Martin^2
>>
>> I guess there is little harm; any kinited user that was allowed to
>> access the machine could perform the conncheck even without these
>> patches:
>
> In the RPC check, the user must have the Replication Administrators
> privilege, which by default only admins have.

I tried to install replica with a regular user and conncheck passed.
Martin^2
>
>>
>> # ipa-replica-conncheck --master master.ipa.test -p random@IPA.TEST -w ratarata -a -r IPA.TEST
>> Check connection from replica to remote master 'master.ipa.test':
>>     Directory Service: Unsecure port (389): OK
>>     Directory Service: Secure port (636): OK
>>     Kerberos KDC: TCP (88): OK
>>     Kerberos Kpasswd: TCP (464): OK
>>     HTTP Server: Unsecure port (80): OK
>>     HTTP Server: Secure port (443): OK
>>
>> The following list of ports use UDP protocol and would need to be
>> checked manually:
>>     Kerberos KDC: UDP (88): SKIPPED
>>     Kerberos Kpasswd: UDP (464): SKIPPED
>>
>> Connection from replica to master is OK.
>> Start listening on required ports for remote master check
>> Get credentials to log in to remote master
>> Check SSH connection to remote master
>> Execute check on remote master
>> Check connection from master to remote replica 'replica.ipa.test':
>>     Directory Service: Unsecure port (389): OK
>>     Directory Service: Secure port (636): OK
>>     Kerberos KDC: TCP (88): OK
>>     Kerberos KDC: UDP (88): OK
>>     Kerberos Kpasswd: TCP (464): OK
>>     Kerberos Kpasswd: UDP (464): OK
>>     HTTP Server: Unsecure port (80): OK
>>     HTTP Server: Secure port (443): OK
>>
>> Connection from master to replica is OK.
>>
>
>
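The run quoted above sweeps a fixed list of LDAP, Kerberos and HTTP ports in each direction and reports UDP ports as SKIPPED because a plain connect cannot verify them. The following is an added illustration, not FreeIPA's own ipa-replica-conncheck code: a minimal Python stand-in for that TCP sweep, using the host name and port table taken from the output in the thread. `demo_local` is a constructed offline demonstration that listens on one ephemeral local port and leaves another closed so that OK, FAILED and SKIPPED results can all be seen without a real master.

```python
import socket
import sys

# Port table mirroring the checks printed by ipa-replica-conncheck in the
# thread above. UDP entries are listed but cannot be verified with a plain
# connect(), so they are reported SKIPPED, as the tool itself does.
REPLICA_PORTS = [
    ("Directory Service: Unsecure port", 389, "tcp"),
    ("Directory Service: Secure port", 636, "tcp"),
    ("Kerberos KDC", 88, "tcp"),
    ("Kerberos KDC", 88, "udp"),
    ("Kerberos Kpasswd", 464, "tcp"),
    ("Kerberos Kpasswd", 464, "udp"),
    ("HTTP Server: Unsecure port", 80, "tcp"),
    ("HTTP Server: Secure port", 443, "tcp"),
]


def check_tcp_port(host, port, timeout=3.0):
    """Return True if a TCP handshake to host:port completes within timeout.

    Only reachability is tested; no application data is sent, so running this
    against a live master is harmless and shows up as an ordinary connect.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unroutable or unresolvable
        return False


def run_conncheck(host, ports=REPLICA_PORTS, timeout=3.0):
    """Run every entry in ports against host; return (desc, port, proto, status)."""
    results = []
    for desc, port, proto in ports:
        if proto == "udp":
            status = "SKIPPED"
        else:
            status = "OK" if check_tcp_port(host, port, timeout) else "FAILED"
        results.append((desc, port, proto, status))
    return results


def all_ok(results):
    """True when no TCP check failed; SKIPPED UDP checks are not failures."""
    return all(status != "FAILED" for _, _, _, status in results)


def format_report(host, results):
    """Render results in a layout similar to the output quoted in the thread."""
    lines = ["Check connection to remote host '%s':" % host]
    lines += ["    %s: TCP (%d): %s" % (desc, port, status)
              for desc, port, proto, status in results if proto == "tcp"]
    skipped = [r for r in results if r[2] == "udp"]
    if skipped:
        lines.append("")
        lines.append("The following list of ports use UDP protocol and would need to be")
        lines.append("checked manually:")
        lines += ["    %s: UDP (%d): %s" % (desc, port, status)
                  for desc, port, _, status in skipped]
    return "\n".join(lines)


def demo_local():
    """Constructed offline demonstration: one listening local port, one port
    that was bound and then closed, and one UDP entry, checked on 127.0.0.1."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(5)
    open_port = listener.getsockname()[1]
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.bind(("127.0.0.1", 0))
    closed_port = probe.getsockname()[1]
    probe.close()  # nothing listens here any more, so this check must FAIL
    table = [("Open service", open_port, "tcp"),
             ("Closed service", closed_port, "tcp"),
             ("Datagram service", open_port, "udp")]
    try:
        return run_conncheck("127.0.0.1", table, timeout=2.0)
    finally:
        listener.close()


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # hostname argument, e.g. master.ipa.test from the thread
        target = sys.argv[1]
        res = run_conncheck(target)
    else:
        target = "127.0.0.1"
        res = demo_local()
    print(format_report(target, res))
    sys.exit(0 if all_ok(res) else 1)
```

Run it with a master host name to sweep the real port table, or with no argument for the offline demonstration. The exit status follows the same rule as the tool's verdict: SKIPPED UDP ports do not fail the check, only a refused or timed-out TCP port does, which is why the UDP ports still have to be verified separately.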