[Freeipa-devel] [PATCH] 0202 support UPNs for trusted domain users

Martin Babinsky mbabinsk at redhat.com
Thu Jun 9 16:07:40 UTC 2016 

On 06/07/2016 07:35 PM, Alexander Bokovoy wrote:
> On Tue, 07 Jun 2016, Martin Babinsky wrote:
>> On 06/07/2016 06:38 PM, Alexander Bokovoy wrote:
>>> On Tue, 07 Jun 2016, Martin Babinsky wrote:
>>>> On 06/06/2016 12:34 PM, Alexander Bokovoy wrote:
>>>>> Hi,
>>>>>
>>>>> Add support for additional user name principal suffixes from
>>>>> trusted Active Directory forests. UPN suffixes are property
>>>>> of the forest and as such are associated with the forest root
>>>>> domain.
>>>>>
>>>>> FreeIPA stores UPN suffixes as ipaNTAdditionalSuffixes multi-valued
>>>>> attribute of ipaNTTrustedDomain object class.
>>>>>
>>>>> In order to look up UPN suffixes, netr_DsRGetForestTrustInformation
>>>>> LSA RPC call is used instead of netr_DsrEnumerateDomainTrusts.
>>>>>
>>>>> For more details on UPN and naming in Active Directory see
>>>>> https://technet.microsoft.com/en-us/library/cc739093%28v=ws.10%29.aspx
>>>>>
>>>>> https://fedorahosted.org/freeipa/ticket/5354
>>>>>
>>>>>
>>>>>
>>>>
>>>> Hi Alexander,
>>>>
>>>> a few comments:
>>>>
>>>> 1.)
>>>>
>>>> there are some PEP8 violations in the patch. Not all of them need to
>>>> be fixed, though (line overhangs < 5 characters are OK by me).
>>>>
>>>> """
>>>> ./ipaserver/dcerpc.py:1199:80: E501 line too long (80 > 79 characters)
>>>> ./ipaserver/dcerpc.py:1200:80: E501 line too long (83 > 79 characters)
>>>> ./ipaserver/dcerpc.py:1258:40: E203 whitespace before ':'
>>>> ./ipaserver/dcerpc.py:1263:80: E501 line too long (81 > 79 characters)
>>>> ./ipaserver/dcerpc.py:1271:80: E501 line too long (90 > 79 characters)
>>>> ./ipaserver/dcerpc.py:1272:80: E501 line too long (82 > 79 characters)
>>>> ./ipaserver/plugins/trust.py:490:9: E128 continuation line
>>>> under-indented for visual indent
>>>> ./ipaserver/plugins/trust.py:490:80: E501 line too long (93 > 79
>>>> characters)
>>>> ./ipaserver/plugins/trust.py:490:92: E202 whitespace before ']'
>>>> ./ipaserver/plugins/trust.py:493:80: E501 line too long (83 > 79
>>>> characters)
>>>> ./ipaserver/plugins/trust.py:1461:80: E501 line too long (80 > 79
>>>> characters)
>>>> ./ipaserver/plugins/trust.py:1462:59: E202 whitespace before ']'
>>>> ./ipaserver/plugins/trust.py:1544:1: E302 expected 2 blank lines,
>>>> found 1
>>>> ./ipaserver/plugins/trust.py:1638:1: E302 expected 2 blank lines,
>>>> found 1
>>>> """
>>> I've fixed trust.py part, the dcerpc.py fixes in 0201 should be enough
>>> now -- breaking following line is not giving any reasonable benefit:
>>>
>>>           res['ipantflatname'] =
>>> unicode(t.forest_trust_data.netbios_domain_name.string)
>>>
>>
>> Looking at the code, it would be IMHO more readable to directly append
>> dict literals to the result like so:
>>
>> """
>> --- a/ipaserver/dcerpc.py
>> +++ b/ipaserver/dcerpc.py
>> @@ -1269,18 +1269,20 @@ def fetch_domains(api, mydomain, trustdomain,
>> creds=None, server=None):
>>             tname = unicode(t.forest_trust_data.dns_domain_name.string)
>>             if tname == trustdomain:
>>                 continue
>> -            res = dict()
>> -            res['cn'] = tname
>> -            res['ipantflatname'] =
>> unicode(t.forest_trust_data.netbios_domain_name.string)
>> -            res['ipanttrusteddomainsid'] =
>> unicode(t.forest_trust_data.domain_sid)
>> -            result['domains'][tname] = res
>> +
>> +            result['domains'][tname] = {
>> +                'cn': tname,
>> +                'ipantflatname': unicode(
>> +                    t.forest_trust_data.netbios_domain_name.string),
>> +                'ipanttrusteddomainsid': unicode(
>> +                    t.forest_trust_data.domain_sid)
>> +            }
>>         elif t.type == lsa.LSA_FOREST_TRUST_TOP_LEVEL_NAME:
>>             tname = unicode(t.forest_trust_data.string)
>>             if tname == trustdomain:
>>                 continue
>> -            res = dict()
>> -            res['cn'] = tname
>> -            result['suffixes'][tname] = res
>> +
>> +            result['suffixes'][tname] = {'cn': tname}
>>     return result
>> """
> Makes sense. Fixed.
>
>>
>> Also there is a whitespace before colon here:
>> """
>> +    result = {'domains': {}, 'suffixes' : {}}
>>                                        ^
>> """
>> Please fix that and I will be a happy engineer.
> Fixed.
>
>>
>>>> 2.)
>>>>
>>>> Should the ipaNTAdditionalSuffixes attribute be case insensitive? It
>>>> makes sense but I'm just asking so that we don't end changing the
>>>> schema later.
>>> ipaNTAdditionalSuffixes is defined as
>>>
>>> attributeTypes: ( 2.16.840.1.113730.3.8.11.75 NAME
>>> 'ipaNTAdditionalSuffixes' DESC 'Suffix for the user principal name
>>> associated with the domain' EQUALITY caseIgnoreMatch SYNTAX
>>> 1.3.6.1.4.1.1466.115.121.1.15)
>>>
>>> There should be no problem with case sensitivity already.
>>>
>> OK I presume that the UPN suffixes on AD are also case-insensitive so
>> everything should be alright.
> Yes, as everything realm-related on AD side, they are case-insensitive.
>
> Updated patch attached.

1.) there is one unused import that makes pylint choke:

"""
************* Module com.redhat.idm
install/oddjob/com.redhat.idm.trust-fetch-domains:6: 
[W0611(unused-import), ] Unused errors imported from ipalib)
Makefile:137: recipe for target 'lint' failed
make: *** [lint] Error 1
"""

2.) The UPN suffixes are added during trust establishment and I can also 
kinit as the enterprise principal using one of UPNs, but only when using 
two-way trust. Is this expected? I was not able to find any clue in the 
design page but maybe I was just not looking hard enough.

-- 
Martin^3 Babinsky

More information about the Freeipa-devel mailing list