[Freeipa-devel] [PATCH] 0042-0048 AD trusts support (master)

Sumit Bose sbose at redhat.com
Tue Jun 5 10:19:47 UTC 2012


On Mon, Jun 04, 2012 at 03:32:36PM +0300, Alexander Bokovoy wrote:
> On Mon, 04 Jun 2012, Martin Kosek wrote:
> >I did another round of testing and this is what I found so far:
> >
> >1) freeipa.spec.in was missing python-crypto BuildRequires (you fixed
> >that)
> >
> >2) Unit tests need to be updated, currently there is about a dozen test
> >case errors, e.g. extra ipakrbprincipalalias attribute in services or
> >new ipakrbprincipal objectclass for hosts
> Ok, will fix.
> 
> >3) Replication did not work too well for me this time.
> >ipa-replica-install reported just one issue during installation process:
> >
> >2012-06-04T09:42:51Z DEBUG   [24/30]: enabling S4U2Proxy delegation
> >2012-06-04T09:42:51Z DEBUG args=/usr/bin/ldapmodify -h
> >vm-057.idm.lab.bos.redhat.com -v -f /tmp/       tmpifHccf -x -D
> >cn=Directory Manager -y /tmp/tmppqaAdV
> >2012-06-04T09:42:51Z DEBUG stdout=
> >2012-06-04T09:42:51Z DEBUG
> >stderr=ldap_initialize( ldap://vm-057.idm.lab.bos.redhat.com )
> >ldapmodify: wrong attributeType at line 5, entry
> >"cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,dc=idm,
> >dc=lab,dc=bos,dc=redhat,dc=com"
> >
> >2012-06-04T09:42:51Z CRITICAL Failed to load replica-s4u2proxy.ldif:
> >Command '/usr/bin/ldapmodify -h   vm-057.idm.lab.bos.redhat.com -v
> >-f /tmp/tmpifHccf -x -D cn=Directory Manager -y /tmp/tmppqaAdV'
> >returned non-zero exit status 247
> Found and fixed. The issue was in not following RFC2849 when specifying
> multiple changetype operations, you need to split their definitions by a
> single line with '-' on it.
> 
> I squashed the fix back to the original patch.
> 
> >But this may be just a symptom of some bigger issue. After the
> >installation finished, DS did not start, it kept reporting Kerberos
> >issues:
> >
> >[04/Jun/2012:05:46:00 -0400] set_krb5_creds - Could not get initial
> >credentials for principal
> >[ldap/vm-057.idm.lab.bos.redhat.com at IDM.LAB.BOS.REDHAT.COM] in keytab
> >[FILE:/etc/dirsrv/ds.keytab]: -1765328324 (Generic error (see e-text))
> >[04/Jun/2012:05:46:00 -0400] - slapd started.  Listening on All
> >Interfaces port 389 for LDAP requests
> >[04/Jun/2012:05:46:00 -0400] - Listening on All Interfaces port 636 for
> >LDAPS requests
> >[04/Jun/2012:05:46:00 -0400] - Listening
> >on /var/run/slapd-IDM-LAB-BOS-REDHAT-COM.socket for LDAPI requests
> >[04/Jun/2012:05:46:00 -0400] slapd_ldap_sasl_interactive_bind - Error:
> >could not perform interactive bind for id [] mech [GSSAPI]: LDAP error
> >-2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified
> >GSS failure.  Minor code may provide more information (Credentials cache
> >file '/tmp/krb5cc_498' not found)) errno 0 (Success)
> >[04/Jun/2012:05:46:00 -0400] slapi_ldap_bind - Error: could not perform
> >interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
> >[04/Jun/2012:05:46:00 -0400] NSMMReplicationPlugin -
> >agmt="cn=meTovm-125.idm.lab.bos.redhat.com" (vm-125:389): Replication
> >bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1):
> >generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may
> >provide more information (Credentials cache file '/tmp/krb5cc_498' not
> >found))
> >
> >When I run "ipactl restart", dirsrv started and I was able to kinit.
> Maybe it is a timing issue?
> 
> 
> >4) Patch "Add separate attribute to store trusted domain SID" still has
> >a wrong service part of the principal to be removed (s/ldap/cifs):
> >
> >+        dn3 = DN(u'cn=ipa-cifs-delegation-targets',
> >api.env.container_s4u2proxy, self.suffix)
> >+        member_principal3 = "ldap/%(fqdn)s@%(realm)s" %
> >dict(fqdn=replica, realm=realm)
> >+
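Review bot: member_principal3 uses the ldap/ service prefix while dn3 targets cn=ipa-cifs-delegation-targets; the principal should be "cifs/%(fqdn)s@%(realm)s" so the CIFS member entry is actually removed from the S4U2Proxy configuration when the replica is uninstalled (the ldap/ principal never matches and the lookup silently removes nothing).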
> >
> >This leaves CIFS entry in the S4U2Proxy configuration even after replica
> >uninstallation.
> Fixed and squashed back to the original patch.
> 
> >Btw. these are the packages I use:
> >389-ds-base-1.2.10.4-2.fc17.x86_64
> >krb5-server-1.10-5.fc17.x86_64
> >samba4-4.0.0-123alpha21.fc17.x86_64
> Same here. For me anything newer than 1.2.10.4-2 will blow 389-ds.


I tested your latest tree against w2k8r2 and was able to create and
validate the trust. So ACK to the functional part.

bye,
Sumit

> 
> -- 
> / Alexander Bokovoy
> 
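As an added example, not part of this thread and not FreeIPA code: a small Python checker for the RFC 2849 rule Alexander mentions, that each mod-spec (add:/delete:/replace:) after the first in a "changetype: modify" record must be preceded by a line containing a single '-'. The two embedded LDIF records are constructed; the DN, hostnames and values are made up (memberPrincipal and description are real attribute names). The first record runs two add operations together the way the broken replica-s4u2proxy.ldif did, the second is the same change written correctly, and insert_separators() turns the former into the latter.

```python
"""Check RFC 2849 'changetype: modify' records for missing '-' separators,
the defect that made ldapmodify reject the replica LDIF in the thread.
Constructed example, not FreeIPA code."""

MOD_OPS = ("add", "delete", "replace")

# Constructed: two add operations with no '-' line between them.
BROKEN_LDIF = """\
dn: cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,dc=example,dc=test
changetype: modify
add: memberPrincipal
memberPrincipal: HTTP/replica.example.test@EXAMPLE.TEST
add: description
description: constructed example of a second mod-spec
"""

# Constructed: the same change written as RFC 2849 requires.
FIXED_LDIF = """\
dn: cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,dc=example,dc=test
changetype: modify
add: memberPrincipal
memberPrincipal: HTTP/replica.example.test@EXAMPLE.TEST
-
add: description
description: constructed example of a second mod-spec
-
"""


def split_records(text):
    """Split LDIF text into records (lists of logical lines).
    Records are separated by blank lines; a line starting with one space
    continues the previous line (LDIF folding); '#' lines are comments."""
    records, current = [], []
    for raw in text.splitlines():
        if raw == "":
            if current:
                records.append(current)
                current = []
        elif raw.startswith(" ") and current:
            current[-1] += raw[1:]
        elif not raw.startswith("#"):
            current.append(raw)
    if current:
        records.append(current)
    return records


def check_modify_record(lines):
    """Return the problems found in one record ([] for a non-modify record
    or one whose later mod-specs are each preceded by a '-' line)."""
    if len(lines) < 2 or not lines[1].lower().startswith("changetype: modify"):
        return []
    dn = lines[0].partition(":")[2].strip()
    problems = []
    op = attr = None   # mod-spec currently open
    closed = True      # True once a '-' has ended the open mod-spec
    for lineno, line in enumerate(lines[2:], start=3):
        if line == "-":
            if op is None:
                problems.append(f"{dn}: stray '-' at record line {lineno}")
            op, closed = None, True
            continue
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key in MOD_OPS:
            if not closed:
                problems.append(
                    f"{dn}: '{key}: {value}' at record line {lineno} "
                    f"follows '{op}: {attr}' without a '-' separator")
            op, attr, closed = key, value, False
        elif op is None:
            problems.append(f"{dn}: '{key}' at record line {lineno} is outside any mod-spec")
        elif key != attr.lower():
            problems.append(
                f"{dn}: '{key}' at record line {lineno} does not match "
                f"the open '{op}: {attr}' mod-spec")
    # RFC 2849 also requires a '-' after the last mod-spec; its absence is
    # not reported here because it is not what breaks parsing of the next one.
    return problems


def check_ldif(text):
    """Problems across every record of an LDIF document."""
    out = []
    for rec in split_records(text):
        out.extend(check_modify_record(rec))
    return out


def insert_separators(lines):
    """Return a copy of a modify record with a '-' inserted before each
    mod-spec that directly follows the previous one, and one after the last."""
    if len(lines) < 2 or not lines[1].lower().startswith("changetype: modify"):
        return list(lines)
    fixed, open_spec = lines[:2], False
    for line in lines[2:]:
        key = line.partition(":")[0].strip().lower()
        if line == "-":
            open_spec = False
        elif key in MOD_OPS:
            if open_spec:
                fixed.append("-")
            open_spec = True
        fixed.append(line)
    if open_spec:
        fixed.append("-")
    return fixed


if __name__ == "__main__":
    for problem in check_ldif(BROKEN_LDIF):
        print("broken:", problem)
    print("fixed:", check_ldif(FIXED_LDIF) or "no problems")
    print("\n".join(insert_separators(split_records(BROKEN_LDIF)[0])))
```

Running it on the constructed broken record reports the second "add:" at record line 5 as following the first mod-spec without a separator, which is the same kind of line ldapmodify trips over before it ever sends the change to the server; the fixed record passes clean. Running such a check over generated LDIF before an installer feeds it to ldapmodify turns a "wrong attributeType" failure mid-install into an error caught at build or test time.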
