[Freeipa-devel] [PATCH] 0118 add support for subdomains

Tomas Babej tbabej at redhat.com
Mon Sep 30 11:05:15 UTC 2013


On 09/28/2013 10:01 PM, Alexander Bokovoy wrote:
> On Fri, 27 Sep 2013, Sumit Bose wrote:
>> On Fri, Sep 27, 2013 at 03:53:08PM +0300, Alexander Bokovoy wrote:
>>> On Mon, 23 Sep 2013, Alexander Bokovoy wrote:
>>> >On Mon, 23 Sep 2013, Alexander Bokovoy wrote:
>>> >>On Mon, 23 Sep 2013, Alexander Bokovoy wrote:
>>> >>>On Mon, 23 Sep 2013, Martin Kosek wrote:
>>> >>>>>>However, we don't have trust type available so it needs to be discovered
>>> >>>>>>every time. This doesn't play well with the framework, it is simply not
>>> >>>>>>expecting dynamic containers.
>>> >>>>>
>>> >>>>>This doesn't sound like a big obstacle to me. Right now the trust_type lookup
>>> >>>>>is done in trust_show.execute() for some reason, which is not the best place to
>>> >>>>>do it IMHO. Doing it in trust.get_dn() instead should simplify things enough to
>>> >>>>>make parent_object work.
>>> >>>>
>>> >>>>Yup, get_dn() is the method where object DN lookup should be done. See for
>>> >>>>example host.py plugin get_dn method, we also do a dynamic lookup for correct
>>> >>>>host name.
>>> >>>I'll see if that would work.
>>> >>>
>>> >>>>the best way to implement dynamic DN gathering is the get_dn() method. That
>>> >>>>way, it could be implemented in one place and all commands could take advantage
>>> >>>>of it instead of re-implementing it several times in pre_callback - this is
>>> >>>>just hackish.
>>> >>>I'd suggest you look into the code. The commands use pre_callback for a
>>> >>>different purpose than implementing dynamic DN gathering.
>>> >>>
>>> >>>>I think it would have been very useful to have a design page before sending a
>>> >>>>patch. It is then easier to make design decisions without having to dig into
>>> >>>>the patch.
>>> >>>The design page has been there for a long time:
>>> >>>http://www.freeipa.org/page/V3/Transitive_Trusts
>>> >>Ok, here is a new version of the patch and an updated version of my 0117
>>> >>patch as Sumit noticed I've sent the wrong version.
>>> >Ok, here is the updated 0118 which fixes the API.txt change for trustdomain_add
>>> >-- I renamed trustdomain_create to trustdomain_add but forgot to rerun
>>> >makeapi.
>>> New edition attached for all subdomain-related patches:
>>
>> I did some tests and all is working as expected.
>>
>>>
>>> freeipa-abbra-0117-ipaserver-dcerpc.py-populate-forest-trust-informatio-3.patch 
>>>
>>>   Use realmdomains to report name suffix routes at the time we 
>>> establish trust
>>>
>>> freeipa-abbra-0118-trusts-support-subdomains-in-a-forest-3.patch
>>>   Introduce trustdomain-* commands to fetch list of domains associated
>>>   with a forest trust and allow filtering them off
>>
>> We talked on irc that ipaNTSupportedEncryptionTypes in the filter
>> for the trusted domains should be replaced by a different attribute.
>> Because of an error in ipasam the ipaNTSupportedEncryptionTypes is only
>> set in recent versions and might not be present in the directory trees of
>> older versions.
> Fixed in the attached patch 0118 version 4.
>
> Also attached first attempt to implement transiting through trusted
> domains, as patch 0123. In this patch we grant transition only if all
> three realms (client, transited realm, and server realm) match any of
> our trusted domains and our domain. This is probably a bit wider but it
> worked for me bidirectionally, from a child domain to a service in IPA,
> and from IPA realm to a service in a child domain of a forest trust.
>
>
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel

Hi,

here are my comments:

*PATCH 117*

+    def get_realmdomains(self):
+        """
+        Generate list of records for forest trust information about
+        our realm domains. Note that the list generated currently
+        includes only top level domains, no exclusion domains, and no 
TDO objects
+        as we handle the latter in a separte way
+        """

A nitpick typo: separte -> separate.

Also, there's trailing whitespace in the patch:

Applying: ipaserver/dcerpc.py: populate forest trust information using realmdomains
/home/tbabej/dev/freeipa/.git/rebase-apply/patch:62: trailing whitespace.
         Only top level name and top level name exclusions are handled here.
/home/tbabej/dev/freeipa/.git/rebase-apply/patch:174: trailing whitespace.

warning: 2 lines add whitespace errors.


*PATCH 119*

We also need to change the frontend tests that cover this functionality:

======================================================================
FAIL: Test the ``ipalib.frontend.Command.args`` instance attribute.
----------------------------------------------------------------------
Traceback (most recent call last):
   File "/usr/lib/python2.7/site-packages/nose/case.py", line 197, in runTest
     self.test(*self.arg)
   File "/home/tbabej/dev/freeipa/ipatests/test_ipalib/test_frontend.py", line 283, in test_args
     assert str(e) == 'arg2: required argument after optional'
AssertionError

See ipatests/test_ipalib/test_frontend.py, line 281:

         # Test ValueError, required after optional:
         e = raises(ValueError, self.get_instance, args=('arg1?', 'arg2'))
         assert str(e) == 'arg2: required argument after optional'


*PATCH 120*

When I try to add a trust, I get internal error:

echo $AD_PASSWORD | ipa trust-add --type=ad $AD_DOMAIN --admin Administrator --password

[Wed Sep 25 10:28:53.978664 2013] [:error] [pid 7905] ipa: ERROR: non-public: IndexError: tuple index out of range
[Wed Sep 25 10:28:53.978702 2013] [:error] [pid 7905] Traceback (most recent call last):
[Wed Sep 25 10:28:53.978708 2013] [:error] [pid 7905]   File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 333, in wsgi_execute
[Wed Sep 25 10:28:53.978713 2013] [:error] [pid 7905]     result = self.Command[name](*args, **options)
[Wed Sep 25 10:28:53.978720 2013] [:error] [pid 7905]   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 436, in __call__
[Wed Sep 25 10:28:53.978725 2013] [:error] [pid 7905]     ret = self.run(*args, **options)
[Wed Sep 25 10:28:53.978730 2013] [:error] [pid 7905]   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 755, in run
[Wed Sep 25 10:28:53.978734 2013] [:error] [pid 7905]     result = self.execute(*args, **options)
[Wed Sep 25 10:28:53.978739 2013] [:error] [pid 7905]   File "/usr/lib/python2.7/site-packages/ipalib/plugins/trust.py", line 338, in execute
[Wed Sep 25 10:28:53.978744 2013] [:error] [pid 7905]     self.add_range(range_name, dom_sid, *keys, **options)
[Wed Sep 25 10:28:53.978748 2013] [:error] [pid 7905]   File "/usr/lib/python2.7/site-packages/ipalib/plugins/trust.py", line 549, in add_range
[Wed Sep 25 10:28:53.978755 2013] [:error] [pid 7905]     quiet=True)
[Wed Sep 25 10:28:53.978759 2013] [:error] [pid 7905]   File "/usr/lib/python2.7/site-packages/ipaserver/dcerpc.py", line 507, in search_in_dc
[Wed Sep 25 10:28:53.978764 2013] [:error] [pid 7905]     info = self.__retrieve_trusted_domain_gc_list(domain)
[Wed Sep 25 10:28:53.978769 2013] [:error] [pid 7905]   File "/usr/lib/python2.7/site-packages/ipaserver/dcerpc.py", line 595, in __retrieve_trusted_domain_gc_list
[Wed Sep 25 10:28:53.978774 2013] [:error] [pid 7905]     info['auth'] = self._domains[domain][2]
[Wed Sep 25 10:28:53.978778 2013] [:error] [pid 7905] IndexError: tuple index out of range
[Wed Sep 25 10:28:53.979248 2013] [:error] [pid 7905] ipa: INFO: admin@DOM006.TBAD.IPA.COM: trust_add(u'tbad.ipa.com', trust_type=u'ad', realm_admin=u'Administrator', realm_passwd=u'********', all=False, raw=False, version=u'2.65'): IndexError

I think we need to do the following changes here:

diff --git a/ipaserver/dcerpc.py b/ipaserver/dcerpc.py
index fa5c449..4ac0a5f 100644
--- a/ipaserver/dcerpc.py
+++ b/ipaserver/dcerpc.py
@@ -565,7 +565,6 @@ class DomainValidator(object):
          Returns dictionary with following keys
               name       -- NetBIOS name of the trusted domain
               dns_domain -- DNS name of the trusted domain
-             auth       -- encrypted credentials for trusted domain account
               gc         -- array of tuples (server, port) for Global 
Catalog
          """
          if domain in self._info:
@@ -592,7 +591,6 @@ class DomainValidator(object):
              self._domains = self.get_trusted_domains()

          info = dict()
-        info['auth'] = self._domains[domain][2]
          servers = []

          if result:
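Review bot: dropping `info['auth'] = self._domains[domain][2]` removes a key from the dictionary that __retrieve_trusted_domain_gc_list() returns to search_in_dc() (dcerpc.py:507 in the traceback above), so any code that still reads info['auth'] will trade this IndexError for a KeyError; before taking this hunk, confirm there is no remaining reader of the key, and if the credentials are still needed somewhere, the fix belongs in get_trusted_domains() returning the third tuple element again rather than here.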

After applying this fix, I get:

tbabej at vm-006 freeipa]$ echo $AD_PASSWORD | ipa trust-add --type=ad $AD_DOMAIN --admin Administrator --password
ipa: ERROR: CIFS server communication error: code "-1073741811",
                   message "Unexpected information received" (both may be "None")

I was unable to track this one down in a reasonable timeframe; I suggest we continue on IRC.

-- 
Tomas Babej
Associate Software Engineer | Red Hat | Identity Management
RHCE | Brno Site | IRC: tbabej | freeipa.org
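The transit rule Alexander describes for patch 0123 in the quoted reply above (grant a cross-realm ticket only when the client realm, the transited realm and the server realm each match our own realm or one of our trusted domains), written out as an added toy model in Python. This is not FreeIPA's KDB plugin code and did not appear in the thread; the ForestTrust and TransitPolicy names, the enabled flag used to model a forest subdomain that has been filtered off through the trustdomain-* commands, and every realm name below are constructed for the example.

```python
# Added example (not FreeIPA code): a toy model of the transit rule described for
# patch 0123 -- a cross-realm ticket is granted only if the client realm, every
# transited realm and the server realm each belong to our own realm or to one of
# our forest trusts. Names, types and sample data below are constructed.
from dataclasses import dataclass, field
from typing import Dict, Sequence, Set, Tuple


def normalize_realm(name: str) -> str:
    """Canonical form used for comparison: an AD realm is its DNS domain name
    upper-cased; surrounding whitespace and a trailing DNS dot are dropped."""
    return name.strip().rstrip(".").upper()


@dataclass
class ForestTrust:
    """One forest trust: the forest root plus the subdomains the trustdomain-*
    commands expose, each with an enabled flag so a domain can be filtered off
    (hypothetical structure; the real data lives in LDAP)."""
    root: str
    subdomains: Dict[str, bool] = field(default_factory=dict)

    def enabled_realms(self) -> Set[str]:
        realms = {normalize_realm(self.root)}
        realms.update(normalize_realm(d) for d, on in self.subdomains.items() if on)
        return realms


class TransitPolicy:
    """Decide whether a ticket that travelled client -> transited ... -> server
    may be issued, using the every-realm-must-be-known rule from the thread."""

    def __init__(self, our_realm: str, trusts: Sequence[ForestTrust]):
        self.allowed: Set[str] = {normalize_realm(our_realm)}
        for trust in trusts:
            self.allowed |= trust.enabled_realms()

    def check(self, client_realm: str, transited: Sequence[str],
              server_realm: str) -> Tuple[bool, str]:
        """Return (granted, reason). Every realm on the path must be allowed;
        the first unknown, disabled or empty realm is named in the reason."""
        for hop in [client_realm, *transited, server_realm]:
            realm = normalize_realm(hop)
            if not realm:
                return False, "empty realm name in transit path"
            if realm not in self.allowed:
                return False, (f"realm {realm} is neither our realm nor an "
                               "enabled trusted domain")
        return True, "all realms on the path are trusted"


# Constructed sample: our IPA realm plus one AD forest with two child domains,
# one of which has been filtered off.
POLICY = TransitPolicy(
    our_realm="IPA.EXAMPLE.TEST",
    trusts=[ForestTrust(
        root="ad.example.test",
        subdomains={"child.ad.example.test": True, "lab.ad.example.test": False},
    )],
)

if __name__ == "__main__":
    for client, via, server in [
        ("IPA.EXAMPLE.TEST", ["AD.EXAMPLE.TEST"], "CHILD.AD.EXAMPLE.TEST"),
        ("child.ad.example.test.", ["AD.EXAMPLE.TEST"], "IPA.EXAMPLE.TEST"),
        ("LAB.AD.EXAMPLE.TEST", ["AD.EXAMPLE.TEST"], "IPA.EXAMPLE.TEST"),
        ("OTHER.TEST", [], "IPA.EXAMPLE.TEST"),
    ]:
        granted, reason = POLICY.check(client, via, server)
        print("GRANT" if granted else "DENY ", client, "->", via, "->", server, ":", reason)
```

The check is made realm by realm and never asks whether two adjacent realms on the path actually trust each other, so a path through any mix of known realms is accepted in both directions, from a child domain to an IPA service and back; that breadth is the point Alexander flags when he calls the rule "probably a bit wider" than needed. A subdomain that has been filtered off is simply absent from the allowed set, so a ticket that passed through it is refused with the offending realm in the reason.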
