[Freeipa-devel] [PATCH] 0118 add support for subdomains

Alexander Bokovoy abokovoy at redhat.com
Mon Sep 30 12:31:43 UTC 2013


On Mon, 30 Sep 2013, Tomas Babej wrote:
>On 09/28/2013 10:01 PM, Alexander Bokovoy wrote:
>>On Fri, 27 Sep 2013, Sumit Bose wrote:
>>>On Fri, Sep 27, 2013 at 03:53:08PM +0300, Alexander Bokovoy wrote:
>>>>On Mon, 23 Sep 2013, Alexander Bokovoy wrote:
>>>>>On Mon, 23 Sep 2013, Alexander Bokovoy wrote:
>>>>>>On Mon, 23 Sep 2013, Alexander Bokovoy wrote:
>>>>>>>On Mon, 23 Sep 2013, Martin Kosek wrote:
>>>>>>>>>>However, we don't have trust type available so it needs to be discovered
>>>>>>>>>>every time. This doesn't play well with the framework, it is simply not
>>>>>>>>>>expecting dynamic containers.
>>>>>>>>>
>>>>>>>>>This doesn't sound like a big obstacle to me. Right now the trust_type lookup
>>>>>>>>>is done in trust_show.execute() for some reason, which is not the best place to
>>>>>>>>>do it IMHO. Doing it in trust.get_dn() instead should simplify things enough to
>>>>>>>>>make parent_object work.
>>>>>>>>
>>>>>>>>Yup, get_dn() is the method where object DN lookup should be done. See for
>>>>>>>>example host.py plugin get_dn method, we also do a dynamic lookup for correct
>>>>>>>>host name.
>>>>>>>I'll see if that would work.
>>>>>>>
>>>>>>>>the best way to implement dynamic DN gathering is the get_dn() method. That
>>>>>>>>way, it could be implemented in one place and all commands could take advantage
>>>>>>>>of it instead of re-implementing it several times in pre_callback - this is
>>>>>>>>just hackish.
>>>>>>>I'd suggest you look into the code. The commands use pre_callback for a
>>>>>>>different purpose than implementing dynamic DN gathering.
>>>>>>>
>>>>>>>>I think it would have been very useful to have a design page before sending a
>>>>>>>>patch. It is then easier to make design decisions without having to dig into
>>>>>>>>the patch.
>>>>>>>The design page has been there for a long time:
>>>>>>>http://www.freeipa.org/page/V3/Transitive_Trusts
>>>>>>Ok, here is new version of the patch and updated version of my 0117
>>>>>>patch as Sumit noticed I've sent wrong version.
>>>>>Ok, here is updated 0118 which fixes API.txt change for trustdomain_add
>>>>>-- I renamed trustdomain_create to trustdomain_add but forgot to rerun
>>>>>makeapi.
>>>>New edition attached for all subdomain-related patches:
>>>
>>>I did some tests and all is working as expected.
>>>
>>>>
>>>>freeipa-abbra-0117-ipaserver-dcerpc.py-populate-forest-trust-informatio-3.patch
>>>>
>>>>  Use realmdomains to report name suffix routes at the time we establish trust
>>>>
>>>>freeipa-abbra-0118-trusts-support-subdomains-in-a-forest-3.patch
>>>>  Introduce trustdomain-* commands to fetch list of domains associated
>>>>  with a forest trust and allow filtering them off
>>>
>>>We talked on irc that ipaNTSupportedEncryptionTypes in the filter
>>>for the trusted domains should be replaced by a different attribute.
>>>Because of an error in ipasam the ipaNTSupportedEncryptionTypes is only
>>>set in recent versions and might not be present in the directory trees of
>>>older versions.
>>Fixed in the attached patch 0118 version 4.
>>
>>Also attached first attempt to implement transiting through trusted
>>domains, as patch 0123. In this patch we grant transition only if all
>>three realms (client, transited realm, and server realm) match any of
>>our trusted domains and our domain. This is probably a bit wider but it
>>worked for me bidirectionally, from a child domain to a service in IPA,
>>and from IPA realm to a service in a child domain of a forest trust.
>>
>>
>>
>>_______________________________________________
>>Freeipa-devel mailing list
>>Freeipa-devel at redhat.com
>>https://www.redhat.com/mailman/listinfo/freeipa-devel
>
>Hi,
>
>here are my comments:
>
>*PATCH 117*
>
>+    def get_realmdomains(self):
>+        """
>+        Generate list of records for forest trust information about
>+        our realm domains. Note that the list generated currently
>+        includes only top level domains, no exclusion domains, and no TDO objects
>+        as we handle the latter in a separte way
>+        """
>
>A nitpick typo: separte -> separate.
Fixed.

>
>Also, there's trailing whitespace in the patch:
>
>Applying: ipaserver/dcerpc.py: populate forest trust information using realmdomains
>/home/tbabej/dev/freeipa/.git/rebase-apply/patch:62: trailing whitespace.
>        Only top level name and top level name exclusions are handled here.
>/home/tbabej/dev/freeipa/.git/rebase-apply/patch:174: trailing whitespace.
>
>warning: 2 lines add whitespace errors.
Fixed.

>
>
>*PATCH 119*
>
>We also need to change the frontend tests that cover this functionality:
>
>======================================================================
>FAIL: Test the ``ipalib.frontend.Command.args`` instance attribute.
>----------------------------------------------------------------------
>Traceback (most recent call last):
>  File "/usr/lib/python2.7/site-packages/nose/case.py", line 197, in runTest
>    self.test(*self.arg)
>  File "/home/tbabej/dev/freeipa/ipatests/test_ipalib/test_frontend.py", line 283, in test_args
>    assert str(e) == 'arg2: required argument after optional'
>AssertionError
>
>See ipatests/test_ipalib/test_frontend.py, line 281:
>
>        # Test ValueError, required after optional:
>        e = raises(ValueError, self.get_instance, args=('arg1?', 'arg2'))
>        assert str(e) == 'arg2: required argument after optional'
Ok, will fix. This patch is not essential, of course, so we can decide
what to do with it later.

>
>
>*PATCH 120*
>
>When I try to add a trust, I get internal error:
>
>echo $AD_PASSWORD | ipa trust-add --type=ad $AD_DOMAIN --admin Administrator --password
>
>[Wed Sep 25 10:28:53.978664 2013] [:error] [pid 7905] ipa: ERROR: non-public: IndexError: tuple index out of range
>[Wed Sep 25 10:28:53.978702 2013] [:error] [pid 7905] Traceback (most recent call last):
>[Wed Sep 25 10:28:53.978708 2013] [:error] [pid 7905]   File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 333, in wsgi_execute
>[Wed Sep 25 10:28:53.978713 2013] [:error] [pid 7905]     result = self.Command[name](*args, **options)
>[Wed Sep 25 10:28:53.978720 2013] [:error] [pid 7905]   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 436, in __call__
>[Wed Sep 25 10:28:53.978725 2013] [:error] [pid 7905]     ret = self.run(*args, **options)
>[Wed Sep 25 10:28:53.978730 2013] [:error] [pid 7905]   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 755, in run
>[Wed Sep 25 10:28:53.978734 2013] [:error] [pid 7905]     result = self.execute(*args, **options)
>[Wed Sep 25 10:28:53.978739 2013] [:error] [pid 7905]   File "/usr/lib/python2.7/site-packages/ipalib/plugins/trust.py", line 338, in execute
>[Wed Sep 25 10:28:53.978744 2013] [:error] [pid 7905]     self.add_range(range_name, dom_sid, *keys, **options)
>[Wed Sep 25 10:28:53.978748 2013] [:error] [pid 7905]   File "/usr/lib/python2.7/site-packages/ipalib/plugins/trust.py", line 549, in add_range
>[Wed Sep 25 10:28:53.978755 2013] [:error] [pid 7905]     quiet=True)
>[Wed Sep 25 10:28:53.978759 2013] [:error] [pid 7905]   File "/usr/lib/python2.7/site-packages/ipaserver/dcerpc.py", line 507, in search_in_dc
>[Wed Sep 25 10:28:53.978764 2013] [:error] [pid 7905]     info = self.__retrieve_trusted_domain_gc_list(domain)
>[Wed Sep 25 10:28:53.978769 2013] [:error] [pid 7905]   File "/usr/lib/python2.7/site-packages/ipaserver/dcerpc.py", line 595, in __retrieve_trusted_domain_gc_list
>[Wed Sep 25 10:28:53.978774 2013] [:error] [pid 7905]     info['auth'] = self._domains[domain][2]
>[Wed Sep 25 10:28:53.978778 2013] [:error] [pid 7905] IndexError: tuple index out of range
>[Wed Sep 25 10:28:53.979248 2013] [:error] [pid 7905] ipa: INFO: admin at DOM006.TBAD.IPA.COM: trust_add(u'tbad.ipa.com', trust_type=u'ad', realm_admin=u'Administrator', realm_passwd=u'********', all=False, raw=False, version=u'2.65'): IndexError
>
>I think we need to do the following changes here:
>
>diff --git a/ipaserver/dcerpc.py b/ipaserver/dcerpc.py
>index fa5c449..4ac0a5f 100644
>--- a/ipaserver/dcerpc.py
>+++ b/ipaserver/dcerpc.py
>@@ -565,7 +565,6 @@ class DomainValidator(object):
>         Returns dictionary with following keys
>              name       -- NetBIOS name of the trusted domain
>              dns_domain -- DNS name of the trusted domain
>-             auth       -- encrypted credentials for trusted domain account
>              gc         -- array of tuples (server, port) for Global 
>Catalog
>         """
>         if domain in self._info:
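Review bot: this docstring hunk is only correct together with the second hunk that drops the `info['auth'] = self._domains[domain][2]` assignment; the two should land in one commit, otherwise the docstring documents a key the dict never carries (or stops documenting one it still does). While touching the docstring, it would help to state where the credentials used to talk to the trusted domain now come from, since the traceback shows `search_in_dc` consuming this dict right before authenticating to the DC.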
>@@ -592,7 +591,6 @@ class DomainValidator(object):
>             self._domains = self.get_trusted_domains()
>
>         info = dict()
>-        info['auth'] = self._domains[domain][2]
>         servers = []
>
>         if result:
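Review bot: deleting `info['auth'] = self._domains[domain][2]` removes the symptom rather than the cause. `self._domains` is filled one line above by `self.get_trusted_domains()`, and the IndexError says its tuples now have fewer than three elements, so please confirm that the third (credentials) element was dropped deliberately in the 0117/0118 changes and that no other caller of `get_trusted_domains()` still indexes `[2]`. Also check that `search_in_dc` (dcerpc.py line 507 in the traceback) and anything else reading this dict no longer looks up `info['auth']`, otherwise the IndexError just turns into a KeyError one frame up.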
>
>After applying this fix, I get:
>
>[tbabej at vm-006 freeipa]$ echo $AD_PASSWORD | ipa trust-add --type=ad $AD_DOMAIN --admin Administrator --password
>ipa: ERROR: CIFS server communication error: code "-1073741811",
>                  message "Unexpected information received" (both may be "None")
>
>I was unable to track this one down in a reasonable timeframe; I suggest we continue on IRC.
I've fixed this. At the time we establish trust, there could be a race
condition when cross-realm TGT is not yet ready so we cannot rely on it
when fetching domains. As we have administrator's credentials here, I've
added use of them in addition to Kerberos.


I'll send new patchset shortly.

-- 
/ Alexander Bokovoy
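Added example, not code from the patches under discussion: a Python sketch of the transited-realm policy patch 0123 describes, where the transition is granted only if the client realm, every transited realm and the server realm are each our own realm or one of the trusted domains (forest child domains included). The sample realm names, the `to_realm` normalisation and the flat comma-split of the transited field are assumptions of this example, not FreeIPA's implementation; the RFC 4120 compressed forms of the transited field are deliberately not expanded, so an abbreviated or empty entry is refused rather than guessed at.

```python
"""Added example (not FreeIPA code): the transited-realm policy described
for patch 0123, applied to constructed sample realms."""
from __future__ import annotations

# Constructed sample data (assumption, not from the thread): our realm and the
# DNS names of a trusted AD forest root plus one forest child domain.
OUR_REALM = "IPA.EXAMPLE.TEST"
TRUSTED_DOMAINS = frozenset({"ad.example.test", "child.ad.example.test"})


def to_realm(dns_name: str) -> str:
    """Map a DNS domain name to the Kerberos realm name AD uses for it.

    Assumption: the AD realm is the DNS name upper-cased, without a trailing
    dot.  IPA keeps trusted domain names in lower case, so both sides of the
    comparison are normalised through this function.
    """
    return dns_name.rstrip(".").upper()


def split_transited(transited: str) -> list[str]:
    """Split a transited field into realm names.

    Assumption: the field is a plain comma-separated list of full realm
    names.  RFC 4120 allows compressed entries (leading/trailing '.', empty
    components); they are NOT expanded here.  Keeping such entries verbatim
    means they fail the membership test below instead of being guessed at.
    An empty field is the direct cross-realm case: no intermediate realm.
    """
    if not transited:
        return []
    return transited.split(",")


def check_transited(client_realm: str, transited: str, server_realm: str,
                    our_realm: str = OUR_REALM,
                    trusted_domains: frozenset[str] = TRUSTED_DOMAINS) -> tuple[bool, str]:
    """Return (allowed, reason) for a cross-realm TGS request.

    Policy from the thread: the client realm, each realm in the transited
    field and the server realm must each be our own realm or one of the
    trusted domains.  Anything else, including a malformed or unknown
    entry, is denied.  Realm names are compared case-sensitively, as
    Kerberos does, so a lower-case realm is rejected rather than folded.
    """
    known = {to_realm(our_realm)} | {to_realm(d) for d in trusted_domains}
    path = [client_realm, *split_transited(transited), server_realm]
    for realm in path:
        if realm not in known:
            return False, "realm %r is neither our realm nor a trusted domain" % (realm,)
    return True, "every realm on the path is known"


def demo() -> dict[str, bool]:
    """Run the policy over constructed requests; keys describe the case."""
    cases = {
        # child domain user -> IPA service, transiting the forest root
        "child_to_ipa": ("CHILD.AD.EXAMPLE.TEST", "AD.EXAMPLE.TEST", OUR_REALM),
        # IPA user -> service in the child domain, the reverse direction
        "ipa_to_child": (OUR_REALM, "AD.EXAMPLE.TEST", "CHILD.AD.EXAMPLE.TEST"),
        # direct trust, empty transited field
        "direct": ("AD.EXAMPLE.TEST", "", OUR_REALM),
        # a realm we have no trust with appears on the path
        "unknown_hop": ("CHILD.AD.EXAMPLE.TEST", "AD.EXAMPLE.TEST,ROGUE.TEST", OUR_REALM),
        # RFC 4120 compressed entry: refused because it is not expanded
        "compressed": ("CHILD.AD.EXAMPLE.TEST", "AD.,EXAMPLE.TEST", OUR_REALM),
        # empty component inside the field is malformed for this check
        "empty_component": ("AD.EXAMPLE.TEST", ",", OUR_REALM),
        # lower-case realm is a different Kerberos realm name
        "lowercase_realm": ("child.ad.example.test", "", OUR_REALM),
    }
    return {name: check_transited(*args)[0] for name, args in cases.items()}


if __name__ == "__main__":
    for name, allowed in demo().items():
        print("%-16s %s" % (name, "ALLOW" if allowed else "DENY"))
```

As the thread notes, this check is wider than a strict trust-path check: it accepts any ordering of known realms and does not verify that consecutive realms on the path actually share a trust, which is why it works in both directions between the IPA realm and a forest child domain.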



