[Freeipa-devel] [PATCH] 0154-0158 improve trust operations

Martin Kosek mkosek at redhat.com
Fri Aug 29 14:24:34 UTC 2014


On 08/29/2014 11:35 AM, Alexander Bokovoy wrote:
> On Fri, 29 Aug 2014, Sumit Bose wrote:
>> On Thu, Aug 21, 2014 at 01:43:35PM +0300, Alexander Bokovoy wrote:
>>> Hi!
>>>
>>> Attached patchset improves trust operations:
>>>
>>> 1. Ensures we only allow establishing trust to forest root domain
>>> 2. Ensures that we select primary domain controllers
>>> 3. Ensures first create trust and later set it to transitive state and
>>>   update forest topology
>>> 4. Relaxes filtering of domains obtained from AD side to allow some of
>>>   possible topology combinations which were not accounted for
>>>   previously
>>> 5. Reverts to any PDC rather than a closest one if closest one is not
>>>   available due to site mismanagement.
>>>
>>> Affected tickets:
>>>  https://fedorahosted.org/freeipa/ticket/4463
>>>  https://fedorahosted.org/freeipa/ticket/4479
>>>  https://fedorahosted.org/freeipa/ticket/4458
>>>
>>> The patches should apply cleanly to master and ipa-3-3 (and 4-0/4-1
>>> branches).
>>>
>>> They were tested with Windows Server 2008R2 and Windows Server 2012
>>> environments.
>>
>> Patches are looking good and I didn't find any issue in my tests, ACK.
>>
>> I only have a question about 158. I wonder if the admin calling ipa
>> trust-add would be interested to see that setting the transitive
>> attribute failed? Currently it is buried in the logs so chances are that
>> nobody will recognise it.
> Unfortunately, we don't have means in the framework to return warnings
> nicely formatted and separated from the original output.

What about http://www.freeipa.org/page/V3/Messages? We can do warnings already:

# ipa dnszone-add example.test --forwarder 10.0.0.1 --name-server=`hostname`.
Administrator e-mail address [hostmaster.example.test.]:
ipa: WARNING: DNS forwarder semantics changed since IPA 4.0.
You may want to use forward zones (dnsforwardzone-*) instead.
For more details read the docs.
  Zone name: example.test.
  Active zone: TRUE
  Zone forwarders: 10.0.0.1
  Authoritative nameserver: ipa.mkosek-fedora20.test.
  Administrator e-mail address: hostmaster.example.test.
  SOA serial: 1409322255
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  BIND update policy: grant MKOSEK-FEDORA20.TEST krb5-self * A; grant MKOSEK-FEDORA20.TEST krb5-self * AAAA; grant MKOSEK-FEDORA20.TEST krb5-self * SSHFP;
  Dynamic update: FALSE
  Allow query: any;
  Allow transfer: none;


> Thus, I decided
> to leave it as it is, without additional Python exception raising
> because one can easily see the error message when enabling debug output,
> even without restarting Apache.
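
The warning mechanism Martin points at, as an added stand-alone sketch (not FreeIPA's own code, and not part of the thread): a command result dict carries a separate `messages` list that the client renders apart from the normal output, so a trust that was created but could not be made transitive is reported to the admin instead of only to the server log. The class and function names (`PublicMessage`, `add_message`, `TrustNotTransitiveWarning`), the capability version tuple, the error code and the stubbed `set_transitive` callback are all assumptions made for this example; the real API is described at http://www.freeipa.org/page/V3/Messages.

```python
"""Stand-alone model of the "messages" pattern: a secondary failure becomes a
warning attached to the command result rather than a silent log line.
This is an illustration written for this thread, not FreeIPA code."""

import logging

logger = logging.getLogger(__name__)

# Assumed: clients at or above this API version understand a 'messages' key.
MESSAGES_CAPABILITY_VERSION = (2, 52)


class PublicMessage(UserWarning):
    """Base class for warnings that are safe to show to the caller."""
    errno = 10000          # assumed base code for this example
    type = 'warning'
    format = ''

    def __init__(self, **kw):
        self.msg = self.format % kw
        super().__init__(self.msg)

    def to_dict(self):
        return {'type': self.type, 'name': type(self).__name__,
                'code': self.errno, 'message': self.msg}


class TrustNotTransitiveWarning(PublicMessage):
    """Assumed message class: trust exists but is not transitive."""
    errno = 13001
    format = ("Trust to %(domain)s was created but could not be made "
              "transitive: %(reason)s. Users from other domains of the "
              "forest will not be able to authenticate until this is fixed.")


def add_message(client_version, result, message):
    """Attach a message to the result if the client can display it;
    otherwise fall back to the server log so nothing is lost."""
    if client_version >= MESSAGES_CAPABILITY_VERSION:
        result.setdefault('messages', []).append(message.to_dict())
    else:
        logger.warning('%s', message.msg)


def trust_add(domain, client_version, set_transitive):
    """Create the trust, then try to make it transitive.

    set_transitive is injected (a callable raising RuntimeError on failure)
    so the example runs offline; a real command would talk to the DC here.
    """
    # Primary operation: the trust object itself (constructed sample data).
    result = {'result': {'cn': domain,
                         'ipanttrusttype': 'ad',
                         'ipanttrustdirection': 'two-way'},
              'value': domain}
    # Secondary operation: failure must not abort, but must not be hidden.
    try:
        set_transitive(domain)
    except RuntimeError as exc:
        logger.debug('setting transitive flag on %s failed: %s', domain, exc)
        add_message(client_version, result,
                    TrustNotTransitiveWarning(domain=domain, reason=str(exc)))
    return result


def render(result):
    """Client side: warnings first, separated from the attribute listing."""
    lines = ['ipa: %s: %s' % (m['type'].upper(), m['message'])
             for m in result.get('messages', [])]
    lines += ['  %s: %s' % (k, v) for k, v in result['result'].items()]
    return '\n'.join(lines)


if __name__ == '__main__':
    def deny(domain):
        raise RuntimeError('access denied by remote DC')
    print(render(trust_add('ad.example.test', (2, 100), deny)))
```

With an old client (version below the capability) the warning still lands in the server log, which is exactly the state the thread complains about; with a new client it is printed above the attribute list, in the same shape as the `dnszone-add` output quoted earlier.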
