[Freeipa-devel] [PATCH] 0154-0158 improve trust operations

Alexander Bokovoy abokovoy at redhat.com
Fri Aug 29 14:39:29 UTC 2014


On Fri, 29 Aug 2014, Martin Kosek wrote:
>On 08/29/2014 11:35 AM, Alexander Bokovoy wrote:
>> On Fri, 29 Aug 2014, Sumit Bose wrote:
>>> On Thu, Aug 21, 2014 at 01:43:35PM +0300, Alexander Bokovoy wrote:
>>>> Hi!
>>>>
>>>> Attached patchset improves trust operations:
>>>>
>>>> 1. Ensures we only allow establishing trust to forest root domain
>>>> 2. Ensures that we select primary domain controllers
>>>> 3. Ensures first create trust and later set it to transitive state and
>>>>   update forest topology
>>>> 4. Relaxes filtering of domains obtained from AD side to allow some of
>>>>   possible topology combinations which were not accounted for
>>>>   previously
>>>> 5. Reverts to any PDC rather than a closest one if closest one is not
>>>>   available due to site mismanagement.
>>>>
>>>> Affected tickets:
>>>>  https://fedorahosted.org/freeipa/ticket/4463
>>>>  https://fedorahosted.org/freeipa/ticket/4479
>>>>  https://fedorahosted.org/freeipa/ticket/4458
>>>>
>>>> The patches should apply cleanly to master and ipa-3-3 (and 4-0/4-1
>>>> branches).
>>>>
>>>> They were tested with Windows Server 2008R2 and Windows Server 2012
>>>> environments.
>>>
>>> Patches are looking good and I didn't find any issue in my tests, ACK.
>>>
>>> I only have a question about 158. I wonder if the admin calling ipa
>>> trust-add would be interested to see that setting the transitive
>>> attribute failed? Currently it is buried in the logs so chances are that
>>> nobody will recognise it.
>> Unfortunately, we don't have means in the framework to return warnings
>> nicely formatted and separated from the original output.
>
>What about http://www.freeipa.org/page/V3/Messages? We can do warnings already:
>
># ipa dnszone-add example.test --forwarder 10.0.0.1 --name-server=`hostname`.
>Administrator e-mail address [hostmaster.example.test.]:
>ipa: WARNING: DNS forwarder semantics changed since IPA 4.0.
>You may want to use forward zones (dnsforwardzone-*) instead.
>For more details read the docs.
We need to understand consequences. If setting transitive flag on the
trust will fail, what does it mean for the trust's use? And what does it
mean in the context of one-way trust work?

Adding to that, there is another consideration: which leg of the trust
failed? With two-way trust we have four of them, with one-way there will
be two legs. Since the code is structured in such a way that all of these
calls are symmetrical, we'll need to pass up the warning to some higher
caller and there decide what has happened. The task quickly goes beyond
a simple use of messages.

I don't have myself all answers yet. :)

-- 
/ Alexander Bokovoy