[Freeipa-devel] [PATCHES 523-525] replica install: add remote connection check over API

Jan Cholasta jcholast at redhat.com
Mon Dec 14 06:23:18 UTC 2015


On 11.12.2015 18:49, Tomas Babej wrote:
>
>
> On 12/11/2015 05:37 PM, Martin Basti wrote:
>>
>>
>> On 11.12.2015 15:40, Jan Cholasta wrote:
>>> On 11.12.2015 08:03, Jan Cholasta wrote:
>>>> On 11.12.2015 07:08, Jan Cholasta wrote:
>>>>> On 10.12.2015 15:56, Martin Babinsky wrote:
>>>>>> On 12/10/2015 09:48 AM, Jan Cholasta wrote:
>>>>>>> On 9.12.2015 16:38, Jan Cholasta wrote:
>>>>>>>> On 9.12.2015 14:52, Jan Cholasta wrote:
>>>>>>>>> On 9.12.2015 10:02, Jan Cholasta wrote:
>>>>>>>>>> Hi,
>>>>>>>>>>
>>>>>>>>>> the attached patches fix
>>>>>>>>>> <https://fedorahosted.org/freeipa/ticket/5497>.
>>>>>>>>>
>>>>>>>>> Note that this needs a selinux-policy fix to work, so put SELinux
>>>>>>>>> into permissive mode for testing:
>>>>>>>>> <https://bugzilla.redhat.com/show_bug.cgi?id=1289930>.
>>>>>>>>
>>>>>>>> Updated patches attached.
>>>>>>>
>>>>>>> I screwed up a change in patch 524 and accidentally included a
>>>>>>> chunk of code in patch 525 that doesn't belong in it.
>>>>>>>
>>>>>>> Updated patches attached.
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>>>>> Patches work as expected and I was not able to find any functional
>>>>>> problem.
>>>>>>
>>>>>> I have a question about the naming of the oddjob helper script: the
>>>>>> one related to trusts is named 'com.redhat.idm.trust-fetch-domains',
>>>>>> and the conncheck runner is named 'org.freeipa.server.conncheck'. I
>>>>>> don't want to start another bikeshedding conversation, but shouldn't
>>>>>> we name them in a consistent fashion (either rename the first one in a
>>>>>> separate patch or rename the new helper to
>>>>>> com.redhat.idm.server.conncheck)?
>>>>>>
>>>>>> I understand that as an upstream, we should go with the 'org.freeipa.*'
>>>>>> convention, but having two helpers with different prefixes makes me
>>>>>> sad.
>>>>>
>>>>> If you look at the larger picture, org.freeipa is the consistent name.
>>>>> It makes me sad as well, but mistakes should be corrected. This is
>>>>> similar to how we use PEP8 in new code, but do not fix it in old code
>>>>> just for the sake of fixing it.
>>>>>
>>>>>>
>>>>>> That is a nitpick though, it does not affect the overall functionality
>>>>>> of the patches so ACK.
>>>>>
>>>>> Thanks for the review. The current patch 523 breaks the trusts oddjob
>>>>> with SELinux in enforcing mode, I will send an update which corrects
>>>>> that, until bug 1289930 is fixed.
>>>>
>>>> Updated patches attached.
>>>
>>> Rebased on top of current master.
>>>
>>>
>>>
>> Just a question: should any kinited user be allowed to run conncheck via RPC?
>>
>> Martin^2
>
> I guess there's little harm; any kinited user that was allowed to
> access the machine could perform the conncheck even without these patches:

In the RPC check, the user must have the Replication Administrators 
privilege, which by default only admins have.

>
> # ipa-replica-conncheck --master master.ipa.test -p random@IPA.TEST -w ratarata -a -r IPA.TEST
> Check connection from replica to remote master 'master.ipa.test':
>     Directory Service: Unsecure port (389): OK
>     Directory Service: Secure port (636): OK
>     Kerberos KDC: TCP (88): OK
>     Kerberos Kpasswd: TCP (464): OK
>     HTTP Server: Unsecure port (80): OK
>     HTTP Server: Secure port (443): OK
>
> The following list of ports use UDP protocol and would need to be
> checked manually:
>     Kerberos KDC: UDP (88): SKIPPED
>     Kerberos Kpasswd: UDP (464): SKIPPED
>
> Connection from replica to master is OK.
> Start listening on required ports for remote master check
> Get credentials to log in to remote master
> Check SSH connection to remote master
> Execute check on remote master
> Check connection from master to remote replica 'replica.ipa.test':
>     Directory Service: Unsecure port (389): OK
>     Directory Service: Secure port (636): OK
>     Kerberos KDC: TCP (88): OK
>     Kerberos KDC: UDP (88): OK
>     Kerberos Kpasswd: TCP (464): OK
>     Kerberos Kpasswd: UDP (464): OK
>     HTTP Server: Unsecure port (80): OK
>     HTTP Server: Secure port (443): OK
>
> Connection from master to replica is OK.
>


-- 
Jan Cholasta
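The replica-to-master half of the check whose output is quoted above, as an added example that is not part of these patches or of FreeIPA's own code: it probes the TCP ports from the ipa-replica-conncheck port table and reports UDP entries as SKIPPED, which is exactly why the tool needs the second pass executed on the master (the step these patches move behind the API and the Replication Administrators privilege). The port table, host names and the loopback self-test in demo() are constructed for this example.

```python
import socket

# Port table mirrored from the ipa-replica-conncheck output quoted above,
# as (service, port, protocol). Constructed for this example.
REPLICA_TO_MASTER_CHECKS = [
    ("Directory Service: Unsecure port", 389, "tcp"),
    ("Directory Service: Secure port", 636, "tcp"),
    ("Kerberos KDC", 88, "tcp"),
    ("Kerberos KDC", 88, "udp"),
    ("Kerberos Kpasswd", 464, "tcp"),
    ("Kerberos Kpasswd", 464, "udp"),
    ("HTTP Server: Unsecure port", 80, "tcp"),
    ("HTTP Server: Secure port", 443, "tcp"),
]

def check_tcp(host, port, timeout=2.0):
    """True if a TCP connection to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def run_checks(host, checks, timeout=2.0):
    """Probe one direction (replica -> master). TCP ports are connected to;
    UDP ports are reported SKIPPED, because a UDP send cannot distinguish a
    listening KDC from a silent firewall. The real tool therefore runs a
    second pass on the master, which connects back to the replica's ports."""
    results = []
    for name, port, proto in checks:
        if proto == "udp":
            status = "SKIPPED"
        else:
            status = "OK" if check_tcp(host, port, timeout) else "FAILED"
        results.append((name, port, proto, status))
    return results

def demo():
    """Loopback self-test: one listening TCP port, one released port, one UDP."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    spare = socket.socket()
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()  # port is free again, so connecting to it is refused
    checks = [("open", srv.getsockname()[1], "tcp"),
              ("closed", closed_port, "tcp"), ("Kerberos KDC", 88, "udp")]
    results = run_checks("127.0.0.1", checks, timeout=1.0)
    srv.close()
    return results
```

Running run_checks("master.ipa.test", REPLICA_TO_MASTER_CHECKS) against a real master reproduces the first block of the quoted output, with the two UDP rows SKIPPED.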