|
|
c58629 |
From aae0cc2fdaeead8ff33ade93e73d6aba25704659 Mon Sep 17 00:00:00 2001
|
|
|
c58629 |
From: Alexander Bokovoy <abokovoy@redhat.com>
|
|
|
c58629 |
Date: Fri, 17 Nov 2017 17:25:57 +0200
|
|
|
c58629 |
Subject: [PATCH] ipaserver/plugins/trust.py: pep8 compliance
|
|
|
c58629 |
|
|
|
c58629 |
Reviewed-By: Christian Heimes <cheimes@redhat.com>
|
|
|
c58629 |
Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
|
|
|
c58629 |
---
|
|
|
c58629 |
ipaserver/plugins/trust.py | 356 +++++++++++++++++++++++++++------------------
|
|
|
c58629 |
1 file changed, 214 insertions(+), 142 deletions(-)
|
|
|
c58629 |
|
|
|
c58629 |
diff --git a/ipaserver/plugins/trust.py b/ipaserver/plugins/trust.py
|
|
|
c58629 |
index d01529ee022d4a4f9b671a8f06156ed450326041..73e137abcec9625997a619fe64d4f615743247b1 100644
|
|
|
c58629 |
--- a/ipaserver/plugins/trust.py
|
|
|
c58629 |
+++ b/ipaserver/plugins/trust.py
|
|
|
c58629 |
@@ -81,10 +81,10 @@ Cross-realm trusts
|
|
|
c58629 |
|
|
|
c58629 |
Manage trust relationship between IPA and Active Directory domains.
|
|
|
c58629 |
|
|
|
c58629 |
-In order to allow users from a remote domain to access resources in IPA
|
|
|
c58629 |
-domain, trust relationship needs to be established. Currently IPA supports
|
|
|
c58629 |
-only trusts between IPA and Active Directory domains under control of Windows
|
|
|
c58629 |
-Server 2008 or later, with functional level 2008 or later.
|
|
|
c58629 |
+In order to allow users from a remote domain to access resources in IPA domain,
|
|
|
c58629 |
+trust relationship needs to be established. Currently IPA supports only trusts
|
|
|
c58629 |
+between IPA and Active Directory domains under control of Windows Server 2008
|
|
|
c58629 |
+or later, with functional level 2008 or later.
|
|
|
c58629 |
|
|
|
c58629 |
Please note that DNS on both IPA and Active Directory domain sides should be
|
|
|
c58629 |
configured properly to discover each other. Trust relationship relies on
|
|
|
c58629 |
@@ -95,7 +95,8 @@ Examples:
|
|
|
c58629 |
1. Establish cross-realm trust with Active Directory using AD administrator
|
|
|
c58629 |
credentials:
|
|
|
c58629 |
|
|
|
c58629 |
- ipa trust-add --type=ad <ad.domain> --admin <AD domain administrator> --password
|
|
|
c58629 |
+ ipa trust-add --type=ad <ad.domain> --admin <AD domain administrator> \
|
|
|
c58629 |
+ --password
|
|
|
c58629 |
|
|
|
c58629 |
2. List all existing trust relationships:
|
|
|
c58629 |
|
|
|
c58629 |
@@ -110,35 +111,39 @@ Examples:
|
|
|
c58629 |
ipa trust-del <ad.domain>
|
|
|
c58629 |
|
|
|
c58629 |
Once trust relationship is established, remote users will need to be mapped
|
|
|
c58629 |
-to local POSIX groups in order to actually use IPA resources. The mapping should
|
|
|
c58629 |
-be done via use of external membership of non-POSIX group and then this group
|
|
|
c58629 |
-should be included into one of local POSIX groups.
|
|
|
c58629 |
+to local POSIX groups in order to actually use IPA resources. The mapping
|
|
|
c58629 |
+should be done via use of external membership of non-POSIX group and then
|
|
|
c58629 |
+this group should be included into one of local POSIX groups.
|
|
|
c58629 |
|
|
|
c58629 |
Example:
|
|
|
c58629 |
|
|
|
c58629 |
-1. Create group for the trusted domain admins' mapping and their local POSIX group:
|
|
|
c58629 |
+1. Create group for the trusted domain admins' mapping and their local POSIX
|
|
|
c58629 |
+group:
|
|
|
c58629 |
|
|
|
c58629 |
- ipa group-add --desc='<ad.domain> admins external map' ad_admins_external --external
|
|
|
c58629 |
+ ipa group-add --desc='<ad.domain> admins external map' \
|
|
|
c58629 |
+ ad_admins_external --external
|
|
|
c58629 |
ipa group-add --desc='<ad.domain> admins' ad_admins
|
|
|
c58629 |
|
|
|
c58629 |
-2. Add security identifier of Domain Admins of the <ad.domain> to the ad_admins_external
|
|
|
c58629 |
- group:
|
|
|
c58629 |
+2. Add security identifier of Domain Admins of the <ad.domain> to the
|
|
|
c58629 |
+ ad_admins_external group:
|
|
|
c58629 |
|
|
|
c58629 |
ipa group-add-member ad_admins_external --external 'AD\\Domain Admins'
|
|
|
c58629 |
|
|
|
c58629 |
-3. Allow members of ad_admins_external group to be associated with ad_admins POSIX group:
|
|
|
c58629 |
+3. Allow members of ad_admins_external group to be associated with
|
|
|
c58629 |
+ ad_admins POSIX group:
|
|
|
c58629 |
|
|
|
c58629 |
ipa group-add-member ad_admins --groups ad_admins_external
|
|
|
c58629 |
|
|
|
c58629 |
-4. List members of external members of ad_admins_external group to see their SIDs:
|
|
|
c58629 |
+4. List members of external members of ad_admins_external group to see
|
|
|
c58629 |
+ their SIDs:
|
|
|
c58629 |
|
|
|
c58629 |
ipa group-show ad_admins_external
|
|
|
c58629 |
|
|
|
c58629 |
|
|
|
c58629 |
GLOBAL TRUST CONFIGURATION
|
|
|
c58629 |
|
|
|
c58629 |
-When IPA AD trust subpackage is installed and ipa-adtrust-install is run,
|
|
|
c58629 |
-a local domain configuration (SID, GUID, NetBIOS name) is generated. These
|
|
|
c58629 |
+When IPA AD trust subpackage is installed and ipa-adtrust-install is run, a
|
|
|
c58629 |
+local domain configuration (SID, GUID, NetBIOS name) is generated. These
|
|
|
c58629 |
identifiers are then used when communicating with a trusted domain of the
|
|
|
c58629 |
particular type.
|
|
|
c58629 |
|
|
|
c58629 |
@@ -147,11 +152,11 @@ particular type.
|
|
|
c58629 |
ipa trustconfig-show --type ad
|
|
|
c58629 |
|
|
|
c58629 |
2. Modify global configuration for all trusts of Active Directory type and set
|
|
|
c58629 |
- a different fallback primary group (fallback primary group GID is used as
|
|
|
c58629 |
- a primary user GID if user authenticating to IPA domain does not have any other
|
|
|
c58629 |
- primary GID already set):
|
|
|
c58629 |
+ a different fallback primary group (fallback primary group GID is used as a
|
|
|
c58629 |
+ primary user GID if user authenticating to IPA domain does not have any
|
|
|
c58629 |
+ other primary GID already set):
|
|
|
c58629 |
|
|
|
c58629 |
- ipa trustconfig-mod --type ad --fallback-primary-group "alternative AD group"
|
|
|
c58629 |
+ ipa trustconfig-mod --type ad --fallback-primary-group "another AD group"
|
|
|
c58629 |
|
|
|
c58629 |
3. Change primary fallback group back to default hidden group (any group with
|
|
|
c58629 |
posixGroup object class is allowed):
|
|
|
c58629 |
@@ -185,6 +190,7 @@ def make_trust_dn(env, trust_type, dn):
|
|
|
c58629 |
return DN(dn, container_dn)
|
|
|
c58629 |
return dn
|
|
|
c58629 |
|
|
|
c58629 |
+
|
|
|
c58629 |
def find_adtrust_masters(ldap, api):
|
|
|
c58629 |
"""
|
|
|
c58629 |
Returns a list of names of IPA servers with ADTRUST component configured.
|
|
|
c58629 |
@@ -200,6 +206,7 @@ def find_adtrust_masters(ldap, api):
|
|
|
c58629 |
|
|
|
c58629 |
return [entry.dn[1].value for entry in entries]
|
|
|
c58629 |
|
|
|
c58629 |
+
|
|
|
c58629 |
def verify_samba_component_presence(ldap, api):
|
|
|
c58629 |
"""
|
|
|
c58629 |
Verifies that Samba is installed and configured on this particular master.
|
|
|
c58629 |
@@ -233,7 +240,7 @@ def verify_samba_component_presence(ldap, api):
|
|
|
c58629 |
|
|
|
c58629 |
# First check for packages missing
|
|
|
c58629 |
elif not _bindings_installed:
|
|
|
c58629 |
- error_message=_(
|
|
|
c58629 |
+ error_message = _(
|
|
|
c58629 |
'Cannot perform the selected command without Samba 4 support '
|
|
|
c58629 |
'installed. Make sure you have installed server-trust-ad '
|
|
|
c58629 |
'sub-package of IPA.'
|
|
|
c58629 |
@@ -243,7 +250,7 @@ def verify_samba_component_presence(ldap, api):
|
|
|
c58629 |
|
|
|
c58629 |
# Packages present, but ADTRUST instance is not configured
|
|
|
c58629 |
elif not adtrust_present:
|
|
|
c58629 |
- error_message=_(
|
|
|
c58629 |
+ error_message = _(
|
|
|
c58629 |
'Cannot perform the selected command without Samba 4 instance '
|
|
|
c58629 |
'configured on this machine. Make sure you have run '
|
|
|
c58629 |
'ipa-adtrust-install on this server.'
|
|
|
c58629 |
@@ -263,7 +270,8 @@ def generate_creds(trustinstance, style, **options):
|
|
|
c58629 |
**options -- options with realm_admin and realm_passwd keys
|
|
|
c58629 |
|
|
|
c58629 |
Result:
|
|
|
c58629 |
- a string representing credentials with first % separating username and password
|
|
|
c58629 |
+ a string representing credentials with first % separating
|
|
|
c58629 |
+ username and password
|
|
|
c58629 |
None is returned if realm_passwd key returns nothing from options
|
|
|
c58629 |
"""
|
|
|
c58629 |
creds = None
|
|
|
c58629 |
@@ -284,8 +292,9 @@ def generate_creds(trustinstance, style, **options):
|
|
|
c58629 |
else:
|
|
|
c58629 |
sp = admin_name.split(sep)
|
|
|
c58629 |
if len(sp) == 1:
|
|
|
c58629 |
- sp.append(trustinstance.remote_domain
|
|
|
c58629 |
- .info['dns_domain'].upper())
|
|
|
c58629 |
+ sp.append(
|
|
|
c58629 |
+ trustinstance.remote_domain.info['dns_domain'].upper()
|
|
|
c58629 |
+ )
|
|
|
c58629 |
creds = u"{name}%{password}".format(name=sep.join(sp),
|
|
|
c58629 |
password=password)
|
|
|
c58629 |
return creds
|
|
|
c58629 |
@@ -334,7 +343,8 @@ def add_range(myapi, trustinstance, range_name, dom_sid, *keys, **options):
|
|
|
c58629 |
creds = None
|
|
|
c58629 |
if trustinstance:
|
|
|
c58629 |
# Re-use AD administrator credentials if they were provided
|
|
|
c58629 |
- creds = generate_creds(trustinstance, style=CRED_STYLE_KERBEROS, **options)
|
|
|
c58629 |
+ creds = generate_creds(trustinstance,
|
|
|
c58629 |
+ style=CRED_STYLE_KERBEROS, **options)
|
|
|
c58629 |
if creds:
|
|
|
c58629 |
domain_validator._admin_creds = creds
|
|
|
c58629 |
# KDC might not get refreshed data at the first time,
|
|
|
c58629 |
@@ -417,21 +427,32 @@ def fetch_trusted_domains_over_dbus(myapi, log, forest_name):
|
|
|
c58629 |
_stdout = ''
|
|
|
c58629 |
_stderr = ''
|
|
|
c58629 |
bus = dbus.SystemBus()
|
|
|
c58629 |
- intf = bus.get_object(DBUS_IFACE_TRUST,"/", follow_name_owner_changes=True)
|
|
|
c58629 |
- fetch_domains_method = intf.get_dbus_method('fetch_domains', dbus_interface=DBUS_IFACE_TRUST)
|
|
|
c58629 |
+ intf = bus.get_object(DBUS_IFACE_TRUST, "/",
|
|
|
c58629 |
+ follow_name_owner_changes=True)
|
|
|
c58629 |
+ fetch_domains_method = intf.get_dbus_method(
|
|
|
c58629 |
+ 'fetch_domains',
|
|
|
c58629 |
+ dbus_interface=DBUS_IFACE_TRUST)
|
|
|
c58629 |
(_ret, _stdout, _stderr) = fetch_domains_method(forest_name)
|
|
|
c58629 |
except dbus.DBusException as e:
|
|
|
c58629 |
- log.error('Failed to call %(iface)s.fetch_domains helper.'
|
|
|
c58629 |
- 'DBus exception is %(exc)s.' % dict(iface=DBUS_IFACE_TRUST, exc=str(e)))
|
|
|
c58629 |
+ log.error(
|
|
|
c58629 |
+ 'Failed to call %(iface)s.fetch_domains helper. '
|
|
|
c58629 |
+ 'DBus exception is %(exc)s.' % dict(iface=DBUS_IFACE_TRUST, exc=str(e))
|
|
|
c58629 |
+ )
|
|
|
c58629 |
if _ret != 0:
|
|
|
c58629 |
- log.error('Helper was called for forest %(forest)s, return code is %(ret)d' % dict(forest=forest_name, ret=_ret))
|
|
|
c58629 |
- log.error('Standard output from the helper:\n%s---\n' % (_stdout))
|
|
|
c58629 |
- log.error('Error output from the helper:\n%s--\n' % (_stderr))
|
|
|
c58629 |
- raise errors.ServerCommandError(server=myapi.env.host,
|
|
|
c58629 |
- error=_('Fetching domains from trusted forest failed. '
|
|
|
c58629 |
- 'See details in the error_log'))
|
|
|
c58629 |
+ log.error(
|
|
|
c58629 |
+ 'Helper was called for forest %s, return code is %d',
|
|
|
c58629 |
+ forest_name, _ret
|
|
|
c58629 |
+ )
|
|
|
c58629 |
+ log.error('Standard output from the helper:\n%s---\n', _stdout)
|
|
|
c58629 |
+ log.error('Error output from the helper:\n%s--\n', _stderr)
|
|
|
c58629 |
+ raise errors.ServerCommandError(
|
|
|
c58629 |
+ server=myapi.env.host,
|
|
|
c58629 |
+ error=_('Fetching domains from trusted forest failed. '
|
|
|
c58629 |
+ 'See details in the error_log')
|
|
|
c58629 |
+ )
|
|
|
c58629 |
return
|
|
|
c58629 |
|
|
|
c58629 |
+
|
|
|
c58629 |
@register()
|
|
|
c58629 |
class trust(LDAPObject):
|
|
|
c58629 |
"""
|
|
|
c58629 |
@@ -538,8 +559,8 @@ class trust(LDAPObject):
|
|
|
c58629 |
continue
|
|
|
c58629 |
for value in values:
|
|
|
c58629 |
if not ipaserver.dcerpc.is_sid_valid(value):
|
|
|
c58629 |
- raise errors.ValidationError(name=attr,
|
|
|
c58629 |
- error=_("invalid SID: %(value)s") % dict(value=value))
|
|
|
c58629 |
+ err = unicode(_("invalid SID: {SID}")).format(SID=value)
|
|
|
c58629 |
+ raise errors.ValidationError(name=attr, error=err)
|
|
|
c58629 |
|
|
|
c58629 |
def get_dn(self, *keys, **kwargs):
|
|
|
c58629 |
trust_type = kwargs.get('trust_type')
|
|
|
c58629 |
@@ -600,7 +621,8 @@ class trust(LDAPObject):
|
|
|
c58629 |
add_message(
|
|
|
c58629 |
options['version'],
|
|
|
c58629 |
result,
|
|
|
c58629 |
- BrokenTrust(domain=entry.single_value['cn']))
|
|
|
c58629 |
+ BrokenTrust(domain=entry.single_value['cn'])
|
|
|
c58629 |
+ )
|
|
|
c58629 |
|
|
|
c58629 |
|
|
|
c58629 |
@register()
|
|
|
c58629 |
@@ -622,7 +644,7 @@ sides.
|
|
|
c58629 |
range_types = {
|
|
|
c58629 |
u'ipa-ad-trust': unicode(_('Active Directory domain range')),
|
|
|
c58629 |
u'ipa-ad-trust-posix': unicode(_('Active Directory trust range with '
|
|
|
c58629 |
- 'POSIX attributes')),
|
|
|
c58629 |
+ 'POSIX attributes')),
|
|
|
c58629 |
}
|
|
|
c58629 |
|
|
|
c58629 |
takes_options = LDAPCreate.takes_options + (
|
|
|
c58629 |
@@ -720,9 +742,10 @@ sides.
|
|
|
c58629 |
|
|
|
c58629 |
trust_filter = "cn=%s" % result['value']
|
|
|
c58629 |
trusts, _truncated = ldap.find_entries(
|
|
|
c58629 |
- base_dn=DN(self.api.env.container_trusts, self.api.env.basedn),
|
|
|
c58629 |
- filter=trust_filter,
|
|
|
c58629 |
- attrs_list=attrs_list)
|
|
|
c58629 |
+ base_dn=DN(self.api.env.container_trusts, self.api.env.basedn),
|
|
|
c58629 |
+ filter=trust_filter,
|
|
|
c58629 |
+ attrs_list=attrs_list
|
|
|
c58629 |
+ )
|
|
|
c58629 |
|
|
|
c58629 |
result['result'] = entry_to_dict(trusts[0], **options)
|
|
|
c58629 |
|
|
|
c58629 |
@@ -731,10 +754,11 @@ sides.
|
|
|
c58629 |
# Note that add_new_domains_from_trust will add needed ranges for
|
|
|
c58629 |
# the algorithmic ID mapping case.
|
|
|
c58629 |
if (options.get('trust_type') == u'ad' and
|
|
|
c58629 |
- options.get('trust_secret') is None):
|
|
|
c58629 |
+ options.get('trust_secret') is None):
|
|
|
c58629 |
+
|
|
|
c58629 |
if options.get('bidirectional') == True:
|
|
|
c58629 |
- # Bidirectional trust allows us to use cross-realm TGT, so we can
|
|
|
c58629 |
- # run the call under original user's credentials
|
|
|
c58629 |
+ # Bidirectional trust allows us to use cross-realm TGT,
|
|
|
c58629 |
+ # so we can run the call under original user's credentials
|
|
|
c58629 |
res = fetch_domains_from_trust(self.api, self.trustinstance,
|
|
|
c58629 |
**options)
|
|
|
c58629 |
add_new_domains_from_trust(
|
|
|
c58629 |
@@ -790,7 +814,9 @@ sides.
|
|
|
c58629 |
# If domain name and realm does not match, IPA server is not be able
|
|
|
c58629 |
# to establish trust with Active Directory.
|
|
|
c58629 |
|
|
|
c58629 |
- realm_not_matching_domain = (self.api.env.domain.upper() != self.api.env.realm)
|
|
|
c58629 |
+ realm_not_matching_domain = (
|
|
|
c58629 |
+ self.api.env.domain.upper() != self.api.env.realm
|
|
|
c58629 |
+ )
|
|
|
c58629 |
|
|
|
c58629 |
if options['trust_type'] == u'ad' and realm_not_matching_domain:
|
|
|
c58629 |
raise errors.ValidationError(
|
|
|
c58629 |
@@ -917,11 +943,12 @@ sides.
|
|
|
c58629 |
)
|
|
|
c58629 |
|
|
|
c58629 |
if range_type and range_type != old_range_type:
|
|
|
c58629 |
- raise errors.ValidationError(name=_('range type change'),
|
|
|
c58629 |
- error=_('ID range for the trusted domain already exists, '
|
|
|
c58629 |
- 'but it has a different type. Please remove the '
|
|
|
c58629 |
- 'old range manually, or do not enforce type '
|
|
|
c58629 |
- 'via --range-type option.'))
|
|
|
c58629 |
+ raise errors.ValidationError(
|
|
|
c58629 |
+ name=_('range type change'),
|
|
|
c58629 |
+ error=_('ID range for the trusted domain already '
|
|
|
c58629 |
+ 'exists, but it has a different type. Please '
|
|
|
c58629 |
+ 'remove the old range manually, or do not '
|
|
|
c58629 |
+ 'enforce type via --range-type option.'))
|
|
|
c58629 |
|
|
|
c58629 |
return old_range, range_name, dom_sid
|
|
|
c58629 |
|
|
|
c58629 |
@@ -956,33 +983,55 @@ sides.
|
|
|
c58629 |
trust_type
|
|
|
c58629 |
)
|
|
|
c58629 |
except errors.NotFound:
|
|
|
c58629 |
- error_message=_("Unable to resolve domain controller for '%s' domain. ") % (keys[-1])
|
|
|
c58629 |
- instructions=[]
|
|
|
c58629 |
+ _message = _("Unable to resolve domain controller for "
|
|
|
c58629 |
+ "{domain} domain. ")
|
|
|
c58629 |
+ error_message = unicode(_message).format(domain=keys[-1])
|
|
|
c58629 |
+ instructions = []
|
|
|
c58629 |
+
|
|
|
c58629 |
if dns_container_exists(self.obj.backend):
|
|
|
c58629 |
try:
|
|
|
c58629 |
- dns_zone = self.api.Command.dnszone_show(keys[-1])['result']
|
|
|
c58629 |
- if ('idnsforwardpolicy' in dns_zone) and dns_zone['idnsforwardpolicy'][0] == u'only':
|
|
|
c58629 |
- instructions.append(_("Forward policy is defined for it in IPA DNS, "
|
|
|
c58629 |
- "perhaps forwarder points to incorrect host?"))
|
|
|
c58629 |
+ dns_zone = self.api.Command.dnszone_show(
|
|
|
c58629 |
+ keys[-1])['result']
|
|
|
c58629 |
+
|
|
|
c58629 |
+ if (('idnsforwardpolicy' in dns_zone) and
|
|
|
c58629 |
+ dns_zone['idnsforwardpolicy'][0] == u'only'):
|
|
|
c58629 |
+
|
|
|
c58629 |
+ instructions.append(
|
|
|
c58629 |
+ _("Forward policy is defined for it in "
|
|
|
c58629 |
+ "IPA DNS, perhaps forwarder points to "
|
|
|
c58629 |
+ "incorrect host?")
|
|
|
c58629 |
+ )
|
|
|
c58629 |
except (errors.NotFound, KeyError):
|
|
|
c58629 |
- instructions.append(_("IPA manages DNS, please verify "
|
|
|
c58629 |
- "your DNS configuration and "
|
|
|
c58629 |
- "make sure that service records "
|
|
|
c58629 |
- "of the '%(domain)s' domain can "
|
|
|
c58629 |
- "be resolved. Examples how to "
|
|
|
c58629 |
- "configure DNS with CLI commands "
|
|
|
c58629 |
- "or the Web UI can be found in "
|
|
|
c58629 |
- "the documentation. " ) %
|
|
|
c58629 |
- dict(domain=keys[-1]))
|
|
|
c58629 |
+ _instruction = _(
|
|
|
c58629 |
+ "IPA manages DNS, please verify your DNS "
|
|
|
c58629 |
+ "configuration and make sure that service "
|
|
|
c58629 |
+ "records of the '{domain}' domain can be "
|
|
|
c58629 |
+ "resolved. Examples how to configure DNS "
|
|
|
c58629 |
+ "with CLI commands or the Web UI can be "
|
|
|
c58629 |
+ "found in the documentation. "
|
|
|
c58629 |
+ )
|
|
|
c58629 |
+ instructions.append(
|
|
|
c58629 |
+ unicode(_instruction).format(domain=keys[-1])
|
|
|
c58629 |
+ )
|
|
|
c58629 |
else:
|
|
|
c58629 |
- instructions.append(_("Since IPA does not manage DNS records, ensure DNS "
|
|
|
c58629 |
- "is configured to resolve '%(domain)s' domain from "
|
|
|
c58629 |
- "IPA hosts and back.") % dict(domain=keys[-1]))
|
|
|
c58629 |
- raise errors.NotFound(reason=error_message, instructions=instructions)
|
|
|
c58629 |
+ _instruction = _(
|
|
|
c58629 |
+ "Since IPA does not manage DNS records, ensure "
|
|
|
c58629 |
+ "DNS is configured to resolve '{domain}' "
|
|
|
c58629 |
+ "domain from IPA hosts and back."
|
|
|
c58629 |
+ )
|
|
|
c58629 |
+ instructions.append(
|
|
|
c58629 |
+ unicode(_instruction).format(domain=keys[-1])
|
|
|
c58629 |
+ )
|
|
|
c58629 |
+ raise errors.NotFound(
|
|
|
c58629 |
+ reason=error_message,
|
|
|
c58629 |
+ instructions=instructions
|
|
|
c58629 |
+ )
|
|
|
c58629 |
|
|
|
c58629 |
if result is None:
|
|
|
c58629 |
- raise errors.ValidationError(name=_('AD Trust setup'),
|
|
|
c58629 |
- error=_('Unable to verify write permissions to the AD'))
|
|
|
c58629 |
+ raise errors.ValidationError(
|
|
|
c58629 |
+ name=_('AD Trust setup'),
|
|
|
c58629 |
+ error=_('Unable to verify write permissions to the AD')
|
|
|
c58629 |
+ )
|
|
|
c58629 |
|
|
|
c58629 |
ret = dict(
|
|
|
c58629 |
value=pkey_to_value(
|
|
|
c58629 |
@@ -1019,12 +1068,14 @@ sides.
|
|
|
c58629 |
error=_('Not enough arguments specified to perform trust '
|
|
|
c58629 |
'setup'))
|
|
|
c58629 |
|
|
|
c58629 |
+
|
|
|
c58629 |
@register()
|
|
|
c58629 |
class trust_del(LDAPDelete):
|
|
|
c58629 |
__doc__ = _('Delete a trust.')
|
|
|
c58629 |
|
|
|
c58629 |
msg_summary = _('Deleted trust "%(value)s"')
|
|
|
c58629 |
|
|
|
c58629 |
+
|
|
|
c58629 |
@register()
|
|
|
c58629 |
class trust_mod(LDAPUpdate):
|
|
|
c58629 |
__doc__ = _("""
|
|
|
c58629 |
@@ -1037,13 +1088,14 @@ class trust_mod(LDAPUpdate):
|
|
|
c58629 |
msg_summary = _('Modified trust "%(value)s" '
|
|
|
c58629 |
'(change will be effective in 60 seconds)')
|
|
|
c58629 |
|
|
|
c58629 |
- def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options):
|
|
|
c58629 |
+ def pre_callback(self, ldap, dn, e_attrs, attrs_list, *keys, **options):
|
|
|
c58629 |
assert isinstance(dn, DN)
|
|
|
c58629 |
|
|
|
c58629 |
- self.obj.validate_sid_blacklists(entry_attrs)
|
|
|
c58629 |
+ self.obj.validate_sid_blacklists(e_attrs)
|
|
|
c58629 |
|
|
|
c58629 |
return dn
|
|
|
c58629 |
|
|
|
c58629 |
+
|
|
|
c58629 |
@register()
|
|
|
c58629 |
class trust_find(LDAPSearch):
|
|
|
c58629 |
__doc__ = _('Search for trusts.')
|
|
|
c58629 |
@@ -1054,9 +1106,10 @@ class trust_find(LDAPSearch):
|
|
|
c58629 |
'%(count)d trust matched', '%(count)d trusts matched', 0
|
|
|
c58629 |
)
|
|
|
c58629 |
|
|
|
c58629 |
- # Since all trusts types are stored within separate containers under 'cn=trusts',
|
|
|
c58629 |
- # search needs to be done on a sub-tree scope
|
|
|
c58629 |
- def pre_callback(self, ldap, filters, attrs_list, base_dn, scope, *args, **options):
|
|
|
c58629 |
+ # Since all trusts types are stored within separate containers
|
|
|
c58629 |
+ # under 'cn=trusts', search needs to be done on a sub-tree scope
|
|
|
c58629 |
+ def pre_callback(self, ldap, filters, attrs_list,
|
|
|
c58629 |
+ base_dn, scope, *args, **options):
|
|
|
c58629 |
# list only trust, not trust domains
|
|
|
c58629 |
return (filters, base_dn, ldap.SCOPE_SUBTREE)
|
|
|
c58629 |
|
|
|
c58629 |
@@ -1076,13 +1129,16 @@ class trust_find(LDAPSearch):
|
|
|
c58629 |
trust_type = attrs.single_value.get('ipanttrusttype', None)
|
|
|
c58629 |
attributes = attrs.single_value.get('ipanttrustattributes', 0)
|
|
|
c58629 |
if not options.get('raw', False) and trust_type is not None:
|
|
|
c58629 |
- attrs['trusttype'] = [trust_type_string(trust_type, attributes)]
|
|
|
c58629 |
+ attrs['trusttype'] = [
|
|
|
c58629 |
+ trust_type_string(trust_type, attributes)
|
|
|
c58629 |
+ ]
|
|
|
c58629 |
del attrs['ipanttrusttype']
|
|
|
c58629 |
if attributes:
|
|
|
c58629 |
del attrs['ipanttrustattributes']
|
|
|
c58629 |
|
|
|
c58629 |
return truncated
|
|
|
c58629 |
|
|
|
c58629 |
+
|
|
|
c58629 |
@register()
|
|
|
c58629 |
class trust_show(LDAPRetrieve):
|
|
|
c58629 |
__doc__ = _('Display information about a trust.')
|
|
|
c58629 |
@@ -1098,7 +1154,7 @@ class trust_show(LDAPRetrieve):
|
|
|
c58629 |
|
|
|
c58629 |
return result
|
|
|
c58629 |
|
|
|
c58629 |
- def post_callback(self, ldap, dn, entry_attrs, *keys, **options):
|
|
|
c58629 |
+ def post_callback(self, ldap, dn, e_attrs, *keys, **options):
|
|
|
c58629 |
|
|
|
c58629 |
assert isinstance(dn, DN)
|
|
|
c58629 |
# Translate ipanttrusttype to trusttype
|
|
|
c58629 |
@@ -1106,25 +1162,28 @@ class trust_show(LDAPRetrieve):
|
|
|
c58629 |
# if --raw not used
|
|
|
c58629 |
|
|
|
c58629 |
if not options.get('raw', False):
|
|
|
c58629 |
- trust_type = entry_attrs.single_value.get('ipanttrusttype', None)
|
|
|
c58629 |
- attributes = entry_attrs.single_value.get('ipanttrustattributes', 0)
|
|
|
c58629 |
+ trust_type = e_attrs.single_value.get('ipanttrusttype', None)
|
|
|
c58629 |
+ attributes = e_attrs.single_value.get('ipanttrustattributes', 0)
|
|
|
c58629 |
if trust_type is not None:
|
|
|
c58629 |
- entry_attrs['trusttype'] = [trust_type_string(trust_type, attributes)]
|
|
|
c58629 |
- del entry_attrs['ipanttrusttype']
|
|
|
c58629 |
+ e_attrs['trusttype'] = [
|
|
|
c58629 |
+ trust_type_string(trust_type, attributes)
|
|
|
c58629 |
+ ]
|
|
|
c58629 |
+ del e_attrs['ipanttrusttype']
|
|
|
c58629 |
|
|
|
c58629 |
- dir_str = entry_attrs.single_value.get('ipanttrustdirection', None)
|
|
|
c58629 |
+ dir_str = e_attrs.single_value.get('ipanttrustdirection', None)
|
|
|
c58629 |
if dir_str is not None:
|
|
|
c58629 |
- entry_attrs['trustdirection'] = [trust_direction_string(dir_str)]
|
|
|
c58629 |
- del entry_attrs['ipanttrustdirection']
|
|
|
c58629 |
+ e_attrs['trustdirection'] = [trust_direction_string(dir_str)]
|
|
|
c58629 |
+ del e_attrs['ipanttrustdirection']
|
|
|
c58629 |
|
|
|
c58629 |
if attributes:
|
|
|
c58629 |
- del entry_attrs['ipanttrustattributes']
|
|
|
c58629 |
+ del e_attrs['ipanttrustattributes']
|
|
|
c58629 |
|
|
|
c58629 |
return dn
|
|
|
c58629 |
|
|
|
c58629 |
|
|
|
c58629 |
_trustconfig_dn = {
|
|
|
c58629 |
- u'ad': DN(('cn', api.env.domain), api.env.container_cifsdomains, api.env.basedn),
|
|
|
c58629 |
+ u'ad': DN(('cn', api.env.domain),
|
|
|
c58629 |
+ api.env.container_cifsdomains, api.env.basedn),
|
|
|
c58629 |
}
|
|
|
c58629 |
|
|
|
c58629 |
|
|
|
c58629 |
@@ -1184,8 +1243,10 @@ class trustconfig(LDAPObject):
|
|
|
c58629 |
try:
|
|
|
c58629 |
return _trustconfig_dn[kwargs['trust_type']]
|
|
|
c58629 |
except KeyError:
|
|
|
c58629 |
- raise errors.ValidationError(name='trust_type',
|
|
|
c58629 |
- error=_("unsupported trust type"))
|
|
|
c58629 |
+ raise errors.ValidationError(
|
|
|
c58629 |
+ name='trust_type',
|
|
|
c58629 |
+ error=_("unsupported trust type")
|
|
|
c58629 |
+ )
|
|
|
c58629 |
|
|
|
c58629 |
def _normalize_groupdn(self, entry_attrs):
|
|
|
c58629 |
"""
|
|
|
c58629 |
@@ -1254,8 +1315,8 @@ class trustconfig_mod(LDAPUpdate):
|
|
|
c58629 |
msg_summary = _('Modified "%(value)s" trust configuration')
|
|
|
c58629 |
has_output = output.simple_entry
|
|
|
c58629 |
|
|
|
c58629 |
- def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options):
|
|
|
c58629 |
- self.obj._normalize_groupdn(entry_attrs)
|
|
|
c58629 |
+ def pre_callback(self, ldap, dn, e_attrs, attrs_list, *keys, **options):
|
|
|
c58629 |
+ self.obj._normalize_groupdn(e_attrs)
|
|
|
c58629 |
return dn
|
|
|
c58629 |
|
|
|
c58629 |
def execute(self, *keys, **options):
|
|
|
c58629 |
@@ -1263,14 +1324,13 @@ class trustconfig_mod(LDAPUpdate):
|
|
|
c58629 |
result['value'] = pkey_to_value(options['trust_type'], options)
|
|
|
c58629 |
return result
|
|
|
c58629 |
|
|
|
c58629 |
- def post_callback(self, ldap, dn, entry_attrs, *keys, **options):
|
|
|
c58629 |
- self.obj._convert_groupdn(entry_attrs, options)
|
|
|
c58629 |
+ def post_callback(self, ldap, dn, e_attrs, *keys, **options):
|
|
|
c58629 |
+ self.obj._convert_groupdn(e_attrs, options)
|
|
|
c58629 |
self.api.Object.config.show_servroles_attributes(
|
|
|
c58629 |
- entry_attrs, "AD trust agent", "AD trust controller", **options)
|
|
|
c58629 |
+ e_attrs, "AD trust agent", "AD trust controller", **options)
|
|
|
c58629 |
return dn
|
|
|
c58629 |
|
|
|
c58629 |
|
|
|
c58629 |
-
|
|
|
c58629 |
@register()
|
|
|
c58629 |
class trustconfig_show(LDAPRetrieve):
|
|
|
c58629 |
__doc__ = _('Show global trust configuration.')
|
|
|
c58629 |
@@ -1293,18 +1353,21 @@ class trustconfig_show(LDAPRetrieve):
|
|
|
c58629 |
|
|
|
c58629 |
if _nss_idmap_installed:
|
|
|
c58629 |
_idmap_type_dict = {
|
|
|
c58629 |
- pysss_nss_idmap.ID_USER : 'user',
|
|
|
c58629 |
- pysss_nss_idmap.ID_GROUP : 'group',
|
|
|
c58629 |
- pysss_nss_idmap.ID_BOTH : 'both',
|
|
|
c58629 |
+ pysss_nss_idmap.ID_USER: 'user',
|
|
|
c58629 |
+ pysss_nss_idmap.ID_GROUP: 'group',
|
|
|
c58629 |
+ pysss_nss_idmap.ID_BOTH: 'both',
|
|
|
c58629 |
}
|
|
|
c58629 |
+
|
|
|
c58629 |
def idmap_type_string(level):
|
|
|
c58629 |
string = _idmap_type_dict.get(int(level), 'unknown')
|
|
|
c58629 |
return unicode(string)
|
|
|
c58629 |
|
|
|
c58629 |
+
|
|
|
c58629 |
@register()
|
|
|
c58629 |
class trust_resolve(Command):
|
|
|
c58629 |
NO_CLI = True
|
|
|
c58629 |
- __doc__ = _('Resolve security identifiers of users and groups in trusted domains')
|
|
|
c58629 |
+ __doc__ = _('Resolve security identifiers of users and groups '
|
|
|
c58629 |
+ 'in trusted domains')
|
|
|
c58629 |
|
|
|
c58629 |
takes_options = (
|
|
|
c58629 |
Str('sids+',
|
|
|
c58629 |
@@ -1313,8 +1376,8 @@ class trust_resolve(Command):
|
|
|
c58629 |
)
|
|
|
c58629 |
|
|
|
c58629 |
has_output_params = (
|
|
|
c58629 |
- Str('name', label= _('Name')),
|
|
|
c58629 |
- Str('sid', label= _('SID')),
|
|
|
c58629 |
+ Str('name', label=_('Name')),
|
|
|
c58629 |
+ Str('sid', label=_('SID')),
|
|
|
c58629 |
)
|
|
|
c58629 |
|
|
|
c58629 |
has_output = (
|
|
|
c58629 |
@@ -1326,13 +1389,15 @@ class trust_resolve(Command):
|
|
|
c58629 |
if not _nss_idmap_installed:
|
|
|
c58629 |
return dict(result=result)
|
|
|
c58629 |
try:
|
|
|
c58629 |
+ NAME_KEY = pysss_nss_idmap.NAME_KEY
|
|
|
c58629 |
+ TYPE_KEY = pysss_nss_idmap.TYPE_KEY
|
|
|
c58629 |
sids = [str(x) for x in options['sids']]
|
|
|
c58629 |
xlate = pysss_nss_idmap.getnamebysid(sids)
|
|
|
c58629 |
for sid in xlate:
|
|
|
c58629 |
entry = dict()
|
|
|
c58629 |
entry['sid'] = [unicode(sid)]
|
|
|
c58629 |
- entry['name'] = [unicode(xlate[sid][pysss_nss_idmap.NAME_KEY])]
|
|
|
c58629 |
- entry['type'] = [idmap_type_string(xlate[sid][pysss_nss_idmap.TYPE_KEY])]
|
|
|
c58629 |
+ entry['name'] = [unicode(xlate[sid][NAME_KEY])]
|
|
|
c58629 |
+ entry['type'] = [idmap_type_string(xlate[sid][TYPE_KEY])]
|
|
|
c58629 |
result.append(entry)
|
|
|
c58629 |
except ValueError:
|
|
|
c58629 |
pass
|
|
|
c58629 |
@@ -1340,7 +1405,6 @@ class trust_resolve(Command):
|
|
|
c58629 |
return dict(result=result)
|
|
|
c58629 |
|
|
|
c58629 |
|
|
|
c58629 |
-
|
|
|
c58629 |
@register()
|
|
|
c58629 |
class adtrust_is_enabled(Command):
|
|
|
c58629 |
NO_CLI = True
|
|
|
c58629 |
@@ -1367,7 +1431,6 @@ class adtrust_is_enabled(Command):
|
|
|
c58629 |
return dict(result=True)
|
|
|
c58629 |
|
|
|
c58629 |
|
|
|
c58629 |
-
|
|
|
c58629 |
@register()
|
|
|
c58629 |
class compat_is_enabled(Command):
|
|
|
c58629 |
NO_CLI = True
|
|
|
c58629 |
@@ -1411,7 +1474,6 @@ class compat_is_enabled(Command):
|
|
|
c58629 |
return dict(result=True)
|
|
|
c58629 |
|
|
|
c58629 |
|
|
|
c58629 |
-
|
|
|
c58629 |
@register()
|
|
|
c58629 |
class sidgen_was_run(Command):
|
|
|
c58629 |
"""
|
|
|
c58629 |
@@ -1461,7 +1523,7 @@ class trustdomain(LDAPObject):
|
|
|
c58629 |
Object representing a domain of the AD trust.
|
|
|
c58629 |
"""
|
|
|
c58629 |
parent_object = 'trust'
|
|
|
c58629 |
- trust_type_idx = {'2':u'ad'}
|
|
|
c58629 |
+ trust_type_idx = {'2': u'ad'}
|
|
|
c58629 |
object_name = _('trust domain')
|
|
|
c58629 |
object_name_plural = _('trust domains')
|
|
|
c58629 |
object_class = ['ipaNTTrustedDomain']
|
|
|
c58629 |
@@ -1478,40 +1540,39 @@ class trustdomain(LDAPObject):
|
|
|
c58629 |
Str('cn',
|
|
|
c58629 |
label=_('Domain name'),
|
|
|
c58629 |
cli_name='domain',
|
|
|
c58629 |
- primary_key=True
|
|
|
c58629 |
- ),
|
|
|
c58629 |
+ primary_key=True),
|
|
|
c58629 |
Str('ipantflatname?',
|
|
|
c58629 |
cli_name='flat_name',
|
|
|
c58629 |
- label=_('Domain NetBIOS name'),
|
|
|
c58629 |
- ),
|
|
|
c58629 |
+ label=_('Domain NetBIOS name')),
|
|
|
c58629 |
Str('ipanttrusteddomainsid?',
|
|
|
c58629 |
cli_name='sid',
|
|
|
c58629 |
- label=_('Domain Security Identifier'),
|
|
|
c58629 |
- ),
|
|
|
c58629 |
+ label=_('Domain Security Identifier')),
|
|
|
c58629 |
Flag('domain_enabled',
|
|
|
c58629 |
- label=_('Domain enabled'),
|
|
|
c58629 |
- flags={'virtual_attribute', 'no_create', 'no_update', 'no_search'},
|
|
|
c58629 |
- ),
|
|
|
c58629 |
+ label=_('Domain enabled'),
|
|
|
c58629 |
+ flags={'virtual_attribute',
|
|
|
c58629 |
+ 'no_create', 'no_update', 'no_search'}),
|
|
|
c58629 |
)
|
|
|
c58629 |
|
|
|
c58629 |
- # LDAPObject.get_dn() only passes all but last element of keys and no kwargs
|
|
|
c58629 |
- # to the parent object's get_dn() no matter what you pass to it. Make own get_dn()
|
|
|
c58629 |
- # as we really need all elements to construct proper dn.
|
|
|
c58629 |
+ # LDAPObject.get_dn() only passes all but last element of keys and no
|
|
|
c58629 |
+ # kwargs to the parent object's get_dn() no matter what you pass to it.
|
|
|
c58629 |
+ # Make own get_dn() as we really need all elements to construct proper dn.
|
|
|
c58629 |
def get_dn(self, *keys, **kwargs):
|
|
|
c58629 |
sdn = [('cn', x) for x in keys]
|
|
|
c58629 |
sdn.reverse()
|
|
|
c58629 |
trust_type = kwargs.get('trust_type')
|
|
|
c58629 |
if not trust_type:
|
|
|
c58629 |
- trust_type=u'ad'
|
|
|
c58629 |
+ trust_type = u'ad'
|
|
|
c58629 |
|
|
|
c58629 |
- dn=make_trust_dn(self.env, trust_type, DN(*sdn))
|
|
|
c58629 |
+ dn = make_trust_dn(self.env, trust_type, DN(*sdn))
|
|
|
c58629 |
return dn
|
|
|
c58629 |
|
|
|
c58629 |
+
|
|
|
c58629 |
@register()
|
|
|
c58629 |
class trustdomain_find(LDAPSearch):
|
|
|
c58629 |
__doc__ = _('Search domains of the trust')
|
|
|
c58629 |
|
|
|
c58629 |
- def pre_callback(self, ldap, filters, attrs_list, base_dn, scope, *args, **options):
|
|
|
c58629 |
+ def pre_callback(self, ldap, filters, attrs_list, base_dn,
|
|
|
c58629 |
+ scope, *args, **options):
|
|
|
c58629 |
return (filters, base_dn, ldap.SCOPE_SUBTREE)
|
|
|
c58629 |
|
|
|
c58629 |
def post_callback(self, ldap, entries, truncated, *args, **options):
|
|
|
c58629 |
@@ -1532,7 +1593,6 @@ class trustdomain_find(LDAPSearch):
|
|
|
c58629 |
return truncated
|
|
|
c58629 |
|
|
|
c58629 |
|
|
|
c58629 |
-
|
|
|
c58629 |
@register()
|
|
|
c58629 |
class trustdomain_mod(LDAPUpdate):
|
|
|
c58629 |
__doc__ = _('Modify trustdomain of the trust')
|
|
|
c58629 |
@@ -1540,31 +1600,36 @@ class trustdomain_mod(LDAPUpdate):
|
|
|
c58629 |
NO_CLI = True
|
|
|
c58629 |
takes_options = LDAPUpdate.takes_options + (_trust_type_option,)
|
|
|
c58629 |
|
|
|
c58629 |
+
|
|
|
c58629 |
@register()
|
|
|
c58629 |
class trustdomain_add(LDAPCreate):
|
|
|
c58629 |
__doc__ = _('Allow access from the trusted domain')
|
|
|
c58629 |
NO_CLI = True
|
|
|
c58629 |
|
|
|
c58629 |
takes_options = LDAPCreate.takes_options + (_trust_type_option,)
|
|
|
c58629 |
- def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options):
|
|
|
c58629 |
- # ipaNTTrustPartner must always be set to the name of the trusted domain
|
|
|
c58629 |
- # See MS-ADTS 6.1.6.7.13
|
|
|
c58629 |
- entry_attrs['ipanttrustpartner'] = [dn[0]['cn']]
|
|
|
c58629 |
+
|
|
|
c58629 |
+ def pre_callback(self, ldap, dn, e_attrs, attrs_list, *keys, **options):
|
|
|
c58629 |
+ # ipaNTTrustPartner must always be set to the name of the trusted
|
|
|
c58629 |
+ # domain. See MS-ADTS 6.1.6.7.13
|
|
|
c58629 |
+ e_attrs['ipanttrustpartner'] = [dn[0]['cn']]
|
|
|
c58629 |
return dn
|
|
|
c58629 |
|
|
|
c58629 |
|
|
|
c58629 |
@register()
|
|
|
c58629 |
class trustdomain_del(LDAPDelete):
|
|
|
c58629 |
- __doc__ = _('Remove information about the domain associated with the trust.')
|
|
|
c58629 |
+ __doc__ = _('Remove information about the domain associated '
|
|
|
c58629 |
+ 'with the trust.')
|
|
|
c58629 |
|
|
|
c58629 |
- msg_summary = _('Removed information about the trusted domain "%(value)s"')
|
|
|
c58629 |
+ msg_summary = _('Removed information about the trusted domain '
|
|
|
c58629 |
+ '"%(value)s"')
|
|
|
c58629 |
|
|
|
c58629 |
def execute(self, *keys, **options):
|
|
|
c58629 |
ldap = self.api.Backend.ldap2
|
|
|
c58629 |
verify_samba_component_presence(ldap, self.api)
|
|
|
c58629 |
|
|
|
c58629 |
- # Note that pre-/post- callback handling for LDAPDelete is causing pre_callback
|
|
|
c58629 |
- # to always receive empty keys. We need to catch the case when root domain is being deleted
|
|
|
c58629 |
+ # Note that pre-/post- callback handling for LDAPDelete is causing
|
|
|
c58629 |
+ # pre_callback to always receive empty keys. We need to catch the case
|
|
|
c58629 |
+ # when root domain is being deleted
|
|
|
c58629 |
|
|
|
c58629 |
for domain in keys[1]:
|
|
|
c58629 |
try:
|
|
|
c58629 |
@@ -1603,10 +1668,10 @@ def fetch_domains_from_trust(myapi, trustinstance, **options):
|
|
|
c58629 |
forest_root_name = trustinstance.remote_domain.info['dns_forest']
|
|
|
c58629 |
|
|
|
c58629 |
# We want to use Kerberos if we have admin credentials even with SMB calls
|
|
|
c58629 |
- # as eventually use of NTLMSSP will be deprecated for trusted domain operations
|
|
|
c58629 |
- # If admin credentials are missing, 'creds' will be None and fetch_domains
|
|
|
c58629 |
- # will use HTTP/ipa.master@IPA.REALM principal, e.g. Kerberos authentication
|
|
|
c58629 |
- # as well.
|
|
|
c58629 |
+ # as eventually use of NTLMSSP will be deprecated for trusted domain
|
|
|
c58629 |
+ # operations If admin credentials are missing, 'creds' will be None and
|
|
|
c58629 |
+ # fetch_domains will use HTTP/ipa.master@IPA.REALM principal, e.g. Kerberos
|
|
|
c58629 |
+ # authentication as well.
|
|
|
c58629 |
creds = generate_creds(trustinstance, style=CRED_STYLE_KERBEROS, **options)
|
|
|
c58629 |
server = options.get('realm_server', None)
|
|
|
c58629 |
domains = ipaserver.dcerpc.fetch_domains(
|
|
|
c58629 |
@@ -1616,7 +1681,8 @@ def fetch_domains_from_trust(myapi, trustinstance, **options):
|
|
|
c58629 |
return domains
|
|
|
c58629 |
|
|
|
c58629 |
|
|
|
c58629 |
-def add_new_domains_from_trust(myapi, trustinstance, trust_entry, domains, **options):
|
|
|
c58629 |
+def add_new_domains_from_trust(myapi, trustinstance, trust_entry,
|
|
|
c58629 |
+ domains, **options):
|
|
|
c58629 |
result = []
|
|
|
c58629 |
if not domains:
|
|
|
c58629 |
return result
|
|
|
c58629 |
@@ -1728,8 +1794,11 @@ class trustdomain_enable(LDAPQuery):
|
|
|
c58629 |
verify_samba_component_presence(ldap, self.api)
|
|
|
c58629 |
|
|
|
c58629 |
if keys[0].lower() == keys[1].lower():
|
|
|
c58629 |
- raise errors.ValidationError(name='domain',
|
|
|
c58629 |
- error=_("Root domain of the trust is always enabled for the existing trust"))
|
|
|
c58629 |
+ raise errors.ValidationError(
|
|
|
c58629 |
+ name='domain',
|
|
|
c58629 |
+ error=_("Root domain of the trust is always enabled "
|
|
|
c58629 |
+ "for the existing trust")
|
|
|
c58629 |
+ )
|
|
|
c58629 |
try:
|
|
|
c58629 |
trust_dn = self.obj.get_dn(keys[0], trust_type=u'ad')
|
|
|
c58629 |
trust_entry = ldap.get_entry(trust_dn)
|
|
|
c58629 |
@@ -1766,8 +1835,11 @@ class trustdomain_disable(LDAPQuery):
|
|
|
c58629 |
verify_samba_component_presence(ldap, self.api)
|
|
|
c58629 |
|
|
|
c58629 |
if keys[0].lower() == keys[1].lower():
|
|
|
c58629 |
- raise errors.ValidationError(name='domain',
|
|
|
c58629 |
- error=_("cannot disable root domain of the trust, use trust-del to delete the trust itself"))
|
|
|
c58629 |
+ raise errors.ValidationError(
|
|
|
c58629 |
+ name='domain',
|
|
|
c58629 |
+ error=_("cannot disable root domain of the trust, "
|
|
|
c58629 |
+ "use trust-del to delete the trust itself")
|
|
|
c58629 |
+ )
|
|
|
c58629 |
try:
|
|
|
c58629 |
trust_dn = self.obj.get_dn(keys[0], trust_type=u'ad')
|
|
|
c58629 |
trust_entry = ldap.get_entry(trust_dn)
|
|
|
c58629 |
--
|
|
|
c58629 |
2.13.6
|
|
|
c58629 |
|