From b08bab80ab8c11681a96a10807930c830a2d096f Mon Sep 17 00:00:00 2001
From: Martin Basti <mbasti@redhat.com>
Date: Fri, 19 Feb 2016 14:55:34 +0100
Subject: [PATCH] Warn user if trust is broken
Detect missing ipaNTSecurityIdentifier and print message for a user,
that the trust is broken, in the output of the trust-show and trust-find commands.
https://fedorahosted.org/freeipa/ticket/5665
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Tomas Babej <tbabej@redhat.com>
---
ipalib/messages.py | 11 +++++++++++
ipalib/plugins/trust.py | 41 +++++++++++++++++++++++++++++++++++++++++
2 files changed, 52 insertions(+)
diff --git a/ipalib/messages.py b/ipalib/messages.py
index 58ae1f3ecbbf139f6f584c0ea2ebea6eb92e6e2b..ce92547de78a07f00d40fd850563faf1253826e3 100644
--- a/ipalib/messages.py
+++ b/ipalib/messages.py
@@ -241,6 +241,17 @@ class DNSSECValidationFailingWarning(PublicMessage):
u"validation on all IPA servers.")
+class BrokenTrust(PublicMessage):
+ """
+ **13018** Trust for a specified domain is broken
+ """
+
+ errno = 13018
+ type = "warning"
+ format = _("Your trust to %(domain)s is broken. Please re-create it by "
+ "running 'ipa trust-add' again.")
+
+
def iter_messages(variables, base):
"""Return a tuple with all subclasses
"""
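Review bot: The docstring `**13018** Trust for a specified domain is broken` does not say what "broken" means, so a reader of the message catalogue cannot tell which condition makes 13018 fire, even though the commit ties it to one specific check. Suggest `**13018** Trust for a specified domain is broken: the trust entry has no ipaNTSecurityIdentifier (SID)`, which matches the detection filter added in trust.py. The user-facing `format` text could likewise mention the missing SID, so an administrator can confirm the diagnosis before deleting and re-adding the trust; whether to do that is a wording choice for the project's message style.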
diff --git a/ipalib/plugins/trust.py b/ipalib/plugins/trust.py
index ff142591d385e715994f0381c6b23c416763cd03..d451325e31e4e1d8d7223f009677bbcb002c65cb 100644
--- a/ipalib/plugins/trust.py
+++ b/ipalib/plugins/trust.py
@@ -18,6 +18,9 @@
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
+from ipalib.messages import (
+ add_message,
+ BrokenTrust)
from ipalib.plugable import Registry
from ipalib.plugins.baseldap import *
from ipalib.plugins.dns import dns_container_exists
@@ -554,6 +557,30 @@ class trust(LDAPObject):
dn=make_trust_dn(self.env, trust_type, DN(*sdn))
return dn
+ def warning_if_ad_trust_dom_have_missing_SID(self, result, **options):
+ """Due bug https://fedorahosted.org/freeipa/ticket/5665 there might be
+ AD trust domain without generated SID, warn user about it.
+ """
+ ldap = self.api.Backend.ldap2
+
+ try:
+ entries, truncated = ldap.find_entries(
+ base_dn=DN(self.container_dn, self.api.env.basedn),
+ attrs_list=['cn'],
+ filter='(&(ipaNTTrustPartner=*)'
+ '(!(ipaNTSecurityIdentifier=*)))',
+ )
+ except errors.NotFound:
+ pass
+ else:
+ for entry in entries:
+ add_message(
+ options['version'],
+ result,
+ BrokenTrust(domain=entry.single_value['cn'])
+ )
+
+
@register()
class trust_add(LDAPCreate):
__doc__ = _('''
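Review bot: `entries, truncated = ldap.find_entries(...)` in warning_if_ad_trust_dom_have_missing_SID unpacks `truncated` and never looks at it, so when the search hits the server's size limit the remaining broken trusts are silently not reported and the administrator sees only a partial picture. At minimum the loop should carry a comment such as `# NOTE: a truncated search (size limit hit) hides further broken trusts`, or bind the value as `_truncated` if ignoring it is deliberate. The docstring reads `Due bug ...` and should be `Due to bug ...`; it could also state the condition detected: a trust entry with ipaNTTrustPartner set but no ipaNTSecurityIdentifier. `options['version']` raises KeyError when no version is passed; if the framework always injects it, a one-line comment saying so would spare the next reader the check.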
@@ -1003,6 +1030,13 @@ class trust_find(LDAPSearch):
filter = ldap.combine_filters((filters, trust_filter), rules=ldap.MATCH_ALL)
return (filter, base_dn, ldap.SCOPE_SUBTREE)
+ def execute(self, *args, **options):
+ result = super(trust_find, self).execute(*args, **options)
+
+ self.obj.warning_if_ad_trust_dom_have_missing_SID(result, **options)
+
+ return result
+
def post_callback(self, ldap, entries, truncated, *args, **options):
if options.get('pkey_only', False):
return truncated
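Review bot: The new `execute` override has no docstring, and its body is repeated verbatim in the trust_show hunk below, so the reason for running an extra LDAP search on every find/show is documented nowhere. Suggest `"""Run the search, then append a BrokenTrust warning for each trust that lacks a SID."""` on both overrides, and consider whether the two identical bodies warrant one shared helper so a later change to the check cannot diverge between the commands. The same applies to the trust_show hunk.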
@@ -1022,6 +1056,13 @@ class trust_show(LDAPRetrieve):
has_output_params = LDAPRetrieve.has_output_params + trust_output_params +\
(Str('ipanttrusttype'), Str('ipanttrustdirection'))
+ def execute(self, *keys, **options):
+ result = super(trust_show, self).execute(*keys, **options)
+
+ self.obj.warning_if_ad_trust_dom_have_missing_SID(result, **options)
+
+ return result
+
def post_callback(self, ldap, dn, entry_attrs, *keys, **options):
assert isinstance(dn, DN)
--
2.5.0