From b08bab80ab8c11681a96a10807930c830a2d096f Mon Sep 17 00:00:00 2001
From: Martin Basti <mbasti@redhat.com>
Date: Fri, 19 Feb 2016 14:55:34 +0100
Subject: [PATCH] Warn user if trust is broken
Detect missing ipaNTSecurityIdentifier and print message for a user,
that the trust is broken as result of trust-show and trust-find commands.
https://fedorahosted.org/freeipa/ticket/5665
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Tomas Babej <tbabej@redhat.com>
---
ipalib/messages.py | 11 +++++++++++
ipalib/plugins/trust.py | 41 +++++++++++++++++++++++++++++++++++++++++
2 files changed, 52 insertions(+)
diff --git a/ipalib/messages.py b/ipalib/messages.py
index 58ae1f3ecbbf139f6f584c0ea2ebea6eb92e6e2b..ce92547de78a07f00d40fd850563faf1253826e3 100644
--- a/ipalib/messages.py
+++ b/ipalib/messages.py
@@ -241,6 +241,17 @@ class DNSSECValidationFailingWarning(PublicMessage):
u"validation on all IPA servers.")
+class BrokenTrust(PublicMessage):
+ """
+ **13018** Trust for a specified domain is broken
+ """
+
+ errno = 13018
+ type = "warning"
+ format = _("Your trust to %(domain)s is broken. Please re-create it by "
+ "running 'ipa trust-add' again.")
+
+
def iter_messages(variables, base):
"""Return a tuple with all subclasses
"""
diff --git a/ipalib/plugins/trust.py b/ipalib/plugins/trust.py
index ff142591d385e715994f0381c6b23c416763cd03..d451325e31e4e1d8d7223f009677bbcb002c65cb 100644
--- a/ipalib/plugins/trust.py
+++ b/ipalib/plugins/trust.py
@@ -18,6 +18,9 @@
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
+from ipalib.messages import (
+ add_message,
+ BrokenTrust)
from ipalib.plugable import Registry
from ipalib.plugins.baseldap import *
from ipalib.plugins.dns import dns_container_exists
@@ -554,6 +557,30 @@ class trust(LDAPObject):
dn=make_trust_dn(self.env, trust_type, DN(*sdn))
return dn
+ def warning_if_ad_trust_dom_have_missing_SID(self, result, **options):
+ """Due bug https://fedorahosted.org/freeipa/ticket/5665 there might be
+ AD trust domain without generated SID, warn user about it.
+ """
+ ldap = self.api.Backend.ldap2
+
+ try:
+ entries, truncated = ldap.find_entries(
+ base_dn=DN(self.container_dn, self.api.env.basedn),
+ attrs_list=['cn'],
+ filter='(&(ipaNTTrustPartner=*)'
+ '(!(ipaNTSecurityIdentifier=*)))',
+ )
+ except errors.NotFound:
+ pass
+ else:
+ for entry in entries:
+ add_message(
+ options['version'],
+ result,
+ BrokenTrust(domain=entry.single_value['cn'])
+ )
+
+
@register()
class trust_add(LDAPCreate):
__doc__ = _('''
@@ -1003,6 +1030,13 @@ class trust_find(LDAPSearch):
filter = ldap.combine_filters((filters, trust_filter), rules=ldap.MATCH_ALL)
return (filter, base_dn, ldap.SCOPE_SUBTREE)
+ def execute(self, *args, **options):
+ result = super(trust_find, self).execute(*args, **options)
+
+ self.obj.warning_if_ad_trust_dom_have_missing_SID(result, **options)
+
+ return result
+
def post_callback(self, ldap, entries, truncated, *args, **options):
if options.get('pkey_only', False):
return truncated
@@ -1022,6 +1056,13 @@ class trust_show(LDAPRetrieve):
has_output_params = LDAPRetrieve.has_output_params + trust_output_params +\
(Str('ipanttrusttype'), Str('ipanttrustdirection'))
+ def execute(self, *keys, **options):
+ result = super(trust_show, self).execute(*keys, **options)
+
+ self.obj.warning_if_ad_trust_dom_have_missing_SID(result, **options)
+
+ return result
+
def post_callback(self, ldap, dn, entry_attrs, *keys, **options):
assert isinstance(dn, DN)
--
2.5.0