From b08bab80ab8c11681a96a10807930c830a2d096f Mon Sep 17 00:00:00 2001
From: Martin Basti
Date: Fri, 19 Feb 2016 14:55:34 +0100
Subject: [PATCH] Warn user if trust is broken

Detect missing ipaNTSecurityIdentifier and print message for a user, that the trust is broken as result of trust-show and trust-find commands.

https://fedorahosted.org/freeipa/ticket/5665

Reviewed-By: Alexander Bokovoy
Reviewed-By: Tomas Babej
---
 ipalib/messages.py | 11 +++++++++++
 ipalib/plugins/trust.py | 41 +++++++++++++++++++++++++++++++++++++++++
 2 files changed, 52 insertions(+)

diff --git a/ipalib/messages.py b/ipalib/messages.py
index 58ae1f3ecbbf139f6f584c0ea2ebea6eb92e6e2b..ce92547de78a07f00d40fd850563faf1253826e3 100644
--- a/ipalib/messages.py
+++ b/ipalib/messages.py
@@ -241,6 +241,17 @@ class DNSSECValidationFailingWarning(PublicMessage):
 u"validation on all IPA servers.")
+class BrokenTrust(PublicMessage):
+ """
+ **13018** Trust for a specified domain is broken
+ """
+
+ errno = 13018
+ type = "warning"
+ format = _("Your trust to %(domain)s is broken. Please re-create it by "
+ "running 'ipa trust-add' again.")
+
+
 def iter_messages(variables, base):
 """Return a tuple with all subclasses
 """
diff --git a/ipalib/plugins/trust.py b/ipalib/plugins/trust.py
index ff142591d385e715994f0381c6b23c416763cd03..d451325e31e4e1d8d7223f009677bbcb002c65cb 100644
--- a/ipalib/plugins/trust.py
+++ b/ipalib/plugins/trust.py
@@ -18,6 +18,9 @@
 # You should have received a copy of the GNU General Public License
 # along with this program. If not, see .
+from ipalib.messages import (
+ add_message,
+ BrokenTrust)
 from ipalib.plugable import Registry
 from ipalib.plugins.baseldap import *
 from ipalib.plugins.dns import dns_container_exists
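Review bot: The BrokenTrust docstring only restates the message name, so a reader of messages.py cannot tell what condition makes a trust "broken" or where the warning is produced. I would extend it to `**13018** Trust for a specified domain is broken: the trust entry has ipaNTTrustPartner set but no ipaNTSecurityIdentifier (emitted by trust.warning_if_ad_trust_dom_have_missing_SID).` The errno 13018 must not collide with the other PublicMessage subclasses in this file; only the preceding class is visible in the hunk, so that needs checking against the full list.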
@@ -554,6 +557,30 @@ class trust(LDAPObject):
 dn=make_trust_dn(self.env, trust_type, DN(*sdn))
 return dn
+ def warning_if_ad_trust_dom_have_missing_SID(self, result, **options):
+ """Due bug https://fedorahosted.org/freeipa/ticket/5665 there might be
+ AD trust domain without generated SID, warn user about it.
+ """
+ ldap = self.api.Backend.ldap2
+
+ try:
+ entries, truncated = ldap.find_entries(
+ base_dn=DN(self.container_dn, self.api.env.basedn),
+ attrs_list=['cn'],
+ filter='(&(ipaNTTrustPartner=*)' '(!(ipaNTSecurityIdentifier=*)))',
+ )
+ except errors.NotFound:
+ pass
+ else:
+ for entry in entries:
+ add_message(
+ options['version'],
+ result,
+ BrokenTrust(domain=entry.single_value['cn'])
+ )
+
+
 @register()
 class trust_add(LDAPCreate):
 __doc__ = _('''
@@ -1003,6 +1030,13 @@ class trust_find(LDAPSearch):
 filter = ldap.combine_filters((filters, trust_filter), rules=ldap.MATCH_ALL)
 return (filter, base_dn, ldap.SCOPE_SUBTREE)
+ def execute(self, *args, **options):
+ result = super(trust_find, self).execute(*args, **options)
+
+ self.obj.warning_if_ad_trust_dom_have_missing_SID(result, **options)
+
+ return result
+
 def post_callback(self, ldap, entries, truncated, *args, **options):
 if options.get('pkey_only', False):
 return truncated
@@ -1022,6 +1056,13 @@ class trust_show(LDAPRetrieve):
 has_output_params = LDAPRetrieve.has_output_params + trust_output_params +\
 (Str('ipanttrusttype'), Str('ipanttrustdirection'))
+ def execute(self, *keys, **options):
+ result = super(trust_show, self).execute(*keys, **options)
+
+ self.obj.warning_if_ad_trust_dom_have_missing_SID(result, **options)
+
+ return result
+
 def post_callback(self, ldap, dn, entry_attrs, *keys, **options):
 assert isinstance(dn, DN)
-- 
2.5.0
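Review bot: `truncated` returned by `ldap.find_entries` in warning_if_ad_trust_dom_have_missing_SID is unpacked and then ignored, so if the search hits the server's size limit, broken trusts past the limit are silently not reported; the truncation should at least be logged, e.g. `if truncated: self.log.warning('broken-trust check truncated, some trusts were not examined')` (assuming the plugin logger is reachable as self.log here). `options['version']` raises KeyError when a caller invokes the command without a version option; unless the framework guarantees it for every trust-find/trust-show call, `options.get('version', <default-version>)` is the safer lookup. The docstring should read "Due to bug ..." and should say that the check scans every trust entry under container_dn regardless of which trust the calling command handled. The enclosing class trust starts outside the hunk.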
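Review bot: trust_find.execute here and trust_show.execute in the following hunk are the same three statements apart from the positional-argument name, and each adds an unconditional extra LDAP search to every invocation, including `--pkey-only` finds; I would move the wrapper into one place (a mixin, or a single helper on the trust object that takes the superclass result) so the two copies cannot drift. For trust_show the warning is emitted for every trust missing a SID, not only the entry being displayed, so a user showing a healthy trust still gets the message about another domain; if that is intended, the execute methods should document it, e.g. `"""Run the command, then warn about every trust whose SID is missing."""`. Both classes continue past the hunk.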