From c96822f3e5af57f5f1f062a957778c84ad2b520d Mon Sep 17 00:00:00 2001
From: Martin Basti
Date: Feb 23 2016 16:35:20 +0000
Subject: Warn user if trust is broken

Detect missing ipaNTSecurityIdentifier and print message for a user, that the trust is broken as result of trust-show and trust-find commands.

https://fedorahosted.org/freeipa/ticket/5665

Reviewed-By: Tomas Babej
Reviewed-By: Alexander Bokovoy
---
diff --git a/ipalib/messages.py b/ipalib/messages.py
index e43584b..dbbc34a 100644
--- a/ipalib/messages.py
+++ b/ipalib/messages.py
@@ -341,6 +341,17 @@ class SearchResultTruncated(PublicMessage):
     format = _("Search result has been truncated to configured search limit.")
 
 
+class BrokenTrust(PublicMessage):
+    """
+    **13018** Trust for a specified domain is broken
+    """
+
+    errno = 13018
+    type = "warning"
+    format = _("Your trust to %(domain)s is broken. Please re-create it by "
+               "running 'ipa trust-add' again.")
+
+
 def iter_messages(variables, base):
     """Return a tuple with all subclasses
     """
diff --git a/ipalib/plugins/trust.py b/ipalib/plugins/trust.py
index f68b94b..ba0c98e 100644
--- a/ipalib/plugins/trust.py
+++ b/ipalib/plugins/trust.py
@@ -20,6 +20,9 @@
 import six
 
+from ipalib.messages import (
+    add_message,
+    BrokenTrust)
 from ipalib.plugable import Registry
 from ipalib.plugins.baseldap import (
     pkey_to_value,
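Review bot: BrokenTrust's docstring gives only the errno and a one-line title, so a reader of messages.py cannot tell which condition produces the warning; the check that emits it (added to ipalib/plugins/trust.py in this same commit) matches trust entries that carry ipaNTTrustPartner but lack ipaNTSecurityIdentifier. Suggest adding a line under the title such as `Emitted by trust-find and trust-show for an AD trust entry whose ipaNTSecurityIdentifier attribute is missing.` so the message class documents its own trigger the way the ticket text does.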
@@ -586,6 +589,30 @@ class trust(LDAPObject):
         return make_trust_dn(self.env, trust_type, DN(*sdn))
 
+    def warning_if_ad_trust_dom_have_missing_SID(self, result, **options):
+        """Due bug https://fedorahosted.org/freeipa/ticket/5665 there might be
+        AD trust domain without generated SID, warn user about it.
+        """
+        ldap = self.api.Backend.ldap2
+
+        try:
+            entries, truncated = ldap.find_entries(
+                base_dn=DN(self.container_dn, self.api.env.basedn),
+                attrs_list=['cn'],
+                filter='(&(ipaNTTrustPartner=*)'
+                       '(!(ipaNTSecurityIdentifier=*)))',
+            )
+        except errors.NotFound:
+            pass
+        else:
+            for entry in entries:
+                add_message(
+                    options['version'],
+                    result,
+                    BrokenTrust(domain=entry.single_value['cn'])
+                )
+
+
 @register()
 class trust_add(LDAPCreate):
     __doc__ = _('''
@@ -1043,6 +1070,13 @@ class trust_find(LDAPSearch):
         filter = ldap.combine_filters((filters, trust_filter), rules=ldap.MATCH_ALL)
         return (filter, base_dn, ldap.SCOPE_SUBTREE)
 
+    def execute(self, *args, **options):
+        result = super(trust_find, self).execute(*args, **options)
+
+        self.obj.warning_if_ad_trust_dom_have_missing_SID(result, **options)
+
+        return result
+
     def post_callback(self, ldap, entries, truncated, *args, **options):
         if options.get('pkey_only', False):
             return truncated
@@ -1062,6 +1096,13 @@ class trust_show(LDAPRetrieve):
     has_output_params = LDAPRetrieve.has_output_params + trust_output_params +\
                         (Str('ipanttrusttype'), Str('ipanttrustdirection'))
 
+    def execute(self, *keys, **options):
+        result = super(trust_show, self).execute(*keys, **options)
+
+        self.obj.warning_if_ad_trust_dom_have_missing_SID(result, **options)
+
+        return result
+
     def post_callback(self, ldap, dn, entry_attrs, *keys, **options):
         assert isinstance(dn, DN)
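Review bot: `truncated` from ldap.find_entries is unpacked and then never read, so if the search for SID-less trust entries hits the configured size limit the user is warned only about the entries that made it into the truncated result and the rest stay silently unreported. If best-effort reporting is intended, say so in a comment and bind the value as `entries, _ = ldap.find_entries(`; otherwise emit a message when it is true, since an admin relying on this warning to spot a broken trust should know the list may be incomplete. The docstring would also read better as `Due to bug https://fedorahosted.org/freeipa/ticket/5665 there might be an AD trust domain without a generated SID; warn the user about it.` The filter is a fixed string and the cn value only feeds the message format, so the new search itself adds no injection surface.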
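Review bot: The execute override calls warning_if_ad_trust_dom_have_missing_SID over the whole trust container regardless of the criteria passed to trust-find, so a search for one domain can come back with BrokenTrust warnings about unrelated domains; if that is intended, a short comment on the override such as `# Warn about every broken trust, not only those matching the search.` would save the next reader a question. The same override is added to trust_show further down, where the scope question is sharper because only one entry is displayed — letting the helper accept an optional domain to narrow its filter would keep that warning tied to the command's output. Both overrides are otherwise plain super() wrappers that pass `**options` through, which is what the helper needs for `options['version']`.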