Warn user if trust is broken

Detect missing ipaNTSecurityIdentifier and print message for a user, that the trust is broken as result of trust-show and trust-find commands. https://fedorahosted.org/freeipa/ticket/5665 Reviewed-By: Tomas Babej <tbabej@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2025-01-11 00:31:56 -06:00 · 2016-02-19 14:55:34 +01:00 · 2016-02-19 14:55:34 +01:00 · c96822f3e5
commit c96822f3e5
parent 70bd7c8802
2 changed files with 52 additions and 0 deletions
--- a/ipalib/messages.py
+++ b/ipalib/messages.py
@ -341,6 +341,17 @@ class SearchResultTruncated(PublicMessage):
    format = _("Search result has been truncated to configured search limit.")


+class BrokenTrust(PublicMessage):
+    """
+    **13018** Trust for a specified domain is broken
+    """
+
+    errno = 13018
+    type = "warning"
+    format = _("Your trust to %(domain)s is broken. Please re-create it by "
+               "running 'ipa trust-add' again.")
+
+
 def iter_messages(variables, base):
    """Return a tuple with all subclasses
    """
--- a/ipalib/plugins/trust.py
+++ b/ipalib/plugins/trust.py
@ -20,6 +20,9 @@

 import six

+from ipalib.messages import (
+    add_message,
+    BrokenTrust)
 from ipalib.plugable import Registry
 from ipalib.plugins.baseldap import (
    pkey_to_value,
@ -586,6 +589,30 @@ class trust(LDAPObject):

        return make_trust_dn(self.env, trust_type, DN(*sdn))

+    def warning_if_ad_trust_dom_have_missing_SID(self, result, **options):
+        """Due bug https://fedorahosted.org/freeipa/ticket/5665 there might be
+        AD trust domain without generated SID, warn user about it.
+        """
+        ldap = self.api.Backend.ldap2
+
+        try:
+            entries, truncated = ldap.find_entries(
+                base_dn=DN(self.container_dn, self.api.env.basedn),
+                attrs_list=['cn'],
+                filter='(&(ipaNTTrustPartner=*)'
+                       '(!(ipaNTSecurityIdentifier=*)))',
+            )
+        except errors.NotFound:
+            pass
+        else:
+            for entry in entries:
+                 add_message(
+                    options['version'],
+                    result,
+                    BrokenTrust(domain=entry.single_value['cn'])
+                 )
+
+
@register()
 class trust_add(LDAPCreate):
    __doc__ = _('''
@ -1043,6 +1070,13 @@ class trust_find(LDAPSearch):
        filter = ldap.combine_filters((filters, trust_filter), rules=ldap.MATCH_ALL)
        return (filter, base_dn, ldap.SCOPE_SUBTREE)

+    def execute(self, *args, **options):
+        result = super(trust_find, self).execute(*args, **options)
+
+        self.obj.warning_if_ad_trust_dom_have_missing_SID(result, **options)
+
+        return result
+
    def post_callback(self, ldap, entries, truncated, *args, **options):
        if options.get('pkey_only', False):
            return truncated
@ -1062,6 +1096,13 @@ class trust_show(LDAPRetrieve):
    has_output_params = LDAPRetrieve.has_output_params + trust_output_params +\
                        (Str('ipanttrusttype'), Str('ipanttrustdirection'))

+    def execute(self, *keys, **options):
+        result = super(trust_show, self).execute(*keys, **options)
+
+        self.obj.warning_if_ad_trust_dom_have_missing_SID(result, **options)
+
+        return result
+
    def post_callback(self, ldap, dn, entry_attrs, *keys, **options):

        assert isinstance(dn, DN)