[Freeipa-devel] [PATCH] 1 Add ipa-adtrust-install utility

Simo Sorce simo at redhat.com
Fri Sep 9 23:06:47 UTC 2011


On Thu, 2011-09-08 at 14:39 +0200, Sumit Bose wrote:
> On Thu, Sep 08, 2011 at 02:06:44PM +0200, Martin Kosek wrote:
> > On Thu, 2011-09-08 at 13:52 +0200, Sumit Bose wrote:
> > > On Wed, Sep 07, 2011 at 06:10:50PM -0400, Simo Sorce wrote:
> > > > On Tue, 2011-08-30 at 16:40 +0200, Sumit Bose wrote:
> > > > > I don't think that we should run winbind.
> > > > > 
> > > > > I also changed the path to the smb.conf file from /etc/ipa
> > > > > to /etc/samba
> > > > > which makes the change to /etc/sysconfig/samba unnecessary.
> > > > > 
> > > > > Thanks for review.
> > > > > 
> > > > Ok tested this today, after I was able to tame my machine.
> > > > 
> > > > Some issues and comments still.
> > > > 
> > > > 1) If you just run ipa-adtrust-install it throws an error about an
> > > > Illegal netbios name and quits. That's not right, as it should ask for
> > > > the netbios name if one is not provided on the command line presenting a
> > > > default option (based on the last domain component uppercased maybe),
> > > 
> > > fixed
> > > 
> > > > 
> > > > 2) I see the way you write the temp smb.conf is by using a lot of
> > > > fd.write() calls. It would be much easier instead to use the templating
> > > > engine we use elsewhere in the code and drop a template file in
> > > > install/share, this will allow us to easily tweak the initial
> > > > installation options w/o touching the python code every time.
> > > 
> > > fixed
> > > 
> > > new version attached.
> > > 
> > > bye,
> > > Sumit
> > > 
> > > > 
> > > > 3) Everything installed and started but my smbd coredump immediately
> > > > after. It is almost certainly not a problem in your patch though :-)
> > > > 
> > > > So jokes aside if you fix 1 and 2 I think we can push to master.
> > > > 
> > > > Simo.
> > > > 
> > > > -- 
> > > > Simo Sorce * Red Hat, Inc * New York
> > > > 
> > 
> > Only one nitpick from me. The new man page header should be changed
> > according to our last man page consolidation effort in ticket 1687 so
> > that it is consistent with the others. In your case, the header should
> > be:
> > 
> > +.TH "ipa-adtrust-install" "1" "Aug 23 2011" "FreeIPA" "FreeIPA Manual Pages"
> > 
> > Plus, --netbios-name option is not covered in the man page.
> 
> Thank you for the feedback, I fixed it accordingly. New version
> attached.

NACK

Ok I spent an afternoon with gd's packages trying to get the install
to work.
I have it finally start smbd if run manually.

Quite a few things needed to be changed in the configuration to get it
to start smbd (not a working solution yet though).

First of all, for some reason passdb backend would use the hostname
instead of the ldapi socket. This seems to be fixed in the latest patch
(the install had been done with the previous).

- ldap ssl needs to be set to off, as dirsrv does not allow (nor do we
want) to use start tls on ldapi
I had to use: net conf setparms global 'ldap ssl' off

- ldap suffix = cn=accounts,dc=ipa,dc=test is definitely not right.
This is not fixed in the current patch either.

It should be ldap suffix = $SUFFIX

- log file directive is unusual: %d causes each log file to be created
with the pid number, which is very annoying when you want to see the logs
of a specific machine, please change it to use %m

- No service principal is created for cifs/fqdn

- No directive to tell samba to use the system keytab. You should
probably set 'kerberos method = system keytab'


I couldn't test everything due to other issues I found and need to
investigate in both the samba packages and krb5kdc segfaulting on me
when I try to use smbclient -k yes :-(

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
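
The configuration points raised in the message above can be checked mechanically against a generated smb.conf. The following is an added example, not code from the patch or from FreeIPA: the sample configs, the socket path, the ldapsam backend name and the function names are constructed for illustration, and it assumes $SUFFIX stands for the installation's base suffix.

```python
from string import Template

# Constructed sample resembling the reviewed output (not the patch's file).
BEFORE = """\
[global]
    passdb backend = ldapsam:ldap://ipa.ipa.test
    ldap suffix = cn=accounts,dc=ipa,dc=test
    log file = /var/log/samba/log.%d
"""

# Constructed template; $SUFFIX is filled in at install time.
TEMPLATE = Template("""\
[global]
    passdb backend = ldapsam:ldapi://%2fvar%2frun%2fexample.socket
    ldap ssl = off
    ldap suffix = $SUFFIX
    log file = /var/log/samba/log.%m
    kerberos method = system keytab
""")

def parse_global(text):
    """Return the [global] parameters of smb.conf-style text as a dict."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            # smb.conf parameter names ignore case and internal whitespace
            params["".join(key.lower().split())] = value.strip()
    return params

def review(text, suffix):
    """List the findings from the review that apply to this config."""
    p, findings = parse_global(text), []
    if "ldapi://" not in p.get("passdbbackend", ""):
        findings.append("passdb backend does not use the ldapi socket")
    if p.get("ldapssl", "").lower() != "off":
        findings.append("ldap ssl must be off (no start tls on ldapi)")
    if p.get("ldapsuffix", "").lower() != suffix.lower():
        findings.append("ldap suffix is not the installation suffix")
    if "%d" in p.get("logfile", ""):
        findings.append("log file uses %d; use %m")
    if p.get("kerberosmethod", "").lower() != "system keytab":
        findings.append("kerberos method is not 'system keytab'")
    return findings
```

Calling review(BEFORE, "dc=ipa,dc=test") reports all five configuration findings, while the rendered TEMPLATE reports none; the missing cifs/fqdn service principal is outside smb.conf and is not covered.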