Univention Bugzilla – Attachment 7854 Details for
Bug 38285
adconnector/check_domain() GSSAPI failed
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
[patch]
flush_nscd_and_set_hosts_static.patch
flush_nscd_and_set_hosts_static.patch (text/plain), 3.77 KB, created by
Arvid Requate
on 2016-08-04 19:29 CEST
(
hide
)
Description:
flush_nscd_and_set_hosts_static.patch
Filename:
MIME Type:
Creator:
Arvid Requate
Created:
2016-08-04 19:29 CEST
Size:
3.77 KB
patch
obsolete
>Index: python/admember.py >=================================================================== >--- python/admember.py (Revision 71423) >+++ python/admember.py (Arbeitskopie) >@@ -217,15 +217,16 @@ > > (previous_dns_ucr_set, previous_dns_ucr_unset) = set_nameserver([ad_server_ip], ucr) > (previous_krb_ucr_set, previous_krb_ucr_unset) = prepare_kerberos_ucr_settings(realm=ad_realm, ucr=ucr) >+ (previous_host_static_ucr_set, previous_host_static_ucr_unset) = prepare_dns_reverse_settings(ad_domain_info) > > try: > principal = "%s@%s" % (username, ad_realm) > _get_kerberos_ticket(principal, password, ucr) > auth = ldap.sasl.gssapi("") >- prepare_dns_reverse_settings(ad_domain_info) > except Exception: > set_ucr(previous_dns_ucr_set, previous_dns_ucr_unset) > set_ucr(previous_krb_ucr_set, previous_krb_ucr_unset) >+ set_ucr(previous_host_static_ucr_set, previous_host_static_ucr_unset) > raise > > ## Ok, ready and set for kerberized LDAP lookup >@@ -239,6 +240,7 @@ > finally: > set_ucr(previous_dns_ucr_set, previous_dns_ucr_unset) > set_ucr(previous_krb_ucr_set, previous_krb_ucr_unset) >+ set_ucr(previous_host_static_ucr_set, previous_host_static_ucr_unset) > > res = lo_ad.search(scope="base", attr=["objectSid"]) > if not res or not "objectSid" in res[0][1]: >@@ -912,22 +914,52 @@ > def prepare_dns_reverse_settings(ad_domain_info): > ## For python-ldap / GSSAPI / AD we need working reverse DNS lookups > ## Otherwise one ends up with: >+ ## > ## SASL(-1): generic failure: GSSAPI Error: Miscellaneous failure (see text) >- ## (Matching credential (ldap/10.20.30.123@10.20.30.123) not found) >+ ## (Matching credential (ldap/10.20.30.123@10.20.30.123) not found) >+ ## >+ ## Or even worse, in case there had been a (nscd cached?) PTR record >+ ## in the ucs.domain: >+ ## >+ ## SASL(-1): generic failure: GSSAPI Error: Miscellaneous failure (see text) >+ ## (Matching credential (ldap/adhost.ucs.domain@UCS.DOMAIN) not found) >+ ## >+ >+ ## Flush the cache, just in case >+ if os.path.exists("/usr/sbin/nscd"): >+ cmd = ("/usr/sbin/nscd", "--invalidate=hosts") >+ p1 = subprocess.Popen(cmd, close_fds=True) >+ p1.communicate() >+ >+ ## Test DNS resolution (just for fun) > try: >- socket.gethostbyaddr(ad_domain_info['DC IP']) >- except socket.herror: >- ad_server_name = ad_domain_info['DC DNS Name'] >- ip = socket.gethostbyname(ad_server_name) >- ucr_key = u'hosts/static/%s' % (ip,) >- ucr_set = [ u'%s=%s' % (ucr_key, ad_server_name), ] >- univention.config_registry.handler_set(ucr_set) >- if os.path.exists("/usr/sbin/nscd"): >- cmd = ("/usr/sbin/nscd", "--invalidate=hosts") >- p1 = subprocess.Popen(cmd, close_fds=True) >- p1.communicate() >- >+ hostname, aliaslist, ipaddrlist = socket.gethostbyaddr(ad_domain_info['DC IP']) >+ ud.debug(ud.MODULE, ud.INFO, "%s resolves to %s" % (ad_domain_info['DC IP'], hostname)) >+ except (socket.herror, socket.gaierror) as exc: >+ ud.debug(ud.MODULE, ud.INFO, "Resolving %s failed: %s" % (ad_domain_info['DC IP'], exc.args[1])) > >+ ## Set a hosts/static anyway, to be safe from DNS issues (Bug #38285) >+ previous_ucr_set = [] >+ previous_ucr_unset = [] >+ >+ ad_server_name = ad_domain_info['DC DNS Name'] >+ ip = socket.gethostbyname(ad_server_name) >+ ucr_key = u'hosts/static/%s' % (ip,) >+ ucr_set = [ u'%s=%s' % (ucr_key, ad_server_name), ] >+ >+ for setting in ucr_set: >+ var = setting.split("=", 1)[0] >+ old_val = ucr.get(var) >+ if old_val is not None: >+ previous_ucr_set.append(u'%s=%s' % (var, old_val)) >+ else: >+ previous_ucr_unset.append(u'%s' % (var,)) >+ >+ ud.debug(ud.MODULE, ud.PROCESS, "Setting UCR variables: %s" % ucr_set) >+ univention.config_registry.handler_set(ucr_set) >+ >+ return (previous_ucr_set, previous_ucr_unset) >+ > def prepare_kerberos_ucr_settings(realm=None, ucr=None): > ud.debug(ud.MODULE, ud.PROCESS, "Prepare Kerberos UCR settings") >
<b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs. <a href="attachment.cgi?id=7854">View the attachment on a separate page</a>.</b>
Actions:
View
|
Diff
Attachments on
bug 38285
:
7852
|
7853
| 7854