[SCM] Samba Shared Repository - branch master updated
Andreas Schneider
asn at samba.org
Mon Jan 29 10:38:02 UTC 2024
The branch, master has been updated
via 1f823424418 python:gp: Improve wording of log messages to avoid confusion
via 367756b85a9 python:gp: Log an error if update fails
via 98dc44286ea python:gp: Do not print an error if template already exists
via 728757cd1ff python:gp: Do not print an error, if CA already exists
via 6d5507e0505 python:gp: Improve logging for certificate enrollment
via 6a9630eff62 python:gp: Avoid path check for cepces-submit
from 6e6d8384f36 vfs_ceph: Use ceph_fdopendir() when available for SMB_VFS_FDOPENDIR
https://git.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit 1f823424418e814d9dc0785658e2a7d92643dab2
Author: Andreas Schneider <asn at samba.org>
Date: Mon Jan 22 15:46:24 2024 +0100
python:gp: Improve wording of log messages to avoid confusion
We should not use the word "Failed". We are totally fine if we can't
connect to NDES in the meantime. This logs:
Try to get root or server certificates.
Unable to install root certificates (requires NDES).
Installing the server certificate only.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15559
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: David Mulder <dmulder at samba.org>
Reviewed-by: Pavel Filipenský <pfilipensky at samba.org>
Autobuild-User(master): Andreas Schneider <asn at cryptomilk.org>
Autobuild-Date(master): Mon Jan 29 10:37:29 UTC 2024 on atb-devel-224
commit 367756b85a9ac8daaac2326392bcd1373feed3b7
Author: Andreas Schneider <asn at samba.org>
Date: Mon Jan 22 15:05:24 2024 +0100
python:gp: Log an error if update fails
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15559
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: David Mulder <dmulder at samba.org>
Reviewed-by: Pavel Filipenský <pfilipensky at samba.org>
commit 98dc44286ea102ef7701ccdea26bbde32b523a7e
Author: Andreas Schneider <asn at samba.org>
Date: Mon Jan 22 15:05:02 2024 +0100
python:gp: Do not print an error if template already exists
We will get an exit status for duplicate in future:
https://www.pagure.io/certmonger/issue/269
We can't really fix that right now, as older versions of certmonger
don't support the `-v` option.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15559
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: David Mulder <dmulder at samba.org>
Reviewed-by: Pavel Filipenský <pfilipensky at samba.org>
commit 728757cd1ff0465967fcbda100254c9312e87c93
Author: Andreas Schneider <asn at samba.org>
Date: Mon Jan 22 15:04:36 2024 +0100
python:gp: Do not print an error, if CA already exists
We will get an exit status for duplicate in future:
https://www.pagure.io/certmonger/issue/269
We can't really fix that right now, as older versions of certmonger
don't support the `-v` option.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15559
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: David Mulder <dmulder at samba.org>
Reviewed-by: Pavel Filipenský <pfilipensky at samba.org>
commit 6d5507e05050690cd4c56f3f97f5fb7de0338b87
Author: Andreas Schneider <asn at samba.org>
Date: Mon Jan 22 14:07:47 2024 +0100
python:gp: Improve logging for certificate enrollment
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15559
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: David Mulder <dmulder at samba.org>
Reviewed-by: Pavel Filipenský <pfilipensky at samba.org>
commit 6a9630eff624643fd725219775784e68d967d04c
Author: Andreas Schneider <asn at samba.org>
Date: Mon Jan 22 14:14:30 2024 +0100
python:gp: Avoid path check for cepces-submit
find_cepces_submit() uses which(), which returns None if not found.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15559
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: David Mulder <dmulder at samba.org>
Reviewed-by: Pavel Filipenský <pfilipensky at samba.org>
-----------------------------------------------------------------------
Summary of changes:
python/samba/gp/gp_cert_auto_enroll_ext.py | 41 +++++++++++++++++++++---------
1 file changed, 29 insertions(+), 12 deletions(-)
Changeset truncated at 500 lines:
diff --git a/python/samba/gp/gp_cert_auto_enroll_ext.py b/python/samba/gp/gp_cert_auto_enroll_ext.py
index 8ba1960efe5..9b743cb7f9b 100644
--- a/python/samba/gp/gp_cert_auto_enroll_ext.py
+++ b/python/samba/gp/gp_cert_auto_enroll_ext.py
@@ -185,7 +185,7 @@ def find_cepces_submit():
def get_supported_templates(server):
cepces_submit = find_cepces_submit()
- if not cepces_submit or not os.path.exists(cepces_submit):
+ if not cepces_submit:
log.error('Failed to find cepces-submit')
return []
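Review bot: With the os.path.exists() check dropped, get_supported_templates() relies entirely on find_cepces_submit() returning None when the binary is absent, which matches the commit message (which() returns None), so the remaining `if not cepces_submit:` guard is correct. Note that the only caller visible in this patch, cert_enroll(), already guards with `cepces_submit is not None` before calling it, so the 'Failed to find cepces-submit' error here is effectively unreachable from that path; keeping it for other callers is fine, but consider applying the series' own wording rule and dropping "Failed" from this message too.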
@@ -209,12 +209,10 @@ def getca(ca, url, trust_dir):
r = requests.get(url=url, params={'operation': 'GetCACert',
'message': 'CAIdentifier'})
except requests.exceptions.ConnectionError:
- log.warn('Failed to establish a new connection')
+ log.warn('Could not connect to Network Device Enrollment Service.')
r = None
if r is None or r.content == b'' or r.headers['Content-Type'] == 'text/html':
- log.warn('Failed to fetch the root certificate chain.')
- log.warn('The Network Device Enrollment Service is either not' +
- ' installed or not configured.')
+ log.warn('Unable to fetch root certificates (requires NDES).')
if 'cACertificate' in ca:
log.warn('Installing the server certificate only.')
der_certificate = base64.b64decode(ca['cACertificate'])
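Review bot: In the unchanged condition `r.headers['Content-Type'] == 'text/html'`, a response that carries no Content-Type header raises KeyError instead of reaching the new 'Unable to fetch root certificates (requires NDES).' warning; use `r.headers.get('Content-Type', '')` so that path is handled. The ordering of the two new messages is right (connection warning first, then the fetch warning once `r` is None). If `log` is a standard logging.Logger, `warn` is a deprecated alias of `warning`.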
@@ -274,6 +272,9 @@ def cert_enroll(ca, ldb, trust_dir, private_dir, auth='Kerberos'):
"""Install the root certificate chain."""
data = dict({'files': [], 'templates': []}, **ca)
url = 'http://%s/CertSrv/mscep/mscep.dll/pkiclient.exe?' % ca['hostname']
+
+ log.info("Try to get root or server certificates")
+
root_certs = getca(ca, url, trust_dir)
data['files'].extend(root_certs)
global_trust_dir = find_global_trust_dir()
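Review bot: The URL built in the context line is plain `http://`, so the root certificates getca() returns, and which cert_enroll() then installs into the trust directory, arrive over an unauthenticated channel; that is how the SCEP GetCACert operation is served, but it means anything on the path can hand the client a CA to trust. Since ca['cACertificate'] from the directory is already used as the fallback in the getca() hunk, consider checking that the fetched chain contains that directory-sourced certificate before installing it, and logging a mismatch as an error. The new 'Try to get root or server certificates' line is fine; a trailing period would match the other messages in this series.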
@@ -283,6 +284,7 @@ def cert_enroll(ca, ldb, trust_dir, private_dir, auth='Kerberos'):
try:
os.symlink(src, dst)
data['files'].append(dst)
+ log.info("Created symlink: %s -> %s" % (src, dst))
except PermissionError:
log.warn('Failed to symlink root certificate to the'
' admin trust anchors')
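Review bot: The new log line prints the arrow in the wrong direction: os.symlink(src, dst) creates dst pointing at src, so the link is dst -> src, but the message reads "src -> dst". Suggest `log.info("Created symlink: %s -> %s" % (dst, src))` so an admin reading the log sees the trust-anchor path followed by the certificate file it resolves to.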
@@ -295,13 +297,18 @@ def cert_enroll(ca, ldb, trust_dir, private_dir, auth='Kerberos'):
# already exists. Ignore the FileExistsError. Preserve the
# existing symlink in the unapply data.
data['files'].append(dst)
+
update = update_ca_command()
+ log.info("Running %s" % (update))
if update is not None:
- Popen([update]).wait()
+ ret = Popen([update]).wait()
+ if ret != 0:
+ log.error('Failed to run %s' % (update))
+
# Setup Certificate Auto Enrollment
getcert = which('getcert')
cepces_submit = find_cepces_submit()
- if getcert is not None and os.path.exists(cepces_submit):
+ if getcert is not None and cepces_submit is not None:
p = Popen([getcert, 'add-ca', '-c', ca['name'], '-e',
'%s --server=%s --auth=%s' % (cepces_submit,
ca['hostname'], auth)],
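Review bot: `log.info("Running %s" % (update))` sits before the `if update is not None:` check, so on a system where update_ca_command() finds no tool the log reads "Running None"; move the line inside the if, next to the new return-code check. The added `if ret != 0: log.error(...)` is the right change, but the failure is only logged and enrollment continues with a possibly stale trust store; consider recording it in the returned data so the caller can tell. The `cepces_submit is not None` check in this hunk correctly mirrors the earlier change to find_cepces_submit().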
@@ -309,8 +316,12 @@ def cert_enroll(ca, ldb, trust_dir, private_dir, auth='Kerberos'):
out, err = p.communicate()
log.debug(out.decode())
if p.returncode != 0:
- data = { 'Error': err.decode(), 'CA': ca['name'] }
- log.error('Failed to add Certificate Authority', data)
+ if p.returncode == 2:
+ log.info('The CA [%s] already exists' % ca['name'])
+ else:
+ data = {'Error': err.decode(), 'CA': ca['name']}
+ log.error('Failed to add Certificate Authority', data)
+
supported_templates = get_supported_templates(ca['hostname'])
for template in supported_templates:
attrs = fetch_template_attrs(ldb, template)
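Review bot: Treating `p.returncode == 2` as "CA already exists" is an assumption the hunk does not document; the commit message says a dedicated duplicate exit status is still pending upstream (certmonger issue 269), so any other getcert add-ca failure that also exits 2 would now be reported at info level with the stderr text in `err` discarded. Suggest at least logging `err.decode()` at debug level in that branch, and a comment citing the issue so the magic number can be revisited once the `-v` behaviour is available everywhere.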
@@ -325,12 +336,18 @@ def cert_enroll(ca, ldb, trust_dir, private_dir, auth='Kerberos'):
out, err = p.communicate()
log.debug(out.decode())
if p.returncode != 0:
- data = { 'Error': err.decode(), 'Certificate': nickname }
- log.error('Failed to request certificate', data)
+ if p.returncode == 2:
+ log.info('The template [%s] already exists' % (nickname))
+ else:
+ data = {'Error': err.decode(), 'Certificate': nickname}
+ log.error('Failed to request certificate', data)
+
data['files'].extend([keyfile, certfile])
data['templates'].append(nickname)
if update is not None:
- Popen([update]).wait()
+ ret = Popen([update]).wait()
+ if ret != 0:
+ log.error('Failed to run %s' % (update))
else:
log.warn('certmonger and cepces must be installed for ' +
'certificate auto enrollment to work')
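Review bot: On a real request failure (returncode neither 0 nor 2) the code still falls through to the unchanged `data['files'].extend([keyfile, certfile])` and `data['templates'].append(nickname)`, so the unapply data records a key and certificate that were never issued, and the update command is run anyway; add a `continue` after the log.error so only successful (or already-existing) templates are recorded. The same exit-code-2 caveat as for add-ca applies to this branch.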
--
Samba Shared Repository