[SCM] Samba Shared Repository - branch master updated

Andreas Schneider asn at samba.org
Mon Jan 29 10:38:02 UTC 2024


The branch, master has been updated
       via  1f823424418 python:gp: Improve wording of log messages to avoid confusion
       via  367756b85a9 python:gp: Log an error if update fails
       via  98dc44286ea python:gp: Do not print an error if template already exists
       via  728757cd1ff python:gp: Do not print an error, if CA already exists
       via  6d5507e0505 python:gp: Improve logging for certificate enrollment
       via  6a9630eff62 python:gp: Avoid path check for cepces-submit
      from  6e6d8384f36 vfs_ceph: Use ceph_fdopendir() when available for SMB_VFS_FDOPENDIR

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 1f823424418e814d9dc0785658e2a7d92643dab2
Author: Andreas Schneider <asn at samba.org>
Date:   Mon Jan 22 15:46:24 2024 +0100

    python:gp: Improve wording of log messages to avoid confusion
    
    We should not use the word "Failed". We are totally fine if we can't
    connect to NDES in the meantime. This logs:
    
    Try to get root or server certificates.
    Unable to install root certificates (requires NDES).
    Installing the server certificate only.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15559
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: David Mulder <dmulder at samba.org>
    Reviewed-by: Pavel Filipenský <pfilipensky at samba.org>
    
    Autobuild-User(master): Andreas Schneider <asn at cryptomilk.org>
    Autobuild-Date(master): Mon Jan 29 10:37:29 UTC 2024 on atb-devel-224

commit 367756b85a9ac8daaac2326392bcd1373feed3b7
Author: Andreas Schneider <asn at samba.org>
Date:   Mon Jan 22 15:05:24 2024 +0100

    python:gp: Log an error if update fails
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15559
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: David Mulder <dmulder at samba.org>
    Reviewed-by: Pavel Filipenský <pfilipensky at samba.org>

commit 98dc44286ea102ef7701ccdea26bbde32b523a7e
Author: Andreas Schneider <asn at samba.org>
Date:   Mon Jan 22 15:05:02 2024 +0100

    python:gp: Do not print an error if template already exists
    
    We will get an exit status for duplicates in the future:
    https://www.pagure.io/certmonger/issue/269
    We can't really fix that right now, as older versions of certmonger
    don't support the `-v` option.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15559
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: David Mulder <dmulder at samba.org>
    Reviewed-by: Pavel Filipenský <pfilipensky at samba.org>

commit 728757cd1ff0465967fcbda100254c9312e87c93
Author: Andreas Schneider <asn at samba.org>
Date:   Mon Jan 22 15:04:36 2024 +0100

    python:gp: Do not print an error, if CA already exists
    
    We will get an exit status for duplicates in the future:
    https://www.pagure.io/certmonger/issue/269
    We can't really fix that right now, as older versions of certmonger
    don't support the `-v` option.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15559
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: David Mulder <dmulder at samba.org>
    Reviewed-by: Pavel Filipenský <pfilipensky at samba.org>

commit 6d5507e05050690cd4c56f3f97f5fb7de0338b87
Author: Andreas Schneider <asn at samba.org>
Date:   Mon Jan 22 14:07:47 2024 +0100

    python:gp: Improve logging for certificate enrollment
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15559
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: David Mulder <dmulder at samba.org>
    Reviewed-by: Pavel Filipenský <pfilipensky at samba.org>

commit 6a9630eff624643fd725219775784e68d967d04c
Author: Andreas Schneider <asn at samba.org>
Date:   Mon Jan 22 14:14:30 2024 +0100

    python:gp: Avoid path check for cepces-submit
    
    find_cepces_submit() uses which(), which returns None if not found.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15559
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: David Mulder <dmulder at samba.org>
    Reviewed-by: Pavel Filipenský <pfilipensky at samba.org>

-----------------------------------------------------------------------

Summary of changes:
 python/samba/gp/gp_cert_auto_enroll_ext.py | 41 +++++++++++++++++++++---------
 1 file changed, 29 insertions(+), 12 deletions(-)


Changeset truncated at 500 lines:

diff --git a/python/samba/gp/gp_cert_auto_enroll_ext.py b/python/samba/gp/gp_cert_auto_enroll_ext.py
index 8ba1960efe5..9b743cb7f9b 100644
--- a/python/samba/gp/gp_cert_auto_enroll_ext.py
+++ b/python/samba/gp/gp_cert_auto_enroll_ext.py
@@ -185,7 +185,7 @@ def find_cepces_submit():
 
 def get_supported_templates(server):
     cepces_submit = find_cepces_submit()
-    if not cepces_submit or not os.path.exists(cepces_submit):
+    if not cepces_submit:
         log.error('Failed to find cepces-submit')
         return []
 
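Review bot: the severity for a missing cepces-submit is inconsistent between this hunk and the cert_enroll hunk further down. Here `log.error('Failed to find cepces-submit')` reports it as an error, while cert_enroll reports the same condition (cepces_submit is None) only as a warning ('certmonger and cepces must be installed for certificate auto enrollment to work'). Since get_supported_templates() is only reached from cert_enroll after that check has already passed, consider downgrading this message to a warning, or making both the same level, so operators do not see an error for a condition the code treats as non-fatal elsewhere.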
@@ -209,12 +209,10 @@ def getca(ca, url, trust_dir):
         r = requests.get(url=url, params={'operation': 'GetCACert',
                                           'message': 'CAIdentifier'})
     except requests.exceptions.ConnectionError:
-        log.warn('Failed to establish a new connection')
+        log.warn('Could not connect to Network Device Enrollment Service.')
         r = None
     if r is None or r.content == b'' or r.headers['Content-Type'] == 'text/html':
-        log.warn('Failed to fetch the root certificate chain.')
-        log.warn('The Network Device Enrollment Service is either not' +
-                 ' installed or not configured.')
+        log.warn('Unable to fetch root certificates (requires NDES).')
         if 'cACertificate' in ca:
             log.warn('Installing the server certificate only.')
             der_certificate = base64.b64decode(ca['cACertificate'])
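Review bot: the check `r.headers['Content-Type'] == 'text/html'` on the context line will raise KeyError when the response carries no Content-Type header (requests' header dict does not default), and the exact comparison misses values such as `text/html; charset=utf-8`, so an HTML error page from the server would be decoded as DER. Suggest `r.headers.get('Content-Type', '').startswith('text/html')` so the new 'Unable to fetch root certificates (requires NDES).' path is taken in both cases instead of an exception.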
@@ -274,6 +272,9 @@ def cert_enroll(ca, ldb, trust_dir, private_dir, auth='Kerberos'):
     """Install the root certificate chain."""
     data = dict({'files': [], 'templates': []}, **ca)
     url = 'http://%s/CertSrv/mscep/mscep.dll/pkiclient.exe?' % ca['hostname']
+
+    log.info("Try to get root or server certificates")
+
     root_certs = getca(ca, url, trust_dir)
     data['files'].extend(root_certs)
     global_trust_dir = find_global_trust_dir()
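Review bot: style, the new message `log.info("Try to get root or server certificates")` uses double quotes and no trailing period, while the messages in the same file use single quotes and end with a period ('Could not connect to Network Device Enrollment Service.'). It would also help operators reading the log to name the CA being contacted, e.g. `log.info('Trying to get root or server certificates from %s.' % ca['hostname'])`, since cert_enroll runs once per CA.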
@@ -283,6 +284,7 @@ def cert_enroll(ca, ldb, trust_dir, private_dir, auth='Kerberos'):
         try:
             os.symlink(src, dst)
             data['files'].append(dst)
+            log.info("Created symlink: %s -> %s" % (src, dst))
         except PermissionError:
             log.warn('Failed to symlink root certificate to the'
                      ' admin trust anchors')
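Review bot: style, `log.info("Created symlink: %s -> %s" % (src, dst))` uses double quotes where the surrounding messages use single quotes; otherwise placing the log call after `os.symlink(src, dst)` inside the try is right, as it only fires when the link was actually created.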
@@ -295,13 +297,18 @@ def cert_enroll(ca, ldb, trust_dir, private_dir, auth='Kerberos'):
             # already exists. Ignore the FileExistsError. Preserve the
             # existing symlink in the unapply data.
             data['files'].append(dst)
+
     update = update_ca_command()
+    log.info("Running %s" % (update))
     if update is not None:
-        Popen([update]).wait()
+        ret = Popen([update]).wait()
+        if ret != 0:
+            log.error('Failed to run %s' % (update))
+
     # Setup Certificate Auto Enrollment
     getcert = which('getcert')
     cepces_submit = find_cepces_submit()
-    if getcert is not None and os.path.exists(cepces_submit):
+    if getcert is not None and cepces_submit is not None:
         p = Popen([getcert, 'add-ca', '-c', ca['name'], '-e',
                   '%s --server=%s --auth=%s' % (cepces_submit,
                   ca['hostname'], auth)],
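Review bot: `log.info("Running %s" % (update))` is emitted before the `if update is not None:` check, so when update_ca_command() finds no tool the log reads "Running None". Move the log call inside the `if` block, next to `ret = Popen([update]).wait()`, so it is only logged when a command is actually run; the same applies to the matching block near the end of cert_enroll.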
@@ -309,8 +316,12 @@ def cert_enroll(ca, ldb, trust_dir, private_dir, auth='Kerberos'):
         out, err = p.communicate()
         log.debug(out.decode())
         if p.returncode != 0:
-            data = { 'Error': err.decode(), 'CA': ca['name'] }
-            log.error('Failed to add Certificate Authority', data)
+            if p.returncode == 2:
+                log.info('The CA [%s] already exists' % ca['name'])
+            else:
+                data = {'Error': err.decode(), 'CA': ca['name']}
+                log.error('Failed to add Certificate Authority', data)
+
         supported_templates = get_supported_templates(ca['hostname'])
         for template in supported_templates:
             attrs = fetch_template_attrs(ldb, template)
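Review bot: in the else branch, `data = {'Error': err.decode(), 'CA': ca['name']}` rebinds the `data` dict that was built at the top of cert_enroll with the 'files' and 'templates' keys, so after a real add-ca failure the later `data['files']` accesses will raise KeyError instead of recording the unapply data. This was already the case before the change but the hunk keeps it; use a different local name for the error payload (e.g. `err_data`). Also worth a comment at `if p.returncode == 2:` that, per the commit message, certmonger has no dedicated exit status for duplicates yet, so other failures exiting with 2 are downgraded to info here.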
@@ -325,12 +336,18 @@ def cert_enroll(ca, ldb, trust_dir, private_dir, auth='Kerberos'):
             out, err = p.communicate()
             log.debug(out.decode())
             if p.returncode != 0:
-                data = { 'Error': err.decode(), 'Certificate': nickname }
-                log.error('Failed to request certificate', data)
+                if p.returncode == 2:
+                    log.info('The template [%s] already exists' % (nickname))
+                else:
+                    data = {'Error': err.decode(), 'Certificate': nickname}
+                    log.error('Failed to request certificate', data)
+
             data['files'].extend([keyfile, certfile])
             data['templates'].append(nickname)
         if update is not None:
-            Popen([update]).wait()
+            ret = Popen([update]).wait()
+            if ret != 0:
+                log.error('Failed to run %s' % (update))
     else:
         log.warn('certmonger and cepces must be installed for ' +
                  'certificate auto enrollment to work')
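Review bot: same rebinding problem as in the add-ca hunk, and here it bites immediately: `data = {'Error': err.decode(), 'Certificate': nickname}` is followed directly by `data['files'].extend([keyfile, certfile])`, which raises KeyError on any request failure other than exit code 2, and even on the happy path keyfile and certfile are appended to the unapply data when the request did not succeed. Suggest a separate name for the error payload and only extending 'files' and 'templates' when `p.returncode == 0` (or == 2, if the existing-template case is meant to be tracked). The duplicated `ret = Popen([update]).wait()` / 'Failed to run %s' block could also be folded into a small helper shared with the earlier hunk.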


-- 
Samba Shared Repository
