NAS-129123 / 24.10 / Expand error recovery in AD health checks #13781

Merged
merged 1 commit into from
May 29, 2024


anodos325

This primarily adds two new features to our AD health checks

  • Check whether the secrets.tdb file exists and has a valid machine account password. If it's missing, then try to restore from backup.

  • Check whether we have a stored kerberos keytab for the AD domain. If it's missing, reconstruct it from our machine account password in the secrets.tdb file.

This commit also refactors the kerberos plugin to move many methods into general-purpose krb5 utils that can be tested more easily in isolation.


@bugclerk bugclerk changed the title Expand error recovery in AD health checks NAS-129123 / 24.10 / Expand error recovery in AD health checks May 22, 2024

@mgrimesix mgrimesix left a comment


This was not a detailed review. I might circle back.

@anodos325 anodos325 force-pushed the NAS-129123 branch 2 times, most recently from f9271ce to e1aa30c Compare May 26, 2024 12:01

@bmeagherix bmeagherix left a comment


Approving because all comments are suggestions/cleanup, and not essential.


@mgrimesix mgrimesix left a comment


Approve also since most of my suggestions were flake8 fixes.

@anodos325 anodos325 merged commit 0a706f4 into master May 29, 2024
2 of 3 checks passed
@anodos325 anodos325 deleted the NAS-129123 branch May 29, 2024 17:30
@bugclerk

This PR has been merged and conversations have been locked.
If you would like to discuss more about this issue please use our forums or raise a Jira ticket.

@truenas truenas locked as resolved and limited conversation to collaborators May 29, 2024