On 26.08.2011 12:39, Sumit Bose wrote:
> with this patch an initial samba configuration for the AD trust feature
> can be created by calling ipa-adtrust-install. Please be aware that you
> will need a samba/master build to start smbd with the created
> configuration, because only here all the needed features are available.
> Günther is working on a spec file so that we can include a samba package
> in the IPA development repository
> +def parse_options():
> + parser = IPAOptionParser(version=version.VERSION)
> + parser.add_option("-p", "--ds-password", dest="dm_password",
> + sensitive=True, help="admin password")
If this is the only password you need, then make it --password. And it
is Directory Manager's account password, right? Would be nice to change
help to be more explicit.
> + parser.add_option("--ip-address", dest="ip_address",
> + type="ip", ip_local=True, help="Master Server IP
> +def main():
> + safe_options, options = parse_options()
> + if os.getegid() != 0:
> + sys.exit("Must be root to setup AD trusts on server")
> + installutils.check_server_configuration()
> + standard_logging_setup("/var/log/ipaserver-install.log", options.debug,
> + print "\nThe log file for this installation can be found in
> + logging.debug('%s was invoked with options: %s' % (sys.argv,
> + logging.debug("missing options might be asked for interactively later\n")
> + global fstore
> + fstore = sysrestore.FileStore('/var/lib/ipa/sysrestore')
> + print
> + print "This program will setup components neede to establish trust to AD
> domains for"
> + # Check we have a public IP that is associated with the hostname
> + if options.ip_address:
> + ip = options.ip_address
I would also run options.ip_address through ipautil.CheckedIPAddress()
to make sure it is correct and is one of local addresses.
> + else:
> + hostaddr = resolve_host(api.env.host)
> + try:
> + ip = hostaddr and ipautil.CheckedIPAddress(hostaddr,
> + except Exception, e:
> + print "Error: Invalid IP Address %s: %s" % (ip, e)
> + ip = None
> + if not ip:
> + if options.unattended:
> + sys.exit("Unable to resolve IP address for host name")
> + else:
> + ip = read_ip_address(api.env.host, fstore)
> + ip_address = str(ip)
> + logging.debug("will use ip_address: %s\n", ip_address)
And same here. You don't really want to blindly believe into what's entered.
> + print "\tAdditionally you have to make sure the FreeIPA LDAP server
> cannot reached"
> + print "\tby any domain controller in the Active Directory domain by
> closing the"
> + print "\tfollowing ports for these servers:"
> + print "\t\tTCP Ports:"
> + print "\t\t * 389, 636: LDAP/LDAPS"
> + print "\t\tUDP Ports:"
> + print "\t\t * 389: (C)LDAP"
> + print "\tYou may want to choose to REJECT the packages instead of
> DROPing them to"
> diff --git a/ipaserver/install/smbinstance.py
> new file mode 100644
The code in smbinstance.py assumes Samba has been compiled with
/etc/ipa/smb.conf as default configuration file location. Is that correct?
/ Alexander Bokovoy
Freeipa-devel mailing list