Hi,

On 26.08.2011 12:39, Sumit Bose wrote:
> Hi,
> 
> with this patch an initial samba configuration for the AD trust feature
> can be created by calling ipa-adtrust-install. Please be aware that you
> will need a samba/master build to start smbd with the created
> configuration, because only here all the needed features are available.
> G√ľnther is working on a spec file so that we can include a samba package
> in the IPA development repository
> (https://fedorahosted.org/freeipa/ticket/1610).

> +def parse_options():
> +    parser = IPAOptionParser(version=version.VERSION)
> +    parser.add_option("-p", "--ds-password", dest="dm_password",
> +                      sensitive=True, help="admin password")
If this is the only password you need, then make it --password. And it
is Directory Manager's account password, right? Would be nice to change
help to be more explicit.

> +    parser.add_option("--ip-address", dest="ip_address",
> +                      type="ip", ip_local=True, help="Master Server IP 
> Address")

> +def main():
> +    safe_options, options = parse_options()
> +
> +    if os.getegid() != 0:
> +        sys.exit("Must be root to setup AD trusts on server")
> +
> +    installutils.check_server_configuration()
> +
> +    standard_logging_setup("/var/log/ipaserver-install.log", options.debug, 
> filemode='a')
> +    print "\nThe log file for this installation can be found in 
> /var/log/ipaserver-install.log"
> +
> +    logging.debug('%s was invoked with options: %s' % (sys.argv[0], 
> safe_options))
> +    logging.debug("missing options might be asked for interactively later\n")
> +
> +    global fstore
> +    fstore = sysrestore.FileStore('/var/lib/ipa/sysrestore')
> +
> +    print 
> "=============================================================================="
> +    print "This program will setup components neede to establish trust to AD 
> domains for"
Typo: "neede_d_"

> +    # Check we have a public IP that is associated with the hostname
> +    if options.ip_address:
> +        ip = options.ip_address
I would also run options.ip_address through ipautil.CheckedIPAddress()
to make sure it is correct and is one of local addresses.

> +    else:
> +        hostaddr = resolve_host(api.env.host)
> +        try:
> +            ip = hostaddr and ipautil.CheckedIPAddress(hostaddr, 
> match_local=True)
> +        except Exception, e:
> +            print "Error: Invalid IP Address %s: %s" % (ip, e)
> +            ip = None
> +
> +    if not ip:
> +        if options.unattended:
> +            sys.exit("Unable to resolve IP address for host name")
> +        else:
> +            ip = read_ip_address(api.env.host, fstore)
> +    ip_address = str(ip)
> +    logging.debug("will use ip_address: %s\n", ip_address)
And same here. You don't really want to blindly believe into what's entered.

> +    print "\tAdditionally you have to make sure the FreeIPA LDAP server 
> cannot reached"
> +    print "\tby any domain controller in the Active Directory domain by 
> closing the"
> +    print "\tfollowing ports for these servers:"
> +    print "\t\tTCP Ports:"
> +    print "\t\t  * 389, 636: LDAP/LDAPS"
> +    print "\t\tUDP Ports:"
> +    print "\t\t  * 389: (C)LDAP"
> +    print "\tYou may want to choose to REJECT the packages instead of 
> DROPing them to"
s/packages/network packets/

> diff --git a/ipaserver/install/smbinstance.py 
> b/ipaserver/install/smbinstance.py
> new file mode 100644
The code in smbinstance.py assumes Samba has been compiled with
/etc/ipa/smb.conf as default configuration file location. Is that correct?

-- 
/ Alexander Bokovoy

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Reply via email to