On 07/15/2015 04:05 PM, Jan Cholasta wrote:
Dne 15.7.2015 v 16:02 Martin Babinsky napsal(a):
During investigation of https://fedorahosted.org/freeipa/ticket/3993 I
have realized that I can do some guerilla ref*ctoring and move the guts
of `ipa-adtrust-install` to separate module, as we did with CA, KRA, DNS
and friends.
+1
I have put a link to https://fedorahosted.org/freeipa/ticket/4468 to the
commit message, is it OK even if we formally closed the ticket?
To quote the last comment in the ticket: "Please open tickets for
missing functionality that you depend on."
Attaching updated patch with the link to #4468 removed from commit message.
--
Martin^3 Babinsky
From 71d58b685d7ba3050e6d390a9b2d2f94c866fc24 Mon Sep 17 00:00:00 2001
From: Martin Babinsky <mbabi...@redhat.com>
Date: Wed, 15 Jul 2015 15:44:19 +0200
Subject: [PATCH] separate module to handle installation of AD trust related
functionality
This patch is a part of installer rewrite effort. It also sets the stage for
implementing uninstallation logic into 'ipa-adtrust-install'.
https://fedorahosted.org/freeipa/ticket/3993
---
install/tools/ipa-adtrust-install | 377 +--------------------
.../install/adtrust.py | 109 +-----
2 files changed, 10 insertions(+), 476 deletions(-)
copy install/tools/ipa-adtrust-install => ipaserver/install/adtrust.py (78%)
mode change 100755 => 100644
diff --git a/install/tools/ipa-adtrust-install b/install/tools/ipa-adtrust-install
index 5340c31d16ed78da0cb39725d9ae93c76470b698..a33c0f6cfdcad91a94419918cf30b41c17088c0a 100755
--- a/install/tools/ipa-adtrust-install
+++ b/install/tools/ipa-adtrust-install
@@ -21,7 +21,7 @@
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
-from ipaserver.install import adtrustinstance
+from ipaserver.install import adtrust
from ipaserver.install.installutils import *
from ipaserver.install import service
from ipapython import version
@@ -73,140 +73,6 @@ def parse_options():
return safe_options, options
-def netbios_name_error(name):
- print "\nIllegal NetBIOS name [%s].\n" % name
- print "Up to 15 characters and only uppercase ASCII letter and digits are allowed."
-
-def read_netbios_name(netbios_default):
- netbios_name = ""
-
- print "Enter the NetBIOS name for the IPA domain."
- print "Only up to 15 uppercase ASCII letters and digits are allowed."
- print "Example: EXAMPLE."
- print ""
- print ""
- if not netbios_default:
- netbios_default = "EXAMPLE"
- while True:
- netbios_name = ipautil.user_input("NetBIOS domain name", netbios_default, allow_empty = False)
- print ""
- if adtrustinstance.check_netbios_name(netbios_name):
- break
-
- netbios_name_error(netbios_name)
-
- return netbios_name
-
-def read_admin_password(admin_name):
- print "Configuring cross-realm trusts for IPA server requires password for user '%s'." % (admin_name)
- print "This user is a regular system account used for IPA server administration."
- print ""
- admin_password = read_password(admin_name, confirm=False, validate=None)
- return admin_password
-
-def set_and_check_netbios_name(netbios_name, unattended):
- """
- Depending if trust in already configured or not a given NetBIOS domain
- name must be handled differently.
-
- If trust is not configured the given NetBIOS is used or the NetBIOS is
- generated if none was given on the command line.
-
- If trust is already configured the given NetBIOS name is used to reset
- the stored NetBIOS name it it differs from the current one.
- """
-
- flat_name_attr = 'ipantflatname'
- cur_netbios_name = None
- gen_netbios_name = None
- reset_netbios_name = False
- entry = None
-
- try:
- entry = api.Backend.ldap2.get_entry(
- DN(('cn', api.env.domain), api.env.container_cifsdomains,
- ipautil.realm_to_suffix(api.env.realm)),
- [flat_name_attr])
- except errors.NotFound:
- # trust not configured
- pass
- else:
- cur_netbios_name = entry.get(flat_name_attr)[0]
-
- if cur_netbios_name and not netbios_name:
- # keep the current NetBIOS name
- netbios_name = cur_netbios_name
- reset_netbios_name = False
- elif cur_netbios_name and cur_netbios_name != netbios_name:
- # change the NetBIOS name
- print "Current NetBIOS domain name is %s, new name is %s.\n" % \
- (cur_netbios_name, netbios_name)
- print "Please note that changing the NetBIOS name might " \
- "break existing trust relationships."
- if unattended:
- reset_netbios_name = True
- print "NetBIOS domain name will be changed to %s.\n" % \
- netbios_name
- else:
- print "Say 'yes' if the NetBIOS shall be changed and " \
- "'no' if the old one shall be kept."
- reset_netbios_name = ipautil.user_input(
- 'Do you want to reset the NetBIOS domain name?',
- default = False, allow_empty = False)
- if not reset_netbios_name:
- netbios_name = cur_netbios_name
- elif cur_netbios_name and cur_netbios_name == netbios_name:
- # keep the current NetBIOS name
- reset_netbios_name = False
- elif not cur_netbios_name:
- if not netbios_name:
- gen_netbios_name = adtrustinstance.make_netbios_name(api.env.domain)
-
- if entry is not None:
- # Fix existing trust configuration
- print "Trust is configured but no NetBIOS domain name found, " \
- "setting it now."
- reset_netbios_name = True
- else:
- # initial trust configuration
- reset_netbios_name = False
- else:
- # all possible cases should be covered above
- raise Exception('Unexpected state while checking NetBIOS domain name')
-
- if not adtrustinstance.check_netbios_name(netbios_name):
- if unattended and not gen_netbios_name:
- netbios_name_error(netbios_name)
- sys.exit("Aborting installation.")
- else:
- if netbios_name:
- netbios_name_error(netbios_name)
- netbios_name = None
-
- if not unattended and not netbios_name:
- netbios_name = read_netbios_name(gen_netbios_name)
-
- if unattended and not netbios_name and gen_netbios_name:
- netbios_name = gen_netbios_name
-
- return (netbios_name, reset_netbios_name)
-
-def ensure_admin_kinit(admin_name, admin_password):
- try:
- ipautil.run(['kinit', admin_name], stdin=admin_password+'\n')
- except ipautil.CalledProcessError, e:
- print "There was error to automatically re-kinit your admin user ticket."
- return False
- return True
-
-def enable_compat_tree():
- print "Do you want to enable support for trusted domains in Schema Compatibility plugin?"
- print "This will allow clients older than SSSD 1.9 and non-Linux clients to work with trusted users."
- print ""
- enable_compat = ipautil.user_input("Enable trusted domains support in slapi-nis?", default = False, allow_empty = False)
- print ""
- return enable_compat
-
def main():
safe_options, options = parse_options()
@@ -239,10 +105,6 @@ def main():
print "To accept the default shown in brackets, press the Enter key."
print ""
- # Check if samba packages are installed
- if not adtrustinstance.check_inst():
- sys.exit("Aborting installation.")
-
# Initialize the ipalib api
cfg = dict(
in_server=True,
@@ -251,241 +113,8 @@ def main():
api.bootstrap(**cfg)
api.finalize()
- # If domain name and realm does not match, IPA server will not be able
- # to estabilish trust with Active Directory. Print big fat warning.
-
- realm_not_matching_domain = (api.env.domain.upper() != api.env.realm)
-
- if realm_not_matching_domain:
- print("WARNING: Realm name does not match the domain name.\n"
- "You will not be able to estabilish trusts with Active "
- "Directory unless\nthe realm name of the IPA server matches its "
- "domain name.\n\n")
- if not options.unattended:
- if not ipautil.user_input("Do you wish to continue?",
- default = False,
- allow_empty = False):
- sys.exit("Aborting installation.")
-
- # Check if /etc/samba/smb.conf already exists. In case it was not generated
- # by IPA, print a warning that we will break existing configuration.
-
- if adtrustinstance.ipa_smb_conf_exists():
- if not options.unattended:
- print "IPA generated smb.conf detected."
- if not ipautil.user_input("Overwrite smb.conf?",
- default = False,
- allow_empty = False):
- sys.exit("Aborting installation.")
-
- elif os.path.exists(paths.SMB_CONF):
- print("WARNING: The smb.conf already exists. Running "
- "ipa-adtrust-install will break your existing samba "
- "configuration.\n\n")
- if not options.unattended:
- if not ipautil.user_input("Do you wish to continue?",
- default = False,
- allow_empty = False):
- sys.exit("Aborting installation.")
-
- if not options.unattended and not options.enable_compat:
- options.enable_compat = enable_compat_tree()
-
- admin_password = options.admin_password
- if not (options.unattended or admin_password):
- admin_password = read_admin_password(options.admin_name)
-
- admin_kinited = None
- if admin_password:
- admin_kinited = ensure_admin_kinit(options.admin_name, admin_password)
- if not admin_kinited:
- print "Proceeding with credentials that existed before"
-
- try:
- ctx = krbV.default_context()
- ccache = ctx.default_ccache()
- principal = ccache.principal()
- except krbV.Krb5Error, e:
- sys.exit("Must have Kerberos credentials to setup AD trusts on server")
-
- try:
- api.Backend.ldap2.connect(ccache)
- except errors.ACIError, e:
- sys.exit("Outdated Kerberos credentials. Use kdestroy and kinit to update your ticket")
- except errors.DatabaseError, e:
- sys.exit("Cannot connect to the LDAP database. Please check if IPA is running")
-
- try:
- user = api.Command.user_show(unicode(principal[0]))['result']
- group = api.Command.group_show(u'admins')['result']
- if not (user['uid'][0] in group['member_user'] and
- group['cn'][0] in user['memberof_group']):
- raise errors.RequirementError(name='admins group membership')
- except errors.RequirementError, e:
- sys.exit("Must have administrative privileges to setup AD trusts on server")
- except Exception, e:
- sys.exit("Unrecognized error during check of admin rights: %s" % (str(e)))
-
- (netbios_name, reset_netbios_name) = \
- set_and_check_netbios_name(options.netbios_name,
- options.unattended)
-
- if not options.add_sids:
- # The filter corresponds to ipa_sidgen_task.c LDAP search filter
- filter = '(&(objectclass=ipaobject)(!(objectclass=mepmanagedentry))' \
- '(|(objectclass=posixaccount)(objectclass=posixgroup)' \
- '(objectclass=ipaidobject))(!(ipantsecurityidentifier=*)))'
- base_dn = api.env.basedn
- try:
- root_logger.debug("Searching for objects with missing SID with "
- "filter=%s, base_dn=%s", filter, base_dn)
- (entries, truncated) = api.Backend.ldap2.find_entries(filter=filter,
- base_dn=base_dn, attrs_list=[''])
- except errors.NotFound:
- # All objects have SIDs assigned
- pass
- except (errors.DatabaseError, errors.NetworkError), e:
- print "Could not retrieve a list of objects that need a SID identifier assigned:"
- print unicode(e)
- else:
- object_count = len(entries)
- if object_count > 0:
- print ""
- print "WARNING: %d existing users or groups do not have a SID identifier assigned." \
- % len(entries)
- print "Installer can run a task to have ipa-sidgen Directory Server plugin generate"
- print "the SID identifier for all these users. Please note, the in case of a high"
- print "number of users and groups, the operation might lead to high replication"
- print "traffic and performance degradation. Refer to ipa-adtrust-install(1) man page"
- print "for details."
- print ""
- if options.unattended:
- print "Unattended mode was selected, installer will NOT run ipa-sidgen task!"
- else:
- if ipautil.user_input("Do you want to run the ipa-sidgen task?", default=False,
- allow_empty=False):
- options.add_sids = True
-
- if not options.unattended:
- print ""
- print "The following operations may take some minutes to complete."
- print "Please wait until the prompt is returned."
- print ""
-
- smb = adtrustinstance.ADTRUSTInstance(fstore)
- smb.realm = api.env.realm
- smb.autobind = ipaldap.AUTOBIND_ENABLED
- smb.setup(api.env.host, api.env.realm, api.env.domain,
- netbios_name, reset_netbios_name,
- options.rid_base, options.secondary_rid_base,
- options.no_msdcs, options.add_sids,
- enable_compat = options.enable_compat)
- smb.find_local_id_range()
- smb.create_instance()
-
- if options.add_agents:
- # Find out IPA masters which are not part of the cn=adtrust agents
- # and propose them to be added to the list
- base_dn = api.env.basedn
- masters_dn = DN(('cn', 'masters'), ('cn', 'ipa'), ('cn', 'etc'), base_dn)
- agents_dn = DN(('cn', 'adtrust agents'), ('cn', 'sysaccounts'), ('cn', 'etc'), base_dn)
- new_agents = []
- entries_m = []
- entries_a = []
- try:
- # Search only masters which have support for domain levels
- # because only these masters will have SSSD recent enough to support AD trust agents
- (entries_m, truncated) = smb.admin_conn.find_entries(
- filter="(&(objectclass=ipaSupportedDomainLevelConfig)(!(ipaMaxDomainLevel=0)))",
- base_dn=masters_dn, attrs_list=['cn'], scope=ldap.SCOPE_ONELEVEL)
- except errors.NotFound:
- pass
- except (errors.DatabaseError, errors.NetworkError), e:
- print "Could not retrieve a list of existing IPA masters:"
- print unicode(e)
-
- try:
- (entries_a, truncated) = smb.admin_conn.find_entries(filter="",
- base_dn=agents_dn, attrs_list=['member'], scope=ldap.SCOPE_BASE)
- except errors.NotFound:
- pass
- except (errors.DatabaseError, errors.NetworkError), e:
- print "Could not retrieve a list of adtrust agents:"
- print unicode(e)
-
- if len(entries_m) > 0:
- existing_masters = [x['cn'][0] for x in entries_m]
- adtrust_agents = entries_a[0]['member']
- potential_agents = []
- for m in existing_masters:
- mdn = DN(('fqdn', m), api.env.container_host, api.env.basedn)
- found = False
- for a in adtrust_agents:
- if mdn == a:
- found = True
- break
- if not found:
- potential_agents += [[m, mdn]]
-
- object_count = len(potential_agents)
- if object_count > 0:
- print ""
- print "WARNING: %d IPA masters are not yet able to serve information about users from trusted forests." \
- % (object_count)
- print "Installer can add them to the list of IPA masters allowed to access infromation about trusts."
- print "If you choose to do so, you also need to restart LDAP service on those masters."
- print "Refer to ipa-adtrust-install(1) man page for details."
- print ""
- if options.unattended:
- print "Unattended mode was selected, installer will NOT add other IPA masters to the list of allowed to"
- print "access information about trusted forests!"
- else:
- print "Do you want to allow following IPA masters to serve information about users from trusted forests?"
- for (name, dn) in potential_agents:
- if name == api.env.host:
- # Don't add this host here
- # it shouldn't be here as it was added by the adtrustinstance setup code
- continue
- if ipautil.user_input("IPA master [%s]?" % (name), default=False, allow_empty=False):
- new_agents += [[name, dn]]
-
- if len(new_agents) > 0:
- # Add the CIFS and host principals to the 'adtrust agents' group
- # as 389-ds only operates with GroupOfNames, we have to use
- # the principal's proper dn as defined in self.cifs_agent
- service.add_principals_to_group(smb.admin_conn, agents_dn, "member",
- [x[1] for x in new_agents])
- print """
-WARNING: you MUST restart (e.g. ipactl restart) the following IPA masters in order
-to activate them to serve information about users from trusted forests:"""
- for x in new_agents:
- print x[0]
-
- print """
-=============================================================================
-Setup complete
-
-You must make sure these network ports are open:
-\tTCP Ports:
-\t * 138: netbios-dgm
-\t * 139: netbios-ssn
-\t * 445: microsoft-ds
-\tUDP Ports:
-\t * 138: netbios-dgm
-\t * 139: netbios-ssn
-\t * 389: (C)LDAP
-\t * 445: microsoft-ds
-
-=============================================================================
-"""
- if admin_password:
- admin_kinited = ensure_admin_kinit(options.admin_name, admin_password)
-
- if not admin_kinited:
- print """
-WARNING: you MUST re-kinit admin user before using 'ipa trust-*' commands
-family in order to re-generate Kerberos tickets to include AD-specific
-information"""
+ adtrust.install_check(options)
+ adtrust.install(fstore, options)
return 0
diff --git a/install/tools/ipa-adtrust-install b/ipaserver/install/adtrust.py
old mode 100755
new mode 100644
similarity index 78%
copy from install/tools/ipa-adtrust-install
copy to ipaserver/install/adtrust.py
index 5340c31d16ed78da0cb39725d9ae93c76470b698..edf7f962507cf284c579e1eff61cf1819b50d05c
--- a/install/tools/ipa-adtrust-install
+++ b/ipaserver/install/adtrust.py
@@ -1,24 +1,5 @@
-#! /usr/bin/python2
#
-# Authors: Sumit Bose <sb...@redhat.com>
-# Based on ipa-server-install by Karl MacMillan <kmacmil...@mentalrootkit.com>
-# and ipa-dns-install by Martin Nagy
-#
-# Copyright (C) 2011 Red Hat
-# see file 'COPYING' for use and warranty information
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see <http://www.gnu.org/licenses/>.
+# Copyright (C) 2015 FreeIPA Contributors see COPYING for license
#
from ipaserver.install import adtrustinstance
@@ -35,43 +16,6 @@ from ipapython.dn import DN
log_file_name = paths.IPASERVER_INSTALL_LOG
-def parse_options():
- parser = IPAOptionParser(version=version.VERSION)
- parser.add_option("-d", "--debug", dest="debug", action="store_true",
- default=False, help="print debugging information")
- parser.add_option("--netbios-name", dest="netbios_name",
- help="NetBIOS name of the IPA domain")
- parser.add_option("--no-msdcs", dest="no_msdcs", action="store_true",
- default=False, help="Do not create DNS service records " \
- "for Windows in managed DNS server")
- parser.add_option("--rid-base", dest="rid_base", type=int, default=1000,
- help="Start value for mapping UIDs and GIDs to RIDs")
- parser.add_option("--secondary-rid-base", dest="secondary_rid_base",
- type=int, default=100000000,
- help="Start value of the secondary range for mapping " \
- "UIDs and GIDs to RIDs")
- parser.add_option("-U", "--unattended", dest="unattended", action="store_true",
- default=False, help="unattended installation never prompts the user")
- parser.add_option("-a", "--admin-password",
- sensitive=True, dest="admin_password",
- help="admin user kerberos password")
- parser.add_option("-A", "--admin-name",
- sensitive=True, dest="admin_name", default='admin',
- help="admin user principal")
- parser.add_option("--add-sids", dest="add_sids", action="store_true",
- default=False, help="Add SIDs for existing users and" \
- " groups as the final step")
- parser.add_option("--add-agents", dest="add_agents", action="store_true",
- default=False, help="Add IPA masters to a list of hosts allowed to serve" \
- "information about users from trusted forests")
- parser.add_option("--enable-compat",
- dest="enable_compat", default=False, action="store_true",
- help="Enable support for trusted domains for old clients")
-
- options, args = parser.parse_args()
- safe_options = parser.get_safe_opts(options)
-
- return safe_options, options
def netbios_name_error(name):
print "\nIllegal NetBIOS name [%s].\n" % name
@@ -177,7 +121,7 @@ def set_and_check_netbios_name(netbios_name, unattended):
if not adtrustinstance.check_netbios_name(netbios_name):
if unattended and not gen_netbios_name:
netbios_name_error(netbios_name)
- sys.exit("Aborting installation.")
+ raise RuntimeError
else:
if netbios_name:
netbios_name_error(netbios_name)
@@ -208,49 +152,13 @@ def enable_compat_tree():
return enable_compat
-def main():
- safe_options, options = parse_options()
-
- if os.getegid() != 0:
- sys.exit("Must be root to setup AD trusts on server")
-
- standard_logging_setup(log_file_name, debug=options.debug, filemode='a')
- print "\nThe log file for this installation can be found in %s" % log_file_name
-
- root_logger.debug('%s was invoked with options: %s' % (sys.argv[0], safe_options))
- root_logger.debug("missing options might be asked for interactively later\n")
- root_logger.debug('IPA version %s' % version.VENDOR_VERSION)
-
- check_server_configuration()
-
- global fstore
- fstore = sysrestore.FileStore(paths.SYSRESTORE)
-
- print "=============================================================================="
- print "This program will setup components needed to establish trust to AD domains for"
- print "the FreeIPA Server."
- print ""
- print "This includes:"
- print " * Configure Samba"
- print " * Add trust related objects to FreeIPA LDAP server"
- #TODO:
- #print " * Add a SID to all users and Posix groups"
- print ""
- print "To accept the default shown in brackets, press the Enter key."
- print ""
+def install_check(options):
+ global admin_password
# Check if samba packages are installed
if not adtrustinstance.check_inst():
sys.exit("Aborting installation.")
- # Initialize the ipalib api
- cfg = dict(
- in_server=True,
- debug=options.debug,
- )
- api.bootstrap(**cfg)
- api.finalize()
-
# If domain name and realm does not match, IPA server will not be able
# to estabilish trust with Active Directory. Print big fat warning.
@@ -295,6 +203,9 @@ def main():
if not (options.unattended or admin_password):
admin_password = read_admin_password(options.admin_name)
+
+def install(fstore, options):
+
admin_kinited = None
if admin_password:
admin_kinited = ensure_admin_kinit(options.admin_name, admin_password)
@@ -486,9 +397,3 @@ You must make sure these network ports are open:
WARNING: you MUST re-kinit admin user before using 'ipa trust-*' commands
family in order to re-generate Kerberos tickets to include AD-specific
information"""
-
- return 0
-
-if __name__ == '__main__':
- run_script(main, log_file_name=log_file_name,
- operation_name='ipa-adtrust-install')
--
2.4.3
--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code