On 07/15/2015 04:19 PM, Martin Babinsky wrote:
On 07/15/2015 04:05 PM, Jan Cholasta wrote:
Dne 15.7.2015 v 16:02 Martin Babinsky napsal(a):
During investigation of https://fedorahosted.org/freeipa/ticket/3993 I
have realized that I can do some guerilla ref*ctoring and move the guts
of `ipa-adtrust-install` to separate module, as we did with CA, KRA, DNS
and friends.
+1
I have put a link to https://fedorahosted.org/freeipa/ticket/4468 to the
commit message, is it OK even if we formally closed the ticket?
To quote the last comment in the ticket: "Please open tickets for
missing functionality that you depend on."
Attaching updated patch with the link to #4468 removed from commit message.
Git's copy/rename detection can confuse people. That's why I am
attaching a patch generated without passing '-M' and '-C' options to
'git format-patch'.
--
Martin^3 Babinsky
From 4177fd6b1ec692b40ab3f9a6b28f201d8f5e16e0 Mon Sep 17 00:00:00 2001
From: Martin Babinsky <mbabi...@redhat.com>
Date: Wed, 15 Jul 2015 15:44:19 +0200
Subject: [PATCH] separate module to handle installation of AD trust related
functionality
This patch is a part of installer rewrite effort. It also sets the stage for
implementing uninstallation logic into 'ipa-adtrust-install'.
https://fedorahosted.org/freeipa/ticket/3993
---
install/tools/ipa-adtrust-install | 377 +----------------------------------
ipaserver/install/adtrust.py | 399 ++++++++++++++++++++++++++++++++++++++
2 files changed, 402 insertions(+), 374 deletions(-)
create mode 100644 ipaserver/install/adtrust.py
diff --git a/install/tools/ipa-adtrust-install b/install/tools/ipa-adtrust-install
index 5340c31d16ed78da0cb39725d9ae93c76470b698..a33c0f6cfdcad91a94419918cf30b41c17088c0a 100755
--- a/install/tools/ipa-adtrust-install
+++ b/install/tools/ipa-adtrust-install
@@ -21,7 +21,7 @@
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
-from ipaserver.install import adtrustinstance
+from ipaserver.install import adtrust
from ipaserver.install.installutils import *
from ipaserver.install import service
from ipapython import version
@@ -73,140 +73,6 @@ def parse_options():
return safe_options, options
-def netbios_name_error(name):
- print "\nIllegal NetBIOS name [%s].\n" % name
- print "Up to 15 characters and only uppercase ASCII letter and digits are allowed."
-
-def read_netbios_name(netbios_default):
- netbios_name = ""
-
- print "Enter the NetBIOS name for the IPA domain."
- print "Only up to 15 uppercase ASCII letters and digits are allowed."
- print "Example: EXAMPLE."
- print ""
- print ""
- if not netbios_default:
- netbios_default = "EXAMPLE"
- while True:
- netbios_name = ipautil.user_input("NetBIOS domain name", netbios_default, allow_empty = False)
- print ""
- if adtrustinstance.check_netbios_name(netbios_name):
- break
-
- netbios_name_error(netbios_name)
-
- return netbios_name
-
-def read_admin_password(admin_name):
- print "Configuring cross-realm trusts for IPA server requires password for user '%s'." % (admin_name)
- print "This user is a regular system account used for IPA server administration."
- print ""
- admin_password = read_password(admin_name, confirm=False, validate=None)
- return admin_password
-
-def set_and_check_netbios_name(netbios_name, unattended):
- """
- Depending if trust in already configured or not a given NetBIOS domain
- name must be handled differently.
-
- If trust is not configured the given NetBIOS is used or the NetBIOS is
- generated if none was given on the command line.
-
- If trust is already configured the given NetBIOS name is used to reset
- the stored NetBIOS name it it differs from the current one.
- """
-
- flat_name_attr = 'ipantflatname'
- cur_netbios_name = None
- gen_netbios_name = None
- reset_netbios_name = False
- entry = None
-
- try:
- entry = api.Backend.ldap2.get_entry(
- DN(('cn', api.env.domain), api.env.container_cifsdomains,
- ipautil.realm_to_suffix(api.env.realm)),
- [flat_name_attr])
- except errors.NotFound:
- # trust not configured
- pass
- else:
- cur_netbios_name = entry.get(flat_name_attr)[0]
-
- if cur_netbios_name and not netbios_name:
- # keep the current NetBIOS name
- netbios_name = cur_netbios_name
- reset_netbios_name = False
- elif cur_netbios_name and cur_netbios_name != netbios_name:
- # change the NetBIOS name
- print "Current NetBIOS domain name is %s, new name is %s.\n" % \
- (cur_netbios_name, netbios_name)
- print "Please note that changing the NetBIOS name might " \
- "break existing trust relationships."
- if unattended:
- reset_netbios_name = True
- print "NetBIOS domain name will be changed to %s.\n" % \
- netbios_name
- else:
- print "Say 'yes' if the NetBIOS shall be changed and " \
- "'no' if the old one shall be kept."
- reset_netbios_name = ipautil.user_input(
- 'Do you want to reset the NetBIOS domain name?',
- default = False, allow_empty = False)
- if not reset_netbios_name:
- netbios_name = cur_netbios_name
- elif cur_netbios_name and cur_netbios_name == netbios_name:
- # keep the current NetBIOS name
- reset_netbios_name = False
- elif not cur_netbios_name:
- if not netbios_name:
- gen_netbios_name = adtrustinstance.make_netbios_name(api.env.domain)
-
- if entry is not None:
- # Fix existing trust configuration
- print "Trust is configured but no NetBIOS domain name found, " \
- "setting it now."
- reset_netbios_name = True
- else:
- # initial trust configuration
- reset_netbios_name = False
- else:
- # all possible cases should be covered above
- raise Exception('Unexpected state while checking NetBIOS domain name')
-
- if not adtrustinstance.check_netbios_name(netbios_name):
- if unattended and not gen_netbios_name:
- netbios_name_error(netbios_name)
- sys.exit("Aborting installation.")
- else:
- if netbios_name:
- netbios_name_error(netbios_name)
- netbios_name = None
-
- if not unattended and not netbios_name:
- netbios_name = read_netbios_name(gen_netbios_name)
-
- if unattended and not netbios_name and gen_netbios_name:
- netbios_name = gen_netbios_name
-
- return (netbios_name, reset_netbios_name)
-
-def ensure_admin_kinit(admin_name, admin_password):
- try:
- ipautil.run(['kinit', admin_name], stdin=admin_password+'\n')
- except ipautil.CalledProcessError, e:
- print "There was error to automatically re-kinit your admin user ticket."
- return False
- return True
-
-def enable_compat_tree():
- print "Do you want to enable support for trusted domains in Schema Compatibility plugin?"
- print "This will allow clients older than SSSD 1.9 and non-Linux clients to work with trusted users."
- print ""
- enable_compat = ipautil.user_input("Enable trusted domains support in slapi-nis?", default = False, allow_empty = False)
- print ""
- return enable_compat
-
def main():
safe_options, options = parse_options()
@@ -239,10 +105,6 @@ def main():
print "To accept the default shown in brackets, press the Enter key."
print ""
- # Check if samba packages are installed
- if not adtrustinstance.check_inst():
- sys.exit("Aborting installation.")
-
# Initialize the ipalib api
cfg = dict(
in_server=True,
@@ -251,241 +113,8 @@ def main():
api.bootstrap(**cfg)
api.finalize()
- # If domain name and realm does not match, IPA server will not be able
- # to estabilish trust with Active Directory. Print big fat warning.
-
- realm_not_matching_domain = (api.env.domain.upper() != api.env.realm)
-
- if realm_not_matching_domain:
- print("WARNING: Realm name does not match the domain name.\n"
- "You will not be able to estabilish trusts with Active "
- "Directory unless\nthe realm name of the IPA server matches its "
- "domain name.\n\n")
- if not options.unattended:
- if not ipautil.user_input("Do you wish to continue?",
- default = False,
- allow_empty = False):
- sys.exit("Aborting installation.")
-
- # Check if /etc/samba/smb.conf already exists. In case it was not generated
- # by IPA, print a warning that we will break existing configuration.
-
- if adtrustinstance.ipa_smb_conf_exists():
- if not options.unattended:
- print "IPA generated smb.conf detected."
- if not ipautil.user_input("Overwrite smb.conf?",
- default = False,
- allow_empty = False):
- sys.exit("Aborting installation.")
-
- elif os.path.exists(paths.SMB_CONF):
- print("WARNING: The smb.conf already exists. Running "
- "ipa-adtrust-install will break your existing samba "
- "configuration.\n\n")
- if not options.unattended:
- if not ipautil.user_input("Do you wish to continue?",
- default = False,
- allow_empty = False):
- sys.exit("Aborting installation.")
-
- if not options.unattended and not options.enable_compat:
- options.enable_compat = enable_compat_tree()
-
- admin_password = options.admin_password
- if not (options.unattended or admin_password):
- admin_password = read_admin_password(options.admin_name)
-
- admin_kinited = None
- if admin_password:
- admin_kinited = ensure_admin_kinit(options.admin_name, admin_password)
- if not admin_kinited:
- print "Proceeding with credentials that existed before"
-
- try:
- ctx = krbV.default_context()
- ccache = ctx.default_ccache()
- principal = ccache.principal()
- except krbV.Krb5Error, e:
- sys.exit("Must have Kerberos credentials to setup AD trusts on server")
-
- try:
- api.Backend.ldap2.connect(ccache)
- except errors.ACIError, e:
- sys.exit("Outdated Kerberos credentials. Use kdestroy and kinit to update your ticket")
- except errors.DatabaseError, e:
- sys.exit("Cannot connect to the LDAP database. Please check if IPA is running")
-
- try:
- user = api.Command.user_show(unicode(principal[0]))['result']
- group = api.Command.group_show(u'admins')['result']
- if not (user['uid'][0] in group['member_user'] and
- group['cn'][0] in user['memberof_group']):
- raise errors.RequirementError(name='admins group membership')
- except errors.RequirementError, e:
- sys.exit("Must have administrative privileges to setup AD trusts on server")
- except Exception, e:
- sys.exit("Unrecognized error during check of admin rights: %s" % (str(e)))
-
- (netbios_name, reset_netbios_name) = \
- set_and_check_netbios_name(options.netbios_name,
- options.unattended)
-
- if not options.add_sids:
- # The filter corresponds to ipa_sidgen_task.c LDAP search filter
- filter = '(&(objectclass=ipaobject)(!(objectclass=mepmanagedentry))' \
- '(|(objectclass=posixaccount)(objectclass=posixgroup)' \
- '(objectclass=ipaidobject))(!(ipantsecurityidentifier=*)))'
- base_dn = api.env.basedn
- try:
- root_logger.debug("Searching for objects with missing SID with "
- "filter=%s, base_dn=%s", filter, base_dn)
- (entries, truncated) = api.Backend.ldap2.find_entries(filter=filter,
- base_dn=base_dn, attrs_list=[''])
- except errors.NotFound:
- # All objects have SIDs assigned
- pass
- except (errors.DatabaseError, errors.NetworkError), e:
- print "Could not retrieve a list of objects that need a SID identifier assigned:"
- print unicode(e)
- else:
- object_count = len(entries)
- if object_count > 0:
- print ""
- print "WARNING: %d existing users or groups do not have a SID identifier assigned." \
- % len(entries)
- print "Installer can run a task to have ipa-sidgen Directory Server plugin generate"
- print "the SID identifier for all these users. Please note, the in case of a high"
- print "number of users and groups, the operation might lead to high replication"
- print "traffic and performance degradation. Refer to ipa-adtrust-install(1) man page"
- print "for details."
- print ""
- if options.unattended:
- print "Unattended mode was selected, installer will NOT run ipa-sidgen task!"
- else:
- if ipautil.user_input("Do you want to run the ipa-sidgen task?", default=False,
- allow_empty=False):
- options.add_sids = True
-
- if not options.unattended:
- print ""
- print "The following operations may take some minutes to complete."
- print "Please wait until the prompt is returned."
- print ""
-
- smb = adtrustinstance.ADTRUSTInstance(fstore)
- smb.realm = api.env.realm
- smb.autobind = ipaldap.AUTOBIND_ENABLED
- smb.setup(api.env.host, api.env.realm, api.env.domain,
- netbios_name, reset_netbios_name,
- options.rid_base, options.secondary_rid_base,
- options.no_msdcs, options.add_sids,
- enable_compat = options.enable_compat)
- smb.find_local_id_range()
- smb.create_instance()
-
- if options.add_agents:
- # Find out IPA masters which are not part of the cn=adtrust agents
- # and propose them to be added to the list
- base_dn = api.env.basedn
- masters_dn = DN(('cn', 'masters'), ('cn', 'ipa'), ('cn', 'etc'), base_dn)
- agents_dn = DN(('cn', 'adtrust agents'), ('cn', 'sysaccounts'), ('cn', 'etc'), base_dn)
- new_agents = []
- entries_m = []
- entries_a = []
- try:
- # Search only masters which have support for domain levels
- # because only these masters will have SSSD recent enough to support AD trust agents
- (entries_m, truncated) = smb.admin_conn.find_entries(
- filter="(&(objectclass=ipaSupportedDomainLevelConfig)(!(ipaMaxDomainLevel=0)))",
- base_dn=masters_dn, attrs_list=['cn'], scope=ldap.SCOPE_ONELEVEL)
- except errors.NotFound:
- pass
- except (errors.DatabaseError, errors.NetworkError), e:
- print "Could not retrieve a list of existing IPA masters:"
- print unicode(e)
-
- try:
- (entries_a, truncated) = smb.admin_conn.find_entries(filter="",
- base_dn=agents_dn, attrs_list=['member'], scope=ldap.SCOPE_BASE)
- except errors.NotFound:
- pass
- except (errors.DatabaseError, errors.NetworkError), e:
- print "Could not retrieve a list of adtrust agents:"
- print unicode(e)
-
- if len(entries_m) > 0:
- existing_masters = [x['cn'][0] for x in entries_m]
- adtrust_agents = entries_a[0]['member']
- potential_agents = []
- for m in existing_masters:
- mdn = DN(('fqdn', m), api.env.container_host, api.env.basedn)
- found = False
- for a in adtrust_agents:
- if mdn == a:
- found = True
- break
- if not found:
- potential_agents += [[m, mdn]]
-
- object_count = len(potential_agents)
- if object_count > 0:
- print ""
- print "WARNING: %d IPA masters are not yet able to serve information about users from trusted forests." \
- % (object_count)
- print "Installer can add them to the list of IPA masters allowed to access infromation about trusts."
- print "If you choose to do so, you also need to restart LDAP service on those masters."
- print "Refer to ipa-adtrust-install(1) man page for details."
- print ""
- if options.unattended:
- print "Unattended mode was selected, installer will NOT add other IPA masters to the list of allowed to"
- print "access information about trusted forests!"
- else:
- print "Do you want to allow following IPA masters to serve information about users from trusted forests?"
- for (name, dn) in potential_agents:
- if name == api.env.host:
- # Don't add this host here
- # it shouldn't be here as it was added by the adtrustinstance setup code
- continue
- if ipautil.user_input("IPA master [%s]?" % (name), default=False, allow_empty=False):
- new_agents += [[name, dn]]
-
- if len(new_agents) > 0:
- # Add the CIFS and host principals to the 'adtrust agents' group
- # as 389-ds only operates with GroupOfNames, we have to use
- # the principal's proper dn as defined in self.cifs_agent
- service.add_principals_to_group(smb.admin_conn, agents_dn, "member",
- [x[1] for x in new_agents])
- print """
-WARNING: you MUST restart (e.g. ipactl restart) the following IPA masters in order
-to activate them to serve information about users from trusted forests:"""
- for x in new_agents:
- print x[0]
-
- print """
-=============================================================================
-Setup complete
-
-You must make sure these network ports are open:
-\tTCP Ports:
-\t * 138: netbios-dgm
-\t * 139: netbios-ssn
-\t * 445: microsoft-ds
-\tUDP Ports:
-\t * 138: netbios-dgm
-\t * 139: netbios-ssn
-\t * 389: (C)LDAP
-\t * 445: microsoft-ds
-
-=============================================================================
-"""
- if admin_password:
- admin_kinited = ensure_admin_kinit(options.admin_name, admin_password)
-
- if not admin_kinited:
- print """
-WARNING: you MUST re-kinit admin user before using 'ipa trust-*' commands
-family in order to re-generate Kerberos tickets to include AD-specific
-information"""
+ adtrust.install_check(options)
+ adtrust.install(fstore, options)
return 0
diff --git a/ipaserver/install/adtrust.py b/ipaserver/install/adtrust.py
new file mode 100644
index 0000000000000000000000000000000000000000..edf7f962507cf284c579e1eff61cf1819b50d05c
--- /dev/null
+++ b/ipaserver/install/adtrust.py
@@ -0,0 +1,399 @@
+#
+# Copyright (C) 2015 FreeIPA Contributors see COPYING for license
+#
+
+from ipaserver.install import adtrustinstance
+from ipaserver.install.installutils import *
+from ipaserver.install import service
+from ipapython import version
+from ipapython import ipautil, sysrestore, ipaldap
+from ipalib import api, errors, util
+from ipapython.config import IPAOptionParser
+import krbV
+from ipaplatform.paths import paths
+from ipapython.ipa_log_manager import *
+from ipapython.dn import DN
+
+log_file_name = paths.IPASERVER_INSTALL_LOG
+
+
+def netbios_name_error(name):
+ print "\nIllegal NetBIOS name [%s].\n" % name
+ print "Up to 15 characters and only uppercase ASCII letter and digits are allowed."
+
+def read_netbios_name(netbios_default):
+ netbios_name = ""
+
+ print "Enter the NetBIOS name for the IPA domain."
+ print "Only up to 15 uppercase ASCII letters and digits are allowed."
+ print "Example: EXAMPLE."
+ print ""
+ print ""
+ if not netbios_default:
+ netbios_default = "EXAMPLE"
+ while True:
+ netbios_name = ipautil.user_input("NetBIOS domain name", netbios_default, allow_empty = False)
+ print ""
+ if adtrustinstance.check_netbios_name(netbios_name):
+ break
+
+ netbios_name_error(netbios_name)
+
+ return netbios_name
+
+def read_admin_password(admin_name):
+ print "Configuring cross-realm trusts for IPA server requires password for user '%s'." % (admin_name)
+ print "This user is a regular system account used for IPA server administration."
+ print ""
+ admin_password = read_password(admin_name, confirm=False, validate=None)
+ return admin_password
+
+def set_and_check_netbios_name(netbios_name, unattended):
+ """
+ Depending if trust in already configured or not a given NetBIOS domain
+ name must be handled differently.
+
+ If trust is not configured the given NetBIOS is used or the NetBIOS is
+ generated if none was given on the command line.
+
+ If trust is already configured the given NetBIOS name is used to reset
+ the stored NetBIOS name it it differs from the current one.
+ """
+
+ flat_name_attr = 'ipantflatname'
+ cur_netbios_name = None
+ gen_netbios_name = None
+ reset_netbios_name = False
+ entry = None
+
+ try:
+ entry = api.Backend.ldap2.get_entry(
+ DN(('cn', api.env.domain), api.env.container_cifsdomains,
+ ipautil.realm_to_suffix(api.env.realm)),
+ [flat_name_attr])
+ except errors.NotFound:
+ # trust not configured
+ pass
+ else:
+ cur_netbios_name = entry.get(flat_name_attr)[0]
+
+ if cur_netbios_name and not netbios_name:
+ # keep the current NetBIOS name
+ netbios_name = cur_netbios_name
+ reset_netbios_name = False
+ elif cur_netbios_name and cur_netbios_name != netbios_name:
+ # change the NetBIOS name
+ print "Current NetBIOS domain name is %s, new name is %s.\n" % \
+ (cur_netbios_name, netbios_name)
+ print "Please note that changing the NetBIOS name might " \
+ "break existing trust relationships."
+ if unattended:
+ reset_netbios_name = True
+ print "NetBIOS domain name will be changed to %s.\n" % \
+ netbios_name
+ else:
+ print "Say 'yes' if the NetBIOS shall be changed and " \
+ "'no' if the old one shall be kept."
+ reset_netbios_name = ipautil.user_input(
+ 'Do you want to reset the NetBIOS domain name?',
+ default = False, allow_empty = False)
+ if not reset_netbios_name:
+ netbios_name = cur_netbios_name
+ elif cur_netbios_name and cur_netbios_name == netbios_name:
+ # keep the current NetBIOS name
+ reset_netbios_name = False
+ elif not cur_netbios_name:
+ if not netbios_name:
+ gen_netbios_name = adtrustinstance.make_netbios_name(api.env.domain)
+
+ if entry is not None:
+ # Fix existing trust configuration
+ print "Trust is configured but no NetBIOS domain name found, " \
+ "setting it now."
+ reset_netbios_name = True
+ else:
+ # initial trust configuration
+ reset_netbios_name = False
+ else:
+ # all possible cases should be covered above
+ raise Exception('Unexpected state while checking NetBIOS domain name')
+
+ if not adtrustinstance.check_netbios_name(netbios_name):
+ if unattended and not gen_netbios_name:
+ netbios_name_error(netbios_name)
+ raise RuntimeError
+ else:
+ if netbios_name:
+ netbios_name_error(netbios_name)
+ netbios_name = None
+
+ if not unattended and not netbios_name:
+ netbios_name = read_netbios_name(gen_netbios_name)
+
+ if unattended and not netbios_name and gen_netbios_name:
+ netbios_name = gen_netbios_name
+
+ return (netbios_name, reset_netbios_name)
+
+def ensure_admin_kinit(admin_name, admin_password):
+ try:
+ ipautil.run(['kinit', admin_name], stdin=admin_password+'\n')
+ except ipautil.CalledProcessError, e:
+ print "There was error to automatically re-kinit your admin user ticket."
+ return False
+ return True
+
+def enable_compat_tree():
+ print "Do you want to enable support for trusted domains in Schema Compatibility plugin?"
+ print "This will allow clients older than SSSD 1.9 and non-Linux clients to work with trusted users."
+ print ""
+ enable_compat = ipautil.user_input("Enable trusted domains support in slapi-nis?", default = False, allow_empty = False)
+ print ""
+ return enable_compat
+
+
+def install_check(options):
+ global admin_password
+
+ # Check if samba packages are installed
+ if not adtrustinstance.check_inst():
+ sys.exit("Aborting installation.")
+
+ # If domain name and realm does not match, IPA server will not be able
+ # to estabilish trust with Active Directory. Print big fat warning.
+
+ realm_not_matching_domain = (api.env.domain.upper() != api.env.realm)
+
+ if realm_not_matching_domain:
+ print("WARNING: Realm name does not match the domain name.\n"
+ "You will not be able to estabilish trusts with Active "
+ "Directory unless\nthe realm name of the IPA server matches its "
+ "domain name.\n\n")
+ if not options.unattended:
+ if not ipautil.user_input("Do you wish to continue?",
+ default = False,
+ allow_empty = False):
+ sys.exit("Aborting installation.")
+
+ # Check if /etc/samba/smb.conf already exists. In case it was not generated
+ # by IPA, print a warning that we will break existing configuration.
+
+ if adtrustinstance.ipa_smb_conf_exists():
+ if not options.unattended:
+ print "IPA generated smb.conf detected."
+ if not ipautil.user_input("Overwrite smb.conf?",
+ default = False,
+ allow_empty = False):
+ sys.exit("Aborting installation.")
+
+ elif os.path.exists(paths.SMB_CONF):
+ print("WARNING: The smb.conf already exists. Running "
+ "ipa-adtrust-install will break your existing samba "
+ "configuration.\n\n")
+ if not options.unattended:
+ if not ipautil.user_input("Do you wish to continue?",
+ default = False,
+ allow_empty = False):
+ sys.exit("Aborting installation.")
+
+ if not options.unattended and not options.enable_compat:
+ options.enable_compat = enable_compat_tree()
+
+ admin_password = options.admin_password
+ if not (options.unattended or admin_password):
+ admin_password = read_admin_password(options.admin_name)
+
+
+def install(fstore, options):
+
+ admin_kinited = None
+ if admin_password:
+ admin_kinited = ensure_admin_kinit(options.admin_name, admin_password)
+ if not admin_kinited:
+ print "Proceeding with credentials that existed before"
+
+ try:
+ ctx = krbV.default_context()
+ ccache = ctx.default_ccache()
+ principal = ccache.principal()
+ except krbV.Krb5Error, e:
+ sys.exit("Must have Kerberos credentials to setup AD trusts on server")
+
+ try:
+ api.Backend.ldap2.connect(ccache)
+ except errors.ACIError, e:
+ sys.exit("Outdated Kerberos credentials. Use kdestroy and kinit to update your ticket")
+ except errors.DatabaseError, e:
+ sys.exit("Cannot connect to the LDAP database. Please check if IPA is running")
+
+ try:
+ user = api.Command.user_show(unicode(principal[0]))['result']
+ group = api.Command.group_show(u'admins')['result']
+ if not (user['uid'][0] in group['member_user'] and
+ group['cn'][0] in user['memberof_group']):
+ raise errors.RequirementError(name='admins group membership')
+ except errors.RequirementError, e:
+ sys.exit("Must have administrative privileges to setup AD trusts on server")
+ except Exception, e:
+ sys.exit("Unrecognized error during check of admin rights: %s" % (str(e)))
+
+ (netbios_name, reset_netbios_name) = \
+ set_and_check_netbios_name(options.netbios_name,
+ options.unattended)
+
+ if not options.add_sids:
+ # The filter corresponds to ipa_sidgen_task.c LDAP search filter
+ filter = '(&(objectclass=ipaobject)(!(objectclass=mepmanagedentry))' \
+ '(|(objectclass=posixaccount)(objectclass=posixgroup)' \
+ '(objectclass=ipaidobject))(!(ipantsecurityidentifier=*)))'
+ base_dn = api.env.basedn
+ try:
+ root_logger.debug("Searching for objects with missing SID with "
+ "filter=%s, base_dn=%s", filter, base_dn)
+ (entries, truncated) = api.Backend.ldap2.find_entries(filter=filter,
+ base_dn=base_dn, attrs_list=[''])
+ except errors.NotFound:
+ # All objects have SIDs assigned
+ pass
+ except (errors.DatabaseError, errors.NetworkError), e:
+ print "Could not retrieve a list of objects that need a SID identifier assigned:"
+ print unicode(e)
+ else:
+ object_count = len(entries)
+ if object_count > 0:
+ print ""
+ print "WARNING: %d existing users or groups do not have a SID identifier assigned." \
+ % len(entries)
+ print "Installer can run a task to have ipa-sidgen Directory Server plugin generate"
+ print "the SID identifier for all these users. Please note, the in case of a high"
+ print "number of users and groups, the operation might lead to high replication"
+ print "traffic and performance degradation. Refer to ipa-adtrust-install(1) man page"
+ print "for details."
+ print ""
+ if options.unattended:
+ print "Unattended mode was selected, installer will NOT run ipa-sidgen task!"
+ else:
+ if ipautil.user_input("Do you want to run the ipa-sidgen task?", default=False,
+ allow_empty=False):
+ options.add_sids = True
+
+ if not options.unattended:
+ print ""
+ print "The following operations may take some minutes to complete."
+ print "Please wait until the prompt is returned."
+ print ""
+
+ smb = adtrustinstance.ADTRUSTInstance(fstore)
+ smb.realm = api.env.realm
+ smb.autobind = ipaldap.AUTOBIND_ENABLED
+ smb.setup(api.env.host, api.env.realm, api.env.domain,
+ netbios_name, reset_netbios_name,
+ options.rid_base, options.secondary_rid_base,
+ options.no_msdcs, options.add_sids,
+ enable_compat = options.enable_compat)
+ smb.find_local_id_range()
+ smb.create_instance()
+
+ if options.add_agents:
+ # Find out IPA masters which are not part of the cn=adtrust agents
+ # and propose them to be added to the list
+ base_dn = api.env.basedn
+ masters_dn = DN(('cn', 'masters'), ('cn', 'ipa'), ('cn', 'etc'), base_dn)
+ agents_dn = DN(('cn', 'adtrust agents'), ('cn', 'sysaccounts'), ('cn', 'etc'), base_dn)
+ new_agents = []
+ entries_m = []
+ entries_a = []
+ try:
+ # Search only masters which have support for domain levels
+ # because only these masters will have SSSD recent enough to support AD trust agents
+ (entries_m, truncated) = smb.admin_conn.find_entries(
+ filter="(&(objectclass=ipaSupportedDomainLevelConfig)(!(ipaMaxDomainLevel=0)))",
+ base_dn=masters_dn, attrs_list=['cn'], scope=ldap.SCOPE_ONELEVEL)
+ except errors.NotFound:
+ pass
+ except (errors.DatabaseError, errors.NetworkError), e:
+ print "Could not retrieve a list of existing IPA masters:"
+ print unicode(e)
+
+ try:
+ (entries_a, truncated) = smb.admin_conn.find_entries(filter="",
+ base_dn=agents_dn, attrs_list=['member'], scope=ldap.SCOPE_BASE)
+ except errors.NotFound:
+ pass
+ except (errors.DatabaseError, errors.NetworkError), e:
+ print "Could not retrieve a list of adtrust agents:"
+ print unicode(e)
+
+ if len(entries_m) > 0:
+ existing_masters = [x['cn'][0] for x in entries_m]
+ adtrust_agents = entries_a[0]['member']
+ potential_agents = []
+ for m in existing_masters:
+ mdn = DN(('fqdn', m), api.env.container_host, api.env.basedn)
+ found = False
+ for a in adtrust_agents:
+ if mdn == a:
+ found = True
+ break
+ if not found:
+ potential_agents += [[m, mdn]]
+
+ object_count = len(potential_agents)
+ if object_count > 0:
+ print ""
+ print "WARNING: %d IPA masters are not yet able to serve information about users from trusted forests." \
+ % (object_count)
+ print "Installer can add them to the list of IPA masters allowed to access infromation about trusts."
+ print "If you choose to do so, you also need to restart LDAP service on those masters."
+ print "Refer to ipa-adtrust-install(1) man page for details."
+ print ""
+ if options.unattended:
+ print "Unattended mode was selected, installer will NOT add other IPA masters to the list of allowed to"
+ print "access information about trusted forests!"
+ else:
+ print "Do you want to allow following IPA masters to serve information about users from trusted forests?"
+ for (name, dn) in potential_agents:
+ if name == api.env.host:
+ # Don't add this host here
+ # it shouldn't be here as it was added by the adtrustinstance setup code
+ continue
+ if ipautil.user_input("IPA master [%s]?" % (name), default=False, allow_empty=False):
+ new_agents += [[name, dn]]
+
+ if len(new_agents) > 0:
+ # Add the CIFS and host principals to the 'adtrust agents' group
+ # as 389-ds only operates with GroupOfNames, we have to use
+ # the principal's proper dn as defined in self.cifs_agent
+ service.add_principals_to_group(smb.admin_conn, agents_dn, "member",
+ [x[1] for x in new_agents])
+ print """
+WARNING: you MUST restart (e.g. ipactl restart) the following IPA masters in order
+to activate them to serve information about users from trusted forests:"""
+ for x in new_agents:
+ print x[0]
+
+ print """
+=============================================================================
+Setup complete
+
+You must make sure these network ports are open:
+\tTCP Ports:
+\t * 138: netbios-dgm
+\t * 139: netbios-ssn
+\t * 445: microsoft-ds
+\tUDP Ports:
+\t * 138: netbios-dgm
+\t * 139: netbios-ssn
+\t * 389: (C)LDAP
+\t * 445: microsoft-ds
+
+=============================================================================
+"""
+ if admin_password:
+ admin_kinited = ensure_admin_kinit(options.admin_name, admin_password)
+
+ if not admin_kinited:
+ print """
+WARNING: you MUST re-kinit admin user before using 'ipa trust-*' commands
+family in order to re-generate Kerberos tickets to include AD-specific
+information"""
--
2.4.3
--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code