[Freeipa-devel] [freeipa PR#479][synchronized] Merge AD trust installer into composite ones

2017-03-01 Thread martbab 
   URL: https://github.com/freeipa/freeipa/pull/479
Author: martbab
 Title: #479: Merge AD trust installer into composite ones
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/479/head:pr479
git checkout pr479
From 88fa344e3b33b92e7709e323fa139e06968707ab Mon Sep 17 00:00:00 2001
From: Martin Babinsky 
Date: Thu, 16 Feb 2017 14:06:08 +0100
Subject: [PATCH 01/13] Refactor the code checking for missing SIDs

Decompose the individual sub-tasks into separate functions. Also perform
the lookup only when LDAP is connected.

https://fedorahosted.org/freeipa/ticket/6630
---
 ipaserver/install/adtrust.py | 107 ++-
 1 file changed, 64 insertions(+), 43 deletions(-)

diff --git a/ipaserver/install/adtrust.py b/ipaserver/install/adtrust.py
index 92fe031..69e9834 100644
--- a/ipaserver/install/adtrust.py
+++ b/ipaserver/install/adtrust.py
@@ -168,6 +168,69 @@ def check_for_installed_deps():
 raise ScriptError("Aborting installation.")
 
 
+def retrieve_entries_without_sid(api):
+"""
+Retrieve a list of entries without assigned SIDs.
+:returns: a list of entries or an empty list if an error occurs
+"""
+# The filter corresponds to ipa_sidgen_task.c LDAP search filter
+filter = '(&(objectclass=ipaobject)(!(objectclass=mepmanagedentry))' \
+ '(|(objectclass=posixaccount)(objectclass=posixgroup)' \
+ '(objectclass=ipaidobject))(!(ipantsecurityidentifier=*)))'
+base_dn = api.env.basedn
+try:
+root_logger.debug(
+"Searching for objects with missing SID with "
+"filter=%s, base_dn=%s", filter, base_dn)
+entries, _truncated = api.Backend.ldap2.find_entries(
+filter=filter, base_dn=base_dn, attrs_list=[''])
+return entries
+except errors.NotFound:
+# All objects have SIDs assigned
+pass
+except (errors.DatabaseError, errors.NetworkError) as e:
+print("Could not retrieve a list of objects that need a SID "
+  "identifier assigned:")
+print(unicode(e))
+
+return []
+
+
+def retrieve_and_ask_about_sids(api, options):
+entries = []
+if api.Backend.ldap2.isconnected():
+entries = retrieve_entries_without_sid(api)
+else:
+root_logger.debug(
+"LDAP backend not connected, can not retrieve entries "
+"with missing SID")
+
+object_count = len(entries)
+if object_count > 0:
+print("")
+print("WARNING: %d existing users or groups do not have "
+  "a SID identifier assigned." % len(entries))
+print("Installer can run a task to have ipa-sidgen "
+  "Directory Server plugin generate")
+print("the SID identifier for all these users. Please note, "
+  "the in case of a high")
+print("number of users and groups, the operation might "
+  "lead to high replication")
+print("traffic and performance degradation. Refer to "
+  "ipa-adtrust-install(1) man page")
+print("for details.")
+print("")
+if options.unattended:
+print("Unattended mode was selected, installer will "
+  "NOT run ipa-sidgen task!")
+else:
+if ipautil.user_input(
+"Do you want to run the ipa-sidgen task?",
+default=False,
+allow_empty=False):
+options.add_sids = True
+
+
 def install_check(standalone, options, api):
 global netbios_name
 global reset_netbios_name
@@ -225,49 +288,7 @@ def install_check(standalone, options, api):
 options.netbios_name, options.unattended, api)
 
 if not options.add_sids:
-# The filter corresponds to ipa_sidgen_task.c LDAP search filter
-filter = '(&(objectclass=ipaobject)(!(objectclass=mepmanagedentry))' \
- '(|(objectclass=posixaccount)(objectclass=posixgroup)' \
- '(objectclass=ipaidobject))(!(ipantsecurityidentifier=*)))'
-base_dn = api.env.basedn
-try:
-root_logger.debug(
-"Searching for objects with missing SID with "
-"filter=%s, base_dn=%s", filter, base_dn)
-entries, _truncated = api.Backend.ldap2.find_entries(
-filter=filter, base_dn=base_dn, attrs_list=[''])
-except errors.NotFound:
-# All objects have SIDs assigned
-pass
-except (errors.DatabaseError, errors.NetworkError) as e:
-print("Could not retrieve a list of objects that need a SID "
-  "identifier assigned:")
-print(unicode(e))
-else:
-object_count = len(entries)
-if object_count > 0:
-print("")
-print("WARNING: %d existing users or groups do not have "
-

[Freeipa-devel] [freeipa PR#479][synchronized] Merge AD trust installer into composite ones

2017-02-28 Thread martbab 
   URL: https://github.com/freeipa/freeipa/pull/479
Author: martbab
 Title: #479: Merge AD trust installer into composite ones
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/479/head:pr479
git checkout pr479
From 279684608d667d31e919021f4b7ffb397c4a6fcf Mon Sep 17 00:00:00 2001
From: Martin Babinsky 
Date: Thu, 16 Feb 2017 14:06:08 +0100
Subject: [PATCH 01/13] Refactor the code checking for missing SIDs

Decompose the individual sub-tasks into separate functions. Also perform
the lookup only when LDAP is connected.

https://fedorahosted.org/freeipa/ticket/6630
---
 ipaserver/install/adtrust.py | 107 ++-
 1 file changed, 64 insertions(+), 43 deletions(-)

diff --git a/ipaserver/install/adtrust.py b/ipaserver/install/adtrust.py
index 92fe031..69e9834 100644
--- a/ipaserver/install/adtrust.py
+++ b/ipaserver/install/adtrust.py
@@ -168,6 +168,69 @@ def check_for_installed_deps():
 raise ScriptError("Aborting installation.")
 
 
+def retrieve_entries_without_sid(api):
+"""
+Retrieve a list of entries without assigned SIDs.
+:returns: a list of entries or an empty list if an error occurs
+"""
+# The filter corresponds to ipa_sidgen_task.c LDAP search filter
+filter = '(&(objectclass=ipaobject)(!(objectclass=mepmanagedentry))' \
+ '(|(objectclass=posixaccount)(objectclass=posixgroup)' \
+ '(objectclass=ipaidobject))(!(ipantsecurityidentifier=*)))'
+base_dn = api.env.basedn
+try:
+root_logger.debug(
+"Searching for objects with missing SID with "
+"filter=%s, base_dn=%s", filter, base_dn)
+entries, _truncated = api.Backend.ldap2.find_entries(
+filter=filter, base_dn=base_dn, attrs_list=[''])
+return entries
+except errors.NotFound:
+# All objects have SIDs assigned
+pass
+except (errors.DatabaseError, errors.NetworkError) as e:
+print("Could not retrieve a list of objects that need a SID "
+  "identifier assigned:")
+print(unicode(e))
+
+return []
+
+
+def retrieve_and_ask_about_sids(api, options):
+entries = []
+if api.Backend.ldap2.isconnected():
+entries = retrieve_entries_without_sid(api)
+else:
+root_logger.debug(
+"LDAP backend not connected, can not retrieve entries "
+"with missing SID")
+
+object_count = len(entries)
+if object_count > 0:
+print("")
+print("WARNING: %d existing users or groups do not have "
+  "a SID identifier assigned." % len(entries))
+print("Installer can run a task to have ipa-sidgen "
+  "Directory Server plugin generate")
+print("the SID identifier for all these users. Please note, "
+  "the in case of a high")
+print("number of users and groups, the operation might "
+  "lead to high replication")
+print("traffic and performance degradation. Refer to "
+  "ipa-adtrust-install(1) man page")
+print("for details.")
+print("")
+if options.unattended:
+print("Unattended mode was selected, installer will "
+  "NOT run ipa-sidgen task!")
+else:
+if ipautil.user_input(
+"Do you want to run the ipa-sidgen task?",
+default=False,
+allow_empty=False):
+options.add_sids = True
+
+
 def install_check(standalone, options, api):
 global netbios_name
 global reset_netbios_name
@@ -225,49 +288,7 @@ def install_check(standalone, options, api):
 options.netbios_name, options.unattended, api)
 
 if not options.add_sids:
-# The filter corresponds to ipa_sidgen_task.c LDAP search filter
-filter = '(&(objectclass=ipaobject)(!(objectclass=mepmanagedentry))' \
- '(|(objectclass=posixaccount)(objectclass=posixgroup)' \
- '(objectclass=ipaidobject))(!(ipantsecurityidentifier=*)))'
-base_dn = api.env.basedn
-try:
-root_logger.debug(
-"Searching for objects with missing SID with "
-"filter=%s, base_dn=%s", filter, base_dn)
-entries, _truncated = api.Backend.ldap2.find_entries(
-filter=filter, base_dn=base_dn, attrs_list=[''])
-except errors.NotFound:
-# All objects have SIDs assigned
-pass
-except (errors.DatabaseError, errors.NetworkError) as e:
-print("Could not retrieve a list of objects that need a SID "
-  "identifier assigned:")
-print(unicode(e))
-else:
-object_count = len(entries)
-if object_count > 0:
-print("")
-print("WARNING: %d existing users or groups do not have "
-

[Freeipa-devel] [freeipa PR#479][synchronized] Merge AD trust installer into composite ones

2017-02-23 Thread martbab 
   URL: https://github.com/freeipa/freeipa/pull/479
Author: martbab
 Title: #479: Merge AD trust installer into composite ones
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/479/head:pr479
git checkout pr479
From e24d7ffe6978328738cf37c69cd522a2324f0343 Mon Sep 17 00:00:00 2001
From: Martin Babinsky 
Date: Thu, 16 Feb 2017 14:06:08 +0100
Subject: [PATCH 01/12] Refactor the code checking for missing SIDs

Decompose the individual sub-tasks into separate functions. Also perform
the lookup only when LDAP is connected.

https://fedorahosted.org/freeipa/ticket/6630
---
 ipaserver/install/adtrust.py | 107 ++-
 1 file changed, 64 insertions(+), 43 deletions(-)

diff --git a/ipaserver/install/adtrust.py b/ipaserver/install/adtrust.py
index 92fe031..69e9834 100644
--- a/ipaserver/install/adtrust.py
+++ b/ipaserver/install/adtrust.py
@@ -168,6 +168,69 @@ def check_for_installed_deps():
 raise ScriptError("Aborting installation.")
 
 
+def retrieve_entries_without_sid(api):
+"""
+Retrieve a list of entries without assigned SIDs.
+:returns: a list of entries or an empty list if an error occurs
+"""
+# The filter corresponds to ipa_sidgen_task.c LDAP search filter
+filter = '(&(objectclass=ipaobject)(!(objectclass=mepmanagedentry))' \
+ '(|(objectclass=posixaccount)(objectclass=posixgroup)' \
+ '(objectclass=ipaidobject))(!(ipantsecurityidentifier=*)))'
+base_dn = api.env.basedn
+try:
+root_logger.debug(
+"Searching for objects with missing SID with "
+"filter=%s, base_dn=%s", filter, base_dn)
+entries, _truncated = api.Backend.ldap2.find_entries(
+filter=filter, base_dn=base_dn, attrs_list=[''])
+return entries
+except errors.NotFound:
+# All objects have SIDs assigned
+pass
+except (errors.DatabaseError, errors.NetworkError) as e:
+print("Could not retrieve a list of objects that need a SID "
+  "identifier assigned:")
+print(unicode(e))
+
+return []
+
+
+def retrieve_and_ask_about_sids(api, options):
+entries = []
+if api.Backend.ldap2.isconnected():
+entries = retrieve_entries_without_sid(api)
+else:
+root_logger.debug(
+"LDAP backend not connected, can not retrieve entries "
+"with missing SID")
+
+object_count = len(entries)
+if object_count > 0:
+print("")
+print("WARNING: %d existing users or groups do not have "
+  "a SID identifier assigned." % len(entries))
+print("Installer can run a task to have ipa-sidgen "
+  "Directory Server plugin generate")
+print("the SID identifier for all these users. Please note, "
+  "the in case of a high")
+print("number of users and groups, the operation might "
+  "lead to high replication")
+print("traffic and performance degradation. Refer to "
+  "ipa-adtrust-install(1) man page")
+print("for details.")
+print("")
+if options.unattended:
+print("Unattended mode was selected, installer will "
+  "NOT run ipa-sidgen task!")
+else:
+if ipautil.user_input(
+"Do you want to run the ipa-sidgen task?",
+default=False,
+allow_empty=False):
+options.add_sids = True
+
+
 def install_check(standalone, options, api):
 global netbios_name
 global reset_netbios_name
@@ -225,49 +288,7 @@ def install_check(standalone, options, api):
 options.netbios_name, options.unattended, api)
 
 if not options.add_sids:
-# The filter corresponds to ipa_sidgen_task.c LDAP search filter
-filter = '(&(objectclass=ipaobject)(!(objectclass=mepmanagedentry))' \
- '(|(objectclass=posixaccount)(objectclass=posixgroup)' \
- '(objectclass=ipaidobject))(!(ipantsecurityidentifier=*)))'
-base_dn = api.env.basedn
-try:
-root_logger.debug(
-"Searching for objects with missing SID with "
-"filter=%s, base_dn=%s", filter, base_dn)
-entries, _truncated = api.Backend.ldap2.find_entries(
-filter=filter, base_dn=base_dn, attrs_list=[''])
-except errors.NotFound:
-# All objects have SIDs assigned
-pass
-except (errors.DatabaseError, errors.NetworkError) as e:
-print("Could not retrieve a list of objects that need a SID "
-  "identifier assigned:")
-print(unicode(e))
-else:
-object_count = len(entries)
-if object_count > 0:
-print("")
-print("WARNING: %d existing users or groups do not have "
-

[Freeipa-devel] [freeipa PR#479][synchronized] Merge AD trust installer into composite ones

2017-02-22 Thread martbab 
   URL: https://github.com/freeipa/freeipa/pull/479
Author: martbab
 Title: #479: Merge AD trust installer into composite ones
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/479/head:pr479
git checkout pr479
From befb5e97602d1e523157b503d33a3ca8f8f84a9d Mon Sep 17 00:00:00 2001
From: Martin Babinsky 
Date: Fri, 3 Feb 2017 17:14:20 +0100
Subject: [PATCH 01/16] allow for more flexibility when requesting service
 keytab

The service installers can now override the methods for cleaning up
stale keytabs and changing file ownership of the newly acquired keytabs.

The default actions should be usable by most installers without specific
overriding.

https://fedorahosted.org/freeipa/ticket/6638
---
 ipaserver/install/service.py | 41 ++---
 1 file changed, 26 insertions(+), 15 deletions(-)

diff --git a/ipaserver/install/service.py b/ipaserver/install/service.py
index b9d1ffc..80bb4bb 100644
--- a/ipaserver/install/service.py
+++ b/ipaserver/install/service.py
@@ -540,22 +540,35 @@ def _add_service_principal(self):
 except errors.DuplicateEntry:
 pass
 
+def clean_previous_keytab(self, keytab=None):
+if keytab is None:
+keytab = self.keytab
+
+self.fstore.backup_file(keytab)
+try:
+os.unlink(keytab)
+except OSError:
+pass
+
+def set_keytab_owner(self, keytab=None, owner=None):
+if keytab is None:
+keytab = self.keytab
+if owner is None:
+owner = self.service_user
+
+pent = pwd.getpwnam(owner)
+os.chown(keytab, pent.pw_uid, pent.pw_gid)
+
 def run_getkeytab(self, ldap_uri, keytab, principal, retrieve=False):
 """
-backup and remove old service keytab (if present) and fetch a new one
-using ipa-getkeytab. This assumes that the service principal is already
-created in LDAP. By default GSSAPI authentication is used unless:
+retrieve service keytab using ipa-getkeytab. This assumes that the
+service principal is already created in LDAP. By default GSSAPI
+authentication is used unless:
 * LDAPI socket is used and effective process UID is 0, then
   autobind is used by EXTERNAL SASL mech
 * self.dm_password is not none, then DM credentials are used to
   fetch keytab
 """
-self.fstore.backup_file(keytab)
-try:
-os.unlink(keytab)
-except OSError:
-pass
-
 args = [paths.IPA_GETKEYTAB,
 '-k', keytab,
 '-p', principal,
@@ -576,17 +589,15 @@ def run_getkeytab(self, ldap_uri, keytab, principal, retrieve=False):
 ipautil.run(args, nolog=nolog)
 
 def _request_service_keytab(self):
-if any(attr is None for attr in (self.principal, self.keytab,
- self.service_user)):
+if any(attr is None for attr in (self.principal, self.keytab)):
 raise NotImplementedError(
 "service must have defined principal "
-"name, keytab, and username")
+"name and keytab")
 
 self._add_service_principal()
+self.clean_previous_keytab()
 self.run_getkeytab(self.api.env.ldap_uri, self.keytab, self.principal)
-
-pent = pwd.getpwnam(self.keytab_user)
-os.chown(self.keytab, pent.pw_uid, pent.pw_gid)
+self.set_keytab_owner()
 
 
 class SimpleServiceInstance(Service):

From 54a7975465e965efc677e5e6efde2be239ac25d3 Mon Sep 17 00:00:00 2001
From: Martin Babinsky 
Date: Fri, 17 Feb 2017 14:31:55 +0100
Subject: [PATCH 02/16] Make request_service_keytab into a public method

a cosmetic change: we had private method comprising of calls to public
ones, which did not make much sense in our case

https://fedorahosted.org/freeipa/ticket/6638
---
 ipaserver/install/dsinstance.py   | 6 +++---
 ipaserver/install/httpinstance.py | 2 +-
 ipaserver/install/service.py  | 2 +-
 3 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
index 9172b65..bf80ae0 100644
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@@ -393,7 +393,7 @@ def create_replica(self, realm_name, master_fqdn, fqdn,
 self.__common_setup(enable_ssl=(not self.promote))
 self.step("restarting directory server", self.__restart_instance)
 
-self.step("creating DS keytab", self._request_service_keytab)
+self.step("creating DS keytab", self.request_service_keytab)
 if self.promote:
 if self.pkcs12_info:
 self.step("configuring TLS for DS instance", self.__enable_ssl)
@@ -1221,8 +1221,8 @@ def __set_domain_level(self):
 if self.domainlevel is not None:
 self._ldap_mod("domainlevel.ldif",