websms/freeipa
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Imported Upstream version 4.8.10

Browse Source
This commit is contained in:
Mario Fetka
2021-10-03 11:06:28 +02:00
parent 10dfc9587b
commit 03a8170b15
2361 changed files with 1883897 additions and 338759 deletions
Download Patch File Download Diff File Expand all files Collapse all files

67
install/tools/Makefile.am
View File

@@ -4,34 +4,83 @@ SUBDIRS = \
man \
$(NULL)
sbin_SCRIPTS = \
dist_noinst_DATA = \
ipa-ca-install.in \
ipa-dns-install.in \
ipa-kra-install.in \
ipa-server-install.in \
ipa-adtrust-install.in \
ipa-replica-conncheck.in \
ipa-replica-install.in \
ipa-replica-manage.in \
ipa-csreplica-manage.in \
ipa-server-certinstall.in \
ipa-server-upgrade.in \
ipactl.in \
ipa-compat-manage.in \
ipa-nis-manage.in \
ipa-managed-entries.in \
ipa-ldap-updater.in \
ipa-otptoken-import.in \
ipa-backup.in \
ipa-restore.in \
ipa-advise.in \
ipa-cacert-manage.in \
ipa-winsync-migrate.in \
ipa-pkinit-manage.in \
ipa-crlgen-manage.in \
ipa-cert-fix.in \
ipa-custodia.in \
ipa-custodia-check.in \
ipa-httpd-kdcproxy.in \
ipa-httpd-pwdreader.in \
ipa-pki-retrieve-key.in \
ipa-pki-wait-running.in \
$(NULL)
nodist_sbin_SCRIPTS = \
ipa-ca-install \
ipa-dns-install \
ipa-kra-install \
ipa-server-install \
ipa-adtrust-install \
ipa-replica-conncheck \
ipa-replica-install \
ipa-replica-prepare \
ipa-replica-manage \
ipa-csreplica-manage \
ipa-server-certinstall \
ipa-server-upgrade \
ipactl \
ipa-compat-manage \
ipa-nis-manage \
ipa-managed-entries \
ipa-ldap-updater \
ipa-otptoken-import \
ipa-upgradeconfig \
ipa-backup \
ipa-restore \
ipa-advise \
ipa-cacert-manage \
ipa-winsync-migrate \
ipa-pkinit-manage \
ipa-crlgen-manage \
ipa-cert-fix \
$(NULL)
EXTRA_DIST = \
README \
$(sbin_SCRIPTS) \
appdir = $(libexecdir)/ipa/
nodist_app_SCRIPTS = \
ipa-custodia \
ipa-custodia-check \
ipa-httpd-kdcproxy \
ipa-httpd-pwdreader \
ipa-pki-retrieve-key \
ipa-pki-wait-running \
$(NULL)
MAINTAINERCLEANFILES = \
*~ \
Makefile.in
PYTHON_SHEBANG = \
$(nodist_sbin_SCRIPTS) \
$(nodist_app_SCRIPTS) \
$(NULL)
CLEANFILES = $(PYTHON_SHEBANG)
include $(top_srcdir)/Makefile.pythonscripts.am

376
install/tools/Makefile.in
View File

@@ -1,7 +1,7 @@
# Makefile.in generated by automake 1.14.1 from Makefile.am.
# Makefile.in generated by automake 1.16.2 from Makefile.am.
# @configure_input@
# Copyright (C) 1994-2013 Free Software Foundation, Inc.
# Copyright (C) 1994-2020 Free Software Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
@@ -14,8 +14,19 @@
@SET_MAKE@
VPATH = @srcdir@
am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)'
am__is_gnu_make = { \
if test -z '$(MAKELEVEL)'; then \
false; \
elif test -n '$(MAKE_HOST)'; then \
true; \
elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \
true; \
else \
false; \
fi; \
}
am__make_running_with_option = \
case $${target_option-} in \
?) ;; \
@@ -76,13 +87,23 @@ POST_INSTALL = :
NORMAL_UNINSTALL = :
PRE_UNINSTALL = :
POST_UNINSTALL = :
subdir = tools
DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am
build_triplet = @build@
host_triplet = @host@
subdir = install/tools
ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
am__aclocal_m4_deps = $(top_srcdir)/../version.m4 \
$(top_srcdir)/configure.ac
am__aclocal_m4_deps = $(top_srcdir)/m4/gettext.m4 \
$(top_srcdir)/m4/iconv.m4 $(top_srcdir)/m4/intlmacosx.m4 \
$(top_srcdir)/m4/lib-ld.m4 $(top_srcdir)/m4/lib-link.m4 \
$(top_srcdir)/m4/lib-prefix.m4 $(top_srcdir)/m4/libtool.m4 \
$(top_srcdir)/m4/ltoptions.m4 $(top_srcdir)/m4/ltsugar.m4 \
$(top_srcdir)/m4/ltversion.m4 $(top_srcdir)/m4/lt~obsolete.m4 \
$(top_srcdir)/m4/nls.m4 $(top_srcdir)/m4/po.m4 \
$(top_srcdir)/m4/progtest.m4 $(top_srcdir)/VERSION.m4 \
$(top_srcdir)/server.m4 $(top_srcdir)/configure.ac
am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
$(ACLOCAL_M4)
DIST_COMMON = $(srcdir)/Makefile.am $(dist_noinst_DATA) \
$(am__DIST_COMMON)
mkinstalldirs = $(install_sh) -d
CONFIG_HEADER = $(top_builddir)/config.h
CONFIG_CLEAN_FILES =
@@ -114,8 +135,8 @@ am__uninstall_files_from_dir = { \
|| { echo " ( cd '$$dir' && rm -f" $$files ")"; \
$(am__cd) "$$dir" && rm -f $$files; }; \
}
am__installdirs = "$(DESTDIR)$(sbindir)"
SCRIPTS = $(sbin_SCRIPTS)
am__installdirs = "$(DESTDIR)$(appdir)" "$(DESTDIR)$(sbindir)"
SCRIPTS = $(nodist_app_SCRIPTS) $(nodist_sbin_SCRIPTS)
AM_V_P = $(am__v_P_@AM_V@)
am__v_P_ = $(am__v_P_@AM_DEFAULT_V@)
am__v_P_0 = false
@@ -143,6 +164,7 @@ am__can_run_installinfo = \
n|no|NO) false;; \
*) (install-info --version) >/dev/null 2>&1;; \
esac
DATA = $(dist_noinst_DATA)
RECURSIVE_CLEAN_TARGETS = mostlyclean-recursive clean-recursive \
distclean-recursive maintainer-clean-recursive
am__recursive_targets = \
@@ -150,7 +172,7 @@ am__recursive_targets = \
$(RECURSIVE_CLEAN_TARGETS) \
$(am__extra_recursive_targets)
AM_RECURSIVE_TARGETS = $(am__recursive_targets:-recursive=) TAGS CTAGS \
distdir
distdir distdir-am
am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP)
# Read a list of newline-separated strings from the standard input,
# and print each of them once, without duplicates. Input order is
@@ -171,6 +193,8 @@ am__define_uniq_tagged_files = \
ETAGS = etags
CTAGS = ctags
DIST_SUBDIRS = $(SUBDIRS)
am__DIST_COMMON = $(srcdir)/Makefile.in \
$(top_srcdir)/Makefile.pythonscripts.am
DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
am__relativize = \
dir0=`pwd`; \
@@ -200,34 +224,111 @@ am__relativize = \
ACLOCAL = @ACLOCAL@
AMTAR = @AMTAR@
AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
API_VERSION = @API_VERSION@
AR = @AR@
AUTOCONF = @AUTOCONF@
AUTOHEADER = @AUTOHEADER@
AUTOMAKE = @AUTOMAKE@
AWK = @AWK@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
CMOCKA_CFLAGS = @CMOCKA_CFLAGS@
CMOCKA_LIBS = @CMOCKA_LIBS@
CONFIG_STATUS = @CONFIG_STATUS@
CPP = @CPP@
CPPFLAGS = @CPPFLAGS@
CRYPTO_CFLAGS = @CRYPTO_CFLAGS@
CRYPTO_LIBS = @CRYPTO_LIBS@
CYGPATH_W = @CYGPATH_W@
DATA_VERSION = @DATA_VERSION@
DEFS = @DEFS@
DEPDIR = @DEPDIR@
DIRSRV_CFLAGS = @DIRSRV_CFLAGS@
DIRSRV_LIBS = @DIRSRV_LIBS@
DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
EGREP = @EGREP@
EXEEXT = @EXEEXT@
FGREP = @FGREP@
GETTEXT_DOMAIN = @GETTEXT_DOMAIN@
GETTEXT_MACRO_VERSION = @GETTEXT_MACRO_VERSION@
GIT_BRANCH = @GIT_BRANCH@
GIT_VERSION = @GIT_VERSION@
GMSGFMT = @GMSGFMT@
GMSGFMT_015 = @GMSGFMT_015@
GREP = @GREP@
INI_CFLAGS = @INI_CFLAGS@
INI_LIBS = @INI_LIBS@
INSTALL = @INSTALL@
INSTALL_DATA = @INSTALL_DATA@
INSTALL_PROGRAM = @INSTALL_PROGRAM@
INSTALL_SCRIPT = @INSTALL_SCRIPT@
INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
INTLLIBS = @INTLLIBS@
INTL_MACOSX_LIBS = @INTL_MACOSX_LIBS@
IPAPLATFORM = @IPAPLATFORM@
IPA_DATA_DIR = @IPA_DATA_DIR@
IPA_SYSCONF_DIR = @IPA_SYSCONF_DIR@
JSLINT = @JSLINT@
KRAD_LIBS = @KRAD_LIBS@
KRB5KDC_SERVICE = @KRB5KDC_SERVICE@
KRB5_CFLAGS = @KRB5_CFLAGS@
KRB5_GSSAPI_CFLAGS = @KRB5_GSSAPI_CFLAGS@
KRB5_GSSAPI_LIBS = @KRB5_GSSAPI_LIBS@
KRB5_LIBS = @KRB5_LIBS@
LD = @LD@
LDAP_CFLAGS = @LDAP_CFLAGS@
LDAP_LIBS = @LDAP_LIBS@
LDFLAGS = @LDFLAGS@
LIBICONV = @LIBICONV@
LIBINTL = @LIBINTL@
LIBINTL_LIBS = @LIBINTL_LIBS@
LIBOBJS = @LIBOBJS@
LIBPDB_NAME = @LIBPDB_NAME@
LIBS = @LIBS@
LIBTOOL = @LIBTOOL@
LIBVERTO_CFLAGS = @LIBVERTO_CFLAGS@
LIBVERTO_LIBS = @LIBVERTO_LIBS@
LIPO = @LIPO@
LN_S = @LN_S@
LTLIBICONV = @LTLIBICONV@
LTLIBINTL = @LTLIBINTL@
LTLIBOBJS = @LTLIBOBJS@
MAINT = @MAINT@
LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@
MAKEINFO = @MAKEINFO@
MANIFEST_TOOL = @MANIFEST_TOOL@
MKDIR_P = @MKDIR_P@
MK_ASSIGN = @MK_ASSIGN@
MK_ELSE = @MK_ELSE@
MK_ENDIF = @MK_ENDIF@
MK_IFEQ = @MK_IFEQ@
MSGATTRIB = @MSGATTRIB@
MSGCMP = @MSGCMP@
MSGFMT = @MSGFMT@
MSGINIT = @MSGINIT@
MSGFMT_015 = @MSGFMT_015@
MSGMERGE = @MSGMERGE@
NAMED_GROUP = @NAMED_GROUP@
NDRNBT_CFLAGS = @NDRNBT_CFLAGS@
NDRNBT_LIBS = @NDRNBT_LIBS@
NDRPAC_CFLAGS = @NDRPAC_CFLAGS@
NDRPAC_LIBS = @NDRPAC_LIBS@
NDR_CFLAGS = @NDR_CFLAGS@
NDR_LIBS = @NDR_LIBS@
NM = @NM@
NMEDIT = @NMEDIT@
NSPR_CFLAGS = @NSPR_CFLAGS@
NSPR_LIBS = @NSPR_LIBS@
NUM_VERSION = @NUM_VERSION@
OBJDUMP = @OBJDUMP@
OBJEXT = @OBJEXT@
ODS_GROUP = @ODS_GROUP@
ODS_USER = @ODS_USER@
OTOOL = @OTOOL@
OTOOL64 = @OTOOL64@
PACKAGE = @PACKAGE@
PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
PACKAGE_NAME = @PACKAGE_NAME@
@@ -236,33 +337,87 @@ PACKAGE_TARNAME = @PACKAGE_TARNAME@
PACKAGE_URL = @PACKAGE_URL@
PACKAGE_VERSION = @PACKAGE_VERSION@
PATH_SEPARATOR = @PATH_SEPARATOR@
PKG_CONFIG = @PKG_CONFIG@
PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PLATFORM_PYTHON = @PLATFORM_PYTHON@
POPT_CFLAGS = @POPT_CFLAGS@
POPT_LIBS = @POPT_LIBS@
POSUB = @POSUB@
PYLINT = @PYLINT@
PYTHON = @PYTHON@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_INSTALL_EXTRA_OPTIONS = @PYTHON_INSTALL_EXTRA_OPTIONS@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
PYTHON_PREFIX = @PYTHON_PREFIX@
PYTHON_VERSION = @PYTHON_VERSION@
RANLIB = @RANLIB@
SAMBA40EXTRA_LIBPATH = @SAMBA40EXTRA_LIBPATH@
SAMBAUTIL_CFLAGS = @SAMBAUTIL_CFLAGS@
SAMBAUTIL_LIBS = @SAMBAUTIL_LIBS@
SASL_CFLAGS = @SASL_CFLAGS@
SASL_LIBS = @SASL_LIBS@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
SSSCERTMAP_CFLAGS = @SSSCERTMAP_CFLAGS@
SSSCERTMAP_LIBS = @SSSCERTMAP_LIBS@
SSSIDMAP_CFLAGS = @SSSIDMAP_CFLAGS@
SSSIDMAP_LIBS = @SSSIDMAP_LIBS@
SSSNSSIDMAP_CFLAGS = @SSSNSSIDMAP_CFLAGS@
SSSNSSIDMAP_LIBS = @SSSNSSIDMAP_LIBS@
STRIP = @STRIP@
TX = @TX@
TALLOC_CFLAGS = @TALLOC_CFLAGS@
TALLOC_LIBS = @TALLOC_LIBS@
TEVENT_CFLAGS = @TEVENT_CFLAGS@
TEVENT_LIBS = @TEVENT_LIBS@
UNISTRING_LIBS = @UNISTRING_LIBS@
UNLINK = @UNLINK@
USE_NLS = @USE_NLS@
UUID_CFLAGS = @UUID_CFLAGS@
UUID_LIBS = @UUID_LIBS@
VENDOR_SUFFIX = @VENDOR_SUFFIX@
VERSION = @VERSION@
XGETTEXT = @XGETTEXT@
XGETTEXT_015 = @XGETTEXT_015@
XGETTEXT_EXTRA_OPTIONS = @XGETTEXT_EXTRA_OPTIONS@
XMLRPC_CFLAGS = @XMLRPC_CFLAGS@
XMLRPC_LIBS = @XMLRPC_LIBS@
abs_builddir = @abs_builddir@
abs_srcdir = @abs_srcdir@
abs_top_builddir = @abs_top_builddir@
abs_top_srcdir = @abs_top_srcdir@
ac_ct_AR = @ac_ct_AR@
ac_ct_CC = @ac_ct_CC@
ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
am__include = @am__include@
am__leading_dot = @am__leading_dot@
am__quote = @am__quote@
am__tar = @am__tar@
am__untar = @am__untar@
bindir = @bindir@
build = @build@
build_alias = @build_alias@
build_cpu = @build_cpu@
build_os = @build_os@
build_vendor = @build_vendor@
builddir = @builddir@
datadir = @datadir@
datarootdir = @datarootdir@
docdir = @docdir@
dvidir = @dvidir@
exec_prefix = @exec_prefix@
host = @host@
host_alias = @host_alias@
host_cpu = @host_cpu@
host_os = @host_os@
host_vendor = @host_vendor@
htmldir = @htmldir@
i18ntests = @i18ntests@
includedir = @includedir@
infodir = @infodir@
install_sh = @install_sh@
krb5rundir = @krb5rundir@
libdir = @libdir@
libexecdir = @libexecdir@
localedir = @localedir@
@@ -271,13 +426,22 @@ mandir = @mandir@
mkdir_p = @mkdir_p@
oldincludedir = @oldincludedir@
pdfdir = @pdfdir@
pkgpyexecdir = @pkgpyexecdir@
pkgpythondir = @pkgpythondir@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
pyexecdir = @pyexecdir@
pythondir = @pythondir@
runstatedir = @runstatedir@
sbindir = @sbindir@
selinux_makefile = @selinux_makefile@
sharedstatedir = @sharedstatedir@
srcdir = @srcdir@
sysconfdir = @sysconfdir@
sysconfenvdir = @sysconfenvdir@
systemdsystemunitdir = @systemdsystemunitdir@
systemdtmpfilesdir = @systemdtmpfilesdir@
target_alias = @target_alias@
top_build_prefix = @top_build_prefix@
top_builddir = @top_builddir@
@@ -287,42 +451,88 @@ SUBDIRS = \
man \
$(NULL)
sbin_SCRIPTS = \
dist_noinst_DATA = \
ipa-ca-install.in \
ipa-dns-install.in \
ipa-kra-install.in \
ipa-server-install.in \
ipa-adtrust-install.in \
ipa-replica-conncheck.in \
ipa-replica-install.in \
ipa-replica-manage.in \
ipa-csreplica-manage.in \
ipa-server-certinstall.in \
ipa-server-upgrade.in \
ipactl.in \
ipa-compat-manage.in \
ipa-nis-manage.in \
ipa-managed-entries.in \
ipa-ldap-updater.in \
ipa-otptoken-import.in \
ipa-backup.in \
ipa-restore.in \
ipa-advise.in \
ipa-cacert-manage.in \
ipa-winsync-migrate.in \
ipa-pkinit-manage.in \
ipa-crlgen-manage.in \
ipa-cert-fix.in \
ipa-custodia.in \
ipa-custodia-check.in \
ipa-httpd-kdcproxy.in \
ipa-httpd-pwdreader.in \
ipa-pki-retrieve-key.in \
ipa-pki-wait-running.in \
$(NULL)
nodist_sbin_SCRIPTS = \
ipa-ca-install \
ipa-dns-install \
ipa-kra-install \
ipa-server-install \
ipa-adtrust-install \
ipa-replica-conncheck \
ipa-replica-install \
ipa-replica-prepare \
ipa-replica-manage \
ipa-csreplica-manage \
ipa-server-certinstall \
ipa-server-upgrade \
ipactl \
ipa-compat-manage \
ipa-nis-manage \
ipa-managed-entries \
ipa-ldap-updater \
ipa-otptoken-import \
ipa-upgradeconfig \
ipa-backup \
ipa-restore \
ipa-advise \
ipa-cacert-manage \
ipa-winsync-migrate \
ipa-pkinit-manage \
ipa-crlgen-manage \
ipa-cert-fix \
$(NULL)
EXTRA_DIST = \
README \
$(sbin_SCRIPTS) \
appdir = $(libexecdir)/ipa/
nodist_app_SCRIPTS = \
ipa-custodia \
ipa-custodia-check \
ipa-httpd-kdcproxy \
ipa-httpd-pwdreader \
ipa-pki-retrieve-key \
ipa-pki-wait-running \
$(NULL)
MAINTAINERCLEANFILES = \
*~ \
Makefile.in
PYTHON_SHEBANG = \
$(nodist_sbin_SCRIPTS) \
$(nodist_app_SCRIPTS) \
$(NULL)
CLEANFILES = $(PYTHON_SHEBANG)
all: all-recursive
.SUFFIXES:
$(srcdir)/Makefile.in: @MAINTAINER_MODE_TRUE@ $(srcdir)/Makefile.am $(am__configure_deps)
$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(top_srcdir)/Makefile.pythonscripts.am $(am__configure_deps)
@for dep in $?; do \
case '$(am__configure_deps)' in \
*$$dep*) \
@@ -331,30 +541,65 @@ $(srcdir)/Makefile.in: @MAINTAINER_MODE_TRUE@ $(srcdir)/Makefile.am $(am__confi
exit 1;; \
esac; \
done; \
echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign tools/Makefile'; \
echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign install/tools/Makefile'; \
$(am__cd) $(top_srcdir) && \
$(AUTOMAKE) --foreign tools/Makefile
.PRECIOUS: Makefile
$(AUTOMAKE) --foreign install/tools/Makefile
Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
@case '$?' in \
*config.status*) \
cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
*) \
echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__maybe_remake_depfiles)'; \
cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__maybe_remake_depfiles);; \
esac;
$(top_srcdir)/Makefile.pythonscripts.am $(am__empty):
$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
$(top_srcdir)/configure: @MAINTAINER_MODE_TRUE@ $(am__configure_deps)
$(top_srcdir)/configure: $(am__configure_deps)
cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
$(ACLOCAL_M4): @MAINTAINER_MODE_TRUE@ $(am__aclocal_m4_deps)
$(ACLOCAL_M4): $(am__aclocal_m4_deps)
cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
$(am__aclocal_m4_deps):
install-sbinSCRIPTS: $(sbin_SCRIPTS)
install-nodist_appSCRIPTS: $(nodist_app_SCRIPTS)
@$(NORMAL_INSTALL)
@list='$(sbin_SCRIPTS)'; test -n "$(sbindir)" || list=; \
@list='$(nodist_app_SCRIPTS)'; test -n "$(appdir)" || list=; \
if test -n "$$list"; then \
echo " $(MKDIR_P) '$(DESTDIR)$(appdir)'"; \
$(MKDIR_P) "$(DESTDIR)$(appdir)" || exit 1; \
fi; \
for p in $$list; do \
if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \
if test -f "$$d$$p"; then echo "$$d$$p"; echo "$$p"; else :; fi; \
done | \
sed -e 'p;s,.*/,,;n' \
-e 'h;s|.*|.|' \
-e 'p;x;s,.*/,,;$(transform)' | sed 'N;N;N;s,\n, ,g' | \
$(AWK) 'BEGIN { files["."] = ""; dirs["."] = 1; } \
{ d=$$3; if (dirs[d] != 1) { print "d", d; dirs[d] = 1 } \
if ($$2 == $$4) { files[d] = files[d] " " $$1; \
if (++n[d] == $(am__install_max)) { \
print "f", d, files[d]; n[d] = 0; files[d] = "" } } \
else { print "f", d "/" $$4, $$1 } } \
END { for (d in files) print "f", d, files[d] }' | \
while read type dir files; do \
if test "$$dir" = .; then dir=; else dir=/$$dir; fi; \
test -z "$$files" || { \
echo " $(INSTALL_SCRIPT) $$files '$(DESTDIR)$(appdir)$$dir'"; \
$(INSTALL_SCRIPT) $$files "$(DESTDIR)$(appdir)$$dir" || exit $$?; \
} \
; done
uninstall-nodist_appSCRIPTS:
@$(NORMAL_UNINSTALL)
@list='$(nodist_app_SCRIPTS)'; test -n "$(appdir)" || exit 0; \
files=`for p in $$list; do echo "$$p"; done | \
sed -e 's,.*/,,;$(transform)'`; \
dir='$(DESTDIR)$(appdir)'; $(am__uninstall_files_from_dir)
install-nodist_sbinSCRIPTS: $(nodist_sbin_SCRIPTS)
@$(NORMAL_INSTALL)
@list='$(nodist_sbin_SCRIPTS)'; test -n "$(sbindir)" || list=; \
if test -n "$$list"; then \
echo " $(MKDIR_P) '$(DESTDIR)$(sbindir)'"; \
$(MKDIR_P) "$(DESTDIR)$(sbindir)" || exit 1; \
@@ -381,13 +626,19 @@ install-sbinSCRIPTS: $(sbin_SCRIPTS)
} \
; done
uninstall-sbinSCRIPTS:
uninstall-nodist_sbinSCRIPTS:
@$(NORMAL_UNINSTALL)
@list='$(sbin_SCRIPTS)'; test -n "$(sbindir)" || exit 0; \
@list='$(nodist_sbin_SCRIPTS)'; test -n "$(sbindir)" || exit 0; \
files=`for p in $$list; do echo "$$p"; done | \
sed -e 's,.*/,,;$(transform)'`; \
dir='$(DESTDIR)$(sbindir)'; $(am__uninstall_files_from_dir)
mostlyclean-libtool:
-rm -f *.lo
clean-libtool:
-rm -rf .libs _libs
# This directory's subdirectories are mostly independent; you can cd
# into them and run 'make' without going through this Makefile.
# To change the values of 'make' variables: instead of editing Makefiles,
@@ -487,7 +738,10 @@ cscopelist-am: $(am__tagged_files)
distclean-tags:
-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
distdir: $(DISTFILES)
distdir: $(BUILT_SOURCES)
$(MAKE) $(AM_MAKEFLAGS) distdir-am
distdir-am: $(DISTFILES)
@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
list='$(DISTFILES)'; \
@@ -544,10 +798,10 @@ distdir: $(DISTFILES)
done
check-am: all-am
check: check-recursive
all-am: Makefile $(SCRIPTS)
all-am: Makefile $(SCRIPTS) $(DATA)
installdirs: installdirs-recursive
installdirs-am:
for dir in "$(DESTDIR)$(sbindir)"; do \
for dir in "$(DESTDIR)$(appdir)" "$(DESTDIR)$(sbindir)"; do \
test -z "$$dir" || $(MKDIR_P) "$$dir"; \
done
install: install-recursive
@@ -572,6 +826,7 @@ install-strip:
mostlyclean-generic:
clean-generic:
-test -z "$(CLEANFILES)" || rm -f $(CLEANFILES)
distclean-generic:
-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
@@ -580,10 +835,9 @@ distclean-generic:
maintainer-clean-generic:
@echo "This command is intended for maintainers to use"
@echo "it deletes files that may require special tools to rebuild."
-test -z "$(MAINTAINERCLEANFILES)" || rm -f $(MAINTAINERCLEANFILES)
clean: clean-recursive
clean-am: clean-generic mostlyclean-am
clean-am: clean-generic clean-libtool mostlyclean-am
distclean: distclean-recursive
-rm -f Makefile
@@ -601,13 +855,13 @@ info: info-recursive
info-am:
install-data-am:
install-data-am: install-nodist_appSCRIPTS
install-dvi: install-dvi-recursive
install-dvi-am:
install-exec-am: install-sbinSCRIPTS
install-exec-am: install-nodist_sbinSCRIPTS
install-html: install-html-recursive
@@ -635,7 +889,7 @@ maintainer-clean-am: distclean-am maintainer-clean-generic
mostlyclean: mostlyclean-recursive
mostlyclean-am: mostlyclean-generic
mostlyclean-am: mostlyclean-generic mostlyclean-libtool
pdf: pdf-recursive
@@ -645,23 +899,35 @@ ps: ps-recursive
ps-am:
uninstall-am: uninstall-sbinSCRIPTS
uninstall-am: uninstall-nodist_appSCRIPTS uninstall-nodist_sbinSCRIPTS
.MAKE: $(am__recursive_targets) install-am install-strip
.PHONY: $(am__recursive_targets) CTAGS GTAGS TAGS all all-am check \
check-am clean clean-generic cscopelist-am ctags ctags-am \
distclean distclean-generic distclean-tags distdir dvi dvi-am \
html html-am info info-am install install-am install-data \
install-data-am install-dvi install-dvi-am install-exec \
install-exec-am install-html install-html-am install-info \
install-info-am install-man install-pdf install-pdf-am \
install-ps install-ps-am install-sbinSCRIPTS install-strip \
installcheck installcheck-am installdirs installdirs-am \
maintainer-clean maintainer-clean-generic mostlyclean \
mostlyclean-generic pdf pdf-am ps ps-am tags tags-am uninstall \
uninstall-am uninstall-sbinSCRIPTS
check-am clean clean-generic clean-libtool cscopelist-am ctags \
ctags-am distclean distclean-generic distclean-libtool \
distclean-tags distdir dvi dvi-am html html-am info info-am \
install install-am install-data install-data-am install-dvi \
install-dvi-am install-exec install-exec-am install-html \
install-html-am install-info install-info-am install-man \
install-nodist_appSCRIPTS install-nodist_sbinSCRIPTS \
install-pdf install-pdf-am install-ps install-ps-am \
install-strip installcheck installcheck-am installdirs \
installdirs-am maintainer-clean maintainer-clean-generic \
mostlyclean mostlyclean-generic mostlyclean-libtool pdf pdf-am \
ps ps-am tags tags-am uninstall uninstall-am \
uninstall-nodist_appSCRIPTS uninstall-nodist_sbinSCRIPTS
.PRECIOUS: Makefile
# special handling of Python scripts with auto-generated shebang line
$(PYTHON_SHEBANG):%: %.in Makefile
$(AM_V_GEN)sed -e 's|^#!/usr/bin/python3.*|#!$(PYTHON) -I|g' $< > $@
$(AM_V_GEN)chmod +x $@
.PHONY: python_scripts_sub
python_scripts_sub: $(PYTHON_SHEBANG)
# Tell versions [3.59,3.63) of GNU make to not export all variables.
# Otherwise a system limit (for SysV at least) may be exceeded.

456
install/tools/ipa-adtrust-install
View File

@@ -1,456 +0,0 @@
#! /usr/bin/python2
#
# Authors: Sumit Bose <sbose@redhat.com>
# Based on ipa-server-install by Karl MacMillan <kmacmillan@mentalrootkit.com>
# and ipa-dns-install by Martin Nagy
#
# Copyright (C) 2011 Red Hat
# see file 'COPYING' for use and warranty information
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
from ipaserver.install import adtrustinstance
from ipaserver.install.installutils import *
from ipaserver.install import service
from ipapython import version
from ipapython import ipautil, sysrestore
from ipalib import api, errors, util
from ipapython.config import IPAOptionParser
import krbV
from ipaplatform.paths import paths
from ipapython.ipa_log_manager import *
from ipapython.dn import DN
log_file_name = paths.IPASERVER_INSTALL_LOG
def parse_options():
parser = IPAOptionParser(version=version.VERSION)
parser.add_option("-d", "--debug", dest="debug", action="store_true",
default=False, help="print debugging information")
parser.add_option("--ip-address", dest="ip_address",
type="ip", ip_local=True, help="Master Server IP Address")
parser.add_option("--netbios-name", dest="netbios_name",
help="NetBIOS name of the IPA domain")
parser.add_option("--no-msdcs", dest="no_msdcs", action="store_true",
default=False, help="Do not create DNS service records " \
"for Windows in managed DNS server")
parser.add_option("--rid-base", dest="rid_base", type=int, default=1000,
help="Start value for mapping UIDs and GIDs to RIDs")
parser.add_option("--secondary-rid-base", dest="secondary_rid_base",
type=int, default=100000000,
help="Start value of the secondary range for mapping " \
"UIDs and GIDs to RIDs")
parser.add_option("-U", "--unattended", dest="unattended", action="store_true",
default=False, help="unattended installation never prompts the user")
parser.add_option("-a", "--admin-password",
sensitive=True, dest="admin_password",
help="admin user kerberos password")
parser.add_option("-A", "--admin-name",
sensitive=True, dest="admin_name", default='admin',
help="admin user principal")
parser.add_option("--add-sids", dest="add_sids", action="store_true",
default=False, help="Add SIDs for existing users and" \
" groups as the final step")
parser.add_option("--enable-compat",
dest="enable_compat", default=False, action="store_true",
help="Enable support for trusted domains for old clients")
options, args = parser.parse_args()
safe_options = parser.get_safe_opts(options)
return safe_options, options
def netbios_name_error(name):
print "\nIllegal NetBIOS name [%s].\n" % name
print "Up to 15 characters and only uppercase ASCII letter and digits are allowed."
def read_netbios_name(netbios_default):
netbios_name = ""
print "Enter the NetBIOS name for the IPA domain."
print "Only up to 15 uppercase ASCII letters and digits are allowed."
print "Example: EXAMPLE."
print ""
print ""
if not netbios_default:
netbios_default = "EXAMPLE"
while True:
netbios_name = ipautil.user_input("NetBIOS domain name", netbios_default, allow_empty = False)
print ""
if adtrustinstance.check_netbios_name(netbios_name):
break
netbios_name_error(netbios_name)
return netbios_name
def read_admin_password(admin_name):
print "Configuring cross-realm trusts for IPA server requires password for user '%s'." % (admin_name)
print "This user is a regular system account used for IPA server administration."
print ""
admin_password = read_password(admin_name, confirm=False, validate=None)
return admin_password
def set_and_check_netbios_name(netbios_name, unattended):
"""
Depending if trust in already configured or not a given NetBIOS domain
name must be handled differently.
If trust is not configured the given NetBIOS is used or the NetBIOS is
generated if none was given on the command line.
If trust is already configured the given NetBIOS name is used to reset
the stored NetBIOS name it it differs from the current one.
"""
flat_name_attr = 'ipantflatname'
cur_netbios_name = None
gen_netbios_name = None
reset_netbios_name = False
entry = None
try:
entry = api.Backend.ldap2.get_entry(
DN(('cn', api.env.domain), api.env.container_cifsdomains,
ipautil.realm_to_suffix(api.env.realm)),
[flat_name_attr])
except errors.NotFound:
# trust not configured
pass
else:
cur_netbios_name = entry.get(flat_name_attr)[0]
if cur_netbios_name and not netbios_name:
# keep the current NetBIOS name
netbios_name = cur_netbios_name
reset_netbios_name = False
elif cur_netbios_name and cur_netbios_name != netbios_name:
# change the NetBIOS name
print "Current NetBIOS domain name is %s, new name is %s.\n" % \
(cur_netbios_name, netbios_name)
print "Please note that changing the NetBIOS name might " \
"break existing trust relationships."
if unattended:
reset_netbios_name = True
print "NetBIOS domain name will be changed to %s.\n" % \
netbios_name
else:
print "Say 'yes' if the NetBIOS shall be changed and " \
"'no' if the old one shall be kept."
reset_netbios_name = ipautil.user_input(
'Do you want to reset the NetBIOS domain name?',
default = False, allow_empty = False)
if not reset_netbios_name:
netbios_name = cur_netbios_name
elif cur_netbios_name and cur_netbios_name == netbios_name:
# keep the current NetBIOS name
reset_netbios_name = False
elif not cur_netbios_name:
if not netbios_name:
gen_netbios_name = adtrustinstance.make_netbios_name(api.env.domain)
if entry is not None:
# Fix existing trust configuration
print "Trust is configured but no NetBIOS domain name found, " \
"setting it now."
reset_netbios_name = True
else:
# initial trust configuration
reset_netbios_name = False
else:
# all possible cases should be covered above
raise Exception('Unexpected state while checking NetBIOS domain name')
if not adtrustinstance.check_netbios_name(netbios_name):
if unattended and not gen_netbios_name:
netbios_name_error(netbios_name)
sys.exit("Aborting installation.")
else:
if netbios_name:
netbios_name_error(netbios_name)
netbios_name = None
if not unattended and not netbios_name:
netbios_name = read_netbios_name(gen_netbios_name)
if unattended and not netbios_name and gen_netbios_name:
netbios_name = gen_netbios_name
return (netbios_name, reset_netbios_name)
def ensure_admin_kinit(admin_name, admin_password):
try:
ipautil.run(['kinit', admin_name], stdin=admin_password+'\n')
except ipautil.CalledProcessError, e:
print "There was error to automatically re-kinit your admin user ticket."
return False
return True
def enable_compat_tree():
print "Do you want to enable support for trusted domains in Schema Compatibility plugin?"
print "This will allow clients older than SSSD 1.9 and non-Linux clients to work with trusted users."
print ""
enable_compat = ipautil.user_input("Enable trusted domains support in slapi-nis?", default = False, allow_empty = False)
print ""
return enable_compat
def main():
safe_options, options = parse_options()
if os.getegid() != 0:
sys.exit("Must be root to setup AD trusts on server")
standard_logging_setup(log_file_name, debug=options.debug, filemode='a')
print "\nThe log file for this installation can be found in %s" % log_file_name
root_logger.debug('%s was invoked with options: %s' % (sys.argv[0], safe_options))
root_logger.debug("missing options might be asked for interactively later\n")
root_logger.debug('IPA version %s' % version.VENDOR_VERSION)
check_server_configuration()
global fstore
fstore = sysrestore.FileStore(paths.SYSRESTORE)
print "=============================================================================="
print "This program will setup components needed to establish trust to AD domains for"
print "the FreeIPA Server."
print ""
print "This includes:"
print " * Configure Samba"
print " * Add trust related objects to FreeIPA LDAP server"
#TODO:
#print " * Add a SID to all users and Posix groups"
print ""
print "To accept the default shown in brackets, press the Enter key."
print ""
# Check if samba packages are installed
if not adtrustinstance.check_inst():
sys.exit("Aborting installation.")
# Initialize the ipalib api
cfg = dict(
in_server=True,
debug=options.debug,
)
api.bootstrap(**cfg)
api.finalize()
# If domain name and realm does not match, IPA server will not be able
# to estabilish trust with Active Directory. Print big fat warning.
realm_not_matching_domain = (api.env.domain.upper() != api.env.realm)
if realm_not_matching_domain:
print("WARNING: Realm name does not match the domain name.\n"
"You will not be able to estabilish trusts with Active "
"Directory unless\nthe realm name of the IPA server matches its "
"domain name.\n\n")
if not options.unattended:
if not ipautil.user_input("Do you wish to continue?",
default = False,
allow_empty = False):
sys.exit("Aborting installation.")
# Check if /etc/samba/smb.conf already exists. In case it was not generated
# by IPA, print a warning that we will break existing configuration.
if adtrustinstance.ipa_smb_conf_exists():
if not options.unattended:
print "IPA generated smb.conf detected."
if not ipautil.user_input("Overwrite smb.conf?",
default = False,
allow_empty = False):
sys.exit("Aborting installation.")
elif os.path.exists(paths.SMB_CONF):
print("WARNING: The smb.conf already exists. Running "
"ipa-adtrust-install will break your existing samba "
"configuration.\n\n")
if not options.unattended:
if not ipautil.user_input("Do you wish to continue?",
default = False,
allow_empty = False):
sys.exit("Aborting installation.")
if not options.unattended and not options.enable_compat:
options.enable_compat = enable_compat_tree()
# Check we have a public IP that is associated with the hostname
ip = None
try:
hostaddr = resolve_host(api.env.host)
if len(hostaddr) > 1:
print >> sys.stderr, "The server hostname resolves to more than one address:"
for addr in hostaddr:
print >> sys.stderr, " %s" % addr
if options.ip_address:
if str(options.ip_address) not in hostaddr:
print >> sys.stderr, "Address passed in --ip-address did not match any resolved"
print >> sys.stderr, "address!"
sys.exit(1)
print "Selected IP address:", str(options.ip_address)
ip = options.ip_address
else:
if options.unattended:
print >> sys.stderr, "Please use --ip-address option to specify the address"
sys.exit(1)
else:
ip = read_ip_address(api.env.host, fstore)
else:
ip = hostaddr and ipautil.CheckedIPAddress(hostaddr[0], match_local=True)
except Exception, e:
print "Error: Invalid IP Address %s: %s" % (ip, e)
print "Aborting installation"
sys.exit(1)
ip_address = str(ip)
root_logger.debug("will use ip_address: %s\n", ip_address)
admin_password = options.admin_password
if not (options.unattended or admin_password):
admin_password = read_admin_password(options.admin_name)
admin_kinited = None
if admin_password:
admin_kinited = ensure_admin_kinit(options.admin_name, admin_password)
if not admin_kinited:
print "Proceeding with credentials that existed before"
try:
ctx = krbV.default_context()
ccache = ctx.default_ccache()
principal = ccache.principal()
except krbV.Krb5Error, e:
sys.exit("Must have Kerberos credentials to setup AD trusts on server")
try:
api.Backend.ldap2.connect(ccache)
except errors.ACIError, e:
sys.exit("Outdated Kerberos credentials. Use kdestroy and kinit to update your ticket")
except errors.DatabaseError, e:
sys.exit("Cannot connect to the LDAP database. Please check if IPA is running")
try:
user = api.Command.user_show(unicode(principal[0]))['result']
group = api.Command.group_show(u'admins')['result']
if not (user['uid'][0] in group['member_user'] and
group['cn'][0] in user['memberof_group']):
raise errors.RequirementError(name='admins group membership')
except errors.RequirementError, e:
sys.exit("Must have administrative privileges to setup AD trusts on server")
except Exception, e:
sys.exit("Unrecognized error during check of admin rights: %s" % (str(e)))
(netbios_name, reset_netbios_name) = \
set_and_check_netbios_name(options.netbios_name,
options.unattended)
if not options.add_sids:
# The filter corresponds to ipa_sidgen_task.c LDAP search filter
filter = '(&(objectclass=ipaobject)(!(objectclass=mepmanagedentry))' \
'(|(objectclass=posixaccount)(objectclass=posixgroup)' \
'(objectclass=ipaidobject))(!(ipantsecurityidentifier=*)))'
base_dn = api.env.basedn
try:
root_logger.debug("Searching for objects with missing SID with "
"filter=%s, base_dn=%s", filter, base_dn)
(entries, truncated) = api.Backend.ldap2.find_entries(filter=filter,
base_dn=base_dn, attrs_list=[''])
except errors.NotFound:
# All objects have SIDs assigned
pass
except (errors.DatabaseError, errors.NetworkError), e:
print "Could not retrieve a list of objects that need a SID identifier assigned:"
print unicode(e)
else:
object_count = len(entries)
if object_count > 0:
print ""
print "WARNING: %d existing users or groups do not have a SID identifier assigned." \
% len(entries)
print "Installer can run a task to have ipa-sidgen Directory Server plugin generate"
print "the SID identifier for all these users. Please note, the in case of a high"
print "number of users and groups, the operation might lead to high replication"
print "traffic and performance degradation. Refer to ipa-adtrust-install(1) man page"
print "for details."
print ""
if options.unattended:
print "Unattended mode was selected, installer will NOT run ipa-sidgen task!"
else:
if ipautil.user_input("Do you want to run the ipa-sidgen task?", default=False,
allow_empty=False):
options.add_sids = True
if not options.unattended:
print ""
print "The following operations may take some minutes to complete."
print "Please wait until the prompt is returned."
print ""
smb = adtrustinstance.ADTRUSTInstance(fstore)
smb.realm = api.env.realm
smb.autobind = service.ENABLED
smb.setup(api.env.host, ip_address, api.env.realm, api.env.domain,
netbios_name, reset_netbios_name,
options.rid_base, options.secondary_rid_base,
options.no_msdcs, options.add_sids,
enable_compat = options.enable_compat)
smb.find_local_id_range()
smb.create_instance()
print """
=============================================================================
Setup complete
You must make sure these network ports are open:
\tTCP Ports:
\t * 138: netbios-dgm
\t * 139: netbios-ssn
\t * 445: microsoft-ds
\tUDP Ports:
\t * 138: netbios-dgm
\t * 139: netbios-ssn
\t * 389: (C)LDAP
\t * 445: microsoft-ds
Additionally you have to make sure the FreeIPA LDAP server is not reachable
by any domain controller in the Active Directory domain by closing down
the following ports for these servers:
\tTCP Ports:
\t * 389, 636: LDAP/LDAPS
You may want to choose to REJECT the network packets instead of DROPing
them to avoid timeouts on the AD domain controllers.
=============================================================================
"""
if admin_password:
admin_kinited = ensure_admin_kinit(options.admin_name, admin_password)
if not admin_kinited:
print """
WARNING: you MUST re-kinit admin user before using 'ipa trust-*' commands
family in order to re-generate Kerberos tickets to include AD-specific
information"""
return 0
if __name__ == '__main__':
run_script(main, log_file_name=log_file_name,
operation_name='ipa-adtrust-install')

264
install/tools/ipa-adtrust-install.in Normal file
View File

@@ -0,0 +1,264 @@
#!/usr/bin/python3
#
# Authors: Sumit Bose <sbose@redhat.com>
# Based on ipa-server-install by Karl MacMillan <kmacmillan@mentalrootkit.com>
# and ipa-dns-install by Martin Nagy
#
# Copyright (C) 2011 Red Hat
# see file 'COPYING' for use and warranty information
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
from __future__ import print_function
import logging
import os
import sys
import six
from optparse import SUPPRESS_HELP # pylint: disable=deprecated-module
from ipalib.install import sysrestore
from ipaserver.install import adtrust, service
from ipaserver.install.installutils import (
read_password,
check_server_configuration,
run_script)
from ipapython.admintool import ScriptError
from ipapython import version
from ipapython import ipautil
from ipalib import api, errors, krb_utils
from ipapython.config import IPAOptionParser
from ipaplatform.paths import paths
from ipapython.ipa_log_manager import standard_logging_setup
if six.PY3:
unicode = str
logger = logging.getLogger(os.path.basename(__file__))
log_file_name = paths.IPASERVER_INSTALL_LOG
def parse_options():
parser = IPAOptionParser(version=version.VERSION)
parser.add_option("-d", "--debug", dest="debug", action="store_true",
default=False, help="print debugging information")
parser.add_option("--netbios-name", dest="netbios_name",
help="NetBIOS name of the IPA domain")
# no-msdcs has not effect, option is here just for backward compatibility
parser.add_option("--no-msdcs", dest="no_msdcs", action="store_true",
default=False, help=SUPPRESS_HELP)
parser.add_option("--rid-base", dest="rid_base", type=int, default=1000,
help="Start value for mapping UIDs and GIDs to RIDs")
parser.add_option("--secondary-rid-base", dest="secondary_rid_base",
type=int, default=100000000,
help="Start value of the secondary range for mapping "
"UIDs and GIDs to RIDs")
parser.add_option("-U", "--unattended", dest="unattended",
action="store_true",
default=False,
help="unattended installation never prompts the user")
parser.add_option("-a", "--admin-password",
sensitive=True, dest="admin_password",
help="admin user kerberos password")
parser.add_option("-A", "--admin-name",
sensitive=True, dest="admin_name", default='admin',
help="admin user principal")
parser.add_option("--add-sids", dest="add_sids", action="store_true",
default=False, help="Add SIDs for existing users and"
" groups as the final step")
parser.add_option("--add-agents", dest="add_agents", action="store_true",
default=False,
help="Add IPA masters to a list of hosts allowed to "
"serve information about users from trusted forests")
parser.add_option("--enable-compat",
dest="enable_compat", default=False, action="store_true",
help="Enable support for trusted domains for old "
"clients")
options, _args = parser.parse_args()
safe_options = parser.get_safe_opts(options)
return safe_options, options
def read_admin_password(admin_name):
print("Configuring cross-realm trusts for IPA server requires password "
"for user '%s'." % (admin_name))
print("This user is a regular system account used for IPA server "
"administration.")
print("")
admin_password = read_password(admin_name, confirm=False, validate=None)
return admin_password
def ensure_admin_kinit(admin_name, admin_password):
try:
ipautil.run([paths.KINIT, admin_name], stdin=admin_password+'\n')
except ipautil.CalledProcessError:
print("There was error to automatically re-kinit your admin user "
"ticket.")
return False
return True
def main():
safe_options, options = parse_options()
if os.getegid() != 0:
raise ScriptError("Must be root to setup AD trusts on server")
standard_logging_setup(log_file_name, debug=options.debug, filemode='a')
print("\nThe log file for this installation can be found in %s"
% log_file_name)
logger.debug('%s was invoked with options: %s', sys.argv[0], safe_options)
logger.debug(
"missing options might be asked for interactively later\n")
logger.debug('IPA version %s', version.VENDOR_VERSION)
check_server_configuration()
fstore = sysrestore.FileStore(paths.SYSRESTORE)
print("================================================================"
"==============")
print("This program will setup components needed to establish trust to "
"AD domains for")
print("the FreeIPA Server.")
print("")
print("This includes:")
print(" * Configure Samba")
print(" * Add trust related objects to FreeIPA LDAP server")
# TODO:
# print " * Add a SID to all users and Posix groups"
print("")
print("To accept the default shown in brackets, press the Enter key.")
print("")
# Check if samba packages are installed
# the same check is in the adtrust module but we must fail first if the
# package is missing
adtrust.check_for_installed_deps()
# Initialize the ipalib api
api.bootstrap(
in_server=True,
debug=options.debug,
context='install',
confdir=paths.ETC_IPA
)
api.finalize()
admin_password = options.admin_password
if not (options.unattended or admin_password):
admin_password = read_admin_password(options.admin_name)
admin_kinited = None
if admin_password:
admin_kinited = ensure_admin_kinit(options.admin_name, admin_password)
if not admin_kinited:
print("Proceeding with credentials that existed before")
try:
principal = krb_utils.get_principal()
except errors.CCacheError as e:
raise ScriptError(
"Must have Kerberos credentials to setup AD trusts on server: "
"{err}".format(err=e))
try:
api.Backend.ldap2.connect()
except errors.ACIError:
raise ScriptError(
"Outdated Kerberos credentials. "
"Use kdestroy and kinit to update your ticket")
except errors.DatabaseError:
raise ScriptError(
"Cannot connect to the LDAP database. Please check if IPA "
"is running")
try:
user = api.Command.user_show(
principal.partition('@')[0].partition('/')[0])['result']
group = api.Command.group_show(u'admins')['result']
if not (user['uid'][0] in group['member_user'] and
group['cn'][0] in user['memberof_group']):
raise errors.RequirementError(name='admins group membership')
except errors.RequirementError as e:
raise ScriptError(
"Must have administrative privileges to setup AD trusts on server"
)
except Exception as e:
raise ScriptError(
"Unrecognized error during check of admin rights: %s" % e)
adtrust.install_check(True, options, api)
adtrust.install(True, options, fstore, api)
# Enable configured services and update DNS SRV records
service.sync_services_state(api.env.host)
dns_help = adtrust.generate_dns_service_records_help(api)
if dns_help:
for line in dns_help:
service.print_msg(line, sys.stdout)
else:
api.Command.dns_update_system_records()
print("""
=============================================================================
Setup complete
You must make sure these network ports are open:
\tTCP Ports:
\t * 135: epmap
\t * 138: netbios-dgm
\t * 139: netbios-ssn
\t * 445: microsoft-ds
\t * 1024..1300: epmap listener range
\t * 3268: msft-gc
\tUDP Ports:
\t * 138: netbios-dgm
\t * 139: netbios-ssn
\t * 389: (C)LDAP
\t * 445: microsoft-ds
See the ipa-adtrust-install(1) man page for more details
=============================================================================
""")
if admin_password:
admin_kinited = ensure_admin_kinit(options.admin_name, admin_password)
if not admin_kinited:
print("""
WARNING: you MUST re-kinit admin user before using 'ipa trust-*' commands
family in order to re-generate Kerberos tickets to include AD-specific
information""")
api.Backend.ldap2.disconnect()
return 0
if __name__ == '__main__':
run_script(
main,
log_file_name=log_file_name,
operation_name='ipa-adtrust-install')

2
install/tools/ipa-advise → install/tools/ipa-advise.in Executable file → Normal file
View File

@@ -1,4 +1,4 @@
#! /usr/bin/python2 -E
#!/usr/bin/python3
# Authors: Tomas Babej <tbabej@redhat.com>
#
# Copyright (C) 2013 Red Hat

2
install/tools/ipa-backup → install/tools/ipa-backup.in Executable file → Normal file
View File

@@ -1,4 +1,4 @@
#! /usr/bin/python2 -E
#!/usr/bin/python3
# Authors: Rob Crittenden <rcritten@redhat.com>
#
# Copyright (C) 2013 Red Hat

231
install/tools/ipa-ca-install
View File

@@ -1,231 +0,0 @@
#! /usr/bin/python2 -E
# Authors: Rob Crittenden <rcritten@redhat.com>
#
# Copyright (C) 2011 Red Hat
# see file 'COPYING' for use and warranty information
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
import sys
import socket
import os, shutil
from ipapython import ipautil
from ipaserver.install import installutils, service
from ipaserver.install import certs
from ipaserver.install.installutils import (HostnameLocalhost, ReplicaConfig,
expand_replica_info, read_replica_info, get_host_name, BadHostError,
private_ccache, read_replica_info_dogtag_port)
from ipaserver.install import dsinstance, cainstance, bindinstance
from ipaserver.install.replication import replica_conn_check
from ipapython import version
from ipalib import api, util
from ipapython.dn import DN
from ipapython.config import IPAOptionParser
from ipapython import sysrestore
from ipapython import dogtag
from ipapython.ipa_log_manager import *
from ipaplatform import services
from ipaplatform.paths import paths
log_file_name = paths.IPAREPLICA_CA_INSTALL_LOG
REPLICA_INFO_TOP_DIR = None
def parse_options():
usage = "%prog [options] REPLICA_FILE"
parser = IPAOptionParser(usage=usage, version=version.VERSION)
parser.add_option("-d", "--debug", dest="debug", action="store_true",
default=False, help="gather extra debugging information")
parser.add_option("-p", "--password", dest="password", sensitive=True,
help="Directory Manager (existing master) password")
parser.add_option("-w", "--admin-password", dest="admin_password", sensitive=True,
help="Admin user Kerberos password used for connection check")
parser.add_option("--no-host-dns", dest="no_host_dns", action="store_true",
default=False,
help="Do not use DNS for hostname lookup during installation")
parser.add_option("--skip-conncheck", dest="skip_conncheck", action="store_true",
default=False, help="skip connection check to remote master")
parser.add_option("--skip-schema-check", dest="skip_schema_check", action="store_true",
default=False, help="skip check for updated CA DS schema on the remote master")
parser.add_option("-U", "--unattended", dest="unattended", action="store_true",
default=False, help="unattended installation never prompts the user")
options, args = parser.parse_args()
safe_options = parser.get_safe_opts(options)
if len(args) != 1:
parser.error("you must provide a file generated by ipa-replica-prepare")
return safe_options, options, args[0]
def get_dirman_password():
return installutils.read_password("Directory Manager (existing master)", confirm=False, validate=False)
def check_ca():
if not cainstance.check_port():
print "IPA requires port 8443 for PKI but it is currently in use."
sys.exit(1)
def install_dns_records(config, options):
if not bindinstance.dns_container_exists(config.master_host_name,
ipautil.realm_to_suffix(config.realm_name),
dm_password=config.dirman_password):
return
bind = bindinstance.BindInstance(dm_password=config.dirman_password)
try:
api.Backend.ldap2.connect(bind_dn=DN(('cn', 'Directory Manager')),
bind_pw=config.dirman_password)
bind.add_ipa_ca_dns_records(config.host_name, config.domain_name)
finally:
if api.Backend.ldap2.isconnected():
api.Backend.ldap2.disconnect()
def main():
safe_options, options, filename = parse_options()
if os.geteuid() != 0:
sys.exit("\nYou must be root to run this script.\n")
standard_logging_setup(log_file_name, debug=options.debug)
root_logger.debug('%s was invoked with argument "%s" and options: %s' % (sys.argv[0], filename, safe_options))
root_logger.debug('IPA version %s' % version.VENDOR_VERSION)
if not ipautil.file_exists(filename):
sys.exit("Replica file %s does not exist" % filename)
global sstore
sstore = sysrestore.StateFile(paths.SYSRESTORE)
if not dsinstance.DsInstance().is_configured():
sys.exit("IPA server is not configured on this system.\n")
api.bootstrap(in_server=True)
api.finalize()
if api.env.ra_plugin == 'selfsign':
sys.exit('A selfsign CA can not be added')
# get the directory manager password
dirman_password = options.password
if not dirman_password:
if options.unattended:
sys.exit('Directory Manager password required')
try:
dirman_password = get_dirman_password()
except KeyboardInterrupt:
sys.exit(0)
if dirman_password is None:
sys.exit("Directory Manager password required")
if not options.admin_password and not options.skip_conncheck and \
options.unattended:
sys.exit('admin password required')
try:
top_dir, dir = expand_replica_info(filename, dirman_password)
global REPLICA_INFO_TOP_DIR
REPLICA_INFO_TOP_DIR = top_dir
except Exception, e:
print "ERROR: Failed to decrypt or open the replica file."
print "Verify you entered the correct Directory Manager password."
sys.exit(1)
config = ReplicaConfig()
read_replica_info(dir, config)
config.dirman_password = dirman_password
try:
host = get_host_name(options.no_host_dns)
except BadHostError, e:
root_logger.error(str(e))
sys.exit(1)
if config.host_name != host:
try:
print "This replica was created for '%s' but this machine is named '%s'" % (config.host_name, host)
if not ipautil.user_input("This may cause problems. Continue?", True):
sys.exit(0)
config.host_name = host
print ""
except KeyboardInterrupt:
sys.exit(0)
config.dir = dir
config.setup_ca = True
config.ca_ds_port = read_replica_info_dogtag_port(config.dir)
if not ipautil.file_exists(config.dir + "/cacert.p12"):
print 'CA cannot be installed in CA-less setup.'
sys.exit(1)
if not options.skip_conncheck:
replica_conn_check(
config.master_host_name, config.host_name, config.realm_name, True,
config.ca_ds_port, options.admin_password)
if options.skip_schema_check:
root_logger.info("Skipping CA DS schema check")
else:
cainstance.replica_ca_install_check(config)
check_ca()
# Configure the CA if necessary
CA = cainstance.install_replica_ca(config, postinstall=True)
# We need to ldap_enable the CA now that DS is up and running
CA.ldap_enable('CA', config.host_name, config.dirman_password,
ipautil.realm_to_suffix(config.realm_name))
# This is done within stopped_service context, which restarts CA
CA.enable_client_auth_to_db()
# Install CA DNS records
install_dns_records(config, options)
# We need to restart apache as we drop a new config file in there
services.knownservices.httpd.restart(capture_output=True)
#update dogtag version in config file
try:
fd = open(paths.IPA_DEFAULT_CONF, "a")
fd.write(
"dogtag_version=%s\n" % dogtag.install_constants.DOGTAG_VERSION)
fd.close()
except IOError, e:
print "Failed to update /etc/ipa/default.conf"
root_logger.error(str(e))
sys.exit(1)
fail_message = '''
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
'''
if __name__ == '__main__':
try:
with private_ccache():
installutils.run_script(main, log_file_name=log_file_name,
operation_name='ipa-ca-install',
fail_message=fail_message)
finally:
# always try to remove decrypted replica file
try:
if REPLICA_INFO_TOP_DIR:
shutil.rmtree(REPLICA_INFO_TOP_DIR)
except OSError:
pass

339
install/tools/ipa-ca-install.in Normal file
View File

@@ -0,0 +1,339 @@
#!/usr/bin/python3
# Authors: Rob Crittenden <rcritten@redhat.com>
#
# Copyright (C) 2011 Red Hat
# see file 'COPYING' for use and warranty information
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
from __future__ import print_function
import logging
import sys
import os
import shutil
import tempfile
from ipalib.install.kinit import kinit_keytab
from ipapython import ipautil
from ipaclient.install import ipa_certupdate
from ipaserver.install import installutils
from ipaserver.install.installutils import check_creds, ReplicaConfig
from ipaserver.install import dsinstance, ca
from ipaserver.install import cainstance, service
from ipaserver.install import custodiainstance
from ipaserver.masters import find_providing_server
from ipapython import version
from ipalib import api, x509
from ipalib.constants import DOMAIN_LEVEL_1
from ipapython.config import IPAOptionParser
from ipapython.ipa_log_manager import standard_logging_setup
from ipaplatform.paths import paths
logger = logging.getLogger(os.path.basename(__file__))
log_file_name = paths.IPAREPLICA_CA_INSTALL_LOG
REPLICA_INFO_TOP_DIR = None
def parse_options():
usage = "%prog [options]"
parser = IPAOptionParser(usage=usage, version=version.VERSION)
parser.add_option("-d", "--debug", dest="debug", action="store_true",
default=False, help="gather extra debugging information")
parser.add_option("-p", "--password", dest="password", sensitive=True,
help="Directory Manager (existing master) password")
parser.add_option("-w", "--admin-password", dest="admin_password", sensitive=True,
help="Admin user Kerberos password used for connection check")
parser.add_option("--no-host-dns", dest="no_host_dns", action="store_true",
default=False,
help="Do not use DNS for hostname lookup during installation")
parser.add_option("--skip-conncheck", dest="skip_conncheck", action="store_true",
default=False, help="skip connection check to remote master")
parser.add_option("--skip-schema-check", dest="skip_schema_check", action="store_true",
default=False, help="skip check for updated CA DS schema on the remote master")
parser.add_option("-U", "--unattended", dest="unattended", action="store_true",
default=False, help="unattended installation never prompts the user")
parser.add_option("--external-ca", dest="external_ca", action="store_true",
default=False, help="Generate a CSR to be signed by an external CA")
ext_cas = tuple(x.value for x in x509.ExternalCAType)
parser.add_option("--external-ca-type", dest="external_ca_type",
type="choice", choices=ext_cas,
metavar="{{{0}}}".format(",".join(ext_cas)),
help="Type of the external CA. Default: generic")
parser.add_option("--external-ca-profile", dest="external_ca_profile",
type='constructor', constructor=x509.ExternalCAProfile,
default=None, metavar="PROFILE-SPEC",
help="Specify the certificate profile/template to use "
"at the external CA")
parser.add_option("--external-cert-file", dest="external_cert_files",
action="append", metavar="FILE",
help="File containing the IPA CA certificate and the external CA certificate chain")
ca_algos = ('SHA1withRSA', 'SHA256withRSA', 'SHA512withRSA')
parser.add_option("--ca-signing-algorithm", dest="ca_signing_algorithm",
type="choice", choices=ca_algos,
metavar="{{{0}}}".format(",".join(ca_algos)),
help="Signing algorithm of the IPA CA certificate")
parser.add_option("-P", "--principal", dest="principal", sensitive=True,
default=None, help="User allowed to manage replicas")
parser.add_option("--subject-base", dest="subject_base",
default=None,
help=(
"The certificate subject base "
"(default O=<realm-name>). "
"RDNs are in LDAP order (most specific RDN first)."))
parser.add_option("--ca-subject", dest="ca_subject",
default=None,
help=(
"The CA certificate subject DN "
"(default CN=Certificate Authority,O=<realm-name>). "
"RDNs are in LDAP order (most specific RDN first)."))
parser.add_option("--pki-config-override", dest="pki_config_override",
default=None,
help="Path to ini file with config overrides.")
options, args = parser.parse_args()
safe_options = parser.get_safe_opts(options)
if args:
parser.error("Too many arguments provided")
if options.external_ca:
if options.external_cert_files:
parser.error("You cannot specify --external-cert-file "
"together with --external-ca")
if options.external_ca_type and not options.external_ca:
parser.error(
"You cannot specify --external-ca-type without --external-ca")
if options.external_ca_profile and not options.external_ca:
parser.error(
"You cannot specify --external-ca-profile "
"without --external-ca")
return safe_options, options
def _get_dirman_password(password=None, unattended=False):
# sys.exit() is used on purpose, because otherwise user is advised to
# uninstall the component, even though it is not needed
if not password:
if unattended:
sys.exit('Directory Manager password required')
password = installutils.read_password(
"Directory Manager (existing master)", confirm=False,
validate=False)
try:
installutils.validate_dm_password_ldap(password)
except ValueError:
sys.exit("Directory Manager password is invalid")
return password
def install_replica(safe_options, options):
if options.ca_subject:
sys.exit("--ca-subject cannot be used when installing a CA replica")
if options.subject_base:
sys.exit("--subject-base cannot be used when installing a CA replica")
# Check if we have admin creds already, otherwise acquire them
check_creds(options, api.env.realm)
# get the directory manager password
dirman_password = _get_dirman_password(
options.password, options.unattended)
# Run ipa-certupdate to ensure we have the CA cert. This is
# necessary if the admin has just promoted the topology from
# CA-less to CA-ful, and ipa-certupdate has not been run yet.
ipa_certupdate.run_with_args(api)
# CertUpdate restarts DS causing broken pipe on the original
# connection, so reconnect the backend.
api.Backend.ldap2.disconnect()
api.Backend.ldap2.connect()
config = ReplicaConfig()
config.ca_host_name = None
config.realm_name = api.env.realm
config.host_name = api.env.host
config.domain_name = api.env.domain
config.dirman_password = dirman_password
config.ca_ds_port = 389
config.top_dir = tempfile.mkdtemp("ipa")
config.dir = config.top_dir
cafile = paths.IPA_CA_CRT
global REPLICA_INFO_TOP_DIR
REPLICA_INFO_TOP_DIR = config.top_dir
config.setup_ca = True
if config.subject_base is None:
attrs = api.Backend.ldap2.get_ipa_config()
config.subject_base = attrs.get('ipacertificatesubjectbase')[0]
if config.ca_host_name is None:
config.ca_host_name = find_providing_server(
'CA', api.Backend.ldap2, [api.env.ca_host]
)
options.realm_name = config.realm_name
options.domain_name = config.domain_name
options.dm_password = config.dirman_password
options.host_name = config.host_name
options.ca_host_name = config.ca_host_name
if os.path.exists(cafile):
options.ca_cert_file = cafile
else:
options.ca_cert_file = None
ca.install_check(True, config, options)
custodia = custodiainstance.get_custodia_instance(
options, custodiainstance.CustodiaModes.CA_PEER)
ca.install(True, config, options, custodia=custodia)
def install_master(safe_options, options):
dm_password = _get_dirman_password(
options.password, options.unattended)
options.realm_name = api.env.realm
options.domain_name = api.env.domain
options.dm_password = dm_password
options.host_name = api.env.host
if not options.subject_base:
options.subject_base = str(
installutils.default_subject_base(api.env.realm))
if not options.ca_subject:
options.ca_subject = str(
installutils.default_ca_subject_dn(options.subject_base))
try:
ca.subject_validator(ca.VALID_SUBJECT_BASE_ATTRS, options.subject_base)
except ValueError as e:
sys.exit("Subject base: {}".format(e))
try:
ca.subject_validator(ca.VALID_SUBJECT_ATTRS, options.ca_subject)
except ValueError as e:
sys.exit("CA subject: {}".format(e))
ca.install_check(True, None, options)
ca.print_ca_configuration(options)
print()
if not options.unattended:
if not ipautil.user_input(
"Continue to configure the CA with these values?", False):
sys.exit("Installation aborted")
# No CA peer available yet.
custodia = custodiainstance.get_custodia_instance(
options, custodiainstance.CustodiaModes.FIRST_MASTER)
ca.install(True, None, options, custodia=custodia)
# Run ipa-certupdate to add the new CA certificate to
# certificate databases on this server.
logger.info("Updating certificate databases.")
ipa_certupdate.run_with_args(api)
def install(safe_options, options):
with ipautil.private_ccache():
ccache = os.environ['KRB5CCNAME']
kinit_keytab(
'host/{env.host}@{env.realm}'.format(env=api.env),
paths.KRB5_KEYTAB,
ccache)
ca_host = find_providing_server('CA', api.Backend.ldap2)
if ca_host is None:
install_master(safe_options, options)
else:
install_replica(safe_options, options)
def main():
safe_options, options = parse_options()
if os.geteuid() != 0:
sys.exit("\nYou must be root to run this script.\n")
if not dsinstance.DsInstance().is_configured():
sys.exit("IPA server is not configured on this system.\n")
if (not options.external_cert_files and
cainstance.is_ca_installed_locally()):
sys.exit("CA is already installed on this host.")
standard_logging_setup(log_file_name, debug=options.debug)
logger.debug("%s was invoked with options: %s",
sys.argv[0], safe_options)
logger.debug("IPA version %s", version.VENDOR_VERSION)
# override ra_plugin setting read from default.conf so that we have
# functional dogtag backend plugins during CA install
api.bootstrap(
context='install', confdir=paths.ETC_IPA,
in_server=True, ra_plugin='dogtag'
)
api.finalize()
api.Backend.ldap2.connect()
domain_level = dsinstance.get_domain_level(api)
if domain_level < DOMAIN_LEVEL_1:
api.Backend.ldap2.disconnect()
sys.exit("Unsupported domain level %d" % domain_level)
install(safe_options, options)
# pki-spawn restarts 389-DS, reconnect
api.Backend.ldap2.close()
api.Backend.ldap2.connect()
# Enable configured services and update DNS SRV records
service.sync_services_state(api.env.host)
api.Command.dns_update_system_records()
api.Backend.ldap2.disconnect()
# execute ipactl to refresh services status
ipautil.run([paths.IPACTL, 'start', '--ignore-service-failures'],
raiseonerr=False)
fail_message = '''
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
'''
if __name__ == '__main__':
try:
installutils.run_script(main, log_file_name=log_file_name,
operation_name='ipa-ca-install',
fail_message=fail_message)
finally:
# always try to remove decrypted replica file
try:
if REPLICA_INFO_TOP_DIR:
shutil.rmtree(REPLICA_INFO_TOP_DIR)
except OSError:
pass

23
install/tools/ipa-cacert-manage.in Normal file
View File

@@ -0,0 +1,23 @@
#!/usr/bin/python3
# Authors: Jan Cholasta <jcholast@redhat.com>
#
# Copyright (C) 2014 Red Hat
# see file 'COPYING' for use and warranty information
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
from ipaserver.install.ipa_cacert_manage import CACertManage
CACertManage.run_cli()

8
install/tools/ipa-cert-fix.in Normal file
View File

@@ -0,0 +1,8 @@
#!/usr/bin/python3
#
# Copyright (C) 2019 FreeIPA Contributors see COPYING for license
#
from ipaserver.install.ipa_cert_fix import IPACertFix
IPACertFix.run_cli()

202
install/tools/ipa-compat-manage
View File

@@ -1,202 +0,0 @@
#!/usr/bin/python2
# Authors: Rob Crittenden <rcritten@redhat.com>
# Authors: Simo Sorce <ssorce@redhat.com>
#
# Copyright (C) 2008 Red Hat
# see file 'COPYING' for use and warranty information
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
import sys
from ipaplatform.paths import paths
try:
from optparse import OptionParser
from ipapython import ipautil, config
from ipaserver.install import installutils
from ipaserver.install.ldapupdate import LDAPUpdate, BadSyntax
from ipaserver.plugins.ldap2 import ldap2
from ipalib import api, errors
from ipapython.ipa_log_manager import *
from ipapython.dn import DN
except ImportError:
print >> sys.stderr, """\
There was a problem importing one of the required Python modules. The
error was:
%s
""" % sys.exc_value
sys.exit(1)
compat_dn = DN(('cn', 'Schema Compatibility'), ('cn', 'plugins'), ('cn', 'config'))
nis_config_dn = DN(('cn', 'NIS Server'), ('cn', 'plugins'), ('cn', 'config'))
def parse_options():
usage = "%prog [options] <enable|disable>\n"
usage += "%prog [options]\n"
parser = OptionParser(usage=usage, formatter=config.IPAFormatter())
parser.add_option("-d", "--debug", action="store_true", dest="debug",
help="Display debugging information about the update(s)")
parser.add_option("-y", dest="password",
help="File containing the Directory Manager password")
config.add_standard_options(parser)
options, args = parser.parse_args()
config.init_config(options)
return options, args
def get_dirman_password():
"""Prompt the user for the Directory Manager password and verify its
correctness.
"""
password = installutils.read_password("Directory Manager", confirm=False, validate=False)
return password
def get_entry(dn, conn):
"""
Return the entry for the given DN. If the entry is not found return
None.
"""
entry = None
try:
entry = conn.get_entry(dn)
except errors.NotFound:
pass
return entry
def main():
retval = 0
files = [paths.SCHEMA_COMPAT_ULDIF]
options, args = parse_options()
if len(args) != 1:
sys.exit("You must specify one action, either enable or disable")
elif args[0] != "enable" and args[0] != "disable" and args[0] != "status":
sys.exit("Unrecognized action [" + args[0] + "]")
standard_logging_setup(None, debug=options.debug)
dirman_password = ""
if options.password:
pw = ipautil.template_file(options.password, [])
dirman_password = pw.strip()
else:
dirman_password = get_dirman_password()
if dirman_password is None:
sys.exit("Directory Manager password required")
api.bootstrap(context='cli', debug=options.debug)
api.finalize()
conn = None
try:
try:
conn = ldap2(shared_instance=False, base_dn='')
conn.connect(
bind_dn=DN(('cn', 'directory manager')), bind_pw=dirman_password
)
except errors.ExecutionError, lde:
sys.exit("An error occurred while connecting to the server.\n%s\n" % str(lde))
except errors.ACIError, e:
sys.exit("Authentication failed: %s" % e.info)
if args[0] == "status":
entry = None
try:
entry = get_entry(compat_dn, conn)
if entry is not None and entry.get('nsslapd-pluginenabled', [''])[0].lower() == 'on':
print "Plugin Enabled"
else:
print "Plugin Disabled"
except errors.LDAPError, lde:
print "An error occurred while talking to the server."
print lde
if args[0] == "enable":
entry = None
try:
entry = get_entry(compat_dn, conn)
if entry is not None and entry.get('nsslapd-pluginenabled', [''])[0].lower() == 'on':
print "Plugin already Enabled"
retval = 2
else:
print "Enabling plugin"
if entry is None:
ld = LDAPUpdate(dm_password=dirman_password, sub_dict={})
if not ld.update(files):
print "Updating Directory Server failed."
retval = 1
else:
entry['nsslapd-pluginenabled'] = ['on']
conn.update_entry(entry)
except errors.ExecutionError, lde:
print "An error occurred while talking to the server."
print lde
retval = 1
elif args[0] == "disable":
entry = None
try:
entry = get_entry(nis_config_dn, conn)
# We can't disable schema compat if the NIS plugin is enabled
if entry is not None and entry.get('nsslapd-pluginenabled', [''])[0].lower() == 'on':
print >>sys.stderr, "The NIS plugin is configured, cannot disable compatibility."
print >>sys.stderr, "Run 'ipa-nis-manage disable' first."
retval = 2
except errors.ExecutionError, lde:
print "An error occurred while talking to the server."
print lde
retval = 1
if retval == 0:
entry = None
try:
entry = get_entry(compat_dn, conn)
if entry is None or entry.get('nsslapd-pluginenabled', [''])[0].lower() == 'off':
print "Plugin is already disabled"
retval = 2
else:
print "Disabling plugin"
entry['nsslapd-pluginenabled'] = ['off']
conn.update_entry(entry)
except errors.DatabaseError, dbe:
print "An error occurred while talking to the server."
print dbe
retval = 1
except errors.ExecutionError, lde:
print "An error occurred while talking to the server."
print lde
retval = 1
else:
retval = 1
if retval == 0:
print "This setting will not take effect until you restart Directory Server."
finally:
if conn and conn.isconnected():
conn.disconnect()
return retval
if __name__ == '__main__':
installutils.run_script(main, operation_name='ipa-compat-manage')

193
install/tools/ipa-compat-manage.in Normal file
View File

@@ -0,0 +1,193 @@
#!/usr/bin/python3
# Authors: Rob Crittenden <rcritten@redhat.com>
# Authors: Simo Sorce <ssorce@redhat.com>
#
# Copyright (C) 2008-2016 Red Hat, Inc.
# see file 'COPYING' for use and warranty information
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
from __future__ import print_function
import sys
from ipaplatform.paths import paths
try:
from optparse import OptionParser # pylint: disable=deprecated-module
from ipapython import ipautil, config
from ipaserver.install import installutils
from ipaserver.install.ldapupdate import LDAPUpdate
from ipalib import api, errors
from ipapython.ipa_log_manager import standard_logging_setup
from ipapython.dn import DN
except ImportError as e:
print("""\
There was a problem importing one of the required Python modules. The
error was:
%s
""" % e, file=sys.stderr)
sys.exit(1)
compat_dn = DN(('cn', 'Schema Compatibility'), ('cn', 'plugins'), ('cn', 'config'))
nis_config_dn = DN(('cn', 'NIS Server'), ('cn', 'plugins'), ('cn', 'config'))
def parse_options():
usage = "%prog [options] <enable|disable|status>\n"
usage += "%prog [options]\n"
parser = OptionParser(usage=usage, formatter=config.IPAFormatter())
parser.add_option("-d", "--debug", action="store_true", dest="debug",
help="Display debugging information about the update(s)")
parser.add_option("-y", dest="password",
help="File containing the Directory Manager password")
config.add_standard_options(parser)
options, args = parser.parse_args()
return options, args
def get_dirman_password():
"""Prompt the user for the Directory Manager password and verify its
correctness.
"""
password = installutils.read_password("Directory Manager", confirm=False, validate=False)
return password
def get_entry(dn):
"""
Return the entry for the given DN. If the entry is not found return
None.
"""
entry = None
try:
entry = api.Backend.ldap2.get_entry(dn)
except errors.NotFound:
pass
return entry
def main():
retval = 0
files = [paths.SCHEMA_COMPAT_ULDIF]
installutils.check_server_configuration()
options, args = parse_options()
if len(args) != 1:
sys.exit("You must specify one action: enable | disable | status")
elif args[0] != "enable" and args[0] != "disable" and args[0] != "status":
sys.exit("Unrecognized action [" + args[0] + "]")
standard_logging_setup(None, debug=options.debug)
dirman_password = ""
if options.password:
pw = ipautil.template_file(options.password, [])
dirman_password = pw.strip()
else:
dirman_password = get_dirman_password()
if dirman_password is None:
sys.exit("Directory Manager password required")
api.bootstrap(context='cli',
in_server=True,
debug=options.debug,
confdir=paths.ETC_IPA)
api.finalize()
api.Backend.ldap2.connect(bind_pw=dirman_password)
if args[0] == "status":
entry = None
try:
entry = get_entry(compat_dn)
if entry is not None and entry.get('nsslapd-pluginenabled', [''])[0].lower() == 'on':
print("Plugin Enabled")
else:
print("Plugin Disabled")
except errors.LDAPError as lde:
print("An error occurred while talking to the server.")
print(lde)
if args[0] == "enable":
entry = None
try:
entry = get_entry(compat_dn)
if entry is not None and entry.get('nsslapd-pluginenabled', [''])[0].lower() == 'on':
print("Plugin already Enabled")
retval = 2
else:
print("Enabling plugin")
if entry is None:
ld = LDAPUpdate(dm_password=dirman_password, sub_dict={})
if not ld.update(files):
print("Updating Directory Server failed.")
retval = 1
else:
entry['nsslapd-pluginenabled'] = ['on']
api.Backend.ldap2.update_entry(entry)
except errors.ExecutionError as lde:
print("An error occurred while talking to the server.")
print(lde)
retval = 1
elif args[0] == "disable":
entry = None
try:
entry = get_entry(nis_config_dn)
# We can't disable schema compat if the NIS plugin is enabled
if entry is not None and entry.get('nsslapd-pluginenabled', [''])[0].lower() == 'on':
print("The NIS plugin is configured, cannot disable compatibility.", file=sys.stderr)
print("Run 'ipa-nis-manage disable' first.", file=sys.stderr)
retval = 2
except errors.ExecutionError as lde:
print("An error occurred while talking to the server.")
print(lde)
retval = 1
if retval == 0:
entry = None
try:
entry = get_entry(compat_dn)
if entry is None or entry.get('nsslapd-pluginenabled', [''])[0].lower() == 'off':
print("Plugin is already disabled")
retval = 2
else:
print("Disabling plugin")
entry['nsslapd-pluginenabled'] = ['off']
api.Backend.ldap2.update_entry(entry)
except errors.DatabaseError as dbe:
print("An error occurred while talking to the server.")
print(dbe)
retval = 1
except errors.ExecutionError as lde:
print("An error occurred while talking to the server.")
print(lde)
retval = 1
else:
retval = 1
if retval == 0:
print("This setting will not take effect until you restart Directory Server.")
api.Backend.ldap2.disconnect()
return retval
if __name__ == '__main__':
installutils.run_script(main, operation_name='ipa-compat-manage')

8
install/tools/ipa-crlgen-manage.in Normal file
View File

@@ -0,0 +1,8 @@
#!/usr/bin/python3
#
# Copyright (C) 2019 FreeIPA Contributors see COPYING for license
#
from ipaserver.install.ipa_crlgen_manage import CRLGenManage
CRLGenManage.run_cli()

206
install/tools/ipa-csreplica-manage → install/tools/ipa-csreplica-manage.in Executable file → Normal file
View File

@@ -1,4 +1,4 @@
#! /usr/bin/python2 -E
#!/usr/bin/python3
# Authors: Rob Crittenden <rcritten@redhat.com>
#
# Based on ipa-replica-manage by Karl MacMillan <kmacmillan@mentalrootkit.com>
@@ -19,19 +19,24 @@
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
from __future__ import print_function
import logging
import sys
import os
import krbV
from ipapython.ipa_log_manager import *
from ipaplatform.paths import paths
from ipaserver.install import (replication, installutils, bindinstance,
cainstance, certs)
from ipalib import api, errors, util
from ipalib.constants import CACERT
from ipapython import ipautil, ipaldap, version, dogtag
cainstance)
from ipalib import api, errors
from ipalib.util import has_managed_topology
from ipapython import ipautil, ipaldap, version
from ipapython.admintool import ScriptError
from ipapython.dn import DN
logger = logging.getLogger(os.path.basename(__file__))
# dict of command name and tuples of min/max num of args needed
commands = {
"list": (0, 1, "[master fqdn]", ""),
@@ -48,7 +53,7 @@ commands = {
def parse_options():
from optparse import OptionParser
from optparse import OptionParser # pylint: disable=deprecated-module
parser = OptionParser(version=version.VERSION)
parser.add_option("-H", "--host", dest="host", help="starting host")
@@ -65,8 +70,7 @@ def parse_options():
if len(args):
n = len(args) - 1
k = commands.keys()
for cmd in k:
for cmd in commands:
if cmd == args[0]:
v = commands[cmd]
err = None
@@ -91,8 +95,10 @@ def list_replicas(realm, host, replica, dirman_passwd, verbose):
try:
# connect to main IPA LDAP server
conn = ipaldap.IPAdmin(host, 636, cacert=CACERT)
conn.do_simple_bind(bindpw=dirman_passwd)
ldap_uri = ipaldap.get_ldap_uri(host, 636, cacert=paths.IPA_CA_CRT)
conn = ipaldap.LDAPClient(ldap_uri, cacert=paths.IPA_CA_CRT)
conn.simple_bind(bind_dn=ipaldap.DIRMAN_DN,
bind_password=dirman_passwd)
dn = DN(('cn', 'masters'), ('cn', 'ipa'), ('cn', 'etc'), ipautil.realm_to_suffix(realm))
entries = conn.get_entries(dn, conn.SCOPE_ONELEVEL)
@@ -105,7 +111,7 @@ def list_replicas(realm, host, replica, dirman_passwd, verbose):
except errors.NotFound:
peers[ent.single_value['cn']] = ['CA not configured', '']
except Exception, e:
except Exception as e:
sys.exit(
"Failed to get data from '%s' while trying to list replicas: %s" %
(host, e))
@@ -113,31 +119,33 @@ def list_replicas(realm, host, replica, dirman_passwd, verbose):
conn.unbind()
if not replica:
for k, p in peers.iteritems():
print '%s: %s' % (k, p[0])
for k, p in peers.items():
print('%s: %s' % (k, p[0]))
return
try:
repl = replication.get_cs_replication_manager(realm, replica, dirman_passwd)
except Exception, e:
except Exception as e:
sys.exit(str(e))
entries = repl.find_replication_agreements()
for entry in entries:
print '%s' % entry.single_value.get('nsds5replicahost')
print('%s' % entry.single_value.get('nsds5replicahost'))
if verbose:
print " last init status: %s" % entry.single_value.get(
'nsds5replicalastinitstatus')
print " last init ended: %s" % str(
initstatus = entry.single_value.get('nsds5replicalastinitstatus')
if initstatus is not None:
print(" last init status: %s" % initstatus)
print(" last init ended: %s" % str(
ipautil.parse_generalized_time(
entry.single_value['nsds5replicalastinitend'])))
print(" last update status: %s" % entry.single_value.get(
'nsds5replicalastupdatestatus'))
print(" last update ended: %s" % str(
ipautil.parse_generalized_time(
entry.single_value['nsds5replicalastinitend']))
print " last update status: %s" % entry.single_value.get(
'nsds5replicalastupdatestatus')
print " last update ended: %s" % str(
ipautil.parse_generalized_time(
entry.single_value['nsds5replicalastupdateend']))
entry.single_value['nsds5replicalastupdateend'])))
def del_link(realm, replica1, replica2, dirman_passwd, force=False):
@@ -162,9 +170,9 @@ def del_link(realm, replica1, replica2, dirman_passwd, force=False):
repl1.hostnames = [replica1, replica2]
except errors.NetworkError, e:
except errors.NetworkError as e:
sys.exit("Unable to connect to %s: %s" % (replica1, e))
except Exception, e:
except Exception as e:
sys.exit("Failed to get data from '%s': %s" % (replica1, e))
try:
@@ -177,20 +185,20 @@ def del_link(realm, replica1, replica2, dirman_passwd, force=False):
# Now that we've confirmed that both hostnames are vaild, make sure
# that we aren't removing the last link from either side.
if not force and len(repl_list) <= 1:
print "Cannot remove the last replication link of '%s'" % replica2
print "Please use the 'del' command to remove it from the domain"
print("Cannot remove the last replication link of '%s'" % replica2)
print("Please use the 'del' command to remove it from the domain")
sys.exit(1)
if not force and len(repl_list1) <= 1:
print "Cannot remove the last replication link of '%s'" % replica1
print "Please use the 'del' command to remove it from the domain"
print("Cannot remove the last replication link of '%s'" % replica1)
print("Please use the 'del' command to remove it from the domain")
sys.exit(1)
# Find the DN of the replication agreement to remove
replica2_dn = None
for e in repl_list:
if e.single_value.get('nsDS5ReplicaHost') == replica1:
replica2_dn = e.dn
for entry in repl_list:
if entry.single_value.get('nsDS5ReplicaHost') == replica1:
replica2_dn = entry.dn
break
# This should never happen
@@ -198,11 +206,11 @@ def del_link(realm, replica1, replica2, dirman_passwd, force=False):
sys.exit("'%s' has no replication agreement for '%s'" % (replica1, replica2))
except errors.NotFound:
print "'%s' has no replication agreement for '%s'" % (replica2, replica1)
print("'%s' has no replication agreement for '%s'" % (replica2, replica1))
if not force:
return
except Exception, e:
print "Failed to get data from '%s': %s" % (replica2, e)
except Exception as exc:
print("Failed to get data from '%s': %s" % (replica2, exc))
if not force:
sys.exit(1)
@@ -211,35 +219,32 @@ def del_link(realm, replica1, replica2, dirman_passwd, force=False):
try:
repl2.delete_agreement(replica1, replica2_dn)
repl2.delete_referral(replica1, repl1.port)
except Exception, e:
print "Unable to remove agreement on %s: %s" % (replica2, e)
except Exception as exc:
print("Unable to remove agreement on %s: %s" % (replica2, exc))
failed = True
if failed:
if force:
print "Forcing removal on '%s'" % replica1
print("Forcing removal on '%s'" % replica1)
else:
sys.exit(1)
if not repl2 and force:
print "Forcing removal on '%s'" % replica1
print("Forcing removal on '%s'" % replica1)
repl1.delete_agreement(replica2, replica1_dn)
repl1.delete_referral(replica2, repl2.port)
print "Deleted replication agreement from '%s' to '%s'" % (replica1, replica2)
print("Deleted replication agreement from '%s' to '%s'" % (replica1, replica2))
def del_master(realm, hostname, options):
force_del = False
delrepl = None
# 1. Connect to the local dogtag DS server
try:
thisrepl = replication.get_cs_replication_manager(realm, options.host,
options.dirman_passwd)
except Exception, e:
except Exception as e:
sys.exit("Failed to connect to server %s: %s" % (options.host, e))
# 2. Ensure we have an agreement with the master
@@ -250,13 +255,12 @@ def del_master(realm, hostname, options):
try:
delrepl = replication.get_cs_replication_manager(realm, hostname,
options.dirman_passwd)
except Exception, e:
except Exception as e:
if not options.force:
print "Unable to delete replica %s: %s" % (hostname, e)
print("Unable to delete replica %s: %s" % (hostname, e))
sys.exit(1)
else:
print "Unable to connect to replica %s, forcing removal" % hostname
force_del = True
print("Unable to connect to replica %s, forcing removal" % hostname)
# 4. Get list of agreements.
if delrepl is None:
@@ -271,45 +275,44 @@ def del_master(realm, hostname, options):
for r in replica_names:
try:
del_link(realm, r, hostname, options.dirman_passwd, force=True)
except Exception, e:
except Exception as e:
sys.exit("There were issues removing a connection: %s" % e)
# 6. Pick CA renewal master
ca = cainstance.CAInstance(api.env.realm, certs.NSS_DIR)
ca = cainstance.CAInstance(api.env.realm)
if ca.is_renewal_master(hostname):
ca.set_renewal_master(options.host)
# 7. And clean up the removed replica DNS entries if any.
try:
if bindinstance.dns_container_exists(options.host, api.env.basedn,
dm_password=options.dirman_passwd):
api.Backend.ldap2.connect(bind_dn=DN(('cn', 'Directory Manager')),
bind_pw=options.dirman_passwd)
if bindinstance.dns_container_exists(api.env.basedn):
bind = bindinstance.BindInstance()
bind.remove_ipa_ca_dns_records(hostname, realm.lower())
except Exception, e:
print "Failed to cleanup %s DNS entries: %s" % (hostname, e)
print "You may need to manually remove them from the tree"
bind.update_system_records()
except Exception as e:
print("Failed to cleanup %s DNS entries: %s" % (hostname, e))
print("You may need to manually remove them from the tree")
def add_link(realm, replica1, replica2, dirman_passwd, options):
try:
repl2 = replication.get_cs_replication_manager(realm, replica2,
dirman_passwd)
except Exception, e:
except Exception as e:
sys.exit(str(e))
try:
conn = ipaldap.IPAdmin(replica2, 636, cacert=CACERT)
conn.do_simple_bind(bindpw=dirman_passwd)
ldap_uri = ipaldap.get_ldap_uri(replica2, 636, cacert=paths.IPA_CA_CRT)
conn = ipaldap.LDAPClient(ldap_uri, cacert=paths.IPA_CA_CRT)
conn.simple_bind(bind_dn=ipaldap.DIRMAN_DN,
bind_password=dirman_passwd)
dn = DN(('cn', 'CA'), ('cn', replica2), ('cn', 'masters'), ('cn', 'ipa'), ('cn', 'etc'),
ipautil.realm_to_suffix(realm))
conn.get_entries(dn, conn.SCOPE_ONELEVEL)
conn.get_entries(dn, conn.SCOPE_BASE)
conn.unbind()
except errors.NotFound:
sys.exit('%s does not have a CA configured.' % replica2)
except errors.NetworkError, e:
except errors.NetworkError as e:
sys.exit("Unable to connect to %s: %s" % (ipautil.format_netloc(replica2, 636), str(e)))
except Exception, e:
except Exception as e:
sys.exit("Failed to get data while trying to bind to '%s': %s" % (replica1, str(e)))
try:
@@ -323,9 +326,9 @@ def add_link(realm, replica1, replica2, dirman_passwd, options):
except errors.NotFound:
sys.exit("Cannot find replica '%s'" % replica1)
except errors.NetworkError, e:
except errors.NetworkError as e:
sys.exit("Unable to connect to %s: %s" % (replica1, e))
except Exception, e:
except Exception as e:
sys.exit(
"Failed to get data from '%s' while trying to get current "
"agreements: %s" % (replica1, e))
@@ -333,7 +336,7 @@ def add_link(realm, replica1, replica2, dirman_passwd, options):
repl1.setup_replication(
replica2, repl2.port, 0, DN(('cn', 'Directory Manager')),
dirman_passwd, is_cs_replica=True, local_port=repl1.port)
print "Connected '%s' to '%s'" % (replica1, replica2)
print("Connected '%s' to '%s'" % (replica1, replica2))
def re_initialize(realm, options):
@@ -347,7 +350,7 @@ def re_initialize(realm, options):
options.dirman_passwd)
thisrepl = replication.get_cs_replication_manager(realm, thishost,
options.dirman_passwd)
except Exception, e:
except Exception as e:
sys.exit(str(e))
filter = repl.get_agreement_filter(host=thishost)
@@ -355,10 +358,12 @@ def re_initialize(realm, options):
entry = repl.conn.get_entries(
DN(('cn', 'config')), repl.conn.SCOPE_SUBTREE, filter)
except errors.NotFound:
root_logger.error("Unable to find %s -> %s replication agreement" % (options.fromhost, thishost))
logger.error("Unable to find %s -> %s replication agreement",
options.fromhost, thishost)
sys.exit(1)
if len(entry) > 1:
root_logger.error("Found multiple agreements for %s. Only initializing the first one returned: %s" % (thishost, entry[0].dn))
logger.error("Found multiple agreements for %s. Only initializing the "
"first one returned: %s", thishost, entry[0].dn)
repl.hostnames = thisrepl.hostnames = [thishost, options.fromhost]
thisrepl.enable_agreement(options.fromhost)
@@ -373,41 +378,58 @@ def force_sync(realm, thishost, fromhost, dirman_passwd):
repl = replication.get_cs_replication_manager(realm, fromhost,
dirman_passwd)
repl.force_sync(repl.conn, thishost)
except Exception, e:
except Exception as e:
sys.exit(str(e))
def set_renewal_master(realm, replica):
if not replica:
replica = installutils.get_fqdn()
ca = cainstance.CAInstance(realm, certs.NSS_DIR)
ca = cainstance.CAInstance(realm)
if ca.is_renewal_master(replica):
sys.exit("%s is already the renewal master" % replica)
try:
ca.set_renewal_master(replica)
except Exception, e:
except Exception as e:
sys.exit("Failed to set renewal master to %s: %s" % (replica, e))
print "%s is now the renewal master" % replica
print("%s is now the renewal master" % replica)
def exit_on_managed_topology(what, hint="topologysegment"):
if hint == "topologysegment":
hinttext = ("Please use `ipa topologysegment-*` commands to manage "
"the topology.")
elif hint == "ipa-replica-manage-del":
hinttext = ("Please use the `ipa-replica-manage del` command.")
else:
assert False, "Unexpected value"
sys.exit("{0} is deprecated with managed IPA replication topology. {1}"
.format(what, hinttext))
def main():
installutils.check_server_configuration()
options, args = parse_options()
# Just initialize the environment. This is so the installer can have
# access to the plugin environment
api_env = {'in_server' : True,
'verbose' : options.verbose,
}
api_env = {}
if os.getegid() != 0:
api_env['log'] = None # turn off logging for non-root
api.bootstrap(**api_env)
api.bootstrap(
context='cli',
in_server=True,
verbose=options.verbose,
confdir=paths.ETC_IPA,
**api_env
)
api.finalize()
dirman_passwd = None
realm = krbV.default_context().default_realm
realm = api.env.realm
if options.host:
host = options.host
@@ -426,12 +448,18 @@ def main():
options.dirman_passwd = dirman_passwd
api.Backend.ldap2.connect(bind_pw=options.dirman_passwd)
if args[0] == "list":
replica = None
if len(args) == 2:
replica = args[1]
list_replicas(realm, host, replica, dirman_passwd, options.verbose)
elif args[0] == "del":
if has_managed_topology(api):
exit_on_managed_topology(
"Removal of IPA CS replication agreement and replication data",
hint="ipa-replica-manage-del")
del_master(realm, args[1], options)
elif args[0] == "re-initialize":
re_initialize(realm, options)
@@ -440,6 +468,8 @@ def main():
sys.exit("force-sync requires the option --from <host name>")
force_sync(realm, host, options.fromhost, options.dirman_passwd)
elif args[0] == "connect":
if has_managed_topology(api):
exit_on_managed_topology("Creation of IPA CS replication agreement")
if len(args) == 3:
replica1 = args[1]
replica2 = args[2]
@@ -448,6 +478,8 @@ def main():
replica2 = args[1]
add_link(realm, replica1, replica2, dirman_passwd, options)
elif args[0] == "disconnect":
if has_managed_topology(api):
exit_on_managed_topology("Removal of IPA CS replication agreement")
if len(args) == 3:
replica1 = args[1]
replica2 = args[2]
@@ -461,11 +493,13 @@ def main():
replica = args[1]
set_renewal_master(realm, replica)
api.Backend.ldap2.disconnect()
try:
main()
except KeyboardInterrupt:
sys.exit(1)
except SystemExit, e:
except (SystemExit, ScriptError) as e:
sys.exit(e)
except Exception, e:
except Exception as e:
sys.exit("unexpected error: %s" % e)

296
install/tools/ipa-custodia-check.in Normal file
View File

@@ -0,0 +1,296 @@
#!/usr/bin/python3
"""Test client for ipa-custodia
The test script is expected to be executed on an IPA server with existing
Custodia server keys.
"""
from __future__ import print_function
import argparse
import logging
import os
import platform
import socket
import warnings
from custodia.message.kem import KEY_USAGE_SIG, KEY_USAGE_ENC, KEY_USAGE_MAP
from jwcrypto.common import json_decode
from jwcrypto.jwk import JWK
from ipalib import api
from ipalib.facts import is_ipa_configured
from ipaplatform.paths import paths
import ipapython.version
try:
# FreeIPA >= 4.5
from ipaserver.secrets.client import CustodiaClient
except ImportError:
# FreeIPA <= 4.4
from ipapython.secrets.client import CustodiaClient
# Ignore security warning from vendored and non-vendored urllib3
try:
from urllib3.exceptions import SecurityWarning
except ImportError:
SecurityWarning = None
else:
warnings.simplefilter("ignore", SecurityWarning)
try:
from requests.packages.urllib3.exceptions import SecurityWarning
except ImportError:
SecurityWarning = None
else:
warnings.simplefilter("ignore", SecurityWarning)
KEYS = [
'dm/DMHash',
'ra/ipaCert',
'ca/auditSigningCert cert-pki-ca',
'ca/caSigningCert cert-pki-ca',
'ca/ocspSigningCert cert-pki-ca',
'ca/subsystemCert cert-pki-ca',
]
IPA_CUSTODIA_KEYFILE = os.path.join(paths.IPA_CUSTODIA_CONF_DIR,
'server.keys')
logger = logging.getLogger('ipa-custodia-tester')
parser = argparse.ArgumentParser(
"IPA Custodia check",
)
# --store is dangerous and therefore hidden! Don't use it unless you really
# know what you are doing! Keep in mind that it might destroy your NSSDB
# unless it uses sqlite format.
parser.add_argument(
"--store", action='store_true', dest='store',
help=argparse.SUPPRESS
)
parser.add_argument(
"--debug", action='store_true',
help="Debug mode"
)
parser.add_argument(
"--verbose", action='store_true',
help='Verbose mode'
)
parser.add_argument(
"server",
help="FQDN of a IPA server (can be own FQDN for self-test)"
)
parser.add_argument(
'keys', nargs='*', default=KEYS,
help="Remote key ({})".format(', '.join(KEYS))
)
class IPACustodiaTester:
files = [
paths.IPA_DEFAULT_CONF,
paths.KRB5_KEYTAB,
paths.IPA_CUSTODIA_CONF,
IPA_CUSTODIA_KEYFILE
]
def __init__(self, parser, args):
self.parser = parser
self.args = args
if not api.isdone('bootstrap'):
# bootstrap to initialize api.env
api.bootstrap(log=None)
self.debug("IPA API bootstrapped")
self.realm = api.env.realm
self.host = api.env.host
self.host_spn = 'host/{}@{}'.format(self.host, self.realm)
self.server_spn = 'host/{}@{}'.format(self.args.server, self.realm)
self.client = None
self._errors = []
def error(self, msg, fatal=False):
self._errors.append(msg)
logger.error(msg, exc_info=self.args.verbose)
if fatal:
self.exit()
def exit(self):
if self._errors:
self.parser.exit(1, "[ERROR] One or more tests have failed.\n")
else:
self.parser.exit(0, "All tests have passed successfully.\n")
def warning(self, msg):
logger.warning(msg)
def info(self, msg):
logger.info(msg)
def debug(self, msg):
logger.debug(msg)
def check(self):
self.status()
self.check_fqdn()
self.check_files()
self.check_client()
self.check_jwk()
self.check_keys()
def status(self):
self.info("Platform: {}".format(platform.platform()))
self.info("IPA version: {}".format(
ipapython.version.VERSION
))
self.info("IPA vendor version: {}".format(
ipapython.version.VENDOR_VERSION
))
self.info("Realm: {}".format(self.realm))
self.info("Host: {}".format(self.host))
self.info("Remote server: {}".format(self.args.server))
if self.host == self.args.server:
self.warning("Performing self-test only.")
def check_fqdn(self):
fqdn = socket.getfqdn()
if self.host != fqdn:
self.warning(
"socket.getfqdn() reports hostname '{}'".format(fqdn)
)
def check_files(self):
for filename in self.files:
if not os.path.isfile(filename):
self.error("File '{0}' is missing.".format(filename))
else:
self.info("File '{0}' exists.".format(filename))
def check_client(self):
try:
self.client = CustodiaClient(
server=self.args.server,
client_service='host@{}'.format(self.host),
keyfile=IPA_CUSTODIA_KEYFILE,
keytab=paths.KRB5_KEYTAB,
realm=self.realm,
)
except Exception as e:
self.error("Failed to create client: {}".format(e), fatal=True)
else:
self.info("Custodia client created.")
def _check_jwk_single(self, usage_id):
usage = KEY_USAGE_MAP[usage_id]
with open(IPA_CUSTODIA_KEYFILE) as f:
dictkeys = json_decode(f.read())
try:
pkey = JWK(**dictkeys[usage_id])
local_pubkey = json_decode(pkey.export_public())
except Exception:
raise self.error(
"Failed to load and parse local JWK.", fatal=True
)
else:
self.info("Loaded key for usage '{}' from '{}'.".format(
usage, IPA_CUSTODIA_KEYFILE
))
if pkey.key_id != self.host_spn:
raise self.error(
"KID '{}' != host service principal name '{}' "
"(usage: {})".format(pkey.key_id, self.host_spn, usage),
fatal=True
)
else:
self.info(
"JWK KID matches host's service principal name '{}'.".format(
self.host_spn
))
# LDAP doesn't contain KID
local_pubkey.pop("kid", None)
find_key = self.client.ikk.find_key
try:
host_pubkey = json_decode(find_key(self.host_spn, usage_id))
except Exception:
raise self.error(
"Fetching host keys {} (usage: {}) failed.".format(
self.host_spn, usage),
fatal=True
)
else:
self.info("Checked host LDAP keys '{}' for usage {}.".format(
self.host_spn, usage
))
if host_pubkey != local_pubkey:
self.debug("LDAP: '{}'".format(host_pubkey))
self.debug("Local: '{}'".format(local_pubkey))
raise self.error(
"Host key in LDAP does not match local key.",
fatal=True
)
else:
self.info(
"Local key for usage '{}' matches key in LDAP.".format(usage)
)
try:
server_pubkey = json_decode(find_key(self.server_spn, usage_id))
except Exception:
raise self.error(
"Fetching server keys {} (usage: {}) failed.".format(
self.server_spn, usage),
fatal=True
)
else:
self.info("Checked server LDAP keys '{}' for usage {}.".format(
self.server_spn, usage
))
return local_pubkey, host_pubkey, server_pubkey
def check_jwk(self):
self._check_jwk_single(KEY_USAGE_SIG)
self._check_jwk_single(KEY_USAGE_ENC)
def check_keys(self):
for key in self.args.keys:
try:
result = self.client.fetch_key(key, store=self.args.store)
except Exception as e:
self.error("Failed to retrieve key '{}': {}.".format(
key, e
))
else:
self.info("Successfully retrieved '{}'.".format(key))
if not self.args.store:
self.debug(result)
def main():
args = parser.parse_args()
if args.debug:
args.verbose = True
logging.basicConfig(
level=logging.DEBUG if args.debug else logging.INFO,
format='[%(asctime)s %(name)s] <%(levelname)s>: %(message)s',
datefmt='%Y-%m-%dT%H:%M:%S',
)
if not is_ipa_configured():
parser.error("IPA is not configured on this system.\n")
if os.geteuid() != 0:
parser.error("Script must be executed as root.\n")
tester = IPACustodiaTester(parser, args)
tester.check()
tester.exit()
if __name__ == '__main__':
main()

6
install/tools/ipa-custodia.in Normal file
View File

@@ -0,0 +1,6 @@
#!/usr/bin/python3
# Copyright (C) 2017 IPA Project Contributors, see COPYING for license
from ipaserver.secrets.service import main
if __name__ == '__main__':
main()

237
install/tools/ipa-dns-install
View File

@@ -1,237 +0,0 @@
#! /usr/bin/python2 -E
# Authors: Martin Nagy <mnagy@redhat.com>
# Based on ipa-server-install by Karl MacMillan <kmacmillan@mentalrootkit.com>
#
# Copyright (C) 2007 - 2009 Red Hat
# see file 'COPYING' for use and warranty information
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
from optparse import OptionGroup, SUPPRESS_HELP
import krbV
from ipaserver.install import service, bindinstance, ntpinstance, httpinstance
from ipaserver.install.installutils import *
from ipaserver.install import installutils
from ipapython import version
from ipapython import ipautil, sysrestore
from ipalib import api, errors, util
from ipaplatform.paths import paths
from ipapython.config import IPAOptionParser
from ipapython.ipa_log_manager import standard_logging_setup, root_logger
log_file_name = paths.IPASERVER_INSTALL_LOG
def parse_options():
parser = IPAOptionParser(version=version.VERSION)
parser.add_option("-p", "--ds-password", dest="dm_password",
sensitive=True, help="admin password")
parser.add_option("-d", "--debug", dest="debug", action="store_true",
default=False, help="print debugging information")
parser.add_option("--ip-address", dest="ip_address",
type="ip", ip_local=True, help="Master Server IP Address")
parser.add_option("--forwarder", dest="forwarders", action="append",
type="ip", help="Add a DNS forwarder")
parser.add_option("--no-forwarders", dest="no_forwarders", action="store_true",
default=False, help="Do not add any DNS forwarders, use root servers instead")
parser.add_option("--reverse-zone", dest="reverse_zone", help="The reverse DNS zone to use")
parser.add_option("--no-reverse", dest="no_reverse", action="store_true",
default=False, help="Do not create new reverse DNS zone")
parser.add_option("--zonemgr", action="callback", callback=bindinstance.zonemgr_callback,
type="string",
help="DNS zone manager e-mail address. Defaults to hostmaster@DOMAIN")
parser.add_option("-U", "--unattended", dest="unattended", action="store_true",
default=False, help="unattended installation never prompts the user")
options, args = parser.parse_args()
safe_options = parser.get_safe_opts(options)
if options.forwarders and options.no_forwarders:
parser.error("You cannot specify a --forwarder option together with --no-forwarders")
elif options.reverse_zone and options.no_reverse:
parser.error("You cannot specify a --reverse-zone option together with --no-reverse")
if options.unattended:
if not options.forwarders and not options.no_forwarders:
parser.error("You must specify at least one --forwarder option or --no-forwarders option")
return safe_options, options
def main():
safe_options, options = parse_options()
if os.getegid() != 0:
sys.exit("Must be root to setup server")
standard_logging_setup(log_file_name, debug=options.debug, filemode='a')
print "\nThe log file for this installation can be found in %s" % log_file_name
root_logger.debug('%s was invoked with options: %s' % (sys.argv[0], safe_options))
root_logger.debug("missing options might be asked for interactively later\n")
root_logger.debug('IPA version %s' % version.VENDOR_VERSION)
installutils.check_server_configuration()
global fstore
fstore = sysrestore.FileStore(paths.SYSRESTORE)
print "=============================================================================="
print "This program will setup DNS for the FreeIPA Server."
print ""
print "This includes:"
print " * Configure DNS (bind)"
print ""
print "To accept the default shown in brackets, press the Enter key."
print ""
# Check bind packages are installed
if not bindinstance.check_inst(options.unattended):
sys.exit("Aborting installation.")
# Initialize the ipalib api
cfg = dict(
in_server=True,
debug=options.debug,
)
api.bootstrap(**cfg)
api.finalize()
if bindinstance.named_conf_exists():
sys.exit("\nDNS is already configured in this IPA server.")
# Create a BIND instance
if options.unattended and not options.dm_password:
sys.exit("\nIn unattended mode you need to provide at least the -p option")
dm_password = options.dm_password or read_password("Directory Manager",
confirm=False, validate=False)
if dm_password is None:
sys.exit("Directory Manager password required")
bind = bindinstance.BindInstance(fstore, dm_password)
# try the connection
try:
bind.ldap_connect()
bind.ldap_disconnect()
except errors.ACIError:
sys.exit("Password is not valid!")
# Check we have a public IP that is associated with the hostname
if options.ip_address:
ip = options.ip_address
else:
hostaddr = resolve_host(api.env.host)
try:
if len(hostaddr) > 1:
print >> sys.stderr, "The server hostname resolves to more than one address:"
for addr in hostaddr:
print >> sys.stderr, " %s" % addr
if options.ip_address:
if str(options.ip_address) not in hostaddr:
print >> sys.stderr, "Address passed in --ip-address did not match any resolved"
print >> sys.stderr, "address!"
sys.exit(1)
print "Selected IP address:", str(options.ip_address)
ip = options.ip_address
else:
if options.unattended:
print >> sys.stderr, "Please use --ip-address option to specify the address"
sys.exit(1)
else:
ip = read_ip_address(api.env.host, fstore)
else:
ip = hostaddr and ipautil.CheckedIPAddress(hostaddr[0], match_local=True)
except Exception, e:
print "Error: Invalid IP Address %s: %s" % (ip, e)
ip = None
if not ip:
if options.unattended:
sys.exit("Unable to resolve IP address for host name")
else:
ip = read_ip_address(api.env.host, fstore)
ip_address = str(ip)
root_logger.debug("will use ip_address: %s\n", ip_address)
if options.reverse_zone and not bindinstance.verify_reverse_zone(options.reverse_zone, ip):
sys.exit(1)
if options.no_forwarders:
dns_forwarders = ()
elif options.forwarders:
dns_forwarders = options.forwarders
else:
dns_forwarders = read_dns_forwarders()
root_logger.debug("will use dns_forwarders: %s\n", str(dns_forwarders))
if bind.dm_password:
api.Backend.ldap2.connect(bind_dn=DN(('cn', 'Directory Manager')), bind_pw=bind.dm_password)
else:
# See if our LDAP server is up and we can talk to it over GSSAPI
ccache = krbV.default_context().default_ccache()
api.Backend.ldap2.connect(ccache)
if options.reverse_zone:
reverse_zone = bindinstance.normalize_zone(options.reverse_zone)
else:
reverse_zone = bindinstance.find_reverse_zone(ip)
if reverse_zone is None and not options.no_reverse:
if options.unattended:
reverse_zone = util.get_reverse_zone_default(ip)
elif bindinstance.create_reverse():
reverse_zone = util.get_reverse_zone_default(ip)
reverse_zone = bindinstance.read_reverse_zone(reverse_zone, ip)
if reverse_zone is not None:
print "Using reverse zone %s" % reverse_zone
conf_ntp = ntpinstance.NTPInstance(fstore).is_enabled()
if not options.unattended:
print ""
print "The following operations may take some minutes to complete."
print "Please wait until the prompt is returned."
print ""
bind.setup(api.env.host, ip_address, api.env.realm, api.env.domain,
dns_forwarders, conf_ntp, reverse_zone, zonemgr=options.zonemgr)
bind.create_instance()
# Restart http instance to make sure that python-dns has the right resolver
# https://bugzilla.redhat.com/show_bug.cgi?id=800368
http = httpinstance.HTTPInstance(fstore)
service.print_msg("Restarting the web server")
http.restart()
print "=============================================================================="
print "Setup complete"
print ""
bind.check_global_configuration()
print ""
print ""
print "\tYou must make sure these network ports are open:"
print "\t\tTCP Ports:"
print "\t\t * 53: bind"
print "\t\tUDP Ports:"
print "\t\t * 53: bind"
return 0
if __name__ == '__main__':
with private_ccache():
installutils.run_script(main, log_file_name=log_file_name,
operation_name='ipa-dns-install')

156
install/tools/ipa-dns-install.in Normal file
View File

@@ -0,0 +1,156 @@
#!/usr/bin/python3
# Authors: Martin Nagy <mnagy@redhat.com>
# Based on ipa-server-install by Karl MacMillan <kmacmillan@mentalrootkit.com>
#
# Copyright (C) 2007 - 2009 Red Hat
# see file 'COPYING' for use and warranty information
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
from __future__ import print_function
import logging
import os
import sys
from ipaserver.install import bindinstance
from ipaserver.install import installutils
from ipapython import version
from ipalib import api
from ipaplatform.paths import paths
from ipapython import ipautil
from ipapython.config import IPAOptionParser
from ipapython.ipa_log_manager import standard_logging_setup
from ipaserver.install import dns as dns_installer
logger = logging.getLogger(os.path.basename(__file__))
log_file_name = paths.IPASERVER_INSTALL_LOG
def parse_options():
parser = IPAOptionParser(version=version.VERSION)
parser.add_option("-d", "--debug", dest="debug", action="store_true",
default=False, help="print debugging information")
parser.add_option("--ip-address", dest="ip_addresses", metavar="IP_ADDRESS",
default=[], action="append",
type="ip",
help="Master Server IP Address. This option can be used "
"multiple times")
parser.add_option("--forwarder", dest="forwarders", action="append",
type="ip_with_loopback", help="Add a DNS forwarder. This option can be used multiple times")
parser.add_option("--no-forwarders", dest="no_forwarders", action="store_true",
default=False, help="Do not add any DNS forwarders, use root servers instead")
parser.add_option("--auto-forwarders", dest="auto_forwarders",
action="store_true", default=False,
help="Use DNS forwarders configured in /etc/resolv.conf")
parser.add_option("--forward-policy", dest="forward_policy",
choices=("first", "only"), default=None,
help="DNS forwarding policy for global forwarders")
parser.add_option("--reverse-zone", dest="reverse_zones",
default=[], action="append", metavar="REVERSE_ZONE",
help="The reverse DNS zone to use. This option can be used multiple times")
parser.add_option("--no-reverse", dest="no_reverse", action="store_true",
default=False, help="Do not create new reverse DNS zone")
parser.add_option("--auto-reverse", dest="auto_reverse", action="store_true",
default=False, help="Create necessary DNS zones")
parser.add_option("--allow-zone-overlap", dest="allow_zone_overlap",
action="store_true", default=False, help="Create DNS "
"zone even if it already exists")
parser.add_option("--no-dnssec-validation", dest="no_dnssec_validation", action="store_true",
default=False, help="Disable DNSSEC validation")
parser.add_option("--dnssec-master", dest="dnssec_master", action="store_true",
default=False, help="Setup server to be DNSSEC key master")
parser.add_option("--zonemgr", action="callback", callback=bindinstance.zonemgr_callback,
type="string",
help="DNS zone manager e-mail address. Defaults to hostmaster@DOMAIN")
parser.add_option("-U", "--unattended", dest="unattended", action="store_true",
default=False, help="unattended installation never prompts the user")
parser.add_option("--disable-dnssec-master", dest="disable_dnssec_master",
action="store_true", default=False, help="Disable the "
"DNSSEC master on this server")
parser.add_option("--kasp-db", dest="kasp_db_file", type="string",
metavar="FILE", action="store", help="Copy OpenDNSSEC "
"metadata from the specified file (will not create a new "
"kasp.db file)")
parser.add_option("--force", dest="force", action="store_true",
help="Force install")
options, _args = parser.parse_args()
safe_options = parser.get_safe_opts(options)
if options.dnssec_master and options.disable_dnssec_master:
parser.error("Invalid combination of parameters: --dnssec-master and "
"--disable-dnssec-master")
if options.forwarders and options.no_forwarders:
parser.error("You cannot specify a --forwarder option together with --no-forwarders")
elif options.reverse_zones and options.no_reverse:
parser.error("You cannot specify a --reverse-zone option together with --no-reverse")
elif options.auto_reverse and options.no_reverse:
parser.error("You cannot specify a --auto-reverse option together with --no-reverse")
if options.unattended:
if (not options.forwarders
and not options.no_forwarders
and not options.auto_forwarders):
parser.error("You must specify at least one option: "
"--forwarder or --no-forwarders or --auto-forwarders")
if options.kasp_db_file and not os.path.isfile(options.kasp_db_file):
parser.error("File %s does not exist" % options.kasp_db_file)
return safe_options, options
def main():
safe_options, options = parse_options()
if os.getegid() != 0:
sys.exit("Must be root to setup server")
standard_logging_setup(log_file_name, debug=options.debug, filemode='a')
print("\nThe log file for this installation can be found in %s" % log_file_name)
logger.debug('%s was invoked with options: %s', sys.argv[0], safe_options)
logger.debug("missing options might be asked for interactively later\n")
logger.debug('IPA version %s', version.VENDOR_VERSION)
installutils.check_server_configuration()
# Initialize the ipalib api
api.bootstrap(
context='install', confdir=paths.ETC_IPA,
in_server=True, debug=options.debug,
)
api.finalize()
api.Backend.ldap2.connect()
options.setup_ca = None # must be None to enable autodetection
dns_installer.install_check(True, api, False, options, hostname=api.env.host)
dns_installer.install(True, False, options)
# Services are enabled in dns_installer.install()
# execute ipactl to refresh services status
ipautil.run([paths.IPACTL, 'start', '--ignore-service-failures'],
raiseonerr=False)
api.Backend.ldap2.disconnect()
return 0
if __name__ == '__main__':
installutils.run_script(main, log_file_name=log_file_name,
operation_name='ipa-dns-install')

219
install/tools/ipa-httpd-kdcproxy.in Normal file
View File

@@ -0,0 +1,219 @@
#!/usr/bin/python3
# Authors:
# Christian Heimes <cheimes@redhat.com>
#
# Copyright (C) 2015 Red Hat
# see file 'COPYING' for use and warranty information
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
"""ipa-httpd-kdproxy
This script creates or removes the symlink from /etc/ipa/ipa-kdc-proxy.conf
to /etc/httpd/conf.d/. It's called from ExecStartPre hook in httpd.service.
"""
import logging
import os
import socket
import sys
from ipalib import api, errors
from ipapython.ipa_log_manager import standard_logging_setup
from ipapython.ipaldap import LDAPClient
from ipapython.dn import DN
from ipaplatform.paths import paths
logger = logging.getLogger(os.path.basename(__file__))
DEBUG = False
TIME_LIMIT = 2
class Error(Exception):
"""Base error class"""
class ConfigFileError(Error):
"""Something is wrong with the config file"""
class CheckError(Error):
"""An unrecoverable error has occured
The exit code is 0.
"""
class FatalError(Error):
"""A fatal error has occured
Fatal errors cause the command to exit with a non-null exit code.
"""
class KDCProxyConfig:
ipaconfig_flag = 'ipaKDCProxyEnabled'
def __init__(self, time_limit=TIME_LIMIT):
self.time_limit = time_limit
self.con = None
self.ldap_uri = api.env.ldap_uri
self.kdc_dn = DN(('cn', 'KDC'), ('cn', api.env.host),
('cn', 'masters'), ('cn', 'ipa'), ('cn', 'etc'),
api.env.basedn)
self.conf = paths.HTTPD_IPA_KDCPROXY_CONF
self.conflink = paths.HTTPD_IPA_KDCPROXY_CONF_SYMLINK
def _ldap_con(self):
"""Establish LDAP connection"""
logger.debug('ldap_uri: %s', self.ldap_uri)
try:
self.con = LDAPClient(self.ldap_uri)
self.con.external_bind()
except (errors.NetworkError, socket.timeout) as e:
msg = 'Unable to connect to dirsrv: %s' % e
raise CheckError(msg)
except errors.AuthorizationError as e:
msg = 'Authorization error: %s' % e
raise CheckError(msg)
except Exception as e:
msg = ('Unknown error while retrieving setting from %s: %s' %
(self.ldap_uri, e))
logger.exception('%s', msg)
raise FatalError(msg)
def _find_entry(self, dn, attrs, filter, scope=LDAPClient.SCOPE_BASE):
"""Find an LDAP entry, handles NotFound and Limit"""
try:
entries = self.con.get_entries(
dn, scope, filter, attrs, time_limit=self.time_limit)
except errors.NotFound:
logger.debug('Entry not found: %s', dn)
return None
except Exception as e:
msg = ('Unknown error while retrieving setting from %s: %s' %
(self.ldap_uri, e))
logger.exception('%s', msg)
raise FatalError(msg)
return entries[0]
def is_host_enabled(self):
"""Check replica specific flag"""
logger.debug('Read settings from dn: %s', self.kdc_dn)
srcfilter = self.con.make_filter(
{'ipaConfigString': u'kdcProxyEnabled'}
)
entry = self._find_entry(self.kdc_dn, ['cn'], srcfilter)
logger.debug('%s ipaConfigString: %s', self.kdc_dn, entry)
return entry is not None
def validate_symlink(self):
"""Validate symlink in Apache conf.d"""
if not os.path.exists(self.conflink):
return False
if not os.path.islink(self.conflink):
raise ConfigFileError(
"'%s' already exists, but it is not a symlink"
% self.conflink)
dest = os.readlink(self.conflink)
if dest != self.conf:
raise ConfigFileError(
"'%s' points to '%s', expected '%s'"
% (self.conflink, dest, self.conf))
return True
def create_symlink(self):
"""Create symlink to enable KDC proxy support"""
try:
valid = self.validate_symlink()
except ConfigFileError as e:
logger.warning("Cannot enable KDC proxy: %s ", e)
return False
if valid:
logger.debug("Symlink exists and is valid")
return True
if not os.path.isfile(self.conf):
logger.warning("'%s' does not exist", self.conf)
return False
# create the symbolic link
logger.debug("Creating symlink from '%s' to '%s'",
self.conf, self.conflink)
os.symlink(self.conf, self.conflink)
return True
def remove_symlink(self):
"""Delete symlink to disable KDC proxy support"""
try:
valid = self.validate_symlink()
except CheckError as e:
logger.warning("Cannot disable KDC proxy: %s ", e)
return False
if valid:
logger.debug("Removing symlink '%s'", self.conflink)
os.unlink(self.conflink)
else:
logger.debug("Symlink '%s' has already been removed.",
self.conflink)
return True
def __enter__(self):
self._ldap_con()
return self
def __exit__(self, exc_type, exc_value, traceback):
if self.con is not None:
self.con.unbind()
self.con = None
def main(debug=DEBUG, time_limit=TIME_LIMIT):
# initialize API without file logging
if not api.isdone('bootstrap'):
api.bootstrap(
context='server', confdir=paths.ETC_IPA, log=None,
debug=debug
)
standard_logging_setup(verbose=True, debug=debug)
try:
cfg = KDCProxyConfig(time_limit)
with cfg:
if cfg.is_host_enabled():
if cfg.create_symlink():
logger.info('KDC proxy enabled')
return 0
else:
if cfg.remove_symlink():
logger.info('KDC proxy disabled')
return 0
except CheckError as e:
logger.warning('%s', str(e))
logger.warning('Disabling KDC proxy')
cfg.remove_symlink()
return 0
except Exception as e:
logger.error('%s', str(e))
return 1
else:
return 0
if __name__ == '__main__':
sys.exit(main())

43
install/tools/ipa-httpd-pwdreader.in Executable file
View File

@@ -0,0 +1,43 @@
#!/usr/bin/python3
"""mod_ssl password reader
This program is a handler written for Apache mod_ssl's SSLPassPhraseDialog.
If you'd like to write your custom binary providing passwords to mod_ssl,
see the documentation of the aforementioned directive of the mod_ssl module.
"""
import argparse
import os
from ipaplatform.paths import paths
HTTPD_PASSWD_DIR = os.path.realpath(
os.path.dirname(paths.HTTPD_PASSWD_FILE_FMT)
)
parser = argparse.ArgumentParser(description="mod_ssl password reader")
parser.add_argument(
"host_port", help="host:port",
)
parser.add_argument(
"keytype", help="RSA|DSA|ECC|number",
)
def main():
args = parser.parse_args()
host_port = args.host_port.replace(":", "-")
keytype = args.keytype
pwdpath = os.path.realpath(
os.path.join(HTTPD_PASSWD_DIR, f"{host_port}-{keytype}")
)
if not pwdpath.startswith(HTTPD_PASSWD_DIR):
parser.error(f"Invalid path {pwdpath}\n")
try:
with open(pwdpath) as f:
print(f.read(), end="")
except OSError as e:
parser.error(str(e))
if __name__ == "__main__":
main()

23
install/tools/ipa-kra-install.in Normal file
View File

@@ -0,0 +1,23 @@
#!/usr/bin/python3
# Authors: Ade Lee <alee@redhat.com>
#
# Copyright (C) 2014 Red Hat
# see file 'COPYING' for use and warranty information
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
from ipaserver.install.ipa_kra_install import KRAInstall
KRAInstall.run_cli()

2
install/tools/ipa-ldap-updater → install/tools/ipa-ldap-updater.in Executable file → Normal file
View File

@@ -1,4 +1,4 @@
#!/usr/bin/python2
#!/usr/bin/python3
# Authors: Rob Crittenden <rcritten@redhat.com>
#
# Copyright (C) 2008 Red Hat

114
install/tools/ipa-managed-entries → install/tools/ipa-managed-entries.in Executable file → Normal file
View File

@@ -1,4 +1,4 @@
#!/usr/bin/python2
#!/usr/bin/python3
# Authors: Jr Aquino <jr.aquino@citrix.com>
#
# Copyright (C) 2011 Red Hat
@@ -18,17 +18,24 @@
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
from __future__ import print_function
import logging
import os
import re
import sys
from optparse import OptionParser
from optparse import OptionParser # pylint: disable=deprecated-module
from ipapython import ipautil, config, ipaldap
from ipaplatform.paths import paths
from ipapython import config
from ipaserver.install import installutils
from ipalib import api, errors
from ipalib.constants import CACERT
from ipapython.ipa_log_manager import *
from ipapython.ipa_log_manager import standard_logging_setup
from ipapython.dn import DN
logger = logging.getLogger(os.path.basename(__file__))
def parse_options():
usage = "%prog [options] <status|enable|disable>\n"
usage += "%prog [options]\n"
@@ -41,7 +48,7 @@ def parse_options():
help="DN for the Managed Entry Definition")
parser.add_option("-l", "--list", dest="list_managed_entries",
action="store_true",
help="DN for the Managed Entry Definition")
help="List available Managed Entries")
parser.add_option("-p", "--password", dest="dirman_password",
help="Directory Manager password")
@@ -61,6 +68,9 @@ def get_dirman_password():
def main():
retval = 0
def_dn = None
installutils.check_server_configuration()
options, args = parse_options()
if options.list_managed_entries:
@@ -71,9 +81,13 @@ def main():
sys.exit("Unrecognized action [" + args[0] + "]")
standard_logging_setup(None, debug=options.debug)
host = installutils.get_fqdn()
api.bootstrap(context='cli', debug=options.debug)
api.bootstrap(
context='cli',
in_server=True,
debug=options.debug,
confdir=paths.ETC_IPA)
api.finalize()
api.Backend.ldap2.connect(bind_pw=options.dirman_password)
managed_entry_definitions_dn = DN(
('cn', 'Definitions'),
@@ -82,41 +96,22 @@ def main():
api.env.basedn
)
conn = None
try:
filter = '(objectClass=extensibleObject)'
conn = ipaldap.IPAdmin(host, 636, cacert=CACERT)
if options.dirman_password:
conn.do_simple_bind(bindpw=options.dirman_password)
else:
conn.do_sasl_gssapi_bind()
except errors.ACIError:
dirman_password = get_dirman_password()
if dirman_password is None:
sys.exit("Directory Manager password required")
try:
conn.do_simple_bind(bindpw=dirman_password)
except errors.ACIError:
sys.exit("Invalid credentials")
except errors.ExecutionError, lde:
sys.exit("An error occurred while connecting to the server.\n%s\n" %
str(lde))
filter = '(objectClass=extensibleObject)'
if options.list_managed_entries:
# List available Managed Entry Plugins
managed_entries = None
try:
entries = conn.get_entries(
managed_entry_definitions_dn, conn.SCOPE_SUBTREE, filter)
except Exception, e:
root_logger.debug("Search for managed entries failed: %s" % str(e))
entries = api.Backend.ldap2.get_entries(
managed_entry_definitions_dn, api.Backend.ldap2.SCOPE_SUBTREE, filter)
except Exception as e:
logger.debug("Search for managed entries failed: %s", str(e))
sys.exit("Unable to find managed entries at %s" % managed_entry_definitions_dn)
managed_entries = [entry.single_value['cn'] for entry in entries]
if managed_entries:
print "Available Managed Entry Definitions:"
print("Available Managed Entry Definitions:")
for managed_entry in managed_entries:
print managed_entry
print(managed_entry)
retval = 0
sys.exit()
@@ -127,8 +122,7 @@ def main():
disabled = True
try:
[entry] = conn.get_entries(def_dn, conn.SCOPE_BASE,
filter, ['originfilter'])
entry = api.Backend.ldap2.get_entry(def_dn)
disable_attr = '(objectclass=disable)'
try:
org_filter = entry.single_value.get('originfilter')
@@ -137,35 +131,35 @@ def main():
sys.exit("%s is not a valid Managed Entry" % def_dn)
except errors.NotFound:
sys.exit("%s is not a valid Managed Entry" % def_dn)
except errors.ExecutionError, lde:
print "An error occurred while talking to the server."
print lde
except errors.ExecutionError as lde:
print("An error occurred while talking to the server.")
print(lde)
if args[0] == "status":
if not disabled:
print "Plugin Enabled"
print("Plugin Enabled")
else:
print "Plugin Disabled"
print("Plugin Disabled")
return 0
if args[0] == "enable":
try:
if not disabled:
print "Plugin already Enabled"
print("Plugin already Enabled")
retval = 2
else:
# Remove disable_attr from filter
enable_attr = org_filter.replace(disable_attr, '')
#enable_attr = {'originfilter': enable_attr}
entry['originfilter'] = [enable_attr]
conn.update_entry(entry)
print "Enabling Plugin"
api.Backend.ldap2.update_entry(entry)
print("Enabling Plugin")
retval = 0
except errors.NotFound:
print "Enabling Plugin"
except errors.ExecutionError, lde:
print "An error occurred while talking to the server."
print lde
print("Enabling Plugin")
except errors.ExecutionError as lde:
print("An error occurred while talking to the server.")
print(lde)
retval = 1
elif args[0] == "disable":
@@ -174,7 +168,7 @@ def main():
# disabling.
try:
if disabled:
print "Plugin already disabled"
print("Plugin already disabled")
retval = 2
else:
if org_filter[:2] == '(&' and org_filter[-1] == ')':
@@ -182,24 +176,28 @@ def main():
else:
disable_attr = '(&%s(%s))' % (disable_attr, org_filter)
entry['originfilter'] = [disable_attr]
conn.update_entry(entry)
print "Disabling Plugin"
api.Backend.ldap2.update_entry(entry)
print("Disabling Plugin")
except errors.NotFound:
print "Plugin is already disabled"
print("Plugin is already disabled")
retval = 2
except errors.DatabaseError, dbe:
print "An error occurred while talking to the server."
print dbe
except errors.DatabaseError as dbe:
print("An error occurred while talking to the server.")
print(dbe)
retval = 1
except errors.ExecutionError, lde:
print "An error occurred while talking to the server."
print lde
except errors.ExecutionError as lde:
print("An error occurred while talking to the server.")
print(lde)
retval = 1
else:
retval = 1
api.Backend.ldap2.disconnect()
return retval
if __name__ == '__main__':
if not os.geteuid() == 0:
sys.exit("\nMust be run as root\n")
installutils.run_script(main, operation_name='ipa-managed-entries')

204
install/tools/ipa-nis-manage
View File

@@ -1,204 +0,0 @@
#!/usr/bin/python2
# Authors: Rob Crittenden <rcritten@redhat.com>
# Authors: Simo Sorce <ssorce@redhat.com>
#
# Copyright (C) 2009 Red Hat
# see file 'COPYING' for use and warranty information
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
import sys
import os
from ipaplatform.paths import paths
try:
from optparse import OptionParser
from ipapython import ipautil, config
from ipaserver.install import installutils
from ipaserver.install.ldapupdate import LDAPUpdate, BadSyntax
from ipaserver.plugins.ldap2 import ldap2
from ipalib import api, errors
from ipapython.ipa_log_manager import *
from ipapython.dn import DN
from ipaplatform import services
except ImportError:
print >> sys.stderr, """\
There was a problem importing one of the required Python modules. The
error was:
%s
""" % sys.exc_value
sys.exit(1)
nis_config_dn = DN(('cn', 'NIS Server'), ('cn', 'plugins'), ('cn', 'config'))
compat_dn = DN(('cn', 'Schema Compatibility'), ('cn', 'plugins'), ('cn', 'config'))
def parse_options():
usage = "%prog [options] <enable|disable>\n"
usage += "%prog [options]\n"
parser = OptionParser(usage=usage, formatter=config.IPAFormatter())
parser.add_option("-d", "--debug", action="store_true", dest="debug",
help="Display debugging information about the update(s)")
parser.add_option("-y", dest="password",
help="File containing the Directory Manager password")
config.add_standard_options(parser)
options, args = parser.parse_args()
config.init_config(options)
return options, args
def get_dirman_password():
"""Prompt the user for the Directory Manager password and verify its
correctness.
"""
password = installutils.read_password("Directory Manager", confirm=False, validate=False, retry=False)
return password
def get_entry(dn, conn):
"""
Return the entry for the given DN. If the entry is not found return
None.
"""
entry = None
try:
entry = conn.get_entry(dn)
except errors.NotFound:
pass
return entry
def main():
retval = 0
files = [paths.NIS_ULDIF]
servicemsg = ""
if os.getegid() != 0:
sys.exit('Must be root to use this tool.')
installutils.check_server_configuration()
options, args = parse_options()
if len(args) != 1:
sys.exit("You must specify one action, either enable or disable")
elif args[0] != "enable" and args[0] != "disable":
sys.exit("Unrecognized action [" + args[0] + "]")
standard_logging_setup(None, debug=options.debug)
dirman_password = ""
if options.password:
try:
pw = ipautil.template_file(options.password, [])
except IOError:
sys.exit("File \"%s\" not found or not readable" % options.password)
dirman_password = pw.strip()
else:
dirman_password = get_dirman_password()
if dirman_password is None:
sys.exit("Directory Manager password required")
if not dirman_password:
sys.exit("No password supplied")
api.bootstrap(context='cli', debug=options.debug)
api.finalize()
conn = None
try:
try:
conn = ldap2(shared_instance=False, base_dn='')
conn.connect(
bind_dn=DN(('cn', 'directory manager')), bind_pw=dirman_password
)
except errors.ExecutionError, lde:
sys.exit("An error occurred while connecting to the server: %s" % str(lde))
except errors.AuthorizationError:
sys.exit("Incorrect password")
if args[0] == "enable":
compat = get_entry(compat_dn, conn)
if compat is None or compat.get('nsslapd-pluginenabled', [''])[0].lower() == 'off':
sys.exit("The compat plugin needs to be enabled: ipa-compat-manage enable")
entry = None
try:
entry = get_entry(nis_config_dn, conn)
except errors.ExecutionError, lde:
print "An error occurred while talking to the server."
print lde
retval = 1
# Enable either the portmap or rpcbind service
try:
portmap = services.knownservices.portmap
portmap.enable()
servicemsg = portmap.service_name
except ipautil.CalledProcessError, cpe:
if cpe.returncode == 1:
try:
rpcbind = services.knownservices.rpcbind
rpcbind.enable()
servicemsg = rpcbind.service_name
except ipautil.CalledProcessError, cpe:
print "Unable to enable either %s or %s" % (portmap.service_name, rpcbind.service_name)
retval = 3
# The cn=config entry for the plugin may already exist but it
# could be turned off, handle both cases.
if entry is None:
print "Enabling plugin"
ld = LDAPUpdate(dm_password=dirman_password, sub_dict={}, ldapi=True)
if ld.update(files) != True:
retval = 1
elif entry.get('nsslapd-pluginenabled', [''])[0].lower() == 'off':
print "Enabling plugin"
# Already configured, just enable the plugin
entry['nsslapd-pluginenabled'] = ['on']
conn.update_entry(entry)
else:
print "Plugin already Enabled"
retval = 2
elif args[0] == "disable":
try:
entry = conn.get_entry(nis_config_dn, ['nsslapd-pluginenabled'])
entry['nsslapd-pluginenabled'] = ['off']
conn.update_entry(entry)
except (errors.NotFound, errors.EmptyModlist):
print "Plugin is already disabled"
retval = 2
except errors.LDAPError, lde:
print "An error occurred while talking to the server."
print lde
retval = 1
else:
retval = 1
if retval == 0:
print "This setting will not take effect until you restart Directory Server."
if args[0] == "enable":
print "The %s service may need to be started." % servicemsg
finally:
if conn and conn.isconnected():
conn.disconnect()
return retval
if __name__ == '__main__':
installutils.run_script(main, operation_name='ipa-nis-manage')

205
install/tools/ipa-nis-manage.in Normal file
View File

@@ -0,0 +1,205 @@
#!/usr/bin/python3
# Authors: Rob Crittenden <rcritten@redhat.com>
# Authors: Simo Sorce <ssorce@redhat.com>
#
# Copyright (C) 2009 Red Hat
# see file 'COPYING' for use and warranty information
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
from __future__ import print_function
import sys
import os
from ipaplatform.paths import paths
try:
from optparse import OptionParser # pylint: disable=deprecated-module
from ipapython import ipautil, config
from ipaserver.install import installutils
from ipaserver.install.ldapupdate import LDAPUpdate
from ipalib import api, errors
from ipapython.ipa_log_manager import standard_logging_setup
from ipapython.dn import DN
from ipaplatform import services
except ImportError as e:
print("""\
There was a problem importing one of the required Python modules. The
error was:
%s
""" % e, file=sys.stderr)
sys.exit(1)
nis_config_dn = DN(('cn', 'NIS Server'), ('cn', 'plugins'), ('cn', 'config'))
compat_dn = DN(('cn', 'Schema Compatibility'), ('cn', 'plugins'), ('cn', 'config'))
def parse_options():
usage = "%prog [options] <enable|disable|status>\n"
usage += "%prog [options]\n"
parser = OptionParser(usage=usage, formatter=config.IPAFormatter())
parser.add_option("-d", "--debug", action="store_true", dest="debug",
help="Display debugging information about the update(s)")
parser.add_option("-y", dest="password",
help="File containing the Directory Manager password")
config.add_standard_options(parser)
options, args = parser.parse_args()
return options, args
def get_dirman_password():
"""Prompt the user for the Directory Manager password and verify its
correctness.
"""
password = installutils.read_password("Directory Manager", confirm=False, validate=False, retry=False)
return password
def get_entry(dn):
"""
Return the entry for the given DN. If the entry is not found return
None.
"""
entry = None
try:
entry = api.Backend.ldap2.get_entry(dn)
except errors.NotFound:
pass
return entry
def main():
retval = 0
files = [paths.NIS_ULDIF]
servicemsg = ""
if os.getegid() != 0:
sys.exit('Must be root to use this tool.')
installutils.check_server_configuration()
options, args = parse_options()
if len(args) != 1:
sys.exit("You must specify one action: enable | disable | status")
elif args[0] not in {"enable", "disable", "status"}:
sys.exit("Unrecognized action [" + args[0] + "]")
standard_logging_setup(None, debug=options.debug)
dirman_password = ""
if options.password:
try:
pw = ipautil.template_file(options.password, [])
except IOError:
sys.exit("File \"%s\" not found or not readable" % options.password)
dirman_password = pw.strip()
else:
dirman_password = get_dirman_password()
if dirman_password is None:
sys.exit("Directory Manager password required")
if not dirman_password:
sys.exit("No password supplied")
api.bootstrap(
context='cli', confdir=paths.ETC_IPA,
debug=options.debug, in_server=True)
api.finalize()
api.Backend.ldap2.connect(bind_pw=dirman_password)
if args[0] == "enable":
compat = get_entry(compat_dn)
if compat is None or compat.get('nsslapd-pluginenabled', [''])[0].lower() == 'off':
sys.exit("The compat plugin needs to be enabled: ipa-compat-manage enable")
entry = None
try:
entry = get_entry(nis_config_dn)
except errors.ExecutionError as lde:
print("An error occurred while talking to the server.")
print(lde)
retval = 1
# Enable either the portmap or rpcbind service
portmap = services.knownservices.portmap
rpcbind = services.knownservices.rpcbind
if portmap.is_installed():
portmap.enable()
servicemsg = portmap.service_name
elif rpcbind.is_installed():
rpcbind.enable()
servicemsg = rpcbind.service_name
else:
print("Unable to enable either %s or %s" % (portmap.service_name, rpcbind.service_name))
retval = 3
# The cn=config entry for the plugin may already exist but it
# could be turned off, handle both cases.
if entry is None:
print("Enabling plugin")
ld = LDAPUpdate(dm_password=dirman_password, sub_dict={}, ldapi=True)
if ld.update(files) != True:
retval = 1
elif entry.get('nsslapd-pluginenabled', [''])[0].lower() == 'off':
print("Enabling plugin")
# Already configured, just enable the plugin
entry['nsslapd-pluginenabled'] = ['on']
api.Backend.ldap2.update_entry(entry)
else:
print("Plugin already Enabled")
retval = 2
elif args[0] == "disable":
try:
entry = api.Backend.ldap2.get_entry(nis_config_dn, ['nsslapd-pluginenabled'])
entry['nsslapd-pluginenabled'] = ['off']
api.Backend.ldap2.update_entry(entry)
except (errors.NotFound, errors.EmptyModlist):
print("Plugin is already disabled")
retval = 2
except errors.LDAPError as lde:
print("An error occurred while talking to the server.")
print(lde)
retval = 1
elif args[0] == "status":
nis_entry = get_entry(nis_config_dn)
enabled = (nis_entry and
nis_entry.get(
'nsslapd-pluginenabled', '')[0].lower() == "on")
if enabled:
print("Plugin is enabled")
retval = 0
else:
print("Plugin is not enabled")
retval = 4
else:
retval = 1
if retval == 0:
if args[0] in {"enable", "disable"}:
print("This setting will not take effect until you restart "
"Directory Server.")
if args[0] == "enable":
print("The %s service may need to be started." % servicemsg)
api.Backend.ldap2.disconnect()
return retval
if __name__ == '__main__':
installutils.run_script(main, operation_name='ipa-nis-manage')

4
install/tools/ipa-otptoken-import → install/tools/ipa-otptoken-import.in Executable file → Normal file
View File

@@ -1,4 +1,4 @@
#! /usr/bin/python2 -E
#!/usr/bin/python3
# Authors: Nathaniel McCallum <npmccallum@redhat.com>
#
# Copyright (C) 2014 Red Hat
@@ -19,7 +19,5 @@
#
from ipaserver.install.ipa_otptoken_import import OTPTokenImport
import nss.nss as nss
OTPTokenImport.run_cli()

81
install/tools/ipa-pki-retrieve-key.in Normal file
View File

@@ -0,0 +1,81 @@
#!/usr/bin/python3
from __future__ import print_function
import argparse
import os
from requests import HTTPError
from ipalib import constants
from ipalib.config import Env
from ipaplatform.paths import paths
from ipaserver.secrets.client import CustodiaClient
def main():
env = Env()
env._finalize()
parser = argparse.ArgumentParser("ipa-pki-retrieve-key")
parser.add_argument("keyname", type=str)
parser.add_argument("servername", type=str)
args = parser.parse_args()
keyname = "ca_wrapped/{}".format(args.keyname)
service = constants.PKI_GSSAPI_SERVICE_NAME
client_keyfile = os.path.join(paths.PKI_TOMCAT, service + '.keys')
client_keytab = os.path.join(paths.PKI_TOMCAT, service + '.keytab')
for filename in [client_keyfile, client_keytab]:
if not os.access(filename, os.R_OK):
parser.error(
"File '{}' missing or not readable.\n".format(filename)
)
# pylint: disable=no-member
client = CustodiaClient(
client_service="{}@{}".format(service, env.host),
server=args.servername,
realm=env.realm,
ldap_uri="ldaps://" + env.host,
keyfile=client_keyfile,
keytab=client_keytab,
)
OID_AES128_CBC = "2.16.840.1.101.3.4.1.2"
try:
# Initially request a key wrapped using AES128-CBC.
# This uses the recent ability to specify additional
# parameters to a Custodia resource.
path = f'{keyname}/{OID_AES128_CBC}' # aes128-cbc
resp = client.fetch_key(path, store=False)
except HTTPError as e:
if e.response.status_code == 404:
# The 404 indicates one of two conditions:
#
# a) The server is an older version that does not support
# extra Custodia parameters. We should retry without
# specifying an algorithm.
#
# b) The key does not exist. At this point we cannot
# distinguish (a) and (b) but if we retry without
# specifying an algorithm, the second attempt will
# also fail with status 404.
#
# So the correct way to handle both scenarios is to
# retry without the algorithm parameter.
#
resp = client.fetch_key(keyname, store=False)
else:
raise # something else went wrong; re-raise
# Print the response JSON to stdout; it is already in the format
# that Dogtag's ExternalProcessKeyRetriever expects
print(resp)
if __name__ == '__main__':
main()

132
install/tools/ipa-pki-wait-running.in Normal file
View File

@@ -0,0 +1,132 @@
#!/usr/bin/python3
"""Wait until pki-tomcatd is up
The script polls on Dogtag's HTTP port and wait until the admin interface
reports status 'running' for the CA sub system.
/etc/systemd/system/pki-tomcatd@pki-tomcat.service.d/ipa.conf
[Service]
ExecStartPost=/usr/libexec/ipa/ipa-pki-wait-running
"""
import os
import logging
import sys
import time
from xml.etree import ElementTree
from ipalib import api
from ipaplatform.paths import paths
from pki.client import PKIConnection
from pki.system import SystemStatusClient
from requests.exceptions import ConnectionError, Timeout, RequestException
logger = logging.getLogger('ipa-pki-wait-running')
# check the CA subsystem. All pki-tomcatd instances in IPA have a CA
SUBSYSTEM = 'ca'
# time out for TCP connection attempts
CONNECTION_TIMEOUT = 1.0
EXIT_SUCCESS = 0
EXIT_FAILURE = 1
if hasattr(time, 'monotonic'):
curtime = time.monotonic
else:
curtime = time.time
def check_installed(subsystem):
"""Check if the subsystem is configured
"""
catalina_base = os.environ.get(
'CATALINA_BASE', '/var/lib/pki/pki-tomcat'
)
# /var/lib/pki/pki-tomcat/conf -> /etc/pki/pki-tomcat
cs_cfg = os.path.join(catalina_base, 'conf', subsystem, 'CS.cfg')
if os.path.isfile(cs_cfg):
logger.debug("File %s exists.", cs_cfg)
return True
else:
logger.info("File %s does not exist.", cs_cfg)
return False
def get_conn(hostname, subsystem):
"""Create a connection object
"""
conn = PKIConnection(
hostname=hostname,
subsystem=subsystem,
cert_paths=paths.IPA_CA_CRT
)
logger.info(
"Created connection %s://%s:%s/%s",
conn.protocol, conn.hostname, conn.port, conn.subsystem
)
return conn
def get_status(conn, timeout):
"""Get status from subsystem and return parsed (status, error)
"""
client = SystemStatusClient(conn)
response = client.get_status(timeout=timeout)
root = ElementTree.fromstring(response)
status = root.findtext("Status")
error = root.findtext("Error")
logging.debug("Got status '%s', error '%s'", status, error)
return status, error
def main():
if not check_installed(SUBSYSTEM):
logger.info(
"subsystem %s is not installed, exiting", SUBSYSTEM
)
sys.exit(EXIT_SUCCESS)
# bootstrap ipalib.api to parse config file
api.bootstrap(confdir=paths.ETC_IPA, log=None)
timeout = api.env.startup_timeout
conn = get_conn(api.env.host, subsystem=SUBSYSTEM)
end = curtime() + timeout
while curtime() < end:
try:
status, error = get_status(conn, CONNECTION_TIMEOUT)
except (ConnectionError, Timeout) as e:
logger.info("Connection failed: %s", e)
except RequestException as e:
logger.error("Request failed unexpectedly, %s ", e)
else:
if status == 'running':
logger.info("Success, subsystem %s is running!", SUBSYSTEM)
sys.exit(EXIT_SUCCESS)
elif error is not None:
logger.info(
"Subsystem %s failed with error '%s', giving up!",
SUBSYSTEM, error
)
sys.exit(EXIT_FAILURE)
else:
logger.info("Status is '%s', waiting...", status)
# wait and try again
time.sleep(1)
# giving up
logger.error(
"Reached end of wait timeout %s, giving up", timeout
)
sys.exit(EXIT_FAILURE)
if __name__ == '__main__':
logging.basicConfig(
format='%(name)s: %(message)s',
level=logging.INFO
)
main()

8
install/tools/ipa-pkinit-manage.in Normal file
View File

@@ -0,0 +1,8 @@
#!/usr/bin/python3
#
# Copyright (C) 2017 FreeIPA Contributors see COPYING for license
#
from ipaserver.install.ipa_pkinit_manage import PKINITManage
PKINITManage.run_cli()

435
install/tools/ipa-replica-conncheck
View File

@@ -1,435 +0,0 @@
#! /usr/bin/python2 -E
# Authors: Martin Kosek <mkosek@redhat.com>
#
# Copyright (C) 2011 Red Hat
# see file 'COPYING' for use and warranty information
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
from ipapython.config import IPAOptionParser
from ipapython import version
from ipapython import ipautil
from ipapython import dogtag
from ipapython.ipautil import CalledProcessError
from ipaserver.install import installutils
import ipaclient.ipachangeconf
from optparse import OptionGroup
from ipapython.ipa_log_manager import *
import sys
import os
import signal
import tempfile
import socket
import time
import threading
import errno
from socket import SOCK_STREAM, SOCK_DGRAM
import distutils.spawn
from ipaplatform.paths import paths
CONNECT_TIMEOUT = 5
RESPONDERS = [ ]
QUIET = False
CCACHE_FILE = paths.CONNCHECK_CCACHE
KRB5_CONFIG = None
class SshExec(object):
def __init__(self, user, addr):
self.user = user
self.addr = addr
self.cmd = distutils.spawn.find_executable('ssh')
def __call__(self, command, verbose=False):
# Bail if ssh is not installed
if self.cmd is None:
print "WARNING: ssh not installed, skipping ssh test"
return ('', '', 0)
tmpf = tempfile.NamedTemporaryFile()
cmd = [
self.cmd,
'-o StrictHostKeychecking=no',
'-o UserKnownHostsFile=%s' % tmpf.name,
'%s@%s' % (self.user, self.addr), command
]
if verbose:
cmd.insert(1, '-v')
env = {'KRB5_CONFIG': KRB5_CONFIG, 'KRB5CCNAME': CCACHE_FILE}
return ipautil.run(cmd, env=env, raiseonerr=False)
class CheckedPort(object):
def __init__(self, port, port_type, description):
self.port = port
self.port_type = port_type
self.description = description
BASE_PORTS = [
CheckedPort(389, SOCK_STREAM, "Directory Service: Unsecure port"),
CheckedPort(636, SOCK_STREAM, "Directory Service: Secure port"),
CheckedPort(88, SOCK_STREAM, "Kerberos KDC: TCP"),
CheckedPort(88, SOCK_DGRAM, "Kerberos KDC: UDP"),
CheckedPort(464, SOCK_STREAM, "Kerberos Kpasswd: TCP"),
CheckedPort(464, SOCK_DGRAM, "Kerberos Kpasswd: UDP"),
CheckedPort(80, SOCK_STREAM, "HTTP Server: Unsecure port"),
CheckedPort(443, SOCK_STREAM, "HTTP Server: Secure port"),
]
def print_info(msg):
if not QUIET:
print msg
def parse_options():
parser = IPAOptionParser(version=version.VERSION)
replica_group = OptionGroup(parser, "on-replica options")
replica_group.add_option("-m", "--master", dest="master",
help="Master address with running IPA for output connection check")
replica_group.add_option("-a", "--auto-master-check", dest="auto_master_check",
action="store_true",
default=False,
help="Automatically execute connection check on master")
replica_group.add_option("-r", "--realm", dest="realm",
help="Realm name")
replica_group.add_option("-k", "--kdc", dest="kdc",
help="Master KDC. Defaults to master address")
replica_group.add_option("-p", "--principal", dest="principal",
default="admin", help="Principal to use to log in to remote master")
replica_group.add_option("-w", "--password", dest="password", sensitive=True,
help="Password for the principal"),
parser.add_option_group(replica_group)
master_group = OptionGroup(parser, "on-master options")
master_group.add_option("-R", "--replica", dest="replica",
help="Address of remote replica machine to check against")
parser.add_option_group(master_group)
common_group = OptionGroup(parser, "common options")
common_group.add_option("-c", "--check-ca", dest="check_ca",
action="store_true",
default=False,
help="Check also ports for Certificate Authority "
"(for servers installed before IPA 3.1)")
common_group.add_option("", "--hostname", dest="hostname",
help="The hostname of this server (FQDN). "
"By default a nodename from uname(2) is used.")
parser.add_option_group(common_group)
parser.add_option("-d", "--debug", dest="debug",
action="store_true",
default=False, help="Print debugging information")
parser.add_option("-q", "--quiet", dest="quiet",
action="store_true",
default=False, help="Output only errors")
options, args = parser.parse_args()
safe_options = parser.get_safe_opts(options)
if options.master and options.replica:
parser.error("on-master and on-replica options are mutually exclusive!")
if options.master:
if options.auto_master_check and not options.realm:
parser.error("Realm is parameter is required to connect to remote master!")
if not os.getegid() == 0:
parser.error("You can only run on-replica part as root.")
if options.master and not options.kdc:
options.kdc = options.master
if not options.master and not options.replica:
parser.error("No action: you should select either --replica or --master option.")
if not options.hostname:
options.hostname = socket.getfqdn()
if options.quiet:
global QUIET
QUIET = True
return safe_options, options
def logging_setup(options):
log_file = None
if os.getegid() == 0:
log_file = paths.IPAREPLICA_CONNCHECK_LOG
standard_logging_setup(log_file, debug=options.debug)
def clean_responders(responders):
if not responders:
return
for responder in responders:
responder.stop()
for responder in responders:
responder.join()
responders.remove(responder)
def sigterm_handler(signum, frame):
# do what SIGINT does (raise a KeyboardInterrupt)
sigint_handler = signal.getsignal(signal.SIGINT)
if callable(sigint_handler):
sigint_handler(signum, frame)
def configure_krb5_conf(realm, kdc, filename):
krbconf = ipaclient.ipachangeconf.IPAChangeConf("IPA Installer")
krbconf.setOptionAssignment((" = ", " "))
krbconf.setSectionNameDelimiters(("[","]"))
krbconf.setSubSectionDelimiters(("{","}"))
krbconf.setIndent((""," "," "))
opts = [{'name':'comment', 'type':'comment', 'value':'File created by ipa-replica-conncheck'},
{'name':'empty', 'type':'empty'}]
#[libdefaults]
libdefaults = [{'name':'default_realm', 'type':'option', 'value':realm}]
libdefaults.append({'name':'dns_lookup_realm', 'type':'option', 'value':'false'})
libdefaults.append({'name':'dns_lookup_kdc', 'type':'option', 'value':'true'})
libdefaults.append({'name':'rdns', 'type':'option', 'value':'false'})
libdefaults.append({'name':'ticket_lifetime', 'type':'option', 'value':'24h'})
libdefaults.append({'name':'forwardable', 'type':'option', 'value':'yes'})
opts.append({'name':'libdefaults', 'type':'section', 'value': libdefaults})
opts.append({'name':'empty', 'type':'empty'})
#the following are necessary only if DNS discovery does not work
#[realms]
realms_info =[{'name':'kdc', 'type':'option', 'value':ipautil.format_netloc(kdc, 88)},
{'name':'master_kdc', 'type':'option', 'value':ipautil.format_netloc(kdc, 88)},
{'name':'admin_server', 'type':'option', 'value':ipautil.format_netloc(kdc, 749)}]
realms = [{'name':realm, 'type':'subsection', 'value':realms_info}]
opts.append({'name':'realms', 'type':'section', 'value':realms})
opts.append({'name':'empty', 'type':'empty'})
#[appdefaults]
pamopts = [{'name':'debug', 'type':'option', 'value':'false'},
{'name':'ticket_lifetime', 'type':'option', 'value':'36000'},
{'name':'renew_lifetime', 'type':'option', 'value':'36000'},
{'name':'forwardable', 'type':'option', 'value':'true'},
{'name':'krb4_convert', 'type':'option', 'value':'false'}]
appopts = [{'name':'pam', 'type':'subsection', 'value':pamopts}]
opts.append({'name':'appdefaults', 'type':'section', 'value':appopts})
root_logger.debug("Writing temporary Kerberos configuration to %s:\n%s"
% (filename, krbconf.dump(opts)))
krbconf.newConf(filename, opts)
class PortResponder(threading.Thread):
def __init__(self, port, port_type, socket_timeout=1):
super(PortResponder, self).__init__()
self.port = port
self.port_type = port_type
self.socket_timeout = socket_timeout
self._stop_request = False
def run(self):
while not self._stop_request:
try:
ipautil.bind_port_responder(self.port,
self.port_type,
socket_timeout=self.socket_timeout,
responder_data="FreeIPA")
except socket.timeout:
pass
except socket.error, e:
if e.errno == errno.EADDRINUSE:
time.sleep(1)
else:
raise
def stop(self):
self._stop_request = True
def port_check(host, port_list):
ports_failed = []
ports_udp_warning = [] # conncheck could not verify that port is open
for port in port_list:
try:
port_open = ipautil.host_port_open(host, port.port,
port.port_type, socket_timeout=CONNECT_TIMEOUT)
except socket.gaierror:
raise RuntimeError("Port check failed! Unable to resolve host name '%s'" % host)
if port_open:
result = "OK"
else:
if port.port_type == socket.SOCK_DGRAM:
ports_udp_warning.append(port)
result = "WARNING"
else:
ports_failed.append(port)
result = "FAILED"
print_info(" %s (%d): %s" % (port.description, port.port, result))
if ports_udp_warning:
print "The following UDP ports could not be verified as open: %s" \
% ", ".join(str(port.port) for port in ports_udp_warning)
print "This can happen if they are already bound to an application"
print "and ipa-replica-conncheck cannot attach own UDP responder."
if ports_failed:
msg_ports = []
for port in ports_failed:
port_type_text = "TCP" if port.port_type == SOCK_STREAM else "UDP"
msg_ports.append('%d (%s)' % (port.port, port_type_text))
raise RuntimeError("Port check failed! Inaccessible port(s): %s" \
% ", ".join(msg_ports))
def main():
safe_options, options = parse_options()
logging_setup(options)
root_logger.debug('%s was invoked with options: %s' % (sys.argv[0], safe_options))
root_logger.debug("missing options might be asked for interactively later\n")
root_logger.debug('IPA version %s' % version.VENDOR_VERSION)
signal.signal(signal.SIGTERM, sigterm_handler)
required_ports = BASE_PORTS
if options.check_ca:
# Check old Dogtag CA replication port
# New installs with unified databases use main DS port (checked above)
required_ports.append(CheckedPort(dogtag.Dogtag9Constants.DS_PORT,
SOCK_STREAM, "PKI-CA: Directory Service port"))
if options.replica:
print_info("Check connection from master to remote replica '%s':" % options.replica)
port_check(options.replica, required_ports)
print_info("\nConnection from master to replica is OK.")
# kinit to foreign master
if options.master:
# check ports on master first
print_info("Check connection from replica to remote master '%s':" % options.master)
tcp_ports = [ port for port in required_ports if port.port_type == SOCK_STREAM ]
udp_ports = [ port for port in required_ports if port.port_type == SOCK_DGRAM ]
port_check(options.master, tcp_ports)
if udp_ports:
print_info("\nThe following list of ports use UDP protocol and would need to be")
print_info("checked manually:")
for port in udp_ports:
result = "SKIPPED"
print_info(" %s (%d): %s" % (port.description, port.port, result))
print_info("\nConnection from replica to master is OK.")
# create listeners
global RESPONDERS
print_info("Start listening on required ports for remote master check")
for port in required_ports:
root_logger.debug("Start listening on port %d (%s)" % (port.port, port.description))
responder = PortResponder(port.port, port.port_type)
responder.start()
RESPONDERS.append(responder)
remote_check_opts = ['--replica %s' % options.hostname]
if options.auto_master_check:
(krb_fd, krb_name) = tempfile.mkstemp()
os.close(krb_fd)
configure_krb5_conf(options.realm, options.kdc, krb_name)
global KRB5_CONFIG
KRB5_CONFIG = krb_name
print_info("Get credentials to log in to remote master")
if options.principal.find('@') == -1:
principal = '%s@%s' % (options.principal, options.realm)
user = options.principal
else:
principal = options.principal
user = options.principal.partition('@')[0]
if options.password:
password=options.password
else:
password = installutils.read_password(principal, confirm=False,
validate=False, retry=False)
if password is None:
sys.exit("Principal password required")
stderr=''
(stdout, stderr, returncode) = ipautil.run([paths.KINIT, principal],
env={'KRB5_CONFIG':KRB5_CONFIG, 'KRB5CCNAME':CCACHE_FILE},
stdin=password, raiseonerr=False)
if returncode != 0:
raise RuntimeError("Cannot acquire Kerberos ticket: %s" % stderr)
# Verify kinit was actually successful
stderr=''
(stdout, stderr, returncode) = ipautil.run([paths.BIN_KVNO,
'host/%s' % options.master],
env={'KRB5_CONFIG':KRB5_CONFIG, 'KRB5CCNAME':CCACHE_FILE},
raiseonerr=False)
if returncode != 0:
raise RuntimeError("Could not get ticket for master server: %s" % stderr)
ssh = SshExec(user, options.master)
print_info("Check SSH connection to remote master")
stdout, stderr, returncode = ssh('echo OK', verbose=True)
if returncode != 0:
print 'Could not SSH into remote host. Error output:'
for line in stderr.splitlines():
print ' %s' % line
raise RuntimeError('Could not SSH to remote host.')
print_info("Execute check on remote master")
stdout, stderr, returncode = ssh(
"/usr/sbin/ipa-replica-conncheck " +
" ".join(remote_check_opts))
print_info(stdout)
if returncode != 0:
raise RuntimeError("Remote master check failed with following error message(s):\n%s" % stderr)
else:
# wait until user test is ready
print_info("Listeners are started. Use CTRL+C to terminate the listening part after the test.")
print_info("")
print_info("Please run the following command on remote master:")
print_info("/usr/sbin/ipa-replica-conncheck " + " ".join(remote_check_opts))
time.sleep(3600)
print_info("Connection check timeout: terminating listening program")
if __name__ == "__main__":
try:
sys.exit(main())
except SystemExit, e:
sys.exit(e)
except KeyboardInterrupt:
print_info("\nCleaning up...")
sys.exit(1)
except RuntimeError, e:
sys.exit(e)
finally:
clean_responders(RESPONDERS)
for file_name in (CCACHE_FILE, KRB5_CONFIG):
if file_name:
try:
os.remove(file_name)
except OSError:
pass

661
install/tools/ipa-replica-conncheck.in Normal file
View File

@@ -0,0 +1,661 @@
#!/usr/bin/python3
# Authors: Martin Kosek <mkosek@redhat.com>
#
# Copyright (C) 2011 Red Hat
# see file 'COPYING' for use and warranty information
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
from __future__ import print_function
import logging
from ipapython import ipachangeconf
from ipapython.config import IPAOptionParser
from ipapython.dn import DN
from ipapython import version
from ipapython import ipautil, certdb
from ipalib import api, errors, x509
from ipaserver.install import installutils
# pylint: disable=deprecated-module
from optparse import OptionGroup, OptionValueError
# pylint: enable=deprecated-module
from ipapython.ipa_log_manager import standard_logging_setup
import copy
import sys
import os
import signal
import tempfile
import select
import socket
import time
import threading
import traceback
from socket import SOCK_STREAM, SOCK_DGRAM
import distutils.spawn
from ipaplatform.paths import paths
import gssapi
logger = logging.getLogger(os.path.basename(__file__))
CONNECT_TIMEOUT = 5
RESPONDER = None
QUIET = False
CCACHE_FILE = None
KRB5_CONFIG = None
class SshExec:
def __init__(self, user, addr):
self.user = user
self.addr = addr
self.cmd = distutils.spawn.find_executable('ssh')
# Bail if ssh is not installed
if self.cmd is None:
raise RuntimeError("ssh not installed")
def __call__(self, command, verbose=False):
tmpf = tempfile.NamedTemporaryFile()
cmd = [
self.cmd,
'-o StrictHostKeychecking=no',
'-o UserKnownHostsFile=%s' % tmpf.name,
'-o GSSAPIAuthentication=yes',
'-o User=%s' % self.user,
'%s' % self.addr,
command
]
if verbose:
cmd.insert(1, '-v')
env = dict()
if KRB5_CONFIG is not None:
env['KRB5_CONFIG'] = KRB5_CONFIG
elif 'KRB5_CONFIG' in os.environ:
env['KRB5_CONFIG'] = os.environ['KRB5_CONFIG']
if CCACHE_FILE is not None:
env['KRB5CCNAME'] = CCACHE_FILE
elif 'KRB5CCNAME' in os.environ:
env['KRB5CCNAME'] = os.environ['KRB5CCNAME']
return ipautil.run(cmd, env=env, raiseonerr=False,
capture_output=True, capture_error=True)
class CheckedPort:
def __init__(self, port, port_type, description):
self.port = port
self.port_type = port_type
self.description = description
BASE_PORTS = [
CheckedPort(389, SOCK_STREAM, "Directory Service: Unsecure port"),
CheckedPort(636, SOCK_STREAM, "Directory Service: Secure port"),
CheckedPort(88, SOCK_STREAM, "Kerberos KDC: TCP"),
CheckedPort(88, SOCK_DGRAM, "Kerberos KDC: UDP"),
CheckedPort(464, SOCK_STREAM, "Kerberos Kpasswd: TCP"),
CheckedPort(464, SOCK_DGRAM, "Kerberos Kpasswd: UDP"),
CheckedPort(80, SOCK_STREAM, "HTTP Server: Unsecure port"),
CheckedPort(443, SOCK_STREAM, "HTTP Server: Secure port"),
]
def parse_options():
def ca_cert_file_callback(option, opt, value, parser):
if not os.path.exists(value):
raise OptionValueError(
"%s option '%s' does not exist" % (opt, value))
if not os.path.isfile(value):
raise OptionValueError(
"%s option '%s' is not a file" % (opt, value))
if not os.path.isabs(value):
raise OptionValueError(
"%s option '%s' is not an absolute file path" % (opt, value))
try:
x509.load_certificate_list_from_file(value)
except Exception:
raise OptionValueError(
"%s option '%s' is not a valid certificate file" %
(opt, value))
parser.values.ca_cert_file = value
parser = IPAOptionParser(version=version.VERSION)
replica_group = OptionGroup(parser, "on-replica options")
replica_group.add_option("-m", "--master", dest="master",
help="Master address with running IPA for output connection check")
replica_group.add_option("-a", "--auto-master-check", dest="auto_master_check",
action="store_true",
default=False,
help="Automatically execute connection check on master")
replica_group.add_option("-r", "--realm", dest="realm",
help="Realm name")
replica_group.add_option("-k", "--kdc", dest="kdc",
help="Master KDC. Defaults to master address")
replica_group.add_option("-p", "--principal", dest="principal",
default=None, help="Principal to use to log in to remote master")
replica_group.add_option("-w", "--password", dest="password", sensitive=True,
help="Password for the principal")
replica_group.add_option("--ca-cert-file", dest="ca_cert_file",
type="string", action="callback",
callback=ca_cert_file_callback,
help="load the CA certificate from this file")
parser.add_option_group(replica_group)
master_group = OptionGroup(parser, "on-master options")
master_group.add_option("-R", "--replica", dest="replica",
help="Address of remote replica machine to check against")
parser.add_option_group(master_group)
common_group = OptionGroup(parser, "common options")
common_group.add_option("-c", "--check-ca", dest="check_ca",
action="store_true",
default=False,
help="Check also ports for Certificate Authority "
"(for servers installed before IPA 3.1)")
common_group.add_option("", "--hostname", dest="hostname",
help="The hostname of this server (FQDN). "
"By default the result of getfqdn() call from "
"Python's socket module is used.")
parser.add_option_group(common_group)
parser.add_option("-d", "--debug", dest="debug",
action="store_true",
default=False, help="Print debugging information")
parser.add_option("-q", "--quiet", dest="quiet",
action="store_true",
default=False, help="Output only errors")
parser.add_option("--no-log", dest="log_to_file", action="store_false",
default=True, help="Do not log into file")
options, _args = parser.parse_args()
safe_options = parser.get_safe_opts(options)
if options.master and options.replica:
parser.error("on-master and on-replica options are mutually exclusive!")
if options.master:
if options.auto_master_check and not options.realm:
parser.error("Realm is parameter is required to connect to remote master!")
if not os.getegid() == 0:
parser.error("You can only run on-replica part as root.")
if options.master and not options.kdc:
options.kdc = options.master
if not options.master and not options.replica:
parser.error("No action: you should select either --replica or --master option.")
if not options.hostname:
options.hostname = socket.getfqdn()
return safe_options, options
def logging_setup(options):
log_file = None
if os.getegid() == 0 and options.log_to_file:
log_file = paths.IPAREPLICA_CONNCHECK_LOG
standard_logging_setup(log_file, verbose=(not options.quiet),
debug=options.debug, console_format='%(message)s')
def sigterm_handler(signum, frame):
# do what SIGINT does (raise a KeyboardInterrupt)
sigint_handler = signal.getsignal(signal.SIGINT)
if callable(sigint_handler):
sigint_handler(signum, frame)
def configure_krb5_conf(realm, kdc, filename):
krbconf = ipachangeconf.IPAChangeConf("IPA Installer")
krbconf.setOptionAssignment((" = ", " "))
krbconf.setSectionNameDelimiters(("[","]"))
krbconf.setSubSectionDelimiters(("{","}"))
krbconf.setIndent((""," "," "))
opts = [{'name':'comment', 'type':'comment', 'value':'File created by ipa-replica-conncheck'},
{'name':'empty', 'type':'empty'}]
#[libdefaults]
libdefaults = [{'name':'default_realm', 'type':'option', 'value':realm}]
libdefaults.append({'name':'dns_lookup_realm', 'type':'option', 'value':'false'})
libdefaults.append({'name':'dns_lookup_kdc', 'type':'option', 'value':'true'})
libdefaults.append({'name':'rdns', 'type':'option', 'value':'false'})
libdefaults.append({'name':'ticket_lifetime', 'type':'option', 'value':'24h'})
libdefaults.append({'name':'forwardable', 'type':'option', 'value':'true'})
libdefaults.append({'name':'udp_preference_limit', 'type':'option', 'value':'0'})
opts.append({'name':'libdefaults', 'type':'section', 'value': libdefaults})
opts.append({'name':'empty', 'type':'empty'})
#the following are necessary only if DNS discovery does not work
#[realms]
realms_info =[{'name':'kdc', 'type':'option', 'value':ipautil.format_netloc(kdc, 88)},
{'name':'master_kdc', 'type':'option', 'value':ipautil.format_netloc(kdc, 88)},
{'name':'admin_server', 'type':'option', 'value':ipautil.format_netloc(kdc, 749)}]
realms = [{'name':realm, 'type':'subsection', 'value':realms_info}]
opts.append({'name':'realms', 'type':'section', 'value':realms})
opts.append({'name':'empty', 'type':'empty'})
#[appdefaults]
pamopts = [{'name':'debug', 'type':'option', 'value':'false'},
{'name':'ticket_lifetime', 'type':'option', 'value':'36000'},
{'name':'renew_lifetime', 'type':'option', 'value':'36000'},
{'name':'forwardable', 'type':'option', 'value':'true'},
{'name':'krb4_convert', 'type':'option', 'value':'false'}]
appopts = [{'name':'pam', 'type':'subsection', 'value':pamopts}]
opts.append({'name':'appdefaults', 'type':'section', 'value':appopts})
logger.debug("Writing temporary Kerberos configuration to %s:\n%s",
filename, krbconf.dump(opts))
krbconf.newConf(filename, opts)
class PortResponder(threading.Thread):
PROTO = {socket.SOCK_STREAM: 'tcp',
socket.SOCK_DGRAM: 'udp'}
def __init__(self, ports):
"""
ports: a list of CheckedPort
"""
super(PortResponder, self).__init__()
# copy ports to avoid the need to synchronize it between threads
self.ports = copy.deepcopy(ports)
self._sockets = []
self._close = False
self._close_lock = threading.Lock()
self.responder_data = b'FreeIPA'
self.ports_opened = False
self.ports_open_cond = threading.Condition()
def run(self):
logger.debug('Starting listening thread.')
for port in self.ports:
self._bind_to_port(port.port, port.port_type)
with self.ports_open_cond:
self.ports_opened = True
logger.debug('Ports opened, notify original thread')
self.ports_open_cond.notify()
while not self._is_closing():
ready_socks, _socks1, _socks2 = select.select(
self._sockets, [], [], 1)
if ready_socks:
ready_sock = ready_socks[0]
self._respond(ready_sock)
for sock in self._sockets:
port = sock.getsockname()[1]
proto = PortResponder.PROTO[sock.type]
sock.close()
logger.debug('%d %s: Stopped listening', port, proto)
def _is_closing(self):
with self._close_lock: # pylint: disable=not-context-manager
return self._close
def _bind_to_port(self, port, socket_type):
# Use IPv6 socket as it is able to accept both IPv6 and IPv4
# connections. Since IPv6 kernel module is required by other
# parts of IPA, it should always be available.
family = socket.AF_INET6
host = '::' # all available interfaces
proto = PortResponder.PROTO[socket_type]
try:
sock = socket.socket(family, socket_type)
# Make sure IPv4 clients can connect to IPv6 socket
sock.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_V6ONLY, 0)
if socket_type == socket.SOCK_STREAM:
sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
sock.bind((host, port))
if socket_type == socket.SOCK_STREAM:
# There might be a delay before accepting the connection,
# because a single thread is used to handle all the
# connections. Thus a backlog size of at least 1 is needed.
sock.listen(1)
logger.debug('%d %s: Started listening', port, proto)
except socket.error:
logger.warning('%d %s: Failed to bind', port, proto)
logger.debug("%s", traceback.format_exc())
else:
self._sockets.append(sock)
def _respond(self, sock):
port = sock.getsockname()[1]
if sock.type == socket.SOCK_STREAM:
connection, addr = sock.accept()
try:
connection.sendall(self.responder_data)
logger.debug('%d tcp: Responded to %s', port, addr[0])
finally:
connection.close()
elif sock.type == socket.SOCK_DGRAM:
_data, addr = sock.recvfrom(1)
sock.sendto(self.responder_data, addr)
logger.debug('%d udp: Responded to %s', port, addr[0])
def stop(self):
logger.debug('Stopping listening thread.')
with self._close_lock: # pylint: disable=not-context-manager
self._close = True
def port_check(host, port_list):
ports_failed = []
ports_udp_warning = [] # conncheck could not verify that port is open
log_level = {
SOCK_DGRAM: logging.WARNING,
SOCK_STREAM: logging.ERROR
}
for port in port_list:
try:
port_open = ipautil.host_port_open(
host, port.port, port.port_type,
socket_timeout=CONNECT_TIMEOUT, log_errors=True,
log_level=log_level[port.port_type])
except socket.gaierror:
raise RuntimeError("Port check failed! Unable to resolve host name '%s'" % host)
if port_open:
result = "OK"
else:
if port.port_type == socket.SOCK_DGRAM:
ports_udp_warning.append(port)
result = "WARNING"
else:
ports_failed.append(port)
result = "FAILED"
logger.info(" %s (%d): %s", port.description, port.port, result)
if ports_udp_warning:
logger.warning(
("The following UDP ports could not be verified as open: %s\n"
"This can happen if they are already bound to an application\n"
"and ipa-replica-conncheck cannot attach own UDP responder."),
", ".join(str(port.port) for port in ports_udp_warning))
if ports_failed:
msg_ports = []
for port in ports_failed:
port_type_text = "TCP" if port.port_type == SOCK_STREAM else "UDP"
msg_ports.append('%d (%s)' % (port.port, port_type_text))
raise RuntimeError("Port check failed! Inaccessible port(s): %s" \
% ", ".join(msg_ports))
def main():
global RESPONDER
safe_options, options = parse_options()
logging_setup(options)
logger.debug('%s was invoked with options: %s', sys.argv[0], safe_options)
logger.debug("missing options might be asked for interactively later\n")
logger.debug('IPA version %s', version.VENDOR_VERSION)
signal.signal(signal.SIGTERM, sigterm_handler)
required_ports = BASE_PORTS
if options.check_ca:
# Check old Dogtag CA replication port
# New installs with unified databases use main DS port (checked above)
required_ports.append(CheckedPort(7389, SOCK_STREAM,
"PKI-CA: Directory Service port"))
if options.replica:
logger.info("Check connection from master to remote replica '%s':",
options.replica)
port_check(options.replica, required_ports)
logger.info("\nConnection from master to replica is OK.")
# kinit to foreign master
if options.master:
# check ports on master first
logger.info("Check connection from replica to remote master '%s':",
options.master)
tcp_ports = [ port for port in required_ports if port.port_type == SOCK_STREAM ]
udp_ports = [ port for port in required_ports if port.port_type == SOCK_DGRAM ]
port_check(options.master, tcp_ports)
if udp_ports:
logger.info("\nThe following list of ports use UDP protocol "
"and would need to be\n"
"checked manually:")
for port in udp_ports:
result = "SKIPPED"
logger.info(" %s (%d): %s",
port.description, port.port, result)
logger.info("\nConnection from replica to master is OK.")
# create listeners
logger.info("Start listening on required ports for remote "
"master check")
RESPONDER = PortResponder(required_ports)
RESPONDER.start()
with RESPONDER.ports_open_cond:
if not RESPONDER.ports_opened:
logger.debug('Original thread stopped')
RESPONDER.ports_open_cond.wait()
logger.debug('Original thread resumed')
remote_check_opts = ['--replica %s' % options.hostname]
if options.auto_master_check:
logger.info("Get credentials to log in to remote master")
cred = None
if options.principal is None:
# Check if ccache is available
try:
logger.debug('KRB5CCNAME set to %s',
os.environ.get('KRB5CCNAME', None))
# get default creds, will raise if none found
cred = gssapi.creds.Credentials()
principal = str(cred.name)
except gssapi.raw.misc.GSSError as e:
logger.debug('Failed to find default ccache: %s', e)
# Use admin as the default principal
principal = "admin"
else:
principal = options.principal
if cred is None:
(krb_fd, krb_name) = tempfile.mkstemp()
os.close(krb_fd)
configure_krb5_conf(options.realm, options.kdc, krb_name)
global KRB5_CONFIG
KRB5_CONFIG = krb_name
(ccache_fd, ccache_name) = tempfile.mkstemp()
os.close(ccache_fd)
global CCACHE_FILE
CCACHE_FILE = ccache_name
if principal.find('@') == -1:
principal = '%s@%s' % (principal, options.realm)
if options.password:
password=options.password
else:
password = installutils.read_password(principal, confirm=False,
validate=False, retry=False)
if password is None:
sys.exit("Principal password required")
result = ipautil.run([paths.KINIT, principal],
env={'KRB5_CONFIG':KRB5_CONFIG, 'KRB5CCNAME':CCACHE_FILE},
stdin=password, raiseonerr=False, capture_error=True)
if result.returncode != 0:
raise RuntimeError("Cannot acquire Kerberos ticket: %s" %
result.error_output)
# Verify kinit was actually successful
result = ipautil.run([paths.BIN_KVNO,
'host/%s' % options.master],
env={'KRB5_CONFIG':KRB5_CONFIG, 'KRB5CCNAME':CCACHE_FILE},
raiseonerr=False, capture_error=True)
if result.returncode != 0:
raise RuntimeError("Could not get ticket for master server: %s" %
result.error_output)
# Now that the cred cache file is initialized,
# use it for the IPA API calls
os.environ['KRB5CCNAME'] = CCACHE_FILE
try:
logger.info("Check RPC connection to remote master")
xmlrpc_uri = ('https://%s/ipa/xml' %
ipautil.format_netloc(options.master))
if options.ca_cert_file:
nss_dir = None
else:
nss_dir = paths.IPA_NSSDB_DIR
with certdb.NSSDatabase(nss_dir) as nss_db:
if options.ca_cert_file:
nss_db.create_db()
ca_certs = x509.load_certificate_list_from_file(
options.ca_cert_file)
for ca_cert in ca_certs:
nss_db.add_cert(
ca_cert,
str(DN(ca_cert.subject)),
certdb.EXTERNAL_CA_TRUST_FLAGS)
api.bootstrap(context='client',
confdir=paths.ETC_IPA,
xmlrpc_uri=xmlrpc_uri,
nss_dir=nss_db.secdir)
api.finalize()
try:
api.Backend.rpcclient.connect()
api.Command.ping()
except Exception as e:
logger.info(
"Could not connect to the remote host: %s", e)
raise
logger.info("Execute check on remote master")
try:
result = api.Backend.rpcclient.forward(
'server_conncheck',
ipautil.fsdecode(options.master),
ipautil.fsdecode(options.hostname),
version=u'2.162',
)
except (errors.CommandError, errors.NetworkError) as e:
logger.info(
"Remote master does not support check over RPC: "
"%s", e)
raise
except errors.PublicError as e:
returncode = 1
stderr = e
else:
for message in result['messages']:
logger.info('%s', message['message'])
returncode = int(not result['result'])
stderr = ("ipa-replica-conncheck returned non-zero "
"exit code")
finally:
if api.Backend.rpcclient.isconnected():
api.Backend.rpcclient.disconnect()
except Exception as e:
logger.debug("RPC connection failed: %s", e)
logger.info("Retrying using SSH...")
# Ticket 5812 Always qualify requests for admin
user = principal
try:
ssh = SshExec(user, options.master)
except RuntimeError as e:
logger.warning("WARNING: %s, skipping ssh test", e)
return 0
logger.info("Check SSH connection to remote master")
result = ssh('echo OK', verbose=True)
if result.returncode != 0:
logger.debug('%s', result.error_output)
raise RuntimeError(
'Could not SSH to remote host.\n'
'See /var/log/ipareplica-conncheck.log for more '
'information.')
logger.info("Execute check on remote master")
result = ssh(
"/usr/sbin/ipa-replica-conncheck " +
" ".join(remote_check_opts))
returncode = result.returncode
stderr = result.error_output
logger.info('%s', result.output)
if returncode != 0:
raise RuntimeError(
"Remote master check failed with following "
"error message(s):\n%s" % stderr)
else:
# wait until user test is ready
logger.info(
"Listeners are started. Use CTRL+C to terminate the listening "
"part after the test.\n\n"
"Please run the following command on remote master:\n"
"/usr/sbin/ipa-replica-conncheck %s",
" ".join(remote_check_opts))
time.sleep(3600)
logger.info(
"Connection check timeout: terminating listening program")
return 0
if __name__ == "__main__":
try:
sys.exit(main())
except KeyboardInterrupt:
logger.info("\nCleaning up...")
sys.exit(1)
except RuntimeError as e:
logger.error('ERROR: %s', e)
sys.exit(1)
finally:
if RESPONDER is not None:
RESPONDER.stop()
RESPONDER.join()
for file_name in (CCACHE_FILE, KRB5_CONFIG):
if file_name:
try:
os.remove(file_name)
except OSError:
pass

775
install/tools/ipa-replica-install
View File

@@ -1,775 +0,0 @@
#! /usr/bin/python2 -E
# Authors: Karl MacMillan <kmacmillan@mentalrootkit.com>
#
# Copyright (C) 2007 Red Hat
# see file 'COPYING' for use and warranty information
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
import sys
import socket
import os, pwd, shutil
from optparse import OptionGroup
from contextlib import contextmanager
import dns.resolver
import dns.reversename
import dns.exception
from ipapython import ipautil
from ipaserver.install import dsinstance, installutils, krbinstance, service
from ipaserver.install import bindinstance, httpinstance, ntpinstance
from ipaserver.install import memcacheinstance
from ipaserver.install import otpdinstance
from ipaserver.install.replication import replica_conn_check, ReplicationManager
from ipaserver.install.installutils import (ReplicaConfig, expand_replica_info,
read_replica_info, get_host_name, BadHostError, private_ccache,
read_replica_info_dogtag_port)
from ipaserver.plugins.ldap2 import ldap2
from ipaserver.install import cainstance
from ipalib import api, errors, util
from ipalib.constants import CACERT
from ipapython import version
from ipapython.config import IPAOptionParser
from ipapython import sysrestore
from ipapython.ipa_log_manager import *
from ipapython import dogtag
from ipapython.dn import DN
import ipaclient.ntpconf
from ipaplatform.tasks import tasks
from ipaplatform import services
from ipaplatform.paths import paths
log_file_name = paths.IPAREPLICA_INSTALL_LOG
REPLICA_INFO_TOP_DIR = None
DIRMAN_DN = DN(('cn', 'directory manager'))
def parse_options():
usage = "%prog [options] REPLICA_FILE"
parser = IPAOptionParser(usage=usage, version=version.VERSION)
basic_group = OptionGroup(parser, "basic options")
basic_group.add_option("--setup-ca", dest="setup_ca", action="store_true",
default=False, help="configure a dogtag CA")
basic_group.add_option("--ip-address", dest="ip_address",
type="ip", ip_local=True,
help="Replica server IP Address")
basic_group.add_option("-p", "--password", dest="password", sensitive=True,
help="Directory Manager (existing master) password")
basic_group.add_option("-w", "--admin-password", dest="admin_password", sensitive=True,
help="Admin user Kerberos password used for connection check")
basic_group.add_option("--mkhomedir",
dest="mkhomedir",
action="store_true",
default=False,
help="create home directories for users "
"on their first login")
basic_group.add_option("-N", "--no-ntp", dest="conf_ntp", action="store_false",
help="do not configure ntp", default=True)
basic_group.add_option("--no-ui-redirect", dest="ui_redirect", action="store_false",
default=True, help="Do not automatically redirect to the Web UI")
basic_group.add_option("--ssh-trust-dns", dest="trust_sshfp", default=False, action="store_true",
help="configure OpenSSH client to trust DNS SSHFP records")
basic_group.add_option("--no-ssh", dest="conf_ssh", default=True, action="store_false",
help="do not configure OpenSSH client")
basic_group.add_option("--no-sshd", dest="conf_sshd", default=True, action="store_false",
help="do not configure OpenSSH server")
basic_group.add_option("--skip-conncheck", dest="skip_conncheck", action="store_true",
default=False, help="skip connection check to remote master")
basic_group.add_option("-d", "--debug", dest="debug", action="store_true",
default=False, help="gather extra debugging information")
basic_group.add_option("-U", "--unattended", dest="unattended", action="store_true",
default=False, help="unattended installation never prompts the user")
parser.add_option_group(basic_group)
cert_group = OptionGroup(parser, "certificate system options")
cert_group.add_option("--no-pkinit", dest="setup_pkinit", action="store_false",
default=True, help="disables pkinit setup steps")
cert_group.add_option("--skip-schema-check", dest="skip_schema_check", action="store_true",
default=False, help="skip check for updated CA DS schema on the remote master")
parser.add_option_group(cert_group)
dns_group = OptionGroup(parser, "DNS options")
dns_group.add_option("--setup-dns", dest="setup_dns", action="store_true",
default=False, help="configure bind with our zone")
dns_group.add_option("--forwarder", dest="forwarders", action="append",
type="ip", help="Add a DNS forwarder")
dns_group.add_option("--no-forwarders", dest="no_forwarders", action="store_true",
default=False, help="Do not add any DNS forwarders, use root servers instead")
dns_group.add_option("--reverse-zone", dest="reverse_zone", help="The reverse DNS zone to use")
dns_group.add_option("--no-reverse", dest="no_reverse", action="store_true",
default=False, help="Do not create new reverse DNS zone")
dns_group.add_option("--no-host-dns", dest="no_host_dns", action="store_true",
default=False,
help="Do not use DNS for hostname lookup during installation")
dns_group.add_option("--no-dns-sshfp", dest="create_sshfp", default=True, action="store_false",
help="do not automatically create DNS SSHFP records")
parser.add_option_group(dns_group)
options, args = parser.parse_args()
safe_options = parser.get_safe_opts(options)
if len(args) != 1:
parser.error("you must provide a file generated by ipa-replica-prepare")
if not options.setup_dns:
if options.forwarders:
parser.error("You cannot specify a --forwarder option without the --setup-dns option")
if options.no_forwarders:
parser.error("You cannot specify a --no-forwarders option without the --setup-dns option")
if options.reverse_zone:
parser.error("You cannot specify a --reverse-zone option without the --setup-dns option")
if options.no_reverse:
parser.error("You cannot specify a --no-reverse option without the --setup-dns option")
elif options.forwarders and options.no_forwarders:
parser.error("You cannot specify a --forwarder option together with --no-forwarders")
elif not options.forwarders and not options.no_forwarders:
parser.error("You must specify at least one --forwarder option or --no-forwarders option")
elif options.reverse_zone and options.no_reverse:
parser.error("You cannot specify a --reverse-zone option together with --no-reverse")
return safe_options, options, args[0]
def get_dirman_password():
return installutils.read_password("Directory Manager (existing master)", confirm=False, validate=False)
def set_owner(config, dir):
pw = pwd.getpwnam(dsinstance.DS_USER)
os.chown(dir, pw.pw_uid, pw.pw_gid)
def make_pkcs12_info(directory, cert_name, password_name):
"""Make pkcs12_info
:param directory: Base directory (config.dir)
:param cert_name: Cert filename (e.g. "dscert.p12")
:param password_name: Cert filename (e.g. "dirsrv_pin.txt")
:return: a (full cert path, password) tuple, or None if cert is not found
"""
cert_path = os.path.join(directory, cert_name)
if ipautil.file_exists(cert_path):
password_file = os.path.join(directory, password_name)
password = open(password_file).read().strip()
return cert_path, password
else:
return None
def install_replica_ds(config):
dsinstance.check_ports()
# if we have a pkcs12 file, create the cert db from
# that. Otherwise the ds setup will create the CA
# cert
pkcs12_info = make_pkcs12_info(config.dir, "dscert.p12", "dirsrv_pin.txt")
ds = dsinstance.DsInstance()
ds.create_replica(
realm_name=config.realm_name,
master_fqdn=config.master_host_name,
fqdn=config.host_name,
domain_name=config.domain_name,
dm_password=config.dirman_password,
subject_base=config.subject_base,
pkcs12_info=pkcs12_info,
ca_is_configured=ipautil.file_exists(config.dir + "/cacert.p12"),
ca_file=config.dir + "/ca.crt",
)
return ds
def install_krb(config, setup_pkinit=False):
krb = krbinstance.KrbInstance()
#pkinit files
pkcs12_info = make_pkcs12_info(config.dir, "pkinitcert.p12",
"pkinit_pin.txt")
krb.create_replica(config.realm_name,
config.master_host_name, config.host_name,
config.domain_name, config.dirman_password,
setup_pkinit, pkcs12_info)
return krb
def install_ca_cert(config):
cafile = config.dir + "/ca.crt"
if not ipautil.file_exists(cafile):
raise RuntimeError("Ca cert file is not available")
try:
shutil.copy(cafile, CACERT)
os.chmod(CACERT, 0444)
except Exception, e:
print "error copying files: " + str(e)
sys.exit(1)
def install_http(config, auto_redirect):
# if we have a pkcs12 file, create the cert db from
# that. Otherwise the ds setup will create the CA
# cert
pkcs12_info = make_pkcs12_info(config.dir, "httpcert.p12", "http_pin.txt")
memcache = memcacheinstance.MemcacheInstance()
memcache.create_instance('MEMCACHE', config.host_name, config.dirman_password, ipautil.realm_to_suffix(config.realm_name))
http = httpinstance.HTTPInstance()
http.create_instance(
config.realm_name, config.host_name, config.domain_name,
config.dirman_password, False, pkcs12_info,
auto_redirect=auto_redirect, ca_file = config.dir + "/ca.crt")
# Now copy the autoconfiguration files
try:
if ipautil.file_exists(config.dir + "/preferences.html"):
shutil.copy(config.dir + "/preferences.html",
paths.PREFERENCES_HTML)
if ipautil.file_exists(config.dir + "/configure.jar"):
shutil.copy(config.dir + "/configure.jar",
paths.CONFIGURE_JAR)
if ipautil.file_exists(config.dir + "/krb.js"):
shutil.copy(config.dir + "/krb.js",
paths.KRB_JS)
shutil.copy(config.dir + "/kerberosauth.xpi",
paths.KERBEROSAUTH_XPI)
except Exception, e:
print "error copying files: " + str(e)
sys.exit(1)
http.setup_firefox_extension(config.realm_name, config.domain_name)
return http
def install_bind(config, options):
api.Backend.ldap2.connect(bind_dn=DIRMAN_DN,
bind_pw=config.dirman_password)
if options.forwarders:
forwarders = options.forwarders
else:
forwarders = ()
bind = bindinstance.BindInstance(dm_password=config.dirman_password)
if options.reverse_zone:
if not bindinstance.verify_reverse_zone(options.reverse_zone, config.ip):
sys.exit(1)
reverse_zone = bindinstance.normalize_zone(options.reverse_zone)
else:
reverse_zone = bindinstance.find_reverse_zone(config.ip)
if reverse_zone is None and not options.no_reverse:
reverse_zone = util.get_reverse_zone_default(config.ip)
if not options.unattended and bindinstance.create_reverse():
reverse_zone = bindinstance.read_reverse_zone(reverse_zone, config.ip)
if reverse_zone is not None:
print "Using reverse zone %s" % reverse_zone
bind.setup(config.host_name, config.ip_address, config.realm_name,
config.domain_name, forwarders, options.conf_ntp, reverse_zone,
ca_configured=options.setup_ca)
bind.create_instance()
print ""
bind.check_global_configuration()
print ""
@contextmanager
def temporary_ldap2_connection(host_name, bind_pw, bind_dn=DIRMAN_DN):
"""Context in which the ldap2 backend is connected to the given host
When the context is entered, forcefully change the ldap2's URI and connect
with the given password.
When it's exited, disconnect and restore ldap2 to previous configuration.
Needed to use the standard IPA tools on the remote master, before the
DS on localhost is installed.
"""
# TODO: We shouldn't have to resort to such hacks
cur_uri = api.Backend.ldap2.ldap_uri
# ldap2 is finalized at this point, so use __setattr__ directly
object.__setattr__(api.Backend.ldap2, 'ldap_uri',
'ldaps://%s' % ipautil.format_netloc(host_name))
api.Backend.ldap2.connect(bind_dn=DIRMAN_DN, bind_pw=bind_pw,
tls_cacertfile=CACERT)
yield
api.Backend.ldap2.disconnect()
#set it back to the default
object.__setattr__(api.Backend.ldap2, 'ldap_uri', cur_uri)
def install_dns_records(config, options):
if not bindinstance.dns_container_exists(config.master_host_name,
ipautil.realm_to_suffix(config.realm_name),
dm_password=config.dirman_password):
return
# We have to force to connect to the remote master because we do this step
# before our DS server is installed.
with temporary_ldap2_connection(
config.master_host_name, config.dirman_password):
try:
bind = bindinstance.BindInstance(dm_password=config.dirman_password)
reverse_zone = bindinstance.find_reverse_zone(config.ip)
bind.add_master_dns_records(config.host_name, config.ip_address,
config.realm_name, config.domain_name,
reverse_zone, options.conf_ntp,
options.setup_ca)
except errors.NotFound, e:
root_logger.debug('Replica DNS records could not be added '
'on master: %s', str(e))
# we should not fail here no matter what
except Exception, e:
root_logger.info('Replica DNS records could not be added '
'on master: %s', str(e))
def check_dirsrv():
(ds_unsecure, ds_secure) = dsinstance.check_ports()
if not ds_unsecure or not ds_secure:
print "IPA requires ports 389 and 636 for the Directory Server."
print "These are currently in use:"
if not ds_unsecure:
print "\t389"
if not ds_secure:
print "\t636"
sys.exit(1)
def check_bind():
if not bindinstance.check_inst(unattended=True):
print "Aborting installation"
sys.exit(1)
def check_dns_resolution(host_name, dns_servers):
"""Check forward and reverse resolution of host_name using dns_servers
"""
# Point the resolver at specified DNS server
server_ips = []
for dns_server in dns_servers:
try:
server_ips = list(
a[4][0] for a in socket.getaddrinfo(dns_server, None))
except socket.error:
pass
else:
break
if not server_ips:
root_logger.error(
'Could not resolve any DNS server hostname: %s', dns_servers)
return False
resolver = dns.resolver.Resolver()
resolver.nameservers = server_ips
root_logger.debug('Search DNS server %s (%s) for %s',
dns_server, server_ips, host_name)
# Get IP addresses of host_name
addresses = set()
for rtype in 'A', 'AAAA':
try:
result = resolver.query(host_name, rtype)
except dns.exception.DNSException:
rrset = []
else:
rrset = result.rrset
if rrset:
addresses.update(r.address for r in result.rrset)
if not addresses:
root_logger.error(
'Could not resolve hostname %s using DNS. '
'Clients may not function properly. '
'Please check your DNS setup. '
'(Note that this check queries IPA DNS directly and '
'ignores /etc/hosts.)',
host_name)
return False
no_errors = True
# Check each of the IP addresses
checked = set()
for address in addresses:
if address in checked:
continue
checked.add(address)
try:
root_logger.debug('Check reverse address %s (%s)',
address, host_name)
revname = dns.reversename.from_address(address)
rrset = resolver.query(revname, 'PTR').rrset
except Exception, e:
root_logger.debug('Check failed: %s %s', type(e).__name__, e)
root_logger.error(
'Reverse DNS resolution of address %s (%s) failed. '
'Clients may not function properly. '
'Please check your DNS setup. '
'(Note that this check queries IPA DNS directly and '
'ignores /etc/hosts.)',
address, host_name)
no_errors = False
else:
host_name_obj = dns.name.from_text(host_name)
if rrset:
names = [r.target.to_text() for r in rrset]
else:
names = []
root_logger.debug(
'Address %s resolves to: %s. ', address, ', '.join(names))
if not rrset or not any(
r.target == host_name_obj for r in rrset):
root_logger.error(
'The IP address %s of host %s resolves to: %s. '
'Clients may not function properly. '
'Please check your DNS setup. '
'(Note that this check queries IPA DNS directly and '
'ignores /etc/hosts.)',
address, host_name, ', '.join(names))
no_errors = False
return no_errors
def main():
tasks.check_selinux_status()
safe_options, options, filename = parse_options()
if os.geteuid() != 0:
sys.exit("\nYou must be root to run this script.\n")
standard_logging_setup(log_file_name, debug=options.debug)
root_logger.debug('%s was invoked with argument "%s" and options: %s' % (sys.argv[0], filename, safe_options))
root_logger.debug('IPA version %s' % version.VENDOR_VERSION)
if not ipautil.file_exists(filename):
sys.exit("Replica file %s does not exist" % filename)
client_fstore = sysrestore.FileStore(paths.IPA_CLIENT_SYSRESTORE)
if client_fstore.has_files():
sys.exit("IPA client is already configured on this system.\n" +
"Please uninstall it first before configuring the replica, " +
"using 'ipa-client-install --uninstall'.")
global sstore
sstore = sysrestore.StateFile(paths.SYSRESTORE)
global fstore
fstore = sysrestore.FileStore(paths.SYSRESTORE)
# check the bind is installed
if options.setup_dns:
check_bind()
# Check to see if httpd is already configured to listen on 443
if httpinstance.httpd_443_configured():
sys.exit("Aborting installation")
check_dirsrv()
if options.setup_ca:
if not cainstance.check_port():
print "IPA requires port 8443 for PKI but it is currently in use."
sys.exit("Aborting installation")
if options.conf_ntp:
try:
ipaclient.ntpconf.check_timedate_services()
except ipaclient.ntpconf.NTPConflictingService, e:
print "WARNING: conflicting time&date synchronization service '%s'" \
" will" % e.conflicting_service
print "be disabled in favor of ntpd"
print ""
except ipaclient.ntpconf.NTPConfigurationError:
pass
# get the directory manager password
dirman_password = options.password
if not dirman_password:
try:
dirman_password = get_dirman_password()
except KeyboardInterrupt:
sys.exit(0)
if dirman_password is None:
sys.exit("Directory Manager password required")
try:
top_dir, dir = expand_replica_info(filename, dirman_password)
global REPLICA_INFO_TOP_DIR
REPLICA_INFO_TOP_DIR = top_dir
except Exception, e:
print "ERROR: Failed to decrypt or open the replica file."
print "Verify you entered the correct Directory Manager password."
sys.exit(1)
config = ReplicaConfig()
read_replica_info(dir, config)
root_logger.debug('Installing replica file with version %d (0 means no version in prepared file).' % config.version)
if config.version and config.version > version.NUM_VERSION:
root_logger.error('A replica file from a newer release (%d) cannot be installed on an older version (%d)' % (config.version, version.NUM_VERSION))
sys.exit(1)
config.dirman_password = dirman_password
try:
host = get_host_name(options.no_host_dns)
except BadHostError, e:
root_logger.error(str(e))
sys.exit(1)
if config.host_name != host:
try:
print "This replica was created for '%s' but this machine is named '%s'" % (config.host_name, host)
if not ipautil.user_input("This may cause problems. Continue?", False):
sys.exit(0)
config.host_name = host
print ""
except KeyboardInterrupt:
sys.exit(0)
config.dir = dir
config.setup_ca = options.setup_ca
config.ca_ds_port = read_replica_info_dogtag_port(config.dir)
if config.setup_ca and not ipautil.file_exists(config.dir + "/cacert.p12"):
print 'CA cannot be installed in CA-less setup.'
sys.exit(1)
installutils.verify_fqdn(config.master_host_name, options.no_host_dns)
# check connection
if not options.skip_conncheck:
replica_conn_check(
config.master_host_name, config.host_name, config.realm_name,
options.setup_ca, config.ca_ds_port, options.admin_password)
# check replica host IP resolution
config.ip = installutils.get_server_ip_address(config.host_name, fstore, True, options)
config.ip_address = str(config.ip)
# Create the management framework config file
# Note: We must do this before bootstraping and finalizing ipalib.api
old_umask = os.umask(022) # must be readable for httpd
try:
fd = open(paths.IPA_DEFAULT_CONF, "w")
fd.write("[global]\n")
fd.write("host=%s\n" % config.host_name)
fd.write("basedn=%s\n" % str(ipautil.realm_to_suffix(config.realm_name)))
fd.write("realm=%s\n" % config.realm_name)
fd.write("domain=%s\n" % config.domain_name)
fd.write("xmlrpc_uri=https://%s/ipa/xml\n" % ipautil.format_netloc(config.host_name))
fd.write("ldap_uri=ldapi://%%2fvar%%2frun%%2fslapd-%s.socket\n" % dsinstance.realm_to_serverid(config.realm_name))
if ipautil.file_exists(config.dir + "/cacert.p12"):
fd.write("enable_ra=True\n")
fd.write("ra_plugin=dogtag\n")
fd.write("dogtag_version=%s\n" %
dogtag.install_constants.DOGTAG_VERSION)
else:
fd.write("enable_ra=False\n")
fd.write("ra_plugin=none\n")
fd.write("mode=production\n")
fd.close()
finally:
os.umask(old_umask)
api.bootstrap(in_server=True, context='installer')
api.finalize()
# Create DS group if it doesn't exist yet
group_exists = dsinstance.create_ds_group()
sstore.backup_state("install", "group_exists", group_exists)
#Automatically disable pkinit w/ dogtag until that is supported
options.setup_pkinit = False
# Install CA cert so that we can do SSL connections with ldap
install_ca_cert(config)
ldapuri = 'ldaps://%s' % ipautil.format_netloc(config.master_host_name)
replman = conn = None
try:
# Try out the password
conn = ldap2(shared_instance=False, ldap_uri=ldapuri, base_dn='')
conn.connect(bind_dn=DIRMAN_DN, bind_pw=config.dirman_password,
tls_cacertfile=CACERT)
replman = ReplicationManager(config.realm_name, config.master_host_name,
config.dirman_password)
# Check that we don't already have a replication agreement
try:
(agreement_cn, agreement_dn) = replman.agreement_dn(host)
entry = conn.get_entry(agreement_dn, ['*'])
except errors.NotFound:
pass
else:
root_logger.info('Error: A replication agreement for this host '
'already exists.')
print ('A replication agreement for this host already exists. '
'It needs to be removed.')
print "Run this on the master that generated the info file:"
print " %% ipa-replica-manage del %s --force" % host
exit(3)
# Check pre-existing host entry
try:
entry = conn.find_entries(u'fqdn=%s' % host, ['fqdn'], DN(api.env.container_host, api.env.basedn))
except errors.NotFound:
pass
else:
root_logger.info(
'Error: Host %s already exists on the master server.' % host)
print 'The host %s already exists on the master server.' % host
print "You should remove it before proceeding:"
print " %% ipa host-del %s" % host
exit(3)
# If remote host has DNS, check forward/reverse resolution
with temporary_ldap2_connection(
config.master_host_name, config.dirman_password):
dns_masters = api.Object['dnsrecord'].get_dns_masters()
if dns_masters:
if not options.no_host_dns:
master = config.master_host_name
root_logger.debug('Check forward/reverse DNS resolution')
resolution_ok = (
check_dns_resolution(master, dns_masters) and
check_dns_resolution(config.host_name, dns_masters))
if not resolution_ok and not options.unattended:
if not ipautil.user_input("Continue?", False):
sys.exit(0)
else:
root_logger.debug('No IPA DNS servers, '
'skipping forward/reverse resolution check')
except errors.ACIError:
sys.exit("\nThe password provided is incorrect for LDAP server %s" % config.master_host_name)
except errors.LDAPError:
sys.exit("\nUnable to connect to LDAP server %s" % config.master_host_name)
finally:
if conn and conn.isconnected():
conn.disconnect()
if replman and replman.conn:
replman.conn.unbind()
if options.skip_schema_check:
root_logger.info("Skipping CA DS schema check")
else:
cainstance.replica_ca_install_check(config)
# Configure ntpd
if options.conf_ntp:
ipaclient.ntpconf.force_ntpd(sstore)
ntp = ntpinstance.NTPInstance()
ntp.create_instance()
# Configure dirsrv
ds = install_replica_ds(config)
# Configure the CA if necessary
CA = cainstance.install_replica_ca(config)
# Always try to install DNS records
install_dns_records(config, options)
# We need to ldap_enable the CA now that DS is up and running
if CA and config.setup_ca:
CA.ldap_enable('CA', config.host_name, config.dirman_password,
ipautil.realm_to_suffix(config.realm_name))
# This is done within stopped_service context, which restarts CA
CA.enable_client_auth_to_db()
krb = install_krb(config, setup_pkinit=options.setup_pkinit)
http = install_http(config, auto_redirect=options.ui_redirect)
otpd = otpdinstance.OtpdInstance()
otpd.create_instance('OTPD', config.host_name, config.dirman_password,
ipautil.realm_to_suffix(config.realm_name))
if CA:
CA.configure_certmonger_renewal()
CA.import_ra_cert(dir + "/ra.p12")
CA.fix_ra_perms()
# The DS instance is created before the keytab, add the SSL cert we
# generated
ds.add_cert_to_service()
# Apply any LDAP updates. Needs to be done after the replica is synced-up
service.print_msg("Applying LDAP updates")
ds.apply_updates()
# Restart ds and krb after configurations have been changed
service.print_msg("Restarting the directory server")
ds.restart()
service.print_msg("Restarting the KDC")
krb.restart()
if CA and config.setup_ca:
service.print_msg("Restarting the certificate server")
CA.restart(dogtag.configured_constants().PKI_INSTANCE_NAME)
if options.setup_dns:
install_bind(config, options)
# Restart httpd to pick up the new IPA configuration
service.print_msg("Restarting the web server")
http.restart()
# Call client install script
try:
args = [paths.IPA_CLIENT_INSTALL, "--on-master", "--unattended", "--domain", config.domain_name, "--server", config.host_name, "--realm", config.realm_name]
if not options.create_sshfp:
args.append("--no-dns-sshfp")
if options.trust_sshfp:
args.append("--ssh-trust-dns")
if not options.conf_ssh:
args.append("--no-ssh")
if not options.conf_sshd:
args.append("--no-sshd")
if options.mkhomedir:
args.append("--mkhomedir")
ipautil.run(args)
except Exception, e:
print "Configuration of client side components failed!"
print "ipa-client-install returned: " + str(e)
raise RuntimeError("Failed to configure the client")
ds.replica_populate()
#Everything installed properly, activate ipa service.
services.knownservices.ipa.enable()
fail_message = '''
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
'''
if __name__ == '__main__':
try:
with private_ccache():
installutils.run_script(main, log_file_name=log_file_name,
operation_name='ipa-replica-install',
fail_message=fail_message)
finally:
# always try to remove decrypted replica file
try:
if REPLICA_INFO_TOP_DIR:
shutil.rmtree(REPLICA_INFO_TOP_DIR)
except OSError:
pass

23
install/tools/ipa-replica-install.in Normal file
View File

@@ -0,0 +1,23 @@
#!/usr/bin/python3
# Authors: Karl MacMillan <kmacmillan@mentalrootkit.com>
#
# Copyright (C) 2007 Red Hat
# see file 'COPYING' for use and warranty information
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
from ipaserver.install import ipa_replica_install
ipa_replica_install.run()

950
install/tools/ipa-replica-manage → install/tools/ipa-replica-manage.in Executable file → Normal file
View File

File diff suppressed because it is too large Load Diff

2
install/tools/ipa-restore → install/tools/ipa-restore.in Executable file → Normal file
View File

@@ -1,4 +1,4 @@
#! /usr/bin/python2 -E
#!/usr/bin/python3
# Authors: Rob Crittenden <rcritten@redhat.com>
#
# Copyright (C) 2013 Red Hat

2
install/tools/ipa-server-certinstall → install/tools/ipa-server-certinstall.in Executable file → Normal file
View File

@@ -1,4 +1,4 @@
#! /usr/bin/python2 -E
#!/usr/bin/python3
# Authors: Jan Cholasta <jcholast@redhat.com>
#
# Copyright (C) 2013 Red Hat

1306
install/tools/ipa-server-install
View File

File diff suppressed because it is too large Load Diff

25
install/tools/ipa-server-install.in Normal file
View File

@@ -0,0 +1,25 @@
#!/usr/bin/python3
# Authors: Karl MacMillan <kmacmillan@mentalrootkit.com>
# Simo Sorce <ssorce@redhat.com>
# Rob Crittenden <rcritten@redhat.com>
#
# Copyright (C) 2007-2014 Red Hat
# see file 'COPYING' for use and warranty information
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
from ipaserver.install import ipa_server_install
ipa_server_install.run()

12
install/tools/ipa-server-upgrade.in Normal file
View File

@@ -0,0 +1,12 @@
#!/usr/bin/python3
#
# Copyright (C) 2015 FreeIPA Contributors see COPYING for license
#
# Documentation can be found at:
# http://freeipa.org/page/LdapUpdate
# http://www.freeipa.org/page/V4/Server_Upgrade_Refactoring
from ipaserver.install.ipa_server_upgrade import ServerUpgrade
ServerUpgrade.run_cli()

1191
install/tools/ipa-upgradeconfig
View File

File diff suppressed because it is too large Load Diff

10
install/tools/ipa-replica-prepare → install/tools/ipa-winsync-migrate.in Executable file → Normal file
View File

@@ -1,7 +1,7 @@
#! /usr/bin/python2 -E
# Authors: Petr Viktorin <pviktori@redhat.com>
#!/usr/bin/python3
# Authors: Tomas Babej <tbabej@redhat.com>
#
# Copyright (C) 2012 Red Hat
# Copyright (C) 2015 Red Hat
# see file 'COPYING' for use and warranty information
#
# This program is free software; you can redistribute it and/or modify
@@ -18,6 +18,6 @@
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
from ipaserver.install.ipa_replica_prepare import ReplicaPrepare
from ipaserver.install.ipa_winsync_migrate import WinsyncMigrate
ReplicaPrepare.run_cli()
WinsyncMigrate.run_cli()

515
install/tools/ipactl
View File

@@ -1,515 +0,0 @@
#!/usr/bin/python2
# Authors: Simo Sorce <ssorce@redhat.com>
#
# Copyright (C) 2008-2010 Red Hat
# see file 'COPYING' for use and warranty information
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
import sys
import os
import json
import ldapurl
from ipaserver.install import service, installutils
from ipaserver.install.dsinstance import config_dirname, realm_to_serverid
from ipaserver.install.installutils import is_ipa_configured, ScriptError
from ipalib import api, errors
from ipapython.ipaldap import IPAdmin
from ipapython.ipautil import wait_for_open_ports, wait_for_open_socket
from ipapython import config, dogtag
from ipaplatform.tasks import tasks
from ipapython.dn import DN
from ipaplatform import services
from ipaplatform.paths import paths
class IpactlError(ScriptError):
pass
def check_IPA_configuration():
if not is_ipa_configured():
# LSB status code 6: program is not configured
raise IpactlError("IPA is not configured " +
"(see man pages of ipa-server-install for help)", 6)
def is_dirsrv_debugging_enabled():
"""
Check the 389-ds instance to see if debugging is enabled.
If so we suppress that in our output.
returns True or False
"""
debugging = False
serverid = realm_to_serverid(api.env.realm)
dselist = [config_dirname(serverid)]
for dse in dselist:
try:
fd = open(dse + 'dse.ldif', 'r')
except IOError:
continue
lines = fd.readlines()
fd.close()
for line in lines:
if line.lower().startswith('nsslapd-errorlog-level'):
(option, value) = line.split(':')
if int(value) > 0:
debugging = True
return debugging
def get_capture_output(service, debug):
"""
We want to display any output of a start/stop command with the
exception of 389-ds when debugging is enabled because it outputs
tons and tons of information.
"""
if service == 'dirsrv' and not debug and is_dirsrv_debugging_enabled():
print ' debugging enabled, suppressing output.'
return True
else:
return False
def parse_options():
usage = "%prog start|stop|restart|status\n"
parser = config.IPAOptionParser(usage=usage,
formatter=config.IPAFormatter())
parser.add_option("-d", "--debug", action="store_true", dest="debug",
help="Display debugging information")
parser.add_option("-f", "--force", action="store_true", dest="force",
help="If any service start fails, do not rollback the"
+ " services, continue with the operation")
options, args = parser.parse_args()
safe_options = parser.get_safe_opts(options)
return safe_options, options, args
def emit_err(err):
sys.stderr.write(err + '\n')
def get_config(dirsrv):
base = DN(('cn', api.env.host), ('cn', 'masters'), ('cn', 'ipa'), ('cn', 'etc'), api.env.basedn)
srcfilter = '(ipaConfigString=enabledService)'
attrs = ['cn', 'ipaConfigString']
if not dirsrv.is_running():
raise IpactlError("Failed to get list of services to probe status:\n" +
"Directory Server is stopped", 3)
try:
# The start/restart functions already wait for the server to be
# started. What we are doing with this wait is really checking to see
# if the server is listening at all.
lurl = ldapurl.LDAPUrl(api.env.ldap_uri)
if lurl.urlscheme == 'ldapi':
wait_for_open_socket(lurl.hostport, timeout=api.env.startup_timeout)
else:
(host, port) = lurl.hostport.split(':')
wait_for_open_ports(host, [int(port)], timeout=api.env.startup_timeout)
con = IPAdmin(ldap_uri=api.env.ldap_uri)
con.do_external_bind()
res, truncated = con.find_entries(
filter=srcfilter,
attrs_list=attrs,
base_dn=base,
scope=con.SCOPE_SUBTREE,
time_limit=10)
if truncated:
raise errors.LimitsExceeded()
except errors.NetworkError:
# LSB status code 3: program is not running
raise IpactlError("Failed to get list of services to probe status:\n" +
"Directory Server is stopped", 3)
except errors.NotFound:
masters_list = []
dn = DN(('cn', 'masters'), ('cn', 'ipa'), ('cn', 'etc'), api.env.basedn)
attrs = ['cn']
try:
entries = con.get_entries(dn, con.SCOPE_ONELEVEL, attrs_list=attrs)
except Exception, e:
masters_list.append("No master found because of error: %s" % str(e))
else:
for master_entry in entries:
masters_list.append(master_entry.single_value['cn'])
masters = "\n".join(masters_list)
raise IpactlError("Failed to get list of services to probe status!\n"
"Configured hostname '%s' does not match any master server in LDAP:\n%s"
% (api.env.host, masters))
except Exception, e:
raise IpactlError("Unknown error when retrieving list of services from LDAP: " + str(e))
svc_list = []
for entry in res:
name = entry.single_value['cn']
for p in entry['ipaConfigString']:
if p.startswith('startOrder '):
try:
order = int(p.split()[1])
except ValueError:
raise IpactlError("Expected order as integer in: %s:%s" % (
name, p))
svc_list.append([order, name])
ordered_list = []
for (order, svc) in sorted(svc_list):
if svc in service.SERVICE_LIST:
ordered_list.append(service.SERVICE_LIST[svc][0])
return ordered_list
def get_config_from_file():
svc_list = []
try:
f = open(tasks.get_svc_list_file(), 'r')
svc_list = json.load(f)
except Exception, e:
raise IpactlError("Unknown error when retrieving list of services from file: " + str(e))
# the framework can start/stop a number of related services we are not
# authoritative for, so filter the list through SERVICES_LIST and order it
# accordingly too.
def_svc_list = []
for svc in service.SERVICE_LIST:
s = service.SERVICE_LIST[svc]
def_svc_list.append([s[1], s[0]])
ordered_list = []
for (order, svc) in sorted(def_svc_list):
if svc in svc_list:
ordered_list.append(svc)
return ordered_list
def stop_services(svc_list):
for svc in svc_list:
svc_off = services.service(svc)
try:
svc_off.stop(capture_output=False)
except Exception:
pass
def stop_dirsrv(dirsrv):
try:
dirsrv.stop(capture_output=False)
except Exception:
pass
def ipa_start(options):
if os.path.isfile(tasks.get_svc_list_file()):
emit_err("Existing service file detected!")
emit_err("Assuming stale, cleaning and proceeding")
# remove file with list of started services
# This is ok as systemd will just skip services
# that are already running and just return, so that the
# stop() method of the base class will simply fill in the
# service file again
os.unlink(paths.SVC_LIST_FILE)
dirsrv = services.knownservices.dirsrv
try:
print "Starting Directory Service"
dirsrv.start(capture_output=get_capture_output('dirsrv', options.debug))
except Exception, e:
raise IpactlError("Failed to start Directory Service: " + str(e))
ldap_list = []
try:
svc_list = get_config(dirsrv)
except Exception, e:
emit_err("Failed to read data from service file: " + str(e))
emit_err("Shutting down")
if not options.force:
stop_dirsrv(dirsrv)
if isinstance(e, IpactlError):
# do not display any other error message
raise IpactlError(rval=e.rval)
else:
raise IpactlError()
if len(svc_list) == 0:
# no service to start
return
for svc in svc_list:
svchandle = services.service(svc)
try:
print "Starting %s Service" % svc
svchandle.start(capture_output=get_capture_output(svc, options.debug))
except Exception:
emit_err("Failed to start %s Service" % svc)
#if force start specified, skip rollback and continue with the next service
if options.force:
emit_err("Forced start, ignoring %s Service, continuing normal operation" % svc)
continue
emit_err("Shutting down")
stop_services(svc_list)
stop_dirsrv(dirsrv)
raise IpactlError("Aborting ipactl")
def ipa_stop(options):
dirsrv = services.knownservices.dirsrv
try:
svc_list = get_config_from_file()
except Exception, e:
# Issue reading the file ? Let's try to get data from LDAP as a
# fallback
try:
dirsrv.start(capture_output=False)
svc_list = get_config(dirsrv)
except Exception, e:
emit_err("Failed to read data from Directory Service: " + str(e))
emit_err("Shutting down")
try:
# just try to stop it, do not read a result
dirsrv.stop()
finally:
raise IpactlError()
try:
print "Stopping Directory Service"
dirsrv.stop(capture_output=False)
except:
raise IpactlError("Failed to stop Directory Service")
for svc in reversed(svc_list):
svchandle = services.service(svc)
try:
print "Stopping %s Service" % svc
svchandle.stop(capture_output=False)
except:
emit_err("Failed to stop %s Service" % svc)
# remove file with list of started services
try:
os.unlink(paths.SVC_LIST_FILE)
except OSError:
pass
def ipa_restart(options):
dirsrv = services.knownservices.dirsrv
new_svc_list = []
dirsrv_restart = True
if not dirsrv.is_running():
try:
print "Starting Directory Service"
dirsrv.start(capture_output=get_capture_output('dirsrv', options.debug))
dirsrv_restart = False
except Exception, e:
raise IpactlError("Failed to start Directory Service: " + str(e))
try:
new_svc_list = get_config(dirsrv)
except Exception, e:
emit_err("Failed to read data from Directory Service: " + str(e))
emit_err("Shutting down")
try:
dirsrv.stop(capture_output=False)
except:
pass
if isinstance(e, IpactlError):
# do not display any other error message
raise IpactlError(rval=e.rval)
else:
raise IpactlError()
old_svc_list = []
try:
old_svc_list = get_config_from_file()
except Exception, e:
emit_err("Failed to get service list from file: " + str(e))
# fallback to what's in LDAP
old_svc_list = new_svc_list
# match service to start/stop
svc_list = []
for s in new_svc_list:
if s in old_svc_list:
svc_list.append(s)
#remove commons
for s in svc_list:
if s in old_svc_list:
old_svc_list.remove(s)
for s in svc_list:
if s in new_svc_list:
new_svc_list.remove(s)
if len(old_svc_list) != 0:
# we need to definitely stop some services
for svc in reversed(old_svc_list):
svchandle = services.service(svc)
try:
print "Stopping %s Service" % svc
svchandle.stop(capture_output=False)
except:
emit_err("Failed to stop %s Service" % svc)
try:
if dirsrv_restart:
print "Restarting Directory Service"
dirsrv.restart(capture_output=get_capture_output('dirsrv', options.debug))
except Exception, e:
emit_err("Failed to restart Directory Service: " + str(e))
emit_err("Shutting down")
if not options.force:
stop_services(reversed(svc_list))
stop_dirsrv(dirsrv)
raise IpactlError("Aborting ipactl")
if len(svc_list) != 0:
# there are services to restart
for svc in svc_list:
svchandle = services.service(svc)
try:
print "Restarting %s Service" % svc
svchandle.restart(capture_output=get_capture_output(svc, options.debug))
except Exception:
emit_err("Failed to restart %s Service" % svc)
#if force start specified, skip rollback and continue with the next service
if options.force:
emit_err("Forced restart, ignoring %s Service, continuing normal operation" % svc)
continue
emit_err("Shutting down")
stop_services(svc_list)
stop_dirsrv(dirsrv)
raise IpactlError("Aborting ipactl")
if len(new_svc_list) != 0:
# we still need to start some services
for svc in new_svc_list:
svchandle = services.service(svc)
try:
print "Starting %s Service" % svc
svchandle.start(capture_output=get_capture_output(svc, options.debug))
except Exception:
emit_err("Failed to start %s Service" % svc)
#if force start specified, skip rollback and continue with the next service
if options.force:
emit_err("Forced start, ignoring %s Service, continuing normal operation" % svc)
continue
emit_err("Shutting down")
stop_services(svc_list)
stop_dirsrv(dirsrv)
raise IpactlError("Aborting ipactl")
def ipa_status(options):
try:
dirsrv = services.knownservices.dirsrv
if dirsrv.is_running():
svc_list = get_config(dirsrv)
else:
svc_list = get_config_from_file()
except IpactlError, e:
if os.path.exists(tasks.get_svc_list_file()):
raise e
else:
svc_list = []
except Exception, e:
raise IpactlError("Failed to get list of services to probe status: " + str(e))
dirsrv = services.knownservices.dirsrv
try:
if dirsrv.is_running():
print "Directory Service: RUNNING"
else:
print "Directory Service: STOPPED"
if len(svc_list) == 0:
print ("Directory Service must be running in order to " +
"obtain status of other services")
except:
raise IpactlError("Failed to get Directory Service status")
if len(svc_list) == 0:
return
for svc in svc_list:
svchandle = services.service(svc)
try:
if svchandle.is_running():
print "%s Service: RUNNING" % svc
else:
print "%s Service: STOPPED" % svc
except:
emit_err("Failed to get %s Service status" % svc)
def main():
if not os.getegid() == 0:
# LSB status code 4: user had insufficient privilege
raise IpactlError("You must be root to run ipactl.", 4)
safe_options, options, args = parse_options()
if len(args) != 1:
# LSB status code 2: invalid or excess argument(s)
raise IpactlError("You must specify one action", 2)
elif args[0] != "start" and args[0] != "stop" and args[0] != "restart" and args[0] != "status":
raise IpactlError("Unrecognized action [" + args[0] + "]", 2)
# check if IPA is configured at all
try:
check_IPA_configuration()
except IpactlError, e:
if args[0].lower() == "status":
# Different LSB return code for status command:
# 4 - program or service status is unknown
# This should differentiate uninstalled IPA from status
# code 3 - program is not running
e.rval = 4
raise e
else:
raise e
api.bootstrap(context='ipactl', debug=options.debug)
api.finalize()
if '.' not in api.env.host:
raise IpactlError("Invalid hostname '%s' in IPA configuration!\n"
"The hostname must be fully-qualified" % api.env.host)
if args[0].lower() == "start":
ipa_start(options)
elif args[0].lower() == "stop":
ipa_stop(options)
elif args[0].lower() == "restart":
ipa_restart(options)
elif args[0].lower() == "status":
ipa_status(options)
if __name__ == '__main__':
installutils.run_script(main, operation_name='ipactl')

25
install/tools/ipactl.in Normal file
View File

@@ -0,0 +1,25 @@
#!/usr/bin/python3
# Authors: Simo Sorce <ssorce@redhat.com>
#
# Copyright (C) 2008, 2019 Red Hat
# see file 'COPYING' for use and warranty information
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
from ipaserver.install import installutils
from ipaserver.install.ipactl import main
if __name__ == '__main__':
installutils.run_script(main, operation_name='ipactl')

21
install/tools/man/Makefile.am
View File

@@ -4,17 +4,18 @@ AUTOMAKE_OPTIONS = 1.7
NULL=
man1_MANS = \
dist_man1_MANS = \
ipa-replica-conncheck.1 \
ipa-replica-install.1 \
ipa-replica-manage.1 \
ipa-csreplica-manage.1 \
ipa-replica-prepare.1 \
ipa-server-certinstall.1 \
ipa-server-install.1 \
ipa-server-upgrade.1 \
ipa-dns-install.1 \
ipa-adtrust-install.1 \
ipa-ca-install.1 \
ipa-kra-install.1 \
ipa-ldap-updater.1 \
ipa-compat-manage.1 \
ipa-nis-manage.1 \
@@ -23,17 +24,13 @@ man1_MANS = \
ipa-restore.1 \
ipa-advise.1 \
ipa-otptoken-import.1 \
ipa-cacert-manage.1 \
ipa-winsync-migrate.1 \
ipa-pkinit-manage.1 \
ipa-crlgen-manage.1 \
ipa-cert-fix.1 \
$(NULL)
man8_MANS = \
dist_man8_MANS = \
ipactl.8 \
ipa-upgradeconfig.8 \
$(NULL)
install-data-hook:
@for i in $(man1_MANS) ; do gzip -f $(DESTDIR)$(man1dir)/$$i ; done
@for i in $(man8_MANS) ; do gzip -f $(DESTDIR)$(man8dir)/$$i ; done
MAINTAINERCLEANFILES = \
Makefile.in \
$(NULL)

278
install/tools/man/Makefile.in
View File

@@ -1,7 +1,7 @@
# Makefile.in generated by automake 1.14.1 from Makefile.am.
# Makefile.in generated by automake 1.16.2 from Makefile.am.
# @configure_input@
# Copyright (C) 1994-2013 Free Software Foundation, Inc.
# Copyright (C) 1994-2020 Free Software Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
@@ -16,7 +16,17 @@
# This file will be processed with automake-1.7 to create Makefile.in
VPATH = @srcdir@
am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)'
am__is_gnu_make = { \
if test -z '$(MAKELEVEL)'; then \
false; \
elif test -n '$(MAKE_HOST)'; then \
true; \
elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \
true; \
else \
false; \
fi; \
}
am__make_running_with_option = \
case $${target_option-} in \
?) ;; \
@@ -77,13 +87,22 @@ POST_INSTALL = :
NORMAL_UNINSTALL = :
PRE_UNINSTALL = :
POST_UNINSTALL = :
subdir = tools/man
DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am
build_triplet = @build@
host_triplet = @host@
subdir = install/tools/man
ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
am__aclocal_m4_deps = $(top_srcdir)/../version.m4 \
$(top_srcdir)/configure.ac
am__aclocal_m4_deps = $(top_srcdir)/m4/gettext.m4 \
$(top_srcdir)/m4/iconv.m4 $(top_srcdir)/m4/intlmacosx.m4 \
$(top_srcdir)/m4/lib-ld.m4 $(top_srcdir)/m4/lib-link.m4 \
$(top_srcdir)/m4/lib-prefix.m4 $(top_srcdir)/m4/libtool.m4 \
$(top_srcdir)/m4/ltoptions.m4 $(top_srcdir)/m4/ltsugar.m4 \
$(top_srcdir)/m4/ltversion.m4 $(top_srcdir)/m4/lt~obsolete.m4 \
$(top_srcdir)/m4/nls.m4 $(top_srcdir)/m4/po.m4 \
$(top_srcdir)/m4/progtest.m4 $(top_srcdir)/VERSION.m4 \
$(top_srcdir)/server.m4 $(top_srcdir)/configure.ac
am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
$(ACLOCAL_M4)
DIST_COMMON = $(srcdir)/Makefile.am $(am__DIST_COMMON)
mkinstalldirs = $(install_sh) -d
CONFIG_HEADER = $(top_builddir)/config.h
CONFIG_CLEAN_FILES =
@@ -138,40 +157,119 @@ man1dir = $(mandir)/man1
am__installdirs = "$(DESTDIR)$(man1dir)" "$(DESTDIR)$(man8dir)"
man8dir = $(mandir)/man8
NROFF = nroff
MANS = $(man1_MANS) $(man8_MANS)
MANS = $(dist_man1_MANS) $(dist_man8_MANS)
am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP)
am__DIST_COMMON = $(dist_man1_MANS) $(dist_man8_MANS) \
$(srcdir)/Makefile.in
DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
ACLOCAL = @ACLOCAL@
AMTAR = @AMTAR@
AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
API_VERSION = @API_VERSION@
AR = @AR@
AUTOCONF = @AUTOCONF@
AUTOHEADER = @AUTOHEADER@
AUTOMAKE = @AUTOMAKE@
AWK = @AWK@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
CMOCKA_CFLAGS = @CMOCKA_CFLAGS@
CMOCKA_LIBS = @CMOCKA_LIBS@
CONFIG_STATUS = @CONFIG_STATUS@
CPP = @CPP@
CPPFLAGS = @CPPFLAGS@
CRYPTO_CFLAGS = @CRYPTO_CFLAGS@
CRYPTO_LIBS = @CRYPTO_LIBS@
CYGPATH_W = @CYGPATH_W@
DATA_VERSION = @DATA_VERSION@
DEFS = @DEFS@
DEPDIR = @DEPDIR@
DIRSRV_CFLAGS = @DIRSRV_CFLAGS@
DIRSRV_LIBS = @DIRSRV_LIBS@
DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
EGREP = @EGREP@
EXEEXT = @EXEEXT@
FGREP = @FGREP@
GETTEXT_DOMAIN = @GETTEXT_DOMAIN@
GETTEXT_MACRO_VERSION = @GETTEXT_MACRO_VERSION@
GIT_BRANCH = @GIT_BRANCH@
GIT_VERSION = @GIT_VERSION@
GMSGFMT = @GMSGFMT@
GMSGFMT_015 = @GMSGFMT_015@
GREP = @GREP@
INI_CFLAGS = @INI_CFLAGS@
INI_LIBS = @INI_LIBS@
INSTALL = @INSTALL@
INSTALL_DATA = @INSTALL_DATA@
INSTALL_PROGRAM = @INSTALL_PROGRAM@
INSTALL_SCRIPT = @INSTALL_SCRIPT@
INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
INTLLIBS = @INTLLIBS@
INTL_MACOSX_LIBS = @INTL_MACOSX_LIBS@
IPAPLATFORM = @IPAPLATFORM@
IPA_DATA_DIR = @IPA_DATA_DIR@
IPA_SYSCONF_DIR = @IPA_SYSCONF_DIR@
JSLINT = @JSLINT@
KRAD_LIBS = @KRAD_LIBS@
KRB5KDC_SERVICE = @KRB5KDC_SERVICE@
KRB5_CFLAGS = @KRB5_CFLAGS@
KRB5_GSSAPI_CFLAGS = @KRB5_GSSAPI_CFLAGS@
KRB5_GSSAPI_LIBS = @KRB5_GSSAPI_LIBS@
KRB5_LIBS = @KRB5_LIBS@
LD = @LD@
LDAP_CFLAGS = @LDAP_CFLAGS@
LDAP_LIBS = @LDAP_LIBS@
LDFLAGS = @LDFLAGS@
LIBICONV = @LIBICONV@
LIBINTL = @LIBINTL@
LIBINTL_LIBS = @LIBINTL_LIBS@
LIBOBJS = @LIBOBJS@
LIBPDB_NAME = @LIBPDB_NAME@
LIBS = @LIBS@
LIBTOOL = @LIBTOOL@
LIBVERTO_CFLAGS = @LIBVERTO_CFLAGS@
LIBVERTO_LIBS = @LIBVERTO_LIBS@
LIPO = @LIPO@
LN_S = @LN_S@
LTLIBICONV = @LTLIBICONV@
LTLIBINTL = @LTLIBINTL@
LTLIBOBJS = @LTLIBOBJS@
MAINT = @MAINT@
LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@
MAKEINFO = @MAKEINFO@
MANIFEST_TOOL = @MANIFEST_TOOL@
MKDIR_P = @MKDIR_P@
MK_ASSIGN = @MK_ASSIGN@
MK_ELSE = @MK_ELSE@
MK_ENDIF = @MK_ENDIF@
MK_IFEQ = @MK_IFEQ@
MSGATTRIB = @MSGATTRIB@
MSGCMP = @MSGCMP@
MSGFMT = @MSGFMT@
MSGINIT = @MSGINIT@
MSGFMT_015 = @MSGFMT_015@
MSGMERGE = @MSGMERGE@
NAMED_GROUP = @NAMED_GROUP@
NDRNBT_CFLAGS = @NDRNBT_CFLAGS@
NDRNBT_LIBS = @NDRNBT_LIBS@
NDRPAC_CFLAGS = @NDRPAC_CFLAGS@
NDRPAC_LIBS = @NDRPAC_LIBS@
NDR_CFLAGS = @NDR_CFLAGS@
NDR_LIBS = @NDR_LIBS@
NM = @NM@
NMEDIT = @NMEDIT@
NSPR_CFLAGS = @NSPR_CFLAGS@
NSPR_LIBS = @NSPR_LIBS@
NUM_VERSION = @NUM_VERSION@
OBJDUMP = @OBJDUMP@
OBJEXT = @OBJEXT@
ODS_GROUP = @ODS_GROUP@
ODS_USER = @ODS_USER@
OTOOL = @OTOOL@
OTOOL64 = @OTOOL64@
PACKAGE = @PACKAGE@
PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
PACKAGE_NAME = @PACKAGE_NAME@
@@ -180,33 +278,87 @@ PACKAGE_TARNAME = @PACKAGE_TARNAME@
PACKAGE_URL = @PACKAGE_URL@
PACKAGE_VERSION = @PACKAGE_VERSION@
PATH_SEPARATOR = @PATH_SEPARATOR@
PKG_CONFIG = @PKG_CONFIG@
PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PLATFORM_PYTHON = @PLATFORM_PYTHON@
POPT_CFLAGS = @POPT_CFLAGS@
POPT_LIBS = @POPT_LIBS@
POSUB = @POSUB@
PYLINT = @PYLINT@
PYTHON = @PYTHON@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_INSTALL_EXTRA_OPTIONS = @PYTHON_INSTALL_EXTRA_OPTIONS@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
PYTHON_PREFIX = @PYTHON_PREFIX@
PYTHON_VERSION = @PYTHON_VERSION@
RANLIB = @RANLIB@
SAMBA40EXTRA_LIBPATH = @SAMBA40EXTRA_LIBPATH@
SAMBAUTIL_CFLAGS = @SAMBAUTIL_CFLAGS@
SAMBAUTIL_LIBS = @SAMBAUTIL_LIBS@
SASL_CFLAGS = @SASL_CFLAGS@
SASL_LIBS = @SASL_LIBS@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
SSSCERTMAP_CFLAGS = @SSSCERTMAP_CFLAGS@
SSSCERTMAP_LIBS = @SSSCERTMAP_LIBS@
SSSIDMAP_CFLAGS = @SSSIDMAP_CFLAGS@
SSSIDMAP_LIBS = @SSSIDMAP_LIBS@
SSSNSSIDMAP_CFLAGS = @SSSNSSIDMAP_CFLAGS@
SSSNSSIDMAP_LIBS = @SSSNSSIDMAP_LIBS@
STRIP = @STRIP@
TX = @TX@
TALLOC_CFLAGS = @TALLOC_CFLAGS@
TALLOC_LIBS = @TALLOC_LIBS@
TEVENT_CFLAGS = @TEVENT_CFLAGS@
TEVENT_LIBS = @TEVENT_LIBS@
UNISTRING_LIBS = @UNISTRING_LIBS@
UNLINK = @UNLINK@
USE_NLS = @USE_NLS@
UUID_CFLAGS = @UUID_CFLAGS@
UUID_LIBS = @UUID_LIBS@
VENDOR_SUFFIX = @VENDOR_SUFFIX@
VERSION = @VERSION@
XGETTEXT = @XGETTEXT@
XGETTEXT_015 = @XGETTEXT_015@
XGETTEXT_EXTRA_OPTIONS = @XGETTEXT_EXTRA_OPTIONS@
XMLRPC_CFLAGS = @XMLRPC_CFLAGS@
XMLRPC_LIBS = @XMLRPC_LIBS@
abs_builddir = @abs_builddir@
abs_srcdir = @abs_srcdir@
abs_top_builddir = @abs_top_builddir@
abs_top_srcdir = @abs_top_srcdir@
ac_ct_AR = @ac_ct_AR@
ac_ct_CC = @ac_ct_CC@
ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
am__include = @am__include@
am__leading_dot = @am__leading_dot@
am__quote = @am__quote@
am__tar = @am__tar@
am__untar = @am__untar@
bindir = @bindir@
build = @build@
build_alias = @build_alias@
build_cpu = @build_cpu@
build_os = @build_os@
build_vendor = @build_vendor@
builddir = @builddir@
datadir = @datadir@
datarootdir = @datarootdir@
docdir = @docdir@
dvidir = @dvidir@
exec_prefix = @exec_prefix@
host = @host@
host_alias = @host_alias@
host_cpu = @host_cpu@
host_os = @host_os@
host_vendor = @host_vendor@
htmldir = @htmldir@
i18ntests = @i18ntests@
includedir = @includedir@
infodir = @infodir@
install_sh = @install_sh@
krb5rundir = @krb5rundir@
libdir = @libdir@
libexecdir = @libexecdir@
localedir = @localedir@
@@ -215,30 +367,40 @@ mandir = @mandir@
mkdir_p = @mkdir_p@
oldincludedir = @oldincludedir@
pdfdir = @pdfdir@
pkgpyexecdir = @pkgpyexecdir@
pkgpythondir = @pkgpythondir@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
pyexecdir = @pyexecdir@
pythondir = @pythondir@
runstatedir = @runstatedir@
sbindir = @sbindir@
selinux_makefile = @selinux_makefile@
sharedstatedir = @sharedstatedir@
srcdir = @srcdir@
sysconfdir = @sysconfdir@
sysconfenvdir = @sysconfenvdir@
systemdsystemunitdir = @systemdsystemunitdir@
systemdtmpfilesdir = @systemdtmpfilesdir@
target_alias = @target_alias@
top_build_prefix = @top_build_prefix@
top_builddir = @top_builddir@
top_srcdir = @top_srcdir@
AUTOMAKE_OPTIONS = 1.7
NULL =
man1_MANS = \
dist_man1_MANS = \
ipa-replica-conncheck.1 \
ipa-replica-install.1 \
ipa-replica-manage.1 \
ipa-csreplica-manage.1 \
ipa-replica-prepare.1 \
ipa-server-certinstall.1 \
ipa-server-install.1 \
ipa-server-upgrade.1 \
ipa-dns-install.1 \
ipa-adtrust-install.1 \
ipa-ca-install.1 \
ipa-kra-install.1 \
ipa-ldap-updater.1 \
ipa-compat-manage.1 \
ipa-nis-manage.1 \
@@ -247,21 +409,21 @@ man1_MANS = \
ipa-restore.1 \
ipa-advise.1 \
ipa-otptoken-import.1 \
ipa-cacert-manage.1 \
ipa-winsync-migrate.1 \
ipa-pkinit-manage.1 \
ipa-crlgen-manage.1 \
ipa-cert-fix.1 \
$(NULL)
man8_MANS = \
dist_man8_MANS = \
ipactl.8 \
ipa-upgradeconfig.8 \
$(NULL)
MAINTAINERCLEANFILES = \
Makefile.in \
$(NULL)
all: all-am
.SUFFIXES:
$(srcdir)/Makefile.in: @MAINTAINER_MODE_TRUE@ $(srcdir)/Makefile.am $(am__configure_deps)
$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps)
@for dep in $?; do \
case '$(am__configure_deps)' in \
*$$dep*) \
@@ -270,30 +432,35 @@ $(srcdir)/Makefile.in: @MAINTAINER_MODE_TRUE@ $(srcdir)/Makefile.am $(am__confi
exit 1;; \
esac; \
done; \
echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign tools/man/Makefile'; \
echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign install/tools/man/Makefile'; \
$(am__cd) $(top_srcdir) && \
$(AUTOMAKE) --foreign tools/man/Makefile
.PRECIOUS: Makefile
$(AUTOMAKE) --foreign install/tools/man/Makefile
Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
@case '$?' in \
*config.status*) \
cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
*) \
echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__maybe_remake_depfiles)'; \
cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__maybe_remake_depfiles);; \
esac;
$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
$(top_srcdir)/configure: @MAINTAINER_MODE_TRUE@ $(am__configure_deps)
$(top_srcdir)/configure: $(am__configure_deps)
cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
$(ACLOCAL_M4): @MAINTAINER_MODE_TRUE@ $(am__aclocal_m4_deps)
$(ACLOCAL_M4): $(am__aclocal_m4_deps)
cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
$(am__aclocal_m4_deps):
install-man1: $(man1_MANS)
mostlyclean-libtool:
-rm -f *.lo
clean-libtool:
-rm -rf .libs _libs
install-man1: $(dist_man1_MANS)
@$(NORMAL_INSTALL)
@list1='$(man1_MANS)'; \
@list1='$(dist_man1_MANS)'; \
list2=''; \
test -n "$(man1dir)" \
&& test -n "`echo $$list1$$list2`" \
@@ -327,14 +494,14 @@ install-man1: $(man1_MANS)
uninstall-man1:
@$(NORMAL_UNINSTALL)
@list='$(man1_MANS)'; test -n "$(man1dir)" || exit 0; \
@list='$(dist_man1_MANS)'; test -n "$(man1dir)" || exit 0; \
files=`{ for i in $$list; do echo "$$i"; done; \
} | sed -e 's,.*/,,;h;s,.*\.,,;s,^[^1][0-9a-z]*$$,1,;x' \
-e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,'`; \
dir='$(DESTDIR)$(man1dir)'; $(am__uninstall_files_from_dir)
install-man8: $(man8_MANS)
install-man8: $(dist_man8_MANS)
@$(NORMAL_INSTALL)
@list1='$(man8_MANS)'; \
@list1='$(dist_man8_MANS)'; \
list2=''; \
test -n "$(man8dir)" \
&& test -n "`echo $$list1$$list2`" \
@@ -368,7 +535,7 @@ install-man8: $(man8_MANS)
uninstall-man8:
@$(NORMAL_UNINSTALL)
@list='$(man8_MANS)'; test -n "$(man8dir)" || exit 0; \
@list='$(dist_man8_MANS)'; test -n "$(man8dir)" || exit 0; \
files=`{ for i in $$list; do echo "$$i"; done; \
} | sed -e 's,.*/,,;h;s,.*\.,,;s,^[^8][0-9a-z]*$$,8,;x' \
-e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,'`; \
@@ -380,7 +547,10 @@ ctags CTAGS:
cscope cscopelist:
distdir: $(DISTFILES)
distdir: $(BUILT_SOURCES)
$(MAKE) $(AM_MAKEFLAGS) distdir-am
distdir-am: $(DISTFILES)
@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
list='$(DISTFILES)'; \
@@ -447,10 +617,9 @@ distclean-generic:
maintainer-clean-generic:
@echo "This command is intended for maintainers to use"
@echo "it deletes files that may require special tools to rebuild."
-test -z "$(MAINTAINERCLEANFILES)" || rm -f $(MAINTAINERCLEANFILES)
clean: clean-am
clean-am: clean-generic mostlyclean-am
clean-am: clean-generic clean-libtool mostlyclean-am
distclean: distclean-am
-rm -f Makefile
@@ -469,8 +638,7 @@ info: info-am
info-am:
install-data-am: install-man
@$(NORMAL_INSTALL)
$(MAKE) $(AM_MAKEFLAGS) install-data-hook
install-dvi: install-dvi-am
install-dvi-am:
@@ -503,7 +671,7 @@ maintainer-clean-am: distclean-am maintainer-clean-generic
mostlyclean: mostlyclean-am
mostlyclean-am: mostlyclean-generic
mostlyclean-am: mostlyclean-generic mostlyclean-libtool
pdf: pdf-am
@@ -517,25 +685,23 @@ uninstall-am: uninstall-man
uninstall-man: uninstall-man1 uninstall-man8
.MAKE: install-am install-data-am install-strip
.MAKE: install-am install-strip
.PHONY: all all-am check check-am clean clean-generic cscopelist-am \
ctags-am distclean distclean-generic distdir dvi dvi-am html \
html-am info info-am install install-am install-data \
install-data-am install-data-hook install-dvi install-dvi-am \
install-exec install-exec-am install-html install-html-am \
install-info install-info-am install-man install-man1 \
install-man8 install-pdf install-pdf-am install-ps \
install-ps-am install-strip installcheck installcheck-am \
installdirs maintainer-clean maintainer-clean-generic \
mostlyclean mostlyclean-generic pdf pdf-am ps ps-am tags-am \
uninstall uninstall-am uninstall-man uninstall-man1 \
uninstall-man8
.PHONY: all all-am check check-am clean clean-generic clean-libtool \
cscopelist-am ctags-am distclean distclean-generic \
distclean-libtool distdir dvi dvi-am html html-am info info-am \
install install-am install-data install-data-am install-dvi \
install-dvi-am install-exec install-exec-am install-html \
install-html-am install-info install-info-am install-man \
install-man1 install-man8 install-pdf install-pdf-am \
install-ps install-ps-am install-strip installcheck \
installcheck-am installdirs maintainer-clean \
maintainer-clean-generic mostlyclean mostlyclean-generic \
mostlyclean-libtool pdf pdf-am ps ps-am tags-am uninstall \
uninstall-am uninstall-man uninstall-man1 uninstall-man8
.PRECIOUS: Makefile
install-data-hook:
@for i in $(man1_MANS) ; do gzip -f $(DESTDIR)$(man1dir)/$$i ; done
@for i in $(man8_MANS) ; do gzip -f $(DESTDIR)$(man8dir)/$$i ; done
# Tell versions [3.59,3.63) of GNU make to not export all variables.
# Otherwise a system limit (for SysV at least) may be exceeded.

94
install/tools/man/ipa-adtrust-install.1
View File

@@ -16,7 +16,7 @@
.\"
.\" Author: Sumit Bose <sbose@redhat.com>
.\"
.TH "ipa-adtrust-install" "1" "Aug 23 2011" "FreeIPA" "FreeIPA Manual Pages"
.TH "ipa-adtrust-install" "1" "April 11 2017" "FreeIPA" "FreeIPA Manual Pages"
.SH "NAME"
ipa\-adtrust\-install \- Prepare an IPA server to be able to establish trust relationships with AD domains
.SH "SYNOPSIS"
@@ -26,23 +26,47 @@ Adds all necessary objects and configuration to allow an IPA server to create a
trust to an Active Directory domain. This requires that the IPA server is
already installed and configured.
Please note you will not be able to estabilish an trust to an Active Directory
Please note you will not be able to establish a trust to an Active Directory
domain unless the realm name of the IPA server matches its domain name.
ipa\-adtrust\-install can be run multiple times to reinstall deleted objects or
broken configuration files. E.g. a fresh samba configuration (smb.conf file and
broken configuration files. E.g. a fresh samba configuration (smb.conf) file and
registry based configuration can be created. Other items like e.g. the
configuration of the local range cannot be changed by running
ipa\-adtrust\-install a second time because with changes here other objects
might be affected as well.
.SS "Firewall Requirements"
In addition to the IPA server firewall requirements, ipa\-adtrust\-install requires
the following ports to be open to allow IPA and Active Directory to communicate together:
\fBTCP Ports\fR
.IP
\(bu 135/tcp EPMAP
.IP
\(bu 138/tcp NetBIOS-DGM
.IP
\(bu 139/tcp NetBIOS-SSN
.IP
\(bu 445/tcp Microsoft-DS
.IP
\(bu 1024/tcp through 1300/tcp to allow EPMAP on port 135/tcp to create a TCP listener based
on an incoming request.
.IP
\(bu 3268/tcp Microsoft-GC
.TP
\fBUDP Ports\fR
.IP
\(bu 138/udp NetBIOS-DGM
.IP
\(bu 139/udp NetBIOS-SSN
.IP
\(bu 389/udp LDAP
.SH "OPTIONS"
.TP
\fB\-d\fR, \fB\-\-debug\fR
Enable debug logging when more verbose output is needed
.TP
\fB\-\-ip\-address\fR=\fIIP_ADDRESS\fR
The IP address of the IPA server. If not provided then this is determined based on the hostname of the server.
Enable debug logging when more verbose output is needed.
.TP
\fB\-\-netbios\-name\fR=\fINETBIOS_NAME\fR
The NetBIOS name for the IPA domain. If not provided then this is determined
@@ -51,35 +75,8 @@ ipa\-adtrust\-install for a second time with a different NetBIOS name will
change the name. Please note that changing the NetBIOS name might break
existing trust relationships to other domains.
.TP
\fB\-\-no\-msdcs\fR
Do not create DNS service records for Windows in managed DNS server. Since those
DNS service records are the only way to discover domain controllers of other
domains they must be added manually to a different DNS server to allow trust
realationships work properly. All needed service records are listed when
ipa\-adtrust\-install finishes and either \-\-no\-msdcs was given or no IPA DNS
service is configured. Typically service records for the following service names
are needed for the IPA domain which should point to all IPA servers:
.IP
\(bu _ldap._tcp
.IP
\(bu _kerberos._tcp
.IP
\(bu _kerberos._udp
.IP
\(bu _ldap._tcp.dc._msdcs
.IP
\(bu _kerberos._tcp.dc._msdcs
.IP
\(bu _kerberos._udp.dc._msdcs
.IP
\(bu _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs
.IP
\(bu _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs
.IP
\(bu _kerberos._udp.Default-First-Site-Name._sites.dc._msdcs
.TP
\fB\-\-add\-sids\fR
Add SIDs to existing users and groups as a final step of the
Add SIDs to existing users and groups as one of the final steps of the
ipa\-adtrust\-install run. If there a many existing users and groups and a
couple of replicas in the environment this operation might lead to a high
replication traffic and a performance degradation of all IPA servers in the
@@ -88,17 +85,30 @@ ipa\-adtrust\-install is run and scheduled independently. To start this task
you have to load an edited version of ipa-sidgen-task-run.ldif with the
ldapmodify command info the directory server.
.TP
\fB\-U\fR, \fB\-\-unattended\fR
An unattended installation that will never prompt for user input
\fB\-\-add\-agents\fR
Add IPA masters to the list that allows to serve information about
users from trusted forests. Starting with FreeIPA 4.2, a regular IPA master
can provide this information to SSSD clients. IPA masters aren't added
to the list automatically as restart of the LDAP service on each of them
is required. The host where ipa\-adtrust\-install is being run is added
automatically.
.IP
Note that IPA masters where ipa\-adtrust\-install wasn't run, can serve
information about users from trusted forests only if they are enabled
via \ipa-adtrust\-install run on any other IPA master. At least SSSD
version 1.13 on IPA master is required to be able to perform as a trust agent.
.TP
\fB\-U\fR, \fB\-\-rid-base\fR=\fIRID_BASE\fR
First RID value of the local domain. The first Posix ID of the local domain will
\fB\-U\fR, \fB\-\-unattended\fR
An unattended installation that will never prompt for user input.
.TP
\fB\-\-rid-base\fR=\fIRID_BASE\fR
First RID value of the local domain. The first POSIX ID of the local domain will
be assigned to this RID, the second to RID+1 etc. See the online help of the
idrange CLI for details.
.TP
\fB\-U\fR, \fB\-\-secondary-rid-base\fR=\fISECONDARY_RID_BASE\fR
\fB\-\-secondary-rid-base\fR=\fISECONDARY_RID_BASE\fR
Start value of the secondary RID range, which is only used in the case a user
and a group share numerically the same Posix ID. See the online help of the
and a group share numerically the same POSIX ID. See the online help of the
idrange CLI for details.
.TP
\fB\-A\fR, \fB\-\-admin\-name\fR=\fIADMIN_NAME\fR
@@ -107,7 +117,7 @@ The name of the user with administrative privileges for this IPA server. Default
\fB\-a\fR, \fB\-\-admin\-password\fR=\fIpassword\fR
The password of the user with administrative privileges for this IPA server. Will be asked interactively if \fB\-U\fR is not specified.
.TP
The credentials of the admin user will be used to obtain Kerberos ticket before configuring cross-realm trusts support and afterwards, to ensure that the ticket contains MS-PAC information required to actually add a trust with Active Directory domain via 'ipa trust-add --type=ad' command.
The credentials of the admin user will be used to obtain Kerberos ticket before configuring cross-realm trusts support and afterwards, to ensure that the ticket contains MS-PAC information required to actually add a trust with Active Directory domain via 'ipa trust\-add \-\-type=ad' command.
.TP
\fB\-\-enable\-compat\fR
Enables support for trusted domains users for old clients through Schema Compatibility plugin.

17
install/tools/man/ipa-backup.1
View File

@@ -43,10 +43,7 @@ A backup can not be restored in a different version of IPA.
Back up data only. The default is to back up all IPA files plus data.
.TP
\fB\-\-gpg\fR
Encrypt the back up file.
.TP
\fB\-\-gpg\-keyring\fR=\fIGPG_KEYRING\fR
The full path to a GPG keyring. The keyring consists of two files, a public and a private key (.sec and .pub respectively). Specify the path without an extension.
Encrypt the back up file. Set \fBGNUPGHOME\fR environment variable to use a custom keyring and gpg2 configuration.
.TP
\fB\-\-logs\fR
Include the IPA service log files in the backup.
@@ -54,6 +51,9 @@ Include the IPA service log files in the backup.
\fB\-\-online\fR
Perform the backup on\-line. Requires the \-\-data option.
.TP
\fB\-\-disable\-role\-check\fR
Perform the backup even if this host does not have all the roles in use in the cluster. This is not recommended.
.TP
\fB\-\-v\fR, \fB\-\-verbose\fR
Print debugging information
.TP
@@ -69,6 +69,12 @@ Log to the given file
0 if the command was successful
1 if an error occurred
2 if IPA is not configured
.SH "ENVIRONMENT VARIABLES"
.PP
\fBGNUPGHOME\fR
Use custom GnuPG keyring and settings (default: \fB~/.gnupg\fR).
.SH "FILES"
.PP
\fI/var/lib/ipa/backup\fR
@@ -81,4 +87,5 @@ The default directory for storing backup files.
The log file for backups
.PP
.SH "SEE ALSO"
ipa\-restore(1).
.BR ipa\-restore(1)
.BR gpg2(1)

56
install/tools/man/ipa-ca-install.1
View File

@@ -1,5 +1,5 @@
.\" A man page for ipa-replica-install
.\" Copyright (C) 2011 Red Hat, Inc.
.\" A man page for ipa-ca-install
.\" Copyright (C) 2011-2017 Red Hat, Inc.
.\"
.\" This program is free software; you can redistribute it and/or modify
.\" it under the terms of the GNU General Public License as published by
@@ -16,15 +16,19 @@
.\"
.\" Author: Rob Crittenden <rcritten@redhat.com>
.\"
.TH "ipa-ca-install" "1" "Jun 17 2011" "FreeIPA" "FreeIPA Manual Pages"
.TH "ipa-ca-install" "1" "Mar 30 2017" "FreeIPA" "FreeIPA Manual Pages"
.SH "NAME"
ipa\-ca\-install \- Install a CA on a replica
ipa\-ca\-install \- Install a CA on a server
.SH "SYNOPSIS"
ipa\-ca\-install [\fIOPTION\fR]... replica_file
.TP
ipa\-ca\-install [\fIOPTION\fR]...
.SH "DESCRIPTION"
Adds a CA as an IPA\-managed service. This requires that the IPA server is already installed and configured.
The replica_file is created using the ipa\-replica\-prepare utility and should be the same one used when originally installing the replica.
ipa\-ca\-install can be used to upgrade from CA-less to CA-full or to install the CA service on a replica.
Domain level 0 is not supported anymore.
.SH "OPTIONS"
\fB\-d\fR, \fB\-\-debug\fR
Enable debug logging when more verbose output is needed
@@ -35,6 +39,46 @@ Directory Manager (existing master) password
\fB\-w\fR \fIADMIN_PASSWORD\fR, \fB\-\-admin\-password\fR=\fIADMIN_PASSWORD\fR
Admin user Kerberos password used for connection check
.TP
\fB\-\-external\-ca\fR
Generate a CSR for the IPA CA certificate to be signed by an external CA.
.TP
\fB\-\-external\-ca\-type\fR=\fITYPE\fR
Type of the external CA. Possible values are "generic", "ms-cs". Default value is "generic". Use "ms-cs" to include the template name required by Microsoft Certificate Services (MS CS) in the generated CSR (see \fB\-\-external\-ca\-profile\fR for full details).
.TP
\fB\-\-external\-ca\-profile\fR=\fIPROFILE_SPEC\fR
Specify the certificate profile or template to use at the external CA.
When \fB\-\-external\-ca\-type\fR is "ms-cs" the following specifiers may be used:
.RS
.TP
\fB<oid>:<majorVersion>[:<minorVersion>]\fR
Specify a certificate template by OID and major version, optionally also specifying minor version.
.TP
\fB<name>\fR
Specify a certificate template by name. The name cannot contain any \fI:\fR characters and cannot be an OID (otherwise the OID-based template specifier syntax takes precedence).
.TP
\fBdefault\fR
If no template is specified, the template name "SubCA" is used.
.RE
.TP
\fB\-\-external\-cert\-file\fR=\fIFILE\fR
File containing the IPA CA certificate and the external CA certificate chain. The file is accepted in PEM and DER certificate and PKCS#7 certificate chain formats. This option may be used multiple times.
.TP
\fB\-\-ca\-subject\fR=\fISUBJECT\fR
The CA certificate subject DN (default CN=Certificate Authority,O=REALM.NAME). RDNs are in LDAP order (most specific RDN first).
.TP
\fB\-\-subject\-base\fR=\fISUBJECT\fR
The subject base for certificates issued by IPA (default O=REALM.NAME). RDNs are in LDAP order (most specific RDN first).
.TP
\fB\-\-pki\-config\-override\fR=\fIFILE\fR
File containing overrides for CA installation.
.TP
\fB\-\-ca\-signing\-algorithm\fR=\fIALGORITHM\fR
Signing algorithm of the IPA CA certificate. Possible values are SHA1withRSA, SHA256withRSA, SHA512withRSA. Default value is SHA256withRSA. Use this option with --external-ca if the external CA does not support the default signing algorithm.
.TP
\fB\-\-no\-host\-dns\fR
Do not use DNS for hostname lookup during installation
.TP

153
install/tools/man/ipa-cacert-manage.1 Normal file
View File

@@ -0,0 +1,153 @@
.\" A man page for ipa-cacert-manage
.\" Copyright (C) 2014 Red Hat, Inc.
.\"
.\" This program is free software; you can redistribute it and/or modify
.\" it under the terms of the GNU General Public License as published by
.\" the Free Software Foundation, either version 3 of the License, or
.\" (at your option) any later version.
.\"
.\" This program is distributed in the hope that it will be useful, but
.\" WITHOUT ANY WARRANTY; without even the implied warranty of
.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
.\" General Public License for more details.
.\"
.\" You should have received a copy of the GNU General Public License
.\" along with this program. If not, see <http://www.gnu.org/licenses/>.
.\"
.\" Author: Jan Cholasta <jcholast@redhat.com>
.\"
.TH "ipa-cacert-manage" "1" "Aug 12 2013" "FreeIPA" "FreeIPA Manual Pages"
.SH "NAME"
ipa\-cacert\-manage \- Manage CA certificates in IPA
.SH "SYNOPSIS"
\fBipa\-cacert\-manage\fR [\fIOPTIONS\fR...] renew
.br
\fBipa\-cacert\-manage\fR [\fIOPTIONS\fR...] install \fICERTFILE\fR...
.br
\fBipa\-cacert\-manage\fR [\fIOPTIONS\fR...] delete \fINICKNAME\fR
.br
\fBipa\-cacert\-manage\fR [\fIOPTIONS\fR...] list
.SH "DESCRIPTION"
\fBipa\-cacert\-manage\fR can be used to manage CA certificates in IPA.
.SH "COMMANDS"
.TP
\fBrenew\fR
\- Renew the IPA CA certificate
.sp
.RS
This command can be used to manually renew the CA certificate of the IPA CA (NSS database nickname: "caSigningCert cert-pki-ca"). To renew other certificates, use getcert-resubmit(1).
.sp
When the IPA CA is the root CA (the default), it is not usually necessary to manually renew the CA certificate, as it will be renewed automatically when it is about to expire, but you can do so if you wish.
.sp
When the IPA CA is subordinate of an external CA, the renewal process involves submitting a CSR to the external CA and installing the newly issued certificate in IPA, which cannot be done automatically. It is necessary to manually renew the CA certificate in this setup.
.sp
When the IPA CA is not configured, this command is not available.
.RE
.TP
\fBinstall\fR
\- Install one or more CA certificates
.sp
.RS
This command can be used to install the certificates contained in \fICERTFILE\fR as additional CA certificates to IPA.
.sp
Important: this does not replace IPA CA but adds the provided certificate as a known CA. This is useful for instance when using ipa-server-certinstall to replace HTTP/LDAP certificates with third-party certificates signed by this additional CA.
.sp
Please do not forget to run ipa-certupdate on the master, all the replicas and all the clients after this command in order to update IPA certificates databases.
.sp
The supported formats for the certificate files are DER, PEM and PKCS#7 format.
.RE
.TP
\fBdelete\fR
\- Remove a CA certificate
.sp
.RS
Remove a CA from IPA. The nickname of a CA to be removed can be found using the list command. The CA chain is validated before allowing a CA to be removed so leaf certificates in a chain need to be removed first.
.sp
Please do not forget to run ipa-certupdate on the master, all the replicas and all the clients after this command in order to update IPA certificates databases.
.RE
.TP
\fBlist\fR
\- List the stored CA certificates
.sp
.RS
Display a list of the nicknames or subjects of the CA certificates that have been installed.
.RE
.SH "COMMON OPTIONS"
.TP
\fB\-\-version\fR
Show the program's version and exit.
.TP
\fB\-h\fR, \fB\-\-help\fR
Show the help for this program.
.TP
\fB\-p\fR \fIDM_PASSWORD\fR, \fB\-\-password\fR=\fIDM_PASSWORD\fR
The Directory Manager password to use for authentication.
.TP
\fB\-v\fR, \fB\-\-verbose\fR
Print debugging information.
.TP
\fB\-q\fR, \fB\-\-quiet\fR
Output only errors.
.TP
\fB\-\-log\-file\fR=\fIFILE\fR
Log to the given file.
.SH "RENEW OPTIONS"
.TP
\fB\-\-self\-signed\fR
Sign the renewed certificate by itself.
.TP
\fB\-\-external\-ca\fR
Sign the renewed certificate by external CA.
.TP
\fB\-\-external\-ca\-type\fR=\fITYPE\fR
Type of the external CA. Possible values are "generic", "ms-cs". Default value is "generic". Use "ms-cs" to include the template name required by Microsoft Certificate Services (MS CS) in the generated CSR (see \fB\-\-external\-ca\-profile\fR for full details).
.TP
\fB\-\-external\-ca\-profile\fR=\fIPROFILE_SPEC\fR
Specify the certificate profile or template to use at the external CA.
When \fB\-\-external\-ca\-type\fR is "ms-cs" the following specifiers may be used:
.RS
.TP
\fB<oid>:<majorVersion>[:<minorVersion>]\fR
Specify a certificate template by OID and major version, optionally also specifying minor version.
.TP
\fB<name>\fR
Specify a certificate template by name. The name cannot contain any \fI:\fR characters and cannot be an OID (otherwise the OID-based template specifier syntax takes precedence).
.TP
\fBdefault\fR
If no template is specified, the template name "SubCA" is used.
.RE
.TP
\fB\-\-external\-cert\-file\fR=\fIFILE\fR
File containing the IPA CA certificate and the external CA certificate chain. The file is accepted in PEM and DER certificate and PKCS#7 certificate chain formats. This option may be used multiple times.
.SH "INSTALL OPTIONS"
.TP
\fB\-n\fR \fINICKNAME\fR, \fB\-\-nickname\fR=\fINICKNAME\fR
Nickname for the certificate. Applicable only when a single certificate is being installed.
.TP
\fB\-t\fR \fITRUST_FLAGS\fR, \fB\-\-trust\-flags\fR=\fITRUST_FLAGS\fR
Trust flags for the certificate in certutil format. Trust flags are of the form "A,B,C" or "A,B,C,D" where A is for SSL, B is for S/MIME, C is for code signing, and D is for PKINIT. Use ",," for no explicit trust.
.sp
The supported trust flags are:
.RS
.IP
C \- CA trusted to issue server certificates
.IP
T \- CA trusted to issue client certificates
.IP
p \- not trusted
.RE
.SH "DELETE OPTIONS"
.TP
\fB\-f\fR, \fB\-\-force\fR
Force a CA certificate to be removed even if chain validation fails.
.SH "EXIT STATUS"
0 if the command was successful
1 if an error occurred
.SH "SEE ALSO"
.BR getcert-resubmit(1)

66
install/tools/man/ipa-cert-fix.1 Normal file
View File

@@ -0,0 +1,66 @@
.\"
.\" Copyright (C) 2019 FreeIPA Contributors see COPYING for license
.\"
.TH "ipa-cert-fix" "1" "Mar 25 2019" "FreeIPA" "FreeIPA Manual Pages"
.SH "NAME"
ipa\-cert\-fix \- Renew expired certificates
.SH "SYNOPSIS"
ipa\-cert\-fix [options]
.SH "DESCRIPTION"
\fIipa-cert-fix\fR is a tool for recovery when expired certificates
prevent the normal operation of FreeIPA. It should ONLY be used in
such scenarios, and backup of the system, especially certificates
and keys, is \fBSTRONGLY RECOMMENDED\fR.
Do not use this program unless expired certificates are inhibiting
normal operation and renewal procedures.
To renew the IPA CA certificate, use \fIipa-cacert-manage(1)\fR.
This tool cannot renew certificates signed by external CAs. To
install new, externally-signed HTTP, LDAP or KDC certificates, use
\fIipa-server-certinstall(1)\fR.
\fIipa-cert-fix\fR will examine FreeIPA and Certificate System
certificates and renew certificates that are expired, or close to
expiry (less than two weeks). If any "shared" certificates are
renewed, \fIipa-cert-fix\fR will set the current server to be the CA
renewal master, and add the new shared certificate(s) to LDAP for
replication to other CA servers. Shared certificates include all
Dogtag system certificates except the HTTPS certificate, and the IPA
RA certificate.
To repair certificates across multiple CA servers, first ensure that
LDAP replication is working across the topology. Then run
\fIipa-cert-fix\fR on one CA server. Before running
\fIipa-cert-fix\fR on another CA server, trigger Certmonger renewals
for shared certificates via \fIgetcert-resubmit(1)\fR (on the other
CA server). This is to avoid unnecessary renewal of shared
certificates.
.SH "OPTIONS"
.TP
\fB\-\-version\fR
Show the program's version and exit.
.TP
\fB\-h\fR, \fB\-\-help\fR
Show the help for this program.
.TP
\fB\-v\fR, \fB\-\-verbose\fR
Print debugging information.
.TP
\fB\-q\fR, \fB\-\-quiet\fR
Output only errors (output from child processes may still be shown).
.TP
\fB\-\-log\-file\fR=\fIFILE\fR
Log to the given file.
.SH "EXIT STATUS"
0 if the command was successful
1 if an error occurred
.SH "SEE ALSO"
.BR ipa-cacert-manage(1)
.BR ipa-server-certinstall(1)
.BR getcert-resubmit(1)

47
install/tools/man/ipa-crlgen-manage.1 Normal file
View File

@@ -0,0 +1,47 @@
.\"
.\" Copyright (C) 2019 FreeIPA Contributors see COPYING for license
.\"
.TH "ipa-crlgen-manage" "1" "Feb 12 2019" "FreeIPA" "FreeIPA Manual Pages"
.SH "NAME"
ipa\-crlgen\-manage \- Enables or disables CRL generation
.SH "SYNOPSIS"
ipa\-crlgen\-manage [options] <enable|disable|status>
.SH "DESCRIPTION"
Run the command with the \fBenable\fR option to enable CRL generation on the
local host. This requires that the IPA server is already installed and
configured, including a CA. The command will restart Dogtag and Apache.
Run the command with the \fBdisable\fR option to disable CRL generation on the
local host. The command will restart Dogtag and Apache.
Run the command with the \fBstatus\fR option to determine the current status
of CRL generation. If the local host is configured for CRL generation, the
command also prints the last CRL generation date and number.
Important: the administrator must ensure that there is only one IPA server
generating CRLs. In order to transfer the CRL generation from one server to
another, please run \fBipa-crlgen-manage disable\fR on the current CRL
generation master, followed by \fBipa-crlgen-manage enable\fR on the new
CRL generation master.
.SH "OPTIONS"
.TP
\fB\-\-version\fR
Show the program's version and exit.
.TP
\fB\-h\fR, \fB\-\-help\fR
Show the help for this program.
.TP
\fB\-v\fR, \fB\-\-verbose\fR
Print debugging information.
.TP
\fB\-q\fR, \fB\-\-quiet\fR
Output only errors.
.TP
\fB\-\-log\-file\fR=\fIFILE\fR
Log to the given file.
.SH "EXIT STATUS"
0 if the command was successful
1 if an error occurred
2 if the local host is not an IPA server

17
install/tools/man/ipa-csreplica-manage.1
View File

@@ -22,16 +22,20 @@ ipa\-csreplica\-manage \- Manage an IPA CS replica
.SH "SYNOPSIS"
ipa\-csreplica\-manage [\fIOPTION\fR]... [connect|disconnect|del|list|re\-initialize|force\-sync]
.SH "DESCRIPTION"
Manages the CA replication agreements of an IPA server.
Manages the CA replication agreements of an IPA server for domain at domain level 0.
To manage CA replication agreements in a domain at domain level 1, use IPA CLI or Web UI, see `ipa help topology` for additional information.
.TP
\fBconnect\fR [SERVER_A] <SERVER_B>
\- Adds a new replication agreement between SERVER_A/localhost and SERVER_B
\- Adds a new replication agreement between SERVER_A/localhost and SERVER_B. Applicable only at domain level 0.
.TP
\fBdisconnect\fR [SERVER_A] <SERVER_B>
\- Removes a replication agreement between SERVER_A/localhost and SERVER_B
\- Removes a replication agreement between SERVER_A/localhost and SERVER_B. Applicable only at domain level 0.
.TP
\fBdel\fR <SERVER>
\- Removes all replication agreements and data about SERVER
\- Removes all replication agreements and data about SERVER. Applicable only at domain level 0.
.TP
\fBlist\fR [SERVER]
\- Lists all the servers or the list of agreements of SERVER
@@ -86,9 +90,12 @@ Add a new replication agreement:
Remove an existing replication agreement:
# ipa\-csreplica\-manage disconnect srv1.example.com srv3.example.com
.TP
Completely remove a replica:
Completely remove a replica at domain level 0:
# ipa\-csreplica\-manage del srv4.example.com
.TP
Completely remove a replica at domain level 1:
# ipa\-replica\-manage del srv4.example.com
.TP
Using connect/disconnect you can manage the replication topology.
.SH "EXIT STATUS"
0 if the command was successful

64
install/tools/man/ipa-dns-install.1
View File

@@ -1,20 +1,5 @@
.\" A man page for ipa-dns-install
.\" Copyright (C) 2010 Red Hat, Inc.
.\"
.\" This program is free software; you can redistribute it and/or modify
.\" it under the terms of the GNU General Public License as published by
.\" the Free Software Foundation, either version 3 of the License, or
.\" (at your option) any later version.
.\"
.\" This program is distributed in the hope that it will be useful, but
.\" WITHOUT ANY WARRANTY; without even the implied warranty of
.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
.\" General Public License for more details.
.\"
.\" You should have received a copy of the GNU General Public License
.\" along with this program. If not, see <http://www.gnu.org/licenses/>.
.\"
.\" Author: Rob Crittenden <rcritten@redhat.com>
.\" Copyright (C) 2010-2016 FreeIPA Contributors see COPYING for license
.\"
.TH "ipa-dns-install" "1" "Jun 28, 2012" "FreeIPA" "FreeIPA Manual Pages"
.SH "NAME"
@@ -22,17 +7,23 @@ ipa\-dns\-install \- Add DNS as a service to an IPA server
.SH "SYNOPSIS"
ipa\-dns\-install [\fIOPTION\fR]...
.SH "DESCRIPTION"
Adds DNS as an IPA\-managed service. This requires that the IPA server is already installed and configured.
Configure an integrated DNS server on this IPA server, create DNS zone with the name of the IPA primary DNS domain, and fill it in with service records necessary for IPA deployment.
In cases where the IPA server name does not belong to the primary DNS domain and is not resolvable using DNS, create a DNS zone containing the IPA server name as well.
IPA provides an integrated DNS server which can be used to simplify IPA deployment. If you decide to use it, IPA will automatically maintain SRV and other service records when you change your topology.
The DNS component in FreeIPA is optional and you may choose to manage all your DNS records manually on another third party DNS server. IPA DNS is not a general-purpose DNS server. If you need advanced features like DNS views, do not deploy IPA DNS.
This command requires that an IPA server is already installed and configured.
.SH "OPTIONS"
.TP
\fB\-p\fR \fIDM_PASSWORD\fR, \fB\-\-ds\-password\fR=\fIDM_PASSWORD\fR
The password to be used by the Directory Server for the Directory Manager user
.TP
\fB\-d\fR, \fB\-\-debug\fR
Enable debug logging when more verbose output is needed
.TP
\fB\-\-ip\-address\fR=\fIIP_ADDRESS\fR
The IP address of the IPA server. If not provided then this is determined based on the hostname of the server.
This option can be used multiple times to specify more IP addresses of the server (e.g. multihomed and/or dualstacked server).
.TP
\fB\-\-forwarder\fR=\fIFORWARDER\fR
A forwarder is a DNS server where queries for a specific non\-resolvable address can be directed. To define multiple forwarders use multiple instances of \fB\-\-forwarder\fR
@@ -40,17 +31,48 @@ A forwarder is a DNS server where queries for a specific non\-resolvable address
\fB\-\-no\-forwarders\fR
Do not add any DNS forwarders, send non\-resolvable addresses to the DNS root servers.
.TP
\fB\-\-auto\-forwarders\fR
Add DNS forwarders configured in /etc/resolv.conf to the list of forwarders used by IPA DNS.
.TP
\fB\-\-forward\-policy\fR=\fIfirst|only\fR
DNS forwarding policy for global forwarders specified using other options.
Defaults to first if no IP address belonging to a private or reserved ranges is
detected on local interfaces (RFC 6303). Defaults to only if a private
IP address is detected.
.TP
\fB\-\-reverse\-zone\fR=\fIREVERSE_ZONE\fR
The reverse DNS zone to use
The reverse DNS zone to use. This option can be used multiple times to specify multiple reverse zones.
.TP
\fB\-\-no\-reverse\fR
Do not create new reverse DNS zone. If used on a replica and a reverse DNS zone already exists for the subnet, it will be used.
.TP
\fB\-\-auto\-reverse\fR
Try to resolve reverse records and reverse zones for server IP addresses and if neither is resolvable creates these reverse zones.
.TP
\fB\-\-no\-dnssec\-validation\fR
Disable DNSSEC validation on this server.
.TP
\fB\-\-dnssec\-master\fR
Setup server to be DNSSEC key master.
.TP
\fB\-\-disable\-dnssec\-master\fR
Disable the DNSSEC master on this server.
.TP
\fB\-\-kasp\-db\fR=\fIKASP_DB\fR
Copy OpenDNSSEC metadata from the specified kasp.db file. This will not create a new kasp.db file.
.TP
\fB\-\-zonemgr\fR
The e\-mail address of the DNS zone manager. Defaults to hostmaster@DOMAIN
.TP
\fB\-\-allow\-zone\-overlap\fR
Allow creatin of (reverse) zone even if the zone is already resolvable. Using this option is discouraged as it result in later problems with domain name resolution.
.TP
\fB\-U\fR, \fB\-\-unattended\fR
An unattended installation that will never prompt for user input
.SH "DEPRECATED OPTIONS"
.TP
\fB\-p\fR \fIDM_PASSWORD\fR, \fB\-\-ds\-password\fR=\fIDM_PASSWORD\fR
The password to be used by the Directory Server for the Directory Manager user
.SH "EXIT STATUS"
0 if the installation was successful

60
install/tools/man/ipa-kra-install.1 Normal file
View File

@@ -0,0 +1,60 @@
.\" A man page for ipa-kra-install
.\" Copyright (C) 2014 Red Hat, Inc.
.\"
.\" This program is free software; you can redistribute it and/or modify
.\" it under the terms of the GNU General Public License as published by
.\" the Free Software Foundation, either version 3 of the License, or
.\" (at your option) any later version.
.\"
.\" This program is distributed in the hope that it will be useful, but
.\" WITHOUT ANY WARRANTY; without even the implied warranty of
.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
.\" General Public License for more details.
.\"
.\" You should have received a copy of the GNU General Public License
.\" along with this program. If not, see <http://www.gnu.org/licenses/>.
.\"
.\" Author: Ade Lee <alee@redhat.com>
.\"
.TH "ipa-kra-install" "1" "May 10 2017" "FreeIPA" "FreeIPA Manual Pages"
.SH "NAME"
ipa\-kra\-install \- Install a KRA on a server
.SH "SYNOPSIS"
.TP
ipa\-kra\-install [\fIOPTION\fR]...
.SH "DESCRIPTION"
Adds a KRA as an IPA\-managed service. This requires that the IPA server is already installed and configured, including a CA.
The KRA (Key Recovery Authority) is a component used to securely store secrets such as passwords, symmetric keys and private asymmetric keys. It is used as the back-end repository for the IPA Password Vault.
Domain level 0 is not supported anymore.
ipa\-kra\-install can be used to add KRA to the existing CA, or to install the KRA service on a replica.
KRA can only be removed along with the entire server using ipa\-server\-install \-\-uninstall.
.SH "OPTIONS"
.TP
\fB\-p\fR \fIDM_PASSWORD\fR, \fB\-\-password\fR=\fIDM_PASSWORD\fR
Directory Manager (existing master) password
.TP
\fB\-\-no-host-dns\fR
Do not use DNS for hostname lookup during installation
.TP
\fB\-U\fR, \fB\-\-unattended\fR
An unattended installation that will never prompt for user input
.TP
\fB\-v\fR, \fB\-\-verbose\fR
Enable debug output when more verbose output is needed
.TP
\fB\-q\fR, \fB\-\-quiet\fR
Output only errors
.TP
\fB\-\-log-file\fR=\fRFILE\fR
Log to the given file
.TP
\fB\-\-pki\-config\-override\fR=\fIFILE\fR
File containing overrides for KRA installation.
.SH "EXIT STATUS"
0 if the command was successful
1 if an error occurred

49
install/tools/man/ipa-ldap-updater.1
View File

@@ -21,11 +21,8 @@
ipa\-ldap\-updater \- Update the IPA LDAP configuration
.SH "SYNOPSIS"
ipa\-ldap\-updater [options] input_file(s)
ipa\-ldap\-updater [options]
.SH "DESCRIPTION"
ipa\-ldap\-updater is used to apply updates to the IPA LDAP server when the IPA packages are being updated. It is not intended to be executed by end\-users.
When run with no file arguments, ipa\-ldap\-updater will process all files with the extension .update in /usr/share/ipa/updates.
ipa\-ldap\-updater is utility which can be used to update the IPA LDAP server.
An update file describes an LDAP entry and a set of operations to be performed on that entry. It can be used to add new entries or modify existing entries.
@@ -34,17 +31,15 @@ Blank lines and lines beginning with # are ignored.
There are 7 keywords:
* default: the starting value
* add: add a value (or values) to an attribute
* remove: remove a value (or values) from an attribute
* add: add a value to an attribute
* remove: remove a value from an attribute
* only: set an attribute to this
* onlyifexist: set an attribute to this only if the entry exists
* deleteentry: remove the entry
* replace: replace an existing value, format is old: new
* replace: replace an existing value, format is old::new
* addifnew: add a new attribute and value only if the attribute doesn't already exist. Only works with single\-value attributes.
* addifexist: add a new attribute and value only if the entry exists. This is used to update optional entries.
Values is a comma\-separated field so multi\-values may be added at one time. Double or single quotes may be put around individual values that contain embedded commas.
The difference between the default and add keywords is if the DN of the entry exists then default is ignored. So for updating something like schema, which will be under cn=schema, you must always use add (because cn=schema is guaranteed to exist). It will not re\-add the same information again and again.
It also provides some things that can be templated such as architecture (for plugin paths), realm and domain name.
@@ -59,6 +54,12 @@ The available template variables are:
* $LIBARCH \- set to 64 on x86_64 systems to be used for plugin paths
* $TIME \- an integer representation of current time
For base64 encoded values a double colon ('::') must be used between attribute and value.
Base64 format examples:
add:binaryattr::d2UgbG92ZSBiYXNlNjQ=
replace:binaryattr::SVBBIGlzIGdyZWF0::SVBBIGlzIHJlYWxseSBncmVhdA==
A few rules:
1. Only one rule per line
@@ -69,11 +70,15 @@ A few rules:
6. If a DN does exist the default values are skipped
7. Only the first rule on a line is respected
Adds and updates are applied from shortest to longest length of DN. Deletes are done from longest to shortest.
ipa-ldap-updater allows to execute update plugins.
Plugins to be executed are specified with following keyword, in update files:
* plugin: name of plugin
This keyword is not bounded to DN, and plugin names have to be registered in API.
Additionally, ipa-ldap-updater can update the schema based on LDIF files.
Any missing object classes and attribute types are added, and differing ones are updated to match the LDIF file.
To enable this behavior, use the \-\-schema or \-\-schema-file options.
To enable this behavior, use the \-\-schema-file options.
Schema files should be in LDIF format, and may only specify attributeTypes and objectClasses attributes of cn=schema.
.SH "OPTIONS"
@@ -81,26 +86,8 @@ Schema files should be in LDIF format, and may only specify attributeTypes and o
\fB\-d\fR, \fB\-\-debug\fR
Enable debug logging when more verbose output is needed
.TP
\fB\-t\fR, \fB\-\-test\fR
Run through the update without changing anything. If changes are available then the command returns 2. If no updates are available it returns 0.
.TP
\fB\-y\fR
File containing the Directory Manager password
.TP
\fB\-l\fR, \fB\-\-ldapi\fR
Connect to the LDAP server using the ldapi socket
.TP
\fB\-p\fR, \fB\-\-plugins\fR
Execute update plugins as well as any update files. There is no way to execute only the plugins.
.TP
\fB\-u\fR, \fB\-\-upgrade\fR
Upgrade an installed server in offline mode (implies \-\-ldapi, \-\-plugins, and \-\-schema)
.TP
\fB\-W\fR, \fB\-\-password\fR
Prompt for the Directory Manager password
.TP
\fB\-s\fR, \fB\-\-schema\fR
Also update the LDAP schema. If no \-\-schema-file is specified, update to the built-in IPA schema.
Upgrade an installed server in offline mode (implies \-\-schema)
.TP
\fB\-S\fR, \fB\-\-schema\-file\fR
Specify a schema file. May be used multiple times. Implies \-\-schema.
@@ -108,5 +95,3 @@ Specify a schema file. May be used multiple times. Implies \-\-schema.
0 if the command was successful
1 if an error occurred
2 if run with in test mode (\-t) and updates are available

14
install/tools/man/ipa-nis-manage.1
View File

@@ -16,17 +16,19 @@
.\"
.\" Author: Rob Crittenden <rcritten@redhat.com>
.\"
.TH "ipa-nis-manage" "1" "May 6 2009" "FreeIPA" "FreeIPA Manual Pages"
.TH "ipa-nis-manage" "1" "April 25 2016" "FreeIPA" "FreeIPA Manual Pages"
.SH "NAME"
ipa\-nis\-manage \- Enables or disables the NIS listener plugin
.SH "SYNOPSIS"
ipa\-nis\-manage [options] <enable|disable>
ipa\-nis\-manage [options] <enable|disable|status>
.SH "DESCRIPTION"
Run the command with the \fBenable\fR option to enable the NIS plugin.
Run the command with the \fBdisable\fR option to disable the compat plugin.
Run the command with the \fBdisable\fR option to disable the NIS plugin.
In both cases the user will be prompted to provide the Directory Manager's password unless option \fB\-y\fR is used.
Run the command with the \fBstatus\fR option to read status of the NIS plugin. Return code 0 indicates enabled plugin, return code 4 indicates disabled plugin.
In all cases the user will be prompted to provide the Directory Manager's password unless option \fB\-y\fR is used.
Directory Server will need to be restarted after the NIS listener plugin has been enabled.
@@ -43,3 +45,7 @@ File containing the Directory Manager password
1 if an error occurred
2 if the plugin is already in the required status (enabled or disabled)
3 if RPC services cannot be enabled.
4 if status command detected plugin in disabled state.

34
install/tools/man/ipa-pkinit-manage.1 Normal file
View File

@@ -0,0 +1,34 @@
.\"
.\" Copyright (C) 2017 FreeIPA Contributors see COPYING for license
.\"
.TH "ipa-pkinit-manage" "1" "Jun 05 2017" "FreeIPA" "FreeIPA Manual Pages"
.SH "NAME"
ipa\-pkinit\-manage \- Enables or disables PKINIT
.SH "SYNOPSIS"
ipa\-pkinit\-manage [options] <enable|disable|status>
.SH "DESCRIPTION"
Run the command with the \fBenable\fR option to enable PKINIT.
Run the command with the \fBdisable\fR option to disable PKINIT.
Run the command with the \fBstatus\fR to determine the current status of PKINIT.
.SH "OPTIONS"
.TP
\fB\-\-version\fR
Show the program's version and exit.
.TP
\fB\-h\fR, \fB\-\-help\fR
Show the help for this program.
.TP
\fB\-v\fR, \fB\-\-verbose\fR
Print debugging information.
.TP
\fB\-q\fR, \fB\-\-quiet\fR
Output only errors.
.TP
\fB\-\-log\-file\fR=\fIFILE\fR
Log to the given file.
.SH "EXIT STATUS"
0 if the command was successful
1 if an error occurred

10
install/tools/man/ipa-replica-conncheck.1
View File

@@ -40,7 +40,7 @@ Automatically log in to master machine and execute the master machine part of th
The Kerberos realm name for the IPA server
.TP
\fB\-k\fR \fIKDC\fR, \fB\-\-kdc\fR=\fIKDC\fR
KDC server address. Defaults t \fIMASTER\fR
KDC server address. Defaults to \fIMASTER\fR
.TP
\fB\-p\fR \fIPRINCIPAL\fR, \fB\-\-principal\fR=\fIPRINCIPAL\fR
Authorized Kerberos principal to use to log in to master machine. Defaults to \fIadmin\fR
@@ -60,7 +60,7 @@ Remote replica machine address
Include in a check also a set of dogtag connection requirements. Only needed when the master was installed with Dogtag 9 or lower.
.TP
\fB\-h\fR \fIHOSTNAME\fR, \fB\-\-hostname\fR=\fIHOSTNAME\fR
The hostname of this server (FQDN). By default a nodename from uname(2) is used
The hostname of this server (FQDN). By default the result of getfqdn() call from Python's socket module is used.
.TP
\fB\-d\fR, \fB\-\-debug\fR
Print debugging information
@@ -70,13 +70,13 @@ Output only errors
.SH "EXAMPLES"
.TP
\fBipa-replica-conncheck -m master.example.com\fR
\fBipa\-replica\-conncheck \-m master.example.com\fR
Run a replica machine connection check against a remote master \fImaster.example.com\fR. If the connection to the remote master machine is successful the program will switch to listening mode and prompt for running the master machine part. The second part check the connection from master to replica.
.TP
\fBipa-replica-conncheck -R replica.example.com\fR
\fBipa\-replica\-conncheck \-R replica.example.com\fR
Run a master machine connection check part. This is either run automatically by replica part of the connection check program (when \fI-a\fR option is set) or manually by the user. A running ipa-replica-conncheck(1) in a listening mode must be already running on a replica machine.
.TP
\fBipa-replica-conncheck -m master.example.com -a -r EXAMPLE.COM -w password\fR
\fBipa\-replica\-conncheck \-m master.example.com \-a \-r EXAMPLE.COM \-w password\fR
Run a replica\-master connection check. In case of a success switch to listening mode, automatically log to \fImaster.example.com\fR in a realm \fIEXAMPLE.COM\fR with a password \fIpassword\fR and run the second part of the connection check.
.SH "EXIT STATUS"

235
install/tools/man/ipa-replica-install.1
View File

@@ -1,57 +1,84 @@
.\" A man page for ipa-replica-install
.\" Copyright (C) 2008-2012 Red Hat, Inc.
.\" Copyright (C) 2008-2016 FreeIPA Contributors see COPYING for license
.\"
.\" This program is free software; you can redistribute it and/or modify
.\" it under the terms of the GNU General Public License as published by
.\" the Free Software Foundation, either version 3 of the License, or
.\" (at your option) any later version.
.\"
.\" This program is distributed in the hope that it will be useful, but
.\" WITHOUT ANY WARRANTY; without even the implied warranty of
.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
.\" General Public License for more details.
.\"
.\" You should have received a copy of the GNU General Public License
.\" along with this program. If not, see <http://www.gnu.org/licenses/>.
.\"
.\" Author: Rob Crittenden <rcritten@redhat.com>
.\"
.TH "ipa-replica-install" "1" "May 16 2012" "FreeIPA" "FreeIPA Manual Pages"
.TH "ipa-replica-install" "1" "Dec 19 2016" "FreeIPA" "FreeIPA Manual Pages"
.SH "NAME"
ipa\-replica\-install \- Create an IPA replica
.SH "SYNOPSIS"
ipa\-replica\-install [\fIOPTION\fR]... replica_file
.TP
ipa\-replica\-install [\fIOPTION\fR]...
.SH "DESCRIPTION"
Configures a new IPA server that is a replica of the server that generated it. Once it has been created it is an exact copy of the original IPA server and is an equal master. Changes made to any master are automatically replicated to other masters.
Configures a new IPA server that is a replica of the server. Once it has been created it is an exact copy of the original IPA server and is an equal master. Changes made to any master are automatically replicated to other masters.
The replica_file is created using the ipa\-replica\-prepare utility.
Domain level 0 is not supported anymore.
If the installation fails you may need to run ipa\-server\-install \-\-uninstall before running ipa\-replica\-install again.
To create a replica, the machine only needs to be enrolled in the FreeIPA domain first. This process of turning the IPA client into a replica is also referred to as replica promotion.
If you're starting with an existing IPA client, simply run ipa\-replica\-install to have it promoted into a replica. The NTP configuration cannot be updated during client promotion.
To promote a blank machine into a replica, you have two options, you can either run ipa\-client\-install in a separate step, or pass the enrollment related options to the ipa\-replica\-install (see CLIENT ENROLLMENT OPTIONS). In the latter case, ipa\-replica\-install will join the machine to the IPA realm automatically and will proceed with the promotion step.
If the installation fails you may need to run ipa\-server\-install \-\-uninstall and ipa\-client\-install before running ipa\-replica\-install again.
The installation will fail if the host you are installing the replica on exists as a host in IPA or an existing replication agreement exists (for example, from a previously failed installation).
A replica should only be installed on the same or higher version of IPA on the remote system.
.SH "OPTIONS"
.SS "BASIC OPTIONS"
.SS "OPTIONS"
.TP
\fB\-\-setup\-ca\fR
Install and configure a CA on this replica. If a CA is not configured then
certificate operations will be forwarded to a master with a CA installed.
\fB\-P\fR, \fB\-\-principal\fR
The user principal which will be used to promote the client to the replica and enroll the client itself, if necessary.
.TP
\fB\-w\fR, \fB\-\-admin\-password\fR
The Kerberos password for the given principal.
.SS "CLIENT ENROLLMENT OPTIONS"
To install client and promote it to replica using a host keytab or One Time Password, the host needs to be a member of ipaservers group. This requires to create a host entry and add it to the host group prior replica installation.
\-\-server, \-\-domain, \-\-realm options are autodiscovered via DNS records by default. See manual page
.BR ipa\-client\-install (1)
for further details about these options.
.TP
\fB\-p\fR \fIPASSWORD\fR, \fB\-\-password\fR=\fIPASSWORD\fR
One Time Password for joining a machine to the IPA realm.
.TP
\fB\-k\fR, \fB\-\-keytab\fR
Path to host keytab.
.TP
\fB\-\-server\fR
The fully qualified domain name of the IPA server to enroll to. The IPA server must provide the CA role if \fB\-\-setup-ca\fR option is specified, and the KRA role if \fB\-\-setup-kra\fR option is specified.
.TP
\fB\-n\fR, \fB\-\-domain\fR=\fIDOMAIN\fR
The primary DNS domain of an existing IPA deployment, e.g. example.com.
This DNS domain should contain the SRV records generated by the IPA server installer.
.TP
\fB\-r\fR, \fB\-\-realm\fR=\fIREALM_NAME\fR
The Kerberos realm of an existing IPA deployment.
.TP
\fB\-\-hostname\fR
The hostname of this machine (FQDN). If specified, the hostname will be set and the system configuration will be updated to persist over reboot.
.TP
\fB\-\-force\-join\fR
Join the host even if it is already enrolled.
.SS "BASIC OPTIONS"
.TP
\fB\-\-ip\-address\fR=\fIIP_ADDRESS\fR
The IP address of this server. If this address does not match the address the host resolves to and \-\-setup\-dns is not selected the installation will fail. If the server hostname is not resolvable, a record for the hostname and IP_ADDRESS is added to /etc/hosts.
.TP
\fB\-p\fR \fIDM_PASSWORD\fR, \fB\-\-password\fR=\fIDM_PASSWORD\fR
Directory Manager (existing master) password
.TP
\fB\-w\fR \fIADMIN_PASSWORD\fR, \fB\-\-admin\-password\fR=\fIADMIN_PASSWORD\fR
Admin user Kerberos password used for connection check
This option can be used multiple times to specify more IP addresses of the server (e.g. multihomed and/or dualstacked server).
.TP
\fB\-\-mkhomedir\fR
Create home directories for users on their first login
.TP
\fB\-\-ntp\-server\fR=\fINTP_SERVER\fR
Configure chronyd to use this NTP server. This option can be used multiple times and it is used to specify exactly one time server.
.TP
\fB\-\-ntp\-pool\fR=\fINTP_SERVER_POOL\fR
Configure chronyd to use this NTP server pool. This option is meant to be pool of multiple servers resolved as one host name. This pool's servers may vary but pool address will be still same and chrony will choose only one server from this pool.
.TP
\fB\-N\fR, \fB\-\-no\-ntp\fR
Do not configure NTP
Do not configure NTP client (chronyd).
.TP
\fB\-\-no\-ui\-redirect\fR
Do not automatically redirect to the Web UI.
@@ -73,21 +100,72 @@ Enable debug logging when more verbose output is needed
.TP
\fB\-U\fR, \fB\-\-unattended\fR
An unattended installation that will never prompt for user input
.TP
\fB\-\-dirsrv\-config\-file\fR
The path to LDIF file that will be used to modify configuration of dse.ldif during installation of the directory server instance
.SS "CERTIFICATE SYSTEM OPTIONS"
.TP
\fB\-\-setup\-ca\fR
Install and configure a CA on this replica. If a CA is not configured then
certificate operations will be forwarded to a master with a CA installed.
.TP
\fB\-\-no\-pkinit\fR
Disables pkinit setup steps
Disables pkinit setup steps.
.TP
\fB\-\-dirsrv\-cert\-file\fR=FILE
File containing the Directory Server SSL certificate and private key
.TP
\fB\-\-http\-cert\-file\fR=FILE
File containing the Apache Server SSL certificate and private key
.TP
\fB\-\-pkinit\-cert\-file\fR=FILE
File containing the Kerberos KDC SSL certificate and private key
.TP
\fB\-\-dirsrv\-pin\fR=PIN
The password to unlock the Directory Server private key
.TP
\fB\-\-http\-pin\fR=PIN
The password to unlock the Apache Server private key
.TP
\fB\-\-pkinit\-pin\fR=PIN
The password to unlock the Kerberos KDC private key
.TP
\fB\-\-dirsrv\-cert\-name\fR=NAME
Name of the Directory Server SSL certificate to install
.TP
\fB\-\-http\-cert\-name\fR=NAME
Name of the Apache Server SSL certificate to install
.TP
\fB\-\-pkinit\-cert\-name\fR=NAME
Name of the Kerberos KDC SSL certificate to install
.TP
\fB\-\-pki\-config\-override\fR=\fIFILE\fR
File containing overrides for CA and KRA installation.
.TP
\fB\-\-skip\-schema\-check\fR
Skip check for updated CA DS schema on the remote master
.SS "SECRET MANAGEMENT OPTIONS"
.TP
\fB\-\-setup\-kra\fR
Install and configure a KRA on this replica. If a KRA is not configured then
vault operations will be forwarded to a master with a KRA installed.
.SS "DNS OPTIONS"
.TP
\fB\-\-setup\-dns\fR
Generate a DNS zone if it does not exist already and configure the DNS server.
Configure an integrated DNS server, create a primary DNS zone (name specified by \-\-domain or taken from an existing deployment), and fill it with service records necessary for IPA deployment.
In cases where the IPA server name does not belong to the primary DNS domain and is not resolvable using DNS, create a DNS zone containing the IPA server name as well.
This option requires that you either specify at least one DNS forwarder through
the \fB\-\-forwarder\fR option or use the \fB\-\-no\-forwarders\fR option.
Note that you can set up a DNS at any time after the initial IPA server install by running
.B ipa-dns-install
(see
.BR ipa-dns-install (1)).
IPA DNS cannot be uninstalled.
.TP
\fB\-\-forwarder\fR=\fIIP_ADDRESS\fR
Add a DNS forwarder to the DNS configuration. You can use this option multiple
@@ -97,21 +175,108 @@ the \fB\-\-no\-forwarders\fR option is specified.
\fB\-\-no\-forwarders\fR
Do not add any DNS forwarders. Root DNS servers will be used instead.
.TP
\fB\-\-auto\-forwarders\fR
Add DNS forwarders configured in /etc/resolv.conf to the list of forwarders used by IPA DNS.
.TP
\fB\-\-forward\-policy\fR=\fIfirst|only\fR
DNS forwarding policy for global forwarders specified using other options.
Defaults to first if no IP address belonging to a private or reserved ranges is
detected on local interfaces (RFC 6303). Defaults to only if a private
IP address is detected.
.TP
\fB\-\-reverse\-zone\fR=\fIREVERSE_ZONE\fR
The reverse DNS zone to use
The reverse DNS zone to use. This option can be used multiple times to specify multiple reverse zones.
.TP
\fB\-\-no\-reverse\fR
Do not create new reverse DNS zone. If a reverse DNS zone already exists for the subnet, it will be used.
.TP
\fB\-\-auto-reverse\fR
Create necessary reverse zones
.TP
\fB\-\-allow-zone-overlap\fR
Create DNS zone even if it already exists
.TP
\fB\-\-no\-host\-dns\fR
Do not use DNS for hostname lookup during installation
.TP
\fB\-\-no\-dns\-sshfp\fR
Do not automatically create DNS SSHFP records.
.TP
\fB\-\-no\-dnssec\-validation\fR
Disable DNSSEC validation on this server.
.SS "AD TRUST OPTIONS"
.TP
\fB\-\-setup\-adtrust\fR
Configure AD Trust capability on a replica.
.TP
\fB\-\-netbios\-name\fR=\fINETBIOS_NAME\fR
The NetBIOS name for the IPA domain. If not provided then this is determined
based on the leading component of the DNS domain name. Running
ipa\-adtrust\-install for a second time with a different NetBIOS name will
change the name. Please note that changing the NetBIOS name might break
existing trust relationships to other domains.
.TP
\fB\-\-add\-sids\fR
Add SIDs to existing users and groups as on of final steps of the
ipa\-adtrust\-install run. If there a many existing users and groups and a
couple of replicas in the environment this operation might lead to a high
replication traffic and a performance degradation of all IPA servers in the
environment. To avoid this the SID generation can be run after
ipa\-adtrust\-install is run and scheduled independently. To start this task
you have to load an edited version of ipa-sidgen-task-run.ldif with the
ldapmodify command info the directory server.
.TP
\fB\-\-add\-agents\fR
Add IPA masters to the list that allows to serve information about
users from trusted forests. Starting with FreeIPA 4.2, a regular IPA master
can provide this information to SSSD clients. IPA masters aren't added
to the list automatically as restart of the LDAP service on each of them
is required. The host where ipa\-adtrust\-install is being run is added
automatically.
.IP
Note that IPA masters where ipa\-adtrust\-install wasn't run, can serve
information about users from trusted forests only if they are enabled
via \ipa-adtrust\-install run on any other IPA master. At least SSSD
version 1.13 on IPA master is required to be able to perform as a trust agent.
.TP
\fB\-\-rid-base\fR=\fIRID_BASE\fR
First RID value of the local domain. The first Posix ID of the local domain will
be assigned to this RID, the second to RID+1 etc. See the online help of the
idrange CLI for details.
.TP
\fB\-\-secondary-rid-base\fR=\fISECONDARY_RID_BASE\fR
Start value of the secondary RID range, which is only used in the case a user
and a group share numerically the same Posix ID. See the online help of the
idrange CLI for details.
.TP
\fB\-\-enable\-compat\fR
Enables support for trusted domains users for old clients through Schema Compatibility plugin.
SSSD supports trusted domains natively starting with version 1.9. For platforms that
lack SSSD or run older SSSD version one needs to use this option. When enabled, slapi\-nis package
needs to be installed and schema\-compat\-plugin will be configured to provide lookup of
users and groups from trusted domains via SSSD on IPA server. These users and groups will be
available under \fBcn=users,cn=compat,$SUFFIX\fR and \fBcn=groups,cn=compat,$SUFFIX\fR trees.
SSSD will normalize names of users and groups to lower case.
.IP
In addition to providing these users and groups through the compat tree, this option enables
authentication over LDAP for trusted domain users with DN under compat tree, i.e. using bind DN
\fBuid=administrator@ad.domain,cn=users,cn=compat,$SUFFIX\fR.
.IP
LDAP authentication performed by the compat tree is done via PAM '\fBsystem\-auth\fR' service.
This service exists by default on Linux systems and is provided by pam package as /etc/pam.d/system\-auth.
If your IPA install does not have default HBAC rule 'allow_all' enabled, then make sure
to define in IPA special service called '\fBsystem\-auth\fR' and create an HBAC
rule to allow access to anyone to this rule on IPA masters.
.IP
As '\fBsystem\-auth\fR' PAM service is not used directly by any other
application, it is safe to use it for trusted domain users via compatibility
path.
.SH "EXIT STATUS"
0 if the command was successful
1 if an error occurred
3 if the host exists in the IPA server or a replication agreement to the remote master already exists
4 if the remote master specified for enrollment does not provide required services such as CA or KRA

48
install/tools/man/ipa-replica-manage.1
View File

@@ -16,22 +16,27 @@
.\"
.\" Author: Rob Crittenden <rcritten@redhat.com>
.\"
.TH "ipa-replica-manage" "1" "Mar 1 2013" "FreeIPA" "FreeIPA Manual Pages"
.TH "ipa-replica-manage" "1" "Jul 12 2016" "FreeIPA" "FreeIPA Manual Pages"
.SH "NAME"
ipa\-replica\-manage \- Manage an IPA replica
.SH "SYNOPSIS"
ipa\-replica\-manage [\fIOPTION\fR]... [COMMAND]
.SH "DESCRIPTION"
Manages the replication agreements of an IPA server. The available commands are:
Manages the replication agreements of an IPA server.
To manage IPA replication agreements in a domain, use IPA CLI
or Web UI, see `ipa help topology` for additional information.
The available commands are:
.TP
\fBconnect\fR [SERVER_A] <SERVER_B>
\- Adds a new replication agreement between SERVER_A/localhost and SERVER_B
\- Adds a new replication agreement between SERVER_A/localhost and SERVER_B. Applicable only for winsync agreements.
.TP
\fBdisconnect\fR [SERVER_A] <SERVER_B>
\- Removes a replication agreement between SERVER_A/localhost and SERVER_B
\- Removes a replication agreement between SERVER_A/localhost and SERVER_B. Applicable only for winsync agreements.
.TP
\fBdel\fR <SERVER>
\- Removes all replication agreements and data about SERVER
\- Removes all replication agreements and data about SERVER. Removes data and agreements for both suffixes - domain and ca.
.TP
\fBlist\fR [SERVER]
\- Lists all the servers or the list of agreements of SERVER
@@ -48,8 +53,11 @@ Manages the replication agreements of an IPA server. The available commands are:
\fBclean\-ruv\fR [REPLICATION_ID]
\- Run the CLEANALLRUV task to remove a replication ID.
.TP
\fBclean\-dangling\-ruv\fR
\- Cleans all RUVs and CS\-RUVs that are left in the system from uninstalled replicas.
.TP
\fBabort\-clean\-ruv\fR [REPLICATION_ID]
\- Abort a running CLEANALLRUV task.
\- Abort a running CLEANALLRUV task. With \-\-force option the task does not wait for all the replica servers to have been sent the abort task, or be online, before completing.
.TP
\fBlist\-clean\-ruv\fR
\- List all running CLEANALLRUV and abort CLEANALLRUV tasks.
@@ -101,12 +109,12 @@ Provide additional information
\fB\-f\fR, \fB\-\-force\fR
Ignore some types of errors, don't prompt when deleting a master
.TP
\fB\-c\fR, \fB\-\-no\-lookup\fR
Do not perform DNS lookup checks.
.TP
\fB\-c\fR, \fB\-\-cleanup\fR
When deleting a master with the \-\-force flag, remove leftover references to an already deleted master.
.TP
\fB\-\-no\-lookup\fR
Do not perform DNS lookup checks.
.TP
\fB\-\-binddn\fR=\fIADMIN_DN\fR
Bind DN to use with remote server (default is cn=Directory Manager) \- Be careful to quote this value on the command line
.TP
@@ -127,6 +135,7 @@ Password for the IPA system user used by the Windows PassSync plugin to synchron
.TP
\fB\-\-from\fR=\fISERVER\fR
The server to pull the data from, used by the re\-initialize and force\-sync commands.
.TP
.SH "RANGES"
IPA uses the 389\-ds Distributed Numeric Assignment (DNA) Plugin to allocate POSIX ids for users and groups. A range is created when IPA is installed and half the range is assigned to the first IPA master for the purposes of allocation.
.TP
@@ -149,20 +158,20 @@ The DNA range and on\-deck (next) values can be managed using the dnarange\-set
.TP
The range and next range of a specific master can be displayed by passing the FQDN of that master to the dnarange\-show or dnanextrange\-show command.
.TP
Performing range changes as a delegated administrator (e.g. not using the Directory Manager password) requires additional 389\-ds ACIs. These are installed in upgraded masters but not existing ones. The changs are made in cn=config which is not replicated. The result is that DNA ranges cannot be managed on non\-upgraded masters as a delegated administrator.
Performing range changes as a delegated administrator (e.g. not using the Directory Manager password) requires additional 389\-ds ACIs. These are installed in upgraded masters but not existing ones. The changes are made in cn=config which is not replicated. The result is that DNA ranges cannot be managed on non\-upgraded masters as a delegated administrator.
.SH "EXAMPLES"
.TP
List all masters:
# ipa\-replica\-manage list
srv1.example.com
srv2.example.com
srv3.example.com
srv4.example.com
srv1.example.com: master
srv2.example.com: master
srv3.example.com: master
srv4.example.com: master
.TP
List a server's replication agreements.
# ipa\-replica\-manage list srv1.example.com
srv2.example.com
srv3.example.com
srv2.example.com: replica
srv3.example.com: replica
.TP
Re\-initialize a replica:
# ipa\-replica\-manage re\-initialize \-\-from srv2.example.com
@@ -182,8 +191,11 @@ Using connect/disconnect you can manage the replication topology.
.TP
List the replication IDs in use:
# ipa\-replica\-manage list\-ruv
srv1.example.com:389: 7
srv2.example.com:389: 4
Replica Update Vectors:
srv1.example.com:389: 7
srv2.example.com:389: 4
Certificate Server Replica Update Vectors:
srv1.example.com:389: 9
.TP
Remove references to an orphaned and deleted master:
# ipa\-replica\-manage del \-\-force \-\-cleanup master.example.com

79
install/tools/man/ipa-replica-prepare.1
View File

@@ -1,79 +0,0 @@
.\" A man page for ipa-replica-prepare
.\" Copyright (C) 2008 Red Hat, Inc.
.\"
.\" This program is free software; you can redistribute it and/or modify
.\" it under the terms of the GNU General Public License as published by
.\" the Free Software Foundation, either version 3 of the License, or
.\" (at your option) any later version.
.\"
.\" This program is distributed in the hope that it will be useful, but
.\" WITHOUT ANY WARRANTY; without even the implied warranty of
.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
.\" General Public License for more details.
.\"
.\" You should have received a copy of the GNU General Public License
.\" along with this program. If not, see <http://www.gnu.org/licenses/>.
.\"
.\" Author: Rob Crittenden <rcritten@redhat.com>
.\"
.TH "ipa-replica-prepare" "1" "Mar 14 2008" "FreeIPA" "FreeIPA Manual Pages"
.SH "NAME"
ipa\-replica\-prepare \- Create an IPA replica file
.SH "SYNOPSIS"
ipa\-replica\-prepare [\fIOPTION\fR]... hostname
.SH "DESCRIPTION"
Generates a replica file that may be used with ipa\-replica\-install to create a replica of an IPA server.
A replica can only be created on an IPA server installed with ipa\-server\-install (the first server).
You must provide the fully\-qualified hostname of the machine you want to install the replica on and a host\-specific replica_file will be created. It is host\-specific because SSL server certificates are generated as part of the process and they are specific to a particular hostname.
If IPA manages the DNS for your domain, you should either use the \fB\-\-ip\-address\fR option or add the forward and reverse records manually using IPA plugins.
Once the file has been created it will be named replica\-hostname. This file can then be moved across the network to the target machine and a new IPA replica setup by running ipa\-replica\-install replica\-hostname.
A replica should only be installed on the same or higher version of IPA on the remote system.
.SH "OPTIONS"
.TP
\fB\-\-dirsrv_pkcs12\fR=\fIFILE\fR
PKCS#12 file containing the Directory Server SSL Certificate and Private Key
.TP
\fB\-\-http_pkcs12\fR=\fIFILE\fR
PKCS#12 file containing the Apache Server SSL Certificate and Private Key
.TP
\fB\-\-pkinit_pkcs12\fR=\fIFILE\fR
PKCS#12 file containing the Kerberos KDC Certificate and Private Key
.TP
\fB\-\-dirsrv_pin\fR=\fIDIRSRV_PIN\fR
The password of the Directory Server PKCS#12 file
.TP
\fB\-\-http_pin\fR=\fIHTTP_PIN\fR
The password of the Apache Server PKCS#12 file
.TP
\fB\-\-pkinit_pin\fR=\fIPKINIT_PIN\fR
The password of the Kerberos KDC PKCS#12 file
.TP
\fB\-p\fR \fIDM_PASSWORD\fR, \fB\-\-password\fR=\fIDM_PASSWORD\fR
Directory Manager (existing master) password
.TP
\fB\-\-ip\-address\fR=\fIIP_ADDRESS\fR
IP address of the replica server. If you provide this option, the A and PTR records will be added to the DNS.
.TP
\fB\-\-reverse\-zone\fR=\fIREVERSE_ZONE\fR
The reverse DNS zone to use
.TP
\fB\-\-no\-reverse\fR
Do not create reverse DNS zone
.TP
\fB\-\-ca\fR=\fICA_FILE\fR
Location of CA PKCS#12 file, default /root/cacert.p12
.TP
\fB\-\-no\-pkinit\fR
Disables pkinit setup steps
.TP
\fB\-\-debug\fR
Prints info log messages to the output
.SH "EXIT STATUS"
0 if the command was successful
1 if an error occurred

23
install/tools/man/ipa-restore.1
View File

@@ -32,7 +32,7 @@ The type of backup is automatically detected. A data restore can be done from ei
.TP
\fBWARNING\fR: A full restore will restore files like /etc/passwd, /etc/group, /etc/resolv.conf as well. Any file that IPA may have touched is backed up and restored.
.TP
An encrypted backup is also automatically detected and the root keyring is used by default. The \-\-keyring option can be used to define the full path to the private and public keys.
An encrypted backup is also automatically detected and the root keyring and gpg-agent is used by default. Set \fBGNUPGHOME\fR environment variable to use a custom keyring and gpg2 configuration.
.TP
Within the subdirectory is file, header, that describes the back up including the type, system, date of backup, the version of IPA, the version of the backup and the services on the master.
.TP
@@ -57,24 +57,22 @@ If you have older masters you should consider re\-creating them rather than tryi
.TP
\fB\-p\fR, \fB\-\-password\fR=\fIPASSWORD\fR
The Directory Manager password.
.TP
\fB\-\-data\fR
Restore the data only. The default is to restore everything in the backup.
.TP
\fB\-\-gpg\-keyring\fR=\fIGPG_KEYRING\fR
The full path to a GPG keyring. The keyring consists of two files, a public and a private key (.sec and .pub respectively). Specify the path without an extension.
.TP
\fB\-\-no\-logs\fR
Exclude the IPA service log files in the backup (if they were backed up). Applicable only with a full backup.
Exclude the IPA service log files in the backup (if they were backed up).
.TP
\fB\-\-online\fR
Perform the restore on\-line. Requires the \-\-data option.
Perform the restore on\-line. Requires data\-only backup or the \-\-data option.
.TP
\fB\-\-instance\fR=\fIINSTANCE\fR
The backend to restore within an instance or instances.
.TP
Restore only the databases in this 389\-ds instance. The default is to restore all found (at most this is the IPA REALM instance and the PKI\-IPA instance).
Restore only the databases in this 389\-ds instance. The default is to restore all found (at most this is the IPA REALM instance and the PKI\-IPA instance). Requires data\-only backup or the \-\-data option.
.TP
\fB\-\-backend\fR=\fIBACKEND\fR
The backend to restore within an instance or instances. Requires data\-only backup or the \-\-data option.
.TP
\fB\-\-v\fR, \fB\-\-verbose\fR
Print debugging information
.TP
@@ -90,6 +88,10 @@ Log to the given file
0 if the command was successful
1 if an error occurred
.SH "ENVIRONMENT VARIABLES"
.PP
\fBGNUPGHOME\fR
Use custom GnuPG keyring and settings (default: \fB~/.gnupg\fR).
.SH "FILES"
.PP
\fI/var/lib/ipa/backup\fR
@@ -102,4 +104,5 @@ The default directory for storing backup files.
The log file for restoration
.PP
.SH "SEE ALSO"
ipa\-backup(1).
.BR ipa\-backup(1)
.BR gpg2(1)

34
install/tools/man/ipa-server-certinstall.1
View File

@@ -20,15 +20,16 @@
.SH "NAME"
ipa\-server\-certinstall \- Install new SSL server certificates
.SH "SYNOPSIS"
ipa\-server\-certinstall [\fIOPTION\fR]... PKCS12_FILE
ipa\-server\-certinstall [\fIOPTION\fR]... FILE...
.SH "DESCRIPTION"
Replace the current SSL Directory and/or Apache server certificate(s) with the certificate in the PKCS#12 file.
Replace the current Directory server SSL certificate, Apache server SSL certificate and/or Kerberos KDC certificate with the certificate in the specified files. The files are accepted in PEM and DER certificate, PKCS#7 certificate chain, PKCS#8 and raw private key and PKCS#12 formats.
PKCS#12 is a file format used to safely transport SSL certificates and public/private keypairs.
They may be generated and managed using the NSS pk12util command or the OpenSSL pkcs12 command.
The service(s) are not automatically restarted. In order to use the newly installed certificate(s) you will need to manually restart the Directory and/or Apache servers.
The service(s) are not automatically restarted. In order to use the newly installed certificate(s) you will need to manually restart the Directory, Apache and/or Krb5kdc servers.
.SH "OPTIONS"
.TP
\fB\-d\fR, \fB\-\-dirsrv\fR
@@ -37,11 +38,32 @@ Install the certificate on the Directory Server
\fB\-w\fR, \fB\-\-http\fR
Install the certificate in the Apache Web Server
.TP
\fB\-\-pin\fR=\fIPIN\fR
The password of the PKCS#12 file
\fB\-k\fR, \fB\-\-kdc\fR
Install the certificate in the Kerberos KDC
.TP
\fB\-\-dirman\-password\fR=\fIDIRMAN_PASSWORD\fR
\fB\-\-pin\fR=\fIPIN\fR
The password to unlock the private key
.TP
\fB\-\-cert\-name\fR=\fINAME\fR
Name of the certificate to install
.TP
\fB\-p\fR, \fB\-\-dirman\-password\fR=\fIDIRMAN_PASSWORD\fR
Directory Manager password
.TP
\fB\-\-version\fR
Show the program's version and exit
.TP
\fB\-h\fR, \fB\-\-help\fR
Show the help for this program
.TP
\fB\-v\fR, \fB\-\-verbose\fR
Print debugging information
.TP
\fB\-q\fR, \fB\-\-quiet\fR
Output only errors
.TP
\fB\-\-log\-file\fR=\fIFILE\fR
Log to the given file
.SH "EXIT STATUS"
0 if the installation was successful

247
install/tools/man/ipa-server-install.1
View File

@@ -1,22 +1,7 @@
.\" A man page for ipa-server-install
.\" Copyright (C) 2008 Red Hat, Inc.
.\" Copyright (C) 2008-2017 FreeIPA Contributors see COPYING for license
.\"
.\" This program is free software; you can redistribute it and/or modify
.\" it under the terms of the GNU General Public License as published by
.\" the Free Software Foundation, either version 3 of the License, or
.\" (at your option) any later version.
.\"
.\" This program is distributed in the hope that it will be useful, but
.\" WITHOUT ANY WARRANTY; without even the implied warranty of
.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
.\" General Public License for more details.
.\"
.\" You should have received a copy of the GNU General Public License
.\" along with this program. If not, see <http://www.gnu.org/licenses/>.
.\"
.\" Author: Rob Crittenden <rcritten@redhat.com>
.\"
.TH "ipa-server-install" "1" "Jun 28 2012" "FreeIPA" "FreeIPA Manual Pages"
.TH "ipa-server-install" "1" "Feb 17 2017" "FreeIPA" "FreeIPA Manual Pages"
.SH "NAME"
ipa\-server\-install \- Configure an IPA server
.SH "SYNOPSIS"
@@ -28,41 +13,61 @@ Configures the services needed by an IPA server. This includes setting up a Kerb
.SS "BASIC OPTIONS"
.TP
\fB\-r\fR \fIREALM_NAME\fR, \fB\-\-realm\fR=\fIREALM_NAME\fR
The Kerberos realm name for the IPA server. You will not be able to estabilish trust with Active Directory unless the realm name is uppercased domain name.
The Kerberos realm name for the new IPA deployment.
It is strongly recommended to \fBuse an upper-cased name of the primary DNS domain name\fR of your IPA deployment. You will not be able to establish trust with Active Directory unless the realm name is the upper-cased domain name.
The realm name cannot be changed after the installation.
.TP
\fB\-n\fR \fIDOMAIN_NAME\fR, \fB\-\-domain\fR=\fIDOMAIN_NAME\fR
Your DNS domain name
The primary DNS domain of the IPA deployment, e.g. example.com. This DNS domain should contain the SRV records generated by the IPA server installer. The specified DNS domain must not contain DNS records of any other LDAP or Kerberos based management system (like Active Directory or MIT Kerberos).
It is strongly recommended to \fBuse a lower-cased name of the IPA Kerberos realm name.\fR
The primary DNS domain name cannot be changed after the installation.
.TP
\fB\-p\fR \fIDM_PASSWORD\fR, \fB\-\-ds\-password\fR=\fIDM_PASSWORD\fR
The password to be used by the Directory Server for the Directory Manager user
.TP
\fB\-P\fR \fIMASTER_PASSWORD\fR, \fB\-\-master\-password\fR=\fIMASTER_PASSWORD\fR
The kerberos master password (normally autogenerated)
The password to be used by the Directory Server for the Directory Manager user.
.TP
\fB\-a\fR \fIADMIN_PASSWORD\fR, \fB\-\-admin\-password\fR=\fIADMIN_PASSWORD\fR
The password for the IPA admin user
The password for the IPA admin user.
.TP
\fB\-\-mkhomedir\fR
Create home directories for users on their first login
Create home directories for users on their first login.
.TP
\fB\-\-hostname\fR=\fIHOST_NAME\fR
The fully\-qualified DNS name of this server. If the hostname does not match system hostname, the system hostname will be updated accordingly to prevent service failures.
The fully\-qualified DNS name of this server.
.TP
\fB\-\-ip\-address\fR=\fIIP_ADDRESS\fR
The IP address of this server. If this address does not match the address the host resolves to and --setup-dns is not selected the installation will fail. If the server hostname is not resolvable, a record for the hostname and IP_ADDRESS is added to /etc/hosts.
The IP address of this server. If this address does not match the address the host resolves to and \-\-setup\-dns is not selected, the installation will fail. If the server hostname is not resolvable, a record for the hostname and IP_ADDRESS is added to /etc/hosts.
This option can be used multiple times to specify more IP addresses of the server (e.g. multihomed and/or dualstacked server).
.TP
Configure chronyd to use this NTP server. This option can be used multiple times and it is used to specify exactly one time server.
.TP
\fB\-\-ntp\-server\fR=\fINTP_SERVER\fR
Configure chronyd to use this NTP server. This option can be used multiple times and it is used to specify exactly one time server.
.TP
\fB\-\-ntp\-pool\fR=\fINTP_SERVER_POOL\fR
Configure chronyd to use this NTP server pool. This option is meant to be pool of multiple servers resolved as one host name. This pool's servers may vary but pool address will be still same and chrony will choose only one server from this pool.
.TP
\fB\-N\fR, \fB\-\-no\-ntp\fR
Do not configure NTP
Do not configure NTP client (chronyd).
.TP
\fB\-\-idstart\fR=\fIIDSTART\fR
The starting user and group id number (default random)
The starting user and group id number (default random).
.TP
\fB\-\-idmax\fR=\fIIDMAX\fR
The maximum user and group id number (default: idstart+199999). If set to zero, the default value will be used.
.TP
\fB\-\-no_hbac_allow\fR
\fB\-\-no-hbac-allow\fR
Don't install allow_all HBAC rule. This rule lets any user from any host access any service on any other host. It is expected that users will remove this rule before moving to production.
.TP
\fB\-\-ignore-topology-disconnect\fR
Ignore errors reported when IPA server uninstall would lead to disconnected topology.
.TP
\fB\-\-ignore-last-of-role\fR
Ignore errors reported when IPA server uninstall would lead to removal of last CA/DNS server or DNSSec master.
.TP
\fB\-\-no\-ui\-redirect\fR
Do not automatically redirect to the Web UI.
.TP
@@ -76,58 +81,104 @@ Do not configure OpenSSH client.
Do not configure OpenSSH server.
.TP
\fB\-d\fR, \fB\-\-debug\fR
Enable debug logging when more verbose output is needed
Enable debug logging when more verbose output is needed.
.TP
\fB\-U\fR, \fB\-\-unattended\fR
An unattended installation that will never prompt for user input
An unattended installation that will never prompt for user input.
.TP
\fB\-\-dirsrv\-config\-file\fR
The path to LDIF file that will be used to modify configuration of dse.ldif during installation of the directory server instance.
.SS "CERTIFICATE SYSTEM OPTIONS"
.TP
\fB\-\-external\-ca\fR
Generate a CSR for the IPA CA certificate to be signed by an external CA.
.TP
\fB\-\-external_cert_file\fR=\fIFILE\fR
File containing the IPA CA certificate signed by the external CA in PEM format. Must be given with \-\-external_ca_file.
\fB\-\-external\-ca\-type\fR=\fITYPE\fR
Type of the external CA. Possible values are "generic", "ms-cs". Default value is "generic". Use "ms-cs" to include the template name required by Microsoft Certificate Services (MS CS) in the generated CSR (see \fB\-\-external\-ca\-profile\fR for full details).
.TP
\fB\-\-external_ca_file\fR=\fIFILE\fR
File containing the external CA certificate chain in PEM format. Must be given with \-\-external_cert_file.
\fB\-\-external\-ca\-profile\fR=\fIPROFILE_SPEC\fR
Specify the certificate profile or template to use at the external CA.
If the CA certificate chain is in PKCS#7 format you can convert it to PEM using:
When \fB\-\-external\-ca\-type\fR is "ms-cs" the following specifiers may be used:
openssl pkcs7 -in PKCS7_FILE -print_certs -out PEM_FILE
.RS
.TP
\fB<oid>:<majorVersion>[:<minorVersion>]\fR
Specify a certificate template by OID and major version, optionally also specifying minor version.
.TP
\fB<name>\fR
Specify a certificate template by name. The name cannot contain any \fI:\fR characters and cannot be an OID (otherwise the OID-based template specifier syntax takes precedence).
.TP
\fBdefault\fR
If no template is specified, the template name "SubCA" is used.
.RE
.TP
\fB\-\-external\-cert\-file\fR=\fIFILE\fR
File containing the IPA CA certificate and the external CA certificate chain. The file is accepted in PEM and DER certificate and PKCS#7 certificate chain formats. This option may be used multiple times.
.TP
\fB\-\-no\-pkinit\fR
Disables pkinit setup steps
Disables pkinit setup steps.
.TP
\fB\-\-dirsrv_pkcs12\fR=\fIFILE\fR
PKCS#12 file containing the Directory Server SSL Certificate
\fB\-\-dirsrv\-cert\-file\fR=\fIFILE\fR
File containing the Directory Server SSL certificate and private key. The files are accepted in PEM and DER certificate, PKCS#7 certificate chain, PKCS#8 and raw private key and PKCS#12 formats. This option may be used multiple times.
.TP
\fB\-\-http_pkcs12\fR=\fIFILE\fR
PKCS#12 file containing the Apache Server SSL Certificate
\fB\-\-http\-cert\-file\fR=\fIFILE\fR
File containing the Apache Server SSL certificate and private key. The files are accepted in PEM and DER certificate, PKCS#7 certificate chain, PKCS#8 and raw private key and PKCS#12 formats. This option may be used multiple times.
.TP
\fB\-\-pkinit_pkcs12\fR=\fIFILE\fR
PKCS#12 file containing the Kerberos KDC SSL certificate
\fB\-\-pkinit\-cert\-file\fR=\fIFILE\fR
File containing the Kerberos KDC SSL certificate and private key. The files are accepted in PEM and DER certificate, PKCS#7 certificate chain, PKCS#8 and raw private key and PKCS#12 formats. This option may be used multiple times.
.TP
\fB\-\-dirsrv_pin\fR=\fIDIRSRV_PIN\fR
The password of the Directory Server PKCS#12 file
\fB\-\-dirsrv\-pin\fR=\fIPIN\fR
The password to unlock the Directory Server private key.
.TP
\fB\-\-http_pin\fR=\fIHTTP_PIN\fR
The password of the Apache Server PKCS#12 file
\fB\-\-http\-pin\fR=\fIPIN\fR
The password to unlock the Apache Server private key.
.TP
\fB\-\-pkinit_pin\fR=\fIPKINIT_PIN\fR
The password of the Kerberos KDC PKCS#12 file
\fB\-\-pkinit\-pin\fR=\fIPIN\fR
The password to unlock the Kerberos KDC private key.
.TP
\fB\-\-root\-ca\-file\fR=\fIFILE\fR
PEM file containing the CA certificate of the CA which issued the Directory Server, Apache Server and Kerberos KDC SSL certificates. Use this option if the CA certificate is not present in the PKCS#12 files.
\fB\-\-dirsrv\-cert\-name\fR=\fINAME\fR
Name of the Directory Server SSL certificate to install.
.TP
\fB\-\-subject\fR=\fISUBJECT\fR
The certificate subject base (default O=REALM.NAME)
\fB\-\-http\-cert\-name\fR=\fINAME\fR
Name of the Apache Server SSL certificate to install.
.TP
\fB\-\-pkinit\-cert\-name\fR=\fINAME\fR
Name of the Kerberos KDC SSL certificate to install.
.TP
\fB\-\-ca\-cert\-file\fR=\fIFILE\fR
File containing the CA certificate of the CA which issued the Directory Server, Apache Server and Kerberos KDC certificates. The file is accepted in PEM and DER certificate and PKCS#7 certificate chain formats. This option may be used multiple times. Use this option if the CA certificate is not present in the certificate files.
.TP
\fB\-\-pki\-config\-override\fR=\fIFILE\fR
File containing overrides for CA and KRA installation.
.TP
\fB\-\-ca\-subject\fR=\fISUBJECT\fR
The CA certificate subject DN (default CN=Certificate Authority,O=REALM.NAME). RDNs are in LDAP order (most specific RDN first).
.TP
\fB\-\-subject\-base\fR=\fISUBJECT\fR
The subject base for certificates issued by IPA (default O=REALM.NAME). RDNs are in LDAP order (most specific RDN first).
.TP
\fB\-\-ca\-signing\-algorithm\fR=\fIALGORITHM\fR
Signing algorithm of the IPA CA certificate. Possible values are SHA1withRSA, SHA256withRSA, SHA512withRSA. Default value is SHA256withRSA. Use this option with --external-ca if the external CA does not support the default signing algorithm.
.SS "SECRET MANAGEMENT OPTIONS"
.TP
\fB\-\-setup\-kra\fR
Install and configure a KRA on this server.
.SS "DNS OPTIONS"
IPA provides an integrated DNS server which can be used to simplify IPA deployment. If you decide to use it, IPA will automatically maintain SRV and other service records when you change your topology.
The DNS component in FreeIPA is optional and you may choose to manage all your DNS records manually on another third party DNS server. IPA DNS is not a general-purpose DNS server. If you need advanced features like DNS views, do not deploy IPA DNS.
.TP
\fB\-\-setup\-dns\fR
Generate a DNS zone if it does not exist already and configure the DNS server.
Configure an integrated DNS server, create DNS zone specified by \-\-domain, and fill it with service records necessary for IPA deployment.
In cases where the IPA server name does not belong to the primary DNS domain and is not resolvable using DNS, create a DNS zone containing the IPA server name as well.
This option requires that you either specify at least one DNS forwarder through
the \fB\-\-forwarder\fR option or use the \fB\-\-no\-forwarders\fR option.
@@ -135,6 +186,8 @@ Note that you can set up a DNS at any time after the initial IPA server install
.B ipa-dns-install
(see
.BR ipa-dns-install (1)).
IPA DNS cannot be uninstalled.
.TP
\fB\-\-forwarder\fR=\fIIP_ADDRESS\fR
Add a DNS forwarder to the DNS configuration. You can use this option multiple
@@ -144,28 +197,97 @@ the \fB\-\-no\-forwarders\fR option is specified.
\fB\-\-no\-forwarders\fR
Do not add any DNS forwarders. Root DNS servers will be used instead.
.TP
\fB\-\-auto\-forwarders\fR
Add DNS forwarders configured in /etc/resolv.conf to the list of forwarders used by IPA DNS.
.TP
\fB\-\-forward\-policy\fR=\fIfirst|only\fR
DNS forwarding policy for global forwarders specified using other options.
Defaults to first if no IP address belonging to a private or reserved ranges is
detected on local interfaces (RFC 6303). Defaults to only if a private
IP address is detected.
.TP
\fB\-\-reverse\-zone\fR=\fIREVERSE_ZONE\fR
The reverse DNS zone to use
The reverse DNS zone to use. This option can be used multiple times to specify multiple reverse zones.
.TP
\fB\-\-no\-reverse\fR
Do not create reverse DNS zone
Do not create reverse DNS zone.
.TP
\fB\-\-auto\-reverse\fR
Try to resolve reverse records and reverse zones for server IP addresses. If neither is resolvable, creates the reverse zones.
.TP
\fB\-\-zonemgr\fR
The e\-mail address of the DNS zone manager. Defaults to hostmaster@DOMAIN
.TP
\fB\-\-no\-host\-dns\fR
Do not use DNS for hostname lookup during installation
Do not use DNS for hostname lookup during installation.
.TP
\fB\-\-no\-dns\-sshfp\fR
Do not automatically create DNS SSHFP records.
.TP
\fB\-\-no\-dnssec\-validation\fR
Disable DNSSEC validation on this server.
.TP
\fB\-\-allow\-zone\-overlap\fR
Allow creation of (reverse) zone even if the zone is already resolvable. Using this option is discouraged as it result in later problems with domain name resolution.
.SS "AD TRUST OPTIONS"
.TP
\fB\-\-setup\-adtrust\fR
Configure AD Trust capability.
.TP
\fB\-\-netbios\-name\fR=\fINETBIOS_NAME\fR
The NetBIOS name for the IPA domain. If not provided, this is determined
based on the leading component of the DNS domain name. Running
ipa\-adtrust\-install for a second time with a different NetBIOS name will
change the name. Please note that changing the NetBIOS name might break
existing trust relationships to other domains.
.TP
\fB\-\-rid-base\fR=\fIRID_BASE\fR
First RID value of the local domain. The first POSIX ID of the local domain will
be assigned to this RID, the second to RID+1 etc. See the online help of the
idrange CLI for details.
.TP
\fB\-\-secondary-rid-base\fR=\fISECONDARY_RID_BASE\fR
Start value of the secondary RID range, which is only used in the case a user
and a group share numerically the same POSIX ID. See the online help of the
idrange CLI for details.
.TP
\fB\-\-enable\-compat\fR
Enables support for trusted domains users for old clients through Schema Compatibility plugin.
SSSD supports trusted domains natively starting with version 1.9. For platforms that
lack SSSD or run older SSSD version one needs to use this option. When enabled, slapi\-nis package
needs to be installed and schema\-compat\-plugin will be configured to provide lookup of
users and groups from trusted domains via SSSD on IPA server. These users and groups will be
available under \fBcn=users,cn=compat,$SUFFIX\fR and \fBcn=groups,cn=compat,$SUFFIX\fR trees.
SSSD will normalize names of users and groups to lower case.
.IP
In addition to providing these users and groups through the compat tree, this option enables
authentication over LDAP for trusted domain users with DN under compat tree, i.e. using bind DN
\fBuid=administrator@ad.domain,cn=users,cn=compat,$SUFFIX\fR.
.IP
LDAP authentication performed by the compat tree is done via PAM '\fBsystem\-auth\fR' service.
This service exists by default on Linux systems and is provided by pam package as /etc/pam.d/system\-auth.
If your IPA install does not have default HBAC rule 'allow_all' enabled, then make sure
to define in IPA special service called '\fBsystem\-auth\fR' and create an HBAC
rule to allow access to anyone to this rule on IPA masters.
.IP
As '\fBsystem\-auth\fR' PAM service is not used directly by any other
application, it is safe to use it for trusted domain users via compatibility
path.
.SS "UNINSTALL OPTIONS"
.TP
\fB\-\-uninstall\fR
Uninstall an existing IPA installation
Uninstall an existing IPA installation.
.TP
\fB\-U\fR, \fB\-\-unattended\fR
An unattended uninstallation that will never prompt for user input
An unattended uninstallation that will never prompt for user input.
.SH "DEPRECATED OPTIONS"
.TP
\fB\-P\fR \fIMASTER_PASSWORD\fR, \fB\-\-master\-password\fR=\fIMASTER_PASSWORD\fR
The kerberos master password (normally autogenerated).
.SH "EXIT STATUS"
0 if the (un)installation was successful
@@ -174,3 +296,4 @@ An unattended uninstallation that will never prompt for user input
.SH "SEE ALSO"
.BR ipa-dns-install (1)
.BR ipa-adtrust-install (1)

46
install/tools/man/ipa-server-upgrade.1 Normal file
View File

@@ -0,0 +1,46 @@
.\"
.\" Copyright (C) 2015 FreeIPA Contributors see COPYING for license
.\"
.TH "ipa-server-upgrade" "1" "April 02 2015" "FreeIPA" "FreeIPA Manual Pages"
.SH "NAME"
ipa\-server\-upgrade \- upgrade IPA server
.SH "SYNOPSIS"
ipa\-server\-upgrade [options]
.SH "DESCRIPTION"
ipa\-server\-upgrade is used to upgrade IPA server when the IPA packages are being updated. It is not intended to be executed by end\-users.
ipa\-server\-upgrade will:
* update LDAP schema
* process all files with the extension .update in /usr/share/ipa/updates (including update plugins).
* upgrade local configurations of IPA services
.SH "OPTIONS"
.TP
\fB\-\-skip\-version\-check\fR
Skip version check. WARNING: this option may break your system
.TP
\fB\-\-force\fR
Force upgrade (alias for --skip-version-check)
.TP
\fB\-\-version\fR
Show IPA version
.TP
\fB\-h\fR, \fB\-\-help\fR
Show help message and exit
.TP
\fB\-v\fR, \fB\-\-verbose\fR
Print debugging information
.TP
\fB\-q\fR, \fB\-\-quiet\fR
Output only errors
.TP
\fB-\-log-file=FILE\fR
Log to given file
.TP
.SH "EXIT STATUS"
0 if the command was successful
1 if an error occurred

42
install/tools/man/ipa-upgradeconfig.8
View File

@@ -1,42 +0,0 @@
.\" A man page for ipa-upgradeconfig
.\" Copyright (C) 2010 Red Hat, Inc.
.\"
.\" This program is free software; you can redistribute it and/or modify
.\" it under the terms of the GNU General Public License as published by
.\" the Free Software Foundation, either version 3 of the License, or
.\" (at your option) any later version.
.\"
.\" This program is distributed in the hope that it will be useful, but
.\" WITHOUT ANY WARRANTY; without even the implied warranty of
.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
.\" General Public License for more details.
.\"
.\" You should have received a copy of the GNU General Public License
.\" along with this program. If not, see <http://www.gnu.org/licenses/>.
.\"
.\" Author: Rob Crittenden <rcritten@redhat.com>
.\"
.TH "ipa-upgradeconfig" "8" "Jun 18 2012" "freeipa" ""
.SH "NAME"
ipa\-upgradeconfig \- Upgrade the IPA Apache configuration
.SH "SYNOPSIS"
ipa\-upgradeconfig
.SH "DESCRIPTION"
A tool to update the IPA Apache configuration during an upgrade.
It examines the VERSION value in the head of \fI/etc/httpd/conf.d/ipa.conf\fR and \fI/etc/httpd/conf.d/ipa\-rewrite.conf\fR and compares this with the templates. If an update is needed then new files are written.
It also will convert a CA configured to be accessible via ports 9443, 9444, 9445 and 9446 to be proxied by the IPA web server on ports 80 and 443.
This is not intended to be run by an end\-user. It is executed when the IPA rpms are upgraded. This must be run as the root user.
.SH "OPTIONS"
.TP
\fB\-d\fR, \fB\-\-debug\fR
Enable debug logging when more verbose output is needed
.TP
\fB\-q\fR, \fB\-\-quiet\fR
Output only errors
.SH "EXIT STATUS"
0 if the update was successful or there was nothing to do
1 if an error occurred

52
install/tools/man/ipa-winsync-migrate.1 Normal file
View File

@@ -0,0 +1,52 @@
.\" A man page for ipa-advise
.\" Copyright (C) 2013 Red Hat, Inc.
.\"
.\" This program is free software; you can redistribute it and/or modify
.\" it under the terms of the GNU General Public License as published by
.\" the Free Software Foundation, either version 3 of the License, or
.\" (at your option) any later version.
.\"
.\" This program is distributed in the hope that it will be useful, but
.\" WITHOUT ANY WARRANTY; without even the implied warranty of
.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
.\" General Public License for more details.
.\"
.\" You should have received a copy of the GNU General Public License
.\" along with this program. If not, see <http://www.gnu.org/licenses/>.
.\"
.\" Author: Tomas Babej <tbabej@redhat.com>
.\"
.TH "ipa-winsync-migrate" "1" "Mar 10 2015" "FreeIPA" "FreeIPA Manual Pages"
.SH "NAME"
ipa\-winsync\-migrate \- Seamless migration of AD users created by winsync to native AD users.
.SH "SYNOPSIS"
ipa\-winsync\-migrate
.SH "DESCRIPTION"
Migrates AD users created by winsync agreement to ID overrides in
the Default Trust View, thus preserving the actual POSIX attributes
already established.
Prior to the actual migration, the winsync replication agreement
will be removed to protect the removal of the user accounts
on the Active Directory side.
During the migration, group, assigned roles, HBAC rules and SELinux
memberships of the synced users will be preserved. Any local copies
(created by winsync) of the migrated users will be removed.
.SH "WARNINGS"
After the migration, any PassSync agreements need to be removed
from Active Directory Domain Controllers, otherwise they might
attempt to update passwords for accounts that no longer exist
on the IPA server.
.SH "OPTIONS"
.TP
\fB\-\-realm\fR
The Active Directory realm the winsynced users belong to.
.TP
\fB\-\-server\fR
The hostname of Active Directory Domain Controller the winsync replication agreement is established with.
.TP
\fB\-\-unattended\fR
Never prompts for user input.

11
install/tools/man/ipactl.8
View File

@@ -38,8 +38,17 @@ Stop all of the services that make up IPA
restart
Stop then start all of the services that make up IPA
.TP
status
Provides status of all the services that make up IPA
.TP
\fB\-d\fR, \fB\-\-debug\fR
Display debugging information
.TP
\fB\-f\fR, \fB\-\-force\fR
\fB\-\-skip\-version\-check\fR
Skip version check
.TP
\fB\-\-ignore\-service\-failures\fR
If any service start fails, do not rollback the services, continue with the operation
.TP
\fB\-f\fR, \fB\-\-force\fR
Force IPA to start. Combine options --skip-version-check and --ignore-service-failures