websms/freeipa
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Imported Debian patch 4.0.5-6~numeezy

Browse Source
This commit is contained in:
Alexandre Ellert
2016-02-17 15:07:45 +01:00
committed by Mario Fetka
parent c44de33144
commit 10dfc9587b
1203 changed files with 53869 additions and 241462 deletions
Download Patch File Download Diff File Expand all files Collapse all files

287
install/tools/ipa-adtrust-install
View File

@@ -21,31 +21,26 @@
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
from __future__ import print_function
import six
import gssapi
from ipaserver.install import adtrustinstance
from ipaserver.install.installutils import *
from ipaserver.install import service
from ipapython import version
from ipapython import ipautil, sysrestore, ipaldap
from ipalib import api, errors, krb_utils
from ipapython import ipautil, sysrestore
from ipalib import api, errors, util
from ipapython.config import IPAOptionParser
import krbV
from ipaplatform.paths import paths
from ipapython.ipa_log_manager import *
from ipapython.dn import DN
if six.PY3:
unicode = str
log_file_name = paths.IPASERVER_INSTALL_LOG
def parse_options():
parser = IPAOptionParser(version=version.VERSION)
parser.add_option("-d", "--debug", dest="debug", action="store_true",
default=False, help="print debugging information")
parser.add_option("--ip-address", dest="ip_address",
type="ip", ip_local=True, help="Master Server IP Address")
parser.add_option("--netbios-name", dest="netbios_name",
help="NetBIOS name of the IPA domain")
parser.add_option("--no-msdcs", dest="no_msdcs", action="store_true",
@@ -68,9 +63,6 @@ def parse_options():
parser.add_option("--add-sids", dest="add_sids", action="store_true",
default=False, help="Add SIDs for existing users and" \
" groups as the final step")
parser.add_option("--add-agents", dest="add_agents", action="store_true",
default=False, help="Add IPA masters to a list of hosts allowed to serve" \
"information about users from trusted forests")
parser.add_option("--enable-compat",
dest="enable_compat", default=False, action="store_true",
help="Enable support for trusted domains for old clients")
@@ -81,24 +73,22 @@ def parse_options():
return safe_options, options
def netbios_name_error(name):
print("\nIllegal NetBIOS name [%s].\n" % name)
print("Up to 15 characters and only uppercase ASCII letters, digits "
"and dashes are allowed.")
print "\nIllegal NetBIOS name [%s].\n" % name
print "Up to 15 characters and only uppercase ASCII letter and digits are allowed."
def read_netbios_name(netbios_default):
netbios_name = ""
print("Enter the NetBIOS name for the IPA domain.")
print("Only up to 15 uppercase ASCII letters, digits "
"and dashes are allowed.")
print("Example: EXAMPLE.")
print("")
print("")
print "Enter the NetBIOS name for the IPA domain."
print "Only up to 15 uppercase ASCII letters and digits are allowed."
print "Example: EXAMPLE."
print ""
print ""
if not netbios_default:
netbios_default = "EXAMPLE"
while True:
netbios_name = ipautil.user_input("NetBIOS domain name", netbios_default, allow_empty = False)
print("")
print ""
if adtrustinstance.check_netbios_name(netbios_name):
break
@@ -107,9 +97,9 @@ def read_netbios_name(netbios_default):
return netbios_name
def read_admin_password(admin_name):
print("Configuring cross-realm trusts for IPA server requires password for user '%s'." % (admin_name))
print("This user is a regular system account used for IPA server administration.")
print("")
print "Configuring cross-realm trusts for IPA server requires password for user '%s'." % (admin_name)
print "This user is a regular system account used for IPA server administration."
print ""
admin_password = read_password(admin_name, confirm=False, validate=None)
return admin_password
@@ -148,17 +138,17 @@ def set_and_check_netbios_name(netbios_name, unattended):
reset_netbios_name = False
elif cur_netbios_name and cur_netbios_name != netbios_name:
# change the NetBIOS name
print("Current NetBIOS domain name is %s, new name is %s.\n" % \
(cur_netbios_name, netbios_name))
print("Please note that changing the NetBIOS name might " \
"break existing trust relationships.")
print "Current NetBIOS domain name is %s, new name is %s.\n" % \
(cur_netbios_name, netbios_name)
print "Please note that changing the NetBIOS name might " \
"break existing trust relationships."
if unattended:
reset_netbios_name = True
print("NetBIOS domain name will be changed to %s.\n" % \
netbios_name)
print "NetBIOS domain name will be changed to %s.\n" % \
netbios_name
else:
print("Say 'yes' if the NetBIOS shall be changed and " \
"'no' if the old one shall be kept.")
print "Say 'yes' if the NetBIOS shall be changed and " \
"'no' if the old one shall be kept."
reset_netbios_name = ipautil.user_input(
'Do you want to reset the NetBIOS domain name?',
default = False, allow_empty = False)
@@ -173,8 +163,8 @@ def set_and_check_netbios_name(netbios_name, unattended):
if entry is not None:
# Fix existing trust configuration
print("Trust is configured but no NetBIOS domain name found, " \
"setting it now.")
print "Trust is configured but no NetBIOS domain name found, " \
"setting it now."
reset_netbios_name = True
else:
# initial trust configuration
@@ -203,17 +193,17 @@ def set_and_check_netbios_name(netbios_name, unattended):
def ensure_admin_kinit(admin_name, admin_password):
try:
ipautil.run(['kinit', admin_name], stdin=admin_password+'\n')
except ipautil.CalledProcessError as e:
print("There was error to automatically re-kinit your admin user ticket.")
except ipautil.CalledProcessError, e:
print "There was error to automatically re-kinit your admin user ticket."
return False
return True
def enable_compat_tree():
print("Do you want to enable support for trusted domains in Schema Compatibility plugin?")
print("This will allow clients older than SSSD 1.9 and non-Linux clients to work with trusted users.")
print("")
print "Do you want to enable support for trusted domains in Schema Compatibility plugin?"
print "This will allow clients older than SSSD 1.9 and non-Linux clients to work with trusted users."
print ""
enable_compat = ipautil.user_input("Enable trusted domains support in slapi-nis?", default = False, allow_empty = False)
print("")
print ""
return enable_compat
@@ -224,7 +214,7 @@ def main():
sys.exit("Must be root to setup AD trusts on server")
standard_logging_setup(log_file_name, debug=options.debug, filemode='a')
print("\nThe log file for this installation can be found in %s" % log_file_name)
print "\nThe log file for this installation can be found in %s" % log_file_name
root_logger.debug('%s was invoked with options: %s' % (sys.argv[0], safe_options))
root_logger.debug("missing options might be asked for interactively later\n")
@@ -235,18 +225,18 @@ def main():
global fstore
fstore = sysrestore.FileStore(paths.SYSRESTORE)
print("==============================================================================")
print("This program will setup components needed to establish trust to AD domains for")
print("the FreeIPA Server.")
print("")
print("This includes:")
print(" * Configure Samba")
print(" * Add trust related objects to FreeIPA LDAP server")
print "=============================================================================="
print "This program will setup components needed to establish trust to AD domains for"
print "the FreeIPA Server."
print ""
print "This includes:"
print " * Configure Samba"
print " * Add trust related objects to FreeIPA LDAP server"
#TODO:
#print " * Add a SID to all users and Posix groups"
print("")
print("To accept the default shown in brackets, press the Enter key.")
print("")
print ""
print "To accept the default shown in brackets, press the Enter key."
print ""
# Check if samba packages are installed
if not adtrustinstance.check_inst():
@@ -281,7 +271,7 @@ def main():
if adtrustinstance.ipa_smb_conf_exists():
if not options.unattended:
print("IPA generated smb.conf detected.")
print "IPA generated smb.conf detected."
if not ipautil.user_input("Overwrite smb.conf?",
default = False,
allow_empty = False):
@@ -300,6 +290,38 @@ def main():
if not options.unattended and not options.enable_compat:
options.enable_compat = enable_compat_tree()
# Check we have a public IP that is associated with the hostname
ip = None
try:
hostaddr = resolve_host(api.env.host)
if len(hostaddr) > 1:
print >> sys.stderr, "The server hostname resolves to more than one address:"
for addr in hostaddr:
print >> sys.stderr, " %s" % addr
if options.ip_address:
if str(options.ip_address) not in hostaddr:
print >> sys.stderr, "Address passed in --ip-address did not match any resolved"
print >> sys.stderr, "address!"
sys.exit(1)
print "Selected IP address:", str(options.ip_address)
ip = options.ip_address
else:
if options.unattended:
print >> sys.stderr, "Please use --ip-address option to specify the address"
sys.exit(1)
else:
ip = read_ip_address(api.env.host, fstore)
else:
ip = hostaddr and ipautil.CheckedIPAddress(hostaddr[0], match_local=True)
except Exception, e:
print "Error: Invalid IP Address %s: %s" % (ip, e)
print "Aborting installation"
sys.exit(1)
ip_address = str(ip)
root_logger.debug("will use ip_address: %s\n", ip_address)
admin_password = options.admin_password
if not (options.unattended or admin_password):
admin_password = read_admin_password(options.admin_name)
@@ -308,29 +330,31 @@ def main():
if admin_password:
admin_kinited = ensure_admin_kinit(options.admin_name, admin_password)
if not admin_kinited:
print("Proceeding with credentials that existed before")
print "Proceeding with credentials that existed before"
try:
principal = krb_utils.get_principal()
except errors.CCacheError as e:
sys.exit("Must have Kerberos credentials to setup AD trusts on server: %s" % e.message)
ctx = krbV.default_context()
ccache = ctx.default_ccache()
principal = ccache.principal()
except krbV.Krb5Error, e:
sys.exit("Must have Kerberos credentials to setup AD trusts on server")
try:
api.Backend.ldap2.connect()
except errors.ACIError as e:
api.Backend.ldap2.connect(ccache)
except errors.ACIError, e:
sys.exit("Outdated Kerberos credentials. Use kdestroy and kinit to update your ticket")
except errors.DatabaseError as e:
except errors.DatabaseError, e:
sys.exit("Cannot connect to the LDAP database. Please check if IPA is running")
try:
user = api.Command.user_show(principal.partition('@')[0].partition('/')[0])['result']
user = api.Command.user_show(unicode(principal[0]))['result']
group = api.Command.group_show(u'admins')['result']
if not (user['uid'][0] in group['member_user'] and
group['cn'][0] in user['memberof_group']):
raise errors.RequirementError(name='admins group membership')
except errors.RequirementError as e:
except errors.RequirementError, e:
sys.exit("Must have administrative privileges to setup AD trusts on server")
except Exception as e:
except Exception, e:
sys.exit("Unrecognized error during check of admin rights: %s" % (str(e)))
(netbios_name, reset_netbios_name) = \
@@ -351,38 +375,38 @@ def main():
except errors.NotFound:
# All objects have SIDs assigned
pass
except (errors.DatabaseError, errors.NetworkError) as e:
print("Could not retrieve a list of objects that need a SID identifier assigned:")
print(unicode(e))
except (errors.DatabaseError, errors.NetworkError), e:
print "Could not retrieve a list of objects that need a SID identifier assigned:"
print unicode(e)
else:
object_count = len(entries)
if object_count > 0:
print("")
print("WARNING: %d existing users or groups do not have a SID identifier assigned." \
% len(entries))
print("Installer can run a task to have ipa-sidgen Directory Server plugin generate")
print("the SID identifier for all these users. Please note, the in case of a high")
print("number of users and groups, the operation might lead to high replication")
print("traffic and performance degradation. Refer to ipa-adtrust-install(1) man page")
print("for details.")
print("")
print ""
print "WARNING: %d existing users or groups do not have a SID identifier assigned." \
% len(entries)
print "Installer can run a task to have ipa-sidgen Directory Server plugin generate"
print "the SID identifier for all these users. Please note, the in case of a high"
print "number of users and groups, the operation might lead to high replication"
print "traffic and performance degradation. Refer to ipa-adtrust-install(1) man page"
print "for details."
print ""
if options.unattended:
print("Unattended mode was selected, installer will NOT run ipa-sidgen task!")
print "Unattended mode was selected, installer will NOT run ipa-sidgen task!"
else:
if ipautil.user_input("Do you want to run the ipa-sidgen task?", default=False,
allow_empty=False):
options.add_sids = True
if not options.unattended:
print("")
print("The following operations may take some minutes to complete.")
print("Please wait until the prompt is returned.")
print("")
print ""
print "The following operations may take some minutes to complete."
print "Please wait until the prompt is returned."
print ""
smb = adtrustinstance.ADTRUSTInstance(fstore)
smb.realm = api.env.realm
smb.autobind = ipaldap.AUTOBIND_ENABLED
smb.setup(api.env.host, api.env.realm, api.env.domain,
smb.autobind = service.ENABLED
smb.setup(api.env.host, ip_address, api.env.realm, api.env.domain,
netbios_name, reset_netbios_name,
options.rid_base, options.secondary_rid_base,
options.no_msdcs, options.add_sids,
@@ -390,113 +414,40 @@ def main():
smb.find_local_id_range()
smb.create_instance()
if options.add_agents:
# Find out IPA masters which are not part of the cn=adtrust agents
# and propose them to be added to the list
base_dn = api.env.basedn
masters_dn = DN(('cn', 'masters'), ('cn', 'ipa'), ('cn', 'etc'), base_dn)
agents_dn = DN(('cn', 'adtrust agents'), ('cn', 'sysaccounts'), ('cn', 'etc'), base_dn)
new_agents = []
entries_m = []
entries_a = []
try:
# Search only masters which have support for domain levels
# because only these masters will have SSSD recent enough to support AD trust agents
(entries_m, truncated) = smb.admin_conn.find_entries(
filter="(&(objectclass=ipaSupportedDomainLevelConfig)(ipaMaxDomainLevel=*)(ipaMinDomainLevel=*))",
base_dn=masters_dn, attrs_list=['cn'], scope=ldap.SCOPE_ONELEVEL)
except errors.NotFound:
pass
except (errors.DatabaseError, errors.NetworkError) as e:
print("Could not retrieve a list of existing IPA masters:")
print(unicode(e))
try:
(entries_a, truncated) = smb.admin_conn.find_entries(filter="",
base_dn=agents_dn, attrs_list=['member'], scope=ldap.SCOPE_BASE)
except errors.NotFound:
pass
except (errors.DatabaseError, errors.NetworkError) as e:
print("Could not retrieve a list of adtrust agents:")
print(unicode(e))
if len(entries_m) > 0:
existing_masters = [x['cn'][0] for x in entries_m]
adtrust_agents = entries_a[0]['member']
potential_agents = []
for m in existing_masters:
mdn = DN(('fqdn', m), api.env.container_host, api.env.basedn)
found = False
for a in adtrust_agents:
if mdn == a:
found = True
break
if not found:
potential_agents += [[m, mdn]]
object_count = len(potential_agents)
if object_count > 0:
print("")
print("WARNING: %d IPA masters are not yet able to serve information about users from trusted forests." \
% (object_count))
print("Installer can add them to the list of IPA masters allowed to access infromation about trusts.")
print("If you choose to do so, you also need to restart LDAP service on those masters.")
print("Refer to ipa-adtrust-install(1) man page for details.")
print("")
if options.unattended:
print("Unattended mode was selected, installer will NOT add other IPA masters to the list of allowed to")
print("access information about trusted forests!")
else:
print("Do you want to allow following IPA masters to serve information about users from trusted forests?")
for (name, dn) in potential_agents:
if name == api.env.host:
# Don't add this host here
# it shouldn't be here as it was added by the adtrustinstance setup code
continue
if ipautil.user_input("IPA master [%s]?" % (name), default=False, allow_empty=False):
new_agents += [[name, dn]]
if len(new_agents) > 0:
# Add the CIFS and host principals to the 'adtrust agents' group
# as 389-ds only operates with GroupOfNames, we have to use
# the principal's proper dn as defined in self.cifs_agent
service.add_principals_to_group(smb.admin_conn, agents_dn, "member",
[x[1] for x in new_agents])
print("""
WARNING: you MUST restart (e.g. ipactl restart) the following IPA masters in order
to activate them to serve information about users from trusted forests:""")
for x in new_agents:
print(x[0])
print("""
print """
=============================================================================
Setup complete
You must make sure these network ports are open:
\tTCP Ports:
\t * 135: epmap
\t * 138: netbios-dgm
\t * 139: netbios-ssn
\t * 445: microsoft-ds
\t * 1024..1300: epmap listener range
\tUDP Ports:
\t * 138: netbios-dgm
\t * 139: netbios-ssn
\t * 389: (C)LDAP
\t * 445: microsoft-ds
See the ipa-adtrust-install(1) man page for more details
Additionally you have to make sure the FreeIPA LDAP server is not reachable
by any domain controller in the Active Directory domain by closing down
the following ports for these servers:
\tTCP Ports:
\t * 389, 636: LDAP/LDAPS
You may want to choose to REJECT the network packets instead of DROPing
them to avoid timeouts on the AD domain controllers.
=============================================================================
""")
"""
if admin_password:
admin_kinited = ensure_admin_kinit(options.admin_name, admin_password)
if not admin_kinited:
print("""
print """
WARNING: you MUST re-kinit admin user before using 'ipa trust-*' commands
family in order to re-generate Kerberos tickets to include AD-specific
information""")
information"""
return 0