Imported Debian patch 4.0.5-6~numeezy

This commit is contained in:
Alexandre Ellert
2016-02-17 15:07:45 +01:00
committed by Mario Fetka
parent c44de33144
commit 10dfc9587b
1203 changed files with 53869 additions and 241462 deletions


@@ -18,16 +18,14 @@
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
from __future__ import print_function
from ipapython.config import IPAOptionParser
from ipapython import version
from ipapython import ipautil, certdb
from ipapython import ipautil
from ipapython import dogtag
from ipapython.ipautil import CalledProcessError
from ipalib import api, errors, x509
from ipaserver.install import installutils
import ipaclient.ipachangeconf
from optparse import OptionGroup, OptionValueError
from optparse import OptionGroup
from ipapython.ipa_log_manager import *
import sys
import os
@@ -40,13 +38,11 @@ import errno
from socket import SOCK_STREAM, SOCK_DGRAM
import distutils.spawn
from ipaplatform.paths import paths
import gssapi
from nss import nss
CONNECT_TIMEOUT = 5
RESPONDERS = [ ]
QUIET = False
CCACHE_FILE = None
CCACHE_FILE = paths.CONNCHECK_CCACHE
KRB5_CONFIG = None
class SshExec(object):
@@ -58,7 +54,7 @@ class SshExec(object):
def __call__(self, command, verbose=False):
# Bail if ssh is not installed
if self.cmd is None:
print("WARNING: ssh not installed, skipping ssh test")
print "WARNING: ssh not installed, skipping ssh test"
return ('', '', 0)
tmpf = tempfile.NamedTemporaryFile()
@@ -66,24 +62,13 @@ class SshExec(object):
self.cmd,
'-o StrictHostKeychecking=no',
'-o UserKnownHostsFile=%s' % tmpf.name,
'-o GSSAPIAuthentication=yes',
'%s@%s' % (self.user, self.addr), command
]
if verbose:
cmd.insert(1, '-v')
env = dict()
if KRB5_CONFIG is not None:
env['KRB5_CONFIG'] = KRB5_CONFIG
elif 'KRB5_CONFIG' in os.environ:
env['KRB5_CONFIG'] = os.environ['KRB5_CONFIG']
if CCACHE_FILE is not None:
env['KRB5CCNAME'] = CCACHE_FILE
elif 'KRB5CCNAME' in os.environ:
env['KRB5CCNAME'] = os.environ['KRB5CCNAME']
return ipautil.run(cmd, env=env, raiseonerr=False,
capture_output=True, capture_error=True)
env = {'KRB5_CONFIG': KRB5_CONFIG, 'KRB5CCNAME': CCACHE_FILE}
return ipautil.run(cmd, env=env, raiseonerr=False)
class CheckedPort(object):
@@ -106,33 +91,9 @@ BASE_PORTS = [
def print_info(msg):
if not QUIET:
print(msg)
print msg
def parse_options():
def ca_cert_file_callback(option, opt, value, parser):
if not os.path.exists(value):
raise OptionValueError(
"%s option '%s' does not exist" % (opt, value))
if not os.path.isfile(value):
raise OptionValueError(
"%s option '%s' is not a file" % (opt, value))
if not os.path.isabs(value):
raise OptionValueError(
"%s option '%s' is not an absolute file path" % (opt, value))
initialized = nss.nss_is_initialized()
try:
x509.load_certificate_list_from_file(value)
except Exception:
raise OptionValueError(
"%s option '%s' is not a valid certificate file" %
(opt, value))
finally:
if not initialized:
nss.nss_shutdown()
parser.values.ca_cert_file = value
parser = IPAOptionParser(version=version.VERSION)
replica_group = OptionGroup(parser, "on-replica options")
@@ -147,13 +108,9 @@ def parse_options():
replica_group.add_option("-k", "--kdc", dest="kdc",
help="Master KDC. Defaults to master address")
replica_group.add_option("-p", "--principal", dest="principal",
default=None, help="Principal to use to log in to remote master")
default="admin", help="Principal to use to log in to remote master")
replica_group.add_option("-w", "--password", dest="password", sensitive=True,
help="Password for the principal"),
replica_group.add_option("--ca-cert-file", dest="ca_cert_file",
type="string", action="callback",
callback=ca_cert_file_callback,
help="load the CA certificate from this file")
parser.add_option_group(replica_group)
@@ -250,8 +207,7 @@ def configure_krb5_conf(realm, kdc, filename):
libdefaults.append({'name':'dns_lookup_kdc', 'type':'option', 'value':'true'})
libdefaults.append({'name':'rdns', 'type':'option', 'value':'false'})
libdefaults.append({'name':'ticket_lifetime', 'type':'option', 'value':'24h'})
libdefaults.append({'name':'forwardable', 'type':'option', 'value':'true'})
libdefaults.append({'name':'udp_preference_limit', 'type':'option', 'value':'0'})
libdefaults.append({'name':'forwardable', 'type':'option', 'value':'yes'})
opts.append({'name':'libdefaults', 'type':'section', 'value': libdefaults})
opts.append({'name':'empty', 'type':'empty'})
@@ -298,7 +254,7 @@ class PortResponder(threading.Thread):
responder_data="FreeIPA")
except socket.timeout:
pass
except socket.error as e:
except socket.error, e:
if e.errno == errno.EADDRINUSE:
time.sleep(1)
else:
@@ -328,10 +284,10 @@ def port_check(host, port_list):
print_info(" %s (%d): %s" % (port.description, port.port, result))
if ports_udp_warning:
print("The following UDP ports could not be verified as open: %s" \
% ", ".join(str(port.port) for port in ports_udp_warning))
print("This can happen if they are already bound to an application")
print("and ipa-replica-conncheck cannot attach own UDP responder.")
print "The following UDP ports could not be verified as open: %s" \
% ", ".join(str(port.port) for port in ports_udp_warning)
print "This can happen if they are already bound to an application"
print "and ipa-replica-conncheck cannot attach own UDP responder."
if ports_failed:
msg_ports = []
@@ -355,8 +311,8 @@ def main():
if options.check_ca:
# Check old Dogtag CA replication port
# New installs with unified databases use main DS port (checked above)
required_ports.append(CheckedPort(7389, SOCK_STREAM,
"PKI-CA: Directory Service port"))
required_ports.append(CheckedPort(dogtag.Dogtag9Constants.DS_PORT,
SOCK_STREAM, "PKI-CA: Directory Service port"))
if options.replica:
print_info("Check connection from master to remote replica '%s':" % options.replica)
@@ -393,147 +349,60 @@ def main():
remote_check_opts = ['--replica %s' % options.hostname]
if options.auto_master_check:
(krb_fd, krb_name) = tempfile.mkstemp()
os.close(krb_fd)
configure_krb5_conf(options.realm, options.kdc, krb_name)
global KRB5_CONFIG
KRB5_CONFIG = krb_name
print_info("Get credentials to log in to remote master")
cred = None
if options.principal is None:
# Check if ccache is available
try:
root_logger.debug('KRB5CCNAME set to %s' %
os.environ.get('KRB5CCNAME', None))
# get default creds, will raise if none found
cred = gssapi.creds.Credentials()
principal = str(cred.name)
except gssapi.raw.misc.GSSError as e:
root_logger.debug('Failed to find default ccache: %s' % e)
# Use admin as the default principal
principal = "admin"
if options.principal.find('@') == -1:
principal = '%s@%s' % (options.principal, options.realm)
user = options.principal
else:
principal = options.principal
user = options.principal.partition('@')[0]
if cred is None:
(krb_fd, krb_name) = tempfile.mkstemp()
os.close(krb_fd)
configure_krb5_conf(options.realm, options.kdc, krb_name)
global KRB5_CONFIG
KRB5_CONFIG = krb_name
(ccache_fd, ccache_name) = tempfile.mkstemp()
os.close(ccache_fd)
global CCACHE_FILE
CCACHE_FILE = ccache_name
if principal.find('@') == -1:
principal = '%s@%s' % (principal, options.realm)
if options.password:
password=options.password
else:
password = installutils.read_password(principal, confirm=False,
validate=False, retry=False)
if password is None:
sys.exit("Principal password required")
if options.password:
password=options.password
else:
password = installutils.read_password(principal, confirm=False,
validate=False, retry=False)
if password is None:
sys.exit("Principal password required")
result = ipautil.run([paths.KINIT, principal],
env={'KRB5_CONFIG':KRB5_CONFIG, 'KRB5CCNAME':CCACHE_FILE},
stdin=password, raiseonerr=False, capture_error=True)
if result.returncode != 0:
raise RuntimeError("Cannot acquire Kerberos ticket: %s" %
result.error_output)
stderr=''
(stdout, stderr, returncode) = ipautil.run([paths.KINIT, principal],
env={'KRB5_CONFIG':KRB5_CONFIG, 'KRB5CCNAME':CCACHE_FILE},
stdin=password, raiseonerr=False)
if returncode != 0:
raise RuntimeError("Cannot acquire Kerberos ticket: %s" % stderr)
# Verify kinit was actually successful
result = ipautil.run([paths.BIN_KVNO,
'host/%s' % options.master],
env={'KRB5_CONFIG':KRB5_CONFIG, 'KRB5CCNAME':CCACHE_FILE},
raiseonerr=False, capture_error=True)
if result.returncode != 0:
raise RuntimeError("Could not get ticket for master server: %s" %
result.error_output)
# Verify kinit was actually successful
stderr=''
(stdout, stderr, returncode) = ipautil.run([paths.BIN_KVNO,
'host/%s' % options.master],
env={'KRB5_CONFIG':KRB5_CONFIG, 'KRB5CCNAME':CCACHE_FILE},
raiseonerr=False)
if returncode != 0:
raise RuntimeError("Could not get ticket for master server: %s" % stderr)
try:
print_info("Check RPC connection to remote master")
ssh = SshExec(user, options.master)
xmlrpc_uri = ('https://%s/ipa/xml' %
ipautil.format_netloc(options.master))
api.bootstrap(context='client', xmlrpc_uri=xmlrpc_uri)
api.finalize()
print_info("Check SSH connection to remote master")
stdout, stderr, returncode = ssh('echo OK', verbose=True)
if returncode != 0:
print 'Could not SSH into remote host. Error output:'
for line in stderr.splitlines():
print ' %s' % line
raise RuntimeError('Could not SSH to remote host.')
if options.ca_cert_file:
nss_dir = None
else:
nss_dir = paths.IPA_NSSDB_DIR
with certdb.NSSDatabase(nss_dir) as nss_db:
if options.ca_cert_file:
nss_dir = nss_db.secdir
password = ipautil.ipa_generate_password()
password_file = ipautil.write_tmp_file(password)
nss_db.create_db(password_file.name)
ca_certs = x509.load_certificate_list_from_file(
options.ca_cert_file, dbdir=nss_db.secdir)
for ca_cert in ca_certs:
nss_db.add_cert(
ca_cert.der_data, str(ca_cert.subject), 'C,,')
del ca_cert
del ca_certs
else:
nss_dir = None
try:
api.Backend.rpcclient.connect(nss_dir=nss_dir)
api.Command.ping()
except Exception as e:
print_info(
"Could not connect to the remote host: %s" % e)
raise
print_info("Execute check on remote master")
try:
result = api.Backend.rpcclient.forward(
'server_conncheck',
ipautil.fsdecode(options.master),
ipautil.fsdecode(options.hostname),
version=u'2.162',
)
except (errors.CommandError, errors.NetworkError) as e:
print_info(
"Remote master does not support check over RPC: "
"%s" % e)
raise
except errors.PublicError as e:
returncode = 1
stderr = e
else:
for message in result['messages']:
print_info(message['message'])
returncode = int(not result['result'])
stderr = ("ipa-replica-conncheck returned non-zero "
"exit code")
finally:
if api.Backend.rpcclient.isconnected():
api.Backend.rpcclient.disconnect()
except Exception:
print_info("Retrying using SSH...")
user = principal.partition('@')[0]
ssh = SshExec(user, options.master)
print_info("Check SSH connection to remote master")
result = ssh('echo OK', verbose=True)
if result.returncode != 0:
print('Could not SSH into remote host. Error output:')
for line in result.error_output.splitlines():
print(' %s' % line)
raise RuntimeError('Could not SSH to remote host.')
print_info("Execute check on remote master")
result = ssh(
"/usr/sbin/ipa-replica-conncheck " +
" ".join(remote_check_opts))
returncode = result.returncode
stderr = result.error_output
print_info(result.output)
print_info("Execute check on remote master")
stdout, stderr, returncode = ssh(
"/usr/sbin/ipa-replica-conncheck " +
" ".join(remote_check_opts))
print_info(stdout)
if returncode != 0:
raise RuntimeError("Remote master check failed with following error message(s):\n%s" % stderr)
else:
@@ -549,12 +418,12 @@ def main():
if __name__ == "__main__":
try:
sys.exit(main())
except SystemExit as e:
except SystemExit, e:
sys.exit(e)
except KeyboardInterrupt:
print_info("\nCleaning up...")
sys.exit(1)
except RuntimeError as e:
except RuntimeError, e:
sys.exit(e)
finally:
clean_responders(RESPONDERS)
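Review bot: In `SshExec.__call__` the new side builds `env = {'KRB5_CONFIG': KRB5_CONFIG, 'KRB5CCNAME': CCACHE_FILE}` unconditionally, so whenever the module-level `KRB5_CONFIG` is still `None` (in `main` it is only assigned under `options.auto_master_check`) the ssh child is handed a `None` environment value; the removed version guarded both keys with `is not None` and fell back to `os.environ`. Whether `ipautil.run` rejects or stringifies a `None` value depends on code outside this hunk, so it is safer to drop unset keys: `env = {k: v for k, v in (('KRB5_CONFIG', KRB5_CONFIG), ('KRB5CCNAME', CCACHE_FILE)) if v is not None}`. The `'-o StrictHostKeychecking=no'` line paired with a throwaway `UserKnownHostsFile` also deserves a why-comment now that the surrounding code is the only record of the design, e.g. `# remote host key is deliberately not verified here; the session presumably relies on the Kerberos ticket in KRB5CCNAME obtained by kinit above -- confirm`. `__call__` begins and ends outside this hunk.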