Imported Debian patch 4.0.5-6~numeezy

This commit is contained in:
Alexandre Ellert
2016-02-17 15:07:45 +01:00
committed by Mario Fetka
parent c44de33144
commit 10dfc9587b
1203 changed files with 53869 additions and 241462 deletions


@@ -17,8 +17,6 @@
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
from __future__ import print_function
import os
import errno
import ldap
@@ -28,30 +26,32 @@ import string
import struct
import re
import six
from ipaserver.install import service
from ipaserver.install import installutils
from ipaserver.install.dsinstance import realm_to_serverid
from ipaserver.install.bindinstance import get_rr, add_rr, del_rr, \
dns_zone_exists
from ipaserver.install.replication import wait_for_task
from ipalib import errors, api
from ipalib.util import normalize_zone
from ipapython.dn import DN
from ipapython import sysrestore
from ipapython import ipautil
from ipapython.ipa_log_manager import root_logger
import ipapython.errors
from ipapython.ipa_log_manager import *
import ipaclient.ipachangeconf
from ipaplatform import services
from ipaplatform.paths import paths
from ipaplatform.tasks import tasks
if six.PY3:
unicode = str
ALLOWED_NETBIOS_CHARS = string.ascii_uppercase + string.digits + '-'
ALLOWED_NETBIOS_CHARS = string.ascii_uppercase + string.digits
SELINUX_WARNING = """
WARNING: could not set selinux boolean(s) %(var)s to true. The adtrust
service may not function correctly until this boolean is successfully
change with the command:
/usr/sbin/setsebool -P %(var)s true
Try updating the policycoreutils and selinux-policy packages.
"""
UPGRADE_ERROR = """
Entry %(dn)s does not exist.
@@ -60,15 +60,12 @@ configuration was not set up properly. Please run ipa-ldap-updater manually
and re-run ipa-adtrust-instal again afterwards.
"""
SELINUX_BOOLEAN_SETTINGS = {'samba_portmapper': 'on'}
def check_inst():
for smbfile in [paths.SMBD, paths.NET]:
if not os.path.exists(smbfile):
print("%s was not found on this system" % smbfile)
print("Please install the 'samba' packages and " \
"start the installation again")
print "%s was not found on this system" % smbfile
print "Please install the 'samba' packages and " \
"start the installation again"
return False
#TODO: Add check for needed samba4 libraries
@@ -78,7 +75,7 @@ def check_inst():
def ipa_smb_conf_exists():
try:
conf_fd = open(paths.SMB_CONF, 'r')
except IOError as err:
except IOError, err:
if err.errno == errno.ENOENT:
return False
@@ -90,19 +87,13 @@ def ipa_smb_conf_exists():
return False
def check_netbios_name(name):
# Empty NetBIOS name is not allowed
if name is None:
def check_netbios_name(s):
# NetBIOS names may not be longer than 15 allowed characters
if not s or len(s) > 15 or \
''.join([c for c in s if c not in ALLOWED_NETBIOS_CHARS]):
return False
# NetBIOS names may not be longer than 15 allowed characters
invalid_netbios_name = any([
len(name) > 15,
''.join([c for c in name if c not in ALLOWED_NETBIOS_CHARS])
])
return not invalid_netbios_name
return True
def make_netbios_name(s):
return ''.join([c for c in s.split('.')[0].upper() \
@@ -120,6 +111,7 @@ class ADTRUSTInstance(service.Service):
FALLBACK_GROUP_NAME = u'Default SMB Group'
def __init__(self, fstore=None):
self.ip_address = None
self.netbios_name = None
self.reset_netbios_name = None
self.no_msdcs = None
@@ -156,6 +148,7 @@ class ADTRUSTInstance(service.Service):
# Constants
self.smb_conf = paths.SMB_CONF
self.samba_keytab = paths.SAMBA_KEYTAB
self.selinux_booleans = ["samba_portmapper"]
self.cifs_hosts = []
# Values obtained from API.env
@@ -167,7 +160,7 @@ class ADTRUSTInstance(service.Service):
self.cifs_principal = "cifs/" + self.fqdn + "@" + self.realm
self.suffix = ipautil.realm_to_suffix(self.realm)
self.ldapi_socket = "%%2fvar%%2frun%%2fslapd-%s.socket" % \
installutils.realm_to_serverid(self.realm)
realm_to_serverid(self.realm)
# DN definitions
self.trust_dn = DN(api.env.container_trusts, self.suffix)
@@ -184,9 +177,6 @@ class ADTRUSTInstance(service.Service):
self.cifs_agent = DN(('krbprincipalname', self.cifs_principal.lower()),
api.env.container_service,
self.suffix)
self.host_princ = DN(('fqdn', self.fqdn),
api.env.container_host,
self.suffix)
def __gen_sid_string(self):
@@ -221,13 +211,13 @@ class ADTRUSTInstance(service.Service):
try:
admin_entry = self.admin_conn.get_entry(admin_dn)
except errors.NotFound:
except:
self.print_msg("IPA admin object not found")
return
try:
admin_group_entry = self.admin_conn.get_entry(admin_group_dn)
except errors.NotFound:
except:
self.print_msg("IPA admin group object not found")
return
@@ -238,7 +228,7 @@ class ADTRUSTInstance(service.Service):
self.admin_conn.modify_s(admin_dn, \
[(ldap.MOD_ADD, "objectclass", self.OBJC_USER), \
(ldap.MOD_ADD, self.ATTR_SID, dom_sid + "-500")])
except Exception:
except:
self.print_msg("Failed to modify IPA admin object")
if admin_group_entry.single_value.get(self.ATTR_SID):
@@ -248,30 +238,9 @@ class ADTRUSTInstance(service.Service):
self.admin_conn.modify_s(admin_group_dn, \
[(ldap.MOD_ADD, "objectclass", self.OBJC_GROUP), \
(ldap.MOD_ADD, self.ATTR_SID, dom_sid + "-512")])
except Exception:
except:
self.print_msg("Failed to modify IPA admin group object")
def __add_default_trust_view(self):
default_view_dn = DN(('cn', 'Default Trust View'),
api.env.container_views, self.suffix)
try:
self.admin_conn.get_entry(default_view_dn)
except errors.NotFound:
try:
self._ldap_mod('default-trust-view.ldif', self.sub_dict)
except Exception as e:
self.print_msg("Failed to add default trust view.")
raise e
else:
self.print_msg("Default Trust View already exists.")
# _ldap_mod does not return useful error codes, so we must check again
# if the default trust view was created properly.
try:
self.admin_conn.get_entry(default_view_dn)
except errors.NotFound:
self.print_msg("Failed to add Default Trust View.")
def __add_fallback_group(self):
"""
@@ -304,7 +273,7 @@ class ADTRUSTInstance(service.Service):
except errors.NotFound:
try:
self._ldap_mod('default-smb-group.ldif', self.sub_dict)
except Exception as e:
except Exception, e:
self.print_msg("Failed to add fallback group.")
raise e
@@ -319,7 +288,7 @@ class ADTRUSTInstance(service.Service):
try:
mod = [(ldap.MOD_ADD, self.ATTR_FALLBACK_GROUP, fb_group_dn)]
self.admin_conn.modify_s(self.smb_dom_dn, mod)
except Exception:
except:
self.print_msg("Failed to add fallback group to domain object")
def __add_rid_bases(self):
@@ -340,7 +309,7 @@ class ADTRUSTInstance(service.Service):
r.single_value.get('ipaBaseRID'),
r.single_value.get('ipaSecondaryBaseRID')))
ranges_with_no_rid_base = [r for r in ranges if no_rid_base_set(r)]
ranges_with_no_rid_base = filter(no_rid_base_set, ranges)
# Return if no range is without RID base
if len(ranges_with_no_rid_base) == 0:
@@ -371,7 +340,7 @@ class ADTRUSTInstance(service.Service):
str(self.rid_base)),
(ldap.MOD_ADD, "ipaSecondaryBaseRID",
str(self.secondary_rid_base))])
except ldap.CONSTRAINT_VIOLATION as e:
except ldap.CONSTRAINT_VIOLATION, e:
self.print_msg("Failed to add RID bases to the local range "
"object:\n %s" % e[0]['info'])
raise RuntimeError("Constraint violation.\n")
@@ -414,7 +383,7 @@ class ADTRUSTInstance(service.Service):
except errors.NotFound:
try:
name = new_dn[1].attr
except Exception as e:
except Exception, e:
self.print_msg('Cannot extract RDN attribute value from "%s": %s' % \
(new_dn, e))
return
@@ -466,34 +435,32 @@ class ADTRUSTInstance(service.Service):
"""
self.__add_plugin_conf('CLDAP', 'ipa_cldap', 'ipa-cldap-conf.ldif')
def __add_sidgen_task(self):
def __add_sidgen_module(self):
"""
Add sidgen directory server plugin configuration and the related task
if they not already exist.
"""
self.__add_plugin_conf('Sidgen', 'IPA SIDGEN', 'ipa-sidgen-conf.ldif')
self.__add_plugin_conf('Sidgen task', 'ipa-sidgen-task',
'ipa-sidgen-task-conf.ldif')
def __add_sids(self):
"""
Add SIDs for existing users and groups. Make sure the task is finished
before continuing.
Add SIDs for existing users and groups
"""
try:
# Start the sidgen task
self._ldap_mod("ipa-sidgen-task-run.ldif", self.sub_dict)
except:
pass
# Notify the user about the possible delay
self.print_msg("This step may take considerable amount of time, please wait..")
# Wait for the task to complete
task_dn = DN('cn=sidgen,cn=ipa-sidgen-task,cn=tasks,cn=config')
wait_for_task(self.admin_conn, task_dn)
except Exception as e:
root_logger.warning("Exception occured during SID generation: {0}"
.format(str(e)))
def __add_extdom_module(self):
"""
Add directory server configuration for the extdom extended operation
if it not already exists.
"""
self.__add_plugin_conf('Extdom', 'ipa_extdom_extop',
'ipa-extdom-extop-conf.ldif')
def __add_s4u2proxy_target(self):
"""
@@ -520,11 +487,6 @@ class ADTRUSTInstance(service.Service):
os.write(tmp_fd, conf)
os.close(tmp_fd)
# Workaround for: https://fedorahosted.org/freeipa/ticket/5687
# We make sure that paths.SMB_CONF file exists, hence touch it
with open(paths.SMB_CONF, 'a'):
os.utime(paths.SMB_CONF, None)
args = [paths.NET, "conf", "import", tmp_name]
try:
@@ -532,13 +494,6 @@ class ADTRUSTInstance(service.Service):
finally:
os.remove(tmp_name)
def __setup_group_membership(self):
# Add the CIFS and host principals to the 'adtrust agents' group
# as 389-ds only operates with GroupOfNames, we have to use
# the principal's proper dn as defined in self.cifs_agent
service.add_principals_to_group(self.admin_conn, self.smb_dn, "member",
[self.cifs_agent, self.host_princ])
def __setup_principal(self):
try:
api.Command.service_add(unicode(self.cifs_principal))
@@ -547,11 +502,28 @@ class ADTRUSTInstance(service.Service):
# adtrustinstance is managed
# That's fine, we we'll re-extract the key again.
pass
except Exception as e:
except Exception, e:
self.print_msg("Cannot add CIFS service: %s" % e)
# Add the principal to the 'adtrust agents' group
# as 389-ds only operates with GroupOfNames, we have to use
# the principal's proper dn as defined in self.cifs_agent
try:
current = self.admin_conn.get_entry(self.smb_dn)
members = current.get('member', [])
if not(self.cifs_agent in members):
current["member"] = members + [self.cifs_agent]
self.admin_conn.update_entry(current)
except errors.NotFound:
entry = self.admin_conn.make_entry(
self.smb_dn,
objectclass=["top", "GroupOfNames"],
cn=[self.smb_dn['cn']],
member=[self.cifs_agent],
)
self.admin_conn.add_entry(entry)
self.clean_samba_keytab()
installutils.remove_ccache(paths.KRB5CC_SAMBA)
try:
ipautil.run(["ipa-getkeytab", "--server", self.fqdn,
@@ -566,7 +538,7 @@ class ADTRUSTInstance(service.Service):
try:
ipautil.run(["ipa-rmkeytab", "--principal", self.cifs_principal,
"-k", self.samba_keytab])
except ipautil.CalledProcessError as e:
except ipautil.CalledProcessError, e:
if e.returncode != 5:
root_logger.critical("Failed to remove old key for %s"
% self.cifs_principal)
@@ -582,7 +554,12 @@ class ADTRUSTInstance(service.Service):
"""
zone = self.domain_name
host_in_rr = normalize_zone(self.fqdn)
host, host_domain = self.fqdn.split(".", 1)
if normalize_zone(zone) == normalize_zone(host_domain):
host_in_rr = host
else:
host_in_rr = normalize_zone(self.fqdn)
priority = 0
@@ -612,10 +589,9 @@ class ADTRUSTInstance(service.Service):
self.print_msg(err_msg)
self.print_msg("Add the following service records to your DNS " \
"server for DNS zone %s: " % zone)
for suff in win_srv_suffix:
for srv in ipa_srv_rec:
self.print_msg("%s%s IN SRV %s" % (srv[0], suff, " ".join(srv[1])))
self.print_msg("")
for srv in ipa_srv_rec:
for suff in win_srv_suffix:
self.print_msg(" - %s%s" % (srv[0], suff))
return
for (srv, rdata, port) in ipa_srv_rec:
@@ -635,11 +611,35 @@ class ADTRUSTInstance(service.Service):
add_rr(zone, win_srv, "SRV", rec)
def __configure_selinux_for_smbd(self):
selinux = False
try:
tasks.set_selinux_booleans(SELINUX_BOOLEAN_SETTINGS,
self.backup_state)
except ipapython.errors.SetseboolError as e:
self.print_msg(e.format_service_warning('adtrust service'))
if (os.path.exists(paths.SELINUXENABLED)):
ipautil.run([paths.SELINUXENABLED])
selinux = True
except ipautil.CalledProcessError:
# selinuxenabled returns 1 if not enabled
pass
if selinux:
# Don't assume all booleans are available
sebools = []
for var in self.selinux_booleans:
try:
(stdout, stderr, returncode) = ipautil.run([paths.GETSEBOOL, var])
if stdout and not stderr and returncode == 0:
self.backup_state(var, stdout.split()[2])
sebools.append(var)
except:
pass
if sebools:
bools = [var + "=true" for var in sebools]
args = [paths.SETSEBOOL, "-P"]
args.extend(bools);
try:
ipautil.run(args)
except:
self.print_msg(SELINUX_WARNING % dict(var=','.join(sebools)))
def __mod_krb5_conf(self):
"""
@@ -679,7 +679,7 @@ class ADTRUSTInstance(service.Service):
try:
krb5conf = open(paths.KRB5_CONF, 'r')
except IOError as e:
except IOError, e:
self.print_msg("Cannot open /etc/krb5.conf (%s)\n" % str(e))
return
@@ -713,9 +713,9 @@ class ADTRUSTInstance(service.Service):
# this is CIFS service of a different host in our
# REALM, we need to remember it to announce via
# SRV records for _msdcs
self.cifs_hosts.append(normalize_zone(fqdn))
self.cifs_hosts.append(fqdn.split(".")[0])
except Exception as e:
except Exception, e:
root_logger.critical("Checking replicas for cifs principals failed with error '%s'" % e)
def __enable_compat_tree(self):
@@ -729,14 +729,14 @@ class ADTRUSTInstance(service.Service):
if not(config[1] in lookup_nsswitch):
current[lookup_nsswitch_name] = [config[1]]
self.admin_conn.update_entry(current)
except Exception as e:
except Exception, e:
root_logger.critical("Enabling nsswitch support in slapi-nis failed with error '%s'" % e)
def __start(self):
try:
self.start()
services.service('winbind').start()
except Exception:
except:
root_logger.critical("CIFS services failed to start")
def __stop(self):
@@ -744,19 +744,13 @@ class ADTRUSTInstance(service.Service):
try:
services.service('winbind').stop()
self.stop()
except Exception:
except:
pass
def __restart_dirsrv(self):
try:
services.knownservices.dirsrv.restart()
except Exception:
pass
def __restart_smb(self):
try:
services.knownservices.smb.restart()
except Exception:
except:
pass
def __enable(self):
@@ -769,13 +763,13 @@ class ADTRUSTInstance(service.Service):
try:
self.ldap_enable('ADTRUST', self.fqdn, self.dm_password, \
self.suffix)
except (ldap.ALREADY_EXISTS, errors.DuplicateEntry) as e:
except (ldap.ALREADY_EXISTS, errors.DuplicateEntry), e:
root_logger.info("ADTRUST Service startup entry already exists.")
try:
self.ldap_enable('EXTID', self.fqdn, self.dm_password, \
self.suffix)
except (ldap.ALREADY_EXISTS, errors.DuplicateEntry) as e:
except (ldap.ALREADY_EXISTS, errors.DuplicateEntry), e:
root_logger.info("EXTID Service startup entry already exists.")
def __setup_sub_dict(self):
@@ -787,10 +781,11 @@ class ADTRUSTInstance(service.Service):
LDAPI_SOCKET = self.ldapi_socket,
FQDN = self.fqdn)
def setup(self, fqdn, realm_name, domain_name, netbios_name,
def setup(self, fqdn, ip_address, realm_name, domain_name, netbios_name,
reset_netbios_name, rid_base, secondary_rid_base,
no_msdcs=False, add_sids=False, smbd_user="samba", enable_compat=False):
self.fqdn = fqdn
self.ip_address = ip_address
self.realm = realm_name
self.domain_name = domain_name
self.netbios_name = netbios_name
@@ -861,15 +856,14 @@ class ADTRUSTInstance(service.Service):
self.step("creating samba config registry", self.__write_smb_registry)
self.step("writing samba config file", self.__write_smb_conf)
self.step("adding cifs Kerberos principal", self.__setup_principal)
self.step("adding cifs and host Kerberos principals to the adtrust agents group", \
self.__setup_group_membership)
self.step("check for cifs services defined on other replicas", self.__check_replica)
self.step("adding cifs principal to S4U2Proxy targets", self.__add_s4u2proxy_target)
self.step("adding admin(group) SIDs", self.__add_admin_sids)
self.step("adding RID bases", self.__add_rid_bases)
self.step("updating Kerberos config", self.__update_krb5_conf)
self.step("activating CLDAP plugin", self.__add_cldap_module)
self.step("activating sidgen task", self.__add_sidgen_task)
self.step("activating sidgen plugin and task", self.__add_sidgen_module)
self.step("activating extdom plugin", self.__add_extdom_module)
self.step("configuring smbd to start on boot", self.__enable)
self.step("adding special DNS service records", \
self.__add_dns_service_records)
@@ -881,7 +875,6 @@ class ADTRUSTInstance(service.Service):
self.step("restarting Directory Server to take MS PAC and LDAP plugins changes into account", \
self.__restart_dirsrv)
self.step("adding fallback group", self.__add_fallback_group)
self.step("adding Default Trust View", self.__add_default_trust_view)
self.step("setting SELinux booleans", \
self.__configure_selinux_for_smbd)
self.step("starting CIFS services", self.__start)
@@ -889,7 +882,6 @@ class ADTRUSTInstance(service.Service):
if self.add_sids:
self.step("adding SIDs to existing users and groups",
self.__add_sids)
self.step("restarting smbd", self.__restart_smb)
self.start_creation(show_service_name=False)
@@ -917,15 +909,18 @@ class ADTRUSTInstance(service.Service):
# we should not restore smb.conf
# Restore the state of affected selinux booleans
boolean_states = {name: self.restore_state(name)
for name in SELINUX_BOOLEAN_SETTINGS}
try:
tasks.set_selinux_booleans(boolean_states)
except ipapython.errors.SetseboolError as e:
self.print_msg('WARNING: ' + str(e))
for var in self.selinux_booleans:
sebool_state = self.restore_state(var)
if not sebool_state is None:
try:
ipautil.run([paths.SETSEBOOL,
"-P", var, sebool_state])
except Exception:
self.print_msg(SELINUX_WARNING % dict(var=var))
# Remove samba's credentials cache
installutils.remove_ccache(ccache_path=paths.KRB5CC_SAMBA)
krb5cc_samba = paths.KRB5CC_SAMBA
installutils.remove_file(krb5cc_samba)
# Remove samba's configuration file
installutils.remove_file(self.smb_conf)
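Review bot: In `__add_sids` (hunk `@@ -466,34 +435,32 @@`) the new side wraps `self._ldap_mod("ipa-sidgen-task-run.ldif", self.sub_dict)` in a bare `except: pass`, so a sidgen task that fails to start is silently dropped while the install step still reports success and existing users and groups are left without SIDs; the removed side at least logged a warning and waited for the task with `wait_for_task`. I read the new side as the Python-2-only code because the `print` statements and `except X, e:` forms replace the `print_function`/`as e` forms, so please confirm the direction. A minimal fix that is valid on both Python versions is `except Exception as e:` followed by `root_logger.warning("Failed to start SID generation task: %s" % e)`. The same bare `except:` appears on the new side of the admin-object SID hunk (`@@ -221,13 +211,13 @@`), of `__start`/`__stop`/`__restart_smb` (hunks `@@ -729` and `@@ -744`) and of `__configure_selinux_for_smbd` (hunk `@@ -635`), where it also hides an `IndexError` from `stdout.split()[2]` and catches `KeyboardInterrupt`/`SystemExit`; narrowing each to `except Exception:` keeps the best-effort behaviour without masking those. The enclosing `ADTRUSTInstance` class and any later hunks of this file continue outside this view.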