Imported Debian patch 4.0.5-6~numeezy

This commit is contained in:
Alexandre Ellert
2016-02-17 15:07:45 +01:00
committed by Mario Fetka
parent c44de33144
commit 10dfc9587b
1203 changed files with 53869 additions and 241462 deletions


@@ -17,9 +17,6 @@
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
from __future__ import absolute_import
from __future__ import print_function
import shutil
import fileinput
import re
@@ -29,8 +26,8 @@ import pwd
import socket
import dns.name
from ipaserver.install import service
from ipaserver.install import installutils
import service
import installutils
from ipapython import sysrestore
from ipapython import ipautil
from ipapython import kernel_keyring
@@ -40,17 +37,36 @@ from ipapython.ipa_log_manager import *
from ipapython.dn import DN
from ipaserver.install import replication
from ipaserver.install import ldapupdate
from ipaserver.install import dsinstance
import pyasn1.codec.ber.decoder
import struct
from ipaserver.install import certs
import certs
from distutils import version
from ipaplatform.constants import constants
from ipaplatform.tasks import tasks
from ipaplatform.paths import paths
def update_key_val_in_file(filename, key, val):
if os.path.exists(filename):
pattern = "^[\s#]*%s\s*=\s*%s\s*" % (re.escape(key), re.escape(val))
p = re.compile(pattern)
for line in fileinput.input(filename):
if p.search(line):
fileinput.close()
return
fileinput.close()
pattern = "^[\s#]*%s\s*=" % re.escape(key)
p = re.compile(pattern)
for line in fileinput.input(filename, inplace=1):
if not p.search(line):
sys.stdout.write(line)
fileinput.close()
f = open(filename, "a")
f.write("%s=%s\n" % (key, val))
f.close()
class KpasswdInstance(service.SimpleServiceInstance):
def __init__(self):
service.SimpleServiceInstance.__init__(self, "kadmin")
@@ -118,11 +134,6 @@ class KrbInstance(service.Service):
host_entry['krbticketflags'] = service_entry['krbticketflags']
self.admin_conn.add_entry(host_entry)
# Add the host to the ipaserver host group
ld = ldapupdate.LDAPUpdate(ldapi=True)
ld.update([os.path.join(paths.UPDATES_DIR,
'20-ipaservers_hostgroup.update')])
def __common_setup(self, realm_name, host_name, domain_name, admin_password):
self.fqdn = host_name
self.realm = realm_name.upper()
@@ -157,6 +168,7 @@ class KrbInstance(service.Service):
self.__common_setup(realm_name, host_name, domain_name, admin_password)
self.step("adding sasl mappings to the directory", self.__configure_sasl_mappings)
self.step("adding kerberos container to the directory", self.__add_krb_container)
self.step("configuring KDC", self.__configure_instance)
self.step("initialize kerberos container", self.__init_ipa_kdb)
@@ -179,25 +191,22 @@ class KrbInstance(service.Service):
master_fqdn, host_name,
domain_name, admin_password,
setup_pkinit=False, pkcs12_info=None,
subject_base=None, promote=False):
subject_base=None):
self.pkcs12_info = pkcs12_info
self.subject_base = subject_base
self.master_fqdn = master_fqdn
self.__common_setup(realm_name, host_name, domain_name, admin_password)
self.step("adding sasl mappings to the directory", self.__configure_sasl_mappings)
self.step("writing stash file from DS", self.__write_stash_from_ds)
self.step("configuring KDC", self.__configure_instance)
if not promote:
self.step("creating a keytab for the directory",
self.__create_ds_keytab)
self.step("creating a keytab for the machine",
self.__create_host_keytab)
self.step("creating a keytab for the directory", self.__create_ds_keytab)
self.step("creating a keytab for the machine", self.__create_host_keytab)
self.step("adding the password extension to the directory", self.__add_pwd_extop_module)
if setup_pkinit:
self.step("installing X509 Certificate for PKINIT", self.__setup_pkinit)
if not promote:
self.step("enable GSSAPI for replication",
self.__convert_to_gssapi_replication)
self.step("enable GSSAPI for replication", self.__convert_to_gssapi_replication)
self.__common_post_setup()
@@ -227,13 +236,8 @@ class KrbInstance(service.Service):
SUFFIX=self.suffix,
DOMAIN=self.domain,
HOST=self.host,
SERVER_ID=installutils.realm_to_serverid(self.realm),
REALM=self.realm,
KRB5KDC_KADM5_ACL=paths.KRB5KDC_KADM5_ACL,
DICT_WORDS=paths.DICT_WORDS,
KRB5KDC_KADM5_KEYTAB=paths.KRB5KDC_KADM5_KEYTAB,
KDC_PEM=paths.KDC_PEM,
CACERT_PEM=paths.CACERT_PEM)
SERVER_ID=dsinstance.realm_to_serverid(self.realm),
REALM=self.realm)
# IPA server/KDC is not a subdomain of default domain
# Proper domain-realm mapping needs to be specified
@@ -260,13 +264,59 @@ class KrbInstance(service.Service):
root_logger.debug("Persistent keyring CCACHE is not enabled")
self.sub_dict['OTHER_LIBDEFAULTS'] = ''
def __configure_sasl_mappings(self):
# we need to remove any existing SASL mappings in the directory as otherwise they
# they may conflict.
try:
res = self.admin_conn.get_entries(
DN(('cn', 'mapping'), ('cn', 'sasl'), ('cn', 'config')),
self.admin_conn.SCOPE_ONELEVEL,
"(objectclass=nsSaslMapping)")
for r in res:
try:
self.admin_conn.delete_entry(r)
except Exception, e:
root_logger.critical(
"Error during SASL mapping removal: %s", e)
raise
except Exception, e:
root_logger.critical("Error while enumerating SASL mappings %s", e)
raise
entry = self.admin_conn.make_entry(
DN(
('cn', 'Full Principal'), ('cn', 'mapping'), ('cn', 'sasl'),
('cn', 'config')),
objectclass=["top", "nsSaslMapping"],
cn=["Full Principal"],
nsSaslMapRegexString=['\(.*\)@\(.*\)'],
nsSaslMapBaseDNTemplate=[self.suffix],
nsSaslMapFilterTemplate=['(krbPrincipalName=\\1@\\2)'],
nsSaslMapPriority=['10'],
)
self.admin_conn.add_entry(entry)
entry = self.admin_conn.make_entry(
DN(
('cn', 'Name Only'), ('cn', 'mapping'), ('cn', 'sasl'),
('cn', 'config')),
objectclass=["top", "nsSaslMapping"],
cn=["Name Only"],
nsSaslMapRegexString=['^[^:@]+$'],
nsSaslMapBaseDNTemplate=[self.suffix],
nsSaslMapFilterTemplate=['(krbPrincipalName=&@%s)' % self.realm],
nsSaslMapPriority=['10'],
)
self.admin_conn.add_entry(entry)
def __add_krb_container(self):
self._ldap_mod("kerberos.ldif", self.sub_dict)
def __add_default_acis(self):
self._ldap_mod("default-aci.ldif", self.sub_dict)
def __template_file(self, path, chmod=0o644):
def __template_file(self, path, chmod=0644):
template = os.path.join(ipautil.SHARE_DIR, os.path.basename(path) + ".template")
conf = ipautil.template_file(template, self.sub_dict)
self.fstore.backup_file(path)
@@ -292,8 +342,8 @@ class KrbInstance(service.Service):
)
try:
ipautil.run(args, nolog=(self.master_password,), stdin=''.join(dialogue))
except ipautil.CalledProcessError as e:
print("Failed to initialize the realm container")
except ipautil.CalledProcessError, e:
print "Failed to initialize the realm container"
def __configure_instance(self):
self.__template_file(paths.KRB5KDC_KDC_CONF, chmod=None)
@@ -305,10 +355,9 @@ class KrbInstance(service.Service):
MIN_KRB5KDC_WITH_WORKERS = "1.9"
cpus = os.sysconf('SC_NPROCESSORS_ONLN')
workers = False
result = ipautil.run(['klist', '-V'],
raiseonerr=False, capture_output=True)
if result.returncode == 0:
verstr = result.output.split()[-1]
(stdout, stderr, rc) = ipautil.run(['klist', '-V'], raiseonerr=False)
if rc == 0:
verstr = stdout.split()[-1]
ver = version.LooseVersion(verstr)
min = version.LooseVersion(MIN_KRB5KDC_WITH_WORKERS)
if ver >= min:
@@ -324,6 +373,31 @@ class KrbInstance(service.Service):
appendvars=appendvars)
tasks.restore_context(paths.SYSCONFIG_KRB5KDC_DIR)
def __write_stash_from_ds(self):
try:
entries = self.admin_conn.get_entries(
self.get_realm_suffix(), self.admin_conn.SCOPE_SUBTREE)
# TODO: Ensure we got only one entry
entry = entries[0]
except errors.NotFound, e:
root_logger.critical("Could not find master key in DS")
raise e
krbMKey = pyasn1.codec.ber.decoder.decode(
entry.single_value.get('krbmkey'))
keytype = int(krbMKey[0][1][0])
keydata = str(krbMKey[0][1][1])
format = '=hi%ss' % len(keydata)
s = struct.pack(format, keytype, len(keydata), keydata)
try:
fd = open(paths.VAR_KRB5KDC_K5_REALM+self.realm, "w")
fd.write(s)
fd.close()
except os.error, e:
root_logger.critical("failed to write stash file")
raise e
#add the password extop module
def __add_pwd_extop_module(self):
self._ldap_mod("pwd-extop-conf.ldif", self.sub_dict)
@@ -336,10 +410,8 @@ class KrbInstance(service.Service):
self.fstore.backup_file(paths.DS_KEYTAB)
installutils.create_keytab(paths.DS_KEYTAB, ldap_principal)
vardict = {"KRB5_KTNAME": paths.DS_KEYTAB}
ipautil.config_replace_variables(paths.SYSCONFIG_DIRSRV,
replacevars=vardict)
pent = pwd.getpwnam(constants.DS_USER)
update_key_val_in_file(paths.SYSCONFIG_DIRSRV, "KRB5_KTNAME", paths.DS_KEYTAB)
pent = pwd.getpwnam(dsinstance.DS_USER)
os.chown(paths.DS_KEYTAB, pent.pw_uid, pent.pw_gid)
def __create_host_keytab(self):
@@ -351,7 +423,7 @@ class KrbInstance(service.Service):
# Make sure access is strictly reserved to root only for now
os.chown(paths.KRB5_KEYTAB, 0, 0)
os.chmod(paths.KRB5_KEYTAB, 0o600)
os.chmod(paths.KRB5_KEYTAB, 0600)
self.move_service_to_host(host_principal)
@@ -404,16 +476,15 @@ class KrbInstance(service.Service):
for f in [paths.KRB5KDC_KDC_CONF, paths.KRB5_CONF]:
try:
self.fstore.restore_file(f)
except ValueError as error:
except ValueError, error:
root_logger.debug(error)
pass
# disabled by default, by ldap_enable()
if enabled:
self.enable()
if not enabled is None and not enabled:
self.disable()
if running:
self.restart()
if not running is None and running:
self.start()
self.kpasswd = KpasswdInstance()
self.kpasswd.uninstall()
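Review bot: In `__write_stash_from_ds` (the `@@ -324,6 +373,31 @@` hunk) the KDC master key is written to `paths.VAR_KRB5KDC_K5_REALM+self.realm` with a plain `open(..., "w")`, so the stash file is created with whatever mode the installer's umask yields, whereas `__create_host_keytab` in the following hunk explicitly pins the keytab to root and `0600`. Create the stash with a restrictive mode from the start instead of relying on umask or a later chmod, e.g. `fd = os.fdopen(os.open(paths.VAR_KRB5KDC_K5_REALM+self.realm, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0600), "w")`. Two smaller points in the same function: under Python 2, which the `except X, e` syntax on this side implies, a failing `open()` raises IOError, which `except os.error` does not catch, so the "failed to write stash file" log line is never reached; and `entries[0]` is taken from a SCOPE_SUBTREE search without the count check the TODO asks for — presumably exactly one entry is expected, so raising when `len(entries) != 1` would be safer than silently using the first hit. The enclosing KrbInstance class continues outside the hunk.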