Imported Upstream version 4.6.2

2021-07-25 07:32:41 +02:00
commit 8ff3be4216
1788 changed files with 1900965 additions and 0 deletions
--- a/install/tools/ipa-adtrust-install
+++ b/install/tools/ipa-adtrust-install
@@ -0,0 +1,254 @@
+#! /usr/bin/python2
+#
+# Authors: Sumit Bose <sbose@redhat.com>
+# Based on ipa-server-install by Karl MacMillan <kmacmillan@mentalrootkit.com>
+# and ipa-dns-install by Martin Nagy
+#
+# Copyright (C) 2011  Red Hat
+# see file 'COPYING' for use and warranty information
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+#
+
+from __future__ import print_function
+
+import logging
+import os
+import sys
+
+import six
+
+from optparse import SUPPRESS_HELP  # pylint: disable=deprecated-module
+
+from ipalib.install import sysrestore
+from ipaserver.install import adtrust
+from ipaserver.install.installutils import (
+    read_password,
+    check_server_configuration,
+    run_script)
+from ipapython.admintool import ScriptError
+from ipapython import version
+from ipapython import ipautil
+from ipalib import api, errors, krb_utils
+from ipapython.config import IPAOptionParser
+from ipaplatform.paths import paths
+from ipapython.ipa_log_manager import standard_logging_setup
+
+if six.PY3:
+    unicode = str
+
+logger = logging.getLogger(os.path.basename(__file__))
+
+log_file_name = paths.IPASERVER_INSTALL_LOG
+
+
+def parse_options():
+    parser = IPAOptionParser(version=version.VERSION)
+    parser.add_option("-d", "--debug", dest="debug", action="store_true",
+                      default=False, help="print debugging information")
+    parser.add_option("--netbios-name", dest="netbios_name",
+                      help="NetBIOS name of the IPA domain")
+
+    # no-msdcs has not effect, option is here just for backward compatibility
+    parser.add_option("--no-msdcs", dest="no_msdcs", action="store_true",
+                      default=False, help=SUPPRESS_HELP)
+
+    parser.add_option("--rid-base", dest="rid_base", type=int, default=1000,
+                      help="Start value for mapping UIDs and GIDs to RIDs")
+    parser.add_option("--secondary-rid-base", dest="secondary_rid_base",
+                      type=int, default=100000000,
+                      help="Start value of the secondary range for mapping "
+                           "UIDs and GIDs to RIDs")
+    parser.add_option("-U", "--unattended", dest="unattended",
+                      action="store_true",
+                      default=False,
+                      help="unattended installation never prompts the user")
+    parser.add_option("-a", "--admin-password",
+                      sensitive=True, dest="admin_password",
+                      help="admin user kerberos password")
+    parser.add_option("-A", "--admin-name",
+                      sensitive=True, dest="admin_name", default='admin',
+                      help="admin user principal")
+    parser.add_option("--add-sids", dest="add_sids", action="store_true",
+                      default=False, help="Add SIDs for existing users and"
+                                          " groups as the final step")
+    parser.add_option("--add-agents", dest="add_agents", action="store_true",
+                      default=False,
+                      help="Add IPA masters to a list of hosts allowed to "
+                      "serve information about users from trusted forests")
+    parser.add_option("--enable-compat",
+                      dest="enable_compat", default=False, action="store_true",
+                      help="Enable support for trusted domains for old "
+                           "clients")
+
+    options, _args = parser.parse_args()
+    safe_options = parser.get_safe_opts(options)
+
+    return safe_options, options
+
+
+def read_admin_password(admin_name):
+    print("Configuring cross-realm trusts for IPA server requires password "
+          "for user '%s'." % (admin_name))
+    print("This user is a regular system account used for IPA server "
+          "administration.")
+    print("")
+    admin_password = read_password(admin_name, confirm=False, validate=None)
+    return admin_password
+
+
+def ensure_admin_kinit(admin_name, admin_password):
+    try:
+        ipautil.run(['kinit', admin_name], stdin=admin_password+'\n')
+    except ipautil.CalledProcessError:
+        print("There was error to automatically re-kinit your admin user "
+              "ticket.")
+        return False
+    return True
+
+
+def main():
+    safe_options, options = parse_options()
+
+    if os.getegid() != 0:
+        raise ScriptError("Must be root to setup AD trusts on server")
+
+    standard_logging_setup(log_file_name, debug=options.debug, filemode='a')
+    print("\nThe log file for this installation can be found in %s"
+          % log_file_name)
+
+    logger.debug('%s was invoked with options: %s', sys.argv[0], safe_options)
+    logger.debug(
+        "missing options might be asked for interactively later\n")
+    logger.debug('IPA version %s', version.VENDOR_VERSION)
+
+    check_server_configuration()
+
+    fstore = sysrestore.FileStore(paths.SYSRESTORE)
+
+    print("================================================================"
+          "==============")
+    print("This program will setup components needed to establish trust to "
+          "AD domains for")
+    print("the FreeIPA Server.")
+    print("")
+    print("This includes:")
+    print("  * Configure Samba")
+    print("  * Add trust related objects to FreeIPA LDAP server")
+    # TODO:
+    # print "  * Add a SID to all users and Posix groups"
+    print("")
+    print("To accept the default shown in brackets, press the Enter key.")
+    print("")
+
+    # Check if samba packages are installed
+    # the same check is in the adtrust module but we must fail first if the
+    # package is missing
+    adtrust.check_for_installed_deps()
+
+    # Initialize the ipalib api
+    api.bootstrap(
+        in_server=True,
+        debug=options.debug,
+        context='install',
+        confdir=paths.ETC_IPA
+    )
+    api.finalize()
+
+    admin_password = options.admin_password
+    if not (options.unattended or admin_password):
+        admin_password = read_admin_password(options.admin_name)
+
+    admin_kinited = None
+    if admin_password:
+        admin_kinited = ensure_admin_kinit(options.admin_name, admin_password)
+        if not admin_kinited:
+            print("Proceeding with credentials that existed before")
+
+    try:
+        principal = krb_utils.get_principal()
+    except errors.CCacheError as e:
+        raise ScriptError(
+            "Must have Kerberos credentials to setup AD trusts on server: "
+            "{err}".format(err=e))
+
+    try:
+        api.Backend.ldap2.connect()
+    except errors.ACIError:
+        raise ScriptError(
+            "Outdated Kerberos credentials. "
+            "Use kdestroy and kinit to update your ticket")
+    except errors.DatabaseError:
+        raise ScriptError(
+            "Cannot connect to the LDAP database. Please check if IPA "
+            "is running")
+
+    try:
+        user = api.Command.user_show(
+            principal.partition('@')[0].partition('/')[0])['result']
+        group = api.Command.group_show(u'admins')['result']
+        if not (user['uid'][0] in group['member_user'] and
+                group['cn'][0] in user['memberof_group']):
+            raise errors.RequirementError(name='admins group membership')
+    except errors.RequirementError as e:
+        raise ScriptError(
+            "Must have administrative privileges to setup AD trusts on server"
+        )
+    except Exception as e:
+        raise ScriptError(
+            "Unrecognized error during check of admin rights: %s" % e)
+
+    adtrust.install_check(True, options, api)
+    adtrust.install(True, options, fstore, api)
+
+    print("""
+=============================================================================
+Setup complete
+
+You must make sure these network ports are open:
+\tTCP Ports:
+\t  * 135: epmap
+\t  * 138: netbios-dgm
+\t  * 139: netbios-ssn
+\t  * 445: microsoft-ds
+\t  * 1024..1300: epmap listener range
+\t  * 3268: msft-gc
+\tUDP Ports:
+\t  * 138: netbios-dgm
+\t  * 139: netbios-ssn
+\t  * 389: (C)LDAP
+\t  * 445: microsoft-ds
+
+See the ipa-adtrust-install(1) man page for more details
+
+=============================================================================
+""")
+    if admin_password:
+        admin_kinited = ensure_admin_kinit(options.admin_name, admin_password)
+
+    if not admin_kinited:
+        print("""
+WARNING: you MUST re-kinit admin user before using 'ipa trust-*' commands
+family in order to re-generate Kerberos tickets to include AD-specific
+information""")
+
+    api.Backend.ldap2.disconnect()
+
+    return 0
+
+if __name__ == '__main__':
+    run_script(
+        main,
+        log_file_name=log_file_name,
+        operation_name='ipa-adtrust-install')