ipa-adtrust-install: add IPA master host principal to adtrust agents

Fixes https://fedorahosted.org/freeipa/ticket/4951

Reviewed-By: Tomas Babej <tbabej@redhat.com>

ACI.txt

@@ -299,7 +299,7 @@ aci: (targetattr = "cmdcategory || cn || createtimestamp || description || entry
 dn: dc=ipa,dc=example
 aci: (targetattr = "cn || createtimestamp || description || entryusn || modifytimestamp || objectclass || ou || sudocommand || sudohost || sudonotafter || sudonotbefore || sudooption || sudoorder || sudorunas || sudorunasgroup || sudorunasuser || sudouser")(target = "ldap:///ou=sudoers,dc=ipa,dc=example")(version 3.0;acl "permission:System: Read Sudoers compat tree";allow (compare,read,search) userdn = "ldap:///anyone";)
 dn: cn=trusts,dc=ipa,dc=example
-aci: (targetattr = "cn || createtimestamp || entryusn || ipantflatname || ipantsecurityidentifier || ipantsidblacklistincoming || ipantsidblacklistoutgoing || ipanttrusteddomainsid || ipanttrustpartner || modifytimestamp || objectclass")(version 3.0;acl "permission:System: Read Trust Information";allow (compare,read,search) userdn = "ldap:///all";)
+aci: (targetattr = "cn || createtimestamp || entryusn || ipantflatname || ipantsecurityidentifier || ipantsidblacklistincoming || ipantsidblacklistoutgoing || ipanttrustdirection || ipanttrusteddomainsid || ipanttrustpartner || modifytimestamp || objectclass")(version 3.0;acl "permission:System: Read Trust Information";allow (compare,read,search) userdn = "ldap:///all";)
 dn: cn=trusts,dc=ipa,dc=example
 aci: (targetattr = "gidnumber || krbprincipalname || uidnumber")(version 3.0;acl "permission:System: Read system trust accounts";allow (compare,read,search) groupdn = "ldap:///cn=System: Read system trust accounts,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=groups,cn=accounts,dc=ipa,dc=example

ipalib/plugins/trust.py

@@ -327,7 +327,8 @@ class trust(LDAPObject):
                 'cn', 'objectclass',
                 'ipantflatname', 'ipantsecurityidentifier',
                 'ipanttrusteddomainsid', 'ipanttrustpartner',
-                'ipantsidblacklistincoming', 'ipantsidblacklistoutgoing'
+                'ipantsidblacklistincoming', 'ipantsidblacklistoutgoing',
+                'ipanttrustdirection'
             },
         },
 

ipaserver/install/adtrustinstance.py

@@ -171,6 +171,9 @@ class ADTRUSTInstance(service.Service):
         self.cifs_agent = DN(('krbprincipalname', self.cifs_principal.lower()),
                              api.env.container_service,
                              self.suffix)
+        self.host_princ = DN(('fqdn', self.fqdn),
+                             api.env.container_host,
+                             self.suffix)
 
 
     def __gen_sid_string(self):
@@ -450,12 +453,11 @@ class ADTRUSTInstance(service.Service):
         """
         self.__add_plugin_conf('CLDAP', 'ipa_cldap', 'ipa-cldap-conf.ldif')
 
-    def __add_sidgen_module(self):
+    def __add_sidgen_task(self):
         """
         Add sidgen directory server plugin configuration and the related task
         if they not already exist.
         """
-        self.__add_plugin_conf('Sidgen', 'IPA SIDGEN', 'ipa-sidgen-conf.ldif')
         self.__add_plugin_conf('Sidgen task', 'ipa-sidgen-task',
                                'ipa-sidgen-task-conf.ldif')
 
@@ -469,14 +471,6 @@ class ADTRUSTInstance(service.Service):
         except:
             pass
 
-    def __add_extdom_module(self):
-        """
-        Add directory server configuration for the extdom extended operation
-        if it not already exists.
-        """
-        self.__add_plugin_conf('Extdom', 'ipa_extdom_extop',
-                               'ipa-extdom-extop-conf.ldif')
-
     def __add_s4u2proxy_target(self):
         """
         Add CIFS principal to S4U2Proxy target
@@ -509,6 +503,13 @@ class ADTRUSTInstance(service.Service):
         finally:
             os.remove(tmp_name)
 
+    def __setup_group_membership(self):
+        # Add the CIFS and host principals to the 'adtrust agents' group
+        # as 389-ds only operates with GroupOfNames, we have to use
+        # the principal's proper dn as defined in self.cifs_agent
+        service.add_principals_to_group(self.admin_conn, self.smb_dn, "member",
+                                        [self.cifs_agent, self.host_princ])
+
     def __setup_principal(self):
         try:
             api.Command.service_add(unicode(self.cifs_principal))
@@ -520,24 +521,6 @@ class ADTRUSTInstance(service.Service):
         except Exception, e:
             self.print_msg("Cannot add CIFS service: %s" % e)
 
-        # Add the principal to the 'adtrust agents' group
-        # as 389-ds only operates with GroupOfNames, we have to use
-        # the principal's proper dn as defined in self.cifs_agent
-        try:
-            current = self.admin_conn.get_entry(self.smb_dn)
-            members = current.get('member', [])
-            if not(self.cifs_agent in members):
-                current["member"] = members + [self.cifs_agent]
-                self.admin_conn.update_entry(current)
-        except errors.NotFound:
-            entry = self.admin_conn.make_entry(
-                self.smb_dn,
-                objectclass=["top", "GroupOfNames"],
-                cn=[self.smb_dn['cn']],
-                member=[self.cifs_agent],
-            )
-            self.admin_conn.add_entry(entry)
-
         self.clean_samba_keytab()
 
         try:
@@ -846,14 +829,15 @@ class ADTRUSTInstance(service.Service):
         self.step("creating samba config registry", self.__write_smb_registry)
         self.step("writing samba config file", self.__write_smb_conf)
         self.step("adding cifs Kerberos principal", self.__setup_principal)
+        self.step("adding cifs and host Kerberos principals to the adtrust agents group", \
+                  self.__setup_group_membership)
         self.step("check for cifs services defined on other replicas", self.__check_replica)
         self.step("adding cifs principal to S4U2Proxy targets", self.__add_s4u2proxy_target)
         self.step("adding admin(group) SIDs", self.__add_admin_sids)
         self.step("adding RID bases", self.__add_rid_bases)
         self.step("updating Kerberos config", self.__update_krb5_conf)
         self.step("activating CLDAP plugin", self.__add_cldap_module)
-        self.step("activating sidgen plugin and task", self.__add_sidgen_module)
-        self.step("activating extdom plugin", self.__add_extdom_module)
+        self.step("activating sidgen task", self.__add_sidgen_task)
         self.step("configuring smbd to start on boot", self.__enable)
         self.step("adding special DNS service records", \
                   self.__add_dns_service_records)

ipaserver/install/dsinstance.py

@@ -265,6 +265,8 @@ class DsInstance(service.Service):
         self.step("adding replication acis", self.__add_replication_acis)
         self.step("enabling compatibility plugin",
                   self.__enable_compat_plugin)
+        self.step("activating sidgen plugin", self._add_sidgen_plugin)
+        self.step("activating extdom plugin", self._add_extdom_plugin)
         self.step("tuning directory server", self.__tuning)
 
         self.step("configuring directory to start on boot", self.__enable)
@@ -923,6 +925,20 @@ class DsInstance(service.Service):
     def __add_range_check_plugin(self):
         self._ldap_mod("range-check-conf.ldif", self.sub_dict)
 
+    # These two methods are not local, they are also called from the upgrade code
+    def _add_sidgen_plugin(self):
+        """
+        Add sidgen directory server plugin configuration if it does not already exist.
+        """
+        self._ldap_mod('ipa-sidgen-conf.ldif', self.sub_dict)
+
+    def _add_extdom_plugin(self):
+        """
+        Add directory server configuration for the extdom extended operation
+        if it does not already exist.
+        """
+        self._ldap_mod('ipa-extdom-extop-conf.ldif', self.sub_dict)
+
     def replica_populate(self):
         self.ldap_connect()
 

ipaserver/install/server/upgrade.py

@@ -18,6 +18,7 @@ import ipalib.errors
 from ipaplatform import services
 from ipaplatform.tasks import tasks
 from ipapython import ipautil, sysrestore, version, certdb
+from ipapython import ipaldap
 from ipapython.ipa_log_manager import *
 from ipapython import certmonger
 from ipapython import dogtag
@@ -1254,6 +1255,18 @@ def update_mod_nss_protocol(http):
 
     sysupgrade.set_upgrade_state('nss.conf', 'protocol_updated_tls12', True)
 
+def ds_enable_sidgen_extdom_plugins(ds):
+    """For AD trust agents, make sure we enable sidgen and extdom plugins
+    """
+    root_logger.info('[Enable sidgen and extdom plugins by default]')
+
+    if sysupgrade.get_upgrade_state('ds', 'enable_ds_sidgen_extdom_plugins'):
+        root_logger.info('sidgen and extdom plugins are enabled already')
+        return
+
+    ds._add_sidgen_plugin()
+    ds._add_extdom_plugin()
+    sysupgrade.set_upgrade_state('ds', 'enable_ds_sidgen_extdom_plugins', True)
 
 def ca_upgrade_schema(ca):
     root_logger.info('[Upgrading CA schema]')
@@ -1412,6 +1425,14 @@ def upgrade_configuration():
     remove_ds_ra_cert(subject_base)
     ds.start(ds_serverid)
 
+    # Force enabling plugins via LDAPI and external bind
+    ds.ldapi = True
+    ds.autobind = ipaldap.AUTOBIND_ENABLED
+    ds.fqdn = fqdn
+    ds.realm = api.env.realm
+    ds.suffix = ipautil.realm_to_suffix(api.env.realm)
+    ds_enable_sidgen_extdom_plugins(ds)
+
     uninstall_selfsign(ds, http)
 
     simple_service_list = (

ipaserver/install/service.py

@@ -71,6 +71,33 @@ def format_seconds(seconds):
             parts[-1] += 's'
     return ' '.join(parts)
 
+def add_principals_to_group(admin_conn, group, member_attr, principals):
+    """Add principals to a GroupOfNames LDAP group
+    admin_conn  -- LDAP connection with admin rights
+    group       -- DN of the group
+    member_attr -- attribute to represent members
+    principals  -- list of DNs to add as members
+    """
+    try:
+        current = admin_conn.get_entry(group)
+        members = current.get(member_attr, [])
+        if len(members) == 0:
+            current[member_attr] = []
+        for amember in principals:
+            if not(amember in members):
+                current[member_attr].extend([amember])
+        admin_conn.update_entry(current)
+    except errors.NotFound:
+        entry = admin_conn.make_entry(
+                group,
+                objectclass=["top", "GroupOfNames"],
+                cn=[group['cn']],
+                member=principals,
+        )
+        admin_conn.add_entry(entry)
+    except errors.EmptyModlist:
+        # If there are no changes just pass
+        pass
 
 class Service(object):
     def __init__(self, service_name, service_desc=None, sstore=None,