Improve kerberos install patch from Simo.

2025-02-25 18:55:28 -06:00
parent a53a4e71bb
commit 326b37371b
6 changed files with 135 additions and 19 deletions
--- a/ipa-install/README
+++ b/ipa-install/README
@@ -5,12 +5,17 @@ krb5-server
 fedora-ds-base
 openldap-clients
 krb5-server-ldap
 cyrus-sasl-gssapi
 Installation example:
 TEMPORARY: (until fedora ds scripts are fixed)
 please use the fedora-ds.init.patch under share/ to patch your init scripts before
 running ipa-server-install
 cd ipa-install
 make install
 cd ..
-/usr/sbin/ipa-server-install -r FREEIPA.ORG -a rc1.freeipa.org -p freeipa -m ipafree
+/usr/sbin/ipa-server-install -u fds -r FREEIPA.ORG -p freeipa -m ipafree
--- a/ipa-install/share/bind.zone.db.template
+++ b/ipa-install/share/bind.zone.db.template
@@ -0,0 +1,26 @@
 $$ORIGIN $DOMAIN.
 $$TTL	86400
@			IN SOA	$DOMAIN. root.$DOMAIN. (
 				01		; serial (d. adams)
 				3H		; refresh
 				15M		; retry
 				1W		; expiry
 				1D )		; minimum
        		IN NS			$HOST
 $HOST			IN A			$IP
 ;
 ; ldap servers
 _ldap._tcp		IN SRV 0 100 389	$HOST
 ;kerberos realm
 _kerberos		IN TXT $REALM
 ; kerberos servers
 _kerberos._tcp		IN SRV 0 100 88		$HOST
 _kerberos._udp		IN SRV 0 100 88		$HOST
 _kerberos-master._tcp	IN SRV 0 100 88		$HOST
 _kerberos-master._udp	IN SRV 0 100 88		$HOST
 _kpasswd._tcp		IN SRV 0 100 88		$HOST
 _kpasswd._udp		IN SRV 0 100 88		$HOST
--- a/ipa-install/share/fedora-ds.init.patch
+++ b/ipa-install/share/fedora-ds.init.patch
@@ -0,0 +1,12 @@
 --- /etc/init.d/fedora-ds.orig	2007-07-06 18:21:30.000000000 -0400
 +++ /etc/init.d/fedora-ds	2007-05-18 19:36:24.000000000 -0400
@@ -10,6 +10,9 @@
 # datadir:     /var/lib/fedora-ds/slapd-<instance name>
 #
 +# Get config.
 +[ -r /etc/sysconfig/fedora-ds ] && . /etc/sysconfig/fedora-ds
 +
 # Source function library.
 if [ -f /etc/rc.d/init.d/functions ] ; then
 . /etc/rc.d/init.d/functions
--- a/ipa-install/share/krb5.conf.template
+++ b/ipa-install/share/krb5.conf.template
@@ -10,6 +10,13 @@
 ticket_lifetime = 24h
 forwardable = yes
 [realms]
 $REALM = {
  kdc = $FQDN:88
  admin_server = $FQDN:749
  default_domain = $DOMAIN
 }
 [domain_realm]
 .$DOMAIN = $REALM
 $DOMAIN = $REALM
@@ -29,7 +36,7 @@
    ldap_servers = ldap://127.0.0.1/
    ldap_kerberos_container_dn = cn=kerberos,$SUFFIX
    ldap_kdc_dn = uid=kdc,cn=kerberos,$SUFFIX
-;    ldap_kadmind_dn = cn=Directory Manager
+    ldap_kadmind_dn = uid=kdc,cn=kerberos,$SUFFIX
    ldap_service_password_file = /var/kerberos/krb5kdc/ldappwd
  }
--- a/ipa-install/src/ipa-server-install
+++ b/ipa-install/src/ipa-server-install
@@ -26,6 +26,7 @@
 VERSION = "%prog .1"
 import socket
 import logging
 from optparse import OptionParser
 import ipa.dsinstance
@@ -37,19 +38,18 @@ def parse_options():
                      help="ds user")
    parser.add_option("-r", "--realm", dest="realm_name",
                      help="realm name")
    parser.add_option("-a", "--host-address", dest="host_name",
                      help="host address (name or IP address)")
    parser.add_option("-p", "--password", dest="password",
                      help="admin password")
    parser.add_option("-m", "--master-password", dest="master_password",
                      help="kerberos master password")
    parser.add_option("-d", "--debug", dest="debug", action="store_true",
                     dest="debug", default=False, help="print debugging information")
    parser.add_option("--hostname", dest="host_name", help="fully qualified name of server")
    options, args = parser.parse_args()
-    if not options.realm_name or not options.host_name or not options.password:
+    if not options.ds_user or not options.realm_name or not options.password or not options.master_password:
-        parser.error("error: password, realm, and host name required")
+        parser.error("error: all options are required")
    return options
@@ -76,13 +76,39 @@ def main():
    options = parse_options()
    logging_setup(options)
    # check the hostname is correctly configured, it must be as the kldap
    # utilities just use the hostname as returned by gethostbyname to set
    # up some of the standard entries
    if options.host_name:
        host_name = options.host_name
    else:
        host_name = socket.gethostname()
    if len(host_name.split(".")) < 2:
        print "Invalid hostname <"+host_name+">"
        print "Check the /etc/hosts file and make sure to have a valid FQDN"
        return "-Fatal Error-"
    if socket.gethostbyname(host_name) == "127.0.0.1":
        print "The hostname resolves to the localhost address (127.0.0.1)"
        print "Please change your /etc/hosts file or your DNS so that the"
        print "hostname resolves to the ip address of your network interface."
        print "The KDC service does not listen on 127.0.0.1"
        return "-Fatal Error-"
    print "The Final KDC Host Name will be: " + host_name
    # Create a directory server instance
    ds = ipa.dsinstance.DsInstance()
-    ds.create_instance(options.ds_user, options.realm_name, options.host_name, options.password)
+    ds.create_instance(options.ds_user, options.realm_name, host_name,
                       options.password)
    # Create a kerberos instance
    krb = ipa.krbinstance.KrbInstance()
-    krb.create_instance(options.ds_user, options.realm_name, options.host_name, options.password, options.master_password)
+    krb.create_instance(options.ds_user, options.realm_name, host_name,
                        options.password, options.master_password)
    #restart ds after the krb instance have add the sasl map
    ds.restart()
--- a/ipa-install/src/ipa/krbinstance.py
+++ b/ipa-install/src/ipa/krbinstance.py
@@ -25,6 +25,9 @@ import shutil
 import logging
 from random import Random
 from time import gmtime
 import os
 import pwd
 import socket
 SHARE_DIR = "/usr/share/ipa/"
@@ -33,6 +36,10 @@ def realm_to_suffix(realm_name):
    terms = ["dc=" + x.lower() for x in s]
    return ",".join(terms)
 def host_to_domain(fqdn):
    s = fqdn.split(".")
    return ".".join(s[1:])
 def generate_kdc_password():
    rndpwd = ''
    r = Random()
@@ -75,8 +82,10 @@ def run(args, stdin=None):
 class KrbInstance:
    def __init__(self):
        self.ds_user = None
-        self.realm_name = None
+        self.fqdn = None
-        self.host_name = None
+        self.realm = None
 	self.domain = None
        self.host = None
        self.admin_password = None
        self.master_password = None
        self.suffix = None
@@ -85,12 +94,15 @@ class KrbInstance:
    def create_instance(self, ds_user, realm_name, host_name, admin_password, master_password):
        self.ds_user = ds_user
-        self.realm_name = realm_name.upper()
+        self.fqdn = host_name
-        self.host_name = host_name
+        self.ip = socket.gethostbyname(host_name)
        self.realm = realm_name.upper()
        self.host = host_name.split(".")[0]
        self.domain = host_to_domain(host_name)
        self.admin_password = admin_password
        self.master_password = master_password
-	self.suffix = realm_to_suffix(self.realm_name)
+	self.suffix = realm_to_suffix(self.realm)
        self.kdc_password = generate_kdc_password()
 	self.__configure_kdc_account_password()
@@ -100,6 +112,10 @@ class KrbInstance:
        self.__create_instance()
        self.__create_ds_keytab()
        self.__create_sample_bind_zone()
        self.start()
    def stop(self):
@@ -120,12 +136,13 @@ class KrbInstance:
        pwd_fd.close()
    def __setup_sub_dict(self):
-	#FIXME: can DOMAIN be different than REALM ?
+        self.sub_dict = dict(FQDN=self.fqdn,
-        self.sub_dict = dict(FQHN=self.host_name,
+                             IP=self.ip,
                             PASSWORD=self.kdc_password,
                             SUFFIX=self.suffix,
-                             DOMAIN= self.realm_name.lower(),
+                             DOMAIN=self.domain,
-                             REALM=self.realm_name)
+                             HOST=self.host,
                             REALM=self.realm)
    def __configure_ldap(self):
@@ -153,7 +170,7 @@ class KrbInstance:
        krb5_fd.close()
        #populate the directory with the realm structure
-        args = ["/usr/kerberos/sbin/kdb5_ldap_util", "-D", "uid=kdc,cn=kerberos,"+self.suffix, "-w", self.kdc_password, "create", "-s", "-r", self.realm_name, "-subtrees", self.suffix, "-sscope", "sub"]
+        args = ["/usr/kerberos/sbin/kdb5_ldap_util", "-D", "uid=kdc,cn=kerberos,"+self.suffix, "-w", self.kdc_password, "create", "-s", "-P", self.master_password, "-r", self.realm, "-subtrees", self.suffix, "-sscope", "sub"]
        run(args)
    # TODO: NOT called yet, need to find out how to make sure the plugin is available first
@@ -165,5 +182,28 @@ class KrbInstance:
 	extop_fd.close()
 	#add an ACL to let the DS user read the master key
-	args = ["/usr/bin/setfacl", "-m", "u:"+self.ds_user+":r", "/var/kerberos/krb5kdc/.k5."+self.realm_name]
+	args = ["/usr/bin/setfacl", "-m", "u:"+self.ds_user+":r", "/var/kerberos/krb5kdc/.k5."+self.realm]
 	run(args)
    def __create_sample_bind_zone(self):
        bind_txt = template_file(SHARE_DIR + "bind.zone.db.template", self.sub_dict)
        [bind_fd, bind_name] = tempfile.mkstemp(".db","sample.zone.")
        os.write(bind_fd, bind_txt)
        os.close(bind_fd)
        print "Sample zone file for bind has been created in "+bind_name
    def __create_ds_keytab(self):
        (kwrite, kread, kerr) = os.popen3("/usr/kerberos/sbin/kadmin.local")
        kwrite.write("addprinc -randkey ldap/"+self.fqdn+"@"+self.realm+"\n")
        kwrite.flush()
        kwrite.write("ktadd -k /etc/fedora-ds/ds.keytab ldap/"+self.fqdn+"@"+self.realm+"\n")
        kwrite.flush()
        kwrite.close()
        kread.close()
        kerr.close()
 	cfg_fd = open("/etc/sysconfig/fedora-ds", "a")
        cfg_fd.write("export KRB5_KTNAME=/etc/fedora-ds/ds.keytab\n")
        cfg_fd.close()
 	pent = pwd.getpwnam(self.ds_user)
        os.chown("/etc/sysconfig/fedora-ds", pent.pw_uid, pent.pw_gid)