Installers: configure sid generation in server/replica installer

ADTRUSTInstance performs only sid configuration when it is called without --setup-adtrust. Update man pages for ipa-server-install and ipa-replica-install with the SID-related options. Related: https://pagure.io/freeipa/issue/8995 Signed-off-by: Florence Blanc-Renaud <flo@redhat.com> Reviewed-By: Christian Heimes <cheimes@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2025-02-25 18:55:28 -06:00 · 2021-09-27 11:44:43 +02:00 · 2021-09-27 11:44:43 +02:00 · 5541b9d69f
commit 5541b9d69f
parent f9e95ce51e
8 changed files with 111 additions and 85 deletions
--- a/install/tools/ipa-adtrust-install.in
+++ b/install/tools/ipa-adtrust-install.in
@ -209,6 +209,8 @@ def main():
        raise ScriptError(
            "Unrecognized error during check of admin rights: %s" % e)
    # Force options.setup_adtrust
    options.setup_adtrust = True
    adtrust.install_check(True, options, api)
    adtrust.install(True, options, fstore, api)
--- a/install/tools/man/ipa-replica-install.1
+++ b/install/tools/man/ipa-replica-install.1
@ -205,10 +205,7 @@ Do not automatically create DNS SSHFP records.
 \fB\-\-no\-dnssec\-validation\fR
 Disable DNSSEC validation on this server.
-.SS "AD TRUST OPTIONS"
+.SS "SID GENERATION OPTIONS"
 .TP
 \fB\-\-setup\-adtrust\fR
 Configure AD Trust capability on a replica.
 .TP
 \fB\-\-netbios\-name\fR=\fINETBIOS_NAME\fR
 The NetBIOS name for the IPA domain. If not provided then this is determined
@ -227,6 +224,21 @@ ipa\-adtrust\-install is run and scheduled independently. To start this task
 you have to load an edited version of ipa-sidgen-task-run.ldif with the
 ldapmodify command info the directory server.
 .TP
 \fB\-\-rid-base\fR=\fIRID_BASE\fR
 First RID value of the local domain. The first Posix ID of the local domain will
 be assigned to this RID, the second to RID+1 etc. See the online help of the
 idrange CLI for details.
 .TP
 \fB\-\-secondary-rid-base\fR=\fISECONDARY_RID_BASE\fR
 Start value of the secondary RID range, which is only used in the case a user
 and a group share numerically the same Posix ID. See the online help of the
 idrange CLI for details.
 .SS "AD TRUST OPTIONS"
 .TP
 \fB\-\-setup\-adtrust\fR
 Configure AD Trust capability on a replica.
 .TP
 \fB\-\-add\-agents\fR
 Add IPA masters to the list that allows to serve information about
 users from trusted forests. Starting with IPA 4.2, a regular IPA master
@ -240,16 +252,6 @@ information about users from trusted forests only if they are enabled
 via \ipa-adtrust\-install run on any other IPA master. At least SSSD
 version 1.13 on IPA master is required to be able to perform as a trust agent.
 .TP
 \fB\-\-rid-base\fR=\fIRID_BASE\fR
 First RID value of the local domain. The first Posix ID of the local domain will
 be assigned to this RID, the second to RID+1 etc. See the online help of the
 idrange CLI for details.
 .TP
 \fB\-\-secondary-rid-base\fR=\fISECONDARY_RID_BASE\fR
 Start value of the secondary RID range, which is only used in the case a user
 and a group share numerically the same Posix ID. See the online help of the
 idrange CLI for details.
 .TP
 \fB\-\-enable\-compat\fR
 Enables support for trusted domains users for old clients through Schema Compatibility plugin.
 SSSD supports trusted domains natively starting with version 1.9. For platforms that
--- a/install/tools/man/ipa-server-install.1
+++ b/install/tools/man/ipa-server-install.1
@ -230,11 +230,7 @@ Disable DNSSEC validation on this server.
 \fB\-\-allow\-zone\-overlap\fR
 Allow creation of (reverse) zone even if the zone is already resolvable. Using this option is discouraged as it result in later problems with domain name resolution.
-.SS "AD TRUST OPTIONS"
+.SS "SID GENERATION OPTIONS"
 .TP
 \fB\-\-setup\-adtrust\fR
 Configure AD Trust capability.
 .TP
 \fB\-\-netbios\-name\fR=\fINETBIOS_NAME\fR
 The NetBIOS name for the IPA domain. If not provided, this is determined
@ -252,6 +248,11 @@ idrange CLI for details.
 Start value of the secondary RID range, which is only used in the case a user
 and a group share numerically the same POSIX ID. See the online help of the
 idrange CLI for details.
 .SS "AD TRUST OPTIONS"
 .TP
 \fB\-\-setup\-adtrust\fR
 Configure AD Trust capability.
 .TP
 \fB\-\-enable\-compat\fR
 Enables support for trusted domains users for old clients through Schema Compatibility plugin.
--- a/ipaserver/install/adtrust.py
+++ b/ipaserver/install/adtrust.py
@ -413,7 +413,7 @@ def install_check(standalone, options, api):
    global netbios_name
    global reset_netbios_name
-    if not standalone:
+    if options.setup_adtrust and not standalone:
        check_for_installed_deps()
    realm_not_matching_domain = (api.env.domain.upper() != api.env.realm)
@ -432,26 +432,27 @@ def install_check(standalone, options, api):
    # Check if /etc/samba/smb.conf already exists. In case it was not generated
    # by IPA, print a warning that we will break existing configuration.
-    if adtrustinstance.ipa_smb_conf_exists():
+    if options.setup_adtrust:
-        if not options.unattended:
+        if adtrustinstance.ipa_smb_conf_exists():
-            print("IPA generated smb.conf detected.")
+            if not options.unattended:
-            if not ipautil.user_input("Overwrite smb.conf?",
+                print("IPA generated smb.conf detected.")
-                                      default=False,
+                if not ipautil.user_input("Overwrite smb.conf?",
-                                      allow_empty=False):
+                                          default=False,
-                raise ScriptError("Aborting installation.")
+                                          allow_empty=False):
                    raise ScriptError("Aborting installation.")
-    elif os.path.exists(paths.SMB_CONF):
+        elif os.path.exists(paths.SMB_CONF):
-        print("WARNING: The smb.conf already exists. Running "
+            print("WARNING: The smb.conf already exists. Running "
-              "ipa-adtrust-install will break your existing samba "
+                  "ipa-adtrust-install will break your existing samba "
-              "configuration.\n\n")
+                  "configuration.\n\n")
-        if not options.unattended:
+            if not options.unattended:
-            if not ipautil.user_input("Do you wish to continue?",
+                if not ipautil.user_input("Do you wish to continue?",
-                                      default=False,
+                                          default=False,
-                                      allow_empty=False):
+                                          allow_empty=False):
-                raise ScriptError("Aborting installation.")
+                    raise ScriptError("Aborting installation.")
-    if not options.unattended and not options.enable_compat:
+        if not options.unattended and not options.enable_compat:
-        options.enable_compat = enable_compat_tree()
+            options.enable_compat = enable_compat_tree()
    netbios_name, reset_netbios_name = set_and_check_netbios_name(
        options.netbios_name, options.unattended, api)
@ -467,7 +468,7 @@ def install(standalone, options, fstore, api):
        print("Please wait until the prompt is returned.")
        print("")
-    smb = adtrustinstance.ADTRUSTInstance(fstore)
+    smb = adtrustinstance.ADTRUSTInstance(fstore, options.setup_adtrust)
    smb.realm = api.env.realm
    smb.autobind = ipaldap.AUTOBIND_ENABLED
    smb.setup(api.env.host, api.env.realm,
--- a/ipaserver/install/adtrustinstance.py
+++ b/ipaserver/install/adtrustinstance.py
@ -149,7 +149,7 @@ class ADTRUSTInstance(service.Service):
    OBJC_DOMAIN = "ipaNTDomainAttrs"
    FALLBACK_GROUP_NAME = u'Default SMB Group'
-    def __init__(self, fstore=None):
+    def __init__(self, fstore=None, fulltrust=True):
        self.netbios_name = None
        self.reset_netbios_name = None
        self.add_sids = None
@ -163,10 +163,15 @@ class ADTRUSTInstance(service.Service):
        self.fqdn = None
        self.host_netbios_name = None
        self.fulltrust = fulltrust
-        super(ADTRUSTInstance, self).__init__(
+        if self.fulltrust:
-            "smb", service_desc="CIFS", fstore=fstore, service_prefix=u'cifs',
+            super(ADTRUSTInstance, self).__init__(
-            keytab=paths.SAMBA_KEYTAB)
+                "smb", service_desc="CIFS", fstore=fstore,
                service_prefix=u'cifs',
                keytab=paths.SAMBA_KEYTAB)
        else:
            super(ADTRUSTInstance, self).__init__("SID generation")
        self.__setup_default_attributes()
@ -200,12 +205,13 @@ class ADTRUSTInstance(service.Service):
                             api.env.container_cifsdomains,
                             self.suffix)
-        self.cifs_agent = DN(('krbprincipalname', self.principal.lower()),
+        if self.fulltrust:
-                             api.env.container_service,
+            self.cifs_agent = DN(('krbprincipalname', self.principal.lower()),
-                             self.suffix)
+                                 api.env.container_service,
-        self.host_princ = DN(('fqdn', self.fqdn),
+                                 self.suffix)
-                             api.env.container_host,
+            self.host_princ = DN(('fqdn', self.fqdn),
-                             self.suffix)
+                                 api.env.container_host,
                                 self.suffix)
    def __gen_sid_string(self):
@ -546,7 +552,7 @@ class ADTRUSTInstance(service.Service):
        try:
            current = api.Backend.ldap2.get_entry(targets_dn)
            members = current.get('memberPrincipal', [])
-            if not(self.principal in members):
+            if self.principal not in members:
                current["memberPrincipal"] = members + [self.principal]
                api.Backend.ldap2.update_entry(current)
            else:
@ -838,45 +844,59 @@ class ADTRUSTInstance(service.Service):
        self.sub_dict['IPA_LOCAL_RANGE'] = get_idmap_range(self.realm)
    def create_instance(self):
-        self.step("validate server hostname",
+        if self.fulltrust:
-                  self.__validate_server_hostname)
+            self.step("validate server hostname",
-        self.step("stopping smbd", self.__stop)
+                      self.__validate_server_hostname)
            self.step("stopping smbd", self.__stop)
        self.step("creating samba domain object", \
                  self.__create_samba_domain_object)
-        self.step("retrieve local idmap range", self.__retrieve_local_range)
+        if self.fulltrust:
-        self.step("writing samba config file", self.__write_smb_conf)
+            self.step("retrieve local idmap range",
-        self.step("creating samba config registry", self.__write_smb_registry)
+                      self.__retrieve_local_range)
-        self.step("adding cifs Kerberos principal",
+            self.step("writing samba config file", self.__write_smb_conf)
-                  self.request_service_keytab)
+            self.step("creating samba config registry",
-        self.step("adding cifs and host Kerberos principals to the adtrust agents group", \
+                      self.__write_smb_registry)
            self.step("adding cifs Kerberos principal",
                      self.request_service_keytab)
            self.step("adding cifs and host Kerberos principals to the "
                      "adtrust agents group",
                  self.__setup_group_membership)
-        self.step("check for cifs services defined on other replicas", self.__check_replica)
+            self.step("check for cifs services defined on other replicas",
-        self.step("adding cifs principal to S4U2Proxy targets", self.__add_s4u2proxy_target)
+                      self.__check_replica)
            self.step("adding cifs principal to S4U2Proxy targets",
                      self.__add_s4u2proxy_target)
        self.step("adding admin(group) SIDs", self.__add_admin_sids)
        self.step("adding RID bases", self.__add_rid_bases)
        self.step("updating Kerberos config", self.__update_krb5_conf)
-        self.step("activating CLDAP plugin", self.__add_cldap_module)
+        if self.fulltrust:
            self.step("activating CLDAP plugin", self.__add_cldap_module)
        self.step("activating sidgen task", self.__add_sidgen_task)
-        self.step("map BUILTIN\\Guests to nobody group",
+        if self.fulltrust:
-                  self.__map_Guests_to_nobody)
+            self.step("map BUILTIN\\Guests to nobody group",
-        self.step("configuring smbd to start on boot", self.__enable)
+                      self.__map_Guests_to_nobody)
            self.step("configuring smbd to start on boot", self.__enable)
        if self.enable_compat:
-            self.step("enabling trusted domains support for older clients via Schema Compatibility plugin",
+            self.step("enabling trusted domains support for older clients via "
                      "Schema Compatibility plugin",
                      self.__enable_compat_tree)
-        self.step("restarting Directory Server to take MS PAC and LDAP plugins changes into account", \
+        self.step("restarting Directory Server to take MS PAC and LDAP "
                  "plugins changes into account",
                  self.__restart_dirsrv)
        self.step("adding fallback group", self.__add_fallback_group)
-        self.step("adding Default Trust View", self.__add_default_trust_view)
+        if self.fulltrust:
-        self.step("setting SELinux booleans", \
+            self.step("adding Default Trust View",
-                  self.__configure_selinux_for_smbd)
+                      self.__add_default_trust_view)
-        self.step("starting CIFS services", self.__start)
+            self.step("setting SELinux booleans",
                      self.__configure_selinux_for_smbd)
            self.step("starting CIFS services", self.__start)
        if self.add_sids:
            self.step("adding SIDs to existing users and groups",
                      self.__add_sids)
-        self.step("restarting smbd", self.__restart_smb)
+        if self.fulltrust:
            self.step("restarting smbd", self.__restart_smb)
        self.start_creation(show_service_name=False)
--- a/ipaserver/install/server/init.py
+++ b/ipaserver/install/server/init.py
@ -432,11 +432,6 @@ class ServerInstallInterface(ServerCertificateInstallInterface,
                    "You cannot specify an --enable-compat option without the "
                    "--setup-adtrust option")
            if self.netbios_name:
                raise RuntimeError(
                    "You cannot specify a --netbios-name option without the "
                    "--setup-adtrust option")
            if self.no_msdcs:
                raise RuntimeError(
                    "You cannot specify a --no-msdcs option without the "
--- a/ipaserver/install/server/install.py
+++ b/ipaserver/install/server/install.py
@ -443,6 +443,7 @@ def install_check(installer):
        print("  * Configure KRA (dogtag) for secret management")
    if options.setup_dns:
        print("  * Configure DNS (bind)")
    print("  * Configure SID generation")
    if options.setup_adtrust:
        print("  * Configure Samba (smb) and winbind for managing AD trusts")
    if not options.no_pkinit:
@ -703,8 +704,9 @@ def install_check(installer):
        logger.debug('Starting Directory Server')
        services.knownservices.dirsrv.start(instance_name)
-    if options.setup_adtrust:
+    # Always call adtrust.install_check
-        adtrust.install_check(False, options, api)
+    # if --setup-adtrust is not specified, only the SID part is executed
    adtrust.install_check(False, options, api)
    # installer needs to update hosts file when DNS subsystem will be
    # installed or custom addresses are used
@ -966,8 +968,9 @@ def install(installer):
    if options.setup_dns:
        dns.install(False, False, options)
-    if options.setup_adtrust:
+    # Always call adtrust installer to configure SID generation
-        adtrust.install(False, options, fstore, api)
+    # if --setup-adtrust is not specified, only the SID part is executed
    adtrust.install(False, options, fstore, api)
    # Set the admin user kerberos password
    ds.change_admin_password(admin_password)
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
@ -1158,8 +1158,9 @@ def promote_check(installer):
            # check addresses here, dns module is doing own check
            no_matching_interface_for_ip_address_warning(config.ips)
-        if options.setup_adtrust:
+        # Always call adtrust.install_check
-            adtrust.install_check(False, options, remote_api)
+        # if --setup-adtrust is not specified, only the SID part is executed
        adtrust.install_check(False, options, remote_api)
    except errors.ACIError:
        logger.debug("%s", traceback.format_exc())
@ -1365,8 +1366,9 @@ def install(installer):
    if options.setup_dns:
        dns.install(False, True, options, api)
-    if options.setup_adtrust:
+    # Always call adtrust.install
-        adtrust.install(False, options, fstore, api)
+    # if --setup-adtrust is not specified, only the SID part is executed
    adtrust.install(False, options, fstore, api)
    if options.hidden_replica:
        # Set services to hidden