Call certmonger after krb5, avoid uninstall errors, better password handling.

- Move the ipa-getcert request to after we set up /etc/krb5.conf - Don't try removing certificates that don't exist - Don't tell certmonger to stop tracking a cert that doesn't exist - Allow --password/-w to be the kerberos password - Print an error if prompting for a password would happen in unattended mode - Still support echoing a password in when in unattended mode
2025-02-25 18:55:28 -06:00 · 2010-05-05 14:52:39 -04:00 · 2010-05-05 14:52:39 -04:00 · 83cb7e75b8
commit 83cb7e75b8
parent c2f89941ed
2 changed files with 52 additions and 23 deletions
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@ -64,7 +64,7 @@ def parse_options():
    parser.add_option("-N", "--no-ntp", action="store_false",
                      help="do not configure ntp", default=True, dest="conf_ntp")
    parser.add_option("-w", "--password", dest="password",
-                      help="password to join the IPA realm"),
+                      help="password to join the IPA realm (assumes bulk password unless principal is also set)"),
    parser.add_option("-W", dest="prompt_password", action="store_true",
                      default=False,
                      help="Prompt for a password to join the IPA realm"),
@ -112,21 +112,31 @@ def logging_setup(options):
    console.setFormatter(formatter)
    logging.getLogger('').addHandler(console)

+def nickname_exists(nickname):
+        (sout, serr, returncode) = run(["/usr/bin/certutil", "-L", "-d", "/etc/pki/nssdb", "-n", nickname], raiseonerr=False)
+
+        if returncode == 0:
+            return True
+        else:
+            return False
+
 def uninstall(options):

    # Remove our host cert and CA cert
-    try:
-        run(["/usr/bin/certutil", "-D", "-d", "/etc/pki/nssdb", "-n", "IPA CA"])
-    except Exception, e:
-        print "Failed to remove IPA CA from /etc/pki/nssdb: %s" % str(e)
-    try:
-        run(["/usr/bin/certutil", "-D", "-d", "/etc/pki/nssdb", "-n", "Server-Cert"])
-    except Exception, e:
-        print "Failed to remove Server-Cert from /etc/pki/nssdb: %s" % str(e)
-    try:
-        run(["/usr/bin/ipa-getcert", "stop-tracking", "-d", "/etc/pki/nssdb", "-n", "Server-Cert"])
-    except Exception, e:
-        print "Failed to stop tracking Server-Cert in certmonger: %s" % str(e)
+    if nickname_exists("IPA CA"):
+        try:
+            run(["/usr/bin/certutil", "-D", "-d", "/etc/pki/nssdb", "-n", "IPA CA"])
+        except Exception, e:
+            print "Failed to remove IPA CA from /etc/pki/nssdb: %s" % str(e)
+    if nickname_exists("Server-Cert"):
+        try:
+            run(["/usr/bin/certutil", "-D", "-d", "/etc/pki/nssdb", "-n", "Server-Cert"])
+        except Exception, e:
+            print "Failed to remove Server-Cert from /etc/pki/nssdb: %s" % str(e)
+        try:
+            run(["/usr/bin/ipa-getcert", "stop-tracking", "-d", "/etc/pki/nssdb", "-n", "Server-Cert"])
+        except Exception, e:
+            print "Failed to stop tracking Server-Cert in certmonger: %s" % str(e)

    try:
        run(["/sbin/service", "certmonger", "stop"])
@ -480,12 +490,24 @@ def main():
            if options.debug:
                join_args.append("-d")
            if options.principal is not None:
+                stdin = None
                principal = options.principal
                if principal.find('@') == -1:
                    principal = '%s@%s' % (principal, cli_realm)
-                print "Password for %s: " % principal,
-                sys.stdout.flush()
-                (stderr, stdout, returncode) = run(["/usr/kerberos/bin/kinit", principal], raiseonerr=False)
+                if options.password is not None:
+                    stdin = options.password
+                else:
+                    if not options.unattended:
+                        print "Password for %s: " % principal,
+                        sys.stdout.flush()
+                    else:
+                        if sys.stdin.isatty():
+                            print "Password must be provided in non-interactive mode"
+                            return 1
+                        else:
+                            stdin = sys.stdin.readline()
+
+                (stderr, stdout, returncode) = run(["/usr/kerberos/bin/kinit", principal], raiseonerr=False, stdin=stdin)
                print ""
                if returncode != 0:
                    print stdout
@ -494,6 +516,9 @@ def main():
                join_args.append("-w")
                join_args.append(options.password)
            elif options.prompt_password:
+                if options.unattended:
+                    print "Password must be provided in non-interactive mode"
+                    return 1
                password = getpass.getpass("Password: ")
                join_args.append("-w")
                join_args.append(password)
@ -539,8 +564,6 @@ def main():
    # Add the CA to the default NSS database and trust it
    run(["/usr/bin/certutil", "-A", "-d", "/etc/pki/nssdb", "-n", "IPA CA", "-t", "CT,C,C", "-a", "-i", "/etc/ipa/ca.crt"])

-    if not options.on_master:
-        configure_certmonger(fstore, subject_base, cli_realm, options)

    # If on master assume kerberos is already configured properly.
    if not options.on_master:
@ -551,6 +574,8 @@ def main():

        print "Configured /etc/krb5.conf for IPA realm " + cli_realm

+        configure_certmonger(fstore, subject_base, cli_realm, options)
+
    # Modify nsswitch/pam stack
    if options.sssd:
        cmd = ["/usr/sbin/authconfig", "--enablesssd", "--enablesssdauth", "--update"]
--- a/ipa-client/man/ipa-client-install.1
+++ b/ipa-client/man/ipa-client-install.1
@ -50,26 +50,30 @@ Unattended installation. The user will not be prompted.
 \fB\-N\fR, \fB\-\-no\-ntp\fR
 Do not configure or enable NTP.
 .TP 
+\fB\-\-ntp-server\fR=\fINTP_SERVER\fR
+Configure ntpd to use this NTP server.
+Do not configure or enable NTP.
+.TP
 \fB\-S\fR, \fB\-\-no\-sssd\fR
 Do not configure the client to use SSSD for authentication, use nss_ldap instead.
 .TP
 \fB\-\-on\-master\fB
 The client is being configured on an IPA server.
 .TP 
-\fB\-w\fR, \fB\-\-password\fR
-Password for joining a machine to the IPA realm.
+\fB\-w\fR \fIPASSWORD\fR, \fB\-\-password\fR=\fIPASSWORD\fR
+Password for joining a machine to the IPA realm. Assumes bulk password unless principal is also set.
 .TP 
 \fB\-W\fR
 Prompt for the password for joining a machine to the IPA realm.
 .TP 
 \fB\-p\fR, \fB\-\-principal\fR
-Principal to use to join the IPA realm.
+Authorized kerberos principal to use to join the IPA realm.
 .TP 
 \fB\-\-permit\fR
-Set the SSSD access rules to permit all access. Otherwise the machine will be controlled by the Host-based Access Controls on the IPA server.
+Configure SSSD to permit all access. Otherwise the machine will be controlled by the Host-based Access Controls (HBAC) on the IPA server.
 .TP 
 \fB\-\-mkhomedir\fR
-Create a users home directory if it does not exist.
+Configure pam to create a users home directory if it does not exist.
 .TP
 \fB\-\-uninstall\fR
 Remove the IPA client software and restore the configuration to the pre-IPA state.