IntenseWebs/freeipa
3
0
Fork 0
mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2025-02-25 18:55:28 -06:00
Code Issues Packages Projects Releases Wiki Activity

Call certmonger after krb5, avoid uninstall errors, better password handling.

Browse Source 
- Move the ipa-getcert request to after we set up /etc/krb5.conf
- Don't try removing certificates that don't exist
- Don't tell certmonger to stop tracking a cert that doesn't exist
- Allow --password/-w to be the kerberos password
- Print an error if prompting for a password would happen in unattended mode
- Still support echoing a password in when in unattended mode
This commit is contained in:
Rob Crittenden 2010-05-05 14:52:39 -04:00 committed by Jason Gerard DeRose
parent c2f89941ed
commit 83cb7e75b8
2 changed files with 52 additions and 23 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

61
ipa-client/ipa-install/ipa-client-install
View File

@ -64,7 +64,7 @@ def parse_options():
parser.add_option("-N", "--no-ntp", action="store_false", parser.add_option("-N", "--no-ntp", action="store_false",
help="do not configure ntp", default=True, dest="conf_ntp") help="do not configure ntp", default=True, dest="conf_ntp")
parser.add_option("-w", "--password", dest="password", parser.add_option("-w", "--password", dest="password",
help="password to join the IPA realm"), help="password to join the IPA realm (assumes bulk password unless principal is also set)"),
parser.add_option("-W", dest="prompt_password", action="store_true", parser.add_option("-W", dest="prompt_password", action="store_true",
default=False, default=False,
help="Prompt for a password to join the IPA realm"), help="Prompt for a password to join the IPA realm"),
@ -112,21 +112,31 @@ def logging_setup(options):
console.setFormatter(formatter) console.setFormatter(formatter)
logging.getLogger('').addHandler(console) logging.getLogger('').addHandler(console)
def nickname_exists(nickname):
(sout, serr, returncode) = run(["/usr/bin/certutil", "-L", "-d", "/etc/pki/nssdb", "-n", nickname], raiseonerr=False)
if returncode == 0:
return True
else:
return False
def uninstall(options): def uninstall(options):
# Remove our host cert and CA cert # Remove our host cert and CA cert
try: if nickname_exists("IPA CA"):
run(["/usr/bin/certutil", "-D", "-d", "/etc/pki/nssdb", "-n", "IPA CA"]) try:
except Exception, e: run(["/usr/bin/certutil", "-D", "-d", "/etc/pki/nssdb", "-n", "IPA CA"])
print "Failed to remove IPA CA from /etc/pki/nssdb: %s" % str(e) except Exception, e:
try: print "Failed to remove IPA CA from /etc/pki/nssdb: %s" % str(e)
run(["/usr/bin/certutil", "-D", "-d", "/etc/pki/nssdb", "-n", "Server-Cert"]) if nickname_exists("Server-Cert"):
except Exception, e: try:
print "Failed to remove Server-Cert from /etc/pki/nssdb: %s" % str(e) run(["/usr/bin/certutil", "-D", "-d", "/etc/pki/nssdb", "-n", "Server-Cert"])
try: except Exception, e:
run(["/usr/bin/ipa-getcert", "stop-tracking", "-d", "/etc/pki/nssdb", "-n", "Server-Cert"]) print "Failed to remove Server-Cert from /etc/pki/nssdb: %s" % str(e)
except Exception, e: try:
print "Failed to stop tracking Server-Cert in certmonger: %s" % str(e) run(["/usr/bin/ipa-getcert", "stop-tracking", "-d", "/etc/pki/nssdb", "-n", "Server-Cert"])
except Exception, e:
print "Failed to stop tracking Server-Cert in certmonger: %s" % str(e)
try: try:
run(["/sbin/service", "certmonger", "stop"]) run(["/sbin/service", "certmonger", "stop"])
@ -480,12 +490,24 @@ def main():
if options.debug: if options.debug:
join_args.append("-d") join_args.append("-d")
if options.principal is not None: if options.principal is not None:
stdin = None
principal = options.principal principal = options.principal
if principal.find('@') == -1: if principal.find('@') == -1:
principal = '%s@%s' % (principal, cli_realm) principal = '%s@%s' % (principal, cli_realm)
print "Password for %s: " % principal, if options.password is not None:
sys.stdout.flush() stdin = options.password
(stderr, stdout, returncode) = run(["/usr/kerberos/bin/kinit", principal], raiseonerr=False) else:
if not options.unattended:
print "Password for %s: " % principal,
sys.stdout.flush()
else:
if sys.stdin.isatty():
print "Password must be provided in non-interactive mode"
return 1
else:
stdin = sys.stdin.readline()
(stderr, stdout, returncode) = run(["/usr/kerberos/bin/kinit", principal], raiseonerr=False, stdin=stdin)
print "" print ""
if returncode != 0: if returncode != 0:
print stdout print stdout
@ -494,6 +516,9 @@ def main():
join_args.append("-w") join_args.append("-w")
join_args.append(options.password) join_args.append(options.password)
elif options.prompt_password: elif options.prompt_password:
if options.unattended:
print "Password must be provided in non-interactive mode"
return 1
password = getpass.getpass("Password: ") password = getpass.getpass("Password: ")
join_args.append("-w") join_args.append("-w")
join_args.append(password) join_args.append(password)
@ -539,8 +564,6 @@ def main():
# Add the CA to the default NSS database and trust it # Add the CA to the default NSS database and trust it
run(["/usr/bin/certutil", "-A", "-d", "/etc/pki/nssdb", "-n", "IPA CA", "-t", "CT,C,C", "-a", "-i", "/etc/ipa/ca.crt"]) run(["/usr/bin/certutil", "-A", "-d", "/etc/pki/nssdb", "-n", "IPA CA", "-t", "CT,C,C", "-a", "-i", "/etc/ipa/ca.crt"])
if not options.on_master:
configure_certmonger(fstore, subject_base, cli_realm, options)
# If on master assume kerberos is already configured properly. # If on master assume kerberos is already configured properly.
if not options.on_master: if not options.on_master:
@ -551,6 +574,8 @@ def main():
print "Configured /etc/krb5.conf for IPA realm " + cli_realm print "Configured /etc/krb5.conf for IPA realm " + cli_realm
configure_certmonger(fstore, subject_base, cli_realm, options)
# Modify nsswitch/pam stack # Modify nsswitch/pam stack
if options.sssd: if options.sssd:
cmd = ["/usr/sbin/authconfig", "--enablesssd", "--enablesssdauth", "--update"] cmd = ["/usr/sbin/authconfig", "--enablesssd", "--enablesssdauth", "--update"]

14
ipa-client/man/ipa-client-install.1
View File

@ -50,26 +50,30 @@ Unattended installation. The user will not be prompted.
\fB\-N\fR, \fB\-\-no\-ntp\fR \fB\-N\fR, \fB\-\-no\-ntp\fR
Do not configure or enable NTP. Do not configure or enable NTP.
.TP .TP
\fB\-\-ntp-server\fR=\fINTP_SERVER\fR
Configure ntpd to use this NTP server.
Do not configure or enable NTP.
.TP
\fB\-S\fR, \fB\-\-no\-sssd\fR \fB\-S\fR, \fB\-\-no\-sssd\fR
Do not configure the client to use SSSD for authentication, use nss_ldap instead. Do not configure the client to use SSSD for authentication, use nss_ldap instead.
.TP .TP
\fB\-\-on\-master\fB \fB\-\-on\-master\fB
The client is being configured on an IPA server. The client is being configured on an IPA server.
.TP .TP
\fB\-w\fR, \fB\-\-password\fR \fB\-w\fR \fIPASSWORD\fR, \fB\-\-password\fR=\fIPASSWORD\fR
Password for joining a machine to the IPA realm. Password for joining a machine to the IPA realm. Assumes bulk password unless principal is also set.
.TP .TP
\fB\-W\fR \fB\-W\fR
Prompt for the password for joining a machine to the IPA realm. Prompt for the password for joining a machine to the IPA realm.
.TP .TP
\fB\-p\fR, \fB\-\-principal\fR \fB\-p\fR, \fB\-\-principal\fR
Principal to use to join the IPA realm. Authorized kerberos principal to use to join the IPA realm.
.TP .TP
\fB\-\-permit\fR \fB\-\-permit\fR
Set the SSSD access rules to permit all access. Otherwise the machine will be controlled by the Host-based Access Controls on the IPA server. Configure SSSD to permit all access. Otherwise the machine will be controlled by the Host-based Access Controls (HBAC) on the IPA server.
.TP .TP
\fB\-\-mkhomedir\fR \fB\-\-mkhomedir\fR
Create a users home directory if it does not exist. Configure pam to create a users home directory if it does not exist.
.TP .TP
\fB\-\-uninstall\fR \fB\-\-uninstall\fR
Remove the IPA client software and restore the configuration to the pre-IPA state. Remove the IPA client software and restore the configuration to the pre-IPA state.