IntenseWebs/freeipa
3
0
Fork 0
mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2025-02-25 18:55:28 -06:00
Code Issues Packages Projects Releases Wiki Activity

Split ipa-client/ into ipaclient/ (Python library) and client/ (C, scripts)

Browse Source 
Make ipaclient a Python library like ipapython, ipalib, etc.
Use setup.py instead of autotools for installing it.

Move C client tools, Python scripts, and man pages, to client/.

Remove old, empty or outdated, boilerplate files (NEWS, README, AUTHORS).
Remove /setup-client.py (ipalib/setup.py should be used instead).

Update Makefiles and the spec file accordingly.

https://fedorahosted.org/freeipa/ticket/5638

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
This commit is contained in:
Petr Viktorin
2016-01-14 14:15:49 +01:00
committed by Jan Cholasta
parent 7dae5c09d5
commit 840de9bb48
38 changed files with 111 additions and 235 deletions
Download Patch File Download Diff File Expand all files Collapse all files

126
client/Makefile.am Normal file
View File

@@ -0,0 +1,126 @@
# This file will be processed with automake-1.7 to create Makefile.in
AUTOMAKE_OPTIONS = 1.7
NULL =
AM_CFLAGS = $(NULL)
if HAVE_GCC
AM_CFLAGS += -Wall -Wshadow -Wstrict-prototypes -Wpointer-arith \
-Wcast-align -Werror-implicit-function-declaration \
$(NULL)
endif
export AM_CFLAGS
KRB5_UTIL_DIR=../util
KRB5_UTIL_SRCS=$(KRB5_UTIL_DIR)/ipa_krb5.c
ASN1_UTIL_DIR=../asn1
IPA_CONF_FILE=$(sysconfdir)/ipa/default.conf
AM_CPPFLAGS = \
-I. \
-I$(srcdir) \
-I$(KRB5_UTIL_DIR) \
-I$(ASN1_UTIL_DIR) \
-DPREFIX=\""$(prefix)"\" \
-DBINDIR=\""$(bindir)"\" \
-DLIBDIR=\""$(libdir)"\" \
-DLIBEXECDIR=\""$(libexecdir)"\" \
-DDATADIR=\""$(datadir)"\" \
-DLOCALEDIR=\""$(localedir)"\" \
-DIPACONFFILE=\""$(IPA_CONF_FILE)"\" \
$(KRB5_CFLAGS) \
$(OPENLDAP_CFLAGS) \
$(SASL_CFLAGS) \
$(POPT_CFLAGS) \
$(WARN_CFLAGS) \
$(INI_CFLAGS) \
$(NULL)
sbin_PROGRAMS = \
ipa-getkeytab \
ipa-rmkeytab \
ipa-join \
$(NULL)
sbin_SCRIPTS = \
ipa-client-install \
ipa-client-automount \
ipa-certupdate \
$(NULL)
ipa_getkeytab_SOURCES = \
ipa-getkeytab.c \
ipa-client-common.c \
$(KRB5_UTIL_SRCS) \
$(NULL)
ipa_getkeytab_LDADD = \
../asn1/libipaasn1.la \
$(KRB5_LIBS) \
$(OPENLDAP_LIBS) \
$(SASL_LIBS) \
$(POPT_LIBS) \
$(LIBINTL_LIBS) \
$(INI_LIBS) \
$(NULL)
ipa_rmkeytab_SOURCES = \
ipa-rmkeytab.c \
ipa-client-common.c \
$(NULL)
ipa_rmkeytab_LDADD = \
$(KRB5_LIBS) \
$(POPT_LIBS) \
$(LIBINTL_LIBS) \
$(NULL)
ipa_join_SOURCES = \
config.c \
ipa-client-common.c \
ipa-join.c \
$(NULL)
ipa_join_LDADD = \
$(KRB5_LIBS) \
$(OPENLDAP_LIBS) \
$(SASL_LIBS) \
$(CURL_LIBS) \
$(XMLRPC_LIBS) \
$(POPT_LIBS) \
$(LIBINTL_LIBS) \
$(NULL)
SUBDIRS = \
../asn1 \
man \
$(NULL)
EXTRA_DIST = \
$(sbin_SCRIPTS) \
$(NULL)
DISTCLEANFILES = \
$(NULL)
MAINTAINERCLEANFILES = \
*~ \
intltool-*.in \
compile \
configure \
COPYING \
INSTALL \
install-sh \
missing \
mkinstalldirs \
config.guess \
ltmain.sh \
config.sub \
depcomp \
Makefile.in \
config.h.* \
aclocal.m4 \
version.m4 \
$(NULL)

174
client/config.c Normal file
View File

@@ -0,0 +1,174 @@
/* Authors: Rob Crittenden <rcritten@redhat.com>
*
* Copyright (C) 2009 Red Hat
* see file 'COPYING' for use and warranty information
*
* This program is free software you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
/* Simple and INI-style file reader.
*
* usage is:
* char * data = read_config_file("/path/to/something.conf")
* char * entry = get_config_entry(data, "section", "mykey")
*
* caller must free data and entry.
*/
#define _GNU_SOURCE
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <string.h>
#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>
#include <ctype.h>
#include <errno.h>
#include "config.h"
#include "ipa-client-common.h"
char *
read_config_file(const char *filename)
{
int fd = -1;
struct stat st;
char *data = NULL;
char *dest;
size_t left;
fd = open(filename, O_RDONLY);
if (fd == -1) {
fprintf(stderr, _("cannot open configuration file %s\n"), filename);
goto error_out;
}
/* stat() the file so we know the size and can pre-allocate the right
* amount of memory. */
if (fstat(fd, &st) == -1) {
fprintf(stderr, _("cannot stat() configuration file %s\n"), filename);
goto error_out;
}
left = st.st_size;
data = malloc(st.st_size + 1);
if (data == NULL) {
fprintf(stderr, _("out of memory\n"));
goto error_out;
}
dest = data;
while (left != 0) {
ssize_t res;
res = read(fd, dest, left);
if (res == 0)
break;
if (res < 0) {
fprintf(stderr, _("read error\n"));
goto error_out;
}
dest += res;
left -= res;
}
close(fd);
*dest = 0;
return data;
error_out:
if (fd != -1) close(fd);
free(data);
return NULL;
}
char *
get_config_entry(char * in_data, const char *section, const char *key)
{
char *ptr = NULL, *p, *tmp;
char *line;
int in_section = 0;
char * data;
if (NULL == in_data)
return NULL;
else
data = strdup(in_data);
for (line = strtok_r(data, "\n", &ptr); line != NULL;
line = strtok_r(NULL, "\n", &ptr)) {
/* Skip initial whitespace. */
while (isspace((unsigned char)*line) && (*line != '\0'))
line++;
/* If it's a comment, bail. */
if (*line == '#') {
continue;
}
/* If it's the beginning of a section, process it and clear the key
* and value values. */
if (*line == '[') {
line++;
p = strchr(line, ']');
if (p) {
tmp = strndup(line, p - line);
if (in_section) {
/* We exited the matching section without a match */
free(data);
return NULL;
}
if (strcmp(section, tmp) == 0) {
free(tmp);
in_section = 1;
continue;
}
}
} /* [ */
p = strchr(line, '=');
if (p != NULL && in_section) {
/* Trim any trailing whitespace off the key name. */
while (p != line && isspace((unsigned char)p[-1]))
p--;
/* Save the key. */
tmp = strndup(line, p - line);
if (strcmp(key, tmp) != 0) {
free(tmp);
} else {
free(tmp);
/* Skip over any whitespace after the equal sign. */
line = strchr(line, '=');
line++;
while (isspace((unsigned char)*line) && (*line != '\0'))
line++;
/* Trim off any trailing whitespace. */
p = strchr(line, '\0');
while (p != line && isspace((unsigned char)p[-1]))
p--;
/* Save the value. */
tmp = strndup(line, p - line);
free(data);
return tmp;
}
}
}
free(data);
return NULL;
}

244
client/configure.ac Normal file
View File

@@ -0,0 +1,244 @@
AC_PREREQ(2.59)
m4_include(version.m4)
AC_INIT([ipa-client],
IPA_VERSION,
[https://hosted.fedoraproject.org/projects/freeipa/newticket])
LT_INIT()
AC_PROG_LIBTOOL
AC_CONFIG_HEADERS([config.h])
AC_CONFIG_SUBDIRS([../asn1])
AM_INIT_AUTOMAKE([foreign])
AM_MAINTAINER_MODE
AC_PROG_CC_C99
AC_STDC_HEADERS
AC_DISABLE_STATIC
AC_HEADER_STDC
AM_CONDITIONAL([HAVE_GCC], [test "$ac_cv_prog_gcc" = yes])
AC_SUBST(VERSION)
AC_SUBST([INSTALL_DATA], ['$(INSTALL) -m 644 -p'])
dnl ---------------------------------------------------------------------------
dnl - Check for KRB5
dnl ---------------------------------------------------------------------------
KRB5_LIBS=
AC_CHECK_HEADER(krb5.h, [], [AC_MSG_ERROR([krb5.h not found])])
krb5_impl=mit
if test "x$ac_cv_header_krb5_h" = "xyes" ; then
dnl lazy check for Heimdal Kerberos
AC_CHECK_HEADERS(heim_err.h)
if test $ac_cv_header_heim_err_h = yes ; then
krb5_impl=heimdal
else
krb5_impl=mit
fi
if test "x$krb5_impl" = "xmit"; then
AC_CHECK_LIB(k5crypto, main,
[krb5crypto=k5crypto],
[krb5crypto=crypto])
AC_CHECK_LIB(krb5, main,
[have_krb5=yes
KRB5_LIBS="-lkrb5 -l$krb5crypto -lcom_err"],
[have_krb5=no],
[-l$krb5crypto -lcom_err])
elif test "x$krb5_impl" = "xheimdal"; then
AC_CHECK_LIB(des, main,
[krb5crypto=des],
[krb5crypto=crypto])
AC_CHECK_LIB(krb5, main,
[have_krb5=yes
KRB5_LIBS="-lkrb5 -l$krb5crypto -lasn1 -lroken -lcom_err"],
[have_krb5=no],
[-l$krb5crypto -lasn1 -lroken -lcom_err])
AC_DEFINE(HAVE_HEIMDAL_KERBEROS, 1,
[define if you have HEIMDAL Kerberos])
else
have_krb5=no
AC_MSG_WARN([Unrecognized Kerberos5 Implementation])
fi
if test "x$have_krb5" = "xyes" ; then
ol_link_krb5=yes
AC_DEFINE(HAVE_KRB5, 1,
[define if you have Kerberos V])
else
AC_MSG_ERROR([Required Kerberos 5 support not available])
fi
fi
AC_SUBST(KRB5_LIBS)
dnl ---------------------------------------------------------------------------
dnl - OpenLDAP SDK
dnl ---------------------------------------------------------------------------
AC_CHECK_LIB(ldap, ldap_search, with_ldap=yes)
dnl Check for other libraries we need to link with to get the main routines.
test "$with_ldap" != "yes" && { AC_CHECK_LIB(ldap, ldap_open, [with_ldap=yes with_ldap_lber=yes], , -llber) }
test "$with_ldap" != "yes" && { AC_CHECK_LIB(ldap, ldap_open, [with_ldap=yes with_ldap_lber=yes with_ldap_krb=yes], , -llber -lkrb) }
test "$with_ldap" != "yes" && { AC_CHECK_LIB(ldap, ldap_open, [with_ldap=yes with_ldap_lber=yes with_ldap_krb=yes with_ldap_des=yes], , -llber -lkrb -ldes) }
dnl Recently, we need -lber even though the main routines are elsewhere,
dnl because otherwise be get link errors w.r.t. ber_pvt_opt_on. So just
dnl check for that (it's a variable not a fun but that doesn't seem to
dnl matter in these checks) and stick in -lber if so. Can't hurt (even to
dnl stick it in always shouldn't hurt, I don't think) ... #### Someone who
dnl #### understands LDAP needs to fix this properly.
test "$with_ldap_lber" != "yes" && { AC_CHECK_LIB(lber, ber_pvt_opt_on, with_ldap_lber=yes) }
if test "$with_ldap" = "yes"; then
if test "$with_ldap_des" = "yes" ; then
OPENLDAP_LIBS="${OPENLDAP_LIBS} -ldes"
fi
if test "$with_ldap_krb" = "yes" ; then
OPENLDAP_LIBS="${OPENLDAP_LIBS} -lkrb"
fi
if test "$with_ldap_lber" = "yes" ; then
OPENLDAP_LIBS="${OPENLDAP_LIBS} -llber"
fi
OPENLDAP_LIBS="${OPENLDAP_LIBS} -lldap"
else
AC_MSG_ERROR([OpenLDAP not found])
fi
AC_SUBST(OPENLDAP_LIBS)
dnl ---------------------------------------------------------------------------
dnl - Check for POPT
dnl ---------------------------------------------------------------------------
POPT_LIBS=
AC_CHECK_HEADER(popt.h, [], [AC_MSG_ERROR([popt.h not found])])
AC_CHECK_LIB(popt, poptGetContext, [POPT_LIBS="-lpopt"])
AC_SUBST(POPT_LIBS)
dnl ---------------------------------------------------------------------------
dnl - Check for SASL
dnl ---------------------------------------------------------------------------
SASL_LIBS=
AC_CHECK_HEADER(sasl/sasl.h, [], [AC_MSG_ERROR([sasl/sasl.h not found])])
AC_CHECK_LIB(sasl2, sasl_client_init, [SASL_LIBS="-lsasl2"])
AC_SUBST(SASL_LIBS)
dnl ---------------------------------------------------------------------------
dnl - Check for CURL
dnl ---------------------------------------------------------------------------
CURL_LIBS=
AC_CHECK_HEADER(curl/curl.h, [], [AC_MSG_ERROR([curl/curl.h not found])])
AC_CHECK_LIB(curl, curl_easy_init, [CURL_LIBS="-lcurl"])
if test "x$CURL_LIBS" = "x" ; then
AC_MSG_ERROR([curl not found])
fi
AC_SUBST(CURL_LIBS)
dnl ---------------------------------------------------------------------------
dnl - Check for XMLRPC-C
dnl ---------------------------------------------------------------------------
XMLRPC_LIBS=
AC_CHECK_HEADER(xmlrpc-c/base.h, [], [AC_MSG_ERROR([xmlrpc-c/base.h not found])])
AC_CHECK_LIB(xmlrpc_client, xmlrpc_client_init2, [XMLRPC_LIBS="-lxmlrpc -lxmlrpc_client -lxmlrpc_util"])
if test "x$XMLRPC_LIBS" = "x" ; then
AC_MSG_ERROR([xmlrpc-c not found])
fi
AC_SUBST(XMLRPC_LIBS)
dnl ---------------------------------------------------------------------------
dnl - Check for libintl
dnl ---------------------------------------------------------------------------
SAVE_LIBS="$LIBS"
LIBINTL_LIBS=
AC_CHECK_HEADER(libintl.h, [], [AC_MSG_ERROR([libintl.h not found, please install xgettext])])
AC_SEARCH_LIBS([bindtextdomain], [libintl],[], [])
if test "x$ac_cv_search_bindtextdomain" = "xno" ; then
AC_MSG_ERROR([libintl is not found and your libc does not support gettext, please install xgettext])
elif test "x$ac_cv_search_bindtextdomain" != "xnone required" ; then
LIBINTL_LIBS="$ac_cv_search_bindtextdomain"
fi
LIBS="$SAVELIBS"
AC_SUBST(LIBINTL_LIBS)
dnl ---------------------------------------------------------------------------
dnl - Check for libini_config
dnl ---------------------------------------------------------------------------
PKG_CHECK_MODULES([LIBINI_CONFIG], [ini_config >= 1.2.0], [have_libini_config=1], [have_libini_config=])
if test x$have_libini_config = x; then
AC_MSG_WARN([Could not find LIBINI_CONFIG headers])
else
INI_CONFIG_CFLAGS="`$PKG_CONFIG --cflags ini_config`"
INI_CONFIG_LIBS="`$PKG_CONFIG --libs ini_config`"
AC_CHECK_LIB(ini_config, ini_config_file_open, [],
[AC_MSG_WARN([ini_config library must support ini_config_file_open])],
[$INI_CONFIG_LIBS])
AC_CHECK_LIB(ini_config, ini_config_augment, [],
[AC_MSG_WARN([ini_config library must support ini_config_augment])],
[$INI_CONFIG_LIBS])
fi
if test x$have_libini_config = x1; then
INI_CFLAGS="$INI_CONFIG_CFLAGS"
INI_LIBS="$INI_CONFIG_LIBS"
else
AC_MSG_ERROR([ini_config development packages not available])
fi
AC_SUBST(INI_LIBS)
AC_SUBST(INI_CFLAGS)
dnl ---------------------------------------------------------------------------
dnl - Set the data install directory since we don't use pkgdatadir
dnl ---------------------------------------------------------------------------
IPA_DATA_DIR="$datadir/ipa"
AC_SUBST(IPA_DATA_DIR)
dnl ---------------------------------------------------------------------------
dnl Finish
dnl ---------------------------------------------------------------------------
# Files
AC_CONFIG_FILES([
Makefile
../asn1/Makefile
man/Makefile
])
AC_OUTPUT
echo "
IPA client $VERSION
========================
prefix: ${prefix}
exec_prefix: ${exec_prefix}
libdir: ${libdir}
bindir: ${bindir}
sbindir: ${sbindir}
sysconfdir: ${sysconfdir}
localstatedir: ${localstatedir}
datadir: ${datadir}
source code location: ${srcdir}
Maintainer mode: ${USE_MAINTAINER_MODE}
"

23
client/ipa-certupdate Executable file
View File

@@ -0,0 +1,23 @@
#! /usr/bin/python2 -E
# Authors: Jan Cholasta <jcholast@redhat.com>
#
# Copyright (C) 2014 Red Hat
# see file 'COPYING' for use and warranty information
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
from ipaclient.ipa_certupdate import CertUpdate
CertUpdate.run_cli()

505
client/ipa-client-automount Executable file
View File

@@ -0,0 +1,505 @@
#!/usr/bin/python2 -E
#
# Authors:
# Rob Crittenden <rcritten@redhat.com>
#
# Copyright (C) 2012 Red Hat
# see file 'COPYING' for use and warranty information
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
# Configure the automount client for ldap.
from __future__ import print_function
import sys
import os
import time
import tempfile
import gssapi
import SSSDConfig
from six.moves.urllib.parse import urlsplit
from optparse import OptionParser
from ipalib import api, errors
from ipapython import sysrestore
from ipapython import ipautil
from ipaclient import ipadiscovery
from ipaclient import ipachangeconf
from ipapython.ipa_log_manager import root_logger, standard_logging_setup
from ipapython.dn import DN
from ipaplatform.constants import constants
from ipaplatform.tasks import tasks
from ipaplatform import services
from ipaplatform.paths import paths
def parse_options():
usage = "%prog [options]\n"
parser = OptionParser(usage=usage)
parser.add_option("--server", dest="server", help="IPA server")
parser.add_option("--location", dest="location", help="Automount location",
default="default")
parser.add_option("-S", "--no-sssd", dest="sssd",
action="store_false", default=True,
help="Do not configure the client to use SSSD for automount")
parser.add_option("--debug", dest="debug", action="store_true",
default=False, help="enable debugging")
parser.add_option("-U", "--unattended", dest="unattended",
action="store_true", default=False,
help="unattended installation never prompts the user")
parser.add_option("--uninstall", dest="uninstall", action="store_true",
default=False, help="Unconfigure automount")
options, args = parser.parse_args()
return options, args
def wait_for_sssd():
"""
It takes a bit for sssd to get going, lets loop until it is
serving data.
This function returns nothing.
"""
n = 0
found = False
time.sleep(1)
while n < 10 and not found:
try:
ipautil.run(["getent", "passwd", "admin@%s" % api.env.realm])
found = True
except Exception as e:
time.sleep(1)
n = n + 1
# This should never happen but if it does, may as well warn the user
if not found:
err_msg = ("Unable to find 'admin' user with "
"'getent passwd admin@%s'!" % api.env.realm)
root_logger.debug(err_msg)
print(err_msg)
print("This may mean that sssd didn't re-start properly after the configuration changes.")
def configure_xml(fstore):
from lxml import etree
fstore.backup_file(paths.AUTOFS_LDAP_AUTH_CONF)
try:
f = open(paths.AUTOFS_LDAP_AUTH_CONF, 'r')
lines = f.read()
f.close()
saslconf = etree.fromstring(lines)
element = saslconf.xpath('//autofs_ldap_sasl_conf')
root = saslconf.getroottree()
except IOError as e:
root_logger.debug('Unable to open file %s' % e)
root_logger.debug('Creating new from template')
element = [etree.Element('autofs_ldap_sasl_conf')]
root = element[0].getroottree()
if len(element) != 1:
raise RuntimeError('Unable to parse %s' % paths.AUTOFS_LDAP_AUTH_CONF)
element[0].set('usetls', 'no')
element[0].set('tlsrequired', 'no')
element[0].set('authrequired', 'yes')
element[0].set('authtype', 'GSSAPI')
element[0].set('clientprinc', 'host/%s@%s' % (api.env.host, api.env.realm))
newconf = open(paths.AUTOFS_LDAP_AUTH_CONF, 'w')
try:
root.write(newconf, pretty_print=True, xml_declaration=True, encoding='UTF-8')
newconf.close()
except IOError as e:
print("Unable to write %s: %s" % (paths.AUTOFS_LDAP_AUTH_CONF, e))
print("Configured %s" % paths.AUTOFS_LDAP_AUTH_CONF)
def configure_nsswitch(fstore, options):
"""
Point automount to ldap in nsswitch.conf. This function is for non-SSSD
setups only
"""
fstore.backup_file(paths.NSSWITCH_CONF)
conf = ipachangeconf.IPAChangeConf("IPA Installer")
conf.setOptionAssignment(':')
nss_value = ' files ldap'
opts = [{'name':'automount', 'type':'option', 'action':'set', 'value':nss_value},
{'name':'empty', 'type':'empty'}]
conf.changeConf(paths.NSSWITCH_CONF, opts)
print("Configured %s" % paths.NSSWITCH_CONF)
def configure_autofs_sssd(fstore, statestore, autodiscover, options):
try:
sssdconfig = SSSDConfig.SSSDConfig()
sssdconfig.import_config()
domains = sssdconfig.list_active_domains()
except Exception as e:
sys.exit(e)
try:
sssdconfig.new_service('autofs')
except SSSDConfig.ServiceAlreadyExists:
pass
except SSSDConfig.ServiceNotRecognizedError:
root_logger.error("Unable to activate the Autofs service in SSSD config.")
root_logger.info(
"Please make sure you have SSSD built with autofs support installed.")
root_logger.info(
"Configure autofs support manually in /etc/sssd/sssd.conf.")
sys.exit("Cannot create the autofs service in sssd.conf")
sssdconfig.activate_service('autofs')
domain = None
for name in domains:
domain = sssdconfig.get_domain(name)
try:
provider = domain.get_option('id_provider')
except SSSDConfig.NoOptionError:
continue
if provider == "ipa":
domain.add_provider('ipa', 'autofs')
try:
location = domain.get_option('ipa_automount_location')
sys.exit('An automount location is already configured')
except SSSDConfig.NoOptionError:
domain.set_option('ipa_automount_location', options.location)
break
if domain is None:
sys.exit('SSSD is not configured.')
sssdconfig.save_domain(domain)
sssdconfig.write(paths.SSSD_CONF)
statestore.backup_state('autofs', 'sssd', True)
sssd = services.service('sssd')
sssd.restart()
print("Restarting sssd, waiting for it to become available.")
wait_for_sssd()
def configure_autofs(fstore, statestore, autodiscover, server, options):
"""
fstore: the FileStore to back up files in
options.server: the IPA server to use
options.location: the Automount location to use
"""
if not autodiscover:
ldap_uri = "ldap://%s" % server
else:
ldap_uri = "ldap:///%s" % api.env.basedn
search_base = str(DN(('cn', options.location), api.env.container_automount, api.env.basedn))
replacevars = {
'MAP_OBJECT_CLASS': 'automountMap',
'ENTRY_OBJECT_CLASS': 'automount',
'MAP_ATTRIBUTE': 'automountMapName',
'ENTRY_ATTRIBUTE': 'automountKey',
'VALUE_ATTRIBUTE': 'automountInformation',
'SEARCH_BASE': search_base,
'LDAP_URI': ldap_uri,
}
ipautil.backup_config_and_replace_variables(fstore,
paths.SYSCONFIG_AUTOFS, replacevars=replacevars)
tasks.restore_context(paths.SYSCONFIG_AUTOFS)
statestore.backup_state('autofs', 'sssd', False)
print("Configured %s" % paths.SYSCONFIG_AUTOFS)
def configure_autofs_common(fstore, statestore, options):
autofs = services.knownservices.autofs
statestore.backup_state('autofs', 'enabled', autofs.is_enabled())
statestore.backup_state('autofs', 'running', autofs.is_running())
try:
autofs.restart()
print("Started %s" % autofs.service_name)
except Exception as e:
root_logger.error("%s failed to restart: %s", autofs.service_name, e)
try:
autofs.enable()
except Exception as e:
print("Failed to configure automatic startup of the %s daemon" % (autofs.service_name))
root_logger.error("Failed to enable automatic startup of the %s daemon: %s" % (autofs.service_name, str(e)))
def uninstall(fstore, statestore):
print("Restoring configuration")
if fstore.has_file(paths.SYSCONFIG_AUTOFS):
fstore.restore_file(paths.SYSCONFIG_AUTOFS)
if fstore.has_file(paths.NSSWITCH_CONF):
fstore.restore_file(paths.NSSWITCH_CONF)
if fstore.has_file(paths.AUTOFS_LDAP_AUTH_CONF):
fstore.restore_file(paths.AUTOFS_LDAP_AUTH_CONF)
if fstore.has_file(paths.SYSCONFIG_NFS):
fstore.restore_file(paths.SYSCONFIG_NFS)
if fstore.has_file(paths.IDMAPD_CONF):
fstore.restore_file(paths.IDMAPD_CONF)
if statestore.has_state('autofs'):
enabled = statestore.restore_state('autofs', 'enabled')
running = statestore.restore_state('autofs', 'running')
sssd = statestore.restore_state('autofs', 'sssd')
autofs = services.knownservices.autofs
if not enabled:
autofs.disable()
if not running:
autofs.stop()
if sssd:
try:
sssdconfig = SSSDConfig.SSSDConfig()
sssdconfig.import_config()
sssdconfig.deactivate_service('autofs')
domains = sssdconfig.list_active_domains()
for name in domains:
domain = sssdconfig.get_domain(name)
try:
provider = domain.get_option('id_provider')
except SSSDConfig.NoOptionError:
continue
if provider == "ipa":
domain.remove_option('ipa_automount_location')
domain.remove_provider('autofs')
break
sssdconfig.save_domain(domain)
sssdconfig.write(paths.SSSD_CONF)
sssd = services.service('sssd')
sssd.restart()
wait_for_sssd()
except Exception as e:
print('Unable to restore SSSD configuration: %s' % str(e))
root_logger.debug('Unable to restore SSSD configuration: %s' % str(e))
if statestore.has_state('rpcidmapd'):
enabled = statestore.restore_state('rpcidmapd', 'enabled')
running = statestore.restore_state('rpcidmapd', 'running')
rpcidmapd = services.knownservices.rpcidmapd
if not enabled:
rpcidmapd.disable()
if not running:
rpcidmapd.stop()
if statestore.has_state('rpcgssd'):
enabled = statestore.restore_state('rpcgssd', 'enabled')
running = statestore.restore_state('rpcgssd', 'running')
rpcgssd = services.knownservices.rpcgssd
if not enabled:
rpcgssd.disable()
if not running:
rpcgssd.stop()
return 0
def configure_nfs(fstore, statestore):
"""
Configure secure NFS
"""
replacevars = {
constants.SECURE_NFS_VAR: 'yes',
}
ipautil.backup_config_and_replace_variables(fstore,
paths.SYSCONFIG_NFS, replacevars=replacevars)
tasks.restore_context(paths.SYSCONFIG_NFS)
print("Configured %s" % paths.SYSCONFIG_NFS)
# Prepare the changes
# We need to use IPAChangeConf as simple regexp substitution
# does not cut it here
conf = ipachangeconf.IPAChangeConf("IPA automount installer")
conf.case_insensitive_sections = False
conf.setOptionAssignment(" = ")
conf.setSectionNameDelimiters(("[", "]"))
changes = [conf.setOption('Domain', api.env.domain)]
section_with_changes = [conf.setSection('General', changes)]
# Backup the file and apply the changes
fstore.backup_file(paths.IDMAPD_CONF)
conf.changeConf(paths.IDMAPD_CONF, section_with_changes)
tasks.restore_context(paths.IDMAPD_CONF)
print("Configured %s" % paths.IDMAPD_CONF)
rpcidmapd = services.knownservices.rpcidmapd
statestore.backup_state('rpcidmapd', 'enabled', rpcidmapd.is_enabled())
statestore.backup_state('rpcidmapd', 'running', rpcidmapd.is_running())
try:
rpcidmapd.restart()
print("Started %s" % rpcidmapd.service_name)
except Exception as e:
root_logger.error("%s failed to restart: %s", rpcidmapd.service_name, e)
try:
rpcidmapd.enable()
except Exception as e:
print("Failed to configure automatic startup of the %s daemon" % (rpcidmapd.service_name))
root_logger.error("Failed to enable automatic startup of the %s daemon: %s" % (rpcidmapd.service_name, str(e)))
rpcgssd = services.knownservices.rpcgssd
statestore.backup_state('rpcgssd', 'enabled', rpcgssd.is_enabled())
statestore.backup_state('rpcgssd', 'running', rpcgssd.is_running())
try:
rpcgssd.restart()
print("Started %s" % rpcgssd.service_name)
except Exception as e:
root_logger.error("%s failed to restart: %s", rpcgssd.service_name, e)
try:
rpcgssd.enable()
except Exception as e:
print("Failed to configure automatic startup of the %s daemon" % (rpcgssd.service_name))
root_logger.error("Failed to enable automatic startup of the %s daemon: %s" % (rpcgssd.service_name, str(e)))
def main():
fstore = sysrestore.FileStore(paths.IPA_CLIENT_SYSRESTORE)
statestore = sysrestore.StateFile(paths.IPA_CLIENT_SYSRESTORE)
if not fstore.has_files() and not os.path.exists(paths.IPA_DEFAULT_CONF):
sys.exit('IPA client is not configured on this system.\n')
options, args = parse_options()
standard_logging_setup(
paths.IPACLIENT_INSTALL_LOG, verbose=False, debug=options.debug,
filemode='a', console_format='%(message)s')
cfg = dict(
context='cli_installer',
in_server=False,
debug=options.debug,
verbose=0,
)
api.bootstrap(**cfg)
api.finalize()
ca_cert_path = None
if os.path.exists(paths.IPA_CA_CRT):
ca_cert_path = paths.IPA_CA_CRT
if options.uninstall:
return uninstall(fstore, statestore)
if statestore.has_state('autofs'):
sys.exit('automount is already configured on this system.\n')
autodiscover = False
servers = []
ds = ipadiscovery.IPADiscovery()
if not options.server:
print("Searching for IPA server...")
ret = ds.search(ca_cert_path=ca_cert_path)
root_logger.debug('Executing DNS discovery')
if ret == ipadiscovery.NO_LDAP_SERVER:
root_logger.debug('Autodiscovery did not find LDAP server')
s = urlsplit(api.env.xmlrpc_uri)
server = [s.netloc]
root_logger.debug('Setting server to %s' % s.netloc)
else:
autodiscover = True
if not ds.servers:
sys.exit('Autodiscovery was successful but didn\'t return a server')
root_logger.debug('Autodiscovery success, possible servers %s' % ','.join(ds.servers))
server = ds.servers[0]
else:
server = options.server
root_logger.debug("Verifying that %s is an IPA server" % server)
ldapret = ds.ipacheckldap(server, api.env.realm, ca_cert_path)
if ldapret[0] == ipadiscovery.NO_ACCESS_TO_LDAP:
print("Anonymous access to the LDAP server is disabled.")
print("Proceeding without strict verification.")
print("Note: This is not an error if anonymous access has been explicitly restricted.")
elif ldapret[0] == ipadiscovery.NO_TLS_LDAP:
root_logger.warning("Unencrypted access to LDAP is not supported.")
elif ldapret[0] != 0:
sys.exit('Unable to confirm that %s is an IPA server' % server)
if not autodiscover:
print("IPA server: %s" % server)
root_logger.debug('Using fixed server %s' % server)
else:
print("IPA server: DNS discovery")
root_logger.debug('Configuring to use DNS discovery')
search_base = str(DN(('cn', options.location), api.env.container_automount, api.env.basedn))
print("Location: %s" % options.location)
root_logger.debug('Using automount location %s' % options.location)
ccache_dir = tempfile.mkdtemp()
ccache_name = os.path.join(ccache_dir, 'ccache')
try:
try:
host_princ = str('host/%s@%s' % (api.env.host, api.env.realm))
ipautil.kinit_keytab(host_princ, paths.KRB5_KEYTAB, ccache_name)
os.environ['KRB5CCNAME'] = ccache_name
except gssapi.exceptions.GSSError as e:
sys.exit("Failed to obtain host TGT: %s" % e)
# Now we have a TGT, connect to IPA
try:
api.Backend.rpcclient.connect()
except errors.KerberosError as e:
sys.exit('Cannot connect to the server due to ' + str(e))
try:
# Use the RPC directly so older servers are supported
result = api.Backend.rpcclient.forward(
'automountlocation_show',
ipautil.fsdecode(options.location),
version=u'2.0',
)
except errors.VersionError as e:
sys.exit('This client is incompatible: ' + str(e))
except errors.NotFound:
sys.exit("Automount location '%s' does not exist" % options.location)
except errors.PublicError as e:
sys.exit("Cannot connect to the server due to generic error: %s" % str(e))
finally:
os.remove(ccache_name)
os.rmdir(ccache_dir)
if not options.unattended and not ipautil.user_input("Continue to configure the system with these values?", False):
sys.exit("Installation aborted")
try:
if not options.sssd:
configure_nsswitch(fstore, options)
configure_nfs(fstore, statestore)
if options.sssd:
configure_autofs_sssd(fstore, statestore, autodiscover, options)
else:
configure_xml(fstore)
configure_autofs(fstore, statestore, autodiscover, server, options)
configure_autofs_common(fstore, statestore, options)
except Exception as e:
root_logger.debug('Raised exception %s' % e)
print("Installation failed. Rolling back changes.")
uninstall(fstore, statestore)
return 1
return 0
try:
if not os.geteuid()==0:
sys.exit("\nMust be run as root\n")
sys.exit(main())
except SystemExit as e:
sys.exit(e)
except RuntimeError as e:
sys.exit(e)
except (KeyboardInterrupt, EOFError):
sys.exit(1)

48
client/ipa-client-common.c Normal file
View File

@@ -0,0 +1,48 @@
/* Authors: Jakub Hrozek <jhrozek@redhat.com>
*
* Copyright (C) 2010 Red Hat
* see file 'COPYING' for use and warranty information
*
* This program is free software you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
#include <locale.h>
#include <libintl.h>
#include <errno.h>
#include "config.h"
int init_gettext(void)
{
char *c;
c = setlocale(LC_ALL, "");
if (!c) {
return EIO;
}
errno = 0;
c = bindtextdomain("ipa", LOCALEDIR);
if (c == NULL) {
return errno;
}
errno = 0;
c = textdomain("ipa");
if (c == NULL) {
return errno;
}
return 0;
}

33
client/ipa-client-common.h Normal file
View File

@@ -0,0 +1,33 @@
/* Authors: Jakub Hrozek <jhrozek@redhat.com>
*
* Copyright (C) 2010 Red Hat
* see file 'COPYING' for use and warranty information
*
* This program is free software you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
#ifndef __IPA_CLIENT_COMMON_H
#define __IPA_CLIENT_COMMON_H
#include <libintl.h>
#define _(STRING) gettext(STRING)
#include <stdint.h>
#ifndef discard_const
#define discard_const(ptr) ((void *)((uintptr_t)(ptr)))
#endif
int init_gettext(void);
#endif /* __IPA_CLIENT_COMMON_H */

3144
client/ipa-client-install Executable file
View File

File diff suppressed because it is too large Load Diff

913
client/ipa-getkeytab.c Normal file
View File

@@ -0,0 +1,913 @@
/* Authors: Simo Sorce <ssorce@redhat.com>
*
* Copyright (C) 2007 Red Hat
* see file 'COPYING' for use and warranty information
*
* This program is free software you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
#define _GNU_SOURCE
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <sys/time.h>
#include <unistd.h>
#include <stdio.h>
#include <stdarg.h>
#include <stdlib.h>
#include <stdint.h>
#include <stdbool.h>
#include <string.h>
#include <errno.h>
#include <time.h>
#include <krb5.h>
#include <ldap.h>
#include <sasl/sasl.h>
#include <popt.h>
#include <ini_configobj.h>
#include "config.h"
#include "ipa_krb5.h"
#include "ipa_asn1.h"
#include "ipa-client-common.h"
static int ldap_sasl_interact(LDAP *ld, unsigned flags, void *priv_data, void *sit)
{
sasl_interact_t *in = NULL;
int ret = LDAP_OTHER;
krb5_principal princ = (krb5_principal)priv_data;
krb5_context krbctx;
char *outname = NULL;
krb5_error_code krberr;
if (!ld) return LDAP_PARAM_ERROR;
for (in = sit; in && in->id != SASL_CB_LIST_END; in++) {
switch(in->id) {
case SASL_CB_USER:
krberr = krb5_init_context(&krbctx);
if (krberr) {
fprintf(stderr, _("Kerberos context initialization failed: %1$s (%2$d)\n"),
error_message(krberr), krberr);
in->result = NULL;
in->len = 0;
ret = LDAP_LOCAL_ERROR;
break;
}
krberr = krb5_unparse_name(krbctx, princ, &outname);
if (krberr) {
fprintf(stderr, _("Unable to parse principal: %1$s (%2$d)\n"),
error_message(krberr), krberr);
in->result = NULL;
in->len = 0;
ret = LDAP_LOCAL_ERROR;
break;
}
in->result = outname;
in->len = strlen(outname);
ret = LDAP_SUCCESS;
krb5_free_context(krbctx);
break;
case SASL_CB_GETREALM:
in->result = princ->realm.data;
in->len = princ->realm.length;
ret = LDAP_SUCCESS;
break;
default:
in->result = NULL;
in->len = 0;
ret = LDAP_OTHER;
}
}
return ret;
}
int filter_keys(krb5_context krbctx, struct keys_container *keys,
ber_int_t *enctypes)
{
struct krb_key_salt *ksdata;
int i, j, n;
n = keys->nkeys;
ksdata = keys->ksdata;
for (i = 0; i < n; i++) {
if (ksdata[i].enctype == enctypes[i]) continue;
if (enctypes[i] == 0) {
/* remove unsupported one */
krb5_free_keyblock_contents(krbctx, &ksdata[i].key);
krb5_free_data_contents(krbctx, &ksdata[i].salt);
for (j = i; j < n-1; j++) {
ksdata[j] = ksdata[j + 1];
enctypes[j] = enctypes[j + 1];
}
n--;
/* new key has been moved to this position, make sure
* we do not skip it, by neutralizing next i increment */
i--;
}
}
if (n == 0) {
fprintf(stderr, _("No keys accepted by KDC\n"));
return 0;
}
keys->nkeys = n;
return n;
}
static int ipa_ldap_init(LDAP ** ld, const char * scheme, const char * servername, const int port)
{
char* url = NULL;
int url_len = snprintf(url,0,"%s://%s:%d",scheme,servername,port) +1;
url = (char *)malloc (url_len);
if (!url){
fprintf(stderr, _("Out of memory \n"));
return LDAP_NO_MEMORY;
}
sprintf(url,"%s://%s:%d",scheme,servername,port);
int rc = ldap_initialize(ld, url);
free(url);
return rc;
}
const char *ca_cert_file = "/etc/ipa/ca.crt";
static int ipa_ldap_bind(const char *server_name, krb5_principal bind_princ,
const char *bind_dn, const char *bind_pw, LDAP **_ld)
{
char *msg = NULL;
struct berval bv;
int version;
LDAP *ld;
int ssl;
int ret;
/* TODO: support referrals ? */
if (bind_dn) {
ret = ldap_set_option(NULL, LDAP_OPT_X_TLS_CACERTFILE, ca_cert_file);
if (ret != LDAP_OPT_SUCCESS) {
fprintf(stderr, _("Unable to set LDAP_OPT_X_TLS_CERTIFICATE\n"));
return ret;
}
ret = ipa_ldap_init(&ld, "ldaps", server_name, 636);
if (ret != LDAP_SUCCESS) {
fprintf(stderr, _("Unable to init for ldaps(636) connection\n"));
return ret;
}
ssl = LDAP_OPT_X_TLS_HARD;;
ret = ldap_set_option(ld, LDAP_OPT_X_TLS, &ssl);
if (ret != LDAP_OPT_SUCCESS) {
fprintf(stderr, _("Unable to set LDAP_OPT_X_TLS\n"));
goto done;
}
} else {
ret = ipa_ldap_init(&ld, "ldap", server_name, 389);
if (ret != LDAP_SUCCESS) {
fprintf(stderr, _("Unable to init for ldap(389) connection\n"));
return ret;
}
}
if (ld == NULL) {
fprintf(stderr, _("Unable to initialize ldap library!\n"));
return LDAP_OPERATIONS_ERROR;
}
#ifdef LDAP_OPT_X_SASL_NOCANON
/* Don't do DNS canonicalization */
ret = ldap_set_option(ld, LDAP_OPT_X_SASL_NOCANON, LDAP_OPT_ON);
if (ret != LDAP_SUCCESS) {
fprintf(stderr, _("Unable to set LDAP_OPT_X_SASL_NOCANON\n"));
goto done;
}
#endif
version = LDAP_VERSION3;
ret = ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION, &version);
if (ret != LDAP_SUCCESS) {
fprintf(stderr, _("Unable to set LDAP_OPT_PROTOCOL_VERSION\n"));
goto done;
}
if (bind_dn) {
bv.bv_val = discard_const(bind_pw);
bv.bv_len = strlen(bind_pw);
ret = ldap_sasl_bind_s(ld, bind_dn, LDAP_SASL_SIMPLE,
&bv, NULL, NULL, NULL);
if (ret != LDAP_SUCCESS) {
fprintf(stderr, _("Simple bind failed\n"));
goto done;
}
} else {
ret = ldap_sasl_interactive_bind_s(ld, NULL, "GSSAPI",
NULL, NULL, LDAP_SASL_QUIET,
ldap_sasl_interact, bind_princ);
if (ret != LDAP_SUCCESS) {
#ifdef LDAP_OPT_DIAGNOSTIC_MESSAGE
ldap_get_option(ld, LDAP_OPT_DIAGNOSTIC_MESSAGE, (void*)&msg);
#endif
fprintf(stderr, "SASL Bind failed %s (%d) %s!\n",
ldap_err2string(ret), ret, msg ? msg : "");
goto done;
}
}
ret = LDAP_SUCCESS;
done:
if (ret != LDAP_SUCCESS) {
if (ld) ldap_unbind_ext(ld, NULL, NULL);
} else {
*_ld = ld;
}
return ret;
}
static int ipa_ldap_extended_op(LDAP *ld, const char *reqoid,
struct berval *control,
LDAPControl ***srvctrl)
{
struct berval *retdata = NULL;
LDAPMessage *res = NULL;
char *retoid = NULL;
struct timeval tv;
char *err = NULL;
int msgid;
int ret, rc;
ret = ldap_extended_operation(ld, reqoid, control,
NULL, NULL, &msgid);
if (ret != LDAP_SUCCESS) {
fprintf(stderr, _("Operation failed: %s\n"), ldap_err2string(ret));
return ret;
}
/* wait max 10 secs for the answer */
tv.tv_sec = 10;
tv.tv_usec = 0;
ret = ldap_result(ld, msgid, 1, &tv, &res);
if (ret == -1) {
fprintf(stderr, _("Failed to get result: %s\n"), ldap_err2string(ret));
goto done;
}
ret = ldap_parse_extended_result(ld, res, &retoid, &retdata, 0);
if (ret != LDAP_SUCCESS) {
fprintf(stderr, _("Failed to parse extended result: %s\n"),
ldap_err2string(ret));
goto done;
}
ret = ldap_parse_result(ld, res, &rc, NULL, &err, NULL, srvctrl, 0);
if (ret != LDAP_SUCCESS || rc != LDAP_SUCCESS) {
fprintf(stderr, _("Failed to parse result: %s\n"),
err ? err : ldap_err2string(ret));
if (ret == LDAP_SUCCESS) ret = rc;
goto done;
}
done:
if (err) ldap_memfree(err);
if (res) ldap_msgfree(res);
return ret;
}
static int find_control_data(LDAPControl **list, const char *repoid,
struct berval *data)
{
LDAPControl *control = NULL;
int i;
if (!list) {
fprintf(stderr, _("Missing reply control list!\n"));
return LDAP_OPERATIONS_ERROR;
}
for (i = 0; list[i]; i++) {
if (strcmp(list[i]->ldctl_oid, repoid) == 0) {
control = list[i];
}
}
if (!control) {
fprintf(stderr, _("Missing reply control!\n"));
return LDAP_OPERATIONS_ERROR;
}
*data = control->ldctl_value;
return LDAP_SUCCESS;
}
static BerElement *get_control_data(LDAPControl **list, const char *repoid)
{
struct berval data;
int ret;
ret = find_control_data(list, repoid, &data);
if (ret != LDAP_SUCCESS) return NULL;
return ber_init(&data);
}
static int ldap_set_keytab(krb5_context krbctx,
const char *servername,
const char *principal_name,
krb5_principal princ,
const char *binddn,
const char *bindpw,
struct keys_container *keys)
{
LDAP *ld = NULL;
BerElement *sctrl = NULL;
struct berval *control = NULL;
LDAPControl **srvctrl = NULL;
int ret;
int kvno, i;
ber_tag_t rtag;
ber_int_t *encs = NULL;
int successful_keys = 0;
/* cant' return more than nkeys, sometimes less */
encs = calloc(keys->nkeys + 1, sizeof(ber_int_t));
if (!encs) {
fprintf(stderr, _("Out of Memory!\n"));
return 0;
}
/* build password change control */
control = create_key_control(keys, principal_name);
if (!control) {
fprintf(stderr, _("Failed to create control!\n"));
goto error_out;
}
ret = ipa_ldap_bind(servername, princ, binddn, bindpw, &ld);
if (ret != LDAP_SUCCESS) {
fprintf(stderr, _("Failed to bind to server!\n"));
goto error_out;
}
/* perform password change */
ret = ipa_ldap_extended_op(ld, KEYTAB_SET_OID, control, &srvctrl);
if (ret != LDAP_SUCCESS) {
fprintf(stderr, _("Failed to get keytab!\n"));
goto error_out;
}
ber_bvfree(control);
control = NULL;
sctrl = get_control_data(srvctrl, KEYTAB_RET_OID);
if (!sctrl) {
fprintf(stderr, _("ber_init() failed, Invalid control ?!\n"));
goto error_out;
}
/* Format of response
*
* KeytabGetRequest ::= SEQUENCE {
* new_kvno Int32
* SEQUENCE OF KeyTypes
* }
*
* * List of accepted enctypes *
* KeyTypes ::= SEQUENCE {
* enctype Int32
* }
*/
rtag = ber_scanf(sctrl, "{i{", &kvno);
if (rtag == LBER_ERROR) {
fprintf(stderr, _("ber_scanf() failed, unable to find kvno ?!\n"));
goto error_out;
}
for (i = 0; i < keys->nkeys; i++) {
ret = ber_scanf(sctrl, "{i}", &encs[i]);
if (ret == LBER_ERROR) {
char enc[79]; /* fit std terminal or truncate */
krb5_error_code krberr;
krberr = krb5_enctype_to_string(
keys->ksdata[i].enctype, enc, 79);
if (krberr) {
fprintf(stderr, _("Failed to retrieve "
"encryption type type #%d\n"),
keys->ksdata[i].enctype);
} else {
fprintf(stderr, _("Failed to retrieve "
"encryption type %1$s (#%2$d)\n"),
enc, keys->ksdata[i].enctype);
}
} else {
successful_keys++;
}
}
if (successful_keys == 0) {
fprintf(stderr, _("Failed to retrieve any keys"));
goto error_out;
}
ret = filter_keys(krbctx, keys, encs);
if (ret == 0) goto error_out;
ber_free(sctrl, 1);
ldap_controls_free(srvctrl);
ldap_unbind_ext(ld, NULL, NULL);
free(encs);
return kvno;
error_out:
if (sctrl) ber_free(sctrl, 1);
if (srvctrl) ldap_controls_free(srvctrl);
if (ld) ldap_unbind_ext(ld, NULL, NULL);
if (control) ber_bvfree(control);
free(encs);
return -1;
}
/* use asn1c generated code to fill up control */
static struct berval *create_getkeytab_control(const char *svc_princ, bool gen,
const char *password,
struct krb_key_salt *encsalts,
int num_encsalts)
{
struct berval *result = NULL;
void *buffer = NULL;
size_t buflen;
long ets[num_encsalts];
bool ret;
int i;
if (gen) {
for (i = 0; i < num_encsalts; i++) {
ets[i] = encsalts[i].enctype;
}
}
ret = ipaasn1_enc_getkt(gen, svc_princ,
password, ets, num_encsalts,
&buffer, &buflen);
if (!ret) goto done;
result = malloc(sizeof(struct berval));
if (!result) goto done;
result->bv_val = buffer;
result->bv_len = buflen;
done:
if (result == NULL) {
if (buffer) {
free(buffer);
}
}
return result;
}
#define GK_REPLY_TAG (LBER_CLASS_CONTEXT | LBER_CONSTRUCTED | 2)
#define GKREP_KEY_TAG (LBER_CLASS_CONTEXT | LBER_CONSTRUCTED | 0)
#define GKREP_SALT_TAG (LBER_CLASS_CONTEXT | LBER_CONSTRUCTED | 1)
static int ldap_get_keytab(krb5_context krbctx, bool generate, char *password,
const char *enctypes, const char *bind_server,
const char *svc_princ, krb5_principal bind_princ,
const char *bind_dn, const char *bind_pw,
struct keys_container *keys, int *kvno,
char **err_msg)
{
struct krb_key_salt *es = NULL;
int num_es = 0;
struct berval *control = NULL;
LDAP *ld = NULL;
LDAPControl **srvctrl = NULL;
struct berval data;
bool res;
int ret;
*err_msg = NULL;
if (enctypes) {
ret = ipa_string_to_enctypes(enctypes, &es, &num_es, err_msg);
if (ret || num_es == 0) {
return LDAP_OPERATIONS_ERROR;
}
}
control = create_getkeytab_control(svc_princ, generate,
password, es, num_es);
if (!control) {
*err_msg = _("Failed to create control!\n");
ret = LDAP_OPERATIONS_ERROR;
goto done;
}
ret = ipa_ldap_bind(bind_server, bind_princ, bind_dn, bind_pw, &ld);
if (ret != LDAP_SUCCESS) {
*err_msg = _("Failed to bind to server!\n");
goto done;
}
/* perform extedned opt to get keytab */
ret = ipa_ldap_extended_op(ld, KEYTAB_GET_OID, control, &srvctrl);
if (ret != LDAP_SUCCESS) {
goto done;
}
ret = find_control_data(srvctrl, KEYTAB_GET_OID, &data);
if (ret != LDAP_SUCCESS) goto done;
res = ipaasn1_dec_getktreply(data.bv_val, data.bv_len, kvno, keys);
if (!res) {
*err_msg = _("Failed to decode control reply!\n");
ret = LDAP_OPERATIONS_ERROR;
goto done;
}
ret = LDAP_SUCCESS;
done:
if (ld) ldap_unbind_ext(ld, NULL, NULL);
if (control) ber_bvfree(control);
free(es);
if (ret) {
free_keys_contents(krbctx, keys);
}
return ret;
}
static char *ask_password(krb5_context krbctx)
{
krb5_prompt ap_prompts[2];
krb5_data k5d_pw0;
krb5_data k5d_pw1;
char pw0[256];
char pw1[256];
char *password;
k5d_pw0.length = sizeof(pw0);
k5d_pw0.data = pw0;
ap_prompts[0].prompt = _("New Principal Password");
ap_prompts[0].hidden = 1;
ap_prompts[0].reply = &k5d_pw0;
k5d_pw1.length = sizeof(pw1);
k5d_pw1.data = pw1;
ap_prompts[1].prompt = _("Verify Principal Password");
ap_prompts[1].hidden = 1;
ap_prompts[1].reply = &k5d_pw1;
krb5_prompter_posix(krbctx, NULL,
NULL, NULL,
2, ap_prompts);
if (strcmp(pw0, pw1)) {
fprintf(stderr, _("Passwords do not match!"));
return NULL;
}
password = malloc(k5d_pw0.length + 1);
if (!password) return NULL;
memcpy(password, pw0, k5d_pw0.length);
password[k5d_pw0.length] = '\0';
return password;
}
struct ipa_config {
const char *server_name;
};
static int config_from_file(struct ini_cfgobj *cfgctx)
{
struct ini_cfgfile *fctx = NULL;
char **errors = NULL;
int ret;
ret = ini_config_file_open(IPACONFFILE, 0, &fctx);
if (ret) {
fprintf(stderr, _("Failed to open config file %s\n"), IPACONFFILE);
return ret;
}
ret = ini_config_parse(fctx,
INI_STOP_ON_ANY,
INI_MS_MERGE | INI_MV1S_ALLOW | INI_MV2S_ALLOW,
INI_PARSE_NOWRAP,
cfgctx);
if (ret) {
fprintf(stderr, _("Failed to parse config file %s\n"), IPACONFFILE);
if (ini_config_error_count(cfgctx)) {
ini_config_get_errors(cfgctx, &errors);
if (errors) {
ini_config_print_errors(stderr, errors);
ini_config_free_errors(errors);
}
}
ini_config_file_destroy(fctx);
return ret;
}
ini_config_file_destroy(fctx);
return 0;
}
int read_ipa_config(struct ipa_config **ipacfg)
{
struct ini_cfgobj *cfgctx = NULL;
struct value_obj *obj = NULL;
int ret;
*ipacfg = calloc(1, sizeof(struct ipa_config));
if (!*ipacfg) {
return ENOMEM;
}
ret = ini_config_create(&cfgctx);
if (ret) {
return ENOENT;
}
ret = config_from_file(cfgctx);
if (ret) {
ini_config_destroy(cfgctx);
return EINVAL;
}
ret = ini_get_config_valueobj("global", "server", cfgctx,
INI_GET_LAST_VALUE, &obj);
if (ret != 0 || obj == NULL) {
/* if called on an IPA server we need to look for 'host' instead */
ret = ini_get_config_valueobj("global", "host", cfgctx,
INI_GET_LAST_VALUE, &obj);
}
if (ret == 0 && obj != NULL) {
(*ipacfg)->server_name = ini_get_string_config_value(obj, &ret);
}
return 0;
}
int main(int argc, const char *argv[])
{
static const char *server = NULL;
static const char *principal = NULL;
static const char *keytab = NULL;
static const char *enctypes_string = NULL;
static const char *binddn = NULL;
static const char *bindpw = NULL;
int quiet = 0;
int askpass = 0;
int permitted_enctypes = 0;
int retrieve = 0;
struct poptOption options[] = {
{ "quiet", 'q', POPT_ARG_NONE, &quiet, 0,
_("Print as little as possible"), _("Output only on errors")},
{ "server", 's', POPT_ARG_STRING, &server, 0,
_("Contact this specific KDC Server"),
_("Server Name") },
{ "principal", 'p', POPT_ARG_STRING, &principal, 0,
_("The principal to get a keytab for (ex: ftp/ftp.example.com@EXAMPLE.COM)"),
_("Kerberos Service Principal Name") },
{ "keytab", 'k', POPT_ARG_STRING, &keytab, 0,
_("File were to store the keytab information"),
_("Keytab File Name") },
{ "enctypes", 'e', POPT_ARG_STRING, &enctypes_string, 0,
_("Encryption types to request"),
_("Comma separated encryption types list") },
{ "permitted-enctypes", 0, POPT_ARG_NONE, &permitted_enctypes, 0,
_("Show the list of permitted encryption types and exit"),
_("Permitted Encryption Types") },
{ "password", 'P', POPT_ARG_NONE, &askpass, 0,
_("Asks for a non-random password to use for the principal"), NULL },
{ "binddn", 'D', POPT_ARG_STRING, &binddn, 0,
_("LDAP DN"), _("DN to bind as if not using kerberos") },
{ "bindpw", 'w', POPT_ARG_STRING, &bindpw, 0,
_("LDAP password"), _("password to use if not using kerberos") },
{ "retrieve", 'r', POPT_ARG_NONE, &retrieve, 0,
_("Retrieve current keys without changing them"), NULL },
POPT_AUTOHELP
POPT_TABLEEND
};
poptContext pc;
char *ktname;
char *password = NULL;
krb5_context krbctx;
krb5_ccache ccache;
krb5_principal uprinc = NULL;
krb5_principal sprinc;
krb5_error_code krberr;
struct keys_container keys = { 0 };
krb5_keytab kt;
int kvno;
int i, ret;
char *err_msg;
ret = init_gettext();
if (ret) {
fprintf(stderr, "Failed to load translations\n");
}
krberr = krb5_init_context(&krbctx);
if (krberr) {
fprintf(stderr, _("Kerberos context initialization failed\n"));
exit(1);
}
pc = poptGetContext("ipa-getkeytab", argc, (const char **)argv, options, 0);
ret = poptGetNextOpt(pc);
if (ret == -1 && permitted_enctypes &&
!(server || principal || keytab || quiet)) {
krb5_enctype *ktypes;
char enc[79]; /* fit std terminal or truncate */
krberr = krb5_get_permitted_enctypes(krbctx, &ktypes);
if (krberr) {
fprintf(stderr, _("No system preferred enctypes ?!\n"));
exit(1);
}
fprintf(stdout, _("Supported encryption types:\n"));
for (i = 0; ktypes[i]; i++) {
krberr = krb5_enctype_to_string(ktypes[i], enc, 79);
if (krberr) {
fprintf(stderr, _("Warning: "
"failed to convert type (#%d)\n"), i);
continue;
}
fprintf(stdout, "%s\n", enc);
}
ipa_krb5_free_ktypes(krbctx, ktypes);
exit (0);
}
if (ret != -1 || !principal || !keytab || permitted_enctypes) {
if (!quiet) {
poptPrintUsage(pc, stderr, 0);
}
exit(2);
}
if (NULL!=binddn && NULL==bindpw) {
fprintf(stderr,
_("Bind password required when using a bind DN.\n"));
if (!quiet)
poptPrintUsage(pc, stderr, 0);
exit(10);
}
if (!server) {
struct ipa_config *ipacfg = NULL;
ret = read_ipa_config(&ipacfg);
if (ret == 0) {
server = ipacfg->server_name;
ipacfg->server_name = NULL;
}
free(ipacfg);
if (!server) {
fprintf(stderr, _("Server name not provided and unavailable\n"));
exit(2);
}
}
if (askpass && retrieve) {
fprintf(stderr, _("Incompatible options provided (-r and -P)\n"));
exit(2);
}
if (askpass) {
password = ask_password(krbctx);
if (!password) {
exit(2);
}
} else if (enctypes_string && strchr(enctypes_string, ':')) {
if (!quiet) {
fprintf(stderr, _("Warning: salt types are not honored"
" with randomized passwords (see opt. -P)\n"));
}
}
ret = asprintf(&ktname, "WRFILE:%s", keytab);
if (ret == -1) {
exit(3);
}
krberr = krb5_parse_name(krbctx, principal, &sprinc);
if (krberr) {
fprintf(stderr, _("Invalid Service Principal Name\n"));
exit(4);
}
if (NULL == bindpw) {
krberr = krb5_cc_default(krbctx, &ccache);
if (krberr) {
fprintf(stderr,
_("Kerberos Credential Cache not found. "
"Do you have a Kerberos Ticket?\n"));
exit(5);
}
krberr = krb5_cc_get_principal(krbctx, ccache, &uprinc);
if (krberr) {
fprintf(stderr,
_("Kerberos User Principal not found. "
"Do you have a valid Credential Cache?\n"));
exit(6);
}
}
krberr = krb5_kt_resolve(krbctx, ktname, &kt);
if (krberr) {
fprintf(stderr, _("Failed to open Keytab\n"));
exit(7);
}
kvno = -1;
ret = ldap_get_keytab(krbctx, (retrieve == 0), password, enctypes_string,
server, principal, uprinc, binddn, bindpw,
&keys, &kvno, &err_msg);
if (ret) {
if (!quiet && err_msg != NULL) {
fprintf(stderr, "%s", err_msg);
}
}
if (retrieve == 0 && kvno == -1) {
if (!quiet) {
fprintf(stderr,
_("Retrying with pre-4.0 keytab retrieval method...\n"));
}
/* create key material */
ret = create_keys(krbctx, sprinc, password, enctypes_string, &keys, &err_msg);
if (!ret) {
if (err_msg != NULL) {
fprintf(stderr, "%s", err_msg);
}
fprintf(stderr, _("Failed to create key material\n"));
exit(8);
}
kvno = ldap_set_keytab(krbctx, server, principal, uprinc, binddn, bindpw, &keys);
}
if (kvno == -1) {
fprintf(stderr, _("Failed to get keytab\n"));
exit(9);
}
for (i = 0; i < keys.nkeys; i++) {
krb5_keytab_entry kt_entry;
memset((char *)&kt_entry, 0, sizeof(kt_entry));
kt_entry.principal = sprinc;
kt_entry.key = keys.ksdata[i].key;
kt_entry.vno = kvno;
krberr = krb5_kt_add_entry(krbctx, kt, &kt_entry);
if (krberr) {
fprintf(stderr,
_("Failed to add key to the keytab\n"));
exit (11);
}
}
free_keys_contents(krbctx, &keys);
krberr = krb5_kt_close(krbctx, kt);
if (krberr) {
fprintf(stderr, _("Failed to close the keytab\n"));
exit (12);
}
if (!quiet) {
fprintf(stderr,
_("Keytab successfully retrieved and stored in: %s\n"),
keytab);
}
exit(0);
}

1161
client/ipa-join.c Normal file
View File

File diff suppressed because it is too large Load Diff

268
client/ipa-rmkeytab.c Normal file
View File

@@ -0,0 +1,268 @@
/* Authors: Rob Crittenden <rcritten@redhat.com>
*
* Copyright (C) 2009 Red Hat
* see file 'COPYING' for use and warranty information
*
* This program is free software you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
#define _GNU_SOURCE
#include <stdlib.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <krb5.h>
#include <popt.h>
#include <errno.h>
#include "ipa-client-common.h"
#include "config.h"
int
remove_principal(krb5_context context, krb5_keytab ktid, const char *principal, int debug)
{
krb5_error_code krberr;
krb5_keytab_entry entry, entry2;
int rval = 0;
int removed = 0;
memset(&entry, 0, sizeof(entry));
krberr = krb5_parse_name(context, principal, &entry.principal);
if (krberr) {
fprintf(stderr, _("Unable to parse principal name\n"));
if (debug)
fprintf(stderr, _("krb5_parse_name %1$d: %2$s\n"),
krberr, error_message(krberr));
rval = 4;
goto done;
}
/* Loop through the keytab and remove all entries with this principal name
* irrespective of the encryption type. A failure to find one after the
* first means we're done.
*/
fprintf(stderr, _("Removing principal %s\n"), principal);
while (1) {
memset(&entry2, 0, sizeof(entry2));
krberr = krb5_kt_get_entry(context, ktid,
entry.principal,
0,
0,
&entry2);
if (krberr) {
if (removed > 0)
/* not found but we've removed some, we're done */
break;
if (krberr == ENOENT) {
fprintf(stderr, _("Failed to open keytab\n"));
rval = 3;
goto done;
}
fprintf(stderr, _("principal not found\n"));
if (debug)
fprintf(stderr, _("krb5_kt_get_entry %1$d: %2$s\n"),
krberr, error_message(krberr));
rval = 5;
break;
}
krberr = krb5_kt_remove_entry(context, ktid, &entry2);
if (krberr) {
fprintf(stderr, _("Unable to remove entry\n"));
if (debug) {
fprintf(stdout, _("kvno %d\n"), entry2.vno);
fprintf(stderr, _("krb5_kt_remove_entry %1$d: %2$s\n"),
krberr, error_message(krberr));
}
rval = 6;
break;
}
krb5_free_keytab_entry_contents(context, &entry2);
removed++;
}
if (entry2.principal)
krb5_free_keytab_entry_contents(context, &entry2);
done:
return rval;
}
int
remove_realm(krb5_context context, krb5_keytab ktid, const char *realm, int debug)
{
krb5_error_code krberr;
krb5_keytab_entry entry;
krb5_kt_cursor kt_cursor;
char * entry_princ_s = NULL;
int rval = 0;
bool realm_found = false;
krberr = krb5_kt_start_seq_get(context, ktid, &kt_cursor);
memset(&entry, 0, sizeof(entry));
while (krb5_kt_next_entry(context, ktid, &entry, &kt_cursor) == 0) {
krberr = krb5_unparse_name(context, entry.principal, &entry_princ_s);
if (krberr) {
fprintf(stderr, _("Unable to parse principal\n"));
if (debug) {
fprintf(stderr, _("krb5_unparse_name %1$d: %2$s\n"),
krberr, error_message(krberr));
}
rval = 4;
goto done;
}
/* keytab entries are locked when looping. Temporarily suspend
* the looping. */
krb5_kt_end_seq_get(context, ktid, &kt_cursor);
if (strstr(entry_princ_s, realm) != NULL) {
realm_found = true;
rval = remove_principal(context, ktid, entry_princ_s, debug);
if (rval != 0)
goto done;
/* Have to reset the cursor */
krberr = krb5_kt_start_seq_get(context, ktid, &kt_cursor);
}
}
if (!realm_found) {
fprintf(stderr, _("realm not found\n"));
return 5;
}
done:
return rval;
}
int
main(int argc, const char **argv)
{
krb5_context context;
krb5_error_code krberr;
krb5_keytab ktid;
krb5_kt_cursor cursor;
char * ktname = NULL;
char * atrealm = NULL;
poptContext pc;
static const char *keytab = NULL;
static const char *principal = NULL;
static const char *realm = NULL;
int debug = 0;
int ret, rval = 0;
struct poptOption options[] = {
{ "debug", 'd', POPT_ARG_NONE, &debug, 0,
_("Print debugging information"), _("Debugging output") },
{ "principal", 'p', POPT_ARG_STRING, &principal, 0,
_("The principal to remove from the keytab (ex: ftp/ftp.example.com@EXAMPLE.COM)"),
_("Kerberos Service Principal Name") },
{ "keytab", 'k', POPT_ARG_STRING, &keytab, 0,
_("The keytab file to remove the principcal(s) from"), _("Keytab File Name") },
{ "realm", 'r', POPT_ARG_STRING, &realm, 0,
_("Remove all principals in this realm"), _("Realm name") },
POPT_AUTOHELP
POPT_TABLEEND
};
ret = init_gettext();
if (ret) {
exit(1);
}
memset(&ktid, 0, sizeof(ktid));
krberr = krb5_init_context(&context);
if (krberr) {
fprintf(stderr, _("Kerberos context initialization failed\n"));
exit(1);
}
pc = poptGetContext("ipa-rmkeytab", argc, (const char **)argv, options, 0);
ret = poptGetNextOpt(pc);
if (ret != -1 || (!principal && !realm) || !keytab) {
poptPrintUsage(pc, stderr, 0);
rval = 1;
goto cleanup;
}
ret = asprintf(&ktname, "WRFILE:%s", keytab);
if (ret == -1) {
rval = 2;
goto cleanup;
}
/* The remove_realm function just does a substring match. Ensure that
* the string we pass in looks like a realm.
*/
if (realm) {
if (realm[0] != '@') {
ret = asprintf(&atrealm, "@%s", realm);
if (ret == -1) {
rval = 2;
goto cleanup;
}
} else {
atrealm = strdup(realm);
if (NULL == atrealm) {
rval = 2;
goto cleanup;
}
}
}
krberr = krb5_kt_resolve(context, ktname, &ktid);
if (krberr) {
fprintf(stderr, _("Failed to open keytab '%1$s': %2$s\n"), keytab,
error_message(krberr));
rval = 3;
goto cleanup;
}
krberr = krb5_kt_start_seq_get(context, ktid, &cursor);
if (krberr) {
fprintf(stderr, _("Failed to open keytab '%1$s': %2$s\n"), keytab,
error_message(krberr));
rval = 3;
goto cleanup;
}
krb5_kt_end_seq_get(context, ktid, &cursor);
if (principal)
rval = remove_principal(context, ktid, principal, debug);
else if (realm)
rval = remove_realm(context, ktid, atrealm, debug);
cleanup:
if (rval == 0 || rval > 3) {
krberr = krb5_kt_close(context, ktid);
if (krberr) {
fprintf(stderr, _("Closing keytab failed\n"));
if (debug)
fprintf(stderr, _("krb5_kt_close %1$d: %2$s\n"),
krberr, error_message(krberr));
}
}
krb5_free_context(context);
poptFreeContext(pc);
free(atrealm);
free(ktname);
return rval;
}

24
client/man/Makefile.am Normal file
View File

@@ -0,0 +1,24 @@
# This file will be processed with automake-1.7 to create Makefile.in
AUTOMAKE_OPTIONS = 1.7
NULL =
man1_MANS = \
ipa-getkeytab.1 \
ipa-rmkeytab.1 \
ipa-client-install.1 \
ipa-client-automount.1 \
ipa-certupdate.1 \
ipa-join.1
man5_MANS = \
default.conf.5
install-data-hook:
@for i in $(man1_MANS) ; do gzip -f $(DESTDIR)$(man1dir)/$$i ; done
@for i in $(man5_MANS) ; do gzip -f $(DESTDIR)$(man5dir)/$$i ; done
MAINTAINERCLEANFILES = \
Makefile.in \
$(NULL)

246
client/man/default.conf.5 Normal file
View File

@@ -0,0 +1,246 @@
.\" A man page for default.conf
.\" Copyright (C) 2011 Red Hat, Inc.
.\"
.\" This program is free software; you can redistribute it and/or modify
.\" it under the terms of the GNU General Public License as published by
.\" the Free Software Foundation, either version 3 of the License, or
.\" (at your option) any later version.
.\"
.\" This program is distributed in the hope that it will be useful, but
.\" WITHOUT ANY WARRANTY; without even the implied warranty of
.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
.\" General Public License for more details.
.\"
.\" You should have received a copy of the GNU General Public License
.\" along with this program. If not, see <http://www.gnu.org/licenses/>.
.\"
.\" Author: Rob Crittenden <rcritten@@redhat.com>
.\"
.TH "default.conf" "5" "Feb 21 2011" "FreeIPA" "FreeIPA Manual Pages"
.SH "NAME"
default.conf \- IPA configuration file
.SH "SYNOPSIS"
/etc/ipa/default.conf, ~/.ipa/default.conf, /etc/ipa/server.conf, /etc/ipa/cli.conf
.SH "DESCRIPTION"
The \fIdefault.conf \fRconfiguration file is used to set system\-wide defaults to be applied when running IPA clients and servers.
Users may create an optional configuration file in \fI~/.ipa/default.conf\fR which will be merged into the system\-wide defaults file.
The following files are read, in order:
.nf
~/.ipa/default.conf
/etc/ipa/<context>.conf
/etc/ipa/default.conf
built\-in constants
.fi
The IPA server does not read ~/.ipa/default.conf.
The first setting wins.
.SH "SYNTAX"
The configuration options are not case sensitive. The values may be case sensitive, depending on the option.
Blank lines are ignored.
Lines beginning with # are comments and are ignored.
Valid lines consist of an option name, an equals sign and a value. Spaces surrounding equals sign are ignored. An option terminates at the end of a line.
Values should not be quoted, the quotes will not be stripped.
.DS L
# Wrong \- don't include quotes
verbose = "True"
# Right \- Properly formatted options
verbose = True
verbose=True
.DE
Options must appear in the section named [global]. There are no other sections defined or used currently.
Options may be defined that are not used by IPA. Be careful of misspellings, they will not be rejected.
.SH "OPTIONS"
The following options are relevant for the server:
.TP
.B basedn\fR <base>
Specifies the base DN to use when performing LDAP operations. The base must be in DN format (dc=example,dc=com).
.TP
.B ca_agent_port <port>
Specifies the secure CA agent port. The default is 8443.
.TP
.B ca_ee_port <port>
Specifies the secure CA end user port. The default is 8443.
.TP
.B ca_host <hostname>
Specifies the hostname of the dogtag CA server. The default is the hostname of the IPA server.
.TP
.B ca_port <port>
Specifies the insecure CA end user port. The default is 8080.
.TP
.B context <context>
Specifies the context that IPA is being executed in. IPA may operate differently depending on the context. The current defined contexts are cli and server. Additionally this value is used to load /etc/ipa/\fBcontext\fR.conf to provide context\-specific configuration. For example, if you want to always perform client requests in verbose mode but do not want to have verbose enabled on the server, add the verbose option to \fI/etc/ipa/cli.conf\fR.
.TP
.B debug <boolean>
When True provides detailed information. Specifically this set the global log level to "debug". Default is False.
.TP
.B dogtag_version <version>
Stores the version of Dogtag. Value 9 is assumed if not specified otherwise.
.TP
.B domain <domain>
The domain of the IPA server e.g. example.com.
.TP
.B enable_ra <boolean>
Specifies whether the CA is acting as an RA agent, such as when dogtag is being used as the Certificate Authority. This setting only applies to the IPA server configuration.
.TP
.B fallback <boolean>
Specifies whether an IPA client should attempt to fall back and try other services if the first connection fails.
.TP
.B host <hostname>
Specifies the local system hostname.
.TP
.B in_server <boolean>
Specifies whether requests should be forwarded to an IPA server or handled locally. This is used internally by IPA in a similar way as context. The same IPA framework is used by the ipa command\-line tool and the server. This setting tells the framework whether it should execute the command as if on the server or forward it via XML\-RPC to a remote server.
.TP
.B in_tree <boolean>
This is used in development and is generally a detected value. It means that the code is being executed within a source tree.
.TP
.B interactive <boolean>
Specifies whether values should be prompted for or not. The default is True.
.TP
.B ldap_uri <URI>
Specifies the URI of the IPA LDAP server to connect to. The URI scheme may be one of \fBldap\fR or \fBldapi\fR. The default is to use ldapi, e.g. ldapi://%2fvar%2frun%2fslapd\-EXAMPLE\-COM.socket
.TP
.B log_logger_XXX <comma separated list of regexps>
loggers matching regexp will be assigned XXX level.
.IP
Logger levels can be explicitly specified for specific loggers as
opposed to a global logging level. Specific loggers are indicated
by a list of regular expressions bound to a level. If a logger's
name matches the regexp then it is assigned that level. This config item
must begin with "log_logger_level_" and then be
followed by a symbolic or numeric log level, for example:
.IP
log_logger_level_debug = ipalib\\.dn\\..*
.IP
log_logger_level_35 = ipalib\\.plugins\\.dogtag
.IP
The first line says any logger belonging to the ipalib.dn module
will have it's level configured to debug.
.IP
The second line say the ipa.plugins.dogtag logger will be
configured to level 35.
.IP
This config item is useful when you only want to see the log output from
one or more selected loggers. Turning on the global debug flag will produce
an enormous amount of output. This allows you to leave the global debug flag
off and selectively enable output from a specific logger. Typically loggers
are bound to classes and plugins.
.IP
Note: logger names are a dot ('.') separated list forming a path
in the logger tree. The dot character is also a regular
expression metacharacter (matches any character) therefore you
will usually need to escape the dot in the logger names by
preceding it with a backslash.
.TP
.B mode <mode>
Specifies the mode the server is running in. The currently support values are \fBproduction\fR and \fBdevelopment\fR. When running in production mode some self\-tests are skipped to improve performance.
.TP
.B mount_ipa <URI>
Specifies the mount point that the development server will register. The default is /ipa/
.TP
.B prompt_all <boolean>
Specifies that all options should be prompted for in the IPA client, even optional values. Default is False.
.TP
.B ra_plugin <name>
Specifies the name of the CA back end to use. The current options are \fBdogtag\fR and \fBnone\fR. This is a server\-side setting. Changing this value is not recommended as the CA back end is only set up during initial installation.
.TP
.B realm <realm>
Specifies the Kerberos realm.
.TP
.B session_auth_duration <time duration spec>
Specifies the length of time authentication credentials cached in the session are valid. After the duration expires credentials will be automatically reacquired. Examples are "2 hours", "1h:30m", "10 minutes", "5min, 30sec".
.TP
.B session_duration_type <inactivity_timeout|from_start>
Specifies how the expiration of a session is computed. With \fBinactivity_timeout\fR the expiration time is advanced by the value of session_auth_duration everytime the user accesses the service. With \fBfrom_start\fR the session expiration is the start of the user's session plus the value of session_auth_duration.
.TP
.B server <hostname>
Specifies the IPA Server hostname.
.TP
.B skip_version_check <boolean>
Skip client vs. server API version checking. Can lead to errors/strange behavior when newer clients talk to older servers. Use with caution.
.TP
.B startup_timeout <time in seconds>
Controls the amount of time waited when starting a service. The default value is 120 seconds.
.TP
.B startup_traceback <boolean>
If the IPA server fails to start and this value is True the server will attempt to generate a python traceback to make identifying the underlying problem easier.
.TP
.B validate_api <boolean>
Used internally in the IPA source package to verify that the API has not changed. This is used to prevent regressions. If it is true then some errors are ignored so enough of the IPA framework can be loaded to verify all of the API, even if optional components are not installed. The default is False.
.TP
.B verbose <boolean>
When True provides more information. Specifically this sets the global log level to "info".
.TP
.B wait_for_dns <number of attempts>
Controls whether the IPA commands dnsrecord\-{add,mod,del} work synchronously or not. The DNS commands will repeat DNS queries up to the specified number of attempts until the DNS server returns an up-to-date answer to a query for modified records. Delay between retries is one second.
.IP
The DNS commands will raise a DNSDataMismatch exception if the answer doesn't match the expected value even after the specified number of attempts.
.IP
The DNS queries will be sent to the resolver configured in /etc/resolv.conf on the IPA server.
.IP
Do not enable this in production! This will cause problems if the resolver on IPA server uses a caching server instead of a local authoritative server or e.g. if DNS answers are modified by DNS64. The default is disabled (the option is not present).
.TP
.B xmlrpc_uri <URI>
Specifies the URI of the XML\-RPC server for a client. This may be used by IPA, and is used by some external tools, such as ipa\-getcert. Example: https://ipa.example.com/ipa/xml
.TP
.B jsonrpc_uri <URI>
Specifies the URI of the JSON server for a client. This is used by IPA. If not given, it is derived from xmlrpc_uri. Example: https://ipa.example.com/ipa/json
.TP
.B rpc_protocol <URI>
Specifies the type of RPC calls IPA makes: 'jsonrpc' or 'xmlrpc'. Defaults to 'jsonrpc'.
.TP
The following define the containers for the IPA server. Containers define where in the DIT that objects can be found. The full location is the value of container + basedn.
container_accounts: cn=accounts
container_applications: cn=applications,cn=configs,cn=policies
container_automount: cn=automount
container_configs: cn=configs,cn=policies
container_dns: cn=dns
container_group: cn=groups,cn=accounts
container_hbac: cn=hbac
container_hbacservice: cn=hbacservices,cn=hbac
container_hbacservicegroup: cn=hbacservicegroups,cn=hbac
container_host: cn=computers,cn=accounts
container_hostgroup: cn=hostgroups,cn=accounts
container_netgroup: cn=ng,cn=alt
container_permission: cn=permissions,cn=pbac
container_policies: cn=policies
container_policygroups: cn=policygroups,cn=configs,cn=policies
container_policylinks: cn=policylinks,cn=configs,cn=policies
container_privilege: cn=privileges,cn=pbac
container_rolegroup: cn=roles,cn=accounts
container_roles: cn=roles,cn=policies
container_service: cn=services,cn=accounts
container_sudocmd: cn=sudocmds,cn=sudo
container_sudocmdgroup: cn=sudocmdgroups,cn=sudo
container_sudorule: cn=sudorules,cn=sudo
container_user: cn=users,cn=accounts
container_vault: cn=vaults,cn=kra
container_virtual: cn=virtual operations,cn=etc
.SH "FILES"
.TP
.I /etc/ipa/default.conf
system\-wide IPA configuration file
.TP
.I $HOME/.ipa/default.conf
user IPA configuration file
.TP
It is also possible to define context\-specific configuration files. The \fBcontext\fR is set when the IPA api is initialized. The two currently defined contexts in IPA are \fBcli\fR and \fBserver\fR. This is helpful, for example, if you only want \fBdebug\fR enabled on the server and not in the client. If this is set to True in \fIdefault.conf\fR it will affect both the ipa client tool and the IPA server. If it is only set in \fIserver.conf\fR then only the server will have \fBdebug\fR set. These files will be loaded if they exist:
.TP
.I /etc/ipa/cli.conf
system\-wide IPA client configuration file
.TP
.I /etc/ipa/server.conf
system\-wide IPA server configuration file
.SH "SEE ALSO"
.BR ipa (1)

39
client/man/ipa-certupdate.1 Normal file
View File

@@ -0,0 +1,39 @@
.\" A man page for ipa-certupdate
.\" Copyright (C) 2014 Red Hat, Inc.
.\"
.\" This program is free software; you can redistribute it and/or modify
.\" it under the terms of the GNU General Public License as published by
.\" the Free Software Foundation, either version 3 of the License, or
.\" (at your option) any later version.
.\"
.\" This program is distributed in the hope that it will be useful, but
.\" WITHOUT ANY WARRANTY; without even the implied warranty of
.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
.\" General Public License for more details.
.\"
.\" You should have received a copy of the GNU General Public License
.\" along with this program. If not, see <http://www.gnu.org/licenses/>.
.\"
.\" Author: Jan Cholasta <jcholast@redhat.com>
.\"
.TH "ipa-certupdate" "1" "Jul 2 2014" "FreeIPA" "FreeIPA Manual Pages"
.SH "NAME"
ipa\-certupdate \- Update local IPA certificate databases with certificates from the server
.SH "SYNOPSIS"
\fBipa\-certupdate\fR [\fIOPTIONS\fR...]
.SH "DESCRIPTION"
\fBipa\-certupdate\fR can be used to update local IPA certificate databases with certificates from the server.
.SH "OPTIONS"
.TP
\fB\-v\fR, \fB\-\-verbose\fR
Print debugging information.
.TP
\fB\-q\fR, \fB\-\-quiet\fR
Output only errors.
.TP
\fB\-\-log\-file\fR=\fIFILE\fR
Log to the given file.
.SH "EXIT STATUS"
0 if the command was successful
1 if an error occurred

89
client/man/ipa-client-automount.1 Normal file
View File

@@ -0,0 +1,89 @@
.\" A man page for ipa-client-automount
.\" Copyright (C) 2012 Red Hat, Inc.
.\"
.\" This program is free software; you can redistribute it and/or modify
.\" it under the terms of the GNU General Public License as published by
.\" the Free Software Foundation, either version 3 of the License, or
.\" (at your option) any later version.
.\"
.\" This program is distributed in the hope that it will be useful, but
.\" WITHOUT ANY WARRANTY; without even the implied warranty of
.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
.\" General Public License for more details.
.\"
.\" You should have received a copy of the GNU General Public License
.\" along with this program. If not, see <http://www.gnu.org/licenses/>.
.\"
.\" Author: Rob Crittenden <rcritten@redhat.com>
.\"
.TH "ipa-client-automount" "1" "May 25 2012" "FreeIPA" "FreeIPA Manual Pages"
.SH "NAME"
ipa\-client\-automount \- Configure automount and NFS for IPA
.SH "SYNOPSIS"
ipa\-client\-automount [\fIOPTION\fR]... <location>
.SH "DESCRIPTION"
Configures automount for IPA.
The automount configuration consists of three files:
.PP
.IP o
/etc/nsswitch.conf
.IP o
/etc/sysconfig/autofs
.IP o
/etc/autofs_ldap_auth.conf
.TP
By default this will use DNS discovery to attempt to determine the IPA server(s) to use. If IPA servers are discovered then the automount client will be configured to use DNS discovery.
.TP
If DNS discovery fails or a specific server is desired, use the \-\-server option.
.TP
The default automount location is named default. To specify a different one use the \-\-location option.
.TP
The IPA client must already be configured in order to configure automount. The IPA client is configured as part of a server installation.
.TP
There are two ways to configure automount. The default is to use sssd to manage the automount maps. Alternatively autofs can configured to bind to LDAP over GSSAPI and authenticate using the machine's host principal.
.TP
The nsswitch automount service is configured to use either sss or ldap and files depending on whether SSSD is configured or not.
.TP
NFSv4 is also configured. The rpc.gssd and rpc.idmapd are started on clients to support Kerberos\-secured mounts.
.SH "OPTIONS"
\fB\-\-server\fR=\fISERVER\fR
Set the IPA server to connect to
.TP
\fB\-\-location\fR=\fILOCATION\fR
Automount location
.TP
\fB\-S\fR, \fB\-\-no\-sssd\fR
Do not configure the client to use SSSD for automount
.TP
\fB\-d\fR, \fB\-\-debug\fR
Print debugging information to stdout
.TP
\fB\-U\fR, \fB\-\-unattended\fR
Unattended installation. The user will not be prompted
.TP
\fB\-\-uninstall\fR
Restore the automount configuration files
.SH "FILES"
.TP
Files that will be always be configured:
/etc/nsswitch.conf
.TP
Files that will be configured when SSSD is the automount client (default):
/etc/sssd/sssd.conf
.TP
Files that will be configured when using the ldap automount client:
/etc/sysconfig/autofs
/etc/autofs_ldap_auth.conf
.SH "EXIT STATUS"
0 if the installation was successful
1 if an error occurred

288
client/man/ipa-client-install.1 Normal file
View File

@@ -0,0 +1,288 @@
.\" A man page for ipa-client-install
.\" Copyright (C) 2008 Red Hat, Inc.
.\"
.\" This program is free software; you can redistribute it and/or modify
.\" it under the terms of the GNU General Public License as published by
.\" the Free Software Foundation, either version 3 of the License, or
.\" (at your option) any later version.
.\"
.\" This program is distributed in the hope that it will be useful, but
.\" WITHOUT ANY WARRANTY; without even the implied warranty of
.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
.\" General Public License for more details.
.\"
.\" You should have received a copy of the GNU General Public License
.\" along with this program. If not, see <http://www.gnu.org/licenses/>.
.\"
.\" Author: Rob Crittenden <rcritten@redhat.com>
.\"
.TH "ipa-client-install" "1" "Jan 31 2013" "FreeIPA" "FreeIPA Manual Pages"
.SH "NAME"
ipa\-client\-install \- Configure an IPA client
.SH "SYNOPSIS"
ipa\-client\-install [\fIOPTION\fR]...
.SH "DESCRIPTION"
Configures a client machine to use IPA for authentication and identity services.
By default this configures SSSD to connect to an IPA server for authentication and authorization. Optionally one can instead configure PAM and NSS (Name Switching Service) to work with an IPA server over Kerberos and LDAP.
An authorized user is required to join a client machine to IPA. This can take the form of a kerberos principal or a one\-time password associated with the machine.
This same tool is used to unconfigure IPA and attempts to return the machine to its previous state. Part of this process is to unenroll the host from the IPA server. Unenrollment consists of disabling the principal key on the IPA server so that it may be re\-enrolled. The machine principal in /etc/krb5.keytab (host/<fqdn>@REALM) is used to authenticate to the IPA server to unenroll itself. If this principal does not exist then unenrollment will fail and an administrator will need to disable the host principal (ipa host\-disable <fqdn>).
.SS "Assumptions"
The ipa\-client\-install script assumes that the machine has already generated SSH keys. It will not generate SSH keys of its own accord. If SSH keys are not present (e.g when running the ipa\-client\-install in a kickstart, before ever running sshd), they will not be uploaded to the client host entry on the server.
.SS "Hostname Requirements"
Client must use a \fBstatic hostname\fR. If the machine hostname changes for example due to a dynamic hostname assignment by a DHCP server, client enrollment to IPA server breaks and user then would not be able to perform Kerberos authentication.
\-\-hostname option may be used to specify a static hostname that persists over reboot.
.SS "DNS Autodiscovery"
Client installer by default tries to search for _ldap._tcp.DOMAIN DNS SRV records for all domains that are parent to its hostname. For example, if a client machine has a hostname 'client1.lab.example.com', the installer will try to retrieve an IPA server hostname from _ldap._tcp.lab.example.com, _ldap._tcp.example.com and _ldap._tcp.com DNS SRV records, respectively. The discovered domain is then used to configure client components (e.g. SSSD and Kerberos 5 configuration) on the machine.
When the client machine hostname is not in a subdomain of an IPA server, its domain can be passed with \-\-domain option. In that case, both SSSD and Kerberos components have the domain set in the configuration files and will use it to autodiscover IPA servers.
Client machine can also be configured without a DNS autodiscovery at all. When both \-\-server and \-\-domain options are used, client installer will use the specified server and domain directly. \-\-server option accepts multiple server hostnames which can be used for failover mechanism. Without DNS autodiscovery, Kerberos is configured with a fixed list of KDC and Admin servers. SSSD is still configured to either try to read domain's SRV records or the specified fixed list of servers. When \-\-fixed\-primary option is specified, SSSD will not try to read DNS SRV record at all (see sssd\-ipa(5) for details).
.SS "The Failover Mechanism"
When some of the IPA servers is not available, client components are able to fallback to other IPA replica and thus preserving a continued service. When client machine is configured to use DNS SRV record autodiscovery (no fixed server was passed to the installer), client components do the fallback automatically, based on the IPA server hostnames and priorities discovered from the DNS SRV records.
If DNS autodiscovery is not available, clients should be configured at least with a fixed list of IPA servers that can be used in case of a failure. When only one IPA server is configured, IPA client services will not be available in case of a failure of the IPA server. Please note, that in case of a fixed list of IPA servers, the fixed server lists in client components need to be updated when a new IPA server is enrolled or a current IPA server is decommissioned.
.SS "Coexistence With Other Directory Servers"
Other directory servers deployed in the network (e.g. Microsoft Active Directory) may use the same DNS SRV records to denote hosts with a directory service (_ldap._tcp.DOMAIN). Such DNS SRV records may break the installation if the installer discovers these DNS records before it finds DNS SRV records pointing to IPA servers. The installer would then fail to discover the IPA server and exit with error.
In order to avoid the aforementioned DNS autodiscovery issues, the client machine hostname should be in a domain with properly defined DNS SRV records pointing to IPA servers, either manually with a custom DNS server or with IPA DNS integrated solution. A second approach would be to avoid autodiscovery and configure the installer to use a fixed list of IPA server hostnames using the \-\-server option and with a \-\-fixed\-primary option disabling DNS SRV record autodiscovery in SSSD.
.SS "Re\-enrollment of the host"
Requirements:
1. Host has not been un\-enrolled (the ipa\-client\-install \-\-uninstall command has not been run).
.br
2. The host entry has not been disabled via the ipa host\-disable command.
If this has been the case, host can be re\-enrolled using the usual methods.
There are two method of authenticating a re\-enrollment:
1. You can use \-\-force\-join option with ipa\-client\-install command. This authenticates the re\-enrollment using the admin's credentials provided via the \-w/\-\-password option.
.br
2. If providing the admin's password via the command line is not an option (e.g you want to create a script to re\-enroll a host and keep the admin's password secure), you can use backed up keytab from the previous enrollment of this host to authenticate. See \-\-keytab option.
Consequences of the re\-enrollment on the host entry:
1. A new host certificate is issued
.br
2. The old host certificate is revoked
.br
3. New SSH keys are generated
.br
4. ipaUniqueID is preserved
.SH "OPTIONS"
.SS "BASIC OPTIONS"
.TP
\fB\-\-domain\fR=\fIDOMAIN\fR
Set the domain name to DOMAIN. When no \-\-server option is specified, the installer will try to discover all available servers via DNS SRV record autodiscovery (see DNS Autodiscovery section for details).
.TP
\fB\-\-server\fR=\fISERVER\fR
Set the IPA server to connect to. May be specified multiple times to add multiple servers to ipa_server value in sssd.conf or krb5.conf. Only the first value is considered when used with \-\-no\-sssd. When this option is used, DNS autodiscovery for Kerberos is disabled and a fixed list of KDC and Admin servers is configured.
.TP
\fB\-\-realm\fR=\fIREALM_NAME\fR
Set the IPA realm name to REALM_NAME. Under normal circumstances, this option is not needed as the realm name is retrieved from the IPA server.
.TP
\fB\-\-fixed\-primary\fR
Configure SSSD to use a fixed server as the primary IPA server. The default is to use DNS SRV records to determine the primary server to use and fall back to the server the client is enrolled with. When used in conjunction with \-\-server then no _srv_ value is set in the ipa_server option in sssd.conf.
.TP
\fB\-p\fR, \fB\-\-principal\fR
Authorized kerberos principal to use to join the IPA realm.
.TP
\fB\-w\fR \fIPASSWORD\fR, \fB\-\-password\fR=\fIPASSWORD\fR
Password for joining a machine to the IPA realm. Assumes bulk password unless principal is also set.
.TP
\fB\-W\fR
Prompt for the password for joining a machine to the IPA realm.
.TP
\fB\-k\fR, \fB\-\-keytab\fR
Path to backed up host keytab from previous enrollment. Joins the host even if it is already enrolled.
.TP
\fB\-\-mkhomedir\fR
Configure PAM to create a users home directory if it does not exist.
.TP
\fB\-\-hostname\fR
The hostname of this machine (FQDN). If specified, the hostname will be set and the system configuration will be updated to persist over reboot. By default a nodename result from uname(2) is used.
.TP
\fB\-\-force\-join\fR
Join the host even if it is already enrolled.
.TP
\fB\-\-ntp\-server\fR=\fINTP_SERVER\fR
Configure ntpd to use this NTP server. This option can be used multiple times.
.TP
\fB\-N\fR, \fB\-\-no\-ntp\fR
Do not configure or enable NTP.
.TP
\fB\-\-force\-ntpd\fR
Stop and disable any time&date synchronization services besides ntpd.
.TP
\fB\-\-nisdomain\fR=\fINIS_DOMAIN\fR
Set the NIS domain name as specified. By default, this is set to the IPA domain name.
.TP
\fB\-\-no\-nisdomain\fR
Do not configure NIS domain name.
.TP
\fB\-\-ssh\-trust\-dns\fR
Configure OpenSSH client to trust DNS SSHFP records.
.TP
\fB\-\-no\-ssh\fR
Do not configure OpenSSH client.
.TP
\fB\-\-no\-sshd\fR
Do not configure OpenSSH server.
.TP
\fB\-\-no\-sudo\fR
Do not configure SSSD as a data source for sudo.
.TP
\fB\-\-no\-dns\-sshfp\fR
Do not automatically create DNS SSHFP records.
.TP
\fB\-\-noac\fR
Do not use Authconfig to modify the nsswitch.conf and PAM configuration.
.TP
\fB\-f\fR, \fB\-\-force\fR
Force the settings even if errors occur
.TP
\fB\-\-kinit\-attempts\fR=\fIKINIT_ATTEMPTS\fR
In case of unresponsive KDC (e.g. when enrolling multiple hosts at once in a
heavy load environment) repeat the request for host Kerberos ticket up to a
total number of \fIKINIT_ATTEMPTS\fR times before giving up and aborting client
installation. Default number of attempts is 5. The request is not repeated when
there is a problem with host credentials themselves (e.g. wrong keytab format
or invalid principal) so using this option will not lead to account lockouts.
.TP
\fB\-d\fR, \fB\-\-debug\fR
Print debugging information to stdout
.TP
\fB\-U\fR, \fB\-\-unattended\fR
Unattended installation. The user will not be prompted.
.TP
\fB\-\-ca\-cert\-file\fR=\fICA_FILE\fR
Do not attempt to acquire the IPA CA certificate via automated means,
instead use the CA certificate found locally in in \fICA_FILE\fR. The
\fICA_FILE\fR must be an absolute path to a PEM formatted certificate
file. The CA certificate found in \fICA_FILE\fR is considered
authoritative and will be installed without checking to see if it's
valid for the IPA domain.
.TP
\fB\-\-request\-cert\fR
Request certificate for the machine. The certificate will be stored in /etc/ipa/nssdb under the nickname "Local IPA host".
.TP
\fB\-\-automount\-location\fR=\fILOCATION\fR
Configure automount by running ipa\-client\-automount(1) with \fILOCATION\fR as
automount location.
.TP
\fB\-\-configure\-firefox\fR
Configure Firefox to use IPA domain credentials.
.TP
\fB\-\-firefox\-dir\fR=\fIDIR\fR
Specify Firefox installation directory. For example: '/usr/lib/firefox'
.TP
\fB\-\-ip\-address\fR=\fIIP_ADDRESS\fR
Use \fIIP_ADDRESS\fR in DNS A/AAAA record for this host. May be specified multiple times to add multiple DNS records.
.TP
\fB\-\-all\-ip\-addresses\fR
Create DNS A/AAAA record for each IP address on this host.
.SS "SSSD OPTIONS"
.TP
\fB\-\-permit\fR
Configure SSSD to permit all access. Otherwise the machine will be controlled by the Host\-based Access Controls (HBAC) on the IPA server.
.TP
\fB\-\-enable\-dns\-updates\fR
This option tells SSSD to automatically update DNS with the IP address of this client.
.TP
\fB\-\-no\-krb5\-offline\-passwords\fR
Configure SSSD not to store user password when the server is offline.
.TP
\fB\-S\fR, \fB\-\-no\-sssd\fR
Do not configure the client to use SSSD for authentication, use nss_ldap instead.
.TP
\fB\-\-preserve\-sssd\fR
Disabled by default. When enabled, preserves old SSSD configuration if it is
not possible to merge it with a new one. Effectively, if the merge is not
possible due to SSSDConfig reader encountering unsupported options,
\fBipa\-client\-install\fR will not run further and ask to fix SSSD config
first. When this option is not specified, \fBipa\-client\-install\fR will back
up SSSD config and create new one. The back up version will be restored during
uninstall.
.SS "UNINSTALL OPTIONS"
.TP
\fB\-\-uninstall\fR
Remove the IPA client software and restore the configuration to the pre\-IPA state.
.TP
\fB\-U\fR, \fB\-\-unattended\fR
Unattended uninstallation. The user will not be prompted.
.SH "FILES"
.TP
Files that will be replaced if SSSD is configured (default):
/etc/sssd/sssd.conf
.TP
Files that will be replaced if they exist and SSSD is not configured (\-\-no\-sssd):
/etc/ldap.conf
.br
/etc/nss_ldap.conf
.br
/etc/libnss\-ldap.conf
.br
/etc/pam_ldap.conf
.br
/etc/nslcd.conf
.TP
Files replaced if NTP is enabled:
/etc/ntp.conf
.br
/etc/sysconfig/ntpd
.br
/etc/ntp/step\-tickers
.TP
Files always created (replacing existing content):
/etc/krb5.conf
.br
/etc/ipa/ca.crt
.br
/etc/ipa/default.conf
.br
/etc/ipa/nssdb
.br
/etc/openldap/ldap.conf
.TP
Files updated, existing content is maintained:
/etc/nsswitch.conf
.br
/etc/pki/nssdb
.br
/etc/krb5.keytab
.br
/etc/sysconfig/network
.SH "EXIT STATUS"
0 if the installation was successful
1 if an error occurred
2 if uninstalling and the client is not configured
3 if installing and the client is already configured
4 if an uninstall error occurred
.SH "SEE ALSO"
.BR ipa\-client\-automount(1),
.BR krb5.conf(5),
.BR sssd.conf(5)

147
client/man/ipa-getkeytab.1 Normal file
View File

@@ -0,0 +1,147 @@
.\" A man page for ipa-getkeytab
.\" Copyright (C) 2007 Red Hat, Inc.
.\"
.\" This program is free software; you can redistribute it and/or modify
.\" it under the terms of the GNU General Public License as published by
.\" the Free Software Foundation, either version 3 of the License, or
.\" (at your option) any later version.
.\"
.\" This program is distributed in the hope that it will be useful, but
.\" WITHOUT ANY WARRANTY; without even the implied warranty of
.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
.\" General Public License for more details.
.\"
.\" You should have received a copy of the GNU General Public License
.\" along with this program. If not, see <http://www.gnu.org/licenses/>.
.\"
.\" Author: Karl MacMillan <kmacmill@redhat.com>
.\" Author: Simo Sorce <ssorce@redhat.com>
.\"
.TH "ipa-getkeytab" "1" "Oct 10 2007" "FreeIPA" "FreeIPA Manual Pages"
.SH "NAME"
ipa\-getkeytab \- Get a keytab for a Kerberos principal
.SH "SYNOPSIS"
ipa\-getkeytab \fB\-p\fR \fIprincipal\-name\fR \fB\-k\fR \fIkeytab\-file\fR [ \fB\-e\fR \fIencryption\-types\fR ] [ \fB\-s\fR \fIipaserver\fR ] [ \fB\-q\fR ] [ \fB\-D\fR|\fB\-\-binddn\fR \fIBINDDN\fR ] [ \fB\-w|\-\-bindpw\fR ] [ \fB\-P\fR|\fB\-\-password\fR \fIPASSWORD\fR ] [ \fB\-r\fR ]
.SH "DESCRIPTION"
Retrieves a Kerberos \fIkeytab\fR.
Kerberos keytabs are used for services (like sshd) to
perform Kerberos authentication. A keytab is a file
with one or more secrets (or keys) for a Kerberos
principal.
A Kerberos service principal is a Kerberos identity
that can be used for authentication. Service principals
contain the name of the service, the hostname of the
server, and the realm name. For example, the following
is an example principal for an ldap server:
ldap/foo.example.com@EXAMPLE.COM
When using ipa\-getkeytab the realm name is already
provided, so the principal name is just the service
name and hostname (ldap/foo.example.com from the
example above).
\fBWARNING:\fR retrieving the keytab resets the secret for the Kerberos principal.
This renders all other keytabs for that principal invalid.
This is used during IPA client enrollment to retrieve a host service principal and store it in /etc/krb5.keytab. It is possible to retrieve the keytab without Kerberos credentials if the host was pre\-created with a one\-time password. The keytab can be retrieved by binding as the host and authenticating with this one\-time password. The \fB\-D|\-\-binddn\fR and \fB\-w|\-\-bindpw\fR options are used for this authentication.
.SH "OPTIONS"
.TP
\fB\-p principal\-name\fR
The non\-realm part of the full principal name.
.TP
\fB\-k keytab\-file\fR
The keytab file where to append the new key (will be
created if it does not exist).
.TP
\fB\-e encryption\-types\fR
The list of encryption types to use to generate keys.
ipa\-getkeytab will use local client defaults if not provided.
Valid values depend on the Kerberos library version and configuration.
Common values are:
aes256\-cts
aes128\-cts
des3\-hmac\-sha1
arcfour\-hmac
des\-hmac\-sha1
des\-cbc\-md5
des\-cbc\-crc
.TP
\fB\-s ipaserver\fR
The IPA server to retrieve the keytab from (FQDN). If this option is not
provided the server name is read from the IPA configuration file
(/etc/ipa/default.conf)
.TP
\fB\-q\fR
Quiet mode. Only errors are displayed.
.TP
\fB\-\-permitted\-enctypes\fR
This options returns a description of the permitted encryption types, like this:
Supported encryption types:
AES\-256 CTS mode with 96\-bit SHA\-1 HMAC
AES\-128 CTS mode with 96\-bit SHA\-1 HMAC
Triple DES cbc mode with HMAC/sha1
ArcFour with HMAC/md5
DES cbc mode with CRC\-32
DES cbc mode with RSA\-MD5
DES cbc mode with RSA\-MD4
.TP
\fB\-P, \-\-password\fR
Use this password for the key instead of one randomly generated.
.TP
\fB\-D, \-\-binddn\fR
The LDAP DN to bind as when retrieving a keytab without Kerberos credentials. Generally used with the \fB\-w\fR option.
.TP
\fB\-w, \-\-bindpw\fR
The LDAP password to use when not binding with Kerberos.
.TP
\fB\-r\fR
Retrieve mode. Retrieve an existing key from the server instead of generating a
new one. This is incompatibile with the \-\-password option, and will work only
against a FreeIPA server more recent than version 3.3. The user requesting the
keytab must have access to the keys for this operation to succeed.
.SH "EXAMPLES"
Add and retrieve a keytab for the NFS service principal on
the host foo.example.com and save it in the file /tmp/nfs.keytab and retrieve just the des\-cbc\-crc key.
# ipa\-getkeytab \-p nfs/foo.example.com \-k /tmp/nfs.keytab \-e des\-cbc\-crc
Add and retrieve a keytab for the ldap service principal on
the host foo.example.com and save it in the file /tmp/ldap.keytab.
# ipa\-getkeytab \-s ipaserver.example.com \-p ldap/foo.example.com \-k /tmp/ldap.keytab
Retrieve a keytab using LDAP credentials (this will typically be done by \fBipa\-join(1)\fR when enrolling a client using the \fBipa\-client\-install(1)\fR command:
# ipa\-getkeytab \-s ipaserver.example.com \-p host/foo.example.com \-k /etc/krb5.keytab \-D fqdn=foo.example.com,cn=computers,cn=accounts,dc=example,dc=com \-w password
.SH "EXIT STATUS"
The exit status is 0 on success, nonzero on error.
0 Success
1 Kerberos context initialization failed
2 Incorrect usage
3 Out of memory
4 Invalid service principal name
5 No Kerberos credentials cache
6 No Kerberos principal and no bind DN and password
7 Failed to open keytab
8 Failed to create key material
9 Setting keytab failed
10 Bind password required when using a bind DN
11 Failed to add key to keytab
12 Failed to close keytab

142
client/man/ipa-join.1 Normal file
View File

@@ -0,0 +1,142 @@
.\" A man page for ipa-join
.\" Copyright (C) 2009 Red Hat, Inc.
.\"
.\" This program is free software; you can redistribute it and/or modify
.\" it under the terms of the GNU General Public License as published by
.\" the Free Software Foundation, either version 3 of the License, or
.\" (at your option) any later version.
.\"
.\" This program is distributed in the hope that it will be useful, but
.\" WITHOUT ANY WARRANTY; without even the implied warranty of
.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
.\" General Public License for more details.
.\"
.\" You should have received a copy of the GNU General Public License
.\" along with this program. If not, see <http://www.gnu.org/licenses/>.
.\"
.\" Author: Rob Crittenden <rcritten@redhat.com>
.\"
.TH "ipa-join" "1" "Oct 8 2009" "FreeIPA" "FreeIPA Manual Pages"
.SH "NAME"
ipa\-join \- Join a machine to an IPA realm and get a keytab for the host service principal
.SH "SYNOPSIS"
ipa\-join [\fB\-d\fR|\fB\-\-debug\fR] [\fB\-q\fR|\fB\-\-quiet\fR] [\fB\-u\fR|\fB\-\-unenroll\fR] [\fB\-h\fR|\fB\-\-hostname\fR hostname] [\fB\-s\fR|\fB\-\-server\fR hostname] [\fB\-k\fR|\fB\-\-keytab\fR filename] [\fB\-w\fR|\fB\-\-bindpw\fR password] [\fB-b\fR|\-\-\fBbasedn basedn\fR] [\fB\-?\fR|\fB\-\-help\fR] [\fB\-\-usage\fR]
.SH "DESCRIPTION"
Joins a host to an IPA realm and retrieves a kerberos \fIkeytab\fR for the host service principal, or unenrolls an enrolled host from an IPA server.
Kerberos keytabs are used for services (like sshd) to perform kerberos authentication. A keytab is a file with one or more secrets (or keys) for a kerberos principal.
The ipa\-join command will create and retrieve a service principal for host/foo.example.com@EXAMPLE.COM and place it by default into /etc/krb5.keytab. The location can be overridden with the \-k option.
The IPA server to contact is set in /etc/ipa/default.conf by default and can be overridden using the \-s,\-\-server option.
In order to join the machine needs to be authenticated. This can happen in one of two ways:
* Authenticate using the current kerberos principal
* Provide a password to authenticate with
If a client host has already been joined to the IPA realm the ipa\-join command will fail. The host will need to be removed from the server using `ipa host\-del FQDN` in order to join the client to the realm.
This command is normally executed by the ipa\-client\-install command as part of the enrollment process.
The reverse is unenrollment. Unenrolling a host removes the Kerberos key on the IPA server. This prepares the host to be re\-enrolled. This uses the host principal stored in /etc/krb5.conf to authenticate to the IPA server to perform the unenrollment.
Please note, that while the ipa\-join option removes the client from the domain, it does not actually uninstall the client or properly remove all of the IPA\-related configuration. The only way to uninstall a client completely is to use ipa\-client\-install \-\-uninstall
(see
.BR ipa\-client\-install (1)).
.SH "OPTIONS"
.TP
\fB\-h,\-\-hostname hostname\fR
The hostname of this server (FQDN). By default of nodename from uname(2) is used.
.TP
\fB\-s,\-\-server server\fR
The hostname of the IPA server (FQDN). Note that by default there is no /etc/ipa/default.conf, in most cases it needs to be supplied.
.TP
\fB\-k,\-\-keytab keytab\-file\fR
The keytab file where to append the new key (will be created if it does not exist). Default: /etc/krb5.keytab
.TP
\fB\-w,\-\-bindpw password\fR
The password to use if not using Kerberos to authenticate. Use a password of this particular host (one time password created on IPA server)
.TP
\fB\-b,\-\-basedn basedn\fR
The basedn of the IPA server (of the form dc=example,dc=com). This is only needed when not using Kerberos to authenticate and anonymous binds are disallowed in the IPA LDAP server.
.TP
\fB\-f,\-\-force\fR
Force enrolling the host even if host entry exists.
.TP
\fB\-u,\-\-unenroll\fR
Unenroll this host from the IPA server. No keytab entry is removed in the process
(see
.BR ipa-rmkeytab (1)).
.TP
\fB\-q,\-\-quiet\fR
Quiet mode. Only errors are displayed.
.TP
\fB\-d,\-\-debug\fR
Print the raw XML-RPC output in GSSAPI mode.
.SH "EXAMPLES"
Join IPA domain and retrieve a keytab with kerberos credentials.
# kinit admin
# ipa\-join
Join IPA domain and retrieve a keytab using a one\-time password.
# ipa\-join \-w secret123
Join IPA domain and save the keytab in another location.
# ipa\-join \-k /tmp/host.keytab
.SH "EXIT STATUS"
The exit status is 0 on success, nonzero on error.
0 Success
1 Kerberos context initialization failed
2 Incorrect usage
3 Out of memory
4 Invalid service principal name
5 No Kerberos credentials cache
6 No Kerberos principal and no bind DN and password
7 Failed to open keytab
8 Failed to create key material
9 Setting keytab failed
10 Bind password required when using a bind DN
11 Failed to add key to keytab
12 Failed to close keytab
13 Host is already enrolled
14 LDAP failure
15 Incorrect bulk password
16 Host name must be fully\-qualified
17 XML\-RPC fault
18 Principal not found in host entry
19 Unable to generate Kerberos credentials cache
20 Unenrollment result not in XML\-RPC response
21 Failed to get default Kerberos realm
.SH "SEE ALSO"
.BR ipa-rmkeytab (1)
.BR ipa-client-install (1)

89
client/man/ipa-rmkeytab.1 Normal file
View File

@@ -0,0 +1,89 @@
.\" A man page for ipa-rmkeytab
.\" Copyright (C) 2009 Red Hat, Inc.
.\"
.\" This program is free software; you can redistribute it and/or modify
.\" it under the terms of the GNU General Public License as published by
.\" the Free Software Foundation, either version 3 of the License, or
.\" (at your option) any later version.
.\"
.\" This program is distributed in the hope that it will be useful, but
.\" WITHOUT ANY WARRANTY; without even the implied warranty of
.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
.\" General Public License for more details.
.\"
.\" You should have received a copy of the GNU General Public License
.\" along with this program. If not, see <http://www.gnu.org/licenses/>.
.\"
.\" Author: Rob Crittenden <rcritten@redhat.com>
.\"
.\"
.TH "ipa-rmkeytab" "1" "Oct 30 2009" "FreeIPA" "FreeIPA Manual Pages"
.SH "NAME"
ipa\-rmkeytab \- Remove a kerberos principal from a keytab
.SH "SYNOPSIS"
ipa\-rmkeytab [ \fB\-p\fR principal\-name ] [ \fB\-k\fR keytab\-file ] [ \fB\-r\fR realm ] [ \fB\-d\fR ]
.SH "DESCRIPTION"
Removes a kerberos principal from a \fIkeytab\fR.
Kerberos keytabs are used for services (like sshd) to
perform kerberos authentication. A keytab is a file
with one or more secrets (or keys) for a kerberos
principal.
A kerberos service principal is a kerberos identity
that can be used for authentication. Service principals
contain the name of the service, the hostname of the
server, and the realm name.
ipa\-rmkeytab provides two ways to remove principals.
A specific principal can be removed or all
principals for a given realm can be removed.
All encryption types and versions of a principal are removed.
The realm may be included when removing a specific principal but
it is not required.
\fBNOTE:\fR removing a principal from the keytab does not affect
the Kerberos principal stored in the IPA server. It merely removes
the entry from the local keytab.
.SH "OPTIONS"
.TP
\fB\-p principal\-name\fR
The non\-realm part of the full principal name.
.TP
\fB\-k keytab\-file\fR
The keytab file to remove the principal(s) from.
.TP
\fB\-r realm\fR
A realm to remove all principals for.
.TP
\fB\-d\fR
Debug mode. Additional information is displayed.
.SH "EXAMPLES"
Remove the NFS service principal on the host foo.example.com from /tmp/nfs.keytab.
# ipa\-rmkeytab \-p nfs/foo.example.com \-k /tmp/nfs.keytab
Remove the ldap service principal on the host foo.example.com from /etc/krb5.keytab.
# ipa\-rmkeytab \-p ldap/foo.example.com \-k /etc/krb5.keytab
Remove all principals for the realm EXAMPLE.COM.
# ipa\-rmkeytab \-r EXAMPLE.COM \-k /etc/krb5.keytab
.SH "EXIT STATUS"
The exit status is 0 on success, nonzero on error.
1 Kerberos initialization failed
2 Memory allocation error
3 Unable to open keytab
4 Unable to parse the principal name
5 Principal name or realm not found in keytab
6 Unable to remove principal from keytab

1
client/version.m4.in Normal file
View File

@@ -0,0 +1 @@
define([IPA_VERSION], [__VERSION__])