mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2025-01-27 16:46:42 -06:00
391 lines
16 KiB
Python
391 lines
16 KiB
Python
#! /usr/bin/python -E
|
|
# Authors: Simo Sorce <ssorce@redhat.com>
|
|
# Karl MacMillan <kmacmillan@mentalrootkit.com>
|
|
#
|
|
# Copyright (C) 2007 Red Hat
|
|
# see file 'COPYING' for use and warranty information
|
|
#
|
|
# This program is free software; you can redistribute it and/or
|
|
# modify it under the terms of the GNU General Public License as
|
|
# published by the Free Software Foundation; version 2 only
|
|
#
|
|
# This program is distributed in the hope that it will be useful,
|
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
# GNU General Public License for more details.
|
|
#
|
|
# You should have received a copy of the GNU General Public License
|
|
# along with this program; if not, write to the Free Software
|
|
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
|
|
#
|
|
|
|
try:
|
|
import sys
|
|
|
|
import os
|
|
import krbV
|
|
import socket
|
|
import logging
|
|
from optparse import OptionParser
|
|
import ipaclient.ipadiscovery
|
|
import ipaclient.ipachangeconf
|
|
import ipaclient.ntpconf
|
|
from ipa.ipautil import run, user_input
|
|
from ipa import sysrestore
|
|
from ipa import version
|
|
except ImportError:
|
|
print >> sys.stderr, """\
|
|
There was a problem importing one of the required Python modules. The
|
|
error was:
|
|
|
|
%s
|
|
""" % sys.exc_value
|
|
sys.exit(1)
|
|
|
|
|
|
def parse_options():
|
|
parser = OptionParser(version=version.VERSION)
|
|
parser.add_option("--domain", dest="domain", help="domain name")
|
|
parser.add_option("--server", dest="server", help="IPA server")
|
|
parser.add_option("--realm", dest="realm_name", help="realm name")
|
|
parser.add_option("-f", "--force", dest="force", action="store_true",
|
|
default=False, help="force setting of ldap/kerberos conf")
|
|
parser.add_option("-d", "--debug", dest="debug", action="store_true",
|
|
default=False, help="print debugging information")
|
|
parser.add_option("-U", "--unattended", dest="unattended",
|
|
action="store_true",
|
|
help="unattended installation never prompts the user")
|
|
parser.add_option("--ntp-server", dest="ntp_server", help="ntp server to use")
|
|
parser.add_option("-N", "--no-ntp", action="store_false",
|
|
help="do not configure ntp", default=True, dest="conf_ntp")
|
|
parser.add_option("--on-master", dest="on_master", action="store_true",
|
|
help="use this option when run on a master", default=False)
|
|
parser.add_option("", "--uninstall", dest="uninstall", action="store_true",
|
|
default=False, help="uninstall an existing installation")
|
|
|
|
options, args = parser.parse_args()
|
|
|
|
if (options.server and not options.domain):
|
|
parser.error("--server cannot be used without providing --domain")
|
|
|
|
return options
|
|
|
|
def logging_setup(options):
|
|
# Always log everything (i.e., DEBUG) to the log
|
|
# file.
|
|
|
|
log_file = "/var/log/ipaclient-install.log"
|
|
if options.uninstall:
|
|
log_file = "/var/log/ipaclient-uninstall.log"
|
|
|
|
old_umask = os.umask(077)
|
|
logging.basicConfig(level=logging.DEBUG,
|
|
format='%(asctime)s %(levelname)s %(message)s',
|
|
filename=log_file,
|
|
filemode='w')
|
|
os.umask(old_umask)
|
|
|
|
console = logging.StreamHandler()
|
|
# If the debug option is set, also log debug messages to the console
|
|
if options.debug:
|
|
console.setLevel(logging.DEBUG)
|
|
else:
|
|
# Otherwise, log critical and error messages
|
|
console.setLevel(logging.ERROR)
|
|
formatter = logging.Formatter('%(name)-12s: %(levelname)-8s %(message)s')
|
|
console.setFormatter(formatter)
|
|
logging.getLogger('').addHandler(console)
|
|
|
|
def uninstall(options):
|
|
|
|
print "Restoring client configuration files"
|
|
fstore.restore_all_files()
|
|
|
|
print "Disabling client Kerberos and Ldap configurations"
|
|
try:
|
|
run(["/usr/sbin/authconfig", "--disableldap", "--disablekrb5", "--update"])
|
|
except Exception, e:
|
|
print "Failed to remove krb5/ldap configuration. " +str(e)
|
|
sys.exit(1)
|
|
|
|
try:
|
|
run(["/sbin/service", "nscd", "restart"])
|
|
except:
|
|
print "Failed to restart start the NSCD daemon"
|
|
|
|
if not options.unattended:
|
|
print "The original nsswitch.conf configuration has been restored."
|
|
print "You may need to restart services or reboot the machine."
|
|
if not options.on_master:
|
|
if user_input("Do you want to reboot the machine?", False):
|
|
try:
|
|
run(["/usr/bin/reboot"])
|
|
except Exception, e:
|
|
print "Reboot command failed to exceute. " + str(e)
|
|
sys.exit(1)
|
|
|
|
def main():
|
|
options = parse_options()
|
|
logging_setup(options)
|
|
dnsok = True
|
|
|
|
global fstore
|
|
fstore = sysrestore.FileStore('/var/lib/ipa-client/sysrestore')
|
|
|
|
if options.uninstall:
|
|
return uninstall(options)
|
|
|
|
cli_domain = None
|
|
cli_server = None
|
|
cli_realm = None
|
|
cli_basedn = None
|
|
|
|
# Create the discovery instance
|
|
ds = ipaclient.ipadiscovery.IPADiscovery()
|
|
|
|
ret = ds.search(domain=options.domain, server=options.server)
|
|
if ret == -10:
|
|
print "Can't get the fully qualified name of this host"
|
|
print "Please check that the client is properly configured"
|
|
return ret
|
|
if ret == -1 or not ds.getDomainName():
|
|
logging.debug("Domain not found")
|
|
if options.domain:
|
|
cli_domain = options.domain
|
|
elif options.unattended:
|
|
return ret
|
|
else:
|
|
print "DNS discovery failed to determine your DNS domain"
|
|
cli_domain = user_input("Please provide the domain name of your IPA server (ex: example.com)", allow_empty = False)
|
|
ret = ds.search(domain=cli_domain, server=options.server)
|
|
if not cli_domain:
|
|
if ds.getDomainName():
|
|
cli_domain = ds.getDomainName()
|
|
|
|
if ret == -2 or not ds.getServerName():
|
|
dnsok = False
|
|
logging.debug("IPA Server not found")
|
|
if options.server:
|
|
cli_server = options.server
|
|
elif options.unattended:
|
|
return ret
|
|
else:
|
|
print "DNS discovery failed to find the IPA Server"
|
|
cli_server = user_input("Please provide your IPA server name (ex: ipa.example.com)", allow_empty = False)
|
|
ret = ds.search(domain=cli_domain, server=cli_server)
|
|
if not cli_server:
|
|
if ds.getServerName():
|
|
cli_server = ds.getServerName()
|
|
|
|
if ret != 0:
|
|
print "Failed to verify that "+cli_server+" is an IPA Server."
|
|
print "This may mean that the remote server is not up or is not reachable"
|
|
print "due to network or firewall settings."
|
|
return ret
|
|
|
|
if dnsok:
|
|
print "Discovery was successful!"
|
|
elif not options.unattended:
|
|
print "\nThe failure to use DNS to find your IPA server indicates that your"
|
|
print "resolv.conf file is not properly configured.\n"
|
|
print "Autodiscovery of servers for failover cannot work with this configuration.\n"
|
|
print "If you proceed with the installation, services will be configured to always"
|
|
print "access the discovered server for all operation and will not fail over to"
|
|
print "other servers in case of failure.\n"
|
|
if not user_input("Do you want to proceed and configure the system with fixed values with no DNS discovery?", False):
|
|
return ret
|
|
|
|
if options.realm_name and options.realm_name != ds.getRealmName():
|
|
if not options.unattended:
|
|
print "ERROR: The provided realm name: ["+options.realm_name+"] does not match with the discovered one: ["+ds.getRealmName()+"]\n"
|
|
return -3
|
|
|
|
cli_realm = ds.getRealmName()
|
|
cli_basedn = ds.getBaseDN()
|
|
|
|
print "Realm: "+cli_realm
|
|
print "DNS Domain: "+cli_domain
|
|
print "IPA Server: "+cli_server
|
|
print "BaseDN: "+cli_basedn
|
|
|
|
print "\n"
|
|
if not options.unattended and not user_input("Continue to configure the system with these values?", False):
|
|
return 1
|
|
|
|
# Configure ipa.conf
|
|
if not options.on_master:
|
|
ipaconf = ipaclient.ipachangeconf.IPAChangeConf("IPA Installer")
|
|
ipaconf.setOptionAssignment(" = ")
|
|
ipaconf.setSectionNameDelimiters(("[","]"))
|
|
|
|
opts = [{'name':'comment', 'type':'comment', 'value':'File modified by ipa-client-install'},
|
|
{'name':'empty', 'type':'empty'}]
|
|
|
|
#[defaults]
|
|
defopts = [{'name':'server', 'type':'option', 'value':cli_server},
|
|
{'name':'realm', 'type':'option', 'value':cli_realm},
|
|
{'name':'domain', 'type':'option', 'value':cli_domain}]
|
|
|
|
opts.append({'name':'defaults', 'type':'section', 'value':defopts})
|
|
opts.append({'name':'empty', 'type':'empty'})
|
|
|
|
fstore.backup_file("/etc/ipa/ipa.conf")
|
|
ipaconf.newConf("/etc/ipa/ipa.conf", opts)
|
|
print "Created /etc/ipa/ipa.conf"
|
|
|
|
|
|
# Configure ldap.conf
|
|
ldapconf = ipaclient.ipachangeconf.IPAChangeConf("IPA Installer")
|
|
ldapconf.setOptionAssignment(" ")
|
|
|
|
opts = [{'name':'comment', 'type':'comment', 'value':'File modified by ipa-client-install'},
|
|
{'name':'empty', 'type':'empty'},
|
|
{'name':'ldap_version', 'type':'option', 'value':'3'},
|
|
{'name':'base', 'type':'option', 'value':cli_basedn},
|
|
{'name':'empty', 'type':'empty'},
|
|
{'name':'nss_base_passwd', 'type':'option', 'value':'cn=users,cn=accounts,'+cli_basedn+'?sub'},
|
|
{'name':'nss_base_group', 'type':'option', 'value':'cn=groups,cn=accounts,'+cli_basedn+'?sub'},
|
|
{'name':'nss_schema', 'type':'option', 'value':'rfc2307bis'},
|
|
{'name':'nss_map_attribute', 'type':'option', 'value':'uniqueMember member'},
|
|
{'name':'nss_initgroups_ignoreusers', 'type':'option', 'value':'root,dirsrv'},
|
|
{'name':'empty', 'type':'empty'},
|
|
{'name':'nss_reconnect_maxsleeptime', 'type':'option', 'value':'8'},
|
|
{'name':'nss_reconnect_sleeptime', 'type':'option', 'value':'1'},
|
|
{'name':'bind_timelimit', 'type':'option', 'value':'5'},
|
|
{'name':'timelimit', 'type':'option', 'value':'15'},
|
|
{'name':'empty', 'type':'empty'}]
|
|
if not dnsok or options.force or options.on_master:
|
|
if options.on_master:
|
|
opts.append({'name':'uri', 'type':'option', 'value':'ldap://localhost'})
|
|
else:
|
|
opts.append({'name':'uri', 'type':'option', 'value':'ldap://'+cli_server})
|
|
else:
|
|
opts.append({'name':'nss_srv_domain', 'type':'option', 'value':cli_domain})
|
|
|
|
opts.append({'name':'empty', 'type':'empty'})
|
|
try:
|
|
fstore.backup_file("/etc/ldap.conf")
|
|
ldapconf.newConf("/etc/ldap.conf", opts)
|
|
print "Configured /etc/ldap.conf"
|
|
except Exception, e:
|
|
print "Creation of /etc/ldap.conf: " + str(e)
|
|
return 1
|
|
|
|
#Check if kerberos is already configured properly
|
|
krbctx = krbV.default_context()
|
|
# If we find our domain assume we are properly configured
|
|
#(ex. we are configuring the client side of a Master)
|
|
if not options.on_master and (not krbctx.default_realm == cli_realm or options.force):
|
|
|
|
#Configure krb5.conf
|
|
krbconf = ipaclient.ipachangeconf.IPAChangeConf("IPA Installer")
|
|
krbconf.setOptionAssignment(" = ")
|
|
krbconf.setSectionNameDelimiters(("[","]"))
|
|
krbconf.setSubSectionDelimiters(("{","}"))
|
|
krbconf.setIndent((""," "," "))
|
|
|
|
opts = [{'name':'comment', 'type':'comment', 'value':'File modified by ipa-client-install'},
|
|
{'name':'empty', 'type':'empty'}]
|
|
|
|
#[libdefaults]
|
|
libopts = [{'name':'default_realm', 'type':'option', 'value':cli_realm}]
|
|
if dnsok and not options.force and not options.on_master:
|
|
libopts.append({'name':'dns_lookup_realm', 'type':'option', 'value':'true'})
|
|
libopts.append({'name':'dns_lookup_kdc', 'type':'option', 'value':'true'})
|
|
else:
|
|
libopts.append({'name':'dns_lookup_realm', 'type':'option', 'value':'false'})
|
|
libopts.append({'name':'dns_lookup_kdc', 'type':'option', 'value':'false'})
|
|
libopts.append({'name':'ticket_lifetime', 'type':'option', 'value':'24h'})
|
|
libopts.append({'name':'forwardable', 'type':'option', 'value':'yes'})
|
|
|
|
opts.append({'name':'libdefaults', 'type':'section', 'value':libopts})
|
|
opts.append({'name':'empty', 'type':'empty'})
|
|
|
|
#the following are necessary only if DNS discovery does not work
|
|
if not dnsok or options.force:
|
|
#[realms]
|
|
kropts =[{'name':'kdc', 'type':'option', 'value':cli_server+':88'},
|
|
{'name':'admin_server', 'type':'option', 'value':cli_server+':749'},
|
|
{'name':'default_domain', 'type':'option', 'value':cli_domain}]
|
|
ropts = [{'name':cli_realm, 'type':'subsection', 'value':kropts}]
|
|
opts.append({'name':'realms', 'type':'section', 'value':ropts})
|
|
opts.append({'name':'empty', 'type':'empty'})
|
|
|
|
#[domain_realm]
|
|
dropts = [{'name':'.'+cli_domain, 'type':'option', 'value':cli_realm},
|
|
{'name':cli_domain, 'type':'option', 'value':cli_realm}]
|
|
opts.append({'name':'domain_realm', 'type':'section', 'value':dropts})
|
|
opts.append({'name':'empty', 'type':'empty'})
|
|
|
|
#[appdefaults]
|
|
pamopts = [{'name':'debug', 'type':'option', 'value':'false'},
|
|
{'name':'ticket_lifetime', 'type':'option', 'value':'36000'},
|
|
{'name':'renew_lifetime', 'type':'option', 'value':'36000'},
|
|
{'name':'forwardable', 'type':'option', 'value':'true'},
|
|
{'name':'krb4_convert', 'type':'option', 'value':'false'}]
|
|
appopts = [{'name':'pam', 'type':'subsection', 'value':pamopts}]
|
|
opts.append({'name':'appdefaults', 'type':'section', 'value':appopts})
|
|
|
|
fstore.backup_file("/etc/krb5.conf")
|
|
krbconf.newConf("/etc/krb5.conf", opts);
|
|
print "Configured /etc/krb5.conf for IPA realm " + cli_realm
|
|
|
|
#Modify nsswitch to add nss_ldap
|
|
run(["/usr/sbin/authconfig", "--enableldap", "--update"])
|
|
print "LDAP enabled"
|
|
|
|
#Check nss_ldap is working properly
|
|
if not options.on_master:
|
|
try:
|
|
run(["getent", "passwd", "admin"])
|
|
except Exception, e:
|
|
print "nss_ldap is not able to use DNS discovery!"
|
|
print "Changing configuration to use hardcoded server name: " +cli_server
|
|
|
|
opts = [{'name':'uri', 'type':'option', 'action':'set', 'value':'ldap://'+cli_server},
|
|
{'name':'empty', 'type':'empty'}]
|
|
try:
|
|
ldapconf.changeConf("/etc/ldap.conf", opts)
|
|
except Exception, e:
|
|
print "Adding hardcoded server name to /etc/ldap.conf failed: " + str(e)
|
|
return 1
|
|
|
|
#Modify pam to add pam_krb5
|
|
run(["/usr/sbin/authconfig", "--enablekrb5", "--update"])
|
|
print "Kerberos 5 enabled"
|
|
|
|
if options.conf_ntp and not options.on_master:
|
|
if options.ntp_server:
|
|
ntp_server = options.ntp_server
|
|
else:
|
|
ntp_server = cli_server
|
|
ipaclient.ntpconf.config_ntp(ntp_server, fstore)
|
|
print "NTP enabled"
|
|
|
|
#Activate Name Server Caching Daemon
|
|
try:
|
|
run(["/sbin/service", "nscd", "restart"])
|
|
except:
|
|
print "Failed to start the NSCD daemon"
|
|
print "Caching of users/groups will not be available"
|
|
pass
|
|
|
|
try:
|
|
run(["/sbin/chkconfig", "nscd", "on"])
|
|
except:
|
|
print "Failed to configure automatic startup of the NSCD daemon"
|
|
print "Caching of users/groups will not be available after reboot"
|
|
pass
|
|
|
|
print "Client configuration complete."
|
|
|
|
return 0
|
|
|
|
try:
|
|
if __name__ == "__main__":
|
|
sys.exit(main())
|
|
except SystemExit, e:
|
|
sys.exit(e)
|
|
except KeyboardInterrupt:
|
|
sys.exit(1)
|