mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2024-12-26 00:41:25 -06:00
247 lines
9.0 KiB
Python
Executable File
247 lines
9.0 KiB
Python
Executable File
#! /usr/bin/python
|
|
#
|
|
# Authors: Sumit Bose <sbose@redhat.com>
|
|
# Based on ipa-server-install by Karl MacMillan <kmacmillan@mentalrootkit.com>
|
|
# and ipa-dns-install by Martin Nagy
|
|
#
|
|
# Copyright (C) 2011 Red Hat
|
|
# see file 'COPYING' for use and warranty information
|
|
#
|
|
# This program is free software; you can redistribute it and/or modify
|
|
# it under the terms of the GNU General Public License as published by
|
|
# the Free Software Foundation, either version 3 of the License, or
|
|
# (at your option) any later version.
|
|
#
|
|
# This program is distributed in the hope that it will be useful,
|
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
# GNU General Public License for more details.
|
|
#
|
|
# You should have received a copy of the GNU General Public License
|
|
# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
|
#
|
|
|
|
from ipaserver.plugins.ldap2 import ldap2
|
|
from ipaserver.install import adtrustinstance
|
|
from ipaserver.install.installutils import *
|
|
from ipaserver.install import installutils
|
|
from ipapython import version
|
|
from ipapython import ipautil, sysrestore
|
|
from ipalib import api, errors, util
|
|
from ipapython.config import IPAOptionParser
|
|
import krbV
|
|
import ldap
|
|
from ipapython.ipa_log_manager import *
|
|
|
|
log_file_name = "/var/log/ipaserver-install.log"
|
|
|
|
def parse_options():
|
|
parser = IPAOptionParser(version=version.VERSION)
|
|
parser.add_option("-p", "--ds-password", dest="dm_password",
|
|
sensitive=True, help="directory manager password")
|
|
parser.add_option("-d", "--debug", dest="debug", action="store_true",
|
|
default=False, help="print debugging information")
|
|
parser.add_option("--ip-address", dest="ip_address",
|
|
type="ip", ip_local=True, help="Master Server IP Address")
|
|
parser.add_option("--netbios-name", dest="netbios_name",
|
|
help="NetBIOS name of the IPA domain")
|
|
parser.add_option("--no-msdcs", dest="no_msdcs", action="store_true",
|
|
default=False, help="Do not create DNS service records " \
|
|
"for Windows in managed DNS server")
|
|
parser.add_option("-U", "--unattended", dest="unattended", action="store_true",
|
|
default=False, help="unattended installation never prompts the user")
|
|
|
|
options, args = parser.parse_args()
|
|
safe_options = parser.get_safe_opts(options)
|
|
|
|
return safe_options, options
|
|
|
|
def netbios_name_error(name):
|
|
print "Illegal NetBIOS name [%s].\n" % name
|
|
print "Up to 15 characters and only uppercase ASCII letter and digits are allowed."
|
|
|
|
def read_netbios_name(netbios_default):
|
|
netbios_name = ""
|
|
|
|
print "Enter the NetBIOS name for the IPA domain."
|
|
print "Only up to 15 uppercase ASCII letters and digits are allowed."
|
|
print "Example: EXAMPLE."
|
|
print ""
|
|
print ""
|
|
if not netbios_default:
|
|
netbios_default = "EXAMPLE"
|
|
while True:
|
|
netbios_name = ipautil.user_input("NetBIOS domain name", netbios_default, allow_empty = False)
|
|
print ""
|
|
if adtrustinstance.check_netbios_name(netbios_name):
|
|
break
|
|
|
|
netbios_name_error(netbios_name)
|
|
|
|
return netbios_name
|
|
|
|
def main():
|
|
safe_options, options = parse_options()
|
|
|
|
if os.getegid() != 0:
|
|
sys.exit("Must be root to setup AD trusts on server")
|
|
|
|
standard_logging_setup(log_file_name, debug=options.debug, filemode='a')
|
|
print "\nThe log file for this installation can be found in %s" % log_file_name
|
|
|
|
root_logger.debug('%s was invoked with options: %s' % (sys.argv[0], safe_options))
|
|
root_logger.debug("missing options might be asked for interactively later\n")
|
|
|
|
installutils.check_server_configuration()
|
|
|
|
global fstore
|
|
fstore = sysrestore.FileStore('/var/lib/ipa/sysrestore')
|
|
|
|
print "=============================================================================="
|
|
print "This program will setup components needed to establish trust to AD domains for"
|
|
print "the FreeIPA Server."
|
|
print ""
|
|
print "This includes:"
|
|
print " * Configure Samba"
|
|
print " * Add trust related objects to FreeIPA LDAP server"
|
|
#TODO:
|
|
#print " * Add a SID to all users and Posix groups"
|
|
print ""
|
|
print "To accept the default shown in brackets, press the Enter key."
|
|
print ""
|
|
|
|
# Check if samba packages are installed
|
|
if not adtrustinstance.check_inst():
|
|
sys.exit("Aborting installation.")
|
|
|
|
# Initialize the ipalib api
|
|
cfg = dict(
|
|
in_server=True,
|
|
debug=options.debug,
|
|
)
|
|
api.bootstrap(**cfg)
|
|
api.finalize()
|
|
|
|
if adtrustinstance.ipa_smb_conf_exists():
|
|
if not options.unattended:
|
|
while True:
|
|
print "IPA generated smb.conf detected."
|
|
if not ipautil.user_input("Overwrite smb.conf?", default = False, allow_empty = False):
|
|
sys.exit("Aborting installation.")
|
|
break
|
|
|
|
# Check we have a public IP that is associated with the hostname
|
|
ip = None
|
|
try:
|
|
hostaddr = resolve_host(api.env.host)
|
|
if len(hostaddr) > 1:
|
|
print >> sys.stderr, "The server hostname resolves to more than one address:"
|
|
for addr in hostaddr:
|
|
print >> sys.stderr, " %s" % addr
|
|
|
|
if options.ip_address:
|
|
if str(options.ip_address) not in hostaddr:
|
|
print >> sys.stderr, "Address passed in --ip-address did not match any resolved"
|
|
print >> sys.stderr, "address!"
|
|
sys.exit(1)
|
|
print "Selected IP address:", str(options.ip_address)
|
|
ip = options.ip_address
|
|
else:
|
|
if options.unattended:
|
|
print >> sys.stderr, "Please use --ip-address option to specify the address"
|
|
sys.exit(1)
|
|
else:
|
|
ip = read_ip_address(api.env.host, fstore)
|
|
else:
|
|
ip = hostaddr and ipautil.CheckedIPAddress(hostaddr[0], match_local=True)
|
|
except Exception, e:
|
|
print "Error: Invalid IP Address %s: %s" % (ip, e)
|
|
print "Aborting installation"
|
|
sys.exit(1)
|
|
|
|
ip_address = str(ip)
|
|
root_logger.debug("will use ip_address: %s\n", ip_address)
|
|
|
|
if not options.unattended:
|
|
print ""
|
|
print "The following operations may take some minutes to complete."
|
|
print "Please wait until the prompt is returned."
|
|
print ""
|
|
|
|
# Create a Adtrust instance
|
|
if options.unattended and not options.dm_password:
|
|
sys.exit("\nIn unattended mode you need to provide at least the -p option")
|
|
|
|
netbios_name = options.netbios_name
|
|
if not netbios_name:
|
|
netbios_name = adtrustinstance.make_netbios_name(api.env.domain)
|
|
|
|
if not adtrustinstance.check_netbios_name(netbios_name):
|
|
if options.unattended:
|
|
netbios_name_error(netbios_name)
|
|
sys.exit("Aborting installation.")
|
|
else:
|
|
netbios_name = None
|
|
if options.netbios_name:
|
|
netbios_name_error(options.netbios_name)
|
|
|
|
if not options.unattended and ( not netbios_name or not options.netbios_name):
|
|
netbios_name = read_netbios_name(netbios_name)
|
|
|
|
dm_password = options.dm_password or read_password("Directory Manager",
|
|
confirm=False, validate=False)
|
|
smb = adtrustinstance.ADTRUSTInstance(fstore, dm_password)
|
|
|
|
# try the connection
|
|
try:
|
|
smb.ldap_connect()
|
|
smb.ldap_disconnect()
|
|
except ldap.INVALID_CREDENTIALS, e:
|
|
sys.exit("Password is not valid!")
|
|
|
|
if smb.dm_password:
|
|
api.Backend.ldap2.connect(bind_dn="cn=Directory Manager", bind_pw=smb.dm_password)
|
|
else:
|
|
# See if our LDAP server is up and we can talk to it over GSSAPI
|
|
ccache = krbV.default_context().default_ccache().name
|
|
api.Backend.ldap2.connect(ccache)
|
|
|
|
smb.setup(api.env.host, ip_address, api.env.realm, api.env.domain,
|
|
netbios_name, options.no_msdcs)
|
|
smb.create_instance()
|
|
|
|
print """
|
|
=============================================================================
|
|
Setup complete
|
|
|
|
You must make sure these network ports are open:
|
|
\tTCP Ports:
|
|
\t * 138: netbios-dgm
|
|
\t * 139: netbios-ssn
|
|
\t * 445: microsoft-ds
|
|
\tUDP Ports:
|
|
\t * 138: netbios-dgm
|
|
\t * 139: netbios-ssn
|
|
\t * 389: (C)LDAP
|
|
\t * 445: microsoft-ds
|
|
|
|
Additionally you have to make sure the FreeIPA LDAP server is not reachable
|
|
by any domain controller in the Active Directory domain by closing down
|
|
the following ports for these servers:
|
|
\tTCP Ports:
|
|
\t * 389, 636: LDAP/LDAPS
|
|
|
|
You may want to choose to REJECT the network packets instead of DROPing
|
|
them to avoid timeouts on the AD domain controllers.
|
|
|
|
=============================================================================
|
|
WARNING: you MUST re-kinit admin user before using 'ipa trust-*' commands
|
|
family in order to re-generate Kerberos tickets to include AD-specific
|
|
information"""
|
|
|
|
return 0
|
|
|
|
if __name__ == '__main__':
|
|
installutils.run_script(main, log_file_name=log_file_name,
|
|
operation_name='ipa-adtrust-install')
|