mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2024-12-27 09:21:59 -06:00
6518a600b4
In order to simplify the build process between upstream FreeIPA and downstream builds (such as CentOS Stream) we are changing some file references from FreeIPA to IPA (and Identity Management). https://pagure.io/freeipa/issue/8669 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
265 lines
9.2 KiB
Python
265 lines
9.2 KiB
Python
#!/usr/bin/python3
|
|
#
|
|
# Authors: Sumit Bose <sbose@redhat.com>
|
|
# Based on ipa-server-install by Karl MacMillan <kmacmillan@mentalrootkit.com>
|
|
# and ipa-dns-install by Martin Nagy
|
|
#
|
|
# Copyright (C) 2011 Red Hat
|
|
# see file 'COPYING' for use and warranty information
|
|
#
|
|
# This program is free software; you can redistribute it and/or modify
|
|
# it under the terms of the GNU General Public License as published by
|
|
# the Free Software Foundation, either version 3 of the License, or
|
|
# (at your option) any later version.
|
|
#
|
|
# This program is distributed in the hope that it will be useful,
|
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
# GNU General Public License for more details.
|
|
#
|
|
# You should have received a copy of the GNU General Public License
|
|
# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
|
#
|
|
|
|
from __future__ import print_function
|
|
|
|
import logging
|
|
import os
|
|
import sys
|
|
|
|
import six
|
|
|
|
from optparse import SUPPRESS_HELP # pylint: disable=deprecated-module
|
|
|
|
from ipalib.install import sysrestore
|
|
from ipaserver.install import adtrust, service
|
|
from ipaserver.install.installutils import (
|
|
read_password,
|
|
check_server_configuration,
|
|
run_script)
|
|
from ipapython.admintool import ScriptError
|
|
from ipapython import version
|
|
from ipapython import ipautil
|
|
from ipalib import api, errors, krb_utils
|
|
from ipapython.config import IPAOptionParser
|
|
from ipaplatform.paths import paths
|
|
from ipapython.ipa_log_manager import standard_logging_setup
|
|
|
|
if six.PY3:
|
|
unicode = str
|
|
|
|
logger = logging.getLogger(os.path.basename(__file__))
|
|
|
|
log_file_name = paths.IPASERVER_ADTRUST_INSTALL_LOG
|
|
|
|
|
|
def parse_options():
|
|
parser = IPAOptionParser(version=version.VERSION)
|
|
parser.add_option("-d", "--debug", dest="debug", action="store_true",
|
|
default=False, help="print debugging information")
|
|
parser.add_option("--netbios-name", dest="netbios_name",
|
|
help="NetBIOS name of the IPA domain")
|
|
|
|
# no-msdcs has not effect, option is here just for backward compatibility
|
|
parser.add_option("--no-msdcs", dest="no_msdcs", action="store_true",
|
|
default=False, help=SUPPRESS_HELP)
|
|
|
|
parser.add_option("--rid-base", dest="rid_base", type=int, default=1000,
|
|
help="Start value for mapping UIDs and GIDs to RIDs")
|
|
parser.add_option("--secondary-rid-base", dest="secondary_rid_base",
|
|
type=int, default=100000000,
|
|
help="Start value of the secondary range for mapping "
|
|
"UIDs and GIDs to RIDs")
|
|
parser.add_option("-U", "--unattended", dest="unattended",
|
|
action="store_true",
|
|
default=False,
|
|
help="unattended installation never prompts the user")
|
|
parser.add_option("-a", "--admin-password",
|
|
sensitive=True, dest="admin_password",
|
|
help="admin user kerberos password")
|
|
parser.add_option("-A", "--admin-name",
|
|
sensitive=True, dest="admin_name", default='admin',
|
|
help="admin user principal")
|
|
parser.add_option("--add-sids", dest="add_sids", action="store_true",
|
|
default=False, help="Add SIDs for existing users and"
|
|
" groups as the final step")
|
|
parser.add_option("--add-agents", dest="add_agents", action="store_true",
|
|
default=False,
|
|
help="Add IPA masters to a list of hosts allowed to "
|
|
"serve information about users from trusted forests")
|
|
parser.add_option("--enable-compat",
|
|
dest="enable_compat", default=False, action="store_true",
|
|
help="Enable support for trusted domains for old "
|
|
"clients")
|
|
|
|
options, _args = parser.parse_args()
|
|
safe_options = parser.get_safe_opts(options)
|
|
|
|
return safe_options, options
|
|
|
|
|
|
def read_admin_password(admin_name):
|
|
print("Configuring cross-realm trusts for IPA server requires password "
|
|
"for user '%s'." % (admin_name))
|
|
print("This user is a regular system account used for IPA server "
|
|
"administration.")
|
|
print("")
|
|
admin_password = read_password(admin_name, confirm=False, validate=None)
|
|
return admin_password
|
|
|
|
|
|
def ensure_admin_kinit(admin_name, admin_password):
|
|
try:
|
|
ipautil.run([paths.KINIT, admin_name], stdin=admin_password+'\n')
|
|
except ipautil.CalledProcessError:
|
|
print("There was error to automatically re-kinit your admin user "
|
|
"ticket.")
|
|
return False
|
|
return True
|
|
|
|
|
|
def main():
|
|
safe_options, options = parse_options()
|
|
|
|
if os.getegid() != 0:
|
|
raise ScriptError("Must be root to setup AD trusts on server")
|
|
|
|
standard_logging_setup(log_file_name, debug=options.debug, filemode='a')
|
|
print("\nThe log file for this installation can be found in %s"
|
|
% log_file_name)
|
|
|
|
logger.debug('%s was invoked with options: %s', sys.argv[0], safe_options)
|
|
logger.debug(
|
|
"missing options might be asked for interactively later\n")
|
|
logger.debug('IPA version %s', version.VENDOR_VERSION)
|
|
|
|
check_server_configuration()
|
|
|
|
fstore = sysrestore.FileStore(paths.SYSRESTORE)
|
|
|
|
print("================================================================"
|
|
"==============")
|
|
print("This program will setup components needed to establish trust to "
|
|
"AD domains for")
|
|
print("the IPA Server.")
|
|
print("")
|
|
print("This includes:")
|
|
print(" * Configure Samba")
|
|
print(" * Add trust related objects to IPA LDAP server")
|
|
# TODO:
|
|
# print " * Add a SID to all users and Posix groups"
|
|
print("")
|
|
print("To accept the default shown in brackets, press the Enter key.")
|
|
print("")
|
|
|
|
# Check if samba packages are installed
|
|
# the same check is in the adtrust module but we must fail first if the
|
|
# package is missing
|
|
adtrust.check_for_installed_deps()
|
|
|
|
# Initialize the ipalib api
|
|
api.bootstrap(
|
|
in_server=True,
|
|
debug=options.debug,
|
|
context='install',
|
|
confdir=paths.ETC_IPA
|
|
)
|
|
api.finalize()
|
|
|
|
admin_password = options.admin_password
|
|
if not (options.unattended or admin_password):
|
|
admin_password = read_admin_password(options.admin_name)
|
|
|
|
admin_kinited = None
|
|
if admin_password:
|
|
admin_kinited = ensure_admin_kinit(options.admin_name, admin_password)
|
|
if not admin_kinited:
|
|
print("Proceeding with credentials that existed before")
|
|
|
|
try:
|
|
principal = krb_utils.get_principal()
|
|
except errors.CCacheError as e:
|
|
raise ScriptError(
|
|
"Must have Kerberos credentials to setup AD trusts on server: "
|
|
"{err}".format(err=e))
|
|
|
|
try:
|
|
api.Backend.ldap2.connect()
|
|
except errors.ACIError:
|
|
raise ScriptError(
|
|
"Outdated Kerberos credentials. "
|
|
"Use kdestroy and kinit to update your ticket")
|
|
except errors.DatabaseError:
|
|
raise ScriptError(
|
|
"Cannot connect to the LDAP database. Please check if IPA "
|
|
"is running")
|
|
|
|
try:
|
|
user = api.Command.user_show(
|
|
principal.partition('@')[0].partition('/')[0])['result']
|
|
group = api.Command.group_show(u'admins')['result']
|
|
if not (user['uid'][0] in group['member_user'] and
|
|
group['cn'][0] in user['memberof_group']):
|
|
raise errors.RequirementError(name='admins group membership')
|
|
except errors.RequirementError as e:
|
|
raise ScriptError(
|
|
"Must have administrative privileges to setup AD trusts on server"
|
|
)
|
|
except Exception as e:
|
|
raise ScriptError(
|
|
"Unrecognized error during check of admin rights: %s" % e)
|
|
|
|
adtrust.install_check(True, options, api)
|
|
adtrust.install(True, options, fstore, api)
|
|
|
|
# Enable configured services and update DNS SRV records
|
|
service.sync_services_state(api.env.host)
|
|
|
|
dns_help = adtrust.generate_dns_service_records_help(api)
|
|
if dns_help:
|
|
for line in dns_help:
|
|
service.print_msg(line, sys.stdout)
|
|
else:
|
|
api.Command.dns_update_system_records()
|
|
|
|
print("""
|
|
=============================================================================
|
|
Setup complete
|
|
|
|
You must make sure these network ports are open:
|
|
\tTCP Ports:
|
|
\t * 135: epmap
|
|
\t * 138: netbios-dgm
|
|
\t * 139: netbios-ssn
|
|
\t * 445: microsoft-ds
|
|
\t * 1024..1300: epmap listener range
|
|
\t * 3268: msft-gc
|
|
\tUDP Ports:
|
|
\t * 138: netbios-dgm
|
|
\t * 139: netbios-ssn
|
|
\t * 389: (C)LDAP
|
|
\t * 445: microsoft-ds
|
|
|
|
See the ipa-adtrust-install(1) man page for more details
|
|
|
|
=============================================================================
|
|
""")
|
|
if admin_password:
|
|
admin_kinited = ensure_admin_kinit(options.admin_name, admin_password)
|
|
|
|
if not admin_kinited:
|
|
print("""
|
|
WARNING: you MUST re-kinit admin user before using 'ipa trust-*' commands
|
|
family in order to re-generate Kerberos tickets to include AD-specific
|
|
information""")
|
|
|
|
api.Backend.ldap2.disconnect()
|
|
|
|
return 0
|
|
|
|
if __name__ == '__main__':
|
|
run_script(
|
|
main,
|
|
log_file_name=log_file_name,
|
|
operation_name='ipa-adtrust-install')
|