mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2024-12-28 01:41:14 -06:00
2a2d63669d
Use ipaplatform.constants in every corner instead of importing other bits or calling some platform specific things, and remove most of the remaining hardcoded uid's. https://fedorahosted.org/freeipa/ticket/5343 Reviewed-By: David Kupka <dkupka@redhat.com>
205 lines
7.5 KiB
Python
Executable File
205 lines
7.5 KiB
Python
Executable File
#!/usr/bin/python2
|
|
|
|
from ipaserver import dcerpc
|
|
from ipaserver.install.installutils import is_ipa_configured, ScriptError
|
|
from ipapython import config, ipautil
|
|
from ipalib import api, errors
|
|
from ipapython.dn import DN
|
|
from ipalib.config import Env
|
|
from ipalib.constants import DEFAULT_CONFIG
|
|
from ipapython.ipautil import kinit_keytab
|
|
from ipaplatform.constants import constants
|
|
import sys
|
|
import os
|
|
import pwd
|
|
|
|
import six
|
|
import gssapi
|
|
|
|
if six.PY3:
|
|
unicode = str
|
|
|
|
def retrieve_keytab(api, ccache_name, oneway_keytab_name, oneway_principal):
|
|
getkeytab_args = ["/usr/sbin/ipa-getkeytab",
|
|
"-s", api.env.host,
|
|
"-p", oneway_principal,
|
|
"-k", oneway_keytab_name,
|
|
"-r"]
|
|
if os.path.isfile(oneway_keytab_name):
|
|
os.unlink(oneway_keytab_name)
|
|
|
|
ipautil.run(getkeytab_args, env={'KRB5CCNAME': ccache_name, 'LANG': 'C'},
|
|
raiseonerr=False)
|
|
# Make sure SSSD is able to read the keytab
|
|
try:
|
|
sssd = pwd.getpwnam(constants.SSSD_USER)
|
|
os.chown(oneway_keytab_name, sssd[2], sssd[3])
|
|
except KeyError as e:
|
|
# If user 'sssd' does not exist, we don't need to chown from root to sssd
|
|
# because it means SSSD does not run as sssd user
|
|
pass
|
|
|
|
|
|
def parse_options():
|
|
usage = "%prog <trusted domain name>\n"
|
|
parser = config.IPAOptionParser(usage=usage,
|
|
formatter=config.IPAFormatter())
|
|
|
|
parser.add_option("-d", "--debug", action="store_true", dest="debug",
|
|
help="Display debugging information")
|
|
|
|
options, args = parser.parse_args()
|
|
safe_options = parser.get_safe_opts(options)
|
|
|
|
return safe_options, options, args
|
|
|
|
|
|
if not is_ipa_configured():
|
|
# LSB status code 6: program is not configured
|
|
raise ScriptError("IPA is not configured " +
|
|
"(see man pages of ipa-server-install for help)", 6)
|
|
|
|
if not os.getegid() == 0:
|
|
# LSB status code 4: user had insufficient privilege
|
|
raise ScriptError("You must be root to run ipactl.", 4)
|
|
|
|
safe_options, options, args = parse_options()
|
|
|
|
if len(args) != 1:
|
|
# LSB status code 2: invalid or excess argument(s)
|
|
raise ScriptError("You must specify trusted domain name", 2)
|
|
|
|
trusted_domain = ipautil.fsdecode(args[0]).lower()
|
|
|
|
env = Env()
|
|
env._bootstrap(context='server', debug=options.debug, log=None)
|
|
env._finalize_core(**dict(DEFAULT_CONFIG))
|
|
|
|
# Initialize the API with the proper debug level
|
|
api.bootstrap(context='server', debug=env.debug, log=None)
|
|
api.finalize()
|
|
|
|
# Only import trust plugin after api is initialized or internal imports
|
|
# within the plugin will not work
|
|
from ipalib.plugins import trust
|
|
|
|
# We have to dance with two different credentials caches:
|
|
# ccache_name -- for cifs/ipa.master@IPA.REALM to communicate with LDAP
|
|
# oneway_ccache_name -- for IPA$@AD.REALM to communicate with AD DCs
|
|
#
|
|
# ccache_name may not exist, we'll have to initialize it from Samba's keytab
|
|
#
|
|
# oneway_ccache_name may not exist either but to initialize it, we need
|
|
# to check if oneway_keytab_name keytab exists and fetch it first otherwise.
|
|
#
|
|
# to fetch oneway_keytab_name keytab, we need to initialize ccache_name ccache first
|
|
# and retrieve our own NetBIOS domain name and use cifs/ipa.master@IPA.REALM to
|
|
# retrieve the keys to oneway_keytab_name.
|
|
|
|
keytab_name = '/etc/samba/samba.keytab'
|
|
|
|
principal = str('cifs/' + api.env.host)
|
|
|
|
oneway_ccache_name = '/var/run/ipa/krb5cc_oddjob_trusts_fetch'
|
|
ccache_name = '/var/run/ipa/krb5cc_oddjob_trusts'
|
|
|
|
# Standard sequence:
|
|
# - check if ccache exists
|
|
# - if not, initialize it from Samba's keytab
|
|
# - check if ccache contains valid TGT
|
|
# - if not, initialize it from Samba's keytab
|
|
# - refer the correct ccache object for further use
|
|
#
|
|
have_ccache = False
|
|
try:
|
|
cred = kinit_keytab(principal, keytab_name, ccache_name)
|
|
if cred.lifetime > 0:
|
|
have_ccache = True
|
|
except gssapi.exceptions.ExpiredCredentialsError:
|
|
pass
|
|
if not have_ccache:
|
|
# delete stale ccache and try again
|
|
if os.path.exists(oneway_ccache_name):
|
|
os.unlink(ccache_name)
|
|
cred = kinit_keytab(principal, keytab_name, ccache_name)
|
|
|
|
old_ccache = os.environ.get('KRB5CCNAME')
|
|
api.Backend.ldap2.connect(ccache_name)
|
|
|
|
# Retrieve own NetBIOS name and trusted forest's name.
|
|
# We use script's input to retrieve the trusted forest's name to sanitize input
|
|
# for file-level access as we might need to wipe out keytab in /var/lib/sss/keytabs
|
|
own_trust_dn = DN(('cn', api.env.domain),('cn','ad'), ('cn', 'etc'), api.env.basedn)
|
|
own_trust_entry = api.Backend.ldap2.get_entry(own_trust_dn, ['ipantflatname'])
|
|
own_trust_flatname = own_trust_entry.single_value.get('ipantflatname').upper()
|
|
trusted_domain_dn = DN(('cn', trusted_domain.lower()), api.env.container_adtrusts, api.env.basedn)
|
|
trusted_domain_entry = api.Backend.ldap2.get_entry(trusted_domain_dn, ['cn'])
|
|
trusted_domain = trusted_domain_entry.single_value.get('cn').lower()
|
|
|
|
# At this point if we didn't find trusted forest name, an exception will be raised
|
|
# and script will quit. This is actually intended.
|
|
|
|
oneway_keytab_name = '/var/lib/sss/keytabs/' + trusted_domain + '.keytab'
|
|
oneway_principal = str('%s$@%s' % (own_trust_flatname, trusted_domain.upper()))
|
|
|
|
# If keytab does not exist, retrieve it
|
|
if not os.path.isfile(oneway_keytab_name):
|
|
retrieve_keytab(api, ccache_name, oneway_keytab_name, oneway_principal)
|
|
|
|
try:
|
|
have_ccache = False
|
|
try:
|
|
# The keytab may have stale key material (from older trust-add run)
|
|
cred = kinit_keytab(oneway_principal, oneway_keytab_name, oneway_ccache_name)
|
|
if cred.lifetime > 0:
|
|
have_ccache = True
|
|
except gssapi.exceptions.ExpiredCredentialsError:
|
|
pass
|
|
if not have_ccache:
|
|
if os.path.exists(oneway_ccache_name):
|
|
os.unlink(oneway_ccache_name)
|
|
kinit_keytab(oneway_principal, oneway_keytab_name, oneway_ccache_name)
|
|
except gssapi.exceptions.GSSError:
|
|
# If there was failure on using keytab, assume it is stale and retrieve again
|
|
retrieve_keytab(api, ccache_name, oneway_keytab_name, oneway_principal)
|
|
if os.path.exists(oneway_ccache_name):
|
|
os.unlink(oneway_ccache_name)
|
|
kinit_keytab(oneway_principal, oneway_keytab_name, oneway_ccache_name)
|
|
|
|
# We are done: we have ccache with TDO credentials and can fetch domains
|
|
ipa_domain = api.env.domain
|
|
os.environ['KRB5CCNAME'] = oneway_ccache_name
|
|
domains = dcerpc.fetch_domains(api, ipa_domain, trusted_domain, creds=True)
|
|
|
|
if domains:
|
|
# trust range must exist by the time fetch_domains_from_trust is called
|
|
range_name = unicode(trusted_domain.upper() + '_id_range')
|
|
old_range = api.Command.idrange_show(range_name, raw=True)['result']
|
|
idrange_type = old_range['iparangetype'][0]
|
|
|
|
result = []
|
|
for dom in domains:
|
|
dom['trust_type'] = u'ad'
|
|
try:
|
|
name = dom['cn']
|
|
del dom['cn']
|
|
|
|
res = api.Command.trustdomain_add(trusted_domain, name, **dom)
|
|
result.append(res['result'])
|
|
|
|
if idrange_type != u'ipa-ad-trust-posix':
|
|
range_name = name.upper() + '_id_range'
|
|
dom['range_type'] = u'ipa-ad-trust'
|
|
# Do not pass ipaserver.dcerpc.TrustInstance to trust.add_range
|
|
# to force it using existing credentials cache
|
|
trust.add_range(api, None, range_name, dom['ipanttrusteddomainsid'],
|
|
trusted_domain, name, **dom)
|
|
except errors.DuplicateEntry:
|
|
# Ignore updating duplicate entries
|
|
pass
|
|
|
|
if old_ccache:
|
|
os.environ['KRB5CCNAME'] = old_ccache
|
|
|
|
sys.exit(0)
|