#! /usr/bin/python
#
# Authors: Sumit Bose <sbose@redhat.com>
# Based on ipa-server-install by Karl MacMillan <kmacmillan@mentalrootkit.com>
# and ipa-dns-install by Martin Nagy
#
# Copyright (C) 2011 Red Hat
# see file 'COPYING' for use and warranty information
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#

import os
import sys
import traceback

import krbV
import ldap

from ipaserver.plugins.ldap2 import ldap2
from ipaserver.install import adtrustinstance
from ipaserver.install.installutils import *
from ipaserver.install import installutils
from ipapython import version
from ipapython import ipautil, sysrestore
from ipalib import api, errors, util
from ipapython.config import IPAOptionParser
from ipapython.ipa_log_manager import *


def parse_options():
    """Parse the command line of ipa-adtrust-install.

    Returns:
        A ``(safe_options, options)`` pair.  *options* is the parsed option
        object.  *safe_options* is what ``IPAOptionParser.get_safe_opts``
        derives from it for logging; presumably the option flagged
        ``sensitive=True`` (the Directory Manager password) is masked in it --
        confirm against ipapython.config before logging anything else.
    """
    parser = IPAOptionParser(version=version.VERSION)

    # (flags, keyword arguments) for every option, in help-output order.
    option_specs = (
        (("-p", "--ds-password"),
         dict(dest="dm_password", sensitive=True,
              help="directory manager password")),
        (("-d", "--debug"),
         dict(dest="debug", action="store_true", default=False,
              help="print debugging information")),
        (("--ip-address",),
         dict(dest="ip_address", type="ip", ip_local=True,
              help="Master Server IP Address")),
        (("--netbios-name",),
         dict(dest="netbios_name",
              help="NetBIOS name of the IPA domain")),
        (("--no-msdcs",),
         dict(dest="no_msdcs", action="store_true", default=False,
              help="Do not create DNS service records "
                   "for Windows in managed DNS server")),
        (("-U", "--unattended"),
         dict(dest="unattended", action="store_true", default=False,
              help="unattended installation never prompts the user")),
    )
    for flags, kwargs in option_specs:
        parser.add_option(*flags, **kwargs)

    # Positional arguments are not used by this tool.
    options, _args = parser.parse_args()
    safe_options = parser.get_safe_opts(options)

    return safe_options, options


def netbios_name_error(name):
    """Tell the user that *name* is not an acceptable NetBIOS name.

    Prints the offending name followed by the rule a name must satisfy
    (at most 15 characters, uppercase ASCII letters and digits only).
    """
    lines = (
        "Illegal NetBIOS name [%s].\n" % name,
        "Up to 15 characters and only uppercase ASCII letter and digits are allowed.",
    )
    for line in lines:
        print(line)


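def read_netbios_name(netbios_default):
    """Interactively ask for the NetBIOS name of the IPA domain.

    Args:
        netbios_default: value offered in brackets at the prompt.  A falsy
            value means no usable default is known, and "EXAMPLE" is offered.

    Returns:
        The first entered name that adtrustinstance.check_netbios_name()
        accepts.  A rejected name is explained by netbios_name_error() and
        the question is asked again.
    """
    print("Enter the NetBIOS name for the IPA domain.")
    print("Only up to 15 uppercase ASCII letters and digits are allowed.")
    print("Example: EXAMPLE.")
    print("")
    print("")

    if not netbios_default:
        netbios_default = "EXAMPLE"

    # The original initialised netbios_name to "" before the loop; that
    # store was dead (the loop always overwrites it), so it is gone.
    while True:
        netbios_name = ipautil.user_input("NetBIOS domain name",
                                          netbios_default, allow_empty=False)
        print("")
        if adtrustinstance.check_netbios_name(netbios_name):
            return netbios_name

        netbios_name_error(netbios_name)

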
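def _print_intro():
    # Banner printed before any prompt.
    print("==============================================================================")
    print("This program will setup components needed to establish trust to AD domains for")
    print("the FreeIPA Server.")
    print("")
    print("This includes:")
    print(" * Configure Samba")
    print(" * Add trust related objects to FreeIPA LDAP server")
    #TODO:
    #print " * Add a SID to all users and Posix groups"
    print("")
    print("To accept the default shown in brackets, press the Enter key.")
    print("")


def _determine_ip_address(options, fstore):
    """Return the server address to advertise (as a string), or exit.

    Args:
        options: parsed command line; ``ip_address`` wins over resolving
            ``api.env.host``.
        fstore: the sysrestore.FileStore handed to read_ip_address().

    Leaves via sys.exit() when no usable address is available in an
    unattended run, or when an interactively entered address is rejected.
    """
    # Remember what was tried so the error message can name it.  The
    # original printed ``ip`` here, which is still unbound when the
    # --ip-address branch raises, and is None in the second handler below.
    attempted = None
    try:
        if options.ip_address:
            attempted = options.ip_address
            ip = ipautil.CheckedIPAddress(attempted, match_local=True)
        else:
            attempted = resolve_host(api.env.host)
            ip = attempted and ipautil.CheckedIPAddress(attempted, match_local=True)
    except Exception as e:
        print("Error: Invalid IP Address %s: %s" % (attempted, e))
        ip = None

    if not ip:
        if options.unattended:
            sys.exit("Unable to resolve IP address for host name")
        read_ip = read_ip_address(api.env.host, fstore)
        try:
            ip = ipautil.CheckedIPAddress(read_ip, match_local=True)
        except Exception as e:
            # Name the rejected input, not the (None) value of ``ip``.
            print("Error: Invalid IP Address %s: %s" % (read_ip, e))
            sys.exit("Aborting installation.")

    ip_address = str(ip)
    root_logger.debug("will use ip_address: %s\n", ip_address)
    return ip_address


def _determine_netbios_name(options):
    """Return the NetBIOS name to configure.

    A name given with --netbios-name is used as-is when it passes
    adtrustinstance.check_netbios_name(); otherwise one is derived from
    api.env.domain.  In attended mode the user is prompted whenever the
    name was derived or the given one was rejected; in unattended mode a
    rejected name aborts the run via sys.exit().
    """
    netbios_name = options.netbios_name or adtrustinstance.make_netbios_name(api.env.domain)

    if not adtrustinstance.check_netbios_name(netbios_name):
        if options.unattended:
            netbios_name_error(netbios_name)
            sys.exit("Aborting installation.")
        # Attended: tell the user why their own choice was rejected, then
        # forget the bad candidate so the prompt falls back to its default.
        if options.netbios_name:
            netbios_name_error(options.netbios_name)
        netbios_name = None

    if not options.unattended and (not netbios_name or not options.netbios_name):
        netbios_name = read_netbios_name(netbios_name)

    return netbios_name


def _print_post_install_notes():
    # Firewall guidance shown after a successful run; the second paragraph
    # asks the operator to keep AD domain controllers away from the IPA LDAP
    # ports, which is the one hardening step this tool cannot do itself.
    print("==============================================================================")
    print("Setup complete")
    print("")
    print("\tYou must make sure these network ports are open:")
    print("\t\tTCP Ports:")
    print("\t\t * 138: netbios-dgm")
    print("\t\t * 139: netbios-ssn")
    print("\t\t * 445: microsoft-ds")
    print("\t\tUDP Ports:")
    print("\t\t * 138: netbios-dgm")
    print("\t\t * 139: netbios-ssn")
    print("\t\t * 389: (C)LDAP")
    print("\t\t * 445: microsoft-ds")
    print("")
    print("\tAdditionally you have to make sure the FreeIPA LDAP server cannot reached")
    print("\tby any domain controller in the Active Directory domain by closing the")
    print("\tfollowing ports for these servers:")
    print("\t\tTCP Ports:")
    print("\t\t * 389, 636: LDAP/LDAPS")
    print("\tYou may want to choose to REJECT the network packets instead of DROPing them")
    print("\tto avoid timeouts on the AD domain controllers.")


def main():
    """Set up the AD trust components on this IPA server.

    Drives the whole installation: option parsing, privilege and
    configuration checks, address and NetBIOS name selection, the
    Directory Manager (or GSSAPI) LDAP connection, and finally
    ADTRUSTInstance.setup()/create_instance().

    Returns:
        0 on success.  Every failure path leaves through sys.exit() with a
        message, so a caller only ever sees 0 or SystemExit.
    """
    global fstore

    safe_options, options = parse_options()

    # Root is decided by the effective *user* id.  The original tested the
    # effective group id, which a non-root process with gid 0 also passes.
    if os.geteuid() != 0:
        sys.exit("Must be root to setup AD trusts on server")

    standard_logging_setup("/var/log/ipaserver-install.log",
                           debug=options.debug, filemode='a')
    print("\nThe log file for this installation can be found in /var/log/ipaserver-install.log")

    # Only safe_options (the parser's copy for logging, see sensitive=True
    # on -p in parse_options) goes to the log, never ``options`` itself.
    root_logger.debug('%s was invoked with options: %s', sys.argv[0], safe_options)
    root_logger.debug("missing options might be asked for interactively later\n")

    installutils.check_server_configuration()

    fstore = sysrestore.FileStore('/var/lib/ipa/sysrestore')

    _print_intro()

    # Check if samba packages are installed
    if not adtrustinstance.check_inst():
        sys.exit("Aborting installation.")

    # Initialize the ipalib api
    api.bootstrap(in_server=True, debug=options.debug)
    api.finalize()

    # An unattended run overwrites an existing IPA-generated smb.conf
    # without asking (unchanged behaviour); an attended run must confirm.
    if adtrustinstance.ipa_smb_conf_exists() and not options.unattended:
        print("IPA generated smb.conf detected.")
        if not ipautil.user_input("Overwrite smb.conf?", default=False,
                                  allow_empty=False):
            sys.exit("Aborting installation.")

    # Check we have a public IP that is associated with the hostname
    ip_address = _determine_ip_address(options, fstore)

    if not options.unattended:
        print("")
        print("The following operations may take some minutes to complete.")
        print("Please wait until the prompt is returned.")
        print("")

    # Create a Adtrust instance
    if options.unattended and not options.dm_password:
        sys.exit("\nIn unattended mode you need to provide at least the -p option")

    netbios_name = _determine_netbios_name(options)

    dm_password = options.dm_password or read_password("Directory Manager",
                                                       confirm=False, validate=False)
    smb = adtrustinstance.ADTRUSTInstance(fstore, dm_password)

    # try the connection: fail early on a wrong Directory Manager password
    # instead of half-way through the instance creation
    try:
        smb.ldap_connect()
        smb.ldap_disconnect()
    except ldap.INVALID_CREDENTIALS:
        sys.exit("Password is not valid!")

    if smb.dm_password:
        api.Backend.ldap2.connect(bind_dn="cn=Directory Manager",
                                  bind_pw=smb.dm_password)
    else:
        # See if our LDAP server is up and we can talk to it over GSSAPI
        ccache = krbV.default_context().default_ccache().name
        api.Backend.ldap2.connect(ccache)

    smb.setup(api.env.host, ip_address, api.env.realm, api.env.domain,
              netbios_name, options.no_msdcs)
    smb.create_instance()

    _print_post_install_notes()

    return 0

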
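# Script entry point.  Every failure leaves with a non-zero status so that a
# caller can tell a failed or cancelled run from a completed one; the
# original fell off the end (status 0) after "Installation cancelled." and
# after a RuntimeError or HostnameLocalhost.
try:
    sys.exit(main())
except SystemExit:
    # Keep whatever status main() or one of its helpers chose.
    raise
except KeyboardInterrupt:
    print("Installation cancelled.")
    sys.exit(1)
except RuntimeError as e:
    print(str(e))
    sys.exit(1)
except HostnameLocalhost:
    print("The hostname resolves to the localhost address (127.0.0.1/::1)")
    print("Please change your /etc/hosts file so that the hostname")
    print("resolves to the ip address of your network interface.")
    print("The KDC service does not listen on localhost")
    print("")
    print("Please fix your /etc/hosts file and restart the setup program")
    sys.exit(1)
except Exception as e:
    # The console only gets the message; the full traceback goes to the
    # debug log.  (The original looped with ``for str in ...``, shadowing
    # the builtin.)
    print("Unexpected error - see ipaserver-install.log for details:\n %s" % str(e))
    frames = traceback.format_tb(sys.exc_info()[2])
    root_logger.debug("\n".join([str(e)] + frames))
    sys.exit(1)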