mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2024-12-28 01:41:14 -06:00
bd0d858043
A high-level description of the design and ACIs for trusts is available at https://www.redhat.com/archives/freeipa-devel/2011-December/msg00224.html and https://www.redhat.com/archives/freeipa-devel/2011-December/msg00248.html Ticket #1731
426 lines
15 KiB
Python
426 lines
15 KiB
Python
# Authors: Sumit Bose <sbose@redhat.com>
|
|
#
|
|
# Copyright (C) 2011 Red Hat
|
|
# see file 'COPYING' for use and warranty information
|
|
#
|
|
# This program is free software; you can redistribute it and/or modify
|
|
# it under the terms of the GNU General Public License as published by
|
|
# the Free Software Foundation, either version 3 of the License, or
|
|
# (at your option) any later version.
|
|
#
|
|
# This program is distributed in the hope that it will be useful,
|
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
# GNU General Public License for more details.
|
|
#
|
|
# You should have received a copy of the GNU General Public License
|
|
# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
|
#
|
|
|
|
import os
|
|
import errno
|
|
import ldap
|
|
import tempfile
|
|
import uuid
|
|
from ipaserver import ipaldap
|
|
from ipaserver.install import installutils
|
|
from ipaserver.install import service
|
|
from ipaserver.install.dsinstance import realm_to_serverid
|
|
from ipaserver.install.bindinstance import get_rr, add_rr, del_rr, \
|
|
dns_zone_exists
|
|
from ipalib import errors, api
|
|
from ipapython import sysrestore
|
|
from ipapython import ipautil
|
|
from ipapython.ipa_log_manager import *
|
|
from ipapython import services as ipaservices
|
|
|
|
import string
|
|
import struct
|
|
|
|
ALLOWED_NETBIOS_CHARS = string.ascii_uppercase + string.digits
|
|
|
|
def check_inst():
|
|
for smbfile in ['/usr/sbin/smbd', '/usr/bin/net', '/usr/bin/smbpasswd']:
|
|
if not os.path.exists(smbfile):
|
|
print "%s was not found on this system" % file
|
|
print "Please install the 'samba' packages and " \
|
|
"start the installation again"
|
|
return False
|
|
|
|
#TODO: Add check for needed samba4 libraries
|
|
|
|
return True
|
|
|
|
def ipa_smb_conf_exists():
|
|
try:
|
|
conf_fd = open('/etc/samba/smb.conf', 'r')
|
|
except IOError, err:
|
|
if err.errno == errno.ENOENT:
|
|
return False
|
|
|
|
lines = conf_fd.readlines()
|
|
conf_fd.close()
|
|
for line in lines:
|
|
if line.startswith('### Added by IPA Installer ###'):
|
|
return True
|
|
return False
|
|
|
|
|
|
def check_netbios_name(s):
|
|
# NetBIOS names may not be longer than 15 allowed characters
|
|
if not s or len(s) > 15 or \
|
|
''.join([c for c in s if c not in ALLOWED_NETBIOS_CHARS]):
|
|
return False
|
|
|
|
return True
|
|
|
|
def make_netbios_name(s):
|
|
return ''.join([c for c in s.split('.')[0].upper() \
|
|
if c in ALLOWED_NETBIOS_CHARS])[:15]
|
|
|
|
class ADTRUSTInstance(service.Service):
|
|
|
|
ATTR_SID = "ipaNTSecurityIdentifier"
|
|
ATTR_FLAT_NAME = "ipaNTFlatName"
|
|
ATTR_GUID = "ipaNTDomainGUID"
|
|
OBJC_USER = "ipaNTUserAttrs"
|
|
OBJC_GROUP = "ipaNTGroupAttrs"
|
|
OBJC_DOMAIN = "ipaNTDomainAttrs"
|
|
|
|
def __init__(self, fstore=None, dm_password=None):
|
|
self.fqdn = None
|
|
self.ip_address = None
|
|
self.realm_name = None
|
|
self.domain_name = None
|
|
self.netbios_name = None
|
|
self.no_msdcs = None
|
|
self.smbd_user = None
|
|
self.suffix = None
|
|
self.ldapi_socket = None
|
|
self.smb_conf = None
|
|
self.smb_dn = None
|
|
self.smb_dn_pwd = None
|
|
self.trust_dn = None
|
|
self.smb_dom_dn = None
|
|
self.sub_dict = None
|
|
self.cifs_principal = None
|
|
self.cifs_agent = None
|
|
|
|
service.Service.__init__(self, "smb", dm_password=dm_password)
|
|
|
|
if fstore:
|
|
self.fstore = fstore
|
|
else:
|
|
self.fstore = sysrestore.FileStore('/var/lib/ipa/sysrestore')
|
|
|
|
def __gen_sid_string(self):
|
|
sub_ids = struct.unpack("<LLL", os.urandom(12))
|
|
return "S-1-5-21-%d-%d-%d" % (sub_ids[0], sub_ids[1], sub_ids[2])
|
|
|
|
def __add_admin_sids(self):
|
|
admin_dn = "uid=admin,cn=users,cn=accounts,%s" % self.suffix
|
|
admin_group_dn = "cn=admins,cn=groups,cn=accounts,%s" % self.suffix
|
|
|
|
try:
|
|
dom_entry = self.admin_conn.getEntry(self.smb_dom_dn, \
|
|
ldap.SCOPE_BASE)
|
|
except errors.NotFound:
|
|
print "Samba domain object not found"
|
|
return
|
|
|
|
dom_sid = dom_entry.getValue(self.ATTR_SID)
|
|
if not dom_sid:
|
|
print "Samba domain object does not have a SID"
|
|
return
|
|
|
|
try:
|
|
admin_entry = self.admin_conn.getEntry(admin_dn, ldap.SCOPE_BASE)
|
|
except:
|
|
print "IPA admin object not found"
|
|
return
|
|
|
|
try:
|
|
admin_group_entry = self.admin_conn.getEntry(admin_group_dn, \
|
|
ldap.SCOPE_BASE)
|
|
except:
|
|
print "IPA admin group object not found"
|
|
return
|
|
|
|
if admin_entry.getValue(self.ATTR_SID) or \
|
|
admin_group_entry.getValue(self.ATTR_SID):
|
|
print "Admin SID already set, nothing to do"
|
|
return
|
|
|
|
try:
|
|
self.admin_conn.modify_s(admin_dn, \
|
|
[(ldap.MOD_ADD, "objectclass", self.OBJC_USER), \
|
|
(ldap.MOD_ADD, self.ATTR_SID, dom_sid + "-500")])
|
|
except:
|
|
print "Failed to modify IPA admin object"
|
|
|
|
try:
|
|
self.admin_conn.modify_s(admin_group_dn, \
|
|
[(ldap.MOD_ADD, "objectclass", self.OBJC_GROUP), \
|
|
(ldap.MOD_ADD, self.ATTR_SID, dom_sid + "-512")])
|
|
except:
|
|
print "Failed to modify IPA admin group object"
|
|
|
|
def __create_samba_domain_object(self):
|
|
|
|
try:
|
|
self.admin_conn.getEntry(self.smb_dom_dn, ldap.SCOPE_BASE)
|
|
root_logger.info("Samba domain object already exists")
|
|
return
|
|
except errors.NotFound:
|
|
pass
|
|
|
|
for new_dn in (self.trust_dn, \
|
|
"cn=ad,"+self.trust_dn, \
|
|
"cn=ad,cn=etc,"+self.suffix):
|
|
try:
|
|
self.admin_conn.getEntry(new_dn, ldap.SCOPE_BASE)
|
|
except errors.NotFound:
|
|
entry = ipaldap.Entry(new_dn)
|
|
entry.setValues("objectclass", ["nsContainer"])
|
|
name = new_dn.split('=')[1].split(',')[0]
|
|
if not name:
|
|
print "Cannot extract RDN attribute value from [%s]" % \
|
|
new_dn
|
|
return
|
|
entry.setValues("cn", name)
|
|
self.admin_conn.addEntry(entry)
|
|
|
|
entry = ipaldap.Entry(self.smb_dom_dn)
|
|
entry.setValues("objectclass", [self.OBJC_DOMAIN, "nsContainer"])
|
|
entry.setValues("cn", self.domain_name)
|
|
entry.setValues(self.ATTR_FLAT_NAME, self.netbios_name)
|
|
entry.setValues(self.ATTR_SID, self.__gen_sid_string())
|
|
entry.setValues(self.ATTR_GUID, str(uuid.uuid4()))
|
|
#TODO: which MAY attributes do we want to set ?
|
|
self.admin_conn.addEntry(entry)
|
|
|
|
def __write_smb_conf(self):
|
|
self.fstore.backup_file(self.smb_conf)
|
|
|
|
conf_fd = open(self.smb_conf, "w")
|
|
conf_fd.write('### Added by IPA Installer ###\n')
|
|
conf_fd.write('[global]\n')
|
|
conf_fd.write('config backend = registry\n')
|
|
conf_fd.close()
|
|
|
|
def __add_cldap_module(self):
|
|
try:
|
|
self._ldap_mod("ipa-cldap-conf.ldif", self.sub_dict)
|
|
except:
|
|
pass
|
|
|
|
def __write_smb_registry(self):
|
|
template = os.path.join(ipautil.SHARE_DIR, "smb.conf.template")
|
|
conf = ipautil.template_file(template, self.sub_dict)
|
|
[tmp_fd, tmp_name] = tempfile.mkstemp()
|
|
os.write(tmp_fd, conf)
|
|
os.close(tmp_fd)
|
|
|
|
args = ["/usr/bin/net", "conf", "import", tmp_name]
|
|
|
|
try:
|
|
ipautil.run(args)
|
|
finally:
|
|
os.remove(tmp_name)
|
|
|
|
def __setup_principal(self):
|
|
try:
|
|
api.Command.service_add(unicode(self.cifs_principal))
|
|
# Add the principal to the 'adtrust agents' group
|
|
# as 389-ds only operates with GroupOfNames, we have to use
|
|
# the principal's proper dn as defined in self.cifs_agent
|
|
entry = self.admin_conn.getEntry(self.smb_dn, ldap.SCOPE_BASE)
|
|
current = ipaldap.Entry(self.smb_dn, entry.toDict())
|
|
if not('member' in current):
|
|
current['member'] = []
|
|
entry.setValues("member", current['member'] + [self.cifs_agent])
|
|
self.admin_conn.updateEntry(self.smb_dn, current, entry)
|
|
except Exception, e:
|
|
# CIFS principal already exists, it is not the first time adtrustinstance is managed
|
|
# That's fine, we we'll re-extract the key again.
|
|
pass
|
|
|
|
samba_keytab = "/etc/samba/samba.keytab"
|
|
if os.path.exists(samba_keytab):
|
|
try:
|
|
ipautil.run(["ipa-rmkeytab", "--principal", self.cifs_principal,
|
|
"-k", samba_keytab])
|
|
except ipautil.CalledProcessError, e:
|
|
if e.returncode != 5:
|
|
root_logger.critical("Failed to remove old key for %s" % self.cifs_principal)
|
|
|
|
try:
|
|
ipautil.run(["ipa-getkeytab", "--server", self.fqdn,
|
|
"--principal", self.cifs_principal,
|
|
"-k", samba_keytab])
|
|
except ipautil.CalledProcessError, e:
|
|
root_logger.critical("Failed to add key for %s" % self.cifs_principal)
|
|
|
|
def __add_dns_service_records(self):
|
|
"""
|
|
Add DNS service records for Windows if DNS is enabled and the DNS zone
|
|
is managed. If there are already service records for LDAP and Kerberos
|
|
their values are used. Otherwise default values are used.
|
|
"""
|
|
|
|
zone = self.domain_name
|
|
host = self.fqdn.split(".")[0]
|
|
|
|
ipa_srv_rec = (
|
|
("_ldap._tcp", ["0 100 389 %s" % host]),
|
|
("_kerberos._tcp", ["0 100 88 %s" % host]),
|
|
("_kerberos._udp", ["0 100 88 %s" % host])
|
|
)
|
|
win_srv_suffix = (".Default-First-Site-Name._sites.dc._msdcs",
|
|
".dc._msdcs")
|
|
|
|
err_msg = None
|
|
ret = api.Command['dns_is_enabled']()
|
|
if not ret['result']:
|
|
err_msg = "DNS management was not enabled at install time."
|
|
else:
|
|
if not dns_zone_exists(zone):
|
|
err_msg = "DNS zone %s cannot be managed " \
|
|
"as it is not defined in IPA" % zone
|
|
|
|
if err_msg:
|
|
print err_msg
|
|
print "Add the following service records to your DNS server " \
|
|
"for DNS zone %s: " % zone
|
|
for (srv, rdata) in ipa_srv_rec:
|
|
for suff in win_srv_suffix:
|
|
print " - %s%s" % (srv, suff)
|
|
return
|
|
|
|
for (srv, rdata) in ipa_srv_rec:
|
|
ipa_rdata = get_rr(zone, srv, "SRV")
|
|
if not ipa_rdata:
|
|
ipa_rdata = rdata
|
|
|
|
for suff in win_srv_suffix:
|
|
win_srv = srv+suff
|
|
win_rdata = get_rr(zone, win_srv, "SRV")
|
|
if win_rdata:
|
|
for rec in win_rdata:
|
|
del_rr(zone, win_srv, "SRV", rec)
|
|
for rec in ipa_rdata:
|
|
add_rr(zone, win_srv, "SRV", rec)
|
|
|
|
def __start(self):
|
|
try:
|
|
self.start()
|
|
except:
|
|
root_logger.critical("smbd service failed to start")
|
|
|
|
def __stop(self):
|
|
self.backup_state("running", self.is_running())
|
|
try:
|
|
self.stop()
|
|
except:
|
|
pass
|
|
|
|
def __restart_kdc(self):
|
|
try:
|
|
ipaservices.knownservices.krb5kdc.restart()
|
|
except:
|
|
pass
|
|
|
|
def __enable(self):
|
|
self.backup_state("enabled", self.is_enabled())
|
|
# We do not let the system start IPA components on its own,
|
|
# Instead we reply on the IPA init script to start only enabled
|
|
# components as found in our LDAP configuration tree
|
|
try:
|
|
self.ldap_enable('ADTRUST', self.fqdn, self.dm_password, \
|
|
self.suffix)
|
|
except (ldap.ALREADY_EXISTS, errors.DuplicateEntry), e:
|
|
root_logger.info("ADTRUST Service startup entry already exists.")
|
|
pass
|
|
|
|
def __setup_sub_dict(self):
|
|
self.sub_dict = dict(REALM = self.realm_name,
|
|
SUFFIX = self.suffix,
|
|
NETBIOS_NAME = self.netbios_name,
|
|
SMB_DN = self.smb_dn,
|
|
LDAPI_SOCKET = self.ldapi_socket,
|
|
FQDN = self.fqdn)
|
|
|
|
def setup(self, fqdn, ip_address, realm_name, domain_name, netbios_name,
|
|
no_msdcs=False, smbd_user="samba"):
|
|
self.fqdn = fqdn
|
|
self.ip_address = ip_address
|
|
self.realm_name = realm_name
|
|
self.domain_name = domain_name
|
|
self.netbios_name = netbios_name
|
|
self.no_msdcs = no_msdcs
|
|
self.smbd_user = smbd_user
|
|
self.suffix = ipautil.realm_to_suffix(self.realm_name)
|
|
self.ldapi_socket = "%%2fvar%%2frun%%2fslapd-%s.socket" % \
|
|
realm_to_serverid(self.realm_name)
|
|
|
|
self.smb_conf = "/etc/samba/smb.conf"
|
|
|
|
self.smb_dn = "cn=adtrust agents,cn=sysaccounts,cn=etc,%s" % self.suffix
|
|
|
|
self.trust_dn = "cn=trusts,%s" % self.suffix
|
|
self.smb_dom_dn = "cn=%s,cn=ad,cn=etc,%s" % (self.domain_name, \
|
|
self.suffix)
|
|
self.cifs_principal = "cifs/" + self.fqdn + "@" + self.realm_name
|
|
self.cifs_agent = "krbprincipalname=%s,cn=services,cn=accounts,%s" % \
|
|
(self.cifs_principal.lower(), self.suffix)
|
|
|
|
self.__setup_sub_dict()
|
|
|
|
|
|
def create_instance(self):
|
|
|
|
self.ldap_connect()
|
|
|
|
self.step("stopping smbd", self.__stop)
|
|
self.step("creating samba domain object", \
|
|
self.__create_samba_domain_object)
|
|
self.step("creating samba config registry", self.__write_smb_registry)
|
|
self.step("writing samba config file", self.__write_smb_conf)
|
|
self.step("adding cifs Kerberos principal", self.__setup_principal)
|
|
self.step("adding admin(group) SIDs", self.__add_admin_sids)
|
|
self.step("activating CLDAP plugin", self.__add_cldap_module)
|
|
self.step("configuring smbd to start on boot", self.__enable)
|
|
if not self.no_msdcs:
|
|
self.step("adding special DNS service records", \
|
|
self.__add_dns_service_records)
|
|
self.step("restarting KDC to take MS PAC changes into account", \
|
|
self.__restart_kdc)
|
|
self.step("starting smbd", self.__start)
|
|
|
|
self.start_creation("Configuring smbd:")
|
|
|
|
def uninstall(self):
|
|
if self.is_configured():
|
|
self.print_msg("Unconfiguring %s" % self.service_name)
|
|
|
|
running = self.restore_state("running")
|
|
enabled = self.restore_state("enabled")
|
|
|
|
try:
|
|
self.stop()
|
|
except:
|
|
pass
|
|
|
|
for r_file in [self.smb_conf]:
|
|
try:
|
|
self.fstore.restore_file(r_file)
|
|
except ValueError, error:
|
|
root_logger.debug(error)
|
|
pass
|
|
|
|
if not enabled is None and not enabled:
|
|
self.disable()
|
|
|
|
if not running is None and running:
|
|
self.start()
|