[Freeipa-devel] [PATCH] Add ipasam samba passdb backend

Sumit Bose sbose at redhat.com
Wed Nov 23 15:48:02 UTC 2011


Hi,

this set of patches basically adds a samba passdb backend for IPA which
can be built in the freeipa tree, plus the needed new objectclasses and
attributes, and enables the CLDAP service from Simo which is already
committed.

I compressed "Add-ipasam-samba-passdb-backend" to save some bandwidth.
The backend is based on the old IPA passdb backend from the samba tree
and various modified parts from the samba LDAP backend to make it work.
As a result there are parts of the code which are not very pretty,
but which will work as planned. I will start refactoring the code together
with fixing the first Coverity findings.

bye,
Sumit
-------------- next part --------------
From dac0ae3118475cabc3626a364474e430014f4749 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose at redhat.com>
Date: Mon, 7 Nov 2011 11:56:57 +0100
Subject: [PATCH 1/6] Move our own domain info into cn=etc

https://fedorahosted.org/freeipa/ticket/2001
---
 ipaserver/install/adtrustinstance.py |   26 +++++++++++++++++---------
 1 files changed, 17 insertions(+), 9 deletions(-)

diff --git a/ipaserver/install/adtrustinstance.py b/ipaserver/install/adtrustinstance.py
index ee50a43061e76bd9e8c6744bc66b13ce10802521..1216f6bd8cf44cb54eb152d69c5001c10628fb92 100644
--- a/ipaserver/install/adtrustinstance.py
+++ b/ipaserver/install/adtrustinstance.py
@@ -183,17 +183,24 @@ class ADTRUSTInstance(service.Service):
         except errors.NotFound:
             pass
 
-        try:
-            self.admin_conn.getEntry(self.trust_dn, ldap.SCOPE_BASE)
-        except errors.NotFound:
-            entry = ipaldap.Entry(self.trust_dn)
-            entry.setValues("objectclass", ["nsContainer"])
-            entry.setValues("cn", "trusts")
-            self.admin_conn.add_s(entry)
+        for new_dn in (self.trust_dn, \
+                       "cn=ad,"+self.trust_dn, \
+                       "cn=ad,cn=etc,"+self.suffix):
+            try:
+                self.admin_conn.getEntry(dn, ldap.SCOPE_BASE)
+            except errors.NotFound:
+                entry = ipaldap.Entry(dn)
+                entry.setValues("objectclass", ["nsContainer"])
+                name = dn.split('=')[1].split(',')[0]
+                if not name:
+                    print "Cannot extract RDN attribute value from [%s]" % dn
+                    return
+                entry.setValues("cn", name)
+                self.admin_conn.add_s(entry)
 
         entry = ipaldap.Entry(self.smb_dom_dn)
         entry.setValues("objectclass", ["sambaDomain", "nsContainer"])
-        entry.setValues("cn", "ad")
+        entry.setValues("cn", self.domain_name)
         entry.setValues("sambaDomainName", self.netbios_name)
         entry.setValues("sambaSID", self.__gen_sid_string())
         #TODO: which MAY attributes do we want to set ?
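Review bot: The loop at `for new_dn in (...)` binds `new_dn`, but the body uses `dn` in the getEntry, Entry, split and print calls, so the first iteration raises NameError (or picks up a stale module-level `dn` if one exists). The four references should read `new_dn`, e.g. `self.admin_conn.getEntry(new_dn, ldap.SCOPE_BASE)` and `entry = ipaldap.Entry(new_dn)`; patch 4/6 of this series appears to correct exactly this. Note also that the `if not name` branch prints and returns, which silently skips the domain-object creation that follows without signalling failure to the caller. The enclosing method starts before the hunk.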
@@ -346,7 +353,8 @@ class ADTRUSTInstance(service.Service):
         self.smb_dn_pwd = ipautil.ipa_generate_password()
 
         self.trust_dn = "cn=trusts,%s" % self.suffix
-        self.smb_dom_dn = "cn=ad,%s" % self.trust_dn
+        self.smb_dom_dn = "cn=%s,cn=ad,cn=etc,%s" % (self.domain_name, \
+                                                     self.suffix)
 
         self.__setup_sub_dict()
 
-- 
1.7.6

-------------- next part --------------
From be3cea4a6bf16d1a623694fe5315821eefd1c94b Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose at redhat.com>
Date: Wed, 9 Nov 2011 16:38:10 +0100
Subject: [PATCH 2/6] Add trust objectclass and attributes to v3 schema

---
 install/share/60basev3.ldif |   11 +++++++++++
 1 files changed, 11 insertions(+), 0 deletions(-)

diff --git a/install/share/60basev3.ldif b/install/share/60basev3.ldif
index f518541586b2df9ed08718098a7f170563aa4e1d..6db644addf298216e2b85dc68b616e8351457cf5 100644
--- a/install/share/60basev3.ldif
+++ b/install/share/60basev3.ldif
@@ -14,7 +14,18 @@ attributeTypes: (2.16.840.1.113730.3.8.11.7 NAME 'ipaNTProfilePath' DESC 'User P
 attributeTypes: (2.16.840.1.113730.3.8.11.8 NAME 'ipaNTHomeDirectory' DESC 'User Home Directory Path' EQUALITY caseIgnoreMatch OREDRING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'IPA v3' )
 attributeTypes: (2.16.840.1.113730.3.8.11.9 NAME 'ipaNTHomeDirectoryDrive' DESC 'User Home Drive Letter' EQUALITY caseIgnoreMatch OREDRING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'IPA v3' )
 attributeTypes: (2.16.840.1.113730.3.8.11.10 NAME 'ipaNTDomainGUID' DESC 'NT Domain GUID' EQUALITY caseIgnoreIA5Match OREDRING caseIgnoreIA5OrderingMatch SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE X-ORIGIN 'IPA v3' )
+attributeTypes: ( 2.16.840.1.113730.3.8.11.11 NAME 'ipaNTTrustType' DESC 'Type of trust' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+attributeTypes: ( 2.16.840.1.113730.3.8.11.12 NAME 'ipaNTTrustAttributes' DESC 'Trust attributes for a trusted domain' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+attributeTypes: ( 2.16.840.1.113730.3.8.11.13 NAME 'ipaNTTrustDirection' DESC 'Direction of a trust' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+attributeTypes: ( 2.16.840.1.113730.3.8.11.14 NAME 'ipaNTTrustPartner' DESC 'Fully qualified name of the domain with which a trust exists' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} )
+attributeTypes: ( 2.16.840.1.113730.3.8.11.15 NAME 'ipaNTTrustAuthOutgoing' DESC 'Authentication information for the outgoing portion of a trust' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
+attributeTypes: ( 2.16.840.1.113730.3.8.11.16 NAME 'ipaNTTrustAuthIncoming' DESC 'Authentication information for the incoming portion of a trust' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
+attributeTypes: ( 2.16.840.1.113730.3.8.11.17 NAME 'ipaNTTrustForestTrustInfo' DESC 'Forest trust information for a trusted domain object' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
+attributeTypes: ( 2.16.840.1.113730.3.8.11.18 NAME 'ipaNTTrustPosixOffset' DESC 'POSIX offset of a trust' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+attributeTypes: ( 2.16.840.1.113730.3.8.11.19 NAME 'ipaNTSupportedEncryptionTypes' DESC 'Supported encryption types of a trust' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
 objectClasses: (2.16.840.1.113730.3.8.12.1 NAME 'ipaExternalGroup' SUP top STRUCTURAL MUST ( cn ) MAY ( ipaExternalMember $ memberOf $ description $ owner) X-ORIGIN 'IPA v3' )
 objectClasses: (2.16.840.1.113730.3.8.12.2 NAME 'ipaNTUserAttrs' SUP top AUXILIARY MUST ( ipaNTSecurityIdentifier ) MAY ( ipaNTHash $ ipaNTLogonScript $ ipaNTProfilePath $ ipaNTHomeDirectory $ ipaNTHomeDirectoryDrive ) X-ORIGIN 'IPA v3' )
 objectClasses: (2.16.840.1.113730.3.8.12.3 NAME 'ipaNTGroupAttrs' SUP top AUXILIARY MUST ( ipaNTSecurityIdentifier ) X-ORIGIN 'IPA v3' )
 objectClasses: (2.16.840.1.113730.3.8.12.4 NAME 'ipaNTDomainAttrs' SUP top AUXILIARY MUST ( ipaNTSecurityIdentifier $ ipaNTFlatName $ ipaNTDomainGUID ) MAY ( ipaNTFallbackPrimaryGroup ) X-ORIGIN 'IPA v3' )
+objectClasses: (2.16.840.1.113730.3.8.12.5 NAME 'ipaNTTrustedDomain' SUP top STRUCTURAL DESC 'Trusted Domain Object' MUST ( cn ) MAY ( ipaNTTrustType $ ipaNTTrustAttributes $ ipaNTTrustDirection $ ipaNTTrustPartner $ ipaNTFlatName $ ipaNTTrustAuthOutgoing $ ipaNTTrustAuthIncoming $ ipaNTSecurityIdentifier $ ipaNTTrustForestTrustInfo $ ipaNTTrustPosixOffset $ ipaNTSupportedEncryptionTypes) )
+
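Review bot: The nine new attributeTypes and the ipaNTTrustedDomain objectClass omit the `X-ORIGIN 'IPA v3'` tag that every surrounding definition carries, and the objectClass places DESC after STRUCTURAL rather than before the kind as the attributeTypes do; for consistency append `X-ORIGIN 'IPA v3'` to each new definition. More importantly, ipaNTTrustAuthOutgoing and ipaNTTrustAuthIncoming are described as authentication information for a trust and will therefore hold secret material, yet nothing in this patch says which ACIs restrict reading them; unless the tree's default ACIs already deny read on these attribute names (not visible here), they need the same read protection as ipaNTHash. A short `#` comment above the two definitions noting that they are secret-bearing and must be covered by a read-deny ACI would help later reviewers.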
-- 
1.7.6

-------------- next part --------------
From 6af8a4054e5c1e0c06897807a5c8420ed8870c90 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose at redhat.com>
Date: Mon, 7 Nov 2011 12:48:10 +0100
Subject: [PATCH 3/6] Use new objectclasses and attributes for trust

---
 ipaserver/install/adtrustinstance.py |   46 +++++++++++++++++++++++----------
 1 files changed, 32 insertions(+), 14 deletions(-)

diff --git a/ipaserver/install/adtrustinstance.py b/ipaserver/install/adtrustinstance.py
index 1216f6bd8cf44cb54eb152d69c5001c10628fb92..78b319fb8f4d793879a41395558d14f72c225647 100644
--- a/ipaserver/install/adtrustinstance.py
+++ b/ipaserver/install/adtrustinstance.py
@@ -22,7 +22,7 @@ import errno
 import ldap
 import service
 import tempfile
-import installutils
+import uuid
 from ipaserver import ipaldap
 from ipaserver.install.dsinstance import realm_to_serverid
 from ipaserver.install.bindinstance import get_rr, add_rr, del_rr, \
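Review bot: `import installutils` is dropped here while `import uuid` is added; if any remaining code in adtrustinstance.py still references `installutils`, this hunk leaves that name undefined at call time. Patch 4/6 in this series re-introduces it as `from ipaserver.install import installutils`, which suggests the module is still used; keeping the import in this patch (or switching to the package-qualified form here) would keep each commit self-consistent.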
@@ -75,6 +75,14 @@ def make_netbios_name(s):
     return ''.join([c for c in s.split('.')[0].upper() if c in allowed_netbios_chars])[:15]
 
 class ADTRUSTInstance(service.Service):
+
+    ATTR_SID = "ipaNTSecurityIdentifier"
+    ATTR_FLAT_NAME = "ipaNTFlatName"
+    ATTR_GUID = "ipaNTDomainGUID"
+    OBJC_USER = "ipaNTUserAttrs"
+    OBJC_GROUP = "ipaNTGroupAttrs"
+    OBJC_DOMAIN = "ipaNTDomainAttrs"
+
     def __init__(self, fstore=None, dm_password=None):
         service.Service.__init__(self, "smb", dm_password=dm_password)
 
@@ -107,13 +115,22 @@ class ADTRUSTInstance(service.Service):
         # Also the premission to create trusted domain objects below the
         # domain object is granted.
         mod = [(ldap.MOD_ADD, 'aci',
-            str('(targetattr = "sambaNTPassword")' \
+            str('(targetattr = "ipaNTHash")' \
                 '(version 3.0; acl "Samba user can read NT passwords";' \
                 'allow (read) userdn="ldap:///%s";)' % self.smb_dn)),
                (ldap.MOD_ADD, 'aci',
             str('(target = "ldap:///cn=ad,cn=trusts,%s")' \
-                '(targetattr = "sambaTrustType || sambaTrustAttributes || sambaTrustDirection || sambaTrustPartner || sambaFlatName || sambaTrustAuthOutgoing || sambaTrustAuthIncoming || sambaSecurityIdentifier || sambaTrustForestTrustInfo || sambaTrustPosixOffset || sambaSupportedEncryptionTypes")' \
-                '(version 3.0;acl "Allow samba user to create and delete trust accounts";' \
+                '(targetattr = "ipaNTTrustType || ipaNTTrustAttributes || ' \
+                               'ipaNTTrustDirection || ' \
+                               'ipaNTTrustPartner || ipaNTFlatName || ' \
+                               'ipaNTTrustAuthOutgoing || ' \
+                               'ipaNTTrustAuthIncoming || ' \
+                               'ipaNTSecurityIdentifier || ' \
+                               'ipaNTTrustForestTrustInfo || ' \
+                               'ipaNTTrustPosixOffset || ' \
+                               'ipaNTSupportedEncryptionTypes")' \
+                '(version 3.0;acl "Allow samba user to create and delete ' \
+                                  'trust accounts";' \
                 'allow (write,add,delete) userdn = "ldap:///%s";)' % \
                  (self.suffix, self.smb_dn)))]
 
@@ -137,7 +154,7 @@ class ADTRUSTInstance(service.Service):
             print "Samba domain object not found"
             return
 
-        dom_sid = dom_entry.getValue("sambaSID")
+        dom_sid = dom_entry.getValue(self.ATTR_SID)
         if not dom_sid:
             print "Samba domain object does not have a SID"
             return
@@ -155,22 +172,22 @@ class ADTRUSTInstance(service.Service):
             print "IPA admin group object not found"
             return
 
-        if admin_entry.getValue("sambaSID") or \
-           admin_group_entry.getValue("sambaSID"):
+        if admin_entry.getValue(self.ATTR_SID) or \
+           admin_group_entry.getValue(self.ATTR_SID):
             print "Admin SID already set, nothing to do"
             return
 
         try:
             self.admin_conn.modify_s(admin_dn, \
-                        [(ldap.MOD_ADD, "objectclass", "sambaSamAccount"), \
-                         (ldap.MOD_ADD, "sambaSID", dom_sid + "-500")])
+                        [(ldap.MOD_ADD, "objectclass", self.OBJC_USER), \
+                         (ldap.MOD_ADD, self.ATTR_SID, dom_sid + "-500")])
         except:
             print "Failed to modify IPA admin object"
 
         try:
             self.admin_conn.modify_s(admin_group_dn, \
-                        [(ldap.MOD_ADD, "objectclass", "sambaSidEntry"), \
-                         (ldap.MOD_ADD, "sambaSID", dom_sid + "-512")])
+                        [(ldap.MOD_ADD, "objectclass", self.OBJC_GROUP), \
+                         (ldap.MOD_ADD, self.ATTR_SID, dom_sid + "-512")])
         except:
             print "Failed to modify IPA admin group object"
 
@@ -199,10 +216,11 @@ class ADTRUSTInstance(service.Service):
                 self.admin_conn.add_s(entry)
 
         entry = ipaldap.Entry(self.smb_dom_dn)
-        entry.setValues("objectclass", ["sambaDomain", "nsContainer"])
+        entry.setValues("objectclass", [self.OBJC_DOMAIN, "nsContainer"])
         entry.setValues("cn", self.domain_name)
-        entry.setValues("sambaDomainName", self.netbios_name)
-        entry.setValues("sambaSID", self.__gen_sid_string())
+        entry.setValues(self.ATTR_FLAT_NAME, self.netbios_name)
+        entry.setValues(self.ATTR_SID, self.__gen_sid_string())
+        entry.setValues(self.ATTR_GUID, str(uuid.uuid4()))
         #TODO: which MAY attributes do we want to set ?
         self.admin_conn.add_s(entry)
 
-- 
1.7.6

-------------- next part --------------
From ec8f6e42db0ddf172aea48a364278ff2cf277458 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose at redhat.com>
Date: Mon, 7 Nov 2011 12:59:20 +0100
Subject: [PATCH 4/6] Fix some pylint warnings

---
 install/tools/ipa-adtrust-install    |    2 +-
 ipaserver/install/adtrustinstance.py |  103 +++++++++++++++++++++------------
 2 files changed, 66 insertions(+), 39 deletions(-)

diff --git a/install/tools/ipa-adtrust-install b/install/tools/ipa-adtrust-install
index 87fecbfb4834d65fdccc3f8536a5665ba75e48a5..c6fd3478a28697301cac317dff1bbf25c6d865ce 100755
--- a/install/tools/ipa-adtrust-install
+++ b/install/tools/ipa-adtrust-install
@@ -111,7 +111,7 @@ def main():
     print ""
 
     # Check if samba packages are installed
-    if not adtrustinstance.check_inst(options.unattended):
+    if not adtrustinstance.check_inst():
         sys.exit("Aborting installation.")
 
     # Initialize the ipalib api
diff --git a/ipaserver/install/adtrustinstance.py b/ipaserver/install/adtrustinstance.py
index 78b319fb8f4d793879a41395558d14f72c225647..390ab5efda679ca039189722e46d32b90cd99b6d 100644
--- a/ipaserver/install/adtrustinstance.py
+++ b/ipaserver/install/adtrustinstance.py
@@ -20,10 +20,11 @@
 import os
 import errno
 import ldap
-import service
 import tempfile
 import uuid
 from ipaserver import ipaldap
+from ipaserver.install import installutils
+from ipaserver.install import service
 from ipaserver.install.dsinstance import realm_to_serverid
 from ipaserver.install.bindinstance import get_rr, add_rr, del_rr, \
                                            dns_zone_exists
@@ -32,17 +33,17 @@ from ipapython import sysrestore
 from ipapython import ipautil
 from ipapython.ipa_log_manager import *
 
-import random
 import string
 import struct
 
-allowed_netbios_chars = string.ascii_uppercase + string.digits
+ALLOWED_NETBIOS_CHARS = string.ascii_uppercase + string.digits
 
-def check_inst(unattended):
-    for f in ['/usr/sbin/smbd', '/usr/bin/net', '/usr/bin/smbpasswd']:
-        if not os.path.exists(f):
-            print "%s was not found on this system" % f
-            print "Please install the 'samba' packages and start the installation again"
+def check_inst():
+    for smbfile in ['/usr/sbin/smbd', '/usr/bin/net', '/usr/bin/smbpasswd']:
+        if not os.path.exists(smbfile):
+            print "%s was not found on this system" % file
+            print "Please install the 'samba' packages and " \
+                  "start the installation again"
             return False
 
     #TODO: Add check for needed samba4 libraries
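Review bot: The loop variable was renamed to `smbfile`, but the message on the next line still formats `file`, which in Python 2 is the builtin file type, so the diagnostic would print `<type 'file'> was not found on this system` instead of the missing path. Change it to `print "%s was not found on this system" % smbfile`. check_inst's body continues past the hunk.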
@@ -51,13 +52,13 @@ def check_inst(unattended):
 
 def ipa_smb_conf_exists():
     try:
-        fd = open('/etc/samba/smb.conf', 'r')
-    except IOError, e:
-        if e.errno == errno.ENOENT:
+        conf_fd = open('/etc/samba/smb.conf', 'r')
+    except IOError, err:
+        if err.errno == errno.ENOENT:
             return False
 
-    lines = fd.readlines()
-    fd.close()
+    lines = conf_fd.readlines()
+    conf_fd.close()
     for line in lines:
         if line.startswith('### Added by IPA Installer ###'):
             return True
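Review bot: In ipa_smb_conf_exists the `except IOError, err:` block returns False only for ENOENT; any other error (for example EACCES on a root-owned config) falls through to `conf_fd.readlines()` with `conf_fd` unbound and raises UnboundLocalError instead of surfacing the original IOError. Add `raise` after the `if err.errno == errno.ENOENT: return False` check so other errors propagate, or restructure the read as `with open('/etc/samba/smb.conf', 'r') as conf_fd:` so the handle is also closed when readlines fails. The function's tail is outside the hunk.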
@@ -66,13 +67,15 @@ def ipa_smb_conf_exists():
 
 def check_netbios_name(s):
     # NetBIOS names may not be longer than 15 allowed characters
-    if not s or len(s) > 15 or ''.join([c for c in s if c not in allowed_netbios_chars]):
+    if not s or len(s) > 15 or \
+       ''.join([c for c in s if c not in ALLOWED_NETBIOS_CHARS]):
         return False
 
     return True
 
 def make_netbios_name(s):
-    return ''.join([c for c in s.split('.')[0].upper() if c in allowed_netbios_chars])[:15]
+    return ''.join([c for c in s.split('.')[0].upper() \
+                    if c in ALLOWED_NETBIOS_CHARS])[:15]
 
 class ADTRUSTInstance(service.Service):
 
@@ -84,6 +87,22 @@ class ADTRUSTInstance(service.Service):
     OBJC_DOMAIN = "ipaNTDomainAttrs"
 
     def __init__(self, fstore=None, dm_password=None):
+        self.fqdn = None
+        self.ip_address = None
+        self.realm_name = None
+        self.domain_name = None
+        self.netbios_name = None
+        self.no_msdcs = None
+        self.smbd_user = None
+        self.suffix = None
+        self.ldapi_socket = None
+        self.smb_conf = None
+        self.smb_dn = None
+        self.smb_dn_pwd = None
+        self.trust_dn = None
+        self.smb_dom_dn = None
+        self.sub_dict = None
+
         service.Service.__init__(self, "smb", dm_password=dm_password)
 
         if fstore:
@@ -97,7 +116,8 @@ class ADTRUSTInstance(service.Service):
             self.admin_conn.getEntry(self.smb_dn, ldap.SCOPE_BASE)
             print "Samba user entry exists, resetting password"
 
-            self.admin_conn.modify_s(self.smb_dn, [(ldap.MOD_REPLACE, "userPassword", self.smb_dn_pwd)])
+            self.admin_conn.modify_s(self.smb_dn, \
+                          [(ldap.MOD_REPLACE, "userPassword", self.smb_dn_pwd)])
             return
 
         except errors.NotFound:
@@ -204,13 +224,14 @@ class ADTRUSTInstance(service.Service):
                        "cn=ad,"+self.trust_dn, \
                        "cn=ad,cn=etc,"+self.suffix):
             try:
-                self.admin_conn.getEntry(dn, ldap.SCOPE_BASE)
+                self.admin_conn.getEntry(new_dn, ldap.SCOPE_BASE)
             except errors.NotFound:
-                entry = ipaldap.Entry(dn)
+                entry = ipaldap.Entry(new_dn)
                 entry.setValues("objectclass", ["nsContainer"])
-                name = dn.split('=')[1].split(',')[0]
+                name = new_dn.split('=')[1].split(',')[0]
                 if not name:
-                    print "Cannot extract RDN attribute value from [%s]" % dn
+                    print "Cannot extract RDN attribute value from [%s]" % \
+                          new_dn
                     return
                 entry.setValues("cn", name)
                 self.admin_conn.add_s(entry)
@@ -227,18 +248,18 @@ class ADTRUSTInstance(service.Service):
     def __write_smb_conf(self):
         self.fstore.backup_file(self.smb_conf)
 
-        fd = open(self.smb_conf, "w")
-        fd.write('### Added by IPA Installer ###\n')
-        fd.write('[global]\n')
-        fd.write('config backend = registry\n')
-        fd.close()
+        conf_fd = open(self.smb_conf, "w")
+        conf_fd.write('### Added by IPA Installer ###\n')
+        conf_fd.write('[global]\n')
+        conf_fd.write('config backend = registry\n')
+        conf_fd.close()
 
     def __write_smb_registry(self):
         template = os.path.join(ipautil.SHARE_DIR, "smb.conf.template")
         conf = ipautil.template_file(template, self.sub_dict)
-        [fd, tmp_name] = tempfile.mkstemp()
-        os.write(fd, conf)
-        os.close(fd)
+        [tmp_fd, tmp_name] = tempfile.mkstemp()
+        os.write(tmp_fd, conf)
+        os.close(tmp_fd)
 
         args = ["/usr/bin/net", "conf", "import", tmp_name]
 
@@ -250,7 +271,8 @@ class ADTRUSTInstance(service.Service):
     def __set_smb_ldap_password(self):
         args = ["/usr/bin/smbpasswd", "-c", self.smb_conf, "-s", "-W" ]
 
-        ipautil.run(args, stdin = self.smb_dn_pwd + "\n" + self.smb_dn_pwd + "\n" )
+        ipautil.run(args, stdin = self.smb_dn_pwd + "\n" + \
+                                  self.smb_dn_pwd + "\n" )
 
     def __setup_principal(self):
         cifs_principal = "cifs/" + self.fqdn + "@" + self.realm_name
@@ -291,7 +313,7 @@ class ADTRUSTInstance(service.Service):
                           ".dc._msdcs")
 
         err_msg = None
-        ret = api.Command.dns_is_enabled()
+        ret = api.Command['dns_is_enabled']()
         if not ret['result']:
             err_msg = "DNS management was not enabled at install time."
         else:
@@ -341,7 +363,8 @@ class ADTRUSTInstance(service.Service):
         # Instead we reply on the IPA init script to start only enabled
         # components as found in our LDAP configuration tree
         try:
-            self.ldap_enable('ADTRUST', self.fqdn, self.dm_password, self.suffix)
+            self.ldap_enable('ADTRUST', self.fqdn, self.dm_password, \
+                             self.suffix)
         except ldap.ALREADY_EXISTS:
             root_logger.critical("ADTRUST Service startup entry already exists.")
             pass
@@ -355,7 +378,7 @@ class ADTRUSTInstance(service.Service):
 
     def setup(self, fqdn, ip_address, realm_name, domain_name, netbios_name,
               no_msdcs=False, smbd_user="samba"):
-        self.fqdn =fqdn
+        self.fqdn = fqdn
         self.ip_address = ip_address
         self.realm_name = realm_name
         self.domain_name = domain_name
@@ -363,7 +386,8 @@ class ADTRUSTInstance(service.Service):
         self.no_msdcs = no_msdcs
         self.smbd_user = smbd_user
         self.suffix = ipautil.realm_to_suffix(self.realm_name)
-        self.ldapi_socket = "%%2fvar%%2frun%%2fslapd-%s.socket" % realm_to_serverid(self.realm_name)
+        self.ldapi_socket = "%%2fvar%%2frun%%2fslapd-%s.socket" % \
+                            realm_to_serverid(self.realm_name)
 
         self.smb_conf = "/etc/samba/smb.conf"
 
@@ -383,15 +407,18 @@ class ADTRUSTInstance(service.Service):
 
         self.step("stopping smbd", self.__stop)
         self.step("create samba user", self.__create_samba_user)
-        self.step("create samba domain object", self.__create_samba_domain_object)
+        self.step("create samba domain object", \
+                  self.__create_samba_domain_object)
         self.step("create samba config registry", self.__write_smb_registry)
         self.step("writing samba config file", self.__write_smb_conf)
-        self.step("setting password for the samba user", self.__set_smb_ldap_password)
+        self.step("setting password for the samba user", \
+                  self.__set_smb_ldap_password)
         self.step("Adding cifs Kerberos principal", self.__setup_principal)
         self.step("Adding admin(group) SIDs", self.__add_admin_sids)
         self.step("configuring smbd to start on boot", self.__enable)
         if not self.no_msdcs:
-            self.step("adding special DNS service records", self.__add_dns_service_records)
+            self.step("adding special DNS service records", \
+                      self.__add_dns_service_records)
         self.step("starting smbd", self.__start)
 
         self.start_creation("Configuring smbd:")
@@ -408,9 +435,9 @@ class ADTRUSTInstance(service.Service):
         except:
             pass
 
-        for f in [self.smb_conf]:
+        for r_file in [self.smb_conf]:
             try:
-                self.fstore.restore_file(f)
+                self.fstore.restore_file(r_file)
             except ValueError, error:
                 root_logger.debug(error)
                 pass
-- 
1.7.6

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-sbose-0013-Add-ipasam-samba-passdb-backend.patch.bz2
Type: application/x-bzip2
Size: 16879 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20111123/ac6a0c56/attachment.bz2>
-------------- next part --------------
From 3cd9e920377b4f37aaedde08f92346e0a6623337 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose at redhat.com>
Date: Fri, 18 Nov 2011 14:04:09 +0100
Subject: [PATCH 6/6] activate CLDAP

---
 install/tools/ipa-adtrust-install    |    3 +--
 ipaserver/install/adtrustinstance.py |    4 ++++
 2 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/install/tools/ipa-adtrust-install b/install/tools/ipa-adtrust-install
index c6fd3478a28697301cac317dff1bbf25c6d865ce..248ea35eaa86dd59ebbc871b86df780cfd71ccf6 100755
--- a/install/tools/ipa-adtrust-install
+++ b/install/tools/ipa-adtrust-install
@@ -214,6 +214,7 @@ def main():
     print "\t\tUDP Ports:"
     print "\t\t  * 138: netbios-dgm"
     print "\t\t  * 139: netbios-ssn"
+    print "\t\t  * 389: (C)LDAP"
     print "\t\t  * 445: microsoft-ds"
     print ""
     print "\tAdditionally you have to make sure the FreeIPA LDAP server cannot reached"
@@ -221,8 +222,6 @@ def main():
     print "\tfollowing ports for these servers:"
     print "\t\tTCP Ports:"
     print "\t\t  * 389, 636: LDAP/LDAPS"
-    print "\t\tUDP Ports:"
-    print "\t\t  * 389: (C)LDAP"
     print "\tYou may want to choose to REJECT the network packets instead of DROPing them"
     print "\tto avoid timeouts on the AD domain controllers."
 
diff --git a/ipaserver/install/adtrustinstance.py b/ipaserver/install/adtrustinstance.py
index 390ab5efda679ca039189722e46d32b90cd99b6d..86599956511a2a1e7695582247d374c9946f743d 100644
--- a/ipaserver/install/adtrustinstance.py
+++ b/ipaserver/install/adtrustinstance.py
@@ -254,6 +254,9 @@ class ADTRUSTInstance(service.Service):
         conf_fd.write('config backend = registry\n')
         conf_fd.close()
 
+    def __add_cldap_module(self):
+        self._ldap_mod("ipa-cldap-conf.ldif", self.sub_dict)
+
     def __write_smb_registry(self):
         template = os.path.join(ipautil.SHARE_DIR, "smb.conf.template")
         conf = ipautil.template_file(template, self.sub_dict)
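Review bot: `__add_cldap_module` has no comment explaining what it applies; a one-line docstring such as `"""Apply ipa-cldap-conf.ldif via _ldap_mod, substituting values from self.sub_dict."""` would make the installer step self-describing. The surrounding private methods also lack docstrings, so this matches the file's current style, but a newly added method is a reasonable place to start.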
@@ -415,6 +418,7 @@ class ADTRUSTInstance(service.Service):
                   self.__set_smb_ldap_password)
         self.step("Adding cifs Kerberos principal", self.__setup_principal)
         self.step("Adding admin(group) SIDs", self.__add_admin_sids)
+        self.step("Activation CLDAP plugin", self.__add_cldap_module)
         self.step("configuring smbd to start on boot", self.__enable)
         if not self.no_msdcs:
             self.step("adding special DNS service records", \
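Review bot: The new step label `"Activation CLDAP plugin"` is not a phrase, and the neighbouring labels use a verb form ("Adding cifs Kerberos principal", "configuring smbd to start on boot"); change it to `self.step("activating CLDAP plugin", self.__add_cldap_module)`. The enclosing method starts and ends outside the hunk.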
-- 
1.7.6


