[Freeipa-devel] [PATCH] Add ipasam samba passdb backend
Sumit Bose
sbose at redhat.com
Tue Nov 29 21:09:26 UTC 2011
On Mon, Nov 28, 2011 at 06:22:27PM +0100, Sumit Bose wrote:
> On Wed, Nov 23, 2011 at 04:48:02PM +0100, Sumit Bose wrote:
> > Hi,
> >
> > this set of patches basically adds a samba passwd backend for IPA with
> > can be build in the freeipa tree, plus the needed new objectclasses and
> > attributes and enables the CLDAP service from Simo which is already
> > committed.
> >
> > I compressed "Add-ipasam-samba-passdb-backend" to save some bandwidth.
> > The backend is based on the old IPA passdb backend form the samba tree
> > and various modified parts from the samba LDAP backend to make it work.
> > As the result there are parts of the code which are not very pretty,
> > but will work as planned. I will start refactoring the code together
> > with fixing the first Coverity findings.
> >
> > bye,
> > Sumit
>
> Please find attached a rebased version on top of Alexander's latest
> patch.
>
and now rebased on top of the current master.
bye,
Sumit
-------------- next part --------------
From 3be1e8ffbc785099d1679771a1e7291d24b4f924 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose at redhat.com>
Date: Mon, 7 Nov 2011 11:56:57 +0100
Subject: [PATCH 1/6] Move our own domain info into cn=etc
https://fedorahosted.org/freeipa/ticket/2001
---
ipaserver/install/adtrustinstance.py | 26 +++++++++++++++++---------
1 files changed, 17 insertions(+), 9 deletions(-)
diff --git a/ipaserver/install/adtrustinstance.py b/ipaserver/install/adtrustinstance.py
index ee50a43061e76bd9e8c6744bc66b13ce10802521..7142d79aba6412e336229e07e531654d3b3b578b 100644
--- a/ipaserver/install/adtrustinstance.py
+++ b/ipaserver/install/adtrustinstance.py
@@ -183,17 +183,24 @@ class ADTRUSTInstance(service.Service):
except errors.NotFound:
pass
- try:
- self.admin_conn.getEntry(self.trust_dn, ldap.SCOPE_BASE)
- except errors.NotFound:
- entry = ipaldap.Entry(self.trust_dn)
- entry.setValues("objectclass", ["nsContainer"])
- entry.setValues("cn", "trusts")
- self.admin_conn.add_s(entry)
+ for new_dn in (self.trust_dn, \
+ "cn=ad,"+self.trust_dn, \
+ "cn=ad,cn=etc,"+self.suffix):
+ try:
+ self.admin_conn.getEntry(dn, ldap.SCOPE_BASE)
+ except errors.NotFound:
+ entry = ipaldap.Entry(dn)
+ entry.setValues("objectclass", ["nsContainer"])
+ name = dn.split('=')[1].split(',')[0]
+ if not name:
+ print "Cannot extract RDN attribute value from [%s]" % dn
+ return
+ entry.setValues("cn", name)
+ self.admin_conn.addEntry(entry)
entry = ipaldap.Entry(self.smb_dom_dn)
entry.setValues("objectclass", ["sambaDomain", "nsContainer"])
- entry.setValues("cn", "ad")
+ entry.setValues("cn", self.domain_name)
entry.setValues("sambaDomainName", self.netbios_name)
entry.setValues("sambaSID", self.__gen_sid_string())
#TODO: which MAY attributes do we want to set ?
@@ -346,7 +353,8 @@ class ADTRUSTInstance(service.Service):
self.smb_dn_pwd = ipautil.ipa_generate_password()
self.trust_dn = "cn=trusts,%s" % self.suffix
- self.smb_dom_dn = "cn=ad,%s" % self.trust_dn
+ self.smb_dom_dn = "cn=%s,cn=ad,cn=etc,%s" % (self.domain_name, \
+ self.suffix)
self.__setup_sub_dict()
--
1.7.6
-------------- next part --------------
From 4e3568c920d730cecc54630bf577eb85a5f6c076 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose at redhat.com>
Date: Wed, 9 Nov 2011 16:38:10 +0100
Subject: [PATCH 2/6] Add trust objectclass and attributes to v3 schema
---
install/share/60basev3.ldif | 11 +++++++++++
1 files changed, 11 insertions(+), 0 deletions(-)
diff --git a/install/share/60basev3.ldif b/install/share/60basev3.ldif
index f518541586b2df9ed08718098a7f170563aa4e1d..6db644addf298216e2b85dc68b616e8351457cf5 100644
--- a/install/share/60basev3.ldif
+++ b/install/share/60basev3.ldif
@@ -14,7 +14,18 @@ attributeTypes: (2.16.840.1.113730.3.8.11.7 NAME 'ipaNTProfilePath' DESC 'User P
attributeTypes: (2.16.840.1.113730.3.8.11.8 NAME 'ipaNTHomeDirectory' DESC 'User Home Directory Path' EQUALITY caseIgnoreMatch OREDRING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'IPA v3' )
attributeTypes: (2.16.840.1.113730.3.8.11.9 NAME 'ipaNTHomeDirectoryDrive' DESC 'User Home Drive Letter' EQUALITY caseIgnoreMatch OREDRING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'IPA v3' )
attributeTypes: (2.16.840.1.113730.3.8.11.10 NAME 'ipaNTDomainGUID' DESC 'NT Domain GUID' EQUALITY caseIgnoreIA5Match OREDRING caseIgnoreIA5OrderingMatch SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE X-ORIGIN 'IPA v3' )
+attributeTypes: ( 2.16.840.1.113730.3.8.11.11 NAME 'ipaNTTrustType' DESC 'Type of trust' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+attributeTypes: ( 2.16.840.1.113730.3.8.11.12 NAME 'ipaNTTrustAttributes' DESC 'Trust attributes for a trusted domain' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+attributeTypes: ( 2.16.840.1.113730.3.8.11.13 NAME 'ipaNTTrustDirection' DESC 'Direction of a trust' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+attributeTypes: ( 2.16.840.1.113730.3.8.11.14 NAME 'ipaNTTrustPartner' DESC 'Fully qualified name of the domain with which a trust exists' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} )
+attributeTypes: ( 2.16.840.1.113730.3.8.11.15 NAME 'ipaNTTrustAuthOutgoing' DESC 'Authentication information for the outgoing portion of a trust' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
+attributeTypes: ( 2.16.840.1.113730.3.8.11.16 NAME 'ipaNTTrustAuthIncoming' DESC 'Authentication information for the incoming portion of a trust' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
+attributeTypes: ( 2.16.840.1.113730.3.8.11.17 NAME 'ipaNTTrustForestTrustInfo' DESC 'Forest trust information for a trusted domain object' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
+attributeTypes: ( 2.16.840.1.113730.3.8.11.18 NAME 'ipaNTTrustPosixOffset' DESC 'POSIX offset of a trust' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+attributeTypes: ( 2.16.840.1.113730.3.8.11.19 NAME 'ipaNTSupportedEncryptionTypes' DESC 'Supported encryption types of a trust' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
objectClasses: (2.16.840.1.113730.3.8.12.1 NAME 'ipaExternalGroup' SUP top STRUCTURAL MUST ( cn ) MAY ( ipaExternalMember $ memberOf $ description $ owner) X-ORIGIN 'IPA v3' )
objectClasses: (2.16.840.1.113730.3.8.12.2 NAME 'ipaNTUserAttrs' SUP top AUXILIARY MUST ( ipaNTSecurityIdentifier ) MAY ( ipaNTHash $ ipaNTLogonScript $ ipaNTProfilePath $ ipaNTHomeDirectory $ ipaNTHomeDirectoryDrive ) X-ORIGIN 'IPA v3' )
objectClasses: (2.16.840.1.113730.3.8.12.3 NAME 'ipaNTGroupAttrs' SUP top AUXILIARY MUST ( ipaNTSecurityIdentifier ) X-ORIGIN 'IPA v3' )
objectClasses: (2.16.840.1.113730.3.8.12.4 NAME 'ipaNTDomainAttrs' SUP top AUXILIARY MUST ( ipaNTSecurityIdentifier $ ipaNTFlatName $ ipaNTDomainGUID ) MAY ( ipaNTFallbackPrimaryGroup ) X-ORIGIN 'IPA v3' )
+objectClasses: (2.16.840.1.113730.3.8.12.5 NAME 'ipaNTTrustedDomain' SUP top STRUCTURAL DESC 'Trusted Domain Object' MUST ( cn ) MAY ( ipaNTTrustType $ ipaNTTrustAttributes $ ipaNTTrustDirection $ ipaNTTrustPartner $ ipaNTFlatName $ ipaNTTrustAuthOutgoing $ ipaNTTrustAuthIncoming $ ipaNTSecurityIdentifier $ ipaNTTrustForestTrustInfo $ ipaNTTrustPosixOffset $ ipaNTSupportedEncryptionTypes) )
+
--
1.7.6
-------------- next part --------------
From 861ef6683df8ae7f2c8643840770aae2c26231a3 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose at redhat.com>
Date: Mon, 7 Nov 2011 12:48:10 +0100
Subject: [PATCH 3/6] Use new objectclasses and attributes for trust
---
ipaserver/install/adtrustinstance.py | 46 +++++++++++++++++++++++----------
1 files changed, 32 insertions(+), 14 deletions(-)
diff --git a/ipaserver/install/adtrustinstance.py b/ipaserver/install/adtrustinstance.py
index 7142d79aba6412e336229e07e531654d3b3b578b..0bdedfd2b42df38ec98a3bd3532c9ba05fd3e0df 100644
--- a/ipaserver/install/adtrustinstance.py
+++ b/ipaserver/install/adtrustinstance.py
@@ -22,7 +22,7 @@ import errno
import ldap
import service
import tempfile
-import installutils
+import uuid
from ipaserver import ipaldap
from ipaserver.install.dsinstance import realm_to_serverid
from ipaserver.install.bindinstance import get_rr, add_rr, del_rr, \
@@ -75,6 +75,14 @@ def make_netbios_name(s):
return ''.join([c for c in s.split('.')[0].upper() if c in allowed_netbios_chars])[:15]
class ADTRUSTInstance(service.Service):
+
+ ATTR_SID = "ipaNTSecurityIdentifier"
+ ATTR_FLAT_NAME = "ipaNTFlatName"
+ ATTR_GUID = "ipaNTDomainGUID"
+ OBJC_USER = "ipaNTUserAttrs"
+ OBJC_GROUP = "ipaNTGroupAttrs"
+ OBJC_DOMAIN = "ipaNTDomainAttrs"
+
def __init__(self, fstore=None, dm_password=None):
service.Service.__init__(self, "smb", dm_password=dm_password)
@@ -107,13 +115,22 @@ class ADTRUSTInstance(service.Service):
# Also the premission to create trusted domain objects below the
# domain object is granted.
mod = [(ldap.MOD_ADD, 'aci',
- str('(targetattr = "sambaNTPassword")' \
+ str('(targetattr = "ipaNTHash")' \
'(version 3.0; acl "Samba user can read NT passwords";' \
'allow (read) userdn="ldap:///%s";)' % self.smb_dn)),
(ldap.MOD_ADD, 'aci',
str('(target = "ldap:///cn=ad,cn=trusts,%s")' \
- '(targetattr = "sambaTrustType || sambaTrustAttributes || sambaTrustDirection || sambaTrustPartner || sambaFlatName || sambaTrustAuthOutgoing || sambaTrustAuthIncoming || sambaSecurityIdentifier || sambaTrustForestTrustInfo || sambaTrustPosixOffset || sambaSupportedEncryptionTypes")' \
- '(version 3.0;acl "Allow samba user to create and delete trust accounts";' \
+ '(targetattr = "ipaNTTrustType || ipaNTTrustAttributes || ' \
+ 'ipaNTTrustDirection || ' \
+ 'ipaNTTrustPartner || ipaNTFlatName || ' \
+ 'ipaNTTrustAuthOutgoing || ' \
+ 'ipaNTTrustAuthIncoming || ' \
+ 'ipaNTSecurityIdentifier || ' \
+ 'ipaNTTrustForestTrustInfo || ' \
+ 'ipaNTTrustPosixOffset || ' \
+ 'ipaNTSupportedEncryptionTypes")' \
+ '(version 3.0;acl "Allow samba user to create and delete ' \
+ 'trust accounts";' \
'allow (write,add,delete) userdn = "ldap:///%s";)' % \
(self.suffix, self.smb_dn)))]
@@ -137,7 +154,7 @@ class ADTRUSTInstance(service.Service):
print "Samba domain object not found"
return
- dom_sid = dom_entry.getValue("sambaSID")
+ dom_sid = dom_entry.getValue(self.ATTR_SID)
if not dom_sid:
print "Samba domain object does not have a SID"
return
@@ -155,22 +172,22 @@ class ADTRUSTInstance(service.Service):
print "IPA admin group object not found"
return
- if admin_entry.getValue("sambaSID") or \
- admin_group_entry.getValue("sambaSID"):
+ if admin_entry.getValue(self.ATTR_SID) or \
+ admin_group_entry.getValue(self.ATTR_SID):
print "Admin SID already set, nothing to do"
return
try:
self.admin_conn.modify_s(admin_dn, \
- [(ldap.MOD_ADD, "objectclass", "sambaSamAccount"), \
- (ldap.MOD_ADD, "sambaSID", dom_sid + "-500")])
+ [(ldap.MOD_ADD, "objectclass", self.OBJC_USER), \
+ (ldap.MOD_ADD, self.ATTR_SID, dom_sid + "-500")])
except:
print "Failed to modify IPA admin object"
try:
self.admin_conn.modify_s(admin_group_dn, \
- [(ldap.MOD_ADD, "objectclass", "sambaSidEntry"), \
- (ldap.MOD_ADD, "sambaSID", dom_sid + "-512")])
+ [(ldap.MOD_ADD, "objectclass", self.OBJC_GROUP), \
+ (ldap.MOD_ADD, self.ATTR_SID, dom_sid + "-512")])
except:
print "Failed to modify IPA admin group object"
@@ -199,10 +216,11 @@ class ADTRUSTInstance(service.Service):
self.admin_conn.addEntry(entry)
entry = ipaldap.Entry(self.smb_dom_dn)
- entry.setValues("objectclass", ["sambaDomain", "nsContainer"])
+ entry.setValues("objectclass", [self.OBJC_DOMAIN, "nsContainer"])
entry.setValues("cn", self.domain_name)
- entry.setValues("sambaDomainName", self.netbios_name)
- entry.setValues("sambaSID", self.__gen_sid_string())
+ entry.setValues(self.ATTR_FLAT_NAME, self.netbios_name)
+ entry.setValues(self.ATTR_SID, self.__gen_sid_string())
+ entry.setValues(self.ATTR_GUID, str(uuid.uuid4()))
#TODO: which MAY attributes do we want to set ?
self.admin_conn.add_s(entry)
--
1.7.6
-------------- next part --------------
From 4632c3ea945af3fab47ed67741a373ec6ec04ade Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose at redhat.com>
Date: Mon, 7 Nov 2011 12:59:20 +0100
Subject: [PATCH 4/6] Fix some pylint warnings
---
install/tools/ipa-adtrust-install | 2 +-
ipaserver/install/adtrustinstance.py | 107 +++++++++++++++++++++-------------
2 files changed, 68 insertions(+), 41 deletions(-)
diff --git a/install/tools/ipa-adtrust-install b/install/tools/ipa-adtrust-install
index 87fecbfb4834d65fdccc3f8536a5665ba75e48a5..c6fd3478a28697301cac317dff1bbf25c6d865ce 100755
--- a/install/tools/ipa-adtrust-install
+++ b/install/tools/ipa-adtrust-install
@@ -111,7 +111,7 @@ def main():
print ""
# Check if samba packages are installed
- if not adtrustinstance.check_inst(options.unattended):
+ if not adtrustinstance.check_inst():
sys.exit("Aborting installation.")
# Initialize the ipalib api
diff --git a/ipaserver/install/adtrustinstance.py b/ipaserver/install/adtrustinstance.py
index 0bdedfd2b42df38ec98a3bd3532c9ba05fd3e0df..7808b3dea809d237299527ed107bc161b565c834 100644
--- a/ipaserver/install/adtrustinstance.py
+++ b/ipaserver/install/adtrustinstance.py
@@ -20,10 +20,11 @@
import os
import errno
import ldap
-import service
import tempfile
import uuid
from ipaserver import ipaldap
+from ipaserver.install import installutils
+from ipaserver.install import service
from ipaserver.install.dsinstance import realm_to_serverid
from ipaserver.install.bindinstance import get_rr, add_rr, del_rr, \
dns_zone_exists
@@ -32,17 +33,17 @@ from ipapython import sysrestore
from ipapython import ipautil
from ipapython.ipa_log_manager import *
-import random
import string
import struct
-allowed_netbios_chars = string.ascii_uppercase + string.digits
+ALLOWED_NETBIOS_CHARS = string.ascii_uppercase + string.digits
-def check_inst(unattended):
- for f in ['/usr/sbin/smbd', '/usr/bin/net', '/usr/bin/smbpasswd']:
- if not os.path.exists(f):
- print "%s was not found on this system" % f
- print "Please install the 'samba' packages and start the installation again"
+def check_inst():
+ for smbfile in ['/usr/sbin/smbd', '/usr/bin/net', '/usr/bin/smbpasswd']:
+ if not os.path.exists(smbfile):
+ print "%s was not found on this system" % file
+ print "Please install the 'samba' packages and " \
+ "start the installation again"
return False
#TODO: Add check for needed samba4 libraries
@@ -51,13 +52,13 @@ def check_inst(unattended):
def ipa_smb_conf_exists():
try:
- fd = open('/etc/samba/smb.conf', 'r')
- except IOError, e:
- if e.errno == errno.ENOENT:
+ conf_fd = open('/etc/samba/smb.conf', 'r')
+ except IOError, err:
+ if err.errno == errno.ENOENT:
return False
- lines = fd.readlines()
- fd.close()
+ lines = conf_fd.readlines()
+ conf_fd.close()
for line in lines:
if line.startswith('### Added by IPA Installer ###'):
return True
@@ -66,13 +67,15 @@ def ipa_smb_conf_exists():
def check_netbios_name(s):
# NetBIOS names may not be longer than 15 allowed characters
- if not s or len(s) > 15 or ''.join([c for c in s if c not in allowed_netbios_chars]):
+ if not s or len(s) > 15 or \
+ ''.join([c for c in s if c not in ALLOWED_NETBIOS_CHARS]):
return False
return True
def make_netbios_name(s):
- return ''.join([c for c in s.split('.')[0].upper() if c in allowed_netbios_chars])[:15]
+ return ''.join([c for c in s.split('.')[0].upper() \
+ if c in ALLOWED_NETBIOS_CHARS])[:15]
class ADTRUSTInstance(service.Service):
@@ -84,6 +87,22 @@ class ADTRUSTInstance(service.Service):
OBJC_DOMAIN = "ipaNTDomainAttrs"
def __init__(self, fstore=None, dm_password=None):
+ self.fqdn = None
+ self.ip_address = None
+ self.realm_name = None
+ self.domain_name = None
+ self.netbios_name = None
+ self.no_msdcs = None
+ self.smbd_user = None
+ self.suffix = None
+ self.ldapi_socket = None
+ self.smb_conf = None
+ self.smb_dn = None
+ self.smb_dn_pwd = None
+ self.trust_dn = None
+ self.smb_dom_dn = None
+ self.sub_dict = None
+
service.Service.__init__(self, "smb", dm_password=dm_password)
if fstore:
@@ -97,7 +116,8 @@ class ADTRUSTInstance(service.Service):
self.admin_conn.getEntry(self.smb_dn, ldap.SCOPE_BASE)
print "Samba user entry exists, resetting password"
- self.admin_conn.modify_s(self.smb_dn, [(ldap.MOD_REPLACE, "userPassword", self.smb_dn_pwd)])
+ self.admin_conn.modify_s(self.smb_dn, \
+ [(ldap.MOD_REPLACE, "userPassword", self.smb_dn_pwd)])
return
except errors.NotFound:
@@ -108,7 +128,7 @@ class ADTRUSTInstance(service.Service):
entry.setValues("objectclass", ["account", "simplesecurityobject"])
entry.setValues("uid", "samba")
entry.setValues("userPassword", self.smb_dn_pwd)
- self.admin_conn.add_s(entry)
+ self.admin_conn.addEntry(entry)
# And finally grant it permission to read NT passwords, we do not want
# to support LM passwords so there is no need to allow access to them.
@@ -204,13 +224,14 @@ class ADTRUSTInstance(service.Service):
"cn=ad,"+self.trust_dn, \
"cn=ad,cn=etc,"+self.suffix):
try:
- self.admin_conn.getEntry(dn, ldap.SCOPE_BASE)
+ self.admin_conn.getEntry(new_dn, ldap.SCOPE_BASE)
except errors.NotFound:
- entry = ipaldap.Entry(dn)
+ entry = ipaldap.Entry(new_dn)
entry.setValues("objectclass", ["nsContainer"])
- name = dn.split('=')[1].split(',')[0]
+ name = new_dn.split('=')[1].split(',')[0]
if not name:
- print "Cannot extract RDN attribute value from [%s]" % dn
+ print "Cannot extract RDN attribute value from [%s]" % \
+ new_dn
return
entry.setValues("cn", name)
self.admin_conn.addEntry(entry)
@@ -222,23 +243,23 @@ class ADTRUSTInstance(service.Service):
entry.setValues(self.ATTR_SID, self.__gen_sid_string())
entry.setValues(self.ATTR_GUID, str(uuid.uuid4()))
#TODO: which MAY attributes do we want to set ?
- self.admin_conn.add_s(entry)
+ self.admin_conn.addEntry(entry)
def __write_smb_conf(self):
self.fstore.backup_file(self.smb_conf)
- fd = open(self.smb_conf, "w")
- fd.write('### Added by IPA Installer ###\n')
- fd.write('[global]\n')
- fd.write('config backend = registry\n')
- fd.close()
+ conf_fd = open(self.smb_conf, "w")
+ conf_fd.write('### Added by IPA Installer ###\n')
+ conf_fd.write('[global]\n')
+ conf_fd.write('config backend = registry\n')
+ conf_fd.close()
def __write_smb_registry(self):
template = os.path.join(ipautil.SHARE_DIR, "smb.conf.template")
conf = ipautil.template_file(template, self.sub_dict)
- [fd, tmp_name] = tempfile.mkstemp()
- os.write(fd, conf)
- os.close(fd)
+ [tmp_fd, tmp_name] = tempfile.mkstemp()
+ os.write(tmp_fd, conf)
+ os.close(tmp_fd)
args = ["/usr/bin/net", "conf", "import", tmp_name]
@@ -250,7 +271,8 @@ class ADTRUSTInstance(service.Service):
def __set_smb_ldap_password(self):
args = ["/usr/bin/smbpasswd", "-c", self.smb_conf, "-s", "-W" ]
- ipautil.run(args, stdin = self.smb_dn_pwd + "\n" + self.smb_dn_pwd + "\n" )
+ ipautil.run(args, stdin = self.smb_dn_pwd + "\n" + \
+ self.smb_dn_pwd + "\n" )
def __setup_principal(self):
cifs_principal = "cifs/" + self.fqdn + "@" + self.realm_name
@@ -291,7 +313,7 @@ class ADTRUSTInstance(service.Service):
".dc._msdcs")
err_msg = None
- ret = api.Command.dns_is_enabled()
+ ret = api.Command['dns_is_enabled']()
if not ret['result']:
err_msg = "DNS management was not enabled at install time."
else:
@@ -341,7 +363,8 @@ class ADTRUSTInstance(service.Service):
# Instead we reply on the IPA init script to start only enabled
# components as found in our LDAP configuration tree
try:
- self.ldap_enable('ADTRUST', self.fqdn, self.dm_password, self.suffix)
+ self.ldap_enable('ADTRUST', self.fqdn, self.dm_password, \
+ self.suffix)
except ldap.ALREADY_EXISTS:
root_logger.critical("ADTRUST Service startup entry already exists.")
pass
@@ -355,7 +378,7 @@ class ADTRUSTInstance(service.Service):
def setup(self, fqdn, ip_address, realm_name, domain_name, netbios_name,
no_msdcs=False, smbd_user="samba"):
- self.fqdn =fqdn
+ self.fqdn = fqdn
self.ip_address = ip_address
self.realm_name = realm_name
self.domain_name = domain_name
@@ -363,7 +386,8 @@ class ADTRUSTInstance(service.Service):
self.no_msdcs = no_msdcs
self.smbd_user = smbd_user
self.suffix = ipautil.realm_to_suffix(self.realm_name)
- self.ldapi_socket = "%%2fvar%%2frun%%2fslapd-%s.socket" % realm_to_serverid(self.realm_name)
+ self.ldapi_socket = "%%2fvar%%2frun%%2fslapd-%s.socket" % \
+ realm_to_serverid(self.realm_name)
self.smb_conf = "/etc/samba/smb.conf"
@@ -383,15 +407,18 @@ class ADTRUSTInstance(service.Service):
self.step("stopping smbd", self.__stop)
self.step("create samba user", self.__create_samba_user)
- self.step("create samba domain object", self.__create_samba_domain_object)
+ self.step("create samba domain object", \
+ self.__create_samba_domain_object)
self.step("create samba config registry", self.__write_smb_registry)
self.step("writing samba config file", self.__write_smb_conf)
- self.step("setting password for the samba user", self.__set_smb_ldap_password)
+ self.step("setting password for the samba user", \
+ self.__set_smb_ldap_password)
self.step("Adding cifs Kerberos principal", self.__setup_principal)
self.step("Adding admin(group) SIDs", self.__add_admin_sids)
self.step("configuring smbd to start on boot", self.__enable)
if not self.no_msdcs:
- self.step("adding special DNS service records", self.__add_dns_service_records)
+ self.step("adding special DNS service records", \
+ self.__add_dns_service_records)
self.step("starting smbd", self.__start)
self.start_creation("Configuring smbd:")
@@ -408,9 +435,9 @@ class ADTRUSTInstance(service.Service):
except:
pass
- for f in [self.smb_conf]:
+ for r_file in [self.smb_conf]:
try:
- self.fstore.restore_file(f)
+ self.fstore.restore_file(r_file)
except ValueError, error:
root_logger.debug(error)
pass
--
1.7.6
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-sbose-0013-3-Add-ipasam-samba-passdb-backend.patch.bz2
Type: application/x-bzip2
Size: 17026 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20111129/0ae7b7f2/attachment.bz2>
-------------- next part --------------
From 7c5ef0443c0ded32a467d78ca950c4667d26163e Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose at redhat.com>
Date: Fri, 18 Nov 2011 14:04:09 +0100
Subject: [PATCH 6/6] activate CLDAP
---
install/tools/ipa-adtrust-install | 3 +--
ipaserver/install/adtrustinstance.py | 4 ++++
2 files changed, 5 insertions(+), 2 deletions(-)
diff --git a/install/tools/ipa-adtrust-install b/install/tools/ipa-adtrust-install
index c6fd3478a28697301cac317dff1bbf25c6d865ce..248ea35eaa86dd59ebbc871b86df780cfd71ccf6 100755
--- a/install/tools/ipa-adtrust-install
+++ b/install/tools/ipa-adtrust-install
@@ -214,6 +214,7 @@ def main():
print "\t\tUDP Ports:"
print "\t\t * 138: netbios-dgm"
print "\t\t * 139: netbios-ssn"
+ print "\t\t * 389: (C)LDAP"
print "\t\t * 445: microsoft-ds"
print ""
print "\tAdditionally you have to make sure the FreeIPA LDAP server cannot reached"
@@ -221,8 +222,6 @@ def main():
print "\tfollowing ports for these servers:"
print "\t\tTCP Ports:"
print "\t\t * 389, 636: LDAP/LDAPS"
- print "\t\tUDP Ports:"
- print "\t\t * 389: (C)LDAP"
print "\tYou may want to choose to REJECT the network packets instead of DROPing them"
print "\tto avoid timeouts on the AD domain controllers."
diff --git a/ipaserver/install/adtrustinstance.py b/ipaserver/install/adtrustinstance.py
index 7808b3dea809d237299527ed107bc161b565c834..f4379019dfe2c61c9b3a4b13d71cf148112a4d85 100644
--- a/ipaserver/install/adtrustinstance.py
+++ b/ipaserver/install/adtrustinstance.py
@@ -254,6 +254,9 @@ class ADTRUSTInstance(service.Service):
conf_fd.write('config backend = registry\n')
conf_fd.close()
+ def __add_cldap_module(self):
+ self._ldap_mod("ipa-cldap-conf.ldif", self.sub_dict)
+
def __write_smb_registry(self):
template = os.path.join(ipautil.SHARE_DIR, "smb.conf.template")
conf = ipautil.template_file(template, self.sub_dict)
@@ -415,6 +418,7 @@ class ADTRUSTInstance(service.Service):
self.__set_smb_ldap_password)
self.step("Adding cifs Kerberos principal", self.__setup_principal)
self.step("Adding admin(group) SIDs", self.__add_admin_sids)
+ self.step("Activation CLDAP plugin", self.__add_cldap_module)
self.step("configuring smbd to start on boot", self.__enable)
if not self.no_msdcs:
self.step("adding special DNS service records", \
--
1.7.6
More information about the Freeipa-devel
mailing list