[Freeipa-devel] [PATCH] 6 Add admin SIDs

Sumit Bose sbose at redhat.com
Fri Sep 23 13:20:08 UTC 2011


Hi,

this patch extends the ipa-adtrust-install utility by adding SIDs to the
IPA admin user and the admins group.

bye,
Sumit
-------------- next part --------------
From 9d24a20c8d81440398f38e71efd024320b20577d Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose at redhat.com>
Date: Fri, 23 Sep 2011 15:11:23 +0200
Subject: [PATCH] Add admin SIDs

The admin SID DOMAIN-SID-500 will be assigned to the IPA admin user and the
admin group SID DOMAIN-SID-512 to the admins group.
---
 ipaserver/install/adtrustinstance.py |   62 ++++++++++++++++++++++++++++++---
 1 files changed, 56 insertions(+), 6 deletions(-)

diff --git a/ipaserver/install/adtrustinstance.py b/ipaserver/install/adtrustinstance.py
index 1bd37d4eb1f93db6609f8c9a06ac02923e9db20b..f525d2d3861bab46b89594935d5e4003087e0b09 100644
--- a/ipaserver/install/adtrustinstance.py
+++ b/ipaserver/install/adtrustinstance.py
@@ -125,26 +125,72 @@ class ADTRUSTInstance(service.Service):
         sub_ids = struct.unpack("<LLL", os.urandom(12))
         return "S-1-5-21-%d-%d-%d" % (sub_ids[0], sub_ids[1], sub_ids[2])
 
+    def __add_admin_sids(self):
+        admin_dn = "uid=admin,cn=users,cn=accounts,%s" % self.suffix
+        admin_group_dn = "cn=admins,cn=groups,cn=accounts,%s" % self.suffix
+
+        try:
+            dom_entry = self.admin_conn.getEntry(self.smb_dom_dn, \
+                                                 ldap.SCOPE_BASE)
+        except errors.NotFound:
+            print "Samba domain object not found"
+            return
+
+        dom_sid = dom_entry.getValue("sambaSID")
+        if not dom_sid:
+            print "Samba domain object does not have a SID"
+            return
+
+        try:
+            admin_entry = self.admin_conn.getEntry(admin_dn, ldap.SCOPE_BASE)
+        except:
+            print "IPA admin object not found"
+            return
+
+        try:
+            admin_group_entry = self.admin_conn.getEntry(admin_group_dn, \
+                                                         ldap.SCOPE_BASE)
+        except:
+            print "IPA admin group object not found"
+            return
+
+        if admin_entry.getValue("sambaSID") or \
+           admin_group_entry.getValue("sambaSID"):
+            print "Admin SID already set, nothing to do"
+            return
+
+        try:
+            self.admin_conn.modify_s(admin_dn, \
+                        [(ldap.MOD_ADD, "objectclass", "sambaSamAccount"), \
+                         (ldap.MOD_ADD, "sambaSID", self.dom_sid + "-500")])
+        except:
+            print "Failed to modify IPA admin object"
+
+        try:
+            self.admin_conn.modify_s(admin_group_dn, \
+                        [(ldap.MOD_ADD, "objectclass", "sambaSidEntry"), \
+                         (ldap.MOD_ADD, "sambaSID", self.dom_sid + "-512")])
+        except:
+            print "Failed to modify IPA admin group object"
+
     def __create_samba_domain_object(self):
-        trust_dn = "cn=trusts,%s" % self.suffix
-        smb_dom_dn = "cn=ad,%s" % trust_dn
 
         try:
-            self.admin_conn.getEntry(smb_dom_dn, ldap.SCOPE_BASE)
+            self.admin_conn.getEntry(self.smb_dom_dn, ldap.SCOPE_BASE)
             print "Samba domain object already exists"
             return
         except errors.NotFound:
             pass
 
         try:
-            self.admin_conn.getEntry(trust_dn, ldap.SCOPE_BASE)
+            self.admin_conn.getEntry(self.trust_dn, ldap.SCOPE_BASE)
         except errors.NotFound:
-            entry = ipaldap.Entry(trust_dn)
+            entry = ipaldap.Entry(self.trust_dn)
             entry.setValues("objectclass", ["nsContainer"])
             entry.setValues("cn", "trusts")
             self.admin_conn.add_s(entry)
 
-        entry = ipaldap.Entry(smb_dom_dn)
+        entry = ipaldap.Entry(self.smb_dom_dn)
         entry.setValues("objectclass", ["sambaDomain", "nsContainer"])
         entry.setValues("cn", "ad")
         entry.setValues("sambaDomainName", self.netbios_name)
@@ -247,6 +293,9 @@ class ADTRUSTInstance(service.Service):
         self.smb_dn = "uid=samba,cn=sysaccounts,cn=etc,%s" % self.suffix
         self.smb_dn_pwd = ipautil.ipa_generate_password()
 
+        self.trust_dn = "cn=trusts,%s" % self.suffix
+        self.smb_dom_dn = "cn=ad,%s" % self.trust_dn
+
         self.__setup_sub_dict()
 
 
@@ -261,6 +310,7 @@ class ADTRUSTInstance(service.Service):
         self.step("writing samba config file", self.__write_smb_conf)
         self.step("setting password for the samba user", self.__set_smb_ldap_password)
         self.step("Adding cifs Kerberos principal", self.__setup_principal)
+        self.step("Adding admin(group) SIDs", self.__add_admin_sids)
         self.step("configuring smbd to start on boot", self.__enable)
         self.step("starting smbd", self.__start)
 
-- 
1.7.6



More information about the Freeipa-devel mailing list