authorAlexander Bokovoy <abokovoy@redhat.com>2012-08-17 15:26:58 +0300
committerAlexander Bokovoy <abokovoy@redhat.com>2012-08-24 16:16:58 +0300
commit191f5146401db8d6aa693b08b18322ef7df2aab2 (patch)
treed7b5d8e7564ee2824ea517a7057ea993b36b79a8
parent1328f984d060b944fb8734a51edc0946cd42bbb3 (diff)
Ask for admin password in ipa-adtrust-install
The credentials of the admin user will be used to obtain a Kerberos ticket before configuring cross-realm trust support and again afterwards, to ensure that the ticket contains the MS-PAC information required to actually add a trust with an Active Directory domain via the 'ipa trust-add --type=ad' command. https://fedorahosted.org/freeipa/ticket/2852
-rwxr-xr-xinstall/tools/ipa-adtrust-install37
-rw-r--r--install/tools/man/ipa-adtrust-install.19
2 files changed, 46 insertions, 0 deletions
diff --git a/install/tools/ipa-adtrust-install b/install/tools/ipa-adtrust-install
index 8cea077cc..12e218de6 100755
--- a/install/tools/ipa-adtrust-install
+++ b/install/tools/ipa-adtrust-install
@@ -55,6 +55,12 @@ def parse_options():
"UIDs and GIDs to RIDs")
parser.add_option("-U", "--unattended", dest="unattended", action="store_true",
default=False, help="unattended installation never prompts the user")
+ parser.add_option("-a", "--admin-password",
+ sensitive=True, dest="admin_password",
+ help="admin user kerberos password")
+ parser.add_option("-A", "--admin-name",
+ sensitive=True, dest="admin_name", default='admin',
+ help="admin user principal")
options, args = parser.parse_args()
safe_options = parser.get_safe_opts(options)
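Review bot: The new `-a/--admin-password` option takes the secret as a command-line argument, so it lands in the process's argv (readable by other local users through `ps`) and in the shell history; `sensitive=True` presumably only keeps it out of the options recorded by `parser.get_safe_opts(options)` on the last context line — please confirm. The man page hunk in this commit could state that and recommend the interactive prompt for anything other than scripted installs. Separately, `sensitive=True` on the `--admin-name` option masks a value that is not a secret and hides which principal the install actually used; `parser.add_option("-A", "--admin-name", dest="admin_name", default='admin',` would keep it in the log. parse_options starts before this hunk.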
@@ -85,6 +91,21 @@ def read_netbios_name(netbios_default):
return netbios_name
+def read_admin_password(admin_name):
+ print "Configuring cross-realm trusts for IPA server requires password for user '%s'." % (admin_name)
+ print "This user is a regular system account used for IPA server administration."
+ print ""
+ admin_password = read_password(admin_name, confirm=False, validate=None)
+ return admin_password
+
+def ensure_admin_kinit(admin_name, admin_password):
+ try:
+ ipautil.run(['kinit', admin_name], stdin=admin_password+'\n')
+ except ipautil.CalledProcessError, e:
+ print "There was error to automatically re-kinit your admin user ticket."
+ return False
+ return True
+
def main():
safe_options, options = parse_options()
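Review bot: In `ensure_admin_kinit` the caught exception `e` is never used, so the message printed on failure carries no reason and the user cannot tell a mistyped password from an unreachable KDC; since the password is handed to kinit over stdin rather than argv, the exception text should be safe to show, assuming ipautil.CalledProcessError does not embed the stdin data — confirm. I would print it and fix the wording: `print "There was an error re-kinit'ing the admin user ticket automatically: %s" % e`. `read_admin_password` returns whatever `read_password` gives back with `confirm=False, validate=None` and performs no check of its own, so a docstring saying that the caller is expected to test the returned value for truthiness would help. The `def main():` on the last hunk line continues outside the hunk.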
@@ -193,6 +214,16 @@ def main():
if not options.unattended and ( not netbios_name or not options.netbios_name):
netbios_name = read_netbios_name(netbios_name)
+ admin_password = options.admin_password
+ if not (options.unattended or admin_password):
+ admin_password = read_admin_password(options.admin_name)
+
+ admin_kinited = None
+ if admin_password:
+ admin_kinited = ensure_admin_kinit(options.admin_name, admin_password)
+ if not admin_kinited:
+ print "Proceeding with credentials that existed before"
+
try:
ctx = krbV.default_context()
ccache = ctx.default_ccache()
@@ -252,6 +283,12 @@ You may want to choose to REJECT the network packets instead of DROPing
them to avoid timeouts on the AD domain controllers.
=============================================================================
+"""
+ if admin_password:
+ admin_kinited = ensure_admin_kinit(options.admin_name, admin_password)
+
+ if not admin_kinited:
+ print """
WARNING: you MUST re-kinit admin user before using 'ipa trust-*' commands
family in order to re-generate Kerberos tickets to include AD-specific
information"""
diff --git a/install/tools/man/ipa-adtrust-install.1 b/install/tools/man/ipa-adtrust-install.1
index 22337c3df..936e04c24 100644
--- a/install/tools/man/ipa-adtrust-install.1
+++ b/install/tools/man/ipa-adtrust-install.1
@@ -41,6 +41,15 @@ Do not create DNS service records for Windows in managed DNS server
.TP
\fB\-U\fR, \fB\-\-unattended\fR
An unattended installation that will never prompt for user input
+.TP
+\fB\-A\fR, \fB\-\-admin\-name\fR=\fIADMIN_NAME\fR
+The name of the user with administrative privileges for this IPA server. Defaults to 'admin'.
+.TP
+\fB\-a\fR, \fB\-\-admin\-password\fR=\fIpassword\fR
+The password of the user with administrative privileges for this IPA server. Will be asked interactively if \fB\-U\fR is not specified.
+.TP
+The credentials of the admin user will be used to obtain Kerberos ticket before configuring cross-realm trusts support and afterwards, to ensure that the ticket contains MS-PAC information required to actually add a trust with Active Directory domain via 'ipa trust-add --type=ad' command.
+.TP
.SH "EXIT STATUS"
0 if the installation was successful