authorAlexander Bokovoy <abokovoy@redhat.com>2012-07-13 18:12:48 +0300
committerMartin Kosek <mkosek@redhat.com>2012-07-31 17:44:35 +0200
commit68d5fe1ec7d785f127b3513f84cc632cdb1f9167 (patch)
treec0723e680c929f19f4fd2cb61eb7dfd93287d267 /install/tools/ipa-adtrust-install
parent16ca564b1004eb672fe4ca3573e542f5a3ce014b (diff)
Ensure ipa-adtrust-install is run with Kerberos ticket for admin user
When setting up AD trusts support, the ipa-adtrust-install utility needs to be run as: - root, for performing Samba configuration and using LDAPI/autobind - kinit-ed IPA admin user, to ensure proper ACIs are granted to fetch the keytab As a result, we can get rid of Directory Manager credentials in ipa-adtrust-install https://fedorahosted.org/freeipa/ticket/2815
Diffstat (limited to 'install/tools/ipa-adtrust-install')
-rwxr-xr-xinstall/tools/ipa-adtrust-install48
1 files changed, 28 insertions, 20 deletions
diff --git a/install/tools/ipa-adtrust-install b/install/tools/ipa-adtrust-install
index 6678018e6..02a309306 100755
--- a/install/tools/ipa-adtrust-install
+++ b/install/tools/ipa-adtrust-install
@@ -24,7 +24,7 @@
from ipaserver.plugins.ldap2 import ldap2
from ipaserver.install import adtrustinstance
from ipaserver.install.installutils import *
-from ipaserver.install import installutils
+from ipaserver.install import service
from ipapython import version
from ipapython import ipautil, sysrestore
from ipalib import api, errors, util
@@ -37,8 +37,6 @@ log_file_name = "/var/log/ipaserver-install.log"
def parse_options():
parser = IPAOptionParser(version=version.VERSION)
- parser.add_option("-p", "--ds-password", dest="dm_password",
- sensitive=True, help="directory manager password")
parser.add_option("-d", "--debug", dest="debug", action="store_true",
default=False, help="print debugging information")
parser.add_option("--ip-address", dest="ip_address",
@@ -98,7 +96,7 @@ def main():
root_logger.debug('%s was invoked with options: %s' % (sys.argv[0], safe_options))
root_logger.debug("missing options might be asked for interactively later\n")
- installutils.check_server_configuration()
+ check_server_configuration()
global fstore
fstore = sysrestore.FileStore('/var/lib/ipa/sysrestore')
@@ -194,24 +192,34 @@ def main():
if not options.unattended and ( not netbios_name or not options.netbios_name):
netbios_name = read_netbios_name(netbios_name)
- dm_password = options.dm_password or read_password("Directory Manager",
- confirm=False, validate=False)
- smb = adtrustinstance.ADTRUSTInstance(fstore, dm_password)
+ try:
+ ctx = krbV.default_context()
+ ccache = ctx.default_ccache()
+ principal = ccache.principal()
+ except krbV.Krb5Error, e:
+ sys.exit("Must have Kerberos credentials to setup AD trusts on server")
+
+ try:
+ api.Backend.ldap2.connect(ccache.name)
+ except errors.ACIError, e:
+ sys.exit("Outdated Kerberos credentials. Use kdestroy and kinit to update your ticket")
+ except errors.DatabaseError, e:
+ sys.exit("Cannot connect to the LDAP database. Please check if IPA is running")
- # try the connection
try:
- smb.ldap_connect()
- smb.ldap_disconnect()
- except ldap.INVALID_CREDENTIALS, e:
- sys.exit("Password is not valid!")
-
- if smb.dm_password:
- api.Backend.ldap2.connect(bind_dn="cn=Directory Manager", bind_pw=smb.dm_password)
- else:
- # See if our LDAP server is up and we can talk to it over GSSAPI
- ccache = krbV.default_context().default_ccache().name
- api.Backend.ldap2.connect(ccache)
+ user = api.Command.user_show(unicode(principal[0]))['result']
+ group = api.Command.group_show(u'admins')['result']
+ if not (user['uid'][0] in group['member_user'] and
+ group['cn'][0] in user['memberof_group']):
+ raise errors.RequirementError(name='admins group membership')
+ except errors.RequirementError, e:
+ sys.exit("Must have administrative privileges to setup AD trusts on server")
+ except Exception, e:
+ sys.exit("Unrecognized error during check of admin rights: %s" % (str(e)))
+ smb = adtrustinstance.ADTRUSTInstance(fstore)
+ smb.realm = api.env.realm
+ smb.autobind = service.ENABLED
smb.setup(api.env.host, ip_address, api.env.realm, api.env.domain,
netbios_name, options.rid_base, options.secondary_rid_base,
options.no_msdcs)
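Review bot: The membership test in the `if not (...)` lines indexes `group['member_user']` and `user['memberof_group']` directly, so a missing attribute (an admins group with no direct user members, or a user with no group membership) raises KeyError, which falls through to the generic `except Exception` branch and prints "Unrecognized error during check of admin rights: 'member_user'" instead of the intended privilege message; `group.get('member_user', [])` and `user.get('memberof_group', [])` would keep that case on the clear "Must have administrative privileges" path. The check also appears to consider only direct membership, so an admin reaching admins through a nested group would presumably be refused — a short comment stating that this is a usability pre-flight and that the server-side ACIs remain the authorization boundary would make the intent explicit. `unicode(principal[0])` takes only the first principal component, which for a multi-component (service or host) principal would not be a user name, so a comment or an explicit rejection of such principals would give a clearer error than the generic branch. The enclosing main() starts and ends outside the hunk.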
@@ -250,5 +258,5 @@ information"""
return 0
if __name__ == '__main__':
- installutils.run_script(main, log_file_name=log_file_name,
+ run_script(main, log_file_name=log_file_name,
operation_name='ipa-adtrust-install')