Call certmonger after krb5, avoid uninstall errors, better password handling.

- Move the ipa-getcert request to after we set up /etc/krb5.conf
- Don't try removing certificates that don't exist
- Don't tell certmonger to stop tracking a cert that doesn't exist
- Allow --password/-w to be the kerberos password
- Print an error if prompting for a password would happen in unattended mode
- Still support echoing a password in when in unattended mode

2 files changed, 52 insertions, 23 deletions

diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install
index 4b7a22c2c..99ac39a4a 100755
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@@ -64,7 +64,7 @@ def parse_options():
     parser.add_option("-N", "--no-ntp", action="store_false",
                       help="do not configure ntp", default=True, dest="conf_ntp")
     parser.add_option("-w", "--password", dest="password",
-                      help="password to join the IPA realm"),
+                      help="password to join the IPA realm (assumes bulk password unless principal is also set)"),
     parser.add_option("-W", dest="prompt_password", action="store_true",
                       default=False,
                       help="Prompt for a password to join the IPA realm"),
@@ -112,21 +112,31 @@ def logging_setup(options):
     console.setFormatter(formatter)
     logging.getLogger('').addHandler(console)
 
+def nickname_exists(nickname):
+        (sout, serr, returncode) = run(["/usr/bin/certutil", "-L", "-d", "/etc/pki/nssdb", "-n", nickname], raiseonerr=False)
+
+        if returncode == 0:
+            return True
+        else:
+            return False
+
 def uninstall(options):
 
     # Remove our host cert and CA cert
-    try:
-        run(["/usr/bin/certutil", "-D", "-d", "/etc/pki/nssdb", "-n", "IPA CA"])
-    except Exception, e:
-        print "Failed to remove IPA CA from /etc/pki/nssdb: %s" % str(e)
-    try:
-        run(["/usr/bin/certutil", "-D", "-d", "/etc/pki/nssdb", "-n", "Server-Cert"])
-    except Exception, e:
-        print "Failed to remove Server-Cert from /etc/pki/nssdb: %s" % str(e)
-    try:
-        run(["/usr/bin/ipa-getcert", "stop-tracking", "-d", "/etc/pki/nssdb", "-n", "Server-Cert"])
-    except Exception, e:
-        print "Failed to stop tracking Server-Cert in certmonger: %s" % str(e)
+    if nickname_exists("IPA CA"):
+        try:
+            run(["/usr/bin/certutil", "-D", "-d", "/etc/pki/nssdb", "-n", "IPA CA"])
+        except Exception, e:
+            print "Failed to remove IPA CA from /etc/pki/nssdb: %s" % str(e)
+    if nickname_exists("Server-Cert"):
+        try:
+            run(["/usr/bin/certutil", "-D", "-d", "/etc/pki/nssdb", "-n", "Server-Cert"])
+        except Exception, e:
+            print "Failed to remove Server-Cert from /etc/pki/nssdb: %s" % str(e)
+        try:
+            run(["/usr/bin/ipa-getcert", "stop-tracking", "-d", "/etc/pki/nssdb", "-n", "Server-Cert"])
+        except Exception, e:
+            print "Failed to stop tracking Server-Cert in certmonger: %s" % str(e)
 
     try:
         run(["/sbin/service", "certmonger", "stop"])
@@ -480,12 +490,24 @@ def main():
             if options.debug:
                 join_args.append("-d")
             if options.principal is not None:
+                stdin = None
                 principal = options.principal
                 if principal.find('@') == -1:
                     principal = '%s@%s' % (principal, cli_realm)
-                print "Password for %s: " % principal,
-                sys.stdout.flush()
-                (stderr, stdout, returncode) = run(["/usr/kerberos/bin/kinit", principal], raiseonerr=False)
+                if options.password is not None:
+                    stdin = options.password
+                else:
+                    if not options.unattended:
+                        print "Password for %s: " % principal,
+                        sys.stdout.flush()
+                    else:
+                        if sys.stdin.isatty():
+                            print "Password must be provided in non-interactive mode"
+                            return 1
+                        else:
+                            stdin = sys.stdin.readline()
+
+                (stderr, stdout, returncode) = run(["/usr/kerberos/bin/kinit", principal], raiseonerr=False, stdin=stdin)
                 print ""
                 if returncode != 0:
                     print stdout
@@ -494,6 +516,9 @@ def main():
                 join_args.append("-w")
                 join_args.append(options.password)
             elif options.prompt_password:
+                if options.unattended:
+                    print "Password must be provided in non-interactive mode"
+                    return 1
                 password = getpass.getpass("Password: ")
                 join_args.append("-w")
                 join_args.append(password)
@@ -539,8 +564,6 @@ def main():
     # Add the CA to the default NSS database and trust it
     run(["/usr/bin/certutil", "-A", "-d", "/etc/pki/nssdb", "-n", "IPA CA", "-t", "CT,C,C", "-a", "-i", "/etc/ipa/ca.crt"])
 
-    if not options.on_master:
-        configure_certmonger(fstore, subject_base, cli_realm, options)
 
     # If on master assume kerberos is already configured properly.
     if not options.on_master:
@@ -551,6 +574,8 @@ def main():
 
         print "Configured /etc/krb5.conf for IPA realm " + cli_realm
 
+        configure_certmonger(fstore, subject_base, cli_realm, options)
+
     # Modify nsswitch/pam stack
     if options.sssd:
         cmd = ["/usr/sbin/authconfig", "--enablesssd", "--enablesssdauth", "--update"]
diff --git a/ipa-client/man/ipa-client-install.1 b/ipa-client/man/ipa-client-install.1
index 9eb0b39d9..4a1fcb543 100644
--- a/ipa-client/man/ipa-client-install.1
+++ b/ipa-client/man/ipa-client-install.1
@@ -50,26 +50,30 @@ Unattended installation. The user will not be prompted.
 \fB\-N\fR, \fB\-\-no\-ntp\fR
 Do not configure or enable NTP.
 .TP 
+\fB\-\-ntp-server\fR=\fINTP_SERVER\fR
+Configure ntpd to use this NTP server.
+Do not configure or enable NTP.
+.TP
 \fB\-S\fR, \fB\-\-no\-sssd\fR
 Do not configure the client to use SSSD for authentication, use nss_ldap instead.
 .TP
 \fB\-\-on\-master\fB
 The client is being configured on an IPA server.
 .TP 
-\fB\-w\fR, \fB\-\-password\fR
-Password for joining a machine to the IPA realm.
+\fB\-w\fR \fIPASSWORD\fR, \fB\-\-password\fR=\fIPASSWORD\fR
+Password for joining a machine to the IPA realm. Assumes bulk password unless principal is also set.
 .TP 
 \fB\-W\fR
 Prompt for the password for joining a machine to the IPA realm.
 .TP 
 \fB\-p\fR, \fB\-\-principal\fR
-Principal to use to join the IPA realm.
+Authorized kerberos principal to use to join the IPA realm.
 .TP 
 \fB\-\-permit\fR
-Set the SSSD access rules to permit all access. Otherwise the machine will be controlled by the Host-based Access Controls on the IPA server.
+Configure SSSD to permit all access. Otherwise the machine will be controlled by the Host-based Access Controls (HBAC) on the IPA server.
 .TP 
 \fB\-\-mkhomedir\fR
-Create a users home directory if it does not exist.
+Configure pam to create a users home directory if it does not exist.
 .TP
 \fB\-\-uninstall\fR
 Remove the IPA client software and restore the configuration to the pre-IPA state.