-rw-r--r-- | ACI.txt | 2 | ||||
-rw-r--r-- | ipalib/plugins/trust.py | 3 | ||||
-rw-r--r-- | ipaserver/install/adtrustinstance.py | 44 | ||||
-rw-r--r-- | ipaserver/install/dsinstance.py | 16 | ||||
-rw-r--r-- | ipaserver/install/server/upgrade.py | 21 | ||||
-rw-r--r-- | ipaserver/install/service.py | 27 |
6 files changed, 81 insertions, 32 deletions
@@ -299,7 +299,7 @@ aci: (targetattr = "cmdcategory || cn || createtimestamp || description || entry
 dn: dc=ipa,dc=example
 aci: (targetattr = "cn || createtimestamp || description || entryusn || modifytimestamp || objectclass || ou || sudocommand || sudohost || sudonotafter || sudonotbefore || sudooption || sudoorder || sudorunas || sudorunasgroup || sudorunasuser || sudouser")(target = "ldap:///ou=sudoers,dc=ipa,dc=example")(version 3.0;acl "permission:System: Read Sudoers compat tree";allow (compare,read,search) userdn = "ldap:///anyone";)
 dn: cn=trusts,dc=ipa,dc=example
-aci: (targetattr = "cn || createtimestamp || entryusn || ipantflatname || ipantsecurityidentifier || ipantsidblacklistincoming || ipantsidblacklistoutgoing || ipanttrusteddomainsid || ipanttrustpartner || modifytimestamp || objectclass")(version 3.0;acl "permission:System: Read Trust Information";allow (compare,read,search) userdn = "ldap:///all";)
+aci: (targetattr = "cn || createtimestamp || entryusn || ipantflatname || ipantsecurityidentifier || ipantsidblacklistincoming || ipantsidblacklistoutgoing || ipanttrustdirection || ipanttrusteddomainsid || ipanttrustpartner || modifytimestamp || objectclass")(version 3.0;acl "permission:System: Read Trust Information";allow (compare,read,search) userdn = "ldap:///all";)
 dn: cn=trusts,dc=ipa,dc=example
 aci: (targetattr = "gidnumber || krbprincipalname || uidnumber")(version 3.0;acl "permission:System: Read system trust accounts";allow (compare,read,search) groupdn = "ldap:///cn=System: Read system trust accounts,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=groups,cn=accounts,dc=ipa,dc=example
diff --git a/ipalib/plugins/trust.py b/ipalib/plugins/trust.py
index 22fbb9c7c..5b884ca89 100644
--- a/ipalib/plugins/trust.py
+++ b/ipalib/plugins/trust.py
@@ -327,7 +327,8 @@ class trust(LDAPObject): 'cn', 'objectclass', 'ipantflatname', 'ipantsecurityidentifier', 'ipanttrusteddomainsid', 'ipanttrustpartner', - 'ipantsidblacklistincoming', 'ipantsidblacklistoutgoing' + 'ipantsidblacklistincoming', 'ipantsidblacklistoutgoing', + 'ipanttrustdirection' }, }, diff --git a/ipaserver/install/adtrustinstance.py b/ipaserver/install/adtrustinstance.py index 8591a434a..8343f8182 100644 --- a/ipaserver/install/adtrustinstance.py +++ b/ipaserver/install/adtrustinstance.py @@ -171,6 +171,9 @@ class ADTRUSTInstance(service.Service): self.cifs_agent = DN(('krbprincipalname', self.cifs_principal.lower()), api.env.container_service, self.suffix) + self.host_princ = DN(('fqdn', self.fqdn), + api.env.container_host, + self.suffix) def __gen_sid_string(self): @@ -450,12 +453,11 @@ class ADTRUSTInstance(service.Service): """ self.__add_plugin_conf('CLDAP', 'ipa_cldap', 'ipa-cldap-conf.ldif') - def __add_sidgen_module(self): + def __add_sidgen_task(self): """ Add sidgen directory server plugin configuration and the related task if they not already exist. """ - self.__add_plugin_conf('Sidgen', 'IPA SIDGEN', 'ipa-sidgen-conf.ldif') self.__add_plugin_conf('Sidgen task', 'ipa-sidgen-task', 'ipa-sidgen-task-conf.ldif') @@ -469,14 +471,6 @@ class ADTRUSTInstance(service.Service): except: pass - def __add_extdom_module(self): - """ - Add directory server configuration for the extdom extended operation - if it not already exists. - """ - self.__add_plugin_conf('Extdom', 'ipa_extdom_extop', - 'ipa-extdom-extop-conf.ldif') - def __add_s4u2proxy_target(self): """ Add CIFS principal to S4U2Proxy target 
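Review bot: The new attribute `self.host_princ` in the `@@ -171,6 +171,9 @@` hunk of adtrustinstance.py holds the DN of the host *entry* (`fqdn=<fqdn>` under `api.env.container_host`), not a Kerberos principal name, so the name suggests a `host/<fqdn>@REALM` string that is never built here. A name that mirrors the sibling `self.cifs_agent`, e.g. `self.host_agent = DN(('fqdn', self.fqdn), api.env.container_host, self.suffix)`, would make the later `[self.cifs_agent, self.host_princ]` list read as two agent DNs. The assignment also presumes `self.fqdn` and `self.suffix` are already set at this point; the enclosing method starts outside the hunk, so that cannot be confirmed from here.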
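Review bot: The docstring of the renamed `__add_sidgen_task` (the `@@ -450,12 +453,11 @@` hunk) is now stale: it still says "Add sidgen directory server plugin configuration and the related task", but the `'ipa-sidgen-conf.ldif'` call is removed in the same hunk and only the task LDIF is applied, the plugin itself having moved to `DsInstance`. Suggested replacement: `"""Add the sidgen directory server task configuration if it does not already exist; the sidgen plugin itself is enabled by DsInstance._add_sidgen_plugin."""`. The method body continues past the hunk, so the remainder of its error handling was not reviewed.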
@@ -509,6 +503,13 @@ class ADTRUSTInstance(service.Service): finally: os.remove(tmp_name) + def __setup_group_membership(self): + # Add the CIFS and host principals to the 'adtrust agents' group + # as 389-ds only operates with GroupOfNames, we have to use + # the principal's proper dn as defined in self.cifs_agent + service.add_principals_to_group(self.admin_conn, self.smb_dn, "member", + [self.cifs_agent, self.host_princ]) + def __setup_principal(self): try: api.Command.service_add(unicode(self.cifs_principal)) @@ -520,24 +521,6 @@ class ADTRUSTInstance(service.Service): except Exception, e: self.print_msg("Cannot add CIFS service: %s" % e) - # Add the principal to the 'adtrust agents' group - # as 389-ds only operates with GroupOfNames, we have to use - # the principal's proper dn as defined in self.cifs_agent - try: - current = self.admin_conn.get_entry(self.smb_dn) - members = current.get('member', []) - if not(self.cifs_agent in members): - current["member"] = members + [self.cifs_agent] - self.admin_conn.update_entry(current) - except errors.NotFound: - entry = self.admin_conn.make_entry( - self.smb_dn, - objectclass=["top", "GroupOfNames"], - cn=[self.smb_dn['cn']], - member=[self.cifs_agent], - ) - self.admin_conn.add_entry(entry) - self.clean_samba_keytab() try: 
@@ -846,14 +829,15 @@ class ADTRUSTInstance(service.Service): self.step("creating samba config registry", self.__write_smb_registry) self.step("writing samba config file", self.__write_smb_conf) self.step("adding cifs Kerberos principal", self.__setup_principal) + self.step("adding cifs and host Kerberos principals to the adtrust agents group", \ + self.__setup_group_membership) self.step("check for cifs services defined on other replicas", self.__check_replica) self.step("adding cifs principal to S4U2Proxy targets", self.__add_s4u2proxy_target) self.step("adding admin(group) SIDs", self.__add_admin_sids) self.step("adding RID bases", self.__add_rid_bases) self.step("updating Kerberos config", self.__update_krb5_conf) self.step("activating CLDAP plugin", self.__add_cldap_module) - self.step("activating sidgen plugin and task", self.__add_sidgen_module) - self.step("activating extdom plugin", self.__add_extdom_module) + self.step("activating sidgen task", self.__add_sidgen_task) self.step("configuring smbd to start on boot", self.__enable) self.step("adding special DNS service records", \ self.__add_dns_service_records) diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py index 2e54bf94b..b2558024f 100644 --- a/ipaserver/install/dsinstance.py +++ b/ipaserver/install/dsinstance.py @@ -265,6 +265,8 @@ class DsInstance(service.Service): self.step("adding replication acis", self.__add_replication_acis) self.step("enabling compatibility plugin", self.__enable_compat_plugin) + self.step("activating sidgen plugin", self._add_sidgen_plugin) + self.step("activating extdom plugin", self._add_extdom_plugin) self.step("tuning directory server", self.__tuning) self.step("configuring directory to start on boot", self.__enable) 
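Review bot: The added `self.step("adding cifs and host Kerberos principals to the adtrust agents group", \` line in the `@@ -846,14 +829,15 @@` hunk uses a backslash continuation inside an open parenthesis, where Python already continues the expression, and the label is noticeably longer than its neighbours. A shorter label without the backslash, `self.step("adding cifs and host principals to adtrust agents group", self.__setup_group_membership)`, keeps the step list uniform. Note also that after this hunk the sidgen and extdom plugins are no longer activated by the AD trust installer at all; that is correct only if every server this runs on has gone through the `DsInstance` install step or the new upgrade step that enables them, which the commit appears to provide in dsinstance.py and upgrade.py.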
@@ -923,6 +925,20 @@ class DsInstance(service.Service): def __add_range_check_plugin(self): self._ldap_mod("range-check-conf.ldif", self.sub_dict) + # These two methods are not local, they are also called from the upgrade code + def _add_sidgen_plugin(self): + """ + Add sidgen directory server plugin configuration if it does not already exist. + """ + self._ldap_mod('ipa-sidgen-conf.ldif', self.sub_dict) + + def _add_extdom_plugin(self): + """ + Add directory server configuration for the extdom extended operation + if it does not already exist. + """ + self._ldap_mod('ipa-extdom-extop-conf.ldif', self.sub_dict) + def replica_populate(self): self.ldap_connect() diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py index 740f04634..84a5b06ac 100644 --- a/ipaserver/install/server/upgrade.py +++ b/ipaserver/install/server/upgrade.py @@ -18,6 +18,7 @@ import ipalib.errors from ipaplatform import services from ipaplatform.tasks import tasks from ipapython import ipautil, sysrestore, version, certdb +from ipapython import ipaldap from ipapython.ipa_log_manager import * from ipapython import certmonger from ipapython import dogtag @@ -1254,6 +1255,18 @@ def update_mod_nss_protocol(http): sysupgrade.set_upgrade_state('nss.conf', 'protocol_updated_tls12', True) +def ds_enable_sidgen_extdom_plugins(ds): + """For AD trust agents, make sure we enable sidgen and extdom plugins + """ + root_logger.info('[Enable sidgen and extdom plugins by default]') + + if sysupgrade.get_upgrade_state('ds', 'enable_ds_sidgen_extdom_plugins'): + root_logger.info('sidgen and extdom plugins are enabled already') + return + + ds._add_sidgen_plugin() + ds._add_extdom_plugin() + sysupgrade.set_upgrade_state('ds', 'enable_ds_sidgen_extdom_plugins', True) def ca_upgrade_schema(ca): root_logger.info('[Upgrading CA schema]') 
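Review bot: The docstring of the new `ds_enable_sidgen_extdom_plugins` in the `@@ -1254,6 +1255,18 @@` hunk of upgrade.py says "For AD trust agents", but the function enables both plugins unconditionally on every upgraded server regardless of its trust role, matching the new unconditional install step in dsinstance.py; the docstring should say so, e.g. `"""Enable the sidgen and extdom DS plugins on every server (they are no longer enabled only by the AD trust installer)."""`. Judging from the twelve `+` lines of the hunk, the last added line `sysupgrade.set_upgrade_state('ds', 'enable_ds_sidgen_extdom_plugins', True)` is followed directly by `def ca_upgrade_schema(ca):` with no blank lines in between, so two blank lines should be added there to match the rest of the module. The upgrade-state flag is only written after both `_add_*_plugin` calls return, which is the right order: a failure in either call leaves the step to be retried on the next upgrade.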
@@ -1412,6 +1425,14 @@ def upgrade_configuration(): remove_ds_ra_cert(subject_base) ds.start(ds_serverid) + # Force enabling plugins via LDAPI and external bind + ds.ldapi = True + ds.autobind = ipaldap.AUTOBIND_ENABLED + ds.fqdn = fqdn + ds.realm = api.env.realm + ds.suffix = ipautil.realm_to_suffix(api.env.realm) + ds_enable_sidgen_extdom_plugins(ds) + uninstall_selfsign(ds, http) simple_service_list = ( diff --git a/ipaserver/install/service.py b/ipaserver/install/service.py index 88307a077..2f5f565b1 100644 --- a/ipaserver/install/service.py +++ b/ipaserver/install/service.py @@ -71,6 +71,33 @@ def format_seconds(seconds): parts[-1] += 's' return ' '.join(parts) +def add_principals_to_group(admin_conn, group, member_attr, principals): + """Add principals to a GroupOfNames LDAP group + admin_conn -- LDAP connection with admin rights + group -- DN of the group + member_attr -- attribute to represent members + principals -- list of DNs to add as members + """ + try: + current = admin_conn.get_entry(group) + members = current.get(member_attr, []) + if len(members) == 0: + current[member_attr] = [] + for amember in principals: + if not(amember in members): + current[member_attr].extend([amember]) + admin_conn.update_entry(current) + except errors.NotFound: + entry = admin_conn.make_entry( + group, + objectclass=["top", "GroupOfNames"], + cn=[group['cn']], + member=principals, + ) + admin_conn.add_entry(entry) + except errors.EmptyModlist: + # If there are no changes just pass + pass class Service(object): def __init__(self, service_name, service_desc=None, sstore=None, |
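Review bot: In the `@@ -1412,6 +1425,14 @@` hunk of upgrade.py, `upgrade_configuration` reaches into the `DsInstance` and sets `ds.ldapi`, `ds.autobind`, `ds.fqdn`, `ds.realm` and `ds.suffix` by hand just so that `_add_sidgen_plugin`/`_add_extdom_plugin` can run; that couples the upgrade code to private details of how `_ldap_mod` connects, and nothing in the hunk shows `ds.sub_dict`, which those two methods pass to `_ldap_mod`, being populated — presumably it is set earlier in this function, but that should be verified. A small setup method on `DsInstance` (for example one that takes `fqdn` and `realm` and fills in `suffix`, `ldapi` and `autobind` itself) would keep that knowledge in one place. The comment `# Force enabling plugins via LDAPI and external bind` is accurate as far as the hunk shows, but it is worth stating in it that the upgrade runs with root privileges and therefore the LDAPI external bind maps to the directory manager, which is why no credentials are needed here. `upgrade_configuration` itself starts and ends outside the hunk.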
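Review bot: In the new `add_principals_to_group` (the `@@ -71,6 +71,33 @@` hunk of service.py) the `member_attr` parameter is honoured only on the update path; the `errors.NotFound` branch creates the group with a hard-coded `member=principals`, so any caller passing a different attribute name gets a group whose members live under the wrong attribute. The update path also dedupes against `members`, which in the empty case is the detached `[]` default rather than `current[member_attr]`, so duplicates inside `principals` would be appended twice; and whether `LDAPEntry` notices the in-place `.extend` (the removed adtrustinstance.py code reassigned `current["member"]`) is not visible here and should be confirmed. Rewriting the update path to compute the missing DNs and reassign the attribute, and using `**{member_attr: principals}` when creating the group, resolves all three; the rewritten lines follow.
```python
    try:
        current = admin_conn.get_entry(group)
        members = list(current.get(member_attr, []))
        missing = [p for p in principals if p not in members]
        if missing:
            # reassign rather than extend in place so the entry records the change
            current[member_attr] = members + missing
            admin_conn.update_entry(current)
    except errors.NotFound:
        entry = admin_conn.make_entry(
            group,
            objectclass=["top", "GroupOfNames"],
            cn=[group['cn']],
            **{member_attr: principals}
        )
        admin_conn.add_entry(entry)
    # … unchanged: EmptyModlist handler …
```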