Diffstat (limited to 'install/tools')
-rwxr-xr-x | install/tools/ipa-adtrust-install | 81 | ||||
-rw-r--r-- | install/tools/man/ipa-adtrust-install.1 | 15 |
2 files changed, 95 insertions, 1 deletions
diff --git a/install/tools/ipa-adtrust-install b/install/tools/ipa-adtrust-install
index a4124078f..5340c31d1 100755
--- a/install/tools/ipa-adtrust-install
+++ b/install/tools/ipa-adtrust-install
@@ -61,6 +61,9 @@ def parse_options():
 parser.add_option("--add-sids", dest="add_sids", action="store_true",
 default=False, help="Add SIDs for existing users and" \
 " groups as the final step")
+ parser.add_option("--add-agents", dest="add_agents", action="store_true",
+ default=False, help="Add IPA masters to a list of hosts allowed to serve" \
+ "information about users from trusted forests")
 parser.add_option("--enable-compat", dest="enable_compat", default=False, action="store_true", help="Enable support for trusted domains for old clients")
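Review bot: The continuation of the `--add-agents` help string has no separating space, so the rendered help text reads `...allowed to serveinformation about users...`; the second literal should be `" information about users from trusted forests")`. parse_options() continues past the hunk.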
@@ -380,6 +383,84 @@ def main():
 smb.find_local_id_range()
 smb.create_instance()
+ if options.add_agents:
+ # Find out IPA masters which are not part of the cn=adtrust agents
+ # and propose them to be added to the list
+ base_dn = api.env.basedn
+ masters_dn = DN(('cn', 'masters'), ('cn', 'ipa'), ('cn', 'etc'), base_dn)
+ agents_dn = DN(('cn', 'adtrust agents'), ('cn', 'sysaccounts'), ('cn', 'etc'), base_dn)
+ new_agents = []
+ entries_m = []
+ entries_a = []
+ try:
+ # Search only masters which have support for domain levels
+ # because only these masters will have SSSD recent enough to support AD trust agents
+ (entries_m, truncated) = smb.admin_conn.find_entries(
+ filter="(&(objectclass=ipaSupportedDomainLevelConfig)(!(ipaMaxDomainLevel=0)))",
+ base_dn=masters_dn, attrs_list=['cn'], scope=ldap.SCOPE_ONELEVEL)
+ except errors.NotFound:
+ pass
+ except (errors.DatabaseError, errors.NetworkError), e:
+ print "Could not retrieve a list of existing IPA masters:"
+ print unicode(e)
+
+ try:
+ (entries_a, truncated) = smb.admin_conn.find_entries(filter="",
+ base_dn=agents_dn, attrs_list=['member'], scope=ldap.SCOPE_BASE)
+ except errors.NotFound:
+ pass
+ except (errors.DatabaseError, errors.NetworkError), e:
+ print "Could not retrieve a list of adtrust agents:"
+ print unicode(e)
+
+ if len(entries_m) > 0:
+ existing_masters = [x['cn'][0] for x in entries_m]
+ adtrust_agents = entries_a[0]['member']
+ potential_agents = []
+ for m in existing_masters:
+ mdn = DN(('fqdn', m), api.env.container_host, api.env.basedn)
+ found = False
+ for a in adtrust_agents:
+ if mdn == a:
+ found = True
+ break
+ if not found:
+ potential_agents += [[m, mdn]]
+
+ object_count = len(potential_agents)
+ if object_count > 0:
+ print ""
+ print "WARNING: %d IPA masters are not yet able to serve information about users from trusted forests." \
+ % (object_count)
+ print "Installer can add them to the list of IPA masters allowed to access infromation about trusts."
+ print "If you choose to do so, you also need to restart LDAP service on those masters."
+ print "Refer to ipa-adtrust-install(1) man page for details."
+ print ""
+ if options.unattended:
+ print "Unattended mode was selected, installer will NOT add other IPA masters to the list of allowed to"
+ print "access information about trusted forests!"
+ else:
+ print "Do you want to allow following IPA masters to serve information about users from trusted forests?"
+ for (name, dn) in potential_agents:
+ if name == api.env.host:
+ # Don't add this host here
+ # it shouldn't be here as it was added by the adtrustinstance setup code
+ continue
+ if ipautil.user_input("IPA master [%s]?" % (name), default=False, allow_empty=False):
+ new_agents += [[name, dn]]
+
+ if len(new_agents) > 0:
+ # Add the CIFS and host principals to the 'adtrust agents' group
+ # as 389-ds only operates with GroupOfNames, we have to use
+ # the principal's proper dn as defined in self.cifs_agent
+ service.add_principals_to_group(smb.admin_conn, agents_dn, "member",
+ [x[1] for x in new_agents])
+ print """
+WARNING: you MUST restart (e.g. ipactl restart) the following IPA masters in order
+to activate them to serve information about users from trusted forests:"""
+ for x in new_agents:
+ print x[0]
+ print """
 =============================================================================
 Setup complete
diff --git a/install/tools/man/ipa-adtrust-install.1 b/install/tools/man/ipa-adtrust-install.1
index a32eefb0e..2658f1957 100644
--- a/install/tools/man/ipa-adtrust-install.1
+++ b/install/tools/man/ipa-adtrust-install.1
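Review bot: `adtrust_agents = entries_a[0]['member']` is guarded only by `len(entries_m) > 0`, yet both handlers for the agents search leave `entries_a` as `[]` (NotFound passes, DatabaseError/NetworkError only prints), so a readable master list combined with an unreadable agents entry raises IndexError here instead of skipping, and an agents entry with no `member` values raises KeyError. Tightening the condition to `if entries_m and entries_a:` and reading `adtrust_agents = entries_a[0].get('member', [])` (assuming the entry type is dict-like, as the `x['cn'][0]` access implies) keeps the best-effort intent of the error handlers. `truncated` is discarded for the masters search, so a size-limited result would silently omit masters from the offered list; printing a warning when it is set would make that visible, since an omitted master simply stays unable to serve trusted-forest data with no hint why. The user-facing message also misspells `infromation`. main() continues beyond the hunk on both sides.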
@@ -76,7 +76,7 @@ are needed for the IPA domain which should point to all IPA servers:
 \(bu _kerberos._udp.Default-First-Site-Name._sites.dc._msdcs
 .TP
 \fB\-\-add\-sids\fR
-Add SIDs to existing users and groups as a final step of the
+Add SIDs to existing users and groups as on of final steps of the
 ipa\-adtrust\-install run. If there a many existing users and groups and a couple of replicas in the environment this operation might lead to a high replication traffic and a performance degradation of all IPA servers in the
@@ -85,6 +85,19 @@ ipa\-adtrust\-install is run and scheduled independently. To start this task you have to load an edited version of ipa-sidgen-task-run.ldif with the ldapmodify command info the directory server.
 .TP
+\fB\-\-add\-agents\fR
+Add IPA masters to the list that allows to serve information about
+users from trusted forests. Starting with FreeIPA 4.2, a regular IPA master
+can provide this information to SSSD clients. IPA masters aren't added
+to the list automatically as restart of the LDAP service on each of them
+is required. The host where ipa\-adtrust\-install is being run is added
+automatically.
+.IP
+Note that IPA masters where ipa\-adtrust\-install wasn't run, can serve
+information about users from trusted forests only if they are enabled
+via \ipa-adtrust\-install run on any other IPA master. At least SSSD
+version 1.13 on IPA master is required to be able to perform as a trust agent.
+.TP
 \fB\-U\fR, \fB\-\-unattended\fR
 An unattended installation that will never prompt for user input
 .TP |