From 191f5146401db8d6aa693b08b18322ef7df2aab2 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy
Date: Fri, 17 Aug 2012 15:26:58 +0300
Subject: Ask for admin password in ipa-adtrust-install
The credentials of the admin user will be used to obtain Kerberos ticket before configuring cross-realm trusts support and afterwards, to ensure that the ticket contains MS-PAC information required to actually add a trust with Active Directory domain via 'ipa trust-add --type=ad' command.
https://fedorahosted.org/freeipa/ticket/2852
---
 install/tools/ipa-adtrust-install | 37 +++++++++++++++++++++++++++++++++
 install/tools/man/ipa-adtrust-install.1 | 9 ++++++++
 2 files changed, 46 insertions(+)
(limited to 'install')
diff --git a/install/tools/ipa-adtrust-install b/install/tools/ipa-adtrust-install
index 8cea077cc..12e218de6 100755
--- a/install/tools/ipa-adtrust-install
+++ b/install/tools/ipa-adtrust-install
@@ -55,6 +55,12 @@ def parse_options():
 "UIDs and GIDs to RIDs")
 parser.add_option("-U", "--unattended", dest="unattended", action="store_true", default=False, help="unattended installation never prompts the user")
+ parser.add_option("-a", "--admin-password",
+ sensitive=True, dest="admin_password",
+ help="admin user kerberos password")
+ parser.add_option("-A", "--admin-name",
+ sensitive=True, dest="admin_name", default='admin',
+ help="admin user principal")
 options, args = parser.parse_args()
 safe_options = parser.get_safe_opts(options)
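Review bot: `--admin-name` is flagged `sensitive=True` alongside the password, and if `parser.get_safe_opts(options)` on the last context line masks sensitive values before they are logged (its name suggests so; the implementation is not in this hunk), that hides the principal name from the install log — the one value needed to diagnose a failed kinit, and not a secret. I would drop the flag: `parser.add_option("-A", "--admin-name", dest="admin_name", default='admin', help="admin user principal")`. The `-a` help text should also carry the usual caveat that a password passed as an argument is readable by other local users through the process list and may land in shell history, e.g. `help="admin user kerberos password (visible to other users in the process list; prefer the interactive prompt)"`. `parse_options` starts before the hunk.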
@@ -85,6 +91,21 @@ def read_netbios_name(netbios_default):
 return netbios_name
+def read_admin_password(admin_name):
+ print "Configuring cross-realm trusts for IPA server requires password for user '%s'." % (admin_name)
+ print "This user is a regular system account used for IPA server administration."
+ print ""
+ admin_password = read_password(admin_name, confirm=False, validate=None)
+ return admin_password
+
+def ensure_admin_kinit(admin_name, admin_password):
+ try:
+ ipautil.run(['kinit', admin_name], stdin=admin_password+'\n')
+ except ipautil.CalledProcessError, e:
+ print "There was error to automatically re-kinit your admin user ticket."
+ return False
+ return True
+
 def main(): safe_options, options = parse_options()
@@ -193,6 +214,16 @@ def main():
 if not options.unattended and ( not netbios_name or not options.netbios_name): netbios_name = read_netbios_name(netbios_name)
+ admin_password = options.admin_password
+ if not (options.unattended or admin_password):
+ admin_password = read_admin_password(options.admin_name)
+
+ admin_kinited = None
+ if admin_password:
+ admin_kinited = ensure_admin_kinit(options.admin_name, admin_password)
+ if not admin_kinited:
+ print "Proceeding with credentials that existed before"
+
 try: ctx = krbV.default_context()
 ccache = ctx.default_ccache()
@@ -252,6 +283,12 @@ You may want to choose to REJECT the network packets instead of DROPing them
 to avoid timeouts on the AD domain controllers.
 =============================================================================
+"""
+ if admin_password:
+ admin_kinited = ensure_admin_kinit(options.admin_name, admin_password)
+
+ if not admin_kinited:
+ print """
 WARNING: you MUST re-kinit admin user before using 'ipa trust-*' commands family in order to re-generate Kerberos tickets to include AD-specific information"""
diff --git a/install/tools/man/ipa-adtrust-install.1 b/install/tools/man/ipa-adtrust-install.1
index 22337c3df..936e04c24 100644
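Review bot: The `except ipautil.CalledProcessError, e:` branch in `ensure_admin_kinit` binds `e` and never uses it, so a wrong password, an unknown principal and an unreachable KDC all surface as the same `There was error to automatically re-kinit your admin user ticket.` message; I would report the principal and kinit's own diagnostic instead: `print "Failed to obtain a Kerberos ticket for '%s': %s" % (admin_name, e)`. Passing the password through `stdin=` rather than on the `kinit` argument list is the right choice and deserves a one-line comment saying so, `# password on stdin, never in the process argument list`, together with a check that `ipautil.run` does not log what it writes to stdin — its implementation is outside this diff. A docstring on `ensure_admin_kinit` should also state that `kinit` with no `-c` writes the admin TGT into the caller's default credential cache and that nothing in this change removes it on exit, since that persisting ticket is exactly what the commit message relies on for the later `ipa trust-add` run.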
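Review bot: In `main`, when `--admin-password` was supplied but `ensure_admin_kinit` returns False, the installer prints `Proceeding with credentials that existed before` and carries on, so in unattended mode a mistyped password is silently accepted and the trust setup proceeds under whatever principal already sits in the default credential cache, which need not be `--admin-name`. A password that was explicitly given and then rejected is far more likely an operator error than a request to fall back, so I would make it fatal, e.g. `sys.exit("Unable to obtain a Kerberos ticket for '%s' with the supplied password" % options.admin_name)` (assuming `sys` is imported, which this hunk does not show), and keep the fallback only for the no-password case. The `main` body and the `krbV` ccache inspection that begins on the hunk's last lines continue outside the hunk.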
--- a/install/tools/man/ipa-adtrust-install.1
+++ b/install/tools/man/ipa-adtrust-install.1
@@ -41,6 +41,15 @@ Do not create DNS service records for Windows in managed DNS server
 .TP
 \fB\-U\fR, \fB\-\-unattended\fR
 An unattended installation that will never prompt for user input
+.TP
+\fB\-A\fR, \fB\-\-admin\-name\fR=\fIADMIN_NAME\fR
+The name of the user with administrative privileges for this IPA server. Defaults to 'admin'.
+.TP
+\fB\-a\fR, \fB\-\-admin\-password\fR=\fIpassword\fR
+The password of the user with administrative privileges for this IPA server. Will be asked interactively if \fB\-U\fR is not specified.
+.TP
+The credentials of the admin user will be used to obtain Kerberos ticket before configuring cross-realm trusts support and afterwards, to ensure that the ticket contains MS-PAC information required to actually add a trust with Active Directory domain via 'ipa trust-add --type=ad' command.
+.TP
 .SH "EXIT STATUS"
 0 if the installation was successful
--
cgit