authorSumit Bose <sbose@redhat.com>2012-10-02 22:11:17 +0200
committerRob Crittenden <rcritten@redhat.com>2012-10-04 22:23:45 -0400
commit7e14a45aa01b91d6d6b91208daabb2875fbb97ae (patch)
treeb657761382de473ad48954aa522aabd247ce3929
parent3ab542aba26c8798d1815dd35bcac1a1b3163f82 (diff)
downloadfreeipa.git-7e14a45aa01b91d6d6b91208daabb2875fbb97ae.tar.gz
freeipa.git-7e14a45aa01b91d6d6b91208daabb2875fbb97ae.tar.xz
freeipa.git-7e14a45aa01b91d6d6b91208daabb2875fbb97ae.zip
Add SIDs for existing users and groups at the end of ipa-adtrust-install
Fixes https://fedorahosted.org/freeipa/ticket/3104
-rw-r--r--daemons/ipa-slapi-plugins/ipa-sidgen/Makefile.am1
-rw-r--r--daemons/ipa-slapi-plugins/ipa-sidgen/ipa-sidgen-task-example.ldif10
-rw-r--r--daemons/ipa-slapi-plugins/ipa-sidgen/ipa-sidgen-task-run.ldif10
-rwxr-xr-xinstall/tools/ipa-adtrust-install5
-rw-r--r--install/tools/man/ipa-adtrust-install.110
-rw-r--r--ipaserver/install/adtrustinstance.py19
6 files changed, 43 insertions, 12 deletions
diff --git a/daemons/ipa-slapi-plugins/ipa-sidgen/Makefile.am b/daemons/ipa-slapi-plugins/ipa-sidgen/Makefile.am
index 0d8b74e8..a0d0e9ec 100644
--- a/daemons/ipa-slapi-plugins/ipa-sidgen/Makefile.am
+++ b/daemons/ipa-slapi-plugins/ipa-sidgen/Makefile.am
@@ -49,6 +49,7 @@ appdir = $(IPA_DATA_DIR)
app_DATA = \
ipa-sidgen-conf.ldif \
ipa-sidgen-task-conf.ldif \
+ ipa-sidgen-task-run.ldif \
$(NULL)
EXTRA_DIST = \
diff --git a/daemons/ipa-slapi-plugins/ipa-sidgen/ipa-sidgen-task-example.ldif b/daemons/ipa-slapi-plugins/ipa-sidgen/ipa-sidgen-task-example.ldif
deleted file mode 100644
index 9cfded73..00000000
--- a/daemons/ipa-slapi-plugins/ipa-sidgen/ipa-sidgen-task-example.ldif
+++ /dev/null
@@ -1,10 +0,0 @@
-dn: cn=sidgen,cn=ipa-sidgen-task,cn=plugins,cn=config
-changetype: add
-objectClass: top
-objectClass: nsSlapdPlugin
-objectClass: extensibleObject
-cn: ipa-sidgen-task
-nsslapd-pluginPath: libipa_sidgen_task
-nsslapd-pluginInitfunc: sidgen_task_init
-nsslapd-basedn: $SUFFIX
-delay: 0
diff --git a/daemons/ipa-slapi-plugins/ipa-sidgen/ipa-sidgen-task-run.ldif b/daemons/ipa-slapi-plugins/ipa-sidgen/ipa-sidgen-task-run.ldif
new file mode 100644
index 00000000..663b7597
--- /dev/null
+++ b/daemons/ipa-slapi-plugins/ipa-sidgen/ipa-sidgen-task-run.ldif
@@ -0,0 +1,10 @@
+dn: cn=sidgen,cn=ipa-sidgen-task,cn=tasks,cn=config
+changetype: add
+objectClass: top
+objectClass: extensibleObject
+cn: sidgen
+# $SUFFIX must be replaced with the base DN of the IPA directory tree
+nsslapd-basedn: $SUFFIX
+# delay specifies the time the task should sleep between the generation of SIDs
+# in nanoseconds
+delay: 0
diff --git a/install/tools/ipa-adtrust-install b/install/tools/ipa-adtrust-install
index 4285642e..52179038 100755
--- a/install/tools/ipa-adtrust-install
+++ b/install/tools/ipa-adtrust-install
@@ -61,6 +61,9 @@ def parse_options():
parser.add_option("-A", "--admin-name",
sensitive=True, dest="admin_name", default='admin',
help="admin user principal")
+ parser.add_option("--add-sids", dest="add_sids", action="store_true",
+ default=False, help="Add SIDs for existing users and" \
+ "groups as the final step")
options, args = parser.parse_args()
safe_options = parser.get_safe_opts(options)
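Review bot: The two adjacent string literals in the new `--add-sids` help text are joined without a separating space, so `--help` will print "users andgroups". The first literal should end with a space: `default=False, help="Add SIDs for existing users and " \`. The trailing backslash is also redundant inside the call's parentheses. parse_options starts before and continues after this hunk.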
@@ -250,7 +253,7 @@ def main():
smb.autobind = service.ENABLED
smb.setup(api.env.host, ip_address, api.env.realm, api.env.domain,
netbios_name, options.rid_base, options.secondary_rid_base,
- options.no_msdcs)
+ options.no_msdcs, options.add_sids)
smb.find_local_id_range()
smb.create_instance()
diff --git a/install/tools/man/ipa-adtrust-install.1 b/install/tools/man/ipa-adtrust-install.1
index fa63bca3..9204b7d5 100644
--- a/install/tools/man/ipa-adtrust-install.1
+++ b/install/tools/man/ipa-adtrust-install.1
@@ -71,6 +71,16 @@ are needed for the IPA domain which should point to all IPA servers:
.IP
\(bu _kerberos._udp.Default-First-Site-Name._sites.dc._msdcs
.TP
+\fB\-\-add\-sids\fR
+Add SIDs to existing users and groups as a final step of the
+ipa\-adtrust\-install run. If there a many existing users and groups and a
+couple of replicas in the environment this operation might lead to a high
+replication traffic and a performance degradation of all IPA servers in the
+environment. To avoid this the SID generation can be run after
+ipa\-adtrust\-install is run and scheduled independently. To start this task
+you have to load an edited version of ipa-sidgen-task-run.ldif with the
+ldapmodify command info the directory server.
+.TP
\fB\-U\fR, \fB\-\-unattended\fR
An unattended installation that will never prompt for user input
.TP
diff --git a/ipaserver/install/adtrustinstance.py b/ipaserver/install/adtrustinstance.py
index 79503c46..1a92b288 100644
--- a/ipaserver/install/adtrustinstance.py
+++ b/ipaserver/install/adtrustinstance.py
@@ -110,6 +110,7 @@ class ADTRUSTInstance(service.Service):
self.domain_name = None
self.netbios_name = None
self.no_msdcs = None
+ self.add_sids = None
self.smbd_user = None
self.suffix = DN()
self.ldapi_socket = None
@@ -360,6 +361,16 @@ class ADTRUSTInstance(service.Service):
try:
self._ldap_mod("ipa-sidgen-conf.ldif", self.sub_dict)
self._ldap_mod("ipa-sidgen-task-conf.ldif", self.sub_dict)
+ except Exception:
+ pass
+
+ def __add_sids(self):
+ """
+ Add SIDs for existing users and groups
+ """
+
+ try:
+ self._ldap_mod("ipa-sidgen-task-run.ldif", self.sub_dict)
except:
pass
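Review bot: The new `__add_sids` ends in a bare `except:` / `pass`, so if loading ipa-sidgen-task-run.ldif fails, the "adding SIDs to existing users and groups" step still looks successful and the administrator is left believing existing accounts have SIDs. The same hunk narrows the preceding handler to `except Exception:`, so the new method should at least match it and record the failure, e.g. `except Exception as e:` followed by a log call on whatever logger the module already uses (not visible here) that names the LDIF file. As far as the hunk shows, success only means the task entry was added, not that SID generation has finished, and a docstring sentence saying so would help. The method preceding `__add_sids` starts outside the hunk.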
@@ -602,7 +613,8 @@ class ADTRUSTInstance(service.Service):
FQDN = self.fqdn)
def setup(self, fqdn, ip_address, realm_name, domain_name, netbios_name,
- rid_base, secondary_rid_base, no_msdcs=False, smbd_user="samba"):
+ rid_base, secondary_rid_base, no_msdcs=False, add_sids=False,
+ smbd_user="samba"):
self.fqdn = fqdn
self.ip_address = ip_address
self.realm = realm_name
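Review bot: `add_sids` is inserted before `smbd_user` in the `setup` signature, which changes the meaning of the ninth positional argument. Any caller that passed `smbd_user` positionally would now silently enable SID generation with a truthy string and fall back to the default "samba" user. Either append the new parameter after `smbd_user`, or pass the optional values by keyword at the call in install/tools/ipa-adtrust-install: `no_msdcs=options.no_msdcs, add_sids=options.add_sids)`. Whether other callers exist is not visible from this diff, and the body of setup continues outside the hunk.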
@@ -611,6 +623,7 @@ class ADTRUSTInstance(service.Service):
self.rid_base = rid_base
self.secondary_rid_base = secondary_rid_base
self.no_msdcs = no_msdcs
+ self.add_sids = add_sids
self.smbd_user = smbd_user
self.suffix = ipautil.realm_to_suffix(self.realm)
self.ldapi_socket = "%%2fvar%%2frun%%2fslapd-%s.socket" % \
@@ -700,6 +713,10 @@ class ADTRUSTInstance(service.Service):
self.__configure_selinux_for_smbd)
self.step("starting CIFS services", self.__start)
+ if self.add_sids:
+ self.step("adding SIDs to existing users and groups",
+ self.__add_sids)
+
self.start_creation("Configuring CIFS:")
def uninstall(self):