author | Karl MacMillan <kmacmillan@mentalrootkit.com> | 2007-07-19 18:02:54 -0400 |
---|---|---|
committer | Karl MacMillan <kmacmillan@mentalrootkit.com> | 2007-07-19 18:02:54 -0400 |
commit | 326b37371b9f6331c176651c4504f1c9dec57eb8 (patch) | |
tree | f635697f63ecee066294eda58799b5b00c2a04e1 | |
parent | a53a4e71bb3e8710fd5373f9ac80c258c9f08e3d (diff) | |
Improve kerberos install patch from Simo.
-rw-r--r-- | ipa-install/README | 7 | ||||
-rw-r--r-- | ipa-install/share/bind.zone.db.template | 26 | ||||
-rw-r--r-- | ipa-install/share/fedora-ds.init.patch | 12 | ||||
-rw-r--r-- | ipa-install/share/krb5.conf.template | 9 | ||||
-rw-r--r-- | ipa-install/src/ipa-server-install | 38 | ||||
-rw-r--r-- | ipa-install/src/ipa/krbinstance.py | 62 |
6 files changed, 135 insertions, 19 deletions
diff --git a/ipa-install/README b/ipa-install/README
index a1921505..31e7375f 100644
--- a/ipa-install/README
+++ b/ipa-install/README
@@ -5,12 +5,17 @@ krb5-server fedora-ds-base openldap-clients krb5-server-ldap +cyrus-sasl-gssapi Installation example: +TEMPORARY: (until fedora ds scripts are fixed) +please use the fedora-ds.init.patch under share/ to patch your init scripts before +running ipa-server-install + cd ipa-install make install cd .. -/usr/sbin/ipa-server-install -r FREEIPA.ORG -a rc1.freeipa.org -p freeipa -m ipafree +/usr/sbin/ipa-server-install -u fds -r FREEIPA.ORG -p freeipa -m ipafree
diff --git a/ipa-install/share/bind.zone.db.template b/ipa-install/share/bind.zone.db.template
new file mode 100644
index 00000000..e846c4f2
--- /dev/null
+++ b/ipa-install/share/bind.zone.db.template
@@ -0,0 +1,26 @@
+$$ORIGIN $DOMAIN.
+$$TTL 86400
+@ IN SOA $DOMAIN. root.$DOMAIN. (
+ 01 ; serial (d. adams)
+ 3H ; refresh
+ 15M ; retry
+ 1W ; expiry
+ 1D ) ; minimum
+
+ IN NS $HOST
+$HOST IN A $IP
+;
+; ldap servers
+_ldap._tcp IN SRV 0 100 389 $HOST
+
+;kerberos realm
+_kerberos IN TXT $REALM
+
+; kerberos servers
+_kerberos._tcp IN SRV 0 100 88 $HOST
+_kerberos._udp IN SRV 0 100 88 $HOST
+_kerberos-master._tcp IN SRV 0 100 88 $HOST
+_kerberos-master._udp IN SRV 0 100 88 $HOST
+_kpasswd._tcp IN SRV 0 100 88 $HOST
+_kpasswd._udp IN SRV 0 100 88 $HOST
+
diff --git a/ipa-install/share/fedora-ds.init.patch b/ipa-install/share/fedora-ds.init.patch
new file mode 100644
index 00000000..88a04fc2
--- /dev/null
+++ b/ipa-install/share/fedora-ds.init.patch
@@ -0,0 +1,12 @@
+--- /etc/init.d/fedora-ds.orig 2007-07-06 18:21:30.000000000 -0400
++++ /etc/init.d/fedora-ds 2007-05-18 19:36:24.000000000 -0400
+@@ -10,6 +10,9 @@
+ # datadir: /var/lib/fedora-ds/slapd-<instance name>
+ #
+
++# Get config.
++[ -r /etc/sysconfig/fedora-ds ] && . /etc/sysconfig/fedora-ds
++
+ # Source function library.
+ if [ -f /etc/rc.d/init.d/functions ] ; then
+ . /etc/rc.d/init.d/functions
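Review bot: The `_kpasswd._tcp` and `_kpasswd._udp` SRV records in the new zone template point at port 88, which is the KDC port; the password-change service (kpasswd) listens on 464 by default, so clients that locate it through DNS would be sent to the wrong daemon. Change the two records to `_kpasswd._tcp IN SRV 0 100 464 $HOST` and `_kpasswd._udp IN SRV 0 100 464 $HOST`. It would also be worth adding `_kerberos-adm._tcp IN SRV 0 100 749 $HOST`, so that DNS-based kadmin discovery agrees with the `admin_server = $FQDN:749` line this same commit adds to krb5.conf.template.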
diff --git a/ipa-install/share/krb5.conf.template b/ipa-install/share/krb5.conf.template
index 5030df4f..23a24703 100644
--- a/ipa-install/share/krb5.conf.template
+++ b/ipa-install/share/krb5.conf.template
@@ -10,6 +10,13 @@ ticket_lifetime = 24h forwardable = yes +[realms] + $REALM = { + kdc = $FQDN:88 + admin_server = $FQDN:749 + default_domain = $DOMAIN +} + [domain_realm] .$DOMAIN = $REALM $DOMAIN = $REALM
@@ -29,7 +36,7 @@ ldap_servers = ldap://127.0.0.1/ ldap_kerberos_container_dn = cn=kerberos,$SUFFIX ldap_kdc_dn = uid=kdc,cn=kerberos,$SUFFIX -; ldap_kadmind_dn = cn=Directory Manager + ldap_kadmind_dn = uid=kdc,cn=kerberos,$SUFFIX ldap_service_password_file = /var/kerberos/krb5kdc/ldappwd }
diff --git a/ipa-install/src/ipa-server-install b/ipa-install/src/ipa-server-install
index 67fba74f..52143eda 100644
--- a/ipa-install/src/ipa-server-install
+++ b/ipa-install/src/ipa-server-install
@@ -26,6 +26,7 @@ VERSION = "%prog .1" +import socket import logging from optparse import OptionParser import ipa.dsinstance
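Review bot: Setting `ldap_kadmind_dn` to the same `uid=kdc,cn=kerberos,$SUFFIX` entry as `ldap_kdc_dn` means the identity the KDC binds with must carry the write rights kadmin/kadmin.local need on the realm subtree, so a compromised krb5kdc process could create or rekey principals instead of only reading them. As far as I recall, MIT's LDAP backend expects a read-only KDC DN and a separate read/write kadmin DN; a `uid=kadmin,cn=kerberos,$SUFFIX` entry with its own password stashed in the same `ldap_service_password_file` would preserve that split. If sharing one DN is a deliberate shortcut for this stage, a template comment such as `# TODO: give kadmind its own bind DN instead of reusing the KDC one` would stop it from being copied as the final design.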
@@ -37,19 +38,18 @@ def parse_options(): help="ds user") parser.add_option("-r", "--realm", dest="realm_name", help="realm name") - parser.add_option("-a", "--host-address", dest="host_name", - help="host address (name or IP address)") parser.add_option("-p", "--password", dest="password", help="admin password") parser.add_option("-m", "--master-password", dest="master_password", help="kerberos master password") parser.add_option("-d", "--debug", dest="debug", action="store_true", dest="debug", default=False, help="print debugging information") + parser.add_option("--hostname", dest="host_name", help="fully qualified name of server") options, args = parser.parse_args() - if not options.realm_name or not options.host_name or not options.password: - parser.error("error: password, realm, and host name required") + if not options.ds_user or not options.realm_name or not options.password or not options.master_password: + parser.error("error: all options are required") return options 
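Review bot: `-p` and `-m` are now mandatory, so both the admin password and the Kerberos master password must always be passed on the command line, where every local user can read them from `ps`/`/proc/*/cmdline` for the lifetime of the installer and where they are retained in shell history. Rather than erroring out when they are absent, prompt for them: `if not options.password: options.password = getpass.getpass("Admin password: ")` and likewise `if not options.master_password: options.master_password = getpass.getpass("Kerberos master password: ")` (with `import getpass` alongside the new `import socket`). The README example in this commit could then drop the inline `-p`/`-m` values. `parse_options` begins before this hunk.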
@@ -76,13 +76,39 @@ def main(): options = parse_options() logging_setup(options) + # check the hostname is correctly configured, it must be as the kldap + # utilities just use the hostname as returned by gethostbyname to set + # up some of the standard entries + + if options.host_name: + host_name = options.host_name + else: + host_name = socket.gethostname() + if len(host_name.split(".")) < 2: + print "Invalid hostname <"+host_name+">" + print "Check the /etc/hosts file and make sure to have a valid FQDN" + return "-Fatal Error-" + + if socket.gethostbyname(host_name) == "127.0.0.1": + print "The hostname resolves to the localhost address (127.0.0.1)" + print "Please change your /etc/hosts file or your DNS so that the" + print "hostname resolves to the ip address of your network interface." + print "The KDC service does not listen on 127.0.0.1" + return "-Fatal Error-" + + print "The Final KDC Host Name will be: " + host_name + + # Create a directory server instance ds = ipa.dsinstance.DsInstance() - ds.create_instance(options.ds_user, options.realm_name, options.host_name, options.password) + ds.create_instance(options.ds_user, options.realm_name, host_name, + options.password) # Create a kerberos instance krb = ipa.krbinstance.KrbInstance() - krb.create_instance(options.ds_user, options.realm_name, options.host_name, options.password, options.master_password) + krb.create_instance(options.ds_user, options.realm_name, host_name, + options.password, options.master_password) + #restart ds after the krb instance have add the sasl map ds.restart()
diff --git a/ipa-install/src/ipa/krbinstance.py b/ipa-install/src/ipa/krbinstance.py
index 498f0506..e10f9c7a 100644
--- a/ipa-install/src/ipa/krbinstance.py
+++ b/ipa-install/src/ipa/krbinstance.py
@@ -25,6 +25,9 @@ import shutil import logging from random import Random from time import gmtime +import os +import pwd +import socket SHARE_DIR = "/usr/share/ipa/"
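Review bot: The loopback check `socket.gethostbyname(host_name) == "127.0.0.1"` only catches that one address; a hostname mapped to another 127/8 address (a Debian-style `127.0.1.1` entry, for example) passes the check and the KDC still ends up advertised on an address it does not listen on, and because `gethostbyname` returns IPv4 only, `::1` is never seen at all. The same call raises `socket.gaierror` for a name that does not resolve, which turns a configuration mistake into a traceback instead of the guidance the surrounding prints give. Resolve once, catch the error, and test the 127/8 prefix as below; `main` begins before this hunk and continues after it.
```python
    # … unchanged: FQDN component check …
    try:
        ip = socket.gethostbyname(host_name)
    except socket.gaierror, e:
        print "Unable to resolve hostname <"+host_name+">: " + str(e)
        print "Check the /etc/hosts file and make sure to have a valid FQDN"
        return "-Fatal Error-"

    if ip.startswith("127."):
        print "The hostname resolves to a loopback address (" + ip + ")"
        # … unchanged: remaining guidance lines and return …
```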
@@ -33,6 +36,10 @@ def realm_to_suffix(realm_name): terms = ["dc=" + x.lower() for x in s] return ",".join(terms) +def host_to_domain(fqdn): + s = fqdn.split(".") + return ".".join(s[1:]) + def generate_kdc_password(): rndpwd = '' r = Random()
@@ -75,8 +82,10 @@ def run(args, stdin=None): class KrbInstance: def __init__(self): self.ds_user = None - self.realm_name = None - self.host_name = None + self.fqdn = None + self.realm = None + self.domain = None + self.host = None self.admin_password = None self.master_password = None self.suffix = None
@@ -85,12 +94,15 @@ class KrbInstance: def create_instance(self, ds_user, realm_name, host_name, admin_password, master_password): self.ds_user = ds_user - self.realm_name = realm_name.upper() - self.host_name = host_name + self.fqdn = host_name + self.ip = socket.gethostbyname(host_name) + self.realm = realm_name.upper() + self.host = host_name.split(".")[0] + self.domain = host_to_domain(host_name) self.admin_password = admin_password self.master_password = master_password - self.suffix = realm_to_suffix(self.realm_name) + self.suffix = realm_to_suffix(self.realm) self.kdc_password = generate_kdc_password() self.__configure_kdc_account_password()
@@ -100,6 +112,10 @@ class KrbInstance: self.__create_instance() + self.__create_ds_keytab() + + self.__create_sample_bind_zone() + self.start() def stop(self):
@@ -120,12 +136,13 @@ class KrbInstance: pwd_fd.close() def __setup_sub_dict(self): - #FIXME: can DOMAIN be different than REALM ? - self.sub_dict = dict(FQHN=self.host_name, + self.sub_dict = dict(FQDN=self.fqdn, + IP=self.ip, PASSWORD=self.kdc_password, SUFFIX=self.suffix, - DOMAIN= self.realm_name.lower(), - REALM=self.realm_name) + DOMAIN=self.domain, + HOST=self.host, + REALM=self.realm) def __configure_ldap(self):
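Review bot: In `create_instance`, `socket.gethostbyname(host_name)` raises `socket.gaierror` for an unresolvable name and `host_to_domain(host_name)` returns `""` for a bare hostname, so a caller that skips the checks living in ipa-server-install gets either a traceback or an empty `DOMAIN` substituted into `$$ORIGIN $DOMAIN.` and `default_domain = $DOMAIN`. Since this class is the reusable entry point, it should defend itself: `if "." not in host_name: raise ValueError("host_name must be a fully qualified name")` at the top of `create_instance`, and a short docstring stating that `host_name` must be an FQDN that resolves to a non-loopback address. `create_instance` continues beyond this hunk.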
@@ -153,7 +170,7 @@ class KrbInstance: krb5_fd.close() #populate the directory with the realm structure - args = ["/usr/kerberos/sbin/kdb5_ldap_util", "-D", "uid=kdc,cn=kerberos,"+self.suffix, "-w", self.kdc_password, "create", "-s", "-r", self.realm_name, "-subtrees", self.suffix, "-sscope", "sub"] + args = ["/usr/kerberos/sbin/kdb5_ldap_util", "-D", "uid=kdc,cn=kerberos,"+self.suffix, "-w", self.kdc_password, "create", "-s", "-P", self.master_password, "-r", self.realm, "-subtrees", self.suffix, "-sscope", "sub"] run(args) # TODO: NOT called yet, need to find out how to make sure the plugin is available first
@@ -165,5 +182,28 @@ class KrbInstance: extop_fd.close() #add an ACL to let the DS user read the master key - args = ["/usr/bin/setfacl", "-m", "u:"+self.ds_user+":r", "/var/kerberos/krb5kdc/.k5."+self.realm_name] + args = ["/usr/bin/setfacl", "-m", "u:"+self.ds_user+":r", "/var/kerberos/krb5kdc/.k5."+self.realm] run(args)
+
+ def __create_sample_bind_zone(self):
+ bind_txt = template_file(SHARE_DIR + "bind.zone.db.template", self.sub_dict)
+ [bind_fd, bind_name] = tempfile.mkstemp(".db","sample.zone.")
+ os.write(bind_fd, bind_txt)
+ os.close(bind_fd)
+ print "Sample zone file for bind has been created in "+bind_name
+
+ def __create_ds_keytab(self):
+ (kwrite, kread, kerr) = os.popen3("/usr/kerberos/sbin/kadmin.local")
+ kwrite.write("addprinc -randkey ldap/"+self.fqdn+"@"+self.realm+"\n")
+ kwrite.flush()
+ kwrite.write("ktadd -k /etc/fedora-ds/ds.keytab ldap/"+self.fqdn+"@"+self.realm+"\n")
+ kwrite.flush()
+ kwrite.close()
+ kread.close()
+ kerr.close()
+
+ cfg_fd = open("/etc/sysconfig/fedora-ds", "a")
+ cfg_fd.write("export KRB5_KTNAME=/etc/fedora-ds/ds.keytab\n")
+ cfg_fd.close()
+ pent = pwd.getpwnam(self.ds_user)
+ os.chown("/etc/sysconfig/fedora-ds", pent.pw_uid, pent.pw_gid)
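Review bot: The added `"-P", self.master_password` puts the Kerberos master password on the kdb5_ldap_util command line, where any local user can read it from `ps` or `/proc/<pid>/cmdline` for as long as the tool runs; the pre-existing `"-w", self.kdc_password` already exposes the LDAP bind password the same way, and this commit adds a second secret to it. `run()` in this file takes a `stdin` argument (visible in the `def run(args, stdin=None)` hunk header) and kdb5_ldap_util prompts for the master key when `-P` is omitted, so drop the two `-P` elements and call `run(args, stdin=self.master_password + "\n" + self.master_password + "\n")` instead — confirm the prompt sequence against the installed krb5 before relying on it. The `-w` exposure predates this change but deserves the same treatment.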
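Review bot: `os.chown("/etc/sysconfig/fedora-ds", pent.pw_uid, pent.pw_gid)` at the end of `__create_ds_keytab` gives the unprivileged DS account ownership of a file that `/etc/init.d/fedora-ds` sources as root (that is exactly what the `fedora-ds.init.patch` added in this commit does), so anyone able to run as `ds_user` can append a command that executes as root on the next service start. The file the DS user actually needs to own is the keytab that `ktadd` writes as root; replace the chown with `os.chown("/etc/fedora-ds/ds.keytab", pent.pw_uid, pent.pw_gid)` followed by `os.chmod("/etc/fedora-ds/ds.keytab", 0600)`, and leave `/etc/sysconfig/fedora-ds` root-owned. Two smaller points in the same method: opening the sysconfig file with `"a"` appends a duplicate `export KRB5_KTNAME` line on every re-run, and `kread`/`kerr` are closed without being read, so a failed `addprinc` or `ktadd` leaves no trace — at minimum log `kerr.read()` before closing it.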