diff options
Diffstat (limited to 'ipa-client/ipa-install/ipa-client-install')
| -rw-r--r-- | ipa-client/ipa-install/ipa-client-install | 387 |
1 files changed, 387 insertions, 0 deletions
diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install new file mode 100644 index 00000000..cd5bfdde --- /dev/null +++ b/ipa-client/ipa-install/ipa-client-install @@ -0,0 +1,387 @@ +#! /usr/bin/python -E +# Authors: Simo Sorce <ssorce@redhat.com> +# Karl MacMillan <kmacmillan@mentalrootkit.com> +# +# Copyright (C) 2007 Red Hat +# see file 'COPYING' for use and warranty information +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License as +# published by the Free Software Foundation; version 2 only +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA +# + +try: + import sys + + import os + import krbV + import socket + import logging + from optparse import OptionParser + import ipaclient.ipadiscovery + import ipaclient.ipachangeconf + import ipaclient.ntpconf + from ipa.ipautil import run, user_input + from ipa import sysrestore + from ipa import version +except ImportError: + print >> sys.stderr, """\ +There was a problem importing one of the required Python modules. The +error was: + + %s +""" % sys.exc_value + sys.exit(1) + + +def parse_options(): + parser = OptionParser(version=version.VERSION) + parser.add_option("--domain", dest="domain", help="domain name") + parser.add_option("--server", dest="server", help="IPA server") + parser.add_option("--realm", dest="realm_name", help="realm name") + parser.add_option("-f", "--force", dest="force", action="store_true", + default=False, help="force setting of ldap/kerberos conf") + parser.add_option("-d", "--debug", dest="debug", action="store_true", + default=False, help="print debugging information") + parser.add_option("-U", "--unattended", dest="unattended", + action="store_true", + help="unattended installation never prompts the user") + parser.add_option("--ntp-server", dest="ntp_server", help="ntp server to use") + parser.add_option("-N", "--no-ntp", action="store_false", + help="do not configure ntp", default=True, dest="conf_ntp") + parser.add_option("--on-master", dest="on_master", action="store_true", + help="use this option when run on a master", default=False) + parser.add_option("", "--uninstall", dest="uninstall", action="store_true", + default=False, help="uninstall an existing installation") + + options, args = parser.parse_args() + + if (options.server and not options.domain): + parser.error("--server cannot be used without providing --domain") + + return options + +def logging_setup(options): + # Always log everything (i.e., DEBUG) to the log + # file. + + log_file = "/var/log/ipaclient-install.log" + if options.uninstall: + log_file = "/var/log/ipaclient-uninstall.log" + + old_umask = os.umask(077) + logging.basicConfig(level=logging.DEBUG, + format='%(asctime)s %(levelname)s %(message)s', + filename=log_file, + filemode='w') + os.umask(old_umask) + + console = logging.StreamHandler() + # If the debug option is set, also log debug messages to the console + if options.debug: + console.setLevel(logging.DEBUG) + else: + # Otherwise, log critical and error messages + console.setLevel(logging.ERROR) + formatter = logging.Formatter('%(name)-12s: %(levelname)-8s %(message)s') + console.setFormatter(formatter) + logging.getLogger('').addHandler(console) + +def uninstall(options): + + print "Restoring client configuration files" + fstore.restore_all_files() + + print "Disabling client Kerberos and Ldap configurations" + try: + run(["/usr/sbin/authconfig", "--disableldap", "--disablekrb5", "--update"]) + except Exception, e: + print "Failed to remove krb5/ldap configuration. " +str(e) + sys.exit(1) + + try: + run(["/sbin/service", "nscd", "restart"]) + except: + print "Failed to restart start the NSCD daemon" + + if not options.unattended: + print "The original nsswitch.conf configuration has been restored." + print "You may need to restart services or reboot the machine." + if not options.on_master: + if user_input("Do you want to reboot the machine?", False): + try: + run(["/usr/bin/reboot"]) + except Exception, e: + print "Reboot command failed to exceute. " + str(e) + sys.exit(1) + +def main(): + options = parse_options() + logging_setup(options) + dnsok = True + + global fstore + fstore = sysrestore.FileStore('/var/lib/ipa-client/sysrestore') + + if options.uninstall: + return uninstall(options) + + cli_domain = None + cli_server = None + cli_realm = None + cli_basedn = None + + # Create the discovery instance + ds = ipaclient.ipadiscovery.IPADiscovery() + + ret = ds.search(domain=options.domain, server=options.server) + if ret == -10: + print "Can't get the fully qualified name of this host" + print "Please check that the client is properly configured" + return ret + if ret == -1 or not ds.getDomainName(): + logging.debug("Domain not found") + if options.domain: + cli_domain = options.domain + elif options.unattended: + return ret + else: + print "DNS discovery failed to determine your DNS domain" + cli_domain = user_input("Please provide the domain name of your IPA server (ex: example.com)", allow_empty = False) + ret = ds.search(domain=cli_domain, server=options.server) + if not cli_domain: + if ds.getDomainName(): + cli_domain = ds.getDomainName() + + if ret == -2 or not ds.getServerName(): + dnsok = False + logging.debug("IPA Server not found") + if options.server: + cli_server = options.server + elif options.unattended: + return ret + else: + print "DNS discovery failed to find the IPA Server" + cli_server = user_input("Please provide your IPA server name (ex: ipa.example.com)", allow_empty = False) + ret = ds.search(domain=cli_domain, server=cli_server) + if not cli_server: + if ds.getServerName(): + cli_server = ds.getServerName() + + if ret != 0: + print "Failed to verify that "+cli_server+" is an IPA Server." + print "This may mean that the remote server is not up or is not reachable" + print "due to network or firewall settings." + return ret + + if dnsok: + print "Discovery was successful!" + elif not options.unattended: + print "\nThe failure to use DNS to find your IPA server indicates that your" + print "resolv.conf file is not properly configured.\n" + print "Autodiscovery of servers for failover cannot work with this configuration.\n" + print "If you proceed with the installation, services will be configured to always" + print "access the discovered server for all operation and will not fail over to" + print "other servers in case of failure.\n" + if not user_input("Do you want to proceed and configure the system with fixed values with no DNS discovery?", False): + return ret + + if options.realm_name and options.realm_name != ds.getRealmName(): + if not options.unattended: + print "ERROR: The provided realm name: ["+options.realm_name+"] does not match with the discovered one: ["+ds.getRealmName()+"]\n" + return -3 + + cli_realm = ds.getRealmName() + cli_basedn = ds.getBaseDN() + + print "Realm: "+cli_realm + print "DNS Domain: "+cli_domain + print "IPA Server: "+cli_server + print "BaseDN: "+cli_basedn + + print "\n" + if not options.unattended and not user_input("Continue to configure the system with these values?", False): + return 1 + + # Configure ipa.conf + if not options.on_master: + ipaconf = ipaclient.ipachangeconf.IPAChangeConf("IPA Installer") + ipaconf.setOptionAssignment(" = ") + ipaconf.setSectionNameDelimiters(("[","]")) + + opts = [{'name':'comment', 'type':'comment', 'value':'File modified by ipa-client-install'}, + {'name':'empty', 'type':'empty'}] + + #[defaults] + defopts = [{'name':'server', 'type':'option', 'value':cli_server}, + {'name':'realm', 'type':'option', 'value':cli_realm}, + {'name':'domain', 'type':'option', 'value':cli_domain}] + + opts.append({'name':'defaults', 'type':'section', 'value':defopts}) + opts.append({'name':'empty', 'type':'empty'}) + + fstore.backup_file("/etc/ipa/ipa.conf") + ipaconf.newConf("/etc/ipa/ipa.conf", opts) + print "Created /etc/ipa/ipa.conf" + + + # Configure ldap.conf + ldapconf = ipaclient.ipachangeconf.IPAChangeConf("IPA Installer") + ldapconf.setOptionAssignment(" ") + + opts = [{'name':'comment', 'type':'comment', 'value':'File modified by ipa-client-install'}, + {'name':'empty', 'type':'empty'}, + {'name':'ldap_version', 'type':'option', 'value':'3'}, + {'name':'base', 'type':'option', 'value':cli_basedn}, + {'name':'empty', 'type':'empty'}, + {'name':'nss_base_passwd', 'type':'option', 'value':'cn=users,cn=accounts,'+cli_basedn+'?sub'}, + {'name':'nss_base_group', 'type':'option', 'value':'cn=groups,cn=accounts,'+cli_basedn+'?sub'}, + {'name':'nss_schema', 'type':'option', 'value':'rfc2307bis'}, + {'name':'nss_map_attribute', 'type':'option', 'value':'uniqueMember member'}, + {'name':'nss_initgroups_ignoreusers', 'type':'option', 'value':'root,dirsrv'}, + {'name':'empty', 'type':'empty'}, + {'name':'nss_reconnect_maxsleeptime', 'type':'option', 'value':'8'}, + {'name':'nss_reconnect_sleeptime', 'type':'option', 'value':'1'}, + {'name':'bind_timelimit', 'type':'option', 'value':'5'}, + {'name':'timelimit', 'type':'option', 'value':'15'}, + {'name':'empty', 'type':'empty'}] + if not dnsok or options.force or options.on_master: + if options.on_master: + opts.append({'name':'uri', 'type':'option', 'value':'ldap://localhost'}) + else: + opts.append({'name':'uri', 'type':'option', 'value':'ldap://'+cli_server}) + else: + opts.append({'name':'nss_srv_domain', 'type':'option', 'value':cli_domain}) + + opts.append({'name':'empty', 'type':'empty'}) + try: + fstore.backup_file("/etc/ldap.conf") + ldapconf.newConf("/etc/ldap.conf", opts) + print "Configured /etc/ldap.conf" + except Exception, e: + print "Creation of /etc/ldap.conf: " + str(e) + return 1 + + #If on master assume kerberos is already configured properly. + if not options.on_master: + + #Configure krb5.conf + krbconf = ipaclient.ipachangeconf.IPAChangeConf("IPA Installer") + krbconf.setOptionAssignment(" = ") + krbconf.setSectionNameDelimiters(("[","]")) + krbconf.setSubSectionDelimiters(("{","}")) + krbconf.setIndent((""," "," ")) + + opts = [{'name':'comment', 'type':'comment', 'value':'File modified by ipa-client-install'}, + {'name':'empty', 'type':'empty'}] + + #[libdefaults] + libopts = [{'name':'default_realm', 'type':'option', 'value':cli_realm}] + if not dnsok or options.force: + libopts.append({'name':'dns_lookup_realm', 'type':'option', 'value':'false'}) + libopts.append({'name':'dns_lookup_kdc', 'type':'option', 'value':'false'}) + else: + libopts.append({'name':'dns_lookup_realm', 'type':'option', 'value':'true'}) + libopts.append({'name':'dns_lookup_kdc', 'type':'option', 'value':'true'}) + libopts.append({'name':'ticket_lifetime', 'type':'option', 'value':'24h'}) + libopts.append({'name':'forwardable', 'type':'option', 'value':'yes'}) + + opts.append({'name':'libdefaults', 'type':'section', 'value':libopts}) + opts.append({'name':'empty', 'type':'empty'}) + + #the following are necessary only if DNS discovery does not work + if not dnsok or options.force: + #[realms] + kropts =[{'name':'kdc', 'type':'option', 'value':cli_server+':88'}, + {'name':'admin_server', 'type':'option', 'value':cli_server+':749'}, + {'name':'default_domain', 'type':'option', 'value':cli_domain}] + ropts = [{'name':cli_realm, 'type':'subsection', 'value':kropts}] + opts.append({'name':'realms', 'type':'section', 'value':ropts}) + opts.append({'name':'empty', 'type':'empty'}) + + #[domain_realm] + dropts = [{'name':'.'+cli_domain, 'type':'option', 'value':cli_realm}, + {'name':cli_domain, 'type':'option', 'value':cli_realm}] + opts.append({'name':'domain_realm', 'type':'section', 'value':dropts}) + opts.append({'name':'empty', 'type':'empty'}) + + #[appdefaults] + pamopts = [{'name':'debug', 'type':'option', 'value':'false'}, + {'name':'ticket_lifetime', 'type':'option', 'value':'36000'}, + {'name':'renew_lifetime', 'type':'option', 'value':'36000'}, + {'name':'forwardable', 'type':'option', 'value':'true'}, + {'name':'krb4_convert', 'type':'option', 'value':'false'}] + appopts = [{'name':'pam', 'type':'subsection', 'value':pamopts}] + opts.append({'name':'appdefaults', 'type':'section', 'value':appopts}) + + fstore.backup_file("/etc/krb5.conf") + krbconf.newConf("/etc/krb5.conf", opts); + print "Configured /etc/krb5.conf for IPA realm " + cli_realm + + #Modify nsswitch to add nss_ldap + run(["/usr/sbin/authconfig", "--enableldap", "--update"]) + print "LDAP enabled" + + #Check nss_ldap is working properly + if not options.on_master: + try: + run(["getent", "passwd", "admin"]) + except Exception, e: + print "nss_ldap is not able to use DNS discovery!" + print "Changing configuration to use hardcoded server name: " +cli_server + + opts = [{'name':'uri', 'type':'option', 'action':'set', 'value':'ldap://'+cli_server}, + {'name':'empty', 'type':'empty'}] + try: + ldapconf.changeConf("/etc/ldap.conf", opts) + except Exception, e: + print "Adding hardcoded server name to /etc/ldap.conf failed: " + str(e) + return 1 + + #Modify pam to add pam_krb5 + run(["/usr/sbin/authconfig", "--enablekrb5", "--update"]) + print "Kerberos 5 enabled" + + if options.conf_ntp and not options.on_master: + if options.ntp_server: + ntp_server = options.ntp_server + else: + ntp_server = cli_server + ipaclient.ntpconf.config_ntp(ntp_server, fstore) + print "NTP enabled" + + #Activate Name Server Caching Daemon + try: + run(["/sbin/service", "nscd", "restart"]) + except: + print "Failed to start the NSCD daemon" + print "Caching of users/groups will not be available" + pass + + try: + run(["/sbin/chkconfig", "nscd", "on"]) + except: + print "Failed to configure automatic startup of the NSCD daemon" + print "Caching of users/groups will not be available after reboot" + pass + + print "Client configuration complete." + + return 0 + +try: + if __name__ == "__main__": + sys.exit(main()) +except SystemExit, e: + sys.exit(e) +except KeyboardInterrupt: + sys.exit(1) |