summaryrefslogtreecommitdiffstats
path: root/client
diff options
context:
space:
mode:
authorPetr Viktorin <pviktori@redhat.com>2016-01-14 14:15:49 +0100
committerJan Cholasta <jcholast@redhat.com>2016-01-27 12:09:02 +0100
commit840de9bb48b37508e11fc0514761161e7cd0f9ef (patch)
tree2be322c04c238096923b2216a48249afa5d52bd7 /client
parent7dae5c09d5a6bf084661511bef4811223da64252 (diff)
downloadfreeipa-840de9bb48b37508e11fc0514761161e7cd0f9ef.tar.gz
freeipa-840de9bb48b37508e11fc0514761161e7cd0f9ef.tar.xz
freeipa-840de9bb48b37508e11fc0514761161e7cd0f9ef.zip
Split ipa-client/ into ipaclient/ (Python library) and client/ (C, scripts)
Make ipaclient a Python library like ipapython, ipalib, etc. Use setup.py instead of autotools for installing it. Move C client tools, Python scripts, and man pages, to client/. Remove old, empty or outdated, boilerplate files (NEWS, README, AUTHORS). Remove /setup-client.py (ipalib/setup.py should be used instead). Update Makefiles and the spec file accordingly. https://fedorahosted.org/freeipa/ticket/5638 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Diffstat (limited to 'client')
-rw-r--r--client/Makefile.am126
-rw-r--r--client/config.c174
-rw-r--r--client/configure.ac244
-rwxr-xr-xclient/ipa-certupdate23
-rwxr-xr-xclient/ipa-client-automount505
-rw-r--r--client/ipa-client-common.c48
-rw-r--r--client/ipa-client-common.h33
-rwxr-xr-xclient/ipa-client-install3144
-rw-r--r--client/ipa-getkeytab.c913
-rw-r--r--client/ipa-join.c1161
-rw-r--r--client/ipa-rmkeytab.c268
-rw-r--r--client/man/Makefile.am24
-rw-r--r--client/man/default.conf.5246
-rw-r--r--client/man/ipa-certupdate.139
-rw-r--r--client/man/ipa-client-automount.189
-rw-r--r--client/man/ipa-client-install.1288
-rw-r--r--client/man/ipa-getkeytab.1147
-rw-r--r--client/man/ipa-join.1142
-rw-r--r--client/man/ipa-rmkeytab.189
-rw-r--r--client/version.m4.in1
20 files changed, 7704 insertions, 0 deletions
diff --git a/client/Makefile.am b/client/Makefile.am
new file mode 100644
index 000000000..3d135a344
--- /dev/null
+++ b/client/Makefile.am
@@ -0,0 +1,126 @@
+# This file will be processed with automake-1.7 to create Makefile.in
+
+AUTOMAKE_OPTIONS = 1.7
+
+NULL =
+
+AM_CFLAGS = $(NULL)
+if HAVE_GCC
+ AM_CFLAGS += -Wall -Wshadow -Wstrict-prototypes -Wpointer-arith \
+ -Wcast-align -Werror-implicit-function-declaration \
+ $(NULL)
+endif
+export AM_CFLAGS
+
+KRB5_UTIL_DIR=../util
+KRB5_UTIL_SRCS=$(KRB5_UTIL_DIR)/ipa_krb5.c
+ASN1_UTIL_DIR=../asn1
+IPA_CONF_FILE=$(sysconfdir)/ipa/default.conf
+
+AM_CPPFLAGS = \
+ -I. \
+ -I$(srcdir) \
+ -I$(KRB5_UTIL_DIR) \
+ -I$(ASN1_UTIL_DIR) \
+ -DPREFIX=\""$(prefix)"\" \
+ -DBINDIR=\""$(bindir)"\" \
+ -DLIBDIR=\""$(libdir)"\" \
+ -DLIBEXECDIR=\""$(libexecdir)"\" \
+ -DDATADIR=\""$(datadir)"\" \
+ -DLOCALEDIR=\""$(localedir)"\" \
+ -DIPACONFFILE=\""$(IPA_CONF_FILE)"\" \
+ $(KRB5_CFLAGS) \
+ $(OPENLDAP_CFLAGS) \
+ $(SASL_CFLAGS) \
+ $(POPT_CFLAGS) \
+ $(WARN_CFLAGS) \
+ $(INI_CFLAGS) \
+ $(NULL)
+
+sbin_PROGRAMS = \
+ ipa-getkeytab \
+ ipa-rmkeytab \
+ ipa-join \
+ $(NULL)
+
+sbin_SCRIPTS = \
+ ipa-client-install \
+ ipa-client-automount \
+ ipa-certupdate \
+ $(NULL)
+
+ipa_getkeytab_SOURCES = \
+ ipa-getkeytab.c \
+ ipa-client-common.c \
+ $(KRB5_UTIL_SRCS) \
+ $(NULL)
+
+ipa_getkeytab_LDADD = \
+ ../asn1/libipaasn1.la \
+ $(KRB5_LIBS) \
+ $(OPENLDAP_LIBS) \
+ $(SASL_LIBS) \
+ $(POPT_LIBS) \
+ $(LIBINTL_LIBS) \
+ $(INI_LIBS) \
+ $(NULL)
+
+ipa_rmkeytab_SOURCES = \
+ ipa-rmkeytab.c \
+ ipa-client-common.c \
+ $(NULL)
+
+ipa_rmkeytab_LDADD = \
+ $(KRB5_LIBS) \
+ $(POPT_LIBS) \
+ $(LIBINTL_LIBS) \
+ $(NULL)
+
+ipa_join_SOURCES = \
+ config.c \
+ ipa-client-common.c \
+ ipa-join.c \
+ $(NULL)
+
+ipa_join_LDADD = \
+ $(KRB5_LIBS) \
+ $(OPENLDAP_LIBS) \
+ $(SASL_LIBS) \
+ $(CURL_LIBS) \
+ $(XMLRPC_LIBS) \
+ $(POPT_LIBS) \
+ $(LIBINTL_LIBS) \
+ $(NULL)
+
+SUBDIRS = \
+ ../asn1 \
+ man \
+ $(NULL)
+
+EXTRA_DIST = \
+ $(sbin_SCRIPTS) \
+ $(NULL)
+
+DISTCLEANFILES = \
+ $(NULL)
+
+MAINTAINERCLEANFILES = \
+ *~ \
+ intltool-*.in \
+ compile \
+ configure \
+ COPYING \
+ INSTALL \
+ install-sh \
+ missing \
+ mkinstalldirs \
+ config.guess \
+ ltmain.sh \
+ config.sub \
+ depcomp \
+ Makefile.in \
+ config.h.* \
+ aclocal.m4 \
+ version.m4 \
+ $(NULL)
+
diff --git a/client/config.c b/client/config.c
new file mode 100644
index 000000000..ecc126ff4
--- /dev/null
+++ b/client/config.c
@@ -0,0 +1,174 @@
+/* Authors: Rob Crittenden <rcritten@redhat.com>
+ *
+ * Copyright (C) 2009 Red Hat
+ * see file 'COPYING' for use and warranty information
+ *
+ * This program is free software you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ */
+
+/* Simple and INI-style file reader.
+ *
+ * usage is:
+ * char * data = read_config_file("/path/to/something.conf")
+ * char * entry = get_config_entry(data, "section", "mykey")
+ *
+ * caller must free data and entry.
+ */
+
+#define _GNU_SOURCE
+
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <string.h>
+#include <unistd.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <ctype.h>
+
+#include <errno.h>
+#include "config.h"
+
+#include "ipa-client-common.h"
+
+char *
+read_config_file(const char *filename)
+{
+ int fd = -1;
+ struct stat st;
+ char *data = NULL;
+ char *dest;
+ size_t left;
+
+ fd = open(filename, O_RDONLY);
+ if (fd == -1) {
+ fprintf(stderr, _("cannot open configuration file %s\n"), filename);
+ goto error_out;
+ }
+
+ /* stat() the file so we know the size and can pre-allocate the right
+ * amount of memory. */
+ if (fstat(fd, &st) == -1) {
+ fprintf(stderr, _("cannot stat() configuration file %s\n"), filename);
+ goto error_out;
+ }
+ left = st.st_size;
+ data = malloc(st.st_size + 1);
+ if (data == NULL) {
+ fprintf(stderr, _("out of memory\n"));
+ goto error_out;
+ }
+ dest = data;
+ while (left != 0) {
+ ssize_t res;
+
+ res = read(fd, dest, left);
+ if (res == 0)
+ break;
+ if (res < 0) {
+ fprintf(stderr, _("read error\n"));
+ goto error_out;
+ }
+ dest += res;
+ left -= res;
+ }
+ close(fd);
+ *dest = 0;
+ return data;
+
+error_out:
+ if (fd != -1) close(fd);
+ free(data);
+ return NULL;
+}
+
+char *
+get_config_entry(char * in_data, const char *section, const char *key)
+{
+ char *ptr = NULL, *p, *tmp;
+ char *line;
+ int in_section = 0;
+ char * data;
+
+ if (NULL == in_data)
+ return NULL;
+ else
+ data = strdup(in_data);
+
+ for (line = strtok_r(data, "\n", &ptr); line != NULL;
+ line = strtok_r(NULL, "\n", &ptr)) {
+ /* Skip initial whitespace. */
+ while (isspace((unsigned char)*line) && (*line != '\0'))
+ line++;
+
+ /* If it's a comment, bail. */
+ if (*line == '#') {
+ continue;
+ }
+
+ /* If it's the beginning of a section, process it and clear the key
+ * and value values. */
+ if (*line == '[') {
+ line++;
+ p = strchr(line, ']');
+ if (p) {
+ tmp = strndup(line, p - line);
+ if (in_section) {
+ /* We exited the matching section without a match */
+ free(data);
+ return NULL;
+ }
+ if (strcmp(section, tmp) == 0) {
+ free(tmp);
+ in_section = 1;
+ continue;
+ }
+ }
+ } /* [ */
+
+ p = strchr(line, '=');
+ if (p != NULL && in_section) {
+ /* Trim any trailing whitespace off the key name. */
+ while (p != line && isspace((unsigned char)p[-1]))
+ p--;
+
+ /* Save the key. */
+ tmp = strndup(line, p - line);
+ if (strcmp(key, tmp) != 0) {
+ free(tmp);
+ } else {
+ free(tmp);
+
+ /* Skip over any whitespace after the equal sign. */
+ line = strchr(line, '=');
+ line++;
+ while (isspace((unsigned char)*line) && (*line != '\0'))
+ line++;
+
+ /* Trim off any trailing whitespace. */
+ p = strchr(line, '\0');
+ while (p != line && isspace((unsigned char)p[-1]))
+ p--;
+
+ /* Save the value. */
+ tmp = strndup(line, p - line);
+
+ free(data);
+ return tmp;
+ }
+ }
+ }
+ free(data);
+ return NULL;
+}
diff --git a/client/configure.ac b/client/configure.ac
new file mode 100644
index 000000000..8e3a71f7b
--- /dev/null
+++ b/client/configure.ac
@@ -0,0 +1,244 @@
+AC_PREREQ(2.59)
+m4_include(version.m4)
+AC_INIT([ipa-client],
+ IPA_VERSION,
+ [https://hosted.fedoraproject.org/projects/freeipa/newticket])
+LT_INIT()
+AC_PROG_LIBTOOL
+
+AC_CONFIG_HEADERS([config.h])
+AC_CONFIG_SUBDIRS([../asn1])
+
+AM_INIT_AUTOMAKE([foreign])
+
+AM_MAINTAINER_MODE
+
+AC_PROG_CC_C99
+AC_STDC_HEADERS
+AC_DISABLE_STATIC
+
+AC_HEADER_STDC
+
+AM_CONDITIONAL([HAVE_GCC], [test "$ac_cv_prog_gcc" = yes])
+
+AC_SUBST(VERSION)
+AC_SUBST([INSTALL_DATA], ['$(INSTALL) -m 644 -p'])
+
+dnl ---------------------------------------------------------------------------
+dnl - Check for KRB5
+dnl ---------------------------------------------------------------------------
+
+KRB5_LIBS=
+AC_CHECK_HEADER(krb5.h, [], [AC_MSG_ERROR([krb5.h not found])])
+
+krb5_impl=mit
+
+if test "x$ac_cv_header_krb5_h" = "xyes" ; then
+ dnl lazy check for Heimdal Kerberos
+ AC_CHECK_HEADERS(heim_err.h)
+ if test $ac_cv_header_heim_err_h = yes ; then
+ krb5_impl=heimdal
+ else
+ krb5_impl=mit
+ fi
+
+ if test "x$krb5_impl" = "xmit"; then
+ AC_CHECK_LIB(k5crypto, main,
+ [krb5crypto=k5crypto],
+ [krb5crypto=crypto])
+
+ AC_CHECK_LIB(krb5, main,
+ [have_krb5=yes
+ KRB5_LIBS="-lkrb5 -l$krb5crypto -lcom_err"],
+ [have_krb5=no],
+ [-l$krb5crypto -lcom_err])
+
+ elif test "x$krb5_impl" = "xheimdal"; then
+ AC_CHECK_LIB(des, main,
+ [krb5crypto=des],
+ [krb5crypto=crypto])
+
+ AC_CHECK_LIB(krb5, main,
+ [have_krb5=yes
+ KRB5_LIBS="-lkrb5 -l$krb5crypto -lasn1 -lroken -lcom_err"],
+ [have_krb5=no],
+ [-l$krb5crypto -lasn1 -lroken -lcom_err])
+
+ AC_DEFINE(HAVE_HEIMDAL_KERBEROS, 1,
+ [define if you have HEIMDAL Kerberos])
+
+ else
+ have_krb5=no
+ AC_MSG_WARN([Unrecognized Kerberos5 Implementation])
+ fi
+
+ if test "x$have_krb5" = "xyes" ; then
+ ol_link_krb5=yes
+
+ AC_DEFINE(HAVE_KRB5, 1,
+ [define if you have Kerberos V])
+
+ else
+ AC_MSG_ERROR([Required Kerberos 5 support not available])
+ fi
+
+fi
+
+AC_SUBST(KRB5_LIBS)
+
+dnl ---------------------------------------------------------------------------
+dnl - OpenLDAP SDK
+dnl ---------------------------------------------------------------------------
+
+AC_CHECK_LIB(ldap, ldap_search, with_ldap=yes)
+dnl Check for other libraries we need to link with to get the main routines.
+test "$with_ldap" != "yes" && { AC_CHECK_LIB(ldap, ldap_open, [with_ldap=yes with_ldap_lber=yes], , -llber) }
+test "$with_ldap" != "yes" && { AC_CHECK_LIB(ldap, ldap_open, [with_ldap=yes with_ldap_lber=yes with_ldap_krb=yes], , -llber -lkrb) }
+test "$with_ldap" != "yes" && { AC_CHECK_LIB(ldap, ldap_open, [with_ldap=yes with_ldap_lber=yes with_ldap_krb=yes with_ldap_des=yes], , -llber -lkrb -ldes) }
+dnl Recently, we need -lber even though the main routines are elsewhere,
+dnl because otherwise be get link errors w.r.t. ber_pvt_opt_on. So just
+dnl check for that (it's a variable not a fun but that doesn't seem to
+dnl matter in these checks) and stick in -lber if so. Can't hurt (even to
+dnl stick it in always shouldn't hurt, I don't think) ... #### Someone who
+dnl #### understands LDAP needs to fix this properly.
+test "$with_ldap_lber" != "yes" && { AC_CHECK_LIB(lber, ber_pvt_opt_on, with_ldap_lber=yes) }
+
+if test "$with_ldap" = "yes"; then
+ if test "$with_ldap_des" = "yes" ; then
+ OPENLDAP_LIBS="${OPENLDAP_LIBS} -ldes"
+ fi
+ if test "$with_ldap_krb" = "yes" ; then
+ OPENLDAP_LIBS="${OPENLDAP_LIBS} -lkrb"
+ fi
+ if test "$with_ldap_lber" = "yes" ; then
+ OPENLDAP_LIBS="${OPENLDAP_LIBS} -llber"
+ fi
+ OPENLDAP_LIBS="${OPENLDAP_LIBS} -lldap"
+else
+ AC_MSG_ERROR([OpenLDAP not found])
+fi
+
+AC_SUBST(OPENLDAP_LIBS)
+
+
+dnl ---------------------------------------------------------------------------
+dnl - Check for POPT
+dnl ---------------------------------------------------------------------------
+
+POPT_LIBS=
+AC_CHECK_HEADER(popt.h, [], [AC_MSG_ERROR([popt.h not found])])
+AC_CHECK_LIB(popt, poptGetContext, [POPT_LIBS="-lpopt"])
+AC_SUBST(POPT_LIBS)
+
+dnl ---------------------------------------------------------------------------
+dnl - Check for SASL
+dnl ---------------------------------------------------------------------------
+
+SASL_LIBS=
+AC_CHECK_HEADER(sasl/sasl.h, [], [AC_MSG_ERROR([sasl/sasl.h not found])])
+AC_CHECK_LIB(sasl2, sasl_client_init, [SASL_LIBS="-lsasl2"])
+AC_SUBST(SASL_LIBS)
+
+dnl ---------------------------------------------------------------------------
+dnl - Check for CURL
+dnl ---------------------------------------------------------------------------
+
+CURL_LIBS=
+AC_CHECK_HEADER(curl/curl.h, [], [AC_MSG_ERROR([curl/curl.h not found])])
+AC_CHECK_LIB(curl, curl_easy_init, [CURL_LIBS="-lcurl"])
+if test "x$CURL_LIBS" = "x" ; then
+ AC_MSG_ERROR([curl not found])
+fi
+AC_SUBST(CURL_LIBS)
+
+dnl ---------------------------------------------------------------------------
+dnl - Check for XMLRPC-C
+dnl ---------------------------------------------------------------------------
+
+XMLRPC_LIBS=
+AC_CHECK_HEADER(xmlrpc-c/base.h, [], [AC_MSG_ERROR([xmlrpc-c/base.h not found])])
+AC_CHECK_LIB(xmlrpc_client, xmlrpc_client_init2, [XMLRPC_LIBS="-lxmlrpc -lxmlrpc_client -lxmlrpc_util"])
+if test "x$XMLRPC_LIBS" = "x" ; then
+ AC_MSG_ERROR([xmlrpc-c not found])
+fi
+AC_SUBST(XMLRPC_LIBS)
+
+dnl ---------------------------------------------------------------------------
+dnl - Check for libintl
+dnl ---------------------------------------------------------------------------
+SAVE_LIBS="$LIBS"
+LIBINTL_LIBS=
+AC_CHECK_HEADER(libintl.h, [], [AC_MSG_ERROR([libintl.h not found, please install xgettext])])
+AC_SEARCH_LIBS([bindtextdomain], [libintl],[], [])
+if test "x$ac_cv_search_bindtextdomain" = "xno" ; then
+ AC_MSG_ERROR([libintl is not found and your libc does not support gettext, please install xgettext])
+elif test "x$ac_cv_search_bindtextdomain" != "xnone required" ; then
+ LIBINTL_LIBS="$ac_cv_search_bindtextdomain"
+fi
+LIBS="$SAVELIBS"
+AC_SUBST(LIBINTL_LIBS)
+
+dnl ---------------------------------------------------------------------------
+dnl - Check for libini_config
+dnl ---------------------------------------------------------------------------
+PKG_CHECK_MODULES([LIBINI_CONFIG], [ini_config >= 1.2.0], [have_libini_config=1], [have_libini_config=])
+if test x$have_libini_config = x; then
+ AC_MSG_WARN([Could not find LIBINI_CONFIG headers])
+else
+ INI_CONFIG_CFLAGS="`$PKG_CONFIG --cflags ini_config`"
+ INI_CONFIG_LIBS="`$PKG_CONFIG --libs ini_config`"
+ AC_CHECK_LIB(ini_config, ini_config_file_open, [],
+ [AC_MSG_WARN([ini_config library must support ini_config_file_open])],
+ [$INI_CONFIG_LIBS])
+ AC_CHECK_LIB(ini_config, ini_config_augment, [],
+ [AC_MSG_WARN([ini_config library must support ini_config_augment])],
+ [$INI_CONFIG_LIBS])
+fi
+
+if test x$have_libini_config = x1; then
+ INI_CFLAGS="$INI_CONFIG_CFLAGS"
+ INI_LIBS="$INI_CONFIG_LIBS"
+else
+ AC_MSG_ERROR([ini_config development packages not available])
+fi
+
+AC_SUBST(INI_LIBS)
+AC_SUBST(INI_CFLAGS)
+
+
+dnl ---------------------------------------------------------------------------
+dnl - Set the data install directory since we don't use pkgdatadir
+dnl ---------------------------------------------------------------------------
+
+IPA_DATA_DIR="$datadir/ipa"
+AC_SUBST(IPA_DATA_DIR)
+
+dnl ---------------------------------------------------------------------------
+dnl Finish
+dnl ---------------------------------------------------------------------------
+
+# Files
+
+AC_CONFIG_FILES([
+ Makefile
+ ../asn1/Makefile
+ man/Makefile
+])
+
+AC_OUTPUT
+
+echo "
+ IPA client $VERSION
+ ========================
+
+ prefix: ${prefix}
+ exec_prefix: ${exec_prefix}
+ libdir: ${libdir}
+ bindir: ${bindir}
+ sbindir: ${sbindir}
+ sysconfdir: ${sysconfdir}
+ localstatedir: ${localstatedir}
+ datadir: ${datadir}
+ source code location: ${srcdir}
+ Maintainer mode: ${USE_MAINTAINER_MODE}
+"
diff --git a/client/ipa-certupdate b/client/ipa-certupdate
new file mode 100755
index 000000000..072c451bc
--- /dev/null
+++ b/client/ipa-certupdate
@@ -0,0 +1,23 @@
+#! /usr/bin/python2 -E
+# Authors: Jan Cholasta <jcholast@redhat.com>
+#
+# Copyright (C) 2014 Red Hat
+# see file 'COPYING' for use and warranty information
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+
+from ipaclient.ipa_certupdate import CertUpdate
+
+CertUpdate.run_cli()
diff --git a/client/ipa-client-automount b/client/ipa-client-automount
new file mode 100755
index 000000000..f06aa7f8d
--- /dev/null
+++ b/client/ipa-client-automount
@@ -0,0 +1,505 @@
+#!/usr/bin/python2 -E
+#
+# Authors:
+# Rob Crittenden <rcritten@redhat.com>
+#
+# Copyright (C) 2012 Red Hat
+# see file 'COPYING' for use and warranty information
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+# Configure the automount client for ldap.
+
+from __future__ import print_function
+
+import sys
+import os
+import time
+import tempfile
+import gssapi
+
+import SSSDConfig
+from six.moves.urllib.parse import urlsplit
+
+from optparse import OptionParser
+from ipalib import api, errors
+from ipapython import sysrestore
+from ipapython import ipautil
+from ipaclient import ipadiscovery
+from ipaclient import ipachangeconf
+from ipapython.ipa_log_manager import root_logger, standard_logging_setup
+from ipapython.dn import DN
+from ipaplatform.constants import constants
+from ipaplatform.tasks import tasks
+from ipaplatform import services
+from ipaplatform.paths import paths
+
+
+def parse_options():
+ usage = "%prog [options]\n"
+ parser = OptionParser(usage=usage)
+ parser.add_option("--server", dest="server", help="IPA server")
+ parser.add_option("--location", dest="location", help="Automount location",
+ default="default")
+ parser.add_option("-S", "--no-sssd", dest="sssd",
+ action="store_false", default=True,
+ help="Do not configure the client to use SSSD for automount")
+ parser.add_option("--debug", dest="debug", action="store_true",
+ default=False, help="enable debugging")
+ parser.add_option("-U", "--unattended", dest="unattended",
+ action="store_true", default=False,
+ help="unattended installation never prompts the user")
+ parser.add_option("--uninstall", dest="uninstall", action="store_true",
+ default=False, help="Unconfigure automount")
+
+ options, args = parser.parse_args()
+ return options, args
+
+def wait_for_sssd():
+ """
+ It takes a bit for sssd to get going, lets loop until it is
+ serving data.
+
+ This function returns nothing.
+ """
+ n = 0
+ found = False
+ time.sleep(1)
+ while n < 10 and not found:
+ try:
+ ipautil.run(["getent", "passwd", "admin@%s" % api.env.realm])
+ found = True
+ except Exception as e:
+ time.sleep(1)
+ n = n + 1
+
+ # This should never happen but if it does, may as well warn the user
+ if not found:
+ err_msg = ("Unable to find 'admin' user with "
+ "'getent passwd admin@%s'!" % api.env.realm)
+ root_logger.debug(err_msg)
+ print(err_msg)
+ print("This may mean that sssd didn't re-start properly after the configuration changes.")
+
+def configure_xml(fstore):
+ from lxml import etree
+
+ fstore.backup_file(paths.AUTOFS_LDAP_AUTH_CONF)
+
+ try:
+ f = open(paths.AUTOFS_LDAP_AUTH_CONF, 'r')
+ lines = f.read()
+ f.close()
+
+ saslconf = etree.fromstring(lines)
+ element = saslconf.xpath('//autofs_ldap_sasl_conf')
+ root = saslconf.getroottree()
+ except IOError as e:
+ root_logger.debug('Unable to open file %s' % e)
+ root_logger.debug('Creating new from template')
+ element = [etree.Element('autofs_ldap_sasl_conf')]
+ root = element[0].getroottree()
+
+ if len(element) != 1:
+ raise RuntimeError('Unable to parse %s' % paths.AUTOFS_LDAP_AUTH_CONF)
+
+ element[0].set('usetls', 'no')
+ element[0].set('tlsrequired', 'no')
+ element[0].set('authrequired', 'yes')
+ element[0].set('authtype', 'GSSAPI')
+ element[0].set('clientprinc', 'host/%s@%s' % (api.env.host, api.env.realm))
+
+ newconf = open(paths.AUTOFS_LDAP_AUTH_CONF, 'w')
+ try:
+ root.write(newconf, pretty_print=True, xml_declaration=True, encoding='UTF-8')
+ newconf.close()
+ except IOError as e:
+ print("Unable to write %s: %s" % (paths.AUTOFS_LDAP_AUTH_CONF, e))
+ print("Configured %s" % paths.AUTOFS_LDAP_AUTH_CONF)
+
+def configure_nsswitch(fstore, options):
+ """
+ Point automount to ldap in nsswitch.conf. This function is for non-SSSD
+ setups only
+ """
+ fstore.backup_file(paths.NSSWITCH_CONF)
+
+ conf = ipachangeconf.IPAChangeConf("IPA Installer")
+ conf.setOptionAssignment(':')
+
+ nss_value = ' files ldap'
+
+ opts = [{'name':'automount', 'type':'option', 'action':'set', 'value':nss_value},
+ {'name':'empty', 'type':'empty'}]
+
+ conf.changeConf(paths.NSSWITCH_CONF, opts)
+
+ print("Configured %s" % paths.NSSWITCH_CONF)
+
+def configure_autofs_sssd(fstore, statestore, autodiscover, options):
+ try:
+ sssdconfig = SSSDConfig.SSSDConfig()
+ sssdconfig.import_config()
+ domains = sssdconfig.list_active_domains()
+ except Exception as e:
+ sys.exit(e)
+
+ try:
+ sssdconfig.new_service('autofs')
+ except SSSDConfig.ServiceAlreadyExists:
+ pass
+ except SSSDConfig.ServiceNotRecognizedError:
+ root_logger.error("Unable to activate the Autofs service in SSSD config.")
+ root_logger.info(
+ "Please make sure you have SSSD built with autofs support installed.")
+ root_logger.info(
+ "Configure autofs support manually in /etc/sssd/sssd.conf.")
+ sys.exit("Cannot create the autofs service in sssd.conf")
+
+ sssdconfig.activate_service('autofs')
+
+ domain = None
+ for name in domains:
+ domain = sssdconfig.get_domain(name)
+ try:
+ provider = domain.get_option('id_provider')
+ except SSSDConfig.NoOptionError:
+ continue
+ if provider == "ipa":
+ domain.add_provider('ipa', 'autofs')
+ try:
+ location = domain.get_option('ipa_automount_location')
+ sys.exit('An automount location is already configured')
+ except SSSDConfig.NoOptionError:
+ domain.set_option('ipa_automount_location', options.location)
+ break
+
+ if domain is None:
+ sys.exit('SSSD is not configured.')
+
+ sssdconfig.save_domain(domain)
+ sssdconfig.write(paths.SSSD_CONF)
+ statestore.backup_state('autofs', 'sssd', True)
+
+ sssd = services.service('sssd')
+ sssd.restart()
+ print("Restarting sssd, waiting for it to become available.")
+ wait_for_sssd()
+
+def configure_autofs(fstore, statestore, autodiscover, server, options):
+ """
+ fstore: the FileStore to back up files in
+ options.server: the IPA server to use
+ options.location: the Automount location to use
+ """
+ if not autodiscover:
+ ldap_uri = "ldap://%s" % server
+ else:
+ ldap_uri = "ldap:///%s" % api.env.basedn
+
+ search_base = str(DN(('cn', options.location), api.env.container_automount, api.env.basedn))
+ replacevars = {
+ 'MAP_OBJECT_CLASS': 'automountMap',
+ 'ENTRY_OBJECT_CLASS': 'automount',
+ 'MAP_ATTRIBUTE': 'automountMapName',
+ 'ENTRY_ATTRIBUTE': 'automountKey',
+ 'VALUE_ATTRIBUTE': 'automountInformation',
+ 'SEARCH_BASE': search_base,
+ 'LDAP_URI': ldap_uri,
+ }
+
+ ipautil.backup_config_and_replace_variables(fstore,
+ paths.SYSCONFIG_AUTOFS, replacevars=replacevars)
+ tasks.restore_context(paths.SYSCONFIG_AUTOFS)
+ statestore.backup_state('autofs', 'sssd', False)
+
+ print("Configured %s" % paths.SYSCONFIG_AUTOFS)
+
+def configure_autofs_common(fstore, statestore, options):
+ autofs = services.knownservices.autofs
+ statestore.backup_state('autofs', 'enabled', autofs.is_enabled())
+ statestore.backup_state('autofs', 'running', autofs.is_running())
+ try:
+ autofs.restart()
+ print("Started %s" % autofs.service_name)
+ except Exception as e:
+ root_logger.error("%s failed to restart: %s", autofs.service_name, e)
+ try:
+ autofs.enable()
+ except Exception as e:
+ print("Failed to configure automatic startup of the %s daemon" % (autofs.service_name))
+ root_logger.error("Failed to enable automatic startup of the %s daemon: %s" % (autofs.service_name, str(e)))
+
+def uninstall(fstore, statestore):
+ print("Restoring configuration")
+ if fstore.has_file(paths.SYSCONFIG_AUTOFS):
+ fstore.restore_file(paths.SYSCONFIG_AUTOFS)
+ if fstore.has_file(paths.NSSWITCH_CONF):
+ fstore.restore_file(paths.NSSWITCH_CONF)
+ if fstore.has_file(paths.AUTOFS_LDAP_AUTH_CONF):
+ fstore.restore_file(paths.AUTOFS_LDAP_AUTH_CONF)
+ if fstore.has_file(paths.SYSCONFIG_NFS):
+ fstore.restore_file(paths.SYSCONFIG_NFS)
+ if fstore.has_file(paths.IDMAPD_CONF):
+ fstore.restore_file(paths.IDMAPD_CONF)
+ if statestore.has_state('autofs'):
+ enabled = statestore.restore_state('autofs', 'enabled')
+ running = statestore.restore_state('autofs', 'running')
+ sssd = statestore.restore_state('autofs', 'sssd')
+ autofs = services.knownservices.autofs
+ if not enabled:
+ autofs.disable()
+ if not running:
+ autofs.stop()
+ if sssd:
+ try:
+ sssdconfig = SSSDConfig.SSSDConfig()
+ sssdconfig.import_config()
+ sssdconfig.deactivate_service('autofs')
+ domains = sssdconfig.list_active_domains()
+ for name in domains:
+ domain = sssdconfig.get_domain(name)
+ try:
+ provider = domain.get_option('id_provider')
+ except SSSDConfig.NoOptionError:
+ continue
+ if provider == "ipa":
+ domain.remove_option('ipa_automount_location')
+ domain.remove_provider('autofs')
+ break
+ sssdconfig.save_domain(domain)
+ sssdconfig.write(paths.SSSD_CONF)
+ sssd = services.service('sssd')
+ sssd.restart()
+ wait_for_sssd()
+ except Exception as e:
+ print('Unable to restore SSSD configuration: %s' % str(e))
+ root_logger.debug('Unable to restore SSSD configuration: %s' % str(e))
+ if statestore.has_state('rpcidmapd'):
+ enabled = statestore.restore_state('rpcidmapd', 'enabled')
+ running = statestore.restore_state('rpcidmapd', 'running')
+ rpcidmapd = services.knownservices.rpcidmapd
+ if not enabled:
+ rpcidmapd.disable()
+ if not running:
+ rpcidmapd.stop()
+ if statestore.has_state('rpcgssd'):
+ enabled = statestore.restore_state('rpcgssd', 'enabled')
+ running = statestore.restore_state('rpcgssd', 'running')
+ rpcgssd = services.knownservices.rpcgssd
+ if not enabled:
+ rpcgssd.disable()
+ if not running:
+ rpcgssd.stop()
+
+ return 0
+
+def configure_nfs(fstore, statestore):
+ """
+ Configure secure NFS
+ """
+ replacevars = {
+ constants.SECURE_NFS_VAR: 'yes',
+ }
+ ipautil.backup_config_and_replace_variables(fstore,
+ paths.SYSCONFIG_NFS, replacevars=replacevars)
+ tasks.restore_context(paths.SYSCONFIG_NFS)
+
+ print("Configured %s" % paths.SYSCONFIG_NFS)
+
+ # Prepare the changes
+ # We need to use IPAChangeConf as simple regexp substitution
+ # does not cut it here
+ conf = ipachangeconf.IPAChangeConf("IPA automount installer")
+ conf.case_insensitive_sections = False
+ conf.setOptionAssignment(" = ")
+ conf.setSectionNameDelimiters(("[", "]"))
+
+ changes = [conf.setOption('Domain', api.env.domain)]
+ section_with_changes = [conf.setSection('General', changes)]
+
+ # Backup the file and apply the changes
+ fstore.backup_file(paths.IDMAPD_CONF)
+ conf.changeConf(paths.IDMAPD_CONF, section_with_changes)
+
+ tasks.restore_context(paths.IDMAPD_CONF)
+
+ print("Configured %s" % paths.IDMAPD_CONF)
+
+ rpcidmapd = services.knownservices.rpcidmapd
+ statestore.backup_state('rpcidmapd', 'enabled', rpcidmapd.is_enabled())
+ statestore.backup_state('rpcidmapd', 'running', rpcidmapd.is_running())
+ try:
+ rpcidmapd.restart()
+ print("Started %s" % rpcidmapd.service_name)
+ except Exception as e:
+ root_logger.error("%s failed to restart: %s", rpcidmapd.service_name, e)
+ try:
+ rpcidmapd.enable()
+ except Exception as e:
+ print("Failed to configure automatic startup of the %s daemon" % (rpcidmapd.service_name))
+ root_logger.error("Failed to enable automatic startup of the %s daemon: %s" % (rpcidmapd.service_name, str(e)))
+
+ rpcgssd = services.knownservices.rpcgssd
+ statestore.backup_state('rpcgssd', 'enabled', rpcgssd.is_enabled())
+ statestore.backup_state('rpcgssd', 'running', rpcgssd.is_running())
+ try:
+ rpcgssd.restart()
+ print("Started %s" % rpcgssd.service_name)
+ except Exception as e:
+ root_logger.error("%s failed to restart: %s", rpcgssd.service_name, e)
+ try:
+ rpcgssd.enable()
+ except Exception as e:
+ print("Failed to configure automatic startup of the %s daemon" % (rpcgssd.service_name))
+ root_logger.error("Failed to enable automatic startup of the %s daemon: %s" % (rpcgssd.service_name, str(e)))
+
+def main():
+
+ fstore = sysrestore.FileStore(paths.IPA_CLIENT_SYSRESTORE)
+ statestore = sysrestore.StateFile(paths.IPA_CLIENT_SYSRESTORE)
+ if not fstore.has_files() and not os.path.exists(paths.IPA_DEFAULT_CONF):
+ sys.exit('IPA client is not configured on this system.\n')
+
+ options, args = parse_options()
+
+ standard_logging_setup(
+ paths.IPACLIENT_INSTALL_LOG, verbose=False, debug=options.debug,
+ filemode='a', console_format='%(message)s')
+
+ cfg = dict(
+ context='cli_installer',
+ in_server=False,
+ debug=options.debug,
+ verbose=0,
+ )
+
+ api.bootstrap(**cfg)
+ api.finalize()
+
+ ca_cert_path = None
+ if os.path.exists(paths.IPA_CA_CRT):
+ ca_cert_path = paths.IPA_CA_CRT
+
+ if options.uninstall:
+ return uninstall(fstore, statestore)
+
+ if statestore.has_state('autofs'):
+ sys.exit('automount is already configured on this system.\n')
+
+ autodiscover = False
+ servers = []
+ ds = ipadiscovery.IPADiscovery()
+ if not options.server:
+ print("Searching for IPA server...")
+ ret = ds.search(ca_cert_path=ca_cert_path)
+ root_logger.debug('Executing DNS discovery')
+ if ret == ipadiscovery.NO_LDAP_SERVER:
+ root_logger.debug('Autodiscovery did not find LDAP server')
+ s = urlsplit(api.env.xmlrpc_uri)
+ server = [s.netloc]
+ root_logger.debug('Setting server to %s' % s.netloc)
+ else:
+ autodiscover = True
+ if not ds.servers:
+ sys.exit('Autodiscovery was successful but didn\'t return a server')
+ root_logger.debug('Autodiscovery success, possible servers %s' % ','.join(ds.servers))
+ server = ds.servers[0]
+ else:
+ server = options.server
+ root_logger.debug("Verifying that %s is an IPA server" % server)
+ ldapret = ds.ipacheckldap(server, api.env.realm, ca_cert_path)
+ if ldapret[0] == ipadiscovery.NO_ACCESS_TO_LDAP:
+ print("Anonymous access to the LDAP server is disabled.")
+ print("Proceeding without strict verification.")
+ print("Note: This is not an error if anonymous access has been explicitly restricted.")
+ elif ldapret[0] == ipadiscovery.NO_TLS_LDAP:
+ root_logger.warning("Unencrypted access to LDAP is not supported.")
+ elif ldapret[0] != 0:
+ sys.exit('Unable to confirm that %s is an IPA server' % server)
+
+ if not autodiscover:
+ print("IPA server: %s" % server)
+ root_logger.debug('Using fixed server %s' % server)
+ else:
+ print("IPA server: DNS discovery")
+ root_logger.debug('Configuring to use DNS discovery')
+
+ search_base = str(DN(('cn', options.location), api.env.container_automount, api.env.basedn))
+ print("Location: %s" % options.location)
+ root_logger.debug('Using automount location %s' % options.location)
+
+ ccache_dir = tempfile.mkdtemp()
+ ccache_name = os.path.join(ccache_dir, 'ccache')
+ try:
+ try:
+ host_princ = str('host/%s@%s' % (api.env.host, api.env.realm))
+ ipautil.kinit_keytab(host_princ, paths.KRB5_KEYTAB, ccache_name)
+ os.environ['KRB5CCNAME'] = ccache_name
+ except gssapi.exceptions.GSSError as e:
+ sys.exit("Failed to obtain host TGT: %s" % e)
+ # Now we have a TGT, connect to IPA
+ try:
+ api.Backend.rpcclient.connect()
+ except errors.KerberosError as e:
+ sys.exit('Cannot connect to the server due to ' + str(e))
+ try:
+ # Use the RPC directly so older servers are supported
+ result = api.Backend.rpcclient.forward(
+ 'automountlocation_show',
+ ipautil.fsdecode(options.location),
+ version=u'2.0',
+ )
+ except errors.VersionError as e:
+ sys.exit('This client is incompatible: ' + str(e))
+ except errors.NotFound:
+ sys.exit("Automount location '%s' does not exist" % options.location)
+ except errors.PublicError as e:
+ sys.exit("Cannot connect to the server due to generic error: %s" % str(e))
+ finally:
+ os.remove(ccache_name)
+ os.rmdir(ccache_dir)
+
+ if not options.unattended and not ipautil.user_input("Continue to configure the system with these values?", False):
+ sys.exit("Installation aborted")
+
+ try:
+ if not options.sssd:
+ configure_nsswitch(fstore, options)
+ configure_nfs(fstore, statestore)
+ if options.sssd:
+ configure_autofs_sssd(fstore, statestore, autodiscover, options)
+ else:
+ configure_xml(fstore)
+ configure_autofs(fstore, statestore, autodiscover, server, options)
+ configure_autofs_common(fstore, statestore, options)
+ except Exception as e:
+ root_logger.debug('Raised exception %s' % e)
+ print("Installation failed. Rolling back changes.")
+ uninstall(fstore, statestore)
+ return 1
+
+ return 0
+
+try:
+ if not os.geteuid()==0:
+ sys.exit("\nMust be run as root\n")
+
+ sys.exit(main())
+except SystemExit as e:
+ sys.exit(e)
+except RuntimeError as e:
+ sys.exit(e)
+except (KeyboardInterrupt, EOFError):
+ sys.exit(1)
diff --git a/client/ipa-client-common.c b/client/ipa-client-common.c
new file mode 100644
index 000000000..23f384a6e
--- /dev/null
+++ b/client/ipa-client-common.c
@@ -0,0 +1,48 @@
+/* Authors: Jakub Hrozek <jhrozek@redhat.com>
+ *
+ * Copyright (C) 2010 Red Hat
+ * see file 'COPYING' for use and warranty information
+ *
+ * This program is free software you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include <locale.h>
+#include <libintl.h>
+#include <errno.h>
+
+#include "config.h"
+
+int init_gettext(void)
+{
+ char *c;
+
+ c = setlocale(LC_ALL, "");
+ if (!c) {
+ return EIO;
+ }
+
+ errno = 0;
+ c = bindtextdomain("ipa", LOCALEDIR);
+ if (c == NULL) {
+ return errno;
+ }
+
+ errno = 0;
+ c = textdomain("ipa");
+ if (c == NULL) {
+ return errno;
+ }
+
+ return 0;
+}
diff --git a/client/ipa-client-common.h b/client/ipa-client-common.h
new file mode 100644
index 000000000..e831c596c
--- /dev/null
+++ b/client/ipa-client-common.h
@@ -0,0 +1,33 @@
+/* Authors: Jakub Hrozek <jhrozek@redhat.com>
+ *
+ * Copyright (C) 2010 Red Hat
+ * see file 'COPYING' for use and warranty information
+ *
+ * This program is free software you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#ifndef __IPA_CLIENT_COMMON_H
+#define __IPA_CLIENT_COMMON_H
+
+#include <libintl.h>
+#define _(STRING) gettext(STRING)
+
+#include <stdint.h>
+#ifndef discard_const
+#define discard_const(ptr) ((void *)((uintptr_t)(ptr)))
+#endif
+
+int init_gettext(void);
+
+#endif /* __IPA_CLIENT_COMMON_H */
diff --git a/client/ipa-client-install b/client/ipa-client-install
new file mode 100755
index 000000000..072bf9d17
--- /dev/null
+++ b/client/ipa-client-install
@@ -0,0 +1,3144 @@
+#! /usr/bin/python2 -E
+# Authors: Simo Sorce <ssorce@redhat.com>
+# Karl MacMillan <kmacmillan@mentalrootkit.com>
+#
+# Copyright (C) 2007 Red Hat
+# see file 'COPYING' for use and warranty information
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+
+from __future__ import print_function
+
+try:
+ import sys
+
+ import os
+ import time
+ import socket
+ import tempfile
+ import getpass
+ from six.moves.configparser import RawConfigParser
+ from optparse import SUPPRESS_HELP, OptionGroup, OptionValueError
+ import dns
+ import gssapi
+
+ import nss.nss as nss
+ import SSSDConfig
+ from six.moves.urllib.parse import urlparse, urlunparse
+
+ from ipapython.ipa_log_manager import standard_logging_setup, root_logger
+ from ipaclient import ipadiscovery
+ import ipaclient.ipachangeconf
+ import ipaclient.ntpconf
+ from ipapython.ipautil import (
+ run, user_input, CalledProcessError, file_exists, dir_exists,
+ realm_to_suffix)
+ from ipaplatform.tasks import tasks
+ from ipaplatform import services
+ from ipaplatform.paths import paths
+ from ipapython import ipautil, sysrestore, version, certmonger, ipaldap
+ from ipapython import kernel_keyring, certdb
+ from ipapython.config import IPAOptionParser
+ from ipalib import api, errors
+ from ipalib import x509, certstore
+ from ipalib.util import verify_host_resolvable
+ from ipalib.constants import CACERT
+ from ipapython.dn import DN
+ from ipapython.ssh import SSHPublicKey
+ from ipalib.rpc import delete_persistent_client_session_data
+
+except ImportError as e:
+ print("""\
+There was a problem importing one of the required Python modules. The
+error was:
+
+ %s
+""" % e, file=sys.stderr)
+ sys.exit(1)
+
+SUCCESS = 0
+CLIENT_INSTALL_ERROR = 1
+CLIENT_NOT_CONFIGURED = 2
+CLIENT_ALREADY_CONFIGURED = 3
+CLIENT_UNINSTALL_ERROR = 4 # error after restoring files/state
+
+def parse_options():
+ def validate_ca_cert_file_option(option, opt, value, parser):
+ if not os.path.exists(value):
+ raise OptionValueError("%s option '%s' does not exist" % (opt, value))
+ if not os.path.isfile(value):
+ raise OptionValueError("%s option '%s' is not a file" % (opt, value))
+ if not os.path.isabs(value):
+ raise OptionValueError("%s option '%s' is not an absolute file path" % (opt, value))
+
+ initialized = nss.nss_is_initialized()
+ try:
+ cert = x509.load_certificate_from_file(value)
+ except Exception as e:
+ raise OptionValueError("%s option '%s' is not a valid certificate file" % (opt, value))
+ else:
+ del(cert)
+ if not initialized:
+ nss.nss_shutdown()
+
+ parser.values.ca_cert_file = value
+
+ def kinit_attempts_callback(option, opt, value, parser):
+ if value < 1:
+ raise OptionValueError(
+ "Option %s expects an integer greater than 0."
+ % opt)
+
+ parser.values.kinit_attempts = value
+
+ parser = IPAOptionParser(version=version.VERSION)
+
+ basic_group = OptionGroup(parser, "basic options")
+ basic_group.add_option("--domain", dest="domain", help="domain name")
+ basic_group.add_option("--server", dest="server", help="IPA server", action="append")
+ basic_group.add_option("--realm", dest="realm_name", help="realm name")
+ basic_group.add_option("--fixed-primary", dest="primary", action="store_true",
+ default=False, help="Configure sssd to use fixed server as primary IPA server")
+ basic_group.add_option("-p", "--principal", dest="principal",
+ help="principal to use to join the IPA realm")
+ basic_group.add_option("-w", "--password", dest="password", sensitive=True,
+ help="password to join the IPA realm (assumes bulk "
+ "password unless principal is also set)")
+ basic_group.add_option("-k", "--keytab", dest="keytab",
+ help="path to backed up keytab from previous enrollment")
+ basic_group.add_option("-W", dest="prompt_password", action="store_true",
+ default=False,
+ help="Prompt for a password to join the IPA realm")
+ basic_group.add_option("--mkhomedir", dest="mkhomedir",
+ action="store_true", default=False,
+ help="create home directories for users on their first login")
+ basic_group.add_option("", "--hostname", dest="hostname",
+ help="The hostname of this machine (FQDN). If specified, the hostname will be set and "
+ "the system configuration will be updated to persist over reboot. "
+ "By default a nodename result from uname(2) is used.")
+ basic_group.add_option("", "--force-join", dest="force_join",
+ action="store_true", default=False,
+ help="Force client enrollment even if already enrolled")
+ basic_group.add_option("--ntp-server", dest="ntp_servers", action="append",
+ help="ntp server to use. This option can be used "
+ "multiple times")
+ basic_group.add_option("-N", "--no-ntp", action="store_false",
+ help="do not configure ntp", default=True, dest="conf_ntp")
+ basic_group.add_option("", "--force-ntpd", dest="force_ntpd",
+ action="store_true", default=False,
+ help="Stop and disable any time&date synchronization services besides ntpd")
+ basic_group.add_option("--nisdomain", dest="nisdomain",
+ help="NIS domain name")
+ basic_group.add_option("--no-nisdomain", action="store_true", default=False,
+ help="do not configure NIS domain name",
+ dest="no_nisdomain")
+ basic_group.add_option("--ssh-trust-dns", dest="trust_sshfp", default=False, action="store_true",
+ help="configure OpenSSH client to trust DNS SSHFP records")
+ basic_group.add_option("--no-ssh", dest="conf_ssh", default=True, action="store_false",
+ help="do not configure OpenSSH client")
+ basic_group.add_option("--no-sshd", dest="conf_sshd", default=True, action="store_false",
+ help="do not configure OpenSSH server")
+ basic_group.add_option("--no-sudo", dest="conf_sudo", default=True,
+ action="store_false",
+ help="do not configure SSSD as data source for sudo")
+ basic_group.add_option("--no-dns-sshfp", dest="create_sshfp", default=True, action="store_false",
+ help="do not automatically create DNS SSHFP records")
+ basic_group.add_option("--noac", dest="no_ac", default=False, action="store_true",
+ help="do not modify the nsswitch.conf and PAM configuration")
+ basic_group.add_option("-f", "--force", dest="force", action="store_true",
+ default=False, help="force setting of LDAP/Kerberos conf")
+ basic_group.add_option('--kinit-attempts', dest='kinit_attempts',
+ action='callback', type='int', default=5,
+ callback=kinit_attempts_callback,
+ help=("number of attempts to obtain host TGT"
+ " (defaults to %default)."))
+ basic_group.add_option("-d", "--debug", dest="debug", action="store_true",
+ default=False, help="print debugging information")
+ basic_group.add_option("-U", "--unattended", dest="unattended",
+ action="store_true",
+ help="unattended (un)installation never prompts the user")
+ basic_group.add_option("--ca-cert-file", dest="ca_cert_file",
+ type="string", action="callback", callback=validate_ca_cert_file_option,
+ help="load the CA certificate from this file")
+ basic_group.add_option("--request-cert", dest="request_cert",
+ action="store_true", default=False,
+ help="request certificate for the machine")
+ # --on-master is used in ipa-server-install and ipa-replica-install
+ # only, it isn't meant to be used on clients.
+ basic_group.add_option("--on-master", dest="on_master", action="store_true",
+ help=SUPPRESS_HELP, default=False)
+ basic_group.add_option("--automount-location", dest="location",
+ help="Automount location")
+ basic_group.add_option("--configure-firefox", dest="configure_firefox",
+ action="store_true", default=False,
+ help="configure Firefox to use IPA domain credentials")
+ basic_group.add_option("--firefox-dir", dest="firefox_dir", default=None,
+ help="specify directory where Firefox is installed (for example: '/usr/lib/firefox')")
+ basic_group.add_option("--ip-address", dest="ip_addresses", default=[],
+ action="append", help="Specify IP address that should be added to DNS."
+ " This option can be used multiple times")
+ basic_group.add_option("--all-ip-addresses", dest="all_ip_addresses",
+ default=False, action="store_true", help="All routable IP"
+ " addresses configured on any inteface will be added to DNS")
+ parser.add_option_group(basic_group)
+
+ sssd_group = OptionGroup(parser, "SSSD options")
+ sssd_group.add_option("--permit", dest="permit",
+ action="store_true", default=False,
+ help="disable access rules by default, permit all access.")
+ sssd_group.add_option("", "--enable-dns-updates", dest="dns_updates",
+ action="store_true", default=False,
+ help="Configures the machine to attempt dns updates when the ip address changes.")
+ sssd_group.add_option("--no-krb5-offline-passwords", dest="krb5_offline_passwords",
+ action="store_false", default=True,
+ help="Configure SSSD not to store user password when the server is offline")
+ sssd_group.add_option("-S", "--no-sssd", dest="sssd",
+ action="store_false", default=True,
+ help="Do not configure the client to use SSSD for authentication")
+ sssd_group.add_option("--preserve-sssd", dest="preserve_sssd",
+ action="store_true", default=False,
+ help="Preserve old SSSD configuration if possible")
+ parser.add_option_group(sssd_group)
+
+ uninstall_group = OptionGroup(parser, "uninstall options")
+ uninstall_group.add_option("", "--uninstall", dest="uninstall", action="store_true",
+ default=False, help="uninstall an existing installation. The uninstall can " \
+ "be run with --unattended option")
+ parser.add_option_group(uninstall_group)
+
+ options, args = parser.parse_args()
+ safe_opts = parser.get_safe_opts(options)
+
+ if (options.server and not options.domain):
+ parser.error("--server cannot be used without providing --domain")
+
+ if options.force_ntpd and not options.conf_ntp:
+ parser.error("--force-ntpd cannot be used together with --no-ntp")
+
+ if options.firefox_dir and not options.configure_firefox:
+ parser.error("--firefox-dir cannot be used without --configure-firefox option")
+
+ if options.no_nisdomain and options.nisdomain:
+ parser.error("--no-nisdomain cannot be used together with --nisdomain")
+
+ if options.ip_addresses:
+ if options.dns_updates:
+ parser.error("--ip-address cannot be used together with"
+ " --enable-dns-updates")
+
+ if options.all_ip_addresses:
+ parser.error("--ip-address cannot be used together with"
+ " --all-ip-addresses")
+
+ return safe_opts, options
+
+def logging_setup(options):
+ log_file = paths.IPACLIENT_INSTALL_LOG
+
+ if options.uninstall:
+ log_file = paths.IPACLIENT_UNINSTALL_LOG
+
+ standard_logging_setup(
+ filename=log_file, verbose=True, debug=options.debug,
+ console_format='%(message)s')
+
+
+def remove_file(filename):
+ """
+ Deletes a file. If the file does not exist (OSError 2) does nothing.
+ Otherwise logs an error message and instructs the user to remove the
+ offending file manually
+ :param filename: name of the file to be removed
+ """
+
+ try:
+ os.remove(filename)
+ except OSError as e:
+ if e.errno == 2:
+ return
+
+ root_logger.error("Failed to remove file %s: %s", filename, e)
+ root_logger.error('Please remove %s manually, as it can cause '
+ 'subsequent installation to fail.', filename)
+
+
+def log_service_error(name, action, error):
+ root_logger.error("%s failed to %s: %s", name, action, str(error))
+
+def cert_summary(msg, certs, indent=' '):
+ if msg:
+ s = '%s\n' % msg
+ else:
+ s = ''
+ for cert in certs:
+ s += '%sSubject: %s\n' % (indent, cert.subject)
+ s += '%sIssuer: %s\n' % (indent, cert.issuer)
+ s += '%sValid From: %s\n' % (indent, cert.valid_not_before_str)
+ s += '%sValid Until: %s\n' % (indent, cert.valid_not_after_str)
+ s += '\n'
+ s = s[:-1]
+
+ return s
+
+def get_cert_path(cert_path):
+ """
+ If a CA certificate is passed in on the command line, use that.
+
+ Else if a CA file exists in CACERT then use that.
+
+ Otherwise return None.
+ """
+ if cert_path is not None:
+ return cert_path
+
+ if os.path.exists(CACERT):
+ return CACERT
+
+ return None
+
+
+def save_state(service):
+ enabled = service.is_enabled()
+ running = service.is_running()
+
+ if enabled or running:
+ statestore.backup_state(service.service_name, 'enabled', enabled)
+ statestore.backup_state(service.service_name, 'running', running)
+
+
+def restore_state(service):
+ enabled = statestore.restore_state(service.service_name, 'enabled')
+ running = statestore.restore_state(service.service_name, 'running')
+
+ if enabled:
+ try:
+ service.enable()
+ except Exception:
+ root_logger.warning(
+ "Failed to configure automatic startup of the %s daemon",
+ service.service_name
+ )
+ if running:
+ try:
+ service.start()
+ except Exception:
+ root_logger.warning(
+ "Failed to restart the %s daemon",
+ service.service_name
+ )
+
+
+# Checks whether nss_ldap or nss-pam-ldapd is installed. If anyone of mandatory files was found returns True and list of all files found.
+def nssldap_exists():
+ files_to_check = [{'function':'configure_ldap_conf', 'mandatory':[paths.LDAP_CONF,paths.NSS_LDAP_CONF,paths.LIBNSS_LDAP_CONF], 'optional':[paths.PAM_LDAP_CONF]},
+ {'function':'configure_nslcd_conf', 'mandatory':[paths.NSLCD_CONF]}]
+ files_found = {}
+ retval = False
+
+ for function in files_to_check:
+ files_found[function['function']]=[]
+ for file_type in ['mandatory','optional']:
+ try:
+ for filename in function[file_type]:
+ if file_exists(filename):
+ files_found[function['function']].append(filename)
+ if file_type == 'mandatory':
+ retval = True
+ except KeyError:
+ pass
+
+ return (retval, files_found)
+
+# helper function for uninstall
+# deletes IPA domain from sssd.conf
+def delete_ipa_domain():
+ sssd = services.service('sssd')
+ try:
+ sssdconfig = SSSDConfig.SSSDConfig()
+ sssdconfig.import_config()
+ domains = sssdconfig.list_active_domains()
+
+ ipa_domain_name = None
+
+ for name in domains:
+ domain = sssdconfig.get_domain(name)
+ try:
+ provider = domain.get_option('id_provider')
+ if provider == "ipa":
+ ipa_domain_name = name
+ break
+ except SSSDConfig.NoOptionError:
+ continue
+
+ if ipa_domain_name is not None:
+ sssdconfig.delete_domain(ipa_domain_name)
+ sssdconfig.write()
+ else:
+ root_logger.warning("IPA domain could not be found in "
+ "/etc/sssd/sssd.conf and therefore not deleted")
+ except IOError:
+ root_logger.warning("IPA domain could not be deleted. "
+ "No access to the /etc/sssd/sssd.conf file.")
+
+def is_ipa_client_installed(on_master=False):
+ """
+ Consider IPA client not installed if nothing is backed up
+ and default.conf file does not exist. If on_master is set to True,
+ the existence of default.conf file is not taken into consideration,
+ since it has been already created by ipa-server-install.
+ """
+
+ installed = fstore.has_files() or \
+ (not on_master and os.path.exists(paths.IPA_DEFAULT_CONF))
+
+ return installed
+
+def configure_nsswitch_database(fstore, database, services, preserve=True,
+ append=True, default_value=()):
+ """
+ Edits the specified nsswitch.conf database (e.g. passwd, group, sudoers)
+ to use the specified service(s).
+
+ Arguments:
+ fstore - FileStore to backup the nsswitch.conf
+ database - database configuration that should be ammended, e.g 'sudoers'
+ service - list of services that should be added, e.g. ['sss']
+ preserve - if True, the already configured services will be preserved
+
+ The next arguments modify the behaviour if preserve=True:
+ append - if True, the services will be appended, if False, prepended
+ default_value - list of services that are considered as default (if
+ the database is not mentioned in nsswitch.conf), e.g.
+ ['files']
+ """
+
+ # Backup the original version of nsswitch.conf, we're going to edit it now
+ if not fstore.has_file(paths.NSSWITCH_CONF):
+ fstore.backup_file(paths.NSSWITCH_CONF)
+
+ conf = ipaclient.ipachangeconf.IPAChangeConf("IPA Installer")
+ conf.setOptionAssignment(':')
+
+ if preserve:
+ # Read the existing configuration
+ with open(paths.NSSWITCH_CONF, 'r') as f:
+ opts = conf.parse(f)
+ raw_database_entry = conf.findOpts(opts, 'option', database)[1]
+
+ # Detect the list of already configured services
+ if not raw_database_entry:
+ # If there is no database entry, database is not present in
+ # the nsswitch.conf. Set the list of services to the
+ # default list, if passed.
+ configured_services = list(default_value)
+ else:
+ configured_services = raw_database_entry['value'].strip().split()
+
+ # Make sure no service is added if already mentioned in the list
+ added_services = [s for s in services
+ if s not in configured_services]
+
+ # Prepend / append the list of new services
+ if append:
+ new_value = ' ' + ' '.join(configured_services + added_services)
+ else:
+ new_value = ' ' + ' '.join(added_services + configured_services)
+
+ else:
+ # Preserve not set, let's rewrite existing configuration
+ new_value = ' ' + ' '.join(services)
+
+ # Set new services as sources for database
+ opts = [{'name': database,
+ 'type':'option',
+ 'action':'set',
+ 'value': new_value
+ },
+ {'name':'empty',
+ 'type':'empty'
+ }]
+
+ conf.changeConf(paths.NSSWITCH_CONF, opts)
+ root_logger.info("Configured %s in %s" % (database, paths.NSSWITCH_CONF))
+
+
+def uninstall(options, env):
+
+ if not is_ipa_client_installed():
+ root_logger.error("IPA client is not configured on this system.")
+ return CLIENT_NOT_CONFIGURED
+
+ server_fstore = sysrestore.FileStore(paths.SYSRESTORE)
+ if server_fstore.has_files() and not options.on_master:
+ root_logger.error(
+ "IPA client is configured as a part of IPA server on this system.")
+ root_logger.info("Refer to ipa-server-install for uninstallation.")
+ return CLIENT_NOT_CONFIGURED
+
+ try:
+ run(["ipa-client-automount", "--uninstall", "--debug"])
+ except Exception as e:
+ root_logger.error(
+ "Unconfigured automount client failed: %s", str(e))
+
+ # Reload the state as automount unconfigure may have modified it
+ fstore._load()
+ statestore._load()
+
+ hostname = None
+ ipa_domain = None
+ was_sssd_configured = False
+ try:
+ sssdconfig = SSSDConfig.SSSDConfig()
+ sssdconfig.import_config()
+ domains = sssdconfig.list_active_domains()
+ all_domains = sssdconfig.list_domains()
+
+ # we consider all the domains, because handling sssd.conf
+ # during uninstall is dependant on was_sssd_configured flag
+ # so the user does not lose info about inactive domains
+ if len(all_domains) > 1:
+ # There was more than IPA domain configured
+ was_sssd_configured = True
+ for name in domains:
+ domain = sssdconfig.get_domain(name)
+ try:
+ provider = domain.get_option('id_provider')
+ except SSSDConfig.NoOptionError:
+ continue
+ if provider == "ipa":
+ try:
+ hostname = domain.get_option('ipa_hostname')
+ except SSSDConfig.NoOptionError:
+ continue
+ try:
+ ipa_domain = domain.get_option('ipa_domain')
+ except SSSDConfig.NoOptionError:
+ pass
+ except Exception as e:
+ # We were unable to read existing SSSD config. This might mean few things:
+ # - sssd wasn't installed
+ # - sssd was removed after install and before uninstall
+ # - there are no active domains
+ # in both cases we cannot continue with SSSD
+ pass
+
+ if hostname is None:
+ hostname = socket.getfqdn()
+
+ ipa_db = certdb.NSSDatabase(paths.IPA_NSSDB_DIR)
+ sys_db = certdb.NSSDatabase(paths.NSS_DB_DIR)
+
+ cmonger = services.knownservices.certmonger
+ if ipa_db.has_nickname('Local IPA host'):
+ try:
+ certmonger.stop_tracking(paths.IPA_NSSDB_DIR,
+ nickname='Local IPA host')
+ except RuntimeError as e:
+ root_logger.error("%s failed to stop tracking certificate: %s",
+ cmonger.service_name, e)
+
+ client_nss_nickname = 'IPA Machine Certificate - %s' % hostname
+ if sys_db.has_nickname(client_nss_nickname):
+ try:
+ certmonger.stop_tracking(paths.NSS_DB_DIR,
+ nickname=client_nss_nickname)
+ except RuntimeError as e:
+ root_logger.error("%s failed to stop tracking certificate: %s",
+ cmonger.service_name, e)
+
+ # Remove our host cert and CA cert
+ try:
+ ipa_certs = ipa_db.list_certs()
+ except CalledProcessError as e:
+ root_logger.error(
+ "Failed to list certificates in %s: %s", ipa_db.secdir, e)
+ ipa_certs = []
+
+ for filename in (os.path.join(ipa_db.secdir, 'cert8.db'),
+ os.path.join(ipa_db.secdir, 'key3.db'),
+ os.path.join(ipa_db.secdir, 'secmod.db'),
+ os.path.join(ipa_db.secdir, 'pwdfile.txt')):
+ remove_file(filename)
+
+ for nickname, trust_flags in ipa_certs:
+ while sys_db.has_nickname(nickname):
+ try:
+ sys_db.delete_cert(nickname)
+ except Exception as e:
+ root_logger.error("Failed to remove %s from %s: %s",
+ nickname, sys_db.secdir, e)
+ break
+
+ # Remove any special principal names we added to the IPA CA helper
+ certmonger.remove_principal_from_cas()
+
+ try:
+ cmonger.stop()
+ except Exception as e:
+ log_service_error(cmonger.service_name, 'stop', e)
+
+ try:
+ cmonger.disable()
+ except Exception as e:
+ root_logger.error(
+ "Failed to disable automatic startup of the %s service: %s",
+ cmonger.service_name, str(e))
+
+ if not options.on_master and os.path.exists(paths.IPA_DEFAULT_CONF):
+ root_logger.info("Unenrolling client from IPA server")
+ join_args = [paths.SBIN_IPA_JOIN, "--unenroll", "-h", hostname]
+ if options.debug:
+ join_args.append("-d")
+ env['XMLRPC_TRACE_CURL'] = 'yes'
+ result = run(join_args, raiseonerr=False, env=env)
+ if result.returncode != 0:
+ root_logger.error("Unenrolling host failed: %s", result.error_log)
+
+ if os.path.exists(paths.IPA_DEFAULT_CONF):
+ root_logger.info(
+ "Removing Kerberos service principals from /etc/krb5.keytab")
+ try:
+ parser = RawConfigParser()
+ fp = open(paths.IPA_DEFAULT_CONF, 'r')
+ parser.readfp(fp)
+ fp.close()
+ realm = parser.get('global', 'realm')
+ run([paths.IPA_RMKEYTAB, "-k", paths.KRB5_KEYTAB, "-r", realm])
+ except Exception as e:
+ root_logger.error(
+ "Failed to remove Kerberos service principals: %s", str(e))
+
+ root_logger.info("Disabling client Kerberos and LDAP configurations")
+ was_sssd_installed = False
+ was_sshd_configured = False
+ if fstore.has_files():
+ was_sssd_installed = fstore.has_file(paths.SSSD_CONF)
+
+ sshd_config = os.path.join(services.knownservices.sshd.get_config_dir(), "sshd_config")
+ was_sshd_configured = fstore.has_file(sshd_config)
+ try:
+ tasks.restore_pre_ipa_client_configuration(fstore,
+ statestore,
+ was_sssd_installed,
+ was_sssd_configured)
+ except Exception as e:
+ root_logger.error(
+ "Failed to remove krb5/LDAP configuration: %s", str(e))
+ return CLIENT_INSTALL_ERROR
+
+ # Clean up the SSSD cache before SSSD service is stopped or restarted
+ remove_file(paths.SSSD_MC_GROUP)
+ remove_file(paths.SSSD_MC_PASSWD)
+
+ if ipa_domain:
+ sssd_domain_ldb = "cache_" + ipa_domain + ".ldb"
+ sssd_ldb_file = os.path.join(paths.SSSD_DB, sssd_domain_ldb)
+ remove_file(sssd_ldb_file)
+
+ sssd_domain_ccache = "ccache_" + ipa_domain.upper()
+ sssd_ccache_file = os.path.join(paths.SSSD_DB, sssd_domain_ccache)
+ remove_file(sssd_ccache_file)
+
+ # Next if-elif-elif construction deals with sssd.conf file.
+ # Old pre-IPA domains are preserved due merging the old sssd.conf
+ # during the installation of ipa-client but any new domains are
+ # only present in sssd.conf now, so we don't want to delete them
+ # by rewriting sssd.conf file. IPA domain is removed gracefully.
+
+ # SSSD was installed before our installation and other non-IPA domains
+ # found, restore backed up sssd.conf to sssd.conf.bkp and remove IPA
+ # domain from the current sssd.conf
+ if was_sssd_installed and was_sssd_configured:
+ root_logger.info(
+ "The original configuration of SSSD included other domains than " +
+ "the IPA-based one.")
+
+ delete_ipa_domain()
+
+
+ restored = False
+ try:
+ restored = fstore.restore_file(paths.SSSD_CONF,paths.SSSD_CONF_BKP)
+ except OSError:
+ root_logger.debug("Error while restoring pre-IPA /etc/sssd/sssd.conf.")
+
+ if restored:
+ root_logger.info("Original pre-IPA SSSD configuration file was "
+ "restored to /etc/sssd/sssd.conf.bkp.")
+
+ root_logger.info("IPA domain removed from current one, " +
+ "restarting SSSD service")
+ sssd = services.service('sssd')
+ try:
+ sssd.restart()
+ except CalledProcessError:
+ root_logger.warning("SSSD service restart was unsuccessful.")
+
+ # SSSD was not installed before our installation, but other domains found,
+ # delete IPA domain, but leave other domains intact
+ elif not was_sssd_installed and was_sssd_configured:
+ delete_ipa_domain()
+ root_logger.info("Other domains than IPA domain found, " +
+ "IPA domain was removed from /etc/sssd/sssd.conf.")
+
+ sssd = services.service('sssd')
+ try:
+ sssd.restart()
+ except CalledProcessError:
+ root_logger.warning("SSSD service restart was unsuccessful.")
+
+ # SSSD was not installed before our installation, and no other domains
+ # than IPA are configured in sssd.conf - make sure config file is removed
+ elif not was_sssd_installed and not was_sssd_configured:
+ try:
+ os.rename(paths.SSSD_CONF,paths.SSSD_CONF_DELETED)
+ except OSError:
+ root_logger.debug("Error while moving /etc/sssd/sssd.conf to %s" %
+ paths.SSSD_CONF_DELETED)
+
+ root_logger.info("Redundant SSSD configuration file " +
+ "/etc/sssd/sssd.conf was moved to /etc/sssd/sssd.conf.deleted")
+
+ sssd = services.service('sssd')
+ try:
+ sssd.stop()
+ except CalledProcessError:
+ root_logger.warning("SSSD service could not be stopped")
+
+ try:
+ sssd.disable()
+ except CalledProcessError as e:
+ root_logger.warning(
+ "Failed to disable automatic startup of the SSSD daemon: %s", e)
+
+ if fstore.has_files():
+ root_logger.info("Restoring client configuration files")
+ tasks.restore_network_configuration(fstore, statestore)
+ fstore.restore_all_files()
+
+ ipautil.restore_hostname(statestore)
+ unconfigure_nisdomain()
+
+ nscd = services.knownservices.nscd
+ nslcd = services.knownservices.nslcd
+
+ for service in (nscd, nslcd):
+ if service.is_installed():
+ restore_state(service)
+ else:
+ # this is an optional service, just log
+ root_logger.info(
+ "%s daemon is not installed, skip configuration",
+ service.service_name
+ )
+
+ ntp_configured = statestore.has_state('ntp')
+ if ntp_configured:
+ ntp_enabled = statestore.restore_state('ntp', 'enabled')
+ ntp_step_tickers = statestore.restore_state('ntp', 'step-tickers')
+ restored = False
+
+ try:
+ # Restore might fail due to file missing in backup
+ # the reason for it might be that freeipa-client was updated
+ # to this version but not unenrolled/enrolled again
+ # In such case it is OK to fail
+ restored = fstore.restore_file(paths.NTP_CONF)
+ restored |= fstore.restore_file(paths.SYSCONFIG_NTPD)
+ if ntp_step_tickers:
+ restored |= fstore.restore_file(paths.NTP_STEP_TICKERS)
+ except Exception:
+ pass
+
+ if not ntp_enabled:
+ services.knownservices.ntpd.stop()
+ services.knownservices.ntpd.disable()
+ else:
+ if restored:
+ services.knownservices.ntpd.restart()
+
+ try:
+ ipaclient.ntpconf.restore_forced_ntpd(statestore)
+ except CalledProcessError as e:
+ root_logger.error('Failed to start chronyd: %s', e)
+
+ if was_sshd_configured and services.knownservices.sshd.is_running():
+ services.knownservices.sshd.restart()
+
+ # Remove the Firefox configuration
+ if statestore.has_state('firefox'):
+ root_logger.info("Removing Firefox configuration.")
+ preferences_fname = statestore.restore_state('firefox', 'preferences_fname')
+ if preferences_fname is not None:
+ if file_exists(preferences_fname):
+ try:
+ os.remove(preferences_fname)
+ except Exception as e:
+ root_logger.warning("'%s' could not be removed: %s." % preferences_fname, str(e))
+ root_logger.warning("Please remove file '%s' manually." % preferences_fname)
+
+ rv = 0
+
+ if fstore.has_files():
+ root_logger.error('Some files have not been restored, see %s' %
+ paths.SYSRESTORE_INDEX)
+ has_state = False
+ for module in statestore.modules.keys():
+ root_logger.error('Some installation state for %s has not been '
+ 'restored, see /var/lib/ipa/sysrestore/sysrestore.state',
+ module)
+ has_state = True
+ rv = 1
+
+ if has_state:
+ root_logger.warning(
+ 'Some installation state has not been restored.\n'
+ 'This may cause re-installation to fail.\n'
+ 'It should be safe to remove /var/lib/ipa-client/sysrestore.state '
+ 'but it may\n mean your system hasn\'t been restored '
+ 'to its pre-installation state.')
+
+ # Remove the IPA configuration file
+ remove_file(paths.IPA_DEFAULT_CONF)
+
+ # Remove the CA cert from the systemwide certificate store
+ tasks.remove_ca_certs_from_systemwide_ca_store()
+
+ # Remove the CA cert
+ remove_file(CACERT)
+
+ root_logger.info("Client uninstall complete.")
+
+ # The next block of code prompts for reboot, therefore all uninstall
+ # logic has to be done before
+
+ if not options.unattended:
+ root_logger.info(
+ "The original nsswitch.conf configuration has been restored.")
+ root_logger.info(
+ "You may need to restart services or reboot the machine.")
+ if not options.on_master:
+ if user_input("Do you want to reboot the machine?", False):
+ try:
+ run([paths.SBIN_REBOOT])
+ except Exception as e:
+ root_logger.error(
+ "Reboot command failed to exceute: %s", str(e))
+ return CLIENT_UNINSTALL_ERROR
+
+ # IMPORTANT: Do not put any client uninstall logic after the block above
+
+ return rv
+
+def configure_ipa_conf(fstore, cli_basedn, cli_realm, cli_domain, cli_server, hostname):
+ ipaconf = ipaclient.ipachangeconf.IPAChangeConf("IPA Installer")
+ ipaconf.setOptionAssignment(" = ")
+ ipaconf.setSectionNameDelimiters(("[","]"))
+
+ opts = [{'name':'comment', 'type':'comment', 'value':'File modified by ipa-client-install'},
+ {'name':'empty', 'type':'empty'}]
+
+ #[global]
+ defopts = [{'name':'basedn', 'type':'option', 'value':cli_basedn},
+ {'name':'realm', 'type':'option', 'value':cli_realm},
+ {'name':'domain', 'type':'option', 'value':cli_domain},
+ {'name':'server', 'type':'option', 'value':cli_server[0]},
+ {'name':'host', 'type':'option', 'value':hostname},
+ {'name':'xmlrpc_uri', 'type':'option', 'value':'https://%s/ipa/xml' % ipautil.format_netloc(cli_server[0])},
+ {'name':'enable_ra', 'type':'option', 'value':'True'}]
+
+ opts.append({'name':'global', 'type':'section', 'value':defopts})
+ opts.append({'name':'empty', 'type':'empty'})
+
+ target_fname = paths.IPA_DEFAULT_CONF
+ fstore.backup_file(target_fname)
+ ipaconf.newConf(target_fname, opts)
+ os.chmod(target_fname, 0o644)
+
+ return 0
+
+
+def disable_ra():
+ """Set the enable_ra option in /etc/ipa/default.conf to False
+
+ Note that api.env will retain the old value (it is readonly).
+ """
+ parser = RawConfigParser()
+ parser.read(paths.IPA_DEFAULT_CONF)
+ parser.set('global', 'enable_ra', 'False')
+ fp = open(paths.IPA_DEFAULT_CONF, 'w')
+ parser.write(fp)
+ fp.close()
+
+
+def configure_ldap_conf(fstore, cli_basedn, cli_realm, cli_domain, cli_server, dnsok, options, files):
+ ldapconf = ipaclient.ipachangeconf.IPAChangeConf("IPA Installer")
+ ldapconf.setOptionAssignment(" ")
+
+ opts = [{'name':'comment', 'type':'comment', 'value':'File modified by ipa-client-install'},
+ {'name':'empty', 'type':'empty'},
+ {'name':'ldap_version', 'type':'option', 'value':'3'},
+ {'name':'base', 'type':'option', 'value':cli_basedn},
+ {'name':'empty', 'type':'empty'},
+ {'name':'nss_base_passwd', 'type':'option', 'value':str(DN(('cn', 'users'), ('cn', 'accounts'), cli_basedn))+'?sub'},
+ {'name':'nss_base_group', 'type':'option', 'value':str(DN(('cn', 'groups'), ('cn', 'accounts'), cli_basedn))+'?sub'},
+ {'name':'nss_schema', 'type':'option', 'value':'rfc2307bis'},
+ {'name':'nss_map_attribute', 'type':'option', 'value':'uniqueMember member'},
+ {'name':'nss_initgroups_ignoreusers', 'type':'option', 'value':'root,dirsrv'},
+ {'name':'empty', 'type':'empty'},
+ {'name':'nss_reconnect_maxsleeptime', 'type':'option', 'value':'8'},
+ {'name':'nss_reconnect_sleeptime', 'type':'option', 'value':'1'},
+ {'name':'bind_timelimit', 'type':'option', 'value':'5'},
+ {'name':'timelimit', 'type':'option', 'value':'15'},
+ {'name':'empty', 'type':'empty'}]
+ if not dnsok or options.force or options.on_master:
+ if options.on_master:
+ opts.append({'name':'uri', 'type':'option', 'value':'ldap://localhost'})
+ else:
+ opts.append({'name':'uri', 'type':'option', 'value':'ldap://'+ipautil.format_netloc(cli_server[0])})
+ else:
+ opts.append({'name':'nss_srv_domain', 'type':'option', 'value':cli_domain})
+
+ opts.append({'name':'empty', 'type':'empty'})
+
+ # Depending on the release and distribution this may exist in any
+ # number of different file names, update what we find
+ for filename in files:
+ try:
+ fstore.backup_file(filename)
+ ldapconf.newConf(filename, opts)
+ except Exception as e:
+ root_logger.error("Creation of %s failed: %s", filename, str(e))
+ return (1, 'LDAP', filename)
+
+ if files:
+ return (0, 'LDAP', ', '.join(files))
+
+ return 0, None, None
+
+def configure_nslcd_conf(fstore, cli_basedn, cli_realm, cli_domain, cli_server, dnsok, options, files):
+ nslcdconf = ipaclient.ipachangeconf.IPAChangeConf("IPA Installer")
+ nslcdconf.setOptionAssignment(" ")
+
+ opts = [{'name':'comment', 'type':'comment', 'value':'File modified by ipa-client-install'},
+ {'name':'empty', 'type':'empty'},
+ {'name':'ldap_version', 'type':'option', 'value':'3'},
+ {'name':'base', 'type':'option', 'value':cli_basedn},
+ {'name':'empty', 'type':'empty'},
+ {'name':'base passwd', 'type':'option', 'value':str(DN(('cn', 'users'), ('cn', 'accounts'), cli_basedn))},
+ {'name':'base group', 'type':'option', 'value':str(DN(('cn', 'groups'), ('cn', 'accounts'), cli_basedn))},
+ {'name':'timelimit', 'type':'option', 'value':'15'},
+ {'name':'empty', 'type':'empty'}]
+ if not dnsok or options.force or options.on_master:
+ if options.on_master:
+ opts.append({'name':'uri', 'type':'option', 'value':'ldap://localhost'})
+ else:
+ opts.append({'name':'uri', 'type':'option', 'value':'ldap://'+ipautil.format_netloc(cli_server[0])})
+ else:
+ opts.append({'name':'uri', 'type':'option', 'value':'DNS'})
+
+ opts.append({'name':'empty', 'type':'empty'})
+
+ for filename in files:
+ try:
+ fstore.backup_file(filename)
+ nslcdconf.newConf(filename, opts)
+ except Exception as e:
+ root_logger.error("Creation of %s failed: %s", filename, str(e))
+ return (1, None, None)
+
+ nslcd = services.knownservices.nslcd
+ if nslcd.is_installed():
+ try:
+ nslcd.restart()
+ except Exception as e:
+ log_service_error(nslcd.service_name, 'restart', e)
+
+ try:
+ nslcd.enable()
+ except Exception as e:
+ root_logger.error(
+ "Failed to enable automatic startup of the %s daemon: %s",
+ nslcd.service_name, str(e))
+ else:
+ root_logger.debug("%s daemon is not installed, skip configuration",
+ nslcd.service_name)
+ return (0, None, None)
+
+ return (0, 'NSLCD', ', '.join(files))
+
+def configure_openldap_conf(fstore, cli_basedn, cli_server):
+ ldapconf = ipaclient.ipachangeconf.IPAChangeConf("IPA Installer")
+ ldapconf.setOptionAssignment((" ", "\t"))
+
+ opts = [{'name':'comment', 'type':'comment',
+ 'value':' File modified by ipa-client-install'},
+ {'name':'empty', 'type':'empty'},
+ {'name':'comment', 'type':'comment',
+ 'value':' We do not want to break your existing configuration, '
+ 'hence:'},
+ # this needs to be kept updated if we change more options
+ {'name':'comment', 'type':'comment',
+ 'value':' URI, BASE and TLS_CACERT have been added if they '
+ 'were not set.'},
+ {'name':'comment', 'type':'comment',
+ 'value':' In case any of them were set, a comment with '
+ 'trailing note'},
+ {'name':'comment', 'type':'comment',
+ 'value':' "# modified by IPA" note has been inserted.'},
+ {'name':'comment', 'type':'comment',
+ 'value':' To use IPA server with openLDAP tools, please comment '
+ 'out your'},
+ {'name':'comment', 'type':'comment',
+ 'value':' existing configuration for these options and '
+ 'uncomment the'},
+ {'name':'comment', 'type':'comment',
+ 'value':' corresponding lines generated by IPA.'},
+ {'name':'empty', 'type':'empty'},
+ {'name':'empty', 'type':'empty'},
+ {'action':'addifnotset', 'name':'URI', 'type':'option',
+ 'value':'ldaps://'+ cli_server[0]},
+ {'action':'addifnotset', 'name':'BASE', 'type':'option',
+ 'value':str(cli_basedn)},
+ {'action':'addifnotset', 'name':'TLS_CACERT', 'type':'option',
+ 'value':CACERT},]
+
+ target_fname = paths.OPENLDAP_LDAP_CONF
+ fstore.backup_file(target_fname)
+
+ error_msg = "Configuring {path} failed with: {err}"
+
+ try:
+ ldapconf.changeConf(target_fname, opts)
+ except SyntaxError as e:
+ root_logger.info("Could not parse {path}".format(path=target_fname))
+ root_logger.debug(error_msg.format(path=target_fname, err=str(e)))
+ return False
+ except IOError as e :
+ root_logger.info("{path} does not exist.".format(path=target_fname))
+ root_logger.debug(error_msg.format(path=target_fname, err=str(e)))
+ return False
+ except Exception as e: # we do not want to fail in an optional step
+ root_logger.debug(error_msg.format(path=target_fname, err=str(e)))
+ return False
+
+ os.chmod(target_fname, 0o644)
+ return True
+
+def hardcode_ldap_server(cli_server):
+ """
+ DNS Discovery didn't return a valid IPA server, hardcode a value into
+ the file instead.
+ """
+ if not file_exists(paths.LDAP_CONF):
+ return
+
+ ldapconf = ipaclient.ipachangeconf.IPAChangeConf("IPA Installer")
+ ldapconf.setOptionAssignment(" ")
+
+ opts = [{'name':'uri', 'type':'option', 'action':'set', 'value':'ldap://'+ipautil.format_netloc(cli_server[0])},
+ {'name':'empty', 'type':'empty'}]
+
+ # Errors raised by this should be caught by the caller
+ ldapconf.changeConf(paths.LDAP_CONF, opts)
+ root_logger.info("Changed configuration of /etc/ldap.conf to use " +
+ "hardcoded server name: %s", cli_server[0])
+
+ return
+
+def configure_krb5_conf(cli_realm, cli_domain, cli_server, cli_kdc, dnsok,
+ options, filename, client_domain):
+
+ krbconf = ipaclient.ipachangeconf.IPAChangeConf("IPA Installer")
+ krbconf.setOptionAssignment((" = ", " "))
+ krbconf.setSectionNameDelimiters(("[","]"))
+ krbconf.setSubSectionDelimiters(("{","}"))
+ krbconf.setIndent((""," "," "))
+
+ opts = [{'name':'comment', 'type':'comment', 'value':'File modified by ipa-client-install'},
+ {'name':'empty', 'type':'empty'}]
+
+ # SSSD include dir
+ if options.sssd:
+ opts.append({'name':'includedir', 'type':'option', 'value':paths.SSSD_PUBCONF_KRB5_INCLUDE_D_DIR, 'delim':' '})
+ opts.append({'name':'empty', 'type':'empty'})
+
+ #[libdefaults]
+ libopts = [{'name':'default_realm', 'type':'option', 'value':cli_realm}]
+ if not dnsok or not cli_kdc or options.force:
+ libopts.append({'name':'dns_lookup_realm', 'type':'option', 'value':'false'})
+ libopts.append({'name':'dns_lookup_kdc', 'type':'option', 'value':'false'})
+ else:
+ libopts.append({'name':'dns_lookup_realm', 'type':'option', 'value':'true'})
+ libopts.append({'name':'dns_lookup_kdc', 'type':'option', 'value':'true'})
+ libopts.append({'name':'rdns', 'type':'option', 'value':'false'})
+ libopts.append({'name':'ticket_lifetime', 'type':'option', 'value':'24h'})
+ libopts.append({'name':'forwardable', 'type':'option', 'value':'yes'})
+ libopts.append({'name':'udp_preference_limit', 'type':'option', 'value':'0'})
+
+ # Configure KEYRING CCACHE if supported
+ if kernel_keyring.is_persistent_keyring_supported():
+ root_logger.debug("Enabling persistent keyring CCACHE")
+ libopts.append({'name':'default_ccache_name', 'type':'option',
+ 'value':'KEYRING:persistent:%{uid}'})
+
+ opts.append({'name':'libdefaults', 'type':'section', 'value':libopts})
+ opts.append({'name':'empty', 'type':'empty'})
+
+ #the following are necessary only if DNS discovery does not work
+ kropts = []
+ if not dnsok or not cli_kdc or options.force:
+ #[realms]
+ for server in cli_server:
+ kropts.append({'name':'kdc', 'type':'option', 'value':ipautil.format_netloc(server, 88)})
+ kropts.append({'name':'master_kdc', 'type':'option', 'value':ipautil.format_netloc(server, 88)})
+ kropts.append({'name':'admin_server', 'type':'option', 'value':ipautil.format_netloc(server, 749)})
+ kropts.append({'name': 'kpasswd_server',
+ 'type': 'option',
+ 'value': ipautil.format_netloc(server, 464)
+ })
+ kropts.append({'name':'default_domain', 'type':'option', 'value':cli_domain})
+ kropts.append({'name':'pkinit_anchors', 'type':'option', 'value':'FILE:%s' % CACERT})
+ ropts = [{'name':cli_realm, 'type':'subsection', 'value':kropts}]
+
+ opts.append({'name':'realms', 'type':'section', 'value':ropts})
+ opts.append({'name':'empty', 'type':'empty'})
+
+ #[domain_realm]
+ dropts = [{'name':'.'+cli_domain, 'type':'option', 'value':cli_realm},
+ {'name':cli_domain, 'type':'option', 'value':cli_realm}]
+
+ #add client domain mapping if different from server domain
+ if cli_domain != client_domain:
+ dropts.append({'name':'.'+client_domain, 'type':'option', 'value':cli_realm})
+ dropts.append({'name':client_domain, 'type':'option', 'value':cli_realm})
+
+ opts.append({'name':'domain_realm', 'type':'section', 'value':dropts})
+ opts.append({'name':'empty', 'type':'empty'})
+
+ root_logger.debug("Writing Kerberos configuration to %s:", filename)
+ root_logger.debug("%s", krbconf.dump(opts))
+
+ krbconf.newConf(filename, opts)
+ os.chmod(filename, 0o644)
+
+ return 0
+
+def configure_certmonger(fstore, subject_base, cli_realm, hostname, options,
+ ca_enabled):
+ if not options.request_cert:
+ return
+
+ if not ca_enabled:
+ root_logger.warning(
+ "An RA is not configured on the server. "
+ "Not requesting host certificate.")
+ return
+
+ principal = 'host/%s@%s' % (hostname, cli_realm)
+
+ if options.hostname:
+ # If the hostname is explicitly set then we need to tell certmonger
+ # which principal name to use when requesting certs.
+ certmonger.add_principal_to_cas(principal)
+
+ cmonger = services.knownservices.certmonger
+ try:
+ cmonger.enable()
+ except Exception as e:
+ root_logger.error(
+ "Failed to configure automatic startup of the %s daemon: %s",
+ cmonger.service_name, str(e))
+ root_logger.warning(
+ "Automatic certificate management will not be available")
+
+ # Request our host cert
+ subject = str(DN(('CN', hostname), subject_base))
+ passwd_fname = os.path.join(paths.IPA_NSSDB_DIR, 'pwdfile.txt')
+ try:
+ certmonger.request_cert(nssdb=paths.IPA_NSSDB_DIR,
+ nickname='Local IPA host',
+ subject=subject,
+ principal=principal,
+ passwd_fname=passwd_fname)
+ except Exception:
+ root_logger.error("%s request for host certificate failed",
+ cmonger.service_name)
+
+def configure_sssd_conf(fstore, cli_realm, cli_domain, cli_server, options, client_domain, client_hostname):
+ try:
+ sssdconfig = SSSDConfig.SSSDConfig()
+ sssdconfig.import_config()
+ except Exception as e:
+ if os.path.exists(paths.SSSD_CONF) and options.preserve_sssd:
+ # SSSD config is in place but we are unable to read it
+ # In addition, we are instructed to preserve it
+ # This all means we can't use it and have to bail out
+ root_logger.error(
+ "SSSD config exists but cannot be parsed: %s", str(e))
+ root_logger.error(
+ "Was instructed to preserve existing SSSD config")
+ root_logger.info("Correct errors in /etc/sssd/sssd.conf and " +
+ "re-run installation")
+ return 1
+
+ # SSSD configuration does not exist or we are not asked to preserve it, create new one
+ # We do make new SSSDConfig instance because IPAChangeConf-derived classes have no
+ # means to reset their state and ParseError exception could come due to parsing
+ # error from older version which cannot be upgraded anymore, leaving sssdconfig
+ # instance practically unusable
+ # Note that we already backed up sssd.conf before going into this routine
+ if isinstance(e, IOError):
+ pass
+ else:
+ # It was not IOError so it must have been parsing error
+ root_logger.error("Unable to parse existing SSSD config. " +
+ "As option --preserve-sssd was not specified, new config " +
+ "will override the old one.")
+ root_logger.info("The old /etc/sssd/sssd.conf is backed up and " +
+ "will be restored during uninstall.")
+ root_logger.info("New SSSD config will be created")
+ sssdconfig = SSSDConfig.SSSDConfig()
+ sssdconfig.new_config()
+
+ try:
+ domain = sssdconfig.new_domain(cli_domain)
+ except SSSDConfig.DomainAlreadyExistsError:
+ root_logger.info("Domain %s is already configured in existing SSSD " +
+ "config, creating a new one.", cli_domain)
+ root_logger.info("The old /etc/sssd/sssd.conf is backed up and will " +
+ "be restored during uninstall.")
+ sssdconfig = SSSDConfig.SSSDConfig()
+ sssdconfig.new_config()
+ domain = sssdconfig.new_domain(cli_domain)
+
+ ssh_dir = services.knownservices.sshd.get_config_dir()
+ ssh_config = os.path.join(ssh_dir, 'ssh_config')
+ sshd_config = os.path.join(ssh_dir, 'sshd_config')
+
+ if (options.conf_ssh and file_exists(ssh_config)) or (options.conf_sshd and file_exists(sshd_config)):
+ try:
+ sssdconfig.new_service('ssh')
+ except SSSDConfig.ServiceAlreadyExists:
+ pass
+ except SSSDConfig.ServiceNotRecognizedError:
+ root_logger.error("Unable to activate the SSH service in SSSD config.")
+ root_logger.info(
+ "Please make sure you have SSSD built with SSH support installed.")
+ root_logger.info(
+ "Configure SSH support manually in /etc/sssd/sssd.conf.")
+
+ sssdconfig.activate_service('ssh')
+
+ if options.conf_sudo:
+ # Activate the service in the SSSD config
+ try:
+ sssdconfig.new_service('sudo')
+ except SSSDConfig.ServiceAlreadyExists:
+ pass
+ except SSSDConfig.ServiceNotRecognizedError:
+ root_logger.error("Unable to activate the SUDO service in "
+ "SSSD config.")
+
+ sssdconfig.activate_service('sudo')
+ configure_nsswitch_database(fstore, 'sudoers', ['sss'],
+ default_value=['files'])
+
+ domain.add_provider('ipa', 'id')
+
+ #add discovery domain if client domain different from server domain
+ #do not set this config in server mode (#3947)
+ if not options.on_master and cli_domain != client_domain:
+ domain.set_option('dns_discovery_domain', cli_domain)
+
+ if not options.on_master:
+ if options.primary:
+ domain.set_option('ipa_server', ', '.join(cli_server))
+ else:
+ domain.set_option('ipa_server', '_srv_, %s' % ', '.join(cli_server))
+ else:
+ domain.set_option('ipa_server_mode', 'True')
+ # the master should only use itself for Kerberos
+ domain.set_option('ipa_server', cli_server[0])
+
+ # increase memcache timeout to 10 minutes when in server mode
+ try:
+ nss_service = sssdconfig.get_service('nss')
+ except SSSDConfig.NoServiceError:
+ nss_service = sssdconfig.new_service('nss')
+
+ nss_service.set_option('memcache_timeout', 600)
+ sssdconfig.save_service(nss_service)
+
+ domain.set_option('ipa_domain', cli_domain)
+ domain.set_option('ipa_hostname', client_hostname)
+ if cli_domain.lower() != cli_realm.lower():
+ domain.set_option('krb5_realm', cli_realm)
+
+ # Might need this if /bin/hostname doesn't return a FQDN
+ #domain.set_option('ipa_hostname', 'client.example.com')
+
+ domain.add_provider('ipa', 'auth')
+ domain.add_provider('ipa', 'chpass')
+ if not options.permit:
+ domain.add_provider('ipa', 'access')
+ else:
+ domain.add_provider('permit', 'access')
+
+ domain.set_option('cache_credentials', True)
+
+ # SSSD will need TLS for checking if ipaMigrationEnabled attribute is set
+ # Note that SSSD will force StartTLS because the channel is later used for
+ # authentication as well if password migration is enabled. Thus set the option
+ # unconditionally.
+ domain.set_option('ldap_tls_cacert', CACERT)
+
+ if options.dns_updates:
+ domain.set_option('dyndns_update', True)
+ if options.all_ip_addresses:
+ domain.set_option('dyndns_iface', '*')
+ else:
+ iface = get_server_connection_interface(cli_server[0])
+ domain.set_option('dyndns_iface', iface)
+ if options.krb5_offline_passwords:
+ domain.set_option('krb5_store_password_if_offline', True)
+
+ domain.set_active(True)
+
+ sssdconfig.save_domain(domain)
+ sssdconfig.write(paths.SSSD_CONF)
+
+ return 0
+
+def change_ssh_config(filename, changes, sections):
+ if not changes:
+ return True
+
+ try:
+ f = open(filename, 'r')
+ except IOError as e:
+ root_logger.error("Failed to open '%s': %s", filename, str(e))
+ return False
+
+ change_keys = tuple(key.lower() for key in changes)
+ section_keys = tuple(key.lower() for key in sections)
+
+ lines = []
+ in_section = False
+ for line in f:
+ line = line.rstrip('\n')
+ pline = line.strip()
+ if not pline or pline.startswith('#'):
+ lines.append(line)
+ continue
+ option = pline.split()[0].lower()
+ if option in section_keys:
+ in_section = True
+ break
+ if option in change_keys:
+ line = '#' + line
+ lines.append(line)
+ for option, value in changes.items():
+ if value is not None:
+ lines.append('%s %s' % (option, value))
+ if in_section:
+ lines.append('')
+ lines.append(line)
+ for line in f:
+ line = line.rstrip('\n')
+ lines.append(line)
+ lines.append('')
+
+ f.close()
+
+ try:
+ f = open(filename, 'w')
+ except IOError as e:
+ root_logger.error("Failed to open '%s': %s", filename, str(e))
+ return False
+
+ f.write('\n'.join(lines))
+
+ f.close()
+
+ return True
+
+def configure_ssh_config(fstore, options):
+ ssh_dir = services.knownservices.sshd.get_config_dir()
+ ssh_config = os.path.join(ssh_dir, 'ssh_config')
+
+ if not file_exists(ssh_config):
+ root_logger.info("%s not found, skipping configuration" % ssh_config)
+ return
+
+ fstore.backup_file(ssh_config)
+
+ changes = {
+ 'PubkeyAuthentication': 'yes',
+ }
+
+ if options.sssd and file_exists(paths.SSS_SSH_KNOWNHOSTSPROXY):
+ changes['ProxyCommand'] = '%s -p %%p %%h' % paths.SSS_SSH_KNOWNHOSTSPROXY
+ changes['GlobalKnownHostsFile'] = paths.SSSD_PUBCONF_KNOWN_HOSTS
+ if options.trust_sshfp:
+ changes['VerifyHostKeyDNS'] = 'yes'
+ changes['HostKeyAlgorithms'] = 'ssh-rsa,ssh-dss'
+
+ change_ssh_config(ssh_config, changes, ['Host', 'Match'])
+ root_logger.info('Configured %s', ssh_config)
+
+def configure_sshd_config(fstore, options):
+ sshd = services.knownservices.sshd
+ ssh_dir = sshd.get_config_dir()
+ sshd_config = os.path.join(ssh_dir, 'sshd_config')
+
+ if not file_exists(sshd_config):
+ root_logger.info("%s not found, skipping configuration" % sshd_config)
+ return
+
+ fstore.backup_file(sshd_config)
+
+ changes = {
+ 'PubkeyAuthentication': 'yes',
+ 'KerberosAuthentication': 'no',
+ 'GSSAPIAuthentication': 'yes',
+ 'UsePAM': 'yes',
+ }
+
+ if options.sssd and file_exists(paths.SSS_SSH_AUTHORIZEDKEYS):
+ authorized_keys_changes = None
+
+ candidates = (
+ {
+ 'AuthorizedKeysCommand': paths.SSS_SSH_AUTHORIZEDKEYS,
+ 'AuthorizedKeysCommandUser': 'nobody',
+ },
+ {
+ 'AuthorizedKeysCommand': paths.SSS_SSH_AUTHORIZEDKEYS,
+ 'AuthorizedKeysCommandRunAs': 'nobody',
+ },
+ {
+ 'PubKeyAgent': '%s %%u' % paths.SSS_SSH_AUTHORIZEDKEYS,
+ 'PubKeyAgentRunAs': 'nobody',
+ },
+ )
+
+ for candidate in candidates:
+ args = ['sshd', '-t', '-f', paths.DEV_NULL]
+ for item in candidate.items():
+ args.append('-o')
+ args.append('%s=%s' % item)
+
+ result = ipautil.run(args, raiseonerr=False)
+ if result.returncode == 0:
+ authorized_keys_changes = candidate
+ break
+
+ if authorized_keys_changes is not None:
+ changes.update(authorized_keys_changes)
+ else:
+ root_logger.warning("Installed OpenSSH server does not "
+ "support dynamically loading authorized user keys. "
+ "Public key authentication of IPA users will not be "
+ "available.")
+
+ change_ssh_config(sshd_config, changes, ['Match'])
+ root_logger.info('Configured %s', sshd_config)
+
+ if sshd.is_running():
+ try:
+ sshd.restart()
+ except Exception as e:
+ log_service_error(sshd.service_name, 'restart', e)
+
+
+def configure_automount(options):
+ root_logger.info('\nConfiguring automount:')
+
+ args = [
+ 'ipa-client-automount', '--debug', '-U',
+ '--location', options.location
+ ]
+
+ if options.server:
+ args.extend(['--server', options.server[0]])
+ if not options.sssd:
+ args.append('--no-sssd')
+
+ try:
+ result = run(args)
+ except Exception as e:
+ root_logger.error('Automount configuration failed: %s', str(e))
+ else:
+ root_logger.info(result.output_log)
+
+
+def configure_nisdomain(options, domain):
+ domain = options.nisdomain or domain
+ root_logger.info('Configuring %s as NIS domain.' % domain)
+
+ nis_domain_name = ''
+
+ # First backup the old NIS domain name
+ if os.path.exists(paths.BIN_NISDOMAINNAME):
+ try:
+ result = ipautil.run([paths.BIN_NISDOMAINNAME],
+ capture_output=True)
+ except CalledProcessError as e:
+ pass
+ else:
+ nis_domain_name = result.output
+
+ statestore.backup_state('network', 'nisdomain', nis_domain_name)
+
+ # Backup the state of the domainname service
+ statestore.backup_state("domainname", "enabled",
+ services.knownservices.domainname.is_enabled())
+
+ # Set the new NIS domain name
+ tasks.set_nisdomain(domain)
+
+ # Enable and start the domainname service
+ services.knownservices.domainname.enable()
+ # Restart rather than start so that new NIS domain name is loaded
+ # if the service is already running
+ services.knownservices.domainname.restart()
+
+
+def unconfigure_nisdomain():
+ # Set the nisdomain permanent and current nisdomain configuration as it was
+ if statestore.has_state('network'):
+ old_nisdomain = statestore.restore_state('network','nisdomain') or ''
+
+ if old_nisdomain:
+ root_logger.info('Restoring %s as NIS domain.' % old_nisdomain)
+ else:
+ root_logger.info('Unconfiguring the NIS domain.')
+
+ tasks.set_nisdomain(old_nisdomain)
+
+ # Restore the configuration of the domainname service
+ enabled = statestore.restore_state('domainname', 'enabled')
+ if not enabled:
+ services.knownservices.domainname.disable()
+
+
+def get_iface_from_ip(ip_addr):
+ result = ipautil.run([paths.IP, '-oneline', 'address', 'show'],
+ capture_output=True)
+ for line in result.output.split('\n'):
+ fields = line.split()
+ if len(fields) < 6:
+ continue
+ if fields[2] not in ['inet', 'inet6']:
+ continue
+ (ip, mask) = fields[3].rsplit('/', 1)
+ if ip == ip_addr:
+ return fields[1]
+ else:
+ raise RuntimeError("IP %s not assigned to any interface." % ip_addr)
+
+
+def get_local_ipaddresses(iface=None):
+ args = [paths.IP, '-oneline', 'address', 'show']
+ if iface:
+ args += ['dev', iface]
+ result = ipautil.run(args, capture_output=True)
+ lines = result.output.split('\n')
+ ips = []
+ for line in lines:
+ fields = line.split()
+ if len(fields) < 6:
+ continue
+ if fields[2] not in ['inet', 'inet6']:
+ continue
+ (ip, mask) = fields[3].rsplit('/', 1)
+ try:
+ ips.append(ipautil.CheckedIPAddress(ip))
+ except ValueError:
+ continue
+ return ips
+
+
+def do_nsupdate(update_txt):
+ root_logger.debug("Writing nsupdate commands to %s:", UPDATE_FILE)
+ root_logger.debug("%s", update_txt)
+
+ update_fd = open(UPDATE_FILE, "w")
+ update_fd.write(update_txt)
+ update_fd.flush()
+ update_fd.close()
+
+ result = False
+ try:
+ ipautil.run([paths.NSUPDATE, '-g', UPDATE_FILE])
+ result = True
+ except CalledProcessError as e:
+ root_logger.debug('nsupdate failed: %s', str(e))
+
+ try:
+ os.remove(UPDATE_FILE)
+ except Exception:
+ pass
+
+ return result
+
+DELETE_TEMPLATE_A = """
+update delete $HOSTNAME. IN A
+show
+send
+"""
+
+DELETE_TEMPLATE_AAAA = """
+update delete $HOSTNAME. IN AAAA
+show
+send
+"""
+ADD_TEMPLATE_A = """
+update add $HOSTNAME. $TTL IN A $IPADDRESS
+show
+send
+"""
+
+ADD_TEMPLATE_AAAA = """
+update add $HOSTNAME. $TTL IN AAAA $IPADDRESS
+show
+send
+"""
+
+UPDATE_FILE = paths.IPA_DNS_UPDATE_TXT
+CCACHE_FILE = paths.IPA_DNS_CCACHE
+
+def update_dns(server, hostname, options):
+
+ try:
+ ips = get_local_ipaddresses()
+ except CalledProcessError as e:
+ root_logger.error("Cannot update DNS records. %s" % e)
+ root_logger.debug("Unable to get local IP addresses.")
+
+ if options.all_ip_addresses:
+ update_ips = ips
+ elif options.ip_addresses:
+ update_ips = []
+ for ip in options.ip_addresses:
+ update_ips.append(ipautil.CheckedIPAddress(ip))
+ else:
+ try:
+ iface = get_server_connection_interface(server)
+ except RuntimeError as e:
+ root_logger.error("Cannot update DNS records. %s" % e)
+ return
+ try:
+ update_ips = get_local_ipaddresses(iface)
+ except CalledProcessError as e:
+ root_logger.error("Cannot update DNS records. %s" % e)
+ return
+
+ if not update_ips:
+ root_logger.info("Failed to determine this machine's ip address(es).")
+ return
+
+ update_txt = "debug\n"
+ update_txt += ipautil.template_str(DELETE_TEMPLATE_A,
+ dict(HOSTNAME=hostname))
+ update_txt += ipautil.template_str(DELETE_TEMPLATE_AAAA,
+ dict(HOSTNAME=hostname))
+
+ for ip in update_ips:
+ sub_dict = dict(HOSTNAME=hostname, IPADDRESS=ip, TTL=1200)
+ if ip.version == 4:
+ template = ADD_TEMPLATE_A
+ elif ip.version == 6:
+ template = ADD_TEMPLATE_AAAA
+ update_txt += ipautil.template_str(template, sub_dict)
+
+ if not do_nsupdate(update_txt):
+ root_logger.error("Failed to update DNS records.")
+ verify_dns_update(hostname, update_ips)
+
+
+def verify_dns_update(fqdn, ips):
+ """
+ Verify that the fqdn resolves to all IP addresses and
+ that there's matching PTR record for every IP address.
+ """
+ # verify A/AAAA records
+ missing_ips = [str(ip) for ip in ips]
+ extra_ips = []
+ for record_type in [dns.rdatatype.A, dns.rdatatype.AAAA]:
+ root_logger.debug('DNS resolver: Query: %s IN %s' %
+ (fqdn, dns.rdatatype.to_text(record_type)))
+ try:
+ answers = dns.resolver.query(fqdn, record_type)
+ except (dns.resolver.NoAnswer, dns.resolver.NXDOMAIN):
+ root_logger.debug('DNS resolver: No record.')
+ except dns.resolver.NoNameservers:
+ root_logger.debug('DNS resolver: No nameservers answered the'
+ 'query.')
+ except dns.exception.DNSException:
+ root_logger.debug('DNS resolver error.')
+ else:
+ for rdata in answers:
+ try:
+ missing_ips.remove(rdata.address)
+ except ValueError:
+ extra_ips.append(rdata.address)
+
+ # verify PTR records
+ fqdn_name = dns.name.from_text(fqdn)
+ wrong_reverse = {}
+ missing_reverse = [str(ip) for ip in ips]
+ for ip in ips:
+ ip_str = str(ip)
+ addr = dns.reversename.from_address(ip_str)
+ root_logger.debug('DNS resolver: Query: %s IN PTR' % addr)
+ try:
+ answers = dns.resolver.query(addr, dns.rdatatype.PTR)
+ except (dns.resolver.NoAnswer, dns.resolver.NXDOMAIN):
+ root_logger.debug('DNS resolver: No record.')
+ except dns.resolver.NoNameservers:
+ root_logger.debug('DNS resolver: No nameservers answered the'
+ 'query.')
+ except dns.exception.DNSException:
+ root_logger.debug('DNS resolver error.')
+ else:
+ missing_reverse.remove(ip_str)
+ for rdata in answers:
+ if not rdata.target == fqdn_name:
+ wrong_reverse.setdefault(ip_str, []).append(rdata.target)
+
+ if missing_ips:
+ root_logger.warning('Missing A/AAAA record(s) for host %s: %s.' %
+ (fqdn, ', '.join(missing_ips)))
+ if extra_ips:
+ root_logger.warning('Extra A/AAAA record(s) for host %s: %s.' %
+ (fqdn, ', '.join(extra_ips)))
+ if missing_reverse:
+ root_logger.warning('Missing reverse record(s) for address(es): %s.' %
+ ', '.join(missing_reverse))
+ if wrong_reverse:
+ root_logger.warning('Incorrect reverse record(s):')
+ for ip in wrong_reverse:
+ for target in wrong_reverse[ip]:
+ root_logger.warning('%s is pointing to %s instead of %s' %
+ (ip, target, fqdn_name))
+
+def get_server_connection_interface(server):
+ # connect to IPA server, get all ip addresses of inteface used to connect
+ for res in socket.getaddrinfo(server, 389, socket.AF_UNSPEC, socket.SOCK_STREAM):
+ (af, socktype, proto, canonname, sa) = res
+ try:
+ s = socket.socket(af, socktype, proto)
+ except socket.error as e:
+ last_error = e
+ s = None
+ continue
+ try:
+ s.connect(sa)
+ sockname = s.getsockname()
+ ip = sockname[0]
+ except socket.error as e:
+ last_error = e
+ continue
+ finally:
+ if s:
+ s.close()
+ try:
+ return get_iface_from_ip(ip)
+ except (CalledProcessError, RuntimeError) as e:
+ last_error = e
+ else:
+ msg = "Cannot get server connection interface"
+ if last_error:
+ msg += ": %s" % (last_error)
+ raise RuntimeError(msg)
+
+
+def client_dns(server, hostname, options):
+
+ try:
+ verify_host_resolvable(hostname, root_logger)
+ dns_ok = True
+ except errors.DNSNotARecordError:
+ root_logger.warning("Hostname (%s) does not have A/AAAA record.",
+ hostname)
+ dns_ok = False
+
+ if (options.dns_updates or options.all_ip_addresses or options.ip_addresses
+ or not dns_ok):
+ update_dns(server, hostname, options)
+
+
+def check_ip_addresses(options):
+ if options.ip_addresses:
+ for ip in options.ip_addresses:
+ try:
+ ipautil.CheckedIPAddress(ip, match_local=True)
+ except ValueError as e:
+ root_logger.error(e)
+ return False
+ return True
+
+def update_ssh_keys(server, hostname, ssh_dir, create_sshfp):
+ if not os.path.isdir(ssh_dir):
+ return
+
+ pubkeys = []
+ for basename in os.listdir(ssh_dir):
+ if not basename.endswith('.pub'):
+ continue
+ filename = os.path.join(ssh_dir, basename)
+
+ try:
+ f = open(filename, 'r')
+ except IOError as e:
+ root_logger.warning("Failed to open '%s': %s", filename, str(e))
+ continue
+
+ for line in f:
+ line = line[:-1].lstrip()
+ if not line or line.startswith('#'):
+ continue
+ try:
+ pubkey = SSHPublicKey(line)
+ except ValueError as UnicodeDecodeError:
+ continue
+ root_logger.info("Adding SSH public key from %s", filename)
+ pubkeys.append(pubkey)
+
+ f.close()
+
+ try:
+ # Use the RPC directly so older servers are supported
+ api.Backend.rpcclient.forward(
+ 'host_mod',
+ ipautil.fsdecode(hostname),
+ ipasshpubkey=[pk.openssh() for pk in pubkeys],
+ updatedns=False,
+ version=u'2.26', # this version adds support for SSH public keys
+ )
+ except errors.EmptyModlist:
+ pass
+ except Exception as e:
+ root_logger.info("host_mod: %s", str(e))
+ root_logger.warning("Failed to upload host SSH public keys.")
+ return
+
+ if create_sshfp:
+ ttl = 1200
+
+ update_txt = 'debug\n'
+ update_txt += 'update delete %s. IN SSHFP\nshow\nsend\n' % hostname
+ for pubkey in pubkeys:
+ sshfp = pubkey.fingerprint_dns_sha1()
+ if sshfp is not None:
+ update_txt += 'update add %s. %s IN SSHFP %s\n' % (hostname, ttl, sshfp)
+ sshfp = pubkey.fingerprint_dns_sha256()
+ if sshfp is not None:
+ update_txt += 'update add %s. %s IN SSHFP %s\n' % (hostname, ttl, sshfp)
+ update_txt += 'show\nsend\n'
+
+ if not do_nsupdate(update_txt):
+ root_logger.warning("Could not update DNS SSHFP records.")
+
+def print_port_conf_info():
+ root_logger.info(
+ "Please make sure the following ports are opened "
+ "in the firewall settings:\n"
+ " TCP: 80, 88, 389\n"
+ " UDP: 88 (at least one of TCP/UDP ports 88 has to be open)\n"
+ "Also note that following ports are necessary for ipa-client "
+ "working properly after enrollment:\n"
+ " TCP: 464\n"
+ " UDP: 464, 123 (if NTP enabled)")
+
+def get_certs_from_ldap(server, base_dn, realm, ca_enabled):
+ conn = ipaldap.IPAdmin(server, sasl_nocanon=True)
+ try:
+ conn.do_sasl_gssapi_bind()
+ certs = certstore.get_ca_certs(conn, base_dn, realm, ca_enabled)
+ except errors.NotFound:
+ raise errors.NoCertificateError(entry=server)
+ except errors.NetworkError as e:
+ raise errors.NetworkError(uri=conn.ldap_uri, error=str(e))
+ except Exception as e:
+ raise errors.LDAPError(str(e))
+ finally:
+ conn.unbind()
+
+ return certs
+
+def get_ca_certs_from_file(url):
+ '''
+ Get the CA cert from a user supplied file and write it into the
+ CACERT file.
+
+ Raises errors.NoCertificateError if unable to read cert.
+ Raises errors.FileError if unable to write cert.
+ '''
+
+ try:
+ parsed = urlparse(url, 'file')
+ except Exception:
+ raise errors.FileError(reason="unable to parse file url '%s'" % url)
+
+ if parsed.scheme != 'file':
+ raise errors.FileError(reason="url is not a file scheme '%s'" % url)
+
+ filename = parsed.path
+
+ if not os.path.exists(filename):
+ raise errors.FileError(reason="file '%s' does not exist" % filename)
+
+ if not os.path.isfile(filename):
+ raise errors.FileError(reason="file '%s' is not a file" % filename)
+
+ root_logger.debug("trying to retrieve CA cert from file %s", filename)
+ try:
+ certs = x509.load_certificate_list_from_file(filename)
+ except Exception as e:
+ raise errors.NoCertificateError(entry=filename)
+
+ return certs
+
+def get_ca_certs_from_http(url, warn=True):
+ '''
+ Use HTTP to retrieve the CA cert and write it into the CACERT file.
+ This is insecure and should be avoided.
+
+ Raises errors.NoCertificateError if unable to retrieve and write cert.
+ '''
+
+ if warn:
+ root_logger.warning("Downloading the CA certificate via HTTP, " +
+ "this is INSECURE")
+
+ root_logger.debug("trying to retrieve CA cert via HTTP from %s", url)
+ try:
+
+ result = run([paths.BIN_CURL, "-o", "-", url], capture_output=True)
+ except CalledProcessError as e:
+ raise errors.NoCertificateError(entry=url)
+ stdout = result.output
+
+ try:
+ certs = x509.load_certificate_list(stdout)
+ except Exception:
+ raise errors.NoCertificateError(entry=url)
+
+ return certs
+
+def get_ca_certs_from_ldap(server, basedn, realm):
+ '''
+ Retrieve th CA cert from the LDAP server by binding to the
+ server with GSSAPI using the current Kerberos credentials.
+ Write the retrieved cert into the CACERT file.
+
+ Raises errors.NoCertificateError if cert is not found.
+ Raises errors.NetworkError if LDAP connection can't be established.
+ Raises errors.LDAPError for any other generic LDAP error.
+ Raises errors.OnlyOneValueAllowed if more than one cert is found.
+ Raises errors.FileError if unable to write cert.
+ '''
+
+ root_logger.debug("trying to retrieve CA cert via LDAP from %s", server)
+
+ try:
+ certs = get_certs_from_ldap(server, basedn, realm, False)
+ except Exception as e:
+ root_logger.debug("get_ca_certs_from_ldap() error: %s", e)
+ raise
+
+ certs = [x509.load_certificate(c[0], x509.DER) for c in certs
+ if c[2] is not False]
+
+ return certs
+
+def validate_new_ca_certs(existing_ca_certs, new_ca_certs, ask,
+ override=False):
+ if existing_ca_certs is None:
+ root_logger.info(
+ cert_summary("Successfully retrieved CA cert", new_ca_certs))
+ return
+
+ existing_ca_certs = set(existing_ca_certs)
+ new_ca_certs = set(new_ca_certs)
+ if existing_ca_certs > new_ca_certs:
+ root_logger.warning(
+ "The CA cert available from the IPA server does not match the\n"
+ "local certificate available at %s" % CACERT)
+ root_logger.warning(
+ cert_summary("Existing CA cert:", existing_ca_certs))
+ root_logger.warning(
+ cert_summary("Retrieved CA cert:", new_ca_certs))
+ if override:
+ root_logger.warning("Overriding existing CA cert\n")
+ elif not ask or not user_input(
+ "Do you want to replace the local certificate with the CA\n"
+ "certificate retrieved from the IPA server?", True):
+ raise errors.CertificateInvalidError(name='Retrieved CA')
+ else:
+ root_logger.debug(
+ "Existing CA cert and Retrieved CA cert are identical")
+
+def get_ca_certs(fstore, options, server, basedn, realm):
+ '''
+ Examine the different options and determine a method for obtaining
+ the CA cert.
+
+ If successful the CA cert will have been written into CACERT.
+
+ Raises errors.NoCertificateError if not successful.
+
+ The logic for determining how to load the CA cert is as follow:
+
+ In the OTP case (not -p and -w):
+
+ 1. load from user supplied cert file
+ 2. else load from HTTP
+
+ In the 'user_auth' case ((-p and -w) or interactive):
+
+ 1. load from user supplied cert file
+ 2. load from LDAP using SASL/GSS/Krb5 auth
+ (provides mutual authentication, integrity and security)
+ 3. if LDAP failed and interactive ask for permission to
+ use insecure HTTP (default: No)
+
+ In the unattended case:
+
+ 1. load from user supplied cert file
+ 2. load from HTTP if --force specified else fail
+
+ In all cases if HTTP is used emit warning message
+ '''
+
+ ca_file = CACERT + ".new"
+
+ def ldap_url():
+ return urlunparse(('ldap', ipautil.format_netloc(server),
+ '', '', '', ''))
+
+ def file_url():
+ return urlunparse(('file', '', options.ca_cert_file,
+ '', '', ''))
+
+ def http_url():
+ return urlunparse(('http', ipautil.format_netloc(server),
+ '/ipa/config/ca.crt', '', '', ''))
+
+
+ interactive = not options.unattended
+ otp_auth = options.principal is None and options.password is not None
+ existing_ca_certs = None
+ ca_certs = None
+
+ if options.ca_cert_file:
+ url = file_url()
+ try:
+ ca_certs = get_ca_certs_from_file(url)
+ except errors.FileError as e:
+ root_logger.debug(e)
+ raise
+ except Exception as e:
+ root_logger.debug(e)
+ raise errors.NoCertificateError(entry=url)
+ root_logger.debug("CA cert provided by user, use it!")
+ else:
+ if os.path.exists(CACERT):
+ if os.path.isfile(CACERT):
+ try:
+ existing_ca_certs = x509.load_certificate_list_from_file(
+ CACERT)
+ except Exception as e:
+ raise errors.FileError(reason=u"Unable to load existing" +
+ " CA cert '%s': %s" % (CACERT, e))
+ else:
+ raise errors.FileError(reason=u"Existing ca cert '%s' is " +
+ "not a plain file" % (CACERT))
+
+ if otp_auth:
+ if existing_ca_certs:
+ root_logger.info("OTP case, CA cert preexisted, use it")
+ else:
+ url = http_url()
+ override = not interactive
+ if interactive and not user_input(
+ "Do you want to download the CA cert from " + url + " ?\n"
+ "(this is INSECURE)", False):
+ raise errors.NoCertificateError(message=u"HTTP certificate"
+ " download declined by user")
+ try:
+ ca_certs = get_ca_certs_from_http(url, override)
+ except Exception as e:
+ root_logger.debug(e)
+ raise errors.NoCertificateError(entry=url)
+
+ validate_new_ca_certs(existing_ca_certs, ca_certs, False,
+ override)
+ else:
+ # Auth with user credentials
+ try:
+ url = ldap_url()
+ ca_certs = get_ca_certs_from_ldap(server, basedn, realm)
+ validate_new_ca_certs(existing_ca_certs, ca_certs, interactive)
+ except errors.FileError as e:
+ root_logger.debug(e)
+ raise
+ except (errors.NoCertificateError, errors.LDAPError) as e:
+ root_logger.debug(str(e))
+ url = http_url()
+ if existing_ca_certs:
+ root_logger.warning(
+ "Unable to download CA cert from LDAP\n"
+ "but found preexisting cert, using it.\n")
+ elif interactive and not user_input(
+ "Unable to download CA cert from LDAP.\n"
+ "Do you want to download the CA cert from " + url + "?\n"
+ "(this is INSECURE)", False):
+ raise errors.NoCertificateError(message=u"HTTP "
+ "certificate download declined by user")
+ elif not interactive and not options.force:
+ root_logger.error(
+ "In unattended mode without a One Time Password "
+ "(OTP) or without --ca-cert-file\nYou must specify"
+ " --force to retrieve the CA cert using HTTP")
+ raise errors.NoCertificateError(message=u"HTTP "
+ "certificate download requires --force")
+ else:
+ try:
+ ca_certs = get_ca_certs_from_http(url)
+ except Exception as e:
+ root_logger.debug(e)
+ raise errors.NoCertificateError(entry=url)
+ validate_new_ca_certs(existing_ca_certs, ca_certs,
+ interactive)
+ except Exception as e:
+ root_logger.debug(str(e))
+ raise errors.NoCertificateError(entry=url)
+
+ if ca_certs is None and existing_ca_certs is None:
+ raise errors.InternalError(u"expected CA cert file '%s' to "
+ u"exist, but it's absent" % (ca_file))
+
+ if ca_certs is not None:
+ try:
+ ca_certs = [cert.der_data for cert in ca_certs]
+ x509.write_certificate_list(ca_certs, ca_file)
+ except Exception as e:
+ if os.path.exists(ca_file):
+ try:
+ os.unlink(ca_file)
+ except OSError as e:
+ root_logger.error(
+ "Failed to remove '%s': %s", ca_file, e)
+ raise errors.FileError(reason =
+ u"cannot write certificate file '%s': %s" % (ca_file, e))
+
+ os.rename(ca_file, CACERT)
+
+ # Make sure the file permissions are correct
+ try:
+ os.chmod(CACERT, 0o644)
+ except Exception as e:
+ raise errors.FileError(reason=u"Unable set permissions on ca "
+ u"cert '%s': %s" % (CACERT, e))
+
+#IMPORTANT First line of FF config file is ignored
+FIREFOX_CONFIG_TEMPLATE = """
+
+/* Kerberos SSO configuration */
+pref("network.negotiate-auth.trusted-uris", ".$DOMAIN");
+
+/* These are the defaults */
+pref("network.negotiate-auth.gsslib", "");
+pref("network.negotiate-auth.using-native-gsslib", true);
+pref("network.negotiate-auth.allow-proxies", true);
+"""
+
+FIREFOX_PREFERENCES_FILENAME = "all-ipa.js"
+FIREFOX_PREFERENCES_REL_PATH = "browser/defaults/preferences"
+
+def configure_firefox(options, statestore, domain):
+ try:
+ root_logger.debug("Setting up Firefox configuration.")
+
+ preferences_dir = None
+
+ # Check user specified location of firefox install directory
+ if options.firefox_dir is not None:
+ pref_path = os.path.join(options.firefox_dir,
+ FIREFOX_PREFERENCES_REL_PATH)
+ if dir_exists(pref_path):
+ preferences_dir = pref_path
+ else:
+ root_logger.error("Directory '%s' does not exists." % pref_path)
+ else:
+ # test if firefox is installed
+ if file_exists(paths.FIREFOX):
+
+ # find valid preferences path
+ for path in [paths.LIB_FIREFOX, paths.LIB64_FIREFOX]:
+ pref_path = os.path.join(path,
+ FIREFOX_PREFERENCES_REL_PATH)
+ if dir_exists(pref_path):
+ preferences_dir = pref_path
+ break
+ else:
+ root_logger.error("Firefox configuration skipped (Firefox not found).")
+ return
+
+ # setting up firefox
+ if preferences_dir is not None:
+
+ # user could specify relative path, we need to store absolute
+ preferences_dir = os.path.abspath(preferences_dir)
+ root_logger.debug("Firefox preferences directory found '%s'." % preferences_dir)
+ preferences_fname = os.path.join(preferences_dir, FIREFOX_PREFERENCES_FILENAME)
+ update_txt = ipautil.template_str(FIREFOX_CONFIG_TEMPLATE, dict(DOMAIN=domain))
+ root_logger.debug("Firefox trusted uris will be set as '.%s' domain." % domain)
+ root_logger.debug("Firefox configuration will be stored in '%s' file." % preferences_fname)
+
+ try:
+ with open(preferences_fname, 'w') as f:
+ f.write(update_txt)
+ root_logger.info("Firefox sucessfully configured.")
+ statestore.backup_state('firefox', 'preferences_fname', preferences_fname)
+ except Exception as e:
+ root_logger.debug("An error occured during creating preferences file: %s." % str(e))
+ root_logger.error("Firefox configuration failed.")
+ else:
+ root_logger.debug("Firefox preferences directory not found.")
+ root_logger.error("Firefox configuration failed.")
+
+ except Exception as e:
+ root_logger.debug(str(e))
+ root_logger.error("Firefox configuration failed.")
+
+
+def install(options, env, fstore, statestore):
+ dnsok = False
+
+ cli_domain = None
+ cli_server = None
+ subject_base = None
+
+ cli_domain_source = 'Unknown source'
+ cli_server_source = 'Unknown source'
+
+ if options.conf_ntp and not options.on_master and not options.force_ntpd:
+ try:
+ ipaclient.ntpconf.check_timedate_services()
+ except ipaclient.ntpconf.NTPConflictingService as e:
+ print("WARNING: ntpd time&date synchronization service will not" \
+ " be configured as")
+ print("conflicting service (%s) is enabled" % e.conflicting_service)
+ print("Use --force-ntpd option to disable it and force configuration" \
+ " of ntpd")
+ print("")
+
+ # configuration of ntpd is disabled in this case
+ options.conf_ntp = False
+ except ipaclient.ntpconf.NTPConfigurationError:
+ pass
+
+ if options.unattended and (options.password is None and
+ options.principal is None and
+ options.keytab is None and
+ options.prompt_password is False and
+ not options.on_master):
+ root_logger.error("One of password / principal / keytab is required.")
+ return CLIENT_INSTALL_ERROR
+
+ if options.hostname:
+ hostname = options.hostname
+ hostname_source = 'Provided as option'
+ else:
+ hostname = socket.getfqdn()
+ hostname_source = "Machine's FQDN"
+ if hostname != hostname.lower():
+ root_logger.error(
+ "Invalid hostname '%s', must be lower-case.", hostname)
+ return CLIENT_INSTALL_ERROR
+ if (hostname == 'localhost') or (hostname == 'localhost.localdomain'):
+ root_logger.error("Invalid hostname, '%s' must not be used.", hostname)
+ return CLIENT_INSTALL_ERROR
+
+ # when installing with '--no-sssd' option, check whether nss-ldap is installed
+ if not options.sssd:
+ (nssldap_installed, nosssd_files) = nssldap_exists()
+ if not nssldap_installed:
+ root_logger.error("One of these packages must be installed: " +
+ "nss_ldap or nss-pam-ldapd")
+ return CLIENT_INSTALL_ERROR
+
+ if options.keytab and options.principal:
+ root_logger.error("Options 'principal' and 'keytab' cannot be used "
+ "together.")
+ return CLIENT_INSTALL_ERROR
+
+ if options.keytab and options.force_join:
+ root_logger.warning("Option 'force-join' has no additional effect "
+ "when used with together with option 'keytab'.")
+
+ # Check if old certificate exist and show warning
+ if not options.ca_cert_file and get_cert_path(options.ca_cert_file) == CACERT:
+ root_logger.warning("Using existing certificate '%s'.", CACERT)
+
+ if not check_ip_addresses(options):
+ return CLIENT_INSTALL_ERROR
+
+ # Create the discovery instance
+ ds = ipadiscovery.IPADiscovery()
+
+ ret = ds.search(domain=options.domain, servers=options.server, realm=options.realm_name, hostname=hostname, ca_cert_path=get_cert_path(options.ca_cert_file))
+
+ if options.server and ret != 0:
+ # There is no point to continue with installation as server list was
+ # passed as a fixed list of server and thus we cannot discover any
+ # better result
+ root_logger.error("Failed to verify that %s is an IPA Server.",
+ ', '.join(options.server))
+ root_logger.error("This may mean that the remote server is not up "
+ "or is not reachable due to network or firewall settings.")
+ print_port_conf_info()
+ return CLIENT_INSTALL_ERROR
+
+ if ret == ipadiscovery.BAD_HOST_CONFIG:
+ root_logger.error("Can't get the fully qualified name of this host")
+ root_logger.info("Check that the client is properly configured")
+ return CLIENT_INSTALL_ERROR
+ if ret == ipadiscovery.NOT_FQDN:
+ root_logger.error("%s is not a fully-qualified hostname", hostname)
+ return CLIENT_INSTALL_ERROR
+ if ret in (ipadiscovery.NO_LDAP_SERVER, ipadiscovery.NOT_IPA_SERVER) \
+ or not ds.domain:
+ if ret == ipadiscovery.NO_LDAP_SERVER:
+ if ds.server:
+ root_logger.debug("%s is not an LDAP server" % ds.server)
+ else:
+ root_logger.debug("No LDAP server found")
+ elif ret == ipadiscovery.NOT_IPA_SERVER:
+ if ds.server:
+ root_logger.debug("%s is not an IPA server" % ds.server)
+ else:
+ root_logger.debug("No IPA server found")
+ else:
+ root_logger.debug("Domain not found")
+ if options.domain:
+ cli_domain = options.domain
+ cli_domain_source = 'Provided as option'
+ elif options.unattended:
+ root_logger.error(
+ "Unable to discover domain, not provided on command line")
+ return CLIENT_INSTALL_ERROR
+ else:
+ root_logger.info(
+ "DNS discovery failed to determine your DNS domain")
+ cli_domain = user_input("Provide the domain name of your IPA server (ex: example.com)", allow_empty = False)
+ cli_domain_source = 'Provided interactively'
+ root_logger.debug(
+ "will use interactively provided domain: %s", cli_domain)
+ ret = ds.search(domain=cli_domain, servers=options.server, hostname=hostname, ca_cert_path=get_cert_path(options.ca_cert_file))
+
+ if not cli_domain:
+ if ds.domain:
+ cli_domain = ds.domain
+ cli_domain_source = ds.domain_source
+ root_logger.debug("will use discovered domain: %s", cli_domain)
+
+ client_domain = hostname[hostname.find(".")+1:]
+
+ if ret in (ipadiscovery.NO_LDAP_SERVER, ipadiscovery.NOT_IPA_SERVER) \
+ or not ds.server:
+ root_logger.debug("IPA Server not found")
+ if options.server:
+ cli_server = options.server
+ cli_server_source = 'Provided as option'
+ elif options.unattended:
+ root_logger.error("Unable to find IPA Server to join")
+ return CLIENT_INSTALL_ERROR
+ else:
+ root_logger.debug("DNS discovery failed to find the IPA Server")
+ cli_server = [user_input("Provide your IPA server name (ex: ipa.example.com)", allow_empty = False)]
+ cli_server_source = 'Provided interactively'
+ root_logger.debug("will use interactively provided server: %s", cli_server[0])
+ ret = ds.search(domain=cli_domain, servers=cli_server, hostname=hostname, ca_cert_path=get_cert_path(options.ca_cert_file))
+
+ else:
+ # Only set dnsok to True if we were not passed in one or more servers
+ # and if DNS discovery actually worked.
+ if not options.server:
+ (server, domain) = ds.check_domain(ds.domain, set(), "Validating DNS Discovery")
+ if server and domain:
+ root_logger.debug("DNS validated, enabling discovery")
+ dnsok = True
+ else:
+ root_logger.debug("DNS discovery failed, disabling discovery")
+ else:
+ root_logger.debug("Using servers from command line, disabling DNS discovery")
+
+ if not cli_server:
+ if options.server:
+ cli_server = ds.servers
+ cli_server_source = 'Provided as option'
+ root_logger.debug("will use provided server: %s", ', '.join(options.server))
+ elif ds.server:
+ cli_server = ds.servers
+ cli_server_source = ds.server_source
+ root_logger.debug("will use discovered server: %s", cli_server[0])
+
+ if ret == ipadiscovery.NOT_IPA_SERVER:
+ root_logger.error("%s is not an IPA v2 Server.", cli_server[0])
+ print_port_conf_info()
+ root_logger.debug("(%s: %s)", cli_server[0], cli_server_source)
+ return CLIENT_INSTALL_ERROR
+
+ if ret == ipadiscovery.NO_ACCESS_TO_LDAP:
+ root_logger.warning("Anonymous access to the LDAP server is disabled.")
+ root_logger.info("Proceeding without strict verification.")
+ root_logger.info("Note: This is not an error if anonymous access " +
+ "has been explicitly restricted.")
+ ret = 0
+
+ if ret == ipadiscovery.NO_TLS_LDAP:
+ root_logger.warning("The LDAP server requires TLS is but we do not " +
+ "have the CA.")
+ root_logger.info("Proceeding without strict verification.")
+ ret = 0
+
+ if ret != 0:
+ root_logger.error("Failed to verify that %s is an IPA Server.",
+ cli_server[0])
+ root_logger.error("This may mean that the remote server is not up "
+ "or is not reachable due to network or firewall settings.")
+ print_port_conf_info()
+ root_logger.debug("(%s: %s)", cli_server[0], cli_server_source)
+ return CLIENT_INSTALL_ERROR
+
+ cli_kdc = ds.kdc
+ if dnsok and not cli_kdc:
+ root_logger.error("DNS domain '%s' is not configured for automatic " +
+ "KDC address lookup.", ds.realm.lower())
+ root_logger.debug("(%s: %s)", ds.realm, ds.realm_source)
+ root_logger.error("KDC address will be set to fixed value.")
+
+ if dnsok:
+ root_logger.info("Discovery was successful!")
+ elif not options.unattended:
+ if not options.server:
+ root_logger.warning("The failure to use DNS to find your IPA" +
+ " server indicates that your resolv.conf file is not properly" +
+ " configured.")
+ root_logger.info("Autodiscovery of servers for failover cannot work " +
+ "with this configuration.")
+ root_logger.info("If you proceed with the installation, services " +
+ "will be configured to always access the discovered server for " +
+ "all operations and will not fail over to other servers in case " +
+ "of failure.")
+ if not user_input("Proceed with fixed values and no DNS discovery?", False):
+ return CLIENT_INSTALL_ERROR
+
+ cli_realm = ds.realm
+ cli_realm_source = ds.realm_source
+ root_logger.debug("will use discovered realm: %s", cli_realm)
+
+ if options.realm_name and options.realm_name != cli_realm:
+ root_logger.error(
+ "The provided realm name [%s] does not match discovered one [%s]",
+ options.realm_name, cli_realm)
+ root_logger.debug("(%s: %s)", cli_realm, cli_realm_source)
+ return CLIENT_INSTALL_ERROR
+
+ cli_basedn = ds.basedn
+ cli_basedn_source = ds.basedn_source
+ root_logger.debug("will use discovered basedn: %s", cli_basedn)
+ subject_base = DN(('O', cli_realm))
+
+ root_logger.info("Client hostname: %s", hostname)
+ root_logger.debug("Hostname source: %s", hostname_source)
+ root_logger.info("Realm: %s", cli_realm)
+ root_logger.debug("Realm source: %s", cli_realm_source)
+ root_logger.info("DNS Domain: %s", cli_domain)
+ root_logger.debug("DNS Domain source: %s", cli_domain_source)
+ root_logger.info("IPA Server: %s", ', '.join(cli_server))
+ root_logger.debug("IPA Server source: %s", cli_server_source)
+ root_logger.info("BaseDN: %s", cli_basedn)
+ root_logger.debug("BaseDN source: %s", cli_basedn_source)
+
+ # ipa-join would fail with IP address instead of a FQDN
+ for srv in cli_server:
+ try:
+ socket.inet_pton(socket.AF_INET, srv)
+ is_ipaddr = True
+ except:
+ try:
+ socket.inet_pton(socket.AF_INET6, srv)
+ is_ipaddr = True
+ except:
+ is_ipaddr = False
+
+ if is_ipaddr:
+ print()
+ root_logger.warning("It seems that you are using an IP address "
+ "instead of FQDN as an argument to --server. The "
+ "installation may fail.")
+ break
+
+ print()
+ if not options.unattended and not user_input("Continue to configure the system with these values?", False):
+ return CLIENT_INSTALL_ERROR
+
+ if not options.on_master:
+ # Try removing old principals from the keytab
+ try:
+ ipautil.run([paths.IPA_RMKEYTAB,
+ '-k', paths.KRB5_KEYTAB, '-r', cli_realm])
+ except CalledProcessError as e:
+ if e.returncode not in (3, 5):
+ # 3 - Unable to open keytab
+ # 5 - Principal name or realm not found in keytab
+ root_logger.error("Error trying to clean keytab: " +
+ "/usr/sbin/ipa-rmkeytab returned %s" % e.returncode)
+ else:
+ root_logger.info("Removed old keys for realm %s from %s" % (
+ cli_realm, paths.KRB5_KEYTAB))
+
+ if options.hostname and not options.on_master:
+ # configure /etc/sysconfig/network to contain the hostname we set.
+ # skip this step when run by ipa-server-install as it always configures
+ # hostname if different from system hostname
+ tasks.backup_and_replace_hostname(fstore, statestore, options.hostname)
+
+ ntp_srv_servers = []
+ if not options.on_master and options.conf_ntp:
+ # Attempt to sync time with IPA server.
+ # If we're skipping NTP configuration, we also skip the time sync here.
+ # We assume that NTP servers are discoverable through SRV records in the DNS
+ # If that fails, we try to sync directly with IPA server, assuming it runs NTP
+ root_logger.info('Synchronizing time with KDC...')
+ ntp_srv_servers = ds.ipadns_search_srv(cli_domain, '_ntp._udp',
+ None, break_on_first=False)
+ synced_ntp = False
+ ntp_servers = ntp_srv_servers
+
+ # use user specified NTP servers if there are any
+ if options.ntp_servers:
+ ntp_servers = options.ntp_servers
+
+ for s in ntp_servers:
+ synced_ntp = ipaclient.ntpconf.synconce_ntp(s, options.debug)
+ if synced_ntp:
+ break
+
+ if not synced_ntp and not options.ntp_servers:
+ synced_ntp = ipaclient.ntpconf.synconce_ntp(cli_server[0],
+ options.debug)
+ if not synced_ntp:
+ root_logger.warning("Unable to sync time with NTP " +
+ "server, assuming the time is in sync. Please check " +
+ "that 123 UDP port is opened.")
+ else:
+ root_logger.info('Skipping synchronizing time with NTP server.')
+
+ if not options.unattended:
+ if (options.principal is None and options.password is None and
+ options.prompt_password is False and options.keytab is None):
+ options.principal = user_input("User authorized to enroll "
+ "computers", allow_empty=False)
+ root_logger.debug(
+ "will use principal provided as option: %s", options.principal)
+
+ host_principal = 'host/%s@%s' % (hostname, cli_realm)
+ if not options.on_master:
+ nolog = tuple()
+ # First test out the kerberos configuration
+ try:
+ (krb_fd, krb_name) = tempfile.mkstemp()
+ os.close(krb_fd)
+ if configure_krb5_conf(
+ cli_realm=cli_realm,
+ cli_domain=cli_domain,
+ cli_server=cli_server,
+ cli_kdc=cli_kdc,
+ dnsok=False,
+ options=options,
+ filename=krb_name,
+ client_domain=client_domain):
+ root_logger.error("Test kerberos configuration failed")
+ return CLIENT_INSTALL_ERROR
+ env['KRB5_CONFIG'] = krb_name
+ ccache_dir = tempfile.mkdtemp(prefix='krbcc')
+ ccache_name = os.path.join(ccache_dir, 'ccache')
+ join_args = [paths.SBIN_IPA_JOIN,
+ "-s", cli_server[0],
+ "-b", str(realm_to_suffix(cli_realm)),
+ "-h", hostname]
+ if options.debug:
+ join_args.append("-d")
+ env['XMLRPC_TRACE_CURL'] = 'yes'
+ if options.force_join:
+ join_args.append("-f")
+ if options.principal is not None:
+ stdin = None
+ principal = options.principal
+ if principal.find('@') == -1:
+ principal = '%s@%s' % (principal, cli_realm)
+ if options.password is not None:
+ stdin = options.password
+ else:
+ if not options.unattended:
+ try:
+ stdin = getpass.getpass("Password for %s: " % principal)
+ except EOFError:
+ stdin = None
+ if not stdin:
+ root_logger.error(
+ "Password must be provided for %s.", principal)
+ return CLIENT_INSTALL_ERROR
+ else:
+ if sys.stdin.isatty():
+ root_logger.error("Password must be provided in " +
+ "non-interactive mode.")
+ root_logger.info("This can be done via " +
+ "echo password | ipa-client-install ... " +
+ "or with the -w option.")
+ return CLIENT_INSTALL_ERROR
+ else:
+ stdin = sys.stdin.readline()
+
+ try:
+ ipautil.kinit_password(principal, stdin, ccache_name,
+ config=krb_name)
+ except RuntimeError as e:
+ print_port_conf_info()
+ root_logger.error("Kerberos authentication failed: %s" % e)
+ return CLIENT_INSTALL_ERROR
+ elif options.keytab:
+ join_args.append("-f")
+ if os.path.exists(options.keytab):
+ try:
+ ipautil.kinit_keytab(host_principal, options.keytab,
+ ccache_name,
+ config=krb_name,
+ attempts=options.kinit_attempts)
+ except gssapi.exceptions.GSSError as e:
+ print_port_conf_info()
+ root_logger.error("Kerberos authentication failed: %s"
+ % e)
+ return CLIENT_INSTALL_ERROR
+ else:
+ root_logger.error("Keytab file could not be found: %s"
+ % options.keytab)
+ return CLIENT_INSTALL_ERROR
+ elif options.password:
+ nolog = (options.password,)
+ join_args.append("-w")
+ join_args.append(options.password)
+ elif options.prompt_password:
+ if options.unattended:
+ root_logger.error(
+ "Password must be provided in non-interactive mode")
+ return CLIENT_INSTALL_ERROR
+ try:
+ password = getpass.getpass("Password: ")
+ except EOFError:
+ password = None
+ if not password:
+ root_logger.error("Password must be provided.")
+ return CLIENT_INSTALL_ERROR
+ join_args.append("-w")
+ join_args.append(password)
+ nolog = (password,)
+
+ env['KRB5CCNAME'] = os.environ['KRB5CCNAME'] = ccache_name
+ # Get the CA certificate
+ try:
+ os.environ['KRB5_CONFIG'] = env['KRB5_CONFIG']
+ get_ca_certs(fstore, options, cli_server[0], cli_basedn,
+ cli_realm)
+ del os.environ['KRB5_CONFIG']
+ except errors.FileError as e:
+ root_logger.error(e)
+ return CLIENT_INSTALL_ERROR
+ except Exception as e:
+ root_logger.error("Cannot obtain CA certificate\n%s", e)
+ return CLIENT_INSTALL_ERROR
+
+ # Now join the domain
+ result = run(
+ join_args, raiseonerr=False, env=env, nolog=nolog,
+ capture_error=True)
+ stderr = result.error_output
+
+ if result.returncode != 0:
+ root_logger.error("Joining realm failed: %s", stderr)
+ if not options.force:
+ if result.returncode == 13:
+ root_logger.info("Use --force-join option to override "
+ "the host entry on the server "
+ "and force client enrollment.")
+ return CLIENT_INSTALL_ERROR
+ root_logger.info("Use ipa-getkeytab to obtain a host " +
+ "principal for this server.")
+ else:
+ root_logger.info("Enrolled in IPA realm %s", cli_realm)
+
+ start = stderr.find('Certificate subject base is: ')
+ if start >= 0:
+ start = start + 29
+ subject_base = stderr[start:]
+ subject_base = subject_base.strip()
+ subject_base = DN(subject_base)
+
+ if options.principal is not None:
+ run(["kdestroy"], raiseonerr=False, env=env)
+
+ # Obtain the TGT. We do it with the temporary krb5.conf, so that
+ # only the KDC we're installing under is contacted.
+ # Other KDCs might not have replicated the principal yet.
+ # Once we have the TGT, it's usable on any server.
+ try:
+ ipautil.kinit_keytab(host_principal, paths.KRB5_KEYTAB,
+ CCACHE_FILE,
+ config=krb_name,
+ attempts=options.kinit_attempts)
+ env['KRB5CCNAME'] = os.environ['KRB5CCNAME'] = CCACHE_FILE
+ except gssapi.exceptions.GSSError as e:
+ print_port_conf_info()
+ root_logger.error("Failed to obtain host TGT: %s" % e)
+ # failure to get ticket makes it impossible to login and bind
+ # from sssd to LDAP, abort installation and rollback changes
+ return CLIENT_INSTALL_ERROR
+
+ finally:
+ try:
+ os.remove(krb_name)
+ except OSError:
+ root_logger.error("Could not remove %s", krb_name)
+ try:
+ os.rmdir(ccache_dir)
+ except OSError:
+ pass
+ try:
+ os.remove(krb_name + ".ipabkp")
+ except OSError:
+ root_logger.error("Could not remove %s.ipabkp", krb_name)
+
+ # Configure ipa.conf
+ if not options.on_master:
+ configure_ipa_conf(fstore, cli_basedn, cli_realm, cli_domain, cli_server, hostname)
+ root_logger.info("Created /etc/ipa/default.conf")
+
+ api.bootstrap(context='cli_installer', debug=options.debug)
+ api.finalize()
+ if 'config_loaded' not in api.env:
+ root_logger.error("Failed to initialize IPA API.")
+ return CLIENT_INSTALL_ERROR
+
+ # Always back up sssd.conf. It gets updated by authconfig --enablekrb5.
+ fstore.backup_file(paths.SSSD_CONF)
+ if options.sssd:
+ if configure_sssd_conf(fstore, cli_realm, cli_domain, cli_server, options, client_domain, hostname):
+ return CLIENT_INSTALL_ERROR
+ root_logger.info("Configured /etc/sssd/sssd.conf")
+
+ if options.on_master:
+ # If on master assume kerberos is already configured properly.
+ # Get the host TGT.
+ try:
+ ipautil.kinit_keytab(host_principal, paths.KRB5_KEYTAB,
+ CCACHE_FILE,
+ attempts=options.kinit_attempts)
+ os.environ['KRB5CCNAME'] = CCACHE_FILE
+ except gssapi.exceptions.GSSError as e:
+ root_logger.error("Failed to obtain host TGT: %s" % e)
+ return CLIENT_INSTALL_ERROR
+ else:
+ # Configure krb5.conf
+ fstore.backup_file(paths.KRB5_CONF)
+ if configure_krb5_conf(
+ cli_realm=cli_realm,
+ cli_domain=cli_domain,
+ cli_server=cli_server,
+ cli_kdc=cli_kdc,
+ dnsok=dnsok,
+ options=options,
+ filename=paths.KRB5_CONF,
+ client_domain=client_domain):
+ return CLIENT_INSTALL_ERROR
+
+ root_logger.info(
+ "Configured /etc/krb5.conf for IPA realm %s", cli_realm)
+
+ # Clear out any current session keyring information
+ try:
+ delete_persistent_client_session_data(host_principal)
+ except ValueError:
+ pass
+
+ ca_certs = x509.load_certificate_list_from_file(CACERT)
+ ca_certs = [cert.der_data for cert in ca_certs]
+
+ with certdb.NSSDatabase() as tmp_db:
+ # Add CA certs to a temporary NSS database
+ try:
+ pwd_file = ipautil.write_tmp_file(ipautil.ipa_generate_password())
+ tmp_db.create_db(pwd_file.name)
+
+ for i, cert in enumerate(ca_certs):
+ tmp_db.add_cert(cert, 'CA certificate %d' % (i + 1), 'C,,')
+ except CalledProcessError as e:
+ root_logger.info("Failed to add CA to temporary NSS database.")
+ return CLIENT_INSTALL_ERROR
+
+ # Now, let's try to connect to the server's RPC interface
+ connected = False
+ try:
+ api.Backend.rpcclient.connect(nss_dir=tmp_db.secdir)
+ connected = True
+ root_logger.debug("Try RPC connection")
+ api.Backend.rpcclient.forward('ping')
+ except errors.KerberosError as e:
+ if connected:
+ api.Backend.rpcclient.disconnect()
+ root_logger.info(
+ "Cannot connect to the server due to Kerberos error: %s. "
+ "Trying with delegate=True", e)
+ try:
+ api.Backend.rpcclient.connect(delegate=True,
+ nss_dir=tmp_db.secdir)
+ root_logger.debug("Try RPC connection")
+ api.Backend.rpcclient.forward('ping')
+
+ root_logger.info("Connection with delegate=True successful")
+
+ # The remote server is not capable of Kerberos S4U2Proxy
+ # delegation. This features is implemented in IPA server
+ # version 2.2 and higher
+ root_logger.warning(
+ "Target IPA server has a lower version than the enrolled "
+ "client")
+ root_logger.warning(
+ "Some capabilities including the ipa command capability "
+ "may not be available")
+ except errors.PublicError as e2:
+ root_logger.warning(
+ "Second connect with delegate=True also failed: %s", e2)
+ root_logger.error(
+ "Cannot connect to the IPA server RPC interface: %s", e2)
+ return CLIENT_INSTALL_ERROR
+ except errors.PublicError as e:
+ root_logger.error(
+ "Cannot connect to the server due to generic error: %s", e)
+ return CLIENT_INSTALL_ERROR
+
+ # Use the RPC directly so older servers are supported
+ try:
+ result = api.Backend.rpcclient.forward(
+ 'ca_is_enabled',
+ version=u'2.107',
+ )
+ ca_enabled = result['result']
+ except (errors.CommandError, errors.NetworkError):
+ result = api.Backend.rpcclient.forward(
+ 'env',
+ server=True,
+ version=u'2.0',
+ )
+ ca_enabled = result['result']['enable_ra']
+ if not ca_enabled:
+ disable_ra()
+
+ # Create IPA NSS database
+ try:
+ certdb.create_ipa_nssdb()
+ except ipautil.CalledProcessError as e:
+ root_logger.error("Failed to create IPA NSS database: %s", e)
+ return CLIENT_INSTALL_ERROR
+
+ # Get CA certificates from the certificate store
+ try:
+ ca_certs = get_certs_from_ldap(cli_server[0], cli_basedn, cli_realm,
+ ca_enabled)
+ except errors.NoCertificateError:
+ if ca_enabled:
+ ca_subject = DN(('CN', 'Certificate Authority'), subject_base)
+ else:
+ ca_subject = None
+ ca_certs = certstore.make_compat_ca_certs(ca_certs, cli_realm,
+ ca_subject)
+ ca_certs_trust = [(c, n, certstore.key_policy_to_trust_flags(t, True, u))
+ for (c, n, t, u) in ca_certs]
+
+ # Add the CA certificates to the IPA NSS database
+ root_logger.debug("Adding CA certificates to the IPA NSS database.")
+ ipa_db = certdb.NSSDatabase(paths.IPA_NSSDB_DIR)
+ for cert, nickname, trust_flags in ca_certs_trust:
+ try:
+ ipa_db.add_cert(cert, nickname, trust_flags)
+ except CalledProcessError as e:
+ root_logger.error(
+ "Failed to add %s to the IPA NSS database.", nickname)
+ return CLIENT_INSTALL_ERROR
+
+ # Add the CA certificates to the platform-dependant systemwide CA store
+ tasks.insert_ca_certs_into_systemwide_ca_store(ca_certs)
+
+ # Add the CA certificates to the default NSS database
+ root_logger.debug(
+ "Attempting to add CA certificates to the default NSS database.")
+ sys_db = certdb.NSSDatabase(paths.NSS_DB_DIR)
+ for cert, nickname, trust_flags in ca_certs_trust:
+ try:
+ sys_db.add_cert(cert, nickname, trust_flags)
+ except CalledProcessError as e:
+ root_logger.error(
+ "Failed to add %s to the default NSS database.", nickname)
+ return CLIENT_INSTALL_ERROR
+ root_logger.info("Added CA certificates to the default NSS database.")
+
+ if not options.on_master:
+ client_dns(cli_server[0], hostname, options)
+ configure_certmonger(fstore, subject_base, cli_realm, hostname,
+ options, ca_enabled)
+
+ update_ssh_keys(cli_server[0], hostname, services.knownservices.sshd.get_config_dir(), options.create_sshfp)
+
+ try:
+ os.remove(CCACHE_FILE)
+ except Exception:
+ pass
+
+ #Name Server Caching Daemon. Disable for SSSD, use otherwise (if installed)
+ nscd = services.knownservices.nscd
+ if nscd.is_installed():
+ save_state(nscd)
+
+ try:
+ if options.sssd:
+ nscd_service_action = 'stop'
+ nscd.stop()
+ else:
+ nscd_service_action = 'restart'
+ nscd.restart()
+ except Exception:
+ root_logger.warning("Failed to %s the %s daemon",
+ nscd_service_action, nscd.service_name)
+ if not options.sssd:
+ root_logger.warning(
+ "Caching of users/groups will not be available")
+
+ try:
+ if options.sssd:
+ nscd.disable()
+ else:
+ nscd.enable()
+ except Exception:
+ if not options.sssd:
+ root_logger.warning(
+ "Failed to configure automatic startup of the %s daemon",
+ nscd.service_name)
+ root_logger.info("Caching of users/groups will not be " +
+ "available after reboot")
+ else:
+ root_logger.warning(
+ "Failed to disable %s daemon. Disable it manually.",
+ nscd.service_name)
+
+ else:
+ # this is optional service, just log
+ if not options.sssd:
+ root_logger.info("%s daemon is not installed, skip configuration",
+ nscd.service_name)
+
+ nslcd = services.knownservices.nslcd
+ if nscd.is_installed():
+ save_state(nslcd)
+
+ retcode, conf, filename = (0, None, None)
+
+ if not options.no_ac:
+ # Modify nsswitch/pam stack
+ tasks.modify_nsswitch_pam_stack(sssd=options.sssd,
+ mkhomedir=options.mkhomedir,
+ statestore=statestore)
+
+ root_logger.info("%s enabled", "SSSD" if options.sssd else "LDAP")
+
+ if options.sssd:
+ sssd = services.service('sssd')
+ try:
+ sssd.restart()
+ except CalledProcessError:
+ root_logger.warning("SSSD service restart was unsuccessful.")
+
+ try:
+ sssd.enable()
+ except CalledProcessError as e:
+ root_logger.warning(
+ "Failed to enable automatic startup of the SSSD daemon: %s", e)
+
+ if not options.sssd:
+ tasks.modify_pam_to_use_krb5(statestore)
+ root_logger.info("Kerberos 5 enabled")
+
+ # Update non-SSSD LDAP configuration after authconfig calls as it would
+ # change its configuration otherways
+ if not options.sssd:
+ for configurer in [configure_ldap_conf, configure_nslcd_conf]:
+ (retcode, conf, filenames) = configurer(fstore, cli_basedn, cli_realm, cli_domain, cli_server, dnsok, options, nosssd_files[configurer.__name__])
+ if retcode:
+ return CLIENT_INSTALL_ERROR
+ if conf:
+ root_logger.info(
+ "%s configured using configuration file(s) %s",
+ conf, filenames)
+
+ if configure_openldap_conf(fstore, cli_basedn, cli_server):
+ root_logger.info("Configured /etc/openldap/ldap.conf")
+ else:
+ root_logger.info("Failed to configure /etc/openldap/ldap.conf")
+
+ #Check that nss is working properly
+ if not options.on_master:
+ n = 0
+ found = False
+ # Loop for up to 10 seconds to see if nss is working properly.
+ # It can sometimes take a few seconds to connect to the remote provider.
+ # Particulary, SSSD might take longer than 6-8 seconds.
+ while n < 10 and not found:
+ try:
+ ipautil.run(["getent", "passwd", "admin@%s" % cli_domain])
+ found = True
+ except Exception as e:
+ time.sleep(1)
+ n = n + 1
+
+ if not found:
+ root_logger.error(
+ "Unable to find 'admin' user with "
+ "'getent passwd admin@%s'!" % cli_domain)
+ if conf:
+ root_logger.info("Recognized configuration: %s", conf)
+ else:
+ root_logger.error("Unable to reliably detect " +
+ "configuration. Check NSS setup manually.")
+
+ try:
+ hardcode_ldap_server(cli_server)
+ except Exception as e:
+ root_logger.error("Adding hardcoded server name to " +
+ "/etc/ldap.conf failed: %s", str(e))
+
+ if options.conf_ntp and not options.on_master:
+ # disable other time&date services first
+ if options.force_ntpd:
+ ipaclient.ntpconf.force_ntpd(statestore)
+
+ if options.ntp_servers:
+ ntp_servers = options.ntp_servers
+ elif ntp_srv_servers:
+ ntp_servers = ntp_srv_servers
+ else:
+ root_logger.warning("No SRV records of NTP servers found. IPA "
+ "server address will be used")
+ ntp_servers = cli_server
+
+ ipaclient.ntpconf.config_ntp(ntp_servers, fstore, statestore)
+ root_logger.info("NTP enabled")
+
+ if options.conf_ssh:
+ configure_ssh_config(fstore, options)
+
+ if options.conf_sshd:
+ configure_sshd_config(fstore, options)
+
+ if options.location:
+ configure_automount(options)
+
+ if options.configure_firefox:
+ configure_firefox(options, statestore, cli_domain)
+
+ if not options.no_nisdomain:
+ configure_nisdomain(options=options, domain=cli_domain)
+
+ root_logger.info('Client configuration complete.')
+
+ return 0
+
+def main():
+ safe_options, options = parse_options()
+
+ if not os.getegid() == 0:
+ sys.exit("\nYou must be root to run ipa-client-install.\n")
+ tasks.check_selinux_status()
+ logging_setup(options)
+ root_logger.debug(
+ '%s was invoked with options: %s', sys.argv[0], safe_options)
+ root_logger.debug("missing options might be asked for interactively later")
+ root_logger.debug('IPA version %s' % version.VENDOR_VERSION)
+
+ env={"PATH":"/bin:/sbin:/usr/kerberos/bin:/usr/kerberos/sbin:/usr/bin:/usr/sbin"}
+
+ global fstore
+ fstore = sysrestore.FileStore(paths.IPA_CLIENT_SYSRESTORE)
+
+ global statestore
+ statestore = sysrestore.StateFile(paths.IPA_CLIENT_SYSRESTORE)
+
+ if options.uninstall:
+ return uninstall(options, env)
+
+ if is_ipa_client_installed(on_master=options.on_master):
+ root_logger.error("IPA client is already configured on this system.")
+ root_logger.info(
+ "If you want to reinstall the IPA client, uninstall it first " +
+ "using 'ipa-client-install --uninstall'.")
+ return CLIENT_ALREADY_CONFIGURED
+
+ rval = install(options, env, fstore, statestore)
+ if rval == CLIENT_INSTALL_ERROR:
+ if options.force:
+ root_logger.warning(
+ "Installation failed. Force set so not rolling back changes.")
+ elif options.on_master:
+ root_logger.warning(
+ "Installation failed. As this is IPA server, changes will not "
+ "be rolled back."
+ )
+ else:
+ root_logger.error("Installation failed. Rolling back changes.")
+ options.unattended = True
+ uninstall(options, env)
+
+ return rval
+
+try:
+ if __name__ == "__main__":
+ sys.exit(main())
+except SystemExit as e:
+ sys.exit(e)
+except KeyboardInterrupt:
+ sys.exit(1)
+except RuntimeError as e:
+ sys.exit(e)
+finally:
+ try:
+ os.remove(CCACHE_FILE)
+ except Exception:
+ pass
diff --git a/client/ipa-getkeytab.c b/client/ipa-getkeytab.c
new file mode 100644
index 000000000..3592d9970
--- /dev/null
+++ b/client/ipa-getkeytab.c
@@ -0,0 +1,913 @@
+/* Authors: Simo Sorce <ssorce@redhat.com>
+ *
+ * Copyright (C) 2007 Red Hat
+ * see file 'COPYING' for use and warranty information
+ *
+ * This program is free software you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#define _GNU_SOURCE
+
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <sys/time.h>
+#include <unistd.h>
+#include <stdio.h>
+#include <stdarg.h>
+#include <stdlib.h>
+#include <stdint.h>
+#include <stdbool.h>
+#include <string.h>
+#include <errno.h>
+#include <time.h>
+#include <krb5.h>
+#include <ldap.h>
+#include <sasl/sasl.h>
+#include <popt.h>
+#include <ini_configobj.h>
+
+#include "config.h"
+
+#include "ipa_krb5.h"
+#include "ipa_asn1.h"
+#include "ipa-client-common.h"
+
+static int ldap_sasl_interact(LDAP *ld, unsigned flags, void *priv_data, void *sit)
+{
+ sasl_interact_t *in = NULL;
+ int ret = LDAP_OTHER;
+ krb5_principal princ = (krb5_principal)priv_data;
+ krb5_context krbctx;
+ char *outname = NULL;
+ krb5_error_code krberr;
+
+ if (!ld) return LDAP_PARAM_ERROR;
+
+ for (in = sit; in && in->id != SASL_CB_LIST_END; in++) {
+ switch(in->id) {
+ case SASL_CB_USER:
+ krberr = krb5_init_context(&krbctx);
+
+ if (krberr) {
+ fprintf(stderr, _("Kerberos context initialization failed: %1$s (%2$d)\n"),
+ error_message(krberr), krberr);
+ in->result = NULL;
+ in->len = 0;
+ ret = LDAP_LOCAL_ERROR;
+ break;
+ }
+
+ krberr = krb5_unparse_name(krbctx, princ, &outname);
+
+ if (krberr) {
+ fprintf(stderr, _("Unable to parse principal: %1$s (%2$d)\n"),
+ error_message(krberr), krberr);
+ in->result = NULL;
+ in->len = 0;
+ ret = LDAP_LOCAL_ERROR;
+ break;
+ }
+
+ in->result = outname;
+ in->len = strlen(outname);
+ ret = LDAP_SUCCESS;
+
+ krb5_free_context(krbctx);
+
+ break;
+ case SASL_CB_GETREALM:
+ in->result = princ->realm.data;
+ in->len = princ->realm.length;
+ ret = LDAP_SUCCESS;
+ break;
+ default:
+ in->result = NULL;
+ in->len = 0;
+ ret = LDAP_OTHER;
+ }
+ }
+ return ret;
+}
+
+int filter_keys(krb5_context krbctx, struct keys_container *keys,
+ ber_int_t *enctypes)
+{
+ struct krb_key_salt *ksdata;
+ int i, j, n;
+
+ n = keys->nkeys;
+ ksdata = keys->ksdata;
+ for (i = 0; i < n; i++) {
+ if (ksdata[i].enctype == enctypes[i]) continue;
+ if (enctypes[i] == 0) {
+ /* remove unsupported one */
+ krb5_free_keyblock_contents(krbctx, &ksdata[i].key);
+ krb5_free_data_contents(krbctx, &ksdata[i].salt);
+ for (j = i; j < n-1; j++) {
+ ksdata[j] = ksdata[j + 1];
+ enctypes[j] = enctypes[j + 1];
+ }
+ n--;
+ /* new key has been moved to this position, make sure
+ * we do not skip it, by neutralizing next i increment */
+ i--;
+ }
+ }
+
+ if (n == 0) {
+ fprintf(stderr, _("No keys accepted by KDC\n"));
+ return 0;
+ }
+
+ keys->nkeys = n;
+ return n;
+}
+
+static int ipa_ldap_init(LDAP ** ld, const char * scheme, const char * servername, const int port)
+{
+ char* url = NULL;
+ int url_len = snprintf(url,0,"%s://%s:%d",scheme,servername,port) +1;
+
+ url = (char *)malloc (url_len);
+ if (!url){
+ fprintf(stderr, _("Out of memory \n"));
+ return LDAP_NO_MEMORY;
+ }
+ sprintf(url,"%s://%s:%d",scheme,servername,port);
+ int rc = ldap_initialize(ld, url);
+
+ free(url);
+ return rc;
+}
+
+const char *ca_cert_file = "/etc/ipa/ca.crt";
+
+static int ipa_ldap_bind(const char *server_name, krb5_principal bind_princ,
+ const char *bind_dn, const char *bind_pw, LDAP **_ld)
+{
+ char *msg = NULL;
+ struct berval bv;
+ int version;
+ LDAP *ld;
+ int ssl;
+ int ret;
+
+ /* TODO: support referrals ? */
+ if (bind_dn) {
+ ret = ldap_set_option(NULL, LDAP_OPT_X_TLS_CACERTFILE, ca_cert_file);
+ if (ret != LDAP_OPT_SUCCESS) {
+ fprintf(stderr, _("Unable to set LDAP_OPT_X_TLS_CERTIFICATE\n"));
+ return ret;
+ }
+
+ ret = ipa_ldap_init(&ld, "ldaps", server_name, 636);
+ if (ret != LDAP_SUCCESS) {
+ fprintf(stderr, _("Unable to init for ldaps(636) connection\n"));
+ return ret;
+ }
+
+ ssl = LDAP_OPT_X_TLS_HARD;;
+ ret = ldap_set_option(ld, LDAP_OPT_X_TLS, &ssl);
+ if (ret != LDAP_OPT_SUCCESS) {
+ fprintf(stderr, _("Unable to set LDAP_OPT_X_TLS\n"));
+ goto done;
+ }
+ } else {
+ ret = ipa_ldap_init(&ld, "ldap", server_name, 389);
+ if (ret != LDAP_SUCCESS) {
+ fprintf(stderr, _("Unable to init for ldap(389) connection\n"));
+ return ret;
+ }
+ }
+
+ if (ld == NULL) {
+ fprintf(stderr, _("Unable to initialize ldap library!\n"));
+ return LDAP_OPERATIONS_ERROR;
+ }
+
+#ifdef LDAP_OPT_X_SASL_NOCANON
+ /* Don't do DNS canonicalization */
+ ret = ldap_set_option(ld, LDAP_OPT_X_SASL_NOCANON, LDAP_OPT_ON);
+ if (ret != LDAP_SUCCESS) {
+ fprintf(stderr, _("Unable to set LDAP_OPT_X_SASL_NOCANON\n"));
+ goto done;
+ }
+#endif
+
+ version = LDAP_VERSION3;
+ ret = ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION, &version);
+ if (ret != LDAP_SUCCESS) {
+ fprintf(stderr, _("Unable to set LDAP_OPT_PROTOCOL_VERSION\n"));
+ goto done;
+ }
+
+ if (bind_dn) {
+ bv.bv_val = discard_const(bind_pw);
+ bv.bv_len = strlen(bind_pw);
+
+ ret = ldap_sasl_bind_s(ld, bind_dn, LDAP_SASL_SIMPLE,
+ &bv, NULL, NULL, NULL);
+ if (ret != LDAP_SUCCESS) {
+ fprintf(stderr, _("Simple bind failed\n"));
+ goto done;
+ }
+ } else {
+ ret = ldap_sasl_interactive_bind_s(ld, NULL, "GSSAPI",
+ NULL, NULL, LDAP_SASL_QUIET,
+ ldap_sasl_interact, bind_princ);
+ if (ret != LDAP_SUCCESS) {
+#ifdef LDAP_OPT_DIAGNOSTIC_MESSAGE
+ ldap_get_option(ld, LDAP_OPT_DIAGNOSTIC_MESSAGE, (void*)&msg);
+#endif
+ fprintf(stderr, "SASL Bind failed %s (%d) %s!\n",
+ ldap_err2string(ret), ret, msg ? msg : "");
+ goto done;
+ }
+ }
+
+ ret = LDAP_SUCCESS;
+
+done:
+ if (ret != LDAP_SUCCESS) {
+ if (ld) ldap_unbind_ext(ld, NULL, NULL);
+ } else {
+ *_ld = ld;
+ }
+ return ret;
+}
+
+static int ipa_ldap_extended_op(LDAP *ld, const char *reqoid,
+ struct berval *control,
+ LDAPControl ***srvctrl)
+{
+ struct berval *retdata = NULL;
+ LDAPMessage *res = NULL;
+ char *retoid = NULL;
+ struct timeval tv;
+ char *err = NULL;
+ int msgid;
+ int ret, rc;
+
+ ret = ldap_extended_operation(ld, reqoid, control,
+ NULL, NULL, &msgid);
+ if (ret != LDAP_SUCCESS) {
+ fprintf(stderr, _("Operation failed: %s\n"), ldap_err2string(ret));
+ return ret;
+ }
+
+ /* wait max 10 secs for the answer */
+ tv.tv_sec = 10;
+ tv.tv_usec = 0;
+ ret = ldap_result(ld, msgid, 1, &tv, &res);
+ if (ret == -1) {
+ fprintf(stderr, _("Failed to get result: %s\n"), ldap_err2string(ret));
+ goto done;
+ }
+
+ ret = ldap_parse_extended_result(ld, res, &retoid, &retdata, 0);
+ if (ret != LDAP_SUCCESS) {
+ fprintf(stderr, _("Failed to parse extended result: %s\n"),
+ ldap_err2string(ret));
+ goto done;
+ }
+
+ ret = ldap_parse_result(ld, res, &rc, NULL, &err, NULL, srvctrl, 0);
+ if (ret != LDAP_SUCCESS || rc != LDAP_SUCCESS) {
+ fprintf(stderr, _("Failed to parse result: %s\n"),
+ err ? err : ldap_err2string(ret));
+ if (ret == LDAP_SUCCESS) ret = rc;
+ goto done;
+ }
+
+done:
+ if (err) ldap_memfree(err);
+ if (res) ldap_msgfree(res);
+ return ret;
+}
+
+static int find_control_data(LDAPControl **list, const char *repoid,
+ struct berval *data)
+{
+ LDAPControl *control = NULL;
+ int i;
+
+ if (!list) {
+ fprintf(stderr, _("Missing reply control list!\n"));
+ return LDAP_OPERATIONS_ERROR;
+ }
+
+ for (i = 0; list[i]; i++) {
+ if (strcmp(list[i]->ldctl_oid, repoid) == 0) {
+ control = list[i];
+ }
+ }
+ if (!control) {
+ fprintf(stderr, _("Missing reply control!\n"));
+ return LDAP_OPERATIONS_ERROR;
+ }
+
+ *data = control->ldctl_value;
+ return LDAP_SUCCESS;
+}
+
+static BerElement *get_control_data(LDAPControl **list, const char *repoid)
+{
+ struct berval data;
+ int ret;
+
+ ret = find_control_data(list, repoid, &data);
+ if (ret != LDAP_SUCCESS) return NULL;
+
+ return ber_init(&data);
+}
+
+static int ldap_set_keytab(krb5_context krbctx,
+ const char *servername,
+ const char *principal_name,
+ krb5_principal princ,
+ const char *binddn,
+ const char *bindpw,
+ struct keys_container *keys)
+{
+ LDAP *ld = NULL;
+ BerElement *sctrl = NULL;
+ struct berval *control = NULL;
+ LDAPControl **srvctrl = NULL;
+ int ret;
+ int kvno, i;
+ ber_tag_t rtag;
+ ber_int_t *encs = NULL;
+ int successful_keys = 0;
+
+ /* cant' return more than nkeys, sometimes less */
+ encs = calloc(keys->nkeys + 1, sizeof(ber_int_t));
+ if (!encs) {
+ fprintf(stderr, _("Out of Memory!\n"));
+ return 0;
+ }
+
+ /* build password change control */
+ control = create_key_control(keys, principal_name);
+ if (!control) {
+ fprintf(stderr, _("Failed to create control!\n"));
+ goto error_out;
+ }
+
+ ret = ipa_ldap_bind(servername, princ, binddn, bindpw, &ld);
+ if (ret != LDAP_SUCCESS) {
+ fprintf(stderr, _("Failed to bind to server!\n"));
+ goto error_out;
+ }
+
+ /* perform password change */
+ ret = ipa_ldap_extended_op(ld, KEYTAB_SET_OID, control, &srvctrl);
+ if (ret != LDAP_SUCCESS) {
+ fprintf(stderr, _("Failed to get keytab!\n"));
+ goto error_out;
+ }
+
+ ber_bvfree(control);
+ control = NULL;
+
+ sctrl = get_control_data(srvctrl, KEYTAB_RET_OID);
+ if (!sctrl) {
+ fprintf(stderr, _("ber_init() failed, Invalid control ?!\n"));
+ goto error_out;
+ }
+
+ /* Format of response
+ *
+ * KeytabGetRequest ::= SEQUENCE {
+ * new_kvno Int32
+ * SEQUENCE OF KeyTypes
+ * }
+ *
+ * * List of accepted enctypes *
+ * KeyTypes ::= SEQUENCE {
+ * enctype Int32
+ * }
+ */
+
+ rtag = ber_scanf(sctrl, "{i{", &kvno);
+ if (rtag == LBER_ERROR) {
+ fprintf(stderr, _("ber_scanf() failed, unable to find kvno ?!\n"));
+ goto error_out;
+ }
+
+ for (i = 0; i < keys->nkeys; i++) {
+ ret = ber_scanf(sctrl, "{i}", &encs[i]);
+ if (ret == LBER_ERROR) {
+ char enc[79]; /* fit std terminal or truncate */
+ krb5_error_code krberr;
+ krberr = krb5_enctype_to_string(
+ keys->ksdata[i].enctype, enc, 79);
+ if (krberr) {
+ fprintf(stderr, _("Failed to retrieve "
+ "encryption type type #%d\n"),
+ keys->ksdata[i].enctype);
+ } else {
+ fprintf(stderr, _("Failed to retrieve "
+ "encryption type %1$s (#%2$d)\n"),
+ enc, keys->ksdata[i].enctype);
+ }
+ } else {
+ successful_keys++;
+ }
+ }
+
+ if (successful_keys == 0) {
+ fprintf(stderr, _("Failed to retrieve any keys"));
+ goto error_out;
+ }
+
+ ret = filter_keys(krbctx, keys, encs);
+ if (ret == 0) goto error_out;
+
+ ber_free(sctrl, 1);
+ ldap_controls_free(srvctrl);
+ ldap_unbind_ext(ld, NULL, NULL);
+ free(encs);
+ return kvno;
+
+error_out:
+ if (sctrl) ber_free(sctrl, 1);
+ if (srvctrl) ldap_controls_free(srvctrl);
+ if (ld) ldap_unbind_ext(ld, NULL, NULL);
+ if (control) ber_bvfree(control);
+ free(encs);
+ return -1;
+}
+
+/* use asn1c generated code to fill up control */
+static struct berval *create_getkeytab_control(const char *svc_princ, bool gen,
+ const char *password,
+ struct krb_key_salt *encsalts,
+ int num_encsalts)
+{
+ struct berval *result = NULL;
+ void *buffer = NULL;
+ size_t buflen;
+ long ets[num_encsalts];
+ bool ret;
+ int i;
+
+ if (gen) {
+ for (i = 0; i < num_encsalts; i++) {
+ ets[i] = encsalts[i].enctype;
+ }
+ }
+ ret = ipaasn1_enc_getkt(gen, svc_princ,
+ password, ets, num_encsalts,
+ &buffer, &buflen);
+ if (!ret) goto done;
+
+ result = malloc(sizeof(struct berval));
+ if (!result) goto done;
+
+ result->bv_val = buffer;
+ result->bv_len = buflen;
+
+done:
+ if (result == NULL) {
+ if (buffer) {
+ free(buffer);
+ }
+ }
+ return result;
+}
+
+#define GK_REPLY_TAG (LBER_CLASS_CONTEXT | LBER_CONSTRUCTED | 2)
+#define GKREP_KEY_TAG (LBER_CLASS_CONTEXT | LBER_CONSTRUCTED | 0)
+#define GKREP_SALT_TAG (LBER_CLASS_CONTEXT | LBER_CONSTRUCTED | 1)
+
+static int ldap_get_keytab(krb5_context krbctx, bool generate, char *password,
+ const char *enctypes, const char *bind_server,
+ const char *svc_princ, krb5_principal bind_princ,
+ const char *bind_dn, const char *bind_pw,
+ struct keys_container *keys, int *kvno,
+ char **err_msg)
+{
+ struct krb_key_salt *es = NULL;
+ int num_es = 0;
+ struct berval *control = NULL;
+ LDAP *ld = NULL;
+ LDAPControl **srvctrl = NULL;
+ struct berval data;
+ bool res;
+ int ret;
+
+ *err_msg = NULL;
+
+ if (enctypes) {
+ ret = ipa_string_to_enctypes(enctypes, &es, &num_es, err_msg);
+ if (ret || num_es == 0) {
+ return LDAP_OPERATIONS_ERROR;
+ }
+ }
+
+ control = create_getkeytab_control(svc_princ, generate,
+ password, es, num_es);
+ if (!control) {
+ *err_msg = _("Failed to create control!\n");
+ ret = LDAP_OPERATIONS_ERROR;
+ goto done;
+ }
+
+ ret = ipa_ldap_bind(bind_server, bind_princ, bind_dn, bind_pw, &ld);
+ if (ret != LDAP_SUCCESS) {
+ *err_msg = _("Failed to bind to server!\n");
+ goto done;
+ }
+
+ /* perform extedned opt to get keytab */
+ ret = ipa_ldap_extended_op(ld, KEYTAB_GET_OID, control, &srvctrl);
+ if (ret != LDAP_SUCCESS) {
+ goto done;
+ }
+
+ ret = find_control_data(srvctrl, KEYTAB_GET_OID, &data);
+ if (ret != LDAP_SUCCESS) goto done;
+
+ res = ipaasn1_dec_getktreply(data.bv_val, data.bv_len, kvno, keys);
+ if (!res) {
+ *err_msg = _("Failed to decode control reply!\n");
+ ret = LDAP_OPERATIONS_ERROR;
+ goto done;
+ }
+
+ ret = LDAP_SUCCESS;
+
+done:
+ if (ld) ldap_unbind_ext(ld, NULL, NULL);
+ if (control) ber_bvfree(control);
+ free(es);
+ if (ret) {
+ free_keys_contents(krbctx, keys);
+ }
+ return ret;
+}
+
+static char *ask_password(krb5_context krbctx)
+{
+ krb5_prompt ap_prompts[2];
+ krb5_data k5d_pw0;
+ krb5_data k5d_pw1;
+ char pw0[256];
+ char pw1[256];
+ char *password;
+
+ k5d_pw0.length = sizeof(pw0);
+ k5d_pw0.data = pw0;
+ ap_prompts[0].prompt = _("New Principal Password");
+ ap_prompts[0].hidden = 1;
+ ap_prompts[0].reply = &k5d_pw0;
+
+ k5d_pw1.length = sizeof(pw1);
+ k5d_pw1.data = pw1;
+ ap_prompts[1].prompt = _("Verify Principal Password");
+ ap_prompts[1].hidden = 1;
+ ap_prompts[1].reply = &k5d_pw1;
+
+ krb5_prompter_posix(krbctx, NULL,
+ NULL, NULL,
+ 2, ap_prompts);
+
+ if (strcmp(pw0, pw1)) {
+ fprintf(stderr, _("Passwords do not match!"));
+ return NULL;
+ }
+
+ password = malloc(k5d_pw0.length + 1);
+ if (!password) return NULL;
+ memcpy(password, pw0, k5d_pw0.length);
+ password[k5d_pw0.length] = '\0';
+
+ return password;
+}
+
+struct ipa_config {
+ const char *server_name;
+};
+
+static int config_from_file(struct ini_cfgobj *cfgctx)
+{
+ struct ini_cfgfile *fctx = NULL;
+ char **errors = NULL;
+ int ret;
+
+ ret = ini_config_file_open(IPACONFFILE, 0, &fctx);
+ if (ret) {
+ fprintf(stderr, _("Failed to open config file %s\n"), IPACONFFILE);
+ return ret;
+ }
+
+ ret = ini_config_parse(fctx,
+ INI_STOP_ON_ANY,
+ INI_MS_MERGE | INI_MV1S_ALLOW | INI_MV2S_ALLOW,
+ INI_PARSE_NOWRAP,
+ cfgctx);
+ if (ret) {
+ fprintf(stderr, _("Failed to parse config file %s\n"), IPACONFFILE);
+ if (ini_config_error_count(cfgctx)) {
+ ini_config_get_errors(cfgctx, &errors);
+ if (errors) {
+ ini_config_print_errors(stderr, errors);
+ ini_config_free_errors(errors);
+ }
+ }
+ ini_config_file_destroy(fctx);
+ return ret;
+ }
+
+ ini_config_file_destroy(fctx);
+ return 0;
+}
+
+int read_ipa_config(struct ipa_config **ipacfg)
+{
+ struct ini_cfgobj *cfgctx = NULL;
+ struct value_obj *obj = NULL;
+ int ret;
+
+ *ipacfg = calloc(1, sizeof(struct ipa_config));
+ if (!*ipacfg) {
+ return ENOMEM;
+ }
+
+ ret = ini_config_create(&cfgctx);
+ if (ret) {
+ return ENOENT;
+ }
+
+ ret = config_from_file(cfgctx);
+ if (ret) {
+ ini_config_destroy(cfgctx);
+ return EINVAL;
+ }
+
+ ret = ini_get_config_valueobj("global", "server", cfgctx,
+ INI_GET_LAST_VALUE, &obj);
+ if (ret != 0 || obj == NULL) {
+ /* if called on an IPA server we need to look for 'host' instead */
+ ret = ini_get_config_valueobj("global", "host", cfgctx,
+ INI_GET_LAST_VALUE, &obj);
+ }
+
+ if (ret == 0 && obj != NULL) {
+ (*ipacfg)->server_name = ini_get_string_config_value(obj, &ret);
+ }
+
+ return 0;
+}
+
+int main(int argc, const char *argv[])
+{
+ static const char *server = NULL;
+ static const char *principal = NULL;
+ static const char *keytab = NULL;
+ static const char *enctypes_string = NULL;
+ static const char *binddn = NULL;
+ static const char *bindpw = NULL;
+ int quiet = 0;
+ int askpass = 0;
+ int permitted_enctypes = 0;
+ int retrieve = 0;
+ struct poptOption options[] = {
+ { "quiet", 'q', POPT_ARG_NONE, &quiet, 0,
+ _("Print as little as possible"), _("Output only on errors")},
+ { "server", 's', POPT_ARG_STRING, &server, 0,
+ _("Contact this specific KDC Server"),
+ _("Server Name") },
+ { "principal", 'p', POPT_ARG_STRING, &principal, 0,
+ _("The principal to get a keytab for (ex: ftp/ftp.example.com@EXAMPLE.COM)"),
+ _("Kerberos Service Principal Name") },
+ { "keytab", 'k', POPT_ARG_STRING, &keytab, 0,
+ _("File were to store the keytab information"),
+ _("Keytab File Name") },
+ { "enctypes", 'e', POPT_ARG_STRING, &enctypes_string, 0,
+ _("Encryption types to request"),
+ _("Comma separated encryption types list") },
+ { "permitted-enctypes", 0, POPT_ARG_NONE, &permitted_enctypes, 0,
+ _("Show the list of permitted encryption types and exit"),
+ _("Permitted Encryption Types") },
+ { "password", 'P', POPT_ARG_NONE, &askpass, 0,
+ _("Asks for a non-random password to use for the principal"), NULL },
+ { "binddn", 'D', POPT_ARG_STRING, &binddn, 0,
+ _("LDAP DN"), _("DN to bind as if not using kerberos") },
+ { "bindpw", 'w', POPT_ARG_STRING, &bindpw, 0,
+ _("LDAP password"), _("password to use if not using kerberos") },
+ { "retrieve", 'r', POPT_ARG_NONE, &retrieve, 0,
+ _("Retrieve current keys without changing them"), NULL },
+ POPT_AUTOHELP
+ POPT_TABLEEND
+ };
+ poptContext pc;
+ char *ktname;
+ char *password = NULL;
+ krb5_context krbctx;
+ krb5_ccache ccache;
+ krb5_principal uprinc = NULL;
+ krb5_principal sprinc;
+ krb5_error_code krberr;
+ struct keys_container keys = { 0 };
+ krb5_keytab kt;
+ int kvno;
+ int i, ret;
+ char *err_msg;
+
+ ret = init_gettext();
+ if (ret) {
+ fprintf(stderr, "Failed to load translations\n");
+ }
+
+ krberr = krb5_init_context(&krbctx);
+ if (krberr) {
+ fprintf(stderr, _("Kerberos context initialization failed\n"));
+ exit(1);
+ }
+
+ pc = poptGetContext("ipa-getkeytab", argc, (const char **)argv, options, 0);
+ ret = poptGetNextOpt(pc);
+ if (ret == -1 && permitted_enctypes &&
+ !(server || principal || keytab || quiet)) {
+ krb5_enctype *ktypes;
+ char enc[79]; /* fit std terminal or truncate */
+
+ krberr = krb5_get_permitted_enctypes(krbctx, &ktypes);
+ if (krberr) {
+ fprintf(stderr, _("No system preferred enctypes ?!\n"));
+ exit(1);
+ }
+ fprintf(stdout, _("Supported encryption types:\n"));
+ for (i = 0; ktypes[i]; i++) {
+ krberr = krb5_enctype_to_string(ktypes[i], enc, 79);
+ if (krberr) {
+ fprintf(stderr, _("Warning: "
+ "failed to convert type (#%d)\n"), i);
+ continue;
+ }
+ fprintf(stdout, "%s\n", enc);
+ }
+ ipa_krb5_free_ktypes(krbctx, ktypes);
+ exit (0);
+ }
+
+ if (ret != -1 || !principal || !keytab || permitted_enctypes) {
+ if (!quiet) {
+ poptPrintUsage(pc, stderr, 0);
+ }
+ exit(2);
+ }
+
+ if (NULL!=binddn && NULL==bindpw) {
+ fprintf(stderr,
+ _("Bind password required when using a bind DN.\n"));
+ if (!quiet)
+ poptPrintUsage(pc, stderr, 0);
+ exit(10);
+ }
+
+ if (!server) {
+ struct ipa_config *ipacfg = NULL;
+
+ ret = read_ipa_config(&ipacfg);
+ if (ret == 0) {
+ server = ipacfg->server_name;
+ ipacfg->server_name = NULL;
+ }
+ free(ipacfg);
+ if (!server) {
+ fprintf(stderr, _("Server name not provided and unavailable\n"));
+ exit(2);
+ }
+ }
+
+ if (askpass && retrieve) {
+ fprintf(stderr, _("Incompatible options provided (-r and -P)\n"));
+ exit(2);
+ }
+
+ if (askpass) {
+ password = ask_password(krbctx);
+ if (!password) {
+ exit(2);
+ }
+ } else if (enctypes_string && strchr(enctypes_string, ':')) {
+ if (!quiet) {
+ fprintf(stderr, _("Warning: salt types are not honored"
+ " with randomized passwords (see opt. -P)\n"));
+ }
+ }
+
+ ret = asprintf(&ktname, "WRFILE:%s", keytab);
+ if (ret == -1) {
+ exit(3);
+ }
+
+ krberr = krb5_parse_name(krbctx, principal, &sprinc);
+ if (krberr) {
+ fprintf(stderr, _("Invalid Service Principal Name\n"));
+ exit(4);
+ }
+
+ if (NULL == bindpw) {
+ krberr = krb5_cc_default(krbctx, &ccache);
+ if (krberr) {
+ fprintf(stderr,
+ _("Kerberos Credential Cache not found. "
+ "Do you have a Kerberos Ticket?\n"));
+ exit(5);
+ }
+
+ krberr = krb5_cc_get_principal(krbctx, ccache, &uprinc);
+ if (krberr) {
+ fprintf(stderr,
+ _("Kerberos User Principal not found. "
+ "Do you have a valid Credential Cache?\n"));
+ exit(6);
+ }
+ }
+
+ krberr = krb5_kt_resolve(krbctx, ktname, &kt);
+ if (krberr) {
+ fprintf(stderr, _("Failed to open Keytab\n"));
+ exit(7);
+ }
+
+ kvno = -1;
+ ret = ldap_get_keytab(krbctx, (retrieve == 0), password, enctypes_string,
+ server, principal, uprinc, binddn, bindpw,
+ &keys, &kvno, &err_msg);
+ if (ret) {
+ if (!quiet && err_msg != NULL) {
+ fprintf(stderr, "%s", err_msg);
+ }
+ }
+
+ if (retrieve == 0 && kvno == -1) {
+ if (!quiet) {
+ fprintf(stderr,
+ _("Retrying with pre-4.0 keytab retrieval method...\n"));
+ }
+
+ /* create key material */
+ ret = create_keys(krbctx, sprinc, password, enctypes_string, &keys, &err_msg);
+ if (!ret) {
+ if (err_msg != NULL) {
+ fprintf(stderr, "%s", err_msg);
+ }
+
+ fprintf(stderr, _("Failed to create key material\n"));
+ exit(8);
+ }
+
+ kvno = ldap_set_keytab(krbctx, server, principal, uprinc, binddn, bindpw, &keys);
+ }
+
+ if (kvno == -1) {
+ fprintf(stderr, _("Failed to get keytab\n"));
+ exit(9);
+ }
+
+ for (i = 0; i < keys.nkeys; i++) {
+ krb5_keytab_entry kt_entry;
+ memset((char *)&kt_entry, 0, sizeof(kt_entry));
+ kt_entry.principal = sprinc;
+ kt_entry.key = keys.ksdata[i].key;
+ kt_entry.vno = kvno;
+
+ krberr = krb5_kt_add_entry(krbctx, kt, &kt_entry);
+ if (krberr) {
+ fprintf(stderr,
+ _("Failed to add key to the keytab\n"));
+ exit (11);
+ }
+ }
+
+ free_keys_contents(krbctx, &keys);
+
+ krberr = krb5_kt_close(krbctx, kt);
+ if (krberr) {
+ fprintf(stderr, _("Failed to close the keytab\n"));
+ exit (12);
+ }
+
+ if (!quiet) {
+ fprintf(stderr,
+ _("Keytab successfully retrieved and stored in: %s\n"),
+ keytab);
+ }
+ exit(0);
+}
diff --git a/client/ipa-join.c b/client/ipa-join.c
new file mode 100644
index 000000000..ac8251fef
--- /dev/null
+++ b/client/ipa-join.c
@@ -0,0 +1,1161 @@
+/* Authors: Rob Crittenden <rcritten@redhat.com>
+ *
+ * Copyright (C) 2009 Red Hat
+ * see file 'COPYING' for use and warranty information
+ *
+ * This program is free software you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#define _GNU_SOURCE
+
+#include "config.h"
+#include <unistd.h>
+#include <stdlib.h>
+#include <stdio.h>
+#include <string.h>
+#include <errno.h>
+#include <assert.h>
+#include <sys/utsname.h>
+#include <krb5.h>
+/* Doesn't work w/mozldap */
+#include <ldap.h>
+#include <popt.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <sys/wait.h>
+
+#include "xmlrpc-c/base.h"
+#include "xmlrpc-c/client.h"
+
+#include "ipa-client-common.h"
+
+#define NAME "ipa-join"
+
+#define JOIN_OID "2.16.840.1.113730.3.8.10.3"
+
+#define CAFILE "/etc/ipa/ca.crt"
+
+#define IPA_CONFIG "/etc/ipa/default.conf"
+
+char * read_config_file(const char *filename);
+char * get_config_entry(char * data, const char *section, const char *key);
+
+static int debug = 0;
+
+/*
+ * Translate some IPA exceptions into specific errors in this context.
+ */
+static int
+handle_fault(xmlrpc_env * const envP) {
+ if (envP->fault_occurred) {
+ switch(envP->fault_code) {
+ case 2100: /* unable to add new host entry or write objectClass */
+ fprintf(stderr,
+ _("No permission to join this host to the IPA domain.\n"));
+ break;
+ default:
+ fprintf(stderr, "%s\n", envP->fault_string);
+ }
+ return 1;
+ }
+ return 0;
+}
+
+/* Get the IPA server from the configuration file.
+ * The caller is responsible for freeing this value
+ */
+static char *
+getIPAserver(char * data) {
+ return get_config_entry(data, "global", "server");
+}
+
+/* Make sure that the keytab is writable before doing anything */
+static int check_perms(const char *keytab)
+{
+ int ret;
+ int fd;
+
+ ret = access(keytab, W_OK);
+ if (ret == -1) {
+ switch(errno) {
+ case EACCES:
+ fprintf(stderr,
+ _("No write permissions on keytab file '%s'\n"),
+ keytab);
+ break;
+ case ENOENT:
+ /* file doesn't exist, lets touch it and see if writable */
+ fd = open(keytab, O_WRONLY | O_CREAT, 0600);
+ if (fd != -1) {
+ close(fd);
+ unlink(keytab);
+ return 0;
+ }
+ fprintf(stderr,
+ _("No write permissions on keytab file '%s'\n"),
+ keytab);
+ break;
+ default:
+ fprintf(stderr,
+ _("access() on %1$s failed: errno = %2$d\n"),
+ keytab, errno);
+ break;
+ }
+ return 1;
+ }
+
+ return 0;
+}
+
+/*
+ * There is no API in xmlrpc-c to set arbitrary headers but we can fake it
+ * by using a specially-crafted User-Agent string.
+ *
+ * The caller is responsible for freeing the return value.
+ */
+char *
+set_user_agent(const char *ipaserver) {
+ int ret;
+ char *user_agent = NULL;
+
+ ret = asprintf(&user_agent, "%s/%s\r\nReferer: https://%s/ipa/xml\r\nX-Original-User-Agent:", NAME, VERSION, ipaserver);
+ if (ret == -1) {
+ fprintf(stderr, _("Out of memory!"));
+ return NULL;
+ }
+ return user_agent;
+}
+
+/*
+ * Make an XML-RPC call to methodName. This uses the curl client to make
+ * a connection over SSL using the CA cert that should have been installed
+ * by ipa-client-install.
+ */
+static void
+callRPC(char * user_agent,
+ xmlrpc_env * const envP,
+ xmlrpc_server_info * const serverInfoP,
+ const char * const methodName,
+ xmlrpc_value * const paramArrayP,
+ xmlrpc_value ** const resultPP) {
+
+ struct xmlrpc_clientparms clientparms;
+ struct xmlrpc_curl_xportparms * curlXportParmsP = NULL;
+ xmlrpc_client * clientP = NULL;
+
+ memset(&clientparms, 0, sizeof(clientparms));
+
+ XMLRPC_ASSERT(xmlrpc_value_type(paramArrayP) == XMLRPC_TYPE_ARRAY);
+
+ curlXportParmsP = malloc(sizeof(*curlXportParmsP));
+ if (curlXportParmsP == NULL) {
+ xmlrpc_env_set_fault(envP, XMLRPC_INTERNAL_ERROR, _("Out of memory!"));
+ return;
+ }
+ memset(curlXportParmsP, 0, sizeof(*curlXportParmsP));
+
+ /* Have curl do SSL certificate validation */
+ curlXportParmsP->no_ssl_verifypeer = 0;
+ curlXportParmsP->no_ssl_verifyhost = 0;
+ curlXportParmsP->cainfo = "/etc/ipa/ca.crt";
+ curlXportParmsP->user_agent = user_agent;
+ /* Enable GSSAPI credentials delegation */
+ curlXportParmsP->gssapi_delegation = 1;
+
+ clientparms.transport = "curl";
+ clientparms.transportparmsP = (struct xmlrpc_xportparms *)
+ curlXportParmsP;
+ clientparms.transportparm_size = XMLRPC_CXPSIZE(gssapi_delegation);
+ xmlrpc_client_create(envP, XMLRPC_CLIENT_NO_FLAGS, NAME, VERSION,
+ &clientparms, sizeof(clientparms),
+ &clientP);
+
+ /* Set up kerberos negotiate authentication in curl. */
+ xmlrpc_server_info_set_user(envP, serverInfoP, ":", "");
+ xmlrpc_server_info_allow_auth_negotiate(envP, serverInfoP);
+
+ /* Perform the XML-RPC call */
+ if (!envP->fault_occurred) {
+ xmlrpc_client_call2(envP, clientP, serverInfoP, methodName, paramArrayP, resultPP);
+ }
+
+ /* Cleanup */
+ xmlrpc_server_info_free(serverInfoP);
+ xmlrpc_client_destroy(clientP);
+ free((void*)clientparms.transportparmsP);
+}
+
+/* The caller is responsible for unbinding the connection if ld is not NULL */
+static LDAP *
+connect_ldap(const char *hostname, const char *binddn, const char *bindpw) {
+ LDAP *ld = NULL;
+ int ssl = LDAP_OPT_X_TLS_HARD;
+ int version = LDAP_VERSION3;
+ int ret;
+ int ldapdebug = 0;
+ char *uri;
+ struct berval bindpw_bv;
+
+ if (debug) {
+ ldapdebug = 2;
+ ret = ldap_set_option(NULL, LDAP_OPT_DEBUG_LEVEL, &ldapdebug);
+ if (ret != LDAP_OPT_SUCCESS) {
+ goto fail;
+ }
+ }
+
+ if (ldap_set_option(NULL, LDAP_OPT_X_TLS_CACERTFILE, CAFILE) != LDAP_OPT_SUCCESS)
+ goto fail;
+
+ ret = asprintf(&uri, "ldaps://%s:636", hostname);
+ if (ret == -1) {
+ fprintf(stderr, _("Out of memory!"));
+ goto fail;
+ }
+
+ ret = ldap_initialize(&ld, uri);
+ free(uri);
+ if(ret != LDAP_SUCCESS) {
+ fprintf(stderr, _("Unable to initialize connection to ldap server: %s"),
+ ldap_err2string(ret));
+ goto fail;
+ }
+
+ if (ldap_set_option(ld, LDAP_OPT_X_TLS, &ssl) != LDAP_OPT_SUCCESS) {
+ fprintf(stderr, _("Unable to enable SSL in LDAP\n"));
+ goto fail;
+ }
+
+ /* Don't do DNS canonicalization */
+ ret = ldap_set_option(ld, LDAP_OPT_X_SASL_NOCANON, LDAP_OPT_ON);
+ if (ret != LDAP_SUCCESS) {
+ fprintf(stderr, _("Unable to set LDAP_OPT_X_SASL_NOCANON\n"));
+ goto fail;
+ }
+
+ ret = ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION, &version);
+ if (ret != LDAP_SUCCESS) {
+ fprintf(stderr, _("Unable to set LDAP version\n"));
+ goto fail;
+ }
+
+ if (bindpw) {
+ bindpw_bv.bv_val = discard_const(bindpw);
+ bindpw_bv.bv_len = strlen(bindpw);
+ } else {
+ bindpw_bv.bv_val = NULL;
+ bindpw_bv.bv_len = 0;
+ }
+
+ ret = ldap_sasl_bind_s(ld, binddn, LDAP_SASL_SIMPLE, &bindpw_bv,
+ NULL, NULL, NULL);
+
+ if (ret != LDAP_SUCCESS) {
+ int err;
+
+ ldap_get_option(ld, LDAP_OPT_RESULT_CODE, &err);
+ if (debug)
+ fprintf(stderr, _("Bind failed: %s\n"), ldap_err2string(err));
+ goto fail;
+ }
+
+ return ld;
+
+fail:
+ if (ld != NULL) {
+ ldap_unbind_ext(ld, NULL, NULL);
+ }
+ return NULL;
+}
+
+/*
+ * Given a list of naming contexts check each one to see if it has
+ * an IPA v2 server in it. The first one we find wins.
+ */
+static int
+check_ipa_server(LDAP *ld, char **ldap_base, struct berval **vals)
+{
+ struct berval **infovals;
+ LDAPMessage *entry, *res = NULL;
+ char *info_attrs[] = {"info", NULL};
+ int i, ret = 0;
+
+ for (i = 0; !*ldap_base && vals[i]; i++) {
+ ret = ldap_search_ext_s(ld, vals[i]->bv_val,
+ LDAP_SCOPE_BASE, "(info=IPA*)", info_attrs,
+ 0, NULL, NULL, NULL, 0, &res);
+
+ if (ret != LDAP_SUCCESS) {
+ break;
+ }
+
+ entry = ldap_first_entry(ld, res);
+ infovals = ldap_get_values_len(ld, entry, info_attrs[0]);
+ if (!strcmp(infovals[0]->bv_val, "IPA V2.0"))
+ *ldap_base = strdup(vals[i]->bv_val);
+ ldap_msgfree(res);
+ res = NULL;
+ }
+
+ return ret;
+}
+
+/*
+ * Determine the baseDN of the remote server. Look first for a
+ * defaultNamingContext, otherwise fall back to reviewing each
+ * namingContext.
+ */
+static int
+get_root_dn(const char *ipaserver, char **ldap_base)
+{
+ LDAP *ld = NULL;
+ char *root_attrs[] = {"namingContexts", "defaultNamingContext", NULL};
+ LDAPMessage *entry, *res = NULL;
+ struct berval **ncvals;
+ struct berval **defvals;
+ int ret, rval = 0;
+
+ ld = connect_ldap(ipaserver, NULL, NULL);
+ if (!ld) {
+ rval = 14;
+ goto done;
+ }
+
+ ret = ldap_search_ext_s(ld, "", LDAP_SCOPE_BASE,
+ "objectclass=*", root_attrs, 0,
+ NULL, NULL, NULL, 0, &res);
+
+ if (ret != LDAP_SUCCESS) {
+ fprintf(stderr, _("Search for %1$s on rootdse failed with error %2$d\n"),
+ root_attrs[0], ret);
+ rval = 14;
+ goto done;
+ }
+
+ *ldap_base = NULL;
+
+ entry = ldap_first_entry(ld, res);
+
+ defvals = ldap_get_values_len(ld, entry, root_attrs[1]);
+ if (defvals) {
+ ret = check_ipa_server(ld, ldap_base, defvals);
+ }
+ ldap_value_free_len(defvals);
+
+ /* loop through to find the IPA context */
+ if (ret == LDAP_SUCCESS && !*ldap_base) {
+ ncvals = ldap_get_values_len(ld, entry, root_attrs[0]);
+ if (!ncvals) {
+ fprintf(stderr, _("No values for %s"), root_attrs[0]);
+ rval = 14;
+ ldap_value_free_len(ncvals);
+ goto done;
+ }
+ ret = check_ipa_server(ld, ldap_base, ncvals);
+ ldap_value_free_len(ncvals);
+ }
+
+ if (ret != LDAP_SUCCESS) {
+ fprintf(stderr, _("Search for IPA namingContext failed with error %d\n"), ret);
+ rval = 14;
+ goto done;
+ }
+
+ if (!*ldap_base) {
+ fprintf(stderr, _("IPA namingContext not found\n"));
+ rval = 14;
+ goto done;
+ }
+
+
+done:
+ if (res) ldap_msgfree(res);
+ if (ld != NULL) {
+ ldap_unbind_ext(ld, NULL, NULL);
+ }
+
+ return rval;
+}
+
+/*
+ * Get the certificate subject base from the IPA configuration.
+ *
+ * Not considered a show-stopper if this fails for some reason.
+ *
+ * The caller is responsible for binding/unbinding to LDAP.
+ */
+static int
+get_subject(LDAP *ld, char *ldap_base, const char **subject, int quiet)
+{
+ char *attrs[] = {"ipaCertificateSubjectBase", NULL};
+ char *base = NULL;
+ LDAPMessage *entry, *res = NULL;
+ struct berval **ncvals;
+ int ret, rval = 0;
+
+ ret = asprintf(&base, "cn=ipaconfig,cn=etc,%s", ldap_base);
+ if (ret == -1)
+ {
+ if (!quiet)
+ fprintf(stderr, _("Out of memory!\n"));
+ rval = 3;
+ goto done;
+ }
+
+ ret = ldap_search_ext_s(ld, base, LDAP_SCOPE_BASE,
+ "objectclass=*", attrs, 0,
+ NULL, NULL, NULL, 0, &res);
+
+ if (ret != LDAP_SUCCESS) {
+ fprintf(stderr,
+ _("Search for ipaCertificateSubjectBase failed with error %d"),
+ ret);
+ rval = 14;
+ goto done;
+ }
+
+ entry = ldap_first_entry(ld, res);
+ ncvals = ldap_get_values_len(ld, entry, attrs[0]);
+ if (!ncvals) {
+ fprintf(stderr, _("No values for %s"), attrs[0]);
+ rval = 14;
+ goto done;
+ }
+
+ *subject = strdup(ncvals[0]->bv_val);
+
+ ldap_value_free_len(ncvals);
+
+done:
+ free(base);
+ if (res) ldap_msgfree(res);
+
+ return rval;
+}
+
+/* Join a host to the current IPA realm.
+ *
+ * There are several scenarios for this:
+ * 1. You are an IPA admin user with fullrights to add hosts and generate
+ * keytabs.
+ * 2. You are an IPA admin user with rights to generate keytabs but not
+ * write hosts.
+ * 3. You are a regular IPA user with a password that can be used to
+ * generate the host keytab.
+ *
+ * If a password is presented it will be used regardless of the rights of
+ * the user.
+ */
+
+/* If we only have a bindpw then try to join in a bit of a degraded mode.
+ * This is going to duplicate some of the server-side code to determine
+ * the state of the entry.
+ */
+static int
+join_ldap(const char *ipaserver, char *hostname, char ** binddn, const char *bindpw, const char *basedn, const char **princ, const char **subject, int quiet)
+{
+ LDAP *ld;
+ int rval = 0;
+ char *oidresult = NULL;
+ struct berval valrequest;
+ struct berval *valresult = NULL;
+ int rc, ret;
+ char *ldap_base = NULL;
+
+ *binddn = NULL;
+ *princ = NULL;
+ *subject = NULL;
+
+ if (NULL != basedn) {
+ ldap_base = strdup(basedn);
+ if (!ldap_base) {
+ if (!quiet)
+ fprintf(stderr, _("Out of memory!\n"));
+ rval = 3;
+ goto done;
+ }
+ } else {
+ if (get_root_dn(ipaserver, &ldap_base) != 0) {
+ if (!quiet)
+ fprintf(stderr, _("Unable to determine root DN of %s\n"),
+ ipaserver);
+ rval = 14;
+ goto done;
+ }
+ }
+
+ ret = asprintf(binddn, "fqdn=%s,cn=computers,cn=accounts,%s", hostname, ldap_base);
+ if (ret == -1)
+ {
+ if (!quiet)
+ fprintf(stderr, _("Out of memory!\n"));
+ rval = 3;
+ goto done;
+ }
+ ld = connect_ldap(ipaserver, *binddn, bindpw);
+ if (!ld) {
+ if (!quiet)
+ fprintf(stderr, _("Incorrect password.\n"));
+ rval = 15;
+ goto done;
+ }
+
+ if (get_subject(ld, ldap_base, subject, quiet) != 0) {
+ if (!quiet)
+ fprintf(stderr,
+ _("Unable to determine certificate subject of %s\n"),
+ ipaserver);
+ /* Not a critical failure */
+ }
+
+ valrequest.bv_val = (char *)hostname;
+ valrequest.bv_len = strlen(hostname);
+
+ if ((rc = ldap_extended_operation_s(ld, JOIN_OID, &valrequest, NULL, NULL, &oidresult, &valresult)) != LDAP_SUCCESS) {
+ char *s = NULL;
+#ifdef LDAP_OPT_DIAGNOSTIC_MESSAGE
+ ldap_get_option(ld, LDAP_OPT_DIAGNOSTIC_MESSAGE, &s);
+#else
+ ldap_get_option(ld, LDAP_OPT_ERROR_STRING, &s);
+#endif
+ if (!quiet)
+ fprintf(stderr, _("Enrollment failed. %s\n"), s);
+ if (debug) {
+ fprintf(stderr, "ldap_extended_operation_s failed: %s",
+ ldap_err2string(rc));
+ }
+ rval = 13;
+ goto ldap_done;
+ }
+
+ /* Get the value from the result returned by the server. */
+ *princ = strdup(valresult->bv_val);
+
+ldap_done:
+ if (ld != NULL) {
+ ldap_unbind_ext(ld, NULL, NULL);
+ }
+
+done:
+ free(ldap_base);
+ if (valresult) ber_bvfree(valresult);
+ if (oidresult) free(oidresult);
+ return rval;
+}
+
+static int
+join_krb5(const char *ipaserver, char *hostname, char **hostdn, const char **princ, const char **subject, int force, int quiet) {
+ xmlrpc_env env;
+ xmlrpc_value * argArrayP = NULL;
+ xmlrpc_value * paramArrayP = NULL;
+ xmlrpc_value * paramP = NULL;
+ xmlrpc_value * optionsP = NULL;
+ xmlrpc_value * resultP = NULL;
+ xmlrpc_value * structP = NULL;
+ xmlrpc_server_info * serverInfoP = NULL;
+ struct utsname uinfo;
+ xmlrpc_value *princP = NULL;
+ xmlrpc_value *krblastpwdchangeP = NULL;
+ xmlrpc_value *subjectP = NULL;
+ xmlrpc_value *hostdnP = NULL;
+ const char *krblastpwdchange = NULL;
+ char * url = NULL;
+ char * user_agent = NULL;
+ int rval = 0;
+ int ret;
+
+ *hostdn = NULL;
+ *subject = NULL;
+ *princ = NULL;
+
+ /* Start up our XML-RPC client library. */
+ xmlrpc_client_init(XMLRPC_CLIENT_NO_FLAGS, NAME, VERSION);
+
+ uname(&uinfo);
+
+ xmlrpc_env_init(&env);
+
+ xmlrpc_client_setup_global_const(&env);
+
+#if 1
+ ret = asprintf(&url, "https://%s:443/ipa/xml", ipaserver);
+#else
+ ret = asprintf(&url, "http://%s:8888/", ipaserver);
+#endif
+ if (ret == -1)
+ {
+ if (!quiet)
+ fprintf(stderr, _("Out of memory!\n"));
+ rval = 3;
+ goto cleanup;
+ }
+
+ serverInfoP = xmlrpc_server_info_new(&env, url);
+
+ argArrayP = xmlrpc_array_new(&env);
+ paramArrayP = xmlrpc_array_new(&env);
+
+ if (hostname == NULL)
+ paramP = xmlrpc_string_new(&env, uinfo.nodename);
+ else
+ paramP = xmlrpc_string_new(&env, hostname);
+ xmlrpc_array_append_item(&env, argArrayP, paramP);
+#ifdef REALM
+ if (!quiet)
+ printf("Joining %s to IPA realm %s\n", uinfo.nodename, iparealm);
+#endif
+ xmlrpc_array_append_item(&env, paramArrayP, argArrayP);
+ xmlrpc_DECREF(paramP);
+
+ optionsP = xmlrpc_build_value(&env, "{s:s,s:s}",
+ "nsosversion", uinfo.release,
+ "nshardwareplatform", uinfo.machine);
+ xmlrpc_array_append_item(&env, paramArrayP, optionsP);
+ xmlrpc_DECREF(optionsP);
+
+ if ((user_agent = set_user_agent(ipaserver)) == NULL) {
+ rval = 3;
+ goto cleanup;
+ }
+ callRPC(user_agent, &env, serverInfoP, "join", paramArrayP, &resultP);
+ if (handle_fault(&env)) {
+ rval = 17;
+ goto cleanup_xmlrpc;
+ }
+
+ /* Return value is the form of an array. The first value is the
+ * DN, the second a struct of attribute values
+ */
+ xmlrpc_array_read_item(&env, resultP, 0, &hostdnP);
+ xmlrpc_read_string(&env, hostdnP, (const char **)hostdn);
+ xmlrpc_DECREF(hostdnP);
+ xmlrpc_array_read_item(&env, resultP, 1, &structP);
+
+ xmlrpc_struct_find_value(&env, structP, "krbprincipalname", &princP);
+ if (princP) {
+ xmlrpc_value * singleprincP = NULL;
+
+ /* FIXME: all values are returned as lists currently. Once this is
+ * fixed we can read the string directly.
+ */
+ xmlrpc_array_read_item(&env, princP, 0, &singleprincP);
+ xmlrpc_read_string(&env, singleprincP, &*princ);
+ xmlrpc_DECREF(princP);
+ xmlrpc_DECREF(singleprincP);
+ } else {
+ if (!quiet)
+ fprintf(stderr, _("principal not found in XML-RPC response\n"));
+ rval = 12;
+ goto cleanup;
+ }
+ xmlrpc_struct_find_value(&env, structP, "krblastpwdchange", &krblastpwdchangeP);
+ if (krblastpwdchangeP && !force) {
+ xmlrpc_value * singleprincP = NULL;
+
+ /* FIXME: all values are returned as lists currently. Once this is
+ * fixed we can read the string directly.
+ */
+ xmlrpc_array_read_item(&env, krblastpwdchangeP, 0, &singleprincP);
+ xmlrpc_read_string(&env, singleprincP, &krblastpwdchange);
+ xmlrpc_DECREF(krblastpwdchangeP);
+ if (!quiet)
+ fprintf(stderr, _("Host is already joined.\n"));
+ rval = 13;
+ goto cleanup;
+ }
+
+ xmlrpc_struct_find_value(&env, structP, "ipacertificatesubjectbase", &subjectP);
+ if (subjectP) {
+ xmlrpc_value * singleprincP = NULL;
+
+ /* FIXME: all values are returned as lists currently. Once this is
+ * fixed we can read the string directly.
+ */
+ xmlrpc_array_read_item(&env, subjectP, 0, &singleprincP);
+ xmlrpc_read_string(&env, singleprincP, *&subject);
+ xmlrpc_DECREF(subjectP);
+ }
+
+cleanup:
+ if (argArrayP) xmlrpc_DECREF(argArrayP);
+ if (paramArrayP) xmlrpc_DECREF(paramArrayP);
+ if (resultP) xmlrpc_DECREF(resultP);
+
+cleanup_xmlrpc:
+ free(user_agent);
+ free(url);
+ free((char *)krblastpwdchange);
+ xmlrpc_env_clean(&env);
+ xmlrpc_client_cleanup();
+
+ return rval;
+}
+
+static int
+unenroll_host(const char *server, const char *hostname, const char *ktname, int quiet)
+{
+ int rval = 0;
+ int ret;
+ char *ipaserver = NULL;
+ char *host = NULL;
+ struct utsname uinfo;
+ char *principal = NULL;
+ char *realm = NULL;
+
+ krb5_context krbctx = NULL;
+ krb5_keytab keytab = NULL;
+ krb5_ccache ccache = NULL;
+ krb5_principal princ = NULL;
+ krb5_error_code krberr;
+ krb5_creds creds;
+ krb5_get_init_creds_opt gicopts;
+ char tgs[LINE_MAX];
+
+ xmlrpc_env env;
+ xmlrpc_value * argArrayP = NULL;
+ xmlrpc_value * paramArrayP = NULL;
+ xmlrpc_value * paramP = NULL;
+ xmlrpc_value * resultP = NULL;
+ xmlrpc_server_info * serverInfoP = NULL;
+ xmlrpc_value *princP = NULL;
+ char * url = NULL;
+ char * user_agent = NULL;
+
+ /* Start up our XML-RPC client library. */
+ xmlrpc_client_init(XMLRPC_CLIENT_NO_FLAGS, NAME, VERSION);
+
+ xmlrpc_env_init(&env);
+
+ xmlrpc_client_setup_global_const(&env);
+
+ if (server) {
+ ipaserver = strdup(server);
+ } else {
+ char * conf_data = read_config_file(IPA_CONFIG);
+ if ((ipaserver = getIPAserver(conf_data)) == NULL) {
+ if (!quiet)
+ fprintf(stderr, _("Unable to determine IPA server from %s\n"),
+ IPA_CONFIG);
+ exit(1);
+ }
+ free(conf_data);
+ }
+
+ if (NULL == hostname) {
+ uname(&uinfo);
+ host = strdup(uinfo.nodename);
+ } else {
+ host = strdup(hostname);
+ }
+
+ if (NULL == host) {
+ rval = 3;
+ goto cleanup;
+ }
+
+ if (NULL == strstr(host, ".")) {
+ if (!quiet)
+ fprintf(stderr, _("The hostname must be fully-qualified: %s\n"),
+ host);
+ rval = 16;
+ goto cleanup;
+ }
+
+ krberr = krb5_init_context(&krbctx);
+ if (krberr) {
+ if (!quiet)
+ fprintf(stderr, _("Unable to join host: "
+ "Kerberos context initialization failed\n"));
+ rval = 1;
+ goto cleanup;
+ }
+ krberr = krb5_kt_resolve(krbctx, ktname, &keytab);
+ if (krberr != 0) {
+ if (!quiet)
+ fprintf(stderr, _("Error resolving keytab: %s.\n"),
+ error_message(krberr));
+ rval = 7;
+ goto cleanup;
+ }
+
+ krberr = krb5_get_default_realm(krbctx, &realm);
+ if (krberr != 0) {
+ if (!quiet)
+ fprintf(stderr, _("Error getting default Kerberos realm: %s.\n"),
+ error_message(krberr));
+ rval = 21;
+ goto cleanup;
+ }
+
+ ret = asprintf(&principal, "host/%s@%s", host, realm);
+ if (ret == -1)
+ {
+ if (!quiet)
+ fprintf(stderr, _("Out of memory!\n"));
+ rval = 3;
+ goto cleanup;
+ }
+
+ krberr = krb5_parse_name(krbctx, principal, &princ);
+ if (krberr != 0) {
+ if (!quiet)
+ fprintf(stderr, _("Error parsing \"%1$s\": %2$s.\n"),
+ principal, error_message(krberr));
+ rval = 4;
+ goto cleanup;
+ }
+ strcpy(tgs, KRB5_TGS_NAME);
+ snprintf(tgs + strlen(tgs), sizeof(tgs) - strlen(tgs), "/%.*s",
+ (krb5_princ_realm(krbctx, princ))->length,
+ (krb5_princ_realm(krbctx, princ))->data);
+ snprintf(tgs + strlen(tgs), sizeof(tgs) - strlen(tgs), "@%.*s",
+ (krb5_princ_realm(krbctx, princ))->length,
+ (krb5_princ_realm(krbctx, princ))->data);
+ memset(&creds, 0, sizeof(creds));
+ krb5_get_init_creds_opt_init(&gicopts);
+ krb5_get_init_creds_opt_set_forwardable(&gicopts, 1);
+ krberr = krb5_get_init_creds_keytab(krbctx, &creds, princ, keytab,
+ 0, tgs, &gicopts);
+ if (krberr != 0) {
+ if (!quiet)
+ fprintf(stderr, _("Error obtaining initial credentials: %s.\n"),
+ error_message(krberr));
+ rval = 19;
+ goto cleanup;
+ }
+
+ krberr = krb5_cc_resolve(krbctx, "MEMORY:ipa-join", &ccache);
+ if (krberr == 0) {
+ krberr = krb5_cc_initialize(krbctx, ccache, creds.client);
+ } else {
+ if (!quiet)
+ fprintf(stderr,
+ _("Unable to generate Kerberos Credential Cache\n"));
+ rval = 19;
+ goto cleanup;
+ }
+ krberr = krb5_cc_store_cred(krbctx, ccache, &creds);
+ if (krberr != 0) {
+ if (!quiet)
+ fprintf(stderr,
+ _("Error storing creds in credential cache: %s.\n"),
+ error_message(krberr));
+ rval = 19;
+ goto cleanup;
+ }
+ krb5_cc_close(krbctx, ccache);
+ ccache = NULL;
+ putenv("KRB5CCNAME=MEMORY:ipa-join");
+
+#if 1
+ ret = asprintf(&url, "https://%s:443/ipa/xml", ipaserver);
+#else
+ ret = asprintf(&url, "http://%s:8888/", ipaserver);
+#endif
+ if (ret == -1)
+ {
+ if (!quiet)
+ fprintf(stderr, _("Out of memory!\n"));
+ rval = 3;
+ goto cleanup;
+ }
+ serverInfoP = xmlrpc_server_info_new(&env, url);
+
+ argArrayP = xmlrpc_array_new(&env);
+ paramArrayP = xmlrpc_array_new(&env);
+
+ paramP = xmlrpc_string_new(&env, host);
+ xmlrpc_array_append_item(&env, argArrayP, paramP);
+ xmlrpc_array_append_item(&env, paramArrayP, argArrayP);
+ xmlrpc_DECREF(paramP);
+
+ if ((user_agent = set_user_agent(ipaserver)) == NULL) {
+ rval = 3;
+ goto cleanup;
+ }
+ callRPC(user_agent, &env, serverInfoP, "host_disable", paramArrayP, &resultP);
+ if (handle_fault(&env)) {
+ rval = 17;
+ goto cleanup;
+ }
+
+ xmlrpc_struct_find_value(&env, resultP, "result", &princP);
+ if (princP) {
+ xmlrpc_bool result;
+
+ xmlrpc_read_bool(&env, princP, &result);
+ if (result == 1) {
+ if (!quiet)
+ fprintf(stderr, _("Unenrollment successful.\n"));
+ } else {
+ if (!quiet)
+ fprintf(stderr, _("Unenrollment failed.\n"));
+ }
+
+ xmlrpc_DECREF(princP);
+ } else {
+ fprintf(stderr, _("result not found in XML-RPC response\n"));
+ rval = 20;
+ goto cleanup;
+ }
+
+cleanup:
+
+ free(user_agent);
+ if (keytab) krb5_kt_close(krbctx, keytab);
+ free(host);
+ free((char *)principal);
+ free((char *)ipaserver);
+ if (princ) krb5_free_principal(krbctx, princ);
+ if (ccache) krb5_cc_close(krbctx, ccache);
+ if (krbctx) krb5_free_context(krbctx);
+
+ free(url);
+ xmlrpc_env_clean(&env);
+ xmlrpc_client_cleanup();
+
+ return rval;
+}
+
+
+static int
+join(const char *server, const char *hostname, const char *bindpw, const char *basedn, const char *keytab, int force, int quiet)
+{
+ int rval = 0;
+ pid_t childpid = 0;
+ int status = 0;
+ char *ipaserver = NULL;
+ char *iparealm = NULL;
+ char * host = NULL;
+ const char * princ = NULL;
+ const char * subject = NULL;
+ char * hostdn = NULL;
+ struct utsname uinfo;
+
+ krb5_context krbctx = NULL;
+ krb5_ccache ccache = NULL;
+ krb5_principal uprinc = NULL;
+ krb5_error_code krberr;
+
+ if (server) {
+ ipaserver = strdup(server);
+ } else {
+ char * conf_data = read_config_file(IPA_CONFIG);
+ if ((ipaserver = getIPAserver(conf_data)) == NULL) {
+ fprintf(stderr, _("Unable to determine IPA server from %s\n"),
+ IPA_CONFIG);
+ exit(1);
+ }
+ free(conf_data);
+ }
+
+ if (NULL == hostname) {
+ uname(&uinfo);
+ host = strdup(uinfo.nodename);
+ } else {
+ host = strdup(hostname);
+ }
+
+ if (NULL == strstr(host, ".")) {
+ fprintf(stderr, _("The hostname must be fully-qualified: %s\n"), host);
+ rval = 16;
+ goto cleanup;
+ }
+
+ if ((!strcmp(host, "localhost")) || (!strcmp(host, "localhost.localdomain"))){
+ fprintf(stderr, _("The hostname must not be: %s\n"), host);
+ rval = 16;
+ goto cleanup;
+ }
+
+ if (bindpw)
+ rval = join_ldap(ipaserver, host, &hostdn, bindpw, basedn, &princ, &subject, quiet);
+ else {
+ krberr = krb5_init_context(&krbctx);
+ if (krberr) {
+ fprintf(stderr, _("Unable to join host: "
+ "Kerberos context initialization failed\n"));
+ rval = 1;
+ goto cleanup;
+ }
+ krberr = krb5_cc_default(krbctx, &ccache);
+ if (krberr) {
+ fprintf(stderr, _("Unable to join host:"
+ " Kerberos Credential Cache not found\n"));
+ rval = 5;
+ goto cleanup;
+ }
+
+ krberr = krb5_cc_get_principal(krbctx, ccache, &uprinc);
+ if (krberr) {
+ fprintf(stderr, _("Unable to join host: Kerberos User Principal "
+ "not found and host password not provided.\n"));
+ rval = 6;
+ goto cleanup;
+ }
+ rval = join_krb5(ipaserver, host, &hostdn, &princ, &subject, force,
+ quiet);
+ }
+
+ if (rval) goto cleanup;
+
+ /* Fork off and let ipa-getkeytab generate the keytab for us */
+ childpid = fork();
+
+ if (childpid < 0) {
+ fprintf(stderr, _("fork() failed\n"));
+ rval = 1;
+ goto cleanup;
+ }
+
+ if (childpid == 0) {
+ char *argv[12];
+ char *path = "/usr/sbin/ipa-getkeytab";
+ int arg = 0;
+ int err;
+
+ argv[arg++] = path;
+ argv[arg++] = "-s";
+ argv[arg++] = ipaserver;
+ argv[arg++] = "-p";
+ argv[arg++] = (char *)princ;
+ argv[arg++] = "-k";
+ argv[arg++] = (char *)keytab;
+ if (bindpw) {
+ argv[arg++] = "-D";
+ argv[arg++] = (char *)hostdn;
+ argv[arg++] = "-w";
+ argv[arg++] = (char *)bindpw;
+ }
+ argv[arg++] = NULL;
+ err = execv(path, argv);
+ if (err == -1) {
+ switch(errno) {
+ case ENOENT:
+ fprintf(stderr, _("ipa-getkeytab not found\n"));
+ break;
+ case EACCES:
+ fprintf(stderr, _("ipa-getkeytab has bad permissions?\n"));
+ break;
+ default:
+ fprintf(stderr, _("executing ipa-getkeytab failed, "
+ "errno %d\n"), errno);
+ break;
+ }
+ }
+ } else {
+ wait(&status);
+ }
+
+ if WIFEXITED(status) {
+ rval = WEXITSTATUS(status);
+ if (rval != 0) {
+ fprintf(stderr, _("child exited with %d\n"), rval);
+ }
+ }
+
+cleanup:
+ if (NULL != subject && !quiet && rval == 0)
+ fprintf(stderr, _("Certificate subject base is: %s\n"), subject);
+
+ free((char *)princ);
+ free((char *)subject);
+ free(host);
+
+ if (bindpw)
+ ldap_memfree((void *)hostdn);
+ else
+ free((char *)hostdn);
+
+ free((char *)ipaserver);
+ free((char *)iparealm);
+ if (uprinc) krb5_free_principal(krbctx, uprinc);
+ if (ccache) krb5_cc_close(krbctx, ccache);
+ if (krbctx) krb5_free_context(krbctx);
+
+ return rval;
+}
+
+/*
+ * Note, an intention with return values is so that this is compatible with
+ * ipa-getkeytab. This is so based on the return value you can distinguish
+ * between errors common between the two (no kerbeors ccache) and those
+ * unique (host already added).
+ */
+int
+main(int argc, const char **argv) {
+ static const char *hostname = NULL;
+ static const char *server = NULL;
+ static const char *keytab = NULL;
+ static const char *bindpw = NULL;
+ static const char *basedn = NULL;
+ int quiet = 0;
+ int unenroll = 0;
+ int force = 0;
+ struct poptOption options[] = {
+ { "debug", 'd', POPT_ARG_NONE, &debug, 0,
+ _("Print the raw XML-RPC output in GSSAPI mode"), NULL },
+ { "quiet", 'q', POPT_ARG_NONE, &quiet, 0,
+ _("Quiet mode. Only errors are displayed."), NULL },
+ { "unenroll", 'u', POPT_ARG_NONE, &unenroll, 0,
+ _("Unenroll this host from IPA server"), NULL },
+ { "hostname", 'h', POPT_ARG_STRING, &hostname, 0,
+ _("Hostname of this server"), _("hostname") },
+ { "server", 's', POPT_ARG_STRING, &server, 0,
+ _("IPA Server to use"), _("hostname") },
+ { "keytab", 'k', POPT_ARG_STRING, &keytab, 0,
+ _("Specifies where to store keytab information."), _("filename") },
+ { "force", 'f', POPT_ARG_NONE, &force, 0,
+ _("Force the host join. Rejoin even if already joined."), NULL },
+ { "bindpw", 'w', POPT_ARG_STRING, &bindpw, 0,
+ _("LDAP password (if not using Kerberos)"), _("password") },
+ { "basedn", 'b', POPT_ARG_STRING, &basedn, 0,
+ _("LDAP basedn"), _("basedn") },
+ POPT_AUTOHELP
+ POPT_TABLEEND
+ };
+ poptContext pc;
+ int ret;
+
+ ret = init_gettext();
+ if (ret) {
+ exit(2);
+ }
+
+ pc = poptGetContext("ipa-join", argc, (const char **)argv, options, 0);
+ ret = poptGetNextOpt(pc);
+ if (ret != -1) {
+ if (!quiet) {
+ poptPrintUsage(pc, stderr, 0);
+ }
+ exit(2);
+ }
+ poptFreeContext(pc);
+ if (debug)
+ setenv("XMLRPC_TRACE_XML", "1", 1);
+
+
+ if (!keytab)
+ keytab = "/etc/krb5.keytab";
+
+ if (unenroll) {
+ ret = unenroll_host(server, hostname, keytab, quiet);
+ } else {
+ ret = check_perms(keytab);
+ if (ret == 0)
+ ret = join(server, hostname, bindpw, basedn, keytab, force, quiet);
+ }
+
+ exit(ret);
+}
diff --git a/client/ipa-rmkeytab.c b/client/ipa-rmkeytab.c
new file mode 100644
index 000000000..3687b1dc7
--- /dev/null
+++ b/client/ipa-rmkeytab.c
@@ -0,0 +1,268 @@
+/* Authors: Rob Crittenden <rcritten@redhat.com>
+ *
+ * Copyright (C) 2009 Red Hat
+ * see file 'COPYING' for use and warranty information
+ *
+ * This program is free software you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#define _GNU_SOURCE
+#include <stdlib.h>
+#include <stdbool.h>
+#include <stdio.h>
+#include <string.h>
+#include <krb5.h>
+#include <popt.h>
+#include <errno.h>
+
+#include "ipa-client-common.h"
+#include "config.h"
+
+int
+remove_principal(krb5_context context, krb5_keytab ktid, const char *principal, int debug)
+{
+ krb5_error_code krberr;
+ krb5_keytab_entry entry, entry2;
+ int rval = 0;
+ int removed = 0;
+
+ memset(&entry, 0, sizeof(entry));
+ krberr = krb5_parse_name(context, principal, &entry.principal);
+ if (krberr) {
+ fprintf(stderr, _("Unable to parse principal name\n"));
+ if (debug)
+ fprintf(stderr, _("krb5_parse_name %1$d: %2$s\n"),
+ krberr, error_message(krberr));
+ rval = 4;
+ goto done;
+ }
+
+ /* Loop through the keytab and remove all entries with this principal name
+ * irrespective of the encryption type. A failure to find one after the
+ * first means we're done.
+ */
+ fprintf(stderr, _("Removing principal %s\n"), principal);
+ while (1) {
+ memset(&entry2, 0, sizeof(entry2));
+ krberr = krb5_kt_get_entry(context, ktid,
+ entry.principal,
+ 0,
+ 0,
+ &entry2);
+ if (krberr) {
+ if (removed > 0)
+ /* not found but we've removed some, we're done */
+ break;
+ if (krberr == ENOENT) {
+ fprintf(stderr, _("Failed to open keytab\n"));
+ rval = 3;
+ goto done;
+ }
+ fprintf(stderr, _("principal not found\n"));
+ if (debug)
+ fprintf(stderr, _("krb5_kt_get_entry %1$d: %2$s\n"),
+ krberr, error_message(krberr));
+ rval = 5;
+ break;
+ }
+
+ krberr = krb5_kt_remove_entry(context, ktid, &entry2);
+ if (krberr) {
+ fprintf(stderr, _("Unable to remove entry\n"));
+ if (debug) {
+ fprintf(stdout, _("kvno %d\n"), entry2.vno);
+ fprintf(stderr, _("krb5_kt_remove_entry %1$d: %2$s\n"),
+ krberr, error_message(krberr));
+ }
+ rval = 6;
+ break;
+ }
+
+ krb5_free_keytab_entry_contents(context, &entry2);
+ removed++;
+ }
+
+ if (entry2.principal)
+ krb5_free_keytab_entry_contents(context, &entry2);
+
+done:
+
+ return rval;
+}
+
+int
+remove_realm(krb5_context context, krb5_keytab ktid, const char *realm, int debug)
+{
+ krb5_error_code krberr;
+ krb5_keytab_entry entry;
+ krb5_kt_cursor kt_cursor;
+ char * entry_princ_s = NULL;
+ int rval = 0;
+ bool realm_found = false;
+
+ krberr = krb5_kt_start_seq_get(context, ktid, &kt_cursor);
+ memset(&entry, 0, sizeof(entry));
+ while (krb5_kt_next_entry(context, ktid, &entry, &kt_cursor) == 0) {
+ krberr = krb5_unparse_name(context, entry.principal, &entry_princ_s);
+ if (krberr) {
+ fprintf(stderr, _("Unable to parse principal\n"));
+ if (debug) {
+ fprintf(stderr, _("krb5_unparse_name %1$d: %2$s\n"),
+ krberr, error_message(krberr));
+ }
+ rval = 4;
+ goto done;
+ }
+
+ /* keytab entries are locked when looping. Temporarily suspend
+ * the looping. */
+ krb5_kt_end_seq_get(context, ktid, &kt_cursor);
+
+ if (strstr(entry_princ_s, realm) != NULL) {
+ realm_found = true;
+ rval = remove_principal(context, ktid, entry_princ_s, debug);
+ if (rval != 0)
+ goto done;
+ /* Have to reset the cursor */
+ krberr = krb5_kt_start_seq_get(context, ktid, &kt_cursor);
+ }
+ }
+
+ if (!realm_found) {
+ fprintf(stderr, _("realm not found\n"));
+ return 5;
+ }
+
+done:
+
+ return rval;
+}
+
+int
+main(int argc, const char **argv)
+{
+ krb5_context context;
+ krb5_error_code krberr;
+ krb5_keytab ktid;
+ krb5_kt_cursor cursor;
+ char * ktname = NULL;
+ char * atrealm = NULL;
+ poptContext pc;
+ static const char *keytab = NULL;
+ static const char *principal = NULL;
+ static const char *realm = NULL;
+ int debug = 0;
+ int ret, rval = 0;
+ struct poptOption options[] = {
+ { "debug", 'd', POPT_ARG_NONE, &debug, 0,
+ _("Print debugging information"), _("Debugging output") },
+ { "principal", 'p', POPT_ARG_STRING, &principal, 0,
+ _("The principal to remove from the keytab (ex: ftp/ftp.example.com@EXAMPLE.COM)"),
+ _("Kerberos Service Principal Name") },
+ { "keytab", 'k', POPT_ARG_STRING, &keytab, 0,
+ _("The keytab file to remove the principcal(s) from"), _("Keytab File Name") },
+ { "realm", 'r', POPT_ARG_STRING, &realm, 0,
+ _("Remove all principals in this realm"), _("Realm name") },
+ POPT_AUTOHELP
+ POPT_TABLEEND
+ };
+
+ ret = init_gettext();
+ if (ret) {
+ exit(1);
+ }
+
+ memset(&ktid, 0, sizeof(ktid));
+
+ krberr = krb5_init_context(&context);
+ if (krberr) {
+ fprintf(stderr, _("Kerberos context initialization failed\n"));
+ exit(1);
+ }
+
+ pc = poptGetContext("ipa-rmkeytab", argc, (const char **)argv, options, 0);
+ ret = poptGetNextOpt(pc);
+ if (ret != -1 || (!principal && !realm) || !keytab) {
+ poptPrintUsage(pc, stderr, 0);
+ rval = 1;
+ goto cleanup;
+ }
+
+ ret = asprintf(&ktname, "WRFILE:%s", keytab);
+ if (ret == -1) {
+ rval = 2;
+ goto cleanup;
+ }
+
+ /* The remove_realm function just does a substring match. Ensure that
+ * the string we pass in looks like a realm.
+ */
+ if (realm) {
+ if (realm[0] != '@') {
+ ret = asprintf(&atrealm, "@%s", realm);
+ if (ret == -1) {
+ rval = 2;
+ goto cleanup;
+ }
+ } else {
+ atrealm = strdup(realm);
+
+ if (NULL == atrealm) {
+ rval = 2;
+ goto cleanup;
+ }
+ }
+ }
+
+ krberr = krb5_kt_resolve(context, ktname, &ktid);
+ if (krberr) {
+ fprintf(stderr, _("Failed to open keytab '%1$s': %2$s\n"), keytab,
+ error_message(krberr));
+ rval = 3;
+ goto cleanup;
+ }
+ krberr = krb5_kt_start_seq_get(context, ktid, &cursor);
+ if (krberr) {
+ fprintf(stderr, _("Failed to open keytab '%1$s': %2$s\n"), keytab,
+ error_message(krberr));
+ rval = 3;
+ goto cleanup;
+ }
+ krb5_kt_end_seq_get(context, ktid, &cursor);
+
+ if (principal)
+ rval = remove_principal(context, ktid, principal, debug);
+ else if (realm)
+ rval = remove_realm(context, ktid, atrealm, debug);
+
+cleanup:
+ if (rval == 0 || rval > 3) {
+ krberr = krb5_kt_close(context, ktid);
+ if (krberr) {
+ fprintf(stderr, _("Closing keytab failed\n"));
+ if (debug)
+ fprintf(stderr, _("krb5_kt_close %1$d: %2$s\n"),
+ krberr, error_message(krberr));
+ }
+ }
+
+ krb5_free_context(context);
+
+ poptFreeContext(pc);
+
+ free(atrealm);
+ free(ktname);
+
+ return rval;
+}
diff --git a/client/man/Makefile.am b/client/man/Makefile.am
new file mode 100644
index 000000000..9d8a9c03d
--- /dev/null
+++ b/client/man/Makefile.am
@@ -0,0 +1,24 @@
+# This file will be processed with automake-1.7 to create Makefile.in
+
+AUTOMAKE_OPTIONS = 1.7
+
+NULL =
+
+man1_MANS = \
+ ipa-getkeytab.1 \
+ ipa-rmkeytab.1 \
+ ipa-client-install.1 \
+ ipa-client-automount.1 \
+ ipa-certupdate.1 \
+ ipa-join.1
+
+man5_MANS = \
+ default.conf.5
+
+install-data-hook:
+ @for i in $(man1_MANS) ; do gzip -f $(DESTDIR)$(man1dir)/$$i ; done
+ @for i in $(man5_MANS) ; do gzip -f $(DESTDIR)$(man5dir)/$$i ; done
+
+MAINTAINERCLEANFILES = \
+ Makefile.in \
+ $(NULL)
diff --git a/client/man/default.conf.5 b/client/man/default.conf.5
new file mode 100644
index 000000000..35ce6bb9f
--- /dev/null
+++ b/client/man/default.conf.5
@@ -0,0 +1,246 @@
+.\" A man page for default.conf
+.\" Copyright (C) 2011 Red Hat, Inc.
+.\"
+.\" This program is free software; you can redistribute it and/or modify
+.\" it under the terms of the GNU General Public License as published by
+.\" the Free Software Foundation, either version 3 of the License, or
+.\" (at your option) any later version.
+.\"
+.\" This program is distributed in the hope that it will be useful, but
+.\" WITHOUT ANY WARRANTY; without even the implied warranty of
+.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+.\" General Public License for more details.
+.\"
+.\" You should have received a copy of the GNU General Public License
+.\" along with this program. If not, see <http://www.gnu.org/licenses/>.
+.\"
+.\" Author: Rob Crittenden <rcritten@@redhat.com>
+.\"
+.TH "default.conf" "5" "Feb 21 2011" "FreeIPA" "FreeIPA Manual Pages"
+.SH "NAME"
+default.conf \- IPA configuration file
+.SH "SYNOPSIS"
+/etc/ipa/default.conf, ~/.ipa/default.conf, /etc/ipa/server.conf, /etc/ipa/cli.conf
+.SH "DESCRIPTION"
+The \fIdefault.conf \fRconfiguration file is used to set system\-wide defaults to be applied when running IPA clients and servers.
+
+Users may create an optional configuration file in \fI~/.ipa/default.conf\fR which will be merged into the system\-wide defaults file.
+
+The following files are read, in order:
+.nf
+ ~/.ipa/default.conf
+ /etc/ipa/<context>.conf
+ /etc/ipa/default.conf
+ built\-in constants
+.fi
+
+The IPA server does not read ~/.ipa/default.conf.
+
+The first setting wins.
+.SH "SYNTAX"
+The configuration options are not case sensitive. The values may be case sensitive, depending on the option.
+
+Blank lines are ignored.
+Lines beginning with # are comments and are ignored.
+
+Valid lines consist of an option name, an equals sign and a value. Spaces surrounding equals sign are ignored. An option terminates at the end of a line.
+
+Values should not be quoted, the quotes will not be stripped.
+
+.DS L
+ # Wrong \- don't include quotes
+ verbose = "True"
+
+ # Right \- Properly formatted options
+ verbose = True
+ verbose=True
+.DE
+
+Options must appear in the section named [global]. There are no other sections defined or used currently.
+
+Options may be defined that are not used by IPA. Be careful of misspellings, they will not be rejected.
+.SH "OPTIONS"
+The following options are relevant for the server:
+.TP
+.B basedn\fR <base>
+Specifies the base DN to use when performing LDAP operations. The base must be in DN format (dc=example,dc=com).
+.TP
+.B ca_agent_port <port>
+Specifies the secure CA agent port. The default is 8443.
+.TP
+.B ca_ee_port <port>
+Specifies the secure CA end user port. The default is 8443.
+.TP
+.B ca_host <hostname>
+Specifies the hostname of the dogtag CA server. The default is the hostname of the IPA server.
+.TP
+.B ca_port <port>
+Specifies the insecure CA end user port. The default is 8080.
+.TP
+.B context <context>
+Specifies the context that IPA is being executed in. IPA may operate differently depending on the context. The current defined contexts are cli and server. Additionally this value is used to load /etc/ipa/\fBcontext\fR.conf to provide context\-specific configuration. For example, if you want to always perform client requests in verbose mode but do not want to have verbose enabled on the server, add the verbose option to \fI/etc/ipa/cli.conf\fR.
+.TP
+.B debug <boolean>
+When True provides detailed information. Specifically this set the global log level to "debug". Default is False.
+.TP
+.B dogtag_version <version>
+Stores the version of Dogtag. Value 9 is assumed if not specified otherwise.
+.TP
+.B domain <domain>
+The domain of the IPA server e.g. example.com.
+.TP
+.B enable_ra <boolean>
+Specifies whether the CA is acting as an RA agent, such as when dogtag is being used as the Certificate Authority. This setting only applies to the IPA server configuration.
+.TP
+.B fallback <boolean>
+Specifies whether an IPA client should attempt to fall back and try other services if the first connection fails.
+.TP
+.B host <hostname>
+Specifies the local system hostname.
+.TP
+.B in_server <boolean>
+Specifies whether requests should be forwarded to an IPA server or handled locally. This is used internally by IPA in a similar way as context. The same IPA framework is used by the ipa command\-line tool and the server. This setting tells the framework whether it should execute the command as if on the server or forward it via XML\-RPC to a remote server.
+.TP
+.B in_tree <boolean>
+This is used in development and is generally a detected value. It means that the code is being executed within a source tree.
+.TP
+.B interactive <boolean>
+Specifies whether values should be prompted for or not. The default is True.
+.TP
+.B ldap_uri <URI>
+Specifies the URI of the IPA LDAP server to connect to. The URI scheme may be one of \fBldap\fR or \fBldapi\fR. The default is to use ldapi, e.g. ldapi://%2fvar%2frun%2fslapd\-EXAMPLE\-COM.socket
+.TP
+.B log_logger_XXX <comma separated list of regexps>
+loggers matching regexp will be assigned XXX level.
+.IP
+Logger levels can be explicitly specified for specific loggers as
+opposed to a global logging level. Specific loggers are indicated
+by a list of regular expressions bound to a level. If a logger's
+name matches the regexp then it is assigned that level. This config item
+must begin with "log_logger_level_" and then be
+followed by a symbolic or numeric log level, for example:
+.IP
+ log_logger_level_debug = ipalib\\.dn\\..*
+.IP
+ log_logger_level_35 = ipalib\\.plugins\\.dogtag
+.IP
+The first line says any logger belonging to the ipalib.dn module
+will have it's level configured to debug.
+.IP
+The second line say the ipa.plugins.dogtag logger will be
+configured to level 35.
+.IP
+This config item is useful when you only want to see the log output from
+one or more selected loggers. Turning on the global debug flag will produce
+an enormous amount of output. This allows you to leave the global debug flag
+off and selectively enable output from a specific logger. Typically loggers
+are bound to classes and plugins.
+.IP
+Note: logger names are a dot ('.') separated list forming a path
+in the logger tree. The dot character is also a regular
+expression metacharacter (matches any character) therefore you
+will usually need to escape the dot in the logger names by
+preceding it with a backslash.
+.TP
+.B mode <mode>
+Specifies the mode the server is running in. The currently support values are \fBproduction\fR and \fBdevelopment\fR. When running in production mode some self\-tests are skipped to improve performance.
+.TP
+.B mount_ipa <URI>
+Specifies the mount point that the development server will register. The default is /ipa/
+.TP
+.B prompt_all <boolean>
+Specifies that all options should be prompted for in the IPA client, even optional values. Default is False.
+.TP
+.B ra_plugin <name>
+Specifies the name of the CA back end to use. The current options are \fBdogtag\fR and \fBnone\fR. This is a server\-side setting. Changing this value is not recommended as the CA back end is only set up during initial installation.
+.TP
+.B realm <realm>
+Specifies the Kerberos realm.
+.TP
+.B session_auth_duration <time duration spec>
+Specifies the length of time authentication credentials cached in the session are valid. After the duration expires credentials will be automatically reacquired. Examples are "2 hours", "1h:30m", "10 minutes", "5min, 30sec".
+.TP
+.B session_duration_type <inactivity_timeout|from_start>
+Specifies how the expiration of a session is computed. With \fBinactivity_timeout\fR the expiration time is advanced by the value of session_auth_duration everytime the user accesses the service. With \fBfrom_start\fR the session expiration is the start of the user's session plus the value of session_auth_duration.
+.TP
+.B server <hostname>
+Specifies the IPA Server hostname.
+.TP
+.B skip_version_check <boolean>
+Skip client vs. server API version checking. Can lead to errors/strange behavior when newer clients talk to older servers. Use with caution.
+.TP
+.B startup_timeout <time in seconds>
+Controls the amount of time waited when starting a service. The default value is 120 seconds.
+.TP
+.B startup_traceback <boolean>
+If the IPA server fails to start and this value is True the server will attempt to generate a python traceback to make identifying the underlying problem easier.
+.TP
+.B validate_api <boolean>
+Used internally in the IPA source package to verify that the API has not changed. This is used to prevent regressions. If it is true then some errors are ignored so enough of the IPA framework can be loaded to verify all of the API, even if optional components are not installed. The default is False.
+.TP
+.B verbose <boolean>
+When True provides more information. Specifically this sets the global log level to "info".
+.TP
+.B wait_for_dns <number of attempts>
+Controls whether the IPA commands dnsrecord\-{add,mod,del} work synchronously or not. The DNS commands will repeat DNS queries up to the specified number of attempts until the DNS server returns an up-to-date answer to a query for modified records. Delay between retries is one second.
+.IP
+The DNS commands will raise a DNSDataMismatch exception if the answer doesn't match the expected value even after the specified number of attempts.
+.IP
+The DNS queries will be sent to the resolver configured in /etc/resolv.conf on the IPA server.
+.IP
+Do not enable this in production! This will cause problems if the resolver on IPA server uses a caching server instead of a local authoritative server or e.g. if DNS answers are modified by DNS64. The default is disabled (the option is not present).
+.TP
+.B xmlrpc_uri <URI>
+Specifies the URI of the XML\-RPC server for a client. This may be used by IPA, and is used by some external tools, such as ipa\-getcert. Example: https://ipa.example.com/ipa/xml
+.TP
+.B jsonrpc_uri <URI>
+Specifies the URI of the JSON server for a client. This is used by IPA. If not given, it is derived from xmlrpc_uri. Example: https://ipa.example.com/ipa/json
+.TP
+.B rpc_protocol <URI>
+Specifies the type of RPC calls IPA makes: 'jsonrpc' or 'xmlrpc'. Defaults to 'jsonrpc'.
+.TP
+The following define the containers for the IPA server. Containers define where in the DIT that objects can be found. The full location is the value of container + basedn.
+ container_accounts: cn=accounts
+ container_applications: cn=applications,cn=configs,cn=policies
+ container_automount: cn=automount
+ container_configs: cn=configs,cn=policies
+ container_dns: cn=dns
+ container_group: cn=groups,cn=accounts
+ container_hbac: cn=hbac
+ container_hbacservice: cn=hbacservices,cn=hbac
+ container_hbacservicegroup: cn=hbacservicegroups,cn=hbac
+ container_host: cn=computers,cn=accounts
+ container_hostgroup: cn=hostgroups,cn=accounts
+ container_netgroup: cn=ng,cn=alt
+ container_permission: cn=permissions,cn=pbac
+ container_policies: cn=policies
+ container_policygroups: cn=policygroups,cn=configs,cn=policies
+ container_policylinks: cn=policylinks,cn=configs,cn=policies
+ container_privilege: cn=privileges,cn=pbac
+ container_rolegroup: cn=roles,cn=accounts
+ container_roles: cn=roles,cn=policies
+ container_service: cn=services,cn=accounts
+ container_sudocmd: cn=sudocmds,cn=sudo
+ container_sudocmdgroup: cn=sudocmdgroups,cn=sudo
+ container_sudorule: cn=sudorules,cn=sudo
+ container_user: cn=users,cn=accounts
+ container_vault: cn=vaults,cn=kra
+ container_virtual: cn=virtual operations,cn=etc
+
+.SH "FILES"
+.TP
+.I /etc/ipa/default.conf
+system\-wide IPA configuration file
+.TP
+.I $HOME/.ipa/default.conf
+user IPA configuration file
+.TP
+It is also possible to define context\-specific configuration files. The \fBcontext\fR is set when the IPA api is initialized. The two currently defined contexts in IPA are \fBcli\fR and \fBserver\fR. This is helpful, for example, if you only want \fBdebug\fR enabled on the server and not in the client. If this is set to True in \fIdefault.conf\fR it will affect both the ipa client tool and the IPA server. If it is only set in \fIserver.conf\fR then only the server will have \fBdebug\fR set. These files will be loaded if they exist:
+.TP
+.I /etc/ipa/cli.conf
+system\-wide IPA client configuration file
+.TP
+.I /etc/ipa/server.conf
+system\-wide IPA server configuration file
+.SH "SEE ALSO"
+.BR ipa (1)
diff --git a/client/man/ipa-certupdate.1 b/client/man/ipa-certupdate.1
new file mode 100644
index 000000000..d95790a36
--- /dev/null
+++ b/client/man/ipa-certupdate.1
@@ -0,0 +1,39 @@
+.\" A man page for ipa-certupdate
+.\" Copyright (C) 2014 Red Hat, Inc.
+.\"
+.\" This program is free software; you can redistribute it and/or modify
+.\" it under the terms of the GNU General Public License as published by
+.\" the Free Software Foundation, either version 3 of the License, or
+.\" (at your option) any later version.
+.\"
+.\" This program is distributed in the hope that it will be useful, but
+.\" WITHOUT ANY WARRANTY; without even the implied warranty of
+.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+.\" General Public License for more details.
+.\"
+.\" You should have received a copy of the GNU General Public License
+.\" along with this program. If not, see <http://www.gnu.org/licenses/>.
+.\"
+.\" Author: Jan Cholasta <jcholast@redhat.com>
+.\"
+.TH "ipa-certupdate" "1" "Jul 2 2014" "FreeIPA" "FreeIPA Manual Pages"
+.SH "NAME"
+ipa\-certupdate \- Update local IPA certificate databases with certificates from the server
+.SH "SYNOPSIS"
+\fBipa\-certupdate\fR [\fIOPTIONS\fR...]
+.SH "DESCRIPTION"
+\fBipa\-certupdate\fR can be used to update local IPA certificate databases with certificates from the server.
+.SH "OPTIONS"
+.TP
+\fB\-v\fR, \fB\-\-verbose\fR
+Print debugging information.
+.TP
+\fB\-q\fR, \fB\-\-quiet\fR
+Output only errors.
+.TP
+\fB\-\-log\-file\fR=\fIFILE\fR
+Log to the given file.
+.SH "EXIT STATUS"
+0 if the command was successful
+
+1 if an error occurred
diff --git a/client/man/ipa-client-automount.1 b/client/man/ipa-client-automount.1
new file mode 100644
index 000000000..5b60503f1
--- /dev/null
+++ b/client/man/ipa-client-automount.1
@@ -0,0 +1,89 @@
+.\" A man page for ipa-client-automount
+.\" Copyright (C) 2012 Red Hat, Inc.
+.\"
+.\" This program is free software; you can redistribute it and/or modify
+.\" it under the terms of the GNU General Public License as published by
+.\" the Free Software Foundation, either version 3 of the License, or
+.\" (at your option) any later version.
+.\"
+.\" This program is distributed in the hope that it will be useful, but
+.\" WITHOUT ANY WARRANTY; without even the implied warranty of
+.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+.\" General Public License for more details.
+.\"
+.\" You should have received a copy of the GNU General Public License
+.\" along with this program. If not, see <http://www.gnu.org/licenses/>.
+.\"
+.\" Author: Rob Crittenden <rcritten@redhat.com>
+.\"
+.TH "ipa-client-automount" "1" "May 25 2012" "FreeIPA" "FreeIPA Manual Pages"
+.SH "NAME"
+ipa\-client\-automount \- Configure automount and NFS for IPA
+.SH "SYNOPSIS"
+ipa\-client\-automount [\fIOPTION\fR]... <location>
+.SH "DESCRIPTION"
+Configures automount for IPA.
+
+The automount configuration consists of three files:
+.PP
+.IP o
+/etc/nsswitch.conf
+.IP o
+/etc/sysconfig/autofs
+.IP o
+/etc/autofs_ldap_auth.conf
+
+.TP
+By default this will use DNS discovery to attempt to determine the IPA server(s) to use. If IPA servers are discovered then the automount client will be configured to use DNS discovery.
+.TP
+If DNS discovery fails or a specific server is desired, use the \-\-server option.
+.TP
+The default automount location is named default. To specify a different one use the \-\-location option.
+.TP
+The IPA client must already be configured in order to configure automount. The IPA client is configured as part of a server installation.
+.TP
+There are two ways to configure automount. The default is to use sssd to manage the automount maps. Alternatively autofs can configured to bind to LDAP over GSSAPI and authenticate using the machine's host principal.
+.TP
+The nsswitch automount service is configured to use either sss or ldap and files depending on whether SSSD is configured or not.
+.TP
+NFSv4 is also configured. The rpc.gssd and rpc.idmapd are started on clients to support Kerberos\-secured mounts.
+.SH "OPTIONS"
+\fB\-\-server\fR=\fISERVER\fR
+Set the IPA server to connect to
+.TP
+\fB\-\-location\fR=\fILOCATION\fR
+Automount location
+.TP
+\fB\-S\fR, \fB\-\-no\-sssd\fR
+Do not configure the client to use SSSD for automount
+.TP
+\fB\-d\fR, \fB\-\-debug\fR
+Print debugging information to stdout
+.TP
+\fB\-U\fR, \fB\-\-unattended\fR
+Unattended installation. The user will not be prompted
+.TP
+\fB\-\-uninstall\fR
+Restore the automount configuration files
+
+.SH "FILES"
+.TP
+Files that will be always be configured:
+
+/etc/nsswitch.conf
+.TP
+Files that will be configured when SSSD is the automount client (default):
+
+/etc/sssd/sssd.conf
+
+.TP
+Files that will be configured when using the ldap automount client:
+
+/etc/sysconfig/autofs
+
+/etc/autofs_ldap_auth.conf
+
+.SH "EXIT STATUS"
+0 if the installation was successful
+
+1 if an error occurred
diff --git a/client/man/ipa-client-install.1 b/client/man/ipa-client-install.1
new file mode 100644
index 000000000..494fd4952
--- /dev/null
+++ b/client/man/ipa-client-install.1
@@ -0,0 +1,288 @@
+.\" A man page for ipa-client-install
+.\" Copyright (C) 2008 Red Hat, Inc.
+.\"
+.\" This program is free software; you can redistribute it and/or modify
+.\" it under the terms of the GNU General Public License as published by
+.\" the Free Software Foundation, either version 3 of the License, or
+.\" (at your option) any later version.
+.\"
+.\" This program is distributed in the hope that it will be useful, but
+.\" WITHOUT ANY WARRANTY; without even the implied warranty of
+.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+.\" General Public License for more details.
+.\"
+.\" You should have received a copy of the GNU General Public License
+.\" along with this program. If not, see <http://www.gnu.org/licenses/>.
+.\"
+.\" Author: Rob Crittenden <rcritten@redhat.com>
+.\"
+.TH "ipa-client-install" "1" "Jan 31 2013" "FreeIPA" "FreeIPA Manual Pages"
+.SH "NAME"
+ipa\-client\-install \- Configure an IPA client
+.SH "SYNOPSIS"
+ipa\-client\-install [\fIOPTION\fR]...
+.SH "DESCRIPTION"
+Configures a client machine to use IPA for authentication and identity services.
+
+By default this configures SSSD to connect to an IPA server for authentication and authorization. Optionally one can instead configure PAM and NSS (Name Switching Service) to work with an IPA server over Kerberos and LDAP.
+
+An authorized user is required to join a client machine to IPA. This can take the form of a kerberos principal or a one\-time password associated with the machine.
+
+This same tool is used to unconfigure IPA and attempts to return the machine to its previous state. Part of this process is to unenroll the host from the IPA server. Unenrollment consists of disabling the principal key on the IPA server so that it may be re\-enrolled. The machine principal in /etc/krb5.keytab (host/<fqdn>@REALM) is used to authenticate to the IPA server to unenroll itself. If this principal does not exist then unenrollment will fail and an administrator will need to disable the host principal (ipa host\-disable <fqdn>).
+
+.SS "Assumptions"
+The ipa\-client\-install script assumes that the machine has already generated SSH keys. It will not generate SSH keys of its own accord. If SSH keys are not present (e.g when running the ipa\-client\-install in a kickstart, before ever running sshd), they will not be uploaded to the client host entry on the server.
+
+.SS "Hostname Requirements"
+Client must use a \fBstatic hostname\fR. If the machine hostname changes for example due to a dynamic hostname assignment by a DHCP server, client enrollment to IPA server breaks and user then would not be able to perform Kerberos authentication.
+
+\-\-hostname option may be used to specify a static hostname that persists over reboot.
+
+.SS "DNS Autodiscovery"
+Client installer by default tries to search for _ldap._tcp.DOMAIN DNS SRV records for all domains that are parent to its hostname. For example, if a client machine has a hostname 'client1.lab.example.com', the installer will try to retrieve an IPA server hostname from _ldap._tcp.lab.example.com, _ldap._tcp.example.com and _ldap._tcp.com DNS SRV records, respectively. The discovered domain is then used to configure client components (e.g. SSSD and Kerberos 5 configuration) on the machine.
+
+When the client machine hostname is not in a subdomain of an IPA server, its domain can be passed with \-\-domain option. In that case, both SSSD and Kerberos components have the domain set in the configuration files and will use it to autodiscover IPA servers.
+
+Client machine can also be configured without a DNS autodiscovery at all. When both \-\-server and \-\-domain options are used, client installer will use the specified server and domain directly. \-\-server option accepts multiple server hostnames which can be used for failover mechanism. Without DNS autodiscovery, Kerberos is configured with a fixed list of KDC and Admin servers. SSSD is still configured to either try to read domain's SRV records or the specified fixed list of servers. When \-\-fixed\-primary option is specified, SSSD will not try to read DNS SRV record at all (see sssd\-ipa(5) for details).
+
+.SS "The Failover Mechanism"
+When some of the IPA servers is not available, client components are able to fallback to other IPA replica and thus preserving a continued service. When client machine is configured to use DNS SRV record autodiscovery (no fixed server was passed to the installer), client components do the fallback automatically, based on the IPA server hostnames and priorities discovered from the DNS SRV records.
+
+If DNS autodiscovery is not available, clients should be configured at least with a fixed list of IPA servers that can be used in case of a failure. When only one IPA server is configured, IPA client services will not be available in case of a failure of the IPA server. Please note, that in case of a fixed list of IPA servers, the fixed server lists in client components need to be updated when a new IPA server is enrolled or a current IPA server is decommissioned.
+
+.SS "Coexistence With Other Directory Servers"
+Other directory servers deployed in the network (e.g. Microsoft Active Directory) may use the same DNS SRV records to denote hosts with a directory service (_ldap._tcp.DOMAIN). Such DNS SRV records may break the installation if the installer discovers these DNS records before it finds DNS SRV records pointing to IPA servers. The installer would then fail to discover the IPA server and exit with error.
+
+In order to avoid the aforementioned DNS autodiscovery issues, the client machine hostname should be in a domain with properly defined DNS SRV records pointing to IPA servers, either manually with a custom DNS server or with IPA DNS integrated solution. A second approach would be to avoid autodiscovery and configure the installer to use a fixed list of IPA server hostnames using the \-\-server option and with a \-\-fixed\-primary option disabling DNS SRV record autodiscovery in SSSD.
+
+.SS "Re\-enrollment of the host"
+Requirements:
+
+1. Host has not been un\-enrolled (the ipa\-client\-install \-\-uninstall command has not been run).
+.br
+2. The host entry has not been disabled via the ipa host\-disable command.
+
+If this has been the case, host can be re\-enrolled using the usual methods.
+
+There are two method of authenticating a re\-enrollment:
+
+1. You can use \-\-force\-join option with ipa\-client\-install command. This authenticates the re\-enrollment using the admin's credentials provided via the \-w/\-\-password option.
+.br
+2. If providing the admin's password via the command line is not an option (e.g you want to create a script to re\-enroll a host and keep the admin's password secure), you can use backed up keytab from the previous enrollment of this host to authenticate. See \-\-keytab option.
+
+Consequences of the re\-enrollment on the host entry:
+
+1. A new host certificate is issued
+.br
+2. The old host certificate is revoked
+.br
+3. New SSH keys are generated
+.br
+4. ipaUniqueID is preserved
+
+.SH "OPTIONS"
+.SS "BASIC OPTIONS"
+.TP
+\fB\-\-domain\fR=\fIDOMAIN\fR
+Set the domain name to DOMAIN. When no \-\-server option is specified, the installer will try to discover all available servers via DNS SRV record autodiscovery (see DNS Autodiscovery section for details).
+.TP
+\fB\-\-server\fR=\fISERVER\fR
+Set the IPA server to connect to. May be specified multiple times to add multiple servers to ipa_server value in sssd.conf or krb5.conf. Only the first value is considered when used with \-\-no\-sssd. When this option is used, DNS autodiscovery for Kerberos is disabled and a fixed list of KDC and Admin servers is configured.
+.TP
+\fB\-\-realm\fR=\fIREALM_NAME\fR
+Set the IPA realm name to REALM_NAME. Under normal circumstances, this option is not needed as the realm name is retrieved from the IPA server.
+.TP
+\fB\-\-fixed\-primary\fR
+Configure SSSD to use a fixed server as the primary IPA server. The default is to use DNS SRV records to determine the primary server to use and fall back to the server the client is enrolled with. When used in conjunction with \-\-server then no _srv_ value is set in the ipa_server option in sssd.conf.
+.TP
+\fB\-p\fR, \fB\-\-principal\fR
+Authorized kerberos principal to use to join the IPA realm.
+.TP
+\fB\-w\fR \fIPASSWORD\fR, \fB\-\-password\fR=\fIPASSWORD\fR
+Password for joining a machine to the IPA realm. Assumes bulk password unless principal is also set.
+.TP
+\fB\-W\fR
+Prompt for the password for joining a machine to the IPA realm.
+.TP
+\fB\-k\fR, \fB\-\-keytab\fR
+Path to backed up host keytab from previous enrollment. Joins the host even if it is already enrolled.
+.TP
+\fB\-\-mkhomedir\fR
+Configure PAM to create a users home directory if it does not exist.
+.TP
+\fB\-\-hostname\fR
+The hostname of this machine (FQDN). If specified, the hostname will be set and the system configuration will be updated to persist over reboot. By default a nodename result from uname(2) is used.
+.TP
+\fB\-\-force\-join\fR
+Join the host even if it is already enrolled.
+.TP
+\fB\-\-ntp\-server\fR=\fINTP_SERVER\fR
+Configure ntpd to use this NTP server. This option can be used multiple times.
+.TP
+\fB\-N\fR, \fB\-\-no\-ntp\fR
+Do not configure or enable NTP.
+.TP
+\fB\-\-force\-ntpd\fR
+Stop and disable any time&date synchronization services besides ntpd.
+.TP
+\fB\-\-nisdomain\fR=\fINIS_DOMAIN\fR
+Set the NIS domain name as specified. By default, this is set to the IPA domain name.
+.TP
+\fB\-\-no\-nisdomain\fR
+Do not configure NIS domain name.
+.TP
+\fB\-\-ssh\-trust\-dns\fR
+Configure OpenSSH client to trust DNS SSHFP records.
+.TP
+\fB\-\-no\-ssh\fR
+Do not configure OpenSSH client.
+.TP
+\fB\-\-no\-sshd\fR
+Do not configure OpenSSH server.
+.TP
+\fB\-\-no\-sudo\fR
+Do not configure SSSD as a data source for sudo.
+.TP
+\fB\-\-no\-dns\-sshfp\fR
+Do not automatically create DNS SSHFP records.
+.TP
+\fB\-\-noac\fR
+Do not use Authconfig to modify the nsswitch.conf and PAM configuration.
+.TP
+\fB\-f\fR, \fB\-\-force\fR
+Force the settings even if errors occur
+.TP
+\fB\-\-kinit\-attempts\fR=\fIKINIT_ATTEMPTS\fR
+In case of unresponsive KDC (e.g. when enrolling multiple hosts at once in a
+heavy load environment) repeat the request for host Kerberos ticket up to a
+total number of \fIKINIT_ATTEMPTS\fR times before giving up and aborting client
+installation. Default number of attempts is 5. The request is not repeated when
+there is a problem with host credentials themselves (e.g. wrong keytab format
+or invalid principal) so using this option will not lead to account lockouts.
+.TP
+\fB\-d\fR, \fB\-\-debug\fR
+Print debugging information to stdout
+.TP
+\fB\-U\fR, \fB\-\-unattended\fR
+Unattended installation. The user will not be prompted.
+.TP
+\fB\-\-ca\-cert\-file\fR=\fICA_FILE\fR
+Do not attempt to acquire the IPA CA certificate via automated means,
+instead use the CA certificate found locally in in \fICA_FILE\fR. The
+\fICA_FILE\fR must be an absolute path to a PEM formatted certificate
+file. The CA certificate found in \fICA_FILE\fR is considered
+authoritative and will be installed without checking to see if it's
+valid for the IPA domain.
+.TP
+\fB\-\-request\-cert\fR
+Request certificate for the machine. The certificate will be stored in /etc/ipa/nssdb under the nickname "Local IPA host".
+.TP
+\fB\-\-automount\-location\fR=\fILOCATION\fR
+Configure automount by running ipa\-client\-automount(1) with \fILOCATION\fR as
+automount location.
+.TP
+\fB\-\-configure\-firefox\fR
+Configure Firefox to use IPA domain credentials.
+.TP
+\fB\-\-firefox\-dir\fR=\fIDIR\fR
+Specify Firefox installation directory. For example: '/usr/lib/firefox'
+.TP
+\fB\-\-ip\-address\fR=\fIIP_ADDRESS\fR
+Use \fIIP_ADDRESS\fR in DNS A/AAAA record for this host. May be specified multiple times to add multiple DNS records.
+.TP
+\fB\-\-all\-ip\-addresses\fR
+Create DNS A/AAAA record for each IP address on this host.
+
+.SS "SSSD OPTIONS"
+.TP
+\fB\-\-permit\fR
+Configure SSSD to permit all access. Otherwise the machine will be controlled by the Host\-based Access Controls (HBAC) on the IPA server.
+.TP
+\fB\-\-enable\-dns\-updates\fR
+This option tells SSSD to automatically update DNS with the IP address of this client.
+.TP
+\fB\-\-no\-krb5\-offline\-passwords\fR
+Configure SSSD not to store user password when the server is offline.
+.TP
+\fB\-S\fR, \fB\-\-no\-sssd\fR
+Do not configure the client to use SSSD for authentication, use nss_ldap instead.
+.TP
+\fB\-\-preserve\-sssd\fR
+Disabled by default. When enabled, preserves old SSSD configuration if it is
+not possible to merge it with a new one. Effectively, if the merge is not
+possible due to SSSDConfig reader encountering unsupported options,
+\fBipa\-client\-install\fR will not run further and ask to fix SSSD config
+first. When this option is not specified, \fBipa\-client\-install\fR will back
+up SSSD config and create new one. The back up version will be restored during
+uninstall.
+
+.SS "UNINSTALL OPTIONS"
+.TP
+\fB\-\-uninstall\fR
+Remove the IPA client software and restore the configuration to the pre\-IPA state.
+.TP
+\fB\-U\fR, \fB\-\-unattended\fR
+Unattended uninstallation. The user will not be prompted.
+
+.SH "FILES"
+.TP
+Files that will be replaced if SSSD is configured (default):
+
+/etc/sssd/sssd.conf
+.TP
+Files that will be replaced if they exist and SSSD is not configured (\-\-no\-sssd):
+
+/etc/ldap.conf
+.br
+/etc/nss_ldap.conf
+.br
+/etc/libnss\-ldap.conf
+.br
+/etc/pam_ldap.conf
+.br
+/etc/nslcd.conf
+.TP
+Files replaced if NTP is enabled:
+
+/etc/ntp.conf
+.br
+/etc/sysconfig/ntpd
+.br
+/etc/ntp/step\-tickers
+.TP
+Files always created (replacing existing content):
+
+/etc/krb5.conf
+.br
+/etc/ipa/ca.crt
+.br
+/etc/ipa/default.conf
+.br
+/etc/ipa/nssdb
+.br
+/etc/openldap/ldap.conf
+.TP
+Files updated, existing content is maintained:
+
+/etc/nsswitch.conf
+.br
+/etc/pki/nssdb
+.br
+/etc/krb5.keytab
+.br
+/etc/sysconfig/network
+.SH "EXIT STATUS"
+0 if the installation was successful
+
+1 if an error occurred
+
+2 if uninstalling and the client is not configured
+
+3 if installing and the client is already configured
+
+4 if an uninstall error occurred
+
+.SH "SEE ALSO"
+.BR ipa\-client\-automount(1),
+.BR krb5.conf(5),
+.BR sssd.conf(5)
diff --git a/client/man/ipa-getkeytab.1 b/client/man/ipa-getkeytab.1
new file mode 100644
index 000000000..1c270729e
--- /dev/null
+++ b/client/man/ipa-getkeytab.1
@@ -0,0 +1,147 @@
+.\" A man page for ipa-getkeytab
+.\" Copyright (C) 2007 Red Hat, Inc.
+.\"
+.\" This program is free software; you can redistribute it and/or modify
+.\" it under the terms of the GNU General Public License as published by
+.\" the Free Software Foundation, either version 3 of the License, or
+.\" (at your option) any later version.
+.\"
+.\" This program is distributed in the hope that it will be useful, but
+.\" WITHOUT ANY WARRANTY; without even the implied warranty of
+.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+.\" General Public License for more details.
+.\"
+.\" You should have received a copy of the GNU General Public License
+.\" along with this program. If not, see <http://www.gnu.org/licenses/>.
+.\"
+.\" Author: Karl MacMillan <kmacmill@redhat.com>
+.\" Author: Simo Sorce <ssorce@redhat.com>
+.\"
+.TH "ipa-getkeytab" "1" "Oct 10 2007" "FreeIPA" "FreeIPA Manual Pages"
+.SH "NAME"
+ipa\-getkeytab \- Get a keytab for a Kerberos principal
+.SH "SYNOPSIS"
+ipa\-getkeytab \fB\-p\fR \fIprincipal\-name\fR \fB\-k\fR \fIkeytab\-file\fR [ \fB\-e\fR \fIencryption\-types\fR ] [ \fB\-s\fR \fIipaserver\fR ] [ \fB\-q\fR ] [ \fB\-D\fR|\fB\-\-binddn\fR \fIBINDDN\fR ] [ \fB\-w|\-\-bindpw\fR ] [ \fB\-P\fR|\fB\-\-password\fR \fIPASSWORD\fR ] [ \fB\-r\fR ]
+
+.SH "DESCRIPTION"
+Retrieves a Kerberos \fIkeytab\fR.
+
+Kerberos keytabs are used for services (like sshd) to
+perform Kerberos authentication. A keytab is a file
+with one or more secrets (or keys) for a Kerberos
+principal.
+
+A Kerberos service principal is a Kerberos identity
+that can be used for authentication. Service principals
+contain the name of the service, the hostname of the
+server, and the realm name. For example, the following
+is an example principal for an ldap server:
+
+ ldap/foo.example.com@EXAMPLE.COM
+
+When using ipa\-getkeytab the realm name is already
+provided, so the principal name is just the service
+name and hostname (ldap/foo.example.com from the
+example above).
+
+\fBWARNING:\fR retrieving the keytab resets the secret for the Kerberos principal.
+This renders all other keytabs for that principal invalid.
+
+This is used during IPA client enrollment to retrieve a host service principal and store it in /etc/krb5.keytab. It is possible to retrieve the keytab without Kerberos credentials if the host was pre\-created with a one\-time password. The keytab can be retrieved by binding as the host and authenticating with this one\-time password. The \fB\-D|\-\-binddn\fR and \fB\-w|\-\-bindpw\fR options are used for this authentication.
+.SH "OPTIONS"
+.TP
+\fB\-p principal\-name\fR
+The non\-realm part of the full principal name.
+.TP
+\fB\-k keytab\-file\fR
+The keytab file where to append the new key (will be
+created if it does not exist).
+.TP
+\fB\-e encryption\-types\fR
+The list of encryption types to use to generate keys.
+ipa\-getkeytab will use local client defaults if not provided.
+Valid values depend on the Kerberos library version and configuration.
+Common values are:
+aes256\-cts
+aes128\-cts
+des3\-hmac\-sha1
+arcfour\-hmac
+des\-hmac\-sha1
+des\-cbc\-md5
+des\-cbc\-crc
+.TP
+\fB\-s ipaserver\fR
+The IPA server to retrieve the keytab from (FQDN). If this option is not
+provided the server name is read from the IPA configuration file
+(/etc/ipa/default.conf)
+.TP
+\fB\-q\fR
+Quiet mode. Only errors are displayed.
+.TP
+\fB\-\-permitted\-enctypes\fR
+This options returns a description of the permitted encryption types, like this:
+Supported encryption types:
+AES\-256 CTS mode with 96\-bit SHA\-1 HMAC
+AES\-128 CTS mode with 96\-bit SHA\-1 HMAC
+Triple DES cbc mode with HMAC/sha1
+ArcFour with HMAC/md5
+DES cbc mode with CRC\-32
+DES cbc mode with RSA\-MD5
+DES cbc mode with RSA\-MD4
+.TP
+\fB\-P, \-\-password\fR
+Use this password for the key instead of one randomly generated.
+.TP
+\fB\-D, \-\-binddn\fR
+The LDAP DN to bind as when retrieving a keytab without Kerberos credentials. Generally used with the \fB\-w\fR option.
+.TP
+\fB\-w, \-\-bindpw\fR
+The LDAP password to use when not binding with Kerberos.
+.TP
+\fB\-r\fR
+Retrieve mode. Retrieve an existing key from the server instead of generating a
+new one. This is incompatibile with the \-\-password option, and will work only
+against a FreeIPA server more recent than version 3.3. The user requesting the
+keytab must have access to the keys for this operation to succeed.
+.SH "EXAMPLES"
+Add and retrieve a keytab for the NFS service principal on
+the host foo.example.com and save it in the file /tmp/nfs.keytab and retrieve just the des\-cbc\-crc key.
+
+ # ipa\-getkeytab \-p nfs/foo.example.com \-k /tmp/nfs.keytab \-e des\-cbc\-crc
+
+Add and retrieve a keytab for the ldap service principal on
+the host foo.example.com and save it in the file /tmp/ldap.keytab.
+
+ # ipa\-getkeytab \-s ipaserver.example.com \-p ldap/foo.example.com \-k /tmp/ldap.keytab
+
+Retrieve a keytab using LDAP credentials (this will typically be done by \fBipa\-join(1)\fR when enrolling a client using the \fBipa\-client\-install(1)\fR command:
+
+ # ipa\-getkeytab \-s ipaserver.example.com \-p host/foo.example.com \-k /etc/krb5.keytab \-D fqdn=foo.example.com,cn=computers,cn=accounts,dc=example,dc=com \-w password
+.SH "EXIT STATUS"
+The exit status is 0 on success, nonzero on error.
+
+0 Success
+
+1 Kerberos context initialization failed
+
+2 Incorrect usage
+
+3 Out of memory
+
+4 Invalid service principal name
+
+5 No Kerberos credentials cache
+
+6 No Kerberos principal and no bind DN and password
+
+7 Failed to open keytab
+
+8 Failed to create key material
+
+9 Setting keytab failed
+
+10 Bind password required when using a bind DN
+
+11 Failed to add key to keytab
+
+12 Failed to close keytab
diff --git a/client/man/ipa-join.1 b/client/man/ipa-join.1
new file mode 100644
index 000000000..d88160784
--- /dev/null
+++ b/client/man/ipa-join.1
@@ -0,0 +1,142 @@
+.\" A man page for ipa-join
+.\" Copyright (C) 2009 Red Hat, Inc.
+.\"
+.\" This program is free software; you can redistribute it and/or modify
+.\" it under the terms of the GNU General Public License as published by
+.\" the Free Software Foundation, either version 3 of the License, or
+.\" (at your option) any later version.
+.\"
+.\" This program is distributed in the hope that it will be useful, but
+.\" WITHOUT ANY WARRANTY; without even the implied warranty of
+.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+.\" General Public License for more details.
+.\"
+.\" You should have received a copy of the GNU General Public License
+.\" along with this program. If not, see <http://www.gnu.org/licenses/>.
+.\"
+.\" Author: Rob Crittenden <rcritten@redhat.com>
+.\"
+.TH "ipa-join" "1" "Oct 8 2009" "FreeIPA" "FreeIPA Manual Pages"
+.SH "NAME"
+ipa\-join \- Join a machine to an IPA realm and get a keytab for the host service principal
+.SH "SYNOPSIS"
+ipa\-join [\fB\-d\fR|\fB\-\-debug\fR] [\fB\-q\fR|\fB\-\-quiet\fR] [\fB\-u\fR|\fB\-\-unenroll\fR] [\fB\-h\fR|\fB\-\-hostname\fR hostname] [\fB\-s\fR|\fB\-\-server\fR hostname] [\fB\-k\fR|\fB\-\-keytab\fR filename] [\fB\-w\fR|\fB\-\-bindpw\fR password] [\fB-b\fR|\-\-\fBbasedn basedn\fR] [\fB\-?\fR|\fB\-\-help\fR] [\fB\-\-usage\fR]
+
+.SH "DESCRIPTION"
+Joins a host to an IPA realm and retrieves a kerberos \fIkeytab\fR for the host service principal, or unenrolls an enrolled host from an IPA server.
+
+Kerberos keytabs are used for services (like sshd) to perform kerberos authentication. A keytab is a file with one or more secrets (or keys) for a kerberos principal.
+
+The ipa\-join command will create and retrieve a service principal for host/foo.example.com@EXAMPLE.COM and place it by default into /etc/krb5.keytab. The location can be overridden with the \-k option.
+
+The IPA server to contact is set in /etc/ipa/default.conf by default and can be overridden using the \-s,\-\-server option.
+
+In order to join the machine needs to be authenticated. This can happen in one of two ways:
+
+* Authenticate using the current kerberos principal
+
+* Provide a password to authenticate with
+
+If a client host has already been joined to the IPA realm the ipa\-join command will fail. The host will need to be removed from the server using `ipa host\-del FQDN` in order to join the client to the realm.
+
+This command is normally executed by the ipa\-client\-install command as part of the enrollment process.
+
+The reverse is unenrollment. Unenrolling a host removes the Kerberos key on the IPA server. This prepares the host to be re\-enrolled. This uses the host principal stored in /etc/krb5.conf to authenticate to the IPA server to perform the unenrollment.
+
+Please note, that while the ipa\-join option removes the client from the domain, it does not actually uninstall the client or properly remove all of the IPA\-related configuration. The only way to uninstall a client completely is to use ipa\-client\-install \-\-uninstall
+(see
+.BR ipa\-client\-install (1)).
+
+.SH "OPTIONS"
+.TP
+\fB\-h,\-\-hostname hostname\fR
+The hostname of this server (FQDN). By default of nodename from uname(2) is used.
+.TP
+\fB\-s,\-\-server server\fR
+The hostname of the IPA server (FQDN). Note that by default there is no /etc/ipa/default.conf, in most cases it needs to be supplied.
+.TP
+\fB\-k,\-\-keytab keytab\-file\fR
+The keytab file where to append the new key (will be created if it does not exist). Default: /etc/krb5.keytab
+.TP
+\fB\-w,\-\-bindpw password\fR
+The password to use if not using Kerberos to authenticate. Use a password of this particular host (one time password created on IPA server)
+.TP
+\fB\-b,\-\-basedn basedn\fR
+The basedn of the IPA server (of the form dc=example,dc=com). This is only needed when not using Kerberos to authenticate and anonymous binds are disallowed in the IPA LDAP server.
+.TP
+\fB\-f,\-\-force\fR
+Force enrolling the host even if host entry exists.
+.TP
+\fB\-u,\-\-unenroll\fR
+Unenroll this host from the IPA server. No keytab entry is removed in the process
+(see
+.BR ipa-rmkeytab (1)).
+.TP
+\fB\-q,\-\-quiet\fR
+Quiet mode. Only errors are displayed.
+.TP
+\fB\-d,\-\-debug\fR
+Print the raw XML-RPC output in GSSAPI mode.
+.SH "EXAMPLES"
+Join IPA domain and retrieve a keytab with kerberos credentials.
+
+ # kinit admin
+ # ipa\-join
+
+Join IPA domain and retrieve a keytab using a one\-time password.
+
+ # ipa\-join \-w secret123
+
+Join IPA domain and save the keytab in another location.
+
+ # ipa\-join \-k /tmp/host.keytab
+.SH "EXIT STATUS"
+The exit status is 0 on success, nonzero on error.
+
+0 Success
+
+1 Kerberos context initialization failed
+
+2 Incorrect usage
+
+3 Out of memory
+
+4 Invalid service principal name
+
+5 No Kerberos credentials cache
+
+6 No Kerberos principal and no bind DN and password
+
+7 Failed to open keytab
+
+8 Failed to create key material
+
+9 Setting keytab failed
+
+10 Bind password required when using a bind DN
+
+11 Failed to add key to keytab
+
+12 Failed to close keytab
+
+13 Host is already enrolled
+
+14 LDAP failure
+
+15 Incorrect bulk password
+
+16 Host name must be fully\-qualified
+
+17 XML\-RPC fault
+
+18 Principal not found in host entry
+
+19 Unable to generate Kerberos credentials cache
+
+20 Unenrollment result not in XML\-RPC response
+
+21 Failed to get default Kerberos realm
+
+.SH "SEE ALSO"
+.BR ipa-rmkeytab (1)
+.BR ipa-client-install (1)
diff --git a/client/man/ipa-rmkeytab.1 b/client/man/ipa-rmkeytab.1
new file mode 100644
index 000000000..53f775439
--- /dev/null
+++ b/client/man/ipa-rmkeytab.1
@@ -0,0 +1,89 @@
+.\" A man page for ipa-rmkeytab
+.\" Copyright (C) 2009 Red Hat, Inc.
+.\"
+.\" This program is free software; you can redistribute it and/or modify
+.\" it under the terms of the GNU General Public License as published by
+.\" the Free Software Foundation, either version 3 of the License, or
+.\" (at your option) any later version.
+.\"
+.\" This program is distributed in the hope that it will be useful, but
+.\" WITHOUT ANY WARRANTY; without even the implied warranty of
+.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+.\" General Public License for more details.
+.\"
+.\" You should have received a copy of the GNU General Public License
+.\" along with this program. If not, see <http://www.gnu.org/licenses/>.
+.\"
+.\" Author: Rob Crittenden <rcritten@redhat.com>
+.\"
+.\"
+.TH "ipa-rmkeytab" "1" "Oct 30 2009" "FreeIPA" "FreeIPA Manual Pages"
+.SH "NAME"
+ipa\-rmkeytab \- Remove a kerberos principal from a keytab
+.SH "SYNOPSIS"
+ipa\-rmkeytab [ \fB\-p\fR principal\-name ] [ \fB\-k\fR keytab\-file ] [ \fB\-r\fR realm ] [ \fB\-d\fR ]
+
+.SH "DESCRIPTION"
+Removes a kerberos principal from a \fIkeytab\fR.
+
+Kerberos keytabs are used for services (like sshd) to
+perform kerberos authentication. A keytab is a file
+with one or more secrets (or keys) for a kerberos
+principal.
+
+A kerberos service principal is a kerberos identity
+that can be used for authentication. Service principals
+contain the name of the service, the hostname of the
+server, and the realm name.
+
+ipa\-rmkeytab provides two ways to remove principals.
+A specific principal can be removed or all
+principals for a given realm can be removed.
+
+All encryption types and versions of a principal are removed.
+
+The realm may be included when removing a specific principal but
+it is not required.
+
+\fBNOTE:\fR removing a principal from the keytab does not affect
+the Kerberos principal stored in the IPA server. It merely removes
+the entry from the local keytab.
+.SH "OPTIONS"
+.TP
+\fB\-p principal\-name\fR
+The non\-realm part of the full principal name.
+.TP
+\fB\-k keytab\-file\fR
+The keytab file to remove the principal(s) from.
+.TP
+\fB\-r realm\fR
+A realm to remove all principals for.
+.TP
+\fB\-d\fR
+Debug mode. Additional information is displayed.
+.SH "EXAMPLES"
+Remove the NFS service principal on the host foo.example.com from /tmp/nfs.keytab.
+
+ # ipa\-rmkeytab \-p nfs/foo.example.com \-k /tmp/nfs.keytab
+
+Remove the ldap service principal on the host foo.example.com from /etc/krb5.keytab.
+
+ # ipa\-rmkeytab \-p ldap/foo.example.com \-k /etc/krb5.keytab
+
+Remove all principals for the realm EXAMPLE.COM.
+
+ # ipa\-rmkeytab \-r EXAMPLE.COM \-k /etc/krb5.keytab
+.SH "EXIT STATUS"
+The exit status is 0 on success, nonzero on error.
+
+1 Kerberos initialization failed
+
+2 Memory allocation error
+
+3 Unable to open keytab
+
+4 Unable to parse the principal name
+
+5 Principal name or realm not found in keytab
+
+6 Unable to remove principal from keytab
diff --git a/client/version.m4.in b/client/version.m4.in
new file mode 100644
index 000000000..5ddc8cea3
--- /dev/null
+++ b/client/version.m4.in
@@ -0,0 +1 @@
+define([IPA_VERSION], [__VERSION__])
generated by cgit (git 2.34.1) at 2024-05-01 17:52:09 +0000