author | Alexander Bokovoy <abokovoy@redhat.com> | 2012-05-15 20:03:16 +0300 |
---|---|---|
committer | Martin Kosek <mkosek@redhat.com> | 2012-06-07 09:39:10 +0200 |
commit | bd0d85804320e840db9b5cf19a5e69b3a0804e20 (patch) | |
tree | 0741271180b207f68b652570c9930ebc3fdbe105 /ipaserver/install/adtrustinstance.py | |
parent | 000bcfe34f318f613ec7c8744b3f886ef4ffb8ba (diff) | |
Add trust-related ACIs
A high-level description of the design and ACIs for trusts is available at
https://www.redhat.com/archives/freeipa-devel/2011-December/msg00224.html
and
https://www.redhat.com/archives/freeipa-devel/2011-December/msg00248.html
Ticket #1731
Diffstat (limited to 'ipaserver/install/adtrustinstance.py')
-rw-r--r-- | ipaserver/install/adtrustinstance.py | 90 |
1 files changed, 22 insertions, 68 deletions
diff --git a/ipaserver/install/adtrustinstance.py b/ipaserver/install/adtrustinstance.py
index d9609f4c2..fffa062cd 100644
--- a/ipaserver/install/adtrustinstance.py
+++ b/ipaserver/install/adtrustinstance.py
@@ -103,6 +103,8 @@ class ADTRUSTInstance(service.Service):
         self.trust_dn = None
         self.smb_dom_dn = None
         self.sub_dict = None
+        self.cifs_principal = None
+        self.cifs_agent = None
         service.Service.__init__(self, "smb", dm_password=dm_password)
@@ -111,55 +113,6 @@ class ADTRUSTInstance(service.Service):
         else:
             self.fstore = sysrestore.FileStore('/var/lib/ipa/sysrestore')
-    def __create_samba_user(self):
-        print "The user for Samba is %s" % self.smb_dn
-        try:
-            self.admin_conn.getEntry(self.smb_dn, ldap.SCOPE_BASE)
-            root_logger.info("Samba user entry exists, resetting password")
-
-            self.admin_conn.modify_s(self.smb_dn, \
-                [(ldap.MOD_REPLACE, "userPassword", self.smb_dn_pwd)])
-            return
-
-        except errors.NotFound:
-            pass
-
-        # The user doesn't exist, add it
-        entry = ipaldap.Entry(self.smb_dn)
-        entry.setValues("objectclass", ["account", "simplesecurityobject"])
-        entry.setValues("uid", "samba")
-        entry.setValues("userPassword", self.smb_dn_pwd)
-        self.admin_conn.addEntry(entry)
-
-        # And finally grant it permission to read NT passwords, we do not want
-        # to support LM passwords so there is no need to allow access to them.
-        # Also the premission to create trusted domain objects below the
-        # domain object is granted.
-        mod = [(ldap.MOD_ADD, 'aci',
-                str('(targetattr = "ipaNTHash")' \
-                    '(version 3.0; acl "Samba user can read NT passwords";' \
-                    'allow (read) userdn="ldap:///%s";)' % self.smb_dn)),
-               (ldap.MOD_ADD, 'aci',
-                str('(target = "ldap:///cn=ad,cn=trusts,%s")' \
-                    '(targetattr = "ipaNTTrustType || ipaNTTrustAttributes || ' \
-                    'ipaNTTrustDirection || ' \
-                    'ipaNTTrustPartner || ipaNTFlatName || ' \
-                    'ipaNTTrustAuthOutgoing || ' \
-                    'ipaNTTrustAuthIncoming || ' \
-                    'ipaNTSecurityIdentifier || ' \
-                    'ipaNTTrustForestTrustInfo || ' \
-                    'ipaNTTrustPosixOffset || ' \
-                    'ipaNTSupportedEncryptionTypes")' \
-                    '(version 3.0;acl "Allow samba user to create and delete ' \
-                    'trust accounts";' \
-                    'allow (write,add,delete) userdn = "ldap:///%s";)' % \
-                    (self.suffix, self.smb_dn)))]
-
-        try:
-            self.admin_conn.modify_s(self.suffix, mod)
-        except ldap.TYPE_OR_VALUE_EXISTS:
-            root_logger.debug("samba user aci already exists in suffix %s on %s" % (self.suffix, self.admin_conn.host))
-
     def __gen_sid_string(self):
         sub_ids = struct.unpack("<LLL", os.urandom(12))
         return "S-1-5-21-%d-%d-%d" % (sub_ids[0], sub_ids[1], sub_ids[2])
@@ -275,17 +228,18 @@ class ADTRUSTInstance(service.Service):
         finally:
             os.remove(tmp_name)
-    def __set_smb_ldap_password(self):
-        args = ["/usr/bin/smbpasswd", "-c", self.smb_conf, "-s", "-W" ]
-
-        ipautil.run(args, stdin = self.smb_dn_pwd + "\n" + \
-                                  self.smb_dn_pwd + "\n" )
-
     def __setup_principal(self):
-        cifs_principal = "cifs/" + self.fqdn + "@" + self.realm_name
-
-
         try:
-            api.Command.service_add(unicode(cifs_principal))
+            api.Command.service_add(unicode(self.cifs_principal))
+            # Add the principal to the 'adtrust agents' group
+            # as 389-ds only operates with GroupOfNames, we have to use
+            # the principal's proper dn as defined in self.cifs_agent
+            entry = self.admin_conn.getEntry(self.smb_dn, ldap.SCOPE_BASE)
+            current = ipaldap.Entry(self.smb_dn, entry.toDict())
+            if not('member' in current):
+                current['member'] = []
+            entry.setValues("member", current['member'] + [self.cifs_agent])
+            self.admin_conn.updateEntry(self.smb_dn, current, entry)
         except Exception, e:
             # CIFS principal already exists, it is not the first time adtrustinstance is managed
             # That's fine, we we'll re-extract the key again.
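Review bot: In `__setup_principal` the new group-membership update is placed inside the same `try` as `service_add`, whose handler is `except Exception, e` with a comment that assumes the only possible failure is an already-existing principal; on a first run any failure of `getEntry`/`updateEntry` (for example a missing `cn=adtrust agents` entry) is swallowed as if the principal already existed, and on every later run the exception raised by `service_add` for the existing principal skips the membership update entirely, so a principal that exists but is not yet a member is never added. Since membership in that group is what the commit's design hands the trust ACIs through, a silent miss here leaves smbd without its permissions and the log says nothing about it. I would narrow the `service_add` handler to the duplicate-entry exception this codebase raises (the exact class is not visible in the hunk, so confirm it) and apply the membership idempotently outside that `try`, as sketched below. The rest of the method, including what is done with `e`, continues outside the hunk.
```python
        try:
            api.Command.service_add(unicode(self.cifs_principal))
        except errors.DuplicateEntry:  # TODO confirm exact class raised for an existing service
            # not the first run; the keytab is re-extracted below anyway
            pass
        # Membership in the 'adtrust agents' group is what grants the cifs
        # principal its rights, so (re)apply it on every run and let a failure
        # surface instead of being swallowed.
        entry = self.admin_conn.getEntry(self.smb_dn, ldap.SCOPE_BASE)
        current = ipaldap.Entry(self.smb_dn, entry.toDict())
        if not('member' in current):
            current['member'] = []
        if self.cifs_agent not in current['member']:
            entry.setValues("member", current['member'] + [self.cifs_agent])
            self.admin_conn.updateEntry(self.smb_dn, current, entry)
        # ... unchanged: keytab removal and ipa-getkeytab ...
```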
@@ -294,18 +248,18 @@ class ADTRUSTInstance(service.Service):
         samba_keytab = "/etc/samba/samba.keytab"
         if os.path.exists(samba_keytab):
             try:
-                ipautil.run(["ipa-rmkeytab", "--principal", cifs_principal,
+                ipautil.run(["ipa-rmkeytab", "--principal", self.cifs_principal,
                              "-k", samba_keytab])
             except ipautil.CalledProcessError, e:
                 if e.returncode != 5:
-                    root_logger.critical("Failed to remove old key for %s" % cifs_principal)
+                    root_logger.critical("Failed to remove old key for %s" % self.cifs_principal)
         try:
             ipautil.run(["ipa-getkeytab", "--server", self.fqdn,
-                         "--principal", cifs_principal,
+                         "--principal", self.cifs_principal,
                          "-k", samba_keytab])
         except ipautil.CalledProcessError, e:
-            root_logger.critical("Failed to add key for %s" % cifs_principal)
+            root_logger.critical("Failed to add key for %s" % self.cifs_principal)
     def __add_dns_service_records(self):
         """
@@ -393,7 +347,8 @@ class ADTRUSTInstance(service.Service):
                                   SUFFIX = self.suffix,
                                   NETBIOS_NAME = self.netbios_name,
                                   SMB_DN = self.smb_dn,
-                                  LDAPI_SOCKET = self.ldapi_socket)
+                                  LDAPI_SOCKET = self.ldapi_socket,
+                                  FQDN = self.fqdn)
     def setup(self, fqdn, ip_address, realm_name, domain_name, netbios_name,
               no_msdcs=False, smbd_user="samba"):
@@ -410,12 +365,14 @@ class ADTRUSTInstance(service.Service):
         self.smb_conf = "/etc/samba/smb.conf"
-        self.smb_dn = "uid=samba,cn=sysaccounts,cn=etc,%s" % self.suffix
-        self.smb_dn_pwd = ipautil.ipa_generate_password()
+        self.smb_dn = "cn=adtrust agents,cn=sysaccounts,cn=etc,%s" % self.suffix
         self.trust_dn = "cn=trusts,%s" % self.suffix
         self.smb_dom_dn = "cn=%s,cn=ad,cn=etc,%s" % (self.domain_name, \
                                                      self.suffix)
+        self.cifs_principal = "cifs/" + self.fqdn + "@" + self.realm_name
+        self.cifs_agent = "krbprincipalname=%s,cn=services,cn=accounts,%s" % \
+                          (self.cifs_principal.lower(), self.suffix)
         self.__setup_sub_dict()
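Review bot: In the `setup` hunk `self.cifs_agent` is assembled by string formatting with `self.cifs_principal.lower()`, so the member DN later written into the agents group carries a lower-cased realm, while `service_add` is handed `cifs/<fqdn>@<REALM>` with the realm as configured. Whether the directory evaluates group membership and `groupdn`-based ACIs against those two spellings as the same DN depends on how the `krbprincipalname` RDN is normalised, which is not visible in this diff. Safer is to record the DN of the entry `service_add` actually returns rather than reconstructing it by hand; failing that, state the assumption on that line, e.g. `# DN case must match the service entry service_add creates -- confirm krbprincipalname RDN normalisation`. `setup`'s body continues outside the hunk.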
@@ -425,13 +382,10 @@ class ADTRUSTInstance(service.Service):
         self.ldap_connect()
         self.step("stopping smbd", self.__stop)
-        self.step("creating samba user", self.__create_samba_user)
         self.step("creating samba domain object", \
                   self.__create_samba_domain_object)
         self.step("creating samba config registry", self.__write_smb_registry)
         self.step("writing samba config file", self.__write_smb_conf)
-        self.step("setting password for the samba user", \
-                  self.__set_smb_ldap_password)
         self.step("adding cifs Kerberos principal", self.__setup_principal)
         self.step("adding admin(group) SIDs", self.__add_admin_sids)
         self.step("activating CLDAP plugin", self.__add_cldap_module)
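Review bot: With the `creating samba user` step removed, nothing left in this step list creates `self.smb_dn` (`cn=adtrust agents,cn=sysaccounts,cn=etc,...`), yet `__setup_principal` reads it with `getEntry` inside a broad `except Exception`, so on a server where that entry is absent (an upgraded install, or a bootstrap LDIF that was not applied) the cifs principal silently ends up outside the group that carries its ACI rights. Presumably the group is created by an install-time LDIF elsewhere in the tree; that cannot be confirmed from this hunk. Consider a fail-fast step before `adding cifs Kerberos principal`, e.g. `self.step("checking adtrust agents group", self.__check_agents_group)` backed by a two-line method that calls `self.admin_conn.getEntry(self.smb_dn, ldap.SCOPE_BASE)` and lets `errors.NotFound` propagate with a clear message. The enclosing method's body continues outside the hunk.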