-rwxr-xr-x | install/tools/ipa-adtrust-install | 18 | ||||
-rw-r--r-- | install/tools/man/ipa-adtrust-install.1 | 23 | ||||
-rw-r--r-- | ipaserver/install/adtrustinstance.py | 22 |
3 files changed, 61 insertions, 2 deletions
diff --git a/install/tools/ipa-adtrust-install b/install/tools/ipa-adtrust-install index 5744c6f67..838f7226b 100755 --- a/install/tools/ipa-adtrust-install +++ b/install/tools/ipa-adtrust-install @@ -62,6 +62,9 @@ def parse_options(): parser.add_option("--add-sids", dest="add_sids", action="store_true", default=False, help="Add SIDs for existing users and" \ " groups as the final step") + parser.add_option("--enable-compat", + dest="enable_compat", default=False, action="store_true", + help="Enable support for trusted domains for old clients") options, args = parser.parse_args() safe_options = parser.get_safe_opts(options) @@ -194,6 +197,15 @@ def ensure_admin_kinit(admin_name, admin_password): return False return True +def enable_compat_tree(): + print "Do you want to enable support for trusted domains in Schema Compatibility plugin?" + print "This will allow clients older than SSSD 1.9 and non-Linux clients to work with trusted users." + print "" + enable_compat = ipautil.user_input("Enable trusted domains support in slapi-nis?", default = False, allow_empty = False) + print "" + return enable_compat + + def main(): safe_options, options = parse_options() @@ -244,6 +256,9 @@ def main(): sys.exit("Aborting installation.") break + if not options.unattended and not options.enable_compat: + options.enable_compat = enable_compat_tree() + # Check we have a public IP that is associated with the hostname ip = None try: @@ -363,7 +378,8 @@ def main(): smb.setup(api.env.host, ip_address, api.env.realm, api.env.domain, netbios_name, reset_netbios_name, options.rid_base, options.secondary_rid_base, - options.no_msdcs, options.add_sids) + options.no_msdcs, options.add_sids, + enable_compat = options.enable_compat) smb.find_local_id_range() smb.create_instance() diff --git a/install/tools/man/ipa-adtrust-install.1 b/install/tools/man/ipa-adtrust-install.1 index 38957f3a4..7f0566e13 100644 --- a/install/tools/man/ipa-adtrust-install.1 
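Review bot: The `--enable-compat` help string and the `enable_compat_tree()` prompt describe the option only as support for old clients, while the man page hunk in this same commit states that it also enables LDAP bind authentication of trusted-domain users under the compat tree through the PAM `system-auth` service and may need an HBAC rule for it; an admin answering the interactive prompt never sees that part. Suggest extending both texts, e.g. `help="Enable support for trusted domains for old clients (also enables LDAP bind authentication of trusted users through the compat tree)"`, and giving the new function a docstring such as `"""Interactively ask whether to enable the slapi-nis compat tree for trusted domains; returns the user's answer."""`. As a style point, `default = False, allow_empty = False` and `enable_compat = options.enable_compat` put spaces around keyword `=`, which the surrounding code (`dest="add_sids", action="store_true"`) does not.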
+++ b/install/tools/man/ipa-adtrust-install.1 
@@ -106,6 +106,29 @@ The password of the user with administrative privileges for this IPA server. Wil .TP The credentials of the admin user will be used to obtain Kerberos ticket before configuring cross-realm trusts support and afterwards, to ensure that the ticket contains MS-PAC information required to actually add a trust with Active Directory domain via 'ipa trust-add --type=ad' command. .TP +\fB\-\-enable\-compat\fR +Enables support for trusted domains users for old clients through Schema Compatibility plugin. +SSSD supports trusted domains natively starting with version 1.9. For platforms that +lack SSSD or run older SSSD version one needs to use this option. When enabled, slapi\-nis package +needs to be installed and schema\-compat\-plugin will be configured to provide lookup of +users and groups from trusted domains via SSSD on IPA server. These users and groups will be +available under \fBcn=users,cn=compat,$SUFFIX\fR and \fBcn=groups,cn=compat,$SUFFIX\fR trees. +SSSD will normalize names of users and groups to lower case. +.IP +In addition to providing these users and groups through the compat tree, this option enables +authentication over LDAP for trusted domain users with DN under compat tree, i.e. using bind DN +\fBuid=administrator@ad.domain,cn=users,cn=compat,$SUFFIX\fR. +.IP +LDAP authentication performed by the compat tree is done via PAM '\fBsystem\-auth\fR' service. +This service exists by default on Linux systems and is provided by pam package as /etc/pam.d/system\-auth. +If your IPA install does not have default HBAC rule 'allow_all' enabled, then make sure +to define in IPA special service called '\fBsystem\-auth\fR' and create an HBAC +rule to allow access to anyone to this rule on IPA masters. +.IP +As '\fBsystem\-auth\fR' PAM service is not used directly by any other +application, it is safe to use it for trusted domain users via compatibility +path. +.TP .SH "EXIT STATUS" 0 if the installation was successful 
diff --git a/ipaserver/install/adtrustinstance.py b/ipaserver/install/adtrustinstance.py index 4eb20d951..f072a6a32 100644 --- a/ipaserver/install/adtrustinstance.py +++ b/ipaserver/install/adtrustinstance.py @@ -664,6 +664,20 @@ class ADTRUSTInstance(service.Service): except Exception, e: root_logger.critical("Checking replicas for cifs principals failed with error '%s'" % e) + def __enable_compat_tree(self): + try: + compat_plugin_dn = DN("cn=Schema Compatibility,cn=plugins,cn=config") + lookup_sssd_name = "schema-compat-lookup-sssd" + for config in (("cn=users", "user"), ("cn=groups", "group")): + entry_dn = DN(config[0], compat_plugin_dn) + current = self.admin_conn.get_entry(entry_dn) + lookup_sssd = current.get(lookup_sssd_name, []) + if not(config[1] in lookup_sssd): + current[lookup_sssd_name] = [config[1]] + self.admin_conn.update_entry(entry_dn, current) + except Exception, e: + root_logger.critical("Enabling SSSD support in slapi-nis failed with error '%s'" % e) + def __start(self): try: self.start() @@ -713,7 +727,7 @@ class ADTRUSTInstance(service.Service): def setup(self, fqdn, ip_address, realm_name, domain_name, netbios_name, reset_netbios_name, rid_base, secondary_rid_base, - no_msdcs=False, add_sids=False, smbd_user="samba"): + no_msdcs=False, add_sids=False, smbd_user="samba", enable_compat=False): self.fqdn = fqdn self.ip_address = ip_address self.realm = realm_name @@ -724,6 +738,7 @@ class ADTRUSTInstance(service.Service): self.secondary_rid_base = secondary_rid_base self.no_msdcs = no_msdcs self.add_sids = add_sids + self.enable_compat = enable_compat self.smbd_user = smbd_user self.suffix = ipautil.realm_to_suffix(self.realm) self.ldapi_socket = "%%2fvar%%2frun%%2fslapd-%s.socket" % \ 
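Review bot: `__enable_compat_tree` replaces the whole `schema-compat-lookup-sssd` value list with `[config[1]]` whenever the wanted value is missing, so any value already present on the `cn=users`/`cn=groups` compat entries is dropped rather than added to; if the attribute can legitimately hold other values, `current[lookup_sssd_name] = lookup_sssd + [config[1]]` preserves them. The `except Exception, e:` handler only logs at critical level and returns normally, so the step registered for it in the `@@ -811` hunk completes and the installer reports success even when the Schema Compatibility plugin entries are absent (slapi-nis not installed, per the man page) or the update fails, leaving the admin who asked for compat support with it silently unconfigured; consider re-raising after logging, or checking that `compat_plugin_dn` can be read before the loop. `not(config[1] in lookup_sssd)` reads better as `config[1] not in lookup_sssd`.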
@@ -811,6 +826,11 @@ class ADTRUSTInstance(service.Service):
 self.step("configuring smbd to start on boot", self.__enable)
 self.step("adding special DNS service records", \
 self.__add_dns_service_records)
+
+ if self.enable_compat:
+ self.step("enabling trusted domains support for older clients via Schema Compatibility plugin",
+ self.__enable_compat_tree)
+
 self.step("restarting Directory Server to take MS PAC and LDAP plugins changes into account", \
 self.__restart_dirsrv)
 self.step("adding fallback group", self.__add_fallback_group)
|