author | Sumit Bose <sbose@redhat.com> | 2011-09-07 10:17:12 +0200 |
---|---|---|
committer | Simo Sorce <ssorce@redhat.com> | 2011-09-14 18:45:13 -0400 |
commit | 29a7a7e8cee8ec767ee8f5bb67534c68d2fcc2b5 (patch) | |
tree | 678f6adda60d25dff56a4939209c177093dcc0bb /install/tools/ipa-adtrust-install | |
parent | 29ec63c3813cee5fa8d8b1e9ad032a89992791eb (diff) | |
download | freeipa-29a7a7e8cee8ec767ee8f5bb67534c68d2fcc2b5.tar.gz freeipa-29a7a7e8cee8ec767ee8f5bb67534c68d2fcc2b5.tar.xz freeipa-29a7a7e8cee8ec767ee8f5bb67534c68d2fcc2b5.zip |
Add ipa-adtrust-install utility
https://fedorahosted.org/freeipa/ticket/1619
Diffstat (limited to 'install/tools/ipa-adtrust-install')
-rwxr-xr-x | install/tools/ipa-adtrust-install | 249 |
1 files changed, 249 insertions, 0 deletions
diff --git a/install/tools/ipa-adtrust-install b/install/tools/ipa-adtrust-install new file mode 100755 index 000000000..cc99b5551 --- /dev/null +++ b/install/tools/ipa-adtrust-install 
@@ -0,0 +1,249 @@ +#! /usr/bin/python +# +# Authors: Sumit Bose <sbose@redhat.com> +# Based on ipa-server-install by Karl MacMillan <kmacmillan@mentalrootkit.com> +# and ipa-dns-install by Martin Nagy +# +# Copyright (C) 2011 Red Hat +# see file 'COPYING' for use and warranty information +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. +# + +import traceback + +from ipaserver.plugins.ldap2 import ldap2 +from ipaserver.install import adtrustinstance +from ipaserver.install.installutils import * +from ipaserver.install import installutils +from ipapython import version +from ipapython import ipautil, sysrestore +from ipalib import api, errors, util +from ipapython.config import IPAOptionParser +import krbV +import ldap + +def parse_options(): + parser = IPAOptionParser(version=version.VERSION) + parser.add_option("-p", "--ds-password", dest="dm_password", + sensitive=True, help="directory manager password") + parser.add_option("-d", "--debug", dest="debug", action="store_true", + default=False, help="print debugging information") + parser.add_option("--ip-address", dest="ip_address", + type="ip", ip_local=True, help="Master Server IP Address") + parser.add_option("--netbios-name", dest="netbios_name", + help="NetBIOS name of the IPA domain") + parser.add_option("-U", "--unattended", dest="unattended", action="store_true", + default=False, help="unattended installation never 
prompts the user") + + options, args = parser.parse_args() + safe_options = parser.get_safe_opts(options) + + return safe_options, options + +def netbios_name_error(name): + print "Illegal NetBIOS name [%s].\n" % name + print "Up to 15 characters and only uppercase ASCII letter and digits are allowed." + +def read_netbios_name(netbios_default): + netbios_name = "" + + print "Enter the NetBIOS name for the IPA domain." + print "Only up to 15 uppercase ASCII letters and digits are allowed." + print "Example: EXAMPLE." + print "" + print "" + if not netbios_default: + netbios_default = "EXAMPLE" + while True: + netbios_name = ipautil.user_input("NetBIOS domain name", netbios_default, allow_empty = False) + print "" + if adtrustinstance.check_netbios_name(netbios_name): + break + + netbios_name_error(netbios_name) + + return netbios_name + +def main(): + safe_options, options = parse_options() + + if os.getegid() != 0: + sys.exit("Must be root to setup AD trusts on server") + + standard_logging_setup("/var/log/ipaserver-install.log", options.debug, filemode='a') + print "\nThe log file for this installation can be found in /var/log/ipaserver-install.log" + + logging.debug('%s was invoked with options: %s' % (sys.argv[0], safe_options)) + logging.debug("missing options might be asked for interactively later\n") + + installutils.check_server_configuration() + + global fstore + fstore = sysrestore.FileStore('/var/lib/ipa/sysrestore') + + print "==============================================================================" + print "This program will setup components needed to establish trust to AD domains for" + print "the FreeIPA Server." + print "" + print "This includes:" + print " * Configure Samba" + print " * Add trust related objects to FreeIPA LDAP server" + #TODO: + #print " * Add a SID to all users and Posix groups" + print "" + print "To accept the default shown in brackets, press the Enter key." 
+ print "" + + # Check if samba packages are installed + if not adtrustinstance.check_inst(options.unattended): + sys.exit("Aborting installation.") + + # Initialize the ipalib api + cfg = dict( + in_server=True, + debug=options.debug, + ) + api.bootstrap(**cfg) + api.finalize() + + if adtrustinstance.ipa_smb_conf_exists(): + if not options.unattended: + while True: + print "IPA generated smb.conf detected." + if not ipautil.user_input("Overwrite smb.conf?", default = False, allow_empty = False): + sys.exit("Aborting installation.") + break + + # Check we have a public IP that is associated with the hostname + try: + if options.ip_address: + ip = ipautil.CheckedIPAddress(options.ip_address, match_local=True) + else: + hostaddr = resolve_host(api.env.host) + ip = hostaddr and ipautil.CheckedIPAddress(hostaddr, match_local=True) + except Exception, e: + print "Error: Invalid IP Address %s: %s" % (ip, e) + ip = None + + if not ip: + if options.unattended: + sys.exit("Unable to resolve IP address for host name") + else: + read_ip = read_ip_address(api.env.host, fstore) + try: + ip = ipautil.CheckedIPAddress(read_ip, match_local=True) + except Exception, e: + print "Error: Invalid IP Address %s: %s" % (ip, e) + sys.exit("Aborting installation.") + + ip_address = str(ip) + logging.debug("will use ip_address: %s\n", ip_address) + + if not options.unattended: + print "" + print "The following operations may take some minutes to complete." + print "Please wait until the prompt is returned." 
+ print "" + + # Create a Adtrust instance + if options.unattended and not options.dm_password: + sys.exit("\nIn unattended mode you need to provide at least the -p option") + + netbios_name = options.netbios_name + if not netbios_name: + netbios_name = adtrustinstance.make_netbios_name(api.env.domain) + + if not adtrustinstance.check_netbios_name(netbios_name): + if options.unattended: + netbios_name_error(netbios_name) + sys.exit("Aborting installation.") + else: + netbios_name = None + if options.netbios_name: + netbios_name_error(options.netbios_name) + + if not options.unattended and ( not netbios_name or not options.netbios_name): + netbios_name = read_netbios_name(netbios_name) + + dm_password = options.dm_password or read_password("Directory Manager", + confirm=False, validate=False) + smb = adtrustinstance.ADTRUSTInstance(fstore, dm_password) + + # try the connection + try: + smb.ldap_connect() + smb.ldap_disconnect() + except ldap.INVALID_CREDENTIALS, e: + sys.exit("Password is not valid!") + + if smb.dm_password: + api.Backend.ldap2.connect(bind_dn="cn=Directory Manager", bind_pw=smb.dm_password) + else: + # See if our LDAP server is up and we can talk to it over GSSAPI + ccache = krbV.default_context().default_ccache().name + api.Backend.ldap2.connect(ccache) + + smb.setup(api.env.host, ip_address, api.env.realm, api.env.domain, + netbios_name) + smb.create_instance() + + print "==============================================================================" + print "Setup complete" + print "" + print "\tYou must make sure these network ports are open:" + print "\t\tTCP Ports:" + print "\t\t * 138: netbios-dgm" + print "\t\t * 139: netbios-ssn" + print "\t\t * 445: microsoft-ds" + print "\t\tUDP Ports:" + print "\t\t * 138: netbios-dgm" + print "\t\t * 139: netbios-ssn" + print "\t\t * 445: microsoft-ds" + print "" + print "\tAdditionally you have to make sure the FreeIPA LDAP server cannot reached" + print "\tby any domain controller in the Active 
Directory domain by closing the" + print "\tfollowing ports for these servers:" + print "\t\tTCP Ports:" + print "\t\t * 389, 636: LDAP/LDAPS" + print "\t\tUDP Ports:" + print "\t\t * 389: (C)LDAP" + print "\tYou may want to choose to REJECT the network packets instead of DROPing them" + print "\tto avoid timeouts on the AD domain controllers." + + return 0 + +try: + sys.exit(main()) +except SystemExit, e: + sys.exit(e) +except KeyboardInterrupt: + print "Installation cancelled." +except RuntimeError, e: + print str(e) +except HostnameLocalhost: + print "The hostname resolves to the localhost address (127.0.0.1/::1)" + print "Please change your /etc/hosts file so that the hostname" + print "resolves to the ip address of your network interface." + print "The KDC service does not listen on localhost" + print "" + print "Please fix your /etc/hosts file and restart the setup program" +except Exception, e: + message = "Unexpected error - see ipaserver-install.log for details:\n %s" % str(e) + print message + message = str(e) + for str in traceback.format_tb(sys.exc_info()[2]): + message = message + "\n" + str + logging.debug(message) + sys.exit(1) |
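Review bot: The IP-validation error handlers in main() print `ip`, which is not the value that failed: in the first `try`, when `--ip-address` is given (or `resolve_host` raises) `ip` has not been assigned yet, so the `except` clause itself raises UnboundLocalError and the user gets the generic "Unexpected error - see ipaserver-install.log" instead of the intended message; in the second `try`, `ip` is still `None`, so the message reads "Invalid IP Address None". Print the input that was actually rejected instead: `print "Error: Invalid IP Address %s: %s" % (options.ip_address, e)` in the first handler and `print "Error: Invalid IP Address %s: %s" % (read_ip, e)` in the second. Separately, the "Overwrite smb.conf?" prompt is only reached when not unattended, so a `-U` run silently replaces an existing IPA-generated smb.conf; a log line (or a requirement for an explicit override flag) there would make that destructive step visible in the install log.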