def establish_trust_with_ad(master, ad_domain, extra_args=()):
    """
    Establishes trust with Active Directory.

    Trust type is detected depending on the presence of SfU (Services for
    Unix) support on the AD. Use extra arguments to pass extra arguments
    to the trust-add command, such as --range-type="ipa-ad-trust" to
    enforce a particular range type.

    Every command runs on ``master`` through ``master.run_command``;
    ``ad_domain`` is handed verbatim to ``ipa trust-add`` and
    ``extra_args`` is appended after ``--password``. The AD admin
    password itself is supplied on stdin, not on the command line.
    """
    run = master.run_command
    http_principal = 'HTTP/%s' % master.hostname

    # Force KDC to reload MS-PAC info by trying to get TGT for HTTP
    run(['kinit', '-kt', paths.IPA_KEYTAB, http_principal])
    run(['systemctl', 'restart', 'krb5kdc.service'])
    run(['kdestroy', '-A'])

    kinit_admin(master)
    run(['klist'])

    # Samba debug level is raised to 100 for the trust-add and reset to 1
    # afterwards.
    run(['smbcontrol', 'all', 'debug', '100'])
    trust_add = ['ipa', 'trust-add', '--type', 'ad', ad_domain,
                 '--admin', 'Administrator', '--password']
    trust_add.extend(extra_args)
    util.run_repeatedly(master, trust_add,
                        stdin_text=master.config.ad_admin_password)
    run(['smbcontrol', 'all', 'debug', '1'])

    clear_sssd_cache(master)
def establish_trust_with_ad(master, ad_domain, extra_args=()):
    """
    Establishes trust with Active Directory.

    Trust type is detected depending on the presence of SfU (Services for
    Unix) support on the AD. Use extra arguments to pass extra arguments
    to the trust-add command, such as --range-type="ipa-ad-trust" to
    enforce a particular range type.

    Every command runs on ``master`` through ``master.run_command``;
    ``ad_domain`` is handed verbatim to ``ipa trust-add`` and
    ``extra_args`` is appended after ``--password``. The AD admin
    password itself is supplied on stdin, not on the command line.
    Once the trust is added the KDC is restarted again and the function
    waits a fixed 60 seconds before returning.
    """
    run = master.run_command
    http_principal = 'HTTP/%s' % master.hostname

    # Force KDC to reload MS-PAC info by trying to get TGT for HTTP
    run(['kinit', '-kt', paths.HTTP_KEYTAB, http_principal])
    run(['systemctl', 'restart', 'krb5kdc.service'])
    run(['kdestroy', '-A'])

    kinit_admin(master)
    run(['klist'])

    # Samba debug level is raised to 100 for the trust-add and reset to 1
    # afterwards.
    run(['smbcontrol', 'all', 'debug', '100'])
    trust_add = ['ipa', 'trust-add', '--type', 'ad', ad_domain,
                 '--admin', 'Administrator', '--password']
    trust_add.extend(extra_args)
    util.run_repeatedly(master, trust_add,
                        stdin_text=master.config.ad_admin_password)
    run(['smbcontrol', 'all', 'debug', '1'])

    clear_sssd_cache(master)
    run(['systemctl', 'restart', 'krb5kdc.service'])
    # NOTE(review): fixed settle delay after the KDC restart; the value is
    # not justified here -- confirm what the caller is actually waiting on.
    time.sleep(60)
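def install_adtrust(host):
    """
    Runs ipa-adtrust-install on the client and generates SIDs for the
    entries. Configures the compat tree for the legacy clients.

    After the install, ``named`` (or ``named-pkcs11`` when ``named`` is
    masked) is restarted and the function blocks in
    ``util.run_repeatedly`` until an SRV lookup for
    ``_ldap._tcp.<domain>`` against localhost returns this host.
    """
    setup_server_logs_collecting(host)
    kinit_admin(host)
    # NOTE(review): the admin password is passed as a command-line
    # argument (-a), so it is visible in the process list and in any
    # command logging on the host for the lifetime of the install.
    host.run_command([
        'ipa-adtrust-install', '-U', '--enable-compat',
        '--netbios-name', host.netbios,
        '-a', host.config.admin_password,
        '--add-sids',
    ])

    # Restart named because it lost connection to dirsrv
    # (Directory server restarts during the ipa-adtrust-install)
    # we use two services named and named-pkcs11,
    # if named is masked restart named-pkcs11
    result = host.run_command(['systemctl', 'is-enabled', 'named'],
                              raiseonerr=False)
    if result.stdout_text.startswith("masked"):
        named_unit = 'named-pkcs11'
    else:
        named_unit = 'named'
    host.run_command(['systemctl', 'restart', named_unit])

    # Check that named is running and has loaded the information from LDAP
    dig_command = ['dig', 'SRV', '+short', '@localhost',
                   '_ldap._tcp.%s' % host.domain.name]
    expected_srv = re.compile(re.escape('0 100 389 %s.' % host.hostname))

    def dig_test(output):
        # Named function instead of an assigned lambda (PEP 8 E731);
        # presumably ``output`` is the captured dig output -- verify
        # against util.run_repeatedly.
        return expected_srv.search(output)

    util.run_repeatedly(host, dig_command, test=dig_test)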
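def install_adtrust(host):
    """
    Runs ipa-adtrust-install on the client and generates SIDs for the
    entries. Configures the compat tree for the legacy clients.

    After the install, ``named`` (or ``named-pkcs11`` when ``named`` is
    masked) is restarted and the function blocks in
    ``util.run_repeatedly`` until an SRV lookup for
    ``_ldap._tcp.<domain>`` against localhost returns this host.
    """
    setup_server_logs_collecting(host)
    kinit_admin(host)
    # NOTE(review): the admin password is passed as a command-line
    # argument (-a), so it is visible in the process list and in any
    # command logging on the host for the lifetime of the install.
    host.run_command([
        'ipa-adtrust-install', '-U', '--enable-compat',
        '--netbios-name', host.netbios,
        '-a', host.config.admin_password,
        '--add-sids',
    ])

    # Restart named because it lost connection to dirsrv
    # (Directory server restarts during the ipa-adtrust-install)
    # we use two services named and named-pkcs11,
    # if named is masked restart named-pkcs11
    result = host.run_command(['systemctl', 'is-enabled', 'named'],
                              raiseonerr=False)
    if result.stdout_text.startswith("masked"):
        named_unit = 'named-pkcs11'
    else:
        named_unit = 'named'
    host.run_command(['systemctl', 'restart', named_unit])

    # Check that named is running and has loaded the information from LDAP
    dig_command = ['dig', 'SRV', '+short', '@localhost',
                   '_ldap._tcp.%s' % host.domain.name]
    expected_srv = re.compile(re.escape('0 100 389 %s.' % host.hostname))

    def dig_test(output):
        # Named function instead of an assigned lambda (PEP 8 E731);
        # presumably ``output`` is the captured dig output -- verify
        # against util.run_repeatedly.
        return expected_srv.search(output)

    util.run_repeatedly(host, dig_command, test=dig_test)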
def establish_trust_with_ad(master, ad, extra_args=()):
    """
    Establishes trust with Active Directory.

    Trust type is detected depending on the presence of SfU (Services for
    Unix) support on the AD. Use extra arguments to pass extra arguments
    to the trust-add command, such as --range-type="ipa-ad-trust" to
    enforce a particular range type.

    Every command runs on ``master`` through ``master.run_command``;
    ``ad.domain.name`` is handed to ``ipa trust-add`` and ``extra_args``
    is appended after ``--password``. The AD admin password itself is
    supplied on stdin, not on the command line.
    """
    run = master.run_command
    http_principal = "HTTP/%s" % master.hostname

    # Force KDC to reload MS-PAC info by trying to get TGT for HTTP
    run(["kinit", "-kt", paths.IPA_KEYTAB, http_principal])
    run(["systemctl", "restart", "krb5kdc.service"])
    run(["kdestroy", "-A"])

    kinit_admin(master)
    run(["klist"])

    # Samba debug level is raised to 100 for the trust-add and reset to 1
    # afterwards.
    run(["smbcontrol", "all", "debug", "100"])
    trust_add = ["ipa", "trust-add", "--type", "ad", ad.domain.name,
                 "--admin", "Administrator", "--password"]
    trust_add.extend(extra_args)
    util.run_repeatedly(master, trust_add,
                        stdin_text=master.config.ad_admin_password)
    run(["smbcontrol", "all", "debug", "1"])

    clear_sssd_cache(master)
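def install_adtrust(host):
    """
    Runs ipa-adtrust-install on the client and generates SIDs for the
    entries. Configures the compat tree for the legacy clients.

    Registers the install log and the dirsrv instance error/access logs
    for collection first, then restarts ``named`` after the install and
    blocks in ``util.run_repeatedly`` until an SRV lookup for
    ``_ldap._tcp.<domain>`` against localhost returns this host.
    """
    # ipa-adtrust-install appends to ipaserver-install.log
    host.collect_log('/var/log/ipaserver-install.log')
    # dirsrv instance name is the realm with dots replaced by dashes
    inst = host.domain.realm.replace('.', '-')
    host.collect_log('/var/log/dirsrv/slapd-%s/errors' % inst)
    host.collect_log('/var/log/dirsrv/slapd-%s/access' % inst)

    kinit_admin(host)
    # NOTE(review): the admin password is passed as a command-line
    # argument (-a), so it is visible in the process list and in any
    # command logging on the host for the lifetime of the install.
    host.run_command([
        'ipa-adtrust-install', '-U', '--enable-compat',
        '--netbios-name', host.netbios,
        '-a', host.config.admin_password,
        '--add-sids',
    ])

    # Restart named because it lost connection to dirsrv
    # (Directory server restarts during the ipa-adtrust-install)
    host.run_command(['systemctl', 'restart', 'named'])

    # Check that named is running and has loaded the information from LDAP
    dig_command = ['dig', 'SRV', '+short', '@localhost',
                   '_ldap._tcp.%s' % host.domain.name]
    expected_srv = re.compile(re.escape('0 100 389 %s.' % host.hostname))

    def dig_test(output):
        # Named function instead of an assigned lambda (PEP 8 E731);
        # presumably ``output`` is the captured dig output -- verify
        # against util.run_repeatedly.
        return expected_srv.search(output)

    util.run_repeatedly(host, dig_command, test=dig_test)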
def check_sid_generation(cls):
    """Test SID generation

    Polls ``ipa user-show admin --all --raw`` on ``cls.master`` through
    ``util.run_repeatedly`` until the output contains an
    ``ipaNTSecurityIdentifier`` attribute whose value has the
    ``S-1-5-21-<auth>-<auth>-<auth>`` shape.
    """
    command = ['ipa', 'user-show', 'admin', '--all', '--raw']
    # TODO: remove duplicate definition and import from common module
    # One sub-authority: hex (up to 12 digits) or decimal (up to 10 digits).
    idauth = '(0x[0-9a-f]{1,12}|[0-9]{1,10})'
    sid_regex = 'S-1-5-21-' + '-'.join([idauth] * 3)
    stdout_re = re.escape(' ipaNTSecurityIdentifier: ') + sid_regex

    def has_sid(output):
        return re.search(stdout_re, output)

    util.run_repeatedly(cls.master, command, test=has_sid)
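def install_adtrust(host):
    """
    Runs ipa-adtrust-install on the client and generates SIDs for the
    entries. Configures the compat tree for the legacy clients.

    Registers the install log and the dirsrv instance error/access logs
    for collection first. After the install, ``named`` (or
    ``named-pkcs11`` when ``named`` is masked) is restarted and the
    function blocks in ``util.run_repeatedly`` until an SRV lookup for
    ``_ldap._tcp.<domain>`` against localhost returns this host.
    """
    # ipa-adtrust-install appends to ipaserver-install.log
    host.collect_log(paths.IPASERVER_INSTALL_LOG)
    # dirsrv instance name is the realm with dots replaced by dashes
    inst = host.domain.realm.replace(".", "-")
    host.collect_log(paths.SLAPD_INSTANCE_ERROR_LOG_TEMPLATE % inst)
    host.collect_log(paths.SLAPD_INSTANCE_ACCESS_LOG_TEMPLATE % inst)

    kinit_admin(host)
    # NOTE(review): the admin password is passed as a command-line
    # argument (-a), so it is visible in the process list and in any
    # command logging on the host for the lifetime of the install.
    host.run_command([
        "ipa-adtrust-install", "-U", "--enable-compat",
        "--netbios-name", host.netbios,
        "-a", host.config.admin_password,
        "--add-sids",
    ])

    # Restart named because it lost connection to dirsrv
    # (Directory server restarts during the ipa-adtrust-install)
    # we use two services named and named-pkcs11,
    # if named is masked restart named-pkcs11
    result = host.run_command(["systemctl", "is-enabled", "named"],
                              raiseonerr=False)
    if result.stdout_text.startswith("masked"):
        named_unit = "named-pkcs11"
    else:
        named_unit = "named"
    host.run_command(["systemctl", "restart", named_unit])

    # Check that named is running and has loaded the information from LDAP
    dig_command = ["dig", "SRV", "+short", "@localhost",
                   "_ldap._tcp.%s" % host.domain.name]
    expected_srv = re.compile(re.escape("0 100 389 %s." % host.hostname))

    def dig_test(output):
        # Named function instead of an assigned lambda (PEP 8 E731);
        # presumably ``output`` is the captured dig output -- verify
        # against util.run_repeatedly.
        return expected_srv.search(output)

    util.run_repeatedly(host, dig_command, test=dig_test)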