def __setup_group_membership(self): # Add the CIFS and host principals to the 'adtrust agents' group # as 389-ds only operates with GroupOfNames, we have to use # the principal's proper dn as defined in self.cifs_agent service.add_principals_to_group(api.Backend.ldap2, self.smb_dn, "member", [self.cifs_agent, self.host_princ])
def __setup_group_membership(self): # Add the CIFS and host principals to the 'adtrust agents' group # as 389-ds only operates with GroupOfNames, we have to use # the principal's proper dn as defined in self.cifs_agent service.add_principals_to_group( api.Backend.ldap2, self.smb_dn, "member", [self.cifs_agent, self.host_princ])
def add_hosts_to_adtrust_agents(api, host_list): """ Add the CIFS and host principals to the 'adtrust agents' group as 389-ds only operates with GroupOfNames, we have to use the principal's proper dn as defined in self.cifs_agent :param api: API instance :param host_list: list of potential AD trust agent FQDNs """ agents_dn = DN(('cn', 'adtrust agents'), ('cn', 'sysaccounts'), ('cn', 'etc'), api.env.basedn) service.add_principals_to_group( api.Backend.ldap2, agents_dn, "member", [api.Object.host.get_dn(x) for x in host_list])
def add_hosts_to_adtrust_agents(api, host_list): """ Add the CIFS and host principals to the 'adtrust agents' group as 389-ds only operates with GroupOfNames, we have to use the principal's proper dn as defined in self.cifs_agent :param api: API instance :param host_list: list of potential AD trust agent FQDNs """ agents_dn = DN( ('cn', 'adtrust agents'), ('cn', 'sysaccounts'), ('cn', 'etc'), api.env.basedn) service.add_principals_to_group( api.Backend.ldap2, agents_dn, "member", [api.Object.host.get_dn(x) for x in host_list])
def execute(self, **options): ldap = self.api.Backend.ldap2 # First, see if trusts are enabled on the server if not self.api.Command.adtrust_is_enabled()['result']: logger.debug('AD Trusts are not enabled on this server') return False, [] agents_dn = DN( ('cn', 'adtrust agents'), self.api.env.container_sysaccounts, self.api.env.basedn) try: agents_entry = ldap.get_entry(agents_dn, ['member']) except errors.NotFound: logger.error("No adtrust agents group found") return False, [] # Build a list of agents from the cifs/.. members agents_list = [] members = agents_entry.get('member', []) suffix = '@{}'.format(self.api.env.realm).lower() for amember in members: if amember[0].attr.lower() == 'krbprincipalname': # Extract krbprincipalname=cifs/hostname@realm from the DN value = amember[0].value if (value.lower().startswith('cifs/') and value.lower().endswith(suffix)): # 5 = length of 'cifs/' hostname = value[5:-len(suffix)] agents_list.append(DN(('fqdn', hostname), self.api.env.container_host, self.api.env.basedn)) # Add the fqdn=hostname... to the group service.add_principals_to_group( ldap, agents_dn, "member", agents_list) return False, []
def install(options, fstore, api): if not options.unattended: print("") print("The following operations may take some minutes to complete.") print("Please wait until the prompt is returned.") print("") smb = adtrustinstance.ADTRUSTInstance(fstore) smb.realm = api.env.realm smb.autobind = ipaldap.AUTOBIND_ENABLED smb.setup(api.env.host, api.env.realm, netbios_name, reset_netbios_name, options.rid_base, options.secondary_rid_base, options.add_sids, enable_compat=options.enable_compat) smb.find_local_id_range() smb.create_instance() if options.add_agents: # Find out IPA masters which are not part of the cn=adtrust agents # and propose them to be added to the list base_dn = api.env.basedn masters_dn = DN(('cn', 'masters'), ('cn', 'ipa'), ('cn', 'etc'), base_dn) agents_dn = DN(('cn', 'adtrust agents'), ('cn', 'sysaccounts'), ('cn', 'etc'), base_dn) new_agents = [] entries_m = [] entries_a = [] try: # Search only masters which have support for domain levels # because only these masters will have SSSD recent enough # to support AD trust agents entries_m, _truncated = api.Backend.ldap2.find_entries( filter=("(&(objectclass=ipaSupportedDomainLevelConfig)" "(ipaMaxDomainLevel=*)(ipaMinDomainLevel=*))"), base_dn=masters_dn, attrs_list=['cn'], scope=ldap.SCOPE_ONELEVEL) except errors.NotFound: pass except (errors.DatabaseError, errors.NetworkError) as e: print("Could not retrieve a list of existing IPA masters:") print(unicode(e)) try: entries_a, _truncated = api.Backend.ldap2.find_entries( filter="", base_dn=agents_dn, attrs_list=['member'], scope=ldap.SCOPE_BASE) except errors.NotFound: pass except (errors.DatabaseError, errors.NetworkError) as e: print("Could not retrieve a list of adtrust agents:") print(unicode(e)) if len(entries_m) > 0: existing_masters = [x['cn'][0] for x in entries_m] adtrust_agents = entries_a[0]['member'] potential_agents = [] for m in existing_masters: mdn = DN(('fqdn', m), api.env.container_host, api.env.basedn) found = False for a in adtrust_agents: if mdn == a: found = True break if not found: potential_agents += [[m, mdn]] object_count = len(potential_agents) if object_count > 0: print("") print("WARNING: %d IPA masters are not yet able to serve " "information about users from trusted forests." % (object_count)) print("Installer can add them to the list of IPA masters " "allowed to access information about trusts.") print("If you choose to do so, you also need to restart " "LDAP service on those masters.") print("Refer to ipa-adtrust-install(1) man page for details.") print("") if options.unattended: print("Unattended mode was selected, installer will NOT " "add other IPA masters to the list of allowed to") print("access information about trusted forests!") else: print( "Do you want to allow following IPA masters to " "serve information about users from trusted forests?") for (name, dn) in potential_agents: if name == api.env.host: # Don't add this host here # it shouldn't be here as it was added by the # adtrustinstance setup code continue if ipautil.user_input("IPA master [%s]?" % (name), default=False, allow_empty=False): new_agents += [[name, dn]] if len(new_agents) > 0: # Add the CIFS and host principals to the 'adtrust agents' # group as 389-ds only operates with GroupOfNames, we have to # use the principal's proper dn as defined in self.cifs_agent service.add_principals_to_group(api.Backend.ldap2, agents_dn, "member", [x[1] for x in new_agents])