def _fetch(self, client, ignore_cache=False): if not client.isconnected(): client.connect(verbose=False) fps = [] if not ignore_cache: try: fps = [fsdecode(f) for f in os.listdir(self._DIR)] except EnvironmentError: pass kwargs = {u'version': u'2.170'} if fps: kwargs[u'known_fingerprints'] = fps try: schema = client.forward(u'schema', **kwargs)['result'] except errors.CommandError: raise NotAvailable() try: fp = schema['fingerprint'] ttl = schema.pop('ttl') schema.pop('version') for key, value in schema.items(): if key in self.namespaces: value = {m['full_name']: m for m in value} self._dict[key] = value except KeyError as e: logger.warning("Failed to fetch schema: %s", e) raise NotAvailable() return (fp, ttl,)
def configure_automount(): try: check_client_configuration() except ScriptError as e: print(e.msg) sys.exit(e.rval) fstore = sysrestore.FileStore(paths.IPA_CLIENT_SYSRESTORE) statestore = sysrestore.StateFile(paths.IPA_CLIENT_SYSRESTORE) options, _args = parse_options() standard_logging_setup( paths.IPACLIENT_INSTALL_LOG, verbose=False, debug=options.debug, filemode='a', console_format='%(message)s', ) cfg = dict( context='cli_installer', confdir=paths.ETC_IPA, in_server=False, debug=options.debug, verbose=0, ) # Bootstrap API early so that env object is available api.bootstrap(**cfg) if options.uninstall: return uninstall(fstore, statestore) ca_cert_path = None if os.path.exists(paths.IPA_CA_CRT): ca_cert_path = paths.IPA_CA_CRT if statestore.has_state('autofs'): print('An automount location is already configured') sys.exit(CLIENT_ALREADY_CONFIGURED) autodiscover = False ds = ipadiscovery.IPADiscovery() if not options.server: print("Searching for IPA server...") ret = ds.search(ca_cert_path=ca_cert_path) logger.debug('Executing DNS discovery') if ret == ipadiscovery.NO_LDAP_SERVER: logger.debug('Autodiscovery did not find LDAP server') s = urlsplit(api.env.xmlrpc_uri) server = [s.netloc] logger.debug('Setting server to %s', s.netloc) else: autodiscover = True if not ds.servers: sys.exit( 'Autodiscovery was successful but didn\'t return a server' ) logger.debug( 'Autodiscovery success, possible servers %s', ','.join(ds.servers), ) server = ds.servers[0] else: server = options.server logger.debug("Verifying that %s is an IPA server", server) ldapret = ds.ipacheckldap(server, api.env.realm, ca_cert_path) if ldapret[0] == ipadiscovery.NO_ACCESS_TO_LDAP: print("Anonymous access to the LDAP server is disabled.") print("Proceeding without strict verification.") print( "Note: This is not an error if anonymous access has been " "explicitly restricted." ) elif ldapret[0] == ipadiscovery.NO_TLS_LDAP: logger.warning("Unencrypted access to LDAP is not supported.") elif ldapret[0] != 0: sys.exit('Unable to confirm that %s is an IPA server' % server) if not autodiscover: print("IPA server: %s" % server) logger.debug('Using fixed server %s', server) else: print("IPA server: DNS discovery") logger.debug('Configuring to use DNS discovery') print("Location: %s" % options.location) logger.debug('Using automount location %s', options.location) ccache_dir = tempfile.mkdtemp() ccache_name = os.path.join(ccache_dir, 'ccache') try: try: host_princ = str('host/%s@%s' % (api.env.host, api.env.realm)) kinit_keytab(host_princ, paths.KRB5_KEYTAB, ccache_name) os.environ['KRB5CCNAME'] = ccache_name except gssapi.exceptions.GSSError as e: sys.exit("Failed to obtain host TGT: %s" % e) # Finalize API when TGT obtained using host keytab exists api.finalize() # Now we have a TGT, connect to IPA try: api.Backend.rpcclient.connect() except errors.KerberosError as e: sys.exit('Cannot connect to the server due to ' + str(e)) try: # Use the RPC directly so older servers are supported api.Backend.rpcclient.forward( 'automountlocation_show', ipautil.fsdecode(options.location), version=u'2.0', ) except errors.VersionError as e: sys.exit('This client is incompatible: ' + str(e)) except errors.NotFound: sys.exit( "Automount location '%s' does not exist" % options.location ) except errors.PublicError as e: sys.exit( "Cannot connect to the server due to generic error: %s" % str(e) ) finally: shutil.rmtree(ccache_dir) if not options.unattended and not ipautil.user_input( "Continue to configure the system with these values?", False ): sys.exit("Installation aborted") try: if not options.sssd: tasks.enable_ldap_automount(statestore) configure_nfs(fstore, statestore, options) if options.sssd: configure_autofs_sssd(fstore, statestore, autodiscover, options) else: configure_xml(fstore) configure_autofs( fstore, statestore, autodiscover, server, options ) configure_autofs_common(fstore, statestore, options) except Exception as e: logger.debug('Raised exception %s', e) print("Installation failed. Rolling back changes.") uninstall(fstore, statestore) return 1 return 0
def add_new_adtrust_agents(api, options): """ Find out IPA masters which are not part of the cn=adtrust agents and propose them to be added to the list :param api: API instance :param options: parsed CLI options """ potential_agents_cns = retrieve_potential_adtrust_agents(api) if potential_agents_cns: print("") print("WARNING: %d IPA masters are not yet able to serve " "information about users from trusted forests." % len(potential_agents_cns)) print("Installer can add them to the list of IPA masters " "allowed to access information about trusts.") print("If you choose to do so, you also need to restart " "LDAP service on those masters.") print("Refer to ipa-adtrust-install(1) man page for details.") print("") if options.unattended: print("Unattended mode was selected, installer will NOT " "add other IPA masters to the list of allowed to") print("access information about trusted forests!") return new_agents = [] for name in sorted(potential_agents_cns): if ipautil.user_input( "IPA master [%s]?" % (name), default=False, allow_empty=False): new_agents.append(name) if new_agents: add_hosts_to_adtrust_agents(api, new_agents) # The method trust_enable_agent was added on API version 2.236 # Specifically request this version in the remote call kwargs = {u'version': u'2.236', u'enable_compat': options.enable_compat} failed_agents = [] for agent in new_agents: # Try to run the ipa-trust-enable-agent script on the agent # If the agent is too old and does not support this, # print a msg logger.info("Execute trust_enable_agent on remote server %s", agent) client = None try: xmlrpc_uri = 'https://{}/ipa/xml'.format( ipautil.format_netloc(agent)) remote_api = create_api(mode=None) remote_api.bootstrap(context='installer', confdir=paths.ETC_IPA, xmlrpc_uri=xmlrpc_uri, fallback=False) client = rpc.jsonclient(remote_api) client.finalize() client.connect() result = client.forward( u'trust_enable_agent', ipautil.fsdecode(agent), **kwargs) except errors.CommandError as e: logger.debug( "Remote server %s does not support agent enablement " "over RPC: %s", agent, e) failed_agents.append(agent) except (errors.PublicError, ConnectionRefusedError) as e: logger.debug( "Remote call to trust_enable_agent failed on server %s: " "%s", agent, e) failed_agents.append(agent) else: for message in result.get('messages'): logger.debug('%s', message['message']) if not int(result['result']): logger.debug( "ipa-trust-enable-agent returned non-zero exit code " " on server %s", agent) failed_agents.append(agent) finally: if client and client.isconnected(): client.disconnect() # if enablement failed on some agents, print a WARNING: if failed_agents: if options.enable_compat: print(""" WARNING: you MUST manually enable the Schema compatibility Plugin and """) print(""" WARNING: you MUST restart (both "ipactl restart" and "systemctl restart sssd") the following IPA masters in order to activate them to serve information about users from trusted forests: """) for x in failed_agents: print(x)