def install(standalone, options, fstore, api):
    """Set up the AD trust (Samba) component on this IPA server.

    Creates and configures the ADTRUST instance, refreshes the Samba
    keytab with the host keys and, when ``options.add_agents`` is set,
    offers to enrol the remaining IPA masters as trust agents.

    :param standalone: True when run as ipa-adtrust-install rather than as
        part of the server installer; only affects the progress banner
    :param options: parsed installer options (``unattended``,
        ``setup_adtrust``, ``rid_base``, ``secondary_rid_base``,
        ``add_sids``, ``enable_compat`` and ``add_agents`` are read here)
    :param fstore: file store passed to the ADTRUST instance
    :param api: initialised IPA API; ``api.env.host`` / ``api.env.realm``
        identify this server

    ``netbios_name`` and ``reset_netbios_name`` are module globals
    (presumably filled in during option validation - not visible here).
    """
    interactive = not options.unattended
    if interactive and standalone:
        banner = (
            "",
            "The following operations may take some minutes to complete.",
            "Please wait until the prompt is returned.",
            "",
        )
        for line in banner:
            print(line)

    realm = api.env.realm
    smb = adtrustinstance.ADTRUSTInstance(fstore, options.setup_adtrust)
    smb.realm = realm
    # NOTE(review): autobind presumably means the LDAPI/autobind path is
    # used for the directory connection, so no bind password is handled
    # here - confirm against ADTRUSTInstance.
    smb.autobind = ipaldap.AUTOBIND_ENABLED
    smb.setup(
        api.env.host,
        realm,
        netbios_name,
        reset_netbios_name,
        options.rid_base,
        options.secondary_rid_base,
        options.add_sids,
        enable_compat=options.enable_compat,
    )
    smb.find_local_id_range()
    smb.create_instance()

    # Update Samba keytab with host keys; the helper returns a callable
    # (or a falsy value when there is nothing to do).
    keytab_update = update_host_cifs_keytabs(api)
    if keytab_update:
        # this particular update does not require restarting DS but
        # the plugin might require that in future
        needs_restart = keytab_update()[0]
        if needs_restart:
            logger.debug('Restarting directory server to apply updates')
            installutils.restart_dirsrv()

    if options.add_agents:
        # Find out IPA masters which are not part of the cn=adtrust agents
        # and propose them to be added to the list
        add_new_adtrust_agents(api, options)
def install(standalone, options, fstore, api):
    """Set up the AD trust (Samba) component on this IPA server.

    Creates and configures the ADTRUST instance for ``api.env.host`` and,
    when ``options.add_agents`` is set, offers to enrol the remaining IPA
    masters as trust agents.

    :param standalone: True when run as ipa-adtrust-install rather than as
        part of the server installer; only affects the progress banner
    :param options: parsed installer options (``unattended``, ``rid_base``,
        ``secondary_rid_base``, ``add_sids``, ``enable_compat`` and
        ``add_agents`` are read here)
    :param fstore: file store passed to the ADTRUST instance
    :param api: initialised IPA API; ``api.env.host`` / ``api.env.realm``
        identify this server

    ``netbios_name`` and ``reset_netbios_name`` are module globals
    (presumably filled in during option validation - not visible here).
    """
    show_banner = standalone and not options.unattended
    if show_banner:
        print("")
        print("The following operations may take some minutes to complete.")
        print("Please wait until the prompt is returned.")
        print("")

    host, realm = api.env.host, api.env.realm

    smb = adtrustinstance.ADTRUSTInstance(fstore)
    smb.realm = realm
    # NOTE(review): autobind presumably means the LDAPI/autobind path is
    # used for the directory connection, so no bind password is handled
    # here - confirm against ADTRUSTInstance.
    smb.autobind = ipaldap.AUTOBIND_ENABLED
    smb.setup(host, realm, netbios_name, reset_netbios_name,
              options.rid_base, options.secondary_rid_base,
              options.add_sids, enable_compat=options.enable_compat)
    smb.find_local_id_range()
    smb.create_instance()

    if not options.add_agents:
        return

    # Find out IPA masters which are not part of the cn=adtrust agents
    # and propose them to be added to the list
    add_new_adtrust_agents(api, options)
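def install(options, fstore, api):
    """Set up the AD trust (Samba) component and optionally enrol agents.

    Creates the ADTRUST instance for this host.  When ``options.add_agents``
    is set, the IPA masters listed under ``cn=masters,cn=ipa,cn=etc`` that
    are not yet members of ``cn=adtrust agents,cn=sysaccounts,cn=etc`` are
    collected and, in interactive mode only, the administrator is asked
    one by one whether to add them.  Membership in that group is what
    allows a master to serve information about users from trusted
    forests, so nothing is added without an explicit confirmation and
    unattended runs add nothing at all.

    :param options: parsed installer options (``unattended``, ``rid_base``,
        ``secondary_rid_base``, ``add_sids``, ``enable_compat`` and
        ``add_agents`` are read here)
    :param fstore: file store passed to the ADTRUST instance
    :param api: initialised IPA API; ``api.env`` and
        ``api.Backend.ldap2`` are used

    ``netbios_name`` and ``reset_netbios_name`` are module globals
    (presumably filled in during option validation - not visible here).
    """
    if not options.unattended:
        print("")
        print("The following operations may take some minutes to complete.")
        print("Please wait until the prompt is returned.")
        print("")

    smb = adtrustinstance.ADTRUSTInstance(fstore)
    smb.realm = api.env.realm
    # NOTE(review): autobind presumably means the LDAPI/autobind path is
    # used for the directory connection, so no bind password is handled
    # here - confirm against ADTRUSTInstance.
    smb.autobind = ipaldap.AUTOBIND_ENABLED
    smb.setup(api.env.host,
              api.env.realm,
              netbios_name,
              reset_netbios_name,
              options.rid_base,
              options.secondary_rid_base,
              options.add_sids,
              enable_compat=options.enable_compat)
    smb.find_local_id_range()
    smb.create_instance()

    if options.add_agents:
        # Find out IPA masters which are not part of the cn=adtrust agents
        # and propose them to be added to the list
        base_dn = api.env.basedn
        masters_dn = DN(('cn', 'masters'), ('cn', 'ipa'), ('cn', 'etc'),
                        base_dn)
        agents_dn = DN(('cn', 'adtrust agents'), ('cn', 'sysaccounts'),
                       ('cn', 'etc'), base_dn)
        new_agents = []
        entries_m = []
        entries_a = []
        try:
            # Search only masters which have support for domain levels
            # because only these masters will have SSSD recent enough
            # to support AD trust agents
            entries_m, _truncated = api.Backend.ldap2.find_entries(
                filter=("(&(objectclass=ipaSupportedDomainLevelConfig)"
                        "(ipaMaxDomainLevel=*)(ipaMinDomainLevel=*))"),
                base_dn=masters_dn,
                attrs_list=['cn'],
                scope=ldap.SCOPE_ONELEVEL)
        except errors.NotFound:
            pass
        except (errors.DatabaseError, errors.NetworkError) as e:
            print("Could not retrieve a list of existing IPA masters:")
            print(unicode(e))

        try:
            entries_a, _truncated = api.Backend.ldap2.find_entries(
                filter="",
                base_dn=agents_dn,
                attrs_list=['member'],
                scope=ldap.SCOPE_BASE)
        except errors.NotFound:
            pass
        except (errors.DatabaseError, errors.NetworkError) as e:
            print("Could not retrieve a list of adtrust agents:")
            print(unicode(e))

        if entries_m:
            existing_masters = [x['cn'][0] for x in entries_m]
            # The agents entry may be absent (NotFound / lookup error was
            # reported above) or may carry no 'member' values yet.  Either
            # case means "no agents so far" rather than a crash on
            # entries_a[0]['member'].
            try:
                adtrust_agents = entries_a[0]['member']
            except (IndexError, KeyError):
                adtrust_agents = []

            potential_agents = []
            for m in existing_masters:
                mdn = DN(('fqdn', m), api.env.container_host, api.env.basedn)
                # DN equality, as the original element-wise comparison
                if mdn not in adtrust_agents:
                    potential_agents.append([m, mdn])

            object_count = len(potential_agents)
            if object_count > 0:
                print("")
                print("WARNING: %d IPA masters are not yet able to serve "
                      "information about users from trusted forests." %
                      (object_count))
                print("Installer can add them to the list of IPA masters "
                      "allowed to access information about trusts.")
                print("If you choose to do so, you also need to restart "
                      "LDAP service on those masters.")
                print("Refer to ipa-adtrust-install(1) man page for details.")
                print("")
                if options.unattended:
                    # Deliberate: granting agent access is a privilege
                    # change, so it is never done without confirmation.
                    print("Unattended mode was selected, installer will NOT "
                          "add other IPA masters to the list of allowed to")
                    print("access information about trusted forests!")
                else:
                    print(
                        "Do you want to allow following IPA masters to "
                        "serve information about users from trusted forests?")
                    for (name, dn) in potential_agents:
                        if name == api.env.host:
                            # Don't add this host here
                            # it shouldn't be here as it was added by the
                            # adtrustinstance setup code
                            continue
                        # default=False: an empty/absent answer never adds
                        if ipautil.user_input("IPA master [%s]?" % (name),
                                              default=False,
                                              allow_empty=False):
                            new_agents.append([name, dn])

            if new_agents:
                # Add the CIFS and host principals to the 'adtrust agents'
                # group as 389-ds only operates with GroupOfNames, we have to
                # use the principal's proper dn as defined in self.cifs_agent
                service.add_principals_to_group(api.Backend.ldap2, agents_dn,
                                                "member",
                                                [x[1] for x in new_agents])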
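def uninstall(installer):
    """Tear down all server-side IPA components and restore the host.

    Services are stopped first, then each component is uninstalled in the
    fixed order below, backed-up files are restored from ``fstore`` and
    the recorded state in ``sstore`` is cleared.  Anything left behind
    (restored-file index entries, module state, certmonger tracking
    requests) is reported because it makes a later re-installation fail.
    Finally the client-side configuration is removed through
    ipa-client-install and the process exits with the aggregated status:
    0 when everything was cleaned up, 1 otherwise.

    :param installer: installer object carrying ``_fstore`` (file backup
        store) and ``_sstore`` (state store)
    :raises SystemExit: always, with the aggregated return code
    """
    fstore = installer._fstore
    sstore = installer._sstore

    rv = 0

    # further steps assumes that temporary directories exists so rather
    # ensure they are created
    tasks.create_tmpfiles_dirs()

    print("Shutting down all IPA services")
    try:
        services.knownservices.ipa.stop()
    except Exception:
        # Fallback to direct ipactl stop only if system command fails
        try:
            run([paths.IPACTL, "stop"], raiseonerr=False)
        except Exception:
            pass

    ntpinstance.NTPInstance(fstore).uninstall()

    kra.uninstall()

    ca.uninstall()

    dns.uninstall()

    httpinstance.HTTPInstance(fstore).uninstall()
    krbinstance.KrbInstance(fstore).uninstall()
    dsinstance.DsInstance(fstore=fstore).uninstall()
    if _server_trust_ad_installed:
        adtrustinstance.ADTRUSTInstance(fstore).uninstall()
    custodiainstance.CustodiaInstance().uninstall()
    otpdinstance.OtpdInstance().uninstall()
    tasks.restore_hostname(fstore, sstore)
    fstore.restore_all_files()
    # Best effort, but - consistently with the renewal lock below - only
    # "already gone" is silent; any other failure (e.g. EACCES) is
    # reported so the operator knows the file is still on disk.
    for leftover in (paths.ROOT_IPA_CACHE, paths.ROOT_IPA_CSR):
        try:
            os.remove(leftover)
        except OSError as e:
            if e.errno != errno.ENOENT:
                root_logger.warning("Failed to remove file %s: %s",
                                    leftover, e)

    # ipa-client-install removes /etc/ipa/default.conf

    sstore._load()

    ipaclient.install.ntpconf.restore_forced_ntpd(sstore)

    # Clean up group_exists (unused since IPA 2.2, not being set since 4.1)
    sstore.restore_state("install", "group_exists")

    services.knownservices.ipa.disable()

    # remove upgrade state file
    sysupgrade.remove_upgrade_file()

    if fstore.has_files():
        root_logger.error('Some files have not been restored, see '
                          '%s/sysrestore.index' % SYSRESTORE_DIR_PATH)
    has_state = False
    for module in IPA_MODULES:  # from installutils
        if sstore.has_state(module):
            root_logger.error('Some installation state for %s has not been '
                              'restored, see %s/sysrestore.state' %
                              (module, SYSRESTORE_DIR_PATH))
            has_state = True
            rv = 1

    if has_state:
        root_logger.error('Some installation state has not been restored.\n'
                          'This may cause re-installation to fail.\n'
                          'It should be safe to remove %s/sysrestore.state '
                          'but it may\n'
                          'mean your system hasn\'t be restored to its '
                          'pre-installation state.' % SYSRESTORE_DIR_PATH)

    # Note that this name will be wrong after the first uninstall
    # (presumably because api.env.realm is no longer read from the
    # original /etc/ipa/default.conf once the client has been removed).
    dirname = dsinstance.config_dirname(
        installutils.realm_to_serverid(api.env.realm))
    dirs = [dirname, paths.PKI_TOMCAT_ALIAS_DIR, paths.HTTPD_ALIAS_DIR]
    # Certificates still tracked by certmonger would be renewed against a
    # CA that no longer exists and block re-installation; only report
    # them, the operator has to stop tracking explicitly.
    ids = certmonger.check_state(dirs)
    if ids:
        root_logger.error('Some certificates may still be tracked by '
                          'certmonger.\n'
                          'This will cause re-installation to fail.\n'
                          'Start the certmonger service and list the '
                          'certificates being tracked\n'
                          ' # getcert list\n'
                          'These may be untracked by executing\n'
                          ' # getcert stop-tracking -i <request_id>\n'
                          'for each id in: %s' % ', '.join(ids))

    # Remove the cert renewal lock file
    try:
        os.remove(paths.IPA_RENEWAL_LOCK)
    except OSError as e:
        if e.errno != errno.ENOENT:
            root_logger.warning("Failed to remove file %s: %s",
                                paths.IPA_RENEWAL_LOCK, e)

    print("Removing IPA client configuration")
    try:
        # Return code 2 is accepted as well (treated as "nothing to do"
        # by the original code); anything else is a failure.
        result = run([
            paths.IPA_CLIENT_INSTALL, "--on-master", "--unattended",
            "--uninstall"
        ],
                     raiseonerr=False,
                     redirect_output=True)
        if result.returncode not in [0, 2]:
            raise RuntimeError("Failed to configure the client")
    except Exception:
        rv = 1
        print("Uninstall of client side components failed!")

    sys.exit(rv)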
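def uninstall(installer):
    """Tear down all server-side IPA components and restore the host.

    The KRA is removed before the services are stopped (it has to
    un-register with the CA); then each remaining component is
    uninstalled in the fixed order below, backed-up files are restored
    from ``fstore`` and the recorded state in ``sstore`` is cleared.
    Anything left behind (restored-file index entries, module state,
    certmonger tracking requests) is reported because it makes a later
    re-installation fail.  Finally the client-side configuration is
    removed through ipa-client-install and the process exits with the
    aggregated status: 0 when everything was cleaned up, 1 otherwise.

    :param installer: installer object carrying ``_fstore`` (file backup
        store) and ``_sstore`` (state store)
    :raises SystemExit: always, with the aggregated return code
    """
    fstore = installer._fstore
    sstore = installer._sstore

    rv = 0

    # Uninstall the KRA prior to shutting the services down so it
    # can un-register with the CA.
    kra.uninstall()

    print("Shutting down all IPA services")
    try:
        services.knownservices.ipa.stop()
    except Exception:
        # Fallback to direct ipactl stop only if system command fails
        try:
            run([paths.IPACTL, "stop"], raiseonerr=False)
        except Exception:
            pass

    restore_time_sync(sstore, fstore)

    ca.uninstall()

    dns.uninstall()

    httpinstance.HTTPInstance(fstore).uninstall()
    krbinstance.KrbInstance(fstore).uninstall()
    dsinstance.DsInstance(fstore=fstore).uninstall()
    adtrustinstance.ADTRUSTInstance(fstore).uninstall()
    # realm isn't used, but IPAKEMKeys parses /etc/ipa/default.conf
    # otherwise, see https://pagure.io/freeipa/issue/7474 .
    custodiainstance.CustodiaInstance(realm='REALM.INVALID').uninstall()
    otpdinstance.OtpdInstance().uninstall()
    tasks.restore_hostname(fstore, sstore)
    tasks.restore_pkcs11_modules(fstore)
    fstore.restore_all_files()
    # Best effort, but - consistently with the renewal lock below - only
    # "already gone" is silent; any other failure (e.g. EACCES) is
    # reported so the operator knows the file is still on disk.
    for leftover in (paths.ROOT_IPA_CACHE, paths.ROOT_IPA_CSR):
        try:
            os.remove(leftover)
        except OSError as e:
            if e.errno != errno.ENOENT:
                logger.warning("Failed to remove file %s: %s", leftover, e)

    # ipa-client-install removes /etc/ipa/default.conf

    sstore._load()

    timeconf.restore_forced_timeservices(sstore)

    # Clean up group_exists (unused since IPA 2.2, not being set since 4.1)
    sstore.restore_state("install", "group_exists")

    services.knownservices.ipa.disable()

    # remove upgrade state file
    sysupgrade.remove_upgrade_file()

    if fstore.has_files():
        logger.error('Some files have not been restored, see '
                     '%s/sysrestore.index', SYSRESTORE_DIR_PATH)
    sstore.delete_state('installation', 'complete')
    has_state = False
    for module in IPA_MODULES:  # from installutils
        if sstore.has_state(module):
            logger.error('Some installation state for %s has not been '
                         'restored, see %s/sysrestore.state',
                         module, SYSRESTORE_DIR_PATH)
            has_state = True
            rv = 1

    if has_state:
        logger.error('Some installation state has not been restored.\n'
                     'This may cause re-installation to fail.\n'
                     'It should be safe to remove %s/sysrestore.state '
                     'but it may\n'
                     'mean your system hasn\'t be restored to its '
                     'pre-installation state.', SYSRESTORE_DIR_PATH)
    else:
        # sysrestore.state has no state left, remove it
        sysrestore = os.path.join(SYSRESTORE_DIR_PATH, 'sysrestore.state')
        ipautil.remove_file(sysrestore)

    # Note that this name will be wrong after the first uninstall
    # (presumably because api.env.realm is no longer read from the
    # original /etc/ipa/default.conf once the client has been removed).
    dirname = dsinstance.config_dirname(
        ipaldap.realm_to_serverid(api.env.realm))
    dirs = [dirname, paths.PKI_TOMCAT_ALIAS_DIR, paths.HTTPD_ALIAS_DIR]
    # Certificates still tracked by certmonger would be renewed against a
    # CA that no longer exists and block re-installation; only report
    # them, the operator has to stop tracking explicitly.
    ids = certmonger.check_state(dirs)
    if ids:
        logger.error('Some certificates may still be tracked by '
                     'certmonger.\n'
                     'This will cause re-installation to fail.\n'
                     'Start the certmonger service and list the '
                     'certificates being tracked\n'
                     ' # getcert list\n'
                     'These may be untracked by executing\n'
                     ' # getcert stop-tracking -i <request_id>\n'
                     'for each id in: %s', ', '.join(ids))

    # Remove the cert renewal lock file
    try:
        os.remove(paths.IPA_RENEWAL_LOCK)
    except OSError as e:
        if e.errno != errno.ENOENT:
            logger.warning("Failed to remove file %s: %s",
                           paths.IPA_RENEWAL_LOCK, e)

    print("Removing IPA client configuration")
    try:
        # Return code 2 is accepted as well (treated as "nothing to do"
        # by the original code); anything else is a failure.
        result = run([paths.IPA_CLIENT_INSTALL, "--on-master",
                      "--unattended", "--uninstall"],
                     raiseonerr=False, redirect_output=True)
        if result.returncode not in [0, 2]:
            raise RuntimeError("Failed to configure the client")
    except Exception:
        rv = 1
        print("Uninstall of client side components failed!")

    sys.exit(rv)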