def __setup_group_membership(self):
# Add the CIFS and host principals to the 'adtrust agents' group
# as 389-ds only operates with GroupOfNames, we have to use
# the principal's proper dn as defined in self.cifs_agent
service.add_principals_to_group(api.Backend.ldap2, self.smb_dn,
"member",
[self.cifs_agent, self.host_princ])
def __setup_group_membership(self):
# Add the CIFS and host principals to the 'adtrust agents' group
# as 389-ds only operates with GroupOfNames, we have to use
# the principal's proper dn as defined in self.cifs_agent
service.add_principals_to_group(
api.Backend.ldap2, self.smb_dn, "member",
[self.cifs_agent, self.host_princ])
def add_hosts_to_adtrust_agents(api, host_list):
"""
Add the CIFS and host principals to the 'adtrust agents'
group as 389-ds only operates with GroupOfNames, we have to
use the principal's proper dn as defined in self.cifs_agent
:param api: API instance
:param host_list: list of potential AD trust agent FQDNs
"""
agents_dn = DN(('cn', 'adtrust agents'), ('cn', 'sysaccounts'),
('cn', 'etc'), api.env.basedn)
service.add_principals_to_group(
api.Backend.ldap2, agents_dn, "member",
[api.Object.host.get_dn(x) for x in host_list])
def add_hosts_to_adtrust_agents(api, host_list):
"""
Add the CIFS and host principals to the 'adtrust agents'
group as 389-ds only operates with GroupOfNames, we have to
use the principal's proper dn as defined in self.cifs_agent
:param api: API instance
:param host_list: list of potential AD trust agent FQDNs
"""
agents_dn = DN(
('cn', 'adtrust agents'), ('cn', 'sysaccounts'),
('cn', 'etc'), api.env.basedn)
service.add_principals_to_group(
api.Backend.ldap2,
agents_dn,
"member",
[api.Object.host.get_dn(x) for x in host_list])
def execute(self, **options):
ldap = self.api.Backend.ldap2
# First, see if trusts are enabled on the server
if not self.api.Command.adtrust_is_enabled()['result']:
logger.debug('AD Trusts are not enabled on this server')
return False, []
agents_dn = DN(
('cn', 'adtrust agents'), self.api.env.container_sysaccounts,
self.api.env.basedn)
try:
agents_entry = ldap.get_entry(agents_dn, ['member'])
except errors.NotFound:
logger.error("No adtrust agents group found")
return False, []
# Build a list of agents from the cifs/.. members
agents_list = []
members = agents_entry.get('member', [])
suffix = '@{}'.format(self.api.env.realm).lower()
for amember in members:
if amember[0].attr.lower() == 'krbprincipalname':
# Extract krbprincipalname=cifs/hostname@realm from the DN
value = amember[0].value
if (value.lower().startswith('cifs/') and
value.lower().endswith(suffix)):
# 5 = length of 'cifs/'
hostname = value[5:-len(suffix)]
agents_list.append(DN(('fqdn', hostname),
self.api.env.container_host,
self.api.env.basedn))
# Add the fqdn=hostname... to the group
service.add_principals_to_group(
ldap,
agents_dn,
"member",
agents_list)
return False, []
def install(options, fstore, api):
if not options.unattended:
print("")
print("The following operations may take some minutes to complete.")
print("Please wait until the prompt is returned.")
print("")
smb = adtrustinstance.ADTRUSTInstance(fstore)
smb.realm = api.env.realm
smb.autobind = ipaldap.AUTOBIND_ENABLED
smb.setup(api.env.host,
api.env.realm,
netbios_name,
reset_netbios_name,
options.rid_base,
options.secondary_rid_base,
options.add_sids,
enable_compat=options.enable_compat)
smb.find_local_id_range()
smb.create_instance()
if options.add_agents:
# Find out IPA masters which are not part of the cn=adtrust agents
# and propose them to be added to the list
base_dn = api.env.basedn
masters_dn = DN(('cn', 'masters'), ('cn', 'ipa'), ('cn', 'etc'),
base_dn)
agents_dn = DN(('cn', 'adtrust agents'), ('cn', 'sysaccounts'),
('cn', 'etc'), base_dn)
new_agents = []
entries_m = []
entries_a = []
try:
# Search only masters which have support for domain levels
# because only these masters will have SSSD recent enough
# to support AD trust agents
entries_m, _truncated = api.Backend.ldap2.find_entries(
filter=("(&(objectclass=ipaSupportedDomainLevelConfig)"
"(ipaMaxDomainLevel=*)(ipaMinDomainLevel=*))"),
base_dn=masters_dn,
attrs_list=['cn'],
scope=ldap.SCOPE_ONELEVEL)
except errors.NotFound:
pass
except (errors.DatabaseError, errors.NetworkError) as e:
print("Could not retrieve a list of existing IPA masters:")
print(unicode(e))
try:
entries_a, _truncated = api.Backend.ldap2.find_entries(
filter="",
base_dn=agents_dn,
attrs_list=['member'],
scope=ldap.SCOPE_BASE)
except errors.NotFound:
pass
except (errors.DatabaseError, errors.NetworkError) as e:
print("Could not retrieve a list of adtrust agents:")
print(unicode(e))
if len(entries_m) > 0:
existing_masters = [x['cn'][0] for x in entries_m]
adtrust_agents = entries_a[0]['member']
potential_agents = []
for m in existing_masters:
mdn = DN(('fqdn', m), api.env.container_host, api.env.basedn)
found = False
for a in adtrust_agents:
if mdn == a:
found = True
break
if not found:
potential_agents += [[m, mdn]]
object_count = len(potential_agents)
if object_count > 0:
print("")
print("WARNING: %d IPA masters are not yet able to serve "
"information about users from trusted forests." %
(object_count))
print("Installer can add them to the list of IPA masters "
"allowed to access information about trusts.")
print("If you choose to do so, you also need to restart "
"LDAP service on those masters.")
print("Refer to ipa-adtrust-install(1) man page for details.")
print("")
if options.unattended:
print("Unattended mode was selected, installer will NOT "
"add other IPA masters to the list of allowed to")
print("access information about trusted forests!")
else:
print(
"Do you want to allow following IPA masters to "
"serve information about users from trusted forests?")
for (name, dn) in potential_agents:
if name == api.env.host:
# Don't add this host here
# it shouldn't be here as it was added by the
# adtrustinstance setup code
continue
if ipautil.user_input("IPA master [%s]?" % (name),
default=False,
allow_empty=False):
new_agents += [[name, dn]]
if len(new_agents) > 0:
# Add the CIFS and host principals to the 'adtrust agents'
# group as 389-ds only operates with GroupOfNames, we have to
# use the principal's proper dn as defined in self.cifs_agent
service.add_principals_to_group(api.Backend.ldap2, agents_dn,
"member",
[x[1] for x in new_agents])
