def install(standalone, options, fstore, api):
    """Configure the Samba / AD-trust instance on this IPA master.

    ``standalone`` is true when invoked on its own (ipa-adtrust-install)
    rather than as a step of a larger server install; ``options`` holds the
    parsed command-line options, ``fstore`` the file-backup store handed to
    the instance and ``api`` the initialised IPA API.  ``netbios_name`` and
    ``reset_netbios_name`` are module-level values set elsewhere in this
    file (presumably by the NetBIOS-name check that runs first).  Returns
    nothing; failures surface as exceptions from the instance methods.
    """
    env = api.env

    # Only an interactive standalone run gets the "please wait" notice.
    if not options.unattended and standalone:
        for line in (
            "",
            "The following operations may take some minutes to complete.",
            "Please wait until the prompt is returned.",
            "",
        ):
            print(line)

    instance = adtrustinstance.ADTRUSTInstance(fstore, options.setup_adtrust)
    instance.realm = env.realm
    # Autobind to the directory server instead of a password bind
    # (presumably over the local LDAPI socket; confirm in ipaldap).
    instance.autobind = ipaldap.AUTOBIND_ENABLED
    instance.setup(
        env.host,
        env.realm,
        netbios_name,
        reset_netbios_name,
        options.rid_base,
        options.secondary_rid_base,
        options.add_sids,
        enable_compat=options.enable_compat,
    )
    instance.find_local_id_range()
    instance.create_instance()

    # Refresh the Samba keytab with the host keys.  The update callable
    # reports in result[0] whether 389-ds must be restarted; this particular
    # update does not need one today, but the plugin might in future.
    keytab_update = update_host_cifs_keytabs(api)
    if keytab_update:
        needs_restart = keytab_update()[0]
        if needs_restart:
            logger.debug('Restarting directory server to apply updates')
            installutils.restart_dirsrv()

    if options.add_agents:
        # Offer to enrol the IPA masters that are not yet in
        # cn=adtrust agents.
        add_new_adtrust_agents(api, options)
def install(standalone, options, fstore, api):
    """Configure the Samba / AD-trust instance on this IPA master.

    ``standalone`` is true when invoked on its own (ipa-adtrust-install)
    rather than as a step of a larger server install; ``options`` holds the
    parsed command-line options, ``fstore`` the file-backup store handed to
    the instance and ``api`` the initialised IPA API.  ``netbios_name`` and
    ``reset_netbios_name`` are module-level values set elsewhere in this
    file (presumably by the NetBIOS-name check that runs first).  Returns
    nothing; failures surface as exceptions from the instance methods.
    """
    env = api.env

    # Only an interactive standalone run gets the "please wait" notice.
    if not options.unattended and standalone:
        for line in (
            "",
            "The following operations may take some minutes to complete.",
            "Please wait until the prompt is returned.",
            "",
        ):
            print(line)

    instance = adtrustinstance.ADTRUSTInstance(fstore)
    instance.realm = env.realm
    # Autobind to the directory server instead of a password bind
    # (presumably over the local LDAPI socket; confirm in ipaldap).
    instance.autobind = ipaldap.AUTOBIND_ENABLED
    instance.setup(
        env.host,
        env.realm,
        netbios_name,
        reset_netbios_name,
        options.rid_base,
        options.secondary_rid_base,
        options.add_sids,
        enable_compat=options.enable_compat,
    )
    instance.find_local_id_range()
    instance.create_instance()

    if options.add_agents:
        # Offer to enrol the IPA masters that are not yet in
        # cn=adtrust agents.
        add_new_adtrust_agents(api, options)
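def _find_potential_adtrust_agents(api, masters_dn, agents_dn):
    """Return ``[[fqdn, host DN], ...]`` for masters not yet in the agents group.

    Only masters advertising domain-level support are considered (per the
    original rationale: only those run an SSSD recent enough for AD trust
    agents).  LDAP lookup failures are reported on stdout and treated as
    "nothing found" so the caller can carry on.  A missing or empty
    ``cn=adtrust agents`` entry is treated as "no agents yet" instead of
    raising IndexError/KeyError, which the previous inline code did when the
    group lookup hit NotFound or a connection error.
    """
    entries_m = []
    entries_a = []
    try:
        # Search only masters which have support for domain levels
        # because only these masters will have SSSD recent enough
        # to support AD trust agents
        entries_m, _truncated = api.Backend.ldap2.find_entries(
            filter=("(&(objectclass=ipaSupportedDomainLevelConfig)"
                    "(ipaMaxDomainLevel=*)(ipaMinDomainLevel=*))"),
            base_dn=masters_dn, attrs_list=['cn'],
            scope=ldap.SCOPE_ONELEVEL)
    except errors.NotFound:
        pass
    except (errors.DatabaseError, errors.NetworkError) as e:
        print("Could not retrieve a list of existing IPA masters:")
        print(unicode(e))

    try:
        entries_a, _truncated = api.Backend.ldap2.find_entries(
            filter="", base_dn=agents_dn, attrs_list=['member'],
            scope=ldap.SCOPE_BASE)
    except errors.NotFound:
        pass
    except (errors.DatabaseError, errors.NetworkError) as e:
        print("Could not retrieve a list of adtrust agents:")
        print(unicode(e))

    if not entries_m:
        return []

    # The group entry may be absent (NotFound above) or carry no 'member'
    # values; either way nobody is an agent yet.
    adtrust_agents = entries_a[0].get('member', []) if entries_a else []

    potential_agents = []
    for entry in entries_m:
        name = entry['cn'][0]
        mdn = DN(('fqdn', name), api.env.container_host, api.env.basedn)
        # Membership is decided by DN equality (``in`` uses ==), exactly as
        # the previous explicit loop did.
        if mdn not in adtrust_agents:
            potential_agents.append([name, mdn])
    return potential_agents


def install(options, fstore, api):
    """Configure the Samba / AD-trust instance on this IPA master.

    ``options`` holds the parsed command-line options, ``fstore`` the
    file-backup store handed to the instance and ``api`` the initialised IPA
    API.  ``netbios_name`` and ``reset_netbios_name`` are module-level values
    set elsewhere in this file (presumably by the NetBIOS-name check that
    runs first).  With ``options.add_agents`` the other IPA masters are
    looked up and, in interactive mode, the operator is asked per master
    whether to add it to ``cn=adtrust agents`` -- the group whose members
    are allowed to read trust information, so this is an authorisation
    decision and is deliberately never made in unattended mode.  Returns
    nothing.
    """
    if not options.unattended:
        print("")
        print("The following operations may take some minutes to complete.")
        print("Please wait until the prompt is returned.")
        print("")

    smb = adtrustinstance.ADTRUSTInstance(fstore)
    smb.realm = api.env.realm
    # Autobind to the directory server instead of a password bind
    # (presumably over the local LDAPI socket; confirm in ipaldap).
    smb.autobind = ipaldap.AUTOBIND_ENABLED
    smb.setup(api.env.host, api.env.realm,
              netbios_name, reset_netbios_name,
              options.rid_base, options.secondary_rid_base,
              options.add_sids,
              enable_compat=options.enable_compat)
    smb.find_local_id_range()
    smb.create_instance()

    if options.add_agents:
        # Find out IPA masters which are not part of the cn=adtrust agents
        # and propose them to be added to the list
        base_dn = api.env.basedn
        masters_dn = DN(('cn', 'masters'), ('cn', 'ipa'), ('cn', 'etc'),
                        base_dn)
        agents_dn = DN(('cn', 'adtrust agents'), ('cn', 'sysaccounts'),
                       ('cn', 'etc'), base_dn)

        potential_agents = _find_potential_adtrust_agents(
            api, masters_dn, agents_dn)
        new_agents = []

        object_count = len(potential_agents)
        if object_count > 0:
            print("")
            print("WARNING: %d IPA masters are not yet able to serve "
                  "information about users from trusted forests." %
                  (object_count))
            print("Installer can add them to the list of IPA masters "
                  "allowed to access information about trusts.")
            print("If you choose to do so, you also need to restart "
                  "LDAP service on those masters.")
            print("Refer to ipa-adtrust-install(1) man page for details.")
            print("")
            if options.unattended:
                # Granting access without an operator's confirmation is
                # not done; the masters are only reported.
                print("Unattended mode was selected, installer will NOT "
                      "add other IPA masters to the list of allowed to")
                print("access information about trusted forests!")
            else:
                print(
                    "Do you want to allow following IPA masters to "
                    "serve information about users from trusted forests?")
                for (name, dn) in potential_agents:
                    if name == api.env.host:
                        # Don't add this host here
                        # it shouldn't be here as it was added by the
                        # adtrustinstance setup code
                        continue
                    if ipautil.user_input("IPA master [%s]?" % (name),
                                          default=False,
                                          allow_empty=False):
                        new_agents.append([name, dn])

        if new_agents:
            # Add the CIFS and host principals to the 'adtrust agents'
            # group as 389-ds only operates with GroupOfNames, we have to
            # use the principal's proper dn as defined in self.cifs_agent
            service.add_principals_to_group(
                api.Backend.ldap2, agents_dn, "member",
                [dn for _name, dn in new_agents])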
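def uninstall(installer):
    """Tear down an IPA server installation.

    Stops the IPA services, runs every component's uninstaller in a fixed
    order, restores the files and state recorded during installation and
    finally removes the client-side configuration.  ``installer`` supplies
    the file store (``_fstore``) and state store (``_sstore``) used for the
    restores.  Does not return: exits 1 when installation state is left
    behind or the client uninstall fails, else 0.  Certificates still
    tracked by certmonger are only reported; they do not change the exit
    status.
    """
    fstore = installer._fstore
    sstore = installer._sstore

    rv = 0

    # further steps assumes that temporary directories exists so rather
    # ensure they are created
    tasks.create_tmpfiles_dirs()

    print("Shutting down all IPA services")
    try:
        services.knownservices.ipa.stop()
    except Exception:
        # Fallback to direct ipactl stop only if system command fails
        try:
            run([paths.IPACTL, "stop"], raiseonerr=False)
        except Exception as e:
            # Best effort only: record the failure and let the component
            # uninstallers below run anyway.
            root_logger.warning("Failed to stop IPA services: %s", e)

    ntpinstance.NTPInstance(fstore).uninstall()

    kra.uninstall()

    ca.uninstall()

    dns.uninstall()

    httpinstance.HTTPInstance(fstore).uninstall()
    krbinstance.KrbInstance(fstore).uninstall()
    dsinstance.DsInstance(fstore=fstore).uninstall()
    # _server_trust_ad_installed is a module-level flag set elsewhere in
    # this file (presumably while detecting the installed components).
    if _server_trust_ad_installed:
        adtrustinstance.ADTRUSTInstance(fstore).uninstall()
    custodiainstance.CustodiaInstance().uninstall()
    otpdinstance.OtpdInstance().uninstall()
    tasks.restore_hostname(fstore, sstore)
    fstore.restore_all_files()

    # These two files (by name, root's API cache and the saved CSR) are not
    # part of the backup store, so just delete them.  A missing file is the
    # normal case; any other failure is logged instead of being swallowed,
    # matching the renewal-lock handling further down.
    for stale_file in (paths.ROOT_IPA_CACHE, paths.ROOT_IPA_CSR):
        try:
            os.remove(stale_file)
        except OSError as e:
            if e.errno != errno.ENOENT:
                root_logger.warning("Failed to remove file %s: %s",
                                    stale_file, e)

    # ipa-client-install removes /etc/ipa/default.conf

    sstore._load()
    ipaclient.install.ntpconf.restore_forced_ntpd(sstore)

    # Clean up group_exists (unused since IPA 2.2, not being set since 4.1)
    sstore.restore_state("install", "group_exists")

    services.knownservices.ipa.disable()

    # remove upgrade state file
    sysupgrade.remove_upgrade_file()

    if fstore.has_files():
        root_logger.error('Some files have not been restored, see '
                          '%s/sysrestore.index' % SYSRESTORE_DIR_PATH)
    has_state = False
    for module in IPA_MODULES:  # from installutils
        if sstore.has_state(module):
            root_logger.error('Some installation state for %s has not been '
                              'restored, see %s/sysrestore.state' %
                              (module, SYSRESTORE_DIR_PATH))
            has_state = True
            # Leftover state is the one condition (besides a failed client
            # uninstall) that turns the exit status non-zero.
            rv = 1

    if has_state:
        root_logger.error('Some installation state has not been restored.\n'
                          'This may cause re-installation to fail.\n'
                          'It should be safe to remove %s/sysrestore.state '
                          'but it may\n'
                          'mean your system hasn\'t be restored to its '
                          'pre-installation state.' % SYSRESTORE_DIR_PATH)

    # Note that this name will be wrong after the first uninstall.
    dirname = dsinstance.config_dirname(
        installutils.realm_to_serverid(api.env.realm))
    dirs = [dirname, paths.PKI_TOMCAT_ALIAS_DIR, paths.HTTPD_ALIAS_DIR]
    ids = certmonger.check_state(dirs)
    if ids:
        root_logger.error('Some certificates may still be tracked by '
                          'certmonger.\n'
                          'This will cause re-installation to fail.\n'
                          'Start the certmonger service and list the '
                          'certificates being tracked\n'
                          ' # getcert list\n'
                          'These may be untracked by executing\n'
                          ' # getcert stop-tracking -i <request_id>\n'
                          'for each id in: %s' % ', '.join(ids))

    # Remove the cert renewal lock file
    try:
        os.remove(paths.IPA_RENEWAL_LOCK)
    except OSError as e:
        if e.errno != errno.ENOENT:
            root_logger.warning("Failed to remove file %s: %s",
                                paths.IPA_RENEWAL_LOCK, e)

    print("Removing IPA client configuration")
    try:
        # Exit code 2 is accepted alongside 0 (presumably "client not
        # configured"; confirm against ipa-client-install).
        result = run([
            paths.IPA_CLIENT_INSTALL, "--on-master",
            "--unattended", "--uninstall"
        ], raiseonerr=False, redirect_output=True)
        if result.returncode not in [0, 2]:
            raise RuntimeError("Failed to configure the client")
    except Exception:
        rv = 1
        print("Uninstall of client side components failed!")

    sys.exit(rv)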
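def uninstall(installer):
    """Tear down an IPA server installation.

    Uninstalls the KRA first (while services are still up, so it can
    un-register with the CA), stops the IPA services, runs every other
    component's uninstaller in a fixed order, restores the files and state
    recorded during installation and finally removes the client-side
    configuration.  ``installer`` supplies the file store (``_fstore``) and
    state store (``_sstore``) used for the restores.  Does not return: exits
    1 when installation state is left behind or the client uninstall fails,
    else 0.  Certificates still tracked by certmonger are only reported;
    they do not change the exit status.
    """
    fstore = installer._fstore
    sstore = installer._sstore

    rv = 0

    # Uninstall the KRA prior to shutting the services down so it
    # can un-register with the CA.
    kra.uninstall()

    print("Shutting down all IPA services")
    try:
        services.knownservices.ipa.stop()
    except Exception:
        # Fallback to direct ipactl stop only if system command fails
        try:
            run([paths.IPACTL, "stop"], raiseonerr=False)
        except Exception as e:
            # Best effort only: record the failure and let the component
            # uninstallers below run anyway.
            logger.warning("Failed to stop IPA services: %s", e)

    restore_time_sync(sstore, fstore)

    ca.uninstall()

    dns.uninstall()

    httpinstance.HTTPInstance(fstore).uninstall()
    krbinstance.KrbInstance(fstore).uninstall()
    dsinstance.DsInstance(fstore=fstore).uninstall()
    adtrustinstance.ADTRUSTInstance(fstore).uninstall()
    # realm isn't used, but IPAKEMKeys parses /etc/ipa/default.conf
    # otherwise, see https://pagure.io/freeipa/issue/7474 .
    custodiainstance.CustodiaInstance(realm='REALM.INVALID').uninstall()
    otpdinstance.OtpdInstance().uninstall()
    tasks.restore_hostname(fstore, sstore)
    tasks.restore_pkcs11_modules(fstore)
    fstore.restore_all_files()

    # These two files (by name, root's API cache and the saved CSR) are not
    # part of the backup store, so just delete them.  A missing file is the
    # normal case; any other failure is logged instead of being swallowed,
    # matching the renewal-lock handling further down.
    for stale_file in (paths.ROOT_IPA_CACHE, paths.ROOT_IPA_CSR):
        try:
            os.remove(stale_file)
        except OSError as e:
            if e.errno != errno.ENOENT:
                logger.warning("Failed to remove file %s: %s",
                               stale_file, e)

    # ipa-client-install removes /etc/ipa/default.conf

    sstore._load()
    timeconf.restore_forced_timeservices(sstore)

    # Clean up group_exists (unused since IPA 2.2, not being set since 4.1)
    sstore.restore_state("install", "group_exists")

    services.knownservices.ipa.disable()

    # remove upgrade state file
    sysupgrade.remove_upgrade_file()

    if fstore.has_files():
        logger.error('Some files have not been restored, see '
                     '%s/sysrestore.index', SYSRESTORE_DIR_PATH)

    # Drop the "installation complete" marker before checking what is left.
    sstore.delete_state('installation', 'complete')
    has_state = False
    for module in IPA_MODULES:  # from installutils
        if sstore.has_state(module):
            logger.error('Some installation state for %s has not been '
                         'restored, see %s/sysrestore.state',
                         module, SYSRESTORE_DIR_PATH)
            has_state = True
            # Leftover state is the one condition (besides a failed client
            # uninstall) that turns the exit status non-zero.
            rv = 1

    if has_state:
        logger.error('Some installation state has not been restored.\n'
                     'This may cause re-installation to fail.\n'
                     'It should be safe to remove %s/sysrestore.state '
                     'but it may\n'
                     'mean your system hasn\'t be restored to its '
                     'pre-installation state.', SYSRESTORE_DIR_PATH)
    else:
        # sysrestore.state has no state left, remove it
        state_file = os.path.join(SYSRESTORE_DIR_PATH, 'sysrestore.state')
        ipautil.remove_file(state_file)

    # Note that this name will be wrong after the first uninstall.
    dirname = dsinstance.config_dirname(
        ipaldap.realm_to_serverid(api.env.realm))
    dirs = [dirname, paths.PKI_TOMCAT_ALIAS_DIR, paths.HTTPD_ALIAS_DIR]
    ids = certmonger.check_state(dirs)
    if ids:
        logger.error('Some certificates may still be tracked by '
                     'certmonger.\n'
                     'This will cause re-installation to fail.\n'
                     'Start the certmonger service and list the '
                     'certificates being tracked\n'
                     ' # getcert list\n'
                     'These may be untracked by executing\n'
                     ' # getcert stop-tracking -i <request_id>\n'
                     'for each id in: %s', ', '.join(ids))

    # Remove the cert renewal lock file
    try:
        os.remove(paths.IPA_RENEWAL_LOCK)
    except OSError as e:
        if e.errno != errno.ENOENT:
            logger.warning("Failed to remove file %s: %s",
                           paths.IPA_RENEWAL_LOCK, e)

    print("Removing IPA client configuration")
    try:
        # Exit code 2 is accepted alongside 0 (presumably "client not
        # configured"; confirm against ipa-client-install).
        result = run([paths.IPA_CLIENT_INSTALL, "--on-master",
                      "--unattended", "--uninstall"],
                     raiseonerr=False, redirect_output=True)
        if result.returncode not in [0, 2]:
            raise RuntimeError("Failed to configure the client")
    except Exception:
        rv = 1
        print("Uninstall of client side components failed!")

    sys.exit(rv)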