[Freeipa-devel] more work on the setup scripts
Karl MacMillan
kmacmill at redhat.com
Thu Jul 19 22:04:35 UTC 2007
On Sun, 2007-07-15 at 09:56 -0400, Simo Sorce wrote:
> On Fri, 2007-07-13 at 22:26 -0400, Rob Crittenden wrote:
> > Simo Sorce wrote:
> > > If there are no objections I will commit this before leaving on Monday.
> > >
> > > - patch for fedroa-ds init scripts bz#248169
> > > - create the keytab for the ldap service
> > > - create the sample bind zone
> > > - test the hostname is set up correctly and resolves to a real IP not
> > > 127.0.01
> > > - use the domain portion of the hostname as the DNS domain
> > > (ie dns domain may be != realm)
> > > - fix the kdb5_ldap_util paramter to actually pass the master password
> > >
> > > I still have a problem with GSSAPI authentication against LDAP
> > > I encoded the same settings I use in my working prototype but SASL auth
> > > does not work in the installation test environment.
> > > Raising the log level of fedora-ds shows that the sasl mapping object is
> > > searched and found, but then fedora-ds tries to find the user account
> > > using the wrong filter: (&(uid=<username>)) instead oh
> > > (krbPrinciplaName=<username>@<REALM>) as specified in the configuration.
> > > The basedn is correct.
> > >
> > > Will digg on this later.
> >
> > You set the fedora-ds user as fds. We should probably create that user
> > if it doesn't already exist.
>
> We do that, it's in the dsinstance.py module IIRC, I added that bit.
>
> > Looks like you have a typo when setting the sample DNS zone:
> >
> > bind_fd, bind_name] = tempfile.mkstemp(".db","sammple.zone.")
>
> This is strange, this code has been tested and worked. I will check,
> maybe I touched it after the last test and before generating the diff.
>
> > Otherwise it looks ok.
>
I committed the attached modified version of this patch.
Karl
-------------- next part --------------
�[?1034hdiff -r 3a76f9007b34 ipa-install/README
--- a/ipa-install/README Wed Jul 18 14:34:40 2007 -0400
+++ b/ipa-install/README Thu Jul 19 14:35:34 2007 -0400
@@ -5,12 +5,17 @@ fedora-ds-base
fedora-ds-base
openldap-clients
krb5-server-ldap
+cyrus-sasl-gssapi
Installation example:
+
+TEMPORARY: (until fedora ds scripts are fixed)
+please use the fedora-ds.init.patch under share/ to patch your init scripts before
+running ipa-server-install
cd ipa-install
make install
cd ..
-/usr/sbin/ipa-server-install -r FREEIPA.ORG -a rc1.freeipa.org -p freeipa -m ipafree
+/usr/sbin/ipa-server-install -u fds -r FREEIPA.ORG -p freeipa -m ipafree
diff -r 3a76f9007b34 ipa-install/share/bind.zone.db.template
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/ipa-install/share/bind.zone.db.template Thu Jul 19 14:35:34 2007 -0400
@@ -0,0 +1,26 @@
+$$ORIGIN $DOMAIN.
+$$TTL 86400
+@ IN SOA $DOMAIN. root.$DOMAIN. (
+ 01 ; serial (d. adams)
+ 3H ; refresh
+ 15M ; retry
+ 1W ; expiry
+ 1D ) ; minimum
+
+ IN NS $HOST
+$HOST IN A $IP
+;
+; ldap servers
+_ldap._tcp IN SRV 0 100 389 $HOST
+
+;kerberos realm
+_kerberos IN TXT $REALM
+
+; kerberos servers
+_kerberos._tcp IN SRV 0 100 88 $HOST
+_kerberos._udp IN SRV 0 100 88 $HOST
+_kerberos-master._tcp IN SRV 0 100 88 $HOST
+_kerberos-master._udp IN SRV 0 100 88 $HOST
+_kpasswd._tcp IN SRV 0 100 88 $HOST
+_kpasswd._udp IN SRV 0 100 88 $HOST
+
diff -r 3a76f9007b34 ipa-install/share/fedora-ds.init.patch
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/ipa-install/share/fedora-ds.init.patch Thu Jul 19 14:35:34 2007 -0400
@@ -0,0 +1,12 @@
+--- /etc/init.d/fedora-ds.orig 2007-07-06 18:21:30.000000000 -0400
++++ /etc/init.d/fedora-ds 2007-05-18 19:36:24.000000000 -0400
+@@ -10,6 +10,9 @@
+ # datadir: /var/lib/fedora-ds/slapd-<instance name>
+ #
+
++# Get config.
++[ -r /etc/sysconfig/fedora-ds ] && . /etc/sysconfig/fedora-ds
++
+ # Source function library.
+ if [ -f /etc/rc.d/init.d/functions ] ; then
+ . /etc/rc.d/init.d/functions
diff -r 3a76f9007b34 ipa-install/share/krb5.conf.template
--- a/ipa-install/share/krb5.conf.template Wed Jul 18 14:34:40 2007 -0400
+++ b/ipa-install/share/krb5.conf.template Thu Jul 19 14:35:34 2007 -0400
@@ -9,6 +9,13 @@
dns_lookup_kdc = true
ticket_lifetime = 24h
forwardable = yes
+
+[realms]
+ $REALM = {
+ kdc = $FQDN:88
+ admin_server = $FQDN:749
+ default_domain = $DOMAIN
+}
[domain_realm]
.$DOMAIN = $REALM
@@ -29,7 +36,7 @@
ldap_servers = ldap://127.0.0.1/
ldap_kerberos_container_dn = cn=kerberos,$SUFFIX
ldap_kdc_dn = uid=kdc,cn=kerberos,$SUFFIX
-; ldap_kadmind_dn = cn=Directory Manager
+ ldap_kadmind_dn = uid=kdc,cn=kerberos,$SUFFIX
ldap_service_password_file = /var/kerberos/krb5kdc/ldappwd
}
diff -r 3a76f9007b34 ipa-install/src/ipa-server-install
--- a/ipa-install/src/ipa-server-install Wed Jul 18 14:34:40 2007 -0400
+++ b/ipa-install/src/ipa-server-install Thu Jul 19 15:09:10 2007 -0400
@@ -26,6 +26,7 @@
VERSION = "%prog .1"
+import socket
import logging
from optparse import OptionParser
import ipa.dsinstance
@@ -37,19 +38,18 @@ def parse_options():
help="ds user")
parser.add_option("-r", "--realm", dest="realm_name",
help="realm name")
- parser.add_option("-a", "--host-address", dest="host_name",
- help="host address (name or IP address)")
parser.add_option("-p", "--password", dest="password",
help="admin password")
parser.add_option("-m", "--master-password", dest="master_password",
help="kerberos master password")
parser.add_option("-d", "--debug", dest="debug", action="store_true",
dest="debug", default=False, help="print debugging information")
+ parser.add_option("--hostname", dest="host_name", help="fully qualified name of server")
options, args = parser.parse_args()
- if not options.realm_name or not options.host_name or not options.password:
- parser.error("error: password, realm, and host name required")
+ if not options.ds_user or not options.realm_name or not options.password or not options.master_password:
+ parser.error("error: all options are required")
return options
@@ -76,13 +76,39 @@ def main():
options = parse_options()
logging_setup(options)
+ # check the hostname is correctly configured, it must be as the kldap
+ # utilities just use the hostname as returned by gethostbyname to set
+ # up some of the standard entries
+
+ if options.host_name:
+ host_name = options.host_name
+ else:
+ host_name = socket.gethostname()
+ if len(host_name.split(".")) < 2:
+ print "Invalid hostname <"+host_name+">"
+ print "Check the /etc/hosts file and make sure to have a valid FQDN"
+ return "-Fatal Error-"
+
+ if socket.gethostbyname(host_name) == "127.0.0.1":
+ print "The hostname resolves to the localhost address (127.0.0.1)"
+ print "Please change your /etc/hosts file or your DNS so that the"
+ print "hostname resolves to the ip address of your network interface."
+ print "The KDC service does not listen on 127.0.0.1"
+ return "-Fatal Error-"
+
+ print "The Final KDC Host Name will be: " + host_name
+
+
# Create a directory server instance
ds = ipa.dsinstance.DsInstance()
- ds.create_instance(options.ds_user, options.realm_name, options.host_name, options.password)
+ ds.create_instance(options.ds_user, options.realm_name, host_name,
+ options.password)
# Create a kerberos instance
krb = ipa.krbinstance.KrbInstance()
- krb.create_instance(options.ds_user, options.realm_name, options.host_name, options.password, options.master_password)
+ krb.create_instance(options.ds_user, options.realm_name, host_name,
+ options.password, options.master_password)
+
#restart ds after the krb instance have add the sasl map
ds.restart()
diff -r 3a76f9007b34 ipa-install/src/ipa/krbinstance.py
--- a/ipa-install/src/ipa/krbinstance.py Wed Jul 18 14:34:40 2007 -0400
+++ b/ipa-install/src/ipa/krbinstance.py Thu Jul 19 15:01:40 2007 -0400
@@ -25,6 +25,9 @@ import logging
import logging
from random import Random
from time import gmtime
+import os
+import pwd
+import socket
SHARE_DIR = "/usr/share/ipa/"
@@ -32,6 +35,10 @@ def realm_to_suffix(realm_name):
s = realm_name.split(".")
terms = ["dc=" + x.lower() for x in s]
return ",".join(terms)
+
+def host_to_domain(fqdn):
+ s = fqdn.split(".")
+ return ".".join(s[1:])
def generate_kdc_password():
rndpwd = ''
@@ -75,8 +82,10 @@ class KrbInstance:
class KrbInstance:
def __init__(self):
self.ds_user = None
- self.realm_name = None
- self.host_name = None
+ self.fqdn = None
+ self.realm = None
+ self.domain = None
+ self.host = None
self.admin_password = None
self.master_password = None
self.suffix = None
@@ -85,12 +94,15 @@ class KrbInstance:
def create_instance(self, ds_user, realm_name, host_name, admin_password, master_password):
self.ds_user = ds_user
- self.realm_name = realm_name.upper()
- self.host_name = host_name
+ self.fqdn = host_name
+ self.ip = socket.gethostbyname(host_name)
+ self.realm = realm_name.upper()
+ self.host = host_name.split(".")[0]
+ self.domain = host_to_domain(host_name)
self.admin_password = admin_password
self.master_password = master_password
- self.suffix = realm_to_suffix(self.realm_name)
+ self.suffix = realm_to_suffix(self.realm)
self.kdc_password = generate_kdc_password()
self.__configure_kdc_account_password()
@@ -99,6 +111,10 @@ class KrbInstance:
self.__configure_ldap()
self.__create_instance()
+
+ self.__create_ds_keytab()
+
+ self.__create_sample_bind_zone()
self.start()
@@ -120,12 +136,13 @@ class KrbInstance:
pwd_fd.close()
def __setup_sub_dict(self):
- #FIXME: can DOMAIN be different than REALM ?
- self.sub_dict = dict(FQHN=self.host_name,
+ self.sub_dict = dict(FQDN=self.fqdn,
+ IP=self.ip,
PASSWORD=self.kdc_password,
SUFFIX=self.suffix,
- DOMAIN= self.realm_name.lower(),
- REALM=self.realm_name)
+ DOMAIN=self.domain,
+ HOST=self.host,
+ REALM=self.realm)
def __configure_ldap(self):
@@ -153,7 +170,7 @@ class KrbInstance:
krb5_fd.close()
#populate the directory with the realm structure
- args = ["/usr/kerberos/sbin/kdb5_ldap_util", "-D", "uid=kdc,cn=kerberos,"+self.suffix, "-w", self.kdc_password, "create", "-s", "-r", self.realm_name, "-subtrees", self.suffix, "-sscope", "sub"]
+ args = ["/usr/kerberos/sbin/kdb5_ldap_util", "-D", "uid=kdc,cn=kerberos,"+self.suffix, "-w", self.kdc_password, "create", "-s", "-P", self.master_password, "-r", self.realm, "-subtrees", self.suffix, "-sscope", "sub"]
run(args)
# TODO: NOT called yet, need to find out how to make sure the plugin is available first
@@ -165,5 +182,28 @@ class KrbInstance:
extop_fd.close()
#add an ACL to let the DS user read the master key
- args = ["/usr/bin/setfacl", "-m", "u:"+self.ds_user+":r", "/var/kerberos/krb5kdc/.k5."+self.realm_name]
+ args = ["/usr/bin/setfacl", "-m", "u:"+self.ds_user+":r", "/var/kerberos/krb5kdc/.k5."+self.realm]
run(args)
+
+ def __create_sample_bind_zone(self):
+ bind_txt = template_file(SHARE_DIR + "bind.zone.db.template", self.sub_dict)
+ [bind_fd, bind_name] = tempfile.mkstemp(".db","sample.zone.")
+ os.write(bind_fd, bind_txt)
+ os.close(bind_fd)
+ print "Sample zone file for bind has been created in "+bind_name
+
+ def __create_ds_keytab(self):
+ (kwrite, kread, kerr) = os.popen3("/usr/kerberos/sbin/kadmin.local")
+ kwrite.write("addprinc -randkey ldap/"+self.fqdn+"@"+self.realm+"\n")
+ kwrite.flush()
+ kwrite.write("ktadd -k /etc/fedora-ds/ds.keytab ldap/"+self.fqdn+"@"+self.realm+"\n")
+ kwrite.flush()
+ kwrite.close()
+ kread.close()
+ kerr.close()
+
+ cfg_fd = open("/etc/sysconfig/fedora-ds", "a")
+ cfg_fd.write("export KRB5_KTNAME=/etc/fedora-ds/ds.keytab\n")
+ cfg_fd.close()
+ pent = pwd.getpwnam(self.ds_user)
+ os.chown("/etc/sysconfig/fedora-ds", pent.pw_uid, pent.pw_gid)
More information about the Freeipa-devel
mailing list