[Freeipa-devel] [PATCH] 1 Add ipa-adtrust-install utility

Sumit Bose sbose at redhat.com
Fri Aug 26 15:59:27 UTC 2011


On Fri, Aug 26, 2011 at 02:08:27PM +0300, Alexander Bokovoy wrote:
> Hi,
> 
> On 26.08.2011 12:39, Sumit Bose wrote:
> > Hi,
> > 
> > with this patch an initial samba configuration for the AD trust feature
> > can be created by calling ipa-adtrust-install. Please be aware that you
> > will need a samba/master build to start smbd with the created
> > configuration, because only here all the needed features are available.
> > Günther is working on a spec file so that we can include a samba package
> > in the IPA development repository
> > (https://fedorahosted.org/freeipa/ticket/1610).
> 
> > +def parse_options():
> > +    parser = IPAOptionParser(version=version.VERSION)
> > +    parser.add_option("-p", "--ds-password", dest="dm_password",
> > +                      sensitive=True, help="admin password")
> If this is the only password you need, then make it --password. And it
> is Directory Manager's account password, right? Would be nice to change
> help to be more explicit.

ipa-server-install and ipa-dns-install use the same option for the same
purpose, so I thought it might be a good idea to use the same. But you
are right "admin password" is misleading here. Maybe the help should be
fixed in ipa-server-install and ipa-dns-install, too?

> 
> > +    parser.add_option("--ip-address", dest="ip_address",
> > +                      type="ip", ip_local=True, help="Master Server IP Address")
> 
> > +def main():
> > +    safe_options, options = parse_options()
> > +
> > +    if os.getegid() != 0:
> > +        sys.exit("Must be root to setup AD trusts on server")
> > +
> > +    installutils.check_server_configuration()
> > +
> > +    standard_logging_setup("/var/log/ipaserver-install.log", options.debug, filemode='a')
> > +    print "\nThe log file for this installation can be found in /var/log/ipaserver-install.log"
> > +
> > +    logging.debug('%s was invoked with options: %s' % (sys.argv[0], safe_options))
> > +    logging.debug("missing options might be asked for interactively later\n")
> > +
> > +    global fstore
> > +    fstore = sysrestore.FileStore('/var/lib/ipa/sysrestore')
> > +
> > +    print "=============================================================================="
> > +    print "This program will setup components neede to establish trust to AD domains for"
> Typo: "neede_d_"

fixed

> 
> > +    # Check we have a public IP that is associated with the hostname
> > +    if options.ip_address:
> > +        ip = options.ip_address
> I would also run options.ip_address through ipautil.CheckedIPAddress()
> to make sure it is correct and is one of local addresses.
> 
> > +    else:
> > +        hostaddr = resolve_host(api.env.host)
> > +        try:
> > +            ip = hostaddr and ipautil.CheckedIPAddress(hostaddr, match_local=True)
> > +        except Exception, e:
> > +            print "Error: Invalid IP Address %s: %s" % (ip, e)
> > +            ip = None
> > +
> > +    if not ip:
> > +        if options.unattended:
> > +            sys.exit("Unable to resolve IP address for host name")
> > +        else:
> > +            ip = read_ip_address(api.env.host, fstore)
> > +    ip_address = str(ip)
> > +    logging.debug("will use ip_address: %s\n", ip_address)
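Review bot: in the `except Exception, e:` branch, `print "Error: Invalid IP Address %s: %s" % (ip, e)` refers to `ip`, but `ip` is the very name whose assignment just raised, and in this `else` branch nothing has bound it yet, so the handler will fail with UnboundLocalError instead of printing the error; report `hostaddr` (the value CheckedIPAddress rejected) instead. Also, in unattended mode `sys.exit("Unable to resolve IP address for host name")` is reached both when resolution failed and when the resolved address was rejected as invalid or non-local; including the reason in the message would save the admin a round of debugging.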
> And same here. You don't really want to blindly believe into what's entered.

fixed

> 
> > +    print "\tAdditionally you have to make sure the FreeIPA LDAP server cannot reached"
> > +    print "\tby any domain controller in the Active Directory domain by closing the"
> > +    print "\tfollowing ports for these servers:"
> > +    print "\t\tTCP Ports:"
> > +    print "\t\t  * 389, 636: LDAP/LDAPS"
> > +    print "\t\tUDP Ports:"
> > +    print "\t\t  * 389: (C)LDAP"
> > +    print "\tYou may want to choose to REJECT the packages instead of DROPing them to"
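Review bot: the user-facing sentence `"\tAdditionally you have to make sure the FreeIPA LDAP server cannot reached"` is missing a word and should read "cannot be reached"; since this block is shown to every admin running the tool, it is worth fixing in the same pass as the "packages" wording.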
> s/packages/network packets/

fixed

> 
> > diff --git a/ipaserver/install/smbinstance.py b/ipaserver/install/smbinstance.py
> > new file mode 100644
> The code in smbinstance.py assumes Samba has been compiled with
> /etc/ipa/smb.conf as default configuration file location. Is that correct?
> 

No, __write_sysconfig_samba() adds "-s /etc/ipa/smb.conf" to
SMBDOPTIONS in /etc/sysconfig/samba.

Thanks for the review. I will send a new patch when I've fixed the
issues Simo found.

bye,
Sumit

> -- 
> / Alexander Bokovoy
> 