[Freeipa-devel] [PATCH] 0070 Ask for admin password in ipa-adtrust-install

Alexander Bokovoy abokovoy at redhat.com
Fri Aug 17 15:04:51 UTC 2012


Hi,

The credentials of the admin user will be used to obtain a Kerberos ticket
before configuring cross-realm trust support and afterwards, to
ensure that the ticket contains the MS-PAC information required to actually
add a trust with an Active Directory domain via the 'ipa trust-add --type=ad'
command.

We discussed a few other approaches with Simo and decided to go for this
one as the simplest. By default, Kerberos tickets issued in an IPA install
are not renewable, so it is not possible to use 'kinit -R' to renew the
existing ticket. Another approach was to modify our KDB driver to attach
the MS-PAC to selected service tickets rather than to the TGT, but this means we
would lose the advantage of 'caching' MS-PAC creation (which may be costly
due to LDAP lookups for gathering group membership) as part of the TGT
ticket.

In the end, adding two options to ipa-adtrust-install, which is run only
once, is simpler.

-A (--admin-name, defaults to 'admin') allows specifying the admin user
-a (--admin-password) allows specifying the admin user's password

If the admin password is not specified, the existing default ccache credentials
are used and a warning message about the need to re-kinit is shown at the end.

An unattended install is treated as if the admin password was not specified.

http://fedorahosted.org/freeipa/ticket/2852

-- 
/ Alexander Bokovoy
From 6012df490ba4de0c69d048bef590f184b4194154 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy at redhat.com>
Date: Fri, 17 Aug 2012 15:26:58 +0300
Subject: [PATCH] Ask for admin password in ipa-adtrust-install

The credentials of the admin user will be used to obtain a Kerberos ticket before
configuring cross-realm trust support and afterwards, to ensure that the
ticket contains the MS-PAC information required to actually add a trust with an Active
Directory domain via the 'ipa trust-add --type=ad' command.

https://fedorahosted.org/freeipa/ticket/2852
---
 install/tools/ipa-adtrust-install       | 37 +++++++++++++++++++++++++++++++++
 install/tools/man/ipa-adtrust-install.1 |  9 ++++++++
 2 files changed, 46 insertions(+)

diff --git a/install/tools/ipa-adtrust-install b/install/tools/ipa-adtrust-install
index 8cea077cca20cc6c35cff43630c422b0c869cf08..d6a35371f39b00dc750c1dbbff5c95c8e8e9f689 100755
--- a/install/tools/ipa-adtrust-install
+++ b/install/tools/ipa-adtrust-install
@@ -55,6 +55,12 @@ def parse_options():
                            "UIDs and GIDs to RIDs")
     parser.add_option("-U", "--unattended", dest="unattended", action="store_true",
                       default=False, help="unattended installation never prompts the user")
+    parser.add_option("-a", "--admin-password",
+                      sensitive=True, dest="admin_password",
+                      help="admin user kerberos password")
+    parser.add_option("-A", "--admin-name",
+                      sensitive=True, dest="admin_name", default='admin',
+                      help="admin user principal")
 
     options, args = parser.parse_args()
     safe_options = parser.get_safe_opts(options)
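Review bot: `sensitive=True` on the second added option, `--admin-name`, marks a non-secret as sensitive, so the principal name is scrubbed from `safe_options` and the install log even though it is exactly what an operator needs when troubleshooting a failed kinit; only `--admin-password` needs the flag. Separately, a password given as `-a` on the command line is visible in the process list and in shell history for the duration of the run, so the help string for `-a` should say it is intended for unattended runs and that interactive users get a prompt.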
@@ -85,6 +91,21 @@ def read_netbios_name(netbios_default):
 
     return netbios_name
 
+def read_admin_password(admin_name):
+    print "Configuring cross-realm trusts for IPA server requires password for user '%s'." % (admin_name)
+    print "This user is a regular system account used for IPA server administration."
+    print ""
+    admin_password = read_password(admin_name,confirm=False,validate=None)
+    return admin_password
+
+def ensure_admin_kinit(admin_name, admin_password):
+    try:
+        ipautil.run(['kinit', admin_name],stdin=admin_password+'\n')
+    except ipautil.CalledProcessError, e:
+        print "There was error to automatically re-kinit your admin user ticket."
+        return False
+    return True
+
 def main():
     safe_options, options = parse_options()
 
@@ -193,6 +214,16 @@ def main():
     if not options.unattended and ( not netbios_name or not options.netbios_name):
         netbios_name = read_netbios_name(netbios_name)
 
+    admin_password = options.admin_password
+    if not (options.unattended or admin_password):
+        admin_password = read_admin_password(options.admin_name)
+
+    admin_kinited = None
+    if admin_password:
+        admin_kinited = ensure_admin_kinit(options.admin_name, admin_password)
+        if not admin_kinited:
+            print "Proceeding with credentials that existed before"
+
     try:
         ctx = krbV.default_context()
         ccache = ctx.default_ccache()
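Review bot: when `ensure_admin_kinit` returns False the code prints "Proceeding with credentials that existed before" but leaves `admin_password` set, so the same, already-rejected password is fed to the second kinit at the end of `main()` and the failure message is printed twice; set `admin_password = None` on failure (or re-prompt in interactive mode, since a mistyped password is the common case) so the fallback to the existing ccache is consistent for the rest of the run.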
@@ -252,6 +283,12 @@ You may want to choose to REJECT the network packets instead of DROPing
 them to avoid timeouts on the AD domain controllers.
 
 =============================================================================
+"""
+    if admin_password:
+        admin_kinited = ensure_admin_kinit(options.admin_name, admin_password)
+
+    if not admin_kinited:
+        print """
 WARNING: you MUST re-kinit admin user before using 'ipa trust-*' commands
 family in order to re-generate Kerberos tickets to include AD-specific
 information"""
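Review bot: the final `ensure_admin_kinit` call is only worth making if the first one in `main()` succeeded, so gate it on `admin_kinited` rather than on `admin_password`. Also, a successful re-kinit silently replaces whatever ticket was in the default ccache with one for `options.admin_name`; printing a one-line notice that the ticket for that principal was renewed would tell the operator which credentials they now hold, in the same way the WARNING branch tells them what to do when it was not.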
diff --git a/install/tools/man/ipa-adtrust-install.1 b/install/tools/man/ipa-adtrust-install.1
index 22337c3df8827670657bf405b6c49ba2f8624d6d..936e04c2472c272180124aa8b84749722dde0bc2 100644
--- a/install/tools/man/ipa-adtrust-install.1
+++ b/install/tools/man/ipa-adtrust-install.1
@@ -41,6 +41,15 @@ Do not create DNS service records for Windows in managed DNS server
 .TP
 \fB\-U\fR, \fB\-\-unattended\fR
 An unattended installation that will never prompt for user input
+.TP
+\fB\-A\fR, \fB\-\-admin\-name\fR=\fIADMIN_NAME\fR
+The name of the user with administrative privileges for this IPA server. Defaults to 'admin'.
+.TP
+\fB\-a\fR, \fB\-\-admin\-password\fR=\fIpassword\fR
+The password of the user with administrative privileges for this IPA server. Will be asked interactively if \fB\-U\fR is not specified.
+.TP
+The credentials of the admin user will be used to obtain Kerberos ticket before configuring cross-realm trusts support and afterwards, to ensure that the ticket contains MS-PAC information required to actually add a trust with Active Directory domain via 'ipa trust-add --type=ad' command.
+.TP
 .SH "EXIT STATUS"
 0 if the installation was successful
 
-- 
1.7.11.4