Merge AD trust installer into composite ones #479
Conversation
Bump for review.
I have added basic integration tests for the built-in AD trust installation. You can run them on 3 machines (master + 2 replicas) by running `# ipa-run-tests --verbose /usr/lib/python2.7/site-packages/ipatests/test_integration/test_installation.py -k TestADTrustInstall` and having a properly configured test config.
ipaserver/install/server/__init__.py
| @@ -331,6 +336,13 @@ def dirsrv_config_file(self, value): | |||
| ) | |||
| pkinit_cert_name = prepare_only(pkinit_cert_name) | |||
|
|
|||
| # TODO: --add-agents makes no sense on server install (since it is a first | |||
| # master | |||
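Review bot: the TODO at the end of this hunk (`--add-agents makes no sense on server install (since it is a first master`) records a question that this same series answers by hardcoding `--add-agents` to False for the first master, so it should not stay a TODO; turn it into a plain statement of the behaviour, e.g. `# --add-agents is forced off on server install: the first master has no agents to add`, or drop it.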
That's already resolved, isn't it?
| @@ -548,6 +560,10 @@ def dm_password(self, value): | |||
| def admin_password(self, value): | |||
| validate_admin_password(value) | |||
|
|
|||
| # always run sidgen task and do not allow adding agents on first master | |||
| add_sids = True | |||
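Review bot: the comment in this hunk promises two things (`always run sidgen task and do not allow adding agents on first master`) while the visible code only sets `add_sids = True`; keep the matching `add_agents = False` assignment directly under the comment so the comment describes the code, and record in the comment why sidgen is forced rather than optional here: on a first master only a handful of bootstrap entries (cn=editors is the one raised in this thread) need SIDs, whereas a replica joining a large existing deployment gets `--add-sids` defaulting to False because the task can run long enough to stall the install. Stating that rationale next to the assignment is what justifies the two installers having opposite defaults.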
AFAICT add_sids is only relevant when upgrading from an old server which did not have the sidgen plugin enabled, so it in fact should always be False on first master.
The problem is that (for some reason) the 389-ds is populated by several default groups during bootstrap. One of these groups is cn=editors, which is a POSIX one and had no SID assigned when I hardcoded add_sids to False (cn=admins has its SID assigned directly by the CIFS installer since it has to have the special RID of 512).
@rcritten is there any reason why are these groups created during bootstrap and not during LDAP update phase?
aae365b to e936f49
Works for me, except ipa-server-install --setup-adtrust works even without the freeipa-server-trust-ad package. Please fix this in a new PR in the way DNS is done.
I have noticed that the check for installed dependencies is buggy, I will have to fix it before pushing. Also we would need to move the 'editors' group addition to the LDAP update phase since it remains with a missing SID during ipa-server-install when
If you can differentiate how the installer is being run, then for composite installer always run add_sids.
@abbra I think that I am confused by the way the sidgen plugin works. During LDAP configuration I can see that the sidgen/extdom plugins are activated, e.g.: Yet unless I install the AD trust related bits, there are no SIDs generated on the entries I add (users or groups). When the AD trust installer is run, I see that the sidgen task is activated: The admin user now has a SID added by the installer, yet the existing POSIX groups (editors) have no SIDs associated with them, only the new user I add afterwards. Do we have documentation about the semantics of the different sidgen-related operations somewhere? If not, can you please explain the behavior I am seeing here?
Unless you specified --add-sids to ipa-adtrust-install (or
OK I will then hard-code |
e936f49 to 936d286
I have added a commit that fixes the check for missing dependencies in composite installers.
Please rebase |
Decompose the individual sub-tasks into separate functions. Also perform the lookup only when LDAP is connected. https://fedorahosted.org/freeipa/ticket/6630
This is to prevent errors due to non-existent LDAP connection such as when installing first IPA master. https://fedorahosted.org/freeipa/ticket/6630
Use newly implemented APIs for searching and presenting potential trust agents. https://fedorahosted.org/freeipa/ticket/6639
Plain print messages are a) not logged into files and b) get lost in the output from composite installer. https://fedorahosted.org/freeipa/ticket/6630
There is no point in emitting this message during server/replica install. https://fedorahosted.org/freeipa/ticket/6630
The condition that controls when to check for samba dependencies was misformulated. The check should be run when the installer is *not* run as standalone. In standalone mode the check is already made in different place so the original code triggered it twice. https://fedorahosted.org/freeipa/ticket/6630
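As an added example (not FreeIPA's code) of the gate that commit message describes: the Samba dependency check runs only on the composite (non-standalone) path, because standalone ipa-adtrust-install has already checked before this code is reached, and a composite install with --setup-adtrust fails closed instead of configuring a trust controller whose freeipa-server-trust-ad bits are absent. The binary names, the `samba` Python module and the function names are assumptions made for illustration; the lookups are injectable so the logic can be exercised against a constructed environment.

```python
"""Added illustration, not FreeIPA code: one dependency gate for the AD trust
installer when it runs inside ipa-server-install / ipa-replica-install.

Assumption (not taken from the project): the binaries and module below are
what the freeipa-server-trust-ad package and its Samba dependencies provide.
"""
import importlib.util
import shutil

# Assumed to be shipped by freeipa-server-trust-ad / Samba.
REQUIRED_BINARIES = ("smbd", "net", "smbpasswd", "winbindd")
REQUIRED_MODULES = ("samba",)


def missing_adtrust_dependencies(which=shutil.which,
                                 find_module=importlib.util.find_spec):
    """Return the required binaries and modules that cannot be found.

    `which` and `find_module` default to real lookups on this host; they are
    parameters so the check can be run against a constructed environment.
    """
    missing = [name for name in REQUIRED_BINARIES if which(name) is None]
    missing += [name for name in REQUIRED_MODULES if find_module(name) is None]
    return missing


def adtrust_dependency_error(setup_adtrust, standalone,
                             which=shutil.which,
                             find_module=importlib.util.find_spec):
    """Decide whether the installer must refuse to set up AD trust.

    Returns None when nothing is wrong or the check does not apply here,
    otherwise the message the installer should abort with.

    - standalone=True  is ipa-adtrust-install: it verified the dependencies
      before calling into the installer, so checking again here would only
      report the same error twice (the bug the commit above fixes).
    - standalone=False is ipa-server-install / ipa-replica-install with
      --setup-adtrust: this is the only place the check happens, so missing
      bits must stop the install rather than leave a half-configured
      trust controller without smbd/winbind behind.
    """
    if not setup_adtrust or standalone:
        return None
    missing = missing_adtrust_dependencies(which, find_module)
    if not missing:
        return None
    return ("--setup-adtrust requires the freeipa-server-trust-ad package; "
            "missing: " + ", ".join(missing))


if __name__ == "__main__":
    # Probe the real system the way the composite installer would.
    error = adtrust_dependency_error(setup_adtrust=True, standalone=False)
    if error:
        raise SystemExit(error)
    print("AD trust dependencies present")
```

The injected `which`/`find_module` callables are what make the fail-closed branch testable on a machine that has no Samba installed; in the installer itself the defaults would be used.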
This interface is to be used to provide AD trust-related options in server and replica installer. https://fedorahosted.org/freeipa/ticket/6630
ipa-server-install is now able to configure Samba and winbind services
and manage trusts to Active Directory right off the bat with the following
alterations from the standalone installer:
* the sidgen task is always triggered since there are only a few entries
to tag in the beginning
* the `--add-agents` option is hardcoded to False, as there are no
potential agents to resolve and add when setting up the first
master in the topology
https://fedorahosted.org/freeipa/ticket/6630
`ipa-replica-install` is now able to configure Samba and winbind services in order to manage Active Directory trusts. The `--add-agents` option is exposed in the replica installer, while `--add-sids` now defaults to `False` since adding a first AD trust controller to an existing sizeable deployment can result in a stuck installation as sidgen tasks can take a long time to complete. That's why adding SIDs should be a conscious decision in this case. https://fedorahosted.org/freeipa/ticket/6630
`--rid-base` and `--secondary-rid-base` had the `-U` option assigned by error in the man page. Remove it as these options have no short alias. https://fedorahosted.org/freeipa/ticket/6630
Since AD trust installer is now a part of composite installers, their man pages were updated with separate section documenting relevant AD trust-related option descriptions. https://fedorahosted.org/freeipa/ticket/6630
A couple of tests were added to server/replica install integration suite to test AD trust install w/ various combinations of other optional components. https://fedorahosted.org/freeipa/ticket/6630
936d286 to 301f8e1
master:
This PR implements setup of Samba/Winbind as a part of server/replica install.
I will update installation tests in a separate PR in order not to inflate an
already sizeable amount of code touched in this one.
I also updated man pages of ipa-server/replica-install, but since the entries
are a bit chatty, it may be a good idea to write more terse option
descriptions and provide a link to
ipa-adtrust-install for a more thorough explanation.
The commits from #457 are on the bottom
of the branch in order to provide working AD trust installer in cases where
admin password is not provided.