Hi, this patch adds a new option to ipa-adtrust-install that generates SIDs for existing users and groups at the end of the run. This fixes https://fedorahosted.org/freeipa/ticket/3104.
bye, Sumit
From 64f5b76c1869dbbc5e63035baa13642b43854839 Mon Sep 17 00:00:00 2001 From: Sumit Bose <sb...@redhat.com> Date: Tue, 2 Oct 2012 22:11:17 +0200 Subject: [PATCH] Add SIDs for existing users and groups at the end of ipa-adtrust-install Fixes https://fedorahosted.org/freeipa/ticket/3104 --- daemons/ipa-slapi-plugins/ipa-sidgen/Makefile.am | 1 + .../ipa-sidgen/ipa-sidgen-task-example.ldif | 10 ---------- .../ipa-sidgen/ipa-sidgen-task-run.ldif | 10 ++++++++++ install/tools/ipa-adtrust-install | 5 ++++- install/tools/man/ipa-adtrust-install.1 | 10 ++++++++++ ipaserver/install/adtrustinstance.py | 19 ++++++++++++++++++- 6 Dateien geändert, 43 Zeilen hinzugefügt(+), 12 Zeilen entfernt(-) delete mode 100644 daemons/ipa-slapi-plugins/ipa-sidgen/ipa-sidgen-task-example.ldif create mode 100644 daemons/ipa-slapi-plugins/ipa-sidgen/ipa-sidgen-task-run.ldif diff --git a/daemons/ipa-slapi-plugins/ipa-sidgen/Makefile.am b/daemons/ipa-slapi-plugins/ipa-sidgen/Makefile.am index 0d8b74e86369ae9c972e090ff0e6feddc840cfde..a0d0e9ecf366b23cc6f054945544cd88cd846cad 100644 --- a/daemons/ipa-slapi-plugins/ipa-sidgen/Makefile.am +++ b/daemons/ipa-slapi-plugins/ipa-sidgen/Makefile.am @@ -49,6 +49,7 @@ appdir = $(IPA_DATA_DIR) app_DATA = \ ipa-sidgen-conf.ldif \ ipa-sidgen-task-conf.ldif \ + ipa-sidgen-task-run.ldif \ $(NULL) EXTRA_DIST = \ diff --git a/daemons/ipa-slapi-plugins/ipa-sidgen/ipa-sidgen-task-example.ldif b/daemons/ipa-slapi-plugins/ipa-sidgen/ipa-sidgen-task-example.ldif deleted file mode 100644 index 9cfded73b1b53461c0c0aa4f563452f51d258aae..0000000000000000000000000000000000000000 --- a/daemons/ipa-slapi-plugins/ipa-sidgen/ipa-sidgen-task-example.ldif +++ /dev/null @@ -1,10 +0,0 @@ -dn: cn=sidgen,cn=ipa-sidgen-task,cn=plugins,cn=config -changetype: add -objectClass: top -objectClass: nsSlapdPlugin -objectClass: extensibleObject -cn: ipa-sidgen-task -nsslapd-pluginPath: libipa_sidgen_task -nsslapd-pluginInitfunc: sidgen_task_init -nsslapd-basedn: $SUFFIX -delay: 0 
diff --git a/daemons/ipa-slapi-plugins/ipa-sidgen/ipa-sidgen-task-run.ldif b/daemons/ipa-slapi-plugins/ipa-sidgen/ipa-sidgen-task-run.ldif new file mode 100644 index 0000000000000000000000000000000000000000..663b7597b90a59c88c658dbcc5f483a6693f88dc --- /dev/null +++ b/daemons/ipa-slapi-plugins/ipa-sidgen/ipa-sidgen-task-run.ldif @@ -0,0 +1,10 @@ +dn: cn=sidgen,cn=ipa-sidgen-task,cn=tasks,cn=config +changetype: add +objectClass: top +objectClass: extensibleObject +cn: sidgen +# $SUFFIX must be replaced with the base DN of the IPA directory tree +nsslapd-basedn: $SUFFIX +# delay specifies the time the task should sleep between the generation of SIDs +# in nanoseconds +delay: 0 diff --git a/install/tools/ipa-adtrust-install b/install/tools/ipa-adtrust-install index 12e218de62dd4b4d795f7372e0108e6a208f1285..f50bb58213ac0681cd8bda0a449ae21c48e6adb8 100755 --- a/install/tools/ipa-adtrust-install +++ b/install/tools/ipa-adtrust-install @@ -61,6 +61,9 @@ def parse_options(): parser.add_option("-A", "--admin-name", sensitive=True, dest="admin_name", default='admin', help="admin user principal") + parser.add_option("--add-sids", dest="add_sids", action="store_true", + default=False, help="Add SIDs for existing users and" \ + "groups as the final step") options, args = parser.parse_args() safe_options = parser.get_safe_opts(options) @@ -254,7 +257,7 @@ def main(): smb.autobind = service.ENABLED smb.setup(api.env.host, ip_address, api.env.realm, api.env.domain, netbios_name, options.rid_base, options.secondary_rid_base, - options.no_msdcs) + options.no_msdcs, options.add_sids) smb.find_local_id_range() smb.create_instance() diff --git a/install/tools/man/ipa-adtrust-install.1 b/install/tools/man/ipa-adtrust-install.1 index fa63bca3c4859325acb5891de6ad1e21b97dc754..9204b7d5fde7493a4c268eb71693e86a63a1b4b7 100644 --- a/install/tools/man/ipa-adtrust-install.1 +++ b/install/tools/man/ipa-adtrust-install.1 
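Review bot: The `--add-sids` help string in `parse_options()` is built from two adjacent literals with no space at the join, so `--help` will print "users andgroups". Add the trailing space to the first literal, `default=False, help="Add SIDs for existing users and " \`; the backslash is redundant inside the call's parentheses and can be dropped. The man page warns about replication traffic, so the help text could mention that as well, though that is optional. `parse_options()` starts and ends outside the hunk.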
@@ -71,6 +71,16 @@ are needed for the IPA domain which should point to all IPA servers: .IP \(bu _kerberos._udp.Default-First-Site-Name._sites.dc._msdcs .TP +\fB\-\-add\-sids\fR +Add SIDs to existing users and groups as a final step of the +ipa\-adtrust\-install run. If there a many existing users and groups and a +couple of replicas in the environment this operation might lead to a high +replication traffic and a performance degradation of all IPA servers in the +environment. To avoid this the SID generation can be run after +ipa\-adtrust\-install is run and scheduled independently. To start this task +you have to load an edited version of ipa-sidgen-task-run.ldif with the +ldapmodify command info the directory server. +.TP \fB\-U\fR, \fB\-\-unattended\fR An unattended installation that will never prompt for user input .TP diff --git a/ipaserver/install/adtrustinstance.py b/ipaserver/install/adtrustinstance.py index 8b8364929a9f063ad66fac0d7bca4d13977f9543..8822c2855eff3b9855914679ac7cedd016ea9185 100644 --- a/ipaserver/install/adtrustinstance.py +++ b/ipaserver/install/adtrustinstance.py @@ -109,6 +109,7 @@ class ADTRUSTInstance(service.Service): self.domain_name = None self.netbios_name = None self.no_msdcs = None + self.add_sids = None self.smbd_user = None self.suffix = DN() self.ldapi_socket = None @@ -332,6 +333,16 @@ class ADTRUSTInstance(service.Service): try: self._ldap_mod("ipa-sidgen-conf.ldif", self.sub_dict) self._ldap_mod("ipa-sidgen-task-conf.ldif", self.sub_dict) + except Exception: + pass + + def __add_sids(self): + """ + Add SIDs for existing users and groups + """ + + try: + self._ldap_mod("ipa-sidgen-task-run.ldif", self.sub_dict) except: pass 
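Review bot: The new `__add_sids` ends in the bare `except: pass` carried over from the preceding method, so a failed load of ipa-sidgen-task-run.ldif is swallowed and the "adding SIDs to existing users and groups" step still looks successful. An administrator who asked for `--add-sids` would be left with accounts that have no SID and no indication why. Catch the error and report it instead, for example `except Exception as e:` followed by a log call that names the LDIF file and the error. The same applies to the `except Exception: pass` this hunk adds after the two sidgen configuration loads. Loading the LDIF presumably only creates the task entry, so the docstring should say the step schedules SID generation rather than completes it; the method before `__add_sids` begins outside the hunk.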
@@ -574,7 +585,8 @@ class ADTRUSTInstance(service.Service): FQDN = self.fqdn) def setup(self, fqdn, ip_address, realm_name, domain_name, netbios_name, - rid_base, secondary_rid_base, no_msdcs=False, smbd_user="samba"): + rid_base, secondary_rid_base, no_msdcs=False, add_sids=False, + smbd_user="samba"): self.fqdn = fqdn self.ip_address = ip_address self.realm = realm_name @@ -583,6 +595,7 @@ class ADTRUSTInstance(service.Service): self.rid_base = rid_base self.secondary_rid_base = secondary_rid_base self.no_msdcs = no_msdcs + self.add_sids = add_sids self.smbd_user = smbd_user self.suffix = ipautil.realm_to_suffix(self.realm) self.ldapi_socket = "%%2fvar%%2frun%%2fslapd-%s.socket" % \ @@ -671,6 +684,10 @@ class ADTRUSTInstance(service.Service): self.__configure_selinux_for_smbd) self.step("starting CIFS services", self.__start) + if self.add_sids: + self.step("adding SIDs to existing users and groups", + self.__add_sids) + self.start_creation("Configuring CIFS:") def uninstall(self): -- 1.7.11.4
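Review bot: Inserting `add_sids=False` before `smbd_user="samba"` in `setup()` shifts the positional slot of `smbd_user`, so a caller that passes it positionally as the ninth argument would now set `add_sids` to a truthy string and trigger SID generation unasked. No such caller is visible on this page, but appending the new parameter keeps the signature backward compatible: `rid_base, secondary_rid_base, no_msdcs=False, smbd_user="samba", add_sids=False):`. The call in ipa-adtrust-install would then pass it by keyword, `options.no_msdcs, add_sids=options.add_sids)`. A short docstring on `setup()` stating that `add_sids` schedules the sidgen task as the last install step would also help; the body of `setup()` continues outside the hunk.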