URL: https://github.com/freeipa/freeipa/pull/4909
Author: fcami
Title: #4909: Add unauthenticated nsupdate
Action: opened
PR body:
"""
ipa-client-install: update sssd.conf if nsupdate requires -g
If dynamic DNS updates are selected, sssd will use GSS-TSIG
by default for nsupdate.
When ipa-client-install notices that plain nsupdate is required,
switch sssd to use no authentication for dynamic updates too.
Fixes: https://pagure.io/freeipa/issue/8402
+
ipa-client-install: invoke nsupdate twice (GSS-TSIG, plain)
ipa-client-install invokes nsupdate with GSS-TSIG at client
enrollment time. If that fails, no retry is done.
Change that behavior to try again without GSS-TSIG.
Fixes: https://pagure.io/freeipa/issue/8402
####
This is purely WIP:
- it needs a proper test
- there are more nsupdate calls that should be adapted.
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/4909/head:pr4909
git checkout pr4909
From 42d40b843b831949c0bf2953e2e48807af6157ac Mon Sep 17 00:00:00 2001
From: François Cami <[email protected]>
Date: Wed, 8 Jul 2020 09:45:02 +0200
Subject: [PATCH 1/2] ipa-client-install: invoke nsupdate twice (GSS-TSIG, plain)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
ipa-client-install invokes nsupdate with GSS-TSIG at client
enrollment time. If that fails, no retry is done.
Change that behavior to try again without GSS-TSIG.
Fixes: https://pagure.io/freeipa/issue/8402
Signed-off-by: François Cami <[email protected]>
---
ipaclient/install/client.py | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/ipaclient/install/client.py b/ipaclient/install/client.py
index 1b8bc34329..df5bf74b77 100644
--- a/ipaclient/install/client.py
+++ b/ipaclient/install/client.py
@@ -1338,6 +1338,11 @@ def do_nsupdate(update_txt):
result = True
except CalledProcessError as e:
logger.debug('nsupdate failed: %s', str(e))
+ try:
+ ipautil.run([paths.NSUPDATE, UPDATE_FILE])
+ result = True
+ except CalledProcessError as e:
+ logger.debug('Unauthenticated nsupdate failed: %s', str(e))
try:
os.remove(UPDATE_FILE)
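Review bot: the new retry block (`ipautil.run([paths.NSUPDATE, UPDATE_FILE])`) runs on any CalledProcessError from the `-g` invocation and records the downgrade only with `logger.debug`, so an enrollment whose Kerberos-authenticated update failed for a transient reason ends up registered through an unauthenticated update without anything visible to the administrator; log the fallback at warning level, e.g. `logger.warning('nsupdate with GSS-TSIG failed, retrying without authentication')`, and consider making the unauthenticated retry an explicit opt-in rather than the default path, which fits the "purely WIP" note in the PR body. The retry also sets `result = True` on success, so callers cannot distinguish an authenticated from an unauthenticated registration; returning that distinction (or logging it at info level) would let the SSSD follow-up in the second patch and any later diagnostics act on it.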
From 9b6cd087a8fb5f664eb037e91c4103c77abbf6a3 Mon Sep 17 00:00:00 2001
From: François Cami <[email protected]>
Date: Thu, 9 Jul 2020 09:45:02 +0200
Subject: [PATCH 2/2] ipa-client-install: update sssd.conf if nsupdate requires -g
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
If dynamic DNS updates are selected, sssd will use GSS-TSIG
by default for nsupdate.
When ipa-client-install notices that plain nsupdate is required,
switch sssd to use no authentication for dynamic updates too.
Fixes: https://pagure.io/freeipa/issue/8402
Signed-off-by: François Cami <[email protected]>
---
ipaclient/install/client.py | 22 +++++++++++++++++++++-
1 file changed, 21 insertions(+), 1 deletion(-)
diff --git a/ipaclient/install/client.py b/ipaclient/install/client.py
index df5bf74b77..43ea626d55 100644
--- a/ipaclient/install/client.py
+++ b/ipaclient/install/client.py
@@ -1337,9 +1337,29 @@ def do_nsupdate(update_txt):
ipautil.run([paths.NSUPDATE, '-g', UPDATE_FILE])
result = True
except CalledProcessError as e:
- logger.debug('nsupdate failed: %s', str(e))
+ logger.debug('nsupdate (GSS-TSIG) failed: %s', str(e))
try:
ipautil.run([paths.NSUPDATE, UPDATE_FILE])
+ try:
+ sssd = services.service('sssd', api)
+ sssdconfig = SSSDConfig.SSSDConfig()
+ sssdconfig.import_config()
+ domains = sssdconfig.list_active_domains()
+ for name in domains:
+ domain = sssdconfig.get_domain(name)
+ try:
+ provider = domain.get_option('id_provider')
+ except SSSDConfig.NoOptionError:
+ continue
+ if name == api.env.domain and provider == "ipa":
+ if domain.get_option('dyndns_update') == True:
+ # dyndns_update is set by configure_sssd_conf()
+ domain.set_option('dyndns_auth', 'none')
+ sssdconfig.save_domain(domain)
+ sssdconfig.write(paths.SSSD_CONF)
+ sssd.restart()
+ except Exception:
+ logger.debug('Unable to update SSSD configuration: %s', str(e))
result = True
except CalledProcessError as e:
logger.debug('Unauthenticated nsupdate failed: %s', str(e))
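Review bot: `except Exception:` at the end of the new SSSD block does not bind a name, so the `str(e)` in `logger.debug('Unable to update SSSD configuration: %s', str(e))` resolves to the `e` of the enclosing `except CalledProcessError as e:` (the GSS-TSIG nsupdate failure), and the actual configuration error is never logged; change it to `except Exception as e:`. On the same block: switching `dyndns_auth` to `none` permanently downgrades SSSD's dynamic DNS updates to unauthenticated for the IPA domain on the strength of one failed GSS-TSIG attempt, and that change is reported only at debug level, so it should be logged at warning level and ideally depend on an explicit installer option rather than on the retry having succeeded; `domain.get_option('dyndns_update') == True` should be a plain truth test (or `is True`) once you have confirmed whether SSSDConfig returns a bool or a string for this option, since a string `'True'` would never compare equal to the boolean; and the twenty-line configuration rewrite is now nested three levels deep inside `do_nsupdate`, so moving it into a helper such as a `set_sssd_dyndns_auth_none()` function next to `configure_sssd_conf()` would keep `do_nsupdate` readable.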
_______________________________________________
FreeIPA-devel mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/[email protected]