Usually it isn't wise to allow something like this. But in an environment with broken DNS (described in the ticket) there are probably not many alternatives.

https://fedorahosted.org/freeipa/ticket/4444
--
David Kupka
From 6cfa293bffc03610bfc0391a96f0b95021f34c4e Mon Sep 17 00:00:00 2001
From: David Kupka <dku...@redhat.com>
Date: Wed, 27 Aug 2014 12:31:09 +0200
Subject: [PATCH] Allow user to force Kerberos realm during installation.

The user can set a realm that does not match the one resolved from DNS. This is useful especially
when DNS is misconfigured.

https://fedorahosted.org/freeipa/ticket/4444
---
 ipa-client/ipa-install/ipa-client-install |  2 +-
 ipa-client/ipaclient/ipadiscovery.py      | 42 ++++++++++++++++++++-----------
 2 files changed, 29 insertions(+), 15 deletions(-)

diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install
index 08fefc86d31392e9abf66ee4f8fff54a88179795..4eb3b3b8dcf5e31f08e9895b33ca0419eaf2195a 100755
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@@ -2126,7 +2126,7 @@ def install(options, env, fstore, statestore):
     # Create the discovery instance
     ds = ipadiscovery.IPADiscovery()
 
-    ret = ds.search(domain=options.domain, servers=options.server, hostname=hostname, ca_cert_path=get_cert_path(options.ca_cert_file))
+    ret = ds.search(domain=options.domain, servers=options.server, realm=options.realm_name, hostname=hostname, ca_cert_path=get_cert_path(options.ca_cert_file))
 
     if options.server and ret != 0:
         # There is no point to continue with installation as server list was
diff --git a/ipa-client/ipaclient/ipadiscovery.py b/ipa-client/ipaclient/ipadiscovery.py
index 0532f618e81d215c4416f62f81af2add48c7dc8e..589ca7ca856c288f68e2152489db2d43e075afd9 100644
--- a/ipa-client/ipaclient/ipadiscovery.py
+++ b/ipa-client/ipaclient/ipadiscovery.py
@@ -139,7 +139,7 @@ class IPADiscovery(object):
                 domain = domain[p+1:]
         return (None, None)
 
-    def search(self, domain = "", servers = "", hostname=None, ca_cert_path=None):
+    def search(self, domain = "", servers = "", realm=None, hostname=None, ca_cert_path=None):
         """
         Use DNS discovery to identify valid IPA servers.
 
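Review bot: The docstring of search() is not updated for the new `realm` keyword, so a reader cannot tell from it that passing a realm bypasses the `_kerberos` TXT-record lookup; the docstring continues below this hunk. Add a line such as `realm: Kerberos realm to use instead of the one discovered from DNS; when set, realm_source is recorded as 'Forced'.` next to the existing parameter descriptions.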
@@ -148,6 +148,7 @@ class IPADiscovery(object):
 
         Returns a constant representing the overall search result.
         """
+        root_logger.debug("realm provided: %s" % realm)
         root_logger.debug("[IPA Discovery]")
         root_logger.debug(
             'Starting IPA discovery with domain=%s, servers=%s, hostname=%s',
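Review bot: The added `root_logger.debug("realm provided: %s" % realm)` is emitted a second time further down in the same method (in the Kerberos realm search hunk), so the value is logged twice per search, and it formats eagerly with `%` while the neighbouring debug call passes lazy arguments. Keep only one of the two and write it as `root_logger.debug("realm provided: %s", realm)` to match the call directly below it.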
@@ -218,13 +219,22 @@ class IPADiscovery(object):
 
         #search for kerberos
         root_logger.debug("[Kerberos realm search]")
-        krb_realm, kdc = self.ipadnssearchkrb(self.domain)
-        if not servers and not krb_realm:
+        root_logger.debug("realm provided: %s" % realm)
+        if realm:
+            root_logger.debug("Kerberos realm forced")
+            self.realm = realm
+            self.realm_source = 'Forced'
+        else:
+            realm = self.ipadnssearchkrbrealm()
+            self.realm = realm
+            self.realm_source = (
+                'Discovered Kerberos DNS records from %s' % self.domain)
+
+        if not servers and not realm:
             return REALM_NOT_FOUND
 
-        self.realm = krb_realm
-        self.kdc = kdc
-        self.realm_source = self.kdc_source = (
+        self.kdc = self.ipadnssearchkrbkdc()
+        self.kdc_source = (
             'Discovered Kerberos DNS records from %s' % self.domain)
 
         # We may have received multiple servers corresponding to the domain
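Review bot: The KDC SRV lookup now runs against `self.domain` (the new `self.ipadnssearchkrbkdc()` call takes no argument), whereas the removed code queried `_kerberos._udp` under `realm.lower()`; where a discovered realm's DNS zone differs from the discovery domain, KDC records that were found before are now missed, and a forced realm never influences the KDC query at all. I cannot tell from the hunk which zone is intended; if the previous behaviour is wanted, pass it explicitly: `self.kdc = self.ipadnssearchkrbkdc(realm.lower()) if realm else None` (realm may be None here when servers were given). Independently, `self.kdc_source` is set to 'Discovered Kerberos DNS records from …' even when the lookup returned None, which is precisely the broken-DNS case this change targets; assigning it only when `self.kdc` is truthy keeps the recorded source honest.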
@@ -452,11 +462,12 @@ class IPADiscovery(object):
 
         return servers
 
-    def ipadnssearchkrb(self, tdomain):
+    def ipadnssearchkrbrealm(self, domain=None):
         realm = None
-        kdc = None
+        if not domain:
+            domain = self.domain
         # now, check for a Kerberos realm the local host or domain is in
-        qname = "_kerberos." + tdomain
+        qname = "_kerberos." + domain
 
         root_logger.debug("Search DNS for TXT record of %s", qname)
 
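Review bot: The renamed `ipadnssearchkrbrealm()` has no docstring, and because it replaces `ipadnssearchkrb()` any other caller of the old name (none is visible in this diff) would now fail with AttributeError. Add `"""Return the Kerberos realm from the _kerberos TXT record of *domain* (defaults to self.domain), or None if no record is found."""` under the def; the method body continues past this hunk.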
@@ -472,10 +483,13 @@ class IPADiscovery(object):
                 realm = answer.strings[0]
                 if realm:
                     break
+        return realm
 
-        if realm:
-            # now fetch server information for the realm
-            domain = realm.lower()
+    def ipadnssearchkrbkdc(self, domain=None):
+        kdc = None
+
+        if not domain:
+            domain = self.domain
 
             kdc = self.ipadns_search_srv(domain, '_kerberos._udp', 88,
                     break_on_first=False)
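Review bot: The body of the new `ipadnssearchkrbkdc()` is mis-indented: the context lines from `kdc = self.ipadns_search_srv(domain, '_kerberos._udp', 88,` onward keep the 12-space indent they had inside the removed `if realm:` block, so they now fall under `if not domain:`, and the SRV query (together with the `if kdc:` handling in the following hunk) only runs when no domain argument is passed; calling `ipadnssearchkrbkdc(domain)` with an explicit domain returns None without ever querying DNS. The only caller in this patch passes no argument, which is why it appears to work. Dedent everything from the `kdc = self.ipadns_search_srv(...)` call through the `kdc = None` in the else branch by one level so that only `domain = self.domain` stays under the `if`. The same mis-indented lines continue in the next hunk, from `if kdc:` up to `return kdc`.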
@@ -483,7 +497,7 @@ class IPADiscovery(object):
             if kdc:
                 kdc = ','.join(kdc)
             else:
-                root_logger.debug("SRV record for KDC not found! Realm: %s, SRV record: %s" % (realm, qname))
+                root_logger.debug("SRV record for KDC not found! Domain: %s" % domain)
                 kdc = None
 
-        return realm, kdc
+        return kdc
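Review bot: The rewritten debug call formats eagerly with `... % domain`, whereas the rest of the realm search passes lazy arguments (`root_logger.debug("Search DNS for TXT record of %s", qname)`); write it as `root_logger.debug("SRV record for KDC not found! Domain: %s", domain)` for consistency. The message also dropped the SRV name that was previously logged; including `'_kerberos._udp'` in it would make the failed query reproducible from the log alone.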
-- 
1.9.3
