On 09/04/2014 01:22 PM, Jan Cholasta wrote:
Dne 4.9.2014 v 12:42 David Kupka napsal(a):
On 09/03/2014 05:09 PM, Jan Cholasta wrote:
Hi,
Dne 27.8.2014 v 13:56 David Kupka napsal(a):
Usually it isn't wise to allow something like this. But in an environment
with broken DNS (described in the ticket) there are probably not many
alternatives.
https://fedorahosted.org/freeipa/ticket/4444
1) I think you can log realm in search() as part of the "Starting IPA
discovery ..." message instead of a separate message.
2) Also, no need to log the realm twice in search().
I forgot to remove some redundant debug prints.
3) It looks like you forgot to un-indent some code in
ipadnssearchkrbkdc().
Fixed, thanks.
What I meant is that this:
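def ipadnssearchkrbkdc(self, domain=None):
    """Look up KDC SRV records for *domain* and return them as one string.

    Args:
        domain: DNS domain to query; when empty or ``None`` the instance's
            ``self.domain`` is used instead.

    Returns:
        The discovered KDC entries joined with commas, or ``None`` when
        ``ipadns_search_srv`` found no ``_kerberos._udp`` SRV record.
    """
    if not domain:
        domain = self.domain
    # break_on_first=False presumably returns every matching record rather
    # than only the first one -- confirm against ipadns_search_srv.
    kdc = self.ipadns_search_srv(domain, '_kerberos._udp', 88,
                                 break_on_first=False)
    if kdc:
        return ','.join(kdc)
    # The message is debug-only; an absent KDC record is an expected outcome
    # for domains that do not publish one, not an error.
    root_logger.debug("SRV record for KDC not found! Domain: %s" % domain)
    return None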
should be this:
def ipadnssearchkrbkdc(self, domain=None):
    """Return the comma-joined KDC SRV entries found for *domain*.

    Args:
        domain: DNS domain to search; a falsy value selects ``self.domain``.

    Returns:
        ``','.join(...)`` of the records returned by ``ipadns_search_srv``
        for ``_kerberos._udp``, or ``None`` if nothing was found.
    """
    search_domain = domain or self.domain
    records = self.ipadns_search_srv(search_domain, '_kerberos._udp', 88,
                                     break_on_first=False)
    if not records:
        root_logger.debug("SRV record for KDC not found! Domain: %s" % search_domain)
        return None
    return ','.join(records)
Isn't that right?
Oh, you're right, again :) Thanks.
Honza
--
David Kupka
From e3dfea228328da6d520180515426095ce0985c47 Mon Sep 17 00:00:00 2001
From: David Kupka <dku...@redhat.com>
Date: Wed, 27 Aug 2014 12:31:09 +0200
Subject: [PATCH] Allow user to force Kerberos realm during installation.
The user can set a realm not matching the one resolved from DNS. This is useful especially
when DNS is misconfigured.
https://fedorahosted.org/freeipa/ticket/4444
---
ipa-client/ipa-install/ipa-client-install | 2 +-
ipa-client/ipaclient/ipadiscovery.py | 52 +++++++++++++++++++------------
2 files changed, 33 insertions(+), 21 deletions(-)
diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install
index 08fefc86d31392e9abf66ee4f8fff54a88179795..4eb3b3b8dcf5e31f08e9895b33ca0419eaf2195a 100755
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@@ -2126,7 +2126,7 @@ def install(options, env, fstore, statestore):
# Create the discovery instance
ds = ipadiscovery.IPADiscovery()
- ret = ds.search(domain=options.domain, servers=options.server, hostname=hostname, ca_cert_path=get_cert_path(options.ca_cert_file))
+ ret = ds.search(domain=options.domain, servers=options.server, realm=options.realm_name, hostname=hostname, ca_cert_path=get_cert_path(options.ca_cert_file))
if options.server and ret != 0:
# There is no point to continue with installation as server list was
diff --git a/ipa-client/ipaclient/ipadiscovery.py b/ipa-client/ipaclient/ipadiscovery.py
index 0532f618e81d215c4416f62f81af2add48c7dc8e..0d574825aa493a8d565afe30077b74aec03924a3 100644
--- a/ipa-client/ipaclient/ipadiscovery.py
+++ b/ipa-client/ipaclient/ipadiscovery.py
@@ -139,7 +139,7 @@ class IPADiscovery(object):
domain = domain[p+1:]
return (None, None)
- def search(self, domain = "", servers = "", hostname=None, ca_cert_path=None):
+ def search(self, domain="", servers="", realm=None, hostname=None, ca_cert_path=None):
"""
Use DNS discovery to identify valid IPA servers.
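Review bot: The new `realm` keyword on `search()` is not described in the docstring that begins on the line above, and that docstring continues outside the hunk. A line such as `realm -- Kerberos realm to use as-is instead of the one found in DNS TXT records; when given, DNS realm discovery is skipped entirely` would tell callers that a forced realm is never cross-checked against discovery. The whitespace tightening around `=` in the signature is fine.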
@@ -218,13 +218,21 @@ class IPADiscovery(object):
#search for kerberos
root_logger.debug("[Kerberos realm search]")
- krb_realm, kdc = self.ipadnssearchkrb(self.domain)
- if not servers and not krb_realm:
+ if realm:
+ root_logger.debug("Kerberos realm forced")
+ self.realm = realm
+ self.realm_source = 'Forced'
+ else:
+ realm = self.ipadnssearchkrbrealm()
+ self.realm = realm
+ self.realm_source = (
+ 'Discovered Kerberos DNS records from %s' % self.domain)
+
+ if not servers and not realm:
return REALM_NOT_FOUND
- self.realm = krb_realm
- self.kdc = kdc
- self.realm_source = self.kdc_source = (
+ self.kdc = self.ipadnssearchkrbkdc()
+ self.kdc_source = (
'Discovered Kerberos DNS records from %s' % self.domain)
# We may have received multiple servers corresponding to the domain
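Review bot: On the `self.kdc = self.ipadnssearchkrbkdc()` line the KDC SRV lookup now runs against `self.domain`, whereas the removed code (`domain = realm.lower()` followed by the `_kerberos._udp` search, in the last hunk of this file) queried under the lower-cased realm name; the new helper accepts a `domain` argument but is called without one, so a forced realm never influences which SRV records are queried. If the change of lookup domain is deliberate it belongs in the commit message; otherwise `self.kdc = self.ipadnssearchkrbkdc(self.realm.lower())` keeps the previous behaviour for both the discovered and the forced case. Separately, `root_logger.debug("Kerberos realm forced")` is the only trace that DNS discovery was bypassed; recording the value at info level, `root_logger.info("Kerberos realm forced to %s", realm)`, makes an install that overrode discovery easy to spot later in the install log. The `search()` method starts and ends outside this hunk.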
@@ -452,11 +460,12 @@ class IPADiscovery(object):
return servers
- def ipadnssearchkrb(self, tdomain):
+ def ipadnssearchkrbrealm(self, domain=None):
realm = None
- kdc = None
+ if not domain:
+ domain = self.domain
# now, check for a Kerberos realm the local host or domain is in
- qname = "_kerberos." + tdomain
+ qname = "_kerberos." + domain
root_logger.debug("Search DNS for TXT record of %s", qname)
@@ -472,18 +481,21 @@ class IPADiscovery(object):
realm = answer.strings[0]
if realm:
break
+ return realm
- if realm:
- # now fetch server information for the realm
- domain = realm.lower()
+ def ipadnssearchkrbkdc(self, domain=None):
+ kdc = None
- kdc = self.ipadns_search_srv(domain, '_kerberos._udp', 88,
- break_on_first=False)
+ if not domain:
+ domain = self.domain
- if kdc:
- kdc = ','.join(kdc)
- else:
- root_logger.debug("SRV record for KDC not found! Realm: %s, SRV record: %s" % (realm, qname))
- kdc = None
+ kdc = self.ipadns_search_srv(domain, '_kerberos._udp', 88,
+ break_on_first=False)
- return realm, kdc
+ if kdc:
+ kdc = ','.join(kdc)
+ else:
+ root_logger.debug("SRV record for KDC not found! Domain: %s" % domain)
+ kdc = None
+
+ return kdc
--
1.9.3