Re: [Freeipa-devel] [PATCH] 0011 Allow user to force Kerberos realm during installation
On 09/04/2014 01:22 PM, Jan Cholasta wrote: Dne 4.9.2014 v 12:42 David Kupka napsal(a): On 09/03/2014 05:09 PM, Jan Cholasta wrote: Hi, Dne 27.8.2014 v 13:56 David Kupka napsal(a): Usually it isn't wise to allow something like this. But in environment with broken DNS (described in ticket) there is probably not many alternatives. https://fedorahosted.org/freeipa/ticket/ 1) I think you can log realm in search() as part of the Starting IPA discovery ... message instead of a separate message. 2) Also, no need to log the realm twice in search(). I forget to remove some redundant debug prints. 3) It looks like you forgot to un-indent some code in ipadnssearchkrbkdc(). Fixed, thanks. What I meant is that this: def ipadnssearchkrbkdc(self, domain=None): kdc = None if not domain: domain = self.domain kdc = self.ipadns_search_srv(domain, '_kerberos._udp', 88, break_on_first=False) if kdc: kdc = ','.join(kdc) else: root_logger.debug(SRV record for KDC not found! Domain: %s % domain) kdc = None return kdc should be this: def ipadnssearchkrbkdc(self, domain=None): if not domain: domain = self.domain kdc = self.ipadns_search_srv(domain, '_kerberos._udp', 88, break_on_first=False) if kdc: kdc = ','.join(kdc) else: root_logger.debug(SRV record for KDC not found! Domain: %s % domain) kdc = None return kdc Isn't that right? Oh, you're right, again :) Thanks. Honza -- David Kupka From e3dfea228328da6d520180515426095ce0985c47 Mon Sep 17 00:00:00 2001 From: David Kupka dku...@redhat.com Date: Wed, 27 Aug 2014 12:31:09 +0200 Subject: [PATCH] Allow user to force Kerberos realm during installation. User can set realm not matching one resolved from DNS. This is useful especially when DNS is missconfigured. https://fedorahosted.org/freeipa/ticket/ --- ipa-client/ipa-install/ipa-client-install | 2 +- ipa-client/ipaclient/ipadiscovery.py | 52 +++ 2 files changed, 33 insertions(+), 21 deletions(-) 
diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install index 08fefc86d31392e9abf66ee4f8fff54a88179795..4eb3b3b8dcf5e31f08e9895b33ca0419eaf2195a 100755 --- a/ipa-client/ipa-install/ipa-client-install +++ b/ipa-client/ipa-install/ipa-client-install @@ -2126,7 +2126,7 @@ def install(options, env, fstore, statestore): # Create the discovery instance ds = ipadiscovery.IPADiscovery() -ret = ds.search(domain=options.domain, servers=options.server, hostname=hostname, ca_cert_path=get_cert_path(options.ca_cert_file)) +ret = ds.search(domain=options.domain, servers=options.server, realm=options.realm_name, hostname=hostname, ca_cert_path=get_cert_path(options.ca_cert_file)) if options.server and ret != 0: # There is no point to continue with installation as server list was diff --git a/ipa-client/ipaclient/ipadiscovery.py b/ipa-client/ipaclient/ipadiscovery.py index 0532f618e81d215c4416f62f81af2add48c7dc8e..0d574825aa493a8d565afe30077b74aec03924a3 100644 --- a/ipa-client/ipaclient/ipadiscovery.py +++ b/ipa-client/ipaclient/ipadiscovery.py @@ -139,7 +139,7 @@ class IPADiscovery(object): domain = domain[p+1:] return (None, None) -def search(self, domain = , servers = , hostname=None, ca_cert_path=None): +def search(self, domain=, servers=, realm=None, hostname=None, ca_cert_path=None): Use DNS discovery to identify valid IPA servers. 
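Review bot: `options.realm_name` is handed to `ds.search()` unchecked, and the discovery side (next hunk) stores it verbatim as `self.realm` with source 'Forced', so whatever the user typed becomes the client's Kerberos realm before any server has confirmed it. Kerberos realm names are case-sensitive and conventionally upper-case; unless the option is already validated where it is parsed (not visible here), an empty, whitespace-only or lower-case value would be accepted silently and only fail much later. I would reject the degenerate cases before the call and warn on case, e.g. `if options.realm_name is not None and not options.realm_name.strip(): sys.exit("--realm must not be empty")` followed by `if options.realm_name and options.realm_name != options.realm_name.upper(): root_logger.warning("Realm %s is not upper-case", options.realm_name)`. `install()` starts and ends outside the hunk.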
@@ -218,13 +218,21 @@ class IPADiscovery(object): #search for kerberos root_logger.debug([Kerberos realm search]) -krb_realm, kdc = self.ipadnssearchkrb(self.domain) -if not servers and not krb_realm: +if realm: +root_logger.debug(Kerberos realm forced) +self.realm = realm +self.realm_source = 'Forced' +else: +realm = self.ipadnssearchkrbrealm() +self.realm = realm +self.realm_source = ( +'Discovered Kerberos DNS records from %s' % self.domain) + +if not servers and not realm: return REALM_NOT_FOUND -self.realm = krb_realm -self.kdc = kdc -self.realm_source = self.kdc_source = ( +self.kdc = self.ipadnssearchkrbkdc() +self.kdc_source = ( 'Discovered Kerberos DNS records from %s' % self.domain) # We may have received multiple servers corresponding to the domain @@ -452,11 +460,12 @@ class IPADiscovery(object): return servers -def ipadnssearchkrb(self, tdomain): +def ipadnssearchkrbrealm(self, domain=None): realm = None -kdc = None
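Review bot: In the forced-realm branch the KDC is still resolved from DNS under `self.domain` (`self.kdc = self.ipadnssearchkrbkdc()`), and nothing relates that SRV answer to the realm the user supplied, so forcing the realm does not lessen the reliance on the very DNS the commit message calls broken, and a mismatched or spoofed `_kerberos._udp` record is accepted silently with `kdc_source` still reporting it as discovered. This also quietly changes the non-forced path: the removed `ipadnssearchkrb()` looked the KDC up under `realm.lower()` (the `domain = realm.lower()` line dropped in a later hunk), whereas the new helper defaults to `self.domain`, which differs for deployments whose DNS domain is not the lower-cased realm. I would at least fall back to the realm-derived name when the domain lookup is empty: `self.kdc = self.ipadnssearchkrbkdc()` / `if not self.kdc and realm and realm.lower() != self.domain:` / `    self.kdc = self.ipadnssearchkrbkdc(realm.lower())`, and add a comment that a forced realm is unverified until the client actually authenticates against a server (presumably a later step, outside this hunk). `search()` starts and ends outside the hunk.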
Re: [Freeipa-devel] [PATCH] 0011 Allow user to force Kerberos realm during installation
Dne 5.9.2014 v 09:25 David Kupka napsal(a): On 09/04/2014 01:22 PM, Jan Cholasta wrote: Dne 4.9.2014 v 12:42 David Kupka napsal(a): On 09/03/2014 05:09 PM, Jan Cholasta wrote: Hi, Dne 27.8.2014 v 13:56 David Kupka napsal(a): Usually it isn't wise to allow something like this. But in environment with broken DNS (described in ticket) there is probably not many alternatives. https://fedorahosted.org/freeipa/ticket/ 1) I think you can log realm in search() as part of the Starting IPA discovery ... message instead of a separate message. 2) Also, no need to log the realm twice in search(). I forget to remove some redundant debug prints. 3) It looks like you forgot to un-indent some code in ipadnssearchkrbkdc(). Fixed, thanks. What I meant is that this: def ipadnssearchkrbkdc(self, domain=None): kdc = None if not domain: domain = self.domain kdc = self.ipadns_search_srv(domain, '_kerberos._udp', 88, break_on_first=False) if kdc: kdc = ','.join(kdc) else: root_logger.debug(SRV record for KDC not found! Domain: %s % domain) kdc = None return kdc should be this: def ipadnssearchkrbkdc(self, domain=None): if not domain: domain = self.domain kdc = self.ipadns_search_srv(domain, '_kerberos._udp', 88, break_on_first=False) if kdc: kdc = ','.join(kdc) else: root_logger.debug(SRV record for KDC not found! Domain: %s % domain) kdc = None return kdc Isn't that right? Oh, you're right, again :) Thanks. Honza ACK. -- Jan Cholasta ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 0011 Allow user to force Kerberos realm during installation
On 09/05/2014 02:44 PM, Jan Cholasta wrote: Dne 5.9.2014 v 09:25 David Kupka napsal(a): On 09/04/2014 01:22 PM, Jan Cholasta wrote: Dne 4.9.2014 v 12:42 David Kupka napsal(a): On 09/03/2014 05:09 PM, Jan Cholasta wrote: Hi, Dne 27.8.2014 v 13:56 David Kupka napsal(a): Usually it isn't wise to allow something like this. But in environment with broken DNS (described in ticket) there is probably not many alternatives. https://fedorahosted.org/freeipa/ticket/ 1) I think you can log realm in search() as part of the Starting IPA discovery ... message instead of a separate message. 2) Also, no need to log the realm twice in search(). I forget to remove some redundant debug prints. 3) It looks like you forgot to un-indent some code in ipadnssearchkrbkdc(). Fixed, thanks. What I meant is that this: def ipadnssearchkrbkdc(self, domain=None): kdc = None if not domain: domain = self.domain kdc = self.ipadns_search_srv(domain, '_kerberos._udp', 88, break_on_first=False) if kdc: kdc = ','.join(kdc) else: root_logger.debug(SRV record for KDC not found! Domain: %s % domain) kdc = None return kdc should be this: def ipadnssearchkrbkdc(self, domain=None): if not domain: domain = self.domain kdc = self.ipadns_search_srv(domain, '_kerberos._udp', 88, break_on_first=False) if kdc: kdc = ','.join(kdc) else: root_logger.debug(SRV record for KDC not found! Domain: %s % domain) kdc = None return kdc Isn't that right? Oh, you're right, again :) Thanks. Honza ACK. Pushed to: master: dc4bdd327a639877b7d4553810b69943d996 ipa-4-1: a28d9b8f0a87633ac298676f47eadf0d7dc31cfb ipa-4-0: 0e077319046b8f8089b7b8590fafb824df4b8077 -- PetrĀ³ ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 0011 Allow user to force Kerberos realm during installation
On 09/03/2014 05:09 PM, Jan Cholasta wrote: Hi, Dne 27.8.2014 v 13:56 David Kupka napsal(a): Usually it isn't wise to allow something like this. But in environment with broken DNS (described in ticket) there is probably not many alternatives. https://fedorahosted.org/freeipa/ticket/ 1) I think you can log realm in search() as part of the Starting IPA discovery ... message instead of a separate message. 2) Also, no need to log the realm twice in search(). I forget to remove some redundant debug prints. 3) It looks like you forgot to un-indent some code in ipadnssearchkrbkdc(). Fixed, thanks. Honza -- David Kupka From 0f86ce45975933311f327a29d8d26dc60b4b4d73 Mon Sep 17 00:00:00 2001 From: David Kupka dku...@redhat.com Date: Wed, 27 Aug 2014 12:31:09 +0200 Subject: [PATCH] Allow user to force Kerberos realm during installation. User can set realm not matching one resolved from DNS. This is useful especially when DNS is missconfigured. https://fedorahosted.org/freeipa/ticket/ --- ipa-client/ipa-install/ipa-client-install | 2 +- ipa-client/ipaclient/ipadiscovery.py | 42 --- 2 files changed, 28 insertions(+), 16 deletions(-) diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install index 08fefc86d31392e9abf66ee4f8fff54a88179795..4eb3b3b8dcf5e31f08e9895b33ca0419eaf2195a 100755 --- a/ipa-client/ipa-install/ipa-client-install +++ b/ipa-client/ipa-install/ipa-client-install @@ -2126,7 +2126,7 @@ def install(options, env, fstore, statestore): # Create the discovery instance ds = ipadiscovery.IPADiscovery() -ret = ds.search(domain=options.domain, servers=options.server, hostname=hostname, ca_cert_path=get_cert_path(options.ca_cert_file)) +ret = ds.search(domain=options.domain, servers=options.server, realm=options.realm_name, hostname=hostname, ca_cert_path=get_cert_path(options.ca_cert_file)) if options.server and ret != 0: # There is no point to continue with installation as server list was 
diff --git a/ipa-client/ipaclient/ipadiscovery.py b/ipa-client/ipaclient/ipadiscovery.py index 0532f618e81d215c4416f62f81af2add48c7dc8e..919b26695c13ad9b216c27f293f1207bf94bdff1 100644 --- a/ipa-client/ipaclient/ipadiscovery.py +++ b/ipa-client/ipaclient/ipadiscovery.py @@ -139,7 +139,7 @@ class IPADiscovery(object): domain = domain[p+1:] return (None, None) -def search(self, domain = , servers = , hostname=None, ca_cert_path=None): +def search(self, domain=, servers=, realm=None, hostname=None, ca_cert_path=None): Use DNS discovery to identify valid IPA servers. @@ -218,13 +218,21 @@ class IPADiscovery(object): #search for kerberos root_logger.debug([Kerberos realm search]) -krb_realm, kdc = self.ipadnssearchkrb(self.domain) -if not servers and not krb_realm: +if realm: +root_logger.debug(Kerberos realm forced) +self.realm = realm +self.realm_source = 'Forced' +else: +realm = self.ipadnssearchkrbrealm() +self.realm = realm +self.realm_source = ( +'Discovered Kerberos DNS records from %s' % self.domain) + +if not servers and not realm: return REALM_NOT_FOUND -self.realm = krb_realm -self.kdc = kdc -self.realm_source = self.kdc_source = ( +self.kdc = self.ipadnssearchkrbkdc() +self.kdc_source = ( 'Discovered Kerberos DNS records from %s' % self.domain) # We may have received multiple servers corresponding to the domain @@ -452,11 +460,12 @@ class IPADiscovery(object): return servers -def ipadnssearchkrb(self, tdomain): +def ipadnssearchkrbrealm(self, domain=None): realm = None -kdc = None +if not domain: +domain = self.domain # now, check for a Kerberos realm the local host or domain is in -qname = _kerberos. + tdomain +qname = _kerberos. + domain root_logger.debug(Search DNS for TXT record of %s, qname) 
@@ -472,18 +481,21 @@ class IPADiscovery(object): realm = answer.strings[0] if realm: break +return realm -if realm: -# now fetch server information for the realm -domain = realm.lower() +def ipadnssearchkrbkdc(self, domain=None): +kdc = None + +if not domain: +domain = self.domain kdc = self.ipadns_search_srv(domain, '_kerberos._udp', 88, -break_on_first=False) + break_on_first=False) if kdc: kdc = ','.join(kdc) else: -root_logger.debug(SRV record for KDC not found! Realm: %s, SRV record: %s % (realm, qname)) +root_logger.debug(SRV record
Re: [Freeipa-devel] [PATCH] 0011 Allow user to force Kerberos realm during installation
Dne 4.9.2014 v 12:42 David Kupka napsal(a): On 09/03/2014 05:09 PM, Jan Cholasta wrote: Hi, Dne 27.8.2014 v 13:56 David Kupka napsal(a): Usually it isn't wise to allow something like this. But in environment with broken DNS (described in ticket) there is probably not many alternatives. https://fedorahosted.org/freeipa/ticket/ 1) I think you can log realm in search() as part of the Starting IPA discovery ... message instead of a separate message. 2) Also, no need to log the realm twice in search(). I forget to remove some redundant debug prints. 3) It looks like you forgot to un-indent some code in ipadnssearchkrbkdc(). Fixed, thanks. What I meant is that this: def ipadnssearchkrbkdc(self, domain=None): kdc = None if not domain: domain = self.domain kdc = self.ipadns_search_srv(domain, '_kerberos._udp', 88, break_on_first=False) if kdc: kdc = ','.join(kdc) else: root_logger.debug(SRV record for KDC not found! Domain: %s % domain) kdc = None return kdc should be this: def ipadnssearchkrbkdc(self, domain=None): if not domain: domain = self.domain kdc = self.ipadns_search_srv(domain, '_kerberos._udp', 88, break_on_first=False) if kdc: kdc = ','.join(kdc) else: root_logger.debug(SRV record for KDC not found! Domain: %s % domain) kdc = None return kdc Isn't that right? Honza -- Jan Cholasta ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 0011 Allow user to force Kerberos realm during installation
Hi, Dne 27.8.2014 v 13:56 David Kupka napsal(a): Usually it isn't wise to allow something like this. But in environment with broken DNS (described in ticket) there is probably not many alternatives. https://fedorahosted.org/freeipa/ticket/ 1) I think you can log realm in search() as part of the Starting IPA discovery ... message instead of a separate message. 2) Also, no need to log the realm twice in search(). 3) It looks like you forgot to un-indent some code in ipadnssearchkrbkdc(). Honza -- Jan Cholasta ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
[Freeipa-devel] [PATCH] 0011 Allow user to force Kerberos realm during installation
Usually it isn't wise to allow something like this. But in environment with broken DNS (described in ticket) there is probably not many alternatives. https://fedorahosted.org/freeipa/ticket/ -- David Kupka From 6cfa293bffc03610bfc0391a96f0b95021f34c4e Mon Sep 17 00:00:00 2001 From: David Kupka dku...@redhat.com Date: Wed, 27 Aug 2014 12:31:09 +0200 Subject: [PATCH] Allow user to force Kerberos realm during installation. User can set realm not matching one resolved from DNS. This is useful especially when DNS is missconfigured. https://fedorahosted.org/freeipa/ticket/ --- ipa-client/ipa-install/ipa-client-install | 2 +- ipa-client/ipaclient/ipadiscovery.py | 42 --- 2 files changed, 29 insertions(+), 15 deletions(-) diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install index 08fefc86d31392e9abf66ee4f8fff54a88179795..4eb3b3b8dcf5e31f08e9895b33ca0419eaf2195a 100755 --- a/ipa-client/ipa-install/ipa-client-install +++ b/ipa-client/ipa-install/ipa-client-install @@ -2126,7 +2126,7 @@ def install(options, env, fstore, statestore): # Create the discovery instance ds = ipadiscovery.IPADiscovery() -ret = ds.search(domain=options.domain, servers=options.server, hostname=hostname, ca_cert_path=get_cert_path(options.ca_cert_file)) +ret = ds.search(domain=options.domain, servers=options.server, realm=options.realm_name, hostname=hostname, ca_cert_path=get_cert_path(options.ca_cert_file)) if options.server and ret != 0: # There is no point to continue with installation as server list was diff --git a/ipa-client/ipaclient/ipadiscovery.py b/ipa-client/ipaclient/ipadiscovery.py index 0532f618e81d215c4416f62f81af2add48c7dc8e..589ca7ca856c288f68e2152489db2d43e075afd9 100644 --- a/ipa-client/ipaclient/ipadiscovery.py +++ b/ipa-client/ipaclient/ipadiscovery.py 
@@ -139,7 +139,7 @@ class IPADiscovery(object): domain = domain[p+1:] return (None, None) -def search(self, domain = , servers = , hostname=None, ca_cert_path=None): +def search(self, domain = , servers = , realm=None, hostname=None, ca_cert_path=None): Use DNS discovery to identify valid IPA servers. @@ -148,6 +148,7 @@ class IPADiscovery(object): Returns a constant representing the overall search result. +root_logger.debug(realm provided: %s % realm) root_logger.debug([IPA Discovery]) root_logger.debug( 'Starting IPA discovery with domain=%s, servers=%s, hostname=%s', @@ -218,13 +219,22 @@ class IPADiscovery(object): #search for kerberos root_logger.debug([Kerberos realm search]) -krb_realm, kdc = self.ipadnssearchkrb(self.domain) -if not servers and not krb_realm: +root_logger.debug(realm provided: %s % realm) +if realm: +root_logger.debug(Kerberos realm forced) +self.realm = realm +self.realm_source = 'Forced' +else: +realm = self.ipadnssearchkrbrealm() +self.realm = realm +self.realm_source = ( +'Discovered Kerberos DNS records from %s' % self.domain) + +if not servers and not realm: return REALM_NOT_FOUND -self.realm = krb_realm -self.kdc = kdc -self.realm_source = self.kdc_source = ( +self.kdc = self.ipadnssearchkrbkdc() +self.kdc_source = ( 'Discovered Kerberos DNS records from %s' % self.domain) # We may have received multiple servers corresponding to the domain @@ -452,11 +462,12 @@ class IPADiscovery(object): return servers -def ipadnssearchkrb(self, tdomain): +def ipadnssearchkrbrealm(self, domain=None): realm = None -kdc = None +if not domain: +domain = self.domain # now, check for a Kerberos realm the local host or domain is in -qname = _kerberos. + tdomain +qname = _kerberos. + domain root_logger.debug(Search DNS for TXT record of %s, qname) 
@@ -472,10 +483,13 @@ class IPADiscovery(object): realm = answer.strings[0] if realm: break +return realm -if realm: -# now fetch server information for the realm -domain = realm.lower() +def ipadnssearchkrbkdc(self, domain=None): +kdc = None + +if not domain: +domain = self.domain kdc = self.ipadns_search_srv(domain, '_kerberos._udp', 88, break_on_first=False) @@ -483,7 +497,7 @@ class IPADiscovery(object): if kdc: kdc = ','.join(kdc) else: -root_logger.debug(SRV record for KDC not found! Realm: %s, SRV record: %s % (realm, qname)) +root_logger.debug(SRV record for KDC not found! Domain: %s % domain)