authorMartin Kosek <mkosek@redhat.com>2013-03-14 10:30:32 +0100
committerRob Crittenden <rcritten@redhat.com>2013-03-14 10:50:24 -0400
commit7a2d3804af8e477cf8bfcc36eed78b72c8d8c980 (patch)
tree988b9d15c16861d52f361123f5fa499b99ff54d5
parentca6f7f24509de8aa6346f847a3647c582cb913b4 (diff)
Use tkey-gssapi-keytab in named.conf
Remove the obsolete BIND GSSAPI configuration options tkey-gssapi-credential and tkey-domain and replace them with tkey-gssapi-keytab. The old options make BIND perform unnecessary Kerberos checks on startup, which can cause issues when the KDC is not available. Both new and current IPA installations are updated. https://fedorahosted.org/freeipa/ticket/3429
-rw-r--r--install/share/bind.named.conf.template3
-rw-r--r--install/tools/ipa-upgradeconfig69
2 files changed, 69 insertions, 3 deletions
diff --git a/install/share/bind.named.conf.template b/install/share/bind.named.conf.template
index 9fdd91319..b12df593a 100644
--- a/install/share/bind.named.conf.template
+++ b/install/share/bind.named.conf.template
@@ -14,8 +14,7 @@ options {
// Any host is permitted to issue recursive queries
allow-recursion { any; };
- tkey-gssapi-credential "DNS/$FQDN";
- tkey-domain "$REALM";
+ tkey-gssapi-keytab "/etc/named.keytab";
};
/* If you want to enable debugging, eg. using the 'rndc trace' command,
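Review bot: The added `tkey-gssapi-keytab` line drops the explicit `DNS/$FQDN` principal that the removed `tkey-gssapi-credential` line pinned, so which identity named accepts GSS-TSIG requests for is now determined solely by what is in /etc/named.keytab; if that keytab ever holds more than the DNS service key, those extra principals presumably become acceptable too. The template should record that expectation so a later change to keytab provisioning does not silently widen it, e.g. `// GSS-TSIG (TKEY) credentials: the keytab must hold only the DNS/$FQDN key and be readable solely by the named user`. The `options {` block this hunk edits starts outside the hunk.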
diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig
index 9bd706ad0..f310ff76d 100644
--- a/install/tools/ipa-upgradeconfig
+++ b/install/tools/ipa-upgradeconfig
@@ -451,6 +451,72 @@ def named_enable_serial_autoincrement():
return changed
+def named_update_gssapi_configuration():
+ """
+ Update GSSAPI configuration in named.conf to a recent API.
+ tkey-gssapi-credential and tkey-domain is replaced with tkey-gssapi-keytab.
+ Details can be found in https://fedorahosted.org/freeipa/ticket/3429.
+
+ When some change in named.conf is done, this functions returns True
+ """
+
+ root_logger.info('[Updating GSSAPI configuration in DNS]')
+
+ if not bindinstance.named_conf_exists():
+ # DNS service may not be configured
+ root_logger.info('DNS is not configured')
+ return False
+
+ if sysupgrade.get_upgrade_state('named.conf', 'gssapi_updated'):
+ root_logger.debug('Skip GSSAPI configuration check')
+ return False
+
+ try:
+ gssapi_keytab = bindinstance.named_conf_get_directive('tkey-gssapi-keytab',
+ bindinstance.NAMED_SECTION_OPTIONS)
+ except IOError, e:
+ root_logger.error('Cannot retrieve tkey-gssapi-keytab option from %s: %s',
+ bindinstance.NAMED_CONF, e)
+ return False
+ else:
+ if gssapi_keytab:
+ root_logger.debug('GSSAPI configuration already updated')
+ sysupgrade.set_upgrade_state('named.conf', 'gssapi_updated', True)
+ return False
+
+ try:
+ tkey_credential = bindinstance.named_conf_get_directive('tkey-gssapi-credential',
+ bindinstance.NAMED_SECTION_OPTIONS)
+ tkey_domain = bindinstance.named_conf_get_directive('tkey-domain',
+ bindinstance.NAMED_SECTION_OPTIONS)
+ except IOError, e:
+ root_logger.error('Cannot retrieve tkey-gssapi-credential option from %s: %s',
+ bindinstance.NAMED_CONF, e)
+ return False
+
+ if not tkey_credential or not tkey_domain:
+ root_logger.error('Either tkey-gssapi-credential or tkey-domain is missing in %s. '
+ 'Skip update.', bindinstance.NAMED_CONF)
+ return False
+
+ try:
+ bindinstance.named_conf_set_directive('tkey-gssapi-credential', None,
+ bindinstance.NAMED_SECTION_OPTIONS)
+ bindinstance.named_conf_set_directive('tkey-domain', None,
+ bindinstance.NAMED_SECTION_OPTIONS)
+ bindinstance.named_conf_set_directive('tkey-gssapi-keytab', '/etc/named.keytab',
+ bindinstance.NAMED_SECTION_OPTIONS)
+ except IOError, e:
+ root_logger.error('Cannot update GSSAPI configuration in %s: %s',
+ bindinstance.NAMED_CONF, e)
+ return False
+ else:
+ root_logger.debug('GSSAPI configuration updated')
+
+ sysupgrade.set_upgrade_state('named.conf', 'gssapi_updated', True)
+ return True
+
+
def enable_certificate_renewal(ca):
"""
If the CA subsystem certificates are not being tracked for renewal then
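Review bot: The three `named_conf_set_directive` writes at the end of named_update_gssapi_configuration are not atomic, and their order leaves named.conf with no GSS-TSIG directive at all if the third call fails after the two removals succeeded; on the next run the "is missing" check then logs an error and skips, so the broken state is never repaired. Writing the new directive first and removing the old ones afterwards keeps a usable configuration at every step, assuming BIND tolerates a transient overlap of both forms: move `bindinstance.named_conf_set_directive('tkey-gssapi-keytab', '/etc/named.keytab', bindinstance.NAMED_SECTION_OPTIONS)` ahead of the two `None` writes. Separately, the literal `/etc/named.keytab` is duplicated between this function and the named.conf template; a shared constant in bindinstance would keep them in step. The message in the second `except IOError` names only tkey-gssapi-credential although the tkey-domain lookup sits in the same try.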
@@ -741,7 +807,8 @@ def main():
add_server_cname_records()
changed_psearch = named_enable_psearch()
changed_autoincrement = named_enable_serial_autoincrement()
- if changed_psearch or changed_autoincrement:
+ changed_gssapi_conf = named_update_gssapi_configuration()
+ if changed_psearch or changed_autoincrement or changed_gssapi_conf:
# configuration has changed, restart the name server
root_logger.info('Changes to named.conf have been made, restart named')
bind = bindinstance.BindInstance(fstore)
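Review bot: The new flag `changed_gssapi_conf` breaks the `changed_<feature>` naming used by its two siblings on the lines above; `changed_gssapi` would match. With three flags the condition also reads better as `if any((changed_psearch, changed_autoincrement, changed_gssapi)):`, which scales as further named.conf migrations are added. main() continues outside the hunk.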