authorDavid Kupka <dkupka@redhat.com>2014-08-27 12:31:09 +0200
committerPetr Viktorin <pviktori@dhcp-31-13.brq.redhat.com>2014-09-05 14:50:36 +0200
commitdc4bdd327ffffa639877b7d4553810b69943d996 (patch)
tree138eb65ad7443e5561b6680ba83e30ef73807d88
parent6ad8c464a43260f8f58dc262f841c35be35b57b5 (diff)
Allow user to force Kerberos realm during installation.
The user can set a realm that does not match the one resolved from DNS. This is especially useful when DNS is misconfigured. https://fedorahosted.org/freeipa/ticket/4444 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
-rwxr-xr-xipa-client/ipa-install/ipa-client-install2
-rw-r--r--ipa-client/ipaclient/ipadiscovery.py52
2 files changed, 33 insertions, 21 deletions
diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install
index 30a532227..05adf0dad 100755
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@@ -2132,7 +2132,7 @@ def install(options, env, fstore, statestore):
# Create the discovery instance
ds = ipadiscovery.IPADiscovery()
- ret = ds.search(domain=options.domain, servers=options.server, hostname=hostname, ca_cert_path=get_cert_path(options.ca_cert_file))
+ ret = ds.search(domain=options.domain, servers=options.server, realm=options.realm_name, hostname=hostname, ca_cert_path=get_cert_path(options.ca_cert_file))
if options.server and ret != 0:
# There is no point to continue with installation as server list was
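Review bot: The forced realm is passed to `IPADiscovery.search()` verbatim as `options.realm_name`, and the discovery side (this same commit) stores it as `self.realm` without any normalisation, so a value typed as `example.com` would be used as the realm name as-is. Kerberos realm names are case-sensitive and conventionally upper-case; I cannot see the option handling from this hunk, so please confirm `--realm` is already upper-cased and validated there, or do it at the call site: `realm=options.realm_name.upper() if options.realm_name else None`. install() starts and ends outside the hunk.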
diff --git a/ipa-client/ipaclient/ipadiscovery.py b/ipa-client/ipaclient/ipadiscovery.py
index 0532f618e..0d574825a 100644
--- a/ipa-client/ipaclient/ipadiscovery.py
+++ b/ipa-client/ipaclient/ipadiscovery.py
@@ -139,7 +139,7 @@ class IPADiscovery(object):
domain = domain[p+1:]
return (None, None)
- def search(self, domain = "", servers = "", hostname=None, ca_cert_path=None):
+ def search(self, domain="", servers="", realm=None, hostname=None, ca_cert_path=None):
"""
Use DNS discovery to identify valid IPA servers.
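Review bot: The `search()` docstring is not updated for the new `realm` keyword, so readers still assume the realm always comes from DNS. After the first sentence add a short parameter note such as `realm: if given, the _kerberos TXT lookup is skipped and this value is used as the Kerberos realm unchanged (realm_source is set to 'Forced').` The docstring and the method body continue past the hunk.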
@@ -218,13 +218,21 @@ class IPADiscovery(object):
#search for kerberos
root_logger.debug("[Kerberos realm search]")
- krb_realm, kdc = self.ipadnssearchkrb(self.domain)
- if not servers and not krb_realm:
+ if realm:
+ root_logger.debug("Kerberos realm forced")
+ self.realm = realm
+ self.realm_source = 'Forced'
+ else:
+ realm = self.ipadnssearchkrbrealm()
+ self.realm = realm
+ self.realm_source = (
+ 'Discovered Kerberos DNS records from %s' % self.domain)
+
+ if not servers and not realm:
return REALM_NOT_FOUND
- self.realm = krb_realm
- self.kdc = kdc
- self.realm_source = self.kdc_source = (
+ self.kdc = self.ipadnssearchkrbkdc()
+ self.kdc_source = (
'Discovered Kerberos DNS records from %s' % self.domain)
# We may have received multiple servers corresponding to the domain
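Review bot: In the forced-realm branch `self.kdc` is still taken from `ipadnssearchkrbkdc()`, which queries `_kerberos._udp` under `self.domain`, so the KDC is picked from the very DNS zone the user is overriding and nothing ties it to the forced realm, while `kdc_source` still reports it as discovered Kerberos records for that domain. The old code looked the SRV records up under `realm.lower()`, which at least derived the lookup domain from the realm in use; now a misconfigured zone can pair a forced realm with a KDC serving a different one. At minimum make this visible in the forced branch, e.g. `root_logger.debug("Realm forced to %s; KDC will be discovered from DNS domain %s, which may serve a different realm", realm, self.domain)`, or consider calling `self.ipadnssearchkrbkdc(realm.lower())` when the realm is forced to keep the earlier realm-derived lookup. The `else` branch also sets `realm_source` to "Discovered" even when `realm` is None, so a missing TXT record leaves a misleading source string; guard that assignment on `realm`. search() starts and ends outside the hunk.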
@@ -452,11 +460,12 @@ class IPADiscovery(object):
return servers
- def ipadnssearchkrb(self, tdomain):
+ def ipadnssearchkrbrealm(self, domain=None):
realm = None
- kdc = None
+ if not domain:
+ domain = self.domain
# now, check for a Kerberos realm the local host or domain is in
- qname = "_kerberos." + tdomain
+ qname = "_kerberos." + domain
root_logger.debug("Search DNS for TXT record of %s", qname)
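Review bot: `ipadnssearchkrbrealm` is a new method without a docstring, and its `domain=None` default is resolved with `if not domain`, so an explicit empty string also silently falls back to `self.domain`. Suggest a docstring directly under the `def`, such as `"""Return the Kerberos realm advertised by the _kerberos.<domain> TXT record, or None if not found; domain defaults to self.domain."""`, and `if domain is None:` if the empty-string fallback is not intended. The method body continues in the next hunk.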
@@ -472,18 +481,21 @@ class IPADiscovery(object):
realm = answer.strings[0]
if realm:
break
+ return realm
- if realm:
- # now fetch server information for the realm
- domain = realm.lower()
+ def ipadnssearchkrbkdc(self, domain=None):
+ kdc = None
- kdc = self.ipadns_search_srv(domain, '_kerberos._udp', 88,
- break_on_first=False)
+ if not domain:
+ domain = self.domain
- if kdc:
- kdc = ','.join(kdc)
- else:
- root_logger.debug("SRV record for KDC not found! Realm: %s, SRV record: %s" % (realm, qname))
- kdc = None
+ kdc = self.ipadns_search_srv(domain, '_kerberos._udp', 88,
+ break_on_first=False)
+
+ if kdc:
+ kdc = ','.join(kdc)
+ else:
+ root_logger.debug("SRV record for KDC not found! Domain: %s" % domain)
+ kdc = None
- return realm, kdc
+ return kdc
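Review bot: The not-found debug call formats its message eagerly with `%`, unlike the `root_logger.debug("Search DNS for TXT record of %s", qname)` call in the sibling method; use lazy logger arguments for consistency: `root_logger.debug("SRV record for KDC not found! Domain: %s", domain)`. The `kdc = None` initialisation at the top of the method is dead, since `kdc` is unconditionally reassigned from `ipadns_search_srv`; the later `kdc = None` that normalises an empty result is the one that matters. A docstring would also help, e.g. `"""Return a comma-joined list of KDCs from the _kerberos._udp SRV records of domain (default self.domain), or None."""`.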