Require that service principals resolve to a DNS A record.

There is a --force option for those who know what they are doing.

433483

3 files changed, 9 insertions, 4 deletions

diff --git a/ipa-python/ipaclient.py b/ipa-python/ipaclient.py
index 83cdf0e6b..b685be38c 100644
--- a/ipa-python/ipaclient.py
+++ b/ipa-python/ipaclient.py
@@ -381,8 +381,8 @@ class IPAClient:
         result = self.transport.update_password_policy(policy.origDataDict(), policy.toDict())
         return result
 
-    def add_service_principal(self, princ_name):
-        return self.transport.add_service_principal(princ_name)
+    def add_service_principal(self, princ_name, force):
+        return self.transport.add_service_principal(princ_name, force)
 
     def delete_service_principal(self, principal_dn):
         return self.transport.delete_service_principal(principal_dn)
diff --git a/ipa-python/ipaerror.py b/ipa-python/ipaerror.py
index 570cbb938..c5ed7e778 100644
--- a/ipa-python/ipaerror.py
+++ b/ipa-python/ipaerror.py
@@ -143,6 +143,11 @@ INPUT_SAME_GROUP = gen_error_code(
         0x0002,
         "You can't add a group to itself")
 
+INPUT_NOT_DNS_A_RECORD = gen_error_code(
+        INPUT_CATEGORY,
+        0x0003,
+        "The requested hostname is not a DNS A record. This is required by Kerberos.")
+
 #
 # Connection errors
 #
diff --git a/ipa-python/rpcclient.py b/ipa-python/rpcclient.py
index 2359c5d65..c3835568f 100644
--- a/ipa-python/rpcclient.py
+++ b/ipa-python/rpcclient.py
@@ -704,11 +704,11 @@ class RPCClient:
 
         return ipautil.unwrap_binary_data(result)
 
-    def add_service_principal(self, princ_name):
+    def add_service_principal(self, princ_name, force):
         server = self.setup_server()
     
         try:
-            result = server.add_service_principal(princ_name)
+            result = server.add_service_principal(princ_name, force)
         except xmlrpclib.Fault, fault:
             raise ipaerror.gen_exception(fault.faultCode, fault.faultString)
         except socket.error, (value, msg):