-rw-r--r--ipa-admintools/ipa-addservice9
-rw-r--r--ipa-admintools/man/ipa-addservice.19
-rw-r--r--ipa-python/ipaclient.py4
-rw-r--r--ipa-python/ipaerror.py5
-rw-r--r--ipa-python/rpcclient.py4
-rw-r--r--ipa-server/ipa-gui/ipagui/subcontrollers/principal.py2
-rw-r--r--ipa-server/xmlrpc-server/funcs.py23
7 files changed, 45 insertions, 11 deletions
diff --git a/ipa-admintools/ipa-addservice b/ipa-admintools/ipa-addservice
index fd94038fe..24e92ce46 100644
--- a/ipa-admintools/ipa-addservice
+++ b/ipa-admintools/ipa-addservice
@@ -36,12 +36,17 @@ import getpass
import errno
def usage():
- print "ipa-addservice principal"
+ print "ipa-addservice [--force] principal"
sys.exit(1)
def parse_options():
parser = OptionParser()
+ parser.add_option("--force", action="store_true", default=False,
+ help="Force a service principal name")
+ parser.add_option("--usage", action="store_true",
+ help="Program usage")
+
args = ipa.config.init_config(sys.argv)
options, args = parser.parse_args(args)
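Review bot: The `--force` help string on the new add_option line does not say what is being forced, while the man page in this same commit says the flag waives the DNS A record requirement; make the CLI say the same, `help="Skip the check that the hostname resolves to a DNS A record"`. The new `--usage` option has no `default=False`, so `options.usage` is `None` when the flag is omitted — harmless for a truthiness test, but `default=False` would keep it in line with `--force`. parse_options continues past the end of the hunk, so whether `options.usage` is acted on is not visible here.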
@@ -60,7 +65,7 @@ def main():
client = ipaclient.IPAClient()
try:
- client.add_service_principal(princ_name)
+ client.add_service_principal(princ_name, "%d" % options.force)
except Exception, e:
print str(e)
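Review bot: The new call sends the force flag as the string `"%d" % options.force`, while the GUI controller changed in this same commit passes a bare int, so the server sees two different types for the same argument. Pass the integer directly, `client.add_service_principal(princ_name, int(options.force))`, and let the transport marshal it; that is also the form the server-side `int(force)` parse expects. main begins before the hunk and the generic `except Exception` handler is pre-existing.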
diff --git a/ipa-admintools/man/ipa-addservice.1 b/ipa-admintools/man/ipa-addservice.1
index 4e3060fcc..f680db28e 100644
--- a/ipa-admintools/man/ipa-addservice.1
+++ b/ipa-admintools/man/ipa-addservice.1
@@ -21,8 +21,7 @@
ipa\-addservice \- Add a service principal
.SH "SYNOPSIS"
-ipa\-addservice \fIprincipal\fR
-
+ipa\-addservice [\fIOPTION\fR]... \fIprincipal\fR
.SH "DESCRIPTION"
Adds a service principal \fIprincipal\fR.
@@ -42,6 +41,12 @@ rpc
snmp
The IPA server automatically appends the Kerberos realm for which it is configured. You cannot specify a different realm.
+
+The hostname must resolve to a DNS A record in order to ensure that it will work with Kerberos. Use the \-\-force flag to force the creation of a principal.
+.SH "OPTIONS"
+.TP
+\fB\-\-force\fR
+Force the creation of the given principal name.
.SH "EXAMPLES"
.TP
ipa\-addservice HTTP/www.example.com
diff --git a/ipa-python/ipaclient.py b/ipa-python/ipaclient.py
index 83cdf0e6b..b685be38c 100644
--- a/ipa-python/ipaclient.py
+++ b/ipa-python/ipaclient.py
@@ -381,8 +381,8 @@ class IPAClient:
result = self.transport.update_password_policy(policy.origDataDict(), policy.toDict())
return result
- def add_service_principal(self, princ_name):
- return self.transport.add_service_principal(princ_name)
+ def add_service_principal(self, princ_name, force):
+ return self.transport.add_service_principal(princ_name, force)
def delete_service_principal(self, principal_dn):
return self.transport.delete_service_principal(principal_dn)
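Review bot: `force` is added as a required positional parameter on the new signature, so any caller of `add_service_principal` that this commit did not update now fails with a TypeError. Giving it a fail-closed default, `def add_service_principal(self, princ_name, force=0):`, keeps existing callers working and means an unmodified caller gets the DNS check rather than bypassing it. The class body continues on both sides of the hunk.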
diff --git a/ipa-python/ipaerror.py b/ipa-python/ipaerror.py
index 570cbb938..c5ed7e778 100644
--- a/ipa-python/ipaerror.py
+++ b/ipa-python/ipaerror.py
@@ -143,6 +143,11 @@ INPUT_SAME_GROUP = gen_error_code(
0x0002,
"You can't add a group to itself")
+INPUT_NOT_DNS_A_RECORD = gen_error_code(
+ INPUT_CATEGORY,
+ 0x0003,
+ "The requested hostname is not a DNS A record. This is required by Kerberos.")
+
#
# Connection errors
#
diff --git a/ipa-python/rpcclient.py b/ipa-python/rpcclient.py
index 2359c5d65..c3835568f 100644
--- a/ipa-python/rpcclient.py
+++ b/ipa-python/rpcclient.py
@@ -704,11 +704,11 @@ class RPCClient:
return ipautil.unwrap_binary_data(result)
- def add_service_principal(self, princ_name):
+ def add_service_principal(self, princ_name, force):
server = self.setup_server()
try:
- result = server.add_service_principal(princ_name)
+ result = server.add_service_principal(princ_name, force)
except xmlrpclib.Fault, fault:
raise ipaerror.gen_exception(fault.faultCode, fault.faultString)
except socket.error, (value, msg):
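Review bot: `force` is forwarded to the XML-RPC server exactly as the caller supplied it, and the two callers in this commit supply different types (a formatted string from the CLI, an int from the GUI). Normalising it once here, `result = server.add_service_principal(princ_name, int(force))`, gives the server a single representation to validate and turns an unparsable value into a local ValueError instead of a remote decision. The method's exception handling continues past the end of the hunk.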
diff --git a/ipa-server/ipa-gui/ipagui/subcontrollers/principal.py b/ipa-server/ipa-gui/ipagui/subcontrollers/principal.py
index d7b25d8c3..28a221fb1 100644
--- a/ipa-server/ipa-gui/ipagui/subcontrollers/principal.py
+++ b/ipa-server/ipa-gui/ipagui/subcontrollers/principal.py
@@ -96,7 +96,7 @@ class PrincipalController(IPAController):
# The realm is added by add_service_principal
principal_name = utf8_encode_values(service + "/" + kw.get('hostname'))
- rv = client.add_service_principal(principal_name)
+ rv = client.add_service_principal(principal_name, 0)
except ipaerror.exception_for(ipaerror.LDAP_DUPLICATE):
turbogears.flash("Service principal '%s' already exists" %
principal_name)
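Review bot: The GUI now always passes `0`, so the server's new DNS A record check applies to every principal added from the web UI, but the only handler visible in this hunk catches `LDAP_DUPLICATE`; the new `INPUT_NOT_DNS_A_RECORD` error will fall through to whatever handlers follow, which are outside the hunk. Add a dedicated branch so the user sees why the add failed, e.g. `except ipaerror.exception_for(ipaerror.INPUT_NOT_DNS_A_RECORD): turbogears.flash("Hostname in '%s' does not resolve to a DNS A record" % principal_name)`, finishing the way the duplicate branch does. The try block starts before the hunk.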
diff --git a/ipa-server/xmlrpc-server/funcs.py b/ipa-server/xmlrpc-server/funcs.py
index 37523308f..a2031eca9 100644
--- a/ipa-server/xmlrpc-server/funcs.py
+++ b/ipa-server/xmlrpc-server/funcs.py
@@ -30,6 +30,7 @@ from ipa import ipaerror
from ipa import ipautil
from urllib import quote,unquote
from ipa import radius_util
+from ipa import dnsclient
import string
from types import *
@@ -1702,12 +1703,30 @@ class IPAServer:
except ipaerror.exception_for(ipaerror.LDAP_NOT_FOUND):
return True
- def add_service_principal(self, name, opts=None):
+ def add_service_principal(self, name, force, opts=None):
"""Given a name of the form: service/FQDN create a service
- principal for it in the default realm."""
+ principal for it in the default realm.
+
+ Ensure that the principal points at a DNS A record so it will
+ work with Kerberos unless force is set to 1"""
if not name:
raise ipaerror.gen_exception(ipaerror.INPUT_INVALID_PARAMETER)
+ try:
+ f = int(force)
+ except ValueError:
+ f = 1
+ logging.debug("IPA: add service principal %s (%d)" % (name, f))
+
+ if not f:
+ fqdn = name + "."
+ rs = dnsclient.query(fqdn, dnsclient.DNS_C_IN, dnsclient.DNS_T_A)
+ if len(rs) == 0:
+ logging.debug("IPA: DNS A record lookup failed for %s" % name)
+ raise ipaerror.gen_exception(ipaerror.INPUT_NOT_DNS_A_RECORD)
+ else:
+ logging.debug("IPA: found %d records for %s" % (len(rs), name))
+
service_container = DefaultServiceContainer
# Don't let the user set the realm
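Review bot: The `except ValueError: f = 1` fallback at the top of the new block fails open — any client that sends a non-numeric `force` (for example `"yes"`) skips the DNS check entirely, and `int(None)` raises TypeError, which is not caught at all. Treat an unparsable value as bad input rather than as force: `except (ValueError, TypeError): raise ipaerror.gen_exception(ipaerror.INPUT_INVALID_PARAMETER)`. Separately, the docstring says `name` has the form `service/FQDN`, yet the lookup queries `name + "."` whole, so the A record is requested for `HTTP/www.example.com.` rather than for the host; take the host part first, `hostname = name.split("/", 1)[-1]`, and query `hostname + "."`. The check also accepts only A records, so an IPv6-only host always needs force — worth stating in the docstring. add_service_principal continues past the end of the hunk.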