From d6d12e9dc597d6637ae49057a44b51476ff876b0 Mon Sep 17 00:00:00 2001
From: Rob Crittenden
Date: Tue, 26 Feb 2008 13:51:56 -0500
Subject: Require that service principals resolve to a DNS A record.

There is a --force option for those who know what they are doing.

433483
---
 ipa-server/xmlrpc-server/funcs.py | 23 +++++++++++++++++++++--
 1 file changed, 21 insertions(+), 2 deletions(-)

(limited to 'ipa-server/xmlrpc-server/funcs.py')

diff --git a/ipa-server/xmlrpc-server/funcs.py b/ipa-server/xmlrpc-server/funcs.py
index 37523308f..a2031eca9 100644
--- a/ipa-server/xmlrpc-server/funcs.py
+++ b/ipa-server/xmlrpc-server/funcs.py
@@ -30,6 +30,7 @@ from ipa import ipaerror
 from ipa import ipautil
 from urllib import quote,unquote
 from ipa import radius_util
+from ipa import dnsclient
 import string
 from types import *
 
@@ -1702,12 +1703,30 @@ class IPAServer:
         except ipaerror.exception_for(ipaerror.LDAP_NOT_FOUND):
             return True
 
-    def add_service_principal(self, name, opts=None):
+    def add_service_principal(self, name, force, opts=None):
         """Given a name of the form: service/FQDN create a service
-           principal for it in the default realm."""
+           principal for it in the default realm.
+
+           Ensure that the principal points at a DNS A record so it will
+           work with Kerberos unless force is set to 1"""
         if not name:
             raise ipaerror.gen_exception(ipaerror.INPUT_INVALID_PARAMETER)
 
+        try:
+            f = int(force)
+        except ValueError:
+            f = 1
+        logging.debug("IPA: add service principal %s (%d)" % (name, f))
+
+        if not f:
+            fqdn = name + "."
+            rs = dnsclient.query(fqdn, dnsclient.DNS_C_IN, dnsclient.DNS_T_A)
+            if len(rs) == 0:
+                logging.debug("IPA: DNS A record lookup failed for %s" % name)
+                raise ipaerror.gen_exception(ipaerror.INPUT_NOT_DNS_A_RECORD)
+            else:
+                logging.debug("IPA: found %d records for %s" % (len(rs), name))
+
         service_container = DefaultServiceContainer
 
         # Don't let the user set the realm
-- 
cgit
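Review bot: The `except ValueError: f = 1` fallback in add_service_principal fails open: a force value that does not parse as an integer (for example the string "no" arriving over XML-RPC) silently disables the DNS check this commit introduces, while a `None` value raises an uncaught TypeError instead of going through the fallback at all. Rejecting an unparsable value keeps the default on the safe side: `except (ValueError, TypeError): raise ipaerror.gen_exception(ipaerror.INPUT_INVALID_PARAMETER)`. The docstring states that name has the form service/FQDN, yet the lookup queries `name + "."` as a whole; if that description is accurate the A query includes the service prefix and can never match, so the host part should be extracted before the query — the remainder of the function, which may already normalise name, is outside the hunk. Querying only DNS_T_A also means an IPv6-only host is refused unless force is given, which the docstring should say.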