author | Simo Sorce <ssorce@redhat.com> | 2008-03-30 20:00:43 -0400 |
committer | Simo Sorce <ssorce@redhat.com> | 2008-03-30 20:00:43 -0400 |
commit | 9d80ec5daf69f977005052b5c691dd3310dc6a99 (patch) | |
tree | fb583fc09044d91ac8d44e38b77df00ad5e7ffb7 /ipa-server | |
parent | 6340de3fb86b5036870612f69b7db35e52427b06 (diff) | |
Better check for the IPA Server's own address: avoid manually parsing /etc/hosts by
using nsswitch calls that read it and also take into account any other name
resolution mechanism that might be installed (like NIS lol :-).
This should also make the check support IPv6 transparently (not tested).
Diffstat (limited to 'ipa-server')
-rw-r--r-- | ipa-server/ipaserver/installutils.py | 90 |
1 files changed, 54 insertions, 36 deletions
diff --git a/ipa-server/ipaserver/installutils.py b/ipa-server/ipaserver/installutils.py
index c261e530..2624ae14 100644
--- a/ipa-server/ipaserver/installutils.py
+++ b/ipa-server/ipaserver/installutils.py
@@ -43,58 +43,76 @@ def get_fqdn():
 fqdn = ""
 return fqdn
-def reverse_ip(ipaddr):
- i = ipaddr.split('.')
- i.reverse()
- return '.'.join(i)
-
 def verify_fqdn(host_name):
+
 if len(host_name.split(".")) < 2 or host_name == "localhost.localdomain":
 raise RuntimeError("Invalid hostname: " + host_name)
+ try:
+ hostaddr = socket.getaddrinfo(host_name, None)
+ except:
+ raise RuntimeError("Unable to resolve host name, check /etc/hosts or DNS name resolution")
+
+ if len(hostaddr) == 0:
+ raise RuntimeError("Unable to resolve host name, check /etc/hosts or DNS name resolution")
+
+ for a in hostaddr:
+ if a[4][0] == '127.0.0.1' or a[4][0] == '::1':
+ raise RuntimeError("The IPA Server hostanme cannot resolve to localhost (%s), a routable IP address must be used." % a[4][0])
+ try:
+ revname = socket.gethostbyaddr(a[4][0])[0]
+ except:
+ raise RuntimeError("Unable to resolve the reverse ip address, check /etc/hosts or DNS name resolution")
+ if revname != host_name:
+ raise RuntimeError("The host name %s does not match the reverse lookup %s" % (host_name, revname))
+
+ # Verify this is NOT a CNAME
+ rs = dnsclient.query(host_name+".", dnsclient.DNS_C_IN, dnsclient.DNS_T_CNAME)
+ if len(rs) != 0:
+ for rsn in rs:
+ if rsn.dns_type == dnsclient.DNS_T_CNAME:
+ raise RuntimeError("The IPA Server Hostname cannot be a CNAME, only A names are allowed.")
+
 # Verify that it is a DNS A record
 rs = dnsclient.query(host_name+".", dnsclient.DNS_C_IN, dnsclient.DNS_T_A)
 if len(rs) == 0:
- raise RuntimeError("hostname %s is not found or is not a DNS A record" % host_name)
+ print "Warning: Hostname (%s) not found in DNS" % host_name
+ return
+
+ rec = None
+ for rsn in rs:
+ if rsn.dns_type == dnsclient.DNS_T_A:
+ rec = rsn
+ break
+
+ if rec == None:
+ print "Warning: Hostname (%s) not found in DNS" % host_name
+ return
 # Compare the forward and reverse
- forward = rs[0].dns_name
+ forward = rec.dns_name
- addr = socket.inet_ntoa(struct.pack('=L',rs[0].rdata.address))
- addr = addr + ".in-addr.arpa."
+ addr = socket.inet_ntoa(struct.pack('<L',rec.rdata.address))
+ ipaddr = socket.inet_ntoa(struct.pack('!L',rec.rdata.address))
+ addr = addr + ".in-addr.arpa."
 rs = dnsclient.query(addr, dnsclient.DNS_C_IN, dnsclient.DNS_T_PTR)
 if len(rs) == 0:
- raise RuntimeError("Cannot find PTR record for %s" % addr)
- reverse = rs[0].rdata.ptrdname
+ raise RuntimeError("Cannot find Reverse Address for %s (%s)" % (host_name, addr))
- if forward != reverse:
- raise RuntimeError("The DNS forward record %s does not match the reverse lookup %s" % (forward, reverse))
+ rev = None
+ for rsn in rs:
+ if rsn.dns_type == dnsclient.DNS_T_PTR:
+ rev = rsn
+ break
- # Look in /etc/hosts for this IP
- try:
- fd = open("/etc/hosts", "r")
- except:
- raise RuntimeError("Unable to open /etc/hosts for reading. Check file permissions.")
-
- p = re.compile('([a-zA-Z0-9\.:]+)\s+([a-zA-Z0-9\.\-]+)')
- while True:
- line = fd.readline()
- if not line: break
- if len(line) > 0 and line[0] == "#":
- continue
- m = p.match(line)
- hname = None
- try:
- if m.group(1) == ipaddr:
- hname = m.group(2) + "."
- except:
- pass
- if hname and hname != forward:
- fd.close()
- raise RuntimeError("The IP address in /etc/hosts defines the hostname as '%s' but DNS says it is '%s'. The fully-qualified hostname needs to appear on the list first in /etc/hosts" % (hname, forward))
+ if rev == None:
+ raise RuntimeError("Cannot find Reverse Address for %s (%s)" % (host_name, addr))
- fd.close()
+ reverse = rev.rdata.ptrdname
+
+ if forward != reverse:
+ raise RuntimeError("The DNS forward record %s does not match the reverse address %s" % (forward, reverse))
 def port_available(port):
 """Try to bind to a port on the wildcard host |
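Review bot: The loopback test in the new `for a in hostaddr:` loop only matches the literal strings '127.0.0.1' and '::1', so a hostname that resolves to any other 127/8 address (127.0.1.1 is a common /etc/hosts entry) or to the IPv4-mapped form ::ffff:127.0.0.1 passes the very check this commit adds; a prefix test such as `if a[4][0].startswith('127.') or a[4][0] == '::1' or a[4][0].startswith('::ffff:127.'):` closes that gap. The two bare `except:` clauses around `socket.getaddrinfo` and `socket.gethostbyaddr` also swallow KeyboardInterrupt and SystemExit; `except socket.error:` (which gaierror and herror subclass) keeps the same user-facing messages while letting those propagate. `ipaddr` is still computed with `'!L'` but is no longer read now that the /etc/hosts scan is gone, so it can be dropped, and the `'<L'` pack that builds `addr` deserves a comment such as `# '<L' emits the octets in reverse order, the form in-addr.arpa expects` (presumably rdata.address is a host-order integer; confirm). The `revname != host_name` and `forward != reverse` comparisons are case-sensitive although DNS names are not, so comparing `.lower()` forms would avoid a spurious failure when the resolver returns a differently-cased name.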