author | Stephen Gallagher <sgallagh@redhat.com> | 2012-01-13 08:45:27 -0500 |
---|---|---|
committer | Stephen Gallagher <sgallagh@redhat.com> | 2012-01-17 08:32:28 -0500 |
commit | 2be3039b8fc8ec07a323d15060123366da786dc5 (patch) | |
tree | 5291f19977f5fcf4951254582cae8964195310ed /src | |
parent | ef479645b5e038a0e06d7d10b3c924227deafa52 (diff) | |
IPA: Detect nsupdate support for the realm directive
For older platforms, do not add the 'realm' line in
the update message
Diffstat (limited to 'src')
-rw-r--r-- | src/external/nsupdate.m4 | 11 | ||||
-rw-r--r-- | src/man/sssd-ipa.5.xml | 5 | ||||
-rw-r--r-- | src/providers/ipa/ipa_dyndns.c | 54 |
3 files changed, 55 insertions, 15 deletions
diff --git a/src/external/nsupdate.m4 b/src/external/nsupdate.m4 index 6e18f017b..9ccff6159 100644 --- a/src/external/nsupdate.m4 +++ b/src/external/nsupdate.m4 @@ -1,8 +1,17 @@ AC_PATH_PROG(NSUPDATE, nsupdate) -AC_MSG_CHECKING(for nsupdate) +AC_MSG_CHECKING(for executable nsupdate) if test -x "$NSUPDATE"; then AC_DEFINE_UNQUOTED([NSUPDATE_PATH], ["$NSUPDATE"], [The path to nsupdate]) AC_MSG_RESULT(yes) + + AC_MSG_CHECKING(for nsupdate 'realm' support') + if AC_RUN_LOG([echo realm |$NSUPDATE >&2]); then + AC_MSG_RESULT([yes]) + AC_DEFINE_UNQUOTED([HAVE_NSUPDATE_REALM], 1, [Whether to use the 'realm' directive with nsupdate]) + else + AC_MSG_WARN([no. Will build without the 'realm' directive]) + fi + else AC_MSG_ERROR([no. nsupdate is not available]) fi diff --git a/src/man/sssd-ipa.5.xml b/src/man/sssd-ipa.5.xml index 8d0796afd..6e26d5ae9 100644 --- a/src/man/sssd-ipa.5.xml +++ b/src/man/sssd-ipa.5.xml @@ -115,6 +115,11 @@ the IP address of this client. </para> <para> + NOTE: On older systems (such as RHEL 5), for this + behavior to work reliably, the default Kerberos + realm must be set properly in /etc/krb5.conf + </para> + <para> Default: false </para> </listitem> diff --git a/src/providers/ipa/ipa_dyndns.c b/src/providers/ipa/ipa_dyndns.c index 60bc6ec0c..0d2c34e66 100644 --- a/src/providers/ipa/ipa_dyndns.c +++ b/src/providers/ipa/ipa_dyndns.c 
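Review bot: The 'realm' probe runs the build host's binary (`echo realm |$NSUPDATE >&2`), so HAVE_NSUPDATE_REALM records what the build machine's nsupdate accepts rather than what the machine running sssd has, and the check cannot run when cross-compiling. If a package is built on one release and installed on another, the directive can be dropped without notice and, going by the man page note in this commit, the update then depends on the default realm in /etc/krb5.conf; a configure switch to override the detected result would cover that case. In the failure branch the pending "checking" line is never closed, so put `AC_MSG_RESULT([no])` before the `AC_MSG_WARN`. The message `for nsupdate 'realm' support'` has a stray trailing apostrophe, and plain `AC_DEFINE` is enough for the constant `1`.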
@@ -797,20 +797,37 @@ static int create_nsupdate_message(struct ipa_nsupdate_ctx *ctx, int ret, i; char *servername = NULL; char *realm; + char *realm_directive; char *zone; char ip_addr[INET6_ADDRSTRLEN]; const char *ip; struct ipa_ipaddress *new_record; + TALLOC_CTX *tmp_ctx; + + tmp_ctx = talloc_new(NULL); + if (!tmp_ctx) return ENOMEM; realm = dp_opt_get_string(ctx->dyndns_ctx->ipa_ctx->basic, IPA_KRB5_REALM); if (!realm) { - return EIO; + ret = EIO; + goto done; + } + +#ifdef HAVE_NSUPDATE_REALM + realm_directive = talloc_asprintf(tmp_ctx, "realm %s\n", realm); +#else + realm_directive = talloc_asprintf(tmp_ctx, ""); +#endif + if (!realm_directive) { + ret = ENOMEM; + goto done; } zone = dp_opt_get_string(ctx->dyndns_ctx->ipa_ctx->basic, IPA_DOMAIN); if (!zone) { - return EIO; + ret = EIO; + goto done; } /* The DNS zone for IPA is the lower-case 
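Review bot: In the `#else` branch, `talloc_asprintf(tmp_ctx, "")` passes an empty format string, which GCC reports under -Wformat-zero-length; `realm_directive = talloc_strdup(tmp_ctx, "");` states the intent directly. In that build the realm option is still mandatory (the function returns EIO without it) although it no longer reaches nsupdate, so a comment such as `/* nsupdate has no 'realm' directive: the default realm from krb5.conf applies */` above the `#else` would explain why the configured value is ignored. `realm` and `zone` are copied into the message with `%s\n`; they appear to come from the sssd configuration, and rejecting a value that contains a newline would keep a malformed option from adding extra lines to the nsupdate input. create_nsupdate_message starts and ends outside this hunk.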
@@ -824,26 +841,31 @@ static int create_nsupdate_message(struct ipa_nsupdate_ctx *ctx, if (strncmp(ctx->dyndns_ctx->ipa_ctx->service->sdap->uri, "ldap://", 7) != 0) { DEBUG(1, ("Unexpected format of LDAP URI.\n")); - return EIO; + ret = EIO; + goto done; } servername = ctx->dyndns_ctx->ipa_ctx->service->sdap->uri + 7; if (!servername) { - return EIO; + ret = EIO; + goto done; } - DEBUG(9, ("Creating update message for server [%s], realm [%s] " - "and zone [%s].\n", servername, realm, zone)); + DEBUG(SSSDBG_FUNC_DATA, + ("Creating update message for server [%s], realm [%s] " + "and zone [%s].\n", servername, realm, zone)); /* Add the server, realm and zone headers */ - ctx->update_msg = talloc_asprintf(ctx, "server %s\nrealm %s\nzone %s.\n", - servername, realm, zone); + ctx->update_msg = talloc_asprintf(ctx, "server %s\n%szone %s.\n", + servername, realm_directive, + zone); } else { - DEBUG(9, ("Creating update message for realm [%s] and zone [%s].\n", - realm, zone)); + DEBUG(SSSDBG_FUNC_DATA, + ("Creating update message for realm [%s] and zone [%s].\n", + realm, zone)); /* Add the realm and zone headers */ - ctx->update_msg = talloc_asprintf(ctx, "realm %s\nzone %s.\n", - realm, zone); + ctx->update_msg = talloc_asprintf(ctx, "%szone %s.\n", + realm_directive, zone); } if (ctx->update_msg == NULL) { ret = ENOMEM; @@ -917,12 +939,16 @@ static int create_nsupdate_message(struct ipa_nsupdate_ctx *ctx, goto done; } - DEBUG(6, (" -- Begin nsupdate message -- \n%s", ctx->update_msg)); - DEBUG(6, (" -- End nsupdate message -- \n")); + DEBUG(SSSDBG_TRACE_FUNC, + (" -- Begin nsupdate message -- \n%s", + ctx->update_msg)); + DEBUG(SSSDBG_TRACE_FUNC, + (" -- End nsupdate message -- \n")); ret = EOK; done: + talloc_free(tmp_ctx); return ret; } |
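Review bot: The `if (!servername)` test after `servername = ...->uri + 7;` can never fire, because adding 7 to a non-null pointer does not produce NULL, so a URI that is exactly `ldap://` yields a `server` line with an empty name. The check should inspect the string instead: `if (*servername == '\0') { ret = EIO; goto done; }`. Anything that follows the host in the URI (a port or a path, if one is ever supplied) would also be written into the `server %s\n` line unchanged, so it is worth confirming that the URI is always a bare `ldap://host`. When HAVE_NSUPDATE_REALM is not defined, both debug messages still report `realm [%s]` even though no realm line is written, which can mislead someone reading the log. The function body continues outside this hunk.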