From 7cb9691078aaefbf018a35b93cdfca9c834952e9 Mon Sep 17 00:00:00 2001
From: Stephen Gallagher
Date: Fri, 13 Jan 2012 08:45:27 -0500
Subject: IPA: Detect nsupdate support for the realm directive

For older platforms, do not add the 'realm' line in the update message
---
 src/external/nsupdate.m4 | 11 ++++++++-
 src/man/sssd-ipa.5.xml | 5 ++++
 src/providers/ipa/ipa_dyndns.c | 54 +++++++++++++++++++++++++++++++-----------
 3 files changed, 55 insertions(+), 15 deletions(-)

diff --git a/src/external/nsupdate.m4 b/src/external/nsupdate.m4
index 6e18f017b..9ccff6159 100644
--- a/src/external/nsupdate.m4
+++ b/src/external/nsupdate.m4
@@ -1,8 +1,17 @@
 AC_PATH_PROG(NSUPDATE, nsupdate)
-AC_MSG_CHECKING(for nsupdate)
+AC_MSG_CHECKING(for executable nsupdate)
 if test -x "$NSUPDATE"; then
 AC_DEFINE_UNQUOTED([NSUPDATE_PATH], ["$NSUPDATE"], [The path to nsupdate])
 AC_MSG_RESULT(yes)
+
+ AC_MSG_CHECKING(for nsupdate 'realm' support')
+ if AC_RUN_LOG([echo realm |$NSUPDATE >&2]); then
+ AC_MSG_RESULT([yes])
+ AC_DEFINE_UNQUOTED([HAVE_NSUPDATE_REALM], 1, [Whether to use the 'realm' directive with nsupdate])
+ else
+ AC_MSG_WARN([no. Will build without the 'realm' directive])
+ fi
+
 else
 AC_MSG_ERROR([no. nsupdate is not available])
 fi
diff --git a/src/man/sssd-ipa.5.xml b/src/man/sssd-ipa.5.xml
index fb5927923..01d116df7 100644
--- a/src/man/sssd-ipa.5.xml
+++ b/src/man/sssd-ipa.5.xml
@@ -111,6 +111,11 @@ update the DNS server built into FreeIPA v2 with the IP address of this client. + + NOTE: On older systems (such as RHEL 5), for this behavior to work reliably, the default Kerberos realm must be set properly in /etc/krb5.conf + Default: false
diff --git a/src/providers/ipa/ipa_dyndns.c b/src/providers/ipa/ipa_dyndns.c
index 72e4ba4db..ee5116bf3 100644
--- a/src/providers/ipa/ipa_dyndns.c
+++ b/src/providers/ipa/ipa_dyndns.c
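Review bot: The "no" branch of the new realm probe goes straight from AC_MSG_CHECKING to AC_MSG_WARN, so the "checking for nsupdate 'realm' support" line is never closed with a result; `AC_MSG_RESULT([no])` should precede the warning, and the stray trailing quote in `AC_MSG_CHECKING(for nsupdate 'realm' support')` should be dropped. More substantively, `AC_RUN_LOG([echo realm |$NSUPDATE >&2])` executes the build host's nsupdate, so HAVE_NSUPDATE_REALM is decided once at configure time and compiled into the binary: it cannot be evaluated when cross-compiling, and it is wrong wherever the nsupdate found at NSUPDATE_PATH on the deployment host differs from the build host's (a package built on a newer system and installed on an older one would emit a `realm` line that nsupdate rejects, and the reverse silently drops the realm). If mixed build/deploy hosts are a supported case, the capability is better probed at runtime, or the update retried without the directive on failure, than fixed by the build.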
@@ -365,20 +365,37 @@ static int create_nsupdate_message(struct ipa_nsupdate_ctx *ctx,
 int ret, i;
 char *servername = NULL;
 char *realm;
+ char *realm_directive;
 char *zone;
 char ip_addr[INET6_ADDRSTRLEN];
 const char *ip;
 struct ipa_ipaddress *new_record;
+ TALLOC_CTX *tmp_ctx;
+
+ tmp_ctx = talloc_new(NULL);
+ if (!tmp_ctx) return ENOMEM;
 realm = dp_opt_get_string(ctx->dyndns_ctx->ipa_ctx->basic, IPA_KRB5_REALM);
 if (!realm) {
- return EIO;
+ ret = EIO;
+ goto done;
+ }
+
+#ifdef HAVE_NSUPDATE_REALM
+ realm_directive = talloc_asprintf(tmp_ctx, "realm %s\n", realm);
+#else
+ realm_directive = talloc_asprintf(tmp_ctx, "");
+#endif
+ if (!realm_directive) {
+ ret = ENOMEM;
+ goto done;
 }
 zone = dp_opt_get_string(ctx->dyndns_ctx->ipa_ctx->basic, IPA_DOMAIN);
 if (!zone) {
- return EIO;
+ ret = EIO;
+ goto done;
 }
 /* The DNS zone for IPA is the lower-case
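Review bot: `tmp_ctx` is parented on NULL, so it is released only by the `talloc_free(tmp_ctx)` added at done:; the hunk converts the early returns it touches to `goto done`, but any `return` left in the part of create_nsupdate_message that lies between this hunk and the next (not visible here) would now leak it, and `tmp_ctx = talloc_new(ctx);` would bound such a leak to the lifetime of ctx while still being freed at done:. The `#else` branch's `talloc_asprintf(tmp_ctx, "")` uses an empty format string; `talloc_strdup(tmp_ctx, "")` says the same thing without tripping -Wformat-zero-length. create_nsupdate_message begins before this hunk and ends in a later one.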
@@ -392,26 +409,31 @@ static int create_nsupdate_message(struct ipa_nsupdate_ctx *ctx,
 if (strncmp(ctx->dyndns_ctx->ipa_ctx->service->sdap->uri, "ldap://", 7) != 0) {
 DEBUG(1, ("Unexpected format of LDAP URI.\n"));
- return EIO;
+ ret = EIO;
+ goto done;
 }
 servername = ctx->dyndns_ctx->ipa_ctx->service->sdap->uri + 7;
 if (!servername) {
- return EIO;
+ ret = EIO;
+ goto done;
 }
- DEBUG(9, ("Creating update message for server [%s], realm [%s] " "and zone [%s].\n", servername, realm, zone));
+ DEBUG(4, ("Creating update message for server [%s], realm [%s] " "and zone [%s].\n", servername, realm, zone));
 /* Add the server, realm and zone headers */
- ctx->update_msg = talloc_asprintf(ctx, "server %s\nrealm %s\nzone %s.\n", servername, realm, zone);
+ ctx->update_msg = talloc_asprintf(ctx, "server %s\n%szone %s.\n", servername, realm_directive, zone);
 } else {
- DEBUG(9, ("Creating update message for realm [%s] and zone [%s].\n", realm, zone));
+ DEBUG(4, ("Creating update message for realm [%s] and zone [%s].\n", realm, zone));
 /* Add the realm and zone headers */
- ctx->update_msg = talloc_asprintf(ctx, "realm %s\nzone %s.\n", realm, zone);
+ ctx->update_msg = talloc_asprintf(ctx, "%szone %s.\n", realm_directive, zone);
 }
 if (ctx->update_msg == NULL) {
 ret = ENOMEM;
@@ -476,12 +498,16 @@ static int create_nsupdate_message(struct ipa_nsupdate_ctx *ctx,
 goto done;
 }
- DEBUG(6, (" -- Begin nsupdate message -- \n%s", ctx->update_msg));
- DEBUG(6, (" -- End nsupdate message -- \n"));
+ DEBUG(5, (" -- Begin nsupdate message -- \n%s", ctx->update_msg));
+ DEBUG(5, (" -- End nsupdate message -- \n"));
 ret = EOK;
 done:
+ talloc_free(tmp_ctx);
 return ret;
 }
-- cgit
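Review bot: In the rewritten servername branch `if (!servername)` can never be true — `uri + 7` on a pointer strncmp has just read through is non-NULL — so a URI of exactly `ldap://` falls through and the message gets a `server ` line with no host; the check is pre-existing, but since its body is being rewritten here it should become `if (*servername == '\0') {` with the same `ret = EIO; goto done;`. Separately, `realm` is now spliced into the message through `realm_directive` with no validation; it comes from the IPA_KRB5_REALM option, so presumably an admin-controlled value, but if it can ever be populated from discovered data a newline or space in it would turn into extra nsupdate input, and rejecting a realm containing whitespace before building the message is cheap. create_nsupdate_message starts before this hunk, and the stretch between this hunk and the `@@ -476` hunk is not visible here.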