From bae291def780c81144c8f4d71ced5007e1ee3867 Mon Sep 17 00:00:00 2001
From: Tomas Babej
Date: Wed, 18 Sep 2013 12:56:00 +0200
Subject: Warn user about realm-domain mismatch in install scripts
If the IPA server is setup with non-matching domain and realm names, it will not be able to estabilish trust with the Active Directory. Adds warnings to the ipa-server-install and warning to the ipa-adtrust-install (which has to be confirmed). Man pages for the ipa-server-install and ipa-adtrust-install were updated with the relevant notes. https://fedorahosted.org/freeipa/ticket/3924
---
 install/tools/ipa-adtrust-install | 16 ++++++++++++++++
 install/tools/ipa-server-install | 11 +++++++++++
 install/tools/man/ipa-adtrust-install.1 | 3 +++
 install/tools/man/ipa-server-install.1 | 2 +-
 4 files changed, 31 insertions(+), 1 deletion(-)
(limited to 'install/tools')
diff --git a/install/tools/ipa-adtrust-install b/install/tools/ipa-adtrust-install
index 838f7226b..2af2df92f 100755
--- a/install/tools/ipa-adtrust-install
+++ b/install/tools/ipa-adtrust-install
@@ -248,6 +248,22 @@ def main():
 api.bootstrap(**cfg)
 api.finalize()
 
+ # If domain name and realm does not match, IPA server will not be able
+ # to estabilish trust with Active Directory. Print big fat warning.
+
+ realm_not_matching_domain = (api.env.domain.upper() != api.env.realm)
+
+ if realm_not_matching_domain:
+ print("WARNING: Realm name does not match the domain name.\n"
+ "You will not be able to estabilish trusts with Active "
+ "Directory unless\nthe realm name of the IPA server matches its "
+ "domain name.\n\n")
+ if not options.unattended:
+ if not ipautil.user_input("Do you wish to continue?",
+ default = False,
+ allow_empty = False):
+ sys.exit("Aborting installation.")
+
 if adtrustinstance.ipa_smb_conf_exists():
 if not options.unattended:
 while True:
diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install
index 028cca097..cf8d3d01b 100644
--- a/install/tools/ipa-server-install
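Review bot: The user-facing warning misspells "establish" as `estabilish`, both in the comment on the second added line and in the string `"You will not be able to estabilish trusts with Active "`; the same misspelling recurs in the ipa-server-install hunk and in both man-page hunks, so fix them together (`"You will not be able to establish trusts with Active "`). The keyword arguments in the `ipautil.user_input` call, `default = False,` and `allow_empty = False):`, should drop the spaces around `=` per PEP 8, and the trailing `\n\n` in the message plus print's own newline leaves two blank lines after the warning where one would do. The warning block is near-identical to the one added to ipa-server-install; a shared helper would keep the two texts from drifting. main() continues outside the hunk on both sides.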
+++ b/install/tools/ipa-server-install
@@ -968,6 +968,17 @@ def main():
 or reverse_zone is None else reverse_zone)
 print
 
+ # If domain name and realm does not match, IPA server will not be able
+ # to estabilish trust with Active Directory. Print big fat warning.
+
+ realm_not_matching_domain = (domain_name.upper() != realm_name)
+
+ if realm_not_matching_domain:
+ print("WARNING: Realm name does not match the domain name.\n"
+ "You will not be able to estabilish trusts with Active "
+ "Directory unless\nythe realm name of the IPA server matches "
+ "its domain name.\n\n")
+
 if not options.unattended and not user_input("Continue to configure the system with these values?", False):
 sys.exit("Installation aborted")
diff --git a/install/tools/man/ipa-adtrust-install.1 b/install/tools/man/ipa-adtrust-install.1
index 7f0566e13..b0aa8ceef 100644
--- a/install/tools/man/ipa-adtrust-install.1
+++ b/install/tools/man/ipa-adtrust-install.1
@@ -26,6 +26,9 @@ Adds all necessary objects and configuration to allow an IPA server to create a trust to an Active Directory domain. This requires that the IPA server is already installed and configured.
+Please note you will not be able to estabilish an trust to an Active Directory
+domain unless the realm name of the IPA server matches its domain name.
+
 ipa\-adtrust\-install can be run multiple times to reinstall deleted objects or broken configuration files. E.g. a fresh samba configuration (smb.conf file and registry based configuration can be created. Other items like e.g. the
diff --git a/install/tools/man/ipa-server-install.1 b/install/tools/man/ipa-server-install.1
index 5f81cec94..a093078cb 100644
--- a/install/tools/man/ipa-server-install.1
+++ b/install/tools/man/ipa-server-install.1
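Review bot: The third fragment of the warning string, `"Directory unless\nythe realm name of the IPA server matches "`, has a stray `y` right after the `\n` escape, so the printed warning reads "ythe realm name …"; it should be `"Directory unless\nthe realm name of the IPA server matches "` (and `estabilish` in the preceding fragment should be `establish`). The check `domain_name.upper() != realm_name` is only meaningful if realm_name has already been normalized to uppercase by this point in main(); the hunk does not show where realm_name is set (main() starts and ends outside it), so if it is still raw user input a lowercase realm equal to the domain would trigger the warning — worth confirming, or comparing against `realm_name.upper()` if the realm is uppercased later in the installer. Unlike ipa-adtrust-install this script only prints the warning and relies on the existing "Continue to configure…" prompt on the following context line, which is reasonable, but in unattended mode the mismatch is only written to stdout with no confirmation step.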
@@ -28,7 +28,7 @@ Configures the services needed by an IPA server. This includes setting up a Kerb
 .SS "BASIC OPTIONS"
 .TP
 \fB\-r\fR \fIREALM_NAME\fR, \fB\-\-realm\fR=\fIREALM_NAME\fR
-The Kerberos realm name for the IPA server
+The Kerberos realm name for the IPA server. You will not be able to estabilish trust with Active Directory unless the realm name is uppercased domain name.
 .TP
 \fB\-n\fR \fIDOMAIN_NAME\fR, \fB\-\-domain\fR=\fIDOMAIN_NAME\fR
 Your DNS domain name
-- cgit