author | Martin Kosek <mkosek@redhat.com> | 2012-04-04 16:31:04 +0200 |
committer | Rob Crittenden <rcritten@redhat.com> | 2012-04-08 20:35:10 -0400 |
commit | 184a066f4abc0ef83434f8cebbec87028258db65 (patch) | |
tree | 743ca11fc1b4effb7ebd04511dc477bc79acbc3b | |
parent | dcea80fc1700aff5a87e3f3bff442e80455243a0 (diff) | |
Fix installation when server hostname is not in a default domain
When IPA server is configured with DNS and its hostname is not
located in a default domain, SRV records are not valid.
Additionally, httpd does not serve the XMLRPC interface because the
IPA server domain-realm mapping is missing in krb5.conf. All CLI
commands were then failing.
This patch amends this configuration. It fixes SRV records in
served domain to include full FQDN instead of relative hostname
when the IPA server hostname is not located in served domain.
IPA server forward record is also placed to correct zone.
When IPA server is not in a served domain a proper domain-realm
mapping is configured to krb5.conf. The template was improved
in order to be able to hold this information.
https://fedorahosted.org/freeipa/ticket/2602
-rw-r--r-- | install/share/krb5.conf.template | 2 | ||||
-rw-r--r-- | ipaserver/install/bindinstance.py | 38 | ||||
-rw-r--r-- | ipaserver/install/krbinstance.py | 13 |
3 files changed, 40 insertions, 13 deletions
diff --git a/install/share/krb5.conf.template b/install/share/krb5.conf.template
index 3bdbc9995..eda8ba6fe 100644
--- a/install/share/krb5.conf.template
+++ b/install/share/krb5.conf.template
@@ -22,7 +22,7 @@
 [domain_realm]
 .$DOMAIN = $REALM
 $DOMAIN = $REALM
-
+$OTHER_DOMAIN_REALM_MAPS
 [dbmodules]
 $REALM = {
 db_library = ipadb.so
diff --git a/ipaserver/install/bindinstance.py b/ipaserver/install/bindinstance.py
index ba8b7b5cc..ce3166122 100644
--- a/ipaserver/install/bindinstance.py
+++ b/ipaserver/install/bindinstance.py
@@ -395,7 +395,6 @@ class BindInstance(service.Service):
 self.domain = domain_name
 self.forwarders = forwarders
 self.host = fqdn.split(".")[0]
- self.host_domain = '.'.join(fqdn.split(".")[1:])
 self.suffix = util.realm_to_suffix(self.realm)
 self.ntp = ntp
 self.reverse_zone = reverse_zone
@@ -409,6 +408,21 @@ class BindInstance(service.Service):
 self.__setup_sub_dict()
+ @property
+ def host_domain(self):
+ return '.'.join(self.fqdn.split(".")[1:])
+
+ @property
+ def host_in_rr(self):
+ # when a host is not in a default domain, it needs to be referred
+ # with FQDN and not in a domain-relative host name
+ if not self.host_in_default_domain():
+ return normalize_zone(self.fqdn)
+ return self.host
+
+ def host_in_default_domain(self):
+ return normalize_zone(self.host_domain) == normalize_zone(self.domain)
+
 def create_sample_bind_zone(self):
 bind_txt = ipautil.template_file(ipautil.SHARE_DIR + "bind.zone.db.template", self.sub_dict)
 [bind_fd, bind_name] = tempfile.mkstemp(".db","sample.zone.")
@@ -474,7 +488,7 @@ class BindInstance(service.Service):
 if self.ntp:
 optional_ntp = "\n;ntp server\n"
- optional_ntp += "_ntp._udp\t\tIN SRV 0 100 123\t%s""" % self.host
+ optional_ntp += "_ntp._udp\t\tIN SRV 0 100 123\t%s""" % self.host_in_rr
 else:
 optional_ntp = ""
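Review bot: The new `host_domain` property in the second bindinstance.py hunk reads `self.fqdn`, whereas the line removed in the first hunk derived the value from the local `fqdn` parameter; unless `self.fqdn` is assigned earlier in that method (not visible here), the property, and `host_in_rr` through it, raises AttributeError the first time `__setup_sub_dict()` or `__setup_zone()` touches it. Please confirm the assignment order. `host_in_rr` has no docstring; I would add `"""Host name to put in SRV/NTP record data: the bare host label when the server lives in the served zone, the absolute FQDN otherwise."""`. Its value is whatever `normalize_zone()` yields, presumably an absolute name with a trailing dot, and the sample zone-file hunk that follows interpolates it straight into `IN SRV 0 100 123\t%s`, so that form should be checked against the SRV target syntax expected there. Stylistically, `host_domain` and `host_in_rr` are properties while `host_in_default_domain` is a method; making the three consistent would read better.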
@@ -495,7 +509,7 @@ class BindInstance(service.Service):
 self._ldap_mod("dns.ldif", self.sub_dict)
 def __setup_zone(self):
- if self.host_domain != self.domain:
+ if not self.host_in_default_domain():
 # add DNS domain for host first
 root_logger.debug("Host domain (%s) is different from DNS domain (%s)!" \
 % (self.host_domain, self.domain))
@@ -512,14 +526,14 @@ class BindInstance(service.Service):
 def __add_self(self):
 zone = self.domain
 resource_records = (
- ("_ldap._tcp", "SRV", "0 100 389 %s" % self.host),
+ ("_ldap._tcp", "SRV", "0 100 389 %s" % self.host_in_rr),
 ("_kerberos", "TXT", self.realm),
- ("_kerberos._tcp", "SRV", "0 100 88 %s" % self.host),
- ("_kerberos._udp", "SRV", "0 100 88 %s" % self.host),
- ("_kerberos-master._tcp", "SRV", "0 100 88 %s" % self.host),
- ("_kerberos-master._udp", "SRV", "0 100 88 %s" % self.host),
- ("_kpasswd._tcp", "SRV", "0 100 464 %s" % self.host),
- ("_kpasswd._udp", "SRV", "0 100 464 %s" % self.host),
+ ("_kerberos._tcp", "SRV", "0 100 88 %s" % self.host_in_rr),
+ ("_kerberos._udp", "SRV", "0 100 88 %s" % self.host_in_rr),
+ ("_kerberos-master._tcp", "SRV", "0 100 88 %s" % self.host_in_rr),
+ ("_kerberos-master._udp", "SRV", "0 100 88 %s" % self.host_in_rr),
+ ("_kpasswd._tcp", "SRV", "0 100 464 %s" % self.host_in_rr),
+ ("_kpasswd._udp", "SRV", "0 100 464 %s" % self.host_in_rr),
 )
 for (host, type, rdata) in resource_records:
@@ -528,10 +542,10 @@ class BindInstance(service.Service):
 else:
 add_rr(zone, host, type, rdata)
 if self.ntp:
- add_rr(zone, "_ntp._udp", "SRV", "0 100 123 %s" % self.host)
+ add_rr(zone, "_ntp._udp", "SRV", "0 100 123 %s" % self.host_in_rr)
 # Add forward and reverse records to self
- add_fwd_rr(zone, self.host, self.ip_address)
+ add_fwd_rr(self.host_domain, self.host, self.ip_address)
 if self.reverse_zone is not None and dns_zone_exists(self.reverse_zone):
 add_ptr_rr(self.reverse_zone, self.ip_address, self.fqdn)
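Review bot: `add_fwd_rr(self.host_domain, self.host, self.ip_address)` in the last bindinstance.py hunk passes the raw `host_domain` string as the zone, while the decision in `__setup_zone` (first hunk here) about whether that zone gets created goes through `normalize_zone()` inside `host_in_default_domain()`; if the two spellings differ only by case or a trailing dot, the A record may be aimed at a zone name that was never created, depending on how `add_fwd_rr` resolves its zone argument (not visible here). Using one code path, `add_fwd_rr(zone if self.host_in_default_domain() else self.host_domain, self.host, self.ip_address)`, avoids the mismatch when the host is in the served zone. A comment on that line, `# the forward record belongs to the host's own zone, which may differ from the served domain`, would record why the zone is no longer `zone`. `__add_self` continues outside the hunk.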
diff --git a/ipaserver/install/krbinstance.py b/ipaserver/install/krbinstance.py
index 02890ac96..f38ae9b42 100644
--- a/ipaserver/install/krbinstance.py
+++ b/ipaserver/install/krbinstance.py
@@ -233,6 +233,19 @@ class KrbInstance(service.Service):
 SERVER_ID=dsinstance.realm_to_serverid(self.realm),
 REALM=self.realm)
+ # IPA server/KDC is not a subdomain of default domain
+ # Proper domain-realm mapping needs to be specified
+ dr_map = ''
+ if not self.fqdn.endswith(self.domain):
+ root_logger.debug("IPA FQDN '%s' is not located in default domain '%s'" \
+ % (self.fqdn, self.domain))
+ server_host, dot, server_domain = self.fqdn.partition('.')
+ root_logger.debug("Domain '%s' needs additional mapping in krb5.conf" \
+ % server_domain)
+ dr_map = " .%(domain)s = %(realm)s\n %(domain)s = %(realm)s\n" \
+ % dict(domain=server_domain, realm=self.realm)
+ self.sub_dict['OTHER_DOMAIN_REALM_MAPS'] = dr_map
+
 def __configure_sasl_mappings(self):
 # we need to remove any existing SASL mappings in the directory as otherwise they
 # they may conflict.
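Review bot: `if not self.fqdn.endswith(self.domain):` in the krbinstance.py hunk tests a bare string suffix, so a server whose domain merely ends with the default domain's text (constructed example: FQDN `ipa.notexample.com` with domain `example.com`) is treated as in-domain and receives no extra `[domain_realm]` mapping, reproducing the failure this commit sets out to fix. Compare on a label boundary and case-insensitively, since DNS names are not case-sensitive and bindinstance.py in this same commit normalises before comparing: `if not self.fqdn.lower().endswith('.' + self.domain.lower()):`. The `dot` name from `partition` is unused and could be `_`. The enclosing method starts before the hunk, so whether `self.fqdn` and `self.domain` are already normalised there cannot be seen here.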