authorMartin Kosek <mkosek@redhat.com>2012-04-04 16:31:04 +0200
committerRob Crittenden <rcritten@redhat.com>2012-04-08 20:35:10 -0400
commit184a066f4abc0ef83434f8cebbec87028258db65 (patch)
tree743ca11fc1b4effb7ebd04511dc477bc79acbc3b
parentdcea80fc1700aff5a87e3f3bff442e80455243a0 (diff)
Fix installation when server hostname is not in a default domain
When IPA server is configured with DNS and its hostname is not located in a default domain, SRV records are not valid. Additionally, httpd does not serve the XMLRPC interface because the IPA server domain-realm mapping is missing in krb5.conf. All CLI commands were then failing. This patch amends this configuration. It fixes SRV records in the served domain to include the full FQDN instead of the relative hostname when the IPA server hostname is not located in the served domain. The IPA server forward record is also placed in the correct zone. When the IPA server is not in a served domain, a proper domain-realm mapping is configured in krb5.conf. The template was improved in order to be able to hold this information. https://fedorahosted.org/freeipa/ticket/2602
-rw-r--r--install/share/krb5.conf.template2
-rw-r--r--ipaserver/install/bindinstance.py38
-rw-r--r--ipaserver/install/krbinstance.py13
3 files changed, 40 insertions, 13 deletions
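diff --git a/install/share/krb5.conf.template b/install/share/krb5.conf.template
index 3bdbc9995..eda8ba6fe 100644
--- a/install/share/krb5.conf.template
+++ b/install/share/krb5.conf.template
@@ -22,7 +22,7 @@
 [domain_realm]
 .$DOMAIN = $REALM
 $DOMAIN = $REALM
-
+$OTHER_DOMAIN_REALM_MAPS
 [dbmodules]
 $REALM = {
 db_library = ipadb.so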
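diff --git a/ipaserver/install/bindinstance.py b/ipaserver/install/bindinstance.py
index ba8b7b5cc..ce3166122 100644
--- a/ipaserver/install/bindinstance.py
+++ b/ipaserver/install/bindinstance.py
@@ -395,7 +395,6 @@ class BindInstance(service.Service):
 self.domain = domain_name
 self.forwarders = forwarders
 self.host = fqdn.split(".")[0]
- self.host_domain = '.'.join(fqdn.split(".")[1:])
 self.suffix = util.realm_to_suffix(self.realm)
 self.ntp = ntp
 self.reverse_zone = reverse_zone
@@ -409,6 +408,21 @@ class BindInstance(service.Service):
 self.__setup_sub_dict()
+ @property
+ def host_domain(self):
+ return '.'.join(self.fqdn.split(".")[1:])
+
+ @property
+ def host_in_rr(self):
+ # when a host is not in a default domain, it needs to be referred
+ # with FQDN and not in a domain-relative host name
+ if not self.host_in_default_domain():
+ return normalize_zone(self.fqdn)
+ return self.host
+
+ def host_in_default_domain(self):
+ return normalize_zone(self.host_domain) == normalize_zone(self.domain)
+
 def create_sample_bind_zone(self):
 bind_txt = ipautil.template_file(ipautil.SHARE_DIR + "bind.zone.db.template", self.sub_dict)
 [bind_fd, bind_name] = tempfile.mkstemp(".db","sample.zone.")
@@ -474,7 +488,7 @@ class BindInstance(service.Service):
 if self.ntp:
 optional_ntp = "\n;ntp server\n"
- optional_ntp += "_ntp._udp\t\tIN SRV 0 100 123\t%s""" % self.host
+ optional_ntp += "_ntp._udp\t\tIN SRV 0 100 123\t%s""" % self.host_in_rr
 else:
 optional_ntp = ""
@@ -495,7 +509,7 @@ class BindInstance(service.Service):
 self._ldap_mod("dns.ldif", self.sub_dict)
 def __setup_zone(self):
- if self.host_domain != self.domain:
+ if not self.host_in_default_domain():
 # add DNS domain for host first
 root_logger.debug("Host domain (%s) is different from DNS domain (%s)!" \
 % (self.host_domain, self.domain))
@@ -512,14 +526,14 @@ class BindInstance(service.Service):
 def __add_self(self):
 zone = self.domain
 resource_records = (
- ("_ldap._tcp", "SRV", "0 100 389 %s" % self.host),
+ ("_ldap._tcp", "SRV", "0 100 389 %s" % self.host_in_rr),
 ("_kerberos", "TXT", self.realm),
- ("_kerberos._tcp", "SRV", "0 100 88 %s" % self.host),
- ("_kerberos._udp", "SRV", "0 100 88 %s" % self.host),
- ("_kerberos-master._tcp", "SRV", "0 100 88 %s" % self.host),
- ("_kerberos-master._udp", "SRV", "0 100 88 %s" % self.host),
- ("_kpasswd._tcp", "SRV", "0 100 464 %s" % self.host),
- ("_kpasswd._udp", "SRV", "0 100 464 %s" % self.host),
+ ("_kerberos._tcp", "SRV", "0 100 88 %s" % self.host_in_rr),
+ ("_kerberos._udp", "SRV", "0 100 88 %s" % self.host_in_rr),
+ ("_kerberos-master._tcp", "SRV", "0 100 88 %s" % self.host_in_rr),
+ ("_kerberos-master._udp", "SRV", "0 100 88 %s" % self.host_in_rr),
+ ("_kpasswd._tcp", "SRV", "0 100 464 %s" % self.host_in_rr),
+ ("_kpasswd._udp", "SRV", "0 100 464 %s" % self.host_in_rr),
 )
 for (host, type, rdata) in resource_records:
@@ -528,10 +542,10 @@ class BindInstance(service.Service):
 else:
 add_rr(zone, host, type, rdata)
 if self.ntp:
- add_rr(zone, "_ntp._udp", "SRV", "0 100 123 %s" % self.host)
+ add_rr(zone, "_ntp._udp", "SRV", "0 100 123 %s" % self.host_in_rr)
 # Add forward and reverse records to self
- add_fwd_rr(zone, self.host, self.ip_address)
+ add_fwd_rr(self.host_domain, self.host, self.ip_address)
 if self.reverse_zone is not None and dns_zone_exists(self.reverse_zone):
 add_ptr_rr(self.reverse_zone, self.ip_address, self.fqdn)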
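Review bot: The correctness of every SRV target rewritten to `self.host_in_rr` rests on `normalize_zone(self.fqdn)` returning an absolute name, because a relative target in SRV rdata gets the served zone's origin appended and the record would point at the wrong host again; `normalize_zone` is defined outside this section, so this is a silent dependency worth stating next to the property, e.g. `# normalize_zone() must yield an absolute name (trailing dot); a relative SRV target would have the zone origin appended`. `host_in_default_domain()` is an exact comparison of the parent domain against the served domain, so a host in a subdomain of the served domain also takes the "not in default domain" path and its forward record lands in the subdomain zone that `__setup_zone` creates — a one-line docstring saying this is intentional would help, since krbinstance.py in the same commit uses a different test (`self.fqdn.endswith(self.domain)`). As a point of style, `host_in_rr` is exposed as a property while the closely related `host_in_default_domain` is a method; making both properties or both methods would read more consistently. The `__init__` body the first hunk edits begins outside the section.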
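diff --git a/ipaserver/install/krbinstance.py b/ipaserver/install/krbinstance.py
index 02890ac96..f38ae9b42 100644
--- a/ipaserver/install/krbinstance.py
+++ b/ipaserver/install/krbinstance.py
@@ -233,6 +233,19 @@ class KrbInstance(service.Service):
 SERVER_ID=dsinstance.realm_to_serverid(self.realm),
 REALM=self.realm)
+ # IPA server/KDC is not a subdomain of default domain
+ # Proper domain-realm mapping needs to be specified
+ dr_map = ''
+ if not self.fqdn.endswith(self.domain):
+ root_logger.debug("IPA FQDN '%s' is not located in default domain '%s'" \
+ % (self.fqdn, self.domain))
+ server_host, dot, server_domain = self.fqdn.partition('.')
+ root_logger.debug("Domain '%s' needs additional mapping in krb5.conf" \
+ % server_domain)
+ dr_map = " .%(domain)s = %(realm)s\n %(domain)s = %(realm)s\n" \
+ % dict(domain=server_domain, realm=self.realm)
+ self.sub_dict['OTHER_DOMAIN_REALM_MAPS'] = dr_map
+
 def __configure_sasl_mappings(self):
 # we need to remove any existing SASL mappings in the directory as otherwise they
 # they may conflict.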
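Review bot: `if not self.fqdn.endswith(self.domain):` is a plain string-suffix test, so a server whose parent domain merely ends with the same characters as the default domain — a constructed example: fqdn `ipa.corpexample.com` with domain `example.com` — is treated as inside the domain and gets no `[domain_realm]` mapping, which is exactly the failure this commit sets out to fix; a case difference between the two values defeats the test the same way. Anchoring on the label boundary keeps subdomains covered (the template's `.$DOMAIN = $REALM` already maps them) while excluding look-alike suffixes: `if not self.fqdn.lower().endswith('.' + self.domain.lower()):`. The `partition('.')` a few lines down yields an empty `server_domain` for a single-label fqdn, producing `. = REALM` and ` = REALM` lines in krb5.conf; presumably the installer rejects such hostnames earlier, but a short comment noting that assumption would make the block self-explanatory. The method this hunk extends begins outside the hunk.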