2007-09-20 14:10:21 -05:00
|
|
|
# Authors: Simo Sorce <ssorce@redhat.com>
|
|
|
|
#
|
|
|
|
# Copyright (C) 2007 Red Hat
|
|
|
|
# see file 'COPYING' for use and warranty information
|
|
|
|
#
|
|
|
|
# This program is free software; you can redistribute it and/or
|
|
|
|
# modify it under the terms of the GNU General Public License as
|
2008-02-04 14:15:52 -06:00
|
|
|
# published by the Free Software Foundation; version 2 only
|
2007-09-20 14:10:21 -05:00
|
|
|
#
|
|
|
|
# This program is distributed in the hope that it will be useful,
|
|
|
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
|
|
# GNU General Public License for more details.
|
|
|
|
#
|
|
|
|
# You should have received a copy of the GNU General Public License
|
|
|
|
# along with this program; if not, write to the Free Software
|
|
|
|
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
|
|
|
|
#
|
|
|
|
|
|
|
|
import tempfile
|
|
|
|
import os
|
2009-06-04 14:33:49 -05:00
|
|
|
import pwd
|
2008-03-27 18:01:38 -05:00
|
|
|
import logging
|
2007-09-20 14:10:21 -05:00
|
|
|
|
2009-06-04 14:33:49 -05:00
|
|
|
import installutils
|
|
|
|
import ldap
|
2007-12-13 03:31:28 -06:00
|
|
|
import service
|
2009-06-04 14:33:49 -05:00
|
|
|
from ipaserver import ipaldap
|
2009-11-24 18:00:26 -06:00
|
|
|
from ipaserver.install.dsinstance import realm_to_serverid
|
2009-02-05 14:03:08 -06:00
|
|
|
from ipapython import sysrestore
|
|
|
|
from ipapython import ipautil
|
2009-11-10 06:21:09 -06:00
|
|
|
|
|
|
|
import ipalib
|
|
|
|
from ipalib import api, util, errors
|
2007-12-13 03:31:28 -06:00
|
|
|
|
2009-11-13 09:57:51 -06:00
|
|
|
def check_inst(unattended):
|
2008-05-28 21:46:08 -05:00
|
|
|
# So far this file is always present in both RHEL5 and Fedora if all the necessary
|
|
|
|
# bind packages are installed (RHEL5 requires also the pkg: caching-nameserver)
|
|
|
|
if not os.path.exists('/etc/named.rfc1912.zones'):
|
2009-11-13 09:57:51 -06:00
|
|
|
print "BIND was not found on this system"
|
|
|
|
print "Please install the bind package and start the installation again"
|
2009-05-12 08:20:24 -05:00
|
|
|
return False
|
|
|
|
|
|
|
|
# Also check for the LDAP BIND plug-in
|
|
|
|
if not os.path.exists('/usr/lib/bind/ldap.so') and \
|
|
|
|
not os.path.exists('/usr/lib64/bind/ldap.so'):
|
2009-11-13 09:57:51 -06:00
|
|
|
print "The BIND LDAP plug-in was not found on this system"
|
|
|
|
print "Please install the bind-dyndb-ldap package and start the installation again"
|
2009-05-12 08:20:24 -05:00
|
|
|
return False
|
2008-05-28 21:46:08 -05:00
|
|
|
|
2009-11-13 09:57:51 -06:00
|
|
|
if not unattended and os.path.exists('/etc/named.conf'):
|
|
|
|
msg = "Existing BIND configuration detected, overwrite?"
|
|
|
|
return ipautil.user_input(msg, False)
|
|
|
|
|
2008-05-28 21:46:08 -05:00
|
|
|
return True
|
|
|
|
|
2009-11-10 06:21:09 -06:00
|
|
|
def get_reverse_zone(ip_address):
|
|
|
|
tmp = ip_address.split(".")
|
|
|
|
tmp.reverse()
|
|
|
|
name = tmp.pop(0)
|
|
|
|
zone = ".".join(tmp) + ".in-addr.arpa"
|
|
|
|
|
|
|
|
return zone, name
|
|
|
|
|
|
|
|
def add_zone(name, update_policy=None):
|
|
|
|
if not update_policy:
|
|
|
|
update_policy = "grant %s krb5-self * A;" % api.env.realm
|
|
|
|
|
|
|
|
try:
|
|
|
|
api.Command.dns_add(unicode(name),
|
|
|
|
idnssoamname=unicode(api.env.host),
|
|
|
|
idnsallowdynupdate=True,
|
|
|
|
idnsupdatepolicy=unicode(update_policy))
|
|
|
|
except (errors.DuplicateEntry, errors.EmptyModlist):
|
|
|
|
pass
|
|
|
|
|
|
|
|
add_rr(name, "@", "NS", api.env.host+".")
|
|
|
|
|
|
|
|
return name
|
|
|
|
|
|
|
|
def add_reverze_zone(ip_address, update_policy=None):
|
|
|
|
zone, name = get_reverse_zone(ip_address)
|
|
|
|
if not update_policy:
|
|
|
|
update_policy = "grant %s krb5-subdomain %s. PTR;" % (api.env.realm, zone)
|
|
|
|
try:
|
|
|
|
api.Command.dns_add(unicode(zone),
|
|
|
|
idnssoamname=unicode(api.env.host),
|
|
|
|
idnsallowdynupdate=True,
|
|
|
|
idnsupdatepolicy=unicode(update_policy))
|
|
|
|
except (errors.DuplicateEntry, errors.EmptyModlist):
|
|
|
|
pass
|
|
|
|
|
|
|
|
add_rr(zone, "@", "NS", api.env.host)
|
|
|
|
|
|
|
|
return zone
|
|
|
|
|
|
|
|
def add_rr(zone, name, type, rdata):
|
|
|
|
try:
|
|
|
|
api.Command.dns_add_rr(unicode(zone), unicode(name),
|
|
|
|
unicode(type), unicode(rdata))
|
|
|
|
except (errors.DuplicateEntry, errors.EmptyModlist):
|
|
|
|
pass
|
|
|
|
|
|
|
|
def add_ptr_rr(ip_address, fqdn):
|
|
|
|
zone, name = get_reverse_zone(ip_address)
|
|
|
|
add_rr(zone, name, "PTR", fqdn+".")
|
|
|
|
|
2007-12-13 03:31:28 -06:00
|
|
|
class BindInstance(service.Service):
|
2009-05-12 08:20:24 -05:00
|
|
|
def __init__(self, fstore=None, dm_password=None):
|
|
|
|
service.Service.__init__(self, "named", dm_password=dm_password)
|
2009-06-04 14:33:49 -05:00
|
|
|
self.named_user = None
|
2007-09-20 14:10:21 -05:00
|
|
|
self.fqdn = None
|
2009-05-12 08:20:24 -05:00
|
|
|
self.domain = None
|
2007-09-20 14:10:21 -05:00
|
|
|
self.host = None
|
|
|
|
self.ip_address = None
|
|
|
|
self.realm = None
|
2009-09-01 16:28:52 -05:00
|
|
|
self.forwarders = None
|
2007-09-20 14:10:21 -05:00
|
|
|
self.sub_dict = None
|
|
|
|
|
2008-03-27 18:01:38 -05:00
|
|
|
if fstore:
|
|
|
|
self.fstore = fstore
|
|
|
|
else:
|
|
|
|
self.fstore = sysrestore.FileStore('/var/lib/ipa/sysrestore')
|
|
|
|
|
2009-11-10 08:16:38 -06:00
|
|
|
def setup(self, fqdn, ip_address, realm_name, domain_name, forwarders, ntp, named_user="named"):
|
2009-06-04 14:33:49 -05:00
|
|
|
self.named_user = named_user
|
2007-09-20 14:10:21 -05:00
|
|
|
self.fqdn = fqdn
|
|
|
|
self.ip_address = ip_address
|
|
|
|
self.realm = realm_name
|
2008-02-15 19:47:29 -06:00
|
|
|
self.domain = domain_name
|
2009-09-01 16:28:52 -05:00
|
|
|
self.forwarders = forwarders
|
2008-05-15 10:33:07 -05:00
|
|
|
self.host = fqdn.split(".")[0]
|
2009-05-12 08:20:24 -05:00
|
|
|
self.suffix = util.realm_to_suffix(self.realm)
|
2009-11-10 08:16:38 -06:00
|
|
|
self.ntp = ntp
|
2007-09-20 14:10:21 -05:00
|
|
|
|
2009-06-27 00:53:45 -05:00
|
|
|
tmp = ip_address.split(".")
|
|
|
|
tmp.reverse()
|
2009-08-11 16:08:09 -05:00
|
|
|
|
2009-06-27 00:53:45 -05:00
|
|
|
self.reverse_host = tmp.pop(0)
|
|
|
|
self.reverse_subnet = ".".join(tmp)
|
|
|
|
|
2007-09-20 14:10:21 -05:00
|
|
|
self.__setup_sub_dict()
|
|
|
|
|
|
|
|
def create_sample_bind_zone(self):
|
2007-12-13 03:31:28 -06:00
|
|
|
bind_txt = ipautil.template_file(ipautil.SHARE_DIR + "bind.zone.db.template", self.sub_dict)
|
2007-09-20 14:10:21 -05:00
|
|
|
[bind_fd, bind_name] = tempfile.mkstemp(".db","sample.zone.")
|
|
|
|
os.write(bind_fd, bind_txt)
|
|
|
|
os.close(bind_fd)
|
|
|
|
print "Sample zone file for bind has been created in "+bind_name
|
|
|
|
|
|
|
|
def create_instance(self):
|
|
|
|
|
|
|
|
try:
|
|
|
|
self.stop()
|
|
|
|
except:
|
|
|
|
pass
|
|
|
|
|
2009-06-26 12:37:49 -05:00
|
|
|
self.__add_zone_steps()
|
2009-11-10 06:21:09 -06:00
|
|
|
self.step("setting up our zone", self.__setup_zone)
|
|
|
|
self.step("setting up reverse zone", self.__setup_reverse_zone)
|
2009-06-04 14:33:49 -05:00
|
|
|
|
2009-06-27 00:53:45 -05:00
|
|
|
self.step("setting up kerberos principal", self.__setup_principal)
|
|
|
|
self.step("setting up named.conf", self.__setup_named_conf)
|
2008-03-27 18:01:38 -05:00
|
|
|
|
|
|
|
self.step("restarting named", self.__start)
|
|
|
|
self.step("configuring named to start on boot", self.__enable)
|
|
|
|
|
2009-06-27 00:53:45 -05:00
|
|
|
self.step("changing resolv.conf to point to ourselves", self.__setup_resolv_conf)
|
|
|
|
self.start_creation("Configuring named:")
|
2007-09-20 14:10:21 -05:00
|
|
|
|
2009-06-26 12:37:49 -05:00
|
|
|
def __add_zone_steps(self):
|
|
|
|
"""
|
2009-11-10 06:21:09 -06:00
|
|
|
Add a DNS container if it doesn't exist.
|
2009-06-26 12:37:49 -05:00
|
|
|
"""
|
|
|
|
|
|
|
|
def object_exists(dn):
|
|
|
|
"""
|
|
|
|
Test whether the given object exists in LDAP.
|
|
|
|
"""
|
|
|
|
try:
|
|
|
|
server.search_ext_s(dn, ldap.SCOPE_BASE)
|
|
|
|
except ldap.NO_SUCH_OBJECT:
|
|
|
|
return False
|
|
|
|
else:
|
|
|
|
return True
|
|
|
|
|
|
|
|
server = ldap.initialize("ldap://" + self.fqdn)
|
|
|
|
server.simple_bind_s()
|
2009-11-10 06:21:09 -06:00
|
|
|
|
|
|
|
if not object_exists("cn=dns,%s" % self.suffix):
|
|
|
|
self.step("adding DNS container", self.__setup_dns_container)
|
2009-06-26 12:37:49 -05:00
|
|
|
|
|
|
|
server.unbind_s()
|
|
|
|
|
2008-03-27 18:01:38 -05:00
|
|
|
def __start(self):
|
2007-10-03 16:37:13 -05:00
|
|
|
try:
|
2008-01-14 11:43:26 -06:00
|
|
|
self.backup_state("running", self.is_running())
|
2008-03-27 18:01:38 -05:00
|
|
|
self.restart()
|
2007-10-03 16:37:13 -05:00
|
|
|
except:
|
|
|
|
print "named service failed to start"
|
2007-09-20 14:10:21 -05:00
|
|
|
|
2008-03-27 18:01:38 -05:00
|
|
|
def __enable(self):
|
|
|
|
self.backup_state("enabled", self.is_running())
|
|
|
|
self.chkconfig_on()
|
|
|
|
|
2007-09-20 14:10:21 -05:00
|
|
|
def __setup_sub_dict(self):
|
2009-09-01 16:28:52 -05:00
|
|
|
if self.forwarders:
|
|
|
|
fwds = "\n"
|
|
|
|
for forwarder in self.forwarders:
|
|
|
|
fwds += "\t\t%s;\n" % forwarder
|
|
|
|
fwds += "\t"
|
|
|
|
else:
|
|
|
|
fwds = " "
|
|
|
|
|
2009-11-10 08:16:38 -06:00
|
|
|
if self.ntp:
|
|
|
|
optional_ntp = "\n;ntp server\n"
|
|
|
|
optional_ntp += "_ntp._udp\t\tIN SRV 0 100 123\t%s""" % self.host
|
|
|
|
else:
|
|
|
|
optional_ntp = ""
|
|
|
|
|
2007-09-20 14:10:21 -05:00
|
|
|
self.sub_dict = dict(FQDN=self.fqdn,
|
|
|
|
IP=self.ip_address,
|
|
|
|
DOMAIN=self.domain,
|
|
|
|
HOST=self.host,
|
2009-05-12 08:20:24 -05:00
|
|
|
REALM=self.realm,
|
2009-11-24 18:00:26 -06:00
|
|
|
SERVER_ID=realm_to_serverid(self.realm),
|
2009-09-01 16:28:52 -05:00
|
|
|
FORWARDERS=fwds,
|
2009-11-10 08:16:38 -06:00
|
|
|
SUFFIX=self.suffix,
|
|
|
|
OPTIONAL_NTP=optional_ntp)
|
2007-09-20 14:10:21 -05:00
|
|
|
|
2009-11-10 06:21:09 -06:00
|
|
|
def __setup_dns_container(self):
|
2009-05-12 08:20:24 -05:00
|
|
|
self._ldap_mod("dns.ldif", self.sub_dict)
|
2009-06-27 00:53:45 -05:00
|
|
|
|
2009-11-10 06:21:09 -06:00
|
|
|
def __setup_zone(self):
|
|
|
|
resource_records = (
|
|
|
|
(self.host, "A", self.ip_address),
|
|
|
|
("_ldap._tcp", "SRV", "0 100 389 %s" % self.host),
|
|
|
|
("_kerberos", "TXT", self.realm),
|
|
|
|
("_kerberos._tcp", "SRV", "0 100 88 %s" % self.host),
|
|
|
|
("_kerberos._udp", "SRV", "0 100 88 %s" % self.host),
|
|
|
|
("_kerberos-master._tcp", "SRV", "0 100 88 %s" % self.host),
|
|
|
|
("_kerberos-master._udp", "SRV", "0 100 88 %s" % self.host),
|
|
|
|
("_kpasswd._tcp", "SRV", "0 100 464 %s" % self.host),
|
|
|
|
("_kpasswd._udp", "SRV", "0 100 464 %s" % self.host),
|
|
|
|
)
|
|
|
|
|
|
|
|
zone = add_zone(self.domain)
|
|
|
|
for (host, type, rdata) in resource_records:
|
|
|
|
add_rr(zone, host, type, rdata)
|
2009-11-10 08:16:38 -06:00
|
|
|
if self.ntp:
|
|
|
|
add_rr(zone, "_ntp._udp", "SRV", "0 100 123 "+self.host)
|
2009-09-02 09:22:50 -05:00
|
|
|
|
2009-11-10 06:21:09 -06:00
|
|
|
def __setup_reverse_zone(self):
|
|
|
|
add_reverze_zone(self.ip_address)
|
|
|
|
add_ptr_rr(self.ip_address, self.fqdn)
|
2009-09-02 09:22:50 -05:00
|
|
|
|
2009-06-04 14:33:49 -05:00
|
|
|
def __setup_principal(self):
|
|
|
|
dns_principal = "DNS/" + self.fqdn + "@" + self.realm
|
|
|
|
installutils.kadmin_addprinc(dns_principal)
|
|
|
|
|
|
|
|
# Store the keytab on disk
|
|
|
|
self.fstore.backup_file("/etc/named.keytab")
|
|
|
|
installutils.create_keytab("/etc/named.keytab", dns_principal)
|
2009-12-07 22:17:00 -06:00
|
|
|
dns_principal = self.move_service(dns_principal)
|
2009-06-04 14:33:49 -05:00
|
|
|
|
|
|
|
# Make sure access is strictly reserved to the named user
|
|
|
|
pent = pwd.getpwnam(self.named_user)
|
|
|
|
os.chown("/etc/named.keytab", pent.pw_uid, pent.pw_gid)
|
|
|
|
os.chmod("/etc/named.keytab", 0400)
|
|
|
|
|
|
|
|
# modify the principal so that it is marked as an ipa service so that
|
|
|
|
# it can host the memberof attribute, then also add it to the
|
|
|
|
# dnsserver role group, this way the DNS is allowed to perform
|
|
|
|
# DNS Updates
|
|
|
|
conn = None
|
|
|
|
|
|
|
|
try:
|
|
|
|
conn = ipaldap.IPAdmin("127.0.0.1")
|
|
|
|
conn.simple_bind_s("cn=directory manager", self.dm_password)
|
|
|
|
except Exception, e:
|
|
|
|
logging.critical("Could not connect to the Directory Server on %s" % self.fqdn)
|
|
|
|
raise e
|
|
|
|
|
|
|
|
dns_group = "cn=dnsserver,cn=rolegroups,cn=accounts,%s" % self.suffix
|
2009-12-07 22:17:00 -06:00
|
|
|
mod = [(ldap.MOD_ADD, 'member', dns_principal)]
|
2009-06-04 14:33:49 -05:00
|
|
|
|
|
|
|
try:
|
|
|
|
conn.modify_s(dns_group, mod)
|
|
|
|
except Exception, e:
|
|
|
|
logging.critical("Could not modify principal's %s entry" % dns_principal)
|
|
|
|
raise e
|
|
|
|
|
|
|
|
conn.unbind()
|
|
|
|
|
2007-09-20 14:10:21 -05:00
|
|
|
def __setup_named_conf(self):
|
2008-03-27 18:01:38 -05:00
|
|
|
self.fstore.backup_file('/etc/named.conf')
|
2007-12-13 03:31:28 -06:00
|
|
|
named_txt = ipautil.template_file(ipautil.SHARE_DIR + "bind.named.conf.template", self.sub_dict)
|
2007-09-20 14:10:21 -05:00
|
|
|
named_fd = open('/etc/named.conf', 'w')
|
|
|
|
named_fd.seek(0)
|
|
|
|
named_fd.truncate(0)
|
|
|
|
named_fd.write(named_txt)
|
|
|
|
named_fd.close()
|
|
|
|
|
2008-05-13 12:35:20 -05:00
|
|
|
def __setup_resolv_conf(self):
|
|
|
|
self.fstore.backup_file('/etc/resolv.conf')
|
|
|
|
resolv_txt = "search "+self.domain+"\nnameserver "+self.ip_address+"\n"
|
|
|
|
resolv_fd = open('/etc/resolv.conf', 'w')
|
|
|
|
resolv_fd.seek(0)
|
|
|
|
resolv_fd.truncate(0)
|
|
|
|
resolv_fd.write(resolv_txt)
|
|
|
|
resolv_fd.close()
|
2007-09-20 14:10:21 -05:00
|
|
|
|
2008-01-11 05:57:36 -06:00
|
|
|
def uninstall(self):
|
|
|
|
running = self.restore_state("running")
|
2008-03-27 18:01:38 -05:00
|
|
|
enabled = self.restore_state("enabled")
|
2008-01-11 05:57:36 -06:00
|
|
|
|
|
|
|
if not running is None:
|
|
|
|
self.stop()
|
|
|
|
|
2008-05-13 12:35:20 -05:00
|
|
|
for f in ["/etc/named.conf", "/etc/resolv.conf"]:
|
2008-03-27 18:01:38 -05:00
|
|
|
try:
|
|
|
|
self.fstore.restore_file(f)
|
|
|
|
except ValueError, error:
|
|
|
|
logging.debug(error)
|
|
|
|
pass
|
|
|
|
|
|
|
|
if not enabled is None and not enabled:
|
|
|
|
self.chkconfig_off()
|
2008-01-11 05:57:36 -06:00
|
|
|
|
|
|
|
if not running is None and running:
|
|
|
|
self.start()
|