ipatests: fix DNS forwarders setup for AD trust tests with non-root domains

The tests are failing to establish trust with AD subdomain and tree domain
controllers. This happens because IPA server needs to contact root domain
controller to fetch domain-wide UPN suffixes but can not do it because we
setup DNS forwarding only for the domains with which we try to establish
trust.
To establish trust with AD subdomain we now setup forwarder for root AD
domain, and to establish trust with AD treedomain  -- two forwarders:
one for root domain and another one for treedomain.

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>

ipatests/pytest_ipa/integration/tasks.py

@@ -626,48 +626,57 @@ def is_subdomain(subdomain, domain):
 
     return subdomain
 
-def configure_dns_for_trust(master, ad):
+
+def configure_dns_for_trust(master, *ad_hosts):
     """
     This configures DNS on IPA master according to the relationship of the
     IPA's and AD's domains.
     """
 
     kinit_admin(master)
+    dnssec_disabled = False
+    for ad in ad_hosts:
+        if is_subdomain(ad.domain.name, master.domain.name):
+            master.run_command(['ipa', 'dnsrecord-add', master.domain.name,
+                                '%s.%s' % (ad.shortname, ad.netbios),
+                                '--a-ip-address', ad.ip])
 
-    if is_subdomain(ad.domain.name, master.domain.name):
-        master.run_command(['ipa', 'dnsrecord-add', master.domain.name,
-                            '%s.%s' % (ad.shortname, ad.netbios),
-                            '--a-ip-address', ad.ip])
+            master.run_command(['ipa', 'dnsrecord-add', master.domain.name,
+                                ad.netbios,
+                                '--ns-hostname',
+                                '%s.%s' % (ad.shortname, ad.netbios)])
 
-        master.run_command(['ipa', 'dnsrecord-add', master.domain.name,
-                            ad.netbios,
-                            '--ns-hostname',
-                            '%s.%s' % (ad.shortname, ad.netbios)])
-
-        master.run_command(['ipa', 'dnszone-mod', master.domain.name,
-                            '--allow-transfer', ad.ip])
-    else:
-        disable_dnssec_validation(master)
-        master.run_command(['ipa', 'dnsforwardzone-add', ad.domain.name,
-                            '--forwarder', ad.ip,
-                            '--forward-policy', 'only',
-                            ])
+            master.run_command(['ipa', 'dnszone-mod', master.domain.name,
+                                '--allow-transfer', ad.ip])
+        else:
+            if not dnssec_disabled:
+                disable_dnssec_validation(master)
+                dnssec_disabled = True
+            master.run_command(['ipa', 'dnsforwardzone-add', ad.domain.name,
+                                '--forwarder', ad.ip,
+                                '--forward-policy', 'only',
+                                ])
 
 
-def unconfigure_dns_for_trust(master, ad):
+def unconfigure_dns_for_trust(master, *ad_hosts):
     """
     This undoes changes made by configure_dns_for_trust
     """
     kinit_admin(master)
-    if is_subdomain(ad.domain.name, master.domain.name):
-        master.run_command(['ipa', 'dnsrecord-del', master.domain.name,
-                            '%s.%s' % (ad.shortname, ad.netbios),
-                            '--a-rec', ad.ip])
-        master.run_command(['ipa', 'dnsrecord-del', master.domain.name,
-                            ad.netbios,
-                            '--ns-rec', '%s.%s' % (ad.shortname, ad.netbios)])
-    else:
-        master.run_command(['ipa', 'dnsforwardzone-del', ad.domain.name])
+    dnssec_needs_restore = False
+    for ad in ad_hosts:
+        if is_subdomain(ad.domain.name, master.domain.name):
+            master.run_command(['ipa', 'dnsrecord-del', master.domain.name,
+                                '%s.%s' % (ad.shortname, ad.netbios),
+                                '--a-rec', ad.ip])
+            master.run_command(['ipa', 'dnsrecord-del', master.domain.name,
+                                ad.netbios,
+                                '--ns-rec',
+                                '%s.%s' % (ad.shortname, ad.netbios)])
+        else:
+            master.run_command(['ipa', 'dnsforwardzone-del', ad.domain.name])
+            dnssec_needs_restore = True
+    if dnssec_needs_restore:
         restore_dnssec_validation(master)
 
 

ipatests/test_integration/test_trust.py

@@ -40,6 +40,7 @@ class BaseTestTrust(IntegrationTest):
         cls.ad_domain = cls.ad.domain.name
         tasks.install_adtrust(cls.master)
         cls.check_sid_generation()
+        tasks.sync_time(cls.master, cls.ad)
 
         cls.child_ad = cls.ad_subdomains[0]  # pylint: disable=no-member
         cls.ad_subdomain = cls.child_ad.domain.name
@@ -65,10 +66,6 @@ class BaseTestTrust(IntegrationTest):
         tasks.run_repeatedly(cls.master, command,
                              test=lambda x: re.search(stdout_re, x))
 
-    def configure_dns_and_time(self, ad_host):
-        tasks.configure_dns_for_trust(self.master, ad_host)
-        tasks.sync_time(self.master, ad_host)
-
     def check_trustdomains(self, realm, expected_ad_domains):
         """Check that ipa trustdomain-find lists all expected domains"""
         result = self.master.run_command(['ipa', 'trustdomain-find', realm])
@@ -91,7 +88,6 @@ class BaseTestTrust(IntegrationTest):
 
     def remove_trust(self, ad):
         tasks.remove_trust_with_ad(self.master, ad.domain.name)
-        tasks.unconfigure_dns_for_trust(self.master, ad)
         tasks.clear_sssd_cache(self.master)
 
 
@@ -100,7 +96,7 @@ class TestTrust(BaseTestTrust):
     # Tests for non-posix AD trust
 
     def test_establish_nonposix_trust(self):
-        self.configure_dns_and_time(self.ad)
+        tasks.configure_dns_for_trust(self.master, self.ad)
         tasks.establish_trust_with_ad(
             self.master, self.ad_domain,
             extra_args=['--range-type', 'ipa-ad-trust'])
@@ -181,11 +177,12 @@ class TestTrust(BaseTestTrust):
 
     def test_remove_nonposix_trust(self):
         self.remove_trust(self.ad)
+        tasks.unconfigure_dns_for_trust(self.master, self.ad)
 
     # Tests for posix AD trust
 
     def test_establish_posix_trust(self):
-        self.configure_dns_and_time(self.ad)
+        tasks.configure_dns_for_trust(self.master, self.ad)
         tasks.establish_trust_with_ad(
             self.master, self.ad_domain,
             extra_args=['--range-type', 'ipa-ad-trust-posix'])
@@ -335,6 +332,7 @@ class TestTrust(BaseTestTrust):
 
     def test_remove_posix_trust(self):
         self.remove_trust(self.ad)
+        tasks.unconfigure_dns_for_trust(self.master, self.ad)
 
     # Tests for handling invalid trust types
 
@@ -346,7 +344,7 @@ class TestTrust(BaseTestTrust):
                                'random-invalid',
                                're@ll%ybad12!']
 
-        self.configure_dns_and_time(self.ad)
+        tasks.configure_dns_for_trust(self.master, self.ad)
         try:
             for range_type in invalid_range_types:
                 tasks.kinit_admin(self.master)
@@ -367,7 +365,7 @@ class TestTrust(BaseTestTrust):
     # Tests for external trust with AD subdomain
 
     def test_establish_external_subdomain_trust(self):
-        self.configure_dns_and_time(self.child_ad)
+        tasks.configure_dns_for_trust(self.master, self.ad)
         tasks.establish_trust_with_ad(
             self.master, self.ad_subdomain,
             extra_args=['--range-type', 'ipa-ad-trust', '--external=True'])
@@ -393,11 +391,12 @@ class TestTrust(BaseTestTrust):
 
     def test_remove_external_subdomain_trust(self):
         self.remove_trust(self.child_ad)
+        tasks.unconfigure_dns_for_trust(self.master, self.ad)
 
     # Tests for non-external trust with AD subdomain
 
     def test_establish_nonexternal_subdomain_trust(self):
-        self.configure_dns_and_time(self.child_ad)
+        tasks.configure_dns_for_trust(self.master, self.ad)
         try:
             tasks.kinit_admin(self.master)
 
@@ -412,12 +411,12 @@ class TestTrust(BaseTestTrust):
             assert ("Domain '{0}' is not a root domain".format(
                 self.ad_subdomain) in result.stderr_text)
         finally:
-            tasks.unconfigure_dns_for_trust(self.master, self.child_ad)
+            tasks.unconfigure_dns_for_trust(self.master, self.ad)
 
     # Tests for external trust with tree domain
 
     def test_establish_external_treedomain_trust(self):
-        self.configure_dns_and_time(self.tree_ad)
+        tasks.configure_dns_for_trust(self.master, self.ad, self.tree_ad)
         tasks.establish_trust_with_ad(
             self.master, self.ad_treedomain,
             extra_args=['--range-type', 'ipa-ad-trust', '--external=True'])
@@ -444,11 +443,12 @@ class TestTrust(BaseTestTrust):
 
     def test_remove_external_treedomain_trust(self):
         self.remove_trust(self.tree_ad)
+        tasks.unconfigure_dns_for_trust(self.master, self.ad, self.tree_ad)
 
     # Test for non-external trust with tree domain
 
     def test_establish_nonexternal_treedomain_trust(self):
-        self.configure_dns_and_time(self.tree_ad)
+        tasks.configure_dns_for_trust(self.master, self.ad, self.tree_ad)
         try:
             tasks.kinit_admin(self.master)
 
@@ -463,12 +463,12 @@ class TestTrust(BaseTestTrust):
             assert ("Domain '{0}' is not a root domain".format(
                 self.ad_treedomain) in result.stderr_text)
         finally:
-            tasks.unconfigure_dns_for_trust(self.master, self.tree_ad)
+            tasks.unconfigure_dns_for_trust(self.master, self.ad, self.tree_ad)
 
     # Tests for external trust with root domain
 
     def test_establish_external_rootdomain_trust(self):
-        self.configure_dns_and_time(self.ad)
+        tasks.configure_dns_for_trust(self.master, self.ad)
         tasks.establish_trust_with_ad(
             self.master, self.ad_domain,
             extra_args=['--range-type', 'ipa-ad-trust', '--external=True'])
@@ -478,11 +478,12 @@ class TestTrust(BaseTestTrust):
 
     def test_remove_external_rootdomain_trust(self):
         self.remove_trust(self.ad)
+        tasks.unconfigure_dns_for_trust(self.master, self.ad)
 
     # Test for one-way forest trust with shared secret
 
     def test_establish_forest_trust_with_shared_secret(self):
-        self.configure_dns_and_time(self.ad)
+        tasks.configure_dns_for_trust(self.master, self.ad)
         tasks.configure_windows_dns_for_trust(self.ad, self.master)
 
         # this is a workaround for
@@ -549,11 +550,12 @@ class TestTrust(BaseTestTrust):
              self.srv_gc_record_value])
 
         tasks.unconfigure_windows_dns_for_trust(self.ad, self.master)
+        tasks.unconfigure_dns_for_trust(self.master, self.ad)
 
     # Test for one-way external trust with shared secret
 
     def test_establish_external_trust_with_shared_secret(self):
-        self.configure_dns_and_time(self.ad)
+        tasks.configure_dns_for_trust(self.master, self.ad)
         tasks.configure_windows_dns_for_trust(self.ad, self.master)
 
         # create windows side of trust using netdom.exe utility
@@ -600,6 +602,7 @@ class TestTrust(BaseTestTrust):
         )
         self.remove_trust(self.ad)
         tasks.unconfigure_windows_dns_for_trust(self.ad, self.master)
+        tasks.unconfigure_dns_for_trust(self.master, self.ad)
 
     def test_server_option_with_unreachable_ad(self):
         """
@@ -689,7 +692,7 @@ class TestTrust(BaseTestTrust):
             assert ('List of trust domains successfully refreshed'
                     in result.stdout_text)
         finally:
+            self.remove_trust(self.ad)
             tasks.restore_files(self.master)
             self.master.run_command(['rm', '-f', ad_zone_file])
             tasks.restart_named(self.master)
-            tasks.remove_trust_with_ad(self.master, self.ad_domain)