From 14f27d299e4ef3a9fc0deb642e6cd4e48796364d Mon Sep 17 00:00:00 2001
From: Sergey Orlov
Date: Tue, 26 Mar 2019 16:41:30 +0100
Subject: [PATCH] ipatests: disable bind dns validation when preparing to establish AD trust

Before establishing trust with AD it is recommended in documentation (and for many setups necessary) to create add DNS forwarder for AD domain. Bind config supplied by ipa server has dnssec validation enabled. If Windows server DNS does not have DNSSEC enabled with valid certificate, then bind will not be able to use it as forwarder and trust will not be established.

Related to https://pagure.io/freeipa/issue/7889

Reviewed-By: Alexander Bokovoy
---
 ipatests/pytest_ipa/integration/tasks.py | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/ipatests/pytest_ipa/integration/tasks.py b/ipatests/pytest_ipa/integration/tasks.py
index ff818ff46..459531c68 100644
--- a/ipatests/pytest_ipa/integration/tasks.py
+++ b/ipatests/pytest_ipa/integration/tasks.py
@@ -567,6 +567,14 @@ def install_adtrust(host):
     run_repeatedly(host, dig_command, test=dig_test)
 
 
+def disable_dnssec_validation(host):
+    named_conf = host.get_file_contents(paths.NAMED_CONF)
+    named_conf = re.sub(br'dnssec-validation\s*yes;', b'dnssec-validation no;',
+                        named_conf)
+    host.put_file_contents(paths.NAMED_CONF, named_conf)
+    restart_named(host)
+
+
 def configure_dns_for_trust(master, ad):
     """
     This configures DNS on IPA master according to the relationship of the
@@ -606,6 +614,7 @@ def configure_dns_for_trust(master, ad):
         master.run_command(['ipa', 'dnszone-mod', master.domain.name,
                             '--allow-transfer', ad.ip])
     else:
+        disable_dnssec_validation(master)
         master.run_command(['ipa', 'dnsforwardzone-add', ad.domain.name,
                             '--forwarder', ad.ip,
                             '--forward-policy', 'only',
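Review bot: In the first hunk, disable_dnssec_validation succeeds silently when named.conf contains no `dnssec-validation yes;` directive (option absent, commented out, or already `no`), so the file is rewritten unchanged, named is restarted for nothing, and the trust step later fails with an unrelated-looking DNS error instead of at the point where the assumption broke. Using `re.subn` and checking the count makes that visible: `named_conf, count = re.subn(br'dnssec-validation\s*yes;', b'dnssec-validation no;', named_conf)` / `if count == 0:` / `raise RuntimeError('dnssec-validation yes; not found in %s' % paths.NAMED_CONF)`. The helper also has no docstring; I would add one stating that it turns off DNSSEC validation for the whole resolver on the host (every forwarder, not only the AD domain) and exists so the test master can forward to an AD DNS server whose zones are not DNSSEC-signed, which is the reason the second hunk calls it only in the forwarder branch of configure_dns_for_trust. Whether the IPA-generated named.conf always spells the directive exactly as `dnssec-validation yes;` is presumably true but not visible here, so the docstring should name that assumption.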