Fix installation when server hostname is not in a default domain

When IPA server is configured with DNS and its hostname is not
located in a default domain, SRV records are not valid.
Additionally, httpd does not serve the XMLRPC interface because the
IPA server domain-realm mapping is missing in krb5.conf. All CLI
commands were then failing.

This patch amends this configuration. It fixes SRV records in
served domain to include full FQDN instead of relative hostname
when the IPA server hostname is not located in served domain.
IPA server forward record is also placed to correct zone.

When IPA server is not in a served domain a proper domain-realm
mapping is configured to krb5.conf. The template was improved
in order to be able to hold this information.

https://fedorahosted.org/freeipa/ticket/2602
This commit is contained in:
Martin Kosek
2012-04-04 16:31:04 +02:00
committed by Rob Crittenden
parent dcea80fc17
commit 184a066f4a
3 changed files with 40 additions and 13 deletions


@@ -22,7 +22,7 @@
[domain_realm]
.$DOMAIN = $REALM
$DOMAIN = $REALM
$OTHER_DOMAIN_REALM_MAPS
[dbmodules]
$REALM = {
db_library = ipadb.so


@@ -395,7 +395,6 @@ class BindInstance(service.Service):
self.domain = domain_name
self.forwarders = forwarders
self.host = fqdn.split(".")[0]
self.host_domain = '.'.join(fqdn.split(".")[1:])
self.suffix = util.realm_to_suffix(self.realm)
self.ntp = ntp
self.reverse_zone = reverse_zone
@@ -409,6 +408,21 @@ class BindInstance(service.Service):
self.__setup_sub_dict()
@property
def host_domain(self):
return '.'.join(self.fqdn.split(".")[1:])
@property
def host_in_rr(self):
# when a host is not in a default domain, it needs to be referred
# with FQDN and not in a domain-relative host name
if not self.host_in_default_domain():
return normalize_zone(self.fqdn)
return self.host
def host_in_default_domain(self):
return normalize_zone(self.host_domain) == normalize_zone(self.domain)
def create_sample_bind_zone(self):
bind_txt = ipautil.template_file(ipautil.SHARE_DIR + "bind.zone.db.template", self.sub_dict)
[bind_fd, bind_name] = tempfile.mkstemp(".db","sample.zone.")
@@ -474,7 +488,7 @@ class BindInstance(service.Service):
if self.ntp:
optional_ntp = "\n;ntp server\n"
optional_ntp += "_ntp._udp\t\tIN SRV 0 100 123\t%s""" % self.host
optional_ntp += "_ntp._udp\t\tIN SRV 0 100 123\t%s""" % self.host_in_rr
else:
optional_ntp = ""
@@ -495,7 +509,7 @@ class BindInstance(service.Service):
self._ldap_mod("dns.ldif", self.sub_dict)
def __setup_zone(self):
if self.host_domain != self.domain:
if not self.host_in_default_domain():
# add DNS domain for host first
root_logger.debug("Host domain (%s) is different from DNS domain (%s)!" \
% (self.host_domain, self.domain))
@@ -512,14 +526,14 @@ class BindInstance(service.Service):
def __add_self(self):
zone = self.domain
resource_records = (
("_ldap._tcp", "SRV", "0 100 389 %s" % self.host),
("_ldap._tcp", "SRV", "0 100 389 %s" % self.host_in_rr),
("_kerberos", "TXT", self.realm),
("_kerberos._tcp", "SRV", "0 100 88 %s" % self.host),
("_kerberos._udp", "SRV", "0 100 88 %s" % self.host),
("_kerberos-master._tcp", "SRV", "0 100 88 %s" % self.host),
("_kerberos-master._udp", "SRV", "0 100 88 %s" % self.host),
("_kpasswd._tcp", "SRV", "0 100 464 %s" % self.host),
("_kpasswd._udp", "SRV", "0 100 464 %s" % self.host),
("_kerberos._tcp", "SRV", "0 100 88 %s" % self.host_in_rr),
("_kerberos._udp", "SRV", "0 100 88 %s" % self.host_in_rr),
("_kerberos-master._tcp", "SRV", "0 100 88 %s" % self.host_in_rr),
("_kerberos-master._udp", "SRV", "0 100 88 %s" % self.host_in_rr),
("_kpasswd._tcp", "SRV", "0 100 464 %s" % self.host_in_rr),
("_kpasswd._udp", "SRV", "0 100 464 %s" % self.host_in_rr),
)
for (host, type, rdata) in resource_records:
@@ -528,10 +542,10 @@ class BindInstance(service.Service):
else:
add_rr(zone, host, type, rdata)
if self.ntp:
add_rr(zone, "_ntp._udp", "SRV", "0 100 123 %s" % self.host)
add_rr(zone, "_ntp._udp", "SRV", "0 100 123 %s" % self.host_in_rr)
# Add forward and reverse records to self
add_fwd_rr(zone, self.host, self.ip_address)
add_fwd_rr(self.host_domain, self.host, self.ip_address)
if self.reverse_zone is not None and dns_zone_exists(self.reverse_zone):
add_ptr_rr(self.reverse_zone, self.ip_address, self.fqdn)
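Review bot: `host_in_rr` and `host_in_default_domain` carry no docstring, and `host_in_default_domain` is a strict normalized-name equality, so a host in a subdomain of the served domain (host.sub.example.com with domain example.com) counts as outside it and `__setup_zone` will add a separate zone for sub.example.com; if that is intended it should be stated. Suggested docstring for `host_in_default_domain`: `"""Return True when the host's own domain is exactly the served DNS domain (subdomains count as outside)."""`, and for `host_in_rr`: `"""SRV target for this server: the short host name when it lies in the served domain, the normalized FQDN otherwise."""`. Since `host_domain` and `host_in_rr` are properties, making `host_in_default_domain` a property too would keep the trio uniform, though the two call sites `if not self.host_in_default_domain():` would need updating. The class body continues outside the hunks.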


@@ -233,6 +233,19 @@ class KrbInstance(service.Service):
SERVER_ID=dsinstance.realm_to_serverid(self.realm),
REALM=self.realm)
# IPA server/KDC is not a subdomain of default domain
# Proper domain-realm mapping needs to be specified
dr_map = ''
if not self.fqdn.endswith(self.domain):
root_logger.debug("IPA FQDN '%s' is not located in default domain '%s'" \
% (self.fqdn, self.domain))
server_host, dot, server_domain = self.fqdn.partition('.')
root_logger.debug("Domain '%s' needs additional mapping in krb5.conf" \
% server_domain)
dr_map = " .%(domain)s = %(realm)s\n %(domain)s = %(realm)s\n" \
% dict(domain=server_domain, realm=self.realm)
self.sub_dict['OTHER_DOMAIN_REALM_MAPS'] = dr_map
def __configure_sasl_mappings(self):
# we need to remove any existing SASL mappings in the directory as otherwise they
# they may conflict.
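Review bot: The suffix test `if not self.fqdn.endswith(self.domain):` matches any hostname whose characters merely end with the domain's, so a server at host.subexample.com with domain example.com is treated as in the default domain and gets no extra domain-realm mapping, while host.example.org with domain Example.org is treated as outside it. Anchoring on the label boundary and comparing case-insensitively fixes both: `if not self.fqdn.lower().endswith('.' + self.domain.lower()):`. This also differs from the new `host_in_default_domain` in bindinstance.py, which uses strict zone equality, so a host in a subdomain of the served domain is "outside" for DNS but "inside" for krb5.conf; that is probably fine for `[domain_realm]` since the `.$DOMAIN` entry already covers subdomains, but a comment saying so would help. `server_host` and `dot` from the `partition` call are unused; `server_domain = self.fqdn.partition('.')[2]` reads cleaner. The enclosing method starts before the hunk.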