From 1e1d6d15c65357b1475917597ffa715ad9d6c8c1 Mon Sep 17 00:00:00 2001
From: Tomas Babej
Date: Thu, 3 Sep 2015 14:00:09 +0200
Subject: [PATCH] realmdomains: Issue a warning when automated management of realmdomains failed
https://fedorahosted.org/freeipa/ticket/5278
Reviewed-By: Martin Basti
---
 ipalib/messages.py | 31 +++++++++++++++++++++++++++++++
 ipalib/plugins/realmdomains.py | 28 +++++++++++++++++++++++-----
 2 files changed, 54 insertions(+), 5 deletions(-)
diff --git a/ipalib/messages.py b/ipalib/messages.py
index 375da2443..3b982f473 100644
--- a/ipalib/messages.py
+++ b/ipalib/messages.py
@@ -246,6 +246,37 @@ class DNSSECValidationFailingWarning(PublicMessage):
 u"validation on all IPA servers.")
+class KerberosTXTRecordCreationFailure(PublicMessage):
+ """
+ **13011** Used when a _kerberos TXT record could not be added to
+ a DNS zone.
+ """
+
+ errno = 13011
+ type = "warning"
+ format = _(
+ "The _kerberos TXT record from domain %(domain)s could not be created "
+ "(%(error)s).\nThis can happen if the zone is not managed by IPA. "
+ "Please create the record manually, containing the following "
+ "value: '%(realm)s'"
+ )
+
+
+class KerberosTXTRecordDeletionFailure(PublicMessage):
+ """
+ **13012** Used when a _kerberos TXT record could not be removed from
+ a DNS zone.
+ """
+
+ errno = 13012
+ type = "warning"
+ format = _(
+ "The _kerberos TXT record from domain %(domain)s could not be removed "
+ "(%(error)s).\nThis can happen if the zone is not managed by IPA. "
+ "Please remove the record manually."
+ )
+
+
 def iter_messages(variables, base):
 """Return a tuple with all subclasses
 """
diff --git a/ipalib/plugins/realmdomains.py b/ipalib/plugins/realmdomains.py
index 2da54309b..db9c5ccc2 100644
--- a/ipalib/plugins/realmdomains.py
+++ b/ipalib/plugins/realmdomains.py
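Review bot: `KerberosTXTRecordDeletionFailure.format` asks the administrator to remove the record manually but, unlike the creation message, never names the TXT value to remove, so if the `_kerberos` name holds more than one value the stale one is left to guesswork. Consider carrying the realm here as well, e.g. `"Please remove the record manually (value: '%(realm)s')."`, with `realm=` supplied by the caller in realmdomains.py. A leftover record presumably keeps advertising the realm for a domain that is no longer in realmdomains to clients that resolve realms through DNS, so this warning is worth making directly actionable. Minor wording: in the creation text, "from domain" reads better as "for domain".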
@@ -19,7 +19,7 @@
 import six
-from ipalib import api, errors
+from ipalib import api, errors, messages
 from ipalib import Str, Flag
 from ipalib import _
 from ipalib.plugable import Registry
@@ -289,8 +289,18 @@ class realmdomains_mod(LDAPUpdate):
 u'_kerberos',
 txtrecord=api.env.realm
 )
- except (errors.EmptyModlist, errors.NotFound):
- pass
+ except (errors.EmptyModlist, errors.NotFound) as error:
+ # If creation of the _kerberos TXT record failed, prompt
+ # for manual intervention
+ messages.add_message(
+ options['version'],
+ result,
+ messages.KerberosTXTRecordCreationFailure(
+ domain=domain,
+ error=unicode(error),
+ realm=self.api.env.realm
+ )
+ )
 # Delete _kerberos TXT record from zones that correspond with
 # domains which were deleted
@@ -306,8 +316,16 @@ class realmdomains_mod(LDAPUpdate):
 u'_kerberos',
 txtrecord=api.env.realm
 )
- except (errors.AttrValueNotFound, errors.NotFound):
- pass
+ except (errors.AttrValueNotFound, errors.NotFound) as error:
+ # If deletion of the _kerberos TXT record failed, prompt
+ # for manual intervention
+ messages.add_message(
+ options['version'],
+ result,
+ messages.KerberosTXTRecordDeletionFailure(
+ domain=domain, error=unicode(error)
+ )
+ )
 return result
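Review bot: In the `-289,8 +289,18` hunk the handler still catches `errors.EmptyModlist` together with `errors.NotFound`, so the new creation-failure warning is also raised when the add changed nothing, presumably because the `_kerberos` TXT record already holds the realm, and the administrator is then told to create a record that may already exist. Warn only on the real failure, keeping the no-op silent: `except errors.EmptyModlist:` / `pass` / `except errors.NotFound as error:`. The `-306,8 +316,16` hunk has the same shape with `errors.AttrValueNotFound`, which presumably means the value was already absent. Warnings that fire on benign no-ops make the genuine case (a zone not managed by IPA) easier to overlook. The enclosing method of `realmdomains_mod` starts outside both hunks, so the surrounding loops and the definition of `result` are not visible here.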