ipa-client-install: update sssd.conf if nsupdate requires -g

If dynamic DNS updates are selected, sssd will use GSS-TSIG by default for nsupdate. When ipa-client-install notices that plain nsupdate is required, switch sssd to use no authentication for dynamic updates too. Fixes: https://pagure.io/freeipa/issue/8402 Signed-off-by: François Cami <fcami@redhat.com> Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2025-01-26 16:16:31 -06:00 · 2021-04-09 10:29:31 +01:00 · 2021-04-09 10:29:31 +01:00 · 2e31e8479a
commit 2e31e8479a
parent 20c7bd5eba
2 changed files with 32 additions and 2 deletions
--- a/client/man/ipa-client-install.1
+++ b/client/man/ipa-client-install.1
@ -205,7 +205,11 @@ Create DNS A/AAAA record for each IP address on this host.
 Configure SSSD to permit all access. Otherwise the machine will be controlled by the Host\-based Access Controls (HBAC) on the IPA server.
 .TP
 \fB\-\-enable\-dns\-updates\fR
-This option tells SSSD to automatically update DNS with the IP address of this client.
+This option tells SSSD to automatically update DNS with the IP address of this
+client.
+The default is to use GSS-TSIG. However, if using GSS-TSIG fails for any reason
+at install time, \fBipa\-client\-install\fR will configure SSSD to use
+unauthenticated nsupdates instead.
 .TP
 \fB\-\-no\-krb5\-offline\-passwords\fR
 Configure SSSD not to store user password when the server is offline.
--- a/ipaclient/install/client.py
+++ b/ipaclient/install/client.py
@ -1369,9 +1369,35 @@ def do_nsupdate(update_txt):
        ipautil.run([paths.NSUPDATE, '-g', UPDATE_FILE])
        result = True
    except CalledProcessError as e:
-        logger.debug('nsupdate failed: %s', str(e))
+        logger.debug('nsupdate (GSS-TSIG) failed: %s', str(e))
        try:
            ipautil.run([paths.NSUPDATE, UPDATE_FILE])
+            try:
+                sssdconfig = SSSDConfig.SSSDConfig()
+                sssdconfig.import_config()
+                domains = sssdconfig.list_active_domains()
+                for name in domains:
+                    domain = sssdconfig.get_domain(name)
+                    try:
+                        provider = domain.get_option('id_provider')
+                    except SSSDConfig.NoOptionError:
+                        continue
+                    if name == api.env.domain and provider == "ipa":
+                        try:
+                            if domain.get_option('dyndns_update') is True:
+                                domain.set_option('dyndns_auth', 'none')
+                                sssdconfig.save_domain(domain)
+                                sssdconfig.write(paths.SSSD_CONF)
+                                break
+                        except SSSDConfig.NoOptionError:
+                            break
+            except Exception as e:
+                logger.debug('Unable to update SSSD configuration: %s', str(e))
+                logger.info(
+                    'Failed to configure SSSD for unauthenticated DNS '
+                    'dynamic updates. SSSD might be unable to update DNS '
+                    'entries for this host.'
+                )
            result = True
        except CalledProcessError as e:
            logger.debug('Unauthenticated nsupdate failed: %s', str(e))