IntenseWebs/freeipa
3
0
Fork 0
mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2025-02-25 18:55:28 -06:00
Code Issues Packages Projects Releases Wiki Activity

ipa-client-install: update sssd.conf if nsupdate requires -g

Browse Source 
If dynamic DNS updates are selected, sssd will use GSS-TSIG
by default for nsupdate.
When ipa-client-install notices that plain nsupdate is required,
switch sssd to use no authentication for dynamic updates too.

Fixes: https://pagure.io/freeipa/issue/8402
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
This commit is contained in:
François Cami 2021-04-09 10:29:31 +01:00 committed by Alexander Bokovoy
parent 20c7bd5eba
commit 2e31e8479a
2 changed files with 32 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
client/man/ipa-client-install.1
View File

@ -205,7 +205,11 @@ Create DNS A/AAAA record for each IP address on this host.
Configure SSSD to permit all access. Otherwise the machine will be controlled by the Host\-based Access Controls (HBAC) on the IPA server. Configure SSSD to permit all access. Otherwise the machine will be controlled by the Host\-based Access Controls (HBAC) on the IPA server.
.TP .TP
\fB\-\-enable\-dns\-updates\fR \fB\-\-enable\-dns\-updates\fR
This option tells SSSD to automatically update DNS with the IP address of this client. This option tells SSSD to automatically update DNS with the IP address of this
client.
The default is to use GSS-TSIG. However, if using GSS-TSIG fails for any reason
at install time, \fBipa\-client\-install\fR will configure SSSD to use
unauthenticated nsupdates instead.
.TP .TP
\fB\-\-no\-krb5\-offline\-passwords\fR \fB\-\-no\-krb5\-offline\-passwords\fR
Configure SSSD not to store user password when the server is offline. Configure SSSD not to store user password when the server is offline.

28
ipaclient/install/client.py
View File

@ -1369,9 +1369,35 @@ def do_nsupdate(update_txt):
ipautil.run([paths.NSUPDATE, '-g', UPDATE_FILE]) ipautil.run([paths.NSUPDATE, '-g', UPDATE_FILE])
result = True result = True
except CalledProcessError as e: except CalledProcessError as e:
logger.debug('nsupdate failed: %s', str(e)) logger.debug('nsupdate (GSS-TSIG) failed: %s', str(e))
try: try:
ipautil.run([paths.NSUPDATE, UPDATE_FILE]) ipautil.run([paths.NSUPDATE, UPDATE_FILE])
try:
sssdconfig = SSSDConfig.SSSDConfig()
sssdconfig.import_config()
domains = sssdconfig.list_active_domains()
for name in domains:
domain = sssdconfig.get_domain(name)
try:
provider = domain.get_option('id_provider')
except SSSDConfig.NoOptionError:
continue
if name == api.env.domain and provider == "ipa":
try:
if domain.get_option('dyndns_update') is True:
domain.set_option('dyndns_auth', 'none')
sssdconfig.save_domain(domain)
sssdconfig.write(paths.SSSD_CONF)
break
except SSSDConfig.NoOptionError:
break
except Exception as e:
logger.debug('Unable to update SSSD configuration: %s', str(e))
logger.info(
'Failed to configure SSSD for unauthenticated DNS '
'dynamic updates. SSSD might be unable to update DNS '
'entries for this host.'
)
result = True result = True
except CalledProcessError as e: except CalledProcessError as e:
logger.debug('Unauthenticated nsupdate failed: %s', str(e)) logger.debug('Unauthenticated nsupdate failed: %s', str(e))