KDC autodiscovery may fail when domain is not realm

When ipa-client-install autodiscovers the IPA server values, it does
not write a fixed KDC address into the Kerberos configuration
file. However, when realm != domain or the autodiscovered values
are overridden, installation may fail because it cannot find the
KDC.

This patch adds a failover to use static KDC address in case when
such an issue occurs.

https://fedorahosted.org/freeipa/ticket/1100
This commit is contained in:
Martin Kosek 2011-03-21 14:50:05 +01:00
parent a7f9814ab7
commit 95b4040f6b
2 changed files with 26 additions and 15 deletions


@ -386,7 +386,7 @@ def hardcode_ldap_server(cli_server):
return return
def configure_krb5_conf(fstore, cli_basedn, cli_realm, cli_domain, cli_server, dnsok, options, filename): def configure_krb5_conf(fstore, cli_basedn, cli_realm, cli_domain, cli_server, cli_kdc, dnsok, options, filename):
krbconf = ipaclient.ipachangeconf.IPAChangeConf("IPA Installer") krbconf = ipaclient.ipachangeconf.IPAChangeConf("IPA Installer")
krbconf.setOptionAssignment(" = ") krbconf.setOptionAssignment(" = ")
@ -399,7 +399,7 @@ def configure_krb5_conf(fstore, cli_basedn, cli_realm, cli_domain, cli_server, d
#[libdefaults] #[libdefaults]
libopts = [{'name':'default_realm', 'type':'option', 'value':cli_realm}] libopts = [{'name':'default_realm', 'type':'option', 'value':cli_realm}]
if not dnsok or options.force: if not dnsok or not cli_kdc or options.force:
libopts.append({'name':'dns_lookup_realm', 'type':'option', 'value':'false'}) libopts.append({'name':'dns_lookup_realm', 'type':'option', 'value':'false'})
libopts.append({'name':'dns_lookup_kdc', 'type':'option', 'value':'false'}) libopts.append({'name':'dns_lookup_kdc', 'type':'option', 'value':'false'})
else: else:
@ -413,7 +413,7 @@ def configure_krb5_conf(fstore, cli_basedn, cli_realm, cli_domain, cli_server, d
opts.append({'name':'empty', 'type':'empty'}) opts.append({'name':'empty', 'type':'empty'})
#the following are necessary only if DNS discovery does not work #the following are necessary only if DNS discovery does not work
if not dnsok or options.force: if not dnsok or not cli_kdc or options.force:
#[realms] #[realms]
kropts =[{'name':'kdc', 'type':'option', 'value':cli_server+':88'}, kropts =[{'name':'kdc', 'type':'option', 'value':cli_server+':88'},
{'name':'admin_server', 'type':'option', 'value':cli_server+':749'}, {'name':'admin_server', 'type':'option', 'value':cli_server+':749'},
@ -716,6 +716,11 @@ def main():
print >>sys.stderr, "due to network or firewall settings." print >>sys.stderr, "due to network or firewall settings."
return ret return ret
cli_kdc = ds.getKDCName()
if dnsok and not cli_kdc:
print >>sys.stderr, "DNS domain '%s' is not configured for automatic KDC address lookup." % ds.getRealmName().lower()
print >>sys.stderr, "KDC address will be set to fixed value.\n"
if dnsok: if dnsok:
print "Discovery was successful!" print "Discovery was successful!"
elif not options.unattended: elif not options.unattended:
@ -772,7 +777,7 @@ def main():
try: try:
(krb_fd, krb_name) = tempfile.mkstemp() (krb_fd, krb_name) = tempfile.mkstemp()
os.close(krb_fd) os.close(krb_fd)
if configure_krb5_conf(fstore, cli_basedn, cli_realm, cli_domain, cli_server, dnsok, options, krb_name): if configure_krb5_conf(fstore, cli_basedn, cli_realm, cli_domain, cli_server, cli_kdc, dnsok, options, krb_name):
sys.exit("Test kerberos configuration failed") sys.exit("Test kerberos configuration failed")
env['KRB5_CONFIG'] = krb_name env['KRB5_CONFIG'] = krb_name
join_args = ["/usr/sbin/ipa-join", "-s", cli_server] join_args = ["/usr/sbin/ipa-join", "-s", cli_server]
@ -864,7 +869,7 @@ def main():
if not options.on_master: if not options.on_master:
# Configure krb5.conf # Configure krb5.conf
fstore.backup_file("/etc/krb5.conf") fstore.backup_file("/etc/krb5.conf")
if configure_krb5_conf(fstore, cli_basedn, cli_realm, cli_domain, cli_server, dnsok, options, "/etc/krb5.conf"): if configure_krb5_conf(fstore, cli_basedn, cli_realm, cli_domain, cli_server, cli_kdc, dnsok, options, "/etc/krb5.conf"):
return 1 return 1
print "Configured /etc/krb5.conf for IPA realm " + cli_realm print "Configured /etc/krb5.conf for IPA realm " + cli_realm
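Review bot: `cli_kdc` is threaded through `configure_krb5_conf` (signature, and both call sites in main), but inside the function it is only tested for truthiness in the two `if not dnsok or not cli_kdc or options.force:` conditions; the kdc value actually written is still `cli_server+':88'`, so the discovered KDC name never reaches krb5.conf. If that is the intent — the static entry pins the client to the enrolling server instead of to whatever name the SRV answer carried — it deserves a comment at the top of the function, e.g. `# cli_kdc: KDC name from DNS SRV, or None. Only its presence matters here; when it is missing, DNS lookups are disabled and the enrolling server is written as the fixed KDC.` The same three-way condition is evaluated twice; computing it once, `use_static_kdc = not dnsok or not cli_kdc or options.force`, and testing that local in both places keeps the two branches from drifting apart. In main, the warning next to `cli_kdc = ds.getKDCName()` labels `ds.getRealmName().lower()` as the "DNS domain", which is correct only because the SRV query in ipadiscovery now uses the lowercased realm as the zone; a one-line comment there would save the next reader the cross-file lookup. Both configure_krb5_conf and main continue outside the hunks.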


@ -68,6 +68,9 @@ class IPADiscovery:
def getRealmName(self): def getRealmName(self):
return self.realm return self.realm
def getKDCName(self):
return self.kdc
def getBaseDN(self): def getBaseDN(self):
return self.basedn return self.basedn
@ -139,20 +142,20 @@ class IPADiscovery:
else: else:
return -2 #no ldap server found return -2 #no ldap server found
#search for kerberos TODO: move this after ipacheckldap()
logging.debug("[ipadnssearchkrb]")
krbret = self.ipadnssearchkrb(self.domain)
if not krbret:
return -3 #no krb server found
self.realm = krbret[0]
else: #server forced on us, this means DNS doesn't work :/ else: #server forced on us, this means DNS doesn't work :/
self.domain = domain self.domain = domain
self.server = server self.server = server
#search for kerberos
logging.debug("[ipadnssearchkrb]")
krbret = self.ipadnssearchkrb(self.domain)
if not server and not krbret[0]:
return -3 # realm for autodiscovery not found
self.realm = krbret[0]
self.kdc = krbret[1]
logging.debug("[ipacheckldap]") logging.debug("[ipacheckldap]")
# check ldap now # check ldap now
ldapret = self.ipacheckldap(self.server, self.realm) ldapret = self.ipacheckldap(self.server, self.realm)
@ -303,7 +306,7 @@ class IPADiscovery:
if realm: if realm:
# now fetch server information for the realm # now fetch server information for the realm
qname = "_kerberos._udp." + tdomain qname = "_kerberos._udp." + realm.lower()
# terminate the name # terminate the name
if not qname.endswith("."): if not qname.endswith("."):
qname += "." qname += "."
@ -318,4 +321,7 @@ class IPADiscovery:
else: else:
kdc = qname kdc = qname
if not kdc:
logging.debug("SRV record for KDC not found! Realm: %s, SRV record: %s" % (realm, qname))
return [realm, kdc] return [realm, kdc]
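Review bot: In the `search` hunk at `@ -139,20 +142,20`, the forced-server branch now assigns `self.realm = krbret[0]` and `self.kdc = krbret[1]` unconditionally, because `if not server and not krbret[0]:` only returns -3 in the discovery case; with a forced server and no usable DNS (the situation the `else:` comment describes) this stores `None` as the realm and continues into `ipacheckldap(self.server, self.realm)`. If `self.realm` may already hold a caller-supplied value at that point (the start of `search` is outside the hunk), guard the assignment, `if krbret[0]: self.realm = krbret[0]`, or at least log the empty result before going on. The old guard was `if not krbret:`; the new one indexes `krbret[0]`, which is safe only if every return path of `ipadnssearchkrb` yields a two-element list — the visible end does (`return [realm, kdc]`), but the function's beginning is outside the hunk, so this is worth confirming. In the last hunk the new debug line formats the message eagerly with `%`; `logging.debug("SRV record for KDC not found! Realm: %s, SRV record: %s", realm, qname)` defers formatting to the logger and matches the lazy-args convention.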