Allow user to force Kerberos realm during installation.

User can set realm not matching one resolved from DNS. This is useful especially when DNS is missconfigured. https://fedorahosted.org/freeipa/ticket/4444 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2025-02-25 18:55:28 -06:00 · 2014-08-27 12:31:09 +02:00 · 2014-08-27 12:31:09 +02:00 · a28d9b8f0a
commit a28d9b8f0a
parent be65682340
2 changed files with 33 additions and 21 deletions
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@ -2132,7 +2132,7 @@ def install(options, env, fstore, statestore):
    # Create the discovery instance
    ds = ipadiscovery.IPADiscovery()
-    ret = ds.search(domain=options.domain, servers=options.server, hostname=hostname, ca_cert_path=get_cert_path(options.ca_cert_file))
+    ret = ds.search(domain=options.domain, servers=options.server, realm=options.realm_name, hostname=hostname, ca_cert_path=get_cert_path(options.ca_cert_file))
    if options.server and ret != 0:
        # There is no point to continue with installation as server list was
--- a/ipa-client/ipaclient/ipadiscovery.py
+++ b/ipa-client/ipaclient/ipadiscovery.py
@ -139,7 +139,7 @@ class IPADiscovery(object):
                domain = domain[p+1:]
        return (None, None)
-    def search(self, domain = "", servers = "", hostname=None, ca_cert_path=None):
+    def search(self, domain="", servers="", realm=None, hostname=None, ca_cert_path=None):
        """
        Use DNS discovery to identify valid IPA servers.
@ -218,13 +218,21 @@ class IPADiscovery(object):
        #search for kerberos
        root_logger.debug("[Kerberos realm search]")
-        krb_realm, kdc = self.ipadnssearchkrb(self.domain)
+        if realm:
-        if not servers and not krb_realm:
+            root_logger.debug("Kerberos realm forced")
            self.realm = realm
            self.realm_source = 'Forced'
        else:
            realm = self.ipadnssearchkrbrealm()
            self.realm = realm
            self.realm_source = (
                'Discovered Kerberos DNS records from %s' % self.domain)
        if not servers and not realm:
            return REALM_NOT_FOUND
-        self.realm = krb_realm
+        self.kdc = self.ipadnssearchkrbkdc()
-        self.kdc = kdc
+        self.kdc_source = (
        self.realm_source = self.kdc_source = (
            'Discovered Kerberos DNS records from %s' % self.domain)
        # We may have received multiple servers corresponding to the domain
@ -452,11 +460,12 @@ class IPADiscovery(object):
        return servers
-    def ipadnssearchkrb(self, tdomain):
+    def ipadnssearchkrbrealm(self, domain=None):
        realm = None
-        kdc = None
+        if not domain:
            domain = self.domain
        # now, check for a Kerberos realm the local host or domain is in
-        qname = "_kerberos." + tdomain
+        qname = "_kerberos." + domain
        root_logger.debug("Search DNS for TXT record of %s", qname)
@ -472,10 +481,13 @@ class IPADiscovery(object):
                realm = answer.strings[0]
                if realm:
                    break
        return realm
-        if realm:
+    def ipadnssearchkrbkdc(self, domain=None):
-            # now fetch server information for the realm
+        kdc = None
-            domain = realm.lower()
+
        if not domain:
            domain = self.domain
        kdc = self.ipadns_search_srv(domain, '_kerberos._udp', 88,
                                     break_on_first=False)
@ -483,7 +495,7 @@ class IPADiscovery(object):
        if kdc:
            kdc = ','.join(kdc)
        else:
-                root_logger.debug("SRV record for KDC not found! Realm: %s, SRV record: %s" % (realm, qname))
+            root_logger.debug("SRV record for KDC not found! Domain: %s" % domain)
            kdc = None
-        return realm, kdc
+        return kdc