Allow user to force Kerberos realm during installation.

Users can set a realm that does not match the one resolved from DNS. This is
especially useful when DNS is misconfigured.

https://fedorahosted.org/freeipa/ticket/4444

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
David Kupka 2014-08-27 12:31:09 +02:00 committed by Petr Viktorin
parent be65682340
commit a28d9b8f0a
2 changed files with 33 additions and 21 deletions


@ -2132,7 +2132,7 @@ def install(options, env, fstore, statestore):
# Create the discovery instance
ds = ipadiscovery.IPADiscovery()
ret = ds.search(domain=options.domain, servers=options.server, hostname=hostname, ca_cert_path=get_cert_path(options.ca_cert_file))
ret = ds.search(domain=options.domain, servers=options.server, realm=options.realm_name, hostname=hostname, ca_cert_path=get_cert_path(options.ca_cert_file))
if options.server and ret != 0:
# There is no point to continue with installation as server list was
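Review bot: The forced realm goes into discovery straight from `options.realm_name` in the `ds.search(...)` call, with no visible normalisation or format check before it becomes `ds.realm`. Kerberos realm names are case-sensitive, so a value typed in lower case would reach the client configuration as a different realm from the one the server uses, unless option parsing elsewhere already upper-cases it. I would add a comment above the call, `# realm_name is operator-supplied and overrides the DNS TXT lookup; trust it only once confirmed against the server`, and make sure any later server check (outside this hunk, if present) compares against the realm the server reports rather than against `ds.realm`. `install` starts and ends outside the hunk.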


@ -139,7 +139,7 @@ class IPADiscovery(object):
domain = domain[p+1:]
return (None, None)
def search(self, domain = "", servers = "", hostname=None, ca_cert_path=None):
def search(self, domain="", servers="", realm=None, hostname=None, ca_cert_path=None):
"""
Use DNS discovery to identify valid IPA servers.
@ -218,13 +218,21 @@ class IPADiscovery(object):
#search for kerberos
root_logger.debug("[Kerberos realm search]")
krb_realm, kdc = self.ipadnssearchkrb(self.domain)
if not servers and not krb_realm:
if realm:
root_logger.debug("Kerberos realm forced")
self.realm = realm
self.realm_source = 'Forced'
else:
realm = self.ipadnssearchkrbrealm()
self.realm = realm
self.realm_source = (
'Discovered Kerberos DNS records from %s' % self.domain)
if not servers and not realm:
return REALM_NOT_FOUND
self.realm = krb_realm
self.kdc = kdc
self.realm_source = self.kdc_source = (
self.kdc = self.ipadnssearchkrbkdc()
self.kdc_source = (
'Discovered Kerberos DNS records from %s' % self.domain)
# We may have received multiple servers corresponding to the domain
@ -452,11 +460,12 @@ class IPADiscovery(object):
return servers
def ipadnssearchkrb(self, tdomain):
def ipadnssearchkrbrealm(self, domain=None):
realm = None
kdc = None
if not domain:
domain = self.domain
# now, check for a Kerberos realm the local host or domain is in
qname = "_kerberos." + tdomain
qname = "_kerberos." + domain
root_logger.debug("Search DNS for TXT record of %s", qname)
@ -472,10 +481,13 @@ class IPADiscovery(object):
realm = answer.strings[0]
if realm:
break
return realm
if realm:
# now fetch server information for the realm
domain = realm.lower()
def ipadnssearchkrbkdc(self, domain=None):
kdc = None
if not domain:
domain = self.domain
kdc = self.ipadns_search_srv(domain, '_kerberos._udp', 88,
break_on_first=False)
@ -483,7 +495,7 @@ class IPADiscovery(object):
if kdc:
kdc = ','.join(kdc)
else:
root_logger.debug("SRV record for KDC not found! Realm: %s, SRV record: %s" % (realm, qname))
root_logger.debug("SRV record for KDC not found! Domain: %s" % domain)
kdc = None
return realm, kdc
return kdc
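Review bot: In `search`, `self.kdc = self.ipadnssearchkrbkdc()` is called with no argument, so the `_kerberos._udp` SRV lookup runs against `self.domain`, whereas the replaced `ipadnssearchkrb` appears to have queried `realm.lower()`. With a forced realm that deliberately differs from DNS, the KDC list then comes from unauthenticated DNS records of a domain that may not serve that realm, yet it is stored alongside `realm_source = 'Forced'` as if the two belonged together. Consider passing the realm-derived domain, `self.kdc = self.ipadnssearchkrbkdc(self.realm.lower() if self.realm else None)`, or documenting why `self.domain` is now the right zone. `kdc_source` is also assigned when the lookup returned None; guarding it with `if self.kdc:` would keep the provenance field accurate. The body of `search` continues outside the hunk.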