IntenseWebs/freeipa
3
0
Fork 0
mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2025-02-25 18:55:28 -06:00
Code Issues Packages Projects Releases Wiki Activity

Allow user to force Kerberos realm during installation.

Browse Source 
User can set realm not matching one resolved from DNS. This is useful especially
when DNS is missconfigured.

https://fedorahosted.org/freeipa/ticket/4444

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
This commit is contained in:
David Kupka 2014-08-27 12:31:09 +02:00 committed by Petr Viktorin
parent be65682340
commit a28d9b8f0a
2 changed files with 33 additions and 21 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
ipa-client/ipa-install/ipa-client-install
View File

@ -2132,7 +2132,7 @@ def install(options, env, fstore, statestore):
# Create the discovery instance
ds = ipadiscovery.IPADiscovery()
ret = ds.search(domain=options.domain, servers=options.server, hostname=hostname, ca_cert_path=get_cert_path(options.ca_cert_file))
ret = ds.search(domain=options.domain, servers=options.server, realm=options.realm_name, hostname=hostname, ca_cert_path=get_cert_path(options.ca_cert_file))
if options.server and ret != 0:
# There is no point to continue with installation as server list was

52
ipa-client/ipaclient/ipadiscovery.py
View File

@ -139,7 +139,7 @@ class IPADiscovery(object):
domain = domain[p+1:]
return (None, None)
def search(self, domain = "", servers = "", hostname=None, ca_cert_path=None):
def search(self, domain="", servers="", realm=None, hostname=None, ca_cert_path=None):
"""
Use DNS discovery to identify valid IPA servers.
@ -218,13 +218,21 @@ class IPADiscovery(object):
#search for kerberos
root_logger.debug("[Kerberos realm search]")
krb_realm, kdc = self.ipadnssearchkrb(self.domain)
if not servers and not krb_realm:
if realm:
root_logger.debug("Kerberos realm forced")
self.realm = realm
self.realm_source = 'Forced'
else:
realm = self.ipadnssearchkrbrealm()
self.realm = realm
self.realm_source = (
'Discovered Kerberos DNS records from %s' % self.domain)
if not servers and not realm:
return REALM_NOT_FOUND
self.realm = krb_realm
self.kdc = kdc
self.realm_source = self.kdc_source = (
self.kdc = self.ipadnssearchkrbkdc()
self.kdc_source = (
'Discovered Kerberos DNS records from %s' % self.domain)
# We may have received multiple servers corresponding to the domain
@ -452,11 +460,12 @@ class IPADiscovery(object):
return servers
def ipadnssearchkrb(self, tdomain):
def ipadnssearchkrbrealm(self, domain=None):
realm = None
kdc = None
if not domain:
domain = self.domain
# now, check for a Kerberos realm the local host or domain is in
qname = "_kerberos." + tdomain
qname = "_kerberos." + domain
root_logger.debug("Search DNS for TXT record of %s", qname)
@ -472,18 +481,21 @@ class IPADiscovery(object):
realm = answer.strings[0]
if realm:
break
return realm
if realm:
# now fetch server information for the realm
domain = realm.lower()
def ipadnssearchkrbkdc(self, domain=None):
kdc = None
kdc = self.ipadns_search_srv(domain, '_kerberos._udp', 88,
break_on_first=False)
if not domain:
domain = self.domain
if kdc:
kdc = ','.join(kdc)
else:
root_logger.debug("SRV record for KDC not found! Realm: %s, SRV record: %s" % (realm, qname))
kdc = None
kdc = self.ipadns_search_srv(domain, '_kerberos._udp', 88,
break_on_first=False)
return realm, kdc
if kdc:
kdc = ','.join(kdc)
else:
root_logger.debug("SRV record for KDC not found! Domain: %s" % domain)
kdc = None
return kdc