Warn user about realm-domain mismatch in install scripts

If the IPA server is setup with non-matching domain and realm names, it will not be able to estabilish trust with the Active Directory. Adds warnings to the ipa-server-install and warning to the ipa-adtrust-install (which has to be confirmed). Man pages for the ipa-server-install and ipa-adtrust-install were updated with the relevant notes. https://fedorahosted.org/freeipa/ticket/3924
2025-02-25 18:55:28 -06:00 · 2013-09-18 12:56:00 +02:00 · 2013-09-18 12:56:00 +02:00 · bae291def7
commit bae291def7
parent 8ebb76177d
4 changed files with 31 additions and 1 deletions
--- a/install/tools/ipa-adtrust-install
+++ b/install/tools/ipa-adtrust-install
@ -248,6 +248,22 @@ def main():
    api.bootstrap(**cfg)
    api.finalize()

+    # If domain name and realm does not match, IPA server will not be able
+    # to estabilish trust with Active Directory. Print big fat warning.
+
+    realm_not_matching_domain = (api.env.domain.upper() != api.env.realm)
+
+    if realm_not_matching_domain:
+        print("WARNING: Realm name does not match the domain name.\n"
+              "You will not be able to estabilish trusts with Active "
+              "Directory unless\nthe realm name of the IPA server matches its "
+              "domain name.\n\n")
+        if not options.unattended:
+            if not ipautil.user_input("Do you wish to continue?",
+                                      default = False,
+                                      allow_empty = False):
+                sys.exit("Aborting installation.")
+
    if adtrustinstance.ipa_smb_conf_exists():
        if not options.unattended:
            while True:
--- a/install/tools/ipa-server-install
+++ b/install/tools/ipa-server-install
@ -968,6 +968,17 @@ def main():
                or reverse_zone is None else reverse_zone)
        print

+    # If domain name and realm does not match, IPA server will not be able
+    # to estabilish trust with Active Directory. Print big fat warning.
+
+    realm_not_matching_domain = (domain_name.upper() != realm_name)
+
+    if realm_not_matching_domain:
+        print("WARNING: Realm name does not match the domain name.\n"
+              "You will not be able to estabilish trusts with Active "
+              "Directory unless\nythe realm name of the IPA server matches "
+              "its domain name.\n\n")
+
    if not options.unattended and not user_input("Continue to configure the system with these values?", False):
        sys.exit("Installation aborted")

--- a/install/tools/man/ipa-adtrust-install.1
+++ b/install/tools/man/ipa-adtrust-install.1
@ -26,6 +26,9 @@ Adds all necessary objects and configuration to allow an IPA server to create a
 trust to an Active Directory domain. This requires that the IPA server is
 already installed and configured.

+Please note you will not be able to estabilish an trust to an Active Directory
+domain unless the realm name of the IPA server matches its domain name.
+
 ipa\-adtrust\-install can be run multiple times to reinstall deleted objects or
 broken configuration files. E.g. a fresh samba configuration (smb.conf file and
 registry based configuration can be created. Other items like e.g. the
--- a/install/tools/man/ipa-server-install.1
+++ b/install/tools/man/ipa-server-install.1
@ -28,7 +28,7 @@ Configures the services needed by an IPA server. This includes setting up a Kerb
 .SS "BASIC OPTIONS"
 .TP
 \fB\-r\fR \fIREALM_NAME\fR, \fB\-\-realm\fR=\fIREALM_NAME\fR
-The Kerberos realm name for the IPA server
+The Kerberos realm name for the IPA server. You will not be able to estabilish trust with Active Directory unless the realm name is uppercased domain name.
 .TP
 \fB\-n\fR \fIDOMAIN_NAME\fR, \fB\-\-domain\fR=\fIDOMAIN_NAME\fR
 Your DNS domain name