Revert "Tests: Remove DNS configuration from trust tests"

This reverts commit 1d9e1521c5. The reverted commit message states: "Since DNS configuration is no longer needed for running trust tests, this method's contents are removed." In fact tests can run without DNS configuration only in case if test setup has a DNS server with DNSSEC support and there are A records for Windows machines and SRV records Windows AD services and this DNS server is used as forwarder by bind. If one of these in not true then tests fail when trying to establish trust (ipa trust-add) as --server option is not used and ipa can not find the AD machine. If we specify --server option and add Windows hosts to /etc/hosts, then trust will be established, but then sssd will fail to find the host to talk for getting users from AD. So for general case we should setup DNS forwarders prior to establishing trust, as stated in https://www.freeipa.org/page/Active_Directory_trust_setup Related to https://pagure.io/freeipa/issue/7889 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2025-02-25 18:55:28 -06:00 · 2019-03-25 17:41:21 +01:00 · 2019-03-25 17:41:21 +01:00 · cc1fb2fac5
commit cc1fb2fac5
parent c3fc551c2a
1 changed files with 40 additions and 3 deletions
--- a/ipatests/pytest_ipa/integration/tasks.py
+++ b/ipatests/pytest_ipa/integration/tasks.py
@ -569,11 +569,48 @@ def install_adtrust(host):

 def configure_dns_for_trust(master, ad):
    """
-    This method is intentionally left empty. Originally it served for DNS
-    configuration on IPA master according to the relationship of the IPA's
-    and AD's domains.
+    This configures DNS on IPA master according to the relationship of the
+    IPA's and AD's domains.
    """

+    def is_subdomain(subdomain, domain):
+        subdomain_unpacked = subdomain.split('.')
+        domain_unpacked = domain.split('.')
+
+        subdomain_unpacked.reverse()
+        domain_unpacked.reverse()
+
+        subdomain = False
+
+        if len(subdomain_unpacked) > len(domain_unpacked):
+            subdomain = True
+
+            for subdomain_segment, domain_segment in zip(subdomain_unpacked,
+                                                         domain_unpacked):
+                subdomain = subdomain and subdomain_segment == domain_segment
+
+        return subdomain
+
+    kinit_admin(master)
+
+    if is_subdomain(ad.domain.name, master.domain.name):
+        master.run_command(['ipa', 'dnsrecord-add', master.domain.name,
+                            '%s.%s' % (ad.shortname, ad.netbios),
+                            '--a-ip-address', ad.ip])
+
+        master.run_command(['ipa', 'dnsrecord-add', master.domain.name,
+                            ad.netbios,
+                            '--ns-hostname',
+                            '%s.%s' % (ad.shortname, ad.netbios)])
+
+        master.run_command(['ipa', 'dnszone-mod', master.domain.name,
+                            '--allow-transfer', ad.ip])
+    else:
+        master.run_command(['ipa', 'dnsforwardzone-add', ad.domain.name,
+                            '--forwarder', ad.ip,
+                            '--forward-policy', 'only',
+                            ])
+

 def establish_trust_with_ad(master, ad_domain, extra_args=()):
    """