Require that service principals resolve to a DNS A record.

There is a --force option for those who know what they are doing. 433483
2025-02-25 18:55:28 -06:00 · 2008-02-26 13:51:56 -05:00
parent 111a475b15
commit d6d12e9dc5
7 changed files with 45 additions and 11 deletions
--- a/ipa-server/ipa-gui/ipagui/subcontrollers/principal.py
+++ b/ipa-server/ipa-gui/ipagui/subcontrollers/principal.py
@@ -96,7 +96,7 @@ class PrincipalController(IPAController):
            # The realm is added by add_service_principal
            principal_name = utf8_encode_values(service + "/" + kw.get('hostname'))

-            rv = client.add_service_principal(principal_name)
+            rv = client.add_service_principal(principal_name, 0)
        except ipaerror.exception_for(ipaerror.LDAP_DUPLICATE):
            turbogears.flash("Service principal '%s' already exists" %
                    principal_name)
--- a/ipa-server/xmlrpc-server/funcs.py
+++ b/ipa-server/xmlrpc-server/funcs.py
@@ -30,6 +30,7 @@ from ipa import ipaerror
 from ipa import ipautil
 from urllib import quote,unquote
 from ipa import radius_util
+from ipa import dnsclient

 import string
 from types import *
@@ -1702,12 +1703,30 @@ class IPAServer:
        except ipaerror.exception_for(ipaerror.LDAP_NOT_FOUND):
            return True

-    def add_service_principal(self, name, opts=None):
+    def add_service_principal(self, name, force, opts=None):
        """Given a name of the form: service/FQDN create a service
-           principal for it in the default realm."""
+           principal for it in the default realm.
+
+           Ensure that the principal points at a DNS A record so it will
+           work with Kerberos unless force is set to 1"""
        if not name:
            raise ipaerror.gen_exception(ipaerror.INPUT_INVALID_PARAMETER)

+        try:
+            f = int(force)
+        except ValueError:
+            f = 1
+        logging.debug("IPA: add service principal %s (%d)" % (name, f))
+
+        if not f:
+            fqdn = name + "."
+            rs = dnsclient.query(fqdn, dnsclient.DNS_C_IN, dnsclient.DNS_T_A)
+            if len(rs) == 0:
+                logging.debug("IPA: DNS A record lookup failed for %s" % name)
+                raise ipaerror.gen_exception(ipaerror.INPUT_NOT_DNS_A_RECORD)
+            else:
+                logging.debug("IPA: found %d records for %s" % (len(rs), name))
+
        service_container = DefaultServiceContainer

        # Don't let the user set the realm