Hi,

those two patches should fix
https://fedorahosted.org/freeipa/ticket/2515 . The first makes the
needed change for fresh installations. The second adds the changes
during ipa-adtrust-install if needed. I prefer to do the changes here
instead of during updates, because during updates it is not easy to see
that the Kerberos configuration was changed.

bye,
Sumit
From af51c4e31fe691a05498c29d334b5958c60dface Mon Sep 17 00:00:00 2001
From: Sumit Bose <sb...@redhat.com>
Date: Thu, 16 Aug 2012 13:16:55 +0200
Subject: [PATCH 67/68] Set master_kdc and dns_lookup_kdc to true

---
 contrib/RHEL4/ipa-client-setup            | 3 ++-
 install/share/krb5.conf.template          | 3 ++-
 install/share/krb5.ini.template           | 1 +
 install/tools/ipa-replica-conncheck       | 3 ++-
 ipa-client/ipa-install/ipa-client-install | 1 +
 5 Dateien geändert, 8 Zeilen hinzugefügt(+), 3 Zeilen entfernt(-)

diff --git a/contrib/RHEL4/ipa-client-setup b/contrib/RHEL4/ipa-client-setup
index 
1a8761036e1b7230b1524c45d565126ff73030b4..4d1fead981d0e10232e974527222a2f9a62252b4
 100644
--- a/contrib/RHEL4/ipa-client-setup
+++ b/contrib/RHEL4/ipa-client-setup
@@ -307,7 +307,7 @@ def main():
         #[libdefaults]
         libopts = [{'name':'default_realm', 'type':'option', 
'value':ipasrv.getRealmName()}]
         libopts.append({'name':'dns_lookup_realm', 'type':'option', 
'value':'false'})
-        libopts.append({'name':'dns_lookup_kdc', 'type':'option', 
'value':'false'})
+        libopts.append({'name':'dns_lookup_kdc', 'type':'option', 
'value':'true'})
         libopts.append({'name':'ticket_lifetime', 'type':'option', 
'value':'24h'})
         libopts.append({'name':'forwardable', 'type':'option', 'value':'yes'})
 
@@ -316,6 +316,7 @@ def main():
 
         #[realms]
         kropts =[{'name':'kdc', 'type':'option', 
'value':ipasrv.getServerName()+':88'},
+                 {'name':'master_kdc', 'type':'option', 
'value':ipasrv.getServerName()+':88'},
                  {'name':'admin_server', 'type':'option', 
'value':ipasrv.getServerName()+':749'},
                  {'name':'default_domain', 'type':'option', 
'value':ipasrv.getDomainName()}]
         ropts = [{'name':ipasrv.getRealmName(), 'type':'subsection', 
'value':kropts}]
diff --git a/install/share/krb5.conf.template b/install/share/krb5.conf.template
index 
eda8ba6fe647d54d5feef1acda41c482b0dbcefa..f8b1a6f09868c55e47f21279b6d061fbd8251171
 100644
--- a/install/share/krb5.conf.template
+++ b/install/share/krb5.conf.template
@@ -6,7 +6,7 @@
 [libdefaults]
  default_realm = $REALM
  dns_lookup_realm = false
- dns_lookup_kdc = false
+ dns_lookup_kdc = true
  rdns = false
  ticket_lifetime = 24h
  forwardable = yes
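Review bot: `dns_lookup_kdc = true` changes how the library locates KDCs for every realm that has no explicit `kdc` entry, yet the template carries no comment saying why the previous default of false is being reversed, so a reader of the generated /etc/krb5.conf cannot tell whether it is deliberate. A comment above the line would settle that, e.g. `# true so KDCs of realms not listed under [realms] (presumably the realms of trusted AD domains) are found via DNS SRV records; the IPA realm keeps its explicit kdc entry below`. Since SRV answers are unauthenticated DNS data, the comment also records why the IPA realm stays pinned rather than discovered. The same flip appears in the ipa-client-setup and ipa-replica-conncheck hunks.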
@@ -14,6 +14,7 @@
 [realms]
  $REALM = {
   kdc = $FQDN:88
+  master_kdc = $FQDN:88
   admin_server = $FQDN:749
   default_domain = $DOMAIN
   pkinit_anchors = FILE:/etc/ipa/ca.crt
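Review bot: `master_kdc` is added with the same value as `kdc` but nothing explains its role; in MIT krb5 this tag names the KDC(s) the client retries against when an authentication fails with a bad password, to cover a password change that has not yet replicated. A comment above the line would make the intent clear, e.g. `# master_kdc: retried after a password failure so a just-changed password is checked against an authoritative KDC`. The same addition appears in the krb5.ini.template, ipa-client-setup, ipa-replica-conncheck and ipa-client-install hunks.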
diff --git a/install/share/krb5.ini.template b/install/share/krb5.ini.template
index 
89f4a370143ac0848b7eeed24085d897242595f1..01cc1369f518f8e903d175d5c41e40040eaa1784
 100644
--- a/install/share/krb5.ini.template
+++ b/install/share/krb5.ini.template
@@ -8,6 +8,7 @@
         $REALM = {
                 admin_server = $FQDN
                 kdc = $FQDN
+                master_kdc = $FQDN
                 default_domain = $REALM
         }
 
diff --git a/install/tools/ipa-replica-conncheck 
b/install/tools/ipa-replica-conncheck
index 
8e4536cf67cafb907a3e330607a81b4bc034015b..169e9dc9f1d28dcc7c36b09f4382b8948d5ae831
 100755
--- a/install/tools/ipa-replica-conncheck
+++ b/install/tools/ipa-replica-conncheck
@@ -177,7 +177,7 @@ def configure_krb5_conf(realm, kdc, filename):
     #[libdefaults]
     libdefaults = [{'name':'default_realm', 'type':'option', 'value':realm}]
     libdefaults.append({'name':'dns_lookup_realm', 'type':'option', 
'value':'false'})
-    libdefaults.append({'name':'dns_lookup_kdc', 'type':'option', 
'value':'false'})
+    libdefaults.append({'name':'dns_lookup_kdc', 'type':'option', 
'value':'true'})
     libdefaults.append({'name':'rdns', 'type':'option', 'value':'false'})
     libdefaults.append({'name':'ticket_lifetime', 'type':'option', 
'value':'24h'})
     libdefaults.append({'name':'forwardable', 'type':'option', 'value':'yes'})
@@ -188,6 +188,7 @@ def configure_krb5_conf(realm, kdc, filename):
     #the following are necessary only if DNS discovery does not work
     #[realms]
     realms_info =[{'name':'kdc', 'type':'option', 
'value':ipautil.format_netloc(kdc, 88)},
+                 {'name':'master_kdc', 'type':'option', 
'value':ipautil.format_netloc(kdc, 88)},
                  {'name':'admin_server', 'type':'option', 
'value':ipautil.format_netloc(kdc, 749)}]
     realms = [{'name':realm, 'type':'subsection', 'value':realms_info}]
 
diff --git a/ipa-client/ipa-install/ipa-client-install 
b/ipa-client/ipa-install/ipa-client-install
index 
d87fcc2a662b73c8ff269b65437d7d3023509b62..38b632220a1397b73acc042bd343b7638eb96230
 100755
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@@ -671,6 +671,7 @@ def configure_krb5_conf(fstore, cli_basedn, cli_realm, 
cli_domain, cli_server, c
         #[realms]
         for server in cli_server:
             kropts.append({'name':'kdc', 'type':'option', 
'value':ipautil.format_netloc(server, 88)})
+            kropts.append({'name':'master_kdc', 'type':'option', 
'value':ipautil.format_netloc(server, 88)})
             kropts.append({'name':'admin_server', 'type':'option', 
'value':ipautil.format_netloc(server, 749)})
         kropts.append({'name':'default_domain', 'type':'option', 
'value':cli_domain})
     kropts.append({'name':'pkinit_anchors', 'type':'option', 
'value':'FILE:/etc/ipa/ca.crt'})
-- 
1.7.11.4

From 8328a84bbfeacf95231956c112e970035f367bb9 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sb...@redhat.com>
Date: Fri, 7 Sep 2012 12:40:58 +0200
Subject: [PATCH 68/68] Update krb5.conf during ipa-adtrust-install

---
 ipaserver/install/adtrustinstance.py | 62 ++++++++++++++++++++++++++++++++++++
 1 Datei geändert, 62 Zeilen hinzugefügt(+)

diff --git a/ipaserver/install/adtrustinstance.py 
b/ipaserver/install/adtrustinstance.py
index 
078c54dbe6ab520e5e3e7e186d4059b5a0fa252b..a23354c0ddb648d74be7fd8170e38da3a116c18e
 100644
--- a/ipaserver/install/adtrustinstance.py
+++ b/ipaserver/install/adtrustinstance.py
@@ -36,8 +36,11 @@ from ipapython.ipa_log_manager import *
 from ipapython import services as ipaservices
 from ipapython.dn import DN
 
+import ipaclient.ipachangeconf
+
 import string
 import struct
+import re
 
 ALLOWED_NETBIOS_CHARS = string.ascii_uppercase + string.digits
 
@@ -100,6 +103,7 @@ class ADTRUSTInstance(service.Service):
     def __init__(self, fstore=None):
         self.fqdn = None
         self.ip_address = None
+        self.realm = None
         self.domain_name = None
         self.netbios_name = None
         self.no_msdcs = None
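Review bot: `self.realm` is initialised to None here but nothing in this patch assigns it a value afterwards, so unless the caller sets it outside the hunks shown, the guard in `__mod_krb5_conf` will always report that /etc/krb5.conf cannot be modified; worth confirming that assignment exists or adding it next to wherever `self.fqdn` is set. `__init__` continues outside the hunk.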
@@ -410,6 +414,63 @@ class ADTRUSTInstance(service.Service):
                 except:
                     self.print_msg(SELINUX_WARNING % 
dict(var=','.join(sebools)))
 
+    def __mod_krb5_conf(self):
+        """
+        Set dns_lookup_kdc to true and master_kdc in /etc/krb5.conf
+        """
+
+        if not self.fqdn or not self.realm:
+            self.print_msg("Cannot modify /etc/krb5.conf")
+
+        krbconf = ipaclient.ipachangeconf.IPAChangeConf("IPA Installer")
+        krbconf.setOptionAssignment(" = ")
+        krbconf.setSectionNameDelimiters(("[", "]"))
+        krbconf.setSubSectionDelimiters(("{", "}"))
+        krbconf.setIndent(("", "  ", "    "))
+
+        libopts = [{'name':'dns_lookup_kdc', 'type':'option', 'action':'set',
+                    'value':'true'}]
+
+        master_kdc = self.fqdn + ":88"
+        kropts = [{'name':'master_kdc', 'type':'option', 'action':'set',
+                   'value':master_kdc}]
+
+        ropts = [{'name':self.realm, 'type':'subsection', 'action':'set',
+                  'value':kropts}]
+
+        opts = [{'name':'libdefaults', 'type':'section', 'action':'set',
+                 'value':libopts},
+                {'name':'realms', 'type':'section', 'action':'set',
+                 'value':ropts}]
+
+        krbconf.changeConf("/etc/krb5.conf", opts)
+
+    def __update_krb5_conf(self):
+        """
+        Update /etc/krb5.conf if needed
+        """
+
+        try:
+            krb5conf = open("/etc/krb5.conf", 'r')
+        except IOError, e:
+            self.print_msg("Cannot open /etc/krb5.conf (%s)\n" % str(e))
+            return
+
+        has_dns_lookup_kdc_true = False
+        for line in krb5conf:
+            if re.match("^\s*dns_lookup_kdc\s*=\s*[Tt][Rr][Uu][Ee]\s*$", line):
+                has_dns_lookup_kdc_true = True
+                break
+        krb5conf.close()
+
+        if not has_dns_lookup_kdc_true:
+            self.__mod_krb5_conf()
+        else:
+            self.print_msg("'dns_lookup_kdc' already set to 'true', "
+                           "nothing to do.")
+
+       
+
     def __start(self):
         try:
             self.start()
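Review bot: The guard at the top of `__mod_krb5_conf` prints "Cannot modify /etc/krb5.conf" when `self.fqdn` or `self.realm` is unset but does not stop, so the method goes on to evaluate `self.fqdn + ":88"` and raises TypeError on None; the message needs a `return` after it, i.e. `self.print_msg("Cannot modify /etc/krb5.conf")` followed by `return`. `__update_krb5_conf` decides to skip solely on a `dns_lookup_kdc = true` line, so a krb5.conf that already has that setting but no `master_kdc` entry is reported as "nothing to do" and never gets one; the skip should require both settings, or `__mod_krb5_conf` could simply always run if `changeConf` with `'action':'set'` is idempotent, which I presume but cannot see here. The pattern passed to `re.match` is a plain string containing `\s` and should be a raw string, `r"^\s*dns_lookup_kdc\s*=\s*[Tt][Rr][Uu][Ee]\s*$"`, and as written it matches the option in any section, not only `[libdefaults]`. The file is closed only on the normal path; reading it under `with open("/etc/krb5.conf") as krb5conf:` closes it even if the loop raises. Since the instance takes an `fstore`, /etc/krb5.conf should presumably be backed up through it before `changeConf` rewrites the file so that uninstall can restore it, and the whitespace-only line left before `__start` should be dropped.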
@@ -541,6 +602,7 @@ class ADTRUSTInstance(service.Service):
         self.step("adding cifs Kerberos principal", self.__setup_principal)
         self.step("adding admin(group) SIDs", self.__add_admin_sids)
         self.step("adding RID bases", self.__add_rid_bases)
+        self.step("updating Kerberos config", self.__update_krb5_conf)
         self.step("activating CLDAP plugin", self.__add_cldap_module)
         self.step("activating sidgen plugin and task", 
self.__add_sidgen_module)
         self.step("activating extdom plugin", self.__add_extdom_module)
-- 
1.7.11.4
