Remove obsolete BIND GSSAPI configuration options tkey-gssapi-credential
and tkey-domain and replace them with tkey-gssapi-keytab which avoids
unnecessary Kerberos checks on BIND startup and can cause issues when
KDC is not available.

Both new and current IPA installations are updated.

https://fedorahosted.org/freeipa/ticket/3429
From 323856232e40f9678a599a5392eb4826aca8954d Mon Sep 17 00:00:00 2001
From: Martin Kosek <mko...@redhat.com>
Date: Tue, 5 Mar 2013 12:02:58 +0100
Subject: [PATCH 1/2] Update named.conf parser

Refactor the named.conf parsing and editing functions in bindinstance
so that both "dynamic-db" and "options" sections of named.conf can
be read and updated

https://fedorahosted.org/freeipa/ticket/3429
---
 ipaserver/install/bindinstance.py | 60 ++++++++++++++++++++++++++++-----------
 1 file changed, 43 insertions(+), 17 deletions(-)

diff --git a/ipaserver/install/bindinstance.py b/ipaserver/install/bindinstance.py
index dff661dd600dfd7933d8094326209fb55884fd5b..057b73f88ba1984a9a82da0bf0fc63dbcf7d1cc9 100644
--- a/ipaserver/install/bindinstance.py
+++ b/ipaserver/install/bindinstance.py
@@ -43,8 +43,12 @@ from ipalib.util import (validate_zonemgr, normalize_zonemgr,
 NAMED_CONF = '/etc/named.conf'
 RESOLV_CONF = '/etc/resolv.conf'
 
+named_conf_ipa_start = 'dynamic-db "ipa"'
+named_conf_options_start = 'options {'
 named_conf_ipa_re = re.compile(r'(?P<indent>\s*)arg\s+"(?P<name>\S+)\s(?P<value>[^"]+)";')
+named_conf_options_re = re.compile(r'(?P<indent>\s*)(?P<name>\S+)\s+"(?P<value>[^"]+)"\s*;')
 named_conf_ipa_template = "%(indent)sarg \"%(name)s %(value)s\";\n"
+named_conf_options_template = "%(indent)s%(name)s \"%(value)s\";\n"
 
 def check_inst(unattended):
     has_bind = True
@@ -86,26 +90,36 @@ def named_conf_exists():
             return True
     return False
 
-def named_conf_get_directive(name):
+NAMED_SECTION_OPTIONS = "options"
+NAMED_SECTION_IPA = "ipa"
+def named_conf_get_directive(name, section=NAMED_SECTION_IPA):
     """Get a configuration option in bind-dyndb-ldap section of named.conf"""
+    if section == NAMED_SECTION_IPA:
+        named_conf_start = named_conf_ipa_start
+        named_conf_re = named_conf_ipa_re
+    elif section == NAMED_SECTION_OPTIONS:
+        named_conf_start = named_conf_options_start
+        named_conf_re = named_conf_options_re
+    else:
+        raise NotImplementedError('Section "%s" is not supported' % section)
 
     with open(NAMED_CONF, 'r') as f:
-        ipa_section = False
+        target_section = False
         for line in f:
-            if line.startswith('dynamic-db "ipa"'):
-                ipa_section = True
+            if line.startswith(named_conf_start):
+                target_section = True
                 continue
             if line.startswith('};'):
-                if ipa_section:
+                if target_section:
                     break
 
-            if ipa_section:
-                match = named_conf_ipa_re.match(line)
+            if target_section:
+                match = named_conf_re.match(line)
 
                 if match and name == match.group('name'):
                     return match.group('value')
 
-def named_conf_set_directive(name, value):
+def named_conf_set_directive(name, value, section=NAMED_SECTION_IPA):
     """
     Set configuration option in bind-dyndb-ldap section of named.conf.
 
@@ -117,25 +131,37 @@ def named_conf_set_directive(name, value):
     """
     new_lines = []
 
+    if section == NAMED_SECTION_IPA:
+        named_conf_start = named_conf_ipa_start
+        named_conf_re = named_conf_ipa_re
+        named_conf_template = named_conf_ipa_template
+    elif section == NAMED_SECTION_OPTIONS:
+        named_conf_start = named_conf_options_start
+        named_conf_re = named_conf_options_re
+        named_conf_template = named_conf_options_template
+    else:
+        raise NotImplementedError('Section "%s" is not supported' % section)
+
     with open(NAMED_CONF, 'r') as f:
-        ipa_section = False
+        target_section = False
         matched = False
         last_indent = "\t"
         for line in f:
-            if line.startswith('dynamic-db "ipa"'):
-                ipa_section = True
+            if line.startswith(named_conf_start):
+                target_section = True
             if line.startswith('};'):
-                if ipa_section and not matched:
+                if target_section and not matched and \
+                        value is not None:
                     # create a new conf
-                    new_conf = named_conf_ipa_template \
+                    new_conf = named_conf_template \
                             % dict(indent=last_indent,
                                    name=name,
                                    value=value)
                     new_lines.append(new_conf)
-                ipa_section = False
+                target_section = False
 
-            if ipa_section and not matched:
-                match = named_conf_ipa_re.match(line)
+            if target_section and not matched:
+                match = named_conf_re.match(line)
 
                 if match:
                     last_indent = match.group('indent')
@@ -144,7 +170,7 @@ def named_conf_set_directive(name, value):
                         if value is not None:
                             if not isinstance(value, basestring):
                                 value = str(value)
-                            new_conf = named_conf_ipa_template \
+                            new_conf = named_conf_template \
                                     % dict(indent=last_indent,
                                            name=name,
                                            value=value)
-- 
1.8.1.4

From 3a4575c77ff814ad4fbf2cd5f15a00ee0de51332 Mon Sep 17 00:00:00 2001
From: Martin Kosek <mko...@redhat.com>
Date: Tue, 5 Mar 2013 12:04:58 +0100
Subject: [PATCH 2/2] Use tkey-gssapi-keytab in named.conf

Remove obsolete BIND GSSAPI configuration options tkey-gssapi-credential
and tkey-domain and replace them with tkey-gssapi-keytab which avoids
unnecessary Kerberos checks on BIND startup and can cause issues when
KDC is not available.

Both new and current IPA installations are updated.

https://fedorahosted.org/freeipa/ticket/3429
---
 install/share/bind.named.conf.template |  3 +-
 install/tools/ipa-upgradeconfig        | 69 +++++++++++++++++++++++++++++++++-
 2 files changed, 69 insertions(+), 3 deletions(-)

diff --git a/install/share/bind.named.conf.template b/install/share/bind.named.conf.template
index 9fdd91319947f6cfd3034f8d2a4fe8bb60d1af77..b12df593ad902dfbe815c2292992f26204756cd8 100644
--- a/install/share/bind.named.conf.template
+++ b/install/share/bind.named.conf.template
@@ -14,8 +14,7 @@ options {
 	// Any host is permitted to issue recursive queries
 	allow-recursion { any; };
 
-	tkey-gssapi-credential "DNS/$FQDN";
-	tkey-domain "$REALM";
+	tkey-gssapi-keytab "/etc/named.keytab";
 };
 
 /* If you want to enable debugging, eg. using the 'rndc trace' command,
diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig
index 9bd706ad0beb45ba7a4b20f30f564f5e234bd133..f310ff76d283e582b2191d26c9773b388f24482b 100644
--- a/install/tools/ipa-upgradeconfig
+++ b/install/tools/ipa-upgradeconfig
@@ -451,6 +451,72 @@ def named_enable_serial_autoincrement():
 
     return changed
 
+def named_update_gssapi_configuration():
+    """
+    Update GSSAPI configuration in named.conf to a recent API.
+    tkey-gssapi-credential and tkey-domain is replaced with tkey-gssapi-keytab.
+    Details can be found in https://fedorahosted.org/freeipa/ticket/3429.
+
+    When some change in named.conf is done, this functions returns True
+    """
+
+    root_logger.info('[Updating GSSAPI configuration in DNS]')
+
+    if not bindinstance.named_conf_exists():
+        # DNS service may not be configured
+        root_logger.info('DNS is not configured')
+        return False
+
+    if sysupgrade.get_upgrade_state('named.conf', 'gssapi_updated'):
+        root_logger.debug('Skip GSSAPI configuration check')
+        return False
+
+    try:
+        gssapi_keytab = bindinstance.named_conf_get_directive('tkey-gssapi-keytab',
+                bindinstance.NAMED_SECTION_OPTIONS)
+    except IOError, e:
+        root_logger.error('Cannot retrieve tkey-gssapi-keytab option from %s: %s',
+                bindinstance.NAMED_CONF, e)
+        return False
+    else:
+        if gssapi_keytab:
+            root_logger.debug('GSSAPI configuration already updated')
+            sysupgrade.set_upgrade_state('named.conf', 'gssapi_updated', True)
+            return False
+
+    try:
+        tkey_credential = bindinstance.named_conf_get_directive('tkey-gssapi-credential',
+                bindinstance.NAMED_SECTION_OPTIONS)
+        tkey_domain = bindinstance.named_conf_get_directive('tkey-domain',
+                bindinstance.NAMED_SECTION_OPTIONS)
+    except IOError, e:
+        root_logger.error('Cannot retrieve tkey-gssapi-credential option from %s: %s',
+                bindinstance.NAMED_CONF, e)
+        return False
+
+    if not tkey_credential or not tkey_domain:
+        root_logger.error('Either tkey-gssapi-credential or tkey-domain is missing in %s. '
+            'Skip update.', bindinstance.NAMED_CONF)
+        return False
+
+    try:
+        bindinstance.named_conf_set_directive('tkey-gssapi-credential', None,
+                                              bindinstance.NAMED_SECTION_OPTIONS)
+        bindinstance.named_conf_set_directive('tkey-domain', None,
+                                              bindinstance.NAMED_SECTION_OPTIONS)
+        bindinstance.named_conf_set_directive('tkey-gssapi-keytab', '/etc/named.keytab',
+                                              bindinstance.NAMED_SECTION_OPTIONS)
+    except IOError, e:
+        root_logger.error('Cannot update GSSAPI configuration in %s: %s',
+                bindinstance.NAMED_CONF, e)
+        return False
+    else:
+        root_logger.debug('GSSAPI configuration updated')
+
+    sysupgrade.set_upgrade_state('named.conf', 'gssapi_updated', True)
+    return True
+
+
 def enable_certificate_renewal(ca):
     """
     If the CA subsystem certificates are not being tracked for renewal then
@@ -741,7 +807,8 @@ def main():
     add_server_cname_records()
     changed_psearch = named_enable_psearch()
     changed_autoincrement = named_enable_serial_autoincrement()
-    if changed_psearch or changed_autoincrement:
+    changed_gssapi_conf = named_update_gssapi_configuration()
+    if changed_psearch or changed_autoincrement or changed_gssapi_conf:
         # configuration has changed, restart the name server
         root_logger.info('Changes to named.conf have been made, restart named')
         bind = bindinstance.BindInstance(fstore)
-- 
1.8.1.4

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Reply via email to