Hi,

If the IPA server is setup with non-matching domain and realm
names, it will not be able to establish trust with the Active
Directory.

Adds warnings to the ipa-server-install and warning to the
ipa-adtrust-install (which has to be confirmed).

Man pages for the ipa-server-install and ipa-adtrust-install were
updated with the relevant notes.

https://fedorahosted.org/freeipa/ticket/3924

--
Tomas Babej
Associate Software Engineer | Red Hat | Identity Management
RHCE | Brno Site | IRC: tbabej | freeipa.org


From 0909d5fe4803cefced1efb79043062615d5f6dbe Mon Sep 17 00:00:00 2001
From: Tomas Babej <tba...@redhat.com>
Date: Wed, 18 Sep 2013 12:56:00 +0200
Subject: [PATCH 108/110] Warn user about realm-domain mismatch in install
 scripts

If the IPA server is setup with non-matching domain and realm
names, it will not be able to establish trust with the Active
Directory.

Adds warnings to the ipa-server-install and warning to the
ipa-adtrust-install (which has to be confirmed).

Man pages for the ipa-server-install and ipa-adtrust-install were
updated with the relevant notes.

https://fedorahosted.org/freeipa/ticket/3924
---
 install/tools/ipa-adtrust-install       | 16 ++++++++++++++++
 install/tools/ipa-server-install        | 11 +++++++++++
 install/tools/man/ipa-adtrust-install.1 |  3 +++
 install/tools/man/ipa-server-install.1  |  2 +-
 4 files changed, 31 insertions(+), 1 deletion(-)

diff --git a/install/tools/ipa-adtrust-install b/install/tools/ipa-adtrust-install
index 838f7226bca66f4980c1144d7907bc42fcd31a22..5e3fd798c4f00c62567b44ea9bdc0b41445a6f8d 100755
--- a/install/tools/ipa-adtrust-install
+++ b/install/tools/ipa-adtrust-install
@@ -248,6 +248,22 @@ def main():
     api.bootstrap(**cfg)
     api.finalize()
 
+    # If domain name and realm does not match, IPA server will not be able
+    # to estabilish trust with Active Directory. Print big fat warning.
+
+    realm_not_matching_domain = (api.env.domain.upper() != api.env.realm)
+
+    if realm_not_matching_domain:
+        print("WARNING: Realm name does not match the domain name.\n"
+              "You will not be able to estabilish trusts with Active "
+              "Directory unless the realm name of the IPA server matches its "
+              "domain name.\n\n")
+        if not options.unattended:
+            if not ipautil.user_input("Do you wish to continue?",
+                                      default = False,
+                                      allow_empty = False):
+                sys.exit("Aborting installation.")
+
     if adtrustinstance.ipa_smb_conf_exists():
         if not options.unattended:
             while True:
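Review bot: the administrator-facing warning string in the added `print(...)` misspells "establish" as "estabilish" (the comment above it has the same typo, and "domain name and realm does not match" should read "do not match"); fix the message text before this ships, e.g. `"You will not be able to establish trusts with Active "`. Style: the keyword arguments `default = False` and `allow_empty = False` should be written without spaces around `=` (`default=False, allow_empty=False`) to match PEP 8 and the rest of the file. One behavioural point: in unattended mode the mismatch is only printed to stdout and the install continues, so consider also recording it through the installer's log output so the condition is visible after the fact in the install log.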
diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install
index 028cca097b3710a7c5ae60395562e987430e5a25..fc4af548170b63a6f585616bcb383e1a0d4b7add 100644
--- a/install/tools/ipa-server-install
+++ b/install/tools/ipa-server-install
@@ -968,6 +968,17 @@ def main():
                 or reverse_zone is None else reverse_zone)
         print
 
+    # If domain name and realm does not match, IPA server will not be able
+    # to estabilish trust with Active Directory. Print big fat warning.
+
+    realm_not_matching_domain = (domain_name.upper() != realm_name)
+
+    if realm_not_matching_domain:
+        print("WARNING: Realm name does not match the domain name.\n"
+              "You will not be able to estabilish trusts with Active "
+              "Directory unless the realm name of the IPA server matches "
+              "its domain name.\n\n")
+
     if not options.unattended and not user_input("Continue to configure the system with these values?", False):
         sys.exit("Installation aborted")
 
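Review bot: same "estabilish" misspelling in both the comment and the printed warning; correct to "establish". Placement is sound: the warning is printed directly before the existing "Continue to configure the system with these values?" prompt, so an interactive user can abort on it and unattended runs proceed, which matches the cover letter. Please confirm that `realm_name` is already normalized to upper case by the time this line runs; `domain_name.upper() != realm_name` would otherwise flag a case-only difference (e.g. a mixed-case value passed via --realm) as a real mismatch, in which case comparing against `realm_name.upper()` is safer.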
diff --git a/install/tools/man/ipa-adtrust-install.1 b/install/tools/man/ipa-adtrust-install.1
index 7f0566e135ce1eec049987ff99e922f76c53177b..b0aa8ceefc34698329b2a13d3adbcb204f08b3a9 100644
--- a/install/tools/man/ipa-adtrust-install.1
+++ b/install/tools/man/ipa-adtrust-install.1
@@ -26,6 +26,9 @@ Adds all necessary objects and configuration to allow an IPA server to create a
 trust to an Active Directory domain. This requires that the IPA server is
 already installed and configured.
 
+Please note you will not be able to estabilish an trust to an Active Directory
+domain unless the realm name of the IPA server matches its domain name.
+
 ipa\-adtrust\-install can be run multiple times to reinstall deleted objects or
 broken configuration files. E.g. a fresh samba configuration (smb.conf file and
 registry based configuration can be created. Other items like e.g. the
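Review bot: the new man page sentence has two typos: "estabilish an trust" should read "establish a trust".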
diff --git a/install/tools/man/ipa-server-install.1 b/install/tools/man/ipa-server-install.1
index 5f81cec94afa241449c5d7dbde573d0c2c687d71..a093078cbe8c11d93a6c254f39066b0e9a6329e5 100644
--- a/install/tools/man/ipa-server-install.1
+++ b/install/tools/man/ipa-server-install.1
@@ -28,7 +28,7 @@ Configures the services needed by an IPA server. This includes setting up a Kerb
 .SS "BASIC OPTIONS"
 .TP
 \fB\-r\fR \fIREALM_NAME\fR, \fB\-\-realm\fR=\fIREALM_NAME\fR
-The Kerberos realm name for the IPA server
+The Kerberos realm name for the IPA server. You will not be able to estabilish trust with Active Directory unless the realm name is uppercased domain name.
 .TP
 \fB\-n\fR \fIDOMAIN_NAME\fR, \fB\-\-domain\fR=\fIDOMAIN_NAME\fR
 Your DNS domain name
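Review bot: typo and grammar in the replaced description: "estabilish" should be "establish", and "unless the realm name is uppercased domain name" should read "unless the realm name is the uppercased domain name". Since this is the only place ipa-server-install documents the realm/domain relationship, consider also phrasing the expectation positively (the realm name should normally be the DNS domain name in upper case) so readers see the recommendation, not only the trust caveat.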
-- 
1.8.3.1

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel