>On 12.10.2015 12:50, Tomas Babej wrote:
>>
>> ----- Original Message -----
>> From: "Martin Basti" <mba...@redhat.com>
>> To: "Tomas Babej" <tba...@redhat.com>
>> Cc: "freeipa-devel" <freeipa-devel@redhat.com>
>> Sent: Monday, October 12, 2015 12:41:13 PM
>> Subject: Re: [Freeipa-devel] [PATCHES 362-366] Realmdomains handling
>> improvements
>>
>>
>>
>>> On 09.10.2015 19:11, Tomas Babej wrote:
>>>> On 09/23/2015 02:40 PM, Martin Basti wrote:
>>>>> On 09/22/2015 02:23 PM, Tomas Babej wrote:
>>>>>> On 09/03/2015 04:34 PM, Alexander Bokovoy wrote:
>>>>>>> On Thu, 03 Sep 2015, Tomas Babej wrote:
>>>>>>>> Hi,
>>>>>>>>
>>>>>>>> this couple of patches fix https://fedorahosted.org/freeipa/ticket/5278
>>>>>>>> and improve our handling of realmdomains in general.
>>>>>>> The code looks good to me. I haven't tested it yet, though.
>>>>>>>
>>>>>> Rebased on top of current master.
>>>>> Please fix tests too.
>>>>>
>>>> Updated patchset attached. Also fixed a minor spelling and syntax issues
>>>> in the original patches.
>>>>
>>>> Tomas
>>> ACK,
>>> unfortunately, patch "realmdomains: Issue a warning when automated
>>> management of realmdomains" failed to apply on top of ipa-4-2 branch.
>> Attaching rebased patchset.
>Pushed to master: 12840e0bfa545341c448276c4803a49cbae63e8a
>You sent different patch 362 for ipa-4-2 than it should be.
Yeah, I shifted the whole patchset by one patch somehow..
Correct version attached.
From 8480b286b0fe199b8639dc8fb1c94b7c26dd441a Mon Sep 17 00:00:00 2001
From: Tomas Babej <tba...@redhat.com>
Date: Thu, 3 Sep 2015 12:13:32 +0200
Subject: [PATCH] util: Add detect_dns_zone_realm_type helper
https://fedorahosted.org/freeipa/ticket/5278
---
ipalib/util.py | 55 +++++++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 55 insertions(+)
diff --git a/ipalib/util.py b/ipalib/util.py
index a3500ae29b56ac6a289fbec97d15cf026baf7068..182da20dde39fd19497543410a3ea040ccbab170 100644
--- a/ipalib/util.py
+++ b/ipalib/util.py
@@ -810,3 +810,58 @@ def get_topology_connection_errors(graph):
if not_visited:
connect_errors.append((m, list(visited), list(not_visited)))
return connect_errors
+
+def detect_dns_zone_realm_type(api, domain):
+ """
+ Detects the type of the realm that the given DNS zone belongs to.
+ Note: This method is heuristic. Possible values:
+ - 'current': For IPA domains belonging in the current realm.
+ - 'foreign': For domains belonging in a foreing kerberos realm.
+ - 'unknown': For domains whose allegiance could not be detected.
+ """
+
+ # First, try to detect _kerberos TXT record in the domain
+ # This would indicate that the domain belongs to IPA realm
+
+ kerberos_prefix = DNSName('_kerberos')
+ domain_suffix = DNSName(domain)
+ kerberos_record_name = kerberos_prefix + domain_suffix
+
+ response = None
+
+ try:
+ result = resolver.query(kerberos_record_name, rdatatype.TXT)
+ answer = result.response.answer
+
+ # IPA domain will have only one _kerberos TXT record
+ if (len(answer) == 1 and
+ len(answer[0]) == 1 and
+ answer[0].rdtype == rdatatype.TXT):
+
+ record = answer[0][0]
+
+ # If the record contains our current realm, it is 'ipa-current'
+ if record.to_text() == '"{0}"'.format(api.env.realm):
+ return 'current'
+ else:
+ return 'foreign'
+
+ except DNSException as e:
+ pass
+
+ # Try to detect AD specific record in the zone.
+ # This would indicate that the domain belongs to foreign (AD) realm
+
+ gc_prefix = DNSName('_ldap._tcp.gc._msdcs')
+ ad_specific_record_name = gc_prefix + domain_suffix
+
+ try:
+ # The presence of this record is enough, return foreign in such case
+ result = resolver.query(ad_specific_record_name, rdatatype.SRV)
+ return 'foreign'
+
+ except DNSException as e:
+ pass
+
+ # If we could not detect type with certainity, return unknown
+ return 'unknown'
--
2.1.0
From df317dceec52fc5003d3f175e9260bd279b0ff1e Mon Sep 17 00:00:00 2001
From: Tomas Babej <tba...@redhat.com>
Date: Thu, 3 Sep 2015 12:40:17 +0200
Subject: [PATCH] realmdomains: Minor style and wording improvements
https://fedorahosted.org/freeipa/ticket/5278
---
ipalib/plugins/realmdomains.py | 75 +++++++++++++++++++++++++++++++++---------
1 file changed, 60 insertions(+), 15 deletions(-)
diff --git a/ipalib/plugins/realmdomains.py b/ipalib/plugins/realmdomains.py
index c53340591bd0f0f02fcc9db3142b74197aff551b..4617ec7e084cb58e90ab627ce0cbb4ed71878506 100644
--- a/ipalib/plugins/realmdomains.py
+++ b/ipalib/plugins/realmdomains.py
@@ -133,16 +133,46 @@ class realmdomains_mod(LDAPUpdate):
del_domain = entry_attrs.get('del_domain')
force = options.get('force')
+ current_domain = get_domain_name()
+
+ missing_soa_ns_record_error = _(
+ "DNS zone for each realmdomain must contain "
+ "SOA or NS records. No records found for: %s"
+ )
+
+ # User specified the list of domains explicitly
if associateddomain:
if add_domain or del_domain:
- raise errors.MutuallyExclusiveError(reason=_("you cannot specify the --domain option together with --add-domain or --del-domain"))
- if get_domain_name() not in associateddomain:
- raise errors.ValidationError(name='domain', error=_("cannot delete domain of IPA server"))
+ raise errors.MutuallyExclusiveError(
+ reason=_(
+ "The --domain option cannot be used together "
+ "with --add-domain or --del-domain. Use --domain "
+ "to specify the whole realm domain list explicitly, "
+ "to add/remove individual domains, use "
+ "--add-domain/del-domain.")
+ )
+
+ # Make sure our domain is included in the list
+ if current_domain not in associateddomain:
+ raise errors.ValidationError(
+ name='realmdomain list',
+ error=_("IPA server domain cannot be omitted")
+ )
+
+ # Unless forced, check that each domain has SOA or NS records
if not force:
- bad_domains = [d for d in associateddomain if not has_soa_or_ns_record(d)]
+ bad_domains = [
+ d for d in associateddomain
+ if not has_soa_or_ns_record(d)
+ ]
+
if bad_domains:
bad_domains = ', '.join(bad_domains)
- raise errors.ValidationError(name='domain', error=_("no SOA or NS records found for domains: %s" % bad_domains))
+ raise errors.ValidationError(
+ name='domain',
+ error=missing_soa_ns_record_error % bad_domains
+ )
+
return dn
# If --add-domain or --del-domain options were provided, read
@@ -151,18 +181,29 @@ class realmdomains_mod(LDAPUpdate):
if add_domain:
if not force and not has_soa_or_ns_record(add_domain):
- raise errors.ValidationError(name='add_domain', error=_("no SOA or NS records found for domain %s" % add_domain))
+ raise errors.ValidationError(
+ name='add_domain',
+ error=missing_soa_ns_record_error % add_domain
+ )
+
del entry_attrs['add_domain']
domains.append(add_domain)
if del_domain:
- if del_domain == get_domain_name():
- raise errors.ValidationError(name='del_domain', error=_("cannot delete domain of IPA server"))
+ if del_domain == current_domain:
+ raise errors.ValidationError(
+ name='del_domain',
+ error=_("IPA server domain cannot be deleted")
+ )
del entry_attrs['del_domain']
+
try:
domains.remove(del_domain)
except ValueError:
- raise errors.AttrValueNotFound(attr='associateddomain', value=del_domain)
+ raise errors.AttrValueNotFound(
+ attr='associateddomain',
+ value=del_domain
+ )
entry_attrs['associateddomain'] = domains
return dn
@@ -180,13 +221,15 @@ class realmdomains_mod(LDAPUpdate):
# Add a _kerberos TXT record for zones that correspond with
# domains which were added
- for d in domains_added:
+ for domain in domains_added:
+
# Skip our own domain
- if d == api.env.domain:
+ if domain == api.env.domain:
continue
+
try:
api.Command['dnsrecord_add'](
- unicode(d),
+ unicode(domain),
u'_kerberos',
txtrecord=api.env.realm
)
@@ -195,13 +238,15 @@ class realmdomains_mod(LDAPUpdate):
# Delete _kerberos TXT record from zones that correspond with
# domains which were deleted
- for d in domains_deleted:
+ for domain in domains_deleted:
+
# Skip our own domain
- if d == api.env.domain:
+ if domain == api.env.domain:
continue
+
try:
api.Command['dnsrecord_del'](
- unicode(d),
+ unicode(domain),
u'_kerberos',
txtrecord=api.env.realm
)
--
2.1.0
From e0323b01cb9df87dba3f1cf4e4a6c9ef33618ace Mon Sep 17 00:00:00 2001
From: Tomas Babej <tba...@redhat.com>
Date: Thu, 3 Sep 2015 13:22:41 +0200
Subject: [PATCH] realmdomains: Add validation that realmdomain being added is
indeed from our realm
https://fedorahosted.org/freeipa/ticket/5278
---
ipalib/plugins/realmdomains.py | 100 +++++++++++++++++++++++++++++++----------
1 file changed, 76 insertions(+), 24 deletions(-)
diff --git a/ipalib/plugins/realmdomains.py b/ipalib/plugins/realmdomains.py
index 4617ec7e084cb58e90ab627ce0cbb4ed71878506..66c4ccda1c1beae7b66d10fe1c8be03559a77da3 100644
--- a/ipalib/plugins/realmdomains.py
+++ b/ipalib/plugins/realmdomains.py
@@ -23,6 +23,7 @@ from ipalib import _
from ipalib.plugable import Registry
from ipalib.plugins.baseldap import LDAPObject, LDAPUpdate, LDAPRetrieve
from ipalib.util import has_soa_or_ns_record, validate_domain_name
+from ipalib.util import detect_dns_zone_realm_type
from ipapython.dn import DN
from ipapython.ipautil import get_domain_name
@@ -126,6 +127,77 @@ class realmdomains_mod(LDAPUpdate):
),
)
+ def validate_domains(self, domains, force):
+ """
+ Validates the list of domains as candidates for additions to the
+ realmdomains list.
+
+ Requirements:
+ - Each domain has SOA or NS record
+ - Each domain belongs to the current realm
+ """
+
+ # Unless forced, check that each domain has SOA or NS records
+ if not force:
+ invalid_domains = [
+ d for d in domains
+ if not has_soa_or_ns_record(d)
+ ]
+
+ if invalid_domains:
+ raise errors.ValidationError(
+ name='domain',
+ error= _(
+ "DNS zone for each realmdomain must contain "
+ "SOA or NS records. No records found for: %s"
+ ) % ','.join(invalid_domains)
+ )
+
+ # Check realm alliegence for each domain
+ domains_with_realm = [
+ (domain, detect_dns_zone_realm_type(self.api, domain))
+ for domain in domains
+ ]
+
+ foreign_domains = [
+ domain for domain, realm in domains_with_realm
+ if realm == 'foreign'
+ ]
+
+ unknown_domains = [
+ domain for domain, realm in domains_with_realm
+ if realm == 'unknown'
+ ]
+
+ # If there are any foreing realm domains, bail out
+ if foreign_domains:
+ raise errors.ValidationError(
+ name='domain',
+ error=_(
+ 'The following domains do not belong '
+ 'to this realm: %(domains)s'
+ ) % dict(domains=','.join(foreign_domains))
+ )
+
+ # If there are any unknown domains, error out,
+ # asking for _kerberos TXT records
+
+ # Note: This can be forced, since realmdomains-mod
+ # is called from dnszone-add where we know that
+ # the domain being added belongs to our realm
+ if not force and unknown_domains:
+ raise errors.ValidationError(
+ name='domain',
+ error=_(
+ 'The realm of the folllowing domains could '
+ 'not be detected: %(domains)s. If these are '
+ 'domains that belong to the this realm, please '
+ 'create a _kerberos TXT record containing "%(realm)s" '
+ 'in each of them.'
+ ) % dict(domains=','.join(unknown_domains),
+ realm=self.api.env.realm)
+ )
+
def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options):
assert isinstance(dn, DN)
associateddomain = entry_attrs.get('associateddomain')
@@ -135,11 +207,6 @@ class realmdomains_mod(LDAPUpdate):
current_domain = get_domain_name()
- missing_soa_ns_record_error = _(
- "DNS zone for each realmdomain must contain "
- "SOA or NS records. No records found for: %s"
- )
-
# User specified the list of domains explicitly
if associateddomain:
if add_domain or del_domain:
@@ -159,19 +226,9 @@ class realmdomains_mod(LDAPUpdate):
error=_("IPA server domain cannot be omitted")
)
- # Unless forced, check that each domain has SOA or NS records
- if not force:
- bad_domains = [
- d for d in associateddomain
- if not has_soa_or_ns_record(d)
- ]
-
- if bad_domains:
- bad_domains = ', '.join(bad_domains)
- raise errors.ValidationError(
- name='domain',
- error=missing_soa_ns_record_error % bad_domains
- )
+ # Validate that each domain satisfies the requirements
+ # for realmdomain
+ self.validate_domains(domains=associateddomain, force=force)
return dn
@@ -180,12 +237,7 @@ class realmdomains_mod(LDAPUpdate):
domains = ldap.get_entry(dn)['associateddomain']
if add_domain:
- if not force and not has_soa_or_ns_record(add_domain):
- raise errors.ValidationError(
- name='add_domain',
- error=missing_soa_ns_record_error % add_domain
- )
-
+ self.validate_domains(domains=[add_domain], force=force)
del entry_attrs['add_domain']
domains.append(add_domain)
--
2.1.0
From a225fafd5e17e7bbe5a00bebabbc0a0079adcd99 Mon Sep 17 00:00:00 2001
From: Tomas Babej <tba...@redhat.com>
Date: Thu, 3 Sep 2015 14:00:09 +0200
Subject: [PATCH] realmdomains: Issue a warning when automated management of
realmdomains failed
https://fedorahosted.org/freeipa/ticket/5278
---
ipalib/messages.py | 31 +++++++++++++++++++++++++++++++
ipalib/plugins/realmdomains.py | 28 +++++++++++++++++++++++-----
2 files changed, 54 insertions(+), 5 deletions(-)
diff --git a/ipalib/messages.py b/ipalib/messages.py
index 58ae1f3ecbbf139f6f584c0ea2ebea6eb92e6e2b..823322a585d046203dec05a3dac9ba7388abd391 100644
--- a/ipalib/messages.py
+++ b/ipalib/messages.py
@@ -241,6 +241,37 @@ class DNSSECValidationFailingWarning(PublicMessage):
u"validation on all IPA servers.")
+class KerberosTXTRecordCreationFailure(PublicMessage):
+ """
+ **13011** Used when a _kerberos TXT record could not be added to
+ a DNS zone.
+ """
+
+ errno = 13011
+ type = "warning"
+ format = _(
+ "The _kerberos TXT record from domain %(domain)s could not be created "
+ "(%(error)s).\nThis can happen if the zone is not managed by IPA. "
+ "Please create the record manually, containing the following "
+ "value: '%(realm)s'"
+ )
+
+
+class KerberosTXTRecordDeletionFailure(PublicMessage):
+ """
+ **13012** Used when a _kerberos TXT record could not be removed from
+ a DNS zone.
+ """
+
+ errno = 13012
+ type = "warning"
+ format = _(
+ "The _kerberos TXT record from domain %(domain)s could not be removed "
+ "(%(error)s).\nThis can happen if the zone is not managed by IPA. "
+ "Please remove the record manually."
+ )
+
+
def iter_messages(variables, base):
"""Return a tuple with all subclasses
"""
diff --git a/ipalib/plugins/realmdomains.py b/ipalib/plugins/realmdomains.py
index 66c4ccda1c1beae7b66d10fe1c8be03559a77da3..e0d45fb8fc24021f00d381e659279ad7e15431c6 100644
--- a/ipalib/plugins/realmdomains.py
+++ b/ipalib/plugins/realmdomains.py
@@ -17,7 +17,7 @@
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
-from ipalib import api, errors
+from ipalib import api, errors, messages
from ipalib import Str, Flag
from ipalib import _
from ipalib.plugable import Registry
@@ -285,8 +285,18 @@ class realmdomains_mod(LDAPUpdate):
u'_kerberos',
txtrecord=api.env.realm
)
- except (errors.EmptyModlist, errors.NotFound):
- pass
+ except (errors.EmptyModlist, errors.NotFound) as error:
+ # If creation of the _kerberos TXT record failed, prompt
+ # for manual intervention
+ messages.add_message(
+ options['version'],
+ result,
+ messages.KerberosTXTRecordCreationFailure(
+ domain=domain,
+ error=unicode(error),
+ realm=self.api.env.realm
+ )
+ )
# Delete _kerberos TXT record from zones that correspond with
# domains which were deleted
@@ -302,8 +312,16 @@ class realmdomains_mod(LDAPUpdate):
u'_kerberos',
txtrecord=api.env.realm
)
- except (errors.AttrValueNotFound, errors.NotFound):
- pass
+ except (errors.AttrValueNotFound, errors.NotFound) as error:
+ # If deletion of the _kerberos TXT record failed, prompt
+ # for manual intervention
+ messages.add_message(
+ options['version'],
+ result,
+ messages.KerberosTXTRecordDeletionFailure(
+ domain=domain, error=unicode(error)
+ )
+ )
return result
--
2.1.0
From 0ff1aef59520b4d587bd8db0cdc4dd6666ee9238 Mon Sep 17 00:00:00 2001
From: Tomas Babej <tba...@redhat.com>
Date: Thu, 3 Sep 2015 14:03:09 +0200
Subject: [PATCH] realmdomains: Do not fail due the ValidationError when adding
_kerberos TXT record
https://fedorahosted.org/freeipa/ticket/5278
---
ipalib/plugins/realmdomains.py | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/ipalib/plugins/realmdomains.py b/ipalib/plugins/realmdomains.py
index e0d45fb8fc24021f00d381e659279ad7e15431c6..92f5cab7f4b75f2826fda97ba23103e17331f779 100644
--- a/ipalib/plugins/realmdomains.py
+++ b/ipalib/plugins/realmdomains.py
@@ -285,7 +285,9 @@ class realmdomains_mod(LDAPUpdate):
u'_kerberos',
txtrecord=api.env.realm
)
- except (errors.EmptyModlist, errors.NotFound) as error:
+ except (errors.EmptyModlist, errors.NotFound,
+ errors.ValidationError) as error:
+
# If creation of the _kerberos TXT record failed, prompt
# for manual intervention
messages.add_message(
@@ -312,7 +314,8 @@ class realmdomains_mod(LDAPUpdate):
u'_kerberos',
txtrecord=api.env.realm
)
- except (errors.AttrValueNotFound, errors.NotFound) as error:
+ except (errors.AttrValueNotFound, errors.NotFound,
+ errors.ValidationError) as error:
# If deletion of the _kerberos TXT record failed, prompt
# for manual intervention
messages.add_message(
--
2.1.0
From dffcfc817ddf55373ef76eec98bdef2b5bc71840 Mon Sep 17 00:00:00 2001
From: Tomas Babej <tba...@redhat.com>
Date: Fri, 9 Oct 2015 12:21:27 +0200
Subject: [PATCH] tests: Amend result assertions in realmdomains tests
* Nonexistent domains have to be added/deleted with force
* Warning messages are emitted
* Some error messages have been altered
https://fedorahosted.org/freeipa/ticket/5278
---
ipatests/test_xmlrpc/test_realmdomains_plugin.py | 76 +++++++++++++++++++++---
1 file changed, 68 insertions(+), 8 deletions(-)
diff --git a/ipatests/test_xmlrpc/test_realmdomains_plugin.py b/ipatests/test_xmlrpc/test_realmdomains_plugin.py
index 703f77d1ea8dd12be82fc08411b2748500bfbf4f..a3490bdeabb6f5beebaff0459fee70339329b04b 100644
--- a/ipatests/test_xmlrpc/test_realmdomains_plugin.py
+++ b/ipatests/test_xmlrpc/test_realmdomains_plugin.py
@@ -92,10 +92,20 @@ class test_realmdomains(Declarative):
),
dict(
desc='Replace list of realm domains with "%s"' % [our_domain, new_domain_1],
- command=('realmdomains_mod', [], {'associateddomain': [our_domain, new_domain_1]}),
+ command=('realmdomains_mod', [], {'associateddomain': [our_domain, new_domain_1], 'force':True}),
expected=dict(
value=None,
summary=None,
+ messages=({u'message': u"The _kerberos TXT record from domain "
+ "example1.com could not be created (%s.: "
+ "DNS zone not found).\nThis can happen if the zone "
+ "is not managed by IPA. Please create the record "
+ "manually, containing the following value: "
+ "'%s'" % (new_domain_1, api.env.realm),
+ u'code': 13011,
+ u'type': u'warning',
+ u'name': u'KerberosTXTRecordCreationFailure'},
+ ),
result=dict(
associateddomain=[our_domain, new_domain_1],
),
@@ -103,13 +113,24 @@ class test_realmdomains(Declarative):
),
dict(
desc='Add domain "%s" to list' % new_domain_2,
- command=('realmdomains_mod', [], {'add_domain': new_domain_2}),
+ command=('realmdomains_mod', [], {'add_domain': new_domain_2, 'force': True}),
expected=dict(
value=None,
summary=None,
result=dict(
associateddomain=[our_domain, new_domain_1, new_domain_2],
),
+ messages=({u'message': u"The _kerberos TXT record from domain "
+ "%(domain)s could not be created (%(domain)s.: "
+ "DNS zone not found).\nThis can happen if the zone "
+ "is not managed by IPA. Please create the record "
+ "manually, containing the following value: "
+ "'%(realm)s'" % dict(domain=new_domain_2,
+ realm=api.env.realm),
+ u'code': 13011,
+ u'type': u'warning',
+ u'name': u'KerberosTXTRecordCreationFailure'},
+ ),
),
),
dict(
@@ -121,17 +142,45 @@ class test_realmdomains(Declarative):
result=dict(
associateddomain=[our_domain, new_domain_1],
),
+ messages=({u'message': u"The _kerberos TXT record from domain "
+ "%(domain)s could not be removed (%(domain)s.: "
+ "DNS zone not found).\nThis can happen if the zone "
+ "is not managed by IPA. Please remove the record "
+ "manually." % dict(domain=new_domain_2),
+ u'code': 13012,
+ u'type': u'warning',
+ u'name': u'KerberosTXTRecordDeletionFailure'},
+ ),
),
),
dict(
desc='Add domain "%s" and delete domain "%s"' % (new_domain_2, new_domain_1),
- command=('realmdomains_mod', [], {'add_domain': new_domain_2, 'del_domain': new_domain_1}),
+ command=('realmdomains_mod', [], {'add_domain': new_domain_2, 'del_domain': new_domain_1, 'force': True}),
expected=dict(
value=None,
summary=None,
result=dict(
associateddomain=[our_domain, new_domain_2],
),
+ messages=({u'message': u"The _kerberos TXT record from domain "
+ "%(domain)s could not be created (%(domain)s.: "
+ "DNS zone not found).\nThis can happen if the zone "
+ "is not managed by IPA. Please create the record "
+ "manually, containing the following value: "
+ "'%(realm)s'" % dict(domain=new_domain_2,
+ realm=api.env.realm),
+ u'code': 13011,
+ u'type': u'warning',
+ u'name': u'KerberosTXTRecordCreationFailure'},
+ {u'message': u"The _kerberos TXT record from domain "
+ "%(domain)s could not be removed (%(domain)s.: "
+ "DNS zone not found).\nThis can happen if the zone "
+ "is not managed by IPA. Please remove the record "
+ "manually." % dict(domain=new_domain_1),
+ u'code': 13012,
+ u'type': u'warning',
+ u'name': u'KerberosTXTRecordDeletionFailure'},
+ ),
),
),
dict(
@@ -141,31 +190,31 @@ class test_realmdomains(Declarative):
'add_domain': new_domain_1,
}),
expected=errors.MutuallyExclusiveError(
- reason='you cannot specify the --domain option together with --add-domain or --del-domain'),
+ reason='The --domain option cannot be used together with --add-domain or --del-domain. Use --domain to specify the whole realm domain list explicitly, to add/remove individual domains, use --add-domain/del-domain.'),
),
dict(
desc='Try to replace list of realm domains with a list without our domain',
command=('realmdomains_mod', [], {'associateddomain': [new_domain_1]}),
expected=errors.ValidationError(
- name='domain', error='cannot delete domain of IPA server'),
+ name='realmdomain list', error='IPA server domain cannot be omitted'),
),
dict(
desc='Try to replace list of realm domains with a list with an invalid domain "%s"' % bad_domain,
command=('realmdomains_mod', [], {'associateddomain': [our_domain, bad_domain]}),
expected=errors.ValidationError(
- name='domain', error='no SOA or NS records found for domains: %s' % bad_domain),
+ name='domain', error='DNS zone for each realmdomain must contain SOA or NS records. No records found for: %s' % bad_domain),
),
dict(
desc='Try to add an invalid domain "%s"' % bad_domain,
command=('realmdomains_mod', [], {'add_domain': bad_domain}),
expected=errors.ValidationError(
- name='add_domain', error='no SOA or NS records found for domain %s' % bad_domain),
+ name='domain', error='DNS zone for each realmdomain must contain SOA or NS records. No records found for: %s' % bad_domain),
),
dict(
desc='Try to delete our domain',
command=('realmdomains_mod', [], {'del_domain': our_domain}),
expected=errors.ValidationError(
- name='del_domain', error='cannot delete domain of IPA server'),
+ name='del_domain', error='IPA server domain cannot be deleted'),
),
dict(
desc='Try to delete domain which is not in list',
@@ -182,6 +231,17 @@ class test_realmdomains(Declarative):
result=dict(
associateddomain=[our_domain, new_domain_2, bad_domain],
),
+ messages=({u'message': u"The _kerberos TXT record from domain "
+ "%(domain)s could not be created (%(domain)s.: "
+ "DNS zone not found).\nThis can happen if the zone "
+ "is not managed by IPA. Please create the record "
+ "manually, containing the following value: "
+ "'%(realm)s'" % dict(domain=bad_domain,
+ realm=api.env.realm),
+ u'code': 13011,
+ u'type': u'warning',
+ u'name': u'KerberosTXTRecordCreationFailure'},
+ ),
),
),
]
--
2.1.0
--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code