On 27.06.2016 10:56, Petr Spacek wrote:
On 24.6.2016 12:25, Martin Basti wrote:

On 23.06.2016 18:26, Petr Spacek wrote:
On 23.6.2016 16:38, Martin Basti wrote:
Patches attached.


https://fedorahosted.org/freeipa/ticket/2008


freeipa-mbasti-0538-Revert-DNS-Locations-do-not-generate-location-record.patch


  From 28499422115cbfbb343033511319c7c8710e1ff5 Mon Sep 17 00:00:00 2001
From: Martin Basti <mba...@redhat.com>
Date: Tue, 21 Jun 2016 18:04:13 +0200
Subject: [PATCH 1/4] Revert "DNS Locations: do not generate location records
   for unused locations"

This reverts commit bbf8227e3fd678d4bd6659a12055ba3dbe1c8230.

After deeper investigation, we found out that empty locations are needed
for clients, because clients may have cached records for a longer time for
that particular location. The only way to remove a location is to remove
it using location-del.

https://fedorahosted.org/freeipa/ticket/2008
---
   ipaserver/dns_data_management.py | 11 ++++-------
   1 file changed, 4 insertions(+), 7 deletions(-)

diff --git a/ipaserver/dns_data_management.py
b/ipaserver/dns_data_management.py
index
a9e9c0a3856961b5494c8d3ca30ddb2e4aa5c523..eac2e7d1a5618ea92372bd81b7d12752791ef117
100644
--- a/ipaserver/dns_data_management.py
+++ b/ipaserver/dns_data_management.py
@@ -68,7 +68,6 @@ class IPASystemRecords(object):
           self.api_instance = api_instance
           self.domain_abs =
DNSName(self.api_instance.env.domain).make_absolute()
           self.servers_data = {}
-        self.used_locations = set()
           self.__init_data()
         def reload_data(self):
@@ -92,7 +91,6 @@ class IPASystemRecords(object):
         def __init_data(self):
           self.servers_data = {}
-        self.used_locations = set()
             servers_result = self.api_instance.Command.server_find(
               pkey_only=True)['result']
@@ -104,8 +102,6 @@ class IPASystemRecords(object):
                   'location': location,
                   'roles': roles,
               }
-            if location:
-                self.used_locations.add(location)
         def __add_srv_records(
           self, zone_obj, hostname, rname_port_map,
@@ -353,12 +349,13 @@ class IPASystemRecords(object):
                   pkey_only=True)['result']
               servers = [s['cn'][0] for s in servers_result]
   -        # generate only records for used location, records for unassigned
-        # locations are useless
+        locations_result =
self.api_instance.Command.location_find()['result']
+        locations = [l['idnsname'][0] for l in locations_result]
+
           for server in servers:
               self._get_location_dns_records_for_server(
                   zone_obj, server,
-                self.used_locations, roles=roles,
+                locations, roles=roles,
                   include_master_role=include_master_role)
           return zone_obj
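Review bot: The rationale for generating records for every location is no longer written anywhere in the code: the hunk removes the "records for unassigned locations are useless" comment and adds nothing in its place, so a later reader may reinstate exactly the filter this revert removes. Add above the `location_find` call `# Generate records for every location, even ones with no server assigned: clients may still hold cached records for such a location, so it only goes away via location-del`. The comprehension also names its loop variable `l`, which PEP 8 discourages as easily confused with `1`; `locations = [loc['idnsname'][0] for loc in locations_result]` reads better. If the API's configured search size limit applies to `location_find()` as it does to other *-find commands, a deployment with more locations than the limit would silently lose records, which `sizelimit=0` on the call would avoid. The enclosing method starts outside the hunk, and the same hunk reappears unchanged in the re-sent patch 1/4 further down.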
   -- 2.5.5


freeipa-mbasti-0539-DNS-Locations-hide-option-no-msdcs-in-adtrust-instal.patch


  From 37cae4f05cd3c0a2c4de037402938a5437dbc072 Mon Sep 17 00:00:00 2001
From: Martin Basti <mba...@redhat.com>
Date: Tue, 21 Jun 2016 18:17:55 +0200
Subject: [PATCH 2/4] DNS Locations: hide option --no-msdcs in adtrust-install

Since the DNS location mechanism is active, this option has no effect,
because records are generated dynamically.

https://fedorahosted.org/freeipa/ticket/2008
---
   install/tools/ipa-adtrust-install    | 10 +++++++---
   ipaserver/install/adtrustinstance.py | 21 ++++++++-------------
   2 files changed, 15 insertions(+), 16 deletions(-)

diff --git a/install/tools/ipa-adtrust-install
b/install/tools/ipa-adtrust-install
index
5babcdb7cb169e4a944acca55739064e0464d41e..5ba72a65d00ca683239a4ff3c5e7cfdc62c0bb6c
100755
--- a/install/tools/ipa-adtrust-install
+++ b/install/tools/ipa-adtrust-install
@@ -29,6 +29,8 @@ import ldap
     import six
   +from optparse import SUPPRESS_HELP
+
   from ipaserver.install import adtrustinstance
   from ipaserver.install.installutils import (
       read_password,
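Review bot: The new `from optparse import SUPPRESS_HELP` is placed below the third-party `import six` and directly above the `ipaserver` imports, so a standard-library import sits in the wrong group. Move it up with the script's other standard-library imports, which are above the visible lines of this hunk. The same placement recurs in the re-sent patch 2/4.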
@@ -54,9 +56,11 @@ def parse_options():
                         default=False, help="print debugging information")
       parser.add_option("--netbios-name", dest="netbios_name",
                         help="NetBIOS name of the IPA domain")
+
+    # no-msdcs has not effect, option is here just for backward compatibility
       parser.add_option("--no-msdcs", dest="no_msdcs", action="store_true",
-                      default=False, help="Do not create DNS service
records " \
-                                          "for Windows in managed DNS
server")
+                      default=False, help=SUPPRESS_HELP)
+
       parser.add_option("--rid-base", dest="rid_base", type=int, default=1000,
                         help="Start value for mapping UIDs and GIDs to RIDs")
       parser.add_option("--secondary-rid-base", dest="secondary_rid_base",
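Review bot: The new comment reads `# no-msdcs has not effect, option is here just for backward compatibility`, which is ungrammatical and does not say what happens instead; `# --no-msdcs has no effect any more (the records are generated automatically); kept only so old command lines still parse` states both. Hiding the option with `SUPPRESS_HELP` while keeping it parseable means a caller that still passes `--no-msdcs` gets no feedback that the service records it asked to suppress are now created regardless, so a one-line warning when the flag is set would be appropriate once the options are parsed. parse_options() starts and ends outside the hunk; the same hunk reappears in the re-sent patch 2/4.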
@@ -390,7 +394,7 @@ def main():
       smb.setup(api.env.host, api.env.realm,
                 netbios_name, reset_netbios_name,
                 options.rid_base, options.secondary_rid_base,
-              options.no_msdcs, options.add_sids,
+              options.add_sids,
                 enable_compat = options.enable_compat)
       smb.find_local_id_range()
       smb.create_instance()
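Review bot: The only visible consumer of `options.no_msdcs` is removed from the `smb.setup(...)` call, yet the option still parses, so a user who passes `--no-msdcs` to keep the Windows service records out of DNS gets them created with no indication that the request was ignored. Before the `smb.setup(...)` call add `if options.no_msdcs:` followed by a one-line user-facing message such as `print("--no-msdcs has no effect; DNS service records are now managed automatically")`, or the script's usual logging call if it has one. main() starts and ends outside the hunk; the same hunk reappears in the re-sent patch 2/4.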
diff --git a/ipaserver/install/adtrustinstance.py
b/ipaserver/install/adtrustinstance.py
index
6ab15df27216580d440ce72386113d6872c046b2..0114a33a046b863b7e901c3d6f02044f18c45f85
100644
--- a/ipaserver/install/adtrustinstance.py
+++ b/ipaserver/install/adtrustinstance.py
@@ -124,7 +124,6 @@ class ADTRUSTInstance(service.Service):
       def __init__(self, fstore=None):
           self.netbios_name = None
           self.reset_netbios_name = None
-        self.no_msdcs = None
           self.add_sids = None
           self.smbd_user = None
           self.smb_dn_pwd = None
@@ -585,17 +584,14 @@ class ADTRUSTInstance(service.Service):
             err_msg = None
   -        if self.no_msdcs:
-            err_msg = '--no-msdcs was given, special DNS service records ' \
-                      'are not added to local DNS server'
+        ret = api.Command['dns_is_enabled']()
+        if not ret['result']:
+            err_msg = "DNS management was not enabled at install time."
           else:
-            ret = api.Command['dns_is_enabled']()
-            if not ret['result']:
-                err_msg = "DNS management was not enabled at install time."
-            else:
-                if not dns_zone_exists(zone):
-                    err_msg = "DNS zone %s cannot be managed " \
-                              "as it is not defined in IPA" % zone
+            if not dns_zone_exists(zone):
+                err_msg = (
+                    "DNS zone %s cannot be managed as it is not defined in "
+                    "IPA" % zone)
             if err_msg:
               self.print_msg(err_msg)
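Review bot: The new branch still nests `if not dns_zone_exists(zone):` one level under `else:` even though flattening the removed no_msdcs check was the point of the rewrite; `elif not dns_zone_exists(zone):` at the same level as the `if not ret['result']:` test removes the remaining indentation and the bare `else:`. The wrapped `err_msg = ("DNS zone %s cannot be managed as it is not defined in " "IPA" % zone)` is correct as written, since adjacent literals are joined at compile time before `%` is applied, but a single literal would spare the next reader that check. The enclosing method starts and ends outside the hunk, and the same hunk reappears in the re-sent patch 2/4.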
@@ -766,7 +762,7 @@ class ADTRUSTInstance(service.Service):
         def setup(self, fqdn, realm_name, netbios_name,
                 reset_netbios_name, rid_base, secondary_rid_base,
-              no_msdcs=False, add_sids=False, smbd_user="samba",
+              add_sids=False, smbd_user="samba",
                 enable_compat=False):
           self.fqdn = fqdn
           self.realm = realm_name
@@ -774,7 +770,6 @@ class ADTRUSTInstance(service.Service):
           self.reset_netbios_name = reset_netbios_name
           self.rid_base = rid_base
           self.secondary_rid_base = secondary_rid_base
-        self.no_msdcs = no_msdcs
           self.add_sids = add_sids
           self.enable_compat = enable_compat
           self.smbd_user = smbd_user
-- 2.5.5


freeipa-mbasti-0540-DNS-Locations-optimization-use-server-find-to-get-in.patch


  From 86a3e48bd2494867cdf538d6902ef65cbaada1af Mon Sep 17 00:00:00 2001
From: Martin Basti <mba...@redhat.com>
Date: Wed, 22 Jun 2016 13:12:52 +0200
Subject: [PATCH 3/4] DNS Locations: optimization: use server-find to get
   information

Because of separate server-show calls, getting server data is quite
slow. This commit replaces several server-show calls with one server-find
command. There are future plans to improve the speed of server-find that
will be beneficial for DNS locations.

https://fedorahosted.org/freeipa/ticket/2008
---
   ipaserver/dns_data_management.py | 10 ++++------
   1 file changed, 4 insertions(+), 6 deletions(-)

diff --git a/ipaserver/dns_data_management.py
b/ipaserver/dns_data_management.py
index
eac2e7d1a5618ea92372bd81b7d12752791ef117..e7f65958fb908426ad186b327c3e8cb8f37d66f4
100644
--- a/ipaserver/dns_data_management.py
+++ b/ipaserver/dns_data_management.py
@@ -78,8 +78,7 @@ class IPASystemRecords(object):
           """
           self.__init_data()
   -    def __get_server_attrs(self, hostname):
-        server_result =
self.api_instance.Command.server_show(hostname)['result']
+    def __get_server_attrs(self, server_result):
           weight = int(server_result.get('ipaserviceweight', [u'100'])[0])
           location = server_result.get('ipalocation_location', [None])[0]
           roles = set(server_result.get('enabled_role_servrole', ()))
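Review bot: `__get_server_attrs` changes its contract from taking a hostname to taking a `server_find` result entry, and nothing in the code says so: the parameter is still named `server_result` and there is no docstring. Add `"""Return (weight, location, roles) read from one server_find result entry."""` under the new signature; the caller in the next hunk unpacks exactly those three values. The method's body continues outside the hunk, and the same hunk reappears in the re-sent patch 3/4.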
@@ -93,11 +92,10 @@ class IPASystemRecords(object):
           self.servers_data = {}
             servers_result = self.api_instance.Command.server_find(
-            pkey_only=True)['result']
-        servers = [s['cn'][0] for s in servers_result]
-        for s in servers:
+            no_members=False)['result']
+        for s in servers_result:
               weight, location, roles = self.__get_server_attrs(s)
-            self.servers_data[s] = {
+            self.servers_data[s['cn'][0]] = {
                   'weight': weight,
                   'location': location,
                   'roles': roles,
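Review bot: Replacing one `server_show` per host with a single `server_find(no_members=False)` call makes the whole generated record set depend on that one result being complete: if the API's configured search size limit applies here as it does to other *-find commands, servers beyond the limit would silently get no SRV records, so consider `sizelimit=0` on the call. Likewise `__get_server_attrs` falls back to an empty role set when `enabled_role_servrole` is absent, so it is worth confirming that `server_find` populates that attribute for every entry the way `server_show` did; otherwise a server would silently vanish from the generated zone instead of failing loudly. `__init_data` continues outside the hunk, and the same hunk reappears in the re-sent patch 3/4.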
-- 2.5.5


freeipa-mbasti-0541-DNS-Locations-cleanup-of-bininstance.patch


  From 6161501cc11a25b811bd56ba0244b00eaa9edbe0 Mon Sep 17 00:00:00 2001
From: Martin Basti <mba...@redhat.com>
Date: Thu, 23 Jun 2016 14:50:11 +0200
Subject: [PATCH 4/4] DNS Locations: cleanup of bininstance

We no longer need:
* the sample zone file - a list of all records required by IPA will be
provided

* NTP related params - DNS records will be updated automatically,
based on LDAP values

* CA related params - DNS records will be updated automatically based
on LDAP values

https://fedorahosted.org/freeipa/ticket/2008
---
   install/share/bind.zone.db.template        | 29 ---------------
   ipaserver/dns_data_management.py           |  9 +++++
   ipaserver/install/bindinstance.py          | 58
++++++++----------------------
   ipaserver/install/dns.py                   |  5 ++-
   ipaserver/install/server/install.py        |  8 ++---
   ipaserver/install/server/replicainstall.py |  4 +--
   6 files changed, 30 insertions(+), 83 deletions(-)
   delete mode 100644 install/share/bind.zone.db.template

diff --git a/install/share/bind.zone.db.template
b/install/share/bind.zone.db.template
deleted file mode 100644
index
ec175c60825869ea9b86f7d1351a96189028b5d4..0000000000000000000000000000000000000000

--- a/install/share/bind.zone.db.template
+++ /dev/null
@@ -1,29 +0,0 @@
-$$ORIGIN $DOMAIN.
-$$TTL    86400
-@            IN SOA    $DOMAIN. $ZONEMGR (
-                01        ; serial
-                3H        ; refresh
-                15M        ; retry
-                1W        ; expiry
-                1D )        ; minimum
-
-                IN NS            $HOST
-$HOST            IN A            $IP
-;
-; ldap servers
-_ldap._tcp        IN SRV 0 100 389    $HOST
-
-;kerberos realm
-_kerberos        IN TXT $REALM
-
-; kerberos servers
-_kerberos._tcp        IN SRV 0 100 88        $HOST
-_kerberos._udp        IN SRV 0 100 88        $HOST
-_kerberos-master._tcp    IN SRV 0 100 88        $HOST
-_kerberos-master._udp    IN SRV 0 100 88        $HOST
-_kpasswd._tcp        IN SRV 0 100 464    $HOST
-_kpasswd._udp        IN SRV 0 100 464    $HOST
-$OPTIONAL_NTP
-
-; CNAME for IPA CA replicas (used for CRL, OCSP)
-$IPA_CA_RECORD
diff --git a/ipaserver/dns_data_management.py
b/ipaserver/dns_data_management.py
index
e7f65958fb908426ad186b327c3e8cb8f37d66f4..48717c7c478ea4ea62e6cdfe169fd9fe99c0880b
100644
--- a/ipaserver/dns_data_management.py
+++ b/ipaserver/dns_data_management.py
@@ -477,3 +477,12 @@ class IPASystemRecords(object):
                       )
                   )
           return records
+
+    @classmethod
+    def records_list_from_zone(cls, zone_obj, sort=True):
+        records = []
+        for name, node in zone_obj.items():
+            records.extend(IPASystemRecords.records_list_from_node(name,
node))
+        if sort:
+            records.sort()
+        return records
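Review bot: `records_list_from_zone` is a `@classmethod` but calls `IPASystemRecords.records_list_from_node(...)` through the class name instead of `cls.records_list_from_node(name, node)`, which defeats the point of receiving `cls` and bypasses any override in a subclass. The method also has no docstring; add `"""Flatten a zone object into a list of record lines, sorted unless sort=False."""` (the caller in bindinstance joins the result with `u'\n'`, so the elements are text). The loop-and-extend can be a comprehension, `records = [r for name, node in zone_obj.items() for r in cls.records_list_from_node(name, node)]`. The same hunk reappears in the re-sent patch 4/4.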
diff --git a/ipaserver/install/bindinstance.py
b/ipaserver/install/bindinstance.py
index
08c32f4837a5b4f72b78a52002a58c888db6cc91..a63b2dfd329f7cf535c2cf6e2d83b5c86fdddacf
100644
--- a/ipaserver/install/bindinstance.py
+++ b/ipaserver/install/bindinstance.py
@@ -623,9 +623,9 @@ class BindInstance(service.Service):
       suffix = ipautil.dn_attribute_property('_suffix')
         def setup(self, fqdn, ip_addresses, realm_name, domain_name,
forwarders,
-              forward_policy, ntp, reverse_zones,
+              forward_policy, reverse_zones,
                 named_user=constants.NAMED_USER, zonemgr=None,
-              ca_configured=None, no_dnssec_validation=False):
+              no_dnssec_validation=False):
           self.named_user = named_user
           self.fqdn = fqdn
           self.ip_addresses = ip_addresses
@@ -635,9 +635,7 @@ class BindInstance(service.Service):
           self.forward_policy = forward_policy
           self.host = fqdn.split(".")[0]
           self.suffix = ipautil.realm_to_suffix(self.realm)
-        self.ntp = ntp
           self.reverse_zones = reverse_zones
-        self.ca_configured = ca_configured
           self.no_dnssec_validation=no_dnssec_validation
             if not zonemgr:
@@ -666,12 +664,17 @@ class BindInstance(service.Service):
       def host_in_default_domain(self):
           return normalize_zone(self.host_domain) ==
normalize_zone(self.domain)
   -    def create_sample_bind_zone(self):
-        bind_txt = ipautil.template_file(ipautil.SHARE_DIR +
"bind.zone.db.template", self.sub_dict)
-        [bind_fd, bind_name] = tempfile.mkstemp(".db","sample.zone.")
-        os.write(bind_fd, bind_txt)
-        os.close(bind_fd)
-        print("Sample zone file for bind has been created in "+bind_name)
+    def create_file_with_system_records(self):
+        system_records = IPASystemRecords(self.api)
+        text = u'\n'.join(
+            IPASystemRecords.records_list_from_zone(
+                system_records.get_base_records()
+            )
+        )
+        [fd, name] = tempfile.mkstemp(".db","ipa.system.records.")
+        os.write(fd, text)
+        os.close(fd)
+        print("Please add records in this file to your DNS system:", name)
         def create_instance(self):
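Review bot: `os.write(fd, text)` is handed the `unicode` value built by `u'\n'.join(...)`; on Python 3 `os.write` accepts only bytes, and on either version `os.write` may write fewer bytes than requested without raising, so the file handed to the administrator can be silently truncated (the code base appears to target both interpreters, given the `import six` in patch 2). Replace the `mkstemp`/`os.write`/`os.close` trio with `fd, name = tempfile.mkstemp(".db", "ipa.system.records.")` followed by `with os.fdopen(fd, 'w') as f: f.write(text)`, which also closes the descriptor if the write raises. `print("Please add records in this file to your DNS system:", name)` prints a tuple under Python 2 unless the module imports `print_function`, which is not visible here; the replaced `create_sample_bind_zone` used string concatenation and so was safe on both. The enclosing class continues outside the hunk; the same hunk reappears in the re-sent patch 4/4.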
   @@ -761,41 +764,10 @@ class BindInstance(service.Service):
               root_logger.debug("Unable to mask named (%s)", e)
         def __setup_sub_dict(self):
-        if self.forwarders:
-            fwds = "\n"
-            for forwarder in self.forwarders:
-                fwds += "\t\t%s;\n" % forwarder
-            fwds += "\t"
-        else:
-            fwds = " "
-
-        if self.ntp:
-            optional_ntp =  "\n;ntp server\n"
-            optional_ntp += "_ntp._udp\t\tIN SRV 0 100 123\t%s" %
self.host_in_rr
-        else:
-            optional_ntp = ""
-
-        ipa_ca = ""
-        for addr in self.ip_addresses:
-            if addr.version in (4, 6):
-                ipa_ca += "%s\t\t\tIN %s\t\t\t%s\n" % (
-                    IPA_CA_RECORD,
-                    "A" if addr.version == 4 else "AAAA",
-                    str(addr))
-
           self.sub_dict = dict(
               FQDN=self.fqdn,
-            IP=[str(ip) for ip in self.ip_addresses],
-            DOMAIN=self.domain,
-            HOST=self.host,
-            REALM=self.realm,
               SERVER_ID=installutils.realm_to_serverid(self.realm),
-            FORWARDERS=fwds,
-            FORWARD_POLICY=self.forward_policy,
               SUFFIX=self.suffix,
-            OPTIONAL_NTP=optional_ntp,
-            ZONEMGR=self.zonemgr,
-            IPA_CA_RECORD=ipa_ca,
               BINDKEYS_FILE=paths.NAMED_BINDKEYS_FILE,
               MANAGED_KEYS_DIR=paths.NAMED_MANAGED_KEYS_DIR,
               ROOT_KEY=paths.NAMED_ROOT_KEY,
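Review bot: The hunk drops `IP`, `DOMAIN`, `HOST`, `REALM`, `FORWARDERS`, `FORWARD_POLICY`, `OPTIONAL_NTP`, `ZONEMGR` and `IPA_CA_RECORD` from `sub_dict`, but only `bind.zone.db.template` is deleted by this patch; if any other template rendered from this dictionary (the named configuration templates, for instance) still contains one of those `$PLACEHOLDER` keys, substitution would either fail or leave the placeholder in the generated file. A grep of the remaining templates for the removed keys before merging would settle it. `self.forwarders` and `self.forward_policy` are still stored by `setup` but no longer read here, which is fine only if they are consumed elsewhere. The rest of `__setup_sub_dict` continues outside the hunk; the same hunk reappears in the re-sent patch 4/4.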
@@ -1026,16 +998,14 @@ class BindInstance(service.Service):
           ipautil.run([paths.GENERATE_RNDC_KEY])
         def add_master_dns_records(self, fqdn, ip_addresses, realm_name,
domain_name,
-                               reverse_zones, ntp=False, ca_configured=None):
+                               reverse_zones):
           self.fqdn = fqdn
           self.ip_addresses = ip_addresses
           self.realm = realm_name
           self.domain = domain_name
           self.host = fqdn.split(".")[0]
           self.suffix = ipautil.realm_to_suffix(self.realm)
-        self.ntp = ntp
           self.reverse_zones = reverse_zones
-        self.ca_configured = ca_configured
           self.first_instance = False
           self.zonemgr = 'hostmaster.%s' % self.domain
   diff --git a/ipaserver/install/dns.py b/ipaserver/install/dns.py
index
2ea11739e07c73132bddee01309af618532e9815..44ebd39dfa7f1d947061c3b4c0347242f8502be0
100644
--- a/ipaserver/install/dns.py
+++ b/ipaserver/install/dns.py
@@ -329,10 +329,9 @@ def install(standalone, replica, options, api=api):
       bind = bindinstance.BindInstance(fstore, ldapi=True, api=api,
                                        autobind=AUTOBIND_ENABLED)
       bind.setup(api.env.host, ip_addresses, api.env.realm, api.env.domain,
-               options.forwarders, options.forward_policy, conf_ntp,
+               options.forwarders, options.forward_policy,
                  reverse_zones, zonemgr=options.zonemgr,
-               no_dnssec_validation=options.no_dnssec_validation,
-               ca_configured=options.setup_ca)
+               no_dnssec_validation=options.no_dnssec_validation)
         if standalone and not options.unattended:
           print("")
diff --git a/ipaserver/install/server/install.py
b/ipaserver/install/server/install.py
index
930cca7b31ca06c04ab92deff49b6a4f198c2b6e..c28c095fb3cccd4cd412c0496374050434e438a1
100644
--- a/ipaserver/install/server/install.py
+++ b/ipaserver/install/server/install.py
@@ -848,17 +848,17 @@ def install(installer):
       if setup_ca:
           services.knownservices['pki_tomcatd'].restart('pki-tomcat')
   +    api.Backend.ldap2.connect(autobind=True)
       if options.setup_dns:
-        api.Backend.ldap2.connect(autobind=True)
           dns.install(False, False, options)
       else:
           # Create a BIND instance
           bind = bindinstance.BindInstance(fstore, dm_password)
           bind.setup(host_name, ip_addresses, realm_name,
-                   domain_name, (), 'first', not options.no_ntp, (),
-                   zonemgr=options.zonemgr, ca_configured=setup_ca,
+                   domain_name, (), 'first', (),
+                   zonemgr=options.zonemgr,
                      no_dnssec_validation=options.no_dnssec_validation)
-        bind.create_sample_bind_zone()
+        bind.create_file_with_system_records()
         # Restart httpd to pick up the new IPA configuration
       service.print_msg("Restarting the web server")
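Review bot: `api.Backend.ldap2.connect(autobind=True)` now runs on both branches, presumably because the new `create_file_with_system_records` builds `IPASystemRecords(self.api)` and needs a live connection; it is worth confirming that on the non-DNS path ldap2 is not already connected by an earlier step, since a second connect on the same backend may be rejected. The `BindInstance(fstore, dm_password)` constructed here is not given `api=api` the way the dns.py call site is, so `self.api` inside the new method must resolve to the same connected instance through the service base class default, which is not visible in this hunk. The enclosing `install` starts and ends outside the hunk; the same hunk reappears in the re-sent patch 4/4.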
diff --git a/ipaserver/install/server/replicainstall.py
b/ipaserver/install/server/replicainstall.py
index
52b2ea5b0691cd99c6cb566af5a15af3b2dffb14..0277d324a60b2893dda57119453dabf5df28ea10
100644
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
@@ -210,9 +210,7 @@ def install_dns_records(config, options, remote_api):
                                           str(ip),
                                           config.realm_name,
                                           config.domain_name,
-                                        reverse_zone,
-                                        not options.no_ntp,
-                                        options.setup_ca)
+                                        reverse_zone)
       except errors.NotFound as e:
           root_logger.debug('Replica DNS records could not be added '
                             'on master: %s', str(e))
-- 2.5.5
While testing this patch I've found out that ipa-dns-install does not work
idempotently anymore and explodes when re-run.

I'm not sure what is the root cause yet.

# ipa-dns-install --forwarder 10.34.78.1

WARNING: yacc table file version is out of date

The log file for this installation can be found in
/var/log/ipaserver-install.log
==============================================================================
This program will setup DNS for the FreeIPA Server.

This includes:
    * Configure DNS (bind)
    * Configure SoftHSM (required by DNSSEC)
    * Configure ipa-dnskeysyncd (required by DNSSEC)

NOTE: DNSSEC zone signing is not enabled by default


To accept the default shown in brackets, press the Enter key.

Checking DNS forwarders, please wait ...
Do you want to search for missing reverse zones? [yes]:

The following operations may take some minutes to complete.
Please wait until the prompt is returned.

Configuring DNS (named)
    [1/8]: generating rndc key file
    [2/8]: setting up our own record
ipa         : ERROR    DNS query for
vm-058-082.abc.idm.lab.eng.brq.redhat.com. A failed: The DNS operation timed
out after 30.0012078285 seconds
    [error] DNSResolverError: The DNS operation timed out after 30.0012078285
seconds
Unexpected error - see /var/log/ipaserver-install.log for details:
DNSResolverError: The DNS operation timed out after 30.0012078285 seconds

2016-06-23T15:41:54Z DEBUG   [2/8]: setting up our own record
2016-06-23T15:41:54Z DEBUG raw:
dnszone_show(u'abc.idm.lab.eng.brq.redhat.com', version=u'2.199')
2016-06-23T15:41:54Z DEBUG dnszone_show(<DNS name
abc.idm.lab.eng.brq.redhat.com.>, rights=False, all=False, raw=False,
version=u'2.199')
2016-06-23T15:42:24Z ERROR DNS query for
vm-058-082.abc.idm.lab.eng.brq.redhat.com. A failed: The DNS operation timed
out after 30.0012078285 seconds
2016-06-23T15:42:24Z DEBUG Traceback (most recent call last):
    File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line
448, in start_creation
      run_step(full_msg, method)
    File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line
438, in run_step
      method()
    File "/usr/lib/python2.7/site-packages/ipaserver/install/bindinstance.py",
line 860, in __add_self
      self.__add_master_records(self.fqdn, self.ip_addresses)
    File "/usr/lib/python2.7/site-packages/ipaserver/install/bindinstance.py",
line 843, in __add_master_records
      verify_host_resolvable(fqdn)
    File "/usr/lib/python2.7/site-packages/ipalib/util.py", line 76, in
verify_host_resolvable
      raise errors.DNSResolverError(exception=ex)
DNSResolverError: The DNS operation timed out after 30.0012078285 seconds
IMO this is the same case as https://fedorahosted.org/freeipa/ticket/5962: we
changed the resolution of the server hostname from gethostbyname() to pure DNS

Workaround is to set nameserver to /etc/resolv.conf


I was not able to test replica installation because of some weird ACI problem
somewhere, replica install is failing with ACIError while adding ldap/replica
principal. This is probably a regression from some other patchset.

https://fedorahosted.org/freeipa/ticket/5996
NACK

make[5]: *** No rule to make target 'bind.zone.db.template', needed by
'all-am'.  Stop.

I'm not exactly sure how I missed this before, possibly git clean -xdf was
missing ...

My bad

updated patches attached.
From ff8926bb651772e4ff0ea1c4781690387243e638 Mon Sep 17 00:00:00 2001
From: Martin Basti <mba...@redhat.com>
Date: Tue, 21 Jun 2016 18:04:13 +0200
Subject: [PATCH 1/4] Revert "DNS Locations: do not generate location records
 for unused locations"

This reverts commit bbf8227e3fd678d4bd6659a12055ba3dbe1c8230.

After deeper investigation, we found out that empty locations are needed
for clients, because clients may have cached records for a longer time for
that particular location. The only way to remove a location is to remove
it using location-del.

https://fedorahosted.org/freeipa/ticket/2008
---
 ipaserver/dns_data_management.py | 11 ++++-------
 1 file changed, 4 insertions(+), 7 deletions(-)

diff --git a/ipaserver/dns_data_management.py b/ipaserver/dns_data_management.py
index a9e9c0a3856961b5494c8d3ca30ddb2e4aa5c523..eac2e7d1a5618ea92372bd81b7d12752791ef117 100644
--- a/ipaserver/dns_data_management.py
+++ b/ipaserver/dns_data_management.py
@@ -68,7 +68,6 @@ class IPASystemRecords(object):
         self.api_instance = api_instance
         self.domain_abs = DNSName(self.api_instance.env.domain).make_absolute()
         self.servers_data = {}
-        self.used_locations = set()
         self.__init_data()
 
     def reload_data(self):
@@ -92,7 +91,6 @@ class IPASystemRecords(object):
 
     def __init_data(self):
         self.servers_data = {}
-        self.used_locations = set()
 
         servers_result = self.api_instance.Command.server_find(
             pkey_only=True)['result']
@@ -104,8 +102,6 @@ class IPASystemRecords(object):
                 'location': location,
                 'roles': roles,
             }
-            if location:
-                self.used_locations.add(location)
 
     def __add_srv_records(
         self, zone_obj, hostname, rname_port_map,
@@ -353,12 +349,13 @@ class IPASystemRecords(object):
                 pkey_only=True)['result']
             servers = [s['cn'][0] for s in servers_result]
 
-        # generate only records for used location, records for unassigned
-        # locations are useless
+        locations_result = self.api_instance.Command.location_find()['result']
+        locations = [l['idnsname'][0] for l in locations_result]
+
         for server in servers:
             self._get_location_dns_records_for_server(
                 zone_obj, server,
-                self.used_locations, roles=roles,
+                locations, roles=roles,
                 include_master_role=include_master_role)
         return zone_obj
 
-- 
2.5.5

From 4cea3673c01dac3dd6342b0949f3894eba9a515c Mon Sep 17 00:00:00 2001
From: Martin Basti <mba...@redhat.com>
Date: Tue, 21 Jun 2016 18:17:55 +0200
Subject: [PATCH 2/4] DNS Locations: hide option --no-msdcs in adtrust-install

Since the DNS location mechanism is active, this option has no effect,
because records are generated dynamically.

https://fedorahosted.org/freeipa/ticket/2008
---
 install/tools/ipa-adtrust-install    | 10 +++++++---
 ipaserver/install/adtrustinstance.py | 21 ++++++++-------------
 2 files changed, 15 insertions(+), 16 deletions(-)

diff --git a/install/tools/ipa-adtrust-install b/install/tools/ipa-adtrust-install
index 5babcdb7cb169e4a944acca55739064e0464d41e..5ba72a65d00ca683239a4ff3c5e7cfdc62c0bb6c 100755
--- a/install/tools/ipa-adtrust-install
+++ b/install/tools/ipa-adtrust-install
@@ -29,6 +29,8 @@ import ldap
 
 import six
 
+from optparse import SUPPRESS_HELP
+
 from ipaserver.install import adtrustinstance
 from ipaserver.install.installutils import (
     read_password,
@@ -54,9 +56,11 @@ def parse_options():
                       default=False, help="print debugging information")
     parser.add_option("--netbios-name", dest="netbios_name",
                       help="NetBIOS name of the IPA domain")
+
+    # no-msdcs has not effect, option is here just for backward compatibility
     parser.add_option("--no-msdcs", dest="no_msdcs", action="store_true",
-                      default=False, help="Do not create DNS service records " \
-                                          "for Windows in managed DNS server")
+                      default=False, help=SUPPRESS_HELP)
+
     parser.add_option("--rid-base", dest="rid_base", type=int, default=1000,
                       help="Start value for mapping UIDs and GIDs to RIDs")
     parser.add_option("--secondary-rid-base", dest="secondary_rid_base",
@@ -390,7 +394,7 @@ def main():
     smb.setup(api.env.host, api.env.realm,
               netbios_name, reset_netbios_name,
               options.rid_base, options.secondary_rid_base,
-              options.no_msdcs, options.add_sids,
+              options.add_sids,
               enable_compat = options.enable_compat)
     smb.find_local_id_range()
     smb.create_instance()
diff --git a/ipaserver/install/adtrustinstance.py b/ipaserver/install/adtrustinstance.py
index 6ab15df27216580d440ce72386113d6872c046b2..0114a33a046b863b7e901c3d6f02044f18c45f85 100644
--- a/ipaserver/install/adtrustinstance.py
+++ b/ipaserver/install/adtrustinstance.py
@@ -124,7 +124,6 @@ class ADTRUSTInstance(service.Service):
     def __init__(self, fstore=None):
         self.netbios_name = None
         self.reset_netbios_name = None
-        self.no_msdcs = None
         self.add_sids = None
         self.smbd_user = None
         self.smb_dn_pwd = None
@@ -585,17 +584,14 @@ class ADTRUSTInstance(service.Service):
 
         err_msg = None
 
-        if self.no_msdcs:
-            err_msg = '--no-msdcs was given, special DNS service records ' \
-                      'are not added to local DNS server'
+        ret = api.Command['dns_is_enabled']()
+        if not ret['result']:
+            err_msg = "DNS management was not enabled at install time."
         else:
-            ret = api.Command['dns_is_enabled']()
-            if not ret['result']:
-                err_msg = "DNS management was not enabled at install time."
-            else:
-                if not dns_zone_exists(zone):
-                    err_msg = "DNS zone %s cannot be managed " \
-                              "as it is not defined in IPA" % zone
+            if not dns_zone_exists(zone):
+                err_msg = (
+                    "DNS zone %s cannot be managed as it is not defined in "
+                    "IPA" % zone)
 
         if err_msg:
             self.print_msg(err_msg)
@@ -766,7 +762,7 @@ class ADTRUSTInstance(service.Service):
 
     def setup(self, fqdn, realm_name, netbios_name,
               reset_netbios_name, rid_base, secondary_rid_base,
-              no_msdcs=False, add_sids=False, smbd_user="samba",
+              add_sids=False, smbd_user="samba",
               enable_compat=False):
         self.fqdn = fqdn
         self.realm = realm_name
@@ -774,7 +770,6 @@ class ADTRUSTInstance(service.Service):
         self.reset_netbios_name = reset_netbios_name
         self.rid_base = rid_base
         self.secondary_rid_base = secondary_rid_base
-        self.no_msdcs = no_msdcs
         self.add_sids = add_sids
         self.enable_compat = enable_compat
         self.smbd_user = smbd_user
-- 
2.5.5

From 0c736a88d29509f3017660eec39af663a5d62a09 Mon Sep 17 00:00:00 2001
From: Martin Basti <mba...@redhat.com>
Date: Wed, 22 Jun 2016 13:12:52 +0200
Subject: [PATCH 3/4] DNS Locations: optimization: use server-find to get
 information

Because of separate server-show calls, getting server data is quite
slow. This commit replaces several server-show calls with one server-find
command. There are future plans to improve the speed of server-find that
will be beneficial for DNS locations.

https://fedorahosted.org/freeipa/ticket/2008
---
 ipaserver/dns_data_management.py | 10 ++++------
 1 file changed, 4 insertions(+), 6 deletions(-)

diff --git a/ipaserver/dns_data_management.py b/ipaserver/dns_data_management.py
index eac2e7d1a5618ea92372bd81b7d12752791ef117..e7f65958fb908426ad186b327c3e8cb8f37d66f4 100644
--- a/ipaserver/dns_data_management.py
+++ b/ipaserver/dns_data_management.py
@@ -78,8 +78,7 @@ class IPASystemRecords(object):
         """
         self.__init_data()
 
-    def __get_server_attrs(self, hostname):
-        server_result = self.api_instance.Command.server_show(hostname)['result']
+    def __get_server_attrs(self, server_result):
         weight = int(server_result.get('ipaserviceweight', [u'100'])[0])
         location = server_result.get('ipalocation_location', [None])[0]
         roles = set(server_result.get('enabled_role_servrole', ()))
@@ -93,11 +92,10 @@ class IPASystemRecords(object):
         self.servers_data = {}
 
         servers_result = self.api_instance.Command.server_find(
-            pkey_only=True)['result']
-        servers = [s['cn'][0] for s in servers_result]
-        for s in servers:
+            no_members=False)['result']
+        for s in servers_result:
             weight, location, roles = self.__get_server_attrs(s)
-            self.servers_data[s] = {
+            self.servers_data[s['cn'][0]] = {
                 'weight': weight,
                 'location': location,
                 'roles': roles,
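Review bot: The new `server_find(no_members=False)` call is not given `sizelimit=0`, so in a deployment with more servers than the configured search size limit the result could be silently truncated and the missing servers would get no location records; whether that can happen depends on server_find's default limit, which is not visible here, so it is worth confirming. If truncation is possible, `servers_result = self.api_instance.Command.server_find(no_members=False, sizelimit=0)['result']` makes the intent explicit. `__init_data` continues past the end of the hunk.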
-- 
2.5.5

From 34e549e3711b14d911b5854d436de098aa2a53f5 Mon Sep 17 00:00:00 2001
From: Martin Basti <mba...@redhat.com>
Date: Thu, 23 Jun 2016 14:50:11 +0200
Subject: [PATCH 4/4] DNS Locations: cleanup of bininstance

We don't need anymore:
* sample of zone file - list of all records required by IPA will be
provided

* NTP related params - DNS records will be updated automatically,
based on LDAP values

* CA related params - DNS records will be updated automatically based
on LDAP values

https://fedorahosted.org/freeipa/ticket/2008
---
 install/share/Makefile.am                  |  1 -
 install/share/bind.zone.db.template        | 29 ---------------
 ipaserver/dns_data_management.py           |  9 +++++
 ipaserver/install/bindinstance.py          | 58 ++++++++----------------------
 ipaserver/install/dns.py                   |  5 ++-
 ipaserver/install/server/install.py        |  8 ++---
 ipaserver/install/server/replicainstall.py |  4 +--
 7 files changed, 30 insertions(+), 84 deletions(-)
 delete mode 100644 install/share/bind.zone.db.template

diff --git a/install/share/Makefile.am b/install/share/Makefile.am
index 3a3bd2699efaf45ab79dd0257c2d26e7952891eb..cd1c164e372e1daf8ac59bbc3f9edc10ea6a2853 100644
--- a/install/share/Makefile.am
+++ b/install/share/Makefile.am
@@ -43,7 +43,6 @@ app_DATA =				\
 	kerberos.ldif			\
 	indices.ldif			\
 	bind.named.conf.template	\
-	bind.zone.db.template		\
 	certmap.conf.template		\
 	kdc.conf.template		\
 	kdc_extensions.template		\
diff --git a/install/share/bind.zone.db.template b/install/share/bind.zone.db.template
deleted file mode 100644
index ec175c60825869ea9b86f7d1351a96189028b5d4..0000000000000000000000000000000000000000
--- a/install/share/bind.zone.db.template
+++ /dev/null
@@ -1,29 +0,0 @@
-$$ORIGIN $DOMAIN.
-$$TTL	86400
-@			IN SOA	$DOMAIN. $ZONEMGR (
-				01		; serial 
-				3H		; refresh
-				15M		; retry
-				1W		; expiry
-				1D )		; minimum
-
-        		IN NS			$HOST
-$HOST			IN A			$IP
-;
-; ldap servers
-_ldap._tcp		IN SRV 0 100 389	$HOST
-
-;kerberos realm
-_kerberos		IN TXT $REALM
-
-; kerberos servers
-_kerberos._tcp		IN SRV 0 100 88		$HOST
-_kerberos._udp		IN SRV 0 100 88		$HOST
-_kerberos-master._tcp	IN SRV 0 100 88		$HOST
-_kerberos-master._udp	IN SRV 0 100 88		$HOST
-_kpasswd._tcp		IN SRV 0 100 464	$HOST
-_kpasswd._udp		IN SRV 0 100 464	$HOST
-$OPTIONAL_NTP
-
-; CNAME for IPA CA replicas (used for CRL, OCSP)
-$IPA_CA_RECORD
diff --git a/ipaserver/dns_data_management.py b/ipaserver/dns_data_management.py
index e7f65958fb908426ad186b327c3e8cb8f37d66f4..48717c7c478ea4ea62e6cdfe169fd9fe99c0880b 100644
--- a/ipaserver/dns_data_management.py
+++ b/ipaserver/dns_data_management.py
@@ -477,3 +477,12 @@ class IPASystemRecords(object):
                     )
                 )
         return records
+
+    @classmethod
+    def records_list_from_zone(cls, zone_obj, sort=True):
+        records = []
+        for name, node in zone_obj.items():
+            records.extend(IPASystemRecords.records_list_from_node(name, node))
+        if sort:
+            records.sort()
+        return records
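Review bot: `records_list_from_zone` is declared a `@classmethod` but ignores `cls` and calls `IPASystemRecords.records_list_from_node` through the hard-coded class name, which defeats the point of the classmethod and bypasses any override in a subclass; `records.extend(cls.records_list_from_node(name, node))` keeps it consistent. The method is also undocumented: a short docstring stating that `zone_obj` must expose `.items()` yielding name/node pairs and that `sort=True` orders the returned list in place would help the next reader.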
diff --git a/ipaserver/install/bindinstance.py b/ipaserver/install/bindinstance.py
index 08c32f4837a5b4f72b78a52002a58c888db6cc91..a63b2dfd329f7cf535c2cf6e2d83b5c86fdddacf 100644
--- a/ipaserver/install/bindinstance.py
+++ b/ipaserver/install/bindinstance.py
@@ -623,9 +623,9 @@ class BindInstance(service.Service):
     suffix = ipautil.dn_attribute_property('_suffix')
 
     def setup(self, fqdn, ip_addresses, realm_name, domain_name, forwarders,
-              forward_policy, ntp, reverse_zones,
+              forward_policy, reverse_zones,
               named_user=constants.NAMED_USER, zonemgr=None,
-              ca_configured=None, no_dnssec_validation=False):
+              no_dnssec_validation=False):
         self.named_user = named_user
         self.fqdn = fqdn
         self.ip_addresses = ip_addresses
@@ -635,9 +635,7 @@ class BindInstance(service.Service):
         self.forward_policy = forward_policy
         self.host = fqdn.split(".")[0]
         self.suffix = ipautil.realm_to_suffix(self.realm)
-        self.ntp = ntp
         self.reverse_zones = reverse_zones
-        self.ca_configured = ca_configured
         self.no_dnssec_validation=no_dnssec_validation
 
         if not zonemgr:
@@ -666,12 +664,17 @@ class BindInstance(service.Service):
     def host_in_default_domain(self):
         return normalize_zone(self.host_domain) == normalize_zone(self.domain)
 
-    def create_sample_bind_zone(self):
-        bind_txt = ipautil.template_file(ipautil.SHARE_DIR + "bind.zone.db.template", self.sub_dict)
-        [bind_fd, bind_name] = tempfile.mkstemp(".db","sample.zone.")
-        os.write(bind_fd, bind_txt)
-        os.close(bind_fd)
-        print("Sample zone file for bind has been created in "+bind_name)
+    def create_file_with_system_records(self):
+        system_records = IPASystemRecords(self.api)
+        text = u'\n'.join(
+            IPASystemRecords.records_list_from_zone(
+                system_records.get_base_records()
+            )
+        )
+        [fd, name] = tempfile.mkstemp(".db","ipa.system.records.")
+        os.write(fd, text)
+        os.close(fd)
+        print("Please add records in this file to your DNS system:", name)
 
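Review bot: `os.write(fd, text)` at the end of `create_file_with_system_records` is handed a unicode string built by `u'\n'.join(...)`, which fails on Python 3 where `os.write` requires bytes and is implicitly ASCII-encoded on Python 2, breaking on any non-ASCII record data; `os.write(fd, text.encode('utf-8'))`, or writing through `os.fdopen(fd, 'w')`, avoids both. The replaced `create_sample_bind_zone` had the same write pattern, but the new input is explicitly unicode, so the problem is no longer latent. Separately, `print("Please add records in this file to your DNS system:", name)` prints a tuple on Python 2 unless the module imports `print_function`; the old code used concatenation and did not depend on that.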
     def create_instance(self):
 
@@ -761,41 +764,10 @@ class BindInstance(service.Service):
             root_logger.debug("Unable to mask named (%s)", e)
 
     def __setup_sub_dict(self):
-        if self.forwarders:
-            fwds = "\n"
-            for forwarder in self.forwarders:
-                fwds += "\t\t%s;\n" % forwarder
-            fwds += "\t"
-        else:
-            fwds = " "
-
-        if self.ntp:
-            optional_ntp =  "\n;ntp server\n"
-            optional_ntp += "_ntp._udp\t\tIN SRV 0 100 123\t%s" % self.host_in_rr
-        else:
-            optional_ntp = ""
-
-        ipa_ca = ""
-        for addr in self.ip_addresses:
-            if addr.version in (4, 6):
-                ipa_ca += "%s\t\t\tIN %s\t\t\t%s\n" % (
-                    IPA_CA_RECORD,
-                    "A" if addr.version == 4 else "AAAA",
-                    str(addr))
-
         self.sub_dict = dict(
             FQDN=self.fqdn,
-            IP=[str(ip) for ip in self.ip_addresses],
-            DOMAIN=self.domain,
-            HOST=self.host,
-            REALM=self.realm,
             SERVER_ID=installutils.realm_to_serverid(self.realm),
-            FORWARDERS=fwds,
-            FORWARD_POLICY=self.forward_policy,
             SUFFIX=self.suffix,
-            OPTIONAL_NTP=optional_ntp,
-            ZONEMGR=self.zonemgr,
-            IPA_CA_RECORD=ipa_ca,
             BINDKEYS_FILE=paths.NAMED_BINDKEYS_FILE,
             MANAGED_KEYS_DIR=paths.NAMED_MANAGED_KEYS_DIR,
             ROOT_KEY=paths.NAMED_ROOT_KEY,
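Review bot: This hunk removes `FORWARDERS`, `FORWARD_POLICY`, `ZONEMGR`, `DOMAIN`, `HOST`, `REALM` and `IP` from `sub_dict`, while the commit message only accounts for the zone-file sample, NTP and CA parameters; if `bind.named.conf.template` (still listed in Makefile.am) or any other template rendered with `self.sub_dict` references one of those placeholders, substitution will now fail or leave it unexpanded. The templates are not part of this patch, so this needs checking against them rather than assumed. `__setup_sub_dict` continues past the end of the hunk.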
@@ -1026,16 +998,14 @@ class BindInstance(service.Service):
         ipautil.run([paths.GENERATE_RNDC_KEY])
 
     def add_master_dns_records(self, fqdn, ip_addresses, realm_name, domain_name,
-                               reverse_zones, ntp=False, ca_configured=None):
+                               reverse_zones):
         self.fqdn = fqdn
         self.ip_addresses = ip_addresses
         self.realm = realm_name
         self.domain = domain_name
         self.host = fqdn.split(".")[0]
         self.suffix = ipautil.realm_to_suffix(self.realm)
-        self.ntp = ntp
         self.reverse_zones = reverse_zones
-        self.ca_configured = ca_configured
         self.first_instance = False
         self.zonemgr = 'hostmaster.%s' % self.domain
 
diff --git a/ipaserver/install/dns.py b/ipaserver/install/dns.py
index 2ea11739e07c73132bddee01309af618532e9815..44ebd39dfa7f1d947061c3b4c0347242f8502be0 100644
--- a/ipaserver/install/dns.py
+++ b/ipaserver/install/dns.py
@@ -329,10 +329,9 @@ def install(standalone, replica, options, api=api):
     bind = bindinstance.BindInstance(fstore, ldapi=True, api=api,
                                      autobind=AUTOBIND_ENABLED)
     bind.setup(api.env.host, ip_addresses, api.env.realm, api.env.domain,
-               options.forwarders, options.forward_policy, conf_ntp,
+               options.forwarders, options.forward_policy,
                reverse_zones, zonemgr=options.zonemgr,
-               no_dnssec_validation=options.no_dnssec_validation,
-               ca_configured=options.setup_ca)
+               no_dnssec_validation=options.no_dnssec_validation)
 
     if standalone and not options.unattended:
         print("")
diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py
index 930cca7b31ca06c04ab92deff49b6a4f198c2b6e..c28c095fb3cccd4cd412c0496374050434e438a1 100644
--- a/ipaserver/install/server/install.py
+++ b/ipaserver/install/server/install.py
@@ -848,17 +848,17 @@ def install(installer):
     if setup_ca:
         services.knownservices['pki_tomcatd'].restart('pki-tomcat')
 
+    api.Backend.ldap2.connect(autobind=True)
     if options.setup_dns:
-        api.Backend.ldap2.connect(autobind=True)
         dns.install(False, False, options)
     else:
         # Create a BIND instance
         bind = bindinstance.BindInstance(fstore, dm_password)
         bind.setup(host_name, ip_addresses, realm_name,
-                   domain_name, (), 'first', not options.no_ntp, (),
-                   zonemgr=options.zonemgr, ca_configured=setup_ca,
+                   domain_name, (), 'first', (),
+                   zonemgr=options.zonemgr,
                    no_dnssec_validation=options.no_dnssec_validation)
-        bind.create_sample_bind_zone()
+        bind.create_file_with_system_records()
 
     # Restart httpd to pick up the new IPA configuration
     service.print_msg("Restarting the web server")
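Review bot: `create_file_with_system_records` reads `self.api` to build `IPASystemRecords`, but the `BindInstance` in the else-branch is constructed as `bindinstance.BindInstance(fstore, dm_password)` with no `api=` argument, unlike the call in dns.py; that is only correct if the base class defaults `self.api` to the global `api`, which is not visible here, so passing `api=api` explicitly as dns.py does would remove the doubt. Hoisting `api.Backend.ldap2.connect(autobind=True)` above the `if` is presumably needed for the same records lookup, but it is now unconditional and the reason is not stated; a comment such as `# both branches need LDAP: dns.install() and the system-records lookup` would save the next reader from re-deriving it.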
diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
index 52b2ea5b0691cd99c6cb566af5a15af3b2dffb14..0277d324a60b2893dda57119453dabf5df28ea10 100644
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
@@ -210,9 +210,7 @@ def install_dns_records(config, options, remote_api):
                                         str(ip),
                                         config.realm_name,
                                         config.domain_name,
-                                        reverse_zone,
-                                        not options.no_ntp,
-                                        options.setup_ca)
+                                        reverse_zone)
     except errors.NotFound as e:
         root_logger.debug('Replica DNS records could not be added '
                           'on master: %s', str(e))
-- 
2.5.5
