[Freeipa-devel] [freeipa PR#679][synchronized] Make sure remote hosts have our keys
URL: https://github.com/freeipa/freeipa/pull/679 Author: simo5 Title: #679: Make sure remote hosts have our keys Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/679/head:pr679 git checkout pr679 From 5d9103248e510a3c64314fe59284a8420a6f3a67 Mon Sep 17 00:00:00 2001 From: Simo SorceDate: Fri, 31 Mar 2017 11:22:45 -0400 Subject: [PATCH] Make sure remote hosts have our keys In complex replication setups a replica may try to obtain CA keys from a host that is not the master we initially create the keys against. In this case race conditions may happen due to replication. So we need to make sure the server we are contacting to get the CA keys has our keys in LDAP. We do this by waiting to positively fetch our encryption public key (the last one we create) from the target host LDAP server. Fixes: https://pagure.io/freeipa/issue/6838 Signed-off-by: Simo Sorce --- ipaserver/install/custodiainstance.py | 25 - 1 file changed, 24 insertions(+), 1 deletion(-) diff --git a/ipaserver/install/custodiainstance.py b/ipaserver/install/custodiainstance.py index 6a61392..d60276a 100644 --- a/ipaserver/install/custodiainstance.py +++ b/ipaserver/install/custodiainstance.py @@ -1,6 +1,7 @@ # Copyright (C) 2015 FreeIPa Project Contributors, see 'COPYING' for license. -from ipaserver.secrets.kem import IPAKEMKeys +from custodia.message.kem import KEY_USAGE_ENC +from ipaserver.secrets.kem import IPAKEMKeys, KEMLdap from ipaserver.secrets.client import CustodiaClient from ipaplatform.paths import paths from ipaplatform.constants import constants @@ -18,6 +19,7 @@ import os import stat import tempfile +import time import pwd 
@@ -122,6 +124,23 @@ def import_dm_password(self, master_host_name): cli = self.__CustodiaClient(server=master_host_name) cli.fetch_key('dm/DMHash') +def __wait_keys(self, host, timeout=300): +ldap_uri = 'ldap://%s' % host +principal = 'host/%s@%s' % (self.fqdn, self.realm) +deadline = int(time.time()) + timeout +root_logger.info("Waiting up to {} seconds to see our keys " + "appear on host: {}".format(timeout, host)) + +konn = KEMLdap(ldap_uri) +while True: +try: +konn.get_key(KEY_USAGE_ENC, principal) +return +except Exception: +if int(time.time()) > deadline: +raise +time.sleep(1) + def __get_keys(self, ca_host, cacerts_file, cacerts_pwd, data): # Fecth all needed certs one by one, then combine them in a single # p12 file @@ -129,6 +148,10 @@ def __get_keys(self, ca_host, cacerts_file, cacerts_pwd, data): prefix = data['prefix'] certlist = data['list'] +# Before we attempt to fetch keys from this host, make sure our public +# keys have been replicated there. +self.__wait_keys(ca_host) + cli = self.__CustodiaClient(server=ca_host) # Temporary nssdb -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
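Review bot: The retry loop in `__wait_keys` catches bare `Exception` and discards it, so a bad LDAP URI, a bind failure or a host that will never receive the key are indistinguishable from replication lag and only surface after the full 300 s timeout, with no record of what was failing in between. A broad catch is defensible for a replication wait, but the retry path should record the reason: change the handler to `except Exception as e:` and add `root_logger.debug("Key not yet visible on %s: %s", host, e)` before `time.sleep(1)`. The method also has no docstring; something like `"""Poll host's LDAP until our KEM encryption public key is readable there, re-raising the last error once timeout seconds have elapsed."""` would state the contract, including that this only confirms replication — whether the lookup itself is authenticated depends on how `KEMLdap` binds, which is not visible in this hunk. The call site added in `__get_keys` (hunk `@@ -129,6 +148,10 @@` on the same line) needs no change.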
[Freeipa-devel] [freeipa PR#679][comment] Make sure remote hosts have our keys
URL: https://github.com/freeipa/freeipa/pull/679 Title: #679: Make sure remote hosts have our keys simo5 commented: """ Nevermind they are not duplicates. I'll fix the commit message. """ See the full comment at https://github.com/freeipa/freeipa/pull/679#issuecomment-291557263 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#679][comment] Make sure remote hosts have our keys
URL: https://github.com/freeipa/freeipa/pull/679 Title: #679: Make sure remote hosts have our keys pvoborni commented: """ Shouldn't the ticket number be: https://pagure.io/freeipa/issue/6838 ? """ See the full comment at https://github.com/freeipa/freeipa/pull/679#issuecomment-291553067 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#667][comment] idrange-add: properly handle empty --dom-name option
URL: https://github.com/freeipa/freeipa/pull/667 Title: #667: idrange-add: properly handle empty --dom-name option flo-renaud commented: """ Hi @stlaz I fixed the commit message. In contrary to what I told you offline, you need to configure an AD trust with ipa-adtrust-install and ipa trust-add ... in order to reproduce the original issue. My bad... """ See the full comment at https://github.com/freeipa/freeipa/pull/667#issuecomment-291540393 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#667][edited] idrange-add: properly handle empty --dom-name option
URL: https://github.com/freeipa/freeipa/pull/667 Author: flo-renaud Title: #667: idrange-add: properly handle empty --dom-name option Action: edited Changed field: title Original value: """ idrange-mod: properly handle empty --dom-name option """ -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#667][edited] idrange-mod: properly handle empty --dom-name option
URL: https://github.com/freeipa/freeipa/pull/667 Author: flo-renaud Title: #667: idrange-mod: properly handle empty --dom-name option Action: edited Changed field: body Original value: """ When idrange-mod is called with --dom-name=, the CLI exits with ipa: ERROR: an internal error has occurred This happens because the code checks if the option is provided but does not check if the value is None. We need to handle empty dom-name as if the option was not specified. https://pagure.io/freeipa/issue/6404 """ -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#667][synchronized] idrange-mod: properly handle empty --dom-name option
URL: https://github.com/freeipa/freeipa/pull/667 Author: flo-renaud Title: #667: idrange-mod: properly handle empty --dom-name option Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/667/head:pr667 git checkout pr667 From be273e1a9a8f7f3d17029b71054091bc3d44edeb Mon Sep 17 00:00:00 2001 From: Florence Blanc-RenaudDate: Tue, 28 Mar 2017 16:02:45 +0200 Subject: [PATCH] idrange-add: properly handle empty --dom-name option When idrange-add is called with --dom-name=, the CLI exits with ipa: ERROR: an internal error has occurred This happens because the code checks if the option is provided but does not check if the value is None. We need to handle empty dom-name as if the option was not specified. https://pagure.io/freeipa/issue/6404 --- ipaserver/plugins/idrange.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ipaserver/plugins/idrange.py b/ipaserver/plugins/idrange.py index 5b88a6b..c8ea95a 100644 --- a/ipaserver/plugins/idrange.py +++ b/ipaserver/plugins/idrange.py @@ -411,7 +411,7 @@ def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options): # This needs to stay in options since there is no # ipanttrusteddomainname attribute in LDAP -if 'ipanttrusteddomainname' in options: +if options.get('ipanttrusteddomainname'): if is_set('ipanttrusteddomainsid'): raise errors.ValidationError(name='ID Range setup', error=_('Options dom-sid and dom-name ' -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
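Review bot: `options.get('ipanttrusteddomainname')` now treats a missing key, `None` and an empty string alike, which is the intent, but the very next line tests the sibling option with `is_set('ipanttrusteddomainsid')`; if `is_set` already means "present and non-empty" (its definition is outside this hunk), writing the new check as `if is_set('ipanttrusteddomainname'):` keeps the two tests consistent and makes the fix self-describing. Any later read of `options['ipanttrusteddomainname']` in `pre_callback` should be checked for the same empty-value case; the function begins and ends outside the hunk.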
[Freeipa-devel] [freeipa PR#667][comment] idrange-mod: properly handle empty --dom-name option
URL: https://github.com/freeipa/freeipa/pull/667 Title: #667: idrange-mod: properly handle empty --dom-name option stlaz commented: """ LGTM, except you're talking about `idrange-mod` in the commit message but are fixing `idrange-add` (`idrange-mod` does not have the option at all). """ See the full comment at https://github.com/freeipa/freeipa/pull/667#issuecomment-291523802 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#677][comment] cert: defer cert-find result post-processing
URL: https://github.com/freeipa/freeipa/pull/677 Title: #677: cert: defer cert-find result post-processing stlaz commented: """ What worries me the most is that the tests are green even though this is potentially a serious problem. """ See the full comment at https://github.com/freeipa/freeipa/pull/677#issuecomment-291471139 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#690][opened] server-install: remove broken no-pkinit check
URL: https://github.com/freeipa/freeipa/pull/690 Author: stlaz Title: #690: server-install: remove broken no-pkinit check Action: opened PR body: """ Don't check for no-pkinit option in case pkinit cert file was provided. Setting no-pkinit is prohibited in this case, so without this fix we have an impossible option-check if we want to provide an own pkinit certificate and private key. https://pagure.io/freeipa/issue/6807 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/690/head:pr690 git checkout pr690 From 1eac866d04d804a77bded2e8768d4125f555c8a9 Mon Sep 17 00:00:00 2001 From: Stanislav LaznickaDate: Tue, 4 Apr 2017 10:41:23 +0200 Subject: [PATCH] server-install: remove broken no-pkinit check Don't check for no-pkinit option in case pkinit cert file was provided. Setting no-pkinit is prohibited in this case, so without this fix we have an impossible option-check if we want to provide an own pkinit certificate and private key. https://pagure.io/freeipa/issue/6807 --- ipaserver/install/server/install.py | 5 - 1 file changed, 5 deletions(-) diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py index d7eb0bf..714b86f 100644 --- a/ipaserver/install/server/install.py +++ b/ipaserver/install/server/install.py @@ -513,11 +513,6 @@ def install_check(installer): dirsrv_pkcs12_info = (dirsrv_pkcs12_file.name, dirsrv_pin) if options.pkinit_cert_files: -if not options.no_pkinit: -raise ScriptError("Cannot create KDC PKINIT certificate and use " - "provided external PKINIT certificate at the " - "same time. Please choose one of them.") - if options.pkinit_pin is None: options.pkinit_pin = read_password( "Enter Kerberos KDC private key unlock", -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#684][comment] httpinstance: make sure NSS database is backed up
URL: https://github.com/freeipa/freeipa/pull/684 Title: #684: httpinstance: make sure NSS database is backed up HonzaCholasta commented: """ master: * 5f5a3b29dba7cc736ba334aefb55484baeefeb76 httpinstance: make sure NSS database is backed up ipa-4-5: * 471dfcbe1cc3f319da788add3661cb6d63e3c0f0 httpinstance: make sure NSS database is backed up """ See the full comment at https://github.com/freeipa/freeipa/pull/684#issuecomment-291428766 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#684][+pushed] httpinstance: make sure NSS database is backed up
URL: https://github.com/freeipa/freeipa/pull/684 Title: #684: httpinstance: make sure NSS database is backed up Label: +pushed -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#684][closed] httpinstance: make sure NSS database is backed up
URL: https://github.com/freeipa/freeipa/pull/684 Author: HonzaCholasta Title: #684: httpinstance: make sure NSS database is backed up Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/684/head:pr684 git checkout pr684 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#689][opened] Sort SRV records by priority
URL: https://github.com/freeipa/freeipa/pull/689 Author: alex-zel Title: #689: Sort SRV records by priority Action: opened PR body: """ In some cases where multiple SRV records are present, LDAP and Kerberos records were returned in different order, causing replication issues in a multi-master environment. ## Replication: DNS configuration (using PfSense): ``` srv-host=_kerberos._udp.example.com,server01.example.com,88,0,1 srv-host=_kerberos._tcp.example.com,server01.example.com,88,0,1 srv-host=_kerberos-master._tcp.example.com,server01.example.com,88,0,1 srv-host=_kerberos-master._udp.example.com,server01.example.com,88,0,1 srv-host=_kpasswd._tcp.example.com,server01.example.com,88,0,1 srv-host=_kpasswd._udp.example.com,server01.example.com,88,0,1 srv-host=_ldap._tcp.example.com,server01.example.com,389,0,1 srv-host=_kerberos._udp.example.com,server02.example.com,88,0,2 srv-host=_kerberos._tcp.example.com,server02.example.com,88,0,2 srv-host=_kerberos-master._tcp.example.com,server02.example.com,88,0,2 srv-host=_kerberos-master._udp.example.com,server02.example.com,88,0,2 srv-host=_kpasswd._tcp.example.com,server02.example.com,88,0,2 srv-host=_kpasswd._udp.example.com,server02.example.com,88,0,2 srv-host=_ldap._tcp.example.com,server02.example.com,389,0,2 txt-record=_kerberos.example.com,EXAMPLE.COM ``` Client installation: Host record is added beforehand from web UI on server01.example.com ONLY. 
`/usr/sbin/ipa-client-install --force-join --principal=bind_user --password=bind_pass --hostname=`hostname -f` --unattended` /var/log/ipaclient-install.log: > 2017-04-02T10:54:09Z DEBUG [IPA Discovery] > 2017-04-02T10:54:09Z DEBUG Starting IPA discovery with domain=None, > servers=None, hostname=client01.example.com > 2017-04-02T10:54:09Z DEBUG Start searching for LDAP SRV record in > "example.com" (domain of the hostname) and its sub-domains > 2017-04-02T10:54:09Z DEBUG Search DNS for SRV record of _ldap._tcp.example.com > 2017-04-02T10:54:09Z DEBUG DNS record found: 0 1 389 server01.example.com. > 2017-04-02T10:54:09Z DEBUG DNS record found: 0 2 389 server02.example.com. > 2017-04-02T10:54:09Z DEBUG [Kerberos realm search] > 2017-04-02T10:54:09Z DEBUG Search DNS for TXT record of _kerberos.example.com > 2017-04-02T10:54:09Z DEBUG DNS record not found: NoAnswer > 2017-04-02T10:54:09Z DEBUG Search DNS for SRV record of > _kerberos._udp.example.com > 2017-04-02T10:54:09Z DEBUG DNS record found: 0 2 88 server02.example.com. > 2017-04-02T10:54:09Z DEBUG DNS record found: 0 1 88 server01.example.com. Notice the records are not in the same order, ipa-client-install did not return any error and the client machine could see user, groups, netgroups, but users could not authenticate. Looking at the web UI, server01.example.com shows the client is not enrolled and no kerberos key is present, but server02.example.com shows the client is enrolled and has a key. In cases were either server01 or server02 were returned first in IPA Discovery the installation and replication went fine. """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/689/head:pr689 git checkout pr689 From 283da88845c65d5cd3b4ce6b5e32c17fc3c5fb98 Mon Sep 17 00:00:00 2001 
From: Alex ZeleznikovDate: Tue, 4 Apr 2017 09:42:10 +0300 Subject: [PATCH] Sort SRV records by priority In some cases where multiple SRV records are present, LDAP and Kerberos records were returned in different order, causing replication issues in a multi master enviorment. --- ipaclient/install/ipadiscovery.py | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/ipaclient/install/ipadiscovery.py b/ipaclient/install/ipadiscovery.py index 46e05c9..b30e7de 100644 --- a/ipaclient/install/ipadiscovery.py +++ b/ipaclient/install/ipadiscovery.py @@ -22,13 +22,14 @@ import six from ipapython.ipa_log_manager import root_logger -from dns import resolver, rdatatype from dns.exception import DNSException +from dns import resolver, rdatatype from ipalib import errors from ipapython import ipaldap from ipaplatform.paths import paths from ipapython.ipautil import valid_ip, realm_to_suffix from ipapython.dn import DN +from operator import attrgetter NOT_FQDN = -1 NO_LDAP_SERVER = -2 @@ -493,6 +494,7 @@ def ipadns_search_srv(self, domain, srv_record_name, default_port, try: answers = resolver.query(qname, rdatatype.SRV) +answers = sorted(answers, key=attrgetter('priority')) except DNSException as e: root_logger.debug("DNS record not found: %s", e.__class__.__name__) answers = [] -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
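Review bot: `sorted(answers, key=attrgetter('priority'))` orders by priority only; RFC 2782 chooses among equal-priority records by weight, and because `sorted` is stable, same-priority records keep whatever order the resolver returned. That is probably acceptable for the replication problem described, but it should be stated next to the line, e.g. `# RFC 2782: lowest priority value first; weight is not used for selection`. The rebinding also turns the dnspython `Answer` into a plain list, which is fine if the rest of `ipadns_search_srv` (it continues past this hunk) only iterates it; if anything reads `answers.rrset` or similar it would now fail — please confirm. In the import hunk, `from operator import attrgetter` belongs with the other standard-library imports rather than after `ipapython.dn`, and the swap of the two `dns` import lines looks unintended.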
[Freeipa-devel] [freeipa PR#687][synchronized] Add pki_pin only when needed
URL: https://github.com/freeipa/freeipa/pull/687 Author: stlaz Title: #687: Add pki_pin only when needed Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/687/head:pr687 git checkout pr687 From 429f8dae4ea3b53894068d37e49ae2a5a05c29a0 Mon Sep 17 00:00:00 2001 From: Stanislav LaznickaDate: Mon, 3 Apr 2017 14:08:46 +0200 Subject: [PATCH] Add pki_pin only when needed If both the pki-tomcat NSS database and its password.conf have been created, don't try to override the password.conf file. https://pagure.io/freeipa/issue/6839 --- ipaserver/install/cainstance.py | 10 +++--- ipaserver/install/krainstance.py | 10 +++--- 2 files changed, 14 insertions(+), 6 deletions(-) diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py index 2d33a97..1d44c0d 100644 --- a/ipaserver/install/cainstance.py +++ b/ipaserver/install/cainstance.py @@ -541,9 +541,13 @@ def __spawn_instance(self): # CA key algorithm config.set("CA", "pki_ca_signing_key_algorithm", self.ca_signing_algorithm) -# generate pin which we know can be used for FIPS NSS database -pki_pin = ipautil.ipa_generate_password() -config.set("CA", "pki_pin", pki_pin) +if not (os.path.isdir(paths.PKI_TOMCAT_ALIAS_DIR) and +os.path.isfile(paths.PKI_TOMCAT_PASSWORD_CONF)): +# generate pin which we know can be used for FIPS NSS database +pki_pin = ipautil.ipa_generate_password() +config.set("CA", "pki_pin", pki_pin) +else: +pki_pin = None if self.clone: diff --git a/ipaserver/install/krainstance.py b/ipaserver/install/krainstance.py index 6fa4f0f..c39d687 100644 --- a/ipaserver/install/krainstance.py +++ b/ipaserver/install/krainstance.py 
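Review bot: The new else branch sets `pki_pin = None` where the original always produced a string, so every later use of `pki_pin` in `__spawn_instance` (the method continues past this hunk) must now tolerate `None`; the same applies to the identical change in `krainstance.py` (hunk `@@ -235,9 +235,13 @@`). The condition is duplicated verbatim across the two files, so a shared helper, e.g. `_pki_nssdb_exists()` returning `os.path.isdir(paths.PKI_TOMCAT_ALIAS_DIR) and os.path.isfile(paths.PKI_TOMCAT_PASSWORD_CONF)`, would keep the CA and KRA checks from drifting apart. The else branch also deserves a comment, e.g. `# pki-tomcat NSS database and password.conf already exist: do not override the stored pin`. Note that when only the alias directory exists a fresh pin is still generated, which may not match the existing database; whether that case can occur is not visible here.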
@@ -235,9 +235,13 @@ def __spawn_instance(self): "KRA", "pki_share_dbuser_dn", str(DN(('uid', 'pkidbuser'), ('ou', 'people'), ('o', 'ipaca' -# generate pin which we know can be used for FIPS NSS database -pki_pin = ipautil.ipa_generate_password() -config.set("KRA", "pki_pin", pki_pin) +if not (os.path.isdir(paths.PKI_TOMCAT_ALIAS_DIR) and +os.path.isfile(paths.PKI_TOMCAT_PASSWORD_CONF)): +# generate pin which we know can be used for FIPS NSS database +pki_pin = ipautil.ipa_generate_password() +config.set("KRA", "pki_pin", pki_pin) +else: +pki_pin = None _p12_tmpfile_handle, p12_tmpfile_name = tempfile.mkstemp(dir=paths.TMP) -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#684][+ack] httpinstance: make sure NSS database is backed up
URL: https://github.com/freeipa/freeipa/pull/684 Title: #684: httpinstance: make sure NSS database is backed up Label: +ack -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#684][comment] httpinstance: make sure NSS database is backed up
URL: https://github.com/freeipa/freeipa/pull/684 Title: #684: httpinstance: make sure NSS database is backed up stlaz commented: """ Without this patch, I encountered a different issue but with the same root cause. The patch fixes it, so ACK. """ See the full comment at https://github.com/freeipa/freeipa/pull/684#issuecomment-291411099 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#681][closed] Fix ipadiscovery
URL: https://github.com/freeipa/freeipa/pull/681 Author: alex-zel Title: #681: Fix ipadiscovery Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/681/head:pr681 git checkout pr681 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#681][synchronized] Fix ipadiscovery
URL: https://github.com/freeipa/freeipa/pull/681 Author: alex-zel Title: #681: Fix ipadiscovery Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/681/head:pr681 git checkout pr681 From 3ac30ca118685134dd38b07e4b55ecbb4c880a3a Mon Sep 17 00:00:00 2001 From: Alex ZeleznikovDate: Sun, 2 Apr 2017 11:53:11 +0300 Subject: [PATCH 1/3] ipadiscovery sort SRV record by priority Sort SRV records for LDAP/KRB based on priority. --- ipaclient/install/ipadiscovery.py | 22 -- 1 file changed, 20 insertions(+), 2 deletions(-) diff --git a/ipaclient/install/ipadiscovery.py b/ipaclient/install/ipadiscovery.py index 46e05c9..c6fc240 100644 --- a/ipaclient/install/ipadiscovery.py +++ b/ipaclient/install/ipadiscovery.py @@ -492,7 +492,16 @@ def ipadns_search_srv(self, domain, srv_record_name, default_port, root_logger.debug("Search DNS for SRV record of %s", qname) try: -answers = resolver.query(qname, rdatatype.SRV) +answers = [] + dns_answers = resolver.query(qname, rdatatype.SRV) + for answer in dns_answers: +if not len(answers): + answers.append(answer) +else: + i = 0 + while i < len(answers) and answer.priority > answers[i].priority: + i += 1 + answers.insert(i, answer) except DNSException as e: root_logger.debug("DNS record not found: %s", e.__class__.__name__) answers = [] @@ -521,7 +530,16 @@ def ipadnssearchkrbrealm(self, domain=None): root_logger.debug("Search DNS for TXT record of %s", qname) try: -answers = resolver.query(qname, rdatatype.TXT) +answers = [] + dns_answers = resolver.query(qname, rdatatype.SRV) + for answer in dns_answers: +if not len(answers): + answers.append(answer) +else: + i = 0 + while i < len(answers) and answer.priority > answers[i].priority: + i += 1 + answers.insert(i, answer) except DNSException as e: root_logger.debug("DNS record not found: %s", e.__class__.__name__) answers = [] From 993c99868f3e033122bfe6fc95f53c701243d3f0 Mon Sep 17 00:00:00 2001 
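Review bot: The insertion loop in `ipadns_search_srv` hand-rolls a stable sort by priority; `answers = sorted(resolver.query(qname, rdatatype.SRV), key=lambda a: a.priority)` does the same in one line, avoids the `if not len(answers)` idiom (`if not answers` is the Python form), and leaves `answers = []` in the except branch unchanged. The method continues outside the hunk.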
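Review bot: In `ipadnssearchkrbrealm` the query type changed from `rdatatype.TXT` to `rdatatype.SRV`, yet the surrounding context line still logs `Search DNS for TXT record of %s` and this function resolves the `_kerberos` TXT record that carries the realm name; an SRV query for that name returns nothing, and TXT rdata has no `priority` attribute for the new insertion loop to read, so realm discovery via DNS would break. This hunk should be dropped rather than sorted; the function continues outside the hunk.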
From: Alex Zel Date: Sun, 2 Apr 2017 12:04:11 +0300 Subject: [PATCH 2/3] fix indentation --- ipaclient/install/ipadiscovery.py | 36 ++-- 1 file changed, 18 insertions(+), 18 deletions(-) diff --git a/ipaclient/install/ipadiscovery.py b/ipaclient/install/ipadiscovery.py index c6fc240..4f18398 100644 --- a/ipaclient/install/ipadiscovery.py +++ b/ipaclient/install/ipadiscovery.py @@ -493,15 +493,15 @@ def ipadns_search_srv(self, domain, srv_record_name, default_port, try: answers = [] - dns_answers = resolver.query(qname, rdatatype.SRV) - for answer in dns_answers: -if not len(answers): - answers.append(answer) -else: - i = 0 - while i < len(answers) and answer.priority > answers[i].priority: - i += 1 - answers.insert(i, answer) +dns_answers = resolver.query(qname, rdatatype.SRV) +for answer in dns_answers: +if not len(answers): +answers.append(answer) +else: +i = 0 +while i < len(answers) and answer.priority > answers[i].priority: +i += 1 +answers.insert(i, answer) except DNSException as e: root_logger.debug("DNS record not found: %s", e.__class__.__name__) answers = [] @@ -531,15 +531,15 @@ def ipadnssearchkrbrealm(self, domain=None): try: answers = [] - dns_answers = resolver.query(qname, rdatatype.SRV) - for answer in dns_answers: -if not len(answers): - answers.append(answer) -else: - i = 0 - while i < len(answers) and answer.priority > answers[i].priority: - i += 1 - answers.insert(i, answer) +dns_answers = resolver.query(qname, rdatatype.SRV) +for answer in dns_answers: +if not len(answers): +answers.append(answer) +else: +i = 0 +while i < len(answers) and answer.priority > answers[i].priority: +i += 1 +answers.insert(i, answer) except DNSException as e: root_logger.debug("DNS record not found: %s", e.__class__.__name__) answers = [] From 73fc5dc8cf1b8c6f34ff767079aa2209b26c2aa1 Mon Sep 17 00:00:00 2001 
From: Alex Zel Date: Tue, 4 Apr 2017 08:57:04 +0300 Subject: [PATCH 3/3] Update ipadiscovery.py --- ipaclient/install/ipadiscovery.py | 24 1 file changed, 4 insertions(+), 20 deletions(-) diff --git a/ipaclient/install/ipadiscovery.py b/ipaclient/install/ipadiscovery.py index