Re: [Freeipa-devel] [PATCHES 362-366] Realmdomains handling improvements

2015-10-12 Thread Martin Basti



On 09.10.2015 19:11, Tomas Babej wrote:
>
> On 09/23/2015 02:40 PM, Martin Basti wrote:
>>
>> On 09/22/2015 02:23 PM, Tomas Babej wrote:
>>> On 09/03/2015 04:34 PM, Alexander Bokovoy wrote:
>>>> On Thu, 03 Sep 2015, Tomas Babej wrote:
>>>>> Hi,
>>>>>
>>>>> this couple of patches fix https://fedorahosted.org/freeipa/ticket/5278
>>>>> and improve our handling of realmdomains in general.
>>>> The code looks good to me. I haven't tested it yet, though.
>>>>
>>> Rebased on top of current master.
>> Please fix tests too.
>>
> Updated patchset attached. Also fixed minor spelling and syntax issues
> in the original patches.
>
> Tomas

ACK,

unfortunately, patch "realmdomains: Issue a warning when automated 
management of realmdomains" failed to apply on top of ipa-4-2 branch.


--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code


Re: [Freeipa-devel] [PATCHES 362-366] Realmdomains handling improvements

2015-10-12 Thread Tomas Babej


- Original Message -
From: "Martin Basti" <mba...@redhat.com>
To: "Tomas Babej" <tba...@redhat.com>
Cc: "freeipa-devel" <freeipa-devel@redhat.com>
Sent: Monday, October 12, 2015 12:41:13 PM
Subject: Re: [Freeipa-devel] [PATCHES 362-366] Realmdomains handling 
improvements



>On 09.10.2015 19:11, Tomas Babej wrote:
>>
>> On 09/23/2015 02:40 PM, Martin Basti wrote:
>>>
>>> On 09/22/2015 02:23 PM, Tomas Babej wrote:
>>>> On 09/03/2015 04:34 PM, Alexander Bokovoy wrote:
>>>>> On Thu, 03 Sep 2015, Tomas Babej wrote:
>>>>>> Hi,
>>>>>>
>>>>>> this couple of patches fix https://fedorahosted.org/freeipa/ticket/5278
>>>>>> and improve our handling of realmdomains in general.
>>>>> The code looks good to me. I haven't tested it yet, though.
>>>>>
>>>> Rebased on top of current master.
>>> Please fix tests too.
>>>
>> Updated patchset attached. Also fixed minor spelling and syntax issues
>> in the original patches.
>>
>> Tomas
>ACK,

>unfortunately, patch "realmdomains: Issue a warning when automated 
>management of realmdomains" failed to apply on top of ipa-4-2 branch.

Attaching rebased patchset.

From 4045b1d946bd830128f64e77037e5b75a734a200 Mon Sep 17 00:00:00 2001
From: Tomas Babej <tba...@redhat.com>
Date: Thu, 24 Sep 2015 11:06:07 +0200
Subject: [PATCH] idoverride: Ignore ValidationErrors when converting the
 anchor

When converting the anchor to a human readable form, SID validation
may fail, i.e. if the domain is no longer trusted.

Ignore such cases and pass along the anchor in the raw format.

https://fedorahosted.org/freeipa/ticket/5322
---
 ipalib/plugins/idviews.py | 19 +++
 1 file changed, 7 insertions(+), 12 deletions(-)

diff --git a/ipalib/plugins/idviews.py b/ipalib/plugins/idviews.py
index cf5c9b5e8371c89e89a4cf1d334ac0e6b514653a..4e773239fef014c85af7caa913c57bdd718f2c07 100644
--- a/ipalib/plugins/idviews.py
+++ b/ipalib/plugins/idviews.py
@@ -684,6 +684,11 @@ class baseidoverride(LDAPObject):
 # If we were unable to resolve the anchor,
 # keep it in the raw form
 pass
+except errors.ValidationError:
+# Same as above, ValidationError may be raised when SIDs
+# are attempted to be converted, but the domain is no
+# longer trusted
+pass
 
 def prohibit_ipa_users_in_default_view(self, dn, entry_attrs):
 # Check if parent object is Default Trust View, if so, prohibit
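Review bot: the added `except errors.ValidationError: pass` swallows every ValidationError raised while converting the anchor, not only the "domain no longer trusted" case the comment describes, so a malformed anchor or a regression in the SID conversion now degrades silently to displaying the raw anchor with nothing in the logs. Log the exception at debug level before the `pass`, and spell the comment out instead of "Same as above": the clause it refers to is only visible here as its body ("If we were unable to resolve the anchor, keep it in the raw form"), and a reader of this hunk cannot tell which exception it handles.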
@@ -768,12 +773,7 @@ class baseidoverride_find(LDAPSearch):
 
 def post_callback(self, ldap, entries, truncated, *args, **options):
 for entry in entries:
-try:
-self.obj.convert_anchor_to_human_readable_form(entry, **options)
-except errors.NotFound:
-# If the conversion to readle form went wrong, do not
-# abort the whole find command. Use non-converted entry.
-pass
+self.obj.convert_anchor_to_human_readable_form(entry, **options)
 return truncated
 
 
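Review bot: removing the try/except errors.NotFound around convert_anchor_to_human_readable_form in baseidoverride_find.post_callback means that any exception the converter does not catch itself now aborts the whole search instead of leaving one entry unconverted; that is the right trade-off only if the converter's own fallback ("keep it in the raw form", seen in the first hunk) covers every failure mode ticket 5322 is about. State in the commit message that the per-entry error handling moved into the converter, because read on its own this hunk looks like a dropped safeguard.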
@@ -783,12 +783,7 @@ class baseidoverride_show(LDAPRetrieve):
 takes_options = LDAPRetrieve.takes_options + (fallback_to_ldap_option,)
 
 def post_callback(self, ldap, dn, entry_attrs, *keys, **options):
-try:
-self.obj.convert_anchor_to_human_readable_form(entry_attrs, **options)
-except errors.NotFound:
-# If the conversion to readle form went wrong, do not
-# abort the whole show command. Use non-converted entry.
-pass
+self.obj.convert_anchor_to_human_readable_form(entry_attrs, **options)
 return dn
 
 
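Review bot: same simplification in baseidoverride_show.post_callback; with the fallback now inside the converter, the show command on an override whose trust has been removed returns the raw SID anchor with no indication that conversion was skipped. Consider emitting a warning message in that case so the caller can distinguish a raw anchor from a resolved one. Deleting this block also deletes the "readle" typo in the old comment, so no separate fix is needed for that.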
-- 
2.1.0

From fdd568f2319a2a77eb5336c704da4e1da0c36c16 Mon Sep 17 00:00:00 2001
From: Tomas Babej <tba...@redhat.com>
Date: Thu, 3 Sep 2015 12:40:17 +0200
Subject: [PATCH] realmdomains: Minor style and wording improvements

https://fedorahosted.org/freeipa/ticket/5278
---
 ipalib/plugins/realmdomains.py | 75 +-
 1 file changed, 60 insertions(+), 15 deletions(-)

diff --git a/ipalib/plugins/realmdomains.py b/ipalib/plugins/realmdomains.py
index c53340591bd0f0f02fcc9db3142b74197aff551b..4617ec7e084cb58e90ab627ce0cbb4ed71878506 100644
--- a/ipalib/plugins/realmdomains.py
+++ b/ipalib/plugins/realmdomains.py
@@ -133,16 +133,46 @@ class realmdomains_mod(LDAPUpdate):
 del_domain = entry_attrs.get('del_domain')
 force = options.get('force')
 
+current_domain = get_domain_name()
+
+missing_soa_ns_record_error = _(
+"DNS zone for each realmdomain must contain "
+"SOA or NS records. No

Re: [Freeipa-devel] [PATCHES 362-366] Realmdomains handling improvements

2015-10-12 Thread Tomas Babej
>On 12.10.2015 12:50, Tomas Babej wrote:
>>
>> - Original Message -
>> From: "Martin Basti" <mba...@redhat.com>
>> To: "Tomas Babej" <tba...@redhat.com>
>> Cc: "freeipa-devel" <freeipa-devel@redhat.com>
>> Sent: Monday, October 12, 2015 12:41:13 PM
>> Subject: Re: [Freeipa-devel] [PATCHES 362-366] Realmdomains handling 
>> improvements
>>
>>
>>
>>> On 09.10.2015 19:11, Tomas Babej wrote:
>>>> On 09/23/2015 02:40 PM, Martin Basti wrote:
>>>>> On 09/22/2015 02:23 PM, Tomas Babej wrote:
>>>>>> On 09/03/2015 04:34 PM, Alexander Bokovoy wrote:
>>>>>>> On Thu, 03 Sep 2015, Tomas Babej wrote:
>>>>>>>> Hi,
>>>>>>>>
>>>>>>>> this couple of patches fix https://fedorahosted.org/freeipa/ticket/5278
>>>>>>>> and improve our handling of realmdomains in general.
>>>>>>> The code looks good to me. I haven't tested it yet, though.
>>>>>>>
>>>>>> Rebased on top of current master.
>>>>> Please fix tests too.
>>>>>
>>>> Updated patchset attached. Also fixed minor spelling and syntax issues
>>>> in the original patches.
>>>>
>>>> Tomas
>>> ACK,
>>> unfortunately, patch "realmdomains: Issue a warning when automated
>>> management of realmdomains" failed to apply on top of ipa-4-2 branch.
>> Attaching rebased patchset.
>Pushed to master: 12840e0bfa545341c448276c4803a49cbae63e8a

>You sent different patch 362 for ipa-4-2 than it should be.

Yeah, I shifted the whole patchset by one patch somehow..

Correct version attached.

From 8480b286b0fe199b8639dc8fb1c94b7c26dd441a Mon Sep 17 00:00:00 2001
From: Tomas Babej <tba...@redhat.com>
Date: Thu, 3 Sep 2015 12:13:32 +0200
Subject: [PATCH] util: Add detect_dns_zone_realm_type helper

https://fedorahosted.org/freeipa/ticket/5278
---
 ipalib/util.py | 55 +++
 1 file changed, 55 insertions(+)

diff --git a/ipalib/util.py b/ipalib/util.py
index a3500ae29b56ac6a289fbec97d15cf026baf7068..182da20dde39fd19497543410a3ea040ccbab170 100644
--- a/ipalib/util.py
+++ b/ipalib/util.py
@@ -810,3 +810,58 @@ def get_topology_connection_errors(graph):
 if not_visited:
 connect_errors.append((m, list(visited), list(not_visited)))
 return connect_errors
+
+def detect_dns_zone_realm_type(api, domain):
+"""
+Detects the type of the realm that the given DNS zone belongs to.
+Note: This method is heuristic. Possible values:
+  - 'current': For IPA domains belonging in the current realm.
+  - 'foreign': For domains belonging in a foreing kerberos realm.
+  - 'unknown': For domains whose allegiance could not be detected.
+"""
+
+# First, try to detect _kerberos TXT record in the domain
+# This would indicate that the domain belongs to IPA realm
+
+kerberos_prefix = DNSName('_kerberos')
+domain_suffix = DNSName(domain)
+kerberos_record_name = kerberos_prefix + domain_suffix
+
+response = None
+
+try:
+result = resolver.query(kerberos_record_name, rdatatype.TXT)
+answer = result.response.answer
+
+# IPA domain will have only one _kerberos TXT record
+if (len(answer) == 1 and
+len(answer[0]) == 1 and
+answer[0].rdtype == rdatatype.TXT):
+
+record = answer[0][0]
+
+# If the record contains our current realm, it is 'ipa-current'
+if record.to_text() == '"{0}"'.format(api.env.realm):
+return 'current'
+else:
+return 'foreign'
+
+except DNSException as e:
+pass
+
+# Try to detect AD specific record in the zone.
+# This would indicate that the domain belongs to foreign (AD) realm
+
+gc_prefix = DNSName('_ldap._tcp.gc._msdcs')
+ad_specific_record_name = gc_prefix + domain_suffix
+
+try:
+# The presence of this record is enough, return foreign in such case
+result = resolver.query(ad_specific_record_name, rdatatype.SRV)
+return 'foreign'
+
+except DNSException as e:
+pass
+
+# If we could not detect type with certainity, return unknown
+return 'unknown'
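Review bot: the 'current'/'foreign' verdict in detect_dns_zone_realm_type rests entirely on an unauthenticated TXT answer from whoever serves the queried zone, so a zone operator (or anyone able to spoof the resolver's view of that zone) can make a foreign domain classify as 'current' simply by publishing the local realm name at _kerberos.<domain>, and can make any zone 'unknown' by withholding both records. That is acceptable while the result only selects a warning, which is what the docstring's "heuristic" note hints at, but the docstring should say explicitly that the value must never feed an authorization or trust decision. Separately, `record.to_text() == '"{0}"'.format(api.env.realm)` compares the quoted presentation form of the rdata, so a TXT published as two character-strings or with escaped characters fails to match even when the realm is right; comparing the first element of `record.strings` with the realm is more robust.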
-- 
2.1.0

From df317dceec52fc5003d3f175e9260bd279b0ff1e Mon Sep 17 00:00:00 2001
From: Tomas Babej <tba...@redhat.com>
Date: Thu, 3 Sep 2015 12:40:17 +0200
Subject: [PATCH] realmdomains: Minor style and wording improvements

https://fedorahosted.org/freeipa/ticket/5278
---
 ipalib/plugins/realmdomains.py | 75 +-
 1 file changed, 60 insertions(+), 15 deletions(-)

d

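The realm-type heuristic from the "util: Add detect_dns_zone_realm_type helper" patch above, reduced to an offline model so its decision order and failure modes can be exercised without a resolver. This is an added example, not FreeIPA code: ZONE_DATA, query(), NoAnswer and the *.test names are constructed stand-ins for dnspython and a live zone, and EXAMPLE.TEST is an assumed local realm. It goes beyond the patch by also feeding it a zone that merely copies the realm name into its _kerberos TXT record, which the heuristic classifies as 'current'.

```python
# Added illustration, not FreeIPA code: an offline model of the
# _kerberos TXT / _ldap._tcp.gc._msdcs SRV heuristic. ZONE_DATA, query()
# and NoAnswer are constructed stand-ins for dnspython and a live zone.

IPA_REALM = "EXAMPLE.TEST"  # assumed realm of the local IPA server

# Constructed zone contents: owner name -> {rtype: [rdata text, ...]}
ZONE_DATA = {
    # what an IPA-managed zone publishes for its own realm
    "_kerberos.ipa.example.test.": {"TXT": ['"EXAMPLE.TEST"']},
    # another IPA/MIT realm publishing its own name
    "_kerberos.partner.test.": {"TXT": ['"PARTNER.TEST"']},
    # an AD forest: no _kerberos TXT, but a global-catalog SRV record
    "_ldap._tcp.gc._msdcs.ad.test.": {"SRV": ["0 100 3268 dc1.ad.test."]},
    # two TXT records at the name: not the single record IPA publishes
    "_kerberos.odd.test.": {"TXT": ['"EXAMPLE.TEST"', '"PARTNER.TEST"']},
    # a zone whose operator simply copied our realm name into _kerberos
    "_kerberos.lookalike.test.": {"TXT": ['"EXAMPLE.TEST"']},
}


class NoAnswer(Exception):
    """Stand-in for dns.exception.DNSException (NXDOMAIN, NoAnswer, Timeout)."""


def query(name, rtype):
    """Stand-in for dns.resolver.query(): the rdata list, or NoAnswer."""
    if not name.endswith("."):
        name += "."
    try:
        return list(ZONE_DATA[name][rtype])
    except KeyError:
        raise NoAnswer("%s/%s" % (name, rtype))


def classify_zone_realm(realm, domain, query=query):
    """Return 'current', 'foreign' or 'unknown' for a DNS zone.

    Same decision order as the patch: exactly one _kerberos TXT record
    decides current/foreign by comparing its string with the realm; with
    no usable TXT, an AD global-catalog SRV record means foreign; else
    unknown. Every branch trusts the answer exactly as served.
    """
    try:
        txt = query("_kerberos." + domain, "TXT")
        if len(txt) == 1:
            # Compare the character-string itself, not its quoted
            # presentation form; Kerberos realm names are case-sensitive.
            return "current" if txt[0].strip('"') == realm else "foreign"
        # more than one TXT record: not an IPA-style answer, fall through
    except NoAnswer:
        pass  # no TXT record served at all: try the AD marker

    try:
        query("_ldap._tcp.gc._msdcs." + domain, "SRV")
        return "foreign"
    except NoAnswer:
        pass

    return "unknown"


def classify_all(realm, domains, query=query):
    """Classify several zones at once, e.g. a proposed realmdomains list."""
    return {d: classify_zone_realm(realm, d, query) for d in domains}


if __name__ == "__main__":
    zones = ["ipa.example.test", "partner.test", "ad.test",
             "odd.test", "lookalike.test", "nowhere.test"]
    for dom, kind in sorted(classify_all(IPA_REALM, zones).items()):
        print("%-20s %s" % (dom, kind))
```

Run it directly to print each constructed zone's classification. The lookalike.test row is the practitioner's caveat: the answer is whatever the zone operator, or anyone who can spoof the resolver's view of that zone, chooses to publish, so the value is fit for choosing a warning and not for any decision that grants trust.
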
Re: [Freeipa-devel] [PATCHES 362-366] Realmdomains handling improvements

2015-10-12 Thread Martin Basti



On 12.10.2015 12:50, Tomas Babej wrote:
>
> - Original Message -
> From: "Martin Basti" <mba...@redhat.com>
> To: "Tomas Babej" <tba...@redhat.com>
> Cc: "freeipa-devel" <freeipa-devel@redhat.com>
> Sent: Monday, October 12, 2015 12:41:13 PM
> Subject: Re: [Freeipa-devel] [PATCHES 362-366] Realmdomains handling
> improvements
>
>
>
>> On 09.10.2015 19:11, Tomas Babej wrote:
>>> On 09/23/2015 02:40 PM, Martin Basti wrote:
>>>> On 09/22/2015 02:23 PM, Tomas Babej wrote:
>>>>> On 09/03/2015 04:34 PM, Alexander Bokovoy wrote:
>>>>>> On Thu, 03 Sep 2015, Tomas Babej wrote:
>>>>>>> Hi,
>>>>>>>
>>>>>>> this couple of patches fix https://fedorahosted.org/freeipa/ticket/5278
>>>>>>> and improve our handling of realmdomains in general.
>>>>>> The code looks good to me. I haven't tested it yet, though.
>>>>>>
>>>>> Rebased on top of current master.
>>>> Please fix tests too.
>>>>
>>> Updated patchset attached. Also fixed minor spelling and syntax issues
>>> in the original patches.
>>>
>>> Tomas
>> ACK,
>> unfortunately, patch "realmdomains: Issue a warning when automated
>> management of realmdomains" failed to apply on top of ipa-4-2 branch.
> Attaching rebased patchset.

Pushed to master: 12840e0bfa545341c448276c4803a49cbae63e8a

You sent different patch 362 for ipa-4-2 than it should be.



Re: [Freeipa-devel] [PATCHES 362-366] Realmdomains handling improvements

2015-10-12 Thread Martin Basti



On 12.10.2015 14:02, Tomas Babej wrote:
>> On 12.10.2015 12:50, Tomas Babej wrote:
>>> - Original Message -
>>> From: "Martin Basti" <mba...@redhat.com>
>>> To: "Tomas Babej" <tba...@redhat.com>
>>> Cc: "freeipa-devel" <freeipa-devel@redhat.com>
>>> Sent: Monday, October 12, 2015 12:41:13 PM
>>> Subject: Re: [Freeipa-devel] [PATCHES 362-366] Realmdomains handling
>>> improvements
>>>
>>>
>>>
>>>> On 09.10.2015 19:11, Tomas Babej wrote:
>>>>> On 09/23/2015 02:40 PM, Martin Basti wrote:
>>>>>> On 09/22/2015 02:23 PM, Tomas Babej wrote:
>>>>>>> On 09/03/2015 04:34 PM, Alexander Bokovoy wrote:
>>>>>>>> On Thu, 03 Sep 2015, Tomas Babej wrote:
>>>>>>>>> Hi,
>>>>>>>>>
>>>>>>>>> this couple of patches fix https://fedorahosted.org/freeipa/ticket/5278
>>>>>>>>> and improve our handling of realmdomains in general.
>>>>>>>> The code looks good to me. I haven't tested it yet, though.
>>>>>>>>
>>>>>>> Rebased on top of current master.
>>>>>> Please fix tests too.
>>>>>>
>>>>> Updated patchset attached. Also fixed minor spelling and syntax issues
>>>>> in the original patches.
>>>>>
>>>>> Tomas
>>>> ACK,
>>>> unfortunately, patch "realmdomains: Issue a warning when automated
>>>> management of realmdomains" failed to apply on top of ipa-4-2 branch.
>>> Attaching rebased patchset.
>> Pushed to master: 12840e0bfa545341c448276c4803a49cbae63e8a
>> You sent different patch 362 for ipa-4-2 than it should be.
>
> Yeah, I shifted the whole patchset by one patch somehow..
>
> Correct version attached.

Pushed to ipa-4-2: 291aa25acd5df24b8bcc36fc02f6af0cc4f7d0f9



Re: [Freeipa-devel] [PATCHES 362-366] Realmdomains handling improvements

2015-10-09 Thread Tomas Babej


On 09/23/2015 02:40 PM, Martin Basti wrote:
> 
> 
> On 09/22/2015 02:23 PM, Tomas Babej wrote:
>> On 09/03/2015 04:34 PM, Alexander Bokovoy wrote:
>>> On Thu, 03 Sep 2015, Tomas Babej wrote:
>>>> Hi,
>>>>
>>>> this couple of patches fix https://fedorahosted.org/freeipa/ticket/5278
>>>> and improve our handling of realmdomains in general.
>>> The code looks good to me. I haven't tested it yet, though.
>>>
>> Rebased on top of current master.
> 
> Please fix tests too.
> 

Updated patchset attached. Also fixed minor spelling and syntax issues
in the original patches.

Tomas
From e02e5cd1d084f7faef76f3995e9236b7ea0bb3f7 Mon Sep 17 00:00:00 2001
From: Tomas Babej 
Date: Thu, 3 Sep 2015 12:13:32 +0200
Subject: [PATCH] util: Add detect_dns_zone_realm_type helper

https://fedorahosted.org/freeipa/ticket/5278
---
 ipalib/util.py | 55 +++
 1 file changed, 55 insertions(+)

diff --git a/ipalib/util.py b/ipalib/util.py
index a37f67342259c1ef8bd31af1d9c40e453c3bf1cf..29b4ca160f1e63dfc2c233547028b5982242a3af 100644
--- a/ipalib/util.py
+++ b/ipalib/util.py
@@ -801,3 +801,58 @@ def get_topology_connection_errors(graph):
 if not_visited:
 connect_errors.append((m, list(visited), list(not_visited)))
 return connect_errors
+
+def detect_dns_zone_realm_type(api, domain):
+"""
+Detects the type of the realm that the given DNS zone belongs to.
+Note: This method is heuristic. Possible values:
+  - 'current': For IPA domains belonging in the current realm.
+  - 'foreign': For domains belonging in a foreing kerberos realm.
+  - 'unknown': For domains whose allegiance could not be detected.
+"""
+
+# First, try to detect _kerberos TXT record in the domain
+# This would indicate that the domain belongs to IPA realm
+
+kerberos_prefix = DNSName('_kerberos')
+domain_suffix = DNSName(domain)
+kerberos_record_name = kerberos_prefix + domain_suffix
+
+response = None
+
+try:
+result = resolver.query(kerberos_record_name, rdatatype.TXT)
+answer = result.response.answer
+
+# IPA domain will have only one _kerberos TXT record
+if (len(answer) == 1 and
+len(answer[0]) == 1 and
+answer[0].rdtype == rdatatype.TXT):
+
+record = answer[0][0]
+
+# If the record contains our current realm, it is 'ipa-current'
+if record.to_text() == '"{0}"'.format(api.env.realm):
+return 'current'
+else:
+return 'foreign'
+
+except DNSException as e:
+pass
+
+# Try to detect AD specific record in the zone.
+# This would indicate that the domain belongs to foreign (AD) realm
+
+gc_prefix = DNSName('_ldap._tcp.gc._msdcs')
+ad_specific_record_name = gc_prefix + domain_suffix
+
+try:
+# The presence of this record is enough, return foreign in such case
+result = resolver.query(ad_specific_record_name, rdatatype.SRV)
+return 'foreign'
+
+except DNSException as e:
+pass
+
+# If we could not detect type with certainity, return unknown
+return 'unknown'
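Review bot: `response = None` is assigned and never read, the `as e` binding on both `except DNSException` clauses is unused, and `result` from the SRV query is unused; drop all three so the helper passes a lint run cleanly. The comment "it is 'ipa-current'" does not match the value actually returned ('current'), and "foreing" in the docstring and "certainity" in the final comment are misspelled.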
-- 
2.1.0

From c1f93910a6f5cfaa0f46252b0c6f165e9257a5ae Mon Sep 17 00:00:00 2001
From: Tomas Babej 
Date: Thu, 3 Sep 2015 12:40:17 +0200
Subject: [PATCH] realmdomains: Minor style and wording improvements

https://fedorahosted.org/freeipa/ticket/5278
---
 ipalib/plugins/realmdomains.py | 75 +-
 1 file changed, 60 insertions(+), 15 deletions(-)

diff --git a/ipalib/plugins/realmdomains.py b/ipalib/plugins/realmdomains.py
index f8f838d0ede85ee747a4b2f19129dc757fe837eb..27c4fa228b455e8de5e40dafb8be0e4a4e1d0d65 100644
--- a/ipalib/plugins/realmdomains.py
+++ b/ipalib/plugins/realmdomains.py
@@ -137,16 +137,46 @@ class realmdomains_mod(LDAPUpdate):
 del_domain = entry_attrs.get('del_domain')
 force = options.get('force')
 
+current_domain = get_domain_name()
+
+missing_soa_ns_record_error = _(
+"DNS zone for each realmdomain must contain "
+"SOA or NS records. No records found for: %s"
+)
+
+# User specified the list of domains explicitly
 if associateddomain:
 if add_domain or del_domain:
-raise errors.MutuallyExclusiveError(reason=_("you cannot specify the --domain option together with --add-domain or --del-domain"))
-if get_domain_name() not in associateddomain:
-raise errors.ValidationError(name='domain', error=_("cannot delete domain of IPA server"))
+raise errors.MutuallyExclusiveError(
+reason=_(
+"The --domain option cannot be used together "
+"with --add-domain or --del-domain. Use --domain "
+"to specify the whole realm domain list explicitly, "
+  

Re: [Freeipa-devel] [PATCHES 362-366] Realmdomains handling improvements

2015-09-23 Thread Martin Basti



On 09/22/2015 02:23 PM, Tomas Babej wrote:
> On 09/03/2015 04:34 PM, Alexander Bokovoy wrote:
>> On Thu, 03 Sep 2015, Tomas Babej wrote:
>>> Hi,
>>>
>>> this couple of patches fix https://fedorahosted.org/freeipa/ticket/5278
>>> and improve our handling of realmdomains in general.
>> The code looks good to me. I haven't tested it yet, though.
>>
> Rebased on top of current master.


Please fix tests too.

[root@vm-065 ~]# ipa-run-tests test_xmlrpc/test_realmdomains_plugin.py 
--verbose
=== 
test session starts 
===
platform linux2 -- Python 2.7.10 -- py-1.4.30 -- pytest-2.6.4 -- 
/usr/bin/python

plugins: multihost, sourceorder
collected 13 items

test_xmlrpc/test_realmdomains_plugin.py <- 
test_xmlrpc/xmlrpc_test.py::test_realmdomains::test_command[: 
realmdomains_show: Retrieve realm domains] PASSED
test_xmlrpc/test_realmdomains_plugin.py <- 
test_xmlrpc/xmlrpc_test.py::test_realmdomains::test_command[0001: 
realmdomains_show: Retrieve realm domains - print all attributes] PASSED
test_xmlrpc/test_realmdomains_plugin.py <- 
test_xmlrpc/xmlrpc_test.py::test_realmdomains::test_command[0002: 
realmdomains_mod: Replace list of realm domains with 
"[u'abc.idm.lab.eng.brq.redhat.com', u'example1.com']"] FAILED
test_xmlrpc/test_realmdomains_plugin.py <- 
test_xmlrpc/xmlrpc_test.py::test_realmdomains::test_command[0003: 
realmdomains_mod: Add domain "example2.com" to list] FAILED
test_xmlrpc/test_realmdomains_plugin.py <- 
test_xmlrpc/xmlrpc_test.py::test_realmdomains::test_command[0004: 
realmdomains_mod: Delete domain "example2.com" from list] FAILED
test_xmlrpc/test_realmdomains_plugin.py <- 
test_xmlrpc/xmlrpc_test.py::test_realmdomains::test_command[0005: 
realmdomains_mod: Add domain "example2.com" and delete domain 
"example1.com"] FAILED
test_xmlrpc/test_realmdomains_plugin.py <- 
test_xmlrpc/xmlrpc_test.py::test_realmdomains::test_command[0006: 
realmdomains_mod: Try to specify --domain and --add-domain options 
together] FAILED
test_xmlrpc/test_realmdomains_plugin.py <- 
test_xmlrpc/xmlrpc_test.py::test_realmdomains::test_command[0007: 
realmdomains_mod: Try to replace list of realm domains with a list 
without our domain] FAILED
test_xmlrpc/test_realmdomains_plugin.py <- 
test_xmlrpc/xmlrpc_test.py::test_realmdomains::test_command[0008: 
realmdomains_mod: Try to replace list of realm domains with a list with 
an invalid domain "doesnotexist.test"] FAILED
test_xmlrpc/test_realmdomains_plugin.py <- 
test_xmlrpc/xmlrpc_test.py::test_realmdomains::test_command[0009: 
realmdomains_mod: Try to add an invalid domain "doesnotexist.test"] FAILED
test_xmlrpc/test_realmdomains_plugin.py <- 
test_xmlrpc/xmlrpc_test.py::test_realmdomains::test_command[0010: 
realmdomains_mod: Try to delete our domain] FAILED
test_xmlrpc/test_realmdomains_plugin.py <- 
test_xmlrpc/xmlrpc_test.py::test_realmdomains::test_command[0011: 
realmdomains_mod: Try to delete domain which is not in list] PASSED
test_xmlrpc/test_realmdomains_plugin.py <- 
test_xmlrpc/xmlrpc_test.py::test_realmdomains::test_command[0012: 
realmdomains_mod: Add an invalid domain "doesnotexist.test" with --force 
option] FAILED




Re: [Freeipa-devel] [PATCHES 362-366] Realmdomains handling improvements

2015-09-22 Thread Tomas Babej
On 09/03/2015 04:34 PM, Alexander Bokovoy wrote:
> On Thu, 03 Sep 2015, Tomas Babej wrote:
>> Hi,
>>
>> this couple of patches fix https://fedorahosted.org/freeipa/ticket/5278
>> and improve our handling of realmdomains in general.
> The code looks good to me. I haven't tested it yet, though.
> 

Rebased on top of current master.
From 6071024ee951221685c283f23dd9c43667cc4bd9 Mon Sep 17 00:00:00 2001
From: Tomas Babej 
Date: Thu, 3 Sep 2015 12:13:32 +0200
Subject: [PATCH] util: Add detect_dns_zone_realm_type helper

https://fedorahosted.org/freeipa/ticket/5278
---
 ipalib/util.py | 55 +++
 1 file changed, 55 insertions(+)

diff --git a/ipalib/util.py b/ipalib/util.py
index 7c7da6af7bbb290dd25832e188d5445a23e5571e..e5e0b5c40d39c4761405c35130e5cdc077d717eb 100644
--- a/ipalib/util.py
+++ b/ipalib/util.py
@@ -802,3 +802,58 @@ def get_topology_connection_errors(graph):
 if not_visited:
 connect_errors.append((m, list(visited), list(not_visited)))
 return connect_errors
+
+def detect_dns_zone_realm_type(api, domain):
+"""
+Detects the type of the realm that the given DNS zone belongs to.
+Note: This method is heuristic. Possible values:
+  - 'current': For IPA domains belonging in the current realm.
+  - 'foreign': For domains belonging in a foreing kerberos realm.
+  - 'unknown': For domains whose allegiance could not be detected.
+"""
+
+# First, try to detect _kerberos TXT record in the domain
+# This would indicate that the domain belongs to IPA realm
+
+kerberos_prefix = DNSName('_kerberos')
+domain_suffix = DNSName(domain)
+kerberos_record_name = kerberos_prefix + domain_suffix
+
+response = None
+
+try:
+result = resolver.query(kerberos_record_name, rdatatype.TXT)
+answer = result.response.answer
+
+# IPA domain will have only one _kerberos TXT record
+if (len(answer) == 1 and
+len(answer[0]) == 1 and
+answer[0].rdtype == rdatatype.TXT):
+
+record = answer[0][0]
+
+# If the record contains our current realm, it is 'ipa-current'
+if record.to_text() == '"{0}"'.format(api.env.realm):
+return 'current'
+else:
+return 'foreign'
+
+except DNSException as e:
+pass
+
+# Try to detect AD specific record in the zone.
+# This would indicate that the domain belongs to foreign (AD) realm
+
+gc_prefix = DNSName('_ldap._tcp.gc._msdcs')
+ad_specific_record_name = gc_prefix + domain_suffix
+
+try:
+# The presence of this record is enough, return foreign in such case
+result = resolver.query(ad_specific_record_name, rdatatype.SRV)
+return 'foreign'
+
+except DNSException as e:
+pass
+
+# If we could not detect type with certainity, return unknown
+return 'unknown'
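Review bot: the `len(answer) == 1 and len(answer[0]) == 1` test inspects the raw answer section of the response, so if _kerberos.<domain> is a CNAME the section carries two RRsets (the CNAME and the TXT it points to) and a perfectly good IPA zone falls through to the AD check and ends up 'unknown'. Iterating over `result` itself, the Answer object, which yields only the rdatas of the matched TXT RRset, avoids that and makes the `answer[0].rdtype == rdatatype.TXT` check unnecessary. Also worth a comment: any single TXT at that name whose content is not our realm is reported as a foreign Kerberos realm, so an unrelated TXT record someone parked there reads as "foreign".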
-- 
2.1.0

From 2099722b982866537ed11f21cee328d9ff17af4d Mon Sep 17 00:00:00 2001
From: Tomas Babej 
Date: Thu, 3 Sep 2015 12:40:17 +0200
Subject: [PATCH] realmdomains: Minor style and wording improvements

https://fedorahosted.org/freeipa/ticket/5278
---
 ipalib/plugins/realmdomains.py | 75 +-
 1 file changed, 60 insertions(+), 15 deletions(-)

diff --git a/ipalib/plugins/realmdomains.py b/ipalib/plugins/realmdomains.py
index f8f838d0ede85ee747a4b2f19129dc757fe837eb..4e618f1d1a71ba2133b03384bc056d069c505f43 100644
--- a/ipalib/plugins/realmdomains.py
+++ b/ipalib/plugins/realmdomains.py
@@ -137,16 +137,46 @@ class realmdomains_mod(LDAPUpdate):
 del_domain = entry_attrs.get('del_domain')
 force = options.get('force')
 
+current_domain = get_domain_name()
+
+missing_soa_ns_record_error = _(
+"DNS zone for each realmdomain must contain "
+"SOA or NS records. No records found for: %s"
+)
+
+# User specified the list of domains explicitly
 if associateddomain:
 if add_domain or del_domain:
-raise errors.MutuallyExclusiveError(reason=_("you cannot specify the --domain option together with --add-domain or --del-domain"))
-if get_domain_name() not in associateddomain:
-raise errors.ValidationError(name='domain', error=_("cannot delete domain of IPA server"))
+raise errors.MutuallyExclusiveError(
+reason=_(
+"The --domain option cannot be used together "
+"with --add-domain or --del-domain. Use --domain "
+"to specify the whole realm domain list explicitly, "
+"to add/remove individual domains, use "
+"--add-domain/del-domain.")
+)
+
+# Make sure our domain is included in the list
+if current_domain not in associateddomain:
+ 
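Review bot: in the new MutuallyExclusiveError text, "--add-domain/del-domain" drops the leading dashes of the second option; it should read "--add-domain/--del-domain" so the name can be copied as printed. The sentence also joins two instructions with a comma ("... list explicitly, to add/remove individual domains, use ..."); a semicolon or full stop before "to add/remove" reads better. The hunk is cut off on this page after `if current_domain not in associateddomain:`, so the replacement for the removed "cannot delete domain of IPA server" check cannot be reviewed here.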

Re: [Freeipa-devel] [PATCHES 362-366] Realmdomains handling improvements

2015-09-03 Thread Alexander Bokovoy

On Thu, 03 Sep 2015, Tomas Babej wrote:
> Hi,
>
> this couple of patches fix https://fedorahosted.org/freeipa/ticket/5278
> and improve our handling of realmdomains in general.

The code looks good to me. I haven't tested it yet, though.

--
/ Alexander Bokovoy



[Freeipa-devel] [PATCHES 362-366] Realmdomains handling improvements

2015-09-03 Thread Tomas Babej
Hi,

this couple of patches fix https://fedorahosted.org/freeipa/ticket/5278
and improve our handling of realmdomains in general.

Tomas
From 7298b240843b5a86569b3e99cd793f42fd007acf Mon Sep 17 00:00:00 2001
From: Tomas Babej 
Date: Thu, 3 Sep 2015 12:13:32 +0200
Subject: [PATCH] util: Add detect_dns_zone_realm_type helper

https://fedorahosted.org/freeipa/ticket/5278
---
 ipalib/util.py | 55 +++
 1 file changed, 55 insertions(+)

diff --git a/ipalib/util.py b/ipalib/util.py
index 5a761fb0f7ee6c0851d6f1128cecc4ddd8b397f2..23f36a63dd5747239102e6153b6c0c1e774daa59 100644
--- a/ipalib/util.py
+++ b/ipalib/util.py
@@ -799,3 +799,58 @@ def get_topology_connection_errors(graph):
 if not_visited:
 connect_errors.append((m, list(visited), list(not_visited)))
 return connect_errors
+
+def detect_dns_zone_realm_type(api, domain):
+"""
+Detects the type of the realm that the given DNS zone belongs to.
+Note: This method is heuristic. Possible values:
+  - 'current': For IPA domains belonging in the current realm.
+  - 'foreign': For domains belonging in a foreing kerberos realm.
+  - 'unknown': For domains whose allegiance could not be detected.
+"""
+
+# First, try to detect _kerberos TXT record in the domain
+# This would indicate that the domain belongs to IPA realm
+
+kerberos_prefix = DNSName('_kerberos')
+domain_suffix = DNSName(domain)
+kerberos_record_name = kerberos_prefix + domain_suffix
+
+response = None
+
+try:
+result = resolver.query(kerberos_record_name, rdatatype.TXT)
+answer = result.response.answer
+
+# IPA domain will have only one _kerberos TXT record
+if (len(answer) == 1 and
+len(answer[0]) == 1 and
+answer[0].rdtype == rdatatype.TXT):
+
+record = answer[0][0]
+
+# If the record contains our current realm, it is 'ipa-current'
+if record.to_text() == '"{0}"'.format(api.env.realm):
+return 'current'
+else:
+return 'foreign'
+
+except DNSException as e:
+pass
+
+# Try to detect AD specific record in the zone.
+# This would indicate that the domain belongs to foreign (AD) realm
+
+gc_prefix = DNSName('_ldap._tcp.gc._msdcs')
+ad_specific_record_name = gc_prefix + domain_suffix
+
+try:
+# The presence of this record is enough, return foreign in such case
+result = resolver.query(ad_specific_record_name, rdatatype.SRV)
+return 'foreign'
+
+except DNSException as e:
+pass
+
+# If we could not detect type with certainity, return unknown
+return 'unknown'
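Review bot: the hunk uses DNSName, resolver, rdatatype and DNSException but adds no import, and none of them appears in its context lines; confirm that ipalib/util.py already imports all four at module level, because a missing one only surfaces as a NameError at call time, and this helper is reached solely through realmdomains_mod, so an import-time check would not catch it. The function also takes `api` as a parameter purely to read `api.env.realm`; passing the realm string directly would keep the helper free of the plugin framework and easier to unit-test against canned DNS answers.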
-- 
2.1.0

From cb6efd05e12b441f70385c7e8c5cdf605c173456 Mon Sep 17 00:00:00 2001
From: Tomas Babej 
Date: Thu, 3 Sep 2015 12:40:17 +0200
Subject: [PATCH] realmdomains: Minor style and wording improvements

https://fedorahosted.org/freeipa/ticket/5278
---
 ipalib/plugins/realmdomains.py | 75 +-
 1 file changed, 60 insertions(+), 15 deletions(-)

diff --git a/ipalib/plugins/realmdomains.py b/ipalib/plugins/realmdomains.py
index 871ea79c4b6225919d2700420a56eebb816bc025..83c8abd76a220f365f751ec399e6b1535a8e575e 100644
--- a/ipalib/plugins/realmdomains.py
+++ b/ipalib/plugins/realmdomains.py
@@ -133,16 +133,46 @@ class realmdomains_mod(LDAPUpdate):
 del_domain = entry_attrs.get('del_domain')
 force = options.get('force')
 
+current_domain = get_domain_name()
+
+missing_soa_ns_record_error = _(
+"DNS zone for each realmdomain must contain "
+"SOA or NS records. No records found for: %s"
+)
+
+# User specified the list of domains explicitly
 if associateddomain:
 if add_domain or del_domain:
-raise errors.MutuallyExclusiveError(reason=_("you cannot specify the --domain option together with --add-domain or --del-domain"))
-if get_domain_name() not in associateddomain:
-raise errors.ValidationError(name='domain', error=_("cannot delete domain of IPA server"))
+raise errors.MutuallyExclusiveError(
+reason=_(
+"The --domain option cannot be used together "
+"with --add-domain or --del-domain. Use --domain "
+"to specify the whole realm domain list explicitly, "
+"to add/remove individual domains, use "
+"--add-domain/del-domain.")
+)
+
+# Make sure our domain is included in the list
+if current_domain not in associateddomain:
+raise errors.ValidationError(
+name='realmdomain list',
+error=_("IPA server domain cannot by omitted")
+)
+
+#
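Review bot: the new ValidationError message "IPA server domain cannot by omitted" should read "cannot be omitted". Its `name='realmdomain list'` replaces the previous `name='domain'`, but `name` is shown to the user as the offending parameter and `--domain` is the option they actually passed, so keep `name='domain'` and put the wording into `error` only. In the MutuallyExclusiveError text above it, "--add-domain/del-domain" should be "--add-domain/--del-domain". The hunk is cut off on this page at `+#`, so the SOA/NS validation that `missing_soa_ns_record_error` is prepared for cannot be reviewed here.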