[Freeipa-devel] [freeipa PR#746][synchronized] KDC proxy URI records

2017-04-28 Thread MartinBasti
   URL: https://github.com/freeipa/freeipa/pull/746
Author: MartinBasti
 Title: #746: KDC proxy URI records
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/746/head:pr746
git checkout pr746
From 0c6e1bf34b92cfe5ff29b29843826181970bcff2 Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Wed, 26 Apr 2017 18:49:47 +0200
Subject: [PATCH] Automatic creation of KDC URI records

Enables creation of following records per each replica:

KDC URI records:
_kerberos.example.com. IN URI   "krb5srv:M:tcp:ipaserver.example.com"
_kpasswd.example.com. IN URI   "krb5srv:M:tcp:ipaserver.example.com"
_kerberos.example.com. IN URI   "krb5srv:M:udp:ipaserver.example.com"
_kpasswd.example.com. IN URI   "krb5srv:M:udp:ipaserver.example.com"

KDC proxy URI records:
_kerberos.example.com. IN URI +10  "krb5srv:M:kkdcp:https://ipaserver.example.com/KdcProxy;
_kpasswd.example.com. IN URI +10  "krb5srv:M:kkdcp:https://ipaserver.example.com/KdcProxy;

URI records for kadmin discovery are not created because FreeIPA doesn't
support kadmin.

KDC URI records (tcp, udp) must have higher priority than KDC proxy
(https) to prefer direct communication with KDC. Also there is a bug
that prevents ipa-client-install to enroll client with using only KDC
proxy in some cases (see https://pagure.io/freeipa/issue/6906).

All records are created for each replica in the topology, as KDC proxy is enabled
by default. (Please note that if KDC proxy is manually disabled, KDC proxy records will
be created anyway.)

See: https://k5wiki.kerberos.org/wiki/Projects/KDC_Discovery

https://pagure.io/freeipa/issue/6337
---
 ipaserver/dns_data_management.py| 88 -
 ipatests/test_integration/test_dns_locations.py | 52 +++
 2 files changed, 138 insertions(+), 2 deletions(-)

diff --git a/ipaserver/dns_data_management.py b/ipaserver/dns_data_management.py
index d4dc42e..0dbedde 100644
--- a/ipaserver/dns_data_management.py
+++ b/ipaserver/dns_data_management.py
@@ -37,6 +37,23 @@
 (DNSName(u'_kpasswd._udp'), 464),
 )
 
+IPA_DEFAULT_KDC_URI_REC = (
+# URI record name, target
+(DNSName(u'_kpasswd'), u'krb5srv:M:tcp:{server}'),
+(DNSName(u'_kpasswd'), u'krb5srv:M:udp:{server}'),
+(DNSName(u'_kerberos'), u'krb5srv:M:tcp:{server}'),
+(DNSName(u'_kerberos'), u'krb5srv:M:udp:{server}'),
+)
+
+# URI records for KDCProxy must have lower priority than for KDC, clients must
+# prefer to connect directly to KDC
+IPA_KDCPROXY_PRIORITY_PENALIZATION = 10
+IPA_DEFAULT_KDCPROXY_URI_REC = (
+# URI record name, target
+(DNSName(u'_kpasswd'), u'krb5srv:M:kkdcp:https://{server}/KdcProxy'),
+(DNSName(u'_kerberos'), u'krb5srv:M:kkdcp:https://{server}/KdcProxy'),
+)
+
 IPA_DEFAULT_ADTRUST_SRV_REC = (
 # srv record name, port
 (DNSName(u'_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs'), 389),
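Review bot: The comment above `IPA_KDCPROXY_PRIORITY_PENALIZATION` says the KDC proxy URI records "must have lower priority than for KDC", but the constant is added to the numeric priority field, and in a URI record a lower numeric value is the preferred one (RFC 7553), so the wording reads backwards for anyone thinking in field values. Suggest `# URI records for KDCProxy must carry a numerically higher priority value than the` / `# plain KDC records (RFC 7553: lower value is preferred), so clients try the KDC` / `# directly before falling back to the proxy`. The `# URI record name, target` header on both tuples could also say that `{server}` is a placeholder the caller fills with the server hostname, e.g. `# URI record name, target template ({server} is replaced with the KDC hostname)`. The same applies to the identical hunk in the two later revisions of this patch on this page.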
@@ -127,6 +144,34 @@ def __add_srv_records(
 r_name, rdatatype.SRV, create=True)
 rdataset.add(rd, ttl=86400)  # FIXME: use TTL from config
 
+def __add_kdc_uri_records(
+self, zone_obj, hostname, rname_target_map,
+weight=100, priority=0, location=None
+):
+assert isinstance(hostname, DNSName)
+assert isinstance(priority, int)
+assert isinstance(weight, int)
+
+if location:
+suffix = self.__get_location_suffix(location)
+else:
+suffix = self.domain_abs
+
+for name, target in rname_target_map:
+rd = rdata.from_text(
+rdataclass.IN, rdatatype.URI,
+'{0} {1} {2}'.format(
+priority, weight,
+target.format(server=hostname.ToASCII())
+)
+)
+
+r_name = name.derelativize(suffix)
+
+rdataset = zone_obj.get_rdataset(
+r_name, rdatatype.URI, create=True)
+rdataset.add(rd, ttl=86400)  # FIXME: use TTL from config
+
 def __add_ca_records_from_hostname(self, zone_obj, hostname):
 assert isinstance(hostname, DNSName) and hostname.is_absolute()
 r_name = DNSName('ipa-ca') + self.domain_abs
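Review bot: `__add_kdc_uri_records` only asserts that `hostname` is a `DNSName`, yet `hostname.ToASCII()` is written verbatim into the URI target, so an absolute name would presumably yield a target with a trailing dot, while the caller deliberately passes the relative `hostname_rel` and the sibling `__add_ca_records_from_hostname` pins the opposite expectation with `hostname.is_absolute()`. Make the contract explicit with `assert isinstance(hostname, DNSName) and not hostname.is_absolute()`, and hoist `target_host = hostname.ToASCII()` above the loop since it does not change per record. The method also has no docstring; a short one should state that it adds one URI record per (name, target template) pair under the location suffix or the domain apex, with `{server}` filled from `hostname`, and that `priority` and `weight` are applied unchanged to every record. The enclosing class continues outside the hunk, and the same applies to the identical hunk in the two later revisions of this patch on this page.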
@@ -173,6 +218,7 @@ def _add_base_dns_records_for_server(
 else:
 eff_roles = server['roles']
 hostname_abs = DNSName(hostname).make_absolute()
+hostname_rel = DNSName(hostname)
 
 if include_kerberos_realm:
 self.__add_kerberos_txt_rec(zone_obj)
@@ -185,6 +231,21 @@ def _add_base_dns_records_for_server(
 IPA_DEFAULT_MASTER_SRV_REC,
 weight=server['weight']
 )
+self.__add_kdc_uri_records(
+zone_obj,
+hostname_rel,
+IPA_DEFAULT_KDC_URI_REC,
+weight=server['weight']
+)
+
+# FIXME: create KDC Proxy records only when KDC proxy is enabled
+ 

[Freeipa-devel] [freeipa PR#746][synchronized] KDC proxy URI records

2017-04-28 Thread MartinBasti
   URL: https://github.com/freeipa/freeipa/pull/746
Author: MartinBasti
 Title: #746: KDC proxy URI records
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/746/head:pr746
git checkout pr746
From d79bc35de7315c9a49605c4acb0798441ce67997 Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Wed, 26 Apr 2017 18:49:47 +0200
Subject: [PATCH] Automatic creation of KDC URI records

Enables creation of following records per each replica:

KDC URI records:
_kerberos.example.com. IN URI   "krb5srv:M:tcp:ipaserver.example.com"
_kpasswd.example.com. IN URI   "krb5srv:M:tcp:ipaserver.example.com"
_kerberos.example.com. IN URI   "krb5srv:M:udp:ipaserver.example.com"
_kpasswd.example.com. IN URI   "krb5srv:M:udp:ipaserver.example.com"

KDC proxy URI records:
_kerberos.example.com. IN URI +10  "krb5srv:M:kkdcp:https://ipaserver.example.com/KdcProxy;
_kpasswd.example.com. IN URI +10  "krb5srv:M:kkdcp:https://ipaserver.example.com/KdcProxy;

URI records for kadmin discovery are not created because FreeIPA doesn't
support kadmin.

KDC URI records (tcp, udp) must have higher priority than KDC proxy
(https) to prefer direct communication with KDC. Also there is a bug
that prevents ipa-client-install to enroll client with using only KDC
proxy in some cases (see https://pagure.io/freeipa/issue/6906).

All records are created for each replica in the topology, as KDC proxy is enabled
by default. (Please note that if KDC proxy is manually disabled, KDC proxy records will
be created anyway.)

See: https://k5wiki.kerberos.org/wiki/Projects/KDC_Discovery

https://pagure.io/freeipa/issue/6337
---
 ipaserver/dns_data_management.py| 88 -
 ipatests/test_integration/test_dns_locations.py | 47 +
 2 files changed, 133 insertions(+), 2 deletions(-)

diff --git a/ipaserver/dns_data_management.py b/ipaserver/dns_data_management.py
index d4dc42e..0dbedde 100644
--- a/ipaserver/dns_data_management.py
+++ b/ipaserver/dns_data_management.py
@@ -37,6 +37,23 @@
 (DNSName(u'_kpasswd._udp'), 464),
 )
 
+IPA_DEFAULT_KDC_URI_REC = (
+# URI record name, target
+(DNSName(u'_kpasswd'), u'krb5srv:M:tcp:{server}'),
+(DNSName(u'_kpasswd'), u'krb5srv:M:udp:{server}'),
+(DNSName(u'_kerberos'), u'krb5srv:M:tcp:{server}'),
+(DNSName(u'_kerberos'), u'krb5srv:M:udp:{server}'),
+)
+
+# URI records for KDCProxy must have lower priority than for KDC, clients must
+# prefer to connect directly to KDC
+IPA_KDCPROXY_PRIORITY_PENALIZATION = 10
+IPA_DEFAULT_KDCPROXY_URI_REC = (
+# URI record name, target
+(DNSName(u'_kpasswd'), u'krb5srv:M:kkdcp:https://{server}/KdcProxy'),
+(DNSName(u'_kerberos'), u'krb5srv:M:kkdcp:https://{server}/KdcProxy'),
+)
+
 IPA_DEFAULT_ADTRUST_SRV_REC = (
 # srv record name, port
 (DNSName(u'_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs'), 389),
@@ -127,6 +144,34 @@ def __add_srv_records(
 r_name, rdatatype.SRV, create=True)
 rdataset.add(rd, ttl=86400)  # FIXME: use TTL from config
 
+def __add_kdc_uri_records(
+self, zone_obj, hostname, rname_target_map,
+weight=100, priority=0, location=None
+):
+assert isinstance(hostname, DNSName)
+assert isinstance(priority, int)
+assert isinstance(weight, int)
+
+if location:
+suffix = self.__get_location_suffix(location)
+else:
+suffix = self.domain_abs
+
+for name, target in rname_target_map:
+rd = rdata.from_text(
+rdataclass.IN, rdatatype.URI,
+'{0} {1} {2}'.format(
+priority, weight,
+target.format(server=hostname.ToASCII())
+)
+)
+
+r_name = name.derelativize(suffix)
+
+rdataset = zone_obj.get_rdataset(
+r_name, rdatatype.URI, create=True)
+rdataset.add(rd, ttl=86400)  # FIXME: use TTL from config
+
 def __add_ca_records_from_hostname(self, zone_obj, hostname):
 assert isinstance(hostname, DNSName) and hostname.is_absolute()
 r_name = DNSName('ipa-ca') + self.domain_abs
@@ -173,6 +218,7 @@ def _add_base_dns_records_for_server(
 else:
 eff_roles = server['roles']
 hostname_abs = DNSName(hostname).make_absolute()
+hostname_rel = DNSName(hostname)
 
 if include_kerberos_realm:
 self.__add_kerberos_txt_rec(zone_obj)
@@ -185,6 +231,21 @@ def _add_base_dns_records_for_server(
 IPA_DEFAULT_MASTER_SRV_REC,
 weight=server['weight']
 )
+self.__add_kdc_uri_records(
+zone_obj,
+hostname_rel,
+IPA_DEFAULT_KDC_URI_REC,
+weight=server['weight']
+)
+
+# FIXME: create KDC Proxy records only when KDC proxy is enabled
+   

[Freeipa-devel] [freeipa PR#746][synchronized] KDC proxy URI records

2017-04-28 Thread MartinBasti
   URL: https://github.com/freeipa/freeipa/pull/746
Author: MartinBasti
 Title: #746: KDC proxy URI records
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/746/head:pr746
git checkout pr746
From 342158b9f427057c08b9a115b68825f918554ee1 Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Wed, 26 Apr 2017 18:49:47 +0200
Subject: [PATCH] Automatic creation of KDC URI records

Enables creation of following records per each replica:

KDC URI records:
_kerberos.example.com. IN URI   "krb5srv:M:tcp:ipaserver.example.com"
_kpasswd.example.com. IN URI   "krb5srv:M:tcp:ipaserver.example.com"
_kerberos.example.com. IN URI   "krb5srv:M:udp:ipaserver.example.com"
_kpasswd.example.com. IN URI   "krb5srv:M:udp:ipaserver.example.com"

KDC proxy URI records:
_kerberos.example.com. IN URI +10  "krb5srv:M:kkdcp:https://ipaserver.example.com/KdcProxy;
_kpasswd.example.com. IN URI +10  "krb5srv:M:kkdcp:https://ipaserver.example.com/KdcProxy;

URI records for kadmin discovery are not created because FreeIPA doesn't
support kadmin.

KDC URI records (tcp, udp) must have higher priority than KDC proxy
(https) to prefer direct communication with KDC. Also there is a bug
that prevents ipa-client-install to enroll client with using only KDC
proxy in some cases (see https://pagure.io/freeipa/issue/6906).

All records are created for each replica in the topology, as KDC proxy is enabled
by default. (Please note that if KDC proxy is manually disabled, KDC proxy records will
be created anyway.)

See: https://k5wiki.kerberos.org/wiki/Projects/KDC_Discovery

https://pagure.io/freeipa/issue/6337
---
 ipaserver/dns_data_management.py| 88 -
 ipatests/test_integration/test_dns_locations.py | 47 +
 2 files changed, 133 insertions(+), 2 deletions(-)

diff --git a/ipaserver/dns_data_management.py b/ipaserver/dns_data_management.py
index d4dc42e..0dbedde 100644
--- a/ipaserver/dns_data_management.py
+++ b/ipaserver/dns_data_management.py
@@ -37,6 +37,23 @@
 (DNSName(u'_kpasswd._udp'), 464),
 )
 
+IPA_DEFAULT_KDC_URI_REC = (
+# URI record name, target
+(DNSName(u'_kpasswd'), u'krb5srv:M:tcp:{server}'),
+(DNSName(u'_kpasswd'), u'krb5srv:M:udp:{server}'),
+(DNSName(u'_kerberos'), u'krb5srv:M:tcp:{server}'),
+(DNSName(u'_kerberos'), u'krb5srv:M:udp:{server}'),
+)
+
+# URI records for KDCProxy must have lower priority than for KDC, clients must
+# prefer to connect directly to KDC
+IPA_KDCPROXY_PRIORITY_PENALIZATION = 10
+IPA_DEFAULT_KDCPROXY_URI_REC = (
+# URI record name, target
+(DNSName(u'_kpasswd'), u'krb5srv:M:kkdcp:https://{server}/KdcProxy'),
+(DNSName(u'_kerberos'), u'krb5srv:M:kkdcp:https://{server}/KdcProxy'),
+)
+
 IPA_DEFAULT_ADTRUST_SRV_REC = (
 # srv record name, port
 (DNSName(u'_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs'), 389),
@@ -127,6 +144,34 @@ def __add_srv_records(
 r_name, rdatatype.SRV, create=True)
 rdataset.add(rd, ttl=86400)  # FIXME: use TTL from config
 
+def __add_kdc_uri_records(
+self, zone_obj, hostname, rname_target_map,
+weight=100, priority=0, location=None
+):
+assert isinstance(hostname, DNSName)
+assert isinstance(priority, int)
+assert isinstance(weight, int)
+
+if location:
+suffix = self.__get_location_suffix(location)
+else:
+suffix = self.domain_abs
+
+for name, target in rname_target_map:
+rd = rdata.from_text(
+rdataclass.IN, rdatatype.URI,
+'{0} {1} {2}'.format(
+priority, weight,
+target.format(server=hostname.ToASCII())
+)
+)
+
+r_name = name.derelativize(suffix)
+
+rdataset = zone_obj.get_rdataset(
+r_name, rdatatype.URI, create=True)
+rdataset.add(rd, ttl=86400)  # FIXME: use TTL from config
+
 def __add_ca_records_from_hostname(self, zone_obj, hostname):
 assert isinstance(hostname, DNSName) and hostname.is_absolute()
 r_name = DNSName('ipa-ca') + self.domain_abs
@@ -173,6 +218,7 @@ def _add_base_dns_records_for_server(
 else:
 eff_roles = server['roles']
 hostname_abs = DNSName(hostname).make_absolute()
+hostname_rel = DNSName(hostname)
 
 if include_kerberos_realm:
 self.__add_kerberos_txt_rec(zone_obj)
@@ -185,6 +231,21 @@ def _add_base_dns_records_for_server(
 IPA_DEFAULT_MASTER_SRV_REC,
 weight=server['weight']
 )
+self.__add_kdc_uri_records(
+zone_obj,
+hostname_rel,
+IPA_DEFAULT_KDC_URI_REC,
+weight=server['weight']
+)
+
+# FIXME: create KDC Proxy records only when KDC proxy is enabled
+