Re: [Freeipa-devel] [PATCH] 0011 Allow user to force Kerberos realm during installation
On 09/04/2014 01:22 PM, Jan Cholasta wrote:
> On 4.9.2014 at 12:42, David Kupka wrote:
>> On 09/03/2014 05:09 PM, Jan Cholasta wrote:
>>> Hi,
>>>
>>> On 27.8.2014 at 13:56, David Kupka wrote:
>>>> Usually it isn't wise to allow something like this. But in an
>>>> environment with broken DNS (described in the ticket) there are
>>>> probably not many alternatives.
>>>>
>>>> https://fedorahosted.org/freeipa/ticket/
>>>
>>> 1) I think you can log realm in search() as part of the "Starting IPA
>>> discovery ..." message instead of a separate message.
>>>
>>> 2) Also, no need to log the realm twice in search().
>>
>> I forgot to remove some redundant debug prints.
>>
>>> 3) It looks like you forgot to un-indent some code in
>>> ipadnssearchkrbkdc().
>>
>> Fixed, thanks.
>
> What I meant is that this:
>
>     def ipadnssearchkrbkdc(self, domain=None):
>         kdc = None
>
>         if not domain:
>             domain = self.domain
>
>         kdc = self.ipadns_search_srv(domain, '_kerberos._udp', 88,
>                                      break_on_first=False)
>         if kdc:
>             kdc = ','.join(kdc)
>         else:
>             root_logger.debug("SRV record for KDC not found! Domain: %s" % domain)
>             kdc = None
>
>         return kdc
>
> should be this:
>
>     def ipadnssearchkrbkdc(self, domain=None):
>         if not domain:
>             domain = self.domain
>
>         kdc = self.ipadns_search_srv(domain, '_kerberos._udp', 88,
>                                      break_on_first=False)
>         if kdc:
>             kdc = ','.join(kdc)
>         else:
>             root_logger.debug("SRV record for KDC not found! Domain: %s" % domain)
>             kdc = None
>
>         return kdc
>
> Isn't that right?

Oh, you're right, again :) Thanks.

> Honza

--
David Kupka

From e3dfea228328da6d520180515426095ce0985c47 Mon Sep 17 00:00:00 2001
From: David Kupka <dku...@redhat.com>
Date: Wed, 27 Aug 2014 12:31:09 +0200
Subject: [PATCH] Allow user to force Kerberos realm during installation.

The user can set a realm not matching the one resolved from DNS. This is
useful especially when DNS is misconfigured.

https://fedorahosted.org/freeipa/ticket/
---
 ipa-client/ipa-install/ipa-client-install |  2 +-
 ipa-client/ipaclient/ipadiscovery.py      | 52 +++
 2 files changed, 33 insertions(+), 21 deletions(-)
diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install index 08fefc86d31392e9abf66ee4f8fff54a88179795..4eb3b3b8dcf5e31f08e9895b33ca0419eaf2195a 100755 --- a/ipa-client/ipa-install/ipa-client-install +++ b/ipa-client/ipa-install/ipa-client-install @@ -2126,7 +2126,7 @@ def install(options, env, fstore, statestore): # Create the discovery instance ds = ipadiscovery.IPADiscovery() -ret = ds.search(domain=options.domain, servers=options.server, hostname=hostname, ca_cert_path=get_cert_path(options.ca_cert_file)) +ret = ds.search(domain=options.domain, servers=options.server, realm=options.realm_name, hostname=hostname, ca_cert_path=get_cert_path(options.ca_cert_file)) if options.server and ret != 0: # There is no point to continue with installation as server list was diff --git a/ipa-client/ipaclient/ipadiscovery.py b/ipa-client/ipaclient/ipadiscovery.py index 0532f618e81d215c4416f62f81af2add48c7dc8e..0d574825aa493a8d565afe30077b74aec03924a3 100644 --- a/ipa-client/ipaclient/ipadiscovery.py +++ b/ipa-client/ipaclient/ipadiscovery.py @@ -139,7 +139,7 @@ class IPADiscovery(object): domain = domain[p+1:] return (None, None) -def search(self, domain = , servers = , hostname=None, ca_cert_path=None): +def search(self, domain=, servers=, realm=None, hostname=None, ca_cert_path=None): Use DNS discovery to identify valid IPA servers. 
@@ -218,13 +218,21 @@ class IPADiscovery(object): #search for kerberos root_logger.debug([Kerberos realm search]) -krb_realm, kdc = self.ipadnssearchkrb(self.domain) -if not servers and not krb_realm: +if realm: +root_logger.debug(Kerberos realm forced) +self.realm = realm +self.realm_source = 'Forced' +else: +realm = self.ipadnssearchkrbrealm() +self.realm = realm +self.realm_source = ( +'Discovered Kerberos DNS records from %s' % self.domain) + +if not servers and not realm: return REALM_NOT_FOUND -self.realm = krb_realm -self.kdc = kdc -self.realm_source = self.kdc_source = ( +self.kdc = self.ipadnssearchkrbkdc() +self.kdc_source = ( 'Discovered Kerberos DNS records from %s' % self.domain) # We may have received multiple servers corresponding to the domain @@ -452,11 +460,12 @@ class IPADiscovery(object): return servers -def ipadnssearchkrb(self, tdomain): +def ipadnssearchkrbrealm(self, domain=None): realm = None -kdc = None
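Review bot: the search() docstring in the ipadiscovery.py hunk at @@ -139,7 +139,7 @@ still reads only "Use DNS discovery to identify valid IPA servers." although the hunk adds a `realm` parameter; document that a non-empty `realm` skips the `_kerberos` TXT lookup and is stored with `realm_source = 'Forced'`, so a reader of the installer's discovery output can tell the realm came from the command line and was never cross-checked against DNS.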
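Review bot: in the @@ -218,13 +218,21 @@ hunk `self.kdc_source` is assigned `'Discovered Kerberos DNS records from %s'` unconditionally right after `self.kdc = self.ipadnssearchkrbkdc()`, so when no SRV record exists the object reports a discovery source for a KDC that was never found; guard the assignment with `if self.kdc:` so the diagnostic summary stays truthful in exactly the broken-DNS setups this option is meant for.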
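The discovery flow the patch adds to IPADiscovery.search(), as an added stand-alone example; this is not FreeIPA's code. It models the realm and KDC lookups over a constructed in-memory DNS table so it runs offline: discover(), search_realm_txt(), search_kdc_srv(), DiscoveryResult, fake_resolve() and the FAKE_DNS zone data are assumptions made here, while the record names (_kerberos.<domain> TXT, _kerberos._udp.<domain> SRV) and the realm_source strings follow the patch. The constructed broken.test zone has KDC SRV records but no _kerberos TXT record, which is the misconfigured-DNS case the option exists for: without a forced realm discovery stops with REALM_NOT_FOUND, with one it proceeds and still finds the KDC.

```python
"""Kerberos realm/KDC discovery with a forced-realm override.

Added example, not FreeIPA's code. discover(), search_realm_txt(),
search_kdc_srv(), DiscoveryResult, fake_resolve() and FAKE_DNS are
assumptions made for this illustration; the record names and the
realm_source strings follow the patch under review.
"""
from typing import Callable, Dict, List, Optional, Tuple

SUCCESS = 0
REALM_NOT_FOUND = 2  # constructed sentinel; FreeIPA defines its own codes

# A resolver is any callable (qname, rrtype) -> list of record strings,
# so the same logic can run against a real DNS client or the table below.
Resolver = Callable[[str, str], List[str]]


class DiscoveryResult:
    """What IPADiscovery.search() records on self after a run."""

    def __init__(self) -> None:
        self.status: int = SUCCESS
        self.realm: Optional[str] = None
        self.realm_source: Optional[str] = None
        self.kdc: Optional[str] = None
        self.kdc_source: Optional[str] = None


def search_realm_txt(resolve: Resolver, domain: str) -> Optional[str]:
    """Realm from the first non-empty TXT record of _kerberos.<domain>."""
    for txt in resolve("_kerberos." + domain, "TXT"):
        if txt:
            return txt
    return None


def search_kdc_srv(resolve: Resolver, domain: str) -> Optional[str]:
    """Comma-joined SRV targets of _kerberos._udp.<domain>, or None."""
    targets = resolve("_kerberos._udp." + domain, "SRV")
    return ",".join(targets) if targets else None


def discover(resolve: Resolver, domain: str,
             servers: Optional[List[str]] = None,
             realm: Optional[str] = None) -> DiscoveryResult:
    """Mirror the realm/KDC part of search(): a forced realm wins over DNS."""
    res = DiscoveryResult()
    if realm:
        # Forced realm: the _kerberos TXT lookup is skipped entirely.
        res.realm, res.realm_source = realm, "Forced"
    else:
        res.realm = search_realm_txt(resolve, domain)
        if res.realm:
            res.realm_source = "Discovered Kerberos DNS records from %s" % domain
    # Without an explicit server list there is nothing to fall back on.
    if not servers and not res.realm:
        res.status = REALM_NOT_FOUND
        return res
    # The KDC SRV lookup is keyed on the DNS domain, as in the patch.
    res.kdc = search_kdc_srv(resolve, domain)
    if res.kdc:  # only claim a discovery that actually happened
        res.kdc_source = "Discovered Kerberos DNS records from %s" % domain
    return res


# Constructed zone data for offline runs: example.test is healthy,
# broken.test has KDC SRV records but no _kerberos TXT record.
FAKE_DNS: Dict[Tuple[str, str], List[str]] = {
    ("_kerberos.example.test", "TXT"): ["EXAMPLE.TEST"],
    ("_kerberos._udp.example.test", "SRV"): ["ipa1.example.test",
                                             "ipa2.example.test"],
    ("_kerberos._udp.broken.test", "SRV"): ["ipa.broken.test"],
}


def fake_resolve(qname: str, rrtype: str) -> List[str]:
    """Table-backed stand-in for a DNS client; unknown names return []."""
    return FAKE_DNS.get((qname, rrtype), [])


if __name__ == "__main__":
    for dom, forced in (("example.test", None),
                        ("broken.test", None),
                        ("broken.test", "BROKEN.TEST")):
        r = discover(fake_resolve, dom, realm=forced)
        print(dom, "realm=%s (%s) kdc=%s status=%s"
              % (r.realm, r.realm_source, r.kdc, r.status))
```

One deliberate departure from the hunk: kdc_source is set only when an SRV record was actually found, so a missing KDC is never reported as a discovery.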
Re: [Freeipa-devel] [PATCH] 0011 Allow user to force Kerberos realm during installation
On 5.9.2014 at 09:25, David Kupka wrote:
> On 09/04/2014 01:22 PM, Jan Cholasta wrote:
>> On 4.9.2014 at 12:42, David Kupka wrote:
>>> On 09/03/2014 05:09 PM, Jan Cholasta wrote:
>>>> Hi,
>>>>
>>>> On 27.8.2014 at 13:56, David Kupka wrote:
>>>>> Usually it isn't wise to allow something like this. But in an
>>>>> environment with broken DNS (described in the ticket) there are
>>>>> probably not many alternatives.
>>>>>
>>>>> https://fedorahosted.org/freeipa/ticket/
>>>>
>>>> 1) I think you can log realm in search() as part of the "Starting IPA
>>>> discovery ..." message instead of a separate message.
>>>>
>>>> 2) Also, no need to log the realm twice in search().
>>>
>>> I forgot to remove some redundant debug prints.
>>>
>>>> 3) It looks like you forgot to un-indent some code in
>>>> ipadnssearchkrbkdc().
>>>
>>> Fixed, thanks.
>>
>> What I meant is that this:
>>
>>     def ipadnssearchkrbkdc(self, domain=None):
>>         kdc = None
>>
>>         if not domain:
>>             domain = self.domain
>>
>>         kdc = self.ipadns_search_srv(domain, '_kerberos._udp', 88,
>>                                      break_on_first=False)
>>         if kdc:
>>             kdc = ','.join(kdc)
>>         else:
>>             root_logger.debug("SRV record for KDC not found! Domain: %s" % domain)
>>             kdc = None
>>
>>         return kdc
>>
>> should be this:
>>
>>     def ipadnssearchkrbkdc(self, domain=None):
>>         if not domain:
>>             domain = self.domain
>>
>>         kdc = self.ipadns_search_srv(domain, '_kerberos._udp', 88,
>>                                      break_on_first=False)
>>         if kdc:
>>             kdc = ','.join(kdc)
>>         else:
>>             root_logger.debug("SRV record for KDC not found! Domain: %s" % domain)
>>             kdc = None
>>
>>         return kdc
>>
>> Isn't that right?
>
> Oh, you're right, again :) Thanks.
>
>> Honza

ACK.

--
Jan Cholasta

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 0011 Allow user to force Kerberos realm during installation
On 09/05/2014 02:44 PM, Jan Cholasta wrote:
> On 5.9.2014 at 09:25, David Kupka wrote:
>> On 09/04/2014 01:22 PM, Jan Cholasta wrote:
>>> On 4.9.2014 at 12:42, David Kupka wrote:
>>>> On 09/03/2014 05:09 PM, Jan Cholasta wrote:
>>>>> Hi,
>>>>>
>>>>> On 27.8.2014 at 13:56, David Kupka wrote:
>>>>>> Usually it isn't wise to allow something like this. But in an
>>>>>> environment with broken DNS (described in the ticket) there are
>>>>>> probably not many alternatives.
>>>>>>
>>>>>> https://fedorahosted.org/freeipa/ticket/
>>>>>
>>>>> 1) I think you can log realm in search() as part of the "Starting IPA
>>>>> discovery ..." message instead of a separate message.
>>>>>
>>>>> 2) Also, no need to log the realm twice in search().
>>>>
>>>> I forgot to remove some redundant debug prints.
>>>>
>>>>> 3) It looks like you forgot to un-indent some code in
>>>>> ipadnssearchkrbkdc().
>>>>
>>>> Fixed, thanks.
>>>
>>> What I meant is that this:
>>>
>>>     def ipadnssearchkrbkdc(self, domain=None):
>>>         kdc = None
>>>
>>>         if not domain:
>>>             domain = self.domain
>>>
>>>         kdc = self.ipadns_search_srv(domain, '_kerberos._udp', 88,
>>>                                      break_on_first=False)
>>>         if kdc:
>>>             kdc = ','.join(kdc)
>>>         else:
>>>             root_logger.debug("SRV record for KDC not found! Domain: %s" % domain)
>>>             kdc = None
>>>
>>>         return kdc
>>>
>>> should be this:
>>>
>>>     def ipadnssearchkrbkdc(self, domain=None):
>>>         if not domain:
>>>             domain = self.domain
>>>
>>>         kdc = self.ipadns_search_srv(domain, '_kerberos._udp', 88,
>>>                                      break_on_first=False)
>>>         if kdc:
>>>             kdc = ','.join(kdc)
>>>         else:
>>>             root_logger.debug("SRV record for KDC not found! Domain: %s" % domain)
>>>             kdc = None
>>>
>>>         return kdc
>>>
>>> Isn't that right?
>>
>> Oh, you're right, again :) Thanks.
>>
>>> Honza
>
> ACK.

Pushed to:
master: dc4bdd327a639877b7d4553810b69943d996
ipa-4-1: a28d9b8f0a87633ac298676f47eadf0d7dc31cfb
ipa-4-0: 0e077319046b8f8089b7b8590fafb824df4b8077

--
Petr³
Re: [Freeipa-devel] [PATCH] 0011 Allow user to force Kerberos realm during installation
On 09/03/2014 05:09 PM, Jan Cholasta wrote:
> Hi,
>
> On 27.8.2014 at 13:56, David Kupka wrote:
>> Usually it isn't wise to allow something like this. But in an
>> environment with broken DNS (described in the ticket) there are
>> probably not many alternatives.
>>
>> https://fedorahosted.org/freeipa/ticket/
>
> 1) I think you can log realm in search() as part of the "Starting IPA
> discovery ..." message instead of a separate message.
>
> 2) Also, no need to log the realm twice in search().

I forgot to remove some redundant debug prints.

> 3) It looks like you forgot to un-indent some code in
> ipadnssearchkrbkdc().

Fixed, thanks.

> Honza

--
David Kupka

From 0f86ce45975933311f327a29d8d26dc60b4b4d73 Mon Sep 17 00:00:00 2001
From: David Kupka <dku...@redhat.com>
Date: Wed, 27 Aug 2014 12:31:09 +0200
Subject: [PATCH] Allow user to force Kerberos realm during installation.

The user can set a realm not matching the one resolved from DNS. This is
useful especially when DNS is misconfigured.

https://fedorahosted.org/freeipa/ticket/
---
 ipa-client/ipa-install/ipa-client-install |  2 +-
 ipa-client/ipaclient/ipadiscovery.py      | 42 ---
 2 files changed, 28 insertions(+), 16 deletions(-)
diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install index 08fefc86d31392e9abf66ee4f8fff54a88179795..4eb3b3b8dcf5e31f08e9895b33ca0419eaf2195a 100755 --- a/ipa-client/ipa-install/ipa-client-install +++ b/ipa-client/ipa-install/ipa-client-install @@ -2126,7 +2126,7 @@ def install(options, env, fstore, statestore): # Create the discovery instance ds = ipadiscovery.IPADiscovery() -ret = ds.search(domain=options.domain, servers=options.server, hostname=hostname, ca_cert_path=get_cert_path(options.ca_cert_file)) +ret = ds.search(domain=options.domain, servers=options.server, realm=options.realm_name, hostname=hostname, ca_cert_path=get_cert_path(options.ca_cert_file)) if options.server and ret != 0: # There is no point to continue with installation as server list was
diff --git a/ipa-client/ipaclient/ipadiscovery.py b/ipa-client/ipaclient/ipadiscovery.py index 0532f618e81d215c4416f62f81af2add48c7dc8e..919b26695c13ad9b216c27f293f1207bf94bdff1 100644 --- a/ipa-client/ipaclient/ipadiscovery.py +++ b/ipa-client/ipaclient/ipadiscovery.py @@ -139,7 +139,7 @@ class IPADiscovery(object): domain = domain[p+1:] return (None, None) -def search(self, domain = , servers = , hostname=None, ca_cert_path=None): +def search(self, domain=, servers=, realm=None, hostname=None, ca_cert_path=None): Use DNS discovery to identify valid IPA servers. @@ -218,13 +218,21 @@ class IPADiscovery(object): #search for kerberos root_logger.debug([Kerberos realm search]) -krb_realm, kdc = self.ipadnssearchkrb(self.domain) -if not servers and not krb_realm: +if realm: +root_logger.debug(Kerberos realm forced) +self.realm = realm +self.realm_source = 'Forced' +else: +realm = self.ipadnssearchkrbrealm() +self.realm = realm +self.realm_source = ( +'Discovered Kerberos DNS records from %s' % self.domain) + +if not servers and not realm: return REALM_NOT_FOUND -self.realm = krb_realm -self.kdc = kdc -self.realm_source = self.kdc_source = ( +self.kdc = self.ipadnssearchkrbkdc() +self.kdc_source = ( 'Discovered Kerberos DNS records from %s' % self.domain) # We may have received multiple servers corresponding to the domain @@ -452,11 +460,12 @@ class IPADiscovery(object): return servers -def ipadnssearchkrb(self, tdomain): +def ipadnssearchkrbrealm(self, domain=None): realm = None -kdc = None +if not domain: +domain = self.domain # now, check for a Kerberos realm the local host or domain is in -qname = _kerberos. + tdomain +qname = _kerberos. + domain root_logger.debug(Search DNS for TXT record of %s, qname) 
@@ -472,18 +481,21 @@ class IPADiscovery(object): realm = answer.strings[0] if realm: break +return realm -if realm: -# now fetch server information for the realm -domain = realm.lower() +def ipadnssearchkrbkdc(self, domain=None): +kdc = None + +if not domain: +domain = self.domain kdc = self.ipadns_search_srv(domain, '_kerberos._udp', 88, -break_on_first=False) + break_on_first=False) if kdc: kdc = ','.join(kdc) else: -root_logger.debug(SRV record for KDC not found! Realm: %s, SRV record: %s % (realm, qname)) +root_logger.debug(SRV record
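Review bot: in the @@ -472,18 +481,21 @@ hunk the removed lines `-# now fetch server information for the realm` and `-domain = realm.lower()` show that the KDC SRV query used to be keyed on the lower-cased realm, while the new ipadnssearchkrbkdc() is called from search() (hunk @@ -218) without an argument and so falls back to self.domain; that changes the `_kerberos._udp` query target for every deployment whose realm is not simply the upper-cased DNS domain, not only the forced-realm case the commit message describes. Either pass `realm.lower()` explicitly on the discovered-realm path or state the new lookup domain in the commit message so the behaviour change is deliberate and reviewable.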
Re: [Freeipa-devel] [PATCH] 0011 Allow user to force Kerberos realm during installation
On 4.9.2014 at 12:42, David Kupka wrote:
> On 09/03/2014 05:09 PM, Jan Cholasta wrote:
>> Hi,
>>
>> On 27.8.2014 at 13:56, David Kupka wrote:
>>> Usually it isn't wise to allow something like this. But in an
>>> environment with broken DNS (described in the ticket) there are
>>> probably not many alternatives.
>>>
>>> https://fedorahosted.org/freeipa/ticket/
>>
>> 1) I think you can log realm in search() as part of the "Starting IPA
>> discovery ..." message instead of a separate message.
>>
>> 2) Also, no need to log the realm twice in search().
>
> I forgot to remove some redundant debug prints.
>
>> 3) It looks like you forgot to un-indent some code in
>> ipadnssearchkrbkdc().
>
> Fixed, thanks.

What I meant is that this:

    def ipadnssearchkrbkdc(self, domain=None):
        kdc = None

        if not domain:
            domain = self.domain

        kdc = self.ipadns_search_srv(domain, '_kerberos._udp', 88,
                                     break_on_first=False)
        if kdc:
            kdc = ','.join(kdc)
        else:
            root_logger.debug("SRV record for KDC not found! Domain: %s" % domain)
            kdc = None

        return kdc

should be this:

    def ipadnssearchkrbkdc(self, domain=None):
        if not domain:
            domain = self.domain

        kdc = self.ipadns_search_srv(domain, '_kerberos._udp', 88,
                                     break_on_first=False)
        if kdc:
            kdc = ','.join(kdc)
        else:
            root_logger.debug("SRV record for KDC not found! Domain: %s" % domain)
            kdc = None

        return kdc

Isn't that right?

Honza

--
Jan Cholasta
Re: [Freeipa-devel] [PATCH] 0011 Allow user to force Kerberos realm during installation
Hi,

On 27.8.2014 at 13:56, David Kupka wrote:
> Usually it isn't wise to allow something like this. But in an
> environment with broken DNS (described in the ticket) there are
> probably not many alternatives.
>
> https://fedorahosted.org/freeipa/ticket/

1) I think you can log realm in search() as part of the "Starting IPA
discovery ..." message instead of a separate message.

2) Also, no need to log the realm twice in search().

3) It looks like you forgot to un-indent some code in ipadnssearchkrbkdc().

Honza

--
Jan Cholasta