Re: [Freeipa-devel] [PATCHES 362-366] Realmdomains handling improvements
On 09.10.2015 19:11, Tomas Babej wrote:
> On 09/23/2015 02:40 PM, Martin Basti wrote:
>> On 09/22/2015 02:23 PM, Tomas Babej wrote:
>>> On 09/03/2015 04:34 PM, Alexander Bokovoy wrote:
>>>> On Thu, 03 Sep 2015, Tomas Babej wrote:
>>>>> Hi,
>>>>>
>>>>> this couple of patches fix https://fedorahosted.org/freeipa/ticket/5278
>>>>> and improve our handling of realmdomains in general.
>>>> The code looks good to me. I haven't tested it yet, though.
>>>>
>>> Rebased on top of current master.
>> Please fix tests too.
>>
> Updated patchset attached. Also fixed minor spelling and syntax issues
> in the original patches.
>
> Tomas

ACK,
unfortunately, patch "realmdomains: Issue a warning when automated
management of realmdomains" failed to apply on top of ipa-4-2 branch.

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCHES 362-366] Realmdomains handling improvements
- Original Message -
From: "Martin Basti" <mba...@redhat.com>
To: "Tomas Babej" <tba...@redhat.com>
Cc: "freeipa-devel" <freeipa-devel@redhat.com>
Sent: Monday, October 12, 2015 12:41:13 PM
Subject: Re: [Freeipa-devel] [PATCHES 362-366] Realmdomains handling improvements

> On 09.10.2015 19:11, Tomas Babej wrote:
>>
>> On 09/23/2015 02:40 PM, Martin Basti wrote:
>>>
>>> On 09/22/2015 02:23 PM, Tomas Babej wrote:
>>>> On 09/03/2015 04:34 PM, Alexander Bokovoy wrote:
>>>>> On Thu, 03 Sep 2015, Tomas Babej wrote:
>>>>>> Hi,
>>>>>>
>>>>>> this couple of patches fix https://fedorahosted.org/freeipa/ticket/5278
>>>>>> and improve our handling of realmdomains in general.
>>>>> The code looks good to me. I haven't tested it yet, though.
>>>>>
>>>> Rebased on top of current master.
>>> Please fix tests too.
>>>
>> Updated patchset attached. Also fixed minor spelling and syntax issues
>> in the original patches.
>>
>> Tomas
> ACK,
> unfortunately, patch "realmdomains: Issue a warning when automated
> management of realmdomains" failed to apply on top of ipa-4-2 branch.

Attaching rebased patchset.

From 4045b1d946bd830128f64e77037e5b75a734a200 Mon Sep 17 00:00:00 2001
From: Tomas Babej <tba...@redhat.com>
Date: Thu, 24 Sep 2015 11:06:07 +0200
Subject: [PATCH] idoverride: Ignore ValidationErrors when converting the anchor

When converting the anchor to a human readable form, SID validation may
fail, i.e. if the domain is no longer trusted. Ignore such cases and
pass along the anchor in the raw format.

https://fedorahosted.org/freeipa/ticket/5322
---
 ipalib/plugins/idviews.py | 19 +++
 1 file changed, 7 insertions(+), 12 deletions(-)

diff --git a/ipalib/plugins/idviews.py b/ipalib/plugins/idviews.py
index cf5c9b5e8371c89e89a4cf1d334ac0e6b514653a..4e773239fef014c85af7caa913c57bdd718f2c07 100644
--- a/ipalib/plugins/idviews.py
+++ b/ipalib/plugins/idviews.py
@@ -684,6 +684,11 @@ class baseidoverride(LDAPObject): # If we were unable to resolve the anchor, # keep it in the raw form pass +except errors.ValidationError: +# Same as above, ValidationError may be raised when SIDs +# are attempted to be converted, but the domain is no +# longer trusted +pass def prohibit_ipa_users_in_default_view(self, dn, entry_attrs): # Check if parent object is Default Trust View, if so, prohibit @@ -768,12 +773,7 @@ class baseidoverride_find(LDAPSearch): def post_callback(self, ldap, entries, truncated, *args, **options): for entry in entries: -try: -self.obj.convert_anchor_to_human_readable_form(entry, **options) -except errors.NotFound: -# If the conversion to readle form went wrong, do not -# abort the whole find command. Use non-converted entry. -pass +self.obj.convert_anchor_to_human_readable_form(entry, **options) return truncated @@ -783,12 +783,7 @@ class baseidoverride_show(LDAPRetrieve): takes_options = LDAPRetrieve.takes_options + (fallback_to_ldap_option,) def post_callback(self, ldap, dn, entry_attrs, *keys, **options): -try: -self.obj.convert_anchor_to_human_readable_form(entry_attrs, **options) -except errors.NotFound: -# If the conversion to readle form went wrong, do not -# abort the whole show command. Use non-converted entry. -pass +self.obj.convert_anchor_to_human_readable_form(entry_attrs, **options) return dn -- 2.1.0 From fdd568f2319a2a77eb5336c704da4e1da0c36c16 Mon Sep 17 00:00:00 2001 From: Tomas Babej <tba...@redhat.com> Date: Thu, 3 Sep 2015 12:40:17 +0200 Subject: [PATCH] realmdomains: Minor style and wording improvements https://fedorahosted.org/freeipa/ticket/5278 --- ipalib/plugins/realmdomains.py | 75 +- 1 file changed, 60 insertions(+), 15 deletions(-) diff --git a/ipalib/plugins/realmdomains.py b/ipalib/plugins/realmdomains.py index c53340591bd0f0f02fcc9db3142b74197aff551b..4617ec7e084cb58e90ab627ce0cbb4ed71878506 100644 --- a/ipalib/plugins/realmdomains.py +++ b/ipalib/plugins/realmdomains.py 
@@ -133,16 +133,46 @@ class realmdomains_mod(LDAPUpdate): del_domain = entry_attrs.get('del_domain') force = options.get('force') +current_domain = get_domain_name() + +missing_soa_ns_record_error = _( +"DNS zone for each realmdomain must contain " +"SOA or NS records. No
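Review bot: the new `except errors.ValidationError: pass` in the first idviews.py hunk catches every ValidationError that convert_anchor_to_human_readable_form can raise, not only the failed SID validation the comment names, so unrelated validation bugs will now be hidden behind a raw anchor in the command output; log the swallowed exception at debug level (the "domain is no longer trusted" case is exactly what an administrator would want to find in the server log) or narrow the handler to the SID conversion call.

Review bot: the second and third idviews.py hunks remove the local try/except errors.NotFound from baseidoverride_find.post_callback and baseidoverride_show.post_callback; this is safe only because the context of the first hunk shows the base method already ending its NotFound branch with "keep it in the raw form / pass", and the commit message does not say so. One sentence there would help anyone who reads the find/show hunks alone and sees error handling disappear.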
Re: [Freeipa-devel] [PATCHES 362-366] Realmdomains handling improvements
> On 12.10.2015 12:50, Tomas Babej wrote:
>>
>> - Original Message -
>> From: "Martin Basti" <mba...@redhat.com>
>> To: "Tomas Babej" <tba...@redhat.com>
>> Cc: "freeipa-devel" <freeipa-devel@redhat.com>
>> Sent: Monday, October 12, 2015 12:41:13 PM
>> Subject: Re: [Freeipa-devel] [PATCHES 362-366] Realmdomains handling
>> improvements
>>
>>> On 09.10.2015 19:11, Tomas Babej wrote:
>>>> On 09/23/2015 02:40 PM, Martin Basti wrote:
>>>>> On 09/22/2015 02:23 PM, Tomas Babej wrote:
>>>>>> On 09/03/2015 04:34 PM, Alexander Bokovoy wrote:
>>>>>>> On Thu, 03 Sep 2015, Tomas Babej wrote:
>>>>>>>> Hi,
>>>>>>>>
>>>>>>>> this couple of patches fix https://fedorahosted.org/freeipa/ticket/5278
>>>>>>>> and improve our handling of realmdomains in general.
>>>>>>> The code looks good to me. I haven't tested it yet, though.
>>>>>>>
>>>>>> Rebased on top of current master.
>>>>> Please fix tests too.
>>>>>
>>>> Updated patchset attached. Also fixed minor spelling and syntax issues
>>>> in the original patches.
>>>>
>>>> Tomas
>>> ACK,
>>> unfortunately, patch "realmdomains: Issue a warning when automated
>>> management of realmdomains" failed to apply on top of ipa-4-2 branch.
>> Attaching rebased patchset.
> Pushed to master: 12840e0bfa545341c448276c4803a49cbae63e8a
> You sent different patch 362 for ipa-4-2 than it should be.

Yeah, I shifted the whole patchset by one patch somehow. Correct version attached.

From 8480b286b0fe199b8639dc8fb1c94b7c26dd441a Mon Sep 17 00:00:00 2001
From: Tomas Babej <tba...@redhat.com>
Date: Thu, 3 Sep 2015 12:13:32 +0200
Subject: [PATCH] util: Add detect_dns_zone_realm_type helper

https://fedorahosted.org/freeipa/ticket/5278
---
 ipalib/util.py | 55 +++
 1 file changed, 55 insertions(+)

diff --git a/ipalib/util.py b/ipalib/util.py
index a3500ae29b56ac6a289fbec97d15cf026baf7068..182da20dde39fd19497543410a3ea040ccbab170 100644
--- a/ipalib/util.py
+++ b/ipalib/util.py
@@ -810,3 +810,58 @@ def get_topology_connection_errors(graph): if not_visited: connect_errors.append((m, list(visited), list(not_visited))) return connect_errors + +def detect_dns_zone_realm_type(api, domain): +""" +Detects the type of the realm that the given DNS zone belongs to. +Note: This method is heuristic. Possible values: + - 'current': For IPA domains belonging in the current realm. + - 'foreign': For domains belonging in a foreing kerberos realm. + - 'unknown': For domains whose allegiance could not be detected. +""" + +# First, try to detect _kerberos TXT record in the domain +# This would indicate that the domain belongs to IPA realm + +kerberos_prefix = DNSName('_kerberos') +domain_suffix = DNSName(domain) +kerberos_record_name = kerberos_prefix + domain_suffix + +response = None + +try: +result = resolver.query(kerberos_record_name, rdatatype.TXT) +answer = result.response.answer + +# IPA domain will have only one _kerberos TXT record +if (len(answer) == 1 and +len(answer[0]) == 1 and +answer[0].rdtype == rdatatype.TXT): + +record = answer[0][0] + +# If the record contains our current realm, it is 'ipa-current' +if record.to_text() == '"{0}"'.format(api.env.realm): +return 'current' +else: +return 'foreign' + +except DNSException as e: +pass + +# Try to detect AD specific record in the zone. +# This would indicate that the domain belongs to foreign (AD) realm + +gc_prefix = DNSName('_ldap._tcp.gc._msdcs') +ad_specific_record_name = gc_prefix + domain_suffix + +try: +# The presence of this record is enough, return foreign in such case +result = resolver.query(ad_specific_record_name, rdatatype.SRV) +return 'foreign' + +except DNSException as e: +pass + +# If we could not detect type with certainity, return unknown +return 'unknown' -- 2.1.0 From df317dceec52fc5003d3f175e9260bd279b0ff1e Mon Sep 17 00:00:00 2001 
From: Tomas Babej <tba...@redhat.com> Date: Thu, 3 Sep 2015 12:40:17 +0200 Subject: [PATCH] realmdomains: Minor style and wording improvements https://fedorahosted.org/freeipa/ticket/5278 --- ipalib/plugins/realmdomains.py | 75 +- 1 file changed, 60 insertions(+), 15 deletions(-) d
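Review bot: detect_dns_zone_realm_type classifies a zone from plain, unvalidated resolver answers, so a _kerberos TXT record whose text equals api.env.realm is all it takes for 'current'; the docstring should say the result is advisory and that callers (realmdomains_mod) may use it only to shape warnings, never as an authorization check. Smaller points in the same hunk: `response = None` is dead, `result` in the SRV branch and `e` in both `except DNSException as e` clauses are unused (plain `except DNSException:` is enough), the comment "it is 'ipa-current'" disagrees with the returned value 'current', the `answer[0].rdtype == rdatatype.TXT` test is redundant after a TXT query, and "foreing" / "certainity" are typos. Comparing the record via `record.to_text() == '"{0}"'.format(api.env.realm)` also depends on dnspython's quoting of TXT data; comparing the rdata's strings attribute is more robust.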
Re: [Freeipa-devel] [PATCHES 362-366] Realmdomains handling improvements
On 12.10.2015 12:50, Tomas Babej wrote:
>
> - Original Message -
> From: "Martin Basti" <mba...@redhat.com>
> To: "Tomas Babej" <tba...@redhat.com>
> Cc: "freeipa-devel" <freeipa-devel@redhat.com>
> Sent: Monday, October 12, 2015 12:41:13 PM
> Subject: Re: [Freeipa-devel] [PATCHES 362-366] Realmdomains handling improvements
>
>> On 09.10.2015 19:11, Tomas Babej wrote:
>>> On 09/23/2015 02:40 PM, Martin Basti wrote:
>>>> On 09/22/2015 02:23 PM, Tomas Babej wrote:
>>>>> On 09/03/2015 04:34 PM, Alexander Bokovoy wrote:
>>>>>> On Thu, 03 Sep 2015, Tomas Babej wrote:
>>>>>>> Hi,
>>>>>>>
>>>>>>> this couple of patches fix https://fedorahosted.org/freeipa/ticket/5278
>>>>>>> and improve our handling of realmdomains in general.
>>>>>> The code looks good to me. I haven't tested it yet, though.
>>>>>>
>>>>> Rebased on top of current master.
>>>> Please fix tests too.
>>>>
>>> Updated patchset attached. Also fixed minor spelling and syntax issues
>>> in the original patches.
>>>
>>> Tomas
>> ACK,
>> unfortunately, patch "realmdomains: Issue a warning when automated
>> management of realmdomains" failed to apply on top of ipa-4-2 branch.
> Attaching rebased patchset.

Pushed to master: 12840e0bfa545341c448276c4803a49cbae63e8a

You sent different patch 362 for ipa-4-2 than it should be.
Re: [Freeipa-devel] [PATCHES 362-366] Realmdomains handling improvements
On 12.10.2015 14:02, Tomas Babej wrote:
>> On 12.10.2015 12:50, Tomas Babej wrote:
>>> - Original Message -
>>> From: "Martin Basti" <mba...@redhat.com>
>>> To: "Tomas Babej" <tba...@redhat.com>
>>> Cc: "freeipa-devel" <freeipa-devel@redhat.com>
>>> Sent: Monday, October 12, 2015 12:41:13 PM
>>> Subject: Re: [Freeipa-devel] [PATCHES 362-366] Realmdomains handling improvements
>>>
>>>> On 09.10.2015 19:11, Tomas Babej wrote:
>>>>> On 09/23/2015 02:40 PM, Martin Basti wrote:
>>>>>> On 09/22/2015 02:23 PM, Tomas Babej wrote:
>>>>>>> On 09/03/2015 04:34 PM, Alexander Bokovoy wrote:
>>>>>>>> On Thu, 03 Sep 2015, Tomas Babej wrote:
>>>>>>>>> Hi,
>>>>>>>>>
>>>>>>>>> this couple of patches fix https://fedorahosted.org/freeipa/ticket/5278
>>>>>>>>> and improve our handling of realmdomains in general.
>>>>>>>> The code looks good to me. I haven't tested it yet, though.
>>>>>>>>
>>>>>>> Rebased on top of current master.
>>>>>> Please fix tests too.
>>>>>>
>>>>> Updated patchset attached. Also fixed minor spelling and syntax issues
>>>>> in the original patches.
>>>>>
>>>>> Tomas
>>>> ACK,
>>>> unfortunately, patch "realmdomains: Issue a warning when automated
>>>> management of realmdomains" failed to apply on top of ipa-4-2 branch.
>>> Attaching rebased patchset.
>> Pushed to master: 12840e0bfa545341c448276c4803a49cbae63e8a
>> You sent different patch 362 for ipa-4-2 than it should be.
> Yeah, I shifted the whole patchset by one patch somehow. Correct version attached.

Pushed to ipa-4-2: 291aa25acd5df24b8bcc36fc02f6af0cc4f7d0f9
Re: [Freeipa-devel] [PATCHES 362-366] Realmdomains handling improvements
On 09/23/2015 02:40 PM, Martin Basti wrote:
>
> On 09/22/2015 02:23 PM, Tomas Babej wrote:
>> On 09/03/2015 04:34 PM, Alexander Bokovoy wrote:
>>> On Thu, 03 Sep 2015, Tomas Babej wrote:
>>>> Hi,
>>>>
>>>> this couple of patches fix https://fedorahosted.org/freeipa/ticket/5278
>>>> and improve our handling of realmdomains in general.
>>> The code looks good to me. I haven't tested it yet, though.
>>>
>> Rebased on top of current master.
>
> Please fix tests too.
>

Updated patchset attached. Also fixed minor spelling and syntax issues
in the original patches.

Tomas

From e02e5cd1d084f7faef76f3995e9236b7ea0bb3f7 Mon Sep 17 00:00:00 2001
From: Tomas Babej
Date: Thu, 3 Sep 2015 12:13:32 +0200
Subject: [PATCH] util: Add detect_dns_zone_realm_type helper

https://fedorahosted.org/freeipa/ticket/5278
---
 ipalib/util.py | 55 +++
 1 file changed, 55 insertions(+)

diff --git a/ipalib/util.py b/ipalib/util.py
index a37f67342259c1ef8bd31af1d9c40e453c3bf1cf..29b4ca160f1e63dfc2c233547028b5982242a3af 100644
--- a/ipalib/util.py
+++ b/ipalib/util.py
@@ -801,3 +801,58 @@ def get_topology_connection_errors(graph): if not_visited: connect_errors.append((m, list(visited), list(not_visited))) return connect_errors + +def detect_dns_zone_realm_type(api, domain): +""" +Detects the type of the realm that the given DNS zone belongs to. +Note: This method is heuristic. Possible values: + - 'current': For IPA domains belonging in the current realm. + - 'foreign': For domains belonging in a foreing kerberos realm. + - 'unknown': For domains whose allegiance could not be detected. +""" + +# First, try to detect _kerberos TXT record in the domain +# This would indicate that the domain belongs to IPA realm + +kerberos_prefix = DNSName('_kerberos') +domain_suffix = DNSName(domain) +kerberos_record_name = kerberos_prefix + domain_suffix + +response = None + +try: +result = resolver.query(kerberos_record_name, rdatatype.TXT) +answer = result.response.answer + +# IPA domain will have only one _kerberos TXT record +if (len(answer) == 1 and +len(answer[0]) == 1 and +answer[0].rdtype == rdatatype.TXT): + +record = answer[0][0] + +# If the record contains our current realm, it is 'ipa-current' +if record.to_text() == '"{0}"'.format(api.env.realm): +return 'current' +else: +return 'foreign' + +except DNSException as e: +pass + +# Try to detect AD specific record in the zone. +# This would indicate that the domain belongs to foreign (AD) realm + +gc_prefix = DNSName('_ldap._tcp.gc._msdcs') +ad_specific_record_name = gc_prefix + domain_suffix + +try: +# The presence of this record is enough, return foreign in such case +result = resolver.query(ad_specific_record_name, rdatatype.SRV) +return 'foreign' + +except DNSException as e: +pass + +# If we could not detect type with certainity, return unknown +return 'unknown' -- 2.1.0 From c1f93910a6f5cfaa0f46252b0c6f165e9257a5ae Mon Sep 17 00:00:00 2001 
From: Tomas Babej Date: Thu, 3 Sep 2015 12:40:17 +0200 Subject: [PATCH] realmdomains: Minor style and wording improvements https://fedorahosted.org/freeipa/ticket/5278 --- ipalib/plugins/realmdomains.py | 75 +- 1 file changed, 60 insertions(+), 15 deletions(-) diff --git a/ipalib/plugins/realmdomains.py b/ipalib/plugins/realmdomains.py index f8f838d0ede85ee747a4b2f19129dc757fe837eb..27c4fa228b455e8de5e40dafb8be0e4a4e1d0d65 100644 --- a/ipalib/plugins/realmdomains.py +++ b/ipalib/plugins/realmdomains.py @@ -137,16 +137,46 @@ class realmdomains_mod(LDAPUpdate): del_domain = entry_attrs.get('del_domain') force = options.get('force') +current_domain = get_domain_name() + +missing_soa_ns_record_error = _( +"DNS zone for each realmdomain must contain " +"SOA or NS records. No records found for: %s" +) + +# User specified the list of domains explicitly if associateddomain: if add_domain or del_domain: -raise errors.MutuallyExclusiveError(reason=_("you cannot specify the --domain option together with --add-domain or --del-domain")) -if get_domain_name() not in associateddomain: -raise errors.ValidationError(name='domain', error=_("cannot delete domain of IPA server")) +raise errors.MutuallyExclusiveError( +reason=_( +"The --domain option cannot be used together " +"with --add-domain or --del-domain. Use --domain " +"to specify the whole realm domain list explicitly, " +
Re: [Freeipa-devel] [PATCHES 362-366] Realmdomains handling improvements
On 09/22/2015 02:23 PM, Tomas Babej wrote:
> On 09/03/2015 04:34 PM, Alexander Bokovoy wrote:
>> On Thu, 03 Sep 2015, Tomas Babej wrote:
>>> Hi,
>>>
>>> this couple of patches fix https://fedorahosted.org/freeipa/ticket/5278
>>> and improve our handling of realmdomains in general.
>> The code looks good to me. I haven't tested it yet, though.
>>
> Rebased on top of current master.

Please fix tests too.

[root@vm-065 ~]# ipa-run-tests test_xmlrpc/test_realmdomains_plugin.py --verbose
=== test session starts ===
platform linux2 -- Python 2.7.10 -- py-1.4.30 -- pytest-2.6.4 -- /usr/bin/python
plugins: multihost, sourceorder
collected 13 items

test_xmlrpc/test_realmdomains_plugin.py <- test_xmlrpc/xmlrpc_test.py::test_realmdomains::test_command[: realmdomains_show: Retrieve realm domains] PASSED
test_xmlrpc/test_realmdomains_plugin.py <- test_xmlrpc/xmlrpc_test.py::test_realmdomains::test_command[0001: realmdomains_show: Retrieve realm domains - print all attributes] PASSED
test_xmlrpc/test_realmdomains_plugin.py <- test_xmlrpc/xmlrpc_test.py::test_realmdomains::test_command[0002: realmdomains_mod: Replace list of realm domains with "[u'abc.idm.lab.eng.brq.redhat.com', u'example1.com']"] FAILED
test_xmlrpc/test_realmdomains_plugin.py <- test_xmlrpc/xmlrpc_test.py::test_realmdomains::test_command[0003: realmdomains_mod: Add domain "example2.com" to list] FAILED
test_xmlrpc/test_realmdomains_plugin.py <- test_xmlrpc/xmlrpc_test.py::test_realmdomains::test_command[0004: realmdomains_mod: Delete domain "example2.com" from list] FAILED
test_xmlrpc/test_realmdomains_plugin.py <- test_xmlrpc/xmlrpc_test.py::test_realmdomains::test_command[0005: realmdomains_mod: Add domain "example2.com" and delete domain "example1.com"] FAILED
test_xmlrpc/test_realmdomains_plugin.py <- test_xmlrpc/xmlrpc_test.py::test_realmdomains::test_command[0006: realmdomains_mod: Try to specify --domain and --add-domain options together] FAILED
test_xmlrpc/test_realmdomains_plugin.py <- test_xmlrpc/xmlrpc_test.py::test_realmdomains::test_command[0007: realmdomains_mod: Try to replace list of realm domains with a list without our domain] FAILED
test_xmlrpc/test_realmdomains_plugin.py <- test_xmlrpc/xmlrpc_test.py::test_realmdomains::test_command[0008: realmdomains_mod: Try to replace list of realm domains with a list with an invalid domain "doesnotexist.test"] FAILED
test_xmlrpc/test_realmdomains_plugin.py <- test_xmlrpc/xmlrpc_test.py::test_realmdomains::test_command[0009: realmdomains_mod: Try to add an invalid domain "doesnotexist.test"] FAILED
test_xmlrpc/test_realmdomains_plugin.py <- test_xmlrpc/xmlrpc_test.py::test_realmdomains::test_command[0010: realmdomains_mod: Try to delete our domain] FAILED
test_xmlrpc/test_realmdomains_plugin.py <- test_xmlrpc/xmlrpc_test.py::test_realmdomains::test_command[0011: realmdomains_mod: Try to delete domain which is not in list] PASSED
test_xmlrpc/test_realmdomains_plugin.py <- test_xmlrpc/xmlrpc_test.py::test_realmdomains::test_command[0012: realmdomains_mod: Add an invalid domain "doesnotexist.test" with --force option] FAILED
Re: [Freeipa-devel] [PATCHES 362-366] Realmdomains handling improvements
On 09/03/2015 04:34 PM, Alexander Bokovoy wrote:
> On Thu, 03 Sep 2015, Tomas Babej wrote:
>> Hi,
>>
>> this couple of patches fix https://fedorahosted.org/freeipa/ticket/5278
>> and improve our handling of realmdomains in general.
> The code looks good to me. I haven't tested it yet, though.
>

Rebased on top of current master.

From 6071024ee951221685c283f23dd9c43667cc4bd9 Mon Sep 17 00:00:00 2001
From: Tomas Babej
Date: Thu, 3 Sep 2015 12:13:32 +0200
Subject: [PATCH] util: Add detect_dns_zone_realm_type helper

https://fedorahosted.org/freeipa/ticket/5278
---
 ipalib/util.py | 55 +++
 1 file changed, 55 insertions(+)

diff --git a/ipalib/util.py b/ipalib/util.py
index 7c7da6af7bbb290dd25832e188d5445a23e5571e..e5e0b5c40d39c4761405c35130e5cdc077d717eb 100644
--- a/ipalib/util.py
+++ b/ipalib/util.py
@@ -802,3 +802,58 @@ def get_topology_connection_errors(graph): if not_visited: connect_errors.append((m, list(visited), list(not_visited))) return connect_errors + +def detect_dns_zone_realm_type(api, domain): +""" +Detects the type of the realm that the given DNS zone belongs to. +Note: This method is heuristic. Possible values: + - 'current': For IPA domains belonging in the current realm. + - 'foreign': For domains belonging in a foreing kerberos realm. + - 'unknown': For domains whose allegiance could not be detected. +""" + +# First, try to detect _kerberos TXT record in the domain +# This would indicate that the domain belongs to IPA realm + +kerberos_prefix = DNSName('_kerberos') +domain_suffix = DNSName(domain) +kerberos_record_name = kerberos_prefix + domain_suffix + +response = None + +try: +result = resolver.query(kerberos_record_name, rdatatype.TXT) +answer = result.response.answer + +# IPA domain will have only one _kerberos TXT record +if (len(answer) == 1 and +len(answer[0]) == 1 and +answer[0].rdtype == rdatatype.TXT): + +record = answer[0][0] + +# If the record contains our current realm, it is 'ipa-current' +if record.to_text() == '"{0}"'.format(api.env.realm): +return 'current' +else: +return 'foreign' + +except DNSException as e: +pass + +# Try to detect AD specific record in the zone. +# This would indicate that the domain belongs to foreign (AD) realm + +gc_prefix = DNSName('_ldap._tcp.gc._msdcs') +ad_specific_record_name = gc_prefix + domain_suffix + +try: +# The presence of this record is enough, return foreign in such case +result = resolver.query(ad_specific_record_name, rdatatype.SRV) +return 'foreign' + +except DNSException as e: +pass + +# If we could not detect type with certainity, return unknown +return 'unknown' -- 2.1.0 From 2099722b982866537ed11f21cee328d9ff17af4d Mon Sep 17 00:00:00 2001 
From: Tomas Babej Date: Thu, 3 Sep 2015 12:40:17 +0200 Subject: [PATCH] realmdomains: Minor style and wording improvements https://fedorahosted.org/freeipa/ticket/5278 --- ipalib/plugins/realmdomains.py | 75 +- 1 file changed, 60 insertions(+), 15 deletions(-) diff --git a/ipalib/plugins/realmdomains.py b/ipalib/plugins/realmdomains.py index f8f838d0ede85ee747a4b2f19129dc757fe837eb..4e618f1d1a71ba2133b03384bc056d069c505f43 100644 --- a/ipalib/plugins/realmdomains.py +++ b/ipalib/plugins/realmdomains.py @@ -137,16 +137,46 @@ class realmdomains_mod(LDAPUpdate): del_domain = entry_attrs.get('del_domain') force = options.get('force') +current_domain = get_domain_name() + +missing_soa_ns_record_error = _( +"DNS zone for each realmdomain must contain " +"SOA or NS records. No records found for: %s" +) + +# User specified the list of domains explicitly if associateddomain: if add_domain or del_domain: -raise errors.MutuallyExclusiveError(reason=_("you cannot specify the --domain option together with --add-domain or --del-domain")) -if get_domain_name() not in associateddomain: -raise errors.ValidationError(name='domain', error=_("cannot delete domain of IPA server")) +raise errors.MutuallyExclusiveError( +reason=_( +"The --domain option cannot be used together " +"with --add-domain or --del-domain. Use --domain " +"to specify the whole realm domain list explicitly, " +"to add/remove individual domains, use " +"--add-domain/del-domain.") +) + +# Make sure our domain is included in the list +if current_domain not in associateddomain: +
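Review bot: the new MutuallyExclusiveError text in the realmdomains_mod hunk ends with "use --add-domain/del-domain", but the option is `--del-domain`; make it "--add-domain/--del-domain" so the message can be pasted back into a command line. The same sentence ("Use --domain to specify the whole realm domain list explicitly, to add/remove individual domains, use ...") is a comma splice; a semicolon after "explicitly" reads better. Evaluating `get_domain_name()` once into `current_domain` and defining `missing_soa_ns_record_error` once for reuse are good changes; just make sure the `%s` placeholder is filled with the offending domain name(s) at every raise site, since the check that follows "Make sure our domain is included in the list" is cut off here.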
Re: [Freeipa-devel] [PATCHES 362-366] Realmdomains handling improvements
On Thu, 03 Sep 2015, Tomas Babej wrote:
> Hi,
>
> this couple of patches fix https://fedorahosted.org/freeipa/ticket/5278
> and improve our handling of realmdomains in general.
The code looks good to me. I haven't tested it yet, though.

--
/ Alexander Bokovoy