From f0d829754e2e35225f0dfba980c9f4bae011407e Mon Sep 17 00:00:00 2001

From: Christian Heimes <cheimes@redhat.com>

Date: Fri, 6 Jul 2018 00:04:39 +0200

Subject: [PATCH] Delay enabling services until end of installer

Service entries in cn=FQDN,cn=masters,cn=ipa,cn=etc are no longer

created as enabled. Instead they are flagged as configuredService. At

the very end of the installer, the service entries are switched from

configured to enabled service.

- SRV records are created at the very end of the installer.

- Dogtag installer only picks fully installed servers

- Certmonger ignores all configured but not yet enabled servers.

Fixes: https://pagure.io/freeipa/issue/7566

Signed-off-by: Christian Heimes <cheimes@redhat.com>

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>

Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>

---

 install/tools/ipa-adtrust-install          |  6 +-

 install/tools/ipa-ca-install               | 12 ++-

 install/tools/ipa-dns-install              |  4 +

 ipaserver/dns_data_management.py           | 18 +++--

 ipaserver/install/adtrustinstance.py       |  6 +-

 ipaserver/install/bindinstance.py          |  6 +-

 ipaserver/install/cainstance.py            |  2 +-

 ipaserver/install/dnskeysyncinstance.py    |  4 +-

 ipaserver/install/httpinstance.py          |  4 +-

 ipaserver/install/ipa_kra_install.py       |  7 ++

 ipaserver/install/krainstance.py           |  2 +-

 ipaserver/install/krbinstance.py           |  4 +-

 ipaserver/install/odsexporterinstance.py   |  4 +-

 ipaserver/install/opendnssecinstance.py    |  6 +-

 ipaserver/install/server/install.py        | 18 +++--

 ipaserver/install/server/replicainstall.py |  9 ++-

 ipaserver/install/service.py               | 90 ++++++++++++++++++++--

 ipaserver/plugins/serverrole.py            |  7 +-

 18 files changed, 161 insertions(+), 48 deletions(-)

diff --git a/install/tools/ipa-adtrust-install b/install/tools/ipa-adtrust-install

index 1484598adba5b1237f00cc55e95167d45a6b40d7..4258f489873b4095a6672e20f2ac5f2858b71982 100755

--- a/install/tools/ipa-adtrust-install

+++ b/install/tools/ipa-adtrust-install

@@ -31,7 +31,7 @@ import six

 from optparse import SUPPRESS_HELP  # pylint: disable=deprecated-module

 from ipalib.install import sysrestore

-from ipaserver.install import adtrust

+from ipaserver.install import adtrust, service

 from ipaserver.install.installutils import (

     read_password,

     check_server_configuration,

@@ -210,6 +210,10 @@ def main():

     adtrust.install_check(True, options, api)

     adtrust.install(True, options, fstore, api)

+    # Enable configured services and update DNS SRV records

+    service.enable_services(api.env.host)

+    api.Command.dns_update_system_records()

+

     print("""

 =============================================================================

 Setup complete

diff --git a/install/tools/ipa-ca-install b/install/tools/ipa-ca-install

index a3694007e5815d1c44f642057c749879d336dfc5..215a60ae744577de73a7260bbf3dea5a09a4d118 100755

--- a/install/tools/ipa-ca-install

+++ b/install/tools/ipa-ca-install

@@ -303,18 +303,26 @@ def main():

     )

     api.finalize()

     api.Backend.ldap2.connect()

-

     domain_level = dsinstance.get_domain_level(api)

+

     if domain_level > DOMAIN_LEVEL_0:

         promote(safe_options, options, filename)

     else:

         install(safe_options, options, filename)

+    # pki-spawn restarts 389-DS, reconnect

+    api.Backend.ldap2.close()

+    api.Backend.ldap2.connect()

+

+    # Enable configured services and update DNS SRV records

+    service.enable_services(api.env.host)

+    api.Command.dns_update_system_records()

+    api.Backend.ldap2.disconnect()

+

     # execute ipactl to refresh services status

     ipautil.run(['ipactl', 'start', '--ignore-service-failures'],

                 raiseonerr=False)

-    api.Backend.ldap2.disconnect()

 fail_message = '''

 Your system may be partly configured.

diff --git a/install/tools/ipa-dns-install b/install/tools/ipa-dns-install

index cb6c5d887f101135ca593ea6d4ed0caf51478a4c..04d1b140d2c79a0fa72d7df47d556643751bddb7 100755

--- a/install/tools/ipa-dns-install

+++ b/install/tools/ipa-dns-install

@@ -36,6 +36,7 @@ from ipapython.config import IPAOptionParser

 from ipapython.ipa_log_manager import standard_logging_setup, root_logger

 from ipaserver.install import dns as dns_installer

+from ipaserver.install import service

 log_file_name = paths.IPASERVER_INSTALL_LOG

@@ -145,6 +146,9 @@ def main():

     dns_installer.install_check(True, api, False, options, hostname=api.env.host)

     dns_installer.install(True, False, options)

+    # Enable configured services and update DNS SRV records

+    service.enable_services(api.env.host)

+    api.Command.dns_update_system_records()

     # execute ipactl to refresh services status

     ipautil.run(['ipactl', 'start', '--ignore-service-failures'],

diff --git a/ipaserver/dns_data_management.py b/ipaserver/dns_data_management.py

index 6016d8a0044d487c3118f43f199b2a433facfa9a..e5987b4bd7b43d3920e9da917258153e448206b7 100644

--- a/ipaserver/dns_data_management.py

+++ b/ipaserver/dns_data_management.py

@@ -65,11 +65,11 @@ class IPASystemRecords(object):

     PRIORITY_HIGH = 0

     PRIORITY_LOW = 50

-    def __init__(self, api_instance):

+    def __init__(self, api_instance, all_servers=False):

         self.api_instance = api_instance

         self.domain_abs = DNSName(self.api_instance.env.domain).make_absolute()

         self.servers_data = {}

-        self.__init_data()

+        self.__init_data(all_servers=all_servers)

     def reload_data(self):

         """

@@ -89,14 +89,16 @@ class IPASystemRecords(object):

     def __get_location_suffix(self, location):

         return location + DNSName('_locations') + self.domain_abs

-    def __init_data(self):

+    def __init_data(self, all_servers=False):

         self.servers_data = {}

-        servers_result = self.api_instance.Command.server_find(

-            no_members=False,

-            servrole=u"IPA master",  # only active, fully installed masters

-        )['result']

-        for s in servers_result:

+        kwargs = dict(no_members=False)

+        if not all_servers:

+            # only active, fully installed masters]

+            kwargs["servrole"] = u"IPA master"

+        servers = self.api_instance.Command.server_find(**kwargs)

+

+        for s in servers['result']:

             weight, location, roles = self.__get_server_attrs(s)

             self.servers_data[s['cn'][0]] = {

                 'weight': weight,

diff --git a/ipaserver/install/adtrustinstance.py b/ipaserver/install/adtrustinstance.py

index b4db055045823ce8ae7e3b264e1442a085f81b2d..a7261b92ac227228b5b6af41db621ed2e5e96668 100644

--- a/ipaserver/install/adtrustinstance.py

+++ b/ipaserver/install/adtrustinstance.py

@@ -581,7 +581,7 @@ class ADTRUSTInstance(service.Service):

             self.print_msg(err_msg)

             self.print_msg("Add the following service records to your DNS " \

                            "server for DNS zone %s: " % zone)

-            system_records = IPASystemRecords(api)

+            system_records = IPASystemRecords(api, all_servers=True)

             adtrust_records = system_records.get_base_records(

                 [self.fqdn], ["AD trust controller"],

                 include_master_role=False, include_kerberos_realm=False)

@@ -734,12 +734,12 @@ class ADTRUSTInstance(service.Service):

         # Note that self.dm_password is None for ADTrustInstance because

         # we ensure to be called as root and using ldapi to use autobind

         try:

-            self.ldap_enable('ADTRUST', self.fqdn, None, self.suffix)

+            self.ldap_configure('ADTRUST', self.fqdn, None, self.suffix)

         except (ldap.ALREADY_EXISTS, errors.DuplicateEntry):

             root_logger.info("ADTRUST Service startup entry already exists.")

         try:

-            self.ldap_enable('EXTID', self.fqdn, None, self.suffix)

+            self.ldap_configure('EXTID', self.fqdn, None, self.suffix)

         except (ldap.ALREADY_EXISTS, errors.DuplicateEntry):

             root_logger.info("EXTID Service startup entry already exists.")

diff --git a/ipaserver/install/bindinstance.py b/ipaserver/install/bindinstance.py

index 03dce56aa0610b3dc530e6b2a185515be7956e8b..771c6b0483d07b20fbc8470397eed306651f4a8f 100644

--- a/ipaserver/install/bindinstance.py

+++ b/ipaserver/install/bindinstance.py

@@ -664,7 +664,7 @@ class BindInstance(service.Service):

         return normalize_zone(self.host_domain) == normalize_zone(self.domain)

     def create_file_with_system_records(self):

-        system_records = IPASystemRecords(self.api)

+        system_records = IPASystemRecords(self.api, all_servers=True)

         text = u'\n'.join(

             IPASystemRecords.records_list_from_zone(

                 system_records.get_base_records()

@@ -741,7 +741,7 @@ class BindInstance(service.Service):

         # Instead we reply on the IPA init script to start only enabled

         # components as found in our LDAP configuration tree

         try:

-            self.ldap_enable('DNS', self.fqdn, None, self.suffix)

+            self.ldap_configure('DNS', self.fqdn, None, self.suffix)

         except errors.DuplicateEntry:

             # service already exists (forced DNS reinstall)

             # don't crash, just report error

@@ -1175,7 +1175,7 @@ class BindInstance(service.Service):

             except ValueError as error:

                 root_logger.debug(error)

-        # disabled by default, by ldap_enable()

+        # disabled by default, by ldap_configure()

         if enabled:

             self.enable()

diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py

index 0c4d9bf9ad8ae11ac88523857845e16eb62651b9..62e9ad7de6f00eabb48f726a3931eb8acf0ba22b 100644

--- a/ipaserver/install/cainstance.py

+++ b/ipaserver/install/cainstance.py

@@ -1218,7 +1218,7 @@ class CAInstance(DogtagInstance):

             config = ['caRenewalMaster']

         else:

             config = []

-        self.ldap_enable('CA', self.fqdn, None, basedn, config)

+        self.ldap_configure('CA', self.fqdn, None, basedn, config)

     def setup_lightweight_ca_key_retrieval(self):

         if sysupgrade.get_upgrade_state('dogtag', 'setup_lwca_key_retrieval'):

diff --git a/ipaserver/install/dnskeysyncinstance.py b/ipaserver/install/dnskeysyncinstance.py

index 3849626e5a253667271913337d1a5aa4a72755bb..28468826d7194e7103e61c0ef3957b849e1be896 100644

--- a/ipaserver/install/dnskeysyncinstance.py

+++ b/ipaserver/install/dnskeysyncinstance.py

@@ -384,8 +384,8 @@ class DNSKeySyncInstance(service.Service):

     def __enable(self):

         try:

-            self.ldap_enable('DNSKeySync', self.fqdn, None,

-                             self.suffix, self.extra_config)

+            self.ldap_configure('DNSKeySync', self.fqdn, None,

+                                self.suffix, self.extra_config)

         except errors.DuplicateEntry:

             self.logger.error("DNSKeySync service already exists")

diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py

index 7081c7418e76afbd1b4ae28deafefb6b264c62f0..2df51eaa77d3ee3246027a6bcbc4023dbad61160 100644

--- a/ipaserver/install/httpinstance.py

+++ b/ipaserver/install/httpinstance.py

@@ -200,7 +200,7 @@ class HTTPInstance(service.Service):

         # We do not let the system start IPA components on its own,

         # Instead we reply on the IPA init script to start only enabled

         # components as found in our LDAP configuration tree

-        self.ldap_enable('HTTP', self.fqdn, None, self.suffix)

+        self.ldap_configure('HTTP', self.fqdn, None, self.suffix)

     def configure_selinux_for_httpd(self):

         try:

@@ -583,7 +583,7 @@ class HTTPInstance(service.Service):

         if running:

             self.restart()

-        # disabled by default, by ldap_enable()

+        # disabled by default, by ldap_configure()

         if enabled:

             self.enable()

diff --git a/ipaserver/install/ipa_kra_install.py b/ipaserver/install/ipa_kra_install.py

index 9ebabe057513141ee76d238a3f20e76a27dd932e..3a639ac20f101293edd7449f8846a451469e2297 100644

--- a/ipaserver/install/ipa_kra_install.py

+++ b/ipaserver/install/ipa_kra_install.py

@@ -224,4 +224,11 @@ class KRAInstaller(KRAInstall):

             self.log.error(dedent(self.FAIL_MESSAGE))

             raise

+        # pki-spawn restarts 389-DS, reconnect

+        api.Backend.ldap2.close()

+        api.Backend.ldap2.connect()

+

+        # Enable configured services and update DNS SRV records

+        service.enable_services(api.env.host)

+        api.Command.dns_update_system_records()

         api.Backend.ldap2.disconnect()

diff --git a/ipaserver/install/krainstance.py b/ipaserver/install/krainstance.py

index 915d3c3c6e038eeb6a8f94f1ed7f7008c0ef4ead..a23de3960f0789761b4b86227508236c80e97c2f 100644

--- a/ipaserver/install/krainstance.py

+++ b/ipaserver/install/krainstance.py

@@ -376,4 +376,4 @@ class KRAInstance(DogtagInstance):

                 directives[nickname], cert, paths.KRA_CS_CFG_PATH)

     def __enable_instance(self):

-        self.ldap_enable('KRA', self.fqdn, None, self.suffix)

+        self.ldap_configure('KRA', self.fqdn, None, self.suffix)

diff --git a/ipaserver/install/krbinstance.py b/ipaserver/install/krbinstance.py

index 5971a30fc566f6e96ce0b08632772d33da5602d2..4041d1b5fb3c3cf3db78b6cb282ce5f17793a0e3 100644

--- a/ipaserver/install/krbinstance.py

+++ b/ipaserver/install/krbinstance.py

@@ -240,7 +240,7 @@ class KrbInstance(service.Service):

         # We do not let the system start IPA components on its own,

         # Instead we reply on the IPA init script to start only enabled

         # components as found in our LDAP configuration tree

-        self.ldap_enable('KDC', self.fqdn, None, self.suffix)

+        self.ldap_configure('KDC', self.fqdn, None, self.suffix)

     def __start_instance(self):

         try:

@@ -598,7 +598,7 @@ class KrbInstance(service.Service):

             except ValueError as error:

                 root_logger.debug(error)

-        # disabled by default, by ldap_enable()

+        # disabled by default, by ldap_configure()

         if enabled:

             self.enable()

diff --git a/ipaserver/install/odsexporterinstance.py b/ipaserver/install/odsexporterinstance.py

index 59f27f578dab5663b1a7b734dff3699a6996084d..1694704f967b0b2a5debe76252ae859ae8a47f2b 100644

--- a/ipaserver/install/odsexporterinstance.py

+++ b/ipaserver/install/odsexporterinstance.py

@@ -69,8 +69,8 @@ class ODSExporterInstance(service.Service):

     def __enable(self):

         try:

-            self.ldap_enable('DNSKeyExporter', self.fqdn, None,

-                             self.suffix)

+            self.ldap_configure('DNSKeyExporter', self.fqdn, None,

+                                self.suffix)

         except errors.DuplicateEntry:

             root_logger.error("DNSKeyExporter service already exists")

diff --git a/ipaserver/install/opendnssecinstance.py b/ipaserver/install/opendnssecinstance.py

index bc2974a2cf56e4ade1b778303c14f9ce05a8bf0f..92a46a9f6e318454084398ed625cf27a8250c2af 100644

--- a/ipaserver/install/opendnssecinstance.py

+++ b/ipaserver/install/opendnssecinstance.py

@@ -136,8 +136,8 @@ class OpenDNSSECInstance(service.Service):

     def __enable(self):

         try:

-            self.ldap_enable('DNSSEC', self.fqdn, None,

-                             self.suffix, self.extra_config)

+            self.ldap_configure('DNSSEC', self.fqdn, None,

+                                self.suffix, self.extra_config)

         except errors.DuplicateEntry:

             root_logger.error("DNSSEC service already exists")

@@ -368,7 +368,7 @@ class OpenDNSSECInstance(service.Service):

         self.restore_state("kasp_db_configured")  # just eat state

-        # disabled by default, by ldap_enable()

+        # disabled by default, by ldap_configure()

         if enabled:

             self.enable()

diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py

index 3651cde827ecf299e5570feed4936311f91749fb..dcdd9aabb746c4973b3f73934d94225503728f0b 100644

--- a/ipaserver/install/server/install.py

+++ b/ipaserver/install/server/install.py

@@ -869,14 +869,6 @@ def install(installer):

     if options.setup_dns:

         dns.install(False, False, options)

-    else:

-        # Create a BIND instance

-        bind = bindinstance.BindInstance(fstore)

-        bind.setup(host_name, ip_addresses, realm_name,

-                   domain_name, (), 'first', (),

-                   zonemgr=options.zonemgr,

-                   no_dnssec_validation=options.no_dnssec_validation)

-        bind.create_file_with_system_records()

     if options.setup_adtrust:

         adtrust.install(False, options, fstore, api)

@@ -908,6 +900,16 @@ def install(installer):

     # Make sure the files we crated in /var/run are recreated at startup

     tasks.configure_tmpfiles()

+    # Enable configured services and update DNS SRV records

+    service.enable_services(host_name)

+    api.Command.dns_update_system_records()

+

+    if not options.setup_dns:

+        # After DNS and AD trust are configured and services are

+        # enabled, create a dummy instance to dump DNS configuration.

+        bind = bindinstance.BindInstance(fstore)

+        bind.create_file_with_system_records()

+

     # Everything installed properly, activate ipa service.

     services.knownservices.ipa.enable()

diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py

index b10f761e3f643f9fa868451192fa4550b24b6b16..59fec452c674b9941ce731748dd63985a08fefc0 100644

--- a/ipaserver/install/server/replicainstall.py

+++ b/ipaserver/install/server/replicainstall.py

@@ -1518,14 +1518,10 @@ def install(installer):

     if options.setup_dns:

         dns.install(False, True, options, api)

-    else:

-        api.Command.dns_update_system_records()

     if options.setup_adtrust:

         adtrust.install(False, options, fstore, api)

-    api.Backend.ldap2.disconnect()

-

     if not promote:

         # Call client install script

         service.print_msg("Configuring client side components")

@@ -1556,6 +1552,11 @@ def install(installer):

     # Make sure the files we crated in /var/run are recreated at startup

     tasks.configure_tmpfiles()

+    # Enable configured services and update DNS SRV records

+    service.enable_services(config.host_name)

+    api.Command.dns_update_system_records()

+    api.Backend.ldap2.disconnect()

+

     # Everything installed properly, activate ipa service.

     services.knownservices.ipa.enable()

diff --git a/ipaserver/install/service.py b/ipaserver/install/service.py

index 0523e914aa7debf6aaa82ddcce9b7b26c1833cd3..4271ebe06be03199165894f7a884e17f311896cb 100644

--- a/ipaserver/install/service.py

+++ b/ipaserver/install/service.py

@@ -24,6 +24,7 @@ import socket

 import datetime

 import traceback

 import tempfile

+import warnings

 import six

@@ -59,6 +60,10 @@ SERVICE_LIST = {

     'DNSKeySync': ('ipa-dnskeysyncd', 110),

 }

+CONFIGURED_SERVICE = u'configuredService'

+ENABLED_SERVICE = 'enabledService'

+

+

 def print_msg(message, output_fd=sys.stdout):

     root_logger.debug(message)

     output_fd.write(message)

@@ -120,7 +125,7 @@ def find_providing_server(svcname, conn, host_name=None, api=api):

     """

     dn = DN(('cn', 'masters'), ('cn', 'ipa'), ('cn', 'etc'), api.env.basedn)

     query_filter = conn.make_filter({'objectClass': 'ipaConfigObject',

-                                     'ipaConfigString': 'enabledService',

+                                     'ipaConfigString': ENABLED_SERVICE,

                                      'cn': svcname}, rules='&')

     try:

         entries, _trunc = conn.find_entries(filter=query_filter, base_dn=dn)

@@ -217,6 +222,53 @@ def set_service_entry_config(name, fqdn, config_values,

         raise e

+def enable_services(fqdn):

+    """Change all configured services to enabled

+

+    Server.ldap_configure() only marks a service as configured. Services

+    are enabled at the very end of installation.

+

+    Note: DNS records must be updated with dns_update_system_records, too.

+

+    :param fqdn: hostname of server

+    """

+    ldap2 = api.Backend.ldap2

+    search_base = DN(('cn', fqdn), api.env.container_masters, api.env.basedn)

+    search_filter = ldap2.make_filter(

+        {

+            'objectClass': 'ipaConfigObject',

+            'ipaConfigString': CONFIGURED_SERVICE

+        },

+        rules='&'

+    )

+    entries = ldap2.get_entries(

+        search_base,

+        filter=search_filter,

+        scope=api.Backend.ldap2.SCOPE_ONELEVEL,

+        attrs_list=['cn', 'ipaConfigString']

+    )

+    for entry in entries:

+        name = entry['cn']

+        cfgstrings = entry.setdefault('ipaConfigString', [])

+        for value in list(cfgstrings):

+            if value.lower() == CONFIGURED_SERVICE.lower():

+                cfgstrings.remove(value)

+        if not case_insensitive_attr_has_value(cfgstrings, ENABLED_SERVICE):

+            cfgstrings.append(ENABLED_SERVICE)

+

+        try:

+            ldap2.update_entry(entry)

+        except errors.EmptyModlist:

+            root_logger.debug("Nothing to do for service %s", name)

+        except Exception:

+            root_logger.exception(

+                "failed to set service %s config values", name

+            )

+            raise

+        else:

+            root_logger.debug("Enabled service %s for %s", name, fqdn)

+

+

 class Service(object):

     def __init__(self, service_name, service_desc=None, sstore=None,

                  fstore=None, api=api, realm_name=None,

@@ -522,7 +574,35 @@ class Service(object):

         self.steps = []

     def ldap_enable(self, name, fqdn, dm_password=None, ldap_suffix='',

-                    config=[]):

+                    config=()):

+        """Legacy function, all services should use ldap_configure()

+        """

+        warnings.warn(

+            "ldap_enable is deprecated, use ldap_configure instead.",

+            DeprecationWarning,

+            stacklevel=2

+        )

+        self._ldap_enable(ENABLED_SERVICE, name, fqdn, ldap_suffix, config)

+

+    def ldap_configure(self, name, fqdn, dm_password=None, ldap_suffix='',

+                       config=()):

+        """Create or modify service entry in cn=masters,cn=ipa,cn=etc

+

+        Contrary to ldap_enable(), the method only sets

+        ipaConfigString=configuredService. ipaConfigString=enabledService

+        is set at the very end of the installation process, to ensure that

+        other machines see this master/replica after it is fully installed.

+

+        To switch all configured services to enabled, use::

+

+            ipaserver.install.service.enable_services(api.env.host)

+            api.Command.dns_update_system_records()

+        """

+        self._ldap_enable(

+            CONFIGURED_SERVICE, name, fqdn, ldap_suffix, config

+        )

+

+    def _ldap_enable(self, value, name, fqdn, ldap_suffix, config):

         extra_config_opts = [

             ' '.join([u'startOrder', unicode(SERVICE_LIST[name][1])])

         ]

@@ -533,7 +613,7 @@ class Service(object):

         set_service_entry_config(

             name,

             fqdn,

-            [u'enabledService'],

+            [value],

             ldap_suffix=ldap_suffix,

             post_add_config=extra_config_opts)

@@ -559,7 +639,7 @@ class Service(object):

         # case insensitive

         for value in entry.get('ipaConfigString', []):

-            if value.lower() == u'enabledservice':

+            if value.lower() == ENABLED_SERVICE:

                 entry['ipaConfigString'].remove(value)

                 break

@@ -672,7 +752,7 @@ class SimpleServiceInstance(Service):

         if self.gensvc_name == None:

             self.enable()

         else:

-            self.ldap_enable(self.gensvc_name, self.fqdn, None, self.suffix)

+            self.ldap_configure(self.gensvc_name, self.fqdn, None, self.suffix)

     def is_installed(self):

         return self.service.is_installed()

diff --git a/ipaserver/plugins/serverrole.py b/ipaserver/plugins/serverrole.py

index db88b3885c538c2800f6e4a1d649083859d43641..35b199387b4d3512d39f197d125c20571e23ad7a 100644

--- a/ipaserver/plugins/serverrole.py

+++ b/ipaserver/plugins/serverrole.py

@@ -15,16 +15,21 @@ IPA server roles

 """) + _("""

 Get status of roles (DNS server, CA, etc.) provided by IPA masters.

 """) + _("""

+The status of a role is either enabled, configured, or absent.

+""") + _("""

 EXAMPLES:

 """) + _("""

   Show status of 'DNS server' role on a server:

     ipa server-role-show ipa.example.com "DNS server"

 """) + _("""

   Show status of all roles containing 'AD' on a server:

-    ipa server-role-find --server ipa.example.com --role='AD'

+    ipa server-role-find --server ipa.example.com --role="AD trust controller"

 """) + _("""

   Show status of all configured roles on a server:

     ipa server-role-find ipa.example.com

+""") + _("""

+  Show implicit IPA master role:

+    ipa server-role-find --include-master

 """)

-- 

2.17.1