|
 |
a6e2d8 |
From 936e27f75961c67e619ecfa641e256ce80662d68 Mon Sep 17 00:00:00 2001
|
|
|
a6e2d8 |
From: Alexander Bokovoy <abokovoy@redhat.com>
|
|
|
a6e2d8 |
Date: Feb 14 2020 07:24:58 +0000
|
|
|
a6e2d8 |
Subject: adtrust: print DNS records for external DNS case after role is enabled
|
|
|
a6e2d8 |
|
|
|
a6e2d8 |
|
|
|
a6e2d8 |
We cannot gather information about required DNS records before "ADTrust
|
|
|
a6e2d8 |
Controller" role is enabled on this server. As result, we need to call
|
|
|
a6e2d8 |
the step to add DNS records after the role was enabled.
|
|
|
a6e2d8 |
|
|
|
a6e2d8 |
Fixes: https://pagure.io/freeipa/issue/8192
|
|
|
a6e2d8 |
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
|
|
|
a6e2d8 |
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
|
|
|
a6e2d8 |
|
|
|
a6e2d8 |
---
|
|
|
a6e2d8 |
|
|
|
a6e2d8 |
diff --git a/install/tools/ipa-adtrust-install.in b/install/tools/ipa-adtrust-install.in
|
|
|
a6e2d8 |
index 1abfea9..7d94b71 100644
|
|
|
a6e2d8 |
--- a/install/tools/ipa-adtrust-install.in
|
|
|
a6e2d8 |
+++ b/install/tools/ipa-adtrust-install.in
|
|
|
a6e2d8 |
@@ -214,7 +214,13 @@ def main():
|
|
|
a6e2d8 |
|
|
|
a6e2d8 |
# Enable configured services and update DNS SRV records
|
|
|
a6e2d8 |
service.sync_services_state(api.env.host)
|
|
|
a6e2d8 |
- api.Command.dns_update_system_records()
|
|
|
a6e2d8 |
+
|
|
|
a6e2d8 |
+ dns_help = adtrust.generate_dns_service_records_help(api)
|
|
|
a6e2d8 |
+ if dns_help:
|
|
|
a6e2d8 |
+ for line in dns_help:
|
|
|
a6e2d8 |
+ service.print_msg(line, sys.stdout)
|
|
|
a6e2d8 |
+ else:
|
|
|
a6e2d8 |
+ api.Command.dns_update_system_records()
|
|
|
a6e2d8 |
|
|
|
a6e2d8 |
print("""
|
|
|
a6e2d8 |
=============================================================================
|
|
|
a6e2d8 |
diff --git a/ipaserver/install/adtrust.py b/ipaserver/install/adtrust.py
|
|
|
a6e2d8 |
index 70c4359..6c14e84 100644
|
|
|
a6e2d8 |
--- a/ipaserver/install/adtrust.py
|
|
|
a6e2d8 |
+++ b/ipaserver/install/adtrust.py
|
|
|
a6e2d8 |
@@ -26,6 +26,8 @@ from ipaserver.install import installutils
|
|
|
a6e2d8 |
from ipaserver.install import adtrustinstance
|
|
|
a6e2d8 |
from ipaserver.install import service
|
|
|
a6e2d8 |
from ipaserver.install.plugins.adtrust import update_host_cifs_keytabs
|
|
|
a6e2d8 |
+from ipaserver.install.bindinstance import dns_zone_exists
|
|
|
a6e2d8 |
+from ipaserver.dns_data_management import IPASystemRecords
|
|
|
a6e2d8 |
|
|
|
a6e2d8 |
|
|
|
a6e2d8 |
if six.PY3:
|
|
|
a6e2d8 |
@@ -436,6 +438,41 @@ def install(standalone, options, fstore, api):
|
|
|
a6e2d8 |
add_new_adtrust_agents(api, options)
|
|
|
a6e2d8 |
|
|
|
a6e2d8 |
|
|
|
a6e2d8 |
+def generate_dns_service_records_help(api):
|
|
|
a6e2d8 |
+ """
|
|
|
a6e2d8 |
+ Return list of instructions to create DNS service records for Windows
|
|
|
a6e2d8 |
+ if in case DNS is not enabled and the DNS zone is not managed by IPA.
|
|
|
a6e2d8 |
+ In case IPA manages the DNS zone, nothing is returned.
|
|
|
a6e2d8 |
+ """
|
|
|
a6e2d8 |
+
|
|
|
a6e2d8 |
+ zone = api.env.domain
|
|
|
a6e2d8 |
+
|
|
|
a6e2d8 |
+ err_msg = []
|
|
|
a6e2d8 |
+
|
|
|
a6e2d8 |
+ ret = api.Command['dns_is_enabled']()
|
|
|
a6e2d8 |
+ if not ret['result']:
|
|
|
a6e2d8 |
+ err_msg.append("DNS management was not enabled at install time.")
|
|
|
a6e2d8 |
+ else:
|
|
|
a6e2d8 |
+ if not dns_zone_exists(zone):
|
|
|
a6e2d8 |
+ err_msg.append(
|
|
|
a6e2d8 |
+ "DNS zone %s cannot be managed as it is not defined in "
|
|
|
a6e2d8 |
+ "IPA" % zone)
|
|
|
a6e2d8 |
+
|
|
|
a6e2d8 |
+ if err_msg:
|
|
|
a6e2d8 |
+ err_msg.append("Add the following service records to your DNS "
|
|
|
a6e2d8 |
+ "server for DNS zone %s: " % zone)
|
|
|
a6e2d8 |
+ system_records = IPASystemRecords(api, all_servers=True)
|
|
|
a6e2d8 |
+ adtrust_records = system_records.get_base_records(
|
|
|
a6e2d8 |
+ [api.env.host], ["AD trust controller"],
|
|
|
a6e2d8 |
+ include_master_role=False, include_kerberos_realm=False)
|
|
|
a6e2d8 |
+ for r_name, node in adtrust_records.items():
|
|
|
a6e2d8 |
+ for rec in IPASystemRecords.records_list_from_node(r_name, node):
|
|
|
a6e2d8 |
+ err_msg.append(rec)
|
|
|
a6e2d8 |
+ return err_msg
|
|
|
a6e2d8 |
+
|
|
|
a6e2d8 |
+ return None
|
|
|
a6e2d8 |
+
|
|
|
a6e2d8 |
+
|
|
|
a6e2d8 |
@group
|
|
|
a6e2d8 |
class ADTrustInstallInterface(ServiceAdminInstallInterface):
|
|
|
a6e2d8 |
"""
|
|
|
a6e2d8 |
diff --git a/ipaserver/install/adtrustinstance.py b/ipaserver/install/adtrustinstance.py
|
|
|
a6e2d8 |
index 8699d53..a59e85d 100644
|
|
|
a6e2d8 |
--- a/ipaserver/install/adtrustinstance.py
|
|
|
a6e2d8 |
+++ b/ipaserver/install/adtrustinstance.py
|
|
|
a6e2d8 |
@@ -32,10 +32,8 @@ import socket
|
|
|
a6e2d8 |
|
|
|
a6e2d8 |
import six
|
|
|
a6e2d8 |
|
|
|
a6e2d8 |
-from ipaserver.dns_data_management import IPASystemRecords
|
|
|
a6e2d8 |
from ipaserver.install import service
|
|
|
a6e2d8 |
from ipaserver.install import installutils
|
|
|
a6e2d8 |
-from ipaserver.install.bindinstance import dns_zone_exists
|
|
|
a6e2d8 |
from ipaserver.install.replication import wait_for_task
|
|
|
a6e2d8 |
from ipalib import errors, api
|
|
|
a6e2d8 |
from ipalib.util import normalize_zone
|
|
|
a6e2d8 |
@@ -586,43 +584,6 @@ class ADTRUSTInstance(service.Service):
|
|
|
a6e2d8 |
logger.critical("Failed to remove old key for %s",
|
|
|
a6e2d8 |
self.principal)
|
|
|
a6e2d8 |
|
|
|
a6e2d8 |
- def srv_rec(self, host, port, prio):
|
|
|
a6e2d8 |
- return "%(prio)d 100 %(port)d %(host)s" % dict(host=host,prio=prio,port=port)
|
|
|
a6e2d8 |
-
|
|
|
a6e2d8 |
- def __add_dns_service_records(self):
|
|
|
a6e2d8 |
- """
|
|
|
a6e2d8 |
- Add DNS service records for Windows if DNS is enabled and the DNS zone
|
|
|
a6e2d8 |
- is managed. If there are already service records for LDAP and Kerberos
|
|
|
a6e2d8 |
- their values are used. Otherwise default values are used.
|
|
|
a6e2d8 |
- """
|
|
|
a6e2d8 |
-
|
|
|
a6e2d8 |
- zone = api.env.domain
|
|
|
a6e2d8 |
-
|
|
|
a6e2d8 |
- err_msg = None
|
|
|
a6e2d8 |
-
|
|
|
a6e2d8 |
- ret = api.Command['dns_is_enabled']()
|
|
|
a6e2d8 |
- if not ret['result']:
|
|
|
a6e2d8 |
- err_msg = "DNS management was not enabled at install time."
|
|
|
a6e2d8 |
- else:
|
|
|
a6e2d8 |
- if not dns_zone_exists(zone):
|
|
|
a6e2d8 |
- err_msg = (
|
|
|
a6e2d8 |
- "DNS zone %s cannot be managed as it is not defined in "
|
|
|
a6e2d8 |
- "IPA" % zone)
|
|
|
a6e2d8 |
-
|
|
|
a6e2d8 |
- if err_msg:
|
|
|
a6e2d8 |
- self.print_msg(err_msg)
|
|
|
a6e2d8 |
- self.print_msg("Add the following service records to your DNS " \
|
|
|
a6e2d8 |
- "server for DNS zone %s: " % zone)
|
|
|
a6e2d8 |
- system_records = IPASystemRecords(api, all_servers=True)
|
|
|
a6e2d8 |
- adtrust_records = system_records.get_base_records(
|
|
|
a6e2d8 |
- [self.fqdn], ["AD trust controller"],
|
|
|
a6e2d8 |
- include_master_role=False, include_kerberos_realm=False)
|
|
|
a6e2d8 |
- for r_name, node in adtrust_records.items():
|
|
|
a6e2d8 |
- for rec in IPASystemRecords.records_list_from_node(r_name, node):
|
|
|
a6e2d8 |
- self.print_msg(rec)
|
|
|
a6e2d8 |
- else:
|
|
|
a6e2d8 |
- api.Command.dns_update_system_records()
|
|
|
a6e2d8 |
-
|
|
|
a6e2d8 |
def __configure_selinux_for_smbd(self):
|
|
|
a6e2d8 |
try:
|
|
|
a6e2d8 |
tasks.set_selinux_booleans(constants.SELINUX_BOOLEAN_ADTRUST,
|
|
|
a6e2d8 |
@@ -876,8 +837,6 @@ class ADTRUSTInstance(service.Service):
|
|
|
a6e2d8 |
self.step("map BUILTIN\\Guests to nobody group",
|
|
|
a6e2d8 |
self.__map_Guests_to_nobody)
|
|
|
a6e2d8 |
self.step("configuring smbd to start on boot", self.__enable)
|
|
|
a6e2d8 |
- self.step("adding special DNS service records", \
|
|
|
a6e2d8 |
- self.__add_dns_service_records)
|
|
|
a6e2d8 |
|
|
|
a6e2d8 |
if self.enable_compat:
|
|
|
a6e2d8 |
self.step("enabling trusted domains support for older clients via Schema Compatibility plugin",
|
|
|
a6e2d8 |
diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py
|
|
|
a6e2d8 |
index 6b08b70..afce0d7 100644
|
|
|
a6e2d8 |
--- a/ipaserver/install/server/install.py
|
|
|
a6e2d8 |
+++ b/ipaserver/install/server/install.py
|
|
|
a6e2d8 |
@@ -984,6 +984,12 @@ def install(installer):
|
|
|
a6e2d8 |
service.enable_services(host_name)
|
|
|
a6e2d8 |
api.Command.dns_update_system_records()
|
|
|
a6e2d8 |
|
|
|
a6e2d8 |
+ if options.setup_adtrust:
|
|
|
a6e2d8 |
+ dns_help = adtrust.generate_dns_service_records_help(api)
|
|
|
a6e2d8 |
+ if dns_help:
|
|
|
a6e2d8 |
+ for line in dns_help:
|
|
|
a6e2d8 |
+ service.print_msg(line, sys.stdout)
|
|
|
a6e2d8 |
+
|
|
|
a6e2d8 |
if not options.setup_dns:
|
|
|
a6e2d8 |
# After DNS and AD trust are configured and services are
|
|
|
a6e2d8 |
# enabled, create a dummy instance to dump DNS configuration.
|
|
|
a6e2d8 |
diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
|
|
|
a6e2d8 |
index 536f0db..71ea091 100644
|
|
|
a6e2d8 |
--- a/ipaserver/install/server/replicainstall.py
|
|
|
a6e2d8 |
+++ b/ipaserver/install/server/replicainstall.py
|
|
|
a6e2d8 |
@@ -1351,6 +1351,12 @@ def install(installer):
|
|
|
a6e2d8 |
# enabled-service case, also perform update in hidden replica case.
|
|
|
a6e2d8 |
api.Command.dns_update_system_records()
|
|
|
a6e2d8 |
|
|
|
a6e2d8 |
+ if options.setup_adtrust:
|
|
|
a6e2d8 |
+ dns_help = adtrust.generate_dns_service_records_help(api)
|
|
|
a6e2d8 |
+ if dns_help:
|
|
|
a6e2d8 |
+ for line in dns_help:
|
|
|
a6e2d8 |
+ service.print_msg(line, sys.stdout)
|
|
|
a6e2d8 |
+
|
|
|
a6e2d8 |
ca_servers = find_providing_servers('CA', api.Backend.ldap2, api=api)
|
|
|
a6e2d8 |
api.Backend.ldap2.disconnect()
|
|
|
a6e2d8 |
|
|
|
a6e2d8 |
|