From 936e27f75961c67e619ecfa641e256ce80662d68 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Feb 14 2020 07:24:58 +0000
Subject: adtrust: print DNS records for external DNS case after role is enabled


We cannot gather information about required DNS records before "ADTrust
Controller" role is enabled on this server. As a result, we need to call
the step to add DNS records after the role was enabled.

Fixes: https://pagure.io/freeipa/issue/8192
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>

---

diff --git a/install/tools/ipa-adtrust-install.in b/install/tools/ipa-adtrust-install.in
index 1abfea9..7d94b71 100644
--- a/install/tools/ipa-adtrust-install.in
+++ b/install/tools/ipa-adtrust-install.in
@@ -214,7 +214,13 @@ def main():
 
     # Enable configured services and update DNS SRV records
     service.sync_services_state(api.env.host)
-    api.Command.dns_update_system_records()
+
+    dns_help = adtrust.generate_dns_service_records_help(api)
+    if dns_help:
+        for line in dns_help:
+            service.print_msg(line, sys.stdout)
+    else:
+        api.Command.dns_update_system_records()
 
     print("""
 =============================================================================
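Review bot: The comment `# Enable configured services and update DNS SRV records` above the new block is now only half true, because in the external-DNS branch the records are printed for the administrator instead of being updated; I would change it to `# Enable configured services; update DNS SRV records when IPA manages the zone, otherwise print the records the administrator must add`. The new lines also rely on `sys` and the `adtrust` module being imported in this script, which the hunk does not show, so that is worth confirming. The same four-line "if dns_help: for line in dns_help: service.print_msg(...)" loop is repeated in the install.py and replicainstall.py hunks of this commit; a small helper next to generate_dns_service_records_help that prints the lines (a proposed name would be something like `adtrust.print_dns_service_records_help(api)`) would keep the three call sites identical and make a later wording change a one-place edit. main() continues outside the hunk.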
diff --git a/ipaserver/install/adtrust.py b/ipaserver/install/adtrust.py
index 70c4359..6c14e84 100644
--- a/ipaserver/install/adtrust.py
+++ b/ipaserver/install/adtrust.py
@@ -26,6 +26,8 @@ from ipaserver.install import installutils
 from ipaserver.install import adtrustinstance
 from ipaserver.install import service
 from ipaserver.install.plugins.adtrust import update_host_cifs_keytabs
+from ipaserver.install.bindinstance import dns_zone_exists
+from ipaserver.dns_data_management import IPASystemRecords
 
 
 if six.PY3:
@@ -436,6 +438,41 @@ def install(standalone, options, fstore, api):
         add_new_adtrust_agents(api, options)
 
 
+def generate_dns_service_records_help(api):
+    """
+    Return list of instructions to create DNS service records for Windows
+    if in case DNS is not enabled and the DNS zone is not managed by IPA.
+    In case IPA manages the DNS zone, nothing is returned.
+    """
+
+    zone = api.env.domain
+
+    err_msg = []
+
+    ret = api.Command['dns_is_enabled']()
+    if not ret['result']:
+        err_msg.append("DNS management was not enabled at install time.")
+    else:
+        if not dns_zone_exists(zone):
+            err_msg.append(
+                "DNS zone %s cannot be managed as it is not defined in "
+                "IPA" % zone)
+
+    if err_msg:
+        err_msg.append("Add the following service records to your DNS "
+                       "server for DNS zone %s: " % zone)
+        system_records = IPASystemRecords(api, all_servers=True)
+        adtrust_records = system_records.get_base_records(
+            [api.env.host], ["AD trust controller"],
+            include_master_role=False, include_kerberos_realm=False)
+        for r_name, node in adtrust_records.items():
+            for rec in IPASystemRecords.records_list_from_node(r_name, node):
+                err_msg.append(rec)
+        return err_msg
+
+    return None
+
+
 @group
 class ADTrustInstallInterface(ServiceAdminInstallInterface):
     """
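Review bot: The docstring of generate_dns_service_records_help is hard to parse ("if in case DNS is not enabled") and does not state the return value for each case; I would write it as `Return a list of lines telling the administrator which AD-trust DNS service records to add when IPA does not manage the zone (DNS not enabled, or the zone not defined in IPA); return None when IPA manages the zone and no manual action is needed.` The `else:` followed by a nested `if not dns_zone_exists(zone):` is a plain `elif not dns_zone_exists(zone):`. The records are generated for `api.env.host`, whereas the removed ADTRUSTInstance method used `self.fqdn`; these presumably hold the same value, but it is worth confirming, since the SRV targets printed here are what the administrator will copy verbatim into the external DNS server.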
diff --git a/ipaserver/install/adtrustinstance.py b/ipaserver/install/adtrustinstance.py
index 8699d53..a59e85d 100644
--- a/ipaserver/install/adtrustinstance.py
+++ b/ipaserver/install/adtrustinstance.py
@@ -32,10 +32,8 @@ import socket
 
 import six
 
-from ipaserver.dns_data_management import IPASystemRecords
 from ipaserver.install import service
 from ipaserver.install import installutils
-from ipaserver.install.bindinstance import dns_zone_exists
 from ipaserver.install.replication import wait_for_task
 from ipalib import errors, api
 from ipalib.util import normalize_zone
@@ -586,43 +584,6 @@ class ADTRUSTInstance(service.Service):
                     logger.critical("Failed to remove old key for %s",
                                     self.principal)
 
-    def srv_rec(self, host, port, prio):
-        return "%(prio)d 100 %(port)d %(host)s" % dict(host=host,prio=prio,port=port)
-
-    def __add_dns_service_records(self):
-        """
-        Add DNS service records for Windows if DNS is enabled and the DNS zone
-        is managed. If there are already service records for LDAP and Kerberos
-        their values are used. Otherwise default values are used.
-        """
-
-        zone = api.env.domain
-
-        err_msg = None
-
-        ret = api.Command['dns_is_enabled']()
-        if not ret['result']:
-            err_msg = "DNS management was not enabled at install time."
-        else:
-            if not dns_zone_exists(zone):
-                err_msg = (
-                    "DNS zone %s cannot be managed as it is not defined in "
-                    "IPA" % zone)
-
-        if err_msg:
-            self.print_msg(err_msg)
-            self.print_msg("Add the following service records to your DNS " \
-                           "server for DNS zone %s: " % zone)
-            system_records = IPASystemRecords(api, all_servers=True)
-            adtrust_records = system_records.get_base_records(
-                [self.fqdn], ["AD trust controller"],
-                include_master_role=False, include_kerberos_realm=False)
-            for r_name, node in adtrust_records.items():
-                for rec in IPASystemRecords.records_list_from_node(r_name, node):
-                    self.print_msg(rec)
-        else:
-            api.Command.dns_update_system_records()
-
     def __configure_selinux_for_smbd(self):
         try:
             tasks.set_selinux_booleans(constants.SELINUX_BOOLEAN_ADTRUST,
@@ -876,8 +837,6 @@ class ADTRUSTInstance(service.Service):
         self.step("map BUILTIN\\Guests to nobody group",
                   self.__map_Guests_to_nobody)
         self.step("configuring smbd to start on boot", self.__enable)
-        self.step("adding special DNS service records", \
-                  self.__add_dns_service_records)
 
         if self.enable_compat:
             self.step("enabling trusted domains support for older clients via Schema Compatibility plugin",
diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py
index 6b08b70..afce0d7 100644
--- a/ipaserver/install/server/install.py
+++ b/ipaserver/install/server/install.py
@@ -984,6 +984,12 @@ def install(installer):
     service.enable_services(host_name)
     api.Command.dns_update_system_records()
 
+    if options.setup_adtrust:
+        dns_help = adtrust.generate_dns_service_records_help(api)
+        if dns_help:
+            for line in dns_help:
+                service.print_msg(line, sys.stdout)
+
     if not options.setup_dns:
         # After DNS and AD trust are configured and services are
         # enabled, create a dummy instance to dump DNS configuration.
diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
index 536f0db..71ea091 100644
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
@@ -1351,6 +1351,12 @@ def install(installer):
     # enabled-service case, also perform update in hidden replica case.
     api.Command.dns_update_system_records()
 
+    if options.setup_adtrust:
+        dns_help = adtrust.generate_dns_service_records_help(api)
+        if dns_help:
+            for line in dns_help:
+                service.print_msg(line, sys.stdout)
+
     ca_servers = find_providing_servers('CA', api.Backend.ldap2, api=api)
     api.Backend.ldap2.disconnect()