    def __add_dns_service_records(self):
        """
        Refresh the AD-trust DNS service records, or show how to add them.

        Asks ``dns_is_enabled`` and ``dns_zone_exists`` whether IPA manages
        the zone ``api.env.domain``.  If it does, the records are rewritten
        by ``dns_update_system_records``.  If it does not, nothing is written:
        the reason is printed with ``print_msg``, followed by the record lines
        ``IPASystemRecords`` produces for this host's "AD trust controller"
        role, so they can be created on the external DNS server by hand.
        Returns nothing.
        """
        zone = api.env.domain

        # Why IPA cannot manage the zone itself; None means it can.
        reason = None
        if not api.Command['dns_is_enabled']()['result']:
            reason = "DNS management was not enabled at install time."
        elif not dns_zone_exists(zone):
            reason = ("DNS zone %s cannot be managed as it is not defined in "
                      "IPA" % zone)

        if not reason:
            api.Command.dns_update_system_records()
            return

        self.print_msg(reason)
        self.print_msg("Add the following service records to your DNS "
                       "server for DNS zone %s: " % zone)
        # Only this host, only the AD trust role: master-role and realm
        # records are deliberately left out of the hint.
        records = IPASystemRecords(api).get_base_records(
            [self.fqdn], ["AD trust controller"],
            include_master_role=False, include_kerberos_realm=False)
        for name, node in records.items():
            for line in IPASystemRecords.records_list_from_node(name, node):
                self.print_msg(line)
    def __add_dns_service_records(self):
        """
        Refresh the AD-trust DNS service records, or tell the admin how to.

        When ``dns_is_enabled`` reports DNS management and the zone
        ``api.env.domain`` is defined in IPA, ``dns_update_system_records``
        is invoked to rewrite the records.  Otherwise the reason is printed,
        followed by the record lines ``IPASystemRecords`` (built with
        ``all_servers=True``) yields for this host's "AD trust controller"
        role, so that they can be added to the external DNS server manually.
        Returns nothing.
        """
        zone = api.env.domain
        dns_managed = api.Command['dns_is_enabled']()['result']

        if not dns_managed:
            reason = "DNS management was not enabled at install time."
        elif not dns_zone_exists(zone):
            reason = ("DNS zone %s cannot be managed as it is not defined in "
                      "IPA" % zone)
        else:
            api.Command.dns_update_system_records()
            return

        self.print_msg(reason)
        self.print_msg("Add the following service records to your DNS "
                       "server for DNS zone %s: " % zone)
        records = IPASystemRecords(api, all_servers=True)
        base = records.get_base_records(
            [self.fqdn], ["AD trust controller"],
            include_master_role=False,
            include_kerberos_realm=False)
        # Flatten (name, node) pairs into the printable record lines.
        lines = (
            line
            for name, node in base.items()
            for line in IPASystemRecords.records_list_from_node(name, node)
        )
        for line in lines:
            self.print_msg(line)
def generate_dns_service_records_help(api):
    """
    Return manual DNS instructions for the AD-trust records, or None.

    If ``dns_is_enabled`` reports that DNS management is off, or the zone
    ``api.env.domain`` is not defined in IPA, a list of strings is returned:
    the reason, a "add the following records" header, and one line per
    record ``IPASystemRecords`` (``all_servers=True``) produces for
    ``api.env.host`` in the "AD trust controller" role.  When IPA manages
    the zone there is nothing to do by hand and None is returned.

    :param api: the IPA API object used for ``env`` and ``Command`` access
    :return: list of instruction lines, or None
    """
    zone = api.env.domain

    if not api.Command['dns_is_enabled']()['result']:
        lines = ["DNS management was not enabled at install time."]
    elif not dns_zone_exists(zone):
        lines = ["DNS zone %s cannot be managed as it is not defined in "
                 "IPA" % zone]
    else:
        return None

    lines.append("Add the following service records to your DNS "
                 "server for DNS zone %s: " % zone)
    base_records = IPASystemRecords(api, all_servers=True).get_base_records(
        [api.env.host], ["AD trust controller"],
        include_master_role=False, include_kerberos_realm=False)
    for name, node in base_records.items():
        lines.extend(IPASystemRecords.records_list_from_node(name, node))
    return lines
    def __add_dns_service_records(self):
        """
        Write the ``_msdcs`` SRV records for LDAP and Kerberos into the zone.

        For each of ``_ldap._tcp``, ``_kerberos._tcp`` and ``_kerberos._udp``
        under both ``.Default-First-Site-Name._sites.dc._msdcs`` and
        ``.dc._msdcs``, any SRV records already present (``get_rr``) are
        removed with ``del_rr`` and replaced by one record per host in
        ``self.cifs_hosts`` plus one for this server (``normalize_zone``
        of ``self.fqdn``), all at priority 0.

        Nothing is written when ``--no-msdcs`` was given, DNS management is
        disabled, or ``self.domain_name`` is not a zone defined in IPA; in
        that case the reason and the SRV lines to add by hand are printed
        through ``print_msg``.  Returns nothing.
        """
        zone = self.domain_name
        host_in_rr = normalize_zone(self.fqdn)
        priority = 0

        # (owner name prefix, rdata for this server, port) per SRV record
        ipa_srv_rec = (
            ("_ldap._tcp", [self.srv_rec(host_in_rr, 389, priority)], 389),
            ("_kerberos._tcp", [self.srv_rec(host_in_rr, 88, priority)], 88),
            ("_kerberos._udp", [self.srv_rec(host_in_rr, 88, priority)], 88),
        )
        win_srv_suffix = (".Default-First-Site-Name._sites.dc._msdcs",
                          ".dc._msdcs")

        if self.no_msdcs:
            reason = ('--no-msdcs was given, special DNS service records '
                      'are not added to local DNS server')
        elif not api.Command['dns_is_enabled']()['result']:
            reason = "DNS management was not enabled at install time."
        elif not dns_zone_exists(zone):
            reason = ("DNS zone %s cannot be managed "
                      "as it is not defined in IPA" % zone)
        else:
            reason = None

        if reason:
            self.print_msg(reason)
            self.print_msg("Add the following service records to your DNS "
                           "server for DNS zone %s: " % zone)
            for suff in win_srv_suffix:
                for name, rdata, _port in ipa_srv_rec:
                    self.print_msg("%s%s IN SRV %s" % (name, suff,
                                                       " ".join(rdata)))
            self.print_msg("")
            return

        for name, own_rdata, port in ipa_srv_rec:
            # CIFS hosts first, then this server's own record.
            rdata = [self.srv_rec(host, port, priority)
                     for host in self.cifs_hosts]
            rdata.extend(own_rdata)

            for suff in win_srv_suffix:
                owner = name + suff
                # Replace, not merge: whatever is there now is dropped.
                for old in get_rr(zone, owner, "SRV") or ():
                    del_rr(zone, owner, "SRV", old)
                for rec in rdata:
                    add_rr(zone, owner, "SRV", rec)
    def ask_for_options(self) -> None:
        """
        Collect and validate the options needed to prepare a replica.

        Obtains the Directory Manager password (``options.password`` or a
        prompt), binds to LDAP with it to read the certificate subject base
        and the CA status, validates the replica FQDN and the DNS
        prerequisites of ``--ip-address``, and loads the optional HTTP and
        Directory Server PKCS#12 files, prompting for their PINs.

        Side effects: sets ``self.dirman_password``, ``self.subject_base``,
        ``self.http_pin`` / ``self.dirsrv_pin`` and, when PKCS#12 files are
        given, ``self.http_pkcs12_file`` / ``self.dirsrv_pkcs12_file``; may
        rewrite ``options.reverse_zones``, ``options.http_pin`` and
        ``options.dirsrv_pin``.  Leaves ``api.Backend.ldap2`` bound as
        Directory Manager.

        Raises:
            admintool.ScriptError: missing password or PIN, failed LDAP bind
                or connection, CA not installed, DNS not usable for
                ``--ip-address``, or the two custom certificates not issued
                by the same CA.
            installutils.BadHostError: re-raised from ``verify_fqdn`` unless
                the host is merely absent from DNS and ``--ip-address`` was
                given (its record will be created).
        """
        options = self.options
        super(ReplicaPrepare, self).ask_for_options()

        # get the directory manager password
        # --password wins; otherwise prompt once, no confirmation/validation.
        self.dirman_password = options.password
        if not options.password:
            self.dirman_password = installutils.read_password(
                "Directory Manager (existing master)",
                confirm=False,
                validate=False)
            if self.dirman_password is None:
                raise admintool.ScriptError(
                    "Directory Manager password required")

        # Try out the password & get the subject base
        # Any existing connection is dropped before binding with the
        # password just obtained; the bind itself is the password check.
        api.Backend.ldap2.disconnect()
        try:
            api.Backend.ldap2.connect(bind_pw=self.dirman_password)

            entry_attrs = api.Backend.ldap2.get_ipa_config()
            self.subject_base = entry_attrs.get('ipacertificatesubjectbase',
                                                [None])[0]

            ca_enabled = api.Command.ca_is_enabled()['result']
        except errors.ACIError:
            # A wrong DM password surfaces as an ACI error on bind.
            raise admintool.ScriptError("The password provided is incorrect "
                                        "for LDAP server %s" % api.env.host)
        except errors.LDAPError:
            raise admintool.ScriptError("Unable to connect to LDAP server %s" %
                                        api.env.host)
        except errors.DatabaseError as e:
            raise admintool.ScriptError(e.desc)

        # A CA is configured in the topology but not on this host: the
        # replica file must be prepared on a server that actually has it.
        if ca_enabled and not ipautil.file_exists(paths.CA_CS_CFG_PATH):
            raise admintool.ScriptError(
                "CA is not installed on this server. "
                "ipa-replica-prepare must be run on an IPA server with CA.")
        # Without a CA, certificates cannot be issued, so they must be supplied.
        if not ca_enabled and not options.http_cert_files:
            raise admintool.ScriptError(
                "Cannot issue certificates: a CA is not installed. Use the "
                "--http-cert-file, --dirsrv-cert-file options to provide "
                "custom certificates.")

        if self.subject_base is not None:
            self.subject_base = DN(self.subject_base)

        # Validate more options using the password
        # A host missing from DNS is tolerated only when --ip-address will
        # create its record; any other BadHostError is fatal.
        try:
            installutils.verify_fqdn(self.replica_fqdn, local_hostname=False)
        except installutils.BadHostError as e:
            if isinstance(e, installutils.HostLookupError):
                if not options.ip_addresses:
                    if dns_container_exists(api.env.basedn):
                        logger.info('You might use the --ip-address option '
                                    'to create a DNS entry if the DNS zone '
                                    'is managed by IPA.')
                    raise
                else:
                    # The host doesn't exist in DNS but we're adding it.
                    pass
            else:
                raise

        if options.ip_addresses:
            # --ip-address needs IPA-managed DNS and an existing forward zone.
            if not dns_container_exists(api.env.basedn):
                logger.error(
                    "It is not possible to add a DNS record automatically "
                    "because DNS is not managed by IPA. Please create DNS "
                    "record manually and then omit --ip-address option.")
                raise admintool.ScriptError("Cannot add DNS record")

            options.reverse_zones = bindinstance.check_reverse_zones(
                options.ip_addresses, options.reverse_zones, options, False,
                True)

            # Zone = everything after the first label.  Assumes the FQDN
            # contains a dot; a single-label name would raise ValueError
            # here unless verify_fqdn above already rejected it — confirm.
            _host, zone = self.replica_fqdn.split('.', 1)
            if not bindinstance.dns_zone_exists(zone, api=api):
                logger.error(
                    "DNS zone %s does not exist in IPA managed DNS "
                    "server. Either create DNS zone or omit "
                    "--ip-address option.", zone)
                raise admintool.ScriptError("Cannot add DNS record")

        self.http_pin = self.dirsrv_pin = None

        # Custom HTTP certificate: prompt for the PKCS#12 PIN if not given,
        # then load it.  retry=False: the prompt is not repeated.
        if options.http_cert_files:
            if options.http_pin is None:
                options.http_pin = installutils.read_password(
                    "Enter Apache Server private key unlock",
                    confirm=False,
                    validate=False,
                    retry=False)
                if options.http_pin is None:
                    raise admintool.ScriptError(
                        "Apache Server private key unlock password required")
            http_pkcs12_file, http_pin, http_ca_cert = self.load_pkcs12(
                options.http_cert_files, options.http_pin,
                options.http_cert_name)
            self.http_pkcs12_file = http_pkcs12_file
            self.http_pin = http_pin

        # Same for the Directory Server certificate.
        if options.dirsrv_cert_files:
            if options.dirsrv_pin is None:
                options.dirsrv_pin = installutils.read_password(
                    "Enter Directory Server private key unlock",
                    confirm=False,
                    validate=False,
                    retry=False)
                if options.dirsrv_pin is None:
                    raise admintool.ScriptError(
                        "Directory Server private key unlock password required"
                    )
            dirsrv_pkcs12_file, dirsrv_pin, dirsrv_ca_cert = self.load_pkcs12(
                options.dirsrv_cert_files, options.dirsrv_pin,
                options.dirsrv_cert_name)
            self.dirsrv_pkcs12_file = dirsrv_pkcs12_file
            self.dirsrv_pin = dirsrv_pin

        # When both custom certificates are supplied, the CA certificates
        # returned by load_pkcs12 must be the same one.
        if (options.http_cert_files and options.dirsrv_cert_files
                and http_ca_cert != dirsrv_ca_cert):
            raise admintool.ScriptError(
                "Apache Server SSL certificate and Directory Server SSL "
                "certificate are not signed by the same CA certificate")
    def ask_for_options(self) -> None:
        """
        Collect and validate the options needed to prepare a replica.

        Obtains the Directory Manager password (``options.password`` or a
        prompt), binds to LDAP as ``cn=directory manager`` with it to read
        the certificate subject base and the CA status, validates the
        replica FQDN and the DNS prerequisites of ``--ip-address``, and
        loads the optional HTTP, Directory Server and KDC (PKINIT) PKCS#12
        files, prompting for their PINs.

        Side effects: sets ``self.dirman_password``, ``self.subject_base``,
        ``self.http_pin`` / ``self.dirsrv_pin`` / ``self.pkinit_pin`` and,
        when the matching PKCS#12 files are given, ``self.http_pkcs12_file``
        / ``self.dirsrv_pkcs12_file`` / ``self.pkinit_pkcs12_file``; may
        rewrite ``options.reverse_zones`` and the three ``options.*_pin``
        values.

        Raises:
            admintool.ScriptError: missing password or PIN, failed LDAP bind
                or connection, no CA and no custom certificates, DNS not
                usable for ``--ip-address``, HTTP and DirSrv certificates
                not issued by the same CA, or a host without the Dogtag
                config file when no Directory Server PIN was supplied.
            installutils.BadHostError: re-raised from ``verify_fqdn`` unless
                the host is merely absent from DNS and ``--ip-address`` was
                given.
        """
        options = self.options
        super(ReplicaPrepare, self).ask_for_options()

        # get the directory manager password
        # --password wins; otherwise prompt once, no confirmation/validation.
        self.dirman_password = options.password
        if not options.password:
            self.dirman_password = installutils.read_password(
                "Directory Manager (existing master)",
                confirm=False, validate=False)
            if self.dirman_password is None:
                raise admintool.ScriptError(
                    "Directory Manager password required")

        # Try out the password & get the subject base
        # NOTE(review): ``suffix`` is not used anywhere in this method.
        suffix = ipautil.realm_to_suffix(api.env.realm)
        try:
            conn = api.Backend.ldap2
            # The bind itself is the password check (see ACIError below).
            conn.connect(bind_dn=DN(('cn', 'directory manager')),
                         bind_pw=self.dirman_password)

            entry_attrs = conn.get_ipa_config()
            self.subject_base = entry_attrs.get(
                'ipacertificatesubjectbase', [None])[0]

            ca_enabled = api.Command.ca_is_enabled()['result']

            # Only reached on the success path: if one of the calls above
            # raises, the DM-bound connection stays open while the handlers
            # below convert the error into a ScriptError.
            conn.disconnect()
        except errors.ACIError:
            raise admintool.ScriptError("The password provided is incorrect "
                "for LDAP server %s" % api.env.host)
        except errors.LDAPError:
            raise admintool.ScriptError(
                "Unable to connect to LDAP server %s" % api.env.host)
        except errors.DatabaseError as e:
            raise admintool.ScriptError(e.desc)

        # Without a CA, certificates cannot be issued, so they must be supplied.
        if not ca_enabled and not options.http_cert_files:
            raise admintool.ScriptError(
                "Cannot issue certificates: a CA is not installed. Use the "
                "--http-cert-file, --dirsrv-cert-file options to provide "
                "custom certificates.")

        if self.subject_base is not None:
            self.subject_base = DN(self.subject_base)

        # Validate more options using the password
        # A host missing from DNS is tolerated only when --ip-address will
        # create its record; any other BadHostError is fatal.
        try:
            installutils.verify_fqdn(self.replica_fqdn, local_hostname=False)
        except installutils.BadHostError as e:
            msg = str(e)
            if isinstance(e, installutils.HostLookupError):
                if not options.ip_addresses:
                    # The DNS-container lookup binds with the DM password
                    # over LDAPI just to decide which hint to print.
                    if dns_container_exists(
                            api.env.host, api.env.basedn,
                            dm_password=self.dirman_password,
                            ldapi=True, realm=api.env.realm):
                        self.log.info('You might use the --ip-address option '
                                      'to create a DNS entry if the DNS zone '
                                      'is managed by IPA.')
                    raise
                else:
                    # The host doesn't exist in DNS but we're adding it.
                    pass
            else:
                raise

        if options.ip_addresses:
            # --ip-address needs IPA-managed DNS and an existing forward zone.
            if not dns_container_exists(api.env.host, api.env.basedn,
                                        dm_password=self.dirman_password,
                                        ldapi=True, realm=api.env.realm):
                self.log.error(
                    "It is not possible to add a DNS record automatically "
                    "because DNS is not managed by IPA. Please create DNS "
                    "record manually and then omit --ip-address option.")
                raise admintool.ScriptError("Cannot add DNS record")

            # Bind as Directory Manager for the zone checks only if nothing
            # is connected yet, and remember to undo it afterwards.
            disconnect = False
            if not api.Backend.ldap2.isconnected():
                api.Backend.ldap2.connect(
                    bind_dn=DN(('cn', 'Directory Manager')),
                    bind_pw=self.dirman_password)
                disconnect = True

            options.reverse_zones = bindinstance.check_reverse_zones(
                options.ip_addresses, options.reverse_zones, options, False,
                True)

            # Zone = everything after the first label.  Assumes the FQDN
            # contains a dot; a single-label name would raise ValueError
            # here unless verify_fqdn above already rejected it — confirm.
            host, zone = self.replica_fqdn.split('.', 1)
            if not bindinstance.dns_zone_exists(zone, api=api):
                self.log.error("DNS zone %s does not exist in IPA managed DNS "
                               "server. Either create DNS zone or omit "
                               "--ip-address option." % zone)
                raise admintool.ScriptError("Cannot add DNS record")

            # Not reached when a ScriptError was raised above; the
            # connection opened here is then left bound.
            if disconnect:
                api.Backend.ldap2.disconnect()

        self.http_pin = self.dirsrv_pin = self.pkinit_pin = None

        # Custom HTTP certificate: prompt for the PKCS#12 PIN if not given,
        # then load it.
        if options.http_cert_files:
            if options.http_pin is None:
                options.http_pin = installutils.read_password(
                    "Enter Apache Server private key unlock",
                    confirm=False, validate=False)
                if options.http_pin is None:
                    raise admintool.ScriptError(
                        "Apache Server private key unlock password required")
            http_pkcs12_file, http_pin, http_ca_cert = self.load_pkcs12(
                options.http_cert_files, options.http_pin,
                options.http_cert_name)
            self.http_pkcs12_file = http_pkcs12_file
            self.http_pin = http_pin

        # Same for the Directory Server certificate.
        if options.dirsrv_cert_files:
            if options.dirsrv_pin is None:
                options.dirsrv_pin = installutils.read_password(
                    "Enter Directory Server private key unlock",
                    confirm=False, validate=False)
                if options.dirsrv_pin is None:
                    raise admintool.ScriptError(
                        "Directory Server private key unlock password required")
            dirsrv_pkcs12_file, dirsrv_pin, dirsrv_ca_cert = self.load_pkcs12(
                options.dirsrv_cert_files, options.dirsrv_pin,
                options.dirsrv_cert_name)
            self.dirsrv_pkcs12_file = dirsrv_pkcs12_file
            self.dirsrv_pin = dirsrv_pin

        # Same for the KDC (PKINIT) certificate; its CA certificate is not
        # compared against the other two below.
        if options.pkinit_cert_files:
            if options.pkinit_pin is None:
                options.pkinit_pin = installutils.read_password(
                    "Enter Kerberos KDC private key unlock",
                    confirm=False, validate=False)
                if options.pkinit_pin is None:
                    raise admintool.ScriptError(
                        "Kerberos KDC private key unlock password required")
            pkinit_pkcs12_file, pkinit_pin, pkinit_ca_cert = self.load_pkcs12(
                options.pkinit_cert_files, options.pkinit_pin,
                options.pkinit_cert_name)
            self.pkinit_pkcs12_file = pkinit_pkcs12_file
            self.pkinit_pin = pkinit_pin

        # When both HTTP and DirSrv certificates are supplied, the CA
        # certificates returned by load_pkcs12 must be the same one.
        if (options.http_cert_files and options.dirsrv_cert_files and
            http_ca_cert != dirsrv_ca_cert):
            raise admintool.ScriptError(
                "Apache Server SSL certificate and Directory Server SSL "
                 "certificate are not signed by the same CA certificate")

        # No Dogtag config on this host and no DirSrv PIN supplied: this
        # server cannot produce the replica's certificates itself.
        if (not ipautil.file_exists(
                    dogtag.configured_constants().CS_CFG_PATH) and
                options.dirsrv_pin is None):
            self.log.info("If you installed IPA with your own certificates "
                "using PKCS#12 files you must provide PKCS#12 files for any "
                "replicas you create as well.")
            raise admintool.ScriptError("The replica must be created on the "
                "primary IPA server.")
                    "record manually and then omit --ip-address option.")
                raise admintool.ScriptError("Cannot add DNS record")

            disconnect = False
            if not api.Backend.ldap2.isconnected():
                api.Backend.ldap2.connect(
                    bind_dn=DN(('cn', 'Directory Manager')),
                    bind_pw=self.dirman_password)
                disconnect = True

            options.reverse_zones = bindinstance.check_reverse_zones(
                options.ip_addresses, options.reverse_zones, options, False,
                True)

            host, zone = self.replica_fqdn.split('.', 1)
            if not bindinstance.dns_zone_exists(zone, api=api):
                self.log.error("DNS zone %s does not exist in IPA managed DNS "
                               "server. Either create DNS zone or omit "
                               "--ip-address option." % zone)
                raise admintool.ScriptError("Cannot add DNS record")

            if disconnect:
                api.Backend.ldap2.disconnect()

        self.http_pin = self.dirsrv_pin = self.pkinit_pin = None

        if options.http_cert_files:
            if options.http_pin is None:
                options.http_pin = installutils.read_password(
                    "Enter Apache Server private key unlock",
                    confirm=False, validate=False)
    def ask_for_options(self) -> None:
        """
        Collect and validate the options needed to prepare a replica.

        Obtains the Directory Manager password (``options.password`` or a
        prompt), binds to LDAP with it to read the certificate subject base
        and the CA status, validates the replica FQDN and the DNS
        prerequisites of ``--ip-address``, and loads the optional HTTP and
        Directory Server PKCS#12 files, prompting for their PINs with
        ``retry=False``.

        Side effects: sets ``self.dirman_password``, ``self.subject_base``,
        ``self.http_pin`` / ``self.dirsrv_pin`` and, when PKCS#12 files are
        given, ``self.http_pkcs12_file`` / ``self.dirsrv_pkcs12_file``; may
        rewrite ``options.reverse_zones``, ``options.http_pin`` and
        ``options.dirsrv_pin``.  Leaves ``api.Backend.ldap2`` bound as
        Directory Manager.

        Raises:
            admintool.ScriptError: missing password or PIN, failed LDAP bind
                or connection, CA not installed, DNS not usable for
                ``--ip-address``, or the two custom certificates not issued
                by the same CA.
            installutils.BadHostError: re-raised from ``verify_fqdn`` unless
                the host is merely absent from DNS and ``--ip-address`` was
                given (its record will be created).
        """
        options = self.options
        super(ReplicaPrepare, self).ask_for_options()

        # get the directory manager password
        # --password wins; otherwise prompt once, no confirmation/validation.
        self.dirman_password = options.password
        if not options.password:
            self.dirman_password = installutils.read_password(
                "Directory Manager (existing master)",
                confirm=False, validate=False)
            if self.dirman_password is None:
                raise admintool.ScriptError(
                    "Directory Manager password required")

        # Try out the password & get the subject base
        # Any existing connection is dropped before binding with the
        # password just obtained; the bind itself is the password check.
        api.Backend.ldap2.disconnect()
        try:
            api.Backend.ldap2.connect(bind_pw=self.dirman_password)

            entry_attrs = api.Backend.ldap2.get_ipa_config()
            self.subject_base = entry_attrs.get(
                'ipacertificatesubjectbase', [None])[0]

            ca_enabled = api.Command.ca_is_enabled()['result']
        except errors.ACIError:
            # A wrong DM password surfaces as an ACI error on bind.
            raise admintool.ScriptError("The password provided is incorrect "
                                        "for LDAP server %s" % api.env.host)
        except errors.LDAPError:
            raise admintool.ScriptError(
                "Unable to connect to LDAP server %s" % api.env.host)
        except errors.DatabaseError as e:
            raise admintool.ScriptError(e.desc)

        # A CA is configured in the topology but not on this host: the
        # replica file must be prepared on a server that actually has it.
        if ca_enabled and not ipautil.file_exists(paths.CA_CS_CFG_PATH):
            raise admintool.ScriptError(
                "CA is not installed on this server. "
                "ipa-replica-prepare must be run on an IPA server with CA.")
        # Without a CA, certificates cannot be issued, so they must be supplied.
        if not ca_enabled and not options.http_cert_files:
            raise admintool.ScriptError(
                "Cannot issue certificates: a CA is not installed. Use the "
                "--http-cert-file, --dirsrv-cert-file options to provide "
                "custom certificates.")

        if self.subject_base is not None:
            self.subject_base = DN(self.subject_base)

        # Validate more options using the password
        # A host missing from DNS is tolerated only when --ip-address will
        # create its record; any other BadHostError is fatal.
        try:
            installutils.verify_fqdn(self.replica_fqdn, local_hostname=False)
        except installutils.BadHostError as e:
            if isinstance(e, installutils.HostLookupError):
                if not options.ip_addresses:
                    if dns_container_exists(api.env.basedn):
                        logger.info('You might use the --ip-address option '
                                    'to create a DNS entry if the DNS zone '
                                    'is managed by IPA.')
                    raise
                else:
                    # The host doesn't exist in DNS but we're adding it.
                    pass
            else:
                raise

        if options.ip_addresses:
            # --ip-address needs IPA-managed DNS and an existing forward zone.
            if not dns_container_exists(api.env.basedn):
                logger.error(
                    "It is not possible to add a DNS record automatically "
                    "because DNS is not managed by IPA. Please create DNS "
                    "record manually and then omit --ip-address option.")
                raise admintool.ScriptError("Cannot add DNS record")

            options.reverse_zones = bindinstance.check_reverse_zones(
                options.ip_addresses, options.reverse_zones, options, False,
                True)

            # Zone = everything after the first label.  Assumes the FQDN
            # contains a dot; a single-label name would raise ValueError
            # here unless verify_fqdn above already rejected it — confirm.
            _host, zone = self.replica_fqdn.split('.', 1)
            if not bindinstance.dns_zone_exists(zone, api=api):
                logger.error("DNS zone %s does not exist in IPA managed DNS "
                             "server. Either create DNS zone or omit "
                             "--ip-address option.", zone)
                raise admintool.ScriptError("Cannot add DNS record")

        self.http_pin = self.dirsrv_pin = None

        # Custom HTTP certificate: prompt for the PKCS#12 PIN if not given,
        # then load it.  retry=False: the prompt is not repeated.
        if options.http_cert_files:
            if options.http_pin is None:
                options.http_pin = installutils.read_password(
                    "Enter Apache Server private key unlock",
                    confirm=False, validate=False, retry=False)
                if options.http_pin is None:
                    raise admintool.ScriptError(
                        "Apache Server private key unlock password required")
            http_pkcs12_file, http_pin, http_ca_cert = self.load_pkcs12(
                options.http_cert_files, options.http_pin,
                options.http_cert_name)
            self.http_pkcs12_file = http_pkcs12_file
            self.http_pin = http_pin

        # Same for the Directory Server certificate.
        if options.dirsrv_cert_files:
            if options.dirsrv_pin is None:
                options.dirsrv_pin = installutils.read_password(
                    "Enter Directory Server private key unlock",
                    confirm=False, validate=False, retry=False)
                if options.dirsrv_pin is None:
                    raise admintool.ScriptError(
                        "Directory Server private key unlock password required")
            dirsrv_pkcs12_file, dirsrv_pin, dirsrv_ca_cert = self.load_pkcs12(
                options.dirsrv_cert_files, options.dirsrv_pin,
                options.dirsrv_cert_name)
            self.dirsrv_pkcs12_file = dirsrv_pkcs12_file
            self.dirsrv_pin = dirsrv_pin

        # When both custom certificates are supplied, the CA certificates
        # returned by load_pkcs12 must be the same one.
        if (options.http_cert_files and options.dirsrv_cert_files and
            http_ca_cert != dirsrv_ca_cert):
            raise admintool.ScriptError(
                "Apache Server SSL certificate and Directory Server SSL "
                 "certificate are not signed by the same CA certificate")
    def __add_dns_service_records(self):
        """
        Write the ``_msdcs`` SRV records for LDAP and Kerberos into the zone.

        For each of ``_ldap._tcp``, ``_kerberos._tcp`` and ``_kerberos._udp``
        under both ``.Default-First-Site-Name._sites.dc._msdcs`` and
        ``.dc._msdcs``, any SRV records already present (``get_rr``) are
        removed with ``del_rr`` and replaced by one record per host in
        ``self.cifs_hosts`` plus one for this server, all at priority 0.
        This server is referenced by its short name when its domain equals
        ``self.domain_name`` (compared via ``normalize_zone``) and by
        ``normalize_zone(self.fqdn)`` otherwise.

        Nothing is written when ``--no-msdcs`` was given, DNS management is
        disabled, or ``self.domain_name`` is not a zone defined in IPA; in
        that case the reason and the names of the records to create by hand
        are printed through ``print_msg``.  Returns nothing.
        """
        zone = self.domain_name
        short_name, host_domain = self.fqdn.split(".", 1)
        if normalize_zone(zone) == normalize_zone(host_domain):
            target = short_name
        else:
            target = normalize_zone(self.fqdn)
        priority = 0

        # (owner name prefix, rdata for this server, port) per SRV record
        ipa_srv_rec = (
            ("_ldap._tcp", [self.srv_rec(target, 389, priority)], 389),
            ("_kerberos._tcp", [self.srv_rec(target, 88, priority)], 88),
            ("_kerberos._udp", [self.srv_rec(target, 88, priority)], 88),
        )
        win_srv_suffix = (".Default-First-Site-Name._sites.dc._msdcs",
                          ".dc._msdcs")

        if self.no_msdcs:
            reason = ('--no-msdcs was given, special DNS service records '
                      'are not added to local DNS server')
        elif not api.Command['dns_is_enabled']()['result']:
            reason = "DNS management was not enabled at install time."
        elif not dns_zone_exists(zone):
            reason = ("DNS zone %s cannot be managed "
                      "as it is not defined in IPA" % zone)
        else:
            reason = None

        if reason:
            self.print_msg(reason)
            self.print_msg("Add the following service records to your DNS "
                           "server for DNS zone %s: " % zone)
            for name, _rdata, _port in ipa_srv_rec:
                for suff in win_srv_suffix:
                    self.print_msg(" - %s%s" % (name, suff))
            return

        for name, own_rdata, port in ipa_srv_rec:
            # CIFS hosts first, then this server's own record.
            rdata = [self.srv_rec(host, port, priority)
                     for host in self.cifs_hosts]
            rdata.extend(own_rdata)

            for suff in win_srv_suffix:
                owner = name + suff
                # Replace, not merge: whatever is there now is dropped.
                existing = get_rr(zone, owner, "SRV")
                if existing:
                    for old in existing:
                        del_rr(zone, owner, "SRV", old)
                for rec in rdata:
                    add_rr(zone, owner, "SRV", rec)