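def add_a_records_for_hosts_in_master_domain(master):
    """Ensure every host in the master's DNS domain has a forward record.

    For each host in ``master.domain.hosts`` the hostname is checked with
    ``verify_host_resolvable``; when that raises ``errors.DNSNotARecordError``
    (no A/AAAA record) ``add_a_record(master, host)`` is called to create one.
    The domain is the master domain, so the zone is assumed to exist already
    and no zone creation is attempted here.

    Only ``DNSNotARecordError`` is handled. Any other exception raised by
    ``verify_host_resolvable`` (e.g. a resolver failure rather than a missing
    record) propagates to the caller.

    :param master: object exposing ``domain.hosts``; each host must expose
        ``hostname``
    """
    for host in master.domain.hosts:
        try:
            verify_host_resolvable(host.hostname)
            # Log the host that was actually checked, not its domain name or
            # the master, so the log identifies which record is (not) present.
            log.debug("The host (%s) is resolvable.", host.hostname)
        except errors.DNSNotARecordError:
            log.debug("Hostname (%s) does not have A/AAAA record. Adding new one.",
                      host.hostname)
            add_a_record(master, host)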
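def add_a_records_for_hosts_in_master_domain(master):
    """Ensure every host in the master's DNS domain has a forward record.

    For each host in ``master.domain.hosts`` the hostname is checked with
    ``verify_host_resolvable``; when that raises ``errors.DNSNotARecordError``
    (no A/AAAA record) ``add_a_record(master, host)`` is called to create one.
    The domain is the master domain, so the zone is assumed to exist already
    and no zone creation is attempted here.

    Only ``DNSNotARecordError`` is handled. Any other exception raised by
    ``verify_host_resolvable`` (e.g. a resolver failure rather than a missing
    record) propagates to the caller.

    :param master: object exposing ``domain.hosts``; each host must expose
        ``hostname``
    """
    for host in master.domain.hosts:
        try:
            verify_host_resolvable(host.hostname)
            # Log the host that was actually checked, not its domain name or
            # the master, so the log identifies which record is (not) present.
            log.debug("The host (%s) is resolvable.", host.hostname)
        except errors.DNSNotARecordError:
            log.debug("Hostname (%s) does not have A/AAAA record. Adding new one.",
                      host.hostname)
            add_a_record(master, host)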
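 def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options):
     """Validate and complete a host entry before it is written to LDAP.

     ``keys[-1]`` is the host FQDN being added. In order:

     * If ``ip_address`` was given and a DNS container exists, the FQDN is
       split into its first label and the remaining domain and
       ``add_records_for_host_validation`` is asked to validate the forward
       record (and the reverse one unless ``no_reverse`` is set).
     * Unless ``force`` is set or ``ip_address`` was passed, the FQDN must
       already resolve (``util.verify_host_resolvable``).
     * ``cn`` and ``serverhostname`` are derived from the FQDN and
       ``locality`` is mirrored into ``l``.
     * With no password (neither ``userpassword`` nor ``random``) the entry
       gets a ``host/<fqdn>@<REALM>`` Kerberos principal and the matching
       objectclasses; with one, those objectclasses are removed instead.
     * A ``random`` password is generated and stashed on
       ``context.randompassword`` so ``post_callback`` can show it.
     * Supplied certificates are normalised to DER, each is passed with the
       hostname to ``x509.verify_cert_subject``, and the DER forms are stored.
     * The host manages itself (``managedby = dn``); ``ieee802device`` and
       ``ipasshhost`` are added, plus ``krbticketpolicyaux`` when
       ``update_krbticketflags`` set ``krbticketflags``.

     Returns ``dn`` unchanged.
     """
     # Sanity check only; asserts vanish under -O.
     assert isinstance(dn, DN)
     if options.get('ip_address') and dns_container_exists(ldap):
         parts = keys[-1].split('.')
         host = parts[0]
         domain = unicode('.'.join(parts[1:]))
         check_reverse = not options.get('no_reverse', False)
         add_records_for_host_validation('ip_address',
                 DNSName(host),
                 DNSName(domain).make_absolute(),
                 options['ip_address'],
                 check_forward=True,
                 check_reverse=check_reverse)
     # NOTE(review): the two conditions differ (truthiness above, key
     # presence here). With ip_address given but no DNS container, neither
     # branch runs and the host is accepted without any resolvability check;
     # an ip_address key holding an empty value would skip both as well.
     # Confirm the framework never passes such a key.
     if not options.get('force', False) and 'ip_address' not in options:
         util.verify_host_resolvable(keys[-1], self.log)
     if 'locality' in entry_attrs:
         entry_attrs['l'] = entry_attrs['locality']
     entry_attrs['cn'] = keys[-1]
     entry_attrs['serverhostname'] = keys[-1].split('.', 1)[0]
     if not entry_attrs.get('userpassword', False) and not options.get('random', False):
         entry_attrs['krbprincipalname'] = 'host/%s@%s' % (
             keys[-1], self.api.env.realm
         )
         if 'krbprincipalaux' not in entry_attrs['objectclass']:
             entry_attrs['objectclass'].append('krbprincipalaux')
         if 'krbprincipal' not in entry_attrs['objectclass']:
             entry_attrs['objectclass'].append('krbprincipal')
     else:
         # A host created with a password gets no Kerberos principal here;
         # presumably it is keyed later at enrollment -- verify against the
         # join code.
         if 'krbprincipalaux' in entry_attrs['objectclass']:
             entry_attrs['objectclass'].remove('krbprincipalaux')
         if 'krbprincipal' in entry_attrs['objectclass']:
             entry_attrs['objectclass'].remove('krbprincipal')
     if options.get('random'):
         entry_attrs['userpassword'] = ipa_generate_password(characters=host_pwd_chars)
         # save the password so it can be displayed in post_callback
         setattr(context, 'randompassword', entry_attrs['userpassword'])
     certs = options.get('usercertificate', [])
     certs_der = [x509.normalize_certificate(c) for c in certs]
     for cert in certs_der:
         x509.verify_cert_subject(ldap, keys[-1], cert)
     entry_attrs['usercertificate'] = certs_der
     entry_attrs['managedby'] = dn
     entry_attrs['objectclass'].append('ieee802device')
     entry_attrs['objectclass'].append('ipasshhost')
     update_krbticketflags(ldap, entry_attrs, attrs_list, options, False)
     if 'krbticketflags' in entry_attrs:
         entry_attrs['objectclass'].append('krbticketpolicyaux')
     return dn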
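 def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options):
     """Validate and complete a host entry before it is written to LDAP.

     ``keys[-1]`` is the host FQDN being added. In order:

     * If ``ip_address`` was given and a DNS container exists, the FQDN is
       split into its first label and the remaining domain and
       ``add_records_for_host_validation`` is asked to validate the forward
       record (and the reverse one unless ``no_reverse`` is set).
     * Unless ``force`` is set or ``ip_address`` was passed, the FQDN must
       already resolve (``util.verify_host_resolvable``).
     * ``cn`` and ``serverhostname`` are derived from the FQDN and
       ``locality`` is mirrored into ``l``.
     * With no password (neither ``userpassword`` nor ``random``) the entry
       gets a ``host/<fqdn>@<REALM>`` Kerberos principal and the matching
       objectclasses; with one, those objectclasses are removed instead.
     * A ``random`` password is generated and stashed on
       ``context.randompassword`` so ``post_callback`` can show it.
     * Supplied certificates are normalised to DER, each is passed with the
       hostname to ``x509.verify_cert_subject``, and the DER forms are stored.
     * The host manages itself (``managedby = dn``); ``ieee802device`` and
       ``ipasshhost`` are added, plus ``krbticketpolicyaux`` when
       ``update_krbticketflags`` set ``krbticketflags``.

     Returns ``dn`` unchanged.
     """
     # Sanity check only; asserts vanish under -O.
     assert isinstance(dn, DN)
     if options.get('ip_address') and dns_container_exists(ldap):
         parts = keys[-1].split('.')
         host = parts[0]
         domain = unicode('.'.join(parts[1:]))
         check_reverse = not options.get('no_reverse', False)
         add_records_for_host_validation('ip_address',
                 DNSName(host),
                 DNSName(domain).make_absolute(),
                 options['ip_address'],
                 check_forward=True,
                 check_reverse=check_reverse)
     # NOTE(review): the two conditions differ (truthiness above, key
     # presence here). With ip_address given but no DNS container, neither
     # branch runs and the host is accepted without any resolvability check;
     # an ip_address key holding an empty value would skip both as well.
     # Confirm the framework never passes such a key.
     if not options.get('force', False) and 'ip_address' not in options:
         util.verify_host_resolvable(keys[-1], self.log)
     if 'locality' in entry_attrs:
         entry_attrs['l'] = entry_attrs['locality']
     entry_attrs['cn'] = keys[-1]
     entry_attrs['serverhostname'] = keys[-1].split('.', 1)[0]
     if not entry_attrs.get('userpassword', False) and not options.get('random', False):
         entry_attrs['krbprincipalname'] = 'host/%s@%s' % (
             keys[-1], self.api.env.realm
         )
         if 'krbprincipalaux' not in entry_attrs['objectclass']:
             entry_attrs['objectclass'].append('krbprincipalaux')
         if 'krbprincipal' not in entry_attrs['objectclass']:
             entry_attrs['objectclass'].append('krbprincipal')
     else:
         # A host created with a password gets no Kerberos principal here;
         # presumably it is keyed later at enrollment -- verify against the
         # join code.
         if 'krbprincipalaux' in entry_attrs['objectclass']:
             entry_attrs['objectclass'].remove('krbprincipalaux')
         if 'krbprincipal' in entry_attrs['objectclass']:
             entry_attrs['objectclass'].remove('krbprincipal')
     if options.get('random'):
         entry_attrs['userpassword'] = ipa_generate_password(characters=host_pwd_chars)
         # save the password so it can be displayed in post_callback
         setattr(context, 'randompassword', entry_attrs['userpassword'])
     certs = options.get('usercertificate', [])
     certs_der = [x509.normalize_certificate(c) for c in certs]
     for cert in certs_der:
         x509.verify_cert_subject(ldap, keys[-1], cert)
     entry_attrs['usercertificate'] = certs_der
     entry_attrs['managedby'] = dn
     entry_attrs['objectclass'].append('ieee802device')
     entry_attrs['objectclass'].append('ipasshhost')
     update_krbticketflags(ldap, entry_attrs, attrs_list, options, False)
     if 'krbticketflags' in entry_attrs:
         entry_attrs['objectclass'].append('krbticketpolicyaux')
     return dn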
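    def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys,
                     **options):
        """Validate a service entry before it is added.

        ``keys[-1]`` is the service principal. Its ``hostname`` must belong
        to an existing host entry (looked up with ``host_show``), otherwise
        ``errors.NotFound`` is raised with a friendlier reason. Adding a
        ``host/`` principal through this path is refused with
        ``errors.HostService`` unless ``force`` is set, and without ``force``
        the hostname must also resolve in DNS.

        The entry is completed with the DER-normalised certificates, a
        ``managedby`` pointing at the host entry (unless supplied), an
        ``ipakrbprincipalalias`` (and its objectclass) for case-insensitive
        searches, a ``krbcanonicalname`` and the Kerberos ticket flags.

        Returns ``dn`` unchanged.
        """
        # Sanity check only; asserts vanish under -O.
        assert isinstance(dn, DN)
        principal = keys[-1]
        hostname = principal.hostname

        # Read 'force' once with a default so both checks below agree: a
        # missing key means "not forced" rather than a KeyError.
        force = options.get('force', False)
        if principal.is_host and not force:
            raise errors.HostService()

        try:
            hostresult = self.api.Command['host_show'](hostname)['result']
        except errors.NotFound:
            raise errors.NotFound(
                reason=_("The host '%s' does not exist to add a service to.") %
                hostname)

        self.obj.validate_ipakrbauthzdata(entry_attrs)

        # NOTE(review): certificates are only normalised to DER here; no
        # subject check (x509.verify_cert_subject, as done for host entries)
        # is applied to them. Confirm that is intended for service principals.
        certs = options.get('usercertificate', [])
        certs_der = [x509.normalize_certificate(c) for c in certs]
        entry_attrs['usercertificate'] = certs_der

        if not force:
            # We know the host exists if we've gotten this far but we
            # really want to discourage creating services for hosts that
            # don't exist in DNS.
            util.verify_host_resolvable(hostname)
        if 'managedby' not in entry_attrs:
            entry_attrs['managedby'] = hostresult['dn']

        # Enforce ipaKrbPrincipalAlias to aid case-insensitive searches
        # as krbPrincipalName/krbCanonicalName are case-sensitive in Kerberos
        # schema
        entry_attrs['ipakrbprincipalalias'] = keys[-1]

        # Objectclass ipakrbprincipal providing ipakrbprincipalalias is not in
        # in a list of default objectclasses, add it manually
        entry_attrs['objectclass'].append('ipakrbprincipal')

        # set krbcanonicalname attribute to enable principal canonicalization
        util.set_krbcanonicalname(entry_attrs)

        update_krbticketflags(ldap, entry_attrs, attrs_list, options, False)

        return dn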
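    def __add_master_records(self, fqdn, addrs):
        """Publish the DNS records that advertise this server as an IPA master.

        Adds the ``_ldap``, ``_kerberos``, ``_kerberos-master`` and
        ``_kpasswd`` SRV records (plus ``_ntp._udp`` when ``self.ntp`` is set)
        to ``self.domain``, then a forward record for ``fqdn`` in its own
        zone and a PTR record in whatever reverse zone ``find_reverse_zone``
        returns for each address in ``addrs``.

        :param fqdn: fully qualified master hostname; split at the first dot
            into the host label and its zone
        :param addrs: iterable of IP addresses to publish for the master
        """
        host, zone = fqdn.split(".", 1)

        # A master inside the IPA domain can be referenced by its bare label
        # in the SRV targets; one in another zone needs its absolute name.
        if normalize_zone(zone) == normalize_zone(self.domain):
            host_in_rr = host
        else:
            host_in_rr = normalize_zone(fqdn)

        srv_records = (
            ("_ldap._tcp", "0 100 389 %s" % host_in_rr),
            ("_kerberos._tcp", "0 100 88 %s" % host_in_rr),
            ("_kerberos._udp", "0 100 88 %s" % host_in_rr),
            ("_kerberos-master._tcp", "0 100 88 %s" % host_in_rr),
            ("_kerberos-master._udp", "0 100 88 %s" % host_in_rr),
            ("_kpasswd._tcp", "0 100 464 %s" % host_in_rr),
            ("_kpasswd._udp", "0 100 464 %s" % host_in_rr),
        )
        if self.ntp:
            srv_records += (
                ("_ntp._udp", "0 100 123 %s" % host_in_rr),
            )

        for (rname, rdata) in srv_records:
            add_rr(self.domain, rname, "SRV", rdata, self.dns_backup,
                   api=self.api)

        if not dns_zone_exists(zone, self.api):
            # The master's zone is not managed by IPA DNS, so at least warn
            # when the master name does not resolve from here.
            try:
                verify_host_resolvable(fqdn, root_logger)
            except errors.DNSNotARecordError:
                root_logger.warning("Master FQDN (%s) is not resolvable.",
                                    fqdn)

        # Add forward and reverse records to self
        for addr in addrs:
            try:
                add_fwd_rr(zone, host, addr, self.api)
            except errors.NotFound as e:
                # Best effort (presumably the zone is not managed by IPA);
                # do not fail, but leave a trace instead of swallowing it.
                root_logger.debug("Forward record for %s (%s) not added: %s",
                                  fqdn, addr, e)

            reverse_zone = find_reverse_zone(addr, self.api)
            if reverse_zone:
                add_ptr_rr(reverse_zone, addr, fqdn, None, api=self.api)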
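    def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options):
        """Validate a service entry before it is added.

        ``keys[-1]`` is the service principal. Its ``hostname`` must belong
        to an existing host entry (looked up with ``host_show``), otherwise
        ``errors.NotFound`` is raised with a friendlier reason. Adding a
        ``host/`` principal through this path is refused with
        ``errors.HostService`` unless ``force`` is set, and without ``force``
        the hostname must also resolve in DNS.

        The entry is completed with the DER-normalised certificates, a
        ``managedby`` pointing at the host entry (unless supplied), an
        ``ipakrbprincipalalias`` (and its objectclass) for case-insensitive
        searches, a ``krbcanonicalname`` and the Kerberos ticket flags.

        Returns ``dn`` unchanged.
        """
        # Sanity check only; asserts vanish under -O.
        assert isinstance(dn, DN)
        principal = keys[-1]
        hostname = principal.hostname

        # Read 'force' once with a default so both checks below agree: a
        # missing key means "not forced" rather than a KeyError.
        force = options.get('force', False)
        if principal.is_host and not force:
            raise errors.HostService()

        try:
            hostresult = self.api.Command['host_show'](hostname)['result']
        except errors.NotFound:
            raise errors.NotFound(
                reason=_("The host '%s' does not exist to add a service to.") %
                hostname)

        self.obj.validate_ipakrbauthzdata(entry_attrs)

        # NOTE(review): certificates are only normalised to DER here; no
        # subject check (x509.verify_cert_subject, as done for host entries)
        # is applied to them. Confirm that is intended for service principals.
        certs = options.get('usercertificate', [])
        certs_der = [x509.normalize_certificate(c) for c in certs]
        entry_attrs['usercertificate'] = certs_der

        if not force:
            # We know the host exists if we've gotten this far but we
            # really want to discourage creating services for hosts that
            # don't exist in DNS.
            util.verify_host_resolvable(hostname)
        if 'managedby' not in entry_attrs:
            entry_attrs['managedby'] = hostresult['dn']

        # Enforce ipaKrbPrincipalAlias to aid case-insensitive searches
        # as krbPrincipalName/krbCanonicalName are case-sensitive in Kerberos
        # schema
        entry_attrs['ipakrbprincipalalias'] = keys[-1]

        # Objectclass ipakrbprincipal providing ipakrbprincipalalias is not in
        # in a list of default objectclasses, add it manually
        entry_attrs['objectclass'].append('ipakrbprincipal')

        # set krbcanonicalname attribute to enable principal canonicalization
        util.set_krbcanonicalname(entry_attrs)

        update_krbticketflags(ldap, entry_attrs, attrs_list, options, False)

        return dn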
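    def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys,
                     **options):
        """Build the LDAP entry for an SMB (``cifs/``) service.

        ``keys[0]`` is the host FQDN; ``keys[1]``, when given, is the NetBIOS
        name, otherwise the leftmost DNS label of the hostname, upper-cased.
        The host entry must already exist (``host_show``) and the hostname
        must resolve in DNS; unlike other service types there is no ``force``
        escape hatch here.

        The entry gets two principals -- ``cifs/<fqdn>@REALM``, which becomes
        the canonical name, and ``<NETBIOS>$@REALM`` for the machine account --
        plus POSIX attributes: ``uid`` holds the principal components joined
        with ``/`` and the ``$`` account name, ``homeDirectory`` is
        ``/dev/null`` and both id numbers are the ``DNA_MAGIC`` placeholder
        (presumably replaced by the DNA plugin -- verify). ``managedby``
        defaults to the host entry's DN.

        Returns a rewritten ``dn`` whose RDN is ``krbprincipalname`` set to
        the canonical name.
        """
        # Sanity check only; asserts vanish under -O.
        assert isinstance(dn, DN)
        hostname = keys[0]
        if len(keys) == 2:
            netbiosname = keys[1]
        else:
            # By default take leftmost label from the host name
            netbiosname = DNSName.from_text(hostname)[0].decode().upper()

        # SMB service requires existence of the host object
        # because DCE RPC calls authenticated with GSSAPI are using
        # host/.. principal by default for validation
        try:
            hostresult = self.api.Command['host_show'](hostname)['result']
        except errors.NotFound:
            raise errors.NotFound(
                reason=_("The host '%s' does not exist to add a service to.") %
                hostname)

        # We cannot afford the host not being resolvable even for
        # clustered environments with CTDB because the target name
        # has to exist even in that case
        util.verify_host_resolvable(hostname)

        smbaccount = '{name}$'.format(name=netbiosname)
        smbprincipal = 'cifs/{hostname}'.format(hostname=hostname)

        entry_attrs['krbprincipalname'] = [
            str(kerberos.Principal(smbprincipal, realm=self.api.env.realm)),
            str(kerberos.Principal(smbaccount, realm=self.api.env.realm))
        ]

        entry_attrs['krbcanonicalname'] = entry_attrs['krbprincipalname'][0]

        # Rewrite DN using proper rdn and new canonical name because when
        # LDAPCreate.execute() was called, it set DN to krbcanonicalname=$value.
        # The base DN comes from self.api, the same instance that supplied the
        # realm above, rather than the module-level api object.
        dn = DN(('krbprincipalname', entry_attrs['krbcanonicalname']),
                DN(self.obj.container_dn, self.api.env.basedn))

        # Enforce ipaKrbPrincipalAlias to aid case-insensitive searches as
        # krbPrincipalName/krbCanonicalName are case-sensitive in Kerberos
        # schema
        entry_attrs['ipakrbprincipalalias'] = entry_attrs['krbcanonicalname']

        for o in ('ipakrbprincipal', 'ipaidobject', 'krbprincipalaux',
                  'posixaccount'):
            if o not in entry_attrs['objectclass']:
                entry_attrs['objectclass'].append(o)

        entry_attrs['uid'] = [
            '/'.join(kerberos.Principal(smbprincipal).components)
        ]
        entry_attrs['uid'].append(smbaccount)
        entry_attrs['cn'] = netbiosname
        # Never a login account: no usable home, ids allocated elsewhere.
        entry_attrs['homeDirectory'] = '/dev/null'
        entry_attrs['uidNumber'] = DNA_MAGIC
        entry_attrs['gidNumber'] = DNA_MAGIC

        self.obj.validate_ipakrbauthzdata(entry_attrs)

        if 'managedby' not in entry_attrs:
            entry_attrs['managedby'] = hostresult['dn']

        update_krbticketflags(ldap, entry_attrs, attrs_list, options, False)

        return dn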