def add_zone(name, zonemgr=None, dns_backup=None, ns_hostname=None,
update_policy=None, force=False, api=api):
# always normalize zones
name = normalize_zone(name)
if update_policy is None:
if zone_is_reverse(name):
update_policy = get_dns_reverse_zone_update_policy(api.env.realm, name)
else:
update_policy = get_dns_forward_zone_update_policy(api.env.realm)
if zonemgr is None:
zonemgr = 'hostmaster.%s' % name
if ns_hostname:
ns_hostname = normalize_zone(ns_hostname)
ns_hostname = unicode(ns_hostname)
try:
api.Command.dnszone_add(unicode(name),
idnssoamname=ns_hostname,
idnssoarname=unicode(zonemgr),
idnsallowdynupdate=True,
idnsupdatepolicy=unicode(update_policy),
idnsallowquery=u'any',
idnsallowtransfer=u'none',
force=force)
except (errors.DuplicateEntry, errors.EmptyModlist):
pass
def get_reverse_record_name(zone, ip_address):
ip = netaddr.IPAddress(ip_address)
rev = '.' + normalize_zone(zone)
fullrev = '.' + normalize_zone(ip.reverse_dns)
if not fullrev.endswith(rev):
raise ValueError("IP address does not match reverse zone")
return fullrev[1:-len(rev)]
def add_zone(name, zonemgr=None, dns_backup=None, ns_hostname=None, ns_ip_address=None,
update_policy=None, force=False):
if zone_is_reverse(name):
# always normalize reverse zones
name = normalize_zone(name)
if update_policy is None:
if zone_is_reverse(name):
update_policy = get_dns_reverse_zone_update_policy(api.env.realm, name)
else:
update_policy = get_dns_forward_zone_update_policy(api.env.realm)
if zonemgr is None:
zonemgr = 'hostmaster.%s' % name
if ns_hostname is None:
# automatically retrieve list of DNS masters
dns_masters = api.Object.dnsrecord.get_dns_masters()
if not dns_masters:
raise installutils.ScriptError(
"No IPA server with DNS support found!")
ns_main = dns_masters.pop(0)
ns_replicas = dns_masters
else:
ns_main = ns_hostname
ns_replicas = []
ns_main = normalize_zone(ns_main)
if ns_ip_address is not None:
ns_ip_address = unicode(ns_ip_address)
try:
api.Command.dnszone_add(unicode(name),
idnssoamname=unicode(ns_main),
idnssoarname=unicode(zonemgr),
ip_address=ns_ip_address,
idnsallowdynupdate=True,
idnsupdatepolicy=unicode(update_policy),
idnsallowquery=u'any',
idnsallowtransfer=u'none',
force=force)
except (errors.DuplicateEntry, errors.EmptyModlist):
pass
nameservers = ns_replicas + [ns_main]
for hostname in nameservers:
hostname = normalize_zone(hostname)
add_ns_rr(name, hostname, dns_backup=None, force=True)
def remove_server_ns_records(self, fqdn):
"""
Remove all NS records pointing to this server
"""
ldap = api.Backend.ldap2
ns_rdata = normalize_zone(fqdn)
# find all NS records pointing to this server
search_kw = {}
search_kw['nsrecord'] = ns_rdata
attr_filter = ldap.make_filter(search_kw, rules=ldap.MATCH_ALL)
attributes = ['idnsname', 'objectclass']
dn = DN(api.env.container_dns, api.env.basedn)
entries, truncated = ldap.find_entries(attr_filter, attributes, base_dn=dn)
# remove records
if entries:
root_logger.debug("Removing all NS records pointing to %s:", ns_rdata)
for entry in entries:
if 'idnszone' in entry['objectclass']:
# zone record
zone = entry.single_value['idnsname']
root_logger.debug("zone record %s", zone)
del_ns_rr(zone, u'@', ns_rdata)
else:
zone = entry.dn[1].value # get zone from DN
record = entry.single_value['idnsname']
root_logger.debug("record %s in zone %s", record, zone)
del_ns_rr(zone, record, ns_rdata)
def setup(self, fqdn, ip_addresses, realm_name, domain_name, forwarders,
forward_policy, reverse_zones,
named_user=constants.NAMED_USER, zonemgr=None,
no_dnssec_validation=False):
self.named_user = named_user
self.fqdn = fqdn
self.ip_addresses = ip_addresses
self.realm = realm_name
self.domain = domain_name
self.forwarders = forwarders
self.forward_policy = forward_policy
self.host = fqdn.split(".")[0]
self.suffix = ipautil.realm_to_suffix(self.realm)
self.reverse_zones = reverse_zones
self.no_dnssec_validation=no_dnssec_validation
if not zonemgr:
self.zonemgr = 'hostmaster.%s' % normalize_zone(self.domain)
else:
self.zonemgr = normalize_zonemgr(zonemgr)
self.first_instance = not dns_container_exists(
self.fqdn, self.suffix, realm=self.realm, ldapi=True)
self.__setup_sub_dict()
def remove_master_dns_records(self, fqdn, realm_name, domain_name):
host, zone = fqdn.split(".", 1)
self.host = host
self.fqdn = fqdn
self.domain = domain_name
suffix = ipautil.realm_to_suffix(realm_name)
resource_records = (
("_ldap._tcp", "SRV", "0 100 389 %s" % self.host_in_rr),
("_kerberos._tcp", "SRV", "0 100 88 %s" % self.host_in_rr),
("_kerberos._udp", "SRV", "0 100 88 %s" % self.host_in_rr),
("_kerberos-master._tcp", "SRV", "0 100 88 %s" % self.host_in_rr),
("_kerberos-master._udp", "SRV", "0 100 88 %s" % self.host_in_rr),
("_kpasswd._tcp", "SRV", "0 100 464 %s" % self.host_in_rr),
("_kpasswd._udp", "SRV", "0 100 464 %s" % self.host_in_rr),
("_ntp._udp", "SRV", "0 100 123 %s" % self.host_in_rr),
)
for (record, type, rdata) in resource_records:
del_rr(self.domain, record, type, rdata)
areclist = get_fwd_rr(zone, host)
for rdata in areclist:
del_fwd_rr(zone, host, rdata)
rzone = find_reverse_zone(rdata)
if rzone is not None:
record = get_reverse_record_name(rzone, rdata)
del_rr(rzone, record, "PTR", normalize_zone(fqdn))
def setup(self, fqdn, ip_addresses, realm_name, domain_name, forwarders, ntp,
reverse_zones, named_user="******", zonemgr=None,
ca_configured=None, no_dnssec_validation=False):
self.named_user = named_user
self.fqdn = fqdn
self.ip_addresses = ip_addresses
self.realm = realm_name
self.domain = domain_name
self.forwarders = forwarders
self.host = fqdn.split(".")[0]
self.suffix = ipautil.realm_to_suffix(self.realm)
self.ntp = ntp
self.reverse_zones = reverse_zones
self.ca_configured = ca_configured
self.no_dnssec_validation=no_dnssec_validation
if not zonemgr:
self.zonemgr = 'hostmaster.%s' % normalize_zone(self.domain)
else:
self.zonemgr = normalize_zonemgr(zonemgr)
self.first_instance = not dns_container_exists(
self.fqdn, self.suffix, realm=self.realm, ldapi=True,
dm_password=self.dm_password, autobind=self.autobind)
self.__setup_sub_dict()
def __add_dns_service_records(self):
"""
Add DNS service records for Windows if DNS is enabled and the DNS zone
is managed. If there are already service records for LDAP and Kerberos
their values are used. Otherwise default values are used.
"""
zone = self.domain_name
host_in_rr = normalize_zone(self.fqdn)
priority = 0
ipa_srv_rec = (
("_ldap._tcp", [self.srv_rec(host_in_rr, 389, priority)], 389),
("_kerberos._tcp", [self.srv_rec(host_in_rr, 88, priority)], 88),
("_kerberos._udp", [self.srv_rec(host_in_rr, 88, priority)], 88),
)
win_srv_suffix = (".Default-First-Site-Name._sites.dc._msdcs",
".dc._msdcs")
err_msg = None
if self.no_msdcs:
err_msg = '--no-msdcs was given, special DNS service records ' \
'are not added to local DNS server'
else:
ret = api.Command['dns_is_enabled']()
if not ret['result']:
err_msg = "DNS management was not enabled at install time."
else:
if not dns_zone_exists(zone):
err_msg = "DNS zone %s cannot be managed " \
"as it is not defined in IPA" % zone
if err_msg:
self.print_msg(err_msg)
self.print_msg("Add the following service records to your DNS " \
"server for DNS zone %s: " % zone)
for suff in win_srv_suffix:
for srv in ipa_srv_rec:
self.print_msg("%s%s IN SRV %s" % (srv[0], suff, " ".join(srv[1])))
self.print_msg("")
return
for (srv, rdata, port) in ipa_srv_rec:
cifs_rdata = list()
for fqdn in self.cifs_hosts:
cifs_srv = self.srv_rec(fqdn, port, priority)
cifs_rdata.append(cifs_srv)
cifs_rdata.extend(rdata)
for suff in win_srv_suffix:
win_srv = srv+suff
win_rdata = get_rr(zone, win_srv, "SRV")
if win_rdata:
for rec in win_rdata:
del_rr(zone, win_srv, "SRV", rec)
for rec in cifs_rdata:
add_rr(zone, win_srv, "SRV", rec)
def __add_self_ns(self):
# add NS record to all zones
ns_hostname = normalize_zone(api.env.host)
result = api.Command.dnszone_find()
for zone in result['result']:
zone = unicode(zone['idnsname'][0]) # we need unicode due to backup
root_logger.debug("adding self NS to zone %s apex", zone)
add_ns_rr(zone, ns_hostname, self.dns_backup, force=True)
def check_reverse_zones(ip_addresses, reverse_zones, options, unattended,
search_reverse_zones=False):
checked_reverse_zones = []
if (not options.no_reverse and not reverse_zones
and not options.auto_reverse):
if unattended:
options.no_reverse = True
else:
options.no_reverse = not create_reverse()
# shortcut
if options.no_reverse:
return []
# verify zones passed in options
for rz in reverse_zones:
# isn't the zone managed by someone else
if not options.allow_zone_overlap:
try:
ipautil.check_zone_overlap(rz)
except ValueError as e:
msg = "Reverse zone %s will not be used: %s" % (rz, e)
if unattended:
sys.exit(msg)
else:
root_logger.warning(msg)
continue
checked_reverse_zones.append(normalize_zone(rz))
# check that there is reverse zone for every IP
ips_missing_reverse = []
for ip in ip_addresses:
if search_reverse_zones and find_reverse_zone(str(ip)):
# reverse zone is already in LDAP
continue
for rz in checked_reverse_zones:
if verify_reverse_zone(rz, ip):
# reverse zone was entered by user
break
else:
ips_missing_reverse.append(ip)
# create reverse zone for IP addresses that does not have one
for (ip, rz) in get_auto_reverse_zones(ips_missing_reverse):
if options.auto_reverse:
root_logger.info("Reverse zone %s will be created" % rz)
checked_reverse_zones.append(rz)
elif unattended:
root_logger.warning("Missing reverse record for IP address %s"
% ip)
else:
if ipautil.user_input("Do you want to create reverse zone for IP "
"%s" % ip, True):
rz = read_reverse_zone(rz, str(ip), options.allow_zone_overlap)
checked_reverse_zones.append(rz)
return checked_reverse_zones
def read_reverse_zone(default, ip_address):
while True:
zone = ipautil.user_input("Please specify the reverse zone name", default=default)
if not zone:
return None
if verify_reverse_zone(zone, ip_address):
break
return normalize_zone(zone)
def __add_master_records(self, fqdn, addrs):
host, zone = fqdn.split(".", 1)
if normalize_zone(zone) == normalize_zone(self.domain):
host_in_rr = host
else:
host_in_rr = normalize_zone(fqdn)
srv_records = (
("_ldap._tcp", "0 100 389 %s" % host_in_rr),
("_kerberos._tcp", "0 100 88 %s" % host_in_rr),
("_kerberos._udp", "0 100 88 %s" % host_in_rr),
("_kerberos-master._tcp", "0 100 88 %s" % host_in_rr),
("_kerberos-master._udp", "0 100 88 %s" % host_in_rr),
("_kpasswd._tcp", "0 100 464 %s" % host_in_rr),
("_kpasswd._udp", "0 100 464 %s" % host_in_rr),
)
if self.ntp:
srv_records += (
("_ntp._udp", "0 100 123 %s" % host_in_rr),
)
for (rname, rdata) in srv_records:
add_rr(self.domain, rname, "SRV", rdata, self.dns_backup,
api=self.api)
if not dns_zone_exists(zone, self.api):
# check if master hostname is resolvable
try:
verify_host_resolvable(fqdn, root_logger)
except errors.DNSNotARecordError:
root_logger.warning("Master FQDN (%s) is not resolvable.",
fqdn)
# Add forward and reverse records to self
for addr in addrs:
try:
add_fwd_rr(zone, host, addr, self.api)
except errors.NotFound as e:
pass
reverse_zone = find_reverse_zone(addr, self.api)
if reverse_zone:
add_ptr_rr(reverse_zone, addr, fqdn, None, api=self.api)
def find_reverse_zone(ip_address, api=api):
ip = netaddr.IPAddress(ip_address)
zone = normalize_zone(ip.reverse_dns)
while len(zone) > 0:
if dns_zone_exists(zone, api):
return zone
zone = zone.partition('.')[2]
return None
def find_reverse_zone(ip_address, api=api):
ip = netaddr.IPAddress(ip_address)
zone = normalize_zone(ip.reverse_dns)
while len(zone) > 0:
if dns_zone_exists(zone, api):
return zone
foo, bar, zone = zone.partition('.')
return None
def find_reverse_zone(ip_address):
ip = netaddr.IPAddress(ip_address)
zone = normalize_zone(ip.reverse_dns)
while len(zone) > 0:
if dns_zone_exists(zone):
return zone
foo, bar, zone = zone.partition('.')
return None
def __add_master_records(self, fqdn, addrs):
host, zone = fqdn.split(".", 1)
if normalize_zone(zone) == normalize_zone(self.domain):
host_in_rr = host
else:
host_in_rr = normalize_zone(fqdn)
srv_records = (
("_ldap._tcp", "0 100 389 %s" % host_in_rr),
("_kerberos._tcp", "0 100 88 %s" % host_in_rr),
("_kerberos._udp", "0 100 88 %s" % host_in_rr),
("_kerberos-master._tcp", "0 100 88 %s" % host_in_rr),
("_kerberos-master._udp", "0 100 88 %s" % host_in_rr),
("_kpasswd._tcp", "0 100 464 %s" % host_in_rr),
("_kpasswd._udp", "0 100 464 %s" % host_in_rr),
)
if self.ntp:
srv_records += (
("_ntp._udp", "0 100 123 %s" % host_in_rr),
)
for (rname, rdata) in srv_records:
add_rr(self.domain, rname, "SRV", rdata, self.dns_backup, self.api)
if not dns_zone_exists(zone, self.api):
# add DNS domain for host first
root_logger.debug(
"Host domain (%s) is different from DNS domain (%s)!" % (
zone, self.domain))
root_logger.debug("Add DNS zone for host first.")
add_zone(zone, self.zonemgr, dns_backup=self.dns_backup,
ns_hostname=self.fqdn, force=True, api=self.api)
# Add forward and reverse records to self
for addr in addrs:
add_fwd_rr(zone, host, addr, self.api)
reverse_zone = find_reverse_zone(addr, self.api)
if reverse_zone:
add_ptr_rr(reverse_zone, addr, fqdn, None, self.api)
def __add_master_records(self, fqdn, addrs):
host, zone = fqdn.split(".", 1)
if normalize_zone(zone) == normalize_zone(self.domain):
host_in_rr = host
else:
host_in_rr = normalize_zone(fqdn)
srv_records = (
("_ldap._tcp", "0 100 389 %s" % host_in_rr),
("_kerberos._tcp", "0 100 88 %s" % host_in_rr),
("_kerberos._udp", "0 100 88 %s" % host_in_rr),
("_kerberos-master._tcp", "0 100 88 %s" % host_in_rr),
("_kerberos-master._udp", "0 100 88 %s" % host_in_rr),
("_kpasswd._tcp", "0 100 464 %s" % host_in_rr),
("_kpasswd._udp", "0 100 464 %s" % host_in_rr),
)
if self.ntp:
srv_records += (
("_ntp._udp", "0 100 123 %s" % host_in_rr),
)
for (rname, rdata) in srv_records:
add_rr(self.domain, rname, "SRV", rdata, self.dns_backup, self.api)
if not dns_zone_exists(zone, self.api):
# add DNS domain for host first
root_logger.debug(
"Host domain (%s) is different from DNS domain (%s)!" % (
zone, self.domain))
root_logger.debug("Add DNS zone for host first.")
add_zone(zone, self.zonemgr, dns_backup=self.dns_backup,
ns_hostname=self.fqdn, force=True, api=self.api)
# Add forward and reverse records to self
for addr in addrs:
add_fwd_rr(zone, host, addr, self.api)
reverse_zone = find_reverse_zone(addr, self.api)
if reverse_zone:
add_ptr_rr(reverse_zone, addr, fqdn, None, self.api)
def read_reverse_zone(default, ip_address):
while True:
zone = ipautil.user_input("Please specify the reverse zone name", default=default)
if not zone:
return None
if verify_reverse_zone(zone, ip_address):
break
else:
print "Invalid reverse zone %s for IP address %s" % (zone, ip_address)
return normalize_zone(zone)
def read_reverse_zone(default, ip_address):
while True:
zone = ipautil.user_input("Please specify the reverse zone name", default=default)
if not zone:
return None
if verify_reverse_zone(zone, ip_address):
break
else:
print "Invalid reverse zone %s for IP address %s" % (zone, ip_address)
return normalize_zone(zone)
def __add_self_ns(self):
# add NS record to all zones
ns_hostname = normalize_zone(self.api.env.host)
result = self.api.Command.dnszone_find()
for zone in result['result']:
zone = unicode(
zone['idnsname'][0]) # we need unicode due to backup
root_logger.debug("adding self NS to zone %s apex", zone)
add_ns_rr(zone,
ns_hostname,
self.dns_backup,
force=True,
api=self.api)
def add_zone(name,
zonemgr=None,
dns_backup=None,
ns_hostname=None,
update_policy=None,
force=False,
skip_overlap_check=False,
api=api):
# always normalize zones
name = normalize_zone(name)
if update_policy is None:
if zone_is_reverse(name):
update_policy = get_dns_reverse_zone_update_policy(
api.env.realm, name)
else:
update_policy = get_dns_forward_zone_update_policy(api.env.realm)
if zonemgr is None:
zonemgr = 'hostmaster.%s' % name
if ns_hostname:
ns_hostname = normalize_zone(ns_hostname)
ns_hostname = unicode(ns_hostname)
try:
api.Command.dnszone_add(unicode(name),
idnssoamname=ns_hostname,
idnssoarname=unicode(zonemgr),
idnsallowdynupdate=True,
idnsupdatepolicy=unicode(update_policy),
idnsallowquery=u'any',
idnsallowtransfer=u'none',
skip_overlap_check=skip_overlap_check,
force=force)
except (errors.DuplicateEntry, errors.EmptyModlist):
pass
def remove_master_dns_records(self, fqdn, realm_name, domain_name):
host, zone = fqdn.split(".", 1)
self.host = host
self.fqdn = fqdn
self.domain = domain_name
areclist = get_fwd_rr(zone, host, api=self.api)
for rdata in areclist:
del_fwd_rr(zone, host, rdata, api=self.api)
rzone = find_reverse_zone(rdata)
if rzone is not None:
record = get_reverse_record_name(rzone, rdata)
del_rr(rzone, record, "PTR", normalize_zone(fqdn),
api=self.api)
self.update_system_records()
def remove_master_dns_records(self, fqdn, realm_name, domain_name):
host, zone = fqdn.split(".", 1)
self.host = host
self.fqdn = fqdn
self.domain = domain_name
areclist = get_fwd_rr(zone, host, api=self.api)
for rdata in areclist:
del_fwd_rr(zone, host, rdata, api=self.api)
rzone = find_reverse_zone(rdata)
if rzone is not None:
record = get_reverse_record_name(rzone, rdata)
del_rr(rzone, record, "PTR", normalize_zone(fqdn),
api=self.api)
self.update_system_records()
def read_reverse_zone(default, ip_address, allow_zone_overlap=False):
while True:
zone = ipautil.user_input("Please specify the reverse zone name", default=default)
if not zone:
return None
if not verify_reverse_zone(zone, ip_address):
logger.error("Invalid reverse zone %s for IP address %s",
zone, ip_address)
continue
if not allow_zone_overlap:
try:
dnsutil.check_zone_overlap(zone, raise_on_error=False)
except dnsutil.DNSZoneAlreadyExists as e:
logger.error("Reverse zone %s will not be used: %s",
zone, e)
continue
break
return normalize_zone(zone)
def read_reverse_zone(default, ip_address, allow_zone_overlap=False):
while True:
zone = ipautil.user_input("Please specify the reverse zone name", default=default)
if not zone:
return None
if not verify_reverse_zone(zone, ip_address):
logger.error("Invalid reverse zone %s for IP address %s",
zone, ip_address)
continue
if not allow_zone_overlap:
try:
dnsutil.check_zone_overlap(zone, raise_on_error=False)
except ValueError as e:
logger.error("Reverse zone %s will not be used: %s",
zone, e)
continue
break
return normalize_zone(zone)
def setup(self, fqdn, ip_addresses, realm_name, domain_name, forwarders,
forward_policy, reverse_zones, zonemgr=None,
no_dnssec_validation=False):
"""Setup bindinstance for installation
"""
self.setup_templating(
fqdn=fqdn,
realm_name=realm_name,
domain_name=domain_name,
no_dnssec_validation=no_dnssec_validation
)
self.ip_addresses = ip_addresses
self.forwarders = forwarders
self.forward_policy = forward_policy
self.reverse_zones = reverse_zones
if not zonemgr:
self.zonemgr = 'hostmaster.%s' % normalize_zone(self.domain)
else:
self.zonemgr = normalize_zonemgr(zonemgr)
def __check_replica(self):
try:
cifs_services = DN(api.env.container_service, self.suffix)
# Search for cifs services which also belong to adtrust agents, these are our DCs
res = self.admin_conn.get_entries(cifs_services,
ldap.SCOPE_ONELEVEL,
"(&(krbprincipalname=cifs/*@%s)(memberof=%s))" % (self.realm, str(self.smb_dn)))
if len(res) > 1:
# there are other CIFS services defined, we are not alone
for entry in res:
managedBy = entry.single_value.get('managedBy')
if managedBy:
fqdn = DN(managedBy)['fqdn']
if fqdn != unicode(self.fqdn):
# this is CIFS service of a different host in our
# REALM, we need to remember it to announce via
# SRV records for _msdcs
self.cifs_hosts.append(normalize_zone(fqdn))
except Exception as e:
root_logger.critical("Checking replicas for cifs principals failed with error '%s'" % e)
def check_reverse_zones(ip_addresses, reverse_zones, options, unattended, search_reverse_zones=False):
reverse_asked = False
ret_reverse_zones = []
# check that there is IP address in every reverse zone
if reverse_zones:
for rz in reverse_zones:
for ip in ip_addresses:
if verify_reverse_zone(rz, ip):
ret_reverse_zones.append(normalize_zone(rz))
break
else:
# no ip matching reverse zone found
sys.exit("There is no IP address matching reverse zone %s." % rz)
if not options.no_reverse:
# check that there is reverse zone for every IP
for ip in ip_addresses:
if search_reverse_zones and find_reverse_zone(str(ip)):
# reverse zone is already in LDAP
continue
for rz in ret_reverse_zones:
if verify_reverse_zone(rz, ip):
# reverse zone was entered by user
break
else:
# no reverse zone for ip found
if not reverse_asked:
if not unattended and not reverse_zones:
# user did not specify reverse_zone nor no_reverse
options.no_reverse = not create_reverse()
if options.no_reverse:
# user decided not to create reverse zone
return []
reverse_asked = True
rz = get_reverse_zone_default(str(ip))
if not unattended:
rz = read_reverse_zone(rz, str(ip))
ret_reverse_zones.append(rz)
return ret_reverse_zones
def check_reverse_zones(ip_addresses, reverse_zones, options, unattended, search_reverse_zones=False):
reverse_asked = False
ret_reverse_zones = []
# check that there is IP address in every reverse zone
if reverse_zones:
for rz in reverse_zones:
for ip in ip_addresses:
if verify_reverse_zone(rz, ip):
ret_reverse_zones.append(normalize_zone(rz))
break
else:
# no ip matching reverse zone found
sys.exit("There is no IP address matching reverse zone %s." % rz)
if not options.no_reverse:
# check that there is reverse zone for every IP
for ip in ip_addresses:
if search_reverse_zones and find_reverse_zone(str(ip)):
# reverse zone is already in LDAP
continue
for rz in ret_reverse_zones:
if verify_reverse_zone(rz, ip):
# reverse zone was entered by user
break
else:
# no reverse zone for ip found
if not reverse_asked:
if not unattended and not reverse_zones:
# user did not specify reverse_zone nor no_reverse
options.no_reverse = not create_reverse()
if options.no_reverse:
# user decided not to create reverse zone
return []
reverse_asked = True
rz = get_reverse_zone_default(str(ip))
if not unattended:
rz = read_reverse_zone(rz, str(ip))
ret_reverse_zones.append(rz)
return ret_reverse_zones
def __check_replica(self):
try:
cifs_services = DN(api.env.container_service, self.suffix)
# Search for cifs services which also belong to adtrust agents, these are our DCs
res = api.Backend.ldap2.get_entries(cifs_services,
ldap.SCOPE_ONELEVEL,
"(&(krbprincipalname=cifs/*@%s)(memberof=%s))" % (self.realm, str(self.smb_dn)))
if len(res) > 1:
# there are other CIFS services defined, we are not alone
for entry in res:
managedBy = entry.single_value.get('managedBy')
if managedBy:
fqdn = DN(managedBy)['fqdn']
if fqdn != unicode(self.fqdn):
# this is CIFS service of a different host in our
# REALM, we need to remember it to announce via
# SRV records for _msdcs
self.cifs_hosts.append(normalize_zone(fqdn))
except Exception as e:
logger.critical("Checking replicas for cifs principals failed "
"with error '%s'", e)
def setup(self,
fqdn,
ip_addresses,
realm_name,
domain_name,
forwarders,
forward_policy,
reverse_zones,
named_user=constants.NAMED_USER,
zonemgr=None,
no_dnssec_validation=False):
self.named_user = named_user
self.fqdn = fqdn
self.ip_addresses = ip_addresses
self.realm = realm_name
self.domain = domain_name
self.forwarders = forwarders
self.forward_policy = forward_policy
self.host = fqdn.split(".")[0]
self.suffix = ipautil.realm_to_suffix(self.realm)
self.reverse_zones = reverse_zones
self.no_dnssec_validation = no_dnssec_validation
if not zonemgr:
self.zonemgr = 'hostmaster.%s' % normalize_zone(self.domain)
else:
self.zonemgr = normalize_zonemgr(zonemgr)
self.first_instance = not dns_container_exists(
self.fqdn,
self.suffix,
realm=self.realm,
ldapi=True,
dm_password=self.dm_password,
autobind=self.autobind)
self.__setup_sub_dict()
def add_ns_rr(zone, hostname, dns_backup=None, force=True):
hostname = normalize_zone(hostname)
add_rr(zone, "@", "NS", hostname, dns_backup=dns_backup,
force=force)
def add_ptr_rr(zone, ip_address, fqdn, dns_backup=None, api=api):
name = get_reverse_record_name(zone, ip_address)
add_rr(zone, name, "PTR", normalize_zone(fqdn), dns_backup, api)
def host_in_rr(self):
# when a host is not in a default domain, it needs to be referred
# with FQDN and not in a domain-relative host name
if not self.host_in_default_domain():
return normalize_zone(self.fqdn)
return self.host
def __add_dns_service_records(self):
"""
Add DNS service records for Windows if DNS is enabled and the DNS zone
is managed. If there are already service records for LDAP and Kerberos
their values are used. Otherwise default values are used.
"""
zone = self.domain_name
host, host_domain = self.fqdn.split(".", 1)
if normalize_zone(zone) == normalize_zone(host_domain):
host_in_rr = host
else:
host_in_rr = normalize_zone(self.fqdn)
priority = 0
ipa_srv_rec = (
("_ldap._tcp", [self.srv_rec(host_in_rr, 389, priority)], 389),
("_kerberos._tcp", [self.srv_rec(host_in_rr, 88, priority)], 88),
("_kerberos._udp", [self.srv_rec(host_in_rr, 88, priority)], 88),
)
win_srv_suffix = (".Default-First-Site-Name._sites.dc._msdcs",
".dc._msdcs")
err_msg = None
if self.no_msdcs:
err_msg = '--no-msdcs was given, special DNS service records ' \
'are not added to local DNS server'
else:
ret = api.Command['dns_is_enabled']()
if not ret['result']:
err_msg = "DNS management was not enabled at install time."
else:
if not dns_zone_exists(zone):
err_msg = "DNS zone %s cannot be managed " \
"as it is not defined in IPA" % zone
if err_msg:
self.print_msg(err_msg)
self.print_msg("Add the following service records to your DNS " \
"server for DNS zone %s: " % zone)
for srv in ipa_srv_rec:
for suff in win_srv_suffix:
self.print_msg(" - %s%s" % (srv[0], suff))
return
for (srv, rdata, port) in ipa_srv_rec:
cifs_rdata = list()
for fqdn in self.cifs_hosts:
cifs_srv = self.srv_rec(fqdn, port, priority)
cifs_rdata.append(cifs_srv)
cifs_rdata.extend(rdata)
for suff in win_srv_suffix:
win_srv = srv + suff
win_rdata = get_rr(zone, win_srv, "SRV")
if win_rdata:
for rec in win_rdata:
del_rr(zone, win_srv, "SRV", rec)
for rec in cifs_rdata:
add_rr(zone, win_srv, "SRV", rec)
def add_ns_rr(zone, hostname, dns_backup=None, force=True, api=api):
hostname = normalize_zone(hostname)
add_rr(zone, "@", "NS", hostname, dns_backup=dns_backup,
force=force, api=api)
def install_check(standalone, api, replica, options, hostname):
global ip_addresses
global reverse_zones
fstore = sysrestore.FileStore(paths.SYSRESTORE)
if not ipautil.file_exists(paths.IPA_DNS_INSTALL):
raise RuntimeError("Integrated DNS requires '%s' package" %
constants.IPA_DNS_PACKAGE_NAME)
# when installing first DNS instance we need to check zone overlap
if replica or standalone:
already_enabled = api.Command.dns_is_enabled()['result']
else:
already_enabled = False
if not already_enabled:
domain = dnsutil.DNSName(util.normalize_zone(api.env.domain))
print("Checking DNS domain %s, please wait ..." % domain)
try:
dnsutil.check_zone_overlap(domain, raise_on_error=False)
except ValueError as e:
if options.force or options.allow_zone_overlap:
root_logger.warning("%s Please make sure that the domain is "
"properly delegated to this IPA server.",
e.message)
else:
raise e
for reverse_zone in options.reverse_zones:
try:
dnsutil.check_zone_overlap(reverse_zone)
except ValueError as e:
if options.force or options.allow_zone_overlap:
root_logger.warning(e.message)
else:
raise e
if standalone:
print("==============================================================================")
print("This program will setup DNS for the FreeIPA Server.")
print("")
print("This includes:")
print(" * Configure DNS (bind)")
print(" * Configure SoftHSM (required by DNSSEC)")
print(" * Configure ipa-dnskeysyncd (required by DNSSEC)")
if options.dnssec_master:
print(" * Configure ipa-ods-exporter (required by DNSSEC key master)")
print(" * Configure OpenDNSSEC (required by DNSSEC key master)")
print(" * Generate DNSSEC master key (required by DNSSEC key master)")
elif options.disable_dnssec_master:
print(" * Unconfigure ipa-ods-exporter")
print(" * Unconfigure OpenDNSSEC")
print("")
print("No new zones will be signed without DNSSEC key master IPA server.")
print("")
print(("Please copy file from %s after uninstallation. This file is needed "
"on new DNSSEC key " % paths.IPA_KASP_DB_BACKUP))
print("master server")
print("")
print("NOTE: DNSSEC zone signing is not enabled by default")
print("")
if options.dnssec_master:
print("Plan carefully, replacing DNSSEC key master is not recommended")
print("")
print("")
print("To accept the default shown in brackets, press the Enter key.")
print("")
if (options.dnssec_master and not options.unattended and not
ipautil.user_input(
"Do you want to setup this IPA server as DNSSEC key master?",
False)):
sys.exit("Aborted")
elif (options.disable_dnssec_master and not options.unattended and not
ipautil.user_input(
"Do you want to disable current DNSSEC key master?",
False)):
sys.exit("Aborted")
if options.disable_dnssec_master:
_is_master()
if options.disable_dnssec_master or options.dnssec_master:
dnssec_zones = _find_dnssec_enabled_zones(api.Backend.ldap2)
if options.disable_dnssec_master:
if dnssec_zones and not options.force:
raise RuntimeError(
"Cannot disable DNSSEC key master, DNSSEC signing is still "
"enabled for following zone(s):\n"
"%s\n"
"It is possible to move DNSSEC key master role to a different "
"server by using --force option to skip this check.\n\n"
"WARNING: You have to immediatelly copy kasp.db file to a new "
"server and run command 'ipa-dns-install --dnssec-master "
"--kasp-db'.\n"
"Your DNS zones will become unavailable if you "
"do not reinstall the DNSSEC key master role immediatelly." %
", ".join([str(zone) for zone in dnssec_zones]))
elif options.dnssec_master:
ods = opendnssecinstance.OpenDNSSECInstance(fstore)
ods.realm = api.env.realm
dnssec_masters = ods.get_masters()
# we can reinstall current server if it is dnssec master
if dnssec_masters and api.env.host not in dnssec_masters:
print("DNSSEC key master(s):", u','.join(dnssec_masters))
raise ScriptError(
"Only one DNSSEC key master is supported in current version.")
if options.kasp_db_file:
dnskeysyncd = services.service('ipa-dnskeysyncd')
if not dnskeysyncd.is_installed():
raise RuntimeError("ipa-dnskeysyncd is not configured on this "
"server, you cannot reuse OpenDNSSEC "
"database (kasp.db file)")
# check if replica can be the DNSSEC master
cmd = [paths.IPA_DNSKEYSYNCD_REPLICA]
environment = {
"SOFTHSM2_CONF": paths.DNSSEC_SOFTHSM2_CONF,
}
# stop dnskeysyncd before test
dnskeysyncd_running = dnskeysyncd.is_running()
dnskeysyncd.stop()
try:
ipautil.run(cmd, env=environment,
runas=constants.ODS_USER,
suplementary_groups=[constants.NAMED_GROUP])
except CalledProcessError as e:
root_logger.debug("%s", e)
raise RuntimeError("This IPA server cannot be promoted to "
"DNSSEC master role because some keys were "
"not replicated from the original "
"DNSSEC master server")
finally:
if dnskeysyncd_running:
dnskeysyncd.start()
elif dnssec_zones and not options.force:
# some zones have --dnssec=true, make sure a user really want to
# install new database
raise RuntimeError(
"DNSSEC signing is already enabled for following zone(s): %s\n"
"Installation cannot continue without the OpenDNSSEC database "
"file from the original DNSSEC master server.\n"
"Please use option --kasp-db to specify location "
"of the kasp.db file copied from the original "
"DNSSEC master server.\n"
"WARNING: Zones will become unavailable if you do not provide "
"the original kasp.db file." %
", ".join([str(zone) for zone in dnssec_zones]))
ip_addresses = get_server_ip_address(hostname, options.unattended,
True, options.ip_addresses)
util.network_ip_address_warning(ip_addresses)
util.broadcast_ip_address_warning(ip_addresses)
if not options.forward_policy:
# user did not specify policy, derive it: default is 'first' but
# if any of local IP addresses belongs to private ranges use 'only'
options.forward_policy = 'first'
for ip in ip_addresses:
if dnsutil.inside_auto_empty_zone(dnsutil.DNSName(ip.reverse_dns)):
options.forward_policy = 'only'
root_logger.debug('IP address %s belongs to a private range, '
'using forward policy only', ip)
break
if options.no_forwarders:
options.forwarders = []
elif options.forwarders or options.auto_forwarders:
if not options.forwarders:
options.forwarders = []
if options.auto_forwarders:
options.forwarders += resolver.get_default_resolver().nameservers
elif standalone or not replica:
options.forwarders = read_dns_forwarders()
# test DNSSEC forwarders
if options.forwarders:
if (not bindinstance.check_forwarders(options.forwarders,
root_logger)
and not options.no_dnssec_validation):
options.no_dnssec_validation = True
print("WARNING: DNSSEC validation will be disabled")
root_logger.debug("will use DNS forwarders: %s\n", options.forwarders)
if not standalone:
search_reverse_zones = False
else:
search_reverse_zones = True
if not standalone and replica:
reverse_zones_unattended_check = True
else:
reverse_zones_unattended_check = options.unattended
reverse_zones = bindinstance.check_reverse_zones(
ip_addresses, options.reverse_zones, options,
reverse_zones_unattended_check, search_reverse_zones
)
if reverse_zones:
print("Using reverse zone(s) %s" % ', '.join(reverse_zones))
def install_check(standalone, api, replica, options, hostname):
global ip_addresses
global reverse_zones
fstore = sysrestore.FileStore(paths.SYSRESTORE)
if not os.path.isfile(paths.IPA_DNS_INSTALL):
raise RuntimeError("Integrated DNS requires '%s' package" %
constants.IPA_DNS_PACKAGE_NAME)
# when installing first DNS instance we need to check zone overlap
if replica or standalone:
already_enabled = api.Command.dns_is_enabled()['result']
else:
already_enabled = False
if not already_enabled:
domain = dnsutil.DNSName(util.normalize_zone(api.env.domain))
print("Checking DNS domain %s, please wait ..." % domain)
try:
dnsutil.check_zone_overlap(domain, raise_on_error=False)
except ValueError as e:
if options.force or options.allow_zone_overlap:
logger.warning("%s Please make sure that the domain is "
"properly delegated to this IPA server.",
e)
else:
raise e
for reverse_zone in options.reverse_zones:
try:
dnsutil.check_zone_overlap(reverse_zone)
except ValueError as e:
if options.force or options.allow_zone_overlap:
logger.warning('%s', six.text_type(e))
else:
raise e
if standalone:
print("==============================================================================")
print("This program will setup DNS for the FreeIPA Server.")
print("")
print("This includes:")
print(" * Configure DNS (bind)")
print(" * Configure SoftHSM (required by DNSSEC)")
print(" * Configure ipa-dnskeysyncd (required by DNSSEC)")
if options.dnssec_master:
print(" * Configure ipa-ods-exporter (required by DNSSEC key master)")
print(" * Configure OpenDNSSEC (required by DNSSEC key master)")
print(" * Generate DNSSEC master key (required by DNSSEC key master)")
elif options.disable_dnssec_master:
print(" * Unconfigure ipa-ods-exporter")
print(" * Unconfigure OpenDNSSEC")
print("")
print("No new zones will be signed without DNSSEC key master IPA server.")
print("")
print(("Please copy file from %s after uninstallation. This file is needed "
"on new DNSSEC key " % paths.IPA_KASP_DB_BACKUP))
print("master server")
print("")
print("NOTE: DNSSEC zone signing is not enabled by default")
print("")
if options.dnssec_master:
print("Plan carefully, replacing DNSSEC key master is not recommended")
print("")
print("")
print("To accept the default shown in brackets, press the Enter key.")
print("")
if (options.dnssec_master and not options.unattended and not
ipautil.user_input(
"Do you want to setup this IPA server as DNSSEC key master?",
False)):
sys.exit("Aborted")
elif (options.disable_dnssec_master and not options.unattended and not
ipautil.user_input(
"Do you want to disable current DNSSEC key master?",
False)):
sys.exit("Aborted")
if options.disable_dnssec_master:
_is_master()
if options.disable_dnssec_master or options.dnssec_master:
dnssec_zones = _find_dnssec_enabled_zones(api.Backend.ldap2)
if options.disable_dnssec_master:
if dnssec_zones and not options.force:
raise RuntimeError(
"Cannot disable DNSSEC key master, DNSSEC signing is still "
"enabled for following zone(s):\n"
"%s\n"
"It is possible to move DNSSEC key master role to a different "
"server by using --force option to skip this check.\n\n"
"WARNING: You have to immediately copy kasp.db file to a new "
"server and run command 'ipa-dns-install --dnssec-master "
"--kasp-db'.\n"
"Your DNS zones will become unavailable if you "
"do not reinstall the DNSSEC key master role immediately." %
", ".join([str(zone) for zone in dnssec_zones]))
elif options.dnssec_master:
ods = opendnssecinstance.OpenDNSSECInstance(fstore)
ods.realm = api.env.realm
dnssec_masters = ods.get_masters()
# we can reinstall current server if it is dnssec master
if dnssec_masters and api.env.host not in dnssec_masters:
print("DNSSEC key master(s):", u','.join(dnssec_masters))
raise ScriptError(
"Only one DNSSEC key master is supported in current version.")
if options.kasp_db_file:
dnskeysyncd = services.service('ipa-dnskeysyncd', api)
if not dnskeysyncd.is_installed():
raise RuntimeError("ipa-dnskeysyncd is not configured on this "
"server, you cannot reuse OpenDNSSEC "
"database (kasp.db file)")
# check if replica can be the DNSSEC master
cmd = [paths.IPA_DNSKEYSYNCD_REPLICA]
environment = {
"SOFTHSM2_CONF": paths.DNSSEC_SOFTHSM2_CONF,
}
# stop dnskeysyncd before test
dnskeysyncd_running = dnskeysyncd.is_running()
dnskeysyncd.stop()
try:
ipautil.run(cmd, env=environment,
runas=constants.ODS_USER,
suplementary_groups=[constants.NAMED_GROUP])
except CalledProcessError as e:
logger.debug("%s", e)
raise RuntimeError("This IPA server cannot be promoted to "
"DNSSEC master role because some keys were "
"not replicated from the original "
"DNSSEC master server")
finally:
if dnskeysyncd_running:
dnskeysyncd.start()
elif dnssec_zones and not options.force:
# some zones have --dnssec=true, make sure a user really want to
# install new database
raise RuntimeError(
"DNSSEC signing is already enabled for following zone(s): %s\n"
"Installation cannot continue without the OpenDNSSEC database "
"file from the original DNSSEC master server.\n"
"Please use option --kasp-db to specify location "
"of the kasp.db file copied from the original "
"DNSSEC master server.\n"
"WARNING: Zones will become unavailable if you do not provide "
"the original kasp.db file." %
", ".join([str(zone) for zone in dnssec_zones]))
ip_addresses = get_server_ip_address(hostname, options.unattended,
True, options.ip_addresses)
util.no_matching_interface_for_ip_address_warning(ip_addresses)
if not options.forward_policy:
# user did not specify policy, derive it: default is 'first' but
# if any of local IP addresses belongs to private ranges use 'only'
options.forward_policy = 'first'
for ip in ip_addresses:
if dnsutil.inside_auto_empty_zone(dnsutil.DNSName(ip.reverse_dns)):
options.forward_policy = 'only'
logger.debug('IP address %s belongs to a private range, '
'using forward policy only', ip)
break
if options.no_forwarders:
options.forwarders = []
elif options.forwarders or options.auto_forwarders:
if not options.forwarders:
options.forwarders = []
if options.auto_forwarders:
options.forwarders += resolver.get_default_resolver().nameservers
elif standalone or not replica:
options.forwarders = read_dns_forwarders()
# test DNSSEC forwarders
if options.forwarders:
if (not bindinstance.check_forwarders(options.forwarders)
and not options.no_dnssec_validation):
options.no_dnssec_validation = True
print("WARNING: DNSSEC validation will be disabled")
logger.debug("will use DNS forwarders: %s\n", options.forwarders)
if not standalone:
search_reverse_zones = False
else:
search_reverse_zones = True
if not standalone and replica:
reverse_zones_unattended_check = True
else:
reverse_zones_unattended_check = options.unattended
reverse_zones = bindinstance.check_reverse_zones(
ip_addresses, options.reverse_zones, options,
reverse_zones_unattended_check, search_reverse_zones
)
if reverse_zones:
print("Using reverse zone(s) %s" % ', '.join(reverse_zones))
def add_ptr_rr(zone, ip_address, fqdn, dns_backup=None, api=api):
name = get_reverse_record_name(zone, ip_address)
add_rr(zone, name, "PTR", normalize_zone(fqdn), dns_backup, api)
def host_in_default_domain(self):
return normalize_zone(self.host_domain) == normalize_zone(self.domain)
def host_in_rr(self):
# when a host is not in a default domain, it needs to be referred
# with FQDN and not in a domain-relative host name
if not self.host_in_default_domain():
return normalize_zone(self.fqdn)
return self.host
def host_in_default_domain(self):
return normalize_zone(self.host_domain) == normalize_zone(self.domain)
cn = u'Realm Domains'
dn = DN(('cn', cn), ('cn', 'ipa'), ('cn', 'etc'), api.env.basedn)
our_domain = api.env.domain
dnszone_1 = u'dnszone.test'
dnszone_1_absolute = u'%s.' % dnszone_1
dnszone_1_dn = DN(('idnsname', dnszone_1_absolute), api.env.container_dns,
api.env.basedn)
idnssoamname = u'ns1.%s.' % dnszone_1
idnssoarname = u'root.%s.' % dnszone_1
dnszone_2 = u'dnszone2.test'
dnszone_2_absolute = "%s." % dnszone_2
dnszone_2_dn = DN(('idnsname', dnszone_2_absolute), api.env.container_dns,
api.env.basedn)
self_server_ns = normalize_zone(api.env.host)
self_server_ns_dnsname = DNSName(self_server_ns)
def assert_realmdomain_and_txt_record_present(response):
zone = response['value']
if isinstance(zone, (tuple, list)):
zone = zone[0]
zone = unicode(zone)
if zone.endswith(u'.'):
#realmdomains are without end dot
zone = zone[:-1]
r = api.Command['realmdomains_show']()
assert zone in r['result']['associateddomain']
r = api.Command['dnsrecord_show'](zone, u'_kerberos')
cn = u'Realm Domains'
dn = DN(('cn', cn), ('cn', 'ipa'), ('cn', 'etc'), api.env.basedn)
our_domain = api.env.domain
dnszone_1 = u'dnszone.test'
dnszone_1_absolute = u'%s.' % dnszone_1
dnszone_1_dn = DN(('idnsname', dnszone_1_absolute), api.env.container_dns,
api.env.basedn)
idnssoamname = u'ns1.%s.' % dnszone_1
idnssoarname = u'root.%s.' % dnszone_1
dnszone_2 = u'dnszone2.test'
dnszone_2_absolute = "%s." % dnszone_2
dnszone_2_dn = DN(('idnsname', dnszone_2_absolute), api.env.container_dns,
api.env.basedn)
self_server_ns = normalize_zone(api.env.host)
self_server_ns_dnsname = DNSName(self_server_ns)
def assert_realmdomain_and_txt_record_present(response):
zone = response['value']
if isinstance(zone, (tuple, list)):
zone = zone[0]
zone = unicode(zone)
if zone.endswith(u'.'):
#realmdomains are without end dot
zone = zone[:-1]
r = api.Command['realmdomains_show']()
assert zone in r['result']['associateddomain']
def check_reverse_zones(ip_addresses,
reverse_zones,
options,
unattended,
search_reverse_zones=False):
checked_reverse_zones = []
if (not options.no_reverse and not reverse_zones
and not options.auto_reverse):
if unattended:
options.no_reverse = True
else:
options.no_reverse = not create_reverse()
# shortcut
if options.no_reverse:
return []
# verify zones passed in options
for rz in reverse_zones:
# isn't the zone managed by someone else
if not options.allow_zone_overlap:
try:
dnsutil.check_zone_overlap(rz)
except ValueError as e:
msg = "Reverse zone %s will not be used: %s" % (rz, e)
if unattended:
raise ScriptError(msg)
else:
root_logger.warning(msg)
continue
checked_reverse_zones.append(normalize_zone(rz))
# check that there is reverse zone for every IP
ips_missing_reverse = []
for ip in ip_addresses:
if search_reverse_zones and find_reverse_zone(str(ip)):
# reverse zone is already in LDAP
continue
for rz in checked_reverse_zones:
if verify_reverse_zone(rz, ip):
# reverse zone was entered by user
break
else:
ips_missing_reverse.append(ip)
# create reverse zone for IP addresses that does not have one
for (ip, rz) in get_auto_reverse_zones(ips_missing_reverse):
if options.auto_reverse:
root_logger.info("Reverse zone %s will be created" % rz)
checked_reverse_zones.append(rz)
elif unattended:
root_logger.warning("Missing reverse record for IP address %s" %
ip)
else:
if ipautil.user_input(
"Do you want to create reverse zone for IP "
"%s" % ip, True):
rz = read_reverse_zone(rz, str(ip), options.allow_zone_overlap)
checked_reverse_zones.append(rz)
return checked_reverse_zones