    def __add_dns_service_records(self):
        """
        Publish the AD trust controller DNS records for this server.

        When DNS management was enabled at install time and the IPA domain
        zone is defined in IPA, the system records are refreshed through the
        ``dns_update_system_records`` command. Otherwise the reason is
        printed, followed by the records the administrator has to add to
        the external DNS server by hand.
        """
        zone = api.env.domain

        # Work out whether (and why not) the records can be managed by IPA.
        dns_enabled = api.Command['dns_is_enabled']()['result']
        if not dns_enabled:
            reason = "DNS management was not enabled at install time."
        elif not dns_zone_exists(zone):
            reason = (
                "DNS zone %s cannot be managed as it is not defined in "
                "IPA" % zone)
        else:
            reason = None

        if not reason:
            api.Command.dns_update_system_records()
            return

        self.print_msg(reason)
        self.print_msg("Add the following service records to your DNS "
                       "server for DNS zone %s: " % zone)
        # Only the trust-controller records of this host are listed; the
        # master-role and Kerberos-realm records are deliberately excluded.
        records = IPASystemRecords(api).get_base_records(
            [self.fqdn], ["AD trust controller"],
            include_master_role=False, include_kerberos_realm=False)
        for name, node in records.items():
            for line in IPASystemRecords.records_list_from_node(name, node):
                self.print_msg(line)
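 def create_file_with_system_records(self):
     """
     Write the IPA system DNS records to a new temporary file.

     The records are rendered as zone-file lines, one per line, and the
     path of the file is printed so the administrator can load them into
     an external DNS system.
     """
     system_records = IPASystemRecords(self.api)
     text = u'\n'.join(
         IPASystemRecords.records_list_from_zone(
             system_records.get_base_records()
         )
     )
     # mkstemp() creates the file exclusively with mode 0600, so a
     # pre-existing path cannot be hijacked. The descriptor is wrapped in a
     # file object so it is closed even if the write fails, and the text is
     # encoded explicitly because os-level writes take bytes, not str.
     fd, name = tempfile.mkstemp(".db", "ipa.system.records.")
     with os.fdopen(fd, "wb") as f:
         f.write(text.encode("utf-8"))
     print("Please add records in this file to your DNS system:", name)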
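 def create_file_with_system_records(self):
     """
     Write the IPA system DNS records of all servers to a temporary file.

     The records are rendered as zone-file lines and the file path is
     printed so the administrator can load them into an external DNS
     system. The file is intentionally left in place (``delete=False``).
     """
     system_records = IPASystemRecords(self.api, all_servers=True)
     text = u'\n'.join(
         IPASystemRecords.records_list_from_zone(
             system_records.get_base_records()))
     # NamedTemporaryFile creates the file with mode 0600. The encoding is
     # pinned so the output does not depend on the locale the tool runs
     # under (a C/POSIX locale would fail on any non-ASCII record).
     with tempfile.NamedTemporaryFile(mode="w",
                                      encoding="utf-8",
                                      prefix="ipa.system.records.",
                                      suffix=".db",
                                      delete=False) as f:
         f.write(text)
         print("Please add records in this file to your DNS system:",
               f.name)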
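 def create_file_with_system_records(self):
     """
     Write the IPA system DNS records to a temporary file.

     The records are rendered as zone-file lines and the file path is
     printed so the administrator can load them into an external DNS
     system. The file is intentionally left in place (``delete=False``).
     """
     system_records = IPASystemRecords(self.api)
     text = u'\n'.join(
         IPASystemRecords.records_list_from_zone(
             system_records.get_base_records()
         )
     )
     # NamedTemporaryFile creates the file with mode 0600. The encoding is
     # pinned so the output does not depend on the locale the tool runs
     # under (a C/POSIX locale would fail on any non-ASCII record).
     with tempfile.NamedTemporaryFile(
             mode="w", encoding="utf-8",
             prefix="ipa.system.records.",
             suffix=".db", delete=False
     ) as f:
         f.write(text)
         print("Please add records in this file to your DNS system:",
               f.name)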
 def pre_callback(self, ldap, dn, *keys, **options):
     """
     Refuse to delete a location that still has servers, then drop its
     DNS records.

     Unless ``force`` is given, a DependentEntry naming the first server
     found in the location is raised. Records that could not be removed
     are reported through an AutomaticDNSRecordsUpdateFailed message
     instead of failing the command.
     """
     assert isinstance(dn, DN)
     location = keys[-1]
     if not options.get('force'):
         found = self.api.Command.server_find(
             in_location=location)['result']
         member = found[0]['cn'][0] if found else None
         if member:
             raise DependentEntry(label=_('IPA Server'),
                                  key=location,
                                  dependent=member)
     records = IPASystemRecords(self.api)
     _ok, failed = records.remove_location_records(location)
     if failed:
         self.add_message(messages.AutomaticDNSRecordsUpdateFailed())
     return dn
 def pre_callback(self, ldap, dn, *keys, **options):
     """
     Guard location deletion and clean up the location's DNS records.

     Without ``force`` the deletion is rejected with DependentEntry when
     any server is still assigned to the location. Afterwards the
     location records are removed; failures are surfaced as an
     AutomaticDNSRecordsUpdateFailed message, not as an error.
     """
     assert isinstance(dn, DN)
     location = keys[-1]
     if not options.get('force'):
         result = self.api.Command.server_find(in_location=location)
         servers = result['result']
         member = None
         if servers:
             member = servers[0]['cn'][0]
         if member:
             raise DependentEntry(
                 label=_('IPA Server'),
                 key=location,
                 dependent=member
             )
     _ok, failed = IPASystemRecords(self.api).remove_location_records(
         location)
     if failed:
         self.add_message(messages.AutomaticDNSRecordsUpdateFailed())
     return dn
 def update_system_records(self):
     """
     Refresh the IPA system DNS records and log every record that could
     not be written.

     When the IPA domain is not managed by IPA DNS nothing can be updated
     and the administrator is asked to update the records manually.
     """
     self.print_msg("Updating DNS system records")
     system_records = IPASystemRecords(self.api)
     try:
         (_, failed_ipa), (_, failed_loc) = system_records.update_dns_records()
     except IPADomainIsNotManagedByIPAError:
         root_logger.error(
             "IPA domain is not managed by IPA, please update records "
             "manually")
         return

     failed_sets = (failed_ipa, failed_loc)
     if not any(failed_sets):
         return
     root_logger.error("Update of following records failed:")
     for failed in failed_sets:
         for rname, node, error in failed:
             lines = IPASystemRecords.records_list_from_node(rname, node)
             for record in lines:
                 root_logger.error("%s (%s)", record, error)
 def update_system_records(self):
     """
     Refresh the IPA system DNS records, logging the ones that failed.

     If the IPA domain is not managed by IPA DNS the update is skipped
     with an error asking for a manual update.
     """
     self.print_msg("Updating DNS system records")
     system_records = IPASystemRecords(self.api)
     try:
         ipa_outcome, loc_outcome = system_records.update_dns_records()
     except IPADomainIsNotManagedByIPAError:
         logger.error(
             "IPA domain is not managed by IPA, please update records "
             "manually")
         return

     _, failed_ipa = ipa_outcome
     _, failed_loc = loc_outcome
     if not (failed_ipa or failed_loc):
         return
     logger.error("Update of following records failed:")
     for failed in (failed_ipa, failed_loc):
         for rname, node, error in failed:
             for record in IPASystemRecords.records_list_from_node(
                     rname, node):
                 logger.error("%s (%s)", record, error)
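    def check(self):
        """
        Compare the DNS system records IPA expects with what DNS serves.

        Yields a SUCCESS result for every expected SRV, URI, TXT and
        ipa-ca A/AAAA value found in DNS and a WARNING for each value that
        is missing from DNS or served but not expected. The number of
        ipa-ca A/AAAA records is additionally compared with the number of
        servers carrying the 'CA server' role.
        """
        # pylint: disable=import-outside-toplevel
        from ipapython.dnsutil import query_srv
        from ipaserver.dns_data_management import IPASystemRecords
        # pylint: enable=import-outside-toplevel

        system_records = IPASystemRecords(api)
        base_records = system_records.get_base_records()

        # collect the expected values, keyed by owner name where relevant
        txt_rec = dict()
        srv_rec = dict()
        uri_rec = dict()
        a_rec = list()
        aaaa_rec = list()

        for name, node in base_records.items():
            owner = name.ToASCII()
            for rdataset in node:
                for rd in rdataset:
                    if rd.rdtype == rdatatype.SRV:
                        srv_rec.setdefault(owner, []).append(
                            rd.target.to_text())
                    elif rd.rdtype == rdatatype.TXT:
                        txt_rec.setdefault(owner, []).append(rd.to_text())
                    elif rd.rdtype == rdatatype.A:
                        a_rec.append(rd.to_text())
                    elif rd.rdtype == rdatatype.AAAA:
                        aaaa_rec.append(rd.to_text())
                    elif rd.rdtype == rdatatype.URI:
                        uri_rec.setdefault(owner, []).append(
                            rd.target.decode('utf-8'))
                    else:
                        logger.error("Unhandled rdtype %d", rd.rdtype)

        # For each SRV record that IPA thinks it should have, do a DNS
        # lookup of it and ensure that DNS has the same set of values
        # that IPA thinks it should. remove() raises ValueError for a
        # served value IPA does not expect; whatever is left afterwards is
        # expected but missing.
        for srv, hosts in srv_rec.items():
            logger.debug("Search DNS for SRV record of %s", srv)
            try:
                answers = query_srv(srv)
            except DNSException as e:
                logger.debug("DNS record not found: %s", e.__class__.__name__)
                answers = []
            for answer in answers:
                logger.debug("DNS record found: %s", answer)
                try:
                    hosts.remove(answer.target.to_text())
                    yield Result(
                         self, constants.SUCCESS,
                         key=self.srv_to_name(srv, answer.target.to_text()))
                except ValueError:
                    yield Result(
                        self, constants.WARNING,
                        msg='Unexpected SRV entry in DNS',
                        key=self.srv_to_name(srv, answer.target.to_text()))
            for host in hosts:
                yield Result(
                    self, constants.WARNING,
                    msg='Expected SRV record missing',
                    key=self.srv_to_name(srv, host))

        for uri, hosts in uri_rec.items():
            logger.debug("Search DNS for URI record of %s", uri)
            # A resolver failure is handled like the SRV/TXT lookups above:
            # logged and treated as "no answers" rather than aborting the
            # whole check.
            try:
                answers = query_uri(uri)
            except DNSException as e:
                logger.debug("DNS record not found: %s", e.__class__.__name__)
                answers = []
            for answer in answers:
                logger.debug("DNS record found: %s", answer)
                try:
                    hosts.remove(answer.target.decode('utf-8'))
                    yield Result(
                         self, constants.SUCCESS,
                         key=self.uri_to_name(
                             uri, answer.target.decode('utf-8')
                         )
                    )
                except ValueError:
                    yield Result(
                        self, constants.WARNING,
                        msg='Unexpected URI entry in DNS',
                        key=self.uri_to_name(
                            uri, answer.target.decode('utf-8')
                        )
                    )
            for host in hosts:
                yield Result(
                    self, constants.WARNING,
                    msg='Expected URI record missing',
                    key=self.uri_to_name(uri, host)
                )

        for txt, realms in txt_rec.items():
            logger.debug("Search DNS for TXT record of %s", txt)
            try:
                answers = resolve(txt, rdatatype.TXT)
            except DNSException as e:
                logger.debug("DNS record not found: %s", e.__class__.__name__)
                answers = []

            for answer in answers:
                logger.debug("DNS record found: %s", answer)
                realm = answer.to_text()
                try:
                    realms.remove(realm)
                    yield Result(self, constants.SUCCESS,
                                 key=realm)
                except ValueError:
                    yield Result(self, constants.WARNING,
                                 key=realm,
                                 msg='expected realm missing')
            # Expected realms that DNS did not return were never reported
            # before; report them the same way the SRV/URI checks do.
            for realm in realms:
                yield Result(self, constants.WARNING,
                             key=realm,
                             msg='Expected TXT record missing')

        # Number of servers with the CA role; computed once for both the
        # A and the AAAA check. A server entry without 'roles' counts as
        # having none instead of raising.
        ca_count = 0
        for server in system_records.servers_data:
            master = system_records.servers_data.get(server)
            if 'CA server' in (master.get('roles') or ()):
                ca_count += 1

        # ipa-ca A/AAAA records: the served addresses are matched against
        # the expected ones, then the record count against ca_count.
        for rtype, rdtype, family, count_key, expected in (
                ('A', rdatatype.A, 'IPv4', 'ca_count_a_rec', a_rec),
                ('AAAA', rdatatype.AAAA, 'IPv6', 'ca_count_aaaa_rec',
                 aaaa_rec)):
            if not expected:
                continue
            # Look up the ipa-ca records
            qname = "ipa-ca." + api.env.domain + "."
            logger.debug("Search DNS for %s record of %s", rtype, qname)
            try:
                answers = resolve(qname, rdtype)
            except DNSException as e:
                logger.debug("DNS record not found: %s", e.__class__.__name__)
                answers = []

            for answer in answers:
                logger.debug("DNS record found: %s", answer)
                ipaddr = answer.to_text()
                # remove() raises ValueError when DNS serves an address IPA
                # does not expect; without it the WARNING branch was dead.
                try:
                    expected.remove(ipaddr)
                    yield Result(self, constants.SUCCESS,
                                 key=ipaddr)
                except ValueError:
                    yield Result(self, constants.WARNING,
                                 key=ipaddr,
                                 msg='Unexpected ipa-ca %s address in DNS'
                                     % family)
            for ipaddr in expected:
                yield Result(self, constants.WARNING,
                             key=ipaddr,
                             msg='expected ipa-ca %s address missing'
                                 % family)

            if len(answers) != ca_count:
                yield Result(
                    self, constants.WARNING,
                    key=count_key,
                    msg='Got {count} ipa-ca %s records, expected {expected}'
                        % rtype,
                    count=len(answers),
                    expected=ca_count)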