def __add_dns_service_records(self):
    """Register the AD-trust SRV records in IPA DNS, or print them instead.

    When IPA does not manage DNS for ``api.env.domain`` (DNS support was
    disabled at install time, or the zone is not defined in IPA) the
    records the administrator has to create in the external DNS server are
    printed, one per line, for the "AD trust controller" role of this host.
    Otherwise the managed system records are updated through the
    ``dns_update_system_records`` command and nothing is printed.
    """
    zone = api.env.domain

    problem = None
    if not api.Command['dns_is_enabled']()['result']:
        problem = "DNS management was not enabled at install time."
    elif not dns_zone_exists(zone):
        problem = ("DNS zone %s cannot be managed as it is not defined in "
                   "IPA" % zone)

    if not problem:
        api.Command.dns_update_system_records()
        return

    # IPA cannot write the zone: hand the records to the administrator.
    self.print_msg(problem)
    self.print_msg("Add the following service records to your DNS "
                   "server for DNS zone %s: " % zone)
    records = IPASystemRecords(api).get_base_records(
        [self.fqdn], ["AD trust controller"],
        include_master_role=False, include_kerberos_realm=False)
    for name, node in records.items():
        for line in IPASystemRecords.records_list_from_node(name, node):
            self.print_msg(line)
def __add_dns_service_records(self):
    """Register the AD-trust SRV records in IPA DNS, or print them instead.

    When IPA does not manage DNS for ``api.env.domain`` (DNS support was
    disabled at install time, or the zone is not defined in IPA) the
    records the administrator has to create in the external DNS server are
    printed, one per line, for the "AD trust controller" role of this host
    (records are generated with ``all_servers=True``).  Otherwise the
    managed system records are updated through the
    ``dns_update_system_records`` command and nothing is printed.
    """
    zone = api.env.domain

    problem = None
    if not api.Command['dns_is_enabled']()['result']:
        problem = "DNS management was not enabled at install time."
    elif not dns_zone_exists(zone):
        problem = ("DNS zone %s cannot be managed as it is not defined in "
                   "IPA" % zone)

    if not problem:
        api.Command.dns_update_system_records()
        return

    # IPA cannot write the zone: hand the records to the administrator.
    self.print_msg(problem)
    self.print_msg("Add the following service records to your DNS "
                   "server for DNS zone %s: " % zone)
    records = IPASystemRecords(api, all_servers=True).get_base_records(
        [self.fqdn], ["AD trust controller"],
        include_master_role=False, include_kerberos_realm=False)
    for name, node in records.items():
        for line in IPASystemRecords.records_list_from_node(name, node):
            self.print_msg(line)
def generate_dns_service_records_help(api):
    """Describe the AD-trust SRV records an administrator must create by hand.

    Returns ``None`` when IPA manages DNS for ``api.env.domain`` (DNS was
    enabled at install time and the zone is defined in IPA), so nothing has
    to be done manually.  Otherwise returns a list of strings: the reason
    IPA cannot manage the zone, a heading naming the zone, and then every
    record line ``IPASystemRecords.records_list_from_node`` produces for the
    "AD trust controller" role of ``api.env.host``.

    :param api: the IPA API object; its ``env.domain`` and ``env.host`` are
        used and its ``dns_is_enabled`` command is called.
    """
    zone = api.env.domain

    if not api.Command['dns_is_enabled']()['result']:
        reason = "DNS management was not enabled at install time."
    elif not dns_zone_exists(zone):
        reason = ("DNS zone %s cannot be managed as it is not defined in "
                  "IPA" % zone)
    else:
        # IPA manages the zone itself; no manual instructions needed.
        return None

    lines = [
        reason,
        "Add the following service records to your DNS "
        "server for DNS zone %s: " % zone,
    ]
    records = IPASystemRecords(api, all_servers=True).get_base_records(
        [api.env.host], ["AD trust controller"],
        include_master_role=False, include_kerberos_realm=False)
    for name, node in records.items():
        lines.extend(IPASystemRecords.records_list_from_node(name, node))
    return lines
def __add_dns_service_records(self):
    """Publish the ``_msdcs`` SRV records used by Windows to locate the DC.

    The LDAP (389) and Kerberos TCP/UDP (88) SRV records are written under
    the ``Default-First-Site-Name._sites.dc._msdcs`` and ``dc._msdcs`` names
    of ``self.domain_name``.  Each name receives one record per CIFS host in
    ``self.cifs_hosts`` followed by one for this server; SRV records already
    stored at that name are removed first.  When the records cannot be
    managed in IPA DNS (``--no-msdcs`` was given, DNS was disabled at
    install time, or the zone is not defined in IPA) the records are printed
    for manual creation and nothing is written.
    """
    zone = self.domain_name
    host_in_rr = normalize_zone(self.fqdn)
    priority = 0
    # (record name, rdata for this server, port); built before any check so
    # the printed help and the written records come from the same source.
    own_records = (
        ("_ldap._tcp", [self.srv_rec(host_in_rr, 389, priority)], 389),
        ("_kerberos._tcp", [self.srv_rec(host_in_rr, 88, priority)], 88),
        ("_kerberos._udp", [self.srv_rec(host_in_rr, 88, priority)], 88),
    )
    msdcs_suffixes = (".Default-First-Site-Name._sites.dc._msdcs",
                      ".dc._msdcs")

    if self.no_msdcs:
        problem = ('--no-msdcs was given, special DNS service records '
                   'are not added to local DNS server')
    elif not api.Command['dns_is_enabled']()['result']:
        problem = "DNS management was not enabled at install time."
    elif not dns_zone_exists(zone):
        problem = ("DNS zone %s cannot be managed "
                   "as it is not defined in IPA" % zone)
    else:
        problem = None

    if problem:
        # Cannot write the zone: print complete record lines instead.
        self.print_msg(problem)
        self.print_msg("Add the following service records to your DNS "
                       "server for DNS zone %s: " % zone)
        for suffix in msdcs_suffixes:
            for name, rdata, _port in own_records:
                self.print_msg("%s%s IN SRV %s"
                               % (name, suffix, " ".join(rdata)))
        self.print_msg("")
        return

    for name, rdata, port in own_records:
        # CIFS hosts are listed before this server's own record.
        new_rdata = [self.srv_rec(fqdn, port, priority)
                     for fqdn in self.cifs_hosts] + rdata
        for suffix in msdcs_suffixes:
            rr_name = name + suffix
            # NOTE(review): existing records are deleted before the new ones
            # are added, so a failure in add_rr leaves the name without any
            # SRV record until the next successful run.
            for old in get_rr(zone, rr_name, "SRV") or ():
                del_rr(zone, rr_name, "SRV", old)
            for new in new_rdata:
                add_rr(zone, rr_name, "SRV", new)
def ask_for_options(self):
    """Collect and validate everything ipa-replica-prepare needs up front.

    After the base class has asked its own questions this method:

    * takes the Directory Manager password from ``--password`` or prompts
      for it, binds to LDAP with it (an ``errors.ACIError`` is reported as
      a wrong password) and reads the certificate subject base and whether
      a CA is enabled;
    * refuses to continue when a CA is enabled but ``paths.CA_CS_CFG_PATH``
      is missing on this host, or when no CA is available and no
      ``--http-cert-file`` was supplied;
    * requires the replica FQDN to resolve unless ``--ip-address`` is
      given, in which case the IPA DNS container and the replica's zone
      must exist so the record can be created;
    * loads the optional HTTP and Directory Server PKCS#12 files, prompting
      for their unlock pins, and requires both to be issued by the same CA.

    Raises ``admintool.ScriptError`` for every failed check; a
    ``BadHostError`` from ``verify_fqdn`` is re-raised unchanged.
    """
    options = self.options
    super(ReplicaPrepare, self).ask_for_options()

    # Directory Manager credentials: command line first, prompt otherwise.
    # The password is kept on self for the later LDAP and replica-file steps.
    self.dirman_password = options.password
    if not options.password:
        self.dirman_password = installutils.read_password(
            "Directory Manager (existing master)",
            confirm=False, validate=False)
        if self.dirman_password is None:
            raise admintool.ScriptError(
                "Directory Manager password required")

    # Bind with the password to prove it is right, and read the subject
    # base and CA state while connected.
    ldap = api.Backend.ldap2
    ldap.disconnect()
    try:
        ldap.connect(bind_pw=self.dirman_password)
        config = ldap.get_ipa_config()
        self.subject_base = config.get(
            'ipacertificatesubjectbase', [None])[0]
        ca_enabled = api.Command.ca_is_enabled()['result']
    except errors.ACIError:
        raise admintool.ScriptError("The password provided is incorrect "
                                    "for LDAP server %s" % api.env.host)
    except errors.LDAPError:
        raise admintool.ScriptError(
            "Unable to connect to LDAP server %s" % api.env.host)
    except errors.DatabaseError as err:
        raise admintool.ScriptError(err.desc)

    # A replica file can only be produced where the CA actually lives.
    if ca_enabled and not ipautil.file_exists(paths.CA_CS_CFG_PATH):
        raise admintool.ScriptError(
            "CA is not installed on this server. "
            "ipa-replica-prepare must be run on an IPA server with CA.")
    if not ca_enabled and not options.http_cert_files:
        raise admintool.ScriptError(
            "Cannot issue certificates: a CA is not installed. Use the "
            "--http-cert-file, --dirsrv-cert-file options to provide "
            "custom certificates.")

    if self.subject_base is not None:
        self.subject_base = DN(self.subject_base)

    # The replica must resolve in DNS unless its record is about to be
    # created from --ip-address.
    try:
        installutils.verify_fqdn(self.replica_fqdn, local_hostname=False)
    except installutils.BadHostError as err:
        lookup_failed = isinstance(err, installutils.HostLookupError)
        if not (lookup_failed and options.ip_addresses):
            if lookup_failed and dns_container_exists(api.env.basedn):
                logger.info('You might use the --ip-address option '
                            'to create a DNS entry if the DNS zone '
                            'is managed by IPA.')
            raise
        # Otherwise the host is not in DNS yet, but --ip-address adds it.

    if options.ip_addresses:
        if not dns_container_exists(api.env.basedn):
            logger.error(
                "It is not possible to add a DNS record automatically "
                "because DNS is not managed by IPA. Please create DNS "
                "record manually and then omit --ip-address option.")
            raise admintool.ScriptError("Cannot add DNS record")
        options.reverse_zones = bindinstance.check_reverse_zones(
            options.ip_addresses, options.reverse_zones, options, False,
            True)
        _name, zone = self.replica_fqdn.split('.', 1)
        if not bindinstance.dns_zone_exists(zone, api=api):
            logger.error(
                "DNS zone %s does not exist in IPA managed DNS "
                "server. Either create DNS zone or omit "
                "--ip-address option.", zone)
            raise admintool.ScriptError("Cannot add DNS record")

    self.http_pin = self.dirsrv_pin = None

    if options.http_cert_files:
        if options.http_pin is None:
            options.http_pin = installutils.read_password(
                "Enter Apache Server private key unlock",
                confirm=False, validate=False, retry=False)
            if options.http_pin is None:
                raise admintool.ScriptError(
                    "Apache Server private key unlock password required")
        self.http_pkcs12_file, self.http_pin, http_ca_cert = (
            self.load_pkcs12(options.http_cert_files, options.http_pin,
                             options.http_cert_name))

    if options.dirsrv_cert_files:
        if options.dirsrv_pin is None:
            options.dirsrv_pin = installutils.read_password(
                "Enter Directory Server private key unlock",
                confirm=False, validate=False, retry=False)
            if options.dirsrv_pin is None:
                raise admintool.ScriptError(
                    "Directory Server private key unlock password required"
                )
        self.dirsrv_pkcs12_file, self.dirsrv_pin, dirsrv_ca_cert = (
            self.load_pkcs12(options.dirsrv_cert_files, options.dirsrv_pin,
                             options.dirsrv_cert_name))

    # Both custom certificates have to chain to the same CA.
    if (options.http_cert_files and options.dirsrv_cert_files
            and http_ca_cert != dirsrv_ca_cert):
        raise admintool.ScriptError(
            "Apache Server SSL certificate and Directory Server SSL "
            "certificate are not signed by the same CA certificate")
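def ask_for_options(self):
    """Collect and validate everything ipa-replica-prepare needs up front.

    After the base class has asked its own questions this method:

    * takes the Directory Manager password from ``--password`` or prompts
      for it, binds to LDAP as ``cn=directory manager`` with it (an
      ``errors.ACIError`` is reported as a wrong password) and reads the
      certificate subject base and whether a CA is enabled;
    * refuses to continue when no CA is available and no
      ``--http-cert-file`` was supplied;
    * requires the replica FQDN to resolve unless ``--ip-address`` is
      given, in which case the IPA DNS container and the replica's zone
      must exist so the record can be created;
    * loads the optional HTTP, Directory Server and KDC (pkinit) PKCS#12
      files, prompting for their unlock pins, and requires the HTTP and
      Directory Server certificates to be issued by the same CA;
    * stops when this host has no CA configuration file and no Directory
      Server pin was given, since replicas of such an install need their
      own PKCS#12 files.

    Raises ``admintool.ScriptError`` for every failed check; a
    ``BadHostError`` from ``verify_fqdn`` is re-raised unchanged.
    """
    options = self.options
    super(ReplicaPrepare, self).ask_for_options()

    # get the directory manager password; it stays on self for the later
    # LDAP binds and the replica-file steps
    self.dirman_password = options.password
    if not options.password:
        self.dirman_password = installutils.read_password(
            "Directory Manager (existing master)",
            confirm=False, validate=False)
        if self.dirman_password is None:
            raise admintool.ScriptError(
                "Directory Manager password required")

    # Try out the password & get the subject base.  The connection is
    # closed again even when one of the lookups fails, so a later
    # isconnected() check does not see a stale bind.
    conn = api.Backend.ldap2
    try:
        conn.connect(bind_dn=DN(('cn', 'directory manager')),
                     bind_pw=self.dirman_password)
        try:
            entry_attrs = conn.get_ipa_config()
            self.subject_base = entry_attrs.get(
                'ipacertificatesubjectbase', [None])[0]
            ca_enabled = api.Command.ca_is_enabled()['result']
        finally:
            conn.disconnect()
    except errors.ACIError:
        raise admintool.ScriptError("The password provided is incorrect "
                                    "for LDAP server %s" % api.env.host)
    except errors.LDAPError:
        raise admintool.ScriptError(
            "Unable to connect to LDAP server %s" % api.env.host)
    except errors.DatabaseError as e:
        raise admintool.ScriptError(e.desc)

    if not ca_enabled and not options.http_cert_files:
        raise admintool.ScriptError(
            "Cannot issue certificates: a CA is not installed. Use the "
            "--http-cert-file, --dirsrv-cert-file options to provide "
            "custom certificates.")

    if self.subject_base is not None:
        self.subject_base = DN(self.subject_base)

    # Validate more options using the password
    try:
        installutils.verify_fqdn(self.replica_fqdn, local_hostname=False)
    except installutils.BadHostError as e:
        if isinstance(e, installutils.HostLookupError):
            if not options.ip_addresses:
                if dns_container_exists(
                        api.env.host, api.env.basedn,
                        dm_password=self.dirman_password,
                        ldapi=True, realm=api.env.realm):
                    self.log.info('You might use the --ip-address option '
                                  'to create a DNS entry if the DNS zone '
                                  'is managed by IPA.')
                raise
            else:
                # The host doesn't exist in DNS but we're adding it.
                pass
        else:
            raise

    if options.ip_addresses:
        if not dns_container_exists(api.env.host, api.env.basedn,
                                    dm_password=self.dirman_password,
                                    ldapi=True, realm=api.env.realm):
            self.log.error(
                "It is not possible to add a DNS record automatically "
                "because DNS is not managed by IPA. Please create DNS "
                "record manually and then omit --ip-address option.")
            raise admintool.ScriptError("Cannot add DNS record")

        # dns_zone_exists() needs a bound connection; open one only if
        # nothing else has, and close it again afterwards.
        disconnect = False
        if not api.Backend.ldap2.isconnected():
            api.Backend.ldap2.connect(
                bind_dn=DN(('cn', 'Directory Manager')),
                bind_pw=self.dirman_password)
            disconnect = True

        options.reverse_zones = bindinstance.check_reverse_zones(
            options.ip_addresses, options.reverse_zones, options, False,
            True)

        _host, zone = self.replica_fqdn.split('.', 1)
        if not bindinstance.dns_zone_exists(zone, api=api):
            self.log.error("DNS zone %s does not exist in IPA managed DNS "
                           "server. Either create DNS zone or omit "
                           "--ip-address option.", zone)
            raise admintool.ScriptError("Cannot add DNS record")

        if disconnect:
            api.Backend.ldap2.disconnect()

    self.http_pin = self.dirsrv_pin = self.pkinit_pin = None

    if options.http_cert_files:
        if options.http_pin is None:
            options.http_pin = installutils.read_password(
                "Enter Apache Server private key unlock",
                confirm=False, validate=False)
            if options.http_pin is None:
                raise admintool.ScriptError(
                    "Apache Server private key unlock password required")
        http_pkcs12_file, http_pin, http_ca_cert = self.load_pkcs12(
            options.http_cert_files, options.http_pin,
            options.http_cert_name)
        self.http_pkcs12_file = http_pkcs12_file
        self.http_pin = http_pin

    if options.dirsrv_cert_files:
        if options.dirsrv_pin is None:
            options.dirsrv_pin = installutils.read_password(
                "Enter Directory Server private key unlock",
                confirm=False, validate=False)
            if options.dirsrv_pin is None:
                raise admintool.ScriptError(
                    "Directory Server private key unlock password required")
        dirsrv_pkcs12_file, dirsrv_pin, dirsrv_ca_cert = self.load_pkcs12(
            options.dirsrv_cert_files, options.dirsrv_pin,
            options.dirsrv_cert_name)
        self.dirsrv_pkcs12_file = dirsrv_pkcs12_file
        self.dirsrv_pin = dirsrv_pin

    if options.pkinit_cert_files:
        if options.pkinit_pin is None:
            options.pkinit_pin = installutils.read_password(
                "Enter Kerberos KDC private key unlock",
                confirm=False, validate=False)
            if options.pkinit_pin is None:
                raise admintool.ScriptError(
                    "Kerberos KDC private key unlock password required")
        # The KDC certificate's issuer is not compared against the others.
        pkinit_pkcs12_file, pkinit_pin, _pkinit_ca_cert = self.load_pkcs12(
            options.pkinit_cert_files, options.pkinit_pin,
            options.pkinit_cert_name)
        self.pkinit_pkcs12_file = pkinit_pkcs12_file
        self.pkinit_pin = pkinit_pin

    # Both custom certificates have to chain to the same CA.
    if (options.http_cert_files and options.dirsrv_cert_files and
            http_ca_cert != dirsrv_ca_cert):
        raise admintool.ScriptError(
            "Apache Server SSL certificate and Directory Server SSL "
            "certificate are not signed by the same CA certificate")

    # Without a local CA config file this host cannot issue the replica's
    # certificates, so custom PKCS#12 files are mandatory.
    if (not ipautil.file_exists(
            dogtag.configured_constants().CS_CFG_PATH) and
            options.dirsrv_pin is None):
        self.log.info("If you installed IPA with your own certificates "
                      "using PKCS#12 files you must provide PKCS#12 files "
                      "for any replicas you create as well.")
        raise admintool.ScriptError("The replica must be created on the "
                                    "primary IPA server.")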
"record manually and then omit --ip-address option.") raise admintool.ScriptError("Cannot add DNS record") disconnect = False if not api.Backend.ldap2.isconnected(): api.Backend.ldap2.connect( bind_dn=DN(('cn', 'Directory Manager')), bind_pw=self.dirman_password) disconnect = True options.reverse_zones = bindinstance.check_reverse_zones( options.ip_addresses, options.reverse_zones, options, False, True) host, zone = self.replica_fqdn.split('.', 1) if not bindinstance.dns_zone_exists(zone, api=api): self.log.error("DNS zone %s does not exist in IPA managed DNS " "server. Either create DNS zone or omit " "--ip-address option." % zone) raise admintool.ScriptError("Cannot add DNS record") if disconnect: api.Backend.ldap2.disconnect() self.http_pin = self.dirsrv_pin = self.pkinit_pin = None if options.http_cert_files: if options.http_pin is None: options.http_pin = installutils.read_password( "Enter Apache Server private key unlock", confirm=False, validate=False)
def ask_for_options(self):
    """Collect and validate everything ipa-replica-prepare needs up front.

    After the base class has asked its own questions this method:

    * takes the Directory Manager password from ``--password`` or prompts
      for it, binds to LDAP with it (an ``errors.ACIError`` is reported as
      a wrong password) and reads the certificate subject base and whether
      a CA is enabled;
    * refuses to continue when a CA is enabled but ``paths.CA_CS_CFG_PATH``
      is missing on this host, or when no CA is available and no
      ``--http-cert-file`` was supplied;
    * requires the replica FQDN to resolve unless ``--ip-address`` is
      given, in which case the IPA DNS container and the replica's zone
      must exist so the record can be created;
    * loads the optional HTTP and Directory Server PKCS#12 files, prompting
      for their unlock pins, and requires both to be issued by the same CA.

    Raises ``admintool.ScriptError`` for every failed check; a
    ``BadHostError`` from ``verify_fqdn`` is re-raised unchanged.
    """
    options = self.options
    super(ReplicaPrepare, self).ask_for_options()

    # Directory Manager credentials: command line first, prompt otherwise.
    # The password is kept on self for the later LDAP and replica-file steps.
    self.dirman_password = options.password
    if not options.password:
        self.dirman_password = installutils.read_password(
            "Directory Manager (existing master)",
            confirm=False, validate=False)
        if self.dirman_password is None:
            raise admintool.ScriptError(
                "Directory Manager password required")

    # Bind with the password to prove it is right, and read the subject
    # base and CA state while connected.
    ldap = api.Backend.ldap2
    ldap.disconnect()
    try:
        ldap.connect(bind_pw=self.dirman_password)
        config = ldap.get_ipa_config()
        self.subject_base = config.get(
            'ipacertificatesubjectbase', [None])[0]
        ca_enabled = api.Command.ca_is_enabled()['result']
    except errors.ACIError:
        raise admintool.ScriptError("The password provided is incorrect "
                                    "for LDAP server %s" % api.env.host)
    except errors.LDAPError:
        raise admintool.ScriptError(
            "Unable to connect to LDAP server %s" % api.env.host)
    except errors.DatabaseError as err:
        raise admintool.ScriptError(err.desc)

    # A replica file can only be produced where the CA actually lives.
    if ca_enabled and not ipautil.file_exists(paths.CA_CS_CFG_PATH):
        raise admintool.ScriptError(
            "CA is not installed on this server. "
            "ipa-replica-prepare must be run on an IPA server with CA.")
    if not ca_enabled and not options.http_cert_files:
        raise admintool.ScriptError(
            "Cannot issue certificates: a CA is not installed. Use the "
            "--http-cert-file, --dirsrv-cert-file options to provide "
            "custom certificates.")

    if self.subject_base is not None:
        self.subject_base = DN(self.subject_base)

    # The replica must resolve in DNS unless its record is about to be
    # created from --ip-address.
    try:
        installutils.verify_fqdn(self.replica_fqdn, local_hostname=False)
    except installutils.BadHostError as err:
        lookup_failed = isinstance(err, installutils.HostLookupError)
        if not (lookup_failed and options.ip_addresses):
            if lookup_failed and dns_container_exists(api.env.basedn):
                logger.info('You might use the --ip-address option '
                            'to create a DNS entry if the DNS zone '
                            'is managed by IPA.')
            raise
        # Otherwise the host is not in DNS yet, but --ip-address adds it.

    if options.ip_addresses:
        if not dns_container_exists(api.env.basedn):
            logger.error(
                "It is not possible to add a DNS record automatically "
                "because DNS is not managed by IPA. Please create DNS "
                "record manually and then omit --ip-address option.")
            raise admintool.ScriptError("Cannot add DNS record")
        options.reverse_zones = bindinstance.check_reverse_zones(
            options.ip_addresses, options.reverse_zones, options, False,
            True)
        _name, zone = self.replica_fqdn.split('.', 1)
        if not bindinstance.dns_zone_exists(zone, api=api):
            logger.error(
                "DNS zone %s does not exist in IPA managed DNS "
                "server. Either create DNS zone or omit "
                "--ip-address option.", zone)
            raise admintool.ScriptError("Cannot add DNS record")

    self.http_pin = self.dirsrv_pin = None

    if options.http_cert_files:
        if options.http_pin is None:
            options.http_pin = installutils.read_password(
                "Enter Apache Server private key unlock",
                confirm=False, validate=False, retry=False)
            if options.http_pin is None:
                raise admintool.ScriptError(
                    "Apache Server private key unlock password required")
        self.http_pkcs12_file, self.http_pin, http_ca_cert = (
            self.load_pkcs12(options.http_cert_files, options.http_pin,
                             options.http_cert_name))

    if options.dirsrv_cert_files:
        if options.dirsrv_pin is None:
            options.dirsrv_pin = installutils.read_password(
                "Enter Directory Server private key unlock",
                confirm=False, validate=False, retry=False)
            if options.dirsrv_pin is None:
                raise admintool.ScriptError(
                    "Directory Server private key unlock password required"
                )
        self.dirsrv_pkcs12_file, self.dirsrv_pin, dirsrv_ca_cert = (
            self.load_pkcs12(options.dirsrv_cert_files, options.dirsrv_pin,
                             options.dirsrv_cert_name))

    # Both custom certificates have to chain to the same CA.
    if (options.http_cert_files and options.dirsrv_cert_files
            and http_ca_cert != dirsrv_ca_cert):
        raise admintool.ScriptError(
            "Apache Server SSL certificate and Directory Server SSL "
            "certificate are not signed by the same CA certificate")
def __add_dns_service_records(self):
    """Publish the ``_msdcs`` SRV records used by Windows to locate the DC.

    The LDAP (389) and Kerberos TCP/UDP (88) SRV records are written under
    the ``Default-First-Site-Name._sites.dc._msdcs`` and ``dc._msdcs`` names
    of ``self.domain_name``.  Each name receives one record per CIFS host in
    ``self.cifs_hosts`` followed by one for this server; SRV records already
    stored at that name are removed first.  The target in this server's
    record is its short host name when the server sits directly in the
    zone, its normalized FQDN otherwise.  When the records cannot be
    managed in IPA DNS (``--no-msdcs`` was given, DNS was disabled at
    install time, or the zone is not defined in IPA) the record names are
    printed for manual creation and nothing is written.
    """
    zone = self.domain_name
    short_name, host_domain = self.fqdn.split(".", 1)
    in_zone = normalize_zone(zone) == normalize_zone(host_domain)
    host_in_rr = short_name if in_zone else normalize_zone(self.fqdn)
    priority = 0
    # (record name, rdata for this server, port); built before any check so
    # the printed help and the written records come from the same source.
    own_records = (
        ("_ldap._tcp", [self.srv_rec(host_in_rr, 389, priority)], 389),
        ("_kerberos._tcp", [self.srv_rec(host_in_rr, 88, priority)], 88),
        ("_kerberos._udp", [self.srv_rec(host_in_rr, 88, priority)], 88),
    )
    msdcs_suffixes = (".Default-First-Site-Name._sites.dc._msdcs",
                      ".dc._msdcs")

    if self.no_msdcs:
        problem = ('--no-msdcs was given, special DNS service records '
                   'are not added to local DNS server')
    elif not api.Command['dns_is_enabled']()['result']:
        problem = "DNS management was not enabled at install time."
    elif not dns_zone_exists(zone):
        problem = ("DNS zone %s cannot be managed "
                   "as it is not defined in IPA" % zone)
    else:
        problem = None

    if problem:
        # Cannot write the zone: list the record names for the admin.
        self.print_msg(problem)
        self.print_msg("Add the following service records to your DNS "
                       "server for DNS zone %s: " % zone)
        for name, _rdata, _port in own_records:
            for suffix in msdcs_suffixes:
                self.print_msg(" - %s%s" % (name, suffix))
        return

    for name, rdata, port in own_records:
        # CIFS hosts are listed before this server's own record.
        new_rdata = [self.srv_rec(fqdn, port, priority)
                     for fqdn in self.cifs_hosts] + rdata
        for suffix in msdcs_suffixes:
            rr_name = name + suffix
            # NOTE(review): existing records are deleted before the new ones
            # are added, so a failure in add_rr leaves the name without any
            # SRV record until the next successful run.
            for old in get_rr(zone, rr_name, "SRV") or ():
                del_rr(zone, rr_name, "SRV", old)
            for new in new_rdata:
                add_rr(zone, rr_name, "SRV", new)