def check_txt(domain, status):
spf, dmarc = 1, 1
if u"Не делегирован" in status:
return spf, dmarc
try:
mess = dns.resolver.query(
dns_name.from_text(domain),
dns.rdatatype.TXT)
except Exception:
spf = 1
else:
txts = [rdata.to_text() for rdata in mess]
spfs = filter(lambda i: "v=spf1" in i, txts)
if not spfs:
spf = 1
else:
if "+all" in " ".join(spfs):
spf = 2
else:
spf = 0
try:
mess = dns.resolver.query(
dns_name.from_text("_dmarc." + domain),
dns.rdatatype.TXT)
except:
return spf, dmarc
else:
txts = [txt for rdata in mess for txt in rdata.strings]
dmarc = 0 if filter(lambda i: "v=DMARC1" in i, txts) else 1
return spf, dmarc
def fetch_dns(self):
try:
name_server = self.settings.get("dns", "server")
keyring = dns.tsigkeyring.from_text(
{self.settings.get("dns", "tsig_name"):
self.settings.get("dns", "tsig_key")}
)
for domain in self.settings.get("dns", "domains").split(","):
try:
responses = query.xfr(
name_server,
dns_name.from_text(domain),
keyring=keyring,
keyname=self.settings.get("dns", "tsig_name"),
keyalgorithm=dns.tsig.HMAC_SHA512
)
with open(pjoin(self.configs, "dns." + domain),
"w") as config:
for response in responses:
for line in response.answer:
config.write(line.to_text() + u"\n")
except:
pass
except:
logging.error("can't fetch from DNS: %s" %
self.settings.get('dns', 'server'))
def do_reverse_check(lookup, fip, host):
"""Do PTR record checks"""
hostfromdns = name.from_text(fip)
if str(hostfromdns) == str(fip):
print " [OK] "
else:
print " [ERROR!! DNS:" + str(hostfromdns) + " FILE: " + fip + "] "
def test(self, req, author, content, ip):
if self.karma_points == 0:
return
serverlist, prefix = self._getdata(ip)
if not serverlist:
self.log.warning("No IP blacklist servers configured")
return
self.log.debug('Checking for IP blacklisting on "%s"', ip)
points = 0
servers = []
for server in serverlist:
self.log.debug("Checking blacklist %s for %s [%s]", server, ip,
prefix)
try:
res = query(from_text(prefix +
server.encode('utf-8')))[0].to_text()
points -= abs(self.karma_points)
if res == '127.0.0.1':
servers.append(server)
else:
# strip the common part of responses
if res.startswith('127.0.0.'):
res = res[8:]
elif res.startswith('127.'):
res = res[4:]
servers.append('%s [%s]' % (server, res))
except NXDOMAIN: # not blacklisted on this server
continue
except (Timeout, NoAnswer, NoNameservers), e:
self.log.warning('Error checking IP blacklist server "%s" '
'for IP "%s": %s', server, ip, e)
def _query(self, url, server):
res = query(from_text(url + '.' + server.encode('utf-8')))[0].to_text()
if res == '127.0.0.1':
return '%s (%s)' % (server, url)
# strip the common part of responses
if res.startswith('127.0.0.'):
res = res[8:]
elif res.startswith('127.'):
res = res[4:]
return '%s (%s[%s])' % (server, url, res)
def test_should_return_a_list_of_records(self):
with mock.patch('dns.resolver.query') as query:
query_name = name.from_text('foo.bar.baz.')
msg = message.from_text(self.MESSAGE)
answer = resolver.Answer(query_name,
33, 1, msg,
msg.answer[0])
query.return_value = answer
self.assertEqual(srvlookup.lookup('foo', 'bar', 'baz'),
[srvlookup.SRV('1.2.3.5', 11211, 1, 0),
srvlookup.SRV('1.2.3.4', 11211, 2, 0)])
def addSOA(self, mname, rname, serial, refresh, retry, expire, minimum):
"""
Adds a start of authority record to the zone.
:param mname:
:param rname:
:param serial:
:param refresh:
:param retry:
:param expire:
:param minimum:
"""
import dns.rdtypes.ANY.SOA as rdtype
rdataset = self.nix_zone.find_rdataset('@', rdtype=rdatatype.SOA, create=True)
rdata = rdtype.SOA(rdataclass.IN, rdatatype.SOA, name.from_text(mname), name.from_text(rname), int(serial),
int(refresh), int(retry), int(expire), int(minimum))
rdataset.add(rdata, ttl=self.ttl)
return
def __init__(self, zone_name):
if isinstance(zone_name, str):
self.nix_zone = zone.Zone(name.from_text(zone_name))
self.domain = self.nix_zone.origin
elif isinstance(zone_name, zone.Zone):
self.nix_zone = zone_name
self.domain = zone_name.origin
else:
raise ZoneInvalid('Invalid zone. Must be dnspython Zone object or domain name as string.')
return
def test_should_return_name_when_addt_record_is_missing(self):
with mock.patch('dns.resolver.query') as query:
query_name = name.from_text('foo.bar.baz.')
msg = self.get_message(additional_answers=[
'foo.bar.baz. 0 IN SRV 3 0 11213 foo3.bar.baz.'])
answer = resolver.Answer(query_name,
33, 1, msg,
msg.answer[0])
query.return_value = answer
self.assertEqual(srvlookup.lookup('foo', 'bar', 'baz'),
[srvlookup.SRV('1.2.3.5', 11212, 1, 0),
srvlookup.SRV('1.2.3.4', 11211, 2, 0),
srvlookup.SRV('foo3.bar.baz', 11213, 3, 0)])
def check_dns(domain, ns):
ns_s = filter(len, map(lambda s: s.strip(),
ns.replace('"', '').split(';')))
if len(ns_s) < 1:
return {}
mess = dns.message.make_query(dns_name.from_text(domain),
dns.rdatatype.SOA)
result = {}
for ns in ns_s:
try:
name_s = dns_name.from_text(ns.split()[0]).to_text()
answer = query.tcp(mess, name_s, timeout=2)
if len(answer.authority):
result[ns] = True
else:
rr = answer.answer[0][0]
if rr.rdtype == dns.rdatatype.SOA:
result[ns] = True
else:
result[ns] = False
except:
result[ns] = False
return result
def test_should_include_local_domain_when_omitted(self):
with mock.patch('dns.resolver.query') as query:
with mock.patch('socket.getfqdn') as getfqdn:
getfqdn.return_value = 'baz'
query_name = name.from_text('foo.bar.baz.')
msg = message.from_text(self.MESSAGE)
answer = resolver.Answer(query_name,
33, 1, msg,
msg.answer[0])
query.return_value = answer
self.assertEqual(srvlookup.lookup('foo', 'bar'),
[srvlookup.SRV('1.2.3.5', 11211, 1, 0),
srvlookup.SRV('1.2.3.4', 11211, 2, 0)])
def addCNAME(self, record_name, target):
"""
Adds a CNAME record to the zone.
:param record_name: String which represents the DNS name for the record.
:param target: Target of DNS name.
"""
import dns.rdtypes.ANY.CNAME as rdtype
rdataset = self.nix_zone.find_rdataset(record_name, rdtype=rdatatype.CNAME, create=True)
rdata = rdtype.CNAME(rdataclass.IN, rdatatype.CNAME, name.from_text(target))
rdataset.add(rdata, ttl=self.ttl)
return
def addNS(self, record_name, host):
"""
Adds a NS record to the zone.
:param record_name: String which represents the DNS name for the record.
:param host: Hostname of the nameserver being added.
"""
import dns.rdtypes.ANY.NS as rdtype
rdataset = self.nix_zone.find_rdataset(record_name, rdtype=rdatatype.NS, create=True)
rdata = rdtype.NS(rdataclass.IN, rdatatype.NS, name.from_text(host))
rdataset.add(rdata, ttl=self.ttl)
return
def addMX(self, record_name, exchanger, priority):
"""
Adds a MX record to the zone.
:param record_name: String which represents the DNS name for the record.
:param exchanger: Host to point this MX record at.
:param priority: MX record priority.
"""
import dns.rdtypes.ANY.MX as rdtype
rdataset = self.nix_zone.find_rdataset(record_name, rdtype=rdatatype.MX, create=True)
rdata = rdtype.MX(rdataclass.IN, rdatatype.MX, priority, name.from_text(exchanger))
rdataset.add(rdata, ttl=self.ttl)
return
def addSRV(self, record_name, priority, weight, port, target):
"""
Adds a SRV record to the zone.
:param record_name:
:param priority:
:param weight:
:param port:
:param target:
"""
import dns.rdtypes.IN.SRV as rdtype
rdataset = self.nix_zone.find_rdataset(record_name, rdtype=rdatatype.SRV, create=True)
rdata = rdtype.SRV(rdataclass.IN, rdatatype.SRV, priority, weight, port, name.from_text(target))
rdataset.add(rdata, ttl=self.ttl)
return
def WriteToZoneFile(zone_file, record_sets, domain):
"""Writes the given record-sets in zone file format to the given file.
Args:
zone_file: file, File into which the records should be written.
record_sets: list, ResourceRecordSets to be written out.
domain: str, The origin domain for the zone file.
"""
zone_contents = zone.Zone(name.from_text(domain))
for record_set in record_sets:
rdset = zone_contents.get_rdataset(record_set.name,
record_set.type,
create=True)
for rrdata in record_set.rrdatas:
rdset.add(rdata.from_text(rdataclass.IN,
rdatatype.from_text(record_set.type),
str(rrdata),
origin=zone_contents.origin),
ttl=record_set.ttl)
zone_contents.to_file(zone_file, relativize=False)
def test_create_simple_rrset(self):
rrset = create_simple_rrset("localhost", "127.0.0.1")
assert rrset
assert rrset.name == from_text("localhost.")
def _test_hit_authority(self, nameserver, aggressive=False):
name = "a.gtld-servers.net."
resolver = self.get_test_resolver(nameserver)
try:
q1 = resolver.query(name, A)
except Timeout:
raise unittest.SkipTest("Timeout occurred")
if not q1.response.authority:
raise unittest.SkipTest("no authority section")
if aggressive:
assert len(resolver.cache.data) >= 1
else:
assert len(resolver.cache.data) == 1
name = from_text(name)
assert (name, A, IN) in resolver.cache.data
assert resolver.cache.get((name, A, IN))
entry = resolver.cache.data[(name, A, IN)]
if isinstance(entry, LRUCacheNode):
answer = entry.value
else:
answer = entry
assert answer == q1
rrsets = answer.response.answer
assert rrsets
assert len(rrsets) == 1
names = set([rrset.name for rrset in rrsets])
assert len(names) == 1
assert len(answer.response.authority) == 1
rrsets = answer.response.authority
assert rrsets
assert len(rrsets) == 1
authority_names = sorted(set([
rrset.name for rrset in rrsets
if rrset.rdtype == NS and rrset.rdclass == IN
]))
with dnspython_resolver_socket_block():
q2 = resolver.query(name, A)
if aggressive:
assert len(resolver.cache.data) >= 1
else:
assert len(resolver.cache.data) == 1
assert q2 is q1
if aggressive:
return resolver, authority_names
with self.assertRaises(_SocketBlockedError):
with dnspython_resolver_socket_block():
resolver.query(authority_names[0], NS)
def check_dns_resolution(host_name, dns_servers):
"""Check forward and reverse resolution of host_name using dns_servers
"""
# Point the resolver at specified DNS server
server_ips = []
for dns_server in dns_servers:
try:
server_ips = list(
a[4][0] for a in socket.getaddrinfo(dns_server, None))
except socket.error:
pass
else:
break
if not server_ips:
root_logger.error(
'Could not resolve any DNS server hostname: %s', dns_servers)
return False
resolver = dnsresolver.Resolver()
resolver.nameservers = server_ips
root_logger.debug('Search DNS server %s (%s) for %s',
dns_server, server_ips, host_name)
# Get IP addresses of host_name
addresses = set()
for rtype in 'A', 'AAAA':
try:
result = resolver.query(host_name, rtype)
except dnsexception.DNSException:
rrset = []
else:
rrset = result.rrset
if rrset:
addresses.update(r.address for r in result.rrset)
if not addresses:
root_logger.error(
'Could not resolve hostname %s using DNS. '
'Clients may not function properly. '
'Please check your DNS setup. '
'(Note that this check queries IPA DNS directly and '
'ignores /etc/hosts.)',
host_name)
return False
no_errors = True
# Check each of the IP addresses
checked = set()
for address in addresses:
if address in checked:
continue
checked.add(address)
try:
root_logger.debug('Check reverse address %s (%s)',
address, host_name)
revname = dnsreversename.from_address(address)
rrset = resolver.query(revname, 'PTR').rrset
except Exception, e:
root_logger.debug('Check failed: %s %s', type(e).__name__, e)
root_logger.error(
'Reverse DNS resolution of address %s (%s) failed. '
'Clients may not function properly. '
'Please check your DNS setup. '
'(Note that this check queries IPA DNS directly and '
'ignores /etc/hosts.)',
address, host_name)
no_errors = False
else:
host_name_obj = dnsname.from_text(host_name)
if rrset:
names = [r.target.to_text() for r in rrset]
else:
names = []
root_logger.debug(
'Address %s resolves to: %s. ', address, ', '.join(names))
if not rrset or not any(
r.target == host_name_obj for r in rrset):
root_logger.error(
'The IP address %s of host %s resolves to: %s. '
'Clients may not function properly. '
'Please check your DNS setup. '
'(Note that this check queries IPA DNS directly and '
'ignores /etc/hosts.)',
address, host_name, ', '.join(names))
no_errors = False
def test_decode(self):
assert key_decode("foo.bar.!1!1") == (from_text("foo.bar."), A, IN)
assert key_decode("foo!bar.!1!1") == (from_text("foo!bar."), A, IN)
def test_nxdomain(self, expected_extra=0, long_expiry=False, ignore_any=False):
missing_name = "invalid.invalid."
expected_cache_count = expected_extra + (1 if DNSPYTHON_2 else 0)
resolver = self.get_test_resolver()
if DNSPYTHON_2:
query = resolver.resolve
else:
query = resolver.query
try:
query(missing_name)
except NXDOMAIN:
pass
else:
raise unittest.SkipTest("DNS hijacked")
e_qnames = e_responses = None
with self.assertRaises(NXDOMAIN) as first_e:
query(missing_name)
if not hasattr(first_e, "qnames"):
first_e = first_e.exception
e_qnames, e_responses = _get_nxdomain_exception_values(first_e)
assert e_qnames and e_responses
name = from_text(missing_name)
assert e_qnames == [name]
assert len(resolver.cache.data) == expected_cache_count
self._flush_cache(resolver)
with self.assertRaises(NXDOMAIN):
query(missing_name, A, tcp=True)
assert len(resolver.cache.data) == expected_cache_count
if DNSPYTHON_2:
assert (name, ANY, IN) in resolver.cache.data
entry = resolver.cache.data[(name, ANY, IN)]
assert entry is not None
if isinstance(entry, LRUCacheNode):
entry = entry.value
assert isinstance(entry, Answer)
if expected_extra:
assert (name, A, IN) in resolver.cache.data
else:
assert (name, A, IN) not in resolver.cache.data
# While dnspython 2 creates a cache entry for ANY,
# requests for ANY fail, and the cache entry persists
with self.assertRaises(NoMetaqueries):
query(missing_name, ANY)
# The exception caching .resolve sets ignore_any becase it
# fetches from the cache, which removes the cache entry unless
# the expiration is high
if DNSPYTHON_2 and not ignore_any:
assert (name, ANY, IN) in resolver.cache.data
entry = resolver.cache.data[(name, ANY, IN)]
assert entry is not None
if isinstance(entry, LRUCacheNode):
entry = entry.value
assert isinstance(entry, Answer)
with self.assertRaises(NXDOMAIN):
query(missing_name, A, tcp=True)
# While dnspython 2 creates a cache entry for ANY, and it uses
# that caching to response to A without network activity,
# the cache entry expiries very quickly. This appear to be
# improved in dnspython 2.1dev.
if not long_expiry:
if DNSPYTHON_2:
long_expiry = True
if long_expiry:
with self.assertRaises(NXDOMAIN):
with dnspython_resolver_socket_block():
query(missing_name, A)
# bailout because test_exceptions would fail the below assertion, as the
# exception NODOMAIN will be raised even when the socket is blocked
if expected_extra or long_expiry:
return resolver, first_e
with self.assertRaises(_SocketBlockedError):
with dnspython_resolver_socket_block():
query(missing_name, A)
class NSEC3Hash(unittest.TestCase):
DATA = [
# Source: https://tools.ietf.org/html/rfc5155#appendix-A
("example", "aabbccdd", 12, "0p9mhaveqvm6t7vbl5lop2u3t2rp3tom", 1),
("a.example", "aabbccdd", 12, "35mthgpgcu1qg68fab165klnsnk3dpvl", 1),
("ai.example", "aabbccdd", 12, "gjeqe526plbf1g8mklp59enfd789njgi", 1),
("ns1.example", "aabbccdd", 12, "2t7b4g4vsa5smi47k61mv5bv1a22bojr", 1),
("ns2.example", "aabbccdd", 12, "q04jkcevqvmu85r014c7dkba38o0ji5r", 1),
("w.example", "aabbccdd", 12, "k8udemvp1j2f7eg6jebps17vp3n8i58h", 1),
("*.w.example", "aabbccdd", 12, "r53bq7cc2uvmubfu5ocmm6pers9tk9en", 1),
("x.w.example", "aabbccdd", 12, "b4um86eghhds6nea196smvmlo4ors995", 1),
("y.w.example", "aabbccdd", 12, "ji6neoaepv8b5o6k4ev33abha8ht9fgc", 1),
("x.y.w.example", "aabbccdd", 12, "2vptu5timamqttgl4luu9kg21e0aor3s",
1),
("xx.example", "aabbccdd", 12, "t644ebqk9bibcna874givr6joj62mlhv", 1),
(
"2t7b4g4vsa5smi47k61mv5bv1a22bojr.example",
"aabbccdd",
12,
"kohar7mbb8dc2ce8a9qvl8hon4k53uhi",
1,
),
# Source: generated with knsec3hash (Linux knot package)
("example.com", "9F1AB450CF71D6", 0,
"qfo2sv6jaej4cm11a3npoorfrckdao2c", 1),
("example.com", "9F1AB450CF71D6", 1,
"1nr64to0bb861lku97deb4ubbk6cl5qh", 1),
("example.com.", "AF6AB45CCF79D6", 6,
"sale3fn6penahh1lq5oqtr5rcl1d113a", 1),
("test.domain.dev.", "", 6, "8q98lv9jgkhoq272e42c8blesivia7bu", 1),
("www.test.domain.dev.", "B4", 2, "nv7ti6brgh94ke2f3pgiigjevfgpo5j0",
1),
("*.test-domain.dev", "", 0, "o6uadafckb6hea9qpcgir2gl71vt23gu", 1),
("*.test-domain.dev", "", 45, "505k9g118d9sofnjhh54rr8fadgpa0ct", 1),
# Alternate forms of parameters
(
name.from_text("example"),
"aabbccdd",
12,
"0p9mhaveqvm6t7vbl5lop2u3t2rp3tom",
1,
),
(
"example",
b"\xaa\xbb\xcc\xdd",
12,
"0p9mhaveqvm6t7vbl5lop2u3t2rp3tom",
1,
),
("*.test-domain.dev", None, 45, "505k9g118d9sofnjhh54rr8fadgpa0ct", 1),
(
"example",
"aabbccdd",
12,
"0p9mhaveqvm6t7vbl5lop2u3t2rp3tom",
dnssec.NSEC3Hash.SHA1,
),
("example", "aabbccdd", 12, "0p9mhaveqvm6t7vbl5lop2u3t2rp3tom",
"SHA1"),
("example", "aabbccdd", 12, "0p9mhaveqvm6t7vbl5lop2u3t2rp3tom",
"sha1"),
]
def test_hash_function(self):
for d in self.DATA:
hash = dnssec.nsec3_hash(d[0], d[1], d[2], d[4])
self.assertEqual(hash, d[3].upper(), "Error {}".format(d))
def test_hash_invalid_salt_length(self):
data = (
"example.com",
"9F1AB450CF71D",
0,
"qfo2sv6jaej4cm11a3npoorfrckdao2c",
1,
)
with self.assertRaises(ValueError):
hash = dnssec.nsec3_hash(data[0], data[1], data[2], data[4])
def test_hash_invalid_algorithm(self):
data = (
"example.com",
"9F1AB450CF71D",
0,
"qfo2sv6jaej4cm11a3npoorfrckdao2c",
1,
)
with self.assertRaises(ValueError):
dnssec.nsec3_hash(data[0], data[1], data[2], 10)
with self.assertRaises(ValueError):
dnssec.nsec3_hash(data[0], data[1], data[2], "foo")
def _test_hit_additional(self, nameserver, aggressive=False):
name = "cloudflare.com."
resolver = self.get_test_resolver(nameserver)
try:
q1 = resolver.query(name, NS)
except Timeout:
raise unittest.SkipTest("Timeout occurred")
if not q1.response.additional:
raise unittest.SkipTest("no additional section")
# Many US servers are returning an additional section with
# only a single entry, as opposed to many as expected by the logic.
if len(q1.response.additional) == 1:
raise unittest.SkipTest("additional section has one entry")
if aggressive:
assert len(resolver.cache.data) > 1
else:
assert len(resolver.cache.data) == 1
name = from_text(name)
assert (name, NS, IN) in resolver.cache.data
assert resolver.cache.get((name, NS, IN))
entry = resolver.cache.data[(name, NS, IN)]
if isinstance(entry, LRUCacheNode):
answer = entry.value
else:
answer = entry
rrsets = answer.response.answer
assert rrsets
assert len(rrsets) == 1
names = set([rrset.name for rrset in rrsets])
assert len(names) == 1
rrset = [rrset for rrset in rrsets][0]
assert len(answer.response.additional) > 1
rrsets = answer.response.additional
assert rrsets
assert len(rrsets) > 1
additional_names = sorted(set([
rrset.name for rrset in rrsets
if rrset.rdclass == IN
]))
assert additional_names
additional_a_names = sorted(set([
rrset.name for rrset in rrsets
if rrset.rdtype == A and rrset.rdclass == IN
]))
if not additional_a_names:
additional_aaaa_names = sorted(set([
rrset.name for rrset in rrsets
if rrset.rdtype == AAAA and rrset.rdclass == IN
]))
if additional_aaaa_names:
raise unittest.SkipTest("Additional only has AAAA")
assert additional_a_names
with dnspython_resolver_socket_block():
q2 = resolver.query(name, NS)
if aggressive:
assert len(resolver.cache.data) > 1
else:
assert len(resolver.cache.data) == 1
assert q2 is q1
if aggressive:
return resolver, additional_a_names
with self.assertRaises(_SocketBlockedError):
with dnspython_resolver_socket_block():
ip = resolver.query(additional_a_names[0], A)
return resolver
def replica_krb_init_info(ansible_log,
fstore,
realm_name,
master_host_name,
host_name,
domain_name,
admin_password,
no_pkinit,
subject_base,
pkcs12_info=None):
# promote is not needed here
# From replicainstall.install_krb
krb = krbinstance.KrbInstance(fstore=fstore)
krb.set_output(ansible_log)
# pkinit files
if pkcs12_info is None:
pkcs12_info = make_pkcs12_info(config.dir, "pkinitcert.p12",
"pkinit_pin.txt")
#krb.create_replica(realm_name,
# master_host_name, host_name,
# domain_name, dirman_password,
# setup_pkinit, pkcs12_info,
# subject_base=subject_base,
# promote=promote)
with redirect_stdout(ansible_log):
krb.init_info(realm_name,
host_name,
setup_pkinit=not no_pkinit,
subject_base=subject_base)
# From ipaserver.install.krbinstance.create_replica
krb.pkcs12_info = pkcs12_info
krb.subject_base = subject_base
krb.master_fqdn = master_host_name
krb.config_pkinit = not no_pkinit
#krb.__common_setup(realm_name, host_name, domain_name, admin_password)
krb.fqdn = host_name
krb.realm = realm_name.upper()
krb.host = host_name.split(".")[0]
krb.ip = socket.getaddrinfo(host_name, None, socket.AF_UNSPEC,
socket.SOCK_STREAM)[0][4][0]
krb.domain = domain_name
krb.suffix = ipautil.realm_to_suffix(krb.realm)
krb.kdc_password = ipautil.ipa_generate_password()
krb.admin_password = admin_password
krb.dm_password = admin_password
#krb.__setup_sub_dict()
if os.path.exists(paths.COMMON_KRB5_CONF_DIR):
includes = 'includedir {}'.format(paths.COMMON_KRB5_CONF_DIR)
else:
includes = ''
krb.sub_dict = dict(FQDN=krb.fqdn,
IP=krb.ip,
PASSWORD=krb.kdc_password,
SUFFIX=krb.suffix,
DOMAIN=krb.domain,
HOST=krb.host,
SERVER_ID=installutils.realm_to_serverid(
krb.realm),
REALM=krb.realm,
KRB5KDC_KADM5_ACL=paths.KRB5KDC_KADM5_ACL,
DICT_WORDS=paths.DICT_WORDS,
KRB5KDC_KADM5_KEYTAB=paths.KRB5KDC_KADM5_KEYTAB,
KDC_CERT=paths.KDC_CERT,
KDC_KEY=paths.KDC_KEY,
CACERT_PEM=paths.CACERT_PEM,
KDC_CA_BUNDLE_PEM=paths.KDC_CA_BUNDLE_PEM,
CA_BUNDLE_PEM=paths.CA_BUNDLE_PEM,
INCLUDES=includes)
# IPA server/KDC is not a subdomain of default domain
# Proper domain-realm mapping needs to be specified
domain = dnsname.from_text(krb.domain)
fqdn = dnsname.from_text(krb.fqdn)
if not fqdn.is_subdomain(domain):
logger.debug("IPA FQDN '%s' is not located in default domain '%s'",
fqdn, domain)
server_domain = fqdn.parent().to_unicode(omit_final_dot=True)
logger.debug("Domain '%s' needs additional mapping in krb5.conf",
server_domain)
dr_map = " .%(domain)s = %(realm)s\n %(domain)s = %(realm)s\n" \
% dict(domain=server_domain, realm=krb.realm)
else:
dr_map = ""
krb.sub_dict['OTHER_DOMAIN_REALM_MAPS'] = dr_map
# Configure KEYRING CCACHE if supported
if kernel_keyring.is_persistent_keyring_supported():
logger.debug("Enabling persistent keyring CCACHE")
krb.sub_dict['OTHER_LIBDEFAULTS'] = \
" default_ccache_name = KEYRING:persistent:%{uid}\n"
else:
logger.debug("Persistent keyring CCACHE is not enabled")
krb.sub_dict['OTHER_LIBDEFAULTS'] = ''
return krb
def check_dns_resolution(host_name, dns_servers):
"""Check forward and reverse resolution of host_name using dns_servers
"""
# Point the resolver at specified DNS server
server_ips = []
for dns_server in dns_servers:
try:
server_ips = list(
a[4][0] for a in socket.getaddrinfo(dns_server, None))
except socket.error:
pass
else:
break
if not server_ips:
logger.error(
'Could not resolve any DNS server hostname: %s', dns_servers)
return False
resolver = dnsresolver.Resolver()
resolver.nameservers = server_ips
logger.debug('Search DNS server %s (%s) for %s',
dns_server, server_ips, host_name)
# Get IP addresses of host_name
addresses = set()
for rtype in 'A', 'AAAA':
try:
result = resolver.query(host_name, rtype)
except dnsexception.DNSException:
rrset = []
else:
rrset = result.rrset
if rrset:
addresses.update(r.address for r in result.rrset)
if not addresses:
logger.error(
'Could not resolve hostname %s using DNS. '
'Clients may not function properly. '
'Please check your DNS setup. '
'(Note that this check queries IPA DNS directly and '
'ignores /etc/hosts.)',
host_name)
return False
no_errors = True
# Check each of the IP addresses
checked = set()
for address in addresses:
if address in checked:
continue
checked.add(address)
try:
logger.debug('Check reverse address %s (%s)', address, host_name)
revname = dnsreversename.from_address(address)
rrset = resolver.query(revname, 'PTR').rrset
except Exception as e:
logger.debug('Check failed: %s %s', type(e).__name__, e)
logger.error(
'Reverse DNS resolution of address %s (%s) failed. '
'Clients may not function properly. '
'Please check your DNS setup. '
'(Note that this check queries IPA DNS directly and '
'ignores /etc/hosts.)',
address, host_name)
no_errors = False
else:
host_name_obj = dnsname.from_text(host_name)
if rrset:
names = [r.target.to_text() for r in rrset]
else:
names = []
logger.debug(
'Address %s resolves to: %s. ', address, ', '.join(names))
if not rrset or not any(
r.target == host_name_obj for r in rrset):
logger.error(
'The IP address %s of host %s resolves to: %s. '
'Clients may not function properly. '
'Please check your DNS setup. '
'(Note that this check queries IPA DNS directly and '
'ignores /etc/hosts.)',
address, host_name, ', '.join(names))
no_errors = False
return no_errors
def main(self, host=[], *args):
"""
Main function
"""
target = self.ip
if self.host:
try:
target = gethostbyname(self.host)
except:
raise InvalidTarget('Host not found.')
domain = None
if not host or not host[0]:
raise NoHostName('No host name specified.')
for domain in host:
if not domain:
continue
self._check_stop()
self._write_result('%s:' % domain)
results = []
try:
# make DNS query manually, clearing the RD (recursion desired) flag
query = make_query(domain, rdatatype.A, rdataclass.IN)
query.flags = flags.RD
found = False
try:
response = dns_query.udp(query, target, self.DNS_TIMEOUT, self.DNS_PORT, None)
except Exception:
response = None
if response and response.rcode() == rcode.NXDOMAIN:
raise NXDOMAIN
if response and response.rcode() == rcode.NOERROR:
found = True
else:
raise NXDOMAIN
a_records = Answer(dns_name.from_text(domain), rdatatype.A, rdataclass.IN, response, True)
a_records = map(lambda x: str(x), a_records)
for a in a_records:
if str(a) not in results:
results.append(str(a))
self._write_result(str(a))
if len(results) == 0:
self._write_result('No A records.')
except ( NoAnswer, NXDOMAIN ):
self._write_result('Host not found.')
except Timeout:
self._write_result('DNS request timeout.')
except DNSException:
self._write_result('DNS error.')
self._write_result('')
self._check_stop()