[Freeipa-devel] [PATCH] 8 Add DNS service records for Windows

Sumit Bose sbose at redhat.com
Mon Nov 28 17:16:34 UTC 2011


On Mon, Nov 28, 2011 at 02:26:00PM +0200, Alexander Bokovoy wrote:
> On Fri, 25 Nov 2011, Sumit Bose wrote:
> > On Wed, Nov 23, 2011 at 05:33:42PM -0500, Rob Crittenden wrote:
> > > Alexander Bokovoy wrote:
> > > >Hi Sumit,
> > > >
> > > >On Fri, 14 Oct 2011, Sumit Bose wrote:
> > > >>>It would make more clear what is the default and that it is really
> > > >>>optional setting -- I'm thinking from the perspective of maintenance
> > > >>>of the code in future.
> > > >>
> > > >>Thank you for your comments, new version attached.
> > > >Finally got to test it. ACK.
> > > >
> > > 
> > > pushed to master.
> > 
> > Sorry, I think you pushed the first version and not -3- which was ACKed
> > by Alexander.
> Hm. Sumit, could you please rebase -3- on top of current master 
> HEAD+(1)? 
> 
> I tried that briefly myself and failed. 
> 
> (1) Right now I'm also getting make-lint failing due to more strict
> PyLint in F16/Rawhide and those seem to be correct and also affect
> adtrustinstance.
> 
> I'm sending the patch shortly, so please rebase on top of it.

ok, rebased version is attached. To push this upstream you still have to
revert the wrong commit.

bye,
Sumit

> 
> -- 
> / Alexander Bokovoy
-------------- next part --------------
>From 9d8f35baa97c332e4eb676d01815cc68050f37ef Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose at redhat.com>
Date: Thu, 13 Oct 2011 12:01:57 +0200
Subject: [PATCH] Add DNS service records for Windows

https://fedorahosted.org/freeipa/ticket/1939
---
 install/tools/ipa-adtrust-install       |    5 ++-
 install/tools/man/ipa-adtrust-install.1 |    3 ++
 ipaserver/install/adtrustinstance.py    |   59 +++++++++++++++++++++++++++++-
 3 files changed, 64 insertions(+), 3 deletions(-)

diff --git a/install/tools/ipa-adtrust-install b/install/tools/ipa-adtrust-install
index 9a6e61c2c5e8148a13d51718edc4e38a65af1fec..87fecbfb4834d65fdccc3f8536a5665ba75e48a5 100755
--- a/install/tools/ipa-adtrust-install
+++ b/install/tools/ipa-adtrust-install
@@ -45,6 +45,9 @@ def parse_options():
                       type="ip", ip_local=True, help="Master Server IP Address")
     parser.add_option("--netbios-name", dest="netbios_name",
                       help="NetBIOS name of the IPA domain")
+    parser.add_option("--no-msdcs", dest="no_msdcs", action="store_true",
+                      default=False, help="Do not create DNS service records " \
+                                          "for Windows in managed DNS server")
     parser.add_option("-U", "--unattended", dest="unattended", action="store_true",
                       default=False, help="unattended installation never prompts the user")
 
@@ -197,7 +200,7 @@ def main():
         api.Backend.ldap2.connect(ccache)
 
     smb.setup(api.env.host, ip_address, api.env.realm, api.env.domain,
-              netbios_name)
+              netbios_name, options.no_msdcs)
     smb.create_instance()
 
     print "=============================================================================="
diff --git a/install/tools/man/ipa-adtrust-install.1 b/install/tools/man/ipa-adtrust-install.1
index a3981adf48d14cc0e540c646fff099490203f862..b61da19088b40d6a9e53784f9a061913ecda4321 100644
--- a/install/tools/man/ipa-adtrust-install.1
+++ b/install/tools/man/ipa-adtrust-install.1
@@ -39,6 +39,9 @@ The IP address of the IPA server. If not provided then this is determined based
 \fB\-\-netbios\-name\fR=\fINETBIOS_NAME\fR
 The NetBIOS name for the IPA domain. If not provided then this is determined based on the leading component of the DNS domain name.
 .TP
+\fB\-\-no\-msdcs\fR
+Do not create DNS service records for Windows in managed DNS server
+.TP
 \fB\-U\fR, \fB\-\-unattended\fR
 An unattended installation that will never prompt for user input
 .SH "EXIT STATUS"
diff --git a/ipaserver/install/adtrustinstance.py b/ipaserver/install/adtrustinstance.py
index 1fcf9e03716a1b31aac47e206adc6ee86eee1cd9..bbda11cc752923e010a06daac87aaba532cfbbb4 100644
--- a/ipaserver/install/adtrustinstance.py
+++ b/ipaserver/install/adtrustinstance.py
@@ -25,7 +25,9 @@ import tempfile
 import installutils
 from ipaserver import ipaldap
 from ipaserver.install.dsinstance import realm_to_serverid
-from ipalib import errors
+from ipaserver.install.bindinstance import get_rr, add_rr, del_rr, \
+                                           dns_zone_exists
+from ipalib import errors, api
 from ipapython import sysrestore
 from ipapython import ipautil
 from ipapython.ipa_log_manager import *
@@ -245,6 +247,56 @@ class ADTRUSTInstance(service.Service):
         except ipautil.CalledProcessError, e:
             root_logger.critical("Failed to add key for %s" % cifs_principal)
 
+    def __add_dns_service_records(self):
+        """
+        Add DNS service records for Windows if DNS is enabled and the DNS zone
+        is managed. If there are already service records for LDAP and Kerberos
+        their values are used. Otherwise default values are used.
+        """
+
+        zone = self.domain_name
+        host = self.fqdn.split(".")[0]
+
+        ipa_srv_rec = (
+            ("_ldap._tcp", ["0 100 389 %s" % host]),
+            ("_kerberos._tcp", ["0 100 88 %s" % host]),
+            ("_kerberos._udp", ["0 100 88 %s" % host])
+        )
+        win_srv_suffix = (".Default-First-Site-Name._sites.dc._msdcs",
+                          ".dc._msdcs")
+
+        err_msg = None
+        ret = api.Command.dns_is_enabled()
+        if not ret['result']:
+            err_msg = "DNS management was not enabled at install time."
+        else:
+            if not dns_zone_exists(zone):
+                err_msg = "DNS zone %s cannot be managed " \
+                          "as it is not defined in IPA" % zone
+
+        if err_msg:
+            print err_msg
+            print "Add the following service records to your DNS server " \
+                  "for DNS zone %s: " % zone
+            for (srv, rdata) in ipa_srv_rec:
+                for suff in win_srv_suffix:
+                    print " - %s%s"  % (srv, suff)
+            return
+
+        for (srv, rdata) in ipa_srv_rec:
+            ipa_rdata = get_rr(zone, srv, "SRV")
+            if not ipa_rdata:
+                ipa_rdata = rdata
+
+            for suff in win_srv_suffix:
+                win_srv = srv+suff
+                win_rdata = get_rr(zone, win_srv, "SRV")
+                if win_rdata:
+                    for rec in win_rdata:
+                        del_rr(zone, win_srv, "SRV", rec)
+                for rec in ipa_rdata:
+                    add_rr(zone, win_srv, "SRV", rec)
+
     def __start(self):
         try:
             self.start()
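Review bot: The fallback SRV data on lines 126–128 uses only the first label of the FQDN (`host = self.fqdn.split(".")[0]`) as a name relative to `zone = self.domain_name`, so if the server's FQDN is not directly under the IPA domain the generated records point Windows clients at a non-existent or wrong host; an absolute target such as `"0 100 389 %s." % self.fqdn` for all three entries does not depend on that assumption. In the fallback message loop on lines 146–148 `rdata` is never used, so the administrator is told which record names to create but not their values — printing `rdata` alongside `srv` and `suff` would make the manual instructions complete. Finally, the `del_rr`/`add_rr` sequence on lines 159–163 replaces existing _msdcs records even when they already equal `ipa_rdata`, and a failure in `add_rr` after the deletions leaves the name without any record; a `if win_rdata != ipa_rdata:` guard, or adding the new values before deleting the stale ones, narrows both issues. The method is complete within the hunk; the enclosing class is not.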
@@ -277,12 +329,13 @@ class ADTRUSTInstance(service.Service):
                              LDAPI_SOCKET = self.ldapi_socket)
 
     def setup(self, fqdn, ip_address, realm_name, domain_name, netbios_name,
-              smbd_user="samba"):
+              no_msdcs=False, smbd_user="samba"):
         self.fqdn =fqdn
         self.ip_address = ip_address
         self.realm_name = realm_name
         self.domain_name = domain_name
         self.netbios_name = netbios_name
+        self.no_msdcs = no_msdcs
         self.smbd_user = smbd_user
         self.suffix = ipautil.realm_to_suffix(self.realm_name)
         self.ldapi_socket = "%%2fvar%%2frun%%2fslapd-%s.socket" % realm_to_serverid(self.realm_name)
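Review bot: Inserting `no_msdcs=False` before `smbd_user="samba"` in setup()'s signature changes the meaning of a positional sixth argument, so any caller that passed smbd_user positionally would now have that value interpreted as no_msdcs. Appending the new parameter after the existing one keeps the old positions valid: `def setup(self, fqdn, ip_address, realm_name, domain_name, netbios_name, smbd_user="samba", no_msdcs=False):`, with the installer call in the first file then passing `no_msdcs=options.no_msdcs` as a keyword. Whether any existing caller relies on the positional form is not visible here. setup()'s body continues past the end of the hunk.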
@@ -311,6 +364,8 @@ class ADTRUSTInstance(service.Service):
         self.step("Adding cifs Kerberos principal", self.__setup_principal)
         self.step("Adding admin(group) SIDs", self.__add_admin_sids)
         self.step("configuring smbd to start on boot", self.__enable)
+        if not self.no_msdcs:
+            self.step("adding special DNS service records", self.__add_dns_service_records)
         self.step("starting smbd", self.__start)
 
         self.start_creation("Configuring smbd:")
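Review bot: The step label `"adding special DNS service records"` on line 188 does not say what is special about these records, so the installer output gives no hint that it corresponds to the `--no-msdcs` option. Naming them makes the log self-explanatory, e.g. `self.step("adding _msdcs DNS service records for Windows", self.__add_dns_service_records)`. create_instance()'s body begins before the hunk.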
-- 
1.7.6


