[Freeipa-devel] [PATCH] Set master_kdc and dns_lookup_kdc to true

Sumit Bose sbose at redhat.com
Fri Sep 7 12:02:01 UTC 2012


Hi,

those two patches should fix
https://fedorahosted.org/freeipa/ticket/2515 . The first makes the
needed change for fresh installations. The second adds the changes
during ipa-adtrust-install if needed. I prefer to make the changes here
instead of during updates, because during an update it is not easy to see
that the Kerberos configuration has been changed.

bye,
Sumit
-------------- next part --------------
From af51c4e31fe691a05498c29d334b5958c60dface Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose at redhat.com>
Date: Thu, 16 Aug 2012 13:16:55 +0200
Subject: [PATCH 67/68] Set master_kdc and dns_lookup_kdc to true

---
 contrib/RHEL4/ipa-client-setup            | 3 ++-
 install/share/krb5.conf.template          | 3 ++-
 install/share/krb5.ini.template           | 1 +
 install/tools/ipa-replica-conncheck       | 3 ++-
 ipa-client/ipa-install/ipa-client-install | 1 +
 5 Dateien ge?ndert, 8 Zeilen hinzugef?gt(+), 3 Zeilen entfernt(-)

diff --git a/contrib/RHEL4/ipa-client-setup b/contrib/RHEL4/ipa-client-setup
index 1a8761036e1b7230b1524c45d565126ff73030b4..4d1fead981d0e10232e974527222a2f9a62252b4 100644
--- a/contrib/RHEL4/ipa-client-setup
+++ b/contrib/RHEL4/ipa-client-setup
@@ -307,7 +307,7 @@ def main():
         #[libdefaults]
         libopts = [{'name':'default_realm', 'type':'option', 'value':ipasrv.getRealmName()}]
         libopts.append({'name':'dns_lookup_realm', 'type':'option', 'value':'false'})
-        libopts.append({'name':'dns_lookup_kdc', 'type':'option', 'value':'false'})
+        libopts.append({'name':'dns_lookup_kdc', 'type':'option', 'value':'true'})
         libopts.append({'name':'ticket_lifetime', 'type':'option', 'value':'24h'})
         libopts.append({'name':'forwardable', 'type':'option', 'value':'yes'})
 
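Review bot: The flip of `dns_lookup_kdc` to `'true'` at the fourth line of the hunk deserves a comment saying why it is safe next to the explicit `kdc` entries that follow, because nothing in the hunk records which realms DNS discovery is meant for; e.g. `# dns_lookup_kdc=true: KDCs of realms not pinned under [realms] (presumably trusted AD realms) are located via DNS SRV records`. Once enabled, KDC location for every realm that is not pinned in [realms] depends on the integrity of DNS answers, which is worth stating in the commit message so operators know about the new dependency. The identical one-line change appears in install/share/krb5.conf.template and install/tools/ipa-replica-conncheck and needs the same note there. main() starts and ends outside the hunk.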
@@ -316,6 +316,7 @@ def main():
 
         #[realms]
         kropts =[{'name':'kdc', 'type':'option', 'value':ipasrv.getServerName()+':88'},
+                 {'name':'master_kdc', 'type':'option', 'value':ipasrv.getServerName()+':88'},
                  {'name':'admin_server', 'type':'option', 'value':ipasrv.getServerName()+':749'},
                  {'name':'default_domain', 'type':'option', 'value':ipasrv.getDomainName()}]
         ropts = [{'name':ipasrv.getRealmName(), 'type':'subsection', 'value':kropts}]
diff --git a/install/share/krb5.conf.template b/install/share/krb5.conf.template
index eda8ba6fe647d54d5feef1acda41c482b0dbcefa..f8b1a6f09868c55e47f21279b6d061fbd8251171 100644
--- a/install/share/krb5.conf.template
+++ b/install/share/krb5.conf.template
@@ -6,7 +6,7 @@
 [libdefaults]
  default_realm = $REALM
  dns_lookup_realm = false
- dns_lookup_kdc = false
+ dns_lookup_kdc = true
  rdns = false
  ticket_lifetime = 24h
  forwardable = yes
@@ -14,6 +14,7 @@
 [realms]
  $REALM = {
   kdc = $FQDN:88
+  master_kdc = $FQDN:88
   admin_server = $FQDN:749
   default_domain = $DOMAIN
   pkinit_anchors = FILE:/etc/ipa/ca.crt
diff --git a/install/share/krb5.ini.template b/install/share/krb5.ini.template
index 89f4a370143ac0848b7eeed24085d897242595f1..01cc1369f518f8e903d175d5c41e40040eaa1784 100644
--- a/install/share/krb5.ini.template
+++ b/install/share/krb5.ini.template
@@ -8,6 +8,7 @@
         $REALM = {
                 admin_server = $FQDN
                 kdc = $FQDN
+                master_kdc = $FQDN
                 default_domain = $REALM
         }
 
diff --git a/install/tools/ipa-replica-conncheck b/install/tools/ipa-replica-conncheck
index 8e4536cf67cafb907a3e330607a81b4bc034015b..169e9dc9f1d28dcc7c36b09f4382b8948d5ae831 100755
--- a/install/tools/ipa-replica-conncheck
+++ b/install/tools/ipa-replica-conncheck
@@ -177,7 +177,7 @@ def configure_krb5_conf(realm, kdc, filename):
     #[libdefaults]
     libdefaults = [{'name':'default_realm', 'type':'option', 'value':realm}]
     libdefaults.append({'name':'dns_lookup_realm', 'type':'option', 'value':'false'})
-    libdefaults.append({'name':'dns_lookup_kdc', 'type':'option', 'value':'false'})
+    libdefaults.append({'name':'dns_lookup_kdc', 'type':'option', 'value':'true'})
     libdefaults.append({'name':'rdns', 'type':'option', 'value':'false'})
     libdefaults.append({'name':'ticket_lifetime', 'type':'option', 'value':'24h'})
     libdefaults.append({'name':'forwardable', 'type':'option', 'value':'yes'})
@@ -188,6 +188,7 @@ def configure_krb5_conf(realm, kdc, filename):
     #the following are necessary only if DNS discovery does not work
     #[realms]
     realms_info =[{'name':'kdc', 'type':'option', 'value':ipautil.format_netloc(kdc, 88)},
+                 {'name':'master_kdc', 'type':'option', 'value':ipautil.format_netloc(kdc, 88)},
                  {'name':'admin_server', 'type':'option', 'value':ipautil.format_netloc(kdc, 749)}]
     realms = [{'name':realm, 'type':'subsection', 'value':realms_info}]
 
diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install
index d87fcc2a662b73c8ff269b65437d7d3023509b62..38b632220a1397b73acc042bd343b7638eb96230 100755
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@@ -671,6 +671,7 @@ def configure_krb5_conf(fstore, cli_basedn, cli_realm, cli_domain, cli_server, c
         #[realms]
         for server in cli_server:
             kropts.append({'name':'kdc', 'type':'option', 'value':ipautil.format_netloc(server, 88)})
+            kropts.append({'name':'master_kdc', 'type':'option', 'value':ipautil.format_netloc(server, 88)})
             kropts.append({'name':'admin_server', 'type':'option', 'value':ipautil.format_netloc(server, 749)})
         kropts.append({'name':'default_domain', 'type':'option', 'value':cli_domain})
     kropts.append({'name':'pkinit_anchors', 'type':'option', 'value':'FILE:/etc/ipa/ca.crt'})
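Review bot: `master_kdc` is appended inside `for server in cli_server:`, so a client configured with several servers ends up with one `master_kdc` line per server; that is presumably intended because every IPA server runs a KDC, but a short comment would stop the next reader from assuming a single master was meant, e.g. `# every IPA server runs a full KDC, so each one is also listed as master_kdc`. configure_krb5_conf starts and ends outside the hunk.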
-- 
1.7.11.4

-------------- next part --------------
From 8328a84bbfeacf95231956c112e970035f367bb9 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose at redhat.com>
Date: Fri, 7 Sep 2012 12:40:58 +0200
Subject: [PATCH 68/68] Update krb5.conf during ipa-adtrust-install

---
 ipaserver/install/adtrustinstance.py | 62 ++++++++++++++++++++++++++++++++++++
 1 Datei ge?ndert, 62 Zeilen hinzugef?gt(+)

diff --git a/ipaserver/install/adtrustinstance.py b/ipaserver/install/adtrustinstance.py
index 078c54dbe6ab520e5e3e7e186d4059b5a0fa252b..a23354c0ddb648d74be7fd8170e38da3a116c18e 100644
--- a/ipaserver/install/adtrustinstance.py
+++ b/ipaserver/install/adtrustinstance.py
@@ -36,8 +36,11 @@ from ipapython.ipa_log_manager import *
 from ipapython import services as ipaservices
 from ipapython.dn import DN
 
+import ipaclient.ipachangeconf
+
 import string
 import struct
+import re
 
 ALLOWED_NETBIOS_CHARS = string.ascii_uppercase + string.digits
 
@@ -100,6 +103,7 @@ class ADTRUSTInstance(service.Service):
     def __init__(self, fstore=None):
         self.fqdn = None
         self.ip_address = None
+        self.realm = None
         self.domain_name = None
         self.netbios_name = None
         self.no_msdcs = None
@@ -410,6 +414,63 @@ class ADTRUSTInstance(service.Service):
                 except:
                     self.print_msg(SELINUX_WARNING % dict(var=','.join(sebools)))
 
+    def __mod_krb5_conf(self):
+        """
+        Set dns_lookup_kdc to true and master_kdc in /etc/krb5.conf
+        """
+
+        if not self.fqdn or not self.realm:
+            self.print_msg("Cannot modify /etc/krb5.conf")
+
+        krbconf = ipaclient.ipachangeconf.IPAChangeConf("IPA Installer")
+        krbconf.setOptionAssignment(" = ")
+        krbconf.setSectionNameDelimiters(("[", "]"))
+        krbconf.setSubSectionDelimiters(("{", "}"))
+        krbconf.setIndent(("", "  ", "    "))
+
+        libopts = [{'name':'dns_lookup_kdc', 'type':'option', 'action':'set',
+                    'value':'true'}]
+
+        master_kdc = self.fqdn + ":88"
+        kropts = [{'name':'master_kdc', 'type':'option', 'action':'set',
+                   'value':master_kdc}]
+
+        ropts = [{'name':self.realm, 'type':'subsection', 'action':'set',
+                  'value':kropts}]
+
+        opts = [{'name':'libdefaults', 'type':'section', 'action':'set',
+                 'value':libopts},
+                {'name':'realms', 'type':'section', 'action':'set',
+                 'value':ropts}]
+
+        krbconf.changeConf("/etc/krb5.conf", opts)
+
+    def __update_krb5_conf(self):
+        """
+        Update /etc/krb5.conf if needed
+        """
+
+        try:
+            krb5conf = open("/etc/krb5.conf", 'r')
+        except IOError, e:
+            self.print_msg("Cannot open /etc/krb5.conf (%s)\n" % str(e))
+            return
+
+        has_dns_lookup_kdc_true = False
+        for line in krb5conf:
+            if re.match("^\s*dns_lookup_kdc\s*=\s*[Tt][Rr][Uu][Ee]\s*$", line):
+                has_dns_lookup_kdc_true = True
+                break
+        krb5conf.close()
+
+        if not has_dns_lookup_kdc_true:
+            self.__mod_krb5_conf()
+        else:
+            self.print_msg("'dns_lookup_kdc' already set to 'true', "
+                           "nothing to do.")
+
+	
+
     def __start(self):
         try:
             self.start()
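Review bot: The guard at the top of `__mod_krb5_conf` prints "Cannot modify /etc/krb5.conf" but does not stop: with `self.fqdn` unset the following `self.fqdn + ":88"` raises a TypeError, and with only `self.realm` unset a subsection named `None` is written into /etc/krb5.conf, so add `return` right after the `self.print_msg("Cannot modify /etc/krb5.conf")` call. Separately, `__update_krb5_conf` reports "nothing to do" as soon as a `dns_lookup_kdc = true` line exists anywhere in the file, so a config that already has that option but lacks `master_kdc` is never updated; checking for both options, or always calling `__mod_krb5_conf` if `changeConf` with action 'set' is idempotent (not visible here), would be safer. The match should also be a raw string with `re.IGNORECASE`, `re.match(r"^\s*dns_lookup_kdc\s*=\s*true\s*$", line, re.IGNORECASE)`, and the file handle is better managed with `with open("/etc/krb5.conf") as krb5conf:` so it is closed even if iteration fails. The added line holding only a tab before `__start` should be dropped. Both new methods are complete within the hunk; the enclosing class is not.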
@@ -541,6 +602,7 @@ class ADTRUSTInstance(service.Service):
         self.step("adding cifs Kerberos principal", self.__setup_principal)
         self.step("adding admin(group) SIDs", self.__add_admin_sids)
         self.step("adding RID bases", self.__add_rid_bases)
+        self.step("updating Kerberos config", self.__update_krb5_conf)
         self.step("activating CLDAP plugin", self.__add_cldap_module)
         self.step("activating sidgen plugin and task", self.__add_sidgen_module)
         self.step("activating extdom plugin", self.__add_extdom_module)
-- 
1.7.11.4


