Red Hat Bugzilla – Attachment 295981 Details for
Bug 433483
Check FQDNs in ipa-addservice
[patch]
Require DNS A record for service principals
freeipa-679-dns.patch (text/plain), 6.58 KB, created by
Rob Crittenden
on 2008-02-26 18:54:14 UTC
Description:
Require DNS A record for service principals
Filename:
MIME Type:
Creator:
Rob Crittenden
Created:
2008-02-26 18:54:14 UTC
Size:
6.58 KB
patch
obsolete
># HG changeset patch
># User Rob Crittenden <rcritten@redhat.com>
># Date 1204051916 18000
># Node ID aa90098c154e9a8a3869d93abb1e02b469f55c86
># Parent 3f2aad04b13e0b632b29e5363f9124d4e6daef62
>Require that service principals resolve to a DNS A record.
>There is a --force option for those who know what they are doing.
>
>433483
>
>diff -r 3f2aad04b13e -r aa90098c154e ipa-admintools/ipa-addservice
>--- a/ipa-admintools/ipa-addservice Tue Feb 26 10:48:45 2008 -0500
>+++ b/ipa-admintools/ipa-addservice Tue Feb 26 13:51:56 2008 -0500
>@@ -36,11 +36,16 @@ import errno
> import errno
>
> def usage():
>- print "ipa-addservice principal"
>+ print "ipa-addservice [--force] principal"
> sys.exit(1)
>
> def parse_options():
> parser = OptionParser()
>+
>+ parser.add_option("--force", action="store_true", default=False,
>+ help="Force a service principal name")
>+ parser.add_option("--usage", action="store_true",
>+ help="Program usage")
>
> args = ipa.config.init_config(sys.argv)
> options, args = parser.parse_args(args)
>@@ -60,7 +65,7 @@ def main():
> client = ipaclient.IPAClient()
>
> try:
>- client.add_service_principal(princ_name)
>+ client.add_service_principal(princ_name, "%d" % options.force)
>
> except Exception, e:
> print str(e)
>diff -r 3f2aad04b13e -r aa90098c154e ipa-admintools/man/ipa-addservice.1
>--- a/ipa-admintools/man/ipa-addservice.1 Tue Feb 26 10:48:45 2008 -0500
>+++ b/ipa-admintools/man/ipa-addservice.1 Tue Feb 26 13:51:56 2008 -0500
>@@ -21,8 +21,7 @@ ipa\-addservice \- Add a service princip
> ipa\-addservice \- Add a service principal
>
> .SH "SYNOPSIS"
>-ipa\-addservice \fIprincipal\fR
>-
>+ipa\-addservice [\fIOPTION\fR]... \fIprincipal\fR
> .SH "DESCRIPTION"
> Adds a service principal \fIprincipal\fR.
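Review bot: The `--force` help string, `help="Force a service principal name"`, does not tell the operator what the flag actually skips, and since it disables the only validation this command performs the bypass should be named: `help="Skip the DNS A record check for the principal's hostname"`. The `--usage` option is declared with `action="store_true"` and no `default`, so it reads as `None` when absent; whether it is acted on is outside this hunk, as parse_options continues past it.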
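Review bot: The force flag is sent as the string `"%d" % options.force` here, while the GUI caller in principal.py passes the integer `0`, so the server receives two representations of the same value and relies on its own `int()` coercion to reconcile them. Passing the integer directly keeps the wire value consistent across callers: `client.add_service_principal(princ_name, int(options.force))`. main's body continues outside the hunk.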
>
>@@ -42,6 +41,12 @@ snmp
> snmp
>
> You cannot specify the kerberos realm. The IPA server will add on the realm it is configured for.
>+
>+The hostname must resolve to a DNS A record in order to ensure that it will work with Kerberos. Use the \-\-force flag to force the creation of a principal.
>+.SH "OPTIONS"
>+.TP
>+\fB\-\-force\fR
>+Force the creation of the given principal name.
> .SH "EXAMPLES"
> .TP
> ipa\-addservice HTTP/www.example.com
>diff -r 3f2aad04b13e -r aa90098c154e ipa-python/ipaclient.py
>--- a/ipa-python/ipaclient.py Tue Feb 26 10:48:45 2008 -0500
>+++ b/ipa-python/ipaclient.py Tue Feb 26 13:51:56 2008 -0500
>@@ -381,8 +381,8 @@ class IPAClient:
> result = self.transport.update_password_policy(policy.origDataDict(), policy.toDict())
> return result
>
>- def add_service_principal(self, princ_name):
>- return self.transport.add_service_principal(princ_name)
>+ def add_service_principal(self, princ_name, force):
>+ return self.transport.add_service_principal(princ_name, force)
>
> def delete_service_principal(self, principal_dn):
> return self.transport.delete_service_principal(principal_dn)
>diff -r 3f2aad04b13e -r aa90098c154e ipa-python/ipaerror.py
>--- a/ipa-python/ipaerror.py Tue Feb 26 10:48:45 2008 -0500
>+++ b/ipa-python/ipaerror.py Tue Feb 26 13:51:56 2008 -0500
>@@ -143,6 +143,11 @@ INPUT_SAME_GROUP = gen_error_code(
> 0x0002,
> "You can't add a group to itself")
>
>+INPUT_NOT_DNS_A_RECORD = gen_error_code(
>+ INPUT_CATEGORY,
>+ 0x0003,
>+ "The requested hostname is not a DNS A record. This is required by Kerberos.")
>+
> #
> # Connection errors
> #
>diff -r 3f2aad04b13e -r aa90098c154e ipa-python/rpcclient.py
>--- a/ipa-python/rpcclient.py Tue Feb 26 10:48:45 2008 -0500
>+++ b/ipa-python/rpcclient.py Tue Feb 26 13:51:56 2008 -0500
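Review bot: `IPAClient.add_service_principal` gains a `force` parameter with no docstring, so a caller cannot tell what values it accepts; the server-side handler in funcs.py converts it with `int()`, and the two callers in this patch pass the string `"0"`/`"1"` and the integer `0` respectively. A docstring such as `"""Add a service principal; force (0 or 1) skips the server's DNS A record check for the hostname when 1."""` would state the contract, and the same documentation is missing on the rpcclient.py wrapper in the following hunk. Making `force` a required positional argument also breaks any caller outside this patch that still passes only `princ_name`; `force=0` as the default would keep those callers working with the check enabled.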
>@@ -704,11 +704,11 @@ class RPCClient:
>
> return ipautil.unwrap_binary_data(result)
>
>- def add_service_principal(self, princ_name):
>- server = self.setup_server()
>-
>- try:
>- result = server.add_service_principal(princ_name)
>+ def add_service_principal(self, princ_name, force):
>+ server = self.setup_server()
>+
>+ try:
>+ result = server.add_service_principal(princ_name, force)
> except xmlrpclib.Fault, fault:
> raise ipaerror.gen_exception(fault.faultCode, fault.faultString)
> except socket.error, (value, msg):
>diff -r 3f2aad04b13e -r aa90098c154e ipa-server/ipa-gui/ipagui/subcontrollers/principal.py
>--- a/ipa-server/ipa-gui/ipagui/subcontrollers/principal.py Tue Feb 26 10:48:45 2008 -0500
>+++ b/ipa-server/ipa-gui/ipagui/subcontrollers/principal.py Tue Feb 26 13:51:56 2008 -0500
>@@ -96,7 +96,7 @@ class PrincipalController(IPAController)
> # The realm is added by add_service_principal
> principal_name = utf8_encode_values(service + "/" + kw.get('hostname'))
>
>- rv = client.add_service_principal(principal_name)
>+ rv = client.add_service_principal(principal_name, 0)
> except ipaerror.exception_for(ipaerror.LDAP_DUPLICATE):
> turbogears.flash("Service principal '%s' already exists" %
> principal_name)
>diff -r 3f2aad04b13e -r aa90098c154e ipa-server/xmlrpc-server/funcs.py
>--- a/ipa-server/xmlrpc-server/funcs.py Tue Feb 26 10:48:45 2008 -0500
>+++ b/ipa-server/xmlrpc-server/funcs.py Tue Feb 26 13:51:56 2008 -0500
>@@ -30,6 +30,7 @@ from ipa import ipautil
> from ipa import ipautil
> from urllib import quote,unquote
> from ipa import radius_util
>+from ipa import dnsclient
>
> import string
> from types import *
>@@ -1702,11 +1703,29 @@ class IPAServer:
> except ipaerror.exception_for(ipaerror.LDAP_NOT_FOUND):
> return True
>
>- def add_service_principal(self, name, opts=None):
>+ def add_service_principal(self, name, force, opts=None):
> """Given a name of the form: service/FQDN create a service
>- principal for it in the default realm."""
>+ principal for it in the default realm.
>+
>+ Ensure that the principal points at a DNS A record so it will
>+ work with Kerberos unless force is set to 1"""
> if not name:
> raise ipaerror.gen_exception(ipaerror.INPUT_INVALID_PARAMETER)
>+
>+ try:
>+ f = int(force)
>+ except ValueError:
>+ f = 1
>+ logging.debug("IPA: add service principal %s (%d)" % (name, f))
>+
>+ if not f:
>+ fqdn = name + "."
>+ rs = dnsclient.query(fqdn, dnsclient.DNS_C_IN, dnsclient.DNS_T_A)
>+ if len(rs) == 0:
>+ logging.debug("IPA: DNS A record lookup failed for %s" % name)
>+ raise ipaerror.gen_exception(ipaerror.INPUT_NOT_DNS_A_RECORD)
>+ else:
>+ logging.debug("IPA: found %d records for %s" % (len(rs), name))
>
> service_container = DefaultServiceContainer
>
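Review bot: The `except ValueError: f = 1` fallback fails open: a `force` value that is not an integer string disables the DNS check instead of rejecting the request, and a non-string such as `None` raises `TypeError`, which is not caught at all, so the server-side validation depends on the client sending exactly the representation it expects. An unparseable flag should be rejected with `INPUT_INVALID_PARAMETER` (or at minimum treated as 0) so that only an explicit, well-formed `1` skips the lookup. Separately, the docstring says `name` has the form service/FQDN, yet the query name is built as `fqdn = name + "."`, so the service prefix is included in the A record lookup; presumably only the host part should be resolved, which would make the check always fail without --force as written. The rest of add_service_principal continues outside the hunk.
```python
        try:
            f = int(force)
        except (ValueError, TypeError):
            # Fail closed: an unparseable flag must not disable the check.
            raise ipaerror.gen_exception(ipaerror.INPUT_INVALID_PARAMETER)
        logging.debug("IPA: add service principal %s (%d)" % (name, f))

        if not f:
            # name is service/FQDN per the docstring; resolve only the host part.
            hostname = name.split("/", 1)[-1]
            fqdn = hostname + "."
            rs = dnsclient.query(fqdn, dnsclient.DNS_C_IN, dnsclient.DNS_T_A)
            # … unchanged: empty-result error and debug logging …
```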