Support IPA IPA Trust with additional IPA server
justin-stephenson committed Aug 14, 2024
1 parent 2ebf336 commit fe0bad4
Showing 20 changed files with 116 additions and 10 deletions.
2 changes: 2 additions & 0 deletions data/configs/dnsmasq.conf
Expand Up @@ -12,6 +12,7 @@ cache-size=0

# These zones have their own DNS server
server=/ipa.test/172.16.100.10
server=/ipa2.test/172.16.100.11
server=/samba.test/172.16.100.30
server=/ad.test/172.16.200.10

Expand All @@ -35,3 +36,4 @@ ptr-record=30.100.16.172.in-addr.arpa,dc.samba.test
ptr-record=40.100.16.172.in-addr.arpa,client.test
ptr-record=10.200.16.172.in-addr.arpa,dc.ad.test
ptr-record=70.100.16.172.in-addr.arpa,master.keycloak.test
ptr-record=80.100.16.172.in-addr.arpa,master2.ipa2.test
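Review bot: The new reverse record `ptr-record=80.100.16.172.in-addr.arpa,master2.ipa2.test` maps 172.16.100.80, but every other place this commit touches gives master2.ipa2.test the address 172.16.100.11: the `server=/ipa2.test/172.16.100.11` line in this same file, `ipv4_address: 172.16.100.11` in docker-compose.yml and the /etc/hosts line in src/tools/setup-dns-files.sh. As written, a reverse lookup of the ipa2 server's real address returns nothing and .80 resolves to a host that does not exist. Unless .80 is intended, the line should read `ptr-record=11.100.16.172.in-addr.arpa,master2.ipa2.test`, and since the other PTR entries are in address order it would sit best directly after the .10 record.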
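--- a/data/ssh-keys/hosts/master2.ipa2.test.ecdsa_key
+++ b/data/ssh-keys/hosts/master2.ipa2.test.ecdsa_key
@@ -0,0 +1,9 @@
+-----BEGIN OPENSSH PRIVATE KEY-----
+b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAaAAAABNlY2RzYS
+1zaGEyLW5pc3RwMjU2AAAACG5pc3RwMjU2AAAAQQRjXEUrafBAJC0RohbrH64Q58TqzbnL
+AraSK9LAttYKzI7AtazSjeD/r1FSGktTCgfc+PFGMrbcOfTXYoPMcWQyAAAAuKw1diasNX
+YmAAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBGNcRStp8EAkLRGi
+FusfrhDnxOrNucsCtpIr0sC21grMjsC1rNKN4P+vUVIaS1MKB9z48UYyttw59Ndig8xxZD
+IAAAAhAKXeBygNxWAGiweouLvmFqlCs0XRUF71oZNRzhDm29t0AAAAG1dlbGwga25vd24g
+a2V5IGZvciBzc3NkLWNpLgECAwQ=
+-----END OPENSSH PRIVATE KEY-----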
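--- a/data/ssh-keys/hosts/master2.ipa2.test.ecdsa_key.pub
+++ b/data/ssh-keys/hosts/master2.ipa2.test.ecdsa_key.pub
@@ -0,0 +1 @@
+ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBGNcRStp8EAkLRGiFusfrhDnxOrNucsCtpIr0sC21grMjsC1rNKN4P+vUVIaS1MKB9z48UYyttw59Ndig8xxZDI= Well known key for sssd-ci.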
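--- a/data/ssh-keys/hosts/master2.ipa2.test.ed25519_key
+++ b/data/ssh-keys/hosts/master2.ipa2.test.ed25519_key
@@ -0,0 +1,7 @@
+-----BEGIN OPENSSH PRIVATE KEY-----
+b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
+QyNTUxOQAAACAReHC8F3OuxqeK1AaPPG7RZhv4L1PjZ7L/ftWb2gTIXAAAAKC5mEuCuZhL
+ggAAAAtzc2gtZWQyNTUxOQAAACAReHC8F3OuxqeK1AaPPG7RZhv4L1PjZ7L/ftWb2gTIXA
+AAAEC/H/YS4MZKKUrXvQkjngF7f+8X+5bJy5zTc0rfFdvu1xF4cLwXc67Gp4rUBo88btFm
+G/gvU+Nnsv9+1ZvaBMhcAAAAG1dlbGwga25vd24ga2V5IGZvciBzc3NkLWNpLgEC
+-----END OPENSSH PRIVATE KEY-----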
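--- a/data/ssh-keys/hosts/master2.ipa2.test.ed25519_key.pub
+++ b/data/ssh-keys/hosts/master2.ipa2.test.ed25519_key.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBF4cLwXc67Gp4rUBo88btFmG/gvU+Nnsv9+1ZvaBMhc Well known key for sssd-ci.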
38 changes: 38 additions & 0 deletions data/ssh-keys/hosts/master2.ipa2.test.rsa_key
@@ -0,0 +1,38 @@
-----BEGIN OPENSSH PRIVATE KEY-----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=
-----END OPENSSH PRIVATE KEY-----
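--- a/data/ssh-keys/hosts/master2.ipa2.test.rsa_key.pub
+++ b/data/ssh-keys/hosts/master2.ipa2.test.rsa_key.pub
@@ -0,0 +1 @@
+ssh-rsa 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 Well known key for sssd-ci.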
22 changes: 22 additions & 0 deletions docker-compose.yml
Expand Up @@ -44,6 +44,28 @@ services:
networks:
sssd:
ipv4_address: 172.16.100.10
ipa2:
image: ${REGISTRY}/ci-ipa2:${TAG}
container_name: ipa2
hostname: master2.ipa2.test
dns: 172.16.100.2
env_file: ./env.containers
volumes:
- ./shared:/shared:rw
cap_add:
- SYS_ADMIN
- SYS_PTRACE
- AUDIT_WRITE
- AUDIT_CONTROL
- SYS_CHROOT
- NET_ADMIN
security_opt:
- apparmor=unconfined
- label=disable
- seccomp=unconfined
networks:
sssd:
ipv4_address: 172.16.100.11
ldap:
image: ${REGISTRY}/ci-ldap:${TAG}
container_name: ldap
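Review bot: The new `ipa2` service carries no explanation of why a second IPA server exists, and its block reads as a verbatim copy of `ipa` (same `env_file`, `cap_add` list and unconfined `apparmor`/`seccomp`/`label` settings; the `ipa` block itself starts above the hunk, so only the tail is visible here). A one-line comment on the service key would orient the next reader, e.g. `# second IPA domain (ipa2.test); trust partner of ipa.test for the IPA-IPA trust tests`. It is also worth noting next to `ipv4_address: 172.16.100.11` that this address must agree with the forward and reverse entries in data/configs/dnsmasq.conf and src/tools/setup-dns-files.sh, since nothing generates them from this file.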
7 changes: 7 additions & 0 deletions src/ansible/group_vars/all
Expand Up @@ -6,6 +6,13 @@ service: {
netbios: 'IPA',
password: 'Secret123'
},
ipa2: {
domain: 'ipa2.test',
hostname: 'master2',
fqn: 'master2.ipa2.test',
netbios: 'IPA2',
password: 'Secret123'
},
ldap: {
domain: 'ldap.test',
hostname: 'master',
2 changes: 2 additions & 0 deletions src/ansible/inventory.yml
Expand Up @@ -53,6 +53,8 @@ all:
hosts:
master.ipa.test:
ansible_host: sssd-wip-ipa
master2.ipa2.test:
ansible_host: sssd-wip-ipa2
ldap:
hosts:
master.ldap.test:
4 changes: 3 additions & 1 deletion src/ansible/playbook_image_service.yml
Expand Up @@ -16,7 +16,9 @@
roles:
- samba

- hosts: master.ipa.test
- hosts:
- master.ipa.test
- master2.ipa2.test
gather_facts: no
roles:
- ipa
4 changes: 2 additions & 2 deletions src/ansible/roles/cleanup/tasks/main.yml
Expand Up @@ -7,7 +7,7 @@

- name: Remove 389ds database to make image smaller
shell: rm -f /var/lib/dirsrv/slapd-IPA-TEST/db/__db.*
when: inventory_hostname == 'master.ipa.test' or inventory_hostname == 'ipa-devel'
when: inventory_hostname in groups["ipa"] or inventory_hostname == 'ipa-devel'

- name: Minimize LDAP service container
block:
Expand All @@ -29,4 +29,4 @@

- name: Remove SSSD's database and logs
shell: rm -f /var/lib/sss/db/* /var/lib/sss/mc/* /var/log/sssd/*
when: inventory_hostname == 'client.test' or inventory_hostname == 'master.ipa.test'
when: inventory_hostname in groups["client"] or inventory_hostname in groups["ipa"]
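Review bot: Widening the `when` on the "Remove 389ds database" task to `groups["ipa"]` now runs it on master2.ipa2.test, but the path `/var/lib/dirsrv/slapd-IPA-TEST/db/__db.*` is still keyed to the ipa.test instance name, so on the second server the `rm -f` most likely matches nothing and that image is not shrunk (the ipa2 instance is presumably named after its own realm, something like slapd-IPA2-TEST). Globbing the instance directory keeps the task correct for every host in the group: `shell: rm -f /var/lib/dirsrv/slapd-*/db/__db.*`. The second hunk, on the SSSD cleanup task, has no such path dependency and is fine as changed.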
10 changes: 6 additions & 4 deletions src/ansible/roles/dns/templates/etc.dnsmasq.conf.j2
Expand Up @@ -13,9 +13,9 @@ domain=test
cache-size=0

# These zones have their own DNS server
{% if 'master.ipa.test' in hostvars %}
server=/ipa.test/{{ hostvars['master.ipa.test']['ansible_facts']['default_ipv4']['address'] }}
{% endif %}
{% for host in groups['ipa'] %}
server=/{{ hostvars[host]['ansible_facts']['domain'] }}/{{ hostvars[host]['ansible_facts']['default_ipv4']['address'] }}
{% endfor %}
{% if 'dc.samba.test' in hostvars %}
server=/samba.test/{{ hostvars['dc.samba.test']['ansible_facts']['default_ipv4']['address'] }}
{% endif %}
Expand All @@ -28,7 +28,9 @@ server=/{{ hostvars[ad]['ansible_facts']['windows_domain'] }}/{{ hostvars[ad]['a
{% endif %}

# Add reverse zones for artificial hosts in IPA domain
{% if 'master.ipa.test' in hostvars %}
server=/251.255.10.in-addr.arpa/{{ hostvars['master.ipa.test']['ansible_facts']['default_ipv4']['address'] }}
{% endif %}

# Add SRV record for LDAP
{% if 'master.ldap.test' in hostvars %}
Expand All @@ -51,4 +53,4 @@ ptr-record={{ hostvars[host]['ansible_facts']['default_ipv4']['address'].split('
{% elif hostvars[host].ansible_system == 'Win32NT' %}
ptr-record={{ hostvars[host]['ansible_facts']['ip_addresses'][0].split('.') | reverse | join(".") }}.in-addr.arpa,{{ host }}
{% endif %}
{% endfor %}
{% endfor %}
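Review bot: The new `{% for host in groups['ipa'] %}` loses the tolerance the old `{% if 'master.ipa.test' in hostvars %}` gave: with an inventory that has no `ipa` group, `groups['ipa']` is undefined and rendering the whole template fails, whereas before the zone lines were simply omitted. `{% for host in groups['ipa'] | default([]) %}` restores that behaviour. The loop also depends on `ansible_facts['domain']` being set for every IPA host, which holds only when facts are gathered and the container hostname is the FQDN (as docker-compose.yml sets for master2.ipa2.test); a short note above the loop, `{# one forward zone per IPA server; requires gathered facts and an FQDN hostname #}`, would make that dependency visible. The reverse-zone block further down still names master.ipa.test only, which is consistent with the dnszone-add task in roles/ipa being restricted to that host.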
5 changes: 5 additions & 0 deletions src/ansible/roles/ipa/tasks/main.yml
Expand Up @@ -110,6 +110,7 @@
ipa --no-prompt dnszone-add --name-from-ip 10.255.251.0/24
args:
stdin: '{{ ipa_password }}'
when: inventory_hostname == 'master.ipa.test'

- name: 'Check trust with other domains'
shell: |
Expand Down Expand Up @@ -144,6 +145,7 @@
- '"samba" in groups and groups["samba"]'
- join_samba
- trust_ipa_samba
- inventory_hostname != 'master2.ipa2.test'

- name: 'Setup trust with AD'
block:
Expand All @@ -167,6 +169,8 @@
when:
- 'ad_domain not in trust.stdout'
- not trust_ipa_ad_two_way
- inventory_hostname != 'master2.ipa2.test'

- name: Run ipa trust-add (two-way)
shell: |
kinit admin
Expand All @@ -182,3 +186,4 @@
- '"ad" in groups and groups["ad"]'
- join_ad
- trust_ipa_ad
- inventory_hostname != 'master2.ipa2.test'
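Review bot: Which IPA host is the "primary" is now encoded as four repeated literal hostname comparisons in this role: `inventory_hostname == 'master.ipa.test'` on the dnszone-add task (first hunk) and `inventory_hostname != 'master2.ipa2.test'` on the three trust tasks (the remaining hunks), so adding a third IPA server or renaming either one means editing every task. A per-host flag keeps the role generic, e.g. `ipa_primary: false` in host_vars for master2.ipa2.test with `ipa_primary: true` as the group default, and `- ipa_primary` in each `when` list instead of the hostname tests. All four tasks begin above their hunks, so the rest of their conditions could not be checked here. A one-line comment on the dnszone-add task saying why only the primary creates the artificial reverse zone would also help, since nothing in the hunk explains it.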
4 changes: 2 additions & 2 deletions src/ansible/roles/packages/tasks/Fedora.yml
Expand Up @@ -222,7 +222,7 @@
dnf:
state: present
name: sssd-kcm
when: "'base_ipa' in group_names or 'ipa' in group_names"
when: "'base_ipa' in group_names or 'base_ipa2' in group_names or 'ipa' in group_names"

- name: Install packages for Samba base image
block:
Expand Down Expand Up @@ -264,7 +264,7 @@
- ci-sssd-random
- umockdev
when: passkey_support
when: "'base_client' in group_names or 'client' in group_names or 'base_ipa' in group_names or 'ipa' in group_names"
when: "'base_client' in group_names or 'client' in group_names or 'base_ipa' in group_names or 'base_ipa2' in group_names or 'ipa' in group_names"
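Review bot: Both widened conditions (the sssd-kcm task in the first hunk and the passkey package block in the second) add `'base_ipa2' in group_names`, but no `base_ipa2` group is defined anywhere in this commit: the inventory hunk only adds master2.ipa2.test to `ipa`, and src/docker-compose.build.yml builds the ipa2 container from the same `ci-base-ipa` image as ipa. If that group does not exist the new clause is dead and can be dropped; if it is defined elsewhere, a comment pointing at where it is defined would save the next reader the search. Presumably the intent is that ipa2 shares the ipa base image, in which case `'base_ipa' in group_names` already covers it.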

- name: Install packages for Keycloak base image
block:
1 change: 1 addition & 0 deletions src/build.sh
Expand Up @@ -140,6 +140,7 @@ ansible-playbook $ANSIBLE_OPTS ./ansible/playbook_image_service.yml
compose stop
build_service_image sssd-wip-client client
build_service_image sssd-wip-ipa ipa
build_service_image sssd-wip-ipa2 ipa2
build_service_image sssd-wip-ldap ldap
build_service_image sssd-wip-samba samba
build_service_image sssd-wip-nfs nfs
3 changes: 3 additions & 0 deletions src/docker-compose.build.yml
Expand Up @@ -5,6 +5,9 @@ services:
ipa:
image: localhost/sssd/ci-base-ipa:${TAG}
container_name: sssd-wip-ipa
ipa2:
image: localhost/sssd/ci-base-ipa:${TAG}
container_name: sssd-wip-ipa2
ldap:
image: localhost/sssd/ci-base-ldap:${TAG}
container_name: sssd-wip-ldap
1 change: 1 addition & 0 deletions src/push.sh
Expand Up @@ -66,6 +66,7 @@ push ci-dns latest ""
push ci-client "$TAG" "$EXTRA_TAGS"
push ci-client-devel "$TAG" "$EXTRA_TAGS"
push ci-ipa "$TAG" "$EXTRA_TAGS"
push ci-ipa2 "$TAG" "$EXTRA_TAGS"
push ci-ipa-devel "$TAG" "$EXTRA_TAGS"
push ci-ldap "$TAG" "$EXTRA_TAGS"
push ci-samba "$TAG" "$EXTRA_TAGS"
2 changes: 1 addition & 1 deletion src/tools/gen-ssh-keys.sh
Expand Up @@ -17,7 +17,7 @@ mkdir -p $OUT
mkdir -p $OUT/hosts

for name in client.test dc.samba.test dns.test kdc.test \
master.ipa.test master.keycloak.test master.ldap.test nfs.test; do
master.ipa.test master2.ipa2.test master.keycloak.test master.ldap.test nfs.test; do
for type in ecdsa ed25519 rsa; do
ssh-keygen -C "Well known key for sssd-ci." -t $type -f "$OUT/hosts/$name.${type}_key" -N "" <<< y
done
2 changes: 2 additions & 0 deletions src/tools/setup-dns-files.sh
Expand Up @@ -17,6 +17,7 @@ sed -i '/client.test/d' /etc/hosts
sed -i '/nfs.test/d' /etc/hosts
sed -i '/kdc.test/d' /etc/hosts
sed -i '/dc.ad.test/d' /etc/hosts
sed -i '/master2.ipa2.test/d' /etc/hosts

# Append the lines
echo "172.16.100.10 master.ipa.test" >> /etc/hosts
Expand All @@ -26,3 +27,4 @@ echo "172.16.100.40 client.test" >> /etc/hosts
echo "172.16.100.50 nfs.test" >> /etc/hosts
echo "172.16.100.60 kdc.test" >> /etc/hosts
echo "172.16.200.10 dc.ad.test" >> /etc/hosts
echo "172.16.100.11 master2.ipa2.test" >> /etc/hosts
