From 2e31e8479a94e75ad33cf50f6eee106283b44b0d Mon Sep 17 00:00:00 2001
From: François Cami
Date: Jun 28 2021 08:41:07 +0000
Subject: ipa-client-install: update sssd.conf if nsupdate requires -g

If dynamic DNS updates are selected, sssd will use GSS-TSIG by default for nsupdate. When ipa-client-install notices that plain nsupdate is required, switch sssd to use no authentication for dynamic updates too.

Fixes: https://pagure.io/freeipa/issue/8402
Signed-off-by: François Cami
Reviewed-By: Florence Blanc-Renaud
Reviewed-By: Rob Crittenden
---
diff --git a/client/man/ipa-client-install.1 b/client/man/ipa-client-install.1
index 1db3445..9eeef04 100644
--- a/client/man/ipa-client-install.1
+++ b/client/man/ipa-client-install.1
@@ -205,7 +205,11 @@ Create DNS A/AAAA record for each IP address on this host.
 Configure SSSD to permit all access. Otherwise the machine will be controlled by the Host\-based Access Controls (HBAC) on the IPA server.
 .TP
 \fB\-\-enable\-dns\-updates\fR
-This option tells SSSD to automatically update DNS with the IP address of this client.
+This option tells SSSD to automatically update DNS with the IP address of this
+client.
+The default is to use GSS-TSIG. However, if using GSS-TSIG fails for any reason
+at install time, \fBipa\-client\-install\fR will configure SSSD to use
+unauthenticated nsupdates instead.
 .TP
 \fB\-\-no\-krb5\-offline\-passwords\fR
 Configure SSSD not to store user password when the server is offline.
diff --git a/ipaclient/install/client.py b/ipaclient/install/client.py
index 79fdb3d..14eaa0d 100644
--- a/ipaclient/install/client.py
+++ b/ipaclient/install/client.py
@@ -1369,9 +1369,35 @@ def do_nsupdate(update_txt):
 ipautil.run([paths.NSUPDATE, '-g', UPDATE_FILE])
 result = True
 except CalledProcessError as e:
- logger.debug('nsupdate failed: %s', str(e))
+ logger.debug('nsupdate (GSS-TSIG) failed: %s', str(e))
 try:
 ipautil.run([paths.NSUPDATE, UPDATE_FILE])
+ try:
+ sssdconfig = SSSDConfig.SSSDConfig()
+ sssdconfig.import_config()
+ domains = sssdconfig.list_active_domains()
+ for name in domains:
+ domain = sssdconfig.get_domain(name)
+ try:
+ provider = domain.get_option('id_provider')
+ except SSSDConfig.NoOptionError:
+ continue
+ if name == api.env.domain and provider == "ipa":
+ try:
+ if domain.get_option('dyndns_update') is True:
+ domain.set_option('dyndns_auth', 'none')
+ sssdconfig.save_domain(domain)
+ sssdconfig.write(paths.SSSD_CONF)
+ break
+ except SSSDConfig.NoOptionError:
+ break
+ except Exception as e:
+ logger.debug('Unable to update SSSD configuration: %s', str(e))
+ logger.info(
+ 'Failed to configure SSSD for unauthenticated DNS '
+ 'dynamic updates. SSSD might be unable to update DNS '
+ 'entries for this host.'
+ )
 result = True
 except CalledProcessError as e:
 logger.debug('Unauthenticated nsupdate failed: %s', str(e))
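Review bot: Setting `dyndns_auth` to `none` is a persistent downgrade of this host's DNS-update authentication, yet the hunk records the trigger only at debug level (`nsupdate (GSS-TSIG) failed`) and logs nothing at all when the sssd.conf rewrite succeeds, so a transient KDC or clock-skew problem at install time leaves the client doing unauthenticated updates long after the cause is gone with no visible trace in the install log. Right after `sssdconfig.write(paths.SSSD_CONF)` I would add `logger.warning('GSS-TSIG nsupdate failed; SSSD configured for unauthenticated DNS updates (dyndns_auth = none) in %s', paths.SSSD_CONF)` so administrators can audit and later revert the setting. A smaller point: the `break` in the inner `except SSSDConfig.NoOptionError` branch silently skips a matching `ipa` domain that has no `dyndns_update` option, which appears intentional (nothing to downgrade) and deserves a one-line comment such as `# dyndns_update not set: SSSD is not doing updates, nothing to change`. `do_nsupdate` begins and ends outside the hunk, and whether `SSSDConfig` and `api` are already in module scope cannot be confirmed from here.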