From d1f7db826a64708a094018622f1f8eafd964b05e Mon Sep 17 00:00:00 2001 From: Sergey Orlov Date: Apr 02 2019 15:02:04 +0000 Subject: Revert "Tests: Remove DNS configuration from trust tests" This reverts commit 1d9e1521c59a5b43c2322892ce5cbe8cceff2790. The reverted commit message states: "Since DNS configuration is no longer needed for running trust tests, this method's contents are removed." In fact tests can run without DNS configuration only in case if test setup has a DNS server with DNSSEC support and there are A records for Windows machines and SRV records Windows AD services and this DNS server is used as forwarder by bind. If one of these in not true then tests fail when trying to establish trust (ipa trust-add) as --server option is not used and ipa can not find the AD machine. If we specify --server option and add Windows hosts to /etc/hosts, then trust will be established, but then sssd will fail to find the host to talk for getting users from AD. So for general case we should setup DNS forwarders prior to establishing trust, as stated in https://www.freeipa.org/page/Active_Directory_trust_setup Related to https://pagure.io/freeipa/issue/7889 Reviewed-By: Alexander Bokovoy Reviewed-By: Alexander Bokovoy
---
diff --git a/ipatests/pytest_ipa/integration/tasks.py b/ipatests/pytest_ipa/integration/tasks.py
index 46506e4..4ef4236 100644
--- a/ipatests/pytest_ipa/integration/tasks.py
+++ b/ipatests/pytest_ipa/integration/tasks.py
@@ -503,11 +503,48 @@ def install_adtrust(host):
 
 def configure_dns_for_trust(master, ad):
     """
-    This method is intentionally left empty. Originally it served for DNS
-    configuration on IPA master according to the relationship of the IPA's
-    and AD's domains.
+    This configures DNS on IPA master according to the relationship of the
+    IPA's and AD's domains.
     """
 
+    def is_subdomain(subdomain, domain):
+        subdomain_unpacked = subdomain.split('.')
+        domain_unpacked = domain.split('.')
+
+        subdomain_unpacked.reverse()
+        domain_unpacked.reverse()
+
+        subdomain = False
+
+        if len(subdomain_unpacked) > len(domain_unpacked):
+            subdomain = True
+
+        for subdomain_segment, domain_segment in zip(subdomain_unpacked,
+                                                     domain_unpacked):
+            subdomain = subdomain and subdomain_segment == domain_segment
+
+        return subdomain
+
+    kinit_admin(master)
+
+    if is_subdomain(ad.domain.name, master.domain.name):
+        master.run_command(['ipa', 'dnsrecord-add', master.domain.name,
+                            '%s.%s' % (ad.shortname, ad.netbios),
+                            '--a-ip-address', ad.ip])
+
+        master.run_command(['ipa', 'dnsrecord-add', master.domain.name,
+                            ad.netbios,
+                            '--ns-hostname',
+                            '%s.%s' % (ad.shortname, ad.netbios)])
+
+        master.run_command(['ipa', 'dnszone-mod', master.domain.name,
+                            '--allow-transfer', ad.ip])
+    else:
+        master.run_command(['ipa', 'dnsforwardzone-add', ad.domain.name,
+                            '--forwarder', ad.ip,
+                            '--forward-policy', 'only',
+                            ])
+
 
 def establish_trust_with_ad(master, ad_domain, extra_args=()):
     """
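Review bot: `is_subdomain` compares labels case-sensitively (`subdomain_segment == domain_segment`) although DNS names are case-insensitive, so an AD domain name that differs from the IPA domain only in letter case would be routed to the forward-zone branch even when it is a child of the IPA zone; lower-casing both inputs before splitting fixes this. The delegation branch also appears to assume the AD domain's leftmost label equals `ad.netbios`, since the NS record is added under `ad.netbios` rather than under the actual child label taken from `ad.domain.name` — a comment stating that assumption, or a check that the two agree, would keep a mismatched test config from silently producing a wrong delegation. A one-line comment on why `--allow-transfer` to `ad.ip` is needed on the IPA zone would also help, since it grants full AXFR of the zone to the AD host. The helper itself can be reduced to a suffix comparison on the label lists, which also avoids rebinding the `subdomain` parameter as a bool.

```python
    def is_subdomain(subdomain, domain):
        sub_labels = subdomain.lower().split('.')
        dom_labels = domain.lower().split('.')
        return (len(sub_labels) > len(dom_labels)
                and sub_labels[-len(dom_labels):] == dom_labels)

    # … unchanged: kinit_admin, dnsrecord-add / dnsforwardzone-add branches …
```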