Support IPA IPA Trust with additional IPA server

data/configs/dnsmasq.conf

@@ -12,6 +12,7 @@ cache-size=0
 
 # These zones have their own DNS server
 server=/ipa.test/172.16.100.10
+server=/ipa2.test/172.16.100.11
 server=/samba.test/172.16.100.30
 server=/ad.test/172.16.200.10
 
@@ -35,3 +36,4 @@ ptr-record=30.100.16.172.in-addr.arpa,dc.samba.test
 ptr-record=40.100.16.172.in-addr.arpa,client.test
 ptr-record=10.200.16.172.in-addr.arpa,dc.ad.test
 ptr-record=70.100.16.172.in-addr.arpa,master.keycloak.test
+ptr-record=80.100.16.172.in-addr.arpa,master.ipa2.test

data/ssh-keys/hosts/master.ipa2.test.ecdsa_key

@@ -0,0 +1,9 @@
+-----BEGIN OPENSSH PRIVATE KEY-----
+b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAaAAAABNlY2RzYS
+1zaGEyLW5pc3RwMjU2AAAACG5pc3RwMjU2AAAAQQS8NdlhWjczTrSSmXrPIm5dxUPF9l1r
+n6/iWMQOvSied2nz1L7KlcL10FY8fV/CSfHdLav4ZUqcVA5IlnHcboZYAAAAuIaESlSGhE
+pUAAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBLw12WFaNzNOtJKZ
+es8ibl3FQ8X2XWufr+JYxA69KJ53afPUvsqVwvXQVjx9X8JJ8d0tq/hlSpxUDkiWcdxuhl
+gAAAAhANtStHx78vkgxkGy20Ad7KyCGgDsRsCbV0vyPQEHnAL8AAAAG1dlbGwga25vd24g
+a2V5IGZvciBzc3NkLWNpLgECAwQ=
+-----END OPENSSH PRIVATE KEY-----

data/ssh-keys/hosts/master.ipa2.test.ecdsa_key.pub

@@ -0,0 +1 @@
+ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBLw12WFaNzNOtJKZes8ibl3FQ8X2XWufr+JYxA69KJ53afPUvsqVwvXQVjx9X8JJ8d0tq/hlSpxUDkiWcdxuhlg= Well known key for sssd-ci.

data/ssh-keys/hosts/master.ipa2.test.ed25519_key

@@ -0,0 +1,7 @@
+-----BEGIN OPENSSH PRIVATE KEY-----
+b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
+QyNTUxOQAAACCjsyIr5pg77lSpJ3be3Bws6peMckoZPcaoxzV9nOd6dgAAAKDuA//H7gP/
+xwAAAAtzc2gtZWQyNTUxOQAAACCjsyIr5pg77lSpJ3be3Bws6peMckoZPcaoxzV9nOd6dg
+AAAEA9qGHT87bpptMonGNLVVli2ey6arjyf3Yy7fi8FC02JqOzIivmmDvuVKkndt7cHCzq
+l4xyShk9xqjHNX2c53p2AAAAG1dlbGwga25vd24ga2V5IGZvciBzc3NkLWNpLgEC
+-----END OPENSSH PRIVATE KEY-----

data/ssh-keys/hosts/master.ipa2.test.ed25519_key.pub

@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKOzIivmmDvuVKkndt7cHCzql4xyShk9xqjHNX2c53p2 Well known key for sssd-ci.

data/ssh-keys/hosts/master.ipa2.test.rsa_key

@@ -0,0 +1,38 @@
+-----BEGIN OPENSSH PRIVATE KEY-----
+b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn
+NhAAAAAwEAAQAAAYEAjZ1FeLKLYYNBDJkA8BfMTKVRD2jZOn3YPWN3uezc7Rx5w1x/0rqW
+tLRZdz2QV+K7BmqhhcuotNr2g1uf3eZSZL1p7OZ10INuET2ZyoLANM1ME22S+Qedan8uU7
+bN/KH/VW1QF1NHvI/C2uMUcGIzoKWrfyGSNp6vWvhIG6qjm8IcK4IcLeGh+wVNCEoH7EVv
+EqxSVbiPkqvEAZ0X4UbXpEXrFi9BL25KbyD+yevHFPfhb2PP2pVQfz2Ip6CJ8XhvNrE1s1
+3EiDYugbMjDmzJNwyZNPiarIXqqgfI3R/nj/jLgBl6r0uOAMPpFNJambmDxXoW6bjadfeE
++Lgb/OtrrLNaqdzg3d8C0EKFwdA7rXS+iZTc4skldnoZGyw4wojTxTPkG7khSH1D1N47gW
+VAzPnZySAcyCMvQHRbYpHu5va+Ye6vCYvzp+7k3mm1S2zzS5qB/Mzg9thP16s7JKtvS29l
+38MqhsMedvJAoBvTpQck7aoL9vIl0Ylie7AGkszBAAAFkNCDdlfQg3ZXAAAAB3NzaC1yc2
+EAAAGBAI2dRXiyi2GDQQyZAPAXzEylUQ9o2Tp92D1jd7ns3O0cecNcf9K6lrS0WXc9kFfi
+uwZqoYXLqLTa9oNbn93mUmS9aezmddCDbhE9mcqCwDTNTBNtkvkHnWp/LlO2zfyh/1VtUB
+dTR7yPwtrjFHBiM6Clq38hkjaer1r4SBuqo5vCHCuCHC3hofsFTQhKB+xFbxKsUlW4j5Kr
+xAGdF+FG16RF6xYvQS9uSm8g/snrxxT34W9jz9qVUH89iKegifF4bzaxNbNdxIg2LoGzIw
+5syTcMmTT4mqyF6qoHyN0f54/4y4AZeq9LjgDD6RTSWpm5g8V6Fum42nX3hPi4G/zra6yz
+Wqnc4N3fAtBChcHQO610vomU3OLJJXZ6GRssOMKI08Uz5Bu5IUh9Q9TeO4FlQMz52ckgHM
+gjL0B0W2KR7ub2vmHurwmL86fu5N5ptUts80uagfzM4PbYT9erOySrb0tvZd/DKobDHnby
+QKAb06UHJO2qC/byJdGJYnuwBpLMwQAAAAMBAAEAAAGAMVA6YGjgM3E25jGji3fmCyyoOR
+L8TiuDcQEhsItkdWcsmZSs6E9UapHA885q5MfN89KO853zXiM/o4d0+JsbRvxUlgu8rAMQ
+gY1vb/8u+lQhMUS/YNu/e9XU5o7qVRZ+aRubP7we53EyW/GmbOotazw1p5wjo8SHcMizp3
+q45WTnVVlGAc4oD1cNt5y7/JFDN//s3e/agyswIpW3OpnmPsygLAYBj4g7AE6/msXxegJF
+rPnXaBkFwoFFhIXZc05J+0uQzUYoFPSCHg5MV9oMlQ4QNv01TEUnpBTbWd2ujhfKUlImAA
+RHOf0xQx1/ktSQE5SsmRnEFGmAjkSUooEvCt/AXHjN87SoUWgEklr63viymWNAfdcRcsOa
+/cj1sCsYBxJUMpivPQ05N6tbP7ikOvxX/mpfPsg7P7NrpoNVp8gwsCG8eNJEPrOTOO5C2j
+iAFtDbp+uZ7QxgMfFSIxdwQU4A38rCaMe2opnvEHYEkrOyRi43X2QH2YW/9Au9LxLPAAAA
+wH3G2wy2i2BpzWG8Tvww9x6dyigivn1JTY2HOh8pihcvGbs72HYQAHVXCoALIlMXnevpw8
++RI5Tta058yoGmoVwi48ZBzMnkvoFmaU6lZf2Gy7LODZX3JGIo+qSayYUH8tX37ZU96QC7
+TJOyDuwQu0vQf/G7OvCLWKekgS7TAzK6Rk0lsVkCXc7HF6LpYdYt6b6na/vaLx5TT1ywbs
+pGSUrh7jvgCkFviNgMNKmd1R9wRzQFaNoYjCQaCBFSmh9MqQAAAMEAxnKJ+RRL6AbBpxye
+fnW/ciGLo4l/EbJC6imT0AFgYw6Gu1epiCVBTD6oERAgxs+3fu6DnxWVLojWpTT9RESkYJ
+PVUzAnp4cgdf4vyyj80dAsJ3RbGU+Y1hZWKdb5COLvMiXg8orMgCvNhADD6Az8cG+ncVPz
+busx+kStztT8Uy4VwwxQutglQYqvp0o6M4Kb5r8s6kAQu55ENhOSKUIKfU1//VPN5dQ/wV
+71jNvU5ym07UgcZNhkyNw97WOyFfVzAAAAwQC2rzy87d7qskmkNN11lSkh1L52NcQyxhsE
+jX+FjMTRbr4YgdnsU9tTtAigYrfQqDL4WGNPrnsA0qse32Ed3nNM1QdI/Mzni3eyK0ayqd
+tPE2CdrqxYW2Brlp5luHwaFlW2UvrmZ5H+Yw80tVfXZrRZkmzHD0kCFkwZqYBtbMY19mMa
+K8NmGXEMYPHGk/uHPruS57jr/h4Of8x2QlJ2aSBTRom1Ah42zZJgVqZO6MdY40EJBSfE5m
+z7ClUXMywXB/sAAAAbV2VsbCBrbm93biBrZXkgZm9yIHNzc2QtY2ku
+-----END OPENSSH PRIVATE KEY-----

data/ssh-keys/hosts/master.ipa2.test.rsa_key.pub

@@ -0,0 +1 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCNnUV4sothg0EMmQDwF8xMpVEPaNk6fdg9Y3e57NztHHnDXH/Supa0tFl3PZBX4rsGaqGFy6i02vaDW5/d5lJkvWns5nXQg24RPZnKgsA0zUwTbZL5B51qfy5Tts38of9VbVAXU0e8j8La4xRwYjOgpat/IZI2nq9a+EgbqqObwhwrghwt4aH7BU0ISgfsRW8SrFJVuI+Sq8QBnRfhRtekResWL0EvbkpvIP7J68cU9+FvY8/alVB/PYinoInxeG82sTWzXcSINi6BsyMObMk3DJk0+JqsheqqB8jdH+eP+MuAGXqvS44Aw+kU0lqZuYPFehbpuNp194T4uBv862uss1qp3ODd3wLQQoXB0DutdL6JlNziySV2ehkbLDjCiNPFM+QbuSFIfUPU3juBZUDM+dnJIBzIIy9AdFtike7m9r5h7q8Ji/On7uTeabVLbPNLmoH8zOD22E/Xqzskq29Lb2XfwyqGwx528kCgG9OlByTtqgv28iXRiWJ7sAaSzME= Well known key for sssd-ci.

docker-compose.yml

@@ -44,6 +44,33 @@ services:
     networks:
       sssd:
         ipv4_address: 172.16.100.10
+  ipa2:
+    image: ${REGISTRY}/ci-ipa2:${TAG}
+    container_name: ipa2
+    hostname: master.ipa2.test
+    dns: 172.16.100.2
+    env_file: ./env.containers
+    volumes:
+    - ./shared:/shared:rw
+    cap_add:
+    - SYS_ADMIN
+    - SYS_PTRACE
+    - AUDIT_WRITE
+    - AUDIT_CONTROL
+    - SYS_CHROOT
+    - NET_ADMIN
+    - CAP_CHOWN
+    - CAP_DAC_OVERRIDE
+    - CAP_SETGID
+    - CAP_SETUID
+    - CAP_DAC_READ_SEARCH
+    security_opt:
+    - apparmor=unconfined
+    - label=disable
+    - seccomp=unconfined
+    networks:
+      sssd:
+        ipv4_address: 172.16.100.11
   ldap:
     image: ${REGISTRY}/ci-ldap:${TAG}
     container_name: ldap

readme.md

@@ -81,6 +81,7 @@ perfoming an `ldapsearch`).
 | nfs          | `172.16.100.50` | `nfs.test`                 | NFS server                          |
 | kdc          | `172.16.100.60` | `kdc.test`                 | Kerberos KDC                        |
 | keycloak     | `172.16.100.70` | `master.keycloak.test`     | Keycloak IdP                        |
+| ipa2         | `172.16.100.11` | `master.ipa2.test`         | IPA server in different realm       |
 
 ## Available user accounts
 

src/ansible/group_vars/all

@@ -6,6 +6,13 @@ service: {
     netbios: 'IPA',
     password: 'Secret123'
   },
+  ipa2: {
+    domain: 'ipa2.test',
+    hostname: 'master',
+    fqn: 'master.ipa2.test',
+    netbios: 'IPA2',
+    password: 'Secret123'
+  },
   ldap: {
     domain: 'ldap.test',
     hostname: 'master',

src/ansible/inventory.yml

@@ -53,6 +53,8 @@ all:
           hosts:
             master.ipa.test:
               ansible_host: sssd-wip-ipa
+            master.ipa2.test:
+              ansible_host: sssd-wip-ipa2
         ldap:
           hosts:
             master.ldap.test:

src/ansible/roles/cleanup/tasks/main.yml

@@ -7,7 +7,7 @@
 
   - name: Remove 389ds database to make image smaller
     shell: rm -f /var/lib/dirsrv/slapd-IPA-TEST/db/__db.*
-  when: inventory_hostname == 'master.ipa.test' or inventory_hostname == 'ipa-devel'
+  when: inventory_hostname in groups["ipa"] or inventory_hostname == 'ipa-devel'
 
 - name: Minimize LDAP service container
   block:
@@ -29,4 +29,4 @@
 
   - name: Remove SSSD's database and logs
     shell: rm -f /var/lib/sss/db/* /var/lib/sss/mc/* /var/log/sssd/*
-  when: inventory_hostname == 'client.test' or inventory_hostname == 'master.ipa.test'
+  when: inventory_hostname in groups["client"] or inventory_hostname in groups["ipa"]

src/ansible/roles/dns/templates/etc.dnsmasq.conf.j2

@@ -13,9 +13,9 @@ domain=test
 cache-size=0
 
 # These zones have their own DNS server
-{% if 'master.ipa.test' in hostvars %}
-server=/ipa.test/{{ hostvars['master.ipa.test']['ansible_facts']['default_ipv4']['address'] }}
-{% endif %}
+{% for host in groups['ipa'] %}
+server=/{{ hostvars[host]['ansible_facts']['domain'] }}/{{ hostvars[host]['ansible_facts']['default_ipv4']['address'] }}
+{% endfor %}
 {% if 'dc.samba.test' in hostvars %}
 server=/samba.test/{{ hostvars['dc.samba.test']['ansible_facts']['default_ipv4']['address'] }}
 {% endif %}
@@ -29,6 +29,7 @@ server=/{{ hostvars[ad]['ansible_facts']['windows_domain'] }}/{{ hostvars[ad]['a
 
 {% if 'master.ipa.test' in hostvars %}
 # Add reverse zones for artificial hosts in IPA domain
+{% if 'master.ipa.test' in hostvars %}
 server=/251.255.10.in-addr.arpa/{{ hostvars['master.ipa.test']['ansible_facts']['default_ipv4']['address'] }}
 {% endif %}
 
@@ -53,4 +54,4 @@ ptr-record={{ hostvars[host]['ansible_facts']['default_ipv4']['address'].split('
 {% elif hostvars[host].ansible_system == 'Win32NT' %}
 ptr-record={{ hostvars[host]['ansible_facts']['ip_addresses'][0].split('.') | reverse | join(".") }}.in-addr.arpa,{{ host }}
 {% endif %}
-{% endfor %}
+{% endfor %}

src/ansible/roles/ipa/tasks/main.yml

@@ -110,6 +110,7 @@
     ipa --no-prompt dnszone-add --name-from-ip 10.255.251.0/24
   args:
     stdin: '{{ ipa_password }}'
+  when: inventory_hostname == 'master.ipa.test'
 
 - name: 'Check trust with other domains'
   shell: |
@@ -144,6 +145,7 @@
   - '"samba" in groups and groups["samba"]'
   - join_samba
   - trust_ipa_samba
+  - inventory_hostname != 'master.ipa2.test'
 
 - name: 'Setup trust with AD'
   block:
@@ -167,6 +169,8 @@
     when:
     - 'ad_domain not in trust.stdout'
     - not trust_ipa_ad_two_way
+    - inventory_hostname != 'master.ipa2.test'
+
   - name: Run ipa trust-add (two-way)
     shell: |
       kinit admin
@@ -182,3 +186,4 @@
   - '"ad" in groups and groups["ad"]'
   - join_ad
   - trust_ipa_ad
+  - inventory_hostname != 'master.ipa2.test'

src/build.sh

@@ -140,6 +140,7 @@ ansible-playbook $ANSIBLE_OPTS ./ansible/playbook_image_service.yml
 compose stop
 build_service_image sssd-wip-client client
 build_service_image sssd-wip-ipa ipa
+build_service_image sssd-wip-ipa2 ipa2
 build_service_image sssd-wip-ldap ldap
 build_service_image sssd-wip-samba samba
 build_service_image sssd-wip-nfs nfs

src/docker-compose.build.yml

@@ -5,6 +5,9 @@ services:
   ipa:
     image: localhost/sssd/ci-base-ipa:${TAG}
     container_name: sssd-wip-ipa
+  ipa2:
+    image: localhost/sssd/ci-base-ipa:${TAG}
+    container_name: sssd-wip-ipa2
   ldap:
     image: localhost/sssd/ci-base-ldap:${TAG}
     container_name: sssd-wip-ldap

src/push.sh

@@ -66,6 +66,7 @@ push ci-dns latest ""
 push ci-client "$TAG" "$EXTRA_TAGS"
 push ci-client-devel "$TAG" "$EXTRA_TAGS"
 push ci-ipa "$TAG" "$EXTRA_TAGS"
+push ci-ipa2 "$TAG" "$EXTRA_TAGS"
 push ci-ipa-devel "$TAG" "$EXTRA_TAGS"
 push ci-ldap "$TAG" "$EXTRA_TAGS"
 push ci-samba "$TAG" "$EXTRA_TAGS"

src/tools/gen-ssh-keys.sh

@@ -17,7 +17,7 @@ mkdir -p $OUT
 mkdir -p $OUT/hosts
 
 for name in client.test dc.samba.test dns.test kdc.test \
-            master.ipa.test master.keycloak.test master.ldap.test nfs.test; do
+            master.ipa.test master.ipa2.test master.keycloak.test master.ldap.test nfs.test; do
     for type in ecdsa ed25519 rsa; do
         ssh-keygen -C "Well known key for sssd-ci." -t $type -f "$OUT/hosts/$name.${type}_key" -N "" <<< y
     done

src/tools/setup-dns-files.sh

@@ -17,6 +17,7 @@ sed -i '/client.test/d' /etc/hosts
 sed -i '/nfs.test/d' /etc/hosts
 sed -i '/kdc.test/d' /etc/hosts
 sed -i '/dc.ad.test/d' /etc/hosts
+sed -i '/master.ipa2.test/d' /etc/hosts
 
 # Append the lines
 echo "172.16.100.10 master.ipa.test" >> /etc/hosts
@@ -26,3 +27,4 @@ echo "172.16.100.40 client.test" >> /etc/hosts
 echo "172.16.100.50 nfs.test" >> /etc/hosts
 echo "172.16.100.60 kdc.test" >> /etc/hosts
 echo "172.16.200.10 dc.ad.test" >> /etc/hosts
+echo "172.16.100.11 master.ipa2.test" >> /etc/hosts