Support IPA IPA Trust with additional IPA server

Makefile

@@ -18,13 +18,18 @@ up-keycloak:
 	docker-compose -f docker-compose.yml -f docker-compose.keycloak.yml up \
 	--no-recreate --detach ${LIMIT}
 
+up-ipaipatrust:
+	docker-compose -f docker-compose.yml -f docker-compose.ipaipatrust.yml up \
+	--no-recreate --detach ${LIMIT}
+
 stop:
 	docker-compose stop
 
 down:
 	docker-compose -f docker-compose.yml \
 	-f docker-compose.keycloak.yml \
-	-f docker-compose.passkey.yml down
+	-f docker-compose.passkey.yml \
+	-f docker-compose.ipaipatrust.yml down
 
 update:
 	docker-compose pull

data/configs/dnsmasq.conf

@@ -12,6 +12,7 @@ cache-size=0
 
 # These zones have their own DNS server
 server=/ipa.test/172.16.100.10
+server=/ipa2.test/172.16.100.80
 server=/samba.test/172.16.100.30
 server=/ad.test/172.16.200.10
 
@@ -35,3 +36,4 @@ ptr-record=30.100.16.172.in-addr.arpa,dc.samba.test
 ptr-record=40.100.16.172.in-addr.arpa,client.test
 ptr-record=10.200.16.172.in-addr.arpa,dc.ad.test
 ptr-record=70.100.16.172.in-addr.arpa,master.keycloak.test
+ptr-record=80.100.16.172.in-addr.arpa,master2.ipa2.test

data/ssh-keys/hosts/master2.ipa2.test.ecdsa_key

@@ -0,0 +1,9 @@
+-----BEGIN OPENSSH PRIVATE KEY-----
+b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAaAAAABNlY2RzYS
+1zaGEyLW5pc3RwMjU2AAAACG5pc3RwMjU2AAAAQQSyoR60qsHJnLDmDWTMv0jnrm6UVIYs
+/IgAcAc8iiQcMmKjrpGhCWdsGmRuUVU3QEWHYNr/9PONpgteK6DPVmwbAAAAuLEQ0DWxEN
+A1AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBLKhHrSqwcmcsOYN
+ZMy/SOeubpRUhiz8iABwBzyKJBwyYqOukaEJZ2waZG5RVTdARYdg2v/0842mC14roM9WbB
+sAAAAhAMmRy5TySGuPcwkjcMhPVRbTj0t0d9WDIp7zOnyIUQeuAAAAG1dlbGwga25vd24g
+a2V5IGZvciBzc3NkLWNpLgECAwQ=
+-----END OPENSSH PRIVATE KEY-----

data/ssh-keys/hosts/master2.ipa2.test.ecdsa_key.pub

@@ -0,0 +1 @@
+ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBLKhHrSqwcmcsOYNZMy/SOeubpRUhiz8iABwBzyKJBwyYqOukaEJZ2waZG5RVTdARYdg2v/0842mC14roM9WbBs= Well known key for sssd-ci.

data/ssh-keys/hosts/master2.ipa2.test.ed25519_key

@@ -0,0 +1,7 @@
+-----BEGIN OPENSSH PRIVATE KEY-----
+b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
+QyNTUxOQAAACCmEpAu12f745YYegsmuLzQP7uZPhkwkcmEjuJFgHGZNgAAAKBy82b/cvNm
+/wAAAAtzc2gtZWQyNTUxOQAAACCmEpAu12f745YYegsmuLzQP7uZPhkwkcmEjuJFgHGZNg
+AAAEBOc5N5gKJwEtnLAcLLAHyJ9XvgGkQgG6bjj2nBnNGwdqYSkC7XZ/vjlhh6Cya4vNA/
+u5k+GTCRyYSO4kWAcZk2AAAAG1dlbGwga25vd24ga2V5IGZvciBzc3NkLWNpLgEC
+-----END OPENSSH PRIVATE KEY-----

data/ssh-keys/hosts/master2.ipa2.test.ed25519_key.pub

@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKYSkC7XZ/vjlhh6Cya4vNA/u5k+GTCRyYSO4kWAcZk2 Well known key for sssd-ci.

data/ssh-keys/hosts/master2.ipa2.test.rsa_key

@@ -0,0 +1,38 @@
+-----BEGIN OPENSSH PRIVATE KEY-----
+b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn
+NhAAAAAwEAAQAAAYEAr69HvYYr8C8Ib2BdhNulk5+M4XVc7dn9m+K77TXySpw156pZ8z1b
+ZEZpSLegp2NC+tCo5QGgqqvMqoBrdAJ8ZHMor1LKINnHFl0R67xb1lkEQP7ZpzjLaSGtW4
+eQ4Tzt8vfBaxm6X8wOlTsRYqyoKaKsWBwyZKFGBILiAlZf2xZSpi3aoanNf33I7mFWEfYt
+LWbteYVtuvpd09by4fg5z9Cj5D2j2bMfz0KF/LT4RclMZCWLcpLiuuN+kITJd6YesmSJ3h
+wpIamPGDSzFSnU8+77ocYE/5xpCyoO6wJHxO5AaHFO5czCLyFu9EO+af+xOeTcJEqvz0Vs
+jPBb00e0xJI6aNbzf5Ef7UVrpA8BtTwpsGQInr64tmYruDjAls3YCizUHchVFNrM3uhOQc
+VPUQkVz6xe0txf8CJSUNOfu2WlpPVyLenH/XvT/ykzgqROmO1Szks/IirKxmEzg34OG1F+
+cCObnv8P3KEKvlrVC4w4qdtQ202gSy6Y2zz8ro6BAAAFkKJKRjmiSkY5AAAAB3NzaC1yc2
+EAAAGBAK+vR72GK/AvCG9gXYTbpZOfjOF1XO3Z/Zviu+018kqcNeeqWfM9W2RGaUi3oKdj
+QvrQqOUBoKqrzKqAa3QCfGRzKK9SyiDZxxZdEeu8W9ZZBED+2ac4y2khrVuHkOE87fL3wW
+sZul/MDpU7EWKsqCmirFgcMmShRgSC4gJWX9sWUqYt2qGpzX99yO5hVhH2LS1m7XmFbbr6
+XdPW8uH4Oc/Qo+Q9o9mzH89Chfy0+EXJTGQli3KS4rrjfpCEyXemHrJkid4cKSGpjxg0sx
+Up1PPu+6HGBP+caQsqDusCR8TuQGhxTuXMwi8hbvRDvmn/sTnk3CRKr89FbIzwW9NHtMSS
+OmjW83+RH+1Fa6QPAbU8KbBkCJ6+uLZmK7g4wJbN2Aos1B3IVRTazN7oTkHFT1EJFc+sXt
+LcX/AiUlDTn7tlpaT1ci3px/170/8pM4KkTpjtUs5LPyIqysZhM4N+DhtRfnAjm57/D9yh
+Cr5a1QuMOKnbUNtNoEsumNs8/K6OgQAAAAMBAAEAAAGAVEQsEmVJLO66SoW7xY5/GFQ2hC
+vBc5qUMNGrlwdBnHTZzDEi7O84p1u4gzcEmVUcmuY7pIBH2qUFyaBIKgBJPvsXgCSjK+eZ
+PQpOHradjC3tQumaZ0FwG5CaMKVRIiAR9/DLNr5D7VAYjI6k86HiFPpgVPDNYQQT6/UFR9
+67IoBOC0RCMjmahjTEjEZmvL3KBJVygU+1BrKxD3txy14/CIVIHyFLto9ayhRb5Q6+aOa5
+O+3gOYfntYGJwvLWGYw1MGQMuwHNVdQcZ2u+u1qT7bnM8qQzbfCk00VFHIJAGrAvZNdzdf
+/QfFFr4wYK1LdZu9tMN5pwm53gYxpPMZ/al5CFCE7sIA46HV9srro7SXUNZGFEzPbC/AHV
+K1mHMiygqjfRB2qUrjWSBsUjEmwwzWDeAWzNjDF7wloS3v9sVrx2MtvamR5mEaG0JCjaIg
++CFpvnSReSqJlcHf3yehYbIIJEsLRrHJchsnFnOgLYw8V0g86d61ZZkHz2Zh3biDOzAAAA
+wEd4BRep6kF4TH5Te9l++Ul3WEerxSNtIW+F2Uut8tYxjWTtFOrXBNSNKr9mc9GN2SEO7W
+inhOZlbvPLMIIAoZhud38oCMuGWLRAy2YH7I+yrad7/wMimWc4+s3CiOlxzAvrG/8bpfCa
+o3uAvCHzMnj9E4INTFuC5PZUCkQV60aq1Cw/DBeAkuOAtsbrCZdbRyi5jOL8/98zIiGMkv
+UNc7asBXkTMWToCerk5PjGbHobbbqi4J7okGFJ6VA7njePkgAAAMEA3vYMybZgofgl+FTx
+nOAQlKNsfkAhuzzYCIR5ASFwboz/LEfIMc+Q8VGU1CTJVIVA2wa35mqJV4Pe3UNAOpkb88
+Ju3wYbaYCsVd5JRuJgl9GRFmAkZ5wlSJR0i0oaES7mjZceS/jo4xhh2MJC/nrszxiKQmSb
+nMmVp9/y07/SbqK/897E6iPs2ByEVFWv+sdACGPmOeZ1Qqtm4r5L/PGXmE82MPvx0Wvjjy
+W0Rgs416eKwwynjDCiF0+go2MRUhiTAAAAwQDJt9DA/+Evn1h1LSJJvTNkSRcRwojyIJVS
+v+dUhBCRvh18sA+uHGdvH8VOVYwXJGk8HQIIstcAyB0E9SzMAjiTWUBcNMZKumW961FWO3
+rL1gP++3DQbGeuhizYcx57+ttcY1JhZAUU9NjsZW3tCk5+Szl6qjXk13VBzGX8ohXvJP/Y
+77RWhCEHWPgMSNhMIoX3OC9yh0OInCkwZXVzCgxupVmv5wv/jVkKaWdKu6IHWjbNg+gP95
+nZutPrimevjRsAAAAbV2VsbCBrbm93biBrZXkgZm9yIHNzc2QtY2ku
+-----END OPENSSH PRIVATE KEY-----

data/ssh-keys/hosts/master2.ipa2.test.rsa_key.pub

@@ -0,0 +1 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCvr0e9hivwLwhvYF2E26WTn4zhdVzt2f2b4rvtNfJKnDXnqlnzPVtkRmlIt6CnY0L60KjlAaCqq8yqgGt0AnxkcyivUsog2ccWXRHrvFvWWQRA/tmnOMtpIa1bh5DhPO3y98FrGbpfzA6VOxFirKgpoqxYHDJkoUYEguICVl/bFlKmLdqhqc1/fcjuYVYR9i0tZu15hW26+l3T1vLh+DnP0KPkPaPZsx/PQoX8tPhFyUxkJYtykuK6436QhMl3ph6yZIneHCkhqY8YNLMVKdTz7vuhxgT/nGkLKg7rAkfE7kBocU7lzMIvIW70Q75p/7E55NwkSq/PRWyM8FvTR7TEkjpo1vN/kR/tRWukDwG1PCmwZAievri2Ziu4OMCWzdgKLNQdyFUU2sze6E5BxU9RCRXPrF7S3F/wIlJQ05+7ZaWk9XIt6cf9e9P/KTOCpE6Y7VLOSz8iKsrGYTODfg4bUX5wI5ue/w/coQq+WtULjDip21DbTaBLLpjbPPyujoE= Well known key for sssd-ci.

docker-compose.ipaipatrust.yml

@@ -0,0 +1,23 @@
+services:
+  ipa2:
+    image: ${REGISTRY}/ci-ipa2:${TAG}
+    container_name: ipa2
+    hostname: master2.ipa2.test
+    dns: 172.16.100.2
+    env_file: ./env.containers
+    volumes:
+    - ./shared:/shared:rw
+    cap_add:
+    - SYS_ADMIN
+    - SYS_PTRACE
+    - AUDIT_WRITE
+    - AUDIT_CONTROL
+    - SYS_CHROOT
+    - NET_ADMIN
+    security_opt:
+    - apparmor=unconfined
+    - label=disable
+    - seccomp=unconfined
+    networks:
+      sssd:
+        ipv4_address: 172.16.100.80

src/ansible/group_vars/all

@@ -6,6 +6,13 @@ service: {
     netbios: 'IPA',
     password: 'Secret123'
   },
+  ipa2: {
+    domain: 'ipa2.test',
+    hostname: 'master2',
+    fqn: 'master2.ipa2.test',
+    netbios: 'IPA2',
+    password: 'Secret123'
+  },
   ldap: {
     domain: 'ldap.test',
     hostname: 'master',

src/ansible/inventory.yml

@@ -53,6 +53,8 @@ all:
           hosts:
             master.ipa.test:
               ansible_host: sssd-wip-ipa
+            master2.ipa2.test:
+              ansible_host: sssd-wip-ipa2
         ldap:
           hosts:
             master.ldap.test:

src/ansible/playbook_image_service.yml

@@ -16,7 +16,9 @@
   roles:
   - samba
 
-- hosts: master.ipa.test
+- hosts:
+    - master.ipa.test
+    - master2.ipa2.test
   gather_facts: no
   roles:
   - ipa

src/ansible/roles/cleanup/tasks/main.yml

@@ -7,7 +7,7 @@
 
   - name: Remove 389ds database to make image smaller
     shell: rm -f /var/lib/dirsrv/slapd-IPA-TEST/db/__db.*
-  when: inventory_hostname == 'master.ipa.test' or inventory_hostname == 'ipa-devel'
+  when: inventory_hostname in groups["ipa"] or inventory_hostname == 'ipa-devel'
 
 - name: Minimize LDAP service container
   block:
@@ -29,4 +29,4 @@
 
   - name: Remove SSSD's database and logs
     shell: rm -f /var/lib/sss/db/* /var/lib/sss/mc/* /var/log/sssd/*
-  when: inventory_hostname == 'client.test' or inventory_hostname == 'master.ipa.test'
+  when: inventory_hostname in groups["client"] or inventory_hostname in groups["ipa"]

src/ansible/roles/dns/templates/etc.dnsmasq.conf.j2

@@ -13,9 +13,9 @@ domain=test
 cache-size=0
 
 # These zones have their own DNS server
-{% if 'master.ipa.test' in hostvars %}
-server=/ipa.test/{{ hostvars['master.ipa.test']['ansible_facts']['default_ipv4']['address'] }}
-{% endif %}
+{% for host in groups['ipa'] %}
+server=/{{ hostvars[host]['ansible_facts']['domain'] }}/{{ hostvars[host]['ansible_facts']['default_ipv4']['address'] }}
+{% endfor %}
 {% if 'dc.samba.test' in hostvars %}
 server=/samba.test/{{ hostvars['dc.samba.test']['ansible_facts']['default_ipv4']['address'] }}
 {% endif %}
@@ -28,7 +28,9 @@ server=/{{ hostvars[ad]['ansible_facts']['windows_domain'] }}/{{ hostvars[ad]['a
 {% endif %}
 
 # Add reverse zones for artificial hosts in IPA domain
+{% if 'master.ipa.test' in hostvars %}
 server=/251.255.10.in-addr.arpa/{{ hostvars['master.ipa.test']['ansible_facts']['default_ipv4']['address'] }}
+{% endif %}
 
 # Add SRV record for LDAP
 {% if 'master.ldap.test' in hostvars %}
@@ -51,4 +53,4 @@ ptr-record={{ hostvars[host]['ansible_facts']['default_ipv4']['address'].split('
 {% elif hostvars[host].ansible_system == 'Win32NT' %}
 ptr-record={{ hostvars[host]['ansible_facts']['ip_addresses'][0].split('.') | reverse | join(".") }}.in-addr.arpa,{{ host }}
 {% endif %}
-{% endfor %}
+{% endfor %}

src/ansible/roles/ipa/tasks/main.yml

@@ -110,6 +110,7 @@
     ipa --no-prompt dnszone-add --name-from-ip 10.255.251.0/24
   args:
     stdin: '{{ ipa_password }}'
+  when: inventory_hostname == 'master.ipa.test'
 
 - name: 'Check trust with other domains'
   shell: |
@@ -144,6 +145,7 @@
   - '"samba" in groups and groups["samba"]'
   - join_samba
   - trust_ipa_samba
+  - inventory_hostname != 'master2.ipa2.test'
 
 - name: 'Setup trust with AD'
   block:
@@ -167,6 +169,8 @@
     when:
     - 'ad_domain not in trust.stdout'
     - not trust_ipa_ad_two_way
+    - inventory_hostname != 'master2.ipa2.test'
+
   - name: Run ipa trust-add (two-way)
     shell: |
       kinit admin
@@ -182,3 +186,4 @@
   - '"ad" in groups and groups["ad"]'
   - join_ad
   - trust_ipa_ad
+  - inventory_hostname != 'master2.ipa2.test'

src/ansible/roles/packages/tasks/Fedora.yml

@@ -222,7 +222,7 @@
     dnf:
       state: present
       name: sssd-kcm
-  when: "'base_ipa' in group_names or 'ipa' in group_names"
+  when: "'base_ipa' in group_names or 'base_ipa2' in group_names or 'ipa' in group_names"
 
 - name: Install packages for Samba base image
   block:
@@ -264,7 +264,7 @@
       - ci-sssd-random
       - umockdev
     when: passkey_support
-  when: "'base_client' in group_names or 'client' in group_names or 'base_ipa' in group_names or 'ipa' in group_names"
+  when: "'base_client' in group_names or 'client' in group_names or 'base_ipa' in group_names or 'base_ipa2' in group_names or 'ipa' in group_names"
 
 - name: Install packages for Keycloak base image
   block:

src/build.sh

@@ -50,7 +50,7 @@ function cleanup {
 }
 
 function compose {
-  docker-compose -f "../docker-compose.yml" -f "../docker-compose.keycloak.yml" -f "./docker-compose.build.yml" $@
+  docker-compose -f "../docker-compose.yml" -f "../docker-compose.keycloak.yml" -f "../docker-compose.ipaipatrust.yml" -f "./docker-compose.build.yml" $@
 }
 
 function base_exec {
@@ -140,6 +140,7 @@ ansible-playbook $ANSIBLE_OPTS ./ansible/playbook_image_service.yml
 compose stop
 build_service_image sssd-wip-client client
 build_service_image sssd-wip-ipa ipa
+build_service_image sssd-wip-ipa2 ipa2
 build_service_image sssd-wip-ldap ldap
 build_service_image sssd-wip-samba samba
 build_service_image sssd-wip-nfs nfs

src/docker-compose.build.yml

@@ -5,6 +5,9 @@ services:
   ipa:
     image: localhost/sssd/ci-base-ipa:${TAG}
     container_name: sssd-wip-ipa
+  ipa2:
+    image: localhost/sssd/ci-base-ipa:${TAG}
+    container_name: sssd-wip-ipa2
   ldap:
     image: localhost/sssd/ci-base-ldap:${TAG}
     container_name: sssd-wip-ldap

src/push.sh

@@ -66,6 +66,7 @@ push ci-dns latest ""
 push ci-client "$TAG" "$EXTRA_TAGS"
 push ci-client-devel "$TAG" "$EXTRA_TAGS"
 push ci-ipa "$TAG" "$EXTRA_TAGS"
+push ci-ipa2 "$TAG" "$EXTRA_TAGS"
 push ci-ipa-devel "$TAG" "$EXTRA_TAGS"
 push ci-ldap "$TAG" "$EXTRA_TAGS"
 push ci-samba "$TAG" "$EXTRA_TAGS"

src/tools/gen-ssh-keys.sh

@@ -17,7 +17,7 @@ mkdir -p $OUT
 mkdir -p $OUT/hosts
 
 for name in client.test dc.samba.test dns.test kdc.test \
-            master.ipa.test master.keycloak.test master.ldap.test nfs.test; do
+            master.ipa.test master2.ipa2.test master.keycloak.test master.ldap.test nfs.test; do
     for type in ecdsa ed25519 rsa; do
         ssh-keygen -C "Well known key for sssd-ci." -t $type -f "$OUT/hosts/$name.${type}_key" -N "" <<< y
     done

src/tools/setup-dns-files.sh

@@ -17,6 +17,7 @@ sed -i '/client.test/d' /etc/hosts
 sed -i '/nfs.test/d' /etc/hosts
 sed -i '/kdc.test/d' /etc/hosts
 sed -i '/dc.ad.test/d' /etc/hosts
+sed -i '/master2.ipa2.test/d' /etc/hosts
 
 # Append the lines
 echo "172.16.100.10 master.ipa.test" >> /etc/hosts
@@ -26,3 +27,4 @@ echo "172.16.100.40 client.test" >> /etc/hosts
 echo "172.16.100.50 nfs.test" >> /etc/hosts
 echo "172.16.100.60 kdc.test" >> /etc/hosts
 echo "172.16.200.10 dc.ad.test" >> /etc/hosts
+echo "172.16.100.80 master2.ipa2.test" >> /etc/hosts