Add automatic DNS forwarder setup for IPA-AD trust

madhuriupadhye · madhuriupadhye · commit 202271758b6c · 2025-12-01T20:35:44.000+05:30
IPA trust tests fail with "Unable to read domain information"
when IPA's DNS cannot resolve the AD domain.

Added setup_dns_forwarder() to IPATrustADTopologyController that:
Creates a DNS forward zone for the AD domain
Resolves AD hostname to IP (required by ipa dnsforwardzone-add)
Restarts named to apply the configuration

Signed-off-by: Madhuri Upadhye &lt;mupadhye@redhat.com&gt;
diff --git a/sssd_test_framework/topology_controllers.py b/sssd_test_framework/topology_controllers.py
@@ -1,5 +1,7 @@
 from __future__ import annotations
 
+import socket
+
 from pytest_mh import BackupTopologyController
 from pytest_mh.conn import ProcessResult
 
@@ -137,6 +139,9 @@ def topology_setup(self, client: ClientHost, ipa: IPAHost, trusted: ADHost | Sam
             self.logger.info(f"Topology '{self.name}' is already provisioned")
             return
 
+        # Configure DNS forwarder for AD domain on IPA server
+        self.setup_dns_forwarder(ipa, trusted)
+
         # Create trust
         self.logger.info(f"Establishing trust between {ipa.domain} and {trusted.domain}")
         ipa.kinit()
@@ -160,6 +165,47 @@ def topology_setup(self, client: ClientHost, ipa: IPAHost, trusted: ADHost | Sam
         # Backup so we can restore to this state after each test
         super().topology_setup()
 
+    def setup_dns_forwarder(self, ipa: IPAHost, trusted: ADHost | SambaHost) -> None:
+        """
+        Configure DNS forwarder on IPA server for the trusted AD domain.
+
+        This ensures IPA can resolve the AD domain for trust establishment.
+        """
+        self.logger.info(f"Configuring DNS forwarder for {trusted.domain} on {ipa.hostname}")
+        ipa.kinit()
+
+        # Check if forwarder already exists
+        result = ipa.conn.exec(
+            ["ipa", "dnsforwardzone-show", trusted.domain],
+            raise_on_error=False,
+        )
+
+        if result.rc == 0:
+            self.logger.info(f"DNS forwarder for {trusted.domain} already exists, skipping")
+            return
+
+        # Resolve AD server hostname to IP address (forwarder requires IP)
+        try:
+            ad_ip = socket.gethostbyname(trusted.conn.host)
+        except socket.gaierror:
+            # If resolution fails, try using the hostname directly
+            ad_ip = trusted.conn.host
+
+        # Add DNS forward zone pointing to the AD server IP
+        ipa.conn.exec(
+            [
+                "ipa",
+                "dnsforwardzone-add",
+                trusted.domain,
+                f"--forwarder={ad_ip}",
+                "--forward-policy=only",
+            ]
+        )
+
+        # Restart named to ensure it picks up the new forwarder zone
+        ipa.conn.exec(["systemctl", "restart", "named"])
+        self.logger.info(f"DNS forwarder for {trusted.domain} configured successfully")
+
     # If this command is run on freshly started containers, it is possible the IPA is not yet
     # fully ready to create the trust. It takes a while for it to start working.
     @retry_command(max_retries=20, delay=5, match_stderr='CIFS server communication error: code "3221225581"')
