SSSD · madhuriupadhye · Dec 8, 2025 · Dec 1, 2025
diff --git a/sssd_test_framework/topology_controllers.py b/sssd_test_framework/topology_controllers.py
@@ -1,5 +1,7 @@
 from __future__ import annotations
 
+import socket
+
 from pytest_mh import BackupTopologyController
 from pytest_mh.conn import ProcessResult
 
@@ -144,6 +146,9 @@ def topology_setup(self, client: ClientHost, ipa: IPAHost, trusted: ADHost | Sam
             self.logger.info(f"Topology '{self.name}' is already provisioned")
             return
 
+        # Configure DNS forwarder for AD domain on IPA server
+        self.setup_dns_forwarder(ipa, trusted)
+
         # Create trust
         self.logger.info(f"Establishing trust between {ipa.domain} and {trusted.domain}")
         ipa.kinit()
@@ -167,6 +172,52 @@ def topology_setup(self, client: ClientHost, ipa: IPAHost, trusted: ADHost | Sam
         # Backup so we can restore to this state after each test
         super().topology_setup()
 
+    def setup_dns_forwarder(self, ipa: IPAHost, trusted: ADHost | SambaHost) -> None:
+        """
+        Configure DNS forwarder on IPA server for the trusted AD domain.
+
+        This ensures IPA can resolve the AD domain for trust establishment.
+        """
+        self.logger.info(f"Configuring DNS forwarder for {trusted.domain} on {ipa.hostname}")
+        ipa.kinit()
+
+        # Check if forwarder already exists
+        result = ipa.conn.exec(
+            ["ipa", "dnsforwardzone-show", trusted.domain],
+            raise_on_error=False,
+        )
+
+        if result.rc == 0:
+            self.logger.info(f"DNS forwarder for {trusted.domain} already exists, skipping")
+            return
+
+        # Resolve AD server hostname to IP address (forwarder requires IP)
+        # Use getattr to safely access the host attribute from the connection
+        ad_hostname = getattr(trusted.conn, "host", trusted.hostname)
+        try:
+            ad_ip = socket.gethostbyname(ad_hostname)
+        except socket.gaierror:
+            self.logger.error(
+                f"Could not resolve hostname '{ad_hostname}'. "
+                "Please ensure it is resolvable from the test controller."
+            )
+            raise
+
+        # Add DNS forward zone pointing to the AD server IP
+        ipa.conn.exec(
+            [
+                "ipa",
+                "dnsforwardzone-add",
+                trusted.domain,
+                f"--forwarder={ad_ip}",
+                "--forward-policy=only",
+            ]
+        )
+
+        # Restart named to ensure it picks up the new forwarder zone
+        ipa.conn.exec(["systemctl", "restart", "named"])
+        self.logger.info(f"DNS forwarder for {trusted.domain} configured successfully")
+
     # If this command is run on freshly started containers, it is possible the IPA is not yet
     # fully ready to create the trust. It takes a while for it to start working.
     @retry_command(max_retries=20, delay=5, match_stderr='CIFS server communication error: code "3221225581"')