ipa dns forwarders are no longer necessary

Dan Lavu · Dan Lavu · commit f5238e59b43a · 2026-04-29T19:05:09.000-04:00
diff --git a/sssd_test_framework/topology_controllers.py b/sssd_test_framework/topology_controllers.py
@@ -1,7 +1,6 @@
 from __future__ import annotations
 
 import re
-import socket
 import tempfile
 
 from pytest_mh import BackupTopologyController
@@ -208,7 +207,6 @@ def topology_setup(self, client: ClientHost, ipa: IPAHost) -> None:
         client.conn.run(f"echo {hostname} > /etc/hostname")
         client.fs.write("/etc/hosts", client.fs.read("/etc/hosts").replace("client.test", hostname))
 
-
         # Change client hostname to match the domain
         self.logger.info(f"Changing hostname to {hostname}")
         client.conn.run(f"hostname {hostname}")
@@ -277,9 +275,6 @@ def topology_setup(self, client: ClientHost, ipa: IPAHost, trusted: ADHost | Sam
             self.logger.info(f"Topology '{self.name}' is already provisioned")
             return
 
-        # Configure DNS forwarder for AD domain on IPA server
-        self.setup_dns_forwarder(ipa, trusted)
-
         # Create trust
         self.logger.info(f"Establishing trust between {ipa.domain} and {trusted.domain}")
         ipa.kinit()
@@ -293,52 +288,6 @@ def topology_setup(self, client: ClientHost, ipa: IPAHost, trusted: ADHost | Sam
         # Backup so we can restore to this state after each test
         super().topology_setup()
 
-    def setup_dns_forwarder(self, ipa: IPAHost, trusted: ADHost | SambaHost) -> None:
-        """
-        Configure DNS forwarder on IPA server for the trusted AD domain.
-
-        This ensures IPA can resolve the AD domain for trust establishment.
-        """
-        self.logger.info(f"Configuring DNS forwarder for {trusted.domain} on {ipa.hostname}")
-        ipa.kinit()
-
-        # Check if forwarder already exists
-        result = ipa.conn.exec(
-            ["ipa", "dnsforwardzone-show", trusted.domain],
-            raise_on_error=False,
-        )
-
-        if result.rc == 0:
-            self.logger.info(f"DNS forwarder for {trusted.domain} already exists, skipping")
-            return
-
-        # Resolve AD server hostname to IP address (forwarder requires IP)
-        # Use getattr to safely access the host attribute from the connection
-        ad_hostname = getattr(trusted.conn, "host", trusted.hostname)
-        try:
-            ad_ip = socket.gethostbyname(ad_hostname)
-        except socket.gaierror:
-            self.logger.error(
-                f"Could not resolve hostname '{ad_hostname}'. "
-                "Please ensure it is resolvable from the test controller."
-            )
-            raise
-
-        # Add DNS forward zone pointing to the AD server IP
-        ipa.conn.exec(
-            [
-                "ipa",
-                "dnsforwardzone-add",
-                trusted.domain,
-                f"--forwarder={ad_ip}",
-                "--forward-policy=only",
-            ]
-        )
-
-        # Restart named to ensure it picks up the new forwarder zone
-        ipa.conn.exec(["systemctl", "restart", "named"])
-        self.logger.info(f"DNS forwarder for {trusted.domain} configured successfully")
-
     # If this command is run on freshly started containers, it is possible the IPA is not yet
     # fully ready to create the trust. It takes a while for it to start working.
     @retry_command(max_retries=20, delay=5, match_stderr='CIFS server communication error: code "3221225581"')
