[Freeipa-devel] What would break if loopback addresses were allowed for IPA server?

Simo Sorce simo at redhat.com
Mon Oct 17 15:55:20 UTC 2016 

On Mon, 2016-10-17 at 09:02 +0200, Petr Spacek wrote:
> On 27.9.2016 14:31, Jan Pazdziora wrote:
> > On Wed, Sep 21, 2016 at 12:01:44PM +0200, Jan Pazdziora wrote:
> >>
> >> I've recently hit again the situation of IPA installer not happy
> >> about the provided IP address not being local to it, this time in
> >> containerized environment:
> >>
> >> 	https://bugzilla.redhat.com/show_bug.cgi?id=1377973
> >>
> >> During the discussion, we came to an interesting question:
> >>
> >> 	What would break if loopback addresses were allowed for IPA
> >> 	server?
> >>
> >> Of course, the idea is that it would only be used for installation and
> >> then IPA would change its IP address in DNS to whatever is the real IP
> >> address under which it is accessible.
> >>
> >> Where does the allow_loopback=False requirement in the installer come
> >> from and what would break if it was removed altogether?
> > 
> > I also see messages like
> > 
> > 	Adding [10.11.12.13 ipa.example.com] to your /etc/hosts file
> > 
> > in some cases. Actually, it's
> > 
> > 	10.11.12.13 ipa.example.com ipa
> > 
> > which gets added so the message is not accurate.
> > 
> > Modification of /etc/hosts itself seems unfortunate. Should the IP
> > address change in the future, there will be one more place where
> > the IP address stays hardcoded.
> > 
> > I wonder why
> > 
> > 	hosts:      files dns myhostname
> > 
> > isn't enough, and whether
> > 
> > 	hosts:      files myhostname dns
> > 
> > might actually be better order.
> 
> Theoretically yes. Practically it will break Dogtag and other components which
> are not able to cope up with link-local addresses returned from myhostname module.
> 
> 
> > When the value is not in /etc/hosts,
> > I see weird startup issues, presumably because individual components
> > time out resolving $HOSTNAME, so systemctl start ipa fails. Perhaps
> > it has something to do with named being up at that point, rather than
> > unreachable, just not resolving anything yet. Chicken and egg.
> > 
> > I wonder why we cannot add ipa.example.com to 127.0.0.1. I've tried
> > that and have seen
> > 
> > 	named-pkcs11[453]: LDAP error: Local error: SASL(-1): generic
> > 	failure: GSSAPI Error: Unspecified GSS failure.  Minor code
> > 	may provide more information (Server
> > 	ldap/localhost at EXAMPLE.TEST not found in Kerberos database):
> > 	bind to LDAP server failed
> > 
> > which suggests something derives the hostname and thus the principal
> > from the IP address used. Why is not $HOSTNAME used everywhere? What
> > part of the system cares about the IP address (and the reverse
> > resolution)?
> 
> AFAIK FQDN is used everywhere. The "localhost" name might be coming from
> Kerberos name canonicalization, which works like this:
> FQDN (name resolution) record-> IP address (IP address resolution)->new name.
> 
> You might try to add rdns=false to [libdefaults] section in /etc/krb5.conf. It
> should be default anyway, but why not try it explicitly.
> 
> Also, I would try if dns_canonicalize_hostname=false makes any difference or not.

Btw this attribute came up also elsewhere, I think we should consider
changing ipa-client-install (or SSSD) to make
dns_canonicalize_hostname=false the default in IPa installs.

Should we open a ticket for that?

Simo.

> 
> > If overloading 127.0.0.1 with the $HOSTNAME does not work, could
> > 127.0.0.2 do the trick? It seems to work for subsequent starts (did
> > not try it during ipa-server-install) in containers.
> 
> It will likely suffer with very similar problems. It if works, it works just
> accidentally and might break at any time in future.
> 
> Before we touch IP address/domain name logic, we need to agree how it should
> behave.
> 
> What is the purpose of --ip-address option?
> a) Specify IP addresses used in DNS.
> ab) What checks should be performed on it?
> b) To bind deamons only to specific IP addresses instead of all interfaces?
> 
> I have seen requests for both. We need to decide what is the intended behavior
> and design it before making further changes. The spaghetti code is too
> intertwined for making any non-systematic changes.
> 
> -- 
> Petr^2 Spacek
> 


-- 
Simo Sorce * Red Hat, Inc * New York

More information about the Freeipa-devel mailing list