[Freeipa-devel] [freeipa PR#689][opened] Sort SRV records by priority

alex-zel freeipa-github-notification at redhat.com
Tue Apr 4 07:04:25 UTC 2017


   URL: https://github.com/freeipa/freeipa/pull/689
Author: alex-zel
 Title: #689: Sort SRV records by priority
Action: opened

PR body:
"""
In some cases where multiple SRV records are present, LDAP and Kerberos records were returned in a different order, causing replication issues in a multi-master environment.

## Replication:
DNS configuration (using PfSense):
```
srv-host=_kerberos._udp.example.com,server01.example.com,88,0,1
srv-host=_kerberos._tcp.example.com,server01.example.com,88,0,1
srv-host=_kerberos-master._tcp.example.com,server01.example.com,88,0,1
srv-host=_kerberos-master._udp.example.com,server01.example.com,88,0,1
srv-host=_kpasswd._tcp.example.com,server01.example.com,88,0,1
srv-host=_kpasswd._udp.example.com,server01.example.com,88,0,1
srv-host=_ldap._tcp.example.com,server01.example.com,389,0,1
srv-host=_kerberos._udp.example.com,server02.example.com,88,0,2
srv-host=_kerberos._tcp.example.com,server02.example.com,88,0,2
srv-host=_kerberos-master._tcp.example.com,server02.example.com,88,0,2
srv-host=_kerberos-master._udp.example.com,server02.example.com,88,0,2
srv-host=_kpasswd._tcp.example.com,server02.example.com,88,0,2
srv-host=_kpasswd._udp.example.com,server02.example.com,88,0,2
srv-host=_ldap._tcp.example.com,server02.example.com,389,0,2
txt-record=_kerberos.example.com,EXAMPLE.COM
```

Client installation:
Host record is added beforehand from web UI on server01.example.com ONLY.
```
/usr/sbin/ipa-client-install --force-join --principal=bind_user --password=bind_pass --hostname=`hostname -f` --unattended
```

/var/log/ipaclient-install.log:

> 2017-04-02T10:54:09Z DEBUG [IPA Discovery]
> 2017-04-02T10:54:09Z DEBUG Starting IPA discovery with domain=None, servers=None, hostname=client01.example.com
> 2017-04-02T10:54:09Z DEBUG Start searching for LDAP SRV record in "example.com" (domain of the hostname) and its sub-domains
> 2017-04-02T10:54:09Z DEBUG Search DNS for SRV record of _ldap._tcp.example.com
> 2017-04-02T10:54:09Z DEBUG DNS record found: 0 1 389 server01.example.com.
> 2017-04-02T10:54:09Z DEBUG DNS record found: 0 2 389 server02.example.com.
> 2017-04-02T10:54:09Z DEBUG [Kerberos realm search]
> 2017-04-02T10:54:09Z DEBUG Search DNS for TXT record of _kerberos.example.com
> 2017-04-02T10:54:09Z DEBUG DNS record not found: NoAnswer
> 2017-04-02T10:54:09Z DEBUG Search DNS for SRV record of _kerberos._udp.example.com
> 2017-04-02T10:54:09Z DEBUG DNS record found: 0 2 88 server02.example.com.
> 2017-04-02T10:54:09Z DEBUG DNS record found: 0 1 88 server01.example.com.

Notice the records are not in the same order; ipa-client-install did not return any error and the client machine could see users, groups and netgroups, but users could not authenticate.
Looking at the web UI, server01.example.com shows the client is not enrolled and no Kerberos key is present, but server02.example.com shows the client is enrolled and has a key.

In cases where either server01 or server02 was returned first in IPA Discovery, the installation and replication went fine.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/689/head:pr689
git checkout pr689
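An added example (not FreeIPA code and not the patch attached to this PR) of what a consistent SRV ordering looks like, using the answer lines quoted in the log above as constructed input. Note that in those records both servers share priority 0 and differ only in weight, so ordering by priority alone still leaves a tie; the deterministic sort below therefore also breaks ties on weight (higher first, as RFC 2782 intends) and finally on target name, which makes the `_ldap._tcp` and `_kerberos._udp` lookups agree on the same master. The RFC 2782 weighted-random variant is shown for contrast: it is the behaviour a resolver may legitimately exhibit and the reason independent lookups can disagree. All function names, the `SRVRecord` type and the `MIXED_ANSWERS` set are assumptions made for this example.

```python
"""Ordering SRV answers so that every service lookup agrees on one server.

Added example; not FreeIPA's own code and not the patch from PR #689.
The answer lines are constructed to match the ones quoted in the log.
"""
import random
from collections import namedtuple

SRVRecord = namedtuple("SRVRecord", "priority weight port target")

# Constructed input in the "priority weight port target" layout used by the
# "DNS record found:" lines of ipaclient-install.log quoted above.
LDAP_ANSWERS = [
    "0 1 389 server01.example.com.",
    "0 2 389 server02.example.com.",
]
KERBEROS_ANSWERS = [
    "0 2 88 server02.example.com.",
    "0 1 88 server01.example.com.",
]
# Constructed extra set with a less-preferred host (higher priority value).
MIXED_ANSWERS = [
    "10 5 389 backup.example.com.",
    "0 1 389 server01.example.com.",
    "0 2 389 server02.example.com.",
]


def parse_srv(line):
    """Parse one 'priority weight port target' answer line."""
    priority, weight, port, target = line.split()
    # Normalise the target: drop the trailing dot, lower-case for comparison.
    return SRVRecord(int(priority), int(weight), int(port),
                     target.rstrip(".").lower())


def sort_deterministic(records):
    """Lowest priority value first (RFC 2782), higher weight first within a
    priority, target name as the final tie-break. Two lookups over the same
    data always yield the same order, so LDAP and Kerberos pick one master."""
    return sorted(records, key=lambda r: (r.priority, -r.weight, r.target))


def sort_rfc2782(records, rng=random):
    """RFC 2782 client selection: walk priorities ascending and, within one
    priority, pick records by weighted random choice. This balances load but
    lets independent lookups disagree on which server comes first."""
    ordered = []
    for priority in sorted({r.priority for r in records}):
        group = [r for r in records if r.priority == priority]
        # RFC 2782: zero-weight records are placed first in the candidate list
        # so that they are chosen only rarely.
        group.sort(key=lambda r: r.weight != 0)
        while group:
            total = sum(r.weight for r in group)
            point = rng.randint(0, total)
            running = 0
            for idx, rec in enumerate(group):
                running += rec.weight
                if running >= point:
                    ordered.append(group.pop(idx))
                    break
    return ordered


def targets_in_order(answer_lines, sorter=sort_deterministic):
    """Targets in the order the client would try them."""
    return [r.target for r in sorter([parse_srv(l) for l in answer_lines])]


def first_server(answer_lines, sorter=sort_deterministic):
    """The target the client would contact first."""
    return targets_in_order(answer_lines, sorter)[0]


if __name__ == "__main__":
    print("LDAP first:    ", first_server(LDAP_ANSWERS))
    print("Kerberos first:", first_server(KERBEROS_ANSWERS))
    print("Mixed order:   ", targets_in_order(MIXED_ANSWERS))
```

With the deterministic sort both the LDAP and the Kerberos lookup resolve to server02 first, so the host is enrolled and obtains its key on the same master; with `sort_rfc2782` the priority-0 pair can come out in either order on each call, which is exactly the split-brain enrollment described in the PR body.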
