[Freeipa-devel] [PATCH] 0077 Check direct/reverse hostname/address resolution in ipa-replica-install

Petr Viktorin pviktori at redhat.com
Wed Sep 12 16:01:49 UTC 2012


On 09/11/2012 11:05 PM, Rob Crittenden wrote:
> Petr Viktorin wrote:
>> On 09/04/2012 07:44 PM, Rob Crittenden wrote:
>>> Petr Viktorin wrote:
>>>>
>>>> https://fedorahosted.org/freeipa/ticket/2845
>>>
>>> Shouldn't this also call verify_fqdn() on the local hostname and not
>>> just the master? I think this would eventually fail in the conncheck but
>>> what if that was skipped?
>>>
>>> rob
>>
>> A few lines above there is a call to get_host_name, which will call
>> verify_fqdn.
>>
>
> I double-checked this, it fails in conncheck. Here are my steps:
>
> # ipa-server-install --setup-dns
> # ipa-replica-prepare replica.example.com --ip-address=192.168.100.2
> # ipa host-del replica.example.com
>
> On replica, set DNS to IPA master, with hostname in /etc/hosts.
>
> # ipa-replica-install ...
>
> The verify_fqdn() passes because the resolver uses /etc/hosts.
>
> The conncheck fails:
>
> Execute check on remote master
> Check connection from master to remote replica 'replica.example.com':
>
> Remote master check failed with following error message(s):
> Could not chdir to home directory /home/admin: No such file or directory
> Port check failed! Unable to resolve host name 'replica.example.com'
>
> Connection check failed!
> Please fix your network settings according to error messages above.
> If the check results are not valid it can be skipped with
> --skip-conncheck parameter.
>
> The DNS test happens much further after this, and I get why, I just
> don't see how useful it is unless the --skip-conncheck is used.

For the record, it's because we need to check if the host has DNS 
installed. We need an LDAP connection to check this.

> ipa-replica-install ~rcrit/replica-info-replica.example.com.gpg
> --skip-conncheck
> Directory Manager (existing master) password:
>
> ipa         : ERROR    Could not resolve hostname replica.example.com
> using DNS. Clients may not function properly. Please check your DNS
> setup. (Note that this check queries IPA DNS directly and ignores
> /etc/hosts.)
> Continue? [no]:
>
> So I guess, what are the intentions here? It is certainly better than
> before.
>
> rob

If the replica is in the master's /etc/hosts, but not in DNS, the 
conncheck will succeed. This check explicitly queries IPA records only 
and ignores /etc/hosts so it'll notice this case and warn.

-- 
Petr³
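The failure mode discussed above, as an added example that is not code from this thread or from FreeIPA: the system resolver (`verify_fqdn()`, `gethostbyname()`) is satisfied by an /etc/hosts entry, whereas a check that sends A and PTR queries straight to the IPA DNS server over UDP never consults nsswitch or /etc/hosts and so notices when the replica's records are missing or disagree. Function names, the wire-format helpers and the sample zone are this example's own; `master.example.com` and the 192.168.100.1 address are invented, the thread only names replica.example.com at 192.168.100.2.

```python
import socket
import struct

TYPE_A, TYPE_PTR, CLASS_IN = 1, 12, 1           # DNS RR types / class used below

def encode_name(name):
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return out + b"\x00"                         # dotted name -> wire-format labels

def decode_name(msg, offset):
    """Decode a possibly compressed name at msg[offset]; return (name, end_offset)."""
    labels, end = [], None
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                # compression pointer: jump, remember end
            end = end or offset + 2
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
        elif length == 0:
            return ".".join(labels), end or offset + 1
        else:
            labels.append(msg[offset + 1:offset + 1 + length].decode("ascii"))
            offset += 1 + length

def build_query(name, qtype, txid=0x1234):
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD=1, one question
    return header + encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)

def parse_answers(msg, qtype):
    """Return A addresses or PTR names from a reply; [] on an error RCODE or no data."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0x000F:                           # RCODE != 0, e.g. NXDOMAIN
        return []
    offset, results = 12, []
    for _ in range(qd):                          # skip the question section
        offset = decode_name(msg, offset)[1] + 4
    for _ in range(an):
        offset = decode_name(msg, offset)[1]
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        if rtype == qtype == TYPE_A:
            results.append(socket.inet_ntoa(msg[offset:offset + 4]))
        elif rtype == qtype == TYPE_PTR:
            results.append(decode_name(msg, offset)[0])
        offset += rdlen
    return results

def udp_query(nameserver, name, qtype, timeout=3.0):
    """Ask `nameserver` directly: this path never consults nsswitch or /etc/hosts."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, qtype), (nameserver, 53))
        return sock.recvfrom(4096)[0]

def reverse_name(ipv4):
    return ".".join(reversed(ipv4.split("."))) + ".in-addr.arpa"

def check_dns_only(hostname, expected_ip, nameserver, query=udp_query):
    """Forward and reverse lookup against one server; returns a list of problems."""
    problems = []
    addrs = parse_answers(query(nameserver, hostname, TYPE_A), TYPE_A)
    if not addrs:
        problems.append("%s: no A record on %s" % (hostname, nameserver))
    elif expected_ip not in addrs:
        problems.append("%s resolves to %s, expected %s" % (hostname, addrs, expected_ip))
    names = parse_answers(query(nameserver, reverse_name(expected_ip), TYPE_PTR), TYPE_PTR)
    if not names:
        problems.append("%s: no PTR record on %s" % (expected_ip, nameserver))
    elif hostname.rstrip(".").lower() not in [n.lower() for n in names]:
        problems.append("%s reverse-resolves to %s, not %s" % (expected_ip, names, hostname))
    return problems

def system_resolver(hostname):
    """The contrast: gethostbyname() goes through nsswitch, so an /etc/hosts entry satisfies it."""
    try:
        return socket.gethostbyname(hostname)
    except socket.gaierror:
        return None

# --- constructed sample data, so the check can be exercised offline ---------
def build_response(query, rdatas, rtype, rcode=0):
    """Reply to `query`: echo its question, point each answer name at it (0xC00C)."""
    qend = query.index(b"\x00", 12) + 1 + 4
    header = query[:2] + struct.pack("!HHHHH", 0x8180 | rcode, 1, len(rdatas), 0, 0)
    answers = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", rtype, CLASS_IN, 300, len(r)) + r
                       for r in rdatas)
    return header + query[12:qend] + answers

# The thread's scenario with invented names/addresses: the master is in DNS, the
# replica's host entry was deleted (host-del) and now exists only in /etc/hosts.
SAMPLE_ZONE = {
    (TYPE_A, "master.example.com"): [socket.inet_aton("192.168.100.1")],
    (TYPE_PTR, "1.100.168.192.in-addr.arpa"): [encode_name("master.example.com")],
}

def sample_query(nameserver, name, qtype):
    """Drop-in for udp_query that answers from SAMPLE_ZONE, NXDOMAIN for anything else."""
    q = build_query(name, qtype)
    rdatas = SAMPLE_ZONE.get((qtype, name.rstrip(".").lower()))
    return build_response(q, rdatas, qtype) if rdatas else build_response(q, [], qtype, rcode=3)
```

Against the sample zone, `check_dns_only("replica.example.com", "192.168.100.2", "192.168.100.1", query=sample_query)` reports a missing A and a missing PTR record, which is exactly what `system_resolver("replica.example.com")` would hide on a host whose /etc/hosts carries that name; on a live replica, drop the `query=` argument to send the same questions to the master's IPA DNS.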
