[Freeipa-devel] [PATCH] 0077 Check direct/reverse hostname/address resolution in ipa-replica-install

Rob Crittenden rcritten at redhat.com
Thu Sep 13 20:35:19 UTC 2012


Petr Viktorin wrote:
> On 09/11/2012 11:05 PM, Rob Crittenden wrote:
>> Petr Viktorin wrote:
>>> On 09/04/2012 07:44 PM, Rob Crittenden wrote:
>>>> Petr Viktorin wrote:
>>>>>
>>>>> https://fedorahosted.org/freeipa/ticket/2845
>>>>
>>>> Shouldn't this also call verify_fqdn() on the local hostname and not
>>>> just the master? I think this would eventually fail in the conncheck
>>>> but
>>>> what if that was skipped?
>>>>
>>>> rob
>>>
>>> A few lines above there is a call to get_host_name, which will call
>>> verify_fqdn.
>>>
>>
>> I double-checked this, it fails in conncheck. Here are my steps:
>>
>> # ipa-server-install --setup-dns
>> # ipa-replica-prepare replica.example.com --ip-address=192.168.100.2
>> # ipa host-del replica.example.com
>>
>> On replica, set DNS to IPA master, with hostname in /etc/hosts.
>>
>> # ipa-replica-install ...
>>
>> The verify_fqdn() passes because the resolver uses /etc/hosts.
>>
>> The conncheck fails:
>>
>> Execute check on remote master
>> Check connection from master to remote replica 'replica.example.com':
>>
>> Remote master check failed with following error message(s):
>> Could not chdir to home directory /home/admin: No such file or directory
>> Port check failed! Unable to resolve host name 'replica.example.com'
>>
>> Connection check failed!
>> Please fix your network settings according to error messages above.
>> If the check results are not valid it can be skipped with
>> --skip-conncheck parameter.
>>
>> The DNS test happens much further after this, and I get why, I just
>> don't see how useful it is unless the --skip-conncheck is used.
>
> For the record, it's because we need to check if the host has DNS
> installed. We need an LDAP connection to check this.
>
>> ipa-replica-install ~rcrit/replica-info-replica.example.com.gpg
>> --skip-conncheck
>> Directory Manager (existing master) password:
>>
>> ipa         : ERROR    Could not resolve hostname replica.example.com
>> using DNS. Clients may not function properly. Please check your DNS
>> setup. (Note that this check queries IPA DNS directly and ignores
>> /etc/hosts.)
>> Continue? [no]:
>>
>> So I guess, what are the intentions here? It is certainly better than
>> before.
>>
>> rob
>
> If the replica is in the master's /etc/hosts, but not in DNS, the
> conncheck will succeed. This check explicitly queries IPA records only
> and ignores /etc/hosts so it'll notice this case and warn.
>

Ok, like I said, this is better than we have. Just one nit then you get 
an ack:

+        # If remote host has DNS, check forward/reverse resolution
+        try:
+            entry = conn.find_entries(u'cn=dns', 
base_dn=DN(api.env.basedn))
+        except errors.NotFound:
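Review bot: the `except errors.NotFound:` on the last visible line is the only handler around `conn.find_entries(...)`, so any other LDAP failure at this point (connection lost, search refused) would propagate out of the block and abort ipa-replica-install instead of merely skipping the forward/reverse check; if the intent is "skip the check when we cannot tell whether DNS is installed", catch the broader LDAP error class and log it, otherwise document that an LDAP error here is meant to be fatal. Seconding the nit above on the first `+` line of the try body: the hard-coded `u'cn=dns'` duplicates the DNS container name and should come from `str(constants.container_dns)` so there is one place to change it.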

u'cn=dns' should be str(constants.container_dns).

rob
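The forward/reverse check this thread is about, as an added example that is not part of the patch or of FreeIPA's own code: it speaks DNS wire format to one named server over UDP, so that, as Petr describes, /etc/hosts and the system resolver play no part, and then verifies that every A record returned for the hostname has a PTR record pointing back to it. The names udp_query, check_forward_reverse and sample_query, the constructed replica.example.com / 192.168.100.2 responses (built from the addresses in Rob's steps, not captured from a real server) and the master address handed to udp_query are all assumptions of this example.

```python
import random
import socket
import struct

A, PTR = 1, 12  # DNS record types used by the check

def encode_name(name):
    """Dotted name -> DNS wire format (length-prefixed labels)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def decode_name(msg, offset):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer into the message
            end = offset + 2 if end is None else end
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if end is not None else offset)

def parse_answers(msg, txid, qtype):
    """Return rdata of the answers of type qtype; [] when the server had none."""
    rid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    if flags & 0xF:  # non-zero rcode (NXDOMAIN, SERVFAIL, ...): nothing usable
        return []
    offset = 12
    for _ in range(qd):  # skip the echoed question(s)
        offset = decode_name(msg, offset)[1] + 4
    results = []
    for _ in range(an):
        offset = decode_name(msg, offset)[1]
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        if rtype == qtype == A:
            results.append(socket.inet_ntoa(msg[offset:offset + 4]))
        elif rtype == qtype == PTR:
            results.append(decode_name(msg, offset)[0])
        offset += rdlen
    return results

def udp_query(server, name, qtype, timeout=3.0):
    """Ask one specific DNS server; /etc/hosts and resolv.conf play no part."""
    txid = random.randrange(0, 65536)
    query = (struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set
             + encode_name(name) + struct.pack("!HH", qtype, 1))
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        data = sock.recv(4096)
    return parse_answers(data, txid, qtype)

def check_forward_reverse(hostname, query):
    """Return a list of problems (empty means consistent). query(name, qtype)
    returns answer rdata, e.g. lambda n, t: udp_query(master_ip, n, t)."""
    host = hostname.rstrip(".").lower()
    addrs = query(host, A)
    if not addrs:
        return ["Could not resolve hostname %s using DNS" % host]
    problems = []
    for ip in addrs:
        ptr = ".".join(reversed(ip.split("."))) + ".in-addr.arpa"
        names = [n.rstrip(".").lower() for n in query(ptr, PTR)]
        if not names:
            problems.append("No reverse (PTR) record for %s" % ip)
        elif host not in names:
            problems.append("Reverse lookup of %s gives %s, expected %s"
                            % (ip, ", ".join(names), host))
    return problems

def _response(txid, qname, qtype, rdatas):
    """Build a constructed (not captured) response so the check runs offline."""
    msg = struct.pack("!HHHHHH", txid, 0x8180, 1, len(rdatas), 0, 0)
    msg += encode_name(qname) + struct.pack("!HH", qtype, 1)
    for rdata in rdatas:  # 0xC00C points back at the question name
        msg += b"\xc0\x0c" + struct.pack("!HHIH", qtype, 1, 60, len(rdata)) + rdata
    return msg

_SAMPLES = {  # (name, qtype) -> constructed response, all with txid 0x1234
    ("replica.example.com", A): _response(
        0x1234, "replica.example.com", A, [bytes([192, 168, 100, 2])]),
    ("2.100.168.192.in-addr.arpa", PTR): _response(
        0x1234, "2.100.168.192.in-addr.arpa", PTR,
        [encode_name("replica.example.com")]),
}

def sample_query(name, qtype):
    """Stand-in for udp_query that answers only from the samples above."""
    msg = _SAMPLES.get((name, qtype))
    return parse_answers(msg, 0x1234, qtype) if msg else []
```

Against a real master the call is check_forward_reverse(host, lambda n, t: udp_query(master_ip, n, t)); the result is a list of messages in the spirit of the patch's "Could not resolve hostname ... using DNS" warning and is empty when both directions agree. The transaction id is checked so a stray or spoofed reply is not mistaken for the answer. Only A/PTR over IPv4 UDP is handled here; AAAA records and truncated responses needing TCP fallback are out of scope.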
