[Freeipa-devel] [PATCH] 0077 Check direct/reverse hostname/address resolution in ipa-replica-install

Martin Kosek mkosek at redhat.com
Fri Sep 14 06:46:36 UTC 2012


On 09/13/2012 10:35 PM, Rob Crittenden wrote:
> Petr Viktorin wrote:
>> On 09/11/2012 11:05 PM, Rob Crittenden wrote:
>>> Petr Viktorin wrote:
>>>> On 09/04/2012 07:44 PM, Rob Crittenden wrote:
>>>>> Petr Viktorin wrote:
>>>>>>
>>>>>> https://fedorahosted.org/freeipa/ticket/2845
>>>>>
>>>>> Shouldn't this also call verify_fqdn() on the local hostname and not
>>>>> just the master? I think this would eventually fail in the conncheck
>>>>> but
>>>>> what if that was skipped?
>>>>>
>>>>> rob
>>>>
>>>> A few lines above there is a call to get_host_name, which will call
>>>> verify_fqdn.
>>>>
>>>
>>> I double-checked this, it fails in conncheck. Here are my steps:
>>>
>>> # ipa-server-install --setup-dns
>>> # ipa-replica-prepare replica.example.com --ip-address=192.168.100.2
>>> # ipa host-del replica.example.com
>>>
>>> On replica, set DNS to IPA master, with hostname in /etc/hosts.
>>>
>>> # ipa-replica-install ...
>>>
>>> The verify_fqdn() passes because the resolver uses /etc/hosts.
>>>
>>> The conncheck fails:
>>>
>>> Execute check on remote master
>>> Check connection from master to remote replica 'replica.example.com':
>>>
>>> Remote master check failed with following error message(s):
>>> Could not chdir to home directory /home/admin: No such file or directory
>>> Port check failed! Unable to resolve host name 'replica.example.com'
>>>
>>> Connection check failed!
>>> Please fix your network settings according to error messages above.
>>> If the check results are not valid it can be skipped with
>>> --skip-conncheck parameter.
>>>
>>> The DNS test happens much further after this, and I get why, I just
>>> don't see how useful it is unless the --skip-conncheck is used.
>>
>> For the record, it's because we need to check if the host has DNS
>> installed. We need a LDAP connection to check this.
>>
>>> ipa-replica-install ~rcrit/replica-info-replica.example.com.gpg
>>> --skip-conncheck
>>> Directory Manager (existing master) password:
>>>
>>> ipa         : ERROR    Could not resolve hostname replica.example.com
>>> using DNS. Clients may not function properly. Please check your DNS
>>> setup. (Note that this check queries IPA DNS directly and ignores
>>> /etc/hosts.)
>>> Continue? [no]:
>>>
>>> So I guess, what are the intentions here? It is certainly better than
>>> before.
>>>
>>> rob
>>
>> If the replica is in the master's /etc/hosts, but not in DNS, the
>> conncheck will succeed. This check explicitly queries IPA records only
>> and ignores /etc/hosts so it'll notice this case and warn.
>>
> 
> Ok, like I said, this is better than we have. Just one nit then you get an ack:
> 
> +        # If remote host has DNS, check forward/reverse resolution
> +        try:
> +            entry = conn.find_entries(u'cn=dns', base_dn=DN(api.env.basedn))
> +        except errors.NotFound:
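Review bot: the filter `u'cn=dns'` passed to `find_entries` is a bare literal and the search is rooted at `DN(api.env.basedn)`, so it scans the whole tree for a single config entry; use the DNS container constant or the existing `'(&(objectClass=ipaConfigObject)(cn=DNS))'` filter from `dns.py::get_dns_masters()`, and narrow `base_dn` to the `cn=masters,cn=ipa,cn=etc` subtree. It is also worth a comment on the `except errors.NotFound:` branch stating that a missing entry means "remote master has no DNS" and the forward/reverse check is skipped rather than failing the install, since that is the condition the preceding comment describes.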
> 
> u'cn=dns' should be str(constants.container_dns).
> 
> rob

This is a search filter; Petr could use the one I already have in the
"dns.py::get_dns_masters()" function:
'(&(objectClass=ipaConfigObject)(cn=DNS))'

For performance's sake, I would also not search the entire tree, but limit the
search only to:

DN(('cn', 'masters'), ('cn', 'ipa'), ('cn', 'etc'), api.env.basedn)

Martin