[Freeipa-devel] [PATCH] 0077 Check direct/reverse hostname/address resolution in ipa-replica-install

Petr Viktorin pviktori at redhat.com
Tue Sep 18 11:17:06 UTC 2012


On 09/17/2012 08:10 PM, Rob Crittenden wrote:
> Petr Viktorin wrote:
>> On 09/14/2012 08:46 AM, Martin Kosek wrote:
>>> On 09/13/2012 10:35 PM, Rob Crittenden wrote:
>>>> Petr Viktorin wrote:
>>>>> On 09/11/2012 11:05 PM, Rob Crittenden wrote:
>>>>>> Petr Viktorin wrote:
>>>>>>> On 09/04/2012 07:44 PM, Rob Crittenden wrote:
>>>>>>>> Petr Viktorin wrote:
>>>>>>>>>
>>>>>>>>> https://fedorahosted.org/freeipa/ticket/2845
>>>>>>>>
>>>>>>>> Shouldn't this also call verify_fqdn() on the local hostname and
>>>>>>>> not just the master? I think this would eventually fail in the
>>>>>>>> conncheck but what if that was skipped?
>>>>>>>>
>>>>>>>> rob
>>>>>>>
>>>>>>> A few lines above there is a call to get_host_name, which will call
>>>>>>> verify_fqdn.
>>>>>>>
>>>>>>
>>>>>> I double-checked this, it fails in conncheck. Here are my steps:
>>>>>>
>>>>>> # ipa-server-install --setup-dns
>>>>>> # ipa-replica-prepare replica.example.com --ip-address=192.168.100.2
>>>>>> # ipa host-del replica.example.com
>>>>>>
>>>>>> On replica, set DNS to IPA master, with hostname in /etc/hosts.
>>>>>>
>>>>>> # ipa-replica-install ...
>>>>>>
>>>>>> The verify_fqdn() passes because the resolver uses /etc/hosts.
>>>>>>
>>>>>> The conncheck fails:
>>>>>>
>>>>>> Execute check on remote master
>>>>>> Check connection from master to remote replica 'replica.example.com':
>>>>>>
>>>>>> Remote master check failed with following error message(s):
>>>>>> Could not chdir to home directory /home/admin: No such file or
>>>>>> directory
>>>>>> Port check failed! Unable to resolve host name 'replica.example.com'
>>>>>>
>>>>>> Connection check failed!
>>>>>> Please fix your network settings according to error messages above.
>>>>>> If the check results are not valid it can be skipped with
>>>>>> --skip-conncheck parameter.
>>>>>>
>>>>>> The DNS test happens much further after this, and I get why, I just
>>>>>> don't see how useful it is unless the --skip-conncheck is used.
>>>>>
>>>>> For the record, it's because we need to check if the host has DNS
>>>>> installed. We need a LDAP connection to check this.
>>>>>
>>>>>> ipa-replica-install ~rcrit/replica-info-replica.example.com.gpg
>>>>>> --skip-conncheck
>>>>>> Directory Manager (existing master) password:
>>>>>>
>>>>>> ipa         : ERROR    Could not resolve hostname replica.example.com
>>>>>> using DNS. Clients may not function properly. Please check your DNS
>>>>>> setup. (Note that this check queries IPA DNS directly and ignores
>>>>>> /etc/hosts.)
>>>>>> Continue? [no]:
>>>>>>
>>>>>> So I guess, what are the intentions here? It is certainly better than
>>>>>> before.
>>>>>>
>>>>>> rob
>>>>>
>>>>> If the replica is in the master's /etc/hosts, but not in DNS, the
>>>>> conncheck will succeed. This check explicitly queries IPA records only
>>>>> and ignores /etc/hosts so it'll notice this case and warn.
>>>>>
>>>>
>>>> Ok, like I said, this is better than we have. Just one nit then you
>>>> get an ack:
>>>>
>>>> +        # If remote host has DNS, check forward/reverse resolution
>>>> +        try:
>>>> +            entry = conn.find_entries(u'cn=dns',
>>>> base_dn=DN(api.env.basedn))
>>>> +        except errors.NotFound:
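Review bot: the search `conn.find_entries(u'cn=dns', base_dn=DN(api.env.basedn))` is too loose a test for "the remote master runs DNS": a bare `cn=dns` filter is evaluated over the whole tree, so any entry named dns anywhere under the base DN satisfies it, and the only outcome the code distinguishes is `errors.NotFound`. Restrict the search to the masters container and match the DNS config object, i.e. the filter `'(&(objectClass=ipaConfigObject)(cn=DNS))'` with `base_dn=DN(('cn', 'masters'), ('cn', 'ipa'), ('cn', 'etc'), api.env.basedn)`, as suggested further down in this thread; that is both cheaper and an unambiguous answer. (The `base_dn=...` line without a leading `+` is the mailer wrapping the previous line, not a context line.)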
>>>>
>>>> u'cn=dns' should be str(constants.container_dns).
>>>>
>>>> rob
>>>
>>> This is a search filter, Petr could use the one I already have in
>>> "dns.py::get_dns_masters()" function:
>>> '(&(objectClass=ipaConfigObject)(cn=DNS))'
>>>
>>> For performance's sake, I would also not search in the entire tree, but
>>> limit the search only to:
>>>
>>> DN(('cn', 'masters'), ('cn', 'ipa'), ('cn', 'etc'), api.env.basedn)
>>>
>>> Martin
>>>
>>
>> Attaching updated patch with Martin's suggestions.
>
> I think what Martin had in mind was:
>
> if api.Object.dnsrecord.get_dns_masters():
>      ...
>

I didn't want to do this because api.Object.* use our global ldap2 
Backend, which is hardwired to query localhost.
I see now that I can hack around this, and we already do this in 
ipa-replica-install.
I've extracted the hack and reused it to get the DNS masters.


-- 
Petr³
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pviktori-0077-03-Check-direct-reverse-hostname-address-resolution-in-.patch
Type: text/x-patch
Size: 9996 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20120918/5a6b4bb3/attachment.bin>
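The forward/reverse resolution check this thread is about, written out as an added example. It is not the attached patch (which the archive scrubbed) and not FreeIPA code; the lookup tables and the `system_forward`, `ipa_forward` and `ipa_reverse` resolver functions are constructed stand-ins for two resolvers: the system resolver, which consults /etc/hosts first (this is why `verify_fqdn()` passed in Rob's reproduction), and a resolver that queries the IPA DNS server directly and therefore ignores /etc/hosts.

```python
# Constructed data modelling Rob's reproduction: the replica's name is in
# /etc/hosts, but its A record was deleted from IPA DNS (ipa host-del) and
# no PTR record exists for it.  All values here are assumptions for the
# example, not records from any real deployment.
HOSTS_FILE = {"replica.example.com": ["192.168.100.2"]}
IPA_DNS_A = {"master.example.com": ["192.168.100.1"]}
IPA_DNS_PTR = {"192.168.100.1": ["master.example.com"]}


def _norm(name):
    """Canonicalise a host name the way a resolver compares it."""
    return name.rstrip(".").lower()


def system_forward(name):
    """Stand-in for the system resolver: /etc/hosts wins over DNS."""
    name = _norm(name)
    return list(HOSTS_FILE.get(name) or IPA_DNS_A.get(name, []))


def ipa_forward(name):
    """Stand-in for a query sent straight to the IPA DNS server."""
    return list(IPA_DNS_A.get(_norm(name), []))


def ipa_reverse(ip):
    """Stand-in for a PTR query sent straight to the IPA DNS server."""
    return list(IPA_DNS_PTR.get(ip, []))


def check_resolution(hostname, expected_ip, forward, reverse):
    """Check that hostname -> expected_ip and expected_ip -> hostname.

    forward(name) returns the list of addresses for name; reverse(ip)
    returns the list of names for ip.  Returns a list of human-readable
    problems; an empty list means both directions are consistent.
    """
    hostname = _norm(hostname)
    problems = []

    addrs = forward(hostname)
    if not addrs:
        problems.append("Could not resolve hostname %s" % hostname)
    elif expected_ip not in addrs:
        problems.append("%s resolves to %s, expected %s"
                        % (hostname, ", ".join(addrs), expected_ip))

    names = [_norm(n) for n in reverse(expected_ip)]
    if not names:
        problems.append("No reverse (PTR) record for %s" % expected_ip)
    elif hostname not in names:
        problems.append("%s reverse-resolves to %s, not %s"
                        % (expected_ip, ", ".join(names), hostname))
    return problems


def compare_resolvers(hostname, expected_ip):
    """Run the check through both resolvers so the masking effect of
    /etc/hosts is visible side by side."""
    return {
        "system_resolver": check_resolution(hostname, expected_ip,
                                            system_forward, ipa_reverse),
        "ipa_dns_direct": check_resolution(hostname, expected_ip,
                                           ipa_forward, ipa_reverse),
    }


if __name__ == "__main__":
    for resolver, problems in compare_resolvers("replica.example.com",
                                                "192.168.100.2").items():
        print("%s: %s" % (resolver, "OK" if not problems else problems))
```

With the system resolver the forward lookup succeeds because of /etc/hosts and only the missing PTR record is reported; querying the IPA server directly also catches the missing A record, which is what the conncheck later trips over. In a real check the `forward`/`reverse` arguments would be functions that send queries to the IPA name server itself (for example with dnspython's `dns.resolver.Resolver`, pointing `nameservers` at the master) rather than `socket.gethostbyname`, since the latter goes through /etc/hosts.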
