[Freeipa-users] ubuntu dns discovery

Petr Spacek pspacek at redhat.com
Mon May 25 11:30:05 UTC 2015


On 22.5.2015 22:00, Johnny Tan wrote:
> On Fri, May 22, 2015 at 3:14 PM, Martin Basti <mbasti at redhat.com> wrote:
> 
>>  On 22/05/15 18:05, Johnny Tan wrote:
>>
>> Our servers run CentOS-6.6 and ipa-server-3.0.0-42.el6.centos.x86_64
>>
>>  Our CentOS clients (also 6.6) join the domain seamlessly.
>>
>>  Our Ubuntu 14.04 LTS clients, however, don't seem to be able to
>> auto-discover domain, realm, or IPA servers:
>>  ```
>> dpkg -l | grep freeipa
>> ii  freeipa-client                      3.3.4-0ubuntu3.1
>>         amd64        FreeIPA centralized identity framework -- client
>>
>>  /usr/sbin/ipa-client-install --mkhomedir --no-ntp --no-sudo --unattended
>> --hostname testing-ubuntu001.pp --principal admin --password xx --debug
>>  /usr/sbin/ipa-client-install was invoked with options: {'domain': None,
>> 'force': False, 'krb5_offline_passwords': True, 'primary': False,
>> 'realm_name': None, 'force_ntpd': False, 'create_sshfp': True, 'conf_sshd':
>> True, 'conf_ntp': False, 'on_master': False, 'ntp_server': None,
>> 'ca_cert_file': None, 'principal': 'admin', 'keytab': None, 'hostname':
>> 'testing-ubuntu001.pp', 'no_ac': False, 'unattended': True, 'sssd': True,
>> 'trust_sshfp': False, 'dns_updates': False, 'mkhomedir': True, 'conf_ssh':
>> True, 'force_join': False, 'server': None, 'prompt_password': False,
>> 'permit': False, 'debug': True, 'preserve_sssd': False, 'uninstall': False}
>> missing options might be asked for interactively later
>> Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
>> Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
>> [IPA Discovery]
>> Starting IPA discovery with domain=None, servers=None,
>> hostname=testing-ubuntu001.pp
>> Start searching for LDAP SRV record in "pp" (domain of the hostname) and
>> its sub-domains
>> Search DNS for SRV record of _ldap._tcp.pp
>> DNS record not found: EmptyLabel
>> Start searching for LDAP SRV record in ".pp" (search domain from
>> /etc/resolv.conf) and its sub-domains
>> Search DNS for SRV record of _ldap._tcp..pp
>> DNS record not found: EmptyLabel
>> Already searched pp; skipping
>> No LDAP server found
>> No LDAP server found
>> Unable to discover domain, not provided on command line
>> Installation failed. Rolling back changes.
>> IPA client is not configured on this system.
>>  ```
>>
>>  Yet on the same client:
>> ```
>>  root@testing-ubuntu001:~# dig srv _ldap._tcp.pp +short
>> 0 100 389 production-ipa003.pp.
>> 0 100 389 production-ipa001.pp.
>> 0 100 389 production-ipa002.pp.
>>  ```
>>
>>  Why can't ipa-client-install discover those SRV records?
>>
>>  johnny
>>
>>
>>  Hello,
>>
>> this is weird, "DNS record not found: EmptyLabel"; python-dns returns this
>> error when an empty label is used in a domain name.
>>
>> And here is the empty label -> _ldap._tcp..pp  (two dots).
>>
>> But that doubled dot is not on the line above and the error is the same,
>> interesting.
>>
> 
> Aha! It seems our configuration management system is populating `search` in
> /etc/resolv.conf with ".pp" rather than "pp". If I manually change that, it
> now works! Thank you.

Martin, do you see in code why it did not work before? We should fix that
(assuming that we are able to find the root cause :-).

-- 
Petr^2 Spacek
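
The check below is an added example, not part of the original thread and not FreeIPA code: it lints the `search`/`domain` entries of a resolv.conf for empty DNS labels such as the `.pp` value found above, so configuration management can catch them before `ipa-client-install` runs. The function names and the sample file contents are constructed for illustration; the `_ldap._tcp.` prefix and the way it is joined to the domain are taken from the debug log in the thread.

```python
# Added example: lint resolv.conf search domains for empty DNS labels.
SRV_PREFIX = "_ldap._tcp."  # prefix seen in the ipa-client-install debug log


def search_domains(resolv_conf_text):
    """Return the effective search list; the last search/domain line wins."""
    domains = []
    for raw in resolv_conf_text.splitlines():
        if raw.lstrip().startswith(("#", ";")):
            continue  # comment line
        fields = raw.split()
        if len(fields) >= 2 and fields[0] == "search":
            domains = fields[1:]
        elif len(fields) >= 2 and fields[0] == "domain":
            domains = fields[1:2]  # "domain" takes a single name
    return domains


def has_empty_label(name):
    """True if any label is empty, ignoring one trailing root dot."""
    body = name[:-1] if name.endswith(".") else name
    return any(label == "" for label in body.split("."))


def lint(resolv_conf_text):
    """Return (search_domain, srv_name) pairs whose SRV name has an empty label."""
    findings = []
    for domain in search_domains(resolv_conf_text):
        srv_name = SRV_PREFIX + domain  # joined the way the log shows it
        if has_empty_label(srv_name):
            findings.append((domain, srv_name))
    return findings


# Constructed sample files: the broken value from the thread and its fix.
BROKEN = "# managed by configuration management\nnameserver 192.0.2.53\nsearch .pp\n"
FIXED = "nameserver 192.0.2.53\nsearch pp\n"

if __name__ == "__main__":
    for label, text in (("broken", BROKEN), ("fixed", FIXED)):
        problems = lint(text)
        if not problems:
            print(f"{label}: search list is clean")
        for domain, srv_name in problems:
            print(f"{label}: search domain {domain!r} yields {srv_name!r} (empty label)")
```
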



