[Freeipa-devel] [PATCH] 0077 Check direct/reverse hostname/address resolution in ipa-replica-install

Rob Crittenden rcritten at redhat.com
Wed Sep 19 14:56:22 UTC 2012


Petr Viktorin wrote:
> On 09/17/2012 08:10 PM, Rob Crittenden wrote:
>> Petr Viktorin wrote:
>>> On 09/14/2012 08:46 AM, Martin Kosek wrote:
>>>> On 09/13/2012 10:35 PM, Rob Crittenden wrote:
>>>>> Petr Viktorin wrote:
>>>>>> On 09/11/2012 11:05 PM, Rob Crittenden wrote:
>>>>>>> Petr Viktorin wrote:
>>>>>>>> On 09/04/2012 07:44 PM, Rob Crittenden wrote:
>>>>>>>>> Petr Viktorin wrote:
>>>>>>>>>>
>>>>>>>>>> https://fedorahosted.org/freeipa/ticket/2845
>>>>>>>>>
>>>>>>>>> Shouldn't this also call verify_fqdn() on the local hostname and
>>>>>>>>> not
>>>>>>>>> just the master? I think this would eventually fail in the
>>>>>>>>> conncheck
>>>>>>>>> but
>>>>>>>>> what if that was skipped?
>>>>>>>>>
>>>>>>>>> rob
>>>>>>>>
>>>>>>>> A few lines above there is a call to get_host_name, which will call
>>>>>>>> verify_fqdn.
>>>>>>>>
>>>>>>>
>>>>>>> I double-checked this, it fails in conncheck. Here are my steps:
>>>>>>>
>>>>>>> # ipa-server-install --setup-dns
>>>>>>> # ipa-replica-prepare replica.example.com --ip-address=192.168.100.2
>>>>>>> # ipa host-del replica.example.com
>>>>>>>
>>>>>>> On replica, set DNS to IPA master, with hostname in /etc/hosts.
>>>>>>>
>>>>>>> # ipa-replica-install ...
>>>>>>>
>>>>>>> The verify_fqdn() passes because the resolver uses /etc/hosts.
>>>>>>>
>>>>>>> The conncheck fails:
>>>>>>>
>>>>>>> Execute check on remote master
>>>>>>> Check connection from master to remote replica
>>>>>>> 'replica.example.com':
>>>>>>>
>>>>>>> Remote master check failed with following error message(s):
>>>>>>> Could not chdir to home directory /home/admin: No such file or
>>>>>>> directory
>>>>>>> Port check failed! Unable to resolve host name 'replica.example.com'
>>>>>>>
>>>>>>> Connection check failed!
>>>>>>> Please fix your network settings according to error messages above.
>>>>>>> If the check results are not valid it can be skipped with
>>>>>>> --skip-conncheck parameter.
>>>>>>>
>>>>>>> The DNS test happens much further after this, and I get why, I just
>>>>>>> don't see how useful it is unless the --skip-conncheck is used.
>>>>>>
>>>>>> For the record, it's because we need to check if the host has DNS
>>>>>> installed. We need a LDAP connection to check this.
>>>>>>
>>>>>>> ipa-replica-install ~rcrit/replica-info-replica.example.com.gpg
>>>>>>> --skip-conncheck
>>>>>>> Directory Manager (existing master) password:
>>>>>>>
>>>>>>> ipa         : ERROR    Could not resolve hostname
>>>>>>> replica.example.com
>>>>>>> using DNS. Clients may not function properly. Please check your DNS
>>>>>>> setup. (Note that this check queries IPA DNS directly and ignores
>>>>>>> /etc/hosts.)
>>>>>>> Continue? [no]:
>>>>>>>
>>>>>>> So I guess, what are the intentions here? It is certainly better
>>>>>>> than
>>>>>>> before.
>>>>>>>
>>>>>>> rob
>>>>>>
>>>>>> If the replica is in the master's /etc/hosts, but not in DNS, the
>>>>>> conncheck will succeed. This check explicitly queries IPA records
>>>>>> only
>>>>>> and ignores /etc/hosts so it'll notice this case and warn.
>>>>>>
>>>>>
>>>>> Ok, like I said, this is better than we have. Just one nit then you
>>>>> get an ack:
>>>>>
>>>>> +        # If remote host has DNS, check forward/reverse resolution
>>>>> +        try:
>>>>> +            entry = conn.find_entries(u'cn=dns',
>>>>> base_dn=DN(api.env.basedn))
>>>>> +        except errors.NotFound:
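Review bot: the first positional argument to conn.find_entries in this hunk is an LDAP search filter, not a DN, so u'cn=dns' matches any entry whose cn is dns anywhere under api.env.basedn, and replacing it with str(constants.container_dns) would pass a DN where a filter is expected. Use the filter that dns.py::get_dns_masters() already uses, '(&(objectClass=ipaConfigObject)(cn=DNS))', and narrow base_dn to DN(('cn', 'masters'), ('cn', 'ipa'), ('cn', 'etc'), api.env.basedn) so the presence check does not run a subtree search over the whole suffix.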
>>>>>
>>>>> u'cn=dns' should be str(constants.container_dns).
>>>>>
>>>>> rob
>>>>
>>>> This is a search filter, Petr could use the one I already have in
>>>> "dns.py::get_dns_masters()" function:
>>>> '(&(objectClass=ipaConfigObject)(cn=DNS))'
>>>>
>>>> For performance sake, I would also not search in the entire tree, but
>>>> limit the
>>>> search only to:
>>>>
>>>> DN(('cn', 'masters'), ('cn', 'ipa'), ('cn', 'etc'), api.env.basedn)
>>>>
>>>> Martin
>>>>
>>>
>>> Attaching updated patch with Martin's suggestions.
>>
>> I think what Martin had in mind was:
>>
>> if api.Object.dnsrecord.get_dns_masters():
>>      ...
>>
>
> I didn't want to do this because api.Object.* use our global ldap2
> Backend, which is hardwired to query localhost.
> I see now that I can hack around this, and we already do this in
> ipa-replica-install.
> I've extracted the hack and reused it to get the DNS masters.
>
>

I can't say I'm crazy about the method name you've chosen...

rob
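The check discussed above queries DNS directly for the replica's forward and reverse records and deliberately ignores /etc/hosts, which is why it catches the case the conncheck misses. The following is an added example of that logic, not FreeIPA's own code: the DNS lookup is injected as a callable so the check runs offline against a constructed zone; in a real deployment that callable would send its queries to the IPA master's DNS server (for example a dnspython Resolver whose nameservers list holds only the master's address). The function names, the sample records and the hosts master/replica/badptr.example.com are all assumptions made for the example.

```python
"""Forward/reverse DNS consistency check for a replica hostname.

Added example, not FreeIPA's own code.  It models the check described in
the thread: resolve the replica's name and its addresses through DNS only
(never /etc/hosts) and require that forward and reverse records agree.
"""
import ipaddress
from typing import Callable, Dict, List, Tuple

# A lookup function: (qname, rtype) -> list of rdata strings.  In production
# this would query the IPA master's DNS server directly; here it is injected
# so the check can be exercised against constructed data.
Resolver = Callable[[str, str], List[str]]


def reverse_name(address: str) -> str:
    """Return the in-addr.arpa / ip6.arpa owner name for an IP address."""
    return ipaddress.ip_address(address).reverse_pointer + "."


def check_host_dns(hostname: str, resolve: Resolver) -> Tuple[bool, List[str]]:
    """Check forward and reverse resolution of hostname via `resolve`.

    Returns (ok, problems).  ok is True only if the name has at least one
    A/AAAA record and every address has a PTR record pointing back at it.
    """
    fqdn = hostname.rstrip(".").lower() + "."
    problems: List[str] = []
    addresses = resolve(fqdn, "A") + resolve(fqdn, "AAAA")
    if not addresses:
        # The case from the thread: name present in /etc/hosts but absent
        # from IPA DNS.  Because `resolve` never reads /etc/hosts, we notice.
        problems.append(f"Could not resolve hostname {hostname} using DNS")
        return False, problems
    for addr in addresses:
        ptrs = [p.lower() for p in resolve(reverse_name(addr), "PTR")]
        if not ptrs:
            problems.append(f"No reverse (PTR) record for {addr}")
        elif fqdn not in ptrs:
            problems.append(
                f"Reverse record for {addr} is {', '.join(ptrs)}, not {fqdn}")
    return not problems, problems


# Constructed sample zone (hypothetical hosts, not real data).  It mirrors
# the scenario in the thread: master.example.com is consistent,
# replica.example.com was removed with `ipa host-del` and so has no DNS
# records, and badptr.example.com has a PTR naming a different host.
SAMPLE_RECORDS: Dict[Tuple[str, str], List[str]] = {
    ("master.example.com.", "A"): ["192.168.100.1"],
    ("1.100.168.192.in-addr.arpa.", "PTR"): ["master.example.com."],
    ("badptr.example.com.", "A"): ["192.168.100.3"],
    ("3.100.168.192.in-addr.arpa.", "PTR"): ["other.example.com."],
}


def sample_resolver(qname: str, rtype: str) -> List[str]:
    """Answer only from SAMPLE_RECORDS; /etc/hosts is never consulted."""
    return list(SAMPLE_RECORDS.get((qname.lower(), rtype), []))


if __name__ == "__main__":
    for host in ("master.example.com", "replica.example.com",
                 "badptr.example.com"):
        ok, problems = check_host_dns(host, sample_resolver)
        print(host, "OK" if ok else "FAILED", problems)
```

The important design point is that the resolver never touches the system resolver library: getaddrinfo() would consult /etc/hosts according to nsswitch.conf and pass the very case this check exists to catch. Swapping in a real DNS client that is pointed at the master's address keeps that property.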



