[Freeipa-devel] [PATCH] 0077 Check direct/reverse hostname/address resolution in ipa-replica-install

Petr Viktorin pviktori at redhat.com
Mon Sep 17 11:45:44 UTC 2012


On 09/14/2012 08:46 AM, Martin Kosek wrote:
> On 09/13/2012 10:35 PM, Rob Crittenden wrote:
>> Petr Viktorin wrote:
>>> On 09/11/2012 11:05 PM, Rob Crittenden wrote:
>>>> Petr Viktorin wrote:
>>>>> On 09/04/2012 07:44 PM, Rob Crittenden wrote:
>>>>>> Petr Viktorin wrote:
>>>>>>>
>>>>>>> https://fedorahosted.org/freeipa/ticket/2845
>>>>>>
>>>>>> Shouldn't this also call verify_fqdn() on the local hostname and not
>>>>>> just the master? I think this would eventually fail in the conncheck
>>>>>> but
>>>>>> what if that was skipped?
>>>>>>
>>>>>> rob
>>>>>
>>>>> A few lines above there is a call to get_host_name, which will call
>>>>> verify_fqdn.
>>>>>
>>>>
>>>> I double-checked this, it fails in conncheck. Here are my steps:
>>>>
>>>> # ipa-server-install --setup-dns
>>>> # ipa-replica-prepare replica.example.com --ip-address=192.168.100.2
>>>> # ipa host-del replica.example.com
>>>>
>>>> On replica, set DNS to IPA master, with hostname in /etc/hosts.
>>>>
>>>> # ipa-replica-install ...
>>>>
>>>> The verify_fqdn() passes because the resolver uses /etc/hosts.
>>>>
>>>> The conncheck fails:
>>>>
>>>> Execute check on remote master
>>>> Check connection from master to remote replica 'replica.example.com':
>>>>
>>>> Remote master check failed with following error message(s):
>>>> Could not chdir to home directory /home/admin: No such file or directory
>>>> Port check failed! Unable to resolve host name 'replica.example.com'
>>>>
>>>> Connection check failed!
>>>> Please fix your network settings according to error messages above.
>>>> If the check results are not valid it can be skipped with
>>>> --skip-conncheck parameter.
>>>>
>>>> The DNS test happens much further after this, and I get why, I just
>>>> don't see how useful it is unless the --skip-conncheck is used.
>>>
>>> For the record, it's because we need to check if the host has DNS
>>> installed. We need an LDAP connection to check this.
>>>
>>>> ipa-replica-install ~rcrit/replica-info-replica.example.com.gpg
>>>> --skip-conncheck
>>>> Directory Manager (existing master) password:
>>>>
>>>> ipa         : ERROR    Could not resolve hostname replica.example.com
>>>> using DNS. Clients may not function properly. Please check your DNS
>>>> setup. (Note that this check queries IPA DNS directly and ignores
>>>> /etc/hosts.)
>>>> Continue? [no]:
>>>>
>>>> So I guess, what are the intentions here? It is certainly better than
>>>> before.
>>>>
>>>> rob
>>>
>>> If the replica is in the master's /etc/hosts, but not in DNS, the
>>> conncheck will succeed. This check explicitly queries IPA records only
>>> and ignores /etc/hosts so it'll notice this case and warn.
>>>
>>
>> Ok, like I said, this is better than we have. Just one nit then you get an ack:
>>
>> +        # If remote host has DNS, check forward/reverse resolution
>> +        try:
>> +            entry = conn.find_entries(u'cn=dns', base_dn=DN(api.env.basedn))
>> +        except errors.NotFound:
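Review bot: the bare `u'cn=dns'` filter searched from `DN(api.env.basedn)` matches any entry named `cn=dns` anywhere under the base, not only the DNS configuration object, so an unrelated entry could make the check report DNS as installed; the `(&(objectClass=ipaConfigObject)(cn=DNS))` filter and the `cn=masters,cn=ipa,cn=etc` base suggested later in this thread make the lookup precise and cheaper. The shown `except errors.NotFound:` also covers only the absent-entry case, so any other LDAP error raised by `find_entries` propagates out of the resolution check; consider whether the installer should handle that more gracefully.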
>>
>> u'cn=dns' should be str(constants.container_dns).
>>
>> rob
>
> This is a search filter, Petr could use the one I already have in
> "dns.py::get_dns_masters()" function:
> '(&(objectClass=ipaConfigObject)(cn=DNS))'
>
> For performance's sake, I would also not search the entire tree, but limit the
> search to:
>
> DN(('cn', 'masters'), ('cn', 'ipa'), ('cn', 'etc'), api.env.basedn)
>
> Martin
>

Attaching updated patch with Martin's suggestions.

-- 
Petr³
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pviktori-0077-02-Check-direct-reverse-hostname-address-resolution-in-.patch
Type: text/x-patch
Size: 5926 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20120917/0129f15e/attachment.bin>
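The direct and reverse resolution check discussed in this thread, as an added example that is not the FreeIPA patch or project code: it resolves forward (A/AAAA) and reverse (PTR) records from DNS data only, so an entry that exists only in /etc/hosts is reported, and it goes beyond the page by handling IPv6 reverse names. The `SAMPLE_ZONE` dictionary and the `lookup` helper are constructed stand-ins for answers from the IPA DNS server.

```python
"""Direct and reverse hostname/address resolution check that consults DNS
records only, deliberately ignoring /etc/hosts (added example, not the
FreeIPA patch).  SAMPLE_ZONE is constructed data standing in for answers
from the IPA DNS server; a real check would query it with a DNS client."""
import ipaddress
from typing import Dict, List

Zone = Dict[str, Dict[str, List[str]]]

# Constructed zone data: forward (A) and reverse (PTR) record sets,
# keyed by fully qualified, dot-terminated owner names.
SAMPLE_ZONE: Zone = {
    "A": {
        "master.example.com.": ["192.168.100.1"],
        "replica.example.com.": ["192.168.100.2"],
    },
    "PTR": {
        "1.100.168.192.in-addr.arpa.": ["master.example.com."],
        # Stale reverse record: the PTR no longer matches the A record.
        "2.100.168.192.in-addr.arpa.": ["old-replica.example.com."],
    },
}

def lookup(zone: Zone, rtype: str, name: str) -> List[str]:
    """Return the record set for (name, rtype), or [] when absent."""
    return zone.get(rtype, {}).get(name, [])

def reverse_name(address: str) -> str:
    """Owner name of the PTR record for an IPv4 or IPv6 address."""
    return ipaddress.ip_address(address).reverse_pointer + "."

def check_host_resolution(hostname: str, zone: Zone) -> List[str]:
    """Return warning strings; an empty list means the name resolves
    forward and every returned address resolves back to the same name."""
    fqdn = hostname.rstrip(".") + "."
    warnings: List[str] = []
    addresses = lookup(zone, "A", fqdn) + lookup(zone, "AAAA", fqdn)
    if not addresses:
        warnings.append(
            "Could not resolve hostname %s using DNS. Clients may not function "
            "properly. Please check your DNS setup. (Note that this check "
            "queries IPA DNS directly and ignores /etc/hosts.)" % hostname)
        return warnings
    for address in addresses:
        names = lookup(zone, "PTR", reverse_name(address))
        if not names:
            warnings.append("Could not resolve reverse address %s using DNS."
                            % address)
        elif fqdn not in names:
            warnings.append("Reverse record for %s points to %s, not %s."
                            % (address, ", ".join(names), fqdn))
    return warnings
```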