[Freeipa-devel] [PATCH] 0077 Check direct/reverse hostname/address resolution in ipa-replica-install

Petr Viktorin pviktori at redhat.com
Wed Sep 19 15:44:59 UTC 2012


On 09/19/2012 04:56 PM, Rob Crittenden wrote:
> Petr Viktorin wrote:
>> On 09/17/2012 08:10 PM, Rob Crittenden wrote:
>>> Petr Viktorin wrote:
>>>> On 09/14/2012 08:46 AM, Martin Kosek wrote:
>>>>> On 09/13/2012 10:35 PM, Rob Crittenden wrote:
>>>>>> Petr Viktorin wrote:
>>>>>>> On 09/11/2012 11:05 PM, Rob Crittenden wrote:
>>>>>>>> Petr Viktorin wrote:
>>>>>>>>> On 09/04/2012 07:44 PM, Rob Crittenden wrote:
>>>>>>>>>> Petr Viktorin wrote:
>>>>>>>>>>>
>>>>>>>>>>> https://fedorahosted.org/freeipa/ticket/2845
>>>>>>>>>>
>>>>>>>>>> Shouldn't this also call verify_fqdn() on the local hostname and
>>>>>>>>>> not just the master? I think this would eventually fail in the
>>>>>>>>>> conncheck but what if that was skipped?
>>>>>>>>>>
>>>>>>>>>> rob
>>>>>>>>>
>>>>>>>>> A few lines above there is a call to get_host_name, which will
>>>>>>>>> call verify_fqdn.
>>>>>>>>>
>>>>>>>>
>>>>>>>> I double-checked this, it fails in conncheck. Here are my steps:
>>>>>>>>
>>>>>>>> # ipa-server-install --setup-dns
>>>>>>>> # ipa-replica-prepare replica.example.com
>>>>>>>> --ip-address=192.168.100.2
>>>>>>>> # ipa host-del replica.example.com
>>>>>>>>
>>>>>>>> On replica, set DNS to IPA master, with hostname in /etc/hosts.
>>>>>>>>
>>>>>>>> # ipa-replica-install ...
>>>>>>>>
>>>>>>>> The verify_fqdn() passes because the resolver uses /etc/hosts.
>>>>>>>>
>>>>>>>> The conncheck fails:
>>>>>>>>
>>>>>>>> Execute check on remote master
>>>>>>>> Check connection from master to remote replica
>>>>>>>> 'replica.example.com':
>>>>>>>>
>>>>>>>> Remote master check failed with following error message(s):
>>>>>>>> Could not chdir to home directory /home/admin: No such file or
>>>>>>>> directory
>>>>>>>> Port check failed! Unable to resolve host name
>>>>>>>> 'replica.example.com'
>>>>>>>>
>>>>>>>> Connection check failed!
>>>>>>>> Please fix your network settings according to error messages above.
>>>>>>>> If the check results are not valid it can be skipped with
>>>>>>>> --skip-conncheck parameter.
>>>>>>>>
>>>>>>>> The DNS test happens much further after this, and I get why, I just
>>>>>>>> don't see how useful it is unless the --skip-conncheck is used.
>>>>>>>
>>>>>>> For the record, it's because we need to check if the host has DNS
>>>>>>> installed. We need an LDAP connection to check this.
>>>>>>>
>>>>>>>> ipa-replica-install ~rcrit/replica-info-replica.example.com.gpg
>>>>>>>> --skip-conncheck
>>>>>>>> Directory Manager (existing master) password:
>>>>>>>>
>>>>>>>> ipa         : ERROR    Could not resolve hostname
>>>>>>>> replica.example.com
>>>>>>>> using DNS. Clients may not function properly. Please check your DNS
>>>>>>>> setup. (Note that this check queries IPA DNS directly and ignores
>>>>>>>> /etc/hosts.)
>>>>>>>> Continue? [no]:
>>>>>>>>
>>>>>>>> So I guess, what are the intentions here? It is certainly better
>>>>>>>> than before.
>>>>>>>>
>>>>>>>> rob
>>>>>>>
>>>>>>> If the replica is in the master's /etc/hosts, but not in DNS, the
>>>>>>> conncheck will succeed. This check explicitly queries IPA records
>>>>>>> only and ignores /etc/hosts so it'll notice this case and warn.
>>>>>>>
>>>>>>
>>>>>> Ok, like I said, this is better than we have. Just one nit then you
>>>>>> get an ack:
>>>>>>
>>>>>> +        # If remote host has DNS, check forward/reverse resolution
>>>>>> +        try:
>>>>>> +            entry = conn.find_entries(u'cn=dns',
>>>>>> base_dn=DN(api.env.basedn))
>>>>>> +        except errors.NotFound:
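Review bot: the filter `u'cn=dns'` searched from `DN(api.env.basedn)` matches any entry with that cn anywhere under the suffix, not specifically the DNS service marker, and since `except errors.NotFound:` is the only outcome handled, a hit on an unrelated `cn=dns` entry would be taken as "remote host has DNS". Suggest qualifying the filter by objectClass and narrowing `base_dn` to the container the marker lives in, along the lines of `conn.find_entries('(&(objectClass=ipaConfigObject)(cn=DNS))', base_dn=DN(('cn', 'masters'), ('cn', 'ipa'), ('cn', 'etc'), api.env.basedn))`.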
>>>>>>
>>>>>> u'cn=dns' should be str(constants.container_dns).
>>>>>>
>>>>>> rob
>>>>>
>>>>> This is a search filter, Petr could use the one I already have in
>>>>> "dns.py::get_dns_masters()" function:
>>>>> '(&(objectClass=ipaConfigObject)(cn=DNS))'
>>>>>
>>>>> For performance's sake, I would also not search in the entire tree, but
>>>>> limit the search only to:
>>>>>
>>>>> DN(('cn', 'masters'), ('cn', 'ipa'), ('cn', 'etc'), api.env.basedn)
>>>>>
>>>>> Martin
>>>>>
>>>>
>>>> Attaching updated patch with Martin's suggestions.
>>>
>>> I think what Martin had in mind was:
>>>
>>> if api.Object.dnsrecord.get_dns_masters():
>>>      ...
>>>
>>
>> I didn't want to do this because api.Object.* use our global ldap2
>> Backend, which is hardwired to query localhost.
>> I see now that I can hack around this, and we already do this in
>> ipa-replica-install.
>> I've extracted the hack and reused it to get the DNS masters.
>>
>>
>
> I can't say I'm crazy about the method name you've chosen...
>
> rob

I intended the name as a warning to not use it unless necessary.

Changed to temporary_ldap2_connection.

-- 
Petr³
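The forward/reverse check the thread is about, as an added example that is not part of the patch or of FreeIPA's own code: it resolves the name and its PTR records through a resolver callback only (so /etc/hosts never enters the picture) and reports the /etc/hosts-only and mismatched-PTR cases. The `Resolver` interface and the zone data are constructed for this example.

```python
import ipaddress
from typing import Callable, Dict, List, Tuple

# Hypothetical resolver interface: given (owner name, record type) it returns
# the record data as strings, as if asked of the IPA DNS server directly.
# /etc/hosts is never consulted, which is the point of the check.
Resolver = Callable[[str, str], List[str]]


def reverse_name(address: str) -> str:
    """Owner name of the PTR record for an IPv4 or IPv6 address."""
    return ipaddress.ip_address(address).reverse_pointer + "."


def check_host_resolution(hostname: str, resolver: Resolver) -> List[str]:
    """Return a list of problems with the forward/reverse resolution of
    hostname; an empty list means the records are consistent."""
    fqdn = hostname.rstrip(".") + "."
    problems: List[str] = []
    addresses = resolver(fqdn, "A") + resolver(fqdn, "AAAA")
    if not addresses:
        # Name known only via /etc/hosts (or not at all) ends up here.
        problems.append(f"Could not resolve hostname {hostname} using DNS.")
        return problems
    for addr in addresses:
        ptrs = resolver(reverse_name(addr), "PTR")
        if not ptrs:
            problems.append(f"No reverse (PTR) record for {addr}.")
        elif fqdn.lower() not in (p.lower() for p in ptrs):
            problems.append(
                f"Reverse record for {addr} points to {', '.join(ptrs)}, "
                f"not {hostname}.")
    return problems


# Constructed zone data standing in for the IPA DNS server's answers.
CONSTRUCTED_ZONE: Dict[Tuple[str, str], List[str]] = {
    ("master.example.com.", "A"): ["192.168.100.1"],
    ("1.100.168.192.in-addr.arpa.", "PTR"): ["master.example.com."],
    # replica resolves forward, but its PTR still names a previous host
    ("replica.example.com.", "A"): ["192.168.100.2"],
    ("2.100.168.192.in-addr.arpa.", "PTR"): ["oldhost.example.com."],
    # hostsonly.example.com lives only in /etc/hosts: the zone has no record
}


def zone_resolver(name: str, rrtype: str) -> List[str]:
    """Resolver backed by the constructed zone above."""
    return list(CONSTRUCTED_ZONE.get((name.lower(), rrtype), []))
```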
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pviktori-0077-04-Check-direct-reverse-hostname-address-resolution-in-.patch
Type: text/x-patch
Size: 9985 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20120919/68c31602/attachment.bin>