Bug 1204254

Summary: when configuring freeipa-server on a machine with IPv6 it seems to ignore IPv4 configuration
Product: Fedora
Reporter: Peter Robinson <pbrobinson>
Component: freeipa
Assignee: IPA Maintainers <ipa-maint>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 22
CC: abokovoy, dkupka, ipa-maint, mkosek, pbrobinson, pvoborni, rcritten, ssorce
Hardware: Unspecified
OS: Unspecified
Fixed In Version: freeipa-4.2.2-1.fc23
Doc Type: Bug Fix
Last Closed: 2015-10-11 16:02:51 UTC
Type: Bug

Description Peter Robinson 2015-03-20 17:22:24 UTC
When configuring freeipa-server on a machine that's running dual stack (192.168.x.y IPv4 and an IPv6 routed address space) it seems to just configure IPv6 reverse zones etc.

v6 IPs modified to be different range.

Do you want to configure DNS forwarders? [yes]: 
Enter the IP address of DNS forwarder to use, or press Enter to finish.
Enter IP address for a DNS forwarder: 8.8.8.8
DNS forwarder 8.8.8.8 added
Enter IP address for a DNS forwarder: 8.8.4.4
DNS forwarder 8.8.4.4 added
Enter IP address for a DNS forwarder: 
Checking forwarders, please wait ...
Do you want to configure the reverse zone? [yes]: 
Please specify the reverse zone name [1.8.6.2.1.1.b.1.3.e.2.0.1.0.0.2.ip6.arpa.]: 
Using reverse zone(s) 1.8.6.2.1.1.b.1.3.e.2.0.1.0.0.2.ip6.arpa.

The IPA Master Server will be configured with:
Hostname:       bblack.home.example.com
IP address(es): 2001:02e3:1b11:2681:9259:afff:fe69:c71
Domain name:    home.example.com
Realm name:     HOME.EXAMPLE.COM

BIND DNS server will be configured to serve IPA domain with:
Forwarders:    8.8.8.8, 8.8.4.4
Reverse zone(s):  1.8.6.2.1.1.b.1.3.e.2.0.1.0.0.2.ip6.arpa.

If a host is running dual IP stacks it should prompt to configure reverse lookup for both the IPv4 and IPv6 range.

freeipa-python-4.1.3-3.fc22.armv7hl
freeipa-client-4.1.3-3.fc22.armv7hl
freeipa-admintools-4.1.3-3.fc22.armv7hl
freeipa-server-4.1.3-3.fc22.armv7hl

Comment 1 Martin Kosek 2015-03-25 13:31:09 UTC
Sorry it took us too long to answer. David, can you please advise with this one?

Comment 2 Peter Robinson 2015-03-25 13:36:32 UTC
I've done some more testing now I have it running and it doesn't seem to support dual stack IPv4/IPv6 very well at all.

1) I had to setup the IPv4 reverse zone and DNS records on the IPA server

2) The IPA client on setting up a host doesn't register both IPs. It registers the IPv6 forward/reverse lookup records but not the IPv4 A/PTR records so you have to do this manually afterwards

3) When using --enable-dns-updates it doesn't seem to update the records (although I have to do more testing with this one)

Comment 3 David Kupka 2015-03-25 14:03:41 UTC
(In reply to Peter Robinson from comment #2)
> I've done some more testing now I have it running and it doesn't seem to
> support dual stack IPv4/IPv6 very well at all.

IIRC ipa-server-install works this way:

1. Try to resolve all IP addresses.
2. Checks if each resolved address is assigned to some interface.
3. If not installing with DNS server and IP addresses were provided check that all of them were resolved. Use only provided.

So, if hostname of your IPA server resolves to IPv6 address only and you don't provide --ip-address <IPv4-address> it gets configured with only IPv6 addresses.

> 
> 1) I had to setup the IPv4 reverse zone and DNS records on the IPA server

It should be added automatically if the address is specified/resolved during installation.

> 
> 2) The IPA client on setting up a host doesn't register both IPs. It
> registers the IPv6 forward/reverse lookup records but not the IPv4 A/PTR
> records so you have to do this manually afterwards
> 
> 3) When using --enable-dns-updates it doesn't seem to update the records
> (although I have to do more testing with this one)

Actually, ipa-client does this (https://fedorahosted.org/freeipa/ticket/4249) but we're still waiting for SSSD (https://fedorahosted.org/sssd/ticket/2558). Right now ipa-client-install adds all IP addresses to DNS but updates are performed by SSSD and it replaces the records with just one.

Comment 4 Petr Vobornik 2015-03-30 17:31:09 UTC
From comment 1:

  IP address(es): 2001:02e3:1b11:2681:9259:afff:fe69:c71

it seems that the issue is with step 1 - IP address resolution.

FreeIPA uses socket.getaddrinfo function to get the list of IPs. It usually does a DNS lookup. In python console try:

import socket
socket.getaddrinfo('my.server.hostname', None, socket.AF_UNSPEC, socket.SOCK_STREAM)

Does it return only one or multiple addresses?

As David wrote, if the IP addresses are not resolvable, they have to be explicitly defined. 

IMHO not a bug (client installation is handled in bug 1076262)

Comment 5 Peter Robinson 2015-03-31 09:28:46 UTC
> 3. If not installing with DNS server and IP addresses were provided check
> that all of them were resolved. Use only provided.

I was installing the DNS (the questions about configuring of forwarders, and reverse zones above indicate that).

> So, if hostname of your IPA server resolves to IPv6 address only and you
> don't provide --ip-address <IPv4-address> it gets configured with only IPv6
> addresses.

My existing local DNS server has IPv4 forward/reverse configured but nothing for IPv6, so in that case I would expect it to be ignoring the IPv6, not the IPv4.

> > 1) I had to setup the IPv4 reverse zone and DNS records on the IPA server
> 
> I should be added automatically if the address is specified/resolved during
> installation.

It wasn't specified but then I would expect if configuring DNS (I was) it would ignore resolving and if there's an IPv4 address and a global IPv6 address configure both.

> > 2) The IPA client on setting up a host doesn't register both IPs. It
> > registers the IPv6 forward/reverse lookup records but not the IPv4 A/PTR
> > records so you have to do this manually afterwards

You mention below that ipa-client does this, so presumably it should have been configured initially and not updated later. It wasn't, I'm not sure if that's a side effect of the above or not though.

> > 3) When using --enable-dns-updates it doesn't seem to update the records
> > (although I have to do more testing with this one)
> 
> Actually, ipa-client does this
> (https://fedorahosted.org/freeipa/ticket/4249) but we're still waiting for
> SSSD (https://fedorahosted.org/sssd/ticket/2558). Right now
> ipa-client-install adds all IP addresses to DNS but updates are performed by
> SSSD and it replaces the records with just one.

TBH I'm not sure if no records or incorrect records (if configured initially) is worse

Comment 6 Peter Robinson 2015-03-31 09:36:59 UTC
(In reply to Petr Vobornik from comment #4)
> From comment 1:
> 
>   IP address(es): 2001:02e3:1b11:2681:9259:afff:fe69:c71
> 
> it seems that the issue is with step 1 - IP address resolution.

See comments about DNS configuration.

> As David wrote, if the IP addresses are not resolvable, they have to be
> explicitly defined. 

Actually David wrote:

"If not installing with DNS server and IP addresses were provided check that all of them were resolved. Use only provided." 

So I read that as "if they're not resolvable and we're not configuring DNS they have to be explicitly defined" which makes perfect sense because:

1) if we're configuring a DNS server we'll register all our addresses and records in the DNS we're configuring to serve our domain/IPA instance
2) if we're using another DNS server the IPA instance needs to be properly resolvable (whether to another IPA instance for a replica or to something like AD for other use cases) and if not...
3) we need to manually specify the IPs so we explicitly know what we're dealing with

I was doing 1), which I've done literally dozens of times on customer sites with single stack without issue; I've got 3 stand-alone instances running myself on different networks, and this is the first time I've done it with dual stack.

Comment 7 Petr Vobornik 2015-03-31 11:55:42 UTC
It's not clear to me which DNS and IP address related configuration options you used and what the expected behavior is.

If we're configuring DNS, installer uses one of:
a) resolved addresses
b) addresses stated by --ip-address (ignores (a))
c) asks user for addresses if a) returned nothing and b) was not used

Therefore if you used `--ip-address IPv6Address` option then installer ignores the resolved IPv4 address and uses only the IPv6 one and then configures only the IPv6 reverse zone.
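
The selection order David (comment 3) and Petr (comment 7) describe, together with the getaddrinfo check from comment 4, can be reproduced outside the installer to see what a dual-stack host will end up with before running ipa-server-install. The script below is an added example, not FreeIPA code: it models the (a)/(b)/(c) order, derives the reverse zone the installer would propose for each selected address, and includes a small /etc/hosts scan for the stale-entry case from comment 10. The /24 and /64 zone sizes are assumptions (the report shows a /64 ip6.arpa zone; the IPv4 prefix is not stated), and the sample hostname and addresses are the ones from the report.

```python
"""Dual-stack address selection and reverse-zone derivation.

Added example, not part of FreeIPA. It models the installer order described
in this bug (explicit --ip-address > resolved addresses > prompted addresses)
and shows why a name that resolves only to an AAAA record yields only an
ip6.arpa reverse zone.
"""
import ipaddress
import socket


def resolve_all(hostname):
    """All IPv4 and IPv6 addresses the system resolver returns for hostname.

    This is the socket.getaddrinfo call suggested in comment 4; it needs a
    working resolver, so the offline sample below passes addresses directly.
    """
    infos = socket.getaddrinfo(hostname, None, socket.AF_UNSPEC, socket.SOCK_STREAM)
    addrs = {ipaddress.ip_address(info[4][0]) for info in infos}
    return sorted(addrs, key=lambda a: (a.version, int(a)))


def hosts_file_addresses(hostname, hosts_text):
    """Addresses mapped to hostname in /etc/hosts-style text.

    A leftover IPv6-only line (the situation in comment 10) makes the
    resolver return just that address, so this is worth checking first.
    """
    found = []
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and hostname in fields[1:]:
            found.append(ipaddress.ip_address(fields[0]))
    return found


def select_addresses(resolved, explicit=None, prompted=None):
    """Installer order from comment 7: --ip-address values win outright,
    otherwise resolved addresses, otherwise whatever the user was asked for."""
    if explicit:
        return [ipaddress.ip_address(a) for a in explicit]
    if resolved:
        return [ipaddress.ip_address(a) for a in resolved]
    return [ipaddress.ip_address(a) for a in (prompted or [])]


def reverse_zone(address, prefixlen=None):
    """Reverse zone name for the network containing address.

    Default prefix lengths (/24 for IPv4, /64 for IPv6) are an assumption of
    this example, not an installer setting.
    """
    addr = ipaddress.ip_address(address)
    if prefixlen is None:
        prefixlen = 24 if addr.version == 4 else 64
    net = ipaddress.ip_network(f"{addr}/{prefixlen}", strict=False)
    if addr.version == 4:
        if prefixlen % 8:
            raise ValueError("IPv4 reverse zones need an octet-aligned prefix")
        octets = str(net.network_address).split(".")[: prefixlen // 8]
        return ".".join(reversed(octets)) + ".in-addr.arpa."
    if prefixlen % 4:
        raise ValueError("IPv6 reverse zones need a nibble-aligned prefix")
    nibbles = net.network_address.exploded.replace(":", "")[: prefixlen // 4]
    return ".".join(reversed(nibbles)) + ".ip6.arpa."


def reverse_zones(addresses):
    """Distinct reverse zones for the selected addresses, in first-seen order."""
    zones = []
    for a in addresses:
        z = reverse_zone(a)
        if z not in zones:
            zones.append(z)
    return zones


if __name__ == "__main__":
    # Constructed sample mirroring the report: the name resolves only to AAAA.
    v6 = "2001:02e3:1b11:2681:9259:afff:fe69:c71"
    print(reverse_zones(select_addresses([v6])))
    # What the reporter expected: both records resolvable, so both zones.
    print(reverse_zones(select_addresses(["192.168.1.10", v6])))
    # Stale /etc/hosts line (comment 10) explains an IPv6-only result.
    stale = "127.0.0.1 localhost\n" + v6 + " bblack.home.example.com bblack\n"
    print(hosts_file_addresses("bblack.home.example.com", stale))
```

Run it as-is to see the two outcomes side by side; if `hosts_file_addresses` reports only an IPv6 entry for your server name, or `resolve_all` returns a single family, the installer will see exactly that and you need either a fixed /etc/hosts line or explicit `--ip-address` options for every address you want registered.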

Comment 8 Peter Robinson 2015-03-31 12:01:40 UTC
> Therefore if you used `--ip-address IPv6Address` option then installer
> ignores the resolved IPv4 address and uses only the IPv6 one and then
> configures only the IPv6 reverse zone.

I didn't specify any IP address options because I wanted it configured on all IPs, I did specify --setup-dns

Comment 9 David Kupka 2015-03-31 12:22:13 UTC
Could you propose a behavior you would find user-friendly and intuitive? Feedback from day-to-day users is valuable to us.

The reasoning behind current behavior is: We assume that if there is DNS server in the network the safest will be to configure the same unless user specifies otherwise.

Comment 10 Petr Vobornik 2015-03-31 12:42:39 UTC
Was it a first run of the installer? 

I've noticed a bug where installer left IPv6 address in /etc/hosts when installation with IPv6 + IPv4 address was canceled. The subsequent run used only this address.

Comment 11 Martin Kosek 2015-09-15 10:36:13 UTC
David, isn't this bug fixed in new FreeIPA 4.2.1 release?

Comment 12 David Kupka 2015-09-15 10:48:54 UTC
I believe it is upstream ticket 5266 (https://fedorahosted.org/freeipa/ticket/5266) and it was fixed in FreeIPA 4.2.1.

Comment 13 Peter Robinson 2015-09-17 15:57:40 UTC
I'll be testing it shortly on F-23

Comment 14 Petr Vobornik 2015-10-08 14:32:10 UTC
moving to post according to comment 12

Comment 15 Fedora Update System 2015-10-09 13:55:39 UTC
freeipa-4.2.2-1.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
$ su -c 'dnf --enablerepo=updates-testing update freeipa'
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-4abcc8b937

Comment 16 Fedora Update System 2015-10-11 16:02:36 UTC
freeipa-4.2.2-1.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.