Bug 1385515

Summary: Enhance ipa-client-install behavior when enrolling clients in DNS zones different from the main IPA domain
Product: Red Hat Enterprise Linux 8 Reporter: Luc de Louw <ldelouw>
Component: ipaAssignee: Florence Blanc-Renaud <frenaud>
Status: NEW --- QA Contact: Kaleem <ksiddiqu>
Severity: unspecified Docs Contact:
Priority: medium    
Version: 8.3CC: afarley, cww, fcami, frenaud, ldelouw, pasik, pcech, pspacek, pvoborni, rcritten, tmihinto, tscherf
Target Milestone: rcKeywords: Reopened, Triaged
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2016-11-14 14:51:25 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On:    
Bug Blocks: 1298243    

Description Luc de Louw 2016-10-17 08:54:21 UTC 
Description of problem:

In IPA environments with a lot of DNS domains it is a hassle to manually add the SRV records needed for services auto discovery. Of course this can be scripted but every IPA user need to reinvent the wheel. It would be nice to be able to copy the SRV entries from another DNS zone when creating the zone with CLI or WebUI.

I.e 
[root@ipa1 ~]# ipa dnszone-add --add-srv-entries-from=example.com example.net

At the moment only the creation of the TXT record with record _kerberos is being created.


Version-Release number of selected component (if applicable):
4.4

How reproducible:


Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:
Comment 2 Luc de Louw 2016-10-17 12:43:08 UTC 
... and of course taking care about updating SRV entries on replication topology changes
Comment 3 Petr Spacek 2016-10-24 14:00:06 UTC 
In general, SRV records should be present only in single DNS zone. Clients should find name of the "main" IPA zone from _kerberos TXT record, which is automatically created by IPA. This avoids copying which is error-prone (and next to impossible when some zones are managed by IPA and some others don't).

OpenLDAP client libs derive DNS domain name from base DN, so pure LDAP client is covered as well. nss-pam-ldapd has "uri" options which is used to specify domain name so it is covered.

What is your use case?
Comment 8 Petr Spacek 2016-11-14 14:51:25 UTC 
We determined that standard procedures listed in comment #3 covers all reasonable cases we were able to to come up.
Comment 9 Luc de Louw 2019-02-27 15:48:55 UTC 
Comment #3 does not fix the problem. The ipa-client-install is not able to find LDAP server.
Comment 10 Rob Crittenden 2019-02-27 16:18:58 UTC 
Logs are needed to evaluate
Comment 14 François Cami 2019-04-23 14:50:57 UTC 
So far for separate dns zones ipa-client-install requires specifying --domain <main IPA domain>.
As Alexander pointed out over IRC the man page for ipa-client-install covers this use-case:

#############

       --domain=DOMAIN
              The primary DNS domain of an existing IPA deployment, e.g. example.com. This DNS domain should contain the SRV records generated by the IPA server installer. Usually the name is a lower-cased
              name of an IPA Kerberos realm name.

              When no --server option is specified, this domain will be used by the installer to discover all available servers via DNS SRV record autodiscovery (see DNS Autodiscovery section for details).

              The default value used by the installer is the domain part of the hostname. This option needs to be specified if the primary IPA DNS domain is different from the default value.

#############

It looks like what should be done there is for ipa-client-install to determine the domain from the _kerberos TXT record as explained in comment#3 when --domain is not specified.
Nothing needs to be done server-side.
Comment 15 François Cami 2019-04-23 14:51:56 UTC 
Luc, does the above sound good enough to you?
Comment 16 Luc de Louw 2019-05-07 12:48:32 UTC 
(In reply to François Cami from comment #15)
> Luc, does the above sound good enough to you?

Hi François,

I only see one problem with that: For the hjost server123.subdomain.example.com it will create a DNS entry like server123.subdomain in the example.com domain which is not something that is nice, its getting difficult to migrate that pseudo-subdomain to another DNS server if needed. 

What will be the behaviour when the domain subdomain.exmple.com exists in IPA? I did not tried that yet.

Thanks,

Luc
Comment 17 François Cami 2019-05-09 15:45:27 UTC 
Hi Luc,

This should not happen.

If the subzone $subzone.$IPAdomain is created beforehand, the client will try to create a DNS entry in the subzone.

To create a subzone with dynamic updates enabled:
#################
$ ipa dnszone-add $subzone.$IPAdomain.
$ ipa dnszone-mod $subzone.$IPAdomain. --dynamic-update=True
#################

The nsupdate commands sent by the client will be:
#################
update delete <short_hostname>.$subzone.$IPAdomain IN A
show
send

update delete <short_hostname>.$subzone.$IPAdomain IN AAAA
show
send

update add <short_hostname>.$subzone.$IPAdomain 1200 IN A <IP>
show
send
#################
(search for 'nsupdate' in ipaclient-install.log).

I've just verified, the resulting entry is created in the subzone in this case.

Thanks for confirming!
François
Comment 18 Luc de Louw 2019-05-10 10:09:00 UTC 
(In reply to François Cami from comment #17)
> Hi Luc,
> 
> This should not happen.
> 
> If the subzone $subzone.$IPAdomain is created beforehand, the client will
> try to create a DNS entry in the subzone.
> 
> To create a subzone with dynamic updates enabled:
> #################
> $ ipa dnszone-add $subzone.$IPAdomain.
> $ ipa dnszone-mod $subzone.$IPAdomain. --dynamic-update=True
> #################
> 
> The nsupdate commands sent by the client will be:
> #################
> update delete <short_hostname>.$subzone.$IPAdomain IN A
> show
> send
> 
> update delete <short_hostname>.$subzone.$IPAdomain IN AAAA
> show
> send
> 
> update add <short_hostname>.$subzone.$IPAdomain 1200 IN A <IP>
> show
> send
> #################
> (search for 'nsupdate' in ipaclient-install.log).
> 
> I've just verified, the resulting entry is created in the subzone in this
> case.
> 
> Thanks for confirming!
> François

Hi François,

It would be nice to document this that the subdomain must exist before the first host in that particular domain is enrolled. 
Also, IMHO, the ipa-client-installer (DNS part) should fail with an error message hinting to that issue.

Thanks,

Luc
Comment 19 François Cami 2019-05-10 10:26:31 UTC 
> It would be nice to document this that the subdomain must exist before the first host in that particular domain is enrolled. 

Well $shortname.$subzone is a valid zone entry in BIND (I've just tested) though it's arguably awkward.
IDM is not doing anything different than BIND itself so it's not a MUST item.

Granted RFC952 ( https://tools.ietf.org/rfc/rfc952.txt ) defines a hostname this way: 
 <hname> ::= <name>*["."<name>]
 <name> ::= <let>[*[<let-or-digit-or-hyphen>]<let-or-digit>]
but I could find no hard requirement on zone entries not having any dot in them if not ending with a dot.

> Also, IMHO, the ipa-client-installer (DNS part) should fail with an error message hinting to that issue.

Possibly.
With that said, ipa-client-install does not fail nor display any warning when nsupdate fails entirely: since the zone might prohibit updates or even not be under IDM direct control we cannot consider nsupdate failures as critical. 

Also, the nsupdate built by ipa-client-install is "update add <short_hostname>.$subzone.$IPAdomain 1200 IN A <IP>".
To display that warning we would have to detect the subzone does not exist first and act on that.
Let me think about it and get back to you.

Setting NEEDINFO on myself.