Bug 1488732
| Field | Value | Field | Value |
|---|---|---|---|
| Summary | fake_mname in named.conf is no longer effective | | |
| Product | Red Hat Enterprise Linux 8 | Reporter | Martin Kosek <mkosek> |
| Component | bind-dyndb-ldap | Assignee | Alexander Bokovoy <abokovoy> |
| Status | CLOSED ERRATA | QA Contact | ipa-qe <ipa-qe> |
| Severity | unspecified | Docs Contact | |
| Priority | unspecified | | |
| Version | 8.0 | CC | abokovoy, frenaud, gparente, ksiddiqu, myusuf, pcech, pvoborni, twoerner |
| Target Milestone | rc | | |
| Target Release | --- | | |
| Hardware | Unspecified | | |
| OS | Unspecified | | |
| Whiteboard | | | |
| Fixed In Version | bind-dyndb-ldap-11.3-1 | Doc Type | If docs needed, set a value |
| Doc Text | | Story Points | --- |
| Clone Of | | Environment | |
| Last Closed | 2020-11-04 02:50:13 UTC | Type | Bug |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
Description
Martin Kosek
2017-09-06 06:56:46 UTC
Thorsten Scherf tested this scenario with a RHEL-7.3 system with the following conf:

```
$ grep -A4 dynamic-db /etc/named.conf
dynamic-db "ipa" {
        library "ldap.so";
        arg "uri ldapi://%2fvar%2frun%2fslapd-DOMAIN-COM.socket";
        arg "base cn=dns, dc=domain,dc=com";
        arg "fake_mname vm-96.domain.com.";
```

And it worked for him.

```
[root@vm-idm-031 ~]# cat /etc/named.conf
.
.
dyndb "ipa" "/usr/lib64/bind/ldap.so" {
        uri "ldapi://%2fvar%2frun%2fslapd-TESTRELM-TEST.socket";
        base "cn=dns, dc=testrelm,dc=test";
        server_id "master.testrelm.test";
        auth_method "sasl";
        sasl_mech "GSSAPI";
        sasl_user "DNS/master.testrelm.test";
        fake_mname "reachable.master.test";
};
[root@vm-idm-031 ~]# systemctl restart named-pkcs11
[root@vm-idm-031 ~]# dig +short -t SOA testrelm.test.
master.testrelm.test. hostmaster.testrelm.test. 1515074331 3600 900 1209600 3600
[root@vm-idm-031 ~]# dig +short -t SOA master.test.
[root@vm-idm-031 ~]#
[root@vm-idm-031 ~]# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 7.5 Beta (Maipo)
```

As part of DNS Locations https://pagure.io/freeipa/issue/2008 it is possible to configure it in LDAP in per DNS server configuration.

design page:
* https://docs.pagure.org/bind-dyndb-ldap/Design/PerServerConfigInLDAP.html
* https://www.freeipa.org/page/V4/DNS_Location_Mechanism#DNS_server_configuration

doc: https://pagure.io/bind-dyndb-ldap

Can be set in CLI by:

```
$ ipa dnsserver-mod ipa.myipa.test --soa-mname-override fake.myipa.test.
$ dig +short -t SOA myipa.test
fake.myipa.test. hostmaster.myipa.test. 1515083621 3600 900 1209600 3600
```

Setting fake_mname in /etc/named.conf didn't work for me either, but that is expected, as /etc/named.conf has lower priority than the LDAP entry according to the design page:

"""
Priority order for configuration
Highest priority is on top:
- DNS zone: idnsZone entry
  SOA MNAME is an exception - server's config overrides zone's config
- per-server config in LDAP: idnsServerConfig entry
- global config in LDAP: idnsConfig entry
- per-server config on disk: named.conf
- built-in defaults
"""

Migration should be handled as well:

"""
Upgrade
Following options from named.conf should be migrated to newly created idnsServerConfigObject during IPA upgrade:
- fake_mname -> idnsSOAMName
- forward -> idnsForwardPolicy
- forwarders -> idnsForwarders
At the same time, named.conf needs to be updated to contain server_id option equal to FreeIPA server's FQDN without trailing period (for consistency with names used in cn=masters).
"""

I did not test the upgrade though. The only thing to improve I see is the bind-dyndb-ldap documentation, which doesn't mention the priorities (it is only on the design page). I committed a documentation update upstream with https://pagure.io/bind-dyndb-ldap/pull-request/178 to clarify the priority order after checking it out on a test deployment and also with one of the upstream users. Clarification from freeipa-users@ can be seen at https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/UKMCM5I42M4NS3BLR7T5VH2XHGTA4QE6/

Thank you for taking your time and submitting this request for Red Hat Enterprise Linux 7. Unfortunately, this bug cannot be kept even as a stretch goal and was postponed to RHEL 8.

Verified.

Following are the snippets picked from runner.log:

IPA Version:

```
2020-08-06T07:29:40+0000 ok: [master.testrealm.test] => (item=ipa-server) =>
2020-08-06T07:29:40+0000   msg:
2020-08-06T07:29:40+0000   - arch: x86_64
2020-08-06T07:29:40+0000     epoch: null
2020-08-06T07:29:40+0000     name: ipa-server
2020-08-06T07:29:40+0000     release: 8.module+el8.3.0+7513+a375844a
2020-08-06T07:29:40+0000     source: rpm
2020-08-06T07:29:40+0000     version: 4.8.7
```

pytest summary:

```
2020-08-06T07:39:52+0000 ------------------ generated xml file: /tmp/wp/twd/junit.xml -------------------
2020-08-06T07:39:52+0000 ------------- generated html file: file:///tmp/wp/twd/report.html --------------
2020-08-06T07:39:52+0000 ==================== 1 passed, 1 warnings in 515.40 seconds ====================
```

Test added upstream:
* master: https://pagure.io/freeipa/c/592f3fe65986077ec0a19158d061a371c86307c7
* ipa-4-8: https://pagure.io/freeipa/c/b93f2a70d09f44a64a320ad558c76536e9b625ad

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: idm:DL1 and idm:client security, bug fix, and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2020:4670
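The precedence and migration rules quoted above from the design page are easy to get wrong in practice (the reporter's own named.conf override was silently ignored), so here is an added example, written for this page and not code from the bug report, bind-dyndb-ldap or FreeIPA, that models them: it parses the `dyndb "ipa" { ... }` block of a named.conf, derives the idnsServerConfig attributes the upgrade text says get migrated (fake_mname, forward, forwarders, plus server_id from the FQDN without trailing period), resolves the effective SOA MNAME with the per-server LDAP entry ranked above named.conf and above the zone's own value, and extracts the MNAME from `dig +short -t SOA` output for the check the reporter performed. Assumptions: only the new single-line `dyndb` syntax is parsed (not the older `dynamic-db`/`arg` form in Thorsten's conf), the forwarders value is treated as a whitespace- or semicolon-separated list, the sample config and LDAP values are constructed, and the rule that a named.conf fake_mname still beats the zone's idnsSOAmName when no LDAP override exists is this example's reading of the older behaviour, not a statement from the page.

```python
"""Model of the bind-dyndb-ldap config precedence and upgrade migration
described on the design page quoted in the bug report.  Added example
(not project code); attribute and option names are taken from the page."""
import re

# Constructed sample: the report's new-style dyndb block, with forwarding
# options added so that every migrated key is exercised.
NAMED_CONF = '''
options { directory "/var/named"; };
dyndb "ipa" "/usr/lib64/bind/ldap.so" {
    uri "ldapi://%2fvar%2frun%2fslapd-TESTRELM-TEST.socket";
    base "cn=dns, dc=testrelm,dc=test";
    auth_method "sasl";
    sasl_mech "GSSAPI";
    sasl_user "DNS/master.testrelm.test";
    fake_mname "reachable.master.test";
    forward "only";
    forwarders "192.0.2.53; 2001:db8::53";
};
'''

_DYNDB_RE = re.compile(r'dyndb\s+"ipa"\s+"[^"]*"\s*\{(.*?)\n\};', re.S)
_OPT_RE = re.compile(r'^\s*([A-Za-z_]+)\s+"([^"]*)"\s*;', re.M)


def parse_dyndb_options(named_conf):
    """Return {option: value} for the dyndb "ipa" { ... } block.
    Assumption: one quoted value per option line, no comments."""
    m = _DYNDB_RE.search(named_conf)
    if not m:
        return {}
    return dict(_OPT_RE.findall(m.group(1)))


# named.conf option -> idnsServerConfig attribute, as quoted on the page.
MIGRATION = {
    "fake_mname": "idnsSOAMName",
    "forward": "idnsForwardPolicy",
    "forwarders": "idnsForwarders",
}


def migrate_to_server_config(options, server_fqdn):
    """Build the idnsServerConfig attributes an IPA upgrade would create.
    idnsServerId is the FQDN without the trailing period, as the design
    page requires for consistency with cn=masters."""
    attrs = {"idnsServerId": server_fqdn.rstrip(".")}
    for opt, attr in MIGRATION.items():
        if opt in options:
            val = options[opt]
            if opt == "forwarders":
                # Assumption: multi-valued in LDAP, list syntax in named.conf.
                val = val.replace(";", " ").split()
            attrs[attr] = val
    return attrs


def effective_soa_mname(zone_mname, server_config=None, named_conf_options=None):
    """Resolve the SOA MNAME a client would see.

    Per the quoted priority order the per-server LDAP entry outranks
    named.conf, and for MNAME specifically (the documented exception)
    the server-level value outranks the zone's own idnsSOAmName.
    Falling back from LDAP to the on-disk fake_mname before the zone
    value is this example's assumption."""
    server_config = server_config or {}
    named_conf_options = named_conf_options or {}
    if server_config.get("idnsSOAMName"):
        return server_config["idnsSOAMName"]
    if named_conf_options.get("fake_mname"):
        return named_conf_options["fake_mname"]
    return zone_mname


def soa_mname_from_dig(dig_short_output):
    """First field of `dig +short -t SOA <zone>` is the MNAME; compare it
    with the intended override to confirm which layer actually won."""
    fields = dig_short_output.split()
    return fields[0] if fields else None


if __name__ == "__main__":
    opts = parse_dyndb_options(NAMED_CONF)
    print(migrate_to_server_config(opts, "master.testrelm.test."))
    # Constructed LDAP value: an idnsServerConfig entry that already sets
    # the MNAME, which is why the named.conf fake_mname has no effect.
    ldap_entry = {"idnsSOAMName": "master.testrelm.test."}
    print(effective_soa_mname("master.testrelm.test.", ldap_entry, opts))
    print(soa_mname_from_dig("master.testrelm.test. hostmaster.testrelm.test. "
                             "1515074331 3600 900 1209600 3600"))
```

Running the script reproduces the reporter's observation: with an idnsServerConfig entry present, the `fake_mname` line in named.conf never reaches the answer, and the fix is `ipa dnsserver-mod <server> --soa-mname-override <name>` (or clearing the LDAP attribute) rather than editing named.conf.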