Bug 1595911

Summary: [RFE] Have `adcli join` work without FQDN in `hostname` output
Product: Red Hat Enterprise Linux 7 Reporter: Josip Vilicic <jvilicic>
Component: adcliAssignee: Sumit Bose <sbose>
Status: CLOSED ERRATA QA Contact: ipa-qe <ipa-qe>
Severity: medium Docs Contact:
Priority: medium    
Version: 7.5CC: cpelland, cww, jason.nagin, mike, ondrej.valousek, pcech, pkis, troels
Target Milestone: rcKeywords: FutureFeature
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: adcli-0.8.1-8.el7 Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-08-06 13:11:03 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1594286, 1647919    

Description Josip Vilicic 2018-06-27 18:09:15 UTC 
1. Proposed title of this feature request  
   Making `adcli` more resilient when FQDN isn't in gethostname() results

2. Who is the customer behind the request?  
   Account: University Of Central Florida (1295742)
   TAM customer:  Not that I can tell
   SRM customer:  Not that I can tell
   Strategic:  Not that I can tell
  

3. What is the nature and description of the request?  
   This customer has a large number of RHEL hosts joined to Active Directory with `adcli`.  Some return a FQDN with `hostname` and some return a short name.  Having the short name returned with `hostname` is preferable for some of their internal operations.

   After joining the servers to AD, the servers with shortname `hostname` output had their DNS records  scavenged by AD because their TTL had not been updated.  The workaround is to have "ad_hostname=fqdn" specified in sssd.conf.

   If a FQDN is required to properly join a RHEL host to Active Directory with `adcli`, and the RHEL host returns a shortname with `hostname`, but `hostname -f` returns the FQDN, would it be possible to have `adcli` be more resilient and perhaps get the fqdn from /etc/hosts or concatenate the shortname with the domain it's being joined to?



4. Why does the customer need this? (List the business requirements here)  
   The customer is asking "if adcli truly needs a FQDN, why does it not use `hostname -f`?" which returns the FQDN in their environment.  Having to configure all their hosts to return a FQDN for `hostname` output would be a lot of work.


5. How would the customer like to achieve this? (List the functional requirements here)  
   Have `adcli` require `hostname -f` output instead of `hostname` if it truly requires a FQDN


6. For each functional requirement listed, specify how Red Hat and the customer can test to confirm the requirement is successfully implemented.  
   The customer can verify if DNS records are updated and an AD join persists for hosts that have shortnames
   

7. Is there already an existing RFE upstream or in Red Hat Bugzilla?  
   -- Related bug:  "Bug 86107 - adcli not using fqdn" -- https://bugs.freedesktop.org/show_bug.cgi?id=86107
   -- Upstream bug and discussion:  "DDNS not working due to non FQDN hostname" -- https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org/thread/QHBRCO2JR36PT5F4ZPZNGUHCEE5E4G42/
   -- RFE for RHEL 6 was opened as well but will most likely not be acted upon: https://bugzilla.redhat.com/show_bug.cgi?id=1592974


8. Does the customer have any specific timeline dependencies and which release would they like to target (i.e. RHEL5, RHEL6)?
   The customer has RHEL 7 hosts that they are joining to AD.


9. Is the sales team involved in this request and do they have any additional input?  
   Not at the moment


10. List any affected packages or components.  
    adcli, sssd, Active Directory environment


11. Would the customer be able to assist in testing this functionality if implemented?
    Yes


___________________________________________________


Additional Additional information:

1) The `hostname` output only has a shortname:

   $ cat hostname 
   net1682

2) Similarly, the kernel is only aware of the short name:

   $ cat proc/sys/kernel/hostname 
   net1682

3) But /etc/sysconfig/network has the FQDN:

   $ cat etc/sysconfig/network
   NETWORKING=yes
   HOSTNAME=net1682.net.ucf.edu

4) And the shortname is also in the interface's network script:

   $ cat etc/sysconfig/network-scripts/ifcfg-eth0
   DEVICE="eth0"
   BOOTPROTO="dhcp"
   #GATEWAY="10.169.200.1"
   HOSTNAME="net1682"            <---
   HWADDR="00:50:56:B1:8D:60"
   #IPADDR="10.169.200.79"
   IPV6INIT="no"
   MTU="1500"
   #NETMASK="255.255.255.0"
   NM_CONTROLLED="yes"
   ONBOOT="yes"
   TYPE="Ethernet"
   UUID="ddd7b117-364c-46be-b373-fc6f7c52e3d4"
Comment 3 Josip Vilicic 2018-06-27 18:13:31 UTC 
In the RFE filed for RHEL 6:

   "Bug 1592974 - [RFE] If adcli requires FQDN in `hostname` output, would it be possible to have it use `hostname -f` instead?"
   https://bugzilla.redhat.com/show_bug.cgi?id=1592974


Sumit mentioned:


--------------------------------------------
First, given that RHEL6 is in Maintenance Phase 2, most probable there will be no change to adcli in RHEL6 anymore, see https://access.redhat.com/support/policy/updates/errata for details.

As the adcli man page says adcli uses gethostname() to get the hostname not the hostname command. gethostname() uses the hostname data from the kernel. adcli does this to have a reliable and unique source of the name. The plain hostname command uses the same call.

'hostname -f' tries to canonicalize  the name with the help of a reverse DNS lookup. This might work in some environments but fail in others. Often AD DNS servers do not have the table needed for reverse lookups properly filled. Additionally you might run into issue if multiple network interfaces are used. That's why adcli does not use this as a fallback.

If 'hostname -f' is reliable working in the given environment and given that the chances for a change in RHEL6 are minimal I would suggest to join with:

    adcli join --host-fqdn=$(hostname -f) --domin=...

bye,
Sumit
--------------------------------------------
Comment 4 Josip Vilicic 2018-06-27 19:15:20 UTC 
We communicated the above to the customer and asked if they would still like an RFE for RHEL 7, to which they responded:

--------------------------------------------
Since RHEL 6 is on Maintenance Phase 2, I can understand the RFE being skipped.

DNS servers are not the only location to get the fqdn. You can also check the hosts file. It would also be possible to concatenate the short name with the domain that is being joined.

Setting ad_hostname has been sufficient for us, but evident by the bug reports you have found, we are not the only ones that have come across this problem. Looking up the fqdn in /etc/hosts or concatenating the shortname with the domain, would at least make the program more resilient to minor issues. Having an extremely fragile program is just bad coding.
--------------------------------------------


So we have filed this RFE, with the focus being robustness in adcli's processing of the hostname.
Comment 9 Michael Cronenworth 2019-06-07 15:38:06 UTC 
When is this making it to RHEL 7 general release?

This is *not* a RFE. This is a bug.

https://gitlab.freedesktop.org/realmd/adcli/issues/1
https://bugs.freedesktop.org/show_bug.cgi?id=86107

The current adcli package in RHEL 7 changelog notes a fix for this, but it does NOT fix it.

* Wed Jan 16 2019 Sumit Bose <sbose> - 0.8.1-6.1
- join failed if hostname is not FQDN [#1666775]

The Fedora package, fully patched (this patch), DOES fix this.
Comment 10 Sumit Bose 2019-06-07 15:53:59 UTC 
(In reply to Michael Cronenworth from comment #9)
> When is this making it to RHEL 7 general release?

adcli-0.8.1-9 should fix this and is available in the current RHEL-7.7 beta version
https://www.redhat.com/en/blog/red-hat-enterprise-linux-77-beta-now-available

HTH

bye,
Sumit

> 
> This is *not* a RFE. This is a bug.
> 
> https://gitlab.freedesktop.org/realmd/adcli/issues/1
> https://bugs.freedesktop.org/show_bug.cgi?id=86107
> 
> The current adcli package in RHEL 7 changelog notes a fix for this, but it
> does NOT fix it.
> 
> * Wed Jan 16 2019 Sumit Bose <sbose> - 0.8.1-6.1
> - join failed if hostname is not FQDN [#1666775]
> 
> The Fedora package, fully patched (this patch), DOES fix this.
Comment 12 errata-xmlrpc 2019-08-06 13:11:03 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2019:2256