Bug 1802209

Summary: ipa-client-install fails when host only has an IPv6 address
Product: Red Hat Enterprise Linux 7
Reporter: Ron van der Wees <rvdwees>
Component: sssd
Assignee: Tomas Halman <thalman>
Status: CLOSED WONTFIX
QA Contact: sssd-qe <sssd-qe>
Severity: medium
Priority: medium
Version: 7.7
CC: grajaiya, jhrozek, lslebodn, mzidek, pasik, pbrezina, pcech, rcritten, swachira, thalman, tscherf
Target Milestone: rc
Hardware: All
OS: Linux
Last Closed: 2020-04-29 13:52:37 UTC
Type: Bug

Description Ron van der Wees 2020-02-12 15:38:10 UTC
Description of problem:
Installing an IPA client on a host that only has an IPv6 address fails with an
error message that the "admin user" cannot be found.

Version-Release number of selected component (if applicable):
ipa-client-4.6.5-11.el7_7.4.x86_64
sssd-1.16.4-21.el7_7.1.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Configure an IPA server with an IPv6 address
2. Set up a new host as a client with only an IPv6 address
3. Run "ipa-client-install" on the client

Actual results:
~~~
....
Systemwide CA database updated.
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
[try 1]: Forwarding 'host_mod' to json server 'https://ipa.example.com/ipa/json'
SSSD enabled
Configured /etc/openldap/ldap.conf
Unable to find 'user1' user with 'getent passwd user1'!
Unable to reliably detect configuration. Check NSS setup manually.
NTP enabled
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Searching for IPA server...
IPA server: DNS discovery
Restarting sssd, waiting for it to become available.
Unable to find 'admin' user with 'getent passwd admin'!
This may mean that sssd didn't re-start properly after the configuration changes.
~~~

This is caused by sssd not starting up:
~~~
(Tue Feb 11 10:37:55 2020) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline]
~~~

and can be resolved by adding "lookup_family_order = ipv6_only" under the
domain section in SSSD.conf


Expected results:
Installation to detect an IPv6 only network and configure sssd accordingly.


Additional info:
https://blog.delouw.ch/2017/03/01/configure-sssd-to-work-on-ipv6-only-hosts/
 
and the referenced sssd tickets:
https://pagure.io/SSSD/sssd/issue/2128
https://pagure.io/SSSD/sssd/issue/2015

Comment 1 Rob Crittenden 2020-03-25 20:17:53 UTC
Can you be more specific about IPv6-only?

I've been unable to reproduce this using 7.8 beta.

ipa-client-4.6.6-11.el7
sssd-1.16.4-37.el7

My client and server have only 2 interfaces: lo and eth0. lo has both IPv4 and IPv6 configured. eth0 has only IPv6 configured, link-local and a routed address.

Comment 2 Rob Crittenden 2020-03-25 21:00:23 UTC
Ok, so in this case the server has both IPv4 and IPv6, the client is IPv6-only.

On DNS lookup it will get the IPv4 address so sssd won't work.

The trick will be reliably knowing that only/an IPv6 is available on a client in order to add this option (or ipv6_first).
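
One way to implement the check comment 2 asks for, as an added example that is not part of the bug thread or of ipa-client-install: decide from the host's addresses whether it is IPv6-only (ignoring loopback and link-local, as in comment 1's setup) and, if so, write the workaround from the description into each domain section. The function names, sample addresses and sample sssd.conf are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample: address list as in comment 1 (lo dual-stack, eth0 IPv6-only).
SAMPLE_ADDRS = ["127.0.0.1", "::1", "fe80::5054:ff:fe12:3456", "2001:db8::10"]

# Constructed sample sssd.conf; the domain name is a placeholder.
SAMPLE_CONF = """\
[sssd]
services = nss, pam
domains = example.com

[domain/example.com]
id_provider = ipa
ipa_server = _srv_, ipa.example.com
"""


def usable(addr):
    """True for addresses that can reach a remote server (not loopback/link-local)."""
    ip = ipaddress.ip_address(addr.split("%")[0])  # drop any zone id such as %eth0
    return not (ip.is_loopback or ip.is_link_local or ip.is_unspecified)


def choose_family_order(addrs):
    """Return 'ipv6_only' for an IPv6-only host, else None (keep the SSSD default)."""
    versions = {ipaddress.ip_address(a.split("%")[0]).version for a in addrs if usable(a)}
    return "ipv6_only" if versions == {6} else None


def set_family_order(conf, order):
    """Set lookup_family_order in every [domain/...] section of sssd.conf text."""
    out, in_domain = [], False
    for line in conf.splitlines():
        if line.lstrip().startswith("["):
            in_domain = line.strip().startswith("[domain/")
            out.append(line)
            if in_domain:
                out.append(f"lookup_family_order = {order}")
            continue
        # Drop an older setting inside a domain section so the option is not duplicated.
        if in_domain and re.match(r"\s*lookup_family_order\s*=", line):
            continue
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    order = choose_family_order(SAMPLE_ADDRS)
    print(set_family_order(SAMPLE_CONF, order) if order else SAMPLE_CONF)
```

When applying the result to a real /etc/sssd/sssd.conf, keep the file owned by root with mode 0600 (SSSD refuses to start otherwise) and restart sssd afterwards.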

Comment 3 Rob Crittenden 2020-03-25 21:45:06 UTC
Upstream ticket:
https://pagure.io/freeipa/issue/8243

Comment 4 Ron van der Wees 2020-03-26 08:46:11 UTC
(In reply to Rob Crittenden from comment #2)
> Ok, so in this case the server has both IPv4 and IPv6, the client is
> IPv6-only.
Just to confirm that this is indeed the case.

Comment 5 Rob Crittenden 2020-03-31 15:11:59 UTC
Re-assigning to sssd team to address.

Comment 6 Pavel Březina 2020-04-01 09:25:48 UTC
Upstream ticket:
https://pagure.io/SSSD/sssd/issue/2015

Comment 8 RHEL Program Management 2020-04-29 13:52:37 UTC
Development Management has reviewed and declined this request. You may appeal this decision by using your Red Hat support channels, who will make certain the issue receives the proper prioritization with product and development management.

https://www.redhat.com/support/process/production/#howto

Comment 9 Sam Wachira 2020-05-05 10:11:57 UTC
Upstream SSSD is moving from Pagure to GitHub. This means that new issues and pull requests
will be accepted only in SSSD's GitHub repository.

This issue has been cloned to GitHub and is available here:
https://github.com/SSSD/sssd/issues/3057