Bug 1854557

Summary: | [RFE] ipa-client-install forces nsupdate to bind with gssapi | | |
---|---|---|---|
Product: | Red Hat Enterprise Linux 8 | Reporter: | Striker Leggette <striker> |
Component: | ipa | Assignee: | Thomas Woerner <twoerner> |
Status: | CLOSED ERRATA | QA Contact: | ipa-qe <ipa-qe> |
Severity: | medium | Docs Contact: | |
Priority: | medium | | |
Version: | 8.3 | CC: | abokovoy, amore, fcami, frenaud, ksiddiqu, pasik, pcech, rcritten, ssidhaye, tscherf, twoerner |
Target Milestone: | beta | Keywords: | FutureFeature, Triaged |
Target Release: | 8.4 | | |
Hardware: | All | | |
OS: | All | | |
Whiteboard: | | | |
Fixed In Version: | | Doc Type: | If docs needed, set a value |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2021-11-09 18:21:53 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |

Description
Striker Leggette
2020-07-07 16:37:32 UTC
This is by design. GSS-TSIG is the only way we can securely authenticate to the authoritative DNS server at this point, we have no knowledge or means to do otherwise.

There are two places where a client might do nsupdate in a FreeIPA domain:

- during enrollment process, in ipa-client-install
- during IP address changes in SSSD

SSSD has 'dyndns_auth' option that can be used to force insecure updates with 'none' value.

If we want to have any flexibility here, we probably need to retry nsupdate without GSS-TSIG if tsig version failed and then if that succeeded, set 'dyndns_auth = none' in SSSD configuration.

Upstream ticket: https://pagure.io/freeipa/issue/8402

master:

- 72f44b5 ipa-client-install: remove fsync in do_nsupdate()
- 20c7bd5 ipa-client-install: invoke nsupdate twice (GSS-TSIG, plain)
- 2e31e84 ipa-client-install: update sssd.conf if nsupdate requires -g

ipa-4-9:

- e82f253 ipa-client-install: remove fsync in do_nsupdate()
- a8588c5 ipa-client-install: invoke nsupdate twice (GSS-TSIG, plain)
- 3cbd24d ipa-client-install: update sssd.conf if nsupdate requires -g

Automated test Fixed upstream master: https://pagure.io/freeipa/c/dabf2763f8be750596f9f6e998bce985793e89a8

Automated test Fixed upstream ipa-4-9: https://pagure.io/freeipa/c/4fdab0c94c4e17e42e5f38a0e671bea39bcc9b74

Verified using:

1: runner.log

2021-08-16T08:44:03 ok: [master.ipa.test] => (item=ipa-server) =>
2021-08-16T08:44:03 msg:
2021-08-16T08:44:03 - arch: x86_64
2021-08-16T08:44:03 epoch: null
2021-08-16T08:44:03 name: ipa-server
2021-08-16T08:44:03 release: 4.module+el8.5.0+11912+1b4496cf
2021-08-16T08:44:03 source: rpm
2021-08-16T08:44:03 version: 4.9.6

2: test_result.txt

2021-08-16T08:46:33 ============================= test session starts ==============================
2021-08-16T08:46:33 platform linux -- Python 3.6.8, pytest-3.10.1, py-1.10.0, pluggy-0.13.1 -- /usr/bin/python3
2021-08-16T08:46:33 cachedir: .pytest_cache
2021-08-16T08:46:33 metadata: {'Python': '3.6.8', 'Platform': 'Linux-4.18.0-330.el8.x86_64-x86_64-with-redhat-8.5-Ootpa', 'Packages': {'pytest': '3.10.1', 'py': '1.10.0', 'pluggy': '0.13.1'}, 'Plugins': {'metadata': '1.11.0', 'html': '1.22.1', 'multihost': '3.0', 'sourceorder': '0.5'}}
2021-08-16T08:46:33 rootdir: /tmp/wp/freeipa, inifile: tox.ini
2021-08-16T08:46:33 plugins: metadata-1.11.0, html-1.22.1, multihost-3.0, sourceorder-0.5
2021-08-16T08:46:33 collecting ... collected 1 item
2021-08-16T08:46:33
2021-08-16T08:53:06 ipatests/test_integration/test_installation_client.py::TestClientInstallBind::test_client_nsupdate PASSED [100%]
2021-08-16T08:53:06
2021-08-16T08:53:06 ------------------ generated xml file: /tmp/wp/twd/junit.xml -------------------
2021-08-16T08:53:06 ------------- generated html file: file:///tmp/wp/twd/report.html --------------
2021-08-16T08:53:06 ========================== 1 passed in 392.13 seconds ==========================

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (ipa bug fix and enhancement update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:4230
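
The first comment proposes setting 'dyndns_auth = none' in the SSSD configuration when only the unauthenticated nsupdate succeeds, so an enrolled client in that state can be identified from its sssd.conf. The following audit is an added example, not code from FreeIPA or from this bug report; it assumes the INI layout of sssd.conf with `[domain/NAME]` sections, uses the SSSD option `dyndns_update` (not mentioned above) to tell whether dynamic updates are switched on, and runs against a constructed sample configuration.

```python
import configparser

# Constructed sample sssd.conf (not from the bug report): one domain left on
# the default GSS-TSIG, one switched to unauthenticated DNS updates.
SAMPLE_SSSD_CONF = """\
[sssd]
domains = ipa.test, lab.test
services = nss, pam

[domain/ipa.test]
id_provider = ipa
dyndns_update = True

[domain/lab.test]
id_provider = ipa
dyndns_update = True
dyndns_auth = none
"""


def audit_dyndns_auth(conf_text):
    """Return {domain: finding} for every [domain/...] section.

    'gss-tsig'          authenticated updates (also used when the option is absent)
    'insecure-active'   dyndns_auth = none and dyndns_update = true
    'insecure-inactive' dyndns_auth = none, dyndns_update not set to true here
    """
    # interpolation=None: sssd.conf values may legitimately contain '%'.
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(conf_text)
    findings = {}
    for section in parser.sections():
        if not section.startswith("domain/"):
            continue
        opts = parser[section]
        auth = opts.get("dyndns_auth", "GSS-TSIG").strip().lower()
        # Assumption: an absent dyndns_update is treated as "not enabled";
        # the real default depends on the provider in use.
        updates = opts.get("dyndns_update", "false").strip().lower() == "true"
        if auth == "none":
            finding = "insecure-active" if updates else "insecure-inactive"
        else:
            finding = "gss-tsig"
        findings[section[len("domain/"):]] = finding
    return findings


if __name__ == "__main__":
    for domain, finding in audit_dyndns_auth(SAMPLE_SSSD_CONF).items():
        print(f"{domain}: {finding}")
```

A domain reported as insecure-active sends its DNS record changes without GSS-TSIG, so the DNS zone it updates accepts unauthenticated updates and is worth reviewing alongside the client.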