Bug 728543

Summary: Reduce IPA dependency on the name resolution
Product: Red Hat Enterprise Linux 6 Reporter: Dmitri Pal <dpal>
Component: ipa    Assignee: Rob Crittenden <rcritten>
Status: CLOSED WORKSFORME QA Contact: Chandrasekar Kannan <ckannan>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 6.1    CC: benl, iheim, jgalipea, mkosek, nsoman
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Fixed In Version: ipa-2.2.0-1.el6 Doc Type: Bug Fix
Doc Text:
No documentation needed.
Story Points: ---
Clone Of: Environment:
Last Closed: 2012-05-08 14:47:03 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On:    
Bug Blocks: 756082    

Description Dmitri Pal 2011-08-05 13:57:45 UTC
The current Kerberos implementation in IPA requires reverse name resolution. This creates problems in the cases when IPA is installed as an internal component of a bigger solution. Also, IPA installation fails if there are two reverse addresses.

This bug is to remove the dependency on the proper name resolution.
Per Simo's comment:

I guess we can add a switch for the install, and we have some patches to
prevent libkrb5 from using the reverse address that should already be in
Fedora (not sure about RHEL6), but beyond that if a kerb app fails on
multiple answers to a PTR request there isn't much we can do.

Comment 2 Rob Crittenden 2011-08-05 19:44:18 UTC

Comment 5 Martin Kosek 2011-11-10 12:54:29 UTC
I checked the current status of DNS resolution requirements in FreeIPA 3.x and they look OK to me. I will post my test steps so that somebody can confirm that this BZ's requirements are fulfilled.

1) I installed a FreeIPA server without DNS support and with a custom hostname (ipa.example.com) that is not resolvable. Plus, the reverse record for the IP address of the server points to a different hostname than the chosen one.

# ipa-server-install -p secret123 -a secret123 --hostname=ipa.example.com --no-host-dns

The log file for this installation can be found in /var/log/ipaserver-install.log
This program will set up the FreeIPA Server.

This includes:
  * Configure a stand-alone CA (dogtag) for certificate management
  * Configure the Network Time Daemon (ntpd)
  * Create and configure an instance of Directory Server
  * Create and configure a Kerberos Key Distribution Center (KDC)
  * Configure Apache (httpd)

To accept the default shown in brackets, press the Enter key.

Enter the fully qualified domain name of the computer
on which you're setting up server software. Using the form
Example: master.example.com.

Server host name [ipa.example.com]: 

Warning: skipping DNS resolution of host ipa.example.com

Warning: hostname ipa.example.com does not match system hostname vm-093.idm.lab.bos.redhat.com.
System hostname will be updated during the installation process
to prevent service failures.

The domain name has been calculated based on the host name.

Please confirm the domain name [example.com]: 

Unable to resolve IP address for host name
Please provide the IP address to be used for this host name:
Adding [ ipa.example.com] to your /etc/hosts file
The IPA Master Server will be configured with
Hostname:    ipa.example.com
IP address:
Domain name: example.com

The kerberos protocol requires a Realm name to be defined.
This is typically the domain name converted to uppercase.

Please provide a realm name [EXAMPLE.COM]: 

The following operations may take some minutes to complete.
Please wait until the prompt is returned.

Configuring ntpd
  [1/4]: stopping ntpd
  [11/13]: configuring SELinux for httpd
  [12/13]: restarting httpd
  [13/13]: configuring httpd to start on boot
done configuring httpd.
Applying LDAP updates
Restarting IPA to initialize updates before performing deletes:
  [1/2]: stopping directory server
  [2/2]: starting directory server
done configuring dirsrv.
Restarting the directory server
Restarting the KDC
Restarting the web server
Sample zone file for bind has been created in /tmp/sample.zone.Wub29v.db
Setup complete

2) Then I tested server capabilities:

Every service is running:

# ipactl status
Directory Service: RUNNING

Kinit and ipa command works:

# kinit admin
Password for admin@EXAMPLE.COM: 
[root@vm-093 ~]# ipa user-find
1 user matched
  User login: admin
  Last name: Administrator
  Home directory: /home/admin
  Login shell: /bin/bash
  UID: 416000000
  GID: 416000000
  Account disabled: False
  Password: True
  Kerberos keys available: True
Number of entries returned 1

3) Then I tested if I can join a machine to this server:
- I created a host record on the IPA server with the --force option, as the host does not have an A record. I created a random bulk password for the host:

# ipa host-add vm-138.example.com --random
ipa: ERROR: Host does not have corresponding DNS A record
# ipa host-add vm-138.example.com --random --force
Added host "vm-138.example.com"
  Host name: vm-138.example.com
  Random password: {;.xj^IN,g1V
  Password: True
  Keytab: False
  Managed by: vm-138.example.com

- Back on the client machine I added a record for host IP address to /etc/hosts (as ipa.example.com is not resolvable):

echo " ipa.example.com ipa" >> /etc/hosts

- Then I installed the IPA client with bulk password:

# ipa-client-install --server ipa.example.com --domain example.com --hostname vm-138.example.com -w "{;.xj^IN,g1V"
DNS domain 'example.com' is not configured for automatic KDC address lookup.
KDC address will be set to fixed value.

Discovery was successful!
Hostname: vm-138.example.com
DNS Domain: example.com
IPA Server: ipa.example.com
BaseDN: dc=example,dc=com

Continue to configure the system with these values? [no]: y
Synchronizing time with KDC...
Unable to sync time with IPA NTP server, assuming the time is in sync.
Enrolled in IPA realm EXAMPLE.COM
Created /etc/ipa/default.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm EXAMPLE.COM
Warning: Hostname (vm-138.example.com) not found in DNS
Failed to update DNS A record. (Command '/usr/bin/nsupdate -g /etc/ipa/.dns_update.txt' returned non-zero exit status 1)
SSSD enabled
NTP enabled
Client configuration complete.

- there were warnings about a failure to update a DNS record, which is OK. kinit, id and ipa commands worked fine on the client machine too:

# kinit admin
Password for admin@EXAMPLE.COM: 
# ipa user-find
1 user matched
  User login: admin
  Last name: Administrator
  Home directory: /home/admin
  Login shell: /bin/bash
  UID: 416000000
  GID: 416000000
  Account disabled: False
  Keytab: True
  Password: True
Number of entries returned 1

# id admin
uid=416000000(admin) gid=416000000(admins) groups=416000000(admins)

- all this worked even though the reverse record for the client's IP address points to a different hostname (thanks to the krb5.conf rdns=false setting).
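The test above relies on two workarounds: an /etc/hosts entry stands in for the missing A record, and rdns = false in krb5.conf stops libkrb5 from canonicalizing the server name through the PTR record. The second one is also the security-relevant setting: with rdns enabled, a client told to talk to ipa.example.com would look up the address, then the PTR, and request a ticket for host/vm-093.idm.lab.bos.redhat.com instead, so whoever controls the reverse zone for that address decides which service key the ticket is issued for. The following is an added example (not FreeIPA code and not part of the bug report) that re-creates the scenario from this comment offline: it parses the [libdefaults] section of a constructed krb5.conf, models the lab's forward and reverse DNS with constructed maps and placeholder addresses, and reports which findings would still block enrolment after the two workarounds. The krb5.conf contents, the 192.0.2.x addresses and the function names are assumptions.

```python
"""Added example: does this IPA host/client pair still depend on DNS?
Not FreeIPA code; the krb5.conf text, addresses and resolver maps are
constructed to mirror the scenario in Comment 5 of bug 728543."""

# Constructed krb5.conf resembling what ipa-client-install writes (assumption).
KRB5_CONF = """\
[libdefaults]
  default_realm = EXAMPLE.COM
  dns_lookup_realm = false
  dns_lookup_kdc = false
  rdns = false
  ticket_lifetime = 24h

[realms]
  EXAMPLE.COM = {
    kdc = ipa.example.com:88
    admin_server = ipa.example.com:749
    default_domain = example.com
  }

[domain_realm]
  .example.com = EXAMPLE.COM
  example.com = EXAMPLE.COM
"""

# Constructed lab DNS: the chosen IPA name has no A record and the PTR of
# the server address still names the VM. Addresses are placeholders.
FORWARD = {'vm-093.idm.lab.bos.redhat.com': '192.0.2.93',
           'vm-138.idm.lab.bos.redhat.com': '192.0.2.138'}
REVERSE = {'192.0.2.93': ['vm-093.idm.lab.bos.redhat.com'],
           '192.0.2.138': ['vm-138.idm.lab.bos.redhat.com']}


def libdefaults(conf_text):
    """Key/value pairs of [libdefaults]. krb5.conf is INI-like but [realms]
    nests '{ ... }' blocks, so configparser is avoided; brace depth is
    tracked so a stray '[' inside a block is not taken as a section."""
    section, depth, values = None, 0, {}
    for raw in conf_text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        if depth == 0 and line.startswith('[') and line.endswith(']'):
            section = line[1:-1].lower()
            continue
        if section != 'libdefaults':
            depth += line.count('{') - line.count('}')
            continue
        if '=' in line:
            key, _, value = line.partition('=')
            values[key.strip().lower()] = value.strip()
    return values


def rdns_disabled(conf_text):
    """True only when rdns is explicitly false; MIT krb5 defaults it to true,
    so an absent key means reverse lookups are still used."""
    value = libdefaults(conf_text).get('rdns', '').lower()
    return value in ('false', 'no', 'off', '0')


def dns_findings(hostname, ip, forward=FORWARD, reverse=REVERSE):
    """(code, message) pairs describing how the name/address pair deviates
    from clean DNS. Empty list means A and PTR agree with the chosen name.
    Pass socket-backed lookups instead of the constructed maps for a live check."""
    findings = []
    fwd = forward.get(hostname)
    if fwd is None:
        findings.append(('no_a', 'no A record for %s' % hostname))
    elif fwd != ip:
        findings.append(('a_mismatch', 'A record for %s is %s, not %s' % (hostname, fwd, ip)))
    ptrs = reverse.get(ip, [])
    if not ptrs:
        findings.append(('no_ptr', 'no PTR record for %s' % ip))
    elif len(ptrs) > 1:
        # The description notes that several PTR answers break some Kerberos apps.
        findings.append(('multi_ptr', 'multiple PTR records for %s: %s' % (ip, ', '.join(ptrs))))
    if ptrs and hostname not in ptrs:
        findings.append(('ptr_mismatch', 'PTR for %s is %s, not %s' % (ip, ptrs[0], hostname)))
    return findings


def enrolment_blockers(hostname, ip, conf_text, hosts_entries, forward=FORWARD, reverse=REVERSE):
    """Findings left after the two workarounds from the test: an /etc/hosts
    entry (hosts_entries maps name -> address) covers a missing A record,
    and rdns = false covers a PTR that points elsewhere."""
    blockers = []
    for code, msg in dns_findings(hostname, ip, forward, reverse):
        if code == 'no_a' and hosts_entries.get(hostname) == ip:
            continue
        if code == 'ptr_mismatch' and rdns_disabled(conf_text):
            continue
        blockers.append((code, msg))
    return blockers


if __name__ == '__main__':
    hosts = {'ipa.example.com': '192.0.2.93'}
    for code, msg in dns_findings('ipa.example.com', '192.0.2.93'):
        print('finding:', msg)
    print('blockers:', enrolment_blockers('ipa.example.com', '192.0.2.93', KRB5_CONF, hosts))
```

For a live host, replace the constructed maps with lookups built from socket.gethostbyname and socket.gethostbyaddr and read /etc/krb5.conf; a PTR mismatch reported while rdns_disabled returns False is the configuration this bug was about.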

Comment 8 Martin Kosek 2012-04-18 20:03:42 UTC
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    New Contents:
No documentation needed.

Comment 9 Namita Soman 2012-05-07 17:57:17 UTC
Verified steps as indicated by Martin using ipa-server-2.2.0-12.el6.x86_64. Same behaviour as he listed.

Comment 10 Namita Soman 2012-05-08 14:47:03 UTC
Since no changes were made to address this, closing this as WORKSFORME.