Note: This bug is displayed in read-only format because
the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
DescriptionBrian J. Atkisson
2017-11-29 15:00:37 UTC
Description of problem:
When running ipa-client-install and using DNS locations to prefer IPA servers for a site, ipa-client-install does not appear to respect SRV record priority when discovering the server to use in /etc/ipa/defaults.conf
Version-Release number of selected component (if applicable):
ipa-client-4.5.0-21.el7_4.2.2.x86_64
How reproducible:
always
Steps to Reproduce:
1. Configure a site to use DNS Locations
2. Run ipa-client-install
3.
Actual results:
Server is selected at random
Expected results:
A preferred server should be used
[root@client01 ~]# ipa-client-install --domain=ipa.example.com --configure-firefox --mkhomedir --ntp-server=clock1.rdu2.example.com --ntp-server=clock02.util.phx2.example.com --ntp-server=clock.bos.example.com --force-ntpd --ssh-trust-dns --enable-dns-updates --verbose
Logging to /var/log/ipaclient-install.log
ipa-client-install was invoked with arguments [] and options: {'no_dns_sshfp': False, 'force': False, 'verbose': True, 'ip_addresses': None, 'configure_firefox': True, 'realm_name': None, 'force_ntpd': True, 'on_master': False, 'no_nisdomain': False, 'ssh_trust_dns': True, 'principal': None, 'keytab': None, 'no_ntp': False, 'domain_name': 'ipa.example.com', 'request_cert': False, 'fixed_primary': False, 'no_ac': False, 'no_sudo': False, 'ca_cert_files': None, 'all_ip_addresses': False, 'kinit_attempts': None, 'ntp_servers': ['clock1.rdu2.example.com', 'clock02.util.phx2.example.com', 'clock.bos.example.com'], 'enable_dns_updates': True, 'no_sshd': False, 'no_sssd': False, 'no_krb5_offline_passwords': False, 'servers': None, 'no_ssh': False, 'force_join': False, 'firefox_dir': None, 'unattended': False, 'quiet': False, 'nisdomain': None, 'prompt_password': False, 'host_name': None, 'permit': False, 'automount_location': None, 'preserve_sssd': False, 'mkhomedir': True, 'log_file': None, 'uninstall': False}
IPA version 4.5.0-21.el7_4.2.2
Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
Starting external process
args=/usr/sbin/selinuxenabled
Process finished, return code=0
stdout=
stderr=
[IPA Discovery]
Starting IPA discovery with domain=ipa.example.com, servers=None, hostname=client01.users.ipa.example.com
Search for LDAP SRV record in ipa.example.com
Search DNS for SRV record of _ldap._tcp.ipa.example.com
DNS record found: 50 100 389 idm03.iam.prod.int.rdu2.example.com.
DNS record found: 50 100 389 idm-admin.iam.prod.int.rdu2.example.com.
DNS record found: 0 100 389 idm01.iam.prod.int.rdu2.example.com.
DNS record found: 50 100 389 idm04.iam.prod.int.phx2.example.com.
DNS record found: 50 100 389 idm03.iam.prod.int.phx2.example.com.
DNS record found: 0 100 389 idm02.iam.prod.int.rdu2.example.com.
DNS record found: 50 100 389 idm01.iam.prod.int.phx2.example.com.
DNS record found: 50 100 389 idm04.iam.prod.int.rdu2.example.com.
DNS record found: 50 100 389 idm02.iam.prod.int.phx2.example.com.
DNS record found: 50 100 389 idm-admin.iam.prod.int.phx2.example.com.
[Kerberos realm search]
Search DNS for TXT record of _kerberos.ipa.example.com
DNS record found: "IPA.EXAMPLE.COM"
Search DNS for SRV record of _kerberos._udp.ipa.example.com
DNS record found: 0 100 88 idm02.iam.prod.int.phx2.example.com.
DNS record found: 0 100 88 idm04.iam.prod.int.rdu2.example.com.
DNS record found: 0 100 88 idm03.iam.prod.int.phx2.example.com.
DNS record found: 0 100 88 idm02.iam.prod.int.rdu2.example.com.
DNS record found: 0 100 88 idm04.iam.prod.int.phx2.example.com.
DNS record found: 0 100 88 idm01.iam.prod.int.rdu2.example.com.
DNS record found: 0 100 88 idm03.iam.prod.int.rdu2.example.com.
DNS record found: 0 100 88 idm-admin.iam.prod.int.rdu2.example.com.
DNS record found: 0 100 88 idm-admin.iam.prod.int.phx2.example.com.
DNS record found: 0 100 88 idm01.iam.prod.int.phx2.example.com.
[LDAP server check]
Verifying that idm03.iam.prod.int.rdu2.example.com (realm IPA.EXAMPLE.COM) is an IPA server
Init LDAP connection to: ldap://idm03.iam.prod.int.rdu2.example.com:389
Search LDAP server for IPA base DN
Check if naming context 'dc=ipa,dc=example,dc=com' is for IPA
Naming context 'dc=ipa,dc=example,dc=com' is a valid IPA context
Search for (objectClass=krbRealmContainer) in dc=ipa,dc=example,dc=com (sub)
Found: cn=IPA.EXAMPLE.COM,cn=kerberos,dc=ipa,dc=example,dc=com
Discovery result: Success; server=idm03.iam.prod.int.rdu2.example.com, domain=ipa.example.com, kdc=idm02.iam.prod.int.phx2.example.com,idm04.iam.prod.int.rdu2.example.com,idm03.iam.prod.int.phx2.example.com,idm02.iam.prod.int.rdu2.example.com,idm04.iam.prod.int.phx2.example.com,idm01.iam.prod.int.rdu2.example.com,idm03.iam.prod.int.rdu2.example.com,idm-admin.iam.prod.int.rdu2.example.com,idm-admin.iam.prod.int.phx2.example.com,idm01.iam.prod.int.phx2.example.com, basedn=dc=ipa,dc=example,dc=com
Validated servers: idm03.iam.prod.int.rdu2.example.com
will use discovered domain: ipa.example.com
Start searching for LDAP SRV record in "ipa.example.com" (Validating DNS Discovery) and its sub-domains
Search DNS for SRV record of _ldap._tcp.ipa.example.com
DNS record found: 0 100 389 idm01.iam.prod.int.rdu2.example.com.
DNS record found: 50 100 389 idm04.iam.prod.int.phx2.example.com.
DNS record found: 50 100 389 idm03.iam.prod.int.phx2.example.com.
DNS record found: 0 100 389 idm02.iam.prod.int.rdu2.example.com.
DNS record found: 50 100 389 idm01.iam.prod.int.phx2.example.com.
DNS record found: 50 100 389 idm04.iam.prod.int.rdu2.example.com.
DNS record found: 50 100 389 idm02.iam.prod.int.phx2.example.com.
DNS record found: 50 100 389 idm-admin.iam.prod.int.phx2.example.com.
DNS record found: 50 100 389 idm03.iam.prod.int.rdu2.example.com.
DNS record found: 50 100 389 idm-admin.iam.prod.int.rdu2.example.com.
DNS validated, enabling discovery
will use discovered server: idm03.iam.prod.int.rdu2.example.com
Discovery was successful!
will use discovered realm: IPA.EXAMPLE.COM
will use discovered basedn: dc=ipa,dc=example,dc=com
Client hostname: client01.users.ipa.example.com
Hostname source: Machine's FQDN
Realm: IPA.EXAMPLE.COM
Realm source: Discovered from LDAP DNS records in idm03.iam.prod.int.rdu2.example.com
DNS Domain: ipa.example.com
DNS Domain source: Discovered LDAP SRV records from ipa.example.com
IPA Server: idm03.iam.prod.int.rdu2.example.com
IPA Server source: Discovered from LDAP DNS records in idm03.iam.prod.int.rdu2.example.com
BaseDN: dc=ipa,dc=example,dc=com
BaseDN source: From IPA server ldap://idm03.iam.prod.int.rdu2.example.com:389
Continue to configure the system with these values? [no]:
=====
idm03.iam.prod.int.rdu2.example.com has a priority of 50, whereas, idm02.iam.prod.int.rdu2.example.com and idm01.iam.prod.int.rdu2.example.com have a priority of 0. idm01 or idm02 should have been chosen based on the priority, not idm03.
Comment 2Florence Blanc-Renaud
2017-12-06 13:32:28 UTC
Comment 4Florence Blanc-Renaud
2018-10-18 09:50:46 UTC
This issue has been fixed with the fix for BZ #1594142 SRV lookup doesn't correctly sort results, hence closing as duplicate.
*** This bug has been marked as a duplicate of bug 1594142 ***
Description of problem: When running ipa-client-install and using DNS locations to prefer IPA servers for a site, ipa-client-install does not appear to respect SRV record priority when discovering the server to use in /etc/ipa/defaults.conf Version-Release number of selected component (if applicable): ipa-client-4.5.0-21.el7_4.2.2.x86_64 How reproducible: always Steps to Reproduce: 1. Configure a site to use DNS Locations 2. Run ipa-client-install 3. Actual results: Server is selected at random Expected results: A preferred server should be used [root@client01 ~]# ipa-client-install --domain=ipa.example.com --configure-firefox --mkhomedir --ntp-server=clock1.rdu2.example.com --ntp-server=clock02.util.phx2.example.com --ntp-server=clock.bos.example.com --force-ntpd --ssh-trust-dns --enable-dns-updates --verbose Logging to /var/log/ipaclient-install.log ipa-client-install was invoked with arguments [] and options: {'no_dns_sshfp': False, 'force': False, 'verbose': True, 'ip_addresses': None, 'configure_firefox': True, 'realm_name': None, 'force_ntpd': True, 'on_master': False, 'no_nisdomain': False, 'ssh_trust_dns': True, 'principal': None, 'keytab': None, 'no_ntp': False, 'domain_name': 'ipa.example.com', 'request_cert': False, 'fixed_primary': False, 'no_ac': False, 'no_sudo': False, 'ca_cert_files': None, 'all_ip_addresses': False, 'kinit_attempts': None, 'ntp_servers': ['clock1.rdu2.example.com', 'clock02.util.phx2.example.com', 'clock.bos.example.com'], 'enable_dns_updates': True, 'no_sshd': False, 'no_sssd': False, 'no_krb5_offline_passwords': False, 'servers': None, 'no_ssh': False, 'force_join': False, 'firefox_dir': None, 'unattended': False, 'quiet': False, 'nisdomain': None, 'prompt_password': False, 'host_name': None, 'permit': False, 'automount_location': None, 'preserve_sssd': False, 'mkhomedir': True, 'log_file': None, 'uninstall': False} IPA version 4.5.0-21.el7_4.2.2 Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index' Starting external process args=/usr/sbin/selinuxenabled Process finished, return code=0 stdout= stderr= [IPA Discovery] Starting IPA discovery with domain=ipa.example.com, servers=None, hostname=client01.users.ipa.example.com Search for LDAP SRV record in ipa.example.com Search DNS for SRV record of _ldap._tcp.ipa.example.com DNS record found: 50 100 389 idm03.iam.prod.int.rdu2.example.com. DNS record found: 50 100 389 idm-admin.iam.prod.int.rdu2.example.com. DNS record found: 0 100 389 idm01.iam.prod.int.rdu2.example.com. DNS record found: 50 100 389 idm04.iam.prod.int.phx2.example.com. DNS record found: 50 100 389 idm03.iam.prod.int.phx2.example.com. DNS record found: 0 100 389 idm02.iam.prod.int.rdu2.example.com. DNS record found: 50 100 389 idm01.iam.prod.int.phx2.example.com. DNS record found: 50 100 389 idm04.iam.prod.int.rdu2.example.com. DNS record found: 50 100 389 idm02.iam.prod.int.phx2.example.com. DNS record found: 50 100 389 idm-admin.iam.prod.int.phx2.example.com. [Kerberos realm search] Search DNS for TXT record of _kerberos.ipa.example.com DNS record found: "IPA.EXAMPLE.COM" Search DNS for SRV record of _kerberos._udp.ipa.example.com DNS record found: 0 100 88 idm02.iam.prod.int.phx2.example.com. DNS record found: 0 100 88 idm04.iam.prod.int.rdu2.example.com. DNS record found: 0 100 88 idm03.iam.prod.int.phx2.example.com. DNS record found: 0 100 88 idm02.iam.prod.int.rdu2.example.com. DNS record found: 0 100 88 idm04.iam.prod.int.phx2.example.com. DNS record found: 0 100 88 idm01.iam.prod.int.rdu2.example.com. DNS record found: 0 100 88 idm03.iam.prod.int.rdu2.example.com. DNS record found: 0 100 88 idm-admin.iam.prod.int.rdu2.example.com. DNS record found: 0 100 88 idm-admin.iam.prod.int.phx2.example.com. DNS record found: 0 100 88 idm01.iam.prod.int.phx2.example.com. [LDAP server check] Verifying that idm03.iam.prod.int.rdu2.example.com (realm IPA.EXAMPLE.COM) is an IPA server Init LDAP connection to: ldap://idm03.iam.prod.int.rdu2.example.com:389 Search LDAP server for IPA base DN Check if naming context 'dc=ipa,dc=example,dc=com' is for IPA Naming context 'dc=ipa,dc=example,dc=com' is a valid IPA context Search for (objectClass=krbRealmContainer) in dc=ipa,dc=example,dc=com (sub) Found: cn=IPA.EXAMPLE.COM,cn=kerberos,dc=ipa,dc=example,dc=com Discovery result: Success; server=idm03.iam.prod.int.rdu2.example.com, domain=ipa.example.com, kdc=idm02.iam.prod.int.phx2.example.com,idm04.iam.prod.int.rdu2.example.com,idm03.iam.prod.int.phx2.example.com,idm02.iam.prod.int.rdu2.example.com,idm04.iam.prod.int.phx2.example.com,idm01.iam.prod.int.rdu2.example.com,idm03.iam.prod.int.rdu2.example.com,idm-admin.iam.prod.int.rdu2.example.com,idm-admin.iam.prod.int.phx2.example.com,idm01.iam.prod.int.phx2.example.com, basedn=dc=ipa,dc=example,dc=com Validated servers: idm03.iam.prod.int.rdu2.example.com will use discovered domain: ipa.example.com Start searching for LDAP SRV record in "ipa.example.com" (Validating DNS Discovery) and its sub-domains Search DNS for SRV record of _ldap._tcp.ipa.example.com DNS record found: 0 100 389 idm01.iam.prod.int.rdu2.example.com. DNS record found: 50 100 389 idm04.iam.prod.int.phx2.example.com. DNS record found: 50 100 389 idm03.iam.prod.int.phx2.example.com. DNS record found: 0 100 389 idm02.iam.prod.int.rdu2.example.com. DNS record found: 50 100 389 idm01.iam.prod.int.phx2.example.com. DNS record found: 50 100 389 idm04.iam.prod.int.rdu2.example.com. DNS record found: 50 100 389 idm02.iam.prod.int.phx2.example.com. DNS record found: 50 100 389 idm-admin.iam.prod.int.phx2.example.com. DNS record found: 50 100 389 idm03.iam.prod.int.rdu2.example.com. DNS record found: 50 100 389 idm-admin.iam.prod.int.rdu2.example.com. DNS validated, enabling discovery will use discovered server: idm03.iam.prod.int.rdu2.example.com Discovery was successful! will use discovered realm: IPA.EXAMPLE.COM will use discovered basedn: dc=ipa,dc=example,dc=com Client hostname: client01.users.ipa.example.com Hostname source: Machine's FQDN Realm: IPA.EXAMPLE.COM Realm source: Discovered from LDAP DNS records in idm03.iam.prod.int.rdu2.example.com DNS Domain: ipa.example.com DNS Domain source: Discovered LDAP SRV records from ipa.example.com IPA Server: idm03.iam.prod.int.rdu2.example.com IPA Server source: Discovered from LDAP DNS records in idm03.iam.prod.int.rdu2.example.com BaseDN: dc=ipa,dc=example,dc=com BaseDN source: From IPA server ldap://idm03.iam.prod.int.rdu2.example.com:389 Continue to configure the system with these values? [no]: ===== idm03.iam.prod.int.rdu2.example.com has a priority of 50, whereas, idm02.iam.prod.int.rdu2.example.com and idm01.iam.prod.int.rdu2.example.com have a priority of 0. idm01 or idm02 should have been chosen based on the priority, not idm03.