Bug 1518792 - ipa-client-install should respect DNS Locations SRV record priority
Keywords:
Status: CLOSED DUPLICATE of bug 1594142
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.4
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assignee: IPA Maintainers
QA Contact: ipa-qe
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2017-11-29 15:00 UTC by Brian J. Atkisson
Modified: 2018-10-18 09:50 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-10-18 09:50:46 UTC
Target Upstream Version:
Embargoed:



Description Brian J. Atkisson 2017-11-29 15:00:37 UTC
Description of problem:

When running ipa-client-install and using DNS locations to prefer IPA servers for a site, ipa-client-install does not appear to respect SRV record priority when discovering the server to use in /etc/ipa/defaults.conf

Version-Release number of selected component (if applicable):
ipa-client-4.5.0-21.el7_4.2.2.x86_64

How reproducible:
always

Steps to Reproduce:
1. Configure a site to use DNS Locations
2. Run ipa-client-install
3.

Actual results:
Server is selected at random

Expected results:
A preferred server should be used


[root@client01 ~]# ipa-client-install  --domain=ipa.example.com --configure-firefox --mkhomedir  --ntp-server=clock1.rdu2.example.com --ntp-server=clock02.util.phx2.example.com --ntp-server=clock.bos.example.com --force-ntpd --ssh-trust-dns --enable-dns-updates --verbose
Logging to /var/log/ipaclient-install.log
ipa-client-install was invoked with arguments [] and options: {'no_dns_sshfp': False, 'force': False, 'verbose': True, 'ip_addresses': None, 'configure_firefox': True, 'realm_name': None, 'force_ntpd': True, 'on_master': False, 'no_nisdomain': False, 'ssh_trust_dns': True, 'principal': None, 'keytab': None, 'no_ntp': False, 'domain_name': 'ipa.example.com', 'request_cert': False, 'fixed_primary': False, 'no_ac': False, 'no_sudo': False, 'ca_cert_files': None, 'all_ip_addresses': False, 'kinit_attempts': None, 'ntp_servers': ['clock1.rdu2.example.com', 'clock02.util.phx2.example.com', 'clock.bos.example.com'], 'enable_dns_updates': True, 'no_sshd': False, 'no_sssd': False, 'no_krb5_offline_passwords': False, 'servers': None, 'no_ssh': False, 'force_join': False, 'firefox_dir': None, 'unattended': False, 'quiet': False, 'nisdomain': None, 'prompt_password': False, 'host_name': None, 'permit': False, 'automount_location': None, 'preserve_sssd': False, 'mkhomedir': True, 'log_file': None, 'uninstall': False}
IPA version 4.5.0-21.el7_4.2.2
Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
Starting external process
args=/usr/sbin/selinuxenabled
Process finished, return code=0
stdout=
stderr=
[IPA Discovery]
Starting IPA discovery with domain=ipa.example.com, servers=None, hostname=client01.users.ipa.example.com
Search for LDAP SRV record in ipa.example.com
Search DNS for SRV record of _ldap._tcp.ipa.example.com
DNS record found: 50 100 389 idm03.iam.prod.int.rdu2.example.com.
DNS record found: 50 100 389 idm-admin.iam.prod.int.rdu2.example.com.
DNS record found: 0 100 389 idm01.iam.prod.int.rdu2.example.com.
DNS record found: 50 100 389 idm04.iam.prod.int.phx2.example.com.
DNS record found: 50 100 389 idm03.iam.prod.int.phx2.example.com.
DNS record found: 0 100 389 idm02.iam.prod.int.rdu2.example.com.
DNS record found: 50 100 389 idm01.iam.prod.int.phx2.example.com.
DNS record found: 50 100 389 idm04.iam.prod.int.rdu2.example.com.
DNS record found: 50 100 389 idm02.iam.prod.int.phx2.example.com.
DNS record found: 50 100 389 idm-admin.iam.prod.int.phx2.example.com.
[Kerberos realm search]
Search DNS for TXT record of _kerberos.ipa.example.com
DNS record found: "IPA.EXAMPLE.COM"
Search DNS for SRV record of _kerberos._udp.ipa.example.com
DNS record found: 0 100 88 idm02.iam.prod.int.phx2.example.com.
DNS record found: 0 100 88 idm04.iam.prod.int.rdu2.example.com.
DNS record found: 0 100 88 idm03.iam.prod.int.phx2.example.com.
DNS record found: 0 100 88 idm02.iam.prod.int.rdu2.example.com.
DNS record found: 0 100 88 idm04.iam.prod.int.phx2.example.com.
DNS record found: 0 100 88 idm01.iam.prod.int.rdu2.example.com.
DNS record found: 0 100 88 idm03.iam.prod.int.rdu2.example.com.
DNS record found: 0 100 88 idm-admin.iam.prod.int.rdu2.example.com.
DNS record found: 0 100 88 idm-admin.iam.prod.int.phx2.example.com.
DNS record found: 0 100 88 idm01.iam.prod.int.phx2.example.com.
[LDAP server check]
Verifying that idm03.iam.prod.int.rdu2.example.com (realm IPA.EXAMPLE.COM) is an IPA server
Init LDAP connection to: ldap://idm03.iam.prod.int.rdu2.example.com:389
Search LDAP server for IPA base DN
Check if naming context 'dc=ipa,dc=example,dc=com' is for IPA
Naming context 'dc=ipa,dc=example,dc=com' is a valid IPA context
Search for (objectClass=krbRealmContainer) in dc=ipa,dc=example,dc=com (sub)
Found: cn=IPA.EXAMPLE.COM,cn=kerberos,dc=ipa,dc=example,dc=com
Discovery result: Success; server=idm03.iam.prod.int.rdu2.example.com, domain=ipa.example.com, kdc=idm02.iam.prod.int.phx2.example.com,idm04.iam.prod.int.rdu2.example.com,idm03.iam.prod.int.phx2.example.com,idm02.iam.prod.int.rdu2.example.com,idm04.iam.prod.int.phx2.example.com,idm01.iam.prod.int.rdu2.example.com,idm03.iam.prod.int.rdu2.example.com,idm-admin.iam.prod.int.rdu2.example.com,idm-admin.iam.prod.int.phx2.example.com,idm01.iam.prod.int.phx2.example.com, basedn=dc=ipa,dc=example,dc=com
Validated servers: idm03.iam.prod.int.rdu2.example.com
will use discovered domain: ipa.example.com
Start searching for LDAP SRV record in "ipa.example.com" (Validating DNS Discovery) and its sub-domains
Search DNS for SRV record of _ldap._tcp.ipa.example.com
DNS record found: 0 100 389 idm01.iam.prod.int.rdu2.example.com.
DNS record found: 50 100 389 idm04.iam.prod.int.phx2.example.com.
DNS record found: 50 100 389 idm03.iam.prod.int.phx2.example.com.
DNS record found: 0 100 389 idm02.iam.prod.int.rdu2.example.com.
DNS record found: 50 100 389 idm01.iam.prod.int.phx2.example.com.
DNS record found: 50 100 389 idm04.iam.prod.int.rdu2.example.com.
DNS record found: 50 100 389 idm02.iam.prod.int.phx2.example.com.
DNS record found: 50 100 389 idm-admin.iam.prod.int.phx2.example.com.
DNS record found: 50 100 389 idm03.iam.prod.int.rdu2.example.com.
DNS record found: 50 100 389 idm-admin.iam.prod.int.rdu2.example.com.
DNS validated, enabling discovery
will use discovered server: idm03.iam.prod.int.rdu2.example.com
Discovery was successful!
will use discovered realm: IPA.EXAMPLE.COM
will use discovered basedn: dc=ipa,dc=example,dc=com
Client hostname: client01.users.ipa.example.com
Hostname source: Machine's FQDN
Realm: IPA.EXAMPLE.COM
Realm source: Discovered from LDAP DNS records in idm03.iam.prod.int.rdu2.example.com
DNS Domain: ipa.example.com
DNS Domain source: Discovered LDAP SRV records from ipa.example.com
IPA Server: idm03.iam.prod.int.rdu2.example.com
IPA Server source: Discovered from LDAP DNS records in idm03.iam.prod.int.rdu2.example.com
BaseDN: dc=ipa,dc=example,dc=com
BaseDN source: From IPA server ldap://idm03.iam.prod.int.rdu2.example.com:389

Continue to configure the system with these values? [no]: 

=====



idm03.iam.prod.int.rdu2.example.com has a priority of 50, whereas idm02.iam.prod.int.rdu2.example.com and idm01.iam.prod.int.rdu2.example.com have a priority of 0. idm01 or idm02 should have been chosen based on the priority, not idm03.
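
The ordering the report expects, as an added example (not part of the original bug report and not FreeIPA's code): the ten `_ldap._tcp` answers from the log above are parsed and ordered as RFC 2782 describes, lowest priority first with weighted random selection inside each priority group. The names `parse_srv`, `order_srv` and `candidate_servers` are hypothetical.

```python
import random
import re
from collections import defaultdict
# The ten _ldap._tcp answers copied from the discovery log in this report.
SAMPLE_LOG = """\
DNS record found: 50 100 389 idm03.iam.prod.int.rdu2.example.com.
DNS record found: 50 100 389 idm-admin.iam.prod.int.rdu2.example.com.
DNS record found: 0 100 389 idm01.iam.prod.int.rdu2.example.com.
DNS record found: 50 100 389 idm04.iam.prod.int.phx2.example.com.
DNS record found: 50 100 389 idm03.iam.prod.int.phx2.example.com.
DNS record found: 0 100 389 idm02.iam.prod.int.rdu2.example.com.
DNS record found: 50 100 389 idm01.iam.prod.int.phx2.example.com.
DNS record found: 50 100 389 idm04.iam.prod.int.rdu2.example.com.
DNS record found: 50 100 389 idm02.iam.prod.int.phx2.example.com.
DNS record found: 50 100 389 idm-admin.iam.prod.int.phx2.example.com.
"""

# Matches only SRV-shaped lines; the quoted TXT answer in the log is skipped.
RECORD = re.compile(r"DNS record found: (\d+) (\d+) (\d+) (\S+)")

def parse_srv(log):
    """Return (priority, weight, port, target) tuples from discovery log lines."""
    return [(int(p), int(w), int(port), t.rstrip("."))
            for p, w, port, t in RECORD.findall(log)]

def order_srv(records, rng=random):
    """Order SRV records per RFC 2782: ascending priority, weighted within it."""
    by_prio = defaultdict(list)
    for rec in records:
        by_prio[rec[0]].append(rec)
    ordered = []
    for prio in sorted(by_prio):
        # RFC 2782 puts weight-0 records at the front of the selection list.
        pool = sorted(by_prio[prio], key=lambda r: r[1] != 0)
        while pool:
            pick = rng.randint(0, sum(r[1] for r in pool))
            running = 0
            for i, rec in enumerate(pool):
                running += rec[1]
                if running >= pick:  # first running sum >= the random pick
                    ordered.append(pool.pop(i))
                    break
    return ordered

def candidate_servers(log, rng=random):
    """Server names in the order a client should try them."""
    return [t for _, _, _, t in order_srv(parse_srv(log), rng)]

if __name__ == "__main__":
    print("\n".join(candidate_servers(SAMPLE_LOG)))
```

Whatever the random draw, idm01 and idm02 in rdu2 (priority 0) occupy the first two positions, and idm03 is only tried after both.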

Comment 2 Florence Blanc-Renaud 2017-12-06 13:32:28 UTC
Upstream ticket:
https://pagure.io/freeipa/issue/7306

Comment 4 Florence Blanc-Renaud 2018-10-18 09:50:46 UTC
This issue has been fixed with the fix for BZ #1594142 SRV lookup doesn't correctly sort results, hence closing as duplicate.

*** This bug has been marked as a duplicate of bug 1594142 ***

