RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 1595911 - [RFE] Have `adcli join` work without FQDN in `hostname` output
Summary: [RFE] Have `adcli join` work without FQDN in `hostname` output
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: adcli
Version: 7.5
Hardware: Unspecified
OS: Unspecified
medium
medium
Target Milestone: rc
: ---
Assignee: Sumit Bose
QA Contact: ipa-qe
URL:
Whiteboard:
Depends On:
Blocks: 1594286 1647919
TreeView+ depends on / blocked
 
Reported: 2018-06-27 18:09 UTC by Josip Vilicic
Modified: 2023-09-07 19:13 UTC (History)
8 users (show)

Fixed In Version: adcli-0.8.1-8.el7
Doc Type: Enhancement
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-08-06 13:11:03 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHEA-2019:2256 0 None None None 2019-08-06 13:11:10 UTC

Description Josip Vilicic 2018-06-27 18:09:15 UTC 
1. Proposed title of this feature request  
   Making `adcli` more resilient when FQDN isn't in gethostname() results

2. Who is the customer behind the request?  
   Account: University Of Central Florida (1295742)
   TAM customer:  Not that I can tell
   SRM customer:  Not that I can tell
   Strategic:  Not that I can tell
  

3. What is the nature and description of the request?  
   This customer has a large number of RHEL hosts joined to Active Directory with `adcli`.  Some return a FQDN with `hostname` and some return a short name.  Having the short name returned with `hostname` is preferable for some of their internal operations.

   After joining the servers to AD, the servers with shortname `hostname` output had their DNS records  scavenged by AD because their TTL had not been updated.  The workaround is to have "ad_hostname=fqdn" specified in sssd.conf.

   If a FQDN is required to properly join a RHEL host to Active Directory with `adcli`, and the RHEL host returns a shortname with `hostname`, but `hostname -f` returns the FQDN, would it be possible to have `adcli` be more resilient and perhaps get the fqdn from /etc/hosts or concatenate the shortname with the domain it's being joined to?



4. Why does the customer need this? (List the business requirements here)  
   The customer is asking "if adcli truly needs a FQDN, why does it not use `hostname -f`?" which returns the FQDN in their environment.  Having to configure all their hosts to return a FQDN for `hostname` output would be a lot of work.


5. How would the customer like to achieve this? (List the functional requirements here)  
   Have `adcli` require `hostname -f` output instead of `hostname` if it truly requires a FQDN


6. For each functional requirement listed, specify how Red Hat and the customer can test to confirm the requirement is successfully implemented.  
   The customer can verify if DNS records are updated and an AD join persists for hosts that have shortnames
   

7. Is there already an existing RFE upstream or in Red Hat Bugzilla?  
   -- Related bug:  "Bug 86107 - adcli not using fqdn" -- https://bugs.freedesktop.org/show_bug.cgi?id=86107
   -- Upstream bug and discussion:  "DDNS not working due to non FQDN hostname" -- https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org/thread/QHBRCO2JR36PT5F4ZPZNGUHCEE5E4G42/
   -- RFE for RHEL 6 was opened as well but will most likely not be acted upon: https://bugzilla.redhat.com/show_bug.cgi?id=1592974


8. Does the customer have any specific timeline dependencies and which release would they like to target (i.e. RHEL5, RHEL6)?
   The customer has RHEL 7 hosts that they are joining to AD.


9. Is the sales team involved in this request and do they have any additional input?  
   Not at the moment


10. List any affected packages or components.  
    adcli, sssd, Active Directory environment


11. Would the customer be able to assist in testing this functionality if implemented?
    Yes


___________________________________________________


Additional Additional information:

1) The `hostname` output only has a shortname:

   $ cat hostname 
   net1682

2) Similarly, the kernel is only aware of the short name:

   $ cat proc/sys/kernel/hostname 
   net1682

3) But /etc/sysconfig/network has the FQDN:

   $ cat etc/sysconfig/network
   NETWORKING=yes
   HOSTNAME=net1682.net.ucf.edu

4) And the shortname is also in the interface's network script:

   $ cat etc/sysconfig/network-scripts/ifcfg-eth0
   DEVICE="eth0"
   BOOTPROTO="dhcp"
   #GATEWAY="10.169.200.1"
   HOSTNAME="net1682"            <---
   HWADDR="00:50:56:B1:8D:60"
   #IPADDR="10.169.200.79"
   IPV6INIT="no"
   MTU="1500"
   #NETMASK="255.255.255.0"
   NM_CONTROLLED="yes"
   ONBOOT="yes"
   TYPE="Ethernet"
   UUID="ddd7b117-364c-46be-b373-fc6f7c52e3d4"
Comment 3 Josip Vilicic 2018-06-27 18:13:31 UTC 
In the RFE filed for RHEL 6:

   "Bug 1592974 - [RFE] If adcli requires FQDN in `hostname` output, would it be possible to have it use `hostname -f` instead?"
   https://bugzilla.redhat.com/show_bug.cgi?id=1592974


Sumit mentioned:


--------------------------------------------
First, given that RHEL6 is in Maintenance Phase 2, most probable there will be no change to adcli in RHEL6 anymore, see https://access.redhat.com/support/policy/updates/errata for details.

As the adcli man page says adcli uses gethostname() to get the hostname not the hostname command. gethostname() uses the hostname data from the kernel. adcli does this to have a reliable and unique source of the name. The plain hostname command uses the same call.

'hostname -f' tries to canonicalize  the name with the help of a reverse DNS lookup. This might work in some environments but fail in others. Often AD DNS servers do not have the table needed for reverse lookups properly filled. Additionally you might run into issue if multiple network interfaces are used. That's why adcli does not use this as a fallback.

If 'hostname -f' is reliable working in the given environment and given that the chances for a change in RHEL6 are minimal I would suggest to join with:

    adcli join --host-fqdn=$(hostname -f) --domin=...

bye,
Sumit
--------------------------------------------
Comment 4 Josip Vilicic 2018-06-27 19:15:20 UTC 
We communicated the above to the customer and asked if they would still like an RFE for RHEL 7, to which they responded:

--------------------------------------------
Since RHEL 6 is on Maintenance Phase 2, I can understand the RFE being skipped.

DNS servers are not the only location to get the fqdn. You can also check the hosts file. It would also be possible to concatenate the short name with the domain that is being joined.

Setting ad_hostname has been sufficient for us, but evident by the bug reports you have found, we are not the only ones that have come across this problem. Looking up the fqdn in /etc/hosts or concatenating the shortname with the domain, would at least make the program more resilient to minor issues. Having an extremely fragile program is just bad coding.
--------------------------------------------


So we have filed this RFE, with the focus being robustness in adcli's processing of the hostname.
Comment 9 Michael Cronenworth 2019-06-07 15:38:06 UTC 
When is this making it to RHEL 7 general release?

This is *not* a RFE. This is a bug.

https://gitlab.freedesktop.org/realmd/adcli/issues/1
https://bugs.freedesktop.org/show_bug.cgi?id=86107

The current adcli package in RHEL 7 changelog notes a fix for this, but it does NOT fix it.

* Wed Jan 16 2019 Sumit Bose <sbose> - 0.8.1-6.1
- join failed if hostname is not FQDN [#1666775]

The Fedora package, fully patched (this patch), DOES fix this.
Comment 10 Sumit Bose 2019-06-07 15:53:59 UTC 
(In reply to Michael Cronenworth from comment #9)
> When is this making it to RHEL 7 general release?

adcli-0.8.1-9 should fix this and is available in the current RHEL-7.7 beta version
https://www.redhat.com/en/blog/red-hat-enterprise-linux-77-beta-now-available

HTH

bye,
Sumit

> 
> This is *not* a RFE. This is a bug.
> 
> https://gitlab.freedesktop.org/realmd/adcli/issues/1
> https://bugs.freedesktop.org/show_bug.cgi?id=86107
> 
> The current adcli package in RHEL 7 changelog notes a fix for this, but it
> does NOT fix it.
> 
> * Wed Jan 16 2019 Sumit Bose <sbose> - 0.8.1-6.1
> - join failed if hostname is not FQDN [#1666775]
> 
> The Fedora package, fully patched (this patch), DOES fix this.
Comment 12 errata-xmlrpc 2019-08-06 13:11:03 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2019:2256
Note You need to log in before you can comment on or make changes to this bug.