Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1827716

Summary: [RFE] enable ipa-getkeytab to use DNS SRV records to determine IPA server
Product: Red Hat Enterprise Linux 9
Component: ipa
Reporter: Daniel Whitley <dwhitley>
Assignee: Florence Blanc-Renaud <frenaud>
QA Contact: ipa-qe <ipa-qe>
Status: CLOSED DUPLICATE
Severity: medium
Priority: medium
Version: unspecified
CC: pasik, pcech, rcritten, tscherf
Target Milestone: beta
Target Release: ---
Keywords: FutureFeature, Triaged
Flags: pm-rhel: mirror+
Hardware: Unspecified
OS: Linux
Last Closed: 2021-08-03 16:40:26 UTC
Type: Bug

Description Daniel Whitley 2020-04-24 15:33:06 UTC
1. Proposed title of this feature request

enable ipa-getkeytab to use DNS SRV records to determine IPA server

3. What is the nature and description of the request?

The customer is aware of the importance of having valid and reliable DNS entries when using tools such as `ipa-client-install` and now that they have embraced this, it is surprising to find that `ipa-getkeytab` is not able to rely on the same functionality. There are currently only two options, neither of which is ideal:

(a) specify a server FQDN with `-s`
This approach makes scripting/automation very difficult in the case that anything changes.

(b) rely on the contents of `/etc/ipa/defaults.conf`
The contents of this file are changed by various other tools, such as `ipa-client-install` and then again with `ipa-replica-install`.  This file can become not-current very easily in a dynamic environment.

4. Why does the customer need this? (List the business requirements here)

The customer needs this because:

(a) they are already relying on DNS for other ipa-* tools
(b) their environment is dynamic so existing methods of specifying a server are not ideal

5. How would the customer like to achieve this? (List the functional requirements here)

This could be achieved by utilizing the "Failover Mechanism" already used by `ipa-client-install` to determine a valid IPA server based on SRV records in DNS.  The `ipa-client-install` man page suggests:

    The Failover Mechanism
       When  some  of the IPA servers is not available, client components are
       able to fallback to other IPA replica and thus preserving a continued
       service. When client machine is configured to use DNS SRV record
       autodiscovery (no fixed server was passed to the installer), client
       components do the fallback automatically, based on the IPA server
       hostnames and priorities discovered from the DNS SRV records.

6. For each functional requirement listed, specify how Red Hat and the customer can test to confirm the requirement is successfully implemented.

This could be confirmed to be working by NOT using `-s` when running `ipa-getkeytab` and having stale/outdated information in `/etc/ipa/defaults.conf`

7. Is there already an existing RFE upstream or in Red Hat Bugzilla?

Similar to the following, which appears to have added the functionality of using a file if no commandline option was given, but this RFE is to extend that further, to utilize SRV records instead:

* https://bugzilla.redhat.com/show_bug.cgi?id=768316
* https://pagure.io/freeipa/issue/2203

8. Does the customer have any specific timeline dependencies and which release would they like to target (i.e. RHEL5, RHEL6)?

RHEL7

9. Is the sales team involved in this request and do they have any additional input?

N/A

10. List any affected packages or components.

ipa-client provides /usr/sbin/ipa-getkeytab

11. Would the customer be able to assist in testing this functionality if implemented?

Yes.
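
A sketch of the SRV-based server selection requested above, added here as an example (not part of the bug report and not FreeIPA code): it orders `dig +short SRV` answers by priority and tries `ipa-getkeytab -s` against each server in turn. The function names, the `example.test` hosts and principal, and the `_ldap._tcp.<domain>` lookup name are assumptions of this example.

```shell
#!/bin/sh
# Added example, not FreeIPA code. Input lines use the `dig +short SRV`
# layout: "priority weight port target."

# Constructed sample answers for _ldap._tcp.example.test (not real hosts).
sample_srv_answers() {
    cat <<'EOF'
10 100 389 ipa2.example.test.
0 50 389 ipa3.example.test.
0 100 389 ipa1.example.test.
0 100 389 -bad.example.test.
;; connection timed out
EOF
}

# Print target hostnames from SRV answers on stdin: lowest priority value
# first, then highest weight first (a deterministic simplification of the
# weighted selection in RFC 2782).
srv_candidates() {
    awk 'NF == 4 && $1 ~ /^[0-9]+$/ && $2 ~ /^[0-9]+$/ && $3 ~ /^[0-9]+$/ {
             host = $4
             sub(/\.$/, "", host)        # drop the trailing root dot
             # Keep only plain DNS hostnames, so a value that came from DNS
             # can never be read as an option or contain shell syntax.
             if (host ~ /^[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?$/)
                 print $1, $2, host
         }' | LC_ALL=C sort -k1,1n -k2,2nr | awk '{ print $3 }'
}

# getkeytab_via_srv DOMAIN PRINCIPAL KEYTAB
# Needs a valid Kerberos ticket (kinit) and the dig utility. By default
# ipa-getkeytab generates new keys, which invalidates older keytabs for
# the principal, so run it only where a fresh keytab is intended.
getkeytab_via_srv() {
    domain=$1 principal=$2 keytab=$3
    for server in $(dig +short SRV "_ldap._tcp.${domain}" | srv_candidates); do
        if ipa-getkeytab -s "$server" -p "$principal" -k "$keytab"; then
            echo "keytab retrieved from $server" >&2
            return 0
        fi
    done
    echo "no IPA server found via SRV records for $domain answered" >&2
    return 1
}

# Usage:
#   getkeytab_via_srv example.test host/client.example.test /etc/krb5.keytab
```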

Comment 4 Florence Blanc-Renaud 2020-04-24 16:45:35 UTC
Thank you for taking your time and submitting this request for Red Hat Enterprise Linux 7.
As RHEL-7.9 is already near the end of a Development Phase, this RFE is moved to RHEL 8 for proper evaluation.

Comment 9 Florence Blanc-Renaud 2021-08-03 16:40:26 UTC
This request for enhancement is also tracked in another BZ: #1988383 Do SRV discovery in ipa-getkeytab if -s and -H aren't provided
#1988383 is planned for RHEL 9.0 and already fixed upstream.

Closing as a duplicate

*** This bug has been marked as a duplicate of bug 1988383 ***