+++ This bug was initially created as a clone of Bug #729357 +++
Description of problem:
In RHEVM we implement a wrapper to install IPA with the simplest configuration possible: no CA is required, no Kerberos and no DNS configuration.
The only host that can connect to the IPA instance we deploy is the host itself. Yet ipa-server-install still performs DNS checks (even with the --no-dns flag supplied), which can fail the installation. We need a method to install IPA which will be bulletproof and will not perform checks that protect functions we do not intend to use.
ipaserver.install.installutils.verify_fqdn still verifies the reverse DNS lookup for the IP address of the host even though the --no-dns flag is provided.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
This was already closed upstream and will be released as part of a future FreeIPA release.
The bug also refers to the wrong flag above:
instead of --no-dns it should be --no-host-dns.
Changed the machine name so that it does not resolve to an IP address and installed ...
# ipa-server-install -p mysecret -P mysecret -a mysecret --no-host-dns
Warning: skipping DNS resolution of host ipaserver.rhts.eng.rdu.redhat.com
The domain name has been calculated based on the host name.
# kinit admin
Password for admin@RHTS.ENG.RDU.REDHAT.COM:
# ipa user-add --first=Jenny --last=Galipeau jgalipea
Added user "jgalipea"
User login: jgalipea
First name: Jenny
Last name: Galipeau
Full name: Jenny Galipeau
Display name: Jenny Galipeau
Home directory: /home/jgalipea
GECOS field: Jenny Galipeau
Login shell: /bin/sh
Kerberos principal: jgalipea@RHTS.ENG.RDU.REDHAT.COM
# ipa passwd jgalipea
Enter Password again to verify:
Changed password for "jgalipea@RHTS.ENG.RDU.REDHAT.COM"
# kinit jgalipea
Password for jgalipea@RHTS.ENG.RDU.REDHAT.COM:
Password expired. You must change it now.
Enter new password:
Enter it again:
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: jgalipea@RHTS.ENG.RDU.REDHAT.COM
Valid starting Expires Service principal
08/22/11 14:40:42 08/23/11 14:40:42 krbtgt/RHTS.ENG.RDU.REDHAT.COM@RHTS.ENG.RDU.REDHAT.COM
# rpm -qi ipa-server
Name : ipa-server Relocations: (not relocatable)
Version : 2.1.0 Vendor: Red Hat, Inc.
Release : 1.el6 Build Date: Mon 15 Aug 2011 06:26:27 PM EDT
Install Date: Mon 22 Aug 2011 02:25:15 PM EDT Build Host: x86-005.build.bos.redhat.com
Group : System Environment/Base Source RPM: ipa-2.1.0-1.el6.src.rpm
Size : 3296786 License: GPLv3+
Signature : (none)
Packager : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
URL : http://www.freeipa.org/
Summary : The IPA authentication server
IPA is an integrated solution to provide centrally managed Identity (machine,
user, virtual machines, groups, authentication credentials), Policy
(configuration settings, access control information) and Audit (events,
logs, analysis thereof). If you are installing an IPA server you need
to install this package (in other words, most people should NOT install
# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 6.2 Beta (Santiago)
Technical note added. If any revisions are required, please edit the "Technical Notes" field
accordingly. All revisions will be proofread by the Engineering Content Services team.
Cause: Installing IPA server using --no-host-dns without a DNS resolvable host name.
Consequence: Installation fails on error that host name is not resolvable or does not match the reverse.
Fix: Move the no-host-dns test so it is tested before any DNS lookups occur.
Result: Installation with --no-host-dns should do no DNS validation.
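The cause/fix note above describes an ordering bug: the --no-host-dns flag was consulted only after the installer had already tried to resolve the host name, so an unresolvable name failed the install regardless of the flag. The following is an added illustration, not FreeIPA's own verify_fqdn code: two stand-in versions of the check, one with the pre-fix ordering and one with the flag tested before any lookup, run against a constructed resolver table (the host names, addresses and helper names are assumptions for the example).

```python
import socket


class HostnameCheckError(Exception):
    """Stands in for the installer's validation error (assumed name for the example)."""


def _default_lookup(name):
    """Forward then reverse lookup via the system resolver; raises OSError on failure."""
    ip = socket.gethostbyname(name)
    return ip, socket.gethostbyaddr(ip)[0]


def _basic_checks(host_name):
    # Syntactic checks that need no network; safe to keep regardless of --no-host-dns.
    if not host_name or host_name.lower() == "localhost":
        raise HostnameCheckError("host name must not be localhost")
    if "." not in host_name:
        raise HostnameCheckError("host name must be fully qualified")


def verify_fqdn_before_fix(host_name, no_host_dns=False, lookup=_default_lookup):
    """Pre-fix ordering (illustrative): the lookup runs before the flag is consulted,
    so an unresolvable name fails even when no_host_dns is True."""
    _basic_checks(host_name)
    try:
        ip, reverse_name = lookup(host_name)   # resolver traffic happens here
    except OSError as exc:
        raise HostnameCheckError(f"Unable to resolve host name: {exc}")
    if no_host_dns:                            # too late: the lookup has already failed
        return host_name
    if reverse_name.lower() != host_name.lower():
        raise HostnameCheckError(f"reverse lookup of {ip} does not match host name")
    return host_name


def verify_fqdn_after_fix(host_name, no_host_dns=False, lookup=_default_lookup):
    """Fixed ordering: the flag is tested before any DNS lookup occurs."""
    _basic_checks(host_name)
    if no_host_dns:
        return host_name                       # no resolver traffic at all
    try:
        ip, reverse_name = lookup(host_name)
    except OSError as exc:
        raise HostnameCheckError(f"Unable to resolve host name: {exc}")
    if reverse_name.lower() != host_name.lower():
        raise HostnameCheckError(f"reverse lookup of {ip} does not match host name")
    return host_name


# Constructed resolver table standing in for DNS: one consistent name, one whose
# reverse record disagrees, and everything else unresolvable.
FAKE_DNS = {
    "ipaserver.example.test": ("192.0.2.10", "ipaserver.example.test"),
    "alias.example.test": ("192.0.2.11", "other.example.test"),
}


def fake_lookup(name):
    try:
        return FAKE_DNS[name]
    except KeyError:
        raise socket.gaierror(f"Name or service not known: {name}")


def run_scenario(host_name, no_host_dns, impl):
    """Return 'ok' or the error text so both orderings can be compared side by side."""
    try:
        impl(host_name, no_host_dns=no_host_dns, lookup=fake_lookup)
        return "ok"
    except HostnameCheckError as exc:
        return str(exc)


if __name__ == "__main__":
    # The renamed host (as in the reproduction above) passes only with the fixed ordering.
    for impl in (verify_fqdn_before_fix, verify_fqdn_after_fix):
        print(impl.__name__, "->", run_scenario("renamed.example.test", True, impl))
```

The point the example makes for a reviewer of such a fix: an opt-out flag only protects the functions it is meant to skip if it is evaluated before the side effect it gates; placing it after the lookup leaves the failure path unchanged. The syntactic checks stay in both orderings because they cost nothing and still catch a bare or localhost name.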
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.