Bug 729377 - ipa-server-install fails on DNS errors when no DNS check is required
Summary: ipa-server-install fails on DNS errors when no DNS check is required
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: ipa
Version: 6.1
Hardware: x86_64
OS: Linux
high
urgent
Target Milestone: rc
: ---
Assignee: Rob Crittenden
QA Contact: Chandrasekar Kannan
URL:
Whiteboard:
Depends On: 729357
Blocks: 728234
TreeView+ depends on / blocked
 
Reported: 2011-08-09 17:40 UTC by Dmitri Pal
Modified: 2015-01-04 23:50 UTC (History)
8 users (show)

Fixed In Version: ipa-2.1.0-1.el6
Doc Type: Bug Fix
Doc Text:
Cause: Installing IPA server using --no-host-dns without a DNS resolvable host name. Consequence: Installation fails on error that host name is not resolvable or does not match the reverse. Fix: Move the no-host-dns test so it is tested before any DNS lookups occur. Result: Installation with --no-host-dns should do no DNS validation.
Clone Of: 729357
Environment:
Last Closed: 2011-12-06 18:29:43 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2011:1533 normal SHIPPED_LIVE Moderate: ipa security and bug fix update 2011-12-06 01:23:31 UTC

Description Dmitri Pal 2011-08-09 17:40:17 UTC
+++ This bug was initially created as a clone of Bug #729357 +++

Description of problem:
in RHEVM we implement a wrapper to install IPA with the simplest configuration possible, no CA is required, no kerberos and no DNS configuration.
the only host that can connect to the IPA instance we deploy is from within the host. yet ipa-server-install still preforms DNS checks (even with the --no-dns flag supplied) which can fail the installation. we need a method to install IPA which will be bullet proof and will not perform checks that protect functions we do not intend to use.

for example:
ipaserver.install.installutils.verify_fqdn still verify the reverse dns lookup for the ip address of the host even tho the --no-dns flag is provided.


Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.
2.
3.
  
Actual results:


Expected results:


Additional info:

Comment 2 Dmitri Pal 2011-08-11 21:22:46 UTC
This was already closed upstream and will be released as part of future FreeIPA
release (2.1).

Upstream ticket:
https://fedorahosted.org/freeipa/ticket/1246

The bug also talks about the wrong flag above:
Instead --no-dns it should be --no-host-dns.

Comment 3 Rob Crittenden 2011-08-16 14:36:22 UTC
Upstream commits:

master: 915235859cb67d4f350ff506b435586fd15505e7
ipa-2-0: 73e04bd972ba3d010ea63c9c7b834cdb80f7fadd

Comment 5 Jenny Galipeau 2011-08-22 18:41:43 UTC
Verified:
Changed machine name to not resolve to ip address and installed ...

# ipa-server-install -p mysecret -P mysecret -a mysecret --no-host-dns

<snip>

Warning: skipping DNS resolution of host ipaserver.rhts.eng.rdu.redhat.com
The domain name has been calculated based on the host name.

</snip>

Installation successful.

# kinit admin
Password for admin@RHTS.ENG.RDU.REDHAT.COM: 


# ipa user-add --first=Jenny --last=Galipeau jgalipea
---------------------
Added user "jgalipea"
---------------------
  User login: jgalipea
  First name: Jenny
  Last name: Galipeau
  Full name: Jenny Galipeau
  Display name: Jenny Galipeau
  Initials: JG
  Home directory: /home/jgalipea
  GECOS field: Jenny Galipeau
  Login shell: /bin/sh
  Kerberos principal: jgalipea@RHTS.ENG.RDU.REDHAT.COM
  UID: 1913000003
  GID: 1913000003

# ipa passwd jgalipea
Password: 
Enter Password again to verify: 
-------------------------------------------------------
Changed password for "jgalipea@RHTS.ENG.RDU.REDHAT.COM"
-------------------------------------------------------

# kinit jgalipea
Password for jgalipea@RHTS.ENG.RDU.REDHAT.COM: 
Password expired.  You must change it now.
Enter new password: 
Enter it again: 

# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: jgalipea@RHTS.ENG.RDU.REDHAT.COM

Valid starting     Expires            Service principal
08/22/11 14:40:42  08/23/11 14:40:42  krbtgt/RHTS.ENG.RDU.REDHAT.COM@RHTS.ENG.RDU.REDHAT.COM



Version:

# rpm -qi ipa-server
Name        : ipa-server                   Relocations: (not relocatable)
Version     : 2.1.0                             Vendor: Red Hat, Inc.
Release     : 1.el6                         Build Date: Mon 15 Aug 2011 06:26:27 PM EDT
Install Date: Mon 22 Aug 2011 02:25:15 PM EDT      Build Host: x86-005.build.bos.redhat.com
Group       : System Environment/Base       Source RPM: ipa-2.1.0-1.el6.src.rpm
Size        : 3296786                          License: GPLv3+
Signature   : (none)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
URL         : http://www.freeipa.org/
Summary     : The IPA authentication server
Description :
IPA is an integrated solution to provide centrally managed Identity (machine,
user, virtual machines, groups, authentication credentials), Policy
(configuration settings, access control information) and Audit (events,
logs, analysis thereof). If you are installing an IPA server you need
to install this package (in other words, most people should NOT install
this package).


# cat /etc/redhat-release 
Red Hat Enterprise Linux Server release 6.2 Beta (Santiago)

Comment 6 Rob Crittenden 2011-11-01 13:11:06 UTC
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
Cause: Installing IPA server using --no-host-dns without a DNS resolvable host name.
Consequence: Installation fails on error that host name is not resolvable or does not match the reverse.
Fix: Move the no-host-dns test so it is tested before any DNS lookups occur.
Result: Installation with --no-host-dns should do no DNS validation.

Comment 7 errata-xmlrpc 2011-12-06 18:29:43 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2011-1533.html


Note You need to log in before you can comment on or make changes to this bug.