Bug 798774 - IPA provider should assume that ipa_domain is also the dns_discovery_domain
Summary: IPA provider should assume that ipa_domain is also the dns_discovery_domain
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: sssd
Version: 6.3
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assignee: Stephen Gallagher
QA Contact: IDM QE LIST
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2012-02-29 20:08 UTC by Stephen Gallagher
Modified: 2020-05-02 16:46 UTC (History)

Fixed In Version: sssd-1.8.0-11.el6
Doc Type: Bug Fix
Doc Text:
Cause: SSSD would use either the value of dns_discovery_domain or else the domain portion of the machine's FQDN to look up DNS SRV records for failover servers. Consequence: On FreeIPA-enrolled machines, the client hostname might not match the IPA domain name. These clients would be unable to discover failover servers. Change: When id_provider = ipa, dns_discovery_domain will be automatically set to the value of ipa_domain. Result: FreeIPA clients will be able to autodetect failover servers even if their hostname is not part of the FreeIPA domain.
Clone Of:
Environment:
Last Closed: 2012-06-20 11:55:23 UTC
Target Upstream Version:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Github SSSD sssd issues 2259 0 None None None 2020-05-02 16:46:45 UTC
Red Hat Product Errata RHBA-2012:0747 0 normal SHIPPED_LIVE sssd bug fix and enhancement update 2012-06-19 19:31:43 UTC

Description Stephen Gallagher 2012-02-29 20:08:14 UTC
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/sssd/ticket/1217

Currently, if we don't specify dns_discovery_domain explicitly in sssd.conf, we default to using the domain part of the machine's hostname. We should instead be defaulting to the value of ipa_domain for IPA installations.

Comment 2 Stephen Gallagher 2012-05-04 12:34:54 UTC
Steps to reproduce:

1. Set up an IPA realm with at least two servers (one replicating to the other) providing DNS. (We'll call them master and secondary.)

2. Create a client and set its FQDN hostname to something OTHER than hostname.ipa.domain. For example, if the IPA domain is "ipa.com", set the client hostname to "client.example.com".

3. Enroll the client against the master. Disable cached credentials by setting cache_credentials = False in sssd.conf (this is so we can ensure that we're testing against the server).

4. Take down the master.

X. Set /etc/resolv.conf to point at the secondary (or don't; this step just avoids the timeout trying to reach the primary DNS).

5. Attempt to log in to the client.

Before this fix, we would fail because we cannot look up the server entries from DNS (our DNS lookup would be trying to find _ldap._tcp.example.com, but it SHOULD be looking for _ldap._tcp.ipa.com).

After this fix, lookups will be against the correct DNS domain and login should succeed.

Comment 3 Kaleem 2012-05-09 14:18:46 UTC
Verified.

sssd-version:
============

[root@dhcp201-113 ~]# rpm -q sssd
sssd-1.8.0-25.el6.x86_64
[root@dhcp201-113 ~]#

Followed steps given in comment 2 for verification.

DNS lookup tries for _ldap._tcp.testrelm.com and login is also successful.

[root@dhcp201-113 ~]# hostname
dhcp201-113.englab.pnq.redhat.com
[root@dhcp201-113 ~]#

[root@dhcp201-113 ~]# cat /var/log/sssd/sssd_testrelm.com.log |grep _ldap._tcp 
(Wed May  9 19:12:54 2012) [sssd[be[testrelm.com]]] [resolve_srv_cont] (0x0100): Searching for servers via SRV query '_ldap._tcp.testrelm.com'
(Wed May  9 19:12:54 2012) [sssd[be[testrelm.com]]] [resolv_getsrv_send] (0x0100): Trying to resolve SRV record of '_ldap._tcp.testrelm.com'
[root@dhcp201-113 ~]#
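
As an added example (not part of this bug report and not SSSD's own code), the following Python script models the discovery-domain precedence described in the bug description and comment 2, and runs the check from comment 3 over log lines in the same format. It parses a constructed sssd.conf fragment, derives the expected _ldap._tcp SRV name under the pre-fix rule (domain portion of the client's FQDN) and the post-fix rule (ipa_domain when id_provider = ipa, unless dns_discovery_domain is set explicitly), and verifies that the SRV queries found in the log match the expected name. The config fragments, hostname and log lines are constructed for the example, and all function names are the example's own.

```python
import configparser
import re

# Constructed sssd.conf fragment: IPA domain without an explicit dns_discovery_domain.
SSSD_CONF_IPA = """
[sssd]
domains = testrelm.com
services = nss, pam

[domain/testrelm.com]
id_provider = ipa
ipa_domain = testrelm.com
ipa_server = _srv_, ipa1.testrelm.com
cache_credentials = False
"""

# Constructed variant: the administrator pins discovery to a separate subdomain,
# which is how a deployment that segregates IPA pools per environment would override the default.
SSSD_CONF_IPA_EXPLICIT = """
[sssd]
domains = testrelm.com

[domain/testrelm.com]
id_provider = ipa
ipa_domain = testrelm.com
dns_discovery_domain = dev.testrelm.com
"""

# Constructed log lines in the format of the sssd_<domain>.log excerpt from the verification comment.
LOG_LINES = """
(Wed May  9 19:12:54 2012) [sssd[be[testrelm.com]]] [resolve_srv_cont] (0x0100): Searching for servers via SRV query '_ldap._tcp.testrelm.com'
(Wed May  9 19:12:54 2012) [sssd[be[testrelm.com]]] [resolv_getsrv_send] (0x0100): Trying to resolve SRV record of '_ldap._tcp.testrelm.com'
"""

# Client FQDN whose domain part is NOT the IPA domain (the situation the bug describes).
CLIENT_HOSTNAME = "dhcp201-113.englab.pnq.redhat.com"


def parse_sssd_conf(text):
    """sssd.conf is INI-style; interpolation is disabled so '%' in values is left alone."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def discovery_domain(cp, section, hostname, fixed=True):
    """Effective domain used to build SRV queries for failover discovery.

    Precedence modelled here (example's own summary of the bug text):
      1. explicit dns_discovery_domain always wins;
      2. with the fix, id_provider = ipa falls back to ipa_domain;
      3. otherwise (and always before the fix) the domain portion of the FQDN is used.
    """
    explicit = cp.get(section, "dns_discovery_domain", fallback=None)
    if explicit:
        return explicit.strip()
    if fixed and cp.get(section, "id_provider", fallback="").strip() == "ipa":
        ipa_domain = cp.get(section, "ipa_domain", fallback=None)
        if ipa_domain:
            return ipa_domain.strip()
    _, _, domain = hostname.partition(".")
    return domain or None


def srv_name(service, proto, domain):
    """Build the DNS SRV owner name, e.g. _ldap._tcp.testrelm.com."""
    return f"_{service}._{proto}.{domain}"


# Matches both message forms seen in the log: "SRV query '...'" and "SRV record of '...'".
SRV_RE = re.compile(r"SRV (?:query|record of) '(_[a-z]+\._(?:tcp|udp)\.[^']+)'")


def srv_queries_in_log(log_text):
    """Distinct SRV names SSSD tried to resolve, as recorded in the back-end log."""
    return sorted({m.group(1) for m in SRV_RE.finditer(log_text)})


def check_discovery(cp, section, hostname, log_text, fixed=True):
    """Compare the SRV name the config should produce with what the log shows was queried."""
    expected = srv_name("ldap", "tcp", discovery_domain(cp, section, hostname, fixed))
    seen = srv_queries_in_log(log_text)
    return {"expected": expected, "seen": seen, "ok": expected in seen}


if __name__ == "__main__":
    cp = parse_sssd_conf(SSSD_CONF_IPA)
    for fixed in (False, True):
        result = check_discovery(cp, "domain/testrelm.com", CLIENT_HOSTNAME, LOG_LINES, fixed)
        print("post-fix" if fixed else "pre-fix ", result)
```

Running the script prints the pre-fix expectation (_ldap._tcp.englab.pnq.redhat.com, which the log never shows, so the check fails) and the post-fix expectation (_ldap._tcp.testrelm.com, which matches). The same `check_discovery` call against an sssd_<domain>.log with debug_level high enough to emit the resolver messages is a quick way to confirm which domain a client is actually using for failover discovery.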

Comment 4 Stephen Gallagher 2012-06-12 13:42:06 UTC
Technical note added. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team.

New Contents:
Cause: SSSD would use either the value of dns_discovery_domain or else the domain portion of the machine's FQDN to look up DNS SRV records for failover servers.

Consequence: On FreeIPA-enrolled machines, the client hostname might not match the IPA domain name. These clients would be unable to discover failover servers.

Change: When id_provider = ipa, dns_discovery_domain will be automatically set to the value of ipa_domain.

Result: FreeIPA clients will be able to autodetect failover servers even if their hostname is not part of the FreeIPA domain.

Comment 6 errata-xmlrpc 2012-06-20 11:55:23 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-0747.html

Comment 7 Chad Hirsch 2013-12-18 00:55:33 UTC
This is not a good idea!

If a user does not have SRV records for the domain their systems are in, then we should create them, or encourage the users to create them. Maybe we can provide an option in ipa-client-install for the dns_discovery_domain.

This broke our implementation of IPA, because now we have hosts that are not pointing to the correct DNS subdomains for SRV record lookups. In an enterprise environment, you want to segregate IPA domains, for instance, so that software development environments cannot affect production environments. Having this default encourages that all IPA servers exist in one pool, rather than facilitating the segregation of resources, as is proper.
