Petr Viktorin wrote:
On 09/11/2012 11:05 PM, Rob Crittenden wrote:
Petr Viktorin wrote:
On 09/04/2012 07:44 PM, Rob Crittenden wrote:
Petr Viktorin wrote:

https://fedorahosted.org/freeipa/ticket/2845

Shouldn't this also call verify_fqdn() on the local hostname and not
just the master? I think this would eventually fail in the conncheck
but what if that was skipped?

rob

A few lines above there is a call to get_host_name, which will call
verify_fqdn.


I double-checked this, it fails in conncheck. Here are my steps:

# ipa-server-install --setup-dns
# ipa-replica-prepare replica.example.com --ip-address=192.168.100.2
# ipa host-del replica.example.com

On replica, set DNS to IPA master, with hostname in /etc/hosts.

# ipa-replica-install ...

The verify_fqdn() passes because the resolver uses /etc/hosts.

The conncheck fails:

Execute check on remote master
Check connection from master to remote replica 'replica.example.com':

Remote master check failed with following error message(s):
Could not chdir to home directory /home/admin: No such file or directory
Port check failed! Unable to resolve host name 'replica.example.com'

Connection check failed!
Please fix your network settings according to error messages above.
If the check results are not valid it can be skipped with
--skip-conncheck parameter.

The DNS test happens much further after this, and I get why, I just
don't see how useful it is unless the --skip-conncheck is used.

For the record, it's because we need to check if the host has DNS
installed. We need an LDAP connection to check this.

ipa-replica-install ~rcrit/replica-info-replica.example.com.gpg
--skip-conncheck
Directory Manager (existing master) password:

ipa         : ERROR    Could not resolve hostname replica.example.com
using DNS. Clients may not function properly. Please check your DNS
setup. (Note that this check queries IPA DNS directly and ignores
/etc/hosts.)
Continue? [no]:

So I guess, what are the intentions here? It is certainly better than
before.

rob

If the replica is in the master's /etc/hosts, but not in DNS, the
conncheck will succeed. This check explicitly queries IPA records only
and ignores /etc/hosts so it'll notice this case and warn.


Ok, like I said, this is better than we have. Just one nit then you get an ack:

+        # If remote host has DNS, check forward/reverse resolution
+        try:
+ entry = conn.find_entries(u'cn=dns', base_dn=DN(api.env.basedn))
+        except errors.NotFound:
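Review bot: the `conn.find_entries(...)` call decides whether the master has DNS by searching from the whole suffix `DN(api.env.basedn)` with the bare filter `u'cn=dns'` and no scope argument, so the answer depends on whatever entry with that cn the search happens to return. Consider building the DNS container's DN from the shared container constant plus the basedn and reading that single entry, which removes the hardcoded literal and keeps an unrelated `cn=dns` entry elsewhere in the tree from satisfying the check. A short comment on what the `errors.NotFound` branch means (master has no DNS, so the resolution check is skipped) would also help the next reader.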

u'cn=dns' should be str(constants.container_dns).

rob
