On Mon, Sep 17, 2012 at 11:18:53AM +0200, Petr Spacek wrote:
> On 09/17/2012 09:15 AM, Martin Kosek wrote:
> >On 09/17/2012 09:06 AM, Petr Spacek wrote:
> >>Discussion about patch "Set master_kdc and dns_lookup_kdc to true)" reminds
> >>one related problem:
> >>
> >>Our server installer puts line "nameserver 127.0.0.1" to /etc/resolv.conf,
> >>but this file should contain all (or three nearest) DNS servers in IPA domain.
> >>
> >>As a result, IPA server will work even after local named crash (which is
> >>not so rare as I want :-().
> >>
> >>New ticket:
> >>https://fedorahosted.org/freeipa/ticket/3085
> >>
> >>Martin, what do you think?
> >>
> >>How we can update resolv.conf to reflect replica addition/deletion?
> >>
> >>Should it be done manually? E.g. ipa-replica-install script can print "don't
> >>forget to add this server to /etc/resolv.conf on other servers"?
> >>
> >>Petr^2 Spacek
> >>
> >
> >It would not be difficult to pull a list of IPA masters with DNS support
> >during ipa-{server,replica}-install and write more IPs to the resolv.conf.
> >But I think there may be an issue when somebody willingly stops a remote
> >replica or uninstalls it. He would also need to remove its IP from all
> >resolv.confs in all replicas...
> >
> >Btw. why would IPA server fail when a local named crashes? A record in
> >/etc/hosts we always add should still enable local IPA services to work or
> >do I miss something?
>
> Well... try it :-D "service named stop"
>
> I didn't examine details of this problem, but my guess is Kerberos
> and reverse DNS lookups. Also, you need to resolve neighbouring

at least reverse DNS lookups shouldn't be the case since 'rdns = false' in
krb5.conf.

bye,
Sumit

> replica IP and so on.
>
>
> Name servers listed in resolv.conf are tried in order, so 127.0.0.1
> should be on first place.
>
> man resolv.conf:
> nameserver Name server IP address
> ...
> Up to MAXNS (currently 3, see <resolv.h>) name servers
> may be listed, one per keyword. If there are multiple servers,
> the resolver library queries them in the order listed.
> ...
> (The algorithm used is to try a name server, and if the query times
> out, try the next, until out of name servers, then repeat trying all
> the name servers until a maximum number of retries are made.)
>
>
> Also, some update mechanism for resolv.conf would be nice. We should
> provide "gen-resolv-conf.py script" at least, so admin can call it
> from cron or something like that.
>
> Petr^2 Spacek
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel
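An added illustration of the "gen-resolv-conf" idea Petr floats in the quoted mail; this is example code written for this page, not FreeIPA's own installer or any script from the thread. It assumes the caller already has the list of IPA masters that run DNS (in practice that would come from the IPA directory; here it is constructed sample data with documentation-range addresses), keeps 127.0.0.1 in first place so the local named answers while it is up, excludes the host's own entry from the fallback list, and enforces the MAXNS limit of 3 from the resolv.conf man page quoted above because the resolver silently ignores further nameserver lines. Which remote masters count as "nearest" is left to the order the caller supplies; the example does not invent a distance metric.

```python
#!/usr/bin/env python3
"""Generate /etc/resolv.conf content for an IPA master.

Added example, not FreeIPA code. Mirrors the thread's idea: local named
first, then other IPA DNS masters as fallbacks, capped at MAXNS (3).
"""
from ipaddress import ip_address

MAXNS = 3  # glibc limit quoted from man resolv.conf; extra entries are ignored

# Constructed sample data (hypothetical hosts, RFC 5737 documentation addresses).
# A real generator would pull this list from the IPA directory instead.
SAMPLE_DNS_MASTERS = [
    ("ipa1.example.test", "192.0.2.10"),
    ("ipa2.example.test", "192.0.2.11"),
    ("ipa3.example.test", "192.0.2.12"),
    ("ipa4.example.test", "192.0.2.13"),
]


def select_nameservers(local_ip, remote_ips, maxns=MAXNS):
    """Return an ordered, deduplicated list of at most `maxns` addresses.

    The local resolver goes first so queries are served by the local named
    while it runs; the remotes are tried in the order given only when the
    local one times out (the resolver library tries servers in listed order).
    """
    result = []
    for addr in [local_ip] + list(remote_ips):
        ip_address(addr)  # reject garbage before it can reach resolv.conf
        if addr not in result:
            result.append(addr)
    return result[:maxns]


def render_resolv_conf(domain, nameservers):
    """Render resolv.conf text for the selected nameservers."""
    lines = [
        "# Generated for an IPA master; the resolver uses at most MAXNS entries",
        f"search {domain}",
    ]
    lines += [f"nameserver {ns}" for ns in nameservers]
    return "\n".join(lines) + "\n"


def build_resolv_conf(domain, dns_masters, local_hostname, local_ip="127.0.0.1"):
    """Build resolv.conf content, leaving this host's own address out of the fallbacks."""
    remotes = [ip for host, ip in dns_masters if host != local_hostname]
    return render_resolv_conf(domain, select_nameservers(local_ip, remotes))


if __name__ == "__main__":
    # Running this on "ipa1" yields 127.0.0.1 followed by the first two other masters.
    print(build_resolv_conf("example.test", SAMPLE_DNS_MASTERS, "ipa1.example.test"), end="")
```

Run from cron on each master, as Petr suggests, this also addresses Martin's concern: a replica that was uninstalled disappears from the source list and drops out of every regenerated resolv.conf on the next run, instead of having to be removed by hand on every server.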