URL: https://github.com/freeipa/freeipa/pull/689
Author: alex-zel
Title: #689: Sort SRV records by priority
Action: opened

PR body:
"""
In some cases where multiple SRV records are present, LDAP and Kerberos records 
were returned in different order, causing replication issues in a multi-master 
environment.

## Replication:
DNS configuration (using PfSense):
```
srv-host=_kerberos._udp.example.com,server01.example.com,88,0,1
srv-host=_kerberos._tcp.example.com,server01.example.com,88,0,1
srv-host=_kerberos-master._tcp.example.com,server01.example.com,88,0,1
srv-host=_kerberos-master._udp.example.com,server01.example.com,88,0,1
srv-host=_kpasswd._tcp.example.com,server01.example.com,88,0,1
srv-host=_kpasswd._udp.example.com,server01.example.com,88,0,1
srv-host=_ldap._tcp.example.com,server01.example.com,389,0,1
srv-host=_kerberos._udp.example.com,server02.example.com,88,0,2
srv-host=_kerberos._tcp.example.com,server02.example.com,88,0,2
srv-host=_kerberos-master._tcp.example.com,server02.example.com,88,0,2
srv-host=_kerberos-master._udp.example.com,server02.example.com,88,0,2
srv-host=_kpasswd._tcp.example.com,server02.example.com,88,0,2
srv-host=_kpasswd._udp.example.com,server02.example.com,88,0,2
srv-host=_ldap._tcp.example.com,server02.example.com,389,0,2
txt-record=_kerberos.example.com,EXAMPLE.COM
```

Client installation:
Host record is added beforehand from web UI on server01.example.com ONLY.
```
/usr/sbin/ipa-client-install --force-join --principal=bind_user --password=bind_pass --hostname=`hostname -f` --unattended
```

/var/log/ipaclient-install.log:

> 2017-04-02T10:54:09Z DEBUG [IPA Discovery]
> 2017-04-02T10:54:09Z DEBUG Starting IPA discovery with domain=None, servers=None, hostname=client01.example.com
> 2017-04-02T10:54:09Z DEBUG Start searching for LDAP SRV record in "example.com" (domain of the hostname) and its sub-domains
> 2017-04-02T10:54:09Z DEBUG Search DNS for SRV record of _ldap._tcp.example.com
> 2017-04-02T10:54:09Z DEBUG DNS record found: 0 1 389 server01.example.com.
> 2017-04-02T10:54:09Z DEBUG DNS record found: 0 2 389 server02.example.com.
> 2017-04-02T10:54:09Z DEBUG [Kerberos realm search]
> 2017-04-02T10:54:09Z DEBUG Search DNS for TXT record of _kerberos.example.com
> 2017-04-02T10:54:09Z DEBUG DNS record not found: NoAnswer
> 2017-04-02T10:54:09Z DEBUG Search DNS for SRV record of _kerberos._udp.example.com
> 2017-04-02T10:54:09Z DEBUG DNS record found: 0 2 88 server02.example.com.
> 2017-04-02T10:54:09Z DEBUG DNS record found: 0 1 88 server01.example.com.

Notice that the records are not in the same order. ipa-client-install did not 
return any error, and the client machine could see users, groups and netgroups, 
but users could not authenticate.
Looking at the web UI, server01.example.com shows the client is not enrolled 
and no Kerberos key is present, but server02.example.com shows the client is 
enrolled and has a key.

In cases where either server01 or server02 was returned first in IPA Discovery, 
the installation and replication went fine.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/689/head:pr689
git checkout pr689
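The reproduction above shows the same two SRV targets coming back in opposite order for the LDAP and the Kerberos lookup, and the patch proposes a sort on priority to make the two agree. The following is an added example (not code from the PR or from FreeIPA) that replays the PR's own log lines through two orderings: the priority-only sort the patch uses, and a deterministic priority-then-weight order. It assumes a small `SRV` namedtuple as a stand-in for dnspython's SRV rdata (same attribute names, so the functions would apply to real answers), and it deliberately replaces the weighted random selection RFC 2782 specifies within a priority with a fixed order, because the goal here is that two lookups of the same zone pick the same server. The log lines are constructed to match the ones in the PR body.

```python
from collections import namedtuple
from operator import attrgetter

# Minimal stand-in for dnspython's SRV rdata. It carries the same attribute
# names (priority, weight, port, target) so the ordering functions below
# would work unchanged on real resolver answers. Constructed for this example.
SRV = namedtuple("SRV", "priority weight port target")


def parse_srv_log_line(line):
    """Turn a 'DNS record found: PRIORITY WEIGHT PORT TARGET' line from
    ipaclient-install.log into an SRV record."""
    _, found, rest = line.partition("DNS record found: ")
    if not found:
        raise ValueError("not an SRV discovery line: %r" % line)
    priority, weight, port, target = rest.split()
    return SRV(int(priority), int(weight), int(port), target)


def sort_by_priority_only(records):
    """The ordering the patch applies: a stable sort on priority alone.
    Records that share a priority keep whatever order the resolver gave."""
    return sorted(records, key=attrgetter("priority"))


def order_srv(records):
    """Deterministic preference order: lowest priority first (RFC 2782),
    then highest weight first within a priority (RFC 2782 says larger
    weights should be preferred more often; its weighted random choice is
    replaced here by a fixed order so repeated lookups agree), and finally
    the target name so complete ties are broken the same way every time."""
    return sorted(records, key=lambda r: (r.priority, -r.weight, r.target))


def first_target(records, orderer):
    """Target a client would contact first under the given ordering."""
    return orderer(records)[0].target


# Constructed log lines mirroring the PR's reproduction: the same two
# targets, returned in opposite order by the LDAP and Kerberos lookups.
LDAP_LINES = [
    "2017-04-02T10:54:09Z DEBUG DNS record found: 0 1 389 server01.example.com.",
    "2017-04-02T10:54:09Z DEBUG DNS record found: 0 2 389 server02.example.com.",
]
KRB_LINES = [
    "2017-04-02T10:54:09Z DEBUG DNS record found: 0 2 88 server02.example.com.",
    "2017-04-02T10:54:09Z DEBUG DNS record found: 0 1 88 server01.example.com.",
]


def compare_orderings():
    """For each ordering, return the first target chosen from the LDAP answer
    and from the Kerberos answer; a consistent ordering yields a matching pair."""
    ldap = [parse_srv_log_line(line) for line in LDAP_LINES]
    krb = [parse_srv_log_line(line) for line in KRB_LINES]
    return {
        "priority_only": (first_target(ldap, sort_by_priority_only),
                          first_target(krb, sort_by_priority_only)),
        "priority_then_weight": (first_target(ldap, order_srv),
                                 first_target(krb, order_srv)),
    }


if __name__ == "__main__":
    for name, (ldap_first, krb_first) in compare_orderings().items():
        status = "agree" if ldap_first == krb_first else "DISAGREE"
        print("%-22s LDAP->%s  Kerberos->%s  (%s)"
              % (name, ldap_first, krb_first, status))
```

Running it shows that with every record at priority 0, the priority-only sort leaves the resolver's order untouched and the two lookups still name different servers, whereas adding weight (and a name tie-break) as secondary keys makes both lookups settle on the same target.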
From 283da88845c65d5cd3b4ce6b5e32c17fc3c5fb98 Mon Sep 17 00:00:00 2001
From: Alex Zeleznikov <a...@iucc.ac.il>
Date: Tue, 4 Apr 2017 09:42:10 +0300
Subject: [PATCH] Sort SRV records by priority

In some cases where multiple SRV records are present, LDAP and Kerberos records were returned in different order, causing replication issues in a multi-master environment.
---
 ipaclient/install/ipadiscovery.py | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/ipaclient/install/ipadiscovery.py b/ipaclient/install/ipadiscovery.py
index 46e05c9..b30e7de 100644
--- a/ipaclient/install/ipadiscovery.py
+++ b/ipaclient/install/ipadiscovery.py
@@ -22,13 +22,14 @@
 import six
 
 from ipapython.ipa_log_manager import root_logger
-from dns import resolver, rdatatype
 from dns.exception import DNSException
+from dns import resolver, rdatatype
 from ipalib import errors
 from ipapython import ipaldap
 from ipaplatform.paths import paths
 from ipapython.ipautil import valid_ip, realm_to_suffix
 from ipapython.dn import DN
+from operator import attrgetter
 
 NOT_FQDN = -1
 NO_LDAP_SERVER = -2
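Review bot: the move of `from dns import resolver, rdatatype` below `from dns.exception import DNSException` is unrelated to the fix and only adds churn to the diff; drop that reorder. The new `from operator import attrgetter` is a standard-library import and belongs with the other stdlib imports at the top of the block rather than after the `ipapython`/`ipalib`/`ipaplatform` imports, so the stdlib / third-party / project grouping stays intact.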
@@ -493,6 +494,7 @@ def ipadns_search_srv(self, domain, srv_record_name, default_port,
 
         try:
             answers = resolver.query(qname, rdatatype.SRV)
+            answers = sorted(answers, key=attrgetter('priority'))
         except DNSException as e:
             root_logger.debug("DNS record not found: %s", e.__class__.__name__)
             answers = []
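Review bot: sorting on `priority` alone does not fix the reproduction given in the PR body: every record there has priority 0 and they differ only in weight (`0 1 389 server01.example.com.` vs `0 2 389 server02.example.com.`), and `sorted()` is stable, so the resolver's order is preserved and the LDAP and Kerberos lookups can still disagree. Use weight as a secondary key, keeping in mind that RFC 2782 prefers larger weights within a priority, e.g. `answers = sorted(answers, key=lambda r: (r.priority, -r.weight))`, and add a comment stating the intended order. Note also that `sorted()` replaces the `dns.resolver.Answer` object with a plain list; that is consistent with the `answers = []` fallback in the `except` branch, but it should be mentioned in the commit message. A unit test that feeds two equal-priority records in both orders and checks the same server comes out first would pin the behaviour.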
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code