On Tue, Aug 27, 2013 at 12:01:45PM +0200, Pavel Březina wrote:
> On 08/18/2013 09:45 PM, Jakub Hrozek wrote:
> >https://fedorahosted.org/sssd/ticket/1964
> >
> >Currently the AD sites are enabled unconditionally
>
> Hi,
> at the moment, there cannot be set two srv plugins on one fail over context:
>
> [ad_failover_init] (0x0100): No primary servers defined, using
> service discovery
> [fo_add_srv_server] (0x0400): Adding new SRV server to service
> 'gc_ad.pb' using 'tcp'.
> [fo_add_srv_server] (0x0400): Adding new SRV server to service
> 'ad.pb' using 'tcp'.
> [_ad_servers_init] (0x0100): Added service discovery for AD
> [be_fo_set_srv_lookup_plugin] (0x0400): Trying to set SRV lookup
> plugin to AD
> [sssd[be[ipa.pb]]] [fo_set_srv_lookup_plugin] (0x0080): SRV lookup
> plugin is already set
> [sssd[be[ipa.pb]]] [be_fo_set_srv_lookup_plugin] (0x0080): Unable to
> set SRV lookup plugin, another plugin may be already in place
>
> So unfortunately, the change won't be that trivial :-(

Ugh, sorry, I thought I tested the patch... apparently I was wrong.

Maybe we can abuse the fact that IPA installer only ever puts the local replica hostname to the ipa_server parameter and not use any resolve plugin in the server mode? See attached patch.

I'm wondering whether to extend it with a warning for cases where some admin has overridden the ipa_server directive. Or even better, read the ipa_server list, if there is no _srv_ keyword, proceed as the attached patch, if there is a _srv_ keyword, then don't enable the AD sites? (This I think would be mostly sanity checking, I don't think anyone would run such a setup)

>From 6d75c9dd1c0e4a1663941b0c75100029d1a7309e Mon Sep 17 00:00:00 2001 From: Jakub Hrozek <[email protected]> Date: Wed, 14 Aug 2013 21:12:07 +0200 Subject: [PATCH] IPA: Enable AD sites when in server mode https://fedorahosted.org/sssd/ticket/1964 Currently the AD sites are enabled unconditionally --- src/providers/ipa/ipa_common.h | 1 + src/providers/ipa/ipa_init.c | 8 ++++++-- src/providers/ipa/ipa_subdomains.c | 19 ++++++++++++++++++- 3 files changed, 25 insertions(+), 3 deletions(-) diff --git a/src/providers/ipa/ipa_common.h b/src/providers/ipa/ipa_common.h index 1afe20dbb1ecb52de8bd6948fe780300d43e4dd3..02f0baf55f0d226eeb8956076b9bbcce285d4a94 100644 --- a/src/providers/ipa/ipa_common.h +++ b/src/providers/ipa/ipa_common.h @@ -27,6 +27,7 @@ #include "providers/ldap/ldap_common.h" #include "providers/krb5/krb5_common.h" #include "providers/ad/ad_common.h" +#include "providers/ad/ad_srv.h" struct ipa_service { struct sdap_service *sdap; diff --git a/src/providers/ipa/ipa_init.c b/src/providers/ipa/ipa_init.c index 407ab166918c5ff5599382c8281502380aa179fe..0395c3a75709b99f0fb6efa42c11afa0df377aa8 100644 --- a/src/providers/ipa/ipa_init.c +++ b/src/providers/ipa/ipa_init.c @@ -115,6 +115,7 @@ int sssm_ipa_id_init(struct be_ctx *bectx, const char *hostname; const char *ipa_domain; struct ipa_srv_plugin_ctx *srv_ctx; + bool server_mode; int ret; if (!ipa_options) { @@ -205,6 +206,8 @@ int sssm_ipa_id_init(struct be_ctx *bectx, /* setup SRV lookup plugin */ hostname = dp_opt_get_string(ipa_options->basic, IPA_HOSTNAME); + server_mode = dp_opt_get_bool(ipa_options->basic, IPA_SERVER_MODE); + if (dp_opt_get_bool(ipa_options->basic, IPA_ENABLE_DNS_SITES)) { /* use IPA plugin */ ipa_domain = dp_opt_get_string(ipa_options->basic, IPA_DOMAIN); 
@@ -218,8 +221,9 @@ int sssm_ipa_id_init(struct be_ctx *bectx, be_fo_set_srv_lookup_plugin(bectx, ipa_srv_plugin_send, ipa_srv_plugin_recv, srv_ctx, "IPA"); - } else { - /* fall back to standard plugin */ + } else if (server_mode == false) { + /* fall back to standard plugin on clients. IPA servers do not + * use any discovery */ ret = be_fo_set_dns_srv_lookup_plugin(bectx, hostname); if (ret != EOK) { DEBUG(SSSDBG_CRIT_FAILURE, ("Unable to set SRV lookup plugin " diff --git a/src/providers/ipa/ipa_subdomains.c b/src/providers/ipa/ipa_subdomains.c index 9ded9954bbc819e65e3b222c8968d2440320c4be..6e627c93743701e65fb47e2999fa2d24ad7f6a3a 100644 --- a/src/providers/ipa/ipa_subdomains.c +++ b/src/providers/ipa/ipa_subdomains.c @@ -102,6 +102,8 @@ ipa_ad_ctx_new(struct be_ctx *be_ctx, struct ad_options *ad_options; struct ad_id_ctx *ad_id_ctx; const char *gc_service_name; + struct ad_srv_plugin_ctx *srv_ctx; + char *ad_domain; errno_t ret; ad_options = ad_create_default_options(id_ctx, id_ctx->server_mode->realm, @@ -112,7 +114,9 @@ ipa_ad_ctx_new(struct be_ctx *be_ctx, return ENOMEM; } - ret = dp_opt_set_string(ad_options->basic, AD_DOMAIN, subdom->name); + ad_domain = subdom->name; + + ret = dp_opt_set_string(ad_options->basic, AD_DOMAIN, ad_domain); if (ret != EOK) { DEBUG(SSSDBG_OP_FAILURE, ("Cannot set AD domain\n")); talloc_free(ad_options); @@ -153,6 +157,19 @@ ipa_ad_ctx_new(struct be_ctx *be_ctx, ad_id_ctx->sdap_id_ctx->opts = ad_options->id; ad_options->id_ctx = ad_id_ctx; + /* use AD plugin */ + srv_ctx = ad_srv_plugin_ctx_init(be_ctx, be_ctx->be_res, + default_host_dbs, + ad_id_ctx->ad_options->id, + id_ctx->server_mode->hostname, + ad_domain); + if (srv_ctx == NULL) { + DEBUG(SSSDBG_FATAL_FAILURE, ("Out of memory?\n")); + return ENOMEM; + } + be_fo_set_srv_lookup_plugin(be_ctx, ad_srv_plugin_send, + ad_srv_plugin_recv, srv_ctx, "AD"); + ret = sdap_domain_subdom_add(ad_id_ctx->sdap_id_ctx, ad_id_ctx->sdap_id_ctx->opts->sdom, subdom->parent); -- 1.8.3.1
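
Review bot: In the ipa_init.c hunk at @@ -218, only the else branch is gated on server_mode, so a server that has IPA_ENABLE_DNS_SITES set still takes the first branch and registers the "IPA" plugin through be_fo_set_srv_lookup_plugin. The "AD" plugin that the ipa_subdomains.c hunk registers afterwards would then run into the "SRV lookup plugin is already set" message quoted earlier in this thread, assuming both calls act on the same backend context. Consider testing server_mode before the IPA_ENABLE_DNS_SITES check so that neither the IPA nor the standard plugin is installed in server mode, and log at a visible level when the DNS sites option is being ignored for that reason. As a style point, `server_mode == false` reads better as `!server_mode`.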
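
Review bot: In the ipa_subdomains.c hunk at @@ -153, the new `srv_ctx == NULL` path returns ENOMEM without releasing ad_options, while the existing "Cannot set AD domain" error path a few lines above calls `talloc_free(ad_options)` before returning; the new path should clean up the same way, since ad_options was created on id_ctx and will otherwise outlive the failed call. The message "Out of memory?" could also name the call that failed (ad_srv_plugin_ctx_init). Separately, the plugin is registered on be_ctx while ad_domain comes from subdom->name, so if ipa_ad_ctx_new runs once per trusted domain, the second call would hit the same "already set" condition shown in the quoted log; it is worth stating in a comment whether only one AD subdomain is expected here or how additional ones are meant to be handled.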
