All replicas in a topology should have one IPA domain (api.env.domain),
but with replica promotion it is possible to set a different api.env.domain for each replica.
This is a blocker for the DNS location feature and any dynamic records generator; it can also cause harm in 4.3.x topologies, because different domains may parse results differently, and adding system SRV records will not work.
This behavior is not reproducible on 4.2, thus this is a regression.
Steps to reproduce:
1. [master]# ipa-server-install --domain ipadomain.test.
2. [replica]# ipa-client-install --domain random.domain. --server ipa.replica.ipadomain.test
3. [replica]# ipa-replica-install
4. api.env.domain is random.domain, expected is ipadomain.test.
[root@vm-058-114 ~]# ipa-client-install --server vm-012.ipa.test. --domain vm-012.ipa.test
[root@vm-058-114 ~]# ipa-replica-install
[root@vm-058-114 ~]# ipa dns-update-system-records
ipa: WARNING: IPA does not manage the zone vm-012.ipa.test., please add records to your DNS server manually
IPA DNS records:
_kerberos-master._tcp.vm-012.ipa.test. 86400 IN SRV 0 100 88 vm-012.ipa.test.
_kerberos-master._tcp.vm-012.ipa.test. 86400 IN SRV 0 100 88 vm-058-114.ipa.test.
[root@vm-058-114 ~]# ipa dnszone-find
Zone name: ipa.test.
Blocker for DNS locations: this feature will not work on replicas with an invalid api.env.domain.
Linked to Bugzilla bug: https://bugzilla.redhat.com/show_bug.cgi?id=837369 (Red Hat Enterprise Linux 7)
The check is too strict and prevents installation even if the domain used in ipa-client-install has different casing (e.g. upper case) than the domain stored in LDAP. We need to compare these two as real domain names and not strings. I will send a patch.
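As an added illustration of both points in this ticket (the replica must reject an api.env.domain that differs from the one stored in LDAP, yet the comparison must treat the two values as DNS names rather than strings), here is a small stand-alone Python check. It is example code, not FreeIPA's implementation; the function names `normalize_domain`, `domains_match` and `check_replica_domain` are assumptions for this example, and the sample domain names are constructed from the ones quoted above.

```python
"""Added example (not FreeIPA code): compare the client-configured domain with
the IPA domain stored in LDAP as DNS names, so that casing and a trailing dot
do not cause a spurious mismatch, while a genuinely different domain is still
refused before replica promotion."""


def normalize_domain(name: str) -> str:
    """Canonical form of a DNS domain name: strip surrounding whitespace,
    drop the trailing dot of an absolute name, reject empty labels, and
    lower-case every label (DNS name matching is case-insensitive)."""
    name = name.strip().rstrip(".")
    if not name:
        raise ValueError("empty domain name")
    labels = name.split(".")
    if any(label == "" for label in labels):
        raise ValueError(f"malformed domain name (empty label): {name!r}")
    return ".".join(label.lower() for label in labels)


def domains_match(client_domain: str, ldap_domain: str) -> bool:
    """True when both values denote the same DNS domain."""
    return normalize_domain(client_domain) == normalize_domain(ldap_domain)


def check_replica_domain(client_domain: str, ldap_domain: str) -> str:
    """Gate for replica promotion (hypothetical helper): return the canonical
    IPA domain when the client domain agrees with LDAP, otherwise refuse so
    that api.env.domain cannot diverge between replicas of one topology."""
    if not domains_match(client_domain, ldap_domain):
        raise ValueError(
            f"client domain {client_domain!r} does not match the IPA domain "
            f"{ldap_domain!r} stored in LDAP; refusing replica promotion"
        )
    return normalize_domain(ldap_domain)


if __name__ == "__main__":
    # Constructed sample values based on the domains quoted in the ticket.
    print(check_replica_domain("IPADOMAIN.TEST.", "ipadomain.test"))  # accepted
    try:
        check_replica_domain("random.domain.", "ipadomain.test.")
    except ValueError as err:
        print("refused:", err)
```

The casing case from the comment above passes (only the labels differ in case), the reproduction scenario from the description (random.domain versus ipadomain.test) is still refused, and a trailing dot on either side does not matter.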
Metadata Update from @mbasti:
- Issue assigned to pspacek
- Issue set to the milestone: FreeIPA 4.3.2