#7298 ipa-server-install silently produces a broken installation if --hostname is in a non-existing subdomain
Opened 2 years ago by mattock. Modified 2 years ago

Request for enhancement

As a system administrator I would like the ipa-server-install to fail if it is unable to add an A record for the IPA server itself.

Issue

The ipa-server-install script is unable to add an A record for the IPA server if --hostname is in a subdomain that does not (yet) exist. In other words:

SUCCESS: --hostname ipa-server-1.vagrant.example.lan --domain vagrant.example.lan
FAILURE: --hostname ipa-server-1.ipa.vagrant.example.lan --domain vagrant.example.lan

This behavior may be expected, but only if one knows the internals of the installer. Moreover, ipa-server-install does not notice the problem nor warn about it - at least not when using the --unattended switch.

The failure seems to occur when the installer tries to add an A record for itself. Here's a successful run:

2017-11-24T09:53:21Z DEBUG raw: dnsrecord_add(u'vagrant.example.lan', u'ipa-server-1',\
 arecord=u'192.168.44.35', version=u'2.228')
2017-11-24T09:53:21Z DEBUG dnsrecord_add(<DNS name vagrant.example.lan.>, <DNS name\
 ipa-server-1>, arecord=(u'192.168.44.35',), a_extra_create_reverse=False,\
 aaaa_extra_create_reverse=False, force=False, structured=False, all=False, raw=False,\
 version=u'2.228')

A failed run looks identical except that the domain of course differs:

2017-11-24T09:34:44Z DEBUG raw: dnsrecord_add(u'ipa.vagrant.example.lan', \
 u'ipa-server-1', arecord=u'192.168.44.35', version=u'2.228')
2017-11-24T09:34:44Z DEBUG dnsrecord_add(<DNS name ipa.vagrant.example.lan.>,\
 <DNS name ipa-server-1>, arecord=(u'192.168.44.35',), a_extra_create_reverse=False, \
 aaaa_extra_create_reverse=False, force=False, structured=False, all=False, raw=False, \
 version=u'2.228')

Only much later does it become obvious that something is wrong:

2017-11-07T14:08:07Z ERROR DNS query for ipa-server-1.ipa.vagrant.example.lan. 1 failed: All\
 nameservers failed to answer the query ipa-server-1.ipa.vagrant.example.lan. IN A: Server \
 127.0.0.1 UDP port 53 answered SERVFAIL
2017-11-07T14:08:12Z ERROR unable to resolve host name ipa-server-1.ipa.vagrant.example.lan. \
 to IP address, ipa-ca DNS record will be incomplete

This problem can be reproduced consistently, for example using the Vagrant setup in the puppet-ipa module.

When one looks at the generated DNS records it is clear that the A record for the server itself is missing. E.g.

$ su - admin
$ kinit admin
$ ipa dnsrecord-find vagrant.example.lan

Steps to Reproduce

Get a clean CentOS 7 test server. Run ipa-server-install with "--hostname ipa-server-1.ipa.vagrant.example.lan --domain vagrant.example.lan". The whole process can be automated with the Vagrantfile in the puppet-ipa module.

Actual behavior

Installation fails silently, leaving the admin with no idea what went wrong. The logs also do not have any clues except the SERVFAIL messages, which point towards a DNS issue.

Expected behavior

The installer should notice that the A record for the server itself was not created and fail with an error. If that is not possible, the installer should at least warn the user about using a --hostname that is in a subdomain.
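A pre-flight check of the kind this ticket asks for, added here as an illustration and not FreeIPA's own code: it assumes the installer derives the target forward zone from the parent of --hostname (as the dnsrecord_add debug lines above show) and creates only the --domain zone itself, so a hostname in a not-yet-existing subdomain is flagged before installation instead of failing silently.

```python
# Added illustration, not part of FreeIPA. Assumptions: the installer adds
# the server's A record to the zone formed by the parent labels of
# --hostname, and the only zone it creates is --domain.
from typing import NamedTuple, Sequence


class HostnameCheck(NamedTuple):
    ok: bool
    zone: str           # zone the installer would add the A record to
    relative_name: str  # record name within that zone
    message: str


def _labels(name: str) -> list:
    """Split a DNS name into lowercase labels, ignoring a trailing dot."""
    return [label for label in name.lower().rstrip(".").split(".") if label]


def check_hostname_zone(hostname: str, domain: str,
                        existing_zones: Sequence[str] = ()) -> HostnameCheck:
    """Predict whether ipa-server-install can add the A record for hostname.

    existing_zones lists forward zones that already exist in IPA DNS before
    the run; the --domain zone is always counted as present because the
    installer creates it.
    """
    host = _labels(hostname)
    dom = _labels(domain)
    if len(host) < 2:
        return HostnameCheck(False, "", "", "hostname must be fully qualified")
    zone = ".".join(host[1:])
    relative = host[0]
    if host[-len(dom):] != dom:
        return HostnameCheck(False, zone, relative,
                             f"{hostname} is not inside --domain {domain}")
    known = {".".join(_labels(z)) for z in existing_zones} | {".".join(dom)}
    if zone in known:
        return HostnameCheck(True, zone, relative, "A record can be added")
    # Hostname sits in a subdomain of --domain whose zone does not exist:
    # dnsrecord_add would target a missing zone and the server's own A
    # record would be skipped, which is the failure described above.
    return HostnameCheck(False, zone, relative,
                         f"zone {zone} does not exist; create it before "
                         f"installing or use a hostname directly under {domain}")
```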

Version/Release/Distribution

CentOS 7 with following package versions:

ipa-server-4.5.0-21.el7.centos.2.2.x86_64
ipa-client-4.5.0-21.el7.centos.2.2.x86_64
389-ds-base-1.3.6.1-21.el7_4.x86_64
pki-ca-10.4.1-13.el7_4.noarch
krb5-server-1.15.1-8.el7.x86_64

Additional info:

None.


Metadata Update from @rcritten:
- Issue priority set to: normal
- Issue set to the milestone: FreeIPA 4.8
