As a system administrator I would like the ipa-server-install to fail if it is unable to add an A record for the IPA server itself.
The ipa-server-install script is unable to add an A record for the IPA server if --hostname is in a subdomain that does not (yet) exist. In other words:
SUCCESS: --hostname ipa-server-1.vagrant.example.lan --domain vagrant.example.lan
FAILURE: --hostname ipa-server-1.ipa.vagrant.example.lan --domain vagrant.example.lan
This behavior may be expected, but only if one knows the internals of the installer. Moreover, ipa-server-install does not notice the problem nor warn about it - at least not when using the --unattended switch.
The failure seems to occur when the installer tries to add an A record for the server itself. Here's a successful run:
2017-11-24T09:53:21Z DEBUG raw: dnsrecord_add(u'vagrant.example.lan', u'ipa-server-1',\
2017-11-24T09:53:21Z DEBUG dnsrecord_add(<DNS name vagrant.example.lan.>, <DNS name\
ipa-server-1>, arecord=(u'192.168.44.35',), a_extra_create_reverse=False,\
aaaa_extra_create_reverse=False, force=False, structured=False, all=False, raw=False,\
A failed run looks identical except that the domain of course differs:
2017-11-24T09:34:44Z DEBUG raw: dnsrecord_add(u'ipa.vagrant.example.lan', \
u'ipa-server-1', arecord=u'192.168.44.35', version=u'2.228')
2017-11-24T09:34:44Z DEBUG dnsrecord_add(<DNS name ipa.vagrant.example.lan.>,\
<DNS name ipa-server-1>, arecord=(u'192.168.44.35',), a_extra_create_reverse=False, \
aaaa_extra_create_reverse=False, force=False, structured=False, all=False, raw=False, \
Only much later does it become obvious that something is wrong:
2017-11-07T14:08:07Z ERROR DNS query for ipa-server-1.ipa.vagrant.example.lan. 1 failed: All\
nameservers failed to answer the query ipa-server-1.ipa.vagrant.example.lan. IN A: Server \
127.0.0.1 UDP port 53 answered SERVFAIL
2017-11-07T14:08:12Z ERROR unable to resolve host name ipa-server-1.ipa.vagrant.example.lan. \
to IP address, ipa-ca DNS record will be incomplete
This problem can be reproduced consistently, for example using the Vagrant setup in the puppet-ipa module.
When one looks at the generated DNS records it is clear that the A record for the server itself is missing. E.g.
$ su - admin
$ kinit admin
$ ipa dnsrecord-find vagrant.example.lan
Get a clean CentOS 7 test server. Run ipa-server-install with "--hostname ipa-server-1.ipa.vagrant.example.lan --domain vagrant.example.lan". The whole process can be automated with the Vagrantfile in the puppet-ipa module.
Installation fails silently, leaving the admin no idea what went wrong. The logs also do not have any clues except the SERVFAIL messages which point towards a DNS issue.
The installer should notice that the A record for the server itself was not created and fail with an error. If that is not possible, the installer should at least warn the user about using a --hostname that is in a subdomain.
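As an added illustration of the two checks asked for above (this is not FreeIPA code and not part of the ticket), the script below mirrors the split visible in the debug log, where dnsrecord_add is called with the hostname minus its first label as the zone. The pre-flight check flags a --hostname whose zone the installer will not create, and the log check picks out the SERVFAIL and "unable to resolve host name" lines for the server's own name. Function names, the managed_zones parameter and the sample log lines are constructed for the example.

```python
"""Pre-flight and post-install checks for the IPA server's own A record.

Added example, not FreeIPA's own code. It reproduces the split the ticket's
log shows, dnsrecord_add(<zone>, <record name>), where the zone is the
hostname with its first label removed. Function names and the sample log
below are assumptions made for illustration.
"""
import re


def split_hostname(hostname):
    """Return (record_name, zone) the way the logged dnsrecord_add call does."""
    fqdn = hostname.rstrip(".").lower()
    labels = fqdn.split(".")
    if len(labels) < 2 or not all(labels):
        raise ValueError("hostname must be a fully qualified name: %r" % hostname)
    return labels[0], ".".join(labels[1:])


def check_hostname_zone(hostname, domain, managed_zones=None):
    """Decide whether the server's A record can land in a zone the installer manages.

    managed_zones defaults to the --domain zone only, which is what the ticket's
    unattended install with integrated DNS creates. Returns a dict so the caller
    can fail hard (ok=False) or print the reason as a warning.
    """
    domain = domain.rstrip(".").lower()
    zones = {z.rstrip(".").lower() for z in (managed_zones or [domain])}
    name, zone = split_hostname(hostname)
    if zone in zones:
        return {"ok": True, "record": name, "zone": zone, "reason": "zone is managed"}
    if zone.endswith("." + domain):
        return {"ok": False, "record": name, "zone": zone,
                "reason": "hostname is in subdomain %r of %r, but no zone exists for it"
                          % (zone, domain)}
    return {"ok": False, "record": name, "zone": zone,
            "reason": "hostname is outside the IPA domain %r" % domain}


# Patterns for the two error lines the ticket shows once the record is missing.
SERVFAIL_RE = re.compile(r"ERROR DNS query for (?P<name>\S+) \d+ failed: .*SERVFAIL")
UNRESOLVED_RE = re.compile(r"ERROR unable to resolve host name (?P<name>\S+) to IP address")


def find_missing_arecord(log_lines, hostname):
    """Return the log lines that show the server's own name failing to resolve."""
    fqdn = hostname.rstrip(".").lower() + "."
    hits = []
    for line in log_lines:
        m = SERVFAIL_RE.search(line) or UNRESOLVED_RE.search(line)
        if m and m.group("name").lower() == fqdn:
            hits.append(line.strip())
    return hits


# Constructed sample log, modelled on the lines quoted in the ticket.
SAMPLE_LOG = [
    "2017-11-07T14:08:01Z DEBUG dnsrecord_add(<DNS name ipa.vagrant.example.lan.>, "
    "<DNS name ipa-server-1>, arecord=(u'192.168.44.35',))",
    "2017-11-07T14:08:07Z ERROR DNS query for ipa-server-1.ipa.vagrant.example.lan. 1 failed: "
    "All nameservers failed to answer the query ipa-server-1.ipa.vagrant.example.lan. IN A: "
    "Server 127.0.0.1 UDP port 53 answered SERVFAIL",
    "2017-11-07T14:08:12Z ERROR unable to resolve host name "
    "ipa-server-1.ipa.vagrant.example.lan. to IP address, ipa-ca DNS record will be incomplete",
]


if __name__ == "__main__":
    for host in ("ipa-server-1.vagrant.example.lan", "ipa-server-1.ipa.vagrant.example.lan"):
        result = check_hostname_zone(host, "vagrant.example.lan")
        print("%-40s ok=%s %s" % (host, result["ok"], result["reason"]))
    for hit in find_missing_arecord(SAMPLE_LOG, "ipa-server-1.ipa.vagrant.example.lan"):
        print("post-install evidence:", hit)
```

Run as a pre-flight step, the second hostname from the ticket is rejected with a reason that names the missing zone, which is the warning the ticket asks for; passing the subdomain in managed_zones models the case where that zone is created ahead of time. The log scan gives an unattended run something concrete to fail on instead of leaving only the SERVFAIL noise.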
CentOS 7 with following package versions:
Metadata Update from @rcritten:
- Issue priority set to: normal
- Issue set to the milestone: FreeIPA 4.8