Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1802209
Description of problem:
Installing an IPA client on a host that only has an IPv6 address fails with an error message that the "admin user" cannot be found.

Version-Release number of selected component (if applicable):
ipa-client-4.6.5-11.el7_7.4.x86_64
sssd-1.16.4-21.el7_7.1.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Configure an IPA server with an IPv6 address
2. Set up a new host as a client with only an IPv6 address
3. Run "ipa-client-install" on the client

Actual results:
~~~
....
Systemwide CA database updated.
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
[try 1]: Forwarding 'host_mod' to json server 'https://ipa.example.com/ipa/json'
SSSD enabled
Configured /etc/openldap/ldap.conf
Unable to find 'user1' user with 'getent passwd user1@example.com'!
Unable to reliably detect configuration. Check NSS setup manually.
NTP enabled
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Searching for IPA server...
IPA server: DNS discovery
Restarting sssd, waiting for it to become available.
Unable to find 'admin' user with 'getent passwd admin@EXAMPLE.COM'!
This may mean that sssd didn't re-start properly after the configuration changes.
~~~

This is caused by sssd not starting up:
~~~
(Tue Feb 11 10:37:55 2020) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline]
~~~
and can be resolved by adding "lookup_family_order = ipv6_only" under the domain section in SSSD.conf

Expected results:
Installation to detect an IPv6 only network and configure sssd accordingly.

Additional info:
https://blog.delouw.ch/2017/03/01/configure-sssd-to-work-on-ipv6-only-hosts/
and the referenced sssd tickets:
https://pagure.io/SSSD/sssd/issue/2128
https://pagure.io/SSSD/sssd/issue/2015
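Added example (not code from the report and not ipa-client-install's own code) of what the "expected results" above would look like in code: decide from the host's configured addresses whether it is IPv6-only and, only then, write the `lookup_family_order = ipv6_only` workaround into the `[domain/...]` section of sssd.conf. Assumptions: the address list and the sssd.conf text are constructed samples for the placeholder domain example.com; loopback and link-local addresses do not count as a usable family; stdlib configparser is used for the rewrite instead of SSSD's own SSSDConfig Python module (configparser drops comments, so it is not what a real installer should use). A later comment in this ticket points out that the SSSD setting alone leaves other applications on the host unfixed; this example only covers the SSSD side.

```python
import configparser
import io
import ipaddress

# Constructed sample of the sssd.conf ipa-client-install writes; domain and
# hostnames are placeholders, not taken from a real deployment.
SAMPLE_SSSD_CONF = """\
[sssd]
domains = example.com
services = nss, pam, ssh, sudo

[domain/example.com]
id_provider = ipa
auth_provider = ipa
ipa_domain = example.com
ipa_server = _srv_, ipa.example.com
cache_credentials = True
"""


def host_is_ipv6_only(addresses):
    """True if the host has a usable IPv6 address but no usable IPv4 one.

    Loopback and link-local addresses are ignored: ::1 and 127.0.0.1 exist on
    every host and fe80::/10 cannot reach the IPA server anyway.
    """
    has_v4 = has_v6 = False
    for addr in addresses:
        ip = ipaddress.ip_address(addr)
        if ip.is_loopback or ip.is_link_local:
            continue
        if ip.version == 4:
            has_v4 = True
        else:
            has_v6 = True
    return has_v6 and not has_v4


def choose_lookup_family_order(addresses):
    """Return the lookup_family_order value to set, or None to keep SSSD's default."""
    return "ipv6_only" if host_is_ipv6_only(addresses) else None


def set_lookup_family_order(sssd_conf_text, domain, order):
    """Return sssd.conf text with lookup_family_order set in [domain/<domain>].

    Assumption: configparser is good enough for this demo. It drops comments on
    rewrite, so a real installer should go through SSSD's SSSDConfig module.
    """
    cp = configparser.RawConfigParser()
    cp.optionxform = str  # keep option names exactly as written
    cp.read_string(sssd_conf_text)
    section = f"domain/{domain}"
    if not cp.has_section(section):
        raise KeyError(f"no [{section}] section in sssd.conf")
    cp.set(section, "lookup_family_order", order)
    out = io.StringIO()
    cp.write(out)
    return out.getvalue()


def configure_sssd_for_host(addresses, sssd_conf_text, domain):
    """Patch sssd.conf only when the host is IPv6-only; otherwise leave it alone."""
    order = choose_lookup_family_order(addresses)
    if order is None:
        return sssd_conf_text
    return set_lookup_family_order(sssd_conf_text, domain, order)


if __name__ == "__main__":
    # Constructed address list of an IPv6-only client (2001:db8::/32 is documentation space).
    client_addrs = ["127.0.0.1", "::1", "fe80::5054:ff:fe12:3456", "2001:db8:1::10"]
    print(configure_sssd_for_host(client_addrs, SAMPLE_SSSD_CONF, "example.com"))
```

On a dual-stack or IPv4-only host `configure_sssd_for_host` returns the input unchanged, so the installer would keep SSSD's default `ipv4_first` behaviour there.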
Metadata Update from @rcritten: - Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1802209
Metadata Update from @rcritten: - Issue assigned to rcritten
Note that this is not enough because any other application on the machine would be failing to pick up IPv6 too. You really need to configure IPv6 addresses to be preferred in the system resolver via gai.conf(5).
I agree with Alexander. It's problematic that SSSD behaves differently than other LDAP clients or HTTPS connections with the `ipa` CLI.
RFC 3484 and gai.conf(5) define defaults and system-wide configuration options to modify the default lookup order. By default an RFC 3484 conformant application should use the OS lookup order, which is IPv6 before IPv4. With the option `precedence ::ffff:0:0/96 100` in `/etc/gai.conf` the `getaddrinfo()` API returns `AF_INET` before `AF_INET6` (applications must be restarted to re-read the new configuration).
Currently SSSD defaults to `lookup_family_order = ipv4_first`. There is no option to use the default order from glibc. IMHO SSSD should use the default order and we should rather point customers to `gai.conf` than to SSSD's option `lookup_family_order` to fix buggy IPv6/IPv4 deployments.
By default IPv6 has a higher precedence than IPv4:

~~~
# python3 -c "import socket, pprint; pprint.pprint(socket.getaddrinfo('www.redhat.com', 443, socket.AF_UNSPEC, socket.SOCK_STREAM))"
[(<AddressFamily.AF_INET6: 10>, <SocketKind.SOCK_STREAM: 1>, 6, '', ('2a02:26f0:fe00:1a5::d44', 443, 0, 0)),
 (<AddressFamily.AF_INET6: 10>, <SocketKind.SOCK_STREAM: 1>, 6, '', ('2a02:26f0:fe00:190::d44', 443, 0, 0)),
 (<AddressFamily.AF_INET: 2>, <SocketKind.SOCK_STREAM: 1>, 6, '', ('2.19.199.160', 443))]
~~~

Give IPv4 a higher precedence:

~~~
# echo "precedence ::ffff:0:0/96 100" >> /etc/gai.conf
# python3 -c "import socket, pprint; pprint.pprint(socket.getaddrinfo('www.redhat.com', 443, socket.AF_UNSPEC, socket.SOCK_STREAM))"
[(<AddressFamily.AF_INET: 2>, <SocketKind.SOCK_STREAM: 1>, 6, '', ('2.19.199.160', 443)),
 (<AddressFamily.AF_INET6: 10>, <SocketKind.SOCK_STREAM: 1>, 6, '', ('2a02:26f0:fe00:190::d44', 443, 0, 0)),
 (<AddressFamily.AF_INET6: 10>, <SocketKind.SOCK_STREAM: 1>, 6, '', ('2a02:26f0:fe00:1a5::d44', 443, 0, 0))]
~~~
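Added example (my own code, not glibc's or SSSD's) that shows why the `precedence ::ffff:0:0/96 100` line above flips the order: it implements rule 6 (precedence) of the RFC 3484 destination sort over the three addresses `getaddrinfo()` returned in the comment, once with glibc's default table and once with that gai.conf line applied, and, to illustrate the earlier remark that SSSD defaults to `ipv4_first`, a simplified model of SSSD's `lookup_family_order` knob, which does not consult gai.conf at all. Assumptions: the gai.conf text is a constructed sample; a precedence line is merged into the default table with the longest matching prefix winning; SSSD's behaviour is reduced to "which address family is tried first", so the model only reproduces the family ordering, not SSSD's fallback logic; only rule 6 is implemented, so the relative order of the two IPv6 addresses may differ from what a real `getaddrinfo()` returns.

```python
import ipaddress

# glibc's default precedence table (RFC 3484 section 2.1, reproduced in
# gai.conf(5)); this is what applies when /etc/gai.conf sets no precedence.
DEFAULT_PRECEDENCE = {
    "::1/128": 50,
    "::/0": 40,
    "2002::/16": 30,
    "::/96": 20,
    "::ffff:0:0/96": 10,  # IPv4-mapped: every IPv4 destination lands here
}

# Constructed sample of the gai.conf produced by the echo command above.
SAMPLE_GAI_CONF = """\
# /etc/gai.conf (constructed sample)
precedence ::ffff:0:0/96  100
"""

# The three addresses getaddrinfo() returned for www.redhat.com in the comment above.
CANDIDATES = ["2a02:26f0:fe00:1a5::d44", "2a02:26f0:fe00:190::d44", "2.19.199.160"]


def parse_gai_conf(text):
    """Return [(prefix, value), ...] for the 'precedence' lines of a gai.conf."""
    overrides = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # gai.conf comments start with '#'
            continue
        parts = line.split()
        if parts[0] == "precedence" and len(parts) == 3:
            overrides.append((parts[1], int(parts[2])))
    return overrides


def precedence_table(overrides):
    """Default table with gai.conf entries merged in (assumption: merge, longest prefix wins)."""
    table = {ipaddress.ip_network(p): v for p, v in DEFAULT_PRECEDENCE.items()}
    for prefix, value in overrides:
        table[ipaddress.ip_network(prefix)] = value
    return table


def to_v6(addr):
    """RFC 3484 compares everything as IPv6; IPv4 is treated as IPv4-mapped (::ffff:a.b.c.d)."""
    ip = ipaddress.ip_address(addr)
    return ipaddress.IPv6Address(f"::ffff:{ip}") if ip.version == 4 else ip


def precedence_of(addr, table):
    """Rule 6 lookup: precedence of the longest prefix that contains the address."""
    ip = to_v6(addr)
    matches = [(net.prefixlen, value) for net, value in table.items() if ip in net]
    return max(matches)[1] if matches else 0


def sort_destinations(addrs, table):
    """Rule 6 of the RFC 3484 destination sort only: higher precedence first, stable otherwise."""
    return sorted(addrs, key=lambda a: -precedence_of(a, table))


def sssd_family_order(addrs, lookup_family_order="ipv4_first"):
    """Simplified model of SSSD's lookup_family_order: which family it tries first.

    SSSD resolves through c-ares and never reads gai.conf, so the table above
    has no effect here; only this option does.
    """
    v4 = [a for a in addrs if ipaddress.ip_address(a).version == 4]
    v6 = [a for a in addrs if ipaddress.ip_address(a).version == 6]
    return {"ipv4_first": v4 + v6, "ipv6_first": v6 + v4,
            "ipv4_only": v4, "ipv6_only": v6}[lookup_family_order]


if __name__ == "__main__":
    default = precedence_table([])
    patched = precedence_table(parse_gai_conf(SAMPLE_GAI_CONF))
    print("glibc default table :", sort_destinations(CANDIDATES, default))
    print("with gai.conf line  :", sort_destinations(CANDIDATES, patched))
    print("SSSD ipv4_first     :", sssd_family_order(CANDIDATES))
    print("SSSD ipv6_only      :", sssd_family_order(CANDIDATES, "ipv6_only"))
```

With the default table the IPv4 address gets precedence 10 and sorts last; the gai.conf line raises it to 100 and it sorts first, matching the two `getaddrinfo()` runs above. The SSSD model shows the other half of the complaint: its `ipv4_first` default puts IPv4 first regardless of the table, and on an IPv6-only host only `ipv6_only` (or `ipv6_first`) avoids trying an unreachable family.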
Update from internal discussion: SSSD uses the async DNS resolver c-ares instead of glibc's DNS resolver. c-ares does not use /etc/gai.conf.
I think additionally this is a problem since SSSD defaults to ipv4_first. So even if the preferences are set properly elsewhere SSSD will be doing the wrong thing.
The RFE against SSSD to correct this was closed as wontfix. https://pagure.io/SSSD/sssd/issue/2015
So what do we want to do here? Let SSSD handle it? The issue is still currently wontfix.
Closing as this is going to be handled by sssd.
Metadata Update from @rcritten: - Issue close_status updated to: invalid - Issue status updated to: Closed (was: Open)