#8529 ipa-ca record incomplete when hostname is not in DNS
Closed: fixed 3 years ago by frenaud. Opened 3 years ago by cheimes.

Issue

ipa-server-install runs on systems that do not have their FQDN in DNS and only have their ip/hostname pair in /etc/hosts. The installation works flawlessly except for one issue in the final DNS step: dns_update_system_records does not use glibc's NSS resolver for the ipa-ca record. Instead it uses DNS to resolve the current hostname to an IP address.

Because the installer creates the records in two different ways, each with a DNS lookup timeout of 30 seconds, the problem also slows installation by a full minute.

Steps to Reproduce

  1. Run a server that does not have a DNS record but has its ip/hostname pair in /etc/hosts
  2. Run ipa-server-install without DNS
  3. Check the logs

Actual behavior

$ hostname
host-10-0-138-99.ipa.example
$ host $(hostname)
Host host-10-0-138-99.ipa.example not found: 3(NXDOMAIN)
$ getent ahosts $(hostname)
10.0.138.99     STREAM host-10-0-138-99.ipa.example
10.0.138.99     DGRAM  
10.0.138.99     RAW
$ ipa-server-install -p Secret123 -a Secret123 -r IPA.EXAMPLE -n ipa.example -U
...
The ipa-client-install command was successful

unable to resolve host name host-10-0-138-99.ipa.example. to IP address, ipa-ca DNS record will be incomplete
unable to resolve host name host-10-0-138-99.ipa.example. to IP address, ipa-ca DNS record will be incomplete
Please add records in this file to your DNS system: /tmp/ipa.system.records.8tmwtdho.db
$ cat /tmp/ipa.system.records.8tmwtdho.db 
_kerberos-master._tcp.ipa.example. 86400 IN SRV 0 100 88 host-10-0-138-99.ipa.example.
_kerberos-master._udp.ipa.example. 86400 IN SRV 0 100 88 host-10-0-138-99.ipa.example.
_kerberos._tcp.ipa.example. 86400 IN SRV 0 100 88 host-10-0-138-99.ipa.example.
_kerberos._udp.ipa.example. 86400 IN SRV 0 100 88 host-10-0-138-99.ipa.example.
_kerberos.ipa.example. 86400 IN TXT "IPA.EXAMPLE"
_kpasswd._tcp.ipa.example. 86400 IN SRV 0 100 464 host-10-0-138-99.ipa.example.
_kpasswd._udp.ipa.example. 86400 IN SRV 0 100 464 host-10-0-138-99.ipa.example.
_ldap._tcp.ipa.example. 86400 IN SRV 0 100 389 host-10-0-138-99.ipa.example.

Expected behavior

  • FreeIPA works fine on systems that do not have the current hostname in DNS yet
  • The ipa system records file always contains a correct ipa-ca pointer. A correct file from another test installation looks like this:
...
_ldap._tcp.ipa.example. 86400 IN SRV 0 100 389 ipaserver.ipa.example.
ipa-ca.ipa.example. 86400 IN A 192.168.122.164

Version/Release/Distribution

freeipa-server-4.8.9-2.fc32.x86_64
freeipa-client-4.8.9-2.fc32.x86_64
package ipa-server is not installed
package ipa-client is not installed
389-ds-base-1.4.3.12-1.fc32.x86_64
pki-ca-10.9.4-1.fc32.noarch
krb5-server-1.18.2-22.fc32.x86_64

Additional info:

The issue only affects F32 and earlier as well as RHEL 8. Fedora 33 uses systemd-resolved's stub resolver which turns /etc/hosts entries into DNS records for us.


I think it should be safe to use resolve_ip_addresses_nss from ipaserver.install.installutils here. It uses getaddrinfo to resolve the hostname and returns an IPAddress object.
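As an added illustration (not FreeIPA's own code and not the referenced fix), the following Python script builds the ipa-ca A/AAAA records the way the comment proposes: the hostname is resolved through glibc NSS via socket.getaddrinfo, so an /etc/hosts entry is honoured and no DNS query is issued. The function names (resolve_nss, usable_addresses, build_ipa_ca_records), the injectable resolver parameter and the constructed addresses are assumptions for this example.

```python
import ipaddress
import socket

TTL = 86400  # matches the TTL of the other system records in the .db file


def resolve_nss(hostname):
    """Resolve hostname through glibc NSS (/etc/hosts, then DNS, per
    nsswitch.conf) instead of a direct DNS query.  Returns the
    de-duplicated address strings, or [] when NSS cannot resolve it."""
    name = hostname.rstrip(".")
    try:
        results = socket.getaddrinfo(name, None, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return []
    seen = []
    for family, _type, _proto, _canon, sockaddr in results:
        if family not in (socket.AF_INET, socket.AF_INET6):
            continue
        addr = sockaddr[0]
        if addr not in seen:
            seen.append(addr)
    return seen


def usable_addresses(addresses):
    """Keep only addresses an ipa-ca record may legitimately point at:
    drop loopback, link-local, multicast and unspecified addresses,
    strip an IPv6 scope id ('fe80::1%eth0') and remove duplicates."""
    kept = []
    for text in addresses:
        text = text.split("%", 1)[0]
        try:
            ip = ipaddress.ip_address(text)
        except ValueError:
            continue
        if ip.is_loopback or ip.is_link_local or ip.is_multicast or ip.is_unspecified:
            continue
        if ip not in kept:
            kept.append(ip)
    return kept


def build_ipa_ca_records(zone, hostname, resolver=resolve_nss):
    """Return the zone-file lines for ipa-ca.<zone>.  The resolver is
    injectable (assumed design for this example) so the record builder
    can be exercised offline; it defaults to the NSS lookup above.
    Returns [] and warns when no usable address is found."""
    zone = zone.rstrip(".") + "."
    owner = "ipa-ca." + zone
    lines = []
    for ip in usable_addresses(resolver(hostname)):
        rtype = "A" if ip.version == 4 else "AAAA"
        lines.append(f"{owner} {TTL} IN {rtype} {ip}")
    if not lines:
        print(f"unable to resolve host name {hostname} to IP address, "
              "ipa-ca DNS record will be incomplete")
    return lines


if __name__ == "__main__":
    # Constructed usage: on a host known only through /etc/hosts this still
    # yields a record, because getaddrinfo consults NSS rather than DNS.
    for line in build_ipa_ca_records("ipa.example", socket.getfqdn()):
        print(line)
```

Run it on a host whose name is only in /etc/hosts: `host $(hostname)` returns NXDOMAIN, yet the script emits an ipa-ca A record for the /etc/hosts address, which is exactly the gap the ticket describes.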

master:

  • 731c5b2 Lookup ipa-ca record with NSS

ipa-4-8:

  • 81cf1db Lookup ipa-ca record with NSS

Metadata Update from @frenaud:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

3 years ago

Metadata Update from @fcami:
- Custom field on_review adjusted to https://github.com/freeipa/freeipa/pull/5174

3 years ago
