ipa-server-install runs on systems that do not have their FQDN in DNS and only have their ip/hostname pair in /etc/hosts. The installation works flawlessly except for one issue in the final DNS step. dns_update_system_records does not use glibc's NSS resolver for the ipa-ca record. Instead it uses DNS to resolve the current hostname to an IP address.
Because the installer creates the records in two different ways and has a DNS lookup timeout of 30 seconds each, the problem also slows installation by a full minute.
$ hostname
host-10-0-138-99.ipa.example
$ host $(hostname)
Host host-10-0-138-99.ipa.example not found: 3(NXDOMAIN)
$ getent ahosts $(hostname)
10.0.138.99     STREAM host-10-0-138-99.ipa.example
10.0.138.99     DGRAM
10.0.138.99     RAW
$ ipa-server-install -p Secret123 -a Secret123 -r IPA.EXAMPLE -n ipa.example -U
...
The ipa-client-install command was successful
unable to resolve host name host-10-0-138-99.ipa.example. to IP address, ipa-ca DNS record will be incomplete
unable to resolve host name host-10-0-138-99.ipa.example. to IP address, ipa-ca DNS record will be incomplete
Please add records in this file to your DNS system: /tmp/ipa.system.records.8tmwtdho.db
$ cat /tmp/ipa.system.records.8tmwtdho.db
_kerberos-master._tcp.ipa.example. 86400 IN SRV 0 100 88 host-10-0-138-99.ipa.example.
_kerberos-master._udp.ipa.example. 86400 IN SRV 0 100 88 host-10-0-138-99.ipa.example.
_kerberos._tcp.ipa.example. 86400 IN SRV 0 100 88 host-10-0-138-99.ipa.example.
_kerberos._udp.ipa.example. 86400 IN SRV 0 100 88 host-10-0-138-99.ipa.example.
_kerberos.ipa.example. 86400 IN TXT "IPA.EXAMPLE"
_kpasswd._tcp.ipa.example. 86400 IN SRV 0 100 464 host-10-0-138-99.ipa.example.
_kpasswd._udp.ipa.example. 86400 IN SRV 0 100 464 host-10-0-138-99.ipa.example.
_ldap._tcp.ipa.example. 86400 IN SRV 0 100 389 host-10-0-138-99.ipa.example.
...
_ldap._tcp.ipa.example. 86400 IN SRV 0 100 389 ipaserver.ipa.example.
ipa-ca.ipa.example. 86400 IN A 192.168.122.164
freeipa-server-4.8.9-2.fc32.x86_64
freeipa-client-4.8.9-2.fc32.x86_64
package ipa-server is not installed
package ipa-client is not installed
389-ds-base-1.4.3.12-1.fc32.x86_64
pki-ca-10.9.4-1.fc32.noarch
krb5-server-1.18.2-22.fc32.x86_64
The issue only affects F32 and earlier as well as RHEL 8. Fedora 33 uses systemd-resolved's stub resolver which turns /etc/hosts entries into DNS records for us.
I think it should be safe to use resolve_ip_addresses_nss from ipaserver.install.installutils here. It uses getaddrinfo to resolve the hostname and returns an IPAddress object.
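As an added illustration (not FreeIPA's code; the function name mirrors the one proposed above, but the body is a re-implementation, and the loopback filter and the record builder are assumptions), resolving through getaddrinfo so that /etc/hosts entries are honoured the same way getent ahosts does, then building the ipa-ca records from the result:

```python
import ipaddress
import socket


def resolve_ip_addresses_nss(fqdn):
    """Resolve a host name through glibc NSS (/etc/hosts, DNS, ...) rather
    than DNS alone.  Returns a set of ipaddress objects, empty on failure.
    Illustrative re-implementation, not the FreeIPA function."""
    name = fqdn.rstrip(".")  # getaddrinfo() does not accept the DNS trailing dot
    addrs = set()
    try:
        # AF_UNSPEC yields A and AAAA candidates; SOCK_STREAM avoids the
        # per-socket-type duplicates seen in the STREAM/DGRAM/RAW getent lines.
        for _family, _type, _proto, _canon, sockaddr in socket.getaddrinfo(
                name, None, socket.AF_UNSPEC, socket.SOCK_STREAM):
            # IPv6 sockaddrs may carry a "%scope" suffix; drop it before parsing
            addrs.add(ipaddress.ip_address(sockaddr[0].split("%")[0]))
    except socket.gaierror:
        pass  # unresolvable: caller decides how to report it
    # assumption: loopback/link-local entries must never end up in a zone file
    return {a for a in addrs if not (a.is_loopback or a.is_link_local)}


def ipa_ca_records(domain, server_fqdns, ttl=86400):
    """Build the ipa-ca A/AAAA records for the given IPA servers (the record
    the ticket reports as incomplete).  Returns (records, unresolved_names)."""
    owner = "ipa-ca.%s." % domain.rstrip(".")
    records, unresolved = [], []
    for fqdn in server_fqdns:
        addrs = resolve_ip_addresses_nss(fqdn)
        if not addrs:
            unresolved.append(fqdn)
            continue
        for addr in sorted(addrs, key=lambda a: (a.version, a.packed)):
            rtype = "A" if addr.version == 4 else "AAAA"
            records.append("%s %d IN %s %s" % (owner, ttl, rtype, addr))
    return records, unresolved


if __name__ == "__main__":
    # constructed sample input: address literals, so this runs without DNS
    recs, missing = ipa_ca_records("ipa.example", ["10.0.138.99", "fd00::1"])
    print("\n".join(recs))
    for name in missing:
        print("unable to resolve host name %s to IP address" % name)
```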
PR: https://github.com/freeipa/freeipa/pull/5174
master:
ipa-4-8:
Metadata Update from @frenaud:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

Metadata Update from @fcami:
- Custom field on_review adjusted to https://github.com/freeipa/freeipa/pull/5174