Bug 1518792 - ipa-client-install should respect DNS Locations SRV record priority
Status: CLOSED DUPLICATE of bug 1594142
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.4
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: IPA Maintainers
QA Contact: ipa-qe
Reported: 2017-11-29 15:00 UTC by Brian J. Atkisson
Modified: 2018-10-18 09:50 UTC
Last Closed: 2018-10-18 09:50:46 UTC



Description Brian J. Atkisson 2017-11-29 15:00:37 UTC
Description of problem:

When running ipa-client-install and using DNS locations to prefer IPA servers for a site, ipa-client-install does not appear to respect SRV record priority when discovering the server to use in /etc/ipa/defaults.conf.

Version-Release number of selected component (if applicable):
ipa-client-4.5.0-21.el7_4.2.2.x86_64

How reproducible:
always

Steps to Reproduce:
1. Configure a site to use DNS Locations
2. Run ipa-client-install
3.

Actual results:
Server is selected at random

Expected results:
A preferred server should be used


[root@client01 ~]# ipa-client-install  --domain=ipa.example.com --configure-firefox --mkhomedir  --ntp-server=clock1.rdu2.example.com --ntp-server=clock02.util.phx2.example.com --ntp-server=clock.bos.example.com --force-ntpd --ssh-trust-dns --enable-dns-updates --verbose
Logging to /var/log/ipaclient-install.log
ipa-client-install was invoked with arguments [] and options: {'no_dns_sshfp': False, 'force': False, 'verbose': True, 'ip_addresses': None, 'configure_firefox': True, 'realm_name': None, 'force_ntpd': True, 'on_master': False, 'no_nisdomain': False, 'ssh_trust_dns': True, 'principal': None, 'keytab': None, 'no_ntp': False, 'domain_name': 'ipa.example.com', 'request_cert': False, 'fixed_primary': False, 'no_ac': False, 'no_sudo': False, 'ca_cert_files': None, 'all_ip_addresses': False, 'kinit_attempts': None, 'ntp_servers': ['clock1.rdu2.example.com', 'clock02.util.phx2.example.com', 'clock.bos.example.com'], 'enable_dns_updates': True, 'no_sshd': False, 'no_sssd': False, 'no_krb5_offline_passwords': False, 'servers': None, 'no_ssh': False, 'force_join': False, 'firefox_dir': None, 'unattended': False, 'quiet': False, 'nisdomain': None, 'prompt_password': False, 'host_name': None, 'permit': False, 'automount_location': None, 'preserve_sssd': False, 'mkhomedir': True, 'log_file': None, 'uninstall': False}
IPA version 4.5.0-21.el7_4.2.2
Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
Starting external process
args=/usr/sbin/selinuxenabled
Process finished, return code=0
stdout=
stderr=
[IPA Discovery]
Starting IPA discovery with domain=ipa.example.com, servers=None, hostname=client01.users.ipa.example.com
Search for LDAP SRV record in ipa.example.com
Search DNS for SRV record of _ldap._tcp.ipa.example.com
DNS record found: 50 100 389 idm03.iam.prod.int.rdu2.example.com.
DNS record found: 50 100 389 idm-admin.iam.prod.int.rdu2.example.com.
DNS record found: 0 100 389 idm01.iam.prod.int.rdu2.example.com.
DNS record found: 50 100 389 idm04.iam.prod.int.phx2.example.com.
DNS record found: 50 100 389 idm03.iam.prod.int.phx2.example.com.
DNS record found: 0 100 389 idm02.iam.prod.int.rdu2.example.com.
DNS record found: 50 100 389 idm01.iam.prod.int.phx2.example.com.
DNS record found: 50 100 389 idm04.iam.prod.int.rdu2.example.com.
DNS record found: 50 100 389 idm02.iam.prod.int.phx2.example.com.
DNS record found: 50 100 389 idm-admin.iam.prod.int.phx2.example.com.
[Kerberos realm search]
Search DNS for TXT record of _kerberos.ipa.example.com
DNS record found: "IPA.EXAMPLE.COM"
Search DNS for SRV record of _kerberos._udp.ipa.example.com
DNS record found: 0 100 88 idm02.iam.prod.int.phx2.example.com.
DNS record found: 0 100 88 idm04.iam.prod.int.rdu2.example.com.
DNS record found: 0 100 88 idm03.iam.prod.int.phx2.example.com.
DNS record found: 0 100 88 idm02.iam.prod.int.rdu2.example.com.
DNS record found: 0 100 88 idm04.iam.prod.int.phx2.example.com.
DNS record found: 0 100 88 idm01.iam.prod.int.rdu2.example.com.
DNS record found: 0 100 88 idm03.iam.prod.int.rdu2.example.com.
DNS record found: 0 100 88 idm-admin.iam.prod.int.rdu2.example.com.
DNS record found: 0 100 88 idm-admin.iam.prod.int.phx2.example.com.
DNS record found: 0 100 88 idm01.iam.prod.int.phx2.example.com.
[LDAP server check]
Verifying that idm03.iam.prod.int.rdu2.example.com (realm IPA.EXAMPLE.COM) is an IPA server
Init LDAP connection to: ldap://idm03.iam.prod.int.rdu2.example.com:389
Search LDAP server for IPA base DN
Check if naming context 'dc=ipa,dc=example,dc=com' is for IPA
Naming context 'dc=ipa,dc=example,dc=com' is a valid IPA context
Search for (objectClass=krbRealmContainer) in dc=ipa,dc=example,dc=com (sub)
Found: cn=IPA.EXAMPLE.COM,cn=kerberos,dc=ipa,dc=example,dc=com
Discovery result: Success; server=idm03.iam.prod.int.rdu2.example.com, domain=ipa.example.com, kdc=idm02.iam.prod.int.phx2.example.com,idm04.iam.prod.int.rdu2.example.com,idm03.iam.prod.int.phx2.example.com,idm02.iam.prod.int.rdu2.example.com,idm04.iam.prod.int.phx2.example.com,idm01.iam.prod.int.rdu2.example.com,idm03.iam.prod.int.rdu2.example.com,idm-admin.iam.prod.int.rdu2.example.com,idm-admin.iam.prod.int.phx2.example.com,idm01.iam.prod.int.phx2.example.com, basedn=dc=ipa,dc=example,dc=com
Validated servers: idm03.iam.prod.int.rdu2.example.com
will use discovered domain: ipa.example.com
Start searching for LDAP SRV record in "ipa.example.com" (Validating DNS Discovery) and its sub-domains
Search DNS for SRV record of _ldap._tcp.ipa.example.com
DNS record found: 0 100 389 idm01.iam.prod.int.rdu2.example.com.
DNS record found: 50 100 389 idm04.iam.prod.int.phx2.example.com.
DNS record found: 50 100 389 idm03.iam.prod.int.phx2.example.com.
DNS record found: 0 100 389 idm02.iam.prod.int.rdu2.example.com.
DNS record found: 50 100 389 idm01.iam.prod.int.phx2.example.com.
DNS record found: 50 100 389 idm04.iam.prod.int.rdu2.example.com.
DNS record found: 50 100 389 idm02.iam.prod.int.phx2.example.com.
DNS record found: 50 100 389 idm-admin.iam.prod.int.phx2.example.com.
DNS record found: 50 100 389 idm03.iam.prod.int.rdu2.example.com.
DNS record found: 50 100 389 idm-admin.iam.prod.int.rdu2.example.com.
DNS validated, enabling discovery
will use discovered server: idm03.iam.prod.int.rdu2.example.com
Discovery was successful!
will use discovered realm: IPA.EXAMPLE.COM
will use discovered basedn: dc=ipa,dc=example,dc=com
Client hostname: client01.users.ipa.example.com
Hostname source: Machine's FQDN
Realm: IPA.EXAMPLE.COM
Realm source: Discovered from LDAP DNS records in idm03.iam.prod.int.rdu2.example.com
DNS Domain: ipa.example.com
DNS Domain source: Discovered LDAP SRV records from ipa.example.com
IPA Server: idm03.iam.prod.int.rdu2.example.com
IPA Server source: Discovered from LDAP DNS records in idm03.iam.prod.int.rdu2.example.com
BaseDN: dc=ipa,dc=example,dc=com
BaseDN source: From IPA server ldap://idm03.iam.prod.int.rdu2.example.com:389

Continue to configure the system with these values? [no]: 

=====



idm03.iam.prod.int.rdu2.example.com has a priority of 50, whereas idm02.iam.prod.int.rdu2.example.com and idm01.iam.prod.int.rdu2.example.com have a priority of 0. idm01 or idm02 should have been chosen based on the priority, not idm03.
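
Added example, not part of the original report and not FreeIPA's code: the RFC 2782 ordering the reporter expects (lowest priority value first, weighted random choice within a priority), applied to the LDAP SRV answers from the log above. The function names are hypothetical; the record lines are copied from the report.

```python
import random
import re

# LDAP SRV answers copied from the [IPA Discovery] log in the report above.
LOG = """\
DNS record found: 50 100 389 idm03.iam.prod.int.rdu2.example.com.
DNS record found: 50 100 389 idm-admin.iam.prod.int.rdu2.example.com.
DNS record found: 0 100 389 idm01.iam.prod.int.rdu2.example.com.
DNS record found: 50 100 389 idm04.iam.prod.int.phx2.example.com.
DNS record found: 50 100 389 idm03.iam.prod.int.phx2.example.com.
DNS record found: 0 100 389 idm02.iam.prod.int.rdu2.example.com.
DNS record found: 50 100 389 idm01.iam.prod.int.phx2.example.com.
DNS record found: 50 100 389 idm04.iam.prod.int.rdu2.example.com.
DNS record found: 50 100 389 idm02.iam.prod.int.phx2.example.com.
DNS record found: 50 100 389 idm-admin.iam.prod.int.phx2.example.com.
"""
SRV_RE = re.compile(r"DNS record found: (\d+) (\d+) (\d+) (\S+?)\.?$")

def parse_srv(log_text):
    """Return (priority, weight, port, target) tuples from discovery log lines."""
    found = (SRV_RE.match(line.strip()) for line in log_text.splitlines())
    return [(int(m[1]), int(m[2]), int(m[3]), m[4]) for m in found if m]

def order_srv(records, rng=random):
    """RFC 2782 order: lowest priority value first, weighted random within it."""
    ordered = []
    for prio in sorted({r[0] for r in records}):
        # Weight-0 records are placed first so they are only rarely selected.
        group = sorted((r for r in records if r[0] == prio), key=lambda r: r[1] != 0)
        while group:
            pick = rng.randint(0, sum(r[1] for r in group))
            running = 0
            for i, rec in enumerate(group):
                running += rec[1]
                if running >= pick:
                    ordered.append(group.pop(i))
                    break
    return ordered

def first_choice_is_valid(records, chosen_target):
    """True if chosen_target carries the lowest priority value in the answer."""
    best = min(r[0] for r in records)
    return chosen_target in {r[3] for r in records if r[0] == best}

if __name__ == "__main__":
    for prio, weight, port, target in order_srv(parse_srv(LOG)):
        print(prio, weight, port, target)
```

With these records the two priority-0 servers always sort ahead of the priority-50 ones, and `first_choice_is_valid` flags the server the installer picked in the log as not belonging to the preferred set.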

Comment 2 Florence Blanc-Renaud 2017-12-06 13:32:28 UTC
Upstream ticket:
https://pagure.io/freeipa/issue/7306

Comment 4 Florence Blanc-Renaud 2018-10-18 09:50:46 UTC
This issue has been fixed with the fix for BZ #1594142 "SRV lookup doesn't correctly sort results", hence closing as duplicate.

*** This bug has been marked as a duplicate of bug 1594142 ***

