
Sort SRV records by priority #689

Closed

Conversation

@alex-zel alex-zel commented Apr 4, 2017

In some cases where multiple SRV records are present, LDAP and Kerberos records were returned in different order, causing replication issues in a multi master environment.

Replication:

DNS configuration (using PfSense):

srv-host=_kerberos._udp.example.com,server01.example.com,88,0,1
srv-host=_kerberos._tcp.example.com,server01.example.com,88,0,1
srv-host=_kerberos-master._tcp.example.com,server01.example.com,88,0,1
srv-host=_kerberos-master._udp.example.com,server01.example.com,88,0,1
srv-host=_kpasswd._tcp.example.com,server01.example.com,88,0,1
srv-host=_kpasswd._udp.example.com,server01.example.com,88,0,1
srv-host=_ldap._tcp.example.com,server01.example.com,389,0,1
srv-host=_kerberos._udp.example.com,server02.example.com,88,0,2
srv-host=_kerberos._tcp.example.com,server02.example.com,88,0,2
srv-host=_kerberos-master._tcp.example.com,server02.example.com,88,0,2
srv-host=_kerberos-master._udp.example.com,server02.example.com,88,0,2
srv-host=_kpasswd._tcp.example.com,server02.example.com,88,0,2
srv-host=_kpasswd._udp.example.com,server02.example.com,88,0,2
srv-host=_ldap._tcp.example.com,server02.example.com,389,0,2
txt-record=_kerberos.example.com,EXAMPLE.COM

Client installation:
Host record is added beforehand from web UI on server01.example.com ONLY.
/usr/sbin/ipa-client-install --force-join --principal=bind_user --password=bind_pass --hostname=hostname -f --unattended

/var/log/ipaclient-install.log:

2017-04-02T10:54:09Z DEBUG [IPA Discovery]
2017-04-02T10:54:09Z DEBUG Starting IPA discovery with domain=None, servers=None, hostname=client01.example.com
2017-04-02T10:54:09Z DEBUG Start searching for LDAP SRV record in "example.com" (domain of the hostname) and its sub-domains
2017-04-02T10:54:09Z DEBUG Search DNS for SRV record of _ldap._tcp.example.com
2017-04-02T10:54:09Z DEBUG DNS record found: 0 1 389 server01.example.com.
2017-04-02T10:54:09Z DEBUG DNS record found: 0 2 389 server02.example.com.
2017-04-02T10:54:09Z DEBUG [Kerberos realm search]
2017-04-02T10:54:09Z DEBUG Search DNS for TXT record of _kerberos.example.com
2017-04-02T10:54:09Z DEBUG DNS record not found: NoAnswer
2017-04-02T10:54:09Z DEBUG Search DNS for SRV record of _kerberos._udp.example.com
2017-04-02T10:54:09Z DEBUG DNS record found: 0 2 88 server02.example.com.
2017-04-02T10:54:09Z DEBUG DNS record found: 0 1 88 server01.example.com.

Notice the records are not in the same order, ipa-client-install did not return any error and the client machine could see user, groups, netgroups, but users could not authenticate.
Looking at the web UI, server01.example.com shows the client is not enrolled and no kerberos key is present, but server02.example.com shows the client is enrolled and has a key.

In cases where either server01 or server02 were returned first in IPA Discovery the installation and replication went fine.
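As an added illustration (not code from this PR or from FreeIPA), the following parses the two answers from the log excerpt above and orders them. In that excerpt both records carry priority 0 and differ only in weight (1 and 2), so an ordering keyed on priority alone is stable and keeps whatever order the resolver returned; the example therefore also tie-breaks on weight and target name. `SRVRecord`, `parse_srv_log`, `sort_by_priority` and `sort_srv` are names assumed here.

```python
import re
from operator import attrgetter
from typing import List, NamedTuple


class SRVRecord(NamedTuple):
    priority: int
    weight: int
    port: int
    target: str


# Matches the "DNS record found: <priority> <weight> <port> <target>" lines
# that ipa-client-install writes to /var/log/ipaclient-install.log.
_FOUND_RE = re.compile(r"DNS record found: (\d+) (\d+) (\d+) (\S+)")


def parse_srv_log(lines: List[str]) -> List[SRVRecord]:
    """Extract SRV records from discovery log lines, keeping answer order."""
    records = []
    for line in lines:
        m = _FOUND_RE.search(line)
        if m:
            prio, weight, port, target = m.groups()
            records.append(SRVRecord(int(prio), int(weight), int(port),
                                     target.rstrip(".")))
    return records


def sort_by_priority(records: List[SRVRecord]) -> List[SRVRecord]:
    """Priority-only ordering. Python's sort is stable, so records sharing a
    priority keep the order the resolver returned them in."""
    return sorted(records, key=attrgetter("priority"))


def sort_srv(records: List[SRVRecord]) -> List[SRVRecord]:
    """Fully deterministic ordering: lowest priority first (RFC 2782), then
    highest weight, then target name, so answer order never leaks through."""
    return sorted(records, key=lambda r: (r.priority, -r.weight, r.target))


# Constructed copies of the two answers in the PR's log excerpt: same two
# servers, same priority 0, weights 1 and 2, returned in opposite orders.
LDAP_LOG = [
    "2017-04-02T10:54:09Z DEBUG DNS record found: 0 1 389 server01.example.com.",
    "2017-04-02T10:54:09Z DEBUG DNS record found: 0 2 389 server02.example.com.",
]
KRB_LOG = [
    "2017-04-02T10:54:09Z DEBUG DNS record found: 0 2 88 server02.example.com.",
    "2017-04-02T10:54:09Z DEBUG DNS record found: 0 1 88 server01.example.com.",
]
```

With these inputs `sort_by_priority` still picks a different first server for LDAP and Kerberos, while `sort_srv` picks the same one for both.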

Member

@tiran tiran left a comment

Minor style nitpicks

from dns.exception import DNSException
from dns import resolver, rdatatype
Please leave the order of imports.

from ipalib import errors
from ipapython import ipaldap
from ipaplatform.paths import paths
from ipapython.ipautil import valid_ip, realm_to_suffix
from ipapython.dn import DN
from operator import attrgetter
Please use import operator and move the import before import socket. The operator module is a stdlib module and belongs in the top section.

@MartinBasti MartinBasti self-assigned this Apr 6, 2017
@MartinBasti
Contributor

@alex-zel Please merge your commits into one, thanks.

@alex-zel
Author

alex-zel commented Apr 6, 2017

Sorry I think I messed up trying to squash the commits

@MartinBasti
Contributor

git reset HEAD~3
git add -p
git commit --amend

should help

In some cases where multiple SRV records are present, LDAP and Kerberos records were returned in different order, causing replication issues in a multi master environment.

Update ipadiscovery.py
@MartinBasti
Contributor

I squashed your commits, please check

@alex-zel
Author

Thanks, sorry I didn't get to it.

@MartinBasti MartinBasti added ack Pull Request approved, can be merged pushed Pull Request has already been pushed labels May 16, 2017
@MartinBasti
Contributor

master:

  • 8ec8e24 Sort SRV records by priority
