#2787 [RFE] Binding IPA Replica to a specific Nic or hostname using --hostname
Closed: wontfix 5 years ago Opened 11 years ago by dpal.

https://bugzilla.redhat.com/show_bug.cgi?id=824519 (Red Hat Enterprise Linux 6)

Description of problem:
Server has 2 NICs and each NIC resolves to a different hostname. Installing IPA
Replica server using the secondary hostname which is bound to the 2nd NIC fails.

Version-Release number of selected component (if applicable):
ipa-server-2.2.0-14.el6.x86_64

How reproducible:
Always

Steps to Reproduce:

Note: We need to uninstall IPA before moving on to the next case
# ipa-server-install --uninstall

Verify
# netstat -ntlp | egrep '389|636'

Case 1: Without --ip-address option. Not using /etc/hosts file

1. Prepare replica file from the master server

# ipa-replica-prepare options <secondary FQDN>

2. Copy replica file over to Replica Server

3. Make sure the both hostnames resolve through DNS with respective PTR

4. Install Replica first without any options

# ipa-replica-install REPLICA_FILE


Case 2: With --ip-address option. Not using /etc/hosts file

5. Install Replica with giving the IP address option

# ipa-replica-install REPLICA_FILE --ip-address=<Second NIC IP>

Case 3: Using /etc/hosts file for Hostname resolution without --ip-address option

6. # ipa-replica-install REPLICA_FILE

Case 4: Using /etc/hosts file for Hostname resolution with --ip-address option

7. # ipa-replica-install REPLICA_FILE --ip-address=<Second NIC IP>

Actual results:

For Case 1 and 3

creation of replica failed: {'info': 'TLS: hostname does not match CN in peer
certificate', 'desc': "Can't contact LDAP server"}

Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.


For Case 2 and 4

Error: the hostname resolves to an IP address that is different
from the one provided on the command line. Please fix your DNS
or /etc/hosts file and restart the installation.


[21/30]: setting up initial replication
creation of replica failed: {'info': 'TLS: hostname does not match CN in peer
certificate', 'desc': "Can't contact LDAP server"}

Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

Expected results:

Replica installation should be successful.

Additional info:

RFE: To use --hostname to configure binding replica to specific NIC or hostname

Eg.
* On Master IPA server

[root@ratchet ~]# host eywa.lab.eng.pnq.redhat.com ; host 10.65.201.136
eywa.lab.eng.pnq.redhat.com has address 10.65.201.136
136.201.65.10.in-addr.arpa domain name pointer eywa.lab.eng.pnq.redhat.com.

[root@ratchet ~]# ipa-replica-prepare eywa.lab.eng.pnq.redhat.com
Directory Manager (existing master) password:

Preparing replica for eywa.lab.eng.pnq.redhat.com from
ratchet.lab.eng.pnq.redhat.com
Creating SSL certificate for the Directory Server
Creating SSL certificate for the dogtag Directory Server
Creating SSL certificate for the Web Server
Exporting RA certificate
Copying additional files
Finalizing configuration
Packaging replica information into
/var/lib/ipa/replica-info-eywa.lab.eng.pnq.redhat.com.gpg

[root@ratchet ~]# ipa dnsrecord-find lab.eng.pnq.redhat.com. eywa
----------------------------
Number of entries returned 0
----------------------------

[root@ratchet ~]# cat /etc/resolv.conf
search lab.eng.pnq.redhat.com pnq.redhat.com redhat.com
nameserver 10.65.201.245


* On Replica server

[root@sideswipe ~]# cat /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6

[root@sideswipe ~]# cat /etc/resolv.conf
search lab.eng.pnq.redhat.com pnq.redhat.com redhat.com
nameserver 10.65.201.245

[root@sideswipe ~]# host sideswipe.lab.eng.pnq.redhat.com ; host 10.65.201.67;
host eywa.lab.eng.pnq.redhat.com; host 10.65.201.136
sideswipe.lab.eng.pnq.redhat.com has address 10.65.201.67
67.201.65.10.in-addr.arpa domain name pointer sideswipe.lab.eng.pnq.redhat.com.
eywa.lab.eng.pnq.redhat.com has address 10.65.201.136
136.201.65.10.in-addr.arpa domain name pointer eywa.lab.eng.pnq.redhat.com.

[root@sideswipe ~]# ipa-replica-install
replica-info-eywa.lab.eng.pnq.redhat.com.gpg
Directory Manager (existing master) password:

This replica was created for 'eywa.lab.eng.pnq.redhat.com' but this machine is
named 'sideswipe.lab.eng.pnq.redhat.com'
This may cause problems. Continue? [yes]:

Run connection check to master
Check connection from replica to remote master
'ratchet.lab.eng.pnq.redhat.com':
Directory Service: Unsecure port (389): OK
Directory Service: Secure port (636): OK
.
.
[20/30]: restarting directory server
[21/30]: setting up initial replication
creation of replica failed: {'info': 'TLS: hostname does not match CN in peer
certificate', 'desc': "Can't contact LDAP server"}

Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

Small note: Think carefully about environments with NAT/non-standard DNS (like Amazon EC2).
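The two failures in this report (the DS certificate CN in the replica file naming a different host than the machine installs as, and --ip-address disagreeing with what the name resolves to) can both be caught before running the installer. The preflight below is an added example, not FreeIPA code; `replica_preflight`, `LAB_DNS` and `LAB_PTR` are assumed names, and the lab table is constructed from the addresses quoted in the ticket rather than live DNS.

```python
import socket
from typing import Callable, List, Optional

def _norm(name: str) -> str:
    """Compare FQDNs case-insensitively and without a trailing dot."""
    return name.lower().rstrip(".")

def resolve_a(fqdn: str) -> Optional[str]:
    """Forward lookup through the system resolver; None on failure."""
    try:
        return socket.gethostbyname(fqdn)
    except socket.gaierror:
        return None

def resolve_ptr(ip: str) -> Optional[str]:
    """Reverse lookup through the system resolver; None on failure."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None

# Constructed lab data mirroring the ticket (not live DNS); pass
# LAB_DNS.get / LAB_PTR.get as resolvers to run offline.
LAB_DNS = {"eywa.lab.eng.pnq.redhat.com": "10.65.201.136",
           "sideswipe.lab.eng.pnq.redhat.com": "10.65.201.67"}
LAB_PTR = {ip: name for name, ip in LAB_DNS.items()}

def replica_preflight(replica_for: str, machine_hostname: str,
                      ip_address: Optional[str] = None,
                      forward: Callable[[str], Optional[str]] = resolve_a,
                      reverse: Callable[[str], Optional[str]] = resolve_ptr) -> List[str]:
    """Return the problems found; an empty list means replica file, local
    hostname, --ip-address and DNS all agree on the same name and address."""
    problems: List[str] = []
    # The DS cert packaged by ipa-replica-prepare has CN=<replica_for>; installing
    # under another hostname is what produces "TLS: hostname does not match CN".
    if _norm(replica_for) != _norm(machine_hostname):
        problems.append(f"replica file prepared for {replica_for} but this machine "
                        f"is named {machine_hostname}; DS cert CN will not match")
    ip = forward(replica_for)
    if ip is None:
        problems.append(f"{replica_for} has no A record")
        return problems
    ptr = reverse(ip)
    if ptr is None or _norm(ptr) != _norm(replica_for):
        problems.append(f"PTR for {ip} is {ptr!r}, expected {replica_for}")
    # Mirrors the installer's "hostname resolves to an IP address that is
    # different from the one provided on the command line" abort.
    if ip_address is not None and ip_address != ip:
        problems.append(f"--ip-address={ip_address} but {replica_for} resolves to {ip}")
    return problems
```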

Metadata Update from @dpal:
- Issue assigned to rcritten
- Issue set to the milestone: Future Releases

7 years ago

Thank you for taking the time to submit this request for FreeIPA. Unfortunately this bug was not given priority and the team lacks the capacity to work on it at this time.

Given that we are unable to fulfil this request I am closing the issue as wontfix. To request re-consideration of this decision please reopen this issue and provide additional technical details about its importance to you.

Metadata Update from @rcritten:
- Issue close_status updated to: wontfix
- Issue status updated to: Closed (was: Open)

5 years ago
