freeipa

Clone
Source Code
GIT

#4249 ipa-client-install does not properly handle dual stacked hosts
Closed: Fixed None Opened 10 years ago by mkosek.

Closed: Fixed
Reopen Issue

Ticket was cloned from Red Hat Bugzilla (product Fedora): Bug 1076262

Description of problem:
Joining a host to a freeipa domain never creates AAAA records if dual stacked,
and in a pure IPv6 environment there are many other issues: for example,
service checks seem to only check if a name is resolveable on A records.
Finally, even once joined, dns record updates don't (seem) to create or update
AAAA records on the domain network.

1) ipa-join should be able to handle
* v4 only
* v4 and v6 (Uploading both A and AAAA records and PTRs)
* v6 only
2) service checks should check both A and AAAA and provided *one* of these
exists it should validate.

In general, I think that freeipa needs more ipv6-only network testing ....

Version-Release number of selected component (if applicable):
freeipa-3.3.4

Related bug for ipa-server-install: #3575

See related discussion in https://bugzilla.redhat.com/show_bug.cgi?id=1077464 before implementation.

This ticket is too general and processing and triage thus takes too long - sorry.

I see it reports already tracked bugs:

  • 4164: Unable to add host when ipv6 address already exists

There are also related bugs tracked:

  • 4291: CA not start during ipa server install in pure IPv6 env

  • 3575: ipa-server-install does not properly handle dual stacked hosts

You can track these tickets separately if you are interested in solution to these issues.

Part of it (dns record updates) is not related to FreeIPA, but resides in SSSD - see related Bug 1077464.

The only untracked issue I see is that ipa-client-install only adds A or AAAA record when it is being installed (this is not done by ipa-join as reported), but it never adds both, when both IPv4 and IPv6 is configured.

Changing the ticket title to match this issue. It should be pretty easy fix, update resolve_ipaddress to not bail out when it finds A address, but rather return all IPv4 and IPv6 addresses that can be used to connect to master.

Blocked by https://fedorahosted.org/sssd/ticket/2558.

SSSD removes all A/AAAA except the one which IP address is used for LDAP connection.

Fix for bind-dyndb-ldap plugin is required for proper functionality.
https://fedorahosted.org/bind-dyndb-ldap/ticket/155

Related ticket - #4007.

SSSD ticket is planned for 1.13, this aligns well with 4.2 release.

https://fedorahosted.org/sssd/ticket/2558 was moved to 1.13.1, moving this ticket also.

master:

  • 8ba1392 client: Add support for multiple IP addresses during installation.

ipa-4-2:

  • ff34125 client: Add support for multiple IP addresses during installation.

Ticket has been cloned to Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1254785

master:

  • 9fe67dc Add dependency to SSSD 1.13.1

ipa-4-2:

  • 7924007 Add dependency to SSSD 1.13.1

master:

  • f160aa3 client: Add description of --ip-address and --all-ip-addresses to man page

ipa-4-2:

  • d0c41bd client: Add description of --ip-address and --all-ip-addresses to man page

Metadata Update from @mkosek:
- Issue assigned to dkupka
- Issue set to the milestone: FreeIPA 4.2.1
7 years ago

Login to comment on this ticket.

Metadata
None
None
None
normal
None
None
None
None
defect
https://fedorahosted.org/sssd/ticket/2558, https://fedorahosted.org/bind-dyndb-ldap/ticket/155
None
Client
None
1
ipv6
None
mbasti
None
https://bugzilla.redhat.com/show_bug.cgi?id=1076262, https://bugzilla.redhat.com/show_bug.cgi?id=1254785
None
None
None
Powered by Pagure 5.13.3
DocumentationFile an IssueAboutSSH Hostkey/Fingerprint
© Red Hat, Inc. and others.