author | Jakub Hrozek <jhrozek@redhat.com> | 2013-09-25 11:03:16 +0200 |
---|---|---|
committer | Jakub Hrozek <jhrozek@redhat.com> | 2013-09-26 22:27:35 +0200 |
commit | 82d248c7e7d61dba7065a1a744823bc06c1b5b96 (patch) | |
tree | 4d31359eba52fea9e2c9b63d57e1df8c2932927e | |
parent | 7d3b27b0b2137cbc26da20d93bdcf332b123be19 (diff) | |
IPA: Ignore dns_discovery_domain in server mode
https://fedorahosted.org/sssd/ticket/2079
If the dns_discovery_domain is set in the server mode, then the current
failover code will use it to discover the AD servers as well. This patch
resets the discovery domain unless the admin configured SRV resolution
for IPA servers manually. In the case he did, we try to warn him that
service discovery of AD servers will most likely fail.
-rw-r--r-- | src/providers/ipa/ipa_init.c | 36 |
1 files changed, 36 insertions, 0 deletions
diff --git a/src/providers/ipa/ipa_init.c b/src/providers/ipa/ipa_init.c
index a5ab8818..b1440da1 100644
--- a/src/providers/ipa/ipa_init.c
+++ b/src/providers/ipa/ipa_init.c
@@ -261,12 +261,48 @@ int sssm_ipa_id_init(struct be_ctx *bectx, DEBUG(SSSDBG_MINOR_FAILURE, ("SRV resolution enabled on the IPA server. " "Site discovery of trusted AD servers might not work\n")); + /* If SRV discovery is enabled on the server and + * dns_discovery_domain is set explicitly, then + * the current failover code would use the dns_discovery + * domain to try to find AD servers and fail + */ + if (dp_opt_get_string(bectx->be_res->opts, + DP_RES_OPT_DNS_DOMAIN)) { + sss_log(SSS_LOG_ERR, ("SRV discovery is enabled on the IPA " + "server while using custom dns_discovery_domain. " + "DNS discovery of trusted AD domain will likely fail. " + "It is recommended not to use SRV discovery or the " + "dns_discovery_domain option for the IPA domain while " + "running on the server itself\n")); + DEBUG(SSSDBG_CRIT_FAILURE, ("SRV discovery is enabled on IPA " + "server while using custom dns_discovery_domain. " + "DNS discovery of trusted AD domain will likely fail. " + "It is recommended not to use SRV discovery or the " + "dns_discovery_domain option for the IPA domain while " + "running on the server itself\n")); + } + ret = be_fo_set_dns_srv_lookup_plugin(bectx, hostname); if (ret != EOK) { DEBUG(SSSDBG_CRIT_FAILURE, ("Unable to set SRV lookup plugin " "[%d]: %s\n", ret, strerror(ret))); goto done; } + } else { + /* In server mode we need to ignore the dns_discovery_domain if set + * and only discover servers based on AD domains + */ + ret = dp_opt_set_string(bectx->be_res->opts, DP_RES_OPT_DNS_DOMAIN, + NULL); + if (ret != EOK) { + DEBUG(SSSDBG_MINOR_FAILURE, ("Could not reset the " + "dns_discovery_domain, trusted AD domains discovery " + "might fail. Please remove dns_discovery_domain " + "from the config file and restart the SSSD\n")); + } else { + DEBUG(SSSDBG_CONF_SETTINGS, ("The value of dns_discovery_domain " + "will be ignored in ipa_server_mode\n")); + } } } else { /* fall back to standard plugin on clients. */ |
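Review bot: In the new server-mode `else` branch, a failed `dp_opt_set_string(..., DP_RES_OPT_DNS_DOMAIN, NULL)` is reported only at `SSSDBG_MINOR_FAILURE`, without the error code and without a syslog entry, and initialization then continues with the stale dns_discovery_domain. The result is the same misdirected AD server discovery that the SRV branch reports through `sss_log(SSS_LOG_ERR, ...)` and `SSSDBG_CRIT_FAILURE`, so an admin running at default debug levels never learns that the reset failed. I would log it at the same severity and include the error, as the `be_fo_set_dns_srv_lookup_plugin` failure path does: `DEBUG(SSSDBG_CRIT_FAILURE, ("Could not reset the dns_discovery_domain [%d]: %s\n", ret, strerror(ret)));`, plus a matching `sss_log(SSS_LOG_ERR, ...)`. Separately, `ret` still holds the error after this branch. The rest of `sssm_ipa_id_init` is outside the hunk, so please confirm that a later assignment overwrites it before `done:`, or decide explicitly whether this failure should `goto done`.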