From 82d248c7e7d61dba7065a1a744823bc06c1b5b96 Mon Sep 17 00:00:00 2001 From: Jakub Hrozek Date: Wed, 25 Sep 2013 11:03:16 +0200 Subject: IPA: Ignore dns_discovery_domain in server mode https://fedorahosted.org/sssd/ticket/2079 If the dns_discovery_domain is set in the server mode, then the current failover code will use it to discover the AD servers as well. This patch resets the discovery domain unless the admin configured SRV resolution for IPA servers manually. In the case he did, we try to warn him that service discovery of AD servers will most likely fail.
---
src/providers/ipa/ipa_init.c | 36 ++++++++++++++++++++++++++++++++++++
1 file changed, 36 insertions(+)
diff --git a/src/providers/ipa/ipa_init.c b/src/providers/ipa/ipa_init.c
index a5ab8818..b1440da1 100644
--- a/src/providers/ipa/ipa_init.c
+++ b/src/providers/ipa/ipa_init.c
@@ -261,12 +261,48 @@ int sssm_ipa_id_init(struct be_ctx *bectx, DEBUG(SSSDBG_MINOR_FAILURE, ("SRV resolution enabled on the IPA server. " "Site discovery of trusted AD servers might not work\n")); + /* If SRV discovery is enabled on the server and + * dns_discovery_domain is set explicitly, then + * the current failover code would use the dns_discovery + * domain to try to find AD servers and fail + */ + if (dp_opt_get_string(bectx->be_res->opts, + DP_RES_OPT_DNS_DOMAIN)) { + sss_log(SSS_LOG_ERR, ("SRV discovery is enabled on the IPA " + "server while using custom dns_discovery_domain. " + "DNS discovery of trusted AD domain will likely fail. " + "It is recommended not to use SRV discovery or the " + "dns_discovery_domain option for the IPA domain while " + "running on the server itself\n")); + DEBUG(SSSDBG_CRIT_FAILURE, ("SRV discovery is enabled on IPA " + "server while using custom dns_discovery_domain. " + "DNS discovery of trusted AD domain will likely fail. " + "It is recommended not to use SRV discovery or the " + "dns_discovery_domain option for the IPA domain while " + "running on the server itself\n")); + } + ret = be_fo_set_dns_srv_lookup_plugin(bectx, hostname); if (ret != EOK) { DEBUG(SSSDBG_CRIT_FAILURE, ("Unable to set SRV lookup plugin " "[%d]: %s\n", ret, strerror(ret))); goto done; } + } else { + /* In server mode we need to ignore the dns_discovery_domain if set + * and only discover servers based on AD domains + */ + ret = dp_opt_set_string(bectx->be_res->opts, DP_RES_OPT_DNS_DOMAIN, + NULL); + if (ret != EOK) { + DEBUG(SSSDBG_MINOR_FAILURE, ("Could not reset the " + "dns_discovery_domain, trusted AD domains discovery " + "might fail. Please remove dns_discovery_domain " + "from the config file and restart the SSSD\n")); + } else { + DEBUG(SSSDBG_CONF_SETTINGS, ("The value of dns_discovery_domain " + "will be ignored in ipa_server_mode\n")); + } } } else { /* fall back to standard plugin on clients. */ -- cgit
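Review bot: In the new `else` branch a failed `dp_opt_set_string(bectx->be_res->opts, DP_RES_OPT_DNS_DOMAIN, NULL)` is reported only at `SSSDBG_MINOR_FAILURE` and initialization carries on, so the configured dns_discovery_domain stays in effect for trusted AD server discovery, which is the condition this commit sets out to remove. The message asks the admin to edit the config and restart, but unlike the SRV branch above it never reaches syslog through `sss_log(SSS_LOG_ERR, ...)`, so it is only seen when debug logging is turned up. I would raise it to `SSSDBG_CRIT_FAILURE` and mirror it with `sss_log`, or `goto done` with the error if server mode is not meant to run in that state. Separately, the two long literals in the SRV branch already differ ("on the IPA server" vs "on IPA server"); one shared string would keep the syslog and debug text in sync. The enclosing function `sssm_ipa_id_init` starts and ends outside the hunk.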