summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorJakub Hrozek <jhrozek@redhat.com>2013-09-25 11:03:16 +0200
committerJakub Hrozek <jhrozek@redhat.com>2013-09-26 22:27:35 +0200
commit82d248c7e7d61dba7065a1a744823bc06c1b5b96 (patch)
tree4d31359eba52fea9e2c9b63d57e1df8c2932927e
parent7d3b27b0b2137cbc26da20d93bdcf332b123be19 (diff)
downloadsssd-82d248c7e7d61dba7065a1a744823bc06c1b5b96.tar.gz
sssd-82d248c7e7d61dba7065a1a744823bc06c1b5b96.tar.xz
sssd-82d248c7e7d61dba7065a1a744823bc06c1b5b96.zip
IPA: Ignore dns_discovery_domain in server mode
https://fedorahosted.org/sssd/ticket/2079 If the dns_discovery_domain is set in the server mode, then the current failover code will use it to discover the AD servers as well. This patch resets the discovery domain unless the admin configured SRV resolution for IPA servers manually. In the case he did, we try to warn him that service discovery of AD servers will most likely fail.
-rw-r--r--src/providers/ipa/ipa_init.c36
1 files changed, 36 insertions, 0 deletions
diff --git a/src/providers/ipa/ipa_init.c b/src/providers/ipa/ipa_init.c
index a5ab88182..b1440da16 100644
--- a/src/providers/ipa/ipa_init.c
+++ b/src/providers/ipa/ipa_init.c
@@ -261,12 +261,48 @@ int sssm_ipa_id_init(struct be_ctx *bectx,
DEBUG(SSSDBG_MINOR_FAILURE, ("SRV resolution enabled on the IPA server. "
"Site discovery of trusted AD servers might not work\n"));
+ /* If SRV discovery is enabled on the server and
+ * dns_discovery_domain is set explicitly, then
+ * the current failover code would use the dns_discovery
+ * domain to try to find AD servers and fail
+ */
+ if (dp_opt_get_string(bectx->be_res->opts,
+ DP_RES_OPT_DNS_DOMAIN)) {
+ sss_log(SSS_LOG_ERR, ("SRV discovery is enabled on the IPA "
+ "server while using custom dns_discovery_domain. "
+ "DNS discovery of trusted AD domain will likely fail. "
+ "It is recommended not to use SRV discovery or the "
+ "dns_discovery_domain option for the IPA domain while "
+ "running on the server itself\n"));
+ DEBUG(SSSDBG_CRIT_FAILURE, ("SRV discovery is enabled on IPA "
+ "server while using custom dns_discovery_domain. "
+ "DNS discovery of trusted AD domain will likely fail. "
+ "It is recommended not to use SRV discovery or the "
+ "dns_discovery_domain option for the IPA domain while "
+ "running on the server itself\n"));
+ }
+
ret = be_fo_set_dns_srv_lookup_plugin(bectx, hostname);
if (ret != EOK) {
DEBUG(SSSDBG_CRIT_FAILURE, ("Unable to set SRV lookup plugin "
"[%d]: %s\n", ret, strerror(ret)));
goto done;
}
+ } else {
+ /* In server mode we need to ignore the dns_discovery_domain if set
+ * and only discover servers based on AD domains
+ */
+ ret = dp_opt_set_string(bectx->be_res->opts, DP_RES_OPT_DNS_DOMAIN,
+ NULL);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_MINOR_FAILURE, ("Could not reset the "
+ "dns_discovery_domain, trusted AD domains discovery "
+ "might fail. Please remove dns_discovery_domain "
+ "from the config file and restart the SSSD\n"));
+ } else {
+ DEBUG(SSSDBG_CONF_SETTINGS, ("The value of dns_discovery_domain "
+ "will be ignored in ipa_server_mode\n"));
+ }
}
} else {
/* fall back to standard plugin on clients. */