From c2bce952d8f4358a028eb067154011cc1f6d8a44 Mon Sep 17 00:00:00 2001 From: Rob Crittenden Date: Wed, 24 May 2023 10:55:03 -0400 Subject: [PATCH] Don't allow the FQDN to match the domain on server installs Without this the installation is successful but the DNS records will not work. With --setup-dns there will be no A record for the host (only an NS record) and the PTR record will point to the domain name. Fixes: https://pagure.io/freeipa/issue/9003 Signed-off-by: Rob Crittenden Reviewed-By: Florence Blanc-Renaud --- ipaserver/install/server/install.py | 3 +++ ipaserver/install/server/replicainstall.py | 3 +++ ipatests/test_integration/test_installation.py | 14 ++++++++++++++ .../test_integration/test_replica_promotion.py | 17 +++++++++++++++++ 4 files changed, 37 insertions(+) diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py index 91e6c6a33..4e4076410 100644 --- a/ipaserver/install/server/install.py +++ b/ipaserver/install/server/install.py @@ -525,6 +525,9 @@ def install_check(installer): domain_name = domain_name.lower() + if host_name.lower() == domain_name: + raise ScriptError("hostname cannot be the same as the domain name") + if not options.realm_name: realm_name = read_realm_name(domain_name, not installer.interactive) logger.debug("read realm_name: %s\n", realm_name) diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py index d5ab3b512..8a0c298c7 100644 --- a/ipaserver/install/server/replicainstall.py +++ b/ipaserver/install/server/replicainstall.py @@ -930,6 +930,9 @@ def promote_check(installer): installutils.verify_fqdn(config.master_host_name, options.no_host_dns, local_hostname=not container_environment) + if config.host_name.lower() == config.domain_name.lower(): + raise ScriptError("hostname cannot be the same as the domain name") + ccache = os.environ['KRB5CCNAME'] kinit_keytab('host/{env.host}@{env.realm}'.format(env=api.env), paths.KRB5_KEYTAB, 
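Review bot: The new comparison in install_check normalizes case only, so a trailing-dot spelling of either name (`ipa.example.` against `ipa.example`, constructed example) would not be equal and the install would proceed to the broken DNS layout the commit message describes. Whether such a value can reach this point depends on validation above the hunk, which is not visible here. If it can, compare the canonical forms: `if host_name.lower().rstrip('.') == domain_name.rstrip('.'):`. The same applies to the identical comparison added to promote_check in replicainstall.py, and a small shared helper would keep the two from drifting apart. install_check starts and continues outside this hunk.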
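Review bot: The check in promote_check fires on a host that is already enrolled as a client under the rejected name, but the error text gives the administrator no hint of that. The accompanying replica test shows this: `ipa-client-install --hostname <domain>` is expected to succeed and only the promotion fails. I would add a comment above the `if`, such as `# client enrollment does not reject hostname == domain, so promotion is the first place this is caught`, and consider extending the message while keeping its current prefix so the test's substring assertion still matches. The check also sits after `installutils.verify_fqdn(config.master_host_name, ...)` although it only compares two local config values. Moving it ahead of that call would fail fast, assuming nothing above the hunk (not visible) prevents it.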
diff --git a/ipatests/test_integration/test_installation.py b/ipatests/test_integration/test_installation.py index 79ec84034..39fbff2b6 100644 --- a/ipatests/test_integration/test_installation.py +++ b/ipatests/test_integration/test_installation.py @@ -2100,3 +2100,17 @@ class TestHostnameValidator(IntegrationTest): hostname = m.group(1) break assert hostname == self.master.hostname + + def test_hostname_matching_domain(self): + # https://pagure.io/freeipa/issue/9003 + # Prevent hostname from matching the domain + self.master.run_command(['hostname', self.master.hostname]) + args = self.get_args(self.master) + args.extend(['--hostname', self.master.domain.name]) + result = self.master.run_command( + args, raiseonerr=False, + ) + + assert result.returncode == 1 + assert 'hostname cannot be the same as the domain name' \ + in result.stderr_text diff --git a/ipatests/test_integration/test_replica_promotion.py b/ipatests/test_integration/test_replica_promotion.py index 28fd72d1c..d477c3a20 100644 --- a/ipatests/test_integration/test_replica_promotion.py +++ b/ipatests/test_integration/test_replica_promotion.py @@ -355,6 +355,23 @@ class TestWrongClientDomain(IntegrationTest): assert("An error occurred while removing SSSD" not in result.stdout_text) + def test_hostname_domain_matching(self): + client = self.replicas[0] + client.run_command(['ipa-client-install', '-U', '--domain', + self.master.domain.name, '-w', + self.master.config.admin_password, + '-p', 'admin', + '--server', self.master.hostname, + '--hostname', self.master.domain.name]) + Firewall(self.replicas[0]).enable_services(["freeipa-ldap", + "freeipa-ldaps"]) + result = client.run_command(['ipa-replica-install', '-U', '-w', + self.master.config.dirman_password], + raiseonerr=False) + assert result.returncode == 1 + assert 'hostname cannot be the same as the domain name' \ + in result.stderr_text + class TestRenewalMaster(IntegrationTest):
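Review bot: The first statement of test_hostname_matching_domain, `self.master.run_command(['hostname', self.master.hostname])`, changes system state without saying why. The two comment lines describe the product behaviour rather than the test steps. I would turn them into a docstring, `"""ipa-server-install must refuse a --hostname equal to the domain name (issue 9003)."""`, and put a short comment on the `hostname` call. Presumably it resets the name after earlier tests in TestHostnameValidator, but that should be confirmed by the author. The test also exercises only the exact-case match, so the `.lower()` in install_check is not covered by it.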
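Review bot: In test_hostname_domain_matching the firewall call uses `self.replicas[0]` although that host was bound to `client` at the top of the method. `Firewall(client).enable_services(["freeipa-ldap", "freeipa-ldaps"])` makes it clear that every step acts on the same machine. The test also leaves the replica enrolled under the domain name once the promotion is refused. If the teardown of TestWrongClientDomain (outside this hunk) does not unenroll it, later tests inherit that state, so either an explicit cleanup or a comment naming the teardown that covers it would help. A docstring referencing issue 9003, as the sibling test in test_installation.py does in its comments, is missing here.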