Bug 1018018 - ipa-client-install to a different hostname can fail to set up new DNS records
Status: CLOSED WORKSFORME
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.0
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: Martin Kosek
QA Contact: Namita Soman
Reported: 2013-10-11 01:43 UTC by Michael Gregg
Modified: 2014-08-05 11:18 UTC (History)

Doc Type: Bug Fix
Last Closed: 2013-10-11 19:48:41 UTC

Description Michael Gregg 2013-10-11 01:43:18 UTC
Description of problem:
This has come up in a QA test. It looks like in some cases running install-client-cli to a new hostname on a client will not set up DNS records properly.

Version-Release number of selected component (if applicable):
ipa-client-3.3.2-1.el7.x86_64

How reproducible:
unknown

Steps to Reproduce:
1. ipa-client-install --hostname=ipaqavmg.testrelm.com.nonexistent --server=<master IPA server> --domain=testrelm.com -p admin -w Secret123  -U

Actual results:
[root@ipaqavmg install-client-cli]# ipa-client-install --hostname=ipaqavmg.testrelm.com.nonexistent --server=ipaqa64vmj.testrelm.com --domain=testrelm.com -p admin -w Secret123  -U
WARNING: ntpd time&date synchronization service will not be configured as
conflicting service (chronyd) is enabled
Use --force-ntpd option to disable it and force configuration of ntpd

Hostname: ipaqavmg.testrelm.com.nonexistent
Realm: TESTRELM.COM
DNS Domain: testrelm.com
IPA Server: ipaqa64vmj.testrelm.com
BaseDN: dc=testrelm,dc=com

Synchronizing time with KDC...
Unable to sync time with IPA NTP server, assuming the time is in sync. Please check that 123 UDP port is opened.
Successfully retrieved CA cert
    Subject:     CN=Certificate Authority,O=TESTRELM.COM
    Issuer:      CN=Certificate Authority,O=TESTRELM.COM
    Valid From:  Thu Oct 10 00:04:33 2013 UTC
    Valid Until: Mon Oct 10 00:04:33 2033 UTC

Enrolled in IPA realm TESTRELM.COM
Created /etc/ipa/default.conf
New SSSD config will be created
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm TESTRELM.COM
Hostname (ipaqavmg.testrelm.com.nonexistent) not found in DNS
Failed to update DNS records.
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Could not update DNS SSHFP records.
SSSD enabled
Configured /etc/openldap/ldap.conf
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Client configuration complete.


Expected results:
This used to pass, so I would expect that the IP addresses would get set up.

Additional info:

Comment 4 Martin Kosek 2013-10-11 08:06:48 UTC
I tested with ipa-server-3.3.2-1.el7.x86_64 and it worked fine for me:

SERVER:

# ipa dnszone-add other.zone.test --name-server=`hostname`. --dynamic-update
Administrator e-mail address [hostmaster.other.zone.test.]: 
  Zone name: other.zone.test
  Authoritative nameserver: vm-119.example.com.
  Administrator e-mail address: hostmaster.other.zone.test.
  SOA serial: 1381478396
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  BIND update policy: grant EXAMPLE.COM krb5-self * A; grant EXAMPLE.COM krb5-self
                      * AAAA; grant EXAMPLE.COM krb5-self * SSHFP;
  Active zone: TRUE
  Dynamic update: TRUE
  Allow query: any;


CLIENT:

[root@vm-052 ~]# ipa-client-install --hostname client.other.zone.test
Discovery was successful!
Hostname: client.other.zone.test
Realm: EXAMPLE.COM
DNS Domain: example.com
IPA Server: vm-119.example.com
BaseDN: dc=example,dc=com

Continue to configure the system with these values? [no]: y
User authorized to enroll computers: admin
Synchronizing time with KDC...
Password for admin: 
Successfully retrieved CA cert
    Subject:     CN=Certificate Authority,O=EXAMPLE.COM
    Issuer:      CN=Certificate Authority,O=EXAMPLE.COM
    Valid From:  Fri Oct 11 07:28:43 2013 UTC
    Valid Until: Tue Oct 11 07:28:43 2033 UTC

Enrolled in IPA realm EXAMPLE.COM
Created /etc/ipa/default.conf
New SSSD config will be created
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm EXAMPLE.COM
Hostname (client.other.zone.test) not found in DNS
DNS server record set to: client.other.zone.test -> 10.0.0.52
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_dsa_key.pub
SSSD enabled
Configured /etc/openldap/ldap.conf
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config


SERVER:

# ipa dnsrecord-show other.zone.test client
  Record name: client
  A record: 10.0.0.52
  SSHFP record: 1 1 57322CB8429B154A83EC7985C9C173959AE32F8E, 1 2
                7B9E1224743D1E2B218E278EFD474912993F2E08580081DB3EBAA420 A82F529F, 2 1
                FC533874B195235557F0DC01B57DE114BF28ADB7, 2 2
                FE767477F9680258F571F1756D345A9E2F6AE834720E4F63960183E1 DCAD2C5D

Comment 5 Martin Kosek 2013-10-11 18:17:03 UTC
Please check that your DNS zone exists and can accept dynamic updates. This is what I see in the provided log file:


2013-10-11T01:34:41Z DEBUG Writing nsupdate commands to /etc/ipa/.dns_update.txt:
2013-10-11T01:34:41Z DEBUG 
debug
zone testrelm.com.nonexistent.
update delete ipaqavmg.testrelm.com.nonexistent. IN A
show
send
update add ipaqavmg.testrelm.com.nonexistent. 1200 IN A 10.16.98.192
show
send

2013-10-11T01:34:41Z DEBUG Starting external process
2013-10-11T01:34:41Z DEBUG args=/usr/bin/nsupdate -g /etc/ipa/.dns_update.txt
2013-10-11T01:34:41Z DEBUG Process finished, return code=2
2013-10-11T01:34:41Z DEBUG stdout=Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; ZONE SECTION:
;testrelm.com.nonexistent.	IN	SOA

;; UPDATE SECTION:
ipaqavmg.testrelm.com.nonexistent. 0 ANY A	

Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; ZONE SECTION:
;testrelm.com.nonexistent.	IN	SOA

;; UPDATE SECTION:
ipaqavmg.testrelm.com.nonexistent. 1200	IN A	10.16.98.192


2013-10-11T01:34:41Z DEBUG stderr=Reply from SOA query:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id:  10026
;; flags: qr rd ra; QUESTION: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;testrelm.com.nonexistent.	IN	SOA

;; AUTHORITY SECTION:
.			0	IN	SOA	a.root-servers.net. nstld.verisign-grs.com. 2013101001 1800 900 604800 86400

specified zone 'testrelm.com.nonexistent' does not exist (NXDOMAIN)
Reply from SOA query:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id:  12492
;; flags: qr rd ra; QUESTION: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;testrelm.com.nonexistent.	IN	SOA

;; AUTHORITY SECTION:
.			0	IN	SOA	a.root-servers.net. nstld.verisign-grs.com. 2013101001 1800 900 604800 86400

specified zone 'testrelm.com.nonexistent' does not exist (NXDOMAIN)

2013-10-11T01:34:41Z DEBUG nsupdate failed: Command '/usr/bin/nsupdate -g /etc/ipa/.dns_update.txt' returned non-zero exit status 2
2013-10-11T01:34:41Z ERROR Failed to update DNS records.



This is the important part:
specified zone 'testrelm.com.nonexistent' does not exist (NXDOMAIN)
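
An added example (not part of the original bug comments, and not FreeIPA code): a small triage script that pulls the nsupdate zone, the records it tried to add, the nsupdate exit code and the SOA reply status out of an ipa-client-install debug log. The function name diagnose_dns_update and the report keys are illustrative; the sample log is abridged from the one quoted in comment 5.

```python
import re

# Abridged from the ipa-client-install debug log quoted in comment 5.
SAMPLE_LOG = """\
2013-10-11T01:34:41Z DEBUG Writing nsupdate commands to /etc/ipa/.dns_update.txt:
zone testrelm.com.nonexistent.
update delete ipaqavmg.testrelm.com.nonexistent. IN A
send
update add ipaqavmg.testrelm.com.nonexistent. 1200 IN A 10.16.98.192
send
2013-10-11T01:34:41Z DEBUG args=/usr/bin/nsupdate -g /etc/ipa/.dns_update.txt
2013-10-11T01:34:41Z DEBUG Process finished, return code=2
2013-10-11T01:34:41Z DEBUG stderr=Reply from SOA query:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id:  10026
specified zone 'testrelm.com.nonexistent' does not exist (NXDOMAIN)
2013-10-11T01:34:41Z ERROR Failed to update DNS records.
"""

ZONE_RE = re.compile(r"^zone\s+(\S+?)\.?\s*$", re.M)
ADD_RE = re.compile(r"^update add\s+(\S+?)\.?\s+(\d+)\s+IN\s+(\S+)\s+(\S+)\s*$", re.M)
# Tie the exit code to the nsupdate invocation, not to any other external process.
RC_RE = re.compile(r"args=\S*nsupdate.*?return code=(\d+)", re.S)
SOA_RE = re.compile(r"opcode: QUERY, status: (\w+)")
MISSING_RE = re.compile(r"specified zone '([^']+)' does not exist")

def diagnose_dns_update(log_text):
    """Summarise why the nsupdate step of ipa-client-install failed."""
    zone = ZONE_RE.search(log_text)
    rc = RC_RE.search(log_text)
    missing = MISSING_RE.search(log_text)
    report = {
        "zone": zone.group(1) if zone else None,
        "adds": [(n, int(ttl), t, v) for n, ttl, t, v in ADD_RE.findall(log_text)],
        "nsupdate_rc": int(rc.group(1)) if rc else None,
        "soa_status": sorted(set(SOA_RE.findall(log_text))),
        "missing_zone": missing.group(1) if missing else None,
    }
    if report["missing_zone"]:
        report["verdict"] = ("zone %s does not exist on the queried DNS server; "
                             "check that it exists and accepts dynamic updates"
                             % report["missing_zone"])
    elif report["nsupdate_rc"] not in (None, 0):
        report["verdict"] = "nsupdate failed for another reason; inspect stderr"
    else:
        report["verdict"] = "no nsupdate failure found"
    return report

if __name__ == "__main__":
    for key, value in diagnose_dns_update(SAMPLE_LOG).items():
        print("%-12s %s" % (key, value))
```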

Comment 6 Michael Gregg 2013-10-11 19:48:41 UTC
I seem to be unable to reproduce this with last night's build.

This is already covered in a QE test, so we should know if this comes back.

I am closing this bug.

