1533228 – The ipa-replica-install command failed, exception: ValidationError: invalid 'dnszoneidnsname': only master zones can contain records

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1533228 - The ipa-replica-install command failed, exception: ValidationError: invalid 'dnszoneidnsname': only master zones can contain records

Summary: The ipa-replica-install command failed, exception: ValidationError: invalid '...

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	ipa
Sub Component:
Version:	7.7
Hardware:	Unspecified
OS:	Unspecified
Priority:	high
Severity:	high
Target Milestone:	rc
Target Release:	---
Assignee:	IPA Maintainers
QA Contact:	ipa-qe
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	1672238
TreeView+	depends on / blocked

Reported:	2018-01-10 19:17 UTC by alex
Modified:	2022-03-13 14:37 UTC (History)
CC List:	16 users (show)
Fixed In Version:	ipa-4.6.5-1.el7
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Clones:	1672238 (view as bug list)
Environment:
Last Closed:	2019-08-06 13:09:05 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)
Full log (4.08 MB, text/plain) 2018-01-10 19:17 UTC, alex	no flags	Details
View All

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Issue Tracker	FREEIPA-7532	0	None	None	None	2021-12-10 15:45:17 UTC
Red Hat Product Errata	RHBA-2019:2241	0	None	None	None	2019-08-06 13:09:20 UTC

Description alex 2018-01-10 19:17:48 UTC

Created attachment 1379689 [details]
Full log

Description of problem:

ipa-replica-install with CA/DNS fails if replica is in a forwarded zone

Version-Release number of selected component (if applicable):

ipa-server-4.5.0-22.el7.centos.x86_64

How reproducible:

Steps to Reproduce:
1.

I set up forwards on my first ipa-server:

$ ipa dnsforwardzone-add h2.int.pdp7.net --forwarder=10.42.42.1
$ ipa dnsforwardzone-add --name-from-ip=10.42.42.0/24 --forwarder=10.42.42.1 --forward-policy=only

2.

I install the replica on a server in the h2.int.pdp7.net domain:

$ ipa-replica-install -v -w $pw -n ipa.pdp7.net -P alex --mkhomedir --setup-ca --setup-dns --auto-forwarders
[...]
ipa         : DEBUG      [2/8]: setting up our own record
  [2/8]: setting up our own record
ipa.ipaserver.plugins.dns.dnsrecord_add: DEBUG    raw: dnsrecord_add(u'h2.int.pdp7.net', u'ipa2', arecord=u'10.42.42.83', version=u'2.228')
ipa.ipaserver.plugins.dns.dnsrecord_add: DEBUG    dnsrecord_add(<DNS name h2.int.pdp7.net.>, <DNS name ipa2>, arecord=(u'10.42.42.83',), a_extra_create_reverse=False, aaaa_extra_create_reverse=False, force=False, structured=False, all=False, raw=False, version=u'2.228')
ipa         : DEBUG    Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 504, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 494, in run_step
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/bindinstance.py", line 852, in __add_self
    self.__add_master_records(self.fqdn, self.ip_addresses)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/bindinstance.py", line 843, in __add_master_records
    add_fwd_rr(zone, host, addr, self.api)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/bindinstance.py", line 367, in add_fwd_rr
    add_rr(zone, host, "A", ip_address, None, api)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/bindinstance.py", line 358, in add_rr
    api.Command.dnsrecord_add(unicode(zone), unicode(name), **addkw)
  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 447, in __call__
    return self.__do_call(*args, **options)
  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 475, in __do_call
    ret = self.run(*args, **options)
  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 797, in run
    return self.execute(*args, **options)
  File "/usr/lib/python2.7/site-packages/ipaserver/plugins/dns.py", line 3666, in execute
    result = super(dnsrecord_add, self).execute(*keys, **options)
  File "/usr/lib/python2.7/site-packages/ipaserver/plugins/baseldap.py", line 1141, in execute
    dn = self.obj.get_dn(*keys, **options)
  File "/usr/lib/python2.7/site-packages/ipaserver/plugins/dns.py", line 3161, in get_dn
    dn = self.check_zone(keys[-2], **options)
  File "/usr/lib/python2.7/site-packages/ipaserver/plugins/dns.py", line 3152, in check_zone
    error=_(u'only master zones can contain records')
ValidationError: invalid 'dnszoneidnsname': only master zones can contain records

ipa         : DEBUG      [error] ValidationError: invalid 'dnszoneidnsname': only master zones can contain records
  [error] ValidationError: invalid 'dnszoneidnsname': only master zones can contain records
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall): DEBUG      File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 172, in execute
    return_value = self.run()
  File "/usr/lib/python2.7/site-packages/ipapython/install/cli.py", line 333, in run
    cfgr.run()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 368, in run
    self.execute()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 392, in execute
    for _nothing in self._executor():
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 434, in __runner
    exc_handler(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 463, in _handle_execute_exception
    self._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 453, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 424, in __runner
    step()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 421, in <lambda>
    step = lambda: next(self.__gen)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 658, in _configure
    next(executor)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 434, in __runner
    exc_handler(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 463, in _handle_execute_exception
    self._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 521, in _handle_exception
    self.__parent._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 453, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 518, in _handle_exception
    super(ComponentBase, self)._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 453, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 424, in __runner
    step()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 421, in <lambda>
    step = lambda: next(self.__gen)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python2.7/site-packages/ipapython/install/common.py", line 63, in _install
    for _nothing in self._installer(self.parent):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/__init__.py", line 617, in main
    replica_install(self)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 386, in decorated
    func(installer)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 1479, in install
    dns.install(False, True, options, api)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dns.py", line 338, in install
    bind.create_instance()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/bindinstance.py", line 719, in create_instance
    self.start_creation()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 504, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 494, in run_step
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/bindinstance.py", line 852, in __add_self
    self.__add_master_records(self.fqdn, self.ip_addresses)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/bindinstance.py", line 843, in __add_master_records
    add_fwd_rr(zone, host, addr, self.api)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/bindinstance.py", line 367, in add_fwd_rr
    add_rr(zone, host, "A", ip_address, None, api)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/bindinstance.py", line 358, in add_rr
    api.Command.dnsrecord_add(unicode(zone), unicode(name), **addkw)
  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 447, in __call__
    return self.__do_call(*args, **options)
  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 475, in __do_call
    ret = self.run(*args, **options)
  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 797, in run
    return self.execute(*args, **options)
  File "/usr/lib/python2.7/site-packages/ipaserver/plugins/dns.py", line 3666, in execute
    result = super(dnsrecord_add, self).execute(*keys, **options)
  File "/usr/lib/python2.7/site-packages/ipaserver/plugins/baseldap.py", line 1141, in execute
    dn = self.obj.get_dn(*keys, **options)
  File "/usr/lib/python2.7/site-packages/ipaserver/plugins/dns.py", line 3161, in get_dn
    dn = self.check_zone(keys[-2], **options)
  File "/usr/lib/python2.7/site-packages/ipaserver/plugins/dns.py", line 3152, in check_zone
    error=_(u'only master zones can contain records')

ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall): DEBUG    The ipa-replica-install command failed, exception: ValidationError: invalid 'dnszoneidnsname': only master zones can contain records
ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall): ERROR    invalid 'dnszoneidnsname': only master zones can contain records
ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall): ERROR    The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information

3.

Actual results:

Replica installation fails.

Expected results:

Replica installation works.

Additional info:

None

Comment 2 alex 2018-01-10 19:19:22 UTC

See also thread at:

https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/thread/7A2I475DZFE235QRJRXMRXTL3DVT46IN/

Comment 3 Rob Crittenden 2018-01-10 21:05:12 UTC

Can you confirm I understand the problem correctly?

This replica is in a different DNS domain that the original master and that DNS domain is not controlled by IPA?

Why have DNS enabled on the replica at all then? What is it going to manage?

Comment 4 alex 2018-01-11 19:44:54 UTC

> This replica is in a different DNS domain that the original master and that DNS domain is not controlled by IPA?

Yes.

> Why have DNS enabled on the replica at all then? What is it going to manage?

Host the IPA DNS zone (e.g. the SRV records for discovery of services), it seems simpler than maintaining the records on my existing DNS servers.

This seems to work mostly well and I don't see documentation explicitly disallowing this- save for the fact that the replica installation doesn't work.

Maybe it'd be nice to allow IPA hosts (both servers and clients) to have their existing hostname and a second hostname in IPA (e.g. my server is xxxx.foo.example.com, but when added to IPA it gets a xxxx.ipa.example.com additional name). This would also allow handling stuff such as laptops moving between different networks and getting different hostnames.

Comment 5 Rob Crittenden 2018-01-15 18:50:13 UTC

Upstream ticket:
https://pagure.io/freeipa/issue/7369

Comment 15 François Cami 2019-01-22 22:16:46 UTC

Fixed upstream: master https://pagure.io/freeipa/c/63fa87a36e3026868c49d603762a730948db9643

Comment 16 Christian Heimes 2019-01-28 11:06:27 UTC

Fixed upstream
ipa-4-7:
https://pagure.io/freeipa/c/6b18e8a4232718ec72779d0a59fc243238d75d5c
https://pagure.io/freeipa/c/493cdc4fb8d9a0d1e20b77660e2be9464746e708
ipa-4-6:
https://pagure.io/freeipa/c/28f416c0f454e719c2cf4d24f9727ce92ab4a3d2
https://pagure.io/freeipa/c/2835dcb1073965ccbcbf37f4b1dcb1dee7510130

Comment 22 Mohammad Rizwan 2019-05-15 13:29:49 UTC

version:
ipa-server-4.6.5-8.el7.x86_64

The ipa-replica-install got succeed. Console logs provided. Based on above observation, marking the bug as verified.

Comment 23 Nikhil Dehadrai 2019-05-15 13:34:25 UTC

Based on above comment#22, marking bug to VERIFIED

Comment 25 errata-xmlrpc 2019-08-06 13:09:05 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:2241

Note You need to log in before you can comment on or make changes to this bug.