704012 – IPA Replica Installation Fails - reverse address doesn't match error

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 704012 - IPA Replica Installation Fails - reverse address doesn't match error

Summary: IPA Replica Installation Fails - reverse address doesn't match error

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 6
Classification:	Red Hat
Component:	ipa
Sub Component:
Version:	6.1
Hardware:	Unspecified
OS:	Unspecified
Priority:	urgent
Severity:	urgent
Target Milestone:	rc
Target Release:	---
Assignee:	Rob Crittenden
QA Contact:	Chandrasekar Kannan
Docs Contact:
URL:
Whiteboard:
Depends On:	707312
Blocks:	709332
TreeView+	depends on / blocked

Reported:	2011-05-11 20:17 UTC by Jenny Severance
Modified:	2015-01-04 23:48 UTC (History)
CC List:	7 users (show)
Fixed In Version:	ipa-2.1.0-1.el6
Doc Type:	Bug Fix
Doc Text:	Cause: Installing an IPA replica in a new IP subnet with an IPA-controlled DNS server will fail. Result: The replica server installation is unsuccessful. Fix: Restart bind after creating the new reverse zone. Bind needs a restart whenever a new zone is added over LDAP. Result: The IPA replica installation is successful.
Clone Of:
Environment:
Last Closed:	2011-12-06 18:22:10 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2011:1533	0	normal	SHIPPED_LIVE	Moderate: ipa security and bug fix update	2011-12-06 01:23:31 UTC

Description Jenny Severance 2011-05-11 20:17:54 UTC

Description of problem:

:: [16:04:51] ::  EXECUTING: ipa-replica-install -U --setup-dns --forwarder=10.14.63.12 -p Secret123 /dev/shm/replica-info-amd-tilapia-01.testrelm.gpg
root        : ERROR    The DNS forward record amd-tilapia-01.testrelm. does not match the reverse address amd-tilapia-01.rhts.eng.bos.redhat.com.
:: [   FAIL   ] :: Replica installation (Expected 0, got 1)

ipa-replicainstall.log

2011-05-11 16:04:51,720 DEBUG /usr/sbin/ipa-replica-install was invoked with argument "/dev/shm/replica-info-amd-tilapia-01.testrelm.gpg" and options: {'no_forwarders': False, 'no_host_dns': False, 'no_reverse': False, 'setup_dns': True, 'forwarders': ['10.14.63.12'], 'debug': False, 'conf_ntp': True, 'unattended': True}
2011-05-11 16:04:51,721 DEBUG Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
2011-05-11 16:04:51,721 DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2011-05-11 16:04:51,882 DEBUG args=/usr/bin/gpg --batch --homedir /tmp/tmpQUBNmaipa/ipa-Jqwjqy/.gnupg --passphrase-fd 0 --yes --no-tty -o /tmp/tmpQUBNmaipa/files.tar -d /dev/shm/replica-info-amd-tilapia-01.testrelm.gpg
2011-05-11 16:04:51,882 DEBUG stdout=
2011-05-11 16:04:51,883 DEBUG stderr=gpg: WARNING: unsafe permissions on homedir `/tmp/tmpQUBNmaipa/ipa-Jqwjqy/.gnupg'
gpg: keyring `/tmp/tmpQUBNmaipa/ipa-Jqwjqy/.gnupg/secring.gpg' created
gpg: keyring `/tmp/tmpQUBNmaipa/ipa-Jqwjqy/.gnupg/pubring.gpg' created
gpg: 3DES encrypted data
gpg: encrypted with 1 passphrase
gpg: WARNING: message was not integrity protected

2011-05-11 16:04:51,908 DEBUG args=tar xf /tmp/tmpQUBNmaipa/files.tar -C /tmp/tmpQUBNmaipa
2011-05-11 16:04:51,909 DEBUG stdout=
2011-05-11 16:04:51,909 DEBUG stderr=
2011-05-11 16:04:51,916 ERROR The DNS forward record amd-tilapia-01.testrelm. does not match the reverse address amd-tilapia-01.rhts.eng.bos.redhat.com.


Master install with integrated DNS.  
   Master IP address: 10.16.64.34
   
Replica install with integrated DNS.
   Replica IP address: 10.16.67.10

DNS entries in IPA/DS:

# dns, testrelm
dn: cn=dns,dc=testrelm
objectClass: nsContainer
objectClass: top
cn: dns

# testrelm, dns, testrelm
dn: idnsname=testrelm,cn=dns,dc=testrelm
idnsZoneActive: TRUE
idnsSOAexpire: 1209600
nSRecord: dell-pe830-02.testrelm.
idnsSOAserial: 2011110501
idnsSOAretry: 900
idnsSOAminimum: 3600
idnsUpdatePolicy: grant TESTRELM krb5-self * A; grant TESTRELM krb5-self * AAA
 A;
idnsSOArefresh: 3600
objectClass: top
objectClass: idnsrecord
objectClass: idnszone
idnsName: testrelm
idnsAllowDynUpdate: TRUE
idnsSOArName: root.dell-pe830-02.testrelm.
idnsSOAmName: dell-pe830-02.testrelm.

# dell-pe830-02, testrelm, dns, testrelm
dn: idnsname=dell-pe830-02,idnsname=testrelm,cn=dns,dc=testrelm
objectClass: top
objectClass: idnsrecord
aRecord: 10.16.64.34
aRecord: 10.16.67.10
idnsName: dell-pe830-02

# 64.16.10.in-addr.arpa., dns, testrelm
dn: idnsname=64.16.10.in-addr.arpa.,cn=dns,dc=testrelm
idnsZoneActive: TRUE
idnsSOAexpire: 1209600
nSRecord: dell-pe830-02.testrelm.
idnsSOAserial: 2011110501
idnsSOAretry: 900
idnsSOAminimum: 3600
idnsUpdatePolicy: grant TESTRELM krb5-subdomain 64.16.10.in-addr.arpa.. PTR;
idnsSOArefresh: 3600
objectClass: top
objectClass: idnsrecord
objectClass: idnszone
idnsName: 64.16.10.in-addr.arpa.
idnsAllowDynUpdate: TRUE
idnsSOArName: root.64.16.10.in-addr.arpa.
idnsSOAmName: dell-pe830-02.testrelm.

# _ldap._tcp, testrelm, dns, testrelm
dn: idnsname=_ldap._tcp,idnsname=testrelm,cn=dns,dc=testrelm
objectClass: top
objectClass: idnsrecord
sRVRecord: 0 100 389 dell-pe830-02
idnsName: _ldap._tcp

# _kerberos, testrelm, dns, testrelm
dn: idnsname=_kerberos,idnsname=testrelm,cn=dns,dc=testrelm
objectClass: top
objectClass: idnsrecord
tXTRecord: TESTRELM
idnsName: _kerberos

# _kerberos._tcp, testrelm, dns, testrelm
dn: idnsname=_kerberos._tcp,idnsname=testrelm,cn=dns,dc=testrelm
objectClass: top
objectClass: idnsrecord
sRVRecord: 0 100 88 dell-pe830-02
idnsName: _kerberos._tcp

# _kerberos._udp, testrelm, dns, testrelm
dn: idnsname=_kerberos._udp,idnsname=testrelm,cn=dns,dc=testrelm
objectClass: top
objectClass: idnsrecord
sRVRecord: 0 100 88 dell-pe830-02
idnsName: _kerberos._udp

# _kerberos-master._tcp, testrelm, dns, testrelm
dn: idnsname=_kerberos-master._tcp,idnsname=testrelm,cn=dns,dc=testrelm
objectClass: top
objectClass: idnsrecord
sRVRecord: 0 100 88 dell-pe830-02
idnsName: _kerberos-master._tcp

# _kerberos-master._udp, testrelm, dns, testrelm
dn: idnsname=_kerberos-master._udp,idnsname=testrelm,cn=dns,dc=testrelm
objectClass: top
objectClass: idnsrecord
sRVRecord: 0 100 88 dell-pe830-02
idnsName: _kerberos-master._udp

# _kpasswd._tcp, testrelm, dns, testrelm
dn: idnsname=_kpasswd._tcp,idnsname=testrelm,cn=dns,dc=testrelm
objectClass: top
objectClass: idnsrecord
sRVRecord: 0 100 464 dell-pe830-02
idnsName: _kpasswd._tcp

# _kpasswd._udp, testrelm, dns, testrelm
dn: idnsname=_kpasswd._udp,idnsname=testrelm,cn=dns,dc=testrelm
objectClass: top
objectClass: idnsrecord
sRVRecord: 0 100 464 dell-pe830-02
idnsName: _kpasswd._udp

# _ntp._udp, testrelm, dns, testrelm
dn: idnsname=_ntp._udp,idnsname=testrelm,cn=dns,dc=testrelm
objectClass: top
objectClass: idnsrecord
sRVRecord: 0 100 123 dell-pe830-02
idnsName: _ntp._udp

# 34, 64.16.10.in-addr.arpa., dns, testrelm
dn: idnsname=34,idnsname=64.16.10.in-addr.arpa.,cn=dns,dc=testrelm
objectClass: top
objectClass: idnsrecord
pTRRecord: dell-pe830-02.testrelm.
idnsName: 34

# amd-tilapia-01, testrelm, dns, testrelm
dn: idnsname=amd-tilapia-01,idnsname=testrelm,cn=dns,dc=testrelm
objectClass: top
objectClass: idnsrecord
aRecord: 10.16.67.10
idnsName: amd-tilapia-01

# 67.16.10.in-addr.arpa., dns, testrelm
dn: idnsname=67.16.10.in-addr.arpa.,cn=dns,dc=testrelm
idnsZoneActive: TRUE
idnsSOAexpire: 1209600
nSRecord: dell-pe830-02.testrelm.
idnsSOAserial: 2011110501
idnsSOAretry: 900
idnsSOAminimum: 3600
idnsUpdatePolicy: grant TESTRELM krb5-subdomain 67.16.10.in-addr.arpa.. PTR;
idnsSOArefresh: 3600
objectClass: top
objectClass: idnsrecord
objectClass: idnszone
idnsName: 67.16.10.in-addr.arpa.
idnsAllowDynUpdate: TRUE
idnsSOArName: root.67.16.10.in-addr.arpa.
idnsSOAmName: dell-pe830-02.testrelm.

# 10, 67.16.10.in-addr.arpa., dns, testrelm
dn: idnsname=10,idnsname=67.16.10.in-addr.arpa.,cn=dns,dc=testrelm
objectClass: top
objectClass: idnsrecord
pTRRecord: amd-tilapia-01.testrelm.
idnsName: 10


IP replica package is create with the correct slave IP address:

"ipa-replica-prepare -p MySecret --ip-address=10.16.67.10 amd-tilapia-01.testrelm"

Version-Release number of selected component (if applicable):
ipa-server-2.0.0-23.el6.x86_64

How reproducible:
always if IP address would be require different reverse zones

Steps to Reproduce:
1.
2.
3.
  
Actual results:
install fails

Expected results:
correct dns entries set up when creating replica package for replica installation to succeed

Additional info:

Comment 2 Rob Crittenden 2011-05-11 21:59:21 UTC

What is the hostname of the machine?

What DNS does the machine point to?

What are the contents of /etc/hosts?

Comment 3 RHEL Program Management 2011-05-12 06:00:22 UTC

Since RHEL 6.1 External Beta has begun, and this bug remains
unresolved, it has been rejected as it is not proposed as
exception or blocker.

Red Hat invites you to ask your support representative to
propose this request, if appropriate and relevant, in the
next release of Red Hat Enterprise Linux.

Comment 4 Dmitri Pal 2011-05-12 14:12:50 UTC

https://fedorahosted.org/freeipa/ticket/1223

Comment 6 Martin Kosek 2011-05-26 12:52:16 UTC

The root cause of the problem is that the master machine name server wasn't restarted after the ipa-replica-prepare. The ipa-replica-prepare script created a new DNS reverse zone and there is a known issue with Bind name server that it has to be reloaded to recognize a new zone.

Since the new zone is not recognized by the master machine name server, it sends the DNS request to its forwarder which provides an invalid PTR record.

This problem will be solved by:
https://fedorahosted.org/freeipa/ticket/826

Comment 7 Rob Crittenden 2011-05-26 18:36:25 UTC

Looks like the problem is not that named is not restarted as the replica installations still fail.

When a new zone is created add_forward_record() is being called. This is adding the new reverse zone IP address to the master's DNS entry and I think this is causing the replica installation to blow up.

Comment 8 Martin Kosek 2011-05-27 16:10:53 UTC

Actually, I see there are 2 problems. The one I described and the the Rob's. The new reverse zone creation issue is fixed upstream:

Upstream commits:
master: 17c3f9e84efcbeb3b5ae1de83d799974de3bb078
ipa-2-0: 1df0ca7527aed9f2c445a9209066499bae0d07df

Even after this fix is applied, Bind name server should be restarted when a new DNS zone is created during ipa-replica-prepare (until ticket 826 is fixed).

Comment 11 Namita Soman 2011-09-22 01:29:30 UTC

Installed master and replica in different zones successfully. verified using ipa-server-2.1.1-3.el6.x86_64

Comment 12 Rob Crittenden 2011-10-31 18:33:16 UTC

    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
Cause: Installing an IPA replica in a new IP subnet with an IPA-controlled DNS server will fail.
Result: The replica server installation is unsuccessful.
Fix: Restart bind after creating the new reverse zone. Bind needs a restart whenever a new zone is added over LDAP.
Result: The IPA replica installation is successful.

Comment 13 errata-xmlrpc 2011-12-06 18:22:10 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2011-1533.html

Note You need to log in before you can comment on or make changes to this bug.