Bug 704012
| Summary: | IPA Replica Installation Fails - reverse address doesn't match error | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | Jenny Severance <jgalipea> |
| Component: | ipa | Assignee: | Rob Crittenden <rcritten> |
| Status: | CLOSED ERRATA | QA Contact: | Chandrasekar Kannan <ckannan> |
| Severity: | urgent | Docs Contact: | |
| Priority: | urgent | ||
| Version: | 6.1 | CC: | benl, dpal, jwest, mgregg, mkosek, nsoman, shaines |
| Target Milestone: | rc | Keywords: | ZStream |
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | ipa-2.1.0-1.el6 | Doc Type: | Bug Fix |
| Doc Text: | Cause: Installing an IPA replica in a new IP subnet with an IPA-controlled DNS server will fail.<br>Result: The replica server installation is unsuccessful.<br>Fix: Restart bind after creating the new reverse zone. Bind needs a restart whenever a new zone is added over LDAP.<br>Result: The IPA replica installation is successful. | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2011-12-06 18:22:10 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 707312 | ||
| Bug Blocks: | 709332 | ||
What is the hostname of the machine? What DNS does the machine point to? What are the contents of /etc/hosts?

Since RHEL 6.1 External Beta has begun, and this bug remains unresolved, it has been rejected as it is not proposed as exception or blocker. Red Hat invites you to ask your support representative to propose this request, if appropriate and relevant, in the next release of Red Hat Enterprise Linux.

The root cause of the problem is that the master machine name server wasn't restarted after the ipa-replica-prepare. The ipa-replica-prepare script created a new DNS reverse zone and there is a known issue with Bind name server that it has to be reloaded to recognize a new zone. Since the new zone is not recognized by the master machine name server, it sends the DNS request to its forwarder which provides an invalid PTR record. This problem will be solved by: https://fedorahosted.org/freeipa/ticket/826

Looks like the problem is not that named is not restarted as the replica installations still fail. When a new zone is created add_forward_record() is being called. This is adding the new reverse zone IP address to the master's DNS entry and I think this is causing the replica installation to blow up.

Actually, I see there are 2 problems. The one I described and Rob's. The new reverse zone creation issue is fixed upstream:

Upstream commits:
master: 17c3f9e84efcbeb3b5ae1de83d799974de3bb078
ipa-2-0: 1df0ca7527aed9f2c445a9209066499bae0d07df

Even after this fix is applied, Bind name server should be restarted when a new DNS zone is created during ipa-replica-prepare (until ticket 826 is fixed).

Installed master and replica in different zones successfully. Verified using ipa-server-2.1.1-3.el6.x86_64
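The comments above describe the failure mechanism: the master's bind only serves the reverse zones it loaded at start-up, so a PTR query for an address in a reverse zone that ipa-replica-prepare just created over LDAP falls through to the forwarder, which answers with a different name, and the forward/reverse consistency check in ipa-replica-install fails with the error quoted in this bug. The following Python model is an added example written for this page; it is not FreeIPA code. It uses the names and addresses quoted in the bug as constructed data, assumes /24 reverse zones (as IPA created here: 67.16.10.in-addr.arpa.), and assumes, as the comments do, that restarting bind makes every LDAP-stored zone visible. It also shows the same check passing for the master, whose reverse zone existed before bind started.

```python
import ipaddress

# Constructed data modelled on the DNS entries and addresses quoted in this bug.
# Forward zone "testrelm." as stored in IPA/DS.
FORWARD_RECORDS = {
    "amd-tilapia-01.testrelm.": "10.16.67.10",
    "dell-pe830-02.testrelm.": "10.16.64.34",
}

# Reverse zones as stored in LDAP after ipa-replica-prepare (both exist in DS).
LDAP_REVERSE_ZONES = {
    "64.16.10.in-addr.arpa.": {"34": "dell-pe830-02.testrelm."},
    "67.16.10.in-addr.arpa.": {"10": "amd-tilapia-01.testrelm."},
}

# What the forwarder (10.14.63.12 in the bug) answers for the same addresses:
# lab-wide names, not the IPA realm names. Constructed to match the error text.
FORWARDER_PTR = {
    "10.16.67.10": "amd-tilapia-01.rhts.eng.bos.redhat.com.",
    "10.16.64.34": "dell-pe830-02.rhts.eng.bos.redhat.com.",
}


def reverse_zone_and_label(ip: str):
    """Split an IPv4 address into its /24 in-addr.arpa zone and host label.

    Assumes /24 reverse zones, which is what IPA created in this bug.
    """
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on a bad address
    octets = str(addr).split(".")
    zone = ".".join(reversed(octets[:3])) + ".in-addr.arpa."
    return zone, octets[3]


def resolve_ptr(ip: str, loaded_zones: set):
    """Model the master's named: answer from a loaded zone, else forward.

    'loaded_zones' is the set of LDAP zones bind has actually read; a zone
    added over LDAP after bind started is missing until bind is restarted.
    """
    zone, label = reverse_zone_and_label(ip)
    if zone in loaded_zones:
        return LDAP_REVERSE_ZONES[zone].get(label)  # authoritative answer
    return FORWARDER_PTR.get(ip)  # not authoritative: query goes to the forwarder


def check_forward_reverse(hostname: str, loaded_zones: set):
    """Reproduce the consistency check ipa-replica-install performs.

    Returns (ok, message); the message mirrors the error quoted in the bug
    when the PTR answer does not equal the replica's FQDN.
    """
    ip = FORWARD_RECORDS.get(hostname)
    if ip is None:
        return False, f"no A record for {hostname}"
    ptr = resolve_ptr(ip, loaded_zones)
    if ptr != hostname:
        return False, (f"The DNS forward record {hostname} does not match "
                       f"the reverse address {ptr}")
    return True, f"{hostname} <-> {ip} consistent"


def simulate_replica_install(hostname: str):
    """Run the check before and after restarting bind on the master.

    Before the restart bind only knows the zones it loaded at start-up
    (64.16.10.in-addr.arpa.); the zone ipa-replica-prepare added is unseen.
    """
    before_restart = {"64.16.10.in-addr.arpa."}
    after_restart = set(LDAP_REVERSE_ZONES)  # a restart re-reads all zones
    return {
        "before_restart": check_forward_reverse(hostname, before_restart),
        "after_restart": check_forward_reverse(hostname, after_restart),
    }


if __name__ == "__main__":
    results = simulate_replica_install("amd-tilapia-01.testrelm.")
    for phase, (ok, msg) in results.items():
        print(f"{phase}: {'OK' if ok else 'FAIL'}: {msg}")
```

Running the module prints the failing check first (the forwarder's rhts.eng.bos.redhat.com name in place of the realm name) and the passing check after the simulated restart, which is exactly the before/after described in the fix text. On a real master the equivalent diagnosis is to compare the PTR answer from the master's own named with the pTRRecord stored in LDAP for the replica address.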
Technical note added. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team.

New Contents:
Cause: Installing an IPA replica in a new IP subnet with an IPA-controlled DNS server will fail.
Result: The replica server installation is unsuccessful.
Fix: Restart bind after creating the new reverse zone. Bind needs a restart whenever a new zone is added over LDAP.
Result: The IPA replica installation is successful.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHSA-2011-1533.html
Description of problem:

```
:: [16:04:51] :: EXECUTING: ipa-replica-install -U --setup-dns --forwarder=10.14.63.12 -p Secret123 /dev/shm/replica-info-amd-tilapia-01.testrelm.gpg
root : ERROR The DNS forward record amd-tilapia-01.testrelm. does not match the reverse address amd-tilapia-01.rhts.eng.bos.redhat.com.
:: [ FAIL ] :: Replica installation (Expected 0, got 1)
```

ipa-replicainstall.log:

```
2011-05-11 16:04:51,720 DEBUG /usr/sbin/ipa-replica-install was invoked with argument "/dev/shm/replica-info-amd-tilapia-01.testrelm.gpg" and options: {'no_forwarders': False, 'no_host_dns': False, 'no_reverse': False, 'setup_dns': True, 'forwarders': ['10.14.63.12'], 'debug': False, 'conf_ntp': True, 'unattended': True}
2011-05-11 16:04:51,721 DEBUG Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
2011-05-11 16:04:51,721 DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2011-05-11 16:04:51,882 DEBUG args=/usr/bin/gpg --batch --homedir /tmp/tmpQUBNmaipa/ipa-Jqwjqy/.gnupg --passphrase-fd 0 --yes --no-tty -o /tmp/tmpQUBNmaipa/files.tar -d /dev/shm/replica-info-amd-tilapia-01.testrelm.gpg
2011-05-11 16:04:51,882 DEBUG stdout=
2011-05-11 16:04:51,883 DEBUG stderr=gpg: WARNING: unsafe permissions on homedir `/tmp/tmpQUBNmaipa/ipa-Jqwjqy/.gnupg'
gpg: keyring `/tmp/tmpQUBNmaipa/ipa-Jqwjqy/.gnupg/secring.gpg' created
gpg: keyring `/tmp/tmpQUBNmaipa/ipa-Jqwjqy/.gnupg/pubring.gpg' created
gpg: 3DES encrypted data
gpg: encrypted with 1 passphrase
gpg: WARNING: message was not integrity protected
2011-05-11 16:04:51,908 DEBUG args=tar xf /tmp/tmpQUBNmaipa/files.tar -C /tmp/tmpQUBNmaipa
2011-05-11 16:04:51,909 DEBUG stdout=
2011-05-11 16:04:51,909 DEBUG stderr=
2011-05-11 16:04:51,916 ERROR The DNS forward record amd-tilapia-01.testrelm. does not match the reverse address amd-tilapia-01.rhts.eng.bos.redhat.com.
```

Master install with integrated DNS. Master IP address: 10.16.64.34
Replica install with integrated DNS. Replica IP address: 10.16.67.10

DNS entries in IPA/DS:

```
# dns, testrelm
dn: cn=dns,dc=testrelm
objectClass: nsContainer
objectClass: top
cn: dns

# testrelm, dns, testrelm
dn: idnsname=testrelm,cn=dns,dc=testrelm
idnsZoneActive: TRUE
idnsSOAexpire: 1209600
nSRecord: dell-pe830-02.testrelm.
idnsSOAserial: 2011110501
idnsSOAretry: 900
idnsSOAminimum: 3600
idnsUpdatePolicy: grant TESTRELM krb5-self * A; grant TESTRELM krb5-self * AAA A;
idnsSOArefresh: 3600
objectClass: top
objectClass: idnsrecord
objectClass: idnszone
idnsName: testrelm
idnsAllowDynUpdate: TRUE
idnsSOArName: root.dell-pe830-02.testrelm.
idnsSOAmName: dell-pe830-02.testrelm.

# dell-pe830-02, testrelm, dns, testrelm
dn: idnsname=dell-pe830-02,idnsname=testrelm,cn=dns,dc=testrelm
objectClass: top
objectClass: idnsrecord
aRecord: 10.16.64.34
aRecord: 10.16.67.10
idnsName: dell-pe830-02

# 64.16.10.in-addr.arpa., dns, testrelm
dn: idnsname=64.16.10.in-addr.arpa.,cn=dns,dc=testrelm
idnsZoneActive: TRUE
idnsSOAexpire: 1209600
nSRecord: dell-pe830-02.testrelm.
idnsSOAserial: 2011110501
idnsSOAretry: 900
idnsSOAminimum: 3600
idnsUpdatePolicy: grant TESTRELM krb5-subdomain 64.16.10.in-addr.arpa.. PTR;
idnsSOArefresh: 3600
objectClass: top
objectClass: idnsrecord
objectClass: idnszone
idnsName: 64.16.10.in-addr.arpa.
idnsAllowDynUpdate: TRUE
idnsSOArName: root.64.16.10.in-addr.arpa.
idnsSOAmName: dell-pe830-02.testrelm.

# _ldap._tcp, testrelm, dns, testrelm
dn: idnsname=_ldap._tcp,idnsname=testrelm,cn=dns,dc=testrelm
objectClass: top
objectClass: idnsrecord
sRVRecord: 0 100 389 dell-pe830-02
idnsName: _ldap._tcp

# _kerberos, testrelm, dns, testrelm
dn: idnsname=_kerberos,idnsname=testrelm,cn=dns,dc=testrelm
objectClass: top
objectClass: idnsrecord
tXTRecord: TESTRELM
idnsName: _kerberos

# _kerberos._tcp, testrelm, dns, testrelm
dn: idnsname=_kerberos._tcp,idnsname=testrelm,cn=dns,dc=testrelm
objectClass: top
objectClass: idnsrecord
sRVRecord: 0 100 88 dell-pe830-02
idnsName: _kerberos._tcp

# _kerberos._udp, testrelm, dns, testrelm
dn: idnsname=_kerberos._udp,idnsname=testrelm,cn=dns,dc=testrelm
objectClass: top
objectClass: idnsrecord
sRVRecord: 0 100 88 dell-pe830-02
idnsName: _kerberos._udp

# _kerberos-master._tcp, testrelm, dns, testrelm
dn: idnsname=_kerberos-master._tcp,idnsname=testrelm,cn=dns,dc=testrelm
objectClass: top
objectClass: idnsrecord
sRVRecord: 0 100 88 dell-pe830-02
idnsName: _kerberos-master._tcp

# _kerberos-master._udp, testrelm, dns, testrelm
dn: idnsname=_kerberos-master._udp,idnsname=testrelm,cn=dns,dc=testrelm
objectClass: top
objectClass: idnsrecord
sRVRecord: 0 100 88 dell-pe830-02
idnsName: _kerberos-master._udp

# _kpasswd._tcp, testrelm, dns, testrelm
dn: idnsname=_kpasswd._tcp,idnsname=testrelm,cn=dns,dc=testrelm
objectClass: top
objectClass: idnsrecord
sRVRecord: 0 100 464 dell-pe830-02
idnsName: _kpasswd._tcp

# _kpasswd._udp, testrelm, dns, testrelm
dn: idnsname=_kpasswd._udp,idnsname=testrelm,cn=dns,dc=testrelm
objectClass: top
objectClass: idnsrecord
sRVRecord: 0 100 464 dell-pe830-02
idnsName: _kpasswd._udp

# _ntp._udp, testrelm, dns, testrelm
dn: idnsname=_ntp._udp,idnsname=testrelm,cn=dns,dc=testrelm
objectClass: top
objectClass: idnsrecord
sRVRecord: 0 100 123 dell-pe830-02
idnsName: _ntp._udp

# 34, 64.16.10.in-addr.arpa., dns, testrelm
dn: idnsname=34,idnsname=64.16.10.in-addr.arpa.,cn=dns,dc=testrelm
objectClass: top
objectClass: idnsrecord
pTRRecord: dell-pe830-02.testrelm.
idnsName: 34

# amd-tilapia-01, testrelm, dns, testrelm
dn: idnsname=amd-tilapia-01,idnsname=testrelm,cn=dns,dc=testrelm
objectClass: top
objectClass: idnsrecord
aRecord: 10.16.67.10
idnsName: amd-tilapia-01

# 67.16.10.in-addr.arpa., dns, testrelm
dn: idnsname=67.16.10.in-addr.arpa.,cn=dns,dc=testrelm
idnsZoneActive: TRUE
idnsSOAexpire: 1209600
nSRecord: dell-pe830-02.testrelm.
idnsSOAserial: 2011110501
idnsSOAretry: 900
idnsSOAminimum: 3600
idnsUpdatePolicy: grant TESTRELM krb5-subdomain 67.16.10.in-addr.arpa.. PTR;
idnsSOArefresh: 3600
objectClass: top
objectClass: idnsrecord
objectClass: idnszone
idnsName: 67.16.10.in-addr.arpa.
idnsAllowDynUpdate: TRUE
idnsSOArName: root.67.16.10.in-addr.arpa.
idnsSOAmName: dell-pe830-02.testrelm.

# 10, 67.16.10.in-addr.arpa., dns, testrelm
dn: idnsname=10,idnsname=67.16.10.in-addr.arpa.,cn=dns,dc=testrelm
objectClass: top
objectClass: idnsrecord
pTRRecord: amd-tilapia-01.testrelm.
idnsName: 10
```

IPA replica package is created with the correct slave IP address: "ipa-replica-prepare -p MySecret --ip-address=10.16.67.10 amd-tilapia-01.testrelm"

Version-Release number of selected component (if applicable):
ipa-server-2.0.0-23.el6.x86_64

How reproducible:
always, if the IP addresses would require different reverse zones

Steps to Reproduce:
1.
2.
3.

Actual results:
install fails

Expected results:
correct dns entries set up when creating replica package for replica installation to succeed

Additional info: