Bug 704012 - IPA Replica Installation Fails - reverse address doesn't match error
Summary: IPA Replica Installation Fails - reverse address doesn't match error
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: ipa
Version: 6.1
Hardware: Unspecified
OS: Unspecified
Priority: urgent
Severity: urgent
Target Milestone: rc
: ---
Assignee: Rob Crittenden
QA Contact: Chandrasekar Kannan
URL:
Whiteboard:
Depends On: 707312
Blocks: 709332
Reported: 2011-05-11 20:17 UTC by Jenny Severance
Modified: 2015-01-04 23:48 UTC

Fixed In Version: ipa-2.1.0-1.el6
Doc Type: Bug Fix
Doc Text:
Cause: Installing an IPA replica in a new IP subnet with an IPA-controlled DNS server will fail.
Result: The replica server installation is unsuccessful.
Fix: Restart bind after creating the new reverse zone. Bind needs a restart whenever a new zone is added over LDAP.
Result: The IPA replica installation is successful.
Clone Of:
Environment:
Last Closed: 2011-12-06 18:22:10 UTC
Target Upstream Version:


Links:
System: Red Hat Product Errata
ID: RHSA-2011:1533
Priority: normal
Status: SHIPPED_LIVE
Summary: Moderate: ipa security and bug fix update
Last Updated: 2011-12-06 01:23:31 UTC

Description Jenny Severance 2011-05-11 20:17:54 UTC
Description of problem:

:: [16:04:51] ::  EXECUTING: ipa-replica-install -U --setup-dns --forwarder=10.14.63.12 -p Secret123 /dev/shm/replica-info-amd-tilapia-01.testrelm.gpg
root        : ERROR    The DNS forward record amd-tilapia-01.testrelm. does not match the reverse address amd-tilapia-01.rhts.eng.bos.redhat.com.
:: [   FAIL   ] :: Replica installation (Expected 0, got 1)

ipa-replicainstall.log

2011-05-11 16:04:51,720 DEBUG /usr/sbin/ipa-replica-install was invoked with argument "/dev/shm/replica-info-amd-tilapia-01.testrelm.gpg" and options: {'no_forwarders': False, 'no_host_dns': False, 'no_reverse': False, 'setup_dns': True, 'forwarders': ['10.14.63.12'], 'debug': False, 'conf_ntp': True, 'unattended': True}
2011-05-11 16:04:51,721 DEBUG Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
2011-05-11 16:04:51,721 DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2011-05-11 16:04:51,882 DEBUG args=/usr/bin/gpg --batch --homedir /tmp/tmpQUBNmaipa/ipa-Jqwjqy/.gnupg --passphrase-fd 0 --yes --no-tty -o /tmp/tmpQUBNmaipa/files.tar -d /dev/shm/replica-info-amd-tilapia-01.testrelm.gpg
2011-05-11 16:04:51,882 DEBUG stdout=
2011-05-11 16:04:51,883 DEBUG stderr=gpg: WARNING: unsafe permissions on homedir `/tmp/tmpQUBNmaipa/ipa-Jqwjqy/.gnupg'
gpg: keyring `/tmp/tmpQUBNmaipa/ipa-Jqwjqy/.gnupg/secring.gpg' created
gpg: keyring `/tmp/tmpQUBNmaipa/ipa-Jqwjqy/.gnupg/pubring.gpg' created
gpg: 3DES encrypted data
gpg: encrypted with 1 passphrase
gpg: WARNING: message was not integrity protected

2011-05-11 16:04:51,908 DEBUG args=tar xf /tmp/tmpQUBNmaipa/files.tar -C /tmp/tmpQUBNmaipa
2011-05-11 16:04:51,909 DEBUG stdout=
2011-05-11 16:04:51,909 DEBUG stderr=
2011-05-11 16:04:51,916 ERROR The DNS forward record amd-tilapia-01.testrelm. does not match the reverse address amd-tilapia-01.rhts.eng.bos.redhat.com.


Master install with integrated DNS.  
   Master IP address: 10.16.64.34
   
Replica install with integrated DNS.
   Replica IP address: 10.16.67.10

DNS entries in IPA/DS:

# dns, testrelm
dn: cn=dns,dc=testrelm
objectClass: nsContainer
objectClass: top
cn: dns

# testrelm, dns, testrelm
dn: idnsname=testrelm,cn=dns,dc=testrelm
idnsZoneActive: TRUE
idnsSOAexpire: 1209600
nSRecord: dell-pe830-02.testrelm.
idnsSOAserial: 2011110501
idnsSOAretry: 900
idnsSOAminimum: 3600
idnsUpdatePolicy: grant TESTRELM krb5-self * A; grant TESTRELM krb5-self * AAAA;
idnsSOArefresh: 3600
objectClass: top
objectClass: idnsrecord
objectClass: idnszone
idnsName: testrelm
idnsAllowDynUpdate: TRUE
idnsSOArName: root.dell-pe830-02.testrelm.
idnsSOAmName: dell-pe830-02.testrelm.

# dell-pe830-02, testrelm, dns, testrelm
dn: idnsname=dell-pe830-02,idnsname=testrelm,cn=dns,dc=testrelm
objectClass: top
objectClass: idnsrecord
aRecord: 10.16.64.34
aRecord: 10.16.67.10
idnsName: dell-pe830-02

# 64.16.10.in-addr.arpa., dns, testrelm
dn: idnsname=64.16.10.in-addr.arpa.,cn=dns,dc=testrelm
idnsZoneActive: TRUE
idnsSOAexpire: 1209600
nSRecord: dell-pe830-02.testrelm.
idnsSOAserial: 2011110501
idnsSOAretry: 900
idnsSOAminimum: 3600
idnsUpdatePolicy: grant TESTRELM krb5-subdomain 64.16.10.in-addr.arpa.. PTR;
idnsSOArefresh: 3600
objectClass: top
objectClass: idnsrecord
objectClass: idnszone
idnsName: 64.16.10.in-addr.arpa.
idnsAllowDynUpdate: TRUE
idnsSOArName: root.64.16.10.in-addr.arpa.
idnsSOAmName: dell-pe830-02.testrelm.

# _ldap._tcp, testrelm, dns, testrelm
dn: idnsname=_ldap._tcp,idnsname=testrelm,cn=dns,dc=testrelm
objectClass: top
objectClass: idnsrecord
sRVRecord: 0 100 389 dell-pe830-02
idnsName: _ldap._tcp

# _kerberos, testrelm, dns, testrelm
dn: idnsname=_kerberos,idnsname=testrelm,cn=dns,dc=testrelm
objectClass: top
objectClass: idnsrecord
tXTRecord: TESTRELM
idnsName: _kerberos

# _kerberos._tcp, testrelm, dns, testrelm
dn: idnsname=_kerberos._tcp,idnsname=testrelm,cn=dns,dc=testrelm
objectClass: top
objectClass: idnsrecord
sRVRecord: 0 100 88 dell-pe830-02
idnsName: _kerberos._tcp

# _kerberos._udp, testrelm, dns, testrelm
dn: idnsname=_kerberos._udp,idnsname=testrelm,cn=dns,dc=testrelm
objectClass: top
objectClass: idnsrecord
sRVRecord: 0 100 88 dell-pe830-02
idnsName: _kerberos._udp

# _kerberos-master._tcp, testrelm, dns, testrelm
dn: idnsname=_kerberos-master._tcp,idnsname=testrelm,cn=dns,dc=testrelm
objectClass: top
objectClass: idnsrecord
sRVRecord: 0 100 88 dell-pe830-02
idnsName: _kerberos-master._tcp

# _kerberos-master._udp, testrelm, dns, testrelm
dn: idnsname=_kerberos-master._udp,idnsname=testrelm,cn=dns,dc=testrelm
objectClass: top
objectClass: idnsrecord
sRVRecord: 0 100 88 dell-pe830-02
idnsName: _kerberos-master._udp

# _kpasswd._tcp, testrelm, dns, testrelm
dn: idnsname=_kpasswd._tcp,idnsname=testrelm,cn=dns,dc=testrelm
objectClass: top
objectClass: idnsrecord
sRVRecord: 0 100 464 dell-pe830-02
idnsName: _kpasswd._tcp

# _kpasswd._udp, testrelm, dns, testrelm
dn: idnsname=_kpasswd._udp,idnsname=testrelm,cn=dns,dc=testrelm
objectClass: top
objectClass: idnsrecord
sRVRecord: 0 100 464 dell-pe830-02
idnsName: _kpasswd._udp

# _ntp._udp, testrelm, dns, testrelm
dn: idnsname=_ntp._udp,idnsname=testrelm,cn=dns,dc=testrelm
objectClass: top
objectClass: idnsrecord
sRVRecord: 0 100 123 dell-pe830-02
idnsName: _ntp._udp

# 34, 64.16.10.in-addr.arpa., dns, testrelm
dn: idnsname=34,idnsname=64.16.10.in-addr.arpa.,cn=dns,dc=testrelm
objectClass: top
objectClass: idnsrecord
pTRRecord: dell-pe830-02.testrelm.
idnsName: 34

# amd-tilapia-01, testrelm, dns, testrelm
dn: idnsname=amd-tilapia-01,idnsname=testrelm,cn=dns,dc=testrelm
objectClass: top
objectClass: idnsrecord
aRecord: 10.16.67.10
idnsName: amd-tilapia-01

# 67.16.10.in-addr.arpa., dns, testrelm
dn: idnsname=67.16.10.in-addr.arpa.,cn=dns,dc=testrelm
idnsZoneActive: TRUE
idnsSOAexpire: 1209600
nSRecord: dell-pe830-02.testrelm.
idnsSOAserial: 2011110501
idnsSOAretry: 900
idnsSOAminimum: 3600
idnsUpdatePolicy: grant TESTRELM krb5-subdomain 67.16.10.in-addr.arpa.. PTR;
idnsSOArefresh: 3600
objectClass: top
objectClass: idnsrecord
objectClass: idnszone
idnsName: 67.16.10.in-addr.arpa.
idnsAllowDynUpdate: TRUE
idnsSOArName: root.67.16.10.in-addr.arpa.
idnsSOAmName: dell-pe830-02.testrelm.

# 10, 67.16.10.in-addr.arpa., dns, testrelm
dn: idnsname=10,idnsname=67.16.10.in-addr.arpa.,cn=dns,dc=testrelm
objectClass: top
objectClass: idnsrecord
pTRRecord: amd-tilapia-01.testrelm.
idnsName: 10


IPA replica package is created with the correct slave IP address:

"ipa-replica-prepare -p MySecret --ip-address=10.16.67.10 amd-tilapia-01.testrelm"

Version-Release number of selected component (if applicable):
ipa-server-2.0.0-23.el6.x86_64

How reproducible:
Always, if the IP address would require a different reverse zone.

Steps to Reproduce:
1.
2.
3.
  
Actual results:
Install fails.

Expected results:
Correct DNS entries are set up when creating the replica package, so that the replica installation succeeds.

Additional info:

Comment 2 Rob Crittenden 2011-05-11 21:59:21 UTC
What is the hostname of the machine?

What DNS does the machine point to?

What are the contents of /etc/hosts?

Comment 3 RHEL Program Management 2011-05-12 06:00:22 UTC
Since RHEL 6.1 External Beta has begun, and this bug remains
unresolved, it has been rejected as it is not proposed as
exception or blocker.

Red Hat invites you to ask your support representative to
propose this request, if appropriate and relevant, in the
next release of Red Hat Enterprise Linux.

Comment 4 Dmitri Pal 2011-05-12 14:12:50 UTC
https://fedorahosted.org/freeipa/ticket/1223

Comment 6 Martin Kosek 2011-05-26 12:52:16 UTC
The root cause of the problem is that the master machine name server wasn't restarted after the ipa-replica-prepare. The ipa-replica-prepare script created a new DNS reverse zone and there is a known issue with Bind name server that it has to be reloaded to recognize a new zone.

Since the new zone is not recognized by the master machine name server, it sends the DNS request to its forwarder which provides an invalid PTR record.

This problem will be solved by:
https://fedorahosted.org/freeipa/ticket/826

Comment 7 Rob Crittenden 2011-05-26 18:36:25 UTC
Looks like the problem is not that named is not restarted as the replica installations still fail.

When a new zone is created add_forward_record() is being called. This is adding the new reverse zone IP address to the master's DNS entry and I think this is causing the replica installation to blow up.

Comment 8 Martin Kosek 2011-05-27 16:10:53 UTC
Actually, I see there are 2 problems: the one I described and Rob's. The new reverse zone creation issue is fixed upstream:

Upstream commits:
master: 17c3f9e84efcbeb3b5ae1de83d799974de3bb078
ipa-2-0: 1df0ca7527aed9f2c445a9209066499bae0d07df

Even after this fix is applied, Bind name server should be restarted when a new DNS zone is created during ipa-replica-prepare (until ticket 826 is fixed).
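The two failure modes discussed in comments 6 and 7 can be reproduced offline with a small pre-flight consistency check of the kind an admin might run before ipa-replica-install. The following is an added example and not IPA's own code: it models the master's named as a resolver that is authoritative only for the zones it has actually loaded and forwards everything else, using constructed data copied from the LDAP dump above (the forwarder's PTR answers and the /24 reverse-zone layout are assumptions). Scenario (1): the 67.16.10.in-addr.arpa. zone exists in LDAP but named has not been restarted, so the PTR for 10.16.67.10 comes from the forwarder and does not match the IPA forward record. Scenario (2): the master's own entry carries the replica's address as an extra A record, so the master's forward name no longer matches that address's PTR even after the restart.

```python
"""Pre-flight forward/reverse DNS consistency check for an IPA host.

Added example, not IPA's own code. Models the two problems in this bug with
constructed data: (1) the master's named has not loaded a reverse zone that
ipa-replica-prepare added over LDAP, so PTR lookups for the new subnet are
answered by the forwarder; (2) the master's forward entry carries the
replica's address as an extra A record.
"""
import ipaddress
import socket
from typing import Callable, Dict, List, Optional, Set

# Constructed data mirroring the LDAP dump in the report (assumption: /24 reverse zones).
FORWARD: Dict[str, List[str]] = {
    "dell-pe830-02.testrelm.": ["10.16.64.34", "10.16.67.10"],  # extra A added by add_forward_record()
    "amd-tilapia-01.testrelm.": ["10.16.67.10"],
}
IPA_PTR: Dict[str, str] = {  # PTRs stored in LDAP; served only once named has loaded the zone
    "10.16.64.34": "dell-pe830-02.testrelm.",
    "10.16.67.10": "amd-tilapia-01.testrelm.",
}
FORWARDER_PTR: Dict[str, str] = {  # assumed answers from the forwarder (10.14.63.12 in the report)
    "10.16.64.34": "dell-pe830-02.rhts.eng.bos.redhat.com.",
    "10.16.67.10": "amd-tilapia-01.rhts.eng.bos.redhat.com.",
}


def reverse_zone(ip: str) -> str:
    """Name of the /24 in-addr.arpa zone that holds the PTR for an IPv4 address."""
    o = str(ipaddress.IPv4Address(ip)).split(".")  # raises ValueError on bad input
    return f"{o[2]}.{o[1]}.{o[0]}.in-addr.arpa."


def make_named(loaded_zones: Set[str]) -> Callable[[str], Optional[str]]:
    """Model the master's named: authoritative for loaded zones, forwards the rest."""
    def ptr(ip: str) -> Optional[str]:
        if reverse_zone(ip) in loaded_zones:
            return IPA_PTR.get(ip)
        return FORWARDER_PTR.get(ip)
    return ptr


def check_host(hostname: str,
               a_lookup: Callable[[str], Optional[List[str]]],
               ptr_lookup: Callable[[str], Optional[str]]) -> List[str]:
    """Return one message per inconsistency between hostname's A records and their PTRs."""
    fqdn = hostname.rstrip(".").lower() + "."
    addrs = a_lookup(fqdn) or []
    problems: List[str] = []
    if not addrs:
        problems.append(f"No A record for {fqdn}")
    for ip in addrs:
        rev = ptr_lookup(ip)
        if rev is None:
            problems.append(f"No PTR record for {ip} (zone {reverse_zone(ip)} not served?)")
        elif rev.lower() != fqdn:
            problems.append(f"The DNS forward record {fqdn} does not match the reverse address {rev}")
    return problems


def check_live(hostname: str) -> List[str]:
    """Same check against the system resolver (needs network; not exercised offline)."""
    def a_lookup(name: str) -> Optional[List[str]]:
        try:
            return socket.gethostbyname_ex(name.rstrip("."))[2]
        except OSError:  # gaierror is a subclass of OSError
            return None

    def ptr_lookup(ip: str) -> Optional[str]:
        try:
            return socket.gethostbyaddr(ip)[0].rstrip(".") + "."
        except OSError:  # herror is a subclass of OSError
            return None

    return check_host(hostname, a_lookup, ptr_lookup)


if __name__ == "__main__":
    before = make_named({"64.16.10.in-addr.arpa."})  # 67.16.10 zone in LDAP, not yet loaded
    after = make_named({"64.16.10.in-addr.arpa.", "67.16.10.in-addr.arpa."})  # after named restart
    for label, ptr in (("before restart", before), ("after restart", after)):
        for host in FORWARD:
            print(label, host, check_host(host, FORWARD.get, ptr) or "OK")
```

Running it prints the exact "does not match the reverse address" message from the report for amd-tilapia-01 before the restart and OK after it, while dell-pe830-02 keeps failing after the restart because of its second A record; check_live runs the same logic against the real resolver on a host where that is wanted.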

Comment 11 Namita Soman 2011-09-22 01:29:30 UTC
Installed master and replica in different zones successfully. Verified using ipa-server-2.1.1-3.el6.x86_64.

Comment 12 Rob Crittenden 2011-10-31 18:33:16 UTC
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
Cause: Installing an IPA replica in a new IP subnet with an IPA-controlled DNS server will fail.
Result: The replica server installation is unsuccessful.
Fix: Restart bind after creating the new reverse zone. Bind needs a restart whenever a new zone is added over LDAP.
Result: The IPA replica installation is successful.

Comment 13 errata-xmlrpc 2011-12-06 18:22:10 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2011-1533.html

