Bug 757644 - --no-reverse option in ipa-replica-install is not honored.
Summary: --no-reverse option in ipa-replica-install is not honored.
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: ipa
Version: 6.2
Hardware: Unspecified
OS: Linux
Target Milestone: rc
Assignee: Rob Crittenden
QA Contact: IDM QE LIST
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2011-11-28 08:14 UTC by Gowrishankar Rajaiyan
Modified: 2012-06-20 13:17 UTC (History)

Fixed In Version: ipa-2.2.0-1.el6
Doc Type: Bug Fix
Doc Text:
No documentation needed.
Clone Of:
Environment:
Last Closed: 2012-06-20 13:17:51 UTC
Target Upstream Version:
Embargoed:




Links
Red Hat Product Errata RHBA-2012:0819 (not private; priority normal; status SHIPPED_LIVE): ipa bug fix and enhancement update. Last updated 2012-06-19 20:34:17 UTC.

Description Gowrishankar Rajaiyan 2011-11-28 08:14:19 UTC
Description of problem:
DNS reverse zone is created even when --no-reverse option is specified during ipa-replica-install. 

Version-Release number of selected component (if applicable):
ipa-server-2.1.3-9.el6.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Install ipa server with --setup-dns option.
2. Create a replica gpg file using: ipa-replica-prepare --ip-address=10.65.201.69 ratchet.testrelm
3. On slave: ipa-replica-install --setup-dns --forwarder=10.65.255.201 --no-reverse replica-info-ratchet.testrelm.gpg
  
Actual results:
reverse zone is successfully setup. 

Expected results:
Should not create DNS reverse zone when --no-reverse is specified. 

Additional info:
[root@ratchet ~]# ipa-replica-install --setup-dns --forwarder=10.65.255.201 --no-reverse replica-info-ratchet.testrelm.gpg 
Directory Manager (existing master) password: 

Warning: Hostname (ratchet.testrelm) not found in DNS
Run connection check to master
Check connection from replica to remote master 'jetfire.testrelm':
   Directory Service: Unsecure port (389): OK
   Directory Service: Secure port (636): OK
   Kerberos KDC: TCP (88): OK
   Kerberos KDC: UDP (88): OK
   Kerberos Kpasswd: TCP (464): OK
   Kerberos Kpasswd: UDP (464): OK
   HTTP Server: port 80 (80): OK
   HTTP Server: port 443(https) (443): OK

Connection from replica to master is OK.
Start listening on required ports for remote master check
Get credentials to log in to remote master
admin@TESTRELM password: 

Execute check on remote master
Check connection from master to remote replica 'ratchet.testrelm':
   Directory Service: Unsecure port (389): OK
   Directory Service: Secure port (636): OK
   Kerberos KDC: TCP (88): OK
   Kerberos KDC: UDP (88): OK
   Kerberos Kpasswd: TCP (464): OK
   Kerberos Kpasswd: UDP (464): OK
   HTTP Server: port 80 (80): OK
   HTTP Server: port 443(https) (443): OK

Connection from master to replica is OK.

Connection check OK
Configuring ntpd
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
done configuring ntpd.
Configuring directory server: Estimated time 31 minutes
  [1/29]: creating directory server user
  [2/29]: creating directory server instance
  [3/29]: adding default schema
  [4/29]: enabling memberof plugin
  [5/29]: enabling referential integrity plugin
  [6/29]: enabling winsync plugin
  [7/29]: configuring replication version plugin
  [8/29]: enabling IPA enrollment plugin
  [9/29]: enabling ldapi
  [10/29]: configuring uniqueness plugin
  [11/29]: configuring uuid plugin
  [12/29]: configuring modrdn plugin
  [13/29]: enabling entryUSN plugin
  [14/29]: configuring lockout plugin
  [15/29]: creating indices
  [16/29]: configuring ssl for ds instance
  [17/29]: configuring certmap.conf
  [18/29]: configure autobind for root
  [19/29]: configure new location for managed entries
  [20/29]: restarting directory server
  [21/29]: setting up initial replication
Starting replication, please wait until this has completed.
Update in progress
Update in progress
Update in progress
Update succeeded
  [22/29]: adding replication acis
  [23/29]: setting Auto Member configuration
  [24/29]: initializing group membership
  [25/29]: adding master entry
  [26/29]: configuring Posix uid/gid generation
  [27/29]: enabling compatibility plugin
Restarting IPA to initialize updates before performing deletes:
  [1/2]: stopping directory server
  [2/2]: starting directory server
done configuring dirsrv.
  [28/29]: tuning directory server
  [29/29]: configuring directory to start on boot
done configuring dirsrv.
Configuring Kerberos KDC: Estimated time 30 minutes 30 seconds
  [1/9]: adding sasl mappings to the directory
  [2/9]: writing stash file from DS
  [3/9]: configuring KDC
  [4/9]: creating a keytab for the directory
  [5/9]: creating a keytab for the machine
  [6/9]: adding the password extension to the directory
  [7/9]: enable GSSAPI for replication
  [8/9]: starting the KDC
  [9/9]: configuring KDC to start on boot
done configuring krb5kdc.
Configuring ipa_kpasswd
  [1/2]: starting ipa_kpasswd 
  [2/2]: configuring ipa_kpasswd to start on boot
done configuring ipa_kpasswd.
Configuring the web interface: Estimated time 31 minutes
  [1/12]: disabling mod_ssl in httpd
  [2/12]: setting mod_nss port to 443
  [3/12]: setting mod_nss password file
  [4/12]: enabling mod_nss renegotiate
  [5/12]: adding URL rewriting rules
  [6/12]: configuring httpd
  [7/12]: setting up ssl
  [8/12]: publish CA cert
  [9/12]: creating a keytab for httpd
  [10/12]: configuring SELinux for httpd
  [11/12]: restarting httpd
  [12/12]: configuring httpd to start on boot
done configuring httpd.
Applying LDAP updates
Restarting IPA to initialize updates before performing deletes:
  [1/2]: stopping directory server
  [2/2]: starting directory server
done configuring dirsrv.
Using reverse zone 201.65.10.in-addr.arpa.
Configuring named:
  [1/8]: adding NS record to the zone
  [2/8]: setting up reverse zone
  [3/8]: setting up our own record
  [4/8]: setting up kerberos principal
  [5/8]: setting up named.conf
  [6/8]: restarting named
  [7/8]: configuring named to start on boot
  [8/8]: changing resolv.conf to point to ourselves
done configuring named.
[root@ratchet ~]#


[root@ratchet ~]# ipa dnszone-find
  Zone name: 201.65.10.in-addr.arpa.
  Authoritative nameserver: jetfire.testrelm.
  Administrator e-mail address: root.201.65.10.in-addr.arpa.
  SOA serial: 2011281101
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  Active zone: TRUE

  Zone name: testrelm
  Authoritative nameserver: jetfire.testrelm.
  Administrator e-mail address: root.jetfire.testrelm.
  SOA serial: 2011281101
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  Active zone: TRUE
----------------------------
Number of entries returned 2
----------------------------
[root@ratchet ~]#

Comment 2 Dmitri Pal 2011-12-05 17:11:17 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/2161

Comment 3 Rob Crittenden 2012-02-03 16:00:52 UTC
master: 2e860f6d070db3b2fe8799891c3e568ac48a1fac

ipa-2-2: 21e6f8e82af680fbbf041315efe77455cdbc3f07

Comment 6 Martin Kosek 2012-04-19 12:36:26 UTC
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
No documentation needed.

Comment 7 Scott Poore 2012-05-07 19:39:49 UTC
This doesn't appear to work yet for me.  Am I doing something wrong?

### ON MASTER:

# ipa-replica-prepare -p $ADMINPW --ip-address=$SLAVEIP $hostname_s.$DOMAIN
Warning: Hostname (spoore-dvm2.testrelm.com) not found in DNS
Preparing replica for spoore-dvm2.testrelm.com from spoore-dvm1.testrelm.com
Creating SSL certificate for the Directory Server
Creating SSL certificate for the dogtag Directory Server
Creating SSL certificate for the Web Server
Exporting RA certificate
Copying additional files
Finalizing configuration
Packaging replica information into /var/lib/ipa/replica-info-spoore-dvm2.testrelm.com.gpg
Adding DNS records for spoore-dvm2.testrelm.com
Using reverse zone 122.168.192.in-addr.arpa.


### ON REPLICA:

# yum install -y ipa-server bind-dyndb-ldap bind
...installed with no errors shown...
Installed:
  bind.x86_64 32:9.8.2-0.8.rc1.el6   bind-dyndb-ldap.x86_64 0:1.1.0-0.8.b1.el6   ipa-server.x86_64 0:2.2.0-12.el6  

Dependency Installed:
  389-ds-base.x86_64 0:1.2.10.2-9.el6                      389-ds-base-libs.x86_64 0:1.2.10.2-9.el6                
  certmonger.x86_64 0:0.56-1.el6                           httpd.x86_64 0:2.2.15-15.el6_2.1                        
  ipa-admintools.x86_64 0:2.2.0-12.el6                     ipa-client.x86_64 0:2.2.0-12.el6                        
  ipa-python.x86_64 0:2.2.0-12.el6                         ipa-server-selinux.x86_64 0:2.2.0-12.el6                
  krb5-pkinit-openssl.x86_64 0:1.9-33.el6                  krb5-server.x86_64 0:1.9-33.el6                         
  krb5-workstation.x86_64 0:1.9-33.el6                     libipa_hbac.x86_64 0:1.8.0-25.el6                       
  libipa_hbac-python.x86_64 0:1.8.0-25.el6                 memcached.x86_64 0:1.4.4-3.el6                          
  mod_auth_kerb.x86_64 0:5.4-9.el6                         mod_nss.x86_64 0:1.0.8-15.el6                           
  mod_wsgi.x86_64 0:3.2-1.el6                              pki-ca.noarch 0:9.0.3-24.el6                            
  pki-common.noarch 0:9.0.3-24.el6                         pki-java-tools.noarch 0:9.0.3-24.el6                    
  pki-native-tools.x86_64 0:9.0.3-24.el6                   pki-selinux.noarch 0:9.0.3-24.el6                       
  pki-setup.noarch 0:9.0.3-24.el6                          pki-silent.noarch 0:9.0.3-24.el6                        
  pki-symkey.x86_64 0:9.0.3-24.el6                         pki-util.noarch 0:9.0.3-24.el6                          
  python-memcached.noarch 0:1.43-6.el6                     slapi-nis.x86_64 0:0.40-1.el6                           
  sssd.x86_64 0:1.8.0-25.el6                               sssd-client.x86_64 0:1.8.0-25.el6                       
  tomcat6.noarch 0:6.0.24-43.el6                           tomcatjss.noarch 0:2.1.0-2.el6                          

Complete!

[root@spoore-dvm2 yum.repos.d]# vi ~/.ssh/known_hosts 

[root@spoore-dvm2 yum.repos.d]# cd /dev/shm

[root@spoore-dvm2 shm]# sftp root@$MASTERIP:/var/lib/ipa/replica-info-$hostname_s.$DOMAIN.gpg
Connecting to 192.168.122.101...
Fetching /var/lib/ipa/replica-info-spoore-dvm2.testrelm.com.gpg to replica-info-spoore-dvm2.testrelm.com.gpg
/var/lib/ipa/replica-info-spoore-dvm2.testrelm.com.gpg                           100%   28KB  28.4KB/s   00:00    

[root@spoore-dvm2 shm]# /etc/init.d/ntpd stop
Shutting down ntpd:                                        [FAILED]

[root@spoore-dvm2 shm]# ntpdate $NTPSERVER
 7 May 14:26:52 ntpdate[1716]: adjust time server 66.187.233.4 offset 0.007145 sec

[root@spoore-dvm2 shm]# cat /etc/resolv.conf 
nameserver 192.168.122.101

[root@spoore-dvm2 shm]# cat /etc/hosts
127.0.0.1	localhost.localdomain	localhost.localdomain	localhost4	localhost4.localdomain4	localhost
::1	localhost.localdomain	localhost.localdomain	localhost6	localhost6.localdomain6	localhost

[root@spoore-dvm2 shm]# fixHostFile
:: [14:27:12] ::  Ip address is 192.168.122.102
:: [14:27:12] ::  Hosts file contains:
:: [14:27:12] ::  127.0.0.1	localhost.localdomain	localhost.localdomain	localhost4	localhost4.localdomain4	localhost
::1	localhost.localdomain	localhost.localdomain	localhost6	localhost6.localdomain6	localhost
192.168.122.102 spoore-dvm2.testrelm.com spoore-dvm2

[root@spoore-dvm2 shm]# fixhostname
:: [   PASS   ] :: Running 'hostname spoore-dvm2.testrelm.com'
:: [14:27:18] ::  /etc/sysconfig/network contains:
:: [14:27:18] ::  NETWORKING=yes
HOSTNAME=spoore-dvm2.testrelm.com

[root@spoore-dvm2 shm]# hostname
spoore-dvm2.testrelm.com

[root@spoore-dvm2 shm]# ipa-replica-install -U --setup-dns --no-forwarders --no-reverse -w $ADMINPW -p $ADMINPW /dev/shm/replica-info-$hostname_s.$DOMAIN.gpg
Run connection check to master
Check connection from replica to remote master 'spoore-dvm1.testrelm.com':
   Directory Service: Unsecure port (389): OK
   Directory Service: Secure port (636): OK
   Kerberos KDC: TCP (88): OK
   Kerberos Kpasswd: TCP (464): OK
   HTTP Server: Unsecure port (80): OK
   HTTP Server: Secure port (443): OK

The following list of ports use UDP protocol and would need to be
checked manually:
   Kerberos KDC: UDP (88): SKIPPED
   Kerberos Kpasswd: UDP (464): SKIPPED

Connection from replica to master is OK.
Start listening on required ports for remote master check
Get credentials to log in to remote master
Execute check on remote master
Check connection from master to remote replica 'spoore-dvm2.testrelm.com':
   Directory Service: Unsecure port (389): OK
   Directory Service: Secure port (636): OK
   Kerberos KDC: TCP (88): OK
   Kerberos KDC: UDP (88): OK
   Kerberos Kpasswd: TCP (464): OK
   Kerberos Kpasswd: UDP (464): OK
   HTTP Server: Unsecure port (80): OK
   HTTP Server: Secure port (443): OK

Connection from master to replica is OK.

Connection check OK
Configuring ntpd
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
done configuring ntpd.
Configuring directory server: Estimated time 1 minute
  [1/30]: creating directory server user
  [2/30]: creating directory server instance
  [3/30]: adding default schema
  [4/30]: enabling memberof plugin
  [5/30]: enabling referential integrity plugin
  [6/30]: enabling winsync plugin
  [7/30]: configuring replication version plugin
  [8/30]: enabling IPA enrollment plugin
  [9/30]: enabling ldapi
  [10/30]: configuring uniqueness plugin
  [11/30]: configuring uuid plugin
  [12/30]: configuring modrdn plugin
  [13/30]: enabling entryUSN plugin
  [14/30]: configuring lockout plugin
  [15/30]: creating indices
  [16/30]: configuring ssl for ds instance
  [17/30]: configuring certmap.conf
  [18/30]: configure autobind for root
  [19/30]: configure new location for managed entries
  [20/30]: restarting directory server
  [21/30]: setting up initial replication
Starting replication, please wait until this has completed.
Update in progress
Update in progress
Update in progress
Update in progress
Update in progress
Update in progress
Update succeeded
  [22/30]: adding replication acis
  [23/30]: setting Auto Member configuration
  [24/30]: enabling S4U2Proxy delegation
  [25/30]: initializing group membership
  [26/30]: adding master entry
  [27/30]: configuring Posix uid/gid generation
  [28/30]: enabling compatibility plugin
  [29/30]: tuning directory server
  [30/30]: configuring directory to start on boot
done configuring dirsrv.
Configuring Kerberos KDC: Estimated time 30 seconds
  [1/9]: adding sasl mappings to the directory
  [2/9]: writing stash file from DS
  [3/9]: configuring KDC
  [4/9]: creating a keytab for the directory
  [5/9]: creating a keytab for the machine
  [6/9]: adding the password extension to the directory
  [7/9]: enable GSSAPI for replication
  [8/9]: starting the KDC
  [9/9]: configuring KDC to start on boot
done configuring krb5kdc.
Configuring kadmin
  [1/2]: starting kadmin 
  [2/2]: configuring kadmin to start on boot
done configuring kadmin.
Configuring ipa_memcached
  [1/2]: starting ipa_memcached 
  [2/2]: configuring ipa_memcached to start on boot
done configuring ipa_memcached.
Configuring the web interface: Estimated time 1 minute
  [1/13]: disabling mod_ssl in httpd
  [2/13]: setting mod_nss port to 443
  [3/13]: setting mod_nss password file
  [4/13]: enabling mod_nss renegotiate
  [5/13]: adding URL rewriting rules
  [6/13]: configuring httpd
  [7/13]: setting up ssl
  [8/13]: publish CA cert
  [9/13]: creating a keytab for httpd
  [10/13]: clean up any existing httpd ccache
  [11/13]: configuring SELinux for httpd
  [12/13]: restarting httpd
  [13/13]: configuring httpd to start on boot
done configuring httpd.
Applying LDAP updates
Restarting the directory server
Restarting the KDC
Using reverse zone 122.168.192.in-addr.arpa.
Configuring named:
  [1/8]: adding NS record to the zone
  [2/8]: setting up reverse zone
  [3/8]: setting up our own record
  [4/8]: setting up kerberos principal
  [5/8]: setting up named.conf
  [6/8]: restarting named
  [7/8]: configuring named to start on boot
  [8/8]: changing resolv.conf to point to ourselves
done configuring named.

Global DNS configuration in LDAP server is empty
You can use 'dnsconfig-mod' command to set global DNS options that
would override settings in local named.conf files

Restarting the web server

[root@spoore-dvm2 shm]# KinitAsAdmin

[root@spoore-dvm2 shm]# ipa dnszone-find
  Zone name: 122.168.192.in-addr.arpa.
  Authoritative nameserver: spoore-dvm1.testrelm.com.
  Administrator e-mail address: hostmaster.122.168.192.in-addr.arpa.
  SOA serial: 2012050701
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  Active zone: TRUE
  Allow query: any;
  Allow transfer: none;

  Zone name: testrelm.com
  Authoritative nameserver: spoore-dvm1.testrelm.com.
  Administrator e-mail address: hostmaster.testrelm.com.
  SOA serial: 2012050709
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  Active zone: TRUE
  Allow query: any;
  Allow transfer: none;
----------------------------
Number of entries returned 2
----------------------------

Comment 8 Martin Kosek 2012-05-09 06:36:24 UTC
Scott, I see you must have had the reverse zone created already during ipa-replica-prepare, i.e. before ipa-replica-install is called. This is what I see in your output:

# ipa-replica-prepare -p $ADMINPW --ip-address=$SLAVEIP $hostname_s.$DOMAIN
Warning: Hostname (spoore-dvm2.testrelm.com) not found in DNS
...
Adding DNS records for spoore-dvm2.testrelm.com
Using reverse zone 122.168.192.in-addr.arpa.    <<<<<<<< This is where the reverse zone was added

Comment 9 Scott Poore 2012-05-09 19:13:36 UTC
Martin, 

Yep.  Missed that yesterday.  Shanks helped me verify this one today.  To get this one verified, I was apparently missing the replica host info from /etc/hosts on the master.   I'll post verification shortly.

Comment 11 Scott Poore 2012-05-09 19:58:48 UTC
Verified.

Version ::  ipa-server-2.2.0-12.el6.x86_64

Manual Test Results ::

#### ON MASTER ####

[root@celeno ~]# ipa-replica-prepare -p $ADMINPW $SLAVE_S.$DOMAIN
Warning: Hostname (qe-blade-02.testrelm.com) not found in DNS
Preparing replica for qe-blade-02.testrelm.com from celeno.testrelm.com
Creating SSL certificate for the Directory Server
Creating SSL certificate for the dogtag Directory Server
Creating SSL certificate for the Web Server
Exporting RA certificate
Copying additional files
Finalizing configuration
Packaging replica information into
/var/lib/ipa/replica-info-qe-blade-02.testrelm.com.gpg

#### ON REPLICA ####

[root@qe-blade-02 shm]# ipa-replica-install -U --setup-dns
--forwarder=$DNSFORWARD --no-reverse -w $ADMINPW -p $ADMINPW
/dev/shm/replica-info-$SLAVE_S.$DOMAIN.gpg
Warning: Hostname (qe-blade-02.testrelm.com) not found in DNS
...skipping most output here...
Configuring named:
  [1/7]: adding NS record to the zone
  [2/7]: setting up our own record
  [3/7]: setting up kerberos principal
  [4/7]: setting up named.conf
  [5/7]: restarting named
  [6/7]: configuring named to start on boot
  [7/7]: changing resolv.conf to point to ourselves
done configuring named.

Global DNS configuration in LDAP server is empty
You can use 'dnsconfig-mod' command to set global DNS options that
would override settings in local named.conf files

Restarting the web server

#### ON MASTER ####
[root@celeno ~]# ipa dnszone-find
...

Did not show a new reverse zone for replica.
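A check for the situation comments 8 and 11 describe, written as an added example (not code from this bug or from FreeIPA): it parses the `ipa dnszone-find` listing for reverse zones and attributes each one to the installer step whose transcript announced it, so a reverse zone created by `ipa-replica-prepare --ip-address` is not mistaken for `ipa-replica-install --no-reverse` being ignored. The sample transcripts are constructed from the excerpts above.

```python
import re
# Reverse zones live under these suffixes; forward zones do not.
REVERSE_SUFFIXES = (".in-addr.arpa.", ".ip6.arpa.")

# Constructed sample transcripts modelled on the excerpts in comments 7 and 11.
PREPARE_LOG = """\
Adding DNS records for spoore-dvm2.testrelm.com
Using reverse zone 122.168.192.in-addr.arpa.
"""
INSTALL_LOG = """\
Configuring named:
  [1/7]: adding NS record to the zone
  [2/7]: setting up our own record
done configuring named.
"""
DNSZONE_FIND = """\
  Zone name: 122.168.192.in-addr.arpa.
  Authoritative nameserver: spoore-dvm1.testrelm.com.

  Zone name: testrelm.com
  Authoritative nameserver: spoore-dvm1.testrelm.com.
----------------------------
Number of entries returned 2
----------------------------
"""

def parse_dnszone_find(text):
    """Turn the 'ipa dnszone-find' listing into one attribute dict per zone."""
    zones, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("-"):
            current = None  # blank line or rule ends a zone block
            continue
        key, sep, value = line.partition(": ")
        if not sep:
            continue  # e.g. 'Number of entries returned 2'
        if key == "Zone name":
            current = {}
            zones.append(current)
        if current is not None:
            current[key] = value
    return zones

def reverse_zone_origin(prepare_log, install_log):
    """Map each reverse zone to the installer step that printed 'Using reverse zone <name>'."""
    pattern = re.compile(r"^Using reverse zone (\S+)", re.M)
    origin = {}
    for step, log in (("ipa-replica-prepare", prepare_log),
                      ("ipa-replica-install", install_log)):
        for match in pattern.finditer(log):
            origin.setdefault(match.group(1), step)
    return origin

def check_no_reverse(prepare_log, install_log, dnszone_find_output):
    """List reverse zones, who created them, and whether the install skipped its reverse-zone step."""
    names = [z["Zone name"] for z in parse_dnszone_find(dnszone_find_output)]
    reverse = [n for n in names if n.lower().endswith(REVERSE_SUFFIXES)]
    origin = reverse_zone_origin(prepare_log, install_log)
    return {
        "reverse_zones": reverse,
        "created_by": {n: origin.get(n, "pre-existing/unknown") for n in reverse},
        "install_honored_no_reverse": "setting up reverse zone" not in install_log,
    }
```

On the constructed input the reverse zone is attributed to ipa-replica-prepare while the install itself reports no "setting up reverse zone" step, which is exactly the distinction comment 8 draws.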

Comment 13 errata-xmlrpc 2012-06-20 13:17:51 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-0819.html

