Bug 874935 - ipa-server installation fails to find A/AAAA record for IPA hostname
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: ipa
Version: 6.4
Hardware: Unspecified Unspecified
Priority: unspecified Severity: unspecified
Target Milestone: rc
Target Release: ---
Assigned To: Rob Crittenden
QA Contact: Namita Soman
Keywords: Regression
Reported: 2012-11-09 01:25 EST by Steeve Goveas
Modified: 2013-02-21 04:29 EST (History)
Fixed In Version: ipa-3.0.0-8.el6
Doc Type: Bug Fix
Last Closed: 2013-02-21 04:29:45 EST
Type: Bug


Description Steeve Goveas 2012-11-09 01:25:34 EST
Description of problem:
When using the --no-forwarder option, ipa-server installation fails, not finding the A/AAAA record for the hostname.

[root@rasalghul ~]# ipa-server-install --setup-dns --no-forwarder -p Secret123 -a Secret123 -r TESTRELM.COM -n testrelm.com --ip-address=10.65.201.217 --hostname=rasalghul.testrelm.com -U

[1/9]: adding DNS container
  [2/9]: setting up our zone
  [3/9]: setting up reverse zone
Unexpected error - see /var/log/ipaserver-install.log for details:
NotFound: Nameserver 'rasalghul.testrelm.com.' does not have a corresponding A/AAAA record

[root@rasalghul ~]# cat /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
10.65.201.217 rasalghul.testrelm.com rasalghul

Version-Release number of selected component (if applicable):
[root@rasalghul ~]# rpm -qa | grep ipa-server
ipa-server-trust-ad-3.0.0-107.20121109T0309zgit349ab51.el6.x86_64
ipa-server-selinux-3.0.0-107.20121109T0309zgit349ab51.el6.x86_64
ipa-server-3.0.0-107.20121109T0309zgit349ab51.el6.x86_64

[root@rasalghul ~]# rpm -qa | grep bind-dyndb-ldap
bind-dyndb-ldap-2.3-1.el6.x86_64

How reproducible:
always

Steps to Reproduce:
1. Install IPA server with --setup-dns
  
Actual results:
Fails with error
Unexpected error - see /var/log/ipaserver-install.log for details:
NotFound: Nameserver 'rasalghul.testrelm.com.' does not have a corresponding A/AAAA record

Expected results:
Installation is successful

Additional info:
[root@rasalghul ~]# tail -50 /var/log/ipaserver-install.log 
2012-11-09T05:22:17Z DEBUG stderr=ldap_initialize( ldap://rasalghul.testrelm.com:389/??base )

2012-11-09T05:22:17Z DEBUG   duration: 0 seconds
2012-11-09T05:22:17Z DEBUG   [2/9]: setting up our zone
2012-11-09T05:22:17Z DEBUG raw: dnszone_add(u'testrelm.com', idnssoamname=u'rasalghul.testrelm.com.', idnssoarname=u'hostmaster.testrelm.com', idnsupdatepolicy=u'grant TESTRELM.COM krb5-self * A; grant TESTRELM.COM krb5-self * AAAA; grant TESTRELM.COM krb5-self * SSHFP;', idnsallowdynupdate=True, idnsallowquery=u'any', idnsallowtransfer=u'none', force=False, ip_address=u'10.65.201.217')
2012-11-09T05:22:17Z DEBUG dnszone_add(u'testrelm.com', idnssoamname=u'rasalghul.testrelm.com.', idnssoarname=u'hostmaster.testrelm.com.', idnssoaserial=1352438537, idnssoarefresh=3600, idnssoaretry=900, idnssoaexpire=1209600, idnssoaminimum=3600, idnsupdatepolicy=u'grant TESTRELM.COM krb5-self * A; grant TESTRELM.COM krb5-self * AAAA; grant TESTRELM.COM krb5-self * SSHFP;', idnsallowdynupdate=True, idnsallowquery=u'any;', idnsallowtransfer=u'none;', force=False, ip_address=u'10.65.201.217', all=False, raw=False)
2012-11-09T05:22:17Z DEBUG raw: dnsrecord_add(u'testrelm.com', u'rasalghul', arecord=u'10.65.201.217')
2012-11-09T05:22:17Z DEBUG dnsrecord_add(u'testrelm.com', u'rasalghul', arecord=(u'10.65.201.217',), a_extra_create_reverse=False, aaaa_extra_create_reverse=False, force=False, structured=False, all=False, raw=False)
2012-11-09T05:22:17Z DEBUG raw: dnsrecord_add(u'testrelm.com', u'@', nsrecord=u'rasalghul.testrelm.com.', force=True)
2012-11-09T05:22:17Z DEBUG dnsrecord_add(u'testrelm.com', u'@', a_extra_create_reverse=False, aaaa_extra_create_reverse=False, nsrecord=(u'rasalghul.testrelm.com.',), force=True, structured=False, all=False, raw=False)
2012-11-09T05:22:17Z DEBUG   duration: 0 seconds
2012-11-09T05:22:17Z DEBUG   [3/9]: setting up reverse zone
2012-11-09T05:22:17Z DEBUG raw: dnszone_add(u'201.65.10.in-addr.arpa.', idnssoamname=u'rasalghul.testrelm.com.', idnssoarname=u'hostmaster.testrelm.com', idnsupdatepolicy=u'grant TESTRELM.COM krb5-subdomain 201.65.10.in-addr.arpa. PTR;', idnsallowdynupdate=True, idnsallowquery=u'any', idnsallowtransfer=u'none', force=False, ip_address=None)
2012-11-09T05:22:17Z DEBUG dnszone_add(u'201.65.10.in-addr.arpa.', idnssoamname=u'rasalghul.testrelm.com.', idnssoarname=u'hostmaster.testrelm.com.', idnssoaserial=1352438537, idnssoarefresh=3600, idnssoaretry=900, idnssoaexpire=1209600, idnssoaminimum=3600, idnsupdatepolicy=u'grant TESTRELM.COM krb5-subdomain 201.65.10.in-addr.arpa. PTR;', idnsallowdynupdate=True, idnsallowquery=u'any;', idnsallowtransfer=u'none;', force=False, ip_address=None, all=False, raw=False)
2012-11-09T05:22:17Z DEBUG raw: dns_resolve(u'rasalghul.testrelm.com.')
2012-11-09T05:22:17Z DEBUG dns_resolve(u'rasalghul.testrelm.com.')
2012-11-09T05:22:17Z INFO   File "/usr/lib/python2.6/site-packages/ipaserver/install/installutils.py", line 614, in run_script
    return_value = main_function()

  File "/usr/sbin/ipa-server-install", line 1072, in main
    bind.create_instance()

  File "/usr/lib/python2.6/site-packages/ipaserver/install/bindinstance.py", line 508, in create_instance
    self.start_creation()

  File "/usr/lib/python2.6/site-packages/ipaserver/install/service.py", line 358, in start_creation
    method()

  File "/usr/lib/python2.6/site-packages/ipaserver/install/bindinstance.py", line 616, in __setup_reverse_zone
    dns_backup=self.dns_backup)

  File "/usr/lib/python2.6/site-packages/ipaserver/install/bindinstance.py", line 293, in add_zone
    force=force)

  File "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 435, in __call__
    ret = self.run(*args, **options)

  File "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 747, in run
    return self.execute(*args, **options)

  File "/usr/lib/python2.6/site-packages/ipalib/plugins/baseldap.py", line 1063, in execute
    self, ldap, dn, entry_attrs, attrs_list, *keys, **options)

  File "/usr/lib/python2.6/site-packages/ipalib/plugins/dns.py", line 1812, in pre_callback
    check_ns_rec_resolvable(keys[0], nameserver)

  File "/usr/lib/python2.6/site-packages/ipalib/plugins/dns.py", line 1516, in check_ns_rec_resolvable
    reason=_('Nameserver \'%(host)s\' does not have a corresponding A/AAAA record') % {'host': name}

2012-11-09T05:22:17Z INFO The ipa-server-install command failed, exception: NotFound: Nameserver 'rasalghul.testrelm.com.' does not have a corresponding A/AAAA record
Comment 2 Martin Kosek 2012-11-09 03:14:59 EST
This is indeed a regression in 6.4, I will open an upstream bug and fix this.
Comment 3 Martin Kosek 2012-11-09 03:17:04 EST
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/3248
Comment 4 Martin Kosek 2012-11-09 03:36:25 EST
A patch with a fix is attached to ticket #3248. As a workaround until it gets pushed, you could either
1) Use an IPA hostname that is already resolvable, OR
2) Install IPA with --no-reverse option and configure reverse zone later when IPA installation is finished (if required)
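An added triage example (not part of the bug report or of FreeIPA): it scans ipaserver-install.log text for the failure signature shown in the description and reports the installer step and last API call at the point of failure, which here is the reverse-zone step that workaround 2 defers. The function names and the abridged sample lines are this example's own.

```python
import re

# Lines abridged from the /var/log/ipaserver-install.log excerpt in the description.
SAMPLE_LOG = """\
2012-11-09T05:22:17Z DEBUG   [2/9]: setting up our zone
2012-11-09T05:22:17Z DEBUG raw: dnsrecord_add(u'testrelm.com', u'rasalghul', arecord=u'10.65.201.217')
2012-11-09T05:22:17Z DEBUG   [3/9]: setting up reverse zone
2012-11-09T05:22:17Z DEBUG raw: dnszone_add(u'201.65.10.in-addr.arpa.', idnssoamname=u'rasalghul.testrelm.com.', force=False, ip_address=None)
2012-11-09T05:22:17Z DEBUG raw: dns_resolve(u'rasalghul.testrelm.com.')
2012-11-09T05:22:17Z INFO The ipa-server-install command failed, exception: NotFound: Nameserver 'rasalghul.testrelm.com.' does not have a corresponding A/AAAA record
"""

STEP_RE = re.compile(r"DEBUG\s+\[(\d+)/(\d+)\]: (.+)$")
CALL_RE = re.compile(r"DEBUG raw: (\w+)\((.*)\)$")
FAIL_RE = re.compile(r"command failed, exception: (\w+): (.*)$")
NS_RE = re.compile(r"Nameserver '([^']+)' does not have a corresponding A/AAAA record")


def triage(log_text):
    """Return the installer step, last API call and exception at the point of failure."""
    step = last_call = None
    for line in log_text.splitlines():
        m = STEP_RE.search(line)
        if m:
            step = {"index": int(m.group(1)), "total": int(m.group(2)), "name": m.group(3)}
            continue
        m = CALL_RE.search(line)
        if m:
            last_call = {"command": m.group(1), "args": m.group(2)}
            continue
        m = FAIL_RE.search(line)
        if m:
            ns = NS_RE.search(m.group(2))
            return {"step": step, "last_call": last_call,
                    "exception": m.group(1), "message": m.group(2),
                    "unresolvable_ns": ns.group(1) if ns else None}
    return None  # no failure line: the install did not abort in this excerpt


def matches_bug_874935(report):
    """True when the failure has the shape shown in this report."""
    return bool(report and report["exception"] == "NotFound"
                and report["unresolvable_ns"]
                and report["step"] and report["step"]["name"] == "setting up reverse zone"
                and report["last_call"] and report["last_call"]["command"] == "dns_resolve")


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```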
Comment 5 Steeve Goveas 2012-11-09 03:47:37 EST
The patch resolved the issue. Installation was successful
Comment 6 Steeve Goveas 2012-11-09 03:50:05 EST
[root@rasalghul ~]# ipa-server-install --setup-dns --forwarder 10.65.201.122 -p Secret123 -P Secret123 -a Secret123 -r TESTRELM.COM -n testrelm.com --ip-address=10.65.201.217 --hostname=rasalghul.testrelm.com -U

The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will set up the IPA Server.
....
....
....
Configuring DNS (named)
  [1/9]: adding DNS container
  [2/9]: setting up our zone
  [3/9]: setting up reverse zone
  [4/9]: setting up our own record
  [5/9]: setting up kerberos principal
  [6/9]: setting up named.conf
  [7/9]: restarting named
  [8/9]: configuring named to start on boot
  [9/9]: changing resolv.conf to point to ourselves
Done configuring DNS (named).

Global DNS configuration in LDAP server is empty
You can use 'dnsconfig-mod' command to set global DNS options that
would override settings in local named.conf files

Restarting the web server
==============================================================================
Setup complete

Next steps:
	1. You must make sure these network ports are open:
		TCP Ports:
		  * 80, 443: HTTP/HTTPS
		  * 389, 636: LDAP/LDAPS
		  * 88, 464: kerberos
		  * 53: bind
		UDP Ports:
		  * 88, 464: kerberos
		  * 53: bind
		  * 123: ntp

	2. You can now obtain a kerberos ticket using the command: 'kinit admin'
	   This ticket will allow you to use the IPA tools (e.g., ipa user-add)
	   and the web user interface.

Be sure to back up the CA certificate stored in /root/cacert.p12
This file is required to create replicas. The password for this
file is the Directory Manager password
Comment 11 Namita Soman 2012-11-20 15:06:38 EST
Verified using ipa-3.0.0-8.el6. Installed successfully
Comment 13 errata-xmlrpc 2013-02-21 04:29:45 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2013-0528.html
