Bug 882938 - --ip-address option in ipa-replica-prepare does not add A and PTR record in DNS
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.0
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assignee: Rob Crittenden
QA Contact: IDM QE LIST
Reported: 2012-12-03 12:27 UTC by Steeve Goveas
Modified: 2014-06-18 00:03 UTC (History)

Fixed In Version: ipa-3.2.1-1.el7
Doc Type: Bug Fix
Last Closed: 2014-06-13 11:20:30 UTC

Description Steeve Goveas 2012-12-03 12:27:42 UTC
Description of problem:
When ipa-replica-prepare is given --ip-address option, an A and PTR record should get added in the IPA DNS. This does not seem to work.

Version-Release number of selected component (if applicable):
[root@rasalghul ~]# rpm -qa | grep ipa-server
ipa-server-3.0.0-9.el6.x86_64
ipa-server-selinux-3.0.0-9.el6.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Install and configure IPA server with integrated DNS
2. Run ipa-replica-prepare for replica server with --ip-address option
# ipa-replica-prepare --ip-address <Replica IP Address> <Replica Hostname>

3. Adding an entry in /etc/hosts for the replica works
  
Actual results:
[root@rasalghul ~]# ipa-replica-prepare --ip-address=10.65.201.109 wazwan.testrelm.com
Directory Manager (existing master) password: 

Preparing replica for wazwan.testrelm.com from rasalghul.testrelm.com
Creating SSL certificate for the Directory Server
Creating SSL certificate for the dogtag Directory Server
Creating SSL certificate for the Web Server
Exporting RA certificate
Copying additional files
Finalizing configuration
Packaging replica information into /var/lib/ipa/replica-info-wazwan.testrelm.com.gpg
Adding DNS records for wazwan.testrelm.com
preparation of replica failed: Nameserver 'rasalghul.testrelm.com.' does not have a corresponding A/AAAA record
Nameserver 'rasalghul.testrelm.com.' does not have a corresponding A/AAAA record
  File "/usr/sbin/ipa-replica-prepare", line 477, in <module>
    main()

  File "/usr/sbin/ipa-replica-prepare", line 465, in main
    add_zone(domain)

  File "/usr/lib/python2.6/site-packages/ipaserver/install/bindinstance.py", line 293, in add_zone
    force=force)

  File "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 435, in __call__
    ret = self.run(*args, **options)

  File "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 747, in run
    return self.execute(*args, **options)

  File "/usr/lib/python2.6/site-packages/ipalib/plugins/baseldap.py", line 1063, in execute
    self, ldap, dn, entry_attrs, attrs_list, *keys, **options)

  File "/usr/lib/python2.6/site-packages/ipalib/plugins/dns.py", line 1825, in pre_callback
    check_ns_rec_resolvable(keys[0], nameserver)

  File "/usr/lib/python2.6/site-packages/ipalib/plugins/dns.py", line 1526, in check_ns_rec_resolvable
    reason=_('Nameserver \'%(host)s\' does not have a corresponding A/AAAA record') % {'host': name}


Expected results:
Preparation of replica is successful with A and PTR record of the replica server added in IPA DNS.


Additional info:
[root@rasalghul ~]# man ipa-replica-prepare
...
--ip-address=IP_ADDRESS
              IP address of the replica server. If you provide this option, the A and PTR records will be added to the DNS.
...

[root@rasalghul ~]# ipa dnszone-find
  Zone name: 201.65.10.in-addr.arpa.
  Authoritative nameserver: rasalghul.testrelm.com.
  Administrator e-mail address: hostmaster.testrelm.com.
  SOA serial: 1354530593
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  Active zone: TRUE
  Allow query: any;
  Allow transfer: none;

  Zone name: 206.65.10.in-addr.arpa.
  Authoritative nameserver: sideswipe.testrelm.com.
  Administrator e-mail address: hostmaster.testrelm.com.
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  Active zone: TRUE
  Allow query: any;
  Allow transfer: none;

  Zone name: testrelm.com
  Authoritative nameserver: rasalghul.testrelm.com.
  Administrator e-mail address: hostmaster.testrelm.com.
  SOA serial: 1354530962
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  Active zone: TRUE
  Allow query: any;
  Allow transfer: none;
----------------------------
Number of entries returned 3
----------------------------

[root@rasalghul ~]# ipa-replica-prepare --ip-address 10.65.201.109 wazwan.testrelm.com
Directory Manager (existing master) password: 

Preparing replica for wazwan.testrelm.com from rasalghul.testrelm.com
Creating SSL certificate for the Directory Server
Creating SSL certificate for the dogtag Directory Server
Creating SSL certificate for the Web Server
Exporting RA certificate
Copying additional files
Finalizing configuration
Packaging replica information into /var/lib/ipa/replica-info-wazwan.testrelm.com.gpg
Adding DNS records for wazwan.testrelm.com
preparation of replica failed: Nameserver 'rasalghul.testrelm.com.' does not have a corresponding A/AAAA record
Nameserver 'rasalghul.testrelm.com.' does not have a corresponding A/AAAA record
  File "/usr/sbin/ipa-replica-prepare", line 477, in <module>
    main()

  File "/usr/sbin/ipa-replica-prepare", line 465, in main
    add_zone(domain)

  File "/usr/lib/python2.6/site-packages/ipaserver/install/bindinstance.py", line 293, in add_zone
    force=force)

  File "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 435, in __call__
    ret = self.run(*args, **options)

  File "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 747, in run
    return self.execute(*args, **options)

  File "/usr/lib/python2.6/site-packages/ipalib/plugins/baseldap.py", line 1063, in execute
    self, ldap, dn, entry_attrs, attrs_list, *keys, **options)

  File "/usr/lib/python2.6/site-packages/ipalib/plugins/dns.py", line 1825, in pre_callback
    check_ns_rec_resolvable(keys[0], nameserver)

  File "/usr/lib/python2.6/site-packages/ipalib/plugins/dns.py", line 1526, in check_ns_rec_resolvable
    reason=_('Nameserver \'%(host)s\' does not have a corresponding A/AAAA record') % {'host': name}


[root@rasalghul ~]# ipa-replica-prepare --ip-address=10.65.201.109 wazwan.testrelm.com
Directory Manager (existing master) password: 

Preparing replica for wazwan.testrelm.com from rasalghul.testrelm.com
Creating SSL certificate for the Directory Server
Creating SSL certificate for the dogtag Directory Server
Creating SSL certificate for the Web Server
Exporting RA certificate
Copying additional files
Finalizing configuration
Packaging replica information into /var/lib/ipa/replica-info-wazwan.testrelm.com.gpg
Adding DNS records for wazwan.testrelm.com
preparation of replica failed: Nameserver 'rasalghul.testrelm.com.' does not have a corresponding A/AAAA record
Nameserver 'rasalghul.testrelm.com.' does not have a corresponding A/AAAA record
  File "/usr/sbin/ipa-replica-prepare", line 477, in <module>
    main()

  File "/usr/sbin/ipa-replica-prepare", line 465, in main
    add_zone(domain)

  File "/usr/lib/python2.6/site-packages/ipaserver/install/bindinstance.py", line 293, in add_zone
    force=force)

  File "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 435, in __call__
    ret = self.run(*args, **options)

  File "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 747, in run
    return self.execute(*args, **options)

  File "/usr/lib/python2.6/site-packages/ipalib/plugins/baseldap.py", line 1063, in execute
    self, ldap, dn, entry_attrs, attrs_list, *keys, **options)

  File "/usr/lib/python2.6/site-packages/ipalib/plugins/dns.py", line 1825, in pre_callback
    check_ns_rec_resolvable(keys[0], nameserver)

  File "/usr/lib/python2.6/site-packages/ipalib/plugins/dns.py", line 1526, in check_ns_rec_resolvable
    reason=_('Nameserver \'%(host)s\' does not have a corresponding A/AAAA record') % {'host': name}

Comment 2 Martin Kosek 2012-12-03 13:41:53 UTC
The error message is ugly, but it may have a point. Is the "rasalghul.testrelm.com." really resolvable? You can try it with this command:

[root@rasalghul ~]# host rasalghul.testrelm.com.

In case you modified /etc/resolv.conf before this test and did not reload the httpd server, it may still be using the old list of name server IPs, which may not contain this hostname...

Comment 3 Steeve Goveas 2012-12-03 14:27:59 UTC
* Seems like my resolv.conf was wrong

[root@rasalghul ~]# host rasalghul.testrelm.com
Host rasalghul.testrelm.com not found: 3(NXDOMAIN)

[root@rasalghul ~]# cat /etc/resolv.conf
; generated by /sbin/dhclient-script
search pnq.redhat.com redhat.com testrelm.com
nameserver 10.65.201.89
nameserver 10.65.255.201
nameserver 10.70.34.1

* After correction

[root@rasalghul ~]# cat /etc/resolv.conf
search testrelm.com
nameserver 10.65.201.217

[root@rasalghul ~]# host rasalghul.testrelm.com
rasalghul.testrelm.com has address 10.65.201.217

[root@rasalghul ~]# ipa-replica-prepare --ip-address=10.65.201.109 wazwan.testrelm.com
Directory Manager (existing master) password: 

Preparing replica for wazwan.testrelm.com from rasalghul.testrelm.com
Creating SSL certificate for the Directory Server
Creating SSL certificate for the dogtag Directory Server
Creating SSL certificate for the Web Server
Exporting RA certificate
Copying additional files
Finalizing configuration
Packaging replica information into /var/lib/ipa/replica-info-wazwan.testrelm.com.gpg
Adding DNS records for wazwan.testrelm.com
Using reverse zone 201.65.10.in-addr.arpa.

[root@rasalghul ~]# ipa-replica-prepare --ip-address=10.34.35.54 dell-pe1950-03.testrelm.com
Directory Manager (existing master) password: 

Preparing replica for dell-pe1950-03.testrelm.com from rasalghul.testrelm.com
Creating SSL certificate for the Directory Server
Creating SSL certificate for the dogtag Directory Server
Creating SSL certificate for the Web Server
Exporting RA certificate
Copying additional files
Finalizing configuration
Packaging replica information into /var/lib/ipa/replica-info-dell-pe1950-03.testrelm.com.gpg
Adding DNS records for dell-pe1950-03.testrelm.com
Using reverse zone 35.34.10.in-addr.arpa.

* It added the new zone and the A and PTR records

[root@rasalghul ~]# ipa dnsrecord-find testrelm.com wazwan
  Record name: wazwan
  A record: 10.65.201.109
----------------------------
Number of entries returned 1
----------------------------
[root@rasalghul ~]# ipa dnsrecord-find 201.65.10.in-addr.arpa wazwan
  Record name: 109
  PTR record: wazwan.testrelm.com.
----------------------------
Number of entries returned 1
----------------------------
[root@rasalghul ~]# ipa dnsrecord-find testrelm.com dell-pe1950-03
  Record name: dell-pe1950-03
  A record: 10.34.35.54
----------------------------
Number of entries returned 1
----------------------------
[root@rasalghul ~]# ipa dnsrecord-find 35.34.10.in-addr.arpa. 54
  Record name: 54
  PTR record: dell-pe1950-03.testrelm.com.
----------------------------
Number of entries returned 1
----------------------------
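
The diagnosis from Comments 2 and 3, as an added example that is not part of the original report or of the FreeIPA code: a preflight check that asks each nameserver listed in /etc/resolv.conf directly for the master's own name. The function names and the `fake_lookup` stand-in (which assumes only 10.65.201.217 serves testrelm.com) are assumptions; the two resolv.conf samples are the ones shown in Comment 3.

```python
import subprocess

# Constructed samples: the two /etc/resolv.conf files shown in Comment 3.
BROKEN = """; generated by /sbin/dhclient-script
search pnq.redhat.com redhat.com testrelm.com
nameserver 10.65.201.89
nameserver 10.65.255.201
nameserver 10.70.34.1
"""
FIXED = "search testrelm.com\nnameserver 10.65.201.217\n"

def parse_nameservers(text):
    """Return nameserver IPs in the order the stub resolver tries them."""
    servers = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            servers.append(fields[1])
    return servers

def host_lookup(fqdn, server):
    """Query one server with host(1): 'ok', 'nxdomain', else 'unreachable'."""
    out = subprocess.run(["host", "-W", "2", "-t", "A", fqdn, server],
                         capture_output=True, text=True).stdout
    if "has address" in out:
        return "ok"
    return "nxdomain" if "NXDOMAIN" in out else "unreachable"

def preflight(fqdn, resolv_conf_text, lookup=host_lookup):
    """Return (effective_status, [(server, status), ...]) for the master FQDN."""
    per_server = [(ns, lookup(fqdn, ns))
                  for ns in parse_nameservers(resolv_conf_text)]
    # The resolver falls through to the next server only when one fails to
    # answer; NXDOMAIN from the first server that responds is final.
    effective = next((s for _, s in per_server if s != "unreachable"),
                     "unreachable")
    return effective, per_server

def fake_lookup(fqdn, server):
    """Offline stand-in (assumption): only the IPA master serves testrelm.com."""
    return "ok" if server == "10.65.201.217" else "nxdomain"

if __name__ == "__main__":
    for label, conf in (("before", BROKEN), ("after", FIXED)):
        print(label, preflight("rasalghul.testrelm.com.", conf, fake_lookup))
```

On a real master, call `preflight()` with the default `host_lookup` and the contents of /etc/resolv.conf before running ipa-replica-prepare. As Comment 2 notes, httpd has to be reloaded after the file changes, since it may still be using the old nameserver list.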

Comment 4 Martin Kosek 2012-12-04 08:02:07 UTC
Ok. Then this bug is not a 6.4 blocker, IMO.

But I will create an upstream ticket anyway so that we can improve the error message to make it more user-friendly.

Comment 5 Martin Kosek 2012-12-04 08:32:54 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/3283

Comment 6 Martin Kosek 2012-12-06 07:02:57 UTC
Fixed upstream:
master: https://fedorahosted.org/freeipa/changeset/152585e73141ae5485e677f36f7f47551b438bbb
ipa-3-0: https://fedorahosted.org/freeipa/changeset/55bace6546095d78760be413896c824efe9c2f20

No stacktrace is now printed, but rather a nice error message which is more readable for users.

Comment 10 Steeve Goveas 2013-12-19 07:11:26 UTC
* Backup resolv.conf

[root@tyan-gt24-01 ~]# cp /etc/resolv.conf resolv.conf.ipa

[root@tyan-gt24-01 ~]# kinit admin
Password for admin:

* Changed resolv.conf

[root@tyan-gt24-01 ~]# cat resolv.conf
# Generated by NetworkManager
domain rhts.eng.bos.redhat.com
search rhts.eng.bos.redhat.com testrelm.com
nameserver 10.16.36.29
nameserver 10.11.5.19
nameserver 10.5.30.160

[root@tyan-gt24-01 ~]# cp resolv.conf /etc/resolv.conf

* Ran ipa-replica-prepare. Error message does not print the stacktrace and is user-friendly

[root@tyan-gt24-01 ~]# ipa-replica-prepare --ip-address=10.65.207.218 dhcp207-218.testrelm.com
Directory Manager (existing master) password: 

Preparing replica for dhcp207-218.testrelm.com from tyan-gt24-01.testrelm.com
Creating SSL certificate for the Directory Server
Creating SSL certificate for the dogtag Directory Server
Saving dogtag Directory Server port
Creating SSL certificate for the Web Server
Exporting RA certificate
Copying additional files
Finalizing configuration
Packaging replica information into /var/lib/ipa/replica-info-dhcp207-218.testrelm.com.gpg
Adding DNS records for dhcp207-218.testrelm.com
Could not create forward DNS zone for the replica: Nameserver 'tyan-gt24-01.testrelm.com.' does not have a corresponding A/AAAA record

[root@tyan-gt24-01 ~]#

* Verified in version

[root@tyan-gt24-01 ~]# rpm -q ipa-server
ipa-server-3.3.3-6.el7.x86_64

Comment 11 Ludek Smid 2014-06-13 11:20:30 UTC
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.

