
Bug 896699

Summary: ipa-replica-manage -H does not delete DNS SRV records
Product: Red Hat Enterprise Linux 7
Component: ipa
Version: 7.0
Status: CLOSED WONTFIX
Severity: unspecified
Priority: unspecified
Target Milestone: rc
Keywords: Reopened
Reporter: Scott Poore <spoore>
Assignee: IPA Maintainers <ipa-maint>
QA Contact: IDM QE LIST <seceng-idm-qe-list>
CC: dpal, ksiddiqu, mbabinsk, mbasti, mkosek, pvoborni
Hardware: Unspecified
OS: Unspecified
Type: Bug
Last Closed: 2017-04-06 17:14:10 UTC
Attachments: vm1 var log dir, vm2 var log dir

Description Scott Poore 2013-01-17 19:35:18 UTC
Description of problem:

Running ipa-replica-manage remotely with the -H option does not appear to delete DNS SRV records.


[root@rhel6-5 shm]# ipa-replica-manage -p $ADMINPW -H $MASTER del $REPLICA -f
Deleting replication agreements between rhel6-5.testrelm.com and rhel6-4.testrelm.com
ipa: INFO: Setting agreement cn=meTorhel6-4.testrelm.com,cn=replica,cn=dc\=testrelm\,dc\=com,cn=mapping tree,cn=config schedule to 2358-2359 0 to force synch
ipa: INFO: Deleting schedule 2358-2359 0 from agreement cn=meTorhel6-4.testrelm.com,cn=replica,cn=dc\=testrelm\,dc\=com,cn=mapping tree,cn=config
ipa: INFO: Replication Update in progress: FALSE: status: 0 Replica acquired successfully: Incremental update succeeded: start: 0: end: 0
Deleted replication agreement from 'rhel6-4.testrelm.com' to 'rhel6-5.testrelm.com'
Background task created to clean replication data. This may take a while.
This may be safely interrupted with Ctrl+C

[root@rhel6-5 shm]# dig @$MASTER +short _kerberos-master._tcp.testrelm.com srv|grep $REPLICA
0 100 88 rhel6-5.testrelm.com.


Version-Release number of selected component (if applicable):
ipa-server-3.0.0-22.el6.x86_64

How reproducible:
always?


Steps to Reproduce:
On MASTER:
1.  Install IPA Server
2.  ipa-replica-prepare -p $ADMINPW --ip-address=$REPLICA_IP $REPLICA

On REPLICA:
3.  sftp $MASTER:/var/lib/ipa/replica-info-$REPLICA.gpg .
4.  ipa-replica-install -U --setup-dns --forwarder=$DNSFORWARD --setup-ca -w $ADMINPW -p $ADMINPW replica-info-$REPLICA.gpg
5.  ipa-replica-manage -p $ADMINPW -H $MASTER del $REPLICA -f
6.  dig @$MASTER +short _kerberos-master._tcp.testrelm.com srv|grep $REPLICA

On MASTER:
  
Actual results:

Deletes the replication agreement but leaves behind the DNS SRV records.

Expected results:

No DNS SRV records left behind so that it functions the same as when ipa-replica-manage del is run from the remote server directly.


Additional info:

Comment 2 Rob Crittenden 2013-01-17 19:49:08 UTC
I think the problem is that it deletes the agreements and then removes the SRV records on the local IPA server. Because we've already broken replication these changes are lost.

Comment 3 Rob Crittenden 2013-01-17 19:50:16 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/3362

Comment 5 Martin Kosek 2014-03-11 07:20:22 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/4235

Comment 6 Michael Gregg 2014-04-15 02:18:40 UTC
Update: 

I needed to uninstall, then reinstall the replica multiple times to reproduce this bug. 

I needed to go through 6 install/uninstall cycles on several machines before this behavior started. 

I am still getting this behavior on various systems:

[root@nocp11 ~]# ipa-replica-manage -p $ADMINPW -H $MASTER del $REPLICA -f
Deleting replication agreements between nocp11.testrelm.test and blade04.testrelm.test
ipa: INFO: Setting agreement cn=meToblade04.testrelm.test,cn=replica,cn=dc\=testrelm\,dc\=test,cn=mapping tree,cn=config schedule to 2358-2359 0 to force synch
ipa: INFO: Deleting schedule 2358-2359 0 from agreement cn=meToblade04.testrelm.test,cn=replica,cn=dc\=testrelm\,dc\=test,cn=mapping tree,cn=config
ipa: INFO: Replication Update in progress: TRUE: status: 0 Replica acquired successfully: Incremental update started: start: 0: end: 0
ipa: INFO: Replication Update in progress: FALSE: status: 0 Replica acquired successfully: Incremental update succeeded: start: 0: end: 0
Deleted replication agreement from 'blade04.testrelm.test' to 'nocp11.testrelm.test'
Background task created to clean replication data. This may take a while.
This may be safely interrupted with Ctrl+C
[root@nocp11 ~]# dig @$MASTER +short _kerberos-master._tcp.testrelm.test srv
0 100 88 nocp11.testrelm.test.
0 100 88 blade04.testrelm.test.

Comment 7 Martin Kosek 2016-01-29 13:06:12 UTC
Thank you for taking your time and submitting this request for Red Hat Enterprise Linux. Unfortunately, this bug was not given a priority and was deferred both in the upstream project and in Red Hat Enterprise Linux.

Given that we are unable to fulfill this request in following Red Hat Enterprise Linux releases, I am closing the Bugzilla as WONTFIX. To request that Red Hat re-considers the decision, please re-open the Bugzilla via appropriate support channels and provide additional business and/or technical details about its importance to you.

Note that you can still track this request or even contribute patches in the referred upstream Trac ticket.

Comment 8 Martin Bašti 2016-06-28 11:10:04 UTC
This should be fixed as a side effect of bz 747612

Comment 10 Scott Poore 2016-09-13 23:19:33 UTC
This appears to still be an issue.  Is there a new way to handle this?

[root@vm2 ~]# ipa-replica-manage -p Secret123 list
vm2.example.com: master
vm1.example.com: master

[root@vm2 ~]# dig @vm1.example.com +short vm2.example.com
192.168.122.152

[root@vm2 ~]# dig @vm1.example.com +short -x 192.168.122.152
vm2.example.com.

[root@vm2 ~]# dig @vm1.example.com +short _kerberos._tcp.example.com srv
0 100 88 vm1.example.com.
0 100 88 vm2.example.com.

[root@vm2 ~]# ipa-replica-manage -p Secret123 -H vm1.example.com del vm2.example.com 
Updating DNS system records
ipa: ERROR: unable to resolve host name vm2.example.com. to IP address, ipa-ca DNS record will be incomplete
------------------------------------
Deleted IPA server "vm2.example.com"
------------------------------------

[root@vm2 ~]#  dig @vm1.example.com +short _kerberos._tcp.example.com srv
0 100 88 vm1.example.com.
0 100 88 vm2.example.com.

[root@vm1 ~]# ipa dnsrecord-find example.com | grep vm2
  NS record: vm2.example.com., vm1.example.com.
  SRV record: 0 100 88 vm2.example.com., 0 100 88 vm1.example.com.
  SRV record: 0 100 88 vm2.example.com., 0 100 88 vm1.example.com.
  SRV record: 0 100 464 vm1.example.com., 0 100 464 vm2.example.com.
  SRV record: 0 100 389 vm1.example.com., 0 100 389 vm2.example.com.
  SRV record: 0 100 88 vm2.example.com., 0 100 88 vm1.example.com.
  SRV record: 0 100 88 vm2.example.com., 0 100 88 vm1.example.com.
  SRV record: 0 100 464 vm1.example.com., 0 100 464 vm2.example.com.
  SRV record: 0 100 123 vm1.example.com., 0 100 123 vm2.example.com.
  Record name: vm2
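
The manual check from Comment 10, as an added example that is not part of the bug thread: a POSIX shell function compares the targets in a `dig +short ... srv` answer with the hosts printed by `ipa-replica-manage list` and reports any SRV target that is no longer a listed server. The function names, the sample variables and the post-delete server list are assumptions constructed here.

```shell
#!/bin/sh
# Added example: flag SRV targets that are no longer listed IPA servers.
# Inputs are the text output of `dig +short <name> srv` and of
# `ipa-replica-manage list`, the two commands used in the comments above.

# Print the target of each SRV answer ("prio weight port target."),
# lower-cased and without the trailing dot. Other lines are skipped.
srv_targets() {
    printf '%s\n' "$1" | awk 'NF == 4 && $1 ~ /^[0-9]+$/ && $3 ~ /^[0-9]+$/ {
        t = tolower($4); sub(/\.$/, "", t); print t
    }' | sort -u
}

# Print the host names from the "host: role" lines of the server list.
listed_servers() {
    printf '%s\n' "$1" | awk -F': *' 'NF >= 2 && $1 ~ /\./ {
        print tolower($1)
    }' | sort -u
}

# Print SRV targets that are not listed servers.
# Returns 1 if any stale target exists, 0 if the answer is clean.
stale_srv_targets() {
    stale=$(srv_targets "$1" | grep -vxF -- "$(listed_servers "$2")" || true)
    if [ -z "$stale" ]; then
        return 0
    fi
    printf '%s\n' "$stale"
    return 1
}

# Constructed sample: the SRV answer shown in Comment 10 after the delete,
# and an assumed post-delete server list that contains only vm1.
SAMPLE_SRV='0 100 88 vm1.example.com.
0 100 88 vm2.example.com.'
SAMPLE_LIST='vm1.example.com: master'

stale_srv_targets "$SAMPLE_SRV" "$SAMPLE_LIST" \
    || echo "stale SRV targets remain in DNS" >&2

# Live use, with the variables from the reproduction steps:
#   stale_srv_targets \
#     "$(dig @$MASTER +short _kerberos-master._tcp.testrelm.com srv)" \
#     "$(ipa-replica-manage -p $ADMINPW list)"
```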

Comment 11 Scott Poore 2016-09-13 23:20:02 UTC
Created attachment 1200668 [details]
vm1 var log dir

Comment 12 Scott Poore 2016-09-13 23:20:48 UTC
Created attachment 1200669 [details]
vm2 var log dir

Comment 13 Martin Bašti 2016-09-14 13:24:11 UTC
I inspected the code and it looks like option -H was omitted in the new code for server-del (which is used for ipa-replica-manage del in domain level 1).

So effectively you hit this ticket, because the replica is removing itself: https://fedorahosted.org/freeipa/ticket/6176

For domain level 0, it should work.


Martin may know more about server-del/ipa-replica-manage del

Comment 15 Martin Babinsky 2016-09-26 15:56:37 UTC
In domain level 1, option -H does not work for ipa-replica-manage del as the command `server-del` (which is called by ipa-replica-manage) is always run against the master specified in XMLRPC uri. This means that when you call `server-del FQDN` on master FQDN it means that the code is run locally and the master tries to remove itself.

Comment 17 Petr Vobornik 2017-04-06 17:14:10 UTC
Closing with the same explanation as written in Comment 7