Bug 918259 - ipa-dns-install fails with ObjectclassViolation
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.0
Hardware: Unspecified
OS: Unspecified
medium
unspecified
Target Milestone: rc
Assignee: Rob Crittenden
QA Contact: IDM QE LIST
Reported: 2013-03-05 19:09 UTC by Namita Soman
Modified: 2014-06-18 00:07 UTC

Fixed In Version: ipa-3.2.1-1.el7
Doc Type: Bug Fix
Last Closed: 2014-06-13 11:41:51 UTC

Description Namita Soman 2013-03-05 19:09:20 UTC
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/freeipa/ticket/3458

In the following scenario:

1. ipa-server-install without --setup-dns on server A
2. ipa-replica-install with --setup-dns on server B
3. ipa-dns-install on server A

The last step fails with:
{{{
2013-02-25T16:15:04Z DEBUG   [1/9]: adding NS record to the zone
2013-02-25T16:15:04Z DEBUG raw: dnsrecord_add(u'example.com', u'@', nsrecord=u'a.example.com.', force=True)
2013-02-25T16:15:04Z DEBUG dnsrecord_add(u'example.com', u'@', a_extra_create_reverse=False, aaaa_extra_create_reverse=False, nsrecord=(u'a.example.com.',), force=True, structured=False, all=False, raw=False)
2013-02-25T16:15:04Z INFO   File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 612, in run_script
    return_value = main_function()

  File "/sbin/ipa-dns-install", line 238, in main
    bind.create_instance()

  File "/usr/lib/python2.7/site-packages/ipaserver/install/bindinstance.py", line 509, in create_instance
    self.start_creation()

  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 362, in start_creation
    method()

  File "/usr/lib/python2.7/site-packages/ipaserver/install/bindinstance.py", line 585, in __add_self_ns
    add_ns_rr(self.domain, api.env.host, self.dns_backup, force=True)

  File "/usr/lib/python2.7/site-packages/ipaserver/install/bindinstance.py", line 325, in add_ns_rr
    force=force)

  File "/usr/lib/python2.7/site-packages/ipaserver/install/bindinstance.py", line 304, in add_rr
    api.Command.dnsrecord_add(unicode(zone), unicode(name), **addkw)

  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 435, in __call__
    ret = self.run(*args, **options)

  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 747, in run
    return self.execute(*args, **options)

  File "/usr/lib/python2.7/site-packages/ipalib/plugins/baseldap.py", line 1036, in execute
    self._exc_wrapper(keys, options, ldap.add_entry)(dn, entry_attrs)

  File "/usr/lib/python2.7/site-packages/ipalib/plugins/baseldap.py", line 957, in wrapped
    return func(*call_args, **call_kwargs)

  File "/usr/lib/python2.7/site-packages/ipalib/plugins/baseldap.py", line 965, in exc_func
    self, keys, options, e, call_func, *args, **kwargs)

  File "/usr/lib/python2.7/site-packages/ipalib/plugins/dns.py", line 2461, in exc_callback
    ldap.update_entry(dn, entry_attrs, **call_kwargs)

  File "/usr/lib/python2.7/site-packages/ipaserver/ipaldap.py", line 1594, in update_entry
    self.conn.modify_s(dn, modlist)

  File "/usr/lib64/python2.7/contextlib.py", line 35, in __exit__
    self.gen.throw(type, value, traceback)

  File "/usr/lib/python2.7/site-packages/ipaserver/ipaldap.py", line 916, in error_handler
    raise errors.ObjectclassViolation(info=info)

2013-02-25T16:15:04Z INFO The ipa-dns-install command failed, exception: ObjectclassViolation: missing attribute "idnsSOAserial" required by object class "idnsZone"
}}}

Comment 1 Martin Kosek 2013-03-22 13:38:32 UTC
Fixed upstream:

master:
b5b040e68f571a858dfe85b65b58687ffc816649 Configure ipa_dns DS plugin on install and upgrade
952a7ac9f55e09eeaa7a24400957aac684a616fb Add 389 DS plugin for special idnsSOASerial attribute handling

ipa-3-1:
9cb2c757a1527d03e39fb79fa7660bf9e935b7ba Configure ipa_dns DS plugin on install and upgrade
6f395d9ede7e20305e90c0c6b3150307277081c3 Add 389 DS plugin for special idnsSOASerial attribute handling

Comment 4 Scott Poore 2014-01-29 21:43:28 UTC
Verified.

Version ::

ipa-server-3.3.3-15.el7.x86_64

Test Results ::

ON MASTER:

[root@rhel7-4 ~]# ipa-server-install -r $REALM -n $DOMAIN -p Secret123 -P Secret123 -a Secret123 -U
...

ON REPLICA:

[root@rhel7-5 ~]# ipa-replica-install -U --setup-ca --setup-dns --forwarder=192.168.122.1 -w Secret123 -p Secret123  /dev/shm/replica-info-rhel7-5.example.com.gpg
...

ON MASTER:

[root@rhel7-4 ~]# ipa-dns-install --forwarder=192.168.122.1

The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will setup DNS for the IPA Server.

This includes:
  * Configure DNS (bind)

To accept the default shown in brackets, press the Enter key.

Existing BIND configuration detected, overwrite? [no]: yes
Directory Manager password: 

Using reverse zone 122.168.192.in-addr.arpa.

The following operations may take some minutes to complete.
Please wait until the prompt is returned.

Configuring DNS (named)
  [1/9]: adding NS record to the zone
  [2/9]: setting up reverse zone
  [3/9]: setting up our own record
  [4/9]: setting up CA record
  [5/9]: setting up kerberos principal
  [6/9]: setting up named.conf
  [7/9]: restarting named
  [8/9]: configuring named to start on boot
  [9/9]: changing resolv.conf to point to ourselves
Done configuring DNS (named).
Restarting the web server
==============================================================================
Setup complete

Global DNS configuration in LDAP server is empty
You can use 'dnsconfig-mod' command to set global DNS options that
would override settings in local named.conf files


	You must make sure these network ports are open:
		TCP Ports:
		  * 53: bind
		UDP Ports:
		  * 53: bind

Comment 8 Martin Kosek 2014-05-15 13:44:38 UTC
A tested workaround (RHEL-6 master, RHEL-7 replica):

# ipa dnszone-find
  Zone name: 0.0.10.in-addr.arpa.
  Authoritative nameserver: vm-067.example.com.
  Administrator e-mail address: hostmaster.example.com.
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  Active zone: TRUE
  Allow query: any;
  Allow transfer: none;

  Zone name: example.com
  Authoritative nameserver: vm-067.example.com.
  Administrator e-mail address: hostmaster.example.com.
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  Active zone: TRUE
  Allow query: any;
  Allow transfer: none;
----------------------------
Number of entries returned 2
----------------------------

<-- list of DNS replicated zones, notice that SOA Serial is missing

# ipa-dns-install 

The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will setup DNS for the IPA Server.

This includes:
  * Configure DNS (bind)

To accept the default shown in brackets, press the Enter key.

Existing BIND configuration detected, overwrite? [no]: y
Directory Manager password: 

Do you want to configure DNS forwarders? [yes]: n
No DNS forwarders configured
Using reverse zone 0.0.10.in-addr.arpa.

The following operations may take some minutes to complete.
Please wait until the prompt is returned.

Configuring DNS (named)
  [1/8]: adding NS record to the zone
Unexpected error - see /var/log/ipaserver-install.log for details:
ObjectclassViolation: missing attribute "idnsSOAserial" required by object class "idnsZone"


<-- errors out, we need to workaround

# ipa dnszone-mod example.com --serial 1
  Zone name: example.com
  Authoritative nameserver: vm-067.example.com.
  Administrator e-mail address: hostmaster.example.com.
  SOA serial: 1
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  Active zone: TRUE
  Allow query: any;
  Allow transfer: none;

# ipa dnszone-mod 0.0.10.in-addr.arpa. --serial 1
  Zone name: 0.0.10.in-addr.arpa.
  Authoritative nameserver: vm-067.example.com.
  Administrator e-mail address: hostmaster.example.com.
  SOA serial: 1
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  Active zone: TRUE
  Allow query: any;
  Allow transfer: none;


<-- workaround complete, let's try install again

# ipa-dns-install 

The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will setup DNS for the IPA Server.

This includes:
  * Configure DNS (bind)

To accept the default shown in brackets, press the Enter key.

Existing BIND configuration detected, overwrite? [no]: y
Directory Manager password: 

Do you want to configure DNS forwarders? [yes]: 
Enter the IP address of DNS forwarder to use, or press Enter to finish.
Enter IP address for a DNS forwarder: 10.0.0.1
DNS forwarder 10.0.0.1 added
Enter IP address for a DNS forwarder: 
Using reverse zone 0.0.10.in-addr.arpa.

The following operations may take some minutes to complete.
Please wait until the prompt is returned.

Configuring DNS (named)
  [1/8]: adding NS record to the zone
  [2/8]: setting up reverse zone
  [3/8]: setting up our own record
  [4/8]: setting up kerberos principal
  [5/8]: setting up named.conf
  [6/8]: restarting named
  [7/8]: configuring named to start on boot
  [8/8]: changing resolv.conf to point to ourselves
Done configuring DNS (named).
Restarting the web server
==============================================================================
Setup complete

Global DNS configuration in LDAP server is empty
You can use 'dnsconfig-mod' command to set global DNS options that
would override settings in local named.conf files


	You must make sure these network ports are open:
		TCP Ports:
		  * 53: bind
		UDP Ports:
		  * 53: bind
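
Added example, not part of the original bug comments or of the FreeIPA code base: a shell helper that reads `ipa dnszone-find` output, finds zones with no "SOA serial" line (the condition behind the ObjectclassViolation above), and prints the matching `ipa dnszone-mod ... --serial 1` workaround commands for review. The function names and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example: detect replicated zones that lack an SOA serial in the
# text output of `ipa dnszone-find`. Function names are hypothetical.

# Reads dnszone-find output on stdin, prints one affected zone name per line.
zones_missing_serial() {
    awk '
        # A "Zone name:" line starts a new record; report the previous one first.
        /^[ \t]*Zone name:/ {
            if (zone != "" && !has_serial) print zone
            sub(/^[ \t]*Zone name:[ \t]*/, "")
            sub(/[ \t]+$/, "")
            zone = $0
            has_serial = 0
            next
        }
        # Only a numeric value counts as a present serial.
        /^[ \t]*SOA serial:[ \t]*[0-9]+/ { has_serial = 1 }
        END { if (zone != "" && !has_serial) print zone }
    '
}

# Prints (does not run) the workaround command for each affected zone.
workaround_commands() {
    zones_missing_serial | while IFS= read -r z; do
        printf 'ipa dnszone-mod %s --serial 1\n' "$z"
    done
}

# Constructed sample: the first zone already has a serial, the second does not.
sample_output() {
cat <<'EOF'
  Zone name: 0.0.10.in-addr.arpa.
  Authoritative nameserver: vm-067.example.com.
  SOA serial: 1
  SOA refresh: 3600

  Zone name: example.com
  Authoritative nameserver: vm-067.example.com.
  SOA refresh: 3600
  Active zone: TRUE
----------------------------
Number of entries returned 2
----------------------------
EOF
}

sample_output | workaround_commands
```

On a live server the input would come from `ipa dnszone-find | workaround_commands`, run before `ipa-dns-install`.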

Comment 9 Ludek Smid 2014-06-13 11:41:51 UTC
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.

