#1223 IPA Replica Installation Fails - reverse address doesn't match error
Closed: Fixed None Opened 11 years ago by dpal.

Description of problem:

:: [16:04:51] ::  EXECUTING: ipa-replica-install -U --setup-dns
--forwarder=10.14.63.12 -p Secret123
/dev/shm/replica-info-amd-tilapia-01.testrelm.gpg
root        : ERROR    The DNS forward record amd-tilapia-01.testrelm. does not
match the reverse address amd-tilapia-01.rhts.eng.bos.redhat.com.
:: [   FAIL   ] :: Replica installation (Expected 0, got 1)

ipa-replicainstall.log

2011-05-11 16:04:51,720 DEBUG /usr/sbin/ipa-replica-install was invoked with
argument "/dev/shm/replica-info-amd-tilapia-01.testrelm.gpg" and options:
{'no_forwarders': False, 'no_host_dns': False, 'no_reverse': False,
'setup_dns': True, 'forwarders': ['10.14.63.12'], 'debug': False, 'conf_ntp':
True, 'unattended': True}
2011-05-11 16:04:51,721 DEBUG Loading Index file from
'/var/lib/ipa-client/sysrestore/sysrestore.index'
2011-05-11 16:04:51,721 DEBUG Loading StateFile from
'/var/lib/ipa/sysrestore/sysrestore.state'
2011-05-11 16:04:51,882 DEBUG args=/usr/bin/gpg --batch --homedir
/tmp/tmpQUBNmaipa/ipa-Jqwjqy/.gnupg --passphrase-fd 0 --yes --no-tty -o
/tmp/tmpQUBNmaipa/files.tar -d
/dev/shm/replica-info-amd-tilapia-01.testrelm.gpg
2011-05-11 16:04:51,882 DEBUG stdout=
2011-05-11 16:04:51,883 DEBUG stderr=gpg: WARNING: unsafe permissions on
homedir `/tmp/tmpQUBNmaipa/ipa-Jqwjqy/.gnupg'
gpg: keyring `/tmp/tmpQUBNmaipa/ipa-Jqwjqy/.gnupg/secring.gpg' created
gpg: keyring `/tmp/tmpQUBNmaipa/ipa-Jqwjqy/.gnupg/pubring.gpg' created
gpg: 3DES encrypted data
gpg: encrypted with 1 passphrase
gpg: WARNING: message was not integrity protected

2011-05-11 16:04:51,908 DEBUG args=tar xf /tmp/tmpQUBNmaipa/files.tar -C
/tmp/tmpQUBNmaipa
2011-05-11 16:04:51,909 DEBUG stdout=
2011-05-11 16:04:51,909 DEBUG stderr=
2011-05-11 16:04:51,916 ERROR The DNS forward record amd-tilapia-01.testrelm.
does not match the reverse address amd-tilapia-01.rhts.eng.bos.redhat.com.

Master install with integrated DNS.
   Master IP address: 10.16.64.34

Replica install with integrated DNS.
   Replica IP address: 10.16.67.10

DNS entries in IPA/DS:

# dns, testrelm
dn: cn=dns,dc=testrelm
objectClass: nsContainer
objectClass: top
cn: dns

# testrelm, dns, testrelm
dn: idnsname=testrelm,cn=dns,dc=testrelm
idnsZoneActive: TRUE
idnsSOAexpire: 1209600
nSRecord: dell-pe830-02.testrelm.
idnsSOAserial: 2011110501
idnsSOAretry: 900
idnsSOAminimum: 3600
idnsUpdatePolicy: grant TESTRELM krb5-self * A; grant TESTRELM krb5-self * AAAA;
idnsSOArefresh: 3600
objectClass: top
objectClass: idnsrecord
objectClass: idnszone
idnsName: testrelm
idnsAllowDynUpdate: TRUE
idnsSOArName: root.dell-pe830-02.testrelm.
idnsSOAmName: dell-pe830-02.testrelm.

# dell-pe830-02, testrelm, dns, testrelm
dn: idnsname=dell-pe830-02,idnsname=testrelm,cn=dns,dc=testrelm
objectClass: top
objectClass: idnsrecord
aRecord: 10.16.64.34
aRecord: 10.16.67.10
idnsName: dell-pe830-02

# 64.16.10.in-addr.arpa., dns, testrelm
dn: idnsname=64.16.10.in-addr.arpa.,cn=dns,dc=testrelm
idnsZoneActive: TRUE
idnsSOAexpire: 1209600
nSRecord: dell-pe830-02.testrelm.
idnsSOAserial: 2011110501
idnsSOAretry: 900
idnsSOAminimum: 3600
idnsUpdatePolicy: grant TESTRELM krb5-subdomain 64.16.10.in-addr.arpa.. PTR;
idnsSOArefresh: 3600
objectClass: top
objectClass: idnsrecord
objectClass: idnszone
idnsName: 64.16.10.in-addr.arpa.
idnsAllowDynUpdate: TRUE
idnsSOArName: root.64.16.10.in-addr.arpa.
idnsSOAmName: dell-pe830-02.testrelm.

# _ldap._tcp, testrelm, dns, testrelm
dn: idnsname=_ldap._tcp,idnsname=testrelm,cn=dns,dc=testrelm
objectClass: top
objectClass: idnsrecord
sRVRecord: 0 100 389 dell-pe830-02
idnsName: _ldap._tcp

# _kerberos, testrelm, dns, testrelm
dn: idnsname=_kerberos,idnsname=testrelm,cn=dns,dc=testrelm
objectClass: top
objectClass: idnsrecord
tXTRecord: TESTRELM
idnsName: _kerberos

# _kerberos._tcp, testrelm, dns, testrelm
dn: idnsname=_kerberos._tcp,idnsname=testrelm,cn=dns,dc=testrelm
objectClass: top
objectClass: idnsrecord
sRVRecord: 0 100 88 dell-pe830-02
idnsName: _kerberos._tcp

# _kerberos._udp, testrelm, dns, testrelm
dn: idnsname=_kerberos._udp,idnsname=testrelm,cn=dns,dc=testrelm
objectClass: top
objectClass: idnsrecord
sRVRecord: 0 100 88 dell-pe830-02
idnsName: _kerberos._udp

# _kerberos-master._tcp, testrelm, dns, testrelm
dn: idnsname=_kerberos-master._tcp,idnsname=testrelm,cn=dns,dc=testrelm
objectClass: top
objectClass: idnsrecord
sRVRecord: 0 100 88 dell-pe830-02
idnsName: _kerberos-master._tcp

# _kerberos-master._udp, testrelm, dns, testrelm
dn: idnsname=_kerberos-master._udp,idnsname=testrelm,cn=dns,dc=testrelm
objectClass: top
objectClass: idnsrecord
sRVRecord: 0 100 88 dell-pe830-02
idnsName: _kerberos-master._udp

# _kpasswd._tcp, testrelm, dns, testrelm
dn: idnsname=_kpasswd._tcp,idnsname=testrelm,cn=dns,dc=testrelm
objectClass: top
objectClass: idnsrecord
sRVRecord: 0 100 464 dell-pe830-02
idnsName: _kpasswd._tcp

# _kpasswd._udp, testrelm, dns, testrelm
dn: idnsname=_kpasswd._udp,idnsname=testrelm,cn=dns,dc=testrelm
objectClass: top
objectClass: idnsrecord
sRVRecord: 0 100 464 dell-pe830-02
idnsName: _kpasswd._udp

# _ntp._udp, testrelm, dns, testrelm
dn: idnsname=_ntp._udp,idnsname=testrelm,cn=dns,dc=testrelm
objectClass: top
objectClass: idnsrecord
sRVRecord: 0 100 123 dell-pe830-02
idnsName: _ntp._udp

# 34, 64.16.10.in-addr.arpa., dns, testrelm
dn: idnsname=34,idnsname=64.16.10.in-addr.arpa.,cn=dns,dc=testrelm
objectClass: top
objectClass: idnsrecord
pTRRecord: dell-pe830-02.testrelm.
idnsName: 34

# amd-tilapia-01, testrelm, dns, testrelm
dn: idnsname=amd-tilapia-01,idnsname=testrelm,cn=dns,dc=testrelm
objectClass: top
objectClass: idnsrecord
aRecord: 10.16.67.10
idnsName: amd-tilapia-01

# 67.16.10.in-addr.arpa., dns, testrelm
dn: idnsname=67.16.10.in-addr.arpa.,cn=dns,dc=testrelm
idnsZoneActive: TRUE
idnsSOAexpire: 1209600
nSRecord: dell-pe830-02.testrelm.
idnsSOAserial: 2011110501
idnsSOAretry: 900
idnsSOAminimum: 3600
idnsUpdatePolicy: grant TESTRELM krb5-subdomain 67.16.10.in-addr.arpa.. PTR;
idnsSOArefresh: 3600
objectClass: top
objectClass: idnsrecord
objectClass: idnszone
idnsName: 67.16.10.in-addr.arpa.
idnsAllowDynUpdate: TRUE
idnsSOArName: root.67.16.10.in-addr.arpa.
idnsSOAmName: dell-pe830-02.testrelm.

# 10, 67.16.10.in-addr.arpa., dns, testrelm
dn: idnsname=10,idnsname=67.16.10.in-addr.arpa.,cn=dns,dc=testrelm
objectClass: top
objectClass: idnsrecord
pTRRecord: amd-tilapia-01.testrelm.
idnsName: 10

The IPA replica package is created with the correct replica IP address:

"ipa-replica-prepare -p MySecret --ip-address=10.16.67.10
amd-tilapia-01.testrelm"

Version-Release number of selected component (if applicable):
ipa-server-2.0.0-23.el6.x86_64

How reproducible:
always, if the replica IP address requires a different reverse zone than the master

Steps to Reproduce:
1.
2.
3.

Actual results:
install fails

Expected results:
correct DNS entries are set up when creating the replica package, so that the replica
installation succeeds

Additional info:


The root cause of the problem is that the master machine name server wasn't restarted after the ipa-replica-prepare. The ipa-replica-prepare script created a new DNS reverse zone and there is a known issue with Bind name server that it has to be reloaded to recognize a new zone.

Since the new zone is not recognized by the master machine name server, it sends the DNS request to its forwarder which provides an invalid PTR record.

Closing this ticket as a duplicate of #826, which deals with this issue.

Restarting the name server did not resolve the installation problem.

The problem appears to be that when a new zone is added a forward entry is created. If you create a reverse zone then the entry for the name server gets an aRecord for the IP address that caused the reverse zone to be created.

It seems there are 2 relevant issues. Rob's issue is fixed there:

master: 17c3f9e
ipa-2-0: 1df0ca7

The one I described is still valid, tracked in #826.
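The two failure modes discussed above (the master's bind answering PTR queries from its forwarder until the new reverse zone is loaded, and the replica IP showing up as a second aRecord on the name server's own entry) can be reproduced offline with a small preflight model. This is an added illustration built on constructed data taken from the ticket's LDIF dump; it is not FreeIPA's installer code, and `resolve_ptr`, `check_forward_reverse` and `shared_a_records` are hypothetical names.

```python
import ipaddress

# Constructed sample data modelled on the ticket's LDIF dump; this is an added
# illustration, not FreeIPA's own installer code.
FORWARD = {                                   # A records in zone testrelm.
    "dell-pe830-02.testrelm.": ["10.16.64.34", "10.16.67.10"],  # NS host; 2nd A is the stray one
    "amd-tilapia-01.testrelm.": ["10.16.67.10"],               # the replica
}
LOCAL_REVERSE_ZONES = {                       # PTR records held in IPA's LDAP, by zone
    "64.16.10.in-addr.arpa.": {"34.64.16.10.in-addr.arpa.": "dell-pe830-02.testrelm."},
    "67.16.10.in-addr.arpa.": {"10.67.16.10.in-addr.arpa.": "amd-tilapia-01.testrelm."},
}
FORWARDER_PTRS = {                            # what the upstream forwarder answers
    "10.67.16.10.in-addr.arpa.": "amd-tilapia-01.rhts.eng.bos.redhat.com.",
}

def ptr_name(ip):
    """10.16.67.10 -> 10.67.16.10.in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer + "."

def resolve_ptr(name, loaded_zones):
    """Mimic the master's bind: a local zone answers only once bind has loaded it;
    anything else is handed to the forwarder, as the ticket describes."""
    for zone, records in LOCAL_REVERSE_ZONES.items():
        if zone in loaded_zones and name.endswith("." + zone):
            return records.get(name)
    return FORWARDER_PTRS.get(name)

def check_forward_reverse(host, loaded_zones):
    """Preflight version of the installer's check: every A of host must PTR back to host.
    Returns the list of mismatches (empty means the install would pass this check)."""
    problems = []
    for ip in FORWARD.get(host, []):
        back = resolve_ptr(ptr_name(ip), loaded_zones)
        if back != host:
            problems.append(f"The DNS forward record {host} does not match "
                            f"the reverse address {back or 'NXDOMAIN'} (for {ip})")
    return problems

def shared_a_records(forward=FORWARD):
    """Find IPs that appear in A records of more than one host, e.g. the replica IP
    that ended up on the NS host entry in the ticket's dump."""
    owners = {}
    for host, ips in forward.items():
        for ip in ips:
            owners.setdefault(ip, []).append(host)
    return {ip: hosts for ip, hosts in owners.items() if len(hosts) > 1}

if __name__ == "__main__":
    print(check_forward_reverse("amd-tilapia-01.testrelm.", {"64.16.10.in-addr.arpa."}))
    print(check_forward_reverse("amd-tilapia-01.testrelm.", set(LOCAL_REVERSE_ZONES)))
    print(shared_a_records())
```

Running it with only the old reverse zone loaded reproduces the ticket's error text; loading the new zone clears it, while `shared_a_records` still flags the stray A record on the NS entry.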

Metadata Update from @dpal:
- Issue assigned to mkosek
- Issue set to the milestone: FreeIPA 2.1 - 2011/05

5 years ago
