#7397 ipa host-add --ip-address... returns Internal error when forward-policy=none is defined
Closed: fixed 6 years ago Opened 6 years ago by frenaud.

Request for enhancement

As admin, I want to create a host entry with an IP address on my IPA server configured with no reverse zone and forwarder disabled.

Issue

ipa host-add --ip-address fails with an internal error and a Traceback is seen in /var/log/httpd/error_log

Steps to Reproduce

  1. configure ipa server with --setup-dns --forwarder $FWD_ADDRESS --no-reverse
  2. obtain a TGT for admin: kinit admin
  3. change the forward policy to disabled with ipa dnsserver-mod $MASTER --forward-policy none
  4. try to add a new host with ipa host-add testhost.ipadomain.com --ip-address 172.16.30.22

Actual behavior

$ ipa host-add testhost.ipadomain.com --ip-address 172.16.30.22
ipa: ERROR: an internal error has occurred

The error log for httpd shows the following:

[...] ipa: DEBUG: raw: host_add('testhost.ipadomain.com', ip_address='172.16.30.22', version='2.229')
[...] ipa: DEBUG: host_add('testhost.ipadomain.com', random=False, force=False, no_reverse=False, ip_address='172.16.30.22', all=False, raw=False, version='2.229', no_members=False)
[...] ipa: DEBUG: raw: dnszone_show(<DNS name ipadomain.com.>, version='2.229')
[...] ipa: DEBUG: dnszone_show(<DNS name ipadomain.com.>, rights=False, all=False, raw=False, version='2.229')
[...] ipa: DEBUG: raw: dnsrecord_find(<DNS name ipadomain.com.>, None, arecord='172.16.30.22', version='2.229')
[...] ipa: DEBUG: dnsrecord_find(<DNS name ipadomain.com.>, None, arecord=('172.16.30.22',), structured=False, all=False, raw=False, version='2.229', pkey_only=False)
[...] ipa: ERROR: non-public: NoNameservers: All nameservers failed to answer the query 22.30.16.172.in-addr.arpa. IN SOA: Server 127.0.0.1 UDP port 53 answered The DNS operation timed out.; Server 127.0.0.1 UDP port 53 answered The DNS operation timed out.; Server 127.0.0.1 UDP port 53 answered The DNS operation timed out.; Server 127.0.0.1 UDP port 53 answered The DNS operation timed out.; Server 127.0.0.1 UDP port 53 answered SERVFAIL
[...] Traceback (most recent call last):
[...]   File "/usr/lib/python3.6/site-packages/ipaserver/rpcserver.py", line 367, in wsgi_execute
[...]     result = command(*args, **options)
[...]   File "/usr/lib/python3.6/site-packages/ipalib/frontend.py", line 450, in __call__
[...]     return self.__do_call(*args, **options)
[...]   File "/usr/lib/python3.6/site-packages/ipalib/frontend.py", line 478, in __do_call
[...]     ret = self.run(*args, **options)
[...]   File "/usr/lib/python3.6/site-packages/ipalib/frontend.py", line 800, in run
[...]     return self.execute(*args, **options)
[...]   File "/usr/lib/python3.6/site-packages/ipaserver/plugins/baseldap.py", line 1187, in execute
[...]     *keys, **options)
[...]   File "/usr/lib/python3.6/site-packages/ipaserver/plugins/host.py", line 666, in pre_callback
[...]     check_reverse=check_reverse)
[...]   File "/usr/lib/python3.6/site-packages/ipaserver/plugins/dns.py", line 587, in add_records_for_host_validation
[...]     revzone, revname = get_reverse_zone(ip)
[...]   File "/usr/lib/python3.6/site-packages/ipaserver/plugins/dns.py", line 542, in get_reverse_zone
[...]     revzone = DNSName(dns.resolver.zone_for_name(revdns))
[...]   File "/usr/lib/python3.6/site-packages/dns/resolver.py", line 1156, in zone_for_name
[...]     answer = resolver.query(name, dns.rdatatype.SOA, rdclass, tcp)
[...]   File "/usr/lib/python3.6/site-packages/dns/resolver.py", line 947, in query
[...]     raise NoNameservers(request=request, errors=errors)
[...] dns.resolver.NoNameservers: All nameservers failed to answer the query 22.30.16.172.in-addr.arpa. IN SOA: Server 127.0.0.1 UDP port 53 answered The DNS operation timed out.; Server 127.0.0.1 UDP port 53 answered The DNS operation timed out.; Server 127.0.0.1 UDP port 53 answered The DNS operation timed out.; Server 127.0.0.1 UDP port 53 answered The DNS operation timed out.; Server 127.0.0.1 UDP port 53 answered SERVFAIL
[...]
[...] ipa: INFO: [jsonserver_session] admin@IPADOMAIN.COM: host_add/1('testhost.ipadomain.com', ip_address='172.16.30.22', version='2.229'): InternalError

Expected behavior

ipa host-add should create the host entry but display a warning stating that the reverse address could not be created because the IPA server does not manage reverse zones, and a warning that no name server for the reverse zone could be found.

Version/Release/Distribution

$ rpm -q freeipa-server freeipa-client ipa-server ipa-client 389-ds-base pki-ca krb5-server
freeipa-server-4.6.90.dev201802081017+git8821f7ae8-0.fc26.x86_64
freeipa-client-4.6.90.dev201802081017+git8821f7ae8-0.fc26.x86_64
package ipa-server is not installed
package ipa-client is not installed
389-ds-base-1.3.7.8-1.fc26.x86_64
pki-ca-10.5.1-2.fc26.noarch
krb5-server-1.15.1-28.fc26.x86_64

Additional info

When the command is called with --no-reverse it succeeds.
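
A sketch of the expected behaviour described in this ticket, added here as an example; it is not FreeIPA's code and not the fix that was committed. The names `ResolverFailure`, `find_reverse_zone`, `add_host` and `failing_lookup` are hypothetical, and `ResolverFailure` stands in for the `dns.resolver.NoNameservers` exception seen in the traceback so that the block runs offline with the standard library only.

```python
import ipaddress


class ResolverFailure(Exception):
    """Hypothetical stand-in for dns.resolver.NoNameservers or a timeout."""


def reverse_name(ip):
    """Build the reverse DNS name, e.g. 22.30.16.172.in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def find_reverse_zone(ip, managed_zones, soa_lookup):
    """Return (zone, warnings); zone is None when no managed zone covers ip.

    managed_zones: reverse zones hosted by this server (constructed input).
    soa_lookup: callable(name) -> zone name; may raise ResolverFailure.
    """
    name = reverse_name(ip)
    warnings = []
    try:
        zone = soa_lookup(name)
    except ResolverFailure as exc:
        # Failure mode from the traceback: the resolver error must not
        # escape as an internal error, so degrade to "no reverse zone".
        warnings.append("No name server answered for %s: %s" % (name, exc))
        zone = None
    if zone is not None and zone not in managed_zones:
        zone = None
    if zone is None:
        warnings.append(
            "Reverse record for %s not created: no managed reverse zone" % ip)
    return zone, warnings


def add_host(fqdn, ip, managed_zones, soa_lookup, no_reverse=False):
    """Create the host entry; the reverse (PTR) record is best effort."""
    result = {"host": fqdn, "a_record": ip, "ptr_zone": None, "warnings": []}
    if not no_reverse:
        zone, warns = find_reverse_zone(ip, managed_zones, soa_lookup)
        result["ptr_zone"] = zone
        result["warnings"] = warns
    return result


def failing_lookup(name):
    # Constructed: mimics forward-policy none with no reverse zone configured.
    raise ResolverFailure("SERVFAIL")
```
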


Metadata Update from @frenaud:
- Issue assigned to frenaud

6 years ago

The issue was discovered when writing tests for issue #7374

Metadata Update from @frenaud:
- Custom field on_review adjusted to https://github.com/freeipa/freeipa/pull/1551

6 years ago

Metadata Update from @frenaud:
- Issue set to the milestone: FreeIPA 4.6.4

6 years ago

master:

  • 7364c26 ipa host-add --ip-address: properly handle NoNameservers

ipa-4-6:

  • 023fe42 ipa host-add --ip-address: properly handle NoNameservers

Metadata Update from @frenaud:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

6 years ago

master:

  • 6fe8620 azure: bump F32->F34
  • a8fd65b freeipa.spec: do not use jsl for linting on Fedora 34+
  • be2f659 azure: Collect systemd boot log
  • 09a4918 azure: Enforce multi-user.target as default systemd's target
  • 1c82895 azure: Wait for systemd booted
  • 7ed21f1 azure: Remove no longer needed repo
  • 06d7c7f azure: Mask systemd-resolved
  • 1aff24e ipatests: Update expectations for test_detect_container
  • 9148ca2 azure: Add workaround for PhantomJS against OpenSSL 1.1.1
  • b5fdba7 azure: Warn about memory issues
  • 07c423a BIND: Setup logging
  • 65700bf ipatests: Setup and collect BIND logs
  • fc0c6b4 azure: Run Base and XMLRPC tests is isolated network
  • cc72a98 ipatests: Handle network-isolated mode
  • 4709aef dnsutil: Improvements for IPA DNS Resolver
  • 269c61a dns: get_reverse_zone: Ignore resolver's timeout
  • 3889d86 pytest: Show extra summary information for all except passed tests
  • afef09c ipatests: Ignore warnings on failed to read files on tarring
  • 4a4c078 ipatests: Suppress list trust or certificates
  • 611b49e azure: Collect installed packages
  • 26ee44b ipatests: dnssec: Add alternative approach for checking chain of trust
  • a893852 azure: Warn about extra and missing gating tests compared to PR-CI
  • 0155357 azure: Re-balance tests envs
  • 6c2db32 azure: coredump: Wait for systemd fully booted
  • 10461b7 azure: Make it possible to adjust Docker resources per test env

ipa-4-9:

  • b9fd47a azure: bump F32->F34
  • 18563bc freeipa.spec: do not use jsl for linting on Fedora 34+
  • c711292 azure: Collect systemd boot log
  • c26907b azure: Enforce multi-user.target as default systemd's target
  • eb0a5db azure: Wait for systemd booted
  • e243b95 azure: Remove no longer needed repo
  • 4d53d9f azure: Mask systemd-resolved
  • c90a363 ipatests: Update expectations for test_detect_container
  • aa0c8c8 azure: Add workaround for PhantomJS against OpenSSL 1.1.1
  • 6164bfb azure: Warn about memory issues
  • 0932c92 BIND: Setup logging
  • 64c0f90 ipatests: Setup and collect BIND logs
  • 5501fda azure: Run Base and XMLRPC tests is isolated network
  • a192c21 ipatests: Handle network-isolated mode
  • b487629 dnsutil: Improvements for IPA DNS Resolver
  • 9e15311 dns: get_reverse_zone: Ignore resolver's timeout
  • 645f90a pytest: Show extra summary information for all except passed tests
  • 535131d ipatests: Ignore warnings on failed to read files on tarring
  • c92f100 ipatests: Suppress list trust or certificates
  • 3049b95 azure: Collect installed packages
  • 3ada2d9 ipatests: dnssec: Add alternative approach for checking chain of trust
  • 0dd0631 azure: Warn about extra and missing gating tests compared to PR-CI
  • d4d2794 azure: Re-balance tests envs
  • 692f42d azure: coredump: Wait for systemd fully booted
  • 391ca8b azure: Make it possible to adjust Docker resources per test env

ipa-4-8:

  • c02544c azure: bump F32->F34
  • 7802e14 freeipa.spec: do not use jsl for linting on Fedora 34+
  • 7433be9 azure: Collect systemd boot log
  • 523a9f8 azure: Enforce multi-user.target as default systemd's target
  • 677df14 azure: Wait for systemd booted
  • 04c90fb azure: Remove no longer needed repo
  • 8fea2f6 azure: Mask systemd-resolved
  • 976a3bf ipatests: Update expectations for test_detect_container
  • e573163 azure: Add workaround for PhantomJS against OpenSSL 1.1.1
  • 0123795 azure: Warn about memory issues
  • 835df31 BIND: Setup logging
  • 2a9dea8 ipatests: Setup and collect BIND logs
  • e23f976 azure: Run Base and XMLRPC tests is isolated network
  • 34e1f6a ipatests: Handle network-isolated mode
  • c8e5867 dnsutil: Improvements for IPA DNS Resolver
  • fe0b5ff dns: get_reverse_zone: Ignore resolver's timeout
  • d40306b pytest: Show extra summary information for all except passed tests
  • ff70aac ipatests: Ignore warnings on failed to read files on tarring
  • cb3b396 ipatests: Suppress list trust or certificates
  • 21a5201 azure: Collect installed packages
  • c65c7eb ipatests: dnssec: Add alternative approach for checking chain of trust
  • 6710ff4 azure: Warn about extra and missing gating tests compared to PR-CI
  • a5730f5 azure: Re-balance tests envs
  • e66eb48 azure: coredump: Wait for systemd fully booted
  • 6561fc6 ipatests: re-add test_dnssec.py::TestInstallDNSSECFirst in gating
  • 8bf9538 azure: Make it possible to adjust Docker resources per test env
  • 2a7f21a ipa-kdb: fix gcc complaints in kdb tests
  • e94261f Set client keytab location for 389ds
  • ba6eb85 dnssec: fix the key type with OpenDNSSEC 2.1
  • 7daf47c ipatests: add a test for ZSK/KSK keytype in DNSKEY record
  • b8242e6 handle Y2038 in timestamp to datetime conversions
  • 5bfe16a OpenDNSSEC: fix timezone in key creation date
  • 56746ec freeipa.spec: bump the required version of 389ds
  • 2b8ccc8 freeipa.spec: synchronize with Fedora for 389-ds and PKI versions
  • a868604 ipatests: collect config files for NetworkManager and systemd-resolved
  • bc9ca47 ipatests: add utility for managing domain name resolvers
  • cdc78af ipatests: setup resolvers during replica and client installations
  • 549ef48 ipatests: do not manually modify /etc/resolv.conf in tests
  • 324ba20 ipatests: disable systemd-resolved cache
  • 9a28022 ipatests: mock resolver factory
  • 63a3cff ipatests: always try to create A records for hosts in IPA domain
  • d9744e7 ipatests: do not configure nameserver when installing client and replica
  • 47e9df1 ipatests: fix TestInstalDNSSECFirst::test_resolvconf logic
  • bca86ce pr-ci: Run tests on F34
  • 0b8517d Revert "ipatests: configure client to use IPA server as DNS resolver"
  • d43d9ca ipatests: Fetch sudo rules without time offset
