#7472 ipa: ERROR: Could not get SOA serial interactively
Closed: fixed 5 years ago Opened 6 years ago by fbarreto.

Issue

Test test_backup_and_restore.py::TestBackupAndRestoreWithDNSSEC::test_full_backup_and_restore_with_DNSSEC_zone is failing with error message:

[ipatests.pytest_plugins.integration.host.Host.master.ParamikoTransport] RUN ['ipa', 'dnszone-add', 'example2.test.', '--dnssec', 'true']
[ipatests.pytest_plugins.integration.host.Host.master.cmd30] RUN ['ipa', 'dnszone-add', 'example2.test.', '--dnssec', 'true']
[ipatests.pytest_plugins.integration.host.Host.master.cmd30] SOA serial: 
[ipatests.pytest_plugins.integration.host.Host.master.cmd30] ipa: ERROR: Could not get SOA serial interactively


Full log: https://fedorapeople.org/groups/freeipa/prci/jobs/e50452a0-315d-11e8-b502-fa163eb66c23/report.html

Steps to Reproduce

  1. Run ipa dnszone-add example2.test. --dnssec true

Version/Release/Distribution

Git master (last commit: 64438f8)


Just to be clear, I think that the error is not related to DNSSEC itself, because it also happens in TestBackupAndRestoreWithDNS, as you can see in nightly PRs:

https://fedorapeople.org/groups/freeipa/prci/jobs/587ea8e2-3f8d-11e8-af2a-fa163ea1eaf0/report.html
https://fedorapeople.org/groups/freeipa/prci/jobs/52ccf0a2-3f8d-11e8-9ca4-fa163e016cdd/report.html

It is coming from a client side processing of an option that is not marked as optional:

        Int('idnssoaserial',
            cli_name='serial',
            label=_('SOA serial'),
            doc=_('SOA record serial number'),
            minvalue=1,
            maxvalue=4294967295,
            default_from=_create_zone_serial,
            autofill=True,
        ),

Note that Int('idnssoaserial') does not have any optional sign, so it must always be provided by the client. We would set the SOA serial on the server side, but the client side is not allowing us to submit anything without getting a value from a prompt.

I think a possible fix would be to add '?' to the Int('idnssoaserial?') definition, making SOA serial an optional parameter.
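
A simplified model of the client-side behaviour described in the comment above, added here as an illustration; it is not FreeIPA's code and not part of the original comment. The helpers parse_spec and collect are hypothetical, and falling through to a prompt when no default is available is an assumption of the model.

```python
import io

# Simplified model (assumption) of the trailing-character convention in a
# parameter spec: a bare name is required, a trailing '?' makes it optional.
SUFFIXES = {
    "?": dict(required=False, multivalue=False),
    "*": dict(required=False, multivalue=True),
    "+": dict(required=True, multivalue=True),
}


class PromptFailed(Exception):
    """Raised when a required value cannot be read from the terminal."""


def parse_spec(spec):
    """Split 'name?' into ('name', flags); a bare name is required."""
    if spec and spec[-1] in SUFFIXES:
        return spec[:-1], dict(SUFFIXES[spec[-1]])
    return spec, dict(required=True, multivalue=False)


def collect(spec, label, supplied, default=None, stdin=None):
    """Return the key/value pairs the client would submit for one parameter."""
    name, flags = parse_spec(spec)
    if name in supplied:
        return {name: supplied[name]}
    if default is not None:            # autofill: a computed default is used silently
        return {name: default}
    if not flags["required"]:
        return {}                      # nothing sent; the server fills the value in
    stream = stdin if stdin is not None else io.StringIO("")
    line = stream.readline()
    if not line:                       # EOF: no terminal attached, as in a test run
        raise PromptFailed(f"Could not get {label} interactively")
    return {name: int(line)}


def demo():
    """Run the required, optional and prompted cases with constructed input."""
    results = {}
    try:
        collect("idnssoaserial", "SOA serial", supplied={})
    except PromptFailed as exc:
        results["required"] = str(exc)
    results["optional"] = collect("idnssoaserial?", "SOA serial", supplied={})
    results["prompted"] = collect("idnssoaserial", "SOA serial", {},
                                  stdin=io.StringIO("42\n"))
    return results
```
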

Metadata Update from @fbarreto:
- Issue priority set to: important
- Issue set to the milestone: FreeIPA 4.6.4

6 years ago

After some investigation, I figured out that the problem is not related to the dnszone-add command itself, but to backup and restore.

The problem described above does not happen on a brand new installation, but after an uninstall and an ipa-restore.

The commit 342b0695518ff5d3bae9d0ff914d94c6f06d836b on PR 1844 fixes this problem. The absence of GSSPROXY_CONF from ipa-backup (and restore) makes ipa dnszone-add behave badly and in some cases even raise the error ERROR: No valid Negotiate header in server response.

As can be seen in this PR on my freeipa fork, the tests are green using the patch of PR 1844.

Metadata Update from @fbarreto:
- Issue assigned to fbarreto

6 years ago

master:

  • 9d83821 Adding GSSPROXY_CONF to be backed up on ipa-backup
  • 415578a Fixing TestBackupAndRestore::test_full_backup_and_restore_with_removed_users

ipa-4-6:

  • 2cd8398 Adding GSSPROXY_CONF to be backed up on ipa-backup
  • 9b217ef Fixing TestBackupAndRestore::test_full_backup_and_restore_with_removed_users

Metadata Update from @fbarreto:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

5 years ago
