Description of problem:
:: [16:04:51] :: EXECUTING: ipa-replica-install -U --setup-dns --forwarder=10.14.63.12 -p Secret123 /dev/shm/replica-info-amd-tilapia-01.testrelm.gpg
root : ERROR The DNS forward record amd-tilapia-01.testrelm. does not match the reverse address amd-tilapia-01.rhts.eng.bos.redhat.com.
:: [ FAIL ] :: Replica installation (Expected 0, got 1)

ipa-replicainstall.log

2011-05-11 16:04:51,720 DEBUG /usr/sbin/ipa-replica-install was invoked with argument "/dev/shm/replica-info-amd-tilapia-01.testrelm.gpg" and options: {'no_forwarders': False, 'no_host_dns': False, 'no_reverse': False, 'setup_dns': True, 'forwarders': ['10.14.63.12'], 'debug': False, 'conf_ntp': True, 'unattended': True}
2011-05-11 16:04:51,721 DEBUG Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
2011-05-11 16:04:51,721 DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2011-05-11 16:04:51,882 DEBUG args=/usr/bin/gpg --batch --homedir /tmp/tmpQUBNmaipa/ipa-Jqwjqy/.gnupg --passphrase-fd 0 --yes --no-tty -o /tmp/tmpQUBNmaipa/files.tar -d /dev/shm/replica-info-amd-tilapia-01.testrelm.gpg
2011-05-11 16:04:51,882 DEBUG stdout=
2011-05-11 16:04:51,883 DEBUG stderr=gpg: WARNING: unsafe permissions on homedir `/tmp/tmpQUBNmaipa/ipa-Jqwjqy/.gnupg'
gpg: keyring `/tmp/tmpQUBNmaipa/ipa-Jqwjqy/.gnupg/secring.gpg' created
gpg: keyring `/tmp/tmpQUBNmaipa/ipa-Jqwjqy/.gnupg/pubring.gpg' created
gpg: 3DES encrypted data
gpg: encrypted with 1 passphrase
gpg: WARNING: message was not integrity protected
2011-05-11 16:04:51,908 DEBUG args=tar xf /tmp/tmpQUBNmaipa/files.tar -C /tmp/tmpQUBNmaipa
2011-05-11 16:04:51,909 DEBUG stdout=
2011-05-11 16:04:51,909 DEBUG stderr=
2011-05-11 16:04:51,916 ERROR The DNS forward record amd-tilapia-01.testrelm. does not match the reverse address amd-tilapia-01.rhts.eng.bos.redhat.com.

Master install with integrated DNS.
Master IP address: 10.16.64.34

Replica install with integrated DNS.
Replica IP address: 10.16.67.10

DNS entries in IPA/DS:

# dns, testrelm
dn: cn=dns,dc=testrelm
objectClass: nsContainer
objectClass: top
cn: dns

# testrelm, dns, testrelm
dn: idnsname=testrelm,cn=dns,dc=testrelm
idnsZoneActive: TRUE
idnsSOAexpire: 1209600
nSRecord: dell-pe830-02.testrelm.
idnsSOAserial: 2011110501
idnsSOAretry: 900
idnsSOAminimum: 3600
idnsUpdatePolicy: grant TESTRELM krb5-self * A; grant TESTRELM krb5-self * AAA
 A;
idnsSOArefresh: 3600
objectClass: top
objectClass: idnsrecord
objectClass: idnszone
idnsName: testrelm
idnsAllowDynUpdate: TRUE
idnsSOArName: root.dell-pe830-02.testrelm.
idnsSOAmName: dell-pe830-02.testrelm.

# dell-pe830-02, testrelm, dns, testrelm
dn: idnsname=dell-pe830-02,idnsname=testrelm,cn=dns,dc=testrelm
objectClass: top
objectClass: idnsrecord
aRecord: 10.16.64.34
aRecord: 10.16.67.10
idnsName: dell-pe830-02

# 64.16.10.in-addr.arpa., dns, testrelm
dn: idnsname=64.16.10.in-addr.arpa.,cn=dns,dc=testrelm
idnsZoneActive: TRUE
idnsSOAexpire: 1209600
nSRecord: dell-pe830-02.testrelm.
idnsSOAserial: 2011110501
idnsSOAretry: 900
idnsSOAminimum: 3600
idnsUpdatePolicy: grant TESTRELM krb5-subdomain 64.16.10.in-addr.arpa.. PTR;
idnsSOArefresh: 3600
objectClass: top
objectClass: idnsrecord
objectClass: idnszone
idnsName: 64.16.10.in-addr.arpa.
idnsAllowDynUpdate: TRUE
idnsSOArName: root.64.16.10.in-addr.arpa.
idnsSOAmName: dell-pe830-02.testrelm.

# _ldap._tcp, testrelm, dns, testrelm
dn: idnsname=_ldap._tcp,idnsname=testrelm,cn=dns,dc=testrelm
objectClass: top
objectClass: idnsrecord
sRVRecord: 0 100 389 dell-pe830-02
idnsName: _ldap._tcp

# _kerberos, testrelm, dns, testrelm
dn: idnsname=_kerberos,idnsname=testrelm,cn=dns,dc=testrelm
objectClass: top
objectClass: idnsrecord
tXTRecord: TESTRELM
idnsName: _kerberos

# _kerberos._tcp, testrelm, dns, testrelm
dn: idnsname=_kerberos._tcp,idnsname=testrelm,cn=dns,dc=testrelm
objectClass: top
objectClass: idnsrecord
sRVRecord: 0 100 88 dell-pe830-02
idnsName: _kerberos._tcp

# _kerberos._udp, testrelm, dns, testrelm
dn: idnsname=_kerberos._udp,idnsname=testrelm,cn=dns,dc=testrelm
objectClass: top
objectClass: idnsrecord
sRVRecord: 0 100 88 dell-pe830-02
idnsName: _kerberos._udp

# _kerberos-master._tcp, testrelm, dns, testrelm
dn: idnsname=_kerberos-master._tcp,idnsname=testrelm,cn=dns,dc=testrelm
objectClass: top
objectClass: idnsrecord
sRVRecord: 0 100 88 dell-pe830-02
idnsName: _kerberos-master._tcp

# _kerberos-master._udp, testrelm, dns, testrelm
dn: idnsname=_kerberos-master._udp,idnsname=testrelm,cn=dns,dc=testrelm
objectClass: top
objectClass: idnsrecord
sRVRecord: 0 100 88 dell-pe830-02
idnsName: _kerberos-master._udp

# _kpasswd._tcp, testrelm, dns, testrelm
dn: idnsname=_kpasswd._tcp,idnsname=testrelm,cn=dns,dc=testrelm
objectClass: top
objectClass: idnsrecord
sRVRecord: 0 100 464 dell-pe830-02
idnsName: _kpasswd._tcp

# _kpasswd._udp, testrelm, dns, testrelm
dn: idnsname=_kpasswd._udp,idnsname=testrelm,cn=dns,dc=testrelm
objectClass: top
objectClass: idnsrecord
sRVRecord: 0 100 464 dell-pe830-02
idnsName: _kpasswd._udp

# _ntp._udp, testrelm, dns, testrelm
dn: idnsname=_ntp._udp,idnsname=testrelm,cn=dns,dc=testrelm
objectClass: top
objectClass: idnsrecord
sRVRecord: 0 100 123 dell-pe830-02
idnsName: _ntp._udp

# 34, 64.16.10.in-addr.arpa., dns, testrelm
dn: idnsname=34,idnsname=64.16.10.in-addr.arpa.,cn=dns,dc=testrelm
objectClass: top
objectClass: idnsrecord
pTRRecord: dell-pe830-02.testrelm.
idnsName: 34

# amd-tilapia-01, testrelm, dns, testrelm
dn: idnsname=amd-tilapia-01,idnsname=testrelm,cn=dns,dc=testrelm
objectClass: top
objectClass: idnsrecord
aRecord: 10.16.67.10
idnsName: amd-tilapia-01

# 67.16.10.in-addr.arpa., dns, testrelm
dn: idnsname=67.16.10.in-addr.arpa.,cn=dns,dc=testrelm
idnsZoneActive: TRUE
idnsSOAexpire: 1209600
nSRecord: dell-pe830-02.testrelm.
idnsSOAserial: 2011110501
idnsSOAretry: 900
idnsSOAminimum: 3600
idnsUpdatePolicy: grant TESTRELM krb5-subdomain 67.16.10.in-addr.arpa.. PTR;
idnsSOArefresh: 3600
objectClass: top
objectClass: idnsrecord
objectClass: idnszone
idnsName: 67.16.10.in-addr.arpa.
idnsAllowDynUpdate: TRUE
idnsSOArName: root.67.16.10.in-addr.arpa.
idnsSOAmName: dell-pe830-02.testrelm.

# 10, 67.16.10.in-addr.arpa., dns, testrelm
dn: idnsname=10,idnsname=67.16.10.in-addr.arpa.,cn=dns,dc=testrelm
objectClass: top
objectClass: idnsrecord
pTRRecord: amd-tilapia-01.testrelm.
idnsName: 10

IPA replica package is created with the correct slave IP address:
"ipa-replica-prepare -p MySecret --ip-address=10.16.67.10 amd-tilapia-01.testrelm"
Version-Release number of selected component (if applicable): ipa-server-2.0.0-23.el6.x86_64
How reproducible: always, if the IP address would require different reverse zones
Steps to Reproduce: 1. 2. 3.
Actual results: install fails
Expected results: correct DNS entries are set up when creating the replica package, so that replica installation succeeds
Additional info:
https://bugzilla.redhat.com/show_bug.cgi?id=704012
The root cause of the problem is that the master machine's name server wasn't restarted after the ipa-replica-prepare. The ipa-replica-prepare script created a new DNS reverse zone, and there is a known issue with the BIND name server that it has to be reloaded to recognize a new zone.
Since the new zone is not recognized by the master machine name server, it sends the DNS request to its forwarder which provides an invalid PTR record.
Closing this ticket as a duplicate of #826, which deals with this issue.
Restarting the name server did not resolve the installation problem.
The problem appears to be that when a new zone is added a forward entry is created. If you create a reverse zone then the entry for the name server gets an aRecord for the IP address that caused the reverse zone to be created.
It seems there are 2 relevant issues. Rob's issue is fixed there:
master: 17c3f9e
ipa-2-0: 1df0ca7
The one I described is still valid, tracked in #826.
Metadata Update from @dpal:
- Issue assigned to mkosek
- Issue set to the milestone: FreeIPA 2.1 - 2011/05
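
The inconsistency discussed in the comments above (the name server's entry gaining an aRecord for the address that triggered the new reverse zone) can be found mechanically by cross-checking every aRecord against the pTRRecord for the same address. This is an added example, not part of the ticket or of FreeIPA's code; the sample input is a subset of the LDIF from the report, and the function names are hypothetical.

```python
import ipaddress

# Sample input: a subset of the idnsrecord entries quoted in the report.
SAMPLE_LDIF = """\
dn: idnsname=dell-pe830-02,idnsname=testrelm,cn=dns,dc=testrelm
aRecord: 10.16.64.34
aRecord: 10.16.67.10

dn: idnsname=amd-tilapia-01,idnsname=testrelm,cn=dns,dc=testrelm
aRecord: 10.16.67.10

dn: idnsname=34,idnsname=64.16.10.in-addr.arpa.,cn=dns,dc=testrelm
pTRRecord: dell-pe830-02.testrelm.

dn: idnsname=10,idnsname=67.16.10.in-addr.arpa.,cn=dns,dc=testrelm
pTRRecord: amd-tilapia-01.testrelm.
"""

def parse_records(ldif):
    """Return ({fqdn: [ip, ...]}, {reverse owner: ptr target}).

    Assumes record entries only (dn = record RDN, zone RDN, ...) and unfolded lines.
    """
    forward, reverse = {}, {}
    for entry in ldif.strip().split("\n\n"):
        owner = None
        for line in entry.splitlines():
            attr, _, value = line.partition(": ")
            if attr == "dn":
                labels = [rdn.split("=", 1)[1] for rdn in value.split(",")[:2]]
                owner = ".".join(labels).rstrip(".").lower() + "."
            elif attr.lower() == "arecord":
                forward.setdefault(owner, []).append(value)
            elif attr.lower() == "ptrrecord":
                reverse[owner] = value.lower()
    return forward, reverse

def find_mismatches(ldif):
    """List (fqdn, ip, ptr target or None) where the PTR for ip does not name fqdn."""
    forward, reverse = parse_records(ldif)
    bad = []
    for fqdn, ips in sorted(forward.items()):
        for ip in ips:
            # reverse_pointer gives e.g. '10.67.16.10.in-addr.arpa' without the root dot
            target = reverse.get(ipaddress.ip_address(ip).reverse_pointer + ".")
            if target != fqdn:
                bad.append((fqdn, ip, target))
    return bad

if __name__ == "__main__":
    for fqdn, ip, target in find_mismatches(SAMPLE_LDIF):
        print(f"{fqdn} has A {ip}, but the PTR for {ip} is {target or 'missing'}")
```

On the sample data it flags only the second aRecord on dell-pe830-02, whose address resolves back to amd-tilapia-01.testrelm.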