https://bugzilla.redhat.com/show_bug.cgi?id=894131 (Red Hat Enterprise Linux 6)
Description of problem:

It looks like ipa-replica-install doesn't always properly add idnssoaserial for new entries. From testing, I'm seeing a zone get added but it's missing that data. At least, that's not getting replicated back to the master.

In order to test in my isolated environment, I have to delete the existing reverse zone because the master and replica are on the same virtual network. And in test scripts, I can't currently guarantee servers will be on different networks, so that does the same.

After the initial Master install, I see this:

[root@rhel6-1 shared]# ipa dnszone-show 122.168.192.in-addr.arpa.
  Zone name: 122.168.192.in-addr.arpa.
  Authoritative nameserver: rhel6-1.testrelm.com.
  Administrator e-mail address: hostmaster.testrelm.com.
  SOA serial: 1357837632
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  Active zone: TRUE
  Allow query: any;
  Allow transfer: none;

After ipa dnszone-del and ipa-replica-install, I see this:

[root@rhel6-1 log]# ipa dnszone-find
  Zone name: 122.168.192.in-addr.arpa.
  Authoritative nameserver: rhel6-2.testrelm.com.
  Administrator e-mail address: hostmaster.testrelm.com.
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  Active zone: TRUE
  Allow query: any;
  Allow transfer: none;

No "SOA serial" option there. Then, if I try to re-run ipa-replica-prepare, that's when I see the errors that led me here.

Version-Release number of selected component (if applicable):

How reproducible:
always (at least with the ipa-replica-install options listed)

Steps to Reproduce:
On Master:
1. setup IPA Master server
2. ipa dnszone-del <reverse zone for replica if it exists>
3. ipa-replica-prepare (with no --ip-address option)
On Replica:
4. sftp replica info gpg file
5. ipa-replica-install -U --setup-dns --no-forwarders -w $ADMINPW -p $ADMINPW /dev/shm/replica-info-$s_short.$DOMAIN.gpg

Actual results:
ipa dnszone-show <reverse zone for replica> does not show the SOA serial value.

However, it looks like it was created with one: the log shows that it should have been added with the idnssoaserial value:

2013-01-10T18:42:51Z DEBUG   [2/8]: setting up reverse zone
2013-01-10T18:42:51Z DEBUG raw: dnszone_add(u'122.168.192.in-addr.arpa.', idnssoamname=u'rhel6-2.testrelm.com.', idnssoarname=u'hostmaster.testrelm.com', idnsupdatepolicy=u'grant TESTRELM.COM krb5-subdomain 122.168.192.in-addr.arpa. PTR;', idnsallowdynupdate=True, idnsallowquery=u'any', idnsallowtransfer=u'none', force=True, ip_address=None)
2013-01-10T18:42:51Z DEBUG dnszone_add(u'122.168.192.in-addr.arpa.', idnssoamname=u'rhel6-2.testrelm.com.', idnssoarname=u'hostmaster.testrelm.com.', idnssoaserial=1357843371, idnssoarefresh=3600, idnssoaretry=900, idnssoaexpire=1209600, idnssoaminimum=3600, idnsupdatepolicy=u'grant TESTRELM.COM krb5-subdomain 122.168.192.in-addr.arpa. PTR;', idnsallowdynupdate=True, idnsallowquery=u'any;', idnsallowtransfer=u'none;', force=True, ip_address=None, all=False, raw=False)
2013-01-10T18:42:51Z DEBUG raw: dnsrecord_add(u'122.168.192.in-addr.arpa.', u'@', nsrecord=u'rhel6-2.testrelm.com.', force=True)
2013-01-10T18:42:51Z DEBUG dnsrecord_add(u'122.168.192.in-addr.arpa.', u'@', a_extra_create_reverse=False, aaaa_extra_create_reverse=False, nsrecord=(u'rhel6-2.testrelm.com.',), force=True, structured=False, all=False, raw=False)
2013-01-10T18:42:51Z DEBUG duration: 0 seconds

And I can see it in ldap on the replica:

[root@rhel6-2 shm]# ldapsearch -h $(hostname) -xLLL -D "cn=Directory Manager" -w $ADMINPW -b dc=testrelm,dc=com idnsname=122.168.192.in-addr.arpa.
dn: idnsname=122.168.192.in-addr.arpa.,cn=dns,dc=testrelm,dc=com
idnsSOAminimum: 3600
idnsSOAexpire: 1209600
idnsSOAretry: 900
idnsSOArefresh: 3600
idnsSOAserial: 1357843373
idnsZoneActive: TRUE
nSRecord: rhel6-2.testrelm.com.
objectClass: top
objectClass: idnsrecord
objectClass: idnszone
idnsAllowTransfer: none;
idnsUpdatePolicy: grant TESTRELM.COM krb5-subdomain 122.168.192.in-addr.arpa.
 PTR;
idnsAllowQuery: any;
idnsName: 122.168.192.in-addr.arpa.
idnsSOAmName: rhel6-2.testrelm.com.
idnsSOArName: hostmaster.testrelm.com.
idnsAllowDynUpdate: TRUE

but I cannot see it in ldap on the master:

[root@rhel6-1 log]# ldapsearch -h $(hostname) -xLLL -D "cn=Directory Manager" -w $ADMINPW -b dc=testrelm,dc=com idnsname=122.168.192.in-addr.arpa.
dn: idnsname=122.168.192.in-addr.arpa.,cn=dns,dc=testrelm,dc=com
idnsSOAminimum: 3600
idnsSOAexpire: 1209600
idnsSOAretry: 900
idnsSOArefresh: 3600
idnsZoneActive: TRUE
nSRecord: rhel6-2.testrelm.com.
objectClass: top
objectClass: idnsrecord
objectClass: idnszone
idnsAllowTransfer: none;
idnsUpdatePolicy: grant TESTRELM.COM krb5-subdomain 122.168.192.in-addr.arpa.
 PTR;
idnsAllowQuery: any;
idnsName: 122.168.192.in-addr.arpa.
idnsSOAmName: rhel6-2.testrelm.com.
idnsSOArName: hostmaster.testrelm.com.
idnsAllowDynUpdate: TRUE

Also, I did confirm that I could reproduce it (at least with those ipa-replica-install options). So, I'll go ahead and open a bug now and we can work from that, I think.

Expected results:
idnssoaserial set properly and synced across all servers.

Additional info:
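The report above compares the same zone entry on two servers by eye. As an added check (example code written for this page, not part of the bug report or of FreeIPA), the script below parses the LDIF that `ldapsearch -xLLL ... idnsname=<zone>` prints on each server, reports which SOA attributes are missing on which server, and shows the serial each one holds, so a replication gap like the one reported is caught by a script rather than by reading two listings. The two sample listings are constructed from the outputs quoted in the report; the attribute names and the server labels are taken from there, and the function names are this example's own.

```python
"""Check that an IPA DNS zone entry carries all SOA attributes on every server.

Added example (not part of the bug report or of FreeIPA). It parses the LDIF
printed by `ldapsearch -xLLL ... idnsname=<zone>` on each server and reports
which SOA attributes are missing where, plus the serial each server holds.
"""
from typing import Dict, List, Optional

# SOA attributes an idnszone entry is expected to carry (names as in the report).
REQUIRED_SOA_ATTRS = (
    "idnsSOAmName", "idnsSOArName", "idnsSOAserial", "idnsSOArefresh",
    "idnsSOAretry", "idnsSOAexpire", "idnsSOAminimum",
)

# Constructed sample input, built from the replica's ldapsearch output quoted
# in the report. The "  PTR;" line is an LDIF continuation line: the first
# space is the fold marker ldapsearch emits when a value wraps, the second is
# part of the value itself.
REPLICA_LDIF = """\
dn: idnsname=122.168.192.in-addr.arpa.,cn=dns,dc=testrelm,dc=com
idnsSOAminimum: 3600
idnsSOAexpire: 1209600
idnsSOAretry: 900
idnsSOArefresh: 3600
idnsSOAserial: 1357843373
idnsZoneActive: TRUE
nSRecord: rhel6-2.testrelm.com.
objectClass: top
objectClass: idnsrecord
objectClass: idnszone
idnsAllowTransfer: none;
idnsUpdatePolicy: grant TESTRELM.COM krb5-subdomain 122.168.192.in-addr.arpa.
  PTR;
idnsAllowQuery: any;
idnsName: 122.168.192.in-addr.arpa.
idnsSOAmName: rhel6-2.testrelm.com.
idnsSOArName: hostmaster.testrelm.com.
idnsAllowDynUpdate: TRUE
"""

# The master's listing in the report is identical except that idnsSOAserial
# is absent, so the constructed master sample drops just that line.
MASTER_LDIF = "\n".join(
    line for line in REPLICA_LDIF.splitlines()
    if not line.startswith("idnsSOAserial:")
) + "\n"


def parse_ldif_entry(ldif: str) -> Dict[str, List[str]]:
    """Parse one LDIF entry into {attribute name (lower-cased): [values]}.

    A line starting with a single space continues the previous value (LDIF
    folding); multi-valued attributes such as objectClass become lists.
    LDAP attribute names are case-insensitive, hence the lower-casing.
    """
    folded: List[str] = []
    for raw in ldif.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        if raw.startswith(" ") and folded:
            folded[-1] += raw[1:]          # drop the fold marker, join the rest
        else:
            folded.append(raw)
    entry: Dict[str, List[str]] = {}
    for line in folded:
        name, sep, value = line.partition(":")
        if not sep:
            continue                        # not an attribute line
        entry.setdefault(name.strip().lower(), []).append(value.strip())
    return entry


def missing_soa_attrs(ldif: str) -> List[str]:
    """Return the required SOA attributes that the entry lacks."""
    entry = parse_ldif_entry(ldif)
    return [a for a in REQUIRED_SOA_ATTRS if a.lower() not in entry]


def soa_serial(ldif: str) -> Optional[int]:
    """Return the entry's idnsSOAserial as an int, or None if it is absent."""
    values = parse_ldif_entry(ldif).get("idnssoaserial")
    return int(values[0]) if values else None


def audit_zone(listings: Dict[str, str]) -> Dict[str, dict]:
    """Per server: which SOA attributes are missing and which serial it holds.

    A server that lacks idnsSOAserial, or whose serial differs from the
    others', is the condition the report describes; both are visible here.
    """
    return {
        server: {"missing": missing_soa_attrs(ldif), "serial": soa_serial(ldif)}
        for server, ldif in listings.items()
    }


if __name__ == "__main__":
    listings = {"rhel6-1 (master)": MASTER_LDIF, "rhel6-2 (replica)": REPLICA_LDIF}
    for server, result in audit_zone(listings).items():
        print(f"{server}: serial={result['serial']} missing={result['missing']}")
```

To use it against live servers, run the same ldapsearch on each server, feed each listing to `audit_zone` keyed by hostname, and treat any non-empty `missing` list or any disagreement between the `serial` values as a replication problem worth investigating.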
The long-term fix for this problem should be this: https://fedorahosted.org/freeipa/ticket/3347
For the short term, this is fixed in bind-dyndb-ldap 2.3.
Metadata Update from @rcritten:
- Issue assigned to someone
- Issue set to the milestone: FreeIPA 3.0.3 (bug fixing)