Hi,
I'm labbing a FreeIPA environment for personal use, and I'm getting that while bringing up a replica.
I set up my first freeipa-server instance on a cheap VPS on a public IP, intending to make it publicly accessible so I can always authenticate my laptop even on wild public networks.
I'm adding the replica as a VM(1) on a Proxmox VE, on a private network with VPN connectivity to the first public freeipa-server, but I'm getting:
2018-01-06T20:56:04Z DEBUG The ipa-replica-install command failed, exception: ValidationError: invalid 'dnszoneidnsname': only master zones can contain records
I'm trying to create the replica with CA and DNS, and I had set up DNS forwarding to the internal DNS on the Proxmox system with:
$ ipa dnsforwardzone-add h2.int.pdp7.net --forwarder=10.42.42.1
$ ipa dnsforwardzone-add --name-from-ip=10.42.42.0/24 --forwarder=10.42.42.1 --forward-policy=only
on the first server (I run dnsmasq on Proxmox VE; 10.42.42.0/24 - h2.int.pdp7.net is the network it manages), and I guess that's messing with the replica, but I'm not sure how to troubleshoot this.
Thoughts? Ideas?
Thanks,
Álex
(1) I can't seem to create a freeipa-replica on an LXC container. Is this something that can be discussed here or should I take it to LXC?
Hello,
It looks like the replica is trying to add records to your forward zone. What is the hostname of the replica?
1. What is not working on LXC?
2018-01-07 12:20 GMT+01:00 Alex Corcoles via FreeIPA-users <freeipa-users@lists.fedorahosted.org>:
-- ___ {~._.~} ( Y ) ()~*~() mail: alex at corcoles dot net (_)-(_) http://alex.corcoles.net/
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
Hi Martin,
On Tue, Jan 9, 2018 at 12:46 AM, Martin Basti via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
It looks like the replica is trying to add records to your forward zone. What is the hostname of the replica?
Yeah, it's xxx.h2.int.pdp7.net, which is within the forwarded zone.
I have a dnsmasq acting as DHCP/DNS server in h2.int.pdp7.net to provide automatic network configuration to VMs. It's a non-routable network, so I'm not sure what the right setup would be.
1. What is not working on LXC?
It was something about GSSAPI or something like that; I'll try to reproduce and start a new thread about that, but I guess it's more of an LXC problem (ideally I would like to run my replica on LXC so it consumes less RAM, but I can live with a full VM).
Cheers,
Álex
Do you have a traceback in the log? I'm curious where exactly this happened. What is your FreeIPA version?
[1] I haven't installed FreeIPA in LXC, but I'm a happy user of FreeIPA running in LXC :-) So it should work.
2018-01-09 11:40 GMT+01:00 Alex Corcoles via FreeIPA-users <freeipa-users@lists.fedorahosted.org>:
-- S pozdravom Martin Bašti.
That's weird. I've now tried a replica install on a fresh VM and it has worked, exact same parameters as before ¬ ¬U, no "invalid 'dnszoneidnsname': only master zones can contain records". Maybe I had a problem with the previous install failing and me cleaning up/retrying incorrectly.
Never mind...
On Tue, Jan 9, 2018 at 7:45 PM, Martin Basti via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
Ah, wait, this new replica doesn't have CA and DNS. Will try various combinations and post back.
On Tue, Jan 9, 2018 at 10:03 PM, Alex Corcoles alex@corcoles.net wrote:
OK, just reproduced the error:
[root@ipa2 ~]# ipa-replica-install -v -w $pw -n ipa.pdp7.net -P alex --mkhomedir --setup-ca --setup-dns --auto-forwarders
[...]
ipa         : DEBUG    [2/8]: setting up our own record
  [2/8]: setting up our own record
ipa.ipaserver.plugins.dns.dnsrecord_add: DEBUG    raw: dnsrecord_add(u'h2.int.pdp7.net', u'ipa2', arecord=u'10.42.42.83', version=u'2.228')
ipa.ipaserver.plugins.dns.dnsrecord_add: DEBUG    dnsrecord_add(<DNS name h2.int.pdp7.net.>, <DNS name ipa2>, arecord=(u'10.42.42.83',), a_extra_create_reverse=False, aaaa_extra_create_reverse=False, force=False, structured=False, all=False, raw=False, version=u'2.228')
ipa         : DEBUG    Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 504, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 494, in run_step
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/bindinstance.py", line 852, in __add_self
    self.__add_master_records(self.fqdn, self.ip_addresses)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/bindinstance.py", line 843, in __add_master_records
    add_fwd_rr(zone, host, addr, self.api)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/bindinstance.py", line 367, in add_fwd_rr
    add_rr(zone, host, "A", ip_address, None, api)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/bindinstance.py", line 358, in add_rr
    api.Command.dnsrecord_add(unicode(zone), unicode(name), **addkw)
  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 447, in __call__
    return self.__do_call(*args, **options)
  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 475, in __do_call
    ret = self.run(*args, **options)
  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 797, in run
    return self.execute(*args, **options)
  File "/usr/lib/python2.7/site-packages/ipaserver/plugins/dns.py", line 3666, in execute
    result = super(dnsrecord_add, self).execute(*keys, **options)
  File "/usr/lib/python2.7/site-packages/ipaserver/plugins/baseldap.py", line 1141, in execute
    dn = self.obj.get_dn(*keys, **options)
  File "/usr/lib/python2.7/site-packages/ipaserver/plugins/dns.py", line 3161, in get_dn
    dn = self.check_zone(keys[-2], **options)
  File "/usr/lib/python2.7/site-packages/ipaserver/plugins/dns.py", line 3152, in check_zone
    error=_(u'only master zones can contain records')
ValidationError: invalid 'dnszoneidnsname': only master zones can contain records

ipa         : DEBUG    [error] ValidationError: invalid 'dnszoneidnsname': only master zones can contain records
  [error] ValidationError: invalid 'dnszoneidnsname': only master zones can contain records
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall): DEBUG    File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 172, in execute
    return_value = self.run()
  File "/usr/lib/python2.7/site-packages/ipapython/install/cli.py", line 333, in run
    cfgr.run()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 368, in run
    self.execute()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 392, in execute
    for _nothing in self._executor():
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 434, in __runner
    exc_handler(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 463, in _handle_execute_exception
    self._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 453, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 424, in __runner
    step()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 421, in <lambda>
    step = lambda: next(self.__gen)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 658, in _configure
    next(executor)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 434, in __runner
    exc_handler(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 463, in _handle_execute_exception
    self._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 521, in _handle_exception
    self.__parent._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 453, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 518, in _handle_exception
    super(ComponentBase, self)._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 453, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 424, in __runner
    step()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 421, in <lambda>
    step = lambda: next(self.__gen)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python2.7/site-packages/ipapython/install/common.py", line 63, in _install
    for _nothing in self._installer(self.parent):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/__init__.py", line 617, in main
    replica_install(self)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 386, in decorated
    func(installer)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 1479, in install
    dns.install(False, True, options, api)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dns.py", line 338, in install
    bind.create_instance()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/bindinstance.py", line 719, in create_instance
    self.start_creation()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 504, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 494, in run_step
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/bindinstance.py", line 852, in __add_self
    self.__add_master_records(self.fqdn, self.ip_addresses)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/bindinstance.py", line 843, in __add_master_records
    add_fwd_rr(zone, host, addr, self.api)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/bindinstance.py", line 367, in add_fwd_rr
    add_rr(zone, host, "A", ip_address, None, api)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/bindinstance.py", line 358, in add_rr
    api.Command.dnsrecord_add(unicode(zone), unicode(name), **addkw)
  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 447, in __call__
    return self.__do_call(*args, **options)
  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 475, in __do_call
    ret = self.run(*args, **options)
  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 797, in run
    return self.execute(*args, **options)
  File "/usr/lib/python2.7/site-packages/ipaserver/plugins/dns.py", line 3666, in execute
    result = super(dnsrecord_add, self).execute(*keys, **options)
  File "/usr/lib/python2.7/site-packages/ipaserver/plugins/baseldap.py", line 1141, in execute
    dn = self.obj.get_dn(*keys, **options)
  File "/usr/lib/python2.7/site-packages/ipaserver/plugins/dns.py", line 3161, in get_dn
    dn = self.check_zone(keys[-2], **options)
  File "/usr/lib/python2.7/site-packages/ipaserver/plugins/dns.py", line 3152, in check_zone
    error=_(u'only master zones can contain records')

ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall): DEBUG    The ipa-replica-install command failed, exception: ValidationError: invalid 'dnszoneidnsname': only master zones can contain records
ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall): ERROR    invalid 'dnszoneidnsname': only master zones can contain records
ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall): ERROR    The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information

So yeah, it's:
dnsrecord_add(u'h2.int.pdp7.net', u'ipa2', arecord=u'10.42.42.83', version=u'2.228')
which is the host name of the replica and its IP, which is within the forwarded zones:
$ ipa dnsforwardzone-add h2.int.pdp7.net --forwarder=10.42.42.1
$ ipa dnsforwardzone-add --name-from-ip=10.42.42.0/24 --forwarder=10.42.42.1 --forward-policy=only
Maybe I can add the replica under an ipa.pdp7.net hostname? I'd really prefer to keep the replica with its DNS/DHCP setup, but I suppose using a different hostname is problematic. Can we skip adding this entry?
On Tue, Jan 9, 2018 at 10:05 PM, Alex Corcoles alex@corcoles.net wrote:
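The failure traced in the message above (the installer calling dnsrecord_add for ipa2 in h2.int.pdp7.net, a forward zone) can be predicted before ipa-replica-install is run. The following is an added example written for this thread, not FreeIPA's own code: it parses the zone lists from the plain-text output of `ipa dnszone-find` and `ipa dnsforwardzone-find`, picks the most specific IPA zone for the replica's A owner name and for the PTR name of its address, and flags any that is a forward zone, which is exactly what ipaserver/plugins/dns.py refuses with "only master zones can contain records". It assumes ipa.pdp7.net is the IPA master zone (the thread only shows `-n ipa.pdp7.net`), and the CLI output it parses is constructed in the style of those two commands from the zones in the thread. Run against the thread's values it flags both the A record in h2.int.pdp7.net and the PTR under 42.42.10.in-addr.arpa; with the ipa.pdp7.net hostname considered at the end of the message, only the PTR stays outside a master zone.

```python
"""
Pre-flight check for `ipa-replica-install --setup-dns`: will the replica's own
A record (and the PTR for its address) land in a FreeIPA master zone or in a
forward zone?

Added example for this thread, not FreeIPA code. The A-record verdict mirrors
the traceback in the thread: bindinstance adds the replica's own record with
dnsrecord_add, and ipaserver/plugins/dns.py refuses that for anything but a
master zone. Zone lists are taken from the "Zone name: ..." lines printed by
`ipa dnszone-find` and `ipa dnsforwardzone-find`; the sample output below is
constructed, and ipa.pdp7.net as the master zone is an assumption.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

ZONE_NAME_RE = re.compile(r"^\s*Zone name:\s*(\S+)\s*$", re.MULTILINE)


def normalize(name: str) -> str:
    """DNS names compare case-insensitively, with or without the trailing dot."""
    return name.strip().rstrip(".").lower()


def parse_zone_names(cli_output: str) -> List[str]:
    """Zone names from `ipa dnszone-find` / `ipa dnsforwardzone-find` output."""
    return [normalize(m.group(1)) for m in ZONE_NAME_RE.finditer(cli_output)]


def ptr_name(ipv4: str) -> str:
    """Reverse name of an IPv4 address: 10.42.42.83 -> 83.42.42.10.in-addr.arpa."""
    octets = ipv4.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError("not an IPv4 address: %r" % ipv4)
    return ".".join(reversed(octets)) + ".in-addr.arpa"


def best_zone(name: str, zones: Iterable[str]) -> Optional[str]:
    """Most specific zone that equals `name` or is a parent of it, else None."""
    name = normalize(name)
    best = None
    for zone in map(normalize, zones):
        if name == zone or name.endswith("." + zone):
            if best is None or len(zone) > len(best):
                best = zone
    return best


@dataclass(frozen=True)
class ZoneMatch:
    record_type: str        # "A" or "PTR"
    owner: str              # record owner name being placed
    zone: Optional[str]     # most specific IPA zone containing it, or None
    kind: str               # "master", "forward" or "none"

    def verdict(self) -> str:
        if self.kind == "forward":
            return ("%s %s falls under forward zone %s: dnsrecord_add is refused, "
                    "only master zones can contain records"
                    % (self.record_type, self.owner, self.zone))
        if self.kind == "master":
            return "%s %s can be added to master zone %s" % (self.record_type, self.owner, self.zone)
        return "%s %s is in no IPA-managed zone" % (self.record_type, self.owner)


def classify(record_type: str, owner: str, master_zones: Iterable[str],
             forward_zones: Iterable[str]) -> ZoneMatch:
    master = best_zone(owner, master_zones)
    forward = best_zone(owner, forward_zones)
    if master is None and forward is None:
        return ZoneMatch(record_type, normalize(owner), None, "none")
    # Both candidates are suffixes of `owner`, so the longer string is the more
    # specific zone and wins, whatever its type.
    if forward is not None and (master is None or len(forward) > len(master)):
        return ZoneMatch(record_type, normalize(owner), forward, "forward")
    return ZoneMatch(record_type, normalize(owner), master, "master")


def preflight(fqdn: str, ipv4: str, dnszone_find_output: str,
              dnsforwardzone_find_output: str) -> List[ZoneMatch]:
    """The replica's A and PTR owner names that would land in a forward zone."""
    masters = parse_zone_names(dnszone_find_output)
    forwards = parse_zone_names(dnsforwardzone_find_output)
    matches = [classify("A", fqdn, masters, forwards),
               classify("PTR", ptr_name(ipv4), masters, forwards)]
    return [m for m in matches if m.kind == "forward"]


# Constructed sample output in the style of the two CLI commands, using the
# zones from the thread (the master zone ipa.pdp7.net is an assumption).
SAMPLE_DNSZONE_FIND = """\
----------------
1 DNS zone matched
----------------
  Zone name: ipa.pdp7.net.
  Active zone: TRUE
----------------------------
Number of entries returned 1
----------------------------
"""

SAMPLE_DNSFORWARDZONE_FIND = """\
--------------------------
2 DNS forward zones matched
--------------------------
  Zone name: h2.int.pdp7.net.
  Active zone: TRUE
  Zone forwarders: 10.42.42.1
  Forward policy: first

  Zone name: 42.42.10.in-addr.arpa.
  Active zone: TRUE
  Zone forwarders: 10.42.42.1
  Forward policy: only
----------------------------
Number of entries returned 2
----------------------------
"""

if __name__ == "__main__":
    for host in ("ipa2.h2.int.pdp7.net", "ipa2.ipa.pdp7.net"):
        refused = preflight(host, "10.42.42.83", SAMPLE_DNSZONE_FIND, SAMPLE_DNSFORWARDZONE_FIND)
        print(host)
        for m in refused or ():
            print("  " + m.verdict())
        if not refused:
            print("  own A and PTR records both land in master zones")
```

To use it against a live server, capture `ipa dnszone-find` and `ipa dnsforwardzone-find` on an existing master (with a valid admin ticket) and pass their output in place of the constructed samples; the check is only as good as the zone list it is fed, so run it against the same master the replica will be installed from.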
You should open a bug about this; IPA should not fail if the zone the replica belongs to is a forward zone.
Probably the easiest solution might be to update FreeIPA's code before installing: edit /usr/lib/python??/site-packages/ipaserver/install/bindinstance.py:add_rr and replace the lines shown in the diff:
--- a/ipaserver/install/bindinstance.py +++ b/ipaserver/install/bindinstance.py @@ -357,7 +357,7 @@ def add_rr(zone, name, type, rdata, dns_backup=None, api=api, **kwargs): addkw.update(kwargs) try: api.Command.dnsrecord_add(unicode(zone), unicode(name), **addkw) - except (errors.DuplicateEntry, errors.EmptyModlist): + except (errors.DuplicateEntry, errors.EmptyModlist, errors.ValidationError): pass if dns_backup: dns_backup.add(zone, type, name, rdata)
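Review bot: adding errors.ValidationError to the except clause in add_rr swallows every validation failure dnsrecord_add can raise, not only the forward-zone case this workaround is for, and the unchanged `if dns_backup: dns_backup.add(zone, type, name, rdata)` that follows still records the record as added even though the server refused it, so any caller that passes a dns_backup ends up tracking a record that does not exist. If this is kept for longer than the one install it is meant to bridge, narrow it: check the zone type before calling dnsrecord_add (or match on the "only master zones can contain records" error rather than any ValidationError) and log that the replica's own record was skipped instead of a bare `pass`.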
and change it back after installation.
Or you can remove the forward zone (remove; disabling is not enough) and add it back after installation, if this won't cause you any service interruptions (but you have to be able to resolve h2.int.pdp7.net without the forward zone).
2018-01-10 19:38 GMT+01:00 Alex Corcoles via FreeIPA-users < freeipa-users@lists.fedorahosted.org>:
OK, just reproduced the error:
[root@ipa2 ~]# ipa-replica-install -v -w $pw -n ipa.pdp7.net -P alex --mkhomedir --setup-ca --setup-dns --auto-forwarders
[...]
ipa : DEBUG [2/8]: setting up our own record
  [2/8]: setting up our own record
ipa.ipaserver.plugins.dns.dnsrecord_add: DEBUG raw: dnsrecord_add(u'h2.int.pdp7.net', u'ipa2', arecord=u'10.42.42.83', version=u'2.228')
ipa.ipaserver.plugins.dns.dnsrecord_add: DEBUG dnsrecord_add(<DNS name h2.int.pdp7.net.>, <DNS name ipa2>, arecord=(u'10.42.42.83',), a_extra_create_reverse=False, aaaa_extra_create_reverse=False, force=False, structured=False, all=False, raw=False, version=u'2.228')
ipa : DEBUG Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 504, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 494, in run_step
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/bindinstance.py", line 852, in __add_self
    self.__add_master_records(self.fqdn, self.ip_addresses)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/bindinstance.py", line 843, in __add_master_records
    add_fwd_rr(zone, host, addr, self.api)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/bindinstance.py", line 367, in add_fwd_rr
    add_rr(zone, host, "A", ip_address, None, api)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/bindinstance.py", line 358, in add_rr
    api.Command.dnsrecord_add(unicode(zone), unicode(name), **addkw)
  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 447, in __call__
    return self.__do_call(*args, **options)
  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 475, in __do_call
    ret = self.run(*args, **options)
  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 797, in run
    return self.execute(*args, **options)
  File "/usr/lib/python2.7/site-packages/ipaserver/plugins/dns.py", line 3666, in execute
    result = super(dnsrecord_add, self).execute(*keys, **options)
  File "/usr/lib/python2.7/site-packages/ipaserver/plugins/baseldap.py", line 1141, in execute
    dn = self.obj.get_dn(*keys, **options)
  File "/usr/lib/python2.7/site-packages/ipaserver/plugins/dns.py", line 3161, in get_dn
    dn = self.check_zone(keys[-2], **options)
  File "/usr/lib/python2.7/site-packages/ipaserver/plugins/dns.py", line 3152, in check_zone
    error=_(u'only master zones can contain records')
ValidationError: invalid 'dnszoneidnsname': only master zones can contain records
ipa : DEBUG [error] ValidationError: invalid 'dnszoneidnsname': only master zones can contain records
  [error] ValidationError: invalid 'dnszoneidnsname': only master zones can contain records
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall): DEBUG   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 172, in execute
    return_value = self.run()
  File "/usr/lib/python2.7/site-packages/ipapython/install/cli.py", line 333, in run
    cfgr.run()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 368, in run
    self.execute()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 392, in execute
    for _nothing in self._executor():
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 434, in __runner
    exc_handler(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 463, in _handle_execute_exception
    self._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 453, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 424, in __runner
    step()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 421, in <lambda>
    step = lambda: next(self.__gen)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 658, in _configure
    next(executor)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 434, in __runner
    exc_handler(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 463, in _handle_execute_exception
    self._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 521, in _handle_exception
    self.__parent._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 453, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 518, in _handle_exception
    super(ComponentBase, self)._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 453, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 424, in __runner
    step()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 421, in <lambda>
    step = lambda: next(self.__gen)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python2.7/site-packages/ipapython/install/common.py", line 63, in _install
    for _nothing in self._installer(self.parent):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/__init__.py", line 617, in main
    replica_install(self)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 386, in decorated
    func(installer)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 1479, in install
    dns.install(False, True, options, api)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dns.py", line 338, in install
    bind.create_instance()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/bindinstance.py", line 719, in create_instance
    self.start_creation()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 504, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 494, in run_step
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/bindinstance.py", line 852, in __add_self
    self.__add_master_records(self.fqdn, self.ip_addresses)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/bindinstance.py", line 843, in __add_master_records
    add_fwd_rr(zone, host, addr, self.api)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/bindinstance.py", line 367, in add_fwd_rr
    add_rr(zone, host, "A", ip_address, None, api)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/bindinstance.py", line 358, in add_rr
    api.Command.dnsrecord_add(unicode(zone), unicode(name), **addkw)
  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 447, in __call__
    return self.__do_call(*args, **options)
  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 475, in __do_call
    ret = self.run(*args, **options)
  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 797, in run
    return self.execute(*args, **options)
  File "/usr/lib/python2.7/site-packages/ipaserver/plugins/dns.py", line 3666, in execute
    result = super(dnsrecord_add, self).execute(*keys, **options)
  File "/usr/lib/python2.7/site-packages/ipaserver/plugins/baseldap.py", line 1141, in execute
    dn = self.obj.get_dn(*keys, **options)
  File "/usr/lib/python2.7/site-packages/ipaserver/plugins/dns.py", line 3161, in get_dn
    dn = self.check_zone(keys[-2], **options)
  File "/usr/lib/python2.7/site-packages/ipaserver/plugins/dns.py", line 3152, in check_zone
    error=_(u'only master zones can contain records')
ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall): DEBUG The ipa-replica-install command failed, exception: ValidationError: invalid 'dnszoneidnsname': only master zones can contain records
ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall): ERROR invalid 'dnszoneidnsname': only master zones can contain records
ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall): ERROR The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information
So yeah, it's:
dnsrecord_add(u'h2.int.pdp7.net', u'ipa2', arecord=u'10.42.42.83', version=u'2.228')
which is the host name of the replica and its IP, which is within the forwarded zones:
$ ipa dnsforwardzone-add h2.int.pdp7.net --forwarder=10.42.42.1
$ ipa dnsforwardzone-add --name-from-ip=10.42.42.0/24 --forwarder=10.42.42.1 --forward-policy=only
Maybe I can add the replica under an ipa.pdp7.net hostname? I'd really prefer to keep the replica with its DNS/DHCP setup, but I suppose using a different hostname is problematic. Can we skip adding this entry?
On Tue, Jan 9, 2018 at 10:05 PM, Alex Corcoles alex@corcoles.net wrote:
Ah, wait, this new replica doesn't have CA and DNS. Will try various combinations and post back.
On Tue, Jan 9, 2018 at 10:03 PM, Alex Corcoles alex@corcoles.net wrote:
That's weird. I've now tried a replica install on a fresh VM and it has worked, exact same parameters as before ¬ ¬U, no "invalid 'dnszoneidnsname': only master zones can contain records". Maybe I had a problem with the previous install failing and me cleaning up/retrying incorrectly.
Never mind...
On Tue, Jan 9, 2018 at 7:45 PM, Martin Basti via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote:
do you have a traceback in log? I'm curious where exactly this happened, what is your FreeIPA version?
[1] I haven't installed FreeIPA in LXC, but I'm a happy user of FreeIPA running in LXC :-) So it should work
2018-01-09 11:40 GMT+01:00 Alex Corcoles via FreeIPA-users < freeipa-users@lists.fedorahosted.org>:
Hi Martin,
On Tue, Jan 9, 2018 at 12:46 AM, Martin Basti via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote:
it looks like the replica is trying to add records to your forward zone. What is the hostname of the replica?
Yeah, it's xxx.h2.int.pdp7.net, which is within the forwarded zone.
I have a dnsmasq acting as DHCP/DNS server in h2.int.pdp7.net to provide automatic network configuration to VMs. It's a non-routable network, so I'm not sure what the right setup would be.
- what is not working on lxc?
It was something about GSSAPI or something like that, I'll try to reproduce and start a new thread about that- but I guess it's more of an LXC problem (ideally I would like to run my replica on LXC so it consumes less RAM, but I can live with a full VM).
Cheers,
Álex
2018-01-07 12:20 GMT+01:00 Alex Corcoles via FreeIPA-users < freeipa-users@lists.fedorahosted.org>:
Hi,
I'm labbing a FreeIPA environment for personal use, and I'm getting that while bringing up a replica.
-- ___ {~._.~} ( Y ) ()~*~() mail: alex at corcoles dot net (_)-(_) http://alex.corcoles.net/
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
-- Regards, Martin Bašti.
Yeah, think so, filed:
https://bugzilla.redhat.com/show_bug.cgi?id=1533228
On Wed, Jan 10, 2018 at 8:07 PM, Martin Basti via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote:
You should open a bug about this, IPA should not fail if the zone the replica belongs to is a forward zone.
Probably the easiest solution might be to update FreeIPA's code before installing: edit /usr/lib/python??/site-packages/ipaserver/install/bindinstance.py (function add_rr) and replace the lines shown in the diff:
--- a/ipaserver/install/bindinstance.py +++ b/ipaserver/install/bindinstance.py @@ -357,7 +357,7 @@ def add_rr(zone, name, type, rdata, dns_backup=None, api=api, **kwargs): addkw.update(kwargs) try: api.Command.dnsrecord_add(unicode(zone), unicode(name), **addkw)
- except (errors.DuplicateEntry, errors.EmptyModlist):
- except (errors.DuplicateEntry, errors.EmptyModlist,
errors.ValidationError): pass if dns_backup: dns_backup.add(zone, type, name, rdata)
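Review bot: as pasted, both changed lines of this hunk carry a leading "-" and neither carries a "+", so the patch cannot be applied with patch(1) as-is; the second line (`except (errors.DuplicateEntry, errors.EmptyModlist,` continued by `errors.ValidationError):`) is the replacement and needs a "+", or the edit has to be made by hand in bindinstance.py as the text suggests. The catch is also broader than the case it is meant for: add_rr serves every record the installer creates, so catching errors.ValidationError there silently drops any record IPA refuses to validate, not only a record aimed at a forward zone, and the bare `pass` leaves no log line saying which record was skipped; at minimum log zone and name in the except branch, and better, detect the forward zone explicitly before calling dnsrecord_add (for example by looking the zone up with api.Command.dnsforwardzone_show) so other validation failures still abort the install. When a dns_backup is passed, `dns_backup.add(zone, type, name, rdata)` still runs after the swallowed error and records a record that was never created (in the add_fwd_rr path of the traceback dns_backup is None, so this does not bite here). Finally, with the record skipped the replica's A record exists only in dnsmasq, so ipa2.h2.int.pdp7.net must stay resolvable through the 10.42.42.1 forwarder from every IPA server and client, since IPA DNS will never serve it.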
and change it back after installation
Or you can remove the forward zone (remove, disabling is not enough) and add it back after installation, if this won't cause you any service interruptions (but you have to be able to resolve h2.int.pdp7.net without the forward zone).
2018-01-10 19:38 GMT+01:00 Alex Corcoles via FreeIPA-users < freeipa-users@lists.fedorahosted.org>:
OK, just reproduced the error:
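The check behind the second workaround above, written up as an added example that is not from this thread and not FreeIPA's own code: a pre-flight script to run on an IPA server before `ipa-replica-install --setup-dns`. It lists the IPA forward zones, reports whether the replica's FQDN falls inside one (the condition that made dnsrecord_add fail in the log), and prints the exact `ipa dnsforwardzone-add` command that recreates the zone with the same forwarder and policy after it has been deleted for the install. It also notes when the in-addr.arpa zone of the replica's subnet is a forward zone, which goes one step past the log (that only shows the A record failing). The sample `ipa dnsforwardzone-find --all` output is constructed in the style of the ipa CLI; its field labels, the forward policy "first" given to h2.int.pdp7.net, and the assumption of one forwarder per zone are assumptions, not facts from the thread. A live run needs an admin Kerberos ticket.

```shell
#!/bin/sh
# Added example, not FreeIPA code. Pre-flight check for the failure in this
# thread: with --setup-dns, ipa-replica-install adds the replica's own A record
# to the IPA zone that contains its FQDN, and dnsrecord_add refuses that when
# the zone is an IPA forward zone ("only master zones can contain records").
# Assumptions: the output labels of `ipa dnsforwardzone-find --all` are as in
# the constructed SAMPLE_FIND below, each zone has a single forwarder, and a
# live run has an admin Kerberos ticket.

# Constructed sample of `ipa dnsforwardzone-find --all` for the thread's setup
# (the forward policy of h2.int.pdp7.net is assumed to be the default, "first").
SAMPLE_FIND='---------------------------
2 DNS forward zones matched
---------------------------
  Zone name: h2.int.pdp7.net.
  Active zone: TRUE
  Zone forwarders: 10.42.42.1
  Forward policy: first
  Zone name: 42.42.10.in-addr.arpa.
  Active zone: TRUE
  Zone forwarders: 10.42.42.1
  Forward policy: only
----------------------------
Number of entries returned 2
----------------------------'

# "Zone name:" values from find output, one per line, trailing dot removed.
forward_zones() {
    printf '%s\n' "$1" | awk -F': ' '/^ *Zone name:/ { sub(/\.$/, "", $2); print $2 }'
}

# Print the longest zone in ZONES that equals, or is a parent of, NAME.
# Returns 1 (and prints nothing) when NAME is outside every listed zone.
enclosing_forward_zone() {
    name=${1%.}; best=""
    for z in $2; do
        case "$name" in
            "$z"|*."$z") if [ ${#z} -gt ${#best} ]; then best=$z; fi ;;
        esac
    done
    printf '%s' "$best"
    [ -n "$best" ]
}

# in-addr.arpa zone for an IPv4 /8, /16 or /24 prefix (what --name-from-ip
# maps those lengths to); other lengths return 1 and are out of scope here.
reverse_zone() {
    ip=${1%/*}; plen=${1#*/}
    o1=${ip%%.*}; r=${ip#*.}; o2=${r%%.*}; r=${r#*.}; o3=${r%%.*}
    case $plen in
        8)  printf '%s.in-addr.arpa' "$o1" ;;
        16) printf '%s.%s.in-addr.arpa' "$o2" "$o1" ;;
        24) printf '%s.%s.%s.in-addr.arpa' "$o3" "$o2" "$o1" ;;
        *)  return 1 ;;
    esac
}

# The `ipa dnsforwardzone-add` command that recreates ZONE with the forwarder
# and policy recorded in FIND_OUTPUT, for restoring it after the install.
restore_command() {
    printf '%s\n' "$2" | awk -F': ' -v z="$1" '
        /^ *Zone name:/                 { cur=$2; sub(/\.$/, "", cur) }
        /^ *Zone forwarders:/ && cur==z { fwd=$2 }
        /^ *Forward policy:/  && cur==z { pol=$2 }
        END { if (fwd != "")
                  printf "ipa dnsforwardzone-add %s --forwarder=%s --forward-policy=%s\n", z, fwd, pol }'
}

# Return 0 when the replica's A record can be created, 1 when its FQDN lies in
# a forward zone. A forward reverse zone only gets a note: the log in the
# thread shows the A record failing, not a PTR.
replica_dns_preflight() {
    fqdn=$1; cidr=$2; find_out=$3; rc=0
    zones=$(forward_zones "$find_out")
    if fz=$(enclosing_forward_zone "$fqdn" "$zones"); then
        echo "CONFLICT: $fqdn is inside forward zone $fz; the installer's A record add will fail."
        echo "  Delete the zone for the install (ipa dnsforwardzone-del $fz), then restore it with:"
        restore_command "$fz" "$find_out" | sed 's/^/    /'
        rc=1
    fi
    if rz=$(reverse_zone "$cidr") && enclosing_forward_zone "$rz" "$zones" >/dev/null; then
        echo "NOTE: reverse zone $rz is also a forward zone; IPA cannot hold PTR records for it."
    fi
    return $rc
}

# Live use: replica_dns_preflight "$(hostname -f)" 10.42.42.0/24 "$(ipa dnsforwardzone-find --all)"
if replica_dns_preflight ipa2.h2.int.pdp7.net 10.42.42.0/24 "$SAMPLE_FIND"; then
    echo "no forward-zone conflict; ipa-replica-install --setup-dns can proceed"
fi
```

Run it on the first server with `kinit admin` done and the real find output substituted for the sample; a non-zero exit means delete the reported zone, install the replica, then paste the printed restore command. Because the replica's name is then never stored in IPA DNS, the forward zone must come back before any client that relies on IPA DNS needs to reach the replica.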