Hi Martin Thanks a lot for you reply. We applied the LDIF patch and now we managed to add new zones. Many thanks!! Yes, you understood well that the DNS zones already had these attributes defined. However using the ldapsearch query from the ticket, these attributes did not show up in the current schema (which is why we then proceeded with the patch which fixed the problem). It is strange how the attributes managed to make their way in the existing DNS zones when they were not supported in the schema. If it helps, after applying the patch what we also noticed is that in UI, the allow query and transfer options now show up as editable form elements. Before they were not editable but just printed values. Thanks again. Regards John <div class="gmail_quote">On Mon, Jul 30, 2012 at 5:26 PM, Martin Kosek <<a href="mailto:mkosek@redhat.com" target="_blank">mkosek@redhat.com</a>> wrote: <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="im"> On 07/30/2012 03:21 PM, John Blaut wrote: > Hi > > I am following the same issue with Robert. > > In /etc/dirsrv/slapd-<DOMAIN>/schema/99user.ldif we can see that these new > attributes have been added. </div>Hello John, I assume that the new attributes were not added to the MAY list in idnsZone objectclass due to an issue with IPA upgrade which is already described in the following ticket: <a href="https://fedorahosted.org/freeipa/ticket/2440" target="_blank">https://fedorahosted.org/freeipa/ticket/2440</a> The ticket should contain more information about the issue and also an LDIF that should workaround it until a fix is released. <div class="im"> > > Unfortunately I couldn't verify using ldapsearch on 'cn=schema' to see if this > is indeed the case as well within the LDAP data. > > However if I browse other pre-existing DNS zones using ldapsearch I see that > these already have the two attributes in place, so I guess the update procedure > managed to insert them somehow: > > idnsAllowQuery: any; > idnsAllowTransfer: none; </div>If I understand it correctly, you have existing DNS zones with there attributes defined? I assume this would mean that idnsZone objectclass has the attribute list updated. But then it is quite strange that you get the '"idnsAllowTransfer" not allowed' error. Martin <div class="im"> > > So we are a bit confused that when trying to add a new zone, we get errors due > to these attributes. This is also preventing us to add new replicas (which > require new reverse zones). > > Regards > > John > > > On Mon, Jul 30, 2012 at 2:57 PM, Simo Sorce <<a href="mailto:simo@redhat.com">simo@redhat.com</a> </div><div class="im">> <mailto:<a href="mailto:simo@redhat.com">simo@redhat.com</a>>> wrote: > > On Mon, 2012-07-30 at 12:11 +0200, Robert Bowell wrote: > > Hi Simo, > > > > Thanks for your reply. > > > > Yes the IPA server has been updated from 2.1 to 2.2. Prior to the > > update, DNS zones could be created without any issues. > > > > I have also noticed that the command 'ipa ping' is displaying the > > incorrect IPA server version (IPA server version 2.1.90.rc1. API > > version 2.34) when infact the IPA server version 2.2.x should be > > displayed. > > This is odd, have you restarted httpd since the update ? > > The symptom below seem to suggest somethinhg went wrong in updating the > DNS schema where we added a few attributes to allow zone transfers. > > Can you check the ipaserver-upgrade.log file and see if there are any > errors in there ? > > Simo. > > > Regards, > > > > Robert.. > > > > > > On 27 July 2012 17:29, Simo Sorce <<a href="mailto:simo@redhat.com">simo@redhat.com</a> </div><div class="im">> <mailto:<a href="mailto:simo@redhat.com">simo@redhat.com</a>>> wrote: > > On Thu, 2012-07-26 at 09:47 +0200, Robert Bowell wrote: > > > Hi, > > > > > > > > > I'm encountering a strange problem.. upon trying to add a > > new DNS zone > > > the following message is being displayed "attribute > > > "idnsAllowTransfer" not allowed" and the DNS entry is not > > created. Has > > > any one ever encountered such a problem if so what needs to > > be done to > > > resolve it ? > > > > > > > > > IPA server version 2.1.3. API version 2.13 > > > > > > > > > Was this server upgraded from a 2.0.x one ? > > > > Simo. > > > > -- > > Simo Sorce * Red Hat, Inc * New York > > > > > > > -- > Simo Sorce * Red Hat, Inc * New York > > _______________________________________________ > Freeipa-users mailing list </div>> <a href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a> <mailto:<a href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a>> > <a href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a> <div class="HOEnZb"><div class="h5">> > > > > _______________________________________________ > Freeipa-users mailing list > <a href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a> > <a href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a> > </div></div></blockquote></div>