[Freeipa-users] IPA Error 4205 attribute "idnsAllowTransfer" not allowed

John Blaut john.blaut at gmail.com
Mon Jul 30 16:09:24 UTC 2012


Hi Martin

Thanks a lot for your reply.

We applied the LDIF patch and now we managed to add new zones. Many thanks!!

Yes, you understood well that the DNS zones already had these attributes
defined.
However using the ldapsearch query from the ticket, these attributes did
not show up in the current schema (which is why we then proceeded with the
patch which fixed the problem).
It is strange how the attributes managed to make their way in the existing
DNS zones when they were not supported in the schema.
If it helps, after applying the patch what we also noticed is that in the UI,
the allow query and transfer options now show up as editable form elements.
Before they were not editable but just printed values.

Thanks again.

Regards

John


On Mon, Jul 30, 2012 at 5:26 PM, Martin Kosek <mkosek at redhat.com> wrote:

>
> On 07/30/2012 03:21 PM, John Blaut wrote:
> > Hi
> >
> > I am following the same issue with Robert.
> >
> > In /etc/dirsrv/slapd-<DOMAIN>/schema/99user.ldif we can see that these new
> > attributes have been added.
>
> Hello John,
>
> I assume that the new attributes were not added to the MAY list in idnsZone
> objectclass due to an issue with IPA upgrade which is already described in the
> following ticket:
>
> https://fedorahosted.org/freeipa/ticket/2440
>
> The ticket should contain more information about the issue and also an LDIF
> that should work around it until a fix is released.
>
> >
> > Unfortunately I couldn't verify using ldapsearch on 'cn=schema' to see if this
> > is indeed the case as well within the LDAP data.
> >
> > However if I browse other pre-existing DNS zones using ldapsearch I see that
> > these already have the two attributes in place, so I guess the update procedure
> > managed to insert them somehow:
> >
> > idnsAllowQuery: any;
> > idnsAllowTransfer: none;
>
> If I understand it correctly, you have existing DNS zones with these attributes
> defined? I assume this would mean that idnsZone objectclass has the attribute
> list updated. But then it is quite strange that you get the
> '"idnsAllowTransfer" not allowed' error.
>
> Martin
>
> >
> > So we are a bit confused that when trying to add a new zone, we get errors due
> > to these attributes. This is also preventing us from adding new replicas (which
> > require new reverse zones).
> >
> > Regards
> >
> > John
> >
> >
> > On Mon, Jul 30, 2012 at 2:57 PM, Simo Sorce <simo at redhat.com> wrote:
> >
> >     On Mon, 2012-07-30 at 12:11 +0200, Robert Bowell wrote:
> >     > Hi Simo,
> >     >
> >     > Thanks for your reply.
> >     >
> >     > Yes the IPA server has been updated from 2.1 to 2.2. Prior to the
> >     > update, DNS zones could be created  without any issues.
> >     >
> >     > I have also noticed that the command  'ipa ping' is displaying the
> >     > incorrect IPA server version (IPA server version 2.1.90.rc1. API
> >     > version 2.34) when in fact the IPA server version 2.2.x should be
> >     > displayed.
> >
> >     This is odd, have you restarted httpd since the update?
> >
> >     The symptom below seems to suggest something went wrong in updating the
> >     DNS schema where we added a few attributes to allow zone transfers.
> >
> >     Can you check the ipaserver-upgrade.log file and see if there are any
> >     errors in there?
> >
> >     Simo.
> >
> >     > Regards,
> >     >
> >     > Robert..
> >     >
> >     >
> >     > On 27 July 2012 17:29, Simo Sorce <simo at redhat.com> wrote:
> >     >         On Thu, 2012-07-26 at 09:47 +0200, Robert Bowell wrote:
> >     >         > Hi,
> >     >         >
> >     >         >
> >     >         > I'm encountering a strange problem.. upon trying to add a new DNS zone
> >     >         > the following message is being displayed "attribute
> >     >         > "idnsAllowTransfer" not allowed" and the DNS entry is not created. Has
> >     >         > any one ever encountered such a problem if so what needs to be done to
> >     >         > resolve it ?
> >     >         >
> >     >         >
> >     >         > IPA server version 2.1.3. API version 2.13
> >     >         >
> >     >
> >     >
> >     >         Was this server upgraded from a 2.0.x one ?
> >     >
> >     >         Simo.
> >     >
> >     >         --
> >     >         Simo Sorce * Red Hat, Inc * New York
> >     >
> >     >
> >
> >
> >     --
> >     Simo Sorce * Red Hat, Inc * New York
> >
> >     _______________________________________________
> >     Freeipa-users mailing list
> >     Freeipa-users at redhat.com
> >     https://www.redhat.com/mailman/listinfo/freeipa-users
> >
> >
> >
> >
> >
>
>
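
The schema check discussed in this thread (whether `idnsAllowQuery` and `idnsAllowTransfer` are among the attributes the `idnsZone` objectclass allows), as an added example that is not part of the original messages and not FreeIPA code. The LDIF sample, its OIDs and the superclass `exampleDnsBase` are constructed for illustration; the function names are hypothetical.

```python
import re

# Constructed sample in the style of a 389-ds schema LDIF: placeholder OIDs,
# shortened attribute lists, and a hypothetical superclass 'exampleDnsBase'.
SAMPLE_LDIF = """\
dn: cn=schema
objectClasses: ( 1.3.6.1.4.1.99999.1.1 NAME 'idnsZone' DESC 'MAY list lacks it'
  SUP exampleDnsBase STRUCTURAL MUST ( idnsName $ idnsZoneActive )
  MAY ( idnsUpdatePolicy $ idnsAllowQuery ) )
objectClasses: ( 1.3.6.1.4.1.99999.1.2 NAME 'exampleDnsBase' SUP top
  ABSTRACT MUST idnsName MAY ( aRecord $ cNAMERecord ) )
"""

def _field(keyword, body):
    """Names following SUP/MUST/MAY, written either as 'x' or '( a $ b )'."""
    m = re.search(r"\b%s\s+(?:\(([^)]*)\)|(\S+))" % keyword, body)
    raw = (m.group(1) or m.group(2) or "") if m else ""
    return {n.strip().lower() for n in raw.split("$") if n.strip()}

def parse_objectclasses(ldif):
    """Map lower-cased objectclass name -> {'SUP', 'MUST', 'MAY'} name sets."""
    classes = {}
    unfolded = re.sub(r"\r?\n ", "", ldif)  # undo LDIF line folding
    for line in unfolded.splitlines():
        m = re.match(r"objectClasses:\s*(\(.*)", line, re.I)
        if not m:
            continue  # other attributes, or base64 ('::') values
        name = re.search(r"\bNAME\s+\(?\s*'([^']+)'", m.group(1))
        if not name:
            continue
        # Blank out quoted strings so a DESC containing "MAY" cannot match.
        body = re.sub(r"'[^']*'", "''", m.group(1))
        classes[name.group(1).lower()] = {
            k: _field(k, body) for k in ("SUP", "MUST", "MAY")}
    return classes

def allowed_attrs(classes, objectclass, _seen=None):
    """Attributes allowed by a class plus any superclasses found in `classes`."""
    seen = _seen if _seen is not None else set()
    key = objectclass.lower()
    if key not in classes or key in seen:
        return set()  # unknown class (e.g. 'top' not in this file) or a loop
    seen.add(key)
    attrs = classes[key]["MUST"] | classes[key]["MAY"]
    for sup in classes[key]["SUP"]:
        attrs |= allowed_attrs(classes, sup, seen)
    return attrs

def missing_attrs(ldif, objectclass, wanted):
    """Return the wanted attributes that the objectclass does not allow."""
    allowed = allowed_attrs(parse_objectclasses(ldif), objectclass)
    return sorted(a for a in wanted if a.lower() not in allowed)

if __name__ == "__main__":
    print(missing_attrs(SAMPLE_LDIF, "idnsZone",
                        ["idnsAllowQuery", "idnsAllowTransfer"]))
```

The same functions can be fed the text of a schema file such as 99user.ldif or saved ldapsearch output from 'cn=schema'; an empty result means the objectclass definition already permits both attributes.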