[Freeipa-users] dns stops working after upgrade

Petr Spacek pspacek at redhat.com
Tue Nov 4 14:52:43 UTC 2014 

On 4.11.2014 15:27, Rob Verduijn wrote:
> Hello again,
>
> I've managed to integrate my katello configuration with freeipa.
> Now I not only use freeipa authentication in katello but also when a host
> is defined in katello it automagically gets created in the freeipa realm ,
> certs, otp,dns all working great.
>
> however, to obtain all this integration greatness I had to downgrade my
> freeipa to 3.3.5 again (revert snapshot) because the katello realm
> integration tool (foreman-prepare-realm) is not capable of dealing with 4.X
> versions of freeipa.
It would be nice if you could get tell us more details about the problem you 
had with Katello, AFAIK we are not aware of any.

> And now the named-pkcs11 again does not see my internal zones.
>
> This page
> https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/NamedCannotStart thinks
> I should contact the freeipa-users list

Do I understand correctly that you did all the steps 0-4 successfully and then 
you found out that you can't see DNS objects in LDAP (step 5) when using 
ldapsearch with DNS principal?

Can you see the objects in IPA web UI or CLI? If it is the case then we will 
need help from LDAP ACI expert (pviktori? :-).

Petr^2 Spacek

> The command 'ipa-ldap-updater
> /usr/share/ipa/updates/55-pbacmemberof.update' didn't fix it.
> and the command 'ipa-ldap-updater' didn't fix it either.
>
> So I am now stuck at freeipa 3.3.5 again (with a working katello
> integration, so I got some mixed emotions about it)
> Any ideas anyone ?
> Rob
>
>
>
>
>
>
> 2014-10-29 22:14 GMT+01:00 Rob Verduijn <rob.verduijn at gmail.com>:
>
>> Hello,
>>
>> I've tested the update again.
>>
>> The bind-utils conflict is still there when I issue "yum update
>> freeipa-server" ( as indicated on the freeipa 4.1 download page
>> http://www.freeipa.org/page/Downloads#Upgrading )
>>
>> 'yum update' works fine
>>
>> My internal zones didn't resolv after the update
>> ipa-ldap-updater /usr/share/ipa/updates/55-pbacmemberof.update didn't fix
>> it
>> ipa-ldap-updater did fix the 'access control instructions' and my internal
>> dns zones started to resolv again :-)
>>
>> Cheers
>> Rob
>>
>>
>> 2014-10-29 18:14 GMT+01:00 Petr Spacek <pspacek at redhat.com>:
>>
>>> On 29.10.2014 16:46, Rob Verduijn wrote:
>>>
>>>> Hello,
>>>>
>>>> # ipa-ldap-updater /usr/share/ipa/updates/55-pbacmemberof.update
>>>>    fixes the problem.
>>>>
>>>> I can resolv my internal dns zones again:-)
>>>>
>>>> Many thanx.
>>>>
>>>> Since this problem happened every time I tried to update the freeipa
>>>> server.
>>>> I could re-run the update with some debug options if you like so you can
>>>> pinpoint what goes wrong with the update script if you like.
>>>>
>>>
>>> I have re-build some packages in mkosek's CORP so now you should not see
>>> encounter dependency problems. Simple 'yum upgrade' should give you all the
>>> required packages.
>>>
>>> We are looking at other problems in upgrade process right now so there is
>>> not much to test except package dependencies.
>>>
>>> --
>>> Petr^2 Spacek

More information about the Freeipa-users mailing list