[Freeipa-users] dns stops working after upgrade

Rob Crittenden rcritten at redhat.com
Wed Nov 5 14:41:59 UTC 2014


Petr Spacek wrote:
> On 4.11.2014 17:15, Rob Verduijn wrote:
>> The problem with 'foreman-prepare-realm' and freeipa was that it claimed
>> that a few of the permissions required did not exist when it tried to add
>> them to the 'smart proxy host management' privilege.
>>
>> I think it was because the permissions were all in lower case without the
>> 'System: ' prefix. This is just an assumption since I did not get to work
>> even after adding them manually. So I figured to try it again after
>> reverting back to 3.3.5.
>>
>> After downgrading I learned that it did not work due to a bug in a ruby
>> script. (fixed by commenting out line 505-506
>> in /usr/share/ruby/xmlrpc/client.rb on the katello host, see
>> https://bugs.ruby-lang.org/issues/8182 and
>> https://bugzilla.redhat.com/show_bug.cgi?id=1071187 )
>>
>> After which I tried the upgrade again.
>>
>> regarding
>> https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/NamedCannotStart
>> I did look again using the credentials as mentioned in step 4. and saw
>> only
>> 3 objects (1x idnsConfigObject 2x nsContainer)
>> When using admin credentials I saw all the dns zone entries.
>>
>> I can see the zone entries in the ipa gui.
>>
>> Also when I look at the permissions in ipa there are no longer any
>> permissions that have the 'System: ' prefix.
> 
> AFAIK the foreman proxy is not necessary (and not supported) with IPA
> 4.x because it was obsoleted by 'native' proxy delivered by Foreman
> upstream.
> 
> Am I right, Rob (Crittenden)? :-)

I believe he's referring to the native smart proxy here. It includes a
script to set up permissions. I guess it hasn't been tested against a 4.x
IPA master.

rob


> Anyway, back to your DNS problem. Did it work before you installed
> Foreman proxy? Or not? I.e. is it working when you revert the snapshot?
> 
> Do you have other replicas in the replication topology? Please keep in
> mind that changes in LDAP (including changes to permissions) are
> replicated so reverting one VM and not others is not necessarily enough.
> 
> Petr^2 Spacek
> 
>> 2014-11-04 15:52 GMT+01:00 Petr Spacek <pspacek at redhat.com>:
>>
>>> On 4.11.2014 15:27, Rob Verduijn wrote:
>>>
>>>> Hello again,
>>>>
>>>> I've managed to integrate my katello configuration with freeipa.
>>>> Now I not only use freeipa authentication in katello but also when a
>>>> host
>>>> is defined in katello it automagically gets created in the freeipa
>>>> realm ,
>>>> certs, otp,dns all working great.
>>>>
>>>> However, to obtain all this integration greatness I had to downgrade my
>>>> freeipa to 3.3.5 again (revert snapshot) because the katello realm
>>>> integration tool (foreman-prepare-realm) is not capable of dealing with
>>>> 4.X
>>>> versions of freeipa.
>>>>
>>> It would be nice if you could tell us more details about the problem
>>> you had with Katello, AFAIK we are not aware of any.
>>>
>>>> And now the named-pkcs11 again does not see my internal zones.
>>>>
>>>> This page
>>>> https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/NamedCannotStart
>>>> thinks
>>>> I should contact the freeipa-users list
>>>>
>>>
>>> Do I understand correctly that you did all the steps 0-4 successfully
>>> and
>>> then you found out that you can't see DNS objects in LDAP (step 5) when
>>> using ldapsearch with DNS principal?
>>>
>>> Can you see the objects in IPA web UI or CLI? If it is the case then we
>>> will need help from LDAP ACI expert (pviktori? :-).
>>>
>>> Petr^2 Spacek
>>>
>>>
>>>> The command 'ipa-ldap-updater
>>>> /usr/share/ipa/updates/55-pbacmemberof.update' didn't fix it.
>>>> and the command 'ipa-ldap-updater' didn't fix it either.
>>>>
>>>> So I am now stuck at freeipa 3.3.5 again (with a working katello
>>>> integration, so I got some mixed emotions about it)
>>>> Any ideas anyone ?
>>>> Rob
>>>>
>>>> 2014-10-29 22:14 GMT+01:00 Rob Verduijn <rob.verduijn at gmail.com>:
>>>>
>>>>> Hello,
>>>>>
>>>>> I've tested the update again.
>>>>>
>>>>> The bind-utils conflict is still there when I issue "yum update
>>>>> freeipa-server" ( as indicated on the freeipa 4.1 download page
>>>>> http://www.freeipa.org/page/Downloads#Upgrading )
>>>>>
>>>>> 'yum update' works fine
>>>>>
>>>>> My internal zones didn't resolve after the update
>>>>> ipa-ldap-updater /usr/share/ipa/updates/55-pbacmemberof.update didn't
>>>>> fix
>>>>> it
>>>>> ipa-ldap-updater did fix the 'access control instructions' and my
>>>>> internal
>>>>> dns zones started to resolve again :-)
>>>>>
>>>>> Cheers
>>>>> Rob
>>>>>
>>>>>
>>>>> 2014-10-29 18:14 GMT+01:00 Petr Spacek <pspacek at redhat.com>:
>>>>>
>>>>>> On 29.10.2014 16:46, Rob Verduijn wrote:
>>>>>>
>>>>>>> Hello,
>>>>>>>
>>>>>>> # ipa-ldap-updater /usr/share/ipa/updates/55-pbacmemberof.update
>>>>>>>     fixes the problem.
>>>>>>>
>>>>>>> I can resolve my internal dns zones again :-)
>>>>>>>
>>>>>>> Many thanx.
>>>>>>>
>>>>>>> Since this problem happened every time I tried to update the freeipa
>>>>>>> server, I could re-run the update with some debug options if you like,
>>>>>>> so you can pinpoint what goes wrong with the update script.
>>>>>>>
>>>>>>>
>>>>>> I have rebuilt some packages in mkosek's COPR so now you should
>>>>>> not encounter dependency problems. A simple 'yum upgrade' should give
>>>>>> you all the required packages.
>>>>>>
>>>>>> We are looking at other problems in the upgrade process right now so
>>>>>> there is not much to test except package dependencies.
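As an added diagnostic for the step-5 check discussed in this thread (whether the named service principal can read the DNS zones under cn=dns, or only sees the idnsConfigObject and nsContainer entries), here is a shell helper; it is not code from the thread or from the FreeIPA project. It assumes the named keytab is /etc/named.keytab with principal DNS/<fqdn>, and that the DNS tree lives at cn=dns under the base DN passed as the first argument.

```shell
#!/bin/bash
# Added example: check whether the named service identity can read the DNS
# zones in LDAP, which is what the NamedCannotStart step-5 ldapsearch tests.
# Assumptions: keytab /etc/named.keytab, principal DNS/<fqdn>, zones under
# cn=dns,<suffix>. Adjust these for your deployment.

# Summarise ldapsearch -LLL output from stdin: one "objectClass count" line
# per DNS-related class. Prints "idnsZone 0" explicitly when no zone is seen.
summarize_dns_ldif() {
    awk '
        /^objectClass: (idnsZone|idnsRecord|idnsConfigObject|nsContainer)$/ { c[$2]++ }
        END {
            if (!("idnsZone" in c)) c["idnsZone"] = 0
            for (k in c) print k, c[k]
        }' | LC_ALL=C sort
}

# Exit 0 if at least one idnsZone is readable, 1 otherwise. Seeing only
# idnsConfigObject and nsContainer entries (the symptom in the thread) means
# the ACIs do not grant the DNS principal read access to the zones.
zones_visible() {
    summarize_dns_ldif | awk '$1 == "idnsZone" { n = $2 } END { if (n > 0) exit 0; exit 1 }'
}

# Live check on an IPA master; needs root to read the keytab. Not run by tests.
check_named_view() {
    suffix="$1"                                   # e.g. dc=example,dc=com
    host="$(hostname -f)"
    export KRB5CCNAME=/tmp/named_view.ccache      # keep the admin ticket untouched
    kinit -k -t /etc/named.keytab "DNS/$host" || return 2
    ldapsearch -Y GSSAPI -H "ldap://$host" -LLL -b "cn=dns,$suffix" \
        '(objectClass=*)' objectClass | summarize_dns_ldif
    kdestroy
}
```

If the DNS principal reports `idnsZone 0` while the same search as admin lists the zones, the ACIs are the problem, and re-running ipa-ldap-updater as described above is the fix to try first.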