[Freeipa-users] dns stops working after upgrade

Petr Spacek pspacek at redhat.com
Wed Nov 5 15:11:50 UTC 2014


Hello,

Rob V., you did not answer my question about when DNS worked for you the last time.
Did it work right after reverting the snapshot?

Petr^2 Spacek

On 5.11.2014 16:09, Rob Verduijn wrote:
> Hello again,
>
> I don't know about Foreman upstream; the current version that I am using,
> included in the Katello installation, is 1.6,
> and the Foreman manpage still requires the configuration of the
> realm-smart-proxy:
> http://www.theforeman.org/manuals/1.6/index.html#4.3.9Realm
>
> About the snapshot:
> I removed all the Katello entries from my current FreeIPA installation (I
> peeked in the script to see what it did):
>    - user (foreman-realm)
>    - role (Smart Host Proxy Manager)
>    - privilege (Smart Host Proxy Management)
>    - 3 custom permissions (modify host password, write host certificate,
> modify host userclass)
> then applied the update to FreeIPA 4.1.
> My local DNS zones did not resolve again.
> Running the ipa-ldap-updater did not fix it.
>
> So I guess that it is not due to the katello integration or the
> realm-smart-proxy script.
>
> Rob
>
> 2014-11-05 14:39 GMT+01:00 Petr Spacek <pspacek at redhat.com>:
>
>> On 4.11.2014 17:15, Rob Verduijn wrote:
>>
>>> The problem with 'foreman-prepare-realm' and FreeIPA was that it claimed
>>> that a few of the permissions required did not exist when it tried to add
>>> them to the 'smart proxy host management' privilege.
>>>
>>> I think it was because the permissions were all in lower case without the
>>> 'System: ' prefix. This is just an assumption, since I did not get it to work
>>> even after adding them manually. So I figured to try it again after
>>> reverting back to 3.3.5.
>>>
>>> After downgrading I learned that it did not work due to a bug in a Ruby
>>> script (fixed by commenting out lines 505-506
>>> in /usr/share/ruby/xmlrpc/client.rb on the Katello host, see
>>> https://bugs.ruby-lang.org/issues/8182 and
>>> https://bugzilla.redhat.com/show_bug.cgi?id=1071187).
>>>
>>> After which I tried the upgrade again.
>>>
>>> Regarding
>>> https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/NamedCannotStart
>>> I did look again using the credentials as mentioned in step 4 and saw
>>> only 3 objects (1x idnsConfigObject, 2x nsContainer).
>>> When using admin credentials I saw all the DNS zone entries.
>>>
>>> I can see the zone entries in the ipa gui.
>>>
>>> Also when I look at the permissions in ipa there are no longer any
>>> permissions that have the 'System: ' prefix.
>>>
>>
>> AFAIK the Foreman proxy is not necessary (and not supported) with IPA 4.x
>> because it was obsoleted by the 'native' proxy delivered by Foreman upstream.
>>
>> Am I right, Rob (Crittenden)? :-)
>>
>> Anyway, back to your DNS problem. Did it work before you installed the
>> Foreman proxy? Or not? I.e. is it working when you revert the snapshot?
>>
>> Do you have other replicas in the replication topology? Please keep in
>> mind that changes in LDAP (including changes to permissions) are replicated
>> so reverting one VM and not others is not necessarily enough.
>>
>> Petr^2 Spacek
>>
>>
>>> 2014-11-04 15:52 GMT+01:00 Petr Spacek <pspacek at redhat.com>:
>>>
>>>> On 4.11.2014 15:27, Rob Verduijn wrote:
>>>>
>>>>> Hello again,
>>>>>
>>>>> I've managed to integrate my Katello configuration with FreeIPA.
>>>>> Now I not only use FreeIPA authentication in Katello but also when a host
>>>>> is defined in Katello it automagically gets created in the FreeIPA realm,
>>>>> certs, OTP, DNS all working great.
>>>>>
>>>>> However, to obtain all this integration greatness I had to downgrade my
>>>>> FreeIPA to 3.3.5 again (revert snapshot) because the Katello realm
>>>>> integration tool (foreman-prepare-realm) is not capable of dealing with
>>>>> 4.x versions of FreeIPA.
>>>>
>>>> It would be nice if you could tell us more details about the problem
>>>> you had with Katello, AFAIK we are not aware of any.
>>>>
>>>>> And now the named-pkcs11 again does not see my internal zones.
>>>>>
>>>>> This page
>>>>> https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/NamedCannotStart
>>>>> thinks I should contact the freeipa-users list
>>>>
>>>> Do I understand correctly that you did all the steps 0-4 successfully and
>>>> then you found out that you can't see DNS objects in LDAP (step 5) when
>>>> using ldapsearch with the DNS principal?
>>>>
>>>> Can you see the objects in the IPA web UI or CLI? If it is the case then we
>>>> will need help from an LDAP ACI expert (pviktori? :-).
>>>>
>>>> Petr^2 Spacek
>>>>
>>>>> The command 'ipa-ldap-updater
>>>>> /usr/share/ipa/updates/55-pbacmemberof.update' didn't fix it,
>>>>> and the command 'ipa-ldap-updater' didn't fix it either.
>>>>>
>>>>> So I am now stuck at FreeIPA 3.3.5 again (with a working Katello
>>>>> integration, so I got some mixed emotions about it).
>>>>> Any ideas anyone?
>>>>> Rob
>>>>>
>>>>> 2014-10-29 22:14 GMT+01:00 Rob Verduijn <rob.verduijn at gmail.com>:
>>>>>
>>>>>> Hello,
>>>>>>
>>>>>> I've tested the update again.
>>>>>>
>>>>>> The bind-utils conflict is still there when I issue "yum update
>>>>>> freeipa-server" (as indicated on the FreeIPA 4.1 download page
>>>>>> http://www.freeipa.org/page/Downloads#Upgrading).
>>>>>>
>>>>>> 'yum update' works fine.
>>>>>>
>>>>>> My internal zones didn't resolve after the update.
>>>>>> ipa-ldap-updater /usr/share/ipa/updates/55-pbacmemberof.update didn't
>>>>>> fix it.
>>>>>> ipa-ldap-updater did fix the 'access control instructions' and my
>>>>>> internal DNS zones started to resolve again :-)
>>>>>>
>>>>>> Cheers
>>>>>> Rob
>>>>>>
>>>>>> 2014-10-29 18:14 GMT+01:00 Petr Spacek <pspacek at redhat.com>:
>>>>>>
>>>>>>> On 29.10.2014 16:46, Rob Verduijn wrote:
>>>>>>>
>>>>>>>> Hello,
>>>>>>>>
>>>>>>>> # ipa-ldap-updater /usr/share/ipa/updates/55-pbacmemberof.update
>>>>>>>> fixes the problem.
>>>>>>>>
>>>>>>>> I can resolve my internal DNS zones again :-)
>>>>>>>>
>>>>>>>> Many thanx.
>>>>>>>>
>>>>>>>> Since this problem happened every time I tried to update the FreeIPA
>>>>>>>> server,
>>>>>>>> I could re-run the update with some debug options if you like so you
>>>>>>>> can pinpoint what goes wrong with the update script.
>>>>>>>
>>>>>>> I have rebuilt some packages in mkosek's COPR so now you should
>>>>>>> not encounter dependency problems. Simple 'yum upgrade' should give you
>>>>>>> all the required packages.
>>>>>>>
>>>>>>> We are looking at other problems in the upgrade process right now so there
>>>>>>> is not much to test except package dependencies.
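The diagnostic step the thread relies on (comparing what ldapsearch returns under cn=dns when run with the DNS service principal's ticket versus as admin) can be scripted. The following is an added example, not code from the thread or from FreeIPA: the LDIF samples and the dc=example,dc=test suffix are constructed, and the function flags idnsZone entries that admin can see but the DNS principal cannot, which is the symptom the thread attributes to missing ACIs after the upgrade.

```python
# Added example, not from the thread or FreeIPA: compare the LDIF printed by
# two ldapsearch runs under cn=dns and list zones only admin can see.
from typing import Dict, List, Set

# Constructed sample output, modelled on the thread: as the DNS service
# principal only the idnsConfigObject and nsContainer entries were visible.
AS_DNS_PRINCIPAL = """\
dn: cn=dns,dc=example,dc=test
objectClass: idnsConfigObject
objectClass: nsContainer

dn: cn=servers,cn=dns,dc=example,dc=test
objectClass: nsContainer
"""
# As admin the zones appear as well; the last DN is folded as ldapsearch does.
AS_ADMIN = AS_DNS_PRINCIPAL + """
dn: idnsname=example.test.,cn=dns,dc=example,dc=test
objectClass: idnsZone

dn: idnsname=10.in-addr.arpa.,cn=dns,
 dc=example,dc=test
objectClass: idnsZone
"""

def parse_ldif(text: str) -> Dict[str, Set[str]]:
    """Map each entry's DN to its objectClass values (folded lines unfolded)."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]  # LDIF folds long values onto space-led lines
        else:
            lines.append(raw)
    entries: Dict[str, Set[str]] = {}
    dn, classes = None, set()
    for line in lines + [""]:  # sentinel flushes the final entry
        if not line.strip():
            if dn is not None:
                entries[dn] = classes
            dn, classes = None, set()
        elif line.lower().startswith("dn:"):
            dn = line.split(":", 1)[1].strip()
        elif line.lower().startswith("objectclass:"):
            classes.add(line.split(":", 1)[1].strip())
    return entries

def hidden_zones(admin_ldif: str, principal_ldif: str) -> List[str]:
    """idnsZone DNs visible to admin but not to the DNS principal."""
    admin, principal = parse_ldif(admin_ldif), parse_ldif(principal_ldif)
    return sorted(dn for dn, cls in admin.items()
                  if "idnsZone" in cls and dn not in principal)
```

A non-empty result means named's identity is being denied read access to zones that exist in LDAP, the situation the thread resolved by running ipa-ldap-updater.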