Having PTR sync enabled in global DNS configuration and installing
with --enable-dns-updates option, ipa master still does not create a PTR
record for the client machine. As a result, ipa-replica-install
throws the
following error:

ipa         : ERROR    Reverse DNS resolution of address
(f22replica1.pesen.net) failed. Clients may not function properly.
check your DNS setup. (Note that this check queries IPA DNS directly and
ignores /etc/hosts.)

I believe you also need to have the PTR sync enabled in the forward zone

Today I was unable to reproduce this issue with just PTR sync enabled in
global dns configuration. I wonder, what might have caused it. Anyway,
today I hit a number of other issues with replica promotion.

1. At one point ipa-replica-install on a configured client has thrown
the following error:

Configuring ipa-custodia
   [1/5]: Generating ipa-custodia config file
   [2/5]: Generating ipa-custodia keys
   [3/5]: Importing RA Key
   [error] HTTPError: 502 Server Error: Proxy Error
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

ipa.ipapython.install.cli.install_tool(Replica): ERROR    502 Server
Error: Proxy Error

(corresponding part of the error log of dirsrv attached)

Seems like the peer server was unreachable?
Was there a networking problem?

2. The second attempt after re-enrolling client resulted in the error of
CA installation:

Starting replication, please wait until this has completed.
Update in progress, 7 seconds elapsed
Update succeeded

   [4/24]: creating installation admin user
   [5/24]: setting up certificate server
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to
configure CA instance: Command ''/usr/sbin/pkispawn' '-s' 'CA' '-f'
'/tmp/tmpHAJVFG'' returned non-zero exit status 1
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL See the
installation logs and the following files/directories for more information:
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL
   [error] RuntimeError: CA configuration failed.
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

ipa.ipapython.install.cli.install_tool(Replica): ERROR    CA
configuration failed.

This is due to the known bug with authentication in Dogtag. Endy fixed it upstream.

Do you know when the bug will be released in a package we can use for testing?

Weird thing is that the mentioned log files were missing from the system.

3. This is probably not related to replica promotions, but anyway:
when I do `ipa host-del --updatedns %client_hostname%` on master, it
does delete the host, but *preserves* dns records (in both zones).
Is --updatedns option not aimed at automatic deletion of dns records?

I do not know that it does help, but I tend to use --force when deleting a failed replica.


Simo Sorce * Red Hat, Inc * New York
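The "Reverse DNS resolution of address ... failed" message discussed at the top of the thread comes from a pre-flight check that resolves the replica's hostname and then resolves each address back to a name. The following is an added example, not FreeIPA's own code, of the same forward/reverse consistency check written so it can be run before ipa-replica-install. The hostname f22replica1.pesen.net is taken from the thread; the resolver answers used in the self-test are constructed, and the `forward`/`reverse` callback parameters are an assumption of this example, not an installer option.

```python
"""Forward/reverse DNS consistency check for a prospective FreeIPA replica.

Added example (not FreeIPA code). For every address the hostname resolves
to, a PTR lookup is performed and the returned name is compared with the
hostname. A host is "ready" only when it has at least one address and
every PTR record agrees with the forward name.
"""
import socket
from typing import Callable, Dict, List, Optional

# Resolver callbacks are injectable so the logic can be exercised offline.
ForwardResolver = Callable[[str], List[str]]
ReverseResolver = Callable[[str], Optional[str]]


def system_forward(hostname: str) -> List[str]:
    """Resolve hostname to its IPv4/IPv6 addresses via the system resolver."""
    try:
        infos = socket.getaddrinfo(hostname, None)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def system_reverse(address: str) -> Optional[str]:
    """PTR lookup: resolve an address back to its canonical name, or None."""
    try:
        return socket.gethostbyaddr(address)[0]
    except (socket.herror, socket.gaierror):
        return None


def check_dns_consistency(hostname: str,
                          forward: ForwardResolver = system_forward,
                          reverse: ReverseResolver = system_reverse) -> Dict[str, str]:
    """Map each address of hostname to a status string.

    "ok"              PTR name matches hostname (case-insensitive, trailing dot ignored)
    "missing-ptr"     no PTR record exists for the address
    "mismatch:<name>" PTR record points at a different name
    """
    host = hostname.rstrip(".").lower()
    result: Dict[str, str] = {}
    for addr in forward(host):
        name = reverse(addr)
        if name is None:
            result[addr] = "missing-ptr"
        elif name.rstrip(".").lower() == host:
            result[addr] = "ok"
        else:
            result[addr] = "mismatch:" + name.rstrip(".").lower()
    return result


def is_replica_ready(hostname: str,
                     forward: ForwardResolver = system_forward,
                     reverse: ReverseResolver = system_reverse) -> bool:
    """True only when the host resolves and every PTR record agrees."""
    statuses = check_dns_consistency(hostname, forward, reverse)
    return bool(statuses) and all(s == "ok" for s in statuses.values())


# Constructed resolver answers for an offline self-check (not real records):
# one address has a correct PTR, the other has none, as in the thread's failure.
_FORWARD = {"f22replica1.pesen.net": ["192.0.2.10", "192.0.2.11"]}
_REVERSE = {"192.0.2.10": "f22replica1.pesen.net.", "192.0.2.11": None}


def fake_forward(hostname: str) -> List[str]:
    return list(_FORWARD.get(hostname, []))


def fake_reverse(address: str) -> Optional[str]:
    return _REVERSE.get(address)


if __name__ == "__main__":
    for addr, status in check_dns_consistency(
            "f22replica1.pesen.net", fake_forward, fake_reverse).items():
        print(addr, status)
    print("ready:", is_replica_ready("f22replica1.pesen.net", fake_forward, fake_reverse))
```

One caveat matters when using this against a live host: the `socket`-based resolvers here go through the system resolver and therefore honour /etc/hosts, whereas the IPA check queries IPA DNS directly and ignores it. To reproduce the installer's view, point the lookups at the IPA master's DNS server (for example with `dig @<master>` for the forward and `dig @<master> -x` for the reverse query) rather than trusting the local resolver configuration.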

