Yeah, think so, filed:

https://bugzilla.redhat.com/show_bug.cgi?id=1533228

On Wed, Jan 10, 2018 at 8:07 PM, Martin Basti via FreeIPA-users <
freeipa-users@lists.fedorahosted.org> wrote:

> You should open a bug about this, IPA should not fail if the zone where
> the replica belongs is a forward zone.
>
> Probably the easiest solution might be to update FreeIPA's code before
> installing.
> /usr/lib/python??/site-packages/ipaserver/install/bindinstance.py:add_rr
> and replace the lines shown in the diff:
>
> --- a/ipaserver/install/bindinstance.py
> +++ b/ipaserver/install/bindinstance.py
> @@ -357,7 +357,7 @@ def add_rr(zone, name, type, rdata, dns_backup=None,
> api=api, **kwargs):
>      addkw.update(kwargs)
>      try:
>          api.Command.dnsrecord_add(unicode(zone), unicode(name), **addkw)
> -    except (errors.DuplicateEntry, errors.EmptyModlist):
> +    except (errors.DuplicateEntry, errors.EmptyModlist,
> errors.ValidationError):
>          pass
>      if dns_backup:
>          dns_backup.add(zone, type, name, rdata)
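
Review bot: Adding errors.ValidationError to the except tuple in add_rr makes the bare `pass` swallow every validation failure raised by dnsrecord_add, not only the "only master zones can contain records" case this workaround is aimed at. Because `dns_backup.add(zone, type, name, rdata)` sits after the try block, a record that was never created can also still be written to the backup when dns_backup is set. Consider handling ValidationError in its own except clause, re-raising unless it is the forward-zone case, returning before the dns_backup step, and logging that the record was skipped.
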
>
>
> and change it back after installation
>
> Or you can remove the forward zone (remove, disabling is not enough) and
> add it back after installation, if this won't cause you any service
> interruptions. (But you have to be able to resolve h2.int.pdp7.net without
> the forward zone.)
>
> 2018-01-10 19:38 GMT+01:00 Alex Corcoles via FreeIPA-users <
> freeipa-users@lists.fedorahosted.org>:
>
>> OK, just reproduced the error:
>>
>> [root@ipa2 ~]# ipa-replica-install -v -w $pw -n ipa.pdp7.net -P alex
>> --mkhomedir --setup-ca --setup-dns --auto-forwarders
>> [...]
>> ipa         : DEBUG      [2/8]: setting up our own record
>>   [2/8]: setting up our own record
>> ipa.ipaserver.plugins.dns.dnsrecord_add: DEBUG    raw: dnsrecord_add(u'
>> h2.int.pdp7.net', u'ipa2', arecord=u'10.42.42.83', version=u'2.228')
>> ipa.ipaserver.plugins.dns.dnsrecord_add: DEBUG    dnsrecord_add(<DNS
>> name h2.int.pdp7.net.>, <DNS name ipa2>, arecord=(u'10.42.42.83',),
>> a_extra_create_reverse=False, aaaa_extra_create_reverse=False,
>> force=False, structured=False, all=False, raw=False, version=u'2.228')
>> ipa         : DEBUG    Traceback (most recent call last):
>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
>> line 504, in start_creation
>>     run_step(full_msg, method)
>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
>> line 494, in run_step
>>     method()
>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/bindinstance.py",
>> line 852, in __add_self
>>     self.__add_master_records(self.fqdn, self.ip_addresses)
>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/bindinstance.py",
>> line 843, in __add_master_records
>>     add_fwd_rr(zone, host, addr, self.api)
>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/bindinstance.py",
>> line 367, in add_fwd_rr
>>     add_rr(zone, host, "A", ip_address, None, api)
>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/bindinstance.py",
>> line 358, in add_rr
>>     api.Command.dnsrecord_add(unicode(zone), unicode(name), **addkw)
>>   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 447,
>> in __call__
>>     return self.__do_call(*args, **options)
>>   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 475,
>> in __do_call
>>     ret = self.run(*args, **options)
>>   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 797,
>> in run
>>     return self.execute(*args, **options)
>>   File "/usr/lib/python2.7/site-packages/ipaserver/plugins/dns.py", line
>> 3666, in execute
>>     result = super(dnsrecord_add, self).execute(*keys, **options)
>>   File "/usr/lib/python2.7/site-packages/ipaserver/plugins/baseldap.py",
>> line 1141, in execute
>>     dn = self.obj.get_dn(*keys, **options)
>>   File "/usr/lib/python2.7/site-packages/ipaserver/plugins/dns.py", line
>> 3161, in get_dn
>>     dn = self.check_zone(keys[-2], **options)
>>   File "/usr/lib/python2.7/site-packages/ipaserver/plugins/dns.py", line
>> 3152, in check_zone
>>     error=_(u'only master zones can contain records')
>> ValidationError: invalid 'dnszoneidnsname': only master zones can contain
>> records
>>
>> ipa         : DEBUG      [error] ValidationError: invalid
>> 'dnszoneidnsname': only master zones can contain records
>>   [error] ValidationError: invalid 'dnszoneidnsname': only master zones
>> can contain records
>> Your system may be partly configured.
>> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>>
>> ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall):
>> DEBUG      File "/usr/lib/python2.7/site-packages/ipapython/admintool.py",
>> line 172, in execute
>>     return_value = self.run()
>>   File "/usr/lib/python2.7/site-packages/ipapython/install/cli.py", line
>> 333, in run
>>     cfgr.run()
>>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
>> line 368, in run
>>     self.execute()
>>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
>> line 392, in execute
>>     for _nothing in self._executor():
>>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
>> line 434, in __runner
>>     exc_handler(exc_info)
>>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
>> line 463, in _handle_execute_exception
>>     self._handle_exception(exc_info)
>>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
>> line 453, in _handle_exception
>>     six.reraise(*exc_info)
>>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
>> line 424, in __runner
>>     step()
>>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
>> line 421, in <lambda>
>>     step = lambda: next(self.__gen)
>>   File "/usr/lib/python2.7/site-packages/ipapython/install/util.py",
>> line 81, in run_generator_with_yield_from
>>     six.reraise(*exc_info)
>>   File "/usr/lib/python2.7/site-packages/ipapython/install/util.py",
>> line 59, in run_generator_with_yield_from
>>     value = gen.send(prev_value)
>>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
>> line 658, in _configure
>>     next(executor)
>>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
>> line 434, in __runner
>>     exc_handler(exc_info)
>>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
>> line 463, in _handle_execute_exception
>>     self._handle_exception(exc_info)
>>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
>> line 521, in _handle_exception
>>     self.__parent._handle_exception(exc_info)
>>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
>> line 453, in _handle_exception
>>     six.reraise(*exc_info)
>>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
>> line 518, in _handle_exception
>>     super(ComponentBase, self)._handle_exception(exc_info)
>>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
>> line 453, in _handle_exception
>>     six.reraise(*exc_info)
>>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
>> line 424, in __runner
>>     step()
>>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
>> line 421, in <lambda>
>>     step = lambda: next(self.__gen)
>>   File "/usr/lib/python2.7/site-packages/ipapython/install/util.py",
>> line 81, in run_generator_with_yield_from
>>     six.reraise(*exc_info)
>>   File "/usr/lib/python2.7/site-packages/ipapython/install/util.py",
>> line 59, in run_generator_with_yield_from
>>     value = gen.send(prev_value)
>>   File "/usr/lib/python2.7/site-packages/ipapython/install/common.py",
>> line 63, in _install
>>     for _nothing in self._installer(self.parent):
>>   File 
>> "/usr/lib/python2.7/site-packages/ipaserver/install/server/__init__.py",
>> line 617, in main
>>     replica_install(self)
>>   File 
>> "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py",
>> line 386, in decorated
>>     func(installer)
>>   File 
>> "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py",
>> line 1479, in install
>>     dns.install(False, True, options, api)
>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/dns.py", line
>> 338, in install
>>     bind.create_instance()
>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/bindinstance.py",
>> line 719, in create_instance
>>     self.start_creation()
>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
>> line 504, in start_creation
>>     run_step(full_msg, method)
>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
>> line 494, in run_step
>>     method()
>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/bindinstance.py",
>> line 852, in __add_self
>>     self.__add_master_records(self.fqdn, self.ip_addresses)
>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/bindinstance.py",
>> line 843, in __add_master_records
>>     add_fwd_rr(zone, host, addr, self.api)
>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/bindinstance.py",
>> line 367, in add_fwd_rr
>>     add_rr(zone, host, "A", ip_address, None, api)
>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/bindinstance.py",
>> line 358, in add_rr
>>     api.Command.dnsrecord_add(unicode(zone), unicode(name), **addkw)
>>   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 447,
>> in __call__
>>     return self.__do_call(*args, **options)
>>   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 475,
>> in __do_call
>>     ret = self.run(*args, **options)
>>   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 797,
>> in run
>>     return self.execute(*args, **options)
>>   File "/usr/lib/python2.7/site-packages/ipaserver/plugins/dns.py", line
>> 3666, in execute
>>     result = super(dnsrecord_add, self).execute(*keys, **options)
>>   File "/usr/lib/python2.7/site-packages/ipaserver/plugins/baseldap.py",
>> line 1141, in execute
>>     dn = self.obj.get_dn(*keys, **options)
>>   File "/usr/lib/python2.7/site-packages/ipaserver/plugins/dns.py", line
>> 3161, in get_dn
>>     dn = self.check_zone(keys[-2], **options)
>>   File "/usr/lib/python2.7/site-packages/ipaserver/plugins/dns.py", line
>> 3152, in check_zone
>>     error=_(u'only master zones can contain records')
>>
>> ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall):
>> DEBUG    The ipa-replica-install command failed, exception:
>> ValidationError: invalid 'dnszoneidnsname': only master zones can contain
>> records
>> ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall):
>> ERROR    invalid 'dnszoneidnsname': only master zones can contain records
>> ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall):
>> ERROR    The ipa-replica-install command failed. See
>> /var/log/ipareplica-install.log for more information
>>
>> , so yeah, it's:
>>
>> dnsrecord_add(u'h2.int.pdp7.net', u'ipa2', arecord=u'10.42.42.83',
>> version=u'2.228')
>>
>> which is the host name of the replica and its IP, which is within the
>> forwarded zones:
>>
>> $ ipa dnsforwardzone-add h2.int.pdp7.net --forwarder=10.42.42.1
>> $ ipa dnsforwardzone-add --name-from-ip=10.42.42.0/24
>> --forwarder=10.42.42.1 --forward-policy=only
>>
>> Maybe I can add the replica under an ipa.pdp7.net hostname? I'd really
>> prefer to keep the replica with its DNS/DHCP setup, but I suppose using a
>> different hostname is problematic. Can we skip adding this entry?
>>
>>
>> On Tue, Jan 9, 2018 at 10:05 PM, Alex Corcoles <a...@corcoles.net> wrote:
>>
>>> Ah, wait, this new replica doesn't have CA and DNS. Will try various
>>> combinations and post back.
>>>
>>> On Tue, Jan 9, 2018 at 10:03 PM, Alex Corcoles <a...@corcoles.net>
>>> wrote:
>>>
>>>> That's weird. I've now tried a replica install on a fresh VM and it has
>>>> worked- exact same parameters as before ¬ ¬U, no "invalid
>>>> 'dnszoneidnsname': only master zones can contain records". Maybe I had a
>>>> problem with the previous install failing and me cleaning up/retrying
>>>> incorrectly.
>>>>
>>>> Never mind...
>>>>
>>>> On Tue, Jan 9, 2018 at 7:45 PM, Martin Basti via FreeIPA-users <
>>>> freeipa-users@lists.fedorahosted.org> wrote:
>>>>
>>>>> Do you have a traceback in the log? I'm curious where exactly this
>>>>> happened, what is your FreeIPA version?
>>>>>
>>>>> [1]
>>>>> I haven't installed FreeIPA in LXC, but I'm a happy user of FreeIPA
>>>>> running in LXC :-) So it should work
>>>>>
>>>>> 2018-01-09 11:40 GMT+01:00 Alex Corcoles via FreeIPA-users <
>>>>> freeipa-users@lists.fedorahosted.org>:
>>>>>
>>>>>> Hi Marti,
>>>>>>
>>>>>> On Tue, Jan 9, 2018 at 12:46 AM, Martin Basti via FreeIPA-users <
>>>>>> freeipa-users@lists.fedorahosted.org> wrote:
>>>>>>
>>>>>>> It looks like the replica is trying to add records to your forward zone.
>>>>>>> What is the hostname of the replica?
>>>>>>>
>>>>>>
>>>>>> Yeah, it's xxx.h2.int.pdp7.net, which is within the forwarded zone.
>>>>>>
>>>>>> I have a dnsmasq acting as DHCP/DNS server in h2.int.pdp7.net to
>>>>>> provide automatic network configuration to VMs. It's a non-routable
>>>>>> network, so I'm not sure what the right setup would be.
>>>>>>
>>>>>> 1. what is not working on lxc?
>>>>>>>
>>>>>>
>>>>>> It was something about GSSAPI or something like that, I'll try to
>>>>>> reproduce and start a new thread about that- but I guess it's more of an
>>>>>> LXC problem (ideally I would like to run my replica on LXC so it consumes
>>>>>> less RAM, but I can live with a full VM).
>>>>>>
>>>>>> Cheers,
>>>>>>
>>>>>> Álex
>>>>>>
>>>>>> 2018-01-07 12:20 GMT+01:00 Alex Corcoles via FreeIPA-users <
>>>>>> freeipa-users@lists.fedorahosted.org>:
>>>>>>
>>>>>>> Hi,
>>>>>>>
>>>>>>> I'm labbing a FreeIPA environment for personal use, and I'm getting
>>>>>>> that while bringing up a replica.
>>>>>>>
>>>>>>> I set up my first freeipa-server instance on a cheap VPS on a public
>>>>>>> IP, intending to make it publicly accessible so I can always
>>>>>>> authenticate my laptop even on wild public networks.
>>>>>>>
>>>>>>> I'm adding the replica as a VM(1) on a Proxmox VE, on a private
>>>>>>> network with VPN connectivity to the first public freeipa-server, but
>>>>>>> I'm getting:
>>>>>>>
>>>>>>> 2018-01-06T20:56:04Z DEBUG The ipa-replica-install command failed,
>>>>>>> exception: ValidationError: invalid 'dnszoneidnsname': only master zones
>>>>>>> can contain records
>>>>>>>
>>>>>>> . I'm trying to create the replica with CA and DNS, and I had set up
>>>>>>> DNS forwarding to the internal DNS on the Proxmox system with:
>>>>>>>
>>>>>>> $ ipa dnsforwardzone-add h2.int.pdp7.net --forwarder=10.42.42.1
>>>>>>> $ ipa dnsforwardzone-add --name-from-ip=10.42.42.0/24
>>>>>>> --forwarder=10.42.42.1 --forward-policy=only
>>>>>>>
>>>>>>> on the first server (I run dnsmasq on Proxmox VE, 10.42.42.0/24 -
>>>>>>> h2.int.pdp7.net is the network it manages), and I guess that's
>>>>>>> messing with the replica, but I'm not sure how to troubleshoot this.
>>>>>>>
>>>>>>> Thoughts? Ideas?
>>>>>>>
>>>>>>> Thanks,
>>>>>>>
>>>>>>> Álex
>>>>>>>
>>>>>>> (1) I can't seem to create a freeipa-replica on an LXC container. Is
>>>>>>> this something that can be discussed here or should I take it to LXC?
>>>>>>>
>>>>>>> --
>>>>>>>    ___
>>>>>>>  {~._.~}
>>>>>>>   ( Y )
>>>>>>>  ()~*~()  mail: alex at corcoles dot net
>>>>>>>  (_)-(_)  http://alex.corcoles.net/
>>>>>>>
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
>>>>>>> To unsubscribe send an email to freeipa-users-le...@lists.fedo
>>>>>>> rahosted.org
>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>>> --
>>>>>> Regards, Martin Bašti.
>>>>>>


-- 
   ___
 {~._.~}
  ( Y )
 ()~*~()  mail: alex at corcoles dot net
 (_)-(_)  http://alex.corcoles.net/
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
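
As an added example (not code from this thread or from FreeIPA): a pre-install check in plain Python that maps a prospective replica FQDN to its deepest enclosing zone and relative name, the same split visible in the log's `dnsrecord_add(u'h2.int.pdp7.net', u'ipa2', ...)` call, and reports whether that zone is a forward zone. The `ZONES` inventory and the `locate` / `blocks_install` helpers are hypothetical; the zone names come from the commands quoted above, with the reverse zone name assumed.

```python
# Constructed zone inventory mirroring the thread: the IPA domain is a master
# zone, and the two dnsforwardzone-add commands created forward zones.
# The reverse zone name is an assumption about what --name-from-ip derives.
ZONES = {
    "ipa.pdp7.net.": "master",
    "h2.int.pdp7.net.": "forward",
    "42.42.10.in-addr.arpa.": "forward",
}


def _labels(name):
    """Lower-cased DNS labels of a name, ignoring a trailing dot."""
    return name.rstrip(".").lower().split(".")


def locate(fqdn, zones):
    """Return (zone, relative_name, kind) for the deepest enclosing zone.

    Matching is done on whole labels, so "xh2.int.pdp7.net" is not inside
    "h2.int.pdp7.net". Returns None when no known zone encloses the name.
    """
    host = _labels(fqdn)
    best = None
    for zone, kind in zones.items():
        z = _labels(zone)
        if len(z) <= len(host) and host[-len(z):] == z:
            if best is None or len(z) > len(best[0]):
                best = (z, kind)
    if best is None:
        return None
    z, kind = best
    # "@" stands for the zone apex when the name equals the zone itself.
    relative = ".".join(host[:len(host) - len(z)]) or "@"
    return ".".join(z), relative, kind


def blocks_install(fqdn, zones):
    """True when the host's own record would target a forward zone."""
    hit = locate(fqdn, zones)
    return hit is not None and hit[2] == "forward"


if __name__ == "__main__":
    # The hostname from the failing run, and the alternative asked about.
    for candidate in ("ipa2.h2.int.pdp7.net", "ipa2.ipa.pdp7.net"):
        status = "BLOCKED" if blocks_install(candidate, ZONES) else "ok"
        print(candidate, locate(candidate, ZONES), status)
```
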
