On Fri, 15 Nov 2024, Kees Bakker wrote:
On 15-11-2024 14:01, Alexander Bokovoy wrote:
On Fri, 15 Nov 2024, Kees Bakker via FreeIPA-users wrote:
Hi,

After I did an "ipa server-del" I was expecting that the SRV and URI
records were cleaned up as well.
But they weren't.  I'm talking about DNS records like
_kerberos.example.com  _kerberos_tcp.example.com _ldap_tcp.example.com
etc

Is this a known issue? Am I expected to clean up these entries myself
after an ipa server-del?

It does clean up DNS server entries if integrated DNS is enabled:
 - removes master DNS records for the replica
 - removes DNSSEC public keys associated with that replica

If any of those operations failed, you'll get a message returned as a
part of the command. There are two messages:

            self.add_message(
                messages.ServerRemovalWarning(
                    message=_(
                        "Failed to cleanup %(hostname)s DNS entries: "
                        "%(err)s") % dict(hostname=hostname, err=e)))

            self.add_message(
                messages.ServerRemovalWarning(
                    message=_("You may need to manually remove them from the "
                              "tree")))

Well, in my case it didn't clean up the above mentioned records. There
are still 15 SRV and URI records where the removed server is listed.

You can try to run what it was supposed to run, as a part of IPA console
on an IPA server:

# ipa -e in_server=true console
(Custom IPA interactive Python console)
    api: IPA API object
    pp: pretty printer
from ipaserver.install import bindinstance
bindinstance.remove_master_dns_records('fqdn-of-old-server', api.env.realm)

This should print a few messages as it goes through the removal. I haven't
tried it myself, though -- I don't have a spare server to remove at this
moment.



--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
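
Added example, not part of the thread and not FreeIPA code: a standard-library Python check that lists SRV and URI records still pointing at a removed server, so leftovers like the ones described above can be found before and after cleanup. It assumes the records are available as zone-file style text with fully qualified names (such as a zone transfer prints); the host names and the sample zone are constructed.

```python
import re

# Constructed sample in zone-file presentation format (not real data).
SAMPLE_ZONE = """\
_kerberos._tcp.example.com. 3600 IN SRV 0 100 88 ipa1.example.com.
_kerberos._tcp.example.com. 3600 IN SRV 0 100 88 ipa-old.example.com.
_ldap._tcp.example.com. 3600 IN SRV 0 100 389 ipa-old.example.com.
_ldap._tcp.example.com. 3600 IN SRV 0 100 389 ipa-old2.example.com.
_kerberos.example.com. 3600 IN URI 0 100 "krb5srv:m:tcp:ipa-old.example.com."
_kerberos.example.com. 3600 IN URI 0 100 "krb5srv:m:tcp:ipa1.example.com."
"""

RTYPES = {"SRV", "URI"}

def _norm(name):
    return name.rstrip(".").lower()

def stale_records(zone_text, removed_fqdn):
    """Return (owner, type, rdata) for SRV/URI records pointing at removed_fqdn."""
    removed = _norm(removed_fqdn)
    in_uri = re.compile(  # whole-hostname match inside a URI target
        r"(?<![a-z0-9.-])" + re.escape(removed) + r"(?!\.?[a-z0-9-])")
    hits = []
    for line in zone_text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0].startswith(";"):
            continue
        # TTL and class are optional, so locate the type token.
        idx = next((i for i in range(1, min(4, len(tokens)))
                    if tokens[i].upper() in RTYPES), None)
        if idx is None:
            continue
        rtype, rdata = tokens[idx].upper(), tokens[idx + 1:]
        if rtype == "SRV" and len(rdata) == 4:
            match = _norm(rdata[3]) == removed  # priority weight port target
        elif rtype == "URI" and len(rdata) >= 3:
            target = " ".join(rdata[2:]).strip('"').lower()
            match = in_uri.search(target) is not None
        else:
            continue
        if match:
            hits.append((tokens[0], rtype, " ".join(rdata)))
    return hits

if __name__ == "__main__":
    for owner, rtype, rdata in stale_records(SAMPLE_ZONE, "ipa-old.example.com"):
        print(f"{owner} {rtype} {rdata}")
```

An empty result after cleanup means no SRV or URI record in the supplied text still names the removed host; similarly named hosts (here `ipa-old2`) are not reported.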
