Both the WebUI and the CLI on the RHEL server work fine.  The issue is that I'm 
trying to automate the cleanup of old PTR records for the IP address of a new 
VM joining the domain (we're experimenting in an AWS Cloud environment and at 
least in this phase we have RHEL6 machines joining the domain and then being 
terminated on a regular basis).

I've found a workaround of sorts, but it relies on behavior that does not seem 
"correct" to me, in the dnsrecord-mod command.  For the standard case where 
there's already exactly one PTR record for my IP, dnsrecord-mod is completely 
adequate.  For the edge case where there is more than one orphan PTR record 
matching my IP, I've found that a dnsrecord-mod command formed so as to set the 
--ptr-hostname of any one of the existing records to the empty string seems to 
have the effect of deleting all matching PTR records except for the one 
specified, which is left untouched.

dnsrecord-mod --ptr-record=<any_old_hostname> --ptr-hostname="" <record_name>

So after this command, I seem to always have exactly one PTR record matching my 
IP, which I can then change to the value I want with a second dnsrecord-mod 


-----Original Message-----
From: Martin Basti [] 
Sent: Wednesday, January 27, 2016 5:13 AM
To: Martin Kosek <>; Izzo, Anthony (U.S. Person) 
Subject: Re: [Freeipa-users] ipa-admintools version incompatibility

On 27.01.2016 08:30, Martin Kosek wrote:
> Adding freeipa-users list back, so that others benefit from the discussion.
> On 01/26/2016 07:47 PM, Izzo, Anthony wrote:
>> The error I'm getting is that the option "raw" is invalid.  The 
>> dnsrecord-del command includes a "--raw" switch on RHEL6, but not on RHEL7.  
>> I am not using the switch, but according to the debug output, RHEL6 is 
>> passing "raw" (as a parameter with a value) unconditionally, with the value 
>> indicating whether the flag was selected or not.  Since RHEL7 does not 
>> accept "raw", it fails.
> Ah, I see. It looks like we broke forward compatibility of this command in
> I think dnsrecord-del should at least "eat" the options without raising error.
> CCing Martin Basti to eventually create a ticket for it. Martin, can you think of
> any workaround that Anthony could use, besides using nsupdate?
I'm not aware of any workaround on that particular client side

Ticket filed:

Is there any issue that prevents you from using the WebUI to remove the dnsrecord, 
or calling dnsrecord-del on a RHEL7 machine (or directly on the server)?

>> I hadn't thought about using the nsupdate tool, I'll give that a shot.  
>> Thanks.
>> Tony
>> -----Original Message-----
>> From: Martin Kosek []
>> Sent: Tuesday, January 26, 2016 11:10 AM
>> To: Izzo, Anthony (U.S. Person) <>; 
>> Subject: Re: [Freeipa-users] ipa-admintools version incompatibility
>> On 01/26/2016 04:22 PM, Izzo, Anthony wrote:
>>> I have a FreeIPA 4.2 server (on RHEL7) and a FreeIPA 3.0 client (on RHEL6). 
>>>  I am aware of the incompatibility between versions for ipa-admintools (in 
>>> my case I'm trying to use ipa dnsrecord-del).  I was just wondering if 
>>> there is a workaround that would allow me, from my 3.0 client, to delete a 
>>> DNS PTR record on the 4.2 server, since I can't use the ipa dnsrecord-del 
>>> command (the APIs are different, and the server responds that I've sent an 
>>> invalid option).  Thanks.
>> That's strange, client should be forward compatible already:
>> , i.e. RHEL-6 clients should be able to update RHEL-7 servers. We would know 
>> more if you send us the error.
>> Anyway, given you are only updating DNS, maybe you could just use standard 
>> Kerberos-authenticated DNS update (nsupdate tool), to delete that PTR record?
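
The Kerberos-authenticated nsupdate route suggested in the thread can clear every PTR record for an address in one transaction, which also covers the case of several orphaned records. This is an added example, not code from the thread or from the FreeIPA project; the function names, the sample address and hostname, the default TTL, and the premise that the reverse zone accepts GSS-TSIG dynamic updates from the caller are assumptions.

```shell
#!/bin/sh
# Added example (hypothetical helper names): build an nsupdate batch that
# replaces all PTR records for one IPv4 address with a single new record.

# ptr_name IPV4 -> prints the in-addr.arpa owner name; returns 1 on bad input.
ptr_name() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;   # digits and single dots only
    esac
    old_ifs=$IFS; IFS=.
    set -- $1                # split into octets; no glob characters remain
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in
            0?*|????*) return 1 ;;             # no leading zeros, max 3 digits
        esac
        [ "$octet" -le 255 ] || return 1
    done
    printf '%s.%s.%s.%s.in-addr.arpa.\n' "$4" "$3" "$2" "$1"
}

# ptr_replace_batch IPV4 FQDN [TTL] -> prints nsupdate commands on stdout.
ptr_replace_batch() {
    name=$(ptr_name "$1") || { echo "bad IPv4 address: $1" >&2; return 1; }
    # The hostname is written into the batch, so reject anything (newlines,
    # spaces, ...) that could add extra nsupdate commands.
    case $2 in
        ''|*[!A-Za-z0-9.-]*|.*|-*) echo "bad hostname: $2" >&2; return 1 ;;
    esac
    ttl=${3:-86400}          # assumed default TTL
    case $ttl in
        ''|*[!0-9]*) echo "bad TTL: $ttl" >&2; return 1 ;;
    esac
    # "update delete NAME PTR" with no record data removes the whole PTR
    # RRset, so any number of orphaned records is cleared in one step.
    printf 'update delete %s PTR\n' "$name"
    printf 'update add %s %s PTR %s.\n' "$name" "$ttl" "${2%.}"
    printf 'send\n'
}

# Usage, with a valid Kerberos ticket (constructed sample values):
#   ptr_replace_batch 10.0.1.25 vm1.example.test | nsupdate -g
```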
