Re: [Freeipa-users] IPA Error 4205 attribute idnsAllowTransfer not allowed
Hi Simo,

Thanks for your reply. Yes, the IPA server has been updated from 2.1 to 2.2. Prior to the update, DNS zones could be created without any issues.

I have also noticed that the command 'ipa ping' is displaying the incorrect IPA server version (IPA server version 2.1.90.rc1. API version 2.34) when in fact the IPA server version 2.2.x should be displayed.

Regards,
Robert..

On 27 July 2012 17:29, Simo Sorce s...@redhat.com wrote:
> On Thu, 2012-07-26 at 09:47 +0200, Robert Bowell wrote:
> > Hi,
> > I'm encountering a strange problem.. upon trying to add a new DNS zone the following message is being displayed
> >
> > attribute idnsAllowTransfer not allowed
> >
> > and the DNS entry is not created. Has anyone ever encountered such a problem? If so, what needs to be done to resolve it?
> >
> > IPA server version 2.1.3. API version 2.13
>
> Was this server upgraded from a 2.0.x one?
>
> Simo.
>
> --
> Simo Sorce * Red Hat, Inc * New York

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] IPA Error 4205 attribute idnsAllowTransfer not allowed
On Mon, 2012-07-30 at 12:11 +0200, Robert Bowell wrote:
> Hi Simo,
> Thanks for your reply. Yes, the IPA server has been updated from 2.1 to 2.2. Prior to the update, DNS zones could be created without any issues.
> I have also noticed that the command 'ipa ping' is displaying the incorrect IPA server version (IPA server version 2.1.90.rc1. API version 2.34) when in fact the IPA server version 2.2.x should be displayed.

This is odd, have you restarted httpd since the update?

The symptom below seems to suggest something went wrong in updating the DNS schema where we added a few attributes to allow zone transfers.
Can you check the ipaserver-upgrade.log file and see if there are any errors in there?

Simo.

> Regards,
> Robert..
>
> On 27 July 2012 17:29, Simo Sorce s...@redhat.com wrote:
> > On Thu, 2012-07-26 at 09:47 +0200, Robert Bowell wrote:
> > > Hi,
> > > I'm encountering a strange problem.. upon trying to add a new DNS zone the following message is being displayed
> > >
> > > attribute idnsAllowTransfer not allowed
> > >
> > > and the DNS entry is not created. Has anyone ever encountered such a problem? If so, what needs to be done to resolve it?
> > >
> > > IPA server version 2.1.3. API version 2.13
> >
> > Was this server upgraded from a 2.0.x one?
> >
> > Simo.

--
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] IPA Error 4205 attribute idnsAllowTransfer not allowed
Hi

I am following the same issue with Robert.

In /etc/dirsrv/slapd-DOMAIN/schema/99user.ldif we can see that these new attributes have been added.

Unfortunately I couldn't verify using ldapsearch on 'cn=schema' to see if this is indeed the case as well within the LDAP data.

However if I browse other pre-existing DNS zones using ldapsearch I see that these already have the two attributes in place, so I guess the update procedure managed to insert them somehow:

idnsAllowQuery: any;
idnsAllowTransfer: none;

So we are a bit confused that when trying to add a new zone, we get errors due to these attributes. This is also preventing us from adding new replicas (which require new reverse zones).

Regards
John

On Mon, Jul 30, 2012 at 2:57 PM, Simo Sorce s...@redhat.com wrote:
> On Mon, 2012-07-30 at 12:11 +0200, Robert Bowell wrote:
> > Hi Simo,
> > Thanks for your reply. Yes, the IPA server has been updated from 2.1 to 2.2. Prior to the update, DNS zones could be created without any issues.
> > I have also noticed that the command 'ipa ping' is displaying the incorrect IPA server version (IPA server version 2.1.90.rc1. API version 2.34) when in fact the IPA server version 2.2.x should be displayed.
>
> This is odd, have you restarted httpd since the update?
>
> The symptom below seems to suggest something went wrong in updating the DNS schema where we added a few attributes to allow zone transfers.
> Can you check the ipaserver-upgrade.log file and see if there are any errors in there?
>
> Simo.
Re: [Freeipa-users] IPA Error 4205 attribute idnsAllowTransfer not allowed
On 07/30/2012 02:57 PM, Simo Sorce wrote:
> On Mon, 2012-07-30 at 12:11 +0200, Robert Bowell wrote:
> > Hi Simo,
> > Thanks for your reply. Yes, the IPA server has been updated from 2.1 to 2.2. Prior to the update, DNS zones could be created without any issues.
> > I have also noticed that the command 'ipa ping' is displaying the incorrect IPA server version (IPA server version 2.1.90.rc1. API version 2.34) when in fact the IPA server version 2.2.x should be displayed.
>
> This is odd, have you restarted httpd since the update?
>
> The symptom below seems to suggest something went wrong in updating the DNS schema where we added a few attributes to allow zone transfers.
> Can you check the ipaserver-upgrade.log file and see if there are any errors in there?
>
> Simo.

This error is described in ticket 2440 which is scheduled for 3.0.1 milestone:

https://fedorahosted.org/freeipa/ticket/2440

The ticket contains more information about the issue including commands to verify it and also an LDIF file that should work around the issue until a fixed version of IPA server is released.

HTH,
Martin
Re: [Freeipa-users] IPA Error 4205 attribute idnsAllowTransfer not allowed
On 07/30/2012 03:21 PM, John Blaut wrote:
> Hi
> I am following the same issue with Robert.
> In /etc/dirsrv/slapd-DOMAIN/schema/99user.ldif we can see that these new attributes have been added.

Hello John,

I assume that the new attributes were not added to the MAY list in idnsZone objectclass due to an issue with IPA upgrade which is already described in the following ticket:

https://fedorahosted.org/freeipa/ticket/2440

The ticket should contain more information about the issue and also an LDIF that should work around it until a fix is released.

> Unfortunately I couldn't verify using ldapsearch on 'cn=schema' to see if this is indeed the case as well within the LDAP data.
> However if I browse other pre-existing DNS zones using ldapsearch I see that these already have the two attributes in place, so I guess the update procedure managed to insert them somehow:
>
> idnsAllowQuery: any;
> idnsAllowTransfer: none;

If I understand it correctly, you have existing DNS zones with these attributes defined? I assume this would mean that idnsZone objectclass has the attribute list updated. But then it is quite strange that you get the 'idnsAllowTransfer not allowed' error.

Martin

> So we are a bit confused that when trying to add a new zone, we get errors due to these attributes. This is also preventing us from adding new replicas (which require new reverse zones).
>
> Regards
> John
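The diagnosis in the message above rests on the difference between an attribute type being defined in the schema and that attribute being listed in the MUST/MAY list of the idnsZone objectclass. The following check is an added example, not part of this thread or of ticket 2440: it parses `cn=schema` output and reports which of the two cases applies. The sample schema text, its OIDs and the function names are constructed for illustration.

```python
import re
# Constructed sample shaped like `ldapsearch -b cn=schema -s base` output.
# OIDs and attribute lists are placeholders, NOT the real FreeIPA schema.
SAMPLE_SCHEMA = """\
dn: cn=schema
attributeTypes: ( 1.1.1.1 NAME 'idnsName' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
attributeTypes: ( 1.1.1.2 NAME 'idnsAllowQuery'
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
attributeTypes: ( 1.1.1.3 NAME 'idnsAllowTransfer'
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
objectClasses: ( 1.1.2.1 NAME 'idnsZone' SUP top STRUCTURAL MUST idnsName
  MAY ( idnsUpdatePolicy $ idnsAllowDynUpdate ) )
"""
WORD = r"[\w;.-]+"

def _names(defn):
    """Return the lowercase NAME(s) of one schema definition."""
    m = re.search(r"\bNAME\s+(?:'([^']+)'|\(([^)]*)\))", defn)
    return [n.lower() for n in re.findall(WORD, m.group(1) or m.group(2) or "")] if m else []

def _attrs(defn, keyword):
    """Return the MUST or MAY list: a bare name or ( a $ b $ c )."""
    m = re.search(r"\b%s\s+(?:\(([^)]*)\)|(%s))" % (keyword, WORD), defn)
    return {a.lower() for a in re.findall(WORD, m.group(1) or m.group(2) or "")} if m else set()

def check_schema(ldif, objectclass, wanted):
    """Classify each wanted attribute against one objectclass (SUP is not followed)."""
    defined, allowed = set(), None
    # RFC 2849 folding: a newline followed by one space continues the line.
    for line in re.sub(r"\r?\n ", "", ldif).splitlines():
        key, _, value = line.partition(":")
        if key.lower() == "attributetypes":
            defined.update(_names(value))
        elif key.lower() == "objectclasses" and objectclass.lower() in _names(value):
            allowed = _attrs(value, "MUST") | _attrs(value, "MAY")
    if allowed is None:
        raise LookupError("objectclass %s not found in schema" % objectclass)
    report = {}
    for attr in wanted:
        if attr.lower() in allowed:
            report[attr] = "allowed"
        elif attr.lower() in defined:
            report[attr] = "defined but not allowed by " + objectclass
        else:
            report[attr] = "not defined"
    return report

if __name__ == "__main__":
    print(check_schema(SAMPLE_SCHEMA, "idnsZone", ["idnsAllowQuery", "idnsAllowTransfer"]))
```

On a live server the input would be the saved output of an `ldapsearch` against `cn=schema` requesting `attributeTypes` and `objectClasses`; a result of "defined but not allowed" for idnsAllowTransfer matches the state described in this thread.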
Re: [Freeipa-users] IPA Error 4205 attribute idnsAllowTransfer not allowed
Hi Martin

Thanks a lot for your reply. We applied the LDIF patch and now we managed to add new zones. Many thanks!!

Yes, you understood well that the DNS zones already had these attributes defined. However using the ldapsearch query from the ticket, these attributes did not show up in the current schema (which is why we then proceeded with the patch which fixed the problem). It is strange how the attributes managed to make their way in the existing DNS zones when they were not supported in the schema.

If it helps, after applying the patch what we also noticed is that in UI, the allow query and transfer options now show up as editable form elements. Before they were not editable but just printed values.

Thanks again.

Regards
John

On Mon, Jul 30, 2012 at 5:26 PM, Martin Kosek mko...@redhat.com wrote:
> On 07/30/2012 03:21 PM, John Blaut wrote:
> > Hi
> > I am following the same issue with Robert.
> > In /etc/dirsrv/slapd-DOMAIN/schema/99user.ldif we can see that these new attributes have been added.
>
> Hello John,
>
> I assume that the new attributes were not added to the MAY list in idnsZone objectclass due to an issue with IPA upgrade which is already described in the following ticket:
>
> https://fedorahosted.org/freeipa/ticket/2440
>
> The ticket should contain more information about the issue and also an LDIF that should work around it until a fix is released.
>
> > Unfortunately I couldn't verify using ldapsearch on 'cn=schema' to see if this is indeed the case as well within the LDAP data.
> > However if I browse other pre-existing DNS zones using ldapsearch I see that these already have the two attributes in place, so I guess the update procedure managed to insert them somehow:
> >
> > idnsAllowQuery: any;
> > idnsAllowTransfer: none;
>
> If I understand it correctly, you have existing DNS zones with these attributes defined? I assume this would mean that idnsZone objectclass has the attribute list updated. But then it is quite strange that you get the 'idnsAllowTransfer not allowed' error.
>
> Martin
>
> > So we are a bit confused that when trying to add a new zone, we get errors due to these attributes. This is also preventing us from adding new replicas (which require new reverse zones).
> >
> > Regards
> > John
Re: [Freeipa-users] IPA Error 4205 attribute idnsAllowTransfer not allowed
On Thu, 2012-07-26 at 09:47 +0200, Robert Bowell wrote:
> Hi,
> I'm encountering a strange problem.. upon trying to add a new DNS zone the following message is being displayed
>
> attribute idnsAllowTransfer not allowed
>
> and the DNS entry is not created. Has anyone ever encountered such a problem? If so, what needs to be done to resolve it?
>
> IPA server version 2.1.3. API version 2.13

Was this server upgraded from a 2.0.x one?

Simo.

--
Simo Sorce * Red Hat, Inc * New York