Hi List,
When I run ipa-healthcheck on all of our ipa servers, they all reported the following:
[root@ipa0 ~]# ipa-healthcheck --failures-only --output-type human
ERROR: ipahealthcheck.ds.replication.ReplicationConflictCheck.idnsname=1.1.10.in-addr.arpa.,cn=dns,dc=example,dc=com: Replication conflict
[root@ipa0 ~]#
[root@ipa0 ~]# ipa-healthcheck --failures-only
[
{
"source": "ipahealthcheck.ds.replication",
"kw": {
"msg": "Replication conflict",
"glue": true,
"conflict": "deletedEntryHasChildren",
"key": "idnsname=1.1.10.in-addr.arpa.,cn=dns,dc=example,dc=com"
},
"uuid": "3027f742-4b7b-4a20-9650-a5a030699480",
"duration": "0.002318",
"when": "20210819234114Z",
"check": "ReplicationConflictCheck",
"result": "ERROR"
}
]
[root@ipa0 ~]#
[root@ipa0 ~]# ipa dnsrecord-find 1.1.10.in-addr.arpa. --sizelimit=99999 --all --structured
dn: idnsname=1.1.10.in-addr.arpa.,cn=dns,dc=example,dc=com
Record name: @
Records:
Record type: NS
Record data: ipa1.example.com.
NS Hostname: ipa1.example.com.
idnsallowdynupdate: TRUE
idnsallowquery: any;
idnsallowtransfer: none;
idnssoaexpire: 1209600
idnssoaminimum: 3600
idnssoamname: ipa0.example.com.
idnssoarefresh: 3600
idnssoaretry: 900
idnssoarname: hostmaster
idnssoaserial: 1629023582
idnsupdatepolicy: grant EXAMPLE.COM krb5-subdomain 1.1.10.in-addr.arpa. PTR; grant dhcp-key wildcard * ANY;
idnszoneactive: FALSE
objectclass: top, idnsrecord, idnszone, glue, extensibleobject
----------------------------
Number of entries returned 1
----------------------------
[root@ipa0 ~]#
Notice above, glue is true! After googling, I found the following:
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/identity_management_guide/ipa-replica-manage#Solving_Orphan_Entry_Conflicts
https://access.redhat.com/documentation/en-us/red_hat_directory_server/10/html/administration_guide/managing_replication-solving_common_replication_conflicts#Solving_Common_Replication_Conflicts-Solving_Orphan_Entry_Conflicts
The explanation made sense to me. However, I do not know what happened to get us into this situation.
A good zone displays objectclass like this:
objectclass: top, idnsrecord, idnszone
Note, no "glue, extensibleobject" there.
This zone cannot be deleted since "Not allowed on non-leaf entry". Any ideas to delete this zone?
Thanks.
Kathy.
Do you want to delete the zone?
rob
Yes, I want to delete the zone. I tried a few ways, none worked so far.
Hi Rob,
There are 5 more reverse zones which cannot be deleted either. IPA said "Not allowed on non-leaf entry". Though that is the same complaint, there are no "glue, extensibleobject" objectclasses associated with those 5 zones. Please see attached for details. I would like to have those deleted as well.
Thanks.
Kathy.
[root@ipa0 export-ipa-data]# ipa dnsrecord-find 15.0.10.in-addr.arpa. --all
dn: idnsname=15.0.10.in-addr.arpa.,cn=dns,dc=example,dc=com
Record name: @
NS record: ipa0.example.com., ipa2.example.com., ipa3.example.com., hou1-ipa1.example.com., sfo1-ipa1.example.com., hou2-ipa1.example.com., hq-ipa1.example.com., gcc2-ipa1.example.com.
idnsallowdynupdate: TRUE
idnsallowquery: any;
idnsallowtransfer: none;
idnssoaexpire: 1209600
idnssoaminimum: 3600
idnssoamname: ipa0.example.com.
idnssoarefresh: 3600
idnssoaretry: 900
idnssoarname: hostmaster
idnssoaserial: 1629023582
idnsupdatepolicy: grant EXAMPLE.COM krb5-subdomain 15.0.10.in-addr.arpa. PTR; grant dhcp-key wildcard * ANY;
idnszoneactive: FALSE
objectclass: top, idnsrecord, idnszone
----------------------------
Number of entries returned 1
----------------------------
[root@ipa0 export-ipa-data]# ipa dnsrecord-find 14.0.10.in-addr.arpa. --all
dn: idnsname=14.0.10.in-addr.arpa.,cn=dns,dc=example,dc=com
Record name: @
NS record: ipa0.example.com., ipa2.example.com., ipa3.example.com., hou1-ipa1.example.com., sfo1-ipa1.example.com., hou2-ipa1.example.com., hq-ipa1.example.com., gcc2-ipa1.example.com.
idnsallowdynupdate: TRUE
idnsallowquery: any;
idnsallowtransfer: none;
idnssoaexpire: 1209600
idnssoaminimum: 3600
idnssoamname: ipa0.example.com.
idnssoarefresh: 3600
idnssoaretry: 900
idnssoarname: hostmaster
idnssoaserial: 1629023582
idnsupdatepolicy: grant EXAMPLE.COM krb5-subdomain 14.0.10.in-addr.arpa. PTR; grant dhcp-key wildcard * ANY;
idnszoneactive: FALSE
objectclass: top, idnsrecord, idnszone
----------------------------
Number of entries returned 1
----------------------------
[root@ipa0 export-ipa-data]# ipa dnsrecord-find 13.0.10.in-addr.arpa. --all
dn: idnsname=13.0.10.in-addr.arpa.,cn=dns,dc=example,dc=com
Record name: @
NS record: ipa0.example.com., ipa2.example.com., ipa3.example.com., hou1-ipa1.example.com., sfo1-ipa1.example.com., hou2-ipa1.example.com., hq-ipa1.example.com., gcc2-ipa1.example.com.
idnsallowdynupdate: TRUE
idnsallowquery: any;
idnsallowtransfer: none;
idnssoaexpire: 1209600
idnssoaminimum: 3600
idnssoamname: ipa0.example.com.
idnssoarefresh: 3600
idnssoaretry: 900
idnssoarname: hostmaster
idnssoaserial: 1629023582
idnsupdatepolicy: grant EXAMPLE.COM krb5-subdomain 13.0.10.in-addr.arpa. PTR; grant dhcp-key wildcard * ANY;
idnszoneactive: FALSE
objectclass: top, idnsrecord, idnszone
----------------------------
Number of entries returned 1
----------------------------
[root@ipa0 export-ipa-data]# ipa dnsrecord-find 12.0.10.in-addr.arpa. --all
dn: idnsname=12.0.10.in-addr.arpa.,cn=dns,dc=example,dc=com
Record name: @
NS record: ipa0.example.com., ipa2.example.com., ipa3.example.com., hou1-ipa1.example.com., sfo1-ipa1.example.com., hou2-ipa1.example.com., hq-ipa1.example.com., gcc2-ipa1.example.com.
idnsallowdynupdate: TRUE
idnsallowquery: any;
idnsallowtransfer: none;
idnssoaexpire: 1209600
idnssoaminimum: 3600
idnssoamname: ipa0.example.com.
idnssoarefresh: 3600
idnssoaretry: 900
idnssoarname: hostmaster
idnssoaserial: 1629023582
idnsupdatepolicy: grant EXAMPLE.COM krb5-subdomain 12.0.10.in-addr.arpa. PTR; grant dhcp-key wildcard * ANY;
idnszoneactive: FALSE
objectclass: top, idnsrecord, idnszone
----------------------------
Number of entries returned 1
----------------------------
[root@ipa0 export-ipa-data]# ipa dnsrecord-find 0.0.10.in-addr.arpa. --all
dn: idnsname=0.0.10.in-addr.arpa.,cn=dns,dc=example,dc=com
Record name: @
NS record: ipa0.example.com., ipa2.example.com., ipa3.example.com., hou1-ipa1.example.com., sfo1-ipa1.example.com., hou2-ipa1.example.com., hq-ipa1.example.com., gcc2-ipa1.example.com.
idnsallowdynupdate: TRUE
idnsallowquery: any;
idnsallowtransfer: none;
idnssoaexpire: 1209600
idnssoaminimum: 3600
idnssoamname: ipa0.example.com.
idnssoarefresh: 3600
idnssoaretry: 900
idnssoarname: hostmaster.example.com.
idnssoaserial: 1629023582
idnsupdatepolicy: grant EXAMPLE.COM krb5-subdomain 0.0.10.in-addr.arpa. PTR; grant dhcp-key wildcard * ANY;
idnszoneactive: FALSE
objectclass: top, idnsrecord, idnszone
----------------------------
Number of entries returned 1
----------------------------
[root@ipa0 export-ipa-data]#
389 seems to think there are records under those even though IPA isn't seeing them. 389 doesn't show conflict values. I think I'd try ldapsearch to see if there is anything below it.
kinit admin
ldapsearch -Y GSSAPI -b idnsname=15.0.10.in-addr.arpa.,cn=dns,dc=example,dc=com
If nothing then add this filter to the end, '(objectclass=ldapsubentry)'
rob
Hi Rob,
Thank you! That filter did the trick. There are 9 pTRRecord entries in the zone! See attached for details. What is the safe way to delete those "hidden" records? I assume that the zone can be deleted after those pTRRecord entries are deleted first. Many thanks.
Kathy.
[root@ipa0 ~]$ ldapsearch -Y GSSAPI -b idnsname=15.0.10.in-addr.arpa.,cn=dns,dc=example,dc=com
SASL/GSSAPI authentication started
SASL username: admin@EXAMPLE.COM
SASL SSF: 256
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <idnsname=15.0.10.in-addr.arpa.,cn=dns,dc=example,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# 15.0.10.in-addr.arpa., dns, example.com
dn: idnsname=15.0.10.in-addr.arpa.,cn=dns,dc=example,dc=com
idnsSOAserial: 1630088951
idnsZoneActive: FALSE
idnsSOAminimum: 3600
idnsSOAexpire: 1209600
idnsSOAretry: 900
idnsSOArefresh: 3600
idnsAllowQuery: any;
idnsSOArName: hostmaster
idnsAllowDynUpdate: TRUE
idnsSOAmName: ipa0.example.com.
idnsName: 15.0.10.in-addr.arpa.
idnsUpdatePolicy: grant EXAMPLE.COM krb5-subdomain 15.0.10.in-addr.arpa. PTR; grant dhcp-key wildcard * ANY;
idnsAllowTransfer: none;
objectClass: top
objectClass: idnsrecord
objectClass: idnszone
nSRecord: ipa0.example.com.
nSRecord: ipa2.example.com.
nSRecord: ipa3.example.com.
nSRecord: hou1-ipa1.example.com.
nSRecord: sfo1-ipa1.example.com.
nSRecord: hou2-ipa1.example.com.
nSRecord: hq-ipa1.example.com.
nSRecord: gcc2-ipa1.example.com.
# search result
search: 4
result: 0 Success
# numResponses: 2
# numEntries: 1
[root@ipa0 ~]$ ldapsearch -Y GSSAPI -b idnsname=15.0.10.in-addr.arpa.,cn=dns,dc=example,dc=com '(objectclass=ldapsubentry)'
SASL/GSSAPI authentication started
SASL username: admin@EXAMPLE.COM
SASL SSF: 256
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <idnsname=15.0.10.in-addr.arpa.,cn=dns,dc=example,dc=com> with scope subtree
# filter: (objectclass=ldapsubentry)
# requesting: ALL
#
# 200 + 0aa41606-f47811ea-9c15fb86-bfdbf4a5, 15.0.10.in-addr.arpa., dns, example.com
dn: idnsName=200+nsuniqueid=0aa41606-f47811ea-9c15fb86-bfdbf4a5,idnsname=15.0.10.in-addr.arpa.,cn=dns,dc=example,dc=com
pTRRecord: user9-laptop.example.com.
dNSTTL: 300
objectClass: idnsRecord
objectClass: top
objectClass: ldapsubentry
idnsName: 200
# 155 + f3e40606-f6a711ea-9c15fb86-bfdbf4a5, 15.0.10.in-addr.arpa., dns, example.com
dn: idnsName=155+nsuniqueid=f3e40606-f6a711ea-9c15fb86-bfdbf4a5,idnsname=15.0.10.in-addr.arpa.,cn=dns,dc=example,dc=com
pTRRecord: user7-laptop.example.com.
dNSTTL: 300
objectClass: idnsRecord
objectClass: top
objectClass: ldapsubentry
idnsName: 155
# 183 + c0f24006-f6b011ea-9c15fb86-bfdbf4a5, 15.0.10.in-addr.arpa., dns, example.com
dn: idnsName=183+nsuniqueid=c0f24006-f6b011ea-9c15fb86-bfdbf4a5,idnsname=15.0.10.in-addr.arpa.,cn=dns,dc=example,dc=com
pTRRecord: DESKTOP-test.example.com.
dNSTTL: 300
objectClass: idnsRecord
objectClass: top
objectClass: ldapsubentry
idnsName: 183
# 101 + 4a137207-f6c511ea-9c15fb86-bfdbf4a5, 15.0.10.in-addr.arpa., dns, example.com
dn: idnsName=101+nsuniqueid=4a137207-f6c511ea-9c15fb86-bfdbf4a5,idnsname=15.0.10.in-addr.arpa.,cn=dns,dc=example,dc=com
pTRRecord: test-laptop.example.com.
dNSTTL: 300
objectClass: idnsRecord
objectClass: top
objectClass: ldapsubentry
idnsName: 101
# 74 + 1ccac207-f6cd11ea-9c15fb86-bfdbf4a5, 15.0.10.in-addr.arpa., dns, example.com
dn: idnsName=74+nsuniqueid=1ccac207-f6cd11ea-9c15fb86-bfdbf4a5,idnsname=15.0.10.in-addr.arpa.,cn=dns,dc=example,dc=com
pTRRecord: jsmith-laptop.example.com.
dNSTTL: 300
objectClass: idnsRecord
objectClass: top
objectClass: ldapsubentry
idnsName: 74
# 63 + bdd08006-f79411ea-9c15fb86-bfdbf4a5, 15.0.10.in-addr.arpa., dns, example.com
dn: idnsName=63+nsuniqueid=bdd08006-f79411ea-9c15fb86-bfdbf4a5,idnsname=15.0.10.in-addr.arpa.,cn=dns,dc=example,dc=com
pTRRecord: kwang-laptop.example.com.
dNSTTL: 300
objectClass: idnsRecord
objectClass: top
objectClass: ldapsubentry
idnsName: 63
# 160 + ea49d205-f85011ea-9c15fb86-bfdbf4a5, 15.0.10.in-addr.arpa., dns, example.com
dn: idnsName=160+nsuniqueid=ea49d205-f85011ea-9c15fb86-bfdbf4a5,idnsname=15.0.10.in-addr.arpa.,cn=dns,dc=example,dc=com
pTRRecord: john-laptop.example.com.
dNSTTL: 300
objectClass: idnsRecord
objectClass: top
objectClass: ldapsubentry
idnsName: 160
# 32 + e7f77005-f87011ea-9c15fb86-bfdbf4a5, 15.0.10.in-addr.arpa., dns, example.com
dn: idnsName=32+nsuniqueid=e7f77005-f87011ea-9c15fb86-bfdbf4a5,idnsname=15.0.10.in-addr.arpa.,cn=dns,dc=example,dc=com
pTRRecord: key10-laptop.example.com.
dNSTTL: 300
objectClass: idnsRecord
objectClass: top
objectClass: ldapsubentry
idnsName: 32
# 66 + 3fc5b812-c04911eb-b84afb86-bfdbf4a5, 15.0.10.in-addr.arpa., dns, example.com
dn: idnsName=66+nsuniqueid=3fc5b812-c04911eb-b84afb86-bfdbf4a5,idnsname=15.0.10.in-addr.arpa.,cn=dns,dc=example,dc=com
pTRRecord: load8-laptop.example.com.
dNSTTL: 300
objectClass: idnsRecord
objectClass: top
objectClass: ldapsubentry
idnsName: 66
# search result
search: 4
result: 0 Success
# numResponses: 10
# numEntries: 9
[root@ipa0 ~]$
On Fri, Aug 27, 2021 at 9:58 AM Rob Crittenden rcritten@redhat.com wrote:
Kathy Zhu wrote:
Hi Rob,
There are 5 more reverse zones which can not be deleted as well. IPA said "Not allowed on non-leaf entry". Though that is the same complaint, however, there are no "glue, extensibleobject" objectclasses associated with those 5 zones. Please see attached for details. I like to have those deleted as well.
389 seems to think there are records under those even though IPA isn't seeing them. 389 doesn't show conflict values. I think I'd try ldapsearch to see if there is anything below it.
kinit admin ldapsearch -Y GSSAPI -b idnsname=15.0.10.in-addr.arpa.,cn=dns,dc=example,dc=com
If nothing then add this filter to the end, '(objectclass=ldapsubentry)'
rob
Thanks.
Kathy.
[root@ipa0 export-ipa-data]# ipa dnsrecord-find 15.0.10.in-addr.arpa.
--all
dn: idnsname=15.0.10.in-addr.arpa.,cn=dns,dc=example,dc=com
Record name: @
NS record: ipa0.example.com http://ipa0.example.com., ipa2.example.com http://ipa2.example.com., ipa3.example.com http://ipa3.example.com., hou1-ipa1.example.com http://hou1-ipa1.example.com., sfo1-ipa1.example.com http://sfo1-ipa1.example.com., hou2-ipa1.example.com http://hou2-ipa1.example.com., hq-
ipa1.example.com <http://ipa1.example.com>.,
gcc2-ipa1.example.com http://gcc2-ipa1.example.com.
idnsallowdynupdate: TRUE
idnsallowquery: any;
idnsallowtransfer: none;
idnssoaexpire: 1209600
idnssoaminimum: 3600
idnssoamname: ipa0.example.com http://ipa0.example.com.
idnssoarefresh: 3600
idnssoaretry: 900
idnssoarname: hostmaster
idnssoaserial: 1629023582
idnsupdatepolicy: grant EXAMPLE.COM http://EXAMPLE.COM krb5-subdomain 15.0.10.in-addr.arpa. PTR; grant dhcp-key wildcard * ANY;
idnszoneactive: FALSE
objectclass: top, idnsrecord, idnszone
Number of entries returned 1
[root@ipa0 export-ipa-data]# ipa dnsrecord-find 14.0.10.in-addr.arpa.
--all
dn: idnsname=14.0.10.in-addr.arpa.,cn=dns,dc=example,dc=com
Record name: @
NS record: ipa0.example.com http://ipa0.example.com., ipa2.example.com http://ipa2.example.com., ipa3.example.com http://ipa3.example.com., hou1-ipa1.example.com http://hou1-ipa1.example.com., sfo1-ipa1.example.com http://sfo1-ipa1.example.com., hou2-ipa1.example.com http://hou2-ipa1.example.com., hq-
ipa1.example.com <http://ipa1.example.com>.,
gcc2-ipa1.example.com http://gcc2-ipa1.example.com.
idnsallowdynupdate: TRUE
idnsallowquery: any;
idnsallowtransfer: none;
idnssoaexpire: 1209600
idnssoaminimum: 3600
idnssoamname: ipa0.example.com http://ipa0.example.com.
idnssoarefresh: 3600
idnssoaretry: 900
idnssoarname: hostmaster
idnssoaserial: 1629023582
idnsupdatepolicy: grant EXAMPLE.COM http://EXAMPLE.COM krb5-subdomain 14.0.10.in-addr.arpa. PTR; grant dhcp-key wildcard * ANY;
idnszoneactive: FALSE
objectclass: top, idnsrecord, idnszone
Number of entries returned 1
[root@ipa0 export-ipa-data]# ipa dnsrecord-find 13.0.10.in-addr.arpa.
--all
dn: idnsname=13.0.10.in-addr.arpa.,cn=dns,dc=example,dc=com
Record name: @
NS record: ipa0.example.com http://ipa0.example.com., ipa2.example.com http://ipa2.example.com., ipa3.example.com http://ipa3.example.com., hou1-ipa1.example.com http://hou1-ipa1.example.com., sfo1-ipa1.example.com http://sfo1-ipa1.example.com., hou2-ipa1.example.com http://hou2-ipa1.example.com., hq-
ipa1.example.com <http://ipa1.example.com>.,
gcc2-ipa1.example.com http://gcc2-ipa1.example.com.
idnsallowdynupdate: TRUE
idnsallowquery: any;
idnsallowtransfer: none;
idnssoaexpire: 1209600
idnssoaminimum: 3600
idnssoamname: ipa0.example.com http://ipa0.example.com.
idnssoarefresh: 3600
idnssoaretry: 900
idnssoarname: hostmaster
idnssoaserial: 1629023582
idnsupdatepolicy: grant EXAMPLE.COM http://EXAMPLE.COM krb5-subdomain 13.0.10.in-addr.arpa. PTR; grant dhcp-key wildcard * ANY;
idnszoneactive: FALSE
objectclass: top, idnsrecord, idnszone
Number of entries returned 1
[root@ipa0 export-ipa-data]# ipa dnsrecord-find 12.0.10.in-addr.arpa.
--all
dn: idnsname=12.0.10.in-addr.arpa.,cn=dns,dc=example,dc=com
Record name: @
NS record: ipa0.example.com http://ipa0.example.com., ipa2.example.com http://ipa2.example.com., ipa3.example.com http://ipa3.example.com., hou1-ipa1.example.com http://hou1-ipa1.example.com., sfo1-ipa1.example.com http://sfo1-ipa1.example.com., hou2-ipa1.example.com http://hou2-ipa1.example.com., hq-
ipa1.example.com <http://ipa1.example.com>.,
gcc2-ipa1.example.com http://gcc2-ipa1.example.com.
idnsallowdynupdate: TRUE
idnsallowquery: any;
idnsallowtransfer: none;
idnssoaexpire: 1209600
idnssoaminimum: 3600
idnssoamname: ipa0.example.com.
idnssoarefresh: 3600
idnssoaretry: 900
idnssoarname: hostmaster
idnssoaserial: 1629023582
idnsupdatepolicy: grant EXAMPLE.COM krb5-subdomain 12.0.10.in-addr.arpa. PTR; grant dhcp-key wildcard * ANY;
idnszoneactive: FALSE
objectclass: top, idnsrecord, idnszone
Number of entries returned 1
[root@ipa0 export-ipa-data]# ipa dnsrecord-find 0.0.10.in-addr.arpa. --all
dn: idnsname=0.0.10.in-addr.arpa.,cn=dns,dc=example,dc=com
Record name: @
NS record: ipa0.example.com., ipa2.example.com., ipa3.example.com., hou1-ipa1.example.com., sfo1-ipa1.example.com., hou2-ipa1.example.com., hq-ipa1.example.com., gcc2-ipa1.example.com.
idnsallowdynupdate: TRUE
idnsallowquery: any;
idnsallowtransfer: none;
idnssoaexpire: 1209600
idnssoaminimum: 3600
idnssoamname: ipa0.example.com.
idnssoarefresh: 3600
idnssoaretry: 900
idnssoarname: hostmaster.example.com.
idnssoaserial: 1629023582
idnsupdatepolicy: grant EXAMPLE.COM krb5-subdomain 0.0.10.in-addr.arpa. PTR; grant dhcp-key wildcard * ANY;
idnszoneactive: FALSE
objectclass: top, idnsrecord, idnszone
Number of entries returned 1
[root@ipa0 export-ipa-data]#
On Thu, Aug 19, 2021 at 6:08 PM Kathy Zhu <kzhu@nuro.ai> wrote:
Yes, I want to delete the zone. I tried a few ways, none worked so far.
On Thu, Aug 19, 2021 at 5:15 PM Rob Crittenden <rcritten@redhat.com> wrote:
Do you want to delete the zone?
rob
Kathy Zhu wrote:
Hi Rob,
Thank you! That filter did the trick. There are 9 pTRRecord entries in the zone! See attached for details. What is the safe way to delete those "hidden" records? I assume that the zone can be deleted after those pTRRecord entries are deleted first. Many thanks.
Use ldapdelete to remove the conflicts using the DN, e.g.:
$ ldapdelete -Y GSSAPI idnsName=200+nsuniqueid=0aa41606-f47811ea-9c15fb86-bfdbf4a5,idnsname=15.0.10.in-addr.arpa.,cn=dns,dc=example,dc=com
rob
Kathy.
[root@ipa0 ~]$ ldapsearch -Y GSSAPI -b idnsname=15.0.10.in-addr.arpa.,cn=dns,dc=example,dc=com
SASL/GSSAPI authentication started
SASL username: admin@EXAMPLE.COM
SASL SSF: 256
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <idnsname=15.0.10.in-addr.arpa.,cn=dns,dc=example,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# 15.0.10.in-addr.arpa., dns, example.com
dn: idnsname=15.0.10.in-addr.arpa.,cn=dns,dc=example,dc=com
idnsSOAserial: 1630088951
idnsZoneActive: FALSE
idnsSOAminimum: 3600
idnsSOAexpire: 1209600
idnsSOAretry: 900
idnsSOArefresh: 3600
idnsAllowQuery: any;
idnsSOArName: hostmaster
idnsAllowDynUpdate: TRUE
idnsSOAmName: ipa0.example.com.
idnsName: 15.0.10.in-addr.arpa.
idnsUpdatePolicy: grant EXAMPLE.COM krb5-subdomain 15.0.10.in-addr.arpa. PTR; grant dhcp-key wildcard * ANY;
idnsAllowTransfer: none;
objectClass: top
objectClass: idnsrecord
objectClass: idnszone
nSRecord: ipa0.example.com.
nSRecord: ipa2.example.com.
nSRecord: ipa3.example.com.
nSRecord: hou1-ipa1.example.com.
nSRecord: sfo1-ipa1.example.com.
nSRecord: hou2-ipa1.example.com.
nSRecord: hq-ipa1.example.com.
nSRecord: gcc2-ipa1.example.com.
# search result
search: 4
result: 0 Success
# numResponses: 2
# numEntries: 1
[root@ipa0 ~]$ ldapsearch -Y GSSAPI -b idnsname=15.0.10.in-addr.arpa.,cn=dns,dc=example,dc=com '(objectclass=ldapsubentry)'
SASL/GSSAPI authentication started
SASL username: admin@EXAMPLE.COM
SASL SSF: 256
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <idnsname=15.0.10.in-addr.arpa.,cn=dns,dc=example,dc=com> with scope subtree
# filter: (objectclass=ldapsubentry)
# requesting: ALL
#
# 200 + 0aa41606-f47811ea-9c15fb86-bfdbf4a5, 15.0.10.in-addr.arpa., dns, example.com
dn: idnsName=200+nsuniqueid=0aa41606-f47811ea-9c15fb86-bfdbf4a5,idnsname=15.0.10.in-addr.arpa.,cn=dns,dc=example,dc=com
pTRRecord: user9-laptop.example.com.
dNSTTL: 300
objectClass: idnsRecord
objectClass: top
objectClass: ldapsubentry
idnsName: 200
# 155 + f3e40606-f6a711ea-9c15fb86-bfdbf4a5, 15.0.10.in-addr.arpa., dns, example.com
dn: idnsName=155+nsuniqueid=f3e40606-f6a711ea-9c15fb86-bfdbf4a5,idnsname=15.0.10.in-addr.arpa.,cn=dns,dc=example,dc=com
pTRRecord: user7-laptop.example.com.
dNSTTL: 300
objectClass: idnsRecord
objectClass: top
objectClass: ldapsubentry
idnsName: 155
# 183 + c0f24006-f6b011ea-9c15fb86-bfdbf4a5, 15.0.10.in-addr.arpa., dns, example.com
dn: idnsName=183+nsuniqueid=c0f24006-f6b011ea-9c15fb86-bfdbf4a5,idnsname=15.0.10.in-addr.arpa.,cn=dns,dc=example,dc=com
pTRRecord: DESKTOP-test.example.com.
dNSTTL: 300
objectClass: idnsRecord
objectClass: top
objectClass: ldapsubentry
idnsName: 183
# 101 + 4a137207-f6c511ea-9c15fb86-bfdbf4a5, 15.0.10.in-addr.arpa., dns, example.com
dn: idnsName=101+nsuniqueid=4a137207-f6c511ea-9c15fb86-bfdbf4a5,idnsname=15.0.10.in-addr.arpa.,cn=dns,dc=example,dc=com
pTRRecord: test-laptop.example.com.
dNSTTL: 300
objectClass: idnsRecord
objectClass: top
objectClass: ldapsubentry
idnsName: 101
# 74 + 1ccac207-f6cd11ea-9c15fb86-bfdbf4a5, 15.0.10.in-addr.arpa., dns, example.com
dn: idnsName=74+nsuniqueid=1ccac207-f6cd11ea-9c15fb86-bfdbf4a5,idnsname=15.0.10.in-addr.arpa.,cn=dns,dc=example,dc=com
pTRRecord: jsmith-laptop.example.com.
dNSTTL: 300
objectClass: idnsRecord
objectClass: top
objectClass: ldapsubentry
idnsName: 74
# 63 + bdd08006-f79411ea-9c15fb86-bfdbf4a5, 15.0.10.in-addr.arpa., dns, example.com
dn: idnsName=63+nsuniqueid=bdd08006-f79411ea-9c15fb86-bfdbf4a5,idnsname=15.0.10.in-addr.arpa.,cn=dns,dc=example,dc=com
pTRRecord: kwang-laptop.example.com.
dNSTTL: 300
objectClass: idnsRecord
objectClass: top
objectClass: ldapsubentry
idnsName: 63
# 160 + ea49d205-f85011ea-9c15fb86-bfdbf4a5, 15.0.10.in-addr.arpa., dns, example.com
dn: idnsName=160+nsuniqueid=ea49d205-f85011ea-9c15fb86-bfdbf4a5,idnsname=15.0.10.in-addr.arpa.,cn=dns,dc=example,dc=com
pTRRecord: john-laptop.example.com.
dNSTTL: 300
objectClass: idnsRecord
objectClass: top
objectClass: ldapsubentry
idnsName: 160
# 32 + e7f77005-f87011ea-9c15fb86-bfdbf4a5, 15.0.10.in-addr.arpa., dns, example.com
dn: idnsName=32+nsuniqueid=e7f77005-f87011ea-9c15fb86-bfdbf4a5,idnsname=15.0.10.in-addr.arpa.,cn=dns,dc=example,dc=com
pTRRecord: key10-laptop.example.com.
dNSTTL: 300
objectClass: idnsRecord
objectClass: top
objectClass: ldapsubentry
idnsName: 32
# 66 + 3fc5b812-c04911eb-b84afb86-bfdbf4a5, 15.0.10.in-addr.arpa., dns, example.com
dn: idnsName=66+nsuniqueid=3fc5b812-c04911eb-b84afb86-bfdbf4a5,idnsname=15.0.10.in-addr.arpa.,cn=dns,dc=example,dc=com
pTRRecord: load8-laptop.example.com.
dNSTTL: 300
objectClass: idnsRecord
objectClass: top
objectClass: ldapsubentry
idnsName: 66
# search result
search: 4
result: 0 Success
# numResponses: 10
# numEntries: 9
[root@ipa0 ~]$
On Fri, Aug 27, 2021 at 9:58 AM Rob Crittenden <rcritten@redhat.com> wrote:
Kathy Zhu wrote:
> Hi Rob,
> There are 5 more reverse zones which can not be deleted as well. IPA said "Not allowed on non-leaf entry". Though that is the same complaint, however, there are no "glue, extensibleobject" objectclasses associated with those 5 zones. Please see attached for details. I like to have those deleted as well.
389 seems to think there are records under those even though IPA isn't seeing them. 389 doesn't show conflict values.
I think I'd try ldapsearch to see if there is anything below it.
kinit admin
ldapsearch -Y GSSAPI -b idnsname=15.0.10.in-addr.arpa.,cn=dns,dc=example,dc=com
If nothing then add this filter to the end, '(objectclass=ldapsubentry)'
rob
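A defender-side helper for the two steps Rob describes (search the zone with the `(objectclass=ldapsubentry)` filter, then remove the conflict entries by DN), added here as an example and not code from the thread or from FreeIPA: it parses saved ldapsearch output, separates the hidden conflict subentries (RDN carrying `+nsuniqueid=`, objectClass `ldapsubentry`) from real child records, and writes an LDIF delete changeset to review instead of deleting anything itself. The `idnsname=7` / `printer.example.com.` child record in the embedded sample is hypothetical; feeding the changeset to `ldapmodify` is equivalent to Rob's `ldapdelete` run once per DN.

```python
import base64
import re
from typing import Dict, Iterator, List, Tuple

Entry = Dict[str, List[str]]

# Constructed sample: the zone entry, two conflict subentries from the thread
# (the first DN folded as ldapsearch folds long lines, continuation line
# prefixed by one space) and a hypothetical real child record (idnsname=7).
SAMPLE_LDIF = """\
# 15.0.10.in-addr.arpa., dns, example.com
dn: idnsname=15.0.10.in-addr.arpa.,cn=dns,dc=example,dc=com
objectClass: idnsrecord
objectClass: idnszone

dn: idnsName=200+nsuniqueid=0aa41606-f47811ea-9c15fb86-bfdbf4a5,idnsname=15.
 0.10.in-addr.arpa.,cn=dns,dc=example,dc=com
pTRRecord: user9-laptop.example.com.
objectClass: idnsRecord
objectClass: top
objectClass: ldapsubentry
idnsName: 200

dn: idnsName=155+nsuniqueid=f3e40606-f6a711ea-9c15fb86-bfdbf4a5,idnsname=15.0.10.in-addr.arpa.,cn=dns,dc=example,dc=com
pTRRecord: user7-laptop.example.com.
objectClass: idnsRecord
objectClass: top
objectClass: ldapsubentry
idnsName: 155

dn: idnsname=7,idnsname=15.0.10.in-addr.arpa.,cn=dns,dc=example,dc=com
pTRRecord: printer.example.com.
objectClass: idnsrecord
idnsName: 7

search: 2
result: 0 Success
"""

# 389 DS renames the losing entry of a conflict by adding nsuniqueid to its RDN.
CONFLICT_RDN = re.compile(r"\+nsuniqueid=[0-9a-f-]+", re.IGNORECASE)
FIRST_RDN = re.compile(r"(?:\\.|[^,])*")  # RDN: up to the first unescaped comma


def unfold(ldif: str) -> Iterator[str]:
    """Yield logical LDIF lines, joining space-prefixed continuation lines."""
    buf = None
    for raw in ldif.splitlines():
        if raw.startswith(" ") and buf is not None:
            buf += raw[1:]
            continue
        if buf is not None:
            yield buf
        buf = raw
    if buf is not None:
        yield buf


def parse_ldif(ldif: str) -> List[Entry]:
    """Parse ldapsearch output into {attr_lowercase: [values]} dicts (dn required)."""
    entries: List[Entry] = []
    cur: Entry = {}
    for line in unfold(ldif):
        if line == "":  # blank line ends an entry
            if cur:
                entries.append(cur)
            cur = {}
        elif not line.startswith("#"):  # skip ldapsearch comments
            attr, sep, value = line.partition(":")
            if sep and value.startswith(":"):  # 'attr:: <base64>'
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            if sep:
                cur.setdefault(attr.lower(), []).append(value.strip())
    if cur:
        entries.append(cur)
    return [e for e in entries if "dn" in e]  # drops the search:/result: trailer


def is_conflict_entry(entry: Entry) -> bool:
    """True for a conflict entry: hidden ldapsubentry with nsuniqueid in its RDN."""
    rdn = FIRST_RDN.match(entry["dn"][0]).group(0)
    classes = {c.lower() for c in entry.get("objectclass", [])}
    return "ldapsubentry" in classes and bool(CONFLICT_RDN.search(rdn))


def audit_zone(ldif: str, zone_dn: str) -> Tuple[List[str], List[str]]:
    """Split the entries below zone_dn into (conflict DNs, real child DNs)."""
    conflicts: List[str] = []
    real: List[str] = []
    for entry in parse_ldif(ldif):
        dn = entry["dn"][0]
        if dn.lower().endswith("," + zone_dn.lower()):  # excludes the zone itself
            (conflicts if is_conflict_entry(entry) else real).append(dn)
    return conflicts, real


def delete_changeset(dns: List[str]) -> str:
    """LDIF for 'ldapmodify -Y GSSAPI -f review.ldif': one delete record per DN."""
    return "".join(f"dn: {dn}\nchangetype: delete\n\n" for dn in dns)
```

Against a live server, save the output of the two ldapsearch runs to a file and call `audit_zone(open("zone.ldif").read(), zone_dn)`; only when the returned list of real child records is empty does the changeset leave nothing behind but the (now deletable) zone entry.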
Hi Rob,
After deleting those hidden records inside the zones, I deleted those zones smoothly. Remember the 1.1.10.in-addr.arpa. zone which was marked with glue=true? There was one hidden PTR record inside the zone. After that record was deleted, the 1.1.10.in-addr.arpa. zone disappeared by itself :-). Thank you so much for your help! Have a great weekend!
Kathy.
On Fri, Aug 27, 2021 at 1:43 PM Rob Crittenden rcritten@redhat.com wrote:
> <http://ipa3.example.com>., hou1-ipa1.example.com <http://hou1-ipa1.example.com> > <http://hou1-ipa1.example.com>., sfo1-ipa1.example.com <http://sfo1-ipa1.example.com> > <http://sfo1-ipa1.example.com>., hou2-ipa1.example.com <http://hou2-ipa1.example.com> > <http://hou2-ipa1.example.com>., hq- > > ipa1.example.com <http://ipa1.example.com> <http://ipa1.example.com>., > gcc2-ipa1.example.com <http://gcc2-ipa1.example.com> <http://gcc2-ipa1.example.com>. > > idnsallowdynupdate: TRUE > > idnsallowquery: any; > > idnsallowtransfer: none; > > idnssoaexpire: 1209600 > > idnssoaminimum: 3600 > > idnssoamname: ipa0.example.com <http://ipa0.example.com> <http://ipa0.example.com>. > > idnssoarefresh: 3600 > > idnssoaretry: 900 > > idnssoarname: hostmaster.example.com <http://hostmaster.example.com> <http://hostmaster.example.com>. > > idnssoaserial: 1629023582 > > idnsupdatepolicy: grant EXAMPLE.COM <http://EXAMPLE.COM> <http://EXAMPLE.COM> > krb5-subdomain 0.0.10.in-addr.arpa. PTR; grant dhcp-key wildcard * ANY; > > idnszoneactive: FALSE > > objectclass: top, idnsrecord, idnszone > > ---------------------------- > > Number of entries returned 1 > > ---------------------------- > > [root@ipa0 export-ipa-data]# > > > On Thu, Aug 19, 2021 at 6:08 PM Kathy Zhu <kzhu@nuro.ai <mailto:kzhu@nuro.ai> > <mailto:kzhu@nuro.ai <mailto:kzhu@nuro.ai>>> wrote: > > Yes, I want to delete the zone. I tried a few ways, none worked so far. > > On Thu, Aug 19, 2021 at 5:15 PM Rob Crittenden <rcritten@redhat.com <mailto:rcritten@redhat.com> > <mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>>>
wrote:
> > Kathy Zhu via FreeIPA-users wrote: > > Hi List, > > > > When I run ipa-healthcheck on all of our ipa servers, they all > reported > > following: > > > > [root@ipa0 ~]# ipa-healthcheck --failures-only --output-type human > > > > ERROR: > > >
ipahealthcheck.ds.replication.ReplicationConflictCheck.idnsname=1.1.10.in-addr.arpa.,cn=dns,dc=example,dc=com:
> > Replication conflict > > > > [root@ipa0 ~]# > > > > [root@ipa0 ~]# ipa-healthcheck --failures-only > > > > [ > > > > { > > > > "source": "ipahealthcheck.ds.replication", > > > > "kw": { > > > > "msg": "Replication conflict", > > > > "glue": true, > > > > "conflict": "deletedEntryHasChildren", > > > > "key": > "idnsname=1.1.10.in-addr.arpa.,cn=dns,dc=example,dc=com" > > > > }, > > > > "uuid": "3027f742-4b7b-4a20-9650-a5a030699480", > > > > "duration": "0.002318", > > > > "when": "20210819234114Z", > > > > "check": "ReplicationConflictCheck", > > > > "result": "ERROR" > > > > } > > > > ] > > > > [root@ipa0 ~]# > > > > [root@ipa0 ~]# ipa dnsrecord-find 1.1.10.in-addr.arpa. > > --sizelimit=99999 --all --structured > > > > dn:
idnsname=1.1.10.in-addr.arpa.,cn=dns,dc=example,dc=com
> > > > Record name: @ > > > > Records: > > > > Record type: NS > > > > Record data: ipa1.example.com <http://ipa1.example.com> <http://ipa1.example.com> > <http://ipa1.example.com>. > > > > NS Hostname: ipa1.example.com <http://ipa1.example.com> <http://ipa1.example.com> > <http://ipa1.example.com>. > > > > idnsallowdynupdate: TRUE > > > > idnsallowquery: any; > > > > idnsallowtransfer: none; > > > > idnssoaexpire: 1209600 > > > > idnssoaminimum: 3600 > > > > idnssoamname: ipa0.example.com <http://ipa0.example.com> <http://ipa0.example.com> > <http://ipa0.example.com>. > > > > idnssoarefresh: 3600 > > > > idnssoaretry: 900 > > > > idnssoarname: hostmaster > > > > idnssoaserial: 1629023582 > > > > idnsupdatepolicy: grant EXAMPLE.COM <http://EXAMPLE.COM> <http://EXAMPLE.COM> > <http://EXAMPLE.COM> > > krb5-subdomain 1.1.10.in-addr.arpa. PTR; grant dhcp-key > wildcard * ANY; > > > > idnszoneactive: FALSE > > > > objectclass: top, idnsrecord, idnszone, glue, extensibleobject > > > > ---------------------------- > > > > Number of entries returned 1 > > > > ---------------------------- > > > > [root@ipa0 ~]# > > > > > > Notice above, glue is true! After googling, I found following: > > > > > > >
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/htm...
> > > > > > >
https://access.redhat.com/documentation/en-us/red_hat_directory_server/10/ht...
> > > > > > The explanation made sense to me. However, I do not know what > happened > > to get us into this situation. > > > > > > A good zone displays objectclass like this: > > > > > > objectclass: top, idnsrecord, idnszone > > > > > > > > Note, no "glue, extensibleobject" there. > > > > > > This zone can not be deleted since "Not allowed on
non-leaf
> entry". Any > > ideas to delete this zone? > > Do you want to delete the zone? > > rob >
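An added example, not code from this thread or from FreeIPA: a small Python audit that parses the `ipa dnsrecord-find <zone> --all` output layout quoted above and flags zone entries whose objectclass carries the replication-conflict markers (glue, extensibleobject), plus a filter over `ipa-healthcheck --failures-only` JSON that lists the same conflicts, so the check the poster did by eye on one zone can be run across all of them. Both sample inputs are constructed from the values shown in the thread.

```python
import json

# Constructed sample in the `ipa dnsrecord-find <zone> --all` layout shown in the thread:
# a healthy reverse zone followed by one carrying the replication-conflict classes.
SAMPLE_FIND_OUTPUT = """\
dn: idnsname=15.0.10.in-addr.arpa.,cn=dns,dc=example,dc=com
Record name: @
idnszoneactive: FALSE
objectclass: top, idnsrecord, idnszone
----------------------------
Number of entries returned 1
----------------------------
dn: idnsname=1.1.10.in-addr.arpa.,cn=dns,dc=example,dc=com
objectclass: top, idnsrecord, idnszone, glue, extensibleobject
----------------------------
"""
# Constructed `ipa-healthcheck --failures-only` JSON, shaped like the thread's output.
SAMPLE_HEALTHCHECK = json.dumps([{
    "source": "ipahealthcheck.ds.replication", "check": "ReplicationConflictCheck",
    "kw": {"msg": "Replication conflict", "glue": True,
           "conflict": "deletedEntryHasChildren",
           "key": "idnsname=1.1.10.in-addr.arpa.,cn=dns,dc=example,dc=com"}}])
# Object classes 389-ds attaches to a conflict (glue) entry; a clean zone has neither.
CONFLICT_CLASSES = {"glue", "extensibleobject"}

def parse_entries(text):
    """Split dnsrecord-find output into one dict per `dn:` block, keys lowercased."""
    entries, current = [], None
    for line in text.splitlines():
        if line.startswith("dn: "):
            current = {"dn": line[4:].strip()}
            entries.append(current)
        elif current is not None and ": " in line and not line.startswith("-"):
            key, value = line.split(": ", 1)
            current[key.strip().lower()] = value.strip()
    return entries

def glue_zones(text):
    """Return DNs whose objectclass list contains a conflict class."""
    flagged = []
    for entry in parse_entries(text):
        classes = {c.strip().lower() for c in entry.get("objectclass", "").split(",")}
        if classes & CONFLICT_CLASSES:
            flagged.append(entry["dn"])
    return flagged

def healthcheck_conflicts(report_json):
    """Return (entry DN, conflict type) for each glue conflict the healthcheck reported."""
    return [(r["kw"]["key"], r["kw"]["conflict"]) for r in json.loads(report_json)
            if r.get("check") == "ReplicationConflictCheck" and r["kw"].get("glue")]
```

Feeding the concatenated output of `ipa dnsrecord-find` for every zone into `glue_zones` and comparing the result with `healthcheck_conflicts` shows whether the healthcheck and the zone listing agree on which entries are conflict glue.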
freeipa-users@lists.fedorahosted.org