That's weird. I've now tried a replica install on a fresh VM and it has worked: exact same parameters as before, no "invalid 'dnszoneidnsname': only master zones can contain records". Maybe I had a problem with the previous install failing and me cleaning up/retrying incorrectly.

Never mind...

On Tue, Jan 9, 2018 at 7:45 PM, Martin Basti via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
do you have a traceback in log? I'm curious where exactly this happened, what is your FreeIPA version?

[1] I haven't installed FreeIPA in LXC, but I'm a happy user of FreeIPA running in LXC :-) So it should work.

2018-01-09 11:40 GMT+01:00 Alex Corcoles via FreeIPA-users <freeipa-users@lists.fedorahosted.org>:
Hi Martin,

On Tue, Jan 9, 2018 at 12:46 AM, Martin Basti via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
It looks like the replica is trying to add records to your forward zone. What is the hostname of the replica?

Yeah, it's xxx.h2.int.pdp7.net, which is within the forwarded zone.

I have a dnsmasq acting as DHCP/DNS server in h2.int.pdp7.net to provide automatic network configuration to VMs. It's a non-routable network, so I'm not sure what the right setup would be.

1. What is not working on LXC?

It was something about GSSAPI or something like that; I'll try to reproduce it and start a new thread about that, but I guess it's more of an LXC problem (ideally I would like to run my replica on LXC so it consumes less RAM, but I can live with a full VM).

Cheers,

Álex
 
2018-01-07 12:20 GMT+01:00 Alex Corcoles via FreeIPA-users <freeipa-users@lists.fedorahosted.org>:
Hi,

I'm labbing a FreeIPA environment for personal use, and I'm getting that while bringing up a replica.

I set up my first freeipa-server instance on a cheap VPS on a public IP, intending to make it publicly accessible so I can always authenticate my laptop even on wild public networks.

I'm adding the replica as a VM (1) on Proxmox VE, on a private network with VPN connectivity to the first public freeipa-server, but I'm getting:

2018-01-06T20:56:04Z DEBUG The ipa-replica-install command failed, exception: ValidationError: invalid 'dnszoneidnsname': only master zones can contain records

I'm trying to create the replica with CA and DNS, and I had set up DNS forwarding to the internal DNS on the Proxmox system with:

$ ipa dnsforwardzone-add h2.int.pdp7.net --forwarder=10.42.42.1
$ ipa dnsforwardzone-add --name-from-ip=10.42.42.0/24 --forwarder=10.42.42.1 --forward-policy=only

on the first server (I run dnsmasq on Proxmox VE; 10.42.42.0/24 / h2.int.pdp7.net is the network it manages), and I guess that's messing with the replica, but I'm not sure how to troubleshoot this.

Thoughts? Ideas?

Thanks,

Álex

(1) I can't seem to create a freeipa-replica on an LXC container. Is this something that can be discussed here or should I take it to LXC?

--
   ___
 {~._.~}
  ( Y )
 ()~*~()  mail: alex at corcoles dot net


_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org




--
S pozdravom Martin Bašti.

--
   ___
 {~._.~}
  ( Y )
 ()~*~()  mail: alex at corcoles dot net
 (_)-(_)  http://alex.corcoles.net/