Kathy Zhu wrote:
> Hi Rob,
>
> There are 5 more reverse zones which can not be deleted as well. IPA
> said "Not allowed on non-leaf entry". Though that is the same complaint,
> however, there are no "glue, extensibleobject" objectclasses associated
> with those 5 zones. Please see attached for details. I like to have
> those deleted as well.

389 seems to think there are records under those even though IPA isn't
seeing them. 389 doesn't show conflict values.

I think I'd try ldapsearch to see if there is anything below it.

kinit admin
ldapsearch -Y GSSAPI -b idnsname=15.0.10.in-addr.arpa.,cn=dns,dc=example,dc=com

If nothing then add this filter to the end, '(objectclass=ldapsubentry)'

rob

> Thanks.
>
> Kathy.
>
> [root@ipa0 export-ipa-data]# ipa dnsrecord-find 15.0.10.in-addr.arpa. --all
>   dn: idnsname=15.0.10.in-addr.arpa.,cn=dns,dc=example,dc=com
>   Record name: @
>   NS record: ipa0.example.com., ipa2.example.com., ipa3.example.com., hou1-ipa1.example.com., sfo1-ipa1.example.com., hou2-ipa1.example.com., hq-ipa1.example.com., gcc2-ipa1.example.com.
>   idnsallowdynupdate: TRUE
>   idnsallowquery: any;
>   idnsallowtransfer: none;
>   idnssoaexpire: 1209600
>   idnssoaminimum: 3600
>   idnssoamname: ipa0.example.com.
>   idnssoarefresh: 3600
>   idnssoaretry: 900
>   idnssoarname: hostmaster
>   idnssoaserial: 1629023582
>   idnsupdatepolicy: grant EXAMPLE.COM krb5-subdomain 15.0.10.in-addr.arpa. PTR; grant dhcp-key wildcard * ANY;
>   idnszoneactive: FALSE
>   objectclass: top, idnsrecord, idnszone
> ----------------------------
> Number of entries returned 1
> ----------------------------
> [root@ipa0 export-ipa-data]# ipa dnsrecord-find 14.0.10.in-addr.arpa. --all
>   dn: idnsname=14.0.10.in-addr.arpa.,cn=dns,dc=example,dc=com
>   Record name: @
>   NS record: ipa0.example.com., ipa2.example.com., ipa3.example.com., hou1-ipa1.example.com., sfo1-ipa1.example.com., hou2-ipa1.example.com., hq-ipa1.example.com., gcc2-ipa1.example.com.
>   idnsallowdynupdate: TRUE
>   idnsallowquery: any;
>   idnsallowtransfer: none;
>   idnssoaexpire: 1209600
>   idnssoaminimum: 3600
>   idnssoamname: ipa0.example.com.
>   idnssoarefresh: 3600
>   idnssoaretry: 900
>   idnssoarname: hostmaster
>   idnssoaserial: 1629023582
>   idnsupdatepolicy: grant EXAMPLE.COM krb5-subdomain 14.0.10.in-addr.arpa. PTR; grant dhcp-key wildcard * ANY;
>   idnszoneactive: FALSE
>   objectclass: top, idnsrecord, idnszone
> ----------------------------
> Number of entries returned 1
> ----------------------------
> [root@ipa0 export-ipa-data]# ipa dnsrecord-find 13.0.10.in-addr.arpa. --all
>   dn: idnsname=13.0.10.in-addr.arpa.,cn=dns,dc=example,dc=com
>   Record name: @
>   NS record: ipa0.example.com., ipa2.example.com., ipa3.example.com., hou1-ipa1.example.com., sfo1-ipa1.example.com., hou2-ipa1.example.com., hq-ipa1.example.com., gcc2-ipa1.example.com.
>   idnsallowdynupdate: TRUE
>   idnsallowquery: any;
>   idnsallowtransfer: none;
>   idnssoaexpire: 1209600
>   idnssoaminimum: 3600
>   idnssoamname: ipa0.example.com.
>   idnssoarefresh: 3600
>   idnssoaretry: 900
>   idnssoarname: hostmaster
>   idnssoaserial: 1629023582
>   idnsupdatepolicy: grant EXAMPLE.COM krb5-subdomain 13.0.10.in-addr.arpa. PTR; grant dhcp-key wildcard * ANY;
>   idnszoneactive: FALSE
>   objectclass: top, idnsrecord, idnszone
> ----------------------------
> Number of entries returned 1
> ----------------------------
> [root@ipa0 export-ipa-data]# ipa dnsrecord-find 12.0.10.in-addr.arpa. --all
>   dn: idnsname=12.0.10.in-addr.arpa.,cn=dns,dc=example,dc=com
>   Record name: @
>   NS record: ipa0.example.com., ipa2.example.com., ipa3.example.com., hou1-ipa1.example.com., sfo1-ipa1.example.com., hou2-ipa1.example.com., hq-ipa1.example.com., gcc2-ipa1.example.com.
>   idnsallowdynupdate: TRUE
>   idnsallowquery: any;
>   idnsallowtransfer: none;
>   idnssoaexpire: 1209600
>   idnssoaminimum: 3600
>   idnssoamname: ipa0.example.com.
>   idnssoarefresh: 3600
>   idnssoaretry: 900
>   idnssoarname: hostmaster
>   idnssoaserial: 1629023582
>   idnsupdatepolicy: grant EXAMPLE.COM krb5-subdomain 12.0.10.in-addr.arpa. PTR; grant dhcp-key wildcard * ANY;
>   idnszoneactive: FALSE
>   objectclass: top, idnsrecord, idnszone
> ----------------------------
> Number of entries returned 1
> ----------------------------
> [root@ipa0 export-ipa-data]# ipa dnsrecord-find 0.0.10.in-addr.arpa. --all
>   dn: idnsname=0.0.10.in-addr.arpa.,cn=dns,dc=example,dc=com
>   Record name: @
>   NS record: ipa0.example.com., ipa2.example.com., ipa3.example.com., hou1-ipa1.example.com., sfo1-ipa1.example.com., hou2-ipa1.example.com., hq-ipa1.example.com., gcc2-ipa1.example.com.
>   idnsallowdynupdate: TRUE
>   idnsallowquery: any;
>   idnsallowtransfer: none;
>   idnssoaexpire: 1209600
>   idnssoaminimum: 3600
>   idnssoamname: ipa0.example.com.
>   idnssoarefresh: 3600
>   idnssoaretry: 900
>   idnssoarname: hostmaster.example.com.
>   idnssoaserial: 1629023582
>   idnsupdatepolicy: grant EXAMPLE.COM krb5-subdomain 0.0.10.in-addr.arpa. PTR; grant dhcp-key wildcard * ANY;
>   idnszoneactive: FALSE
>   objectclass: top, idnsrecord, idnszone
> ----------------------------
> Number of entries returned 1
> ----------------------------
> [root@ipa0 export-ipa-data]#
>
> On Thu, Aug 19, 2021 at 6:08 PM Kathy Zhu <k...@nuro.ai> wrote:
>
> > Yes, I want to delete the zone. I tried a few ways, none worked so far.
> >
> > On Thu, Aug 19, 2021 at 5:15 PM Rob Crittenden <rcrit...@redhat.com> wrote:
> >
> > > Kathy Zhu via FreeIPA-users wrote:
> > > > Hi List,
> > > >
> > > > When I run ipa-healthcheck on all of our ipa servers, they all reported
> > > > following:
> > > >
> > > > [root@ipa0 ~]# ipa-healthcheck --failures-only --output-type human
> > > > ERROR: ipahealthcheck.ds.replication.ReplicationConflictCheck.idnsname=1.1.10.in-addr.arpa.,cn=dns,dc=example,dc=com: Replication conflict
> > > > [root@ipa0 ~]#
> > > > [root@ipa0 ~]# ipa-healthcheck --failures-only
> > > > [
> > > >   {
> > > >     "source": "ipahealthcheck.ds.replication",
> > > >     "kw": {
> > > >       "msg": "Replication conflict",
> > > >       "glue": true,
> > > >       "conflict": "deletedEntryHasChildren",
> > > >       "key": "idnsname=1.1.10.in-addr.arpa.,cn=dns,dc=example,dc=com"
> > > >     },
> > > >     "uuid": "3027f742-4b7b-4a20-9650-a5a030699480",
> > > >     "duration": "0.002318",
> > > >     "when": "20210819234114Z",
> > > >     "check": "ReplicationConflictCheck",
> > > >     "result": "ERROR"
> > > >   }
> > > > ]
> > > > [root@ipa0 ~]#
> > > > [root@ipa0 ~]# ipa dnsrecord-find 1.1.10.in-addr.arpa. --sizelimit=99999 --all --structured
> > > >   dn: idnsname=1.1.10.in-addr.arpa.,cn=dns,dc=example,dc=com
> > > >   Record name: @
> > > >   Records:
> > > >     Record type: NS
> > > >     Record data: ipa1.example.com.
> > > >     NS Hostname: ipa1.example.com.
> > > >   idnsallowdynupdate: TRUE
> > > >   idnsallowquery: any;
> > > >   idnsallowtransfer: none;
> > > >   idnssoaexpire: 1209600
> > > >   idnssoaminimum: 3600
> > > >   idnssoamname: ipa0.example.com.
> > > >   idnssoarefresh: 3600
> > > >   idnssoaretry: 900
> > > >   idnssoarname: hostmaster
> > > >   idnssoaserial: 1629023582
> > > >   idnsupdatepolicy: grant EXAMPLE.COM krb5-subdomain 1.1.10.in-addr.arpa. PTR; grant dhcp-key wildcard * ANY;
> > > >   idnszoneactive: FALSE
> > > >   objectclass: top, idnsrecord, idnszone, glue, extensibleobject
> > > > ----------------------------
> > > > Number of entries returned 1
> > > > ----------------------------
> > > > [root@ipa0 ~]#
> > > >
> > > > Notice above, glue is true! After googling, I found following:
> > > >
> > > > https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/identity_management_guide/ipa-replica-manage#Solving_Orphan_Entry_Conflicts
> > > >
> > > > https://access.redhat.com/documentation/en-us/red_hat_directory_server/10/html/administration_guide/managing_replication-solving_common_replication_conflicts#Solving_Common_Replication_Conflicts-Solving_Orphan_Entry_Conflicts
> > > >
> > > > The explanation made sense to me. However, I do not know what happened
> > > > to get us into this situation.
> > > >
> > > > A good zone displays objectclass like this:
> > > >
> > > > objectclass: top, idnsrecord, idnszone
> > > >
> > > > Note, no "glue, extensibleobject" there.
> > > >
> > > > This zone can not be deleted since "Not allowed on non-leaf entry". Any
> > > > ideas to delete this zone?
> > >
> > > Do you want to delete the zone?
> > >
> > > rob

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
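
Added example, not part of the original thread: a shell sketch of the check Rob suggests, looped over the five zones, that lists any entries 389 holds below each zone, first with the default filter and then with '(objectclass=ldapsubentry)'. The function names, the `--probe` switch, the `-LLL -Q -o ldif-wrap=no` output options and the sample LDIF are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.
SUFFIX='cn=dns,dc=example,dc=com'               # DNS container shown in the thread
ZONES='15.0.10 14.0.10 13.0.10 12.0.10 0.0.10'  # the five zones that refuse deletion

# Build the zone entry DN in the form the thread's output shows.
zone_dn() {
  printf 'idnsname=%s.in-addr.arpa.,%s\n' "$1" "$SUFFIX"
}

# Read unwrapped LDIF on stdin and print every DN except the base itself.
# DNs compare case-insensitively, so normalise before comparing.
children_of() {
  awk -v base="$1" '
    BEGIN { base = tolower(base) }
    /^dn: / { dn = substr($0, 5); if (tolower(dn) != base) print dn }'
}

# Two passes per zone: ordinary entries first, then the ldapsubentry
# filter from the thread, which matches entries a default search skips.
probe_zone() {
  dn=$(zone_dn "$1")
  for filter in '(objectclass=*)' '(objectclass=ldapsubentry)'; do
    echo "== $dn $filter"
    # 1.1 requests no attributes: only the DN lines are needed here.
    ldapsearch -LLL -Q -o ldif-wrap=no -Y GSSAPI -b "$dn" "$filter" 1.1 |
      children_of "$dn"
  done
}

# Constructed sample of a first-pass result; the child entry is invented.
SAMPLE='dn: idnsName=15.0.10.in-addr.arpa.,cn=dns,dc=example,dc=com

dn: idnsname=7,idnsname=15.0.10.in-addr.arpa.,cn=dns,dc=example,dc=com'

# Query the directory only when asked; needs a ticket first (kinit admin).
if [ "${1:-}" = "--probe" ]; then
  for z in $ZONES; do probe_zone "$z"; done
fi
```

Any DN printed under a zone is an entry that has to be dealt with before the zone itself stops being a non-leaf entry.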