Bug 1357653 - Satellite 6 is not removing PTR dns records from a second DNS in the IPA server.
Summary: Satellite 6 is not removing PTR dns records from a second DNS in the IPA server.
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Satellite 6
Classification: Red Hat
Component: DHCP & DNS
Version: 6.1.9
Hardware: All
OS: Linux
Priority: urgent
Severity: medium
Target Milestone: Unspecified
Assignee: Lukas Zapletal
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2016-07-18 18:48 UTC by Fotios Tsiadimos
Modified: 2017-10-09 19:10 UTC
CC List: 6 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-11-10 20:05:18 UTC



Description Fotios Tsiadimos 2016-07-18 18:48:39 UTC
Description of problem:

Satellite 6 is not removing PTR dns records from the DNS in the IPA server.

Satellite 6 in the Infrastructure --> Domains has only the DNS Capsule option and it is missing the DNS IPA.

When you remove a client from the Satellite, the IPA removes the host but not the PTR record under the IPA server.


Satellite 6.1.9

Comment 3 Ivan Necas 2016-07-20 07:00:15 UTC
Asking Stephen as our IPA integration expert: any idea if this might be a bug, some missing configuration or an RFE of something we have not supported so far?

Comment 4 Stephen Benjamin 2016-07-20 14:00:34 UTC
Satellite doesn't manage the DNS directly when using the Realm feature.  IPA (if configured for DNS) handles this all by itself.  When a host registers it creates A/PTR records, and when it deletes a host it removes them. This sounds like what the customer is trying to use.

I think to get the PTR record deleted, you should:

1. Login to IPA
2. On the Network Services tab, click on DNS and then "DNS Global Configuration."
3. Check the "Allow PTR sync" option.  

If this doesn't work, it could be a bug in IPA but let's try that first.

---
Note, the customer has also enabled the DNS management features of Satellite, but by default in 6.1 this just installs a bind server on their Satellite.  Theoretically it could be configured to manage FreeIPA as well by kerberos, but it's not documented downstream and it's not required as IPA can do it as described above.

I'm not sure what their intention is by configuring that, maybe they did it by mistake.  That is what these "DNS capsule" options are pointing to.  This can be configured to talk to FreeIPA too, but it's not necessary as the realm feature handles everything.

Comment 7 Stephen Benjamin 2016-11-10 20:05:18 UTC
I don't think there's anything for the Satellite team to do here. We are calling the host-del API call, with the 'updatedns' flag.  IdM is not doing the right thing, or the customer's Identity Management server is misconfigured.

There is more information here about dynamic dns updates:

  https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/managing-dynamic-dns-updates.html


There's also more information upstream:
  https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/SyncPTR

The customer can enable DNS updates instead of relying on realm by using the TSIG-GSS nsupdate provider.  This is apparently not documented, but you can see the satellite-installer --help, and set the appropriate --foreman-proxy-dns* settings.  You might want to file a docs bug to get that documented.

    --foreman-proxy-dns-tsig-keytab  Kerberos keytab for DNS updates using GSS-TSIG authentication (default: "/etc/foreman-proxy/dns.keytab")
    --foreman-proxy-dns-tsig-principal  Kerberos principal for DNS updates using GSS-TSIG authentication (default: "foremanproxy/sat-rhel6.example.com@EXAMPLE.COM")
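
An added check for the symptom this bug describes (not code from the bug report or from Satellite/IPA): compare a reverse zone against its forward zone and list the PTR records that no longer have a backing A/AAAA record, so stale PTRs left behind after a host deletion can be spotted before they are cleaned up. Zone contents are constructed sample data in a simplified one-record-per-line format, not a real zone file.

```python
# Added example, not code from the bug report or from Satellite/IPA: list PTR
# records in a reverse zone with no matching forward A/AAAA record, the stale
# state left behind when host deletion does not clean up the PTR. Zone data is
# constructed, one "owner type rdata" record per line, not a real zone file.
import ipaddress

FORWARD_ZONE = """\
client1.example.com. A 192.168.1.10
client2.example.com. A 192.168.1.11
"""
REVERSE_ZONE = """\
10.1.168.192.in-addr.arpa. PTR client1.example.com.
11.1.168.192.in-addr.arpa. PTR client2.example.com.
12.1.168.192.in-addr.arpa. PTR client3.example.com.
13.1.168.192.in-addr.arpa. PTR client1.example.com.
"""

def parse_records(text):
    """Yield (owner, type, rdata); owner and rdata lower-cased, type upper."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            yield parts[0].lower(), parts[1].upper(), parts[2].lower()

def ptr_to_ip(owner):
    """Map a reverse owner name (in-addr.arpa or ip6.arpa) to its address."""
    name = owner.lower().rstrip(".")
    if name.endswith(".in-addr.arpa"):
        octets = name[: -len(".in-addr.arpa")].split(".")
        return str(ipaddress.IPv4Address(".".join(reversed(octets))))
    if name.endswith(".ip6.arpa"):
        nibbles = name[: -len(".ip6.arpa")].split(".")  # 32 reversed nibbles
        return str(ipaddress.IPv6Address(int("".join(reversed(nibbles)), 16)))
    raise ValueError(f"not a reverse name: {owner}")

def stale_ptrs(forward_text, reverse_text):
    """Return (ptr_owner, target, ip, reason) for each PTR the forward zone does
    not back: 'missing' (no A/AAAA for target) or 'mismatch' (other addresses)."""
    forward = {}
    for owner, rtype, rdata in parse_records(forward_text):
        if rtype in ("A", "AAAA"):
            forward.setdefault(owner, set()).add(str(ipaddress.ip_address(rdata)))
    stale = []
    for owner, rtype, target in parse_records(reverse_text):
        if rtype != "PTR":
            continue
        ip = ptr_to_ip(owner)
        addrs = forward.get(target, set())
        if ip not in addrs:
            stale.append((owner, target, ip, "missing" if not addrs else "mismatch"))
    return stale
```

With the sample zones, the two entries reported are the PTR for 192.168.1.12 (client3 has no forward record) and the PTR for 192.168.1.13 (client1 resolves only to 192.168.1.10).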

