Hi Rob,

Thank you! That filter did the trick. There are 9 pTRRecord entries in the zone!
See attached for details. What is the safe way to delete those "hidden"
records? I assume that the zone can be deleted after those pTRRecord entries
have been deleted first. Many thanks.

Kathy.

[root@ipa0 ~]$ ldapsearch -Y GSSAPI -b idnsname=15.0.10.in-addr.arpa.,cn=dns,dc=example,dc=com
SASL/GSSAPI authentication started
SASL username: [email protected]
SASL SSF: 256
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <idnsname=15.0.10.in-addr.arpa.,cn=dns,dc=example,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# 15.0.10.in-addr.arpa., dns, example.com
dn: idnsname=15.0.10.in-addr.arpa.,cn=dns,dc=example,dc=com
idnsSOAserial: 1630088951
idnsZoneActive: FALSE
idnsSOAminimum: 3600
idnsSOAexpire: 1209600
idnsSOAretry: 900
idnsSOArefresh: 3600
idnsAllowQuery: any;
idnsSOArName: hostmaster
idnsAllowDynUpdate: TRUE
idnsSOAmName: ipa0.example.com.
idnsName: 15.0.10.in-addr.arpa.
idnsUpdatePolicy: grant EXAMPLE.COM krb5-subdomain 15.0.10.in-addr.arpa. PTR; grant dhcp-key wildcard * ANY;
idnsAllowTransfer: none;
objectClass: top
objectClass: idnsrecord
objectClass: idnszone
nSRecord: ipa0.example.com.
nSRecord: ipa2.example.com.
nSRecord: ipa3.example.com.
nSRecord: hou1-ipa1.example.com.
nSRecord: sfo1-ipa1.example.com.
nSRecord: hou2-ipa1.example.com.
nSRecord: hq-ipa1.example.com.
nSRecord: gcc2-ipa1.example.com.

# search result
search: 4
result: 0 Success

# numResponses: 2
# numEntries: 1

[root@ipa0 ~]$ ldapsearch -Y GSSAPI -b idnsname=15.0.10.in-addr.arpa.,cn=dns,dc=example,dc=com '(objectclass=ldapsubentry)'
SASL/GSSAPI authentication started
SASL username: [email protected]
SASL SSF: 256
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <idnsname=15.0.10.in-addr.arpa.,cn=dns,dc=example,dc=com> with scope subtree
# filter: (objectclass=ldapsubentry)
# requesting: ALL
#

# 200 + 0aa41606-f47811ea-9c15fb86-bfdbf4a5, 15.0.10.in-addr.arpa., dns, example.com
dn: idnsName=200+nsuniqueid=0aa41606-f47811ea-9c15fb86-bfdbf4a5,idnsname=15.0.10.in-addr.arpa.,cn=dns,dc=example,dc=com
pTRRecord: user9-laptop.example.com.
dNSTTL: 300
objectClass: idnsRecord
objectClass: top
objectClass: ldapsubentry
idnsName: 200

# 155 + f3e40606-f6a711ea-9c15fb86-bfdbf4a5, 15.0.10.in-addr.arpa., dns, example.com
dn: idnsName=155+nsuniqueid=f3e40606-f6a711ea-9c15fb86-bfdbf4a5,idnsname=15.0.10.in-addr.arpa.,cn=dns,dc=example,dc=com
pTRRecord: user7-laptop.example.com.
dNSTTL: 300
objectClass: idnsRecord
objectClass: top
objectClass: ldapsubentry
idnsName: 155

# 183 + c0f24006-f6b011ea-9c15fb86-bfdbf4a5, 15.0.10.in-addr.arpa., dns, example.com
dn: idnsName=183+nsuniqueid=c0f24006-f6b011ea-9c15fb86-bfdbf4a5,idnsname=15.0.10.in-addr.arpa.,cn=dns,dc=example,dc=com
pTRRecord: DESKTOP-test.example.com.
dNSTTL: 300
objectClass: idnsRecord
objectClass: top
objectClass: ldapsubentry
idnsName: 183

# 101 + 4a137207-f6c511ea-9c15fb86-bfdbf4a5, 15.0.10.in-addr.arpa., dns, example.com
dn: idnsName=101+nsuniqueid=4a137207-f6c511ea-9c15fb86-bfdbf4a5,idnsname=15.0.10.in-addr.arpa.,cn=dns,dc=example,dc=com
pTRRecord: test-laptop.example.com.
dNSTTL: 300
objectClass: idnsRecord
objectClass: top
objectClass: ldapsubentry
idnsName: 101

# 74 + 1ccac207-f6cd11ea-9c15fb86-bfdbf4a5, 15.0.10.in-addr.arpa., dns, example.com
dn: idnsName=74+nsuniqueid=1ccac207-f6cd11ea-9c15fb86-bfdbf4a5,idnsname=15.0.10.in-addr.arpa.,cn=dns,dc=example,dc=com
pTRRecord: jsmith-laptop.example.com.
dNSTTL: 300
objectClass: idnsRecord
objectClass: top
objectClass: ldapsubentry
idnsName: 74

# 63 + bdd08006-f79411ea-9c15fb86-bfdbf4a5, 15.0.10.in-addr.arpa., dns, example.com
dn: idnsName=63+nsuniqueid=bdd08006-f79411ea-9c15fb86-bfdbf4a5,idnsname=15.0.10.in-addr.arpa.,cn=dns,dc=example,dc=com
pTRRecord: kwang-laptop.example.com.
dNSTTL: 300
objectClass: idnsRecord
objectClass: top
objectClass: ldapsubentry
idnsName: 63

# 160 + ea49d205-f85011ea-9c15fb86-bfdbf4a5, 15.0.10.in-addr.arpa., dns, example.com
dn: idnsName=160+nsuniqueid=ea49d205-f85011ea-9c15fb86-bfdbf4a5,idnsname=15.0.10.in-addr.arpa.,cn=dns,dc=example,dc=com
pTRRecord: john-laptop.example.com.
dNSTTL: 300
objectClass: idnsRecord
objectClass: top
objectClass: ldapsubentry
idnsName: 160

# 32 + e7f77005-f87011ea-9c15fb86-bfdbf4a5, 15.0.10.in-addr.arpa., dns, example.com
dn: idnsName=32+nsuniqueid=e7f77005-f87011ea-9c15fb86-bfdbf4a5,idnsname=15.0.10.in-addr.arpa.,cn=dns,dc=example,dc=com
pTRRecord: key10-laptop.example.com.
dNSTTL: 300
objectClass: idnsRecord
objectClass: top
objectClass: ldapsubentry
idnsName: 32

# 66 + 3fc5b812-c04911eb-b84afb86-bfdbf4a5, 15.0.10.in-addr.arpa., dns, example.com
dn: idnsName=66+nsuniqueid=3fc5b812-c04911eb-b84afb86-bfdbf4a5,idnsname=15.0.10.in-addr.arpa.,cn=dns,dc=example,dc=com
pTRRecord: load8-laptop.example.com.
dNSTTL: 300
objectClass: idnsRecord
objectClass: top
objectClass: ldapsubentry
idnsName: 66

# search result
search: 4
result: 0 Success

# numResponses: 10
# numEntries: 9
[root@ipa0 ~]$

On Fri, Aug 27, 2021 at 9:58 AM Rob Crittenden <[email protected]> wrote:

> Kathy Zhu wrote:
> > Hi Rob,
> >
> > There are 5 more reverse zones which cannot be deleted as well. IPA
> > said "Not allowed on non-leaf entry". Although that is the same complaint,
> > there are no "glue, extensibleobject" objectclasses associated
> > with those 5 zones. Please see attached for details. I would like to have
> > those deleted as well.
>
> 389 seems to think there are records under those even though IPA isn't
> seeing them. 389 doesn't show conflict values. I think I'd try
> ldapsearch to see if there is anything below it.
>
> kinit admin
> ldapsearch -Y GSSAPI -b idnsname=15.0.10.in-addr.arpa.,cn=dns,dc=example,dc=com
>
> If nothing then add this filter to the end, '(objectclass=ldapsubentry)'
>
> rob
>
> >
> > Thanks.
> >
> > Kathy.
> >
> >
> > [root@ipa0 export-ipa-data]# ipa dnsrecord-find 15.0.10.in-addr.arpa. --all
> >   dn: idnsname=15.0.10.in-addr.arpa.,cn=dns,dc=example,dc=com
> >   Record name: @
> >   NS record: ipa0.example.com., ipa2.example.com., ipa3.example.com., hou1-ipa1.example.com., sfo1-ipa1.example.com., hou2-ipa1.example.com., hq-ipa1.example.com., gcc2-ipa1.example.com.
> >   idnsallowdynupdate: TRUE
> >   idnsallowquery: any;
> >   idnsallowtransfer: none;
> >   idnssoaexpire: 1209600
> >   idnssoaminimum: 3600
> >   idnssoamname: ipa0.example.com.
> >   idnssoarefresh: 3600
> >   idnssoaretry: 900
> >   idnssoarname: hostmaster
> >   idnssoaserial: 1629023582
> >   idnsupdatepolicy: grant EXAMPLE.COM krb5-subdomain 15.0.10.in-addr.arpa. PTR; grant dhcp-key wildcard * ANY;
> >   idnszoneactive: FALSE
> >   objectclass: top, idnsrecord, idnszone
> > ----------------------------
> > Number of entries returned 1
> > ----------------------------
> >
> > [root@ipa0 export-ipa-data]# ipa dnsrecord-find 14.0.10.in-addr.arpa. --all
> >   dn: idnsname=14.0.10.in-addr.arpa.,cn=dns,dc=example,dc=com
> >   Record name: @
> >   NS record: ipa0.example.com., ipa2.example.com., ipa3.example.com., hou1-ipa1.example.com., sfo1-ipa1.example.com., hou2-ipa1.example.com., hq-ipa1.example.com., gcc2-ipa1.example.com.
> >   idnsallowdynupdate: TRUE
> >   idnsallowquery: any;
> >   idnsallowtransfer: none;
> >   idnssoaexpire: 1209600
> >   idnssoaminimum: 3600
> >   idnssoamname: ipa0.example.com.
> >   idnssoarefresh: 3600
> >   idnssoaretry: 900
> >   idnssoarname: hostmaster
> >   idnssoaserial: 1629023582
> >   idnsupdatepolicy: grant EXAMPLE.COM krb5-subdomain 14.0.10.in-addr.arpa. PTR; grant dhcp-key wildcard * ANY;
> >   idnszoneactive: FALSE
> >   objectclass: top, idnsrecord, idnszone
> > ----------------------------
> > Number of entries returned 1
> > ----------------------------
> >
> > [root@ipa0 export-ipa-data]# ipa dnsrecord-find 13.0.10.in-addr.arpa. --all
> >   dn: idnsname=13.0.10.in-addr.arpa.,cn=dns,dc=example,dc=com
> >   Record name: @
> >   NS record: ipa0.example.com., ipa2.example.com., ipa3.example.com., hou1-ipa1.example.com., sfo1-ipa1.example.com., hou2-ipa1.example.com., hq-ipa1.example.com., gcc2-ipa1.example.com.
> >   idnsallowdynupdate: TRUE
> >   idnsallowquery: any;
> >   idnsallowtransfer: none;
> >   idnssoaexpire: 1209600
> >   idnssoaminimum: 3600
> >   idnssoamname: ipa0.example.com.
> >   idnssoarefresh: 3600
> >   idnssoaretry: 900
> >   idnssoarname: hostmaster
> >   idnssoaserial: 1629023582
> >   idnsupdatepolicy: grant EXAMPLE.COM krb5-subdomain 13.0.10.in-addr.arpa. PTR; grant dhcp-key wildcard * ANY;
> >   idnszoneactive: FALSE
> >   objectclass: top, idnsrecord, idnszone
> > ----------------------------
> > Number of entries returned 1
> > ----------------------------
> >
> > [root@ipa0 export-ipa-data]# ipa dnsrecord-find 12.0.10.in-addr.arpa. --all
> >   dn: idnsname=12.0.10.in-addr.arpa.,cn=dns,dc=example,dc=com
> >   Record name: @
> >   NS record: ipa0.example.com., ipa2.example.com., ipa3.example.com., hou1-ipa1.example.com., sfo1-ipa1.example.com., hou2-ipa1.example.com., hq-ipa1.example.com., gcc2-ipa1.example.com.
> >   idnsallowdynupdate: TRUE
> >   idnsallowquery: any;
> >   idnsallowtransfer: none;
> >   idnssoaexpire: 1209600
> >   idnssoaminimum: 3600
> >   idnssoamname: ipa0.example.com.
> >   idnssoarefresh: 3600
> >   idnssoaretry: 900
> >   idnssoarname: hostmaster
> >   idnssoaserial: 1629023582
> >   idnsupdatepolicy: grant EXAMPLE.COM krb5-subdomain 12.0.10.in-addr.arpa. PTR; grant dhcp-key wildcard * ANY;
> >   idnszoneactive: FALSE
> >   objectclass: top, idnsrecord, idnszone
> > ----------------------------
> > Number of entries returned 1
> > ----------------------------
> >
> > [root@ipa0 export-ipa-data]# ipa dnsrecord-find 0.0.10.in-addr.arpa. --all
> >   dn: idnsname=0.0.10.in-addr.arpa.,cn=dns,dc=example,dc=com
> >   Record name: @
> >   NS record: ipa0.example.com., ipa2.example.com., ipa3.example.com., hou1-ipa1.example.com., sfo1-ipa1.example.com., hou2-ipa1.example.com., hq-ipa1.example.com., gcc2-ipa1.example.com.
> >   idnsallowdynupdate: TRUE
> >   idnsallowquery: any;
> >   idnsallowtransfer: none;
> >   idnssoaexpire: 1209600
> >   idnssoaminimum: 3600
> >   idnssoamname: ipa0.example.com.
> >   idnssoarefresh: 3600
> >   idnssoaretry: 900
> >   idnssoarname: hostmaster.example.com.
> >   idnssoaserial: 1629023582
> >   idnsupdatepolicy: grant EXAMPLE.COM krb5-subdomain 0.0.10.in-addr.arpa. PTR; grant dhcp-key wildcard * ANY;
> >   idnszoneactive: FALSE
> >   objectclass: top, idnsrecord, idnszone
> > ----------------------------
> > Number of entries returned 1
> > ----------------------------
> >
> > [root@ipa0 export-ipa-data]#
> >
> >
> > On Thu, Aug 19, 2021 at 6:08 PM Kathy Zhu <[email protected]> wrote:
> >
> >     Yes, I want to delete the zone. I tried a few ways, none worked so far.
> >
> >     On Thu, Aug 19, 2021 at 5:15 PM Rob Crittenden <[email protected]> wrote:
> >
> >         Kathy Zhu via FreeIPA-users wrote:
> >         > Hi List,
> >         >
> >         > When I run ipa-healthcheck on all of our ipa servers, they all
> >         > reported the following:
> >         >
> >         > [root@ipa0 ~]# ipa-healthcheck --failures-only --output-type human
> >         > ERROR: ipahealthcheck.ds.replication.ReplicationConflictCheck.idnsname=1.1.10.in-addr.arpa.,cn=dns,dc=example,dc=com: Replication conflict
> >         > [root@ipa0 ~]#
> >         > [root@ipa0 ~]# ipa-healthcheck --failures-only
> >         > [
> >         >   {
> >         >     "source": "ipahealthcheck.ds.replication",
> >         >     "kw": {
> >         >       "msg": "Replication conflict",
> >         >       "glue": true,
> >         >       "conflict": "deletedEntryHasChildren",
> >         >       "key": "idnsname=1.1.10.in-addr.arpa.,cn=dns,dc=example,dc=com"
> >         >     },
> >         >     "uuid": "3027f742-4b7b-4a20-9650-a5a030699480",
> >         >     "duration": "0.002318",
> >         >     "when": "20210819234114Z",
> >         >     "check": "ReplicationConflictCheck",
> >         >     "result": "ERROR"
> >         >   }
> >         > ]
> >         > [root@ipa0 ~]#
> >         > [root@ipa0 ~]# ipa dnsrecord-find 1.1.10.in-addr.arpa. --sizelimit=99999 --all --structured
> >         >   dn: idnsname=1.1.10.in-addr.arpa.,cn=dns,dc=example,dc=com
> >         >   Record name: @
> >         >   Records:
> >         >     Record type: NS
> >         >     Record data: ipa1.example.com.
> >         >     NS Hostname: ipa1.example.com.
> >         >   idnsallowdynupdate: TRUE
> >         >   idnsallowquery: any;
> >         >   idnsallowtransfer: none;
> >         >   idnssoaexpire: 1209600
> >         >   idnssoaminimum: 3600
> >         >   idnssoamname: ipa0.example.com.
> >         >   idnssoarefresh: 3600
> >         >   idnssoaretry: 900
> >         >   idnssoarname: hostmaster
> >         >   idnssoaserial: 1629023582
> >         >   idnsupdatepolicy: grant EXAMPLE.COM krb5-subdomain 1.1.10.in-addr.arpa. PTR; grant dhcp-key wildcard * ANY;
> >         >   idnszoneactive: FALSE
> >         >   objectclass: top, idnsrecord, idnszone, glue, extensibleobject
> >         > ----------------------------
> >         > Number of entries returned 1
> >         > ----------------------------
> >         > [root@ipa0 ~]#
> >         >
> >         >
> >         > Notice above, glue is true! After googling, I found the following:
> >         >
> >         > https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/identity_management_guide/ipa-replica-manage#Solving_Orphan_Entry_Conflicts
> >         >
> >         > https://access.redhat.com/documentation/en-us/red_hat_directory_server/10/html/administration_guide/managing_replication-solving_common_replication_conflicts#Solving_Common_Replication_Conflicts-Solving_Orphan_Entry_Conflicts
> >         >
> >         > The explanation made sense to me. However, I do not know what
> >         > happened to get us into this situation.
> >         >
> >         > A good zone displays objectclass like this:
> >         >
> >         > objectclass: top, idnsrecord, idnszone
> >         >
> >         > Note, no "glue, extensibleobject" there.
> >         >
> >         > This zone cannot be deleted since "Not allowed on non-leaf
> >         > entry". Any ideas to delete this zone?
> >
> >         Do you want to delete the zone?
> >
> >         rob
> >
>
>
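
Added example (not part of the original thread and not FreeIPA or 389 DS code): a small Python parser for ldapsearch LDIF output that lists the entries below a zone carrying objectClass ldapsubentry, which is the check suggested in the reply above before attempting to delete a zone. The sample LDIF is constructed from the output shown in this thread, and the names parse_ldif and hidden_subentries are illustrative.

```python
import base64
import re

ZONE_DN = "idnsname=15.0.10.in-addr.arpa.,cn=dns,dc=example,dc=com"
# Constructed sample cut down from this thread; long lines fold as newline + space.
SAMPLE_LDIF = """\
# extended LDIF

dn: idnsname=15.0.10.in-addr.arpa.,cn=dns,dc=example,dc=com
objectClass: idnszone

dn: idnsName=200+nsuniqueid=0aa41606-f47811ea-9c15fb86-bfdbf4a5,idnsname=15.0
 .10.in-addr.arpa.,cn=dns,dc=example,dc=com
pTRRecord: user9-laptop.example.com.
objectClass: idnsRecord
objectClass: ldapsubentry

result: 0 Success
"""


def parse_ldif(text):
    """Return [(dn, {attr_lowercase: [values]})] from ldapsearch LDIF output."""
    unfolded = re.sub(r"\r?\n ", "", text)  # undo LDIF line folding
    entries = []
    for block in re.split(r"\n\s*\n", unfolded):
        attrs = {}
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            name, _, value = line.partition(":")
            if value.startswith(":"):  # "attr:: <base64 value>"
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
            attrs.setdefault(name.strip().lower(), []).append(value.strip())
        if "dn" in attrs:  # skips the comment header and the result trailer
            entries.append((attrs.pop("dn")[0], attrs))
    return entries


def hidden_subentries(text, zone_dn):
    """List entries below zone_dn that carry objectClass ldapsubentry."""
    suffix = "," + zone_dn.lower()
    found = []
    for dn, attrs in parse_ldif(text):
        classes = {v.lower() for v in attrs.get("objectclass", [])}
        if dn.lower().endswith(suffix) and "ldapsubentry" in classes:
            uid = re.search(r"nsuniqueid=([0-9a-f-]+)", dn, re.I)
            found.append({"dn": dn, "nsuniqueid": uid and uid.group(1),
                          "ptr": attrs.get("ptrrecord", [])})
    return found


if __name__ == "__main__":
    print(hidden_subentries(SAMPLE_LDIF, ZONE_DN))
```
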
_______________________________________________
FreeIPA-users mailing list -- [email protected]