Mistakenly failed to post to freeipa-users.

---------- Forwarded message ----------
From: Jason Sherrill <ja...@deeplocal.com>
Date: Thu, May 11, 2017 at 9:16 AM
Subject: Re: [Freeipa-users] DNS update failing
To: Martin Bašti <mba...@redhat.com>

Thank you for the assistance, Martin.

The reverse zone is working because of a policy I'd added: grant * tcp-self *. The same entry for the forward zone did not work.

I ran the manual update as described and was refused. It seems GSS-TSIG is working, but the update is still refused:

[root@ipa-1 jsherrill]# kinit -kt /etc/krb5.keytab
[root@ipa-1 jsherrill]# nsupdate -g
> debug
> update add testbook3.int.dplcl.com. 86400 a 10.0.1.36
>
Reply from SOA query:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45996
;; flags: qr aa rd ra; QUESTION: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;testbook3.int.dplcl.com. IN SOA

;; AUTHORITY SECTION:
int.dplcl.com. 3600 IN SOA ipa-1.int.dplcl.com. hostmaster.int.dplcl.com. 1494432187 3600 900 1209600 3600

Found zone name: int.dplcl.com
The master is: ipa-1.int.dplcl.com
start_gssrequest
Found realm from ticket: INT.DPLCL.COM
send_gssrequest
Outgoing update query:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23945
;; flags:; QUESTION: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;3601322568.sig-ipa-1.int.dplcl.com. ANY TKEY

;; ADDITIONAL SECTION:
3601322568.sig-ipa-1.int.dplcl.com. 0 ANY TKEY gss-tsig. ****

recvmsg reply from GSS-TSIG query
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23945
;; flags: qr ra; QUESTION: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;3601322568.sig-ipa-1.int.dplcl.com. ANY TKEY

;; ANSWER SECTION:
3601322568.sig-ipa-1.int.dplcl.com. 0 ANY TKEY gss-tsig. ****

Sending update to 10.0.1.5#53
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 13230
;; flags:; ZONE: 1, PREREQ: 0, UPDATE: 1, ADDITIONAL: 1
;; UPDATE SECTION:
testbook3.int.dplcl.com. 86400 IN A 10.0.1.36

;; TSIG PSEUDOSECTION:
3601322568.sig-ipa-1.int.dplcl.com. 0 ANY TSIG gss-tsig. **** 13230 NOERROR 0

Reply from update query:
;; ->>HEADER<<- opcode: UPDATE, status: REFUSED, id: 13230
;; flags: qr ra; ZONE: 1, PREREQ: 0, UPDATE: 0, ADDITIONAL: 1
;; ZONE SECTION:
;int.dplcl.com. IN SOA

;; TSIG PSEUDOSECTION:
3601322568.sig-ipa-1.int.dplcl.com. 0 ANY TSIG gss-tsig. **** 13230 NOERROR 0

On Thu, May 11, 2017 at 4:09 AM, Martin Bašti <mba...@redhat.com> wrote:
>
> On 10.05.2017 18:38, Jason Sherrill wrote:
> > Hello,
> >
> > I've recently implemented FreeIPA in a mixed environment of Mac OS 10.12
> > and Windows 10 with limited issues!
> >
> > One issue is that updating the reverse zone via nsupdate works without
> > issue; updating the forward zone results in a REFUSED status. Below is
> > my zone config, named.conf, and an example of client-side behavior. I'm
> > new to nearly all systems involved; misconfiguration is likely. Thanks!
> >
> > From FreeIPA server:
> >
> > # ipa dnszone-show int.dplcl.com --all
> >   dn: idnsname=int.dplcl.com.,cn=dns,dc=int,dc=dplcl,dc=com
> >   Zone name: int.dplcl.com.
> >   Active zone: TRUE
> >   Authoritative nameserver: ipa-1.int.dplcl.com.
> >   Administrator e-mail address: hostmaster.int.dplcl.com.
> >   SOA serial: 1494344164
> >   SOA refresh: 3600
> >   SOA retry: 900
> >   SOA expire: 1209600
> >   SOA minimum: 3600
> >   BIND update policy: grant INT.DPLCL.COM krb5-self * A; grant INT.DPLCL.COM krb5-self * AAAA; grant INT.DPLCL.COM krb5-self * SSHFP;
> >   Dynamic update: TRUE
> >   Allow query: any;
> >   Allow transfer: none;
> >   Allow PTR sync: TRUE
> >   Allow in-line DNSSEC signing: FALSE
> >   nsrecord: ipa-1.int.dplcl.com.
> >   objectclass: idnszone, top, idnsrecord, ipadnszone
> >
> > /etc/named.conf from IPA server:
> >
> > options {
> >     // turns on IPv6 for port 53, IPv4 is on by default for all ifaces
> >     listen-on-v6 {any;};
> >
> >     // Put files that named is allowed to write in the data/ directory:
> >     directory "/var/named"; // the default
> >     dump-file "data/cache_dump.db";
> >     statistics-file "data/named_stats.txt";
> >     memstatistics-file "data/named_mem_stats.txt";
> >
> >     // Any host is permitted to issue recursive queries
> >     allow-recursion { any; };
> >
> >     tkey-gssapi-keytab "/etc/named.keytab";
> >
> >     pid-file "/run/named/named.pid";
> >
> >     dnssec-enable no;
> >     dnssec-validation no;
> >
> >     /* Path to ISC DLV key */
> >     bindkeys-file "/etc/named.iscdlv.key";
> >
> >     managed-keys-directory "/var/named/dynamic";
> > };
> >
> > /* If you want to enable debugging, eg. using the 'rndc trace' command,
> >  * By default, SELinux policy does not allow named to modify the /var/named directory,
> >  * so put the default debug log file in data/ :
> >  */
> > logging {
> >     channel default_debug {
> >         file "data/named.run";
> >         severity dynamic;
> >         print-time yes;
> >     };
> > };
> >
> > zone "." IN {
> >     type hint;
> >     file "named.ca";
> > };
> >
> > include "/etc/named.rfc1912.zones";
> > include "/etc/named.root.key";
> >
> > dynamic-db "ipa" {
> >     library "ldap.so";
> >     arg "uri ldapi://%2fvar%2frun%2fslapd-INT-DPLCL-COM.socket";
> >     arg "base cn=dns, dc=int,dc=dplcl,dc=com";
> >     arg "server_id ipa-1.int.dplcl.com";
> >     arg "auth_method sasl";
> >     arg "sasl_mech GSSAPI";
> >     arg "sasl_user DNS/ipa-1.int.dplcl.com";
> >     arg "serial_autoincrement yes";
> > };
> >
> > From client macbook:
> >
> > testbook3:etc jsherrill$ nsupdate
> > > debug
> > > update add testbook3.int.dplcl.com 86400 a 10.0.1.36
> > >
> > Reply from SOA query:
> > ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 3049
> > ;; flags: qr aa rd ra; QUESTION: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
> > ;; QUESTION SECTION:
> > ;testbook3.int.dplcl.com. IN SOA
> >
> > ;; AUTHORITY SECTION:
> > int.dplcl.com. 0 IN SOA ipa-1.int.dplcl.com. hostmaster.int.dplcl.com. 1494425173 3600 900 1209600 3600
> >
> > Found zone name: int.dplcl.com
> > The master is: ipa-1.int.dplcl.com
> > Sending update to 10.0.1.5#53
> > Outgoing update query:
> > ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 33167
> > ;; flags:; ZONE: 1, PREREQ: 0, UPDATE: 1, ADDITIONAL: 0
> > ;; UPDATE SECTION:
> > testbook3.int.dplcl.com. 86400 IN A 10.0.1.36
> >
> > Reply from update query:
> > ;; ->>HEADER<<- opcode: UPDATE, status: REFUSED, id: 33167
> > ;; flags: qr ra; ZONE: 1, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
> > ;; ZONE SECTION:
> > ;int.dplcl.com. IN SOA
> >
> > --
> > *Jason Sherrill*
> > Deeplocal Inc. <http://deeplocal.com/>
> > mobile: 412-636-2073
> > office: 412-362-0201
>
> Hello,
>
> DNS updates are using the GSS-TSIG mechanism by default in FreeIPA, so you
> cannot use plain nsupdate without providing credentials.
>
> Here is the policy; hosts can update only their own records using GSS-TSIG (Kerberos):
>
> BIND update policy: grant INT.DPLCL.COM krb5-self * A; grant INT.DPLCL.COM krb5-self * AAAA; grant INT.DPLCL.COM krb5-self * SSHFP;
>
> So for manual updates via nsupdate, you have to do the following steps:
>
> 1. kinit -kt /etc/krb5.keytab
> 2. nsupdate -g
>    ... update A records ...
>
> I don't know why a reverse zone works for you; you should check the policy of
> the reverse zone.
>
> Martin
>
> --
> Martin Bašti
> Software Engineer
> Red Hat Czech

--
*Jason Sherrill*
Deeplocal Inc. <http://deeplocal.com/>
mobile: 412-636-2073
office: 412-362-0201
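The model below is an added illustration (not BIND's or FreeIPA's code) of the two update-policy rule types that appear in this thread: krb5-self grants host/MACHINE@REALM the right to update only the name MACHINE, and tcp-self grants a TCP client the right to update only the PTR name that maps back to its own source address. It assumes that the keytab used on ipa-1 yields ipa-1's own host principal, which is what the sig-ipa-1 TKEY name in the debug output indicates, so a signed update for testbook3 is refused while the same update for ipa-1 itself would be granted.

```python
# Added illustration, not BIND/FreeIPA code: models the krb5-self and tcp-self rule types of BIND's update-policy.
import ipaddress
from dataclasses import dataclass

@dataclass
class Update:
    name: str              # owner name being updated
    rtype: str             # record type, e.g. "A" or "PTR"
    principal: str = ""    # Kerberos principal behind the GSS-TSIG signature ("" = unsigned)
    src_ip: str = ""       # source address of the update request
    via_tcp: bool = False  # whether the request arrived over TCP

def parse_policy(text):
    """Split 'grant IDENTITY RULETYPE NAME [TYPES...];' statements into tuples."""
    rules = []
    for stmt in text.split(";"):
        parts = stmt.split()
        if parts:
            action, identity, ruletype, name = parts[:4]
            types = {t.upper() for t in parts[4:]} or {"ANY"}
            rules.append((action, identity, ruletype, name, types))
    return rules

def rule_matches(rule, upd):
    _action, identity, ruletype, _name, types = rule  # NAME is ignored by *-self rules
    target = upd.name.rstrip(".").lower()
    if "ANY" not in types and upd.rtype.upper() not in types:
        return False
    if ruletype == "krb5-self":
        # host/MACHINE@REALM may touch only the name MACHINE; IDENTITY is the realm
        if not upd.principal.startswith("host/") or "@" not in upd.principal:
            return False
        machine, realm = upd.principal[len("host/"):].split("@", 1)
        return identity in ("*", realm) and machine.lower() == target
    if ruletype == "tcp-self":
        # TCP only, and the PTR name of the source address must equal the target
        ok = bool(upd.via_tcp and upd.src_ip)
        return ok and ipaddress.ip_address(upd.src_ip).reverse_pointer.lower() == target
    raise ValueError(f"rule type not modelled here: {ruletype}")

def evaluate(policy_text, upd):
    """First matching rule decides, as in BIND; no match means REFUSED."""
    for rule in parse_policy(policy_text):
        if rule_matches(rule, upd):
            return "NOERROR" if rule[0] == "grant" else "REFUSED"
    return "REFUSED"

# Policies quoted in the thread: the forward zone and the reverse-zone grant Jason added
FORWARD = "grant INT.DPLCL.COM krb5-self * A; grant INT.DPLCL.COM krb5-self * AAAA; grant INT.DPLCL.COM krb5-self * SSHFP;"
REVERSE = "grant * tcp-self *;"
```

Because tcp-self trusts only the source address of the TCP session, `grant * tcp-self *` is a much weaker control than the Kerberos-backed forward-zone policy, which is worth keeping in mind before copying it to the forward zone.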
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project