On 06.06.2017 13:00, Martin Bašti via FreeIPA-users wrote:

On 05.06.2017 20:39, Josh Pavel via FreeIPA-users wrote:
I have a setup with 2 zones:

My IPA realm is mob.nuance.com
My first IPA server was built out with the DNS zone prod.mcs.som.mob.nuance.com
My second IPA server is in a DNS zone of dev.mcs.az-eastus2.mob.nuance.com

I can successfully add client to my first IPA server, and everything works as expected, including DNS updates. When I add clients to my second IPA server, they complete successfully for everything except updating DNS.

I recreated the DNS update file from the ipa-client-install log and executed it manually as "admin" with debug. Any ideas what is wrong?

# kinit admin
Password for ad...@mob.nuance.com:

# id admin
uid=1294000000(admin) gid=1294000000(admins) groups=1294000000(admins)

# getent passwd admin
admin:*:1294000000:1294000000:Administrator:/home/admin:/bin/bash

# kinit -k

# klist
Ticket cache: KEYRING:persistent:0:krb_ccache_3k4KdJI
Default principal: host/metrics-frontend-01.dev.mcs.az-eastus2.mob.nuance....@mob.nuance.com

Valid starting     Expires              Service principal
06/05/2017 18:11:39 06/06/2017 18:11:39 krbtgt/mob.nuance....@mob.nuance.com

# nsupdate -v -g ./dns_update.txt
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
metrics-frontend-01.dev.mcs.az-eastus2.mob.nuance.com. 0 ANY A

Reply from SOA query:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id:  58840
;; flags: qr aa rd ra; QUESTION: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;metrics-frontend-01.dev.mcs.az-eastus2.mob.nuance.com. IN SOA

;; AUTHORITY SECTION:
dev.mcs.az-eastus2.mob.nuance.com. 0 IN SOA freeipa-01.dev.mcs.az-eastus2.mob.nuance.com. hostmaster.dev.mcs.az-eastus2.mob.nuance.com. 1496548206 3600 900 1209600 3600

Found zone name: dev.mcs.az-eastus2.mob.nuance.com
The master is: freeipa-01.dev.mcs.az-eastus2.mob.nuance.com
start_gssrequest
send_gssrequest
Outgoing update query:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:  14301
;; flags:; QUESTION: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;2603545440.sig-freeipa-01.dev.mcs.az-eastus2.mob.nuance.com. ANY TKEY

;; ADDITIONAL SECTION:
2603545440.sig-freeipa-01.dev.mcs.az-eastus2.mob.nuance.com. 0 ANY TKEY gss-tsig. 1496686456 1496686456 3 NOERROR 750 YIIC6gYJKoZIhvcSAQICAQBuggLZMIIC1aADAgEFoQMCAQ6iBwMFACAA AACjggGyYYIBrjCCAaqgAwIBBaEQGw5NT0IuTlVBTkNFLkNPTaI+MDyg AwIBA6E1MDMbA0ROUxssZnJlZWlwYS0wMS5kZXYubWNzLmF6LWVhc3R1 czIubW9iLm51YW5jZS5jb22jggFPMIIBS6ADAgESoQMCAQKiggE9BIIB OT6iIBKUylVkyZojuFesiyK9xr2TNsJcCxjHSKxRxDTI781ECObVev0r 5FEux+izbNYji5vEZpfZDela6vLLJuieQ7EUz02jEMU9lvkhfuiaA9w8 UGLjT+l7TsKLLa6O+gnZ9bLWoTeR++QTE3g/5ePKCLd5rv/h3fvsHoW9 MxUD896pNNYCSutwm9Q6WigpMabxz4oli2l2YpbABJGEk6ZOB3Dr65m6 j4ou1LCnJpy0pkCwQfNPqPtF6UXUiL7DBvZfDhr+MlOeH7o0EBmUEiy2 uNIj9D6VaXeThLBMzyOeZRAVgutqSGxCiBraZ2hVGCQ5Xdet2XuJtUMq gZEn7uS6B8d5iIRDhsiOZ2eGUfZqReXaoE9YFBROvvyn0tosoqwW7YUZ 1Yc6gItyh2p7T8s3VBu1H4K8+vSkggEIMIIBBKADAgESooH8BIH56H4C tKcmdKBDujhBN3UmWECEm1stlWq1CcmSqtYmU6LpWa2duyX4rUDHfHVC 1eHhxrWB9mdEb3DKPHiJrJ0vLOuKJprPFEJpf/RGJylnglPs0JCf0Caa dGZpgeXCQ10xNIdKFsxzcgSChF5ClYK5A+Axg8zxVnLnNKCLR3TGdMrJ +YIOe04oHl4SdREVP09IrtubcOZSJeG3lRt4v/NHHuSMXXb337y/7ErU 1/8YoSs1K3H9du22vLF2VxB8k70DDtDKKpYFj1PzNXD5Tk7yuuWb//Ze voVsTc9g86212KzDYOfDdaN5JM2j51R/O/ummcYw8GnqR5Kt 0

recvmsg reply from GSS-TSIG query
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id:  14301
;; flags: qr ra; QUESTION: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;2603545440.sig-freeipa-01.dev.mcs.az-eastus2.mob.nuance.com. ANY TKEY

*response to GSS-TSIG query was unsuccessful*

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org

Hello,

Please kinit as the host; only hosts are allowed to update their DNS records over DDNS:

kinit -kt /etc/krb5.keytab
nsupdate -v -g ....

Could you please provide output of nsupdate from ipa-client-install log?

Martin
--
Martin Bašti
Software Engineer
Red Hat Czech

I was told, and now I see, that you used the host principal. Could you please check the zone settings of the zone dev.mcs.az-eastus2.mob.nuance.com? Do you have dynamic updates enabled?

Do you have any error output in journalctl -u named-pkcs11 on the DNS server?

Martin

--
Martin Bašti
Software Engineer
Red Hat Czech
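An added triage helper for threads like this one (not part of the thread or of FreeIPA): it walks `nsupdate -v -g` debug output through its three stages (SOA lookup to find the zone and master, the TKEY exchange that negotiates the GSS-TSIG key, then the signed UPDATE) and reports the first stage whose reply was not NOERROR. In the run above the failure is at the TKEY stage, which the master answers before it ever evaluates the zone's update policy. The update-reply marker text `Reply from update query` and the placeholder names in the constructed sample are assumptions.

```python
import re

# Marker lines that open each reply block in nsupdate -v output, in protocol order.
# "Reply from update query" is assumed from nsupdate's debug output; the other two appear above.
REPLY_MARKERS = {"reply from soa query": "soa", "recvmsg reply from gss-tsig query": "tkey",
                 "reply from update query": "update"}
HEADER_RE = re.compile(r"->>HEADER<<- opcode: \w+, status: (\w+)")
ZONE_RE = re.compile(r"^(Found zone name|The master is): (\S+)")
HINTS = {
    "soa": "zone discovery failed: no zone SOA in the authority section of the SOA reply",
    "tkey": "master refused the GSS-TSIG key negotiation, which it handles before any zone update "
            "policy is consulted: check the DNS service keytab and clock on the master and journalctl -u named-pkcs11",
    "update": "signed update rejected: check that dynamic updates are enabled and the update policy "
              "allows this host principal (ipa dnszone-show)",
}

def triage(output):
    """Return zone, master, the first failed stage (soa/tkey/update or None), its status and a hint."""
    info = {"zone": None, "master": None, "failed_stage": None, "status": None, "hint": None}
    replies, pending = {}, None
    for raw in output.splitlines():
        line = raw.strip()
        key = line.rstrip(":").lower()
        if key in REPLY_MARKERS:
            pending = REPLY_MARKERS[key]  # the next HEADER line carries this reply's status
        elif (m := ZONE_RE.match(line)):
            info["zone" if m.group(1).startswith("Found") else "master"] = m.group(2)
        elif pending and (m := HEADER_RE.search(line)):
            replies[pending], pending = m.group(1), None
    # NXDOMAIN for the host name itself is normal (the zone comes from the authority
    # section), so the SOA stage only counts as failed when no zone name was found.
    if info["zone"] is None:
        fail = ("soa", replies.get("soa", "no reply"))
    elif replies.get("tkey", "NOERROR") != "NOERROR":
        fail = ("tkey", replies["tkey"])
    elif replies.get("update", "NOERROR") != "NOERROR":
        fail = ("update", replies["update"])
    else:
        fail = None
    if fail:
        info["failed_stage"], info["status"], info["hint"] = fail[0], fail[1], HINTS[fail[0]]
    return info

# Constructed sample (placeholder names) mirroring the run in the thread: TKEY reply REFUSED.
SAMPLE_TKEY_REFUSED = """\
Reply from SOA query:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id:  58840
Found zone name: dev.example.test
The master is: ipa-01.dev.example.test
recvmsg reply from GSS-TSIG query
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id:  14301
"""
```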