Dynamic updates are enabled:
dynamic-db "ipa" {
    library "ldap.so";
    arg "uri ldapi://%2fvar%2frun%2fslapd-MOB-NUANCE-COM.socket";
    arg "base cn=dns, dc=mob,dc=nuance,dc=com";
    arg "server_id freeipa-01.dev.mcs.az-eastus2.mob.nuance.com";
    arg "auth_method sasl";
    arg "sasl_mech GSSAPI";
    arg "sasl_user DNS/freeipa-01.dev.mcs.az-eastus2.mob.nuance.com";
    arg "serial_autoincrement yes";
};

Nothing was logged at the default level (dynamic), but I changed it to debug 10. Nothing strikes me when I look at that log... everything I see has query approved, the only thing that surprised me a bit was that the requests are signed - I'm not sure if they're supposed to be or not. Here's a snippet - as you'd expect from debug 10, there are a lot of logs.

06-Jun-2017 15:54:22.214 client 10.0.3.7#46182: UDP request
06-Jun-2017 15:54:22.214 client 10.0.3.7#46182: using view '_default'
06-Jun-2017 15:54:22.214 client 10.0.3.7#46182: request is not signed
06-Jun-2017 15:54:22.214 client 10.0.3.7#46182: recursion available
06-Jun-2017 15:54:22.214 client 10.0.3.7#46182: query
06-Jun-2017 15:54:22.214 client 10.0.3.7#46182 (metrics-frontend-01.dev.mcs.az-eastus2.mob.nuance.com): ns_client_attach: ref = 1
06-Jun-2017 15:54:22.214 client 10.0.3.7#46182 (metrics-frontend-01.dev.mcs.az-eastus2.mob.nuance.com): query (cache) 'metrics-frontend-01.dev.mcs.az-eastus2.mob.nuance.com/AAAA/IN' approved
06-Jun-2017 15:54:22.214 client 10.0.3.7#46182 (metrics-frontend-01.dev.mcs.az-eastus2.mob.nuance.com): replace
06-Jun-2017 15:54:23.525 client 10.0.3.7#46182 (metrics-frontend-01.dev.mcs.az-eastus2.mob.nuance.com): send
06-Jun-2017 15:54:23.525 client 10.0.3.7#46182 (metrics-frontend-01.dev.mcs.az-eastus2.mob.nuance.com): sendto
06-Jun-2017 15:54:23.525 client 10.0.3.7#46182 (metrics-frontend-01.dev.mcs.az-eastus2.mob.nuance.com): senddone
06-Jun-2017 15:54:23.525 client 10.0.3.7#46182 (metrics-frontend-01.dev.mcs.az-eastus2.mob.nuance.com): next
06-Jun-2017 15:54:23.525 client 10.0.3.7#46182 (metrics-frontend-01.dev.mcs.az-eastus2.mob.nuance.com): ns_client_detach: ref = 0
06-Jun-2017 15:54:23.525 client 10.0.3.7#46182 (metrics-frontend-01.dev.mcs.az-eastus2.mob.nuance.com): endrequest
06-Jun-2017 15:54:23.525 client 10.0.3.7#46182 (metrics-frontend-01.dev.mcs.az-eastus2.mob.nuance.com): send
06-Jun-2017 15:54:23.525 client 10.0.3.7#46182 (metrics-frontend-01.dev.mcs.az-eastus2.mob.nuance.com): sendto
06-Jun-2017 15:54:23.525 client 10.0.3.7#46182 (metrics-frontend-01.dev.mcs.az-eastus2.mob.nuance.com): senddone
06-Jun-2017 15:54:23.525 client 10.0.3.7#46182 (metrics-frontend-01.dev.mcs.az-eastus2.mob.nuance.com): next
06-Jun-2017 15:54:23.525 client 10.0.3.7#46182 (metrics-frontend-01.dev.mcs.az-eastus2.mob.nuance.com): ns_client_detach: ref = 0
06-Jun-2017 15:54:23.525 client 10.0.3.7#46182 (metrics-frontend-01.dev.mcs.az-eastus2.mob.nuance.com): endrequest

On Tue, Jun 6, 2017 at 7:41 AM, Martin Bašti <mba...@redhat.com> wrote:

> On 06.06.2017 13:00, Martin Bašti via FreeIPA-users wrote:
>
>> On 05.06.2017 20:39, Josh Pavel via FreeIPA-users wrote:
>>
>>> I have a setup with 2 zones:
>>>
>>> My IPA realm is mob.nuance.com
>>> My first IPA server was built out with the DNS zone prod.mcs.som.mob.nuance.com
>>> My second IPA server is in a DNS zone of dev.mcs.az-eastus2.mob.nuance.com
>>>
>>> I can successfully add clients to my first IPA server, and everything works as expected, including DNS updates.
>>> When I add clients to my second IPA server, they complete successfully for everything except updating DNS.
>>>
>>> I recreated the DNS Update file from the ipa-client-install log, and executed it manually as "admin" with debug. Any ideas what is wrong?
>>>
>>> # kinit admin
>>> Password for ad...@mob.nuance.com:
>>> # id admin
>>> uid=1294000000(admin) gid=1294000000(admins) groups=1294000000(admins)
>>> # getent passwd admin
>>> admin:*:1294000000:1294000000:Administrator:/home/admin:/bin/bash
>>> # kinit -k
>>> # klist
>>> Ticket cache: KEYRING:persistent:0:krb_ccache_3k4KdJI
>>> Default principal: host/metrics-frontend-01.dev.mcs.az-eastus2.mob.nuance....@mob.nuance.com
>>>
>>> Valid starting       Expires              Service principal
>>> 06/05/2017 18:11:39  06/06/2017 18:11:39  krbtgt/MOB.NUANCE.COM@MOB.NUANCE.COM
>>>
>>> # nsupdate -v -g ./dns_update.txt
>>> Outgoing update query:
>>> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
>>> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
>>> ;; UPDATE SECTION:
>>> metrics-frontend-01.dev.mcs.az-eastus2.mob.nuance.com. 0 ANY A
>>>
>>> Reply from SOA query:
>>> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 58840
>>> ;; flags: qr aa rd ra; QUESTION: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
>>> ;; QUESTION SECTION:
>>> ;metrics-frontend-01.dev.mcs.az-eastus2.mob.nuance.com. IN SOA
>>>
>>> ;; AUTHORITY SECTION:
>>> dev.mcs.az-eastus2.mob.nuance.com. 0 IN SOA freeipa-01.dev.mcs.az-eastus2.mob.nuance.com. hostmaster.dev.mcs.az-eastus2.mob.nuance.com. 1496548206 3600 900 1209600 3600
>>>
>>> Found zone name: dev.mcs.az-eastus2.mob.nuance.com
>>> The master is: freeipa-01.dev.mcs.az-eastus2.mob.nuance.com
>>> start_gssrequest
>>> send_gssrequest
>>> Outgoing update query:
>>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14301
>>> ;; flags:; QUESTION: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
>>> ;; QUESTION SECTION:
>>> ;2603545440.sig-freeipa-01.dev.mcs.az-eastus2.mob.nuance.com. ANY TKEY
>>>
>>> ;; ADDITIONAL SECTION:
>>> 2603545440.sig-freeipa-01.dev.mcs.az-eastus2.mob.nuance.com. 0 ANY TKEY gss-tsig. 1496686456 1496686456 3 NOERROR 750
>>>     YIIC6gYJKoZIhvcSAQICAQBuggLZMIIC1aADAgEFoQMCAQ6iBwMFACAA
>>>     AACjggGyYYIBrjCCAaqgAwIBBaEQGw5NT0IuTlVBTkNFLkNPTaI+MDyg
>>>     AwIBA6E1MDMbA0ROUxssZnJlZWlwYS0wMS5kZXYubWNzLmF6LWVhc3R1
>>>     czIubW9iLm51YW5jZS5jb22jggFPMIIBS6ADAgESoQMCAQKiggE9BIIB
>>>     OT6iIBKUylVkyZojuFesiyK9xr2TNsJcCxjHSKxRxDTI781ECObVev0r
>>>     5FEux+izbNYji5vEZpfZDela6vLLJuieQ7EUz02jEMU9lvkhfuiaA9w8
>>>     UGLjT+l7TsKLLa6O+gnZ9bLWoTeR++QTE3g/5ePKCLd5rv/h3fvsHoW9
>>>     MxUD896pNNYCSutwm9Q6WigpMabxz4oli2l2YpbABJGEk6ZOB3Dr65m6
>>>     j4ou1LCnJpy0pkCwQfNPqPtF6UXUiL7DBvZfDhr+MlOeH7o0EBmUEiy2
>>>     uNIj9D6VaXeThLBMzyOeZRAVgutqSGxCiBraZ2hVGCQ5Xdet2XuJtUMq
>>>     gZEn7uS6B8d5iIRDhsiOZ2eGUfZqReXaoE9YFBROvvyn0tosoqwW7YUZ
>>>     1Yc6gItyh2p7T8s3VBu1H4K8+vSkggEIMIIBBKADAgESooH8BIH56H4C
>>>     tKcmdKBDujhBN3UmWECEm1stlWq1CcmSqtYmU6LpWa2duyX4rUDHfHVC
>>>     1eHhxrWB9mdEb3DKPHiJrJ0vLOuKJprPFEJpf/RGJylnglPs0JCf0Caa
>>>     dGZpgeXCQ10xNIdKFsxzcgSChF5ClYK5A+Axg8zxVnLnNKCLR3TGdMrJ
>>>     +YIOe04oHl4SdREVP09IrtubcOZSJeG3lRt4v/NHHuSMXXb337y/7ErU
>>>     1/8YoSs1K3H9du22vLF2VxB8k70DDtDKKpYFj1PzNXD5Tk7yuuWb//Ze
>>>     voVsTc9g86212KzDYOfDdaN5JM2j51R/O/ummcYw8GnqR5Kt 0
>>>
>>> recvmsg reply from GSS-TSIG query
>>> ;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 14301
>>> ;; flags: qr ra; QUESTION: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
>>> ;; QUESTION SECTION:
>>> ;2603545440.sig-freeipa-01.dev.mcs.az-eastus2.mob.nuance.com. ANY TKEY
>>>
>>> response to GSS-TSIG query was unsuccessful
>>>
>>> _______________________________________________
>>> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
>>> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
>>
>> Hello,
>>
>> please kinit as host, only hosts are allowed to update their DNS records over DDNS
>>
>> kinit -kt /etc/krb5.keytab
>> nsupdate -v -g ....
>>
>> Could you please provide output of nsupdate from ipa-client-install log?
>>
>> Martin
>>
>> --
>> Martin Bašti
>> Software Engineer
>> Red Hat Czech
>
> I was told and now I see you used host principal. Could you please check zone settings of this zone dev.mcs.az-eastus2.mob.nuance.com, do you have dynamic updates enabled?
>
> Do you have any error output in journalctl -u named-pkcs11 on the DNS server?
>
> Martin
>
> --
> Martin Bašti
> Software Engineer
> Red Hat Czech
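The debug-10 snippet in this message is an ordinary unsigned AAAA lookup, which is not the GSS-TSIG TKEY exchange that nsupdate reported as REFUSED, and at that log level the relevant lines are easy to miss among thousands of others. The script below is an added example for this thread, not code from FreeIPA, bind-dyndb-ldap or BIND: it groups named client debug lines into per-request records, reports whether each request was signed and what it asked for, and flags whether any TKEY or UPDATE activity appears at all. It assumes the line shape quoted above (`<date> <time> client <ip>#<port>[ (<qname>)]: <message>`). The sample log is constructed: the first request mirrors the quoted snippet, the second is made up to exercise the signed path, and the message strings not present in the thread ("request has valid signature", "request has invalid signature", "request is signed by a nonexistent key") are assumed to be BIND's wording.

```python
"""Per-request summary of named (BIND 9) client debug logs.

Added example for this thread; not code from FreeIPA or BIND. It assumes the
line shape quoted in the thread:
    <date> <time> client <ip>#<port>[ (<qname>)]: <message>
"""
import re
import sys

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?P<client>\S+?)(?: \((?P<qname>[^)]*)\))?: (?P<msg>.*)$"
)
# "query (cache) 'name/TYPE/CLASS' approved", as logged in the thread's snippet
QUERY_RE = re.compile(
    r"query \((?P<source>\w+)\) '(?P<name>[^/']+)/(?P<type>[^/']+)/(?P<class>[^']+)' (?P<verdict>\w+)"
)

# Constructed sample. Request 1 mirrors the thread's snippet (unsigned AAAA
# lookup). Request 2 is made up to exercise the signed path; the message
# "request has valid signature" is assumed to be BIND's wording.
SAMPLE_LOG = """\
06-Jun-2017 15:54:22.214 client 10.0.3.7#46182: UDP request
06-Jun-2017 15:54:22.214 client 10.0.3.7#46182: using view '_default'
06-Jun-2017 15:54:22.214 client 10.0.3.7#46182: request is not signed
06-Jun-2017 15:54:22.214 client 10.0.3.7#46182: recursion available
06-Jun-2017 15:54:22.214 client 10.0.3.7#46182: query
06-Jun-2017 15:54:22.214 client 10.0.3.7#46182 (metrics-frontend-01.dev.mcs.az-eastus2.mob.nuance.com): query (cache) 'metrics-frontend-01.dev.mcs.az-eastus2.mob.nuance.com/AAAA/IN' approved
06-Jun-2017 15:54:23.525 client 10.0.3.7#46182 (metrics-frontend-01.dev.mcs.az-eastus2.mob.nuance.com): endrequest
06-Jun-2017 15:55:01.000 client 10.0.3.9#40011: UDP request
06-Jun-2017 15:55:01.000 client 10.0.3.9#40011: using view '_default'
06-Jun-2017 15:55:01.000 client 10.0.3.9#40011: request has valid signature
06-Jun-2017 15:55:01.000 client 10.0.3.9#40011: query
06-Jun-2017 15:55:01.000 client 10.0.3.9#40011 (example-host.dev.mcs.az-eastus2.mob.nuance.com): query (cache) 'example-host.dev.mcs.az-eastus2.mob.nuance.com/A/IN' approved
06-Jun-2017 15:55:01.003 client 10.0.3.9#40011 (example-host.dev.mcs.az-eastus2.mob.nuance.com): endrequest
"""


def parse_named_debug(text):
    """Split client debug lines into request records: one per ip#port, from
    the 'UDP request'/'TCP request' line to the matching 'endrequest'."""
    records, open_by_client = [], {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not a client line, or a different log category
        client, msg = m.group("client"), m.group("msg")
        rec = open_by_client.get(client)
        # a reused source port starts a fresh record instead of merging
        if rec is None or rec["complete"] or msg.endswith(" request"):
            rec = {"client": client, "first_seen": m.group("ts"), "signed": None,
                   "queries": [], "messages": [], "complete": False}
            records.append(rec)
            open_by_client[client] = rec
        rec["messages"].append(msg)
        if msg == "request is not signed":
            rec["signed"] = False
        elif msg.startswith("request has valid signature"):
            rec["signed"] = True
        elif msg.startswith(("request has invalid signature",
                             "request is signed by a nonexistent key")):
            rec["signed"] = "invalid"  # assumed BIND wording for TSIG failures
        q = QUERY_RE.search(msg)
        if q:
            rec["queries"].append((q.group("name"), q.group("type"), q.group("verdict")))
        if msg == "endrequest":
            rec["complete"] = True
    return records


def summarize(records):
    """The facts to check first when a DDNS update 'never arrives'."""
    all_msgs = [m for r in records for m in r["messages"]]
    qtypes = sorted({t for r in records for _, t, _ in r["queries"]})
    return {
        "requests": len(records),
        "signed": [r["client"] for r in records if r["signed"] is True],
        "unsigned": [r["client"] for r in records if r["signed"] is False],
        "bad_signature": [r["client"] for r in records if r["signed"] == "invalid"],
        "query_types": qtypes,
        "tkey_seen": "TKEY" in qtypes or any("tkey" in m.lower() for m in all_msgs),
        "update_seen": any("update" in m.lower() for m in all_msgs),
        "denied": [(r["client"], n, t) for r in records
                   for n, t, v in r["queries"] if v != "approved"],
    }


def main(argv):
    text = open(argv[1], encoding="utf-8").read() if len(argv) > 1 else SAMPLE_LOG
    summary = summarize(parse_named_debug(text))
    for key, value in summary.items():
        print(f"{key:14} {value}")
    if not (summary["tkey_seen"] or summary["update_seen"]):
        print("note: no TKEY or UPDATE activity in this log; these are ordinary "
              "lookups, not the DDNS attempt, so look further before reading "
              "them as the update")


if __name__ == "__main__":
    main(sys.argv)
```

Run it with a path to the named debug log (or with no argument to see it on the constructed sample). On the quoted snippet it reports one unsigned request, query type AAAA only, and no TKEY or UPDATE activity, which is the point worth settling first: until a signed TKEY request from the client shows up in this server's log, the query lines say nothing about why the GSS-TSIG negotiation was refused.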