I meant dynamic updates in zone config:

ipa dnszone-show dev.mcs.az-eastus2.mob.nuance.com --all


On 06.06.2017 19:08, Josh Pavel wrote:
Dynamic updates are enabled:


dynamic-db "ipa" {
    library "ldap.so";
    arg "uri ldapi://%2fvar%2frun%2fslapd-MOB-NUANCE-COM.socket";
    arg "base cn=dns, dc=mob,dc=nuance,dc=com";
    arg "server_id freeipa-01.dev.mcs.az-eastus2.mob.nuance.com";
    arg "auth_method sasl";
    arg "sasl_mech GSSAPI";
    arg "sasl_user DNS/freeipa-01.dev.mcs.az-eastus2.mob.nuance.com";
    arg "serial_autoincrement yes";
};


Nothing was logged at the default level (dynamic), but I changed it to debug 10. Nothing strikes me when I look at that log... everything I see has "query approved"; the only thing that surprised me a bit was that the requests are signed. I'm not sure if they're supposed to be or not.

Here's a snippet. As you'd expect from debug 10, there are a lot of logs.



06-Jun-2017 15:54:22.214 client 10.0.3.7#46182: UDP request
06-Jun-2017 15:54:22.214 client 10.0.3.7#46182: using view '_default'
06-Jun-2017 15:54:22.214 client 10.0.3.7#46182: request is not signed
06-Jun-2017 15:54:22.214 client 10.0.3.7#46182: recursion available
06-Jun-2017 15:54:22.214 client 10.0.3.7#46182: query
06-Jun-2017 15:54:22.214 client 10.0.3.7#46182 (metrics-frontend-01.dev.mcs.az-eastus2.mob.nuance.com): ns_client_attach: ref = 1
06-Jun-2017 15:54:22.214 client 10.0.3.7#46182 (metrics-frontend-01.dev.mcs.az-eastus2.mob.nuance.com): query (cache) 'metrics-frontend-01.dev.mcs.az-eastus2.mob.nuance.com/AAAA/IN' approved
06-Jun-2017 15:54:22.214 client 10.0.3.7#46182 (metrics-frontend-01.dev.mcs.az-eastus2.mob.nuance.com): replace
06-Jun-2017 15:54:23.525 client 10.0.3.7#46182 (metrics-frontend-01.dev.mcs.az-eastus2.mob.nuance.com): send
06-Jun-2017 15:54:23.525 client 10.0.3.7#46182 (metrics-frontend-01.dev.mcs.az-eastus2.mob.nuance.com): sendto
06-Jun-2017 15:54:23.525 client 10.0.3.7#46182 (metrics-frontend-01.dev.mcs.az-eastus2.mob.nuance.com): senddone
06-Jun-2017 15:54:23.525 client 10.0.3.7#46182 (metrics-frontend-01.dev.mcs.az-eastus2.mob.nuance.com): next
06-Jun-2017 15:54:23.525 client 10.0.3.7#46182 (metrics-frontend-01.dev.mcs.az-eastus2.mob.nuance.com): ns_client_detach: ref = 0
06-Jun-2017 15:54:23.525 client 10.0.3.7#46182 (metrics-frontend-01.dev.mcs.az-eastus2.mob.nuance.com): endrequest
06-Jun-2017 15:54:23.525 client 10.0.3.7#46182 (metrics-frontend-01.dev.mcs.az-eastus2.mob.nuance.com): send
06-Jun-2017 15:54:23.525 client 10.0.3.7#46182 (metrics-frontend-01.dev.mcs.az-eastus2.mob.nuance.com): sendto
06-Jun-2017 15:54:23.525 client 10.0.3.7#46182 (metrics-frontend-01.dev.mcs.az-eastus2.mob.nuance.com): senddone
06-Jun-2017 15:54:23.525 client 10.0.3.7#46182 (metrics-frontend-01.dev.mcs.az-eastus2.mob.nuance.com): next
06-Jun-2017 15:54:23.525 client 10.0.3.7#46182 (metrics-frontend-01.dev.mcs.az-eastus2.mob.nuance.com): ns_client_detach: ref = 0
06-Jun-2017 15:54:23.525 client 10.0.3.7#46182 (metrics-frontend-01.dev.mcs.az-eastus2.mob.nuance.com): endrequest


On Tue, Jun 6, 2017 at 7:41 AM, Martin Bašti <mba...@redhat.com> wrote:



    On 06.06.2017 13:00, Martin Bašti via FreeIPA-users wrote:



    On 05.06.2017 20:39, Josh Pavel via FreeIPA-users wrote:
    I have a setup with 2 zones:

    My IPA realm is mob.nuance.com
    My first IPA server was built out with the DNS zone prod.mcs.som.mob.nuance.com
    My second IPA server is in a DNS zone of dev.mcs.az-eastus2.mob.nuance.com

    I can successfully add clients to my first IPA server, and everything
    works as expected, including DNS updates.
    When I add clients to my second IPA server, they complete successfully
    for everything except updating DNS.

    I recreated the DNS update file from the ipa-client-install log and
    executed it manually as "admin" with debug. Any ideas what is wrong?

    # kinit admin
    Password for ad...@mob.nuance.com:

    # id admin
    uid=1294000000(admin) gid=1294000000(admins) groups=1294000000(admins)

    # getent passwd admin
    admin:*:1294000000:1294000000:Administrator:/home/admin:/bin/bash

    # kinit -k

    # klist
    Ticket cache: KEYRING:persistent:0:krb_ccache_3k4KdJI
    Default principal: host/metrics-frontend-01.dev.mcs.az-eastus2.mob.nuance....@mob.nuance.com

    Valid starting       Expires              Service principal
    06/05/2017 18:11:39  06/06/2017 18:11:39  krbtgt/mob.nuance....@mob.nuance.com


    # nsupdate -v -g ./dns_update.txt
    Outgoing update query:
    ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
    ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
    ;; UPDATE SECTION:
    metrics-frontend-01.dev.mcs.az-eastus2.mob.nuance.com. 0 ANY A

    Reply from SOA query:
    ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id:  58840
    ;; flags: qr aa rd ra; QUESTION: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
    ;; QUESTION SECTION:
    ;metrics-frontend-01.dev.mcs.az-eastus2.mob.nuance.com. IN SOA

    ;; AUTHORITY SECTION:
    dev.mcs.az-eastus2.mob.nuance.com. 0 IN SOA freeipa-01.dev.mcs.az-eastus2.mob.nuance.com. hostmaster.dev.mcs.az-eastus2.mob.nuance.com. 1496548206 3600 900 1209600 3600

    Found zone name: dev.mcs.az-eastus2.mob.nuance.com
    The master is: freeipa-01.dev.mcs.az-eastus2.mob.nuance.com
    start_gssrequest
    send_gssrequest
    Outgoing update query:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:  14301
    ;; flags:; QUESTION: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
    ;; QUESTION SECTION:
    ;2603545440.sig-freeipa-01.dev.mcs.az-eastus2.mob.nuance.com. ANY TKEY

    ;; ADDITIONAL SECTION:
    2603545440.sig-freeipa-01.dev.mcs.az-eastus2.mob.nuance.com. 0 ANY TKEY gss-tsig. 1496686456 1496686456 3 NOERROR 750
    YIIC6gYJKoZIhvcSAQICAQBuggLZMIIC1aADAgEFoQMCAQ6iBwMFACAA
    AACjggGyYYIBrjCCAaqgAwIBBaEQGw5NT0IuTlVBTkNFLkNPTaI+MDyg
    AwIBA6E1MDMbA0ROUxssZnJlZWlwYS0wMS5kZXYubWNzLmF6LWVhc3R1
    czIubW9iLm51YW5jZS5jb22jggFPMIIBS6ADAgESoQMCAQKiggE9BIIB
    OT6iIBKUylVkyZojuFesiyK9xr2TNsJcCxjHSKxRxDTI781ECObVev0r
    5FEux+izbNYji5vEZpfZDela6vLLJuieQ7EUz02jEMU9lvkhfuiaA9w8
    UGLjT+l7TsKLLa6O+gnZ9bLWoTeR++QTE3g/5ePKCLd5rv/h3fvsHoW9
    MxUD896pNNYCSutwm9Q6WigpMabxz4oli2l2YpbABJGEk6ZOB3Dr65m6
    j4ou1LCnJpy0pkCwQfNPqPtF6UXUiL7DBvZfDhr+MlOeH7o0EBmUEiy2
    uNIj9D6VaXeThLBMzyOeZRAVgutqSGxCiBraZ2hVGCQ5Xdet2XuJtUMq
    gZEn7uS6B8d5iIRDhsiOZ2eGUfZqReXaoE9YFBROvvyn0tosoqwW7YUZ
    1Yc6gItyh2p7T8s3VBu1H4K8+vSkggEIMIIBBKADAgESooH8BIH56H4C
    tKcmdKBDujhBN3UmWECEm1stlWq1CcmSqtYmU6LpWa2duyX4rUDHfHVC
    1eHhxrWB9mdEb3DKPHiJrJ0vLOuKJprPFEJpf/RGJylnglPs0JCf0Caa
    dGZpgeXCQ10xNIdKFsxzcgSChF5ClYK5A+Axg8zxVnLnNKCLR3TGdMrJ
    +YIOe04oHl4SdREVP09IrtubcOZSJeG3lRt4v/NHHuSMXXb337y/7ErU
    1/8YoSs1K3H9du22vLF2VxB8k70DDtDKKpYFj1PzNXD5Tk7yuuWb//Ze
    voVsTc9g86212KzDYOfDdaN5JM2j51R/O/ummcYw8GnqR5Kt 0

    recvmsg reply from GSS-TSIG query
    ;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id:  14301
    ;; flags: qr ra; QUESTION: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
    ;; QUESTION SECTION:
    ;2603545440.sig-freeipa-01.dev.mcs.az-eastus2.mob.nuance.com. ANY TKEY

    *response to GSS-TSIG query was unsuccessful*





    _______________________________________________
    FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
    To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org

    Hello,

    Please kinit as host; only hosts are allowed to update their DNS
    records over DDNS.

    kinit -kt /etc/krb5.keytab
    nsupdate -v -g ....

    Could you please provide the output of nsupdate from the
    ipa-client-install log?

    Martin
    --
    Martin Bašti
    Software Engineer
    Red Hat Czech



    I was told, and now I see, that you used a host principal. Could you please
    check the zone settings of this zone, dev.mcs.az-eastus2.mob.nuance.com:
    do you have dynamic updates enabled?

    Do you have any error output in journalctl -u named-pkcs11 on the
    DNS server?

    Martin

    --
    Martin Bašti
    Software Engineer
    Red Hat Czech



--
Martin Bašti
Software Engineer
Red Hat Czech
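Added editorial example, not part of the thread and not FreeIPA or BIND code: a small Python parser for the `nsupdate -v -g` transcript format quoted above. It splits a run into its stages (the draft UPDATE message, the SOA lookup that finds the zone and master, the TKEY/GSS-TSIG negotiation, and the signed update itself) and reports where the run stopped. The sample transcript is constructed with placeholder names and the TKEY blob left out; the "Reply from update query" header used on the success path is assumed from nsupdate's usual output, since no successful run appears in the thread.

```python
import re

# Constructed sample: a condensed `nsupdate -v -g` transcript in the same
# shape as the one quoted in the thread (placeholder names, TKEY blob omitted).
SAMPLE_OUTPUT = """\
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; UPDATE SECTION:
client-01.dev.example.test. 0 ANY A

Reply from SOA query:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id:  58840
;; QUESTION SECTION:
;client-01.dev.example.test. IN SOA
;; AUTHORITY SECTION:
dev.example.test. 0 IN SOA ns1.dev.example.test. hostmaster.dev.example.test. 1 3600 900 1209600 3600

Found zone name: dev.example.test
The master is: ns1.dev.example.test
start_gssrequest
send_gssrequest
Outgoing update query:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:  14301
;; QUESTION SECTION:
;1234.sig-ns1.dev.example.test. ANY TKEY

recvmsg reply from GSS-TSIG query
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id:  14301
;; QUESTION SECTION:
;1234.sig-ns1.dev.example.test. ANY TKEY

response to GSS-TSIG query was unsuccessful
"""

# Constructed success variant; the "Reply from update query" header is an
# assumption about nsupdate's output, not taken from the thread.
SAMPLE_SUCCESS = SAMPLE_OUTPUT.split("recvmsg reply")[0] + """\
recvmsg reply from GSS-TSIG query
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:  14301

Reply from update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:  31337
"""

SECTION_RE = re.compile(r"^(Outgoing update query|Reply from SOA query|"
                        r"recvmsg reply from GSS-TSIG query|Reply from update query):?\s*$")
HEADER_RE = re.compile(r"^;; ->>HEADER<<- opcode: (\w+), status: (\w+), id:\s*(\d+)")
QUESTION_RE = re.compile(r"^;(\S+)\s+(?:ANY|IN)\s+(\w+)\s*$")
INFO_RE = re.compile(r"^(Found zone name|The master is): (\S+)")
LABELS = {"Found zone name": "zone", "The master is": "master"}


def parse_stages(text):
    """Split the transcript into message dumps, in order. Each entry keeps the
    section label, the DNS header fields and the QUESTION record type."""
    stages, current, in_question = [], None, False
    for line in text.splitlines():
        line = line.rstrip()
        sec = SECTION_RE.match(line)
        if sec:
            current = {"section": sec.group(1), "opcode": None, "status": None,
                       "id": None, "qtype": None}
            stages.append(current)
            in_question = False
        elif current is None:
            continue
        elif (hdr := HEADER_RE.match(line)):
            current["opcode"], current["status"] = hdr.group(1), hdr.group(2)
            current["id"] = int(hdr.group(3))
        elif line.startswith(";; QUESTION SECTION:"):
            in_question = True
        elif line.startswith(";;"):
            in_question = False
        elif in_question and (q := QUESTION_RE.match(line)):
            current["qtype"] = q.group(2)
    return stages


def diagnose(text):
    """Report which stage of an nsupdate -g run failed, as (verdict, details)."""
    stages = parse_stages(text)
    details = {LABELS[m.group(1)]: m.group(2)
               for m in map(INFO_RE.match, text.splitlines()) if m}
    last = {s["section"]: s for s in stages}  # last dump seen per section
    update = last.get("Reply from update query")
    tkey = last.get("recvmsg reply from GSS-TSIG query")
    if update:
        details["status"] = update["status"]
        return ("update_ok" if update["status"] == "NOERROR"
                else "update_rejected", details)
    if tkey:
        details["status"] = tkey["status"]
        # the outgoing TKEY query this reply answers, matched by message id
        req = next((s for s in stages if s["section"] == "Outgoing update query"
                    and s["id"] == tkey["id"]), None)
        details["qtype"] = req["qtype"] if req else None
        return ("tkey_refused" if tkey["status"] != "NOERROR"
                else "update_not_sent", details)
    if "Reply from SOA query" in last:
        details["status"] = last["Reply from SOA query"]["status"]
        return ("stopped_after_soa", details)
    return ("incomplete", details)


if __name__ == "__main__":
    print(diagnose(SAMPLE_OUTPUT))
    print(diagnose(SAMPLE_SUCCESS))
```

Read against the thread's transcript, the verdict is "tkey_refused": the server answered the TKEY negotiation with REFUSED, so the signed UPDATE was never sent at all. That is consistent with the named debug log showing only ordinary AAAA queries being approved and nothing about updates, and it is why the zone's dynamic-update setting and the named-pkcs11 journal on the DNS server are the next things to check, as suggested earlier in the thread.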
