On Sun, 2012-02-19 at 17:23 +0100, Marco Pizzoli wrote:
> Hi,
> During my setup today I'm always failing in enrolling clients with
> automatic dns updates.
> I'm playing with FreeIPA 2.1.90, but I guess this is a general
> problem, not strictly due to the alpha version.
>
> I'm doing a "ipa-client-install --enable-dns-updates" and at the
> console I see:
> Failed to update DNS A record. (Command '/usr/bin/nsupdate
> -g /etc/ipa/.dns_update.txt' returned non-zero exit status 2)
>
> I see in server logs that named refuses it:
> Feb 19 17:05:25 freeipa01 named[2089]: client 192.168.20.112#38558:
> update 'internet.unix.mydomain.it/IN' denied
> Feb 19 17:05:25 freeipa01 named[2089]: client 192.168.20.112#40809:
> update 'internet.unix.mydomain.it/IN' denied
>
> What is the cause? What other information do you need about my
> deployment?
>
> Thanks in advance as usual
> Marco

Hello Marco,

please check the settings of the zone you are trying to add clients to.
GSS-TSIG updates are not enabled by default for new zones, it may be your
case. This is an entry for my zone 'example.com' where dynamic updates are
enabled:

# ipa dnszone-show example.com --all
  dn: idnsname=example.com,cn=dns,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
  Zone name: example.com
  Authoritative nameserver: ns.example.com.
  Administrator e-mail address: hostmaster.example.com.
  SOA serial: 2012200201
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
> BIND update policy: grant IDM.LAB.BOS.REDHAT.COM krb5-self * A; grant IDM.LAB.BOS.REDHAT.COM krb5-self * AAAA; grant IDM.LAB.BOS.REDHAT.COM krb5-self * SSHFP;
  Active zone: TRUE
> Dynamic update: TRUE
  nsrecord: ns.example.com.
  objectclass: top, idnsrecord, idnszone

I have marked the important attributes with ">".

I would also make sure that the zone is properly loaded in bind-dyndb-ldap
plugin (you can for example try to retrieve its SOA record with dig).

HTH,
Martin

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
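
The two checks discussed in this thread, as an added shell example (not code from the original posts or from FreeIPA): it pulls the denied zone names out of named's log lines and tests `ipa dnszone-show ZONE --all` output for the two marked attributes. The function names are hypothetical, and the sample zone output with realm EXAMPLE.COM is constructed.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not part of FreeIPA.

# Print one "Label: value" attribute from `ipa dnszone-show ZONE --all` output on stdin.
# A leading ">" marker (as used in the reply above) is tolerated.
zone_attr() {
    sed -n "s/^[[:space:]>]*$1:[[:space:]]*//p" | head -n 1
}

# Exit status: 0 = zone (stdin) accepts krb5-self updates for record type $1,
# 1 = dynamic update disabled, 2 = no matching krb5-self grant in the policy.
check_zone() {
    _out=$(cat)
    _dyn=$(printf '%s\n' "$_out" | zone_attr 'Dynamic update')
    _pol=$(printf '%s\n' "$_out" | zone_attr 'BIND update policy')
    if [ "$_dyn" != "TRUE" ]; then
        echo "dynamic update disabled (value: ${_dyn:-unset})"; return 1
    fi
    # The policy is a ';'-separated list: grant REALM krb5-self * TYPE [TYPE...]
    _re="grant[[:space:]]+[^[:space:]]+[[:space:]]+krb5-self[[:space:]]+\*[[:space:]]+([A-Z0-9]+[[:space:]]+)*$1[[:space:]]*\$"
    if ! printf '%s\n' "$_pol" | tr ';' '\n' | grep -Eq "$_re"; then
        echo "no krb5-self grant for $1 records"; return 2
    fi
    echo "zone accepts GSS-TSIG self-updates for $1 records"
}

# Print each zone for which named logged a denied update (syslog text on stdin).
denied_zones() {
    sed -n "s|.*named\[[0-9]*\]: client [^ ]*: update '\([^/']*\)/IN' denied.*|\1|p" | sort -u
}

# Constructed sample input, modelled on the output and log lines quoted in the thread.
SAMPLE_ZONE='  Zone name: example.com
  BIND update policy: grant EXAMPLE.COM krb5-self * A; grant EXAMPLE.COM krb5-self * AAAA;
  Dynamic update: TRUE'
SAMPLE_ZONE_OFF='  Zone name: example.com
  Dynamic update: FALSE'
SAMPLE_LOG="Feb 19 17:05:25 freeipa01 named[2089]: client 192.168.20.112#38558: update 'internet.unix.mydomain.it/IN' denied
Feb 19 17:05:25 freeipa01 named[2089]: client 192.168.20.112#40809: update 'internet.unix.mydomain.it/IN' denied"

# Real use: ipa dnszone-show "$zone" --all | check_zone A
printf '%s\n' "$SAMPLE_LOG" | denied_zones
printf '%s\n' "$SAMPLE_ZONE" | check_zone A
printf '%s\n' "$SAMPLE_ZONE_OFF" | check_zone A || echo "-> dynamic updates are off for this zone"
```

A zone that passes both checks but still refuses updates is the case for the SOA lookup with dig suggested above.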