On 02/20/2012 05:08 PM, Marco Pizzoli wrote:
On Mon, Feb 20, 2012 at 9:46 AM, Martin Kosek <mko...@redhat.com> wrote:

    On Sun, 2012-02-19 at 17:23 +0100, Marco Pizzoli wrote:
     > Hi,
     > During my setup today I'm always failing in enrolling clients with
     > automatic dns updates.
     > I'm playing with FreeIPA 2.1.90, but I guess this is a general
     > problem, not strictly due to the alpha version.
     > I'm doing a "ipa-client-install --enable-dns-updates" and at the
     > console I see:
     > Failed to update DNS A record. (Command '/usr/bin/nsupdate
     > -g /etc/ipa/.dns_update.txt' returned non-zero exit status 2)
     > I see in server logs that named refuses it:
     > Feb 19 17:05:25 freeipa01 named[2089]: client
     > update 'internet.unix.mydomain.it/IN' denied
     > Feb 19 17:05:25 freeipa01 named[2089]: client
     > update 'internet.unix.mydomain.it/IN' denied
     > What is the cause? What other information do you need about my
     > deployment?
     > Thanks in advance as usual
     > Marco

    Hello Marco,

    please check the settings of the zone you are trying to add clients to.
    GSS-TSIG updates are not enabled by default for new zones, it may be
    your case.

    This is an entry for my zone 'example.com'
    where dynamic updates are

    # ipa dnszone-show example.com --all
      dn: idnsname=example.com
      Zone name: example.com
      Authoritative nameserver: ns.example.com.
      Administrator e-mail address: hostmaster.example.com
      SOA serial: 2012200201
      SOA refresh: 3600
      SOA retry: 900
      SOA expire: 1209600
      SOA minimum: 3600
     > BIND update policy: grant IDM.LAB.BOS.REDHAT.COM krb5-self * A; grant
     >                     krb5-self * AAAA; grant
      Active zone: TRUE
     > Dynamic update: TRUE
      nsrecord: ns.example.com.
      objectclass: top, idnsrecord, idnszone

    I have marked the important attributes with ">". I would also make sure
    that the zone is properly loaded in bind-dyndb-ldap plugin (you can for
    example try to retrieve its SOA record with dig).

Hi Martin,
yes this is the case:

[root@freeipa01 ~]# ipa dnszone-show internet.unix.mydomain.it --all
   dn: idnsname=internet.unix.mydomain.it
   Zone name: internet.unix.mydomain.it
   Authoritative nameserver: freeipa01.unix.mydomain.it
   Administrator e-mail address: hostmaster.internet.unix.mydomain.it
   SOA serial: 2012180201
   SOA refresh: 3600
   SOA retry: 900
   SOA expire: 1209600
   SOA minimum: 3600
   Active zone: TRUE
   Dynamic update: FALSE
   nsrecord: freeipa01.unix.mydomain.it.
   objectclass: top, idnsrecord, idnszone

So, could you tell me what I should do to have my (new) zone
eventually updated?
A link to a doc page would suffice.

Thanks a lot

Hello Marco,

I think the important part of configuration is:

On Sun, 2012-02-19 at 17:23 +0100, Marco Pizzoli wrote:
> [root@freeipa01 ~]# ipa dnszone-show internet.unix.mydomain.it
>    Dynamic update: FALSE

Please try to enable dynamic update for this zone and then retry ipa-client-install.

The dynamic update setting can be changed with the command:

ipa dnszone-mod internet.unix.mydomain.it --addattr=idnsAllowDynUpdate=TRUE

This command in the current alpha doesn't work for me, so please create/modify the idnsAllowDynUpdate attribute for the zone in LDAP manually. The value has to be TRUE with capital letters.

Documentation about DNS-in-LDAP can be found in /usr/share/doc/bind-dyndb-ldap-1.1.0/README.

You can allow dynamic updates generally in /etc/named.conf or per-zone through idnsAllowDynUpdate in LDAP, see README.

After altering named.conf it is necessary to reload bind via 'rndc reload'; changes in LDAP are reflected immediately.

If the problem persists, try to set the zone's idnsUpdatePolicy to 'grant * wildcard *;' (relaxes/disables various access policy checks).

Best regards,

Petr Spacek
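
A check over the `ipa dnszone-show --all` output discussed in this thread, as an added example that is not part of the original messages or FreeIPA's own code: it flags a zone whose dynamic update is off and a zone still carrying the relaxed 'grant * wildcard *;' policy. The sample outputs, the zone name `zone.example`, the realm `EXAMPLE.TEST` and the finding labels are constructed for illustration.

```python
import re

# Constructed samples in the layout `ipa dnszone-show <zone> --all` prints in this thread.
ZONE_DENIED = """\
  dn: idnsname=internet.unix.mydomain.it
  Zone name: internet.unix.mydomain.it
  Active zone: TRUE
  Dynamic update: FALSE
"""
ZONE_RELAXED = """\
  dn: idnsname=zone.example
  Zone name: zone.example
  BIND update policy: grant EXAMPLE.TEST krb5-self * A;
                      grant * wildcard *;
  Active zone: TRUE
  Dynamic update: TRUE
"""

def parse_zone(text):
    """Turn 'Key: value' lines into a dict; deeper-indented lines continue the previous value."""
    attrs, key, base = {}, None, None
    for line in text.splitlines():
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        m = re.match(r"\s*([^:]+):\s*(.*)$", line)
        if m and (base is None or indent <= base):
            base = indent if base is None else base
            key = m.group(1).strip()
            attrs[key] = m.group(2).strip()
        elif key:
            attrs[key] += " " + line.strip()
    return attrs

def audit_zone(text):
    """Return findings that explain refused updates or an over-broad policy."""
    attrs, findings = parse_zone(text), []
    dyn_on = attrs.get("Dynamic update") == "TRUE"  # must be exactly TRUE, in capitals
    if not dyn_on:
        findings.append("dynamic-update-disabled")
    rules = [r.split() for r in attrs.get("BIND update policy", "").split(";") if r.strip()]
    if dyn_on and not rules:
        findings.append("no-update-policy")
    # 'grant * wildcard *' is the relaxed troubleshooting policy; flag it if left in place.
    if any(r[:3] == ["grant", "*", "wildcard"] for r in rules):
        findings.append("wildcard-grant")
    return findings
```
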