On Mon, 2012-02-20 at 17:08 +0100, Marco Pizzoli wrote:
> On Mon, Feb 20, 2012 at 9:46 AM, Martin Kosek <mko...@redhat.com> wrote:
> > On Sun, 2012-02-19 at 17:23 +0100, Marco Pizzoli wrote:
> > > Hi,
> > > During my setup today I'm always failing in enrolling clients with
> > > automatic dns updates.
> > > I'm playing with FreeIPA 2.1.90, but I guess this is a general
> > > problem, not strictly due to the alpha version.
> > >
> > > I'm doing a "ipa-client-install --enable-dns-updates" and at the
> > > console I see:
> > > Failed to update DNS A record. (Command '/usr/bin/nsupdate
> > > -g /etc/ipa/.dns_update.txt' returned non-zero exit status 2)
> > >
> > > I see in server logs that named refuses it:
> > > Feb 19 17:05:25 freeipa01 named[2089]: client 192.168.20.112#38558:
> > > update 'internet.unix.mydomain.it/IN' denied
> > > Feb 19 17:05:25 freeipa01 named[2089]: client 192.168.20.112#40809:
> > > update 'internet.unix.mydomain.it/IN' denied
> > >
> > > What is the cause? What other information do you need about my
> > > deployment?
> > >
> > > Thanks in advance as usual
> > > Marco
> >
> > Hello Marco,
> >
> > please check the settings of the zone you are trying to add clients to.
> > GSS-TSIG updates are not enabled by default for new zones, it may be
> > your case.
> >
> > This is an entry for my zone 'example.com' where dynamic updates are
> > enabled:
> >
> > # ipa dnszone-show example.com --all
> >   dn: idnsname=example.com,cn=dns,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
> >   Zone name: example.com
> >   Authoritative nameserver: ns.example.com.
> >   Administrator e-mail address: hostmaster.example.com.
> >   SOA serial: 2012200201
> >   SOA refresh: 3600
> >   SOA retry: 900
> >   SOA expire: 1209600
> >   SOA minimum: 3600
> > > BIND update policy: grant IDM.LAB.BOS.REDHAT.COM krb5-self * A; grant IDM.LAB.BOS.REDHAT.COM krb5-self * AAAA; grant IDM.LAB.BOS.REDHAT.COM krb5-self * SSHFP;
> >   Active zone: TRUE
> > > Dynamic update: TRUE
> >   nsrecord: ns.example.com.
> >   objectclass: top, idnsrecord, idnszone
> >
> > I have marked the important attributes with ">". I would also make sure
> > that the zone is properly loaded in bind-dyndb-ldap plugin (you can for
> > example try to retrieve its SOA record with dig).
>
> Hi Martin,
> yes this is the case:
>
> [root@freeipa01 ~]# ipa dnszone-show internet.unix.mydomain.it --all
>   dn: idnsname=internet.unix.mydomain.it,cn=dns,dc=unix,dc=mydomain,dc=it
>   Zone name: internet.unix.mydomain.it
>   Authoritative nameserver: freeipa01.unix.mydomain.it.
>   Administrator e-mail address: hostmaster.internet.unix.mydomain.it.
>   SOA serial: 2012180201
>   SOA refresh: 3600
>   SOA retry: 900
>   SOA expire: 1209600
>   SOA minimum: 3600
>   Active zone: TRUE
>   Dynamic update: FALSE
>   nsrecord: freeipa01.unix.mydomain.it.
>   objectclass: top, idnsrecord, idnszone
>
> So, could you tell me what I should do to have my (new) zone
> eventually updated?
> A link to a doc page would suffice.
>
> Thanks a lot
> Marco
Hello Marco,

glad we found the root cause. You can update the zone with this command:

# ipa dnszone-mod internet.unix.mydomain.it --dynamic-update=TRUE --update-policy="grant MYDOMAIN.IT krb5-self * A; grant MYDOMAIN.IT krb5-self * AAAA; grant MYDOMAIN.IT krb5-self * SSHFP;"
# service named reload   (or "rndc reload")

It enables dynamic updates and configures an update policy for it - every
host in this domain can now add/delete its own A/AAAA/SSHFP records.

Sources of DNS documentation:
1. Our command help:
   # ipa help dns
2. FreeIPA guide:
   http://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/Working_with_DNS.html
3. And freeipa-users of course :-)

Martin

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
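The two checks the thread walks through by hand (read the zone's "Dynamic update" and "BIND update policy" attributes from `ipa dnszone-show`, and read named's "update '<zone>/IN' denied" lines) can be scripted. The POSIX shell script below is an added example and is not part of the mailing-list thread or of FreeIPA itself; the function names `check_zone_dyn_update` and `named_update_denials` are mine, and the sample `dnszone-show` output and log lines are constructed from the messages above so the script runs offline. It reports whether a zone lets hosts update their own A/AAAA/SSHFP records via GSS-TSIG (the condition Martin's `dnszone-mod` command establishes) and which client/zone pairs named has been refusing.

```shell
#!/bin/sh
# Added example, not from the freeipa-users thread or the FreeIPA project.
#   check_zone_dyn_update - reads `ipa dnszone-show <zone> --all` output on
#                           stdin, returns 0 if hosts can update their own
#                           A/AAAA/SSHFP records, 1 (with a reason) otherwise.
#   named_update_denials  - reads named log lines on stdin and prints
#                           "<zone> <client-ip>" for each denied update.
# On a live server you would pipe in real output, e.g.
#   ipa dnszone-show internet.unix.mydomain.it --all | check_zone_dyn_update
#   grep "update .* denied" /var/log/messages | named_update_denials

# Constructed sample: the zone as Marco showed it (dynamic update off).
SAMPLE_BEFORE=$(cat <<'EOF'
  Zone name: internet.unix.mydomain.it
  Authoritative nameserver: freeipa01.unix.mydomain.it.
  Active zone: TRUE
  Dynamic update: FALSE
  nsrecord: freeipa01.unix.mydomain.it.
EOF
)

# Constructed sample: the same zone after Martin's dnszone-mod command.
SAMPLE_AFTER=$(cat <<'EOF'
  Zone name: internet.unix.mydomain.it
  BIND update policy: grant MYDOMAIN.IT krb5-self * A; grant MYDOMAIN.IT krb5-self * AAAA; grant MYDOMAIN.IT krb5-self * SSHFP;
  Active zone: TRUE
  Dynamic update: TRUE
EOF
)

# Constructed sample: the two named log lines quoted in the thread.
SAMPLE_LOG=$(cat <<'EOF'
Feb 19 17:05:25 freeipa01 named[2089]: client 192.168.20.112#38558: update 'internet.unix.mydomain.it/IN' denied
Feb 19 17:05:25 freeipa01 named[2089]: client 192.168.20.112#40809: update 'internet.unix.mydomain.it/IN' denied
EOF
)

# Returns 0 when the zone has "Dynamic update: TRUE" and its BIND update policy
# grants krb5-self for A, AAAA and SSHFP, the record types ipa-client-install
# --enable-dns-updates sends with `nsupdate -g`. Returns 1 and says why not.
check_zone_dyn_update() {
    out=$(cat)
    dyn=$(printf '%s\n' "$out" | sed -n 's/^[[:space:]]*Dynamic update: //p')
    policy=$(printf '%s\n' "$out" | sed -n 's/^[[:space:]]*BIND update policy: //p')
    if [ "$dyn" != "TRUE" ]; then
        echo "dynamic update disabled: named will answer nsupdate -g with \"update '<zone>/IN' denied\""
        return 1
    fi
    missing=""
    for rr in A AAAA SSHFP; do
        case "$policy" in
            *"krb5-self * $rr;"*) ;;        # quoted part of the pattern is literal
            *) missing="$missing $rr" ;;
        esac
    done
    if [ -n "$missing" ]; then
        echo "dynamic update on, but policy lacks krb5-self grants for:$missing"
        return 1
    fi
    echo "dynamic update on; krb5-self grants present for A, AAAA and SSHFP"
    return 0
}

# Prints "<zone> <client-ip>" for every denied dynamic update in named's log,
# so you can see which hosts are failing against which zone before touching
# the zone's policy. Non-matching lines are dropped.
named_update_denials() {
    sed -n "s|^.*client \([0-9.]*\)#[0-9]*: update '\([^']*\)/IN' denied.*|\2 \1|p"
}

# Demonstration on the constructed samples ("|| :" keeps a failing check
# from aborting the script when run under set -e).
printf '%s\n' "$SAMPLE_BEFORE" | check_zone_dyn_update || :
printf '%s\n' "$SAMPLE_AFTER"  | check_zone_dyn_update || :
printf '%s\n' "$SAMPLE_LOG"    | named_update_denials | sort | uniq -c
```

The policy check only looks for the three `krb5-self * <type>;` grants, not for the realm name in front of them, so a grant written for the wrong realm would still pass; compare the realm against `ipa realm` output by eye. The log function is a quick triage aid, not a replacement for the `dig` SOA lookup Martin suggests for confirming that bind-dyndb-ldap has loaded the zone at all.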