Hi Guy!

I've been working with this recently - maybe I can help.  

Have you enrolled the ipadevmstr.collmedia.net as a service with
`ipa service-add DNS/ipadevmstr.collmedia.net`?  On the client, can you
`kinit -kt $dnskeytab -p DNS/ipadevmstr.collmedia.net` just fine?  You'll have
to kinit before you can do `nsupdate -g a_update`.

If all else fails, on the IPA Server, what does your kdc log say in 
/var/log/krb5kdc.log?  


HTH,

Lynn Root
@roguelynn
Associate Software Engineer

On Apr 30, 2013, at 9:08 AM, Guy Matz <gm...@collective.com> wrote:

> Hi!  Anyone out there gotten Dynamic DNS working with a freeipa-managed DNS
> server?  I've been trying for days following instructions from various freeipa
> and redhat docs!  I've set up keytabs, set up /etc/rndc.key, set Dynamic update
> to True and put the following in my BIND update policy:
> grant host\047foreman.collmedia....@collmedia.net wildcard * ANY;
> grant host\047ipadevmstr.collmedia....@collmedia.net wildcard * ANY;
> 
> I keep getting:
> 
> # nsupdate -g a_update
> update failed: REFUSED
> update failed: REFUSED
> [root@ipadevmstr ~]# cat a_update
> server ipadevmstr.collmedia.net
> zone collmedia.net.
> update add client.collmedia.net.                86400 IN      A       192.168.8.120
> send
> update delete client.collmedia.net. IN      A
> send
> 
> tail /var/log/messages
> Apr 30 11:52:32 ipadevmstr named[9349]: client 192.168.8.111#26141: query: collmedia.net IN SOA - (192.168.8.111)
> Apr 30 11:52:32 ipadevmstr named[9349]: client 192.168.8.111#37600: query: 692300375.sig-ipadevmstr.collmedia.net ANY TKEY -T (192.168.8.111)
> Apr 30 11:52:32 ipadevmstr named[9349]: client 192.168.8.111#52609: updating zone 'collmedia.net/IN': update failed: rejected by secure update (REFUSED)
> Apr 30 11:52:32 ipadevmstr named[9349]: client 192.168.8.111#26141: query: collmedia.net IN SOA - (192.168.8.111)
> Apr 30 11:52:32 ipadevmstr named[9349]: client 192.168.8.111#40423: query: 718499086.sig-ipadevmstr.collmedia.net ANY TKEY -T (192.168.8.111)
> Apr 30 11:52:32 ipadevmstr named[9349]: client 192.168.8.111#37000: updating zone 'collmedia.net/IN': update failed: rejected by secure update (REFUSED)
> 
> Any help would be GREATLY appreciated . . .
> 
> Thanks a lot,
> Guy
> 
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
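
A log triage sketch for the named messages quoted above, added here as an example and not part of either poster's message. It pairs each "rejected by secure update" line with any TKEY (GSS-TSIG) query logged earlier from the same client. It assumes query logging is enabled, as it is in the quoted log; the function name, verdict labels and the last sample line are made up for illustration.

```python
import re

# Constructed sample in the named syslog format quoted in the thread (one event
# per line). The last line is invented to show an update with no TKEY exchange.
SAMPLE_LOG = """\
Apr 30 11:52:32 ipadevmstr named[9349]: client 192.168.8.111#26141: query: collmedia.net IN SOA - (192.168.8.111)
Apr 30 11:52:32 ipadevmstr named[9349]: client 192.168.8.111#37600: query: 692300375.sig-ipadevmstr.collmedia.net ANY TKEY -T (192.168.8.111)
Apr 30 11:52:32 ipadevmstr named[9349]: client 192.168.8.111#52609: updating zone 'collmedia.net/IN': update failed: rejected by secure update (REFUSED)
Apr 30 11:52:32 ipadevmstr named[9349]: client 192.168.8.111#40423: query: 718499086.sig-ipadevmstr.collmedia.net ANY TKEY -T (192.168.8.111)
Apr 30 11:52:32 ipadevmstr named[9349]: client 192.168.8.111#37000: updating zone 'collmedia.net/IN': update failed: rejected by secure update (REFUSED)
Apr 30 11:52:40 ipadevmstr named[9349]: client 192.168.8.120#40111: updating zone 'collmedia.net/IN': update failed: rejected by secure update (REFUSED)
"""

CLIENT = re.compile(r"named\[\d+\]: client (?P<ip>[\d.]+)#\d+: (?P<msg>.*)$")
TKEY = re.compile(r"query: \S+ ANY TKEY\b")
REFUSED = re.compile(r"updating zone '(?P<zone>[^']+)': update failed: "
                     r"rejected by secure update \(REFUSED\)")

def triage(log_text):
    """Return [(client_ip, zone, verdict)] for each refused dynamic update.

    TKEY_THEN_REFUSED: a GSS-TSIG (TKEY) negotiation from that client was logged
      before the update, so compare the principal in the ticket (klist) with the
      update-policy grants and check /var/log/krb5kdc.log.
    REFUSED_NO_TKEY: no TKEY query preceded the update, so it was probably not
      sent with GSS-TSIG at all (heuristic, e.g. nsupdate run without -g).
    """
    pending_tkey = set()          # clients with a TKEY query not yet paired
    results = []
    for line in log_text.splitlines():
        m = CLIENT.search(line)
        if not m:
            continue              # not a named "client ..." line
        ip, msg = m["ip"], m["msg"]
        if TKEY.match(msg):
            pending_tkey.add(ip)
        elif (r := REFUSED.match(msg)):
            verdict = "TKEY_THEN_REFUSED" if ip in pending_tkey else "REFUSED_NO_TKEY"
            pending_tkey.discard(ip)   # each update pairs with one negotiation
            results.append((ip, r["zone"], verdict))
    return results

if __name__ == "__main__":
    for ip, zone, verdict in triage(SAMPLE_LOG):
        print(f"{ip:15} {zone:20} {verdict}")
```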
