The zone settings:

$ ipa dnszone-show --all
Zone name: hq.example.com.
  dn: idnsname=hq.example.com.,cn=dns,dc=hq,dc=example,dc=com
  Zone name: hq.example.com.
  Active zone: TRUE
  Authoritative nameserver: ipa.hq.example.com.
  Administrator e-mail address: hostmaster.hq.example.com.
  SOA serial: 1426857128
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  BIND update policy: grant HQ.EXAMPLE.COM krb5-self * A; grant HQ.EXAMPLE.COM
krb5-self * AAAA; grant HQ.EXAMPLE.COM krb5-self * SSHFP;
  Dynamic update: TRUE
  Allow query: any;
  Allow transfer: none;
  nsrecord: ipa.hq.example.com.
  objectclass: idnszone, top, idnsrecord

The DNS log doesn't mention anything about updates. It does contain some
errors about unreachable hosts, but that's because I had a temporary
interruption towards the gateway from the ipa server.

One thing I did after installing the IPA server is to turn off support for
ipv6, using
$ echo "net.ipv6.conf.all.disable_ipv6 = 1" >> /etc/sysctl.conf
$ sysctl -p

Do you think it could have any influence?


On 20 March 2015 at 12:31, Martin Basti <mba...@redhat.com> wrote:

>  Hello,
>
> do you have enabled DNS dynamic updates for hq.example.zone?
> You can check it in zone settings.
>
> Are there any log entries in dns log related to nsupdate executed from a
> client?
> $ journalctl -b -u named-pkcs11
>
>
> On 20/03/15 09:53, Roberto Cornacchia wrote:
>
>  It seems so:
>
>  $ firewall-cmd --list-all
> FedoraServer (default, active)
>   interfaces: em2
>   sources:
>   services: cockpit dhcpv6-client ssh
>   ports: 8009/tcp 443/tcp 7999/tcp 464/tcp 9443/tcp 636/tcp 88/udp 464/udp
> 8010/tcp 88/tcp 7990/tcp 123/udp 80/tcp 389/tcp 7389/tcp 9444/tcp 9445/tcp
> 8011/tcp 53/udp 8082/tcp
>   masquerade: no
>   forward-ports:
>   icmp-blocks:
>   rich rules:
>
>
> On 20 March 2015 at 00:53, Dmitri Pal <d...@redhat.com> wrote:
>
>>  On 03/19/2015 05:04 PM, Roberto Cornacchia wrote:
>>
>>  Yes.
>>
>>  [root@meson ~]# cat /etc/resolv.conf
>> search hq.example.com
>> nameserver 192.168.0.72
>>
>>  Sorry from the short log I posted it's not visible, but that ip address
>> is the address of the ipa server (ipa.hq.example.com)
>>
>>  [root@meson ~]# dig ipa.hq.example.com
>>
>>  ; <<>> DiG 9.9.6-P1-RedHat-9.9.6-8.P1.fc21 <<>> ipa.hq.example.com
>> ;; global options: +cmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53238
>> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
>>
>>  ;; OPT PSEUDOSECTION:
>> ; EDNS: version: 0, flags:; udp: 4096
>> ;; QUESTION SECTION:
>> ;ipa.hq.example.com. IN A
>>
>>  ;; ANSWER SECTION:
>> ipa.hq.example.com. 1200 IN A 192.168.0.72
>>
>>  ;; AUTHORITY SECTION:
>> hq.example.com. 86400 IN NS ipa.hq.example.com.
>>
>>  ;; Query time: 1 msec
>> ;; SERVER: 192.168.0.72#53(192.168.0.72)
>> ;; WHEN: do mrt 19 22:02:04 CET 2015
>> ;; MSG SIZE  rcvd: 83
>>
>>
>>
>>  OK so you can in fact lookup the server.
>> Have you opened all required ports for ldap and kerberos and other
>> protocols in the firewall both UDP and TCP?
>>
>>
>>
>>
>> On 19 March 2015 at 21:55, Dmitri Pal <d...@redhat.com> wrote:
>>
>>>  On 03/19/2015 04:46 PM, Roberto Cornacchia wrote:
>>>
>>>  Hi,
>>>
>>>  This should really work like a charm, and I'm sure it is a stupid
>>> mistake of mine if it doesn't, but I really can't find out what goes wrong.
>>>
>>>  Both IPA server and client are on FC21, very up to date.
>>> Server installation (standard, with dns) worked well. Required ports
>>> open in the firewall. Everything seems to work.
>>>
>>>  I did try to use the IPA server as a DNS (with forwarders) and NTP
>>> server from non-ipa clients, no problem.
>>> I also tried to use it as LDAP server, from a non-fedora machine (a
>>> synology). It worked well and I could see users.
>>>
>>>  When trying to enroll a client, the enrollment itself seems to
>>> succeed, but:
>>> - Unable to sync time with NTP server
>>> - Unable to update DNS
>>> - Unable to find users
>>>
>>>  I include below the short installation log (I changed the real domain
>>> into hq.example.com), and in attachment, the full log with debug on.
>>>
>>>  From the debug log, about the DNS update failure, I can see this:
>>>
>>>    ; Communication with 192.168.0.72#53 failed: operation canceled
>>>   could not reach any name server
>>>
>>>  I'm not sure what communication problem this could be, as the server
>>> (which is both the IPA and the DNS servers), clearly can be reached.
>>>
>>>  Any idea where to look at?
>>>
>>>
>>>  Do you have the IPA DNS server in the resolv.conf of the client?
>>>
>>>
>>>
>>>
>>>  Thanks,
>>> Roberto
>>>
>>>
>>>  [root@meson ~]# ipa-client-install --mkhomedir --ssh-trust-dns
>>> --force-ntpd --hostname=meson.hq.example.com
>>> Discovery was successful!
>>> Hostname: meson.hq.example.com
>>> Realm: HQ.EXAMPLE.COM
>>> DNS Domain: hq.example.com
>>> IPA Server: ipa.hq.example.com
>>> BaseDN: dc=hq,dc=example,dc=com
>>>
>>>  Continue to configure the system with these values? [no]: yes
>>> Synchronizing time with KDC...
>>> *Unable to sync time with IPA NTP server, assuming the time is in sync.
>>> Please check that 123 UDP port is opened.*
>>> User authorized to enroll computers: admin
>>> Password for ad...@hq.example.com:
>>> Successfully retrieved CA cert
>>>     Subject:     CN=Certificate Authority,O=HQ.EXAMPLE.COM
>>>     Issuer:      CN=Certificate Authority,O=HQ.EXAMPLE.COM
>>>     Valid From:  Mon Mar 16 18:44:35 2015 UTC
>>>     Valid Until: Fri Mar 16 18:44:35 2035 UTC
>>>
>>>  Enrolled in IPA realm HQ.EXAMPLE.COM
>>> Created /etc/ipa/default.conf
>>> New SSSD config will be created
>>> Configured sudoers in /etc/nsswitch.conf
>>> Configured /etc/sssd/sssd.conf
>>> Configured /etc/krb5.conf for IPA realm HQ.EXAMPLE.COM
>>> trying https://ipa.hq.example.com/ipa/json
>>> Forwarding 'ping' to json server 'https://ipa.hq.example.com/ipa/json'
>>> Forwarding 'ca_is_enabled' to json server '
>>> https://ipa.hq.example.com/ipa/json'
>>> Systemwide CA database updated.
>>> Added CA certificates to the default NSS database.
>>> Hostname (meson.hq.example.com) not found in DNS
>>> *Failed to update DNS records.*
>>> Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
>>> Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
>>> Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
>>> Forwarding 'host_mod' to json server '
>>> https://ipa.hq.example.com/ipa/json'
>>> *Could not update DNS SSHFP records.*
>>> SSSD enabled
>>> Configured /etc/openldap/ldap.conf
>>> *Unable to find 'admin' user with 'getent passwd ad...@hq.example.com
>>> <ad...@hq.example.com>'!*
>>> *Unable to reliably detect configuration. Check NSS setup manually.*
>>> NTP enabled
>>> Configured /etc/ssh/ssh_config
>>> Configured /etc/ssh/sshd_config
>>> Configuring hq.example.com as NIS domain.
>>> Client configuration complete.
>>>
>>>   --
>>> Thank you,
>>> Dmitri Pal
>>>
>>> Sr. Engineering Manager IdM portfolio
>>> Red Hat, Inc.
>>>
>>>
>>> --
>>> Manage your subscription for the Freeipa-users mailing list:
>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>> Go to http://freeipa.org for more info on the project
>>>
>>
>> --
>> Thank you,
>> Dmitri Pal
>>
>> Sr. Engineering Manager IdM portfolio
>> Red Hat, Inc.
>>
>>
>>
>
> --
> Martin Basti
>
>
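The thread above posts two pieces of evidence and asks the reader to eyeball them: the `firewall-cmd --list-all` port list and the `ipa dnszone-show --all` output with its BIND update policy. The script below is an added example (not from the mailing list, FreeIPA, or anyone in the thread) that parses both outputs offline and answers the two questions Martin and Dmitri raised: is every port FreeIPA documents as required actually open, and does the zone's dynamic-update policy let an enrolled host update its own A, AAAA and SSHFP records via GSS-TSIG (`krb5-self`)? The sample text is copied from the posts; `REQUIRED_IPA_PORTS` is my assumption based on the FreeIPA installation documentation, which lists DNS on both 53/tcp and 53/udp, and the 53/tcp entry is the one the posted port list does not contain.

```python
"""Offline checks over the firewall and DNS-zone output posted in the thread.
Added example; the port set below is an assumption from FreeIPA's docs."""
import re

# Assumption: ports FreeIPA's install docs list for client/server traffic.
REQUIRED_IPA_PORTS = {
    "80/tcp", "443/tcp",    # HTTP/HTTPS (JSON-RPC API, CA)
    "389/tcp", "636/tcp",   # LDAP / LDAPS
    "88/tcp", "88/udp",     # Kerberos
    "464/tcp", "464/udp",   # kpasswd
    "53/tcp", "53/udp",     # DNS on both transports
    "123/udp",              # NTP
}

# Copied from the firewall-cmd output in the thread (mail-wrapped lines kept).
FIREWALL_OUTPUT = """FedoraServer (default, active)
  interfaces: em2
  sources:
  services: cockpit dhcpv6-client ssh
  ports: 8009/tcp 443/tcp 7999/tcp 464/tcp 9443/tcp 636/tcp 88/udp 464/udp
8010/tcp 88/tcp 7990/tcp 123/udp 80/tcp 389/tcp 7389/tcp 9444/tcp 9445/tcp
8011/tcp 53/udp 8082/tcp
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:
"""

# Excerpt of the `ipa dnszone-show --all` output from the thread.
ZONE_OUTPUT = """Zone name: hq.example.com.
  dn: idnsname=hq.example.com.,cn=dns,dc=hq,dc=example,dc=com
  Active zone: TRUE
  Authoritative nameserver: ipa.hq.example.com.
  BIND update policy: grant HQ.EXAMPLE.COM krb5-self * A; grant HQ.EXAMPLE.COM
krb5-self * AAAA; grant HQ.EXAMPLE.COM krb5-self * SSHFP;
  Dynamic update: TRUE
  Allow query: any;
  Allow transfer: none;
"""


def parse_firewall_ports(text):
    """Return the set of 'port/proto' tokens under 'ports:'. The list may be
    wrapped onto continuation lines, so keep reading until the next 'key:'."""
    ports, collecting = set(), False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("ports:"):
            collecting, stripped = True, stripped[len("ports:"):]
        elif re.match(r"^[a-z-]+:", stripped):
            collecting = False
        if collecting:
            ports.update(t for t in stripped.split() if "/" in t)
    return ports


def missing_ipa_ports(text):
    """Required ports that the firewall output does not list as open."""
    return sorted(REQUIRED_IPA_PORTS - parse_firewall_ports(text))


def parse_zone_show(text):
    """Fold 'Key: value' lines (plus wrapped continuations) into a dict."""
    fields, key = {}, None
    for line in text.splitlines():
        m = re.match(r"^\s*([A-Za-z][A-Za-z0-9 -]*?):\s*(.*)$", line)
        if m:
            key, fields[key] = m.group(1), m.group(2)
        elif key is not None:
            fields[key] += " " + line.strip()   # continuation of a wrapped value
    return fields


def granted_record_types(policy, realm):
    """RR types that 'grant <REALM> krb5-self * <TYPE>' rules allow a host
    principal to update for its own name."""
    types = set()
    for rule in policy.split(";"):
        parts = rule.split()
        if len(parts) == 5 and parts[:3] == ["grant", realm, "krb5-self"]:
            types.add(parts[4])
    return types


def zone_allows_host_updates(text, realm, needed=("A", "AAAA", "SSHFP")):
    """True only if dynamic update is on and every needed type is granted."""
    fields = parse_zone_show(text)
    if fields.get("Dynamic update") != "TRUE":
        return False
    return set(needed) <= granted_record_types(fields.get("BIND update policy", ""), realm)


if __name__ == "__main__":
    print("missing ports:", missing_ipa_ports(FIREWALL_OUTPUT))
    print("zone allows host updates:", zone_allows_host_updates(ZONE_OUTPUT, "HQ.EXAMPLE.COM"))
```

Run against the posted output the zone check passes (dynamic update is on and the realm is granted A, AAAA and SSHFP), while the port check reports `53/tcp` as the one documented port not in the open list. Both parsers tolerate the line wrapping a mail client introduces, which is the usual reason a policy or port list is misread when pasted into a thread.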
