The zone settings:

  $ ipa dnszone-show --all
    Zone name: hq.example.com.
    dn: idnsname=hq.example.com.,cn=dns,dc=hq,dc=example,dc=com
    Zone name: hq.example.com.
    Active zone: TRUE
    Authoritative nameserver: ipa.hq.example.com.
    Administrator e-mail address: hostmaster.hq.example.com.
    SOA serial: 1426857128
    SOA refresh: 3600
    SOA retry: 900
    SOA expire: 1209600
    SOA minimum: 3600
    BIND update policy: grant HQ.EXAMPLE.COM krb5-self * A; grant HQ.EXAMPLE.COM krb5-self * AAAA; grant HQ.EXAMPLE.COM krb5-self * SSHFP;
    Dynamic update: TRUE
    Allow query: any;
    Allow transfer: none;
    nsrecord: ipa.hq.example.com.
    objectclass: idnszone, top, idnsrecord

The DNS log doesn't mention anything about updates. It does contain some errors about unreachable hosts, but that's because I had a temporary interruption towards the gateway from the ipa server.

One thing I did after installing the IPA server is to turn off support for ipv6, using

  $ echo "net.ipv6.conf.all.disable_ipv6 = 1" >> /etc/sysctl.conf
  $ sysctl -p

Do you think it could have any influence?

On 20 March 2015 at 12:31, Martin Basti <mba...@redhat.com> wrote:
> Hello,
>
> do you have enabled DNS dynamic updates for hq.example.zone?
> You can check it in zone settings.
>
> Are there any log entries in dns log related to nsupdate executed from a
> client?
> $ journalctl -b -u named-pkcs11
>
>
> On 20/03/15 09:53, Roberto Cornacchia wrote:
>
> It seems so:
>
> $ firewall-cmd --list-all
> FedoraServer (default, active)
>   interfaces: em2
>   sources:
>   services: cockpit dhcpv6-client ssh
>   ports: 8009/tcp 443/tcp 7999/tcp 464/tcp 9443/tcp 636/tcp 88/udp 464/udp
> 8010/tcp 88/tcp 7990/tcp 123/udp 80/tcp 389/tcp 7389/tcp 9444/tcp 9445/tcp
> 8011/tcp 53/udp 8082/tcp
>   masquerade: no
>   forward-ports:
>   icmp-blocks:
>   rich rules:
>
>
> On 20 March 2015 at 00:53, Dmitri Pal <d...@redhat.com> wrote:
>
>> On 03/19/2015 05:04 PM, Roberto Cornacchia wrote:
>>
>> Yes.
>>
>> [root@meson ~]# cat /etc/resolv.conf
>> search hq.example.com
>> nameserver 192.168.0.72
>>
>> Sorry from the short log I posted it's not visible, but that ip address
>> is the address of the ipa server (ipa.hq.example.com)
>>
>> [root@meson ~]# dig ipa.hq.example.com
>>
>> ; <<>> DiG 9.9.6-P1-RedHat-9.9.6-8.P1.fc21 <<>> ipa.hq.example.com
>> ;; global options: +cmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53238
>> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
>>
>> ;; OPT PSEUDOSECTION:
>> ; EDNS: version: 0, flags:; udp: 4096
>> ;; QUESTION SECTION:
>> ;ipa.hq.example.com.            IN      A
>>
>> ;; ANSWER SECTION:
>> ipa.hq.example.com.     1200    IN      A       192.168.0.72
>>
>> ;; AUTHORITY SECTION:
>> hq.example.com.         86400   IN      NS      ipa.hq.example.com.
>>
>> ;; Query time: 1 msec
>> ;; SERVER: 192.168.0.72#53(192.168.0.72)
>> ;; WHEN: do mrt 19 22:02:04 CET 2015
>> ;; MSG SIZE  rcvd: 83
>>
>>
>> OK so you can in fact lookup the server.
>> Have you opened all required ports for ldap and kerberos and other
>> protocols in the firewall both UDP and TCP?
>>
>>
>> On 19 March 2015 at 21:55, Dmitri Pal <d...@redhat.com> wrote:
>>
>>> On 03/19/2015 04:46 PM, Roberto Cornacchia wrote:
>>>
>>> Hi,
>>>
>>> This should really work like a charm, and I'm sure it is a stupid
>>> mistake of mine if it doesn't, but I really can't find out what goes wrong.
>>>
>>> Both IPA server and client are on FC21, very up to date.
>>> Server installation (standard, with dns) worked well. Required ports
>>> open in the firewall. Everything seems to work.
>>>
>>> I did try to use the IPA server as a DNS (with forwarders) and NTP
>>> server from non-ipa clients, no problem.
>>> I also tried to use it as LDAP server, from a non-fedora machine (a
>>> synology). It worked well and I could see users.
>>>
>>> When trying to enroll a client, the enrollment itself seems to
>>> succeed, but:
>>> - Unable to sync time with NTP server
>>> - Unable to update DNS
>>> - Unable to find users
>>>
>>> I include below the short installation log (I changed the real domain
>>> into hq.example.com), and in attachment, the full log with debug on.
>>>
>>> From the debug log, about the DNS update failure, I can see this:
>>>
>>> ; Communication with 192.168.0.72#53 failed: operation canceled
>>> could not reach any name server
>>>
>>> I'm not sure what communication problem this could be, as the server
>>> (which is both the IPA and the DNS servers), clearly can be reached.
>>>
>>> Any idea where to look?
>>>
>>>
>>> Do you have the IPA DNS server in the resolv.conf of the client?
>>>
>>>
>>> Thanks,
>>> Roberto
>>>
>>>
>>> [root@meson ~]# ipa-client-install --mkhomedir --ssh-trust-dns
>>> --force-ntpd --hostname=meson.hq.example.com
>>> Discovery was successful!
>>> Hostname: meson.hq.example.com
>>> Realm: HQ.EXAMPLE.COM
>>> DNS Domain: hq.example.com
>>> IPA Server: ipa.hq.example.com
>>> BaseDN: dc=hq,dc=example,dc=com
>>>
>>> Continue to configure the system with these values? [no]: yes
>>> Synchronizing time with KDC...
>>> *Unable to sync time with IPA NTP server, assuming the time is in sync.
>>> Please check that 123 UDP port is opened.*
>>> User authorized to enroll computers: admin
>>> Password for ad...@hq.example.com:
>>> Successfully retrieved CA cert
>>>     Subject:     CN=Certificate Authority,O=HQ.EXAMPLE.COM
>>>     Issuer:      CN=Certificate Authority,O=HQ.EXAMPLE.COM
>>>     Valid From:  Mon Mar 16 18:44:35 2015 UTC
>>>     Valid Until: Fri Mar 16 18:44:35 2035 UTC
>>>
>>> Enrolled in IPA realm HQ.EXAMPLE.COM
>>> Created /etc/ipa/default.conf
>>> New SSSD config will be created
>>> Configured sudoers in /etc/nsswitch.conf
>>> Configured /etc/sssd/sssd.conf
>>> Configured /etc/krb5.conf for IPA realm HQ.EXAMPLE.COM
>>> trying https://ipa.hq.example.com/ipa/json
>>> Forwarding 'ping' to json server 'https://ipa.hq.example.com/ipa/json'
>>> Forwarding 'ca_is_enabled' to json server 'https://ipa.hq.example.com/ipa/json'
>>> Systemwide CA database updated.
>>> Added CA certificates to the default NSS database.
>>> Hostname (meson.hq.example.com) not found in DNS
>>> *Failed to update DNS records.*
>>> Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
>>> Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
>>> Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
>>> Forwarding 'host_mod' to json server 'https://ipa.hq.example.com/ipa/json'
>>> *Could not update DNS SSHFP records.*
>>> SSSD enabled
>>> Configured /etc/openldap/ldap.conf
>>> *Unable to find 'admin' user with 'getent passwd ad...@hq.example.com'!*
>>> *Unable to reliably detect configuration. Check NSS setup manually.*
>>> NTP enabled
>>> Configured /etc/ssh/ssh_config
>>> Configured /etc/ssh/sshd_config
>>> Configuring hq.example.com as NIS domain.
>>> Client configuration complete.
>>>
>>>
>>> --
>>> Thank you,
>>> Dmitri Pal
>>>
>>> Sr. Engineering Manager IdM portfolio
>>> Red Hat, Inc.
>>
>>
>> --
>> Thank you,
>> Dmitri Pal
>>
>> Sr. Engineering Manager IdM portfolio
>> Red Hat, Inc.
>
>
> --
> Martin Basti
>
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
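Added example, not part of the thread: a small Python checker that compares a firewall-cmd --list-all listing against the server ports the FreeIPA documentation lists as required (80/443 TCP, 389/636 TCP, 88 and 464 TCP+UDP, 53 TCP+UDP, 123 UDP), also resolving the standard firewalld service names that would open those ports. The embedded listing is the one Roberto posted, constructed here as sample input; run on it, the checker reports 53/tcp as the only required port not opened (the list has 53/udp only). SERVICE_PORTS is the standard firewalld mapping as assumed here, not something the thread states.

```python
"""Compare a `firewall-cmd --list-all` listing with the server ports a
FreeIPA server is documented to need: HTTP/HTTPS (80, 443 TCP),
LDAP/LDAPS (389, 636 TCP), Kerberos (88 TCP+UDP), kpasswd (464 TCP+UDP),
DNS (53 TCP+UDP) and NTP (123 UDP)."""
import re

IPA_REQUIRED_PORTS = {
    ("80", "tcp"), ("443", "tcp"), ("389", "tcp"), ("636", "tcp"),
    ("88", "tcp"), ("88", "udp"), ("464", "tcp"), ("464", "udp"),
    ("53", "tcp"), ("53", "udp"), ("123", "udp"),
}

# firewalld may open a port through a named service rather than an explicit
# port entry; assumed standard mapping for the services relevant to IPA.
SERVICE_PORTS = {
    "http": {("80", "tcp")}, "https": {("443", "tcp")},
    "ldap": {("389", "tcp")}, "ldaps": {("636", "tcp")},
    "kerberos": {("88", "tcp"), ("88", "udp")},
    "kpasswd": {("464", "tcp"), ("464", "udp")},
    "dns": {("53", "tcp"), ("53", "udp")}, "ntp": {("123", "udp")},
}

# Constructed sample: the listing quoted in the thread, one field per line
# as firewall-cmd prints it (the ports field kept on a single line).
SAMPLE_LISTING = """\
FedoraServer (default, active)
  interfaces: em2
  sources:
  services: cockpit dhcpv6-client ssh
  ports: 8009/tcp 443/tcp 7999/tcp 464/tcp 9443/tcp 636/tcp 88/udp 464/udp 8010/tcp 88/tcp 7990/tcp 123/udp 80/tcp 389/tcp 7389/tcp 9444/tcp 9445/tcp 8011/tcp 53/udp 8082/tcp
  masquerade: no
"""


def _field(listing, name):
    """Return the value of the 'name:' line of a firewall-cmd listing."""
    for line in listing.splitlines():
        key, sep, value = line.strip().partition(":")
        if sep and key == name:
            return value.strip()
    return ""


def open_ports(listing):
    """All (port, proto) pairs opened explicitly or via a known service."""
    opened = set(re.findall(r"(\d+)/(tcp|udp)", _field(listing, "ports")))
    for service in _field(listing, "services").split():
        opened |= SERVICE_PORTS.get(service, set())
    return opened


def missing_ipa_ports(listing):
    """Required IPA ports not opened, as sorted 'port/proto' strings."""
    gaps = IPA_REQUIRED_PORTS - open_ports(listing)
    return [f"{p}/{proto}" for p, proto in sorted(gaps, key=lambda g: (int(g[0]), g[1]))]


if __name__ == "__main__":
    print("required IPA ports not opened:", missing_ipa_ports(SAMPLE_LISTING))
```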