On 03/20/2015 10:56 AM, Roberto Cornacchia wrote:
The zone settings:
$ ipa dnszone-show --all
Zone name: hq.example.com <http://hq.example.com>.
dn: idnsname=hq.example.com
<http://hq.example.com>.,cn=dns,dc=hq,dc=example,dc=com
Zone name: hq.example.com <http://hq.example.com>.
Active zone: TRUE
Authoritative nameserver: ipa.hq.example.com
<http://ipa.hq.example.com>.
Administrator e-mail address: hostmaster.hq.example.com
<http://hostmaster.hq.example.com>.
SOA serial: 1426857128
SOA refresh: 3600
SOA retry: 900
SOA expire: 1209600
SOA minimum: 3600
BIND update policy: grant HQ.EXAMPLE.COM <http://HQ.EXAMPLE.COM>
krb5-self * A; grant HQ.EXAMPLE.COM krb5-self * AAAA; grant
HQ.EXAMPLE.COM krb5-self * SSHFP;
Dynamic update: TRUE
Allow query: any;
Allow transfer: none;
nsrecord: ipa.hq.example.com <http://ipa.hq.example.com>.
objectclass: idnszone, top, idnsrecord
The DNS log doesn't mention anything about updates. It does contain
some errors about unreachable hosts, but that's because I had a
temporary interruption towards the gateway from the ipa server.
One thing I did after installing the IPA server is to turn off support
for ipv6, using
$ echo "net.ipv6.conf.all.disable_ipv6 = 1" >> /etc/sysctl.conf
$ sysctl -p
Do you think it could have any influence?
I think it can.
I have a vague recollection of a bug related to that is some of the
packages we depend on or something like.
Can you try enabling it and see if it makes a difference?
On 20 March 2015 at 12:31, Martin Basti <mba...@redhat.com
<mailto:mba...@redhat.com>> wrote:
Hello,
do you have enabled DNS dynamic updates for hq.example.zone?
You can check it in zone settings.
Are there any log entries in dns log related to nsupdate executed
from a client?
$ journalctl -b -u named-pkcs11
On 20/03/15 09:53, Roberto Cornacchia wrote:
It seems so:
$ firewall-cmd --list-all
FedoraServer (default, active)
interfaces: em2
sources:
services: cockpit dhcpv6-client ssh
ports: 8009/tcp 443/tcp 7999/tcp 464/tcp 9443/tcp 636/tcp
88/udp 464/udp 8010/tcp 88/tcp 7990/tcp 123/udp 80/tcp 389/tcp
7389/tcp 9444/tcp 9445/tcp 8011/tcp 53/udp 8082/tcp
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
On 20 March 2015 at 00:53, Dmitri Pal <d...@redhat.com
<mailto:d...@redhat.com>> wrote:
On 03/19/2015 05:04 PM, Roberto Cornacchia wrote:
Yes.
[root@meson ~]# cat /etc/resolv.conf
search hq.example.com <http://hq.example.com>
nameserver 192.168.0.72
Sorry from the short log I posted it's not visible, but that
ip address is the address of the ipa server
(ipa.hq.example.com <http://ipa.hq.example.com>)
[root@meson ~]# dig ipa.hq.example.com
<http://ipa.hq.example.com>
; <<>> DiG 9.9.6-P1-RedHat-9.9.6-8.P1.fc21 <<>>
ipa.hq.example.com <http://ipa.hq.example.com>
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53238
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1,
ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;ipa.hq.example.com.INA
;; ANSWER SECTION:
ipa.hq.example.com. 1200INA192.168.0.72
;; AUTHORITY SECTION:
hq.example.com.86400INNSipa.hq.example.com.
;; Query time: 1 msec
;; SERVER: 192.168.0.72#53(192.168.0.72)
;; WHEN: do mrt 19 22:02:04 CET 2015
;; MSG SIZE rcvd: 83
OK so you can in fact lookup the server.
Have you opened all required ports for ldap and kerberos and
other protocols in the firewall both UDP and TCP?
On 19 March 2015 at 21:55, Dmitri Pal <d...@redhat.com
<mailto:d...@redhat.com>> wrote:
On 03/19/2015 04:46 PM, Roberto Cornacchia wrote:
Hi,
This should really work like a charm, and I'm sure it
is a stupid mistake of mine if it doesn't, but I really
can't find out what goes wrong.
Both IPA server and client are on FC21, very up to date.
Server installation (standard, with dns) worked well.
Required ports open in the firewall. Everything seems
to work.
I did try to use the IPA server as a DNS (with
forwarders) and NTP server from non-ipa clients, no
problem.
I also tried to use it as LDAP server, from a
non-fedora machine (a synology). It worked well and I
could see users.
When trying to enroll a client, the enrollment itself
seems to succeed, but:
- Unable to sync time with NTP server
- Unable to update DNS
- Unable to find users
I include below the short installation log (I changed
the real domain into hq.example.com
<http://hq.example.com>), and in attachment, the full
log with debug on.
From the debug log, about the DNS update failure, I can
see this:
; Communication with 192.168.0.72#53 failed:
operation canceled
could not reach any name server
I'm not sure what communication problem this could be,
as the server (which is both the IPA and the DNS
servers), clearly can be reached.
Any idea where to look at?
Do you have the IPA DNS server in the resolv.conf of the
client?
Thanks,
Roberto
[root@meson ~]# ipa-client-install --mkhomedir
--ssh-trust-dns --force-ntpd
--hostname=meson.hq.example.com
<http://meson.hq.example.com>
Discovery was successful!
Hostname: meson.hq.example.com
<http://meson.hq.example.com>
Realm: HQ.EXAMPLE.COM <http://HQ.EXAMPLE.COM>
DNS Domain: hq.example.com <http://hq.example.com>
IPA Server: ipa.hq.example.com <http://ipa.hq.example.com>
BaseDN: dc=hq,dc=example,dc=com
Continue to configure the system with these values?
[no]: yes
Synchronizing time with KDC...
*Unable to sync time with IPA NTP server, assuming the
time is in sync. Please check that 123 UDP port is opened.*
User authorized to enroll computers: admin
Password for ad...@hq.example.com
<mailto:ad...@hq.example.com>:
Successfully retrieved CA cert
Subject: CN=Certificate Authority,O=HQ.EXAMPLE.COM
<http://HQ.EXAMPLE.COM>
Issuer: CN=Certificate Authority,O=HQ.EXAMPLE.COM
<http://HQ.EXAMPLE.COM>
Valid From: Mon Mar 16 18:44:35 2015 UTC
Valid Until: Fri Mar 16 18:44:35 2035 UTC
Enrolled in IPA realm HQ.EXAMPLE.COM
<http://HQ.EXAMPLE.COM>
Created /etc/ipa/default.conf
New SSSD config will be created
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm HQ.EXAMPLE.COM
<http://HQ.EXAMPLE.COM>
trying https://ipa.hq.example.com/ipa/json
Forwarding 'ping' to json server
'https://ipa.hq.example.com/ipa/json'
Forwarding 'ca_is_enabled' to json server
'https://ipa.hq.example.com/ipa/json'
Systemwide CA database updated.
Added CA certificates to the default NSS database.
Hostname (meson.hq.example.com
<http://meson.hq.example.com>) not found in DNS
*Failed to update DNS records.*
Adding SSH public key from
/etc/ssh/ssh_host_ed25519_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Forwarding 'host_mod' to json server
'https://ipa.hq.example.com/ipa/json'
*Could not update DNS SSHFP records.*
SSSD enabled
Configured /etc/openldap/ldap.conf
*Unable to find 'admin' user with 'getent passwd
ad...@hq.example.com <mailto:ad...@hq.example.com>'!*
*Unable to reliably detect configuration. Check NSS
setup manually.*
NTP enabled
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Configuring hq.example.com <http://hq.example.com> as
NIS domain.
Client configuration complete.
--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
--
Martin Basti
--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project