On 23/03/15 12:19, Roberto Cornacchia wrote:
BTW, shouldn't named.conf contain an "allow-update" statement? Mine doesn't. Or is this managed differently?
It is not needed.
bind-dyndb-ldap plugin overrides this configuration, you just need to enable updates in IPA zone setting.


Martin


On 23 March 2015 at 12:16, Roberto Cornacchia <roberto.cornacc...@gmail.com> wrote:



    On 23 March 2015 at 10:35, Petr Spacek <pspa...@redhat.com> wrote:

        On 23.3.2015 10:21, Roberto Cornacchia wrote:
        > About the DNS update, this is what the debug log has to say:
        >
        > Found zone name: hq.example.com
        > The master is: ipa.hq.example.com
        > start_gssrequest
        > Found realm from ticket: HQ.EXAMPLE.COM
        > send_gssrequest
        > *; Communication with 192.168.0.72#53 failed: operation canceled*
        > *Reply from SOA query:*
        > ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id:   4923
        > ;; flags: qr ra; QUESTION: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
        > ;; QUESTION SECTION:
        > ;1835417091.sig-ipa.hq.example.com. ANY TKEY
        >
        > response to SOA query was unsuccessful

        - Please verify that 192.168.0.72 is the correct IP address of
        the FreeIPA server.


    Positive

        - Please check named.logs on the server side to see if there
        are any complaints
        about unsuccessful key negotiation with client.


    I raised named's log level to debug 10 and restarted.
    Ran ipa-client-install again.
    The log shows many queries from the client, for A/AAA/SOA record
    types, both about the server and the client. All approved, no problem.
    The log does not seem to contain a single failure / rejection.

    However:
    1) The client reports that response to SOA query was unsuccessful.
    The server log does not say anything about this.
    2) The server log does not contain any update request


        > Notice that it is *different* from what I got before the
        chronyd change.
        > Before, there was not even a reply:
        >
        > Found zone name: hq.example.com
        > The master is: ipa.hq.example.com
        > start_gssrequest
        > Found realm from ticket: HQ.EXAMPLE.COM
        > send_gssrequest
        > *; Communication with 192.168.0.72#53 failed: operation canceled*
        > *could not reach any name server*

        Interesting, this should not be related to time
        synchronization in any way.
        DNS server simply did not return any answer.

        --
        Petr^2 Spacek

        --
        Manage your subscription for the Freeipa-users mailing list:
        https://www.redhat.com/mailman/listinfo/freeipa-users
        Go to http://freeipa.org for more info on the project
--
Martin Basti
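The two failure modes discussed in this thread (no reply at all, versus a SERVFAIL answer to the TKEY request that nsupdate labels a "SOA query") can be told apart mechanically from the client's own `nsupdate -d` output. The Python below is an added example, not FreeIPA, BIND or nsupdate code: the sample logs are constructed from the excerpts quoted above, and the `triage` function and its hints are this example's own.

```python
import re

# Constructed samples modelled on the two nsupdate debug excerpts quoted in
# the thread (not real captures).
SAMPLE_TKEY_SERVFAIL = """\
Found zone name: hq.example.com
The master is: ipa.hq.example.com
start_gssrequest
Found realm from ticket: HQ.EXAMPLE.COM
send_gssrequest
; Communication with 192.168.0.72#53 failed: operation canceled
Reply from SOA query:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id:   4923
;; flags: qr ra; QUESTION: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;1835417091.sig-ipa.hq.example.com. ANY TKEY
response to SOA query was unsuccessful
"""

SAMPLE_NO_REPLY = """\
send_gssrequest
; Communication with 192.168.0.72#53 failed: operation canceled
could not reach any name server
"""

HEADER_RE = re.compile(r"opcode: (?P<opcode>[A-Z]+), status: (?P<status>[A-Z]+)")
# A question-section entry is a single ';' followed directly by the owner name.
QUESTION_RE = re.compile(r"^;(?P<name>[^;\s]+)\s+(?P<cls>\S+)\s+(?P<rtype>\S+)\s*$", re.M)


def triage(debug_output: str) -> dict:
    """Say at which stage a GSS-TSIG dynamic update failed and what to check next."""
    if "could not reach any name server" in debug_output:
        return {"stage": "transport", "status": None,
                "hint": "no reply at all: verify the server IP and that named answers on port 53"}
    hdr = HEADER_RE.search(debug_output)
    question = QUESTION_RE.search(debug_output)
    opcode = hdr.group("opcode") if hdr else None
    status = hdr.group("status") if hdr else None
    rtype = question.group("rtype") if question else None
    # The question section, not the "SOA query" label, shows which request this
    # reply answers: a TKEY question is the GSS-TSIG key negotiation itself.
    if rtype == "TKEY" and status != "NOERROR":
        return {"stage": "gss-tsig negotiation", "status": status,
                "hint": "server failed the TKEY handshake: check named logs on the server"}
    if opcode == "UPDATE" and status == "REFUSED":
        return {"stage": "update policy", "status": status,
                "hint": "key negotiated but update refused: check dynamic updates and update policy on the zone"}
    if opcode == "UPDATE" and status == "NOERROR":
        return {"stage": "done", "status": status, "hint": "update accepted"}
    return {"stage": "unknown", "status": status, "hint": "inspect the full output"}
```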