On 23/03/15 12:19, Roberto Cornacchia wrote:
BTW, shouldn't named.conf contain an "allow-update" statement? Mine
doesn't. Or is this managed differently?
It is not needed.
bind-dyndb-ldap plugin overrides this configuration, you just need to
enable updates in IPA zone setting.
Martin
On 23 March 2015 at 12:16, Roberto Cornacchia <[email protected]> wrote:
On 23 March 2015 at 10:35, Petr Spacek <[email protected]> wrote:
> On 23.3.2015 10:21, Roberto Cornacchia wrote:
>> About the DNS update, this is what the debug log has to say:
>>
>> Found zone name: hq.example.com
>> The master is: ipa.hq.example.com
>> start_gssrequest
>> Found realm from ticket: HQ.EXAMPLE.COM
>> send_gssrequest
>> *; Communication with 192.168.0.72#53 failed: operation canceled*
>> *Reply from SOA query:*
>> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4923
>> ;; flags: qr ra; QUESTION: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
>> ;; QUESTION SECTION:
>> ;1835417091.sig-ipa.hq.example.com. ANY TKEY
>>
>> response to SOA query was unsuccessful
>
> - Please verify that 192.168.0.72 is the correct IP address of
> the FreeIPA server.

Positive

> - Please check named.logs on the server side to see if there
> are any complaints about unsuccessful key negotiation with client.

I raised named's log level to debug 10 and restarted.
Ran ipa-client-install again.
The log shows many queries from the client, for A/AAAA/SOA record
types, both about the server and the client. All approved, no problem.
The log does not seem to contain a single failure / rejection.
However:
1) The client reports that response to SOA query was unsuccessful.
The server log does not say anything about this.
2) The server log does not contain any update request.

>> Notice that it is *different* from what I got before the
>> chronyd change.
>> Before, there was not even a reply:
>>
>> Found zone name: hq.example.com
>> The master is: ipa.hq.example.com
>> start_gssrequest
>> Found realm from ticket: HQ.EXAMPLE.COM
>> send_gssrequest
>> *; Communication with 192.168.0.72#53 failed: operation canceled*
>> *could not reach any name server*
>
> Interesting, this should not be related to time
> synchronization in any way.
> DNS server simply did not return any answer.
>
> --
> Petr^2 Spacek
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
--
Martin Basti
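As an added illustration (not code from this thread, from FreeIPA or from bind-dyndb-ldap), the script below parses an nsupdate-style GSS-TSIG debug transcript like the two quoted above and separates the two failure shapes the thread contrasts: no DNS reply at all versus a reply whose HEADER carries SERVFAIL for the TKEY (key negotiation) question. The two sample transcripts are constructed inline from the quoted output; the `Diagnosis` fields, the regexes and the verdict labels (`no-reply`, `tkey-rejected`, `ok`) are my own naming, not nsupdate's.

```python
"""Triage helper for nsupdate GSS-TSIG debug output (constructed example)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed samples, transcribed from the two transcripts quoted in the thread.
TKEY_SERVFAIL = """\
Found zone name: hq.example.com
The master is: ipa.hq.example.com
start_gssrequest
Found realm from ticket: HQ.EXAMPLE.COM
send_gssrequest
; Communication with 192.168.0.72#53 failed: operation canceled
Reply from SOA query:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4923
;; flags: qr ra; QUESTION: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;1835417091.sig-ipa.hq.example.com. ANY TKEY

response to SOA query was unsuccessful
"""

NO_REPLY = """\
Found zone name: hq.example.com
The master is: ipa.hq.example.com
start_gssrequest
Found realm from ticket: HQ.EXAMPLE.COM
send_gssrequest
; Communication with 192.168.0.72#53 failed: operation canceled
could not reach any name server
"""

HEADER_RE = re.compile(r"^;; ->>HEADER<<- opcode: (\w+), status: (\w+), id: (\d+)$")
QUESTION_RE = re.compile(r"^;(\S+)\s+(\w+)\s+(\w+)$")  # ;name CLASS TYPE
COMM_RE = re.compile(r"^; Communication with (\S+)#(\d+) failed: (.+)$")


@dataclass
class Diagnosis:
    zone: Optional[str] = None
    master: Optional[str] = None
    server: Optional[str] = None   # address the client actually sent to
    port: Optional[int] = None
    rcode: Optional[str] = None    # status from the HEADER line, if any reply came back
    qtype: Optional[str] = None    # record type of the question in that reply
    errors: List[str] = field(default_factory=list)
    verdict: str = "unclassified"


def parse_nsupdate_debug(text: str) -> Diagnosis:
    """Walk the transcript line by line and collect the fields that matter for triage."""
    d = Diagnosis()
    in_question = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Found zone name:"):
            d.zone = line.split(":", 1)[1].strip()
        elif line.startswith("The master is:"):
            d.master = line.split(":", 1)[1].strip()
        elif (m := COMM_RE.match(line)):
            d.server, d.port = m.group(1), int(m.group(2))
            d.errors.append(m.group(3))
        elif (m := HEADER_RE.match(line)):
            d.rcode = m.group(2)
        elif line == ";; QUESTION SECTION:":
            in_question = True
        elif in_question and line.startswith(";"):
            q = QUESTION_RE.match(line)
            if q:
                d.qtype = q.group(3)
            in_question = False
        elif line == "could not reach any name server":
            d.errors.append(line)
    d.verdict = classify(d)
    return d


def classify(d: Diagnosis) -> str:
    """Map the collected fields onto the two failure shapes seen in the thread."""
    if d.rcode is None and "could not reach any name server" in d.errors:
        # No DNS reply at all: a reachability or listener problem, not key negotiation.
        return "no-reply"
    if d.qtype == "TKEY" and d.rcode not in (None, "NOERROR"):
        # The server answered but refused the GSS-TSIG TKEY negotiation;
        # the next place to look is the server-side named log.
        return "tkey-rejected"
    if d.rcode == "NOERROR":
        return "ok"
    return "unclassified"


if __name__ == "__main__":
    for label, sample in (("after chronyd change", TKEY_SERVFAIL), ("before", NO_REPLY)):
        r = parse_nsupdate_debug(sample)
        print(f"{label}: server={r.server} rcode={r.rcode} qtype={r.qtype} -> {r.verdict}")
```

Feed it the output of a failing `ipa-client-install` or `nsupdate -g -d` run and the verdict tells you which side to inspect first: `no-reply` points at the address, firewall or listener on the server named in the "Communication with" line, while `tkey-rejected` means the packet got through and the server's named log is where the refusal will be recorded.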