Thank you, dump sent privately

On 23 March 2015 at 13:33, Petr Spacek <pspa...@redhat.com> wrote:

> On 23.3.2015 12:33, Roberto Cornacchia wrote:
> > OK, thanks.
> > That would be "Dynamic updates", right? Then it is enabled.
> >
> > $ ipa dnszone-show --all
> > Zone name: hq.example.com
> > dn: idnsname=hq.example.com.,cn=dns,dc=hq,dc=example,dc=com
> > Zone name: hq.example.com.
> > Active zone: TRUE
> > Authoritative nameserver: ipa.hq.example.com.
> > Administrator e-mail address: hostmaster.hq.example.com.
> > SOA serial: 1427108043
> > SOA refresh: 3600
> > SOA retry: 900
> > SOA expire: 1209600
> > SOA minimum: 3600
> > BIND update policy: grant HQ.EXAMPLE.COM krb5-self * A; grant HQ.EXAMPLE.COM krb5-self * AAAA; grant HQ.EXAMPLE.COM krb5-self * SSHFP;
> > Dynamic update: TRUE
>
> This is correct (but it should not affect SOA query anyway).
>
> Could you share named logs on debug level 10 with us? It would be even better if you could provide us tcpdump with transactions in question.
>
> On the client (before you start installation) please:
> 1) Execute command $ tcpdump -i any -w /tmp/dns.pcap 'port 53'
> 2) Run ipa-client-install
> 3) Kill the tcpdump: $ pkill tcpdump
> 4) Send us the file.
>
> Feel free to send the files to me (pspa...@redhat.com) and Martin^2 (mba...@redhat.com) privately if you do not want to make them public.
>
> Have a nice day!
>
> Petr^2 Spacek
>
> > Allow query: any;
> > Allow transfer: none;
> > Allow PTR sync: FALSE
> > nsrecord: ipa.hq.example.com.
> > objectclass: idnszone, top, idnsrecord
> >
> >
> > On 23 March 2015 at 12:27, Martin Basti <mba...@redhat.com> wrote:
> >
> >> On 23/03/15 12:19, Roberto Cornacchia wrote:
> >>
> >> BTW, shouldn't named.conf contain an "allow-update" statement? Mine doesn't. Or is this managed differently?
> >>
> >> It is not needed.
> >> bind-dyndb-ldap plugin overrides this configuration, you just need to enable updates in IPA zone setting.
> >>
> >> Martin
> >>
> >> On 23 March 2015 at 12:16, Roberto Cornacchia <roberto.cornacc...@gmail.com> wrote:
> >>
> >>> On 23 March 2015 at 10:35, Petr Spacek <pspa...@redhat.com> wrote:
> >>>
> >>>> On 23.3.2015 10:21, Roberto Cornacchia wrote:
> >>>>> About the DNS update, this is what the debug log has to say:
> >>>>>
> >>>>> Found zone name: hq.example.com
> >>>>> The master is: ipa.hq.example.com
> >>>>> start_gssrequest
> >>>>> Found realm from ticket: HQ.EXAMPLE.COM
> >>>>> send_gssrequest
> >>>>> *; Communication with 192.168.0.72#53 failed: operation canceled*
> >>>>> *Reply from SOA query:*
> >>>>> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4923
> >>>>> ;; flags: qr ra; QUESTION: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
> >>>>> ;; QUESTION SECTION:
> >>>>> ;1835417091.sig-ipa.hq.example.com. ANY TKEY
> >>>>>
> >>>>> response to SOA query was unsuccessful
> >>>>
> >>>> - Please verify that 192.168.0.72 is the correct IP address of the FreeIPA server.
> >>>
> >>> Positive
> >>>
> >>>> - Please check named.logs on the server side to see if there are any complaints about unsuccessful key negotiation with client.
> >>>
> >>> I raised named's log level to debug 10 and restarted.
> >>> Ran ipa-client-install again.
> >>> The log shows many queries from the client, for A/AAAA/SOA record types, both about the server and the client. All approved, no problem.
> >>> The log does not seem to contain a single failure / rejection.
> >>>
> >>> However:
> >>> 1) The client reports that response to SOA query was unsuccessful. The server log does not say anything about this.
> >>> 2) The server log does not contain any update request
> >>>
> >>>>> Notice that it is *different* from what I got before the chronyd change.
> >>>>> Before, there was not even a reply:
> >>>>>
> >>>>> Found zone name: hq.example.com
> >>>>> The master is: ipa.hq.example.com
> >>>>> start_gssrequest
> >>>>> Found realm from ticket: HQ.EXAMPLE.COM
> >>>>> send_gssrequest
> >>>>> *; Communication with 192.168.0.72#53 failed: operation canceled*
> >>>>> *could not reach any name server*
> >>>>
> >>>> Interesting, this should not be related to time synchronization in any way.
> >>>> DNS server simply did not return any answer.
> >>>>
> >>>> --
> >>>> Petr^2 Spacek
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
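An added illustration, not code from the thread or from FreeIPA: once the pcap Petr asked for is in hand, the message to look for is the TKEY query that nsupdate's GSS-TSIG negotiation sends before any update (the "ANY TKEY" question with id 4923 in the debug output above, which came back SERVFAIL). The script below parses DNS wire-format messages, pairs queries with responses by message ID and reports TKEY transactions whose response rcode is not NOERROR. The sample messages are constructed inline to mirror the quoted exchange and the zone's SOA lookup; for brevity the builder carries only the question section and omits the TKEY record a real negotiation puts in the additional section, which the parser does not need.

```python
"""Triage DNS messages for failed GSS-TSIG (TKEY) negotiation.

Added example, not FreeIPA code. Feed it the raw DNS payloads extracted
from a capture; here the messages are constructed inline.
"""
import struct

TYPE_SOA = 6
TYPE_TKEY = 249          # RFC 2930 TKEY, used by GSS-TSIG key negotiation
CLASS_IN = 1
CLASS_ANY = 255
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def encode_name(name):
    """Encode a dotted name as uncompressed DNS wire labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg, off):
    """Decode a (possibly compressed) name at `off`; return (name, offset after it)."""
    labels, jumped, end = [], False, off
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer: jump, but remember where we were
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            off, jumped = ptr, True
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    if not jumped:
        end = off
    return ".".join(labels) + ".", end


def build_message(msg_id, flags, qname, qtype, qclass):
    """Build a minimal DNS message: header plus one question, no other sections."""
    header = struct.pack("!HHHHHH", msg_id, flags, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, qclass)


def parse_message(msg):
    """Return id, QR bit, rcode and the first question of a wire-format message."""
    msg_id, flags, _qdcount = struct.unpack("!HHH", msg[:6])
    qname, off = decode_name(msg, 12)
    qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
    return {"id": msg_id, "qr": bool(flags & 0x8000), "rcode": flags & 0x000F,
            "qname": qname, "qtype": qtype, "qclass": qclass}


def failed_tkey_transactions(messages):
    """Pair queries with responses by ID; return (id, name, rcode) for TKEY failures."""
    queries, failures = {}, []
    for raw in messages:
        m = parse_message(raw)
        if not m["qr"]:
            queries[m["id"]] = m
            continue
        q = queries.get(m["id"])
        if q is None or q["qtype"] != TYPE_TKEY:
            continue
        if m["rcode"] != 0:
            failures.append((m["id"], m["qname"], RCODE_NAMES.get(m["rcode"], str(m["rcode"]))))
    return failures


# Constructed sample traffic: the TKEY query/SERVFAIL pair from the thread
# (flags 0x8082 = QR, RA, rcode 2) and a healthy SOA lookup of the zone.
SAMPLE_MESSAGES = [
    build_message(4923, 0x0000, "1835417091.sig-ipa.hq.example.com.", TYPE_TKEY, CLASS_ANY),
    build_message(4923, 0x8082, "1835417091.sig-ipa.hq.example.com.", TYPE_TKEY, CLASS_ANY),
    build_message(1001, 0x0100, "hq.example.com.", TYPE_SOA, CLASS_IN),
    build_message(1001, 0x8180, "hq.example.com.", TYPE_SOA, CLASS_IN),
]

if __name__ == "__main__":
    for msg_id, qname, rcode in failed_tkey_transactions(SAMPLE_MESSAGES):
        print(f"TKEY id={msg_id} name={qname} -> {rcode}")
```

A SERVFAIL on the TKEY query, with no matching key-negotiation error in named's log, points at the key-negotiation step rather than at the zone's update policy, which is why the capture is more informative than the dnszone-show output.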