I am running FreeIPA 4.1.3 on CentOS7. I am attempting to join a CentOS 6.5 client using ipa-client 3.0.0-42.
The client hostname is ipaclient.login.mydomain.net. The FreeIPA domain is mydomain.net. This post here: https://www.redhat.com/archives/freeipa-users/2015-April/msg00368.html states that making all DNS entries into a single zone rather than having a separate zone for login.mydomain.net is a perfectly acceptable design choice. However, an issue occurs when joining the client. It joins to the domain fine and creates the initial DNS A entry, but then according to the logs, when it goes to update the DNS SSHFP records, it fails because it tries to update the nonexistent zone login.mydomain.net instead of just updating mydomain.net. To be clear, the SSH host keys are in the client record, so the only issue is with adding them to DNS.

Here are the relevant log entries generated with ipa-client-install:

2015-06-03T16:11:12Z DEBUG stderr=
2015-06-03T16:11:12Z DEBUG Writing nsupdate commands to /etc/ipa/.dns_update.txt:
2015-06-03T16:11:12Z DEBUG zone login.mydomain.net.
update delete ipaclient.login.mydomain.net. IN SSHFP
send
update add ipaclient.login.mydomain.net. 1200 IN SSHFP 1 1 1D17A1B7DCB75242AEBBBFEF7CE68844B530AE60
update add ipaclient.login.mydomain.net. 1200 IN SSHFP 2 1 11D3F076F616F02AD74BFF4D48E8BBA239063E8F
send
2015-06-03T16:11:13Z DEBUG args=/usr/bin/nsupdate -g /etc/ipa/.dns_update.txt
2015-06-03T16:11:13Z DEBUG stdout=
2015-06-03T16:11:13Z DEBUG stderr=update failed: NOTAUTH
update failed: NOTAUTH
2015-06-03T16:11:13Z DEBUG nsupdate failed: Command '/usr/bin/nsupdate -g /etc/ipa/.dns_update.txt' returned non-zero exit status 2
2015-06-03T16:11:13Z WARNING Could not update DNS SSHFP records.
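
Added example, not part of the original post and not ipa-client code: a sketch of building the same nsupdate SSHFP script with the zone chosen by longest-suffix match against the zones that actually exist, rather than the hostname minus its first label. The function names and the ZONES list are assumptions made for illustration; the fingerprints are the ones in the log above.

```python
# Added example: pick the zone for an SSHFP update from the zones that exist.

def labels(name):
    """Split a DNS name into lower-case labels, ignoring a trailing dot."""
    return [part for part in name.lower().rstrip(".").split(".") if part]

def enclosing_zone(hostname, zones):
    """Return the most specific zone in `zones` containing `hostname`, or None."""
    host = labels(hostname)
    best = None
    for zone in zones:
        z = labels(zone)
        if not z or len(z) > len(host):
            continue
        # Compare whole labels so "xmydomain.net" never matches "mydomain.net".
        if host[-len(z):] == z and (best is None or len(z) > len(labels(best))):
            best = zone
    return best

def sshfp_update(hostname, zones, records, ttl=1200):
    """Build nsupdate commands in the layout shown in the log above."""
    zone = enclosing_zone(hostname, zones)
    if zone is None:
        raise ValueError("no hosted zone contains %s" % hostname)
    fqdn = ".".join(labels(hostname)) + "."
    lines = ["zone %s." % ".".join(labels(zone)),
             "update delete %s IN SSHFP" % fqdn,
             "send"]
    for algo, fptype, fingerprint in records:
        lines.append("update add %s %d IN SSHFP %d %d %s"
                     % (fqdn, ttl, algo, fptype, fingerprint))
    lines.append("send")
    return "\n".join(lines) + "\n"

# Constructed zone list: the single-zone layout described in the post.
ZONES = ["mydomain.net"]
# (algorithm, fingerprint type, fingerprint) as they appear in the log.
RECORDS = [(1, 1, "1D17A1B7DCB75242AEBBBFEF7CE68844B530AE60"),
           (2, 1, "11D3F076F616F02AD74BFF4D48E8BBA239063E8F")]

if __name__ == "__main__":
    print(sshfp_update("ipaclient.login.mydomain.net", ZONES, RECORDS), end="")
```

With only mydomain.net hosted, the generated script opens with "zone mydomain.net." while the record names stay ipaclient.login.mydomain.net.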