I am running FreeIPA 4.1.3 on CentOS7.

I am attempting to join a CentOS 6.5 client using ipa-client 3.0.0-42.

The client hostname is ipaclient.login.mydomain.net.

The FreeIPA domain is mydomain.net.

This post here:
states that making all DNS entries into a single zone rather than having a
separate zone for login.mydomain.net is a perfectly acceptable design.

However, an issue occurs when joining the client.  It joins to the domain
fine and creates the initial DNS A entry, but then according to the logs,
when it goes to update the DNS SSHFP records, it fails because it tries to
update the nonexistent zone login.mydomain.net instead of just updating
mydomain.net. To be clear, the SSH host keys are in the client record so
the only issue is with adding them to DNS.

Here are the relevant log entries generated with ipa-client-install:

2015-06-03T16:11:12Z DEBUG stderr=
2015-06-03T16:11:12Z DEBUG Writing nsupdate commands to
2015-06-03T16:11:12Z DEBUG zone login.mydomain.net.
update delete ipaclient.login.mydomain.net. IN SSHFP
update add ipaclient.login.mydomain.net. 1200 IN SSHFP 1 1
update add ipaclient.login.mydomain.net. 1200 IN SSHFP 2 1

2015-06-03T16:11:13Z DEBUG args=/usr/bin/nsupdate -g /etc/ipa/.dns_update.txt
2015-06-03T16:11:13Z DEBUG stdout=
2015-06-03T16:11:13Z DEBUG stderr=update failed: NOTAUTH
update failed: NOTAUTH

2015-06-03T16:11:13Z DEBUG nsupdate failed: Command '/usr/bin/nsupdate -g
/etc/ipa/.dns_update.txt' returned non-zero exit status 2
2015-06-03T16:11:13Z WARNING Could not update DNS SSHFP records.
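
Added example (not part of the original post and not FreeIPA code): a Python sketch that picks the zone enclosing the client's name from the zones the server actually hosts, then builds the SSHFP nsupdate batch against that zone instead of login.mydomain.net. The hosted-zone list and key blobs are constructed sample values, and the function names are hypothetical.

```python
import base64
import hashlib

# SSHFP algorithm numbers (RFC 4255): 1 = RSA, 2 = DSA, matching the log above.
SSHFP_ALGO = {"ssh-rsa": 1, "ssh-dss": 2}

# Constructed sample data: placeholder key blobs, not real host keys.
SAMPLE_KEYS = [
    "ssh-rsa " + base64.b64encode(b"constructed-rsa-blob").decode(),
    "ssh-dss " + base64.b64encode(b"constructed-dsa-blob").decode(),
    "ssh-ed25519 " + base64.b64encode(b"constructed-ed25519-blob").decode(),
]


def enclosing_zone(fqdn, hosted_zones):
    """Return the longest hosted zone that encloses fqdn, or None."""
    labels = fqdn.rstrip(".").lower().split(".")
    hosted = {z.rstrip(".").lower() for z in hosted_zones}
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in hosted:
            return candidate + "."
    return None


def sshfp_rdata(pubkey_line):
    """Return '<algo> 1 <SHA-1 hex>' for an OpenSSH public key line, or None."""
    parts = pubkey_line.split()
    if len(parts) < 2 or parts[0] not in SSHFP_ALGO:
        return None  # key type outside the two this sketch handles
    blob = base64.b64decode(parts[1])
    return "%d 1 %s" % (SSHFP_ALGO[parts[0]], hashlib.sha1(blob).hexdigest().upper())


def nsupdate_batch(fqdn, hosted_zones, pubkey_lines, ttl=1200):
    """Build nsupdate commands that target the zone really hosting fqdn."""
    zone = enclosing_zone(fqdn, hosted_zones)
    if zone is None:
        raise ValueError("no hosted zone encloses %s" % fqdn)
    name = fqdn.rstrip(".").lower() + "."
    lines = ["zone %s" % zone, "update delete %s IN SSHFP" % name]
    for rdata in filter(None, map(sshfp_rdata, pubkey_lines)):
        lines.append("update add %s %d IN SSHFP %s" % (name, ttl, rdata))
    lines.append("send")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(nsupdate_batch("ipaclient.login.mydomain.net", ["mydomain.net"], SAMPLE_KEYS))
```

The resulting text has the same shape as the command file in the log, so it can be reviewed by eye before being passed to `nsupdate -g`.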
