On 06/05/2015 12:27 AM, nat...@nathanpeters.com wrote:
I am running FreeIPA 4.1.3 on CentOS7.

I am attempting to join a CentOS 6.5 client using ipa-client 3.0.0-42.

The client hostname is ipaclient.login.mydomain.net.

The FreeIPA domain is mydomain.net.

This post here:
https://www.redhat.com/archives/freeipa-users/2015-April/msg00368.html
states that making all DNS entries into a single zone rather than having a separate zone for login.mydomain.net is a perfectly acceptable design choice.

However, an issue occurs when joining the client. It joins the domain fine and creates the initial DNS A entry, but then, according to the logs, when it goes to update the DNS SSHFP records, it fails because it tries to update the nonexistent zone login.mydomain.net instead of just updating mydomain.net. To be clear, the SSH host keys are in the client record, so the only issue is with adding them to DNS.

Here are the relevant log entries generated with ipa-client-install:

2015-06-03T16:11:12Z DEBUG stderr=
2015-06-03T16:11:12Z DEBUG Writing nsupdate commands to
/etc/ipa/.dns_update.txt:
2015-06-03T16:11:12Z DEBUG zone login.mydomain.net.
update delete ipaclient.login.mydomain.net. IN SSHFP
send
update add ipaclient.login.mydomain.net. 1200 IN SSHFP 1 1
1D17A1B7DCB75242AEBBBFEF7CE68844B530AE60
update add ipaclient.login.mydomain.net. 1200 IN SSHFP 2 1
11D3F076F616F02AD74BFF4D48E8BBA239063E8F
send

2015-06-03T16:11:13Z DEBUG args=/usr/bin/nsupdate -g
/etc/ipa/.dns_update.txt
2015-06-03T16:11:13Z DEBUG stdout=
2015-06-03T16:11:13Z DEBUG stderr=update failed: NOTAUTH
update failed: NOTAUTH

2015-06-03T16:11:13Z DEBUG nsupdate failed: Command '/usr/bin/nsupdate
-g
/etc/ipa/.dns_update.txt' returned non-zero exit status 2
2015-06-03T16:11:13Z WARNING Could not update DNS SSHFP records.



--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Here are some more entries from /var/named/data/named.run.

You'll notice that in the first set of entries, I added the hosts with the incorrect subdomain set and it worked fine.

In the second set, I gave the correct hostnames, and even though it claims it's still trying to update the mydomain.net file, it says it's not authorized. I am thoroughly confused by this behavior.

successful
----------
01-Jun-2015 18:36:04.580 client 10.21.5.206#40096/key
host/ipaclient.mydomain.net\@mydomain.NET: updating zone
'mydomain.net/IN': deleting rrset at 'ipaclient.mydomain.net' A
01-Jun-2015 18:36:04.590 client 10.21.5.206#34641/key
host/ipaclient.mydomain.net\@mydomain.NET: updating zone
'mydomain.net/IN': adding an RR at 'ipaclient.mydomain.net' A
01-Jun-2015 18:36:25.582 client 10.21.5.206#49800/key
host/ipaclient.mydomain.net\@mydomain.NET: updating zone
'mydomain.net/IN': deleting rrset at 'ipaclient.mydomain.net' SSHFP
01-Jun-2015 18:36:25.595 client 10.21.5.206#34081/key
host/ipaclient.mydomain.net\@mydomain.NET: updating zone
'mydomain.net/IN': adding an RR at 'ipaclient.mydomain.net' SSHFP
01-Jun-2015 18:36:26.363 client 10.21.5.206#34081/key
host/ipaclient.mydomain.net\@mydomain.NET: updating zone
'mydomain.net/IN': adding an RR at 'ipaclient.mydomain.net' SSHFP

unsuccessful
------------
03-Jun-2015 16:10:56.407 client 10.21.5.206#52739/key
host/ipaclient.login.mydomain.net\@mydomain.NET: updating zone
'mydomain.net/IN': update failed: not authoritative for update zone
(NOTAUTH)
03-Jun-2015 16:10:56.420 client 10.21.5.206#50551/key
host/ipaclient.login.mydomain.net\@mydomain.NET: updating zone
'mydomain.net/IN': update failed: not authoritative for update zone
(NOTAUTH)
03-Jun-2015 16:11:12.993 client 10.21.5.206#39633/key
host/ipaclient.login.mydomain.net\@mydomain.NET: updating zone
'mydomain.net/IN': update failed: not authoritative for update zone
(NOTAUTH)
03-Jun-2015 16:11:13.005 client 10.21.5.206#50415/key
host/ipaclient.login.mydomain.net\@mydomain.NET: updating zone
'mydomain.net/IN': update failed: not authoritative for update zone
(NOTAUTH)




So can anyone at least tell me whether it is intended that you have to create a separate DNS subdomain rather than one big domain file in order to get DNS SSHFP records to save, or is that a bug and you should be able to just have one large domain and not break out the subdomains?
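The zone mismatch behind the NOTAUTH in the logs, as an added example (not ipa-client's or FreeIPA's own code): the client writes `zone login.mydomain.net.` by stripping the host's first label, while named is authoritative only for mydomain.net. The code below contrasts that naive derivation with picking the longest authoritative zone that encloses the host name; the zone list is a constructed stand-in for looking up the SOA on the server.

```python
"""Derive the nsupdate zone from the zones the server actually serves,
rather than from 'hostname minus its first label'.
Constructed example; AUTHORITATIVE_ZONES stands in for an SOA lookup."""

# Constructed: the zones the IPA DNS server is authoritative for.
AUTHORITATIVE_ZONES = ["mydomain.net."]


def _canonical(name):
    """Lower-case, with a trailing dot, so suffix matching is exact."""
    name = name.lower()
    return name if name.endswith(".") else name + "."


def naive_zone(fqdn):
    """What the failing client effectively does: drop the first label.
    For ipaclient.login.mydomain.net this yields login.mydomain.net."""
    return _canonical(fqdn).split(".", 1)[1]


def enclosing_zone(fqdn, zones):
    """Longest zone in `zones` that is a suffix of the host name,
    or None when no listed zone contains the host at all."""
    fqdn = _canonical(fqdn)
    best = None
    for zone in zones:
        zone = _canonical(zone)
        if fqdn == zone or fqdn.endswith("." + zone):
            if best is None or len(zone) > len(best):
                best = zone
    return best


def sshfp_update_script(fqdn, zone, sshfps, ttl=1200):
    """Render an nsupdate input file in the same shape ipa-client writes
    to /etc/ipa/.dns_update.txt, but with an explicit, correct zone.
    `sshfps` is a list of (algorithm, fingerprint_type, hex_fingerprint)."""
    fqdn = _canonical(fqdn)
    lines = ["zone %s" % _canonical(zone),
             "update delete %s IN SSHFP" % fqdn,
             "send"]
    for algo, fptype, fingerprint in sshfps:
        lines.append("update add %s %d IN SSHFP %d %d %s"
                     % (fqdn, ttl, algo, fptype, fingerprint))
    lines.append("send")
    return "\n".join(lines) + "\n"
```

Running `enclosing_zone("ipaclient.login.mydomain.net", AUTHORITATIVE_ZONES)` returns `mydomain.net.`, which is the zone named would have accepted the update for.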

I thought it is not needed to create subdomains in order for nsupdate to work. Maybe it is an Update policy thing? Petr, do you know?
