On 06.05.2016 22:18, Sean Hogan wrote:

Yes sir..

Dynamic update value is set to true on both test.local and the reverse zone.

From what Robert mentioned, I am looking at the install logs now.


So this is where DNS update is bombing:
2016-04-26T16:31:08Z DEBUG args=/usr/bin/nsupdate -g /etc/ipa/.dns_update.txt
2016-04-26T16:31:08Z DEBUG stdout=
2016-04-26T16:31:08Z DEBUG stderr=; Communication with "Correct DNS server IP"#53 failed:
operation canceled
could not talk to any default name server

That is weird. Do you have TCP/53 allowed? It may try to use TCP instead of UDP.

And please check on "Correct DNS server" whether there is any logged entry about a dynamic update from the client (journalctl -u named[-pkcs11]).

Martin


2016-04-26T16:31:08Z DEBUG nsupdate failed: Command '/usr/bin/nsupdate -g /etc/ipa/.dns_update.txt' returned non-zero exit status 1
2016-04-26T16:31:08Z ERROR Failed to update DNS records.

And this is where SSHFP updates are bombing:
2016-04-26T16:31:09Z DEBUG args=/usr/bin/nsupdate -g /etc/ipa/.dns_update.txt
2016-04-26T16:31:09Z DEBUG stdout=
2016-04-26T16:31:09Z DEBUG stderr=; Communication with "Correct DNS server IP"#53 failed:
operation canceled
could not talk to any default name server

2016-04-26T16:31:09Z DEBUG nsupdate failed: Command '/usr/bin/nsupdate -g /etc/ipa/.dns_update.txt' returned non-zero exit status 1
2016-04-26T16:31:09Z WARNING Could not update DNS SSHFP records.
2016-04-26T16:31:09Z DEBUG args=/sbin/service nscd status
2016-04-26T16:31:09Z DEBUG stdout=
2016-04-26T16:31:09Z DEBUG stderr=nscd: unrecognized service


So it looks like it cannot talk to port 53, but nslookup is working fine from the box and reports the server as the correct DNS IP, the same one that is in the logs:
Server: correct IP of DNS server
Address: correct IP of DNS server#53

Name: dingle.test.local
Address: correct ip of dingle

resolv.conf has the same IP as its first entry as in the logs and the nslookup result.

Sean Hogan






From: Martin Basti <mba...@redhat.com>
To: Sean Hogan/Durham/IBM@IBMUS, freeipa-users <freeipa-users@redhat.com>
Date: 05/06/2016 12:25 PM
Subject: Re: [Freeipa-users] SSHFP upload

------------------------------------------------------------------------



Hello, records are updated by nslookup

Do you have dynamic updates allowed in the zone settings?

Martin


On 06.05.2016 21:18, Sean Hogan wrote:

        Hi All,

        Wondering if someone knows how the SSHFPs of a box are getting
        uploaded to IPA during ipa-client-install
        --enable-dns-updates? Is it going over port 389,636,22?

        Have an issue that on one network my enrolls work fine and
        everything gets updated. A new network was put in place but
        still part of the same domain and I get SSHFP failed to
        upload. I was assuming this has something to do with DNS but
        Network team says bi directional port 53 is good and I can
        nslookup. Both new and old networks point to the same IPA DNS
        server for enrolling. The IPs of the new network still fall in
        my reverse zone.

        So My DNS is setup with:
        test.local
        10.in-addr.arpa

        and the IP scheme for new net is 10.5.x.x, old net is 10.35.x.x



        Results of current Network

        Enrolled in IPA realm TEST.LOCAL
        Created /etc/ipa/default.conf
        New SSSD config will be created
        Configured sudoers in /etc/nsswitch.conf
        Configured /etc/sssd/sssd.conf
        Configured /etc/krb5.conf for IPA realm TEST.LOCAL
        trying *_https://bob.test.local/ipa/xml_*
        <https://rtpvxl0068.watson.local/ipa/xml>
        Forwarding 'env' to server u'_https://bob.test.local/ipa/xml_'
        DNS server record set to: dingle.test.local -> IP of dingle
        Adding SSH public key from /etc/ssh/ssh_host_dsa_key.pub
        Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
        Forwarding 'host_mod' to server
        u'_https://bob.test.local/ipa/xml_'
        SSSD enabled
        Configuring test.local as NIS domain
        Configured /etc/openldap/ldap.conf
        NTP enabled
        Configured /etc/ssh/ssh_config
        Configured /etc/ssh/sshd_config
        Client configuration complete.




        Results of New network
        Enrolled in IPA realm TEST.LOCAL
        Attempting to get host TGT...
        Created /etc/ipa/default.conf
        New SSSD config will be created
        Configured sudoers in /etc/nsswitch.conf
        Configured /etc/sssd/sssd.conf
        Configured /etc/krb5.conf for IPA realm TEST.LOCAL
        trying *_https://bob.test.local/ipa/xml_*
        <https://rtpvxl0068.watson.local/ipa/xml>
        Forwarding 'env' to server u'_https://bob.test.local/ipa/xml_'
        Failed to update DNS records.
        Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
        Adding SSH public key from /etc/ssh/ssh_host_dsa_key.pub
        Forwarding 'host_mod' to server
        u'_https://bob.test.local/ipa/xml_'
        Could not update DNS SSHFP records.
        SSSD enabled
        Configuring test.local as NIS domain
        Configured /etc/openldap/ldap.conf
        NTP enabled
        Configured /etc/ssh/ssh_config
        Configured /etc/ssh/sshd_config
        Client configuration complete





        Sean Hogan






-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
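A small transport check for the TCP/53 hint in this thread, added here as an example and not code from the thread or from FreeIPA: it sends one plain SOA query for the zone to the DNS server over UDP and, separately, over TCP (with the two-byte length prefix TCP DNS requires), so a "UDP answers, TCP does not" result would explain why nslookup works while nsupdate reports it could not talk to any default name server. It assumes IPv4 and takes the server IP and zone name as arguments; the query itself is unauthenticated and carries no update.

```python
import socket
import struct
import secrets

def build_query(name, qtype=6):
    """Build a minimal DNS query (RD set) for NAME; qtype 6 = SOA."""
    txid = secrets.randbits(16)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)

def is_reply_to(query, reply):
    """True when REPLY is a DNS response (QR bit set) carrying QUERY's transaction id."""
    return (len(reply) >= 12 and reply[:2] == query[:2]
            and reply[2] & 0x80 != 0)

def recv_exact(sock, n):
    """Read exactly N bytes from a TCP socket, or raise if the peer closes early."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ValueError("connection closed early")
        buf += chunk
    return buf

def probe(server, zone, tcp, timeout=3.0):
    """Send one SOA query for ZONE to SERVER:53 over TCP or UDP; True on a valid reply."""
    query = build_query(zone)
    try:
        if tcp:
            with socket.create_connection((server, 53), timeout=timeout) as s:
                s.sendall(struct.pack("!H", len(query)) + query)  # RFC 1035 length prefix
                (length,) = struct.unpack("!H", recv_exact(s, 2))
                reply = recv_exact(s, length)
        else:
            with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
                s.settimeout(timeout)
                s.sendto(query, (server, 53))
                reply, _ = s.recvfrom(4096)
    except (OSError, ValueError):  # refused, timed out, or malformed
        return False
    return is_reply_to(query, reply)

def check_transports(server, zone):
    """Map each transport to whether SERVER answered; UDP-only matches the symptom in the thread."""
    return {"udp": probe(server, zone, tcp=False), "tcp": probe(server, zone, tcp=True)}
```

Run it from the failing client, for example `python3 -c 'import check53; print(check53.check_transports("<dns-server-ip>", "test.local"))'`, and compare the result with the server-side journal Martin asked for.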
