On 10.05.2017 18:38, Jason Sherrill wrote:

I've recently implemented FreeIPA in a mixed environment of Mac OS 10.12 and Windows 10 with limited issues!

One issue: updating the reverse zone via nsupdate works without issue, but updating the forward zone results in a REFUSED status. Below is my zone config, named.conf, and an example of client-side behavior. I'm new to nearly all systems involved; misconfiguration is likely. Thanks!

    From FreeIPA server:

    # ipa dnszone-show int.dplcl.com --all
     dn: idnsname=int.dplcl.com
     Zone name: int.dplcl.com.
     Active zone: TRUE
     Authoritative nameserver: ipa-1.int.dplcl.com
     Administrator e-mail address: hostmaster.int.dplcl.com
     SOA serial: 1494344164
     SOA refresh: 3600
     SOA retry: 900
     SOA expire: 1209600
     SOA minimum: 3600
     BIND update policy: grant INT.DPLCL.COM krb5-self * A; grant INT.DPLCL.COM krb5-self * AAAA; grant INT.DPLCL.COM krb5-self *
     Dynamic update: TRUE
     Allow query: any;
     Allow transfer: none;
     Allow PTR sync: TRUE
     Allow in-line DNSSEC signing: FALSE
     nsrecord: ipa-1.int.dplcl.com.
     objectclass: idnszone, top, idnsrecord, ipadnszone

    /etc/named.conf from IPA server:

    options {
            // turns on IPv6 for port 53, IPv4 is on by default for all
            listen-on-v6 {any;};

            // Put files that named is allowed to write in the data/
            directory "/var/named"; // the default
            dump-file               "data/cache_dump.db";
            statistics-file         "data/named_stats.txt";
            memstatistics-file      "data/named_mem_stats.txt";

            // Any host is permitted to issue recursive queries
            allow-recursion { any; };

            tkey-gssapi-keytab "/etc/named.keytab";

            pid-file "/run/named/named.pid";

            dnssec-enable no;
            dnssec-validation no;

            /* Path to ISC DLV key */
            bindkeys-file "/etc/named.iscdlv.key";

            managed-keys-directory "/var/named/dynamic";
    };

    /* If you want to enable debugging, eg. using the 'rndc trace'
     * By default, SELinux policy does not allow named to modify the /var/named directory,
     * so put the default debug log file in data/ :
     */
    logging {
            channel default_debug {
                    file "data/named.run";
                    severity dynamic;
                    print-time yes;
            };
    };

    zone "." IN {
            type hint;
            file "named.ca";
    };

    include "/etc/named.rfc1912.zones";
    include "/etc/named.root.key";

    dynamic-db "ipa" {
            library "ldap.so";
            arg "uri ldapi://%2fvar%2frun%2fslapd-INT-DPLCL-COM.socket";
            arg "base cn=dns, dc=int,dc=dplcl,dc=com";
            arg "server_id ipa-1.int.dplcl.com";
            arg "auth_method sasl";
            arg "sasl_mech GSSAPI";
            arg "sasl_user DNS/ipa-1.int.dplcl.com";
            arg "serial_autoincrement yes";
    };
    From client MacBook:

    testbook3:etc jsherrill$ nsupdate
    > debug
    > update add testbook3.int.dplcl.com 86400 
    Reply from SOA query:
    ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id:   3049
    ;; flags: qr aa rd ra; QUESTION: 1, ANSWER: 0, AUTHORITY: 1,

    ;testbook3.int.dplcl.com.    IN    SOA

    int.dplcl.com.    0    IN    SOA    ipa-1.int.dplcl.com. hostmaster.int.dplcl.com. 1494425173 3600 900 1209600 3600

    Found zone name: int.dplcl.com
    The master is: ipa-1.int.dplcl.com
    Sending update to
    Outgoing update query:
    ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:  33167
    ;; flags:; ZONE: 1, PREREQ: 0, UPDATE: 1, ADDITIONAL: 0

    testbook3.int.dplcl.com.

    Reply from update query:
    ;; ->>HEADER<<- opcode: UPDATE, status: REFUSED, id:  33167
    ;; flags: qr ra; ZONE: 1, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0

    ;int.dplcl.com.    IN    SOA

*Jason Sherrill*
Deeplocal Inc. <http://deeplocal.com/>
mobile: 412-636-2073
office: 412-362-0201


DNS updates use the GSS-TSIG mechanism by default in FreeIPA, so you cannot use plain nsupdate without providing credentials.

Here is the policy; hosts can update only their own records using GSS-TSIG (Kerberos):

BIND update policy: grant INT.DPLCL.COM krb5-self * A; grant INT.DPLCL.COM krb5-self * AAAA; grant INT.DPLCL.COM krb5-self *

So for manual updates via nsupdate, you have to do the following steps:

1. kinit -kt /etc/krb5.keytab

2. nsupdate -g

... update A records ...

I don't know why the reverse zone works for you; you should check the policy of the reverse zone.


Martin Bašti
Software Engineer
Red Hat Czech
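To make the two messages above concrete, here is a small model of how BIND evaluates a krb5-self update-policy of the kind FreeIPA generates. It is an added example written for this page, not code from FreeIPA, bind-dyndb-ldap or BIND. It takes the policy string exactly as `ipa dnszone-show` printed it, uses a constructed host principal (host/testbook3.int.dplcl.com@INT.DPLCL.COM) for the poster's MacBook, and models only `grant <realm> krb5-self <name> [types]` rules with first-match semantics and an exact realm comparison (an assumption of this model); the authoritative decision is always the one named makes. The point it shows is that an unsigned update carries no identity, so no krb5-self rule can match and the answer is REFUSED, while a GSS-TSIG update from the host principal is accepted only for that host's own name.

```python
"""Model of BIND update-policy evaluation for krb5-self grants.

Added example for this thread; not FreeIPA or BIND code. Only the rule
form seen in the thread is modelled:
    grant <REALM> krb5-self <name> [types...]
A Kerberos host principal host/<fqdn>@<REALM> may update records owned
by <fqdn> when <REALM> equals the rule's identity field.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Per the BIND ARM, a grant that lists no types matches every type except these.
IMPLICIT_TYPE_EXCLUSIONS = {"RRSIG", "NS", "SOA", "NSEC", "NSEC3"}

# Policy string as shown by `ipa dnszone-show int.dplcl.com --all` above.
POLICY = ("grant INT.DPLCL.COM krb5-self * A; "
          "grant INT.DPLCL.COM krb5-self * AAAA; "
          "grant INT.DPLCL.COM krb5-self *")


@dataclass
class Rule:
    action: str        # "grant" or "deny"
    identity: str      # for krb5-self this is the Kerberos realm
    nametype: str      # only "krb5-self" is modelled here
    name: str          # not used by krb5-self; FreeIPA writes "*"
    types: List[str]   # empty list means "any type" minus the exclusions above


def parse_policy(policy: str) -> List[Rule]:
    """Split a ';'-separated update-policy string into Rule objects."""
    rules = []
    for stmt in policy.split(";"):
        words = stmt.split()
        if not words:
            continue
        if len(words) < 4 or words[0] not in ("grant", "deny"):
            raise ValueError(f"unsupported update-policy statement: {stmt!r}")
        action, identity, nametype, name, *types = words
        rules.append(Rule(action, identity, nametype, name, [t.upper() for t in types]))
    return rules


def principal_owned_name(principal: str) -> Optional[Tuple[str, str]]:
    """Return (fqdn, realm) for a host principal host/<fqdn>@<REALM>, else None."""
    if not principal.startswith("host/") or "@" not in principal:
        return None
    service_and_host, realm = principal.rsplit("@", 1)
    fqdn = service_and_host[len("host/"):]
    return fqdn.rstrip(".").lower(), realm


def type_matches(rule: Rule, rtype: str) -> bool:
    rtype = rtype.upper()
    if rule.types:
        return rtype in rule.types
    return rtype not in IMPLICIT_TYPE_EXCLUSIONS


def update_allowed(policy: str, principal: Optional[str], owner: str, rtype: str) -> bool:
    """Decide whether `principal` may update the `rtype` RRset at `owner`.

    `principal` is None for an unsigned update (plain `nsupdate` without -g),
    which is what the client in the thread sent: with no identity no krb5-self
    rule can match, so the update is refused. Rules are checked in order and
    the first matching rule decides; no match means refused.
    """
    if principal is None:
        return False
    owned = principal_owned_name(principal)
    if owned is None:
        return False
    fqdn, realm = owned
    for rule in parse_policy(policy):
        if rule.nametype != "krb5-self":
            continue  # other nametypes are outside this model
        if rule.identity != realm:  # assumption: exact realm comparison
            continue
        if owner.rstrip(".").lower() != fqdn:
            continue
        if not type_matches(rule, rtype):
            continue
        return rule.action == "grant"
    return False


if __name__ == "__main__":
    # Constructed principal for the poster's MacBook after `kinit -kt /etc/krb5.keytab`.
    mac = "host/testbook3.int.dplcl.com@INT.DPLCL.COM"
    cases = [
        (None, "testbook3.int.dplcl.com", "A"),     # plain nsupdate: REFUSED
        (mac, "testbook3.int.dplcl.com", "A"),      # nsupdate -g, own A record: allowed
        (mac, "ipa-1.int.dplcl.com", "A"),          # someone else's record: refused
        (mac, "testbook3.int.dplcl.com", "NS"),     # NS excluded by the bare "krb5-self *" rule
    ]
    for principal, owner, rtype in cases:
        verdict = "allowed" if update_allowed(POLICY, principal, owner, rtype) else "refused"
        print(f"{principal or '<unsigned>'} -> {owner} {rtype}: {verdict}")
```

Running the block prints the four verdicts; the first line reproduces the REFUSED seen in the nsupdate debug output, and the second is what `nsupdate -g` achieves after `kinit -kt /etc/krb5.keytab`. To check the reverse zone, as Martin suggests, run `ipa dnszone-show <reverse zone> --all` and read its BIND update policy the same way.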
