Re: [Freeipa-users] DNS update failing

Thu, 11 May 2017 01:09:59 -0700 


On 10.05.2017 18:38, Jason Sherrill wrote:

Hello,


I've recently implemented freeIPA in a mixed environment of Mac OS 
10.12 and Windows 10 with limited issues!



One issue is that updating the reverse zone via nsupdate works without 
issue, updating to the forward zone results in a REFUSED status. Below 
is my zone config, named.conf, and an example of client-side 
behavior.  I'm new to nearly all systems involved- misconfiguration is 
likely. Thanks!



    From freeIPA server:

    #  ipa dnszone-show int.dplcl.com <http://int.dplcl.com> --all


     dn: idnsname=int.dplcl.com
    <http://int.dplcl.com>.,cn=dns,dc=int,dc=dplcl,dc=com

     Zone name: int.dplcl.com <http://int.dplcl.com>.

     Active zone: TRUE

     Authoritative nameserver: ipa-1.int.dplcl.com
    <http://ipa-1.int.dplcl.com>.

     Administrator e-mail address: hostmaster.int.dplcl.com
    <http://hostmaster.int.dplcl.com>.

     SOA serial: 1494344164

     SOA refresh: 3600

     SOA retry: 900

     SOA expire: 1209600

     SOA minimum: 3600

     BIND update policy: grant INT.DPLCL.COM <http://INT.DPLCL.COM>
    krb5-self * A; grant INT.DPLCL.COM <http://INT.DPLCL.COM>
    krb5-self * AAAA; grant INT.DPLCL.COM <http://INT.DPLCL.COM>
    krb5-self *

                         SSHFP;

     Dynamic update: TRUE

     Allow query: any;

     Allow transfer: none;

     Allow PTR sync: TRUE

     Allow in-line DNSSEC signing: FALSE

     nsrecord: ipa-1.int.dplcl.com <http://ipa-1.int.dplcl.com>.

     objectclass: idnszone, top, idnsrecord, ipadnszone


    /etc/named.conf from IPA server:

    options {

           // turns on IPv6 for port 53, IPv4 is on by default for all
    ifaces

           listen-on-v6 {any;};


           // Put files that named is allowed to write in the data/
    directory:

           directory "/var/named"; // the default

           dump-file               "data/cache_dump.db";

           statistics-file         "data/named_stats.txt";

           memstatistics-file      "data/named_mem_stats.txt";


           // Any host is permitted to issue recursive queries

           allow-recursion { any; };


           tkey-gssapi-keytab "/etc/named.keytab";

           pid-file "/run/named/named.pid";


           dnssec-enable no;

           dnssec-validation no;


           /* Path to ISC DLV key */

           bindkeys-file "/etc/named.iscdlv.key";


           managed-keys-directory "/var/named/dynamic";

    };


    /* If you want to enable debugging, eg. using the 'rndc trace'
    command,

    * By default, SELinux policy does not allow named to modify the
    /var/named directory,

    * so put the default debug log file in data/ :

    */

    logging {

           channel default_debug {

                   file "data/named.run";

                   severity dynamic;

                   print-time yes;

           };

    };


    zone "." IN {

           type hint;

           file "named.ca <http://named.ca>";

    };


    include "/etc/named.rfc1912.zones";

    include "/etc/named.root.key";


    dynamic-db "ipa" {

           library "ldap.so";

           arg "uri ldapi://%2fvar%2frun%2fslapd-INT-DPLCL-COM.socket";

           arg "base cn=dns, dc=int,dc=dplcl,dc=com";

           arg "server_id ipa-1.int.dplcl.com
    <http://ipa-1.int.dplcl.com>";

           arg "auth_method sasl";

           arg "sasl_mech GSSAPI";

           arg "sasl_user DNS/ipa-1.int.dplcl.com
    <http://ipa-1.int.dplcl.com>";

           arg "serial_autoincrement yes";

    };



    From client macbook:

    testbook3:etc jsherrill$ nsupdate

    > debug

    > update add testbook3.int.dplcl.com <http://testbook3.int.dplcl.com> 86400 
a
    10.0.1.36


    > 


    Reply from SOA query:

    ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id:   3049

    ;; flags: qr aa rd ra; QUESTION: 1, ANSWER: 0, AUTHORITY: 1,
    ADDITIONAL: 0

    ;; QUESTION SECTION:

    ;testbook3.int.dplcl.com <http://testbook3.int.dplcl.com>.INSOA


    ;; AUTHORITY SECTION:

    int.dplcl.com <http://int.dplcl.com>.0INSOAipa-1.int.dplcl.com
    <http://ipa-1.int.dplcl.com>. hostmaster.int.dplcl.com
    <http://hostmaster.int.dplcl.com>. 1494425173 3600 900 1209600 3600


    Found zone name: int.dplcl.com <http://int.dplcl.com>

    The master is: ipa-1.int.dplcl.com <http://ipa-1.int.dplcl.com>

    Sending update to 10.0.1.5#53

    Outgoing update query:

    ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:  33167

    ;; flags:; ZONE: 1, PREREQ: 0, UPDATE: 1, ADDITIONAL: 0

    ;; UPDATE SECTION:

    testbook3.int.dplcl.com <http://testbook3.int.dplcl.com>.
    86400INA10.0.1.36



    Reply from update query:

    ;; ->>HEADER<<- opcode: UPDATE, status: REFUSED, id:  33167

    ;; flags: qr ra; ZONE: 1, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0

    ;; ZONE SECTION:

    ;int.dplcl.com <http://int.dplcl.com>.INSOA

    -- 



*Jason Sherrill*
Deeplocal Inc. <http://deeplocal.com/>
mobile: 412-636-2073 <tel:%28412%29%20636-2073>
office: 412-362-0201 <tel:%28412%29%20362-0201>





Hello,


DNS updates are using GSS-TSIG mechanism by default in FreeIPA, so you 
cannot use plain nsupdate without providing credentials


Here is policy, hosts can update only its records using GSS-TSIG (kerberos)


BIND update policy: grant INT.DPLCL.COM <http://INT.DPLCL.COM> krb5-self 
* A; grant INT.DPLCL.COM <http://INT.DPLCL.COM> krb5-self * AAAA; grant 
INT.DPLCL.COM <http://INT.DPLCL.COM> krb5-self *


                     SSHFP;

So for manual updates via nsupdate, you have to do following steps:

1, kinit -kt /etc/krb5.keytab

2, nsupdate -g

... update A records ...


I don't know why a reverse zone works for you, you should check policy 
of the reverse zone.


Martin

--
Martin Bašti
Software Engineer
Red Hat Czech


-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project





















					Reply via email to