The following log entry from *named-pkcs11* coincides with update attempts via nsupdate:

May 12 10:07:49 ipa-1.int.dplcl.com named-pkcs11[1350]: client 10.0.1.5#47261/key host/ipa-1.int.dplcl.com\@INT.DPLCL.COM: updating zone ' int.dplcl.com/IN': update failed: rejected by secure update (REFUSED)

The client is running macOS with network services configured to use 10.0.1.5 and the following /etc/resolv.conf:

search int.dplcl.com
nameserver 10.0.1.5
nameserver 8.8.8.8

Thanks!

On Fri, May 12, 2017 at 9:27 AM, Martin Bašti <mba...@redhat.com> wrote:

> Hello, could you check journalctl -u named-pkcs11 on server, there might
> be more detailed description why it failed. What do you have configured in
> /etc/resolv.conf on client side, is there directly IP address of the server?
>
> On 12.05.2017 15:04, Jason Sherrill wrote:
>
>> Mistakenly failed to post to freeipa-users.
>>
>> ---------- Forwarded message ----------
>> From: Jason Sherrill <ja...@deeplocal.com>
>> Date: Thu, May 11, 2017 at 9:16 AM
>> Subject: Re: [Freeipa-users] DNS update failing
>> To: Martin Bašti <mba...@redhat.com>
>>
>> Thank you for the assistance, Martin. The reverse zone is working because
>> of a policy I'd added: grant * tcp-self *. The same entry for the
>> forward zone did not work. I ran the manual update as described and was
>> refused. It seems GSS-TSIG is working, but the update is still refused:
>>
>> [root@ipa-1 jsherrill]# kinit -kt /etc/krb5.keytab
>> [root@ipa-1 jsherrill]# nsupdate -g
>> > debug
>> > update add testbook3.int.dplcl.com. 86400 a 10.0.1.36
>> >
>> Reply from SOA query:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45996
>> ;; flags: qr aa rd ra; QUESTION: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
>> ;; QUESTION SECTION:
>> ;testbook3.int.dplcl.com. IN SOA
>> ;; AUTHORITY SECTION:
>> int.dplcl.com. 3600 IN SOA ipa-1.int.dplcl.com. hostmaster.int.dplcl.com. 1494432187 3600 900 1209600 3600
>>
>> Found zone name: int.dplcl.com
>> The master is: ipa-1.int.dplcl.com
>> start_gssrequest
>> Found realm from ticket: INT.DPLCL.COM
>> send_gssrequest
>> Outgoing update query:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23945
>> ;; flags:; QUESTION: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
>> ;; QUESTION SECTION:
>> ;3601322568.sig-ipa-1.int.dplcl.com. ANY TKEY
>> ;; ADDITIONAL SECTION:
>> 3601322568.sig-ipa-1.int.dplcl.com. 0 ANY TKEY gss-tsig. ****
>>
>> recvmsg reply from GSS-TSIG query
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23945
>> ;; flags: qr ra; QUESTION: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
>> ;; QUESTION SECTION:
>> ;3601322568.sig-ipa-1.int.dplcl.com. ANY TKEY
>> ;; ANSWER SECTION:
>> 3601322568.sig-ipa-1.int.dplcl.com. 0 ANY TKEY gss-tsig. ****
>>
>> Sending update to 10.0.1.5#53
>> Outgoing update query:
>> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 13230
>> ;; flags:; ZONE: 1, PREREQ: 0, UPDATE: 1, ADDITIONAL: 1
>> ;; UPDATE SECTION:
>> testbook3.int.dplcl.com. 86400 IN A 10.0.1.36
>> ;; TSIG PSEUDOSECTION:
>> 3601322568.sig-ipa-1.int.dplcl.com. 0 ANY TSIG gss-tsig. **** 13230 NOERROR 0
>>
>> Reply from update query:
>> ;; ->>HEADER<<- opcode: UPDATE, status: REFUSED, id: 13230
>> ;; flags: qr ra; ZONE: 1, PREREQ: 0, UPDATE: 0, ADDITIONAL: 1
>> ;; ZONE SECTION:
>> ;int.dplcl.com. IN SOA
>> ;; TSIG PSEUDOSECTION:
>> 3601322568.sig-ipa-1.int.dplcl.com. 0 ANY TSIG gss-tsig. **** 13230 NOERROR 0
>>
>> On Thu, May 11, 2017 at 4:09 AM, Martin Bašti <mba...@redhat.com> wrote:
>>
>>> On 10.05.2017 18:38, Jason Sherrill wrote:
>>>
>>>> Hello,
>>>>
>>>> I've recently implemented freeIPA in a mixed environment of Mac OS 10.12
>>>> and Windows 10 with limited issues!
>>>>
>>>> One issue is that updating the reverse zone via nsupdate works without
>>>> issue, updating to the forward zone results in a REFUSED status. Below is
>>>> my zone config, named.conf, and an example of client-side behavior. I'm
>>>> new to nearly all systems involved- misconfiguration is likely. Thanks!
>>>>
>>>> From freeIPA server:
>>>>
>>>> # ipa dnszone-show int.dplcl.com --all
>>>> dn: idnsname=int.dplcl.com.,cn=dns,dc=int,dc=dplcl,dc=com
>>>> Zone name: int.dplcl.com.
>>>> Active zone: TRUE
>>>> Authoritative nameserver: ipa-1.int.dplcl.com.
>>>> Administrator e-mail address: hostmaster.int.dplcl.com.
>>>> SOA serial: 1494344164
>>>> SOA refresh: 3600
>>>> SOA retry: 900
>>>> SOA expire: 1209600
>>>> SOA minimum: 3600
>>>> BIND update policy: grant INT.DPLCL.COM krb5-self * A; grant INT.DPLCL.COM krb5-self * AAAA; grant INT.DPLCL.COM krb5-self * SSHFP;
>>>> Dynamic update: TRUE
>>>> Allow query: any;
>>>> Allow transfer: none;
>>>> Allow PTR sync: TRUE
>>>> Allow in-line DNSSEC signing: FALSE
>>>> nsrecord: ipa-1.int.dplcl.com.
>>>> objectclass: idnszone, top, idnsrecord, ipadnszone
>>>>
>>>> /etc/named.conf from IPA server:
>>>>
>>>> options {
>>>>     // turns on IPv6 for port 53, IPv4 is on by default for all ifaces
>>>>     listen-on-v6 {any;};
>>>>     // Put files that named is allowed to write in the data/ directory:
>>>>     directory "/var/named"; // the default
>>>>     dump-file "data/cache_dump.db";
>>>>     statistics-file "data/named_stats.txt";
>>>>     memstatistics-file "data/named_mem_stats.txt";
>>>>     // Any host is permitted to issue recursive queries
>>>>     allow-recursion { any; };
>>>>     tkey-gssapi-keytab "/etc/named.keytab";
>>>>     pid-file "/run/named/named.pid";
>>>>     dnssec-enable no;
>>>>     dnssec-validation no;
>>>>     /* Path to ISC DLV key */
>>>>     bindkeys-file "/etc/named.iscdlv.key";
>>>>     managed-keys-directory "/var/named/dynamic";
>>>> };
>>>>
>>>> /* If you want to enable debugging, eg. using the 'rndc trace' command,
>>>>  * By default, SELinux policy does not allow named to modify the /var/named directory,
>>>>  * so put the default debug log file in data/ :
>>>>  */
>>>> logging {
>>>>     channel default_debug {
>>>>         file "data/named.run";
>>>>         severity dynamic;
>>>>         print-time yes;
>>>>     };
>>>> };
>>>>
>>>> zone "." IN {
>>>>     type hint;
>>>>     file "named.ca";
>>>> };
>>>>
>>>> include "/etc/named.rfc1912.zones";
>>>> include "/etc/named.root.key";
>>>>
>>>> dynamic-db "ipa" {
>>>>     library "ldap.so";
>>>>     arg "uri ldapi://%2fvar%2frun%2fslapd-INT-DPLCL-COM.socket";
>>>>     arg "base cn=dns, dc=int,dc=dplcl,dc=com";
>>>>     arg "server_id ipa-1.int.dplcl.com";
>>>>     arg "auth_method sasl";
>>>>     arg "sasl_mech GSSAPI";
>>>>     arg "sasl_user DNS/ipa-1.int.dplcl.com";
>>>>     arg "serial_autoincrement yes";
>>>> };
>>>>
>>>> From client macbook:
>>>>
>>>> testbook3:etc jsherrill$ nsupdate
>>>> > debug
>>>> > update add testbook3.int.dplcl.com 86400 a 10.0.1.36
>>>> >
>>>> Reply from SOA query:
>>>> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 3049
>>>> ;; flags: qr aa rd ra; QUESTION: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
>>>> ;; QUESTION SECTION:
>>>> ;testbook3.int.dplcl.com. IN SOA
>>>> ;; AUTHORITY SECTION:
>>>> int.dplcl.com. 0 IN SOA ipa-1.int.dplcl.com. hostmaster.int.dplcl.com. 1494425173 3600 900 1209600 3600
>>>> Found zone name: int.dplcl.com
>>>> The master is: ipa-1.int.dplcl.com
>>>> Sending update to 10.0.1.5#53
>>>> Outgoing update query:
>>>> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 33167
>>>> ;; flags:; ZONE: 1, PREREQ: 0, UPDATE: 1, ADDITIONAL: 0
>>>> ;; UPDATE SECTION:
>>>> testbook3.int.dplcl.com. 86400 IN A 10.0.1.36
>>>>
>>>> Reply from update query:
>>>> ;; ->>HEADER<<- opcode: UPDATE, status: REFUSED, id: 33167
>>>> ;; flags: qr ra; ZONE: 1, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
>>>> ;; ZONE SECTION:
>>>> ;int.dplcl.com.
>>>>
>>>> ...
>
> [Message clipped]

--
*Jason Sherrill*
Deeplocal Inc. <http://deeplocal.com/>
mobile: 412-636-2073
office: 412-362-0201
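The two update-policy rule types in this thread behave quite differently, and the REFUSED results above can be replayed offline once their semantics are written down. BIND's krb5-self rule grants a Kerberos host principal host/<fqdn>@REALM the right to update only the name <fqdn> (and only for the record types listed after the rule), with REALM having to match the rule's identity field; tcp-self grants an unauthenticated client that arrives over TCP the right to update only the in-addr.arpa/ip6.arpa name derived from its own source address, and BIND's documentation notes that such TCP sessions can in theory be spoofed, so it is a weaker control than a Kerberos-signed update. The following is an added example, not code from the thread, BIND or FreeIPA: a small evaluator that models those documented semantics (nothing else is implemented), a parser for the named-pkcs11 journal line quoted above, and a replay of the thread's attempts against the two policies. The names, addresses and principals are the ones in the thread; the client keytab principal host/testbook3.int.dplcl.com@INT.DPLCL.COM and the TXT update are assumptions added for contrast.

```python
"""Simplified evaluator for the BIND update-policy rule types seen in this thread.

Added example (not code from the thread, BIND or FreeIPA): models the documented
behaviour of krb5-self and tcp-self so the REFUSED decisions can be replayed offline.
Only 'grant|deny IDENTITY krb5-self|tcp-self * [TYPES]' statements are handled.
"""
import ipaddress
import re
from dataclasses import dataclass

# Policies as they appear in the thread (ipa dnszone-show; the added tcp-self rule).
POLICY_FORWARD = ("grant INT.DPLCL.COM krb5-self * A; grant INT.DPLCL.COM krb5-self * AAAA; "
                  "grant INT.DPLCL.COM krb5-self * SSHFP;")
POLICY_REVERSE = "grant * tcp-self *;"

# The named-pkcs11 journal line quoted at the top of the thread.
SAMPLE_LOG = (r"May 12 10:07:49 ipa-1.int.dplcl.com named-pkcs11[1350]: client 10.0.1.5#47261"
              r"/key host/ipa-1.int.dplcl.com\@INT.DPLCL.COM: updating zone ' int.dplcl.com/IN':"
              r" update failed: rejected by secure update (REFUSED)")
LOG_RE = re.compile(r"client (?P<ip>[0-9a-fA-F.:]+)#\d+/key (?P<key>\S+): updating zone "
                    r"'\s*(?P<zone>[^/']+)/IN': update failed: (?P<reason>.+)$")


@dataclass(frozen=True)
class Rule:
    action: str     # "grant" or "deny"
    identity: str   # Kerberos realm for krb5-self, "*" for tcp-self
    ruletype: str   # "krb5-self" or "tcp-self"
    name: str       # name field; "*" for the self rule types
    rtypes: tuple   # record types the rule covers; empty => any type


def parse_policy(text):
    """Parse '(grant|deny) IDENTITY RULETYPE NAME [TYPES...];' statements, in order."""
    rules = []
    for stmt in text.split(";"):
        parts = stmt.split()
        if not parts:
            continue
        if parts[0] not in ("grant", "deny") or len(parts) < 4:
            raise ValueError(f"unsupported update-policy statement: {stmt.strip()!r}")
        rules.append(Rule(parts[0], parts[1], parts[2], parts[3],
                          tuple(t.upper() for t in parts[4:])))
    return tuple(rules)


def parse_named_log(line):
    """Extract client address, signing key and zone from an 'update failed' journal line."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    entry = m.groupdict()
    entry["key"] = entry["key"].replace("\\@", "@")  # named prints '@' in key names as '\@'
    return entry


def _fqdn(name):
    return name.rstrip(".").lower()


def _krb5_self(rule, signer, target):
    """host/<fqdn>@REALM may update only <fqdn>, and REALM must equal the identity field."""
    m = re.fullmatch(r"host/([^/@]+)@([^@]+)", signer or "")
    if m is None:
        return False
    machine, realm = m.groups()
    return realm.lower() == rule.identity.lower() and _fqdn(machine) == _fqdn(target)


def _tcp_self(rule, client_ip, tcp, target):
    """A TCP client may update the in-addr.arpa/ip6.arpa name of its own source address."""
    if rule.identity != "*" or rule.name != "*":
        raise ValueError("only 'grant * tcp-self *' is modelled")
    if not tcp or client_ip is None:
        return False
    return _fqdn(ipaddress.ip_address(client_ip).reverse_pointer) == _fqdn(target)


def check_update(rules, target, rtype, signer=None, client_ip=None, tcp=False):
    """First matching rule decides (grant -> allowed, deny -> refused); no match -> refused."""
    for rule in rules:
        if rule.rtypes and rtype.upper() not in rule.rtypes:
            continue
        if rule.ruletype == "krb5-self":
            hit = _krb5_self(rule, signer, target)
        elif rule.ruletype == "tcp-self":
            hit = _tcp_self(rule, client_ip, tcp, target)
        else:
            raise ValueError(f"rule type {rule.ruletype!r} not modelled")
        if hit:
            return rule.action == "grant"
    return False


def demo():
    """Replay the thread's update attempts; the client keytab principal is assumed."""
    fwd, rev = parse_policy(POLICY_FORWARD), parse_policy(POLICY_REVERSE)
    logged_key = parse_named_log(SAMPLE_LOG)["key"]      # host/ipa-1...@INT.DPLCL.COM
    own = "host/testbook3.int.dplcl.com@INT.DPLCL.COM"   # assumption: the client's host key
    target, ptr = "testbook3.int.dplcl.com", "36.1.0.10.in-addr.arpa"
    return {
        "ipa1_key_updates_testbook3": check_update(fwd, target, "A", signer=logged_key),
        "ipa1_key_updates_own_name": check_update(fwd, "ipa-1.int.dplcl.com", "A", signer=logged_key),
        "testbook3_key_updates_own_name": check_update(fwd, target, "A", signer=own),
        "testbook3_key_adds_txt": check_update(fwd, target, "TXT", signer=own),
        "unsigned_udp_update": check_update(fwd, target, "A"),
        "ptr_over_tcp_from_own_addr": check_update(rev, ptr, "PTR", client_ip="10.0.1.36", tcp=True),
        "ptr_over_udp": check_update(rev, ptr, "PTR", client_ip="10.0.1.36", tcp=False),
        "ptr_from_other_addr": check_update(rev, ptr, "PTR", client_ip="10.0.1.5", tcp=True),
    }
```

Calling demo() shows the pattern behind the log line: the key named in it, host/ipa-1.int.dplcl.com@INT.DPLCL.COM, satisfies krb5-self only for ipa-1.int.dplcl.com itself, an unsigned update such as the plain nsupdate run on the Mac matches no rule at all, and the tcp-self rule in the reverse zone matches only when the PTR name is the reverse of the TCP client's own address. When checking a refusal, read the principal out of the journal line and compare it against the target name the way the evaluator does before touching the policy.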
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project