Re: [Freeipa-users] nsupdate refused
Hello,

On 28.4.2013 19:50, Jakub Hrozek wrote:
> get a single machine to be able to perform any update, and have this as one of the entries in my bind update policy:
>
> grant SERVICE\047foreman.collmedia@collmedia.net wildcard * ANY;

String SERVICE/ipaserver.example@example.com in the example is full principal name including Kerberos REALM. The string SERVICE has to be replaced with real service name. Everything is case sensitive!

See http://www.zytrax.com/tech/survival/kerberos.html#terminology for some Kerberos basics.

> Your zone update policy should include something like
>
> grant host/\047foreman.collmedia@collmedia.net wildcard * ANY;

This example contains an error: Character '/' in principal name has to be replaced with \047. The corrected example is:

grant host\047foreman.collmedia@collmedia.net wildcard * ANY;

--
Petr^2 Spacek

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
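
Added example (not part of the original messages and not FreeIPA or BIND code): a small Python check for update-policy grant lines that flags the two mistakes seen in this thread, a literal SERVICE placeholder and a raw '/' in the identity. The function names are hypothetical, and it assumes BIND decodes the identity with RFC 1035 `\DDD` decimal escapes, so that `\047` is '/'.

```python
import re

# Assumption: BIND reads the identity as a DNS name, so RFC 1035 escapes
# apply and \DDD is a decimal byte value (\047 is '/').
GRANT_RE = re.compile(r'^\s*grant\s+(\S+)\s+(\S+)\s+(\S+)\s+([^;]+);\s*$')
PRINCIPAL_RE = re.compile(r'^([^/@]+)/([^/@]+)@([^/@]+)$')


def escape_principal(principal):
    """Write a Kerberos principal the way the grant line needs it."""
    return principal.replace('/', '\\047')


def unescape_identity(identity):
    """Decode \\DDD (decimal) and \\X escapes in a single pass."""
    def decode(m):
        tok = m.group(1)
        return chr(int(tok)) if len(tok) == 3 else tok
    return re.sub(r'\\(\d{3}|.)', decode, identity)


def check_grant(line, expected=None):
    """Return a list of problems found in one update-policy grant line."""
    m = GRANT_RE.match(line)
    if not m:
        return ['not a "grant <identity> <ruletype> <name> <types>;" line']
    identity = m.group(1)
    problems = []
    if '/' in identity:
        problems.append("raw '/' in identity; write it as \\047")
    principal = unescape_identity(identity)
    pm = PRINCIPAL_RE.match(principal)
    if not pm:
        problems.append('%r is not service/host@REALM' % principal)
    elif pm.group(1) == 'SERVICE':
        problems.append('placeholder SERVICE was not replaced')
    # Principals are case sensitive, so compare byte for byte.
    if expected is not None and principal != expected:
        problems.append('grants %r, client uses %r' % (principal, expected))
    return problems


# Constructed sample: the three grant lines quoted in the thread.
SAMPLES = [
    r'grant SERVICE\047foreman.collmedia@collmedia.net wildcard * ANY;',
    r'grant host/\047foreman.collmedia@collmedia.net wildcard * ANY;',
    r'grant host\047foreman.collmedia@collmedia.net wildcard * ANY;',
]

if __name__ == '__main__':
    for s in SAMPLES:
        print(s, '->', check_grant(s) or 'ok')
```

Passing the principal shown by `klist` on the client as `expected` also catches a grant that differs from it only in case.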
Re: [Freeipa-users] nsupdate refused
On Sat, Apr 27, 2013 at 02:34:27PM -0430, Loris Santamaria wrote:
> Hi
>
> On Sat, 27-04-2013 at 10:35 -0400, Guy Matz wrote:
> > Hi! Anyone out there know how to get nsupdate to work with an IPA controlled DNS server? I have followed the instructions at http://freeipa.org/page/Dynamic_updates_with_GSS-TSIG in an attempt to get a single machine to be able to perform any update, and have this as one of the entries in my bind update policy:
> >
> > grant SERVICE\047foreman.collmedia@collmedia.net wildcard * ANY;
>
> Your zone update policy should include something like
>
> grant host/\047foreman.collmedia@collmedia.net wildcard * ANY;
>
> After that on foreman.collmedia.net you should call kinit followed by nsupdate:
>
> # kinit -k host/foreman.collmedia.net
> # nsupdate -g

Also the SSSD logs on a high debug level (7+ IIRC) include the full nsupdate message that might come in handy when troubleshooting.
[Freeipa-users] nsupdate refused
Hi! Anyone out there know how to get nsupdate to work with an IPA controlled DNS server? I have followed the instructions at http://freeipa.org/page/Dynamic_updates_with_GSS-TSIG in an attempt to get a single machine to be able to perform any update, and have this as one of the entries in my bind update policy:

grant SERVICE\047foreman.collmedia@collmedia.net wildcard * ANY;

and dynamic update is set to true, but still I get this in /var/log/messages on my IPA server when attempting an update from the foreman server in the grant statement above:

ipadevmstr named[27956]: client 192.168.8.113#60749: updating zone 'collmedia.net/IN': update failed: rejected by secure update (REFUSED)

Any help is greatly appreciated!

Thanks,
Guy
Re: [Freeipa-users] nsupdate refused
Hi

On Sat, 27-04-2013 at 10:35 -0400, Guy Matz wrote:
> Hi! Anyone out there know how to get nsupdate to work with an IPA controlled DNS server? I have followed the instructions at http://freeipa.org/page/Dynamic_updates_with_GSS-TSIG in an attempt to get a single machine to be able to perform any update, and have this as one of the entries in my bind update policy:
>
> grant SERVICE\047foreman.collmedia@collmedia.net wildcard * ANY;

Your zone update policy should include something like

grant host/\047foreman.collmedia@collmedia.net wildcard * ANY;

After that on foreman.collmedia.net you should call kinit followed by nsupdate:

# kinit -k host/foreman.collmedia.net
# nsupdate -g

Hope this helps.

> and dynamic update is set to true, but still I get this in /var/log/messages on my IPA server when attempting an update from the foreman server in the grant statement above:
>
> ipadevmstr named[27956]: client 192.168.8.113#60749: updating zone 'collmedia.net/IN': update failed: rejected by secure update (REFUSED)
>
> Any help is greatly appreciated!
>
> Thanks,
> Guy

--
Loris Santamaria
linux user #70506
xmpp:lo...@lgs.com.ve
Links Global Services, C.A.
http://www.lgs.com.ve
Tel: 0286 952.06.87
Cel: 0414 095.00.10
sip:1...@lgs.com.ve

If I'd asked my customers what they wanted, they'd have said a faster horse - Henry Ford