Re: [Freeipa-users] One kerberos realm, two dns zones and SSHFP records
On 03/22/2017 08:29 PM, Ranbir wrote:

> Hi Everyone,
>
> I'm using a fully updated CentOS 7.3 environment for two IPA servers. I have one kerberos realm, one dns zone with the same name as the kerberos realm and another dns zone with a different name. DNS is managed by IPA. For the sake of this message:
>
> realm: REALM.IPA
> dnszone1: realm.ipa
> dnszone2: random.ipa
>
> When I join a server that's going into the realm.ipa dns zone to the IPA domain, SSHFP records for that server get automatically created in realm.ipa. But, when I do the same for a server going into the random.ipa dns zone, the SSHFP aren't automatically created. I have to add the SSHFP records manually after the client install completes.
>
> Why are SSHFP records not added automatically for the second dns zone and how can I fix this situation?
>
> Thanks in advance.
>
> Ranbir

Have you enabled dynamic-updates in the random.ipa. zone? Could you check the nsupdate output in /var/log/ipaclient-install.log?

--
Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] One kerberos realm, two dns zones and SSHFP records
On Wed, Mar 22, 2017 at 03:29:06PM -0400, Ranbir wrote:

> Hi Everyone,
>
> I'm using a fully updated CentOS 7.3 environment for two IPA servers. I have one kerberos realm, one dns zone with the same name as the kerberos realm and another dns zone with a different name. DNS is managed by IPA. For the sake of this message:
>
> realm: REALM.IPA
> dnszone1: realm.ipa
> dnszone2: random.ipa
>
> When I join a server that's going into the realm.ipa dns zone to the IPA domain, SSHFP records for that server get automatically created in realm.ipa. But, when I do the same for a server going into the random.ipa dns zone, the SSHFP aren't automatically created. I have to add the SSHFP records manually after the client install completes.
>
> Why are SSHFP records not added automatically for the second dns zone and how can I fix this situation?
>
> Thanks in advance.
>
> Ranbir

Hello Ranbir,

are other records (A, , PTR, ...) created for the client in random.ipa and just SSHFP missing? Is the domain random.ipa properly delegated? Is sshd installed and keys generated on client in random.ipa?

--
David Kupka
[Freeipa-users] One kerberos realm, two dns zones and SSHFP records
Hi Everyone,

I'm using a fully updated CentOS 7.3 environment for two IPA servers. I have one kerberos realm, one dns zone with the same name as the kerberos realm and another dns zone with a different name. DNS is managed by IPA. For the sake of this message:

realm: REALM.IPA
dnszone1: realm.ipa
dnszone2: random.ipa

When I join a server that's going into the realm.ipa dns zone to the IPA domain, SSHFP records for that server get automatically created in realm.ipa. But, when I do the same for a server going into the random.ipa dns zone, the SSHFP aren't automatically created. I have to add the SSHFP records manually after the client install completes.

Why are SSHFP records not added automatically for the second dns zone and how can I fix this situation?

Thanks in advance.

Ranbir
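An added example, not part of the thread or of FreeIPA: when SSHFP records are added by hand, as described in the message above, they can be cross-checked against the client's sshd host keys. The sketch derives the expected SSHFP RDATA from a host public key line and reports what the zone lacks; the sample key, the published record and all function names are constructed for illustration.

```python
import base64
import hashlib

# SSHFP algorithm numbers (RFC 4255, RFC 6594, RFC 7479).
ALGORITHMS = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}
# SSHFP fingerprint types: 1 = SHA-1, 2 = SHA-256.
FP_TYPES = {1: hashlib.sha1, 2: hashlib.sha256}

# Constructed sample key (not a real host key): an Ed25519-shaped key blob.
SAMPLE_BLOB = b"\x00\x00\x00\x0bssh-ed25519" + b"\x00\x00\x00\x20" + bytes(range(32))
SAMPLE_PUB = "ssh-ed25519 " + base64.b64encode(SAMPLE_BLOB).decode() + " root@client.random.ipa"


def sshfp_rdata(pubkey_line):
    """Expected SSHFP RDATA strings for one line of /etc/ssh/ssh_host_*_key.pub."""
    key_type, b64_blob = pubkey_line.split()[:2]
    blob = base64.b64decode(b64_blob)  # the fingerprint is taken over the raw key blob
    alg = ALGORITHMS[key_type]
    return {f"{alg} {fp} {h(blob).hexdigest()}" for fp, h in FP_TYPES.items()}


def normalize(rdata):
    """Canonicalise RDATA as printed by dig: upper-case hex, possibly split in chunks."""
    alg, fp_type, *hex_parts = rdata.split()
    return f"{int(alg)} {int(fp_type)} {''.join(hex_parts).lower()}"


def missing_records(pubkey_lines, published):
    """SSHFP records the host keys call for that the zone does not contain."""
    expected = set()
    for line in pubkey_lines:
        expected |= sshfp_rdata(line)
    return sorted(expected - {normalize(r) for r in published})


if __name__ == "__main__":
    # Constructed zone content: only the SHA-256 record was added by hand.
    sha256_hex = hashlib.sha256(SAMPLE_BLOB).hexdigest().upper()
    published = [f"4 2 {sha256_hex[:56]} {sha256_hex[56:]}"]
    for rdata in missing_records([SAMPLE_PUB], published):
        print("missing: client.random.ipa. IN SSHFP", rdata)
```

On a real client the key lines would come from the host's `ssh_host_*_key.pub` files and the published list from the RDATA of an SSHFP query for the host name.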