Re: [Freeipa-users] Dynamic DNS Questions

2016-06-08 Thread Detlev Habicht
Thank you, this is it.

This entry was already in sssd.conf (with the wrong interface). But I was
looking for an IP number … ignoring interfaces. Stupid, my fault.

Thank you again

Detlev
 
--
  Detlev  | Institut fuer Mikroelektronische Systeme
  Habicht | D-30167 Hannover +49 511 76219662 habi...@ims.uni-hannover.de
  + Handy+49 172 5415752  ---



On 08.06.2016 at 13:17, Martin Štefany wrote:

> Hello Detlev,
> 
> The FreeIPA/SSSD client uses the IP address of the interface/vlan/subnet which is
> used to communicate (LDAP) with the FreeIPA server.
> 
> However, if you have dyndns_update set to True in sssd.conf, you can also set
> dyndns_iface to point to the correct interface whose IP addresses will be
> dynamically updated in DNS, see:
> 
> $ man sssd-ipa
> [stripped]
>   dyndns_iface (string)
>   Optional. Applicable only when dyndns_update is true. Choose the
>   interface or a list of interfaces whose IP addresses should be used for
>   dynamic DNS updates. Special value “*” implies that IPs from all interfaces
>   should be used.
> 
>   NOTE: While it is still possible to use the old ipa_dyndns_iface
>   option, users should migrate to using dyndns_iface in their config file.
> 
>   Default: Use the IP addresses of the interface which is used for
>   IPA LDAP connection
> 
>   Example: dyndns_iface = em1, vnet1, vnet2
> [stripped]
> 
> Kind regards,
> Martin
> 
> 
> 
> On 6/8/2016 1:00 PM, Detlev Habicht wrote:
>> Hi all,
>> 
>> well, I am really a beginner with IPA and just trying to set up some
>> test systems. At the moment one IPA server, one NFS/Samba server and a
>> Fedora client. I am running IPA 4.2, Scientific Linux 7.2 and Fedora 23.
>> 
>> The most important things are running now.
>> 
>> But I still have a problem with DNS entries. Maybe while installing
>> IPA I made mistakes with the NFS server. On this NFS server I have 5
>> interfaces, 4 of them now as a bond interface. So I am running two IPs
>> now: nn.16 and nn.33.
>> 
>> But while installing IPA (with DNS) it takes the wrong one (16):
>> 
>> 2016-05-26T14:08:12Z DEBUG Writing nsupdate commands to
>> /etc/ipa/.dns_update.txt:
>> 2016-05-26T14:08:12Z DEBUG debug
>> update delete nnnix.nnn.intern. IN A
>> show
>> send
>> update delete nnnix.nnn.intern. IN 
>> show
>> send
>> update add nnnix.nnn.intern. 1200 IN A nnn.nn.nn.16
>> show
>> send
>> 2016-05-26T14:08:12Z DEBUG Starting external process
>> 2016-05-26T14:08:12Z DEBUG args='/usr/bin/nsupdate' '-g'
>> '/etc/ipa/.dns_update.txt'
>> 
>> I can change the DNS entry on the IPA server to nn.33 at runtime. Then
>> everything is ok. But when I boot the NFS server, it changes the DNS entry on
>> the IPA server to nn.16.
>> 
>> What can I do so the IPA client (here my NFS server) is using the right IP?
>> I don’t find any conf file … Is there any point where I can change this IP?
>> 
>> Thanx for any help!
>> 
>> Detlev
>> 
>> 
>> --
>>  Detlev  | Institut fuer Mikroelektronische Systeme
>>  Habicht | D-30167 Hannover +49 511 76219662 habi...@ims.uni-hannover.de
>>  + Handy+49 172 5415752  ---
> 
> -- 
> Martin

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] Dynamic DNS Questions

2016-06-08 Thread Martin Štefany

Hello Detlev,

The FreeIPA/SSSD client uses the IP address of the interface/vlan/subnet which is
used to communicate (LDAP) with the FreeIPA server.

However, if you have dyndns_update set to True in sssd.conf, you can also set
dyndns_iface to point to the correct interface whose IP addresses will be
dynamically updated in DNS, see:


$ man sssd-ipa
[stripped]
   dyndns_iface (string)
   Optional. Applicable only when dyndns_update is true. Choose
   the interface or a list of interfaces whose IP addresses should be used
   for dynamic DNS updates. Special value “*” implies that IPs from all
   interfaces should be used.

   NOTE: While it is still possible to use the old
   ipa_dyndns_iface option, users should migrate to using dyndns_iface in
   their config file.

   Default: Use the IP addresses of the interface which is used
   for IPA LDAP connection

   Example: dyndns_iface = em1, vnet1, vnet2
[stripped]

Kind regards,
Martin



On 6/8/2016 1:00 PM, Detlev Habicht wrote:

Hi all,

well, I am really a beginner with IPA and just trying to set up some
test systems. At the moment one IPA server, one NFS/Samba server and a
Fedora client. I am running IPA 4.2, Scientific Linux 7.2 and Fedora 23.

The most important things are running now.

But I still have a problem with DNS entries. Maybe while installing
IPA I made mistakes with the NFS server. On this NFS server I have 5
interfaces, 4 of them now as a bond interface. So I am running two IPs
now: nn.16 and nn.33.

But while installing IPA (with DNS) it takes the wrong one (16):

2016-05-26T14:08:12Z DEBUG Writing nsupdate commands to
/etc/ipa/.dns_update.txt:
2016-05-26T14:08:12Z DEBUG debug
update delete nnnix.nnn.intern. IN A
show
send
update delete nnnix.nnn.intern. IN 
show
send
update add nnnix.nnn.intern. 1200 IN A nnn.nn.nn.16
show
send
2016-05-26T14:08:12Z DEBUG Starting external process
2016-05-26T14:08:12Z DEBUG args='/usr/bin/nsupdate' '-g'
'/etc/ipa/.dns_update.txt'

I can change the DNS entry on the IPA server to nn.33 at runtime. Then
everything is ok. But when I boot the NFS server, it changes the DNS entry on
the IPA server to nn.16.

What can I do so the IPA client (here my NFS server) is using the right IP?
I don’t find any conf file … Is there any point where I can change this IP?

Thanx for any help!

Detlev


--
  Detlev  | Institut fuer Mikroelektronische Systeme
  Habicht | D-30167 Hannover +49 511 76219662 habi...@ims.uni-hannover.de
  + Handy+49 172 5415752  ---

--
Martin



Re: [Freeipa-users] Dynamic DNS Questions

2016-06-08 Thread Martin Basti



On 08.06.2016 13:00, Detlev Habicht wrote:

Hi all,

well, I am really a beginner with IPA and just trying to set up some
test systems. At the moment one IPA server, one NFS/Samba server and a
Fedora client. I am running IPA 4.2, Scientific Linux 7.2 and Fedora 23.

The most important things are running now.

But I still have a problem with DNS entries. Maybe while installing
IPA I made mistakes with the NFS server. On this NFS server I have 5
interfaces, 4 of them now as a bond interface. So I am running two IPs
now: nn.16 and nn.33.

But while installing IPA (with DNS) it takes the wrong one (16):

2016-05-26T14:08:12Z DEBUG Writing nsupdate commands to
/etc/ipa/.dns_update.txt:
2016-05-26T14:08:12Z DEBUG debug
update delete nnnix.nnn.intern. IN A
show
send
update delete nnnix.nnn.intern. IN 
show
send
update add nnnix.nnn.intern. 1200 IN A nnn.nn.nn.16
show
send
2016-05-26T14:08:12Z DEBUG Starting external process
2016-05-26T14:08:12Z DEBUG args='/usr/bin/nsupdate' '-g'
'/etc/ipa/.dns_update.txt'

I can change the DNS entry on the IPA server to nn.33 at runtime. Then
everything is ok. But when I boot the NFS server, it changes the DNS entry on
the IPA server to nn.16.

What can I do so the IPA client (here my NFS server) is using the right IP?
I don’t find any conf file … Is there any point where I can change this IP?

Thanx for any help!

Detlev


--
  Detlev  | Institut fuer Mikroelektronische Systeme
  Habicht | D-30167 Hannover +49 511 76219662 habi...@ims.uni-hannover.de
  + Handy+49 172 5415752  ---

Hello,

DNS updates are done by the sssd daemon on the client; you may want to
disable dynamic updates or set the interfaces which should be used.

man sssd-ipa, search for dyndns_update and dyndns_iface

Martin
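Both replies above point at dyndns_update and dyndns_iface in sssd.conf. The following added example (not code from the thread, SSSD or FreeIPA) parses those keys out of a constructed sssd.conf for the thread's nnn.intern domain and reports which interfaces SSSD will publish in DNS; the interface names eth0/bond0 and the server name ipa.nnn.intern are assumptions.

```python
"""Audit the dynamic-DNS settings of IPA domains in an sssd.conf."""
import configparser

# Constructed sample sssd.conf: an IPA client whose addresses moved to a bond
# interface while dyndns_iface still names a single NIC (the thread's situation).
# Domain name from the thread; interface names and server name are assumptions.
SAMPLE_SSSD_CONF = """\
[sssd]
domains = nnn.intern
services = nss, pam, ssh

[domain/nnn.intern]
id_provider = ipa
ipa_domain = nnn.intern
ipa_server = ipa.nnn.intern
dyndns_update = True
dyndns_iface = eth0
"""


def parse_iface_list(value):
    """'em1, vnet1, vnet2' -> ['em1', 'vnet1', 'vnet2']; '*' means every interface."""
    return [i.strip() for i in value.split(",") if i.strip()]


def dyndns_settings(conf_text):
    """Map each [domain/...] section with id_provider = ipa to its dyndns settings."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    result = {}
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        if cp.get(section, "id_provider", fallback="") != "ipa":
            continue
        # The old ipa_dyndns_iface key still works; dyndns_iface wins when both exist.
        legacy = cp.get(section, "ipa_dyndns_iface", fallback=None)
        iface = cp.get(section, "dyndns_iface", fallback=legacy)
        result[section[len("domain/"):]] = {
            "update": cp.getboolean(section, "dyndns_update", fallback=False),
            # None = SSSD default: the interface used for the IPA LDAP connection.
            "ifaces": None if iface is None else parse_iface_list(iface),
            "uses_legacy_key": legacy is not None
                               and not cp.has_option(section, "dyndns_iface"),
        }
    return result


def publishes_iface(settings, expected):
    """True only when the config explicitly publishes the addresses of `expected`."""
    if not settings["update"] or settings["ifaces"] is None:
        return False
    return "*" in settings["ifaces"] or expected in settings["ifaces"]
```

With the sample as written, publishes_iface(..., "bond0") is False, which is the misconfiguration Detlev found; changing the key to dyndns_iface = bond0 makes it True.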

Re: [Freeipa-users] dynamic dns working for forward zone but not reverse zone

2016-05-31 Thread Brian J. Murrell
On Mon, 2016-05-30 at 13:43 +0200, Petr Spacek wrote:
> 
> Can you query the SOA record from the reverse zone, please?
> 
> $ dig @10.75.22.247 0.10.8.in-addr.arpa. SOA

Ahhh.  That's the problem.  The subnet is 10.8.0.0/24 so the query
should be for 0.8.10.in-addr.arpa.

Sometimes it just takes a fresh set of eyes to stop seeing what we want
to see and see what's really there.  Thanks for being those eyes for
me.

Cheers,
b.
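The zone-name mix-up Brian describes can be caught mechanically. The following added example (not code from the thread or FreeIPA) derives the in-addr.arpa zone for a subnet and the PTR owner for an address, checks that the zone named in an update actually contains that owner, and emits the corrected nsupdate stanza; the server address, subnet, client address and hostname are the thread's values.

```python
"""Derive in-addr.arpa names for a subnet and address and check an nsupdate zone.

The thread's reverse update named "zone 0.10.8.in-addr.arpa." for 10.8.0.2 in
10.8.0.0/24: the octets were not fully reversed, the server holds no such zone,
and named answered NOTAUTH. The correct zone is 0.8.10.in-addr.arpa.
"""
import ipaddress


def reverse_zone(cidr):
    """Reverse zone for an octet-aligned IPv4 prefix (/8, /16 or /24)."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.version != 4 or net.prefixlen not in (8, 16, 24):
        raise ValueError("only /8, /16 and /24 IPv4 prefixes map to one reverse zone")
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa."


def ptr_owner(address):
    """Owner name of the PTR record for an IPv4 address (fully reversed octets)."""
    return ipaddress.ip_address(address).reverse_pointer + "."


def zone_matches(update_zone, ptr_name):
    """True when the PTR owner lies inside the zone named in the update.

    With the thread's zone "0.10.8.in-addr.arpa." this is False for the
    owner derived from 10.8.0.2, which is exactly what NOTAUTH was saying.
    """
    return ptr_name.endswith("." + update_zone)


def ptr_update_script(server, cidr, address, hostname, ttl=60):
    """nsupdate stanza (delete, then add) for the PTR of `address` in `cidr`."""
    zone = reverse_zone(cidr)
    owner = ptr_owner(address)
    if not zone_matches(zone, owner):
        raise ValueError(f"{address} is not inside {cidr}")
    return "\n".join([
        f"server {server}",
        f"zone {zone}",
        f"update delete {owner} PTR",
        f"update add {owner} {ttl} IN PTR {hostname}",
        "send",
        "",
    ])
```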





Re: [Freeipa-users] dynamic dns working for forward zone but not reverse zone

2016-05-30 Thread Petr Spacek
On 27.5.2016 15:27, Brian J. Murrell wrote:
> I have a FreeIPA 4.2.0 on CentOS 7.2.  I have dynamic DNS updates
> working for a forward zone but they are failing (NOTAUTH) for a reverse
> zone.  Here are configuration of the two zones:
> 
>   dn: idnsname=example.com.,cn=dns,dc=example,dc=com
>   Zone name: example.com.
>   Active zone: TRUE
>   Authoritative nameserver: server.example.com.
>   Administrator e-mail address: hostmaster.example.com.
>   SOA serial: 1464354354
>   SOA refresh: 3600
>   SOA retry: 900
>   SOA expire: 1209600
>   SOA minimum: 3600
>   BIND update policy: grant EXAMPLE.COM krb5-self * A; grant EXAMPLE.COM 
> krb5-self * ; grant EXAMPLE.COM krb5-self * SSHFP; grant 
> linux_home_nsupdate wildcard * ANY;
>   Dynamic update: TRUE
>   Allow query: any;
>   Allow transfer: 10.75.22.1;
>   mxrecord: 200 linux
>   nsrecord: server.example.com.
>   objectclass: idnszone, top, idnsrecord
>   txtrecord: "v=spf1 a:server.klug.on.ca"
> 
> 
>   dn: idnsname=0.8.10.in-addr.arpa.,cn=dns,dc=example,dc=com
>   Zone name: 0.8.10.in-addr.arpa.
>   Active zone: TRUE
>   Authoritative nameserver: server.example.com.
>   Administrator e-mail address: hostmaster
>   SOA serial: 1464354356
>   SOA refresh: 3600
>   SOA retry: 900
>   SOA expire: 1209600
>   SOA minimum: 3600
>   BIND update policy: grant EXAMPLE.COM krb5-subdomain 0.8.10.in-addr.arpa. 
> PTR; grant linux_home_nsupdate wildcard * ANY;
>   Dynamic update: TRUE
>   Allow query: any;
>   Allow transfer: none;
>   nsrecord: server.example.com.
>   objectclass: idnszone, top, idnsrecord
> 
> Here are example updates to the two zones:
> 
> # nsupdate -y linux_home_nsupdate: -d /tmp/fwdupdate 
> Creating key...
> namefromtext
> keycreate
> Sending update to 10.75.22.247#53
> Outgoing update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:  53154
> ;; flags:; ZONE: 1, PREREQ: 0, UPDATE: 2, ADDITIONAL: 1
> ;; ZONE SECTION:
> ;example.com. IN  SOA
> 
> ;; UPDATE SECTION:
> chost.example.com. 0  ANY A   
> chost.example.com. 60 IN  A   10.8.0.2
> 
> ;; TSIG PSEUDOSECTION:
> linux_home_nsupdate.  0   ANY TSIGhmac-md5.sig-alg.reg.int. 
> 1464355147 300 16 oRoIWfkmmmCKQWj9NrrRDw== 53154 NOERROR 0 
> 
> 
> Reply from update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:  53154
> ;; flags: qr ra; ZONE: 1, PREREQ: 0, UPDATE: 0, ADDITIONAL: 1
> ;; ZONE SECTION:
> ;example.com. IN  SOA
> 
> ;; TSIG PSEUDOSECTION:
> linux_home_nsupdate.  0   ANY TSIGhmac-md5.sig-alg.reg.int. 
> 1464355225 300 16 3IVCZr+MjyD75sHr53LEHw== 53154 NOERROR 0 
> 
> 
> # nsupdate -y linux_home_nsupdate: -d /tmp/revupdate 
> Creating key...
> namefromtext
> keycreate
> Sending update to 10.75.22.247#53
> Outgoing update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:  26720
> ;; flags:; ZONE: 1, PREREQ: 0, UPDATE: 2, ADDITIONAL: 1
> ;; ZONE SECTION:
> ;0.10.8.in-addr.arpa. IN  SOA
> 
> ;; UPDATE SECTION:
> 2.0.10.8.in-addr.arpa.0   ANY PTR 
> 2.0.10.8.in-addr.arpa.60  IN  PTR chost.example.com.
> 
> ;; TSIG PSEUDOSECTION:
> linux_home_nsupdate.  0   ANY TSIGhmac-md5.sig-alg.reg.int. 
> 1464355166 300 16 ooWRdNhQ1170LkSjIiCqSA== 26720 NOERROR 0 
> 
> 
> Reply from update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: NOTAUTH, id:  26720
> ;; flags: qr ra; ZONE: 1, PREREQ: 0, UPDATE: 0, ADDITIONAL: 1
> ;; ZONE SECTION:
> ;0.10.8.in-addr.arpa. IN  SOA
> 
> ;; TSIG PSEUDOSECTION:
> linux_home_nsupdate.  0   ANY TSIGhmac-md5.sig-alg.reg.int. 
> 1464355244 300 16 N5Dg0rMokW9sNGGO9BwGNQ== 26720 NOERROR 0 
> 
> When the first update is done the following is logged by named-pkcs11:
> 
> client 10.75.22.253#51414/key linux_home_nsupdate: updating zone 
> 'example.com/IN': deleting rrset at 'chost.example.com' A
> client 10.75.22.253#51414/key linux_home_nsupdate: updating zone 
> 'example.com/IN': adding an RR at 'chost.example.com' A
> 
> Nothing is logged for the second update attempt.
> 
> Any ideas why one is working and the other is not?

This is really weird.
Can you query the SOA record from the reverse zone, please?

$ dig @10.75.22.247 0.10.8.in-addr.arpa. SOA

-- 
Petr^2 Spacek



Re: [Freeipa-users] Dynamic DNS

2013-04-30 Thread Lynn Root
Hi Guy!

I've been working with this recently - maybe I can help.  

Have you enrolled the ipadevmstr.collmedia.net as a service with `ipa 
service-add DNS/ipadevmstr.collmedia.net`?  On the client, can you `kinit -kt 
$dnskeytab -p DNS/ipadevmstr.collmedia.net` just fine?  You'll have to kinit 
before you can do `nsupdate -g a_update`.  

If all else fails, on the IPA Server, what does your kdc log say in 
/var/log/krb5kdc.log?  


HTH,

Lynn Root
@roguelynn
Associate Software Engineer

On Apr 30, 2013, at 9:08 AM, Guy Matz gm...@collective.com wrote:

> hi!  Anyone out there gotten Dynamic DNS working with a freeipa-managed DNS server?  I've
> been trying for days following instructions from various freeipa and redhat
> docs!  I've set up keytabs, set up /etc/rndc.key, set Dynamic update to True
> and put the following in my BIND update policy:
> grant host\047foreman.collmedia@collmedia.net wildcard * ANY;
> grant host\047ipadevmstr.collmedia@collmedia.net wildcard * ANY;
> 
> I keep getting:
> 
> # nsupdate -g a_update
> update failed: REFUSED
> update failed: REFUSED
> [root@ipadevmstr ~]# cat a_update
> server ipadevmstr.collmedia.net
> zone collmedia.net.
> update add client.collmedia.net. 86400 IN A 192.168.8.120
> send
> update delete client.collmedia.net. IN A
> send
> 
> tail /var/log/messages
> Apr 30 11:52:32 ipadevmstr named[9349]: client 192.168.8.111#26141: query:
> collmedia.net IN SOA - (192.168.8.111)
> Apr 30 11:52:32 ipadevmstr named[9349]: client 192.168.8.111#37600: query:
> 692300375.sig-ipadevmstr.collmedia.net ANY TKEY -T (192.168.8.111)
> Apr 30 11:52:32 ipadevmstr named[9349]: client 192.168.8.111#52609: updating
> zone 'collmedia.net/IN': update failed: rejected by secure update (REFUSED)
> Apr 30 11:52:32 ipadevmstr named[9349]: client 192.168.8.111#26141: query:
> collmedia.net IN SOA - (192.168.8.111)
> Apr 30 11:52:32 ipadevmstr named[9349]: client 192.168.8.111#40423: query:
> 718499086.sig-ipadevmstr.collmedia.net ANY TKEY -T (192.168.8.111)
> Apr 30 11:52:32 ipadevmstr named[9349]: client 192.168.8.111#37000: updating
> zone 'collmedia.net/IN': update failed: rejected by secure update (REFUSED)
> 
> Any help would be GREATLY appreciated . . .
> 
> Thanks a lot,
> Guy





___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users


Re: [Freeipa-users] Dynamic DNS

2013-04-30 Thread Simo Sorce
On Tue, 2013-04-30 at 12:08 -0400, Guy Matz wrote:
> hi!  Anyone out there gotten Dynamic DNS working with a freeipa-managed DNS server?
> I've been trying for days following instructions from various freeipa
> and redhat docs!  I've set up keytabs, set up /etc/rndc.key, set
> Dynamic update to True and put the following in my BIND update policy:
> grant host\047foreman.collmedia@collmedia.net wildcard * ANY;
> grant host\047ipadevmstr.collmedia@collmedia.net wildcard * ANY;

This looks good, you've put these in LDAP, right?

Can you show the attributes as retrieved from an ldapsearch just to check
the formatting is correct?

> I keep getting:
> 
> # nsupdate -g a_update
> update failed: REFUSED
> update failed: REFUSED
> [root@ipadevmstr ~]# cat a_update
> server ipadevmstr.collmedia.net
> zone collmedia.net.
> update add client.collmedia.net. 86400 IN A 192.168.8.120
> send
> update delete client.collmedia.net. IN A
> send

Shouldn't you delete first and add second?

> tail /var/log/messages
> Apr 30 11:52:32 ipadevmstr named[9349]: client 192.168.8.111#26141:
> query: collmedia.net IN SOA - (192.168.8.111)
> Apr 30 11:52:32 ipadevmstr named[9349]: client 192.168.8.111#37600:
> query: 692300375.sig-ipadevmstr.collmedia.net ANY TKEY -T (192.168.8.111)
> Apr 30 11:52:32 ipadevmstr named[9349]: client 192.168.8.111#52609:
> updating zone 'collmedia.net/IN': update failed: rejected by secure
> update (REFUSED)
> Apr 30 11:52:32 ipadevmstr named[9349]: client 192.168.8.111#26141:
> query: collmedia.net IN SOA - (192.168.8.111)
> Apr 30 11:52:32 ipadevmstr named[9349]: client 192.168.8.111#40423:
> query: 718499086.sig-ipadevmstr.collmedia.net ANY TKEY -T (192.168.8.111)
> Apr 30 11:52:32 ipadevmstr named[9349]: client 192.168.8.111#37000:
> updating zone 'collmedia.net/IN': update failed: rejected by secure
> update (REFUSED)

Something seems wrong with the Access Control policy ...

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
