Re: [Freeipa-users] Unable to enroll new client in DNS
On 22.10.2015 14:23, Justin Lambert wrote:
> When I looked at the DNS logs there was nothing of any value (with a fresh
> attempt of registering DNS records) so I added a logging channel for ldap
> at severity 9. After restarting bind the DNS registration worked without
> issue. Removing the logging channel and re-running the update worked. It
> appears that restarting bind fixed the issue, which is a bit scary. I’m
> running bind-dyndb-ldap-6.0.2. Do you know if anyone has seen this issue
> before?

No, I did not hear about this particular issue. Please let me know if it
happens again.

Have a nice day!
Petr^2 Spacek

> On Thu, Oct 22, 2015 at 1:24 AM, Petr Spacek wrote:
>
>> On 21.10.2015 22:43, Justin Lambert wrote:
>>> ;; ANSWER SECTION:
>>> 2667812275.sig-ipa1.domain.com. 0 ANY TKEY gss-tsig. 0 0 3 BADKEY 0 0
>>>
>>> dns_tkey_negotiategss: TKEY is unacceptable
>>
>> Please consult named logs on server ipa1.domain.com and see if there are
>> any errors related to dynamic update.
>>
>> Speaking about GSS-TSIG, one of the problems can be clock skew between DNS
>> server and client.
>>
>> Also, please add information about package versions:
>> $ rpm -q bind bind-dyndb-ldap
>>
>> Thank you.
>>
>> --
>> Petr^2 Spacek

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] Unable to enroll new client in DNS
When I looked at the DNS logs there was nothing of any value (with a fresh
attempt of registering DNS records) so I added a logging channel for ldap
at severity 9. After restarting bind the DNS registration worked without
issue. Removing the logging channel and re-running the update worked. It
appears that restarting bind fixed the issue, which is a bit scary. I’m
running bind-dyndb-ldap-6.0.2. Do you know if anyone has seen this issue
before?

On Thu, Oct 22, 2015 at 1:24 AM, Petr Spacek wrote:

> On 21.10.2015 22:43, Justin Lambert wrote:
> > ;; ANSWER SECTION:
> > 2667812275.sig-ipa1.domain.com. 0 ANY TKEY gss-tsig. 0 0 3 BADKEY 0 0
> >
> > dns_tkey_negotiategss: TKEY is unacceptable
>
> Please consult named logs on server ipa1.domain.com and see if there are
> any errors related to dynamic update.
>
> Speaking about GSS-TSIG, one of the problems can be clock skew between DNS
> server and client.
>
> Also, please add information about package versions:
> $ rpm -q bind bind-dyndb-ldap
>
> Thank you.
>
> --
> Petr^2 Spacek

Re: [Freeipa-users] Unable to enroll new client in DNS
On 21.10.2015 22:43, Justin Lambert wrote:
> ;; ANSWER SECTION:
> 2667812275.sig-ipa1.domain.com. 0 ANY TKEY gss-tsig. 0 0 3 BADKEY 0 0
>
> dns_tkey_negotiategss: TKEY is unacceptable

Please consult named logs on server ipa1.domain.com and see if there are any
errors related to dynamic update.

Speaking about GSS-TSIG, one of the problems can be clock skew between DNS
server and client.

Also, please add information about package versions:
$ rpm -q bind bind-dyndb-ldap

Thank you.

--
Petr^2 Spacek
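
Added example, not part of the original thread or of the FreeIPA or BIND code: a small decoder for the TKEY answer line quoted in the thread, useful when triaging a failed GSS-TSIG negotiation from client-side debug output. It assumes the field order algorithm, inception, expire, mode, error, key size; the function name `parse_tkey_line` is hypothetical, and the mode and error tables follow RFC 2930 and RFC 2845.

```python
# TKEY mode values (RFC 2930, section 2.5).
TKEY_MODES = {1: "server assignment", 2: "Diffie-Hellman exchange",
              3: "GSS-API negotiation", 4: "resolver assignment",
              5: "key deletion"}
# Extended error codes (16-18 from RFC 2845, 19-21 from RFC 2930).
TKEY_ERRORS = {"NOERROR": 0, "BADSIG": 16, "BADKEY": 17, "BADTIME": 18,
               "BADMODE": 19, "BADNAME": 20, "BADALG": 21}
ERROR_NAMES = {code: name for name, code in TKEY_ERRORS.items()}

# The answer line as quoted in the thread.
SAMPLE = "2667812275.sig-ipa1.domain.com. 0 ANY TKEY gss-tsig. 0 0 3 BADKEY 0 0"


def parse_tkey_line(line):
    """Decode the fixed fields of a TKEY record line; key data is ignored."""
    # Tolerate mail quoting ("> > ...") in front of the record.
    tokens = line.lstrip("> \t").split()
    if len(tokens) < 10 or tokens[3].upper() != "TKEY":
        raise ValueError("not a TKEY record line")
    owner, _ttl, _rrclass, _type = tokens[:4]
    algorithm, inception, expire, mode, error, key_size = tokens[4:10]
    mode = int(mode)
    if error.isdigit():
        # Error printed numerically: map it to a mnemonic when known.
        code = int(error)
        name = ERROR_NAMES.get(code, "code %d" % code)
    else:
        name = error.upper()
        code = TKEY_ERRORS.get(name)
    return {
        "owner": owner,
        "algorithm": algorithm,
        "inception": int(inception),
        "expire": int(expire),
        "mode": mode,
        "mode_name": TKEY_MODES.get(mode, "unassigned"),
        "error": name,
        "error_code": code,
        "key_size": int(key_size),
        # Any error other than NOERROR means the server refused the key.
        "rejected": name != "NOERROR",
    }


if __name__ == "__main__":
    for field, value in parse_tkey_line(SAMPLE).items():
        print("%-10s %s" % (field, value))
```

For the line in the thread this reports mode 3 (GSS-API negotiation) answered with BADKEY and an empty key, which matches the `dns_tkey_negotiategss: TKEY is unacceptable` message that follows it.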