[Freeipa-users] automatic dns update failing

Martin Kosek mkosek at redhat.com
Mon Feb 20 08:46:34 UTC 2012


On Sun, 2012-02-19 at 17:23 +0100, Marco Pizzoli wrote:
> Hi,
> During my setup today I'm always failing in enrolling clients with
> automatic dns updates.
> I'm playing with FreeIPA 2.1.90, but I guess this is a general
> problem, not strictly due to the alpha version.
> 
> I'm doing a "ipa-client-install --enable-dns-updates" and at the
> console I see:
> Failed to update DNS A record. (Command '/usr/bin/nsupdate
> -g /etc/ipa/.dns_update.txt' returned non-zero exit status 2)
> 
> I see in server logs that named refuses it:
> Feb 19 17:05:25 freeipa01 named[2089]: client 192.168.20.112#38558:
> update 'internet.unix.mydomain.it/IN' denied
> Feb 19 17:05:25 freeipa01 named[2089]: client 192.168.20.112#40809:
> update 'internet.unix.mydomain.it/IN' denied
> 
> What is the cause? What other information do you need about my
> deployment?
> 
> Thanks in advance as usual
> Marco

Hello Marco,

please check the settings of the zone you are trying to add clients to.
GSS-TSIG updates are not enabled by default for new zones; this may be
your case.

This is an entry for my zone 'example.com' where dynamic updates are
enabled:

# ipa dnszone-show example.com --all
  dn: idnsname=example.com,cn=dns,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
  Zone name: example.com
  Authoritative nameserver: ns.example.com.
  Administrator e-mail address: hostmaster.example.com.
  SOA serial: 2012200201
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
> BIND update policy: grant IDM.LAB.BOS.REDHAT.COM krb5-self * A; grant IDM.LAB.BOS.REDHAT.COM
>                     krb5-self * AAAA; grant IDM.LAB.BOS.REDHAT.COM krb5-self * SSHFP;
  Active zone: TRUE
> Dynamic update: TRUE
  nsrecord: ns.example.com.
  objectclass: top, idnsrecord, idnszone

I have marked the important attributes with ">". I would also make sure
that the zone is properly loaded in bind-dyndb-ldap plugin (you can for
example try to retrieve its SOA record with dig).

HTH,
Martin
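The check Martin describes (look at "Dynamic update" and "BIND update policy" in the dnszone-show output) can be scripted so that an admin sees at a glance why a client's nsupdate is being denied. The script below is an added example, not part of this thread or of FreeIPA itself: it parses the plain-text output of `ipa dnszone-show ZONE --all` (including the wrapped continuation line the CLI prints for long policies), reports whether a client can self-update its A, AAAA and SSHFP records via GSS-TSIG, and prints the `ipa dnszone-mod` command that enables it. The sample listings, the zone `example.com` and the realm `EXAMPLE.COM` are constructed for the demonstration; the `--dynamic-update` and `--update-policy` options are real `ipa dnszone-mod` flags.

```shell
#!/bin/sh
# Added example (not from the thread): diagnose a FreeIPA DNS zone that
# refuses GSS-TSIG dynamic updates from enrolled clients.

# Constructed sample outputs shaped like "ipa dnszone-show ZONE --all".
# A freshly created zone: dynamic updates off, no update policy.
SAMPLE_DISABLED='  Zone name: example.com
  Authoritative nameserver: ns.example.com.
  Active zone: TRUE
  Dynamic update: FALSE'

# A zone enabled for client self-updates, with the policy wrapped the way
# the ipa CLI wraps long attribute values.
SAMPLE_WRAPPED='  Zone name: example.com
  Authoritative nameserver: ns.example.com.
  BIND update policy: grant EXAMPLE.COM krb5-self * A; grant EXAMPLE.COM
                      krb5-self * AAAA; grant EXAMPLE.COM krb5-self * SSHFP;
  Active zone: TRUE
  Dynamic update: TRUE'

# check_zone_dyn_update REALM   (dnszone-show output on stdin)
# Returns 0 when dynamic updates are enabled and the BIND update policy
# grants krb5-self for A, AAAA and SSHFP in REALM; returns 1 otherwise and
# prints each missing piece, which is what named's "update ... denied" hides.
check_zone_dyn_update() {
  realm=$1
  out=$(cat)
  rc=0
  if ! printf '%s\n' "$out" | grep -q '^ *Dynamic update: TRUE'; then
    echo "dynamic updates are disabled for this zone"
    rc=1
  fi
  # Collect the policy value; continuation lines are indented and carry no
  # "Attribute name: " prefix, so they are glued onto the first line.
  policy=$(printf '%s\n' "$out" | awk '
    /^ *BIND update policy: / { sub(/^ *BIND update policy: /, ""); p=$0; inpol=1; next }
    inpol && /^ +/ && !/^ *[A-Za-z][A-Za-z -]*: / { p=p " " $0; next }
    { inpol=0 }
    END { gsub(/  +/, " ", p); print p }')
  for rtype in A AAAA SSHFP; do
    case "$policy" in
      *"grant $realm krb5-self * $rtype;"*) ;;
      *) echo "update policy lacks: grant $realm krb5-self * $rtype;"; rc=1 ;;
    esac
  done
  return $rc
}

# suggest_fix ZONE REALM
# Prints the ipa command that turns on GSS-TSIG self-updates for ZONE.
suggest_fix() {
  zone=$1; realm=$2
  printf "ipa dnszone-mod %s --dynamic-update=TRUE --update-policy='grant %s krb5-self * A; grant %s krb5-self * AAAA; grant %s krb5-self * SSHFP;'\n" \
    "$zone" "$realm" "$realm" "$realm"
}

# Demonstration on the constructed samples.
if printf '%s\n' "$SAMPLE_DISABLED" | check_zone_dyn_update EXAMPLE.COM; then
  echo "SAMPLE_DISABLED: clients can self-update A/AAAA/SSHFP"
else
  echo "SAMPLE_DISABLED: client updates will be denied; fix with:"
  suggest_fix example.com EXAMPLE.COM
fi
if printf '%s\n' "$SAMPLE_WRAPPED" | check_zone_dyn_update EXAMPLE.COM; then
  echo "SAMPLE_WRAPPED: clients can self-update A/AAAA/SSHFP"
else
  echo "SAMPLE_WRAPPED: client updates will be denied"
fi
```

On a real server run `ipa dnszone-show ZONE --all | check_zone_dyn_update REALM` as a Kerberos-authenticated admin; a passing check still does not prove the zone is served, so follow it with Martin's second step, `dig @ipa-server ZONE SOA`, to confirm bind-dyndb-ldap has actually loaded the zone.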
