[Freeipa-users] automatic dns update failing
Martin Kosek
mkosek at redhat.com
Mon Feb 20 08:46:34 UTC 2012
On Sun, 2012-02-19 at 17:23 +0100, Marco Pizzoli wrote:
> Hi,
> During my setup today I'm always failing in enrolling clients with
> automatic dns updates.
> I'm playing with FreeIPA 2.1.90, but I guess this is a general
> problem, not strictly due to the alpha version.
>
> I'm doing a "ipa-client-install --enable-dns-updates" and at the
> console I see:
> Failed to update DNS A record. (Command '/usr/bin/nsupdate
> -g /etc/ipa/.dns_update.txt' returned non-zero exit status 2)
>
> I see in server logs that named refuses it:
> Feb 19 17:05:25 freeipa01 named[2089]: client 192.168.20.112#38558:
> update 'internet.unix.mydomain.it/IN' denied
> Feb 19 17:05:25 freeipa01 named[2089]: client 192.168.20.112#40809:
> update 'internet.unix.mydomain.it/IN' denied
>
> What is the cause? What other information do you need about my
> deployment?
>
> Thanks in advance as usual
> Marco

Hello Marco,

please check the settings of the zone you are trying to add clients to.
GSS-TSIG updates are not enabled by default for new zones; this may be
your case.

This is an entry for my zone 'example.com' where dynamic updates are
enabled:

# ipa dnszone-show example.com --all
  dn: idnsname=example.com,cn=dns,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
  Zone name: example.com
  Authoritative nameserver: ns.example.com.
  Administrator e-mail address: hostmaster.example.com.
  SOA serial: 2012200201
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
> BIND update policy: grant IDM.LAB.BOS.REDHAT.COM krb5-self * A; grant IDM.LAB.BOS.REDHAT.COM krb5-self * AAAA; grant IDM.LAB.BOS.REDHAT.COM krb5-self * SSHFP;
  Active zone: TRUE
> Dynamic update: TRUE
  nsrecord: ns.example.com.
  objectclass: top, idnsrecord, idnszone

I have marked the important attributes with ">". I would also make sure
that the zone is properly loaded in bind-dyndb-ldap plugin (you can for
example try to retrieve its SOA record with dig).

HTH,
Martin
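
Added example, not part of the message above and not FreeIPA's own code: a shell check for the two attributes marked ">" in the reply, plus a filter that lists the zones for which named logged a denied update. The realm EXAMPLE.COM, the function names and the embedded samples are constructed for illustration; the check assumes the unwrapped `ipa dnszone-show --all` output format shown in the reply.

```shell
#!/bin/sh
# Added example. Usage on an IPA server (zone and realm are placeholders):
#   ipa dnszone-show example.com --all | check_zone_updates EXAMPLE.COM A AAAA

# Exit 0 if the zone on stdin has dynamic updates on and a krb5-self grant
# for every record type given; otherwise print what is missing and exit 1.
check_zone_updates() {
    realm=$1; shift
    out=$(cat); rc=0
    printf '%s\n' "$out" | grep -Eq '^[[:space:]]*Dynamic update:[[:space:]]*TRUE' ||
        { echo "dynamic update is not TRUE"; rc=1; }
    policy=$(printf '%s\n' "$out" | sed -n 's/^[[:space:]]*BIND update policy:[[:space:]]*//p')
    for rtype in "$@"; do
        case "$policy" in
            *"grant $realm krb5-self * $rtype;"*) ;;
            *) echo "no krb5-self grant for $rtype in realm $realm"; rc=1 ;;
        esac
    done
    return $rc
}

# Print each zone for which named logged "update ... denied" (stdin: syslog).
denied_zones() {
    sed -n "s|.*named\[[0-9]*\]: client [^ ]*: update '\([^/']*\)/IN' denied.*|\1|p" | sort -u
}

# Constructed samples, shaped like the output and log lines quoted in the thread.
sample_enabled() {
    cat <<'EOF'
  Zone name: example.com
  BIND update policy: grant EXAMPLE.COM krb5-self * A; grant EXAMPLE.COM krb5-self * AAAA;
  Dynamic update: TRUE
EOF
}
sample_default() {
    cat <<'EOF'
  Zone name: example.com
  Dynamic update: FALSE
EOF
}
sample_log() {
    cat <<'EOF'
Feb 19 17:05:25 freeipa01 named[2089]: client 192.168.20.112#38558: update 'internet.unix.mydomain.it/IN' denied
Feb 19 17:05:25 freeipa01 named[2089]: client 192.168.20.112#40809: update 'internet.unix.mydomain.it/IN' denied
EOF
}
```
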