[Freeipa-users] automatic dns update failing
Jakub Hrozek
jhrozek at redhat.com
Mon Feb 20 21:27:57 UTC 2012
On Mon, Feb 20, 2012 at 10:06:21PM +0100, Petr Spacek wrote:
> On 02/20/2012 05:08 PM, Marco Pizzoli wrote:
> >On Mon, Feb 20, 2012 at 9:46 AM, Martin Kosek <mkosek at redhat.com> wrote:
> >
> > On Sun, 2012-02-19 at 17:23 +0100, Marco Pizzoli wrote:
> > > Hi,
> > > During my setup today I'm always failing in enrolling clients with
> > > automatic dns updates.
> > > I'm playing with FreeIPA 2.1.90, but I guess this is a general
> > > problem, not strictly due to the alpha version.
> > >
> > > I'm doing a "ipa-client-install --enable-dns-updates" and at the
> > > console I see:
> > > Failed to update DNS A record. (Command '/usr/bin/nsupdate
> > > -g /etc/ipa/.dns_update.txt' returned non-zero exit status 2)
> > >
> > > I see in server logs that named refuses it:
> > > Feb 19 17:05:25 freeipa01 named[2089]: client 192.168.20.112#38558:
> > > update 'internet.unix.mydomain.it/IN' denied
> > > Feb 19 17:05:25 freeipa01 named[2089]: client 192.168.20.112#40809:
> > > update 'internet.unix.mydomain.it/IN' denied
> > >
> > > What is the cause? What other information do you need about my
> > > deployment?
> > >
> > > Thanks in advance as usual
> > > Marco
> >
> > Hello Marco,
> >
> > please check the settings of the zone you are trying to add clients to.
> > GSS-TSIG updates are not enabled by default for new zones, it may be
> > your case.
> >
> > This is an entry for my zone 'example.com' where dynamic updates are
> > enabled:
> >
> > # ipa dnszone-show example.com --all
> > dn: idnsname=example.com,cn=dns,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
> > Zone name: example.com
> > Authoritative nameserver: ns.example.com.
> > Administrator e-mail address: hostmaster.example.com.
> > SOA serial: 2012200201
> > SOA refresh: 3600
> > SOA retry: 900
> > SOA expire: 1209600
> > SOA minimum: 3600
> > > BIND update policy: grant IDM.LAB.BOS.REDHAT.COM krb5-self * A; grant
> > > IDM.LAB.BOS.REDHAT.COM krb5-self * AAAA; grant IDM.LAB.BOS.REDHAT.COM
> > > krb5-self * SSHFP;
> > Active zone: TRUE
> > > Dynamic update: TRUE
> > nsrecord: ns.example.com.
> > objectclass: top, idnsrecord, idnszone
> >
> > I have marked the important attributes with ">". I would also make sure
> > that the zone is properly loaded in bind-dyndb-ldap plugin (you can for
> > example try to retrieve its SOA record with dig).
> >
> >
> >Hi Martin,
> >yes this is the case:
> >
> >[root at freeipa01 ~]# ipa dnszone-show internet.unix.mydomain.it --all
> > dn: idnsname=internet.unix.mydomain.it,cn=dns,dc=unix,dc=mydomain,dc=it
> > Zone name: internet.unix.mydomain.it
> > Authoritative nameserver: freeipa01.unix.mydomain.it.
> > Administrator e-mail address: hostmaster.internet.unix.mydomain.it.
> > SOA serial: 2012180201
> > SOA refresh: 3600
> > SOA retry: 900
> > SOA expire: 1209600
> > SOA minimum: 3600
> > Active zone: TRUE
> > Dynamic update: FALSE
> > nsrecord: freeipa01.unix.mydomain.it.
> > objectclass: top, idnsrecord, idnszone
> >
> >So, could you tell me what I should do to have my (new) zone
> >eventually updated?
> >A link to a doc page would suffice.
> >
> >Thanks a lot
> >Marco
>
> Hello Marco,
>
> I think the important part of configuration is:
>
> On Sun, 2012-02-19 at 17:23 +0100, Marco Pizzoli wrote:
> > [root at freeipa01 ~]# ipa dnszone-show internet.unix.mydomain.it
> > Dynamic update: FALSE
>
> Please try to enable dynamic update for this zone and then retry
> ipa-client-install
>
>
> Dynamic update setting can be changed with command:
>
> ipa dnszone-mod internet.unix.mydomain.it --addattr=idnsAllowDynUpdate=TRUE
>
> This command in the current alpha doesn't work for me, so please
> create/modify the idnsAllowDynUpdate attribute for the zone in LDAP
> manually. The value has to be TRUE in capital letters.
>
> Documentation about DNS-in-LDAP can be found in
> /usr/share/doc/bind-dyndb-ldap-1.1.0/README .
>
> You can allow dynamic updates generally in /etc/named.conf or
> per-zone through idnsAllowDynUpdate in LDAP, see README.
>
> After altering named.conf it is necessary to reload bind via 'rndc
> reload'; changes in LDAP are reflected immediately.
>
>
> If the problem persists, try to set the zone's idnsUpdatePolicy to 'grant *
> wildcard *;' (relaxes/disables various access policy checks)
>
>
You can also enable logging by putting this snippet into your
named.conf:
----
logging {
    channel ldap {
        file "data/ldap.log";
        severity debug 9;
    };
    category database {
        ldap;
    };
};
----
and restarting named. The logs should then be written to /var/named/data/ldap.log.
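As an added illustration (not code from this thread, from FreeIPA or from bind-dyndb-ldap), here is a small Python model of the two update-policy rule forms that appear above: Martin's per-host `krb5-self` grants and Petr's fallback `grant * wildcard *;`. It assumes the GSS-TSIG signer is the client's host principal `host/<fqdn>@REALM`, which is what `nsupdate -g` presents after `ipa-client-install`; the hostnames used for the check are constructed, and real matching is of course done by named itself.

```python
"""Simplified evaluator for the BIND update-policy rules quoted in this thread.

Only the two rule kinds seen above are modelled: ``grant REALM krb5-self * TYPES;``
and ``grant * wildcard *;``. Real BIND supports more rule types (self, subdomain, ...).
"""
import re

# Zone policy exactly as shown in Martin's dnszone-show output.
EXAMPLE_POLICY = (
    "grant IDM.LAB.BOS.REDHAT.COM krb5-self * A; "
    "grant IDM.LAB.BOS.REDHAT.COM krb5-self * AAAA; "
    "grant IDM.LAB.BOS.REDHAT.COM krb5-self * SSHFP;"
)

# Petr's relaxed fallback policy.
RELAXED_POLICY = "grant * wildcard *;"


def parse_policy(policy):
    """Split 'grant IDENTITY RULETYPE NAME [TYPES...];' statements into tuples."""
    rules = []
    for stmt in filter(None, (s.strip() for s in policy.split(";"))):
        parts = stmt.split()
        if parts[0] != "grant" or len(parts) < 4:
            raise ValueError("unsupported statement: " + stmt)
        identity, kind, name, types = parts[1], parts[2], parts[3], parts[4:]
        rules.append((identity, kind, name, types))
    return rules


def allowed(policy, principal, rrname, rrtype):
    """True if the GSS-TSIG signer `principal` may update rrname/rrtype."""
    # Host principals look like host/client.example.com@REALM (assumed form).
    m = re.fullmatch(r"host/(?P<host>[^@]+)@(?P<realm>.+)", principal)
    for identity, kind, name, types in parse_policy(policy):
        if kind == "wildcard" and identity == "*" and name == "*":
            return True  # any authenticated signer may change any name in the zone
        if kind == "krb5-self":
            if not m or m.group("realm") != identity:
                continue  # rule is for a different Kerberos realm
            if m.group("host").lower() != rrname.lower():
                continue  # krb5-self only covers the host's own name
            if types and rrtype not in types:
                continue  # rule restricted to listed record types
            return True
    return False
```

With the zone policy above, a client can only touch its own A/AAAA/SSHFP records; under the wildcard policy the same signer can rewrite any name, which is why that setting is a diagnostic step rather than a permanent configuration.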