[Freeipa-users] automatic dns update failing

Jakub Hrozek jhrozek at redhat.com
Mon Feb 20 21:27:57 UTC 2012


On Mon, Feb 20, 2012 at 10:06:21PM +0100, Petr Spacek wrote:
> On 02/20/2012 05:08 PM, Marco Pizzoli wrote:
> >On Mon, Feb 20, 2012 at 9:46 AM, Martin Kosek <mkosek at redhat.com> wrote:
> >
> >    On Sun, 2012-02-19 at 17:23 +0100, Marco Pizzoli wrote:
> >     > Hi,
> >     > During my setup today I'm always failing in enrolling clients with
> >     > automatic dns updates.
> >     > I'm playing with FreeIPA 2.1.90, but I guess this is a general
> >     > problem, not strictly due to the alpha version.
> >     >
> >     > I'm doing a "ipa-client-install --enable-dns-updates" and at the
> >     > console I see:
> >     > Failed to update DNS A record. (Command '/usr/bin/nsupdate
> >     > -g /etc/ipa/.dns_update.txt' returned non-zero exit status 2)
> >     >
> >     > I see in server logs that named refuses it:
> >     > Feb 19 17:05:25 freeipa01 named[2089]: client 192.168.20.112#38558:
> >     > update 'internet.unix.mydomain.it/IN' denied
> >     > Feb 19 17:05:25 freeipa01 named[2089]: client 192.168.20.112#40809:
> >     > update 'internet.unix.mydomain.it/IN' denied
> >     >
> >     > What is the cause? What other information do you need about my
> >     > deployment?
> >     >
> >     > Thanks in advance as usual
> >     > Marco
> >
> >    Hello Marco,
> >
> >    please check the settings of the zone you are trying to add clients to.
> >    GSS-TSIG updates are not enabled by default for new zones, it may be
> >    your case.
> >
> >    This is an entry for my zone 'example.com' where dynamic updates are
> >    enabled:
> >
> >    # ipa dnszone-show example.com --all
> >      dn: idnsname=example.com,cn=dns,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
> >      Zone name: example.com
> >      Authoritative nameserver: ns.example.com.
> >      Administrator e-mail address: hostmaster.example.com.
> >      SOA serial: 2012200201
> >      SOA refresh: 3600
> >      SOA retry: 900
> >      SOA expire: 1209600
> >      SOA minimum: 3600
> >     > BIND update policy: grant IDM.LAB.BOS.REDHAT.COM krb5-self * A; grant
> >     >                     IDM.LAB.BOS.REDHAT.COM krb5-self * AAAA; grant
> >     >                     IDM.LAB.BOS.REDHAT.COM krb5-self * SSHFP;
> >      Active zone: TRUE
> >     > Dynamic update: TRUE
> >      nsrecord: ns.example.com.
> >      objectclass: top, idnsrecord, idnszone
> >
> >    I have marked the important attributes with ">". I would also make sure
> >    that the zone is properly loaded in bind-dyndb-ldap plugin (you can for
> >    example try to retrieve its SOA record with dig).
> >
> >
> >Hi Martin,
> >yes this is the case:
> >
> >[root at freeipa01 ~]# ipa dnszone-show internet.unix.mydomain.it --all
> >   dn: idnsname=internet.unix.mydomain.it,cn=dns,dc=unix,dc=mydomain,dc=it
> >   Zone name: internet.unix.mydomain.it
> >   Authoritative nameserver: freeipa01.unix.mydomain.it.
> >   Administrator e-mail address: hostmaster.internet.unix.mydomain.it.
> >   SOA serial: 2012180201
> >   SOA refresh: 3600
> >   SOA retry: 900
> >   SOA expire: 1209600
> >   SOA minimum: 3600
> >   Active zone: TRUE
> >   Dynamic update: FALSE
> >   nsrecord: freeipa01.unix.mydomain.it.
> >   objectclass: top, idnsrecord, idnszone
> >
> >So, could you tell me what I should do to have my (new) zone
> >eventually updated?
> >A link to a doc page would suffice.
> >
> >Thanks a lot
> >Marco
> 
> Hello Marco,
> 
> I think the important part of configuration is:
> 
> On Sun, 2012-02-19 at 17:23 +0100, Marco Pizzoli wrote:
> > [root at freeipa01 ~]# ipa dnszone-show internet.unix.mydomain.it
> >    Dynamic update: FALSE
> 
> Please try to enable dynamic update for this zone and then retry
> ipa-client-install
> 
> 
> Dynamic update setting can be changed with command:
> 
> ipa dnszone-mod internet.unix.mydomain.it --addattr=idnsAllowDynUpdate=TRUE
> 
> This command in the current alpha doesn't work for me, so please
> create/modify the idnsAllowDynUpdate attribute for the zone in LDAP
> manually. The value has to be TRUE in capital letters.
> 
> Documentation about DNS-in-LDAP can be found in
> /usr/share/doc/bind-dyndb-ldap-1.1.0/README .
> 
> You can allow dynamic updates generally in /etc/named.conf or
> per-zone through idnsAllowDynUpdate in LDAP, see README.
> 
> After altering named.conf it is necessary to reload bind via 'rndc
> reload', changes in LDAP are reflected immediately.
> 
> 
> If the problem persists, try to set the zone's idnsUpdatePolicy to 'grant *
> wildcard *;' (relaxes/disables various access policy checks)
> 
> 

You can also enable logging by putting this snippet into your
named.conf:

----
logging {
        channel ldap {
                file "data/ldap.log";
                severity debug 9;
        };
        category database {
                ldap;
        };
};
----

And restarting named.

The logs should then be written to /var/named/data/ldap.log
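The checks Petr walks through above (is "Dynamic update" TRUE, is an update policy set), as an added shell example that is not part of this thread: it parses `ipa dnszone-show ZONE --all` output, reports which fix applies, and prints the krb5-self policy from Martin's zone, which lets each host update only its own records, rather than the wildcard relaxation. The sample output and the realm YOUR.REALM are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: audit a FreeIPA DNS zone from the output of
# `ipa dnszone-show ZONE --all` and say which of Petr's fixes applies.

# Constructed sample output mirroring Marco's zone (dynamic update disabled).
SAMPLE_ZONE_OUTPUT='  Zone name: internet.unix.mydomain.it
  Authoritative nameserver: freeipa01.unix.mydomain.it.
  Active zone: TRUE
  Dynamic update: FALSE
  nsrecord: freeipa01.unix.mydomain.it.'

# Print the value of a "Label: value" line from dnszone-show output (empty if absent).
zone_attr() {  # $1 = label; stdin = dnszone-show output
    sed -n "s/^ *$1: *//p" | head -n 1
}

# Least-privilege update policy (the form in Martin's zone): each Kerberos
# principal may update only the A, AAAA and SSHFP records of its own name.
# 'grant * wildcard *;' instead lets any authenticated principal change any record.
krb5_self_policy() {  # $1 = Kerberos realm
    printf 'grant %s krb5-self * A; grant %s krb5-self * AAAA; grant %s krb5-self * SSHFP;' \
        "$1" "$1" "$1"
}

# Diagnose a zone; prints one of: enable-dynupdate, set-policy, ok
zone_diagnosis() {  # stdin = dnszone-show output
    out=$(cat)
    dyn=$(printf '%s\n' "$out" | zone_attr "Dynamic update")
    policy=$(printf '%s\n' "$out" | zone_attr "BIND update policy")
    if [ "$dyn" != "TRUE" ]; then
        echo enable-dynupdate
    elif [ -z "$policy" ]; then
        echo set-policy
    else
        echo ok
    fi
}

# Stand-alone run on the constructed sample; against a real server, replace the
# sample with: ipa dnszone-show "$ZONE" --all   (YOUR.REALM is a placeholder)
case "$(printf '%s\n' "$SAMPLE_ZONE_OUTPUT" | zone_diagnosis)" in
    enable-dynupdate)
        echo "# enable dynamic update (Petr's command), then retry ipa-client-install:"
        echo "ipa dnszone-mod internet.unix.mydomain.it --addattr=idnsAllowDynUpdate=TRUE" ;;
    set-policy) echo "# set idnsUpdatePolicy to: $(krb5_self_policy YOUR.REALM)" ;;
    ok) echo "# zone already accepts GSS-TSIG updates" ;;
esac
```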



