[Freeipa-users] Unable to enroll new client in DNS
Justin Lambert
jlambert at letsevenup.com
Wed Oct 21 20:43:04 UTC 2015
I have been trying to register a new node in my FreeIPA server and it isn’t
adding DNS records. The host itself gets registered, but the DNS updates
during the ipa-client-install script fail. The servers and the client are
both CentOS 7.1 running version 4.1.0-18. Below is the output showing the
IPA server confirming that the host is registered, the zone allowing dynamic
updates, and an attempted DNS update from the new host. I am able to get a
host ticket, which seems to validate that the host is properly registered.
What am I missing, or does anyone have any other thoughts?
Thanks
jl
From the IPA server:
$ ipa dnszone-show domain.com --all --rights
dn: idnsname=domain.com.,cn=dns,dc=domain,dc=com
Zone name: domain.com.
Active zone: TRUE
Authoritative nameserver: ipa1.domain.com.
Administrator e-mail address: hostmaster.domain.com.
SOA serial: 1445289950
SOA refresh: 3600
SOA retry: 900
SOA expire: 1209600
SOA minimum: 3600
BIND update policy: grant DOMAIN.COM krb5-self * A; grant DOMAIN.COM
krb5-self * AAAA; grant DOMAIN.COM krb5-self * SSHFP;
Dynamic update: TRUE
Allow query: any;
Allow transfer: none;
Allow PTR sync: TRUE
attributelevelrights: {u'sshfprecord': u'rscwo', u'cn': u'rscwo',
u'kxrecord': u'rscwo', u'nsec3paramrecord': u'rscwo', u'idnsallowtransfer':
u'rscwo', u'mxrecord': u'rscwo', u'idnsforwarders': u'rscwo',
u'idnssoarefresh': u'rscwo', u'idnsallowsyncptr': u'rscwo',
u'nsaccountlock': u'rscwo', u'idnsallowdynupdate': u'rscwo', u'mdrecord':
u'rscwo', u'arecord': u'rscwo', u'dlvrecord': u'rscwo',
u'idnsforwardpolicy': u'rscwo', u'ptrrecord': u'rscwo', u'idnssoaretry':
u'rscwo', u'nxtrecord': u'rscwo', u'idnsupdatepolicy': u'rscwo',
u'idnsallowquery': u'rscwo', u'idnsname': u'rscwo', u'afsdbrecord':
u'rscwo', u'idnssoamname': u'rscwo', u'dnsttl': u'rscwo',
u'idnszoneactive': u'rscwo', u'nsrecord': u'rscwo', u'locrecord': u'rscwo',
u'sigrecord': u'rscwo', u'idnssoaminimum': u'rscwo', u'dnsclass': u'rscwo',
u'aaaarecord': u'rscwo', u'rrsigrecord': u'rscwo', u'tlsarecord': u'rscwo',
u'hinforecord': u'rscwo', u'idnssoaexpire': u'rscwo',
u'idnssecinlinesigning': u'rscwo', u'cnamerecord': u'rscwo',
u'dnamerecord': u'rscwo', u'objectclass': u'rscwo', u'aci': u'rscwo',
u'certrecord': u'rscwo', u'srvrecord': u'rscwo', u'keyrecord': u'rscwo',
u'idnssoaserial': u'rscwo', u'dsrecord': u'rscwo', u'txtrecord': u'rscwo',
u'nsecrecord': u'rscwo', u'a6record': u'rscwo', u'naptrrecord': u'rscwo',
u'idnssoarname': u'rscwo', u'minforecord': u'rscwo'}
mxrecord: 10 mail1.domain.com., 10 mail02.domain.com.
nsrecord: ipa1.domain.com., ipa2.domain.com.
objectclass: idnszone, top, idnsrecord
$ ipa host-show newhost
Host name: newhost.domain.com
Principal name: host/newhost.domain.com at DOMAIN.COM
Password: False
Member of host-groups: test
Indirect Member of HBAC rule: test
Keytab: True
Managed by: newhost.domain.com
SSH public key fingerprint:
35:31:77:48:F1:59:48:03:9F:63:80:D5:3B:3C:03:7F (ssh-rsa),
BE:3B:A5:CB:00:11:76:DD:C4:B7:D8:C4:87:3F:CA:1E
(ecdsa-sha2-nistp256),
D2:29:FE:7D:22:6A:8C:DF:E7:AA:D4:F8:07:65:6D:4B (ssh-ed25519)
----------------------------------------------------------------------------------------
On the new client:
$ cat dns_update.txt
debug
zone domain.com.
update delete newhost.domain.com. IN A
show
send
update add newhost.domain.com. 1200 IN A 172.123.123.123
show
send
$ /usr/bin/kinit -k -t /etc/krb5.keytab host/`hostname`@DOMAIN.COM
$ nsupdate -g /etc/ipa/dns_update.txt
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; ZONE SECTION:
;domain.com. IN SOA
;; UPDATE SECTION:
newhost.domain.com. 0 ANY A
Reply from SOA query:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20269
;; flags: qr aa rd ra; QUESTION: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
;; QUESTION SECTION:
;domain.com. IN SOA
;; ANSWER SECTION:
domain.com. 86400 IN SOA ipa1.domain.com. hostmaster.domain.com. 1445289950
3600 900 1209600 3600
;; AUTHORITY SECTION:
domain.com. 86400 IN NS ipa1.domain.com.
domain.com. 86400 IN NS ipa2.domain.com.
;; ADDITIONAL SECTION:
ipa1.domain.com. 1200 IN A 172.123.123.120
ipa2.domain.com. 1200 IN A 172.123.123.121
Found zone name: domain.com
The master is: ipa1.domain.com
start_gssrequest
Found realm from ticket: DOMAIN.COM
send_gssrequest
Outgoing update query:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16484
;; flags:; QUESTION: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;2667812275.sig-ipa1.domain.com. ANY TKEY
;; ADDITIONAL SECTION:
2667812275.sig-ipa1.domain.com. 0 ANY TKEY gss-tsig. 1445445558 1445445558
3 NOERROR 631 [base64 GSS-API token omitted] 0
recvmsg reply from GSS-TSIG query
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16484
;; flags: qr ra; QUESTION: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;2667812275.sig-ipa1.domain.com. ANY TKEY
;; ANSWER SECTION:
2667812275.sig-ipa1.domain.com. 0 ANY TKEY gss-tsig. 0 0 3 BADKEY 0 0
dns_tkey_negotiategss: TKEY is unacceptable
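One way to triage a transcript like the one above, as an added example that is not from the original post or from FreeIPA itself: the Python below pulls the server's TKEY answer out of `nsupdate -g` debug output and, separately, checks whether the zone's BIND update policy would grant a krb5-self update, so a failed GSS-TSIG negotiation (BADKEY, before any policy is consulted) can be told apart from a policy denial. The sample transcript and policy string are constructed from the output in the post; the function names are my own.

```python
import re

# Constructed sample: the TKEY request and the server's TKEY answer from an
# `nsupdate -g` debug transcript (token body shortened to "...").
SAMPLE_NSUPDATE = """\
;; ADDITIONAL SECTION:
2667812275.sig-ipa1.domain.com. 0 ANY TKEY gss-tsig. 1445445558 1445445558 3 NOERROR 631 ... 0
recvmsg reply from GSS-TSIG query
;; ANSWER SECTION:
2667812275.sig-ipa1.domain.com. 0 ANY TKEY gss-tsig. 0 0 3 BADKEY 0 0
dns_tkey_negotiategss: TKEY is unacceptable
"""

# Constructed sample of the zone's BIND update policy as printed by
# `ipa dnszone-show --all`.
SAMPLE_POLICY = ("grant DOMAIN.COM krb5-self * A; grant DOMAIN.COM "
                 "krb5-self * AAAA; grant DOMAIN.COM krb5-self * SSHFP;")

# TKEY RDATA presentation: algorithm inception expiration mode error keylen ...
TKEY_RE = re.compile(r"^\S+\s+\d+\s+\S+\s+TKEY\s+(\S+)\s+\d+\s+\d+\s+(\d+)\s+(\S+)\s",
                     re.M)

def tkey_status(transcript):
    """Return (mode, error) from the last TKEY record seen, i.e. the server's
    answer, or None if no TKEY exchange appears in the transcript."""
    matches = TKEY_RE.findall(transcript)
    if not matches:
        return None
    _alg, mode, err = matches[-1]
    return int(mode), err  # mode 3 = GSS-API negotiation (RFC 2930)

def policy_allows(policy, realm, rrtype):
    """True if a krb5-self grant in the BIND update policy covers this realm
    and record type. Only the 'grant <realm> krb5-self * <type>' form is parsed."""
    for rule in policy.split(";"):
        parts = rule.split()
        if len(parts) == 5 and parts[0] == "grant" and parts[2] == "krb5-self":
            if parts[1].upper() == realm.upper() and parts[4].upper() in (rrtype.upper(), "ANY"):
                return True
    return False

def diagnose(transcript, policy, realm="DOMAIN.COM", rrtype="A"):
    """Classify why a GSS-TSIG dynamic update did not apply."""
    status = tkey_status(transcript)
    if status is None:
        return "no TKEY exchange seen"
    mode, err = status
    if err != "NOERROR":
        # The TSIG/TKEY error (BADKEY here) comes from the server rejecting the
        # GSS token itself; the update policy was never evaluated.
        return f"TKEY negotiation failed ({err}, mode {mode}): policy not consulted"
    if not policy_allows(policy, realm, rrtype):
        return f"TKEY ok but no krb5-self grant for {realm} {rrtype}"
    return "TKEY ok and policy grants the update"
```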