<div class="gmail_quote">On Mon, Feb 20, 2012 at 9:46 AM, Martin Kosek <<a href="mailto:mkosek@redhat.com">mkosek@redhat.com</a>> wrote: <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> <div class="im">On Sun, 2012-02-19 at 17:23 +0100, Marco Pizzoli wrote: </div><div><div class="h5">> Hi, > During my setup today I'm always failing in enrolling clients with > automatic dns updates. > I'm playing with FreeIPA 2.1.90, but I guess this is a general > problem, not strictly due to the alpha version. > > I'm doing a "ipa-client-install --enable-dns-updates" and at the > console I see: > Failed to update DNS A record. (Command '/usr/bin/nsupdate > -g /etc/ipa/.dns_update.txt' returned non-zero exit status 2) > > I see in server logs that named refuses it: > Feb 19 17:05:25 freeipa01 named[2089]: client 192.168.20.112#38558: > update '<a href="http://internet.unix.mydomain.it/IN" target="_blank">internet.unix.mydomain.it/IN</a>' denied > Feb 19 17:05:25 freeipa01 named[2089]: client 192.168.20.112#40809: > update '<a href="http://internet.unix.mydomain.it/IN" target="_blank">internet.unix.mydomain.it/IN</a>' denied > > What is the cause? What other informations do you need about my > deployment? > > Thanks in advance as usual > Marco </div></div>Hello Marco, please check the settings of the zone you are trying to add clients to. GSS-TSIG updates are not enabled by default for new zones, it may be your case. This is an entry for my zone '<a href="http://example.com" target="_blank">example.com</a>' where dynamic updates are enabled: # ipa dnszone-show <a href="http://example.com" target="_blank">example.com</a> --all dn: idnsname=<a href="http://example.com" target="_blank">example.com</a>,cn=dns,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com Zone name: <a href="http://example.com" target="_blank">example.com</a> Authoritative nameserver: <a href="http://ns.example.com" target="_blank">ns.example.com</a>. Administrator e-mail address: <a href="http://hostmaster.example.com" target="_blank">hostmaster.example.com</a>. SOA serial: <a href="tel:2012200201" value="+12012200201">2012200201</a> SOA refresh: 3600 SOA retry: 900 SOA expire: 1209600 SOA minimum: 3600 > BIND update policy: grant <a href="http://IDM.LAB.BOS.REDHAT.COM" target="_blank">IDM.LAB.BOS.REDHAT.COM</a> krb5-self * A; grant <a href="http://IDM.LAB.BOS.REDHAT.COM" target="_blank">IDM.LAB.BOS.REDHAT.COM</a> > krb5-self * AAAA; grant <a href="http://IDM.LAB.BOS.REDHAT.COM" target="_blank">IDM.LAB.BOS.REDHAT.COM</a> krb5-self * SSHFP; Active zone: TRUE > Dynamic update: TRUE nsrecord: <a href="http://ns.example.com" target="_blank">ns.example.com</a>. objectclass: top, idnsrecord, idnszone I have marked the important attributes with ">". I would also make sure that the zone is properly loaded in bind-dyndb-ldap plugin (you can for example try to retrieve its SOA record with dig). </blockquote><div> Hi Martin, yes this is the case: [root@freeipa01 ~]# ipa dnszone-show <a href="http://internet.unix.mydomain.it">internet.unix.mydomain.it</a> --all dn: idnsname=<a href="http://internet.unix.mydomain.it">internet.unix.mydomain.it</a>,cn=dns,dc=unix,dc=mydomain,dc=it Zone name: <a href="http://internet.unix.mydomain.it">internet.unix.mydomain.it</a> Authoritative nameserver: <a href="http://freeipa01.unix.mydomain.it">freeipa01.unix.mydomain.it</a>. Administrator e-mail address: <a href="http://hostmaster.internet.unix.mydomain.it">hostmaster.internet.unix.mydomain.it</a>. SOA serial: 2012180201 SOA refresh: 3600 SOA retry: 900 SOA expire: 1209600 SOA minimum: 3600 Active zone: TRUE Dynamic update: FALSE nsrecord: <a href="http://freeipa01.unix.mydomain.it">freeipa01.unix.mydomain.it</a>. objectclass: top, idnsrecord, idnszone So, could you tell me how should I do to have my (new) zone being eventually updated? A link to a doc page would suffices. Thanks a lot Marco </div></div>