<div dir="ltr"><div><font face="arial, helvetica, sans-serif">The zone settings:</font></div><div><div style="font-family:arial,helvetica,sans-serif"><br></div>
<div><font face="monospace, monospace">$ ipa dnszone-show --all</font></div>
<div><font face="monospace, monospace">Zone name: <a href="http://hq.example.com">hq.example.com</a>.</font></div>
<div><font face="monospace, monospace">  dn: idnsname=<a href="http://hq.example.com">hq.example.com</a>.,cn=dns,dc=hq,dc=example,dc=com</font></div>
<div><font face="monospace, monospace">  Zone name: <a href="http://hq.example.com">hq.example.com</a>.</font></div>
<div><font face="monospace, monospace">  Active zone: TRUE</font></div>
<div><font face="monospace, monospace">  Authoritative nameserver: <a href="http://ipa.hq.example.com">ipa.hq.example.com</a>.</font></div>
<div><font face="monospace, monospace">  Administrator e-mail address: <a href="http://hostmaster.hq.example.com">hostmaster.hq.example.com</a>.</font></div>
<div><font face="monospace, monospace">  SOA serial: 1426857128</font></div>
<div><font face="monospace, monospace">  SOA refresh: 3600</font></div>
<div><font face="monospace, monospace">  SOA retry: 900</font></div>
<div><font face="monospace, monospace">  SOA expire: 1209600</font></div>
<div><font face="monospace, monospace">  SOA minimum: 3600</font></div>
<div><font face="monospace, monospace">  BIND update policy: grant HQ.EXAMPLE.COM krb5-self * A; grant HQ.EXAMPLE.COM krb5-self * AAAA; grant HQ.EXAMPLE.COM krb5-self * SSHFP;</font></div>
<div><font face="monospace, monospace">  Dynamic update: TRUE</font></div>
<div><font face="monospace, monospace">  Allow query: any;</font></div>
<div><font face="monospace, monospace">  Allow transfer: none;</font></div>
<div><font face="monospace, monospace">  nsrecord: <a href="http://ipa.hq.example.com">ipa.hq.example.com</a>.</font></div>
<div><font face="monospace, monospace">  objectclass: idnszone, top, idnsrecord</font></div>
<div style="font-family:arial,helvetica,sans-serif"><br></div></div>
<div class="gmail_extra"><div class="gmail_quote">The DNS log doesn't mention anything about updates. It does contain some errors about unreachable hosts, but that's because I had a temporary interruption towards the gateway from the IPA server.</div>
<div class="gmail_quote"><br></div>
<div class="gmail_quote">One thing I did after installing the IPA server was to turn off support for IPv6, using</div>
<div><font face="monospace, monospace">$ echo "net.ipv6.conf.all.disable_ipv6 = 1" >> /etc/sysctl.conf</font></div>
<div><font face="monospace, monospace">$ sysctl -p</font></div>
<div class="gmail_quote"><br></div>
<div class="gmail_quote">Do you think it could have any influence?</div>
<div class="gmail_quote"><br></div>
<div class="gmail_quote">On 20 March 2015 at 12:31, Martin Basti <span dir="ltr"><<a href="mailto:mbasti@redhat.com" target="_blank">mbasti@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
  
    
  
  <div bgcolor="#FFFFFF" text="#000000">
    <div>Hello,<br>
      <br>
      have you enabled DNS dynamic updates for hq.example.zone?<br>
      You can check it in the zone settings.<br>
      <br>
      Are there any log entries in the DNS log related to nsupdate executed
      from a client?<br>
      $ journalctl -b -u named-pkcs11<div><div><br>
      <br>
      On 20/03/15 09:53, Roberto Cornacchia wrote:<br>
    </div></div></div><div><div>
    <blockquote type="cite">
      <div dir="ltr">
        <div><font face="arial, helvetica, sans-serif">It seems so:</font></div>
        <div><font face="monospace, monospace"><br>
          </font></div>
        <div><font face="monospace, monospace">$ firewall-cmd --list-all</font></div>
        <div><font face="monospace, monospace">FedoraServer (default,
            active)</font></div>
        <div><font face="monospace, monospace">  interfaces: em2</font></div>
        <div><font face="monospace, monospace">  sources:</font></div>
        <div><font face="monospace, monospace">  services: cockpit
            dhcpv6-client ssh</font></div>
        <div><font face="monospace, monospace">  ports: 8009/tcp 443/tcp
            7999/tcp 464/tcp 9443/tcp 636/tcp 88/udp 464/udp 8010/tcp
            88/tcp 7990/tcp 123/udp 80/tcp 389/tcp 7389/tcp 9444/tcp
            9445/tcp 8011/tcp 53/udp 8082/tcp</font></div>
        <div><font face="monospace, monospace">  masquerade: no</font></div>
        <div><font face="monospace, monospace">  forward-ports:</font></div>
        <div><font face="monospace, monospace">  icmp-blocks:</font></div>
        <div><font face="monospace, monospace">  rich rules:</font></div>
        <div><br>
        </div>
      </div>
      <div class="gmail_extra"><br>
        <div class="gmail_quote">On 20 March 2015 at 00:53, Dmitri Pal <span dir="ltr"><<a href="mailto:dpal@redhat.com" target="_blank">dpal@redhat.com</a>></span>
          wrote:<br>
          <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
            <div text="#000000" bgcolor="#FFFFFF"><span>
                <div>On 03/19/2015 05:04 PM, Roberto Cornacchia wrote:<br>
                </div>
                <blockquote type="cite">
                  <div dir="ltr">
                    <div>Yes.</div>
                    <div><br>
                    </div>
                    <div><font face="monospace, monospace">[root@meson
                        ~]# cat /etc/resolv.conf </font></div>
                    <div><font face="monospace, monospace">search <a href="http://hq.example.com" target="_blank">hq.example.com</a></font></div>
                    <div><font face="monospace, monospace">nameserver
                        192.168.0.72</font></div>
                    <div><br>
                    </div>
                    <div>Sorry, from the short log I posted it's not
                      visible, but that IP address is the address of the
                      IPA server (<a href="http://ipa.hq.example.com" target="_blank">ipa.hq.example.com</a>).<br>
                    </div>
                    <div><br>
                    </div>
                    <div>
                      <div><font face="monospace, monospace">[root@meson
                          ~]# dig <a href="http://ipa.hq.example.com">ipa.hq.example.com</a></font></div>
                      <div><font face="monospace, monospace"><br>
                        </font></div>
                      <div><font face="monospace, monospace">;
                          <<>> DiG
                          9.9.6-P1-RedHat-9.9.6-8.P1.fc21
                          <<>> <a href="http://ipa.hq.example.com" target="_blank">ipa.hq.example.com</a></font></div>
                      <div><font face="monospace, monospace">;; global
                          options: +cmd</font></div>
                      <div><font face="monospace, monospace">;; Got
                          answer:</font></div>
                      <div><font face="monospace, monospace">;;
                          ->>HEADER<<- opcode: QUERY,
                          status: NOERROR, id: 53238</font></div>
                      <div><font face="monospace, monospace">;; flags:
                          qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY:
                          1, ADDITIONAL: 1</font></div>
                      <div><font face="monospace, monospace"><br>
                        </font></div>
                      <div><font face="monospace, monospace">;; OPT
                          PSEUDOSECTION:</font></div>
                      <div><font face="monospace, monospace">; EDNS:
                          version: 0, flags:; udp: 4096</font></div>
                      <div><font face="monospace, monospace">;; QUESTION
                          SECTION:</font></div>
                      <div><font face="monospace, monospace">;ipa.hq.</font><span style="font-family:monospace,monospace">example</span><font face="monospace, monospace">.com.<span style="white-space:pre-wrap"> </span>IN<span style="white-space:pre-wrap"> </span>A</font></div>
                      <div><font face="monospace, monospace"><br>
                        </font></div>
                      <div><font face="monospace, monospace">;; ANSWER
                          SECTION:</font></div>
                      <div><font face="monospace, monospace">ipa.hq.</font><span style="font-family:monospace,monospace">example</span><font face="monospace, monospace">.com. 1200<span style="white-space:pre-wrap"> </span>IN<span style="white-space:pre-wrap"> </span>A<span style="white-space:pre-wrap"> </span>192.168.0.72</font></div>
                      <div><font face="monospace, monospace"><br>
                        </font></div>
                      <div><font face="monospace, monospace">;;
                          AUTHORITY SECTION:</font></div>
                      <div><font face="monospace, monospace">hq.</font><span style="font-family:monospace,monospace">example</span><font face="monospace, monospace">.com.<span style="white-space:pre-wrap"> </span>86400<span style="white-space:pre-wrap"> </span>IN<span style="white-space:pre-wrap"> </span>NS<span style="white-space:pre-wrap"> </span>ipa.hq.</font><span style="font-family:monospace,monospace">example</span><font face="monospace, monospace">.com.</font></div>
                      <div><font face="monospace, monospace"><br>
                        </font></div>
                      <div><font face="monospace, monospace">;; Query
                          time: 1 msec</font></div>
                      <div><font face="monospace, monospace">;; SERVER:
                          192.168.0.72#53(192.168.0.72)</font></div>
                      <div><font face="monospace, monospace">;; WHEN: do
                          mrt 19 22:02:04 CET 2015</font></div>
                      <div><font face="monospace, monospace">;; MSG SIZE
                           rcvd: 83</font></div>
                    </div>
                  </div>
                </blockquote>
                <br>
                <br>
              </span> OK, so you can in fact look up the server.<br>
              Have you opened all required ports for LDAP, Kerberos
              and the other protocols in the firewall, both UDP and TCP?
              <div>
                <div><br>
                  <br>
                  <blockquote type="cite">
                    <div dir="ltr">
                      <div><br>
                      </div>
                    </div>
                    <div class="gmail_extra"><br>
                      <div class="gmail_quote">On 19 March 2015 at
                        21:55, Dmitri Pal <span dir="ltr"><<a href="mailto:dpal@redhat.com" target="_blank">dpal@redhat.com</a>></span>
                        wrote:<br>
                        <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
                          <div text="#000000" bgcolor="#FFFFFF"><span>
                              <div>On 03/19/2015 04:46 PM, Roberto
                                Cornacchia wrote:<br>
                              </div>
                              <blockquote type="cite">
                                <div dir="ltr">
                                  <div><font face="arial, helvetica,
                                      sans-serif">Hi, </font></div>
                                  <div><font face="arial, helvetica,
                                      sans-serif"><br>
                                    </font></div>
                                  <div><font face="arial, helvetica,
                                      sans-serif">This should really
                                      work like a charm, and I'm sure it
                                      is a stupid mistake of mine if it
                                      doesn't, but I really can't find
                                      out what goes wrong.</font></div>
                                  <div><font face="arial, helvetica,
                                      sans-serif"><br>
                                    </font></div>
                                  <div><font face="arial, helvetica,
                                      sans-serif">Both IPA server and
                                      client are on FC21, very up to
                                      date.</font></div>
                                  <div><font face="arial, helvetica,
                                      sans-serif">Server installation
                                      (standard, with dns) worked well.
                                      Required ports open in the
                                      firewall. Everything seems to
                                      work.</font></div>
                                  <div><font face="arial, helvetica,
                                      sans-serif"><br>
                                    </font></div>
                                  <div><font face="arial, helvetica,
                                      sans-serif">I did try to use the
                                      IPA server as a DNS (with
                                      forwarders) and NTP server from
                                      non-IPA clients, no problem.</font></div>
                                  <div>I also tried to use it as an LDAP
                                    server, from a non-Fedora machine (a
                                    Synology). It worked well and I
                                    could see users.</div>
                                  <div><br>
                                  </div>
                                  <div>When trying to enroll a client,
                                    the enrollment itself seems to
                                    succeed, but:</div>
                                  <div>- Unable to sync time with NTP
                                    server</div>
                                  <div>- Unable to update DNS</div>
                                  <div>- Unable to find users</div>
                                  <div><br>
                                  </div>
                                  <div>I include below the short
                                    installation log (I changed the real
                                    domain to <a href="http://hq.example.com" target="_blank">hq.example.com</a>),
                                    and, as an attachment, the full log with
                                    debug on.</div>
                                  <div><br>
                                  </div>
                                  <div>From the debug log, about the DNS
                                    update failure, I can see this:</div>
                                  <div>
                                    <div><font face="monospace,
                                        monospace"><br>
                                      </font></div>
                                    <div><font face="monospace,
                                        monospace">  ; Communication
                                        with 192.168.0.72#53 failed:
                                        operation canceled</font></div>
                                    <div><font face="monospace,
                                        monospace">  could not reach any
                                        name server</font></div>
                                  </div>
                                  <div><font face="monospace, monospace"><br>
                                    </font></div>
                                  <div>I'm not sure what communication
                                    problem this could be, as the server
                                    (which is both the IPA and the DNS
                                    server) clearly can be reached.</div>
                                  <div><br>
                                  </div>
                                  <div>Any idea where to look?</div>
                                </div>
                              </blockquote>
                              <br>
                            </span> Do you have the IPA DNS server in
                            the resolv.conf of the client?
                            <div>
                              <div><br>
                                <br>
                                <br>
                                <blockquote type="cite">
                                  <div dir="ltr">
                                    <div><br>
                                    </div>
                                    <div>Thanks,</div>
                                    <div>Roberto </div>
                                    <div><br>
                                    </div>
                                    <div><font face="monospace,
                                        monospace"><br>
                                      </font></div>
                                    <div><font face="monospace,
                                        monospace">[root@meson ~]#
                                        ipa-client-install --mkhomedir
                                        --ssh-trust-dns --force-ntpd
                                        --hostname=<a href="http://meson.hq.example.com" target="_blank">meson.hq.example.com</a> </font></div>
                                    <div><font face="monospace,
                                        monospace">Discovery was
                                        successful!</font></div>
                                    <div><font face="monospace,
                                        monospace">Hostname: <a href="http://meson.hq.example.com" target="_blank">meson.hq.example.com</a></font></div>
                                    <div><font face="monospace,
                                        monospace">Realm: <a href="http://HQ.EXAMPLE.COM" target="_blank">HQ.EXAMPLE.COM</a></font></div>
                                    <div><font face="monospace,
                                        monospace">DNS Domain: <a href="http://hq.example.com" target="_blank">hq.example.com</a></font></div>
                                    <div><font face="monospace,
                                        monospace">IPA Server: <a href="http://ipa.hq.example.com" target="_blank">ipa.hq.example.com</a></font></div>
                                    <div><font face="monospace,
                                        monospace">BaseDN:
                                        dc=hq,dc=example,dc=com</font></div>
                                    <div><font face="monospace,
                                        monospace"><br>
                                      </font></div>
                                    <div><font face="monospace,
                                        monospace">Continue to configure
                                        the system with these values?
                                        [no]: yes</font></div>
                                    <div><font face="monospace,
                                        monospace">Synchronizing time
                                        with KDC...</font></div>
                                    <div><font face="monospace,
                                        monospace"><b><font color="#ff0000">Unable to
                                            sync time with IPA NTP
                                            server, assuming the time is
                                            in sync. Please check that
                                            123 UDP port is opened.</font></b></font></div>
                                    <div><font face="monospace,
                                        monospace">User authorized to
                                        enroll computers: admin</font></div>
                                    <div><font face="monospace,
                                        monospace">Password for <a href="mailto:admin@HQ.EXAMPLE.COM" target="_blank">admin@HQ.EXAMPLE.COM</a>: </font></div>
                                    <div><font face="monospace,
                                        monospace">Successfully
                                        retrieved CA cert</font></div>
                                    <div><font face="monospace,
                                        monospace">    Subject:    
                                        CN=Certificate Authority,O=<a href="http://HQ.EXAMPLE.COM" target="_blank">HQ.EXAMPLE.COM</a></font></div>
                                    <div><font face="monospace,
                                        monospace">    Issuer:    
                                         CN=Certificate Authority,O=<a href="http://HQ.EXAMPLE.COM" target="_blank">HQ.EXAMPLE.COM</a></font></div>
                                    <div><font face="monospace,
                                        monospace">    Valid From:  Mon
                                        Mar 16 18:44:35 2015 UTC</font></div>
                                    <div><font face="monospace,
                                        monospace">    Valid Until: Fri
                                        Mar 16 18:44:35 2035 UTC</font></div>
                                    <div><font face="monospace,
                                        monospace"><br>
                                      </font></div>
                                    <div><font face="monospace,
                                        monospace">Enrolled in IPA realm
                                        <a href="http://HQ.EXAMPLE.COM" target="_blank">HQ.EXAMPLE.COM</a></font></div>
                                    <div><font face="monospace,
                                        monospace">Created
                                        /etc/ipa/default.conf</font></div>
                                    <div><font face="monospace,
                                        monospace">New SSSD config will
                                        be created</font></div>
                                    <div><font face="monospace,
                                        monospace">Configured sudoers in
                                        /etc/nsswitch.conf</font></div>
                                    <div><font face="monospace,
                                        monospace">Configured
                                        /etc/sssd/sssd.conf</font></div>
                                    <div><font face="monospace,
                                        monospace">Configured
                                        /etc/krb5.conf for IPA realm <a href="http://HQ.EXAMPLE.COM" target="_blank">HQ.EXAMPLE.COM</a></font></div>
                                    <div><font face="monospace,
                                        monospace">trying <a href="https://ipa.hq.example.com/ipa/json" target="_blank">https://ipa.hq.example.com/ipa/json</a></font></div>
                                    <div><font face="monospace,
                                        monospace">Forwarding 'ping' to
                                        json server '<a href="https://ipa.hq.example.com/ipa/json" target="_blank">https://ipa.hq.example.com/ipa/json</a>'</font></div>
                                    <div><font face="monospace,
                                        monospace">Forwarding
                                        'ca_is_enabled' to json server '<a href="https://ipa.hq.example.com/ipa/json" target="_blank">https://ipa.hq.example.com/ipa/json</a>'</font></div>
                                    <div><font face="monospace,
                                        monospace">Systemwide CA
                                        database updated.</font></div>
                                    <div><font face="monospace,
                                        monospace">Added CA certificates
                                        to the default NSS database.</font></div>
                                    <div><font face="monospace,
                                        monospace">Hostname (<a href="http://meson.hq.example.com" target="_blank">meson.hq.example.com</a>)
                                        not found in DNS</font></div>
                                    <div><font color="#ff0000" face="monospace, monospace"><b>Failed
                                          to update DNS records.</b></font></div>
                                    <div><font face="monospace,
                                        monospace">Adding SSH public key
                                        from
                                        /etc/ssh/ssh_host_ed25519_key.pub</font></div>
                                    <div><font face="monospace,
                                        monospace">Adding SSH public key
                                        from
                                        /etc/ssh/ssh_host_ecdsa_key.pub</font></div>
                                    <div><font face="monospace,
                                        monospace">Adding SSH public key
                                        from
                                        /etc/ssh/ssh_host_rsa_key.pub</font></div>
                                    <div><font face="monospace,
                                        monospace">Forwarding 'host_mod'
                                        to json server '<a href="https://ipa.hq.example.com/ipa/json" target="_blank">https://ipa.hq.example.com/ipa/json</a>'</font></div>
                                    <div><font color="#ff0000" face="monospace, monospace"><b>Could
                                          not update DNS SSHFP records.</b></font></div>
                                    <div><font face="monospace,
                                        monospace">SSSD enabled</font></div>
                                    <div><font face="monospace,
                                        monospace">Configured
                                        /etc/openldap/ldap.conf</font></div>
                                    <div><font color="#ff0000" face="monospace, monospace"><b>Unable
                                          to find 'admin' user with
                                          'getent passwd <a href="mailto:admin@hq.example.com" target="_blank">admin@hq.example.com</a>'!</b></font></div>
                                    <div><font color="#ff0000" face="monospace, monospace"><b>Unable
                                          to reliably detect
                                          configuration. Check NSS setup
                                          manually.</b></font></div>
                                    <div><font face="monospace,
                                        monospace">NTP enabled</font></div>
                                    <div><font face="monospace,
                                        monospace">Configured
                                        /etc/ssh/ssh_config</font></div>
                                    <div><font face="monospace,
                                        monospace">Configured
                                        /etc/ssh/sshd_config</font></div>
                                    <div><font face="monospace,
                                        monospace">Configuring <a href="http://hq.example.com" target="_blank">hq.example.com</a>
                                        as NIS domain.</font></div>
                                    <div><font face="monospace,
                                        monospace">Client configuration
                                        complete.</font></div>
                                    <div><br>
                                    </div>
                                  </div>
                                  <br>
                                  <br>
                                </blockquote>
                                <br>
                                <br>
                              </div>
                            </div>
                            <span><font color="#888888">
                                <pre cols="72">-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.</pre>
                              </font></span></div>
                          <br>
                          --<br>
                          Manage your subscription for the Freeipa-users
                          mailing list:<br>
                          <a href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a><br>
                          Go to <a href="http://freeipa.org" target="_blank">http://freeipa.org</a>
                          for more info on the project<br>
                        </blockquote>
                      </div>
                      <br>
                    </div>
                    <br>
                    <br>
                  </blockquote>
                  <br>
                  <br>
                  <pre cols="72">-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.</pre>
                </div>
              </div>
            </div>
          </blockquote>
        </div>
        <br>
      </div>
      <br>
      <br>
    </blockquote>
    <br>
    <br>
    </div></div><span><font color="#888888"><pre cols="72">-- 
Martin Basti</pre>
  </font></span></div>

</blockquote></div><br></div></div>
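<div><br></div>
<div>Added example, not from this thread or the FreeIPA project: a POSIX shell check that compares the <font face="monospace, monospace">ports:</font> line of <font face="monospace, monospace">firewall-cmd --list-all</font> output against the server ports a FreeIPA client needs to reach (HTTP/HTTPS, LDAP/LDAPS, Kerberos over TCP and UDP, DNS over TCP and UDP, NTP). The sample input is the firewall output posted in the thread; the required-port list is my assumption based on FreeIPA's documented port requirements, and the function names are mine.</div>

```shell
#!/bin/sh
# Added example (not from the thread): check a firewalld zone listing for
# the ports a FreeIPA server must accept from enrolled clients.

# Assumed required set (service/port/proto), drawn from FreeIPA's port
# documentation: HTTP(S) 80/443, LDAP(S) 389/636, Kerberos 88/464 on both
# TCP and UDP, DNS 53 on both TCP and UDP, NTP 123/udp.
REQUIRED_PORTS="80/tcp 443/tcp 389/tcp 636/tcp 88/tcp 88/udp 464/tcp 464/udp 53/tcp 53/udp 123/udp"

# Constructed sample: the `firewall-cmd --list-all` output posted in the thread.
SAMPLE_FIREWALL_OUTPUT='FedoraServer (default, active)
  interfaces: em2
  sources:
  services: cockpit dhcpv6-client ssh
  ports: 8009/tcp 443/tcp 7999/tcp 464/tcp 9443/tcp 636/tcp 88/udp 464/udp 8010/tcp 88/tcp 7990/tcp 123/udp 80/tcp 389/tcp 7389/tcp 9444/tcp 9445/tcp 8011/tcp 53/udp 8082/tcp
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:'

# Print the space-separated port list found on the "ports:" line(s).
# Usage: open_ports "<firewall-cmd --list-all output>"
open_ports() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*ports:[[:space:]]*//p'
}

# Print, one per line, each required port/proto that is not open.
# Usage: missing_ports "<firewall-cmd --list-all output>"
missing_ports() {
    # Pad with spaces so every entry can be matched as a whole word.
    opened=" $(open_ports "$1" | tr '\n' ' ') "
    for p in $REQUIRED_PORTS; do
        case "$opened" in
            *" $p "*) ;;                 # present, nothing to report
            *) printf '%s\n' "$p" ;;     # absent from the zone listing
        esac
    done
}

# Return 0 when every required port is open, 1 otherwise, listing the gaps.
# Usage: check_firewall "<firewall-cmd --list-all output>"
check_firewall() {
    gaps=$(missing_ports "$1")
    if [ -n "$gaps" ]; then
        echo "missing required FreeIPA ports:"
        printf '  %s\n' $gaps
        return 1
    fi
    echo "all required FreeIPA ports are open"
}

# Demonstration against the posted output (expected to report 53/tcp).
check_firewall "$SAMPLE_FIREWALL_OUTPUT" || :
```

<div>Run against the posted output it reports only 53/tcp, the one entry of that set absent from the pasted list; a live check would feed it <font face="monospace, monospace">"$(firewall-cmd --list-all)"</font> instead of the sample.</div>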