I have been trying to register a new node in my FreeIPA server and it isn't adding DNS records. The host itself gets registered, but the DNS updates during the ipa-client-install script fail. The servers and the client are both CentOS 7.1 running version 4.1.0-18. Below is the output from the IPA server showing that the host is registered and that the zone allows dynamic updates, followed by an attempted DNS update from the new host. I am able to get a host ticket, which seems to validate that the host is properly registered. What am I missing, or any other thoughts?

Thanks
jl


From the IPA server:

$ ipa dnszone-show domain.com --all --rights
  dn: idnsname=domain.com.,cn=dns,dc=domain,dc=com
  Zone name: domain.com.
  Active zone: TRUE
  Authoritative nameserver: ipa1.domain.com.
  Administrator e-mail address: hostmaster.domain.com.
  SOA serial: 1445289950
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  BIND update policy: grant DOMAIN.COM krb5-self * A; grant DOMAIN.COM krb5-self * AAAA; grant DOMAIN.COM krb5-self * SSHFP;
  Dynamic update: TRUE
  Allow query: any;
  Allow transfer: none;
  Allow PTR sync: TRUE
  attributelevelrights: {u'sshfprecord': u'rscwo', u'cn': u'rscwo', u'kxrecord': u'rscwo', u'nsec3paramrecord': u'rscwo', u'idnsallowtransfer': u'rscwo', u'mxrecord': u'rscwo', u'idnsforwarders': u'rscwo', u'idnssoarefresh': u'rscwo', u'idnsallowsyncptr': u'rscwo', u'nsaccountlock': u'rscwo', u'idnsallowdynupdate': u'rscwo', u'mdrecord': u'rscwo', u'arecord': u'rscwo', u'dlvrecord': u'rscwo', u'idnsforwardpolicy': u'rscwo', u'ptrrecord': u'rscwo', u'idnssoaretry': u'rscwo', u'nxtrecord': u'rscwo', u'idnsupdatepolicy': u'rscwo', u'idnsallowquery': u'rscwo', u'idnsname': u'rscwo', u'afsdbrecord': u'rscwo', u'idnssoamname': u'rscwo', u'dnsttl': u'rscwo', u'idnszoneactive': u'rscwo', u'nsrecord': u'rscwo', u'locrecord': u'rscwo', u'sigrecord': u'rscwo', u'idnssoaminimum': u'rscwo', u'dnsclass': u'rscwo', u'aaaarecord': u'rscwo', u'rrsigrecord': u'rscwo', u'tlsarecord': u'rscwo', u'hinforecord': u'rscwo', u'idnssoaexpire': u'rscwo', u'idnssecinlinesigning': u'rscwo', u'cnamerecord': u'rscwo', u'dnamerecord': u'rscwo', u'objectclass': u'rscwo', u'aci': u'rscwo', u'certrecord': u'rscwo', u'srvrecord': u'rscwo', u'keyrecord': u'rscwo', u'idnssoaserial': u'rscwo', u'dsrecord': u'rscwo', u'txtrecord': u'rscwo', u'nsecrecord': u'rscwo', u'a6record': u'rscwo', u'naptrrecord': u'rscwo', u'idnssoarname': u'rscwo', u'minforecord': u'rscwo'}
  mxrecord: 10 mail1.domain.com., 10 mail02.domain.com.
  nsrecord: ipa1.domain.com., ipa2.domain.com.
  objectclass: idnszone, top, idnsrecord

$ ipa host-show newhost
  Host name: newhost.domain.com
  Principal name: host/newhost.domain.com@DOMAIN.COM
  Password: False
  Member of host-groups: test
  Indirect Member of HBAC rule: test
  Keytab: True
  Managed by: newhost.domain.com
  SSH public key fingerprint: 35:31:77:48:F1:59:48:03:9F:63:80:D5:3B:3C:03:7F (ssh-rsa), BE:3B:A5:CB:00:11:76:DD:C4:B7:D8:C4:87:3F:CA:1E (ecdsa-sha2-nistp256), D2:29:FE:7D:22:6A:8C:DF:E7:AA:D4:F8:07:65:6D:4B (ssh-ed25519)

----------------------------------------------------------------------------------------
On the new client:

$ cat dns_update.txt
debug
zone domain.com.
update delete newhost.domain.com. IN A
show
send
update add newhost.domain.com. 1200 IN A 172.123.123.123
show
send

$ /usr/bin/kinit -k -t /etc/krb5.keytab host/`hostname`@DOMAIN.COM
$ nsupdate -g /etc/ipa/dns_update.txt
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; ZONE SECTION:
;domain.com.                    IN      SOA

;; UPDATE SECTION:
newhost.domain.com.     0       ANY     A

Reply from SOA query:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:  20269
;; flags: qr aa rd ra; QUESTION: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
;; QUESTION SECTION:
;domain.com.                    IN      SOA

;; ANSWER SECTION:
domain.com.             86400   IN      SOA     ipa1.domain.com. hostmaster.domain.com. 1445289950 3600 900 1209600 3600

;; AUTHORITY SECTION:
domain.com.             86400   IN      NS      ipa1.domain.com.
domain.com.             86400   IN      NS      ipa2.domain.com.

;; ADDITIONAL SECTION:
ipa1.domain.com.        1200    IN      A       172.123.123.120
ipa2.domain.com.        1200    IN      A       172.123.123.121

Found zone name: domain.com
The master is: ipa1.domain.com
start_gssrequest
Found realm from ticket: DOMAIN.COM
send_gssrequest
Outgoing update query:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:  16484
;; flags:; QUESTION: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;2667812275.sig-ipa1.domain.com. ANY    TKEY

;; ADDITIONAL SECTION:
2667812275.sig-ipa1.domain.com. 0 ANY TKEY      gss-tsig. 1445445558 1445445558 3 NOERROR 631 YIICcwYJKoZIhvcSAQICAQBuggJiMIICXqADAgEFoQMCAQ6iBwMFACAA AACjggFmYYIBYjCCAV6gAwIBBaEJGwdJTkVVLlVToiQwIqADAgEBoRsw GRsDRE5TGxJ1ZTFhLWlwYTAxLmluZXUudXOjggEkMIIBIKADAgESoQMC AQKiggESBIIBDlqpCYbm7lCR05AcWuviLHSrYDD6LEwfhILsssYZAu/m pBLrA8UK7JGBEu7MjkSrUHQnvAZF1uY0Ts9B8WXFAQtSoutV0YX95Syy vWV8WuQqXdblmJrUHBewC9PsDfBMEMMFLRNnpw8XFnKVPg81m3UGo6RA jdKOExJWOu5kY5+8oK4s0ZVNXolOs39poK70hDs8lrCrGPZwzAO0GnAt yEejzh4ajyh8n2wLPdRVWkFP0pLZDv5KvTPy+Vm8FHjLZm0evLa7lZhu lrjq5KU2kaLfuQwTCJQIfVnXwDm/+jzVstHQVmzKjgJyY3xm7FFdrmv9 160uh6qxpzlux3Te5Tnil0J3yK7FTtt61q8Pq6SB3jCB26ADAgESooHT BIHQKjcpMj4qJ8bK157Oqv7iOBsIUQ2pPCKfDYqvFlmC0u8LreIoEmFf SzABdQzsY09mQUoXB7CWoX8DSkwMBfQ13YsPIOdcjTxNRLAOeMxOLVE8 zxQV0RTbBRj9cgrF1fs68w2QmdIQuUAZ1YyCsWfG4nqSbrkr3agg1Wdz PIoo5CO7npU4tVgAN7a5zvrSBHVdTp5zrxe3KFDw0cEkFJ6Jf1XtNUt0 UuSQRFi7NQBmrBgoCnxEkmBzwBogQ4cxjGj14xvzjJxNe7vISylb32t6 GQ== 0

recvmsg reply from GSS-TSIG query
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:  16484
;; flags: qr ra; QUESTION: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;2667812275.sig-ipa1.domain.com. ANY    TKEY

;; ANSWER SECTION:
2667812275.sig-ipa1.domain.com. 0 ANY TKEY      gss-tsig. 0 0 3 BADKEY 0  0

dns_tkey_negotiategss: TKEY is unacceptable
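A note on what the trace above actually shows, followed by an added diagnostic example that is not part of the original post. The BADKEY comes back in the answer to the TKEY query, i.e. during GSS-TSIG context establishment, before any UPDATE is processed; the zone's krb5-self grant is never consulted at that point, so the update policy is not what rejected this. The server returns BADKEY when it cannot accept the GSS-API token the client sent, which in practice means it has no keytab entry for the principal (and key version) the client's ticket was issued for, or the token fails checks such as clock skew. The key data in the TKEY record is a GSS-API InitialContextToken wrapping a Kerberos KRB_AP_REQ, and the realm and service name in the ticket header are not encrypted, so the blob itself tells you which DNS/<server>@REALM principal the client targeted. The script below decodes that field so it can be compared against the master nsupdate chose and the principals in the server's DNS keytab. It is example code written for this page, not from FreeIPA or BIND; build_tkey_token_b64(), principal_from_tkey() and targets_master() are hypothetical names, and the token it parses by default is fabricated with zero-filled encrypted parts so the example runs offline. Two caveats: because these fields are cleartext, a TKEY blob pasted into a public list discloses the real realm and server hostname even when the surrounding text has been sanitized; and a matching principal rules out only that one cause, it does not prove the server's keytab holds a current key for it.

```python
"""Decode the target service principal from a GSS-TSIG TKEY key blob.

The TKEY record that nsupdate -g sends carries a GSS-API
InitialContextToken (RFC 4121) wrapping a Kerberos KRB_AP_REQ.  The
ticket's realm and sname inside it are NOT encrypted, so the blob shows
which DNS/<server>@REALM principal the client asked the KDC for.
Constructed example: build_tkey_token_b64() fabricates a token with
zero-filled encrypted parts so the parser can be exercised offline; no
real Kerberos material is involved.  Function names are hypothetical.
"""
import base64

# DER encoding of OID 1.2.840.113554.1.2.2 (Kerberos V5 GSS-API mechanism)
KRB5_MECH_OID = bytes.fromhex("06092a864886f712010202")
TOK_ID_AP_REQ = b"\x01\x00"


def _len(n):
    """DER length octets, short or long form."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, body):
    return bytes([tag]) + _len(len(body)) + body


def _ctx(n, body):
    """EXPLICIT context tag [n], as Kerberos ASN.1 uses throughout."""
    return _tlv(0xA0 | n, body)


def _int(v):
    return _tlv(0x02, bytes([v]))  # only for the small values (1, 5, 14, 18) used here


def _gstr(s):
    return _tlv(0x1B, s.encode("ascii"))  # GeneralString


def build_tkey_token_b64(realm, service, host):
    """Fabricate a krb5 GSS token whose AP-REQ ticket names service/host@realm.

    Encrypted parts are placeholders; only the cleartext ticket header is
    meaningful, which is all principal_from_tkey() reads.
    """
    enc_part = _tlv(0x30, _ctx(0, _int(18)) + _ctx(2, _tlv(0x04, b"\x00" * 32)))
    sname = _tlv(0x30, _ctx(0, _int(1))                       # name-type NT-PRINCIPAL
                 + _ctx(1, _tlv(0x30, _gstr(service) + _gstr(host))))
    ticket = _tlv(0x61, _tlv(0x30, _ctx(0, _int(5)) + _ctx(1, _gstr(realm))
                             + _ctx(2, sname) + _ctx(3, enc_part)))
    ap_req = _tlv(0x6E, _tlv(0x30, _ctx(0, _int(5)) + _ctx(1, _int(14))
                             + _ctx(2, _tlv(0x03, b"\x00\x20\x00\x00\x00"))  # ap-options: mutual-required
                             + _ctx(3, ticket) + _ctx(4, enc_part)))
    return base64.b64encode(_tlv(0x60, KRB5_MECH_OID + TOK_ID_AP_REQ + ap_req)).decode()


def _read(buf, pos=0):
    """Parse one DER TLV at buf[pos]; return (tag, value, next_pos)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        n = first & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def _field(seq, n):
    """Return the value wrapped by context tag [n] inside a SEQUENCE body."""
    pos = 0
    while pos < len(seq):
        tag, val, pos = _read(seq, pos)
        if tag == 0xA0 | n:
            return _read(val)[1]
    raise ValueError("field [%d] missing" % n)


def principal_from_tkey(key_data_b64):
    """Return 'service/host@REALM' from the AP-REQ ticket in a TKEY key blob.

    Accepts the key field as nsupdate's debug output prints it, i.e. base64
    broken into space-separated groups.
    """
    tok = base64.b64decode("".join(key_data_b64.split()))
    tag, body, _ = _read(tok)
    if tag != 0x60 or not body.startswith(KRB5_MECH_OID):
        raise ValueError("not a Kerberos V5 GSS-API token")
    body = body[len(KRB5_MECH_OID):]
    if body[:2] != TOK_ID_AP_REQ:
        raise ValueError("TOK_ID %s is not KRB_AP_REQ" % body[:2].hex())
    tag, ap_req, _ = _read(body, 2)
    if tag != 0x6E:                                   # AP-REQ is [APPLICATION 14]
        raise ValueError("expected AP-REQ, got tag 0x%02x" % tag)
    ticket = _field(_read(ap_req)[1], 3)              # Ticket [APPLICATION 1] -> its SEQUENCE
    tkt_seq = _read(ticket)[1]
    realm = _field(tkt_seq, 1).decode("ascii")
    names = _field(_field(tkt_seq, 2), 1)             # PrincipalName.name-string
    parts, pos = [], 0
    while pos < len(names):
        _, val, pos = _read(names, pos)
        parts.append(val.decode("ascii"))
    return "/".join(parts) + "@" + realm


def targets_master(key_data_b64, master, realm):
    """True if the ticket was issued for DNS/<master>@<realm>, the principal
    the chosen master must hold in its keytab to accept the context."""
    return principal_from_tkey(key_data_b64) == "DNS/%s@%s" % (master.rstrip("."), realm)


if __name__ == "__main__":
    tok = build_tkey_token_b64("DOMAIN.COM", "DNS", "ipa1.domain.com")
    print(principal_from_tkey(tok))  # DNS/ipa1.domain.com@DOMAIN.COM
    print(targets_master(tok, "ipa1.domain.com.", "DOMAIN.COM"))  # True
```

To use it on a real trace, pass the base64 portion of the TKEY ADDITIONAL record (everything between the record count "631" and the trailing "0" in the output above) to principal_from_tkey(), then compare the result with the "The master is:" line and with the DNS/ entries listed by klist -k on that master's DNS keytab.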