<html><body bgcolor="#FFFFFF">Sorry guys... this is on us. They also missed a few other rules in the request so please disregard. But for clarity in resolution: Make sure firewalls have right rules set. In this instance TCP 53 bi directional as the they only did uni directional which spawned the SOA issue. All good now. Thanks for the help. Sean Hogan <img width="16" height="16" src="cid:1__=88BBF538DFE548B38f9e8a93df938690918c88B@" border="0" alt="Inactive hide details for Sean Hogan---05/06/2016 02:36:03 PM---Hi Martin, TCP 53 was not open as per the firewall request a">Sean Hogan---05/06/2016 02:36:03 PM---Hi Martin, TCP 53 was not open as per the firewall request and ipa docs. That is corrected now b From: Sean Hogan/Durham/IBM To: Martin Basti <mbasti@redhat.com> Cc: freeipa-users <freeipa-users@redhat.com> Date: 05/06/2016 02:36 PM Subject: Re: [Freeipa-users] SSHFP upload <hr width="100%" size="2" align="left" noshade style="color:#8091A5; "> Hi Martin, TCP 53 was not open as per the firewall request and ipa docs. That is corrected now but it is still failing to update sshfp but now instead of can not comm with DNS server I am getting the below. This is on a box that was enrolled... I ipa client-install --uninstall ... remove ca.crt and krb5.keytab and then ran ipa-client-install --enable-dns-update --force 2016-05-06T21:27:16Z DEBUG args=/usr/bin/nsupdate -g /etc/ipa/.dns_update.txt 2016-05-06T21:27:16Z DEBUG stdout= 2016-05-06T21:27:16Z DEBUG stderr=; Communication with Correct DNS IP#53 failed: operation canceled ; response to SOA query was unsuccessful 2016-05-06T21:27:16Z DEBUG nsupdate failed: Command '/usr/bin/nsupdate -g /etc/ipa/.dns_update.txt' returned non-zero exit status 1 2016-05-06T21:27:16Z WARNING Could not update DNS SSHFP records. 2016-05-06T21:27:16Z DEBUG args=/sbin/service nscd status 2016-05-06T21:27:16Z DEBUG stdout= 2016-05-06T21:27:16Z DEBUG stderr=nscd: unrecognized service Sean Hogan <img width="16" height="16" src="cid:1__=88BBF538DFE548B38f9e8a93df938690918c88B@" border="0" alt="Inactive hide details for Martin Basti ---05/06/2016 01:25:32 PM---On 06.05.2016 22:18, Sean Hogan wrote: >">Martin Basti ---05/06/2016 01:25:32 PM---On 06.05.2016 22:18, Sean Hogan wrote: > From: Martin Basti <mbasti@redhat.com> To: Sean Hogan/Durham/IBM@IBMUS Cc: freeipa-users <freeipa-users@redhat.com> Date: 05/06/2016 01:25 PM Subject: Re: [Freeipa-users] SSHFP upload <hr width="100%" size="2" align="left" noshade style="color:#8091A5; "> On 06.05.2016 22:18, Sean Hogan wrote:<ul><ul>Yes sir.. Dynamic update value is set to true on both test.local and the reverse zone. Form what Robert mentioned I am looking at the install logs now. So this is where DNS update is bombing: 2016-04-26T16:31:08Z DEBUG args=/usr/bin/nsupdate -g /etc/ipa/.dns_update.txt 2016-04-26T16:31:08Z DEBUG stdout= 2016-04-26T16:31:08Z DEBUG stderr=; Communication with "Correct DNS server IP"#53 failed: operation canceled could not talk to any default name server</ul></ul>That is weird, maybe do you have allowed TCP/53? It may try to use TCP instead of UDP And please check on "Correct DNS server" if there is any logged entry about dynamic update from client (journalctl -u named[-pkcs11]) Martin<ul><ul> 2016-04-26T16:31:08Z DEBUG nsupdate failed: Command '/usr/bin/nsupdate -g /etc/i pa/.dns_update.txt' returned non-zero exit status 1 2016-04-26T16:31:08Z ERROR Failed to update DNS records. And this is where SSHFP updates are bombing: 2016-04-26T16:31:09Z DEBUG args=/usr/bin/nsupdate -g /etc/ipa/.dns_update.txt 2016-04-26T16:31:09Z DEBUG stdout= 2016-04-26T16:31:09Z DEBUG stderr=; Communication with "Correct DNS server IP"#53 failed: operation canceled could not talk to any default name server 2016-04-26T16:31:09Z DEBUG nsupdate failed: Command '/usr/bin/nsupdate -g /etc/i pa/.dns_update.txt' returned non-zero exit status 1 2016-04-26T16:31:09Z WARNING Could not update DNS SSHFP records. 2016-04-26T16:31:09Z DEBUG args=/sbin/service nscd status 2016-04-26T16:31:09Z DEBUG stdout= 2016-04-26T16:31:09Z DEBUG stderr=nscd: unrecognized service So it looks like it can not talk to port 53 but nslookup is working fine from the box and outputting the server response as the correct dns ip which is in the logs Server: correct IP of DNS server Address: correct IP of DNS server#53 Name: dingle.test.local Address: correct ip of dingle reoslv.conf has 1st listing as the same ip as in the logs and nslookup result. Sean Hogan <img src="cid:1__=88BBF538DFE548B38f9e8a93df938690918c88B@" width="16" height="16" alt="Inactive hide details for Martin Basti ---05/06/2016 12:25:59 PM---Hello, records are updated by nslookup do you have allowed d">Martin Basti ---05/06/2016 12:25:59 PM---Hello, records are updated by nslookup do you have allowed dynamic updates in the zone settings? From: Martin Basti <a href="mailto:mbasti@redhat.com"><mbasti@redhat.com></a> To: Sean Hogan/Durham/IBM@IBMUS, freeipa-users <a href="mailto:freeipa-users@redhat.com"><freeipa-users@redhat.com></a> Date: 05/06/2016 12:25 PM Subject: Re: [Freeipa-users] SSHFP upload <hr width="100%" size="2" align="left" noshade style="color:#000000; "> Hello, records are updated by nslookup do you have allowed dynamic updates in the zone settings?Martin On 06.05.2016 21:18, Sean Hogan wrote:<ul><ul><ul><ul>Hi All, Wondering if someone knows how the SSHFPs of a box are getting uploaded to IPA during ipa-client-install --enable-dns-updates? Is it going over port 389,636,22? Have an issue that on one network my enrolls work fine and everything gets updated. A new network was put in place but still part of the same domain and I get SSHFP failed to upload. I was assuming this has something to do with DNS but Network team says bi directional port 53 is good and I can nslookup. Both new and old networks point to the same IPA DNS server for enrolling. The IPs of the new network still fall in my reverse zone. So My DNS is setup with: test.local 10.in-addr.arpa and the IP scheme for new net is 10.5.x.x, old net is 10.35.x.x Results of current Network <table border="0" cellspacing="0" cellpadding="0"><tr valign="top"><td width="431">Enrolled in IPA realm TEST.LOCAL Created /etc/ipa/default.conf New SSSD config will be created Configured sudoers in /etc/nsswitch.conf Configured /etc/sssd/sssd.conf Configured /etc/krb5.conf for IPA realm TEST.LOCAL trying <a href="https://rtpvxl0068.watson.local/ipa/xml">https://bob.test.local/ipa/xml</a> Forwarding 'env' to server u'<a href="https://bob.test.local/ipa/xml"></a><a href="https://bob.test.local/ipa/xml">https://bob.test.local/ipa/xml</a>' DNS server record set to: dingle.test.local -> IP of dingle Adding SSH public key from /etc/ssh/ssh_host_dsa_key.pub Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub Forwarding 'host_mod' to server u'<a href="https://bob.test.local/ipa/xml"></a><a href="https://bob.test.local/ipa/xml">https://bob.test.local/ipa/xml</a>' SSSD enabled Configuring test.local as NIS domain Configured /etc/openldap/ldap.conf NTP enabled Configured /etc/ssh/ssh_config Configured /etc/ssh/sshd_config Client configuration complete. </td></tr></table> Results of New network <table border="0" cellspacing="0" cellpadding="0"><tr valign="top"><td width="431">Enrolled in IPA realm TEST.LOCAL Attempting to get host TGT... Created /etc/ipa/default.conf New SSSD config will be created Configured sudoers in /etc/nsswitch.conf Configured /etc/sssd/sssd.conf Configured /etc/krb5.conf for IPA realm TEST.LOCAL trying <a href="https://rtpvxl0068.watson.local/ipa/xml">https://bob.test.local/ipa/xml</a> Forwarding 'env' to server u'<a href="https://bob.test.local/ipa/xml"></a><a href="https://bob.test.local/ipa/xml">https://bob.test.local/ipa/xml</a>' Failed to update DNS records. Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub Adding SSH public key from /etc/ssh/ssh_host_dsa_key.pub Forwarding 'host_mod' to server u'<a href="https://bob.test.local/ipa/xml"></a><a href="https://bob.test.local/ipa/xml">https://bob.test.local/ipa/xml</a>' Could not update DNS SSHFP records. SSSD enabled Configuring test.local as NIS domain Configured /etc/openldap/ldap.conf NTP enabled Configured /etc/ssh/ssh_config Configured /etc/ssh/sshd_config Client configuration complete </td></tr></table> Sean Hogan </ul></ul></ul></ul> </ul></ul> </body></html>