[Freeipa-users] automatic dns update failing

Marco Pizzoli marco.pizzoli at gmail.com
Mon Feb 20 16:08:29 UTC 2012


On Mon, Feb 20, 2012 at 9:46 AM, Martin Kosek <mkosek at redhat.com> wrote:

> On Sun, 2012-02-19 at 17:23 +0100, Marco Pizzoli wrote:
> > Hi,
> > During my setup today I keep failing to enrol clients with
> > automatic DNS updates.
> > I'm playing with FreeIPA 2.1.90, but I guess this is a general
> > problem, not strictly due to the alpha version.
> >
> > I'm doing a "ipa-client-install --enable-dns-updates" and at the
> > console I see:
> > Failed to update DNS A record. (Command '/usr/bin/nsupdate
> > -g /etc/ipa/.dns_update.txt' returned non-zero exit status 2)
> >
> > I see in server logs that named refuses it:
> > Feb 19 17:05:25 freeipa01 named[2089]: client 192.168.20.112#38558:
> > update 'internet.unix.mydomain.it/IN' denied
> > Feb 19 17:05:25 freeipa01 named[2089]: client 192.168.20.112#40809:
> > update 'internet.unix.mydomain.it/IN' denied
> >
> > What is the cause? What other information do you need about my
> > deployment?
> >
> > Thanks in advance as usual
> > Marco
>
> Hello Marco,
>
> please check the settings of the zone you are trying to add clients to.
> GSS-TSIG updates are not enabled by default for new zones; this may be
> your case.
>
> This is an entry for my zone 'example.com' where dynamic updates are
> enabled:
>
> # ipa dnszone-show example.com --all
>  dn: idnsname=example.com,cn=dns,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
>  Zone name: example.com
>  Authoritative nameserver: ns.example.com.
>  Administrator e-mail address: hostmaster.example.com.
>  SOA serial: 2012200201
>  SOA refresh: 3600
>  SOA retry: 900
>  SOA expire: 1209600
>  SOA minimum: 3600
> > BIND update policy: grant IDM.LAB.BOS.REDHAT.COM krb5-self * A; grant IDM.LAB.BOS.REDHAT.COM krb5-self * AAAA; grant IDM.LAB.BOS.REDHAT.COM krb5-self * SSHFP;
>  Active zone: TRUE
> > Dynamic update: TRUE
>  nsrecord: ns.example.com.
>  objectclass: top, idnsrecord, idnszone
>
> I have marked the important attributes with ">". I would also make sure
> that the zone is properly loaded in bind-dyndb-ldap plugin (you can for
> example try to retrieve its SOA record with dig).
>

Hi Martin,
yes, this is the case:

[root at freeipa01 ~]# ipa dnszone-show internet.unix.mydomain.it --all
  dn: idnsname=internet.unix.mydomain.it,cn=dns,dc=unix,dc=mydomain,dc=it
  Zone name: internet.unix.mydomain.it
  Authoritative nameserver: freeipa01.unix.mydomain.it.
  Administrator e-mail address: hostmaster.internet.unix.mydomain.it.
  SOA serial: 2012180201
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  Active zone: TRUE
  Dynamic update: FALSE
  nsrecord: freeipa01.unix.mydomain.it.
  objectclass: top, idnsrecord, idnszone

So, could you tell me what I should do to have my (new) zone eventually
updated?
A link to a doc page would suffice.

Thanks a lot
Marco
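As an added check (not part of this thread or of FreeIPA itself): a small POSIX shell function that reads an `ipa dnszone-show ZONE --all` dump and reports whether the zone carries the two attributes Martin pointed at, "Dynamic update: TRUE" and krb5-self grants for A, AAAA and SSHFP in the BIND update policy, printing the `ipa dnszone-mod` command to run otherwise. The sample dump is constructed from Marco's zone output above, the realm UNIX.MYDOMAIN.IT is an assumption, and the `--dynamic-update` / `--update-policy` option names should be confirmed against `ipa dnszone-mod --help` on your FreeIPA version.

```shell
#!/bin/sh
# Added example: audit an `ipa dnszone-show ZONE --all` dump for GSS-TSIG
# readiness. The dump below is constructed from the zone in this thread.
SAMPLE_ZONE_SHOW='  Zone name: internet.unix.mydomain.it
  Active zone: TRUE
  Dynamic update: FALSE
  nsrecord: freeipa01.unix.mydomain.it.'

# zone_update_ready DUMP REALM
# Returns 0 when dynamic updates are enabled and the update policy grants
# krb5-self for A, AAAA and SSHFP to REALM; otherwise prints what is
# missing plus the remediation command and returns 1.
zone_update_ready() {
    dump=$1; realm=$2; missing=""
    printf '%s\n' "$dump" | grep -q '^ *Dynamic update: TRUE$' \
        || missing=" dynamic-update"
    # The policy attribute is one line in dnszone-show output.
    policy=$(printf '%s\n' "$dump" | sed -n 's/^ *BIND update policy: //p')
    for rr in A AAAA SSHFP; do
        case "$policy" in
            *"grant $realm krb5-self * $rr;"*) ;;
            *) missing="$missing $rr" ;;
        esac
    done
    [ -z "$missing" ] && return 0
    echo "zone not ready for GSS-TSIG updates (missing:$missing)"
    echo "fix: ipa dnszone-mod ZONE --dynamic-update=TRUE --update-policy='grant $realm krb5-self * A; grant $realm krb5-self * AAAA; grant $realm krb5-self * SSHFP;'"
    return 1
}

# Usage against the constructed dump (realm is assumed).
if zone_update_ready "$SAMPLE_ZONE_SHOW" UNIX.MYDOMAIN.IT; then
    echo "zone accepts krb5-self dynamic updates"
fi
```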