[Freeipa-users] automatic dns update failing
Marco Pizzoli
marco.pizzoli at gmail.com
Mon Feb 20 16:08:29 UTC 2012
On Mon, Feb 20, 2012 at 9:46 AM, Martin Kosek <mkosek at redhat.com> wrote:
> On Sun, 2012-02-19 at 17:23 +0100, Marco Pizzoli wrote:
> > Hi,
> > During my setup today I'm always failing in enrolling clients with
> > automatic dns updates.
> > I'm playing with FreeIPA 2.1.90, but I guess this is a general
> > problem, not strictly due to the alpha version.
> >
> > I'm doing a "ipa-client-install --enable-dns-updates" and at the
> > console I see:
> > Failed to update DNS A record. (Command '/usr/bin/nsupdate
> > -g /etc/ipa/.dns_update.txt' returned non-zero exit status 2)
> >
> > I see in server logs that named refuses it:
> > Feb 19 17:05:25 freeipa01 named[2089]: client 192.168.20.112#38558:
> > update 'internet.unix.mydomain.it/IN' denied
> > Feb 19 17:05:25 freeipa01 named[2089]: client 192.168.20.112#40809:
> > update 'internet.unix.mydomain.it/IN' denied
> >
> > What is the cause? What other informations do you need about my
> > deployment?
> >
> > Thanks in advance as usual
> > Marco
>
> Hello Marco,
>
> please check the settings of the zone you are trying to add clients to.
> GSS-TSIG updates are not enabled by default for new zones, it may be
> your case.
>
> This is an entry for my zone 'example.com' where dynamic updates are
> enabled:
>
> # ipa dnszone-show example.com --all
> dn: idnsname=example.com,cn=dns,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
> Zone name: example.com
> Authoritative nameserver: ns.example.com.
> Administrator e-mail address: hostmaster.example.com.
> SOA serial: 2012200201
> SOA refresh: 3600
> SOA retry: 900
> SOA expire: 1209600
> SOA minimum: 3600
> > BIND update policy: grant IDM.LAB.BOS.REDHAT.COM krb5-self * A; grant
> IDM.LAB.BOS.REDHAT.COM
> > krb5-self * AAAA; grant IDM.LAB.BOS.REDHAT.COMkrb5-self * SSHFP;
> Active zone: TRUE
> > Dynamic update: TRUE
> nsrecord: ns.example.com.
> objectclass: top, idnsrecord, idnszone
>
> I have marked the important attributes with ">". I would also make sure
> that the zone is properly loaded in bind-dyndb-ldap plugin (you can for
> example try to retrieve its SOA record with dig).
>
Hi Martin,
yes this is the case:
[root at freeipa01 ~]# ipa dnszone-show internet.unix.mydomain.it --all
dn: idnsname=internet.unix.mydomain.it,cn=dns,dc=unix,dc=mydomain,dc=it
Zone name: internet.unix.mydomain.it
Authoritative nameserver: freeipa01.unix.mydomain.it.
Administrator e-mail address: hostmaster.internet.unix.mydomain.it.
SOA serial: 2012180201
SOA refresh: 3600
SOA retry: 900
SOA expire: 1209600
SOA minimum: 3600
Active zone: TRUE
Dynamic update: FALSE
nsrecord: freeipa01.unix.mydomain.it.
objectclass: top, idnsrecord, idnszone
So, could you tell me how should I do to have my (new) zone being
eventually updated?
A link to a doc page would suffices.
Thanks a lot
Marco
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20120220/8f43aad3/attachment.htm>
More information about the Freeipa-users
mailing list