[Freeipa-users] automatic dns update failing

Petr Spacek pspacek at redhat.com
Mon Feb 20 21:06:21 UTC 2012


On 02/20/2012 05:08 PM, Marco Pizzoli wrote:
> On Mon, Feb 20, 2012 at 9:46 AM, Martin Kosek <mkosek at redhat.com> wrote:
>
>     On Sun, 2012-02-19 at 17:23 +0100, Marco Pizzoli wrote:
>      > Hi,
>      > During my setup today I'm always failing in enrolling clients with
>      > automatic dns updates.
>      > I'm playing with FreeIPA 2.1.90, but I guess this is a general
>      > problem, not strictly due to the alpha version.
>      >
>      > I'm doing a "ipa-client-install --enable-dns-updates" and at the
>      > console I see:
>      > Failed to update DNS A record. (Command '/usr/bin/nsupdate
>      > -g /etc/ipa/.dns_update.txt' returned non-zero exit status 2)
>      >
>      > I see in server logs that named refuses it:
>      > Feb 19 17:05:25 freeipa01 named[2089]: client 192.168.20.112#38558:
>      > update 'internet.unix.mydomain.it/IN' denied
>      > Feb 19 17:05:25 freeipa01 named[2089]: client 192.168.20.112#40809:
>      > update 'internet.unix.mydomain.it/IN' denied
>      >
>      > What is the cause? What other information do you need about my
>      > deployment?
>      >
>      > Thanks in advance as usual
>      > Marco
>
>     Hello Marco,
>
>     please check the settings of the zone you are trying to add clients to.
>     GSS-TSIG updates are not enabled by default for new zones, it may be
>     your case.
>
>     This is an entry for my zone 'example.com' where dynamic updates are
>     enabled:
>
>     # ipa dnszone-show example.com --all
>       dn: idnsname=example.com,cn=dns,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
>       Zone name: example.com
>       Authoritative nameserver: ns.example.com.
>       Administrator e-mail address: hostmaster.example.com.
>       SOA serial: 2012200201
>       SOA refresh: 3600
>       SOA retry: 900
>       SOA expire: 1209600
>       SOA minimum: 3600
>      > BIND update policy: grant IDM.LAB.BOS.REDHAT.COM krb5-self * A; grant IDM.LAB.BOS.REDHAT.COM
>      >                     krb5-self * AAAA; grant IDM.LAB.BOS.REDHAT.COM krb5-self * SSHFP;
>       Active zone: TRUE
>      > Dynamic update: TRUE
>       nsrecord: ns.example.com.
>       objectclass: top, idnsrecord, idnszone
>
>     I have marked the important attributes with ">". I would also make sure
>     that the zone is properly loaded in bind-dyndb-ldap plugin (you can for
>     example try to retrieve its SOA record with dig).
>
>
> Hi Martin,
> yes this is the case:
>
> [root at freeipa01 ~]# ipa dnszone-show internet.unix.mydomain.it --all
>    dn: idnsname=internet.unix.mydomain.it,cn=dns,dc=unix,dc=mydomain,dc=it
>    Zone name: internet.unix.mydomain.it
>    Authoritative nameserver: freeipa01.unix.mydomain.it.
>    Administrator e-mail address: hostmaster.internet.unix.mydomain.it.
>    SOA serial: 2012180201
>    SOA refresh: 3600
>    SOA retry: 900
>    SOA expire: 1209600
>    SOA minimum: 3600
>    Active zone: TRUE
>    Dynamic update: FALSE
>    nsrecord: freeipa01.unix.mydomain.it.
>    objectclass: top, idnsrecord, idnszone
>
> So, could you tell me what I should do to have my (new) zone
> eventually updated?
> A link to a doc page would suffice.
>
> Thanks a lot
> Marco

Hello Marco,

I think the important part of configuration is:

On Sun, 2012-02-19 at 17:23 +0100, Marco Pizzoli wrote:
 > [root at freeipa01 ~]# ipa dnszone-show internet.unix.mydomain.it
 >    Dynamic update: FALSE

Please try to enable dynamic update for this zone and then retry 
ipa-client-install.


Dynamic update setting can be changed with command:

ipa dnszone-mod internet.unix.mydomain.it --addattr=idnsAllowDynUpdate=TRUE

This command in the current alpha doesn't work for me, so please 
create/modify the idnsAllowDynUpdate attribute for the zone in LDAP manually. 
The value has to be TRUE in capital letters.

Documentation about DNS-in-LDAP can be found in 
/usr/share/doc/bind-dyndb-ldap-1.1.0/README .

You can allow dynamic updates generally in /etc/named.conf or per-zone 
through idnsAllowDynUpdate in LDAP, see README.

After altering named.conf it is necessary to reload bind via 'rndc 
reload', changes in LDAP are reflected immediately.


If the problem persists, try to set the zone's idnsUpdatePolicy to 'grant * 
wildcard *;' (relaxes/disables various access policy checks).


Best regards,

-- 
Petr Spacek



