[Freeipa-users] automatic dns update failing
Petr Spacek
pspacek at redhat.com
Mon Feb 20 21:06:21 UTC 2012
On 02/20/2012 05:08 PM, Marco Pizzoli wrote:
> On Mon, Feb 20, 2012 at 9:46 AM, Martin Kosek <mkosek at redhat.com> wrote:
>
> On Sun, 2012-02-19 at 17:23 +0100, Marco Pizzoli wrote:
> > Hi,
> > During my setup today I keep failing to enroll clients with
> > automatic DNS updates.
> > I'm playing with FreeIPA 2.1.90, but I guess this is a general
> > problem, not strictly due to the alpha version.
> >
> > I'm doing a "ipa-client-install --enable-dns-updates" and at the
> > console I see:
> > Failed to update DNS A record. (Command '/usr/bin/nsupdate
> > -g /etc/ipa/.dns_update.txt' returned non-zero exit status 2)
> >
> > I see in server logs that named refuses it:
> > Feb 19 17:05:25 freeipa01 named[2089]: client 192.168.20.112#38558:
> > update 'internet.unix.mydomain.it/IN' denied
> > Feb 19 17:05:25 freeipa01 named[2089]: client 192.168.20.112#40809:
> > update 'internet.unix.mydomain.it/IN' denied
> >
> > What is the cause? What other information do you need about my
> > deployment?
> >
> > Thanks in advance as usual
> > Marco
>
> Hello Marco,
>
> please check the settings of the zone you are trying to add clients to.
> GSS-TSIG updates are not enabled by default for new zones, it may be
> your case.
>
> This is an entry for my zone 'example.com' where dynamic updates are
> enabled:
>
> # ipa dnszone-show example.com --all
> dn: idnsname=example.com,cn=dns,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
> Zone name: example.com
> Authoritative nameserver: ns.example.com.
> Administrator e-mail address: hostmaster.example.com.
> SOA serial: 2012200201
> SOA refresh: 3600
> SOA retry: 900
> SOA expire: 1209600
> SOA minimum: 3600
> > BIND update policy: grant IDM.LAB.BOS.REDHAT.COM krb5-self * A; grant
> IDM.LAB.BOS.REDHAT.COM krb5-self * AAAA; grant IDM.LAB.BOS.REDHAT.COM
> krb5-self * SSHFP;
> Active zone: TRUE
> > Dynamic update: TRUE
> nsrecord: ns.example.com.
> objectclass: top, idnsrecord, idnszone
>
> I have marked the important attributes with ">". I would also make sure
> that the zone is properly loaded in bind-dyndb-ldap plugin (you can for
> example try to retrieve its SOA record with dig).
>
>
> Hi Martin,
> yes this is the case:
>
> [root at freeipa01 ~]# ipa dnszone-show internet.unix.mydomain.it --all
> dn: idnsname=internet.unix.mydomain.it,cn=dns,dc=unix,dc=mydomain,dc=it
> Zone name: internet.unix.mydomain.it
> Authoritative nameserver: freeipa01.unix.mydomain.it.
> Administrator e-mail address: hostmaster.internet.unix.mydomain.it.
> SOA serial: 2012180201
> SOA refresh: 3600
> SOA retry: 900
> SOA expire: 1209600
> SOA minimum: 3600
> Active zone: TRUE
> Dynamic update: FALSE
> nsrecord: freeipa01.unix.mydomain.it.
> objectclass: top, idnsrecord, idnszone
>
> So, could you tell me what I should do to have my (new) zone
> updated?
> A link to a doc page would suffice.
>
> Thanks a lot
> Marco
Hello Marco,
I think the important part of configuration is:
On Sun, 2012-02-19 at 17:23 +0100, Marco Pizzoli wrote:
> [root at freeipa01 ~]# ipa dnszone-show internet.unix.mydomain.it
> Dynamic update: FALSE
Please try to enable dynamic update for this zone and then retry
ipa-client-install
Dynamic update setting can be changed with command:
ipa dnszone-mod internet.unix.mydomain.it --addattr=idnsAllowDynUpdate=TRUE
This command in the current alpha doesn't work for me, so please
create/modify idnsAllowDynUpdate attribute for zone in LDAP manually.
Value has to be TRUE with capital letters.
Documentation about DNS-in-LDAP can be found in
/usr/share/doc/bind-dyndb-ldap-1.1.0/README .
You can allow dynamic updates generally in /etc/named.conf or per-zone
through idnsAllowDynUpdate in LDAP, see README.
After altering named.conf it is necessary to reload bind via 'rndc
reload'; changes in LDAP are reflected immediately.
If the problem persists, try to set the zone's idnsUpdatePolicy to 'grant *
wildcard *;' (relaxes/disables various access policy checks)
Best regards,
--
Petr Spacek
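An added example, not code from this thread or from FreeIPA/bind-dyndb-ldap: a POSIX shell audit that reads a saved `ipa dnszone-show ZONE --all` dump and reports the two settings the thread turns on (Dynamic update, which maps to idnsAllowDynUpdate, and the BIND update policy), flagging the relaxed 'grant * wildcard *;' policy separately from a per-principal krb5-self policy. It also emits the LDIF for the manual LDAP change Petr describes. The function names, the sample dumps (constructed from the two zones shown above plus a wildcard variant) and the assumption that the dump keeps the whole update policy on one line are all mine.

```shell
#!/bin/sh
# Added example, not code from this thread or from FreeIPA/bind-dyndb-ldap.
# Audits a saved `ipa dnszone-show ZONE --all` dump for the settings the
# thread discusses and prints the LDIF for the manual fix Petr suggests.
# Assumption: the dump uses the "  Key: value" layout shown in the thread,
# with the whole "BIND update policy" value on a single line.

# Verdict for the dump in file $1, one word on stdout:
#   DISABLED     Dynamic update is not exactly TRUE (the attribute must be
#                upper-case TRUE); nsupdate -g will get "update denied"
#   WILDCARD     updates on, but the policy is the relaxed 'grant * wildcard *'
#   NO-KRB5SELF  updates on, but no 'krb5-self * A' grant was found
#   OK           updates on with a per-principal krb5-self grant for A records
zone_update_status() {
    dynupd=$(sed -n 's/^[[:space:]]*Dynamic update:[[:space:]]*//p' "$1" | tr -d '[:space:]')
    policy=$(sed -n 's/^[[:space:]]*BIND update policy:[[:space:]]*//p' "$1")
    if [ "$dynupd" != "TRUE" ]; then
        echo DISABLED
    elif printf '%s\n' "$policy" | grep -q 'grant \* wildcard \*'; then
        echo WILDCARD
    elif printf '%s\n' "$policy" | grep -q 'krb5-self \* A;'; then
        echo OK
    else
        echo NO-KRB5SELF
    fi
}

# LDIF that sets idnsAllowDynUpdate to TRUE on the zone entry.
# $1 = zone name, $2 = LDAP base suffix (e.g. dc=unix,dc=mydomain,dc=it).
# "replace" creates the attribute when it is absent and overwrites it otherwise.
dynupdate_ldif() {
    printf 'dn: idnsname=%s,cn=dns,%s\n' "$1" "$2"
    printf 'changetype: modify\nreplace: idnsAllowDynUpdate\nidnsAllowDynUpdate: TRUE\n'
}

# Constructed sample dumps: Marco's zone, Martin's zone, and a wildcard variant.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT

cat > "$SAMPLE_DIR/marco.txt" <<'EOF'
  Zone name: internet.unix.mydomain.it
  Authoritative nameserver: freeipa01.unix.mydomain.it.
  Active zone: TRUE
  Dynamic update: FALSE
EOF

cat > "$SAMPLE_DIR/martin.txt" <<'EOF'
  Zone name: example.com
  BIND update policy: grant IDM.LAB.BOS.REDHAT.COM krb5-self * A; grant IDM.LAB.BOS.REDHAT.COM krb5-self * AAAA; grant IDM.LAB.BOS.REDHAT.COM krb5-self * SSHFP;
  Active zone: TRUE
  Dynamic update: TRUE
EOF

cat > "$SAMPLE_DIR/wildcard.txt" <<'EOF'
  Zone name: internet.unix.mydomain.it
  BIND update policy: grant * wildcard *;
  Active zone: TRUE
  Dynamic update: TRUE
EOF

for f in marco martin wildcard; do
    printf '%s: %s\n' "$f" "$(zone_update_status "$SAMPLE_DIR/$f.txt")"
done
dynupdate_ldif internet.unix.mydomain.it dc=unix,dc=mydomain,dc=it
```

In use, save the real output with `ipa dnszone-show ZONE --all > zone.txt`, run `zone_update_status zone.txt`, and, if it prints DISABLED, pipe the LDIF into `ldapmodify -Y GSSAPI` as an admin holding a Kerberos ticket before retrying ipa-client-install. A WILDCARD verdict means any client that can reach the server may update any name in the zone, so treat it as a temporary debugging setting rather than a final policy.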