[Freeipa-users] DDNS with DHCPD and IPA

Andy Tomlin atomlin at engineer.com
Thu Apr 3 18:02:13 UTC 2014


That would be my preference; it would then work the same as bind/dhcpd did before
switching to IPA. I just don't know how to do it correctly.


From: brendan kearney [mailto:bpk678 at gmail.com] 
Sent: Thursday, April 3, 2014 10:59 AM
To: Simo Sorce
Cc: freeipa-users at redhat.com; atomlin at engineer.com
Subject: Re: [Freeipa-users] DDNS with DHCPD and IPA


Don't allow clients to DDNS update. Force the update to occur from dhcpd to
named.

On Apr 3, 2014 1:53 PM, "Simo Sorce" <simo at redhat.com> wrote:

On Thu, 2014-04-03 at 10:38 -0700, Andy Tomlin wrote:
> I posted this on the DHCP mailing list, but think it may belong here
> instead.
>
> I am running CentOS 6.5 and have installed IPA to allow all our Linux
> machines to authenticate. We have Windows machines that get their IP
> address from the server, and since installing IPA the DDNS no longer
> works. Googling around does not show much help. The key files match.

There is a bug in the Kerberos libraries, which we fixed only recently,
that prevents Windows clients from successfully performing DDNS against
BIND servers.

This is the fedora bugzilla:
https://bugzilla.redhat.com/show_bug.cgi?id=1066000

Not sure if this has been backported to RHEL/CentOS tbh.

This is for Windows clients directly performing DDNS updates using
GSS-TSIG.

--

Now, reading the following lines, it seems you are mixing GSS-TSIG and
plain TSIG; well, you can't do that.

ATM I think we accept only GSS-TSIG updates in IPA, while BIND DHCP seems
to be capable only of TSIG updates.

CCing Petr as he may have some ideas on whether this is something we can
work around.


Simo.



>
> My named.conf is as follows:
>
> [root at alfred ~]# cat /etc/named.conf
> options {
>         // turns on IPv6 for port 53, IPv4 is on by default for all ifaces
>         listen-on-v6 {any;};
>         listen-on port 53 { 127.0.0.1; 10.0.1.2; };
>
>         // Put files that named is allowed to write in the data/ directory:
>         directory "/var/named"; // the default
>         dump-file               "data/cache_dump.db";
>         statistics-file         "data/named_stats.txt";
>         memstatistics-file      "data/named_mem_stats.txt";
>
>         //forward first;
>         //forwarders {
>         //      192.168.1.254;
>         //      8.8.8.8;
>         //};
>
>         // Any host is permitted to issue recursive queries
>         allow-recursion { any; };
>
>         tkey-gssapi-credential "DNS/alfred.xxxxxxx.com";
>         tkey-domain "xxxxxxx.COM";
> };
>
> include "/etc/named/ddns.key";
>
> /* If you want to enable debugging, eg. using the 'rndc trace' command,
>  * By default, SELinux policy does not allow named to modify the /var/named directory,
>  * so put the default debug log file in data/ :
>  */
> logging {
>         channel default_debug {
>                 file "data/named.run";
>                 severity dynamic;
>         };
> };
>
> zone "." IN {
>         type hint;
>         file "named.ca";
> };
>
> include "/etc/named.rfc1912.zones";
>
> dynamic-db "ipa" {
>         library "ldap.so";
>         arg "uri ldapi://%2fvar%2frun%2fslapd-xxxxxxx-COM.socket";
>         arg "base cn=dns, dc=xxxxxxx,dc=com";
>         arg "fake_mname alfred.xxxxxxx.com.";
>         arg "auth_method sasl";
>         arg "sasl_mech GSSAPI";
>         arg "sasl_user DNS/alfred.xxxxxxx.com";
>         arg "zone_refresh 0";
>         arg "psearch yes";
>         arg "serial_autoincrement yes";
> };
>
>
> My dhcpd.conf is as follows:
>
> [root at alfred ~]# cat /etc/dhcp/dhcpd.conf
> # dhcpd.conf
> #
> # Sample configuration file for ISC dhcpd
> #
>
> # option definitions common to all supported networks...
> option domain-name "xxxxxxx.com";
> option domain-name-servers 10.0.1.2, 8.8.8.8, 8.8.4.4;
>
> ddns-updates on;
> ddns-update-style interim;
> ignore client-updates;
> update-static-leases on;
>
> default-lease-time 600;
> max-lease-time 7200;
>
> # Use this to enable / disable dynamic dns updates globally.
> #ddns-update-style none;
>
> # If this DHCP server is the official DHCP server for the local
> # network, the authoritative directive should be uncommented.
> authoritative;
>
> # Use this to send dhcp log messages to a different log file (you also
> # have to hack syslog.conf to complete the redirection).
> log-facility local7;
>
> # No service will be given on this subnet, but declaring it helps the
> # DHCP server to understand the network topology.
>
> #subnet 10.152.187.0 netmask 255.255.255.0 {
> #}
>
> include "/etc/dhcp/ddns.key";
>
> zone xxxxxxx.com. {
>   primary 127.0.0.1;
>   key DDNS_UPDATE;
> }
>
> zone 2.0.10.in-addr.arpa. {
>   primary 127.0.0.1;
>   key DDNS_UPDATE;
> }
>
> # This is a very basic subnet declaration.
>
> subnet 10.0.0.0 netmask 255.255.0.0 {
>   range 10.0.2.50 10.0.2.250;
>   option routers 10.0.1.2;
> }
>
> [root at alfred ~]#
>
> When a Windows client gets a DHCP address, the following is in the log:
>
> [root at alfred ~]# tail -n50 /var/log/messages
> Apr  2 19:40:50 alfred named[8491]: client 127.0.0.1#59786: updating zone 'xxxxxxx.com/IN': update failed: rejected by secure update (REFUSED)
> Apr  2 19:40:50 alfred dhcpd: Unable to add forward map from atomlin.xxxxxxx.com to 10.0.2.51: timed out
> Apr  2 19:40:50 alfred dhcpd: DHCPREQUEST for 10.0.2.51 from 0c:54:a5:08:5f:cc (atomlin) via eth0
> Apr  2 19:40:50 alfred dhcpd: DHCPACK on 10.0.2.51 to 0c:54:a5:08:5f:cc (atomlin) via eth0
> [root at alfred ~]#
>



--
Simo Sorce * Red Hat, Inc * New York

_______________________________________________
Freeipa-users mailing list
Freeipa-users at redhat.com <mailto:Freeipa-users at redhat.com> 
https://www.redhat.com/mailman/listinfo/freeipa-users
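Added example, not code from the thread or from FreeIPA: a Python script that correlates dhcpd's "Unable to add forward map" lines with named's "rejected by secure update" refusals in syslog lines of the format quoted above, so the failing-lease pattern shows up in monitoring instead of being spotted by eye. The sample log lines, hostnames, MACs and addresses are constructed, the 5-second window and the 2014 year default are assumptions, and explain() only restates the thread's reading (IPA accepts GSS-TSIG only, dhcpd sends plain TSIG).

```python
import re
from datetime import datetime

# Constructed sample, modelled on the /var/log/messages excerpt in the thread.
SAMPLE_LOG = """\
Apr  2 19:40:50 alfred named[8491]: client 127.0.0.1#59786: updating zone 'example.com/IN': update failed: rejected by secure update (REFUSED)
Apr  2 19:40:50 alfred dhcpd: Unable to add forward map from host1.example.com to 10.0.2.51: timed out
Apr  2 19:40:50 alfred dhcpd: DHCPREQUEST for 10.0.2.51 from 0c:54:a5:08:5f:cc (host1) via eth0
Apr  2 19:40:50 alfred dhcpd: DHCPACK on 10.0.2.51 to 0c:54:a5:08:5f:cc (host1) via eth0
Apr  2 19:41:10 alfred dhcpd: DHCPACK on 10.0.2.52 to 00:11:22:33:44:55 (host2) via eth0
"""

TS = r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ "          # syslog stamp + hostname
NAMED_REFUSED = re.compile(TS + r"named\[\d+\]: client [\d.]+#\d+: updating zone "
                           r"'(?P<zone>[^']+)': update failed: (?P<reason>.+)$")
DHCPD_MAPFAIL = re.compile(TS + r"dhcpd: Unable to add forward map from (?P<name>\S+) "
                           r"to (?P<ip>[\d.]+): (?P<err>.+)$")
DHCPD_ACK = re.compile(TS + r"dhcpd: DHCPACK on (?P<ip>[\d.]+) to (?P<mac>[0-9a-fA-F:]+)"
                       r"(?: \((?P<host>[^)]*)\))?")

def _parse_ts(text, year=2014):
    # syslog stamps carry no year; the default is an assumption for the sample
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")

def correlate(log_text, window_seconds=5):
    """One finding per dhcpd forward-map failure, joined with the named-side
    refusal logged within window_seconds (if any) and the lease's MAC/hostname."""
    refusals, failures, acks = [], [], {}
    for line in log_text.splitlines():
        if m := NAMED_REFUSED.match(line):
            refusals.append((_parse_ts(m["ts"]), m["reason"]))
        elif m := DHCPD_MAPFAIL.match(line):
            failures.append((_parse_ts(m["ts"]), m["name"], m["ip"], m["err"]))
        elif m := DHCPD_ACK.match(line):
            acks[m["ip"]] = (m["mac"], m["host"])
    findings = []
    for ts, name, ip, err in failures:
        near = [r for rts, r in refusals if abs((rts - ts).total_seconds()) <= window_seconds]
        mac, host = acks.get(ip, (None, None))
        findings.append({"name": name, "ip": ip, "mac": mac, "lease_host": host,
                         "dhcpd_error": err, "named_reason": near[0] if near else None})
    return findings

def explain(finding):
    """Reading given in the thread: IPA zones accept GSS-TSIG only, so named's
    secure-update check refuses the plain TSIG update that dhcpd sends."""
    if "rejected by secure update" in (finding["named_reason"] or ""):
        return "named refused a plain TSIG update; IPA-managed zones accept GSS-TSIG only"
    return "no named refusal in window; dhcpd timeout not explained by update policy"
```

Run `correlate(SAMPLE_LOG)` (or feed it the output of `tail /var/log/messages`) and pass each finding to `explain()`; a forward-map failure with no nearby named refusal points at a problem other than the update policy.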
