[Freeipa-users] DNS SOA Records

Jakub Hrozek jhrozek at redhat.com
Thu May 15 07:40:07 UTC 2014


On Wed, May 14, 2014 at 10:57:04AM +0200, Petr Spacek wrote:
> On 13.5.2014 21:32, Dmitri Pal wrote:
> >On 05/13/2014 02:12 PM, Bob wrote:
> >>I ran
> >>
> >>ipa dnszone-mod vh1.vzwnet.com
> >>--update-policy="grant bob-key name test.vh1.vzwnet.com.;"
> >>
> >>I then execute the nsupdate:
> >>
> >>[root@nj51rhidms16v ~]# ./bobtest.sh
> >>; TSIG error with server: tsig indicates error
> >>update failed: NOTAUTH(BADKEY)
> >>
> >>
> >>[root@nj51rhidms16v ~]# cat ./bobtest.sh
> >>#!/bin/ksh
> >>#
> >>keyfile=bob-key:hkVEYuIRUGaytJRHPd0tww==
> >>print "update add test.vh1.vzwnet.com 90 CNAME
> >>txslxngda5.nss.vzwnet.com\n"|nsupdate -y
> >>$keyfile
> >>
> >>[root@nj51rhidms16v log]# tail daemon
> >>May 13 03:20:04 nj51rhidms16v [sssd[ldap_child[11987]]]: Error processing
> >>keytab file [default]: Principal
> >>[host/nj51rhidms16v.nss.vzwnet.com@IPA.NSS.VZWNET.COM] was not found.
> >>Unable to create GSSAPI-encrypted LDAP connection.
> >>May 13 03:20:04 nj51rhidms16v [sssd[ldap_child[11987]]]: Error writing to
> >>key table
> >>May 13 04:45:42 nj51rhidms16v rhnsd[12406]: running program /usr/sbin/rhn_check
> >>May 13 08:45:42 nj51rhidms16v rhnsd[12962]: running program /usr/sbin/rhn_check
> >>May 13 12:08:55 nj51rhidms16v [sssd[ldap_child[13470]]]: Error processing
> >>keytab file [default]: Principal
> >>[host/nj51rhidms16v.nss.vzwnet.com@IPA.NSS.VZWNET.COM] was not found.
> >>Unable to create GSSAPI-encrypted LDAP connection.
> >>May 13 12:08:55 nj51rhidms16v [sssd[ldap_child[13470]]]: Error writing to
> >>key table
> >>May 13 12:45:42 nj51rhidms16v rhnsd[13543]: running program /usr/sbin/rhn_check
> >>May 13 14:07:59 nj51rhidms16v named[27438]: client 10.194.96.47#15739:
> All errors above are irrelevant to nsupdate. It points to a problem
> with SSSD configuration but this should not affect nsupdate with
> TSIG at all.

Hi,

sorry to come late to the thread, I'm catching up on freeipa-users. I
agree with Petr that this is a generic failure related to a wrong
keytab.

Does "klist -k" list the keys you would expect to have in the keytab?

Does "kinit -k" allow you to kinit using the keytab?

I would expect one or both of them to fail, in which case you should
either re-enroll the client or just fetch a new keytab using
ipa-getkeytab.
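
The two checks suggested above can be scripted so that a missing host principal is told apart from a stale key. This is an added example, not part of the original thread; the hostnames, realm and sample `klist -k` listing are constructed placeholders.

```shell
#!/bin/sh
# Added example: checks a keytab for the host principal SSSD needs.
# Hostnames and realm below are constructed placeholders.

# Constructed sample of `klist -k` output (MIT Kerberos layout) for a keytab
# that holds only an nfs/ service key and no host/ key.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 nfs/client.example.test@EXAMPLE.TEST
   1 nfs/client.example.test@EXAMPLE.TEST'

# Print the unique principals found in `klist -k` output read from stdin.
keytab_principals() {
    awk 'seen_rule && NF >= 2 { print $2 } /^----/ { seen_rule = 1 }' | sort -u
}

# Return 0 if the expected principal ($1) is present in the listing on stdin.
keytab_has_principal() {
    keytab_principals | grep -Fxq -- "$1"
}

# Live check: run both diagnostics against a real keytab.
# $1 = principal, $2 = keytab path (defaults to /etc/krb5.keytab).
check_live_keytab() {
    princ=$1
    keytab=${2:-/etc/krb5.keytab}
    if ! klist -k "$keytab" | keytab_has_principal "$princ"; then
        echo "MISSING: $princ not in $keytab; re-enroll or run ipa-getkeytab" >&2
        return 1
    fi
    cc=$(mktemp)   # throwaway credential cache so the default one is untouched
    if ! KRB5CCNAME="FILE:$cc" kinit -k -t "$keytab" "$princ"; then
        rm -f "$cc"
        echo "STALE: key for $princ is present but the KDC rejected it" >&2
        return 2
    fi
    rm -f "$cc"
    echo "OK: $princ can authenticate from $keytab"
}

# Only touch the real keytab when a principal is given on the command line.
if [ "$#" -ge 1 ]; then
    check_live_keytab "$@"
fi
```

Run it as root with the principal from the SSSD error message as the first argument; exit status 1 means the key is absent, 2 means it is present but no longer valid.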



