[Freeipa-users] ipa-client-install failure

Martin Basti mbasti at redhat.com
Mon Mar 23 11:27:13 UTC 2015


On 23/03/15 12:19, Roberto Cornacchia wrote:
> BTW, shouldn't named.conf contain an "allow-update" statement? Mine 
> doesn't. Or is this managed differently?
It is not needed.
The bind-dyndb-ldap plugin overrides this configuration; you just need to 
enable updates in the IPA zone settings.

Martin
>
>
> On 23 March 2015 at 12:16, Roberto Cornacchia 
> <roberto.cornacchia at gmail.com> wrote:
>
>
>
>     On 23 March 2015 at 10:35, Petr Spacek <pspacek at redhat.com> wrote:
>
>         On 23.3.2015 10:21, Roberto Cornacchia wrote:
>         > About the DNS update, this is what the debug log has to say:
>         >
>         > Found zone name: hq.example.com
>         > The master is: ipa.hq.example.com
>         > start_gssrequest
>         > Found realm from ticket: HQ.EXAMPLE.COM
>         > send_gssrequest
>         > *; Communication with 192.168.0.72#53 failed: operation canceled*
>         > *Reply from SOA query:*
>         > ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id:   4923
>         > ;; flags: qr ra; QUESTION: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
>         > ;; QUESTION SECTION:
>         > ;1835417091.sig-ipa.hq.example.com. ANY TKEY
>         >
>         > response to SOA query was unsuccessful
>
>         - Please verify that 192.168.0.72 is the correct IP address of
>         the FreeIPA server.
>
>
>     Positive
>
>         - Please check named.logs on the server side to see if there
>         are any complaints
>         about unsuccessful key negotiation with client.
>
>
>     I raised named's log level to debug 10 and restarted.
>     Ran ipa-client-install again.
>     The log shows many queries from the client, for A/AAAA/SOA record
>     types, both about the server and the client. All approved, no problem.
>     The log does not seem to contain a single failure / rejection.
>
>     However:
>     1) The client reports that response to SOA query was unsuccessful.
>     The server log does not say anything about this.
>     2) The server log does not contain any update request
>
>
>         > Notice that this is *different* from what I got before the
>         chronyd change.
>         > Before, there was not even a reply:
>         >
>         > Found zone name: hq.example.com
>         > The master is: ipa.hq.example.com
>         > start_gssrequest
>         > Found realm from ticket: HQ.EXAMPLE.COM
>         > send_gssrequest
>         > *; Communication with 192.168.0.72#53 failed: operation canceled*
>         > *could not reach any name server*
>
>         Interesting, this should not be related to time
>         synchronization in any way.
>         DNS server simply did not return any answer.
>
>         --
>         Petr^2 Spacek


-- 
Martin Basti
