[Freeipa-users] ipa-client-install failure

Roberto Cornacchia roberto.cornacchia at gmail.com
Mon Mar 23 11:33:28 UTC 2015


OK, thanks.
That would be "Dynamic updates", right? Then it is enabled.

$ ipa dnszone-show --all
Zone name: hq.example.com
  dn: idnsname=hq.example.com.,cn=dns,dc=hq,dc=example,dc=com
  Zone name: hq.example.com.
  Active zone: TRUE
  Authoritative nameserver: ipa.hq.example.com.
  Administrator e-mail address: hostmaster.hq.example.com.
  SOA serial: 1427108043
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  BIND update policy: grant HQ.EXAMPLE.COM krb5-self * A; grant HQ.EXAMPLE.COM
krb5-self * AAAA; grant HQ.EXAMPLE.COM krb5-self * SSHFP;
  Dynamic update: TRUE
  Allow query: any;
  Allow transfer: none;
  Allow PTR sync: FALSE
  nsrecord: ipa.hq.example.com.
  objectclass: idnszone, top, idnsrecord


On 23 March 2015 at 12:27, Martin Basti <mbasti at redhat.com> wrote:

>  On 23/03/15 12:19, Roberto Cornacchia wrote:
> > BTW, shouldn't named.conf contain an "allow-update" statement? Mine
> > doesn't. Or is this managed differently?
>
> It is not needed.
> bind-dyndb-ldap plugin overrides this configuration, you just need to
> enable updates in IPA zone setting.
>
> Martin
>
>
>
> On 23 March 2015 at 12:16, Roberto Cornacchia <
> roberto.cornacchia at gmail.com> wrote:
>
>>
>>
>> On 23 March 2015 at 10:35, Petr Spacek <pspacek at redhat.com> wrote:
>>
>>> On 23.3.2015 10:21, Roberto Cornacchia wrote:
>>> > About the DNS update, this is what the debug log has to say:
>>> >
>>> > Found zone name: hq.example.com
>>> > The master is: ipa.hq.example.com
>>> > start_gssrequest
>>> > Found realm from ticket: HQ.EXAMPLE.COM
>>> > send_gssrequest
>>> > *; Communication with 192.168.0.72#53 failed: operation canceled*
>>> > *Reply from SOA query:*
>>> > ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id:   4923
>>> > ;; flags: qr ra; QUESTION: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
>>> > ;; QUESTION SECTION:
>>> > ;1835417091.sig-ipa.hq.example.com. ANY TKEY
>>> >
>>> > response to SOA query was unsuccessful
>>>
>>> - Please verify that 192.168.0.72 is the correct IP address of the
>>> FreeIPA server.
>>>
>>
>>  Positive
>>
>>
>>> - Please check named.logs on the server side to see if there are any
>>> complaints about unsuccessful key negotiation with the client.
>>>
>>>
>>  I raised named's log level to debug 10 and restarted.
>> Ran ipa-client-install again.
>> The log shows many queries from the client, for A/AAAA/SOA record types,
>> both about the server and the client. All approved, no problem.
>> The log does not seem to contain a single failure / rejection.
>>
>>  However:
>> 1) The client reports that response to SOA query was unsuccessful. The
>> server log does not say anything about this.
>> 2) The server log does not contain any update request
>>
>>
>>> > Notice that it is *different* from what I got before the chronyd
>>> change.
>>> > Before, there was not even a reply:
>>> >
>>> > Found zone name: hq.example.com
>>> > The master is: ipa.hq.example.com
>>> > start_gssrequest
>>> > Found realm from ticket: HQ.EXAMPLE.COM
>>> > send_gssrequest
>>> > *; Communication with 192.168.0.72#53 failed: operation canceled*
>>> > *could not reach any name server*
>>>
>>> Interesting, this should not be related to time synchronization in any
>>> way.
>>> DNS server simply did not return any answer.
>>>
>>> --
>>> Petr^2 Spacek
>>>
>>> --
>>> Manage your subscription for the Freeipa-users mailing list:
>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>> Go to http://freeipa.org for more info on the project
>>>
>>
>>
>
>
>
>
> --
> Martin Basti
>
>
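The thread turns on whether the IPA zone itself, not named.conf, permits the client's GSS-TSIG update: "Dynamic update" must be TRUE and the BIND update policy must carry krb5-self grants, for the realm the client found in its ticket, covering the record types ipa-client-install tries to write (A, AAAA, SSHFP). The following script is an added example and not part of the thread or of FreeIPA: it parses the `ipa dnszone-show --all` output quoted above (reproduced here as a constructed sample, with the wrapped policy line kept as it appeared) and reports whether those preconditions hold for a given client realm. The grant regex, the attribute names and the function names are this example's own assumptions about the output format; a realm mismatch or a missing record type is reported as a problem so the check can be run against other zones.

```python
import re
from dataclasses import dataclass

# Constructed sample: the `ipa dnszone-show --all` output quoted in the thread,
# including the update-policy value that wrapped onto a second line.
SAMPLE_ZONE_OUTPUT = """\
Zone name: hq.example.com
  dn: idnsname=hq.example.com.,cn=dns,dc=hq,dc=example,dc=com
  Zone name: hq.example.com.
  Active zone: TRUE
  Authoritative nameserver: ipa.hq.example.com.
  Administrator e-mail address: hostmaster.hq.example.com.
  SOA serial: 1427108043
  BIND update policy: grant HQ.EXAMPLE.COM krb5-self * A; grant HQ.EXAMPLE.COM
krb5-self * AAAA; grant HQ.EXAMPLE.COM krb5-self * SSHFP;
  Dynamic update: TRUE
  Allow query: any;
  Allow transfer: none;
  Allow PTR sync: FALSE
"""


@dataclass(frozen=True)
class Grant:
    """One `grant` rule from a BIND update-policy string (assumed layout:
    grant <identity> <matchtype> <name> <rtypes...>;)."""
    realm: str        # identity; for krb5-self this is the Kerberos realm
    match_type: str   # e.g. krb5-self
    name: str         # "*" or a name pattern
    rtypes: tuple     # record types the rule allows


# Assumed grammar of a single grant rule; the trailing ';' terminates each rule.
GRANT_RE = re.compile(r"grant\s+(\S+)\s+(\S+)\s+(\S+)\s+([^;]*);")


def parse_zone_show(text):
    """Turn `ipa dnszone-show` output into a dict of attribute -> value.
    A line without ': ' is treated as the continuation of the previous
    attribute's value (the quoted update policy wrapped this way)."""
    attrs = {}
    last_key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, sep, value = line.partition(": ")
        if sep:
            attrs[key] = value
            last_key = key
        elif last_key is not None:
            attrs[last_key] = attrs[last_key] + " " + line
    return attrs


def parse_update_policy(policy):
    """Split the 'BIND update policy' value into Grant objects."""
    grants = []
    for m in GRANT_RE.finditer(policy):
        realm, match_type, name, rtypes = m.groups()
        grants.append(Grant(realm, match_type, name, tuple(rtypes.split())))
    return grants


def check_client_updates(attrs, client_realm, wanted=("A", "AAAA", "SSHFP")):
    """Return a list of problems; an empty list means the zone is configured as
    the thread describes: updates enabled and krb5-self grants, for the realm the
    client found in its ticket, that cover every record type in `wanted`."""
    problems = []
    if attrs.get("Dynamic update", "").upper() != "TRUE":
        problems.append("Dynamic update is not TRUE for this zone")
    allowed = set()
    for g in parse_update_policy(attrs.get("BIND update policy", "")):
        # Kerberos realms are case-sensitive, so compare them exactly.
        if g.match_type == "krb5-self" and g.realm == client_realm:
            allowed.update(g.rtypes)
    for rtype in wanted:
        if rtype not in allowed and "ANY" not in allowed:
            problems.append(
                f"no krb5-self grant for {rtype} records in realm {client_realm}")
    return problems


if __name__ == "__main__":
    zone = parse_zone_show(SAMPLE_ZONE_OUTPUT)
    # Realm taken from the client's debug log line "Found realm from ticket: ..."
    issues = check_client_updates(zone, "HQ.EXAMPLE.COM")
    print(issues or "zone settings permit krb5-self updates for A/AAAA/SSHFP")
```

For the quoted zone the check passes, which matches Martin's point that the named.conf `allow-update` statement is not what gates the update; when the check passes but the client still reports SERVFAIL on the TKEY query, as in this thread, the zone settings can be ruled out and attention moves to the GSS-TSIG key negotiation itself (server-side named logs, and the client's view of which server answered).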