[Freeipa-users] ipa-client-install failure

Petr Spacek pspacek at redhat.com
Mon Mar 23 12:33:07 UTC 2015


On 23.3.2015 12:33, Roberto Cornacchia wrote:
> OK, thanks.
> That would be "Dynamic updates", right? Then it is enabled.
> 
> $ ipa dnszone-show --all
> Zone name: hq.example.com
>   dn: idnsname=hq.example.com.,cn=dns,dc=hq,dc=example,dc=com
>   Zone name: hq.example.com.
>   Active zone: TRUE
>   Authoritative nameserver: ipa.hq.example.com.
>   Administrator e-mail address: hostmaster.hq.example.com.
>   SOA serial: 1427108043
>   SOA refresh: 3600
>   SOA retry: 900
>   SOA expire: 1209600
>   SOA minimum: 3600
>   BIND update policy: grant HQ.EXAMPLE.COM krb5-self * A; grant HQ.EXAMPLE.COM
> krb5-self * AAAA; grant HQ.EXAMPLE.COM krb5-self * SSHFP;
>   Dynamic update: TRUE

This is correct (but it should not affect SOA query anyway).

Could you share named logs on debug level 10 with us? It would be even better
if you could provide us tcpdump with transactions in question.

On the client (before you start installation) please:
1) Execute command $ tcpdump -i any -w /tmp/dns.pcap 'port 53'
2) Run ipa-client-install
3) Kill the tcpdump: $ pkill tcpdump
4) Send us the file.

Feel free to send the files to me (pspacek at redhat.com) and Martin^2
(mbasti at redhat.com) privately if you do not want to make them public.

Have a nice day!

Petr^2 Spacek

>   Allow query: any;
>   Allow transfer: none;
>   Allow PTR sync: FALSE
>   nsrecord: ipa.hq.example.com.
>   objectclass: idnszone, top, idnsrecord
> 
> 
> On 23 March 2015 at 12:27, Martin Basti <mbasti at redhat.com> wrote:
> 
>>  On 23/03/15 12:19, Roberto Cornacchia wrote:
>>
>> BTW, shouldn't named.conf contain an "allow-update" statement? Mine
>> doesn't. Or is this managed differently?
>>
>> It is not needed.
>> bind-dyndb-ldap plugin overrides this configuration, you just need to
>> enable updates in IPA zone setting.
>>
>> Martin
>>
>>
>>
>> On 23 March 2015 at 12:16, Roberto Cornacchia <
>> roberto.cornacchia at gmail.com> wrote:
>>
>>>
>>>
>>> On 23 March 2015 at 10:35, Petr Spacek <pspacek at redhat.com> wrote:
>>>
>>>> On 23.3.2015 10:21, Roberto Cornacchia wrote:
>>>>> About the DNS update, this is what the debug log has to say:
>>>>>
>>>>> Found zone name: hq.example.com
>>>>> The master is: ipa.hq.example.com
>>>>> start_gssrequest
>>>>> Found realm from ticket: HQ.EXAMPLE.COM
>>>>> send_gssrequest
>>>>> *; Communication with 192.168.0.72#53 failed: operation canceled*
>>>>> *Reply from SOA query:*
>>>>> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id:   4923
>>>>> ;; flags: qr ra; QUESTION: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
>>>>> ;; QUESTION SECTION:
>>>>> ;1835417091.sig-ipa.hq.example.com. ANY TKEY
>>>>>
>>>>> response to SOA query was unsuccessful
>>>>
>>>> - Please verify that 192.168.0.72 is the correct IP address of the
>>>> FreeIPA server.
>>>>
>>>
>>>  Positive
>>>
>>>
>>>> - Please check named.logs on the server side to see if there are any
>>>> complaints
>>>> about unsuccessful key negotiation with client.
>>>>
>>>>
>>>  I raised named's log level to debug 10 and restarted
>>> Ran ipa-client-install again.
>>> The log shows many queries from the client, for A/AAA/SOA record types,
>>> both about the server and the client. All approved, no problem.
>>> The log does not seem to contain a single failure / rejection.
>>>
>>>  However:
>>> 1) The client reports that response to SOA query was unsuccessful. The
>>> server log does not say anything about this.
>>> 2) The server log does not contain any update request
>>>
>>>
>>>>> Notice that it is *different* from what I got before the chronyd
>>>> change.
>>>>> Before, there was not even a reply:
>>>>>
>>>>> Found zone name: hq.example.com
>>>>> The master is: ipa.hq.example.com
>>>>> start_gssrequest
>>>>> Found realm from ticket: HQ.EXAMPLE.COM
>>>>> send_gssrequest
>>>>> *; Communication with 192.168.0.72#53 failed: operation canceled*
>>>>> *could not reach any name server*
>>>>
>>>> Interesting, this should not be related to time synchronization in any
>>>> way.
>>>> DNS server simply did not return any answer.
>>>>
>>>> --
>>>> Petr^2 Spacek
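The capture steps above produce a pcap that someone then has to read. Below is an added example, not code from this thread or from the FreeIPA project, of a small stand-alone decoder for that file: it walks a classic pcap written by `tcpdump -i any` (Linux SLL link type 113) or by a plain Ethernet interface, pulls out the IPv4/UDP port-53 messages, decodes each DNS header and question, and lists the responses whose RCODE is not NOERROR. It also builds a constructed two-packet capture reproducing the quoted exchange (id 4923, flags qr ra, SERVFAIL, question `1835417091.sig-ipa.hq.example.com. ANY TKEY`), so it runs offline; the server address 192.168.0.72 and the message id come from the thread, while the client address 192.168.0.10 and source port 40000 are assumed values. The point it makes visible is that what nsupdate reports as its "SOA query" is really the TKEY negotiation query (class ANY, type TKEY), and that the failing answer carries SERVFAIL with `ra` set and `aa` clear, which is the request to look for in the server's named log.

```python
import struct

# Names for the codes seen in this thread (plus a few ipa-client-install touches); unknown codes print numerically.
TYPES = {1: "A", 6: "SOA", 28: "AAAA", 44: "SSHFP", 249: "TKEY", 250: "TSIG", 255: "ANY"}
CLASSES = {1: "IN", 255: "ANY"}
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED", 9: "NOTAUTH"}
OPCODES = {0: "QUERY", 5: "UPDATE"}
LINKTYPE_ETHERNET, LINKTYPE_LINUX_SLL = 1, 113   # `tcpdump -i any` writes Linux "cooked" SLL frames

def parse_name(msg, off):
    """Decode a (possibly compressed) domain name at msg[off]; return (name, next offset)."""
    labels = []
    while (length := msg[off]) != 0:
        if length & 0xC0 == 0xC0:                                  # compression pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            return ".".join(labels + [parse_name(msg, ptr)[0]]), off + 2
        labels.append(msg[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length
    return ".".join(labels) + ".", off + 1

def parse_dns(msg):
    """Decode the header and question section of one DNS message."""
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    info = {"id": ident, "qr": bool(flags & 0x8000), "aa": bool(flags & 0x0400),
            "rd": bool(flags & 0x0100), "ra": bool(flags & 0x0080),
            "opcode": OPCODES.get((flags >> 11) & 0xF, str((flags >> 11) & 0xF)),
            "rcode": RCODES.get(flags & 0xF, str(flags & 0xF)),
            "counts": (qd, an, ns, ar), "questions": []}
    off = 12
    for _ in range(qd):
        name, off = parse_name(msg, off)
        qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        # Same order as dig prints it: name, class, type (TKEY negotiation uses class ANY)
        info["questions"].append((name, CLASSES.get(qclass, str(qclass)), TYPES.get(qtype, str(qtype))))
    return info

def udp_dns_payload(frame, linktype):
    """Strip link, IPv4 and UDP headers; return (src, sport, dst, dport, dns) or None."""
    if linktype == LINKTYPE_LINUX_SLL:
        ethertype, l3 = struct.unpack("!H", frame[14:16])[0], frame[16:]
    elif linktype == LINKTYPE_ETHERNET:
        ethertype, l3 = struct.unpack("!H", frame[12:14])[0], frame[14:]
    else:
        return None
    if ethertype != 0x0800 or l3[9] != 17:      # IPv4 + UDP only; DNS over TCP is not decoded here
        return None
    ihl = (l3[0] & 0x0F) * 4
    src, dst = (".".join(str(b) for b in l3[i:i + 4]) for i in (12, 16))
    sport, dport, ulen = struct.unpack("!HHH", l3[ihl:ihl + 6])
    if 53 not in (sport, dport):
        return None
    return src, sport, dst, dport, l3[ihl + 8:ihl + ulen]

def summarize(pcap_bytes):
    """Walk a classic (microsecond) pcap file; return one dict per DNS-over-UDP message."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap_bytes[:4])
    if endian is None:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    linktype = struct.unpack(endian + "I", pcap_bytes[20:24])[0]
    rows, off = [], 24
    while off + 16 <= len(pcap_bytes):
        sec, usec, incl_len, _ = struct.unpack(endian + "IIII", pcap_bytes[off:off + 16])
        frame = pcap_bytes[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if hit := udp_dns_payload(frame, linktype):
            src, sport, dst, dport, dns = hit
            rows.append(dict(parse_dns(dns), time=sec + usec / 1e6, src=src, dst=dst))
    return rows

def failed_responses(rows):
    """Responses whose RCODE is not NOERROR; the SERVFAIL from the thread lands here."""
    return [r for r in rows if r["qr"] and r["rcode"] != "NOERROR"]

# --- Constructed sample capture (not real traffic) so the script runs offline ---
def _name(name):
    return b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"

def _frame(src, dst, sport, dport, dns):
    """SLL + IPv4 + UDP frame; checksums are left zero because the parser ignores them."""
    ip4 = lambda a: bytes(int(x) for x in a.split("."))
    udp = struct.pack("!HHHH", sport, dport, 8 + len(dns), 0) + dns
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0, ip4(src), ip4(dst)) + udp
    return struct.pack("!HHH8sH", 0, 1, 6, b"\0" * 8, 0x0800) + ip

def build_sample_pcap():
    """The exchange quoted in the thread: the TKEY query nsupdate calls its 'SOA query' and the
    SERVFAIL answer (id 4923, flags qr ra). Server 192.168.0.72 and the id are from the thread;
    client address 192.168.0.10 and source port 40000 are assumed values."""
    question = _name("1835417091.sig-ipa.hq.example.com.") + struct.pack("!HH", 249, 255)  # TKEY, ANY
    query = struct.pack("!HHHHHH", 4923, 0x0000, 1, 0, 0, 0) + question   # no RD: the reply shows only qr ra
    reply = struct.pack("!HHHHHH", 4923, 0x8082, 1, 0, 0, 0) + question   # qr | ra | rcode 2 (SERVFAIL)
    frames = [_frame("192.168.0.10", "192.168.0.72", 40000, 53, query),
              _frame("192.168.0.72", "192.168.0.10", 53, 40000, reply)]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_LINUX_SLL)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", i, 0, len(f), len(f)) + f
    return out

if __name__ == "__main__":
    # For a real capture from the steps above: summarize(open("/tmp/dns.pcap", "rb").read())
    for r in summarize(build_sample_pcap()):
        print(f"{r['src']} -> {r['dst']} {'response' if r['qr'] else 'query'} id={r['id']} "
              f"{r['opcode']} {r['rcode']} aa={r['aa']} {r['questions']}")
```

Two caveats when pointing this at a real /tmp/dns.pcap: the decoder only follows IPv4 over UDP, so a GSS-TSIG negotiation or update that falls back to TCP is skipped rather than decoded, and it expects the classic pcap format tcpdump writes by default, not pcapng. Matching the message id and question name of a SERVFAIL row against the server's debug-level named log is the quickest way to tell whether the server saw the request at all.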
