[Freeipa-users] SSHFP upload

Sean Hogan schogan at us.ibm.com
Fri May 6 19:18:18 UTC 2016



Hi All,

  Wondering if someone knows how the SSHFPs of a box are getting uploaded
to IPA during ipa-client-install --enable-dns-updates? Is it going over
port 389, 636, 22?

Have an issue that on one network my enrolls work fine and everything gets
updated.  A new network was put in place but still part of the same domain
and I get SSHFP failed to upload.  I was assuming this has something to do
with DNS but Network team says bidirectional port 53 is good and I can
nslookup.  Both new and old networks point to the same IPA DNS server for
enrolling.  The IPs of the new network still fall in my reverse zone.

So my DNS is set up with:
test.local
10.in-addr.arpa

and the IP scheme for new net is 10.5.x.x, old net is 10.35.x.x



Results of current Network

 Enrolled in IPA realm TEST.LOCAL
 Created /etc/ipa/default.conf
 New SSSD config will be created
 Configured sudoers in /etc/nsswitch.conf
 Configured /etc/sssd/sssd.conf
 Configured /etc/krb5.conf for IPA realm TEST.LOCAL
 trying https://bob.test.local/ipa/xml
 Forwarding 'env' to server u'https://bob.test.local/ipa/xml'
 DNS server record set to: dingle.test.local -> IP of dingle
 Adding SSH public key from /etc/ssh/ssh_host_dsa_key.pub
 Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
 Forwarding 'host_mod' to server u'https://bob.test.local/ipa/xml'
 SSSD enabled
 Configuring test.local as NIS domain
 Configured /etc/openldap/ldap.conf
 NTP enabled
 Configured /etc/ssh/ssh_config
 Configured /etc/ssh/sshd_config
 Client configuration complete.

Results of New network

 Enrolled in IPA realm TEST.LOCAL
 Attempting to get host TGT...
 Created /etc/ipa/default.conf
 New SSSD config will be created
 Configured sudoers in /etc/nsswitch.conf
 Configured /etc/sssd/sssd.conf
 Configured /etc/krb5.conf for IPA realm TEST.LOCAL
 trying https://bob.test.local/ipa/xml
 Forwarding 'env' to server u'https://bob.test.local/ipa/xml'
 Failed to update DNS records.
 Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
 Adding SSH public key from /etc/ssh/ssh_host_dsa_key.pub
 Forwarding 'host_mod' to server u'https://bob.test.local/ipa/xml'
 Could not update DNS SSHFP records.
 SSSD enabled
 Configuring test.local as NIS domain
 Configured /etc/openldap/ldap.conf
 NTP enabled
 Configured /etc/ssh/ssh_config
 Configured /etc/ssh/sshd_config
 Client configuration complete

Sean Hogan
