[Freeipa-users] SSHFP upload

Martin Basti mbasti at redhat.com
Fri May 6 20:25:20 UTC 2016



On 06.05.2016 22:18, Sean Hogan wrote:
>
> Yes sir..
>
> Dynamic update value is set to true on both test.local and the reverse 
> zone.
>
> From what Robert mentioned I am looking at the install logs now.
>
>
> So this is where DNS update is bombing:
> 2016-04-26T16:31:08Z DEBUG args=/usr/bin/nsupdate -g 
> /etc/ipa/.dns_update.txt
> 2016-04-26T16:31:08Z DEBUG stdout=
> 2016-04-26T16:31:08Z DEBUG stderr=; Communication with "Correct DNS 
> server IP"#53 failed:
> operation canceled
> could not talk to any default name server
>
That is weird. Maybe do you have TCP/53 allowed? It may try to use TCP 
instead of UDP.

And please check on "Correct DNS server" if there is any logged entry 
about dynamic update from client (journalctl -u named[-pkcs11])

Martin
>
>
> 2016-04-26T16:31:08Z DEBUG nsupdate failed: Command '/usr/bin/nsupdate 
> -g /etc/i
> pa/.dns_update.txt' returned non-zero exit status 1
> 2016-04-26T16:31:08Z ERROR Failed to update DNS records.
>
> And this is where SSHFP updates are bombing:
> 2016-04-26T16:31:09Z DEBUG args=/usr/bin/nsupdate -g 
> /etc/ipa/.dns_update.txt
> 2016-04-26T16:31:09Z DEBUG stdout=
> 2016-04-26T16:31:09Z DEBUG stderr=; Communication with "Correct DNS 
> server IP"#53 failed:
> operation canceled
> could not talk to any default name server
>
> 2016-04-26T16:31:09Z DEBUG nsupdate failed: Command '/usr/bin/nsupdate 
> -g /etc/i
> pa/.dns_update.txt' returned non-zero exit status 1
> 2016-04-26T16:31:09Z WARNING Could not update DNS SSHFP records.
> 2016-04-26T16:31:09Z DEBUG args=/sbin/service nscd status
> 2016-04-26T16:31:09Z DEBUG stdout=
> 2016-04-26T16:31:09Z DEBUG stderr=nscd: unrecognized service
>
>
> So it looks like it can not talk to port 53 but nslookup is working 
> fine from the box and outputting the server response as the correct 
> dns ip which is in the logs
> Server: correct IP of DNS server
> Address: correct IP of DNS server#53
>
> Name: dingle.test.local
> Address: correct ip of dingle
>
> resolv.conf has 1st listing as the same ip as in the logs and nslookup 
> result.
>
> Sean Hogan
>
>
>
>
>
>
> From: Martin Basti <mbasti at redhat.com>
> To: Sean Hogan/Durham/IBM at IBMUS, freeipa-users <freeipa-users at redhat.com>
> Date: 05/06/2016 12:25 PM
> Subject: Re: [Freeipa-users] SSHFP upload
>
>
>
>
> Hello, records are updated by nslookup
>
> do you have allowed dynamic updates in the zone settings?
>
> Martin
>
>
> On 06.05.2016 21:18, Sean Hogan wrote:
>
>         Hi All,
>
>         Wondering if someone knows how the SSHFPs of a box are getting
>         uploaded to IPA during ipa-client-install
>         --enable-dns-updates? Is it going over port 389,636,22?
>
>         Have an issue that on one network my enrolls work fine and
>         everything gets updated. A new network was put in place but
>         still part of the same domain and I get SSHFP failed to
>         upload. I was assuming this has something to do with DNS but
>         Network team says bi directional port 53 is good and I can
>         nslookup. Both new and old networks point to the same IPA DNS
>         server for enrolling. The IPs of the new network still fall in
>         my reverse zone.
>
>         So My DNS is setup with:
>         test.local
>         10.in-addr.arpa
>
>         and the IP scheme for new net is 10.5.x.x, old net is 10.35.x.x
>
>
>
>         Results of current Network
>
>         Enrolled in IPA realm TEST.LOCAL
>         Created /etc/ipa/default.conf
>         New SSSD config will be created
>         Configured sudoers in /etc/nsswitch.conf
>         Configured /etc/sssd/sssd.conf
>         Configured /etc/krb5.conf for IPA realm TEST.LOCAL
>         trying https://bob.test.local/ipa/xml
>         Forwarding 'env' to server u'https://bob.test.local/ipa/xml'
>         DNS server record set to: dingle.test.local -> IP of dingle
>         Adding SSH public key from /etc/ssh/ssh_host_dsa_key.pub
>         Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
>         Forwarding 'host_mod' to server u'https://bob.test.local/ipa/xml'
>         SSSD enabled
>         Configuring test.local as NIS domain
>         Configured /etc/openldap/ldap.conf
>         NTP enabled
>         Configured /etc/ssh/ssh_config
>         Configured /etc/ssh/sshd_config
>         Client configuration complete.
>
>
>
>
>         Results of New network
>         Enrolled in IPA realm TEST.LOCAL
>         Attempting to get host TGT...
>         Created /etc/ipa/default.conf
>         New SSSD config will be created
>         Configured sudoers in /etc/nsswitch.conf
>         Configured /etc/sssd/sssd.conf
>         Configured /etc/krb5.conf for IPA realm TEST.LOCAL
>         trying https://bob.test.local/ipa/xml
>         Forwarding 'env' to server u'https://bob.test.local/ipa/xml'
>         Failed to update DNS records.
>         Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
>         Adding SSH public key from /etc/ssh/ssh_host_dsa_key.pub
>         Forwarding 'host_mod' to server u'https://bob.test.local/ipa/xml'
>         Could not update DNS SSHFP records.
>         SSSD enabled
>         Configuring test.local as NIS domain
>         Configured /etc/openldap/ldap.conf
>         NTP enabled
>         Configured /etc/ssh/ssh_config
>         Configured /etc/ssh/sshd_config
>         Client configuration complete
>
>
>
>
>
>         Sean Hogan
>
>
>
>
>
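The thread turns on one point: nslookup succeeding over UDP/53 says nothing about TCP/53, and nsupdate with GSS-TSIG may need TCP. The following script is an added example, not code from the thread or from FreeIPA; it builds a minimal DNS SOA query for the zone by hand (RFC 1035 wire format), sends it to the IPA DNS server once over UDP and once over TCP (TCP adds a 2-byte length prefix), and reports which transport answered. The server address and zone name are placeholders you supply on the command line.

```python
#!/usr/bin/env python3
"""Probe a DNS server on UDP/53 and TCP/53 separately.

Added example for the "could not talk to any default name server" case:
a server that answers nslookup over UDP may still be unreachable over
TCP, which nsupdate (GSS-TSIG, large update messages) may require.
"""
import socket
import struct
import sys

QTYPE_A = 1
QTYPE_SOA = 6
QCLASS_IN = 1
TXID = 0x1234          # fixed transaction id so replies can be matched


def encode_name(name):
    """Encode a dotted name as DNS labels: 'test.local' -> b'\\x04test\\x05local\\x00'."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += struct.pack("B", len(raw)) + raw
    return out + b"\x00"


def build_query(name, qtype=QTYPE_SOA, txid=TXID):
    """Build a standard query: header (RD set, QDCOUNT=1) plus one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    question = encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)
    return header + question


def frame_tcp(msg):
    """RFC 1035 4.2.2: over TCP every message is preceded by a 2-byte length."""
    return struct.pack("!H", len(msg)) + msg


def parse_header(resp):
    """Decode the 12-byte header of a reply into the fields worth checking."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    return {
        "id": txid,
        "is_response": bool(flags & 0x8000),   # QR bit
        "truncated": bool(flags & 0x0200),     # TC bit: UDP reply was cut, retry over TCP
        "rcode": flags & 0x000F,
        "answers": an,
    }


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise OSError("connection closed before full DNS message arrived")
        buf += chunk
    return buf


def probe_udp(server, query, timeout=3.0):
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, 53))
        data, _ = s.recvfrom(4096)
    return parse_header(data)


def probe_tcp(server, query, timeout=3.0):
    with socket.create_connection((server, 53), timeout=timeout) as s:
        s.sendall(frame_tcp(query))
        (length,) = struct.unpack("!H", _recv_exact(s, 2))
        data = _recv_exact(s, length)
    return parse_header(data)


def check_transports(server, zone):
    """Return {'udp': ..., 'tcp': ...} describing whether each transport got a valid reply."""
    query = build_query(zone, QTYPE_SOA)
    results = {}
    for label, fn in (("udp", probe_udp), ("tcp", probe_tcp)):
        try:
            hdr = fn(server, query)
            matched = hdr["is_response"] and hdr["id"] == TXID
            results[label] = "ok" if matched else "unexpected reply"
        except OSError as exc:               # timeout, refused, reset, closed
            results[label] = "failed: %s" % exc
    return results


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: dns_transport_probe.py <dns-server-ip> <zone>")
    for transport, status in check_transports(sys.argv[1], sys.argv[2]).items():
        print("%s/53: %s" % (transport, status))
```

If UDP reports `ok` and TCP reports `failed: timed out` or `Connection refused`, the path between the client and the DNS server drops or rejects TCP/53, which matches nslookup working while nsupdate reports that it could not talk to the server; on the server side, the corresponding `named` journal entries Martin asks about would simply be absent because the connection never arrived.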
