[Freeipa-users] SSHFP upload
Sean Hogan
schogan at us.ibm.com
Fri May 6 21:36:03 UTC 2016
Hi Martin,
TCP 53 was not open as per the firewall request and ipa docs. That is
corrected now but it is still failing to update sshfp but now instead of
can not comm with DNS server I am getting the below.
This is on a box that was enrolled... I ipa client-install --uninstall ...
remove ca.crt and krb5.keytab and then ran ipa-client-install
--enable-dns-update --force
2016-05-06T21:27:16Z DEBUG args=/usr/bin/nsupdate
-g /etc/ipa/.dns_update.txt
2016-05-06T21:27:16Z DEBUG stdout=
2016-05-06T21:27:16Z DEBUG stderr=; Communication with Correct DNS IP#53
failed: operation canceled
; response to SOA query was unsuccessful
2016-05-06T21:27:16Z DEBUG nsupdate failed: Command '/usr/bin/nsupdate
-g /etc/ipa/.dns_update.txt' returned non-zero exit status 1
2016-05-06T21:27:16Z WARNING Could not update DNS SSHFP records.
2016-05-06T21:27:16Z DEBUG args=/sbin/service nscd status
2016-05-06T21:27:16Z DEBUG stdout=
2016-05-06T21:27:16Z DEBUG stderr=nscd: unrecognized service
Sean Hogan
From: Martin Basti <mbasti at redhat.com>
To: Sean Hogan/Durham/IBM at IBMUS
Cc: freeipa-users <freeipa-users at redhat.com>
Date: 05/06/2016 01:25 PM
Subject: Re: [Freeipa-users] SSHFP upload
On 06.05.2016 22:18, Sean Hogan wrote:
Yes sir..
Dynamic update value is set to true on both test.local and the
reverse zone.
Form what Robert mentioned I am looking at the install logs now.
So this is where DNS update is bombing:
2016-04-26T16:31:08Z DEBUG args=/usr/bin/nsupdate
-g /etc/ipa/.dns_update.txt
2016-04-26T16:31:08Z DEBUG stdout=
2016-04-26T16:31:08Z DEBUG stderr=; Communication with "Correct DNS
server IP"#53 failed:
operation canceled
could not talk to any default name server
That is weird, maybe do you have allowed TCP/53? It may try to use TCP
instead of UDP
And please check on "Correct DNS server" if there is any logged entry about
dynamic update from client (journalctl -u named[-pkcs11])
Martin
2016-04-26T16:31:08Z DEBUG nsupdate failed: Command
'/usr/bin/nsupdate -g /etc/i
pa/.dns_update.txt' returned non-zero exit status 1
2016-04-26T16:31:08Z ERROR Failed to update DNS records.
And this is where SSHFP updates are bombing:
2016-04-26T16:31:09Z DEBUG args=/usr/bin/nsupdate
-g /etc/ipa/.dns_update.txt
2016-04-26T16:31:09Z DEBUG stdout=
2016-04-26T16:31:09Z DEBUG stderr=; Communication with "Correct DNS
server IP"#53 failed:
operation canceled
could not talk to any default name server
2016-04-26T16:31:09Z DEBUG nsupdate failed: Command
'/usr/bin/nsupdate -g /etc/i
pa/.dns_update.txt' returned non-zero exit status 1
2016-04-26T16:31:09Z WARNING Could not update DNS SSHFP records.
2016-04-26T16:31:09Z DEBUG args=/sbin/service nscd status
2016-04-26T16:31:09Z DEBUG stdout=
2016-04-26T16:31:09Z DEBUG stderr=nscd: unrecognized service
So it looks like it can not talk to port 53 but nslookup is working
fine from the box and outputting the server response as the correct
dns ip which is in the logs
Server: correct IP of DNS server
Address: correct IP of DNS server#53
Name: dingle.test.local
Address: correct ip of dingle
reoslv.conf has 1st listing as the same ip as in the logs and
nslookup result.
Sean Hogan
Inactive
hide details for Martin Basti ---05/06/2016
12:25:59
PM---Hello, records are updated by nslookup do you
have
allowed dMartin Basti ---05/06/2016 12:25:59
PM---Hello, records are updated by nslookup do you have allowed
dynamic updates in the zone settings?
From: Martin Basti <mbasti at redhat.com>
To: Sean Hogan/Durham/IBM at IBMUS, freeipa-users
<freeipa-users at redhat.com>
Date: 05/06/2016 12:25 PM
Subject: Re: [Freeipa-users] SSHFP upload
Hello, records are updated by nslookup
do you have allowed dynamic updates in the zone settings?
Martin
On 06.05.2016 21:18, Sean Hogan wrote:
Hi All,
Wondering if someone knows how the SSHFPs of a box are
getting uploaded to IPA during ipa-client-install
--enable-dns-updates? Is it going over port 389,636,22?
Have an issue that on one network my enrolls work fine
and everything gets updated. A new network was put in
place but still part of the same domain and I get SSHFP
failed to upload. I was assuming this has something to do
with DNS but Network team says bi directional port 53 is
good and I can nslookup. Both new and old networks point
to the same IPA DNS server for enrolling. The IPs of the
new network still fall in my reverse zone.
So My DNS is setup with:
test.local
10.in-addr.arpa
and the IP scheme for new net is 10.5.x.x, old net is
10.35.x.x
Results of current Network
Enrolled in IPA realm TEST.LOCAL
Created /etc/ipa/default.conf
New SSSD config will be created
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm TEST.LOCAL
trying https://bob.test.local/ipa/xml
Forwarding 'env' to server u'
https://bob.test.local/ipa/xml'
DNS server record set to: dingle.test.local -> IP of
dingle
Adding SSH public key
from /etc/ssh/ssh_host_dsa_key.pub
Adding SSH public key
from /etc/ssh/ssh_host_rsa_key.pub
Forwarding 'host_mod' to server u'
https://bob.test.local/ipa/xml'
SSSD enabled
Configuring test.local as NIS domain
Configured /etc/openldap/ldap.conf
NTP enabled
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Client configuration complete.
Results of New network
Enrolled in IPA realm TEST.LOCAL
Attempting to get host TGT...
Created /etc/ipa/default.conf
New SSSD config will be created
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm TEST.LOCAL
trying https://bob.test.local/ipa/xml
Forwarding 'env' to server u'
https://bob.test.local/ipa/xml'
Failed to update DNS records.
Adding SSH public key
from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key
from /etc/ssh/ssh_host_dsa_key.pub
Forwarding 'host_mod' to server u'
https://bob.test.local/ipa/xml'
Could not update DNS SSHFP records.
SSSD enabled
Configuring test.local as NIS domain
Configured /etc/openldap/ldap.conf
NTP enabled
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Client configuration complete
Sean Hogan
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20160506/030da824/attachment.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: graycol.gif
Type: image/gif
Size: 105 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20160506/030da824/attachment.gif>
More information about the Freeipa-users
mailing list