[Freeipa-users] Fwd: DNS update failing

Jason Sherrill jason at deeplocal.com
Fri May 12 13:04:08 UTC 2017


Mistakenly failed to post to freeipa-users.

---------- Forwarded message ----------
From: Jason Sherrill <jason at deeplocal.com>
Date: Thu, May 11, 2017 at 9:16 AM
Subject: Re: [Freeipa-users] DNS update failing
To: Martin Bašti <mbasti at redhat.com>


Thank you for the assistance, Martin. The reverse zone is working because
of a policy I'd added: grant * tcp-self *. The same entry for the forward
zone did not work. I ran the manual update as described and was refused. It
seems GSS-TSIG is working, but the update is still refused:

[root at ipa-1 jsherrill]# kinit -kt /etc/krb5.keytab

[root at ipa-1 jsherrill]# nsupdate -g

> debug

> update add testbook3.int.dplcl.com. 86400 a 10.0.1.36

>

Reply from SOA query:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:  45996

;; flags: qr aa rd ra; QUESTION: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:

;testbook3.int.dplcl.com. IN SOA

;; AUTHORITY SECTION:

int.dplcl.com. 3600 IN SOA ipa-1.int.dplcl.com. hostmaster.int.dplcl.com.
1494432187 3600 900 1209600 3600

Found zone name: int.dplcl.com

The master is: ipa-1.int.dplcl.com

start_gssrequest

Found realm from ticket: INT.DPLCL.COM

send_gssrequest

Outgoing update query:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:  23945

;; flags:; QUESTION: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; QUESTION SECTION:

;3601322568.sig-ipa-1.int.dplcl.com. ANY TKEY

;; ADDITIONAL SECTION:

3601322568.sig-ipa-1.int.dplcl.com. 0 ANY TKEY gss-tsig. ****

recvmsg reply from GSS-TSIG query

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:  23945

;; flags: qr ra; QUESTION: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:

;3601322568.sig-ipa-1.int.dplcl.com. ANY TKEY

;; ANSWER SECTION:

3601322568.sig-ipa-1.int.dplcl.com. 0 ANY TKEY gss-tsig. ****

Sending update to 10.0.1.5#53

Outgoing update query:

;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:  13230

;; flags:; ZONE: 1, PREREQ: 0, UPDATE: 1, ADDITIONAL: 1

;; UPDATE SECTION:

testbook3.int.dplcl.com. 86400 IN A 10.0.1.36

;; TSIG PSEUDOSECTION:

3601322568.sig-ipa-1.int.dplcl.com. 0 ANY TSIG gss-tsig. **** 13230 NOERROR
0


Reply from update query:

;; ->>HEADER<<- opcode: UPDATE, status: REFUSED, id:  13230

;; flags: qr ra; ZONE: 1, PREREQ: 0, UPDATE: 0, ADDITIONAL: 1

;; ZONE SECTION:

;int.dplcl.com. IN SOA

;; TSIG PSEUDOSECTION:

3601322568.sig-ipa-1.int.dplcl.com. 0 ANY TSIG gss-tsig. ****13230 NOERROR
0



On Thu, May 11, 2017 at 4:09 AM, Martin Bašti <mbasti at redhat.com> wrote:

>
>
> On 10.05.2017 18:38, Jason Sherrill wrote:
>
> Hello,
>
> I've recently implemented freeIPA in a mixed environment of Mac OS 10.12
> and Windows 10 with limited issues!
>
> One issue is that updating the reverse zone via nsupdate works without
> issue, updating to the forward zone results in a REFUSED status. Below is
> my zone config, named.conf, and an example of client-side behavior.  I'm
> new to nearly all systems involved- misconfiguration is likely. Thanks!
>
>
> From freeIPA server:
>
> #  ipa dnszone-show int.dplcl.com --all
>
>
>  dn: idnsname=int.dplcl.com.,cn=dns,dc=int,dc=dplcl,dc=com
>
>  Zone name: int.dplcl.com.
>
>  Active zone: TRUE
>
>  Authoritative nameserver: ipa-1.int.dplcl.com.
>
>  Administrator e-mail address: hostmaster.int.dplcl.com.
>
>  SOA serial: 1494344164
>
>  SOA refresh: 3600
>
>  SOA retry: 900
>
>  SOA expire: 1209600
>
>  SOA minimum: 3600
>
>  BIND update policy: grant INT.DPLCL.COM krb5-self * A; grant
> INT.DPLCL.COM krb5-self * AAAA; grant INT.DPLCL.COM krb5-self *
>
>                      SSHFP;
>
>  Dynamic update: TRUE
>
>  Allow query: any;
>
>  Allow transfer: none;
>
>  Allow PTR sync: TRUE
>
>  Allow in-line DNSSEC signing: FALSE
>
>  nsrecord: ipa-1.int.dplcl.com.
>
>  objectclass: idnszone, top, idnsrecord, ipadnszone
>
> /etc/named.conf from IPA server:
>
> options {
>
>        // turns on IPv6 for port 53, IPv4 is on by default for all ifaces
>
>        listen-on-v6 {any;};
>
>        // Put files that named is allowed to write in the data/ directory:
>
>        directory "/var/named"; // the default
>
>        dump-file               "data/cache_dump.db";
>
>        statistics-file         "data/named_stats.txt";
>
>        memstatistics-file      "data/named_mem_stats.txt";
>
>        // Any host is permitted to issue recursive queries
>
>        allow-recursion { any; };
>
>        tkey-gssapi-keytab "/etc/named.keytab";
>
>        pid-file "/run/named/named.pid";
>
>        dnssec-enable no;
>
>        dnssec-validation no;
>
>        /* Path to ISC DLV key */
>
>        bindkeys-file "/etc/named.iscdlv.key";
>
>        managed-keys-directory "/var/named/dynamic";
>
> };
>
> /* If you want to enable debugging, eg. using the 'rndc trace' command,
>
> * By default, SELinux policy does not allow named to modify the /var/named
> directory,
>
> * so put the default debug log file in data/ :
>
> */
>
> logging {
>
>        channel default_debug {
>
>                file "data/named.run";
>
>                severity dynamic;
>
>                print-time yes;
>
>        };
>
> };
>
> zone "." IN {
>
>        type hint;
>
>        file "named.ca";
>
> };
>
> include "/etc/named.rfc1912.zones";
>
> include "/etc/named.root.key";
>
> dynamic-db "ipa" {
>
>        library "ldap.so";
>
>        arg "uri ldapi://%2fvar%2frun%2fslapd-INT-DPLCL-COM.socket";
>
>        arg "base cn=dns, dc=int,dc=dplcl,dc=com";
>
>        arg "server_id ipa-1.int.dplcl.com";
>
>        arg "auth_method sasl";
>
>        arg "sasl_mech GSSAPI";
>
>        arg "sasl_user DNS/ipa-1.int.dplcl.com";
>
>        arg "serial_autoincrement yes";
>
> };
>
>
> From client macbook:
>
> testbook3:etc jsherrill$ nsupdate
>
> > debug
>
> > update add testbook3.int.dplcl.com 86400 a 10.0.1.36
>
> >
>
> Reply from SOA query:
>
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id:   3049
>
> ;; flags: qr aa rd ra; QUESTION: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
>
> ;testbook3.int.dplcl.com. IN SOA
>
> ;; AUTHORITY SECTION:
>
> int.dplcl.com. 0 IN SOA ipa-1.int.dplcl.com. hostmaster.int.dplcl.com.
> 1494425173 3600 900 1209600 3600
>
> Found zone name: int.dplcl.com
>
> The master is: ipa-1.int.dplcl.com
>
> Sending update to 10.0.1.5#53
>
> Outgoing update query:
>
> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:  33167
>
> ;; flags:; ZONE: 1, PREREQ: 0, UPDATE: 1, ADDITIONAL: 0
>
> ;; UPDATE SECTION:
>
> testbook3.int.dplcl.com. 86400 IN A 10.0.1.36
>
>
> Reply from update query:
>
> ;; ->>HEADER<<- opcode: UPDATE, status: REFUSED, id:  33167
>
> ;; flags: qr ra; ZONE: 1, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
>
> ;; ZONE SECTION:
> ;int.dplcl.com. IN SOA
> --
>
>
> *Jason Sherrill*
> Deeplocal Inc. <http://deeplocal.com/>
> mobile: 412-636-2073
> office: 412-362-0201
>
>
>
>
> Hello,
>
> DNS updates are using GSS-TSIG mechanism by default in FreeIPA, so you
> cannot use plain nsupdate without providing credentials
>
> Here is policy, hosts can update only its records using GSS-TSIG (kerberos)
>
> BIND update policy: grant INT.DPLCL.COM krb5-self * A; grant INT.DPLCL.COM
> krb5-self * AAAA; grant INT.DPLCL.COM krb5-self *
>
>                      SSHFP;
>
> So for manual updates via nsupdate, you have to do following steps:
>
> 1, kinit -kt /etc/krb5.keytab
>
> 2, nsupdate -g
>
> ... update A records ...
>
> I don't know why a reverse zone works for you, you should check policy of
> the reverse zone.
>
> Martin
>
> --
> Martin Bašti
> Software Engineer
> Red Hat Czech
>
>


-- 

*Jason Sherrill*
Deeplocal Inc. <http://deeplocal.com/>
mobile: 412-636-2073
office: 412-362-0201
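The refusal in the trace above is what the two rule types in this thread are designed to produce: krb5-self lets a Kerberos principal host/NAME@REALM update only the owner name NAME, and tcp-self lets a TCP client update only the reverse-mapping name of its own source address (with no authentication at all, so it is only as strong as the TCP session). The evaluator below is an added example, not code from the thread or from BIND/FreeIPA; it assumes the keytab on ipa-1 holds host/ipa-1.int.dplcl.com@INT.DPLCL.COM (not stated in the thread) and simplifies BIND's matching (BIND also excludes a few record types by default when no types are listed).

```python
"""Simplified evaluator for the BIND update-policy rule types seen in this
thread: krb5-self (forward zone) and tcp-self (reverse zone). Added example,
not BIND's own logic; policies are copied from the thread."""
import ipaddress
import re

FORWARD_POLICY = ("grant INT.DPLCL.COM krb5-self * A; "
                  "grant INT.DPLCL.COM krb5-self * AAAA; "
                  "grant INT.DPLCL.COM krb5-self * SSHFP;")
REVERSE_POLICY = "grant * tcp-self *;"


def parse_policy(policy: str):
    """Parse 'grant IDENTITY RULETYPE NAME [TYPES...];' statements."""
    rules = []
    for stmt in filter(None, (s.strip() for s in policy.split(";"))):
        parts = stmt.split()
        if len(parts) < 4 or parts[0] != "grant":
            raise ValueError(f"unsupported statement: {stmt!r}")
        rules.append({"identity": parts[1], "ruletype": parts[2],
                      "name": parts[3].rstrip(".").lower(),
                      # no explicit types means the rule covers any type
                      "types": {t.upper() for t in parts[4:]} or {"ANY"}})
    return rules


def krb5_self_allows(rule, principal, name):
    """Principal host/<name>@<REALM> may update only <name>; REALM must equal
    the rule's identity field. The name field ('*' here) is not consulted."""
    m = re.fullmatch(r"host/([^@]+)@(.+)", principal)
    if not m:
        return False
    host, realm = m.group(1).rstrip(".").lower(), m.group(2)
    return realm == rule["identity"] and host == name.rstrip(".").lower()


def tcp_self_allows(rule, source_ip, name):
    """Unauthenticated: the source address's reverse-pointer name must be the
    owner name being updated (e.g. 10.0.1.36 -> 36.1.0.10.in-addr.arpa)."""
    rev = ipaddress.ip_address(source_ip).reverse_pointer.lower()
    return rev == name.rstrip(".").lower()


def update_permitted(policy, name, rrtype, principal=None, source_ip=None):
    """True if any grant rule in the policy matches the requested update."""
    for rule in parse_policy(policy):
        if rule["types"] != {"ANY"} and rrtype.upper() not in rule["types"]:
            continue
        if rule["ruletype"] == "krb5-self" and principal:
            if krb5_self_allows(rule, principal, name):
                return True
        elif rule["ruletype"] == "tcp-self" and source_ip:
            if tcp_self_allows(rule, source_ip, name):
                return True
    return False
```

Running the trace's own request through it (ipa-1's host principal updating testbook3's A record) returns False, while host/testbook3.int.dplcl.com@INT.DPLCL.COM updating its own A record returns True, which is why Martin's "hosts can update only its records" applies to the forward zone.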


