[Freeipa-users] Fwd: DNS update failing

Martin Bašti mbasti at redhat.com
Fri May 12 13:27:03 UTC 2017


Hello, could you check journalctl -u named-pkcs11 on the server? There might 
be a more detailed description of why it failed. What do you have configured 
in /etc/resolv.conf on the client side; is it directly the IP address of the 
server?


On 12.05.2017 15:04, Jason Sherrill wrote:
> Mistakenly failed to post to freeipa-users.
>
> ---------- Forwarded message ----------
> From: Jason Sherrill <jason at deeplocal.com>
> Date: Thu, May 11, 2017 at 9:16 AM
> Subject: Re: [Freeipa-users] DNS update failing
> To: Martin Bašti <mbasti at redhat.com>
>
>
> Thank you for the assistance, Martin. The reverse zone is working 
> because of a policy I'd added: grant * tcp-self *. The same entry 
> for the forward zone did not work. I ran the manual update as 
> described and was refused. It seems GSS-TSIG is working, but the 
> update is still refused:
>
>     [root at ipa-1 jsherrill]# kinit -kt /etc/krb5.keytab
>     [root at ipa-1 jsherrill]# nsupdate -g
>     > debug
>     > update add testbook3.int.dplcl.com. 86400 a 10.0.1.36
>     >
>     Reply from SOA query:
>     ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:  45996
>     ;; flags: qr aa rd ra; QUESTION: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
>     ;; QUESTION SECTION:
>     ;testbook3.int.dplcl.com.      IN      SOA
>
>     ;; AUTHORITY SECTION:
>     int.dplcl.com.  3600    IN      SOA     ipa-1.int.dplcl.com. hostmaster.int.dplcl.com. 1494432187 3600 900 1209600 3600
>
>     Found zone name: int.dplcl.com
>     The master is: ipa-1.int.dplcl.com
>     start_gssrequest
>     Found realm from ticket: INT.DPLCL.COM
>     send_gssrequest
>     Outgoing update query:
>     ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:  23945
>     ;; flags:; QUESTION: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
>     ;; QUESTION SECTION:
>     ;3601322568.sig-ipa-1.int.dplcl.com.   ANY     TKEY
>
>     ;; ADDITIONAL SECTION:
>     3601322568.sig-ipa-1.int.dplcl.com. 0  ANY     TKEY    gss-tsig. ****
>
>     recvmsg reply from GSS-TSIG query
>     ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:  23945
>     ;; flags: qr ra; QUESTION: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
>     ;; QUESTION SECTION:
>     ;3601322568.sig-ipa-1.int.dplcl.com.   ANY     TKEY
>
>     ;; ANSWER SECTION:
>     3601322568.sig-ipa-1.int.dplcl.com. 0  ANY     TKEY    gss-tsig. ****
>
>     Sending update to 10.0.1.5#53
>     Outgoing update query:
>     ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:  13230
>     ;; flags:; ZONE: 1, PREREQ: 0, UPDATE: 1, ADDITIONAL: 1
>     ;; UPDATE SECTION:
>     testbook3.int.dplcl.com. 86400  IN      A       10.0.1.36
>
>     ;; TSIG PSEUDOSECTION:
>     3601322568.sig-ipa-1.int.dplcl.com. 0  ANY     TSIG    gss-tsig. **** 13230 NOERROR 0
>
>     Reply from update query:
>     ;; ->>HEADER<<- opcode: UPDATE, status: REFUSED, id:  13230
>     ;; flags: qr ra; ZONE: 1, PREREQ: 0, UPDATE: 0, ADDITIONAL: 1
>     ;; ZONE SECTION:
>     ;int.dplcl.com.                IN      SOA
>
>     ;; TSIG PSEUDOSECTION:
>     3601322568.sig-ipa-1.int.dplcl.com. 0  ANY     TSIG    gss-tsig. **** 13230 NOERROR 0
>
>
> On Thu, May 11, 2017 at 4:09 AM, Martin Bašti <mbasti at redhat.com> wrote:
>
>
>
>     On 10.05.2017 18:38, Jason Sherrill wrote:
>>     Hello,
>>
>>     I've recently implemented freeIPA in a mixed environment of Mac
>>     OS 10.12 and Windows 10 with limited issues!
>>
>>     One issue is that updating the reverse zone via nsupdate works
>>     without issue, but updating the forward zone results in a REFUSED
>>     status. Below is my zone config, named.conf, and an example of
>>     client-side behavior. I'm new to nearly all systems involved;
>>     misconfiguration is likely. Thanks!
>>
>>
>>         From freeIPA server:
>>
>>         #  ipa dnszone-show int.dplcl.com --all
>>          dn: idnsname=int.dplcl.com.,cn=dns,dc=int,dc=dplcl,dc=com
>>          Zone name: int.dplcl.com.
>>          Active zone: TRUE
>>          Authoritative nameserver: ipa-1.int.dplcl.com.
>>          Administrator e-mail address: hostmaster.int.dplcl.com.
>>          SOA serial: 1494344164
>>          SOA refresh: 3600
>>          SOA retry: 900
>>          SOA expire: 1209600
>>          SOA minimum: 3600
>>          BIND update policy: grant INT.DPLCL.COM krb5-self * A; grant INT.DPLCL.COM krb5-self * AAAA; grant INT.DPLCL.COM krb5-self * SSHFP;
>>          Dynamic update: TRUE
>>          Allow query: any;
>>          Allow transfer: none;
>>          Allow PTR sync: TRUE
>>          Allow in-line DNSSEC signing: FALSE
>>          nsrecord: ipa-1.int.dplcl.com.
>>          objectclass: idnszone, top, idnsrecord, ipadnszone
>>
>>
>>         /etc/named.conf from IPA server:
>>
>>         options {
>>                // turns on IPv6 for port 53, IPv4 is on by default for all ifaces
>>                listen-on-v6 {any;};
>>
>>                // Put files that named is allowed to write in the data/ directory:
>>                directory "/var/named"; // the default
>>                dump-file               "data/cache_dump.db";
>>                statistics-file         "data/named_stats.txt";
>>                memstatistics-file      "data/named_mem_stats.txt";
>>
>>                // Any host is permitted to issue recursive queries
>>                allow-recursion { any; };
>>
>>                tkey-gssapi-keytab "/etc/named.keytab";
>>                pid-file "/run/named/named.pid";
>>
>>                dnssec-enable no;
>>                dnssec-validation no;
>>
>>                /* Path to ISC DLV key */
>>                bindkeys-file "/etc/named.iscdlv.key";
>>
>>                managed-keys-directory "/var/named/dynamic";
>>         };
>>
>>         /* If you want to enable debugging, eg. using the 'rndc trace' command,
>>         * By default, SELinux policy does not allow named to modify the /var/named directory,
>>         * so put the default debug log file in data/ :
>>         */
>>         logging {
>>                channel default_debug {
>>                        file "data/named.run";
>>                        severity dynamic;
>>                        print-time yes;
>>                };
>>         };
>>
>>         zone "." IN {
>>                type hint;
>>                file "named.ca";
>>         };
>>
>>         include "/etc/named.rfc1912.zones";
>>         include "/etc/named.root.key";
>>
>>         dynamic-db "ipa" {
>>                library "ldap.so";
>>                arg "uri ldapi://%2fvar%2frun%2fslapd-INT-DPLCL-COM.socket";
>>                arg "base cn=dns, dc=int,dc=dplcl,dc=com";
>>                arg "server_id ipa-1.int.dplcl.com";
>>                arg "auth_method sasl";
>>                arg "sasl_mech GSSAPI";
>>                arg "sasl_user DNS/ipa-1.int.dplcl.com";
>>                arg "serial_autoincrement yes";
>>         };
>>
>>
>>
>>         From client macbook:
>>
>>         testbook3:etc jsherrill$ nsupdate
>>         > debug
>>         > update add testbook3.int.dplcl.com 86400 a 10.0.1.36
>>         >
>>         Reply from SOA query:
>>         ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id:   3049
>>         ;; flags: qr aa rd ra; QUESTION: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
>>         ;; QUESTION SECTION:
>>         ;testbook3.int.dplcl.com.      IN      SOA
>>
>>         ;; AUTHORITY SECTION:
>>         int.dplcl.com.  0       IN      SOA     ipa-1.int.dplcl.com. hostmaster.int.dplcl.com. 1494425173 3600 900 1209600 3600
>>
>>         Found zone name: int.dplcl.com
>>         The master is: ipa-1.int.dplcl.com
>>         Sending update to 10.0.1.5#53
>>         Outgoing update query:
>>         ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:  33167
>>         ;; flags:; ZONE: 1, PREREQ: 0, UPDATE: 1, ADDITIONAL: 0
>>         ;; UPDATE SECTION:
>>         testbook3.int.dplcl.com. 86400  IN      A       10.0.1.36
>>
>>         Reply from update query:
>>         ;; ->>HEADER<<- opcode: UPDATE, status: REFUSED, id:  33167
>>         ;; flags: qr ra; ZONE: 1, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
>>         ;; ZONE SECTION:
>>         ;int.dplcl.com.                IN      SOA
>>         -- 
>>
>>
>>     Jason Sherrill
>>     Deeplocal Inc. <http://deeplocal.com/>
>>     mobile: 412-636-2073
>>     office: 412-362-0201
>>
>>
>
>
>     Hello,
>
>     DNS updates use the GSS-TSIG mechanism by default in FreeIPA, so
>     you cannot use plain nsupdate without providing credentials.
>
>     Here is the policy; hosts can update only their own records using
>     GSS-TSIG (Kerberos):
>
>     BIND update policy: grant INT.DPLCL.COM krb5-self * A; grant INT.DPLCL.COM krb5-self * AAAA; grant INT.DPLCL.COM krb5-self * SSHFP;
>
>     So for manual updates via nsupdate, you have to do the following steps:
>
>     1, kinit -kt /etc/krb5.keytab
>
>     2, nsupdate -g
>
>     ... update A records ...
>
>     I don't know why a reverse zone works for you; you should check the
>     policy of the reverse zone.
>
>     Martin
>
>     -- 
>     Martin Bašti
>     Software Engineer
>     Red Hat Czech
>
>
>
>
> -- 
>
> Jason Sherrill
> Deeplocal Inc. <http://deeplocal.com/>
> mobile: 412-636-2073
> office: 412-362-0201
>
>
>
>

-- 
Martin Bašti
Software Engineer
Red Hat Czech
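The two update-policy rule types the thread turns on, as an added example that is not code from the thread, from FreeIPA or from BIND: a toy Python evaluator for krb5-self (a host principal may touch only the records bearing its own name, in the listed types) and for tcp-self (any TCP client may rewrite the PTR name that maps back to its source address, with no authentication at all, which is why the reverse zone "worked" without kinit). It assumes the simplified grammar "grant IDENTITY RULETYPE NAME [TYPES...]" seen above, ignores the NAME field, and models BIND's first-match-wins evaluation; the Request type and every sample value are constructed.

```python
# Added example, not code from the thread or from BIND/FreeIPA: a toy evaluator
# for the two update-policy rule types discussed, krb5-self and tcp-self. It
# assumes the simplified grammar "grant IDENTITY RULETYPE NAME [TYPES...]".
from dataclasses import dataclass
from ipaddress import ip_address

@dataclass(frozen=True)
class Request:               # constructed model of one DNS UPDATE request
    name: str                # owner name being updated, e.g. "testbook3.int.dplcl.com"
    rtype: str               # record type, e.g. "A" or "PTR"
    principal: str           # GSS-TSIG principal, "" if the update is unauthenticated
    src_ip: str              # source address of the UPDATE message
    tcp: bool                # True if the update arrived over TCP

def parse_policy(text: str):
    """Split 'grant X krb5-self * A; grant * tcp-self *;' into rule tuples."""
    rules = []
    for stmt in filter(None, (s.strip() for s in text.split(";"))):
        action, identity, ruletype, _name, *types = stmt.split()
        rules.append((action, identity, ruletype, frozenset(t.upper() for t in types)))
    return rules

def rule_matches(rule, req: Request) -> bool:
    _action, identity, ruletype, types = rule
    target = req.name.rstrip(".")
    if types and req.rtype.upper() not in types:   # no types listed = any ordinary type
        return False
    if ruletype == "krb5-self":
        # Only host/<fqdn>@REALM may touch <fqdn>, and only when REALM == identity.
        if "@" not in req.principal:
            return False
        primary, realm = req.principal.rsplit("@", 1)
        if realm != identity or not primary.startswith("host/"):
            return False
        return primary[len("host/"):].rstrip(".") == target
    if ruletype == "tcp-self":
        # No authentication at all: any TCP client may rewrite the PTR name that
        # maps back to its own source address; with no types listed (as in the
        # thread's rule) that covers every ordinary type, so restrict it to PTR.
        return identity == "*" and req.tcp and ip_address(req.src_ip).reverse_pointer == target
    return False

def update_allowed(policy: str, req: Request) -> bool:
    """First matching rule wins, as in BIND; no matching grant means REFUSED."""
    for rule in parse_policy(policy):
        if rule_matches(rule, req):
            return rule[0] == "grant"
    return False
```

Running the forward-zone policy against a host principal shows why a plain nsupdate (empty principal) is REFUSED while nsupdate -g with host/testbook3 is granted, and the tcp-self rule shows the reverse zone accepting an unauthenticated TCP update for the client's own PTR.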
