[Freeipa-users] Fwd: DNS update failing

Jason Sherrill jason at deeplocal.com
Fri May 12 14:49:46 UTC 2017


I apologize; nsupdate is working as intended. I was attempting to update a
client from the IPA host. I have a separate issue from clients when running

testbook3:etc jsherrill$ kinit -kt /etc/krb5.keytab


Thanks again!

On Fri, May 12, 2017 at 10:34 AM, Jason Sherrill <jason at deeplocal.com>
wrote:

> The following log entry from *named-pkcs11* coincides with update
> attempts via nsupdate:
>
> May 12 10:07:49 ipa-1.int.dplcl.com named-pkcs11[1350]: client 10.0.1.5#47261/key host/ipa-1.int.dplcl.com\@INT.DPLCL.COM: updating zone 'int.dplcl.com/IN': update failed: rejected by secure update (REFUSED)
>
> The client is running Mac OS X with network services configured to use
> 10.0.1.5 and the following /etc/resolv.conf:
>
> search int.dplcl.com
> nameserver 10.0.1.5
> nameserver 8.8.8.8
>
> Thanks!
>
>
> On Fri, May 12, 2017 at 9:27 AM, Martin Bašti <mbasti at redhat.com> wrote:
>
>> Hello, could you check journalctl -u named-pkcs11 on the server? There might
>> be a more detailed description of why it failed. What do you have configured in
>> /etc/resolv.conf on the client side; is it directly the IP address of the server?
>>
>> On 12.05.2017 15:04, Jason Sherrill wrote:
>>
>> Mistakenly failed to post to freeipa-users.
>>
>> ---------- Forwarded message ----------
>> From: Jason Sherrill <jason at deeplocal.com>
>> Date: Thu, May 11, 2017 at 9:16 AM
>> Subject: Re: [Freeipa-users] DNS update failing
>> To: Martin Bašti <mbasti at redhat.com>
>>
>>
>> Thank you for the assistance, Martin. The reverse zone is working because
>> of a policy I'd added: grant * tcp-self *. The same entry for the forward
>> zone did not work. I ran the manual update as described and was refused.
>> It seems GSS-TSIG is working, but the update is still refused:
>>
>> [root at ipa-1 jsherrill]# kinit -kt /etc/krb5.keytab
>> [root at ipa-1 jsherrill]# nsupdate -g
>> > debug
>> > update add testbook3.int.dplcl.com. 86400 a 10.0.1.36
>> >
>>
>> Reply from SOA query:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:  45996
>> ;; flags: qr aa rd ra; QUESTION: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
>> ;; QUESTION SECTION:
>> ;testbook3.int.dplcl.com. IN SOA
>>
>> ;; AUTHORITY SECTION:
>> int.dplcl.com. 3600 IN SOA ipa-1.int.dplcl.com. hostmaster.int.dplcl.com. 1494432187 3600 900 1209600 3600
>>
>> Found zone name: int.dplcl.com
>> The master is: ipa-1.int.dplcl.com
>> start_gssrequest
>> Found realm from ticket: INT.DPLCL.COM
>> send_gssrequest
>> Outgoing update query:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:  23945
>> ;; flags:; QUESTION: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
>> ;; QUESTION SECTION:
>> ;3601322568.sig-ipa-1.int.dplcl.com. ANY TKEY
>>
>> ;; ADDITIONAL SECTION:
>> 3601322568.sig-ipa-1.int.dplcl.com. 0 ANY TKEY gss-tsig. ****
>>
>> recvmsg reply from GSS-TSIG query
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:  23945
>> ;; flags: qr ra; QUESTION: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
>> ;; QUESTION SECTION:
>> ;3601322568.sig-ipa-1.int.dplcl.com. ANY TKEY
>>
>> ;; ANSWER SECTION:
>> 3601322568.sig-ipa-1.int.dplcl.com. 0 ANY TKEY gss-tsig. ****
>>
>> Sending update to 10.0.1.5#53
>> Outgoing update query:
>> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:  13230
>> ;; flags:; ZONE: 1, PREREQ: 0, UPDATE: 1, ADDITIONAL: 1
>> ;; UPDATE SECTION:
>> testbook3.int.dplcl.com. 86400 IN A 10.0.1.36
>>
>> ;; TSIG PSEUDOSECTION:
>> 3601322568.sig-ipa-1.int.dplcl.com. 0 ANY TSIG gss-tsig. **** 13230 NOERROR 0
>>
>> Reply from update query:
>> ;; ->>HEADER<<- opcode: UPDATE, status: REFUSED, id:  13230
>> ;; flags: qr ra; ZONE: 1, PREREQ: 0, UPDATE: 0, ADDITIONAL: 1
>> ;; ZONE SECTION:
>> ;int.dplcl.com. IN SOA
>>
>> ;; TSIG PSEUDOSECTION:
>> 3601322568.sig-ipa-1.int.dplcl.com. 0 ANY TSIG gss-tsig. ****13230 NOERROR 0
>>
>>
>> On Thu, May 11, 2017 at 4:09 AM, Martin Bašti <mbasti at redhat.com> wrote:
>>
>>>
>>>
>>> On 10.05.2017 18:38, Jason Sherrill wrote:
>>>
>>> Hello,
>>>
>>> I've recently implemented FreeIPA in a mixed environment of Mac OS 10.12
>>> and Windows 10 with limited issues!
>>>
>>> One issue is that updating the reverse zone via nsupdate works without
>>> issue, but updating the forward zone results in a REFUSED status. Below is
>>> my zone config, named.conf, and an example of client-side behavior. I'm
>>> new to nearly all systems involved; misconfiguration is likely. Thanks!
>>>
>>>
>>> From freeIPA server:
>>>
>>> #  ipa dnszone-show int.dplcl.com --all
>>>  dn: idnsname=int.dplcl.com.,cn=dns,dc=int,dc=dplcl,dc=com
>>>  Zone name: int.dplcl.com.
>>>  Active zone: TRUE
>>>  Authoritative nameserver: ipa-1.int.dplcl.com.
>>>  Administrator e-mail address: hostmaster.int.dplcl.com.
>>>  SOA serial: 1494344164
>>>  SOA refresh: 3600
>>>  SOA retry: 900
>>>  SOA expire: 1209600
>>>  SOA minimum: 3600
>>>  BIND update policy: grant INT.DPLCL.COM krb5-self * A; grant INT.DPLCL.COM krb5-self * AAAA; grant INT.DPLCL.COM krb5-self * SSHFP;
>>>  Dynamic update: TRUE
>>>  Allow query: any;
>>>  Allow transfer: none;
>>>  Allow PTR sync: TRUE
>>>  Allow in-line DNSSEC signing: FALSE
>>>  nsrecord: ipa-1.int.dplcl.com.
>>>  objectclass: idnszone, top, idnsrecord, ipadnszone
>>>
>>> /etc/named.conf from IPA server:
>>>
>>> options {
>>>        // turns on IPv6 for port 53, IPv4 is on by default for all ifaces
>>>        listen-on-v6 {any;};
>>>        // Put files that named is allowed to write in the data/ directory:
>>>        directory "/var/named"; // the default
>>>        dump-file               "data/cache_dump.db";
>>>        statistics-file         "data/named_stats.txt";
>>>        memstatistics-file      "data/named_mem_stats.txt";
>>>        // Any host is permitted to issue recursive queries
>>>        allow-recursion { any; };
>>>        tkey-gssapi-keytab "/etc/named.keytab";
>>>        pid-file "/run/named/named.pid";
>>>        dnssec-enable no;
>>>        dnssec-validation no;
>>>        /* Path to ISC DLV key */
>>>        bindkeys-file "/etc/named.iscdlv.key";
>>>        managed-keys-directory "/var/named/dynamic";
>>> };
>>>
>>> /* If you want to enable debugging, eg. using the 'rndc trace' command,
>>>  * By default, SELinux policy does not allow named to modify the /var/named directory,
>>>  * so put the default debug log file in data/ :
>>>  */
>>> logging {
>>>        channel default_debug {
>>>                file "data/named.run";
>>>                severity dynamic;
>>>                print-time yes;
>>>        };
>>> };
>>>
>>> zone "." IN {
>>>        type hint;
>>>        file "named.ca";
>>> };
>>>
>>> include "/etc/named.rfc1912.zones";
>>> include "/etc/named.root.key";
>>>
>>> dynamic-db "ipa" {
>>>        library "ldap.so";
>>>        arg "uri ldapi://%2fvar%2frun%2fslapd-INT-DPLCL-COM.socket";
>>>        arg "base cn=dns, dc=int,dc=dplcl,dc=com";
>>>        arg "server_id ipa-1.int.dplcl.com";
>>>        arg "auth_method sasl";
>>>        arg "sasl_mech GSSAPI";
>>>        arg "sasl_user DNS/ipa-1.int.dplcl.com";
>>>        arg "serial_autoincrement yes";
>>> };
>>>
>>>
>>> From client macbook:
>>>
>>> testbook3:etc jsherrill$ nsupdate
>>> > debug
>>> > update add testbook3.int.dplcl.com 86400 a 10.0.1.36
>>> >
>>>
>>> Reply from SOA query:
>>> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id:   3049
>>> ;; flags: qr aa rd ra; QUESTION: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
>>> ;; QUESTION SECTION:
>>> ;testbook3.int.dplcl.com. IN SOA
>>>
>>> ;; AUTHORITY SECTION:
>>> int.dplcl.com. 0 IN SOA ipa-1.int.dplcl.com. hostmaster.int.dplcl.com. 1494425173 3600 900 1209600 3600
>>>
>>> Found zone name: int.dplcl.com
>>> The master is: ipa-1.int.dplcl.com
>>> Sending update to 10.0.1.5#53
>>> Outgoing update query:
>>> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:  33167
>>> ;; flags:; ZONE: 1, PREREQ: 0, UPDATE: 1, ADDITIONAL: 0
>>> ;; UPDATE SECTION:
>>> testbook3.int.dplcl.com. 86400 IN A 10.0.1.36
>>>
>>> Reply from update query:
>>> ;; ->>HEADER<<- opcode: UPDATE, status: REFUSED, id:  33167
>>> ;; flags: qr ra; ZONE: 1, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
>>> ;; ZONE SECTION:
>>> ;int.dplcl.com.
>>>
>>> ...
>>
>> [Message clipped]
>
>
> --
> *Jason Sherrill*
> Deeplocal Inc. <http://deeplocal.com/>
> mobile: 412-636-2073
> office: 412-362-0201



--
*Jason Sherrill*
Deeplocal Inc. <http://deeplocal.com/>
mobile: 412-636-2073
office: 412-362-0201
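Both outcomes in this thread, the server's own keytab being REFUSED for testbook3 and "grant * tcp-self *" making the reverse zone accept updates, follow from how named evaluates update-policy grants. The Python below is an added illustration written for this archive page, not code from the thread, from FreeIPA or from BIND: it is a hypothetical model (parse_policy, authorize, thread_scenarios and the Rule/Update types are invented names) of the documented semantics of krb5-self, krb5-subdomain and tcp-self, run over constructed updates that mirror the attempts quoted above. It goes a little beyond the thread by also covering krb5-subdomain, a non-matching source address and an RR type outside the grant.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Optional

# Hypothetical evaluator for BIND 'update-policy' grants (krb5-self, krb5-subdomain,
# tcp-self). Added illustration, not FreeIPA or BIND code; it follows the documented
# semantics of those rule types and ignores deny rules and the other nametypes.


@dataclass(frozen=True)
class Rule:
    identity: str      # Kerberos realm for krb5-*; a name or '*' for tcp-self
    nametype: str      # 'krb5-self', 'krb5-subdomain' or 'tcp-self'
    types: frozenset   # RR types the grant covers; empty means any type


@dataclass(frozen=True)
class Update:
    name: str                 # owner name being changed, e.g. 'testbook3.int.dplcl.com'
    rrtype: str               # 'A', 'PTR', ...
    principal: Optional[str]  # GSS-TSIG signer 'host/NAME@REALM', or None if unsigned
    src_ip: str               # source address the update arrived from
    transport: str            # 'tcp' or 'udp'


def parse_policy(text: str) -> list[Rule]:
    """Parse 'grant IDENTITY NAMETYPE NAME [TYPES...];' statements in the form
    'ipa dnszone-show' prints them in its 'BIND update policy' field."""
    rules = []
    for stmt in text.split(";"):
        tok = stmt.split()
        if not tok:
            continue
        if tok[0] != "grant" or len(tok) < 4:
            raise ValueError(f"unsupported statement: {stmt.strip()}")
        rules.append(Rule(tok[1], tok[2], frozenset(t.upper() for t in tok[4:])))
    return rules


def _machine_of(principal: str, realm: str) -> Optional[str]:
    """krb5-self/krb5-subdomain: 'host/MACHINE@REALM' -> 'machine' when REALM matches."""
    name, sep, prealm = principal.partition("@")
    if not sep or prealm.upper() != realm.upper() or not name.startswith("host/"):
        return None
    return name[len("host/"):].rstrip(".").lower()


def authorize(rules: list[Rule], upd: Update) -> tuple[bool, str]:
    """Return (accepted, reason); the first matching grant wins."""
    target = upd.name.rstrip(".").lower()
    for r in rules:
        if r.types and upd.rrtype.upper() not in r.types:
            continue  # grant does not cover this RR type
        if r.nametype in ("krb5-self", "krb5-subdomain"):
            if upd.principal is None:
                continue  # an unsigned update can never satisfy a krb5-* grant
            machine = _machine_of(upd.principal, r.identity)
            if machine is None:
                continue
            if target == machine or (r.nametype == "krb5-subdomain"
                                     and target.endswith("." + machine)):
                return True, f"{r.nametype}: {upd.principal} may update {target}"
        elif r.nametype == "tcp-self":
            # Identity is the source address only: the update must arrive over TCP and
            # the name must be the reverse mapping of that address. No key is checked.
            if upd.transport != "tcp":
                continue
            if target != ipaddress.ip_address(upd.src_ip).reverse_pointer:
                continue
            if r.identity != "*" and r.identity.rstrip(".").lower() != target:
                continue
            return True, f"tcp-self: {upd.src_ip} maps to {target} (address-based only)"
    return False, "REFUSED: no grant matched"


# Policies quoted in the thread: the forward zone's generated krb5-self grants and
# the 'grant * tcp-self *' that was added to make the reverse zone accept updates.
FORWARD_POLICY = ("grant INT.DPLCL.COM krb5-self * A; grant INT.DPLCL.COM krb5-self * AAAA; "
                  "grant INT.DPLCL.COM krb5-self * SSHFP;")
REVERSE_POLICY = "grant * tcp-self *;"
REALM = "INT.DPLCL.COM"
SERVER_PRINC = f"host/ipa-1.int.dplcl.com@{REALM}"      # keytab used on the IPA server
CLIENT_PRINC = f"host/testbook3.int.dplcl.com@{REALM}"  # the client's own host keytab


def thread_scenarios() -> dict[str, bool]:
    """Constructed updates mirroring the attempts in the thread, plus edge cases."""
    fwd, rev = parse_policy(FORWARD_POLICY), parse_policy(REVERSE_POLICY)
    a_rec = dict(name="testbook3.int.dplcl.com", rrtype="A", src_ip="10.0.1.5", transport="udp")
    ptr = dict(name="36.1.0.10.in-addr.arpa", rrtype="PTR", principal=None)
    cases = {
        # 'nsupdate -g' on the server with host/ipa-1: GSS-TSIG succeeds, but krb5-self
        # only lets a principal touch its own name, so testbook3 is REFUSED.
        "server keytab updates testbook3": Update(principal=SERVER_PRINC, **a_rec),
        "testbook3 keytab updates testbook3": Update(principal=CLIENT_PRINC, **a_rec),
        "testbook3 keytab updates TXT": Update(principal=CLIENT_PRINC, **{**a_rec, "rrtype": "TXT"}),
        # the first client attempt: plain 'nsupdate' without -g, so no signature at all
        "unsigned update from client": Update(principal=None, **{**a_rec, "src_ip": "10.0.1.36"}),
        # reverse zone: accepted purely because the TCP source address matches the PTR name
        "tcp-self PTR from matching address": Update(src_ip="10.0.1.36", transport="tcp", **ptr),
        "tcp-self PTR from other address": Update(src_ip="10.0.1.37", transport="tcp", **ptr),
        "tcp-self PTR over udp": Update(src_ip="10.0.1.36", transport="udp", **ptr),
    }
    return {k: authorize(rev if "tcp-self" in k else fwd, u)[0] for k, u in cases.items()}


if __name__ == "__main__":
    for case, ok in thread_scenarios().items():
        print(f"{'ACCEPT ' if ok else 'REFUSED'}  {case}")
```

The model makes the difference between the two zones visible: the FreeIPA-generated krb5-self grants require a GSS-TSIG-signed update by the host principal that owns the name, which is why the server's host/ipa-1 keytab is REFUSED for testbook3 exactly as the named-pkcs11 log entry shows, while the hand-added tcp-self grant accepts an unsigned update from any address whose reverse mapping equals the PTR name, so it trusts the network path rather than a key. The check that resolves the forward-zone case is the one the original poster ended up doing: run nsupdate -g from the client with that client's own host keytab.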