<p dir="ltr">Don't allow clients to DDNS update. Force the update to occur from dhcpd to named.</p>
<div class="gmail_quote">On Apr 3, 2014 1:53 PM, "Simo Sorce" <<a href="mailto:simo@redhat.com">simo@redhat.com</a>> wrote:<br type="attribution"><blockquote class="quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div class="quoted-text">On Thu, 2014-04-03 at 10:38 -0700, Andy Tomlin wrote:<br>
> I posted this on the DHCP mailing list, but think it may belong here<br>
> instead.<br>
><br>
><br>
><br>
> I am running CentOS 6.5 and have installed IPA to allow all our Linux<br>
> machines to authenticate. We have Windows machines that get their IP address<br>
> from the server, and since installing IPA the DDNS no longer works. Googling<br>
> around does not show much help. The key files match.<br>
<br>
</div>There is a bug in kerberos libraries that prevent Windows clients from<br>
successfully performing DDNS against BIND servers that we fixed only<br>
recently.<br>
<br>
This is the fedora bugzilla:<br>
<a href="https://bugzilla.redhat.com/show_bug.cgi?id=1066000" target="_blank">https://bugzilla.redhat.com/show_bug.cgi?id=1066000</a><br>
<br>
Not sure if this has been backported to RHEL/CentOS tbh.<br>
<br>
This is for Windows clients directly performing DDNS updates using<br>
GSS-TSIG.<br>
<br>
--<br>
<br>
Now, reading the following lines, it seems you are mixing GSS-TSIG and<br>
plain TSIG; you can't do that.<br>
<br>
ATM I think we accept only GSS-TSIG updates in IPA, while BIND DHCP seems<br>
to be capable only of TSIG updates.<br>
<br>
CCing Petr as he may have some ideas on whether this is something we can<br>
work around.<br>
<br>
<br>
Simo.<br>
<div class="elided-text"><br>
<br>
><br>
><br>
> My named.conf is as follows:<br>
><br>
> [root@alfred ~]# cat /etc/named.conf<br>
> options {<br>
>     // turns on IPv6 for port 53, IPv4 is on by default for all ifaces<br>
>     listen-on-v6 {any;};<br>
>     listen-on port 53 { 127.0.0.1; 10.0.1.2; };<br>
><br>
>     // Put files that named is allowed to write in the data/ directory:<br>
>     directory "/var/named"; // the default<br>
>     dump-file "data/cache_dump.db";<br>
>     statistics-file "data/named_stats.txt";<br>
>     memstatistics-file "data/named_mem_stats.txt";<br>
><br>
>     //forward first;<br>
>     //forwarders {<br>
>     //    192.168.1.254;<br>
>     //    8.8.8.8;<br>
>     //};<br>
><br>
>     // Any host is permitted to issue recursive queries<br>
>     allow-recursion { any; };<br>
><br>
>     tkey-gssapi-credential "DNS/alfred.xxxxxxx.com";<br>
>     tkey-domain "xxxxxxx.COM";<br>
> };<br>
><br>
> include "/etc/named/ddns.key";<br>
><br>
> /* If you want to enable debugging, eg. using the 'rndc trace' command,<br>
>  * By default, SELinux policy does not allow named to modify the /var/named directory,<br>
>  * so put the default debug log file in data/ :<br>
>  */<br>
> logging {<br>
>     channel default_debug {<br>
>         file "data/named.run";<br>
>         severity dynamic;<br>
>     };<br>
> };<br>
><br>
> zone "." IN {<br>
>     type hint;<br>
>     file "named.ca";<br>
> };<br>
><br>
> include "/etc/named.rfc1912.zones";<br>
><br>
> dynamic-db "ipa" {<br>
>     library "ldap.so";<br>
>     arg "uri ldapi://%2fvar%2frun%2fslapd-xxxxxxx-COM.socket";<br>
>     arg "base cn=dns, dc=xxxxxxx,dc=com";<br>
>     arg "fake_mname alfred.xxxxxxx.com.";<br>
>     arg "auth_method sasl";<br>
>     arg "sasl_mech GSSAPI";<br>
>     arg "sasl_user DNS/alfred.xxxxxxx.com";<br>
>     arg "zone_refresh 0";<br>
>     arg "psearch yes";<br>
>     arg "serial_autoincrement yes";<br>
> };<br>
><br>
><br>
><br>
> My dhcpd.conf is as follows:<br>
><br>
> [root@alfred ~]# cat /etc/dhcp/dhcpd.conf<br>
> # dhcpd.conf<br>
> #<br>
> # Sample configuration file for ISC dhcpd<br>
> #<br>
><br>
> # option definitions common to all supported networks...<br>
> option domain-name "xxxxxxx.com";<br>
> option domain-name-servers 10.0.1.2, 8.8.8.8, 8.8.4.4;<br>
><br>
> ddns-updates on;<br>
> ddns-update-style interim;<br>
> ignore client-updates;<br>
> update-static-leases on;<br>
><br>
> default-lease-time 600;<br>
> max-lease-time 7200;<br>
><br>
> # Use this to enable / disable dynamic dns updates globally.<br>
> #ddns-update-style none;<br>
><br>
> # If this DHCP server is the official DHCP server for the local<br>
> # network, the authoritative directive should be uncommented.<br>
> authoritative;<br>
><br>
> # Use this to send dhcp log messages to a different log file (you also<br>
> # have to hack syslog.conf to complete the redirection).<br>
> log-facility local7;<br>
><br>
> # No service will be given on this subnet, but declaring it helps the<br>
> # DHCP server to understand the network topology.<br>
> #subnet 10.152.187.0 netmask 255.255.255.0 {<br>
> #}<br>
><br>
> include "/etc/dhcp/ddns.key";<br>
><br>
> zone xxxxxxx.com. {<br>
>     primary 127.0.0.1;<br>
>     key DDNS_UPDATE;<br>
> }<br>
><br>
> zone 2.0.10.in-addr.arpa. {<br>
>     primary 127.0.0.1;<br>
>     key DDNS_UPDATE;<br>
> }<br>
><br>
> # This is a very basic subnet declaration.<br>
> subnet 10.0.0.0 netmask 255.255.0.0 {<br>
>     range 10.0.2.50 10.0.2.250;<br>
>     option routers 10.0.1.2;<br>
> }<br>
> [root@alfred ~]#<br>
><br>
><br>
><br>
> When a Windows client gets a DHCP address, the following is in the log:<br>
><br>
> [root@alfred ~]# tail -n50 /var/log/messages<br>
> Apr 2 19:40:50 alfred named[8491]: client 127.0.0.1#59786: updating zone 'xxxxxxx.com/IN': update failed: rejected by secure update (REFUSED)<br>
> Apr 2 19:40:50 alfred dhcpd: Unable to add forward map from atomlin.xxxxxxx.com to 10.0.2.51: timed out<br>
> Apr 2 19:40:50 alfred dhcpd: DHCPREQUEST for 10.0.2.51 from 0c:54:a5:08:5f:cc (atomlin) via eth0<br>
> Apr 2 19:40:50 alfred dhcpd: DHCPACK on 10.0.2.51 to 0c:54:a5:08:5f:cc (atomlin) via eth0<br>
> [root@alfred ~]#<br>
><br>
><br>
><br>
><br>
><br>
</div>> _______________________________________________<br>
> Freeipa-users mailing list<br>
> <a href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a><br>
> <a href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a><br>
<font color="#888888"><br>
<br>
--<br>
Simo Sorce * Red Hat, Inc * New York<br>
<br>
</font></blockquote></div>
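<p>The diagnosis in the thread (dhcpd signs its updates with a plain TSIG key, the IPA-served zone is set up for GSS-TSIG, and named answers with "rejected by secure update (REFUSED)") can be turned into a check that runs over the two config files and the syslog. The script below is an added example, not code from the thread, from FreeIPA or from ISC; the configs and log lines it embeds are constructed, abbreviated copies of the ones posted above, and <code>NAMED_CONF_PLAIN</code> (plain BIND master zones granting the same key with <code>allow-update</code>) is an assumed non-IPA contrast case that the thread itself does not propose.</p>

```python
"""Cross-check ISC dhcpd and BIND/IPA configs for the TSIG-vs-GSS-TSIG mismatch behind
'rejected by secure update (REFUSED)', and pick the failure out of /var/log/messages.
NAMED_CONF, DHCPD_CONF and LOG_SAMPLE are constructed, abbreviated copies of what was
posted in the thread; NAMED_CONF_PLAIN is an assumed non-IPA contrast, not from the thread."""
import re

NAMED_CONF = """
options { tkey-gssapi-credential "DNS/alfred.xxxxxxx.com"; tkey-domain "xxxxxxx.COM"; };  // GSS-TSIG
include "/etc/named/ddns.key";
zone "." IN { type hint; file "named.ca"; };
dynamic-db "ipa" { library "ldap.so"; arg "uri ldapi://%2fvar%2frun%2fslapd-xxxxxxx-COM.socket";
                   arg "base cn=dns, dc=xxxxxxx,dc=com"; arg "auth_method sasl"; arg "sasl_mech GSSAPI"; };
"""
# Assumed contrast: plain BIND master zones granting the same TSIG key with allow-update.
NAMED_CONF_PLAIN = """
include "/etc/named/ddns.key";
zone "xxxxxxx.com" IN { type master; file "data/fwd.db"; allow-update { key DDNS_UPDATE; }; };
zone "2.0.10.in-addr.arpa" IN { type master; file "data/rev.db"; allow-update { key DDNS_UPDATE; }; };
"""
DHCPD_CONF = """
ddns-updates on; ddns-update-style interim;
ignore client-updates;   # clients never talk to named themselves
include "/etc/dhcp/ddns.key";
zone xxxxxxx.com. { primary 127.0.0.1; key DDNS_UPDATE; }
zone 2.0.10.in-addr.arpa. { primary 127.0.0.1; key DDNS_UPDATE; }
"""
LOG_SAMPLE = """\
Apr  2 19:40:50 alfred named[8491]: client 127.0.0.1#59786: updating zone 'xxxxxxx.com/IN': update failed: rejected by secure update (REFUSED)
Apr  2 19:40:50 alfred dhcpd: Unable to add forward map from atomlin.xxxxxxx.com to 10.0.2.51: timed out
Apr  2 19:40:50 alfred dhcpd: DHCPREQUEST for 10.0.2.51 from 0c:54:a5:08:5f:cc (atomlin) via eth0
Apr  2 19:40:50 alfred dhcpd: DHCPACK on 10.0.2.51 to 0c:54:a5:08:5f:cc (atomlin) via eth0
"""
_KEY = r'\bkey\s+"?([^\s";]+)"?\s*;'   # `key NAME;` inside a zone or allow-update body

def strip_comments(text):
    """Drop /* */, // and # comments but keep quoted strings (the ldapi:// URI!) intact."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r'"[^"]*"|//[^\n]*|#[^\n]*',
                  lambda m: m.group(0) if m.group(0).startswith('"') else "", text)

def _blocks(text, kind):
    """Yield (name, body) for each `kind NAME ... { body }` statement, honouring nested braces."""
    for m in re.finditer(r'\b%s\s+"?([^\s"{]+)"?[^{]*\{' % kind, text):
        depth, start = 0, m.end() - 1
        for i in range(start, len(text)):
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            if depth == 0:
                yield m.group(1).rstrip("."), text[start + 1:i]
                break

def dhcpd_update_zones(conf):
    """zone -> TSIG key dhcpd signs that zone's updates with (None means unsigned)."""
    zones = {}
    for name, body in _blocks(strip_comments(conf), "zone"):
        m = re.search(_KEY, body)
        zones[name] = m.group(1) if m else None
    return zones

def dhcpd_server_side_updates(conf):
    """The two dhcpd settings that make the server, not the client, the only DNS updater."""
    conf = strip_comments(conf)
    return {"ddns_updates_on": bool(re.search(r"\bddns-updates\s+on\s*;", conf)),
            "client_updates_blocked": bool(re.search(r"\b(ignore|deny)\s+client-updates\s*;", conf))}

def named_tsig_grants(conf):
    """zone -> keys named.conf itself authorises (allow-update { key K; } / update-policy grant K)."""
    grants = {}
    for name, body in _blocks(strip_comments(conf), "zone"):
        keys = set(re.findall(_KEY, body)) | set(re.findall(r'\bgrant\s+"?([^\s"]+)"?', body))
        if keys:
            grants[name] = keys
    return grants

def diagnose(named_conf, dhcpd_conf):
    """Findings as strings; [] means every zone dhcpd updates grants the key dhcpd signs with."""
    findings, flags = [], dhcpd_server_side_updates(dhcpd_conf)
    if not flags["ddns_updates_on"]:
        findings.append("dhcpd: 'ddns-updates on;' missing, leases will not be registered in DNS")
    if not flags["client_updates_blocked"]:
        findings.append("dhcpd: add 'ignore client-updates;' so clients cannot push their own updates")
    dyndb, grants = [n for n, _ in _blocks(strip_comments(named_conf), "dynamic-db")], named_tsig_grants(named_conf)
    for zone, key in dhcpd_update_zones(dhcpd_conf).items():
        if key is None:
            findings.append(f"dhcpd zone {zone}: no key statement, updates would be unsigned")
        elif key not in grants.get(zone, set()):
            where = (f"zone comes from dynamic-db {dyndb}; named.conf grants it nothing and the update policy lives in LDAP"
                     if dyndb else "no allow-update/update-policy in named.conf names it")
            findings.append(f"dhcpd zone {zone}: signs with TSIG key {key} that named grants nothing to "
                            f"({where}); expect 'rejected by secure update (REFUSED)'")
    return findings

def ddns_failures(log):
    """Pair named's refusals with dhcpd's map failures.  A refused client of 127.0.0.1 is dhcpd
    itself (primary 127.0.0.1 in dhcpd.conf): the TSIG update failed, not a Windows client's."""
    refused = re.findall(r"named\[\d+\]: client (\S+): updating zone '([^']+)': update failed: (.*)", log)
    failed = re.findall(r"dhcpd: Unable to add (forward|reverse) map from (\S+) to (\S+): (.*)", log)
    return {"named_refused": refused, "dhcpd_failed": failed,
            "refused_from_dhcpd": any(c.startswith("127.0.0.1#") for c, _, _ in refused)}

if __name__ == "__main__":
    for line in diagnose(NAMED_CONF, DHCPD_CONF) or ["no TSIG mismatch found"]:
        print("-", line)
    print(ddns_failures(LOG_SAMPLE))
```

<p>Run it as a script to see the two zone findings for the posted configuration, or import it and pass the real file contents to <code>diagnose()</code> and the real syslog to <code>ddns_failures()</code>. It reads only named.conf: for zones that come from <code>dynamic-db "ipa"</code> the update policy is not in that file, so an empty grant set there means "check the IPA zone's update policy", not "the key is definitely missing". The <code>refused_from_dhcpd</code> flag is the quick way to tell whether the REFUSED line belongs to dhcpd's TSIG update (source 127.0.0.1) or to a client's own GSS-TSIG attempt.</p>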