<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=us-ascii"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style></style></head><body lang=EN-US link=blue vlink=purple><div class=WordSection1>That would be my preference, would then work same as bind/dhcpd before switching to ipa. I just dont know how to do it correctly…<o:p></o:p><a name="_MailEndCompose"><o:p> </o:p></a>From: brendan kearney [mailto:bpk678@gmail.com] Sent: Thursday, April 3, 2014 10:59 AM To: Simo Sorce Cc: freeipa-users@redhat.com; atomlin@engineer.com Subject: Re: [Freeipa-users] DDNS with DHCPD and IPA<o:p></o:p><o:p> </o:p>Dont allow clients to ddns update. Force the update to occur from dhcpd to named<o:p></o:p><div>On Apr 3, 2014 1:53 PM, "Simo Sorce" <<a href="mailto:simo@redhat.com">simo@redhat.com</a>> wrote:<o:p></o:p><blockquote style='border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in'><div>On Thu, 2014-04-03 at 10:38 -0700, Andy Tomlin wrote: > I posted this on the DHCP mailing list, but think it may belong here > instead. > > > > I am running Centos 6.5 and have installed ipa to allow all our linux > machines to authenticate. We have windows machines that get their ip address > from server and since installing ipa the ddns no longer works. Googling > around does not show much help. The key files match.<o:p></o:p></div>There is a bug in kerberos libraries that prevent Windows clients from successfully performing DDNS against BIND servers that we fixed only recently. This is the fedora bugzilla: <a href="https://bugzilla.redhat.com/show_bug.cgi?id=1066000" target="_blank">https://bugzilla.redhat.com/show_bug.cgi?id=1066000</a> Not sure if this has been backported to RHEL/CentOS tbh. This is for Windows clients directly performing DDNS updates using GSS-TSIG. -- Now reading the following lines it seem you are mixing GSS-TSIG and plain TSIG, well you can't do that. ATM I think we accept only GSS-TSIG updates in IPA, while BIND DHCP seem to be capable only of TSIG updates. CCing Petr as he may have some ideas on whether this is something we can work around. Simo.<o:p></o:p><div> > > > My named.conf is as follows: > > > > [root@alfred ~]# cat /etc/named.conf > > options { > > // turns on IPv6 for port 53, IPv4 is on by default for all ifaces > > listen-on-v6 {any;}; > > listen-on port 53 { 127.0.0.1; 10.0.1.2; }; > > > > // Put files that named is allowed to write in the data/ directory: > > directory "/var/named"; // the default > > dump-file "data/cache_dump.db"; > > statistics-file "data/named_stats.txt"; > > memstatistics-file "data/named_mem_stats.txt"; > > > > //forward first; > > //forwarders { > > // 192.168.1.254; > > // 8.8.8.8; > > //}; > > > > // Any host is permitted to issue recursive queries > > allow-recursion { any; }; > > > > tkey-gssapi-credential "DNS/<a href="http://alfred.xxxxxxx.com" target="_blank">alfred.xxxxxxx.com</a>"; > > tkey-domain "xxxxxxx.COM"; > > }; > > > > include "/etc/named/ddns.key"; > > > > /* If you want to enable debugging, eg. using the 'rndc trace' command, > > * By default, SELinux policy does not allow named to modify the /var/named > directory, > > * so put the default debug log file in data/ : > > */ > > logging { > > channel default_debug { > > file "data/named.run"; > > severity dynamic; > > }; > > }; > > > > zone "." IN { > > type hint; > > file "<a href="http://named.ca" target="_blank">named.ca</a>"; > > }; > > > > include "/etc/named.rfc1912.zones"; > > > > dynamic-db "ipa" { > > library "ldap.so"; > > arg "uri ldapi://%2fvar%2frun%2fslapd-xxxxxxx-COM.socket"; > > arg "base cn=dns, dc=xxxxxxx,dc=com"; > > arg "fake_mname <a href="http://alfred.xxxxxxx.com" target="_blank">alfred.xxxxxxx.com</a>."; > > arg "auth_method sasl"; > > arg "sasl_mech GSSAPI"; > > arg "sasl_user DNS/<a href="http://alfred.xxxxxxx.com" target="_blank">alfred.xxxxxxx.com</a>"; > > arg "zone_refresh 0"; > > arg "psearch yes"; > > arg "serial_autoincrement yes"; > > }; > > > > My dhcpd.conf is as follows: > > [root@alfred ~]# cat /etc/dhcp/dhcpd.conf > > # dhcpd.conf > > # > > # Sample configuration file for ISC dhcpd > > # > > > > # option definitions common to all supported networks... > > option domain-name "<a href="http://xxxxxxx.com" target="_blank">xxxxxxx.com</a>"; > > option domain-name-servers 10.0.1.2, 8.8.8.8, 8.8.4.4; > > > > ddns-updates on; > > ddns-update-style interim; > > ignore client-updates; > > update-static-leases on; > > > > default-lease-time 600; > > max-lease-time 7200; > > > > # Use this to enble / disable dynamic dns updates globally. > > #ddns-update-style none; > > > > # If this DHCP server is the official DHCP server for the local > > # network, the authoritative directive should be uncommented. > > authoritative; > > > > # Use this to send dhcp log messages to a different log file (you also > > # have to hack syslog.conf to complete the redirection). > > log-facility local7; > > > > # No service will be given on this subnet, but declaring it helps the > > # DHCP server to understand the network topology. > > > > #subnet 10.152.187.0 netmask 255.255.255.0 { > > #} > > > > include "/etc/dhcp/ddns.key"; > > > > zone <a href="http://xxxxxxx.com" target="_blank">xxxxxxx.com</a>. { > > primary 127.0.0.1; > > key DDNS_UPDATE; > > } > > > > zone 2.0.10.in-addr.arpa. { > > primary 127.0.0.1; > > key DDNS_UPDATE; > > } > > > > # This is a very basic subnet declaration. > > > > subnet 10.0.0.0 netmask 255.255.0.0 { > > range 10.0.2.50 10.0.2.250; > > option routers 10.0.1.2; > > } > > > > [root@alfred ~]# > > > > When windows client gets a dhcp address, the following is in the log > > > > [root@alfred ~]# tail -n50 /var/log/messages > > Apr 2 19:40:50 alfred named[8491]: client 127.0.0.1#59786: updating zone > '<a href="http://xxxxxxx.com/IN" target="_blank">xxxxxxx.com/IN</a>': update failed: rejected by secure update (REFUSED) > > Apr 2 19:40:50 alfred dhcpd: Unable to add forward map from > <a href="http://atomlin.xxxxxxx.com" target="_blank">atomlin.xxxxxxx.com</a> to <a href="http://10.0.2.51" target="_blank">10.0.2.51</a>: timed out > > Apr 2 19:40:50 alfred dhcpd: DHCPREQUEST for 10.0.2.51 from > 0c:54:a5:08:5f:cc (atomlin) via eth0 > > Apr 2 19:40:50 alfred dhcpd: DHCPACK on 10.0.2.51 to 0c:54:a5:08:5f:cc > (atomlin) via eth0 > > [root@alfred ~]# > > > > ><o:p></o:p></div>> _______________________________________________ > Freeipa-users mailing list > <a href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a> > <a href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a> -- Simo Sorce * Red Hat, Inc * New York _______________________________________________ Freeipa-users mailing list <a href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a> <a href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a><o:p></o:p></blockquote></div></div></body></html>