<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">On 23/03/15 12:19, Roberto Cornacchia
wrote:<br>
</div>
<blockquote
cite="mid:CAFGv-=eHPNxHeb8J8EWxq69o=e5taCiCUFLGZjp_+2wPgQJi9g@mail.gmail.com"
type="cite">
<div dir="ltr">BTW, shouldn't named.conf contain an "allow-update"
statement? Mine doesn't. Or is this managed differently?</div>
</blockquote>
It is not needed.<br>
The bind-dyndb-ldap plugin overrides this configuration; you just need
to enable updates in the IPA zone settings.<br>
<br>
Martin<br>
<blockquote
cite="mid:CAFGv-=eHPNxHeb8J8EWxq69o=e5taCiCUFLGZjp_+2wPgQJi9g@mail.gmail.com"
type="cite">
<div dir="ltr">
<div><br>
</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On 23 March 2015 at 12:16, Roberto
Cornacchia <span dir="ltr"><<a moz-do-not-send="true"
href="mailto:roberto.cornacchia@gmail.com" target="_blank">roberto.cornacchia@gmail.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr"><br>
<div class="gmail_extra"><br>
<div class="gmail_quote"><span class="">On 23 March 2015
at 10:35, Petr Spacek <span dir="ltr"><<a
moz-do-not-send="true"
href="mailto:pspacek@redhat.com" target="_blank">pspacek@redhat.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex"><span>On
23.3.2015 10:21, Roberto Cornacchia wrote:<br>
> About the DNS update, this is what the
debug log has to say:<br>
><br>
> Found zone name: <a moz-do-not-send="true"
href="http://hq.example.com" target="_blank">hq.example.com</a><br>
> The master is: <a moz-do-not-send="true"
href="http://ipa.hq.example.com"
target="_blank">ipa.hq.example.com</a><br>
> start_gssrequest<br>
> Found realm from ticket: <a
moz-do-not-send="true"
href="http://HQ.EXAMPLE.COM" target="_blank">HQ.EXAMPLE.COM</a><br>
> send_gssrequest<br>
</span>> *; Communication with 192.168.0.72#53
failed: operation canceled*<br>
> *Reply from SOA query:*<br>
<span>> ;; ->>HEADER<<- opcode:
QUERY, status: SERVFAIL, id: 4923<br>
> ;; flags: qr ra; QUESTION: 1, ANSWER: 0,
AUTHORITY: 0, ADDITIONAL: 0<br>
> ;; QUESTION SECTION:<br>
> ;<a moz-do-not-send="true"
href="http://1835417091.sig-ipa.hq.example.com"
target="_blank">1835417091.sig-ipa.hq.example.com</a>.
ANY TKEY<br>
><br>
> response to SOA query was unsuccessful<br>
<br>
</span>- Please verify that 192.168.0.72 is the
correct IP address of the FreeIPA server.<br>
</blockquote>
<div><br>
</div>
</span>
<div>Positive</div>
<span class="">
<div> </div>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">-
Please check named.logs on the server side to see
if there are any complaints<br>
about unsuccessful key negotiation with client.<br>
<br>
</blockquote>
<div><br>
</div>
</span>
<div>I raised named's log level to debug 10 and
restarted</div>
<div>Ran ipa-client-install again.</div>
<div>The log shows many queries from the client, for
A/AAAA/SOA record types, both about the server and
the client. All approved, no problem.</div>
<div>The log does not seem to contain a single failure
/ rejection.<br>
</div>
<div><br>
</div>
<div>However: </div>
<div>1) The client reports that response to SOA query
was unsuccessful. The server log does not say
anything about this.</div>
<div>2) The server log does not contain any update
request</div>
<span class="">
<div><br>
</div>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex"><br>
> Notice that it is *different* from what I got
before the chronyd change.<br>
<span>> Before, there was not even a reply:<br>
><br>
> Found zone name: <a moz-do-not-send="true"
href="http://hq.example.com" target="_blank">hq.example.com</a><br>
> The master is: <a moz-do-not-send="true"
href="http://ipa.hq.example.com"
target="_blank">ipa.hq.example.com</a><br>
> start_gssrequest<br>
> Found realm from ticket: <a
moz-do-not-send="true"
href="http://HQ.EXAMPLE.COM" target="_blank">HQ.EXAMPLE.COM</a><br>
> send_gssrequest<br>
</span>> *; Communication with 192.168.0.72#53
failed: operation canceled*<br>
> *could not reach any name server*<br>
<br>
Interesting, this should not be related to time
synchronization in any way.<br>
DNS server simply did not return any answer.<br>
<span><font color="#888888"><br>
--<br>
Petr^2 Spacek<br>
</font></span>
<div>
<div><br>
--<br>
Manage your subscription for the Freeipa-users
mailing list:<br>
<a moz-do-not-send="true"
href="https://www.redhat.com/mailman/listinfo/freeipa-users"
target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a><br>
Go to <a moz-do-not-send="true"
href="http://freeipa.org" target="_blank">http://freeipa.org</a>
for more info on the project<br>
</div>
</div>
</blockquote>
</span></div>
<br>
</div>
</div>
</blockquote>
</div>
<br>
</div>
<br>
<br>
</blockquote>
<br>
<br>
<pre class="moz-signature" cols="72">--
Martin Basti</pre>
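<p>As an added example (not code from this thread, from FreeIPA or from bind-dyndb-ldap), the following Python triages the <code>nsupdate -g -d</code> debug output quoted above and separates the two failure shapes Petr points at: no reply at all from the DNS server, versus a SERVFAIL answer to the TKEY (GSS-TSIG key negotiation) query. The TKEY exchange happens before any UPDATE packet is sent, which is why the second case leaves no update request in the server's named log even though the client reports a failed update. The two sample outputs are constructed from the quoted lines; the hint strings, the "Outgoing update query:" marker used to detect a sent update, and the name <code>triage_nsupdate</code> are assumptions of this example.</p>

```python
import re
from typing import Optional, Tuple

# Constructed sample 1: the "no reply" case Roberto saw before the chronyd
# change (rebuilt from the quoted lines, not captured here).
NO_REPLY = """\
Found zone name: hq.example.com
The master is: ipa.hq.example.com
start_gssrequest
Found realm from ticket: HQ.EXAMPLE.COM
send_gssrequest
; Communication with 192.168.0.72#53 failed: operation canceled
could not reach any name server
"""

# Constructed sample 2: the SERVFAIL-on-TKEY case from the later run
# (rebuilt from the quoted lines, not captured here).
SERVFAIL_TKEY = """\
Found zone name: hq.example.com
The master is: ipa.hq.example.com
start_gssrequest
Found realm from ticket: HQ.EXAMPLE.COM
send_gssrequest
; Communication with 192.168.0.72#53 failed: operation canceled
Reply from SOA query:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4923
;; flags: qr ra; QUESTION: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;1835417091.sig-ipa.hq.example.com. ANY TKEY

response to SOA query was unsuccessful
"""

_RE = {
    "zone": re.compile(r"^Found zone name: (\S+)", re.M),
    "master": re.compile(r"^The master is: (\S+)", re.M),
    "realm": re.compile(r"^Found realm from ticket: (\S+)", re.M),
    "server": re.compile(r"^; Communication with (\S+) failed", re.M),
    "status": re.compile(r"^;; ->>HEADER<<- opcode: \w+, status: (\w+)", re.M),
}


def _first(key: str, text: str) -> Optional[str]:
    """Return the first capture of the named pattern, or None if absent."""
    m = _RE[key].search(text)
    return m.group(1) if m else None


def _question(text: str) -> Optional[Tuple[str, str, str]]:
    """Return (name, class, type) from the QUESTION SECTION, if present."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        if line.startswith(";; QUESTION SECTION:"):
            for q in lines[i + 1:]:
                if q.startswith(";") and not q.startswith(";;"):
                    parts = q[1:].split()
                    if len(parts) == 3:
                        return parts[0], parts[1], parts[2]
            break
    return None


def triage_nsupdate(output: str) -> dict:
    """Classify one nsupdate -g -d run into a diagnosis plus the parsed facts."""
    status = _first("status", output)
    question = _question(output)
    info = {
        "zone": _first("zone", output),
        "master": _first("master", output),
        "realm": _first("realm", output),
        "server": _first("server", output),
        "status": status,
        "question": question,
        # GSS-TSIG negotiation starts before any UPDATE message is built.
        "gss_started": "start_gssrequest" in output,
        # Assumption: nsupdate -d prints this marker only once an UPDATE
        # message is actually sent; absent here, the server saw no update.
        "update_sent": "Outgoing update query:" in output,
    }
    if "could not reach any name server" in output:
        info["diagnosis"] = "no_reply"
        info["hint"] = ("no answer at all from %s: verify the server address and "
                        "that port 53 (UDP and TCP) is reachable" % info["server"])
    elif status == "SERVFAIL" and question is not None and question[2] == "TKEY":
        info["diagnosis"] = "tkey_servfail"
        info["hint"] = ("server answered but failed GSS-TSIG key negotiation; "
                        "check named logs on the server for key negotiation errors")
    elif status is not None and status != "NOERROR":
        info["diagnosis"] = "rcode_" + status.lower()
        info["hint"] = "unexpected rcode %s on the %s query" % (status, question)
    else:
        info["diagnosis"] = "unknown"
        info["hint"] = "no recognised failure marker in the output"
    return info


if __name__ == "__main__":
    for sample in (NO_REPLY, SERVFAIL_TKEY):
        r = triage_nsupdate(sample)
        print(r["diagnosis"], "->", r["hint"])
```

<p>Feeding a saved <code>nsupdate -g -d</code> log to <code>triage_nsupdate</code> gives the same split Petr drew in the thread: <code>no_reply</code> means the DNS server never answered and the address or path to it is the first thing to check, while <code>tkey_servfail</code> means the server did answer and the problem is in the GSS-TSIG negotiation on the server side, so named's logs, not the update policy, are the place to look.</p>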
</body>
</html>