I have a setup with 2 zones:

My IPA realm is mob.nuance.com
My first IPA server was built out with the DNS zone prod.mcs.som.mob.nuance.com
My second IPA server is in a DNS zone of dev.mcs.az-eastus2.mob.nuance.com

I can successfully add clients to my first IPA server, and everything works as expected, including DNS updates. When I add clients to my second IPA server, they complete successfully for everything except updating DNS.

I recreated the DNS Update file from ipa-client install log, and executed it manually as "admin" with debug. Any ideas what is wrong?

# kinit admin
Password for ad...@mob.nuance.com:
# id admin
uid=1294000000(admin) gid=1294000000(admins) groups=1294000000(admins)
# getent passwd admin
admin:*:1294000000:1294000000:Administrator:/home/admin:/bin/bash
# kinit -k
# klist
Ticket cache: KEYRING:persistent:0:krb_ccache_3k4KdJI
Default principal: host/metrics-frontend-01.dev.mcs.az-eastus2.mob.nuance....@mob.nuance.com

Valid starting       Expires              Service principal
06/05/2017 18:11:39  06/06/2017 18:11:39  krbtgt/mob.nuance....@mob.nuance.com

# nsupdate -v -g ./dns_update.txt
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
metrics-frontend-01.dev.mcs.az-eastus2.mob.nuance.com. 0 ANY A

Reply from SOA query:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 58840
;; flags: qr aa rd ra; QUESTION: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;metrics-frontend-01.dev.mcs.az-eastus2.mob.nuance.com. IN SOA

;; AUTHORITY SECTION:
dev.mcs.az-eastus2.mob.nuance.com. 0 IN SOA freeipa-01.dev.mcs.az-eastus2.mob.nuance.com. hostmaster.dev.mcs.az-eastus2.mob.nuance.com. 1496548206 3600 900 1209600 3600

Found zone name: dev.mcs.az-eastus2.mob.nuance.com
The master is: freeipa-01.dev.mcs.az-eastus2.mob.nuance.com
start_gssrequest
send_gssrequest
Outgoing update query:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14301
;; flags:; QUESTION: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;2603545440.sig-freeipa-01.dev.mcs.az-eastus2.mob.nuance.com. ANY TKEY

;; ADDITIONAL SECTION:
2603545440.sig-freeipa-01.dev.mcs.az-eastus2.mob.nuance.com. 0 ANY TKEY gss-tsig. 1496686456 1496686456 3 NOERROR 750 YIIC6gYJKoZIhvcSAQICAQBuggLZMIIC1aADAgEFoQMCAQ6iBwMFACAA AACjggGyYYIBrjCCAaqgAwIBBaEQGw5NT0IuTlVBTkNFLkNPTaI+MDyg AwIBA6E1MDMbA0ROUxssZnJlZWlwYS0wMS5kZXYubWNzLmF6LWVhc3R1 czIubW9iLm51YW5jZS5jb22jggFPMIIBS6ADAgESoQMCAQKiggE9BIIB OT6iIBKUylVkyZojuFesiyK9xr2TNsJcCxjHSKxRxDTI781ECObVev0r 5FEux+izbNYji5vEZpfZDela6vLLJuieQ7EUz02jEMU9lvkhfuiaA9w8 UGLjT+l7TsKLLa6O+gnZ9bLWoTeR++QTE3g/5ePKCLd5rv/h3fvsHoW9 MxUD896pNNYCSutwm9Q6WigpMabxz4oli2l2YpbABJGEk6ZOB3Dr65m6 j4ou1LCnJpy0pkCwQfNPqPtF6UXUiL7DBvZfDhr+MlOeH7o0EBmUEiy2 uNIj9D6VaXeThLBMzyOeZRAVgutqSGxCiBraZ2hVGCQ5Xdet2XuJtUMq gZEn7uS6B8d5iIRDhsiOZ2eGUfZqReXaoE9YFBROvvyn0tosoqwW7YUZ 1Yc6gItyh2p7T8s3VBu1H4K8+vSkggEIMIIBBKADAgESooH8BIH56H4C tKcmdKBDujhBN3UmWECEm1stlWq1CcmSqtYmU6LpWa2duyX4rUDHfHVC 1eHhxrWB9mdEb3DKPHiJrJ0vLOuKJprPFEJpf/RGJylnglPs0JCf0Caa dGZpgeXCQ10xNIdKFsxzcgSChF5ClYK5A+Axg8zxVnLnNKCLR3TGdMrJ +YIOe04oHl4SdREVP09IrtubcOZSJeG3lRt4v/NHHuSMXXb337y/7ErU 1/8YoSs1K3H9du22vLF2VxB8k70DDtDKKpYFj1PzNXD5Tk7yuuWb//Ze voVsTc9g86212KzDYOfDdaN5JM2j51R/O/ummcYw8GnqR5Kt 0

recvmsg reply from GSS-TSIG query
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 14301
;; flags: qr ra; QUESTION: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;2603545440.sig-freeipa-01.dev.mcs.az-eastus2.mob.nuance.com. ANY TKEY

*response to GSS-TSIG query was unsuccessful*