On 05.06.2017 20:39, Josh Pavel via FreeIPA-users wrote:
I have a setup with 2 zones:
My IPA realm is mob.nuance.com
My first IPA server was built out with the DNS zone
prod.mcs.som.mob.nuance.com
My second IPA server is in a DNS zone of
dev.mcs.az-eastus2.mob.nuance.com
I can successfully add clients to my first IPA server, and everything
works as expected, including DNS updates.
When I add clients to my second IPA server, they complete successfully
for everything except updating DNS.
I recreated the DNS Update file from ipa-client install log, and
executed it manually as "admin" with debug. Any ideas what is wrong?
# kinit admin
Password for ad...@mob.nuance.com:
# id admin
uid=1294000000(admin) gid=1294000000(admins) groups=1294000000(admins)
# getent passwd admin
admin:*:1294000000:1294000000:Administrator:/home/admin:/bin/bash
# kinit -k
# klist
Ticket cache: KEYRING:persistent:0:krb_ccache_3k4KdJI
Default principal: host/metrics-frontend-01.dev.mcs.az-eastus2.mob.nuance....@mob.nuance.com
Valid starting       Expires              Service principal
06/05/2017 18:11:39  06/06/2017 18:11:39  krbtgt/mob.nuance....@mob.nuance.com
# nsupdate -v -g ./dns_update.txt
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
metrics-frontend-01.dev.mcs.az-eastus2.mob.nuance.com. 0 ANY A
Reply from SOA query:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 58840
;; flags: qr aa rd ra; QUESTION: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;metrics-frontend-01.dev.mcs.az-eastus2.mob.nuance.com. IN SOA
;; AUTHORITY SECTION:
dev.mcs.az-eastus2.mob.nuance.com. 0 IN SOA freeipa-01.dev.mcs.az-eastus2.mob.nuance.com. hostmaster.dev.mcs.az-eastus2.mob.nuance.com. 1496548206 3600 900 1209600 3600
Found zone name: dev.mcs.az-eastus2.mob.nuance.com
The master is: freeipa-01.dev.mcs.az-eastus2.mob.nuance.com
start_gssrequest
send_gssrequest
Outgoing update query:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14301
;; flags:; QUESTION: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;2603545440.sig-freeipa-01.dev.mcs.az-eastus2.mob.nuance.com. ANY TKEY
;; ADDITIONAL SECTION:
2603545440.sig-freeipa-01.dev.mcs.az-eastus2.mob.nuance.com. 0 ANY TKEY gss-tsig. 1496686456 1496686456 3 NOERROR 750
recvmsg reply from GSS-TSIG query
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 14301
;; flags: qr ra; QUESTION: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;2603545440.sig-freeipa-01.dev.mcs.az-eastus2.mob.nuance.com. ANY TKEY
*response to GSS-TSIG query was unsuccessful*
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Hello,
Please kinit as host; only hosts are allowed to update their DNS records
over DDNS:
kinit -kt /etc/krb5.keytab
nsupdate -v -g ....
Could you please provide output of nsupdate from ipa-client-install log?
Martin
--
Martin Bašti
Software Engineer
Red Hat Czech
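
A pre-flight check for the advice above, as an added example that is not part of the original thread: it reads the default principal from `klist` output, confirms it is the host principal for a given FQDN, and extracts the status of the server's TKEY reply from `nsupdate -v -g` debug output. The hostname, realm and both sample outputs are constructed, and the function names are illustrative.

```shell
#!/bin/sh
# Added example. Hostname, realm and both sample outputs are constructed.

# Print the default principal from `klist` output read on stdin. Accepts the
# principal on the "Default principal:" line or wrapped onto the next line.
default_principal() {
    awk '
        /^Default principal:/ {
            sub(/^Default principal:[ \t]*/, "")
            if ($0 != "") { print; exit }
            want = 1; next
        }
        want && NF { print $1; exit }
    '
}

# Succeed only if principal $1 is host/<FQDN $2>@<some realm>.
is_host_principal_for() {
    case "$1" in
        "host/$2@"?*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the status code of the server's reply to the GSS-TSIG (TKEY)
# negotiation, taken from `nsupdate -v -g` debug output read on stdin.
tkey_reply_status() {
    awk '
        /reply from GSS-TSIG query/ { seen = 1; next }
        seen && match($0, /status: [A-Z]+/) {
            print substr($0, RSTART + 8, RLENGTH - 8); exit
        }
    '
}

SAMPLE_KLIST='Ticket cache: KEYRING:persistent:0:krb_ccache_EXAMPLE
Default principal:
host/client1.example.test@EXAMPLE.TEST'

SAMPLE_NSUPDATE='send_gssrequest
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1
recvmsg reply from GSS-TSIG query
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 1'

princ=$(printf '%s\n' "$SAMPLE_KLIST" | default_principal)
if is_host_principal_for "$princ" client1.example.test; then
    echo "credential cache holds the host principal: $princ"
fi
echo "TKEY reply: $(printf '%s\n' "$SAMPLE_NSUPDATE" | tkey_reply_status)"
```

On a client, pipe real `klist` output into `default_principal` and the captured `nsupdate -v -g` output into `tkey_reply_status` instead of the samples.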