Still true.  :-)

#  ipa dnszone-show dev.mcs.az-eastus2.mob.nuance.com --all

  dn: idnsname=dev.mcs.az-eastus2.mob.nuance.com.,cn=dns,dc=mob,dc=nuance,dc=com

  Zone name: dev.mcs.az-eastus2.mob.nuance.com.

  Active zone: TRUE

  Managedby permission: cn=Manage DNS zone dev.mcs.az-eastus2.mob.nuance.com.,cn=permissions,cn=pbac,dc=mob,dc=nuance,dc=com

  Authoritative nameserver: freeipa-01.prod.mcs.som.mob.nuance.com.

  Administrator e-mail address: hostmaster

  SOA serial: 1496769265

  SOA refresh: 3600

  SOA retry: 900

  SOA expire: 1209600

  SOA minimum: 3600

  BIND update policy: grant MOB.NUANCE.COM krb5-self * A; grant MOB.NUANCE.COM krb5-self * AAAA; grant MOB.NUANCE.COM krb5-self * SSHFP;

  Dynamic update: TRUE

  Allow query: any;

  Allow transfer: none;

  Allow PTR sync: TRUE

  nsrecord: freeipa-01.prod.mcs.som.mob.nuance.com.,
freeipa-02.dev.mcs.az-eastus2.mob.nuance.com.,
freeipa-01.dev.mcs.az-eastus2.mob.nuance.com.

  objectclass: idnszone, top, idnsrecord, ipadnszone

On Wed, Jun 7, 2017 at 3:31 AM, Martin Bašti <mba...@redhat.com> wrote:

> I meant dynamic updates in zone config.  ipa dnszone-show
> dev.mcs.az-eastus2.mob.nuance.com --all
>
> On 06.06.2017 19:08, Josh Pavel wrote:
>
> Dynamic updates are enabled:
>
>
> dynamic-db "ipa" {
>
> library "ldap.so";
>
> arg "uri ldapi://%2fvar%2frun%2fslapd-MOB-NUANCE-COM.socket";
>
> arg "base cn=dns, dc=mob,dc=nuance,dc=com";
>
> arg "server_id freeipa-01.dev.mcs.az-eastus2.mob.nuance.com";
>
> arg "auth_method sasl";
>
> arg "sasl_mech GSSAPI";
>
> arg "sasl_user DNS/freeipa-01.dev.mcs.az-eastus2.mob.nuance.com";
>
> arg "serial_autoincrement yes";
>
> };
>
>
> Nothing was logged at the default level (dynamic), but I changed it to
> debug 10. Nothing strikes me when I look at that log... everything I see
> has query approved, the only thing that surprised me a bit was that the
> requests are signed - I'm not sure if they're supposed to be or not.
>
> Here's a snippet - as you'd expect from debug 10, there are a lot of logs.
>
>
>
> 06-Jun-2017 15:54:22.214 client 10.0.3.7#46182: UDP request
>
> 06-Jun-2017 15:54:22.214 client 10.0.3.7#46182: using view '_default'
>
> 06-Jun-2017 15:54:22.214 client 10.0.3.7#46182: request is not signed
>
> 06-Jun-2017 15:54:22.214 client 10.0.3.7#46182: recursion available
>
> 06-Jun-2017 15:54:22.214 client 10.0.3.7#46182: query
>
> 06-Jun-2017 15:54:22.214 client 10.0.3.7#46182 (
> metrics-frontend-01.dev.mcs.az-eastus2.mob.nuance.com): ns_client_attach:
> ref = 1
>
> 06-Jun-2017 15:54:22.214 client 10.0.3.7#46182 (
> metrics-frontend-01.dev.mcs.az-eastus2.mob.nuance.com): query (cache) '
> metrics-frontend-01.dev.mcs.az-eastus2.mob.nuance.com/AAAA/IN' approved
>
> 06-Jun-2017 15:54:22.214 client 10.0.3.7#46182 (
> metrics-frontend-01.dev.mcs.az-eastus2.mob.nuance.com): replace
>
> 06-Jun-2017 15:54:23.525 client 10.0.3.7#46182 (
> metrics-frontend-01.dev.mcs.az-eastus2.mob.nuance.com): send
>
> 06-Jun-2017 15:54:23.525 client 10.0.3.7#46182 (
> metrics-frontend-01.dev.mcs.az-eastus2.mob.nuance.com): sendto
>
> 06-Jun-2017 15:54:23.525 client 10.0.3.7#46182 (
> metrics-frontend-01.dev.mcs.az-eastus2.mob.nuance.com): senddone
>
> 06-Jun-2017 15:54:23.525 client 10.0.3.7#46182 (
> metrics-frontend-01.dev.mcs.az-eastus2.mob.nuance.com): next
>
> 06-Jun-2017 15:54:23.525 client 10.0.3.7#46182 (
> metrics-frontend-01.dev.mcs.az-eastus2.mob.nuance.com): ns_client_detach:
> ref = 0
>
> 06-Jun-2017 15:54:23.525 client 10.0.3.7#46182 (
> metrics-frontend-01.dev.mcs.az-eastus2.mob.nuance.com): endrequest
>
> 06-Jun-2017 15:54:23.525 client 10.0.3.7#46182 (
> metrics-frontend-01.dev.mcs.az-eastus2.mob.nuance.com): send
>
> 06-Jun-2017 15:54:23.525 client 10.0.3.7#46182 (
> metrics-frontend-01.dev.mcs.az-eastus2.mob.nuance.com): sendto
>
> 06-Jun-2017 15:54:23.525 client 10.0.3.7#46182 (
> metrics-frontend-01.dev.mcs.az-eastus2.mob.nuance.com): senddone
>
> 06-Jun-2017 15:54:23.525 client 10.0.3.7#46182 (
> metrics-frontend-01.dev.mcs.az-eastus2.mob.nuance.com): next
>
> 06-Jun-2017 15:54:23.525 client 10.0.3.7#46182 (
> metrics-frontend-01.dev.mcs.az-eastus2.mob.nuance.com): ns_client_detach:
> ref = 0
>
> 06-Jun-2017 15:54:23.525 client 10.0.3.7#46182 (
> metrics-frontend-01.dev.mcs.az-eastus2.mob.nuance.com): endrequest
>
> On Tue, Jun 6, 2017 at 7:41 AM, Martin Bašti <mba...@redhat.com> wrote:
>
>>
>>
>> On 06.06.2017 13:00, Martin Bašti via FreeIPA-users wrote:
>>
>>
>>
>> On 05.06.2017 20:39, Josh Pavel via FreeIPA-users wrote:
>>
>> I have a setup with 2 zones:
>>
>> My IPA realm is mob.nuance.com
>> My first IPA server was built out with the DNS zone
>> prod.mcs.som.mob.nuance.com
>> My second IPA server is in a DNS zone of dev.mcs.az-eastus2.mob.nuance.com
>>
>> I can successfully add client to my first IPA server, and everything
>> works as expected, including DNS updates.
>> When I add clients to my second IPA server, they complete successfully
>> for everything except updating DNS.
>>
>> I recreated the DNS Update file from ipa-client install log, and executed
>> it manually as "admin" with debug. Any ideas what is wrong?
>>
>> # kinit admin
>>
>> Password for ad...@mob.nuance.com:
>>
>> # id admin
>>
>> uid=1294000000(admin) gid=1294000000(admins) groups=1294000000(admins)
>>
>> # getent passwd admin
>>
>> admin:*:1294000000:1294000000:Administrator:/home/admin:/bin/bash
>>
>> # kinit -k
>>
>> # klist
>>
>> Ticket cache: KEYRING:persistent:0:krb_ccache_3k4KdJI
>>
>> Default principal: host/metrics-frontend-01.dev.mcs.az-eastus2.mob.nuance....@mob.nuance.com
>>
>>
>> Valid starting       Expires              Service principal
>>
>> 06/05/2017 18:11:39  06/06/2017 18:11:39  krbtgt/mob.nuance....@mob.nuanCE.COM
>>
>> # nsupdate -v -g ./dns_update.txt
>>
>> Outgoing update query:
>>
>> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
>>
>> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
>>
>> ;; UPDATE SECTION:
>>
>> metrics-frontend-01.dev.mcs.az-eastus2.mob.nuance.com. 0 ANY A
>>
>>
>> Reply from SOA query:
>>
>> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id:  58840
>>
>> ;; flags: qr aa rd ra; QUESTION: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
>>
>> ;; QUESTION SECTION:
>>
>> ;metrics-frontend-01.dev.mcs.az-eastus2.mob.nuance.com. IN SOA
>>
>>
>> ;; AUTHORITY SECTION:
>>
>> dev.mcs.az-eastus2.mob.nuance.com. 0 IN SOA
>> freeipa-01.dev.mcs.az-eastus2.mob.nuance.com.
>> hostmaster.dev.mcs.az-eastus2.mob.nuance.com. 1496548206 3600 900
>> 1209600 3600
>>
>>
>> Found zone name: dev.mcs.az-eastus2.mob.nuance.com
>>
>> The master is: freeipa-01.dev.mcs.az-eastus2.mob.nuance.com
>>
>> start_gssrequest
>>
>> send_gssrequest
>>
>> Outgoing update query:
>>
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:  14301
>>
>> ;; flags:; QUESTION: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
>>
>> ;; QUESTION SECTION:
>>
>> ;2603545440.sig-freeipa-01.dev.mcs.az-eastus2.mob.nuance.com. ANY TKEY
>>
>>
>> ;; ADDITIONAL SECTION:
>>
>> 2603545440.sig-freeipa-01.dev.mcs.az-eastus2.mob.nuance.com. 0 ANY TKEY 
>> gss-tsig.
>> 1496686456 1496686456 3 NOERROR 750 
>>
>>
>> recvmsg reply from GSS-TSIG query
>>
>> ;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id:  14301
>>
>> ;; flags: qr ra; QUESTION: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
>>
>> ;; QUESTION SECTION:
>>
>> ;2603545440.sig-freeipa-01.dev.mcs.az-eastus2.mob.nuance.com. ANY TKEY
>>
>>
>> *response to GSS-TSIG query was unsuccessful*
>>
>>
>>
>>
>> _______________________________________________
>> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
>> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
>>
>>
>> Hello,
>>
>> please kinit as the host; only hosts are allowed to update their DNS records
>> over DDNS.
>>
>> kinit -kt /etc/krb5.keytab
>> nsupdate -v -g ....
>>
>> Could you please provide output of nsupdate from ipa-client-install log?
>>
>> Martin
>>
>> --
>> Martin Bašti
>> Software Engineer
>> Red Hat Czech
>>
>>
>>
>>
>>
>> I was told, and now I see, that you used the host principal. Could you please
>> check the zone settings of the zone dev.mcs.az-eastus2.mob.nuance.com: do you
>> have dynamic updates enabled?
>>
>> Do you have any error output in journalctl -u named-pkcs11 on the DNS
>> server?
>>
>> Martin
>>
>> --
>> Martin Bašti
>> Software Engineer
>> Red Hat Czech
>>
>>
>
> --
> Martin Bašti
> Software Engineer
> Red Hat Czech
>
>

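As an added illustration (not code from this thread, FreeIPA or BIND): a small Python evaluator for the krb5-self rules in the zone's "BIND update policy" shown above, which makes Martin's point concrete: a user principal such as admin@REALM never matches krb5-self, while a host principal is granted only for its own name and only for the listed record types. The policy string is copied from the dnszone-show output; the principals and record names in the comments and tests are constructed, and treating the rule's name field "*" as "any record name" is an assumption.

```python
import re
from collections import namedtuple

# Constructed copy of the "BIND update policy" line from the dnszone-show
# output in this thread (assumption: it is the zone's complete policy).
UPDATE_POLICY = (
    "grant MOB.NUANCE.COM krb5-self * A; "
    "grant MOB.NUANCE.COM krb5-self * AAAA; "
    "grant MOB.NUANCE.COM krb5-self * SSHFP;"
)

# action: grant/deny; identity: Kerberos realm for krb5-self; name: "*" here,
# assumed to mean any record name; types: covered record types (empty = any).
Rule = namedtuple("Rule", "action identity name types")

def parse_policy(policy):
    """Parse a BIND update-policy string; only krb5-self rules are handled."""
    rules = []
    for stmt in policy.split(";"):
        parts = stmt.split()
        if not parts:
            continue
        action, identity, matchtype, name, *types = parts
        if matchtype != "krb5-self":
            raise ValueError(f"unsupported match type {matchtype!r}")
        rules.append(Rule(action, identity, name, tuple(t.upper() for t in types)))
    return rules

def _norm(name):
    return name.rstrip(".").lower()  # ignore trailing dot and case

def krb5_self_allows(policy, principal, update_name, rtype):
    """True if the first matching krb5-self rule grants principal -> name/type.
    krb5-self maps host/<machine>@<REALM> to <machine>; a rule matches only
    when <REALM> equals its identity and <machine> equals the name being
    updated, so a user principal such as admin@REALM never matches.
    """
    m = re.fullmatch(r"host/([^@]+)@(.+)", principal)
    if not m:
        return False
    machine, realm = _norm(m.group(1)), m.group(2).upper()
    for rule in parse_policy(policy):
        if rule.identity.upper() != realm or _norm(update_name) != machine:
            continue
        if rule.name != "*" and _norm(rule.name) != _norm(update_name):
            continue
        if rule.types and rtype.upper() not in rule.types:
            continue
        return rule.action == "grant"
    return False
```

Note that this models only the update-policy check; the REFUSED TKEY reply in the thread happens earlier, during GSS-TSIG key negotiation, before any update-policy rule is consulted.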