Dont allow clients to ddns update. Force the update to occur from dhcpd to named On Apr 3, 2014 1:53 PM, "Simo Sorce" <s...@redhat.com> wrote:
On Thu, 2014-04-03 at 10:38 -0700, Andy Tomlin wrote: > I posted this on the DHCP mailing list, but think it may belong here > instead. > > > > I am running Centos 6.5 and have installed ipa to allow all our linux > machines to authenticate. We have windows machines that get their ip address > from server and since installing ipa the ddns no longer works. Googling > around does not show much help. The key files match. There is a bug in kerberos libraries that prevent Windows clients from successfully performing DDNS against BIND servers that we fixed only recently. This is the fedora bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1066000 Not sure if this has been backported to RHEL/CentOS tbh. This is for Windows clients directly performing DDNS updates using GSS-TSIG. -- Now reading the following lines it seem you are mixing GSS-TSIG and plain TSIG, well you can't do that. ATM I think we accept only GSS-TSIG updates in IPA, while BIND DHCP seem to be capable only of TSIG updates. CCing Petr as he may have some ideas on whether this is something we can work around. Simo. > > > My named.conf is as follows: > > > > [root@alfred ~]# cat /etc/named.conf > > options { > > // turns on IPv6 for port 53, IPv4 is on by default for all ifaces > > listen-on-v6 {any;}; > > listen-on port 53 { 127.0.0.1; 10.0.1.2; }; > > > > // Put files that named is allowed to write in the data/ directory: > > directory "/var/named"; // the default > > dump-file "data/cache_dump.db"; > > statistics-file "data/named_stats.txt"; > > memstatistics-file "data/named_mem_stats.txt"; > > > > //forward first; > > //forwarders { > > // 192.168.1.254; > > // 8.8.8.8; > > //}; > > > > // Any host is permitted to issue recursive queries > > allow-recursion { any; }; > > > > tkey-gssapi-credential "DNS/alfred.xxxxxxx.com"; > > tkey-domain "xxxxxxx.COM"; > > }; > > > > include "/etc/named/ddns.key"; > > > > /* If you want to enable debugging, eg. using the 'rndc trace' command, > > * By default, SELinux policy does not allow named to modify the /var/named > directory, > > * so put the default debug log file in data/ : > > */ > > logging { > > channel default_debug { > > file "data/named.run"; > > severity dynamic; > > }; > > }; > > > > zone "." IN { > > type hint; > > file "named.ca"; > > }; > > > > include "/etc/named.rfc1912.zones"; > > > > dynamic-db "ipa" { > > library "ldap.so"; > > arg "uri ldapi://%2fvar%2frun%2fslapd-xxxxxxx-COM.socket"; > > arg "base cn=dns, dc=xxxxxxx,dc=com"; > > arg "fake_mname alfred.xxxxxxx.com."; > > arg "auth_method sasl"; > > arg "sasl_mech GSSAPI"; > > arg "sasl_user DNS/alfred.xxxxxxx.com"; > > arg "zone_refresh 0"; > > arg "psearch yes"; > > arg "serial_autoincrement yes"; > > }; > > > > My dhcpd.conf is as follows: > > [root@alfred ~]# cat /etc/dhcp/dhcpd.conf > > # dhcpd.conf > > # > > # Sample configuration file for ISC dhcpd > > # > > > > # option definitions common to all supported networks... > > option domain-name "xxxxxxx.com"; > > option domain-name-servers 10.0.1.2, 8.8.8.8, 8.8.4.4; > > > > ddns-updates on; > > ddns-update-style interim; > > ignore client-updates; > > update-static-leases on; > > > > default-lease-time 600; > > max-lease-time 7200; > > > > # Use this to enble / disable dynamic dns updates globally. > > #ddns-update-style none; > > > > # If this DHCP server is the official DHCP server for the local > > # network, the authoritative directive should be uncommented. > > authoritative; > > > > # Use this to send dhcp log messages to a different log file (you also > > # have to hack syslog.conf to complete the redirection). > > log-facility local7; > > > > # No service will be given on this subnet, but declaring it helps the > > # DHCP server to understand the network topology. > > > > #subnet 10.152.187.0 netmask 255.255.255.0 { > > #} > > > > include "/etc/dhcp/ddns.key"; > > > > zone xxxxxxx.com. { > > primary 127.0.0.1; > > key DDNS_UPDATE; > > } > > > > zone 2.0.10.in-addr.arpa. { > > primary 127.0.0.1; > > key DDNS_UPDATE; > > } > > > > # This is a very basic subnet declaration. > > > > subnet 10.0.0.0 netmask 255.255.0.0 { > > range 10.0.2.50 10.0.2.250; > > option routers 10.0.1.2; > > } > > > > [root@alfred ~]# > > > > When windows client gets a dhcp address, the following is in the log > > > > [root@alfred ~]# tail -n50 /var/log/messages > > Apr 2 19:40:50 alfred named[8491]: client 127.0.0.1#59786: updating zone > 'xxxxxxx.com/IN': update failed: rejected by secure update (REFUSED) > > Apr 2 19:40:50 alfred dhcpd: Unable to add forward map from > atomlin.xxxxxxx.com to 10.0.2.51: timed out > > Apr 2 19:40:50 alfred dhcpd: DHCPREQUEST for 10.0.2.51 from > 0c:54:a5:08:5f:cc (atomlin) via eth0 > > Apr 2 19:40:50 alfred dhcpd: DHCPACK on 10.0.2.51 to 0c:54:a5:08:5f:cc > (atomlin) via eth0 > > [root@alfred ~]# > > > > > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users@redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users -- Simo Sorce * Red Hat, Inc * New York _______________________________________________ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
_______________________________________________ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
