On Wed, May 14, 2014 at 10:57:04AM +0200, Petr Spacek wrote:
> On 13.5.2014 21:32, Dmitri Pal wrote:
> >On 05/13/2014 02:12 PM, Bob wrote:
> >>I ran
> >>
> >>ipa dnszone-mod vh1.vzwnet.com
> >>--update-policy="grant bob-key name test.vh1.vzwnet.com.;"
> >>
> >>I then execute the nsupdate:
> >>
> >>[root@nj51rhidms16v ~]# ./bobtest.sh
> >>; TSIG error with server: tsig indicates error
> >>update failed: NOTAUTH(BADKEY)
> >>
> >>
> >>[root@nj51rhidms16v ~]# cat ./bobtest.sh
> >>#!/bin/ksh
> >>#
> >>keyfile=bob-key:hkVEYuIRUGaytJRHPd0tww==
> >>print "update add test.vh1.vzwnet.com 90 CNAME txslxngda5.nss.vzwnet.com\n"|nsupdate -y $keyfile
> >>
> >>[root@nj51rhidms16v log]# tail daemon
> >>May 13 03:20:04 nj51rhidms16v [sssd[ldap_child[11987]]]: Error processing
> >>keytab file [default]: Principal
> >>[host/nj51rhidms16v.nss.vzwnet....@ipa.nss.vzwnet.com] was not found.
> >>Unable to create GSSAPI-encrypted LDAP connection.
> >>May 13 03:20:04 nj51rhidms16v [sssd[ldap_child[11987]]]: Error writing to
> >>key table
> >>May 13 04:45:42 nj51rhidms16v rhnsd[12406]: running program
> >>/usr/sbin/rhn_check
> >>May 13 08:45:42 nj51rhidms16v rhnsd[12962]: running program
> >>/usr/sbin/rhn_check
> >>May 13 12:08:55 nj51rhidms16v [sssd[ldap_child[13470]]]: Error processing
> >>keytab file [default]: Principal
> >>[host/nj51rhidms16v.nss.vzwnet....@ipa.nss.vzwnet.com] was not found.
> >>Unable to create GSSAPI-encrypted LDAP connection.
> >>May 13 12:08:55 nj51rhidms16v [sssd[ldap_child[13470]]]: Error writing to
> >>key table
> >>May 13 12:45:42 nj51rhidms16v rhnsd[13543]: running program
> >>/usr/sbin/rhn_check
> >>May 13 14:07:59 nj51rhidms16v named[27438]: client 10.194.96.47#15739:
>
> All errors above are irrelevant to nsupdate. It points to a problem
> with SSSD configuration but this should not affect nsupdate with
> TSIG at all.
Hi,

sorry to come late to the thread, I'm catching up on freeipa-users.

I agree with Petr that this is a generic failure related to a wrong
keytab. Does "klist -k" list the keys you would expect to have in the
keytab? Does "kinit -k" allow you to kinit using the keytab?

I would expect one or both of them to fail, in which case you should
either re-enroll the client or just fetch a new keytab using
ipa-getkeytab.

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
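The thread's point is that the two failures live in different credential paths: nsupdate -y signs the update with a TSIG shared secret, while the ldap_child errors come from the host's Kerberos keytab, which nsupdate never reads. The script below is an added triage helper, not code from the thread or from FreeIPA; it parses the nsupdate result, groups the pasted syslog lines by originating program so the SSSD noise can be set aside, and validates the nsupdate -y key argument. All sample input is constructed here (the named log line in particular is a constructed placeholder in the BIND message style, not a line from the post), and the TSIG error meanings follow RFC 2845. The keytab checks themselves (klist -k, kinit -k) stay as the reply describes them.

```python
import base64
import binascii
import re

# Constructed sample input modelled on the thread's paste. The named line is
# a constructed placeholder; the post itself was cut off at that point.
NSUPDATE_OUTPUT = """\
; TSIG error with server: tsig indicates error
update failed: NOTAUTH(BADKEY)
"""

SYSLOG_SAMPLE = """\
May 13 03:20:04 nj51rhidms16v [sssd[ldap_child[11987]]]: Error processing keytab file [default]: Principal [host/HOST@REALM] was not found. Unable to create GSSAPI-encrypted LDAP connection.
May 13 03:20:04 nj51rhidms16v [sssd[ldap_child[11987]]]: Error writing to key table
May 13 04:45:42 nj51rhidms16v rhnsd[12406]: running program /usr/sbin/rhn_check
May 13 14:07:59 nj51rhidms16v named[27438]: client 10.194.96.47#15739: request has invalid signature: TSIG bob-key: tsig verify failure (BADKEY)
"""

# The nsupdate -y argument as posted: [algorithm:]keyname:base64secret
KEYSPEC = "bob-key:hkVEYuIRUGaytJRHPd0tww=="

# "Mon DD HH:MM:SS host program" - the program may be wrapped in brackets
# ("[sssd[ldap_child[pid]]]") or followed by "[pid]" ("named[27438]").
SYSLOG_RE = re.compile(r"^(\w{3}\s+\d+\s+[\d:]+)\s+(\S+)\s+\[?([A-Za-z_-]+)")
RCODE_RE = re.compile(r"update failed:\s*(\w+)(?:\((\w+)\))?")

# TSIG error codes carried in the NOTAUTH response (RFC 2845 section 1.7).
TSIG_ERRORS = {
    "BADSIG": "server knows the key name but the MAC did not verify: secret mismatch",
    "BADKEY": "server has no key with this name: check the key name and the server's key configuration",
    "BADTIME": "signature time outside the fudge window: clock skew between client and server",
}


def parse_nsupdate_result(output):
    """Return (rcode, tsig_error) from nsupdate's 'update failed:' line, or (None, None)."""
    m = RCODE_RE.search(output)
    if not m:
        return (None, None)
    return (m.group(1), m.group(2))


def classify_syslog(text):
    """Group syslog lines by originating program so DNS-server messages can be
    read separately from unrelated SSSD/Kerberos keytab messages."""
    groups = {}
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        prog = m.group(3) if m else "unknown"
        groups.setdefault(prog, []).append(line)
    return groups


def parse_tsig_keyspec(keyspec):
    """Parse nsupdate's -y argument and validate the secret is base64.
    nsupdate assumes hmac-md5 when no algorithm prefix is given."""
    parts = keyspec.split(":")
    if len(parts) == 2:
        algorithm, name, secret = "hmac-md5", parts[0], parts[1]
    elif len(parts) == 3:
        algorithm, name, secret = parts
    else:
        raise ValueError("expected [hmac:]keyname:base64secret")
    try:
        raw = base64.b64decode(secret, validate=True)
    except binascii.Error as exc:
        raise ValueError("secret is not valid base64") from exc
    return {"algorithm": algorithm.lower(), "name": name, "secret_bytes": len(raw)}


def triage(nsupdate_output, syslog_text, keyspec):
    """Combine the three inputs into a verdict a responder can act on."""
    rcode, tsig_err = parse_nsupdate_result(nsupdate_output)
    groups = classify_syslog(syslog_text)
    key = parse_tsig_keyspec(keyspec)
    named_hits = [l for l in groups.get("named", []) if key["name"] in l]
    return {
        "rcode": rcode,
        "tsig_error": tsig_err,
        "tsig_failure": rcode == "NOTAUTH" and tsig_err in TSIG_ERRORS,
        "explanation": TSIG_ERRORS.get(tsig_err, "no TSIG-level error reported"),
        "key": key,
        "named_lines_for_key": named_hits,
        # Keytab problems belong to the Kerberos path; nsupdate -y never opens a keytab,
        # so these count as noise for this particular failure.
        "unrelated_keytab_errors": len(groups.get("sssd", [])),
    }


if __name__ == "__main__":
    result = triage(NSUPDATE_OUTPUT, SYSLOG_SAMPLE, KEYSPEC)
    print(f"{result['rcode']}({result['tsig_error']}): {result['explanation']}")
    print(f"key {result['key']['name']} ({result['key']['algorithm']}, "
          f"{result['key']['secret_bytes']}-byte secret)")
    for line in result["named_lines_for_key"]:
        print("named:", line)
    print(f"{result['unrelated_keytab_errors']} SSSD keytab lines ignored")
```

On the posted input this reports NOTAUTH(BADKEY), which points at the key name as seen by the DNS server rather than at the host keytab; the SSSD lines are counted and set aside. Passing the secret on the command line with -y also exposes it to other local users via the process list, so a key file read with -k is the usual choice for anything beyond a one-off test.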