On 23 March 2015 at 10:35, Petr Spacek <[email protected]> wrote:

> On 23.3.2015 10:21, Roberto Cornacchia wrote:
> > About the DNS update, this is what the debug log has to say:
> >
> > Found zone name: hq.example.com
> > The master is: ipa.hq.example.com
> > start_gssrequest
> > Found realm from ticket: HQ.EXAMPLE.COM
> > send_gssrequest
> > *; Communication with 192.168.0.72#53 failed: operation canceled*
> > *Reply from SOA query:*
> > ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4923
> > ;; flags: qr ra; QUESTION: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
> > ;; QUESTION SECTION:
> > ;1835417091.sig-ipa.hq.example.com. ANY TKEY
> >
> > response to SOA query was unsuccessful
>
> - Please verify that 192.168.0.72 is the correct IP address of the FreeIPA
> server.
>

Positive

> - Please check named.logs on the server side to see if there are any
> complaints
> about unsuccessful key negotiation with client.
>

I raised named's log level to debug 10 and restarted. Ran ipa-client-install again.

The log shows many queries from the client, for A/AAA/SOA record types, both about the server and the client. All approved, no problem. The log does not seem to contain a single failure / rejection.

However:
1) The client reports that response to SOA query was unsuccessful. The server log does not say anything about this.
2) The server log does not contain any update request.

> > Notice that this is *different* from what I got before the chronyd change.
> > Before, there was not even a reply:
> >
> > Found zone name: hq.example.com
> > The master is: ipa.hq.example.com
> > start_gssrequest
> > Found realm from ticket: HQ.EXAMPLE.COM
> > send_gssrequest
> > *; Communication with 192.168.0.72#53 failed: operation canceled*
> > *could not reach any name server*
>
> Interesting, this should not be related to time synchronization in any way.
> DNS server simply did not return any answer.
>
> --
> Petr^2 Spacek
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
