Re: [Freeipa-users] Fwd: DNS update failing

2017-05-12 Thread Jason Sherrill
I apologize; nsupdate is working as intended. I was attempting to update a
client from the host ipa. I've a separate issue from clients when running

testbook3:etc jsherrill$ kinit -kt /etc/krb5.keytab


Thanks again!

On Fri, May 12, 2017 at 10:34 AM, Jason Sherrill <ja...@deeplocal.com>
wrote:

> The following log entry from *named-pkcs11* coincides with update
> attempts via nsupdate:
>
>
> May 12 10:07:49 ipa-1.int.dplcl.com named-pkcs11[1350]: client
> 10.0.1.5#47261/key host/ipa-1.int.dplcl.com\@INT.DPLCL.COM: updating zone
> 'int.dplcl.com/IN': update failed: rejected by secure update (REFUSED)
>
> The client is running macOS with network services configured to use
> 10.0.1.5 and the following /etc/resolv.conf:
>
> search int.dplcl.com
> nameserver 10.0.1.5
> nameserver 8.8.8.8
>
>
> Thanks!
>
>
> On Fri, May 12, 2017 at 9:27 AM, Martin Bašti <mba...@redhat.com> wrote:
>
>> Hello, could you check journalctl -u named-pkcs11 on server, there might
>> be more detailed description why it failed. What do you have configured in
>> /etc/resolv.conf on client side, is there directly IP address of the server?
>>
>> On 12.05.2017 15:04, Jason Sherrill wrote:
>>
>> Mistakenly failed to post to freeipa-users.
>> On Thu, May 11, 2017 at 4:09 AM, Martin Bašti <mba...@redhat.com> wrote:
>>
>>>
>>>
>>> On 10.05.2017 18:38, Jason Sherrill wrote:
>>>
>>> Hello,
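
The refusals in this thread all follow from how BIND matches update-policy rules, so here is a small model of that matching, added as an example and not code from the thread, FreeIPA or BIND. It implements the documented semantics of the two rule types the thread uses, krb5-self (the forward zone's policy exactly as printed by `ipa dnszone-show`) and tcp-self (the `grant * tcp-self *` rule added to the reverse zone), with type-list handling simplified and no other rule types modelled, and runs the thread's own cases through it. The named-pkcs11 log line shows the signing key was host/ipa-1.int.dplcl.com@INT.DPLCL.COM, the server's own host principal; krb5-self lets a principal host/MACHINE@REALM touch only the name MACHINE, so an update to testbook3.int.dplcl.com signed by that key is REFUSED, and the MacBook's first attempt (plain nsupdate, unsigned, over UDP) matches no rule at all. The scenario labels and the counter-examples (a wrong realm, a TXT record, an NS record, another host's PTR) are constructed for the example.

```python
"""Model of BIND update-policy matching for the krb5-self and tcp-self rules
in this thread. Added example, not BIND's code: it follows the documented rule
semantics closely enough to explain the REFUSED answers above, simplifies type
handling and models no other rule types. Names, principals and addresses are
the thread's own; the scenarios are constructed."""
import ipaddress
from dataclasses import dataclass

NEVER_BY_DEFAULT = {"RRSIG", "NS", "SOA", "NSEC", "NSEC3"}  # never granted by an empty type list


@dataclass(frozen=True)
class Rule:
    action: str       # "grant" or "deny"
    identity: str     # realm for krb5-self; wildcard name for tcp-self
    ruletype: str     # "krb5-self" or "tcp-self"; both ignore the NAME field
    types: frozenset  # empty means the default type set


def _norm(name: str) -> str:
    return name.rstrip(".").lower()


def parse_policy(text: str) -> list:
    """Parse 'grant|deny IDENTITY RULETYPE NAME [TYPE ...];' statements."""
    rules = []
    for stmt in text.split(";"):
        words = stmt.split()
        if not words:
            continue
        if len(words) < 4 or words[0] not in ("grant", "deny"):
            raise ValueError(f"malformed rule: {stmt.strip()!r}")
        action, identity, ruletype, _name, *types = words
        if ruletype not in ("krb5-self", "tcp-self"):
            raise ValueError(f"rule type not modelled here: {ruletype}")
        rules.append(Rule(action, _norm(identity), ruletype,
                          frozenset(t.upper() for t in types)))
    return rules


def _krb5_machine(principal: str, realm: str):
    """host/MACHINE@REALM in the given realm -> 'machine', else None."""
    service, _, prealm = principal.rpartition("@")
    if _norm(prealm) != realm or not service.startswith("host/"):
        return None
    return _norm(service[len("host/"):])


def check_update(rules, name, rtype, *, signer=None, src_ip=None, tcp=False):
    """First matching rule decides, as in BIND; no match means REFUSED.
    signer: GSS-TSIG principal, None if unsigned; src_ip/tcp: the transport."""
    name, rtype = _norm(name), rtype.upper()
    for rule in rules:
        if rule.ruletype == "krb5-self":
            # host/MACHINE@REALM may update only the name MACHINE itself
            if signer is None or _krb5_machine(signer, rule.identity) != name:
                continue
        else:  # tcp-self: TCP only, and only the PTR name of the source address
            if not tcp or src_ip is None:
                continue
            rev = ipaddress.ip_address(src_ip).reverse_pointer
            if rev != name or rule.identity not in ("*", rev):  # '*' or exact
                continue
        if rule.types and rtype not in rule.types:
            continue
        if not rule.types and rtype in NEVER_BY_DEFAULT:
            continue
        return rule.action == "grant"
    return False


# The thread's policies: the forward zone as printed by `ipa dnszone-show`
# (its second rule has no type list) and the reverse-zone rule the poster added.
FORWARD = parse_policy("grant INT.DPLCL.COM krb5-self * A; "
                       "grant INT.DPLCL.COM krb5-self * ; "
                       "grant INT.DPLCL.COM krb5-self * SSHFP;")
REVERSE = parse_policy("grant * tcp-self *;")
SERVER = "host/ipa-1.int.dplcl.com@INT.DPLCL.COM"    # the key in the named log line
CLIENT = "host/testbook3.int.dplcl.com@INT.DPLCL.COM"
T3, T3_PTR = "testbook3.int.dplcl.com", "36.1.0.10.in-addr.arpa"


def scenarios() -> dict:
    """Decisions for the updates seen in the thread plus constructed neighbours."""
    return {
        "server_keytab_updates_client": check_update(FORWARD, T3, "A", signer=SERVER),
        "client_updates_itself": check_update(FORWARD, T3, "A", signer=CLIENT),
        "client_updates_other_host": check_update(FORWARD, "ipa-1.int.dplcl.com", "A", signer=CLIENT),
        "wrong_realm": check_update(FORWARD, T3, "A", signer="host/testbook3.int.dplcl.com@EXAMPLE.COM"),
        "unsigned_udp_update": check_update(FORWARD, T3, "A", src_ip="10.0.1.36"),
        "client_adds_txt": check_update(FORWARD, T3, "TXT", signer=CLIENT),
        "client_adds_ns": check_update(FORWARD, T3, "NS", signer=CLIENT),
        "own_ptr_over_tcp": check_update(REVERSE, T3_PTR, "PTR", src_ip="10.0.1.36", tcp=True),
        "other_ptr_over_tcp": check_update(REVERSE, "37.1.0.10.in-addr.arpa", "PTR", src_ip="10.0.1.36", tcp=True),
        "own_ptr_over_udp": check_update(REVERSE, T3_PTR, "PTR", src_ip="10.0.1.36"),
    }


if __name__ == "__main__":
    for label, allowed in scenarios().items():
        print(f"{'NOERROR' if allowed else 'REFUSED':8} {label}")
```

Two things the run makes visible beyond the thread's own REFUSED: the forward zone's second rule carries no type list, and under BIND's documented default an empty list grants every type except RRSIG, NS, SOA, NSEC and NSEC3, so the policy as printed is broader than "A and SSHFP"; and tcp-self binds the PTR owner only to the TCP source address, a weaker proof of identity than the Kerberos principal krb5-self checks, which is worth remembering when copying `grant * tcp-self *` into a zone.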

[Freeipa-users] Fwd: DNS update failing

2017-05-12 Thread Jason Sherrill
Mistakenly failed to post to freeipa-users.

-- Forwarded message --
From: Jason Sherrill <ja...@deeplocal.com>
Date: Thu, May 11, 2017 at 9:16 AM
Subject: Re: [Freeipa-users] DNS update failing
To: Martin Bašti <mba...@redhat.com>


Thank you for the assistance, Martin. The reverse zone is working because
of a policy I'd added: grant * tcp-self *. The same entry for the forward
zone did not work. I ran the manual update as described and was refused.
It seems GSS-TSIG is working, but the update is still refused:

[root@ipa-1 jsherrill]# kinit -kt /etc/krb5.keytab
[root@ipa-1 jsherrill]# nsupdate -g
> debug
> update add testbook3.int.dplcl.com. 86400 a 10.0.1.36
>
Reply from SOA query:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:  45996
;; flags: qr aa rd ra; QUESTION: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;testbook3.int.dplcl.com. IN SOA

;; AUTHORITY SECTION:
int.dplcl.com. 3600 IN SOA ipa-1.int.dplcl.com. hostmaster.int.dplcl.com. 1494432187 3600 900 1209600 3600

Found zone name: int.dplcl.com
The master is: ipa-1.int.dplcl.com
start_gssrequest
Found realm from ticket: INT.DPLCL.COM
send_gssrequest
Outgoing update query:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:  23945
;; flags:; QUESTION: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;3601322568.sig-ipa-1.int.dplcl.com. ANY TKEY

;; ADDITIONAL SECTION:
3601322568.sig-ipa-1.int.dplcl.com. 0 ANY TKEY gss-tsig.

recvmsg reply from GSS-TSIG query
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:  23945
;; flags: qr ra; QUESTION: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;3601322568.sig-ipa-1.int.dplcl.com. ANY TKEY

;; ANSWER SECTION:
3601322568.sig-ipa-1.int.dplcl.com. 0 ANY TKEY gss-tsig.

Sending update to 10.0.1.5#53
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:  13230
;; flags:; ZONE: 1, PREREQ: 0, UPDATE: 1, ADDITIONAL: 1
;; UPDATE SECTION:
testbook3.int.dplcl.com. 86400 IN A 10.0.1.36

;; TSIG PSEUDOSECTION:
3601322568.sig-ipa-1.int.dplcl.com. 0 ANY TSIG gss-tsig. 13230 NOERROR 0

Reply from update query:
;; ->>HEADER<<- opcode: UPDATE, status: REFUSED, id:  13230
;; flags: qr ra; ZONE: 1, PREREQ: 0, UPDATE: 0, ADDITIONAL: 1
;; ZONE SECTION:
;int.dplcl.com. IN SOA

;; TSIG PSEUDOSECTION:
3601322568.sig-ipa-1.int.dplcl.com. 0 ANY TSIG gss-tsig. 13230 NOERROR 0



On Thu, May 11, 2017 at 4:09 AM, Martin Bašti <mba...@redhat.com> wrote:

>
>
> On 10.05.2017 18:38, Jason Sherrill wrote:

[Freeipa-users] DNS update failing

2017-05-10 Thread Jason Sherrill
Hello,

I've recently implemented freeIPA in a mixed environment of Mac OS 10.12
and Windows 10 with limited issues!

One issue is that updating the reverse zone via nsupdate works without
issue, but updating the forward zone results in a REFUSED status. Below is
my zone config, named.conf, and an example of client-side behavior. I'm
new to nearly all systems involved; misconfiguration is likely. Thanks!


From the freeIPA server:

#  ipa dnszone-show int.dplcl.com --all
  dn: idnsname=int.dplcl.com.,cn=dns,dc=int,dc=dplcl,dc=com
  Zone name: int.dplcl.com.
  Active zone: TRUE
  Authoritative nameserver: ipa-1.int.dplcl.com.
  Administrator e-mail address: hostmaster.int.dplcl.com.
  SOA serial: 1494344164
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  BIND update policy: grant INT.DPLCL.COM krb5-self * A; grant INT.DPLCL.COM krb5-self * ; grant INT.DPLCL.COM krb5-self * SSHFP;
  Dynamic update: TRUE
  Allow query: any;
  Allow transfer: none;
  Allow PTR sync: TRUE
  Allow in-line DNSSEC signing: FALSE
  nsrecord: ipa-1.int.dplcl.com.
  objectclass: idnszone, top, idnsrecord, ipadnszone

/etc/named.conf from the IPA server:

options {
   // turns on IPv6 for port 53, IPv4 is on by default for all ifaces
   listen-on-v6 {any;};
   // Put files that named is allowed to write in the data/ directory:
   directory "/var/named"; // the default
   dump-file   "data/cache_dump.db";
   statistics-file "data/named_stats.txt";
   memstatistics-file  "data/named_mem_stats.txt";
   // Any host is permitted to issue recursive queries
   allow-recursion { any; };
   tkey-gssapi-keytab "/etc/named.keytab";
   pid-file "/run/named/named.pid";
   dnssec-enable no;
   dnssec-validation no;
   /* Path to ISC DLV key */
   bindkeys-file "/etc/named.iscdlv.key";
   managed-keys-directory "/var/named/dynamic";
};

/* If you want to enable debugging, eg. using the 'rndc trace' command,
 * By default, SELinux policy does not allow named to modify the /var/named directory,
 * so put the default debug log file in data/ :
 */
logging {
   channel default_debug {
      file "data/named.run";
      severity dynamic;
      print-time yes;
   };
};

zone "." IN {
   type hint;
   file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

dynamic-db "ipa" {
   library "ldap.so";
   arg "uri ldapi://%2fvar%2frun%2fslapd-INT-DPLCL-COM.socket";
   arg "base cn=dns, dc=int,dc=dplcl,dc=com";
   arg "server_id ipa-1.int.dplcl.com";
   arg "auth_method sasl";
   arg "sasl_mech GSSAPI";
   arg "sasl_user DNS/ipa-1.int.dplcl.com";
   arg "serial_autoincrement yes";
};


From the client MacBook:

testbook3:etc jsherrill$ nsupdate
> debug
> update add testbook3.int.dplcl.com 86400 a 10.0.1.36
>
Reply from SOA query:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id:   3049
;; flags: qr aa rd ra; QUESTION: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;testbook3.int.dplcl.com. IN SOA

;; AUTHORITY SECTION:
int.dplcl.com. 0 IN SOA ipa-1.int.dplcl.com. hostmaster.int.dplcl.com. 1494425173 3600 900 1209600 3600

Found zone name: int.dplcl.com
The master is: ipa-1.int.dplcl.com
Sending update to 10.0.1.5#53
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:  33167
;; flags:; ZONE: 1, PREREQ: 0, UPDATE: 1, ADDITIONAL: 0
;; UPDATE SECTION:
testbook3.int.dplcl.com. 86400 IN A 10.0.1.36

Reply from update query:
;; ->>HEADER<<- opcode: UPDATE, status: REFUSED, id:  33167
;; flags: qr ra; ZONE: 1, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; ZONE SECTION:
;int.dplcl.com. IN SOA
-- 


*Jason Sherrill*
Deeplocal Inc. <http://deeplocal.com/>
mobile: 412-636-2073
office: 412-362-0201
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project