On 05.06.2017 20:39, Josh Pavel via FreeIPA-users wrote:
I have a setup with 2 zones.
My IPA realm is mob.nuance.com. My first IPA server was built out with the DNS zone prod.mcs.som.mob.nuance.com. My second IPA server is in a DNS zone of dev.mcs.az-eastus2.mob.nuance.com.
I can successfully add clients to my first IPA server, and everything works as expected, including DNS updates. When I add clients to my second IPA server, they complete successfully for everything except updating DNS.
I recreated the DNS update file from the ipa-client-install log and executed it manually as "admin" with debug. Any ideas what is wrong?
# kinit admin
Password for admin@MOB.NUANCE.COM:
# id admin
uid=1294000000(admin) gid=1294000000(admins) groups=1294000000(admins)
# getent passwd admin
admin:*:1294000000:1294000000:Administrator:/home/admin:/bin/bash
# kinit -k
# klist
Ticket cache: KEYRING:persistent:0:krb_ccache_3k4KdJI
Default principal: host/metrics-frontend-01.dev.mcs.az-eastus2.mob.nuance.com@MOB.NUANCE.COM
Valid starting Expires Service principal
06/05/2017 18:11:39 06/06/2017 18:11:39 krbtgt/MOB.NUANCE.COM@MOB.NUANCE.COM
# nsupdate -v -g ./dns_update.txt
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
metrics-frontend-01.dev.mcs.az-eastus2.mob.nuance.com. 0 ANY A
Reply from SOA query:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 58840
;; flags: qr aa rd ra; QUESTION: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;metrics-frontend-01.dev.mcs.az-eastus2.mob.nuance.com. IN SOA
;; AUTHORITY SECTION:
dev.mcs.az-eastus2.mob.nuance.com. 0 IN SOA freeipa-01.dev.mcs.az-eastus2.mob.nuance.com. hostmaster.dev.mcs.az-eastus2.mob.nuance.com. 1496548206 3600 900 1209600 3600
Found zone name: dev.mcs.az-eastus2.mob.nuance.com
The master is: freeipa-01.dev.mcs.az-eastus2.mob.nuance.com
start_gssrequest
send_gssrequest
Outgoing update query:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14301
;; flags:; QUESTION: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;2603545440.sig-freeipa-01.dev.mcs.az-eastus2.mob.nuance.com. ANY TKEY
;; ADDITIONAL SECTION:
2603545440.sig-freeipa-01.dev.mcs.az-eastus2.mob.nuance.com. 0 ANY TKEY gss-tsig. 1496686456 1496686456 3 NOERROR 750 YIIC6gYJKoZIhvcSAQICAQBuggLZMIIC1aADAgEFoQMCAQ6iBwMFACAA AACjggGyYYIBrjCCAaqgAwIBBaEQGw5NT0IuTlVBTkNFLkNPTaI+MDyg AwIBA6E1MDMbA0ROUxssZnJlZWlwYS0wMS5kZXYubWNzLmF6LWVhc3R1 czIubW9iLm51YW5jZS5jb22jggFPMIIBS6ADAgESoQMCAQKiggE9BIIB OT6iIBKUylVkyZojuFesiyK9xr2TNsJcCxjHSKxRxDTI781ECObVev0r 5FEux+izbNYji5vEZpfZDela6vLLJuieQ7EUz02jEMU9lvkhfuiaA9w8 UGLjT+l7TsKLLa6O+gnZ9bLWoTeR++QTE3g/5ePKCLd5rv/h3fvsHoW9 MxUD896pNNYCSutwm9Q6WigpMabxz4oli2l2YpbABJGEk6ZOB3Dr65m6 j4ou1LCnJpy0pkCwQfNPqPtF6UXUiL7DBvZfDhr+MlOeH7o0EBmUEiy2 uNIj9D6VaXeThLBMzyOeZRAVgutqSGxCiBraZ2hVGCQ5Xdet2XuJtUMq gZEn7uS6B8d5iIRDhsiOZ2eGUfZqReXaoE9YFBROvvyn0tosoqwW7YUZ 1Yc6gItyh2p7T8s3VBu1H4K8+vSkggEIMIIBBKADAgESooH8BIH56H4C tKcmdKBDujhBN3UmWECEm1stlWq1CcmSqtYmU6LpWa2duyX4rUDHfHVC 1eHhxrWB9mdEb3DKPHiJrJ0vLOuKJprPFEJpf/RGJylnglPs0JCf0Caa dGZpgeXCQ10xNIdKFsxzcgSChF5ClYK5A+Axg8zxVnLnNKCLR3TGdMrJ +YIOe04oHl4SdREVP09IrtubcOZSJeG3lRt4v/NHHuSMXXb337y/7ErU 1/8YoSs1K3H9du22vLF2VxB8k70DDtDKKpYFj1PzNXD5Tk7yuuWb//Ze voVsTc9g86212KzDYOfDdaN5JM2j51R/O/ummcYw8GnqR5Kt 0
recvmsg reply from GSS-TSIG query
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 14301
;; flags: qr ra; QUESTION: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;2603545440.sig-freeipa-01.dev.mcs.az-eastus2.mob.nuance.com. ANY TKEY
*response to GSS-TSIG query was unsuccessful*
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
On 06.06.2017 13:00, Martin Bašti via FreeIPA-users wrote:
Hello,
Please kinit as host; only hosts are allowed to update their DNS records over DDNS:
kinit -kt /etc/krb5.keytab
nsupdate -v -g ....
Could you please provide the output of nsupdate from the ipa-client-install log?
Martin
-- Martin Bašti, Software Engineer, Red Hat Czech
On Tue, Jun 6, 2017 at 7:41 AM, Martin Bašti mbasti@redhat.com wrote:
I was told, and now I see, that you used the host principal. Could you please check the zone settings of this zone, dev.mcs.az-eastus2.mob.nuance.com: do you have dynamic updates enabled?
Do you have any error output in journalctl -u named-pkcs11 on the DNS server?
Martin
On 06.06.2017 19:08, Josh Pavel wrote:
Dynamic updates are enabled:
dynamic-db "ipa" {
library "ldap.so";
arg "uri ldapi://%2fvar%2frun%2fslapd-MOB-NUANCE-COM.socket";
arg "base cn=dns, dc=mob,dc=nuance,dc=com";
arg "server_id freeipa-01.dev.mcs.az-eastus2.mob.nuance.com";
arg "auth_method sasl";
arg "sasl_mech GSSAPI";
arg "sasl_user DNS/freeipa-01.dev.mcs.az-eastus2.mob.nuance.com";
arg "serial_autoincrement yes";
};
Nothing was logged at the default level (dynamic), but I changed it to debug 10. Nothing strikes me when I look at that log... everything I see has the query approved; the only thing that surprised me a bit was that the requests are signed. I'm not sure if they're supposed to be or not.
Here's a snippet; as you'd expect from debug 10, there are a lot of logs.
06-Jun-2017 15:54:22.214 client 10.0.3.7#46182: UDP request
06-Jun-2017 15:54:22.214 client 10.0.3.7#46182: using view '_default'
06-Jun-2017 15:54:22.214 client 10.0.3.7#46182: request is not signed
06-Jun-2017 15:54:22.214 client 10.0.3.7#46182: recursion available
06-Jun-2017 15:54:22.214 client 10.0.3.7#46182: query
06-Jun-2017 15:54:22.214 client 10.0.3.7#46182 (metrics-frontend-01.dev.mcs.az-eastus2.mob.nuance.com): ns_client_attach: ref = 1
06-Jun-2017 15:54:22.214 client 10.0.3.7#46182 (metrics-frontend-01.dev.mcs.az-eastus2.mob.nuance.com): query (cache) 'metrics-frontend-01.dev.mcs.az-eastus2.mob.nuance.com/AAAA/IN' approved
06-Jun-2017 15:54:22.214 client 10.0.3.7#46182 (metrics-frontend-01.dev.mcs.az-eastus2.mob.nuance.com): replace
06-Jun-2017 15:54:23.525 client 10.0.3.7#46182 (metrics-frontend-01.dev.mcs.az-eastus2.mob.nuance.com): send
06-Jun-2017 15:54:23.525 client 10.0.3.7#46182 (metrics-frontend-01.dev.mcs.az-eastus2.mob.nuance.com): sendto
06-Jun-2017 15:54:23.525 client 10.0.3.7#46182 (metrics-frontend-01.dev.mcs.az-eastus2.mob.nuance.com): senddone
06-Jun-2017 15:54:23.525 client 10.0.3.7#46182 (metrics-frontend-01.dev.mcs.az-eastus2.mob.nuance.com): next
06-Jun-2017 15:54:23.525 client 10.0.3.7#46182 (metrics-frontend-01.dev.mcs.az-eastus2.mob.nuance.com): ns_client_detach: ref = 0
06-Jun-2017 15:54:23.525 client 10.0.3.7#46182 (metrics-frontend-01.dev.mcs.az-eastus2.mob.nuance.com): endrequest
06-Jun-2017 15:54:23.525 client 10.0.3.7#46182 (metrics-frontend-01.dev.mcs.az-eastus2.mob.nuance.com): send
06-Jun-2017 15:54:23.525 client 10.0.3.7#46182 (metrics-frontend-01.dev.mcs.az-eastus2.mob.nuance.com): sendto
06-Jun-2017 15:54:23.525 client 10.0.3.7#46182 (metrics-frontend-01.dev.mcs.az-eastus2.mob.nuance.com): senddone
06-Jun-2017 15:54:23.525 client 10.0.3.7#46182 (metrics-frontend-01.dev.mcs.az-eastus2.mob.nuance.com): next
06-Jun-2017 15:54:23.525 client 10.0.3.7#46182 (metrics-frontend-01.dev.mcs.az-eastus2.mob.nuance.com): ns_client_detach: ref = 0
06-Jun-2017 15:54:23.525 client 10.0.3.7#46182 (metrics-frontend-01.dev.mcs.az-eastus2.mob.nuance.com): endrequest
On Wed, Jun 7, 2017 at 3:31 AM, Martin Bašti mbasti@redhat.com wrote:
I meant dynamic updates in the zone config:
ipa dnszone-show dev.mcs.az-eastus2.mob.nuance.com --all
Still true. :-)
# ipa dnszone-show dev.mcs.az-eastus2.mob.nuance.com --all
dn: idnsname=dev.mcs.az-eastus2.mob.nuance.com.,cn=dns,dc=mob,dc=nuance,dc=com
Zone name: dev.mcs.az-eastus2.mob.nuance.com.
Active zone: TRUE
Managedby permission: cn=Manage DNS zone dev.mcs.az-eastus2.mob.nuance.com.,cn=permissions,cn=pbac,dc=mob,dc=nuance,dc=com
Authoritative nameserver: freeipa-01.prod.mcs.som.mob.nuance.com.
Administrator e-mail address: hostmaster
SOA serial: 1496769265
SOA refresh: 3600
SOA retry: 900
SOA expire: 1209600
SOA minimum: 3600
BIND update policy: grant MOB.NUANCE.COM krb5-self * A; grant MOB.NUANCE.COM krb5-self * AAAA; grant MOB.NUANCE.COM krb5-self * SSHFP;
Dynamic update: TRUE
Allow query: any;
Allow transfer: none;
Allow PTR sync: TRUE
nsrecord: freeipa-01.prod.mcs.som.mob.nuance.com., freeipa-02.dev.mcs.az-eastus2.mob.nuance.com., freeipa-01.dev.mcs.az-eastus2.mob.nuance.com.
objectclass: idnszone, top, idnsrecord, ipadnszone
On Wed, Jun 7, 2017 at 3:31 AM, Martin Bašti mbasti@redhat.com wrote:
I meant dynamic updates in zone config. ipa dnszone-show dev.mcs.az-eastus2.mob.nuance.com --all
On 06.06.2017 19:08, Josh Pavel wrote:
Dynamic updates are enabled:
dynamic-db "ipa" {
library "ldap.so";
arg "uri ldapi://%2fvar%2frun%2fslapd-MOB-NUANCE-COM.socket";
arg "base cn=dns, dc=mob,dc=nuance,dc=com";
arg "server_id freeipa-01.dev.mcs.az-eastus2.mob.nuance.com";
arg "auth_method sasl";
arg "sasl_mech GSSAPI";
arg "sasl_user DNS/freeipa-01.dev.mcs.az-eastus2.mob.nuance.com";
arg "serial_autoincrement yes";
};
Nothing was logged at the default level (dynamic), but I changed it to debug 10. Nothing strikes me when I look at that log... everything I see has the query approved; the only thing that surprised me a bit was that the requests are signed - I'm not sure if they're supposed to be or not.
Here's a snippet - as you'd expect from debug 10, there are a lot of logs.
06-Jun-2017 15:54:22.214 client 10.0.3.7#46182: UDP request
06-Jun-2017 15:54:22.214 client 10.0.3.7#46182: using view '_default'
06-Jun-2017 15:54:22.214 client 10.0.3.7#46182: request is not signed
06-Jun-2017 15:54:22.214 client 10.0.3.7#46182: recursion available
06-Jun-2017 15:54:22.214 client 10.0.3.7#46182: query
06-Jun-2017 15:54:22.214 client 10.0.3.7#46182 (metrics-frontend-01.dev.mcs.az-eastus2.mob.nuance.com): ns_client_attach: ref = 1
06-Jun-2017 15:54:22.214 client 10.0.3.7#46182 (metrics-frontend-01.dev.mcs.az-eastus2.mob.nuance.com): query (cache) 'metrics-frontend-01.dev.mcs.az-eastus2.mob.nuance.com/AAAA/IN' approved
06-Jun-2017 15:54:22.214 client 10.0.3.7#46182 (metrics-frontend-01.dev.mcs.az-eastus2.mob.nuance.com): replace
06-Jun-2017 15:54:23.525 client 10.0.3.7#46182 (metrics-frontend-01.dev.mcs.az-eastus2.mob.nuance.com): send
06-Jun-2017 15:54:23.525 client 10.0.3.7#46182 (metrics-frontend-01.dev.mcs.az-eastus2.mob.nuance.com): sendto
06-Jun-2017 15:54:23.525 client 10.0.3.7#46182 (metrics-frontend-01.dev.mcs.az-eastus2.mob.nuance.com): senddone
06-Jun-2017 15:54:23.525 client 10.0.3.7#46182 (metrics-frontend-01.dev.mcs.az-eastus2.mob.nuance.com): next
06-Jun-2017 15:54:23.525 client 10.0.3.7#46182 (metrics-frontend-01.dev.mcs.az-eastus2.mob.nuance.com): ns_client_detach: ref = 0
06-Jun-2017 15:54:23.525 client 10.0.3.7#46182 (metrics-frontend-01.dev.mcs.az-eastus2.mob.nuance.com): endrequest
06-Jun-2017 15:54:23.525 client 10.0.3.7#46182 (metrics-frontend-01.dev.mcs.az-eastus2.mob.nuance.com): send
06-Jun-2017 15:54:23.525 client 10.0.3.7#46182 (metrics-frontend-01.dev.mcs.az-eastus2.mob.nuance.com): sendto
06-Jun-2017 15:54:23.525 client 10.0.3.7#46182 (metrics-frontend-01.dev.mcs.az-eastus2.mob.nuance.com): senddone
06-Jun-2017 15:54:23.525 client 10.0.3.7#46182 (metrics-frontend-01.dev.mcs.az-eastus2.mob.nuance.com): next
06-Jun-2017 15:54:23.525 client 10.0.3.7#46182 (metrics-frontend-01.dev.mcs.az-eastus2.mob.nuance.com): ns_client_detach: ref = 0
06-Jun-2017 15:54:23.525 client 10.0.3.7#46182 (metrics-frontend-01.dev.mcs.az-eastus2.mob.nuance.com): endrequest
On Tue, Jun 6, 2017 at 7:41 AM, Martin Bašti mbasti@redhat.com wrote:
On 06.06.2017 13:00, Martin Bašti via FreeIPA-users wrote:
On 05.06.2017 20:39, Josh Pavel via FreeIPA-users wrote:
I have a setup with 2 zones:
My IPA realm is mob.nuance.com My first IPA server was built out with the DNS zone prod.mcs.som.mob.nuance.com My second IPA server is in a DNS zone of dev.mcs.az-eastus2.mob.nuance.com
I can successfully add client to my first IPA server, and everything works as expected, including DNS updates. When I add clients to my second IPA server, they complete successfully for everything except updating DNS.
I recreated the DNS Update file from ipa-client install log, and executed it manually as "admin" with debug. Any ideas what is wrong?
# kinit admin
Password for admin@MOB.NUANCE.COM:
# id admin
uid=1294000000(admin) gid=1294000000(admins) groups=1294000000(admins)
# getent passwd admin
admin:*:1294000000:1294000000:Administrator:/home/admin:/bin/bash
# kinit -k
# klist
Ticket cache: KEYRING:persistent:0:krb_ccache_3k4KdJI
Default principal: host/metrics-frontend-01.dev.mcs.az-eastus2.mob.nuance.com@MOB.NUANCE.COM
Valid starting Expires Service principal
06/05/2017 18:11:39 06/06/2017 18:11:39 krbtgt/MOB.NUANCE.COM@MOB.NUANCE.COM
# nsupdate -v -g ./dns_update.txt
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
metrics-frontend-01.dev.mcs.az-eastus2.mob.nuance.com. 0 ANY A
Reply from SOA query:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 58840
;; flags: qr aa rd ra; QUESTION: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;metrics-frontend-01.dev.mcs.az-eastus2.mob.nuance.com. IN SOA
;; AUTHORITY SECTION:
dev.mcs.az-eastus2.mob.nuance.com. 0 IN SOA freeipa-01.dev.mcs.az-eastus2.mob.nuance.com. hostmaster.dev.mcs.az-eastus2.mob.nuance.com. 1496548206 3600 900 1209600 3600
Found zone name: dev.mcs.az-eastus2.mob.nuance.com
The master is: freeipa-01.dev.mcs.az-eastus2.mob.nuance.com
start_gssrequest
send_gssrequest
Outgoing update query:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14301
;; flags:; QUESTION: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;2603545440.sig-freeipa-01.dev.mcs.az-eastus2.mob.nuance.com. ANY TKEY
;; ADDITIONAL SECTION:
2603545440.sig-freeipa-01.dev.mcs.az-eastus2.mob.nuance.com. 0 ANY TKEY gss-tsig. 1496686456 1496686456 3 NOERROR 750 YIIC6gYJKoZIhvcSAQICAQBuggLZMIIC1aADAgEFoQMCAQ6iBwMFACAA AACjggGyYYIBrjCCAaqgAwIBBaEQGw5NT0IuTlVBTkNFLkNPTaI+MDyg AwIBA6E1MDMbA0ROUxssZnJlZWlwYS0wMS5kZXYubWNzLmF6LWVhc3R1 czIubW9iLm51YW5jZS5jb22jggFPMIIBS6ADAgESoQMCAQKiggE9BIIB OT6iIBKUylVkyZojuFesiyK9xr2TNsJcCxjHSKxRxDTI781ECObVev0r 5FEux+izbNYji5vEZpfZDela6vLLJuieQ7EUz02jEMU9lvkhfuiaA9w8 UGLjT+l7TsKLLa6O+gnZ9bLWoTeR++QTE3g/5ePKCLd5rv/h3fvsHoW9 MxUD896pNNYCSutwm9Q6WigpMabxz4oli2l2YpbABJGEk6ZOB3Dr65m6 j4ou1LCnJpy0pkCwQfNPqPtF6UXUiL7DBvZfDhr+MlOeH7o0EBmUEiy2 uNIj9D6VaXeThLBMzyOeZRAVgutqSGxCiBraZ2hVGCQ5Xdet2XuJtUMq gZEn7uS6B8d5iIRDhsiOZ2eGUfZqReXaoE9YFBROvvyn0tosoqwW7YUZ 1Yc6gItyh2p7T8s3VBu1H4K8+vSkggEIMIIBBKADAgESooH8BIH56H4C tKcmdKBDujhBN3UmWECEm1stlWq1CcmSqtYmU6LpWa2duyX4rUDHfHVC 1eHhxrWB9mdEb3DKPHiJrJ0vLOuKJprPFEJpf/RGJylnglPs0JCf0Caa dGZpgeXCQ10xNIdKFsxzcgSChF5ClYK5A+Axg8zxVnLnNKCLR3TGdMrJ +YIOe04oHl4SdREVP09IrtubcOZSJeG3lRt4v/NHHuSMXXb337y/7ErU 1/8YoSs1K3H9du22vLF2VxB8k70DDtDKKpYFj1PzNXD5Tk7yuuWb//Ze voVsTc9g86212KzDYOfDdaN5JM2j51R/O/ummcYw8GnqR5Kt 0
recvmsg reply from GSS-TSIG query
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 14301
;; flags: qr ra; QUESTION: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;2603545440.sig-freeipa-01.dev.mcs.az-eastus2.mob.nuance.com. ANY TKEY
*response to GSS-TSIG query was unsuccessful*
Hello,
please kinit as the host; only hosts are allowed to update their DNS records over DDNS.
kinit -kt /etc/krb5.keytab
nsupdate -v -g ....
Could you please provide the output of nsupdate from the ipa-client-install log?
Martin
-- Martin Bašti Software Engineer Red Hat Czech
I was told, and now I see, that you used the host principal. Could you please check the zone settings of this zone, dev.mcs.az-eastus2.mob.nuance.com: do you have dynamic updates enabled?
Do you have any error output in journalctl -u named-pkcs11 on the DNS server?
Martin
-- Martin Bašti Software Engineer Red Hat Czech
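As an added illustration (not FreeIPA's or BIND's own code), the Python below models how the "BIND update policy" shown by ipa dnszone-show above is evaluated: each krb5-self rule lets only the principal host/NAME@REALM change records of NAME, and only of the listed types, which is what "only hosts are allowed to update their DNS records" means and why an admin ticket does not qualify. It models the authorization step only; the failure in the nsupdate trace happens earlier, when the TKEY (GSS-TSIG) negotiation itself is REFUSED, before any rule is consulted. The parser and first-match semantics are simplifying assumptions.

```python
# Added illustration, not FreeIPA or BIND code: models how BIND evaluates a
# FreeIPA-style update-policy of krb5-self rules. Only the per-rule
# authorization step is modelled, not the GSS-TSIG (TKEY) negotiation.
import re
from dataclasses import dataclass
from typing import FrozenSet, List

# grant|deny <identity> <matchtype> <name> [types...];
RULE_RE = re.compile(r"(?P<action>grant|deny)\s+(?P<identity>\S+)\s+"
                     r"(?P<match>\S+)\s+(?P<name>\S+)\s*(?P<types>[^;]*);")

# Policy reported by 'ipa dnszone-show' for the dev zone in this thread.
ZONE_POLICY = ("grant MOB.NUANCE.COM krb5-self * A; "
               "grant MOB.NUANCE.COM krb5-self * AAAA; "
               "grant MOB.NUANCE.COM krb5-self * SSHFP;")

@dataclass(frozen=True)
class Rule:
    action: str
    identity: str  # for krb5-self: the Kerberos realm to match
    match: str     # rule type, e.g. krb5-self
    name: str      # ignored by krb5-self; the name comes from the principal
    types: FrozenSet[str]  # empty set = any record type

def parse_policy(policy: str) -> List[Rule]:
    return [Rule(m["action"], m["identity"], m["match"], m["name"],
                 frozenset(t.upper() for t in m["types"].split()))
            for m in RULE_RE.finditer(policy)]

def _fqdn(name: str) -> str:
    return name.rstrip(".").lower()

def krb5_self_matches(rule: Rule, principal: str, target: str) -> bool:
    """krb5-self: principal must be exactly host/<target>@<rule.identity>."""
    if rule.match != "krb5-self" or "@" not in principal:
        return False
    primary, realm = principal.rsplit("@", 1)
    if realm != rule.identity or not primary.startswith("host/"):
        return False
    return _fqdn(primary[len("host/"):]) == _fqdn(target)

def update_allowed(policy: str, principal: str, target: str, rtype: str) -> bool:
    """First rule whose identity, name and type all match decides; otherwise deny."""
    for rule in parse_policy(policy):
        if krb5_self_matches(rule, principal, target) and \
                (not rule.types or rtype.upper() in rule.types):
            return rule.action == "grant"
    return False
```

With this policy, host/metrics-frontend-01...@MOB.NUANCE.COM may change its own A, AAAA and SSHFP records and nothing else; admin@MOB.NUANCE.COM and any other host principal are denied.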