Anybody know how to get more log information on what the IPA client does? I already know about the stuff in /var/log/sssd, but I'm looking for something in regards to dynamic dns updates failing.
When I ran `ipa-client-install` with the --enable-dns-updates option it kicked out an error saying it couldn't update the dns record. It doesn't show up in the server; obviously. I checked the ipaclient-install.log and tried to run the `nsupdate` command with a recreated command file or whatever. At best I got the following....
==============================
[root@luna ipa]# klist
Ticket cache: KEYRING:persistent:0:0
Default principal: admin@NEVERLAND.DDNS.ME

Valid starting       Expires              Service principal
08/01/2019 02:04:26  08/02/2019 02:04:20  krbtgt/NEVERLAND.DDNS.ME@NEVERLAND.DDNS.ME
[root@luna ipa]# cat /etc/ipa/.dns_update.txt
update delete luna.neverland.ddns.me. IN A
show
send
update delete luna.neverland.ddns.me. IN AAAA
show
send
update add luna.neverland.ddns.me. 1200 IN A 10.0.0.19
show
send
update add luna.neverland.ddns.me. 1200 IN AAAA 2605:e000:1127:713::7
show
send
[root@luna ipa]# /usr/bin/nsupdate -v -g /etc/ipa/.dns_update.txt
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
luna.neverland.ddns.me. 0 ANY A

response to SOA query was unsuccessful
On Thu, Aug 1, 2019 at 2:07 PM Boyd Ako via FreeIPA-users freeipa-users@lists.fedorahosted.org wrote:
Anybody know how to get more log information on what the IPA client does? I already know about the stuff in /var/log/sssd, but I'm looking for something in regards to dynamic dns updates failing.
Which version of sssd, ipa-server and ipa-client?
When I ran `ipa-client-install` with the --enable-dns-updates option it kicked out an error saying it couldn't update the dns record. It doesn't show up in the server; obviously.
Even in /var/named/data/named.run ?
I checked the ipaclient-install.log and tried to run the `nsupdate` command with a recreated command file or whatever. At best I got the following....
On Aug 1, 2019, at 02:22, François Cami fcami@redhat.com wrote:
Which version of sssd, ipa-server and ipa-client?
— server —
[root@ipa data]# for pkg in sssd ipa-server ipa-client; do printf "=== %s ===\n" "$pkg"; yum info $pkg | egrep -e "Version" -e "Release" -e "Repo" ; done
=== sssd ===
Version     : 1.16.2
Release     : 13.el7_6.8
Repo        : installed
=== ipa-server ===
Version     : 4.6.4
Release     : 10.el7.centos.3
Repo        : installed
=== ipa-client ===
Version     : 4.6.4
Release     : 10.el7.centos.3
Repo        : installed

— client —
=== sssd ===
Version     : 1.16.2
Release     : 13.el7_6.8
Repo        : installed
=== ipa-server ===
Version     : 4.6.4
Release     : 10.el7.centos.6
Repo        : updates/7/x86_64
=== ipa-client ===
Version     : 4.6.4
Release     : 10.el7.centos.6
Repo        : installed
Even in /var/named/data/named.run ?
Ah… so I changed resolv.conf to directly use the IPA server for DNS.
==== Client ====
[root@luna void]# /usr/bin/nsupdate -v -g /etc/ipa/.dns_update.txt
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
luna.neverland.ddns.me. 0 ANY A

update failed: REFUSED
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
luna.neverland.ddns.me. 0 ANY AAAA

update failed: REFUSED
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
luna.neverland.ddns.me. 1200 IN A 10.0.0.19

update failed: REFUSED
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
luna.neverland.ddns.me. 1200 IN AAAA 2605:e000:1127:713::7

update failed: REFUSED

==== IPA Server ====
[root@ipa data]# tail -n 0 -f named.run
01-Aug-2019 22:42:52.834 client 2605:e000:1127:713::7#46253/key admin@NEVERLAND.DDNS.ME: updating zone 'neverland.ddns.me/IN': update failed: rejected by secure update (REFUSED)
01-Aug-2019 22:42:52.867 client 2605:e000:1127:713::7#50118/key admin@NEVERLAND.DDNS.ME: updating zone 'neverland.ddns.me/IN': update failed: rejected by secure update (REFUSED)
01-Aug-2019 22:42:52.901 client 2605:e000:1127:713::7#59892/key admin@NEVERLAND.DDNS.ME: updating zone 'neverland.ddns.me/IN': update failed: rejected by secure update (REFUSED)
01-Aug-2019 22:42:52.945 client 2605:e000:1127:713::7#49581/key admin@NEVERLAND.DDNS.ME: updating zone 'neverland.ddns.me/IN': update failed: rejected by secure update (REFUSED)
Domo,
Boyd H. Ako
boyd.hanalei.ako@gmail.com (424) 244-9653 https://www.boydhanaleiako.me
“Coming together is a beginning. Keeping together is progress. Working together is success.” -Henry Ford
PGP/GPG Public Key: https://sks-keyservers.net/pks/lookup?op=get&search=0xC58073B21618F134
On Fri, Aug 2, 2019 at 10:43 AM Boyd Ako boyd.hanalei.ako@gmail.com wrote:
So please first, as Flo asked before, check that the client FQDN belongs to a domain managed by IPA server.
You can check the zones managed by IPA with
$ kinit admin
$ ipa dnszone-find
If the client FQDN (luna.neverland.ddns.me right?) belongs to such a zone, please check that the zone accepts dynamic updates using e.g. for neverland.ddns.me:
$ ipa dnszone-show --all neverland.ddns.me.
Regards, François
--- Client ---
=== sssd ===
Version     : 1.16.2
Release     : 13.el7_6.8
Repo        : installed
=== ipa-server ===
Version     : 4.6.4
Release     : 10.el7.centos.6
Repo        : updates/7/x86_64
=== ipa-client ===
Version     : 4.6.4
Release     : 10.el7.centos.6
Repo        : installed

--- Server ---
=== sssd ===
Version     : 1.16.2
Release     : 13.el7_6.8
Repo        : installed
=== ipa-server ===
Version     : 4.6.4
Release     : 10.el7.centos.3
Repo        : installed
=== ipa-client ===
Version     : 4.6.4
Release     : 10.el7.centos.3
Repo        : installed

Apparently on the server...

[root@ipa data]# tail -n 0 -f named.run
03-Aug-2019 02:04:46.888 client 2605:e000:1127:713::7#41778/key admin@NEVERLAND.DDNS.ME: updating zone 'neverland.ddns.me/IN': update failed: rejected by secure update (REFUSED)
03-Aug-2019 02:04:46.932 client 2605:e000:1127:713::7#36265/key admin@NEVERLAND.DDNS.ME: updating zone 'neverland.ddns.me/IN': update failed: rejected by secure update (REFUSED)
03-Aug-2019 02:04:46.977 client 2605:e000:1127:713::7#49845/key admin@NEVERLAND.DDNS.ME: updating zone 'neverland.ddns.me/IN': update failed: rejected by secure update (REFUSED)
03-Aug-2019 02:04:47.021 client 2605:e000:1127:713::7#60462/key admin@NEVERLAND.DDNS.ME: updating zone 'neverland.ddns.me/IN': update failed: rejected by secure update (REFUSED)
On 8/1/19 2:06 PM, Boyd Ako via FreeIPA-users wrote:
Anybody know how to get more log information on what the IPA client does? I already know about the stuff in /var/log/sssd, but I'm looking for something in regards to dynamic dns updates failing.
When I ran `ipa-client-install` with the --enable-dns-updates option it kicked out an error saying it couldn't update the dns record. It doesn't show up in the server; obviously. I checked the ipaclient-install.log and tried to run the `nsupdate` command with a recreated command file or whatever. At best I got the following....
What is the client FQDN? Is its domain managed by IPA server?
You can check the zones managed by IPA with
$ kinit admin
$ ipa dnszone-find
If the client's domain is not managed by IPA, IPA server won't accept the nsupdate command.
The other point to check is that the client's /etc/resolv.conf correctly points to the DNS server.

flo
On Aug 1, 2019, at 03:47, Florence Blanc-Renaud flo@redhat.com wrote:
What is the client FQDN? Is its domain managed by IPA server?
luna.neverland.ddns.me
You can check the zones managed by IPA with
$ kinit admin
$ ipa dnszone-find
— IPA server —
[root@ipa data]# klist
Ticket cache: KEYRING:persistent:0:0
Default principal: admin@NEVERLAND.DDNS.ME

Valid starting       Expires              Service principal
08/01/2019 22:44:29  08/02/2019 22:44:18  HTTP/ipa.neverland.ddns.me@NEVERLAND.DDNS.ME
08/01/2019 22:44:24  08/02/2019 22:44:18  krbtgt/NEVERLAND.DDNS.ME@NEVERLAND.DDNS.ME
[root@ipa data]# ipa dnszone-find
  Zone name: 0.0.10.in-addr.arpa.
  Active zone: TRUE
  Authoritative nameserver: ipa.neverland.ddns.me.
  Administrator e-mail address: hostmaster.neverland.ddns.me.
  SOA serial: 1564568614
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  Allow query: any;
  Allow transfer: none;

  Zone name: 3.1.7.0.7.2.1.1.0.0.0.e.5.0.6.2.ip6.arpa.
  Active zone: TRUE
  Authoritative nameserver: ipa.neverland.ddns.me.
  Administrator e-mail address: hostmaster.neverland.ddns.me.
  SOA serial: 1564567633
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  Allow query: any;
  Allow transfer: none;

  Zone name: neverland.ddns.me.
  Active zone: TRUE
  Authoritative nameserver: ipa.neverland.ddns.me.
  Administrator e-mail address: hostmaster.neverland.ddns.me.
  SOA serial: 1564568773
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  Allow query: any;
  Allow transfer: none;
----------------------------
Number of entries returned 3
----------------------------
If the client's domain is not managed by IPA, IPA server won't accept the nsupdate command.
It is.
The other point to check is that the client's /etc/resolv.conf correctly points to the the DNS server.
Yep… apparently that was one of the issues. But, still failing. See previous post.
Boyd Ako via FreeIPA-users wrote:
On Aug 1, 2019, at 03:47, Florence Blanc-Renaud flo@redhat.com wrote:
What is the client FQDN? Is its domain managed by IPA server?
luna.neverland.ddns.me
You can check the zones managed by IPA with
$ kinit admin
$ ipa dnszone-find
If you add --all you'll get the update policy. I'd verify that as well.
rob
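The three checks the replies in this thread ask for (François: does the zone accept dynamic updates, and what does `ipa dnszone-show --all` report as the update policy; Flo: does the client's /etc/resolv.conf point at the IPA DNS server; Rob: verify the update policy) can be run against saved command output without touching the servers. The script below is an added example, not code from the thread or from the FreeIPA project. Every input in it is a constructed stand-in: the `ipa dnszone-show --all` output is assumed to carry the IPA default BIND update policy (krb5-self grants for A, AAAA and SSHFP), 10.0.0.10 is an assumed address for the IPA server, and the klist sample only copies the principal that appears in the thread.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeIPA: offline checks that
# mirror the three things the replies ask for (zone accepting dynamic updates,
# BIND update policy, client resolv.conf). All inputs below are constructed
# stand-ins; in practice paste in the real output of
#   ipa dnszone-show --all <zone>      (on the IPA server, after kinit admin)
#   klist                              (on the client)
#   cat /etc/resolv.conf               (on the client)

# Constructed stand-in for `ipa dnszone-show --all neverland.ddns.me.`; the
# field names follow the ipa CLI, the values are assumptions for this example.
ZONE_SHOW_SAMPLE='  Zone name: neverland.ddns.me.
  Active zone: TRUE
  Authoritative nameserver: ipa.neverland.ddns.me.
  Dynamic update: TRUE
  BIND update policy: grant NEVERLAND.DDNS.ME krb5-self * A; grant NEVERLAND.DDNS.ME krb5-self * AAAA; grant NEVERLAND.DDNS.ME krb5-self * SSHFP;
  Allow query: any;
  Allow transfer: none;'

# Constructed stand-in for `klist` on the client (same principal as in the thread).
KLIST_SAMPLE='Ticket cache: KEYRING:persistent:0:0
Default principal: admin@NEVERLAND.DDNS.ME'

# Constructed stand-in for the client's /etc/resolv.conf; 10.0.0.10 is an
# assumed address for the IPA server, which the thread never shows.
RESOLV_SAMPLE='search neverland.ddns.me
nameserver 10.0.0.10'

# zone_dynamic_update_enabled OUTPUT -> 0 when the zone reports "Dynamic update: TRUE"
zone_dynamic_update_enabled() {
    printf '%s\n' "$1" | grep -qi '^[[:space:]]*Dynamic update:[[:space:]]*TRUE[[:space:]]*$'
}

# zone_policy_grants_self OUTPUT REALM RRTYPE -> 0 when the BIND update policy
# contains "grant REALM krb5-self * RRTYPE". krb5-self means the principal
# host/<name>@REALM may update RRTYPE records owned by <name>, and nothing else.
zone_policy_grants_self() {
    printf '%s\n' "$1" | grep -i '^[[:space:]]*BIND update policy:' \
        | tr ';' '\n' \
        | grep -q "grant $2 krb5-self [*] $3"'[[:space:]]*$'
}

# klist_default_principal OUTPUT -> prints the "Default principal" from klist output
klist_default_principal() {
    printf '%s\n' "$1" | sed -n 's/^Default principal:[[:space:]]*//p'
}

# principal_is_host_of PRINCIPAL FQDN REALM -> 0 when PRINCIPAL is host/FQDN@REALM,
# the only principal a krb5-self grant matches for FQDN's own records
principal_is_host_of() {
    [ "$1" = "host/$2@$3" ]
}

# resolv_first_nameserver OUTPUT -> prints the first nameserver from resolv.conf text
resolv_first_nameserver() {
    printf '%s\n' "$1" | awk '$1 == "nameserver" { print $2; exit }'
}

# report ZONE_OUTPUT KLIST_OUTPUT RESOLV_TEXT FQDN REALM IPA_DNS_IP -> one line per check
report() {
    if zone_dynamic_update_enabled "$1"; then
        echo "OK   zone accepts dynamic updates"
    else
        echo "FAIL zone has 'Dynamic update: FALSE'; nsupdate will be REFUSED"
    fi
    for rrtype in A AAAA; do
        if zone_policy_grants_self "$1" "$5" "$rrtype"; then
            echo "OK   policy grants krb5-self for $rrtype"
        else
            echo "FAIL no krb5-self grant for $rrtype in the update policy"
        fi
    done
    principal=$(klist_default_principal "$2")
    if principal_is_host_of "$principal" "$4" "$5"; then
        echo "OK   ticket is the host principal $principal"
    else
        echo "WARN ticket is $principal, not host/$4@$5; a krb5-self policy will not match it"
    fi
    nameserver=$(resolv_first_nameserver "$3")
    if [ "$nameserver" = "$6" ]; then
        echo "OK   resolv.conf sends updates to the IPA DNS server $nameserver"
    else
        echo "FAIL first nameserver is $nameserver, expected the IPA server $6"
    fi
}

report "$ZONE_SHOW_SAMPLE" "$KLIST_SAMPLE" "$RESOLV_SAMPLE" \
    luna.neverland.ddns.me NEVERLAND.DDNS.ME 10.0.0.10
```

The principal check is the caveat worth keeping in mind when reading the named.run lines above: BIND logs the GSS-TSIG signer as `key admin@NEVERLAND.DDNS.ME`, and a policy built only from krb5-self grants authorizes `host/<fqdn>@REALM` to touch `<fqdn>`'s own records, so whether the signer matches the grant is a separate question from whether the zone allows dynamic updates at all. Both show up in `ipa dnszone-show --all` output, which is why the replies point there.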