On Sun, Sep 17, 2023 at 10:22 AM dweller dweller via FreeIPA-users <[email protected]> wrote:
>
> I decided to make a little test during spare time to investigate the problem further:
>
> [root@host-01 ~]# ipa dnszone-show test-krb1.novalocal
> Zone name: test-krb1.novalocal.
> Active zone: TRUE
> Authoritative nameserver: freeipa-master-01.test-krb1.novalocal.
> Administrator e-mail address: hostmaster.test-krb1.novalocal.
> SOA serial: 1694341901
> SOA refresh: 3600
> SOA retry: 900
> SOA expire: 1209600
> SOA minimum: 3600
> BIND update policy: grant TEST-KRB1.NOVALOCAL krb5-self * A; grant TEST-KRB1.NOVALOCAL krb5-self * AAAA; grant TEST-KRB1.NOVALOCAL krb5-self * SSHFP;
> Dynamic update: TRUE
> Allow query: any;
> Allow transfer: none;
> [root@host-01 ~]#
> [root@host-01 ~]# cat dns_update.txt
> update delete host-01.test-krb1.novalocal. IN A
> show
> send
>
> update delete host-01.test-krb1.novalocal. IN AAAA
> show
> send
>
> update add host-01.test-krb1.novalocal. 1200 IN A 172.28.19.97
> show
> send
> [root@host-01 ~]# nsupdate -g dns_update.txt
> Outgoing update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
> ;; UPDATE SECTION:
> host-01.test-krb1.novalocal. 0 ANY A
>
> update failed: REFUSED
> Outgoing update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
> ;; UPDATE SECTION:
> host-01.test-krb1.novalocal. 0 ANY AAAA
>
> update failed: REFUSED
> Outgoing update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
> ;; UPDATE SECTION:
> host-01.test-krb1.novalocal. 1200 IN A 172.28.19.97
>
> update failed: REFUSED
>
> And this is from the dns logs:
>
> [root@freeipa-master-01 bind]# tail -f /var/lib/bind/data/named.run
> 17-Sep-2023 16:03:39.500 client @0x7f73801235f0 172.28.19.96#37737/key admin\@TEST-KRB1.NOVALOCAL: updating zone 'test-krb1.novalocal/IN': update failed: rejected by secure update (REFUSED)
>
> Any suggestions on why the update is getting refused?
IIRC, you can't use your user credentials for `nsupdate -g` to update a host DNS entry. Try retrieving the host keytab, and kinit with it (I'm making a wild guess on the realm name):

```
ipa-getkeytab -s `hostname` -p host/[email protected] -k keytab
kinit -k -t keytab host/test.example.test
nsupdate -g
```

Rafael

> _______________________________________________
> FreeIPA-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
> Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue

--
Rafael Guterres Jeffman
Senior Software Engineer
FreeIPA - Red Hat
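The refusal in the thread follows directly from the zone's update policy: every rule is krb5-self, which BIND documents as letting only the machine principal host/<machine>@REALM change records named <machine>, while the named.run line shows the update was signed as admin@TEST-KRB1.NOVALOCAL. The script below is an added example (not FreeIPA, BIND, or anyone's code from this thread) that models that matching rule and runs it over the policy string and log line quoted above, so the same check can be applied to other zones and signers. The first-match-wins and deny-by-default behaviour is BIND's documented semantics; everything else (function names, the reason strings) is this example's own.

```python
"""Model BIND's krb5-self update-policy matching to explain a
'rejected by secure update (REFUSED)' result.

Added example, not FreeIPA or BIND code. It implements the krb5-self rule
as BIND documents it: the signing identity must be host/<machine>@REALM,
REALM must equal the rule's identity field, and only records named
<machine> of the listed types may be changed. Rules are checked in order,
the first match decides, and no match means deny.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Values from the thread: the zone's update policy and the named.run line.
POLICY = ("grant TEST-KRB1.NOVALOCAL krb5-self * A; "
          "grant TEST-KRB1.NOVALOCAL krb5-self * AAAA; "
          "grant TEST-KRB1.NOVALOCAL krb5-self * SSHFP;")
LOG_LINE = ("17-Sep-2023 16:03:39.500 client @0x7f73801235f0 172.28.19.96#37737"
            "/key admin\\@TEST-KRB1.NOVALOCAL: updating zone 'test-krb1.novalocal/IN': "
            "update failed: rejected by secure update (REFUSED)")


@dataclass
class Rule:
    action: str        # "grant" or "deny"
    identity: str      # for krb5-self: the REALM the principal must belong to
    matchtype: str     # only "krb5-self" is modelled here
    name: str          # ignored by krb5-self; the name comes from the principal
    rrtypes: Set[str]  # empty set means any type


def parse_update_policy(policy: str) -> List[Rule]:
    """Split the ';'-separated policy string into Rule objects."""
    rules = []
    for stmt in policy.split(";"):
        parts = stmt.split()
        if not parts:
            continue
        action, identity, matchtype, name, *rrtypes = parts
        rules.append(Rule(action, identity, matchtype, name,
                          {t.upper() for t in rrtypes}))
    return rules


def signer_from_log(line: str) -> Optional[str]:
    """Extract the GSS-TSIG signer from a named update log line.
    BIND escapes '@' inside the key name, so 'admin\\@REALM' becomes 'admin@REALM'."""
    m = re.search(r"/key ([^\s:]+):", line)
    return m.group(1).replace("\\@", "@") if m else None


def krb5_self_matches(principal: str, rule: Rule, target: str, rrtype: str) -> bool:
    """True if `principal` may touch `target`/`rrtype` under a krb5-self rule."""
    if rule.matchtype != "krb5-self":
        return False
    m = re.fullmatch(r"host/([^@/]+)@([^@]+)", principal)
    if not m:
        return False  # a user principal such as admin@REALM never matches
    machine, realm = m.groups()
    if realm.upper() != rule.identity.upper():
        return False
    if machine.rstrip(".").lower() != target.rstrip(".").lower():
        return False  # a host may only update its own name
    return not rule.rrtypes or rrtype.upper() in rule.rrtypes


def evaluate(policy: str, principal: str, target: str, rrtype: str) -> Tuple[str, str]:
    """Return ('grant'|'deny', reason) from the first matching rule."""
    for rule in parse_update_policy(policy):
        if krb5_self_matches(principal, rule, target, rrtype):
            types = " ".join(sorted(rule.rrtypes)) or "(any)"
            return rule.action, (f"matched rule: {rule.action} {rule.identity} "
                                 f"{rule.matchtype} {rule.name} {types}")
    return "deny", "no update-policy rule matched; BIND denies by default"


if __name__ == "__main__":
    signer = signer_from_log(LOG_LINE)
    target = "host-01.test-krb1.novalocal."
    print("signer from log:", signer)
    print("as signed:", evaluate(POLICY, signer, target, "A"))
    # With the host's own principal (what its keytab holds) the same update is granted.
    host_princ = "host/host-01.test-krb1.novalocal@TEST-KRB1.NOVALOCAL"
    print("as host principal:", evaluate(POLICY, host_princ, target, "A"))
```

Run as-is it reports "deny" for the admin principal and "grant" for host/host-01.test-krb1.novalocal@TEST-KRB1.NOVALOCAL, which is why obtaining the host keytab and running kinit with it is the fix: the policy never needs to be loosened to let a host maintain its own A/AAAA/SSHFP records, and a user principal being refused is the policy working as intended.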
