On Mon, Feb 20, 2012 at 9:46 AM, Martin Kosek <[email protected]> wrote:
> On Sun, 2012-02-19 at 17:23 +0100, Marco Pizzoli wrote:
> > Hi,
> > During my setup today I'm always failing in enrolling clients with
> > automatic dns updates.
> > I'm playing with FreeIPA 2.1.90, but I guess this is a general
> > problem, not strictly due to the alpha version.
> >
> > I'm doing a "ipa-client-install --enable-dns-updates" and at the
> > console I see:
> > Failed to update DNS A record. (Command '/usr/bin/nsupdate
> > -g /etc/ipa/.dns_update.txt' returned non-zero exit status 2)
> >
> > I see in server logs that named refuses it:
> > Feb 19 17:05:25 freeipa01 named[2089]: client 192.168.20.112#38558:
> > update 'internet.unix.mydomain.it/IN' denied
> > Feb 19 17:05:25 freeipa01 named[2089]: client 192.168.20.112#40809:
> > update 'internet.unix.mydomain.it/IN' denied
> >
> > What is the cause? What other information do you need about my
> > deployment?
> >
> > Thanks in advance as usual
> > Marco
>
> Hello Marco,
>
> please check the settings of the zone you are trying to add clients to.
> GSS-TSIG updates are not enabled by default for new zones, it may be
> your case.
>
> This is an entry for my zone 'example.com' where dynamic updates are
> enabled:
>
> # ipa dnszone-show example.com --all
> dn: idnsname=example.com,cn=dns,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
> Zone name: example.com
> Authoritative nameserver: ns.example.com.
> Administrator e-mail address: hostmaster.example.com.
> SOA serial: 2012200201
> SOA refresh: 3600
> SOA retry: 900
> SOA expire: 1209600
> SOA minimum: 3600
> > BIND update policy: grant IDM.LAB.BOS.REDHAT.COM krb5-self * A; grant IDM.LAB.BOS.REDHAT.COM krb5-self * AAAA; grant IDM.LAB.BOS.REDHAT.COM krb5-self * SSHFP;
> Active zone: TRUE
> > Dynamic update: TRUE
> nsrecord: ns.example.com.
> objectclass: top, idnsrecord, idnszone
>
> I have marked the important attributes with ">". I would also make sure
> that the zone is properly loaded in bind-dyndb-ldap plugin (you can for
> example try to retrieve its SOA record with dig).

Hi Martin,
yes this is the case:

[root@freeipa01 ~]# ipa dnszone-show internet.unix.mydomain.it --all
dn: idnsname=internet.unix.mydomain.it,cn=dns,dc=unix,dc=mydomain,dc=it
Zone name: internet.unix.mydomain.it
Authoritative nameserver: freeipa01.unix.mydomain.it.
Administrator e-mail address: hostmaster.internet.unix.mydomain.it.
SOA serial: 2012180201
SOA refresh: 3600
SOA retry: 900
SOA expire: 1209600
SOA minimum: 3600
Active zone: TRUE
Dynamic update: FALSE
nsrecord: freeipa01.unix.mydomain.it.
objectclass: top, idnsrecord, idnszone

So, could you tell me what I should do to have my (new) zone eventually updated?
A link to a doc page would suffice.
Thanks a lot
Marco
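The change Martin's zone entry implies, written out as an added example (not code from the thread or from the FreeIPA project): turn on dynamic updates for a zone and set the same krb5-self update policy for the deployment's own Kerberos realm, then re-read the zone to confirm both attributes before retrying the client enrollment. It assumes the `--dynamic-update` and `--update-policy` options of `ipa dnszone-mod`, and takes the zone name and realm as arguments since Marco's realm is not given in the thread.

```shell
#!/bin/sh
# Added example: enable GSS-TSIG dynamic updates on a FreeIPA-managed zone and
# verify the result. Assumes the --dynamic-update and --update-policy options
# of "ipa dnszone-mod" and a Kerberos ticket with rights to modify DNS zones.

# Build the update policy from Martin's zone for an arbitrary realm: a host
# principal may only create or change its own A, AAAA and SSHFP records.
update_policy_for_realm() {
    realm=$1
    printf 'grant %s krb5-self * A; grant %s krb5-self * AAAA; grant %s krb5-self * SSHFP;' \
        "$realm" "$realm" "$realm"
}

# Read "ipa dnszone-show ZONE --all" output on stdin; succeed only when the
# zone reports "Dynamic update: TRUE" (Marco's zone reports FALSE).
zone_allows_dynamic_update() {
    grep -q '^ *Dynamic update: TRUE$'
}

# Same check for the policy: without it named has nobody to grant updates to.
zone_has_update_policy() {
    grep -q '^ *BIND update policy: grant '
}

# Apply both settings, then re-read the zone so the script only reports
# success when named will actually accept "nsupdate -g" from enrolled hosts.
enable_dynamic_update() {
    zone=$1; realm=$2
    ipa dnszone-mod "$zone" --dynamic-update=TRUE \
        --update-policy="$(update_policy_for_realm "$realm")" >/dev/null || return 1
    out=$(ipa dnszone-show "$zone" --all) || return 1
    printf '%s\n' "$out" | zone_allows_dynamic_update &&
        printf '%s\n' "$out" | zone_has_update_policy
}

# Usage: sh enable-dyn-update.sh ZONE KERBEROS_REALM  (both are assumed inputs)
if [ $# -eq 2 ]; then
    enable_dynamic_update "$1" "$2" && echo "dynamic updates enabled on $1"
fi
```

After the zone reports both attributes, rerun `ipa-client-install --enable-dns-updates` on the client; the `update ... denied` lines in the named log are the symptom to watch for if the policy does not name the client's realm.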
_______________________________________________ Freeipa-users mailing list [email protected] https://www.redhat.com/mailman/listinfo/freeipa-users
