> I am running FreeIPA 4.1.3 on CentOS7.
>
> I am attempting to join a CentOS 6.5 client using ipa-client 3.0.0-42.
>
> The client hostname is ipaclient.login.mydomain.net.
>
> The FreeIPA domain is mydomain.net.
>
> This post here:
> https://www.redhat.com/archives/freeipa-users/2015-April/msg00368.html
> states that making all dns entries into a single zone rather than having a
> separate zone for login.mydomain.net is a perfectly acceptable design
> choice.
>
> However, an issue occurs when joining the client. It joins to the domain
> fine and creates the initial DNS A entry, but then according to the logs,
> when it goes to update the DNS SSHFP records, it fails because it tries to
> update the nonexistent zone login.mydomain.net instead of just updating
> mydomain.net. To be clear, the SSH host keys are in the client record so
> the only issue is with adding them to DNS.
>
> Here are the relevant log entries generated with ipa-client-install:
>
> 2015-06-03T16:11:12Z DEBUG stderr=
> 2015-06-03T16:11:12Z DEBUG Writing nsupdate commands to /etc/ipa/.dns_update.txt:
> 2015-06-03T16:11:12Z DEBUG zone login.mydomain.net.
> update delete ipaclient.login.mydomain.net. IN SSHFP
> send
> update add ipaclient.login.mydomain.net. 1200 IN SSHFP 1 1 1D17A1B7DCB75242AEBBBFEF7CE68844B530AE60
> update add ipaclient.login.mydomain.net. 1200 IN SSHFP 2 1 11D3F076F616F02AD74BFF4D48E8BBA239063E8F
> send
>
> 2015-06-03T16:11:13Z DEBUG args=/usr/bin/nsupdate -g /etc/ipa/.dns_update.txt
> 2015-06-03T16:11:13Z DEBUG stdout=
> 2015-06-03T16:11:13Z DEBUG stderr=update failed: NOTAUTH
> update failed: NOTAUTH
>
> 2015-06-03T16:11:13Z DEBUG nsupdate failed: Command '/usr/bin/nsupdate -g /etc/ipa/.dns_update.txt' returned non-zero exit status 2
> 2015-06-03T16:11:13Z WARNING Could not update DNS SSHFP records.
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
Here are some more entries from /var/named/data/named.run. You'll notice in the first set of entries, I added the hosts with the incorrect subdomain set and it worked fine. In the second set, I gave the correct hostnames and even though it claims it's still trying to update the mydomain.net file it says it's not authorized. I am thoroughly confused by this behavior.

successful
----------
01-Jun-2015 18:36:04.580 client 10.21.5.206#40096/key host/ipaclient.mydomain.net\@mydomain.NET: updating zone 'mydomain.net/IN': deleting rrset at 'ipaclient.mydomain.net' A
01-Jun-2015 18:36:04.590 client 10.21.5.206#34641/key host/ipaclient.mydomain.net\@mydomain.NET: updating zone 'mydomain.net/IN': adding an RR at 'ipaclient.mydomain.net' A
01-Jun-2015 18:36:25.582 client 10.21.5.206#49800/key host/ipaclient.mydomain.net\@mydomain.NET: updating zone 'mydomain.net/IN': deleting rrset at 'ipaclient.mydomain.net' SSHFP
01-Jun-2015 18:36:25.595 client 10.21.5.206#34081/key host/ipaclient.mydomain.net\@mydomain.NET: updating zone 'mydomain.net/IN': adding an RR at 'ipaclient.mydomain.net' SSHFP
01-Jun-2015 18:36:26.363 client 10.21.5.206#34081/key host/ipaclient.mydomain.net\@mydomain.NET: updating zone 'mydomain.net/IN': adding an RR at 'ipaclient.mydomain.net' SSHFP

unsuccessful
------------
03-Jun-2015 16:10:56.407 client 10.21.5.206#52739/key host/ipaclient.login.mydomain.net\@mydomain.NET: updating zone 'mydomain.net/IN': update failed: not authoritative for update zone (NOTAUTH)
03-Jun-2015 16:10:56.420 client 10.21.5.206#50551/key host/ipaclient.login.mydomain.net\@mydomain.NET: updating zone 'mydomain.net/IN': update failed: not authoritative for update zone (NOTAUTH)
03-Jun-2015 16:11:12.993 client 10.21.5.206#39633/key host/ipaclient.login.mydomain.net\@mydomain.NET: updating zone 'mydomain.net/IN': update failed: not authoritative for update zone (NOTAUTH)
03-Jun-2015 16:11:13.005 client 10.21.5.206#50415/key host/ipaclient.login.mydomain.net\@mydomain.NET: updating zone 'mydomain.net/IN': update failed: not authoritative for update zone (NOTAUTH)
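The quoted ipa-client-install log shows the client writing `zone login.mydomain.net.` into its nsupdate script, i.e. the hostname with its first label removed, while the server is only authoritative for `mydomain.net.`; that mismatch is exactly what NOTAUTH reports. The following Python is an added example, not code from this thread or from FreeIPA: it contrasts that naive zone derivation with walking the hostname's labels upward until one matches a zone the server actually serves, and builds an nsupdate script against that zone. The served-zone set, hostnames and SSHFP fingerprints are constructed for illustration (the two fingerprints are copied from the quoted log).

```python
"""Derive the correct DNS zone for a dynamic SSHFP update.

Added example; the served-zone list below is constructed, not read from a
real server. In practice it would be filled from the zones the FreeIPA DNS
server is authoritative for (e.g. via `ipa dnszone-find`).
"""

# Constructed: zones the DNS server is authoritative for. Note that
# login.mydomain.net. is deliberately absent, matching the thread's setup.
SERVED_ZONES = {"mydomain.net.", "5.21.10.in-addr.arpa."}


def _fqdn(name):
    """Return the name with a trailing dot so comparisons are canonical."""
    return name if name.endswith(".") else name + "."


def naive_zone(hostname):
    """Hostname minus its leftmost label.

    This reproduces the zone seen in the quoted log (login.mydomain.net.)
    and is the choice that yields NOTAUTH when the host lives in a
    subdomain that has no zone of its own.
    """
    labels = _fqdn(hostname).split(".")
    return ".".join(labels[1:])


def enclosing_zone(hostname, served_zones):
    """Longest (most specific) served zone that contains hostname, or None.

    Walks up the labels: for a.b.c.d. it tries b.c.d., then c.d., then d.
    """
    labels = _fqdn(hostname).rstrip(".").split(".")
    for i in range(1, len(labels)):
        candidate = ".".join(labels[i:]) + "."
        if candidate in served_zones:
            return candidate
    return None


def build_sshfp_update(hostname, sshfp_records, served_zones, ttl=1200):
    """Build an nsupdate script in the same shape ipa-client-install wrote,
    but with the zone line pointing at the enclosing served zone.

    sshfp_records is a list of (algorithm, fingerprint_type, hex_digest)
    tuples, as in the SSHFP RDATA. Raises ValueError when no served zone
    encloses the hostname, which is the condition the server would answer
    with NOTAUTH.
    """
    zone = enclosing_zone(hostname, served_zones)
    if zone is None:
        raise ValueError("no served zone encloses %s" % hostname)
    name = _fqdn(hostname)
    lines = [
        "zone %s" % zone,
        "update delete %s IN SSHFP" % name,
        "send",
    ]
    for alg, fptype, digest in sshfp_records:
        lines.append("update add %s %d IN SSHFP %d %d %s"
                     % (name, ttl, alg, fptype, digest))
    lines.append("send")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Fingerprints copied from the quoted ipa-client-install log.
    records = [
        (1, 1, "1D17A1B7DCB75242AEBBBFEF7CE68844B530AE60"),
        (2, 1, "11D3F076F616F02AD74BFF4D48E8BBA239063E8F"),
    ]
    host = "ipaclient.login.mydomain.net"
    print("naive zone:     ", naive_zone(host))
    print("enclosing zone: ", enclosing_zone(host, SERVED_ZONES))
    print(build_sshfp_update(host, records, SERVED_ZONES), end="")
```

Running the module prints `login.mydomain.net.` for the naive choice and `mydomain.net.` for the enclosing-zone walk, then an nsupdate script whose first line is `zone mydomain.net.`; feeding that script to `nsupdate -g` (with the host's Kerberos credentials) would be the form of update the server accepts. The design point is that the update zone is a property of the server's zone layout, not of the hostname, so a client that does not know the layout should either query it or fall back to letting the server locate the zone by omitting the `zone` line.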
