On 5.6.2015 08:27, Martin Kosek wrote:
> On 06/05/2015 12:27 AM, [email protected] wrote:
>>>> I am running FreeIPA 4.1.3 on CentOS 7.
>>>>
>>>> I am attempting to join a CentOS 6.5 client using ipa-client 3.0.0-42.
>>>>
>>>> The client hostname is ipaclient.login.mydomain.net.
>>>>
>>>> The FreeIPA domain is mydomain.net.
>>>>
>>>> This post here:
>>>> https://www.redhat.com/archives/freeipa-users/2015-April/msg00368.html
>>>> states that making all DNS entries into a single zone rather than having a
>>>> separate zone for login.mydomain.net is a perfectly acceptable design choice.
>>>>
>>>> However, an issue occurs when joining the client. It joins the domain
>>>> fine and creates the initial DNS A entry, but then, according to the logs,
>>>> when it goes to update the DNS SSHFP records, it fails because it tries to
>>>> update the nonexistent zone login.mydomain.net instead of just updating
>>>> mydomain.net. To be clear, the SSH host keys are in the client record, so
>>>> the only issue is with adding them to DNS.
>>>>
>>>> Here are the relevant log entries generated with ipa-client-install:
>>>>
>>>> 2015-06-03T16:11:12Z DEBUG stderr=
>>>> 2015-06-03T16:11:12Z DEBUG Writing nsupdate commands to /etc/ipa/.dns_update.txt:
>>>> 2015-06-03T16:11:12Z DEBUG zone login.mydomain.net.
>>>> update delete ipaclient.login.mydomain.net. IN SSHFP
>>>> send
>>>> update add ipaclient.login.mydomain.net. 1200 IN SSHFP 1 1 1D17A1B7DCB75242AEBBBFEF7CE68844B530AE60
>>>> update add ipaclient.login.mydomain.net. 1200 IN SSHFP 2 1 11D3F076F616F02AD74BFF4D48E8BBA239063E8F
>>>> send
>>>>
>>>> 2015-06-03T16:11:13Z DEBUG args=/usr/bin/nsupdate -g /etc/ipa/.dns_update.txt
>>>> 2015-06-03T16:11:13Z DEBUG stdout=
>>>> 2015-06-03T16:11:13Z DEBUG stderr=update failed: NOTAUTH
>>>> update failed: NOTAUTH
>>>>
>>>> 2015-06-03T16:11:13Z DEBUG nsupdate failed: Command '/usr/bin/nsupdate -g /etc/ipa/.dns_update.txt' returned non-zero exit status 2
>>>> 2015-06-03T16:11:13Z WARNING Could not update DNS SSHFP records.
>>>>
>>>> --
>>>> Manage your subscription for the Freeipa-users mailing list:
>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>> Go to http://freeipa.org for more info on the project
>>>
>>> Here are some more entries from /var/named/data/named.run.
>>>
>>> You'll notice that in the first set of entries I added the hosts with the
>>> incorrect subdomain set and it worked fine.
>>>
>>> In the second set, I gave the correct hostnames and, even though it claims
>>> it's still trying to update the mydomain.net file, it says it's not
>>> authorized. I am thoroughly confused by this behavior.
>>>
>>> successful
>>> ----------
>>> 01-Jun-2015 18:36:04.580 client 10.21.5.206#40096/key host/ipaclient.mydomain.net\@mydomain.NET: updating zone 'mydomain.net/IN': deleting rrset at 'ipaclient.mydomain.net' A
>>> 01-Jun-2015 18:36:04.590 client 10.21.5.206#34641/key host/ipaclient.mydomain.net\@mydomain.NET: updating zone 'mydomain.net/IN': adding an RR at 'ipaclient.mydomain.net' A
>>> 01-Jun-2015 18:36:25.582 client 10.21.5.206#49800/key host/ipaclient.mydomain.net\@mydomain.NET: updating zone 'mydomain.net/IN': deleting rrset at 'ipaclient.mydomain.net' SSHFP
>>> 01-Jun-2015 18:36:25.595 client 10.21.5.206#34081/key host/ipaclient.mydomain.net\@mydomain.NET: updating zone 'mydomain.net/IN': adding an RR at 'ipaclient.mydomain.net' SSHFP
>>> 01-Jun-2015 18:36:26.363 client 10.21.5.206#34081/key host/ipaclient.mydomain.net\@mydomain.NET: updating zone 'mydomain.net/IN': adding an RR at 'ipaclient.mydomain.net' SSHFP
>>>
>>> unsuccessful
>>> ------------
>>> 03-Jun-2015 16:10:56.407 client 10.21.5.206#52739/key host/ipaclient.login.mydomain.net\@mydomain.NET: updating zone 'mydomain.net/IN': update failed: not authoritative for update zone (NOTAUTH)
>>> 03-Jun-2015 16:10:56.420 client 10.21.5.206#50551/key host/ipaclient.login.mydomain.net\@mydomain.NET: updating zone 'mydomain.net/IN': update failed: not authoritative for update zone (NOTAUTH)
>>> 03-Jun-2015 16:11:12.993 client 10.21.5.206#39633/key host/ipaclient.login.mydomain.net\@mydomain.NET: updating zone 'mydomain.net/IN': update failed: not authoritative for update zone (NOTAUTH)
>>> 03-Jun-2015 16:11:13.005 client 10.21.5.206#50415/key host/ipaclient.login.mydomain.net\@mydomain.NET: updating zone 'mydomain.net/IN': update failed: not authoritative for update zone (NOTAUTH)
>>>
>>
>> So can anyone at least tell me whether it is intended that you have to
>> create a separate DNS subdomain rather than one big domain file in order
>> to get DNS SSHFP records to save, or is that a bug and you should be able to
>> just have one large domain and not break out the subdomains?
>
> I thought it is not needed to create subdomains in order for nsupdate to work.
> Maybe it is an Update policy thing? Petr, do you know?

I'm sorry for the late reply.

Nathan is most probably facing this bug:
https://fedorahosted.org/freeipa/ticket/4780

It was fixed in FreeIPA 4.1.3, patch is here:
https://git.fedorahosted.org/cgit/freeipa.git/commit/?id=8b4301473233afdf0ae3c72ad33bcd04182e63c6

Please note that SSSD has the very same bug (unnecessary/wrong use of explicit
zone statement in nsupdate input):
https://fedorahosted.org/sssd/ticket/2540

This will affect A/AAAA/PTR updates done by SSSD after ipa-client-install.
This should be fixed in upcoming SSSD 1.13.

I do not see any other workaround except for splitting zones, sorry!

--
Petr^2 Spacek
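For readers of the archive, the following is an added example, not code from this thread, from FreeIPA or from SSSD. It reproduces the failure mode Petr describes and shows two ways to avoid it. From a host's OpenSSH public key lines it derives the SSHFP records (algorithm numbers and SHA-1/SHA-256 fingerprint types as in RFC 4255, 6594 and 7479; the 2015 client emitted SHA-1 only) and writes the nsupdate input. naive_zone() is the guess that produced the NOTAUTH above: chop the first label off the hostname and name that as the zone. nsupdate_script() instead either omits the zone statement entirely, so nsupdate locates the zone through its own documented SOA lookup, or picks the longest enclosing zone from a list of zones the server is known to serve, refusing up front when no served zone encloses the name. The key blobs and the served-zone list are constructed for the example; on a real host you would read /etc/ssh/ssh_host_*_key.pub and build the zone list from SOA queries or from the IPA DNS zone list.

```python
"""Build SSHFP records and nsupdate input for a host without guessing the
zone from the hostname.

Added example; not FreeIPA or SSSD code. Key material below is constructed.
"""
import base64
import hashlib

# SSHFP algorithm numbers (RFC 4255, 6594, 7479) keyed by OpenSSH key type.
KEY_ALGO = {
    "ssh-rsa": 1, "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3, "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}


def parse_pubkey(line):
    """Return (sshfp_algorithm, key_blob) for one OpenSSH public key line.

    The SSHFP fingerprint is a hash over the base64-decoded key blob, so the
    blob is checked to begin with the same type string the line declares;
    a mismatch means a mangled or tampered key file.
    """
    fields = line.split()
    if len(fields) < 2 or fields[0] not in KEY_ALGO:
        raise ValueError("unsupported or malformed public key line")
    blob = base64.b64decode(fields[1], validate=True)
    n = int.from_bytes(blob[:4], "big")
    if blob[4:4 + n] != fields[0].encode():
        raise ValueError("key type inside blob does not match declared type")
    return KEY_ALGO[fields[0]], blob


def fingerprint(blob, fptype):
    """SSHFP fingerprint: type 1 is SHA-1, type 2 is SHA-256, upper-case hex."""
    if fptype == 1:
        return hashlib.sha1(blob).hexdigest().upper()
    if fptype == 2:
        return hashlib.sha256(blob).hexdigest().upper()
    raise ValueError("unknown SSHFP fingerprint type")


def sshfp_records(line):
    """All (algorithm, fptype, fingerprint) tuples for one public key line."""
    algo, blob = parse_pubkey(line)
    return [(algo, t, fingerprint(blob, t)) for t in (1, 2)]


def naive_zone(fqdn):
    """The guess behind the thread's NOTAUTH: drop the first label."""
    return fqdn.rstrip(".").split(".", 1)[1]


def enclosing_zone(fqdn, served_zones):
    """Longest zone from served_zones that contains fqdn, or None."""
    labels = fqdn.rstrip(".").lower().split(".")
    zones = {z.rstrip(".").lower() for z in served_zones}
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in zones:
            return candidate
    return None


def nsupdate_script(fqdn, pubkey_lines, served_zones=None, ttl=1200):
    """nsupdate input that replaces the host's SSHFP RRset.

    With served_zones=None no 'zone' statement is emitted and nsupdate finds
    the zone by its own SOA lookup. With a list of zones the server really
    serves, the longest enclosing one is named explicitly; a name outside
    every served zone fails here instead of as NOTAUTH at the server.
    """
    name = fqdn.rstrip(".") + "."
    out = []
    if served_zones is not None:
        zone = enclosing_zone(fqdn, served_zones)
        if zone is None:
            raise ValueError(f"no served zone encloses {fqdn}")
        out.append(f"zone {zone}.")
    out += [f"update delete {name} IN SSHFP", "send"]
    for pk in pubkey_lines:
        for algo, fptype, fp in sshfp_records(pk):
            out.append(f"update add {name} {ttl} IN SSHFP {algo} {fptype} {fp}")
    out.append("send")
    return "\n".join(out) + "\n"


def _constructed_key_line(keytype, body, comment="root@ipaclient"):
    """Constructed OpenSSH public key line: correct wire framing, junk key material."""
    t = keytype.encode()
    blob = len(t).to_bytes(4, "big") + t + body
    return f"{keytype} {base64.b64encode(blob).decode()} {comment}"


# Constructed stand-ins for /etc/ssh/ssh_host_*_key.pub (not real keys).
SAMPLE_PUBKEYS = [
    _constructed_key_line("ssh-rsa", b"\x00\x00\x00\x03\x01\x00\x01\x00\x00\x00\x05\x00\xde\xad\xbe\xef"),
    _constructed_key_line("ssh-ed25519", b"\x00\x00\x00\x20" + bytes(range(32))),
]

if __name__ == "__main__":
    host = "ipaclient.login.mydomain.net"
    print("# buggy guess would name zone", naive_zone(host), "-> NOTAUTH if it is not served")
    print("# zone statement omitted (nsupdate does the SOA lookup):")
    print(nsupdate_script(host, SAMPLE_PUBKEYS))
    print("# zone chosen from what the server serves:")
    print(nsupdate_script(host, SAMPLE_PUBKEYS, served_zones=["mydomain.net"]))
```

Written to a file, the output is fed to `nsupdate -g` on the enrolled host exactly as the ipa-client-install log above shows, with the host's Kerberos credentials signing the update via GSS-TSIG. The "named.run" lines in the thread are the server-side check that the chosen zone is one BIND is authoritative for; with the zone statement omitted, nsupdate asks the SOA question itself before sending the update.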
