I think I got it working. The solution in my case was to run the following on client nodes:

yum install sssd-1.12.4-47.el6.x86_64

And on the IPA server, for each Forward and Reverse lookup zone, I ran:

ipa dnszone-mod XXXXXXXXX.COM. --allow-sync-ptr=TRUE --dynamic-update=TRUE
ipa dnszone-mod 44.28.10.in-addr.arpa. --allow-sync-ptr=TRUE --dynamic-update=TRUE

Ultimately I think bringing all nodes to SSSD 1.12.4 version solved the problem.

Thank you, IPA team, for your support!

Regards,

Andrey Ptashnik

On 9/17/15, 10:32 AM, "Rob Crittenden" <[email protected]> wrote:

>Andrey Ptashnik wrote:
>> Any ideas on that?
>
>/var/log/ipaclient-install.log probably has more details on the DNS
>update failure.
>
>rob
>
>>
>> Regards,
>>
>> Andrey Ptashnik | Network Architect
>> CCC Information Services Inc.
>> 222 Merchandise Mart Plaza, Suite 900 Chicago, IL 60654
>> Office: +1-312-229-2533 | Cell : +1-773-315-0200 | [email protected]
>>
>>
>> On 9/16/15, 11:30 AM, "[email protected] on behalf of Andrey
>> Ptashnik" <[email protected] on behalf of
>> [email protected]> wrote:
>>
>>> Alexander,
>>>
>>> Thank you for your feedback!
>>>
>>> In my environment I noticed that client machines that are on Red Hat 6 have
>>> version 3.0.0 of IPA client installed.
>>>
>>> [root@ptr-test-6 ~]# yum list installed | grep ipa
>>> ipa-client.x86_64 3.0.0-47.el6
>>> ipa-python.x86_64 3.0.0-47.el6
>>>
>>>
>>> [root@ptr-test-6 ~]# yum list installed | grep sssd
>>> python-sssdconfig.noarch 1.12.4-47.el6
>>> sssd.x86_64 1.12.4-47.el6
>>> sssd-ad.x86_64 1.12.4-47.el6
>>> sssd-client.x86_64 1.12.4-47.el6
>>> sssd-common.x86_64 1.12.4-47.el6
>>> sssd-common-pac.x86_64 1.12.4-47.el6
>>> sssd-ipa.x86_64 1.12.4-47.el6
>>> sssd-krb5.x86_64 1.12.4-47.el6
>>> sssd-krb5-common.x86_64 1.12.4-47.el6
>>> sssd-ldap.x86_64 1.12.4-47.el6
>>> sssd-proxy.x86_64 1.12.4-47.el6
>>> [root@ptr-test-6 ~]#
>>>
>>>
>>> And I noticed particular behavior with IPA client 3.0.0 and IPA server 4.1
>>> - when I add machines to the domain using the command below:
>>>
>>> # ipa-client-install --enable-dns-updates --ssh-trust-dns --mkhomedir
>>>
>>> DNS records populate in the Forward lookup zone, but no PTR records appear in
>>> Reverse lookup zones. That behavior is not the same with IPA client 4.1 and
>>> IPA server 4.1 version combination.
>>>
>>> Also during IPA client v. 3.0.0 configuration on version 6 of Red Hat I see
>>> the output below:
>>>
>>> Synchronizing time with KDC...
>>> Enrolled in IPA realm XXXXXXXXX.COM
>>> Attempting to get host TGT...
>>> Created /etc/ipa/default.conf
>>> New SSSD config will be created
>>> Configured sudoers in /etc/nsswitch.conf
>>> Configured /etc/sssd/sssd.conf
>>> Configured /etc/krb5.conf for IPA realm XXXXXXXXX.COM
>>> trying https://ipa-idm.XXXXXXXXX.COM/ipa/xml
>>> Forwarding 'env' to server u'https://ipa-idm.XXXXXXXXX.COM/ipa/xml'
>>> Failed to update DNS records.
>>> Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
>>> Adding SSH public key from /etc/ssh/ssh_host_dsa_key.pub
>>> Forwarding 'host_mod' to server u'https://ipa-idm.XXXXXXXXX.COM/ipa/xml'
>>> SSSD enabled
>>> Configuring XXXXXXXXX.COM as NIS domain
>>> Configured /etc/openldap/ldap.conf
>>> NTP enabled
>>> Configured /etc/ssh/ssh_config
>>> Configured /etc/ssh/sshd_config
>>> Client configuration complete.
>>>
>>>
>>> Regards,
>>>
>>> Andrey Ptashnik
>>>
>>>
>>> On 9/16/15, 8:43 AM, "Alexander Bokovoy" <[email protected]> wrote:
>>>
>>>> On Wed, 16 Sep 2015, Andrey Ptashnik wrote:
>>>>> Dear IPA Team,
>>>>>
>>>>> We have a situation in our datacenter where we deployed Red Hat 7.1
>>>>> with IPA server 4.1 and on the other hand we still have older machines
>>>>> with Red Hat 5 and 6. I noticed that repositories associated with
>>>>> version 6 have older version of the client software – v.3.0. Therefore
>>>>> some functionality is missing from client package 3 vs 4, like
>>>>> automatic update of both forward and reverse DNS records.
>>>>>
>>>>> Is it possible to install IPA client v. 4 on Red Hat 5 and 6 without
>>>>> much breaking dependencies in OS?
>>>> You don't need to install IPA python packages on older machines. These
>>>> packages are mostly for administration purposes.
>>>>
>>>> Automatic update of forward/reverse DNS zones is done by SSSD. RHEL 6
>>>> version of SSSD is on par with RHEL 7 version in the recent updates.
>>>> Additionally, MIT Kerberos backports were done in the recent updates to
>>>> allow OTP functionality in RHEL6 as well. So most of features are there
>>>> already, client-wise.
>>>>
>>>> RHEL5 version does not have such updates and you can implement most of
>>>> the support with existing SSSD and output of 'ipa-advise' tool on IPA
>>>> masters. nsupdate integration would probably need to be done
>>>> differently.
>>>>
>>>> Backporting IPA v4.x client code to RHEL 5 or 6 in general makes not
>>>> much sense.
>>>>
>>>> --
>>>> / Alexander Bokovoy
>>>
>>> --
>>> Manage your subscription for the Freeipa-users mailing list:
>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>> Go to http://freeipa.org for more info on the project
>>
>
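
As an added example (not part of the original thread and not FreeIPA or SSSD code), the Python sketch below audits the symptom described in the thread, A records present but PTR records missing or inconsistent, over exported record data. The host names under example.test, the addresses and the two record dictionaries are constructed; only the reverse zone name comes from the post.

```python
import ipaddress

# Constructed sample data (not from the thread): forward A records and the
# PTR records currently present in the reverse zone named in the post.
REVERSE_ZONE = "44.28.10.in-addr.arpa."
A_RECORDS = {
    "ptr-test-6.example.test.": "10.28.44.21",
    "ptr-test-7.example.test.": "10.28.44.22",
    "app-01.example.test.": "10.28.44.23",
    "edge-01.example.test.": "10.28.45.9",  # address outside the reverse zone
}
PTR_RECORDS = {
    "22.44.28.10.in-addr.arpa.": "ptr-test-7.example.test.",
    "23.44.28.10.in-addr.arpa.": "old-app.example.test.",  # stale target
}


def ptr_owner(ip):
    """Return the fully qualified PTR owner name for an IPv4/IPv6 address."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def in_zone(name, zone):
    """True if name is the zone apex or sits below it on a label boundary."""
    name, zone = name.lower(), zone.lower()
    return name == zone or name.endswith("." + zone)


def audit(a_records, ptr_records, zone):
    """Classify each forward record: ok, missing_ptr, mismatch, out_of_zone."""
    findings = {}
    for host, ip in sorted(a_records.items()):
        owner = ptr_owner(ip)
        if not in_zone(owner, zone):
            findings[host] = "out_of_zone"   # needs a different reverse zone
        elif owner not in ptr_records:
            findings[host] = "missing_ptr"   # the symptom from the thread
        elif ptr_records[owner].lower() != host.lower():
            findings[host] = "mismatch"      # PTR points at another name
        else:
            findings[host] = "ok"
    return findings


if __name__ == "__main__":
    for host, status in audit(A_RECORDS, PTR_RECORDS, REVERSE_ZONE).items():
        print(f"{status:12} {host}")
```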
