Hello everyone. I need some insight on a particular issue.
Is it true that the command 'ipa-client-install' won't automatically add an A-record for the new host, even when dyndns is set to True for the zone? Currently, I can only seem to create an A-record during host enrollment when I use the '--enable-dns-update' option. Is this the intended behavior or am I perhaps making a mistake, and the 'ipa-client-install' command should attempt to add an A-record by default?
I have attached the log of the 'ipa-client-install' command for reference: https://pastebin.com/2Bbs55Ja
dweller dweller via FreeIPA-users wrote:
Your pastebin expired so it's not possible to see what is going on.
An A/AAAA record will be added under a number of conditions by ipa-client-install:
- --enable-dns-updates is set
- --ip-address is set
- --all-ip-addresses is set
- the client hostname DNS lookup fails
rob
Yep, sorry. I reuploaded it to github https://github.com/vudex/for-freeipa-users/blob/main/ipaclient-install.log.
Connectivity to the ipa replica is definitely there:
```
[root@host-01 ~]# telnet freeipa-master-01.test-krb1.novalocal 53
Trying 172.28.19.229...
Connected to freeipa-master-01.test-krb1.novalocal.
Escape character is '^]'.
```
So, Rob, as I understood from your reply, the A-record should be added *almost* always when we are enrolling a new host, because the DNS lookup will fail (considering we are using freeipa-dns and relying on the enrollment process to set up records).
So I do not need to specify these options:
- --enable-dns-updates is set
- --ip-address is set
- --all-ip-addresses is set
if I'm relying on the DNS lookup failing.
dweller dweller via FreeIPA-users wrote:
An A record was found for host-01.test-krb1.novalocal:
From the log:
```
2023-09-10T06:48:34Z DEBUG found 1 A records for host-01.test-krb1.novalocal.: 172.28.19.96
2023-09-10T06:48:34Z DEBUG The DNS response does not contain an answer to the question: host-01.test-krb1.novalocal. IN AAAA
```
Later you'll see an nsupdate to update DNS:
```
2023-09-10T06:48:34Z DEBUG Writing nsupdate commands to /etc/ipa/.dns_update.txt:
2023-09-10T06:48:34Z DEBUG debug
update delete host-01.test-krb1.novalocal. IN A
show
send
update delete host-01.test-krb1.novalocal. IN AAAA
show
send
update add host-01.test-krb1.novalocal. 1200 IN A 172.28.19.96
show
send
```
That update is failing but I can't tell why. We validate that the update succeeded by looking up the expected results, and they aren't there, except apparently for the reverse:
```
2023-09-10T06:48:34Z DEBUG DNS resolver: Query: host-01.test-krb1.novalocal IN A
2023-09-10T06:48:34Z DEBUG DNS resolver: Query: host-01.test-krb1.novalocal IN AAAA
2023-09-10T06:48:34Z DEBUG DNS resolver: No record.
2023-09-10T06:48:34Z DEBUG DNS resolver: Query: 96.19.28.172.in-addr.arpa. IN PTR
```
Strangely though we also print a summary of missing entries and that isn't logged. I'd expect something like "Missing A/AAAA record(s) for host host-01.test-krb1.novalocal" but it isn't logged.
rob
I decided to make a little test during spare time to investigate the problem further:
```
[root@host-01 ~]# ipa dnszone-show test-krb1.novalocal
  Zone name: test-krb1.novalocal.
  Active zone: TRUE
  Authoritative nameserver: freeipa-master-01.test-krb1.novalocal.
  Administrator e-mail address: hostmaster.test-krb1.novalocal.
  SOA serial: 1694341901
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  BIND update policy: grant TEST-KRB1.NOVALOCAL krb5-self * A; grant TEST-KRB1.NOVALOCAL krb5-self * AAAA; grant TEST-KRB1.NOVALOCAL krb5-self * SSHFP;
  Dynamic update: TRUE
  Allow query: any;
  Allow transfer: none;
[root@host-01 ~]#
[root@host-01 ~]# cat dns_update.txt
update delete host-01.test-krb1.novalocal. IN A
show
send
update delete host-01.test-krb1.novalocal. IN AAAA
show
send
update add host-01.test-krb1.novalocal. 1200 IN A 172.28.19.97
show
send
[root@host-01 ~]# nsupdate -g dns_update.txt
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
host-01.test-krb1.novalocal. 0 ANY A

update failed: REFUSED
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
host-01.test-krb1.novalocal. 0 ANY AAAA

update failed: REFUSED
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
host-01.test-krb1.novalocal. 1200 IN A 172.28.19.97

update failed: REFUSED
```
And this is from the dns logs:
```
[root@freeipa-master-01 bind]# tail -f /var/lib/bind/data/named.run
17-Sep-2023 16:03:39.500 client @0x7f73801235f0 172.28.19.96#37737/key admin@TEST-KRB1.NOVALOCAL: updating zone 'test-krb1.novalocal/IN': update failed: rejected by secure update (REFUSED)
```
Any suggestions on why the update is getting refused?
On Sun, Sep 17, 2023 at 10:22 AM dweller dweller via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote:
IIRC, you can't use your user credentials for `nsupdate -g` to update a host DNS entry.
Try retrieving the host keytab, and kinit with it (I'm making a wild guess on the realm name):
```
# fetch the host principal's key from the IPA server into ./keytab
# (without -r this generates a new key and invalidates the one already in /etc/krb5.keytab;
#  on an enrolled client you can instead kinit straight from /etc/krb5.keytab)
ipa-getkeytab -s freeipa-master-01.test-krb1.novalocal -p host/host-01.test-krb1.novalocal@TEST-KRB1.NOVALOCAL -k keytab
# obtain a TGT as the host principal, then send the GSS-TSIG update with that identity
kinit -k -t keytab host/host-01.test-krb1.novalocal@TEST-KRB1.NOVALOCAL
nsupdate -g dns_update.txt
```
Rafael
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
Do not reply to spam, report it:
https://pagure.io/fedora-infrastructure/new_issue
-- Rafael Guterres Jeffman Senior Software Engineer FreeIPA - Red Hat
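The reason behind Rafael's point is the zone's update policy shown earlier in the thread: a `krb5-self` grant only admits the machine principal `host/<name>@REALM` for the very owner name being updated, so `admin@REALM` can never satisfy it. The following is an added Python model of that check (my illustration, not FreeIPA or BIND code), evaluated against the thread's policy string and the two principals that were tried:

```python
import re

# Update policy copied from the thread's `ipa dnszone-show test-krb1.novalocal` output.
UPDATE_POLICY = (
    "grant TEST-KRB1.NOVALOCAL krb5-self * A; "
    "grant TEST-KRB1.NOVALOCAL krb5-self * AAAA; "
    "grant TEST-KRB1.NOVALOCAL krb5-self * SSHFP;"
)

def parse_update_policy(policy: str) -> list:
    """Split a BIND update-policy string into (action, identity, matchtype, name, types)."""
    rules = []
    for stmt in policy.split(";"):
        parts = stmt.split()
        if len(parts) < 4:
            continue  # skip the empty fragment after the trailing ';'
        action, identity, matchtype, name = parts[:4]
        types = [t.upper() for t in parts[4:]] or ["ANY"]  # BIND: no type list means ANY
        rules.append((action, identity, matchtype, name, types))
    return rules

def krb5_self_allows(rules, principal: str, record_name: str, rtype: str) -> bool:
    """First-match evaluation of krb5-self rules (simplified model of BIND's behaviour).

    krb5-self matches only a machine principal host/<name>@REALM whose <name> equals
    the owner name being updated and whose REALM equals the rule's identity field.
    A user principal such as admin@REALM therefore never matches, hence REFUSED.
    """
    target = record_name.rstrip(".").lower()
    m = re.fullmatch(r"host/([^@]+)@(.+)", principal)
    for action, realm, matchtype, _name, types in rules:
        if matchtype != "krb5-self" or m is None:
            continue
        host, prealm = m.group(1).rstrip(".").lower(), m.group(2)
        if prealm != realm or host != target:
            continue
        if "ANY" in types or rtype.upper() in types:
            return action == "grant"
    return False  # no rule matched: BIND's default for secure updates is to refuse

def verdict(principal: str, record_name: str, rtype: str = "A") -> str:
    """Return the rcode the server would answer for this update attempt."""
    rules = parse_update_policy(UPDATE_POLICY)
    return "NOERROR" if krb5_self_allows(rules, principal, record_name, rtype) else "REFUSED"

if __name__ == "__main__":
    for p in ("admin@TEST-KRB1.NOVALOCAL",
              "host/host-01.test-krb1.novalocal@TEST-KRB1.NOVALOCAL"):
        print(p, "->", verdict(p, "host-01.test-krb1.novalocal."))
```

The model also shows why the host principal cannot touch any other host's record or a type outside A/AAAA/SSHFP, which is the least-privilege property the policy is designed for.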
Unfortunately you are right :) The update went fine via the host principal:
```
[root@host-01 ~]# klist
Ticket cache: KEYRING:persistent:0:krb_ccache_4CnGVjr
Default principal: host/host-01.test-krb1.novalocal@TEST-KRB1.NOVALOCAL

Valid starting       Expires              Service principal
18.09.2023 04:22:42  19.09.2023 04:22:42  krbtgt/TEST-KRB1.NOVALOCAL@TEST-KRB1.NOVALOCAL
[root@host-01 ~]# nsupdate -g dns_update.txt
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
host-01.test-krb1.novalocal. 0 ANY A

Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
host-01.test-krb1.novalocal. 0 ANY AAAA

Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
host-01.test-krb1.novalocal. 1200 IN A 172.28.19.97
```
I guess the only way right now is to follow the source code of the ipa-client-install command and debug what is going on with more precision.