Hi,
We have problems with clients registering DNS records at enrollment. Most of the time all
works OK, but about 10% of the machines don’t create the A records or the SSHFP records.
Sometimes they don’t create both. In the ipaclient-install.log we see the following on
machines that don’t create the records. In this example the creation of the A records
succeeded but the creation of the SSHFP records failed with the following error:
2019-12-20T13:19:51Z INFO Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
2019-12-20T13:19:51Z INFO Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
2019-12-20T13:19:51Z INFO Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
2019-12-20T13:19:51Z INFO [try 1]: Forwarding 'host_mod' to json server
'https://freeipa-002.ipa.cloud/ipa/session/json'
2019-12-20T13:19:51Z DEBUG HTTP connection keep-alive (freeipa-002.ipa.cloud)
2019-12-20T13:19:51Z DEBUG received Set-Cookie (<type
'list'>)'['ipa_session=MagBearerToken=tR1VkWrpjmoNh7aZDYiPzXSwFlkhsp1ENg%2b5y8orMo9P7EkiLQXey11TH9wIgc2xJjJ2xdly2hFyi6v58o2HhzEeQBi%2fcR%2flZ7nwFv8VX3WxCSwS%2beDVSu7%2f%2fjsSB%2b1NzyVHTNe5jkJK9pGXL1nR7QMtNrV2gFY7RyFrJns50dEC%2fi5C%2fEn0BgZAE4aLAiThG4SW3iGc0bfOGy%2bDpAGE17XzB8G978uKpqqHGC9aFDmMmXVFCfpwHoIWoBtJctgy7y6Q97rJnpkjbe2heYMwLQFbDkrTRlrjSDfla0XXCNvd7in6zEu0MZloOXqyXHiu;path=/ipa;httponly;secure;']'
2019-12-20T13:19:51Z DEBUG storing cookie
'ipa_session=MagBearerToken=tR1VkWrpjmoNh7aZDYiPzXSwFlkhsp1ENg%2b5y8orMo9P7EkiLQXey11TH9wIgc2xJjJ2xdly2hFyi6v58o2HhzEeQBi%2fcR%2flZ7nwFv8VX3WxCSwS%2beDVSu7%2f%2fjsSB%2b1NzyVHTNe5jkJK9pGXL1nR7QMtNrV2gFY7RyFrJns50dEC%2fi5C%2fEn0BgZAE4aLAiThG4SW3iGc0bfOGy%2bDpAGE17XzB8G978uKpqqHGC9aFDmMmXVFCfpwHoIWoBtJctgy7y6Q97rJnpkjbe2heYMwLQFbDkrTRlrjSDfla0XXCNvd7in6zEu0MZloOXqyXHiu;'
for principal host/adm-sdrn6419-2062.aal.ipa.cloud@RINIS.CLOUD
2019-12-20T13:19:51Z DEBUG Writing nsupdate commands to /etc/ipa/.dns_update.txt:
2019-12-20T13:19:51Z DEBUG debug
update delete adm-sdrn6419-2062.aal.ipa.cloud. IN SSHFP
show
send
update add adm-sdrn6419-2062.aal.ipa.cloud. 1200 IN SSHFP 1 1
6134C7CDE12FDDFA33A068A273941697928FBCD7
update add adm-sdrn6419-2062.aal.ipa.cloud. 1200 IN SSHFP 1 2
2F41772E6CAD9C328730BFCED0E27350A6C20DE8499E60158635ED8419BF2022
update add adm-sdrn6419-2062.aal.ipa.cloud. 1200 IN SSHFP 3 1
FFE99F20A5C32D857535D13425A7F85F3A63E198
update add adm-sdrn6419-2062.aal.ipa.cloud. 1200 IN SSHFP 3 2
D2C7FC741E834D4E1FE51B7867AFA2D34D0685C769D9019D98093E01C8312118
update add adm-sdrn6419-2062.aal.ipa.cloud. 1200 IN SSHFP 4 1
ED5416B39F419E4F631AB6C9A9CFC0139907232E
update add adm-sdrn6419-2062.aal.ipa.cloud. 1200 IN SSHFP 4 2
7794DBAA391B2939476EDD3A0173162F9CD3BBE1E16B52754BB8C6B56DA26435
show
send
2019-12-20T13:19:51Z DEBUG Starting external process
2019-12-20T13:19:51Z DEBUG args=/usr/bin/nsupdate -g /etc/ipa/.dns_update.txt
2019-12-20T13:19:51Z DEBUG Process finished, return code=1
2019-12-20T13:19:51Z DEBUG stdout=Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
adm-sdrn6419-2062.aal.ipa.cloud. 0 ANY SSHFP
Outgoing update query:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22636
;; flags:; QUESTION: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;3648384014.sig-freeipa-001.ipa.cloud. ANY TKEY
;; ADDITIONAL SECTION:
3648384014.sig-freeipa-001.ipa.cloud. 0 ANY TKEY gss-tsig. 1576847991 1576847991 3 NOERROR
2019-12-20T13:19:51Z DEBUG stderr=Reply from SOA query:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 13244
;; flags: qr aa rd ra; QUESTION: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;adm-sdrn6419-2062.aal.ipa.cloud. IN SOA
;; AUTHORITY SECTION:
aal.ipa.cloud. 0 IN SOA freeipa-001.ipa.cloud. hostmaster.aal.ipa.cloud. 1576848002 3600
60 1209600 60
Found zone name: aal.ipa.cloud
The master is: freeipa-001.ipa.cloud
start_gssrequest
Found realm from ticket: RINIS.CLOUD
send_gssrequest
recvmsg reply from GSS-TSIG query
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22636
;; flags: qr ra; QUESTION: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;3648384014.sig-freeipa-001.ipa.cloud. ANY TKEY
;; ANSWER SECTION:
3648384014.sig-freeipa-001.ipa.cloud. 0 ANY TKEY gss-tsig. 0 0 3 BADNAME 0 0
dns_tkey_gssnegotiate: TKEY is unacceptable
2019-12-20T13:19:51Z DEBUG nsupdate failed: Command '/usr/bin/nsupdate -g
/etc/ipa/.dns_update.txt' returned non-zero exit status 1
2019-12-20T13:19:51Z WARNING Could not update DNS SSHFP records.
When I run the nsupdate command manually after enrollment, it succeeds and adds the
missing records.
Any ideas?
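To triage the failing 10% of machines, the fields that matter in the log above can be pulled out per nsupdate run. This is an added example, not part of the original post or of FreeIPA; the function name `nsupdate_failures` is hypothetical, and it assumes the real log file keeps each record on one line rather than wrapped as in the mail:

```python
import re

# Constructed sample, condensed from the log format quoted above (the A-record
# run and its address are made up; the SSHFP run mirrors the failing one).
SAMPLE_LOG = """\
2019-12-20T13:19:50Z INFO [try 1]: Forwarding 'host_mod' to json server 'https://freeipa-002.ipa.cloud/ipa/session/json'
2019-12-20T13:19:50Z DEBUG Writing nsupdate commands to /etc/ipa/.dns_update.txt:
update add adm-sdrn6419-2062.aal.ipa.cloud. 1200 IN A 192.0.2.10
send
2019-12-20T13:19:50Z DEBUG Process finished, return code=0
2019-12-20T13:19:51Z DEBUG Writing nsupdate commands to /etc/ipa/.dns_update.txt:
update delete adm-sdrn6419-2062.aal.ipa.cloud. IN SSHFP
send
2019-12-20T13:19:51Z DEBUG Process finished, return code=1
3648384014.sig-freeipa-001.ipa.cloud. 0 ANY TKEY gss-tsig. 1576847991 1576847991 3 NOERROR
The master is: freeipa-001.ipa.cloud
3648384014.sig-freeipa-001.ipa.cloud. 0 ANY TKEY gss-tsig. 0 0 3 BADNAME 0 0
dns_tkey_gssnegotiate: TKEY is unacceptable
2019-12-20T13:19:51Z WARNING Could not update DNS SSHFP records.
"""

JSON_SERVER = re.compile(r"json server '?https://([^/']+)")
UPDATE = re.compile(r"^update (?:add|delete) \S+ (?:\d+ )?IN (\w+)")
RC = re.compile(r"return code=(\d+)")
TKEY = re.compile(r"TKEY\s+gss-tsig\.\s+\d+\s+\d+\s+\d+\s+([A-Z]+)")

def nsupdate_failures(log_text):
    """Return one summary dict per nsupdate run that exited non-zero."""
    runs, run, api_server = [], None, None
    for line in log_text.splitlines():
        if m := JSON_SERVER.search(line):
            api_server = m.group(1)          # server that handled the API call
        if "Writing nsupdate commands" in line:
            run = {"time": line.split()[0], "api_server": api_server,
                   "rtypes": set(), "rc": None, "master": None,
                   "tkey_error": None, "gss_error": None}
            runs.append(run)
        elif run is None:
            continue
        elif m := UPDATE.match(line):
            run["rtypes"].add(m.group(1))    # record type being updated
        elif (m := RC.search(line)) and run["rc"] is None:
            run["rc"] = int(m.group(1))      # first exit code after the script
        elif line.startswith("The master is: "):
            run["master"] = line.split(": ", 1)[1].strip()
        elif (m := TKEY.search(line)) and m.group(1) != "NOERROR":
            run["tkey_error"] = m.group(1)   # error field of the TKEY reply
        elif line.startswith("dns_tkey_gssnegotiate:"):
            run["gss_error"] = line.split(": ", 1)[1].strip()
    return [r for r in runs if r["rc"]]
```

Run over the install logs of affected and unaffected hosts, the output shows for each failed update the record type, the IPA server used for the API call, the DNS master nsupdate negotiated with, and the TKEY error code, which can then be compared across machines.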
Hi,
Were you able to solve the problem?
I'm facing the same issue with FreeIPA 4.8.0.
Thank you