Status: Closed (mprenditore closed this issue 3 years ago)
Please read the ipa-client-install manual page. The --domain option (represented with ipaclient_domain in ansible-freeipa) is not your client's DNS domain. It is the primary DNS domain of the IPA deployment, equal to its Kerberos realm.
Thanks for the tip.
I've switched ipaclient_domain back to the primary one and the enrollment still works. I've also added all the system DNS records from the primary domain to the secondary one, but the DNS records are still not created automatically; nsupdate is failing as per the following log:
...
2020-12-10T14:02:27Z DEBUG args=/usr/bin/nsupdate -g /etc/ipa/.dns_update.txt
2020-12-10T14:02:28Z DEBUG Process finished, return code=2
...
Am I missing some other step to configure the DNS automatically?
Right after 'Process finished ...' you should have output from the nsupdate tool. Can you attach it here?
This is the relevant part requested. I've just removed all the possible sensitive data:
2020-12-10T14:02:27Z DEBUG Starting external process
2020-12-10T14:02:27Z DEBUG args=/usr/bin/nsupdate -g /etc/ipa/.dns_update.txt
2020-12-10T14:02:28Z DEBUG Process finished, return code=2
2020-12-10T14:02:28Z DEBUG stdout=Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
host001.domain2.lan. 0 ANY SSHFP
Outgoing update query:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3502
;; flags:; QUESTION: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;1725163136.sig-ipa.domain1.lan. ANY TKEY
;; ADDITIONAL SECTION:
1725163136.sig-ipa.domain1.lan. 0 ANY TKEY gss-tsig. 1607608947 1607608947 3 NOERROR 648 <<REDACTED>> 0
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 44765
;; flags:; ZONE: 1, PREREQ: 0, UPDATE: 1, ADDITIONAL: 1
;; UPDATE SECTION:
host001.domain2.lan. 0 ANY SSHFP
;; TSIG PSEUDOSECTION:
1725163136.sig-ipa.domain1.lan. 0 ANY TSIG gss-tsig. 1607608947 300 28 BAQE//////<<REDACTED>>== 44765 NOERROR 0
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
host001.domain2.lan. 1200 IN SSHFP 1 1 <<REDACTED>>
host001.domain2.lan. 1200 IN SSHFP 1 2 <<REDACTED>> 8A57B1B8
host001.domain2.lan. 1200 IN SSHFP 3 1 <<REDACTED>>
host001.domain2.lan. 1200 IN SSHFP 3 2 <<REDACTED>> E0102F9B
host001.domain2.lan. 1200 IN SSHFP 4 1 <<REDACTED>>
host001.domain2.lan. 1200 IN SSHFP 4 2 <<REDACTED>> 7418E59A
Outgoing update query:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64089
;; flags:; QUESTION: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;574310536.sig-ipa.domain1.lan. ANY TKEY
;; ADDITIONAL SECTION:
574310536.sig-ipa.domain1.lan. 0 ANY TKEY gss-tsig. 1607608948 1607608948 3 NOERROR 648 <<REDACTED>> 0
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 483
;; flags:; ZONE: 1, PREREQ: 0, UPDATE: 6, ADDITIONAL: 1
;; UPDATE SECTION:
host001.domain2.lan. 1200 IN SSHFP 1 1 <<REDACTED>>
host001.domain2.lan. 1200 IN SSHFP 1 2 <<REDACTED>> 8A57B1B8
host001.domain2.lan. 1200 IN SSHFP 3 1 <<REDACTED>>
host001.domain2.lan. 1200 IN SSHFP 3 2 <<REDACTED>> E0102F9B
host001.domain2.lan. 1200 IN SSHFP 4 1 <<REDACTED>>
host001.domain2.lan. 1200 IN SSHFP 4 2 <<REDACTED>> 7418E59A
;; TSIG PSEUDOSECTION:
574310536.sig-ipa.domain1.lan. 0 ANY TSIG gss-tsig. 1607608948 300 28 BAQE//////<<REDACTED>>== 483 NOERROR 0
2020-12-10T14:02:28Z DEBUG stderr=Reply from SOA query:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 55905
;; flags: qr aa rd ra; QUESTION: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;host001.domain2.lan. IN SOA
;; AUTHORITY SECTION:
domain2.lan. 0 IN SOA ipa.domain1.lan. hostmaster.domain2.lan. 1607595044 3600 900 1209600 3600
Found zone name: domain2.lan
The master is: ipa.domain1.lan
start_gssrequest
Found realm from ticket: DOMAIN.LAN
send_gssrequest
recvmsg reply from GSS-TSIG query
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3502
;; flags: qr ra; QUESTION: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;1725163136.sig-ipa.domain1.lan. ANY TKEY
;; ANSWER SECTION:
1725163136.sig-ipa.domain1.lan. 0 ANY TKEY gss-tsig. 1607608947 1607612547 3 NOERROR 156 <<REDACTED>> 0
Sending update to 10.1.1.254#53
Reply from update query:
;; ->>HEADER<<- opcode: UPDATE, status: REFUSED, id: 44765
;; flags: qr; ZONE: 1, PREREQ: 0, UPDATE: 0, ADDITIONAL: 1
;; ZONE SECTION:
;domain2.lan. IN SOA
;; TSIG PSEUDOSECTION:
1725163136.sig-ipa.domain1.lan. 0 ANY TSIG gss-tsig. 1607608947 300 28 BAQF//////<<REDACTED>>== 44765 NOERROR 0
Reply from SOA query:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 23886
;; flags: qr aa rd ra; QUESTION: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;host001.domain2.lan. IN SOA
;; AUTHORITY SECTION:
domain2.lan. 0 IN SOA ipa.domain1.lan. hostmaster.domain2.lan. 1607595044 3600 900 1209600 3600
Found zone name: domain2.lan
The master is: ipa.domain1.lan
start_gssrequest
send_gssrequest
recvmsg reply from GSS-TSIG query
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64089
;; flags: qr ra; QUESTION: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;574310536.sig-ipa.domain1.lan. ANY TKEY
;; ANSWER SECTION:
574310536.sig-ipa.domain1.lan. 0 ANY TKEY gss-tsig. 1607608948 1607612548 3 NOERROR 156 <<REDACTED>> 0
Sending update to 10.1.1.254#53
Reply from update query:
;; ->>HEADER<<- opcode: UPDATE, status: REFUSED, id: 483
;; flags: qr; ZONE: 1, PREREQ: 0, UPDATE: 0, ADDITIONAL: 1
;; ZONE SECTION:
;domain2.lan. IN SOA
;; TSIG PSEUDOSECTION:
574310536.sig-ipa.domain1.lan. 0 ANY TSIG gss-tsig. 1607608948 300 28 BAQF//////<<REDACTED>>== 483 NOERROR 0
2020-12-10T14:02:28Z DEBUG nsupdate failed: Command '/usr/bin/nsupdate -g /etc/ipa/.dns_update.txt' returned non-zero exit status 2
2020-12-10T14:02:28Z WARNING Could not update DNS SSHFP records.
So, the host record does not exist in the DNS zone and thus updating records for it was not allowed. You may enable logging of queries on the DNS server side with
# rndc querylog on
# rndc trace 2
.. run test ...
# rndc querylog off
# rndc notrace
Then /var/named/data/data.run would contain the specifics of the communication with the client and what bind-dyndb-ldap and bind itself were doing.
@abbra thanks for the help. Going through the logs of named I found this line:
10-Dec-2020 18:08:18.850 client @0x7f7aea86f440 10.2.4.226#58044/key host/host01.domain2.lan\@DOMAIN.LAN: updating zone 'domain2.lan/IN': update failed: rejected by secure update (REFUSED)
Going online I found someone referring to granting permissions to BIND, so while searching for how to do that on FreeIPA, I discovered the Settings tab of the DNS zone and there I found that the option Dynamic Update was set to false. Switching it to true solved my issue!
I was looking everywhere but in the zone settings; I feel like a complete idiot :)
Glad it worked! Yes, the most obvious things are not always the first thing to remember to look at ;)
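As an added example (not from the thread or from the ansible-freeipa project), a small Python parser that pulls the REFUSED update replies out of nsupdate's debug stderr and the matching "update failed" line out of the named log, so a rejected dynamic update can be spotted in an enrollment log without reading the whole dump. Both log excerpts are constructed to match the shapes quoted above; the regexes assume that output shape.

```python
import re
from typing import Dict, List, Optional

# Constructed excerpt, in the shape of the nsupdate -g debug stderr quoted in the thread.
NSUPDATE_STDERR = """\
Found zone name: domain2.lan
The master is: ipa.domain1.lan
Sending update to 10.1.1.254#53
Reply from update query:
;; ->>HEADER<<- opcode: UPDATE, status: REFUSED, id: 44765
;; flags: qr; ZONE: 1, PREREQ: 0, UPDATE: 0, ADDITIONAL: 1
;; ZONE SECTION:
;domain2.lan. IN SOA
"""

# Constructed named log line, in the shape of the one found in the thread.
NAMED_LOG = ("10-Dec-2020 18:08:18.850 client @0x7f7aea86f440 10.2.4.226#58044/key "
             "host/host01.domain2.lan\\@DOMAIN.LAN: updating zone 'domain2.lan/IN': "
             "update failed: rejected by secure update (REFUSED)")

def parse_nsupdate_replies(stderr: str) -> List[Dict[str, Optional[str]]]:
    """One record per 'Reply from update query' block: target server, rcode, id, zone."""
    replies, server = [], None
    lines = stderr.splitlines()
    for i, line in enumerate(lines):
        m = re.match(r"Sending update to (\S+)", line)
        if m:
            server = m.group(1)          # remembered until the matching reply arrives
        elif line == "Reply from update query:" and i + 1 < len(lines):
            hdr = re.search(r"opcode: UPDATE, status: (\w+), id: (\d+)", lines[i + 1])
            if not hdr:
                continue
            # The zone being updated is the SOA owner in the ZONE SECTION that follows.
            zone = next((l.lstrip(";").split()[0] for l in lines[i + 2:i + 8]
                         if l.startswith(";") and " IN SOA" in l), None)
            replies.append({"server": server, "status": hdr.group(1),
                            "id": hdr.group(2), "zone": zone})
    return replies

# named's server-side record of a rejected dynamic update (client, signing key, zone, reason).
NAMED_UPDATE_FAILED = re.compile(
    r"client .*? (?P<client>\S+?)/key (?P<principal>\S+): updating zone '(?P<zone>[^']+)': "
    r"update failed: (?P<reason>.+?) \((?P<rcode>\w+)\)")

def parse_named_update_failure(line: str) -> Optional[Dict[str, str]]:
    m = NAMED_UPDATE_FAILED.search(line)
    return m.groupdict() if m else None
```

A "rejected by secure update" reason paired with a REFUSED reply for the same zone is the signature of the case in this thread: the update was correctly signed (the TKEY exchange succeeded) but the zone's policy did not allow it.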
Hello, I have a FreeIPA server that was set up without this playbook a long time ago, but I'm successfully using the install_client playbook to enroll new servers on it. Now I've added a new domain to this FreeIPA server so that now I have:
I've created the DNS zones as well and the DNS resolution works.
This is to have a single point where to handle users and permissions across different infrastructures, and to handle DNS as well.
If I enroll a machine specifying ipaclient_domain: domain1.lan everything works just fine and the DNS entries are created. If I enroll the same machine with ipaclient_domain: domain2.lan the host is enrolled but no DNS entry is set. Is there something else I have to change in order to get the automatic DNS creation working on the second domain?
Cheers!