On Sun, Sep 17, 2023 at 10:22 AM dweller dweller via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote:
I decided to make a little test during spare time to investigate the
problem further:
```
[root@host-01 ~]# ipa dnszone-show test-krb1.novalocal
  Zone name: test-krb1.novalocal.
  Active zone: TRUE
  Authoritative nameserver: freeipa-master-01.test-krb1.novalocal.
  Administrator e-mail address: hostmaster.test-krb1.novalocal.
  SOA serial: 1694341901
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  BIND update policy: grant TEST-KRB1.NOVALOCAL krb5-self * A; grant TEST-KRB1.NOVALOCAL krb5-self * AAAA; grant TEST-KRB1.NOVALOCAL krb5-self * SSHFP;
  Dynamic update: TRUE
  Allow query: any;
  Allow transfer: none;
[root@host-01 ~]#
[root@host-01 ~]# cat dns_update.txt
update delete host-01.test-krb1.novalocal. IN A
show
send
update delete host-01.test-krb1.novalocal. IN AAAA
show
send
update add host-01.test-krb1.novalocal. 1200 IN A 172.28.19.97
show
send
[root@host-01 ~]# nsupdate -g dns_update.txt
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
host-01.test-krb1.novalocal. 0 ANY A

update failed: REFUSED
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
host-01.test-krb1.novalocal. 0 ANY AAAA

update failed: REFUSED
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
host-01.test-krb1.novalocal. 1200 IN A 172.28.19.97

update failed: REFUSED
```
And this is from the dns logs:
```
[root@freeipa-master-01 bind]# tail -f /var/lib/bind/data/named.run
17-Sep-2023 16:03:39.500 client @0x7f73801235f0 172.28.19.96#37737/key admin@TEST-KRB1.NOVALOCAL: updating zone 'test-krb1.novalocal/IN': update failed: rejected by secure update (REFUSED)
```
Any suggestions on why the update is getting refused?
IIRC, you can't use your user credentials for `nsupdate -g` to update a host DNS entry.
Try retrieving the host keytab, and kinit with it (I'm making a wild guess on the realm name):

```
ipa-getkeytab -s `hostname` -p host/host-01.test-krb1.novalocal.@TEST-KRB1.NOVALOCAL -k keytab
kinit -k -t keytab host/test.example.test
nsupdate -g
```
Rafael
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
--
Rafael Guterres Jeffman
Senior Software Engineer
FreeIPA - Red Hat
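The reply above comes down to a rule in BIND's update-policy: `grant REALM krb5-self * A` maps a machine principal of the form `host/<name>@<REALM>` to the owner name `<name>` and lets only that principal change records at `<name>`, so a user principal such as admin@TEST-KRB1.NOVALOCAL is always "rejected by secure update". Below is an added, end-to-end version of the procedure as a shell script; it is not code from the thread or from FreeIPA. It assumes the names from the thread (host-01.test-krb1.novalocal, realm TEST-KRB1.NOVALOCAL, address 172.28.19.97) and that the host is already IPA-enrolled, so its host principal is in /etc/krb5.keytab; the functions krb5_self_allows, build_update and apply_update are mine, and the krb5-self check is a literal-string model of the BIND rule, not BIND's own code.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeIPA. Names below
# (host-01.test-krb1.novalocal, TEST-KRB1.NOVALOCAL, 172.28.19.97) come from the thread.
set -eu

# Model of BIND's "grant REALM krb5-self * <type>" rule: the update is allowed only
# when the authenticating principal is exactly host/<owner>@<REALM>. A user principal
# (admin@REALM) or another machine's principal never matches. Compared literally,
# so pass the owner name in the same case as the principal.
# Arguments: principal, record owner name (no trailing dot), realm.
krb5_self_allows() {
    case "$1" in
        host/"$2"@"$3") return 0 ;;
        *) return 1 ;;
    esac
}

# Emit an nsupdate script as a single transaction: drop stale A/AAAA records for
# the name, add the current address, and send once, so the change is atomic
# instead of three separately sent updates as in the original dns_update.txt.
# Arguments: fqdn (no trailing dot), IPv4 address, TTL.
build_update() {
    printf 'update delete %s. IN A\n' "$1"
    printf 'update delete %s. IN AAAA\n' "$1"
    printf 'update add %s. %s IN A %s\n' "$1" "$3" "$2"
    printf 'send\n'
}

# Send the update with the host's own credentials over GSS-TSIG (nsupdate -g).
# A throwaway credential cache keeps the admin's existing tickets untouched.
# Arguments: fqdn, realm, IPv4 address.
apply_update() {
    fqdn=$1; realm=$2; addr=$3
    princ="host/${fqdn}@${realm}"
    if ! krb5_self_allows "$princ" "$fqdn" "$realm"; then
        echo "krb5-self would refuse $princ for $fqdn; not sending" >&2
        return 1
    fi
    KRB5CCNAME="FILE:$(mktemp)"
    export KRB5CCNAME
    # An enrolled host already has host/<fqdn>@<REALM> in /etc/krb5.keytab, which
    # kinit -k reads by default. ipa-getkeytab without -r would generate a new key
    # and invalidate that keytab, so it is deliberately not used here.
    kinit -k "$princ"
    build_update "$fqdn" "$addr" 1200 | nsupdate -g
    kdestroy
}

# Servers are only contacted when run as: sh this.sh apply
if [ "${1:-}" = "apply" ]; then
    apply_update host-01.test-krb1.novalocal TEST-KRB1.NOVALOCAL 172.28.19.97
fi
```

Run it with `apply` on the host itself after enrollment. If the host keytab really has to be fetched from the server, use `ipa-getkeytab -r` (retrieve mode) so the existing key is not rotated out from under sssd and the running services.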