Hi,
We have problems with clients registering DNS records at enrollment. Most of the time all
works ok, but about 10% of the machines don't create the A records or the SSHFP records.
Sometimes they create neither. In the ipaclient-install.log we see the following on
machines that don't create the records. In this example the creation of the A records
succeeded but the creation of the SSHFP records failed with the following error:
2019-12-20T13:19:51Z INFO Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
2019-12-20T13:19:51Z INFO Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
2019-12-20T13:19:51Z INFO Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
2019-12-20T13:19:51Z INFO [try 1]: Forwarding 'host_mod' to json server
'https://freeipa-002.ipa.cloud/ipa/session/json'
2019-12-20T13:19:51Z DEBUG HTTP connection keep-alive (freeipa-002.ipa.cloud)
2019-12-20T13:19:51Z DEBUG received Set-Cookie (<type
'list'>)'['ipa_session=MagBearerToken=tR1VkWrpjmoNh7aZDYiPzXSwFlkhsp1ENg%2b5y8orMo9P7EkiLQXey11TH9wIgc2xJjJ2xdly2hFyi6v58o2HhzEeQBi%2fcR%2flZ7nwFv8VX3WxCSwS%2beDVSu7%2f%2fjsSB%2b1NzyVHTNe5jkJK9pGXL1nR7QMtNrV2gFY7RyFrJns50dEC%2fi5C%2fEn0BgZAE4aLAiThG4SW3iGc0bfOGy%2bDpAGE17XzB8G978uKpqqHGC9aFDmMmXVFCfpwHoIWoBtJctgy7y6Q97rJnpkjbe2heYMwLQFbDkrTRlrjSDfla0XXCNvd7in6zEu0MZloOXqyXHiu;path=/ipa;httponly;secure;']'
2019-12-20T13:19:51Z DEBUG storing cookie
'ipa_session=MagBearerToken=tR1VkWrpjmoNh7aZDYiPzXSwFlkhsp1ENg%2b5y8orMo9P7EkiLQXey11TH9wIgc2xJjJ2xdly2hFyi6v58o2HhzEeQBi%2fcR%2flZ7nwFv8VX3WxCSwS%2beDVSu7%2f%2fjsSB%2b1NzyVHTNe5jkJK9pGXL1nR7QMtNrV2gFY7RyFrJns50dEC%2fi5C%2fEn0BgZAE4aLAiThG4SW3iGc0bfOGy%2bDpAGE17XzB8G978uKpqqHGC9aFDmMmXVFCfpwHoIWoBtJctgy7y6Q97rJnpkjbe2heYMwLQFbDkrTRlrjSDfla0XXCNvd7in6zEu0MZloOXqyXHiu;'
for principal host/adm-sdrn6419-2062.aal.ipa.cloud(a)RINIS.CLOUD
2019-12-20T13:19:51Z DEBUG Writing nsupdate commands to /etc/ipa/.dns_update.txt:
2019-12-20T13:19:51Z DEBUG debug
update delete adm-sdrn6419-2062.aal.ipa.cloud. IN SSHFP
show
send
update add adm-sdrn6419-2062.aal.ipa.cloud. 1200 IN SSHFP 1 1
6134C7CDE12FDDFA33A068A273941697928FBCD7
update add adm-sdrn6419-2062.aal.ipa.cloud. 1200 IN SSHFP 1 2
2F41772E6CAD9C328730BFCED0E27350A6C20DE8499E60158635ED8419BF2022
update add adm-sdrn6419-2062.aal.ipa.cloud. 1200 IN SSHFP 3 1
FFE99F20A5C32D857535D13425A7F85F3A63E198
update add adm-sdrn6419-2062.aal.ipa.cloud. 1200 IN SSHFP 3 2
D2C7FC741E834D4E1FE51B7867AFA2D34D0685C769D9019D98093E01C8312118
update add adm-sdrn6419-2062.aal.ipa.cloud. 1200 IN SSHFP 4 1
ED5416B39F419E4F631AB6C9A9CFC0139907232E
update add adm-sdrn6419-2062.aal.ipa.cloud. 1200 IN SSHFP 4 2
7794DBAA391B2939476EDD3A0173162F9CD3BBE1E16B52754BB8C6B56DA26435
show
send
2019-12-20T13:19:51Z DEBUG Starting external process
2019-12-20T13:19:51Z DEBUG args=/usr/bin/nsupdate -g /etc/ipa/.dns_update.txt
2019-12-20T13:19:51Z DEBUG Process finished, return code=1
2019-12-20T13:19:51Z DEBUG stdout=Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
adm-sdrn6419-2062.aal.ipa.cloud. 0 ANY SSHFP
Outgoing update query:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22636
;; flags:; QUESTION: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;3648384014.sig-freeipa-001.ipa.cloud. ANY TKEY
;; ADDITIONAL SECTION:
3648384014.sig-freeipa-001.ipa.cloud. 0 ANY TKEY gss-tsig. 1576847991 1576847991 3 NOERROR
2019-12-20T13:19:51Z DEBUG stderr=Reply from SOA query:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 13244
;; flags: qr aa rd ra; QUESTION: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;adm-sdrn6419-2062.aal.ipa.cloud. IN SOA
;; AUTHORITY SECTION:
aal.ipa.cloud. 0 IN SOA freeipa-001.ipa.cloud. hostmaster.aal.ipa.cloud. 1576848002 3600
60 1209600 60
Found zone name: aal.ipa.cloud
The master is: freeipa-001.ipa.cloud
start_gssrequest
Found realm from ticket: RINIS.CLOUD
send_gssrequest
recvmsg reply from GSS-TSIG query
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22636
;; flags: qr ra; QUESTION: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;3648384014.sig-freeipa-001.ipa.cloud. ANY TKEY
;; ANSWER SECTION:
3648384014.sig-freeipa-001.ipa.cloud. 0 ANY TKEY gss-tsig. 0 0 3 BADNAME 0 0
dns_tkey_gssnegotiate: TKEY is unacceptable
2019-12-20T13:19:51Z DEBUG nsupdate failed: Command '/usr/bin/nsupdate -g
/etc/ipa/.dns_update.txt' returned non-zero exit status 1
2019-12-20T13:19:51Z WARNING Could not update DNS SSHFP records.
When I run the nsupdate command manually after enrollment it succeeds and adds the
missing records.
Any ideas?
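As an added example (not part of the original message and not FreeIPA's own code): a small Python parser that pulls the zone, the master chosen from the SOA lookup, the Kerberos realm and the TKEY error code out of the nsupdate -g transcript that ipaclient-install.log records, and tallies the failing TKEY negotiations per master across many hosts' logs, so the roughly 10% of failing enrollments can be counted instead of read by hand. The sample log is constructed from the excerpt above (hostnames are the ones in the post).

```python
import re
from collections import Counter

# Constructed sample modelled on the post's ipaclient-install.log excerpt (hostnames from the post).
SAMPLE_LOG = """\
2019-12-20T13:19:51Z DEBUG stderr=Reply from SOA query:
Found zone name: aal.ipa.cloud
The master is: freeipa-001.ipa.cloud
Found realm from ticket: RINIS.CLOUD
;; ADDITIONAL SECTION:
3648384014.sig-freeipa-001.ipa.cloud. 0 ANY TKEY gss-tsig. 1576847991 1576847991 3 NOERROR 0
;; ANSWER SECTION:
3648384014.sig-freeipa-001.ipa.cloud. 0 ANY TKEY gss-tsig. 0 0 3 BADNAME 0 0
dns_tkey_gssnegotiate: TKEY is unacceptable
2019-12-20T13:19:51Z WARNING Could not update DNS SSHFP records.
"""

# TKEY RDATA in presentation form: algorithm inception expiration mode error ... (mode 3 = GSS-API)
TKEY_RE = re.compile(r"^\S+\s+\d+\s+ANY\s+TKEY\s+\S+\s+\d+\s+\d+\s+\d+\s+(\S+)")
FIELD_RE = {
    "zone": re.compile(r"^Found zone name: (\S+)"),      # zone chosen from the SOA lookup
    "master": re.compile(r"^The master is: (\S+)"),      # server the TKEY and update go to
    "realm": re.compile(r"^Found realm from ticket: (\S+)"),
}
WARN_RE = re.compile(r"WARNING Could not update DNS (\S+) records\.")

def parse_enrollment_log(text):
    """Extract zone, master, realm, the TKEY error in the GSS-TSIG reply and failed record types."""
    result = {"zone": None, "master": None, "realm": None, "tkey_error": None, "failed_records": []}
    section = None
    for line in text.splitlines():
        if line.startswith(";; ") and line.endswith("SECTION:"):
            section = line[3:].split()[0]           # QUESTION / ANSWER / ADDITIONAL
            continue
        for key, rx in FIELD_RE.items():
            m = rx.match(line)
            if m:
                result[key] = m.group(1)
        m = TKEY_RE.match(line)
        if m and section == "ANSWER":               # the server's reply, not our own query
            result["tkey_error"] = m.group(1)       # NOERROR, or BADNAME/BADKEY/BADALG ...
        m = WARN_RE.search(line)
        if m:
            result["failed_records"].append(m.group(1))
    return result

def tally(logs):
    """Count (master, TKEY error) over a fleet of enrollment logs to spot a misbehaving server."""
    return Counter((r["master"], r["tkey_error"]) for r in map(parse_enrollment_log, logs)
                   if r["tkey_error"] not in (None, "NOERROR"))
```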