#3658 ipa-client-install: cannot create SSHFP record
Closed: Invalid None Opened 10 years ago by yizhangid.

I expect a DNS SSHFP record to be created for the IPA client host, but it failed.

IPA master was installed with the following command:
hostname=f18b.yzhang.redhat.com   # as given in the full command later in this ticket
domain=yzhang.redhat.com
realm=YZHANG.REDHAT.COM
pw=Secret123
forwarder=192.168.122.1
ipa-server-install --hostname=$hostname --domain=$domain --realm=$realm --ds-password=$pw --master-password=$pw --admin-password=$pw --unattended --setup-dns --forwarder $forwarder

=== Server install succeeded, no issues found

IPA client was installed with this command:
ipa-client-install --domain=yzhang.redhat.com --server=f18a.yzhang.redhat.com --realm=YZHANG.REDHAT.COM --principal=admin --password=Secret123 --force-ntpd --enable-dns-updates -U

=== IPA client install also succeeded, except that no SSHFP record was created.


The key error message:

2013-05-24T21:59:36Z DEBUG stderr=tkey query failed: GSSAPI error: Major = Unspecified GSS failure. Minor code may provide more information, Minor = KDC has no support for encryption type.

What is in the KDC log?

Please try the following steps:
- kinit -kt (i.e. kinit as the host)
- create a file with the following content:

debug
zone yzhang.redhat.com.
update delete f18b.yzhang.redhat.com. IN A
send
update add f18b.yzhang.redhat.com. 1200 IN A 192.168.122.22
send

- run `nsupdate -g /tmp/your_file`
- attach output to this ticket
- attach `/etc/resolv.conf` to this ticket
[root@f18a (F-i386) ~] kinit -kt /etc/krb5.keytab 
[root@f18a (F-i386) ~] klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: host/f18a.yzhang.redhat.com@YZHANG.REDHAT.COM

Valid starting     Expires            Service principal
05/28/13 06:40:46  05/29/13 06:40:46  krbtgt/YZHANG.REDHAT.COM@YZHANG.REDHAT.COM
[root@f18a (F-i386) ~] vi nsdebug.txt
[root@f18a (F-i386) ~] cat nsdebug.txt 
debug
zone yzhang.redhat.com.
update delete f18b.yzhang.redhat.com. IN A
send
update add f18b.yzhang.redhat.com. 1200 IN A 192.168.122.22
send

[root@f18a (F-i386) ~] nsupdate -g ./nsdebug.txt 
Reply from SOA query:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:  30205
;; flags: qr aa rd ra; QUESTION: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;yzhang.redhat.com.     IN  SOA

;; ANSWER SECTION:
yzhang.redhat.com.  86400   IN  SOA env.yzhang.redhat.com. master.env.yzhang.redhat.com. 2013023000 21600 60 604800 86400

;; AUTHORITY SECTION:
yzhang.redhat.com.  86400   IN  NS  env.yzhang.redhat.com.

;; ADDITIONAL SECTION:
env.yzhang.redhat.com.  86400   IN  A   192.168.122.1

Found zone name: yzhang.redhat.com
The master is: env.yzhang.redhat.com
start_gssrequest
Found realm from ticket: YZHANG.REDHAT.COM
tkey query failed: GSSAPI error: Major = Unspecified GSS failure.  Minor code may provide more information, Minor = KDC has no support for encryption type.

[root@f18a (F-i386) ~] cat /etc/resolv.conf 
# Generated by ipa.prepare.system.sh
domain yzhang.redhat.com
search yzhang.redhat.com sjc.redhat.com redhat.com
nameserver 10.14.16.25

Note: the nameserver 10.14.16.25 in my /etc/resolv.conf is my VM host. It has two IP addresses: 10.14.16.25 and 192.168.122.1. The IP 192.168.122.1 resolves to env.yzhang.redhat.com.

See the line

The master is: env.yzhang.redhat.com

i.e. the DNS update request is sent to the machine

env.yzhang.redhat.com.  86400   IN  A   192.168.122.1

Is it correct? Is it your IPA server? The update will fail for sure if the machine env.yzhang.redhat.com. is not the IPA server.

The name of the master server is read from the SOA record of the enclosing zone:

Found zone name: yzhang.redhat.com

You need to fix your name resolution if it is wrong.

I have no idea why it thinks env.yzhang.redhat.com is the IPA master. It should NOT.

As I mentioned earlier, the IPA master should be f18b.yzhang.redhat.com. I installed the IPA master with the following command:

ipa-server-install --hostname=f18b.yzhang.redhat.com --domain=yzhang.redhat.com --realm=YZHANG.REDHAT.COM --ds-password=Secret123 --master-password=Secret123 --admin-password=Secret123 --unattended --setup-dns --forwarder 192.168.122.1

How come 192.168.122.1 (env.yzhang.redhat.com) became the IPA master?

Your /etc/resolv.conf points to the server

nameserver 10.14.16.25

and this server replied with the SOA record you can see above. This SOA record contains the name of the DNS master.

IMHO the problem is that your IPA server 'hijacked' the zone yzhang.redhat.com and now you have two DNS servers which don't agree on the content of the zone. (The two servers are the 'vm hoster' and the 'IPA server'.)

The correct solution is to create a sub-domain (e.g. 'ipa.yzhang.redhat.com') and delegate this domain from the 'vm hoster' to the 'IPA server' via an NS record.

As a workaround, you can place the IP address of your IPA server first in /etc/resolv.conf, but it is an ugly workaround and it can break after some time (NetworkManager will overwrite the file etc.).

My recommendation is to do proper zone delegation, otherwise you will be testing in an inconsistent environment.
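The diagnosis above boils down to one question: does the SOA MNAME returned by the resolver in /etc/resolv.conf name the IPA server, since that is the host nsupdate sends the GSS-TSIG update to? The following script is an added example, not code from this ticket or from FreeIPA: it parses the dig-style "Reply from SOA query" section that the `debug` keyword made nsupdate print earlier in the ticket (the sample text below is that reply, embedded as constructed input), extracts the zone, the SOA MNAME and any A glue for it, and compares the MNAME with the expected IPA server hostname taken from the ipa-server-install command.

```python
import re

# Constructed sample input: the SOA reply pasted earlier in this ticket.
SAMPLE_REPLY = """\
Reply from SOA query:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:  30205
;; flags: qr aa rd ra; QUESTION: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;yzhang.redhat.com.     IN  SOA

;; ANSWER SECTION:
yzhang.redhat.com.  86400   IN  SOA env.yzhang.redhat.com. master.env.yzhang.redhat.com. 2013023000 21600 60 604800 86400

;; AUTHORITY SECTION:
yzhang.redhat.com.  86400   IN  NS  env.yzhang.redhat.com.

;; ADDITIONAL SECTION:
env.yzhang.redhat.com.  86400   IN  A   192.168.122.1
"""


def _fqdn(name):
    """Normalise a DNS name for comparison: lower-case with one trailing dot."""
    return name.strip().lower().rstrip(".") + "."


def parse_soa_reply(text):
    """Extract zone, SOA MNAME, NS names and A glue from dig-style output."""
    info = {"zone": None, "mname": None, "ns": [], "a": {}}
    section = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith(";;"):
            # Section markers look like ';; ANSWER SECTION:'.
            m = re.match(r";; (\w+) SECTION:", line)
            if m:
                section = m.group(1)
            continue
        if line.startswith(";") or section not in ("ANSWER", "AUTHORITY", "ADDITIONAL"):
            continue
        fields = line.split()
        if len(fields) < 5 or fields[2] != "IN":
            continue
        owner, rtype, rdata = _fqdn(fields[0]), fields[3], fields[4:]
        if rtype == "SOA":
            info["zone"] = owner
            info["mname"] = _fqdn(rdata[0])   # first SOA field is the primary master
        elif rtype == "NS":
            info["ns"].append(_fqdn(rdata[0]))
        elif rtype == "A":
            info["a"][owner] = rdata[0]
    return info


def check_update_target(text, expected_master):
    """Return (ok, explanation): does the SOA MNAME name the server we expect?"""
    info = parse_soa_reply(text)
    expected = _fqdn(expected_master)
    if info["mname"] is None:
        return False, "no SOA record in reply"
    if info["mname"] == expected:
        return True, "dynamic updates will be sent to %s" % expected
    addr = info["a"].get(info["mname"], "unresolved")
    return False, ("SOA for %s names %s (%s) as master, not %s: the resolver in "
                   "/etc/resolv.conf is serving a different copy of the zone"
                   % (info["zone"], info["mname"], addr, expected))


if __name__ == "__main__":
    ok, msg = check_update_target(SAMPLE_REPLY, "f18b.yzhang.redhat.com")
    print("OK" if ok else "MISMATCH", "-", msg)
```

To use it on a live client, run nsupdate with the `debug` keyword in the update file as described above, paste the reply into `SAMPLE_REPLY` (or read it from a file), and pass the IPA server's hostname as `expected_master`. A mismatch confirms the two-DNS-servers situation described in this ticket before any Kerberos or TKEY error is investigated, because the GSSAPI failure is only a symptom of talking to the wrong server.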

You are right. Once I got rid of the other DNS server in the client's /etc/resolv.conf, the SSHFP record was successfully created on the IPA master server.

The SSHFP record can be verified by:

nslookup -q=SSHFP <hostname>

Thanks for the troubleshooting. I will close this ticket as this is an issue with my environment.
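Looking up the record only shows that something was published; to confirm that it was derived from the client's actual host key, the fingerprint has to be recomputed from the public key. The script below is an added example, not code from this ticket or from FreeIPA: it computes an SSHFP fingerprint (algorithm number, fingerprint type and hex digest as defined in RFC 4255 and RFC 6594) from an OpenSSH public key line, parses an SSHFP resource record in the textual form a DNS tool prints, and checks whether the two agree. The key material and the record text are constructed for the test; on a real client the public key comes from a file such as /etc/ssh/ssh_host_ed25519_key.pub and the record from the nslookup query above.

```python
import base64
import hashlib
import struct

# SSHFP algorithm numbers (RFC 4255, RFC 6594) and fingerprint types.
SSHFP_ALGORITHM = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}
SSHFP_FPTYPE = {1: "sha1", 2: "sha256"}


def sshfp_from_pubkey(pubkey_line, fptype=2):
    """Return (algorithm, fptype, hex fingerprint) for an OpenSSH public key line.

    The fingerprint is the digest of the raw wire-format key blob, which is
    exactly the base64 part of the key line.
    """
    keytype, b64 = pubkey_line.split()[:2]
    blob = base64.b64decode(b64)
    # The blob starts with a length-prefixed copy of the key type; check it
    # matches the textual type so a mislabelled key is not fingerprinted.
    (tlen,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + tlen].decode() != keytype:
        raise ValueError("key type does not match encoded blob")
    digest = hashlib.new(SSHFP_FPTYPE[fptype], blob).hexdigest()
    return SSHFP_ALGORITHM[keytype], fptype, digest


def parse_sshfp_rr(rr_text):
    """Parse 'owner [ttl] [IN] SSHFP alg fptype hex...' into (alg, fptype, hex).

    The hex digest may be split over several whitespace-separated words, as
    some tools print it.
    """
    fields = rr_text.split()
    i = fields.index("SSHFP")
    return int(fields[i + 1]), int(fields[i + 2]), "".join(fields[i + 3:]).lower()


def sshfp_matches(pubkey_line, rr_text):
    """True if the published SSHFP record was computed from this public key."""
    alg, fptype, hexfp = parse_sshfp_rr(rr_text)
    if fptype not in SSHFP_FPTYPE:
        return False   # unknown fingerprint type: cannot be verified
    return sshfp_from_pubkey(pubkey_line, fptype) == (alg, fptype, hexfp)


def constructed_ed25519_key():
    """Constructed test key: a well-formed ssh-ed25519 blob with a dummy 32-byte point."""
    blob = (struct.pack(">I", 11) + b"ssh-ed25519"
            + struct.pack(">I", 32) + bytes(range(32)))
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " host@example"


if __name__ == "__main__":
    key = constructed_ed25519_key()
    alg, fptype, fp = sshfp_from_pubkey(key)
    rr = "f18b.yzhang.redhat.com. 1200 IN SSHFP %d %d %s" % (alg, fptype, fp)
    print(rr)
    print("matches:", sshfp_matches(key, rr))
```

Run it against each /etc/ssh/ssh_host_*_key.pub on the client and each SSHFP record returned for the hostname; a record whose fingerprint does not match any current host key is stale (for example after a key rotation) and will cause SSH clients that honour SSHFP via DNS to reject the host.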

Metadata Update from @yizhangid:
- Issue assigned to someone
- Issue set to the milestone: 0.0 NEEDS_TRIAGE

7 years ago
