I expect a DNS SSHFP record to be created for the IPA client host, but it fails
IPA master installed with the following command:

    domain=yzhang.redhat.com
    realm=YZHANG.REDHAT.COM
    password=Secret123
    forwarder=192.168.122.1
    ipa-server-install --hostname=$hostname --domain=$domain --realm=$realm --ds-password=$pw --master-password=$pw --admin-password=$pw --unattended --setup-dns --forwarder $forwarder
=== Server install succeeded, no issues found

IPA client installed with this command:

    ipa-client-install --domain=yzhang.redhat.com --server=f18a.yzhang.redhat.com --realm=YZHANG.REDHAT.COM --principal=admin --password=Secret123 --force-ntpd --enable-dns-updates -U

=== IPA client install also succeeded, except that no SSHFP record was created.

IPA client install log: ipaclient-install.log
The key error message:
2013-05-24T21:59:36Z DEBUG stderr=tkey query failed: GSSAPI error: Major = Unspecified GSS failure. Minor code may provide more information, Minor = KDC has no support for encryption type.
What is the KDC logging?
Please try the following steps:
- `kinit -kt` (i.e. kinit as the host)
- create a file with the following content:

    debug
    zone yzhang.redhat.com.
    update delete f18b.yzhang.redhat.com. IN A
    send
    update add f18b.yzhang.redhat.com. 1200 IN A 192.168.122.22
    send

- run `nsupdate -g /tmp/your_file`
- attach the output to this ticket
- attach `/etc/resolv.conf` to this ticket
    [root@f18a (F-i386) ~] kinit -kt /etc/krb5.keytab
    [root@f18a (F-i386) ~] klist
    Ticket cache: FILE:/tmp/krb5cc_0
    Default principal: host/f18a.yzhang.redhat.com@YZHANG.REDHAT.COM

    Valid starting     Expires            Service principal
    05/28/13 06:40:46  05/29/13 06:40:46  krbtgt/YZHANG.REDHAT.COM@YZHANG.REDHAT.COM
    [root@f18a (F-i386) ~] vi nsdebug.txt
    [root@f18a (F-i386) ~] cat nsdebug.txt
    debug
    zone yzhang.redhat.com.
    update delete f18b.yzhang.redhat.com. IN A
    send
    update add f18b.yzhang.redhat.com. 1200 IN A 192.168.122.22
    send
    [root@f18a (F-i386) ~] nsupdate -g ./nsdebug.txt
    Reply from SOA query:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30205
    ;; flags: qr aa rd ra; QUESTION: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
    ;; QUESTION SECTION:
    ;yzhang.redhat.com.             IN      SOA

    ;; ANSWER SECTION:
    yzhang.redhat.com.      86400   IN      SOA     env.yzhang.redhat.com. master.env.yzhang.redhat.com. 2013023000 21600 60 604800 86400

    ;; AUTHORITY SECTION:
    yzhang.redhat.com.      86400   IN      NS      env.yzhang.redhat.com.

    ;; ADDITIONAL SECTION:
    env.yzhang.redhat.com.  86400   IN      A       192.168.122.1

    Found zone name: yzhang.redhat.com
    The master is: env.yzhang.redhat.com
    start_gssrequest
    Found realm from ticket: YZHANG.REDHAT.COM
    tkey query failed: GSSAPI error: Major = Unspecified GSS failure.  Minor code may provide more information, Minor = KDC has no support for encryption type.
    [root@f18a (F-i386) ~] cat /etc/resolv.conf
    # Generated by ipa.prepare.system.sh
    domain yzhang.redhat.com
    search yzhang.redhat.com sjc.redhat.com redhat.com
    nameserver 10.14.16.25

Note: the nameserver 10.14.16.25 in my /etc/resolv.conf is my VM host. It has two IP addresses: 10.14.16.25 and 192.168.122.1. The IP 192.168.122.1 resolves to env.yzhang.redhat.com.
See the line

    The master is: env.yzhang.redhat.com

i.e. the DNS update request is sent to the machine

    env.yzhang.redhat.com. 86400 IN A 192.168.122.1

Is it correct? Is it your IPA server? The update will fail for sure if the machine `env.yzhang.redhat.com.` is not the IPA server.

The name of the master server is read from the SOA record in the enclosing zone:

    Found zone name: yzhang.redhat.com

You need to fix your name resolution if it is wrong.
I have no idea why it thinks env.yzhang.redhat.com is the IPA master. It should NOT.

As I mentioned earlier, the IPA master should be f18b.yzhang.redhat.com. I installed the IPA master with the following command:

    ipa-server-install --hostname=f18b.yzhang.redhat.com --domain=yzhang.redhat.com --realm=YZHANG.REDHAT.COM --ds-password=Secret123 --master-password=Secret123 --admin-password=Secret123 --unattended --setup-dns --forwarder 192.168.122.1

How come 192.168.122.1 (env.yzhang.redhat.com) became the IPA master?
Your `/etc/resolv.conf` points to the server

    nameserver 10.14.16.25

and this server replied with the SOA record you can see above. This SOA record contains the name of the DNS master.
IMHO the problem is that your IPA server 'hijacked' the zone `yzhang.redhat.com` and now you have two DNS servers which don't agree on the content of the zone. (The two servers are the 'vm hoster' and the 'IPA server'.)

The correct solution is to create a sub-domain (e.g. 'ipa.yzhang.redhat.com') and delegate this domain from the 'vm hoster' to the 'IPA server' via an NS record.

As a workaround, you can put the IP address of your IPA server first in /etc/resolv.conf, but it is an ugly workaround and it can break after some time (NetworkManager will overwrite the file, etc.).

My recommendation is to do proper zone delegation, otherwise you will be testing in an inconsistent environment.
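The diagnosis above (nsupdate sends the update to whatever host the resolver's SOA MNAME names, so a second server answering for the zone hijacks the update) can be turned into a repeatable check. The script below is an added example; it is not code from this ticket, from FreeIPA or from bind-dyndb-ldap. It builds the same nsupdate input the maintainer asked for, parses `nsupdate -g` debug output for the SOA answer, the chosen master and any failure line, reads the nameserver order from a resolv.conf, and reports where the update actually went versus where it should have gone. The embedded sample is abridged from the output posted earlier in this ticket; the expected master `f18b.yzhang.redhat.com` at `192.168.122.22` is an assumption taken from the reporter's statements and from the A record the update adds.

```python
"""Where does a GSS-TSIG dynamic DNS update actually go?

Added example; not code from this ticket, FreeIPA or bind-dyndb-ldap.
nsupdate takes the update target from the MNAME of the SOA record that the
resolver in /etc/resolv.conf returns for the enclosing zone, so a resolver
serving its own copy of the zone silently redirects the update (and the
SSHFP record) away from the IPA server.
"""
import re
from dataclasses import dataclass
from typing import List, Optional


def fqdn(name: str) -> str:
    """Canonical form for comparing DNS names: lower-case, one trailing dot."""
    return name.strip().rstrip(".").lower() + "."


def build_nsupdate_script(zone: str, host: str, ip: str, ttl: int = 1200) -> str:
    """nsupdate input equivalent to the debug file requested in the thread."""
    lines = ["debug", f"zone {fqdn(zone)}", f"update delete {fqdn(host)} IN A", "send",
             f"update add {fqdn(host)} {ttl} IN A {ip}", "send"]
    return "\n".join(lines) + "\n"


@dataclass
class UpdateTrace:
    zone: Optional[str]       # "Found zone name:" line
    soa_mname: Optional[str]  # MNAME field of the SOA answer
    master: Optional[str]     # "The master is:" line, i.e. where the update is sent
    error: Optional[str]      # first failure line, if any


SOA_RE = re.compile(r"^\S+\s+\d+\s+IN\s+SOA\s+(\S+)", re.M)
ZONE_RE = re.compile(r"^Found zone name:\s*(\S+)", re.M)
MASTER_RE = re.compile(r"^The master is:\s*(\S+)", re.M)
ERROR_RE = re.compile(r"^((?:tkey query|update) failed:.*)$", re.M)


def parse_nsupdate_debug(output: str) -> UpdateTrace:
    """Pull zone, SOA MNAME, chosen master and error out of `nsupdate -g` debug output."""
    def first(rx: re.Pattern) -> Optional[str]:
        m = rx.search(output)
        return m.group(1) if m else None
    return UpdateTrace(first(ZONE_RE), first(SOA_RE), first(MASTER_RE), first(ERROR_RE))


def nameservers(resolv_conf: str) -> List[str]:
    """Nameserver IPs from resolv.conf text, in lookup order, comments ignored."""
    found = []
    for line in resolv_conf.splitlines():
        parts = line.split("#", 1)[0].split(";", 1)[0].split()
        if len(parts) == 2 and parts[0] == "nameserver":
            found.append(parts[1])
    return found


def diagnose(debug_output: str, resolv_conf: str, ipa_master: str, ipa_ip: str) -> List[str]:
    """Findings explaining a misrouted update; an empty list means the path looks right."""
    trace = parse_nsupdate_debug(debug_output)
    findings = []
    if trace.master and fqdn(trace.master) != fqdn(ipa_master):
        findings.append(f"update goes to {trace.master}, not IPA master {ipa_master}: "
                        f"zone {trace.zone} is answered by another server (SOA MNAME {trace.soa_mname})")
    ns = nameservers(resolv_conf)
    if not ns or ns[0] != ipa_ip:
        findings.append(f"first nameserver is {ns[0] if ns else 'missing'}, expected IPA server {ipa_ip}")
    if trace.error:
        findings.append(f"nsupdate reported: {trace.error}")
    return findings


# Abridged from the `nsupdate -g` output and resolv.conf posted in this ticket.
SAMPLE_DEBUG = """\
;; ANSWER SECTION:
yzhang.redhat.com.      86400   IN      SOA     env.yzhang.redhat.com. master.env.yzhang.redhat.com. 2013023000 21600 60 604800 86400

;; AUTHORITY SECTION:
yzhang.redhat.com.      86400   IN      NS      env.yzhang.redhat.com.

Found zone name: yzhang.redhat.com
The master is: env.yzhang.redhat.com
start_gssrequest
Found realm from ticket: YZHANG.REDHAT.COM
tkey query failed: GSSAPI error: Major = Unspecified GSS failure.  Minor code may provide more information, Minor = KDC has no support for encryption type.
"""
SAMPLE_RESOLV = "# Generated by ipa.prepare.system.sh\ndomain yzhang.redhat.com\nnameserver 10.14.16.25\n"

if __name__ == "__main__":
    # Assumption: the IPA master is f18b (as the reporter states) at 192.168.122.22,
    # the address the update in the ticket assigns to it.
    for finding in diagnose(SAMPLE_DEBUG, SAMPLE_RESOLV, "f18b.yzhang.redhat.com", "192.168.122.22"):
        print("-", finding)
```

On a real client, feed `diagnose()` the output of `nsupdate -g` run as the host principal and the contents of `/etc/resolv.conf`; the first finding is the one that matters, since a wrong master means the GSS-TSIG TKEY exchange is being attempted against a server that is not the IPA DNS at all, and no amount of Kerberos debugging on the client will fix that.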
You are right. Once I got rid of the other DNS server in the client's /etc/resolv.conf, the SSHFP record was successfully created on the IPA master server.

The SSHFP record can be verified with:

    nslookup -q=SSHFP <hostname>

Thanks for the troubleshooting. I will close this ticket as this is an issue with my environment.
Metadata Update from @yizhangid:
- Issue assigned to someone
- Issue set to the milestone: 0.0 NEEDS_TRIAGE