[Freeipa-users] dns_tkey_negotiategss: failure GSSAPI error [...] Message stream modified.
Tyrell Jentink
2016-10-27 02:43:54 UTC
Hello all,

I'm still having problems with my IPA Client install... My errors aren't
bringing up any meaningful results on Google, so I really appreciate any
hints anyone might have!

To narrow the scope of the problem, I simply rebuilt both the server and
the client from scratch... This time without Active Directory Realm trusts,
so things are nice and clean. To wit, I have been using
http://www.freeipa.org/page/Active_Directory_trust_setup and
https://blog.christophersmart.com/articles/freeipa-how-to-fedora/ as
references, and I have run the following:

ON THE SERVER:

- dnf -y update && dnf install -y "*ipa-server" "*ipa-server-trust-ad" "*ipa-server-dns" bind bind-dyndb-ldap
- echo "ipa_ip_address ipa_hostname.ipa_domain ipa_hostname" >> /etc/hosts
  (I also added the AD server to my hosts file, although that shouldn't be messing with anything...)
- hostname ipa_hostname.ipa_domain
- hostnamectl set-hostname ipa_hostname.ipa_domain
- reboot (And took a snapshot of the VM)
- for x in freeipa-ldap freeipa-ldaps dns ntp; do firewall-cmd --permanent --zone=FedoraServer --add-service=${x} ; done
- systemctl reload firewalld.service
- ipa-server-install --setup-dns --no-forwarders
  (I had no errors there... But I can share my logs if anyone wants to see them)
- And I rebooted again, took another snapshot, and verified the following:
  - kinit admin
    id admin
    getent passwd admin
    All return appropriate values on the server...
  - nslookup ipa_hostname.ipa_domain works on both the server and on the client...

So, ON TO THE CLIENT:

- echo "ipa_ip_address ipa_hostname.ipa_domain ipa_hostname" >> /etc/hosts
- echo "nameserver ipa_ip_address" >> /etc/resolv.conf
- (Of course, I verified that the client can ping the server, and nslookup against the server)
- ipa-client-install --enable-dns-updates --ssh-trust-dns --force-ntpd
And this is where I ran into problems... My output:

Discovery was successful!
Client hostname: trainmaster.ipa.rxrhouse.net
Realm: IPA.RXRHOUSE.NET
DNS Domain: ipa.rxrhouse.net
IPA Server: ipa-pdc.ipa.rxrhouse.net
BaseDN: dc=ipa,dc=rxrhouse,dc=net
Continue to configure the system with these values? [no]: yes
Synchronizing time with KDC...
Attempting to sync time using ntpd. Will timeout after 15 seconds
Attempting to sync time using ntpd. Will timeout after 15 seconds
Unable to sync time with NTP server, assuming the time is in sync. Please check
that 123 UDP port is opened.
User authorized to enroll computers: admin
Successfully retrieved CA cert
Subject: CN=Certificate Authority,O=IPA.RXRHOUSE.NET
Issuer: CN=Certificate Authority,O=IPA.RXRHOUSE.NET
Valid From: Thu Sep 08 17:27:47 2016 UTC
Valid Until: Mon Sep 08 17:27:47 2036 UTC
Enrolled in IPA realm IPA.RXRHOUSE.NET
Created /etc/ipa/default.conf
New SSSD config will be created
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm IPA.RXRHOUSE.NET
trying https://ipa-pdc.ipa.rxrhouse.net/ipa/json
Forwarding 'ping' to json server 'https://ipa-pdc.ipa.rxrhouse.net/ipa/json'
Forwarding 'ca_is_enabled' to json server 'https://ipa-pdc.ipa.rxrhouse.net/ipa/json'
Systemwide CA database updated.
Failed to update DNS records.
Missing reverse record(s) for address(es): 10.42.0.100.
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Forwarding 'host_mod' to json server 'https://ipa-pdc.ipa.rxrhouse.net/ipa/json'
Could not update DNS SSHFP records.
SSSD enabled
Configured /etc/openldap/ldap.conf
NTP enabled
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Configuring ipa.rxrhouse.net as NIS domain.
Client configuration complete.
- Of interest, I DID solve my NTP issues from before! On the downside,
that wasn't the source of my DNS issues...
In /var/log/ipaclient-install, I still have the following clipping of
errors, which I'm merely assuming are the relevant piece:

2016-10-26T23:30:40Z DEBUG Starting external process
2016-10-26T23:30:40Z DEBUG args=/sbin/ip -oneline address show dev enp1s6
2016-10-26T23:30:40Z DEBUG Process finished, return code=0
2016-10-26T23:30:40Z DEBUG stdout=2: enp1s6 inet 10.42.0.100/8 brd
10.255.255.255 scope global dynamic enp1s6\ valid_lft 588384sec
preferred_lft 588384sec
2: enp1s6 inet6 fe80::e779:3263:960d:ff87/64 scope link \
valid_lft forever preferred_lft forever
2016-10-26T23:30:40Z DEBUG stderr=
2016-10-26T23:30:40Z DEBUG Writing nsupdate commands to
2016-10-26T23:30:40Z DEBUG debug
update delete trainmaster.ipa.rxrhouse.net. IN A
show
send
update delete trainmaster.ipa.rxrhouse.net. IN AAAA
show
send
update add trainmaster.ipa.rxrhouse.net. 1200 IN A 10.42.0.100
show
send
2016-10-26T23:30:40Z DEBUG Starting external process
2016-10-26T23:30:40Z DEBUG args=/usr/bin/nsupdate -g
/etc/ipa/.dns_update.txt
2016-10-26T23:30:40Z DEBUG Process finished, return code=1
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
trainmaster.ipa.rxrhouse.net. 0 ANY A
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39562
;; flags:; QUESTION: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;3107127915.sig-ipa-pdc.ipa.rxrhouse.net. ANY TKEY
3107127915.sig-ipa-pdc.ipa.rxrhouse.net. 0 ANY TKEY gss-tsig. 1477524640
1477524640 3 NOERROR 683
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38738
;; flags: qr aa rd ra; QUESTION: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;trainmaster.ipa.rxrhouse.net. IN SOA
ipa.rxrhouse.net. 0 IN SOA ipa-pdc.ipa.rxrhouse.net.
hostmaster.ipa.rxrhouse.net. 1477524446 3600 900 1209600 3600
Found zone name: ipa.rxrhouse.net
The master is: ipa-pdc.ipa.rxrhouse.net
start_gssrequest
Found realm from ticket: IPA.RXRHOUSE.NET
send_gssrequest
recvmsg reply from GSS-TSIG query
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39562
;; flags: qr; QUESTION: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;3107127915.sig-ipa-pdc.ipa.rxrhouse.net. ANY TKEY
3107127915.sig-ipa-pdc.ipa.rxrhouse.net. 0 ANY TKEY gss-tsig. 1466301805
1466388205 3 NOERROR 101
YGMGCSqGSIb3EgECAgMAflQwUqADAgEFoQMCAR6kERgPMjAxNjA2MTkw
MjAzMjVapQUCAwHGkaYDAgEpqREbD0FELlJYUkhPVVNFLk5FVKoUMBKg
AwIBAaELMAkbB2FkLXBkYyQ=
0
dns_tkey_negotiategss: failure GSSAPI error: Major = Unspecified GSS
failure. Minor code may provide more information, Minor = Message stream
modified.
2016-10-26T23:30:40Z DEBUG nsupdate failed: Command '/usr/bin/nsupdate -g
/etc/ipa/.dns_update.txt' returned non-zero exit status 1
2016-10-26T23:30:40Z ERROR Failed to update DNS records.
trainmaster.ipa.rxrhouse.net IN A
2016-10-26T23:30:40Z DEBUG DNS resolver: No record.
trainmaster.ipa.rxrhouse.net IN AAAA
2016-10-26T23:30:40Z DEBUG DNS resolver: No record.
2016-10-26T23:30:40Z DEBUG DNS resolver: Query: 100.0.42.10.in-addr.arpa.
IN PTR
2016-10-26T23:30:40Z DEBUG DNS resolver: No record.
2016-10-26T23:30:40Z WARNING Missing A/AAAA record(s) for host trainmaster.ipa.rxrhouse.net: 10.42.0.100.
2016-10-26T23:30:40Z WARNING Missing reverse record(s) for 10.42.0.100.
-- Full logs can be found here: http://pastebin.com/90dG9Ffu

- For grins, I decided to test:
kinit admin
id admin
getent passwd admin
on the client, and all of those all made valid responses... So
authentication is working, I just can't update DNS records.


So that's what I've tried, and where I'm at... My client machines running
modern client software can NOT update DNS records, complaining about GSSAPI
"Message Stream Modified" errors... And I have no idea how to troubleshoot
that... Any ideas?
Thank you, Rob.
For reference, my full log can be found here: http://pastebin.com/6VLaQjYw
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
trainmaster.ipa.rxrhouse.net. 0 ANY A
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23971
;; flags:; QUESTION: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;350449427.sig-ipa-pdc.ipa.rxrhouse.net. ANY TKEY
350449427.sig-ipa-pdc.ipa.rxrhouse.net. 0 ANY TKEY gss-tsig. 1476223815
1476223815 3 NOERROR 683
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18681
;; flags: qr rd ra; QUESTION: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;trainmaster.ipa.rxrhouse.net. IN SOA
ipa.rxrhouse.net. 60 IN SOA ipa-pdc.ipa.rxrhouse.net. hostmaster.ipa.rxrhouse.net. 1476221978 3600 900 1209600 3600
ipa-pdc.ipa.rxrhouse.net. 353 IN A 10.42.0.11
Found zone name: ipa.rxrhouse.net
The master is: ipa-pdc.ipa.rxrhouse.net
start_gssrequest
Found realm from ticket: IPA.RXRHOUSE.NET
send_gssrequest
recvmsg reply from GSS-TSIG query
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23971
;; flags: qr; QUESTION: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;350449427.sig-ipa-pdc.ipa.rxrhouse.net. ANY TKEY
350449427.sig-ipa-pdc.ipa.rxrhouse.net. 0 ANY TKEY gss-tsig. 1466641678
1466728078 3 NOERROR 101 YGMGCSqGSIb3EgECAgMAflQwUqADAgEFoQMCAR6kERgPMjAxNjA2MjMw
MDI3NThapQUCAwVDn6YDAgEpqREbD0FELlJYUkhPVVNFLk5FVKoUMBKg
AwIBAaELMAkbB2FkLXBkYyQ= 0
dns_tkey_negotiategss: failure GSSAPI error: Major = Unspecified GSS
failure. Minor code may provide more information, Minor = Message stream
modified.
2016-10-11T22:10:15Z DEBUG nsupdate failed: Command '/usr/bin/nsupdate
-g /etc/ipa/.dns_update.txt' returned non-zero exit status 1
2016-10-11T22:10:15Z ERROR Failed to update DNS records.
This isn't the first time I've seen this "Unspecified GSS failure [...]
Message stream modified" error, and I suspect it to be the root of my
problem... But my google-foo is not strong with this one... I'm not sure
how to proceed.
First off... new to the list, thank you in advance for your assistance!
My server is Fedora 24 Server, running in a VirtualBox virtual machine.
I have FreeIPA Server 4.3.2-2.fc24, installed from the standard
repositories, and dnf says it's up to date. FreeIPA has a trust set up
with a Windows Server 2012r2 ActiveDirectory server, and it APPEARS to
be working...
The first client I connected was a Raspberry Pi running Pidora. This
client appears to have connected fine, and appears to be working (I
guess I haven't tried logging in as an ActiveDirectory user; But it's
certainly NOT having any DNS issues, as other clients are; See below...)
Then I tried connecting a second client, a system running Fedora 24 with
FreeIPA Client 4.3.2-2.fc24, and the install went ALMOST according to
Discovery was successful!
Client hostname: trainmaster.ipa.rxrhouse.net
Realm: IPA.RXRHOUSE.NET
DNS Domain: ipa.rxrhouse.net
IPA Server: ipa-pdc.ipa.rxrhouse.net
BaseDN: dc=ipa,dc=rxrhouse,dc=net
Continue to configure the system with these values? [no]: yes
Synchronizing time with KDC...
Attempting to sync time using ntpd. Will timeout after 15 seconds
Attempting to sync time using ntpd. Will timeout after 15 seconds
Unable to sync time with NTP server, assuming the time is in sync. Please check
that 123 UDP port is opened.
User authorized to enroll computers: admin
Successfully retrieved CA cert
Subject: CN=Certificate Authority,O=IPA.RXRHOUSE.NET
Issuer: CN=Certificate Authority,O=IPA.RXRHOUSE.NET
Valid From: Thu Sep 08 17:27:47 2016 UTC
Valid Until: Mon Sep 08 17:27:47 2036 UTC
Enrolled in IPA realm IPA.RXRHOUSE.NET
Created /etc/ipa/default.conf
New SSSD config will be created
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm IPA.RXRHOUSE.NET
trying https://ipa-pdc.ipa.rxrhouse.net/ipa/json
Forwarding 'ping' to json server 'https://ipa-pdc.ipa.rxrhouse.net/ipa/json'
Forwarding 'ca_is_enabled' to json server 'https://ipa-pdc.ipa.rxrhouse.net/ipa/json'
Systemwide CA database updated.
Failed to update DNS records.
Missing reverse record(s) for address(es): 10.42.0.100.
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Forwarding 'host_mod' to json server 'https://ipa-pdc.ipa.rxrhouse.net/ipa/json'
Could not update DNS SSHFP records.
SSSD enabled
Configured /etc/openldap/ldap.conf
NTP enabled
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Configuring ipa.rxrhouse.net as NIS domain.
Client configuration complete.
Of concern, the installer failed to update DNS records, resulting in a
missing reverse record, and eventually failing to update the DNS SSHFP
records. Looking in the Web UI for FreeIPA server, I see that the
client is registered, but it doesn't have any SSH keys, and as
expected, doesn't have a reverse zone... But the Raspberry Pi DOES.
Just to be fully sure something was wrong... I tried connecting with a
clean install of Fedora 24 running in a virtual machine, and had the
same issue. I've googled around, and can't find anyone having any
similar issues... And I didn't accidentally stumble across anything
interesting while exploring logs... But I honestly don't know where to
look.
TO BE CLEAR, things appear to work just fine from freeipa-client version
3.3.3-4.fc20 on pidora on a Raspberry Pi, but it's NOT working with the
latest versions from Fedora 24 on x86_64 hardware...
Where should I look first? Thank you for any assistance...
Look in /var/log/ipaclient-install.log for debug logging of the install.
rob
Petr Spacek
2016-10-27 06:36:56 UTC
Interesting, I haven't seen this one :-)

There is something fishy in GSSAPI negotiation between the client and DNS server.

I would try this (and watch out for suspicious messages along the way):

1) To be sure, please double-check that ipa-pdc.ipa.rxrhouse.net. resolves
(from the client) to correct IP address of IPA DNS server.

2) Verify that Kerberos ticket for the DNS server can be obtained:
$ kinit -k
$ kvno DNS/ipa-pdc.ipa.rxrhouse.net
$ klist # it should list Kerberos ticket for ipa-pdc.ipa.rxrhouse.net

3) Create a plain text file with update message content:
cat > /tmp/dnsupdate <<EOF
debug
update delete trainmaster.ipa.rxrhouse.net. IN A
send
EOF

4) call nsupdate on it
$ KRB5_TRACE=/dev/stdout nsupdate -g /tmp/dnsupdate

Does it produce the same error? (It should, but with more debuginfo.)


What version of server and client packages are you using?
--
Petr^2 Spacek
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
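The four checks above, scripted, together with a check of the resolver order in /etc/resolv.conf (an added example, not Petr's or FreeIPA's own code). It assumes the IPA DNS server's address is passed as an argument and that the client uses the ipa-client default host keytab for kinit -k; the sample resolv.conf contents and the 10.42.0.2 address for the AD server are constructed.

```shell
#!/bin/sh
# Added example (not FreeIPA code): scripts the checks from the reply above and
# adds a resolv.conf ordering check. In this thread the failure came and went
# depending on whether the forwarding AD server or the IPA server was listed
# first; Petr's later point is that the real fault is the forwarder losing track
# of the IPA server, so the ordering check only flags the symptom.
# Assumptions not in the thread: IPA DNS server IP passed as an argument,
# host keytab at the ipa-client default /etc/krb5.keytab.

# Print the nameserver addresses found in resolv.conf-style text, in order.
resolv_nameservers() {
    printf '%s\n' "$1" | awk '$1 == "nameserver" { print $2 }'
}

# Exit 0 only if the first nameserver ($2) is the IPA DNS server.
ipa_is_first_resolver() {
    first=$(resolv_nameservers "$1" | head -n 1)
    [ "$first" = "$2" ]
}

# Emit an nsupdate script with the same delete/add sequence ipa-client-install
# wrote to /etc/ipa/.dns_update.txt in the log above, for one A record.
nsupdate_script() {
    # $1: client FQDN, $2: client IPv4 address, $3: TTL in seconds
    cat <<EOF
debug
update delete $1. IN A
send
update add $1. $3 IN A $2
send
EOF
}

# Steps 1-4 from the reply, run against the live system.
# $1: IPA DNS server FQDN, $2: IPA DNS server IP, $3: client FQDN, $4: client IP
run_checks() {
    resolv_text=$(cat /etc/resolv.conf)
    if ipa_is_first_resolver "$resolv_text" "$2"; then
        echo "ok: $2 is the first resolver"
    else
        echo "warn: first resolver is $(resolv_nameservers "$resolv_text" | head -n 1), not $2"
    fi
    # Step 1: the server name must resolve, through this client's resolver, to its IP.
    if getent ahostsv4 "$1" | awk '{ print $1 }' | grep -qx "$2"; then
        echo "ok: $1 resolves to $2"
    else
        echo "warn: $1 does not resolve to $2 from this client"
    fi
    # Step 2: a service ticket for the DNS server, from the host keytab.
    kinit -k
    kvno "DNS/$1"
    klist
    # Steps 3 and 4: the update nsupdate would send, with Kerberos tracing on.
    update_file=$(mktemp)
    nsupdate_script "$3" "$4" 1200 > "$update_file"
    KRB5_TRACE=/dev/stdout nsupdate -g "$update_file"
    rm -f "$update_file"
}

# Constructed sample resolv.conf contents. 10.42.0.11 is ipa-pdc (from the
# log in the thread); 10.42.0.2 stands in for the AD server, whose IP is not given.
RESOLV_AD_FIRST="nameserver 10.42.0.2
nameserver 10.42.0.11
search ipa.rxrhouse.net"
RESOLV_IPA_FIRST="nameserver 10.42.0.11
nameserver 10.42.0.2
search ipa.rxrhouse.net"

# Usage on a real client:
#   sh dns_update_check.sh ipa-pdc.ipa.rxrhouse.net 10.42.0.11 trainmaster.ipa.rxrhouse.net 10.42.0.100
if [ "$#" -eq 4 ]; then
    run_checks "$1" "$2" "$3" "$4"
fi
```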
Tyrell Jentink
2016-10-27 19:47:11 UTC
Thank you Petr! I found the problem, but quite by accident... There may
be a Best Practice at hand that I wasn't aware of...

I still have the Windows AD server sitting on the side, serving as DHCP
server and waiting patiently for my Cross Realm Trust; That server will
forward DNS requests to the IPA server, and return a non-authoritative
answer. Occasionally, that server will seemingly lose track of the IPA
server, and stop returning results... And that happened while I was trying
to follow through with your request for info... So as a quick work around,
I simply dropped the AD server from my resolv.conf...

And then performed your requests, without errors. I ran the DNS Update
from the ipa-server-install script, and that worked without errors. I
added the AD server back into resolv.conf, and everything failed again. I
put the AD server as the SECOND name server in resolv.conf, and the errors
went away. So I've clearly identified the problem.

I uninstalled the client, and reinstalled the client, and everything went
cleanly.

To prevent this problem in the future... I will be changing the DHCP
options to list the IPA DNS first for the Linux clients, and the AD DNS
first for Windows clients; I still want the AD DNS server in the list, as a
fallback. Is this plan the best practice here?
Petr Spacek
2016-11-03 09:30:25 UTC
Well, the ordering of the servers does not matter as long as they can resolve
records properly. The key problem is
Post by Tyrell Jentink
answer. Occasionally, that server will seemingly lose track of the IPA
server, and stop returning results... And that happened while I was trying
...

It should just work if you fix this.

I hope it helps.