Discussion:
[Freeipa-users] One kerberos realm, two dns zones and SSHFP records
Ranbir
2017-03-22 19:29:06 UTC
Hi Everyone,

I'm using a fully updated CentOS 7.3 environment for two IPA servers. I
have one kerberos realm, one dns zone with the same name as the
kerberos realm and another dns zone with a different name. DNS is
managed by IPA. For the sake of this message:

realm: REALM.IPA
dnszone1: realm.ipa
dnszone2: random.ipa

When I join a server that's going into the realm.ipa dns zone to the
IPA domain, SSHFP records for that server get automatically created in
realm.ipa. But, when I do the same for a server going into the
random.ipa dns zone, the SSHFP aren't automatically created. I have to
add the SSHFP records manually after the client install completes.

Why are SSHFP records not added automatically for the second dns zone
and how can I fix this situation?

Thanks in advance.

Ranbir


--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
David Kupka
2017-03-23 07:14:10 UTC
Hello Ranbir,
are other records (A, AAAA, PTR, ...) created for the client in random.ipa and
just SSHFP missing? Is the domain random.ipa properly delegated? Is sshd
installed and keys generated on client in random.ipa?
--
David Kupka
Martin Basti
2017-03-23 09:34:34 UTC
Do you have dynamic-updates enabled in the random.ipa. zone?
Could you check the nsupdate output in /var/log/ipaclient-install.log?
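
The manual step mentioned in the first message, as an added example that is not part of the thread or of FreeIPA's code: deriving the SSHFP record data from a host's OpenSSH public key line, so the result can be compared with what the zone actually holds. The host name client1 and the sample key are constructed for illustration; random.ipa is the zone named in the thread.

```python
import base64
import hashlib
import struct

# SSHFP algorithm numbers (RFC 4255, RFC 7479); ECDSA (RFC 6594) is handled below.
ALGORITHMS = {"ssh-rsa": 1, "ssh-dss": 2, "ssh-ed25519": 4}
# SSHFP fingerprint type numbers: 1 = SHA-1, 2 = SHA-256.
FP_TYPES = {1: hashlib.sha1, 2: hashlib.sha256}


def key_type_in_blob(blob):
    """Return the key type string stored at the start of an SSH key blob."""
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (length,) = struct.unpack(">I", blob[:4])
    if length > len(blob) - 4:
        raise ValueError("truncated key blob")
    return blob[4:4 + length].decode("ascii")


def sshfp_records(fqdn, pubkey_line):
    """Build SSHFP records for one line of an OpenSSH *.pub host key file."""
    key_type, b64 = pubkey_line.split()[:2]
    blob = base64.b64decode(b64, validate=True)
    # Reject a line whose label disagrees with the key it carries.
    if key_type_in_blob(blob) != key_type:
        raise ValueError("declared key type does not match key blob")
    if key_type.startswith("ecdsa-sha2-"):
        algorithm = 3
    elif key_type in ALGORITHMS:
        algorithm = ALGORITHMS[key_type]
    else:
        raise ValueError("no SSHFP algorithm number for " + key_type)
    owner = fqdn.rstrip(".") + "."
    # The fingerprint is the hash of the raw (base64-decoded) public key blob.
    return ["%s IN SSHFP %d %d %s" % (owner, algorithm, fp, h(blob).hexdigest())
            for fp, h in FP_TYPES.items()]


def constructed_ed25519_line():
    """Constructed sample: well-formed ssh-ed25519 blob with a dummy 32-byte key."""
    name, key = b"ssh-ed25519", bytes(range(32))
    blob = struct.pack(">I", len(name)) + name + struct.pack(">I", len(key)) + key
    return "ssh-ed25519 %s root@client1" % base64.b64encode(blob).decode("ascii")


if __name__ == "__main__":
    # client1 is a hypothetical host name in the thread's second zone.
    for record in sshfp_records("client1.random.ipa", constructed_ed25519_line()):
        print(record)
```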