RHEL Identity Management (IdM): set up IPA client: Failed to update DNS records, Could not update DNS SSHFP records

CHAPTER 2. INSTALLING AN IDM SERVER: WITH INTEGRATED DNS, WITH AN INTEGRATED CA AS THE ROOT CA

I successfully “Enrolled in IPA realm” a client, except I had some failures:

  1. Failed to update DNS records.
  2. Could not update DNS SSHFP records.
[root@mariadbserver etc]# ipa-client-install --enable-dns-updates --mkhomedir
This program will set up IPA client.
Version 4.10.0

Discovery was successful!
Do you want to configure chrony with NTP server or pool address? [no]: yes
Enter NTP source server addresses separated by comma, or press Enter to skip: 10.30.70.1
Enter a NTP source pool address, or press Enter to skip: 
Client hostname: mariadbserver.kbbn-7.com
Realm: KBBN-7.COM
DNS Domain: kbbn-7.com
IPA Server: idmserver1c.kbbn-7.com
BaseDN: dc=kbbn-7,dc=com
NTP server: 10.30.70.1

Continue to configure the system with these values? [no]: yes
Synchronizing time
Configuration of chrony was changed by installer.
Attempting to sync time with chronyc.
Time synchronization was successful.
User authorized to enroll computers: admin
Password for admin@KBBN-7.COM: 
Successfully retrieved CA cert
    Subject:     CN=Certificate Authority,O=KBBN-7.COM
    Issuer:      CN=Certificate Authority,O=KBBN-7.COM
    Valid From:  2023-04-03 08:49:27
    Valid Until: 2043-04-03 08:49:27

Enrolled in IPA realm KBBN-7.COM
Created /etc/ipa/default.conf
Configured /etc/sssd/sssd.conf
Systemwide CA database updated.
Failed to update DNS records. <--------------------------------------<<
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Could not update DNS SSHFP records. <-----------------------------<<
SSSD enabled
Configured /etc/openldap/ldap.conf
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config.d/04-ipa.conf
Configuring kbbn-7.com as NIS domain.
Configured /etc/krb5.conf for IPA realm KBBN-7.COM
Client configuration complete.
The ipa-client-install command was successful

I was not able to do this until I added the SRV to pfSense DNS Resolver:

server:
include: /var/unbound/pfb_dnsbl.*conf
local-data: "_kerberos-master._tcp.kbbn-7.com. 3600 IN SRV 0 100 88 idmserver1c.kbbn-7.com."
local-data: "_kerberos-master._udp.kbbn-7.com. 3600 IN SRV 0 100 88 idmserver1c.kbbn-7.com."
local-data: "_kerberos._tcp.kbbn-7.com. 3600 IN SRV 0 100 88 idmserver1c.kbbn-7.com."
local-data: "_kerberos._udp.kbbn-7.com. 3600 IN SRV 0 100 88 idmserver1c.kbbn-7.com."
local-data: "_kerberos.kbbn-7.com. 3600 IN TXT KBBN-7.COM"
local-data: "_kerberos.kbbn-7.com. 3600 IN URI 0 100 krb5srv:m:tcp:idmserver1c.kbbn-7.com."
local-data: "_kerberos.kbbn-7.com. 3600 IN URI 0 100 krb5srv:m:udp:idmserver1c.kbbn-7.com."
local-data: "_kpasswd._tcp.kbbn-7.com. 3600 IN SRV 0 100 464 idmserver1c.kbbn-7.com."
local-data: "_kpasswd._udp.kbbn-7.com. 3600 IN SRV 0 100 464 idmserver1c.kbbn-7.com."
local-data: "_kpasswd.kbbn-7.com. 3600 IN URI 0 100 krb5srv:m:tcp:idmserver1c.kbbn-7.com."
local-data: "_kpasswd.kbbn-7.com. 3600 IN URI 0 100 krb5srv:m:udp:idmserver1c.kbbn-7.com."
local-data: "_ldap._tcp.kbbn-7.com. 3600 IN SRV 0 100 389 idmserver1c.kbbn-7.com."
local-data: "ipa-ca.kbbn-7.com. 3600 IN A 10.30.70.106"

What may have caused this and how do I correct it? I’m using pfSense for my DHCP, the DNS Resolver as the forwarder for the IdM server, and NTP for the IdM domain clock sync.

Network Topology

  1. After the installation script completes, update your DNS records in the following way:
    a. Add DNS delegation from the parent domain to the IdM DNS domain. For example, if the IdM DNS domain is idm.example.com, add a name server (NS) record to the example.com parent domain.

Can anyone add clarification? I assumed it means adding it to your parent DNS, which is my pfSense DNS, and after adding:

local-data: '_dns._tcp.kbbn-7.com. 3600 IN NS 0 100 123 idmserver1c.kbbn-7.com.'
local-data: '_dns._udp.kbbn-7.com. 3600 IN NS 0 100 123 idmserver1c.kbbn-7.com.'

to Custom options, it still fails. Do any of these services need to be enabled and running:


You are using an external DNS server, in FreeIPA terminology. In order to update entries in an external DNS server, it needs to support one of the update methods supported by FreeIPA (and SSSD, in this case). It most likely is not configured to do so.

Both the IPA client installer and SSSD use the nsupdate utility to submit DNS record changes to update a DNS zone. They expect that they’d be able to use the GSS-TSIG method to authenticate with a host Kerberos principal using the host keytab. After installation you might configure SSSD to use one of the supported methods. See the sssd-ipa man page, dyndns_* parameter descriptions.

In general, auto-update of DNS zones is heavily tilted towards use with integrated DNS solutions that support the GSS-TSIG method and are enrolled into the same IPA domain (Kerberos-wise). If you are not using an integrated DNS solution, you have to handle those configurations manually.


Morning,

Are you saying, because of the results, it’s trying to update my pfSense DNS? For this was not my intention; I want to use IPA’s integrated DNS / CA, as you stated in its terminology. However, during the install it did add the HOSTNAME, but it fails to update IPA’s DNS records as mentioned above.

P.S. this is my lab server (see Diagram above) so I can learn IPA before going production (will be same as lab).

Created another (IdM) VM to look over interactive installation, is this correct?

The IPA Master Server will be configured with:
Hostname: rocky9idm1a.kbbn-7.com
IP address(es): 10.30.70.157
Domain name: kbbn-7.com
Realm name: KBBN-7.COM

The CA will be configured with:
Subject DN: CN=Certificate Authority,O=KBBN-7.COM
Subject base: O=KBBN-7.COM
Chaining: self-signed

BIND DNS server will be configured to serve IPA domain with:
Forwarders: 10.30.70.1
Forward policy: only
Reverse zone(s): No reverse zone

NTP server: 10.30.70.1

If you have deployed with integrated DNS but your clients attempt to update a zone at a different DNS server, this means your DNS setup directs them to the wrong DNS server as authoritative. If I were to build a lab like that, I would use a DNS zone under the zone controlled by the pfSense DNS. It would need to delegate the IPA DNS zone to the IPA DNS server. I would recommend reading about it somewhere, for example, at DNS zone delegation — NsLookup learning.


I don’t know if it’s doing the lookup on pfSense’s DNS, but I do know the client’s hostname was successfully added to the rocky9idm1a IPA Identity / Hosts list.

This is what I’m trying to figure out: why, during the install, it’s failing to find rocky9idm1a’s DNS when it successfully added the client’s hostname to the Identity Hosts list. If it is trying to update pfSense’s DNS, where is it getting its settings from to do this lookup, and how do I make the correction so it does the lookup on the rocky9idm1a server?

I want the lab to act as an isolated intranet and use pfSense’s DNS only to forward all unresolved lookups. Some setting(s) are missing with this interactive installation that’s causing it to fail to update the DNS records on the rocky9idm1a server.

If it’s trying to update the client’s records on the pfSense DNS, I don’t know, but if it is, how and why? After the installation of IPA on the rocky9idm1a server it states:

  1. After the installation script completes, update your DNS records in the following way:
    a. Add DNS delegation from the parent domain to the IdM DNS domain. For example, if the IdM DNS domain is idm.example.com, add a name server (NS) record to the example.com parent domain.

And it’s not clear where I’m supposed to add this record. But, when I added the records,

local-data: '_dns._tcp.kbbn-7.com. 3600 IN NS 0 100 123 rocky9idm1.kbbn-7.com.'
local-data: '_dns._udp.kbbn-7.com. 3600 IN NS 0 100 123 rocky9idm1.kbbn-7.com.'

to pfSense’s DNS to point to the rocky9idm1 server, updating the client’s records to the rocky9idm1 DNS still fails. All my dig tests return the correct results according to the RHEL instructions,

root@mxkbbn7:/# dig +short rhel9idm.kbbn-7.com A
10.30.70.154

root@mxkbbn7:/# dig +short -x 10.30.70.154
rhel9idm.kbbn-7.com.

root@mxkbbn7:/# dig +dnssec @10.30.70.154 . SOA

; <<>> DiG 9.16.37-Debian <<>> +dnssec @10.30.70.154 . SOA
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51483
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
; COOKIE: 31cf6db092638a44010000006469acf56c953b8f025d34dd (good)
;; QUESTION SECTION:
;. IN SOA

;; ANSWER SECTION:
. 86400 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2023052001 1800 900 604800 86400
. 86400 IN RRSIG SOA 8 0 86400 20230602170000 20230520160000 60955 . lAA0fldcg4t4Rx5GuN/Z7kXcsmbEMO+rbwWuAZeL0Ee2FrcSGnnViwQ5 Ce2OwblHTp87ZnpY5NkQiWOUCTi3ezmTiOblsnrFpl0CICKnVvsDUGS3 JasX0ZStEWk87PwCzfr1vLnPTvrQWQeaSb6aWyalC4c7yYk9OU8b4FBW JbFtnYisVDKDVtysgaOl8kWHfWMTYsVtiwrBRERCQr5TrgNzXWv/Qx5s 56S1w4c2ZGUh29ooBbXgM7xXrtn69tREuIr8PpCQnvdRCoaJj3gA0MY/ cYYVgYzZunrWf8p5uRxdWKcy4ShJcFJnJRldbDL+4W4RjIoLBVtz+uVK yCg63w==

;; Query time: 112 msec
;; SERVER: 10.30.70.154#53(10.30.70.154)
;; WHEN: Sat May 20 23:32:37 MDT 2023
;; MSG SIZE rcvd: 417

I followed these instructions,

  1. Run the ipa-client-install utility on the system that you want to configure as an IdM client.

ipa-client-install --mkhomedir

Add the --enable-dns-updates option to update the DNS records with the IP address of the client system if either of the following conditions applies:

  • The IdM server the client will be enrolled with was installed with integrated DNS
  • The DNS server on the network accepts DNS entry updates with the GSS-TSIG protocol

ipa-client-install --enable-dns-updates --mkhomedir

Enabling DNS updates is useful if your client:

  • has a dynamic IP address issued using the Dynamic Host Configuration Protocol
  • has a static IP address but it has just been allocated and the IdM server does not know about it

I ran ipa-client-install --enable-dns-updates --mkhomedir

This means something is missing or the DNS updating is failing. :weary:

Those _dns._tcp and _dns._udp records make no difference because nobody uses them except some dynamic DNS resolution software (Avahi?). They certainly aren’t used by the system DNS resolver.

All you need to do is to make DNS delegation or forwarding work properly between your clients and IPA deployment. I have no experience with pfSense myself so I cannot help with that. What typically is done in isolated labs:

  • either systems use IPA server as their DNS directly (in /etc/resolv.conf, for example), or
  • systems get configured to use a DNS server that knows that IPA DNS zone should be resolved by the IPA server and either delegates there or forwards to the IPA server

This is no different to any proper DNS zone deployment.

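An added client-side diagnostic that ties the two answers above together (it is not from this thread or from the FreeIPA project): first it checks which server the client’s resolver reports as the primary master of the zone, since nsupdate (run for you by ipa-client-install and SSSD) sends its GSS-TSIG update there when no server is given; then it authenticates with the host keytab and submits a harmless update to confirm that server accepts GSS-TSIG. The zone and server names default to the ones used in the thread and are assumptions; dig, kinit and nsupdate must exist on the client.

```shell
#!/bin/sh
# Added diagnostic for the "Failed to update DNS records" symptom in this thread.
# Not thread or FreeIPA code. Assumed defaults: the thread's zone and IPA server.
ZONE="${ZONE:-kbbn-7.com}"
IPA_SERVER="${IPA_SERVER:-idmserver1c.kbbn-7.com}"

# Normalise a host name: lower-case, trailing dot removed.
norm_host() {
  printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/\.$//'
}

# Print the MNAME (primary master) from one 'dig +short SOA' answer line.
soa_master() {
  printf '%s\n' "$1" | awk '{print $1}'
}

# "yes" if the SOA answer names the IPA server as primary master, else "no".
zone_points_at_ipa() {
  if [ "$(norm_host "$(soa_master "$1")")" = "$(norm_host "$2")" ]; then
    echo yes
  else
    echo no
  fi
}

# Live check 1: which server does this client's resolver treat as master of ZONE?
# If it is the pfSense resolver, every GSS-TSIG update goes there and is refused.
check_authority() {
  soa=$(dig +short SOA "$ZONE")
  if [ "$(zone_points_at_ipa "$soa" "$IPA_SERVER")" = yes ]; then
    echo "OK: $ZONE SOA master is $IPA_SERVER"
  else
    echo "PROBLEM: $ZONE SOA is '$soa'; updates go there, not to $IPA_SERVER"
  fi
}

# Live check 2: can this host's keytab authenticate a GSS-TSIG update?
# Re-adding the host's own A record changes nothing; IPA's default update
# policy lets a host principal touch only its own A, AAAA and SSHFP records.
probe_gss_tsig() {
  fqdn=$(hostname -f)
  ip=$(hostname -I | awk '{print $1}')
  kinit -k -t /etc/krb5.keytab "host/$fqdn" || return 1
  printf 'update add %s. 1200 IN A %s\nsend\n' "$fqdn" "$ip" | nsupdate -g -d
}

if [ "${1:-}" = "--run" ]; then
  check_authority
  probe_gss_tsig
fi
```

Run it with `--run` on the enrolled client; a REFUSED or "tsig verify failure" from the second check points at the server named by the first.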

Ah, I got you. I need to read more about setting up a proper network, I’m still in my learning stages of network management, thus the reason for the Lab. I have a business I want to start, and before hiring and allowing user sign on, I want to master my own network.

Thanks for your help, I have lot of reading and questions before going production. :nerd_face: