DHCPD update DDNS with ipa

Andy Tomlin atomlin at engineer.com
Thu Apr 3 02:52:48 UTC 2014

I am running CentOS 6.5 and have installed IPA so that all our Linux
machines can authenticate against it. We have Windows machines that get their IP address
from this server, and since installing IPA the DDNS updates no longer work. Searching
online has not turned up much help. The key files on both sides match.




My named.conf is as follows:


[root at alfred ~]# cat /etc/named.conf

options {

        // turns on IPv6 for port 53, IPv4 is on by default for all ifaces

        listen-on-v6 {any;};

        // NOTE(review): the address list below looks stripped by the list
        // archive ("{;; }"); as pasted it would not parse, so the live file
        // must differ here.
        listen-on port 53 {;; };


        // Put files that named is allowed to write in the data/ directory:

        directory "/var/named"; // the default

        dump-file               "data/cache_dump.db";

        statistics-file         "data/named_stats.txt";

        memstatistics-file      "data/named_mem_stats.txt";


        //forward first;

        //forwarders {





        // Any host is permitted to issue recursive queries
        // NOTE(review): "any" makes this an open resolver if the host is
        // reachable from untrusted networks; limiting recursion to the local
        // subnets (an acl) removes that exposure. Unrelated to the REFUSED
        // updates in the log, but worth tightening while here.

        allow-recursion { any; };


        // GSS-TSIG credentials: named can accept updates signed with Kerberos
        // (GSSAPI) tickets from the tkey-domain realm, which is how Windows /
        // IPA clients update on their own behalf. dhcpd below signs with a
        // plain TSIG key instead, so these two lines do not cover its updates.
        tkey-gssapi-credential "DNS/alfred.xxxxxxx.com";

        tkey-domain "xxxxxxx.COM";



// Defines the TSIG key that dhcpd signs its updates with. Including the key
// only makes it known to named; it grants no update rights by itself. With
// zones served through dynamic-db "ipa" (below), the per-zone update policy
// comes from IPA/LDAP rather than from named.conf -- presumably the zone must
// allow dynamic updates and grant this key's name in its update policy
// (verify in IPA; as posted, nothing here authorises the key).
include "/etc/named/ddns.key";


/* If you want to enable debugging, eg. using the 'rndc trace' command,

* By default, SELinux policy does not allow named to modify the /var/named

* so put the default debug log file in data/ :
*/


logging {

        channel default_debug {

                file "data/named.run";

                severity dynamic;




zone "." IN {

        type hint;

        file "named.ca";



include "/etc/named.rfc1912.zones";


// Zones are loaded from the IPA LDAP directory by the ldap.so plugin
// (bind-dyndb-ldap) instead of from zone files on disk; named binds to LDAP
// over the local slapd socket using GSSAPI as the DNS service principal.
dynamic-db "ipa" {

        library "ldap.so";

        arg "uri ldapi://%2fvar%2frun%2fslapd-xxxxxxx-COM.socket";

        arg "base cn=dns, dc=xxxxxxx,dc=com";

        arg "fake_mname alfred.xxxxxxx.com.";

        arg "auth_method sasl";

        arg "sasl_mech GSSAPI";

        arg "sasl_user DNS/alfred.xxxxxxx.com";

        arg "zone_refresh 0";

        arg "psearch yes";

        arg "serial_autoincrement yes";



My dhcpd.conf is as follows:

[root at alfred ~]# cat /etc/dhcp/dhcpd.conf

# dhcpd.conf


# Sample configuration file for ISC dhcpd



# option definitions common to all supported networks...

option domain-name "xxxxxxx.com";

# NOTE(review): the server address list looks stripped by the list archive
# (",,"); the live file must list the DNS server(s) here.
option domain-name-servers,,;


# dhcpd performs the DDNS updates itself (interim style) and ignores the
# client's request to do its own updates. So the "update failed: rejected by
# secure update (REFUSED)" line in the log is named rejecting dhcpd's update,
# i.e. the key dhcpd signs with is not authorised for the zone; it is not a
# Windows-client-side problem.
ddns-updates on;

ddns-update-style interim;

ignore client-updates;

update-static-leases on;


default-lease-time 600;

max-lease-time 7200;


# Use this to enble / disable dynamic dns updates globally.

#ddns-update-style none;


# If this DHCP server is the official DHCP server for the local

# network, the authoritative directive should be uncommented.



# Use this to send dhcp log messages to a different log file (you also

# have to hack syslog.conf to complete the redirection).

log-facility local7;


# No service will be given on this subnet, but declaring it helps the

# DHCP server to understand the network topology.


#subnet netmask {



# The TSIG key here must be byte-identical to the one named includes (the
# author reports they match) AND be granted update rights for each zone
# below; with IPA-managed zones that grant lives in the zone's update policy
# in IPA, not in named.conf.
include "/etc/dhcp/ddns.key";


# NOTE(review): the zone bodies are missing from the paste. Each zone should
# name the server to send updates to (primary) and the key to sign them with
# (key); without a key statement the update would be sent unsigned.
zone xxxxxxx.com. {





# Reverse zone for 10.0.2.0/24 -- same primary/key requirement as above.
zone 2.0.10.in-addr.arpa. {





# This is a very basic subnet declaration.


# NOTE(review): network, mask and router addresses look stripped by the
# list archive.
subnet netmask {


  option routers;



[root at alfred ~]#


When a Windows client gets a DHCP address, the following appears in the log:


[root at alfred ~]# tail -n50 /var/log/messages

Apr  2 19:40:50 alfred named[8491]: client updating zone
'xxxxxxx.com/IN': update failed: rejected by secure update (REFUSED)

Apr  2 19:40:50 alfred dhcpd: Unable to add forward map from
atomlin.xxxxxxx.com to timed out

Apr  2 19:40:50 alfred dhcpd: DHCPREQUEST for from
0c:54:a5:08:5f:cc (atomlin) via eth0

Apr  2 19:40:50 alfred dhcpd: DHCPACK on to 0c:54:a5:08:5f:cc
(atomlin) via eth0

[root at alfred ~]#


