<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">On 12/08/2014 02:10 PM, Matthew Herzog
wrote:<br>
</div>
<blockquote
cite="mid:CABhyZ34exwjj4o8RRu651w2kik96wMS3Y6dvEk14MG1Y+LkY9w@mail.gmail.com"
type="cite">
<div dir="ltr">
<div>Here are some errors I'm seeing on the client.</div>
<div><br>
</div>
<div>tail -f sssd_lnx.e-bozo.com.log<br>
</div>
<div>(Mon Dec 8 14:03:20 2014) [sssd[be[<a
moz-do-not-send="true" href="http://lnx.e-bozo.com">lnx.e-bozo.com</a>]]]
[sbus_dispatch] (0x4000): dbus conn: 0x1e72ad0</div>
<div>(Mon Dec 8 14:03:20 2014) [sssd[be[<a
moz-do-not-send="true" href="http://lnx.e-bozo.com">lnx.e-bozo.com</a>]]]
[sbus_dispatch] (0x4000): Dispatching.</div>
<div>(Mon Dec 8 14:03:20 2014) [sssd[be[<a
moz-do-not-send="true" href="http://lnx.e-bozo.com">lnx.e-bozo.com</a>]]]
[sbus_message_handler] (0x4000): Received SBUS method [ping]</div>
<div>(Mon Dec 8 14:03:20 2014) [sssd[be[<a
moz-do-not-send="true" href="http://lnx.e-bozo.com">lnx.e-bozo.com</a>]]]
[sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit</div>
<div>(Mon Dec 8 14:03:20 2014) [sssd[be[<a
moz-do-not-send="true" href="http://lnx.e-bozo.com">lnx.e-bozo.com</a>]]]
[sbus_handler_got_caller_id] (0x4000): Received SBUS method
[ping]</div>
<div>(Mon Dec 8 14:03:30 2014) [sssd[be[<a
moz-do-not-send="true" href="http://lnx.e-bozo.com">lnx.e-bozo.com</a>]]]
[sbus_dispatch] (0x4000): dbus conn: 0x1e72ad0</div>
<div>(Mon Dec 8 14:03:30 2014) [sssd[be[<a
moz-do-not-send="true" href="http://lnx.e-bozo.com">lnx.e-bozo.com</a>]]]
[sbus_dispatch] (0x4000): Dispatching.</div>
<div>(Mon Dec 8 14:03:30 2014) [sssd[be[<a
moz-do-not-send="true" href="http://lnx.e-bozo.com">lnx.e-bozo.com</a>]]]
[sbus_message_handler] (0x4000): Received SBUS method [ping]</div>
<div>(Mon Dec 8 14:03:30 2014) [sssd[be[<a
moz-do-not-send="true" href="http://lnx.e-bozo.com">lnx.e-bozo.com</a>]]]
[sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit</div>
<div>(Mon Dec 8 14:03:30 2014) [sssd[be[<a
moz-do-not-send="true" href="http://lnx.e-bozo.com">lnx.e-bozo.com</a>]]]
[sbus_handler_got_caller_id] (0x4000): Received SBUS method
[ping]</div>
<div>(Mon Dec 8 14:03:40 2014) [sssd[be[<a
moz-do-not-send="true" href="http://lnx.e-bozo.com">lnx.e-bozo.com</a>]]]
[sbus_dispatch] (0x4000): dbus conn: 0x1e72ad0</div>
<div>(Mon Dec 8 14:03:40 2014) [sssd[be[<a
moz-do-not-send="true" href="http://lnx.e-bozo.com">lnx.e-bozo.com</a>]]]
[sbus_dispatch] (0x4000): Dispatching.</div>
<div><br>
</div>
<div>[root@freeipa-poc-client02 sssd]# tail -f sssd_ssh.log</div>
<div>(Sun Dec 7 19:32:09 2014) [sssd[ssh]] [ssh_process_init]
(0x0010): sss_process_init() failed</div>
<div>(Sun Dec 7 19:32:09 2014) [sssd[ssh]] [sss_dp_init]
(0x0010): Failed to connect to monitor services.</div>
<div>(Sun Dec 7 19:32:09 2014) [sssd[ssh]] [sss_process_init]
(0x0010): fatal error setting up backend connector</div>
<div>(Sun Dec 7 19:32:09 2014) [sssd[ssh]] [ssh_process_init]
(0x0010): sss_process_init() failed</div>
<div>(Sun Dec 7 19:32:16 2014) [sssd[ssh]] [sss_dp_init]
(0x0010): Failed to connect to monitor services.</div>
<div>(Sun Dec 7 19:32:16 2014) [sssd[ssh]] [sss_process_init]
(0x0010): fatal error setting up backend connector</div>
<div>(Sun Dec 7 19:32:16 2014) [sssd[ssh]] [ssh_process_init]
(0x0010): sss_process_init() failed</div>
<div>(Sun Dec 7 19:32:16 2014) [sssd[ssh]] [sss_dp_init]
(0x0010): Failed to connect to monitor services.</div>
<div>(Sun Dec 7 19:32:16 2014) [sssd[ssh]] [sss_process_init]
(0x0010): fatal error setting up backend connector</div>
<div>(Sun Dec 7 19:32:16 2014) [sssd[ssh]] [ssh_process_init]
(0x0010): sss_process_init() failed</div>
</div>
</blockquote>
<br>
What is the version of the client?<br>
Please add debug_level=9 to sssd.conf in different sections to raise
the verbosity of the log and see what is really going on there.<br>
<a class="moz-txt-link-freetext" href="https://fedorahosted.org/sssd/wiki/FAQ#BasicsofTroubleshooting">https://fedorahosted.org/sssd/wiki/FAQ#BasicsofTroubleshooting</a><br>
<br>
<br>
<blockquote
cite="mid:CABhyZ34exwjj4o8RRu651w2kik96wMS3Y6dvEk14MG1Y+LkY9w@mail.gmail.com"
type="cite">
<div dir="ltr">
<div><br>
</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Mon, Dec 8, 2014 at 11:48 AM,
Matthew Herzog <span dir="ltr"><<a moz-do-not-send="true"
href="mailto:matthew.herzog@gmail.com" target="_blank">matthew.herzog@gmail.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">I have never seen my IPA servers produce a
zone file nor has the install script ever mentioned the
creation of such. In fact, I just ran ipa-server-install
--uninstall && ipa-server-install and there was no
mention of a zone file.
<div><br>
</div>
<div>Where should I look in the file system to be sure? I
see nothing in /var/named. I'm using 3.3.3 IPA on Oracle
Linux from Oracle's yum repo. (Not my choice.)
<div><br>
</div>
<div>dsee7 is <i>not </i>running Kerberos. dsee7 is <i>not
</i>configured with SRV records. I guess I'll need to
add SRV records for all my Linux hosts.<br>
<div><br>
<div><br>
</div>
<div><br>
<div><br>
</div>
<div><br>
</div>
</div>
</div>
</div>
</div>
</div>
<div class="gmail_extra">
<div>
<div class="h5"><br>
<div class="gmail_quote">On Mon, Dec 8, 2014 at 10:41
AM, Petr Spacek <span dir="ltr"><<a
moz-do-not-send="true"
href="mailto:pspacek@redhat.com" target="_blank">pspacek@redhat.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex"><span>On
8.12.2014 14:44, Matthew Herzog wrote:<br>
> Petr said, "You can run ipa-server-install
*without* --setup-dns option and<br>
> at the end of<br>
> installation it will produce DNS records
which you have to manually add to<br>
> your existing DNS database."<br>
><br>
> I can't see how this would be useful or
which machines I would need to add<br>
> to our DNS.<br>
><br>
> Perhaps I should have explained that we are
not going to set up a new DNS<br>
> domain for the ipa-managed servers.<br>
</span>Good.<br>
<br>
Now you should run ipa-server-install *without*
--setup-dns, using<br>
<a moz-do-not-send="true"
href="http://lnx.e-bozo.com" target="_blank">lnx.e-bozo.com</a>
as your IPA domain. It will install a full IPA server
and spit out<br>
DNS zone file.<br>
<br>
Then you *have to* take this zone file and import
it to your existing DNS<br>
infrastructure - that will give you fully
functional IPA domain <a moz-do-not-send="true"
href="http://lnx.e-bozo.com" target="_blank">lnx.e-bozo.com</a>.<br>
<br>
Caveat:<br>
Preceding text assumes that 'dsee7' is not using
either Kerberos or DNS SRV<br>
records for LDAP service in domain <a
moz-do-not-send="true"
href="http://lnx.e-bozo.com" target="_blank">lnx.e-bozo.com</a>,
i.e. clients connecting to<br>
DSEE7 should be (most likely) statically
configured with DSEE7 server name.<br>
<br>
Petr^2 Spacek<br>
<div>
<div><br>
> We have an Oracle dsee7 server doing<br>
> LDAP for our Linux servers and accounts.
We want to migrate to IPA so we<br>
> don't have to maintain a Linux/LDAP
account for every user who needs access<br>
> to Linux servers. All of our users start
with an account in AD and since<br>
> none of my predecessors knew about
Winbind, they set up dsee7.<br>
><br>
> So I'm thinking we'll need to import all
our dsee7 accounts AND make it<br>
> possible for AD users to access the Linux
systems without needing to create<br>
> them in IPA.<br>
><br>
> On Mon, Dec 8, 2014 at 2:56 AM, Petr
Spacek <<a moz-do-not-send="true"
href="mailto:pspacek@redhat.com"
target="_blank">pspacek@redhat.com</a>>
wrote:<br>
><br>
>> On 8.12.2014 05:02, Dmitri Pal wrote:<br>
>>> On 12/07/2014 10:10 PM, Matthew
Herzog wrote:<br>
>>>> So should the FreeIPA server
be authoritative for the Kerb. realm/DNS<br>
>> domain<br>
>>>> or can it/should it be a
slave DNS server instead? Or caching only?<br>
>>><br>
>>> IPA DNS can't be a slave so you
either delegate a whole zone to it or<br>
>> manage<br>
>>> IPA DNS domain via your own DNS
server.<br>
>><br>
>> Generally, "slave" is not allowed to
make any changes so it is useless in<br>
>> your<br>
>> scenario.<br>
>><br>
>> You can run ipa-server-install
*without* --setup-dns option and at the end<br>
>> of<br>
>> installation it will produce DNS
records which you have to manually add to<br>
>> your existing DNS database.<br>
>><br>
>> Did you try that?<br>
>><br>
>> Petr^2 Spacek<br>
>><br>
>>>> On Sun, Dec 7, 2014 at 9:57
PM, Dmitri Pal <<a moz-do-not-send="true"
href="mailto:dpal@redhat.com"
target="_blank">dpal@redhat.com</a><br>
>>>> <mailto:<a
moz-do-not-send="true"
href="mailto:dpal@redhat.com"
target="_blank">dpal@redhat.com</a>>>
wrote:<br>
>>>><br>
>>>> On 12/07/2014 09:51 PM,
Matthew Herzog wrote:<br>
>>>>> What must be done in
or on the ipa server with regard to DNS, if<br>
>>>>> anything?<br>
>>>>><br>
>>>>> Our DNS works. It
works well. We have four Linux DNS servers and<br>
>>>>> two AD domain
controllers that also do DNS.<br>
>>>>><br>
>>>>> So if we already have
DNS working well in our domain, why do we<br>
>>>>> want to manage DNS in
IPA?<br>
>>>><br>
>>>> Let us keep the
discussion on the list.<br>
>>>> IPA when used with AD
trust presents itself as a separate forest.<br>
>>>> AD thinks that it is
working with another AD forest.<br>
>>>> For that to work we need
to follow MSFT rules about relationship<br>
>>>> between Kerberos realm
and DNS domain.<br>
>>>> AD assumes that for every
trusted forest Kerberos realm = DNS<br>
>>>> domain. IPA makes it easy
to do because it has integrated tools to<br>
>>>> manage IPA DNS domain.<br>
>>>> If you want to manage it
yourself through your DNS you can do it,<br>
>>>> just more manual
operations for you.<br>
>>>><br>
>>>> HTH<br>
>>>><br>
>>>> Thanks<br>
>>>> Dmitri<br>
>>>><br>
>>>><br>
>>>>><br>
>>>>> On Sun, Dec 7, 2014
at 9:44 PM, Dmitri Pal <<a
moz-do-not-send="true"
href="mailto:dpal@redhat.com"
target="_blank">dpal@redhat.com</a><br>
>>>>> <mailto:<a
moz-do-not-send="true"
href="mailto:dpal@redhat.com"
target="_blank">dpal@redhat.com</a>>>
wrote:<br>
>>>>><br>
>>>>> On 12/07/2014
06:44 PM, Matthew Herzog wrote:<br>
>>>>>> Thanks guys.
I'm sorry for my delay in responding.<br>
>>>>>><br>
>>>>>> Firstly, I
was under the impression (from reading the
docs)<br>
>>>>>> that having
named running on IPA server was critical.<br>
>>>>><br>
>>>>> Properly
configured DNS is critical.<br>
>>>>> How you
accomplish it is up to you.<br>
>>>>> IPA allows you to
have a DNS server that would simplify DNS<br>
>>>>> management but it
can be done manually too. This is why DNS<br>
>>>>> is optional.<br>
>>>>><br>
>>>>><br>
>>>>>> Also, the
first question the ipa-server-install script
asks<br>
>>>>>> is, "Do you
want to configure integrated DNS (BIND)? ."<br>
>>>>>> While it's
true the default answer is no, it leads one to<br>
>>>>>> believe that
DNS is central to IPA. Also the<br>
>>>>>>
ipa-client-install script says,<br>
>>>>>><br>
>>>>>>
[root@freeipa-poc-client02 ~]#
ipa-client-install<br>
>>>>>> DNS discovery
failed to determine your DNS domain<br>
>>>>>> Provide the
domain name of your IPA server (ex: <a
moz-do-not-send="true"
href="http://example.com" target="_blank">example.com</a><br>
>>>>>> <<a
moz-do-not-send="true"
href="http://example.com" target="_blank">http://example.com</a>>):<br>
>>>>>><br>
>>>>>> I can resolve
-anything- from the machine using dig or<br>
>> whatever.<br>
>>>>>><br>
>>>>>> Ultimately,
the reason I started to be concerned about my<br>
>>>>>> IPA server's
DNS config was because I was not able to<br>
>>>>>> authenticate
AD accounts to a client machine. I saw a bunch<br>
>>>>>> of errors in
the client's sssd logs which of course I can't<br>
>>>>>> find now.<br>
>>>>>><br>
>>>>>> Perhaps it
was these . . .<br>
>>>>>><br>
>>>>>> (Thu Dec 4
13:45:23 2014) [sssd] [ping_check] (0x0100):<br>
>>>>>> Service nss
replied to ping<br>
>>>>>> (Thu Dec 4
13:45:23 2014) [sssd] [ping_check] (0x0100):<br>
>>>>>> Service sudo
replied to ping<br>
>>>>>> (Thu Dec 4
13:45:23 2014) [sssd] [ping_check] (0x0100):<br>
>>>>>> Service pam
replied to ping<br>
>>>>>> (Thu Dec 4
13:45:23 2014) [sssd] [ping_check] (0x0100):<br>
>>>>>> Service ssh
replied to ping<br>
>>>>>> (Thu Dec 4
13:45:23 2014) [sssd] [ping_check] (0x0100):<br>
>>>>>> Service pac
replied to ping<br>
>>>>>> (Thu Dec 4
13:45:23 2014) [sssd] [ping_check] (0x0100):<br>
>>>>>> Service <a
moz-do-not-send="true"
href="http://bo3.e-bozo.com" target="_blank">bo3.e-bozo.com</a>
<<a moz-do-not-send="true"
href="http://bo3.e-bozo.com" target="_blank">http://bo3.e-bozo.com</a>>
replied to<br>
>> ping<br>
>>>>>><br>
>>>>>> I'm not
allowed onto the AD domain controllers to
examine<br>
>>>>>> log files or
I'd be checking those first.<br>
>>>>>><br>
>>>>>> So ultimately
the goal is to authenticate AD users and users<br>
>>>>>> that exist in
our ldap schema. We need to set up groups of<br>
>>>>>> users that
can run sudo commands on specific groups of
hosts.<br>
>>>>><br>
>>>>> Did you setup
trusts as explained on the following page?<br>
>>>>> <a
moz-do-not-send="true"
href="http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup"
target="_blank">http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup</a><br>
>>>>><br>
>>>>><br>
>>>>>><br>
>>>>>><br>
>>>>>><br>
>>>>>> On Wed, Dec
3, 2014 at 3:46 AM, Petr Spacek<br>
>>>>>> <<a
moz-do-not-send="true"
href="mailto:pspacek@redhat.com"
target="_blank">pspacek@redhat.com</a>
<mailto:<a moz-do-not-send="true"
href="mailto:pspacek@redhat.com"
target="_blank">pspacek@redhat.com</a>>>
wrote:<br>
>>>>>><br>
>>>>>> On
3.12.2014 04:35, Dmitri Pal wrote:<br>
>>>>>> > On
12/02/2014 08:54 PM, Matthew Herzog wrote:<br>
>>>>>> >>
Any other ideas? I just spun up a new VM and
took the<br>
>>>>>> defaults
on everything<br>
>>>>>> >>
while running ipa-server-install (the defaults
did<br>
>>>>>> make
sense) and my new VM<br>
>>>>>> >>
can't resolve -anything- in the domain in
which it<br>
>>>>>> lives.
The "old" VM<br>
>>>>>> >>
(running the same versions of everything on
the same<br>
>>>>>> OS) can't
even resolve<br>
>>>>>> >>
the clients I have registered with it!<br>
>>>>>> >><br>
>>>>>> >>
So I'm pretty frustrated and am wondering,
what<br>
>>>>>> _exactly_
is the role of<br>
>>>>>> >>
bind in the IPA server and how is it expected
to know<br>
>>>>>> anything
about the<br>
>>>>>> >>
local DNS domain without becoming a bind slave
server?<br>
>>>>>> ><br>
>>>>>> > I am
not sure I am 100% with you but...<br>
>>>>>> > If
you use the defaults and nothing else you get
to<br>
>>>>>> the
scenario when IPA has<br>
>>>>>> > its
DNS but it is a self contained environment. It<br>
>>>>>> seems
that this is what you<br>
>>>>>> >
observe.<br>
>>>>>> > It
is expected that you decide in advance what
you<br>
>>>>>> want to
do with DNS. There<br>
>>>>>> > are
several options:<br>
>>>>>> > 1)
You can delegate a zone to IPA to manage, then
you<br>
>>>>>> need to
connect your IPA<br>
>>>>>> > DNS
to your existing DNS during install or after.<br>
>>>>>> > In
this case the systems joined to IPA will be a
part<br>
>>>>>> of IPA
domain/zone and<br>
>>>>>> >
would also be able to resolve other systems
around<br>
>>>>>> > 2)
Not use IPA DNS if you do not want to take<br>
>>>>>> advantage
of it<br>
>>>>>> > 3)
Have a self contained demo/lab environment
that you<br>
>>>>>> currently
observe.<br>
>>>>>> ><br>
>>>>>> > What
is the intent?<br>
>>>>>><br>
>>>>>> I agree
with Dmitri, we need more information from
you:<br>
>>>>>> - You
said "my new VM can't resolve -anything- in
the<br>
>>>>>> domain in
which it<br>
>>>>>> lives." -
Which domain do you mean?<br>
>>>>>><br>
>>>>>> -
Apparently you have configured FreeIPA to
serve zone<br>
>>>>>> <a
moz-do-not-send="true"
href="http://e-bozo.com" target="_blank">e-bozo.com</a>
<<a moz-do-not-send="true"
href="http://e-bozo.com" target="_blank">http://e-bozo.com</a>>.
Do you have<br>
>>>>>> this zone
configured on some other DNS server at the<br>
>>>>>> same
time?<br>
>>>>>><br>
>>>>>> Please
keep in mind that authoritative servers should<br>
>>>>>> share the
database. You<br>
>>>>>> will get
naming collisions if <a
moz-do-not-send="true"
href="http://e-bozo.com" target="_blank">e-bozo.com</a><br>
>>>>>> <<a
moz-do-not-send="true"
href="http://e-bozo.com" target="_blank">http://e-bozo.com</a>>
is served by FreeIPA DNS servers and<br>
>>>>>> some
other servers at the same time. Maybe that is
the<br>
>>>>>> problem
you see right now.<br>
>>>>>><br>
>>>>>> As Dmitri
said, the architecturally correct solution is<br>
>>>>>> to decide
if you want<br>
>>>>>> to use
FreeIPA DNS or not. You have the option to either<br>
>>>>>> remove
non-FreeIPA DNS<br>
>>>>>> servers
and import data to FreeIPA or to add<br>
>>>>>>
FreeIPA-specific DNS records to<br>
>>>>>> existing
DNS servers and do not configure FreeIPA to
act<br>
>>>>>> as DNS
server.<br>
>>>>>><br>
>>>>>> Petr^2
Spacek<br>
>>>>>><br>
>>>>>> >>
Thanks.<br>
>>>>>> >><br>
>>>>>> >>
On Tue, Dec 2, 2014 at 11:58 AM, Petr Spacek<br>
>>>>>> <<a
moz-do-not-send="true"
href="mailto:pspacek@redhat.com"
target="_blank">pspacek@redhat.com</a>
<mailto:<a moz-do-not-send="true"
href="mailto:pspacek@redhat.com"
target="_blank">pspacek@redhat.com</a>><br>
>>>>>> >>
<mailto:<a moz-do-not-send="true"
href="mailto:pspacek@redhat.com"
target="_blank">pspacek@redhat.com</a><br>
>>>>>>
<mailto:<a moz-do-not-send="true"
href="mailto:pspacek@redhat.com"
target="_blank">pspacek@redhat.com</a>>>>
wrote:<br>
>>>>>> >><br>
>>>>>> >>
On 2.12.2014 17:36, Martin Basti wrote:<br>
>>>>>> >>
> On 02/12/14 17:28, Matthew Herzog
wrote:<br>
>>>>>> >>
>> I just realized that my IPA
servers cannot<br>
>>>>>> resolve
ANY servers<br>
>>>>>> >>
in my domain.<br>
>>>>>> >>
>> What do I need to do to fix this?
Below is my<br>
>>>>>>
named.conf.<br>
>>>>>> >>
>><br>
>>>>>> >>
>><br>
>>>>>> >>
>> options {<br>
>>>>>> >>
>> // turns on IPv6 for port 53,
IPv4 is on by<br>
>>>>>> default
for<br>
>>>>>> >>
all ifaces<br>
>>>>>> >>
>> listen-on-v6 {any;};<br>
>>>>>> >>
>><br>
>>>>>> >>
>> // Put files that named is
allowed to write<br>
>>>>>> in the<br>
>>>>>> >>
data/ directory:<br>
>>>>>> >>
>> directory "/var/named"; // the
default<br>
>>>>>> >>
>> dump-file "data/cache_dump.db";<br>
>>>>>> >>
>> statistics-file
"data/named_stats.txt";<br>
>>>>>> >>
>> memstatistics-file
"data/named_mem_stats.txt";<br>
>>>>>> >>
>><br>
>>>>>> >>
>> forward first;<br>
>>>>>> >>
>> forwarders {<br>
>>>>>> >>
>> 10.100.8.41;<br>
>>>>>> >>
>> 10.100.8.40;<br>
>>>>>> >>
>> 10.100.4.13;<br>
>>>>>> >>
>> 10.100.4.14;<br>
>>>>>> >>
>> 10.100.4.19;<br>
>>>>>> >>
>> 10.100.4.44;<br>
>>>>>> >>
>> };<br>
>>>>>> >>
>><br>
>>>>>> >>
>> // Any host is permitted to issue
recursive<br>
>>>>>> queries<br>
>>>>>> >>
>> allow-recursion { any; };<br>
>>>>>> >>
>><br>
>>>>>> >>
>> tkey-gssapi-keytab
"/etc/named.keytab";<br>
>>>>>> >>
>> pid-file "/run/named/named.pid";<br>
>>>>>> >>
>> };<br>
>>>>>> >>
>><br>
>>>>>> >>
>> /* If you want to enable
debugging, eg. using<br>
>>>>>> the 'rndc
trace'<br>
>>>>>> >>
command,<br>
>>>>>> >>
>> * By default, SELinux policy does
not allow<br>
>>>>>> named to
modify<br>
>>>>>> >>
the /var/named<br>
>>>>>> >>
>> directory,<br>
>>>>>> >>
>> * so put the default debug log
file in data/ :<br>
>>>>>> >>
>> */<br>
>>>>>> >>
>> logging {<br>
>>>>>> >>
>> channel default_debug {<br>
>>>>>> >>
>> file "data/named.run";<br>
>>>>>> >>
>> severity dynamic;<br>
>>>>>> >>
>> print-time yes;<br>
>>>>>> >>
>> };<br>
>>>>>> >>
>> };<br>
>>>>>> >>
>> };<br>
>>>>>> >>
>><br>
>>>>>> >>
>> zone "." IN {<br>
>>>>>> >>
>> type hint;<br>
>>>>>> >>
>> file "<a moz-do-not-send="true"
href="http://named.ca" target="_blank">named.ca</a>
<<a moz-do-not-send="true"
href="http://named.ca" target="_blank">http://named.ca</a>><br>
>>>>>> <<a
moz-do-not-send="true"
href="http://named.ca" target="_blank">http://named.ca</a>>
<<a moz-do-not-send="true"
href="http://named.ca" target="_blank">http://named.ca</a>>";<br>
>>>>>> >>
>> };<br>
>>>>>> >>
>><br>
>>>>>> >>
>> include
"/etc/named.rfc1912.zones";<br>
>>>>>> >>
>><br>
>>>>>> >>
>> dynamic-db "ipa" {<br>
>>>>>> >>
>> library "ldap.so";<br>
>>>>>> >>
>> arg "uri<br>
>>>>>> >>
ldapi://%2fvar%2frun%2fslapd-BO3-E-BOZO-COM.socket";<br>
>>>>>> >>
>> arg "base cn=dns,
dc=bo3,dc=e-bozo,dc=com";<br>
>>>>>> >>
>> arg "fake_mname <a
moz-do-not-send="true"
href="http://freeipa-poc01.bo3.e-bozo.com"
target="_blank">freeipa-poc01.bo3.e-bozo.com</a><br>
>>>>>> <<a
moz-do-not-send="true"
href="http://freeipa-poc01.bo3.e-bozo.com"
target="_blank">http://freeipa-poc01.bo3.e-bozo.com</a>><br>
>>>>>> >>
<<a moz-do-not-send="true"
href="http://freeipa-poc01.bo3.e-bozo.com"
target="_blank">http://freeipa-poc01.bo3.e-bozo.com</a>><br>
>>>>>> >>
>> <<a moz-do-not-send="true"
href="http://freeipa-poc01.bo3.e-bozo.com"
target="_blank">http://freeipa-poc01.bo3.e-bozo.com</a>>.";<br>
>>>>>> >>
>> arg "auth_method sasl";<br>
>>>>>> >>
>> arg "sasl_mech GSSAPI";<br>
>>>>>> >>
>> arg "sasl_user<br>
>>>>>> DNS/<a
moz-do-not-send="true"
href="http://freeipa-poc01.bo3.e-bozo.com"
target="_blank">freeipa-poc01.bo3.e-bozo.com</a><br>
>>>>>> <<a
moz-do-not-send="true"
href="http://freeipa-poc01.bo3.e-bozo.com"
target="_blank">http://freeipa-poc01.bo3.e-bozo.com</a>><br>
>>>>>> >>
<<a moz-do-not-send="true"
href="http://freeipa-poc01.bo3.e-bozo.com"
target="_blank">http://freeipa-poc01.bo3.e-bozo.com</a>><br>
>>>>>> >>
>> <<a moz-do-not-send="true"
href="http://freeipa-poc01.bo3.e-bozo.com"
target="_blank">http://freeipa-poc01.bo3.e-bozo.com</a>>";<br>
>>>>>> >>
>> arg "serial_autoincrement yes";<br>
>>>>>> >>
>> };<br>
>>>>>> >>
>><br>
>>>>>> >>
>><br>
>>>>>> >>
>><br>
>>>>>> >>
>><br>
>>>>>> >>
> Hello,<br>
>>>>>> >>
><br>
>>>>>> >>
> which version ipa do you use? which
platform?<br>
>>>>>> Which
version<br>
>>>>>> >>
bind-dyndb-ldap?<br>
>>>>>> >>
><br>
>>>>>> >>
> Can you run these commands, and check
if there<br>
>>>>>> any
errors?<br>
>>>>>> >>
> ipactl status<br>
>>>>>> >>
> systemctl status named (respectively<br>
>>>>>>
journalctl -u named)<br>
>>>>>> >><br>
>>>>>> >>
We also may want to see information listed
on page<br>
>>>>>> >><br>
>>>>>><br>
>> <a moz-do-not-send="true"
href="https://fedorahosted.org/bind-dyndb-ldap/wiki/BugReporting"
target="_blank">https://fedorahosted.org/bind-dyndb-ldap/wiki/BugReporting</a><br>
<br>
--<br>
</div>
</div>
Petr^2 Spacek<br>
</blockquote>
</div>
<br>
<br clear="all">
<div><br>
</div>
</div>
</div>
<span class="">-- <br>
<div>
<div dir="ltr">If life gives you melons, you may be
dyslexic. </div>
</div>
</span></div>
</blockquote>
</div>
<br>
<br clear="all">
<div><br>
</div>
-- <br>
<div class="gmail_signature">
<div dir="ltr">If life gives you melons, you may be dyslexic.
</div>
</div>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
</blockquote>
<br>
<br>
<pre class="moz-signature" cols="72">--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.</pre>
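<br>
Added example (not part of the thread and not FreeIPA's own code): a checker for the records that have to land in the existing lnx.e-bozo.com zone when the IPA server is installed without --setup-dns. It parses a zone fragment, or the output of dig +noall +answer, and reports which of the LDAP, Kerberos and kpasswd SRV records and the _kerberos realm TXT record are missing or carry the wrong port, and whether the realm equals the DNS domain, which the AD-trust discussion above requires. The record set mirrors the sample zone ipa-server-install writes at the end of a non-DNS install; the exact list varies by IPA version, so compare against that file. The server name freeipa-poc01.lnx.e-bozo.com, its address and the sample zone text are constructed for illustration.<br>

```python
"""Check that a DNS zone fragment carries the records an IPA client needs to
find an IPA server for lnx.e-bozo.com by DNS discovery.

Added example for this thread, not code from the FreeIPA project. The record
set mirrors the LDAP, Kerberos and kpasswd SRV records plus the _kerberos TXT
realm record in the sample zone ipa-server-install produces; the server name
freeipa-poc01.lnx.e-bozo.com and its address are assumptions."""
import sys

# SRV owner prefix -> port an IPA client expects to find in the record.
REQUIRED_SRV = {
    "_ldap._tcp": 389,
    "_kerberos._tcp": 88,
    "_kerberos._udp": 88,
    "_kerberos-master._tcp": 88,
    "_kerberos-master._udp": 88,
    "_kpasswd._tcp": 464,
    "_kpasswd._udp": 464,
}

# Constructed sample of what gets pasted into the existing lnx.e-bozo.com zone.
# _kpasswd._udp is deliberately left out so the checker has something to report.
SAMPLE_ZONE = """\
$ORIGIN lnx.e-bozo.com.
$TTL 3600
_ldap._tcp             IN SRV 0 100 389 freeipa-poc01
_kerberos._tcp         IN SRV 0 100 88  freeipa-poc01
_kerberos._udp         IN SRV 0 100 88  freeipa-poc01
_kerberos-master._tcp  IN SRV 0 100 88  freeipa-poc01
_kerberos-master._udp  IN SRV 0 100 88  freeipa-poc01
_kpasswd._tcp          IN SRV 0 100 464 freeipa-poc01
_kerberos              IN TXT "LNX.E-BOZO.COM"   ; realm = upper-cased domain
freeipa-poc01          IN A   10.100.8.50        ; assumed address
"""


def qualify(name, origin):
    """Turn a zone-file name into a lower-case FQDN without the trailing dot."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name[:-1].lower()
    return f"{name}.{origin}".lower()


def parse_zone(text, origin):
    """Parse a minimal BIND-style zone fragment, or `dig +noall +answer`
    output, into (owner, rtype, rdata_fields) tuples. Handles $ORIGIN, $TTL,
    ';' comments, optional TTL/class fields, and a leading blank owner
    meaning 'same owner as the previous record'."""
    origin = origin.rstrip(".").lower()
    records, last_owner = [], None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip():
            continue
        fields = line.split()
        if fields[0] == "$ORIGIN":
            origin = fields[1].rstrip(".").lower()
            continue
        if fields[0] == "$TTL":
            continue
        if line[0].isspace():
            owner = last_owner
        else:
            owner = last_owner = qualify(fields.pop(0), origin)
        while fields and (fields[0].isdigit() or fields[0].upper() in ("IN", "CH", "HS")):
            fields.pop(0)                    # optional TTL and class
        rtype, rdata = fields[0].upper(), fields[1:]
        if rtype == "SRV" and len(rdata) == 4:
            rdata[3] = qualify(rdata[3], origin)   # absolute target name
        records.append((owner, rtype, rdata))
    return records


def check_ipa_records(zone_text, domain):
    """Return a list of problems; empty means every record IPA discovery
    needs for `domain` is present with the expected port and realm."""
    domain = domain.rstrip(".").lower()
    records = parse_zone(zone_text, domain)
    problems = []
    for prefix, port in REQUIRED_SRV.items():
        owner = f"{prefix}.{domain}"
        srv = [r for o, t, r in records if o == owner and t == "SRV"]
        if not srv:
            problems.append(f"missing SRV {owner}")
        for rdata in srv:                    # priority weight port target
            if len(rdata) != 4 or rdata[2] != str(port):
                problems.append(f"{owner}: expected port {port}, got {' '.join(rdata)}")
    txt = [r for o, t, r in records if o == f"_kerberos.{domain}" and t == "TXT"]
    if not txt:
        problems.append(f"missing TXT _kerberos.{domain} (Kerberos realm)")
    elif " ".join(txt[0]).strip('"').lower() != domain:
        problems.append(f"realm {' '.join(txt[0])} does not match DNS domain "
                        f"{domain}; an AD trust requires realm == upper-cased domain")
    return problems


if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_ZONE
    issues = check_ipa_records(text, "lnx.e-bozo.com")
    print("\n".join(issues) or "all IPA discovery records present")
```

Run it with no stdin to check the embedded sample, which reports the deliberately missing _kpasswd._udp record. Once the records are imported into the existing DNS servers, pipe in the output of dig +noall +answer for the SRV names and the _kerberos TXT name to confirm those servers actually answer with them; ipa-client-install's DNS discovery and SSSD look these records up, so a clean result here is the check to do before chasing client-side errors.<br>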
</body>
</html>