<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">On 12/08/2014 08:44 AM, Matthew Herzog
wrote:<br>
</div>
<blockquote
cite="mid:CABhyZ34Pbr4J6YDdLSmP=qPqAB7Pa=tWvw273aB-BNX4dRq-GQ@mail.gmail.com"
type="cite">
<div dir="ltr"><span style="font-size:17.77777862548828px">Petr
said, "You can run ipa-server-install *without* --setup-dns
option and at the end of</span><br
style="font-size:17.77777862548828px">
<span style="font-size:17.77777862548828px">installation it will
produce DNS records which you have to manually add to</span><br
style="font-size:17.77777862548828px">
<span style="font-size:17.77777862548828px">your existing DNS
database."</span><br style="font-size:17.77777862548828px">
<div><span style="font-size:17.77777862548828px"><br>
</span></div>
<div><span style="font-size:17.77777862548828px">I can't see how
this would be useful or which machines I would need to add
to our DNS. </span></div>
<div><span style="font-size:17.77777862548828px"><br>
</span></div>
<div><span style="font-size:17.77777862548828px">Perhaps I
should have explained that we are not going to set up a new
DNS domain for the ipa-managed servers. We have an Oracle
dsee7 server doing LDAP for our Linux servers and accounts.
We want to migrate to IPA so we don't have to maintain a
Linux/LDAP account for every user who needs access to Linux
servers. All of our users start with an account in AD and
since none of my </span><span
style="font-size:17.77777862548828px">predecessors </span><span
style="font-size:17.77777862548828px">knew about Winbind,
they set up dsee7.</span></div>
<div><span style="font-size:17.77777862548828px"><br>
</span></div>
<div><span style="font-size:17.77777862548828px">So I'm thinking
we'll need to import all our dsee7 accounts AND make it
possible for AD users to access the Linux systems without
needing to create them in IPA.</span></div>
</div>
</blockquote>
<br>
<br>
So the approach would be:<br>
<br>
1) Install IPA (do not migrate users)<br>
2) Establish trust with AD<br>
3) Start switching client configuration from using LDAP with dsee7
to SSSD pointing to IPA<br>
<br>
You do not need to migrate users.<br>
<br>
<blockquote
cite="mid:CABhyZ34Pbr4J6YDdLSmP=qPqAB7Pa=tWvw273aB-BNX4dRq-GQ@mail.gmail.com"
type="cite">
<div class="gmail_extra"><br>
<div class="gmail_quote">On Mon, Dec 8, 2014 at 2:56 AM, Petr
Spacek <span dir="ltr"><<a moz-do-not-send="true"
href="mailto:pspacek@redhat.com" target="_blank">pspacek@redhat.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex"><span
class="">On 8.12.2014 05:02, Dmitri Pal wrote:<br>
> On 12/07/2014 10:10 PM, Matthew Herzog wrote:<br>
>> So should the FreeIPA server be authoritative for
the Kerb. realm/DNS domain<br>
>> or can it/should it be a slave DNS server
instead? Or caching only?<br>
><br>
> IPA DNS can't be a slave so you either delegate a
whole zone to it or manage<br>
> IPA DNS domain via your own DNS server.<br>
<br>
</span>Generally, "slave" is not allowed to do any changes
so it is useless in your<br>
scenario.<br>
<br>
You can run ipa-server-install *without* --setup-dns option
and at the end of<br>
installation it will produce DNS records which you have to
manually add to<br>
your existing DNS database.<br>
<br>
Did you try that?<br>
<br>
Petr^2 Spacek<br>
<span class=""><br>
>> On Sun, Dec 7, 2014 at 9:57 PM, Dmitri Pal &lt;dpal@redhat.com&gt;<br>
</span><span class="">>> wrote:<br>
>><br>
>> On 12/07/2014 09:51 PM, Matthew Herzog wrote:<br>
>>> What must be done in or on the ipa server
with regard to DNS, if<br>
>>> anything?<br>
>>><br>
>>> Our DNS works. It works well. We have
four Linux DNS servers and<br>
>>> two AD domain controllers that also do
DNS.<br>
>>><br>
>>> So if we already have DNS working well in
our domain, why do we<br>
>>> want to manage DNS in IPA?<br>
>><br>
>> Let us keep the discussion on the list.<br>
>> IPA when used with AD trust presents itself
as a separate forest.<br>
>> AD thinks that it is working with another AD
forest.<br>
>> For that to work we need to follow MSFT rules
about relationship<br>
>> between Kerberos realm and DNS domain.<br>
>> AD assumes that for every trusted forest
Kerberos realm = DNS<br>
>> domain. IPA makes it easy to do because it
has integrated tools to<br>
>> manage IPA DNS domain.<br>
>> If you want to manage it yourself through
your DNS you can do it,<br>
>> just more manual operations for you.<br>
>><br>
>> HTH<br>
>><br>
>> Thanks<br>
>> Dmitri<br>
>><br>
>><br>
>>><br>
>>> On Sun, Dec 7, 2014 at 9:44 PM, Dmitri
Pal &lt;dpal@redhat.com&gt;<br>
</span><span class="">>>> wrote:<br>
>>><br>
>>> On 12/07/2014 06:44 PM, Matthew
Herzog wrote:<br>
>>>> Thanks guys. I'm sorry for my
delay in responding.<br>
>>>><br>
>>>> Firstly, I was under the
impression (from reading the docs)<br>
>>>> that having named running on IPA
server was critical.<br>
>>><br>
>>> Properly configured DNS is critical.<br>
>>> How you accomplish it is up to you.<br>
>>> IPA allows you to have a DNS server
that would simplify DNS<br>
>>> management but it can be done
manually too. This is why DNS<br>
>>> is optional.<br>
>>><br>
>>><br>
>>>> Also, the first question the
ipa-server-install script asks<br>
>>>> is, "Do you want to configure
integrated DNS (BIND)? ."<br>
>>>> While it's true the default
answer is no, it leads one to<br>
>>>> believe that DNS is central to
IPA. Also the<br>
>>>> ipa-client-install script says,<br>
>>>><br>
>>>> [root@freeipa-poc-client02 ~]#
ipa-client-install<br>
>>>> DNS discovery failed to determine
your DNS domain<br>
>>>> Provide the domain name of your
IPA server (ex: example.com):<br>
</span>
<span class="">>>>><br>
>>>> I can resolve -anything- from the
machine using dig or whatever.<br>
>>>><br>
>>>> Ultimately, the reason I started
to be concerned about my<br>
>>>> IPA server's DNS config was
because I was not able to<br>
>>>> authenticate AD accounts to a
client machine. I saw a bunch<br>
>>>> of errors in the client's sssd
logs which of course I can't<br>
>>>> find now.<br>
>>>><br>
>>>> Perhaps it was these . . .<br>
>>>><br>
>>>> (Thu Dec 4 13:45:23 2014) [sssd]
[ping_check] (0x0100):<br>
>>>> Service nss replied to ping<br>
>>>> (Thu Dec 4 13:45:23 2014) [sssd]
[ping_check] (0x0100):<br>
>>>> Service sudo replied to ping<br>
>>>> (Thu Dec 4 13:45:23 2014) [sssd]
[ping_check] (0x0100):<br>
>>>> Service pam replied to ping<br>
>>>> (Thu Dec 4 13:45:23 2014) [sssd]
[ping_check] (0x0100):<br>
>>>> Service ssh replied to ping<br>
>>>> (Thu Dec 4 13:45:23 2014) [sssd]
[ping_check] (0x0100):<br>
>>>> Service pac replied to ping<br>
>>>> (Thu Dec 4 13:45:23 2014) [sssd]
[ping_check] (0x0100):<br>
</span>>>>> Service bo3.e-bozo.com replied to
ping<br>
<span class="">>>>><br>
>>>> I'm not allowed onto the AD
domain controllers to examine<br>
>>>> log files or I'd be checking
those first.<br>
>>>><br>
>>>> So ultimately the goal is to
authenticate AD users and users<br>
>>>> that exist in our ldap schema. We
need to set up groups of<br>
>>>> users that can run sudo commands
on specific groups of hosts.<br>
>>><br>
>>> Did you set up trusts as explained on
the following page?<br>
>>> <a moz-do-not-send="true"
href="http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup"
target="_blank">http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup</a><br>
>>><br>
>>><br>
>>>><br>
>>>><br>
>>>><br>
>>>> On Wed, Dec 3, 2014 at 3:46 AM,
Petr Spacek<br>
</span>
<div>
<div class="h5">>>>> &lt;pspacek@redhat.com&gt;
wrote:<br>
>>>><br>
>>>> On 3.12.2014 04:35, Dmitri
Pal wrote:<br>
>>>> > On 12/02/2014 08:54
PM, Matthew Herzog wrote:<br>
>>>> >> Any other ideas? I
just spun up a new VM and took the<br>
>>>> defaults on everything<br>
>>>> >> while running
ipa-server-install (the defaults did<br>
>>>> make sense) and my new VM<br>
>>>> >> can't resolve
-anything- in the domain in which it<br>
>>>> lives. The "old" VM<br>
>>>> >> (running the same
versions of everything on the same<br>
>>>> OS) can't even resolve<br>
>>>> >> the clients I have
registered with it!<br>
>>>> >><br>
>>>> >> So I'm pretty
frustrated and am wondering, what<br>
>>>> _exactly_ is the role of<br>
>>>> >> bind in the IPA
server and how is it expected to know<br>
>>>> anything about the<br>
>>>> >> local DNS domain
without becoming a bind slave server?<br>
>>>> ><br>
>>>> > I am not sure I am
100% with you but...<br>
>>>> > If you use the
defaults and nothing else you get to<br>
>>>> the scenario when IPA has<br>
>>>> > its DNS but it is a
self contained environment. It<br>
>>>> seems that this is what you<br>
>>>> > observe.<br>
>>>> > It is expected that
you decide in advance what you<br>
>>>> want to do with DNS. There<br>
>>>> > are several options:<br>
>>>> > 1) You can delegate a
zone to IPA to manage, then you<br>
>>>> need to connect your IPA<br>
>>>> > DNS to your existing
DNS during install or after.<br>
>>>> > In this case the
systems joined to IPA will be a part<br>
>>>> of IPA domain/zone and<br>
>>>> > would also be able to
resolve other systems around<br>
>>>> > 2) Not use IPA DNS if
you do not want to take<br>
>>>> advantage of it<br>
>>>> > 3) Have a self
contained demo/lab environment that you<br>
>>>> currently observe.<br>
>>>> ><br>
>>>> > What is the intent?<br>
>>>><br>
>>>> I agree with Dmitri, we
need more information from you:<br>
>>>> - You said "my new VM can't
resolve -anything- in the<br>
>>>> domain in which it<br>
>>>> lives." - Which domain do
you mean?<br>
>>>><br>
>>>> - Apparently you have
configured FreeIPA to serve zone<br>
</div>
</div>
>>>> e-bozo.com. Do you have<br>
<span class="">>>>> this zone
configured on some other DNS server at the<br>
>>>> same time?<br>
>>>><br>
>>>> Please keep in mind that
authoritative servers should<br>
>>>> share the database. You<br>
>>>> will get naming collisions if
e-bozo.com<br>
</span>>>>> is served by
FreeIPA DNS servers and<br>
<span class="">>>>> some other
servers at the same time. Maybe that is the<br>
>>>> problem you see right now.<br>
>>>><br>
>>>> As Dmitri said, the
architecturally correct solution is<br>
>>>> to decide if you want<br>
>>>> to use FreeIPA DNS or not.
You have the option to either<br>
>>>> remove non-FreeIPA DNS<br>
>>>> servers and import data to
FreeIPA or to add<br>
>>>> FreeIPA-specific DNS records
to<br>
>>>> existing DNS servers and do
not configure FreeIPA to act<br>
>>>> as DNS server.<br>
>>>><br>
>>>> Petr^2 Spacek<br>
>>>><br>
>>>> >> Thanks.<br>
>>>> >><br>
>>>> >> On Tue, Dec 2, 2014
at 11:58 AM, Petr Spacek<br>
>>>> &lt;pspacek@redhat.com&gt;<br>
</span>
<div class="HOEnZb">
<div class="h5">>>>> wrote:<br>
>>>> >><br>
>>>> >> On 2.12.2014
17:36, Martin Basti wrote:<br>
>>>> >> > On
02/12/14 17:28, Matthew Herzog wrote:<br>
>>>> >> >> I
just realized that my IPA servers cannot<br>
>>>> resolve ANY servers<br>
>>>> >> in my domain.<br>
>>>> >> >> What
do I need to do to fix this? Below is my<br>
>>>> named.conf.<br>
>>>> >> >><br>
>>>> >> >><br>
<pre>>>>> >> >> options {
>>>> >> >>     // turns on IPv6 for port 53, IPv4 is on by default for all ifaces
>>>> >> >>     listen-on-v6 {any;};
>>>> >> >>
>>>> >> >>     // Put files that named is allowed to write in the data/ directory:
>>>> >> >>     directory "/var/named"; // the default
>>>> >> >>     dump-file "data/cache_dump.db";
>>>> >> >>     statistics-file "data/named_stats.txt";
>>>> >> >>     memstatistics-file "data/named_mem_stats.txt";
>>>> >> >>
>>>> >> >>     forward first;
>>>> >> >>     forwarders {
>>>> >> >>         10.100.8.41;
>>>> >> >>         10.100.8.40;
>>>> >> >>         10.100.4.13;
>>>> >> >>         10.100.4.14;
>>>> >> >>         10.100.4.19;
>>>> >> >>         10.100.4.44;
>>>> >> >>     };
>>>> >> >>
>>>> >> >>     // Any host is permitted to issue recursive queries
>>>> >> >>     allow-recursion { any; };
>>>> >> >>
>>>> >> >>     tkey-gssapi-keytab "/etc/named.keytab";
>>>> >> >>     pid-file "/run/named/named.pid";
>>>> >> >> };
>>>> >> >>
>>>> >> >> /* If you want to enable debugging, eg. using the 'rndc trace' command,
>>>> >> >>  * By default, SELinux policy does not allow named to modify the /var/named directory,
>>>> >> >>  * so put the default debug log file in data/ :
>>>> >> >>  */
>>>> >> >> logging {
>>>> >> >>     channel default_debug {
>>>> >> >>         file "data/named.run";
>>>> >> >>         severity dynamic;
>>>> >> >>         print-time yes;
>>>> >> >>     };
>>>> >> >> };
>>>> >> >>
>>>> >> >> zone "." IN {
>>>> >> >>     type hint;
>>>> >> >>     file "named.ca";
>>>> >> >> };
>>>> >> >>
>>>> >> >> include "/etc/named.rfc1912.zones";
>>>> >> >>
>>>> >> >> dynamic-db "ipa" {
>>>> >> >>     library "ldap.so";
>>>> >> >>     arg "uri ldapi://%2fvar%2frun%2fslapd-BO3-E-BOZO-COM.socket";
>>>> >> >>     arg "base cn=dns, dc=bo3,dc=e-bozo,dc=com";
>>>> >> >>     arg "fake_mname freeipa-poc01.bo3.e-bozo.com.";
>>>> >> >>     arg "auth_method sasl";
>>>> >> >>     arg "sasl_mech GSSAPI";
>>>> >> >>     arg "sasl_user DNS/freeipa-poc01.bo3.e-bozo.com";
>>>> >> >>     arg "serial_autoincrement yes";
>>>> >> >> };</pre>
>>>> >> >><br>
>>>> >> >><br>
>>>> >> >><br>
>>>> >> >><br>
>>>> >> > Hello,<br>
>>>> >> ><br>
>>>> >> > Which
version of IPA do you use? Which platform?<br>
>>>> Which version of<br>
>>>> >>
bind-dyndb-ldap?<br>
>>>> >> ><br>
>>>> >> > Can you
run these commands, and check if there are<br>
>>>> any errors?<br>
>>>> >> > ipactl
status<br>
>>>> >> > systemctl
status named (respectively<br>
>>>> journalctl -u named)<br>
>>>> >><br>
>>>> >> We also may
want to see information listed on page<br>
>>>> >><br>
>>>> <a moz-do-not-send="true"
href="https://fedorahosted.org/bind-dyndb-ldap/wiki/BugReporting"
target="_blank">https://fedorahosted.org/bind-dyndb-ldap/wiki/BugReporting</a><br>
<br>
--<br>
Manage your subscription for the Freeipa-users mailing
list:<br>
<a moz-do-not-send="true"
href="https://www.redhat.com/mailman/listinfo/freeipa-users"
target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a><br>
Go To <a moz-do-not-send="true"
href="http://freeipa.org" target="_blank">http://freeipa.org</a>
for more info on the project<br>
</div>
</div>
</blockquote>
</div>
<br>
<br clear="all">
<div><br>
</div>
-- <br>
<div class="gmail_signature">
<div dir="ltr">If life gives you melons, you may be dyslexic.
</div>
</div>
</div>
<br>
<br>
</blockquote>
<br>
<br>
<pre class="moz-signature" cols="72">--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.</pre>
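The two checks the thread keeps coming back to (Petr: run ipa-server-install without --setup-dns and add the records it prints to the existing DNS; Dmitri: for an AD trust the Kerberos realm must equal the DNS domain), as an added example that is not part of the thread and not FreeIPA code. It parses a constructed records file in the BIND zone style the installer is assumed to write, compares it with constructed resolver answers, and lists the records to add or fix; hostnames are the ones from the thread, "oldkdc" is a placeholder.<br>

```python
"""Check an existing DNS zone for the records FreeIPA needs (added example,
not FreeIPA code). Input is BIND zone syntax, the format of the records file
ipa-server-install prints when run without --setup-dns (assumed)."""

def parse_records(text):
    """Return (name, type, rdata) per line; TTL and the IN class are optional."""
    records = []
    for line in text.splitlines():
        fields = line.split(";")[0].split()      # drop comments and blanks
        if not fields:
            continue
        name, rest = fields[0].lower(), fields[1:]
        if rest[0].isdigit():                    # optional TTL
            rest = rest[1:]
        if rest[0].upper() == "IN":              # optional class
            rest = rest[1:]
        records.append((name, rest[0].upper(), " ".join(rest[1:])))
    return records

def missing_records(expected, observed):
    """Expected records the existing DNS does not answer with. `observed`
    maps (name, type) to the set of rdata strings the resolver returned."""
    return [r for r in expected if r[2] not in observed.get(r[:2], set())]

def realm_matches_domain(records, domain):
    """AD trust needs Kerberos realm == DNS domain (upper-cased); the
    _kerberos TXT record carries the realm the IPA server advertises."""
    for name, rtype, rdata in records:
        if name == f"_kerberos.{domain}." and rtype == "TXT":
            return rdata.strip('"') == domain.upper()
    return False

# Constructed sample in the style of the ipa-server-install records file.
IPA_RECORDS = """\
_kerberos._tcp.bo3.e-bozo.com. 86400 IN SRV 0 100 88 freeipa-poc01.bo3.e-bozo.com.
_kerberos._udp.bo3.e-bozo.com. 86400 IN SRV 0 100 88 freeipa-poc01.bo3.e-bozo.com.
_kerberos.bo3.e-bozo.com. 86400 IN TXT "BO3.E-BOZO.COM"
_kpasswd._tcp.bo3.e-bozo.com. 86400 IN SRV 0 100 464 freeipa-poc01.bo3.e-bozo.com.
_ldap._tcp.bo3.e-bozo.com. 86400 IN SRV 0 100 389 freeipa-poc01.bo3.e-bozo.com.
"""

# Constructed resolver answers (what `dig +short` would return): _kpasswd is
# absent and _kerberos._tcp still names a stale host ("oldkdc" is a placeholder).
OBSERVED = {
    ("_kerberos._tcp.bo3.e-bozo.com.", "SRV"): {"0 100 88 oldkdc.bo3.e-bozo.com."},
    ("_kerberos._udp.bo3.e-bozo.com.", "SRV"): {"0 100 88 freeipa-poc01.bo3.e-bozo.com."},
    ("_kerberos.bo3.e-bozo.com.", "TXT"): {'"BO3.E-BOZO.COM"'},
    ("_ldap._tcp.bo3.e-bozo.com.", "SRV"): {"0 100 389 freeipa-poc01.bo3.e-bozo.com."},
}

def report():
    """Records that must be added or corrected in the existing DNS."""
    return [" ".join(r) for r in missing_records(parse_records(IPA_RECORDS), OBSERVED)]
```

Calling report() on the constructed data lists the stale _kerberos._tcp SRV record and the absent _kpasswd._tcp one; against a real zone, fill OBSERVED from dig output per name and type.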
</body>
</html>