[Freeipa-users] Using DHCPD with IPA

~Stack~ i.am.stack at gmail.com
Wed Jan 25 01:30:21 UTC 2012


Hello everyone!

Short update for those who have been helping me along both on and off
the list.
For the last week or so I have had problems getting IPA to integrate
into my network setup. It has been frustrating but I have learned so
much doing it. Today, I finally had that moment where things just
clicked and I realized I was trying to force IPA and BIND (named) to do
things that it was already trying to do. That was the source of all my
problems. By managing my DNS system *through* the IPA interface
*instead* of named.conf the vast majority of my problems went away. I
don't know why it took me so long to realize that IPA was /managing/
BIND and not just /adding to/ BIND but it did.

Current questions that have me stumped at the moment.

1) Where are the BIND configurations for IPA?

The problems I have been having stemmed from the fact that IPA adds just
a small blurb at the end of a very vanilla named.conf. Even though IPA
is managing my DNS zone and reverse zone, there is nothing in
named.conf. Therefore, when I tried to force-cram add my zones to BIND I
got lots of errors. As long as I manage my zones from the CLI or web
interface, things work, but when I tinker around with the vanilla
named.conf file (which does *not* list my IPA configured zones) things
break.

I poked around but couldn't figure out where this information was
stored. This was particularly confusing to me (I am not a named/dhcpd
expert by any means) since named.conf didn't include the zone
information and I was under the impression I had to include it so that I
could share my rndc-key between dhcpd and named (next question). This
very frustrating misunderstanding led to all my problems.

Back to the point of this question, where does IPA store its zone
information for named? I never found any good information in the docs on
this subject and would like to know for future reference.

2) How do I get dhcpd to update DNS?

Since I can't find the place to add rndc-keys to BIND, right now I have
to add every host manually in the web interface because dhcpd isn't
updating named. This is time consuming and a pain when dealing with
large amounts of systems. If I could figure out where the named zones
are stored in IPA I should be able to add my rndc-key and be OK, but
that gets back into question 1.

My /etc/dhcp/dhcpd.conf file is pretty basic but all the PXE clients
have host entries to match their MAC with the group that allows PXE
booting (ex: host pxe001.project.local{hardware ethernet
00:16:17:AB:E9:88; fixed-address 172.31.203.1}). Unless I manage both
this file and the IPA interface, the nodes have issues figuring out
their name. One or the other and the node has issues; both and it works.
I would really prefer not to manage two locations for all these nodes.

The normal way for dhcpd to talk to BIND(named) is by having a rndc-key.
However, me fighting with named.conf was the big part of my problems
before so I am hoping there is a simple way of doing this inside IPA.

Any ideas?

I did see an email in the list a few months back saying that adding
dhcpd to IPA was probably not going to happen because IPA isn't a
network manager, but I am pretty sure if you ask most people dhcp and
dns kinda go hand-in-hand. It should at least be easier to work with the
two if IPA is going to completely manage DNS. I found very little in my
search of the answer. Maybe I am still just too dumb in these matters to
figure it out right now. :-) At least I am learning new stuff!


3) The very first time when I PXEBoot/tftp/kickstart a machine and it
auto installs, everything works great. The ipa-client-install runs with
all my parameters and it just works. However, the second time the node
boots and installs, I get complaints that the system is already registered.

(fresh install)
# ipa-client-install --mkhomedir
...[snip]...
Joining realm failed: Host is already joined.
Installation failed. Rolling back changes.
IPA client is not configured on this system.

If I try to -f force it, I get errors and nothing seems to work.
# ipa-client-install --mkhomedir -f
...[snip]...
Joining realm failed: Host is already joined.
Use ipa-getkeytab to obtain a host principle for this server.
...[snip]...
Unable to find 'admin' user with 'getent passwd admin'!

For PXEboot nodes that may/will end up with a fresh install, how do I
best configure them in IPA? Automatically would be best.

Thanks!

~Stack~
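An added example, not part of the original post: the host stanzas described above (MAC plus fixed-address per PXE node) can be parsed out of dhcpd.conf and turned into `ipa host-add` calls, so each node is entered once and IPA creates the DNS records. It assumes `ipa host-add FQDN --ip-address=IP` is available in the reader's IPA version (an assumption, not something the post confirms), and the dhcpd.conf text below is constructed to match the post's stanza format.

```python
import re

# Constructed sample modelled on the stanza quoted in the post; not the author's real file.
# The second stanza is written on one line, as in the post, to show the parser copes with it.
SAMPLE_DHCPD_CONF = """
subnet 172.31.203.0 netmask 255.255.255.0 {
  range 172.31.203.100 172.31.203.200;
}
host pxe001.project.local {
  hardware ethernet 00:16:17:AB:E9:88;
  fixed-address 172.31.203.1;
}
host pxe002.project.local{hardware ethernet 00:16:17:AB:E9:89; fixed-address 172.31.203.2}
"""

# One match per "host NAME { ... }" stanza; the body cannot contain a closing brace.
HOST_RE = re.compile(r"\bhost\s+(?P<name>[\w.-]+)\s*\{(?P<body>[^}]*)\}", re.S)
MAC_RE = re.compile(r"hardware\s+ethernet\s+(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})")
IP_RE = re.compile(r"fixed-address\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})")


def parse_hosts(conf):
    """Return [(fqdn, mac, ip)] for every stanza that carries both a MAC and a fixed address.

    Stanzas missing either value are skipped rather than guessed, and a hostname seen twice
    is reported once so the same host is not registered twice.
    """
    seen, hosts = set(), []
    for m in HOST_RE.finditer(conf):
        mac, ip = MAC_RE.search(m.group("body")), IP_RE.search(m.group("body"))
        if not (mac and ip) or m.group("name") in seen:
            continue
        seen.add(m.group("name"))
        hosts.append((m.group("name"), mac.group("mac").lower(), ip.group("ip")))
    return hosts


def ipa_commands(hosts):
    """Build one 'ipa host-add' per host. With --ip-address (assumed option) IPA creates the
    A and PTR records itself, so the name is managed in one place instead of two."""
    return [f"ipa host-add {fqdn} --ip-address={ip}" for fqdn, _mac, ip in hosts]


if __name__ == "__main__":
    for cmd in ipa_commands(parse_hosts(SAMPLE_DHCPD_CONF)):
        print(cmd)
```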
