[Freeipa-users] DNS configuration
Dmitri Pal
dpal at redhat.com
Mon Dec 8 02:44:30 UTC 2014
On 12/07/2014 06:44 PM, Matthew Herzog wrote:
> Thanks guys. I'm sorry for my delay in responding.
>
> Firstly, I was under the impression (from reading the docs) that
> having named running on IPA server was critical.
Properly configured DNS is critical.
How you accomplish it is up to you.
IPA allows you to have a DNS server that would simplify DNS management
but it can be done manually too. This is why DNS is optional.
> Also, the first question the ipa-server-install script asks is, "Do
> you want to configure integrated DNS (BIND)?" While it's true the
> default answer is no, it leads one to believe that DNS is central to
> IPA. Also the ipa-client-install script says,
>
> [root@freeipa-poc-client02 ~]# ipa-client-install
> DNS discovery failed to determine your DNS domain
> Provide the domain name of your IPA server (ex: example.com):
>
> I can resolve -anything- from the machine using dig or whatever.
>
> Ultimately, the reason I started to be concerned about my IPA server's
> DNS config was because I was not able to authenticate AD accounts to a
> client machine. I saw a bunch of errors in the client's sssd logs
> which of course I can't find now.
>
> Perhaps it was these . . .
>
> (Thu Dec 4 13:45:23 2014) [sssd] [ping_check] (0x0100): Service nss
> replied to ping
> (Thu Dec 4 13:45:23 2014) [sssd] [ping_check] (0x0100): Service sudo
> replied to ping
> (Thu Dec 4 13:45:23 2014) [sssd] [ping_check] (0x0100): Service pam
> replied to ping
> (Thu Dec 4 13:45:23 2014) [sssd] [ping_check] (0x0100): Service ssh
> replied to ping
> (Thu Dec 4 13:45:23 2014) [sssd] [ping_check] (0x0100): Service pac
> replied to ping
> (Thu Dec 4 13:45:23 2014) [sssd] [ping_check] (0x0100): Service
> bo3.e-bozo.com replied to ping
>
> I'm not allowed onto the AD domain controllers to examine log files or
> I'd be checking those first.
>
> So ultimately the goal is to authenticate AD users and users that
> exist in our ldap schema. We need to set up groups of users that can
> run sudo commands on specific groups of hosts.
Did you setup trusts as explained on the following page?
http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup
>
>
>
> On Wed, Dec 3, 2014 at 3:46 AM, Petr Spacek <pspacek at redhat.com> wrote:
>
> On 3.12.2014 04:35, Dmitri Pal wrote:
> > On 12/02/2014 08:54 PM, Matthew Herzog wrote:
> >> Any other ideas? I just spun up a new VM and took the defaults on
> >> everything while running ipa-server-install (the defaults did make
> >> sense) and my new VM can't resolve -anything- in the domain in which
> >> it lives. The "old" VM (running the same versions of everything on the
> >> same OS) can't even resolve the clients I have registered with it!
> >>
> >> So I'm pretty frustrated and am wondering, what _exactly_ is the role
> >> of bind in the IPA server and how is it expected to know anything
> >> about the local DNS domain without becoming a bind slave server?
> >
> > I am not sure I am 100% with you but...
> > If you use the defaults and nothing else you get to the scenario when
> > IPA has its DNS but it is a self contained environment. It seems that
> > this is what you observe.
> > It is expected that you decide in advance what you want to do with
> > DNS. There are several options:
> > 1) You can delegate a zone to IPA to manage, then you need to connect
> > your IPA DNS to your existing DNS during install or after.
> > In this case the systems joined to IPA will be a part of the IPA
> > domain/zone and would also be able to resolve other systems around.
> > 2) Not use IPA DNS if you do not want to take advantage of it.
> > 3) Have a self contained demo/lab environment that you currently
> > observe.
> >
> > What is the intent?
>
> I agree with Dmitri, we need more information from you:
> - You said "my new VM can't resolve -anything- in the domain in which it
> lives." - Which domain do you mean?
>
> - Apparently you have configured FreeIPA to serve zone e-bozo.com. Do you
> have this zone configured on some other DNS server at the same time?
>
> Please keep in mind that authoritative servers should share the database.
> You will get naming collisions if e-bozo.com is served by FreeIPA DNS
> servers and some other servers at the same time. Maybe that is the problem
> you see right now.
>
> As Dmitri said, the architecturally correct solution is to decide if you
> want to use FreeIPA DNS or not. You have the option to either remove
> non-FreeIPA DNS servers and import data to FreeIPA, or to add
> FreeIPA-specific DNS records to existing DNS servers and not configure
> FreeIPA to act as DNS server.
>
> Petr^2 Spacek
>
> >> Thanks.
> >>
> >> On Tue, Dec 2, 2014 at 11:58 AM, Petr Spacek <pspacek at redhat.com> wrote:
> >>
> >> On 2.12.2014 17:36, Martin Basti wrote:
> >> > On 02/12/14 17:28, Matthew Herzog wrote:
> >> >> I just realized that my IPA servers cannot resolve ANY servers in
> >> >> my domain. What do I need to do to fix this? Below is my named.conf.
> >> >>
> >> >>
> >> >> options {
> >> >>     // turns on IPv6 for port 53, IPv4 is on by default for all ifaces
> >> >>     listen-on-v6 {any;};
> >> >>
> >> >>     // Put files that named is allowed to write in the data/ directory:
> >> >>     directory "/var/named"; // the default
> >> >>     dump-file "data/cache_dump.db";
> >> >>     statistics-file "data/named_stats.txt";
> >> >>     memstatistics-file "data/named_mem_stats.txt";
> >> >>
> >> >>     forward first;
> >> >>     forwarders {
> >> >>         10.100.8.41;
> >> >>         10.100.8.40;
> >> >>         10.100.4.13;
> >> >>         10.100.4.14;
> >> >>         10.100.4.19;
> >> >>         10.100.4.44;
> >> >>     };
> >> >>
> >> >>     // Any host is permitted to issue recursive queries
> >> >>     allow-recursion { any; };
> >> >>
> >> >>     tkey-gssapi-keytab "/etc/named.keytab";
> >> >>     pid-file "/run/named/named.pid";
> >> >> };
> >> >>
> >> >> /* If you want to enable debugging, eg. using the 'rndc trace' command,
> >> >>  * By default, SELinux policy does not allow named to modify the /var/named directory,
> >> >>  * so put the default debug log file in data/ :
> >> >>  */
> >> >> logging {
> >> >>     channel default_debug {
> >> >>         file "data/named.run";
> >> >>         severity dynamic;
> >> >>         print-time yes;
> >> >>     };
> >> >> };
> >> >>
> >> >> zone "." IN {
> >> >>     type hint;
> >> >>     file "named.ca";
> >> >> };
> >> >>
> >> >> include "/etc/named.rfc1912.zones";
> >> >>
> >> >> dynamic-db "ipa" {
> >> >>     library "ldap.so";
> >> >>     arg "uri ldapi://%2fvar%2frun%2fslapd-BO3-E-BOZO-COM.socket";
> >> >>     arg "base cn=dns, dc=bo3,dc=e-bozo,dc=com";
> >> >>     arg "fake_mname freeipa-poc01.bo3.e-bozo.com.";
> >> >>     arg "auth_method sasl";
> >> >>     arg "sasl_mech GSSAPI";
> >> >>     arg "sasl_user DNS/freeipa-poc01.bo3.e-bozo.com";
> >> >>     arg "serial_autoincrement yes";
> >> >> };
> >> >>
> >> >>
> >> >>
> >> >>
> >> > Hello,
> >> >
> >> > which version ipa do you use? which platform? Which version
> >> > bind-dyndb-ldap?
> >> >
> >> > Can you run these commands, and check if there any errors?
> >> > ipactl status
> >> > systemctl status named (respectively journalctl -u named)
> >>
> >> We also may want to see information listed on page
> >> https://fedorahosted.org/bind-dyndb-ldap/wiki/BugReporting
>
> --
> If life gives you melons, you may be dyslexic.
>
>
--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
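Two settings in the posted options block deserve a second look from a security angle. `allow-recursion { any; };` on a server that listens on every interface (IPv4 by default, `listen-on-v6 { any; }` for IPv6) makes it an open recursive resolver for anyone who can reach port 53, and `forward first` silently falls back to iterative resolution via the root hints whenever a forwarder does not answer, so a broken or blocked forwarder shows up as slow and inconsistent answers rather than a clear failure. The tightened block below is an added illustration, not the installer's template and not part of the thread; the ACL ranges in it are assumptions, and the forwarder addresses are the ones from the posted file.

```conf
// As posted: anyone may recurse, and the roots are a silent fallback for the forwarders.
options {
    listen-on-v6 { any; };
    forward first;
    forwarders { 10.100.8.41; 10.100.8.40; 10.100.4.13; 10.100.4.14; 10.100.4.19; 10.100.4.44; };
    allow-recursion { any; };
    // remaining options as posted
};

// Tightened: recurse only for the networks this server is meant to serve (ranges assumed),
// and never bypass the corporate forwarders.  Authoritative answers for the IPA zone are
// still given to everyone, which is what clients and the AD trust need.
acl "ipa_clients" { 127.0.0.0/8; ::1/128; 10.100.0.0/16; };

options {
    listen-on-v6 { any; };
    forward only;
    forwarders { 10.100.8.41; 10.100.8.40; 10.100.4.13; 10.100.4.14; 10.100.4.19; 10.100.4.44; };
    allow-recursion { ipa_clients; };
    allow-query-cache { ipa_clients; };
    // remaining options as posted
};
```

The trade-off with `forward only` is that the IPA server resolves nothing outside its own zones when all forwarders are down, so the forwarder list must be the servers the site actually relies on; that is also why Petr asks which DNS servers hold e-bozo.com before suggesting any change.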
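The two checks this thread keeps circling back to, written out as an added example (not FreeIPA's or bind-dyndb-ldap's code): the SRV and TXT records that ipa-client-install's DNS discovery needs before it can determine the domain, and Petr's split-authority problem, a zone served both by IPA's LDAP-backed BIND and by some other server that does not carry the IPA records. Real lookups shell out to dig(1); the embedded sample data is constructed from the names in this thread, and the second name server corp-dns01.e-bozo.com, its missing records and the address 10.100.9.21 are assumptions made for the illustration.

```python
"""Pre-flight DNS checks for a FreeIPA domain (added example, not FreeIPA code)."""
import ipaddress
import json
import subprocess
import sys
from typing import Callable, Dict, List, Optional

# (owner name, RR type, server to ask or None for the system resolver)
# -> answers in `dig +short` form.  Injected so the checks can run on a fake.
Lookup = Callable[[str, str, Optional[str]], List[str]]


def dig_lookup(name: str, rrtype: str, server: Optional[str] = None) -> List[str]:
    """Real resolver: shell out to dig.  Empty list on NXDOMAIN, timeout or no dig."""
    cmd = ["dig", "+short", "+time=2", "+tries=1"]
    if server:
        cmd.append("@" + server)
    cmd += [name, rrtype]
    try:
        out = subprocess.run(cmd, capture_output=True, text=True, check=False).stdout
    except FileNotFoundError:
        return []
    return [ln.strip() for ln in out.splitlines() if ln.strip() and not ln.startswith(";")]


def discover(domain: str, lookup: Lookup = dig_lookup) -> Dict[str, object]:
    """The records ipa-client-install looks for before it will auto-detect a domain."""
    domain = domain.rstrip(".")
    problems: List[str] = []
    ldap_srv = lookup(f"_ldap._tcp.{domain}", "SRV", None)
    krb_srv = lookup(f"_kerberos._udp.{domain}", "SRV", None)
    realm_txt = lookup(f"_kerberos.{domain}", "TXT", None)

    # SRV answer in dig +short form: "priority weight port target."
    servers = sorted({rr.split()[3].rstrip(".") for rr in ldap_srv if len(rr.split()) == 4})
    if not servers:
        problems.append(f"no _ldap._tcp.{domain} SRV record; client discovery will fail")
    if not krb_srv:
        problems.append(f"no _kerberos._udp.{domain} SRV record")
    realm = realm_txt[0].strip('"') if realm_txt else None
    if realm is None:
        problems.append(f"no _kerberos.{domain} TXT record; realm cannot be discovered")

    # Each advertised server must resolve, and its PTR must point back at the same
    # name, otherwise GSSAPI against the server (and so SSSD's LDAP binds) fails.
    for host in servers:
        addrs = lookup(host, "A", None)
        if not addrs:
            problems.append(f"{host} is advertised in SRV but has no A record")
        for addr in addrs:
            ptr_name = ipaddress.ip_address(addr).reverse_pointer
            ptrs = [p.rstrip(".") for p in lookup(ptr_name, "PTR", None)]
            if host not in ptrs:
                problems.append(f"PTR for {addr} is {ptrs or 'missing'}, expected {host}")
    return {"servers": servers, "realm": realm, "problems": problems}


def split_authority(domain: str, lookup: Lookup = dig_lookup) -> Dict[str, object]:
    """Ask every NS of the zone for the IPA records and compare the answers.

    Two independent copies of the zone (IPA's and a hand-maintained one) give
    clients different answers depending on which server they hit: Petr's
    "naming collision".  SOA MNAME is deliberately not compared, because the
    posted named.conf sets fake_mname to the local server's own name.
    """
    domain = domain.rstrip(".")
    probes = [(f"_ldap._tcp.{domain}", "SRV"), (f"_kerberos.{domain}", "TXT")]
    nameservers = sorted(ns.rstrip(".") for ns in lookup(domain, "NS", None))
    answers: Dict[str, Dict[str, List[str]]] = {}
    for ns in nameservers:
        answers[ns] = {f"{n} {t}": sorted(lookup(n, t, ns)) for n, t in probes}
    signatures = {tuple((k, tuple(v)) for k, v in sorted(a.items())) for a in answers.values()}
    return {"nameservers": nameservers, "answers": answers, "consistent": len(signatures) <= 1}


# Constructed sample modelled on the thread.  corp-dns01.e-bozo.com and the
# address 10.100.9.21 are assumptions; corp-dns01 holds its own copy of the
# zone without the IPA records, so it answers nothing for the probes.
SAMPLE: Dict[tuple, List[str]] = {
    ("bo3.e-bozo.com", "NS", None): ["freeipa-poc01.bo3.e-bozo.com.", "corp-dns01.e-bozo.com."],
    ("_ldap._tcp.bo3.e-bozo.com", "SRV", None): ["0 100 389 freeipa-poc01.bo3.e-bozo.com."],
    ("_kerberos._udp.bo3.e-bozo.com", "SRV", None): ["0 100 88 freeipa-poc01.bo3.e-bozo.com."],
    ("_kerberos.bo3.e-bozo.com", "TXT", None): ['"BO3.E-BOZO.COM"'],
    ("freeipa-poc01.bo3.e-bozo.com", "A", None): ["10.100.9.21"],
    ("21.9.100.10.in-addr.arpa", "PTR", None): ["freeipa-poc01.bo3.e-bozo.com."],
    ("_ldap._tcp.bo3.e-bozo.com", "SRV", "freeipa-poc01.bo3.e-bozo.com"): ["0 100 389 freeipa-poc01.bo3.e-bozo.com."],
    ("_kerberos.bo3.e-bozo.com", "TXT", "freeipa-poc01.bo3.e-bozo.com"): ['"BO3.E-BOZO.COM"'],
}


def sample_lookup(name: str, rrtype: str, server: Optional[str] = None) -> List[str]:
    return SAMPLE.get((name.rstrip("."), rrtype, server), [])


if __name__ == "__main__":
    # No argument: run on the constructed sample.  With a domain: query for real.
    domain = sys.argv[1] if len(sys.argv) > 1 else "bo3.e-bozo.com"
    lookup = dig_lookup if len(sys.argv) > 1 else sample_lookup
    print(json.dumps({"discovery": discover(domain, lookup),
                      "authority": split_authority(domain, lookup)}, indent=2))
```

An empty `servers` list is the condition under which ipa-client-install gives up on discovery and prints the "DNS discovery failed to determine your DNS domain" prompt seen above, whatever else the host can resolve with dig. `consistent: false` is the naming-collision case Petr describes, and the fix is the one he gives: one authoritative copy of the zone, either IPA's with the other servers delegating to it, or the existing servers with the IPA records added and IPA's own DNS left unconfigured.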