[Freeipa-users] DNS configuration

Dmitri Pal dpal at redhat.com
Mon Dec 8 02:44:30 UTC 2014


On 12/07/2014 06:44 PM, Matthew Herzog wrote:
> Thanks guys. I'm sorry for my delay in responding.
>
> Firstly, I was under the impression (from reading the docs) that 
> having named running on IPA server was critical.

Properly configured DNS is critical.
How you accomplish it is up to you.
IPA allows you to have a DNS server that would simplify DNS management 
but it can be done manually too. This is why DNS is optional.


> Also, the first question the ipa-server-install script asks is, "Do 
> you want to configure integrated DNS (BIND)?" While it's true the 
> default answer is no, it leads one to believe that DNS is central to 
> IPA. Also the ipa-client-install script says,
>
> [root at freeipa-poc-client02 ~]# ipa-client-install
> DNS discovery failed to determine your DNS domain
> Provide the domain name of your IPA server (ex: example.com):
>
> I can resolve -anything- from the machine using dig or whatever.
>
> Ultimately, the reason I started to be concerned about my IPA server's 
> DNS config was because I was not able to authenticate AD accounts to a 
> client machine. I saw a bunch of errors in the client's sssd logs 
> which of course I can't find now.
>
> Perhaps it was these . . .
>
> (Thu Dec  4 13:45:23 2014) [sssd] [ping_check] (0x0100): Service nss 
> replied to ping
> (Thu Dec  4 13:45:23 2014) [sssd] [ping_check] (0x0100): Service sudo 
> replied to ping
> (Thu Dec  4 13:45:23 2014) [sssd] [ping_check] (0x0100): Service pam 
> replied to ping
> (Thu Dec  4 13:45:23 2014) [sssd] [ping_check] (0x0100): Service ssh 
> replied to ping
> (Thu Dec  4 13:45:23 2014) [sssd] [ping_check] (0x0100): Service pac 
> replied to ping
> (Thu Dec  4 13:45:23 2014) [sssd] [ping_check] (0x0100): Service 
> bo3.e-bozo.com replied to ping
>
> I'm not allowed onto the AD domain controllers to examine log files or 
> I'd be checking those first.
>
> So ultimately the goal is to authenticate AD users and users that 
> exist in our ldap schema. We need to set up groups of users that can 
> run sudo commands on specific groups of hosts.

Did you set up trusts as explained on the following page?
http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup

>
>
>
> On Wed, Dec 3, 2014 at 3:46 AM, Petr Spacek <pspacek at redhat.com> wrote:
>
>     On 3.12.2014 04:35, Dmitri Pal wrote:
>     > On 12/02/2014 08:54 PM, Matthew Herzog wrote:
>     >> Any other ideas? I just spun up a new VM and took the defaults on everything
>     >> while running ipa-server-install (the defaults did make sense) and my new VM
>     >> can't resolve -anything- in the domain in which it lives. The "old" VM
>     >> (running the same versions of everything on the same OS) can't even resolve
>     >> the clients I have registered with it!
>     >>
>     >> So I'm pretty frustrated and am wondering, what _exactly_ is the role of
>     >> bind in the IPA server and how is it expected to know anything about the
>     >> local DNS domain without becoming a bind slave server?
>     >
>     > I am not sure I am 100% with you but...
>     > If you use the defaults and nothing else you get to the scenario when IPA has
>     > its DNS but it is a self contained environment. It seems that this is what you
>     > observe.
>     > It is expected that you decide in advance what you want to do with DNS. There
>     > are several options:
>     > 1) You can delegate a zone to IPA to manage, then you need to connect your IPA
>     > DNS to your existing DNS during install or after.
>     > In this case the systems joined to IPA will be a part of IPA domain/zone and
>     > would also be able to resolve other systems around
>     > 2) Not use IPA DNS if you do not want to take advantage of it
>     > 3) Have a self contained demo/lab environment that you currently observe.
>     >
>     > What is the intent?
>
>     I agree with Dmitri, we need more information from you:
>     - You said "my new VM can't resolve -anything- in the domain in which it
>     lives." - Which domain do you mean?
>
>     - Apparently you have configured FreeIPA to serve zone e-bozo.com. Do you have
>     this zone configured on some other DNS server at the same time?
>
>     Please keep in mind that authoritative servers should share the database. You
>     will get naming collisions if e-bozo.com is served by FreeIPA DNS servers and
>     some other servers at the same time. Maybe that is the problem you see right now.
>
>     As Dmitri said, the architecturally correct solution is to decide if you want
>     to use FreeIPA DNS or not. You have option to either remove non-FreeIPA DNS
>     servers and import data to FreeIPA or to add FreeIPA-specific DNS records to
>     existing DNS servers and do not configure FreeIPA to act as DNS server.
>
>     Petr^2 Spacek
>
>     >> Thanks.
>     >>
>     >> On Tue, Dec 2, 2014 at 11:58 AM, Petr Spacek <pspacek at redhat.com> wrote:
>     >>
>     >>     On 2.12.2014 17:36, Martin Basti wrote:
>     >>     > On 02/12/14 17:28, Matthew Herzog wrote:
>     >>     >> I just realized that my IPA servers cannot resolve ANY servers in my domain.
>     >>     >> What do I need to do to fix this? Below is my named.conf.
>     >>     >>
>     >>     >>
>     >>     >> options {
>     >>     >>         // turns on IPv6 for port 53, IPv4 is on by default for all ifaces
>     >>     >>         listen-on-v6 {any;};
>     >>     >>
>     >>     >>         // Put files that named is allowed to write in the data/ directory:
>     >>     >>         directory "/var/named"; // the default
>     >>     >>         dump-file "data/cache_dump.db";
>     >>     >>         statistics-file "data/named_stats.txt";
>     >>     >>         memstatistics-file "data/named_mem_stats.txt";
>     >>     >>
>     >>     >>         forward first;
>     >>     >>         forwarders {
>     >>     >>                 10.100.8.41;
>     >>     >>                 10.100.8.40;
>     >>     >>                 10.100.4.13;
>     >>     >>                 10.100.4.14;
>     >>     >>                 10.100.4.19;
>     >>     >>                 10.100.4.44;
>     >>     >>         };
>     >>     >>
>     >>     >>         // Any host is permitted to issue recursive queries
>     >>     >>         allow-recursion { any; };
>     >>     >>
>     >>     >>         tkey-gssapi-keytab "/etc/named.keytab";
>     >>     >>         pid-file "/run/named/named.pid";
>     >>     >> };
>     >>     >>
>     >>     >> /* If you want to enable debugging, eg. using the 'rndc trace' command,
>     >>     >>  * By default, SELinux policy does not allow named to modify the /var/named directory,
>     >>     >>  * so put the default debug log file in data/ :
>     >>     >>  */
>     >>     >> logging {
>     >>     >>         channel default_debug {
>     >>     >>                 file "data/named.run";
>     >>     >>                 severity dynamic;
>     >>     >>                 print-time yes;
>     >>     >>         };
>     >>     >> };
>     >>     >>
>     >>     >> zone "." IN {
>     >>     >>         type hint;
>     >>     >>         file "named.ca";
>     >>     >> };
>     >>     >>
>     >>     >> include "/etc/named.rfc1912.zones";
>     >>     >>
>     >>     >> dynamic-db "ipa" {
>     >>     >>         library "ldap.so";
>     >>     >>         arg "uri ldapi://%2fvar%2frun%2fslapd-BO3-E-BOZO-COM.socket";
>     >>     >>         arg "base cn=dns, dc=bo3,dc=e-bozo,dc=com";
>     >>     >>         arg "fake_mname freeipa-poc01.bo3.e-bozo.com.";
>     >>     >>         arg "auth_method sasl";
>     >>     >>         arg "sasl_mech GSSAPI";
>     >>     >>         arg "sasl_user DNS/freeipa-poc01.bo3.e-bozo.com";
>     >>     >>         arg "serial_autoincrement yes";
>     >>     >> };
>     >>     >>
>     >>     >>
>     >>     >>
>     >>     >>
>     >>     > Hello,
>     >>     >
>     >>     > which version ipa do you use? which platform? Which version bind-dyndb-ldap?
>     >>     >
>     >>     > Can you run these commands, and check if there any errors?
>     >>     > ipactl status
>     >>     > systemctl status named  (respectively journalctl -u named)
>     >>
>     >>     We also may want to see information listed on page
>     >>     https://fedorahosted.org/bind-dyndb-ldap/wiki/BugReporting
>
>     --
>     Manage your subscription for the Freeipa-users mailing list:
>     https://www.redhat.com/mailman/listinfo/freeipa-users
>     Go To http://freeipa.org for more info on the project
>
>
>
>
> -- 
> If life gives you melons, you may be dyslexic.
>
>


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
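Added example, not from this thread and not FreeIPA's own code: a small Python model of the SRV-record discovery that ipa-client-install relies on, so the "DNS discovery failed to determine your DNS domain" message and Petr's split-authority warning can be reproduced offline. The assumption (labelled in the code) is that the client locates an IPA server by asking its configured resolver for _ldap._tcp.<domain> SRV records, starting with the host's own domain and walking up to the parents; the zone contents, host names and the in-memory "resolver views" are constructed for illustration, and the dig_srv helper is the only part that talks to a real resolver.

```python
"""Model of the SRV discovery ipa-client-install depends on.

Added example, not FreeIPA code. Assumption: the client looks for
_ldap._tcp.<domain> SRV records in its own domain and then in each parent
domain, through whatever resolver /etc/resolv.conf points at.
"""
import subprocess
from typing import Callable, Dict, List, Optional, Tuple

SrvRecord = Tuple[int, int, int, str]          # priority, weight, port, target
SrvLookup = Callable[[str], List[SrvRecord]]   # name -> SRV records (possibly empty)


def candidate_domains(hostname: str) -> List[str]:
    """Domains to try, most specific first. For a.b.c.d this yields b.c.d and c.d;
    a bare top-level label such as 'com' is never tried."""
    labels = hostname.rstrip(".").split(".")
    return [".".join(labels[i:]) for i in range(1, len(labels) - 1)]


def discover_ipa_domain(hostname: str, lookup_srv: SrvLookup) -> Optional[Tuple[str, List[SrvRecord]]]:
    """Return (domain, LDAP SRV records) for the first domain advertising an IPA
    LDAP service, or None, which is what the client reports as discovery failure."""
    for domain in candidate_domains(hostname):
        records = lookup_srv(f"_ldap._tcp.{domain}")
        if records:
            return domain, sorted(records)
    return None


def dig_srv(name: str) -> List[SrvRecord]:
    """Live lookup through the host's configured resolver, using dig so that no
    third-party Python module is required. Lines look like '0 100 389 host.'."""
    proc = subprocess.run(["dig", "+short", "SRV", name],
                          capture_output=True, text=True, timeout=10)
    records: List[SrvRecord] = []
    for line in proc.stdout.splitlines():
        parts = line.split()
        if len(parts) == 4:
            prio, weight, port, target = parts
            records.append((int(prio), int(weight), int(port), target.rstrip(".")))
    return records


def make_fake_resolver(view: Dict[str, List[SrvRecord]]) -> SrvLookup:
    """In-memory stand-in for a DNS server; models what a given client sees."""
    return lambda name: list(view.get(name.rstrip("."), []))


# Constructed data: the records the IPA-managed zone bo3.e-bozo.com holds ...
IPA_SERVER_VIEW: Dict[str, List[SrvRecord]] = {
    "_ldap._tcp.bo3.e-bozo.com": [(0, 100, 389, "freeipa-poc01.bo3.e-bozo.com")],
    "_kerberos._udp.bo3.e-bozo.com": [(0, 100, 88, "freeipa-poc01.bo3.e-bozo.com")],
}
# ... versus a client whose resolv.conf points at a corporate server that also
# claims authority for e-bozo.com but was never told about the IPA sub-zone (the
# split-authority case Petr warns about). Ordinary names still resolve there,
# which is why "dig works" does not rule this out; only the SRV records are gone.
CORPORATE_VIEW: Dict[str, List[SrvRecord]] = {}


def explain(hostname: str, lookup_srv: SrvLookup) -> str:
    """Human-readable result of discovery, listing exactly what was queried."""
    found = discover_ipa_domain(hostname, lookup_srv)
    if found is None:
        tried = ", ".join(f"_ldap._tcp.{d}" for d in candidate_domains(hostname))
        return f"DNS discovery failed: none of {tried} returned an SRV record"
    domain, records = found
    targets = ", ".join(f"{t}:{p}" for _, _, p, t in records)
    return f"IPA domain {domain} found via {targets}"


if __name__ == "__main__":
    client = "freeipa-poc-client02.bo3.e-bozo.com"   # constructed client name
    print(explain(client, make_fake_resolver(IPA_SERVER_VIEW)))
    print(explain(client, make_fake_resolver(CORPORATE_VIEW)))
    # Against the resolver of the machine this runs on (needs dig on PATH):
    # print(explain(client, dig_srv))
```

To check a real client, run it with dig_srv instead of the fake view: if the live call reports the failure while the IPA server's own dig answers for the same SRV names, the client is resolving through a server that does not carry the IPA zone, which is the situation the thread circles around.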
