[Freeipa-users] DNS configuration

Matthew Herzog matthew.herzog at gmail.com
Mon Dec 8 03:10:59 UTC 2014


So should the FreeIPA server be authoritative for the Kerb. realm/DNS
domain or can it/should it be a slave DNS server instead? Or caching only?

On Sun, Dec 7, 2014 at 9:57 PM, Dmitri Pal <dpal at redhat.com> wrote:

>  On 12/07/2014 09:51 PM, Matthew Herzog wrote:
>
> What must be done in or on the ipa server with regard to DNS, if anything?
>
>  Our DNS works. It works well. We have four Linux DNS servers and two AD
> domain controllers that also do DNS.
>
>  So if we already have DNS working well in our domain, why do we want to
> manage DNS in IPA?
>
>
> Let us keep the discussion on the list.
> IPA when used with AD trust presents itself as a separate forest. AD
> thinks that it is working with another AD forest.
> For that to work we need to follow MSFT rules about relationship between
> Kerberos realm and DNS domain.
> AD assumes that for every trusted forest Kerberos realm = DNS domain. IPA
> makes it easy to do because it has integrated tools to manage IPA DNS
> domain.
> If you want to manage it yourself through your DNS you can do it, just
> more manual operations for you.
>
> HTH
>
> Thanks
> Dmitri
>
>
>
> On Sun, Dec 7, 2014 at 9:44 PM, Dmitri Pal <dpal at redhat.com> wrote:
>
>>  On 12/07/2014 06:44 PM, Matthew Herzog wrote:
>>
>> Thanks guys. I'm sorry for my delay in responding.
>>
>>  Firstly, I was under the impression (from reading the docs) that having
>> named running on IPA server was critical.
>>
>>
>>  Properly configured DNS is critical.
>> How you accomplish it is up to you.
>> IPA allows you to have a DNS server that would simplify DNS management
>> but it can be done manually too. This is why DNS is optional.
>>
>>
>>  Also, the first question the ipa-server-install script asks is, "Do you
>> want to configure integrated DNS (BIND)?" While it's true the default
>> answer is no, it leads one to believe that DNS is central to IPA. Also the
>> ipa-client-install script says,
>>
>>  [root at freeipa-poc-client02 ~]# ipa-client-install
>> DNS discovery failed to determine your DNS domain
>> Provide the domain name of your IPA server (ex: example.com):
>>
>>  I can resolve -anything- from the machine using dig or whatever.
>>
>>  Ultimately, the reason I started to be concerned about my IPA server's
>> DNS config was because I was not able to authenticate AD accounts to a
>> client machine. I saw a bunch of errors in the client's sssd logs which of
>> course I can't find now.
>>
>>  Perhaps it was these . . .
>>
>>  (Thu Dec  4 13:45:23 2014) [sssd] [ping_check] (0x0100): Service nss replied to ping
>> (Thu Dec  4 13:45:23 2014) [sssd] [ping_check] (0x0100): Service sudo replied to ping
>> (Thu Dec  4 13:45:23 2014) [sssd] [ping_check] (0x0100): Service pam replied to ping
>> (Thu Dec  4 13:45:23 2014) [sssd] [ping_check] (0x0100): Service ssh replied to ping
>> (Thu Dec  4 13:45:23 2014) [sssd] [ping_check] (0x0100): Service pac replied to ping
>> (Thu Dec  4 13:45:23 2014) [sssd] [ping_check] (0x0100): Service bo3.e-bozo.com replied to ping
>>
>>  I'm not allowed onto the AD domain controllers to examine log files or
>> I'd be checking those first.
>>
>>  So ultimately the goal is to authenticate AD users and users that exist
>> in our ldap schema. We need to set up groups of users that can run sudo
>> commands on specific groups of hosts.
>>
>>
>>  Did you set up trusts as explained on the following page?
>> http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup
>>
>>
>>
>>
>>
>> On Wed, Dec 3, 2014 at 3:46 AM, Petr Spacek <pspacek at redhat.com> wrote:
>>
>>> On 3.12.2014 04:35, Dmitri Pal wrote:
>>> > On 12/02/2014 08:54 PM, Matthew Herzog wrote:
>>> >> Any other ideas? I just spun up a new VM and took the defaults on
>>> >> everything while running ipa-server-install (the defaults did make
>>> >> sense) and my new VM can't resolve -anything- in the domain in which
>>> >> it lives. The "old" VM (running the same versions of everything on the
>>> >> same OS) can't even resolve the clients I have registered with it!
>>> >>
>>> >> So I'm pretty frustrated and am wondering, what _exactly_ is the role
>>> >> of bind in the IPA server and how is it expected to know anything
>>> >> about the local DNS domain without becoming a bind slave server?
>>> >
>>> > I am not sure I am 100% with you but...
>>> > If you use the defaults and nothing else you get to the scenario when
>>> > IPA has its DNS but it is a self-contained environment. It seems that
>>> > this is what you observe.
>>> > It is expected that you decide in advance what you want to do with
>>> > DNS. There are several options:
>>> > 1) You can delegate a zone to IPA to manage, then you need to connect
>>> > your IPA DNS to your existing DNS during install or after.
>>> > In this case the systems joined to IPA will be a part of the IPA
>>> > domain/zone and would also be able to resolve other systems around.
>>> > 2) Not use IPA DNS if you do not want to take advantage of it.
>>> > 3) Have a self-contained demo/lab environment that you currently
>>> > observe.
>>> >
>>> > What is the intent?
>>>
>>> I agree with Dmitri, we need more information from you:
>>> - You said "my new VM can't resolve -anything- in the domain in which it
>>> lives." - Which domain do you mean?
>>>
>>> - Apparently you have configured FreeIPA to serve zone e-bozo.com. Do
>>> you have this zone configured on some other DNS server at the same time?
>>>
>>> Please keep in mind that authoritative servers should share the
>>> database. You will get naming collisions if e-bozo.com is served by
>>> FreeIPA DNS servers and some other servers at the same time. Maybe that
>>> is the problem you see right now.
>>>
>>> As Dmitri said, the architecturally correct solution is to decide if you
>>> want to use FreeIPA DNS or not. You have the option to either remove
>>> non-FreeIPA DNS servers and import data to FreeIPA, or to add
>>> FreeIPA-specific DNS records to existing DNS servers and not configure
>>> FreeIPA to act as a DNS server.
>>>
>>> Petr^2 Spacek
>>>
>>> >> Thanks.
>>> >>
>>> >> On Tue, Dec 2, 2014 at 11:58 AM, Petr Spacek <pspacek at redhat.com> wrote:
>>> >>
>>> >>     On 2.12.2014 17:36, Martin Basti wrote:
>>> >>     > On 02/12/14 17:28, Matthew Herzog wrote:
>>> >>     >> I just realized that my IPA servers cannot resolve ANY servers
>>> >>     >> in my domain.
>>> >>     >> What do I need to do to fix this? Below is my named.conf.
>>> >>     >>
>>> >>     >>
>>> >>     >> options {
>>> >>     >>         // turns on IPv6 for port 53, IPv4 is on by default for all ifaces
>>> >>     >>         listen-on-v6 {any;};
>>> >>     >>
>>> >>     >>         // Put files that named is allowed to write in the data/ directory:
>>> >>     >>         directory "/var/named"; // the default
>>> >>     >>         dump-file  "data/cache_dump.db";
>>> >>     >>         statistics-file  "data/named_stats.txt";
>>> >>     >>         memstatistics-file "data/named_mem_stats.txt";
>>> >>     >>
>>> >>     >>         forward first;
>>> >>     >>         forwarders {
>>> >>     >>                 10.100.8.41;
>>> >>     >>                 10.100.8.40;
>>> >>     >>                 10.100.4.13;
>>> >>     >>                 10.100.4.14;
>>> >>     >>                 10.100.4.19;
>>> >>     >>                 10.100.4.44;
>>> >>     >>         };
>>> >>     >>
>>> >>     >>         // Any host is permitted to issue recursive queries
>>> >>     >>         allow-recursion { any; };
>>> >>     >>
>>> >>     >>         tkey-gssapi-keytab "/etc/named.keytab";
>>> >>     >>         pid-file "/run/named/named.pid";
>>> >>     >> };
>>> >>     >>
>>> >>     >> /* If you want to enable debugging, eg. using the 'rndc trace' command,
>>> >>     >>  * By default, SELinux policy does not allow named to modify the /var/named directory,
>>> >>     >>  * so put the default debug log file in data/ :
>>> >>     >>  */
>>> >>     >> logging {
>>> >>     >>         channel default_debug {
>>> >>     >>                 file "data/named.run";
>>> >>     >>                 severity dynamic;
>>> >>     >>                 print-time yes;
>>> >>     >>         };
>>> >>     >> };
>>> >>     >>
>>> >>     >> zone "." IN {
>>> >>     >>         type hint;
>>> >>     >>         file "named.ca";
>>> >>     >> };
>>> >>     >>
>>> >>     >> include "/etc/named.rfc1912.zones";
>>> >>     >>
>>> >>     >> dynamic-db "ipa" {
>>> >>     >>         library "ldap.so";
>>> >>     >>         arg "uri ldapi://%2fvar%2frun%2fslapd-BO3-E-BOZO-COM.socket";
>>> >>     >>         arg "base cn=dns, dc=bo3,dc=e-bozo,dc=com";
>>> >>     >>         arg "fake_mname freeipa-poc01.bo3.e-bozo.com.";
>>> >>     >>         arg "auth_method sasl";
>>> >>     >>         arg "sasl_mech GSSAPI";
>>> >>     >>         arg "sasl_user DNS/freeipa-poc01.bo3.e-bozo.com";
>>> >>     >>         arg "serial_autoincrement yes";
>>> >>     >> };
>>> >>     >>
>>> >>     >>
>>> >>     >>
>>> >>     >>
>>> >>     > Hello,
>>> >>     >
>>> >>     > Which version of IPA do you use? Which platform? Which version
>>> >>     > of bind-dyndb-ldap?
>>> >>     >
>>> >>     > Can you run these commands, and check if there are any errors?
>>> >>     > ipactl status
>>> >>     > systemctl status named  (respectively journalctl -u named)
>>> >>
>>> >>     We also may want to see information listed on page
>>> >>     https://fedorahosted.org/bind-dyndb-ldap/wiki/BugReporting
>>>
>>> --
>>>  Manage your subscription for the Freeipa-users mailing list:
>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>> Go To http://freeipa.org for more info on the project
>>>
>>
>>
>>
>>  --
>>  If life gives you melons, you may be dyslexic.
>>
>>
>>
>>
>>   --
>> Thank you,
>> Dmitri Pal
>>
>> Sr. Engineering Manager IdM portfolio
>> Red Hat, Inc.
>>
>>
>>
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager IdM portfolio
> Red Hat, Inc.
>
>


-- 
If life gives you melons, you may be dyslexic.
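As an added illustration of the second option discussed above (keeping DNS on the existing servers and adding the FreeIPA-specific records there) and of the "Kerberos realm = DNS domain" rule, the following Python is not code from the thread or from FreeIPA itself; it assumes the SRV/TXT record set that ipa-server-install prints for an externally managed zone (NTP omitted), and the bo3.e-bozo.com / freeipa-poc01 names and resolver answers are constructed sample data.

```python
# Added example (not from the thread or FreeIPA). Generates the SRV/TXT
# records an external DNS must carry for an IPA domain, and checks resolver
# answers the way ipa-client-install's DNS discovery does: an _ldap._tcp SRV
# record must exist and the _kerberos TXT realm must equal the upper-cased
# DNS domain (the "Kerberos realm = DNS domain" rule AD trust relies on).

SRV_PORTS = {  # service owner name -> port the IPA server listens on
    "_ldap._tcp": 389,
    "_kerberos._tcp": 88,
    "_kerberos._udp": 88,
    "_kerberos-master._tcp": 88,
    "_kerberos-master._udp": 88,
    "_kpasswd._tcp": 464,
    "_kpasswd._udp": 464,
}


def ipa_records(realm, server_fqdn):
    """Zone-file lines (owner names relative to the IPA domain) to add."""
    lines = ["%s IN SRV 0 100 %d %s." % (name, port, server_fqdn)
             for name, port in SRV_PORTS.items()]
    lines.append('_kerberos IN TXT "%s"' % realm)
    return lines


def check_discovery(domain, answers):
    """answers: {fqdn: (rrtype, rdata)} as returned by the resolver.
    Returns the problems that would make client discovery fail."""
    problems = []
    srv = answers.get("_ldap._tcp." + domain)
    if srv is None or srv[0] != "SRV":
        problems.append("no _ldap._tcp.%s SRV record" % domain)
    txt = answers.get("_kerberos." + domain)
    if txt is None or txt[0] != "TXT":
        problems.append("no _kerberos.%s TXT record" % domain)
    elif txt[1].strip('"') != domain.upper():
        problems.append("realm %s != DNS domain %s"
                        % (txt[1].strip('"'), domain.upper()))
    return problems


# Constructed sample answers (names taken from the thread): GOOD is what a
# correctly populated zone returns; BAD has the realm/domain mismatch.
GOOD = {
    "_ldap._tcp.bo3.e-bozo.com": ("SRV", "0 100 389 freeipa-poc01.bo3.e-bozo.com."),
    "_kerberos.bo3.e-bozo.com": ("TXT", '"BO3.E-BOZO.COM"'),
}
BAD = dict(GOOD, **{"_kerberos.bo3.e-bozo.com": ("TXT", '"E-BOZO.COM"')})
```

Feeding check_discovery with the answers dig returns for your own domain tells you whether a client's "DNS discovery failed" comes from missing records or from a realm that does not match the zone.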