[Freeipa-users] DNS configuration
Dmitri Pal
dpal at redhat.com
Mon Dec 8 04:02:00 UTC 2014
On 12/07/2014 10:10 PM, Matthew Herzog wrote:
> So should the FreeIPA server be authoritative for the Kerb. realm/DNS
> domain or can it/should it be a slave DNS server instead? Or caching only?
IPA DNS can't be a slave so you either delegate a whole zone to it or
manage IPA DNS domain via your own DNS server.
>
> On Sun, Dec 7, 2014 at 9:57 PM, Dmitri Pal <dpal at redhat.com> wrote:
>
> On 12/07/2014 09:51 PM, Matthew Herzog wrote:
>> What must be done in or on the ipa server with regard to DNS, if
>> anything?
>>
>> Our DNS works. It works well. We have four Linux DNS servers and
>> two AD domain controllers that also do DNS.
>>
>> So if we already have DNS working well in our domain, why do we
>> want to manage DNS in IPA?
>
> Let us keep the discussion on the list.
> IPA when used with AD trust presents itself as a separate forest.
> AD thinks that it is working with another AD forest.
> For that to work we need to follow MSFT rules about relationship
> between Kerberos realm and DNS domain.
> AD assumes that for every trusted forest Kerberos realm = DNS
> domain. IPA makes it easy to do because it has integrated tools to
> manage IPA DNS domain.
> If you want to manage it yourself through your DNS you can do it,
> just more manual operations for you.
>
> HTH
>
> Thanks
> Dmitri
>
>
>>
>> On Sun, Dec 7, 2014 at 9:44 PM, Dmitri Pal <dpal at redhat.com> wrote:
>>
>> On 12/07/2014 06:44 PM, Matthew Herzog wrote:
>>> Thanks guys. I'm sorry for my delay in responding.
>>>
>>> Firstly, I was under the impression (from reading the docs)
>>> that having named running on IPA server was critical.
>>
>> Properly configured DNS is critical.
>> How you accomplish it is up to you.
>> IPA allows you to have a DNS server that would simplify DNS
>> management but it can be done manually too. This is why DNS
>> is optional.
>>
>>
>>> Also, the first question the ipa-server-install script asks
>>> is, "Do you want to configure integrated DNS (BIND)? ."
>>> While it's true the default answer is no, it leads one to
>>> believe that DNS is central to IPA. Also the
>>> ipa-client-install script says,
>>>
>>> [root at freeipa-poc-client02 ~]# ipa-client-install
>>> DNS discovery failed to determine your DNS domain
>>> Provide the domain name of your IPA server (ex: example.com):
>>>
>>> I can resolve -anything- from the machine using dig or whatever.
>>>
>>> Ultimately, the reason I started to be concerned about my
>>> IPA server's DNS config was because I was not able to
>>> authenticate AD accounts to a client machine. I saw a bunch
>>> of errors in the client's sssd logs which of course I can't
>>> find now.
>>>
>>> Perhaps it was these . . .
>>>
>>> (Thu Dec 4 13:45:23 2014) [sssd] [ping_check] (0x0100): Service nss replied to ping
>>> (Thu Dec 4 13:45:23 2014) [sssd] [ping_check] (0x0100): Service sudo replied to ping
>>> (Thu Dec 4 13:45:23 2014) [sssd] [ping_check] (0x0100): Service pam replied to ping
>>> (Thu Dec 4 13:45:23 2014) [sssd] [ping_check] (0x0100): Service ssh replied to ping
>>> (Thu Dec 4 13:45:23 2014) [sssd] [ping_check] (0x0100): Service pac replied to ping
>>> (Thu Dec 4 13:45:23 2014) [sssd] [ping_check] (0x0100): Service bo3.e-bozo.com replied to ping
>>>
>>> I'm not allowed onto the AD domain controllers to examine
>>> log files or I'd be checking those first.
>>>
>>> So ultimately the goal is to authenticate AD users and users
>>> that exist in our ldap schema. We need to set up groups of
>>> users that can run sudo commands on specific groups of hosts.
>>
>> Did you setup trusts as explained on the following page?
>> http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup
>>
>>
>>>
>>>
>>>
>>> On Wed, Dec 3, 2014 at 3:46 AM, Petr Spacek <pspacek at redhat.com> wrote:
>>>
>>> On 3.12.2014 04:35, Dmitri Pal wrote:
>>> > On 12/02/2014 08:54 PM, Matthew Herzog wrote:
>>> >> Any other ideas? I just spun up a new VM and took the defaults on everything while running ipa-server-install (the defaults did make sense) and my new VM can't resolve -anything- in the domain in which it lives. The "old" VM (running the same versions of everything on the same OS) can't even resolve the clients I have registered with it!
>>> >>
>>> >> So I'm pretty frustrated and am wondering, what _exactly_ is the role of bind in the IPA server and how is it expected to know anything about the local DNS domain without becoming a bind slave server?
>>> >
>>> > I am not sure I am 100% with you but...
>>> > If you use the defaults and nothing else you get to the scenario where IPA has its DNS but it is a self-contained environment. It seems that this is what you observe.
>>> > It is expected that you decide in advance what you want to do with DNS. There are several options:
>>> > 1) You can delegate a zone to IPA to manage; then you need to connect your IPA DNS to your existing DNS during install or after. In this case the systems joined to IPA will be a part of the IPA domain/zone and would also be able to resolve other systems around.
>>> > 2) Not use IPA DNS if you do not want to take advantage of it.
>>> > 3) Have a self-contained demo/lab environment, which is what you currently observe.
>>> >
>>> > What is the intent?
>>>
>>> I agree with Dmitri, we need more information from you:
>>> - You said "my new VM can't resolve -anything- in the domain in which it lives." - Which domain do you mean?
>>>
>>> - Apparently you have configured FreeIPA to serve zone e-bozo.com. Do you have this zone configured on some other DNS server at the same time?
>>>
>>> Please keep in mind that authoritative servers should share the database. You will get naming collisions if e-bozo.com is served by FreeIPA DNS servers and some other servers at the same time. Maybe that is the problem you see right now.
>>>
>>> As Dmitri said, the architecturally correct solution is to decide if you want to use FreeIPA DNS or not. You have the option to either remove non-FreeIPA DNS servers and import the data into FreeIPA, or to add the FreeIPA-specific DNS records to the existing DNS servers and not configure FreeIPA to act as a DNS server.
>>>
>>> Petr^2 Spacek
>>>
>>> >> Thanks.
>>> >>
>>> >> On Tue, Dec 2, 2014 at 11:58 AM, Petr Spacek <pspacek at redhat.com> wrote:
>>> >>
>>> >> On 2.12.2014 17:36, Martin Basti wrote:
>>> >> > On 02/12/14 17:28, Matthew Herzog wrote:
>>> >> >> I just realized that my IPA servers cannot resolve ANY servers in my domain.
>>> >> >> What do I need to do to fix this? Below is my named.conf.
>>> >> >>
>>> >> >> options {
>>> >> >>     // turns on IPv6 for port 53, IPv4 is on by default for all ifaces
>>> >> >>     listen-on-v6 {any;};
>>> >> >>
>>> >> >>     // Put files that named is allowed to write in the data/ directory:
>>> >> >>     directory "/var/named"; // the default
>>> >> >>     dump-file "data/cache_dump.db";
>>> >> >>     statistics-file "data/named_stats.txt";
>>> >> >>     memstatistics-file "data/named_mem_stats.txt";
>>> >> >>
>>> >> >>     forward first;
>>> >> >>     forwarders {
>>> >> >>         10.100.8.41;
>>> >> >>         10.100.8.40;
>>> >> >>         10.100.4.13;
>>> >> >>         10.100.4.14;
>>> >> >>         10.100.4.19;
>>> >> >>         10.100.4.44;
>>> >> >>     };
>>> >> >>
>>> >> >>     // Any host is permitted to issue recursive queries
>>> >> >>     allow-recursion { any; };
>>> >> >>
>>> >> >>     tkey-gssapi-keytab "/etc/named.keytab";
>>> >> >>     pid-file "/run/named/named.pid";
>>> >> >> };
>>> >> >>
>>> >> >> /* If you want to enable debugging, eg. using the 'rndc trace' command,
>>> >> >>  * By default, SELinux policy does not allow named to modify the /var/named directory,
>>> >> >>  * so put the default debug log file in data/ :
>>> >> >>  */
>>> >> >> logging {
>>> >> >>     channel default_debug {
>>> >> >>         file "data/named.run";
>>> >> >>         severity dynamic;
>>> >> >>         print-time yes;
>>> >> >>     };
>>> >> >> };
>>> >> >>
>>> >> >> zone "." IN {
>>> >> >>     type hint;
>>> >> >>     file "named.ca";
>>> >> >> };
>>> >> >>
>>> >> >> include "/etc/named.rfc1912.zones";
>>> >> >>
>>> >> >> dynamic-db "ipa" {
>>> >> >>     library "ldap.so";
>>> >> >>     arg "uri ldapi://%2fvar%2frun%2fslapd-BO3-E-BOZO-COM.socket";
>>> >> >>     arg "base cn=dns, dc=bo3,dc=e-bozo,dc=com";
>>> >> >>     arg "fake_mname freeipa-poc01.bo3.e-bozo.com.";
>>> >> >>     arg "auth_method sasl";
>>> >> >>     arg "sasl_mech GSSAPI";
>>> >> >>     arg "sasl_user DNS/freeipa-poc01.bo3.e-bozo.com";
>>> >> >>     arg "serial_autoincrement yes";
>>> >> >> };
>>> >> >>
>>> >> > Hello,
>>> >> >
>>> >> > Which IPA version do you use? Which platform? Which bind-dyndb-ldap version?
>>> >> >
>>> >> > Can you run these commands and check if there are any errors?
>>> >> > ipactl status
>>> >> > systemctl status named (respectively journalctl -u named)
>>> >>
>>> >> We also may want to see the information listed on page
>>> >> https://fedorahosted.org/bind-dyndb-ldap/wiki/BugReporting
>>>
>>> --
>>> Manage your subscription for the Freeipa-users mailing list:
>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>> Go To http://freeipa.org for more info on the project
>>>
>>>
>>>
>>>
>>> --
>>> If life gives you melons, you may be dyslexic.
>>>
>>>
>>
>>
>> --
>> Thank you,
>> Dmitri Pal
>>
>> Sr. Engineering Manager IdM portfolio
>> Red Hat, Inc.
>>
>>
>
>
--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
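Two of the failure modes discussed above can be checked mechanically: the ipa-client-install "DNS discovery failed" prompt, which means the resolver the client uses does not return the service records for the IPA domain, and the naming collision Petr describes, where FreeIPA DNS and another authoritative server both claim the same zone with different databases. The script below is an added example written for this thread; it is not code from the thread, from FreeIPA or from bind-dyndb-ldap. It runs offline over constructed answers. The record names it requires are the LDAP/Kerberos SRV records and the _kerberos TXT record that FreeIPA publishes for its domain (an assumption taken from the FreeIPA documentation, not from this thread), and it also applies Dmitri's AD-trust rule that the Kerberos realm must equal the upper-cased DNS domain. The domain `ipa.example.test`, the hosts and the addresses are made up; a live check would issue the same lookups with dig against each resolver and feed the answers in.

```python
"""Offline checks for the two DNS problems discussed in this thread.

Added example, not code from the thread, from FreeIPA or from bind-dyndb-ldap.
  1. check_discovery(): are the records ipa-client-install's DNS discovery
     needs visible through a given resolver, and does the realm match the
     domain (AD trust rule from the thread)?
  2. find_collisions(): do two authoritative servers for one zone answer
     differently (the "naming collision" Petr warns about)?
All record data is constructed inline.
"""
from collections import defaultdict

# Owner names (relative to the IPA domain) and types discovery looks for.
# Assumption: taken from FreeIPA docs, not from this thread.
REQUIRED = [
    ("_ldap._tcp", "SRV"),
    ("_kerberos._tcp", "SRV"),
    ("_kerberos._udp", "SRV"),
    ("_kerberos", "TXT"),
]


def check_discovery(domain, zone):
    """Return a list of problems a client resolving through `zone` would hit.

    `zone` maps (owner, rrtype) -> list of rdata strings, i.e. the answers one
    resolver gives; a missing key or empty list means NXDOMAIN/NODATA.
    """
    problems = []
    for rel, rtype in REQUIRED:
        owner = f"{rel}.{domain}"
        if not zone.get((owner, rtype)):
            problems.append(f"missing {rtype} record at {owner}")
    # AD trust rule from the thread: Kerberos realm == DNS domain.
    realm = zone.get((f"_kerberos.{domain}", "TXT"), [])
    if realm and realm[0].strip('"') != domain.upper():
        problems.append(f"realm {realm[0]} != domain {domain.upper()}")
    # Every SRV target must have an address record the same resolver can see.
    for rel, rtype in REQUIRED:
        if rtype != "SRV":
            continue
        for rdata in zone.get((f"{rel}.{domain}", "SRV"), []):
            target = rdata.split()[-1].rstrip(".")
            if not zone.get((target, "A")) and not zone.get((target, "AAAA")):
                problems.append(f"SRV target {target} has no A/AAAA record")
    return problems


def find_collisions(answers):
    """Return (owner, rrtype) keys on which authoritative servers disagree.

    `answers` maps server name -> {(owner, rrtype): iterable of rdata}.
    A name that only one server knows, or that the servers answer
    differently, is reported: that is the split database to avoid.
    """
    by_key = defaultdict(dict)
    for server, rrsets in answers.items():
        for key, rdata in rrsets.items():
            by_key[key][server] = frozenset(rdata)
    collisions = []
    for key in sorted(by_key):
        per_server = by_key[key]
        if len(per_server) < len(answers) or len(set(per_server.values())) > 1:
            collisions.append(key)
    return collisions


# Constructed sample data: a delegated IPA domain and two views of it.
DOMAIN = "ipa.example.test"
IPA_HOST = f"ipa1.{DOMAIN}"
IPA_VIEW = {  # what the FreeIPA DNS server itself answers
    (f"_ldap._tcp.{DOMAIN}", "SRV"): [f"0 100 389 {IPA_HOST}."],
    (f"_kerberos._tcp.{DOMAIN}", "SRV"): [f"0 100 88 {IPA_HOST}."],
    (f"_kerberos._udp.{DOMAIN}", "SRV"): [f"0 100 88 {IPA_HOST}."],
    (f"_kerberos.{DOMAIN}", "TXT"): ['"IPA.EXAMPLE.TEST"'],
    (IPA_HOST, "A"): ["192.0.2.10"],
    (f"client1.{DOMAIN}", "A"): ["192.0.2.21"],
}
# A corporate server that also claims the zone but was only ever told
# about the IPA host: clients using it never see the SRV/TXT records.
CORP_VIEW = {
    (IPA_HOST, "A"): ["192.0.2.10"],
}

if __name__ == "__main__":
    print("IPA view:", check_discovery(DOMAIN, IPA_VIEW) or "ok")
    print("corp view:", check_discovery(DOMAIN, CORP_VIEW) or "ok")
    print("collisions:", find_collisions({"ipa-dns": IPA_VIEW, "corp-dns": CORP_VIEW}))
```

Run against the constructed data, the IPA view passes, the corporate view reports the four missing discovery records (exactly the situation behind the "DNS discovery failed" prompt), and the collision report lists every name that only the FreeIPA server knows, which is what a client hitting the other server sees as "cannot resolve". Fixing it is the choice Petr lays out: delegate the zone so only FreeIPA is authoritative, or copy the FreeIPA records into the existing servers and not run FreeIPA DNS at all.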