[Freeipa-users] DNS configuration
Petr Spacek
pspacek at redhat.com
Mon Dec 8 07:56:14 UTC 2014
On 8.12.2014 05:02, Dmitri Pal wrote:
> On 12/07/2014 10:10 PM, Matthew Herzog wrote:
>> So should the FreeIPA server be authoritative for the Kerb. realm/DNS domain
>> or can it/should it be a slave DNS server instead? Or caching only?
>
> IPA DNS can't be a slave so you either delegate a whole zone to it or manage
> IPA DNS domain via your own DNS server.
Generally, a "slave" is not allowed to make any changes, so it is useless in your
scenario.
You can run ipa-server-install *without* --setup-dns option and at the end of
installation it will produce DNS records which you have to manually add to
your existing DNS database.
Did you try that?
Petr^2 Spacek
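As a worked version of the advice above (an added example, not part of the thread and not FreeIPA's own tooling): when ipa-server-install runs without --setup-dns, it prints the path of a small records file that has to be merged into the zone your existing DNS servers serve. The script below prints that core record set for a given realm, domain, server and address in BIND zone-file syntax, and then checks an existing zone file for each of them, which is the check to run against your own DNS before pointing ipa-client-install at it. EXAMPLE.COM, example.com, ipa.example.com and 192.0.2.10 are placeholders; compare the output against the file your installer actually writes, since the exact set has varied between releases.

```shell
#!/bin/sh
# Added example, not from the thread or from FreeIPA's own tooling.
# Part 1 prints the service-location records a FreeIPA server needs in a zone
# that some other DNS server is authoritative for (ipa-server-install run
# without --setup-dns). Part 2 checks an existing zone file for those records.
# EXAMPLE.COM, example.com, ipa.example.com and 192.0.2.10 are placeholders.

# Print the core FreeIPA records in BIND zone-file syntax.
# Usage: ipa_dns_records REALM DOMAIN SERVER_FQDN SERVER_IPV4
ipa_dns_records() {
    realm=$1; domain=$2; host=$3; ip=$4
    cat <<EOF
; ldap server (ipa-client-install discovery starts here)
_ldap._tcp.${domain}.      IN SRV 0 100 389 ${host}.
; kerberos realm name
_kerberos.${domain}.       IN TXT "${realm}"
; kerberos KDC and password-change service
_kerberos._tcp.${domain}.  IN SRV 0 100 88  ${host}.
_kerberos._udp.${domain}.  IN SRV 0 100 88  ${host}.
_kpasswd._tcp.${domain}.   IN SRV 0 100 464 ${host}.
_kpasswd._udp.${domain}.   IN SRV 0 100 464 ${host}.
; CA (OCSP and CRL URIs in issued certificates point here)
ipa-ca.${domain}.          IN A   ${ip}
EOF
}

# Check a zone file for each record above; print what is missing and return
# non-zero if anything is. Owner names are matched at the start of a line
# with an optional TTL and class, so "name [ttl] [IN] TYPE" forms all match.
# Usage: check_ipa_records ZONEFILE DOMAIN
check_ipa_records() {
    zonefile=$1; domain=$2; missing=0
    for rec in \
        "_ldap._tcp.${domain}. SRV" \
        "_kerberos.${domain}. TXT" \
        "_kerberos._tcp.${domain}. SRV" \
        "_kerberos._udp.${domain}. SRV" \
        "_kpasswd._tcp.${domain}. SRV" \
        "_kpasswd._udp.${domain}. SRV" \
        "ipa-ca.${domain}. A"
    do
        name=${rec% *}; type=${rec##* }
        escaped=$(printf '%s' "$name" | sed 's/\./\\./g')
        pattern="^${escaped}[[:space:]]+([0-9]+[[:space:]]+)?(IN[[:space:]]+)?${type}[[:space:]]"
        if ! grep -Eq "$pattern" "$zonefile"; then
            echo "missing: $name $type"
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# Demo: generate the records for the placeholder server, check a complete
# zone file, then a copy with the kpasswd records left out (an omission that
# breaks password changes while logins keep working).
tmp=$(mktemp)
ipa_dns_records EXAMPLE.COM example.com ipa.example.com 192.0.2.10 > "$tmp"
check_ipa_records "$tmp" example.com && echo "complete zone: OK"
grep -v '^_kpasswd' "$tmp" > "$tmp.partial"
check_ipa_records "$tmp.partial" example.com || echo "partial zone: records missing"
rm -f "$tmp" "$tmp.partial"
```

The zone file check is static; once the records are live, the same question answered over the wire from a client is `dig +short SRV _ldap._tcp.example.com` and `dig +short TXT _kerberos.example.com`, which is where ipa-client-install's discovery begins. If those return nothing from the resolver the client actually uses, the installer falls back to asking for the domain interactively, exactly as in the client output quoted further down.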
>> On Sun, Dec 7, 2014 at 9:57 PM, Dmitri Pal <dpal at redhat.com> wrote:
>>
>> On 12/07/2014 09:51 PM, Matthew Herzog wrote:
>>> What must be done in or on the ipa server with regard to DNS, if
>>> anything?
>>>
>>> Our DNS works. It works well. We have four Linux DNS servers and
>>> two AD domain controllers that also do DNS.
>>>
>>> So if we already have DNS working well in our domain, why do we
>>> want to manage DNS in IPA?
>>
>> Let us keep the discussion on the list.
>> IPA when used with AD trust presents itself as a separate forest.
>> AD thinks that it is working with another AD forest.
>> For that to work we need to follow MSFT rules about relationship
>> between Kerberos realm and DNS domain.
>> AD assumes that for every trusted forest Kerberos realm = DNS
>> domain. IPA makes it easy to do because it has integrated tools to
>> manage IPA DNS domain.
>> If you want to manage it yourself through your DNS you can do it,
>> just more manual operations for you.
>>
>> HTH
>>
>> Thanks
>> Dmitri
>>
>>
>>>
>>> On Sun, Dec 7, 2014 at 9:44 PM, Dmitri Pal <dpal at redhat.com> wrote:
>>>
>>> On 12/07/2014 06:44 PM, Matthew Herzog wrote:
>>>> Thanks guys. I'm sorry for my delay in responding.
>>>>
>>>> Firstly, I was under the impression (from reading the docs)
>>>> that having named running on IPA server was critical.
>>>
>>> Properly configured DNS is critical.
>>> How you accomplish it is up to you.
>>> IPA allows you to have a DNS server that would simplify DNS
>>> management but it can be done manually too. This is why DNS
>>> is optional.
>>>
>>>
>>>> Also, the first question the ipa-server-install script asks
>>>> is, "Do you want to configure integrated DNS (BIND)? ."
>>>> While it's true the default answer is no, it leads one to
>>>> believe that DNS is central to IPA. Also the
>>>> ipa-client-install script says,
>>>>
>>>> [root at freeipa-poc-client02 ~]# ipa-client-install
>>>> DNS discovery failed to determine your DNS domain
>>>> Provide the domain name of your IPA server (ex: example.com):
>>>>
>>>> I can resolve -anything- from the machine using dig or whatever.
>>>>
>>>> Ultimately, the reason I started to be concerned about my
>>>> IPA server's DNS config was because I was not able to
>>>> authenticate AD accounts to a client machine. I saw a bunch
>>>> of errors in the client's sssd logs which of course I can't
>>>> find now.
>>>>
>>>> Perhaps it was these . . .
>>>>
>>>> (Thu Dec 4 13:45:23 2014) [sssd] [ping_check] (0x0100): Service nss replied to ping
>>>> (Thu Dec 4 13:45:23 2014) [sssd] [ping_check] (0x0100): Service sudo replied to ping
>>>> (Thu Dec 4 13:45:23 2014) [sssd] [ping_check] (0x0100): Service pam replied to ping
>>>> (Thu Dec 4 13:45:23 2014) [sssd] [ping_check] (0x0100): Service ssh replied to ping
>>>> (Thu Dec 4 13:45:23 2014) [sssd] [ping_check] (0x0100): Service pac replied to ping
>>>> (Thu Dec 4 13:45:23 2014) [sssd] [ping_check] (0x0100): Service bo3.e-bozo.com replied to ping
>>>>
>>>> I'm not allowed onto the AD domain controllers to examine
>>>> log files or I'd be checking those first.
>>>>
>>>> So ultimately the goal is to authenticate AD users and users
>>>> that exist in our ldap schema. We need to set up groups of
>>>> users that can run sudo commands on specific groups of hosts.
>>>
>>> Did you setup trusts as explained on the following page?
>>> http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup
>>>
>>>
>>>>
>>>>
>>>>
>>>> On Wed, Dec 3, 2014 at 3:46 AM, Petr Spacek <pspacek at redhat.com> wrote:
>>>>
>>>> On 3.12.2014 04:35, Dmitri Pal wrote:
>>>> > On 12/02/2014 08:54 PM, Matthew Herzog wrote:
>>>> >> Any other ideas? I just spun up a new VM and took the defaults on everything
>>>> >> while running ipa-server-install (the defaults did make sense) and my new VM
>>>> >> can't resolve -anything- in the domain in which it lives. The "old" VM
>>>> >> (running the same versions of everything on the same OS) can't even resolve
>>>> >> the clients I have registered with it!
>>>> >>
>>>> >> So I'm pretty frustrated and am wondering, what _exactly_ is the role of
>>>> >> bind in the IPA server and how is it expected to know anything about the
>>>> >> local DNS domain without becoming a bind slave server?
>>>> >
>>>> > I am not sure I am 100% with you but...
>>>> > If you use the defaults and nothing else you get to the scenario when IPA has
>>>> > its DNS but it is a self-contained environment. It seems that this is what you
>>>> > observe.
>>>> > It is expected that you decide in advance what you want to do with DNS. There
>>>> > are several options:
>>>> > 1) You can delegate a zone to IPA to manage, then you need to connect your IPA
>>>> > DNS to your existing DNS during install or after.
>>>> > In this case the systems joined to IPA will be a part of IPA domain/zone and
>>>> > would also be able to resolve other systems around.
>>>> > 2) Not use IPA DNS if you do not want to take advantage of it.
>>>> > 3) Have a self-contained demo/lab environment that you currently observe.
>>>> >
>>>> > What is the intent?
>>>>
>>>> I agree with Dmitri, we need more information from you:
>>>> - You said "my new VM can't resolve -anything- in the domain in which it
>>>> lives." - Which domain do you mean?
>>>>
>>>> - Apparently you have configured FreeIPA to serve zone e-bozo.com. Do you have
>>>> this zone configured on some other DNS server at the same time?
>>>>
>>>> Please keep in mind that authoritative servers should share the database. You
>>>> will get naming collisions if e-bozo.com is served by FreeIPA DNS servers and
>>>> some other servers at the same time. Maybe that is the problem you see right now.
>>>>
>>>> As Dmitri said, the architecturally correct solution is to decide if you want
>>>> to use FreeIPA DNS or not. You have the option to either remove non-FreeIPA DNS
>>>> servers and import the data into FreeIPA, or to add FreeIPA-specific DNS records
>>>> to the existing DNS servers and not configure FreeIPA to act as a DNS server.
>>>>
>>>> Petr^2 Spacek
>>>>
>>>> >> Thanks.
>>>> >>
>>>> >> On Tue, Dec 2, 2014 at 11:58 AM, Petr Spacek <pspacek at redhat.com> wrote:
>>>> >>
>>>> >> On 2.12.2014 17:36, Martin Basti wrote:
>>>> >> > On 02/12/14 17:28, Matthew Herzog wrote:
>>>> >> >> I just realized that my IPA servers cannot resolve ANY servers in my domain.
>>>> >> >> What do I need to do to fix this? Below is my named.conf.
>>>> >> >>
>>>> >> >>
>>>> >> >> options {
>>>> >> >>     // turns on IPv6 for port 53, IPv4 is on by default for all ifaces
>>>> >> >>     listen-on-v6 {any;};
>>>> >> >>
>>>> >> >>     // Put files that named is allowed to write in the data/ directory:
>>>> >> >>     directory "/var/named"; // the default
>>>> >> >>     dump-file "data/cache_dump.db";
>>>> >> >>     statistics-file "data/named_stats.txt";
>>>> >> >>     memstatistics-file "data/named_mem_stats.txt";
>>>> >> >>
>>>> >> >>     forward first;
>>>> >> >>     forwarders {
>>>> >> >>         10.100.8.41;
>>>> >> >>         10.100.8.40;
>>>> >> >>         10.100.4.13;
>>>> >> >>         10.100.4.14;
>>>> >> >>         10.100.4.19;
>>>> >> >>         10.100.4.44;
>>>> >> >>     };
>>>> >> >>
>>>> >> >>     // Any host is permitted to issue recursive queries
>>>> >> >>     allow-recursion { any; };
>>>> >> >>
>>>> >> >>     tkey-gssapi-keytab "/etc/named.keytab";
>>>> >> >>     pid-file "/run/named/named.pid";
>>>> >> >> };
>>>> >> >>
>>>> >> >> /* If you want to enable debugging, eg. using the 'rndc trace' command,
>>>> >> >>  * By default, SELinux policy does not allow named to modify the /var/named directory,
>>>> >> >>  * so put the default debug log file in data/ :
>>>> >> >>  */
>>>> >> >> logging {
>>>> >> >>     channel default_debug {
>>>> >> >>         file "data/named.run";
>>>> >> >>         severity dynamic;
>>>> >> >>         print-time yes;
>>>> >> >>     };
>>>> >> >> };
>>>> >> >>
>>>> >> >> zone "." IN {
>>>> >> >>     type hint;
>>>> >> >>     file "named.ca";
>>>> >> >> };
>>>> >> >>
>>>> >> >> include "/etc/named.rfc1912.zones";
>>>> >> >>
>>>> >> >> // bind-dyndb-ldap: serve the zones stored under cn=dns in the IPA LDAP tree
>>>> >> >> dynamic-db "ipa" {
>>>> >> >>     library "ldap.so";
>>>> >> >>     arg "uri ldapi://%2fvar%2frun%2fslapd-BO3-E-BOZO-COM.socket";
>>>> >> >>     arg "base cn=dns, dc=bo3,dc=e-bozo,dc=com";
>>>> >> >>     arg "fake_mname freeipa-poc01.bo3.e-bozo.com.";
>>>> >> >>     arg "auth_method sasl";
>>>> >> >>     arg "sasl_mech GSSAPI";
>>>> >> >>     arg "sasl_user DNS/freeipa-poc01.bo3.e-bozo.com";
>>>> >> >>     arg "serial_autoincrement yes";
>>>> >> >> };
>>>> >> >>
>>>> >> >>
>>>> >> >>
>>>> >> >>
>>>> >> > Hello,
>>>> >> >
>>>> >> > which version ipa do you use? which platform? Which version bind-dyndb-ldap?
>>>> >> >
>>>> >> > Can you run these commands, and check if there are any errors?
>>>> >> > ipactl status
>>>> >> > systemctl status named (respectively journalctl -u named)
>>>> >>
>>>> >> We also may want to see information listed on page
>>>> >> https://fedorahosted.org/bind-dyndb-ldap/wiki/BugReporting
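Two things in the named.conf quoted above deserve a look regardless of how the zone question is settled, and the script below (an added example, not from the thread or from FreeIPA) checks for them. `allow-recursion { any; };` combined with listening on all interfaces makes the server a recursive resolver for every host that can reach port 53, so unless a firewall limits that, it is an open resolver usable for amplification and a larger cache-poisoning surface. `forward first;` means that when the listed forwarders do not answer, named recurses from the root hints on its own rather than returning a failure, which hides forwarder outages and, on an internal network, rarely works anyway. Note also what forwarding never does: names inside a zone this server is authoritative for are answered from the LDAP-backed zone data and never sent to the forwarders, so if FreeIPA serves e-bozo.com while the existing servers hold the real host records for it, those hosts are unresolvable from the IPA server, which matches the collision Petr describes. The sample configuration in the script is a constructed, shortened stand-in for the quoted one; the 10.100.0.0/16 network in the hardened stanza is a placeholder for whatever client networks you actually serve.

```shell
#!/bin/sh
# Added example, not from the thread or from FreeIPA. audit_named_conf flags
# two settings visible in the named.conf quoted in the thread, and
# hardened_options prints a replacement options stanza. sample_weak_conf is a
# constructed, shortened stand-in for that configuration so this runs offline.

# Print one finding per line and return the number of findings as the exit
# status (0 = clean). Comments (// and #) are stripped first so commented-out
# directives are not counted; each directive is expected on a single line,
# which is how BIND's and FreeIPA's templates write them. "//" is only
# treated as a comment at line start or after whitespace, so "ldapi://" in
# the dynamic-db stanza survives.
audit_named_conf() {
    conf=$1; findings=0
    stripped=$(sed -E -e 's:(^|[[:space:]])//.*$::' -e 's:(^|[[:space:]])#.*$::' "$conf")
    if printf '%s\n' "$stripped" \
        | grep -Eq 'allow-recursion[[:space:]]*[{]([^}]*[[:space:];])?any[[:space:]]*;'; then
        echo "allow-recursion { any; }: any host that can reach port 53 may use this server as a recursive resolver (open resolver)"
        findings=$((findings + 1))
    fi
    if printf '%s\n' "$stripped" | grep -Eq 'forward[[:space:]]+first[[:space:]]*;'; then
        echo "forward first: when the forwarders fail, named recurses from the root hints itself instead of returning an error"
        findings=$((findings + 1))
    fi
    return $findings
}

# Hardened options stanza: recursion only for this host, its attached
# networks and the client networks listed explicitly (10.100.0.0/16 is a
# placeholder), and no fallback past the forwarders. The forwarder addresses
# are the first two from the quoted configuration.
hardened_options() {
    cat <<'EOF'
options {
    listen-on-v6 { any; };
    directory "/var/named";
    // Recursion only for localhost, directly attached networks and the
    // client networks you list here.
    allow-recursion { localhost; localnets; 10.100.0.0/16; };
    // Send everything outside the zones served here to the existing DNS
    // servers and do not fall back to the root hints.
    forward only;
    forwarders { 10.100.8.41; 10.100.8.40; };
    tkey-gssapi-keytab "/etc/named.keytab";
    pid-file "/run/named/named.pid";
};
EOF
}

# Constructed sample modelled on the quoted named.conf (shortened).
sample_weak_conf() {
    cat <<'EOF'
options {
    listen-on-v6 {any;};
    directory "/var/named";
    forward first;
    forwarders { 10.100.8.41; 10.100.8.40; };
    // Any host is permitted to issue recursive queries
    allow-recursion { any; };
    tkey-gssapi-keytab "/etc/named.keytab";
};
dynamic-db "ipa" {
    library "ldap.so";
    arg "uri ldapi://%2fvar%2frun%2fslapd-EXAMPLE-COM.socket";
    arg "auth_method sasl";
};
EOF
}

# Demo: audit the weak sample (two findings), then the hardened stanza (none).
weak=$(mktemp); hard=$(mktemp)
sample_weak_conf > "$weak"; hardened_options > "$hard"
audit_named_conf "$weak" || echo "weak config: $? finding(s)"
audit_named_conf "$hard" && echo "hardened config: clean"
rm -f "$weak" "$hard"
```

Run it against the real file with `audit_named_conf /etc/named.conf`, and validate any edited configuration with `named-checkconf` before restarting named. `forward only` is the right choice when the forwarders are the internal servers that know your private zones and the IPA server has no reason to talk to the root servers; if the server must resolve public names on its own when the forwarders are down, keep `forward first` but still restrict recursion.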