[Freeipa-users] DNS configuration
Matthew Herzog
matthew.herzog at gmail.com
Mon Dec 8 22:58:47 UTC 2014
Also, I just realized the AD I'm trying to connect to is of type Windows
2000. Yay!
On Mon, Dec 8, 2014 at 5:54 PM, Matthew Herzog <matthew.herzog at gmail.com>
wrote:
> OK, I deserve a slap. I had forgotten to set up the two-way trust again
> since the ipa-server-install --uninstall && reinstall. That's back in place.
>
> So I found Sumit Bose's https://www.youtube.com/watch?v=infot4cmZgM and
> realized I could not add groups to any new, external user group using the
> ipa server's web interface.
>
> Error in the GUI is, E-BOZO.COM\Domain Users: invalid 'trusted domain
> object': no trusted domain matched the specified flat name.
>
>
>
> On Mon, Dec 8, 2014 at 2:49 PM, Matthew Herzog <matthew.herzog at gmail.com>
> wrote:
>
>> sssd_<hostname>.log
>> (Mon Dec 8 14:46:54 2014) [sssd[be[bo3.e-bozo.com]]]
>> [sysdb_search_groups] (0x2000): No such entry
>> (Mon Dec 8 14:46:54 2014) [sssd[be[bo3.e-bozo.com]]]
>> [sysdb_delete_user] (0x0400): Error: 2 (No such file or directory)
>> (Mon Dec 8 14:46:54 2014) [sssd[be[bo3.e-bozo.com]]]
>> [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success
>> (Mon Dec 8 14:46:54 2014) [sssd[be[bo3.e-bozo.com]]]
>> [sdap_process_result] (0x2000): Trace: sh[0x17b0030], connected[1],
>> ops[(nil)], ldap[0x17ab240]
>> (Mon Dec 8 14:46:54 2014) [sssd[be[bo3.e-bozo.com]]]
>> [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
>> (Mon Dec 8 14:46:57 2014) [sssd[be[bo3.e-bozo.com]]] [sbus_dispatch]
>> (0x4000): dbus conn: 0x178eb70
>> (Mon Dec 8 14:46:57 2014) [sssd[be[bo3.e-bozo.com]]] [sbus_dispatch]
>> (0x4000): Dispatching.
>>
>>
>> On Mon, Dec 8, 2014 at 2:32 PM, Matthew Herzog <matthew.herzog at gmail.com>
>> wrote:
>>
>>> ipa-client-3.0.0-42.el6.x86_64 on OEL 6.5 (server has 3.3.3 IPA)
>>>
>>>
>>> On Mon, Dec 8, 2014 at 2:26 PM, Dmitri Pal <dpal at redhat.com> wrote:
>>>
>>>> On 12/08/2014 02:10 PM, Matthew Herzog wrote:
>>>>
>>>> Here are some errors I'm seeing on the client.
>>>>
>>>> tail -f sssd_lnx.e-bozo.com.log
>>>> (Mon Dec 8 14:03:20 2014) [sssd[be[lnx.e-bozo.com]]] [sbus_dispatch]
>>>> (0x4000): dbus conn: 0x1e72ad0
>>>> (Mon Dec 8 14:03:20 2014) [sssd[be[lnx.e-bozo.com]]] [sbus_dispatch]
>>>> (0x4000): Dispatching.
>>>> (Mon Dec 8 14:03:20 2014) [sssd[be[lnx.e-bozo.com]]]
>>>> [sbus_message_handler] (0x4000): Received SBUS method [ping]
>>>> (Mon Dec 8 14:03:20 2014) [sssd[be[lnx.e-bozo.com]]]
>>>> [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
>>>> (Mon Dec 8 14:03:20 2014) [sssd[be[lnx.e-bozo.com]]]
>>>> [sbus_handler_got_caller_id] (0x4000): Received SBUS method [ping]
>>>> (Mon Dec 8 14:03:30 2014) [sssd[be[lnx.e-bozo.com]]] [sbus_dispatch]
>>>> (0x4000): dbus conn: 0x1e72ad0
>>>> (Mon Dec 8 14:03:30 2014) [sssd[be[lnx.e-bozo.com]]] [sbus_dispatch]
>>>> (0x4000): Dispatching.
>>>> (Mon Dec 8 14:03:30 2014) [sssd[be[lnx.e-bozo.com]]]
>>>> [sbus_message_handler] (0x4000): Received SBUS method [ping]
>>>> (Mon Dec 8 14:03:30 2014) [sssd[be[lnx.e-bozo.com]]]
>>>> [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
>>>> (Mon Dec 8 14:03:30 2014) [sssd[be[lnx.e-bozo.com]]]
>>>> [sbus_handler_got_caller_id] (0x4000): Received SBUS method [ping]
>>>> (Mon Dec 8 14:03:40 2014) [sssd[be[lnx.e-bozo.com]]] [sbus_dispatch]
>>>> (0x4000): dbus conn: 0x1e72ad0
>>>> (Mon Dec 8 14:03:40 2014) [sssd[be[lnx.e-bozo.com]]] [sbus_dispatch]
>>>> (0x4000): Dispatching.
>>>>
>>>> [root at freeipa-poc-client02 sssd]# tail -f sssd_ssh.log
>>>> (Sun Dec 7 19:32:09 2014) [sssd[ssh]] [ssh_process_init] (0x0010):
>>>> sss_process_init() failed
>>>> (Sun Dec 7 19:32:09 2014) [sssd[ssh]] [sss_dp_init] (0x0010): Failed
>>>> to connect to monitor services.
>>>> (Sun Dec 7 19:32:09 2014) [sssd[ssh]] [sss_process_init] (0x0010):
>>>> fatal error setting up backend connector
>>>> (Sun Dec 7 19:32:09 2014) [sssd[ssh]] [ssh_process_init] (0x0010):
>>>> sss_process_init() failed
>>>> (Sun Dec 7 19:32:16 2014) [sssd[ssh]] [sss_dp_init] (0x0010): Failed
>>>> to connect to monitor services.
>>>> (Sun Dec 7 19:32:16 2014) [sssd[ssh]] [sss_process_init] (0x0010):
>>>> fatal error setting up backend connector
>>>> (Sun Dec 7 19:32:16 2014) [sssd[ssh]] [ssh_process_init] (0x0010):
>>>> sss_process_init() failed
>>>> (Sun Dec 7 19:32:16 2014) [sssd[ssh]] [sss_dp_init] (0x0010): Failed
>>>> to connect to monitor services.
>>>> (Sun Dec 7 19:32:16 2014) [sssd[ssh]] [sss_process_init] (0x0010):
>>>> fatal error setting up backend connector
>>>> (Sun Dec 7 19:32:16 2014) [sssd[ssh]] [ssh_process_init] (0x0010):
>>>> sss_process_init() failed
>>>>
>>>>
>>>> What is the version of the client?
>>>> Please add debug_level=9 to sssd.conf in different sections to raise the
>>>> verbosity of the log and see what is really going on there.
>>>> https://fedorahosted.org/sssd/wiki/FAQ#BasicsofTroubleshooting
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> On Mon, Dec 8, 2014 at 11:48 AM, Matthew Herzog <
>>>> matthew.herzog at gmail.com> wrote:
>>>>
>>>>> I have never seen my IPA servers produce a zone file nor has the
>>>>> install script ever mentioned the creation of such. In fact, I just ran
>>>>> ipa-server-install --uninstall && ipa-server-install and there was no
>>>>> mention of a zone file.
>>>>>
>>>>> Where should I look in the file system to be sure? I see nothing in
>>>>> /var/named. I'm using 3.3.3 IPA on Oracle Linux from Oracle's yum repo.
>>>>> (Not my choice.)
>>>>>
>>>>> dsee7 is *not* running Kerberos. dsee7 is *not* configured with SRV
>>>>> records. I guess I'll need to add SRV records for all my Linux hosts.
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> On Mon, Dec 8, 2014 at 10:41 AM, Petr Spacek <pspacek at redhat.com>
>>>>> wrote:
>>>>>
>>>>>> On 8.12.2014 14:44, Matthew Herzog wrote:
>>>>>> > Petr said, "You can run ipa-server-install *without* --setup-dns
>>>>>> option and
>>>>>> > at the end of
>>>>>> > installation it will produce DNS records which you have to manually
>>>>>> add to
>>>>>> > your existing DNS database."
>>>>>> >
>>>>>> > I can't see how this would be useful or which machines I would need
>>>>>> to add
>>>>>> > to our DNS.
>>>>>> >
>>>>>> > Perhaps I should have explained that we are not going to set up a
>>>>>> new DNS
>>>>>> > domain for the ipa-managed servers.
>>>>>> Good.
>>>>>>
>>>>>> Now you should run ipa-server-install *without* --setup-dns, using
>>>>>> lnx.e-bozo.com as your IPA domain. It will install a full IPA server
>>>>>> and spit out a DNS zone file.
>>>>>>
>>>>>> Then you *have to* take this zone file and import it to your existing
>>>>>> DNS infrastructure - that will give you a fully functional IPA domain
>>>>>> lnx.e-bozo.com.
>>>>>>
>>>>>> Caveat:
>>>>>> Preceding text assumes that 'dsee7' is not using either Kerberos or
>>>>>> DNS SRV records for LDAP service in domain lnx.e-bozo.com, i.e. clients
>>>>>> connecting to DSEE7 should be (most likely) statically configured with
>>>>>> DSEE7 server name.
>>>>>>
>>>>>> Petr^2 Spacek
>>>>>>
>>>>>> > We have an Oracle dsee7 server doing
>>>>>> > LDAP for our Linux servers and accounts. We want to migrate to IPA
>>>>>> so we
>>>>>> > don't have to maintain a Linux/LDAP account for every user who
>>>>>> needs access
>>>>>> > to Linux servers. All of our users start with an account in AD and
>>>>>> since
>>>>>> > none of my predecessors knew about Winbind, they set up dsee7.
>>>>>> >
>>>>>> > So I'm thinking we'll need to import all our dsee7 accounts AND
>>>>>> make it
>>>>>> > possible for AD users to access the Linux systems without needing
>>>>>> to create
>>>>>> > them in IPA.
>>>>>> >
>>>>>> > On Mon, Dec 8, 2014 at 2:56 AM, Petr Spacek <pspacek at redhat.com>
>>>>>> wrote:
>>>>>> >
>>>>>> >> On 8.12.2014 05:02, Dmitri Pal wrote:
>>>>>> >>> On 12/07/2014 10:10 PM, Matthew Herzog wrote:
>>>>>> >>>> So should the FreeIPA server be authoritative for the Kerb.
>>>>>> realm/DNS
>>>>>> >> domain
>>>>>> >>>> or can it/should it be a slave DNS server instead? Or caching
>>>>>> only?
>>>>>> >>>
>>>>>> >>> IPA DNS can't be a slave so you either delegate a whole zone to
>>>>>> it or
>>>>>> >> manage
>>>>>> >>> IPA DNS domain via your own DNS server.
>>>>>> >>
>>>>>> >> Generally, "slave" is not allowed to do any changes so it is
>>>>>> useless in
>>>>>> >> your
>>>>>> >> scenario.
>>>>>> >>
>>>>>> >> You can run ipa-server-install *without* --setup-dns option and at
>>>>>> the end
>>>>>> >> of
>>>>>> >> installation it will produce DNS records which you have to
>>>>>> manually add to
>>>>>> >> your existing DNS database.
>>>>>> >>
>>>>>> >> Did you try that?
>>>>>> >>
>>>>>> >> Petr^2 Spacek
>>>>>> >>
>>>>>> >>>> On Sun, Dec 7, 2014 at 9:57 PM, Dmitri Pal <dpal at redhat.com> wrote:
>>>>>> >>>>
>>>>>> >>>> On 12/07/2014 09:51 PM, Matthew Herzog wrote:
>>>>>> >>>>> What must be done in or on the ipa server with regard to
>>>>>> DNS, if
>>>>>> >>>>> anything?
>>>>>> >>>>>
>>>>>> >>>>> Our DNS works. It works well. We have four Linux DNS
>>>>>> servers and
>>>>>> >>>>> two AD domain controllers that also do DNS.
>>>>>> >>>>>
>>>>>> >>>>> So if we already have DNS working well in our domain, why
>>>>>> do we
>>>>>> >>>>> want to manage DNS in IPA?
>>>>>> >>>>
>>>>>> >>>> Let us keep the discussion on the list.
>>>>>> >>>> IPA when used with AD trust presents itself as a separate
>>>>>> forest.
>>>>>> >>>> AD thinks that it is working with another AD forest.
>>>>>> >>>> For that to work we need to follow MSFT rules about
>>>>>> relationship
>>>>>> >>>> between Kerberos realm and DNS domain.
>>>>>> >>>> AD assumes that for every trusted forest Kerberos realm = DNS
>>>>>> >>>> domain. IPA makes it easy to do because it has integrated
>>>>>> tools to
>>>>>> >>>> manage IPA DNS domain.
>>>>>> >>>> If you want to manage it yourself through your DNS you can
>>>>>> do it,
>>>>>> >>>> just more manual operations for you.
>>>>>> >>>>
>>>>>> >>>> HTH
>>>>>> >>>>
>>>>>> >>>> Thanks
>>>>>> >>>> Dmitri
>>>>>> >>>>
>>>>>> >>>>
>>>>>> >>>>>
>>>>>> >>>>> On Sun, Dec 7, 2014 at 9:44 PM, Dmitri Pal <dpal at redhat.com> wrote:
>>>>>> >>>>>
>>>>>> >>>>> On 12/07/2014 06:44 PM, Matthew Herzog wrote:
>>>>>> >>>>>> Thanks guys. I'm sorry for my delay in responding.
>>>>>> >>>>>>
>>>>>> >>>>>> Firstly, I was under the impression (from reading the
>>>>>> docs)
>>>>>> >>>>>> that having named running on IPA server was critical.
>>>>>> >>>>>
>>>>>> >>>>> Properly configured DNS is critical.
>>>>>> >>>>> How you accomplish it is up to you.
>>>>>> >>>>> IPA allows you to have a DNS server that would simplify
>>>>>> DNS
>>>>>> >>>>> management but it can be done manually too. This is why
>>>>>> DNS
>>>>>> >>>>> is optional.
>>>>>> >>>>>
>>>>>> >>>>>
>>>>>> >>>>>> Also, the first question the ipa-server-install script
>>>>>> asks
>>>>>> >>>>>> is, "Do you want to configure integrated DNS (BIND)? ."
>>>>>> >>>>>> While it's true the default answer is no, it leads one
>>>>>> to
>>>>>> >>>>>> believe that DNS is central to IPA. Also the
>>>>>> >>>>>> ipa-client-install script says,
>>>>>> >>>>>>
>>>>>> >>>>>> [root at freeipa-poc-client02 ~]# ipa-client-install
>>>>>> >>>>>> DNS discovery failed to determine your DNS domain
>>>>>> >>>>>> Provide the domain name of your IPA server (ex: example.com):
>>>>>> >>>>>>
>>>>>> >>>>>> I can resolve -anything- from the machine using dig or
>>>>>> >> whatever.
>>>>>> >>>>>>
>>>>>> >>>>>> Ultimately, the reason I started to be concerned about
>>>>>> my
>>>>>> >>>>>> IPA server's DNS config was because I was not able to
>>>>>> >>>>>> authenticate AD accounts to a client machine. I saw a
>>>>>> bunch
>>>>>> >>>>>> of errors in the client's sssd logs which of course I
>>>>>> can't
>>>>>> >>>>>> find now.
>>>>>> >>>>>>
>>>>>> >>>>>> Perhaps it was these . . .
>>>>>> >>>>>>
>>>>>> >>>>>> (Thu Dec 4 13:45:23 2014) [sssd] [ping_check]
>>>>>> (0x0100):
>>>>>> >>>>>> Service nss replied to ping
>>>>>> >>>>>> (Thu Dec 4 13:45:23 2014) [sssd] [ping_check]
>>>>>> (0x0100):
>>>>>> >>>>>> Service sudo replied to ping
>>>>>> >>>>>> (Thu Dec 4 13:45:23 2014) [sssd] [ping_check]
>>>>>> (0x0100):
>>>>>> >>>>>> Service pam replied to ping
>>>>>> >>>>>> (Thu Dec 4 13:45:23 2014) [sssd] [ping_check]
>>>>>> (0x0100):
>>>>>> >>>>>> Service ssh replied to ping
>>>>>> >>>>>> (Thu Dec 4 13:45:23 2014) [sssd] [ping_check]
>>>>>> (0x0100):
>>>>>> >>>>>> Service pac replied to ping
>>>>>> >>>>>> (Thu Dec 4 13:45:23 2014) [sssd] [ping_check]
>>>>>> (0x0100):
>>>>>> >>>>>> Service bo3.e-bozo.com replied to ping
>>>>>> >>>>>>
>>>>>> >>>>>> I'm not allowed onto the AD domain controllers to
>>>>>> examine
>>>>>> >>>>>> log files or I'd be checking those first.
>>>>>> >>>>>>
>>>>>> >>>>>> So ultimately the goal is to authenticate AD users and
>>>>>> users
>>>>>> >>>>>> that exist in our ldap schema. We need to set up
>>>>>> groups of
>>>>>> >>>>>> users that can run sudo commands on specific groups of
>>>>>> hosts.
>>>>>> >>>>>
>>>>>> >>>>> Did you set up trusts as explained on the following page?
>>>>>> >>>>> http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup
>>>>>> >>>>>
>>>>>> >>>>>
>>>>>> >>>>>>
>>>>>> >>>>>>
>>>>>> >>>>>>
>>>>>> >>>>>> On Wed, Dec 3, 2014 at 3:46 AM, Petr Spacek <pspacek at redhat.com> wrote:
>>>>>> >>>>>>
>>>>>> >>>>>> On 3.12.2014 04:35, Dmitri Pal wrote:
>>>>>> >>>>>> > On 12/02/2014 08:54 PM, Matthew Herzog wrote:
>>>>>> >>>>>> >> Any other ideas? I just spun up a new VM and
>>>>>> took the
>>>>>> >>>>>> defaults on everything
>>>>>> >>>>>> >> while running ipa-server-install (the defaults
>>>>>> did
>>>>>> >>>>>> make sense) and my new VM
>>>>>> >>>>>> >> can't resolve -anything- in the domain in which
>>>>>> it
>>>>>> >>>>>> lives. The "old" VM
>>>>>> >>>>>> >> (running the same versions of everything on the
>>>>>> same
>>>>>> >>>>>> OS) can't even resolve
>>>>>> >>>>>> >> the clients I have registered with it!
>>>>>> >>>>>> >>
>>>>>> >>>>>> >> So I'm pretty frustrated and am wondering, what
>>>>>> >>>>>> _exactly_ is the role of
>>>>>> >>>>>> >> bind in the IPA server and how is it expected
>>>>>> to know
>>>>>> >>>>>> anything about the
>>>>>> >>>>>> >> local DNS domain without becoming a bind slave
>>>>>> server?
>>>>>> >>>>>> >
>>>>>> >>>>>> > I am not sure I am 100% with you but...
>>>>>> >>>>>> > If you use the defaults and nothing else you get
>>>>>> to
>>>>>> >>>>>> the scenario when IPA has
>>>>>> >>>>>> > its DNS but it is a self contained environment.
>>>>>> It
>>>>>> >>>>>> seems that this is what you
>>>>>> >>>>>> > observe.
>>>>>> >>>>>> > It is expected that you decide in advance what
>>>>>> you
>>>>>> >>>>>> want to do with DNS. There
>>>>>> >>>>>> > are several options:
>>>>>> >>>>>> > 1) You can delegate a zone to IPA to manage,
>>>>>> then you
>>>>>> >>>>>> need to connect your IPA
>>>>>> >>>>>> > DNS to your existing DNS during install or after.
>>>>>> >>>>>> > In this case the systems joined to IPA will be a
>>>>>> part
>>>>>> >>>>>> of IPA domain/zone and
>>>>>> >>>>>> > would also be able to resolve other systems
>>>>>> around
>>>>>> >>>>>> > 2) Not use IPA DNS if you do not want to take
>>>>>> >>>>>> advantage of it
>>>>>> >>>>>> > 3) Have a self contained demo/lab environment
>>>>>> that you
>>>>>> >>>>>> currently observe.
>>>>>> >>>>>> >
>>>>>> >>>>>> > What is the intent?
>>>>>> >>>>>>
>>>>>> >>>>>> I agree with Dmitri, we need more information from
>>>>>> you:
>>>>>> >>>>>> - You said "my new VM can't resolve -anything- in
>>>>>> the
>>>>>> >>>>>> domain in which it
>>>>>> >>>>>> lives." - Which domain do you mean?
>>>>>> >>>>>>
>>>>>> >>>>>> - Apparently you have configured FreeIPA to serve zone
>>>>>> >>>>>> e-bozo.com. Do you have this zone configured on some other
>>>>>> >>>>>> DNS server at the same time?
>>>>>> >>>>>>
>>>>>> >>>>>> Please keep in mind that authoritative servers should share
>>>>>> >>>>>> the database. You will get naming collisions if e-bozo.com is
>>>>>> >>>>>> served by FreeIPA DNS servers and some other servers at the
>>>>>> >>>>>> same time. Maybe that is the problem you see right now.
>>>>>> >>>>>>
>>>>>> >>>>>> As Dmitri said, the architecturally correct
>>>>>> solution is
>>>>>> >>>>>> to decide if you want
>>>>>> >>>>>> to use FreeIPA DNS or not. You have option to
>>>>>> either
>>>>>> >>>>>> remove non-FreeIPA DNS
>>>>>> >>>>>> servers and import data to FreeIPA or to add
>>>>>> >>>>>> FreeIPA-specific DNS records to
>>>>>> >>>>>> existing DNS servers and do not configure FreeIPA
>>>>>> to act
>>>>>> >>>>>> as DNS server.
>>>>>> >>>>>>
>>>>>> >>>>>> Petr^2 Spacek
>>>>>> >>>>>>
>>>>>> >>>>>> >> Thanks.
>>>>>> >>>>>> >>
>>>>>> >>>>>> >> On Tue, Dec 2, 2014 at 11:58 AM, Petr Spacek
>>>>>> >>>>>> >> <pspacek at redhat.com> wrote:
>>>>>> >>>>>> >>
>>>>>> >>>>>> >> On 2.12.2014 17:36, Martin Basti wrote:
>>>>>> >>>>>> >> > On 02/12/14 17:28, Matthew Herzog wrote:
>>>>>> >>>>>> >> >> I just realized that my IPA servers
>>>>>> cannot
>>>>>> >>>>>> resolve ANY servers
>>>>>> >>>>>> >> in my domain.
>>>>>> >>>>>> >> >> What do I need to do to fix this? Below
>>>>>> is my
>>>>>> >>>>>> named.conf.
>>>>>> >>>>>> >> >>
>>>>>> >>>>>> >> >>
>>>>>> >>>>>> >> >> options {
>>>>>> >>>>>> >> >> // turns on IPv6 for port 53, IPv4 is on by default for all ifaces
>>>>>> >>>>>> >> >> listen-on-v6 {any;};
>>>>>> >>>>>> >> >>
>>>>>> >>>>>> >> >> // Put files that named is allowed to write in the data/ directory:
>>>>>> >>>>>> >> >> directory "/var/named"; // the default
>>>>>> >>>>>> >> >> dump-file "data/cache_dump.db";
>>>>>> >>>>>> >> >> statistics-file "data/named_stats.txt";
>>>>>> >>>>>> >> >> memstatistics-file "data/named_mem_stats.txt";
>>>>>> >>>>>> >> >>
>>>>>> >>>>>> >> >> forward first;
>>>>>> >>>>>> >> >> forwarders {
>>>>>> >>>>>> >> >> 10.100.8.41;
>>>>>> >>>>>> >> >> 10.100.8.40;
>>>>>> >>>>>> >> >> 10.100.4.13;
>>>>>> >>>>>> >> >> 10.100.4.14;
>>>>>> >>>>>> >> >> 10.100.4.19;
>>>>>> >>>>>> >> >> 10.100.4.44;
>>>>>> >>>>>> >> >> };
>>>>>> >>>>>> >> >>
>>>>>> >>>>>> >> >> // Any host is permitted to issue recursive queries
>>>>>> >>>>>> >> >> allow-recursion { any; };
>>>>>> >>>>>> >> >>
>>>>>> >>>>>> >> >> tkey-gssapi-keytab "/etc/named.keytab";
>>>>>> >>>>>> >> >> pid-file "/run/named/named.pid";
>>>>>> >>>>>> >> >> };
>>>>>> >>>>>> >> >>
>>>>>> >>>>>> >> >> /* If you want to enable debugging, eg. using the 'rndc trace' command,
>>>>>> >>>>>> >> >> * By default, SELinux policy does not allow named to modify the /var/named directory,
>>>>>> >>>>>> >> >> * so put the default debug log file in data/ :
>>>>>> >>>>>> >> >> */
>>>>>> >>>>>> >> >> logging {
>>>>>> >>>>>> >> >> channel default_debug {
>>>>>> >>>>>> >> >> file "data/named.run";
>>>>>> >>>>>> >> >> severity dynamic;
>>>>>> >>>>>> >> >> print-time yes;
>>>>>> >>>>>> >> >> };
>>>>>> >>>>>> >> >> };
>>>>>> >>>>>> >> >> };
>>>>>> >>>>>> >> >>
>>>>>> >>>>>> >> >> zone "." IN {
>>>>>> >>>>>> >> >> type hint;
>>>>>> >>>>>> >> >> file "named.ca";
>>>>>> >>>>>> >> >> };
>>>>>> >>>>>> >> >>
>>>>>> >>>>>> >> >> include "/etc/named.rfc1912.zones";
>>>>>> >>>>>> >> >>
>>>>>> >>>>>> >> >> dynamic-db "ipa" {
>>>>>> >>>>>> >> >> library "ldap.so";
>>>>>> >>>>>> >> >> arg "uri ldapi://%2fvar%2frun%2fslapd-BO3-E-BOZO-COM.socket";
>>>>>> >>>>>> >> >> arg "base cn=dns, dc=bo3,dc=e-bozo,dc=com";
>>>>>> >>>>>> >> >> arg "fake_mname freeipa-poc01.bo3.e-bozo.com.";
>>>>>> >>>>>> >> >> arg "auth_method sasl";
>>>>>> >>>>>> >> >> arg "sasl_mech GSSAPI";
>>>>>> >>>>>> >> >> arg "sasl_user DNS/freeipa-poc01.bo3.e-bozo.com";
>>>>>> >>>>>> >> >> arg "serial_autoincrement yes";
>>>>>> >>>>>> >> >> };
>>>>>> >>>>>> >> >>
>>>>>> >>>>>> >> >>
>>>>>> >>>>>> >> >>
>>>>>> >>>>>> >> >>
>>>>>> >>>>>> >> > Hello,
>>>>>> >>>>>> >> >
>>>>>> >>>>>> >> > which version ipa do you use? which
>>>>>> platform?
>>>>>> >>>>>> Which version
>>>>>> >>>>>> >> bind-dyndb-ldap?
>>>>>> >>>>>> >> >
>>>>>> >>>>>> >> > Can you run these commands, and check if
>>>>>> there
>>>>>> >>>>>> any errors?
>>>>>> >>>>>> >> > ipactl status
>>>>>> >>>>>> >> > systemctl status named (respectively
>>>>>> >>>>>> journalctl -u named)
>>>>>> >>>>>> >>
>>>>>> >>>>>> >> We also may want to see information listed on page
>>>>>> >>>>>> >> https://fedorahosted.org/bind-dyndb-ldap/wiki/BugReporting
>>>>>>
>>>>>> --
>>>>>> Petr^2 Spacek
>>>>>>
>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> If life gives you melons, you may be dyslexic.
>>>>>
>>>>
>>>>
>>>>
>>>> --
>>>> If life gives you melons, you may be dyslexic.
>>>>
>>>>
>>>>
>>>>
>>>> --
>>>> Thank you,
>>>> Dmitri Pal
>>>>
>>>> Sr. Engineering Manager IdM portfolio
>>>> Red Hat, Inc.
>>>>
>>>>
>>>>
>>>
>>>
>>>
>>> --
>>> If life gives you melons, you may be dyslexic.
>>>
>>
>>
>>
>> --
>> If life gives you melons, you may be dyslexic.
>>
>
>
>
> --
> If life gives you melons, you may be dyslexic.
>
--
If life gives you melons, you may be dyslexic.
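The advice in this thread (run ipa-server-install without --setup-dns, then import the records it prints into the existing DNS; ipa-client-install discovers the domain and realm through those records; an AD trust needs Kerberos realm = DNS domain) reduces to a set of SRV and TXT records that must exist in the external zone. The following is an added example, not FreeIPA code and not from anyone in the thread: an offline checker that parses a BIND-style zone fragment and reports which of those records are missing or wrong. Assumptions: the service list matches what IPA 3.x writes into its records file, the zone fragment is constructed here, and `lnx.example.test`, `LNX.EXAMPLE.TEST` and `ipa01` are placeholders.

```python
"""Offline check of the DNS records an IPA domain needs in an external DNS.

Added example, not FreeIPA code. Assumptions: the SRV/TXT record set below
is the one ipa-server-install prints when run without --setup-dns; the zone
fragment is constructed; domain, realm and server names are placeholders."""
import re
from collections import defaultdict

# Service name -> expected port. Assumption: matches IPA 3.x's records file.
IPA_SRV_SERVICES = {
    "_ldap._tcp": 389,
    "_kerberos._tcp": 88,
    "_kerberos._udp": 88,
    "_kerberos-master._tcp": 88,
    "_kerberos-master._udp": 88,
    "_kpasswd._tcp": 464,
    "_kpasswd._udp": 464,
}

# owner [ttl] [IN] type rdata  (only the record types this check needs)
ZONE_LINE = re.compile(
    r"^(?P<name>\S+)\s+(?:\d+\s+)?(?:IN\s+)?(?P<type>SRV|TXT|A)\s+(?P<rdata>.+)$"
)


def fqdn(name, origin=None):
    """Lower-case, dot-terminated FQDN; relative names are qualified with origin."""
    name = name.lower()
    if name == "@" and origin:
        return origin
    if not name.endswith(".") and origin:
        name = f"{name}.{origin}"
    return name.rstrip(".") + "."


def parse_zone(text, origin):
    """Parse BIND-style zone lines into {(owner_fqdn, type): [rdata, ...]}."""
    origin = fqdn(origin)
    records = defaultdict(list)
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop comments and blank lines
        m = ZONE_LINE.match(line) if line else None
        if m:
            records[(fqdn(m["name"], origin), m["type"])].append(m["rdata"].strip())
    return records


def check_ipa_records(records, domain, realm, server):
    """Return a list of problems; an empty list means the zone is complete."""
    origin, server = fqdn(domain), fqdn(server)
    problems = []
    for svc, port in IPA_SRV_SERVICES.items():
        targets = {}
        for rdata in records.get((f"{svc}.{origin}", "SRV"), []):
            _prio, _weight, p, target = rdata.split()  # SRV: prio weight port target
            targets[fqdn(target)] = int(p)
        if server not in targets:
            problems.append(f"missing SRV {svc}.{origin} -> {server}")
        elif targets[server] != port:
            problems.append(f"wrong port in SRV {svc}.{origin}: {targets[server]} != {port}")
    # ipa-client-install learns the realm from the _kerberos TXT record
    txt = [t.strip('"') for t in records.get((f"_kerberos.{origin}", "TXT"), [])]
    if realm not in txt:
        problems.append(f'missing TXT _kerberos.{origin} "{realm}"')
    # AD trust requires Kerberos realm == DNS domain (upper-cased)
    if realm != origin.rstrip(".").upper():
        problems.append(f"realm {realm} does not equal DNS domain {origin.rstrip('.')}")
    if (server, "A") not in records:
        problems.append(f"missing A record for {server}")
    return problems


# Constructed zone fragment in the shape of the records file ipa-server-install
# writes; _kpasswd._udp is deliberately left out so the checker has something to find.
SAMPLE_ZONE = """\
; constructed sample, not a real zone
_ldap._tcp            IN SRV 0 100 389 ipa01.lnx.example.test.
_kerberos._tcp        IN SRV 0 100 88  ipa01.lnx.example.test.
_kerberos._udp        IN SRV 0 100 88  ipa01.lnx.example.test.
_kerberos-master._tcp IN SRV 0 100 88  ipa01.lnx.example.test.
_kerberos-master._udp IN SRV 0 100 88  ipa01.lnx.example.test.
_kpasswd._tcp         IN SRV 0 100 464 ipa01.lnx.example.test.
_kerberos             IN TXT "LNX.EXAMPLE.TEST"
ipa01                 IN A   192.0.2.10
"""


def audit(zone_text=SAMPLE_ZONE, domain="lnx.example.test",
          realm="LNX.EXAMPLE.TEST", server="ipa01.lnx.example.test"):
    """Parse and check in one step; returns the list of problems."""
    return check_ipa_records(parse_zone(zone_text, domain), domain, realm, server)


if __name__ == "__main__":
    for line in audit() or ["all IPA records present"]:
        print(line)
```

Feed it the records file ipa-server-install prints, or a `dig AXFR` dump of the zone, in place of the constructed sample; a `_kerberos` TXT value that differs from the upper-cased domain is the first thing to fix before attempting the AD trust.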
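Dmitri's suggestion to raise debug_level and read the sssd logs runs into the problem visible in the quoted output: at level 9 the trace lines (0x2000, 0x4000) bury the few fatal ones (0x0010). The following is an added example, not sssd code and not from anyone in the thread: a small parser for lines of the form `(timestamp) [component] [function] (0xLEVEL): message` that joins continuation lines (as when a mail client wraps an entry) to the previous entry and then counts failures per component and function. Assumptions: the level names follow the debug_level table in sssd.conf(5); the sample log is constructed with placeholder domain names.

```python
"""Triage sssd debug logs: pull the failure-level entries out of the traces.

Added example, not sssd code. Assumptions: line format
"(timestamp) [component] [function] (0xLEVEL): message"; unmatched lines are
continuations of the previous entry; level names per sssd.conf(5); the
sample log below is constructed with placeholder names."""
import re
from collections import Counter

ENTRY = re.compile(
    r"^\((?P<ts>[^)]*)\) \[(?P<comp>.+?)\] \[(?P<func>\w+)\] "
    r"\((?P<level>0x[0-9A-Fa-f]+)\): ?(?P<msg>.*)$"
)

# debug_level bits as documented in sssd.conf(5)
LEVEL_NAMES = {
    0x0010: "fatal failure",
    0x0020: "critical failure",
    0x0040: "serious failure",
    0x0080: "minor failure",
    0x0100: "configuration setting",
    0x0200: "function data",
    0x0400: "trace: operation function",
    0x1000: "trace: internal control function",
    0x2000: "trace: internal function data",
    0x4000: "trace: low-level function",
}
FAILURE_MASK = 0x00F0  # the four failure levels together


def parse_sssd_log(text):
    """Return a list of entry dicts; lines that do not start a new entry are
    appended to the previous entry's message (handles wrapped log lines)."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY.match(raw)
        if m:
            entry = m.groupdict()
            entry["level"] = int(entry["level"], 16)
            entries.append(entry)
        elif entries and raw.strip():
            entries[-1]["msg"] += " " + raw.strip()
    return entries


def level_name(level):
    return LEVEL_NAMES.get(level, f"unknown (0x{level:04x})")


def failures(entries):
    """Entries logged at one of the failure levels."""
    return [e for e in entries if e["level"] & FAILURE_MASK]


def summarize(entries):
    """Failure count per (component, function), so the traces fall away."""
    return Counter((e["comp"], e["func"]) for e in failures(entries))


# Constructed sample modelled on the entries quoted in the thread; the first
# entry is wrapped across two lines the way a mail client would wrap it.
SAMPLE_LOG = """\
(Sun Dec  7 19:32:09 2014) [sssd[ssh]] [sss_dp_init] (0x0010): Failed
to connect to monitor services.
(Sun Dec  7 19:32:09 2014) [sssd[ssh]] [sss_process_init] (0x0010): fatal error setting up backend connector
(Sun Dec  7 19:32:09 2014) [sssd[ssh]] [ssh_process_init] (0x0010): sss_process_init() failed
(Mon Dec  8 14:46:54 2014) [sssd[be[lnx.example.test]]] [sysdb_search_groups] (0x2000): No such entry
(Mon Dec  8 14:46:54 2014) [sssd[be[lnx.example.test]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success
(Mon Dec  8 14:46:57 2014) [sssd[be[lnx.example.test]]] [sbus_dispatch] (0x4000): dbus conn: 0x178eb70
"""


def triage(text=SAMPLE_LOG):
    """Parse a log and return (failure entries, per-function failure counts)."""
    entries = parse_sssd_log(text)
    return failures(entries), summarize(entries)


if __name__ == "__main__":
    bad, counts = triage()
    for e in bad:
        print(f'{e["ts"]} {e["comp"]} {e["func"]} [{level_name(e["level"])}]: {e["msg"]}')
    for (comp, func), n in counts.most_common():
        print(f"{n:4d}  {comp} {func}")
```

Run it over `/var/log/sssd/sssd_<domain>.log` or `sssd_ssh.log`; the `[sssd[ssh]]` failures in the sample are the pattern from the thread where a responder cannot reach the sssd monitor, which points at the sssd process itself rather than at the IPA server or DNS.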