[Freeipa-users] DNS configuration
Dmitri Pal
dpal at redhat.com
Mon Dec 8 23:17:54 UTC 2014
On 12/08/2014 05:58 PM, Matthew Herzog wrote:
> Also, I just realized the AD I'm trying to connect to is of type
> Windows 2000. Yay!
This one would not work...
>
> On Mon, Dec 8, 2014 at 5:54 PM, Matthew Herzog
> <matthew.herzog at gmail.com> wrote:
>
> OK, I deserve a slap. I had forgotten to set up the two-way trust
> again since the ipa-server-install --uninstall && reinstall.
> That's back in place.
>
> So I found Sumit Bose's
> https://www.youtube.com/watch?v=infot4cmZgM and realized I could
> not add groups to any new, external user group using the ipa
> server's web interface.
>
> Error in the GUI is, E-BOZO.COM\Domain Users:
> invalid 'truster domain object': no trusted domain matched the
> specified flat name.
>
>
>
> On Mon, Dec 8, 2014 at 2:49 PM, Matthew Herzog
> <matthew.herzog at gmail.com> wrote:
>
> sssd_<hostname>.log
> (Mon Dec 8 14:46:54 2014) [sssd[be[bo3.e-bozo.com]]] [sysdb_search_groups] (0x2000): No such entry
> (Mon Dec 8 14:46:54 2014) [sssd[be[bo3.e-bozo.com]]] [sysdb_delete_user] (0x0400): Error: 2 (No such file or directory)
> (Mon Dec 8 14:46:54 2014) [sssd[be[bo3.e-bozo.com]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success
> (Mon Dec 8 14:46:54 2014) [sssd[be[bo3.e-bozo.com]]] [sdap_process_result] (0x2000): Trace: sh[0x17b0030], connected[1], ops[(nil)], ldap[0x17ab240]
> (Mon Dec 8 14:46:54 2014) [sssd[be[bo3.e-bozo.com]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
> (Mon Dec 8 14:46:57 2014) [sssd[be[bo3.e-bozo.com]]] [sbus_dispatch] (0x4000): dbus conn: 0x178eb70
> (Mon Dec 8 14:46:57 2014) [sssd[be[bo3.e-bozo.com]]] [sbus_dispatch] (0x4000): Dispatching.
>
>
> On Mon, Dec 8, 2014 at 2:32 PM, Matthew Herzog
> <matthew.herzog at gmail.com> wrote:
>
> ipa-client-3.0.0-42.el6.x86_64 on OEL 6.5 (server has
> 3.3.3 IPA)
>
>
> On Mon, Dec 8, 2014 at 2:26 PM, Dmitri Pal
> <dpal at redhat.com> wrote:
>
> On 12/08/2014 02:10 PM, Matthew Herzog wrote:
>> Here are some errors I'm seeing on the client.
>>
>> tail -f sssd_lnx.e-bozo.com.log
>> (Mon Dec 8 14:03:20 2014) [sssd[be[lnx.e-bozo.com]]] [sbus_dispatch] (0x4000): dbus conn: 0x1e72ad0
>> (Mon Dec 8 14:03:20 2014) [sssd[be[lnx.e-bozo.com]]] [sbus_dispatch] (0x4000): Dispatching.
>> (Mon Dec 8 14:03:20 2014) [sssd[be[lnx.e-bozo.com]]] [sbus_message_handler] (0x4000): Received SBUS method [ping]
>> (Mon Dec 8 14:03:20 2014) [sssd[be[lnx.e-bozo.com]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
>> (Mon Dec 8 14:03:20 2014) [sssd[be[lnx.e-bozo.com]]] [sbus_handler_got_caller_id] (0x4000): Received SBUS method [ping]
>> (Mon Dec 8 14:03:30 2014) [sssd[be[lnx.e-bozo.com]]] [sbus_dispatch] (0x4000): dbus conn: 0x1e72ad0
>> (Mon Dec 8 14:03:30 2014) [sssd[be[lnx.e-bozo.com]]] [sbus_dispatch] (0x4000): Dispatching.
>> (Mon Dec 8 14:03:30 2014) [sssd[be[lnx.e-bozo.com]]] [sbus_message_handler] (0x4000): Received SBUS method [ping]
>> (Mon Dec 8 14:03:30 2014) [sssd[be[lnx.e-bozo.com]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
>> (Mon Dec 8 14:03:30 2014) [sssd[be[lnx.e-bozo.com]]] [sbus_handler_got_caller_id] (0x4000): Received SBUS method [ping]
>> (Mon Dec 8 14:03:40 2014) [sssd[be[lnx.e-bozo.com]]] [sbus_dispatch] (0x4000): dbus conn: 0x1e72ad0
>> (Mon Dec 8 14:03:40 2014) [sssd[be[lnx.e-bozo.com]]] [sbus_dispatch] (0x4000): Dispatching.
>>
>> [root at freeipa-poc-client02 sssd]# tail -f sssd_ssh.log
>> (Sun Dec 7 19:32:09 2014) [sssd[ssh]] [ssh_process_init] (0x0010): sss_process_init() failed
>> (Sun Dec 7 19:32:09 2014) [sssd[ssh]] [sss_dp_init] (0x0010): Failed to connect to monitor services.
>> (Sun Dec 7 19:32:09 2014) [sssd[ssh]] [sss_process_init] (0x0010): fatal error setting up backend connector
>> (Sun Dec 7 19:32:09 2014) [sssd[ssh]] [ssh_process_init] (0x0010): sss_process_init() failed
>> (Sun Dec 7 19:32:16 2014) [sssd[ssh]] [sss_dp_init] (0x0010): Failed to connect to monitor services.
>> (Sun Dec 7 19:32:16 2014) [sssd[ssh]] [sss_process_init] (0x0010): fatal error setting up backend connector
>> (Sun Dec 7 19:32:16 2014) [sssd[ssh]] [ssh_process_init] (0x0010): sss_process_init() failed
>> (Sun Dec 7 19:32:16 2014) [sssd[ssh]] [sss_dp_init] (0x0010): Failed to connect to monitor services.
>> (Sun Dec 7 19:32:16 2014) [sssd[ssh]] [sss_process_init] (0x0010): fatal error setting up backend connector
>> (Sun Dec 7 19:32:16 2014) [sssd[ssh]] [ssh_process_init] (0x0010): sss_process_init() failed
>
> What is the version of the client?
> Please add debug_level=9 to sssd.conf in different
> sections to raise the verbosity of the log and see what
> is really going on there.
> https://fedorahosted.org/sssd/wiki/FAQ#BasicsofTroubleshooting
>
>
>
>
>>
>>
>> On Mon, Dec 8, 2014 at 11:48 AM, Matthew Herzog
>> <matthew.herzog at gmail.com> wrote:
>>
>> I have never seen my IPA servers produce a zone
>> file nor has the install script ever mentioned
>> the creation of such. In fact, I just ran
>> ipa-server-install --uninstall
>> && ipa-server-install and there was no mention of
>> a zone file.
>>
>> Where should I look in the file system to be
>> sure? I see nothing in /var/named. I'm using
>> 3.3.3 IPA on Oracle Linux from Oracle's yum repo.
>> (Not my choice.)
>>
>> dsee7 is /not/ running Kerberos. dsee7 is /not/
>> configured with SRV records. I guess I'll need
>> to add SRV records for all my Linux hosts.
>>
>>
>>
>>
>>
>>
>> On Mon, Dec 8, 2014 at 10:41 AM, Petr Spacek
>> <pspacek at redhat.com> wrote:
>>
>> On 8.12.2014 14:44, Matthew Herzog wrote:
>> > Petr said, "You can run ipa-server-install
>> *without* --setup-dns option and
>> > at the end of
>> > installation it will produce DNS records
>> which you have to manually add to
>> > your existing DNS database."
>> >
>> > I can't see how this would be useful or
>> which machines I would need to add
>> > to our DNS.
>> >
>> > Perhaps I should have explained that we are
>> not going to set up a new DNS
>> > domain for the ipa-managed servers.
>> Good.
>>
>> Now you should run ipa-server-install
>> *without* --setup-dns, using
>> lnx.e-bozo.com as your
>> IPA domain. It will install full IPA server
>> and spit out
>> DNS zone file.
>>
>> Then you *have to* take this zone file and
>> import it to your existing DNS
>> infrastructure - that will give you fully
>> functional IPA domain lnx.e-bozo.com.
>>
>> Caveat:
>> Preceding text assumes that 'dsee7' is not
>> using either Kerberos or DNS SRV
>> records for LDAP service in domain
>> lnx.e-bozo.com, i.e.
>> clients connecting to
>> DSEE7 should be (most likely) statically
>> configured with DSEE7 server name.
>>
>> Petr^2 Spacek
>>
>> > We have an Oracle dsee7 server doing
>> > LDAP for our Linux servers and accounts. We
>> want to migrate to IPA so we
>> > don't have to maintain a Linux/LDAP account
>> for every user who needs access
>> > to Linux servers. All of our users start
>> with an account in AD and since
>> > none of my predecessors knew about Winbind,
>> they set up dsee7.
>> >
>> > So I'm thinking we'll need to import all
>> our dsee7 accounts AND make it
>> > possible for AD users to access the Linux
>> systems without needing to create
>> > them in IPA.
>> >
>> > On Mon, Dec 8, 2014 at 2:56 AM, Petr Spacek
>> <pspacek at redhat.com> wrote:
>> >
>> >> On 8.12.2014 05:02, Dmitri Pal wrote:
>> >>> On 12/07/2014 10:10 PM, Matthew Herzog wrote:
>> >>>> So should the FreeIPA server be
>> authoritative for the Kerb. realm/DNS
>> >> domain
>> >>>> or can it/should it be a slave DNS
>> server instead? Or caching only?
>> >>>
>> >>> IPA DNS can't be a slave so you either
>> delegate a whole zone to it or
>> >> manage
>> >>> IPA DNS domain via your own DNS server.
>> >>
>> >> Generally, "slave" is not allowed to do
>> any changes so it is useless in
>> >> your
>> >> scenario.
>> >>
>> >> You can run ipa-server-install *without*
>> --setup-dns option and at the end
>> >> of
>> >> installation it will produce DNS records
>> which you have to manually add to
>> >> your existing DNS database.
>> >>
>> >> Did you try that?
>> >>
>> >> Petr^2 Spacek
>> >>
>> >>>> On Sun, Dec 7, 2014 at 9:57 PM, Dmitri
>> Pal <dpal at redhat.com> wrote:
>> >>>>
>> >>>> On 12/07/2014 09:51 PM, Matthew
>> Herzog wrote:
>> >>>>> What must be done in or on the ipa
>> server with regard to DNS, if
>> >>>>> anything?
>> >>>>>
>> >>>>> Our DNS works. It works well. We
>> have four Linux DNS servers and
>> >>>>> two AD domain controllers that also
>> do DNS.
>> >>>>>
>> >>>>> So if we already have DNS working
>> well in our domain, why do we
>> >>>>> want to manage DNS in IPA?
>> >>>>
>> >>>> Let us keep the discussion on the list.
>> >>>> IPA when used with AD trust presents
>> itself as a separate forest.
>> >>>> AD thinks that it is working with
>> another AD forest.
>> >>>> For that to work we need to follow
>> MSFT rules about relationship
>> >>>> between Kerberos realm and DNS domain.
>> >>>> AD assumes that for every trusted
>> forest Kerberos realm = DNS
>> >>>> domain. IPA makes it easy to do
>> because it has integrated tools to
>> >>>> manage IPA DNS domain.
>> >>>> If you want to manage it yourself
>> through your DNS you can do it,
>> >>>> just more manual operations for you.
>> >>>>
>> >>>> HTH
>> >>>>
>> >>>> Thanks
>> >>>> Dmitri
>> >>>>
>> >>>>
>> >>>>>
>> >>>>> On Sun, Dec 7, 2014 at 9:44 PM,
>> Dmitri Pal <dpal at redhat.com> wrote:
>> >>>>>
>> >>>>> On 12/07/2014 06:44 PM, Matthew
>> Herzog wrote:
>> >>>>>> Thanks guys. I'm sorry for my
>> delay in responding.
>> >>>>>>
>> >>>>>> Firstly, I was under the impression
>> (from reading the docs)
>> >>>>>> that having named running on
>> IPA server was critical.
>> >>>>>
>> >>>>> Properly configured DNS is critical.
>> >>>>> How you accomplish it is up to you.
>> >>>>> IPA allows you to have a DNS
>> server that would simplify DNS
>> >>>>> management but it can be done manually
>> too. This is why DNS
>> >>>>> is optional.
>> >>>>>
>> >>>>>
>> >>>>>> Also, the first question the
>> ipa-server-install script asks
>> >>>>>> is, "Do you want to configure
>> integrated DNS (BIND)? ."
>> >>>>>> While it's true the default
>> answer is no, it leads one to
>> >>>>>> believe that DNS is central to
>> IPA. Also the
>> >>>>>> ipa-client-install script says,
>> >>>>>>
>> >>>>>> [root at freeipa-poc-client02 ~]#
>> ipa-client-install
>> >>>>>> DNS discovery failed to
>> determine your DNS domain
>> >>>>>> Provide the domain name of your
>> IPA server (ex: example.com):
>> >>>>>>
>> >>>>>> I can resolve -anything- from
>> the machine using dig or
>> >> whatever.
>> >>>>>>
>> >>>>>> Ultimately, the reason I started to
>> be concerned about my
>> >>>>>> IPA server's DNS config was
>> because I was not able to
>> >>>>>> authenticate AD accounts to a client
>> machine. I saw a bunch
>> >>>>>> of errors in the client's sssd
>> logs which of course I can't
>> >>>>>> find now.
>> >>>>>>
>> >>>>>> Perhaps it was these . . .
>> >>>>>>
>> >>>>>> (Thu Dec 4 13:45:23 2014) [sssd] [ping_check] (0x0100): Service nss replied to ping
>> >>>>>> (Thu Dec 4 13:45:23 2014) [sssd] [ping_check] (0x0100): Service sudo replied to ping
>> >>>>>> (Thu Dec 4 13:45:23 2014) [sssd] [ping_check] (0x0100): Service pam replied to ping
>> >>>>>> (Thu Dec 4 13:45:23 2014) [sssd] [ping_check] (0x0100): Service ssh replied to ping
>> >>>>>> (Thu Dec 4 13:45:23 2014) [sssd] [ping_check] (0x0100): Service pac replied to ping
>> >>>>>> (Thu Dec 4 13:45:23 2014) [sssd] [ping_check] (0x0100): Service bo3.e-bozo.com replied to ping
>> >>>>>>
>> >>>>>> I'm not allowed onto the AD
>> domain controllers to examine
>> >>>>>> log files or I'd be checking
>> those first.
>> >>>>>>
>> >>>>>> So ultimately the goal is to
>> authenticate AD users and users
>> >>>>>> that exist in our ldap schema.
>> We need to set up groups of
>> >>>>>> users that can run sudo
>> commands on specific groups of hosts.
>> >>>>>
>> >>>>> Did you set up trusts as
>> explained on the following page?
>> >>>>>
>> http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup
>> >>>>>
>> >>>>>
>> >>>>>>
>> >>>>>>
>> >>>>>>
>> >>>>>> On Wed, Dec 3, 2014 at 3:46 AM,
>> Petr Spacek
>> >>>>>> <pspacek at redhat.com> wrote:
>> >>>>>>
>> >>>>>> On 3.12.2014 04:35, Dmitri
>> Pal wrote:
>> >>>>>> > On 12/02/2014 08:54 PM, Matthew
>> Herzog wrote:
>> >>>>>> >> Any other ideas? I just spun up a
>> new VM and took the
>> >>>>>> defaults on everything
>> >>>>>> >> while running ipa-server-install
>> (the defaults did
>> >>>>>> make sense) and my new VM
>> >>>>>> >> can't resolve -anything- in the
>> domain in which it
>> >>>>>> lives. The "old" VM
>> >>>>>> >> (running the same versions of
>> everything on the same
>> >>>>>> OS) can't even resolve
>> >>>>>> >> the clients I have registered with it!
>> >>>>>> >>
>> >>>>>> >> So I'm pretty frustrated and am
>> wondering, what
>> >>>>>> _exactly_ is the role of
>> >>>>>> >> bind in the IPA server and how is
>> it expected to know
>> >>>>>> anything about the
>> >>>>>> >> local DNS domain without becoming
>> a bind slave server?
>> >>>>>> >
>> >>>>>> > I am not sure I am 100% with you but...
>> >>>>>> > If you use the defaults and nothing
>> else you get to
>> >>>>>> the scenario when IPA has
>> >>>>>> > its DNS but it is a self contained
>> environment. It
>> >>>>>> seems that this is what you
>> >>>>>> > observe.
>> >>>>>> > It is expected that you decide in
>> advance what you
>> >>>>>> want to do with DNS. There
>> >>>>>> > are several options:
>> >>>>>> > 1) You can delegate a zone to IPA
>> to manage, then you
>> >>>>>> need to connect your IPA
>> >>>>>> > DNS to your existing DNS during
>> install or after.
>> >>>>>> > In this case the systems joined to
>> IPA will be a part
>> >>>>>> of IPA domain/zone and
>> >>>>>> > would also be able to resolve other
>> systems around
>> >>>>>> > 2) Not use IPA DNS if you do not
>> want to take
>> >>>>>> advantage of it
>> >>>>>> > 3) Have a self contained demo/lab
>> environment that you
>> >>>>>> currently observe.
>> >>>>>> >
>> >>>>>> > What is the intent?
>> >>>>>>
>> >>>>>> I agree with Dmitri, we
>> need more information from you:
>> >>>>>> - You said "my new VM can't
>> resolve -anything- in the
>> >>>>>> domain in which it
>> >>>>>> lives." - Which domain do you mean?
>> >>>>>>
>> >>>>>> - Apparently you have
>> configured FreeIPA to serve zone
>> >>>>>> e-bozo.com. Do you have
>> >>>>>> this zone configured on some other
>> DNS server at the
>> >>>>>> same time?
>> >>>>>>
>> >>>>>> Please keep in mind that
>> authoritative servers should
>> >>>>>> share the database. You
>> >>>>>> will get naming collisions if
>> e-bozo.com is served by
>> FreeIPA DNS servers and
>> >>>>>> some other servers at the same time.
>> Maybe that is the
>> >>>>>> problem you see right now.
>> >>>>>>
>> >>>>>> As Dmitri said, the
>> architecturally correct solution is
>> >>>>>> to decide if you want
>> >>>>>> to use FreeIPA DNS or not.
>> You have option to either
>> >>>>>> remove non-FreeIPA DNS
>> >>>>>> servers and import data to FreeIPA or
>> to add
>> >>>>>> FreeIPA-specific DNS records to
>> >>>>>> existing DNS servers and do not
>> configure FreeIPA to act
>> >>>>>> as DNS server.
>> >>>>>>
>> >>>>>> Petr^2 Spacek
>> >>>>>>
>> >>>>>> >> Thanks.
>> >>>>>> >>
>> >>>>>> >> On Tue, Dec 2, 2014 at 11:58 AM,
>> Petr Spacek
>> >>>>>> <pspacek at redhat.com> wrote:
>> >>>>>> >>
>> >>>>>> >> On 2.12.2014 17:36, Martin Basti
>> wrote:
>> >>>>>> >> > On 02/12/14 17:28, Matthew
>> Herzog wrote:
>> >>>>>> >> >> I just realized that my IPA
>> servers cannot
>> >>>>>> resolve ANY servers
>> >>>>>> >> in my domain.
>> >>>>>> >> >> What do I need to do to fix
>> this? Below is my
>> >>>>>> named.conf.
>> >>>>>> >> >>
>> >>>>>> >> >>
>> >>>>>> >> >> options {
>> >>>>>> >> >> // turns on IPv6 for port 53, IPv4 is on by default for all ifaces
>> >>>>>> >> >> listen-on-v6 {any;};
>> >>>>>> >> >>
>> >>>>>> >> >> // Put files that named is allowed to write in the data/ directory:
>> >>>>>> >> >> directory "/var/named"; // the default
>> >>>>>> >> >> dump-file "data/cache_dump.db";
>> >>>>>> >> >> statistics-file "data/named_stats.txt";
>> >>>>>> >> >> memstatistics-file "data/named_mem_stats.txt";
>> >>>>>> >> >>
>> >>>>>> >> >> forward first;
>> >>>>>> >> >> forwarders {
>> >>>>>> >> >> 10.100.8.41;
>> >>>>>> >> >> 10.100.8.40;
>> >>>>>> >> >> 10.100.4.13;
>> >>>>>> >> >> 10.100.4.14;
>> >>>>>> >> >> 10.100.4.19;
>> >>>>>> >> >> 10.100.4.44;
>> >>>>>> >> >> };
>> >>>>>> >> >>
>> >>>>>> >> >> // Any host is permitted to issue recursive queries
>> >>>>>> >> >> allow-recursion { any; };
>> >>>>>> >> >>
>> >>>>>> >> >> tkey-gssapi-keytab "/etc/named.keytab";
>> >>>>>> >> >> pid-file "/run/named/named.pid";
>> >>>>>> >> >> };
>> >>>>>> >> >>
>> >>>>>> >> >> /* If you want to enable debugging, eg. using the 'rndc trace' command,
>> >>>>>> >> >> * By default, SELinux policy does not allow named to modify the /var/named directory,
>> >>>>>> >> >> * so put the default debug log file in data/ :
>> >>>>>> >> >> */
>> >>>>>> >> >> logging {
>> >>>>>> >> >> channel default_debug {
>> >>>>>> >> >> file "data/named.run";
>> >>>>>> >> >> severity dynamic;
>> >>>>>> >> >> print-time yes;
>> >>>>>> >> >> };
>> >>>>>> >> >> };
>> >>>>>> >> >> };
>> >>>>>> >> >>
>> >>>>>> >> >> zone "." IN {
>> >>>>>> >> >> type hint;
>> >>>>>> >> >> file "named.ca";
>> >>>>>> >> >> };
>> >>>>>> >> >>
>> >>>>>> >> >> include "/etc/named.rfc1912.zones";
>> >>>>>> >> >>
>> >>>>>> >> >> dynamic-db "ipa" {
>> >>>>>> >> >> library "ldap.so";
>> >>>>>> >> >> arg "uri ldapi://%2fvar%2frun%2fslapd-BO3-E-BOZO-COM.socket";
>> >>>>>> >> >> arg "base cn=dns, dc=bo3,dc=e-bozo,dc=com";
>> >>>>>> >> >> arg "fake_mname freeipa-poc01.bo3.e-bozo.com.";
>> >>>>>> >> >> arg "auth_method sasl";
>> >>>>>> >> >> arg "sasl_mech GSSAPI";
>> >>>>>> >> >> arg "sasl_user DNS/freeipa-poc01.bo3.e-bozo.com";
>> >>>>>> >> >> arg "serial_autoincrement yes";
>> >>>>>> >> >> };
>> >>>>>> >> >>
>> >>>>>> >> >>
>> >>>>>> >> >>
>> >>>>>> >> >>
>> >>>>>> >> > Hello,
>> >>>>>> >> >
>> >>>>>> >> > which version ipa do you use?
>> which platform?
>> >>>>>> Which version
>> >>>>>> >> bind-dyndb-ldap?
>> >>>>>> >> >
>> >>>>>> >> > Can you run these commands, and
>> check if there are
>> >>>>>> any errors?
>> >>>>>> >> > ipactl status
>> >>>>>> >> > systemctl status named
>> (respectively
>> >>>>>> journalctl -u named)
>> >>>>>> >>
>> >>>>>> >> We also may want to see
>> information listed on page
>> >>>>>> >>
>> >>>>>>
>> >>
>> https://fedorahosted.org/bind-dyndb-ldap/wiki/BugReporting
>>
>> --
>> Petr^2 Spacek
>>
>>
>>
>>
>> --
>> If life gives you melons, you may be dyslexic.
>
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager IdM portfolio
> Red Hat, Inc.
--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
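
Added example (not part of the original thread and not FreeIPA code): when the IPA domain is hosted on existing DNS servers, as Petr describes for lnx.e-bozo.com, the imported records can be checked offline before clients are enrolled. The sketch below checks a zone snippet for the usual IPA service SRV records and for the rule Dmitri states, Kerberos realm = DNS domain. The server name ipa01, the sample zone and the function names are constructed for illustration; the authoritative record list is the one ipa-server-install prints.

```python
import re

# Usual IPA service records (owner label -> port); treat the zone file that
# ipa-server-install emits as the authoritative list for a given version.
REQUIRED_SRV = {
    "_ldap._tcp": 389,
    "_kerberos._tcp": 88, "_kerberos._udp": 88,
    "_kerberos-master._tcp": 88, "_kerberos-master._udp": 88,
    "_kpasswd._tcp": 464, "_kpasswd._udp": 464,
}
RR = re.compile(r"^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?(SRV|TXT)\s+(.+)$", re.I)

# Constructed sample (ipa01 is a hypothetical server): the _kpasswd._udp
# record was forgotten and the realm TXT names a different domain.
SAMPLE_ZONE = """\
$ORIGIN lnx.e-bozo.com.
$TTL 86400
_ldap._tcp             IN SRV 0 100 389 ipa01
_kerberos._tcp         IN SRV 0 100 88 ipa01
_kerberos._udp         IN SRV 0 100 88 ipa01
_kerberos-master._tcp  IN SRV 0 100 88 ipa01
_kerberos-master._udp  IN SRV 0 100 88 ipa01
_kpasswd._tcp          IN SRV 0 100 464 ipa01
_kerberos              IN TXT "BO3.E-BOZO.COM"  ; wrong realm
"""

def parse_zone(text, origin):
    """Return [(owner_fqdn, type, rdata)] for SRV/TXT lines, honouring $ORIGIN."""
    origin, records = origin.rstrip(".").lower(), []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()          # drop comments
        if line.upper().startswith("$ORIGIN"):
            origin = line.split()[1].rstrip(".").lower()
            continue
        m = RR.match(line)
        if not m:
            continue                                  # $TTL, blanks, other types
        owner = m.group(1).lower()
        owner = owner.rstrip(".") if owner.endswith(".") else f"{owner}.{origin}"
        records.append((owner, m.group(2).upper(), m.group(3).strip()))
    return records

def check_ipa_zone(text, domain):
    """List what is missing or inconsistent for an IPA domain on external DNS."""
    domain = domain.rstrip(".").lower()
    records, problems = parse_zone(text, domain), []
    for label, port in REQUIRED_SRV.items():
        owner = f"{label}.{domain}"
        rdatas = [r for o, t, r in records if o == owner and t == "SRV"]
        if not rdatas:
            problems.append(f"missing SRV {owner}")
        for rdata in rdatas:
            fields = rdata.split()                    # priority weight port target
            if len(fields) != 4 or fields[2] != str(port):
                problems.append(f"bad SRV {owner}: {rdata!r} (expected port {port})")
    realms = [r.strip('"') for o, t, r in records
              if o == f"_kerberos.{domain}" and t == "TXT"]
    if not realms:
        problems.append(f"missing TXT _kerberos.{domain}")
    for realm in realms:
        if realm != domain.upper():                   # realm must equal DNS domain
            problems.append(f"realm {realm} does not match DNS domain {domain}")
    return problems

if __name__ == "__main__":
    for problem in check_ipa_zone(SAMPLE_ZONE, "lnx.e-bozo.com"):
        print(problem)
```
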