[Freeipa-users] FW: named and IpA
Licause, Al (CSC AMS BCS - UNIX/Linux Network Support)
licause at hp.com
Fri Oct 3 15:13:04 UTC 2014
-----Original Message-----
From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Petr Spacek
Sent: Friday, October 03, 2014 1:26 AM
To: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] named and IpA
On 2.10.2014 19:05, Licause, Al (CSC AMS BCS - UNIX/Linux Network Support) wrote:
> We have IdM running on a RHEL V7 system and have configured a local
> DNS server in our test lab.
>
> We have loaded the various SRV and TXT records needed by the IdM server.
>
>
> PROBLEM:
>
> From the IdM server we can only look up local records. The name
> resolver will not
> attempt to look to any other name servers or domains defined in
> /etc/resolv.conf.
>
> If I shutdown IdM using ipactl stop and then restart named, the name
> resolver works for local and remote hosts, addresses and domains as
> well as serving up the SRV records defined on the local host.
>
> Am I correct in assuming that while IdM is up and running, the only
> other systems it will communicate with at least with regard to name
> services is another host also running IdM defined either as a server or a client?
>
> If this is the case, is there any way to better integrate some of these
> common services such as named into an existing network such that you are not limited by the IdM components?
I would like to get additional information about your environment:
- Is the IPA server installed with DNS or not? Did you use option --setup-dns during ipa-server-install?
>> I have tried it both ways, but the most current in which we see this behavior I ran ipa-server-install with
>> no arguments and said yes to the question about installing DNS. I then replied with two valid forwarders.
>> In a previous installation, we added two of our local zones from one of the other dns server
>> and then added the sample zone provided by the installation which contained the various SRV and TXT
>> records. But for current reporting of this problem, we did not add/load the other zone files.
- Which DNS zones do you have defined on IPA server? You can use command "ipa dnszone-find" to list all zones.
[root at linux named]# ipa dnsconfig-mod --forwarder=16.112.240.27;16.112.240.40
ipa: ERROR: no modifications to be performed
bash: 16.112.240.40: command not found...
[root at linux named]# ipa dnszone-find
Zone name: 240.112.16.in-addr.arpa.
Authoritative nameserver: linux.osn.cxo.cpqcorp.net.
Administrator e-mail address: hostmaster.osn.cxo.cpqcorp.net.
SOA serial: 1412344406
SOA refresh: 3600
SOA retry: 900
SOA expire: 1209600
SOA minimum: 3600
Active zone: TRUE
Allow query: any;
Allow transfer: none;
Zone name: osn.cxo.cpqcorp.net
Authoritative nameserver: linux.osn.cxo.cpqcorp.net.
Administrator e-mail address: hostmaster.osn.cxo.cpqcorp.net.
SOA serial: 1412344406
SOA refresh: 3600
SOA retry: 900
SOA expire: 1209600
SOA minimum: 3600
Active zone: TRUE
Allow query: any;
Allow transfer: none;
----------------------------
Number of entries returned 2
----------------------------
- Are there any other DNS servers serving the same DNS zones?
>> Yes....we left the other two existing DNS servers in place as they are our primary name servers for this lab segment.
>> Those are the two systems we have entered as forwarders.
- Did you configure forwarders in /etc/named.conf or via ipa command line tools (ipa dnsconfig-mod or --forwarder option during ipa-server-install)?
>> The forwarders were placed in the /etc/named.conf file by the ipa-server-install script or one of its subordinate scripts.
>> I did try entering the forward policy and forwarders using ipa dnsconfig-mod but they didn't seem to change the behavior.
>> One thing I did notice was that ipa dnsconfig-mod --forwarder= only allowed one forwarder to be entered.....adding
>> a second entry on the line resulted in an error. If entered with a second --forwarders command, the previous forwarder
>> was replaced by the new one. So if there is a particular syntax that would allow more than one entry, can you please
>> post same?
- Please attach result of DNS lookups using "dig" command: One output when it doesn't work (i.e. with IPA running) and the other when it works as you expect (i.e. after "ipactl stop" and "service named restart").
>> with ipa running:
[root at linux named]# nslookup dl160a.osn.cxo.cpqcorp.net
Server: 16.112.240.59
Address: 16.112.240.59#53
** server can't find dl160a.osn.cxo.cpqcorp.net: NXDOMAIN
[root at linux named]# dig dl160a.osn.cxo.cpqcorp.net
; <<>> DiG 9.9.4-RedHat-9.9.4-14.el7 <<>> dl160a.osn.cxo.cpqcorp.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 6571
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;dl160a.osn.cxo.cpqcorp.net. IN A
;; AUTHORITY SECTION:
osn.cxo.cpqcorp.net. 3600 IN SOA linux.osn.cxo.cpqcorp.net. hostmaster.osn.cxo.cpqcorp.net. 1412344406 3600 900 1209600 3600
;; Query time: 1 msec
;; SERVER: 16.112.240.59#53(16.112.240.59)
;; WHEN: Fri Oct 03 11:08:35 EDT 2014
;; MSG SIZE rcvd: 108
[root at linux named]# ipactl stop
Stopping Directory Service
Stopping ipa-otpd Service
Stopping pki-tomcatd Service
Stopping httpd Service
Stopping ipa_memcached Service
Stopping named Service
Stopping kadmin Service
Stopping krb5kdc Service
ipa: INFO: The ipactl command was successful
[root at linux named]# systemctl start named
[root at linux named]#
[root at linux named]#
[root at linux named]# dig dl160a.osn.cxo.cpqcorp.net
; <<>> DiG 9.9.4-RedHat-9.9.4-14.el7 <<>> dl160a.osn.cxo.cpqcorp.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28446
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 4
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;dl160a.osn.cxo.cpqcorp.net. IN A
;; ANSWER SECTION:
dl160a.osn.cxo.cpqcorp.net. 43200 IN A 16.112.240.191
;; AUTHORITY SECTION:
osn.cxo.cpqcorp.net. 43200 IN NS cluster.osn.cxo.cpqcorp.net.
osn.cxo.cpqcorp.net. 43200 IN NS win2008.osn.cxo.cpqcorp.net.
osn.cxo.cpqcorp.net. 43200 IN NS denali.osn.cxo.cpqcorp.net.
;; ADDITIONAL SECTION:
win2008.osn.cxo.cpqcorp.net. 43200 IN A 16.112.240.55
cluster.osn.cxo.cpqcorp.net. 43200 IN A 16.112.240.27
denali.osn.cxo.cpqcorp.net. 43200 IN A 16.112.240.40
;; Query time: 4 msec
;; SERVER: 16.112.240.59#53(16.112.240.59)
;; WHEN: Fri Oct 03 11:10:54 EDT 2014
;; MSG SIZE rcvd: 184
Thank you.
--
Petr^2 Spacek
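The two dig captures in this thread differ in one telling detail: with IPA's named running, the NXDOMAIN carries the aa (authoritative answer) flag, so the local server answered from its own copy of osn.cxo.cpqcorp.net and never asked the forwarders (BIND does not forward names inside a zone it is authoritative for); with named alone, aa is absent and the answer came via recursion. The following is an added example, not code from the thread or from FreeIPA, that reads those two signals out of dig output; it assumes only a POSIX shell with sed and head, and the samples are constructed from the header lines quoted above.

```shell
# Added example, not from the thread: classify a dig response by its RCODE and the
# aa (authoritative answer) flag. Assumes a POSIX shell with sed and head.

# Constructed samples: the HEADER and flags lines of the two dig runs quoted above.
IPA_RUNNING_DIG=';; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 6571
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1'
NAMED_ALONE_DIG=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28446
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 4'

# dig_status OUTPUT -> RCODE from the HEADER line (NOERROR, NXDOMAIN, SERVFAIL, ...)
dig_status() {
    printf '%s\n' "$1" | sed -n 's/.*HEADER.*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# dig_has_flag OUTPUT FLAG -> true if FLAG (aa, rd, ra, ...) is set in the flags line
dig_has_flag() {
    flags_=$(printf '%s\n' "$1" | sed -n 's/^;; flags: \([^;]*\);.*/\1/p' | head -n 1)
    case " $flags_ " in
        *" $2 "*) return 0 ;;
        *) return 1 ;;
    esac
}

# classify_dig OUTPUT -> one word saying who produced the answer.
# An aa NXDOMAIN means the local named is authoritative for the queried zone and
# answered from its own data; BIND never forwards a name inside a zone it is
# authoritative for, so forwarders cannot help. Without aa, the answer came
# through recursion or forwarding.
classify_dig() {
    status_=$(dig_status "$1")
    if dig_has_flag "$1" aa; then
        case "$status_" in
            NXDOMAIN) echo authoritative-nxdomain ;;
            NOERROR)  echo authoritative-answer ;;
            *)        echo "authoritative-$status_" ;;
        esac
    else
        case "$status_" in
            NOERROR)  echo recursive-answer ;;
            NXDOMAIN) echo recursive-nxdomain ;;
            *)        echo "recursive-$status_" ;;
        esac
    fi
}

# Stand-alone run over the two constructed captures.
for sample_ in "$IPA_RUNNING_DIG" "$NAMED_ALONE_DIG"; do
    classify_dig "$sample_"
done
```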