[Freeipa-users] FW: named and IpA

Licause, Al (CSC AMS BCS - UNIX/Linux Network Support) licause at hp.com
Fri Oct 3 14:32:42 UTC 2014



-----Original Message-----
From: Licause, Al (CSC AMS BCS - UNIX/Linux Network Support) 
Sent: Friday, October 03, 2014 6:31 AM
To: 'Jan Pazdziora'
Subject: RE: [Freeipa-users] named and IpA


Jan,

After submitting this request, and since these are crash-and-burn lab systems, I reran ipa-server-install --uninstall and ran the installation script again, this time without allowing a local DNS server to be created. Once we got all of our zone files corrected, the system was able to resolve names and addresses, but I have rerun the configurator again today so I can try to answer your questions.

Just after running the configurator and setting up a new IdM server, the resolv.conf contains the following:

search osn.cxo.cpqcorp.net
nameserver 16.112.240.59

This is the domain in which this server resides, and this is the server's IP address.

By default, the /etc/named.conf file that is created only loads the root servers zone and the dynamic-db "ipa" data. It also contains the following forwarder information, which includes the two forwarders as requested in the installation script.

        forward first;
        forwarders {
                16.112.240.27;
                16.112.240.40;
        };

These forwarders are the two primary DNS servers in the domain.

Given that information, the only host that can be resolved at the moment is the local server's name, which is linux:

[root at linux named]# nslookup linux
Server:         16.112.240.59
Address:        16.112.240.59#53

Name:   linux.osn.cxo.cpqcorp.net
Address: 16.112.240.59

[root at linux named]#
[root at linux named]#
[root at linux named]#
[root at linux named]# nslookup denali
Server:         16.112.240.59
Address:        16.112.240.59#53

** server can't find denali: NXDOMAIN

[root at linux named]# nslookup denali.osn.cxo.cpqcorp.net
Server:         16.112.240.59
Address:        16.112.240.59#53

** server can't find denali.osn.cxo.cpqcorp.net: NXDOMAIN


[root at linux named]# nslookup 16.112.240.27
Server:         16.112.240.59
Address:        16.112.240.59#53

** server can't find 27.240.112.16.in-addr.arpa.: NXDOMAIN

[root at linux named]# nslookup www.pbs.org
Server:         16.112.240.59
Address:        16.112.240.59#53

Non-authoritative answer:
www.pbs.org     canonical name = r53-vip.pbs.org.
Name:   r53-vip.pbs.org
Address: 54.160.180.54


As you can see from above, only the local host was successfully resolved using nslookup. Attempts to look up any other host within our own address space fail. We can look up hosts and addresses that are in the public space from the hints zone in the named.conf file.

# dig denali

; <<>> DiG 9.9.4-RedHat-9.9.4-14.el7 <<>> denali
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 30298
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;denali.                                IN      A

;; AUTHORITY SECTION:
.                       10564   IN      SOA     a.root-servers.net. nstld.verisign-grs.com. 2014100300 1800 900 604800 86400

;; Query time: 0 msec
;; SERVER: 16.112.240.59#53(16.112.240.59)
;; WHEN: Fri Oct 03 09:23:13 EDT 2014
;; MSG SIZE  rcvd: 110


As you can see from the dig command, the request is not going past the local host.

But now, if I stop IPA and then restart named on this host, the forwarders appear to work just fine:

[root at linux named]# ipactl stop
Stopping Directory Service
Stopping ipa-otpd Service
Stopping pki-tomcatd Service
Stopping httpd Service
Stopping ipa_memcached Service
Stopping named Service
Stopping kadmin Service
Stopping krb5kdc Service
ipa: INFO: The ipactl command was successful
[root at linux named]# systemctl start named
[root at linux named]# systemctl status named.service
named.service - Berkeley Internet Name Domain (DNS)
   Loaded: loaded (/usr/lib/systemd/system/named.service; disabled)
   Active: active (running) since Fri 2014-10-03 09:24:26 EDT; 8s ago
  Process: 7801 ExecStop=/bin/sh -c /usr/sbin/rndc stop > /dev/null 2>&1 || /bin/kill -TERM $MAINPID (code=exited, status=0/SUCCESS)
  Process: 7820 ExecStart=/usr/sbin/named -u named $OPTIONS (code=exited, status=0/SUCCESS)
  Process: 7818 ExecStartPre=/usr/sbin/named-checkconf -z /etc/named.conf (code=exited, status=0/SUCCESS)
 Main PID: 7823 (named)
   CGroup: /system.slice/named.service
           └─7823 /usr/sbin/named -u named

Oct 03 09:24:26 linux.ipa.osn.cxo.cpqcorp.net named[7823]: managed-keys-zone:...
Oct 03 09:24:26 linux.ipa.osn.cxo.cpqcorp.net named[7823]: zone 0.in-addr.arp...
Oct 03 09:24:26 linux.ipa.osn.cxo.cpqcorp.net named[7823]: zone 1.0.0.127.in-...
Oct 03 09:24:26 linux.ipa.osn.cxo.cpqcorp.net named[7823]: zone 1.0.0.0.0.0.0...
Oct 03 09:24:26 linux.ipa.osn.cxo.cpqcorp.net named[7823]: zone localhost/IN:...
Oct 03 09:24:26 linux.ipa.osn.cxo.cpqcorp.net named[7823]: zone localhost.loc...
Oct 03 09:24:26 linux.ipa.osn.cxo.cpqcorp.net named[7823]: all zones loaded
Oct 03 09:24:26 linux.ipa.osn.cxo.cpqcorp.net named[7823]: running
Oct 03 09:24:26 linux.ipa.osn.cxo.cpqcorp.net named[7823]: ldap_psearch_watch...
Oct 03 09:24:26 linux.ipa.osn.cxo.cpqcorp.net systemd[1]: Started Berkeley In...
Hint: Some lines were ellipsized, use -l to show in full.
 

[root at linux named]# dig denali

; <<>> DiG 9.9.4-RedHat-9.9.4-14.el7 <<>> denali
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 14741
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;denali.                                IN      A

;; AUTHORITY SECTION:
.                       10473   IN      SOA     a.root-servers.net. nstld.verisign-grs.com. 2014100300 1800 900 604800 86400

;; Query time: 4 msec
;; SERVER: 16.112.240.59#53(16.112.240.59)
;; WHEN: Fri Oct 03 09:24:44 EDT 2014
;; MSG SIZE  rcvd: 110

[root at linux named]#
[root at linux named]#
[root at linux named]# nslookup denali
Server:         16.112.240.59
Address:        16.112.240.59#53

Non-authoritative answer:
Name:   denali.osn.cxo.cpqcorp.net
Address: 16.112.240.40

[root at linux named]# nslookup dl160a
Server:         16.112.240.59
Address:        16.112.240.59#53

Non-authoritative answer:
Name:   dl160a.osn.cxo.cpqcorp.net
Address: 16.112.240.191
 

So I have to ask: what is IdM doing internally that prevents the name service from correctly forwarding requests to other local name servers?

Or... what have I failed to configure to get this to work correctly?

I did notice the following text displayed toward the end of the ipa-server-install script run:

Global DNS configuration in LDAP server is empty
You can use 'dnsconfig-mod' command to set global DNS options that would override settings in local named.conf files

Could it be that once we use dnsconfig-mod to add some DNS information to the local 389 Directory Server, this will repair the problem?

And if so, what specifically needs to be added?

Thanks
Al
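
An added diagnostic (example code written for this page, not part of either message) that reads the three artefacts quoted above, resolv.conf, the forwarders block and a dig reply, and states what the reply does and does not prove: dig does not apply the resolv.conf search list unless run with +search, so `dig denali` returns NXDOMAIN backed by the root SOA whether or not forwarding works, while `nslookup denali` does apply the search list. The inputs below are constructed from the values in the thread.

```python
import re

# Constructed samples, abbreviated from the values quoted in the thread.
RESOLV_CONF = "search osn.cxo.cpqcorp.net\nnameserver 16.112.240.59\n"
NAMED_CONF = "options {\n  forward first;\n  forwarders { 16.112.240.27; 16.112.240.40; };\n};\n"
DIG_OUTPUT = """;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 30298
;; QUESTION SECTION:
;denali.                                IN      A
;; AUTHORITY SECTION:
.                       10564   IN      SOA     a.root-servers.net. nstld.verisign-grs.com. 2014100300 1800 900 604800 86400
;; SERVER: 16.112.240.59#53(16.112.240.59)
"""

def parse_resolv(text):  # (search domains, nameserver IPs) from resolv.conf text
    lines = [l.split() for l in text.splitlines() if l.strip()]
    search = [d for l in lines if l[0] == "search" for d in l[1:]]
    return search, [l[1] for l in lines if l[0] == "nameserver"]

def parse_forwarders(text):  # (forward policy, forwarder IPs) from a named.conf options block
    policy = re.search(r"\bforward\s+(first|only)\s*;", text)
    block = re.search(r"forwarders\s*\{([^}]*)\}", text)
    ips = re.findall(r"\d+(?:\.\d+){3}", block.group(1)) if block else []
    return (policy.group(1) if policy else None), ips

def parse_dig(text):  # status, question name, SOA owner of a negative reply, answering server
    soa = re.search(r"^(\S+)\s+\d+\s+IN\s+SOA\b", text, re.M)
    return {"status": re.search(r"status:\s*(\w+)", text).group(1),
            "qname": re.search(r"^;(\S+)\s+IN\s+\w+", text, re.M).group(1),
            "soa_owner": soa.group(1) if soa else None,
            "server": re.search(r";; SERVER:\s*([\d.]+)", text).group(1)}

def diagnose(dig_text, resolv_text, named_text):
    """Explain what a dig reply does and does not prove about forwarding."""
    search, servers = parse_resolv(resolv_text)
    policy, forwarders = parse_forwarders(named_text)
    d, findings = parse_dig(dig_text), []
    if d["server"] not in servers:  # the reply did not come through the local resolver
        findings.append("answered by %s, which is not a resolv.conf nameserver" % d["server"])
    if d["status"] != "NXDOMAIN":
        return findings
    name = d["qname"].rstrip(".")
    if "." not in name and search:  # dig ignores the search list unless run with +search
        findings.append("inconclusive: '%s' is unqualified and dig ignores the search list; retest %s.%s"
                        % (name, name, search[0]))
    if d["soa_owner"] == ".":  # the negative answer was synthesized at the root, not by an internal zone
        findings.append("negative answer carries the root SOA: no internal zone claimed the name")
    if forwarders:  # confirm each forwarder's own view of the name before blaming named
        findings.append("forward %s via %s: query each directly with dig @<ip> to compare"
                        % (policy, ", ".join(forwarders)))
    return findings
```

Running `diagnose(DIG_OUTPUT, RESOLV_CONF, NAMED_CONF)` on the constructed reply flags the unqualified query first, which is the test to redo before drawing conclusions about the forwarders.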


-----Original Message-----
From: Jan Pazdziora [mailto:jpazdziora at redhat.com]
Sent: Thursday, October 02, 2014 11:23 PM
To: Licause, Al (CSC AMS BCS - UNIX/Linux Network Support)
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] named and IpA

On Thu, Oct 02, 2014 at 05:05:10PM +0000, Licause, Al (CSC AMS BCS - UNIX/Linux Network Support) wrote:
> 
> From the IdM server we can only look up local records. The name
> resolver will not attempt to look to any other name servers or domains
> defined in /etc/resolv.conf

What exactly is in your /etc/resolv.conf? Just the IP address of the IPA server (localhost), or some other records?

> If I shutdown IdM using ipactl stop and then restart named, the name 
> resolver works for local and remote hosts, addresses and domains as 
> well as serving up the SRV records defined on the local host.

So if all IdM services are running, you do not seem to have named observing forwarders settings but if you only run named on the IdM machine and nothing else, it starts to observe them?

Can you show dig output for one of the problematic records to see which DNS server is answering the query?

--
Jan Pazdziora
Principal Software Engineer, Identity Management Engineering, Red Hat
