[Freeipa-users] FW: named and IpA

Licause, Al (CSC AMS BCS - UNIX/Linux Network Support) licause at hp.com
Fri Oct 3 15:13:04 UTC 2014



-----Original Message-----
From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Petr Spacek
Sent: Friday, October 03, 2014 1:26 AM
To: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] named and IpA

On 2.10.2014 19:05, Licause, Al (CSC AMS BCS - UNIX/Linux Network Support) wrote:
> We have IdM running on a RHEL V7 system and have configured a local 
> DNS server in our test lab.
>
> We have loaded the various SRV and TXT records needed by the IdM server.
>
>
> PROBLEM:
>
> From the IdM server we can only look up local records.  The name 
> resolver will not attempt to look to any other name servers or domains defined in 
> /etc/resolv.conf
>
> If I shutdown IdM using ipactl stop and then restart named, the name 
> resolver works for local and remote hosts, addresses and domains as 
> well as serving up the SRV records defined on the local host.
>
> Am I correct in assuming that while IdM is up and running, the only 
> other systems it will communicate with, at least with regard to name 
> services, is another host also running IdM defined either as a server or a client?
>
> If this is the case, is there any way to better integrate some of these 
> common services such as named into an existing network such that you are not limited by the IdM components?

I would like to get additional information about your environment:
- Is the IPA server installed with DNS or not? Did you use option --setup-dns during ipa-server-install?

>>   I have tried it both ways, but the most current in which we see this behavior I ran ipa-server-install with
>>   no arguments and said yes to the question about installing DNS. I then replied with two valid forwarders.
>>   In a previous installation, we added two of our local zones from one of the other DNS servers
>>   and then added the sample zone provided by the installation which contained the various SRV and TXT
>>   records. But for current reporting of this problem, we did not add/load the other zone files.

- Which DNS zones do you have defined on IPA server? You can use command "ipa dnszone-find" to list all zones.

[root at linux named]# ipa dnsconfig-mod --forwarder=16.112.240.27;16.112.240.40
ipa: ERROR: no modifications to be performed
bash: 16.112.240.40: command not found...
[root at linux named]# ipa dnszone-find
  Zone name: 240.112.16.in-addr.arpa.
  Authoritative nameserver: linux.osn.cxo.cpqcorp.net.
  Administrator e-mail address: hostmaster.osn.cxo.cpqcorp.net.
  SOA serial: 1412344406
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  Active zone: TRUE
  Allow query: any;
  Allow transfer: none;

  Zone name: osn.cxo.cpqcorp.net
  Authoritative nameserver: linux.osn.cxo.cpqcorp.net.
  Administrator e-mail address: hostmaster.osn.cxo.cpqcorp.net.
  SOA serial: 1412344406
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  Active zone: TRUE
  Allow query: any;
  Allow transfer: none;
----------------------------
Number of entries returned 2
----------------------------

- Are there any other DNS servers serving the same DNS zones?

>>  Yes, we left the other two existing DNS servers in place as they are our primary name servers for this lab segment.
>>  Those are the two systems we have entered as forwarders.

- Did you configure forwarders in /etc/named.conf or via ipa command line tools (ipa dnsconfig-mod or --forwarder option during ipa-server-install)?

>>  The forwarders were placed in the /etc/named.conf file by the ipa-server-install script or one of its subordinate scripts.
>>  I did try entering the forward policy and forwarders using ipa dnsconfig-mod but they didn't seem to change the behavior.
>>  One thing I did notice was that ipa dnsconfig-mod --forwarder= only allowed one forwarder to be entered; adding
>>  a second entry on the line resulted in an error. If entered with a second --forwarders command, the previous forwarder
>>  was replaced by the new one. So if there is a particular syntax that would allow more than one entry, can you please
>>  post same?

- Please attach result of DNS lookups using "dig" command: One output when it doesn't work (i.e. with IPA running) and the other when it works as you expect (i.e. after "ipactl stop" and "service named restart").

>> with ipa running:

[root at linux named]# nslookup dl160a.osn.cxo.cpqcorp.net
Server:         16.112.240.59
Address:        16.112.240.59#53

** server can't find dl160a.osn.cxo.cpqcorp.net: NXDOMAIN

[root at linux named]# dig dl160a.osn.cxo.cpqcorp.net

; <<>> DiG 9.9.4-RedHat-9.9.4-14.el7 <<>> dl160a.osn.cxo.cpqcorp.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 6571
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;dl160a.osn.cxo.cpqcorp.net.    IN      A

;; AUTHORITY SECTION:
osn.cxo.cpqcorp.net.    3600    IN      SOA     linux.osn.cxo.cpqcorp.net. hostmaster.osn.cxo.cpqcorp.net. 1412344406 3600 900 1209600 3600

;; Query time: 1 msec
;; SERVER: 16.112.240.59#53(16.112.240.59)
;; WHEN: Fri Oct 03 11:08:35 EDT 2014
;; MSG SIZE  rcvd: 108

 
[root at linux named]# ipactl stop
Stopping Directory Service
Stopping ipa-otpd Service
Stopping pki-tomcatd Service
Stopping httpd Service
Stopping ipa_memcached Service
Stopping named Service
Stopping kadmin Service
Stopping krb5kdc Service
ipa: INFO: The ipactl command was successful
 
[root at linux named]# systemctl start named
[root at linux named]#
[root at linux named]#
[root at linux named]# dig dl160a.osn.cxo.cpqcorp.net

; <<>> DiG 9.9.4-RedHat-9.9.4-14.el7 <<>> dl160a.osn.cxo.cpqcorp.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28446
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 4

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;dl160a.osn.cxo.cpqcorp.net.    IN      A

;; ANSWER SECTION:
dl160a.osn.cxo.cpqcorp.net. 43200 IN    A       16.112.240.191

;; AUTHORITY SECTION:
osn.cxo.cpqcorp.net.    43200   IN      NS      cluster.osn.cxo.cpqcorp.net.
osn.cxo.cpqcorp.net.    43200   IN      NS      win2008.osn.cxo.cpqcorp.net.
osn.cxo.cpqcorp.net.    43200   IN      NS      denali.osn.cxo.cpqcorp.net.

;; ADDITIONAL SECTION:
win2008.osn.cxo.cpqcorp.net. 43200 IN   A       16.112.240.55
cluster.osn.cxo.cpqcorp.net. 43200 IN   A       16.112.240.27
denali.osn.cxo.cpqcorp.net. 43200 IN    A       16.112.240.40

;; Query time: 4 msec
;; SERVER: 16.112.240.59#53(16.112.240.59)
;; WHEN: Fri Oct 03 11:10:54 EDT 2014
;; MSG SIZE  rcvd: 184


Thank you.

--
Petr^2 Spacek

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
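Added for readers of the archive (not part of the thread and not FreeIPA code): a small Python parser for the two dig captures pasted above. It reads the header status, the flags and the per-section records, and reports whether the reply came from a zone the responding named hosts itself (the `aa` flag is set) or was obtained by recursion or forwarding. The trimmed dig text is copied from the captures in the message; the meaning of `aa` is the standard DNS header semantics.

```python
import re

# Trimmed copies of the two dig captures from the thread, embedded here as
# sample input (constructed from the pasted output) so the script runs offline.
DIG_IPA_RUNNING = """\
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 6571
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; AUTHORITY SECTION:
osn.cxo.cpqcorp.net.    3600    IN      SOA     linux.osn.cxo.cpqcorp.net. hostmaster.osn.cxo.cpqcorp.net. 1412344406 3600 900 1209600 3600
"""
DIG_IPA_STOPPED = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28446
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 4
;; ANSWER SECTION:
dl160a.osn.cxo.cpqcorp.net. 43200 IN    A       16.112.240.191
;; AUTHORITY SECTION:
osn.cxo.cpqcorp.net.    43200   IN      NS      cluster.osn.cxo.cpqcorp.net.
osn.cxo.cpqcorp.net.    43200   IN      NS      win2008.osn.cxo.cpqcorp.net.
osn.cxo.cpqcorp.net.    43200   IN      NS      denali.osn.cxo.cpqcorp.net.
"""


def parse_dig(text):
    """Return (status, flags, sections); sections maps e.g. "ANSWER" -> [(name, ttl, type, rdata)]."""
    status = re.search(r"status: (\w+)", text).group(1)
    flags = set(re.search(r";; flags: ([a-z ]*);", text).group(1).split())
    sections, current = {}, None
    for line in text.splitlines():
        m = re.match(r";; (\w+) SECTION:", line)
        if m:                      # start of the ANSWER/AUTHORITY/ADDITIONAL section
            current = m.group(1)
            sections[current] = []
        elif current and line and not line.startswith(";"):
            name, ttl, _cls, rtype, rdata = line.split(None, 4)
            sections[current].append((name, int(ttl), rtype, rdata))
    return status, flags, sections


def diagnose(text):
    """Say whether the reply came from a locally hosted zone or from recursion/forwarding."""
    status, flags, sections = parse_dig(text)
    if "aa" in flags:
        # 'aa' means the responding named is authoritative for the queried name's zone;
        # an authoritative NXDOMAIN is final and is never forwarded, whatever the forwarders are.
        zone = sections["AUTHORITY"][0][0] if sections.get("AUTHORITY") else "?"
        return f"authoritative {status} from locally hosted zone {zone}"
    answers = sections.get("ANSWER", [])
    nameservers = sorted(r[3] for r in sections.get("AUTHORITY", []) if r[2] == "NS")
    return (f"non-authoritative {status} with {len(answers)} answer(s); "
            f"zone is served by {', '.join(nameservers)}")
```

Run over the two captures, the failing query is an authoritative NXDOMAIN from the osn.cxo.cpqcorp.net zone that the IPA named hosts itself, while the working one is a non-authoritative answer whose authority section lists three other nameservers for the same zone.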
