[Freeipa-users] DNS lookups after replica(master) added
Martin Basti
mbasti at redhat.com
Wed Apr 22 18:52:06 UTC 2015
On 22/04/15 18:40, Cory Carlton wrote:
> Hey all,
>
> I for some reason do not ever get responses from doing DNS lookups to
> my new servers that have been stood up and replicated as Masters with
> CA, and DNS options entered at command line.
>
> Is there any trick or configuration to allow anonymous for my servers
> without IPA Client installed to talk to these?
>
> It does not allow lookups.
> iptables has even been turned off for testing.
> telnet to server via 53 works.
> Stand-alone IPA server LDAP DNS Kerberos usages
>
>
> [root@DOMAIN ~]# ipa dnsconfig-show --rights --all --raw
> ---------------------------------
> Global DNS configuration is empty
> ---------------------------------
> dn: cn=dns,dc=int,dc=DOMAIN,dc=com
> aci: (targetattr = "*")(version 3.0; acl "Allow read access"; allow
> (read,search,compare) groupdn = "ldap:///cn=Read DNS
> Entries,cn=permissions,cn=pbac,dc=int,dc=DOMAIN,dc=com" or userattr =
> "parent[0,1].managedby#GROUPDN";)
> aci: (target =
> "ldap:///idnsname=*,cn=dns,dc=int,dc=DOMAIN,dc=com")(version 3.0;acl
> "Add DNS entries in a zone";allow (add) userattr =
> "parent[1].managedby#GROUPDN";)
> aci: (target =
> "ldap:///idnsname=*,cn=dns,dc=int,dc=DOMAIN,dc=com")(version 3.0;acl
> "Remove DNS entries from a zone";allow (delete) userattr =
> "parent[1].managedby#GROUPDN";)
> aci: (targetattr = "idnsname || cn || idnsallowdynupdate || dnsttl
> || dnsclass || arecord || aaaarecord || a6record || nsrecord ||
> cnamerecord || ptrrecord || srvrecord || txtrecord || mxrecord ||
> mdrecord || hinforecord || minforecord || afsdbrecord || sigrecord ||
> keyrecord || locrecord || nxtrecord || naptrrecord || kxrecord ||
> certrecord || dnamerecord || dsrecord || sshfprecord || rrsigrecord ||
> nsecrecord || idnsname || idnszoneactive || idnssoamname ||
> idnssoarname || idnssoaserial || idnssoarefresh || idnssoaretry ||
> idnssoaexpire || idnssoaminimum || idnsupdatepolicy || idnsallowquery
> || idnsallowtransfer || idnsallowsyncptr || idnsforwardpolicy ||
> idnsforwarders")(target =
> "ldap:///idnsname=*,cn=dns,dc=int,dc=DOMAIN,dc=com")(version 3.0;acl
> "Update DNS entries in a zone";allow (write) userattr =
> "parent[0,1].managedby#GROUPDN";)
> attributelevelrights: {'cn': u'rscwo', 'idnsforwardpolicy':
> u'rscwo', 'objectclass': u'rscwo', 'idnsallowsyncptr': u'rscwo',
> 'idnsforwarders': u'rscwo', 'idnspersistentsearch': u'rscwo',
> 'idnszonerefresh': u'rscwo', 'aci': u'rscwo', 'nsaccountlock': u'rscwo'}
> cn: dns
> objectclass: idnsConfigObject
> objectclass: nsContainer
> objectclass: top
>
>
Hello,
Can you share more details please?
What is your IPA version?
What is your zone, how do you test it (dig/host command?), and what is the
output from these commands?
Do you have any errors in the named log on the replicas? (journalctl -u named or
journalctl -u named-pkcs11, depending on IPA version)
Is /etc/resolv.conf configured properly on the client?
What kind of anonymous connections to the DNS server do you mean? Standard
DNS queries? nsupdate?
Martin
--
Martin Basti
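The checks Martin asks for above, as an added example that is not part of the thread: a small POSIX shell helper that tells a successful dig answer apart from an empty or failed one and confirms that resolv.conf points at the replica. REPLICA, REPLICA_IP and ZONE are placeholders, and the sample dig/resolv.conf text is constructed, not captured from a real server.

```shell
#!/bin/sh
# Added diagnostic helper (not from the thread). Assumes dig from bind-utils
# on the client; REPLICA, REPLICA_IP and ZONE are placeholders to fill in.

# dig_answered: read `dig` output on stdin; exit 0 only when the header says
# status NOERROR and the flags line reports ANSWER: >= 1. A NOERROR reply
# with zero answers (NODATA) is treated as a failure, as is NXDOMAIN/SERVFAIL.
dig_answered() {
    awk '
        /;; ->>HEADER<<-/ && /status: NOERROR/ { ok = 1 }
        /^;; flags:/ {
            for (i = 1; i <= NF; i++)
                if ($i == "ANSWER:") { n = $(i + 1); sub(/,/, "", n); answers = n + 0 }
        }
        END { if (ok && answers > 0) exit 0; exit 1 }
    '
}

# resolv_has_nameserver IP: read resolv.conf text on stdin; exit 0 when a
# "nameserver IP" line for the replica is present.
resolv_has_nameserver() {
    awk -v want="$1" '$1 == "nameserver" && $2 == want { found = 1 }
                      END { if (found) exit 0; exit 1 }'
}

# Constructed sample output so the parsers can be exercised offline.
SAMPLE_DIG_OK=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_DIG_NXDOMAIN=';; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 4243
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1'
SAMPLE_RESOLV='search int.example.com
nameserver 192.0.2.10'

# Live usage on a client (needs network access to the replica):
#   dig @"$REPLICA" "$ZONE" SOA +time=3 +tries=1 | dig_answered && echo "SOA lookup OK"
#   resolv_has_nameserver "$REPLICA_IP" < /etc/resolv.conf && echo "resolv.conf OK"
# On the replica itself, per Martin's suggestion (unit name depends on IPA version):
#   journalctl -u named -u named-pkcs11 --since "-1h" | grep -iE 'error|denied'
```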