[Freeipa-users] Ping forwarded domain name.

TomK tk at mdevsys.com
Wed Nov 23 02:48:25 UTC 2016


On 11/22/2016 10:22 AM, Martin Basti wrote:
>
>
> On 22.11.2016 13:57, TomK wrote:
>> On 11/22/2016 2:59 AM, Martin Basti wrote:
>>> Hey,
>>>
>>>
>>> On 22.11.2016 06:33, TomK wrote:
>>>> Hey Guys,
>>>>
>>>> I'm forwarding a domain dom.abc.xyz from a Windows Server 2012 over to
>>>> my dual Free IPA server.  The Free IPA servers are authoritative for
>>>> this subdomain.  The Windows Server 2012 DNS resolves abc.xyz
>>>> and forwards dom.abc.xyz.
>>> Do you have configured proper zone delegation for subdomain dom.abc.xyz?
>>> Proper NS and glue records
>>> http://www.zytrax.com/books/dns/ch9/delegate.html
>>>
>>>>
>>>> I cannot ping dom.abc.xyz.  Everything else, including client
>>>> registrations, work fine.  If Free IPA is authoritative  on
>>>> dom.abc.xyz, should it not create DNS entries so the sub domain can be
>>>> pinged as well?
>>>
>>> What do you mean by "ping"?
>>>
>>>>
>>>> /etc/resolv.conf also gets regenerated on reboot on the IPA Servers
>>>> and wanted to ask if you can point me to some materials online to
>>>> determine where can I permanently adjust the search to add dom.abc.xyz
>>>> to the already present abc.xyz .  I wasn't able to locate what I
>>>> needed in my searches.
>>>>
>>>> I'm using the latest v4.
>>>
>>> It depends on what you are using, probably you have NetworkManager there
>>> that is editing /etc/resolv.conf
>>>
>>> https://ask.fedoraproject.org/en/question/67752/how-do-i-add-a-search-domain-using-networkmanager/
>>>
>>>
>>>
>>> Martin
>>
>>
>> I uninstalled NetworkManager.  Still changes.
>> ping dom.abc.com results in "ping: unknown host"
>>
>> I'll have a look at the first link, ty.
>>
>
> ping (ICMP protocol) and DNS system are different things, do you have
> hostname dom.abc.com with A record or it is a zone?
>
> with ping command hostname "dom.abc.com" is resolved to IP address
> first, do you have A record set for dom.abc.com in zone apex or what are
> you trying to achieve with ping command?
>
> for testing DNS try to use commands: dig, host, nslookup
>
> Martin
>

Apologies for the long reply, but it should give some background on what
it is that I'm doing.

1) dom.abc.com is a zone.  There is no A record for dom.abc.com in 
FreeIPA (Confirmed by Petr).  I get the point Petr Spacek pointed out in 
his comment as well.  What should it really point to? ( I kind of
answer this question below so please read on. )  Where I'm getting this 
from is that in Windows Server 2012 abc.com returns the IP of any of the 
participating AD / DNS servers within the cluster (The two Windows 
Server 2012 are a combined clustered AD + DNS servers.).  Being able to 
resolve abc.xyz is handy.  During a lookup, I can get a list of all the 
IP's associated with that domain which would indicate all the DNS + AD 
servers online under that domain or serving that domain:


# nslookup abc.xyz
Server:         192.168.0.3
Address:        192.168.0.3#53

Name:   abc.xyz
Address: 192.168.0.3
Name:   abc.xyz
Address: 192.168.0.1
Name:   abc.xyz
Address: 192.168.0.2
#

Again, where this is handy is when configuring sssd.conf for example or 
other apps for that matter.  I can just point the app to authenticate 
against the domain and I have my redundancy solved.  Windows Server 2012 
does it, but FreeIPA didn't, so I threw the question out there.

Delegation from this Windows DNS works as expected.  Any lookup from 
dom.abc.xyz is forwarded to and handled by FreeIPA servers.  Tested
this out. No issue with this.

I did see earlier that there is no A record for dom.abc.xyz in FreeIPA. 
My reasons for asking if there was an IP on the subdomain in FreeIPA 
were above but the missing IP on the subdomain isn't a major issue for 
me.  Things are working without dom.abc.xyz resolving to an IP.  What I 
was hoping for is to have a VIP for the IPA servers and one for the 
Windows Server 2012 DNS Cluster in /etc/resolv.conf.  (I have the VIP 
for the windows server).  One forwarding to the other for a given 
domain.  This is all for testing a) redundancy, b) forwarding, c)
authentication.

I.e.:

# cat /etc/resolv.conf
search nix.mds.xyz mds.xyz
nameserver 192.168.0.3            <------------ Win Cluster DNS VIP
nameserver 192.168.0.4            <------------ IPA Cluster DNS VIP

* Just what I want to achieve above.  VIP 192.168.0.4 doesn't exist on 
my cluster yet.  I'm looking to integrate ucarp with the above IPA 
servers.


2) More to the topic of my second question however, is that 
/etc/resolv.conf, on the IPA servers themselves, gets rewritten on
restart.  I'd like to know by what, if I've already uninstalled
NetworkManager.  When I configured the FreeIPA server, I used:

ipa-server-install --setup-dns --forwarder=192.168.0.3 -p "Hush!" -a 
"Hush!" -r DOM.ABC.XYZ -n dom.abc.xyz --hostname ipa01.dom.abc.xyz

Notice I used the VIP of the Windows Server 2012 Cluster when installing 
FreeIPA.  This is nice for redundancy.  So the resolv.conf ends up being:

# cat /etc/resolv.conf
# Generated by NetworkManager
search abc.xyz
nameserver 192.168.0.3
nameserver 123.123.123.1
nameserver 123.123.123.2

Then I add:

search dom.abc.xyz abc.xyz

but it changes back to search abc.xyz (the Windows Server 2012 DNS). 
This all works, except for the above minor items, and I can resolve 
anything over this network.  (  Thinking this is fine because the 
forward is on the subdomain.  I haven't had issues with forwarding 
through this setup.  )

# cat /etc/resolv.conf
# Generated by NetworkManager
search abc.xyz
nameserver 192.168.0.3
nameserver 123.123.123.1
nameserver 123.123.123.2

But NetworkManager is not installed on these IPA servers.  I've removed 
it earlier:

# rpm -aq|grep -i NetworkManager
#

Is FreeIPA replacing /etc/resolv.conf with a copy it keeps elsewhere?

3) After running:

ipa-client-install --mkhomedir --enable-dns-updates

on a new host, the hostname of the new host doesn't resolve for a few 
minutes.  How do I make this instantaneous?  (Other than that,
autodiscovery of the IPA servers is excellent!).  Before installing the 
IPA Client, the new host's /etc/resolv.conf file looks like this:

# cat /etc/resolv.conf
search abc.xyz
nameserver 192.168.0.3
nameserver 123.123.123.1
nameserver 123.123.123.2

I did dig, host, nslookup earlier.  Verified all except for the items 
I'm inquiring about.

-- 
Cheers,
Tom K.
-------------------------------------------------------------------------------------

Living on earth is expensive, but it includes a free trip around the sun.
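Two of the checks Martin suggests (confirming the delegation with proper NS and glue records, and checking what /etc/resolv.conf actually contains after a reboot) can be done from captured output without touching the live servers. The script below is an added example written for this thread; it is not code from the thread or from FreeIPA. The dig referral and the resolv.conf text are constructed samples, the glue addresses 192.168.0.10/11 and the helper names (parse_dig_sections, check_delegation, parse_resolv_conf, missing_search_domains) are this example's own assumptions, and one NS is deliberately left without glue so the delegation check has something to report.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: a referral in dig's output layout, as the parent
# (Windows) DNS server might answer `dig +norecurse NS dom.abc.xyz @192.168.0.3`.
# ipa02's glue A record is intentionally missing to show the check firing.
SAMPLE_DIG_OUTPUT = """\
;; QUESTION SECTION:
;dom.abc.xyz.\t\t\tIN\tNS

;; AUTHORITY SECTION:
dom.abc.xyz.\t\t3600\tIN\tNS\tipa01.dom.abc.xyz.
dom.abc.xyz.\t\t3600\tIN\tNS\tipa02.dom.abc.xyz.

;; ADDITIONAL SECTION:
ipa01.dom.abc.xyz.\t3600\tIN\tA\t192.168.0.10
"""

# Constructed sample resolv.conf in the shape shown in the thread: the
# search list lacks the subdomain the poster wants to add.
SAMPLE_RESOLV_CONF = """\
# Generated by NetworkManager
search abc.xyz
nameserver 192.168.0.3
nameserver 123.123.123.1
"""

Record = Tuple[str, str, str]  # (owner name, rrtype, rdata), all lower-cased


def parse_dig_sections(text: str) -> Dict[str, List[Record]]:
    """Split dig output into its ';; ... SECTION:' blocks, keeping resource records only."""
    sections: Dict[str, List[Record]] = {}
    current = None
    for line in text.splitlines():
        m = re.match(r";; (\w+) SECTION:", line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
            continue
        # Skip text outside a section, blank lines and dig's ';' comment lines
        if current is None or not line.strip() or line.startswith(";"):
            continue
        fields = line.split()  # owner ttl class type rdata...
        if len(fields) < 5:
            continue
        sections[current].append(
            (fields[0].lower(), fields[3].upper(), " ".join(fields[4:]).lower())
        )
    return sections


def check_delegation(dig_output: str, zone: str) -> List[str]:
    """Report delegation problems visible in the parent's referral for `zone`:
    no NS records at all, or NS names inside the zone that carry no glue."""
    zone = zone.rstrip(".").lower() + "."
    sections = parse_dig_sections(dig_output)
    ns_names = [
        rdata
        for sec in ("ANSWER", "AUTHORITY")
        for owner, rtype, rdata in sections.get(sec, [])
        if owner == zone and rtype == "NS"
    ]
    problems: List[str] = []
    if not ns_names:
        problems.append(f"no NS records for {zone} in the referral")
    glued = {owner for owner, rtype, _ in sections.get("ADDITIONAL", []) if rtype in ("A", "AAAA")}
    for ns in ns_names:
        # Only names below the delegated zone need glue; out-of-zone NS names resolve normally
        in_zone = ns == zone or ns.endswith("." + zone)
        if in_zone and ns not in glued:
            problems.append(f"{ns} is an in-zone NS but has no glue A/AAAA record")
    return problems


def parse_resolv_conf(text: str) -> Dict[str, List[str]]:
    """Extract the effective search list and nameservers; the last search/domain line wins."""
    search: List[str] = []
    nameservers: List[str] = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        key, *values = line.split()
        if key in ("search", "domain"):
            search = values
        elif key == "nameserver":
            nameservers.extend(values)
    return {"search": search, "nameservers": nameservers}


def missing_search_domains(conf: Dict[str, List[str]], wanted: List[str]) -> List[str]:
    """Return the domains from `wanted` that the parsed resolv.conf does not search."""
    present = {d.lower().rstrip(".") for d in conf["search"]}
    return [d for d in wanted if d.lower().rstrip(".") not in present]


if __name__ == "__main__":
    for problem in check_delegation(SAMPLE_DIG_OUTPUT, "dom.abc.xyz"):
        print("delegation:", problem)
    conf = parse_resolv_conf(SAMPLE_RESOLV_CONF)
    print("resolv.conf search list:", conf["search"], "nameservers:", conf["nameservers"])
    print("not searched:", missing_search_domains(conf, ["dom.abc.xyz", "abc.xyz"]))
```

To use it against a real setup, feed check_delegation the text of a `dig +norecurse NS <subdomain> @<parent server>` run and parse_resolv_conf the contents of /etc/resolv.conf captured right after a reboot; comparing that capture with the file as edited shows exactly which lines the rewriting process replaces, which is the evidence needed to find out what is regenerating it.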