[Freeipa-users] Ping forwarded domain name.

Petr Spacek pspacek at redhat.com
Thu Nov 24 09:49:54 UTC 2016 

On 24.11.2016 06:08, TomK wrote:
> On 11/23/2016 3:28 AM, Martin Basti wrote:
>>
>>
>> On 23.11.2016 03:48, TomK wrote:
>>> On 11/22/2016 10:22 AM, Martin Basti wrote:
>>>>
>>>>
>>>> On 22.11.2016 13:57, TomK wrote:
>>>>> On 11/22/2016 2:59 AM, Martin Basti wrote:
>>>>>> Hey,
>>>>>>
>>>>>>
>>>>>> On 22.11.2016 06:33, TomK wrote:
>>>>>>> Hey Guy's,
>>>>>>>
>>>>>>> I'm forwarding a domain dom.abc.xyz from a Windows Server 2012
>>>>>>> over to
>>>>>>> my dual Free IPA server.  The Free IPA servers are authoritative for
>>>>>>> this subdomain.  The Windows Server 2012 DNS is resolves on abc.xyz
>>>>>>> and forwards dom.abc.xyz.
>>>>>> Do you have configured proper zone delegation for subdomain
>>>>>> dom.abc.xyz?
>>>>>> Proper NS and glue records
>>>>>> http://www.zytrax.com/books/dns/ch9/delegate.html
>>>>>>
>>>>>>>
>>>>>>> I cannot ping dom.abc.xyz.  Everything else, including client
>>>>>>> registrations, work fine.  If Free IPA is authoritative on
>>>>>>> dom.abc.xyz, should it not create DNS entries so the sub domain
>>>>>>> can be
>>>>>>> pinged as well?
>>>>>>
>>>>>> What do you mean by "ping"?
>>>>>>
>>>>>>>
>>>>>>> /etc/resolv.conf also get's regenerated on reboot on the IPA Servers
>>>>>>> and wanted to ask if you can point me to some materials online to
>>>>>>> determine where can I permanently adjust the search to add
>>>>>>> dom.abc.xyz
>>>>>>> to the already present abc.xyz .  I wasn't able to locate what I
>>>>>>> needed in my searches.
>>>>>>>
>>>>>>> I'm using the latest v4.
>>>>>>
>>>>>> It depends on what are you using, probably you have NetworkManager
>>>>>> there
>>>>>> that is editing /etc/resolv.conf
>>>>>>
>>>>>> https://ask.fedoraproject.org/en/question/67752/how-do-i-add-a-search-domain-using-networkmanager/
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> Martin
>>>>>
>>>>>
>>>>> I Uninstalled NetworkManager.  Still changes.
>>>>> ping dom.abc.com results in "ping: unknown host"
>>>>>
>>>>> I'll have a look at the first link, ty.
>>>>>
>>>>
>>>> ping (ICMP protocol) and DNS system are different things, do you have
>>>> hostname dom.abc.com with A record or it is a zone?
>>>>
>>>> with ping command hostname "dom.abc.com" is resolved to IP address
>>>> first, do you have A record set for dom.abc.com in zone apex or what are
>>>> you trying to achieve with ping command?
>>>>
>>>> for testing DNS try to use commands: dig, host, nslookup
>>>>
>>>> Martin
>>>>
>>>
>>> Apologize for the long reply but it should give some background on
>>> what it is that I'm doing.
>>>
>>> 1) dom.abc.com is a zone.  There is no A record for dom.abc.com in
>>> FreeIPA (Confirmed by Petr).  I get the point Petr Spacek pointed out
>>> in his comment as well.  What should it really point too? ( I kind of
>>> answer this question below so please read on. )  Where I'm getting
>>> this from is that in Windows Server 2012 abc.com returns the IP of any
>>> of the participating AD / DNS servers within the cluster (The two
>>> Windows Server 2012 are a combined clustered AD + DNS servers.).
>>> Being able to resolve abc.xyz is handy.  During a lookup, I can get a
>>> list of all the IP's associated with that domain which would indicate
>>> all the DNS + AD servers online under that domain or serving that domain:
>>>
>>>
>>> # nslookup abc.xyz
>>> Server:         192.168.0.3
>>> Address:        192.168.0.3#53
>>>
>>> Name:   abc.xyz
>>> Address: 192.168.0.3
>>> Name:   abc.xyz
>>> Address: 192.168.0.1
>>> Name:   abc.xyz
>>> Address: 192.168.0.2
>>> #
>>>
>>> Again, where this is handy is when configuring sssd.conf for example
>>> or other apps for that matter.  I can just point the app to
>>> authenticate against the domain and I have my redundancy solved.
>>> Windows Server 2012 does it, but FreeIPA didn't, so I threw the
>>> question out there.
>>
>> IPA uses SRV records heavily, all IPA related services have SRV records,
>> SSSD uses SRV records of IPA, client should use SRV record to connect to
>> the right service (or URI record - will be in next IPA). SRV records
>> work for IPA locations mechanism, we cannot achieve this with pure A
>> records.
>>
>>>
>>> Delegation from this Windows DNS works as expected.  Any lookup from
>>> dom.abc.xyz is forwarded too and handled by FreeIPA servers. Tested
>>> this out. No issue with this.
>>>
>>> I did see earlier that there is no A record for dom.abc.xyz in
>>> FreeIPA. My reasons for asking if there was an IP on the subdomain in
>>> FreeIPA were above but the missing IP on the subdomain isn't a major
>>> issue for me.  Things are working without dom.abc.xyz resolving to an
>>> IP.  What I was hoping for is to have a VIP for the IPA servers and
>>> one for the Windows Server 2012 DNS Cluster in /etc/resolv.conf.  (I
>>> have the VIP for the windows server).  One forwarding to the other for
>>> a given domain.  This is all for testing a) redundancy, b) forwarding,
>>> a) authentication .
>>>
>>> IE:
>>>
>>> # cat /etc/resolv.conf
>>> search dom.abc.xyz abc.xyz
>>> nameserver 192.168.0.3            <------------ Win Cluster DNS VIP
>>> nameserver 192.168.0.4            <------------ IPA Cluster DNS VIP
>>>
>>> * Just what I want to achieve above.  VIP 192.168.0.4 doesn't exist on
>>> my cluster yet.  I'm looking to integrate ucarp with the above IPA
>>> servers.
>>>
>>>
>>> 2) More to the topic of my second question however, is that
>>> /etc/resolv.conf, on the IPA servers themselves, get's rewritten on
>>> restart.  Would like to know by what if I already uninstalled
>>> NetworkManager?  When I configured the FreeIPA server, I used:
>>>
>>> ipa-server-install --setup-dns --forwarder=192.168.0.3 -p "Hush!" -a
>>> "Hush!" -r DOM.ABC.XYZ -n dom.abc.xyz --hostname ipa01.dom.abc.xyz
>>>
>>> Notice I used the VIP of the Windows Server 2012 Cluster when
>>> installing FreeIPA.  This is nice for redundancy.  So the resolv.conf
>>> ends up being:
>>>
>>> # cat /etc/resolv.conf
>>> # Generated by NetworkManager
>>> search abc.xyz
>>> nameserver 192.168.0.3
>>> nameserver 123.123.123.1
>>> nameserver 123.123.123.2
>>>
>>> Then I add:
>>>
>>> search dom.abc.xyz abc.xyz
>>>
>>> but it changes back to search abc.xyz (the Windows Server 2012 DNS).
>>> This all works, except for the above minor items, and I can resolve
>>> anything over this network.  (  Thinking this is fine because the
>>> forward is on the subdomain.  I haven't had issues with forwarding
>>> through this setup.  )
>>>
>>> # cat /etc/resolv.conf
>>> # Generated by NetworkManager
>>> search abc.xyz
>>> nameserver 192.168.0.3
>>> nameserver 123.123.123.1
>>> nameserver 123.123.123.2
>>>
>>> But NetworkManager is not installed on these IPA servers.  I've
>>> removed it earlier:
>>>
>>> # rpm -aq|grep -i NetworkManager
>>> #
>>>
>>> Is FreeIPA replacing /etc/resolv.conf with a copy it keeps elsewhere?
>>
>> On servers with DNS /etc/resolv.conf should point to 127.0.0.1 and ::1,
>> and global or per server dns forwarders should be configured instead
>>
>> Have you properly stopped NetworkManager using systemctl stop and
>> systemctl disable ? In case you just removed rpm files service can still
>> work.
>> I recommend to update network manager config, not to remove it :)
>>
>> As last resort way, you can set immutable bit to resolv.conf if
>> something is still changing your resolv.conf file
>>
>>>
>>> 3) After running:
>>>
>>> ipa-client-install --mkhomedir --enable-dns-updates
>>>
>>> on a new host, the hostname of the new host doesn't resolve for a few
>>> minutes.  How do I make this instantaneous?  (Other then that,
>>> autodiscovery of the IPA servers is excellent!).  Before installing
>>> the IPA Client, the new hosts /etc/resolv.conf file looks like this:
>>>
>>> # cat /etc/resolv.conf
>>> search abc.xyz
>>> nameserver 192.168.0.3
>>> nameserver 123.123.123.1
>>> nameserver 123.123.123.2
>>>
>>> I did dig, host, nslookup earlier.  Verified all except for the items
>>> I'm inquiring about.
>>>
>>
>> That weird, because ipa-client-install creates A records directly to DNS
>> server using nsupdate, so it should be accessible instantly. Do you have
>> any caching DNS servers?
>>
>> Martin
>>
> 
> No caching DNS servers.
> 
> On the topic of NetworkManager.  It's completely gone yet still the
> /etc/resolv.conf file is being replaced with the text # Generated by
> NetworkManager.
> 
> # systemctl show NetworkManager.service --property=Id,Names,Description
> Id=NetworkManager.service
> Names=NetworkManager.service
> Description=NetworkManager.service
> #
> 
> # systemctl list-units --type service --all|grep -i network
>   network.service                        loaded    active   exited LSB: Bring
> up/down networking
> â NetworkManager-wait-online.service     not-found inactive dead
> NetworkManager-wait-online.service
> â NetworkManager.service                 not-found inactive dead
> NetworkManager.service
>   ntpd.service                           loaded    active   running Network
> Time Service
>   rhel-domainname.service                loaded    active   exited Read and
> set NIS domainname from /etc/sysconfig/network
>   rhel-import-state.service              loaded    active   exited Import
> network configuration from initramfs
> #
> 
> 
> The only thing that is left of the NetworkManager service is the above.
> Nothing I type from systemd removed it completely.  So I've reverted to the
> last resort:
> 
> # lsattr /etc/resolv.conf
> ----i----------- /etc/resolv.conf
> #
> 
> With the above, I'm trying to see what's writing to the file by using this
> auditctl and found that postfix seems to be doing this:
> 
> ----
> time->Wed Nov 23 23:14:47 2016
> type=PATH msg=audit(1479960887.978:293): item=0 name="/etc/resolv.conf"
> inode=135699633 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00
> obj=system_u:object_r:net_conf_t:s0 objtype=NORMAL
> type=CWD msg=audit(1479960887.978:293):  cwd="/"
> type=SYSCALL msg=audit(1479960887.978:293): arch=c000003e syscall=2
> success=yes exit=4 a0=7ffb36b6f43a a1=80000 a2=1b6 a3=24 items=1 ppid=1
> pid=5527 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
> fsgid=0 tty=(none) ses=4294967295 comm="postfix" exe="/usr/sbin/postfix"
> subj=system_u:system_r:postfix_master_t:s0 key="/root/resolv.conf-file"
> ----
> time->Wed Nov 23 23:14:48 2016
> type=PATH msg=audit(1479960888.013:301): item=0 name="/etc/resolv.conf"
> inode=135699633 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00
> obj=system_u:object_r:net_conf_t:s0 objtype=NORMAL
> type=CWD msg=audit(1479960888.013:301):  cwd="/var/spool/postfix"
> type=SYSCALL msg=audit(1479960888.013:301): arch=c000003e syscall=2
> success=yes exit=3 a0=7f32c163043a a1=80000 a2=1b6 a3=24 items=1 ppid=5545
> pid=5546 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
> fsgid=0 tty=(none) ses=4294967295 comm="postconf" exe="/usr/sbin/postconf"
> subj=system_u:system_r:postfix_master_t:s0 key="/root/resolv.conf-file"

It usually helps to run ausearch -i, it translates numberic codes to names.

Assuming you are running Linux on x86_64, it would be interpreted like this:

----
type=SYSCALL msg=audit(24.11.2016 05:14:47.978:293) : arch=x86_64 syscall=open
success=yes exit=4 a0=0x7ffb36b6f43a a1=O_RDONLY|O_CLOEXEC a2=0x1b6 a3=0x24
items=1 ppid=1 pid=5527 auid=unset uid=root gid=root euid=root suid=root
fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=postfix
exe=/usr/sbin/postfix subj=system_u:system_r:postfix_master_t:s0
key=/root/resolv.conf-file
type=CWD msg=audit(24.11.2016 05:14:47.978:293) :  cwd=/
type=PATH msg=audit(24.11.2016 05:14:47.978:293) : item=0
name=/etc/resolv.conf inode=135699633 dev=fd:00 mode=file,644 ouid=root
ogid=root rdev=00:00 obj=system_u:object_r:net_conf_t:s0 objtype=NORMAL
----
type=SYSCALL msg=audit(24.11.2016 05:14:48.013:301) : arch=x86_64 syscall=open
success=yes exit=3 a0=0x7f32c163043a a1=O_RDONLY|O_CLOEXEC a2=0x1b6 a3=0x24
items=1 ppid=5545 pid=5546 auid=unset uid=root gid=root euid=root suid=root
fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=postconf
exe=/usr/sbin/postconf subj=system_u:system_r:postfix_master_t:s0
key=/root/resolv.conf-file
type=CWD msg=audit(24.11.2016 05:14:48.013:301) :  cwd=/var/spool/postfix
type=PATH msg=audit(24.11.2016 05:14:48.013:301) : item=0
name=/etc/resolv.conf inode=135699633 dev=fd:00 mode=file,644 ouid=root
ogid=root rdev=00:00 obj=system_u:object_r:net_conf_t:s0 objtype=NORMAL


In other words, /root/resolv.conf-file is open for reading.

It is interesting ... What does the file contain?

Petr^2 Spacek


> 
> This in turn appears to be called by started by:
> 
> # grep postfix access|tail -n 1
> [23/Nov/2016:23:42:04 -0500] conn=34 op=5 SRCH
> base="cn=accounts,dc=dom,dc=abc,dc=xyz" scope=2
> filter="(&(uid=postfix)(objectClass=posixAccount)(&(uidNumber=*)(!(uidNumber=0))))"
> attrs="objectClass uid userPassword uidNumber gidNumber gecos homeDirectory
> loginShell krbPrincipalName cn memberOf ipaUniqueID ipaNTSecurityIdentifier
> modifyTimestamp entryusn shadowLastChange shadowMin shadowMax shadowWarning
> shadowInactive shadowExpire shadowFlag krbLastPwdChange krbPasswordExpiration
> pwdattribute authorizedService accountexpires useraccountcontrol nsAccountLock
> host logindisabled loginexpirationtime loginallowedtimemap ipaSshPubKey
> ipaUserAuthType usercertificate;binary"
> # pwd
> /var/log/dirsrv/slapd-DOM-ABC-XYZ

More information about the Freeipa-users mailing list