[Freeipa-users] Ping forwarded domain name.
Petr Spacek
pspacek at redhat.com
Thu Nov 24 09:49:54 UTC 2016
On 24.11.2016 06:08, TomK wrote:
> On 11/23/2016 3:28 AM, Martin Basti wrote:
>>
>>
>> On 23.11.2016 03:48, TomK wrote:
>>> On 11/22/2016 10:22 AM, Martin Basti wrote:
>>>>
>>>>
>>>> On 22.11.2016 13:57, TomK wrote:
>>>>> On 11/22/2016 2:59 AM, Martin Basti wrote:
>>>>>> Hey,
>>>>>>
>>>>>>
>>>>>> On 22.11.2016 06:33, TomK wrote:
>>>>>>> Hey Guys,
>>>>>>>
>>>>>>> I'm forwarding a domain dom.abc.xyz from a Windows Server 2012
>>>>>>> over to
>>>>>>> my dual Free IPA server. The Free IPA servers are authoritative for
>>>>>>> this subdomain. The Windows Server 2012 DNS is resolves on abc.xyz
>>>>>>> and forwards dom.abc.xyz.
>>>>>> Do you have configured proper zone delegation for subdomain
>>>>>> dom.abc.xyz?
>>>>>> Proper NS and glue records
>>>>>> http://www.zytrax.com/books/dns/ch9/delegate.html
>>>>>>
>>>>>>>
>>>>>>> I cannot ping dom.abc.xyz. Everything else, including client
>>>>>>> registrations, work fine. If Free IPA is authoritative on
>>>>>>> dom.abc.xyz, should it not create DNS entries so the sub domain
>>>>>>> can be
>>>>>>> pinged as well?
>>>>>>
>>>>>> What do you mean by "ping"?
>>>>>>
>>>>>>>
>>>>>>> /etc/resolv.conf also gets regenerated on reboot on the IPA Servers
>>>>>>> and wanted to ask if you can point me to some materials online to
>>>>>>> determine where can I permanently adjust the search to add
>>>>>>> dom.abc.xyz
>>>>>>> to the already present abc.xyz . I wasn't able to locate what I
>>>>>>> needed in my searches.
>>>>>>>
>>>>>>> I'm using the latest v4.
>>>>>>
>>>>>> It depends on what are you using, probably you have NetworkManager
>>>>>> there
>>>>>> that is editing /etc/resolv.conf
>>>>>>
>>>>>> https://ask.fedoraproject.org/en/question/67752/how-do-i-add-a-search-domain-using-networkmanager/
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> Martin
>>>>>
>>>>>
>>>>> I Uninstalled NetworkManager. Still changes.
>>>>> ping dom.abc.com results in "ping: unknown host"
>>>>>
>>>>> I'll have a look at the first link, ty.
>>>>>
>>>>
>>>> ping (ICMP protocol) and DNS system are different things, do you have
>>>> hostname dom.abc.com with A record or it is a zone?
>>>>
>>>> with ping command hostname "dom.abc.com" is resolved to IP address
>>>> first, do you have A record set for dom.abc.com in zone apex or what are
>>>> you trying to achieve with ping command?
>>>>
>>>> for testing DNS try to use commands: dig, host, nslookup
>>>>
>>>> Martin
>>>>
>>>
>>> Apologize for the long reply but it should give some background on
>>> what it is that I'm doing.
>>>
>>> 1) dom.abc.com is a zone. There is no A record for dom.abc.com in
>>> FreeIPA (Confirmed by Petr). I get the point Petr Spacek pointed out
>>> in his comment as well. What should it really point to? ( I kind of
>>> answer this question below so please read on. ) Where I'm getting
>>> this from is that in Windows Server 2012 abc.com returns the IP of any
>>> of the participating AD / DNS servers within the cluster (The two
>>> Windows Server 2012 are a combined clustered AD + DNS servers.).
>>> Being able to resolve abc.xyz is handy. During a lookup, I can get a
>>> list of all the IP's associated with that domain which would indicate
>>> all the DNS + AD servers online under that domain or serving that domain:
>>>
>>>
>>> # nslookup abc.xyz
>>> Server: 192.168.0.3
>>> Address: 192.168.0.3#53
>>>
>>> Name: abc.xyz
>>> Address: 192.168.0.3
>>> Name: abc.xyz
>>> Address: 192.168.0.1
>>> Name: abc.xyz
>>> Address: 192.168.0.2
>>> #
>>>
>>> Again, where this is handy is when configuring sssd.conf for example
>>> or other apps for that matter. I can just point the app to
>>> authenticate against the domain and I have my redundancy solved.
>>> Windows Server 2012 does it, but FreeIPA didn't, so I threw the
>>> question out there.
>>
>> IPA uses SRV records heavily, all IPA related services have SRV records,
>> SSSD uses SRV records of IPA, client should use SRV record to connect to
>> the right service (or URI record - will be in next IPA). SRV records
>> work for IPA locations mechanism, we cannot achieve this with pure A
>> records.
>>
>>>
>>> Delegation from this Windows DNS works as expected. Any lookup from
>>> dom.abc.xyz is forwarded to and handled by FreeIPA servers. Tested
>>> this out. No issue with this.
>>>
>>> I did see earlier that there is no A record for dom.abc.xyz in
>>> FreeIPA. My reasons for asking if there was an IP on the subdomain in
>>> FreeIPA were above but the missing IP on the subdomain isn't a major
>>> issue for me. Things are working without dom.abc.xyz resolving to an
>>> IP. What I was hoping for is to have a VIP for the IPA servers and
>>> one for the Windows Server 2012 DNS Cluster in /etc/resolv.conf. (I
>>> have the VIP for the windows server). One forwarding to the other for
>>> a given domain. This is all for testing a) redundancy, b) forwarding,
>>> a) authentication .
>>>
>>> IE:
>>>
>>> # cat /etc/resolv.conf
>>> search dom.abc.xyz abc.xyz
>>> nameserver 192.168.0.3 <------------ Win Cluster DNS VIP
>>> nameserver 192.168.0.4 <------------ IPA Cluster DNS VIP
>>>
>>> * Just what I want to achieve above. VIP 192.168.0.4 doesn't exist on
>>> my cluster yet. I'm looking to integrate ucarp with the above IPA
>>> servers.
>>>
>>>
>>> 2) More to the topic of my second question however, is that
>>> /etc/resolv.conf, on the IPA servers themselves, gets rewritten on
>>> restart. Would like to know by what if I already uninstalled
>>> NetworkManager? When I configured the FreeIPA server, I used:
>>>
>>> ipa-server-install --setup-dns --forwarder=192.168.0.3 -p "Hush!" -a
>>> "Hush!" -r DOM.ABC.XYZ -n dom.abc.xyz --hostname ipa01.dom.abc.xyz
>>>
>>> Notice I used the VIP of the Windows Server 2012 Cluster when
>>> installing FreeIPA. This is nice for redundancy. So the resolv.conf
>>> ends up being:
>>>
>>> # cat /etc/resolv.conf
>>> # Generated by NetworkManager
>>> search abc.xyz
>>> nameserver 192.168.0.3
>>> nameserver 123.123.123.1
>>> nameserver 123.123.123.2
>>>
>>> Then I add:
>>>
>>> search dom.abc.xyz abc.xyz
>>>
>>> but it changes back to search abc.xyz (the Windows Server 2012 DNS).
>>> This all works, except for the above minor items, and I can resolve
>>> anything over this network. ( Thinking this is fine because the
>>> forward is on the subdomain. I haven't had issues with forwarding
>>> through this setup. )
>>>
>>> # cat /etc/resolv.conf
>>> # Generated by NetworkManager
>>> search abc.xyz
>>> nameserver 192.168.0.3
>>> nameserver 123.123.123.1
>>> nameserver 123.123.123.2
>>>
>>> But NetworkManager is not installed on these IPA servers. I've
>>> removed it earlier:
>>>
>>> # rpm -aq|grep -i NetworkManager
>>> #
>>>
>>> Is FreeIPA replacing /etc/resolv.conf with a copy it keeps elsewhere?
>>
>> On servers with DNS /etc/resolv.conf should point to 127.0.0.1 and ::1,
>> and global or per server dns forwarders should be configured instead
>>
>> Have you properly stopped NetworkManager using systemctl stop and
>> systemctl disable ? In case you just removed rpm files service can still
>> work.
>> I recommend to update network manager config, not to remove it :)
>>
>> As last resort way, you can set immutable bit to resolv.conf if
>> something is still changing your resolv.conf file
>>
>>>
>>> 3) After running:
>>>
>>> ipa-client-install --mkhomedir --enable-dns-updates
>>>
>>> on a new host, the hostname of the new host doesn't resolve for a few
>>> minutes. How do I make this instantaneous? (Other than that,
>>> autodiscovery of the IPA servers is excellent!). Before installing
>>> the IPA Client, the new host's /etc/resolv.conf file looks like this:
>>>
>>> # cat /etc/resolv.conf
>>> search abc.xyz
>>> nameserver 192.168.0.3
>>> nameserver 123.123.123.1
>>> nameserver 123.123.123.2
>>>
>>> I did dig, host, nslookup earlier. Verified all except for the items
>>> I'm inquiring about.
>>>
>>
>> That's weird, because ipa-client-install creates A records directly to DNS
>> server using nsupdate, so it should be accessible instantly. Do you have
>> any caching DNS servers?
>>
>> Martin
>>
>
> No caching DNS servers.
>
> On the topic of NetworkManager. It's completely gone yet still the
> /etc/resolv.conf file is being replaced with the text # Generated by
> NetworkManager.
>
> # systemctl show NetworkManager.service --property=Id,Names,Description
> Id=NetworkManager.service
> Names=NetworkManager.service
> Description=NetworkManager.service
> #
>
> # systemctl list-units --type service --all|grep -i network
> network.service loaded active exited LSB: Bring
> up/down networking
> ● NetworkManager-wait-online.service not-found inactive dead
> NetworkManager-wait-online.service
> ● NetworkManager.service not-found inactive dead
> NetworkManager.service
> ntpd.service loaded active running Network
> Time Service
> rhel-domainname.service loaded active exited Read and
> set NIS domainname from /etc/sysconfig/network
> rhel-import-state.service loaded active exited Import
> network configuration from initramfs
> #
>
>
> The only thing that is left of the NetworkManager service is the above.
> Nothing I type from systemd removed it completely. So I've reverted to the
> last resort:
>
> # lsattr /etc/resolv.conf
> ----i----------- /etc/resolv.conf
> #
>
> With the above, I'm trying to see what's writing to the file by using this
> auditctl and found that postfix seems to be doing this:
>
> ----
> time->Wed Nov 23 23:14:47 2016
> type=PATH msg=audit(1479960887.978:293): item=0 name="/etc/resolv.conf"
> inode=135699633 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00
> obj=system_u:object_r:net_conf_t:s0 objtype=NORMAL
> type=CWD msg=audit(1479960887.978:293): cwd="/"
> type=SYSCALL msg=audit(1479960887.978:293): arch=c000003e syscall=2
> success=yes exit=4 a0=7ffb36b6f43a a1=80000 a2=1b6 a3=24 items=1 ppid=1
> pid=5527 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
> fsgid=0 tty=(none) ses=4294967295 comm="postfix" exe="/usr/sbin/postfix"
> subj=system_u:system_r:postfix_master_t:s0 key="/root/resolv.conf-file"
> ----
> time->Wed Nov 23 23:14:48 2016
> type=PATH msg=audit(1479960888.013:301): item=0 name="/etc/resolv.conf"
> inode=135699633 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00
> obj=system_u:object_r:net_conf_t:s0 objtype=NORMAL
> type=CWD msg=audit(1479960888.013:301): cwd="/var/spool/postfix"
> type=SYSCALL msg=audit(1479960888.013:301): arch=c000003e syscall=2
> success=yes exit=3 a0=7f32c163043a a1=80000 a2=1b6 a3=24 items=1 ppid=5545
> pid=5546 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
> fsgid=0 tty=(none) ses=4294967295 comm="postconf" exe="/usr/sbin/postconf"
> subj=system_u:system_r:postfix_master_t:s0 key="/root/resolv.conf-file"
It usually helps to run ausearch -i; it translates numeric codes to names.
Assuming you are running Linux on x86_64, it would be interpreted like this:
----
type=SYSCALL msg=audit(24.11.2016 05:14:47.978:293) : arch=x86_64 syscall=open
success=yes exit=4 a0=0x7ffb36b6f43a a1=O_RDONLY|O_CLOEXEC a2=0x1b6 a3=0x24
items=1 ppid=1 pid=5527 auid=unset uid=root gid=root euid=root suid=root
fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=postfix
exe=/usr/sbin/postfix subj=system_u:system_r:postfix_master_t:s0
key=/root/resolv.conf-file
type=CWD msg=audit(24.11.2016 05:14:47.978:293) : cwd=/
type=PATH msg=audit(24.11.2016 05:14:47.978:293) : item=0
name=/etc/resolv.conf inode=135699633 dev=fd:00 mode=file,644 ouid=root
ogid=root rdev=00:00 obj=system_u:object_r:net_conf_t:s0 objtype=NORMAL
----
type=SYSCALL msg=audit(24.11.2016 05:14:48.013:301) : arch=x86_64 syscall=open
success=yes exit=3 a0=0x7f32c163043a a1=O_RDONLY|O_CLOEXEC a2=0x1b6 a3=0x24
items=1 ppid=5545 pid=5546 auid=unset uid=root gid=root euid=root suid=root
fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=postconf
exe=/usr/sbin/postconf subj=system_u:system_r:postfix_master_t:s0
key=/root/resolv.conf-file
type=CWD msg=audit(24.11.2016 05:14:48.013:301) : cwd=/var/spool/postfix
type=PATH msg=audit(24.11.2016 05:14:48.013:301) : item=0
name=/etc/resolv.conf inode=135699633 dev=fd:00 mode=file,644 ouid=root
ogid=root rdev=00:00 obj=system_u:object_r:net_conf_t:s0 objtype=NORMAL
In other words, /root/resolv.conf-file is open for reading.
It is interesting ... What does the file contain?
Petr^2 Spacek
>
> This in turn appears to be called by started by:
>
> # grep postfix access|tail -n 1
> [23/Nov/2016:23:42:04 -0500] conn=34 op=5 SRCH
> base="cn=accounts,dc=dom,dc=abc,dc=xyz" scope=2
> filter="(&(uid=postfix)(objectClass=posixAccount)(&(uidNumber=*)(!(uidNumber=0))))"
> attrs="objectClass uid userPassword uidNumber gidNumber gecos homeDirectory
> loginShell krbPrincipalName cn memberOf ipaUniqueID ipaNTSecurityIdentifier
> modifyTimestamp entryusn shadowLastChange shadowMin shadowMax shadowWarning
> shadowInactive shadowExpire shadowFlag krbLastPwdChange krbPasswordExpiration
> pwdattribute authorizedService accountexpires useraccountcontrol nsAccountLock
> host logindisabled loginexpirationtime loginallowedtimemap ipaSshPubKey
> ipaUserAuthType usercertificate;binary"
> # pwd
> /var/log/dirsrv/slapd-DOM-ABC-XYZ
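As an added example (not code from the thread or from FreeIPA), the decoding that ausearch -i performs on the raw SYSCALL record above can be reproduced to triage a watched file: it decodes the x86_64 syscall number and the open(2) flags in a1, and flags only records whose open mode could modify the file. The postfix record from the thread is embedded as sample input, alongside one constructed record with a hypothetical process name to show a write being detected; the syscall table is a small subset and arch c000003e (x86_64) is assumed.

```python
import re

# Subset of the x86_64 syscall table (the records on this page are arch=c000003e)
SYSCALLS_X86_64 = {0: "read", 1: "write", 2: "open", 82: "rename", 257: "openat"}
# open(2) flag bits from <asm-generic/fcntl.h>; O_RDONLY is the absence of O_WRONLY/O_RDWR
OPEN_FLAGS = [(0o1, "O_WRONLY"), (0o2, "O_RDWR"), (0o100, "O_CREAT"),
              (0o1000, "O_TRUNC"), (0o2000, "O_APPEND"), (0o2000000, "O_CLOEXEC")]
WRITE_MASK = 0o1 | 0o2 | 0o100 | 0o1000  # any of these means the file may be changed
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_record(line):
    """Split one raw audit line into a dict, dropping quotes around values."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}

def decode_open_flags(value):
    names = ["O_RDONLY"] if value & 0o3 == 0 else []
    return "|".join(names + [n for bit, n in OPEN_FLAGS if value & bit])

def interpret_syscall(rec):
    """Return the human-readable fields of an x86_64 SYSCALL record, like ausearch -i."""
    if rec.get("type") != "SYSCALL" or rec.get("arch") != "c000003e":
        raise ValueError("not an x86_64 SYSCALL record")
    name = SYSCALLS_X86_64.get(int(rec["syscall"]), "syscall_" + rec["syscall"])
    out = {"syscall": name, "comm": rec["comm"], "exe": rec["exe"],
           "pid": int(rec["pid"]), "success": rec["success"] == "yes",
           "uid": "root" if rec["uid"] == "0" else rec["uid"],
           "auid": "unset" if rec["auid"] == "4294967295" else rec["auid"]}
    if name in ("open", "openat"):  # open() takes flags in a1, openat() in a2 (hex)
        flags = int(rec["a1" if name == "open" else "a2"], 16)
        out["flags"] = decode_open_flags(flags)
        out["writes"] = bool(flags & WRITE_MASK)
    else:
        out["writes"] = name in ("write", "rename")
    return out

def find_writers(lines):
    """comm of every process whose recorded syscall could modify the watched file."""
    return [r["comm"] for r in (interpret_syscall(parse_record(l)) for l in lines)
            if r["writes"]]

# Record from the thread (postfix opening /etc/resolv.conf), re-joined onto one line
POSTFIX = ('type=SYSCALL msg=audit(1479960887.978:293): arch=c000003e syscall=2 '
           'success=yes exit=4 a0=7ffb36b6f43a a1=80000 a2=1b6 a3=24 items=1 ppid=1 '
           'pid=5527 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 '
           'fsgid=0 tty=(none) ses=4294967295 comm="postfix" exe="/usr/sbin/postfix" '
           'subj=system_u:system_r:postfix_master_t:s0 key="/root/resolv.conf-file"')
# Constructed record (hypothetical process name): open with O_WRONLY|O_CREAT|O_TRUNC
HYPOTHETICAL_WRITER = ('type=SYSCALL msg=audit(1479960900.000:400): arch=c000003e '
                       'syscall=2 success=yes exit=3 a0=7f0000000000 a1=241 a2=1a4 a3=0 '
                       'items=1 ppid=1 pid=9999 auid=4294967295 uid=0 gid=0 euid=0 '
                       'comm="example-writer" exe="/usr/sbin/example-writer" '
                       'key="/root/resolv.conf-file"')
```

A read-only open (O_RDONLY|O_CLOEXEC) such as the postfix record is noise from a watch that also logs reads; only records that `find_writers` returns point at whatever is actually rewriting the file.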