[Freeipa-users] Ping forwarded domain name.

Petr Spacek pspacek at redhat.com
Fri Nov 25 09:00:32 UTC 2016


On 25.11.2016 05:57, TomK wrote:
> On 11/24/2016 4:49 AM, Petr Spacek wrote:
>> On 24.11.2016 06:08, TomK wrote:
>>> On 11/23/2016 3:28 AM, Martin Basti wrote:
>>>>
>>>>
>>>> On 23.11.2016 03:48, TomK wrote:
>>>>> On 11/22/2016 10:22 AM, Martin Basti wrote:
>>>>>>
>>>>>>
>>>>>> On 22.11.2016 13:57, TomK wrote:
>>>>>>> On 11/22/2016 2:59 AM, Martin Basti wrote:
>>>>>>>> Hey,
>>>>>>>>
>>>>>>>>
>>>>>>>> On 22.11.2016 06:33, TomK wrote:
>>>>>>>>> Hey guys,
>>>>>>>>>
>>>>>>>>> I'm forwarding a domain dom.abc.xyz from a Windows Server 2012
>>>>>>>>> over to
>>>>>>>>> my dual Free IPA server.  The Free IPA servers are authoritative for
>>>>>>>>> this subdomain.  The Windows Server 2012 DNS resolves on abc.xyz
>>>>>>>>> and forwards dom.abc.xyz.
>>>>>>>> Do you have configured proper zone delegation for subdomain
>>>>>>>> dom.abc.xyz?
>>>>>>>> Proper NS and glue records
>>>>>>>> http://www.zytrax.com/books/dns/ch9/delegate.html
>>>>>>>>
>>>>>>>>>
>>>>>>>>> I cannot ping dom.abc.xyz.  Everything else, including client
>>>>>>>>> registrations, work fine.  If Free IPA is authoritative on
>>>>>>>>> dom.abc.xyz, should it not create DNS entries so the sub domain
>>>>>>>>> can be
>>>>>>>>> pinged as well?
>>>>>>>>
>>>>>>>> What do you mean by "ping"?
>>>>>>>>
>>>>>>>>>
>>>>>>>>> /etc/resolv.conf also gets regenerated on reboot on the IPA Servers
>>>>>>>>> and wanted to ask if you can point me to some materials online to
>>>>>>>>> determine where can I permanently adjust the search to add
>>>>>>>>> dom.abc.xyz
>>>>>>>>> to the already present abc.xyz .  I wasn't able to locate what I
>>>>>>>>> needed in my searches.
>>>>>>>>>
>>>>>>>>> I'm using the latest v4.
>>>>>>>>
>>>>>>>> It depends on what are you using, probably you have NetworkManager
>>>>>>>> there
>>>>>>>> that is editing /etc/resolv.conf
>>>>>>>>
>>>>>>>> https://ask.fedoraproject.org/en/question/67752/how-do-i-add-a-search-domain-using-networkmanager/
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> Martin
>>>>>>>
>>>>>>>
>>>>>>> I uninstalled NetworkManager.  Still changes.
>>>>>>> ping dom.abc.com results in "ping: unknown host"
>>>>>>>
>>>>>>> I'll have a look at the first link, ty.
>>>>>>>
>>>>>>
>>>>>> ping (ICMP protocol) and DNS system are different things, do you have
>>>>>> hostname dom.abc.com with A record or it is a zone?
>>>>>>
>>>>>> with ping command hostname "dom.abc.com" is resolved to IP address
>>>>>> first, do you have A record set for dom.abc.com in zone apex or what are
>>>>>> you trying to achieve with ping command?
>>>>>>
>>>>>> for testing DNS try to use commands: dig, host, nslookup
>>>>>>
>>>>>> Martin
>>>>>>
>>>>>
>>>>> Apologize for the long reply but it should give some background on
>>>>> what it is that I'm doing.
>>>>>
>>>>> 1) dom.abc.com is a zone.  There is no A record for dom.abc.com in
>>>>> FreeIPA (Confirmed by Petr).  I get the point Petr Spacek pointed out
>>>>> in his comment as well.  What should it really point to? ( I kind of
>>>>> answer this question below so please read on. )  Where I'm getting
>>>>> this from is that in Windows Server 2012 abc.com returns the IP of any
>>>>> of the participating AD / DNS servers within the cluster (The two
>>>>> Windows Server 2012 are a combined clustered AD + DNS servers.).
>>>>> Being able to resolve abc.xyz is handy.  During a lookup, I can get a
>>>>> list of all the IP's associated with that domain which would indicate
>>>>> all the DNS + AD servers online under that domain or serving that domain:
>>>>>
>>>>>
>>>>> # nslookup abc.xyz
>>>>> Server:         192.168.0.3
>>>>> Address:        192.168.0.3#53
>>>>>
>>>>> Name:   abc.xyz
>>>>> Address: 192.168.0.3
>>>>> Name:   abc.xyz
>>>>> Address: 192.168.0.1
>>>>> Name:   abc.xyz
>>>>> Address: 192.168.0.2
>>>>> #
>>>>>
>>>>> Again, where this is handy is when configuring sssd.conf for example
>>>>> or other apps for that matter.  I can just point the app to
>>>>> authenticate against the domain and I have my redundancy solved.
>>>>> Windows Server 2012 does it, but FreeIPA didn't, so I threw the
>>>>> question out there.
>>>>
>>>> IPA uses SRV records heavily, all IPA related services have SRV records,
>>>> SSSD uses SRV records of IPA, client should use SRV record to connect to
>>>> the right service (or URI record - will be in next IPA). SRV records
>>>> work for IPA locations mechanism, we cannot achieve this with pure A
>>>> records.
>>>>
>>>>>
>>>>> Delegation from this Windows DNS works as expected.  Any lookup from
>>>>> dom.abc.xyz is forwarded to and handled by FreeIPA servers. Tested
>>>>> this out. No issue with this.
>>>>>
>>>>> I did see earlier that there is no A record for dom.abc.xyz in
>>>>> FreeIPA. My reasons for asking if there was an IP on the subdomain in
>>>>> FreeIPA were above but the missing IP on the subdomain isn't a major
>>>>> issue for me.  Things are working without dom.abc.xyz resolving to an
>>>>> IP.  What I was hoping for is to have a VIP for the IPA servers and
>>>>> one for the Windows Server 2012 DNS Cluster in /etc/resolv.conf.  (I
>>>>> have the VIP for the windows server).  One forwarding to the other for
>>>>> a given domain.  This is all for testing a) redundancy, b) forwarding,
>>>>> c) authentication.
>>>>>
>>>>> IE:
>>>>>
>>>>> # cat /etc/resolv.conf
>>>>> search dom.abc.xyz abc.xyz
>>>>> nameserver 192.168.0.3            <------------ Win Cluster DNS VIP
>>>>> nameserver 192.168.0.4            <------------ IPA Cluster DNS VIP
>>>>>
>>>>> * Just what I want to achieve above.  VIP 192.168.0.4 doesn't exist on
>>>>> my cluster yet.  I'm looking to integrate ucarp with the above IPA
>>>>> servers.
>>>>>
>>>>>
>>>>> 2) More to the topic of my second question however, is that
>>>>> /etc/resolv.conf, on the IPA servers themselves, gets rewritten on
>>>>> restart.  Would like to know by what if I already uninstalled
>>>>> NetworkManager?  When I configured the FreeIPA server, I used:
>>>>>
>>>>> ipa-server-install --setup-dns --forwarder=192.168.0.3 -p "Hush!" -a
>>>>> "Hush!" -r DOM.ABC.XYZ -n dom.abc.xyz --hostname ipa01.dom.abc.xyz
>>>>>
>>>>> Notice I used the VIP of the Windows Server 2012 Cluster when
>>>>> installing FreeIPA.  This is nice for redundancy.  So the resolv.conf
>>>>> ends up being:
>>>>>
>>>>> # cat /etc/resolv.conf
>>>>> # Generated by NetworkManager
>>>>> search abc.xyz
>>>>> nameserver 192.168.0.3
>>>>> nameserver 123.123.123.1
>>>>> nameserver 123.123.123.2
>>>>>
>>>>> Then I add:
>>>>>
>>>>> search dom.abc.xyz abc.xyz
>>>>>
>>>>> but it changes back to search abc.xyz (the Windows Server 2012 DNS).
>>>>> This all works, except for the above minor items, and I can resolve
>>>>> anything over this network.  (  Thinking this is fine because the
>>>>> forward is on the subdomain.  I haven't had issues with forwarding
>>>>> through this setup.  )
>>>>>
>>>>> # cat /etc/resolv.conf
>>>>> # Generated by NetworkManager
>>>>> search abc.xyz
>>>>> nameserver 192.168.0.3
>>>>> nameserver 123.123.123.1
>>>>> nameserver 123.123.123.2
>>>>>
>>>>> But NetworkManager is not installed on these IPA servers.  I've
>>>>> removed it earlier:
>>>>>
>>>>> # rpm -aq|grep -i NetworkManager
>>>>> #
>>>>>
>>>>> Is FreeIPA replacing /etc/resolv.conf with a copy it keeps elsewhere?
>>>>
>>>> On servers with DNS /etc/resolv.conf should point to 127.0.0.1 and ::1,
>>>> and global or per server dns forwarders should be configured instead
>>>>
>>>> Have you properly stopped NetworkManager using systemctl stop and
>>>> systemctl disable ? In case you just removed rpm files service can still
>>>> work.
>>>> I recommend to update network manager config, not to remove it :)
>>>>
>>>> As last resort way, you can set immutable bit to resolv.conf if
>>>> something is still changing your resolv.conf file
>>>>
>>>>>
>>>>> 3) After running:
>>>>>
>>>>> ipa-client-install --mkhomedir --enable-dns-updates
>>>>>
>>>>> on a new host, the hostname of the new host doesn't resolve for a few
>>>>> minutes.  How do I make this instantaneous?  (Other than that,
>>>>> autodiscovery of the IPA servers is excellent!).  Before installing
>>>>> the IPA Client, the new hosts /etc/resolv.conf file looks like this:
>>>>>
>>>>> # cat /etc/resolv.conf
>>>>> search abc.xyz
>>>>> nameserver 192.168.0.3
>>>>> nameserver 123.123.123.1
>>>>> nameserver 123.123.123.2
>>>>>
>>>>> I did dig, host, nslookup earlier.  Verified all except for the items
>>>>> I'm inquiring about.
>>>>>
>>>>
>>>> That's weird, because ipa-client-install creates A records directly to DNS
>>>> server using nsupdate, so it should be accessible instantly. Do you have
>>>> any caching DNS servers?
>>>>
>>>> Martin
>>>>
>>>
>>> No caching DNS servers.
>>>
>>> On the topic of NetworkManager.  It's completely gone yet still the
>>> /etc/resolv.conf file is being replaced with the text # Generated by
>>> NetworkManager.
>>>
>>> # systemctl show NetworkManager.service --property=Id,Names,Description
>>> Id=NetworkManager.service
>>> Names=NetworkManager.service
>>> Description=NetworkManager.service
>>> #
>>>
>>> # systemctl list-units --type service --all|grep -i network
>>>   network.service                        loaded    active   exited LSB: Bring
>>> up/down networking
>>> ● NetworkManager-wait-online.service     not-found inactive dead
>>> NetworkManager-wait-online.service
>>> ● NetworkManager.service                 not-found inactive dead
>>> NetworkManager.service
>>>   ntpd.service                           loaded    active   running Network
>>> Time Service
>>>   rhel-domainname.service                loaded    active   exited Read and
>>> set NIS domainname from /etc/sysconfig/network
>>>   rhel-import-state.service              loaded    active   exited Import
>>> network configuration from initramfs
>>> #
>>>
>>>
>>> The only thing that is left of the NetworkManager service is the above.
>>> Nothing I type from systemd removed it completely.  So I've reverted to the
>>> last resort:
>>>
>>> # lsattr /etc/resolv.conf
>>> ----i----------- /etc/resolv.conf
>>> #
>>>
>>> With the above, I'm trying to see what's writing to the file by using this
>>> auditctl and found that postfix seems to be doing this:
>>>
>>> ----
>>> time->Wed Nov 23 23:14:47 2016
>>> type=PATH msg=audit(1479960887.978:293): item=0 name="/etc/resolv.conf"
>>> inode=135699633 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00
>>> obj=system_u:object_r:net_conf_t:s0 objtype=NORMAL
>>> type=CWD msg=audit(1479960887.978:293):  cwd="/"
>>> type=SYSCALL msg=audit(1479960887.978:293): arch=c000003e syscall=2
>>> success=yes exit=4 a0=7ffb36b6f43a a1=80000 a2=1b6 a3=24 items=1 ppid=1
>>> pid=5527 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
>>> fsgid=0 tty=(none) ses=4294967295 comm="postfix" exe="/usr/sbin/postfix"
>>> subj=system_u:system_r:postfix_master_t:s0 key="/root/resolv.conf-file"
>>> ----
>>> time->Wed Nov 23 23:14:48 2016
>>> type=PATH msg=audit(1479960888.013:301): item=0 name="/etc/resolv.conf"
>>> inode=135699633 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00
>>> obj=system_u:object_r:net_conf_t:s0 objtype=NORMAL
>>> type=CWD msg=audit(1479960888.013:301):  cwd="/var/spool/postfix"
>>> type=SYSCALL msg=audit(1479960888.013:301): arch=c000003e syscall=2
>>> success=yes exit=3 a0=7f32c163043a a1=80000 a2=1b6 a3=24 items=1 ppid=5545
>>> pid=5546 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
>>> fsgid=0 tty=(none) ses=4294967295 comm="postconf" exe="/usr/sbin/postconf"
>>> subj=system_u:system_r:postfix_master_t:s0 key="/root/resolv.conf-file"
>>
>> It usually helps to run ausearch -i, it translates numeric codes to names.
>>
>> Assuming you are running Linux on x86_64, it would be interpreted like this:
>>
>> ----
>> type=SYSCALL msg=audit(24.11.2016 05:14:47.978:293) : arch=x86_64 syscall=open
>> success=yes exit=4 a0=0x7ffb36b6f43a a1=O_RDONLY|O_CLOEXEC a2=0x1b6 a3=0x24
>> items=1 ppid=1 pid=5527 auid=unset uid=root gid=root euid=root suid=root
>> fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=postfix
>> exe=/usr/sbin/postfix subj=system_u:system_r:postfix_master_t:s0
>> key=/root/resolv.conf-file
>> type=CWD msg=audit(24.11.2016 05:14:47.978:293) :  cwd=/
>> type=PATH msg=audit(24.11.2016 05:14:47.978:293) : item=0
>> name=/etc/resolv.conf inode=135699633 dev=fd:00 mode=file,644 ouid=root
>> ogid=root rdev=00:00 obj=system_u:object_r:net_conf_t:s0 objtype=NORMAL
>> ----
>> type=SYSCALL msg=audit(24.11.2016 05:14:48.013:301) : arch=x86_64 syscall=open
>> success=yes exit=3 a0=0x7f32c163043a a1=O_RDONLY|O_CLOEXEC a2=0x1b6 a3=0x24
>> items=1 ppid=5545 pid=5546 auid=unset uid=root gid=root euid=root suid=root
>> fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=postconf
>> exe=/usr/sbin/postconf subj=system_u:system_r:postfix_master_t:s0
>> key=/root/resolv.conf-file
>> type=CWD msg=audit(24.11.2016 05:14:48.013:301) :  cwd=/var/spool/postfix
>> type=PATH msg=audit(24.11.2016 05:14:48.013:301) : item=0
>> name=/etc/resolv.conf inode=135699633 dev=fd:00 mode=file,644 ouid=root
>> ogid=root rdev=00:00 obj=system_u:object_r:net_conf_t:s0 objtype=NORMAL
>>
>>
>> In other words, /root/resolv.conf-file is open for reading.
>>
>> It is interesting ... What does the file contain?
>>
>> Petr^2 Spacek
>>
>>
>>>
>>> This in turn appears to be started by:
>>>
>>> # grep postfix access|tail -n 1
>>> [23/Nov/2016:23:42:04 -0500] conn=34 op=5 SRCH
>>> base="cn=accounts,dc=dom,dc=abc,dc=xyz" scope=2
>>> filter="(&(uid=postfix)(objectClass=posixAccount)(&(uidNumber=*)(!(uidNumber=0))))"
>>>
>>> attrs="objectClass uid userPassword uidNumber gidNumber gecos homeDirectory
>>> loginShell krbPrincipalName cn memberOf ipaUniqueID ipaNTSecurityIdentifier
>>> modifyTimestamp entryusn shadowLastChange shadowMin shadowMax shadowWarning
>>> shadowInactive shadowExpire shadowFlag krbLastPwdChange krbPasswordExpiration
>>> pwdattribute authorizedService accountexpires useraccountcontrol nsAccountLock
>>> host logindisabled loginexpirationtime loginallowedtimemap ipaSshPubKey
>>> ipaUserAuthType usercertificate;binary"
>>> # pwd
>>> /var/log/dirsrv/slapd-DOM-ABC-XYZ
> 
> root/resolv.conf-file is only an identifier (key) by which auditctl marked
> events that occurred on /etc/resolv.conf.  In other words, it was just a
> custom assigned identifier I used that read / write requests got tagged with. 
> I really should have called it 'resolv-conf-identifier' or similar to avoid
> confusion.  It's not a file.
> 
> The commands I used to watch the file are:
> 
> /sbin/ausearch -f /etc/resolv.conf -key=/root/resolv.conf-file
> 
> Then to get events:
> 
> /sbin/ausearch -f /etc/resolv.conf --key "/root/resolv.conf-file"
> 
> Adding the -i as per your note, I get this:
> 
> 
> [root@idmipa01 ~]# /sbin/ausearch -f /etc/resolv.conf --key
> "/root/resolv.conf-file" -i
> ----
> type=PATH msg=audit(11/23/2016 23:14:04.708:287) : item=0
> name=/etc/resolv.conf inode=135699633 dev=fd:00 mode=file,644 ouid=root
> ogid=root rdev=00:00 obj=system_u:object_r:net_conf_t:s0 objtype=NORMAL
> type=CWD msg=audit(11/23/2016 23:14:04.708:287) :
> cwd=/var/log/dirsrv/slapd-NIX-MDS-XYZ
> type=SYSCALL msg=audit(11/23/2016 23:14:04.708:287) : arch=x86_64 syscall=open
> success=yes exit=53 a0=0x7f66d82c243a a1=O_RDONLY|O_CLOEXEC a2=0x1b6 a3=0x24
> items=1 ppid=1 pid=5080 auid=unset uid=dirsrv gid=dirsrv euid=dirsrv
> suid=dirsrv fsuid=dirsrv egid=dirsrv sgid=dirsrv fsgid=dirsrv tty=(none)
> ses=unset comm=ns-slapd exe=/usr/sbin/ns-slapd
> subj=system_u:system_r:dirsrv_t:s0 key=/root/resolv.conf-file
> ----
> type=PATH msg=audit(11/23/2016 23:14:32.182:288) : item=0
> name=/etc/resolv.conf inode=135699633 dev=fd:00 mode=file,644 ouid=root
> ogid=root rdev=00:00 obj=system_u:object_r:net_conf_t:s0 objtype=NORMAL
> type=CWD msg=audit(11/23/2016 23:14:32.182:288) :  cwd=/var/log/audit
> type=SYSCALL msg=audit(11/23/2016 23:14:32.182:288) : arch=x86_64 syscall=open
> success=yes exit=3 a0=0x7fffd2fa47ff a1=O_RDONLY|O_NONBLOCK a2=0x7fffd2fa2f00
> a3=0x7fffd2fa2c70 items=1 ppid=2389 pid=5511 auid=root uid=root gid=root
> euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=1
> comm=chattr exe=/usr/bin/chattr
> subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> key=/root/resolv.conf-file
> ----
> type=PATH msg=audit(11/23/2016 23:14:32.182:289) : item=0
> name=/etc/resolv.conf inode=135699633 dev=fd:00 mode=file,644 ouid=root
> ogid=root rdev=00:00 obj=system_u:object_r:net_conf_t:s0 objtype=NORMAL
> type=CWD msg=audit(11/23/2016 23:14:32.182:289) :  cwd=/var/log/audit
> type=SYSCALL msg=audit(11/23/2016 23:14:32.182:289) : arch=x86_64 syscall=open
> success=yes exit=3 a0=0x7fffd2fa47ff a1=O_RDONLY|O_NONBLOCK a2=0x7fffd2fa2f00
> a3=0x7fffd2fa2d50 items=1 ppid=2389 pid=5511 auid=root uid=root gid=root
> euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=1
> comm=chattr exe=/usr/bin/chattr
> subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> key=/root/resolv.conf-file
> ----
> type=PATH msg=audit(11/23/2016 23:14:36.847:290) : item=0
> name=/etc/resolv.conf inode=135699633 dev=fd:00 mode=file,644 ouid=root
> ogid=root rdev=00:00 obj=system_u:object_r:net_conf_t:s0 objtype=NORMAL
> type=CWD msg=audit(11/23/2016 23:14:36.847:290) :  cwd=/var/log/audit
> type=SYSCALL msg=audit(11/23/2016 23:14:36.847:290) : arch=x86_64 syscall=open
> success=yes exit=3 a0=0x7fff791a17ff a1=O_RDONLY|O_NONBLOCK a2=0x7fff791a0180
> a3=0x7fff7919fef0 items=1 ppid=2389 pid=5512 auid=root uid=root gid=root
> euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=1
> comm=lsattr exe=/usr/bin/lsattr
> subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> key=/root/resolv.conf-file
> ----
> type=PATH msg=audit(11/23/2016 23:14:47.978:293) : item=0
> name=/etc/resolv.conf inode=135699633 dev=fd:00 mode=file,644 ouid=root
> ogid=root rdev=00:00 obj=system_u:object_r:net_conf_t:s0 objtype=NORMAL
> type=CWD msg=audit(11/23/2016 23:14:47.978:293) :  cwd=/
> type=SYSCALL msg=audit(11/23/2016 23:14:47.978:293) : arch=x86_64 syscall=open
> success=yes exit=4 a0=0x7ffb36b6f43a a1=O_RDONLY|O_CLOEXEC a2=0x1b6 a3=0x24
> items=1 ppid=1 pid=5527 auid=unset uid=root gid=root euid=root suid=root
> fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=postfix
> exe=/usr/sbin/postfix subj=system_u:system_r:postfix_master_t:s0
> key=/root/resolv.conf-file
> ----
> type=PATH msg=audit(11/23/2016 23:14:48.013:301) : item=0
> name=/etc/resolv.conf inode=135699633 dev=fd:00 mode=file,644 ouid=root
> ogid=root rdev=00:00 obj=system_u:object_r:net_conf_t:s0 objtype=NORMAL
> type=CWD msg=audit(11/23/2016 23:14:48.013:301) :  cwd=/var/spool/postfix
> type=SYSCALL msg=audit(11/23/2016 23:14:48.013:301) : arch=x86_64 syscall=open
> success=yes exit=3 a0=0x7f32c163043a a1=O_RDONLY|O_CLOEXEC a2=0x1b6 a3=0x24
> items=1 ppid=5545 pid=5546 auid=unset uid=root gid=root euid=root suid=root
> fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=postconf
> exe=/usr/sbin/postconf subj=system_u:system_r:postfix_master_t:s0
> key=/root/resolv.conf-file
> [root@idmipa01 ~]#

Okay, the important part is that all open() syscalls have parameter O_RDONLY
so there is nothing writing to the file.

The wrong value must have gotten into resolv.conf by some other means.

-- 
Petr^2 Spacek
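
The O_RDONLY check described above, as an added example that is not code from
the thread: it decodes the open flags in raw audit SYSCALL records (arguments
are hexadecimal there) and reports only events that could change the file,
including rename/unlink, which replace a file without ever opening it in write
mode. The x86_64 syscall numbers follow the assumption in the earlier reply;
events 9001 and 9002 and their command names are constructed.

```python
import re

# x86_64 syscall numbers (arch=c000003e), as assumed in the reply above.
OPEN_CALLS = {2: ("open", "a1"), 257: ("openat", "a2")}   # name, flags argument
REPLACE_CALLS = {82: "rename", 87: "unlink", 264: "renameat", 316: "renameat2"}
O_ACCMODE = 0o3
ACCESS = {0: "O_RDONLY", 1: "O_WRONLY", 2: "O_RDWR"}
EXTRA = {0o100: "O_CREAT", 0o1000: "O_TRUNC", 0o2000: "O_APPEND",
         0o4000: "O_NONBLOCK", 0o2000000: "O_CLOEXEC"}
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample. Events 293 and 301 reuse fields quoted in the thread;
# events 9001 and 9002 (example-writer, example-script) are invented here.
SAMPLE = """\
type=SYSCALL msg=audit(1479960887.978:293): arch=c000003e syscall=2 success=yes exit=4 a0=7ffb36b6f43a a1=80000 a2=1b6 a3=24 pid=5527 comm="postfix" exe="/usr/sbin/postfix"
type=SYSCALL msg=audit(1479960888.013:301): arch=c000003e syscall=2 success=yes exit=3 a0=7f32c163043a a1=80000 a2=1b6 a3=24 pid=5546 comm="postconf" exe="/usr/sbin/postconf"
type=SYSCALL msg=audit(1479960900.000:9001): arch=c000003e syscall=2 success=no exit=-1 a0=7ffc00000000 a1=241 a2=1b6 a3=0 pid=6001 comm="example-writer" exe="/usr/local/bin/example-writer"
type=SYSCALL msg=audit(1479960901.000:9002): arch=c000003e syscall=82 success=yes exit=0 a0=7ffc00000010 a1=7ffc00000020 a2=0 a3=0 pid=6002 comm="example-script" exe="/usr/bin/bash"
"""

def decode_flags(value):
    """Render an open(2) flags word the way ausearch -i does."""
    names = [ACCESS.get(value & O_ACCMODE, "invalid")]
    names += [name for bit, name in EXTRA.items() if value & bit]
    return "|".join(names)

def classify(line):
    """Return (event_id, comm, action, detail) for a raw SYSCALL record, else None."""
    if not line.startswith("type=SYSCALL"):
        return None
    f = {k: v.strip('"') for k, v in FIELD.findall(line)}
    event_id = int(re.search(r"audit\([\d.]+:(\d+)\)", line).group(1))
    nr = int(f["syscall"])
    if nr in OPEN_CALLS:
        name, arg = OPEN_CALLS[nr]
        flags = int(f[arg], 16)            # raw records print arguments in hex
        action = "read" if (flags & O_ACCMODE) == 0 else "write"
        return event_id, f["comm"], action, f"{name} {decode_flags(flags)}"
    if nr in REPLACE_CALLS:                # file swapped out, never opened for write
        return event_id, f["comm"], "replace", REPLACE_CALLS[nr]
    return event_id, f["comm"], "other", f"syscall {nr}"

def writers(log_text):
    """Events that wrote, tried to write, or replaced the watched file."""
    results = (classify(line) for line in log_text.splitlines())
    return [r for r in results if r and r[2] in ("write", "replace")]

if __name__ == "__main__":
    for event_id, comm, action, detail in writers(SAMPLE):
        print(f"event {event_id}: {comm} -> {action} ({detail})")
```
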



