[Freeipa-users] Ping forwarded domain name.

TomK tk at mdevsys.com
Fri Nov 25 13:48:45 UTC 2016


On 11/25/2016 4:00 AM, Petr Spacek wrote:
> On 25.11.2016 05:57, TomK wrote:
>> On 11/24/2016 4:49 AM, Petr Spacek wrote:
>>> On 24.11.2016 06:08, TomK wrote:
>>>> On 11/23/2016 3:28 AM, Martin Basti wrote:
>>>>>
>>>>>
>>>>> On 23.11.2016 03:48, TomK wrote:
>>>>>> On 11/22/2016 10:22 AM, Martin Basti wrote:
>>>>>>>
>>>>>>>
>>>>>>> On 22.11.2016 13:57, TomK wrote:
>>>>>>>> On 11/22/2016 2:59 AM, Martin Basti wrote:
>>>>>>>>> Hey,
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> On 22.11.2016 06:33, TomK wrote:
>>>>>>>>>> Hey Guys,
>>>>>>>>>>
>>>>>>>>>> I'm forwarding a domain dom.abc.xyz from a Windows Server 2012
>>>>>>>>>> over to
>>>>>>>>>> my dual Free IPA server.  The Free IPA servers are authoritative for
>>>>>>>>>> this subdomain.  The Windows Server 2012 DNS resolves abc.xyz
>>>>>>>>>> and forwards dom.abc.xyz.
>>>>>>>>> Do you have configured proper zone delegation for subdomain
>>>>>>>>> dom.abc.xyz?
>>>>>>>>> Proper NS and glue records
>>>>>>>>> http://www.zytrax.com/books/dns/ch9/delegate.html
>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> I cannot ping dom.abc.xyz.  Everything else, including client
>>>>>>>>>> registrations, work fine.  If Free IPA is authoritative on
>>>>>>>>>> dom.abc.xyz, should it not create DNS entries so the sub domain
>>>>>>>>>> can be
>>>>>>>>>> pinged as well?
>>>>>>>>>
>>>>>>>>> What do you mean by "ping"?
>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> /etc/resolv.conf also gets regenerated on reboot on the IPA Servers
>>>>>>>>>> and wanted to ask if you can point me to some materials online to
>>>>>>>>>> determine where can I permanently adjust the search to add
>>>>>>>>>> dom.abc.xyz
>>>>>>>>>> to the already present abc.xyz .  I wasn't able to locate what I
>>>>>>>>>> needed in my searches.
>>>>>>>>>>
>>>>>>>>>> I'm using the latest v4.
>>>>>>>>>
>>>>>>>>> It depends on what you are using; probably you have NetworkManager
>>>>>>>>> there
>>>>>>>>> that is editing /etc/resolv.conf
>>>>>>>>>
>>>>>>>>> https://ask.fedoraproject.org/en/question/67752/how-do-i-add-a-search-domain-using-networkmanager/
>>>>>>>>>
>>>>>>>>> Martin
>>>>>>>>
>>>>>>>>
>>>>>>>> I Uninstalled NetworkManager.  Still changes.
>>>>>>>> ping dom.abc.com results in "ping: unknown host"
>>>>>>>>
>>>>>>>> I'll have a look at the first link, ty.
>>>>>>>>
>>>>>>>
>>>>>>> ping (ICMP protocol) and the DNS system are different things. Do you have
>>>>>>> a hostname dom.abc.com with an A record, or is it a zone?
>>>>>>>
>>>>>>> With the ping command, hostname "dom.abc.com" is resolved to an IP address
>>>>>>> first. Do you have an A record set for dom.abc.com at the zone apex, or what are
>>>>>>> you trying to achieve with the ping command?
>>>>>>>
>>>>>>> for testing DNS, try to use the commands dig, host, nslookup
>>>>>>>
>>>>>>> Martin
>>>>>>>
>>>>>>
>>>>>> Apologies for the long reply, but it should give some background on
>>>>>> what it is that I'm doing.
>>>>>>
>>>>>> 1) dom.abc.com is a zone.  There is no A record for dom.abc.com in
>>>>>> FreeIPA (Confirmed by Petr).  I get the point Petr Spacek pointed out
>>>>>> in his comment as well.  What should it really point to? ( I kind of
>>>>>> answer this question below so please read on. )  Where I'm getting
>>>>>> this from is that in Windows Server 2012 abc.com returns the IP of any
>>>>>> of the participating AD / DNS servers within the cluster (The two
>>>>>> Windows Server 2012 are a combined clustered AD + DNS servers.).
>>>>>> Being able to resolve abc.xyz is handy.  During a lookup, I can get a
>>>>>> list of all the IP's associated with that domain which would indicate
>>>>>> all the DNS + AD servers online under that domain or serving that domain:
>>>>>>
>>>>>>
>>>>>> # nslookup abc.xyz
>>>>>> Server:         192.168.0.3
>>>>>> Address:        192.168.0.3#53
>>>>>>
>>>>>> Name:   abc.xyz
>>>>>> Address: 192.168.0.3
>>>>>> Name:   abc.xyz
>>>>>> Address: 192.168.0.1
>>>>>> Name:   abc.xyz
>>>>>> Address: 192.168.0.2
>>>>>> #
>>>>>>
>>>>>> Again, where this is handy is when configuring sssd.conf for example
>>>>>> or other apps for that matter.  I can just point the app to
>>>>>> authenticate against the domain and I have my redundancy solved.
>>>>>> Windows Server 2012 does it, but FreeIPA didn't, so I threw the
>>>>>> question out there.
>>>>>
>>>>> IPA uses SRV records heavily; all IPA-related services have SRV records.
>>>>> SSSD uses IPA's SRV records; a client should use the SRV record to connect to
>>>>> the right service (or a URI record, which will be in the next IPA). SRV records
>>>>> work with the IPA locations mechanism; we cannot achieve this with pure A
>>>>> records.
>>>>>
>>>>>>
>>>>>> Delegation from this Windows DNS works as expected.  Any lookup from
>>>>>> dom.abc.xyz is forwarded to and handled by FreeIPA servers. Tested
>>>>>> this out. No issue with this.
>>>>>>
>>>>>> I did see earlier that there is no A record for dom.abc.xyz in
>>>>>> FreeIPA. My reasons for asking if there was an IP on the subdomain in
>>>>>> FreeIPA were above but the missing IP on the subdomain isn't a major
>>>>>> issue for me.  Things are working without dom.abc.xyz resolving to an
>>>>>> IP.  What I was hoping for is to have a VIP for the IPA servers and
>>>>>> one for the Windows Server 2012 DNS Cluster in /etc/resolv.conf.  (I
>>>>>> have the VIP for the windows server).  One forwarding to the other for
>>>>>> a given domain.  This is all for testing a) redundancy, b) forwarding,
>>>>>> c) authentication.
>>>>>>
>>>>>> IE:
>>>>>>
>>>>>> # cat /etc/resolv.conf
>>>>>> search dom.abc.xyz abc.xyz
>>>>>> nameserver 192.168.0.3            <------------ Win Cluster DNS VIP
>>>>>> nameserver 192.168.0.4            <------------ IPA Cluster DNS VIP
>>>>>>
>>>>>> * Just what I want to achieve above.  VIP 192.168.0.4 doesn't exist on
>>>>>> my cluster yet.  I'm looking to integrate ucarp with the above IPA
>>>>>> servers.
>>>>>>
>>>>>>
>>>>>> 2) More to the topic of my second question however, is that
>>>>>> /etc/resolv.conf, on the IPA servers themselves, gets rewritten on
>>>>>> restart.  Would like to know by what if I already uninstalled
>>>>>> NetworkManager?  When I configured the FreeIPA server, I used:
>>>>>>
>>>>>> ipa-server-install --setup-dns --forwarder=192.168.0.3 -p "Hush!" -a
>>>>>> "Hush!" -r DOM.ABC.XYZ -n dom.abc.xyz --hostname ipa01.dom.abc.xyz
>>>>>>
>>>>>> Notice I used the VIP of the Windows Server 2012 Cluster when
>>>>>> installing FreeIPA.  This is nice for redundancy.  So the resolv.conf
>>>>>> ends up being:
>>>>>>
>>>>>> # cat /etc/resolv.conf
>>>>>> # Generated by NetworkManager
>>>>>> search abc.xyz
>>>>>> nameserver 192.168.0.3
>>>>>> nameserver 123.123.123.1
>>>>>> nameserver 123.123.123.2
>>>>>>
>>>>>> Then I add:
>>>>>>
>>>>>> search dom.abc.xyz abc.xyz
>>>>>>
>>>>>> but it changes back to search abc.xyz (the Windows Server 2012 DNS).
>>>>>> This all works, except for the above minor items, and I can resolve
>>>>>> anything over this network.  (  Thinking this is fine because the
>>>>>> forward is on the subdomain.  I haven't had issues with forwarding
>>>>>> through this setup.  )
>>>>>>
>>>>>> # cat /etc/resolv.conf
>>>>>> # Generated by NetworkManager
>>>>>> search abc.xyz
>>>>>> nameserver 192.168.0.3
>>>>>> nameserver 123.123.123.1
>>>>>> nameserver 123.123.123.2
>>>>>>
>>>>>> But NetworkManager is not installed on these IPA servers.  I've
>>>>>> removed it earlier:
>>>>>>
>>>>>> # rpm -aq|grep -i NetworkManager
>>>>>> #
>>>>>>
>>>>>> Is FreeIPA replacing /etc/resolv.conf with a copy it keeps elsewhere?
>>>>>
>>>>> On servers with DNS, /etc/resolv.conf should point to 127.0.0.1 and ::1,
>>>>> and global or per-server DNS forwarders should be configured instead.
>>>>>
>>>>> Have you properly stopped NetworkManager using systemctl stop and
>>>>> systemctl disable? In case you just removed the rpm files, the service can
>>>>> still work.
>>>>> I recommend to update network manager config, not to remove it :)
>>>>>
>>>>> As a last resort, you can set the immutable bit on resolv.conf if
>>>>> something is still changing your resolv.conf file
>>>>>
>>>>>>
>>>>>> 3) After running:
>>>>>>
>>>>>> ipa-client-install --mkhomedir --enable-dns-updates
>>>>>>
>>>>>> on a new host, the hostname of the new host doesn't resolve for a few
>>>>>> minutes.  How do I make this instantaneous?  (Other than that,
>>>>>> autodiscovery of the IPA servers is excellent!).  Before installing
>>>>>> the IPA Client, the new host's /etc/resolv.conf file looks like this:
>>>>>>
>>>>>> # cat /etc/resolv.conf
>>>>>> search abc.xyz
>>>>>> nameserver 192.168.0.3
>>>>>> nameserver 123.123.123.1
>>>>>> nameserver 123.123.123.2
>>>>>>
>>>>>> I did dig, host, nslookup earlier.  Verified all except for the items
>>>>>> I'm inquiring about.
>>>>>>
>>>>>
>>>>> That's weird, because ipa-client-install creates A records directly in the DNS
>>>>> server using nsupdate, so it should be accessible instantly. Do you have
>>>>> any caching DNS servers?
>>>>>
>>>>> Martin
>>>>>
>>>>
>>>> No caching DNS servers.
>>>>
>>>> On the topic of NetworkManager: it's completely gone, yet the
>>>> /etc/resolv.conf file is still being replaced with the text "# Generated by
>>>> NetworkManager".
>>>>
>>>> # systemctl show NetworkManager.service --property=Id,Names,Description
>>>> Id=NetworkManager.service
>>>> Names=NetworkManager.service
>>>> Description=NetworkManager.service
>>>> #
>>>>
>>>> # systemctl list-units --type service --all|grep -i network
>>>>   network.service                        loaded    active   exited LSB: Bring
>>>> up/down networking
>>>> ● NetworkManager-wait-online.service     not-found inactive dead
>>>> NetworkManager-wait-online.service
>>>> ● NetworkManager.service                 not-found inactive dead
>>>> NetworkManager.service
>>>>   ntpd.service                           loaded    active   running Network
>>>> Time Service
>>>>   rhel-domainname.service                loaded    active   exited Read and
>>>> set NIS domainname from /etc/sysconfig/network
>>>>   rhel-import-state.service              loaded    active   exited Import
>>>> network configuration from initramfs
>>>> #
>>>>
>>>>
>>>> The only thing that is left of the NetworkManager service is the above.
>>>> Nothing I type from systemd removed it completely.  So I've reverted to the
>>>> last resort:
>>>>
>>>> # lsattr /etc/resolv.conf
>>>> ----i----------- /etc/resolv.conf
>>>> #
>>>>
>>>> With the above, I'm trying to see what's writing to the file by using
>>>> auditctl and found that postfix seems to be doing this:
>>>>
>>>> ----
>>>> time->Wed Nov 23 23:14:47 2016
>>>> type=PATH msg=audit(1479960887.978:293): item=0 name="/etc/resolv.conf"
>>>> inode=135699633 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00
>>>> obj=system_u:object_r:net_conf_t:s0 objtype=NORMAL
>>>> type=CWD msg=audit(1479960887.978:293):  cwd="/"
>>>> type=SYSCALL msg=audit(1479960887.978:293): arch=c000003e syscall=2
>>>> success=yes exit=4 a0=7ffb36b6f43a a1=80000 a2=1b6 a3=24 items=1 ppid=1
>>>> pid=5527 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
>>>> fsgid=0 tty=(none) ses=4294967295 comm="postfix" exe="/usr/sbin/postfix"
>>>> subj=system_u:system_r:postfix_master_t:s0 key="/root/resolv.conf-file"
>>>> ----
>>>> time->Wed Nov 23 23:14:48 2016
>>>> type=PATH msg=audit(1479960888.013:301): item=0 name="/etc/resolv.conf"
>>>> inode=135699633 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00
>>>> obj=system_u:object_r:net_conf_t:s0 objtype=NORMAL
>>>> type=CWD msg=audit(1479960888.013:301):  cwd="/var/spool/postfix"
>>>> type=SYSCALL msg=audit(1479960888.013:301): arch=c000003e syscall=2
>>>> success=yes exit=3 a0=7f32c163043a a1=80000 a2=1b6 a3=24 items=1 ppid=5545
>>>> pid=5546 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
>>>> fsgid=0 tty=(none) ses=4294967295 comm="postconf" exe="/usr/sbin/postconf"
>>>> subj=system_u:system_r:postfix_master_t:s0 key="/root/resolv.conf-file"
>>>
>>> It usually helps to run ausearch -i, it translates numeric codes to names.
>>>
>>> Assuming you are running Linux on x86_64, it would be interpreted like this:
>>>
>>> ----
>>> type=SYSCALL msg=audit(24.11.2016 05:14:47.978:293) : arch=x86_64 syscall=open
>>> success=yes exit=4 a0=0x7ffb36b6f43a a1=O_RDONLY|O_CLOEXEC a2=0x1b6 a3=0x24
>>> items=1 ppid=1 pid=5527 auid=unset uid=root gid=root euid=root suid=root
>>> fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=postfix
>>> exe=/usr/sbin/postfix subj=system_u:system_r:postfix_master_t:s0
>>> key=/root/resolv.conf-file
>>> type=CWD msg=audit(24.11.2016 05:14:47.978:293) :  cwd=/
>>> type=PATH msg=audit(24.11.2016 05:14:47.978:293) : item=0
>>> name=/etc/resolv.conf inode=135699633 dev=fd:00 mode=file,644 ouid=root
>>> ogid=root rdev=00:00 obj=system_u:object_r:net_conf_t:s0 objtype=NORMAL
>>> ----
>>> type=SYSCALL msg=audit(24.11.2016 05:14:48.013:301) : arch=x86_64 syscall=open
>>> success=yes exit=3 a0=0x7f32c163043a a1=O_RDONLY|O_CLOEXEC a2=0x1b6 a3=0x24
>>> items=1 ppid=5545 pid=5546 auid=unset uid=root gid=root euid=root suid=root
>>> fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=postconf
>>> exe=/usr/sbin/postconf subj=system_u:system_r:postfix_master_t:s0
>>> key=/root/resolv.conf-file
>>> type=CWD msg=audit(24.11.2016 05:14:48.013:301) :  cwd=/var/spool/postfix
>>> type=PATH msg=audit(24.11.2016 05:14:48.013:301) : item=0
>>> name=/etc/resolv.conf inode=135699633 dev=fd:00 mode=file,644 ouid=root
>>> ogid=root rdev=00:00 obj=system_u:object_r:net_conf_t:s0 objtype=NORMAL
>>>
>>>
>>> In other words, /root/resolv.conf-file is open for reading.
>>>
>>> It is interesting ... What does the file contain?
>>>
>>> Petr^2 Spacek
>>>
>>>
>>>>
>>>> This in turn appears to be started by:
>>>>
>>>> # grep postfix access|tail -n 1
>>>> [23/Nov/2016:23:42:04 -0500] conn=34 op=5 SRCH
>>>> base="cn=accounts,dc=dom,dc=abc,dc=xyz" scope=2
>>>> filter="(&(uid=postfix)(objectClass=posixAccount)(&(uidNumber=*)(!(uidNumber=0))))"
>>>>
>>>> attrs="objectClass uid userPassword uidNumber gidNumber gecos homeDirectory
>>>> loginShell krbPrincipalName cn memberOf ipaUniqueID ipaNTSecurityIdentifier
>>>> modifyTimestamp entryusn shadowLastChange shadowMin shadowMax shadowWarning
>>>> shadowInactive shadowExpire shadowFlag krbLastPwdChange krbPasswordExpiration
>>>> pwdattribute authorizedService accountexpires useraccountcontrol nsAccountLock
>>>> host logindisabled loginexpirationtime loginallowedtimemap ipaSshPubKey
>>>> ipaUserAuthType usercertificate;binary"
>>>> # pwd
>>>> /var/log/dirsrv/slapd-DOM-ABC-XYZ
>>
>> /root/resolv.conf-file is only an identifier (key) by which auditctl marked
>> events that occurred on /etc/resolv.conf.  In other words, it was just a
>> custom-assigned identifier I used that read / write requests got tagged with.
>> I really should have called it 'resolv-conf-identifier' or similar to avoid
>> confusion.  It's not a file.
>>
>> The commands I used to watch the file are:
>>
>> /sbin/ausearch -f /etc/resolv.conf -key=/root/resolv.conf-file
>>
>> Then to get events:
>>
>> /sbin/ausearch -f /etc/resolv.conf --key "/root/resolv.conf-file"
>>
>> Adding the -i as per your note, I get this:
>>
>>
>> [root at idmipa01 ~]# /sbin/ausearch -f /etc/resolv.conf --key
>> "/root/resolv.conf-file" -i
>> ----
>> type=PATH msg=audit(11/23/2016 23:14:04.708:287) : item=0
>> name=/etc/resolv.conf inode=135699633 dev=fd:00 mode=file,644 ouid=root
>> ogid=root rdev=00:00 obj=system_u:object_r:net_conf_t:s0 objtype=NORMAL
>> type=CWD msg=audit(11/23/2016 23:14:04.708:287) :
>> cwd=/var/log/dirsrv/slapd-NIX-MDS-XYZ
>> type=SYSCALL msg=audit(11/23/2016 23:14:04.708:287) : arch=x86_64 syscall=open
>> success=yes exit=53 a0=0x7f66d82c243a a1=O_RDONLY|O_CLOEXEC a2=0x1b6 a3=0x24
>> items=1 ppid=1 pid=5080 auid=unset uid=dirsrv gid=dirsrv euid=dirsrv
>> suid=dirsrv fsuid=dirsrv egid=dirsrv sgid=dirsrv fsgid=dirsrv tty=(none)
>> ses=unset comm=ns-slapd exe=/usr/sbin/ns-slapd
>> subj=system_u:system_r:dirsrv_t:s0 key=/root/resolv.conf-file
>> ----
>> type=PATH msg=audit(11/23/2016 23:14:32.182:288) : item=0
>> name=/etc/resolv.conf inode=135699633 dev=fd:00 mode=file,644 ouid=root
>> ogid=root rdev=00:00 obj=system_u:object_r:net_conf_t:s0 objtype=NORMAL
>> type=CWD msg=audit(11/23/2016 23:14:32.182:288) :  cwd=/var/log/audit
>> type=SYSCALL msg=audit(11/23/2016 23:14:32.182:288) : arch=x86_64 syscall=open
>> success=yes exit=3 a0=0x7fffd2fa47ff a1=O_RDONLY|O_NONBLOCK a2=0x7fffd2fa2f00
>> a3=0x7fffd2fa2c70 items=1 ppid=2389 pid=5511 auid=root uid=root gid=root
>> euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=1
>> comm=chattr exe=/usr/bin/chattr
>> subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
>> key=/root/resolv.conf-file
>> ----
>> type=PATH msg=audit(11/23/2016 23:14:32.182:289) : item=0
>> name=/etc/resolv.conf inode=135699633 dev=fd:00 mode=file,644 ouid=root
>> ogid=root rdev=00:00 obj=system_u:object_r:net_conf_t:s0 objtype=NORMAL
>> type=CWD msg=audit(11/23/2016 23:14:32.182:289) :  cwd=/var/log/audit
>> type=SYSCALL msg=audit(11/23/2016 23:14:32.182:289) : arch=x86_64 syscall=open
>> success=yes exit=3 a0=0x7fffd2fa47ff a1=O_RDONLY|O_NONBLOCK a2=0x7fffd2fa2f00
>> a3=0x7fffd2fa2d50 items=1 ppid=2389 pid=5511 auid=root uid=root gid=root
>> euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=1
>> comm=chattr exe=/usr/bin/chattr
>> subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
>> key=/root/resolv.conf-file
>> ----
>> type=PATH msg=audit(11/23/2016 23:14:36.847:290) : item=0
>> name=/etc/resolv.conf inode=135699633 dev=fd:00 mode=file,644 ouid=root
>> ogid=root rdev=00:00 obj=system_u:object_r:net_conf_t:s0 objtype=NORMAL
>> type=CWD msg=audit(11/23/2016 23:14:36.847:290) :  cwd=/var/log/audit
>> type=SYSCALL msg=audit(11/23/2016 23:14:36.847:290) : arch=x86_64 syscall=open
>> success=yes exit=3 a0=0x7fff791a17ff a1=O_RDONLY|O_NONBLOCK a2=0x7fff791a0180
>> a3=0x7fff7919fef0 items=1 ppid=2389 pid=5512 auid=root uid=root gid=root
>> euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=1
>> comm=lsattr exe=/usr/bin/lsattr
>> subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
>> key=/root/resolv.conf-file
>> ----
>> type=PATH msg=audit(11/23/2016 23:14:47.978:293) : item=0
>> name=/etc/resolv.conf inode=135699633 dev=fd:00 mode=file,644 ouid=root
>> ogid=root rdev=00:00 obj=system_u:object_r:net_conf_t:s0 objtype=NORMAL
>> type=CWD msg=audit(11/23/2016 23:14:47.978:293) :  cwd=/
>> type=SYSCALL msg=audit(11/23/2016 23:14:47.978:293) : arch=x86_64 syscall=open
>> success=yes exit=4 a0=0x7ffb36b6f43a a1=O_RDONLY|O_CLOEXEC a2=0x1b6 a3=0x24
>> items=1 ppid=1 pid=5527 auid=unset uid=root gid=root euid=root suid=root
>> fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=postfix
>> exe=/usr/sbin/postfix subj=system_u:system_r:postfix_master_t:s0
>> key=/root/resolv.conf-file
>> ----
>> type=PATH msg=audit(11/23/2016 23:14:48.013:301) : item=0
>> name=/etc/resolv.conf inode=135699633 dev=fd:00 mode=file,644 ouid=root
>> ogid=root rdev=00:00 obj=system_u:object_r:net_conf_t:s0 objtype=NORMAL
>> type=CWD msg=audit(11/23/2016 23:14:48.013:301) :  cwd=/var/spool/postfix
>> type=SYSCALL msg=audit(11/23/2016 23:14:48.013:301) : arch=x86_64 syscall=open
>> success=yes exit=3 a0=0x7f32c163043a a1=O_RDONLY|O_CLOEXEC a2=0x1b6 a3=0x24
>> items=1 ppid=5545 pid=5546 auid=unset uid=root gid=root euid=root suid=root
>> fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=postconf
>> exe=/usr/sbin/postconf subj=system_u:system_r:postfix_master_t:s0
>> key=/root/resolv.conf-file
>> [root at idmipa01 ~]#
>
> Okay, the important part is that all open() syscalls have parameter O_RDONLY
> so there is nothing writing to the file.
>
> The wrong value must have got into resolv.conf by some other means.
>

So the only way for me to find out what's modifying that file is to step 
through the boot process, since auditctl might not be loading yet or 
simply has to be loaded manually each time to capture anything of value.

The command I ran is:

/sbin/auditctl -w /etc/resolv.conf -p war -k /root/resolv.conf-file

Can't find a convenient way to capture this at boot.  I know 
/etc/resolv.conf changes through run level changes.

-- 
Cheers,
Tom K.
-------------------------------------------------------------------------------------

Living on earth is expensive, but it includes a free trip around the sun.
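The diagnosis in this thread turns on reading the open(2) flags in the audit SYSCALL records: every captured open carried O_RDONLY, so none of those processes could have rewritten the file. The script below automates that check over raw audit lines. It is an added example written for this page, not code from FreeIPA or from any poster. It assumes an x86_64 host (the arch= value, syscall numbers and open flag bits are the x86_64 Linux ones). The sample records are constructed: two mirror the postfix and chattr records quoted above, and the rest use a hypothetical comm="example-script" to stand in for a process that actually writes, including one that never opens the path at all but renames a temporary file over it, which a flag-only check would miss.

```python
"""Separate readers from writers in raw Linux audit records for a watched file.

Added example for this thread, not FreeIPA code.  x86_64 only: arch= value,
syscall numbers and open(2) flag bits are the x86_64 Linux ones.  SAMPLE is
constructed; comm="example-script" is a hypothetical writer.
"""
import re

ARCH_X86_64 = "c000003e"  # AUDIT_ARCH_X86_64 as printed in the arch= field

# x86_64 syscall numbers that can touch a watched path
SYSCALL_NAMES = {
    2: "open", 257: "openat",
    82: "rename", 264: "renameat", 316: "renameat2",
    87: "unlink", 263: "unlinkat",
    76: "truncate", 77: "ftruncate",
}
OPEN_LIKE = {2, 257}
REPLACE_OR_REMOVE = {82, 264, 316, 87, 263, 76, 77}  # modify the path, no open flags involved

# open(2) flag bits from <asm-generic/fcntl.h> (x86_64 uses the generic values)
O_ACCMODE, O_WRONLY, O_RDWR = 0o3, 0o1, 0o2
O_CREAT, O_TRUNC, O_APPEND = 0o100, 0o1000, 0o2000
O_NONBLOCK, O_CLOEXEC = 0o4000, 0o2000000
FLAG_NAMES = [(O_CREAT, "O_CREAT"), (O_TRUNC, "O_TRUNC"), (O_APPEND, "O_APPEND"),
              (O_NONBLOCK, "O_NONBLOCK"), (O_CLOEXEC, "O_CLOEXEC")]

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Split one raw audit line into a field -> value dict (quotes stripped)."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def decode_open_flags(flags):
    """Render open(2) flags the way `ausearch -i` does, e.g. O_RDONLY|O_CLOEXEC."""
    mode = {0: "O_RDONLY", O_WRONLY: "O_WRONLY", O_RDWR: "O_RDWR"}.get(flags & O_ACCMODE, "O_ACCMODE?")
    return "|".join([mode] + [name for bit, name in FLAG_NAMES if flags & bit])


def classify(line):
    """Classify one SYSCALL record; returns None for PATH/CWD/other record types.

    verdict: 'write'  - a successful call that could change the content or replace the path
             'denied' - such a call that failed (what chattr +i produces, exit=-1 is EPERM)
             'read'   - a read-only open (what every record in the thread was)
             'other'  - anything else
    """
    rec = parse_record(line)
    if rec.get("type") != "SYSCALL":
        return None
    if rec.get("arch") != ARCH_X86_64:
        raise ValueError("tables here are x86_64 only, record has arch=%s" % rec.get("arch"))
    nr = int(rec["syscall"])
    flags_txt = ""
    if nr in OPEN_LIKE:
        # open() carries its flags in a1; openat() has the dirfd in a0 and the flags in a2
        flags = int(rec["a1"] if nr == 2 else rec["a2"], 16)
        flags_txt = decode_open_flags(flags)
        can_write = (flags & O_ACCMODE) != 0 or bool(flags & O_TRUNC)
    else:
        can_write = nr in REPLACE_OR_REMOVE
    if not can_write:
        verdict = "read" if nr in OPEN_LIKE else "other"
    elif rec.get("success") == "yes":
        verdict = "write"
    else:
        verdict = "denied"
    return {"comm": rec.get("comm"), "pid": int(rec["pid"]),
            "syscall": SYSCALL_NAMES.get(nr, "syscall_%d" % nr),
            "flags": flags_txt, "verdict": verdict}


def find_writers(lines):
    """Keep only the records that actually modified or replaced the watched path."""
    return [info for info in map(classify, lines) if info and info["verdict"] == "write"]


# Constructed sample in raw form (as in /var/log/audit/audit.log or `ausearch --raw`).
SAMPLE = [
    # mirrors the thread: postfix opens the file O_RDONLY|O_CLOEXEC (a1=0x80000)
    'type=SYSCALL msg=audit(1479960887.978:293): arch=c000003e syscall=2 success=yes exit=4 '
    'a0=7ffb36b6f43a a1=80000 a2=1b6 a3=24 items=1 ppid=1 pid=5527 auid=4294967295 uid=0 gid=0 '
    'euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="postfix" '
    'exe="/usr/sbin/postfix" subj=system_u:system_r:postfix_master_t:s0 key="/root/resolv.conf-file"',
    # mirrors the decoded chattr record in the thread: O_RDONLY|O_NONBLOCK (a1=0x800)
    'type=SYSCALL msg=audit(1479960872.182:288): arch=c000003e syscall=2 success=yes exit=3 '
    'a0=7fffd2fa47ff a1=800 a2=7fffd2fa2f00 a3=7fffd2fa2c70 items=1 ppid=2389 pid=5511 auid=0 uid=0 '
    'gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="chattr" exe="/usr/bin/chattr" '
    'subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="/root/resolv.conf-file"',
    # hypothetical writer: open(O_WRONLY|O_CREAT|O_TRUNC) = 0x241, succeeded
    'type=SYSCALL msg=audit(1479960900.100:310): arch=c000003e syscall=2 success=yes exit=3 '
    'a0=55d0c8a1e2f0 a1=241 a2=1b6 a3=0 items=2 ppid=1 pid=6001 auid=4294967295 uid=0 gid=0 '
    'euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="example-script" '
    'exe="/usr/bin/bash" subj=system_u:system_r:initrc_t:s0 key="/root/resolv.conf-file"',
    # hypothetical writer via openat(AT_FDCWD, ...): flags in a2; EPERM (exit=-1) after chattr +i
    'type=SYSCALL msg=audit(1479960905.200:311): arch=c000003e syscall=257 success=no exit=-1 '
    'a0=ffffffffffffff9c a1=55d0c8a1e2f0 a2=241 a3=1b6 items=1 ppid=1 pid=6002 auid=4294967295 uid=0 '
    'gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="example-script" '
    'exe="/usr/bin/bash" subj=system_u:system_r:initrc_t:s0 key="/root/resolv.conf-file"',
    # hypothetical writer that never opens the path: rename() of a temp file over it
    'type=SYSCALL msg=audit(1479960910.300:312): arch=c000003e syscall=82 success=yes exit=0 '
    'a0=55d0c8a1f100 a1=55d0c8a1f180 a2=0 a3=0 items=4 ppid=1 pid=6003 auid=4294967295 uid=0 gid=0 '
    'euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="example-script" '
    'exe="/usr/bin/bash" subj=system_u:system_r:initrc_t:s0 key="/root/resolv.conf-file"',
]

if __name__ == "__main__":
    for info in map(classify, SAMPLE):
        print("%-7s %-15s pid=%-5d %-8s %s" % (info["verdict"], info["comm"], info["pid"],
                                               info["syscall"], info["flags"]))
```

To run it against a real capture, pipe `ausearch -k <key> --raw` into `find_writers` line by line; the watch from the thread (`-p war`) also records reads, which is why postfix, ns-slapd and chattr show up at all, and `-p wa` drops that noise. Since a watch added with `auditctl` on the command line lasts only until reboot, a rule that must be in place while the boot-time scripts run belongs in a file under `/etc/audit/rules.d/` (loaded by augenrules when auditd starts on the audit 2.x found on RHEL 7 era systems); `auditctl -l` afterwards confirms it is loaded.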



