[Freeipa-users] Ping forwarded domain name.

TomK tk at mdevsys.com
Sat Nov 26 00:46:21 UTC 2016


On 11/25/2016 9:09 AM, Petr Spacek wrote:
> On 25.11.2016 14:48, TomK wrote:
>> On 11/25/2016 4:00 AM, Petr Spacek wrote:
>>> On 25.11.2016 05:57, TomK wrote:
>>>> On 11/24/2016 4:49 AM, Petr Spacek wrote:
>>>>> On 24.11.2016 06:08, TomK wrote:
>>>>>> On 11/23/2016 3:28 AM, Martin Basti wrote:
>>>>>>>
>>>>>>>
>>>>>>> On 23.11.2016 03:48, TomK wrote:
>>>>>>>> On 11/22/2016 10:22 AM, Martin Basti wrote:
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> On 22.11.2016 13:57, TomK wrote:
>>>>>>>>>> On 11/22/2016 2:59 AM, Martin Basti wrote:
>>>>>>>>>>> Hey,
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> On 22.11.2016 06:33, TomK wrote:
>>>>>>>>>>>> Hey guys,
>>>>>>>>>>>>
>>>>>>>>>>>> I'm forwarding a domain dom.abc.xyz from a Windows Server 2012
>>>>>>>>>>>> over to
>>>>>>>>>>>> my dual Free IPA server.  The Free IPA servers are authoritative for
>>>>>>>>>>>> this subdomain.  The Windows Server 2012 DNS resolves abc.xyz
>>>>>>>>>>>> and forwards dom.abc.xyz.
>>>>>>>>>>> Have you configured proper zone delegation for the subdomain
>>>>>>>>>>> dom.abc.xyz?
>>>>>>>>>>> Proper NS and glue records:
>>>>>>>>>>> http://www.zytrax.com/books/dns/ch9/delegate.html
>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> I cannot ping dom.abc.xyz.  Everything else, including client
>>>>>>>>>>>> registrations, work fine.  If Free IPA is authoritative on
>>>>>>>>>>>> dom.abc.xyz, should it not create DNS entries so the sub domain
>>>>>>>>>>>> can be
>>>>>>>>>>>> pinged as well?
>>>>>>>>>>>
>>>>>>>>>>> What do you mean by "ping"?
>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> /etc/resolv.conf also gets regenerated on reboot on the IPA Servers,
>>>>>>>>>>>> and I wanted to ask if you can point me to some materials online to
>>>>>>>>>>>> determine where I can permanently adjust the search to add
>>>>>>>>>>>> dom.abc.xyz
>>>>>>>>>>>> to the already present abc.xyz.  I wasn't able to locate what I
>>>>>>>>>>>> needed in my searches.
>>>>>>>>>>>>
>>>>>>>>>>>> I'm using the latest v4.
>>>>>>>>>>>
>>>>>>>>>>> It depends on what you are using; probably you have NetworkManager
>>>>>>>>>>> there
>>>>>>>>>>> that is editing /etc/resolv.conf
>>>>>>>>>>>
>>>>>>>>>>> https://ask.fedoraproject.org/en/question/67752/how-do-i-add-a-search-domain-using-networkmanager/
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> Martin
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> I uninstalled NetworkManager.  Still changes.
>>>>>>>>>> ping dom.abc.com results in "ping: unknown host"
>>>>>>>>>>
>>>>>>>>>> I'll have a look at the first link, ty.
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>> ping (ICMP protocol) and the DNS system are different things; do you
>>>>>>>>> have a hostname dom.abc.com with an A record, or is it a zone?
>>>>>>>>>
>>>>>>>>> With the ping command the hostname "dom.abc.com" is resolved to an IP
>>>>>>>>> address first; do you have an A record set for dom.abc.com at the zone
>>>>>>>>> apex, or what are you trying to achieve with the ping command?
>>>>>>>>>
>>>>>>>>> For testing DNS, try the commands dig, host, nslookup
>>>>>>>>>
>>>>>>>>> Martin
>>>>>>>>>
>>>>>>>>
>>>>>>>> Apologies for the long reply, but it should give some background on
>>>>>>>> what it is that I'm doing.
>>>>>>>>
>>>>>>>> 1) dom.abc.com is a zone.  There is no A record for dom.abc.com in
>>>>>>>> FreeIPA (Confirmed by Petr).  I get the point Petr Spacek pointed out
>>>>>>>> in his comment as well.  What should it really point to?  (I kind of
>>>>>>>> answer this question below, so please read on.)  Where I'm getting
>>>>>>>> this from is that in Windows Server 2012 abc.com returns the IP of any
>>>>>>>> of the participating AD / DNS servers within the cluster (the two
>>>>>>>> Windows Server 2012 are combined clustered AD + DNS servers).
>>>>>>>> Being able to resolve abc.xyz is handy.  During a lookup, I can get a
>>>>>>>> list of all the IPs associated with that domain, which would indicate
>>>>>>>> all the DNS + AD servers online under that domain or serving that domain:
>>>>>>>>
>>>>>>>>
>>>>>>>> # nslookup abc.xyz
>>>>>>>> Server:         192.168.0.3
>>>>>>>> Address:        192.168.0.3#53
>>>>>>>>
>>>>>>>> Name:   abc.xyz
>>>>>>>> Address: 192.168.0.3
>>>>>>>> Name:   abc.xyz
>>>>>>>> Address: 192.168.0.1
>>>>>>>> Name:   abc.xyz
>>>>>>>> Address: 192.168.0.2
>>>>>>>> #
>>>>>>>>
>>>>>>>> Again, where this is handy is when configuring sssd.conf for example
>>>>>>>> or other apps for that matter.  I can just point the app to
>>>>>>>> authenticate against the domain and I have my redundancy solved.
>>>>>>>> Windows Server 2012 does it, but FreeIPA didn't, so I threw the
>>>>>>>> question out there.
>>>>>>>
>>>>>>> IPA uses SRV records heavily; all IPA-related services have SRV records,
>>>>>>> SSSD uses the SRV records of IPA, and clients should use SRV records to
>>>>>>> connect to the right service (or URI records, which will be in the next
>>>>>>> IPA). SRV records work with the IPA locations mechanism; we cannot
>>>>>>> achieve this with pure A records.
>>>>>>>
>>>>>>>>
>>>>>>>> Delegation from this Windows DNS works as expected.  Any lookup from
>>>>>>>> dom.abc.xyz is forwarded to and handled by the FreeIPA servers. Tested
>>>>>>>> this out. No issue with this.
>>>>>>>>
>>>>>>>> I did see earlier that there is no A record for dom.abc.xyz in
>>>>>>>> FreeIPA. My reasons for asking if there was an IP on the subdomain in
>>>>>>>> FreeIPA were above, but the missing IP on the subdomain isn't a major
>>>>>>>> issue for me.  Things are working without dom.abc.xyz resolving to an
>>>>>>>> IP.  What I was hoping for is to have a VIP for the IPA servers and
>>>>>>>> one for the Windows Server 2012 DNS Cluster in /etc/resolv.conf.  (I
>>>>>>>> have the VIP for the windows server).  One forwarding to the other for
>>>>>>>> a given domain.  This is all for testing a) redundancy, b) forwarding,
>>>>>>>> c) authentication.
>>>>>>>>
>>>>>>>> IE:
>>>>>>>>
>>>>>>>> # cat /etc/resolv.conf
>>>>>>>> search dom.abc.xyz abc.xyz
>>>>>>>> nameserver 192.168.0.3            <------------ Win Cluster DNS VIP
>>>>>>>> nameserver 192.168.0.4            <------------ IPA Cluster DNS VIP
>>>>>>>>
>>>>>>>> * Just what I want to achieve above.  VIP 192.168.0.4 doesn't exist on
>>>>>>>> my cluster yet.  I'm looking to integrate ucarp with the above IPA
>>>>>>>> servers.
>>>>>>>>
>>>>>>>>
>>>>>>>> 2) More to the topic of my second question, however, is that
>>>>>>>> /etc/resolv.conf, on the IPA servers themselves, gets rewritten on
>>>>>>>> restart.  I would like to know by what, if I already uninstalled
>>>>>>>> NetworkManager?  When I configured the FreeIPA server, I used:
>>>>>>>>
>>>>>>>> ipa-server-install --setup-dns --forwarder=192.168.0.3 -p "Hush!" -a
>>>>>>>> "Hush!" -r DOM.ABC.XYZ -n dom.abc.xyz --hostname ipa01.dom.abc.xyz
>>>>>>>>
>>>>>>>> Notice I used the VIP of the Windows Server 2012 Cluster when
>>>>>>>> installing FreeIPA.  This is nice for redundancy.  So the resolv.conf
>>>>>>>> ends up being:
>>>>>>>>
>>>>>>>> # cat /etc/resolv.conf
>>>>>>>> # Generated by NetworkManager
>>>>>>>> search abc.xyz
>>>>>>>> nameserver 192.168.0.3
>>>>>>>> nameserver 123.123.123.1
>>>>>>>> nameserver 123.123.123.2
>>>>>>>>
>>>>>>>> Then I add:
>>>>>>>>
>>>>>>>> search dom.abc.xyz abc.xyz
>>>>>>>>
>>>>>>>> but it changes back to search abc.xyz (the Windows Server 2012 DNS).
>>>>>>>> This all works, except for the above minor items, and I can resolve
>>>>>>>> anything over this network.  (  Thinking this is fine because the
>>>>>>>> forward is on the subdomain.  I haven't had issues with forwarding
>>>>>>>> through this setup.  )
>>>>>>>>
>>>>>>>> # cat /etc/resolv.conf
>>>>>>>> # Generated by NetworkManager
>>>>>>>> search abc.xyz
>>>>>>>> nameserver 192.168.0.3
>>>>>>>> nameserver 123.123.123.1
>>>>>>>> nameserver 123.123.123.2
>>>>>>>>
>>>>>>>> But NetworkManager is not installed on these IPA servers.  I've
>>>>>>>> removed it earlier:
>>>>>>>>
>>>>>>>> # rpm -aq|grep -i NetworkManager
>>>>>>>> #
>>>>>>>>
>>>>>>>> Is FreeIPA replacing /etc/resolv.conf with a copy it keeps elsewhere?
>>>>>>>
>>>>>>> On servers with DNS, /etc/resolv.conf should point to 127.0.0.1 and ::1,
>>>>>>> and global or per-server DNS forwarders should be configured instead.
>>>>>>>
>>>>>>> Have you properly stopped NetworkManager using systemctl stop and
>>>>>>> systemctl disable?  If you just removed the rpm files, the service can
>>>>>>> still run.
>>>>>>> I recommend updating the NetworkManager config, not removing it :)
>>>>>>>
>>>>>>> As a last resort, you can set the immutable bit on resolv.conf if
>>>>>>> something is still changing your resolv.conf file.
>>>>>>>
>>>>>>>>
>>>>>>>> 3) After running:
>>>>>>>>
>>>>>>>> ipa-client-install --mkhomedir --enable-dns-updates
>>>>>>>>
>>>>>>>> on a new host, the hostname of the new host doesn't resolve for a few
>>>>>>>> minutes.  How do I make this instantaneous?  (Other than that,
>>>>>>>> autodiscovery of the IPA servers is excellent!).  Before installing
>>>>>>>> the IPA Client, the new host's /etc/resolv.conf file looks like this:
>>>>>>>>
>>>>>>>> # cat /etc/resolv.conf
>>>>>>>> search abc.xyz
>>>>>>>> nameserver 192.168.0.3
>>>>>>>> nameserver 123.123.123.1
>>>>>>>> nameserver 123.123.123.2
>>>>>>>>
>>>>>>>> I did dig, host, nslookup earlier.  Verified all except for the items
>>>>>>>> I'm inquiring about.
>>>>>>>>
>>>>>>>
>>>>>>> That's weird, because ipa-client-install creates A records directly on
>>>>>>> the DNS server using nsupdate, so they should be accessible instantly.
>>>>>>> Do you have any caching DNS servers?
>>>>>>>
>>>>>>> Martin
>>>>>>>
>>>>>>
>>>>>> No caching DNS servers.
>>>>>>
>>>>>> On the topic of NetworkManager: it's completely gone, yet still the
>>>>>> /etc/resolv.conf file is being replaced with the text "# Generated by
>>>>>> NetworkManager".
>>>>>>
>>>>>> # systemctl show NetworkManager.service --property=Id,Names,Description
>>>>>> Id=NetworkManager.service
>>>>>> Names=NetworkManager.service
>>>>>> Description=NetworkManager.service
>>>>>> #
>>>>>>
>>>>>> # systemctl list-units --type service --all|grep -i network
>>>>>>   network.service                        loaded    active   exited LSB:
>>>>>> Bring
>>>>>> up/down networking
>>>>>> ● NetworkManager-wait-online.service     not-found inactive dead
>>>>>> NetworkManager-wait-online.service
>>>>>> ● NetworkManager.service                 not-found inactive dead
>>>>>> NetworkManager.service
>>>>>>   ntpd.service                           loaded    active   running Network
>>>>>> Time Service
>>>>>>   rhel-domainname.service                loaded    active   exited Read and
>>>>>> set NIS domainname from /etc/sysconfig/network
>>>>>>   rhel-import-state.service              loaded    active   exited Import
>>>>>> network configuration from initramfs
>>>>>> #
>>>>>>
>>>>>>
>>>>>> The only thing that is left of the NetworkManager service is the above.
>>>>>> Nothing I type from systemd removed it completely.  So I've reverted to the
>>>>>> last resort:
>>>>>>
>>>>>> # lsattr /etc/resolv.conf
>>>>>> ----i----------- /etc/resolv.conf
>>>>>> #
>>>>>>
>>>>>> With the above, I'm trying to see what's writing to the file by using
>>>>>> auditctl, and found that postfix seems to be doing this:
>>>>>>
>>>>>> ----
>>>>>> time->Wed Nov 23 23:14:47 2016
>>>>>> type=PATH msg=audit(1479960887.978:293): item=0 name="/etc/resolv.conf"
>>>>>> inode=135699633 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00
>>>>>> obj=system_u:object_r:net_conf_t:s0 objtype=NORMAL
>>>>>> type=CWD msg=audit(1479960887.978:293):  cwd="/"
>>>>>> type=SYSCALL msg=audit(1479960887.978:293): arch=c000003e syscall=2
>>>>>> success=yes exit=4 a0=7ffb36b6f43a a1=80000 a2=1b6 a3=24 items=1 ppid=1
>>>>>> pid=5527 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
>>>>>> fsgid=0 tty=(none) ses=4294967295 comm="postfix" exe="/usr/sbin/postfix"
>>>>>> subj=system_u:system_r:postfix_master_t:s0 key="/root/resolv.conf-file"
>>>>>> ----
>>>>>> time->Wed Nov 23 23:14:48 2016
>>>>>> type=PATH msg=audit(1479960888.013:301): item=0 name="/etc/resolv.conf"
>>>>>> inode=135699633 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00
>>>>>> obj=system_u:object_r:net_conf_t:s0 objtype=NORMAL
>>>>>> type=CWD msg=audit(1479960888.013:301):  cwd="/var/spool/postfix"
>>>>>> type=SYSCALL msg=audit(1479960888.013:301): arch=c000003e syscall=2
>>>>>> success=yes exit=3 a0=7f32c163043a a1=80000 a2=1b6 a3=24 items=1 ppid=5545
>>>>>> pid=5546 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
>>>>>> fsgid=0 tty=(none) ses=4294967295 comm="postconf" exe="/usr/sbin/postconf"
>>>>>> subj=system_u:system_r:postfix_master_t:s0 key="/root/resolv.conf-file"
>>>>>
>>>>> It usually helps to run ausearch -i, it translates numeric codes to names.
>>>>>
>>>>> Assuming you are running Linux on x86_64, it would be interpreted like this:
>>>>>
>>>>> ----
>>>>> type=SYSCALL msg=audit(24.11.2016 05:14:47.978:293) : arch=x86_64
>>>>> syscall=open
>>>>> success=yes exit=4 a0=0x7ffb36b6f43a a1=O_RDONLY|O_CLOEXEC a2=0x1b6 a3=0x24
>>>>> items=1 ppid=1 pid=5527 auid=unset uid=root gid=root euid=root suid=root
>>>>> fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=postfix
>>>>> exe=/usr/sbin/postfix subj=system_u:system_r:postfix_master_t:s0
>>>>> key=/root/resolv.conf-file
>>>>> type=CWD msg=audit(24.11.2016 05:14:47.978:293) :  cwd=/
>>>>> type=PATH msg=audit(24.11.2016 05:14:47.978:293) : item=0
>>>>> name=/etc/resolv.conf inode=135699633 dev=fd:00 mode=file,644 ouid=root
>>>>> ogid=root rdev=00:00 obj=system_u:object_r:net_conf_t:s0 objtype=NORMAL
>>>>> ----
>>>>> type=SYSCALL msg=audit(24.11.2016 05:14:48.013:301) : arch=x86_64
>>>>> syscall=open
>>>>> success=yes exit=3 a0=0x7f32c163043a a1=O_RDONLY|O_CLOEXEC a2=0x1b6 a3=0x24
>>>>> items=1 ppid=5545 pid=5546 auid=unset uid=root gid=root euid=root suid=root
>>>>> fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=postconf
>>>>> exe=/usr/sbin/postconf subj=system_u:system_r:postfix_master_t:s0
>>>>> key=/root/resolv.conf-file
>>>>> type=CWD msg=audit(24.11.2016 05:14:48.013:301) :  cwd=/var/spool/postfix
>>>>> type=PATH msg=audit(24.11.2016 05:14:48.013:301) : item=0
>>>>> name=/etc/resolv.conf inode=135699633 dev=fd:00 mode=file,644 ouid=root
>>>>> ogid=root rdev=00:00 obj=system_u:object_r:net_conf_t:s0 objtype=NORMAL
>>>>>
>>>>>
>>>>> In other words, /root/resolv.conf-file is open for reading.
>>>>>
>>>>> It is interesting ... What does the file contain?
>>>>>
>>>>> Petr^2 Spacek
>>>>>
>>>>>
>>>>>>
>>>>>> This in turn appears to be started by:
>>>>>>
>>>>>> # grep postfix access|tail -n 1
>>>>>> [23/Nov/2016:23:42:04 -0500] conn=34 op=5 SRCH
>>>>>> base="cn=accounts,dc=dom,dc=abc,dc=xyz" scope=2
>>>>>> filter="(&(uid=postfix)(objectClass=posixAccount)(&(uidNumber=*)(!(uidNumber=0))))"
>>>>>>
>>>>>>
>>>>>> attrs="objectClass uid userPassword uidNumber gidNumber gecos homeDirectory
>>>>>> loginShell krbPrincipalName cn memberOf ipaUniqueID ipaNTSecurityIdentifier
>>>>>> modifyTimestamp entryusn shadowLastChange shadowMin shadowMax shadowWarning
>>>>>> shadowInactive shadowExpire shadowFlag krbLastPwdChange
>>>>>> krbPasswordExpiration
>>>>>> pwdattribute authorizedService accountexpires useraccountcontrol
>>>>>> nsAccountLock
>>>>>> host logindisabled loginexpirationtime loginallowedtimemap ipaSshPubKey
>>>>>> ipaUserAuthType usercertificate;binary"
>>>>>> # pwd
>>>>>> /var/log/dirsrv/slapd-DOM-ABC-XYZ
>>>>
>>>> /root/resolv.conf-file is only an identifier (key) by which auditctl marked
>>>> events that occurred on /etc/resolv.conf.  In other words, it was just a
>>>> custom assigned identifier I used that read / write requests got tagged with.
>>>> I really should have called it 'resolv-conf-identifier' or similar to avoid
>>>> confusion.  It's not a file.
>>>>
>>>> The commands I used to watch the file are:
>>>>
>>>> /sbin/ausearch -f /etc/resolv.conf -key=/root/resolv.conf-file
>>>>
>>>> Then to get events:
>>>>
>>>> /sbin/ausearch -f /etc/resolv.conf --key "/root/resolv.conf-file"
>>>>
>>>> Adding the -i as per your note, I get this:
>>>>
>>>>
>>>> [root at idmipa01 ~]# /sbin/ausearch -f /etc/resolv.conf --key
>>>> "/root/resolv.conf-file" -i
>>>> ----
>>>> type=PATH msg=audit(11/23/2016 23:14:04.708:287) : item=0
>>>> name=/etc/resolv.conf inode=135699633 dev=fd:00 mode=file,644 ouid=root
>>>> ogid=root rdev=00:00 obj=system_u:object_r:net_conf_t:s0 objtype=NORMAL
>>>> type=CWD msg=audit(11/23/2016 23:14:04.708:287) :
>>>> cwd=/var/log/dirsrv/slapd-NIX-MDS-XYZ
>>>> type=SYSCALL msg=audit(11/23/2016 23:14:04.708:287) : arch=x86_64 syscall=open
>>>> success=yes exit=53 a0=0x7f66d82c243a a1=O_RDONLY|O_CLOEXEC a2=0x1b6 a3=0x24
>>>> items=1 ppid=1 pid=5080 auid=unset uid=dirsrv gid=dirsrv euid=dirsrv
>>>> suid=dirsrv fsuid=dirsrv egid=dirsrv sgid=dirsrv fsgid=dirsrv tty=(none)
>>>> ses=unset comm=ns-slapd exe=/usr/sbin/ns-slapd
>>>> subj=system_u:system_r:dirsrv_t:s0 key=/root/resolv.conf-file
>>>> ----
>>>> type=PATH msg=audit(11/23/2016 23:14:32.182:288) : item=0
>>>> name=/etc/resolv.conf inode=135699633 dev=fd:00 mode=file,644 ouid=root
>>>> ogid=root rdev=00:00 obj=system_u:object_r:net_conf_t:s0 objtype=NORMAL
>>>> type=CWD msg=audit(11/23/2016 23:14:32.182:288) :  cwd=/var/log/audit
>>>> type=SYSCALL msg=audit(11/23/2016 23:14:32.182:288) : arch=x86_64 syscall=open
>>>> success=yes exit=3 a0=0x7fffd2fa47ff a1=O_RDONLY|O_NONBLOCK a2=0x7fffd2fa2f00
>>>> a3=0x7fffd2fa2c70 items=1 ppid=2389 pid=5511 auid=root uid=root gid=root
>>>> euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=1
>>>> comm=chattr exe=/usr/bin/chattr
>>>> subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
>>>> key=/root/resolv.conf-file
>>>> ----
>>>> type=PATH msg=audit(11/23/2016 23:14:32.182:289) : item=0
>>>> name=/etc/resolv.conf inode=135699633 dev=fd:00 mode=file,644 ouid=root
>>>> ogid=root rdev=00:00 obj=system_u:object_r:net_conf_t:s0 objtype=NORMAL
>>>> type=CWD msg=audit(11/23/2016 23:14:32.182:289) :  cwd=/var/log/audit
>>>> type=SYSCALL msg=audit(11/23/2016 23:14:32.182:289) : arch=x86_64 syscall=open
>>>> success=yes exit=3 a0=0x7fffd2fa47ff a1=O_RDONLY|O_NONBLOCK a2=0x7fffd2fa2f00
>>>> a3=0x7fffd2fa2d50 items=1 ppid=2389 pid=5511 auid=root uid=root gid=root
>>>> euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=1
>>>> comm=chattr exe=/usr/bin/chattr
>>>> subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
>>>> key=/root/resolv.conf-file
>>>> ----
>>>> type=PATH msg=audit(11/23/2016 23:14:36.847:290) : item=0
>>>> name=/etc/resolv.conf inode=135699633 dev=fd:00 mode=file,644 ouid=root
>>>> ogid=root rdev=00:00 obj=system_u:object_r:net_conf_t:s0 objtype=NORMAL
>>>> type=CWD msg=audit(11/23/2016 23:14:36.847:290) :  cwd=/var/log/audit
>>>> type=SYSCALL msg=audit(11/23/2016 23:14:36.847:290) : arch=x86_64 syscall=open
>>>> success=yes exit=3 a0=0x7fff791a17ff a1=O_RDONLY|O_NONBLOCK a2=0x7fff791a0180
>>>> a3=0x7fff7919fef0 items=1 ppid=2389 pid=5512 auid=root uid=root gid=root
>>>> euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=1
>>>> comm=lsattr exe=/usr/bin/lsattr
>>>> subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
>>>> key=/root/resolv.conf-file
>>>> ----
>>>> type=PATH msg=audit(11/23/2016 23:14:47.978:293) : item=0
>>>> name=/etc/resolv.conf inode=135699633 dev=fd:00 mode=file,644 ouid=root
>>>> ogid=root rdev=00:00 obj=system_u:object_r:net_conf_t:s0 objtype=NORMAL
>>>> type=CWD msg=audit(11/23/2016 23:14:47.978:293) :  cwd=/
>>>> type=SYSCALL msg=audit(11/23/2016 23:14:47.978:293) : arch=x86_64 syscall=open
>>>> success=yes exit=4 a0=0x7ffb36b6f43a a1=O_RDONLY|O_CLOEXEC a2=0x1b6 a3=0x24
>>>> items=1 ppid=1 pid=5527 auid=unset uid=root gid=root euid=root suid=root
>>>> fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=postfix
>>>> exe=/usr/sbin/postfix subj=system_u:system_r:postfix_master_t:s0
>>>> key=/root/resolv.conf-file
>>>> ----
>>>> type=PATH msg=audit(11/23/2016 23:14:48.013:301) : item=0
>>>> name=/etc/resolv.conf inode=135699633 dev=fd:00 mode=file,644 ouid=root
>>>> ogid=root rdev=00:00 obj=system_u:object_r:net_conf_t:s0 objtype=NORMAL
>>>> type=CWD msg=audit(11/23/2016 23:14:48.013:301) :  cwd=/var/spool/postfix
>>>> type=SYSCALL msg=audit(11/23/2016 23:14:48.013:301) : arch=x86_64 syscall=open
>>>> success=yes exit=3 a0=0x7f32c163043a a1=O_RDONLY|O_CLOEXEC a2=0x1b6 a3=0x24
>>>> items=1 ppid=5545 pid=5546 auid=unset uid=root gid=root euid=root suid=root
>>>> fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=postconf
>>>> exe=/usr/sbin/postconf subj=system_u:system_r:postfix_master_t:s0
>>>> key=/root/resolv.conf-file
>>>> [root at idmipa01 ~]#
>>>
>>> Okay, the important part is that all open() syscalls have the parameter
>>> O_RDONLY, so nothing is writing to the file.
>>>
>>> The wrong value must have gotten into resolv.conf by some other means.
>>>
>>
>> So the only way for me to find out what's modifying that file is to step
>> through the boot process since auditctl might not be loading yet or simply has
>> to be loaded manually each time to capture anything of value.
>>
>> The command I ran is:
>>
>> /sbin/auditctl -w /etc/resolv.conf -p war -k /root/resolv.conf-file
>>
>> Can't find a convenient way to capture this at boot.  I know /etc/resolv.conf
>> changes through run level changes.
>
> Maybe this is a stupid question, but ... did you try to put the rules into
> /etc/audit/rules.d/audit.rules ?
>

Yep I did:

# cat /etc/audit/audit.rules
## This file is automatically generated from /etc/audit/rules.d
-D
-b 320

-w /etc/resolv.conf -p wxr -k etc-resolv-conf-key


and could check now.  Indeed it was the network scripts.

/etc/sysconfig/network-scripts/ifup-post

type=PATH msg=audit(11/25/2016 18:53:09.762:37) : item=1 
name=/etc/resolv.conf inode=135699635 dev=fd:00 mode=file,644 ouid=root 
ogid=root rdev=00:00 obj=system_u:object_r:net_conf_t:s0 objtype=NORMAL
type=PATH msg=audit(11/25/2016 18:53:09.762:37) : item=0 name=/etc/ 
inode=134299841 dev=fd:00 mode=dir,755 ouid=root ogid=root rdev=00:00 
obj=system_u:object_r:etc_t:s0 objtype=PARENT
type=CWD msg=audit(11/25/2016 18:53:09.762:37) : 
cwd=/etc/sysconfig/network-scripts
type=SYSCALL msg=audit(11/25/2016 18:53:09.762:37) : arch=x86_64 
syscall=open success=yes exit=3 a0=0x208c990 a1=O_WRONLY|O_CREAT|O_TRUNC 
a2=0666 a3=0xfffffff0 items=2 ppid=770 pid=854 auid=unset uid=root 
gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root 
tty=(none) ses=unset comm=ifup-post exe=/usr/bin/bash 
subj=system_u:system_r:initrc_t:s0 key=etc-resolv-conf-key

So I've changed to the following:

# grep DNS ifcfg-eth0
PEERDNS=yes
DNS1=192.168.0.3
# vi ifcfg-eth0
# grep DNS ifcfg-eth0
PEERDNS=yes
DNS1=127.0.0.1
#

After I made the change to ifcfg-eth0 above and restarted the network, 
all is good and it changed the entry from 192.168.0.3 to 127.0.0.1:

# cat /etc/resolv.conf
search com.abc.xyz abc.xyz
nameserver 127.0.0.1
#

Quite a few of those scripts change /etc/resolv.conf:


# grep -i resolv *
ifdown-post:if [ "$PEERDNS" != "no" -o -n "$RESOLV_MODS" -a 
"$RESOLV_MODS" != "no" ]; then
ifdown-post:    if [ -f /etc/resolv.conf.save ]; then
ifdown-post:    change_resolv_conf /etc/resolv.conf.save
ifdown-post:    rm -f /etc/resolv.conf.save
ifup-post:if [ "$PEERDNS" != "no" ] ||[ -n "$RESOLV_MODS" -a 
"$RESOLV_MODS" != "no" ]; then
ifup-post:  if [ -n "$DNS1" ] && ! grep -q "^nameserver $DNS1" 
/etc/resolv.conf &&
ifup-post:    (cat /etc/resolv.conf ; echo EOF ; echo EOF) | while read 
answer ; do
ifup-post:    # backup resolv.conf
ifup-post:    cp -af /etc/resolv.conf /etc/resolv.conf.save
ifup-post:    change_resolv_conf $tr
ifup-ppp:  cp -f /etc/resolv.conf /etc/resolv.conf.save
network-functions:    if ! grep search /etc/resolv.conf >/dev/null 2>&1; 
then
network-functions:              cat /etc/resolv.conf > $rsctmp
network-functions:              change_resolv_conf $rsctmp
network-functions:# Invoke this when /etc/resolv.conf has changed:
network-functions:change_resolv_conf ()
network-functions:    s=$(/bin/grep '^[\ \      ]*option' 
/etc/resolv.conf 2>/dev/null);
network-functions:    (echo "$s" > /etc/resolv.conf;) >/dev/null 2>&1;
network-functions:      [ -x /sbin/restorecon ] && /sbin/restorecon 
/etc/resolv.conf >/dev/null 2>&1 # reset the correct context
network-functions:      /usr/bin/logger -p local7.notice -t "NET" -i "$0 
: updated /etc/resolv.conf";
network-functions-ipv6:## Resolve need of explicit next hop for an interface



-- 
Cheers,
Tom K.
-------------------------------------------------------------------------------------

Living on earth is expensive, but it includes a free trip around the sun.
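The thread turned on one detail of the audit records: the postfix/ns-slapd events were O_RDONLY opens, while the ifup-post event carried O_WRONLY|O_CREAT|O_TRUNC, which is what actually rewrote the file. The following script is an added example, written for this page and not code from the thread or from the FreeIPA project. It parses `ausearch -i` style output, groups the PATH/CWD/SYSCALL records of each event by its audit serial, and separates read-only opens from opens (or renames/unlinks) that can change the watched file, so the writer stands out instead of having to be eyeballed. The two sample events in SAMPLE are constructed from the records quoted above; the openat() handling (flags in a2 rather than a1, because a0 is the directory fd) is included because current glibc routes open() through openat().

```python
import re
from collections import OrderedDict

# Constructed sample: two events in the shape of the thread's `ausearch -i`
# output (a read-only open by postfix, a truncating open by ifup-post).
SAMPLE = """\
----
type=PATH msg=audit(11/23/2016 23:14:47.978:293) : item=0 name=/etc/resolv.conf inode=135699633 dev=fd:00 mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:net_conf_t:s0 objtype=NORMAL
type=CWD msg=audit(11/23/2016 23:14:47.978:293) :  cwd=/
type=SYSCALL msg=audit(11/23/2016 23:14:47.978:293) : arch=x86_64 syscall=open success=yes exit=4 a0=0x7ffb36b6f43a a1=O_RDONLY|O_CLOEXEC a2=0x1b6 a3=0x24 items=1 ppid=1 pid=5527 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=postfix exe=/usr/sbin/postfix subj=system_u:system_r:postfix_master_t:s0 key=/root/resolv.conf-file
----
type=PATH msg=audit(11/25/2016 18:53:09.762:37) : item=1 name=/etc/resolv.conf inode=135699635 dev=fd:00 mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:net_conf_t:s0 objtype=NORMAL
type=PATH msg=audit(11/25/2016 18:53:09.762:37) : item=0 name=/etc/ inode=134299841 dev=fd:00 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:etc_t:s0 objtype=PARENT
type=CWD msg=audit(11/25/2016 18:53:09.762:37) : cwd=/etc/sysconfig/network-scripts
type=SYSCALL msg=audit(11/25/2016 18:53:09.762:37) : arch=x86_64 syscall=open success=yes exit=3 a0=0x208c990 a1=O_WRONLY|O_CREAT|O_TRUNC a2=0666 a3=0xfffffff0 items=2 ppid=770 pid=854 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=ifup-post exe=/usr/bin/bash subj=system_u:system_r:initrc_t:s0 key=etc-resolv-conf-key
"""

# One interpreted record: "type=<T> msg=audit(<timestamp>:<serial>) : <k=v ...>"
RECORD_RE = re.compile(r"^type=(\w+) msg=audit\(([^)]*)\) :\s*(.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")

# open()/openat() flags that imply the caller may modify the file
WRITE_FLAGS = {"O_WRONLY", "O_RDWR", "O_CREAT", "O_TRUNC", "O_APPEND"}
# syscalls that modify the path without going through open() flags
WRITE_SYSCALLS = {"rename", "renameat", "renameat2", "unlink", "unlinkat",
                  "truncate", "link", "linkat", "symlink", "symlinkat"}


def parse_events(text):
    """Group SYSCALL/CWD/PATH records that share an audit serial into events."""
    events = OrderedDict()
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue                      # "----" separators, blank lines
        rtype, stamp, rest = m.groups()
        fields = dict(KV_RE.findall(rest))
        ev = events.setdefault(stamp, {"stamp": stamp, "paths": []})
        if rtype == "SYSCALL":
            ev.update(fields)
        elif rtype == "CWD":
            ev["cwd"] = fields.get("cwd")
        elif rtype == "PATH":
            ev["paths"].append(fields)
    return [ev for ev in events.values() if "syscall" in ev]


def open_flags(ev):
    """Flags are a1 for open() but a2 for openat() (a0 is the directory fd)."""
    if ev["syscall"] == "open":
        return set(ev.get("a1", "").split("|"))
    if ev["syscall"] == "openat":
        return set(ev.get("a2", "").split("|"))
    return set()


def is_write(ev):
    return ev["syscall"] in WRITE_SYSCALLS or bool(open_flags(ev) & WRITE_FLAGS)


def target_path(ev):
    """The PATH item with objtype=NORMAL is the file; PARENT is its directory."""
    for p in ev["paths"]:
        if p.get("objtype") == "NORMAL":
            return p.get("name")
    return None


def classify(text, path="/etc/resolv.conf"):
    """One summary dict per event touching `path`, labelled read or write."""
    out = []
    for ev in parse_events(text):
        if target_path(ev) != path:
            continue
        out.append({
            "serial": ev["stamp"].rsplit(":", 1)[1],
            "comm": ev.get("comm"),
            "exe": ev.get("exe"),
            "cwd": ev.get("cwd"),
            "syscall": ev["syscall"],
            "flags": "|".join(sorted(open_flags(ev))),
            "access": "write" if is_write(ev) else "read",
        })
    return out


def writers(text, path="/etc/resolv.conf"):
    """Only the events that could actually have changed the file."""
    return [e for e in classify(text, path) if e["access"] == "write"]


if __name__ == "__main__":
    # Feed it real data with: ausearch -i -f /etc/resolv.conf | python3 this.py
    for e in classify(SAMPLE):
        print("{access:5} {comm:10} {exe:20} cwd={cwd} {syscall}({flags})".format(**e))
```

On the sample the only writer reported is comm=ifup-post, exe=/usr/bin/bash, run from /etc/sysconfig/network-scripts, which is exactly the conclusion reached above; the postfix event is listed as a read. The cwd of the writer is often the quickest pointer to the script responsible, since the exe of a shell script is the interpreter.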



