[Freeipa-users] FreeIPA + /etc/named.conf

TomK tk at mdevsys.com
Fri Jan 6 17:14:45 UTC 2017


On 1/5/2017 2:17 PM, Martin Basti wrote:
>
>
> On 05.01.2017 20:03, TomK wrote:
>> Hey All,
>>
>> QQ.
>>
>> Should the DNS forwarders be updated in /etc/named.conf?  Until I
>> manually change /etc/named.conf, can't ping the windows AD cluster:
>> mds.xyz.  Nor can I get dig to resolve the SRV records (dig SRV
>> _ldap._tcp.mds.xyz).
>>
>> sssd-ipa-1.14.0-43.el7_3.4.x86_64
>> ipa-client-4.4.0-14.el7.centos.x86_64
>>
>> IPA command below indicates that it's set to 'first' but that's not
>> what's in /etc/named.conf file when I check.  Again, it works if I
>> change /etc/named.conf manually.
>>
>
> Forwarder settings have priority:
>
> named.conf < global forwarders (ipa dnsconfig-mod) < local dns server
> config (ipa dnsserver-*) < forwardzones (applied per query, not as
> global forwarder)
>
> so what is in named.conf is usually always overwritten
>
>
> How did you edit the named.conf?
>
> Does dig @192.168.0.224 SRV _ldap._tcp.mds.xyz. work?
> Do you have any errors in journalctl -u named-pkcs11 ??
>
> Martin

Thanks Martin.

Yes, with the manual update of /etc/named.conf this command works, as I 
posted earlier (It doesn't work without the manual update of 
/etc/named.conf to  forward first; ):

dig @192.168.0.224 SRV _ldap._tcp.mds.xyz.

;; ANSWER SECTION:
_ldap._tcp.mds.xyz.     3600    IN      SRV     0 100 389 winad02.mds.xyz.
_ldap._tcp.mds.xyz.     600     IN      SRV     0 100 389 winad01.mds.xyz.

Yes, I stumbled on the journalctl command but really haven't seen 
anything applicable to my scenario AFAICT.  Nonetheless, logs available 
below:

http://microdevsys.com/freeipa/named-pkcs11-working.log
http://microdevsys.com/freeipa/named-pkcs11-non-working.log
http://microdevsys.com/freeipa/named-pkcs11-working-again.log

I'm still going over them.  The only message that seemed to make sense was:

ignoring inherited 'forward first;' for zone '.' - did you want 'forward 
only;' to override automatic empty zone

but it appears in both the working and non-working situations so isn't 
looking significant ATM and nothing I found applied to this scenario.  Btw:

[root at idmipa01 log]# cat /etc/resolv.conf
search nix.mds.xyz mds.xyz
nameserver 127.0.0.1
You have new mail in /var/spool/mail/root
[root at idmipa01 log]#

And based on earlier chats, that's how it should stay.  Resolution of AD 
IDs does work from clients though (when I have forward first; in 
/etc/named.conf).



-- 
Cheers,
Tom K.
-------------------------------------------------------------------------------------

Living on earth is expensive, but it includes a free trip around the sun.
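An added illustration, not code from the thread or from FreeIPA itself: the first function models the forwarder precedence Martin lists (named.conf < global forwarders < per-server config < forward zones, the last applied per query by the closest enclosing zone), and the second parses the SRV ANSWER SECTION that Tom posted so the targets come back in the order a client would try them (lowest priority first, highest weight first within a priority). The IP addresses and the dig output below are constructed sample values.

```python
"""Toy model of the FreeIPA forwarder precedence described in the thread,
plus a parser for dig's SRV ANSWER SECTION. Added example, not FreeIPA code."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class ForwarderLayers:
    """The places a forwarder can be configured, lowest precedence first."""
    named_conf: List[str] = field(default_factory=list)         # forwarders {} in /etc/named.conf
    global_forwarders: List[str] = field(default_factory=list)  # ipa dnsconfig-mod
    server_forwarders: Optional[List[str]] = None               # ipa dnsserver-* (None = unset)
    forward_zones: Dict[str, List[str]] = field(default_factory=dict)  # forward zone -> forwarders


def _fqdn(name: str) -> str:
    """Lower-case and make sure the name is absolute (trailing dot)."""
    name = name.lower()
    return name if name.endswith(".") else name + "."


def effective_forwarders(layers: ForwarderLayers, qname: str) -> Tuple[List[str], str]:
    """Return (forwarders, source) that would handle a query for qname.

    Forward zones are applied per query: the closest enclosing forward zone
    wins. Otherwise the most specific of the global layers applies, so a
    hand-edited named.conf only matters when nothing else is configured.
    """
    q = _fqdn(qname)
    best = None  # (zone, forwarders) with the longest matching zone name
    for zone, fwd in layers.forward_zones.items():
        z = _fqdn(zone)
        if z == "." or q == z or q.endswith("." + z):
            if best is None or len(z) > len(best[0]):
                best = (z, fwd)
    if best is not None:
        return list(best[1]), "forwardzone " + best[0]
    if layers.server_forwarders is not None:
        return list(layers.server_forwarders), "dnsserver"
    if layers.global_forwarders:
        return list(layers.global_forwarders), "dnsconfig"
    return list(layers.named_conf), "named.conf"


# One SRV line as printed by dig: name ttl IN SRV priority weight port target
SRV_LINE = re.compile(
    r"^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+SRV\s+"
    r"(?P<priority>\d+)\s+(?P<weight>\d+)\s+(?P<port>\d+)\s+(?P<target>\S+)\s*$"
)


def parse_srv_answers(dig_output: str) -> List[dict]:
    """Parse SRV records from dig's ANSWER SECTION and order them the way a
    client selects them: lowest priority first, higher weight first within
    the same priority (ties keep their printed order)."""
    records = []
    in_answer = False
    for line in dig_output.splitlines():
        if line.startswith(";; ANSWER SECTION:"):
            in_answer = True
            continue
        if line.startswith(";;"):      # any other section header ends the answers
            in_answer = False
            continue
        m = SRV_LINE.match(line)
        if in_answer and m:
            rec = m.groupdict()
            for key in ("ttl", "priority", "weight", "port"):
                rec[key] = int(rec[key])
            records.append(rec)
    records.sort(key=lambda r: (r["priority"], -r["weight"]))
    return records


# Constructed sample: the answer section from the thread plus a trailing header.
SAMPLE_DIG = """\
;; ANSWER SECTION:
_ldap._tcp.mds.xyz.     3600    IN      SRV     0 100 389 winad02.mds.xyz.
_ldap._tcp.mds.xyz.     600     IN      SRV     0 100 389 winad01.mds.xyz.

;; Query time: 1 msec
"""

if __name__ == "__main__":
    # Constructed addresses: a hand-edited named.conf forwarder and an IPA-managed one.
    layers = ForwarderLayers(named_conf=["10.0.0.53"], global_forwarders=["192.168.0.224"])
    print(effective_forwarders(layers, "_ldap._tcp.mds.xyz."))   # global forwarder wins over named.conf
    layers.forward_zones = {"mds.xyz": ["192.168.0.224"]}
    print(effective_forwarders(layers, "_ldap._tcp.mds.xyz."))   # forward zone wins for that name
    for rec in parse_srv_answers(SAMPLE_DIG):
        print(rec["priority"], rec["weight"], rec["port"], rec["target"])
```

Running this with a hand-edited `named.conf` forwarder and no IPA-side forwarders shows why the manual edit "works": named.conf is consulted only when none of the IPA-managed layers carry a forwarder, and any of those layers silently overrides it, which is the first thing to check with `ipa dnsconfig-show` and the `ipa dnsserver-*` commands before touching the file.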
