[Freeipa-users] FreeIPA + /etc/named.conf

Martin Basti mbasti at redhat.com
Mon Jan 9 09:51:42 UTC 2017



On 06.01.2017 18:14, TomK wrote:
> On 1/5/2017 2:17 PM, Martin Basti wrote:
>>
>>
>> On 05.01.2017 20:03, TomK wrote:
>>> Hey All,
>>>
>>> QQ.
>>>
>>> Should the DNS forwarders be updated in /etc/named.conf? Until I
>>> manually change /etc/named.conf, can't ping the windows AD cluster:
>>> mds.xyz.  Nor can I get dig to resolve the SRV records (dig SRV
>>> _ldap._tcp.mds.xyz).
>>>
>>> sssd-ipa-1.14.0-43.el7_3.4.x86_64
>>> ipa-client-4.4.0-14.el7.centos.x86_64
>>>
>>> IPA command below indicates that it's set to 'first' but that's not
>>> what's in /etc/named.conf file when I check.  Again, it works if I
>>> change /etc/named.conf manually.
>>>
>>
>> Forwarder settings have priority:
>>
>> named.conf < global forwarders (ipa dnsconfig-mod) < local dns server
>> config (ipa dnsserver-*) < forwardzones (applied per query, not as
>> global forwarder)
>>
>> so what is in named.conf is usually always overwritten
>>
>>
>> How did you edit the named.conf?
>>
>> Does dig @192.168.0.224 SRV _ldap._tcp.mds.xyz. work?
>> Do you have any errors in journalctl -u named-pkcs11 ??
>>
>> Martin
>
> Thanks Martin.
>
> Yes, with the manual update of /etc/named.conf this command works, as 
> I posted earlier (it doesn't work without the manual update of 
> /etc/named.conf to forward first;):
>
> dig @192.168.0.224 SRV _ldap._tcp.mds.xyz.
>
> ;; ANSWER SECTION:
> _ldap._tcp.mds.xyz.     3600    IN      SRV     0 100 389 
> winad02.mds.xyz.
> _ldap._tcp.mds.xyz.     600     IN      SRV     0 100 389 
> winad01.mds.xyz.
>
> Yes, I stumbled on the journalctl command but really haven't seen 
> anything applicable to my scenario AFAICT.  Nonetheless, logs available 
> below:
>
> http://microdevsys.com/freeipa/named-pkcs11-working.log
> http://microdevsys.com/freeipa/named-pkcs11-non-working.log
> http://microdevsys.com/freeipa/named-pkcs11-working-again.log
>
> I'm still going over them.  The only message that seemed to make sense 
> was:
>
> ignoring inherited 'forward first;' for zone '.' - did you want 
> 'forward only;' to override automatic empty zone
>
> but it appears in both the working and non-working situations so isn't 
> looking significant ATM and nothing I found applied to this scenario.  
> Btw:
>
> [root at idmipa01 log]# cat /etc/resolv.conf
> search nix.mds.xyz mds.xyz
> nameserver 127.0.0.1
> You have new mail in /var/spool/mail/root
> [root at idmipa01 log]#
>
> And based on earlier chats, that's how it should stay.  Resolution of 
> AD ID's does work from clients though (When I have forward first; in 
> /etc/named.conf)
>
>
>


For me it looks like some DNSSEC validation issue, could you temporarily 
disable DNSSEC validation in /etc/named.conf on IPA server and then try 
again with forward only?

Martin
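Added example, not part of the thread: a POSIX sh/awk helper that reads the options block of a named.conf (a constructed sample is embedded, modelled on the hand-edited "forward first;" described above) and reports whether a forward first/only policy is combined with dnssec-validation, the combination Martin suspects. It assumes one statement per line inside options {} and that the forwarding-related keys are named as in stock BIND.

```shell
#!/bin/sh
# Constructed sample named.conf, modelled on the thread: "forward first;"
# added by hand while DNSSEC validation stays enabled. Not the poster's file.
SAMPLE_NAMED_CONF='options {
    directory "/var/named";
    allow-recursion { any; };
    forward first;
    forwarders { 192.168.0.1; };
    dnssec-validation yes;
};

zone "." IN {
    type hint;
    file "named.ca";
};'

# named_option KEY: print the value of a top-level statement inside the
# options {} block read from stdin (single-line statements assumed).
named_option() {
    awk -v key="$1" '
        /^[ \t]*options[ \t]*[{]/ { inopt = 1; depth = 0 }
        inopt {
            if (depth == 1 && $1 == key) {
                sub(/;[ \t]*$/, ""); $1 = ""; sub(/^[ \t]+/, "")
                print; exit
            }
            depth += gsub(/[{]/, "{") - gsub(/[}]/, "}")
            if (depth == 0) inopt = 0
        }'
}

# check_forwarding CONF: classify forward policy and validation state.
# "forward-first+dnssec-validation" is the case where a forwarder that
# cannot answer DNSSEC queries makes every forwarded lookup SERVFAIL.
check_forwarding() {
    policy=$(printf '%s\n' "$1" | named_option forward)
    validation=$(printf '%s\n' "$1" | named_option dnssec-validation)
    case "$policy" in
        first|only)
            case "$validation" in
                yes|auto) echo "forward-$policy+dnssec-validation" ;;
                *)        echo "forward-$policy+no-validation" ;;
            esac ;;
        *) echo "no-forwarding" ;;
    esac
}

# Usage when run directly:
check_forwarding "$SAMPLE_NAMED_CONF"
```

A result of forward-first+dnssec-validation points at the forwarder's handling of DNSSEC queries rather than at the forward policy itself, so disabling validation is a diagnostic step to confirm that, not the fix to keep.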