[Freeipa-users] DNS forwarding issue

William Muriithi william.muriithi at gmail.com
Thu May 4 21:51:33 UTC 2017


Hello,

I have a problem with a Samba setup that I haven't been able to overcome for
months.  I am trying to set up Samba on RHEL 7 using SSSD instead of winbind.

Currently, I have a one-way trust between the production Active Directory
and production IPA.  I have users on IPA and Active Directory.  For example,
I have an account called william at activedirectory.example.com and
william at ipa.example.com.  To get sharing working, I have created a POSIX
group that now has both of the above users.  The intent is that I should be
able to write to my Linux home directory irrespective of which account I log
in with.


[homes]
        comment = Home Directories
        path = /home/william
        browseable = yes
        writeable = yes
        valid users = @william_posix_group


From any of the IPA clients, Samba seems to work fine.  I can log in with
the Samba client, delete, list and do anything.  With klist, I do see both the
CIFS and Linux host tickets.

From Windows though, it doesn't work.  I see that the Windows system did
actually get the host ticket for the server running Samba, and the Windows
host ticket, but the CIFS ticket is missing.

With that background, I have set up a dummy Active Directory called
test.local.  Essentially, I intend to destroy it once I verify that the
behaviour is consistent with the production Active Directory.  I am however
stuck with the DNS setup, and therefore can't establish a trust between
production IPA and the dummy Active Directory.

Would you know what I could be doing wrong, from the logs below?

[root at lithium ~]# ipa dnsforwardzone-add test.local.
--forwarder=192.168.11.56 --forward-policy=first
Server will check DNS forwarder(s).
This may take some time, please wait ...
ipa: WARNING: DNSSEC validation failed: record 'test.local. SOA' failed
DNSSEC validation on server 192.168.20.1.
Please verify your DNSSEC configuration or disable DNSSEC validation on all
IPA servers.
  Zone name: test.local.
  Active zone: TRUE
  Zone forwarders: 192.168.11.56
  Forward policy: first
[root at lithium ~]# dig  +short -t SRV _kerberos._udp.dc._msdcs.test.local
[root at lithium ~]# dig @192.168.11.56  +short -t SRV
_kerberos._udp.dc._msdcs.test.local
0 100 88 server.test.local.
[root at lithium ~]#


Regards,
William
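A small diagnostic script, added here as an example and not part of William's post, that separates the two cases `dig +short` hides: the IPA resolver answering SERVFAIL (what the DNSSEC warning above points to, since a validating resolver returns the data only when checking is disabled with `+cd`) versus answering NOERROR with no records. It assumes the addresses from the post (192.168.20.1 as the IPA DNS server, 192.168.11.56 as the AD forwarder) and that `dig` is installed; only `run_checks` touches the network.

```shell
#!/bin/sh
# Constructed diagnostic for an IPA forward zone that resolves via the AD
# forwarder but not via the IPA resolver. Addresses are assumed from the post.
ZONE="test.local"
IPA_DNS="192.168.20.1"
AD_DNS="192.168.11.56"
SRV="_kerberos._udp.dc._msdcs.${ZONE}"

# parse_srv: turn one 'prio weight port target.' line from 'dig +short -t SRV'
# into 'target:port' (trailing dot removed); prints nothing for malformed input.
parse_srv() {
    printf '%s\n' "$1" |
        awk 'NF == 4 && $3 ~ /^[0-9]+$/ { sub(/\.$/, "", $4); print $4 ":" $3 }'
}

# dig_status: extract the response code from 'dig +noall +comments' output
# (the line containing "status: SERVFAIL", "status: NOERROR", ...).
dig_status() {
    printf '%s\n' "$1" | sed -n 's/.*status: \([A-Z]*\).*/\1/p' | head -n 1
}

# classify_dnssec: $1 = status of the normal query, $2 = status of the same
# query with +cd (checking disabled). SERVFAIL that turns into NOERROR under
# +cd means the forwarder's data exists but fails DNSSEC validation.
classify_dnssec() {
    if [ "$1" = "SERVFAIL" ] && [ "$2" = "NOERROR" ]; then
        echo "dnssec-validation-failure"
    elif [ "$1" = "NOERROR" ]; then
        echo "resolves"
    else
        echo "forwarder-unreachable-or-no-data"
    fi
}

# run_checks: the live diagnosis against both servers (needs network access).
run_checks() {
    normal=$(dig_status "$(dig @"$IPA_DNS" +noall +comments -t SRV "$SRV")")
    cd_status=$(dig_status "$(dig @"$IPA_DNS" +cd +noall +comments -t SRV "$SRV")")
    echo "IPA resolver ($IPA_DNS): $(classify_dnssec "$normal" "$cd_status")"
    echo "Forwarder ($AD_DNS) advertises:"
    dig @"$AD_DNS" +short -t SRV "$SRV" | while read -r line; do
        parse_srv "$line"
    done
}

# Run the live checks only when invoked as: sh diag.sh run
case "${1:-}" in run) run_checks ;; esac
```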