<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">On 12/07/2014 10:10 PM, Matthew Herzog
wrote:<br>
</div>
<blockquote
cite="mid:CABhyZ36D_SVLezC=wZ3tsYHn00tdBGsxpOxCtpVgWZo8EdH2hw@mail.gmail.com"
type="cite">
<div dir="ltr">So should the FreeIPA server be authoritative for
the Kerb. realm/DNS domain or can it/should it be a slave DNS
server instead? Or caching only?</div>
</blockquote>
<br>
IPA DNS can't be a slave, so you either delegate a whole zone to it
or manage the IPA DNS domain via your own DNS server.<br>
<br>
<blockquote
cite="mid:CABhyZ36D_SVLezC=wZ3tsYHn00tdBGsxpOxCtpVgWZo8EdH2hw@mail.gmail.com"
type="cite">
<div class="gmail_extra"><br>
<div class="gmail_quote">On Sun, Dec 7, 2014 at 9:57 PM, Dmitri
Pal <span dir="ltr"><<a moz-do-not-send="true"
href="mailto:dpal@redhat.com" target="_blank">dpal@redhat.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000"><span class="">
<div>On 12/07/2014 09:51 PM, Matthew Herzog wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">What must be done in or on the ipa
server with regard to DNS, if anything?
<div><br>
</div>
<div>Our DNS works. It works well. We have four
Linux DNS servers and two AD domain controllers
that also do DNS.</div>
<div><br>
</div>
<div>So if we already have DNS working well in our
domain, why do we want to manage DNS in IPA?</div>
</div>
</blockquote>
<br>
</span> Let us keep the discussion on the list.<br>
IPA, when used with an AD trust, presents itself as a separate
forest. AD thinks that it is working with another AD
forest.<br>
For that to work we need to follow MSFT rules about the
relationship between the Kerberos realm and the DNS domain.<br>
AD assumes that for every trusted forest Kerberos realm =
DNS domain. IPA makes it easy to do because it has
integrated tools to manage the IPA DNS domain.<br>
If you want to manage it yourself through your DNS you can
do it, it is just more manual operations for you.<br>
<br>
HTH<br>
<br>
Thanks<span class="HOEnZb"><font color="#888888"><br>
Dmitri</font></span>
<div>
<div class="h5"><br>
<br>
<blockquote type="cite">
<div class="gmail_extra"><br>
<div class="gmail_quote">On Sun, Dec 7, 2014 at
9:44 PM, Dmitri Pal <span dir="ltr"><<a
moz-do-not-send="true"
href="mailto:dpal@redhat.com"
target="_blank">dpal@redhat.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0
0 0 .8ex;border-left:1px #ccc
solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000"><span>
<div>On 12/07/2014 06:44 PM, Matthew
Herzog wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">Thanks guys. I'm sorry
for my delay in responding.
<div><br>
</div>
<div>Firstly, I was under the
impression (from reading the docs)
that having named running on IPA
server was critical. <br>
</div>
</div>
</blockquote>
<br>
</span> Properly configured DNS is critical.<br>
How you accomplish it is up to you.<br>
IPA allows you to have a DNS server that
would simplify DNS management but it can be
done manually too. This is why DNS is
optional.<span><br>
<br>
<br>
<blockquote type="cite">
<div dir="ltr">
<div>Also, the first question the
ipa-server-install script asks is,
"Do you want to configure integrated
DNS (BIND)? ." While it's true the
default answer is no, it leads one
to believe that DNS is central to
IPA. Also the ipa-client-install
script says, </div>
<div><br>
</div>
<pre>[root@freeipa-poc-client02 ~]# ipa-client-install
DNS discovery failed to determine your DNS domain
Provide the domain name of your IPA server (ex: example.com):</pre>
<div><br>
</div>
<div>I can resolve -anything- from the
machine using dig or whatever.</div>
<div><br>
</div>
<div>Ultimately, the reason I started
to be concerned about my IPA
server's DNS config was because I
was not able to authenticate AD
accounts to a client machine. I saw
a bunch of errors in the client's
sssd logs which of course I can't
find now. <br>
</div>
<div><br>
</div>
<div>Perhaps it was these . . .</div>
<div><br>
</div>
<div>
<pre>(Thu Dec 4 13:45:23 2014) [sssd] [ping_check] (0x0100): Service nss replied to ping
(Thu Dec 4 13:45:23 2014) [sssd] [ping_check] (0x0100): Service sudo replied to ping
(Thu Dec 4 13:45:23 2014) [sssd] [ping_check] (0x0100): Service pam replied to ping
(Thu Dec 4 13:45:23 2014) [sssd] [ping_check] (0x0100): Service ssh replied to ping
(Thu Dec 4 13:45:23 2014) [sssd] [ping_check] (0x0100): Service pac replied to ping
(Thu Dec 4 13:45:23 2014) [sssd] [ping_check] (0x0100): Service bo3.e-bozo.com replied to ping</pre>
<div><br>
</div>
<div>I'm not allowed onto the AD
domain controllers to examine log
files or I'd be checking those
first.<br>
</div>
<div><br>
</div>
<div>So ultimately the goal is to
authenticate AD users and users
that exist in our ldap schema. We
need to set up groups of users
that can run sudo commands on
specific groups of hosts.</div>
</div>
</div>
</blockquote>
<br>
</span> Did you set up trusts as explained on
the following page?<br>
<a moz-do-not-send="true"
href="http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup"
target="_blank">http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup</a>
<div>
<div><br>
<br>
<blockquote type="cite">
<div dir="ltr">
<div><br>
<br>
</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Wed, Dec
3, 2014 at 3:46 AM, Petr Spacek <span
dir="ltr"><<a
moz-do-not-send="true"
href="mailto:pspacek@redhat.com"
target="_blank">pspacek@redhat.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote"
style="margin:0 0 0
.8ex;border-left:1px #ccc
solid;padding-left:1ex"><span>On
3.12.2014 04:35, Dmitri Pal
wrote:<br>
> On 12/02/2014 08:54 PM,
Matthew Herzog wrote:<br>
>> Any other ideas? I
just spun up a new VM and took
the defaults on everything<br>
>> while running
ipa-server-install (the
defaults did make sense) and
my new VM<br>
>> can't resolve
-anything- in the domain in
which it lives. The "old" VM<br>
>> (running the same
versions of everything on the
same OS) can't even resolve<br>
>> the clients I have
registered with it!<br>
>><br>
>> So I'm pretty
frustrated and am wondering,
what _exactly_ is the role of<br>
>> bind in the IPA
server and how is it expected
to know anything about the<br>
>> local DNS domain
without becoming a bind slave
server?<br>
><br>
> I am not sure I am 100%
with you but...<br>
> If you use the defaults
and nothing else you get to
the scenario when IPA has<br>
> its DNS but it is a self
contained environment. It
seems that this is what you<br>
> observe.<br>
> It is expected that you
decide in advance what you
want to do with DNS. There<br>
> are several options:<br>
> 1) You can delegate a
zone to IPA to manage, then
you need to connect your IPA<br>
> DNS to your existing DNS
during install or after.<br>
> In this case the systems
joined to IPA will be a part
of IPA domain/zone and<br>
> would also be able to
resolve other systems around<br>
> 2) Not use IPA DNS if you
do not want to take advantage
of it<br>
> 3) Have a self contained
demo/lab environment that you
currently observe.<br>
><br>
> What is the intent?<br>
<br>
</span>I agree with Dmitri, we need more information from you:<br>
- You said "my new VM can't resolve -anything- in the domain in which it
lives." - Which domain do you mean?<br>
<br>
- Apparently you have configured FreeIPA to serve zone e-bozo.com. Do you have
this zone configured on some other DNS server at the same time?<br>
<br>
Please keep in mind that authoritative servers should share the database. You
will get naming collisions if e-bozo.com is served by FreeIPA DNS servers and
some other servers at the same time. Maybe that is the problem you see right now.<br>
<br>
As Dmitri said, the architecturally correct solution is to decide if you want
to use FreeIPA DNS or not. You have the option either to remove the non-FreeIPA DNS
servers and import the data into FreeIPA, or to add the FreeIPA-specific DNS records to
the existing DNS servers and not configure FreeIPA to act as a DNS server.<br>
<br>
Petr^2 Spacek<br>
<span><br>
>> Thanks.<br>
>><br>
>> On Tue, Dec 2, 2014 at 11:58 AM, Petr Spacek &lt;<a
moz-do-not-send="true"
href="mailto:pspacek@redhat.com"
target="_blank">pspacek@redhat.com</a>&gt; wrote:<br>
</span>
<div>
<div>>><br>
>> On 2.12.2014 17:36, Martin Basti wrote:<br>
>> > On 02/12/14 17:28, Matthew Herzog wrote:<br>
>> >> I just realized that my IPA servers cannot resolve ANY servers in my domain.<br>
>> >> What do I need to do to fix this? Below is my named.conf.<br>
>> >><br>
<pre>>> >> options {
>> >>         // turns on IPv6 for port 53, IPv4 is on by default for all ifaces
>> >>         listen-on-v6 {any;};
>> >>
>> >>         // Put files that named is allowed to write in the data/ directory:
>> >>         directory "/var/named"; // the default
>> >>         dump-file "data/cache_dump.db";
>> >>         statistics-file "data/named_stats.txt";
>> >>         memstatistics-file "data/named_mem_stats.txt";
>> >>
>> >>         forward first;
>> >>         forwarders {
>> >>                 10.100.8.41;
>> >>                 10.100.8.40;
>> >>                 10.100.4.13;
>> >>                 10.100.4.14;
>> >>                 10.100.4.19;
>> >>                 10.100.4.44;
>> >>         };
>> >>
>> >>         // Any host is permitted to issue recursive queries
>> >>         allow-recursion { any; };
>> >>
>> >>         tkey-gssapi-keytab "/etc/named.keytab";
>> >>         pid-file "/run/named/named.pid";
>> >> };
>> >>
>> >> /* If you want to enable debugging, eg. using the 'rndc trace' command,
>> >>  * By default, SELinux policy does not allow named to modify the /var/named directory,
>> >>  * so put the default debug log file in data/ :
>> >>  */
>> >> logging {
>> >>         channel default_debug {
>> >>                 file "data/named.run";
>> >>                 severity dynamic;
>> >>                 print-time yes;
>> >>         };
>> >> };
>> >> };
>> >>
>> >> zone "." IN {
>> >>         type hint;
>> >>         file "named.ca";
>> >> };
>> >>
>> >> include "/etc/named.rfc1912.zones";
>> >>
>> >> dynamic-db "ipa" {
>> >>         library "ldap.so";
>> >>         arg "uri ldapi://%2fvar%2frun%2fslapd-BO3-E-BOZO-COM.socket";
>> >>         arg "base cn=dns, dc=bo3,dc=e-bozo,dc=com";
>> >>         arg "fake_mname freeipa-poc01.bo3.e-bozo.com.";
>> >>         arg "auth_method sasl";
>> >>         arg "sasl_mech GSSAPI";
>> >>         arg "sasl_user DNS/freeipa-poc01.bo3.e-bozo.com";
>> >>         arg "serial_autoincrement yes";
>> >> };</pre>
</div>
</div>
<span>>> >><br>
>> >><br>
>> > Hello,<br>
>> ><br>
>> > Which version of IPA do you use? Which platform? Which version of bind-dyndb-ldap?<br>
>> ><br>
>> > Can you run these commands, and check if there are any errors?<br>
>> > ipactl status<br>
>> > systemctl status named (respectively journalctl -u named)<br>
>><br>
>> We also may want to see information listed on page<br>
>> <a
moz-do-not-send="true"
href="https://fedorahosted.org/bind-dyndb-ldap/wiki/BugReporting"
target="_blank">https://fedorahosted.org/bind-dyndb-ldap/wiki/BugReporting</a><br>
<br>
--<br>
</span>
<div>
<div>Manage your subscription
for the Freeipa-users
mailing list:<br>
<a moz-do-not-send="true"
href="https://www.redhat.com/mailman/listinfo/freeipa-users"
target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a><br>
Go To <a
moz-do-not-send="true"
href="http://freeipa.org"
target="_blank">http://freeipa.org</a>
for more info on the project<br>
</div>
</div>
</blockquote>
</div>
<br>
<br clear="all">
<div><br>
</div>
-- <br>
<div>
<div dir="ltr">If life gives you
melons, you may be dyslexic. </div>
</div>
</div>
<br>
<br>
</blockquote>
<br>
<br>
</div>
</div>
<span>
<pre cols="72">--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.</pre>
</span></div>
<br>
</blockquote>
</div>
<br>
<br clear="all">
<div><br>
</div>
-- <br>
<div>
<div dir="ltr">If life gives you melons, you may
be dyslexic. </div>
</div>
</div>
</blockquote>
<br>
<br>
<pre cols="72">--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.</pre>
</div>
</div>
</div>
</blockquote>
</div>
<br>
<br clear="all">
<div><br>
</div>
-- <br>
<div class="gmail_signature">
<div dir="ltr">If life gives you melons, you may be dyslexic.
</div>
</div>
</div>
<br>
<br>
</blockquote>
<br>
<br>
<pre class="moz-signature" cols="72">--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.</pre>
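<p>The thread leaves the reader with two non-lab choices: delegate the IPA zone to IPA DNS from the parent zone, or keep the existing DNS servers and add the IPA-specific records to them. The script below is an added example, not code from the thread or from the FreeIPA project; it generates the record set for each option in zone-file form and reports which records an existing server is still missing, which is the precheck to run before <code>ipa-client-install</code> complains that DNS discovery failed. Assumptions not stated on the page: the SRV/TXT list in <code>SERVICE_RECORDS</code> is what the FreeIPA installer publishes for a server, from memory of the FreeIPA documentation (confirm it with <code>ipa dns-update-system-records --dry-run</code> on your version); the server address 192.0.2.10 and the <code>SAMPLE_EXISTING</code> record set are constructed.</p>

```python
"""Added example; not code from the thread or from the FreeIPA project.

Works through the two options Dmitri and Petr describe: (1) delegate the
IPA domain to IPA DNS from the parent zone, or (2) keep the existing DNS
servers and add the IPA-specific records there.

Assumptions (none stated in the thread):
  * SERVICE_RECORDS is the SRV/TXT set the FreeIPA installer publishes for
    a server, from memory of the FreeIPA docs; confirm it with
    `ipa dns-update-system-records --dry-run` on your version;
  * the server IP 192.0.2.10 and SAMPLE_EXISTING are constructed.
"""

# (service label, protocol label, port) - assumed list, see docstring.
SERVICE_RECORDS = (
    ("_ldap", "_tcp", 389),
    ("_kerberos", "_tcp", 88),
    ("_kerberos", "_udp", 88),
    ("_kerberos-master", "_tcp", 88),
    ("_kerberos-master", "_udp", 88),
    ("_kpasswd", "_tcp", 464),
    ("_kpasswd", "_udp", 464),
)


def _fqdn(name):
    """Absolute name with one trailing dot, lower-cased for comparison."""
    return name.rstrip(".").lower() + "."


def realm_matches_domain(realm, domain):
    """AD-trust rule from the thread: the Kerberos realm must be the DNS
    domain in upper case, or a trusted AD forest cannot locate the KDC."""
    return realm == domain.rstrip(".").upper()


def required_records(domain, realm, server):
    """Option 2: records to add to the existing DNS servers so that
    ipa-client-install's discovery finds the domain, the LDAP server and
    the KDC. Returns (owner, type, rdata) tuples in zone-file form."""
    domain, server = _fqdn(domain), _fqdn(server)
    records = [
        (f"{svc}.{proto}.{domain}", "SRV", f"0 100 {port} {server}")
        for svc, proto, port in SERVICE_RECORDS
    ]
    # Realm discovery: clients read _kerberos.<domain> TXT for the realm.
    records.append((f"_kerberos.{domain}", "TXT", f'"{realm}"'))
    return records


def delegation_records(subdomain, server, server_ip):
    """Option 1: records for the *parent* zone that hand the IPA domain to
    the IPA DNS server. A glue A record is needed only when the name
    server itself lives inside the zone being delegated."""
    subdomain, server = _fqdn(subdomain), _fqdn(server)
    records = [(subdomain, "NS", server)]
    if server.endswith("." + subdomain):
        records.append((server, "A", server_ip))
    return records


def missing_records(existing, required):
    """Petr's warning applied as a check: rather than serving the zone from
    two places, find which required records the existing servers lack."""
    have = {(_fqdn(o), t.upper(), r) for o, t, r in existing}
    return [rec for rec in required
            if (_fqdn(rec[0]), rec[1], rec[2]) not in have]


def zone_lines(records, ttl=3600):
    """Render records as lines that paste into a BIND zone file."""
    return [f"{owner} {ttl} IN {rtype} {rdata}" for owner, rtype, rdata in records]


# Constructed sample: the existing e-bozo.com servers already carry the
# LDAP SRV and the realm TXT, but none of the Kerberos SRV records.
SAMPLE_EXISTING = [
    ("_ldap._tcp.bo3.e-bozo.com.", "SRV", "0 100 389 freeipa-poc01.bo3.e-bozo.com."),
    ("_kerberos.bo3.e-bozo.com.", "TXT", '"BO3.E-BOZO.COM"'),
]

if __name__ == "__main__":
    server = "freeipa-poc01.bo3.e-bozo.com"
    req = required_records("bo3.e-bozo.com", "BO3.E-BOZO.COM", server)
    print("# option 2: add to the existing servers")
    print("\n".join(zone_lines(req)))
    print("# option 1: add to the e-bozo.com parent zone instead")
    print("\n".join(zone_lines(delegation_records("bo3.e-bozo.com", server, "192.0.2.10"))))
    print("# still missing from the constructed existing set")
    print("\n".join(zone_lines(missing_records(SAMPLE_EXISTING, req))))
```

Running it prints the two record sets and, for the constructed sample, the six Kerberos SRV records the existing servers lack; with only the LDAP SRV and realm TXT present, client discovery finds the domain but Kerberos lookups still fail. Feed <code>missing_records</code> the real answers from your DNS servers to get the list you need to add for option 2.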
</body>
</html>