<html>
<head>
<meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">On 12/07/2014 09:51 PM, Matthew Herzog
wrote:<br>
</div>
<blockquote
cite="mid:CABhyZ36DDM6icM+haMbVErdVdDWonGqbPE+3Tpad4K=u9QHjAQ@mail.gmail.com"
type="cite">
<div dir="ltr">What must be done in or on the ipa server with
regard to DNS, if anything?
<div><br>
</div>
<div>Our DNS works. It works well. We have four Linux DNS
servers and two AD domain controllers that also do DNS.</div>
<div><br>
</div>
<div>So if we already have DNS working well in our domain, why
do we want to manage DNS in IPA?</div>
</div>
</blockquote>
<br>
Let us keep the discussion on the list.<br>
IPA when used with AD trust presents itself as a separate forest. AD
thinks that it is working with another AD forest.<br>
For that to work we need to follow MSFT rules about relationship
between Kerberos realm and DNS domain.<br>
AD assumes that for every trusted forest Kerberos realm = DNS
domain. IPA makes it easy to do because it has integrated tools to
manage IPA DNS domain.<br>
If you want to manage it yourself through your DNS you can do it,
just more manual operations for you.<br>
<br>
HTH<br>
<br>
Thanks<br>
Dmitri<br>
<br>
<blockquote
cite="mid:CABhyZ36DDM6icM+haMbVErdVdDWonGqbPE+3Tpad4K=u9QHjAQ@mail.gmail.com"
type="cite">
<div class="gmail_extra"><br>
<div class="gmail_quote">On Sun, Dec 7, 2014 at 9:44 PM, Dmitri
Pal <span dir="ltr"><<a moz-do-not-send="true"
href="mailto:dpal@redhat.com" target="_blank">dpal@redhat.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000"><span class="">
<div>On 12/07/2014 06:44 PM, Matthew Herzog wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">Thanks guys. I'm sorry for my delay in
responding.
<div><br>
</div>
<div>Firstly, I was under the impression (from
reading the docs) that having named running on IPA
server was critical. <br>
</div>
</div>
</blockquote>
<br>
</span> Properly configured DNS is critical.<br>
How you accomplish it is up to you.<br>
IPA allows you to have a DNS server that would simplify
DNS management but it can be done manually too. This is
why DNS is optional.<span class=""><br>
<br>
<br>
<blockquote type="cite">
<div dir="ltr">
<div>Also, the first question the ipa-server-install
script asks is, "Do you want to configure
integrated DNS (BIND)? ." While it's true the
default answer is no, it leads one to believe that
DNS is central to IPA. Also the ipa-client-install
script says, </div>
<div><br>
</div>
<div><font size="1">[root@freeipa-poc-client02 ~]#
ipa-client-install</font></div>
<div><font size="1">DNS discovery failed to
determine your DNS domain</font></div>
<div><font size="1">Provide the domain name of your
IPA server (ex: <a moz-do-not-send="true"
href="http://example.com" target="_blank">example.com</a>):</font></div>
<div><br>
</div>
<div>I can resolve -anything- from the machine using
dig or whatever.</div>
<div><br>
</div>
<div>Ultimately, the reason I started to be
concerned about my IPA server's DNS config was
because I was not able to authenticate AD accounts
to a client machine. I saw a bunch of errors in
the client's sssd logs which of course I can't
find now. <br>
</div>
<div><br>
</div>
<div>Perhaps it was these . . .</div>
<div><br>
</div>
<div>
<div>(Thu Dec 4 13:45:23 2014) [sssd]
[ping_check] (0x0100): Service nss replied to
ping</div>
<div>(Thu Dec 4 13:45:23 2014) [sssd]
[ping_check] (0x0100): Service sudo replied to
ping</div>
<div>(Thu Dec 4 13:45:23 2014) [sssd]
[ping_check] (0x0100): Service pam replied to
ping</div>
<div>(Thu Dec 4 13:45:23 2014) [sssd]
[ping_check] (0x0100): Service ssh replied to
ping</div>
<div>(Thu Dec 4 13:45:23 2014) [sssd]
[ping_check] (0x0100): Service pac replied to
ping</div>
<div>(Thu Dec 4 13:45:23 2014) [sssd]
[ping_check] (0x0100): Service <a
moz-do-not-send="true"
href="http://bo3.e-bozo.com" target="_blank">bo3.e-bozo.com</a>
replied to ping</div>
<div><br>
</div>
<div>I'm not allowed onto the AD domain
controllers to examine log files or I'd be
checking those first.<br>
</div>
<div><br>
</div>
<div>So ultimately the goal is to authenticate AD
users and users that exist in our ldap schema.
We need to set up groups of users that can run
sudo commands on specific groups of hosts.</div>
</div>
</div>
</blockquote>
<br>
</span> Did you set up trusts as explained on the following
page?<br>
<a moz-do-not-send="true"
href="http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup"
target="_blank">http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup</a>
<div>
<div class="h5"><br>
<br>
<blockquote type="cite">
<div dir="ltr">
<div><br>
<br>
</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Wed, Dec 3, 2014 at
3:46 AM, Petr Spacek <span dir="ltr"><<a
moz-do-not-send="true"
href="mailto:pspacek@redhat.com"
target="_blank">pspacek@redhat.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0
0 0 .8ex;border-left:1px #ccc
solid;padding-left:1ex"><span>On 3.12.2014
04:35, Dmitri Pal wrote:<br>
> On 12/02/2014 08:54 PM, Matthew Herzog
wrote:<br>
>> Any other ideas? I just spun up a
new VM and took the defaults on everything<br>
>> while running ipa-server-install
(the defaults did make sense) and my new VM<br>
>> can't resolve -anything- in the
domain in which it lives. The "old" VM<br>
>> (running the same versions of
everything on the same OS) can't even
resolve<br>
>> the clients I have registered with
it!<br>
>><br>
>> So I'm pretty frustrated and am
wondering, what _exactly_ is the role of<br>
>> bind in the IPA server and how is
it expected to know anything about the<br>
>> local DNS domain without becoming a
bind slave server?<br>
><br>
> I am not sure I am 100% with you but...<br>
> If you use the defaults and nothing
else you get to the scenario when IPA has<br>
> its DNS but it is a self contained
environment. It seems that this is what you<br>
> observe.<br>
> It is expected that you decide in
advance what you want to do with DNS. There<br>
> are several options:<br>
> 1) You can delegate a zone to IPA to
manage, then you need to connect your IPA<br>
> DNS to your existing DNS during install
or after.<br>
> In this case the systems joined to IPA
will be a part of IPA domain/zone and<br>
> would also be able to resolve other
systems around<br>
> 2) Not use IPA DNS if you do not want
to take advantage of it<br>
> 3) Have a self contained demo/lab
environment that you currently observe.<br>
><br>
> What is the intent?<br>
<br>
</span>I agree with Dmitri, we need more
information from you:<br>
- You said "my new VM can't resolve -anything-
in the domain in which it<br>
lives." - Which domain do you mean?<br>
<br>
- Apparently you have configured FreeIPA to
serve zone <a moz-do-not-send="true"
href="http://e-bozo.com" target="_blank">e-bozo.com</a>.
Do you have<br>
this zone configured on some other DNS server
at the same time?<br>
<br>
Please keep in mind that authoritative servers
should share the database. You<br>
will get naming collisions if <a
moz-do-not-send="true"
href="http://e-bozo.com" target="_blank">e-bozo.com</a>
is served by FreeIPA DNS servers and<br>
some other servers at the same time. Maybe
that is the problem you see right now.<br>
<br>
As Dmitri said, the architecturally correct
solution is to decide if you want<br>
to use FreeIPA DNS or not. You have option to
either remove non-FreeIPA DNS<br>
servers and import data to FreeIPA or to add
FreeIPA-specific DNS records to<br>
existing DNS servers and do not configure
FreeIPA to act as DNS server.<br>
<br>
Petr^2 Spacek<br>
<span><br>
>> Thanks.<br>
>><br>
>> On Tue, Dec 2, 2014 at 11:58 AM,
Petr Spacek <<a moz-do-not-send="true"
href="mailto:pspacek@redhat.com"
target="_blank">pspacek@redhat.com</a><br>
</span>
<div>
<div>>> <mailto:<a
moz-do-not-send="true"
href="mailto:pspacek@redhat.com"
target="_blank">pspacek@redhat.com</a>>>
wrote:<br>
>><br>
>> On 2.12.2014 17:36, Martin
Basti wrote:<br>
>> > On 02/12/14 17:28,
Matthew Herzog wrote:<br>
>> >> I just realized that
my IPA servers cannot resolve ANY servers<br>
>> in my domain.<br>
>> >> What do I need to do
to fix this? Below is my named.conf.<br>
>> >><br>
>> >><br>
>> >> options {<br>
>> >> // turns on
IPv6 for port 53, IPv4 is on by default
for<br>
>> all ifaces<br>
>> >> listen-on-v6
{any;};<br>
>> >><br>
>> >> // Put files
that named is allowed to write in the<br>
>> data/ directory:<br>
>> >> directory
"/var/named"; // the default<br>
>> >> dump-file
"data/cache_dump.db";<br>
>> >>
statistics-file "data/named_stats.txt";<br>
>> >>
memstatistics-file
"data/named_mem_stats.txt";<br>
>> >><br>
>> >> forward
first;<br>
>> >> forwarders {<br>
>> >>
10.100.8.41;<br>
>> >>
10.100.8.40;<br>
>> >>
10.100.4.13;<br>
>> >>
10.100.4.14;<br>
>> >>
10.100.4.19;<br>
>> >>
10.100.4.44;<br>
>> >> };<br>
>> >><br>
>> >> // Any host
is permitted to issue recursive queries<br>
>> >>
allow-recursion { any; };<br>
>> >><br>
>> >>
tkey-gssapi-keytab "/etc/named.keytab";<br>
>> >> pid-file
"/run/named/named.pid";<br>
>> >> };<br>
>> >><br>
>> >> /* If you want to
enable debugging, eg. using the 'rndc
trace'<br>
>> command,<br>
>> >> * By default,
SELinux policy does not allow named to
modify<br>
>> the /var/named<br>
>> >> directory,<br>
>> >> * so put the
default debug log file in data/ :<br>
>> >> */<br>
>> >> logging {<br>
>> >> channel
default_debug {<br>
>> >> file
"data/named.run";<br>
>> >>
severity dynamic;<br>
>> >>
print-time yes;<br>
>> >> };<br>
>> >> };<br>
>> >> };<br>
>> >><br>
>> >> zone "." IN {<br>
>> >> type hint;<br>
</div>
</div>
>> >> file "named.ca";<br>
<span>>> >> };<br>
>> >><br>
>> >> include
"/etc/named.rfc1912.zones";<br>
>> >><br>
>> >> dynamic-db "ipa" {<br>
>> >> library
"ldap.so";<br>
>> >> arg "uri<br>
>>
ldapi://%2fvar%2frun%2fslapd-BO3-E-BOZO-COM.socket";<br>
>> >> arg "base
cn=dns, dc=bo3,dc=e-bozo,dc=com";<br>
>> >> arg "fake_mname freeipa-poc01.bo3.e-bozo.com.";<br>
>> >> arg
"auth_method sasl";<br>
>> >> arg "sasl_mech
GSSAPI";<br>
>> >> arg "sasl_user DNS/freeipa-poc01.bo3.e-bozo.com";<br>
>> >> arg
"serial_autoincrement yes";<br>
>> >> };<br>
>> >><br>
>> >><br>
>> >><br>
>> >><br>
>> > Hello,<br>
>> ><br>
>> > which version ipa do you
use? which platform? Which version<br>
>> bind-dyndb-ldap?<br>
>> ><br>
>> > Can you run these
commands, and check if there any errors?<br>
>> > ipactl status<br>
>> > systemctl status named
(respectively journalctl -u named)<br>
>><br>
>> We also may want to see
information listed on page<br>
>> <a moz-do-not-send="true"
href="https://fedorahosted.org/bind-dyndb-ldap/wiki/BugReporting"
target="_blank">https://fedorahosted.org/bind-dyndb-ldap/wiki/BugReporting</a><br>
<br>
--<br>
</span>
<div>
<div>Manage your subscription for the
Freeipa-users mailing list:<br>
<a moz-do-not-send="true"
href="https://www.redhat.com/mailman/listinfo/freeipa-users"
target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a><br>
Go To <a moz-do-not-send="true"
href="http://freeipa.org"
target="_blank">http://freeipa.org</a>
for more info on the project<br>
</div>
</div>
</blockquote>
</div>
<br>
<br clear="all">
<div><br>
</div>
-- <br>
<div>
<div dir="ltr">If life gives you melons, you may
be dyslexic. </div>
</div>
</div>
<br>
<br>
</blockquote>
<br>
<br>
</div>
</div>
<span class="">
<pre cols="72">--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.</pre>
</span></div>
<br>
</blockquote>
</div>
<br>
<br clear="all">
<div><br>
</div>
-- <br>
<div class="gmail_signature">
<div dir="ltr">If life gives you melons, you may be dyslexic.
</div>
</div>
</div>
</blockquote>
<br>
<br>
<pre class="moz-signature" cols="72">--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.</pre>
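<p>The thread makes three DNS points that are easy to check mechanically before a trust is attempted: the Kerberos realm must equal the upper-cased DNS domain for AD to accept IPA as a forest, ipa-client-install discovers the server through SRV and TXT records under the domain (which is what its "DNS discovery failed" message is about), and two servers that both answer authoritatively for the same zone without sharing a database will hand out colliding answers. The following script is an added example written for this page, not code from FreeIPA or from anyone in the thread. It takes a pluggable lookup function so it runs offline against constructed answer tables; the <code>ipa.example.com</code> zone, the <code>ipa1</code>/<code>legacy</code> server names and every address in it are made up for the demonstration, and the dnspython adapter at the end assumes that library is installed.</p>

```python
"""Offline audit of the DNS prerequisites discussed in the thread (added example)."""
from typing import Callable, Dict, List, Sequence, Tuple

# A lookup takes (owner name, record type) and returns the rdata strings that one
# particular server answered with; an empty list stands for NXDOMAIN or NODATA.
Lookup = Callable[[str, str], List[str]]

# Service-location records a FreeIPA client looks for during domain discovery.
DISCOVERY_SRV = ("_ldap._tcp", "_kerberos._tcp", "_kerberos._udp", "_kpasswd._tcp")


def realm_matches_domain(domain: str, realm: str) -> bool:
    """AD-trust rule from the thread: Kerberos realm == DNS domain, upper-cased."""
    return realm == domain.rstrip(".").upper()


def check_discovery(domain: str, realm: str, lookup: Lookup) -> List[str]:
    """Return problems with the records a client uses to find the IPA server."""
    problems: List[str] = []
    if not realm_matches_domain(domain, realm):
        problems.append(f"realm {realm} does not match DNS domain {domain}")
    for prefix in DISCOVERY_SRV:
        name = f"{prefix}.{domain}"
        if not lookup(name, "SRV"):
            problems.append(f"no SRV record for {name}")
    txt = lookup(f"_kerberos.{domain}", "TXT")
    if not txt:
        problems.append(f"no _kerberos TXT record under {domain}")
    elif txt[0].strip('"') != realm:
        problems.append(f"_kerberos TXT announces {txt[0]} but realm is {realm}")
    return problems


def find_divergent_answers(queries: Sequence[Tuple[str, str]],
                           servers: Dict[str, Lookup]) -> List[str]:
    """Ask every server that claims the zone the same questions and report
    each name whose answers differ, i.e. the naming collision Petr warns about."""
    problems: List[str] = []
    for name, rtype in queries:
        answers = {srv: tuple(sorted(look(name, rtype))) for srv, look in servers.items()}
        if len(set(answers.values())) > 1:
            detail = "; ".join(f"{srv}={list(a) or 'NODATA'}" for srv, a in answers.items())
            problems.append(f"{name} {rtype} differs between servers: {detail}")
    return problems


def make_lookup(table: Dict[Tuple[str, str], List[str]]) -> Lookup:
    """Wrap a constructed answer table as a lookup; stands in for a live server."""
    return lambda name, rtype: list(table.get((name.rstrip(".").lower(), rtype.upper()), []))


def live_lookup(server_ip: str) -> Lookup:
    """Adapter for a real server using dnspython (assumed installed; imported lazily
    so the offline demonstration below does not need it)."""
    import dns.resolver  # type: ignore

    def look(name: str, rtype: str) -> List[str]:
        resolver = dns.resolver.Resolver(configure=False)
        resolver.nameservers = [server_ip]
        try:
            return [rr.to_text() for rr in resolver.resolve(name, rtype)]
        except (dns.resolver.NXDOMAIN, dns.resolver.NoAnswer):
            return []
    return look


# Constructed sample data: an IPA-managed DNS server with the expected records, and
# a legacy server that still answers for the same zone with a stale client address.
DOMAIN = "ipa.example.com"
REALM = "IPA.EXAMPLE.COM"
IPA_DNS = make_lookup({
    ("_ldap._tcp.ipa.example.com", "SRV"): ["0 100 389 ipa1.ipa.example.com."],
    ("_kerberos._tcp.ipa.example.com", "SRV"): ["0 100 88 ipa1.ipa.example.com."],
    ("_kerberos._udp.ipa.example.com", "SRV"): ["0 100 88 ipa1.ipa.example.com."],
    ("_kpasswd._tcp.ipa.example.com", "SRV"): ["0 100 464 ipa1.ipa.example.com."],
    ("_kerberos.ipa.example.com", "TXT"): ['"IPA.EXAMPLE.COM"'],
    ("client02.ipa.example.com", "A"): ["10.0.0.52"],
})
LEGACY_DNS = make_lookup({
    ("client02.ipa.example.com", "A"): ["10.0.0.17"],  # stale, never updated
})
COLLISION_QUERIES = [("client02.ipa.example.com", "A"),
                     ("_ldap._tcp.ipa.example.com", "SRV")]


def run_audit() -> Tuple[List[str], List[str], List[str]]:
    """Run all three checks over the constructed servers."""
    return (check_discovery(DOMAIN, REALM, IPA_DNS),
            check_discovery(DOMAIN, REALM, LEGACY_DNS),
            find_divergent_answers(COLLISION_QUERIES, {"ipa1": IPA_DNS, "legacy": LEGACY_DNS}))


if __name__ == "__main__":
    for label, findings in zip(("ipa1 discovery", "legacy discovery", "collisions"), run_audit()):
        print(f"{label}: {findings or 'OK'}")
```

<p>With real servers, replace the two constructed lookups with <code>live_lookup("&lt;ip&gt;")</code> for each nameserver that claims the zone; a client that resolves "anything" through a server which lacks the SRV records will still fail discovery, which is the situation the thread describes.</p>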
</body>
</html>