<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">On 12/07/2014 06:44 PM, Matthew Herzog
wrote:<br>
</div>
<blockquote
cite="mid:CABhyZ37XChaQF+4rRY-L=OU9pVNp7Mw_NQifTk3NhrewzJtyVQ@mail.gmail.com"
type="cite">
<div dir="ltr">Thanks guys. I'm sorry for my delay in responding.
<div><br>
</div>
<div>Firstly, I was under the impression (from reading the docs)
that having named running on the IPA server was critical. <br>
</div>
</div>
</blockquote>
<br>
Properly configured DNS is critical.<br>
How you accomplish it is up to you.<br>
IPA allows you to have a DNS server that would simplify DNS
management, but it can be done manually too. This is why DNS is
optional.<br>
<br>
<br>
<blockquote
cite="mid:CABhyZ37XChaQF+4rRY-L=OU9pVNp7Mw_NQifTk3NhrewzJtyVQ@mail.gmail.com"
type="cite">
<div dir="ltr">
<div>Also, the first question the ipa-server-install script asks
is, "Do you want to configure integrated DNS (BIND)?" While
it's true the default answer is no, it leads one to believe
that DNS is central to IPA. Also the ipa-client-install script
says, </div>
<div><br>
</div>
<div><font size="1">[root@freeipa-poc-client02 ~]#
ipa-client-install</font></div>
<div><font size="1">DNS discovery failed to determine your DNS
domain</font></div>
<div><font size="1">Provide the domain name of your IPA server
(ex: example.com):</font></div>
<div><br>
</div>
<div>I can resolve -anything- from the machine using dig or
whatever.</div>
<div><br>
</div>
<div>Ultimately, the reason I started to be concerned about my
IPA server's DNS config was because I was not able to
authenticate AD accounts to a client machine. I saw a bunch of
errors in the client's sssd logs which of course I can't find
now. <br>
</div>
<div><br>
</div>
<div>Perhaps it was these . . .</div>
<div><br>
</div>
<div>
<div>(Thu Dec 4 13:45:23 2014) [sssd] [ping_check] (0x0100):
Service nss replied to ping</div>
<div>(Thu Dec 4 13:45:23 2014) [sssd] [ping_check] (0x0100):
Service sudo replied to ping</div>
<div>(Thu Dec 4 13:45:23 2014) [sssd] [ping_check] (0x0100):
Service pam replied to ping</div>
<div>(Thu Dec 4 13:45:23 2014) [sssd] [ping_check] (0x0100):
Service ssh replied to ping</div>
<div>(Thu Dec 4 13:45:23 2014) [sssd] [ping_check] (0x0100):
Service pac replied to ping</div>
<div>(Thu Dec 4 13:45:23 2014) [sssd] [ping_check] (0x0100):
Service bo3.e-bozo.com replied to ping</div>
<div><br>
</div>
<div>I'm not allowed onto the AD domain controllers to examine
log files or I'd be checking those first.<br>
</div>
<div><br>
</div>
<div>So ultimately the goal is to authenticate AD users and
users that exist in our ldap schema. We need to set up
groups of users that can run sudo commands on specific
groups of hosts.</div>
</div>
</div>
</blockquote>
<br>
Did you set up trusts as explained on the following page?<br>
<a class="moz-txt-link-freetext" href="http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup">http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup</a><br>
<br>
<blockquote
cite="mid:CABhyZ37XChaQF+4rRY-L=OU9pVNp7Mw_NQifTk3NhrewzJtyVQ@mail.gmail.com"
type="cite">
<div dir="ltr">
<div><br>
<br>
</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Wed, Dec 3, 2014 at 3:46 AM, Petr
Spacek <span dir="ltr"><<a moz-do-not-send="true"
href="mailto:pspacek@redhat.com" target="_blank">pspacek@redhat.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex"><span
class="">On 3.12.2014 04:35, Dmitri Pal wrote:<br>
> On 12/02/2014 08:54 PM, Matthew Herzog wrote:<br>
>> Any other ideas? I just spun up a new VM and took
the defaults on everything<br>
>> while running ipa-server-install (the defaults
did make sense) and my new VM<br>
>> can't resolve -anything- in the domain in which
it lives. The "old" VM<br>
>> (running the same versions of everything on the
same OS) can't even resolve<br>
>> the clients I have registered with it!<br>
>><br>
>> So I'm pretty frustrated and am wondering, what
_exactly_ is the role of<br>
>> bind in the IPA server and how is it expected to
know anything about the<br>
>> local DNS domain without becoming a bind slave
server?<br>
><br>
> I am not sure I am 100% with you but...<br>
> If you use the defaults and nothing else you get to
the scenario when IPA has<br>
> its DNS, but it is a self-contained environment. It<br>
seems that this is what you<br>
> observe.<br>
> It is expected that you decide in advance what you
want to do with DNS. There<br>
> are several options:<br>
> 1) You can delegate a zone to IPA to manage, then you
need to connect your IPA<br>
> DNS to your existing DNS during install or after.<br>
> In this case the systems joined to IPA will be a part
of IPA domain/zone and<br>
> would also be able to resolve other systems around<br>
> 2) Not use IPA DNS if you do not want to take
advantage of it<br>
> 3) Have a self-contained demo/lab environment that<br>
you currently observe.<br>
><br>
> What is the intent?<br>
<br>
</span>I agree with Dmitri; we need more information from
you:<br>
- You said "my new VM can't resolve -anything- in the domain
in which it<br>
lives." - Which domain do you mean?<br>
<br>
- Apparently you have configured FreeIPA to serve zone e-bozo.com. Do you have<br>
this zone configured on some other DNS server at the same
time?<br>
<br>
Please keep in mind that authoritative servers should share
the database. You<br>
will get naming collisions if e-bozo.com is
served by FreeIPA DNS servers and<br>
some other servers at the same time. Maybe that is the
problem you see right now.<br>
<br>
As Dmitri said, the architecturally correct solution is to
decide if you want<br>
to use FreeIPA DNS or not. You have the option to either remove
non-FreeIPA DNS<br>
servers and import data to FreeIPA, or to add
FreeIPA-specific DNS records to<br>
existing DNS servers and not configure FreeIPA to act as a
DNS server.<br>
<br>
Petr^2 Spacek<br>
<span class=""><br>
>> Thanks.<br>
>><br>
>> On Tue, Dec 2, 2014 at 11:58 AM, Petr Spacek <<a
moz-do-not-send="true" href="mailto:pspacek@redhat.com">pspacek@redhat.com</a>><br>
</span>
<div>
<div class="h5">>> wrote:<br>
>><br>
>> On 2.12.2014 17:36, Martin Basti wrote:<br>
>> > On 02/12/14 17:28, Matthew Herzog
wrote:<br>
>> >> I just realized that my IPA
servers cannot resolve ANY servers<br>
>> in my domain.<br>
>> >> What do I need to do to fix this?
Below is my named.conf.<br>
>> >><br>
>> >><br>
>> >> options {<br>
>> >> // turns on IPv6 for port 53, IPv4 is on by default for all ifaces<br>
>> >> listen-on-v6 {any;};<br>
>> >><br>
>> >> // Put files that named is allowed to write in the data/ directory:<br>
>> >> directory "/var/named"; //
the default<br>
>> >> dump-file
"data/cache_dump.db";<br>
>> >> statistics-file
"data/named_stats.txt";<br>
>> >> memstatistics-file
"data/named_mem_stats.txt";<br>
>> >><br>
>> >> forward first;<br>
>> >> forwarders {<br>
>> >> 10.100.8.41;<br>
>> >> 10.100.8.40;<br>
>> >> 10.100.4.13;<br>
>> >> 10.100.4.14;<br>
>> >> 10.100.4.19;<br>
>> >> 10.100.4.44;<br>
>> >> };<br>
>> >><br>
>> >> // Any host is permitted
to issue recursive queries<br>
>> >> allow-recursion { any; };<br>
>> >><br>
>> >> tkey-gssapi-keytab
"/etc/named.keytab";<br>
>> >> pid-file
"/run/named/named.pid";<br>
>> >> };<br>
>> >><br>
>> >> /* If you want to enable debugging, eg. using the 'rndc trace' command,<br>
>> >> * By default, SELinux policy does not allow named to modify the /var/named directory,<br>
>> >> * so put the default debug log file in data/ :<br>
>> >> */<br>
>> >> logging {<br>
>> >> channel default_debug {<br>
>> >> file
"data/named.run";<br>
>> >> severity dynamic;<br>
>> >> print-time yes;<br>
>> >> };<br>
>> >> };<br>
>> >> };<br>
>> >><br>
>> >> zone "." IN {<br>
>> >> type hint;<br>
</div>
</div>
>> >> file "named.ca";<br>
<span class="im HOEnZb">>> >> };<br>
>> >><br>
>> >> include "/etc/named.rfc1912.zones";<br>
>> >><br>
>> >> dynamic-db "ipa" {<br>
>> >> library "ldap.so";<br>
>> >> arg "uri ldapi://%2fvar%2frun%2fslapd-BO3-E-BOZO-COM.socket";<br>
>> >> arg "base cn=dns,
dc=bo3,dc=e-bozo,dc=com";<br>
>> >> arg "fake_mname freeipa-poc01.bo3.e-bozo.com.";<br>
>> >> arg "auth_method sasl";<br>
>> >> arg "sasl_mech GSSAPI";<br>
>> >> arg "sasl_user DNS/freeipa-poc01.bo3.e-bozo.com";<br>
>> >> arg "serial_autoincrement
yes";<br>
>> >> };<br>
>> >><br>
>> >><br>
>> >><br>
>> >><br>
>> > Hello,<br>
>> ><br>
>> > which version ipa do you use? which
platform? Which version<br>
>> bind-dyndb-ldap?<br>
>> ><br>
>> > Can you run these commands, and check if
there any errors?<br>
>> > ipactl status<br>
>> > systemctl status named (respectively
journalctl -u named)<br>
>><br>
>> We also may want to see information listed on
page<br>
>> <a moz-do-not-send="true"
href="https://fedorahosted.org/bind-dyndb-ldap/wiki/BugReporting"
target="_blank">https://fedorahosted.org/bind-dyndb-ldap/wiki/BugReporting</a><br>
<br>
--<br>
</span>
<div class="HOEnZb">
<div class="h5">Manage your subscription for the
Freeipa-users mailing list:<br>
<a moz-do-not-send="true"
href="https://www.redhat.com/mailman/listinfo/freeipa-users"
target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a><br>
Go To <a moz-do-not-send="true"
href="http://freeipa.org" target="_blank">http://freeipa.org</a>
for more info on the project<br>
</div>
</div>
</blockquote>
</div>
<br>
<br clear="all">
<div><br>
</div>
-- <br>
<div class="gmail_signature">
<div dir="ltr">If life gives you melons, you may be dyslexic.
</div>
</div>
</div>
<br>
<br>
</blockquote>
<br>
<br>
<pre class="moz-signature" cols="72">--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.</pre>
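The two checks this thread keeps coming back to, written up as an added shell example that is not from the thread or from FreeIPA itself: whether a zone such as e-bozo.com returns the same SOA from every server that claims to serve it (the naming-collision case Petr describes), and whether the _ldap._tcp and _kerberos._udp SRV records that ipa-client-install discovers are visible through each of those servers. It assumes dig(1) is installed; the zone and the server addresses are placeholders you pass on the command line.<br>

```shell
#!/bin/sh
# Added example, not part of the mailing-list thread. Assumes dig(1).
# Usage: check_zone ZONE REFERENCE_SERVER OTHER_SERVER...
#   e.g. check_zone bo3.e-bozo.com <ipa-server-ip> <corporate-dns-ip>

# parse_soa: read "dig +short ZONE SOA" output on stdin, print "MNAME SERIAL".
# dig +short prints one line: mname rname serial refresh retry expire minimum
parse_soa() {
    awk 'NF >= 7 { print $1, $3; exit }'
}

# soa_of SERVER ZONE: the SOA as seen from one server; empty on timeout/REFUSED
soa_of() {
    dig +short +time=2 +tries=1 "@$1" "$2" SOA 2>/dev/null | parse_soa
}

# same_soa A B: true only when both answers exist and are identical.
# Two servers with different MNAME or serial are two separate databases.
same_soa() {
    [ -n "$1" ] && [ -n "$2" ] && [ "$1" = "$2" ]
}

# srv_missing SERVER ZONE: print the IPA discovery records SERVER cannot answer
srv_missing() {
    for rr in _ldap._tcp _kerberos._udp; do
        [ -n "$(dig +short +time=2 +tries=1 "@$1" "$rr.$2" SRV 2>/dev/null)" ] \
            || echo "$rr.$2"
    done
}

# check_zone ZONE REFERENCE OTHER...: compare every server against REFERENCE.
# Returns 1 when any server disagrees, i.e. the zone has two authorities.
check_zone() {
    zone=$1; ref_srv=$2; shift 2
    ref=$(soa_of "$ref_srv" "$zone"); rc=0
    [ -n "$ref" ] || { echo "no SOA for $zone from $ref_srv"; return 1; }
    for srv in "$@"; do
        cur=$(soa_of "$srv" "$zone")
        if same_soa "$ref" "$cur"; then
            echo "OK   $srv: $cur"
        else
            echo "WARN $srv answers '$cur', $ref_srv answers '$ref'"; rc=1
        fi
        for m in $(srv_missing "$srv" "$zone"); do
            echo "WARN $srv lacks $m SRV (ipa-client-install discovery will fail)"
        done
    done
    return $rc
}
```

Run it from the client that failed DNS discovery, listing the FreeIPA server first and every resolver in /etc/resolv.conf after it; any WARN line is a server that does not share FreeIPA's zone database.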
</body>
</html>