<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">On 12/08/2014 05:58 PM, Matthew Herzog
wrote:<br>
</div>
<blockquote
cite="mid:CABhyZ36nxCA0OeeYt2pm8QbTKQE0XhaYtOHCz0uNnRqik6Kxbg@mail.gmail.com"
type="cite">
<div dir="ltr">Also, I just realized the AD I'm trying to connect
to is of type Windows 2000. Yay!</div>
</blockquote>
<br>
This one would not work...<br>
<br>
<blockquote
cite="mid:CABhyZ36nxCA0OeeYt2pm8QbTKQE0XhaYtOHCz0uNnRqik6Kxbg@mail.gmail.com"
type="cite">
<div class="gmail_extra"><br>
<div class="gmail_quote">On Mon, Dec 8, 2014 at 5:54 PM, Matthew
Herzog <span dir="ltr"><<a moz-do-not-send="true"
href="mailto:matthew.herzog@gmail.com" target="_blank">matthew.herzog@gmail.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">OK, I deserve a slap. I had forgotten to set
up the two-way trust again since the ipa-server-install
--uninstall && reinstall. That's back in place.
<div><br>
</div>
<div>So I found Sumit Bose's <a moz-do-not-send="true"
href="https://www.youtube.com/watch?v=infot4cmZgM"
target="_blank">https://www.youtube.com/watch?v=infot4cmZgM</a>
and realized I could not add groups to any new, external
user group using the ipa server's web interface.</div>
<div><br>
</div>
<div>Error in the GUI is, <a moz-do-not-send="true"
href="http://E-BOZO.COM" target="_blank">E-BOZO.COM</a>\Domain
Users: invalid 'truster domain object': no trusted
domain matched the specified flat name.</div>
<div><br>
</div>
<div><br>
</div>
</div>
<div class="HOEnZb">
<div class="h5">
<div class="gmail_extra"><br>
<div class="gmail_quote">On Mon, Dec 8, 2014 at 2:49
PM, Matthew Herzog <span dir="ltr"><<a
moz-do-not-send="true"
href="mailto:matthew.herzog@gmail.com"
target="_blank">matthew.herzog@gmail.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">
<div>sssd_&lt;hostname&gt;.log</div>
<div>(Mon Dec 8 14:46:54 2014) [sssd[be[<a
moz-do-not-send="true"
href="http://bo3.e-bozo.com" target="_blank">bo3.e-bozo.com</a>]]]
[sysdb_search_groups] (0x2000): No such entry</div>
<div>(Mon Dec 8 14:46:54 2014) [sssd[be[<a
moz-do-not-send="true"
href="http://bo3.e-bozo.com" target="_blank">bo3.e-bozo.com</a>]]]
[sysdb_delete_user] (0x0400): Error: 2 (No
such file or directory)</div>
<div>(Mon Dec 8 14:46:54 2014) [sssd[be[<a
moz-do-not-send="true"
href="http://bo3.e-bozo.com" target="_blank">bo3.e-bozo.com</a>]]]
[acctinfo_callback] (0x0100): Request
processed. Returned 0,0,Success</div>
<div>(Mon Dec 8 14:46:54 2014) [sssd[be[<a
moz-do-not-send="true"
href="http://bo3.e-bozo.com" target="_blank">bo3.e-bozo.com</a>]]]
[sdap_process_result] (0x2000): Trace:
sh[0x17b0030], connected[1], ops[(nil)],
ldap[0x17ab240]</div>
<div>(Mon Dec 8 14:46:54 2014) [sssd[be[<a
moz-do-not-send="true"
href="http://bo3.e-bozo.com" target="_blank">bo3.e-bozo.com</a>]]]
[sdap_process_result] (0x2000): Trace:
ldap_result found nothing!</div>
<div>(Mon Dec 8 14:46:57 2014) [sssd[be[<a
moz-do-not-send="true"
href="http://bo3.e-bozo.com" target="_blank">bo3.e-bozo.com</a>]]]
[sbus_dispatch] (0x4000): dbus conn: 0x178eb70</div>
<div>(Mon Dec 8 14:46:57 2014) [sssd[be[<a
moz-do-not-send="true"
href="http://bo3.e-bozo.com" target="_blank">bo3.e-bozo.com</a>]]]
[sbus_dispatch] (0x4000): Dispatching.</div>
<div><br>
</div>
</div>
<div>
<div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Mon, Dec 8, 2014
at 2:32 PM, Matthew Herzog <span
dir="ltr"><<a moz-do-not-send="true"
href="mailto:matthew.herzog@gmail.com"
target="_blank">matthew.herzog@gmail.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote"
style="margin:0 0 0 .8ex;border-left:1px
#ccc solid;padding-left:1ex">
<div dir="ltr">ipa-client-3.0.0-42.el6.x86_64
on OEL 6.5 (server has 3.3.3 IPA)<br>
<div><br>
</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">
<div>
<div>On Mon, Dec 8, 2014 at 2:26
PM, Dmitri Pal <span dir="ltr"><<a
moz-do-not-send="true"
href="mailto:dpal@redhat.com"
target="_blank">dpal@redhat.com</a>></span>
wrote:<br>
</div>
</div>
<blockquote class="gmail_quote"
style="margin:0 0 0
.8ex;border-left:1px #ccc
solid;padding-left:1ex">
<div>
<div>
<div bgcolor="#FFFFFF"
text="#000000">
<div>
<div>
<div>On 12/08/2014 02:10
PM, Matthew Herzog
wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">
<div>Here are some
errors I'm seeing
on the client.</div>
<div><br>
</div>
<div>tail -f
sssd_lnx.e-bozo.com.log<br>
</div>
<div>(Mon Dec 8
14:03:20 2014)
[sssd[be[<a
moz-do-not-send="true"
href="http://lnx.e-bozo.com" target="_blank">lnx.e-bozo.com</a>]]]
[sbus_dispatch]
(0x4000): dbus
conn: 0x1e72ad0</div>
<div>(Mon Dec 8
14:03:20 2014)
[sssd[be[<a
moz-do-not-send="true"
href="http://lnx.e-bozo.com" target="_blank">lnx.e-bozo.com</a>]]]
[sbus_dispatch]
(0x4000):
Dispatching.</div>
<div>(Mon Dec 8
14:03:20 2014)
[sssd[be[<a
moz-do-not-send="true"
href="http://lnx.e-bozo.com" target="_blank">lnx.e-bozo.com</a>]]]
[sbus_message_handler]
(0x4000): Received
SBUS method [ping]</div>
<div>(Mon Dec 8
14:03:20 2014)
[sssd[be[<a
moz-do-not-send="true"
href="http://lnx.e-bozo.com" target="_blank">lnx.e-bozo.com</a>]]]
[sbus_get_sender_id_send]
(0x2000): Not a
sysbus message,
quit</div>
<div>(Mon Dec 8
14:03:20 2014)
[sssd[be[<a
moz-do-not-send="true"
href="http://lnx.e-bozo.com" target="_blank">lnx.e-bozo.com</a>]]]
[sbus_handler_got_caller_id]
(0x4000): Received
SBUS method [ping]</div>
<div>(Mon Dec 8
14:03:30 2014)
[sssd[be[<a
moz-do-not-send="true"
href="http://lnx.e-bozo.com" target="_blank">lnx.e-bozo.com</a>]]]
[sbus_dispatch]
(0x4000): dbus
conn: 0x1e72ad0</div>
<div>(Mon Dec 8
14:03:30 2014)
[sssd[be[<a
moz-do-not-send="true"
href="http://lnx.e-bozo.com" target="_blank">lnx.e-bozo.com</a>]]]
[sbus_dispatch]
(0x4000):
Dispatching.</div>
<div>(Mon Dec 8
14:03:30 2014)
[sssd[be[<a
moz-do-not-send="true"
href="http://lnx.e-bozo.com" target="_blank">lnx.e-bozo.com</a>]]]
[sbus_message_handler]
(0x4000): Received
SBUS method [ping]</div>
<div>(Mon Dec 8
14:03:30 2014)
[sssd[be[<a
moz-do-not-send="true"
href="http://lnx.e-bozo.com" target="_blank">lnx.e-bozo.com</a>]]]
[sbus_get_sender_id_send]
(0x2000): Not a
sysbus message,
quit</div>
<div>(Mon Dec 8
14:03:30 2014)
[sssd[be[<a
moz-do-not-send="true"
href="http://lnx.e-bozo.com" target="_blank">lnx.e-bozo.com</a>]]]
[sbus_handler_got_caller_id]
(0x4000): Received
SBUS method [ping]</div>
<div>(Mon Dec 8
14:03:40 2014)
[sssd[be[<a
moz-do-not-send="true"
href="http://lnx.e-bozo.com" target="_blank">lnx.e-bozo.com</a>]]]
[sbus_dispatch]
(0x4000): dbus
conn: 0x1e72ad0</div>
<div>(Mon Dec 8
14:03:40 2014)
[sssd[be[<a
moz-do-not-send="true"
href="http://lnx.e-bozo.com" target="_blank">lnx.e-bozo.com</a>]]]
[sbus_dispatch]
(0x4000):
Dispatching.</div>
<div><br>
</div>
<div>[root@freeipa-poc-client02
sssd]# tail -f
sssd_ssh.log</div>
<div>(Sun Dec 7
19:32:09 2014)
[sssd[ssh]]
[ssh_process_init]
(0x0010):
sss_process_init()
failed</div>
<div>(Sun Dec 7
19:32:09 2014)
[sssd[ssh]]
[sss_dp_init]
(0x0010): Failed
to connect to
monitor services.</div>
<div>(Sun Dec 7
19:32:09 2014)
[sssd[ssh]]
[sss_process_init]
(0x0010): fatal
error setting up
backend connector</div>
<div>(Sun Dec 7
19:32:09 2014)
[sssd[ssh]]
[ssh_process_init]
(0x0010):
sss_process_init()
failed</div>
<div>(Sun Dec 7
19:32:16 2014)
[sssd[ssh]]
[sss_dp_init]
(0x0010): Failed
to connect to
monitor services.</div>
<div>(Sun Dec 7
19:32:16 2014)
[sssd[ssh]]
[sss_process_init]
(0x0010): fatal
error setting up
backend connector</div>
<div>(Sun Dec 7
19:32:16 2014)
[sssd[ssh]]
[ssh_process_init]
(0x0010):
sss_process_init()
failed</div>
<div>(Sun Dec 7
19:32:16 2014)
[sssd[ssh]]
[sss_dp_init]
(0x0010): Failed
to connect to
monitor services.</div>
<div>(Sun Dec 7
19:32:16 2014)
[sssd[ssh]]
[sss_process_init]
(0x0010): fatal
error setting up
backend connector</div>
<div>(Sun Dec 7
19:32:16 2014)
[sssd[ssh]]
[ssh_process_init]
(0x0010):
sss_process_init()
failed</div>
</div>
</blockquote>
<br>
</div>
</div>
What is the version of the
client?<br>
Please add debug_level=9 to
sssd.conf in different
sections to raise the
verbosity of the log and see
what is really going on
there.<br>
<a moz-do-not-send="true"
href="https://fedorahosted.org/sssd/wiki/FAQ#BasicsofTroubleshooting"
target="_blank">https://fedorahosted.org/sssd/wiki/FAQ#BasicsofTroubleshooting</a>
<div>
<div><br>
<br>
<br>
<blockquote type="cite">
<div dir="ltr">
<div><br>
</div>
</div>
<div
class="gmail_extra"><br>
<div
class="gmail_quote">On
Mon, Dec 8, 2014
at 11:48 AM,
Matthew Herzog <span
dir="ltr"><<a
moz-do-not-send="true" href="mailto:matthew.herzog@gmail.com"
target="_blank">matthew.herzog@gmail.com</a>></span>
wrote:<br>
<blockquote
class="gmail_quote"
style="margin:0
0 0
.8ex;border-left:1px
#ccc
solid;padding-left:1ex">
<div dir="ltr">I
have never
seen my IPA
servers
produce a zone
file nor has
the install
script ever
mentioned the
creation of
such. In fact,
I just ran
ipa-server-install
--uninstall
&& ipa-server-install
and there was
no mention of
a zone file.
<div><br>
</div>
<div>Where
should I look
in the file
system to be
sure? I see
nothing in
/var/named.
I'm using
3.3.3 IPA on
Oracle Linux
from Oracle's
yum repo. (Not
my choice.)
<div><br>
</div>
<div>dsee7 is
<i>not </i>running
Kerberos.
dsee7 is <i>not
</i>configured
with SRV
records. I
guess I'll
need to add
SRV records
for all my
Linux hosts.<br>
<div><br>
<div><br>
</div>
<div><br>
<div><br>
</div>
<div><br>
</div>
</div>
</div>
</div>
</div>
</div>
<div
class="gmail_extra">
<div>
<div><br>
<div
class="gmail_quote">On
Mon, Dec 8,
2014 at 10:41
AM, Petr
Spacek <span
dir="ltr"><<a
moz-do-not-send="true" href="mailto:pspacek@redhat.com" target="_blank">pspacek@redhat.com</a>></span>
wrote:<br>
<blockquote
class="gmail_quote"
style="margin:0
0 0
.8ex;border-left:1px
#ccc
solid;padding-left:1ex"><span>On
8.12.2014
14:44, Matthew
Herzog wrote:<br>
> Petr
said, "You can
run
ipa-server-install
*without*
--setup-dns
option and<br>
> at the
end of<br>
>
installation
it will
produce DNS
records which
you have to
manually add
to<br>
> your
existing DNS
database."<br>
><br>
> I can't
see how this
would be
useful or
which machines
I would need
to add<br>
> to our
DNS.<br>
><br>
> Perhaps I
should have
explained that
we are not
going to set
up a new DNS<br>
> domain
for the
ipa-managed
servers.<br>
</span>Good.<br>
<br>
Now you should
run
ipa-server-install
*without*
--setup-dns,
using<br>
<a
moz-do-not-send="true"
href="http://lnx.e-bozo.com" target="_blank">lnx.e-bozo.com</a> as your
IPA domain. It
will install a
full IPA
server and
spit out a<br>
DNS zone file.<br>
<br>
Then you *have
to* take this
zone file and
import it to
your existing
DNS<br>
infrastructure
- that will
give you a fully
functional IPA
domain <a
moz-do-not-send="true"
href="http://lnx.e-bozo.com" target="_blank">lnx.e-bozo.com</a>.<br>
<br>
Caveat:<br>
Preceding text
assumes that
'dsee7' is not
using either
Kerberos or
DNS SRV<br>
records for
LDAP service
in domain <a
moz-do-not-send="true" href="http://lnx.e-bozo.com" target="_blank">lnx.e-bozo.com</a>,
i.e. clients
connecting to<br>
DSEE7 should
be (most
likely)
statically
configured
with DSEE7
server name.<br>
<br>
Petr^2 Spacek<br>
<div>
<div><br>
> We have
an Oracle
dsee7 server
doing<br>
> LDAP for
our Linux
servers and
accounts. We
want to
migrate to IPA
so we<br>
> don't
have to
maintain a
Linux/LDAP
account for
every user who
needs access<br>
> to Linux
servers. All
of our users
start with an
account in AD
and since<br>
> none of
my
predecessors
knew about
Winbind, they
set up dsee7.<br>
><br>
> So I'm
thinking we'll
need to import
all our dsee7
accounts AND
make it<br>
> possible
for AD users
to access the
Linux systems
without
needing to
create<br>
> them in
IPA.<br>
><br>
> On Mon,
Dec 8, 2014 at
2:56 AM, Petr
Spacek <<a
moz-do-not-send="true" href="mailto:pspacek@redhat.com" target="_blank">pspacek@redhat.com</a>>
wrote:<br>
><br>
>> On
8.12.2014
05:02, Dmitri
Pal wrote:<br>
>>>
On 12/07/2014
10:10 PM,
Matthew Herzog
wrote:<br>
>>>>
So should the
FreeIPA server
be
authoritative
for the Kerb.
realm/DNS<br>
>>
domain<br>
>>>>
or can
it/should it
be a slave DNS
server
instead? Or
caching only?<br>
>>><br>
>>>
IPA DNS can't
be a slave so
you either
delegate a
whole zone to
it or<br>
>>
manage<br>
>>>
IPA DNS domain
via your own
DNS server.<br>
>><br>
>>
Generally,
"slave" is not
allowed to do
any changes so
it is useless
in<br>
>> your<br>
>>
scenario.<br>
>><br>
>> You
can run
ipa-server-install
*without*
--setup-dns
option and at
the end<br>
>> of<br>
>>
installation
it will
produce DNS
records which
you have to
manually add
to<br>
>> your
existing DNS
database.<br>
>><br>
>> Did
you try that?<br>
>><br>
>>
Petr^2 Spacek<br>
>><br>
>>>>
On Sun, Dec 7,
2014 at 9:57
PM, Dmitri Pal
<<a
moz-do-not-send="true"
href="mailto:dpal@redhat.com" target="_blank">dpal@redhat.com</a><br>
>>>>
&lt;mailto:<a
moz-do-not-send="true" href="mailto:dpal@redhat.com" target="_blank">dpal@redhat.com</a>>>
wrote:<br>
>>>><br>
>>>>
On
12/07/2014
09:51 PM,
Matthew Herzog
wrote:<br>
>>>>>
What must
be done in or
on the ipa
server with
regard to DNS,
if<br>
>>>>>
anything?<br>
>>>>><br>
>>>>>
Our DNS
works. It
works well. We
have four
Linux DNS
servers and<br>
>>>>>
two AD
domain
controllers
that also do
DNS.<br>
>>>>><br>
>>>>>
So if we
already have
DNS working
well in our
domain, why do
we<br>
>>>>>
want to
manage DNS in
IPA?<br>
>>>><br>
>>>>
Let us keep
the discussion
on the list.<br>
>>>>
IPA when
used with AD
trust presents
itself as a
separate
forest.<br>
>>>>
AD thinks
that it is
working with
another AD
forest.<br>
>>>>
For that to
work we need
to follow MSFT
rules about
relationship<br>
>>>>
between
Kerberos realm
and DNS
domain.<br>
>>>>
AD assumes
that for every
trusted forest
Kerberos realm
= DNS<br>
>>>>
domain. IPA
makes it easy
to do because
it has
integrated
tools to<br>
>>>>
manage IPA
DNS domain.<br>
>>>>
If you want
to manage it
yourself
through your
DNS you can do
it,<br>
>>>>
just more
manual
operations for
you.<br>
>>>><br>
>>>>
HTH<br>
>>>><br>
>>>>
Thanks<br>
>>>>
Dmitri<br>
>>>><br>
>>>><br>
>>>>><br>
>>>>>
On Sun, Dec
7, 2014 at
9:44 PM,
Dmitri Pal
<<a
moz-do-not-send="true"
href="mailto:dpal@redhat.com" target="_blank">dpal@redhat.com</a><br>
>>>>>
&lt;mailto:<a
moz-do-not-send="true" href="mailto:dpal@redhat.com" target="_blank">dpal@redhat.com</a>>>
wrote:<br>
>>>>><br>
>>>>>
On
12/07/2014
06:44 PM,
Matthew Herzog
wrote:<br>
>>>>>>
Thanks
guys. I'm
sorry for my
delay in
responding.<br>
>>>>>><br>
>>>>>>
Firstly, I
was under the
impression
(from reading
the docs)<br>
>>>>>>
that
having named
running on IPA
server was
critical.<br>
>>>>><br>
>>>>>
Properly
configured DNS
is critical.<br>
>>>>>
How you
accomplish it
is up to you.<br>
>>>>>
IPA
allows you to
have a DNS
server that
would simplify
DNS<br>
>>>>>
management
but it can be
done manually
too. This is
why DNS<br>
>>>>>
is
optional.<br>
>>>>><br>
>>>>><br>
>>>>>>
Also,
the first
question the
ipa-server-install
script asks<br>
>>>>>>
is, "Do
you want to
configure
integrated DNS
(BIND)? ."<br>
>>>>>>
While
it's true the
default answer
is no, it
leads one to<br>
>>>>>>
believe
that DNS is
central to
IPA. Also the<br>
>>>>>>
ipa-client-install
script says,<br>
>>>>>><br>
>>>>>>
[root@freeipa-poc-client02
~]#
ipa-client-install<br>
>>>>>>
DNS
discovery
failed to
determine your
DNS domain<br>
>>>>>>
Provide
the domain
name of your
IPA server
(ex: <a
moz-do-not-send="true"
href="http://example.com" target="_blank">example.com</a><br>
>>>>>>
<<a
moz-do-not-send="true" href="http://example.com" target="_blank">http://example.com</a>>):<br>
>>>>>><br>
>>>>>>
I can
resolve
-anything-
from the
machine using
dig or<br>
>>
whatever.<br>
>>>>>><br>
>>>>>>
Ultimately,
the reason I
started to be
concerned
about my<br>
>>>>>>
IPA
server's DNS
config was
because I was
not able to<br>
>>>>>>
authenticate
AD accounts to
a client
machine. I saw
a bunch<br>
>>>>>>
of
errors in the
client's sssd
logs which of
course I can't<br>
>>>>>>
find
now.<br>
>>>>>><br>
>>>>>>
Perhaps
it was these .
. .<br>
>>>>>><br>
>>>>>>
(Thu
Dec 4
13:45:23 2014)
[sssd]
[ping_check]
(0x0100):<br>
>>>>>>
Service
nss replied to
ping<br>
>>>>>>
(Thu
Dec 4
13:45:23 2014)
[sssd]
[ping_check]
(0x0100):<br>
>>>>>>
Service
sudo replied
to ping<br>
>>>>>>
(Thu
Dec 4
13:45:23 2014)
[sssd]
[ping_check]
(0x0100):<br>
>>>>>>
Service
pam replied to
ping<br>
>>>>>>
(Thu
Dec 4
13:45:23 2014)
[sssd]
[ping_check]
(0x0100):<br>
>>>>>>
Service
ssh replied to
ping<br>
>>>>>>
(Thu
Dec 4
13:45:23 2014)
[sssd]
[ping_check]
(0x0100):<br>
>>>>>>
Service
pac replied to
ping<br>
>>>>>>
(Thu
Dec 4
13:45:23 2014)
[sssd]
[ping_check]
(0x0100):<br>
>>>>>>
Service
<a
moz-do-not-send="true"
href="http://bo3.e-bozo.com" target="_blank">bo3.e-bozo.com</a> <<a
moz-do-not-send="true"
href="http://bo3.e-bozo.com" target="_blank">http://bo3.e-bozo.com</a>>
replied to<br>
>> ping<br>
>>>>>><br>
>>>>>>
I'm not
allowed onto
the AD domain
controllers to
examine<br>
>>>>>>
log
files or I'd
be checking
those first.<br>
>>>>>><br>
>>>>>>
So
ultimately the
goal is to
authenticate
AD users and
users<br>
>>>>>>
that
exist in our
ldap schema.
We need to set
up groups of<br>
>>>>>>
users
that can run
sudo commands
on specific
groups of
hosts.<br>
>>>>><br>
>>>>>
Did you
set up trusts
as explained
on the
following
page?<br>
>>>>>
<a
moz-do-not-send="true"
href="http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup"
target="_blank">http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup</a><br>
>>>>><br>
>>>>><br>
>>>>>><br>
>>>>>><br>
>>>>>><br>
>>>>>>
On Wed,
Dec 3, 2014 at
3:46 AM, Petr
Spacek<br>
>>>>>>
<<a
moz-do-not-send="true" href="mailto:pspacek@redhat.com" target="_blank">pspacek@redhat.com</a>
&lt;mailto:<a
moz-do-not-send="true" href="mailto:pspacek@redhat.com" target="_blank">pspacek@redhat.com</a>>>
wrote:<br>
>>>>>><br>
>>>>>>
On
3.12.2014
04:35, Dmitri
Pal wrote:<br>
>>>>>>
> On
12/02/2014
08:54 PM,
Matthew Herzog
wrote:<br>
>>>>>>
>> Any
other ideas? I
just spun up a
new VM and
took the<br>
>>>>>>
defaults on
everything<br>
>>>>>>
>>
while running
ipa-server-install
(the defaults
did<br>
>>>>>>
make sense)
and my new VM<br>
>>>>>>
>>
can't resolve
-anything- in
the domain in
which it<br>
>>>>>>
lives. The
"old" VM<br>
>>>>>>
>>
(running the
same versions
of everything
on the same<br>
>>>>>>
OS)
can't even
resolve<br>
>>>>>>
>> the
clients I have
registered
with it!<br>
>>>>>>
>><br>
>>>>>>
>> So
I'm pretty
frustrated and
am wondering,
what<br>
>>>>>>
_exactly_ is
the role of<br>
>>>>>>
>> bind
in the IPA
server and how
is it expected
to know<br>
>>>>>>
anything
about the<br>
>>>>>>
>>
local DNS
domain without
becoming a
bind slave
server?<br>
>>>>>>
><br>
>>>>>>
> I am not
sure I am 100%
with you
but...<br>
>>>>>>
> If you
use the
defaults and
nothing else
you get to<br>
>>>>>>
the
scenario when
IPA has<br>
>>>>>>
> its DNS
but it is a
self contained
environment.
It<br>
>>>>>>
seems that
this is what
you<br>
>>>>>>
> observe.<br>
>>>>>>
> It is
expected that
you decide in
advance what
you<br>
>>>>>>
want to do
with DNS.
There<br>
>>>>>>
> are
several
options:<br>
>>>>>>
> 1) You
can delegate a
zone to IPA to
manage, then
you<br>
>>>>>>
need to
connect your
IPA<br>
>>>>>>
> DNS to
your existing
DNS during
install or
after.<br>
>>>>>>
> In this
case the
systems joined
to IPA will be
a part<br>
>>>>>>
of
IPA
domain/zone
and<br>
>>>>>>
> would
also be able
to resolve
other systems
around<br>
>>>>>>
> 2) Not
use IPA DNS if
you do not
want to take<br>
>>>>>>
advantage of
it<br>
>>>>>>
> 3) Have
a self
contained
demo/lab
environment
that you<br>
>>>>>>
currently
observe.<br>
>>>>>>
><br>
>>>>>>
> What is
the intent?<br>
>>>>>><br>
>>>>>>
I
agree with
Dmitri, we
need more
information
from you:<br>
>>>>>>
-
You said "my
new VM can't
resolve
-anything- in
the<br>
>>>>>>
domain in
which it<br>
>>>>>>
lives." -
Which domain
do you mean?<br>
>>>>>><br>
>>>>>>
-
Apparently you
have
configured
FreeIPA to
serve zone<br>
>>>>>>
<a
moz-do-not-send="true" href="http://e-bozo.com" target="_blank">e-bozo.com</a>
<<a
moz-do-not-send="true"
href="http://e-bozo.com" target="_blank">http://e-bozo.com</a>>. Do
you have<br>
>>>>>>
this zone
configured on
some other DNS
server at the<br>
>>>>>>
same time?<br>
>>>>>><br>
>>>>>>
Please keep
in mind that
authoritative
servers should<br>
>>>>>>
share the
database. You<br>
>>>>>>
will get
naming
collisions if
<a
moz-do-not-send="true"
href="http://e-bozo.com" target="_blank">e-bozo.com</a><br>
>>>>>>
<<a
moz-do-not-send="true"
href="http://e-bozo.com" target="_blank">http://e-bozo.com</a>> is
served by
FreeIPA DNS
servers and<br>
>>>>>>
some other
servers at the
same time.
Maybe that is
the<br>
>>>>>>
problem you
see right now.<br>
>>>>>><br>
>>>>>>
As
Dmitri said,
the
architecturally
correct
solution is<br>
>>>>>>
to
decide if you
want<br>
>>>>>>
to
use FreeIPA
DNS or not.
You have
option to
either<br>
>>>>>>
remove
non-FreeIPA
DNS<br>
>>>>>>
servers and
import data to
FreeIPA or to
add<br>
>>>>>>
FreeIPA-specific
DNS records to<br>
>>>>>>
existing DNS
servers and do
not configure
FreeIPA to act<br>
>>>>>>
as
DNS server.<br>
>>>>>><br>
>>>>>>
Petr^2 Spacek<br>
>>>>>><br>
>>>>>>
>>
Thanks.<br>
>>>>>>
>><br>
>>>>>>
>> On
Tue, Dec 2,
2014 at 11:58
AM, Petr
Spacek<br>
>>>>>>
<<a
moz-do-not-send="true"
href="mailto:pspacek@redhat.com" target="_blank">pspacek@redhat.com</a>
&lt;mailto:<a
moz-do-not-send="true" href="mailto:pspacek@redhat.com" target="_blank">pspacek@redhat.com</a>><br>
>>>>>>
>>
&lt;mailto:<a
moz-do-not-send="true" href="mailto:pspacek@redhat.com" target="_blank">pspacek@redhat.com</a><br>
>>>>>>
&lt;mailto:<a
moz-do-not-send="true" href="mailto:pspacek@redhat.com" target="_blank">pspacek@redhat.com</a>>>>
wrote:<br>
>>>>>>
>><br>
>>>>>>
>>
On 2.12.2014
17:36, Martin
Basti wrote:<br>
>>>>>>
>>
> On
02/12/14
17:28, Matthew
Herzog wrote:<br>
>>>>>>
>>
>> I
just realized
that my IPA
servers cannot<br>
>>>>>>
resolve ANY
servers<br>
>>>>>>
>>
in my domain.<br>
>>>>>>
>>
>> What
do I need to
do to fix
this? Below is
my<br>
>>>>>>
named.conf.<br>
>>>>>>
>>
>><br>
>>>>>>
>>
>><br>
>>>>>>
>>
>>
options {<br>
>>>>>>
>>
>> //
turns on IPv6
for port 53,
IPv4 is on by<br>
>>>>>>
default for<br>
>>>>>>
>>
all ifaces<br>
>>>>>>
>>
>>
listen-on-v6
{any;};<br>
>>>>>>
>>
>><br>
>>>>>>
>>
>> //
Put files that
named is
allowed to
write<br>
>>>>>>
in
the<br>
>>>>>>
>>
data/
directory:<br>
>>>>>>
>>
>>
directory
"/var/named";
// the default<br>
>>>>>>
>>
>>
dump-file
"data/cache_dump.db";<br>
>>>>>>
>>
>>
statistics-file
"data/named_stats.txt";<br>
>>>>>>
>>
>>
memstatistics-file
"data/named_mem_stats.txt";<br>
>>>>>>
>>
>><br>
>>>>>>
>>
>>
forward first;<br>
>>>>>>
>>
>>
forwarders {<br>
>>>>>>
>>
>>
10.100.8.41;<br>
>>>>>>
>>
>>
10.100.8.40;<br>
>>>>>>
>>
>>
10.100.4.13;<br>
>>>>>>
>>
>>
10.100.4.14;<br>
>>>>>>
>>
>>
10.100.4.19;<br>
>>>>>>
>>
>>
10.100.4.44;<br>
>>>>>>
>>
>> };<br>
>>>>>>
>>
>><br>
>>>>>>
>>
>> //
Any host is
permitted to
issue
recursive<br>
>>>>>>
queries<br>
>>>>>>
>>
>>
allow-recursion
{ any; };<br>
>>>>>>
>>
>><br>
>>>>>>
>>
>>
tkey-gssapi-keytab
"/etc/named.keytab";<br>
>>>>>>
>>
>>
pid-file
"/run/named/named.pid";<br>
>>>>>>
>>
>> };<br>
>>>>>>
>>
>><br>
>>>>>>
>>
>> /*
If you want to
enable
debugging, eg.
using<br>
>>>>>>
the
'rndc trace'<br>
>>>>>>
>>
command,<br>
>>>>>>
>>
>> *
By default,
SELinux policy
does not allow<br>
>>>>>>
named to
modify<br>
>>>>>>
>>
the
/var/named<br>
>>>>>>
>>
>>
directory,<br>
>>>>>>
>>
>> *
so put the
default debug
log file in
data/ :<br>
>>>>>>
>>
>> */<br>
>>>>>>
>>
>>
logging {<br>
>>>>>>
>>
>>
channel
default_debug
{<br>
>>>>>>
>>
>>
file
"data/named.run";<br>
>>>>>>
>>
>>
severity
dynamic;<br>
>>>>>>
>>
>>
print-time
yes;<br>
>>>>>>
>>
>> };<br>
>>>>>>
>>
>> };<br>
>>>>>>
>>
>> };<br>
>>>>>>
>>
>><br>
>>>>>>
>>
>> zone
"." IN {<br>
>>>>>>
>>
>>
type hint;<br>
>>>>>>
>>
>>
file "<a
moz-do-not-send="true"
href="http://named.ca" target="_blank">named.ca</a> <<a
moz-do-not-send="true"
href="http://named.ca" target="_blank">http://named.ca</a>><br>
>>>>>>
<<a
moz-do-not-send="true"
href="http://named.ca" target="_blank">http://named.ca</a>> <<a
moz-do-not-send="true"
href="http://named.ca" target="_blank">http://named.ca</a>>";<br>
>>>>>>
>>
>> };<br>
>>>>>>
>>
>><br>
>>>>>>
>>
>>
include
"/etc/named.rfc1912.zones";<br>
>>>>>>
>>
>><br>
>>>>>>
>>
>>
dynamic-db
"ipa" {<br>
>>>>>>
>>
>>
library
"ldap.so";<br>
>>>>>>
>>
>> arg
"uri<br>
>>>>>>
>>
ldapi://%2fvar%2frun%2fslapd-BO3-E-BOZO-COM.socket";<br>
>>>>>>
>>
>> arg
"base cn=dns,
dc=bo3,dc=e-bozo,dc=com";<br>
>>>>>>
>>
>> arg
"fake_mname <a
moz-do-not-send="true" href="http://freeipa-poc01.bo3.e-bozo.com"
target="_blank">freeipa-poc01.bo3.e-bozo.com</a><br>
>>>>>>
<<a
moz-do-not-send="true"
href="http://freeipa-poc01.bo3.e-bozo.com" target="_blank">http://freeipa-poc01.bo3.e-bozo.com</a>><br>
>>>>>>
>>
<<a
moz-do-not-send="true"
href="http://freeipa-poc01.bo3.e-bozo.com" target="_blank">http://freeipa-poc01.bo3.e-bozo.com</a>><br>
>>>>>>
>>
>> <<a
moz-do-not-send="true" href="http://freeipa-poc01.bo3.e-bozo.com"
target="_blank">http://freeipa-poc01.bo3.e-bozo.com</a>>.";<br>
>>>>>>
>>
>> arg
"auth_method
sasl";<br>
>>>>>>
>>
>> arg
"sasl_mech
GSSAPI";<br>
>>>>>>
>>
>> arg
"sasl_user<br>
>>>>>>
DNS/<a
moz-do-not-send="true"
href="http://freeipa-poc01.bo3.e-bozo.com" target="_blank">freeipa-poc01.bo3.e-bozo.com</a><br>
>>>>>>
<<a
moz-do-not-send="true"
href="http://freeipa-poc01.bo3.e-bozo.com" target="_blank">http://freeipa-poc01.bo3.e-bozo.com</a>><br>
>>>>>>
>>
<<a
moz-do-not-send="true"
href="http://freeipa-poc01.bo3.e-bozo.com" target="_blank">http://freeipa-poc01.bo3.e-bozo.com</a>><br>
>>>>>>
>>
>> <<a
moz-do-not-send="true" href="http://freeipa-poc01.bo3.e-bozo.com"
target="_blank">http://freeipa-poc01.bo3.e-bozo.com</a>>";<br>
>>>>>>
>>
>> arg
"serial_autoincrement
yes";<br>
>>>>>>
>>
>> };<br>
>>>>>>
>>
>><br>
>>>>>>
>>
>><br>
>>>>>>
>>
>><br>
>>>>>>
>>
>><br>
>>>>>>
>>
> Hello,<br>
>>>>>>
>>
><br>
>>>>>>
>>
> which
version ipa do
you use? which
platform?<br>
>>>>>>
Which version<br>
>>>>>>
>>
bind-dyndb-ldap?<br>
>>>>>>
>>
><br>
>>>>>>
>>
> Can you
run these
commands, and
check if there<br>
>>>>>>
any
errors?<br>
>>>>>>
>>
> ipactl
status<br>
>>>>>>
>>
>
systemctl
status named
(respectively<br>
>>>>>>
journalctl -u
named)<br>
>>>>>>
>><br>
>>>>>>
>>
We also may
want to see
information
listed on page<br>
>>>>>>
>><br>
>>>>>><br>
>> <a
moz-do-not-send="true"
href="https://fedorahosted.org/bind-dyndb-ldap/wiki/BugReporting"
target="_blank">https://fedorahosted.org/bind-dyndb-ldap/wiki/BugReporting</a><br>
<br>
--<br>
</div>
</div>
Petr^2 Spacek<br>
</blockquote>
</div>
<br>
<br
clear="all">
<div><br>
</div>
</div>
</div>
<span>-- <br>
<div>
<div dir="ltr">If
life gives you
melons, you
may be
dyslexic. </div>
</div>
</span></div>
</blockquote>
</div>
<br>
<br clear="all">
<div><br>
</div>
</div>
<br>
<br>
</blockquote>
<br>
<br>
</div>
</div>
<span>
<pre cols="72">--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.</pre>
</span></div>
<br>
</div>
</div>
<span>--<br>
Manage your subscription for the
Freeipa-users mailing list:<br>
<a moz-do-not-send="true"
href="https://www.redhat.com/mailman/listinfo/freeipa-users"
target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a><br>
Go To <a moz-do-not-send="true"
href="http://freeipa.org"
target="_blank">http://freeipa.org</a>
for more info on the project<br>
</span></blockquote>
</div>
<br>
<br clear="all">
</div>
</blockquote>
</div>
<br>
<br clear="all">
</div>
</div>
</div>
</blockquote>
</div>
<br>
<br clear="all">
</div>
</div>
</div>
</blockquote>
</div>
<br>
<br clear="all">
</div>
<br>
<br>
</blockquote>
<br>
<br>
<pre class="moz-signature" cols="72">--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.</pre>
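<br>
<div>Dmitri's advice earlier in the thread (add debug_level=9 to sssd.conf and read the log) only pays off if the log is read by level, since at that setting tracing lines vastly outnumber failures. The following is an added example, not code from the thread or from the SSSD project: it parses the log format shown in the thread, flags the failure-level lines, and shows how many lines a given numeric debug_level would even emit. The level-bit table is the one documented in sssd.conf(5); the sample input is copied from Matthew's sssd_ssh.log and sssd_bo3.e-bozo.com.log excerpts above.</div>

```python
"""Triage SSSD log lines by debug-level bit (added example, not from the thread)."""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Debug-level bits in ascending order, as listed in sssd.conf(5). A numeric
# debug_level=N enables the first N+1 bits, so debug_level=9 enables all of
# them (0x77F0); the default of 0 emits only the 0x0010 fatal-failure lines.
LEVEL_BITS = [
    (0x0010, "fatal failure"),
    (0x0020, "critical failure"),
    (0x0040, "serious failure"),
    (0x0080, "minor failure"),
    (0x0100, "configuration setting"),
    (0x0200, "function data"),
    (0x0400, "trace: operation function"),
    (0x1000, "trace: internal control"),
    (0x2000, "trace: function-internal variables"),
    (0x4000, "trace: extremely low-level"),
]
FAILURE_MASK = 0x00F0  # the four failure bits; everything above is tracing

LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\)\s+"                 # (Mon Dec 8 14:46:54 2014)
    r"\[sssd(?:\[(?P<svc>.+?)\])?\]\s+"      # [sssd], [sssd[ssh]], [sssd[be[dom]]]
    r"\[(?P<func>\w+)\]\s+"                  # [sysdb_search_groups]
    r"\((?P<level>0x[0-9A-Fa-f]+)\):\s*"     # (0x2000):
    r"(?P<msg>.*)$"
)


@dataclass
class LogEntry:
    timestamp: str
    service: str      # "monitor" when the line carries a bare [sssd]
    function: str
    level: int
    message: str

    @property
    def is_failure(self) -> bool:
        return bool(self.level & FAILURE_MASK)

    @property
    def level_name(self) -> str:
        return dict(LEVEL_BITS).get(self.level, "unknown 0x%04x" % self.level)


def mask_for_debug_level(n: int) -> int:
    """Bit mask that a numeric debug_level=n in sssd.conf turns on."""
    return sum(bit for bit, _ in LEVEL_BITS[: n + 1])


def parse_line(line: str) -> Optional[LogEntry]:
    """Return a LogEntry for one sssd log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return LogEntry(m["ts"], m["svc"] or "monitor", m["func"],
                    int(m["level"], 16), m["msg"])


def triage(lines: Iterable[str], debug_level: int = 9) -> Dict[str, object]:
    """Parse lines, keep the failures, and count what debug_level would emit."""
    entries: List[LogEntry] = [e for e in (parse_line(l) for l in lines) if e]
    visible = mask_for_debug_level(debug_level)
    return {
        "parsed": len(entries),
        "failures": [e for e in entries if e.is_failure],
        "emitted_at_level": sum(1 for e in entries if e.level & visible),
    }


# Lines copied from the sssd_ssh.log and sssd_bo3.e-bozo.com.log excerpts in the thread.
SAMPLE_LINES = [
    "(Sun Dec 7 19:32:09 2014) [sssd[ssh]] [ssh_process_init] (0x0010): sss_process_init() failed",
    "(Sun Dec 7 19:32:09 2014) [sssd[ssh]] [sss_dp_init] (0x0010): Failed to connect to monitor services.",
    "(Sun Dec 7 19:32:09 2014) [sssd[ssh]] [sss_process_init] (0x0010): fatal error setting up backend connector",
    "(Mon Dec 8 14:46:54 2014) [sssd[be[bo3.e-bozo.com]]] [sysdb_search_groups] (0x2000): No such entry",
    "(Mon Dec 8 14:46:54 2014) [sssd[be[bo3.e-bozo.com]]] [sysdb_delete_user] (0x0400): Error: 2 (No such file or directory)",
    "(Mon Dec 8 14:46:57 2014) [sssd[be[bo3.e-bozo.com]]] [sbus_dispatch] (0x4000): dbus conn: 0x178eb70",
    "(Thu Dec 4 13:45:23 2014) [sssd] [ping_check] (0x0100): Service nss replied to ping",
]

if __name__ == "__main__":
    report = triage(SAMPLE_LINES)
    for e in report["failures"]:
        print("%s %s/%s [%s]: %s" % (e.timestamp, e.service, e.function, e.level_name, e.message))
    print("%d of %d lines would be emitted at debug_level=9" % (report["emitted_at_level"], report["parsed"]))
```

<div>Note that the "Error: 2 (No such file or directory)" line from sysdb_delete_user is tagged 0x0400, a trace level, so the triage correctly does not count it as a failure; only the three sssd_ssh lines at 0x0010 are.</div>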
</body>
</html>