When I say it won't resolve, I am getting NXDOMAIN as the result of the query like this:

[root@ipa3 /]# nslookup ipa1 ipa3
Server:         ipa3
Address:        xxx.xxx.xxx.xxx#53

** server can't find ipa1: NXDOMAIN

Running journalctl -u named-pkcs11 shows a ton of lines like the following:

May 21 12:22:25 ipa3.chem.byu.edu named-pkcs11[19021]: network unreachable resolving 'udmserve.net/A/IN': 2600:9000:5306:3100::1#53

There are also some error messages that appear in the log, but only sporadically (this was the largest contiguous block of them):

May 21 12:58:58 ipa3.chem.byu.edu named-pkcs11[19021]: ldap_sync_search_entry failed: not found
May 21 12:58:58 ipa3.chem.byu.edu named-pkcs11[19021]: bug in ldap_entry_reconstruct(): protocol violation: attempt to reconstruct non-existing entry
May 21 12:58:58 ipa3.chem.byu.edu named-pkcs11[19021]: ldap_sync_search_entry failed: not found
May 21 12:58:58 ipa3.chem.byu.edu named-pkcs11[19021]: bug in ldap_entry_reconstruct(): protocol violation: attempt to reconstruct non-existing entry
May 21 12:58:58 ipa3.chem.byu.edu named-pkcs11[19021]: ldap_sync_search_entry failed: not found
May 21 12:58:58 ipa3.chem.byu.edu named-pkcs11[19021]: syncrepl_update failed for resource record DN 'idnsName=250,idnsname=105.168.192.in-addr.arpa.,cn=dns,dc=chem,dc=byu,dc=edu'
May 21 12:58:58 ipa3.chem.byu.edu named-pkcs11[19021]: ldap_sync_search_entry failed: not found
May 21 12:58:58 ipa3.chem.byu.edu named-pkcs11[19021]: bug in ldap_entry_reconstruct(): protocol violation: attempt to reconstruct non-existing entry
May 21 12:58:58 ipa3.chem.byu.edu named-pkcs11[19021]: ldap_sync_search_entry failed: not found
May 21 12:58:58 ipa3.chem.byu.edu named-pkcs11[19021]: syncrepl_update failed for resource record DN 'idnsName=136,idnsname=105.168.192.in-addr.arpa.,cn=dns,dc=chem,dc=byu,dc=edu'
May 21 12:58:58 ipa3.chem.byu.edu named-pkcs11[19021]: ldap_sync_search_entry failed: not found

The messages log has a number of messages like this one:

May 19 03:11:53 ipa3 ns-slapd: [19/May/2019:03:11:53.896464579 -0600] - ERR - NSMMReplicationPlugin - acquire_replica - agmt="cn=caToipa1.chem.byu.edu" (ipa1:389): Unable to acquire replica: permission denied. The bind dn "" does not have permission to supply replication updates to the replica. Will retry later.
May 19 03:13:10 ipa3 ns-slapd: [19/May/2019:03:13:10.967375303 -0600] - ERR - NSMMReplicationPlugin - acquire_replica - agmt="cn=ipa3.chem.byu.edu-to-ipa2.chem.byu.edu" (ipa2:389): Unable to acquire replica: permission denied. The bind dn "" does not have permission to supply replication updates to the replica. Will retry later.

On Tue, May 21, 2019 at 1:26 PM Rob Crittenden <[email protected]> wrote:
> Kristian Petersen via FreeIPA-users wrote:
> > Hey all,
> >
> > I am using IPA for my DNS and have 3 total servers in the group. 2 of
> > them are responding to queries just fine, but the 3rd (which is bare
> > metal, not a VM like the others) is not resolving the queries issued to
> > it. Running ipactl status returns all services running:
> >
> > [root@ipa3 /]# ipactl status
> > Directory Service: RUNNING
> > krb5kdc Service: RUNNING
> > kadmin Service: RUNNING
> > *named Service: RUNNING*
> > httpd Service: RUNNING
> > ipa-custodia Service: RUNNING
> > ntpd Service: RUNNING
> > pki-tomcatd Service: RUNNING
> > ipa-otpd Service: RUNNING
> > ipa-dnskeysyncd Service: RUNNING
> > ipa: INFO: The ipactl command was successful
> >
> > We tried restarting the services but didn't change anything. Next we
> > tried to do a forced sync of the server with one of its working replicas:
> >
> > ipa-replica-manage force-sync --from ipa1.example.com
> >
> > We also tried re-initializing the non-working replica:
> >
> > ipa-replica-manage re-initialize --from ipa1.example.com
> >
> > However, it still won't resolve any queries directed to it. Any ideas
> > of what to try next?
>
> Can you clarify what doesn't resolve means?
>
> Is dig timing out, returning the wrong data, etc? Is that on the same
> host or another host? What do the bind logs show? journalctl?
>
> rob
>

--
Kristian Petersen
System Administrator
BYU Dept. of Chemistry and Biochemistry
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
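The three message families quoted in the thread (named-pkcs11 failing to apply LDAP DNS records, the ldap_entry_reconstruct() protocol-violation lines, and ns-slapd replication agreements that cannot acquire the replica with an empty bind DN) can be triaged mechanically before anyone starts re-initializing replicas. The script below is an added example, not code from the thread or from FreeIPA; it runs over constructed journal lines modelled on the ones posted (hostnames and DNs replaced with example.test values) and reports which zones have records that failed to sync and which agreements are binding anonymously. The hints it prints are the script's own heuristics, not FreeIPA diagnostics.

```python
"""Triage named-pkcs11 / ns-slapd log lines from an IPA DNS replica that answers NXDOMAIN.

Added example for the thread above; not FreeIPA code. The sample lines below are
constructed (modelled on the posted ones, with hostnames/DNs swapped for example.test).
"""
import re
from collections import Counter

# Constructed sample input: a mix of the three message families seen in the thread.
SAMPLE_JOURNAL = """\
May 21 12:22:25 ipa3.example.test named-pkcs11[19021]: network unreachable resolving 'udmserve.net/A/IN': 2600:9000:5306:3100::1#53
May 21 12:58:58 ipa3.example.test named-pkcs11[19021]: ldap_sync_search_entry failed: not found
May 21 12:58:58 ipa3.example.test named-pkcs11[19021]: bug in ldap_entry_reconstruct(): protocol violation: attempt to reconstruct non-existing entry
May 21 12:58:58 ipa3.example.test named-pkcs11[19021]: syncrepl_update failed for resource record DN 'idnsName=250,idnsname=105.168.192.in-addr.arpa.,cn=dns,dc=example,dc=test'
May 21 12:58:58 ipa3.example.test named-pkcs11[19021]: ldap_sync_search_entry failed: not found
May 21 12:58:58 ipa3.example.test named-pkcs11[19021]: syncrepl_update failed for resource record DN 'idnsName=136,idnsname=105.168.192.in-addr.arpa.,cn=dns,dc=example,dc=test'
May 19 03:11:53 ipa3 ns-slapd: [19/May/2019:03:11:53.896464579 -0600] - ERR - NSMMReplicationPlugin - acquire_replica - agmt="cn=caToipa1.example.test" (ipa1:389): Unable to acquire replica: permission denied. The bind dn "" does not have permission to supply replication updates to the replica. Will retry later.
May 19 03:13:10 ipa3 ns-slapd: [19/May/2019:03:13:10.967375303 -0600] - ERR - NSMMReplicationPlugin - acquire_replica - agmt="cn=ipa3.example.test-to-ipa2.example.test" (ipa2:389): Unable to acquire replica: permission denied. The bind dn "" does not have permission to supply replication updates to the replica. Will retry later.
"""

SYNCREPL_RE = re.compile(r"syncrepl_update failed for resource record DN '([^']+)'")
UNREACHABLE_RE = re.compile(r"network unreachable resolving '([^']+)': (\S+)")
ACQUIRE_RE = re.compile(
    r'agmt="([^"]+)" \(([^)]+)\): Unable to acquire replica: ([^.]+)\.'
    r' The bind dn "([^"]*)"'
)
RECONSTRUCT_MSG = "attempt to reconstruct non-existing entry"


def triage(journal_text):
    """Return a summary dict of the failure families found in the journal text."""
    summary = {
        "failed_record_dns": [],             # DNs named could not apply from LDAP
        "zones_affected": Counter(),         # zone name (2nd RDN of each failed DN)
        "unreachable_upstreams": Counter(),  # upstream addr#port bind could not reach
        "reconstruct_bugs": 0,
        "replication_denied": [],            # (agreement cn, peer host:port, bind dn)
    }
    for line in journal_text.splitlines():
        m = SYNCREPL_RE.search(line)
        if m:
            dn = m.group(1)
            summary["failed_record_dns"].append(dn)
            # DN shape: idnsName=<record>,idnsname=<zone>,cn=dns,... (no escaped commas assumed)
            zone = dn.split(",")[1].split("=", 1)[1]
            summary["zones_affected"][zone] += 1
            continue
        m = UNREACHABLE_RE.search(line)
        if m:
            summary["unreachable_upstreams"][m.group(2)] += 1
            continue
        if RECONSTRUCT_MSG in line:
            summary["reconstruct_bugs"] += 1
            continue
        m = ACQUIRE_RE.search(line)
        if m:
            summary["replication_denied"].append((m.group(1), m.group(2), m.group(4)))
    return summary


def findings(summary):
    """Turn the summary into plain-language hints (heuristics of this example only)."""
    out = []
    if summary["failed_record_dns"]:
        zones = ", ".join(sorted(summary["zones_affected"]))
        out.append(
            f"{len(summary['failed_record_dns'])} record(s) failed to sync from LDAP into "
            f"named for zone(s) {zones}; names in those zones can answer NXDOMAIN even "
            "though ipactl reports named as RUNNING"
        )
    for cn, peer, bind_dn in summary["replication_denied"]:
        if bind_dn == "":
            out.append(
                f"agreement {cn} to {peer} binds with an empty (anonymous) bind DN, so its "
                "credentials are not being accepted; replication on that agreement is stalled"
            )
    for upstream, n in summary["unreachable_upstreams"].items():
        # More than one ':' in the address means an IPv6 upstream; no route usually
        # means the host has no IPv6 connectivity, which is noise rather than the fault.
        if upstream.count(":") > 1:
            out.append(f"{n} recursion attempt(s) to IPv6 upstream {upstream} had no route")
    return out


if __name__ == "__main__":
    for hint in findings(triage(SAMPLE_JOURNAL)):
        print("-", hint)
```

On a live replica the same functions can be fed the output of `journalctl -u named-pkcs11 --no-pager` and the contents of /var/log/messages; the value of the summary is that it separates the IPv6 "network unreachable" noise from the two findings that actually explain NXDOMAIN on a server whose services all show RUNNING.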
