On 5/22/19 3:55 PM, Kristian Petersen via FreeIPA-users wrote:
When I say it won't resolve, I am getting NXDOMAIN as the result of the query like this:

[root@ipa3 /]# nslookup ipa1 ipa3
Server:         ipa3
Address:        xxx.xxx.xxx.xxx#53

** server can't find ipa1: NXDOMAIN

Running journalctl -u named-pkcs11 shows a ton of lines like the following:
May 21 12:22:25 ipa3.chem.byu.edu named-pkcs11[19021]: network unreachable resolving 'udmserve.net/A/IN': 2600:9000:5306:3100::1#53

There are also some error messages that appear in the log, but only sporadically (this was the largest contiguous block of them):

May 21 12:58:58 ipa3.chem.byu.edu named-pkcs11[19021]: ldap_sync_search_entry failed: not found
May 21 12:58:58 ipa3.chem.byu.edu named-pkcs11[19021]: bug in ldap_entry_reconstruct(): protocol violation: attempt to reconstruct non-existing entry
May 21 12:58:58 ipa3.chem.byu.edu named-pkcs11[19021]: ldap_sync_search_entry failed: not found
May 21 12:58:58 ipa3.chem.byu.edu named-pkcs11[19021]: bug in ldap_entry_reconstruct(): protocol violation: attempt to reconstruct non-existing entry
May 21 12:58:58 ipa3.chem.byu.edu named-pkcs11[19021]: ldap_sync_search_entry failed: not found
May 21 12:58:58 ipa3.chem.byu.edu named-pkcs11[19021]: syncrepl_update failed for resource record DN 'idnsName=250,idnsname=105.168.192.in-addr.arpa.,cn=dns,dc=chem,dc=byu,dc=edu'
May 21 12:58:58 ipa3.chem.byu.edu named-pkcs11[19021]: ldap_sync_search_entry failed: not found
May 21 12:58:58 ipa3.chem.byu.edu named-pkcs11[19021]: bug in ldap_entry_reconstruct(): protocol violation: attempt to reconstruct non-existing entry
May 21 12:58:58 ipa3.chem.byu.edu named-pkcs11[19021]: ldap_sync_search_entry failed: not found
May 21 12:58:58 ipa3.chem.byu.edu named-pkcs11[19021]: syncrepl_update failed for resource record DN 'idnsName=136,idnsname=105.168.192.in-addr.arpa.,cn=dns,dc=chem,dc=byu,dc=edu'
May 21 12:58:58 ipa3.chem.byu.edu named-pkcs11[19021]: ldap_sync_search_entry failed: not found

The messages log has a number of messages like this one:
May 19 03:11:53 ipa3 ns-slapd: [19/May/2019:03:11:53.896464579 -0600] - ERR - NSMMReplicationPlugin - acquire_replica - agmt="cn=caToipa1.chem.byu.edu" (ipa1:389): Unable to acquire replica: permission denied. The bind dn "" does not have permission to supply replication updates to the replica. Will retry later.
May 19 03:13:10 ipa3 ns-slapd: [19/May/2019:03:13:10.967375303 -0600] - ERR - NSMMReplicationPlugin - acquire_replica - agmt="cn=ipa3.chem.byu.edu-to-ipa2.chem.byu.edu" (ipa2:389): Unable to acquire replica: permission denied. The bind dn "" does not have permission to supply replication updates to the replica. Will retry later.


Hi,

It looks like a replication issue. Can you check the content of the entry
cn=replication managers,cn=sysaccounts,cn=etc,dc=chem,dc=byu,dc=com
on your servers? It should contain a "member" attribute for the replica and the master like the following:
member: krbprincipalname=ldap/replica.chem.byu....@chem.byu.com,cn=services,cn=accounts,dc=chem,dc=byu,dc=com

Then check that the replica bind dn group is properly defined for the IPA domain:
dn: cn=replica,cn=dc\3Dchem\2Cdc\3Dbyu\2Cdc\3Dcom,cn=mapping tree,cn=config
nsds5replicabinddngroup: cn=replication managers,cn=sysaccounts,cn=etc,dc=chem,dc=byu,dc=com
nsds5replicabinddngroupcheckinterval: 60

and for the CA domain:
dn: cn=replica,cn=o\3Dipaca,cn=mapping tree,cn=config
nsds5replicabinddngroup: cn=replication managers,cn=sysaccounts,cn=etc,dc=chem,dc=byu,dc=com
nsds5replicabinddngroupcheckinterval: 60

HTH,
flo
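A script that makes the three checks flo describes against an LDIF dump, added here as an example and not part of the thread: it parses the ldapsearch output for the replication managers group and the two cn=replica mapping tree entries, then reports any server whose ldap/ principal is not a member of the group and any replica entry whose nsds5replicabinddngroup does not name that group. The realm, suffix, host names and the embedded LDIF are constructed for the example.

```python
from collections import defaultdict

def parse_ldif(text):
    # Minimal parser for plain (non-base64) LDIF -> {lowercased dn: {attr: [values]}}; "\n " is a continuation
    entries, cur_dn, attrs = {}, None, defaultdict(list)
    for line in text.replace("\n ", "").splitlines() + [""]:   # trailing "" flushes the last entry
        if not line.strip():
            if cur_dn is not None:
                entries[cur_dn] = dict(attrs)
            cur_dn, attrs = None, defaultdict(list)
            continue
        key, _, value = line.partition(":")
        if key.lower() == "dn":
            cur_dn = value.strip().lower()
        else:
            attrs[key.lower()].append(value.strip())
    return entries

def check_replication_config(ldif_text, hosts, realm, suffix):
    # Returns the problems found; an empty list means the entries match what flo describes
    entries = parse_ldif(ldif_text)
    group_dn = f"cn=replication managers,cn=sysaccounts,cn=etc,{suffix}".lower()
    members = {m.lower() for m in entries.get(group_dn, {}).get("member", [])}
    problems = []
    for host in hosts:   # every server's ldap/ principal must be a member of the group
        principal = f"krbprincipalname=ldap/{host}@{realm},cn=services,cn=accounts,{suffix}"
        if principal.lower() not in members:
            problems.append(f"{host}: ldap principal is not a member of replication managers")
    # Domain and CA replica entries must name the group; '=' and ',' in the mapping tree RDN are escaped as \3D and \2C
    escaped = suffix.replace("=", "\\3D").replace(",", "\\2C")
    for replica_dn in (f"cn=replica,cn={escaped},cn=mapping tree,cn=config",
                       "cn=replica,cn=o\\3Dipaca,cn=mapping tree,cn=config"):
        attrs = entries.get(replica_dn.lower())
        if attrs is None:
            problems.append(f"{replica_dn}: entry missing from the dump")
        elif group_dn not in [g.lower() for g in attrs.get("nsds5replicabinddngroup", [])]:
            problems.append(f"{replica_dn}: nsds5replicabinddngroup does not name the group")
    return problems

SAMPLE_LDIF = r"""dn: cn=replication managers,cn=sysaccounts,cn=etc,dc=example,dc=test
member: krbprincipalname=ldap/ipa1.example.test@EXAMPLE.TEST,cn=services,cn=acc
 ounts,dc=example,dc=test
member: krbprincipalname=ldap/ipa2.example.test@EXAMPLE.TEST,cn=services,cn=accounts,dc=example,dc=test

dn: cn=replica,cn=dc\3Dexample\2Cdc\3Dtest,cn=mapping tree,cn=config
nsds5replicabinddngroup: cn=replication managers,cn=sysaccounts,cn=etc,dc=example,dc=test

dn: cn=replica,cn=o\3Dipaca,cn=mapping tree,cn=config
"""  # constructed sample: ipa3 is absent from the group and the CA replica entry names no group
```

Feed it the concatenated `ldapsearch -LLL` output for the three DNs from each server; a host listed in hosts but missing from the group is the case that produces the "bind dn \"\" does not have permission" errors flo is pointing at.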


On Tue, May 21, 2019 at 1:26 PM Rob Crittenden <rcrit...@redhat.com> wrote:

    Kristian Petersen via FreeIPA-users wrote:
    > Hey all,
    >
    > I am using IPA for my DNS and have 3 total servers in the group. 2 of
    > them are responding to queries just fine, but the 3rd (which is bare
    > metal, not a VM like the others) is not resolving the queries issued to
    > it.  Running ipactl status returns all services running:
    >
    > [root@ipa3 /]# ipactl status
    > Directory Service: RUNNING
    > krb5kdc Service: RUNNING
    > kadmin Service: RUNNING
    > *named Service: RUNNING*
    > httpd Service: RUNNING
    > ipa-custodia Service: RUNNING
    > ntpd Service: RUNNING
    > pki-tomcatd Service: RUNNING
    > ipa-otpd Service: RUNNING
    > ipa-dnskeysyncd Service: RUNNING
    > ipa: INFO: The ipactl command was successful
    >
    > We tried restarting the services but didn't change anything. Next we
    > tried to do a forced sync of the server with one of its working replicas:
    >
    > ipa-replica-manage force-sync --from ipa1.example.com
    >
    > We also tried re-initializing the non-working replica:
    >
    > ipa-replica-manage re-initialize --from ipa1.example.com
    >
    > However, it still won't resolve any queries directed to it.  Any ideas
    > of what to try next?

    Can you clarify what doesn't resolve means?

    Is dig timing out, returning the wrong data, etc? Is that on the same
    host or another host? What do the bind logs show? journalctl?

    rob



--
Kristian Petersen
System Administrator
BYU Dept. of Chemistry and Biochemistry

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
