On Tue, 2012-01-24 at 19:30 -0600, ~Stack~ wrote:
> Hello everyone!
> Short update for those who have been helping me along both on and off
> the list.
> For the last week or so I have had problems getting IPA to integrate
> into my network setup. It has been frustrating but I have learned so
> much doing it. Today, I finally had that moment where things just
> clicked and I realized I was trying to force IPA and BIND (named) to do
> things that it was already trying to do. That was the source of all my
> problems. By managing my DNS system *through* the IPA interface
> *instead* of named.conf the vast majority of my problems went away. I
> don't know why it took me so long to realize that IPA was /managing/
> BIND and not just /adding to/ BIND but it did.
> Current questions that have me stumped at the moment.
> 1) Where are the BIND configurations for IPA?

They are stored in the LDAP server.

> The problems I have been having stemmed from the fact that IPA adds just
> a small blurb at the end of a very vanilla named.conf. Even though IPA
> is managing my DNS zone and reverse zone, there is nothing in
> named.conf. Therefore, when I tried to force-cram add my zones to BIND I
> got lots of errors. As long as I manage my zones from the CLI or web
> interface, things work, but when I tinker around with the vanilla
> named.conf file (which does *not* list my IPA configured zones) things
> break.
> I poked around but couldn't figure out where this information was
> stored. This was particularly confusing to me (I am not a named/dhcpd
> expert by any means) since named.conf didn't include the zone
> information and I was under the impression I had to include it so that I
> could share my rndc-key between dhcpd and named (next question). This
> very frustrating misunderstanding led to all my problems.
> Back to the point of this question, where does IPA store its zone
> information for named? I never found any good information in the docs on
> this subject and would like to know for future reference.
> 2) How do I get dhcpd to update DNS?

The first question is: why do you need DHCP to do that, why don't you
let clients securely do it?
We do register a client in the DNS in ipa-client-install.

> Since I can't find the place to add rndc-keys to BIND, right now I have
> to add every host manually in the web interface because dhcpd isn't
> updating named. This is time consuming and a pain when dealing with
> large amounts of systems. If I could figure out where the named zones
> are stored in IPA I should be able to add my rndc-key and be OK, but
> that gets back into question 1.
> My /etc/dhcp/dhcpd.conf file is pretty basic but all the PXE clients
> have host entries to match their MAC with the group that allows PXE
> booting (ex: host pxe001.project.local{hardware ethernet
> 00:16:17:AB:E9:88; fixed-address}). Unless I manage both
> this file and the IPA interface, the nodes have issues figuring out
> their name. One or the other and the node has issues; both and it works.
> I would really prefer not to manage two locations for all these nodes.
> The normal way for dhcpd to talk to BIND(named) is by having a rndc-key.
> However, me fighting with named.conf was the big part of my problems
> before so I am hoping there is a simple way of doing this inside IPA.
> Any ideas?
> I did see an email in the list a few months back saying that adding
> dhcpd to IPA was probably not going to happen because IPA isn't a
> network manager, but I am pretty sure if you ask most people dhcp and
> dns kinda go hand-in-hand. It should at least be easier to work with the
> two if IPA is going to completely manage DNS. I found very little in my
> search of the answer. Maybe I am still just too dumb in these matters to
> figure it out right now. :-) At least I am learning new stuff!
> 3) The very first time when I PXEBoot/tftp/kickstart a machine and it
> auto installs, everything works great. The ipa-client-install runs with
> all my parameters and it just works. However, the second time the node
> boots and installs, I get complaints that the system is already registered.

Install is a one time thing, it creates a record in IPA and gives the
machine a keytab. This is data that needs to be preserved across

> (fresh install)
> # ipa-client-install --mkhomedir
> ...[snip]...
> Joining realm failed: Host is already joined.
> Installation failed. Rolling back changes.
> IPA client is not configured on this system.
> If I try to -f force it, I get errors and nothing seems to work.
> # ipa-client-install --mkhomedir -f
> ...[snip]...
> Joining realm failed: Host is already joined.
> Use ipa-getkeytab to obtain a host principle for this server.
> ...[snip]...
> Unable to find 'admin' user with 'getent passwd admin'!

I would say this is expected.

> For PXEboot nodes that may/will end up with a fresh install, how do I
> best configure them in IPA? Automatically would be best.

You have to keep some configuration, ipa-client-install is not
compatible with a machine that loses all state at each reboot.

You can manage to have machines still fetch data from IPA, but they
can't be full-fledged clients if you can't preserve the keytab and some
other configuration.

Note: You could reset the machine account from the IPA interface before
a reboot, but requiring admin credentials at each reboot to re-enroll
machines is not something I can recommend.


Simo Sorce * Red Hat, Inc * New York

Freeipa-users mailing list
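The client-driven alternative Simo points at, a host refreshing its own A and PTR records over GSS-TSIG with the keytab ipa-client-install left behind, as an added example that is not part of the thread. It assumes a host/ principal in /etc/krb5.keytab, kinit and nsupdate on the client, and a reverse zone served by IPA; the hostname and address used in the comments are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. An enrolled IPA client updates its own
# DNS records with nsupdate -g (GSS-TSIG), authenticating as host/<fqdn> from
# /etc/krb5.keytab. No shared rndc key is handed to dhcpd; the zone's update
# policy on the IPA side decides what this host principal may change.
# Constructed sample values: pxe001.project.local, 192.0.2.10, zone project.local.

# Build the in-addr.arpa owner name for an IPv4 address:
# 192.0.2.10 -> 10.2.0.192.in-addr.arpa.
reverse_name() {
    echo "$1" | awk -F. '{ printf "%s.%s.%s.%s.in-addr.arpa.\n", $4, $3, $2, $1 }'
}

# Emit an nsupdate batch that replaces the host's A record and its PTR record.
# Each record set is sent separately so nsupdate can find the right zone via
# SOA lookup (forward and reverse zones differ).
# $1 = FQDN, $2 = IPv4 address, $3 = TTL (default 1200).
build_update() {
    fqdn="$1"; ip="$2"; ttl="${3:-1200}"
    ptr=$(reverse_name "$ip")
    printf 'update delete %s. IN A\n' "$fqdn"
    printf 'update add %s. %s IN A %s\n' "$fqdn" "$ttl" "$ip"
    printf 'send\n'
    printf 'update delete %s IN PTR\n' "$ptr"
    printf 'update add %s %s IN PTR %s.\n' "$ptr" "$ttl" "$fqdn"
    printf 'send\n'
}

# Obtain a ticket as this host (no admin credentials involved) and push the
# update through GSS-TSIG. $1 = the address this host should be registered under.
run_update() {
    fqdn=$(hostname -f)
    kinit -k -t /etc/krb5.keytab "host/$fqdn" || return 1
    build_update "$fqdn" "$1" | nsupdate -g
}

# Run only when invoked as: sh update-self.sh <ipv4-address>
if [ "$#" -eq 1 ]; then
    run_update "$1"
fi
```

Run it from a post-install hook or a boot-time unit on the enrolled client; the keytab is exactly the state Simo says must survive reinstalls, so a node that wipes it cannot authenticate these updates either.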
