-----Original Message-----
From: Licause, Al (CSC AMS BCS - UNIX/Linux Network Support) 
Sent: Friday, October 03, 2014 6:31 AM
To: 'Jan Pazdziora'
Subject: RE: [Freeipa-users] named and IpA


Jan,

After submitting this request, and since these are crash and burn lab systems, I reran ipa-server-install --uninstall and ran the installation script again, this time without allowing a local dns server to be created. Once we got all of our zone files corrected, the system was able to resolve names and addresses, but I have rerun the configurator again today so I can try to answer your questions.

Just after running the configurator and setting up a new IdM server, the resolv.conf contains the following:

search osn.cxo.cpqcorp.net
nameserver 16.112.240.59

This is the domain in which this server resides, and this is the server's IP address.

By default, the /etc/named.conf file that is created only loads the root servers zone and the dynamic-db "ipa" data. It also contains the following forwarder information, which includes the two forwarders as requested in the installation script.

        forward first;
        forwarders {
                16.112.240.27;
                16.112.240.40;
        };

These forwarders are the two primary dns servers in the domain.

Given that information, the only host that can be resolved at the moment is the local server's name, which is linux:

[root@linux named]# nslookup linux
Server:         16.112.240.59
Address:        16.112.240.59#53

Name:   linux.osn.cxo.cpqcorp.net
Address: 16.112.240.59

[root@linux named]#
[root@linux named]#
[root@linux named]#
[root@linux named]# nslookup denali
Server:         16.112.240.59
Address:        16.112.240.59#53

** server can't find denali: NXDOMAIN

[root@linux named]# nslookup denali.osn.cxo.cpqcorp.net
Server:         16.112.240.59
Address:        16.112.240.59#53

** server can't find denali.osn.cxo.cpqcorp.net: NXDOMAIN


[root@linux named]# nslookup 16.112.240.27
Server:         16.112.240.59
Address:        16.112.240.59#53

** server can't find 27.240.112.16.in-addr.arpa.: NXDOMAIN

[root@linux named]# nslookup www.pbs.org
Server:         16.112.240.59
Address:        16.112.240.59#53

Non-authoritative answer:
www.pbs.org     canonical name = r53-vip.pbs.org.
Name:   r53-vip.pbs.org
Address: 54.160.180.54


As you can see from above, only the local host was successfully resolved using nslookup. Attempts to look up any other host within our own address space fail. We can look up hosts and addresses that are in the public space from the hints zone in the named.conf file.

# dig denali

; <<>> DiG 9.9.4-RedHat-9.9.4-14.el7 <<>> denali
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 30298
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;denali.                                IN      A

;; AUTHORITY SECTION:
.                       10564   IN      SOA     a.root-servers.net. nstld.verisign-grs.com. 2014100300 1800 900 604800 86400

;; Query time: 0 msec
;; SERVER: 16.112.240.59#53(16.112.240.59)
;; WHEN: Fri Oct 03 09:23:13 EDT 2014
;; MSG SIZE  rcvd: 110


As you can see from the dig command, the request is not going past the local host.

But now if I stop ipa and then restart named on this host, the forwarders appear to work just fine:

[root@linux named]# ipactl stop
Stopping Directory Service
Stopping ipa-otpd Service
Stopping pki-tomcatd Service
Stopping httpd Service
Stopping ipa_memcached Service
Stopping named Service
Stopping kadmin Service
Stopping krb5kdc Service
ipa: INFO: The ipactl command was successful
[root@linux named]#
[root@linux named]#
[root@linux named]# systemctl start named
[root@linux named]#
[root@linux named]#
[root@linux named]# systemctl status named.service
named.service - Berkeley Internet Name Domain (DNS)
   Loaded: loaded (/usr/lib/systemd/system/named.service; disabled)
   Active: active (running) since Fri 2014-10-03 09:24:26 EDT; 8s ago
  Process: 7801 ExecStop=/bin/sh -c /usr/sbin/rndc stop > /dev/null 2>&1 || /bin/kill -TERM $MAINPID (code=exited, status=0/SUCCESS)
  Process: 7820 ExecStart=/usr/sbin/named -u named $OPTIONS (code=exited, status=0/SUCCESS)
  Process: 7818 ExecStartPre=/usr/sbin/named-checkconf -z /etc/named.conf (code=exited, status=0/SUCCESS)
 Main PID: 7823 (named)
   CGroup: /system.slice/named.service
           └─7823 /usr/sbin/named -u named

Oct 03 09:24:26 linux.ipa.osn.cxo.cpqcorp.net named[7823]: managed-keys-zone:...
Oct 03 09:24:26 linux.ipa.osn.cxo.cpqcorp.net named[7823]: zone 0.in-addr.arp...
Oct 03 09:24:26 linux.ipa.osn.cxo.cpqcorp.net named[7823]: zone 1.0.0.127.in-...
Oct 03 09:24:26 linux.ipa.osn.cxo.cpqcorp.net named[7823]: zone 1.0.0.0.0.0.0...
Oct 03 09:24:26 linux.ipa.osn.cxo.cpqcorp.net named[7823]: zone localhost/IN:...
Oct 03 09:24:26 linux.ipa.osn.cxo.cpqcorp.net named[7823]: zone localhost.loc...
Oct 03 09:24:26 linux.ipa.osn.cxo.cpqcorp.net named[7823]: all zones loaded
Oct 03 09:24:26 linux.ipa.osn.cxo.cpqcorp.net named[7823]: running
Oct 03 09:24:26 linux.ipa.osn.cxo.cpqcorp.net named[7823]: ldap_psearch_watch...
Oct 03 09:24:26 linux.ipa.osn.cxo.cpqcorp.net systemd[1]: Started Berkeley In...
Hint: Some lines were ellipsized, use -l to show in full.
 

[root@linux named]# dig denali

; <<>> DiG 9.9.4-RedHat-9.9.4-14.el7 <<>> denali
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 14741
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;denali.                                IN      A

;; AUTHORITY SECTION:
.                       10473   IN      SOA     a.root-servers.net. nstld.verisign-grs.com. 2014100300 1800 900 604800 86400

;; Query time: 4 msec
;; SERVER: 16.112.240.59#53(16.112.240.59)
;; WHEN: Fri Oct 03 09:24:44 EDT 2014
;; MSG SIZE  rcvd: 110

[root@linux named]#
[root@linux named]#
[root@linux named]# nslookup denali
Server:         16.112.240.59
Address:        16.112.240.59#53

Non-authoritative answer:
Name:   denali.osn.cxo.cpqcorp.net
Address: 16.112.240.40

[root@linux named]# nslookup dl160a
Server:         16.112.240.59
Address:        16.112.240.59#53

Non-authoritative answer:
Name:   dl160a.osn.cxo.cpqcorp.net
Address: 16.112.240.191
 

So I have to ask: what is IdM doing internally that prevents the name service from correctly forwarding requests to other local name servers?

Or... what have I failed to configure to get this to work correctly?

I did notice the following text displayed toward the end of the ipa-server-install script run that states this:

Global DNS configuration in LDAP server is empty
You can use 'dnsconfig-mod' command to set global DNS options that would override settings in local named.conf files

Could it be that once we use dnsconfig-mod to add some dns information to the local 389 directory server, this will repair the problem?

And if so, what specifically needs to be added?

Thanks
Al


-----Original Message-----
From: Jan Pazdziora [mailto:jpazdzi...@redhat.com]
Sent: Thursday, October 02, 2014 11:23 PM
To: Licause, Al (CSC AMS BCS - UNIX/Linux Network Support)
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] named and IpA

On Thu, Oct 02, 2014 at 05:05:10PM +0000, Licause, Al (CSC AMS BCS - UNIX/Linux Network Support) wrote:
> 
> From the IdM server we can only lookup local records.  The name
> resolver will not attempt to look to any other name servers or domains
> defined in /etc/resolv.conf

What exactly is in your /etc/resolv.conf? Just the IP address of the IPA server 
(localhost), or some other records?

> If I shutdown IdM using ipactl stop and then restart named, the name 
> resolver works for local and remote hosts, addresses and domains as 
> well as serving up the SRV records defined on the local host.

So if all IdM services are running, you do not seem to have named observing 
forwarders settings but if you only run named on the IdM machine and nothing 
else, it starts to observe them?

Can you show dig output for one of the problematic records to see which DNS 
server is answering the query?

--
Jan Pazdziora
Principal Software Engineer, Identity Management Engineering, Red Hat
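Added here as a diagnostic aid, not code from the thread or from the FreeIPA project: a small Python parser for dig output that extracts what Jan asked for from the runs above, namely whether the queried server set the `aa` flag (it denied the name from a zone it holds itself, so no forwarder was consulted) and which zone's SOA signed the NXDOMAIN. It also flags that `dig denali` without +search asks for the single label `denali.`, which any resolver answers from the root zone, so only the FQDN query says anything about forwarding; the second sample input is constructed, not taken from the thread.

```python
import re
# Verbatim excerpt of the `dig denali` run quoted in the thread: dig does not
# use the resolv.conf search list, so the bare name "denali." went to the root.
DIG_FROM_THREAD = """\
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 30298
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;denali.                                IN      A
;; AUTHORITY SECTION:
.                       10564   IN      SOA     a.root-servers.net. nstld.verisign-grs.com. 2014100300 1800 900 604800 86400
"""
# Constructed sample (not from the thread): NXDOMAIN with the `aa` flag and the
# site zone's own SOA, i.e. denied from a zone the server holds, never forwarded.
DIG_CONSTRUCTED_AA = """\
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 4242
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;denali.osn.cxo.cpqcorp.net.            IN      A
;; AUTHORITY SECTION:
osn.cxo.cpqcorp.net.    3600    IN      SOA     linux.osn.cxo.cpqcorp.net. hostmaster.osn.cxo.cpqcorp.net. 1 3600 900 1209600 3600
"""

def diagnose(dig_output):
    """Name actually asked, status, `aa` (answered from a local zone, never
    forwarded) and the zone whose SOA signed a negative answer."""
    r = {"qname": None, "status": None, "authoritative": False,
         "denied_by": None, "single_label": False}
    section = None
    for line in dig_output.splitlines():
        m = re.match(r"^;; (\w+) SECTION:$", line)
        if m:
            section = m.group(1)
        elif line.startswith((";; ->>HEADER<<-", ";; flags:")):
            m = re.search(r"status: (\w+)", line)
            if m:
                r["status"] = m.group(1)
            m = re.search(r"flags: ([^;]*);", line)
            if m:
                r["authoritative"] = "aa" in m.group(1).split()
        elif section == "QUESTION" and line.startswith(";"):
            r["qname"] = line[1:].split()[0]
            # only the trailing dot left: a single label was sent to the root zone
            r["single_label"] = r["qname"].count(".") == 1
        elif section == "AUTHORITY" and line and not line.startswith(";"):
            fields = line.split()
            if len(fields) > 4 and fields[3] == "SOA":
                r["denied_by"] = fields[0]
    return r
```

Run it over the output of `dig denali.osn.cxo.cpqcorp.net` taken while IdM is running: `authoritative` True with `denied_by` equal to your own domain means the local server answered from a zone it serves and the forwarders were never in play.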

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project