-----Original Message-----
From: freeipa-users-boun...@redhat.com
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Petr Spacek
Sent: Friday, October 03, 2014 1:26 AM
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] named and IpA
On 2.10.2014 19:05, Licause, Al (CSC AMS BCS - UNIX/Linux Network Support) wrote:
We have IdM running on a RHEL V7 system and have configured a local DNS server in our test lab.
We have loaded the various SRV and TXT records needed by the IdM server.
PROBLEM:
From the IdM server we can only look up local records. The name resolver will not
attempt to look to any other name servers or domains defined in /etc/resolv.conf.
If I shut down IdM using ipactl stop and then restart named, the name resolver works
for local and remote hosts, addresses and domains, as well as serving up the SRV
records defined on the local host.
Am I correct in assuming that while IdM is up and running, the only other systems it
will communicate with, at least with regard to name services, is another host also
running IdM defined either as a server or a client?
If this is the case, is there any way to better integrate some of these common
services such as named into an existing network, such that you are not limited by
the IdM components?

I would like to get additional information about your environment:
- Is the IPA server installed with DNS or not? Did you use the option
--setup-dns during ipa-server-install?

I have tried it both ways, but for the most current installation in which we see
this behavior I ran ipa-server-install with no arguments and said yes to the
question about installing DNS. I then replied with two valid forwarders.

In a previous installation, we added two of our local zones from one of the other
DNS servers and then added the sample zone provided by the installation, which
contained the various SRV and TXT records. But for the current report of this
problem, we did not add/load the other zone files.

- Which DNS zones do you have defined on IPA server? You can use command
"ipa dnszone-find" to list all zones.

[root@linux named]# ipa dnsconfig-mod --forwarder=16.112.240.27;16.112.240.40
ipa: ERROR: no modifications to be performed
bash: 16.112.240.40: command not found...

[root@linux named]# ipa dnszone-find
Zone name: 240.112.16.in-addr.arpa.
Authoritative nameserver: linux.osn.cxo.cpqcorp.net.
Administrator e-mail address: hostmaster.osn.cxo.cpqcorp.net.
SOA serial: 1412344406
SOA refresh: 3600
SOA retry: 900
SOA expire: 1209600
SOA minimum: 3600
Active zone: TRUE
Allow query: any;
Allow transfer: none;
Zone name: osn.cxo.cpqcorp.net
Authoritative nameserver: linux.osn.cxo.cpqcorp.net.
Administrator e-mail address: hostmaster.osn.cxo.cpqcorp.net.
SOA serial: 1412344406
SOA refresh: 3600
SOA retry: 900
SOA expire: 1209600
SOA minimum: 3600
Active zone: TRUE
Allow query: any;
Allow transfer: none;
----------------------------
Number of entries returned 2
----------------------------
- Are there any other DNS servers serving the same DNS zones?

Yes... we left the other two existing DNS servers in place, as they are our
primary name servers for this lab segment. Those are the two systems we have
entered as forwarders.

- Did you configure forwarders in /etc/named.conf or via ipa command line tools
(ipa dnsconfig-mod or --forwarder option during ipa-server-install)?

The forwarders were placed in the /etc/named.conf file by the ipa-server-install
script or one of its subordinate scripts.

I did try entering the forward policy and forwarders using ipa dnsconfig-mod, but
they didn't seem to change the behavior.
One thing I did notice was that ipa dnsconfig-mod --forwarder= only allowed one
forwarder to be entered... adding a second entry on the line resulted in an error.
If entered with a second --forwarder command, the previous forwarder was replaced
by the new one. So if there is a particular syntax that would allow more than one
entry, can you please post the same?

- Please attach result of DNS lookups using "dig" command: One output when it
doesn't work (i.e. with IPA running) and the other when it works as you expect
(i.e. after "ipactl stop" and "service named restart").

With IPA running:

[root@linux named]# nslookup dl160a.osn.cxo.cpqcorp.net
Server: 16.112.240.59
Address: 16.112.240.59#53
** server can't find dl160a.osn.cxo.cpqcorp.net: NXDOMAIN
[root@linux named]# dig dl160a.osn.cxo.cpqcorp.net

; <<>> DiG 9.9.4-RedHat-9.9.4-14.el7 <<>> dl160a.osn.cxo.cpqcorp.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 6571
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;dl160a.osn.cxo.cpqcorp.net. IN A

;; AUTHORITY SECTION:
osn.cxo.cpqcorp.net. 3600 IN SOA linux.osn.cxo.cpqcorp.net. hostmaster.osn.cxo.cpqcorp.net. 1412344406 3600 900 1209600 3600

;; Query time: 1 msec
;; SERVER: 16.112.240.59#53(16.112.240.59)
;; WHEN: Fri Oct 03 11:08:35 EDT 2014
;; MSG SIZE rcvd: 108

[root@linux named]# ipactl stop
Stopping Directory Service
Stopping ipa-otpd Service
Stopping pki-tomcatd Service
Stopping httpd Service
Stopping ipa_memcached Service
Stopping named Service
Stopping kadmin Service
Stopping krb5kdc Service
ipa: INFO: The ipactl command was successful
[root@linux named]# systemctl start named
[root@linux named]# dig dl160a.osn.cxo.cpqcorp.net

; <<>> DiG 9.9.4-RedHat-9.9.4-14.el7 <<>> dl160a.osn.cxo.cpqcorp.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28446
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 4

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;dl160a.osn.cxo.cpqcorp.net. IN A

;; ANSWER SECTION:
dl160a.osn.cxo.cpqcorp.net. 43200 IN A 16.112.240.191

;; AUTHORITY SECTION:
osn.cxo.cpqcorp.net. 43200 IN NS cluster.osn.cxo.cpqcorp.net.
osn.cxo.cpqcorp.net. 43200 IN NS win2008.osn.cxo.cpqcorp.net.
osn.cxo.cpqcorp.net. 43200 IN NS denali.osn.cxo.cpqcorp.net.

;; ADDITIONAL SECTION:
win2008.osn.cxo.cpqcorp.net. 43200 IN A 16.112.240.55
cluster.osn.cxo.cpqcorp.net. 43200 IN A 16.112.240.27
denali.osn.cxo.cpqcorp.net. 43200 IN A 16.112.240.40

;; Query time: 4 msec
;; SERVER: 16.112.240.59#53(16.112.240.59)
;; WHEN: Fri Oct 03 11:10:54 EDT 2014
;; MSG SIZE rcvd: 184

Thank you.
--
Petr^2 Spacek
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
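Reading the two dig runs in the thread side by side explains the behaviour without guessing at the forwarder list: with IPA running the NXDOMAIN carries the `aa` flag and an SOA whose MNAME is linux.osn.cxo.cpqcorp.net, so the IPA-managed named answered from its own copy of osn.cxo.cpqcorp.net, and an authoritative server never hands a name inside its own zone to forwarders; after ipactl stop that zone is no longer loaded, the reply has no `aa` and lists the other lab servers as NS, so named recursed through them. Separately, the "bash: 16.112.240.40: command not found" line shows bash splitting the unquoted `;` into a second command, so only the first address ever reached ipa. The parser below is an added example, not code from the thread or from FreeIPA; the two inputs are the thread's own dig outputs transcribed as constructed string literals (whitespace normalised, SOA on one line), and the classification labels are this example's own naming.

```python
import re

# Two dig outputs transcribed from the thread (constructed string literals here;
# whitespace normalised, the SOA record kept on one line).
WITH_IPA = """\
; <<>> DiG 9.9.4-RedHat-9.9.4-14.el7 <<>> dl160a.osn.cxo.cpqcorp.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 6571
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;dl160a.osn.cxo.cpqcorp.net. IN A

;; AUTHORITY SECTION:
osn.cxo.cpqcorp.net. 3600 IN SOA linux.osn.cxo.cpqcorp.net. hostmaster.osn.cxo.cpqcorp.net. 1412344406 3600 900 1209600 3600

;; Query time: 1 msec
;; SERVER: 16.112.240.59#53(16.112.240.59)
"""

WITHOUT_IPA = """\
; <<>> DiG 9.9.4-RedHat-9.9.4-14.el7 <<>> dl160a.osn.cxo.cpqcorp.net
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28446
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 4

;; QUESTION SECTION:
;dl160a.osn.cxo.cpqcorp.net. IN A

;; ANSWER SECTION:
dl160a.osn.cxo.cpqcorp.net. 43200 IN A 16.112.240.191

;; AUTHORITY SECTION:
osn.cxo.cpqcorp.net. 43200 IN NS cluster.osn.cxo.cpqcorp.net.
osn.cxo.cpqcorp.net. 43200 IN NS win2008.osn.cxo.cpqcorp.net.
osn.cxo.cpqcorp.net. 43200 IN NS denali.osn.cxo.cpqcorp.net.

;; ADDITIONAL SECTION:
win2008.osn.cxo.cpqcorp.net. 43200 IN A 16.112.240.55
cluster.osn.cxo.cpqcorp.net. 43200 IN A 16.112.240.27
denali.osn.cxo.cpqcorp.net. 43200 IN A 16.112.240.40

;; Query time: 4 msec
;; SERVER: 16.112.240.59#53(16.112.240.59)
"""


def parse_dig(text):
    """Extract status, header flags, section counts and the ANSWER/AUTHORITY records."""
    status = re.search(r"status: (\w+)", text)
    flags = re.search(r";; flags: ([a-z ]*);", text)
    counts = re.search(r"QUERY: (\d+), ANSWER: (\d+), AUTHORITY: (\d+), ADDITIONAL: (\d+)", text)
    parsed = {
        "status": status.group(1) if status else None,
        "flags": set(flags.group(1).split()) if flags else set(),
        "counts": dict(zip(("query", "answer", "authority", "additional"),
                           map(int, counts.groups()))) if counts else {},
        "answers": [],
        "authority": [],
    }
    section = None
    for line in text.splitlines():
        if line.startswith(";; ANSWER SECTION"):
            section = "answers"
        elif line.startswith(";; AUTHORITY SECTION"):
            section = "authority"
        elif line.startswith(";;"):
            section = None          # any other ';;' header ends the current section
        elif line.startswith(";") or not line.strip():
            continue                # question line, EDNS pseudo-record, or blank line
        elif section:
            name, ttl, _cls, rtype, *rdata = line.split()
            parsed[section].append({"name": name, "ttl": int(ttl),
                                    "type": rtype, "rdata": " ".join(rdata)})
    return parsed


def soa_primary(parsed):
    """MNAME of the SOA in the AUTHORITY section, i.e. which server claims the zone."""
    for rec in parsed["authority"]:
        if rec["type"] == "SOA":
            return rec["rdata"].split()[0]
    return None


def explain(parsed):
    """Classify the reply (labels are this example's own). An NXDOMAIN with the 'aa'
    flag came from the queried server's own copy of the zone: an authoritative
    server answers such names itself and never consults forwarders for them, so
    the fix is in the zone data or in which server hosts the zone, not the
    forwarder list."""
    if parsed["status"] == "NXDOMAIN" and "aa" in parsed["flags"]:
        return "authoritative_nxdomain"
    if parsed["status"] == "NOERROR" and parsed["answers"]:
        return "resolved_authoritative" if "aa" in parsed["flags"] else "resolved_recursive"
    return "other"


if __name__ == "__main__":
    for label, text in (("with IPA", WITH_IPA), ("after ipactl stop", WITHOUT_IPA)):
        p = parse_dig(text)
        print(f"{label}: {explain(p)}, flags={sorted(p['flags'])}, "
              f"soa={soa_primary(p)}, answers={[r['rdata'] for r in p['answers']]}")
```

Run it as-is to see the two classifications; to apply it to a live server, pipe `dig @<server> <name>` into parse_dig and compare the SOA MNAME against the server you expected to be authoritative. A zone that is both hosted on the IPA server and on the lab's existing servers with different content is the condition this check surfaces.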