-----Original Message-----
From: Licause, Al (CSC AMS BCS - UNIX/Linux Network Support) 
Sent: Friday, October 03, 2014 10:30 AM
To: 'freeipa-users@redhat.com'
Subject: FW: [Freeipa-users] FW: named and IpA

I am not a specialist but can it be that when you run just named it uses files 
and when you start IPA it uses LDAP database and the issue that the forwarders 
are correctly recorded in files (manually?) but not in the LDAP database?

>>  This certainly makes sense.....but then having entered the forwarders using 
>> ipa dnsconfig-mod --forwarders=......
>>   didn't seem to make a difference.      I assume the ipa dnsconfig-mod 
>> command places those forwarders
>>   in the ldap database ?    

>>  But having done so, does anything have to be restarted to get this to work 
>> or is the effect immediate  ?

>>>  Actually I just tried ipactl restart which should restart all components 
>>> including named and I am still unable
>>>  to resolve any hostnames or ip addresses off this system other than 
>>> something from the root servers.....so
>>>  I suppose it could be a named configuration issue....but then why does 
>>> that issue resolve itself when
>>>  the IdM components are removed from the picture ?

Al


-----Original Message-----
From: freeipa-users-boun...@redhat.com 
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Dmitri Pal
Sent: Friday, October 03, 2014 10:16 AM
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] FW: named and IpA

On 10/03/2014 11:13 AM, Licause, Al (CSC AMS BCS - UNIX/Linux Network
Support) wrote:
>
> -----Original Message-----
> From: freeipa-users-boun...@redhat.com 
> [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Petr Spacek
> Sent: Friday, October 03, 2014 1:26 AM
> To: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] named and IpA
>
> On 2.10.2014 19:05, Licause, Al (CSC AMS BCS - UNIX/Linux Network Support) 
> wrote:
>> We have IdM running on a RHEL V7 system and have configured a local 
>> DNS server in our test lab.
>>
>> We have loaded the various SRV and TXT records needed by the IdM server.
>>
>>
>> PROBLEM:
>>
>> From the IdM server we can only lookup local records.  The name 
>> resolver will not
>> attempt to look to any other name servers or domains defined in 
>> /etc/resolv.conf
>>
>> If I shutdown IdM using ipactl stop and then restart named, the name 
>> resolver works for local and remote hosts, addresses and domains as 
>> well as serving up the SRV records defined on the local host.
>>
>> Am I correct in assuming that while IdM is up and running, the only 
>> other systems it will communicate with, at least with regard to name 
>> services, is another host also running IdM defined either as a server or a 
>> client ?
>>
>> If this is the case, is there any way to better integrate some of these 
>> common services such as named into an existing network such that you are not 
>> limited by the IdM components ?
> I would like to get additional information about your environment:
> - Is the IPA server installed with DNS or not? Did you use option 
> --setup-dns during ipa-server-install?
>
>>>    I have tried it both ways, but the most current in which we see this 
>>> behavior I ran ipa-server-install with
>>>    no arguments and said yes to the question about installing DNS.     I 
>>> then replied with two valid forwarders.
>>>    In a previous installation,  we added two of our local zones from one of 
>>> the other dns servers
>>>    and then added the sample zone provided by the installation which 
>>> contained the various SRV and TXT
>>>    records.       But for current reporting of this problem, we did not 
>>> add/load the other zone files.
> - Which DNS zones do you have defined on IPA server? You can use command "ipa 
> dnszone-find" to list all zones.
>
> [root@linux named]# ipa dnsconfig-mod --forwarder=16.112.240.27;16.112.240.40
> ipa: ERROR: no modifications to be performed
> bash: 16.112.240.40: command not found...
> [root@linux named]# ipa dnszone-find
>    Zone name: 240.112.16.in-addr.arpa.
>    Authoritative nameserver: linux.osn.cxo.cpqcorp.net.
>    Administrator e-mail address: hostmaster.osn.cxo.cpqcorp.net.
>    SOA serial: 1412344406
>    SOA refresh: 3600
>    SOA retry: 900
>    SOA expire: 1209600
>    SOA minimum: 3600
>    Active zone: TRUE
>    Allow query: any;
>    Allow transfer: none;
>
>    Zone name: osn.cxo.cpqcorp.net
>    Authoritative nameserver: linux.osn.cxo.cpqcorp.net.
>    Administrator e-mail address: hostmaster.osn.cxo.cpqcorp.net.
>    SOA serial: 1412344406
>    SOA refresh: 3600
>    SOA retry: 900
>    SOA expire: 1209600
>    SOA minimum: 3600
>    Active zone: TRUE
>    Allow query: any;
>    Allow transfer: none;
> ----------------------------
> Number of entries returned 2
> ----------------------------
>
> - Are there any other DNS servers serving the same DNS zones?
>
>>>   Yes....we left the other two existing DNS servers in place as they are 
>>> our primary name servers for this lab segment.
>>>   Those are the two systems we have entered as forwarders.
> - Did you configure forwarders in /etc/named.conf or via ipa command line 
> tools (ipa dnsconfig-mod or --forwarder option during ipa-server-install)?
>
>>>   The forwarders were placed in the /etc/named.conf file by the 
>>> ipa-server-install script or one of its subordinate scripts
>>>   I  did try entering the forward policy and forwarders using ipa 
>>> dnsconfig-mod but they didn't seem to change the behavior.
>>>    One thing I did notice was that ipa dnsconfig-mod  --forwarder=      
>>> only allowed one forwarder to be entered.....adding
>>>    a second entry on the line resulted in an error.    If entered with a 
>>> second --forwarders command, the previous forwarder
>>>    was replaced by the new one.      So if there is a particular syntax 
>>> that would allow more than one entry, can you please
>>>    post same ?
> - Please attach result of DNS lookups using "dig" command: One output when it 
> doesn't work (i.e. with IPA running) and the other when it works as you 
> expect (i.e. after "ipactl stop" and "service named restart").
>
>>> with ipa running:
> [root@linux named]# nslookup dl160a.osn.cxo.cpqcorp.net
> Server:         16.112.240.59
> Address:        16.112.240.59#53
>
> ** server can't find dl160a.osn.cxo.cpqcorp.net: NXDOMAIN
>
> [root@linux named]# dig dl160a.osn.cxo.cpqcorp.net
>
> ; <<>> DiG 9.9.4-RedHat-9.9.4-14.el7 <<>> dl160a.osn.cxo.cpqcorp.net
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 6571
> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ;; QUESTION SECTION:
> ;dl160a.osn.cxo.cpqcorp.net.    IN      A
>
> ;; AUTHORITY SECTION:
> osn.cxo.cpqcorp.net.    3600    IN      SOA     linux.osn.cxo.cpqcorp.net. 
> hostmaster.osn.cxo.cpqcorp.net. 1412344406 3600 900 1209600 3600
>
> ;; Query time: 1 msec
> ;; SERVER: 16.112.240.59#53(16.112.240.59)
> ;; WHEN: Fri Oct 03 11:08:35 EDT 2014
> ;; MSG SIZE  rcvd: 108
>
>   
> [root@linux named]# ipactl stop
> Stopping Directory Service
> Stopping ipa-otpd Service
> Stopping pki-tomcatd Service
> Stopping httpd Service
> Stopping ipa_memcached Service
> Stopping named Service
> Stopping kadmin Service
> Stopping krb5kdc Service
> ipa: INFO: The ipactl command was successful
>   
> [root@linux named]# systemctl start named
> [root@linux named]#
> [root@linux named]#
> [root@linux named]# dig dl160a.osn.cxo.cpqcorp.net
>
> ; <<>> DiG 9.9.4-RedHat-9.9.4-14.el7 <<>> dl160a.osn.cxo.cpqcorp.net
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28446
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 4
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ;; QUESTION SECTION:
> ;dl160a.osn.cxo.cpqcorp.net.    IN      A
>
> ;; ANSWER SECTION:
> dl160a.osn.cxo.cpqcorp.net. 43200 IN    A       16.112.240.191
>
> ;; AUTHORITY SECTION:
> osn.cxo.cpqcorp.net.    43200   IN      NS      cluster.osn.cxo.cpqcorp.net.
> osn.cxo.cpqcorp.net.    43200   IN      NS      win2008.osn.cxo.cpqcorp.net.
> osn.cxo.cpqcorp.net.    43200   IN      NS      denali.osn.cxo.cpqcorp.net.
>
> ;; ADDITIONAL SECTION:
> win2008.osn.cxo.cpqcorp.net. 43200 IN   A       16.112.240.55
> cluster.osn.cxo.cpqcorp.net. 43200 IN   A       16.112.240.27
> denali.osn.cxo.cpqcorp.net. 43200 IN    A       16.112.240.40
>
> ;; Query time: 4 msec
> ;; SERVER: 16.112.240.59#53(16.112.240.59)
> ;; WHEN: Fri Oct 03 11:10:54 EDT 2014
> ;; MSG SIZE  rcvd: 184
>
>
> Thank you.
>
> --
> Petr^2 Spacek
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go To http://freeipa.org for more info on the project
>
I am not a specialist but can it be that when you run just named it uses files 
and when you start IPA it uses LDAP database and the issue that the forwarders 
are correctly recorded in files (manually?) but not in the LDAP database?

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.

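Two practical points come out of this thread: the "bash: 16.112.240.40: command not found" line shows that an unquoted ";" between the two forwarder addresses ended the shell command, so only the first address ever reached ipa; and Dmitri's suspicion is that the forwarders written into /etc/named.conf by the installer differ from the global forwarders FreeIPA keeps in LDAP, which is the configuration named serves (through the bind-dyndb-ldap plugin) once IPA is running. The script below is an added example written for this page; it is not code from any message in the thread nor from the FreeIPA project. It builds the forwarder command with the option repeated once per address, which is how the ipa CLI takes several values for one multi-valued attribute, and then compares the forwarders found in named.conf text against those printed by `ipa dnsconfig-show`. Both inputs are constructed samples (RFC 5737 placeholder addresses) so it runs offline; on a real server you would feed it the real file and the real `ipa dnsconfig-show` output.

```sh
#!/bin/sh
# Added example, not code from this thread or from the FreeIPA project.
#   1. ipa_forwarder_cmd  - prints the ipa command with --forwarder repeated per address
#      (an unquoted ';' between addresses splits the shell command instead).
#   2. missing_in_ldap    - lists forwarders present in named.conf but absent from the
#      LDAP-backed configuration that `ipa dnsconfig-show` displays.
# Inputs below are constructed samples (RFC 5737 addresses) so the script runs offline.

# Constructed sample: the options block ipa-server-install wrote into named.conf.
SAMPLE_NAMED_CONF='options {
    forwarders { 192.0.2.10; 192.0.2.20; };
    forward first;
};'

# Constructed sample: `ipa dnsconfig-show` after only the first address reached LDAP
# (the second one was swallowed by the shell, as in the thread).
SAMPLE_IPA_SHOW='  Global forwarders: 192.0.2.10
  Forward policy: first'

# Build the ipa command that sets several global forwarders in one call.
# Nothing is executed here; the command line is printed for the operator to check.
ipa_forwarder_cmd() {
    _cmd='ipa dnsconfig-mod'
    for _fw in "$@"; do
        _cmd="$_cmd --forwarder=$_fw"
    done
    printf '%s\n' "$_cmd"
}

# Forwarders from named.conf text on stdin: one address per line, sorted.
named_forwarders() {
    sed -n 's/.*forwarders[[:space:]]*{\([^}]*\)}.*/\1/p' |
        tr ';' '\n' | tr -d ' \t' | grep -v '^$' | sort
}

# "Global forwarders:" values from `ipa dnsconfig-show` text on stdin (the CLI
# prints multi-valued attributes comma-separated): one address per line, sorted.
ipa_forwarders() {
    sed -n 's/^[[:space:]]*Global forwarders:[[:space:]]*//p' |
        tr ',' '\n' | tr -d ' \t' | grep -v '^$' | sort
}

# Print every forwarder that is in the named.conf text ($1) but not in the
# `ipa dnsconfig-show` text ($2). A non-empty result means the file and LDAP
# have diverged: named alone would forward, named under IPA would not.
missing_in_ldap() {
    _in_ldap=$(printf '%s\n' "$2" | ipa_forwarders)
    printf '%s\n' "$1" | named_forwarders | while IFS= read -r _fw; do
        printf '%s\n' "$_in_ldap" | grep -qxF "$_fw" || printf '%s\n' "$_fw"
    done
}

# Stand-alone run: show the correct command, then report the divergence.
ipa_forwarder_cmd 192.0.2.10 192.0.2.20
echo "forwarders in named.conf but not in LDAP:"
missing_in_ldap "$SAMPLE_NAMED_CONF" "$SAMPLE_IPA_SHOW"
```

On a live server the same functions take `missing_in_ldap "$(cat /etc/named.conf)" "$(ipa dnsconfig-show)"`; an empty result means both sources agree, which is the state to confirm before looking elsewhere for why lookups outside the local zones fail.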