-----Original Message-----
From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Dmitri Pal
Sent: Friday, October 03, 2014 2:01 PM
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] FW: FW: named and IpA
On 10/03/2014 03:43 PM, Licause, Al (CSC AMS BCS - UNIX/Linux Network Support) wrote:
>
> -----Original Message-----
> From: Licause, Al (CSC AMS BCS - UNIX/Linux Network Support)
> Sent: Friday, October 03, 2014 10:30 AM
> To: 'freeipa-users@redhat.com'
> Subject: FW: [Freeipa-users] FW: named and IpA
>
> I am not a specialist but can it be that when you run just named it uses
> files and when you start IPA it uses LDAP database and the issue that the
> forwarders are correctly recorded in files (manually?) but not in the LDAP
> database?
>
>>> This certainly makes sense.....but then having entered the forwarders
>>> using ipa dnsconfig-mod --forwarders=......
>>> didn't seem to make a difference.  I assume the ipa dnsconfig-mod
>>> command places those forwarders
>>> in the ldap database ?
>>> But having done so, does anything have to be restarted to get this to
>>> work or is the effect immediate ?
>>>> Actually I just tried ipactl restart which should restart all components
>>>> including named and I am still unable
>>>> to resolve any hostnames or ip addresses off this system other than
>>>> something from the root servers.....so
>>>> I supposed it could be a named configuration issue....but then why does
>>>> that issue resolve itself when
>>>> the IdM components are removed from the picture ?

Is there one named.conf?

>>> yes...from all I can tell:
>>> [root@linux named]# ls -l /etc/named.conf
>>> -rw-r----- 1 root named 1317 Oct  3 09:07 /etc/named.conf

Maybe there is some env variable that redirects it, or there is a symlink and in one case it uses one and in another case another. I am just speculating. I do not know for sure.

>>> did a printenv and found nothing related to named.

Something is strange and may be different in this setup.

>>> I would agree.....but I wish I could figure out what it is.

Have you tried a different machine or VM and a clean install there?
>>> Unfortunately we have a limited number of test systems and this is our only
>>> RHEL V7 system at the moment.
>>> Should another one become available, I'll try to install the IdM sets on
>>> that and see if we get the same results.

Al

> Al
>
>
> -----Original Message-----
> From: freeipa-users-boun...@redhat.com
> [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Dmitri Pal
> Sent: Friday, October 03, 2014 10:16 AM
> To: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] FW: named and IpA
>
> On 10/03/2014 11:13 AM, Licause, Al (CSC AMS BCS - UNIX/Linux Network
> Support) wrote:
>> -----Original Message-----
>> From: freeipa-users-boun...@redhat.com
>> [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Petr Spacek
>> Sent: Friday, October 03, 2014 1:26 AM
>> To: freeipa-users@redhat.com
>> Subject: Re: [Freeipa-users] named and IpA
>>
>> On 2.10.2014 19:05, Licause, Al (CSC AMS BCS - UNIX/Linux Network Support)
>> wrote:
>>> We have IdM running on a RHEL V7 system and have configured a local
>>> DNS server in our test lab.
>>>
>>> We have loaded the various SRV and TXT records needed by the IdM server.
>>>
>>>
>>> PROBLEM:
>>>
>>> From the IdM server we can only lookup local records.  The name
>>> resolver will not
>>> attempt to look to any other name servers or domains defined in
>>> /etc/resolv.conf
>>>
>>> If I shutdown IdM using ipactl stop and then restart named, the name
>>> resolver works for local and remote hosts, addresses and domains as
>>> well as serving up the SRV records defined on the local host.
>>>
>>> Am I correct in assuming that while IdM is up and running, the only
>>> other systems it will communicate with at least with regard to name
>>> services is another host also running IdM defined either as a server or a
>>> client ?
>>>
>>> If this is the case, is there any way to better integrate some of these
>>> common services such as named into an existing network such that you are
>>> not limited by the IdM components ?
>> I would like to get additional information about your environment:
>> - Is the IPA server installed with DNS or not? Did you use option
>> --setup-dns during ipa-server-install?
>>
>>>> I have tried it both ways, but the most current in which we see this
>>>> behavior I ran ipa-server-install with
>>>> no arguments and said yes to the question about installing DNS.  I
>>>> then replied with two valid forwarders.
>>>> In a previous installation, we added two of our local zones from one
>>>> of the other dns server
>>>> and then added the sample zone provided by the installation which
>>>> contained the various SRV and TXT
>>>> records.  But for current reporting of this problem, we did not
>>>> add/load the other zone files.
>> - Which DNS zones do you have defined on IPA server? You can use command
>> "ipa dnszone-find" to list all zones.
>>
>> [root@linux named]# ipa dnsconfig-mod --forwarder=16.112.240.27;16.112.240.40
>> ipa: ERROR: no modifications to be performed
>> bash: 16.112.240.40: command not found...
>> [root@linux named]# ipa dnszone-find
>>   Zone name: 240.112.16.in-addr.arpa.
>>   Authoritative nameserver: linux.osn.cxo.cpqcorp.net.
>>   Administrator e-mail address: hostmaster.osn.cxo.cpqcorp.net.
>>   SOA serial: 1412344406
>>   SOA refresh: 3600
>>   SOA retry: 900
>>   SOA expire: 1209600
>>   SOA minimum: 3600
>>   Active zone: TRUE
>>   Allow query: any;
>>   Allow transfer: none;
>>
>>   Zone name: osn.cxo.cpqcorp.net
>>   Authoritative nameserver: linux.osn.cxo.cpqcorp.net.
>>   Administrator e-mail address: hostmaster.osn.cxo.cpqcorp.net.
>>   SOA serial: 1412344406
>>   SOA refresh: 3600
>>   SOA retry: 900
>>   SOA expire: 1209600
>>   SOA minimum: 3600
>>   Active zone: TRUE
>>   Allow query: any;
>>   Allow transfer: none;
>> ----------------------------
>> Number of entries returned 2
>> ----------------------------
>>
>> - Are there any other DNS servers serving the same DNS zones?
>>
>>>> Yes....we left the other two existing DNS servers in place as they are
>>>> our primary name servers for this lab segment.
>>>> Those are the two systems we have entered as forwarders.
>> - Did you configure forwarders in /etc/named.conf or via ipa command line
>> tools (ipa dnsconfig-mod or --forwarder option during ipa-server-install)?
>>
>>>> The forwarders were placed in the /etc/named.conf file by the
>>>> ipa-server-install script or one of its subordinate scripts
>>>> I did try entering the forward policy and forwarders using ipa
>>>> dnsconfig-mod but they didn't seem to change the behavior.
>>>> One thing I did notice was that ipa dnsconfig-mod --forwarder=
>>>> only allowed one forwarder to be entered.....adding
>>>> a second entry on the line resulted in an error.  If entered with a
>>>> second --forwarders command, the previous forwarder
>>>> was replaced by the new one.  So if there is a particular syntax
>>>> that would allow more than one entry, can you please
>>>> post same ?
>> - Please attach result of DNS lookups using "dig" command: One output when
>> it doesn't work (i.e. with IPA running) and the other when it works as you
>> expect (i.e. after "ipactl stop" and "service named restart").
>>
>>>> with ipa running:
>> [root@linux named]# nslookup dl160a.osn.cxo.cpqcorp.net
>> Server:         16.112.240.59
>> Address:        16.112.240.59#53
>>
>> ** server can't find dl160a.osn.cxo.cpqcorp.net: NXDOMAIN
>>
>> [root@linux named]# dig dl160a.osn.cxo.cpqcorp.net
>>
>> ; <<>> DiG 9.9.4-RedHat-9.9.4-14.el7 <<>> dl160a.osn.cxo.cpqcorp.net
>> ;; global options: +cmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 6571
>> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
>>
>> ;; OPT PSEUDOSECTION:
>> ; EDNS: version: 0, flags:; udp: 4096
>> ;; QUESTION SECTION:
>> ;dl160a.osn.cxo.cpqcorp.net.    IN      A
>>
>> ;; AUTHORITY SECTION:
>> osn.cxo.cpqcorp.net.    3600    IN      SOA     linux.osn.cxo.cpqcorp.net.
>> hostmaster.osn.cxo.cpqcorp.net. 1412344406 3600 900 1209600 3600
>>
>> ;; Query time: 1 msec
>> ;; SERVER: 16.112.240.59#53(16.112.240.59)
>> ;; WHEN: Fri Oct 03 11:08:35 EDT 2014
>> ;; MSG SIZE  rcvd: 108
>>
>>
>> [root@linux named]# ipactl stop
>> Stopping Directory Service
>> Stopping ipa-otpd Service
>> Stopping pki-tomcatd Service
>> Stopping httpd Service
>> Stopping ipa_memcached Service
>> Stopping named Service
>> Stopping kadmin Service
>> Stopping krb5kdc Service
>> ipa: INFO: The ipactl command was successful
>>
>> [root@linux named]# systemctl start named
>> [root@linux named]#
>> [root@linux named]#
>> [root@linux named]# dig dl160a.osn.cxo.cpqcorp.net
>>
>> ; <<>> DiG 9.9.4-RedHat-9.9.4-14.el7 <<>> dl160a.osn.cxo.cpqcorp.net
>> ;; global options: +cmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28446
>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 4
>>
>> ;; OPT PSEUDOSECTION:
>> ; EDNS: version: 0, flags:; udp: 4096
>> ;; QUESTION SECTION:
>> ;dl160a.osn.cxo.cpqcorp.net.    IN      A
>>
>> ;; ANSWER SECTION:
>> dl160a.osn.cxo.cpqcorp.net. 43200 IN    A       16.112.240.191
>>
>> ;; AUTHORITY SECTION:
>> osn.cxo.cpqcorp.net.    43200   IN      NS      cluster.osn.cxo.cpqcorp.net.
>> osn.cxo.cpqcorp.net.    43200   IN      NS      win2008.osn.cxo.cpqcorp.net.
>> osn.cxo.cpqcorp.net.    43200   IN      NS      denali.osn.cxo.cpqcorp.net.
>>
>> ;; ADDITIONAL SECTION:
>> win2008.osn.cxo.cpqcorp.net. 43200 IN   A       16.112.240.55
>> cluster.osn.cxo.cpqcorp.net. 43200 IN   A       16.112.240.27
>> denali.osn.cxo.cpqcorp.net. 43200 IN    A       16.112.240.40
>>
>> ;; Query time: 4 msec
>> ;; SERVER: 16.112.240.59#53(16.112.240.59)
>> ;; WHEN: Fri Oct 03 11:10:54 EDT 2014
>> ;; MSG SIZE  rcvd: 184
>>
>>
>> Thank you.
>>
>> --
>> Petr^2 Spacek
>>
>> --
>> Manage your subscription for the Freeipa-users mailing list:
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>> Go To http://freeipa.org for more info on the project
>>
> I am not a specialist but can it be that when you run just named it uses
> files and when you start IPA it uses LDAP database and the issue that the
> forwarders are correctly recorded in files (manually?) but not in the LDAP
> database?
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager IdM portfolio
> Red Hat, Inc.
>

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
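The two dig answers quoted in this thread differ in their headers, and that difference is the diagnostic: with IPA running, the reply carries the aa flag and the IPA server's own SOA for osn.cxo.cpqcorp.net in the AUTHORITY section, so the server answered "no such name" out of a zone it holds itself, which is a case where no forwarder is consulted at all; after ipactl stop the reply has no aa flag and the name is resolved by recursion through the other lab servers listed as NS. The dnsconfig-mod attempt also shows bash reading the ';' between the two addresses as a command separator (bash: 16.112.240.40: command not found), so only the first address ever reached ipa. The script below is an added example, not code from the thread, from FreeIPA or from BIND: it classifies dig output on exactly those header criteria over constructed samples modelled on the two quoted answers, extracts the zone the answering server claims, and builds --forwarder arguments while rejecting any value the shell could split. It assumes that ipa dnsconfig-mod accepts --forwarder once per address; that syntax is not shown on this page.

```shell
#!/bin/sh
# Added example (not from the thread, FreeIPA or BIND): tell "answered from a
# zone this server is authoritative for" apart from "resolved by recursion or
# forwarding" by reading the dig header, and build forwarder arguments safely.

# Constructed sample modelled on the dig answer quoted while IPA was running:
# aa flag set, NXDOMAIN, and the local server's SOA in AUTHORITY.
DIG_IPA_RUNNING=$(cat <<'EOF'
; <<>> DiG 9.9.4-RedHat-9.9.4-14.el7 <<>> dl160a.osn.cxo.cpqcorp.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 6571
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;dl160a.osn.cxo.cpqcorp.net.    IN      A

;; AUTHORITY SECTION:
osn.cxo.cpqcorp.net.    3600    IN      SOA     linux.osn.cxo.cpqcorp.net. hostmaster.osn.cxo.cpqcorp.net. 1412344406 3600 900 1209600 3600
EOF
)

# Constructed sample modelled on the answer after "ipactl stop" and a plain
# named start: no aa flag, NOERROR, one A record, other servers as NS.
DIG_NAMED_ONLY=$(cat <<'EOF'
; <<>> DiG 9.9.4-RedHat-9.9.4-14.el7 <<>> dl160a.osn.cxo.cpqcorp.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28446
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 4

;; QUESTION SECTION:
;dl160a.osn.cxo.cpqcorp.net.    IN      A

;; ANSWER SECTION:
dl160a.osn.cxo.cpqcorp.net. 43200 IN    A       16.112.240.191

;; AUTHORITY SECTION:
osn.cxo.cpqcorp.net.    43200   IN      NS      cluster.osn.cxo.cpqcorp.net.
EOF
)

# classify_dig: read dig output on stdin and print one word:
#   local-authoritative-nxdomain  aa set and NXDOMAIN: this server owns the
#                                 zone and says the name does not exist, so
#                                 no forwarder is ever asked for that name
#   recursive-nxdomain            NXDOMAIN without aa: an upstream server said no
#   resolved                      NOERROR with at least one answer record
#   empty-noerror                 NOERROR but no answer (name exists, no A record)
#   unknown                       anything else (SERVFAIL, REFUSED, no header)
classify_dig() {
    out=$(cat)
    status=$(printf '%s\n' "$out" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1)
    flags=$(printf '%s\n' "$out" | sed -n 's/^;; flags: \([a-z ]*\);.*/\1/p' | head -n 1)
    answers=$(printf '%s\n' "$out" | sed -n 's/.*ANSWER: \([0-9]*\),.*/\1/p' | head -n 1)
    case "$status" in
        NOERROR)
            if [ "${answers:-0}" -gt 0 ]; then echo resolved; else echo empty-noerror; fi ;;
        NXDOMAIN)
            case " $flags " in
                *" aa "*) echo local-authoritative-nxdomain ;;
                *)        echo recursive-nxdomain ;;
            esac ;;
        *) echo unknown ;;
    esac
}

# soa_zone_of: print the owner name of the SOA in the AUTHORITY section, i.e.
# the zone the answering server claims to hold; prints nothing if there is none.
soa_zone_of() {
    awk '/^;; AUTHORITY SECTION:/ { f = 1; next } f && $4 == "SOA" { print $1; exit }'
}

# build_forwarder_args: print one --forwarder=<address> argument per line.
# Any value containing characters other than digits and dots is rejected, so
# a string like "a;b" can never be handed to the shell as two commands.
# Assumption (not shown in the thread): ipa dnsconfig-mod takes the option
# once per address, e.g. --forwarder=A --forwarder=B.
build_forwarder_args() {
    for ip in "$@"; do
        case "$ip" in
            ''|*[!0-9.]*|.*|*.|*..*) echo "rejected forwarder value: $ip" >&2; return 1 ;;
        esac
        printf '%s\n' "--forwarder=$ip"
    done
}

printf '%s\n' "$DIG_IPA_RUNNING" | classify_dig   # local-authoritative-nxdomain
printf '%s\n' "$DIG_IPA_RUNNING" | soa_zone_of    # osn.cxo.cpqcorp.net.
printf '%s\n' "$DIG_NAMED_ONLY"  | classify_dig   # resolved
build_forwarder_args 16.112.240.27 16.112.240.40
```

Pipe real dig output into classify_dig and soa_zone_of on the IPA server: local-authoritative-nxdomain together with a zone name that also covers the name being queried means the lookup never left the local zone, and no forwarder setting will change that answer; only a name outside every locally held zone exercises the forwarders.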