On 12/02/2014 08:54 PM, Matthew Herzog wrote:
Any other ideas? I just spun up a new VM and took the defaults on everything while running ipa-server-install (the defaults did make sense) and my new VM can't resolve -anything- in the domain in which it lives. The "old" VM (running the same versions of everything on the same OS) can't even resolve the clients I have registered with it!


So I'm pretty frustrated and am wondering, what _exactly_ is the role of bind in the IPA server and how is it expected to know anything about the local DNS domain without becoming a bind slave server?

I am not sure I am 100% with you but...
If you use the defaults and nothing else you get to the scenario where IPA has its DNS but it is a self-contained environment. It seems that this is what you observe. It is expected that you decide in advance what you want to do with DNS. There are several options:
1) You can delegate a zone to IPA to manage, then you need to connect your IPA DNS to your existing DNS during install or after. In this case the systems joined to IPA will be a part of the IPA domain/zone and would also be able to resolve other systems around.
2) Not use IPA DNS if you do not want to take advantage of it.
3) Have a self-contained demo/lab environment that you currently observe.

What is the intent?


Thanks.

On Tue, Dec 2, 2014 at 11:58 AM, Petr Spacek <pspa...@redhat.com> wrote:

    On 2.12.2014 17:36, Martin Basti wrote:
    > On 02/12/14 17:28, Matthew Herzog wrote:
    >> I just realized that my IPA servers cannot resolve ANY servers in my domain.
    >> What do I need to do to fix this? Below is my named.conf.
    >>
    >>
    >> options {
    >>         // turns on IPv6 for port 53, IPv4 is on by default for all ifaces
    >>         listen-on-v6 {any;};
    >>
    >>         // Put files that named is allowed to write in the data/ directory:
    >>         directory "/var/named"; // the default
    >>         dump-file  "data/cache_dump.db";
    >>         statistics-file  "data/named_stats.txt";
    >>         memstatistics-file "data/named_mem_stats.txt";
    >>
    >>         forward first;
    >>         forwarders {
    >>                 10.100.8.41;
    >>                 10.100.8.40;
    >>                 10.100.4.13;
    >>                 10.100.4.14;
    >>                 10.100.4.19;
    >>                 10.100.4.44;
    >>         };
    >>
    >>         // Any host is permitted to issue recursive queries
    >>         allow-recursion { any; };
    >>
    >>         tkey-gssapi-keytab "/etc/named.keytab";
    >>         pid-file "/run/named/named.pid";
    >> };
    >>
    >> /* If you want to enable debugging, eg. using the 'rndc trace' command,
    >>  * By default, SELinux policy does not allow named to modify the /var/named directory,
    >>  * so put the default debug log file in data/ :
    >>  */
    >> logging {
    >>         channel default_debug {
    >>                 file "data/named.run";
    >>                 severity dynamic;
    >>                 print-time yes;
    >>         };
    >> };
    >>
    >> zone "." IN {
    >>         type hint;
    >>         file "named.ca";
    >> };
    >>
    >> include "/etc/named.rfc1912.zones";
    >>
    >> dynamic-db "ipa" {
    >>         library "ldap.so";
    >>         arg "uri ldapi://%2fvar%2frun%2fslapd-BO3-E-BOZO-COM.socket";
    >>         arg "base cn=dns, dc=bo3,dc=e-bozo,dc=com";
    >>         arg "fake_mname freeipa-poc01.bo3.e-bozo.com.";
    >>         arg "auth_method sasl";
    >>         arg "sasl_mech GSSAPI";
    >>         arg "sasl_user DNS/freeipa-poc01.bo3.e-bozo.com";
    >>         arg "serial_autoincrement yes";
    >> };
    >>
    >>
    >>
    >>
    > Hello,
    >
    > Which version of IPA do you use? Which platform? Which version of bind-dyndb-ldap?
    >
    > Can you run these commands, and check if there are any errors?
    > ipactl status
    > systemctl status named  (respectively journalctl -u named)

    We also may want to see information listed on page
    https://fedorahosted.org/bind-dyndb-ldap/wiki/BugReporting

    --
    Petr^2 Spacek

    --
    Manage your subscription for the Freeipa-users mailing list:
    https://www.redhat.com/mailman/listinfo/freeipa-users
    Go To http://freeipa.org for more info on the project




--
If life gives you melons, you may be dyslexic.




--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
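To make option 1 in Dmitri's reply checkable, here is an added Python diagnostic (not from this thread and not FreeIPA code) that sends raw DNS queries using only the standard library and evaluates the three things a delegated IPA zone needs: the IPA server answers its own zone authoritatively, the parent zone hands out NS records for it, and a name outside the zone resolves through the forwarders. The sample names are assumptions taken from Matthew's named.conf (zone bo3.e-bozo.com, parent server 10.100.8.41, one of his forwarders); substitute your own when calling query() and evaluate().

```python
import socket
import struct

QTYPE = {"A": 1, "NS": 2, "CNAME": 5, "SOA": 6}

def build_query(name, qtype, txid=0x1234):
    """Minimal RFC 1035 query: header with RD set, one question, no EDNS."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode() for p in name.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", QTYPE[qtype], 1)

def _skip_name(data, pos):
    while True:                       # walk labels until the root label or a pointer
        length = data[pos]
        if length & 0xC0 == 0xC0:     # compression pointer: two bytes, ends the name
            return pos + 2
        pos += 1 + length
        if length == 0:
            return pos

def parse_response(data):
    txid, flags, qd, an, ns, _ar = struct.unpack("!HHHHHH", data[:12])
    pos = 12
    for _ in range(qd):
        pos = _skip_name(data, pos) + 4     # skip QTYPE and QCLASS
    sections = {"answer": [], "authority": []}   # RR types per section, rdata skipped
    for section, count in (("answer", an), ("authority", ns)):
        for _ in range(count):
            pos = _skip_name(data, pos)
            rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", data[pos:pos + 10])
            sections[section].append(rtype)
            pos += 10 + rdlen
    return {"id": txid, "aa": bool(flags & 0x0400), "rcode": flags & 0xF, **sections}

def query(server, name, qtype, timeout=2.0):
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:   # plain UDP to port 53
        s.settimeout(timeout)
        s.sendto(build_query(name, qtype), (server, 53))
        data, _ = s.recvfrom(4096)
    return parse_response(data)

def evaluate(soa_from_ipa, ns_from_parent, external_from_ipa):
    """IPA must answer its own zone's SOA with AA set; the parent must hand out NS records for
    the zone (a NODATA reply carries only an SOA in authority); an external name must resolve."""
    ns_types = ns_from_parent["answer"] + ns_from_parent["authority"]
    return {
        "ipa_authoritative_for_zone": soa_from_ipa["aa"] and QTYPE["SOA"] in soa_from_ipa["answer"],
        "parent_delegates_zone": ns_from_parent["rcode"] == 0 and QTYPE["NS"] in ns_types,
        "ipa_forwards_external": external_from_ipa["rcode"] == 0 and QTYPE["A"] in external_from_ipa["answer"],
    }
```

Live use (assumed addresses): evaluate(query("<ipa-server-ip>", "bo3.e-bozo.com", "SOA"), query("10.100.8.41", "bo3.e-bozo.com", "NS"), query("<ipa-server-ip>", "redhat.com", "A")). A parent that has never been told about the IPA zone answers the NS query with NODATA or NXDOMAIN, which the checker reports as not delegated.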
