On 12/07/2014 10:10 PM, Matthew Herzog wrote:
So should the FreeIPA server be authoritative for the Kerb. realm/DNS domain or can it/should it be a slave DNS server instead? Or caching only?

IPA DNS can't be a slave, so you either delegate a whole zone to it or manage the IPA DNS domain via your own DNS server.


On Sun, Dec 7, 2014 at 9:57 PM, Dmitri Pal <d...@redhat.com> wrote:

    On 12/07/2014 09:51 PM, Matthew Herzog wrote:
    What must be done in or on the ipa server with regard to DNS, if
    anything?

    Our DNS works. It works well. We have four Linux DNS servers and
    two AD domain controllers that also do DNS.

    So if we already have DNS working well in our domain, why do we
    want to manage DNS in IPA?

    Let us keep the discussion on the list.
    IPA when used with AD trust presents itself as a separate forest.
    AD thinks that it is working with another AD forest.
    For that to work we need to follow MSFT rules about the relationship
    between Kerberos realm and DNS domain.
    AD assumes that for every trusted forest Kerberos realm = DNS
    domain. IPA makes it easy to do because it has integrated tools to
    manage IPA DNS domain.
    If you want to manage it yourself through your DNS you can do it,
    just more manual operations for you.

    HTH

    Thanks
    Dmitri



    On Sun, Dec 7, 2014 at 9:44 PM, Dmitri Pal <d...@redhat.com> wrote:

        On 12/07/2014 06:44 PM, Matthew Herzog wrote:
        Thanks guys. I'm sorry for my delay in responding.

        Firstly, I was under the impression (from reading the docs)
        that having named running on IPA server was critical.

        Properly configured DNS is critical.
        How you accomplish it is up to you.
        IPA allows you to have a DNS server that would simplify DNS
        management but it can be done manually too. This is why DNS
        is optional.


        Also, the first question the ipa-server-install script asks
        is, "Do you want to configure integrated DNS (BIND)? ."
        While it's true the default answer is no, it leads one to
        believe that DNS is central to IPA. Also the
        ipa-client-install script says,

        [root@freeipa-poc-client02 ~]# ipa-client-install
        DNS discovery failed to determine your DNS domain
        Provide the domain name of your IPA server (ex: example.com):

        I can resolve -anything- from the machine using dig or whatever.

        Ultimately, the reason I started to be concerned about my
        IPA server's DNS config was because I was not able to
        authenticate AD accounts to a client machine. I saw a bunch
        of errors in the client's sssd logs which of course I can't
        find now.

        Perhaps it was these . . .

        (Thu Dec  4 13:45:23 2014) [sssd] [ping_check] (0x0100):
        Service nss replied to ping
        (Thu Dec  4 13:45:23 2014) [sssd] [ping_check] (0x0100):
        Service sudo replied to ping
        (Thu Dec  4 13:45:23 2014) [sssd] [ping_check] (0x0100):
        Service pam replied to ping
        (Thu Dec  4 13:45:23 2014) [sssd] [ping_check] (0x0100):
        Service ssh replied to ping
        (Thu Dec  4 13:45:23 2014) [sssd] [ping_check] (0x0100):
        Service pac replied to ping
        (Thu Dec  4 13:45:23 2014) [sssd] [ping_check] (0x0100):
        Service bo3.e-bozo.com replied to ping

        I'm not allowed onto the AD domain controllers to examine
        log files or I'd be checking those first.

        So ultimately the goal is to authenticate AD users and users
        that exist in our ldap schema. We need to set up groups of
        users that can run sudo commands on specific groups of hosts.

        Did you setup trusts as explained on the following page?
        http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup





        On Wed, Dec 3, 2014 at 3:46 AM, Petr Spacek <pspa...@redhat.com> wrote:

            On 3.12.2014 04:35, Dmitri Pal wrote:
            > On 12/02/2014 08:54 PM, Matthew Herzog wrote:
            >> Any other ideas? I just spun up a new VM and took the defaults on everything
            >> while running ipa-server-install (the defaults did make sense) and my new VM
            >> can't resolve -anything- in the domain in which it lives. The "old" VM
            >> (running the same versions of everything on the same OS) can't even resolve
            >> the clients I have registered with it!
            >>
            >> So I'm pretty frustrated and am wondering, what _exactly_ is the role of
            >> bind in the IPA server and how is it expected to know anything about the
            >> local DNS domain without becoming a bind slave server?
            >
            > I am not sure I am 100% with you but...
            > If you use the defaults and nothing else you get to the scenario when IPA has
            > its DNS but it is a self-contained environment. It seems that this is what you
            > observe.
            > It is expected that you decide in advance what you want to do with DNS. There
            > are several options:
            > 1) You can delegate a zone to IPA to manage, then you need to connect your IPA
            > DNS to your existing DNS during install or after.
            > In this case the systems joined to IPA will be a part of the IPA domain/zone and
            > would also be able to resolve other systems around.
            > 2) Not use IPA DNS if you do not want to take advantage of it.
            > 3) Have a self-contained demo/lab environment that you currently observe.
            >
            > What is the intent?

            I agree with Dmitri, we need more information from you:
            - You said "my new VM can't resolve -anything- in the domain in which it
            lives." - Which domain do you mean?

            - Apparently you have configured FreeIPA to serve zone e-bozo.com. Do you have
            this zone configured on some other DNS server at the same time?

            Please keep in mind that authoritative servers should share the database. You
            will get naming collisions if e-bozo.com is served by FreeIPA DNS servers and
            some other servers at the same time. Maybe that is the problem you see right now.

            As Dmitri said, the architecturally correct solution is to decide if you want
            to use FreeIPA DNS or not. You have the option to either remove non-FreeIPA DNS
            servers and import data to FreeIPA, or to add FreeIPA-specific DNS records to
            existing DNS servers and not configure FreeIPA to act as a DNS server.

            Petr^2 Spacek

            >> Thanks.
            >>
            >> On Tue, Dec 2, 2014 at 11:58 AM, Petr Spacek <pspa...@redhat.com> wrote:
            >>
            >>     On 2.12.2014 17:36, Martin Basti wrote:
            >>     > On 02/12/14 17:28, Matthew Herzog wrote:
            >>     >> I just realized that my IPA servers cannot resolve ANY servers in my domain.
            >>     >> What do I need to do to fix this? Below is my named.conf.
            >>     >>
            >>     >> options {
            >>     >>  // turns on IPv6 for port 53, IPv4 is on by default for all ifaces
            >>     >>  listen-on-v6 {any;};
            >>     >>
            >>     >>  // Put files that named is allowed to write in the data/ directory:
            >>     >>  directory "/var/named"; // the default
            >>     >>  dump-file "data/cache_dump.db";
            >>     >>  statistics-file "data/named_stats.txt";
            >>     >>  memstatistics-file "data/named_mem_stats.txt";
            >>     >>
            >>     >>  forward first;
            >>     >>  forwarders {
            >>     >>          10.100.8.41;
            >>     >>          10.100.8.40;
            >>     >>          10.100.4.13;
            >>     >>          10.100.4.14;
            >>     >>          10.100.4.19;
            >>     >>          10.100.4.44;
            >>     >>  };
            >>     >>
            >>     >>  // Any host is permitted to issue recursive queries
            >>     >>  allow-recursion { any; };
            >>     >>
            >>     >>  tkey-gssapi-keytab "/etc/named.keytab";
            >>     >>  pid-file "/run/named/named.pid";
            >>     >> };
            >>     >>
            >>     >> /* If you want to enable debugging, eg. using the 'rndc trace' command,
            >>     >>  * By default, SELinux policy does not allow named to modify the /var/named directory,
            >>     >>  * so put the default debug log file in data/ :
            >>     >>  */
            >>     >> logging {
            >>     >>  channel default_debug {
            >>     >>          file "data/named.run";
            >>     >>          severity dynamic;
            >>     >>          print-time yes;
            >>     >>  };
            >>     >> };
            >>     >>
            >>     >> zone "." IN {
            >>     >>  type hint;
            >>     >>  file "named.ca";
            >>     >> };
            >>     >>
            >>     >> include "/etc/named.rfc1912.zones";
            >>     >>
            >>     >> dynamic-db "ipa" {
            >>     >>  library "ldap.so";
            >>     >>  arg "uri ldapi://%2fvar%2frun%2fslapd-BO3-E-BOZO-COM.socket";
            >>     >>  arg "base cn=dns, dc=bo3,dc=e-bozo,dc=com";
            >>     >>  arg "fake_mname freeipa-poc01.bo3.e-bozo.com.";
            >>     >>  arg "auth_method sasl";
            >>     >>  arg "sasl_mech GSSAPI";
            >>     >>  arg "sasl_user DNS/freeipa-poc01.bo3.e-bozo.com";
            >>     >>  arg "serial_autoincrement yes";
            >>     >> };
            >>     >>
            >>     > Hello,
            >>     >
            >>     > Which version of IPA do you use? Which platform? Which version of bind-dyndb-ldap?
            >>     >
            >>     > Can you run these commands, and check if there are any errors?
            >>     > ipactl status
            >>     > systemctl status named  (respectively journalctl -u named)
            >>
            >>     We also may want to see information listed on page
            >>     https://fedorahosted.org/bind-dyndb-ldap/wiki/BugReporting

            --
            Manage your subscription for the Freeipa-users mailing list:
            https://www.redhat.com/mailman/listinfo/freeipa-users
            Go To http://freeipa.org for more info on the project




-- If life gives you melons, you may be dyslexic.




-- Thank you,
        Dmitri Pal

        Sr. Engineering Manager IdM portfolio
        Red Hat, Inc.


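The three things Dmitri and Petr ask the poster to settle above (a Kerberos realm equal to the DNS domain for the AD trust, the IPA-specific records a client needs when your own DNS serves the zone, and one shared database per authoritative zone) as an added offline check; this is not code from the thread or from FreeIPA, and the required record set, the sample records and the ns-old.example server are constructed assumptions.

```python
"""Offline checks for the DNS shape discussed in the thread: constructed data,
not FreeIPA project code. In practice fill the dicts from dig/resolver answers."""

# SRV records a client needs to find the IPA server when the zone is served by
# your own DNS (assumed minimal set; ports are the standard service ports).
REQUIRED_SRV = {
    "_ldap._tcp": 389,
    "_kerberos._tcp": 88,
    "_kerberos._udp": 88,
    "_kpasswd._tcp": 464,
    "_kpasswd._udp": 464,
}

def realm_matches_domain(realm, domain):
    """AD trust assumes Kerberos realm == DNS domain (realm upper-cased)."""
    return realm == domain.upper()

def missing_srv_records(domain, records):
    """Owner names absent from `records` or lacking an RR on the expected port.
    `records` maps owner name -> list of (priority, weight, port, target)."""
    missing = []
    for prefix, port in REQUIRED_SRV.items():
        owner = f"{prefix}.{domain}."
        if not any(rr[2] == port for rr in records.get(owner, [])):
            missing.append(owner)
    return missing

def split_authority(soa_by_server):
    """Petr's collision case: if authoritative servers return different
    (mname, serial) SOA values, they are not sharing one zone database."""
    return len(set(soa_by_server.values())) > 1

# Constructed sample: zone delegated to the IPA server, _kpasswd records not
# yet added, and an old forwarder (ns-old.example is a placeholder) still
# carrying its own copy of the zone.
IPA = "freeipa-poc01.bo3.e-bozo.com."
SAMPLE_DOMAIN = "bo3.e-bozo.com"
SAMPLE_RECORDS = {
    f"_ldap._tcp.{SAMPLE_DOMAIN}.": [(0, 100, 389, IPA)],
    f"_kerberos._tcp.{SAMPLE_DOMAIN}.": [(0, 100, 88, IPA)],
    f"_kerberos._udp.{SAMPLE_DOMAIN}.": [(0, 100, 88, IPA)],
}
SAMPLE_SOA = {IPA: (IPA, 2014120401), "10.100.8.41": ("ns-old.example.", 17)}

if __name__ == "__main__":
    print(realm_matches_domain("BO3.E-BOZO.COM", SAMPLE_DOMAIN))
    print(missing_srv_records(SAMPLE_DOMAIN, SAMPLE_RECORDS))
    print(split_authority(SAMPLE_SOA))
```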