On 8.12.2014 05:02, Dmitri Pal wrote:
> On 12/07/2014 10:10 PM, Matthew Herzog wrote:
>> So should the FreeIPA server be authoritative for the Kerb. realm/DNS domain
>> or can it/should it be a slave DNS server instead? Or caching only?
> 
> IPA DNS can't be a slave so you either delegate a whole zone to it or manage
> IPA DNS domain via your own DNS server.

Generally, "slave" is not allowed to do any changes so it is useless in your
scenario.

You can run ipa-server-install *without* --setup-dns option and at the end of
installation it will produce DNS records which you have to manually add to
your existing DNS database.

Did you try that?

Petr^2 Spacek

>> On Sun, Dec 7, 2014 at 9:57 PM, Dmitri Pal <d...@redhat.com
>> <mailto:d...@redhat.com>> wrote:
>>
>>     On 12/07/2014 09:51 PM, Matthew Herzog wrote:
>>>     What must be done in or on the ipa server with regard to DNS, if
>>>     anything?
>>>
>>>     Our DNS works. It works well. We have four Linux DNS servers and
>>>     two AD domain controllers that also do DNS.
>>>
>>>     So if we already have DNS working well in our domain, why do we
>>>     want to manage DNS in IPA?
>>
>>     Let us keep the discussion on the list.
>>     IPA when used with AD trust presents itself as a separate forest.
>>     AD thinks that it is working with another AD forest.
>>     For that to work we need to follow MSFT rules about relationship
>>     between Kerberos realm and DNS domain.
>>     AD assumes that for every trusted forest Kerberos realm = DNS
>>     domain. IPA makes it easy to do because it has integrated tools to
>>     manage IPA DNS domain.
>>     If you want to manage it yourself through your DNS you can do it,
>>     just more manual operations for you.
>>
>>     HTH
>>
>>     Thanks
>>     Dmitri
>>
>>
>>>
>>>     On Sun, Dec 7, 2014 at 9:44 PM, Dmitri Pal <d...@redhat.com
>>>     <mailto:d...@redhat.com>> wrote:
>>>
>>>         On 12/07/2014 06:44 PM, Matthew Herzog wrote:
>>>>         Thanks guys. I'm sorry for my delay in responding.
>>>>
>>>>         Firstly, I was under the impression (from reading the docs)
>>>>         that having named running on IPA server was critical.
>>>
>>>         Properly configured DNS is critical.
>>>         How you accomplish it is up to you.
>>>         IPA allows you to have a DNS server that would simplify DNS
>>>         management but it can be done manually too. This is why DNS
>>>         is optional.
>>>
>>>
>>>>         Also, the first question the ipa-server-install script asks
>>>>         is, "Do you want to configure integrated DNS (BIND)? ."
>>>>         While it's true the default answer is no, it leads one to
>>>>         believe that DNS is central to IPA. Also the
>>>>         ipa-client-install script says,
>>>>
>>>>         [root@freeipa-poc-client02 ~]# ipa-client-install
>>>>         DNS discovery failed to determine your DNS domain
>>>>         Provide the domain name of your IPA server (ex: example.com
>>>>         <http://example.com>):
>>>>
>>>>         I can resolve -anything- from the machine using dig or whatever.
>>>>
>>>>         Ultimately, the reason I started to be concerned about my
>>>>         IPA server's DNS config was because I was not able to
>>>>         authenticate AD accounts to a client machine. I saw a bunch
>>>>         of errors in the client's sssd logs which of course I can't
>>>>         find now.
>>>>
>>>>         Perhaps it was these . . .
>>>>
>>>>         (Thu Dec  4 13:45:23 2014) [sssd] [ping_check] (0x0100):
>>>>         Service nss replied to ping
>>>>         (Thu Dec  4 13:45:23 2014) [sssd] [ping_check] (0x0100):
>>>>         Service sudo replied to ping
>>>>         (Thu Dec  4 13:45:23 2014) [sssd] [ping_check] (0x0100):
>>>>         Service pam replied to ping
>>>>         (Thu Dec  4 13:45:23 2014) [sssd] [ping_check] (0x0100):
>>>>         Service ssh replied to ping
>>>>         (Thu Dec  4 13:45:23 2014) [sssd] [ping_check] (0x0100):
>>>>         Service pac replied to ping
>>>>         (Thu Dec  4 13:45:23 2014) [sssd] [ping_check] (0x0100):
>>>>         Service bo3.e-bozo.com <http://bo3.e-bozo.com> replied to ping
>>>>
>>>>         I'm not allowed onto the AD domain controllers to examine
>>>>         log files or I'd be checking those first.
>>>>
>>>>         So ultimately the goal is to authenticate AD users and users
>>>>         that exist in our ldap schema. We need to set up groups of
>>>>         users that can run sudo commands on specific groups of hosts.
>>>
>>>         Did you setup trusts as explained on the following page?
>>>         http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup
>>>
>>>
>>>>
>>>>
>>>>
>>>>         On Wed, Dec 3, 2014 at 3:46 AM, Petr Spacek
>>>>         <pspa...@redhat.com <mailto:pspa...@redhat.com>> wrote:
>>>>
>>>>             On 3.12.2014 04:35, Dmitri Pal wrote:
>>>>             > On 12/02/2014 08:54 PM, Matthew Herzog wrote:
>>>>             >> Any other ideas? I just spun up a new VM and took the
>>>>             defaults on everything
>>>>             >> while running ipa-server-install (the defaults did
>>>>             make sense) and my new VM
>>>>             >> can't resolve -anything- in the domain in which it
>>>>             lives. The "old" VM
>>>>             >> (running the same versions of everything on the same
>>>>             OS) can't even resolve
>>>>             >> the clients I have registered with it!
>>>>             >>
>>>>             >> So I'm pretty frustrated and am wondering, what
>>>>             _exactly_ is the role of
>>>>             >> bind in the IPA server and how is it expected to know
>>>>             anything about the
>>>>             >> local DNS domain without becoming a bind slave server?
>>>>             >
>>>>             > I am not sure I am 100% with you but...
>>>>             > If you use the defaults and nothing else you get to
>>>>             the scenario when IPA has
>>>>             > its DNS but it is a self contained environment. It
>>>>             seems that this is what you
>>>>             > observe.
>>>>             > It is expected that you decide in advance what you
>>>>             want to do with DNS. There
>>>>             > are several options:
>>>>             > 1) You can delegate a zone to IPA to manage, then you
>>>>             need to connect your IPA
>>>>             > DNS to your existing DNS during install or after.
>>>>             > In this case the systems joined to IPA will be a part
>>>>             of IPA domain/zone and
>>>>             > would also be able to resolve other systems around
>>>>             > 2) Not use IPA DNS if you do not want to take
>>>>             advantage of it
>>>>             > 3) Have a self contained demo/lab environment that you
>>>>             currently observe.
>>>>             >
>>>>             > What is the intent?
>>>>
>>>>             I agree with Dmitri, we need more information from you:
>>>>             - You said "my new VM can't resolve -anything- in the
>>>>             domain in which it
>>>>             lives." - Which domain do you mean?
>>>>
>>>>             - Apparently you have configured FreeIPA to serve zone
>>>>             e-bozo.com <http://e-bozo.com>. Do you have
>>>>             this zone configured on some other DNS server at the
>>>>             same time?
>>>>
>>>>             Please keep in mind that authoritative servers should
>>>>             share the database. You
>>>>             will get naming collisions if e-bozo.com
>>>>             <http://e-bozo.com> is served by FreeIPA DNS servers and
>>>>             some other servers at the same time. Maybe that is the
>>>>             problem you see right now.
>>>>
>>>>             As Dmitri said, the architecturally correct solution is
>>>>             to decide if you want
>>>>             to use FreeIPA DNS or not. You have option to either
>>>>             remove non-FreeIPA DNS
>>>>             servers and import data to FreeIPA or to add
>>>>             FreeIPA-specific DNS records to
>>>>             existing DNS servers and do not configure FreeIPA to act
>>>>             as DNS server.
>>>>
>>>>             Petr^2 Spacek
>>>>
>>>>             >> Thanks.
>>>>             >>
>>>>             >> On Tue, Dec 2, 2014 at 11:58 AM, Petr Spacek
>>>>             <pspa...@redhat.com <mailto:pspa...@redhat.com>
>>>>             >> <mailto:pspa...@redhat.com
>>>>             <mailto:pspa...@redhat.com>>> wrote:
>>>>             >>
>>>>             >>     On 2.12.2014 17:36, Martin Basti wrote:
>>>>             >>     > On 02/12/14 17:28, Matthew Herzog wrote:
>>>>             >>     >> I just realized that my IPA servers cannot
>>>>             resolve ANY servers
>>>>             >>     in my domain.
>>>>             >>     >> What do I need to do to fix this? Below is my
>>>>             named.conf.
>>>>             >>     >>
>>>>             >>     >>
>>>>             >>     >> options {
>>>>             >>     >>  // turns on IPv6 for port 53, IPv4 is on by
>>>>             default for
>>>>             >>     all ifaces
>>>>             >>     >>  listen-on-v6 {any;};
>>>>             >>     >>
>>>>             >>     >>  // Put files that named is allowed to write
>>>>             in the
>>>>             >>     data/ directory:
>>>>             >>     >>  directory "/var/named"; // the default
>>>>             >>     >>  dump-file "data/cache_dump.db";
>>>>             >>     >>  statistics-file "data/named_stats.txt";
>>>>             >>     >>  memstatistics-file "data/named_mem_stats.txt";
>>>>             >>     >>
>>>>             >>     >>  forward first;
>>>>             >>     >>  forwarders {
>>>>             >>     >>          10.100.8.41;
>>>>             >>     >>          10.100.8.40;
>>>>             >>     >>          10.100.4.13;
>>>>             >>     >>          10.100.4.14;
>>>>             >>     >>          10.100.4.19;
>>>>             >>     >>          10.100.4.44;
>>>>             >>     >>  };
>>>>             >>     >>
>>>>             >>     >>  // Any host is permitted to issue recursive
>>>>             queries
>>>>             >>     >>  allow-recursion { any; };
>>>>             >>     >>
>>>>             >>     >>  tkey-gssapi-keytab "/etc/named.keytab";
>>>>             >>     >>  pid-file "/run/named/named.pid";
>>>>             >>     >> };
>>>>             >>     >>
>>>>             >>     >> /* If you want to enable debugging, eg. using
>>>>             the 'rndc trace'
>>>>             >>     command,
>>>>             >>     >>  * By default, SELinux policy does not allow
>>>>             named to modify
>>>>             >>     the /var/named
>>>>             >>     >> directory,
>>>>             >>     >>  * so put the default debug log file in data/ :
>>>>             >>     >>  */
>>>>             >>     >> logging {
>>>>             >>     >>  channel default_debug {
>>>>             >>     >>          file "data/named.run";
>>>>             >>     >>          severity dynamic;
>>>>             >>     >>          print-time yes;
>>>>             >>     >>  };
>>>>             >>     >>  };
>>>>             >>     >> };
>>>>             >>     >>
>>>>             >>     >> zone "." IN {
>>>>             >>     >>  type hint;
>>>>             >>     >>  file "named.ca <http://named.ca>
>>>>             <http://named.ca> <http://named.ca>";
>>>>             >>     >> };
>>>>             >>     >>
>>>>             >>     >> include "/etc/named.rfc1912.zones";
>>>>             >>     >>
>>>>             >>     >> dynamic-db "ipa" {
>>>>             >>     >>  library "ldap.so";
>>>>             >>     >>  arg "uri
>>>>             >>  ldapi://%2fvar%2frun%2fslapd-BO3-E-BOZO-COM.socket";
>>>>             >>     >>  arg "base cn=dns, dc=bo3,dc=e-bozo,dc=com";
>>>>             >>     >>  arg "fake_mname freeipa-poc01.bo3.e-bozo.com
>>>>             <http://freeipa-poc01.bo3.e-bozo.com>
>>>>             >>     <http://freeipa-poc01.bo3.e-bozo.com>
>>>>             >>     >> <http://freeipa-poc01.bo3.e-bozo.com>.";
>>>>             >>     >>  arg "auth_method sasl";
>>>>             >>     >>  arg "sasl_mech GSSAPI";
>>>>             >>     >>  arg "sasl_user
>>>>             DNS/freeipa-poc01.bo3.e-bozo.com
>>>>             <http://freeipa-poc01.bo3.e-bozo.com>
>>>>             >>     <http://freeipa-poc01.bo3.e-bozo.com>
>>>>             >>     >> <http://freeipa-poc01.bo3.e-bozo.com>";
>>>>             >>     >>  arg "serial_autoincrement yes";
>>>>             >>     >> };
>>>>             >>     >>
>>>>             >>     >>
>>>>             >>     >>
>>>>             >>     >>
>>>>             >>     > Hello,
>>>>             >>     >
>>>>             >>     > which version ipa do you use? which platform?
>>>>             Which version
>>>>             >>     bind-dyndb-ldap?
>>>>             >>     >
>>>>             >>     > Can you run these commands, and check if there
>>>>             any errors?
>>>>             >>     > ipactl status
>>>>             >>     > systemctl status named  (respectively
>>>>             journalctl -u named)
>>>>             >>
>>>>             >>     We also may want to see information listed on page
>>>>             >>
>>>>             https://fedorahosted.org/bind-dyndb-ldap/wiki/BugReporting

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project

Reply via email to