On 8.12.2014 05:02, Dmitri Pal wrote:
> On 12/07/2014 10:10 PM, Matthew Herzog wrote:
>> So should the FreeIPA server be authoritative for the Kerb. realm/DNS domain
>> or can it/should it be a slave DNS server instead? Or caching only?
>
> IPA DNS can't be a slave so you either delegate a whole zone to it or manage
> IPA DNS domain via your own DNS server.
Generally, "slave" is not allowed to do any changes so it is useless in your
scenario. You can run ipa-server-install *without* --setup-dns option and at
the end of installation it will produce DNS records which you have to manually
add to your existing DNS database. Did you try that?

Petr^2 Spacek

>> On Sun, Dec 7, 2014 at 9:57 PM, Dmitri Pal <[email protected]> wrote:
>>
>> On 12/07/2014 09:51 PM, Matthew Herzog wrote:
>>> What must be done in or on the ipa server with regard to DNS, if
>>> anything?
>>>
>>> Our DNS works. It works well. We have four Linux DNS servers and
>>> two AD domain controllers that also do DNS.
>>>
>>> So if we already have DNS working well in our domain, why do we
>>> want to manage DNS in IPA?
>>
>> Let us keep the discussion on the list.
>> IPA when used with AD trust presents itself as a separate forest.
>> AD thinks that it is working with another AD forest.
>> For that to work we need to follow MSFT rules about relationship
>> between Kerberos realm and DNS domain.
>> AD assumes that for every trusted forest Kerberos realm = DNS
>> domain. IPA makes it easy to do because it has integrated tools to
>> manage IPA DNS domain.
>> If you want to manage it yourself through your DNS you can do it,
>> just more manual operations for you.
>>
>> HTH
>>
>> Thanks
>> Dmitri
>>
>>
>>>
>>> On Sun, Dec 7, 2014 at 9:44 PM, Dmitri Pal <[email protected]> wrote:
>>>
>>> On 12/07/2014 06:44 PM, Matthew Herzog wrote:
>>>> Thanks guys. I'm sorry for my delay in responding.
>>>>
>>>> Firstly, I was under the impression (from reading the docs)
>>>> that having named running on IPA server was critical.
>>>
>>> Properly configured DNS is critical.
>>> How you accomplish it is up to you.
>>> IPA allows you to have a DNS server that would simplify DNS
>>> management but it can be done manually too. This is why DNS
>>> is optional.
>>>
>>>
>>>> Also, the first question the ipa-server-install script asks
>>>> is, "Do you want to configure integrated DNS (BIND)?"
>>>> While it's true the default answer is no, it leads one to
>>>> believe that DNS is central to IPA. Also the
>>>> ipa-client-install script says,
>>>>
>>>> [root@freeipa-poc-client02 ~]# ipa-client-install
>>>> DNS discovery failed to determine your DNS domain
>>>> Provide the domain name of your IPA server (ex: example.com):
>>>>
>>>> I can resolve -anything- from the machine using dig or whatever.
>>>>
>>>> Ultimately, the reason I started to be concerned about my
>>>> IPA server's DNS config was because I was not able to
>>>> authenticate AD accounts to a client machine. I saw a bunch
>>>> of errors in the client's sssd logs which of course I can't
>>>> find now.
>>>>
>>>> Perhaps it was these . . .
>>>>
>>>> (Thu Dec 4 13:45:23 2014) [sssd] [ping_check] (0x0100): Service nss replied to ping
>>>> (Thu Dec 4 13:45:23 2014) [sssd] [ping_check] (0x0100): Service sudo replied to ping
>>>> (Thu Dec 4 13:45:23 2014) [sssd] [ping_check] (0x0100): Service pam replied to ping
>>>> (Thu Dec 4 13:45:23 2014) [sssd] [ping_check] (0x0100): Service ssh replied to ping
>>>> (Thu Dec 4 13:45:23 2014) [sssd] [ping_check] (0x0100): Service pac replied to ping
>>>> (Thu Dec 4 13:45:23 2014) [sssd] [ping_check] (0x0100): Service bo3.e-bozo.com replied to ping
>>>>
>>>> I'm not allowed onto the AD domain controllers to examine
>>>> log files or I'd be checking those first.
>>>>
>>>> So ultimately the goal is to authenticate AD users and users
>>>> that exist in our ldap schema. We need to set up groups of
>>>> users that can run sudo commands on specific groups of hosts.
>>>
>>> Did you set up trusts as explained on the following page?
>>> http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup
>>>
>>>
>>>>
>>>>
>>>>
>>>> On Wed, Dec 3, 2014 at 3:46 AM, Petr Spacek <[email protected]> wrote:
>>>>
>>>> On 3.12.2014 04:35, Dmitri Pal wrote:
>>>> > On 12/02/2014 08:54 PM, Matthew Herzog wrote:
>>>> >> Any other ideas? I just spun up a new VM and took the defaults on everything
>>>> >> while running ipa-server-install (the defaults did make sense) and my new VM
>>>> >> can't resolve -anything- in the domain in which it lives. The "old" VM
>>>> >> (running the same versions of everything on the same OS) can't even resolve
>>>> >> the clients I have registered with it!
>>>> >>
>>>> >> So I'm pretty frustrated and am wondering, what _exactly_ is the role of
>>>> >> bind in the IPA server and how is it expected to know anything about the
>>>> >> local DNS domain without becoming a bind slave server?
>>>> >
>>>> > I am not sure I am 100% with you but...
>>>> > If you use the defaults and nothing else you get to the scenario when IPA has
>>>> > its DNS but it is a self contained environment. It seems that this is what you
>>>> > observe.
>>>> > It is expected that you decide in advance what you want to do with DNS. There
>>>> > are several options:
>>>> > 1) You can delegate a zone to IPA to manage, then you need to connect your IPA
>>>> > DNS to your existing DNS during install or after.
>>>> > In this case the systems joined to IPA will be a part of IPA domain/zone and
>>>> > would also be able to resolve other systems around
>>>> > 2) Not use IPA DNS if you do not want to take advantage of it
>>>> > 3) Have a self contained demo/lab environment that you currently observe.
>>>> >
>>>> > What is the intent?
>>>>
>>>> I agree with Dmitri, we need more information from you:
>>>> - You said "my new VM can't resolve -anything- in the domain in which it
>>>> lives." - Which domain do you mean?
>>>>
>>>> - Apparently you have configured FreeIPA to serve zone e-bozo.com. Do you have
>>>> this zone configured on some other DNS server at the same time?
>>>>
>>>> Please keep in mind that authoritative servers should share the database. You
>>>> will get naming collisions if e-bozo.com is served by FreeIPA DNS servers and
>>>> some other servers at the same time. Maybe that is the problem you see right now.
>>>>
>>>> As Dmitri said, the architecturally correct solution is to decide if you want
>>>> to use FreeIPA DNS or not. You have the option to either remove non-FreeIPA DNS
>>>> servers and import data to FreeIPA or to add FreeIPA-specific DNS records to
>>>> existing DNS servers and not configure FreeIPA to act as a DNS server.
>>>>
>>>> Petr^2 Spacek
>>>>
>>>> >> Thanks.
>>>> >>
>>>> >> On Tue, Dec 2, 2014 at 11:58 AM, Petr Spacek <[email protected]> wrote:
>>>> >>
>>>> >> On 2.12.2014 17:36, Martin Basti wrote:
>>>> >> > On 02/12/14 17:28, Matthew Herzog wrote:
>>>> >> >> I just realized that my IPA servers cannot resolve ANY servers in my domain.
>>>> >> >> What do I need to do to fix this? Below is my named.conf.
>>>> >> >>
>>>> >> >>
>>>> >> >> options {
>>>> >> >>         // turns on IPv6 for port 53, IPv4 is on by default for all ifaces
>>>> >> >>         listen-on-v6 {any;};
>>>> >> >>
>>>> >> >>         // Put files that named is allowed to write in the data/ directory:
>>>> >> >>         directory "/var/named"; // the default
>>>> >> >>         dump-file "data/cache_dump.db";
>>>> >> >>         statistics-file "data/named_stats.txt";
>>>> >> >>         memstatistics-file "data/named_mem_stats.txt";
>>>> >> >>
>>>> >> >>         forward first;
>>>> >> >>         forwarders {
>>>> >> >>                 10.100.8.41;
>>>> >> >>                 10.100.8.40;
>>>> >> >>                 10.100.4.13;
>>>> >> >>                 10.100.4.14;
>>>> >> >>                 10.100.4.19;
>>>> >> >>                 10.100.4.44;
>>>> >> >>         };
>>>> >> >>
>>>> >> >>         // Any host is permitted to issue recursive queries
>>>> >> >>         allow-recursion { any; };
>>>> >> >>
>>>> >> >>         tkey-gssapi-keytab "/etc/named.keytab";
>>>> >> >>         pid-file "/run/named/named.pid";
>>>> >> >> };
>>>> >> >>
>>>> >> >> /* If you want to enable debugging, eg. using the 'rndc trace' command,
>>>> >> >>  * By default, SELinux policy does not allow named to modify the /var/named directory,
>>>> >> >>  * so put the default debug log file in data/ :
>>>> >> >>  */
>>>> >> >> logging {
>>>> >> >>         channel default_debug {
>>>> >> >>                 file "data/named.run";
>>>> >> >>                 severity dynamic;
>>>> >> >>                 print-time yes;
>>>> >> >>         };
>>>> >> >> };
>>>> >> >> };
>>>> >> >>
>>>> >> >> zone "." IN {
>>>> >> >>         type hint;
>>>> >> >>         file "named.ca";
>>>> >> >> };
>>>> >> >>
>>>> >> >> include "/etc/named.rfc1912.zones";
>>>> >> >>
>>>> >> >> dynamic-db "ipa" {
>>>> >> >>         library "ldap.so";
>>>> >> >>         arg "uri ldapi://%2fvar%2frun%2fslapd-BO3-E-BOZO-COM.socket";
>>>> >> >>         arg "base cn=dns, dc=bo3,dc=e-bozo,dc=com";
>>>> >> >>         arg "fake_mname freeipa-poc01.bo3.e-bozo.com.";
>>>> >> >>         arg "auth_method sasl";
>>>> >> >>         arg "sasl_mech GSSAPI";
>>>> >> >>         arg "sasl_user DNS/freeipa-poc01.bo3.e-bozo.com";
>>>> >> >>         arg "serial_autoincrement yes";
>>>> >> >> };
>>>> >> >>
>>>> >> >>
>>>> >> >>
>>>> >> >>
>>>> >> > Hello,
>>>> >> >
>>>> >> > Which version of IPA do you use? Which platform? Which version of bind-dyndb-ldap?
>>>> >> >
>>>> >> > Can you run these commands and check if there are any errors?
>>>> >> > ipactl status
>>>> >> > systemctl status named (respectively journalctl -u named)
>>>> >>
>>>> >> We may also want to see the information listed on the page
>>>> >> https://fedorahosted.org/bind-dyndb-ldap/wiki/BugReporting

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
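The route Petr describes at the top of the thread, running ipa-server-install without --setup-dns and adding the records it prints to an existing DNS database, fails in exactly the way Matthew saw ("DNS discovery failed to determine your DNS domain") when one of those records is missing, points at a short hostname, or advertises a realm that does not match the DNS domain (the realm = domain rule Dmitri mentions for AD trust). The script below is an added example written for this page; it is not code from the thread or from FreeIPA. It checks a record set offline before it is loaded into an external zone. The record lines are constructed for the demonstration, their "name TTL IN TYPE rdata" layout is an assumption modelled on zone-file syntax, and the list of required service names is taken from standard IPA client discovery rather than from the thread.

```python
"""
Offline pre-flight check for the DNS records an IPA deployment needs in an
externally managed zone.  Added example, not FreeIPA code.  The sample
records are constructed; the zone-file-style input format and the set of
required service names are assumptions (standard IPA client discovery).
"""
from dataclasses import dataclass

# SRV names an IPA client resolves during discovery; _kerberos is a TXT
# record carrying the realm name.  Assumed from IPA client behaviour.
REQUIRED_SRV = ("_ldap._tcp", "_kerberos._tcp", "_kerberos._udp",
                "_kpasswd._tcp", "_kpasswd._udp")


@dataclass
class Record:
    name: str    # owner name, lower-cased, with trailing dot
    rtype: str   # record type, upper-cased
    rdata: str   # remainder of the line


def parse_records(text):
    """Parse 'name TTL IN TYPE rdata' lines; blank lines and ';' comments are skipped."""
    records = []
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 4)
        if len(parts) < 5 or parts[2].upper() != "IN":
            raise ValueError(f"unrecognised record line: {line!r}")
        name, _ttl, _cls, rtype, rdata = parts
        records.append(Record(name.lower(), rtype.upper(), rdata.strip()))
    return records


def check_ipa_records(text, domain, realm):
    """Return a list of problems; an empty list means the set looks usable."""
    domain = domain.lower().rstrip(".")
    problems = []
    by_key = {}
    for r in parse_records(text):
        by_key.setdefault((r.name, r.rtype), []).append(r)

    # Every discovery SRV must exist and point at a fully qualified host in the domain.
    for svc in REQUIRED_SRV:
        key = (f"{svc}.{domain}.", "SRV")
        if key not in by_key:
            problems.append(f"missing SRV record {svc}.{domain}.")
            continue
        for r in by_key[key]:
            fields = r.rdata.split()          # priority weight port target
            if len(fields) != 4:
                problems.append(f"malformed SRV rdata for {r.name}: {r.rdata!r}")
                continue
            target = fields[3]
            if not target.endswith("."):
                problems.append(f"SRV target {target} for {r.name} is not a fully "
                                f"qualified name (missing trailing dot)")
            elif not target.lower().endswith(f".{domain}."):
                problems.append(f"SRV target {target} for {r.name} is outside {domain}")

    # The _kerberos TXT record must advertise the realm clients are expected to use.
    txt = by_key.get((f"_kerberos.{domain}.", "TXT"))
    if not txt:
        problems.append(f"missing _kerberos.{domain}. TXT record naming the realm")
    else:
        advertised = txt[0].rdata.strip('"')
        if advertised != realm:
            problems.append(f"_kerberos TXT advertises realm {advertised!r}, expected {realm!r}")

    # AD-trust rule from the thread: Kerberos realm == upper-cased DNS domain.
    if realm != domain.upper():
        problems.append(f"realm {realm!r} does not match DNS domain {domain!r} "
                        f"(required for AD trust)")
    return problems


# Constructed sample record sets (example.test is a placeholder domain).
GOOD_RECORDS = """\
; complete set, in the style of what the installer prints
_ldap._tcp.example.test. 86400 IN SRV 0 100 389 ipa.example.test.
_kerberos._tcp.example.test. 86400 IN SRV 0 100 88 ipa.example.test.
_kerberos._udp.example.test. 86400 IN SRV 0 100 88 ipa.example.test.
_kpasswd._tcp.example.test. 86400 IN SRV 0 100 464 ipa.example.test.
_kpasswd._udp.example.test. 86400 IN SRV 0 100 464 ipa.example.test.
_kerberos.example.test. 86400 IN TXT "EXAMPLE.TEST"
"""

BAD_RECORDS = """\
; incomplete set: short-name SRV target, missing records, wrong realm
_ldap._tcp.example.test. 86400 IN SRV 0 100 389 ipa
_kerberos._tcp.example.test. 86400 IN SRV 0 100 88 ipa.example.test.
_kerberos.example.test. 86400 IN TXT "CORP.EXAMPLE.TEST"
"""

if __name__ == "__main__":
    for label, recs in (("good", GOOD_RECORDS), ("bad", BAD_RECORDS)):
        found = check_ipa_records(recs, "example.test", "EXAMPLE.TEST")
        print(f"{label}: {'OK' if not found else str(len(found)) + ' problem(s)'}")
        for p in found:
            print("  -", p)
```

Run it against the records the installer printed (with your own domain and realm in place of the placeholders) before loading them into the external servers; each reported line is something ipa-client-install or SSSD would otherwise discover only by failing.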
