On 12/08/2014 08:44 AM, Matthew Herzog wrote:
Petr said, "You can run ipa-server-install *without* --setup-dns option and at the end of
installation it will produce DNS records which you have to manually add to
your existing DNS database."

I can't see how this would be useful or which machines I would need to add to our DNS.

Perhaps I should have explained that we are not going to set up a new DNS domain for the ipa-managed servers. We have an Oracle dsee7 server doing LDAP for our Linux servers and accounts. We want to migrate to IPA so we don't have to maintain a Linux/LDAP account for every user who needs access to Linux servers. All of our users start with an account in AD and since none of my predecessors knew about Winbind, they set up dsee7.

So I'm thinking we'll need to import all our dsee7 accounts AND make it possible for AD users to access the Linux systems without needing to create them in IPA.


So the approach would be:

1) Install IPA (do not migrate users)
2) Establish trust with AD
3) Start switching client configuration from using LDAP with dsee7 to SSSD pointing to IPA

You do not need to migrate users.


On Mon, Dec 8, 2014 at 2:56 AM, Petr Spacek <pspa...@redhat.com> wrote:

    On 8.12.2014 05:02, Dmitri Pal wrote:
    > On 12/07/2014 10:10 PM, Matthew Herzog wrote:
    >> So should the FreeIPA server be authoritative for the Kerb. realm/DNS domain
    >> or can it/should it be a slave DNS server instead? Or caching only?
    >
    > IPA DNS can't be a slave so you either delegate a whole zone to it or manage
    > IPA DNS domain via your own DNS server.

    Generally, "slave" is not allowed to do any changes so it is useless in your
    scenario.

    You can run ipa-server-install *without* --setup-dns option and at the end of
    installation it will produce DNS records which you have to manually add to
    your existing DNS database.

    Did you try that?

    Petr^2 Spacek

    >> On Sun, Dec 7, 2014 at 9:57 PM, Dmitri Pal <d...@redhat.com> wrote:
    >>
    >>     On 12/07/2014 09:51 PM, Matthew Herzog wrote:
    >>>     What must be done in or on the ipa server with regard to DNS, if
    >>>     anything?
    >>>
    >>>     Our DNS works. It works well. We have four Linux DNS servers and
    >>>     two AD domain controllers that also do DNS.
    >>>
    >>>     So if we already have DNS working well in our domain, why do we
    >>>     want to manage DNS in IPA?
    >>
    >>     Let us keep the discussion on the list.
    >>     IPA when used with AD trust presents itself as a separate forest.
    >>     AD thinks that it is working with another AD forest.
    >>     For that to work we need to follow MSFT rules about relationship
    >>     between Kerberos realm and DNS domain.
    >>     AD assumes that for every trusted forest Kerberos realm = DNS
    >>     domain. IPA makes it easy to do because it has integrated tools to
    >>     manage IPA DNS domain.
    >>     If you want to manage it yourself through your DNS you can do it,
    >>     just more manual operations for you.
    >>
    >>     HTH
    >>
    >>     Thanks
    >>     Dmitri
    >>
    >>
    >>>
    >>>     On Sun, Dec 7, 2014 at 9:44 PM, Dmitri Pal <d...@redhat.com> wrote:
    >>>
    >>>         On 12/07/2014 06:44 PM, Matthew Herzog wrote:
    >>>>         Thanks guys. I'm sorry for my delay in responding.
    >>>>
    >>>>         Firstly, I was under the impression (from reading the docs)
    >>>>         that having named running on IPA server was critical.
    >>>
    >>>         Properly configured DNS is critical.
    >>>         How you accomplish it is up to you.
    >>>         IPA allows you to have a DNS server that would simplify DNS
    >>>         management but it can be done manually too. This is why DNS
    >>>         is optional.
    >>>
    >>>
    >>>>         Also, the first question the ipa-server-install script asks
    >>>>         is, "Do you want to configure integrated DNS (BIND)? ."
    >>>>         While it's true the default answer is no, it leads one to
    >>>>         believe that DNS is central to IPA. Also the
    >>>>         ipa-client-install script says,
    >>>>
    >>>>         [root@freeipa-poc-client02 ~]# ipa-client-install
    >>>>         DNS discovery failed to determine your DNS domain
    >>>>         Provide the domain name of your IPA server (ex: example.com):
    >>>>
    >>>>         I can resolve -anything- from the machine using dig or whatever.
    >>>>
    >>>>         Ultimately, the reason I started to be concerned about my
    >>>>         IPA server's DNS config was because I was not able to
    >>>>         authenticate AD accounts to a client machine. I saw a bunch
    >>>>         of errors in the client's sssd logs which of course I can't
    >>>>         find now.
    >>>>
    >>>>         Perhaps it was these . . .
    >>>>
    >>>>         (Thu Dec  4 13:45:23 2014) [sssd] [ping_check] (0x0100): Service nss replied to ping
    >>>>         (Thu Dec  4 13:45:23 2014) [sssd] [ping_check] (0x0100): Service sudo replied to ping
    >>>>         (Thu Dec  4 13:45:23 2014) [sssd] [ping_check] (0x0100): Service pam replied to ping
    >>>>         (Thu Dec  4 13:45:23 2014) [sssd] [ping_check] (0x0100): Service ssh replied to ping
    >>>>         (Thu Dec  4 13:45:23 2014) [sssd] [ping_check] (0x0100): Service pac replied to ping
    >>>>         (Thu Dec  4 13:45:23 2014) [sssd] [ping_check] (0x0100): Service bo3.e-bozo.com replied to ping
    >>>>
    >>>>         I'm not allowed onto the AD domain controllers to examine
    >>>>         log files or I'd be checking those first.
    >>>>
    >>>>         So ultimately the goal is to authenticate AD users and users
    >>>>         that exist in our ldap schema. We need to set up groups of
    >>>>         users that can run sudo commands on specific groups of hosts.
    >>>
    >>>         Did you setup trusts as explained on the following page?
    >>>         http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup
    >>>
    >>>
    >>>>
    >>>>
    >>>>
    >>>>         On Wed, Dec 3, 2014 at 3:46 AM, Petr Spacek <pspa...@redhat.com> wrote:
    >>>>
    >>>>             On 3.12.2014 04:35, Dmitri Pal wrote:
    >>>>             > On 12/02/2014 08:54 PM, Matthew Herzog wrote:
    >>>>             >> Any other ideas? I just spun up a new VM and took the
    >>>>             >> defaults on everything while running ipa-server-install
    >>>>             >> (the defaults did make sense) and my new VM can't resolve
    >>>>             >> -anything- in the domain in which it lives. The "old" VM
    >>>>             >> (running the same versions of everything on the same OS)
    >>>>             >> can't even resolve the clients I have registered with it!
    >>>>             >>
    >>>>             >> So I'm pretty frustrated and am wondering, what _exactly_
    >>>>             >> is the role of bind in the IPA server and how is it
    >>>>             >> expected to know anything about the local DNS domain
    >>>>             >> without becoming a bind slave server?
    >>>>             >
    >>>>             > I am not sure I am 100% with you but...
    >>>>             > If you use the defaults and nothing else you get to the
    >>>>             > scenario when IPA has its DNS but it is a self contained
    >>>>             > environment. It seems that this is what you observe.
    >>>>             > It is expected that you decide in advance what you want
    >>>>             > to do with DNS. There are several options:
    >>>>             > 1) You can delegate a zone to IPA to manage, then you
    >>>>             > need to connect your IPA DNS to your existing DNS during
    >>>>             > install or after.
    >>>>             > In this case the systems joined to IPA will be a part of
    >>>>             > IPA domain/zone and would also be able to resolve other
    >>>>             > systems around
    >>>>             > 2) Not use IPA DNS if you do not want to take advantage
    >>>>             > of it
    >>>>             > 3) Have a self contained demo/lab environment that you
    >>>>             > currently observe.
    >>>>             >
    >>>>             > What is the intent?
    >>>>
    >>>>             I agree with Dmitri, we need more information from you:
    >>>>             - You said "my new VM can't resolve -anything- in the
    >>>>             domain in which it lives." - Which domain do you mean?
    >>>>
    >>>>             - Apparently you have configured FreeIPA to serve zone
    >>>>             e-bozo.com. Do you have this zone configured on some
    >>>>             other DNS server at the same time?
    >>>>
    >>>>             Please keep in mind that authoritative servers should
    >>>>             share the database. You will get naming collisions if
    >>>>             e-bozo.com is served by FreeIPA DNS servers and some
    >>>>             other servers at the same time. Maybe that is the
    >>>>             problem you see right now.
    >>>>
    >>>>             As Dmitri said, the architecturally correct solution is
    >>>>             to decide if you want to use FreeIPA DNS or not. You
    >>>>             have option to either remove non-FreeIPA DNS servers and
    >>>>             import data to FreeIPA or to add FreeIPA-specific DNS
    >>>>             records to existing DNS servers and do not configure
    >>>>             FreeIPA to act as DNS server.
    >>>>
    >>>>             Petr^2 Spacek
    >>>>
    >>>>             >> Thanks.
    >>>>             >>
    >>>>             >> On Tue, Dec 2, 2014 at 11:58 AM, Petr Spacek <pspa...@redhat.com> wrote:
    >>>>             >>
    >>>>             >>     On 2.12.2014 17:36, Martin Basti wrote:
    >>>>             >>     > On 02/12/14 17:28, Matthew Herzog wrote:
    >>>>             >>     >> I just realized that my IPA servers cannot resolve ANY servers
    >>>>             >>     >> in my domain.
    >>>>             >>     >> What do I need to do to fix this? Below is my named.conf.
    >>>>             >>     >>
    >>>>             >>     >>
    >>>>             >>     >> options {
    >>>>             >>     >>  // turns on IPv6 for port 53, IPv4 is on by default for all ifaces
    >>>>             >>     >> listen-on-v6 {any;};
    >>>>             >>     >>
    >>>>             >>     >>  // Put files that named is allowed to write in the data/ directory:
    >>>>             >>     >> directory "/var/named"; // the default
    >>>>             >>     >> dump-file "data/cache_dump.db";
    >>>>             >>     >> statistics-file "data/named_stats.txt";
    >>>>             >>     >> memstatistics-file "data/named_mem_stats.txt";
    >>>>             >>     >>
    >>>>             >>     >> forward first;
    >>>>             >>     >> forwarders {
    >>>>             >>     >>     10.100.8.41;
    >>>>             >>     >>     10.100.8.40;
    >>>>             >>     >>     10.100.4.13;
    >>>>             >>     >>     10.100.4.14;
    >>>>             >>     >>     10.100.4.19;
    >>>>             >>     >>     10.100.4.44;
    >>>>             >>     >>  };
    >>>>             >>     >>
    >>>>             >>     >>  // Any host is permitted to issue recursive queries
    >>>>             >>     >> allow-recursion { any; };
    >>>>             >>     >>
    >>>>             >>     >> tkey-gssapi-keytab "/etc/named.keytab";
    >>>>             >>     >> pid-file "/run/named/named.pid";
    >>>>             >>     >> };
    >>>>             >>     >>
    >>>>             >>     >> /* If you want to enable debugging, eg. using the 'rndc trace' command,
    >>>>             >>     >>  * By default, SELinux policy does not allow named to modify the /var/named directory,
    >>>>             >>     >>  * so put the default debug log file in data/ :
    >>>>             >>     >>  */
    >>>>             >>     >> logging {
    >>>>             >>     >> channel default_debug {
    >>>>             >>     >>     file "data/named.run";
    >>>>             >>     >>     severity dynamic;
    >>>>             >>     >>     print-time yes;
    >>>>             >>     >>  };
    >>>>             >>     >>  };
    >>>>             >>     >> };
    >>>>             >>     >>
    >>>>             >>     >> zone "." IN {
    >>>>             >>     >>  type hint;
    >>>>             >>     >>  file "named.ca";
    >>>>             >>     >> };
    >>>>             >>     >>
    >>>>             >>     >> include "/etc/named.rfc1912.zones";
    >>>>             >>     >>
    >>>>             >>     >> dynamic-db "ipa" {
    >>>>             >>     >> library "ldap.so";
    >>>>             >>     >>  arg "uri ldapi://%2fvar%2frun%2fslapd-BO3-E-BOZO-COM.socket";
    >>>>             >>     >>  arg "base cn=dns, dc=bo3,dc=e-bozo,dc=com";
    >>>>             >>     >>  arg "fake_mname freeipa-poc01.bo3.e-bozo.com.";
    >>>>             >>     >>  arg "auth_method sasl";
    >>>>             >>     >>  arg "sasl_mech GSSAPI";
    >>>>             >>     >>  arg "sasl_user DNS/freeipa-poc01.bo3.e-bozo.com";
    >>>>             >>     >>  arg "serial_autoincrement yes";
    >>>>             >>     >> };
    >>>>             >>     >>
    >>>>             >>     >>
    >>>>             >>     >>
    >>>>             >>     >>
    >>>>             >>     > Hello,
    >>>>             >>     >
    >>>>             >>     > which version ipa do you use? which platform? Which version bind-dyndb-ldap?
    >>>>             >>     >
    >>>>             >>     > Can you run these commands, and check if there are any errors?
    >>>>             >>     > ipactl status
    >>>>             >>     > systemctl status named  (respectively journalctl -u named)
    >>>>             >>
    >>>>             >>     We also may want to see information listed on page
    >>>>             >>     https://fedorahosted.org/bind-dyndb-ldap/wiki/BugReporting

    --
    Manage your subscription for the Freeipa-users mailing list:
    https://www.redhat.com/mailman/listinfo/freeipa-users
    Go To http://freeipa.org for more info on the project




--
If life gives you melons, you may be dyslexic.




--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
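Petr's suggestion (run ipa-server-install without --setup-dns and add the records it prints to the existing DNS servers) and Dmitri's point that an AD trust requires Kerberos realm = DNS domain both reduce to checks an admin can script before pointing clients at the server. The following is an added example, not code from the thread or from FreeIPA: it parses zone-file style record lines such as the installer prints, reports which of the service records IPA clients rely on are absent or carry the wrong port, and confirms that the realm in the `_kerberos` TXT record is the upper-cased DNS domain. The record set, the port numbers (LDAP 389, Kerberos 88, kpasswd 464) and the sample lines using the thread's `bo3.e-bozo.com` names are the author's assumptions, constructed here; the exact output of the installer is not reproduced.

```python
import re

# Service records an IPA client needs for discovery (assumed set, with the
# standard ports; not copied from the installer's own output).
REQUIRED_SRV = {
    "_ldap._tcp": 389,
    "_kerberos._tcp": 88,
    "_kerberos._udp": 88,
    "_kpasswd._tcp": 464,
    "_kpasswd._udp": 464,
}
REQUIRED_TXT = {"_kerberos"}

# owner [ttl] [IN] type rdata   -- the usual zone-file shape
RECORD_RE = re.compile(
    r"^(?P<owner>\S+)\s+(?:\d+\s+)?(?:IN\s+)?(?P<rtype>SRV|TXT|A|AAAA)\s+(?P<rdata>.+?)\s*$"
)

# Constructed sample: what an admin would paste from the installer output.
# _kpasswd._udp is deliberately left out so the check has something to report.
SAMPLE_RECORDS = """\
; constructed sample, bo3.e-bozo.com names taken from the thread
_ldap._tcp.bo3.e-bozo.com.     86400 IN SRV 0 100 389 freeipa-poc01.bo3.e-bozo.com.
_kerberos._tcp.bo3.e-bozo.com. 86400 IN SRV 0 100 88  freeipa-poc01.bo3.e-bozo.com.
_kerberos._udp.bo3.e-bozo.com. 86400 IN SRV 0 100 88  freeipa-poc01.bo3.e-bozo.com.
_kpasswd._tcp.bo3.e-bozo.com.  86400 IN SRV 0 100 464 freeipa-poc01.bo3.e-bozo.com.
_kerberos.bo3.e-bozo.com.      86400 IN TXT "BO3.E-BOZO.COM"
"""


def parse_records(text):
    """Parse record lines into {(owner, rtype): [rdata, ...]}; owners are normalised."""
    records = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = RECORD_RE.match(line)
        if not m:
            raise ValueError("unrecognised record line: %r" % raw)
        owner = m.group("owner").rstrip(".").lower()
        records.setdefault((owner, m.group("rtype")), []).append(m.group("rdata"))
    return records


def missing_records(records, domain):
    """Return the service names whose SRV (right port) or TXT record is absent."""
    domain = domain.rstrip(".").lower()
    missing = set()
    for svc, port in REQUIRED_SRV.items():
        rdatas = records.get(("%s.%s" % (svc, domain), "SRV"), [])
        # SRV rdata is "priority weight port target"; require a matching port
        if not any(r.split()[2] == str(port) for r in rdatas if len(r.split()) == 4):
            missing.add(svc)
    for name in REQUIRED_TXT:
        if ("%s.%s" % (name, domain), "TXT") not in records:
            missing.add(name)
    return missing


def realm_from_txt(records, domain):
    """Realm advertised in the _kerberos TXT record, or None if it is absent."""
    rdatas = records.get(("_kerberos.%s" % domain.rstrip(".").lower(), "TXT"), [])
    return rdatas[0].strip('"') if rdatas else None


def realm_matches_domain(realm, domain):
    """The AD-trust rule Dmitri describes: realm must equal the upper-cased domain."""
    return realm is not None and realm == domain.rstrip(".").upper()


def check(text, domain):
    """Run both checks and return a summary dict for the caller to act on."""
    records = parse_records(text)
    realm = realm_from_txt(records, domain)
    return {
        "missing": sorted(missing_records(records, domain)),
        "realm": realm,
        "realm_ok": realm_matches_domain(realm, domain),
    }


if __name__ == "__main__":
    result = check(SAMPLE_RECORDS, "bo3.e-bozo.com")
    for svc in result["missing"]:
        print("missing or wrong port: %s" % svc)
    print("realm %s matches domain: %s" % (result["realm"], result["realm_ok"]))
```

Once the records are in place, the same names can be cross-checked with `dig SRV _ldap._tcp.bo3.e-bozo.com @server` against each of the existing DNS servers in turn, which is the practical way to catch the split-database situation Petr warns about: every authoritative server should return the same answer.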
