OK, I found the generated zone file in /tmp and it looks sane.
Should I add those lines of config to our DNS servers?

On Mon, Dec 8, 2014 at 2:10 PM, Matthew Herzog <matthew.her...@gmail.com>
wrote:

> Here are some errors I'm seeing on the client.
>
> tail -f sssd_lnx.e-bozo.com.log
> (Mon Dec  8 14:03:20 2014) [sssd[be[lnx.e-bozo.com]]] [sbus_dispatch]
> (0x4000): dbus conn: 0x1e72ad0
> (Mon Dec  8 14:03:20 2014) [sssd[be[lnx.e-bozo.com]]] [sbus_dispatch]
> (0x4000): Dispatching.
> (Mon Dec  8 14:03:20 2014) [sssd[be[lnx.e-bozo.com]]]
> [sbus_message_handler] (0x4000): Received SBUS method [ping]
> (Mon Dec  8 14:03:20 2014) [sssd[be[lnx.e-bozo.com]]]
> [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
> (Mon Dec  8 14:03:20 2014) [sssd[be[lnx.e-bozo.com]]]
> [sbus_handler_got_caller_id] (0x4000): Received SBUS method [ping]
> (Mon Dec  8 14:03:30 2014) [sssd[be[lnx.e-bozo.com]]] [sbus_dispatch]
> (0x4000): dbus conn: 0x1e72ad0
> (Mon Dec  8 14:03:30 2014) [sssd[be[lnx.e-bozo.com]]] [sbus_dispatch]
> (0x4000): Dispatching.
> (Mon Dec  8 14:03:30 2014) [sssd[be[lnx.e-bozo.com]]]
> [sbus_message_handler] (0x4000): Received SBUS method [ping]
> (Mon Dec  8 14:03:30 2014) [sssd[be[lnx.e-bozo.com]]]
> [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
> (Mon Dec  8 14:03:30 2014) [sssd[be[lnx.e-bozo.com]]]
> [sbus_handler_got_caller_id] (0x4000): Received SBUS method [ping]
> (Mon Dec  8 14:03:40 2014) [sssd[be[lnx.e-bozo.com]]] [sbus_dispatch]
> (0x4000): dbus conn: 0x1e72ad0
> (Mon Dec  8 14:03:40 2014) [sssd[be[lnx.e-bozo.com]]] [sbus_dispatch]
> (0x4000): Dispatching.
>
> [root@freeipa-poc-client02 sssd]# tail -f sssd_ssh.log
> (Sun Dec  7 19:32:09 2014) [sssd[ssh]] [ssh_process_init] (0x0010):
> sss_process_init() failed
> (Sun Dec  7 19:32:09 2014) [sssd[ssh]] [sss_dp_init] (0x0010): Failed to
> connect to monitor services.
> (Sun Dec  7 19:32:09 2014) [sssd[ssh]] [sss_process_init] (0x0010): fatal
> error setting up backend connector
> (Sun Dec  7 19:32:09 2014) [sssd[ssh]] [ssh_process_init] (0x0010):
> sss_process_init() failed
> (Sun Dec  7 19:32:16 2014) [sssd[ssh]] [sss_dp_init] (0x0010): Failed to
> connect to monitor services.
> (Sun Dec  7 19:32:16 2014) [sssd[ssh]] [sss_process_init] (0x0010): fatal
> error setting up backend connector
> (Sun Dec  7 19:32:16 2014) [sssd[ssh]] [ssh_process_init] (0x0010):
> sss_process_init() failed
> (Sun Dec  7 19:32:16 2014) [sssd[ssh]] [sss_dp_init] (0x0010): Failed to
> connect to monitor services.
> (Sun Dec  7 19:32:16 2014) [sssd[ssh]] [sss_process_init] (0x0010): fatal
> error setting up backend connector
> (Sun Dec  7 19:32:16 2014) [sssd[ssh]] [ssh_process_init] (0x0010):
> sss_process_init() failed
>
>
> On Mon, Dec 8, 2014 at 11:48 AM, Matthew Herzog <matthew.her...@gmail.com>
> wrote:
>
>> I have never seen my IPA servers produce a zone file nor has the install
>> script ever mentioned the creation of such. In fact, I just ran
>> ipa-server-install --uninstall && ipa-server-install and there was no
>> mention of a zone file.
>>
>> Where should I look in the file system to be sure? I see nothing in
>> /var/named. I'm using 3.3.3 IPA on Oracle Linux from Oracle's yum repo.
>> (Not my choice.)
>>
>> dsee7 is *not* running Kerberos. dsee7 is *not* configured with SRV
>> records. I guess I'll need to add SRV records for all my Linux hosts.
>>
>>
>> On Mon, Dec 8, 2014 at 10:41 AM, Petr Spacek <pspa...@redhat.com> wrote:
>>
>>> On 8.12.2014 14:44, Matthew Herzog wrote:
>>> > Petr said, "You can run ipa-server-install *without* --setup-dns option and
>>> > at the end of installation it will produce DNS records which you have to
>>> > manually add to your existing DNS database."
>>> >
>>> > I can't see how this would be useful or which machines I would need to add
>>> > to our DNS.
>>> >
>>> > Perhaps I should have explained that we are not going to set up a new DNS
>>> > domain for the ipa-managed servers.
>>> Good.
>>>
>>> Now you should run ipa-server-install *without* --setup-dns, using
>>> lnx.e-bozo.com as your IPA domain. It will install full IPA server and
>>> spit out DNS zone file.
>>>
>>> Then you *have to* take this zone file and import it to your existing DNS
>>> infrastructure - that will give you fully functional IPA domain
>>> lnx.e-bozo.com.
>>>
>>> Caveat:
>>> Preceding text assumes that 'dsee7' is not using either Kerberos or DNS SRV
>>> records for LDAP service in domain lnx.e-bozo.com, i.e. clients connecting to
>>> DSEE7 should be (most likely) statically configured with DSEE7 server name.
>>>
>>> Petr^2 Spacek
>>>
>>> > We have an Oracle dsee7 server doing
>>> > LDAP for our Linux servers and accounts. We want to migrate to IPA so
>>> we
>>> > don't have to maintain a Linux/LDAP account for every user who needs
>>> access
>>> > to Linux servers. All of our users start with an account in AD and
>>> since
>>> > none of my predecessors knew about Winbind, they set up dsee7.
>>> >
>>> > So I'm thinking we'll need to import all our dsee7 accounts AND make it
>>> > possible for AD users to access the Linux systems without needing to
>>> create
>>> > them in IPA.
>>> >
>>> > On Mon, Dec 8, 2014 at 2:56 AM, Petr Spacek <pspa...@redhat.com>
>>> wrote:
>>> >
>>> >> On 8.12.2014 05:02, Dmitri Pal wrote:
>>> >>> On 12/07/2014 10:10 PM, Matthew Herzog wrote:
>>> >>>> So should the FreeIPA server be authoritative for the Kerb.
>>> realm/DNS
>>> >> domain
>>> >>>> or can it/should it be a slave DNS server instead? Or caching only?
>>> >>>
>>> >>> IPA DNS can't be a slave so you either delegate a whole zone to it or
>>> >> manage
>>> >>> IPA DNS domain via your own DNS server.
>>> >>
>>> >> Generally, "slave" is not allowed to do any changes so it is useless
>>> in
>>> >> your
>>> >> scenario.
>>> >>
>>> >> You can run ipa-server-install *without* --setup-dns option and at
>>> the end
>>> >> of
>>> >> installation it will produce DNS records which you have to manually
>>> add to
>>> >> your existing DNS database.
>>> >>
>>> >> Did you try that?
>>> >>
>>> >> Petr^2 Spacek
>>> >>
>>> >>>> On Sun, Dec 7, 2014 at 9:57 PM, Dmitri Pal <d...@redhat.com
>>> >>>> <mailto:d...@redhat.com>> wrote:
>>> >>>>
>>> >>>>     On 12/07/2014 09:51 PM, Matthew Herzog wrote:
>>> >>>>>     What must be done in or on the ipa server with regard to DNS,
>>> if
>>> >>>>>     anything?
>>> >>>>>
>>> >>>>>     Our DNS works. It works well. We have four Linux DNS servers
>>> and
>>> >>>>>     two AD domain controllers that also do DNS.
>>> >>>>>
>>> >>>>>     So if we already have DNS working well in our domain, why do we
>>> >>>>>     want to manage DNS in IPA?
>>> >>>>
>>> >>>>     Let us keep the discussion on the list.
>>> >>>>     IPA when used with AD trust presents itself as a separate
>>> forest.
>>> >>>>     AD thinks that it is working with another AD forest.
>>> >>>>     For that to work we need to follow MSFT rules about relationship
>>> >>>>     between Kerberos realm and DNS domain.
>>> >>>>     AD assumes that for every trusted forest Kerberos realm = DNS
>>> >>>>     domain. IPA makes it easy to do because it has integrated tools
>>> to
>>> >>>>     manage IPA DNS domain.
>>> >>>>     If you want to manage it yourself through your DNS you can do
>>> it,
>>> >>>>     just more manual operations for you.
>>> >>>>
>>> >>>>     HTH
>>> >>>>
>>> >>>>     Thanks
>>> >>>>     Dmitri
>>> >>>>
>>> >>>>
>>> >>>>>
>>> >>>>>     On Sun, Dec 7, 2014 at 9:44 PM, Dmitri Pal <d...@redhat.com
>>> >>>>>     <mailto:d...@redhat.com>> wrote:
>>> >>>>>
>>> >>>>>         On 12/07/2014 06:44 PM, Matthew Herzog wrote:
>>> >>>>>>         Thanks guys. I'm sorry for my delay in responding.
>>> >>>>>>
>>> >>>>>>         Firstly, I was under the impression (from reading the
>>> docs)
>>> >>>>>>         that having named running on IPA server was critical.
>>> >>>>>
>>> >>>>>         Properly configured DNS is critical.
>>> >>>>>         How you accomplish it is up to you.
>>> >>>>>         IPA allows you to have a DNS server that would simplify DNS
>>> >>>>>         management but it can be done manually too. This is why DNS
>>> >>>>>         is optional.
>>> >>>>>
>>> >>>>>
>>> >>>>>>         Also, the first question the ipa-server-install script
>>> asks
>>> >>>>>>         is, "Do you want to configure integrated DNS (BIND)? ."
>>> >>>>>>         While it's true the default answer is no, it leads one to
>>> >>>>>>         believe that DNS is central to IPA. Also the
>>> >>>>>>         ipa-client-install script says,
>>> >>>>>>
>>> >>>>>>         [root@freeipa-poc-client02 ~]# ipa-client-install
>>> >>>>>>         DNS discovery failed to determine your DNS domain
>>> >>>>>>         Provide the domain name of your IPA server (ex:
>>> example.com
>>> >>>>>>         <http://example.com>):
>>> >>>>>>
>>> >>>>>>         I can resolve -anything- from the machine using dig or
>>> >> whatever.
>>> >>>>>>
>>> >>>>>>         Ultimately, the reason I started to be concerned about my
>>> >>>>>>         IPA server's DNS config was because I was not able to
>>> >>>>>>         authenticate AD accounts to a client machine. I saw a
>>> bunch
>>> >>>>>>         of errors in the client's sssd logs which of course I
>>> can't
>>> >>>>>>         find now.
>>> >>>>>>
>>> >>>>>>         Perhaps it was these . . .
>>> >>>>>>
>>> >>>>>>         (Thu Dec  4 13:45:23 2014) [sssd] [ping_check] (0x0100):
>>> >>>>>>         Service nss replied to ping
>>> >>>>>>         (Thu Dec  4 13:45:23 2014) [sssd] [ping_check] (0x0100):
>>> >>>>>>         Service sudo replied to ping
>>> >>>>>>         (Thu Dec  4 13:45:23 2014) [sssd] [ping_check] (0x0100):
>>> >>>>>>         Service pam replied to ping
>>> >>>>>>         (Thu Dec  4 13:45:23 2014) [sssd] [ping_check] (0x0100):
>>> >>>>>>         Service ssh replied to ping
>>> >>>>>>         (Thu Dec  4 13:45:23 2014) [sssd] [ping_check] (0x0100):
>>> >>>>>>         Service pac replied to ping
>>> >>>>>>         (Thu Dec  4 13:45:23 2014) [sssd] [ping_check] (0x0100):
>>> >>>>>>         Service bo3.e-bozo.com <http://bo3.e-bozo.com> replied to
>>> >> ping
>>> >>>>>>
>>> >>>>>>         I'm not allowed onto the AD domain controllers to examine
>>> >>>>>>         log files or I'd be checking those first.
>>> >>>>>>
>>> >>>>>>         So ultimately the goal is to authenticate AD users and
>>> users
>>> >>>>>>         that exist in our ldap schema. We need to set up groups of
>>> >>>>>>         users that can run sudo commands on specific groups of
>>> hosts.
>>> >>>>>
>>> >>>>>         Did you set up trusts as explained on the following page?
>>> >>>>>         http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup
>>> >>>>>
>>> >>>>>
>>> >>>>>>
>>> >>>>>>
>>> >>>>>>
>>> >>>>>>         On Wed, Dec 3, 2014 at 3:46 AM, Petr Spacek
>>> >>>>>>         <pspa...@redhat.com <mailto:pspa...@redhat.com>> wrote:
>>> >>>>>>
>>> >>>>>>             On 3.12.2014 04:35, Dmitri Pal wrote:
>>> >>>>>>             > On 12/02/2014 08:54 PM, Matthew Herzog wrote:
>>> >>>>>>             >> Any other ideas? I just spun up a new VM and took
>>> the
>>> >>>>>>             defaults on everything
>>> >>>>>>             >> while running ipa-server-install (the defaults did
>>> >>>>>>             make sense) and my new VM
>>> >>>>>>             >> can't resolve -anything- in the domain in which it
>>> >>>>>>             lives. The "old" VM
>>> >>>>>>             >> (running the same versions of everything on the
>>> same
>>> >>>>>>             OS) can't even resolve
>>> >>>>>>             >> the clients I have registered with it!
>>> >>>>>>             >>
>>> >>>>>>             >> So I'm pretty frustrated and am wondering, what
>>> >>>>>>             _exactly_ is the role of
>>> >>>>>>             >> bind in the IPA server and how is it expected to
>>> know
>>> >>>>>>             anything about the
>>> >>>>>>             >> local DNS domain without becoming a bind slave
>>> server?
>>> >>>>>>             >
>>> >>>>>>             > I am not sure I am 100% with you but...
>>> >>>>>>             > If you use the defaults and nothing else you get to
>>> >>>>>>             the scenario when IPA has
>>> >>>>>>             > its DNS but it is a self contained environment. It
>>> >>>>>>             seems that this is what you
>>> >>>>>>             > observe.
>>> >>>>>>             > It is expected that you decide in advance what you
>>> >>>>>>             want to do with DNS. There
>>> >>>>>>             > are several options:
>>> >>>>>>             > 1) You can delegate a zone to IPA to manage, then
>>> you
>>> >>>>>>             need to connect your IPA
>>> >>>>>>             > DNS to your existing DNS during install or after.
>>> >>>>>>             > In this case the systems joined to IPA will be a
>>> part
>>> >>>>>>             of IPA domain/zone and
>>> >>>>>>             > would also be able to resolve other systems around
>>> >>>>>>             > 2) Not use IPA DNS if you do not want to take
>>> >>>>>>             advantage of it
>>> >>>>>>             > 3) Have a self contained demo/lab environment that
>>> you
>>> >>>>>>             currently observe.
>>> >>>>>>             >
>>> >>>>>>             > What is the intent?
>>> >>>>>>
>>> >>>>>>             I agree with Dmitri, we need more information from
>>> you:
>>> >>>>>>             - You said "my new VM can't resolve -anything- in the
>>> >>>>>>             domain in which it
>>> >>>>>>             lives." - Which domain do you mean?
>>> >>>>>>
>>> >>>>>>             - Apparently you have configured FreeIPA to serve zone
>>> >>>>>>             e-bozo.com <http://e-bozo.com>. Do you have
>>> >>>>>>             this zone configured on some other DNS server at the
>>> >>>>>>             same time?
>>> >>>>>>
>>> >>>>>>             Please keep in mind that authoritative servers should
>>> >>>>>>             share the database. You
>>> >>>>>>             will get naming collisions if e-bozo.com
>>> >>>>>>             <http://e-bozo.com> is served by FreeIPA DNS servers
>>> and
>>> >>>>>>             some other servers at the same time. Maybe that is the
>>> >>>>>>             problem you see right now.
>>> >>>>>>
>>> >>>>>>             As Dmitri said, the architecturally correct solution
>>> is
>>> >>>>>>             to decide if you want
>>> >>>>>>             to use FreeIPA DNS or not. You have option to either
>>> >>>>>>             remove non-FreeIPA DNS
>>> >>>>>>             servers and import data to FreeIPA or to add
>>> >>>>>>             FreeIPA-specific DNS records to
>>> >>>>>>             existing DNS servers and do not configure FreeIPA to
>>> act
>>> >>>>>>             as DNS server.
>>> >>>>>>
>>> >>>>>>             Petr^2 Spacek
>>> >>>>>>
>>> >>>>>>             >> Thanks.
>>> >>>>>>             >>
>>> >>>>>>             >> On Tue, Dec 2, 2014 at 11:58 AM, Petr Spacek
>>> >>>>>>             <pspa...@redhat.com <mailto:pspa...@redhat.com>
>>> >>>>>>             >> <mailto:pspa...@redhat.com
>>> >>>>>>             <mailto:pspa...@redhat.com>>> wrote:
>>> >>>>>>             >>
>>> >>>>>>             >>     On 2.12.2014 17:36, Martin Basti wrote:
>>> >>>>>>             >>     > On 02/12/14 17:28, Matthew Herzog wrote:
>>> >>>>>>             >>     >> I just realized that my IPA servers cannot
>>> >>>>>>             resolve ANY servers
>>> >>>>>>             >>     in my domain.
>>> >>>>>>             >>     >> What do I need to do to fix this? Below is
>>> my
>>> >>>>>>             named.conf.
>>> >>>>>>             >>     >>
>>> >>>>>>             >>     >>
>>> >>>>>>             >>     >> options {
>>> >>>>>>             >>     >>  // turns on IPv6 for port 53, IPv4 is on by
>>> >>>>>>             default for
>>> >>>>>>             >>     all ifaces
>>> >>>>>>             >>     >>  listen-on-v6 {any;};
>>> >>>>>>             >>     >>
>>> >>>>>>             >>     >>  // Put files that named is allowed to write
>>> >>>>>>             in the
>>> >>>>>>             >>     data/ directory:
>>> >>>>>>             >>     >>  directory "/var/named"; // the default
>>> >>>>>>             >>     >>  dump-file "data/cache_dump.db";
>>> >>>>>>             >>     >>  statistics-file "data/named_stats.txt";
>>> >>>>>>             >>     >>  memstatistics-file
>>> "data/named_mem_stats.txt";
>>> >>>>>>             >>     >>
>>> >>>>>>             >>     >>  forward first;
>>> >>>>>>             >>     >>  forwarders {
>>> >>>>>>             >>     >>          10.100.8.41;
>>> >>>>>>             >>     >>          10.100.8.40;
>>> >>>>>>             >>     >>          10.100.4.13;
>>> >>>>>>             >>     >>          10.100.4.14;
>>> >>>>>>             >>     >>          10.100.4.19;
>>> >>>>>>             >>     >>          10.100.4.44;
>>> >>>>>>             >>     >>  };
>>> >>>>>>             >>     >>
>>> >>>>>>             >>     >>  // Any host is permitted to issue recursive
>>> >>>>>>             queries
>>> >>>>>>             >>     >>  allow-recursion { any; };
>>> >>>>>>             >>     >>
>>> >>>>>>             >>     >>  tkey-gssapi-keytab "/etc/named.keytab";
>>> >>>>>>             >>     >>  pid-file "/run/named/named.pid";
>>> >>>>>>             >>     >> };
>>> >>>>>>             >>     >>
>>> >>>>>>             >>     >> /* If you want to enable debugging, eg.
>>> using
>>> >>>>>>             the 'rndc trace'
>>> >>>>>>             >>     command,
>>> >>>>>>             >>     >>  * By default, SELinux policy does not allow
>>> >>>>>>             named to modify
>>> >>>>>>             >>     the /var/named
>>> >>>>>>             >>     >> directory,
>>> >>>>>>             >>     >>  * so put the default debug log file in
>>> data/ :
>>> >>>>>>             >>     >>  */
>>> >>>>>>             >>     >> logging {
>>> >>>>>>             >>     >>  channel default_debug {
>>> >>>>>>             >>     >>          file "data/named.run";
>>> >>>>>>             >>     >>          severity dynamic;
>>> >>>>>>             >>     >>          print-time yes;
>>> >>>>>>             >>     >>  };
>>> >>>>>>             >>     >>  };
>>> >>>>>>             >>     >> };
>>> >>>>>>             >>     >>
>>> >>>>>>             >>     >> zone "." IN {
>>> >>>>>>             >>     >>  type hint;
>>> >>>>>>             >>     >>  file "named.ca <http://named.ca>
>>> >>>>>>             <http://named.ca> <http://named.ca>";
>>> >>>>>>             >>     >> };
>>> >>>>>>             >>     >>
>>> >>>>>>             >>     >> include "/etc/named.rfc1912.zones";
>>> >>>>>>             >>     >>
>>> >>>>>>             >>     >> dynamic-db "ipa" {
>>> >>>>>>             >>     >>  library "ldap.so";
>>> >>>>>>             >>     >>  arg "uri
>>> >>>>>>             >>
>>> ldapi://%2fvar%2frun%2fslapd-BO3-E-BOZO-COM.socket";
>>> >>>>>>             >>     >>  arg "base cn=dns, dc=bo3,dc=e-bozo,dc=com";
>>> >>>>>>             >>     >>  arg "fake_mname
>>> freeipa-poc01.bo3.e-bozo.com
>>> >>>>>>             <http://freeipa-poc01.bo3.e-bozo.com>
>>> >>>>>>             >>     <http://freeipa-poc01.bo3.e-bozo.com>
>>> >>>>>>             >>     >> <http://freeipa-poc01.bo3.e-bozo.com>.";
>>> >>>>>>             >>     >>  arg "auth_method sasl";
>>> >>>>>>             >>     >>  arg "sasl_mech GSSAPI";
>>> >>>>>>             >>     >>  arg "sasl_user
>>> >>>>>>             DNS/freeipa-poc01.bo3.e-bozo.com
>>> >>>>>>             <http://freeipa-poc01.bo3.e-bozo.com>
>>> >>>>>>             >>     <http://freeipa-poc01.bo3.e-bozo.com>
>>> >>>>>>             >>     >> <http://freeipa-poc01.bo3.e-bozo.com>";
>>> >>>>>>             >>     >>  arg "serial_autoincrement yes";
>>> >>>>>>             >>     >> };
>>> >>>>>>             >>     >>
>>> >>>>>>             >>     >>
>>> >>>>>>             >>     >>
>>> >>>>>>             >>     >>
>>> >>>>>>             >>     > Hello,
>>> >>>>>>             >>     >
>>> >>>>>>             >>     > which version ipa do you use? which platform?
>>> >>>>>>             Which version
>>> >>>>>>             >>     bind-dyndb-ldap?
>>> >>>>>>             >>     >
>>> >>>>>>             >>     > Can you run these commands, and check if
>>> there
>>> >>>>>>             any errors?
>>> >>>>>>             >>     > ipactl status
>>> >>>>>>             >>     > systemctl status named  (respectively
>>> >>>>>>             journalctl -u named)
>>> >>>>>>             >>
>>> >>>>>>             >>     We also may want to see information listed on
>>> page
>>> >>>>>>             >>
>>> >>>>>>
>>> >> https://fedorahosted.org/bind-dyndb-ldap/wiki/BugReporting
>>>
>>> --
>>> Petr^2 Spacek
>>>
>>
>>
>>
>> --
>> If life gives you melons, you may be dyslexic.
>>
>
>
>
> --
> If life gives you melons, you may be dyslexic.
>



-- 
If life gives you melons, you may be dyslexic.
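As an added example (not code from this thread or from FreeIPA itself), a small Python checker for the kind of zone fragment Petr describes: before the generated records are added to the existing DNS servers, it verifies that the SRV and _kerberos TXT discovery records a client relies on are present with the expected ports and that every SRV target is an absolute name, since a relative target silently gets the importing zone's $ORIGIN appended. The sample fragment and the host name freeipa-poc01.lnx.e-bozo.com are constructed placeholders.

```python
# Added example (not from the thread or FreeIPA): parse a BIND zone fragment
# and check it carries the discovery records an IPA client needs before the
# records are imported. SAMPLE_ZONE and freeipa-poc01 are constructed.
SAMPLE_ZONE = """\
$ORIGIN lnx.e-bozo.com.
_ldap._tcp      IN SRV 0 100 389 freeipa-poc01.lnx.e-bozo.com.
_kerberos._tcp  IN SRV 0 100 88  freeipa-poc01.lnx.e-bozo.com.
_kerberos._udp  IN SRV 0 100 88  freeipa-poc01.lnx.e-bozo.com.
_kpasswd._tcp   IN SRV 0 100 464 freeipa-poc01.lnx.e-bozo.com.
_kpasswd._udp   IN SRV 0 100 464 freeipa-poc01
_kerberos       IN TXT "LNX.E-BOZO.COM"
"""

# SRV names an IPA client resolves during discovery, with the expected port
# (a subset of what ipa-server-install emits; _kerberos-master and _ntp omitted).
REQUIRED_SRV = {
    "_ldap._tcp": 389,
    "_kerberos._tcp": 88,
    "_kerberos._udp": 88,
    "_kpasswd._tcp": 464,
    "_kpasswd._udp": 464,
}

def parse_zone(text):
    """Return ($ORIGIN, [(owner, type, rdata fields)]) from a zone fragment."""
    origin, records = None, []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        owner, *rest = line.split()
        # skip the optional TTL and class tokens between owner name and type
        while rest and (rest[0].isdigit() or rest[0] in ("IN", "CH")):
            rest.pop(0)
        if rest:
            records.append((owner, rest[0], rest[1:]))
    return origin, records

def check_zone(text, domain, realm):
    """Return a list of problems; an empty list means the fragment is usable."""
    origin, records = parse_zone(text)
    problems, seen = [], {}
    if origin != domain + ".":
        problems.append(f"$ORIGIN is {origin!r}, expected {domain}.")
    for owner, rtype, rdata in records:
        if rtype == "SRV":
            port, target = int(rdata[2]), rdata[3]
            seen[owner] = port
            if not target.endswith("."):
                # a relative target gets the importing zone's $ORIGIN appended
                problems.append(f"{owner}: SRV target {target!r} is not absolute")
        elif rtype == "TXT" and owner == "_kerberos":
            seen[owner] = rdata[0].strip('"')
    for name, port in REQUIRED_SRV.items():
        if name not in seen:
            problems.append(f"missing SRV record {name}")
        elif seen[name] != port:
            problems.append(f"{name}: port {seen[name]}, expected {port}")
    if seen.get("_kerberos") != realm:
        problems.append(f"_kerberos TXT should be {realm!r}, got {seen.get('_kerberos')!r}")
    return problems
```

Run it against the real file from /tmp with `check_zone(open(path).read(), "lnx.e-bozo.com", "LNX.E-BOZO.COM")`; an empty list means the records can be pasted into the existing zone as-is.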