On 8.12.2014 20:27, Matthew Herzog wrote:
> OK, I found the generated zone file in /tmp and it looks sane.
> Should I add those lines of config to our DNS servers?

Yes, exactly. After that you can proceed with AD trust establishment.

BTW ipa-server-install tells you where the file is, with the message:
"Sample zone file for bind has been created in ..."

I just checked IPA 3.3.x and the message is really there :-)

Have a nice day!

Petr^2 Spacek

>
> On Mon, Dec 8, 2014 at 2:10 PM, Matthew Herzog <matthew.her...@gmail.com> wrote:
>
>> Here are some errors I'm seeing on the client.
>>
>> tail -f sssd_lnx.e-bozo.com.log
>> (Mon Dec 8 14:03:20 2014) [sssd[be[lnx.e-bozo.com]]] [sbus_dispatch] (0x4000): dbus conn: 0x1e72ad0
>> (Mon Dec 8 14:03:20 2014) [sssd[be[lnx.e-bozo.com]]] [sbus_dispatch] (0x4000): Dispatching.
>> (Mon Dec 8 14:03:20 2014) [sssd[be[lnx.e-bozo.com]]] [sbus_message_handler] (0x4000): Received SBUS method [ping]
>> (Mon Dec 8 14:03:20 2014) [sssd[be[lnx.e-bozo.com]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
>> (Mon Dec 8 14:03:20 2014) [sssd[be[lnx.e-bozo.com]]] [sbus_handler_got_caller_id] (0x4000): Received SBUS method [ping]
>> (Mon Dec 8 14:03:30 2014) [sssd[be[lnx.e-bozo.com]]] [sbus_dispatch] (0x4000): dbus conn: 0x1e72ad0
>> (Mon Dec 8 14:03:30 2014) [sssd[be[lnx.e-bozo.com]]] [sbus_dispatch] (0x4000): Dispatching.
>> (Mon Dec 8 14:03:30 2014) [sssd[be[lnx.e-bozo.com]]] [sbus_message_handler] (0x4000): Received SBUS method [ping]
>> (Mon Dec 8 14:03:30 2014) [sssd[be[lnx.e-bozo.com]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
>> (Mon Dec 8 14:03:30 2014) [sssd[be[lnx.e-bozo.com]]] [sbus_handler_got_caller_id] (0x4000): Received SBUS method [ping]
>> (Mon Dec 8 14:03:40 2014) [sssd[be[lnx.e-bozo.com]]] [sbus_dispatch] (0x4000): dbus conn: 0x1e72ad0
>> (Mon Dec 8 14:03:40 2014) [sssd[be[lnx.e-bozo.com]]] [sbus_dispatch] (0x4000): Dispatching.
>>
>> [root@freeipa-poc-client02 sssd]# tail -f sssd_ssh.log
>> (Sun Dec 7 19:32:09 2014) [sssd[ssh]] [ssh_process_init] (0x0010): sss_process_init() failed
>> (Sun Dec 7 19:32:09 2014) [sssd[ssh]] [sss_dp_init] (0x0010): Failed to connect to monitor services.
>> (Sun Dec 7 19:32:09 2014) [sssd[ssh]] [sss_process_init] (0x0010): fatal error setting up backend connector
>> (Sun Dec 7 19:32:09 2014) [sssd[ssh]] [ssh_process_init] (0x0010): sss_process_init() failed
>> (Sun Dec 7 19:32:16 2014) [sssd[ssh]] [sss_dp_init] (0x0010): Failed to connect to monitor services.
>> (Sun Dec 7 19:32:16 2014) [sssd[ssh]] [sss_process_init] (0x0010): fatal error setting up backend connector
>> (Sun Dec 7 19:32:16 2014) [sssd[ssh]] [ssh_process_init] (0x0010): sss_process_init() failed
>> (Sun Dec 7 19:32:16 2014) [sssd[ssh]] [sss_dp_init] (0x0010): Failed to connect to monitor services.
>> (Sun Dec 7 19:32:16 2014) [sssd[ssh]] [sss_process_init] (0x0010): fatal error setting up backend connector
>> (Sun Dec 7 19:32:16 2014) [sssd[ssh]] [ssh_process_init] (0x0010): sss_process_init() failed
>>
>>
>> On Mon, Dec 8, 2014 at 11:48 AM, Matthew Herzog <matthew.her...@gmail.com> wrote:
>>
>>> I have never seen my IPA servers produce a zone file nor has the install
>>> script ever mentioned the creation of such. In fact, I just ran
>>> ipa-server-install --uninstall && ipa-server-install and there was no
>>> mention of a zone file.
>>>
>>> Where should I look in the file system to be sure? I see nothing in
>>> /var/named. I'm using 3.3.3 IPA on Oracle Linux from Oracle's yum repo.
>>> (Not my choice.)
>>>
>>> dsee7 is *not* running Kerberos. dsee7 is *not* configured with SRV
>>> records. I guess I'll need to add SRV records for all my Linux hosts.
>>>
>>>
>>> On Mon, Dec 8, 2014 at 10:41 AM, Petr Spacek <pspa...@redhat.com> wrote:
>>>
>>>> On 8.12.2014 14:44, Matthew Herzog wrote:
>>>>> Petr said, "You can run ipa-server-install *without* --setup-dns option and
>>>>> at the end of installation it will produce DNS records which you have to
>>>>> manually add to your existing DNS database."
>>>>>
>>>>> I can't see how this would be useful or which machines I would need to add
>>>>> to our DNS.
>>>>>
>>>>> Perhaps I should have explained that we are not going to set up a new DNS
>>>>> domain for the ipa-managed servers.
>>>>
>>>> Good.
>>>>
>>>> Now you should run ipa-server-install *without* --setup-dns, using
>>>> lnx.e-bozo.com as your IPA domain. It will install a full IPA server and
>>>> spit out a DNS zone file.
>>>>
>>>> Then you *have to* take this zone file and import it to your existing DNS
>>>> infrastructure - that will give you a fully functional IPA domain
>>>> lnx.e-bozo.com.
>>>>
>>>> Caveat:
>>>> The preceding text assumes that 'dsee7' is not using either Kerberos or DNS
>>>> SRV records for the LDAP service in domain lnx.e-bozo.com, i.e. clients
>>>> connecting to DSEE7 should be (most likely) statically configured with the
>>>> DSEE7 server name.
>>>>
>>>> Petr^2 Spacek
>>>>
>>>>> We have an Oracle dsee7 server doing LDAP for our Linux servers and
>>>>> accounts. We want to migrate to IPA so we don't have to maintain a
>>>>> Linux/LDAP account for every user who needs access to Linux servers. All
>>>>> of our users start with an account in AD and since none of my predecessors
>>>>> knew about Winbind, they set up dsee7.
>>>>>
>>>>> So I'm thinking we'll need to import all our dsee7 accounts AND make it
>>>>> possible for AD users to access the Linux systems without needing to
>>>>> create them in IPA.
>>>>>
>>>>> On Mon, Dec 8, 2014 at 2:56 AM, Petr Spacek <pspa...@redhat.com> wrote:
>>>>>
>>>>>> On 8.12.2014 05:02, Dmitri Pal wrote:
>>>>>>> On 12/07/2014 10:10 PM, Matthew Herzog wrote:
>>>>>>>> So should the FreeIPA server be authoritative for the Kerb. realm/DNS
>>>>>>>> domain or can it/should it be a slave DNS server instead? Or caching only?
>>>>>>>
>>>>>>> IPA DNS can't be a slave so you either delegate a whole zone to it or
>>>>>>> manage the IPA DNS domain via your own DNS server.
>>>>>>
>>>>>> Generally, a "slave" is not allowed to do any changes so it is useless in
>>>>>> your scenario.
>>>>>>
>>>>>> You can run ipa-server-install *without* the --setup-dns option and at the
>>>>>> end of installation it will produce DNS records which you have to manually
>>>>>> add to your existing DNS database.
>>>>>>
>>>>>> Did you try that?
>>>>>>
>>>>>> Petr^2 Spacek
>>>>>>
>>>>>>>> On Sun, Dec 7, 2014 at 9:57 PM, Dmitri Pal <d...@redhat.com> wrote:
>>>>>>>>
>>>>>>>> On 12/07/2014 09:51 PM, Matthew Herzog wrote:
>>>>>>>>> What must be done in or on the ipa server with regard to DNS, if
>>>>>>>>> anything?
>>>>>>>>>
>>>>>>>>> Our DNS works. It works well. We have four Linux DNS servers and
>>>>>>>>> two AD domain controllers that also do DNS.
>>>>>>>>>
>>>>>>>>> So if we already have DNS working well in our domain, why do we
>>>>>>>>> want to manage DNS in IPA?
>>>>>>>>
>>>>>>>> Let us keep the discussion on the list.
>>>>>>>> IPA when used with AD trust presents itself as a separate forest.
>>>>>>>> AD thinks that it is working with another AD forest.
>>>>>>>> For that to work we need to follow MSFT rules about the relationship
>>>>>>>> between Kerberos realm and DNS domain.
>>>>>>>> AD assumes that for every trusted forest Kerberos realm = DNS
>>>>>>>> domain. IPA makes it easy to do because it has integrated tools to
>>>>>>>> manage the IPA DNS domain.
>>>>>>>> If you want to manage it yourself through your DNS you can do it,
>>>>>>>> just more manual operations for you.
>>>>>>>>
>>>>>>>> HTH
>>>>>>>>
>>>>>>>> Thanks
>>>>>>>> Dmitri
>>>>>>>>
>>>>>>>>>
>>>>>>>>> On Sun, Dec 7, 2014 at 9:44 PM, Dmitri Pal <d...@redhat.com> wrote:
>>>>>>>>>
>>>>>>>>> On 12/07/2014 06:44 PM, Matthew Herzog wrote:
>>>>>>>>>> Thanks guys. I'm sorry for my delay in responding.
>>>>>>>>>>
>>>>>>>>>> Firstly, I was under the impression (from reading the docs)
>>>>>>>>>> that having named running on the IPA server was critical.
>>>>>>>>>
>>>>>>>>> Properly configured DNS is critical.
>>>>>>>>> How you accomplish it is up to you.
>>>>>>>>> IPA allows you to have a DNS server that would simplify DNS
>>>>>>>>> management but it can be done manually too. This is why DNS
>>>>>>>>> is optional.
>>>>>>>>>
>>>>>>>>>> Also, the first question the ipa-server-install script asks
>>>>>>>>>> is, "Do you want to configure integrated DNS (BIND)?"
>>>>>>>>>> While it's true the default answer is no, it leads one to
>>>>>>>>>> believe that DNS is central to IPA. Also the
>>>>>>>>>> ipa-client-install script says,
>>>>>>>>>>
>>>>>>>>>> [root@freeipa-poc-client02 ~]# ipa-client-install
>>>>>>>>>> DNS discovery failed to determine your DNS domain
>>>>>>>>>> Provide the domain name of your IPA server (ex: example.com):
>>>>>>>>>>
>>>>>>>>>> I can resolve -anything- from the machine using dig or whatever.
>>>>>>>>>>
>>>>>>>>>> Ultimately, the reason I started to be concerned about my
>>>>>>>>>> IPA server's DNS config was because I was not able to
>>>>>>>>>> authenticate AD accounts to a client machine. I saw a bunch
>>>>>>>>>> of errors in the client's sssd logs which of course I can't
>>>>>>>>>> find now.
>>>>>>>>>>
>>>>>>>>>> Perhaps it was these . . .
>>>>>>>>>>
>>>>>>>>>> (Thu Dec 4 13:45:23 2014) [sssd] [ping_check] (0x0100): Service nss replied to ping
>>>>>>>>>> (Thu Dec 4 13:45:23 2014) [sssd] [ping_check] (0x0100): Service sudo replied to ping
>>>>>>>>>> (Thu Dec 4 13:45:23 2014) [sssd] [ping_check] (0x0100): Service pam replied to ping
>>>>>>>>>> (Thu Dec 4 13:45:23 2014) [sssd] [ping_check] (0x0100): Service ssh replied to ping
>>>>>>>>>> (Thu Dec 4 13:45:23 2014) [sssd] [ping_check] (0x0100): Service pac replied to ping
>>>>>>>>>> (Thu Dec 4 13:45:23 2014) [sssd] [ping_check] (0x0100): Service bo3.e-bozo.com replied to ping
>>>>>>>>>>
>>>>>>>>>> I'm not allowed onto the AD domain controllers to examine
>>>>>>>>>> log files or I'd be checking those first.
>>>>>>>>>>
>>>>>>>>>> So ultimately the goal is to authenticate AD users and users
>>>>>>>>>> that exist in our ldap schema. We need to set up groups of
>>>>>>>>>> users that can run sudo commands on specific groups of hosts.
>>>>>>>>>
>>>>>>>>> Did you setup trusts as explained on the following page?
>>>>>>>>> http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup
>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> On Wed, Dec 3, 2014 at 3:46 AM, Petr Spacek <pspa...@redhat.com> wrote:
>>>>>>>>>>
>>>>>>>>>> On 3.12.2014 04:35, Dmitri Pal wrote:
>>>>>>>>>> > On 12/02/2014 08:54 PM, Matthew Herzog wrote:
>>>>>>>>>> >> Any other ideas? I just spun up a new VM and took the defaults on
>>>>>>>>>> >> everything while running ipa-server-install (the defaults did make
>>>>>>>>>> >> sense) and my new VM can't resolve -anything- in the domain in
>>>>>>>>>> >> which it lives. The "old" VM (running the same versions of
>>>>>>>>>> >> everything on the same OS) can't even resolve the clients I have
>>>>>>>>>> >> registered with it!
>>>>>>>>>> >>
>>>>>>>>>> >> So I'm pretty frustrated and am wondering, what _exactly_ is the
>>>>>>>>>> >> role of bind in the IPA server and how is it expected to know
>>>>>>>>>> >> anything about the local DNS domain without becoming a bind slave
>>>>>>>>>> >> server?
>>>>>>>>>> >
>>>>>>>>>> > I am not sure I am 100% with you but...
>>>>>>>>>> > If you use the defaults and nothing else you get to the scenario
>>>>>>>>>> > when IPA has its DNS but it is a self contained environment. It
>>>>>>>>>> > seems that this is what you observe.
>>>>>>>>>> > It is expected that you decide in advance what you want to do with
>>>>>>>>>> > DNS. There are several options:
>>>>>>>>>> > 1) You can delegate a zone to IPA to manage, then you need to
>>>>>>>>>> > connect your IPA DNS to your existing DNS during install or after.
>>>>>>>>>> > In this case the systems joined to IPA will be a part of the IPA
>>>>>>>>>> > domain/zone and would also be able to resolve other systems around.
>>>>>>>>>> > 2) Not use IPA DNS if you do not want to take advantage of it.
>>>>>>>>>> > 3) Have a self contained demo/lab environment that you currently
>>>>>>>>>> > observe.
>>>>>>>>>> >
>>>>>>>>>> > What is the intent?
>>>>>>>>>>
>>>>>>>>>> I agree with Dmitri, we need more information from you:
>>>>>>>>>> - You said "my new VM can't resolve -anything- in the domain in
>>>>>>>>>> which it lives." - Which domain do you mean?
>>>>>>>>>>
>>>>>>>>>> - Apparently you have configured FreeIPA to serve zone e-bozo.com.
>>>>>>>>>> Do you have this zone configured on some other DNS server at the
>>>>>>>>>> same time?
>>>>>>>>>>
>>>>>>>>>> Please keep in mind that authoritative servers should share the
>>>>>>>>>> database. You will get naming collisions if e-bozo.com is served by
>>>>>>>>>> FreeIPA DNS servers and some other servers at the same time. Maybe
>>>>>>>>>> that is the problem you see right now.
>>>>>>>>>>
>>>>>>>>>> As Dmitri said, the architecturally correct solution is to decide
>>>>>>>>>> if you want to use FreeIPA DNS or not. You have the option to either
>>>>>>>>>> remove non-FreeIPA DNS servers and import data to FreeIPA or to add
>>>>>>>>>> FreeIPA-specific DNS records to existing DNS servers and not
>>>>>>>>>> configure FreeIPA to act as a DNS server.
>>>>>>>>>>
>>>>>>>>>> Petr^2 Spacek
>>>>>>>>>>
>>>>>>>>>> >> Thanks.
>>>>>>>>>> >>
>>>>>>>>>> >> On Tue, Dec 2, 2014 at 11:58 AM, Petr Spacek <pspa...@redhat.com> wrote:
>>>>>>>>>> >>
>>>>>>>>>> >> On 2.12.2014 17:36, Martin Basti wrote:
>>>>>>>>>> >> > On 02/12/14 17:28, Matthew Herzog wrote:
>>>>>>>>>> >> >> I just realized that my IPA servers cannot resolve ANY servers
>>>>>>>>>> >> >> in my domain.
>>>>>>>>>> >> >> What do I need to do to fix this? Below is my named.conf.
>>>>>>>>>> >> >>
>>>>>>>>>> >> >> options {
>>>>>>>>>> >> >> // turns on IPv6 for port 53, IPv4 is on by default for all ifaces
>>>>>>>>>> >> >> listen-on-v6 {any;};
>>>>>>>>>> >> >>
>>>>>>>>>> >> >> // Put files that named is allowed to write in the data/ directory:
>>>>>>>>>> >> >> directory "/var/named"; // the default
>>>>>>>>>> >> >> dump-file "data/cache_dump.db";
>>>>>>>>>> >> >> statistics-file "data/named_stats.txt";
>>>>>>>>>> >> >> memstatistics-file "data/named_mem_stats.txt";
>>>>>>>>>> >> >>
>>>>>>>>>> >> >> forward first;
>>>>>>>>>> >> >> forwarders {
>>>>>>>>>> >> >> 10.100.8.41;
>>>>>>>>>> >> >> 10.100.8.40;
>>>>>>>>>> >> >> 10.100.4.13;
>>>>>>>>>> >> >> 10.100.4.14;
>>>>>>>>>> >> >> 10.100.4.19;
>>>>>>>>>> >> >> 10.100.4.44;
>>>>>>>>>> >> >> };
>>>>>>>>>> >> >>
>>>>>>>>>> >> >> // Any host is permitted to issue recursive queries
>>>>>>>>>> >> >> allow-recursion { any; };
>>>>>>>>>> >> >>
>>>>>>>>>> >> >> tkey-gssapi-keytab "/etc/named.keytab";
>>>>>>>>>> >> >> pid-file "/run/named/named.pid";
>>>>>>>>>> >> >> };
>>>>>>>>>> >> >>
>>>>>>>>>> >> >> /* If you want to enable debugging, eg. using the 'rndc trace' command,
>>>>>>>>>> >> >>  * By default, SELinux policy does not allow named to modify the /var/named directory,
>>>>>>>>>> >> >>  * so put the default debug log file in data/ :
>>>>>>>>>> >> >>  */
>>>>>>>>>> >> >> logging {
>>>>>>>>>> >> >> channel default_debug {
>>>>>>>>>> >> >> file "data/named.run";
>>>>>>>>>> >> >> severity dynamic;
>>>>>>>>>> >> >> print-time yes;
>>>>>>>>>> >> >> };
>>>>>>>>>> >> >> };
>>>>>>>>>> >> >> };
>>>>>>>>>> >> >>
>>>>>>>>>> >> >> zone "." IN {
>>>>>>>>>> >> >> type hint;
>>>>>>>>>> >> >> file "named.ca";
>>>>>>>>>> >> >> };
>>>>>>>>>> >> >>
>>>>>>>>>> >> >> include "/etc/named.rfc1912.zones";
>>>>>>>>>> >> >>
>>>>>>>>>> >> >> dynamic-db "ipa" {
>>>>>>>>>> >> >> library "ldap.so";
>>>>>>>>>> >> >> arg "uri ldapi://%2fvar%2frun%2fslapd-BO3-E-BOZO-COM.socket";
>>>>>>>>>> >> >> arg "base cn=dns, dc=bo3,dc=e-bozo,dc=com";
>>>>>>>>>> >> >> arg "fake_mname freeipa-poc01.bo3.e-bozo.com.";
>>>>>>>>>> >> >> arg "auth_method sasl";
>>>>>>>>>> >> >> arg "sasl_mech GSSAPI";
>>>>>>>>>> >> >> arg "sasl_user DNS/freeipa-poc01.bo3.e-bozo.com";
>>>>>>>>>> >> >> arg "serial_autoincrement yes";
>>>>>>>>>> >> >> };
>>>>>>>>>> >> >>
>>>>>>>>>> >> > Hello,
>>>>>>>>>> >> >
>>>>>>>>>> >> > which version ipa do you use? which platform? Which version
>>>>>>>>>> >> > bind-dyndb-ldap?
>>>>>>>>>> >> >
>>>>>>>>>> >> > Can you run these commands, and check if there are any errors?
>>>>>>>>>> >> > ipactl status
>>>>>>>>>> >> > systemctl status named (respectively journalctl -u named)
>>>>>>>>>> >>
>>>>>>>>>> >> We also may want to see information listed on page
>>>>>>>>>> >> https://fedorahosted.org/bind-dyndb-ldap/wiki/BugReporting

-- 
Petr^2 Spacek

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
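Added example (not part of the thread, and not FreeIPA's own code). The thread's procedure is: run ipa-server-install without --setup-dns, take the sample zone file it writes under /tmp, and add its records to the existing DNS servers; clients then find the IPA server through SRV records, and an AD trust additionally requires that the Kerberos realm equals the upper-cased DNS domain. The script below parses a BIND-style zone fragment and reports which of those records are missing or wrong. The record set it expects (SRV for LDAP, Kerberos, kpasswd, plus the _kerberos TXT naming the realm) is an assumption modelled on what IPA 3.x writes; compare it with the sample file on your own server. The zone text and the 192.0.2.10 address are constructed for this example.

```python
"""Check a BIND zone fragment for the service-discovery records an IPA domain needs."""
import re

# relative owner name -> expected port; assumed from IPA 3.x sample zone output
DISCOVERY_SRV = {
    "_ldap._tcp": 389,
    "_kerberos._tcp": 88,
    "_kerberos._udp": 88,
    "_kerberos-master._tcp": 88,
    "_kerberos-master._udp": 88,
    "_kpasswd._tcp": 464,
    "_kpasswd._udp": 464,
}

# constructed sample in the layout of the file ipa-server-install writes to /tmp
SAMPLE_ZONE = """\
$ORIGIN lnx.e-bozo.com.
$TTL 86400
@                       IN SOA freeipa-poc01.lnx.e-bozo.com. hostmaster.lnx.e-bozo.com. (
                               2014120801 ; serial
                               3600 900 1209600 3600 )
                        IN NS  freeipa-poc01.lnx.e-bozo.com.
freeipa-poc01           IN A   192.0.2.10
_ldap._tcp              IN SRV 0 100 389 freeipa-poc01
_kerberos               IN TXT "LNX.E-BOZO.COM"
_kerberos._tcp          IN SRV 0 100 88 freeipa-poc01
_kerberos._udp          IN SRV 0 100 88 freeipa-poc01
_kerberos-master._tcp   IN SRV 0 100 88 freeipa-poc01
_kerberos-master._udp   IN SRV 0 100 88 freeipa-poc01
_kpasswd._tcp           IN SRV 0 100 464 freeipa-poc01
_kpasswd._udp           IN SRV 0 100 464 freeipa-poc01
"""


def _absolute(name, origin):
    """Turn a zone-file owner/target into an absolute name (trailing dot)."""
    return origin if name == "@" else (name if name.endswith(".") else f"{name}.{origin}")


def parse_zone(text, origin):
    """Minimal master-file parser returning a list of (owner, rrtype, rdata_tokens).

    Handles ';' comments, $ORIGIN/$TTL, '@', blank owner (repeats the previous
    owner), optional TTL and class fields, and parenthesised multi-line rdata.
    Owners come back absolute and lower-cased. Not a full RFC 1035 parser
    (no $INCLUDE, no escapes inside TXT strings)."""
    origin = origin.rstrip(".").lower() + "."
    stripped = "\n".join(line.split(";", 1)[0].rstrip() for line in text.splitlines())
    joined = re.sub(r"\(([^)]*)\)", lambda m: " " + " ".join(m.group(1).split()) + " ", stripped)
    records, prev_owner = [], origin
    for line in joined.splitlines():
        if not line.strip():
            continue
        tokens = line.split()
        if line.startswith("$ORIGIN"):
            origin = tokens[1].rstrip(".").lower() + "."
            continue
        if line.startswith("$"):
            continue  # $TTL and other directives carry no records
        owner = prev_owner if line[0].isspace() else _absolute(tokens.pop(0).lower(), origin)
        if tokens and tokens[0].isdigit():
            tokens.pop(0)  # explicit TTL
        if tokens and tokens[0].upper() == "IN":
            tokens.pop(0)  # class
        records.append((owner, tokens[0].upper(), tokens[1:]))
        prev_owner = owner
    return records


def check_ipa_records(records, domain, realm):
    """Return a list of problems; an empty list means the zone has what IPA needs."""
    domain = domain.rstrip(".").lower() + "."
    index = {}
    for owner, rrtype, rdata in records:
        index.setdefault((owner, rrtype), []).append(rdata)
    problems = []
    for rel, port in DISCOVERY_SRV.items():
        owner = f"{rel}.{domain}"
        if (owner, "SRV") not in index:
            problems.append(f"missing SRV {owner}")
            continue
        for rdata in index[(owner, "SRV")]:
            _prio, _weight, rport, target = rdata[:4]
            if int(rport) != port:
                problems.append(f"{owner}: port {rport}, expected {port}")
            target = _absolute(target.lower(), domain)
            if (target, "A") not in index and (target, "AAAA") not in index:
                problems.append(f"{owner}: target {target} has no address record in the zone")
    txt = index.get((f"_kerberos.{domain}", "TXT"))
    if not txt:
        problems.append(f"missing TXT _kerberos.{domain}")
    elif " ".join(txt[0]).strip('"') != realm:
        problems.append(f"_kerberos TXT {' '.join(txt[0])} does not name realm {realm}")
    # AD trust rule from the thread: for a trusted forest, Kerberos realm == DNS domain
    if realm.lower() + "." != domain:
        problems.append(f"realm {realm} is not the upper-cased DNS domain {domain.rstrip('.')}")
    return problems


if __name__ == "__main__":
    found = check_ipa_records(parse_zone(SAMPLE_ZONE, "lnx.e-bozo.com"), "lnx.e-bozo.com", "LNX.E-BOZO.COM")
    print("OK" if not found else "\n".join(found))
```

Point it at the real sample file (`parse_zone(open(path).read(), "lnx.e-bozo.com")`) before and after you add the records to the corporate servers; the address check is a reminder only, since the SRV target may legitimately live in another zone that this fragment does not contain.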
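Added example (not part of the thread, and not FreeIPA's own code) for the check behind Petr's warning about naming collisions: when e-bozo.com is served both by the IPA-embedded BIND and by other servers that do not share its database, different resolvers get different answers. The script asks each candidate server directly with recursion disabled, so only the server's own data comes back, and groups the servers by the answer they gave. The default lookup shells out to `dig`, which is assumed to be installed; the 192.0.2.x addresses in the usage are placeholders for your four Linux DNS servers, the two AD DCs and the IPA server.

```python
"""Find authoritative DNS servers that disagree about a name."""
import subprocess
import sys
from collections import defaultdict


def dig_lookup(server, qname, qtype):
    """Rdata set `server` returns for (qname, qtype); None if dig failed or timed out.

    +norecurse clears the RD bit, so the server answers only from its own zones
    (or cache), never via its forwarders, and a server that does not hold the
    zone returns nothing. An empty frozenset therefore means 'no data here'."""
    cmd = ["dig", f"@{server}", qname, qtype, "+short", "+norecurse", "+time=2", "+tries=1"]
    try:
        proc = subprocess.run(cmd, capture_output=True, text=True, timeout=10, check=False)
    except (OSError, subprocess.TimeoutExpired):
        return None
    if proc.returncode != 0:
        return None
    return frozenset(line.strip().lower() for line in proc.stdout.splitlines() if line.strip())


def collect_answers(servers, qname, qtype, lookup=dig_lookup):
    """Map each server to the answer it gave (a frozenset of rdata, or None on failure)."""
    return {server: lookup(server, qname, qtype) for server in servers}


def find_disagreements(answers):
    """Group servers by identical answer. A single group means every server agrees."""
    groups = defaultdict(list)
    for server, rdata in answers.items():
        groups[rdata].append(server)
    return {rdata: sorted(servers) for rdata, servers in groups.items()}


def zone_is_consistent(servers, qname, qtype, lookup=dig_lookup):
    """True only if every server answered and all answers are identical."""
    groups = find_disagreements(collect_answers(servers, qname, qtype, lookup))
    return len(groups) == 1 and None not in groups


if __name__ == "__main__":
    # usage: python3 dns_split.py e-bozo.com SOA 192.0.2.1 192.0.2.2 192.0.2.3
    if len(sys.argv) < 4:
        sys.exit("usage: dns_split.py QNAME QTYPE SERVER [SERVER ...]")
    qname, qtype, *servers = sys.argv[1:]
    for rdata, who in find_disagreements(collect_answers(servers, qname, qtype)).items():
        shown = "query failed" if rdata is None else (sorted(rdata) or "no data")
        print(f"{', '.join(who)} -> {shown}")
```

Query the zone's SOA first (a different serial or MNAME per server is the collision Petr describes), then `_ldap._tcp.lnx.e-bozo.com SRV` and the IPA server's A record; a server that answers "no data" for the SRV record is one the clients' DNS discovery will fail against.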