On 10/11/16 06:51, Petr Spacek wrote:
On 9.11.2016 16:57, lejeczek wrote:

On 09/11/16 14:35, Martin Basti wrote:

On 09.11.2016 15:33, lejeczek wrote:

On 09/11/16 13:48, Martin Basti wrote:

On 09.11.2016 14:11, lejeczek wrote:

On 09/11/16 12:43, Martin Basti wrote:

On 09.11.2016 12:15, lejeczek wrote:

On 08/11/16 19:37, Martin Basti wrote:

On 08.11.2016 19:41, lejeczek wrote:
hi everyone
when I look at my domain I see something which seems inconsistent to
me (e.g. work5 is not part of the domain, it was --uninstalled).
Do these records need fixing?
I'm asking because one of the servers, despite the fact that the ipa dns
related toolkit (on that server) shows the zone & records, presents nothing to
dig/host/etc., empty responses!??

$ ipa dnsrecord-find xx.xx.xx.xx.x.
   Record name: @
   NS record: swir.xx.xx.xx.xx.x., rider.xx.xx.xx.xx.x.,
              dzien.xx.xx.xx.xx.x., whale.xx.xx.xx.xx.x.

   Record name: _kerberos
   TXT record: .xx.xx..xx.xx.x

   Record name: _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs
   SRV record: 0 100 88 rider, 0 100 88 work5

   Record name: _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs
   SRV record: 0 100 389 rider, 0 100 389 work5

   Record name: _kerberos._udp.Default-First-Site-Name._sites.dc._msdcs
   SRV record: 0 100 88 rider, 0 100 88 work5

   Record name: _kerberos._tcp.dc._msdcs
   SRV record: 0 100 88 rider, 0 100 88 work5

   Record name: _ldap._tcp.dc._msdcs
   SRV record: 0 100 389 rider, 0 100 389 work5

   Record name: _kerberos._udp.dc._msdcs
   SRV record: 0 100 88 rider, 0 100 88 work5

   Record name: _kerberos._tcp
   SRV record: 0 100 88 whale, 0 100 88 dzien, 0 100 88 rider, 0 100
88 swir

   Record name: _kerberos-master._tcp
   SRV record: 0 100 88 whale, 0 100 88 dzien, 0 100 88 rider, 0 100
88 swir

   Record name: _kpasswd._tcp
   SRV record: 0 100 464 rider, 0 100 464 swir, 0 100 464 dzien, 0 100
464 whale

   Record name: _ldap._tcp
   SRV record: 0 100 389 swir, 0 100 389 dzien, 0 100 389 whale, 0 100
389 rider

   Record name: _kerberos._udp
   SRV record: 0 100 88 whale, 0 100 88 dzien, 0 100 88 rider, 0 100
88 swir

   Record name: _kerberos-master._udp
   SRV record: 0 100 88 whale, 0 100 88 dzien, 0 100 88 rider, 0 100
88 swir

   Record name: _kpasswd._udp
   SRV record: 0 100 464 rider, 0 100 464 swir, 0 100 464 dzien, 0 100
464 whale

   Record name: _ntp._udp
   SRV record: 0 100 123 dzien, 0 100 123 rider, 0 100 123 whale, 0
100 123 swir

thanks.
L.


Hello,

if server work5 is uninstalled, then work5 SRV records should be removed.

Martin
Martin, would you be able to suggest a way to troubleshoot the problem
that one (only) server (rider) seems to present no data for the whole
domain? The remaining servers correctly respond to any queries. One curious
thing is that I ran $ rndc trace 6 (and I see the debug level changed in
journalctl), yet I do not see anything in the logs when I query.
The zone allows any to query it.


What does the dig @rider command return for SRV queries?

Don't mind the SRV records for now; it returns no records at all. It forwards
and caches, but not for the domain itself, on rider (suffice it to say that when I
point to another member server the records are there).

$ dig +qr any .xx.xx..xx.xx.x. @10.5.6.100

; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7_2.4 <<>> +qr any .xx.xx..xx.xx.x.
@10.5.6.100
;; global options: +cmd
;; Sending:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36196
;; flags: rd ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;.xx.xx..xx.xx.x. IN ANY

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 36196
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;.xx.xx..xx.xx.x. IN ANY

;; AUTHORITY SECTION:
.xx.xx.x.  3600  IN  SOA ipreg.xxx.xx.xx.x. hostmaster.xx.xx.x.
1478696070 1800 900 604800 3600

;; Query time: 5 msec
;; SERVER: 10.5.6.100#53(10.5.6.100)
;; WHEN: Wed Nov 09 12:56:16 GMT 2016
;; MSG SIZE  rcvd: 120

I obfuscated the FQDNs, but it seems like it forwards to a parent domain (to
which it is supposed to, per the dnsforwardzone).
And like I mentioned earlier, when I do dnszone-find, etc. (on rider), it's all
there.



I'm lost now, I don't understand you: you told me that resolving on the
'rider' server doesn't work, then you write me that it is expected because
you have a forwardzone set, but you cannot have a forwardzone and a master zone
for the same domain, IPA doesn't allow it, so I have no idea what is not
working for you. (You didn't make it easier by obfuscating the output)

Martin
No no, sorry, I mean it forwards whereas it should be authoritative for
its own FQDN.
I realize it is not obvious after I obfuscated the output, but here:

;; AUTHORITY SECTION:
.xx.xx.x.  3600  IN  SOA ipreg.xxx.xx.xx.x. hostmaster.xx.xx.x. 1478696070
1800 900 604800 3600

this looks like the only domain which is a dnsforwardzone; everything else is
a dnszone

parent.xx.xx. - is the only forward
private.my.parent.xx.xx - it is IPA domain & dnszone

I query private.my.parent.xx.xx and I get response as above.
Do you have proper zone delegation from the parent zone? NS and A glue records?
No, I don't have any dealings with the "parent" domain; I forward there so only
those queries go directly to its NSes instead of to the ROOTs.
I do not rely on that "parent" - I call it parent only because
"logistically/visually" it appears as a parent.
How does your named.conf look?
Exactly the same as on the other three servers (IPA generated), I diffed it;
only these are (respectively) different: fake_mname, sasl_user.
I think that one server simply forwards (to that dnsforwardzone) as if it had
no zones of its own, but why?? Would it be in the LDAP?
Do you have 'forwarders' statement in your named.conf?
  forward first;
  forwarders { };


If you have it, we might see a situation where LDAP plugin does not
load/connect to LDAP for whatever reason and only the global forwarding works.

Alternatively it might be a problem described in
https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/NamedCannotStart#a5.NozonesfromLDAPareloaded
it's a freaking bingo!

0 master zones from LDAP instance 'ipa' loaded (0 zones defined, 0 inactive, 0 failed to load) 0 master zones is suspicious number, please check access control instructions on LDAP server

now, well.. how to fix it?

$ ipa privilege-show 'DNS Servers' --all --raw
dn: cn=DNS Servers,cn=privileges,cn=pbac,dc=,dc=xx,dc=xx,dc=,dc=xx,dc=xx,dc=x
  cn: DNS Servers
  description: DNS Servers
  member: krbprincipalname=DNS/swir..xx.xx..xx.x...@.xx.xx..xx.xx.x,cn=services,cn=xxcounts,dc=,dc=xx,dc=xx,dc=,dc=xx,dc=xx,dc=x
  member: krbprincipalname=ipa-dnskeysyncd/swir..xx.xx..xx.x...@.xx.xx..xx.xx.x,cn=services,cn=xxcounts,dc=,dc=xx,dc=xx,dc=,dc=xx,dc=xx,dc=x
  member: krbprincipalname=DNS/whale..xx.xx..xx.x...@.xx.xx..xx.xx.x,cn=services,cn=xxcounts,dc=,dc=xx,dc=xx,dc=,dc=xx,dc=xx,dc=x
  member: krbprincipalname=ipa-dnskeysyncd/whale..xx.xx..xx.x...@.xx.xx..xx.xx.x,cn=services,cn=xxcounts,dc=,dc=xx,dc=xx,dc=,dc=xx,dc=xx,dc=x
  member: krbprincipalname=DNS/dzien..xx.xx..xx.x...@.xx.xx..xx.xx.x,cn=services,cn=xxcounts,dc=,dc=xx,dc=xx,dc=,dc=xx,dc=xx,dc=x
  member: krbprincipalname=ipa-dnskeysyncd/dzien..xx.xx..xx.x...@.xx.xx..xx.xx.x,cn=services,cn=xxcounts,dc=,dc=xx,dc=xx,dc=,dc=xx,dc=xx,dc=x
  memberof: cn=System: Read DNS Configuration,cn=permissions,cn=pbac,dc=,dc=xx,dc=xx,dc=,dc=xx,dc=xx,dc=x
  memberof: cn=System: Write DNS Configuration,cn=permissions,cn=pbac,dc=,dc=xx,dc=xx,dc=,dc=xx,dc=xx,dc=x
  memberof: cn=System: Add DNS Entries,cn=permissions,cn=pbac,dc=,dc=xx,dc=xx,dc=,dc=xx,dc=xx,dc=x
  memberof: cn=System: Manage DNSSEC keys,cn=permissions,cn=pbac,dc=,dc=xx,dc=xx,dc=,dc=xx,dc=xx,dc=x
  memberof: cn=System: Manage DNSSEC metadata,cn=permissions,cn=pbac,dc=,dc=xx,dc=xx,dc=,dc=xx,dc=xx,dc=x
  memberof: cn=System: Read DNS Entries,cn=permissions,cn=pbac,dc=,dc=xx,dc=xx,dc=,dc=xx,dc=xx,dc=x
  memberof: cn=System: Remove DNS Entries,cn=permissions,cn=pbac,dc=,dc=xx,dc=xx,dc=,dc=xx,dc=xx,dc=x
  memberof: cn=System: Update DNS Entries,cn=permissions,cn=pbac,dc=,dc=xx,dc=xx,dc=,dc=xx,dc=xx,dc=x
  objectClass: top
  objectClass: groupofnames
  objectClass: nestedgroup
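The two checks this thread ends on, as an added shell script that is not from the thread or from FreeIPA: it reads the "N master zones from LDAP" summary out of named's log, and lists which expected servers have no DNS/<host> service principal in the 'DNS Servers' privilege (in the output above, rider is the one missing). It assumes the named-pkcs11 systemd unit and an `ipa` CLI on PATH; the sample log line and privilege output are constructed.

```shell
#!/bin/sh
# Added diagnostic; assumes named runs as the named-pkcs11 unit and `ipa` is
# on PATH. Sample inputs below are constructed, not taken from the thread.

# Print the number of master zones bind-dyndb-ldap reports as loaded, from
# named log lines on stdin (last summary line wins); prints nothing if absent.
zones_loaded_from_log() {
    awk '/master zones from LDAP instance/ {
             for (i = 2; i <= NF; i++)
                 if ($i == "master" && $(i + 1) == "zones") n = $(i - 1)
         }
         END { if (n != "") print n }'
}

# From `ipa privilege-show "DNS Servers" --all --raw` output on stdin, print
# the short hostname of every DNS/<host> service principal that is a member.
dns_principal_hosts() {
    sed -n 's/^ *member: krbprincipalname=DNS\/\([^.@]*\)[.@].*/\1/p'
}

# Print each expected server (arguments) whose DNS principal is not a member;
# such a server's named cannot read the zones and loads 0 of them.
missing_dns_servers() {
    members=$(dns_principal_hosts)
    for host in "$@"; do
        if ! printf '%s\n' "$members" | grep -qx "$host"; then
            echo "$host"
        fi
    done
}

# Constructed samples shaped like the thread's log line and privilege output.
SAMPLE_LOG="Nov 10 07:01:02 rider named-pkcs11[1234]: 0 master zones from LDAP instance 'ipa' loaded (0 zones defined, 0 inactive, 0 failed to load)"
SAMPLE_PRIV="  dn: cn=DNS Servers,cn=privileges,cn=pbac,dc=example,dc=test
  member: krbprincipalname=DNS/swir.example.test@EXAMPLE.TEST,cn=services,cn=accounts,dc=example,dc=test
  member: krbprincipalname=ipa-dnskeysyncd/swir.example.test@EXAMPLE.TEST,cn=services,cn=accounts,dc=example,dc=test
  member: krbprincipalname=DNS/whale.example.test@EXAMPLE.TEST,cn=services,cn=accounts,dc=example,dc=test"

# Live run on a real server: ./check.sh --live swir whale dzien rider
if [ "${1:-}" = "--live" ]; then
    shift
    echo "zones loaded from LDAP: $(journalctl -u named-pkcs11 | zones_loaded_from_log)"
    echo "servers missing from the 'DNS Servers' privilege:"
    ipa privilege-show 'DNS Servers' --all --raw | missing_dns_servers "$@"
fi
```

Without --live it only defines the functions, so the samples can be piped through them by hand.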




--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project