On 10/11/16 06:51, Petr Spacek wrote:
On 9.11.2016 16:57, lejeczek wrote:
On 09/11/16 14:35, Martin Basti wrote:
On 09.11.2016 15:33, lejeczek wrote:
On 09/11/16 13:48, Martin Basti wrote:
On 09.11.2016 14:11, lejeczek wrote:
On 09/11/16 12:43, Martin Basti wrote:
On 09.11.2016 12:15, lejeczek wrote:
On 08/11/16 19:37, Martin Basti wrote:
On 08.11.2016 19:41, lejeczek wrote:
hi everyone
when I look at my domain I see something which seems inconsistent to
me (eg. work5 is not part of the domain, was --uninstalled)
Do these record need fixing?
I'm asking becuase one of the servers, despite the fact the ipa dns
related toolkit(on that server) shows zone & records, to
dig/host/etc. presents nothing, empty responses!??
$ ipa dnsrecord-find xx.xx.xx.xx.x.
Record name: @
NS record: swir.xx.xx.xx.xx.x., rider.xx.xx.xx.xx.x.,
dzien.xx.xx.xx.xx.x., whale.xx.xx.xx.xx.x.
Record name: _kerberos
TXT record: .xx.xx..xx.xx.x
Record name: _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs
SRV record: 0 100 88 rider, 0 100 88 work5
Record name: _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs
SRV record: 0 100 389 rider, 0 100 389 work5
Record name: _kerberos._udp.Default-First-Site-Name._sites.dc._msdcs
SRV record: 0 100 88 rider, 0 100 88 work5
Record name: _kerberos._tcp.dc._msdcs
SRV record: 0 100 88 rider, 0 100 88 work5
Record name: _ldap._tcp.dc._msdcs
SRV record: 0 100 389 rider, 0 100 389 work5
Record name: _kerberos._udp.dc._msdcs
SRV record: 0 100 88 rider, 0 100 88 work5
Record name: _kerberos._tcp
SRV record: 0 100 88 whale, 0 100 88 dzien, 0 100 88 rider, 0 100
88 swir
Record name: _kerberos-master._tcp
SRV record: 0 100 88 whale, 0 100 88 dzien, 0 100 88 rider, 0 100
88 swir
Record name: _kpasswd._tcp
SRV record: 0 100 464 rider, 0 100 464 swir, 0 100 464 dzien, 0 100
464 whale
Record name: _ldap._tcp
SRV record: 0 100 389 swir, 0 100 389 dzien, 0 100 389 whale, 0 100
389 rider
Record name: _kerberos._udp
SRV record: 0 100 88 whale, 0 100 88 dzien, 0 100 88 rider, 0 100
88 swir
Record name: _kerberos-master._udp
SRV record: 0 100 88 whale, 0 100 88 dzien, 0 100 88 rider, 0 100
88 swir
Record name: _kpasswd._udp
SRV record: 0 100 464 rider, 0 100 464 swir, 0 100 464 dzien, 0 100
464 whale
Record name: _ntp._udp
SRV record: 0 100 123 dzien, 0 100 123 rider, 0 100 123 whale, 0
100 123 swir
thanks.
L.
Hello,
if server work5 is uninstalled, then work5 SRV records should be removed.
Martin
Martin, would you be able suggest a way to troubleshoot that problem
that one (only) server (rider) seems to present no data for the whole
domain? Remaining servers correctly respond to any queries. One curious
thing is that I $rndc trace 6; and (I see debug level changed in
journalctl) I do not see anything in the logs when I query.
Zone allows any to query it.
What dig @rider command returns for SRV queries?
don't mind SRV records for now, it returns no record at all, it forwards
and caches but not for the domain itself.
on rider (suffice I point to other member server and records are there)
$ dig +qr any .xx.xx..xx.xx.x. @10.5.6.100
; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7_2.4 <<>> +qr any .xx.xx..xx.xx.x.
@10.5.6.100
;; global options: +cmd
;; Sending:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36196
;; flags: rd ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;.xx.xx..xx.xx.x. IN ANY
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 36196
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;.xx.xx..xx.xx.x. IN ANY
;; AUTHORITY SECTION:
.xx.xx.x. 3600 IN SOA ipreg.xxx.xx.xx.x. hostmaster.xx.xx.x.
1478696070 1800 900 604800 3600
;; Query time: 5 msec
;; SERVER: 10.5.6.100#53(10.5.6.100)
;; WHEN: Wed Nov 09 12:56:16 GMT 2016
;; MSG SIZE rcvd: 120
I obfuscated FQDNs but it seems like it forwards to a parent domain (to
which it's supposed, by dnsforwardzone)
And like I mentioned earlier, I do dnszone-find, etc. (on rider) it's all
there.
I'm lost now, I don't understand you, you told me that resolving on
'rider' server doesn't work, then you write me that it is expected because
you have fowardzone set, but you cannot have forwardzone and master zone
for the same domain, IPA doesn't allow it, so I have no idea what is not
working for you. (You didn't make it easier by obfuscating output)
Martin
no no, sorry, I mean - it forwards whereas is should be authoritative for
it's own FQDN.
I realize it is not obvious after I obfuscated the output, but here:
;; AUTHORITY SECTION:
.xx.xx.x. 3600 IN SOA ipreg.xxx.xx.xx.x. hostmaster.xx.xx.x. 1478696070
1800 900 604800 3600
this looks like the only domain with is dnsforwardzone, everything else is
dnszone
parent.xx.xx. - is the only forward
private.my.parent.xx.xx - it is IPA domain & dnszone
I query private.my.parent.xx.xx and I get response as above.
Do you have proper zone delegation from parent zone? NS and A glue records?
no, I don't have any dealings with "parent" domain, I forward to there so only
those queries could go directly to NSes instead of to ROOTs.
I do not really on that "parent" - I call it parent for only
"logistically/visually" it appears as parent.
How your named.conf looks?
Exactly the same as on the other three servers(IPA generated), I diffed it,
only these are (respectively) different: fake_mname, sasl_user
I think that one server simply forwards (to that dnsforwardzone) as if it had
not any own zones, but why?? Would it be in the LDAP?
Do you have 'forwarders' statement in your named.conf?
forward first;
forwarders { };
If you have it, we might see a situation where LDAP plugin does not
load/connect to LDAP for whatever reason and only the global forwarding works.
Alternatively it might be a problem described in
https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/NamedCannotStart#a5.NozonesfromLDAPareloaded
it's a freaking bingo!
0 master zones from LDAP instance 'ipa' loaded (0 zones
defined, 0 inactive, 0 failed to load)
0 master zones is suspicious number, please check access
control instructions on LDAP server
now, well.. how to fix it?
$ ipa privilege-show 'DNS Servers' --all --raw
dn: cn=DNS
Servers,cn=privileges,cn=pbac,dc=,dc=xx,dc=xx,dc=,dc=xx,dc=xx,dc=x
cn: DNS Servers
description: DNS Servers
member:
krbprincipalname=DNS/[email protected],cn=services,cn=xxcounts,dc=,dc=xx,dc=xx,dc=,dc=xx,dc=xx,dc=x
member:
krbprincipalname=ipa-dnskeysyncd/[email protected],cn=services,cn=xxcounts,dc=,dc=xx,dc=xx,dc=,dc=xx,dc=xx,dc=x
member:
krbprincipalname=DNS/[email protected],cn=services,cn=xxcounts,dc=,dc=xx,dc=xx,dc=,dc=xx,dc=xx,dc=x
member:
krbprincipalname=ipa-dnskeysyncd/[email protected],cn=services,cn=xxcounts,dc=,dc=xx,dc=xx,dc=,dc=xx,dc=xx,dc=x
member:
krbprincipalname=DNS/[email protected],cn=services,cn=xxcounts,dc=,dc=xx,dc=xx,dc=,dc=xx,dc=xx,dc=x
member:
krbprincipalname=ipa-dnskeysyncd/[email protected],cn=services,cn=xxcounts,dc=,dc=xx,dc=xx,dc=,dc=xx,dc=xx,dc=x
memberof: cn=System: Read DNS
Configuration,cn=permissions,cn=pbac,dc=,dc=xx,dc=xx,dc=,dc=xx,dc=xx,dc=x
memberof: cn=System: Write DNS
Configuration,cn=permissions,cn=pbac,dc=,dc=xx,dc=xx,dc=,dc=xx,dc=xx,dc=x
memberof: cn=System: Add DNS
Entries,cn=permissions,cn=pbac,dc=,dc=xx,dc=xx,dc=,dc=xx,dc=xx,dc=x
memberof: cn=System: Manage DNSSEC
keys,cn=permissions,cn=pbac,dc=,dc=xx,dc=xx,dc=,dc=xx,dc=xx,dc=x
memberof: cn=System: Manage DNSSEC
metadata,cn=permissions,cn=pbac,dc=,dc=xx,dc=xx,dc=,dc=xx,dc=xx,dc=x
memberof: cn=System: Read DNS
Entries,cn=permissions,cn=pbac,dc=,dc=xx,dc=xx,dc=,dc=xx,dc=xx,dc=x
memberof: cn=System: Remove DNS
Entries,cn=permissions,cn=pbac,dc=,dc=xx,dc=xx,dc=,dc=xx,dc=xx,dc=x
memberof: cn=System: Update DNS
Entries,cn=permissions,cn=pbac,dc=,dc=xx,dc=xx,dc=,dc=xx,dc=xx,dc=x
objectClass: top
objectClass: groupofnames
objectClass: nestedgroup
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
