On 11/23/2016 3:28 AM, Martin Basti wrote:
On 23.11.2016 03:48, TomK wrote:
On 11/22/2016 10:22 AM, Martin Basti wrote:
On 22.11.2016 13:57, TomK wrote:
On 11/22/2016 2:59 AM, Martin Basti wrote:
Hey,
On 22.11.2016 06:33, TomK wrote:
Hey Guy's,
I'm forwarding a domain dom.abc.xyz from a Windows Server 2012
over to
my dual Free IPA server. The Free IPA servers are authoritative for
this subdomain. The Windows Server 2012 DNS is resolves on abc.xyz
and forwards dom.abc.xyz.
Do you have configured proper zone delegation for subdomain
dom.abc.xyz?
Proper NS and glue records
http://www.zytrax.com/books/dns/ch9/delegate.html
I cannot ping dom.abc.xyz. Everything else, including client
registrations, work fine. If Free IPA is authoritative on
dom.abc.xyz, should it not create DNS entries so the sub domain
can be
pinged as well?
What do you mean by "ping"?
/etc/resolv.conf also get's regenerated on reboot on the IPA Servers
and wanted to ask if you can point me to some materials online to
determine where can I permanently adjust the search to add
dom.abc.xyz
to the already present abc.xyz . I wasn't able to locate what I
needed in my searches.
I'm using the latest v4.
It depends on what are you using, probably you have NetworkManager
there
that is editing /etc/resolv.conf
https://ask.fedoraproject.org/en/question/67752/how-do-i-add-a-search-domain-using-networkmanager/
Martin
I Uninstalled NetworkManager. Still changes.
ping dom.abc.com results in "ping: unknown host"
I'll have a look at the first link, ty.
ping (ICMP protocol) and DNS system are different things, do you have
hostname dom.abc.com with A record or it is a zone?
with ping command hostname "dom.abc.com" is resolved to IP address
first, do you have A record set for dom.abc.com in zone apex or what are
you trying to achieve with ping command?
for testing DNS try to use commands: dig, host, nslookup
Martin
Apologize for the long reply but it should give some background on
what it is that I'm doing.
1) dom.abc.com is a zone. There is no A record for dom.abc.com in
FreeIPA (Confirmed by Petr). I get the point Petr Spacek pointed out
in his comment as well. What should it really point too? ( I kind of
answer this question below so please read on. ) Where I'm getting
this from is that in Windows Server 2012 abc.com returns the IP of any
of the participating AD / DNS servers within the cluster (The two
Windows Server 2012 are a combined clustered AD + DNS servers.).
Being able to resolve abc.xyz is handy. During a lookup, I can get a
list of all the IP's associated with that domain which would indicate
all the DNS + AD servers online under that domain or serving that domain:
# nslookup abc.xyz
Server: 192.168.0.3
Address: 192.168.0.3#53
Name: abc.xyz
Address: 192.168.0.3
Name: abc.xyz
Address: 192.168.0.1
Name: abc.xyz
Address: 192.168.0.2
#
Again, where this is handy is when configuring sssd.conf for example
or other apps for that matter. I can just point the app to
authenticate against the domain and I have my redundancy solved.
Windows Server 2012 does it, but FreeIPA didn't, so I threw the
question out there.
IPA uses SRV records heavily, all IPA related services have SRV records,
SSSD uses SRV records of IPA, client should use SRV record to connect to
the right service (or URI record - will be in next IPA). SRV records
work for IPA locations mechanism, we cannot achieve this with pure A
records.
Delegation from this Windows DNS works as expected. Any lookup from
dom.abc.xyz is forwarded too and handled by FreeIPA servers. Tested
this out. No issue with this.
I did see earlier that there is no A record for dom.abc.xyz in
FreeIPA. My reasons for asking if there was an IP on the subdomain in
FreeIPA were above but the missing IP on the subdomain isn't a major
issue for me. Things are working without dom.abc.xyz resolving to an
IP. What I was hoping for is to have a VIP for the IPA servers and
one for the Windows Server 2012 DNS Cluster in /etc/resolv.conf. (I
have the VIP for the windows server). One forwarding to the other for
a given domain. This is all for testing a) redundancy, b) forwarding,
a) authentication .
IE:
# cat /etc/resolv.conf
search dom.abc.xyz abc.xyz
nameserver 192.168.0.3 <------------ Win Cluster DNS VIP
nameserver 192.168.0.4 <------------ IPA Cluster DNS VIP
* Just what I want to achieve above. VIP 192.168.0.4 doesn't exist on
my cluster yet. I'm looking to integrate ucarp with the above IPA
servers.
2) More to the topic of my second question however, is that
/etc/resolv.conf, on the IPA servers themselves, get's rewritten on
restart. Would like to know by what if I already uninstalled
NetworkManager? When I configured the FreeIPA server, I used:
ipa-server-install --setup-dns --forwarder=192.168.0.3 -p "Hush!" -a
"Hush!" -r DOM.ABC.XYZ -n dom.abc.xyz --hostname ipa01.dom.abc.xyz
Notice I used the VIP of the Windows Server 2012 Cluster when
installing FreeIPA. This is nice for redundancy. So the resolv.conf
ends up being:
# cat /etc/resolv.conf
# Generated by NetworkManager
search abc.xyz
nameserver 192.168.0.3
nameserver 123.123.123.1
nameserver 123.123.123.2
Then I add:
search dom.abc.xyz abc.xyz
but it changes back to search abc.xyz (the Windows Server 2012 DNS).
This all works, except for the above minor items, and I can resolve
anything over this network. ( Thinking this is fine because the
forward is on the subdomain. I haven't had issues with forwarding
through this setup. )
# cat /etc/resolv.conf
# Generated by NetworkManager
search abc.xyz
nameserver 192.168.0.3
nameserver 123.123.123.1
nameserver 123.123.123.2
But NetworkManager is not installed on these IPA servers. I've
removed it earlier:
# rpm -aq|grep -i NetworkManager
#
Is FreeIPA replacing /etc/resolv.conf with a copy it keeps elsewhere?
On servers with DNS /etc/resolv.conf should point to 127.0.0.1 and ::1,
and global or per server dns forwarders should be configured instead
Have you properly stopped NetworkManager using systemctl stop and
systemctl disable ? In case you just removed rpm files service can still
work.
I recommend to update network manager config, not to remove it :)
As last resort way, you can set immutable bit to resolv.conf if
something is still changing your resolv.conf file
3) After running:
ipa-client-install --mkhomedir --enable-dns-updates
on a new host, the hostname of the new host doesn't resolve for a few
minutes. How do I make this instantaneous? (Other then that,
autodiscovery of the IPA servers is excellent!). Before installing
the IPA Client, the new hosts /etc/resolv.conf file looks like this:
# cat /etc/resolv.conf
search abc.xyz
nameserver 192.168.0.3
nameserver 123.123.123.1
nameserver 123.123.123.2
I did dig, host, nslookup earlier. Verified all except for the items
I'm inquiring about.
That weird, because ipa-client-install creates A records directly to DNS
server using nsupdate, so it should be accessible instantly. Do you have
any caching DNS servers?
Martin
No caching DNS servers.
On the topic of NetworkManager. It's completely gone yet still the
/etc/resolv.conf file is being replaced with the text # Generated by
NetworkManager.
# systemctl show NetworkManager.service --property=Id,Names,Description
Id=NetworkManager.service
Names=NetworkManager.service
Description=NetworkManager.service
#
# systemctl list-units --type service --all|grep -i network
network.service loaded active exited
LSB: Bring up/down networking
â NetworkManager-wait-online.service not-found inactive dead
NetworkManager-wait-online.service
â NetworkManager.service not-found inactive dead
NetworkManager.service
ntpd.service loaded active running
Network Time Service
rhel-domainname.service loaded active exited
Read and set NIS domainname from /etc/sysconfig/network
rhel-import-state.service loaded active exited
Import network configuration from initramfs
#
The only thing that is left of the NetworkManager service is the above.
Nothing I type from systemd removed it completely. So I've reverted to
the last resort:
# lsattr /etc/resolv.conf
----i----------- /etc/resolv.conf
#
With the above, I'm trying to see what's writing to the file by using
this auditctl and found that postfix seems to be doing this:
----
time->Wed Nov 23 23:14:47 2016
type=PATH msg=audit(1479960887.978:293): item=0 name="/etc/resolv.conf"
inode=135699633 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00
obj=system_u:object_r:net_conf_t:s0 objtype=NORMAL
type=CWD msg=audit(1479960887.978:293): cwd="/"
type=SYSCALL msg=audit(1479960887.978:293): arch=c000003e syscall=2
success=yes exit=4 a0=7ffb36b6f43a a1=80000 a2=1b6 a3=24 items=1 ppid=1
pid=5527 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 tty=(none) ses=4294967295 comm="postfix" exe="/usr/sbin/postfix"
subj=system_u:system_r:postfix_master_t:s0 key="/root/resolv.conf-file"
----
time->Wed Nov 23 23:14:48 2016
type=PATH msg=audit(1479960888.013:301): item=0 name="/etc/resolv.conf"
inode=135699633 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00
obj=system_u:object_r:net_conf_t:s0 objtype=NORMAL
type=CWD msg=audit(1479960888.013:301): cwd="/var/spool/postfix"
type=SYSCALL msg=audit(1479960888.013:301): arch=c000003e syscall=2
success=yes exit=3 a0=7f32c163043a a1=80000 a2=1b6 a3=24 items=1
ppid=5545 pid=5546 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="postconf"
exe="/usr/sbin/postconf" subj=system_u:system_r:postfix_master_t:s0
key="/root/resolv.conf-file"
This in turn appears to be called by started by:
# grep postfix access|tail -n 1
[23/Nov/2016:23:42:04 -0500] conn=34 op=5 SRCH
base="cn=accounts,dc=dom,dc=abc,dc=xyz" scope=2
filter="(&(uid=postfix)(objectClass=posixAccount)(&(uidNumber=*)(!(uidNumber=0))))"
attrs="objectClass uid userPassword uidNumber gidNumber gecos
homeDirectory loginShell krbPrincipalName cn memberOf ipaUniqueID
ipaNTSecurityIdentifier modifyTimestamp entryusn shadowLastChange
shadowMin shadowMax shadowWarning shadowInactive shadowExpire shadowFlag
krbLastPwdChange krbPasswordExpiration pwdattribute authorizedService
accountexpires useraccountcontrol nsAccountLock host logindisabled
loginexpirationtime loginallowedtimemap ipaSshPubKey ipaUserAuthType
usercertificate;binary"
# pwd
/var/log/dirsrv/slapd-DOM-ABC-XYZ
#
--
Cheers,
Tom K.
-------------------------------------------------------------------------------------
Living on earth is expensive, but it includes a free trip around the sun.
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
