On 11/23/2016 3:28 AM, Martin Basti wrote:

On 23.11.2016 03:48, TomK wrote:
On 11/22/2016 10:22 AM, Martin Basti wrote:

On 22.11.2016 13:57, TomK wrote:
On 11/22/2016 2:59 AM, Martin Basti wrote:

On 22.11.2016 06:33, TomK wrote:
Hey Guys,

I'm forwarding a domain dom.abc.xyz from a Windows Server 2012
over to
my dual Free IPA server.  The Free IPA servers are authoritative for
this subdomain.  The Windows Server 2012 DNS resolves abc.xyz
and forwards dom.abc.xyz.
Have you configured proper zone delegation for the subdomain?
Proper NS and glue records

I cannot ping dom.abc.xyz.  Everything else, including client
registrations, work fine.  If Free IPA is authoritative on
dom.abc.xyz, should it not create DNS entries so the sub domain
can be
pinged as well?

What do you mean by "ping"?

/etc/resolv.conf also gets regenerated on reboot on the IPA Servers
and wanted to ask if you can point me to some materials online to
determine where can I permanently adjust the search to add
to the already present abc.xyz .  I wasn't able to locate what I
needed in my searches.

I'm using the latest v4.

It depends on what you are using; probably you have NetworkManager,
which is editing /etc/resolv.conf



I Uninstalled NetworkManager.  Still changes.
ping dom.abc.com results in "ping: unknown host"

I'll have a look at the first link, ty.

ping (ICMP protocol) and the DNS system are different things. Do you have
a hostname dom.abc.com with an A record, or is it a zone?

With the ping command the hostname "dom.abc.com" is resolved to an IP address
first. Do you have an A record set for dom.abc.com at the zone apex, or what are
you trying to achieve with the ping command?

For testing DNS, try to use the commands dig, host, nslookup.


Apologies for the long reply, but it should give some background on
what it is that I'm doing.

1) dom.abc.com is a zone.  There is no A record for dom.abc.com in
FreeIPA (Confirmed by Petr).  I get the point Petr Spacek pointed out
in his comment as well.  What should it really point to? ( I kind of
answer this question below so please read on. )  Where I'm getting
this from is that in Windows Server 2012 abc.com returns the IP of any
of the participating AD / DNS servers within the cluster (The two
Windows Server 2012 are a combined clustered AD + DNS servers.).
Being able to resolve abc.xyz is handy.  During a lookup, I can get a
list of all the IP's associated with that domain which would indicate
all the DNS + AD servers online under that domain or serving that domain:

# nslookup abc.xyz

Name:   abc.xyz
Name:   abc.xyz
Name:   abc.xyz

Again, where this is handy is when configuring sssd.conf for example
or other apps for that matter.  I can just point the app to
authenticate against the domain and I have my redundancy solved.
Windows Server 2012 does it, but FreeIPA didn't, so I threw the
question out there.

IPA uses SRV records heavily, all IPA related services have SRV records,
SSSD uses SRV records of IPA, client should use SRV record to connect to
the right service (or URI record - will be in next IPA). SRV records
work for IPA locations mechanism, we cannot achieve this with pure A

Delegation from this Windows DNS works as expected.  Any lookup from
dom.abc.xyz is forwarded too and handled by FreeIPA servers. Tested
this out. No issue with this.

I did see earlier that there is no A record for dom.abc.xyz in
FreeIPA. My reasons for asking if there was an IP on the subdomain in
FreeIPA were above but the missing IP on the subdomain isn't a major
issue for me.  Things are working without dom.abc.xyz resolving to an
IP.  What I was hoping for is to have a VIP for the IPA servers and
one for the Windows Server 2012 DNS Cluster in /etc/resolv.conf.  (I
have the VIP for the windows server).  One forwarding to the other for
a given domain.  This is all for testing a) redundancy, b) forwarding,
c) authentication.


# cat /etc/resolv.conf
search dom.abc.xyz abc.xyz
nameserver            <------------ Win Cluster DNS VIP
nameserver            <------------ IPA Cluster DNS VIP

* Just what I want to achieve above.  VIP doesn't exist on
my cluster yet.  I'm looking to integrate ucarp with the above IPA

2) More to the topic of my second question however, is that
/etc/resolv.conf, on the IPA servers themselves, gets rewritten on
restart.  Would like to know by what if I already uninstalled
NetworkManager?  When I configured the FreeIPA server, I used:

ipa-server-install --setup-dns --forwarder= -p "Hush!" -a
"Hush!" -r DOM.ABC.XYZ -n dom.abc.xyz --hostname ipa01.dom.abc.xyz

Notice I used the VIP of the Windows Server 2012 Cluster when
installing FreeIPA.  This is nice for redundancy.  So the resolv.conf
ends up being:

# cat /etc/resolv.conf
# Generated by NetworkManager
search abc.xyz

Then I add:

search dom.abc.xyz abc.xyz

but it changes back to search abc.xyz (the Windows Server 2012 DNS).
This all works, except for the above minor items, and I can resolve
anything over this network.  (  Thinking this is fine because the
forward is on the subdomain.  I haven't had issues with forwarding
through this setup.  )

# cat /etc/resolv.conf
# Generated by NetworkManager
search abc.xyz

But NetworkManager is not installed on these IPA servers.  I've
removed it earlier:

# rpm -aq|grep -i NetworkManager

Is FreeIPA replacing /etc/resolv.conf with a copy it keeps elsewhere?

On servers with DNS /etc/resolv.conf should point to and ::1,
and global or per server dns forwarders should be configured instead

Have you properly stopped NetworkManager using systemctl stop and
systemctl disable? In case you just removed the rpm files, the service can still
I recommend updating the NetworkManager config, not removing it :)

As a last resort, you can set the immutable bit on resolv.conf if
something is still changing your resolv.conf file

3) After running:

ipa-client-install --mkhomedir --enable-dns-updates

on a new host, the hostname of the new host doesn't resolve for a few
minutes.  How do I make this instantaneous?  (Other than that,
autodiscovery of the IPA servers is excellent!).  Before installing
the IPA Client, the new host's /etc/resolv.conf file looks like this:

# cat /etc/resolv.conf
search abc.xyz

I did dig, host, nslookup earlier.  Verified all except for the items
I'm inquiring about.

That's weird, because ipa-client-install creates A records directly on the DNS
server using nsupdate, so it should be accessible instantly. Do you have
any caching DNS servers?


No caching DNS servers.

On the topic of NetworkManager. It's completely gone yet still the /etc/resolv.conf file is being replaced with the text # Generated by NetworkManager.

# systemctl show NetworkManager.service --property=Id,Names,Description

# systemctl list-units --type service --all|grep -i network
network.service                       loaded    active   exited  LSB: Bring up/down networking
● NetworkManager-wait-online.service  not-found inactive dead    NetworkManager-wait-online.service
● NetworkManager.service              not-found inactive dead    NetworkManager.service
ntpd.service                          loaded    active   running Network Time Service
rhel-domainname.service               loaded    active   exited  Read and set NIS domainname from /etc/sysconfig/network
rhel-import-state.service             loaded    active   exited  Import network configuration from initramfs

The only thing that is left of the NetworkManager service is the above. Nothing I type from systemd removed it completely. So I've reverted to the last resort:

# lsattr /etc/resolv.conf
----i----------- /etc/resolv.conf

With the above, I'm trying to see what's writing to the file by using auditctl, and found that postfix seems to be doing this:

time->Wed Nov 23 23:14:47 2016
type=PATH msg=audit(1479960887.978:293): item=0 name="/etc/resolv.conf" inode=135699633 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:net_conf_t:s0 objtype=NORMAL
type=CWD msg=audit(1479960887.978:293):  cwd="/"
type=SYSCALL msg=audit(1479960887.978:293): arch=c000003e syscall=2 success=yes exit=4 a0=7ffb36b6f43a a1=80000 a2=1b6 a3=24 items=1 ppid=1 pid=5527 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="postfix" exe="/usr/sbin/postfix" subj=system_u:system_r:postfix_master_t:s0 key="/root/resolv.conf-file"
time->Wed Nov 23 23:14:48 2016
type=PATH msg=audit(1479960888.013:301): item=0 name="/etc/resolv.conf" inode=135699633 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:net_conf_t:s0 objtype=NORMAL
type=CWD msg=audit(1479960888.013:301):  cwd="/var/spool/postfix"
type=SYSCALL msg=audit(1479960888.013:301): arch=c000003e syscall=2 success=yes exit=3 a0=7f32c163043a a1=80000 a2=1b6 a3=24 items=1 ppid=5545 pid=5546 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="postconf" exe="/usr/sbin/postconf" subj=system_u:system_r:postfix_master_t:s0 key="/root/resolv.conf-file"

This in turn appears to be started by:

# grep postfix access|tail -n 1
[23/Nov/2016:23:42:04 -0500] conn=34 op=5 SRCH base="cn=accounts,dc=dom,dc=abc,dc=xyz" scope=2 filter="(&(uid=postfix)(objectClass=posixAccount)(&(uidNumber=*)(!(uidNumber=0))))" attrs="objectClass uid userPassword uidNumber gidNumber gecos homeDirectory loginShell krbPrincipalName cn memberOf ipaUniqueID ipaNTSecurityIdentifier modifyTimestamp entryusn shadowLastChange shadowMin shadowMax shadowWarning shadowInactive shadowExpire shadowFlag krbLastPwdChange krbPasswordExpiration pwdattribute authorizedService accountexpires useraccountcontrol nsAccountLock host logindisabled loginexpirationtime loginallowedtimemap ipaSshPubKey ipaUserAuthType usercertificate;binary"
# pwd

Tom K.

Living on earth is expensive, but it includes a free trip around the sun.
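The audit records in the message above answer "who opened /etc/resolv.conf" but not "who opened it for writing": the SYSCALL record carries the open(2) flags in hex (a1 for syscall 2, open; a2 for syscall 257, openat, on x86_64), and only an open with O_WRONLY or O_RDWR can rewrite the file. The following is an added example, not code from the thread or from the FreeIPA project. It parses records of the shape shown, joins the PATH, CWD and SYSCALL lines by their audit serial, decodes the flags, and reports which executable opened the watched path in which mode. The two postfix/postconf records are copied from the message; the third record, with a placeholder executable path, is constructed to show what a genuine rewrite looks like.

```python
import re
from collections import defaultdict

# x86_64 open(2) flag bits from <asm-generic/fcntl.h>; O_RDONLY is the absence
# of O_WRONLY and O_RDWR. Audit prints these arguments in hexadecimal.
O_WRONLY, O_RDWR, O_CREAT, O_TRUNC, O_APPEND = 0x1, 0x2, 0x40, 0x200, 0x400
# x86_64 syscall numbers and the argument that holds the flags: open -> a1, openat -> a2.
FLAG_ARG = {2: "a1", 257: "a2"}
X86_64 = "c000003e"

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
SERIAL = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")

# Constructed sample: the first two events are the records quoted in the thread,
# the third (serial 305, placeholder exe) is invented to show a write-mode open.
SAMPLE = """\
time->Wed Nov 23 23:14:47 2016
type=PATH msg=audit(1479960887.978:293): item=0 name="/etc/resolv.conf" inode=135699633 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:net_conf_t:s0 objtype=NORMAL
type=CWD msg=audit(1479960887.978:293):  cwd="/"
type=SYSCALL msg=audit(1479960887.978:293): arch=c000003e syscall=2 success=yes exit=4 a0=7ffb36b6f43a a1=80000 a2=1b6 a3=24 items=1 ppid=1 pid=5527 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="postfix" exe="/usr/sbin/postfix" subj=system_u:system_r:postfix_master_t:s0 key="/root/resolv.conf-file"
time->Wed Nov 23 23:14:48 2016
type=PATH msg=audit(1479960888.013:301): item=0 name="/etc/resolv.conf" inode=135699633 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:net_conf_t:s0 objtype=NORMAL
type=CWD msg=audit(1479960888.013:301):  cwd="/var/spool/postfix"
type=SYSCALL msg=audit(1479960888.013:301): arch=c000003e syscall=2 success=yes exit=3 a0=7f32c163043a a1=80000 a2=1b6 a3=24 items=1 ppid=5545 pid=5546 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="postconf" exe="/usr/sbin/postconf" subj=system_u:system_r:postfix_master_t:s0 key="/root/resolv.conf-file"
time->Wed Nov 23 23:20:00 2016
type=PATH msg=audit(1479961200.100:305): item=0 name="/etc/resolv.conf" inode=135699633 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:net_conf_t:s0 objtype=NORMAL
type=CWD msg=audit(1479961200.100:305):  cwd="/"
type=SYSCALL msg=audit(1479961200.100:305): arch=c000003e syscall=2 success=yes exit=3 a0=55d0c0a1e2f0 a1=241 a2=1a4 a3=0 items=1 ppid=1 pid=6001 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="example" exe="/PLACEHOLDER/example-writer" subj=system_u:system_r:init_t:s0 key="/root/resolv.conf-file"
"""


def parse_audit(text):
    """Group audit lines by (timestamp, serial) and merge their key=value fields.
    The first value seen for a key wins, so PATH's name= and SYSCALL's exe= coexist."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = SERIAL.search(line)
        if not m:
            continue  # "time->..." separators and anything else without a serial
        ev = events[(m.group(1), int(m.group(2)))]
        for key, val in KV.findall(line):
            ev.setdefault(key, val.strip('"'))
    return events


def open_mode(ev):
    """Decode the open flags of one event into 'read-only', 'write[+O_...]' or 'unknown'."""
    arg = FLAG_ARG.get(int(ev.get("syscall", -1)))
    if arg is None or ev.get("arch") != X86_64 or arg not in ev:
        return "unknown"  # not an open/openat on x86_64, or flags not recorded
    flags = int(ev[arg], 16)
    if not flags & (O_WRONLY | O_RDWR):
        return "read-only"
    extra = [name for bit, name in ((O_CREAT, "O_CREAT"), (O_TRUNC, "O_TRUNC"),
                                    (O_APPEND, "O_APPEND")) if flags & bit]
    return "write" + ("+" + "+".join(extra) if extra else "")


def opens_of(text, path="/etc/resolv.conf"):
    """Return (serial, exe, cwd, mode) for every event that opened `path`,
    in serial order, so read-only opens can be told apart from rewrites."""
    rows = []
    for (_ts, serial), ev in sorted(parse_audit(text).items(), key=lambda kv: kv[0][1]):
        if ev.get("name") == path:
            rows.append((serial, ev.get("exe"), ev.get("cwd"), open_mode(ev)))
    return rows


if __name__ == "__main__":
    for serial, exe, cwd, mode in opens_of(SAMPLE):
        print(f"serial={serial} exe={exe} cwd={cwd} mode={mode}")
```

Run against the quoted records, both postfix opens decode as read-only (a1=80000 is O_CLOEXEC alone), so they cannot be the source of the rewritten file; only an event reported as write is a candidate. The same script can be pointed at `ausearch -k <key> --raw` output for the watch rule the thread describes.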

Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project
