On 06.01.2017 18:14, TomK wrote:
On 1/5/2017 2:17 PM, Martin Basti wrote:


On 05.01.2017 20:03, TomK wrote:
Hey All,

QQ.

Should the DNS forwarders be updated in /etc/named.conf? Until I
manually change /etc/named.conf, can't ping the windows AD cluster:
mds.xyz.  Nor can I get dig to resolve the SRV records (dig SRV
_ldap._tcp.mds.xyz).

sssd-ipa-1.14.0-43.el7_3.4.x86_64
ipa-client-4.4.0-14.el7.centos.x86_64

IPA command below indicates that it's set to 'first' but that's not
what's in /etc/named.conf file when I check.  Again, it works if I
change /etc/named.conf manually.


Forwarder settings has priority:

named.conf < global forwarders (ipa dnsconfig-mod) < local dns server
config (ipa dnsserver-*) < forwardzones (applied per query, not as
global forwarder)

so what is in named.conf is usually always overwritten


How did you edited the named.conf?

Does dig @192.168.0.224 SRV _ldap._tcp.mds.xyz. works?
Do you have any errors in journalctl -u named-pkcs11 ??

Martin

Thanks Martin.

Yes, with the manual update of /etc/named.conf this command works, as I posted earlier (It doesn't work without the manual update of /etc/named.conf to forward first; ):

dig @192.168.0.224 SRV _ldap._tcp.mds.xyz.

;; ANSWER SECTION:
_ldap._tcp.mds.xyz. 3600 IN SRV 0 100 389 winad02.mds.xyz. _ldap._tcp.mds.xyz. 600 IN SRV 0 100 389 winad01.mds.xyz.

Yes I stumbled on the journalctl command but really haven't seen anything applicable to my scenario AFAIKT. Nontheless, logs available below:

http://microdevsys.com/freeipa/named-pkcs11-working.log
http://microdevsys.com/freeipa/named-pkcs11-non-working.log
http://microdevsys.com/freeipa/named-pkcs11-working-again.log

I'm still going over them. The only message that seamed to make sense was:

ignoring inherited 'forward first;' for zone '.' - did you want 'forward only;' to override automatic empty zone

but it appears in both the working and non-working situations so isn't looking significant ATM and nothing I found applied to this scenario. Btw:

[root@idmipa01 log]# cat /etc/resolv.conf
search nix.mds.xyz mds.xyz
nameserver 127.0.0.1
You have new mail in /var/spool/mail/root
[root@idmipa01 log]#

And based on earlier chats, that's how it should stay. Resolution of AD ID's does work from clients though (When I have forward first; in /etc/named.conf)





For me it looks like some DNSSEC validation issue, could you temporarily disable DNSSEC validation in /etc/named.conf on IPA server and then try again with forward only?

Martin

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to