Hey All,


Should the DNS forwarders be updated in /etc/named.conf? Until I
manually change /etc/named.conf, I can't ping the Windows AD cluster,
mds.xyz, nor can I get dig to resolve the SRV records (dig SRV


IPA command below indicates that it's set to 'first' but that's not
what's in /etc/named.conf file when I check.  Again, it works if I
change /etc/named.conf manually.

Forwarder settings have priority:

named.conf < global forwarders (ipa dnsconfig-mod) < local dns server
config (ipa dnsserver-*) < forwardzones (applied per query, not as
global forwarder)

so what is in named.conf is almost always overwritten.

How did you edit named.conf?

Does dig @ SRV _ldap._tcp.mds.xyz. work?
Do you have any errors in journalctl -u named-pkcs11?


Thanks Martin.

Yes, with the manual update of /etc/named.conf this command works, as I posted earlier (it doesn't work without the manual update of /etc/named.conf to forward first;):

dig @ SRV _ldap._tcp.mds.xyz.

_ldap._tcp.mds.xyz. 3600 IN SRV 0 100 389 winad02.mds.xyz.
_ldap._tcp.mds.xyz. 600 IN SRV 0 100 389 winad01.mds.xyz.

Yes, I stumbled on the journalctl command but really haven't seen anything applicable to my scenario AFAICT. Nonetheless, logs available below:


I'm still going over them. The only message that seemed to make sense was:

ignoring inherited 'forward first;' for zone '.' - did you want 'forward only;' to override automatic empty zone

but it appears in both the working and non-working situations, so it isn't looking significant ATM, and nothing I found applied to this scenario. Btw:

[root@idmipa01 log]# cat /etc/resolv.conf
search nix.mds.xyz mds.xyz
[root@idmipa01 log]#

And based on earlier chats, that's how it should stay. Resolution of AD IDs does work from clients, though (when I have forward first; in /etc/named.conf).

To me it looks like a DNSSEC validation issue. Could you temporarily disable DNSSEC validation in /etc/named.conf on the IPA server and then try again with forward only?
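The two points raised above (the forwarder priority order, where anything in named.conf is overridden by what is stored via the ipa dnsconfig-* / dnsserver-* / dnsforwardzone-* commands, and the DNSSEC-validation suspicion) can be checked and acted on with a small script. This is an added example, not code from the thread or from FreeIPA: it reads named.conf only to show what the lowest-priority layer says, sets the forwarding at the layer that actually wins (a forward zone for the AD domain mds.xyz), and tests the AD SRV lookup with and without DNSSEC validation (dig +cd) so the two failure modes can be told apart. FORWARDER is a placeholder for the AD DNS server address, which the thread never gives; the ipa dnsserver-show command assumes a FreeIPA version that has the dnsserver-* commands the thread mentions; running it requires a kinit'd admin on the IPA server.

```shell
#!/bin/sh
# Added example (not from the thread): FreeIPA DNS forwarding layers and a
# DNSSEC-vs-forwarding test for the AD domain discussed above.
set -eu

AD_ZONE="mds.xyz"                      # AD domain from the thread
FORWARDER="${FORWARDER:-192.0.2.10}"   # placeholder AD DNS address (assumed)
NAMED_CONF="${NAMED_CONF:-/etc/named.conf}"

# named_option KEY: print the value of a one-word named.conf option
# (e.g. "forward first;" -> "first"), or "unset" if absent. Reads stdin.
# Pure text helper so the logic can be exercised offline.
named_option() {
    awk -v key="$1" '$1 == key { sub(/;.*/, "", $2); print $2; found = 1; exit }
                     END { if (!found) print "unset" }'
}
named_forward_policy()    { named_option forward; }
named_dnssec_validation() { named_option dnssec-validation; }

# classify_srv PLAIN CD: decide what two dig answers mean. PLAIN is the answer
# with validation on, CD the answer with +cd (checking disabled).
#   ok             -> resolves normally
#   dnssec         -> only resolves with +cd: validation of the forwarded reply fails
#   no-forwarding  -> no answer either way: the query never reaches AD
classify_srv() {
    if [ -n "$1" ]; then printf 'ok\n'
    elif [ -n "$2" ]; then printf 'dnssec\n'
    else printf 'no-forwarding\n'
    fi
}

# srv_check: query the AD LDAP SRV record through the local IPA resolver.
srv_check() {
    name="_ldap._tcp.${AD_ZONE}."
    plain=$(dig @127.0.0.1 SRV "$name" +short)
    cd=$(dig @127.0.0.1 SRV "$name" +short +cd)
    classify_srv "$plain" "$cd"
}

# show_forwarding: every layer, lowest priority first (named.conf loses).
show_forwarding() {
    echo "== named.conf (lowest priority, overwritten by LDAP config) =="
    echo "forward policy:    $(named_forward_policy < "$NAMED_CONF")"
    echo "dnssec-validation: $(named_dnssec_validation < "$NAMED_CONF")"
    echo "== global forwarders (ipa dnsconfig) =="
    ipa dnsconfig-show
    echo "== this server (ipa dnsserver) =="
    ipa dnsserver-show "$(hostname -f)"
    echo "== forward zones (applied per query, highest priority) =="
    ipa dnsforwardzone-find
}

# set_global_forwarding: the "forward first" the thread tried in named.conf,
# stored where bind-dyndb-ldap will actually honour it.
set_global_forwarding() {
    ipa dnsconfig-mod --forwarder="$FORWARDER" --forward-policy=first
}

# add_ad_forward_zone: a forward zone for the AD domain, which wins over the
# global settings and sends only mds.xyz queries to the AD DNS servers.
add_ad_forward_zone() {
    ipa dnsforwardzone-add "$AD_ZONE" --forwarder="$FORWARDER" --forward-policy=only
}

case "${1:-}" in
    show)   show_forwarding ;;
    global) set_global_forwarding ;;
    zone)   add_ad_forward_zone ;;
    test)   srv_check ;;
    *)      echo "usage: $0 show|global|zone|test" ;;
esac
```

Run it as `sh check-forwarding.sh show` first; if named.conf says `forward first;` but `ipa dnsconfig-show` shows no forwarders, that is the override Martin describes, and `zone` (or `global`) is the persistent fix. `test` returning `dnssec` while the manual named.conf edit "works" points at validation of the AD reply rather than at forwarding itself, which is what the last message suggests checking.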


