On 06.01.2017 18:14, TomK wrote:
On 1/5/2017 2:17 PM, Martin Basti wrote:
On 05.01.2017 20:03, TomK wrote:
Should the DNS forwarders be updated in /etc/named.conf? Until I
manually change /etc/named.conf, can't ping the windows AD cluster:
mds.xyz. Nor can I get dig to resolve the SRV records (dig SRV
IPA command below indicates that it's set to 'first' but that's not
what's in /etc/named.conf file when I check. Again, it works if I
change /etc/named.conf manually.
Forwarder settings have priority:
named.conf < global forwarders (ipa dnsconfig-mod) < local dns server
config (ipa dnsserver-*) < forwardzones (applied per query, not as
so what is in named.conf is usually always overwritten
How did you edit the named.conf?
Does dig @192.168.0.224 SRV _ldap._tcp.mds.xyz. work?
Do you have any errors in journalctl -u named-pkcs11?
Yes, with the manual update of /etc/named.conf this command works, as
I posted earlier (It doesn't work without the manual update of
/etc/named.conf to forward first; ):
dig @192.168.0.224 SRV _ldap._tcp.mds.xyz.
;; ANSWER SECTION:
_ldap._tcp.mds.xyz. 3600 IN SRV 0 100 389
_ldap._tcp.mds.xyz. 600 IN SRV 0 100 389
Yes, I stumbled on the journalctl command but really haven't seen
anything applicable to my scenario AFAICT. Nonetheless, logs available
I'm still going over them. The only message that seemed to make sense
ignoring inherited 'forward first;' for zone '.' - did you want
'forward only;' to override automatic empty zone
but it appears in both the working and non-working situations so isn't
looking significant ATM and nothing I found applied to this scenario.
[root@idmipa01 log]# cat /etc/resolv.conf
search nix.mds.xyz mds.xyz
You have new mail in /var/spool/mail/root
And based on earlier chats, that's how it should stay. Resolution of
AD ID's does work from clients though (When I have forward first; in
For me it looks like some DNSSEC validation issue, could you temporarily
disable DNSSEC validation in /etc/named.conf on IPA server and then try
again with forward only?
Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project