[Freeipa-users] FW: domain trust linux to AD server not finding user profiles

2014-10-08 Thread Licause, Al (CSC AMS BCS - UNIX/Linux Network Support)
Thanks very much for the feedback.

RE: how often do we need to look up unauthenticated users... this is strictly a test environment used to duplicate customer problems, so in reality we never have to do it, but that is the current problem at hand. The customer is unable to consistently authenticate users. They have implemented additional screening limits for the users, but for now we are only trying to get the basic functionality to work.

In our case, I am unable to authenticate the valid users on the AD server using ssh on the IdM server:

[root@linux ~]# ssh -l ld...@osn.cxo.cpqcorp.net linux
ld...@osn.cxo.cpqcorp.net@linux's password:
Permission denied, please try again.
ld...@osn.cxo.cpqcorp.net@linux's password:
Received disconnect from 10.20.0.59: 2: Too many authentication failures for ld...@osn.cxo.cpqcorp.net

We know the password that is used for this test user is correct.

The logs and the tcpdump seem to indicate a problem with Kerberos verification, but not being a Kerberos heavy, I'm not sure just what might be wrong, possibly with the krb5.conf file. This is the krb5kdc.log entry for the attempted ssh login above:

Oct 08 08:58:51 linux.ipa.cxo.cpqcorp.net krb5kdc[12908](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.20.0.59: NEEDED_PREAUTH: host/linux.ipa.cxo.cpqcorp@ipa.cxo.cpqcorp.net for krbtgt/ipa.cxo.cpqcorp@ipa.cxo.cpqcorp.net, Additional pre-authentication required
Oct 08 08:58:51 linux.ipa.cxo.cpqcorp.net krb5kdc[12908](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.20.0.59: ISSUE: authtime 1412773131, etypes {rep=18 tkt=18 ses=18}, host/linux.ipa.cxo.cpqcorp@ipa.cxo.cpqcorp.net for krbtgt/ipa.cxo.cpqcorp@ipa.cxo.cpqcorp.net
Oct 08 08:58:51 linux.ipa.cxo.cpqcorp.net krb5kdc[12908](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 10.20.0.59: ISSUE: authtime 1412773131, etypes {rep=18 tkt=18 ses=18}, host/linux.ipa.cxo.cpqcorp@ipa.cxo.cpqcorp.net for ldap/linux.ipa.cxo.cpqcorp@ipa.cxo.cpqcorp.net
Oct 08 08:58:51 linux.ipa.cxo.cpqcorp.net krb5kdc[12908](info): closing down fd 11

From tcpdump, the error given by Kerberos is STATUS_DOMAIN_TRUST_INCONSISTENT

From the IdM server, this is the trust set up previously between the IdM server and the AD server:

[root@linux ~]# ipa trust-show osn.cxo.cpqcorp.net
  Realm name: osn.cxo.cpqcorp.net
  Domain NetBIOS name: OSN
  Domain Security Identifier: S-1-5-21-3753757867-1859638558-383537475
  Trust direction: Two-way trust
  Trust type: Active Directory domain

Further down in this e-mail is the krb5.conf file.

Do we have something defined incorrectly for Kerberos ?

Al

From: freeipa-users-boun...@redhat.com 
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Dmitri Pal
Sent: Tuesday, October 07, 2014 5:02 PM
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] domain trust linux to AD server not finding user 
profiles

On 10/07/2014 05:03 PM, Licause, Al (CSC AMS BCS - UNIX/Linux Network Support) 
wrote:

I've been following the steps outlined in section 7.3.5 of the manual entitled

Integrating OpenShift Enterprise
with Identity Management (IdM)
in Red Hat Enterprise Linux
OpenShift Enterprise 2.1
IdM in Red Hat Enterprise Linux 7
Windows Server 2012 - Active Directory Integration

I now have our RHEL V7 running IdM, set up as an IdM server in a domain, realm and subnet different from our existing AD server running Windows 2008 R2, which has a populated user database that can be queried using ldapsearch and can authorize users.

I have successfully created a domain trust between the RHEL V7 Server
(linux.ipa.cxo.cpqcorp.net 10.20.0.59/24) and the AD Server
(win2008.osn.cxo.cpqcorp.net 16.112.240.55).

To simplify the configuration I have no firewall running, and so have stopped both iptables and firewalld.

All steps in section 7.3.5 have been followed. But when I run the first test for a user on the AD system, the system is unable to find anything:

[root@linux ~]# getent group 'OSN\Domain Users'
[root@linux ~]#
[root@linux ~]#
[root@linux ~]# getent passwd 'OSN\ldap25'
[root@linux ~]#

The users and related information are not fetched until you authenticate as 
this user.
The ability to fetch users and groups that are not yet authenticated is tracked 
by the ticket https://fedorahosted.org/sssd/ticket/2159 and will be addressed 
in the next version of SSSD.
How frequently do you really need to look up unauthenticated AD users and AD groups on Linux systems? What is the use case?

The ticket above is for the cases when there is an application that needs to fetch the user so that the admin of the application can assign privileges to this user. But this is a pretty corner case.

I find this in the krb5kdc.log file:
Oct 07 16:28:01 linux.ipa.cxo.cpqcorp.net krb5kdc[12908](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.20.0.59: NEEDED_PREAUTH: host/linux.ipa.cxo.cpqcorp@ipa.cxo.cpqcorp.net

[Freeipa-users] FW: IdM failing to install after reconfiguring server.

2014-10-07 Thread Licause, Al (CSC AMS BCS - UNIX/Linux Network Support)
Dmitri,

Thanks very much. That did it. I'm making a special note of this one and not storing it in the Outlook folders.

RE: looking through the various log files didn't seem to help, as they are somewhat confusing to an IM novice like myself.

Al


From: freeipa-users-boun...@redhat.com 
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Dmitri Pal
Sent: Monday, October 06, 2014 4:08 PM
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] IdM failing to install after reconfiguring server.

On 10/06/2014 04:55 PM, Licause, Al (CSC AMS BCS - UNIX/Linux Network Support) 
wrote:

My apologies if this is a repeat, but for some reason Outlook has seen fit to delete or possibly hide the folder in which I have saved my entries from this subject.

I have reconfigured a RHEL V7 system so as to exist in a different subnet and domain from our AD server, to allow us to create trust domains between a Linux and a Windows domain.

I have rebooted the system, and now when I try to run a fresh install using ipa-system-install --uninstall followed by ipa-system-install I get the following error:


Done configuring directory server (dirsrv).
Configuring certificate server (pki-tomcatd): Estimated time 3 minutes 30 
seconds
  [1/22]: creating certificate server user
  [2/22]: configuring certificate server instance
ipa : CRITICAL failed to configure ca instance Command 
'/usr/sbin/pkispawn -s CA -f /tmp/tmpMmhbtg' returned non-zero exit status 1
Configuration of CA failed

Can anyone suggest what is failing and how we can go about fixing this ?

I think you hit this before in the other mail thread and it was recommended to 
do:

pkidestroy -s CA -i pki-tomcat
rm -rf /var/log/pki/pki-tomcat
rm -rf /etc/sysconfig/pki-tomcat
rm -rf /etc/sysconfig/pki/tomcat/pki-tomcat
rm -rf /var/lib/pki/pki-tomcat
rm -rf /etc/pki/pki-tomcat



Thanks
Al


Al Licause
CSC Americas BCS Technical Specialist
HP Customer Support Center
Hours 5am-2pm Pacific time USA
Manager: mark.bai...@hp.com

--

Thank you,

Dmitri Pal



Sr. Engineering Manager IdM portfolio

Red Hat, Inc.
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project

Re: [Freeipa-users] domain trust linux to AD server not finding user profiles

2014-10-07 Thread Licause, Al (CSC AMS BCS - UNIX/Linux Network Support)


I've been following the steps outlined in section 7.3.5 of the manual entitled

Integrating OpenShift Enterprise
with Identity Management (IdM)
in Red Hat Enterprise Linux
OpenShift Enterprise 2.1
IdM in Red Hat Enterprise Linux 7
Windows Server 2012 - Active Directory Integration

I now have our RHEL V7 running IdM, set up as an IdM server in a domain, realm and subnet different from our existing AD server running Windows 2008 R2, which has a populated user database that can be queried using ldapsearch and can authorize users.

I have successfully created a domain trust between the RHEL V7 Server
(linux.ipa.cxo.cpqcorp.net 10.20.0.59/24) and the AD Server
(win2008.osn.cxo.cpqcorp.net 16.112.240.55).

To simplify the configuration I have no firewall running, and so have stopped both iptables and firewalld.

All steps in section 7.3.5 have been followed. But when I run the first test for a user on the AD system, the system is unable to find anything:

[root@linux ~]# getent group 'OSN\Domain Users'
[root@linux ~]#
[root@linux ~]#
[root@linux ~]# getent passwd 'OSN\ldap25'
[root@linux ~]#


I find this in the krb5kdc.log file:
Oct 07 16:28:01 linux.ipa.cxo.cpqcorp.net krb5kdc[12908](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.20.0.59: NEEDED_PREAUTH: host/linux.ipa.cxo.cpqcorp@ipa.cxo.cpqcorp.net for krbtgt/ipa.cxo.cpqcorp@ipa.cxo.cpqcorp.net, Additional pre-authentication required
Oct 07 16:28:01 linux.ipa.cxo.cpqcorp.net krb5kdc[12908](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.20.0.59: ISSUE: authtime 1412713681, etypes {rep=18 tkt=18 ses=18}, host/linux.ipa.cxo.cpqcorp@ipa.cxo.cpqcorp.net for krbtgt/ipa.cxo.cpqcorp@ipa.cxo.cpqcorp.net
Oct 07 16:28:01 linux.ipa.cxo.cpqcorp.net krb5kdc[12908](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 10.20.0.59: ISSUE: authtime 1412713681, etypes {rep=18 tkt=18 ses=18}, host/linux.ipa.cxo.cpqcorp@ipa.cxo.cpqcorp.net for ldap/linux.ipa.cxo.cpqcorp@ipa.cxo.cpqcorp.net
Oct 07 16:28:01 linux.ipa.cxo.cpqcorp.net krb5kdc[12908](info): closing down fd 11

I'm not quite sure what else I'm missing or have not understood in order to query the AD server from the Linux IdM server... but it would appear that something is not correctly defined in the krb5.conf file found below:

[root@linux ~]# cat /etc/krb5.conf
includedir /var/lib/sss/pubconf/krb5.include.d/

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = IPA.CXO.CPQCORP.NET
dns_lookup_realm = false
dns_lookup_kdc = true
rdns = false
ticket_lifetime = 24h
forwardable = yes
default_ccache_name = KEYRING:persistent:%{uid}

[realms]
IPA.CXO.CPQCORP.NET = {
  kdc = linux.ipa.cxo.cpqcorp.net:88
  master_kdc = linux.ipa.cxo.cpqcorp.net:88
  admin_server = linux.ipa.cxo.cpqcorp.net:749
  default_domain = ipa.cxo.cpqcorp.net
  pkinit_anchors = FILE:/etc/ipa/ca.crt
  auth_to_local = RULE:[1:$1@$0](^.*@OSN.CXO.CPQCORP.NET$)s/@OSN.CXO.CPQCORP.NET/@osn.cxo.cpqcorp.net/
  auth_to_local = DEFAULT
}

OSN.CXO.CPQCORP.NET = {
  kdc = win2008.osn.cxo.cpqcorp.net
  master_kdc = win2008.osn.cxo.cpqcorp.net
  admin_server = win2008.osn.cxo.cpqcorp.net
}

[domain_realm]
.ipa.cxo.cpqcorp.net = IPA.CXO.CPQCORP.NET
ipa.cxo.cpqcorp.net = IPA.CXO.CPQCORP.NET
.osn.cxo.cpqcorp.net = OSN.CXO.CPQCORP.NET
osn.cxo.cpqcorp.net = OSN.CXO.CPQCORP.NET

[dbmodules]
  IPA.CXO.CPQCORP.NET = {
db_library = ipadb.so
  }



Any help greatly appreciated.

Al

Al Licause
CSC Americas BCS Technical Specialist
HP Customer Support Center
Hours 5am-2pm Pacific time USA
Manager: mark.bai...@hp.com

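The two auth_to_local lines in the krb5.conf above decide which local account an authenticated Kerberos principal becomes, which is the mapping the trusted AD users depend on. The following is an added example, not code from the thread, from MIT krb5 or from FreeIPA: a small Python re-implementation of the RULE:[n:string](regexp)s/pattern/replacement/[g] and DEFAULT semantics, with the rules and the default realm copied from the posted config, so you can see which principals map to a local name and which are refused.

```python
import re
from typing import List, Optional, Tuple

# Copied from the [realms] block of the krb5.conf in the thread; tried in order.
AUTH_TO_LOCAL_RULES = [
    "RULE:[1:$1@$0](^.*@OSN.CXO.CPQCORP.NET$)"
    "s/@OSN.CXO.CPQCORP.NET/@osn.cxo.cpqcorp.net/",
    "DEFAULT",
]
DEFAULT_REALM = "IPA.CXO.CPQCORP.NET"   # taken from the [libdefaults] block above

_RULE_RE = re.compile(
    r"^RULE:\[(\d+):([^\]]*)\]"                       # [n:string]
    r"\((.*?)\)"                                      # (selector regexp)
    r"s/((?:[^/\\]|\\.)*)/((?:[^/\\]|\\.)*)/(g?)$"    # s/pattern/replacement/[g]
)


def split_principal(principal: str) -> Tuple[List[str], str]:
    """'host/linux@REALM' -> (['host', 'linux'], 'REALM')."""
    name, sep, realm = principal.rpartition("@")
    if not sep or not name or not realm:
        raise ValueError(f"principal has no realm: {principal!r}")
    return name.split("/"), realm


def apply_rule(rule: str, components: List[str], realm: str) -> Optional[str]:
    """Return the local name this rule yields, or None if the rule does not apply."""
    if rule == "DEFAULT":
        # DEFAULT maps only single-component principals of the default realm.
        if len(components) == 1 and realm == DEFAULT_REALM:
            return components[0]
        return None
    m = _RULE_RE.match(rule)
    if not m:
        raise ValueError(f"unparseable auth_to_local rule: {rule!r}")
    ncomp, fmt, selector, pattern, replacement, flag = m.groups()
    if len(components) != int(ncomp):
        return None                    # rule is for principals of another shape

    def expand(var):                   # $0 = realm, $1..$n = principal components
        i = int(var.group(1))
        if i == 0:
            return realm
        if i > len(components):
            raise ValueError(f"${i} out of range in rule {rule!r}")
        return components[i - 1]

    candidate = re.sub(r"\$(\d+)", expand, fmt)
    if not re.search(selector, candidate):
        return None                    # selector regexp did not match
    # sed-style substitution; Python backrefs (\1) match sed's, sed's '&' is not handled.
    return re.sub(pattern, replacement, candidate, count=0 if flag == "g" else 1)


def principal_to_local(principal: str, rules=AUTH_TO_LOCAL_RULES) -> Optional[str]:
    """First applicable rule wins; None means krb5 refuses to map the principal."""
    components, realm = split_principal(principal)
    for rule in rules:
        local = apply_rule(rule, components, realm)
        if local is not None:
            return local
    return None


if __name__ == "__main__":
    for p in ("ldap25@OSN.CXO.CPQCORP.NET", "admin@IPA.CXO.CPQCORP.NET",
              "host/linux.ipa.cxo.cpqcorp.net@IPA.CXO.CPQCORP.NET",
              "ldap25@OTHER.EXAMPLE"):
        print(f"{p:55} -> {principal_to_local(p)}")
```

The last case shows the defensive side of the mapping: a principal from a realm that neither rule names gets no local account at all, rather than silently becoming the same-named IPA user.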

[Freeipa-users] FW: FW: named and IpA

2014-10-06 Thread Licause, Al (CSC AMS BCS - UNIX/Linux Network Support)
Thanks very much for the additional input. The configuration as you describe it is correct, with a minor detail correction that I didn't notice earlier: 16.112.240.27 is the master for the osn.cxo.cpqcorp.net zone while 16.112.240.40 is a slave for that zone. But as you have said, both are authoritative for that zone.

I won't belabor the point and will move on to try a different configuration, as my ultimate goal here is to create trust domains between a Linux and an AD domain. To that end I will reconfigure the current IdM server such that it is in a different subnet and domain.

I just find it odd that when ipa is shut down and named is restarted on the system designated as the IdM server, DNS works and the forwarders are not ignored as they are when ipa is running.

Al
 


-Original Message-
From: freeipa-users-boun...@redhat.com 
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Petr Spacek
Sent: Monday, October 06, 2014 12:57 AM
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] FW: named and IpA

Hello,

let me summarize the environment so we can be sure that I understood it 
correctly:

- there are (at least) two non-IPA DNS servers 16.112.240.27 and 16.112.240.40
- non-IPA servers are authoritative for DNS zone osn.cxo.cpqcorp.net
- IPA server is *also* configured to be authoritative for DNS zone 
osn.cxo.cpqcorp.net (as shown by ipa dnszone-find command).

I hope that this summary is correct, please let me know if it isn't.

This configuration cannot reliably work because there is a clash between sets of authoritative servers. The IPA server claims authority over domain osn.cxo.cpqcorp.net (set 1) and at the same time the non-IPA servers (set 2) deem themselves to be authoritative for domain osn.cxo.cpqcorp.net.

Unfortunately the IPA installer is not clever enough to detect this situation and warn you at the right time. We have a ticket for adding this check to new versions of IPA:
https://fedorahosted.org/freeipa/ticket/3681

The solution is to decide which set of servers (IPA or non-IPA) should really be authoritative and change the configuration appropriately.

If you want to use non-IPA servers as authoritative:
- Install IPA *without* the DNS component
- Add the required DNS records generated by the IPA installer to the non-IPA servers.

If you want to use IPA server as authoritative:
- Install IPA with DNS component
- Remove DNS zones from non-IPA servers or change configuration so non-IPA 
servers are *slaves* of IPA
- Change NS records in parent zone (presumably cxo.cpqcorp.net) so they point 
to IPA.

Don't hesitate to ask if you have further questions.

Petr^2 Spacek


On 3.10.2014 17:13, Licause, Al (CSC AMS BCS - UNIX/Linux Network Support) 
wrote:
 -Original Message-
 From: freeipa-users-boun...@redhat.com 
 [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Petr Spacek
 Sent: Friday, October 03, 2014 1:26 AM
 To: freeipa-users@redhat.com
 Subject: Re: [Freeipa-users] named and IpA

 On 2.10.2014 19:05, Licause, Al (CSC AMS BCS - UNIX/Linux Network Support) 
 wrote:
 We have IdM running on a RHEL V7 system and have configured a local 
 DNS server in our test lab.

 We have loaded the various SRV and TXT records needed by the IdM server.


 PROBLEM:

 From the IdM server we can only look up local records. The name resolver will not attempt to look to any other name servers or domains defined in /etc/resolv.conf.

 If I shut down IdM using ipactl stop and then restart named, the name resolver works for local and remote hosts, addresses and domains, as well as serving up the SRV records defined on the local host.

 Am I correct in assuming that while IdM is up and running, the only other systems it will communicate with, at least with regard to name services, is another host also running IdM defined either as a server or a client?

 If this is the case, is there any way to better integrate some of these common services such as named into an existing network such that you are not limited by the IdM components?

 I would like to get additional information about your environment:
 - Is the IPA server is installed with DNS or not? Did you use option 
 --setup-dns during ipa-server-install?

I have tried it both ways, but in the most current installation, in which we see this behavior, I ran ipa-server-install with no arguments and said yes to the question about installing DNS. I then replied with two valid forwarders. In a previous installation, we added two of our local zones from one of the other DNS servers and then added the sample zone provided by the installation, which contained the various SRV and TXT records. But for the current reporting of this problem, we did not add/load the other zone files.

 - Which DNS zones do you have defined on IPA server? You can use command ipa 
 dnszone-find to list all zones.

 [root@linux named]# ipa dnsconfig-mod 
 --forwarder=16.112.240.27;16.112.240.40
 ipa: ERROR: no modifications

[Freeipa-users] FW: FW: FW: named and IpA

2014-10-06 Thread Licause, Al (CSC AMS BCS - UNIX/Linux Network Support)
Thanks for the additional data. It starts to make sense now, but I'm wondering if that could possibly be a weakness in the IdM model?

Al 

-Original Message-
From: freeipa-users-boun...@redhat.com 
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Petr Spacek
Sent: Monday, October 06, 2014 7:35 AM
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] FW: FW: named and IpA

On 6.10.2014 15:17, Licause, Al (CSC AMS BCS - UNIX/Linux Network Support) 
wrote:
 Thanks very much for the additional input. The configuration as you describe it is correct, with a minor detail correction that I didn't notice earlier: 16.112.240.27 is the master for the osn.cxo.cpqcorp.net zone while 16.112.240.40 is a slave for that zone. But as you have said, both are authoritative for that zone.

 I won't belabor the point and will move on to try a different configuration 
 as my ultimate goal here is to create
 trust domains between a linux and an AD domain. To that end I will 
 reconfigure the current IdM server such that
 it is in a different subnet and domain.

 I just find it odd that when ipa is shut down and named is restarted on the system designated as the IdM server, DNS works and the forwarders are not ignored as they are when ipa is running.

The reason is that the authoritative data are stored in LDAP, but the global forwarding configuration (specified on the ipa-server-install command line) is stored in /etc/named.conf.

The LDAP server is not reachable when IPA is down, so BIND cannot see the zones in LDAP, and the global forwarding in named.conf is what makes it accidentally work for you.

Forwarding is evil :-)

--
Petr^2 Spacek



[Freeipa-users] FW: FW: FW: FW: named and IpA

2014-10-06 Thread Licause, Al (CSC AMS BCS - UNIX/Linux Network Support)
I'm sure my doubts come from my lack of experience with IM at this time. Perhaps with a bit more driving time I'll come to appreciate the package a bit more.

Thanks again for your patience and explanations.

Al

-Original Message-
From: freeipa-users-boun...@redhat.com 
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Petr Spacek
Sent: Monday, October 06, 2014 9:39 AM
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] FW: FW: FW: named and IpA

On 6.10.2014 17:22, Licause, Al (CSC AMS BCS - UNIX/Linux Network Support) 
wrote:
 Thanks for the additional data. It starts to make sense now, but I'm wondering if that could possibly be a weakness in the IdM model?

Well, define a weakness :-)

The whole IPA server is built around the LDAP database, so LDAP is a single point of failure *for one particular* IPA server.

IPA offers a solution called replicas. You can have multiple IPA servers with a (two-way) replicated LDAP database, so an outage on N-1 servers will not affect your clients as long as the clients are able to fail over to the last functional server.

I hope I understood your question :-)

Petr^2 Spacek


 Al

 -Original Message-
 From: freeipa-users-boun...@redhat.com 
 [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Petr Spacek
 Sent: Monday, October 06, 2014 7:35 AM
 To: freeipa-users@redhat.com
 Subject: Re: [Freeipa-users] FW: FW: named and IpA

 On 6.10.2014 15:17, Licause, Al (CSC AMS BCS - UNIX/Linux Network Support) 
 wrote:
 Thanks very much for the additional input. The configuration as you describe it is correct, with a minor detail correction that I didn't notice earlier: 16.112.240.27 is the master for the osn.cxo.cpqcorp.net zone while 16.112.240.40 is a slave for that zone. But as you have said, both are authoritative for that zone.

 I won't belabor the point and will move on to try a different configuration 
 as my ultimate goal here is to create
 trust domains between a linux and an AD domain. To that end I will 
 reconfigure the current IdM server such that
 it is in a different subnet and domain.

 I just find it odd that when ipa is shut down and named is restarted on the system designated as the IdM server, DNS works and the forwarders are not ignored as they are when ipa is running.

 The reason is that the authoritative data are stored in LDAP, but the global forwarding configuration (specified on the ipa-server-install command line) is stored in /etc/named.conf.

 The LDAP server is not reachable when IPA is down, so BIND cannot see the zones in LDAP, and the global forwarding in named.conf is what makes it accidentally work for you.

 Forwarding is evil :-)

 --
 Petr^2 Spacek




--
Petr^2 Spacek



[Freeipa-users] IdM failing to install after reconfiguring server.

2014-10-06 Thread Licause, Al (CSC AMS BCS - UNIX/Linux Network Support)


My apologies if this is a repeat, but for some reason Outlook has seen fit to delete or possibly hide the folder in which I have saved my entries from this subject.

I have reconfigured a RHEL V7 system so as to exist in a different subnet and domain from our AD server, to allow us to create trust domains between a Linux and a Windows domain.

I have rebooted the system, and now when I try to run a fresh install using ipa-system-install --uninstall followed by ipa-system-install I get the following error:


Done configuring directory server (dirsrv).
Configuring certificate server (pki-tomcatd): Estimated time 3 minutes 30 
seconds
  [1/22]: creating certificate server user
  [2/22]: configuring certificate server instance
ipa : CRITICAL failed to configure ca instance Command 
'/usr/sbin/pkispawn -s CA -f /tmp/tmpMmhbtg' returned non-zero exit status 1
Configuration of CA failed

Can anyone suggest what is failing and how we can go about fixing this ?

Thanks
Al


Al Licause
CSC Americas BCS Technical Specialist
HP Customer Support Center
Hours 5am-2pm Pacific time USA
Manager: mark.bai...@hp.com


[Freeipa-users] FW: named and IpA

2014-10-03 Thread Licause, Al (CSC AMS BCS - UNIX/Linux Network Support)


-Original Message-
From: Licause, Al (CSC AMS BCS - UNIX/Linux Network Support) 
Sent: Friday, October 03, 2014 7:11 AM
To: 'Jan Pazdziora'
Subject: RE: [Freeipa-users] named and IpA

Jan,

Just for kicks, I tried to use the ipa dnsconfig-mod command to add information 
about the local name server.

I was able to set the forwarding policy but I was only able to set a single 
forwarder.

If I issued a second forwarder, the previous entry was replaced by the new one 
and only one forwarder shows as active:

[root@linux named]# ipa dnsconfig-show
  Global forwarders: 16.112.240.40
  Forward policy: first

[root@linux named]# ipa dnsconfig-mod --forwarder=16.112.240.27
  Global forwarders: 16.112.240.27
  Forward policy: first

[root@linux named]# ipa dnsconfig-show
  Global forwarders: 16.112.240.27
  Forward policy: first

If I attempt to place more than one forwarder in the arguments, I get an error:

[root@linux named]# ipa dnsconfig-mod --forwarder=16.112.240.27;16.112.240.40
ipa: ERROR: no modifications to be performed
bash: 16.112.240.40: command not found...

The Fedora documentation only gives examples for adding a single forwarder, so this seems to be a shortcoming in the current implementation.

However, having performed these steps, it still did not allow the local name 
server to look at anything past the local database or use the designated 
forwarders.

Al


-Original Message-
From: Jan Pazdziora [mailto:jpazdzi...@redhat.com]
Sent: Thursday, October 02, 2014 11:23 PM
To: Licause, Al (CSC AMS BCS - UNIX/Linux Network Support)
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] named and IpA

On Thu, Oct 02, 2014 at 05:05:10PM +, Licause, Al (CSC AMS BCS - UNIX/Linux 
Network Support) wrote:
 
 From the IdM server we can only look up local records. The name resolver will not attempt to look to any other name servers or domains defined in /etc/resolv.conf.

What exactly is in your /etc/resolv.conf? Just the IP address of the IPA server 
(localhost), or some other records?

 If I shutdown IdM using ipactl stop and then restart named, the name 
 resolver works for local and remote hosts, addresses and domains as 
 well as serving up the SRV records defined on the local host.

So if all IdM services are running, you do not seem to have named observing 
forwarders settings but if you only run named on the IdM machine and nothing 
else, it starts to observe them?

Can you show dig output for one of the problematic records to see which DNS 
server is answering the query?

--
Jan Pazdziora
Principal Software Engineer, Identity Management Engineering, Red Hat



[Freeipa-users] FW: named and IpA

2014-10-03 Thread Licause, Al (CSC AMS BCS - UNIX/Linux Network Support)


-Original Message-
From: Licause, Al (CSC AMS BCS - UNIX/Linux Network Support) 
Sent: Friday, October 03, 2014 6:31 AM
To: 'Jan Pazdziora'
Subject: RE: [Freeipa-users] named and IpA


Jan,

After submitting this request, and since these are crash-and-burn lab systems, I reran ipa-server-install --uninstall and ran the installation script again, this time without allowing a local DNS server to be created. Once we got all of our zone files corrected, the system was able to resolve names and addresses, but I have rerun the configurator again today so I can try to answer your questions.

Just after running the configurator and setting up a new IdM server, the resolv.conf contains the following:

search osn.cxo.cpqcorp.net
nameserver 16.112.240.59

This is the domain in which this server resides, and this is the server's IP address.

By default, the /etc/named.conf file that is created only loads the root servers zone and the dynamic-db ipa data. It also contains the following forwarder information, which includes the two forwarders as requested in the installation script:

forward first;
forwarders {
16.112.240.27;
16.112.240.40;
};

These forwarders are the two primary dns servers in the domain.

Given that information, the only host that can be resolved at the moment is the local server's name, which is linux:

[root@linux named]# nslookup linux
Server: 16.112.240.59
Address:16.112.240.59#53

Name:   linux.osn.cxo.cpqcorp.net
Address: 16.112.240.59

[root@linux named]#
[root@linux named]#
[root@linux named]#
[root@linux named]# nslookup denali
Server: 16.112.240.59
Address:16.112.240.59#53

** server can't find denali: NXDOMAIN

[root@linux named]# nslookup denali.osn.cxo.cpqcorp.net
Server: 16.112.240.59
Address:16.112.240.59#53

** server can't find denali.osn.cxo.cpqcorp.net: NXDOMAIN


[root@linux named]# nslookup 16.112.240.27
Server: 16.112.240.59
Address:16.112.240.59#53

** server can't find 27.240.112.16.in-addr.arpa.: NXDOMAIN

[root@linux named]# nslookup www.pbs.org
Server: 16.112.240.59
Address:16.112.240.59#53

Non-authoritative answer:
www.pbs.org canonical name = r53-vip.pbs.org.
Name:   r53-vip.pbs.org
Address: 54.160.180.54


As you can see from above, only the local host was successfully resolved using nslookup. Attempts to look up any other host within our own address space fail. We can look up hosts and addresses that are in the public space from the hints zone in the named.conf file.

# dig denali

; <<>> DiG 9.9.4-RedHat-9.9.4-14.el7 <<>> denali
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 30298
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;denali.                        IN      A

;; AUTHORITY SECTION:
.                       10564   IN      SOA     a.root-servers.net. nstld.verisign-grs.com. 2014100300 1800 900 604800 86400

;; Query time: 0 msec
;; SERVER: 16.112.240.59#53(16.112.240.59)
;; WHEN: Fri Oct 03 09:23:13 EDT 2014
;; MSG SIZE  rcvd: 110


As you can see from the dig command, the request is not going past the local 
host.

But now if I stop ipa and then restart named on this host, the forwarders 
appear to work just fine:

[root@linux named]# ipactl stop
Stopping Directory Service
Stopping ipa-otpd Service
Stopping pki-tomcatd Service
Stopping httpd Service
Stopping ipa_memcached Service
Stopping named Service
Stopping kadmin Service
Stopping krb5kdc Service
ipa: INFO: The ipactl command was successful
[root@linux named]#
[root@linux named]#
[root@linux named]# systemctl start named
[root@linux named]#
[root@linux named]#
[root@linux named]# systemctl status named.service
named.service - Berkeley Internet Name Domain (DNS)
   Loaded: loaded (/usr/lib/systemd/system/named.service; disabled)
   Active: active (running) since Fri 2014-10-03 09:24:26 EDT; 8s ago
  Process: 7801 ExecStop=/bin/sh -c /usr/sbin/rndc stop > /dev/null 2>&1 || /bin/kill -TERM $MAINPID (code=exited, status=0/SUCCESS)
  Process: 7820 ExecStart=/usr/sbin/named -u named $OPTIONS (code=exited, status=0/SUCCESS)
  Process: 7818 ExecStartPre=/usr/sbin/named-checkconf -z /etc/named.conf (code=exited, status=0/SUCCESS)
 Main PID: 7823 (named)
   CGroup: /system.slice/named.service
           └─7823 /usr/sbin/named -u named

Oct 03 09:24:26 linux.ipa.osn.cxo.cpqcorp.net named[7823]: managed-keys-zone:...
Oct 03 09:24:26 linux.ipa.osn.cxo.cpqcorp.net named[7823]: zone 0.in-addr.arp...
Oct 03 09:24:26 linux.ipa.osn.cxo.cpqcorp.net named[7823]: zone 1.0.0.127.in-...
Oct 03 09:24:26 linux.ipa.osn.cxo.cpqcorp.net named[7823]: zone 1.0.0.0.0.0.0...
Oct 03 09:24:26 linux.ipa.osn.cxo.cpqcorp.net named[7823]: zone localhost/IN:...
Oct 03 09:24:26 linux.ipa.osn.cxo.cpqcorp.net named[7823
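Jan's question earlier in the thread (which DNS server is actually answering) is what the dig output above settles, and the following added example, which is not code from the thread, from BIND or from FreeIPA, automates that reading. It parses a dig transcript for the answering server, the aa flag, the status and the owner of the SOA in the AUTHORITY section, and classifies the result: an NXDOMAIN backed by the root SOA means the local named walked the root hints and never consulted a forwarder that knows the zone, which is the symptom shown above. Both transcripts embedded below are constructed for this example, modelled on the one in the thread.

```python
import re
from dataclasses import dataclass, field
from typing import Optional, Set

# Constructed sample modelled on the dig output in the thread: the local named
# (16.112.240.59) answers NXDOMAIN for "denali" and proves it with the root SOA.
DIG_ROOT_NXDOMAIN = """\
; <<>> DiG 9.9.4-RedHat-9.9.4-14.el7 <<>> denali
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 30298
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;denali.                        IN      A

;; AUTHORITY SECTION:
.                       10564   IN      SOA     a.root-servers.net. nstld.verisign-grs.com. 2014100300 1800 900 604800 86400

;; Query time: 0 msec
;; SERVER: 16.112.240.59#53(16.112.240.59)
;; WHEN: Fri Oct 03 09:23:13 EDT 2014
;; MSG SIZE  rcvd: 110
"""

# Constructed sample of an answer from a server that really holds the zone:
# the aa flag is set (192.0.2.10 is a documentation address, not a real host).
DIG_AUTHORITATIVE = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;denali.osn.cxo.cpqcorp.net.    IN      A

;; ANSWER SECTION:
denali.osn.cxo.cpqcorp.net. 3600 IN     A       192.0.2.10

;; SERVER: 16.112.240.27#53(16.112.240.27)
"""


@dataclass
class DigSummary:
    status: Optional[str] = None
    flags: Set[str] = field(default_factory=set)
    answers: int = 0
    server: Optional[str] = None      # the ";; SERVER:" line, i.e. who answered
    soa_owner: Optional[str] = None   # owner of the SOA in AUTHORITY, if any


def parse_dig(output: str) -> DigSummary:
    """Pull the fields needed for the diagnosis out of a dig transcript."""
    s = DigSummary()
    section = None
    for line in output.splitlines():
        if line.startswith(";; ") and line.endswith("SECTION:"):
            section = line[3:].split()[0]          # QUESTION / ANSWER / AUTHORITY ...
        elif not line.strip():
            section = None
        elif line.startswith(";; ->>HEADER<<-"):
            m = re.search(r"status: (\w+)", line)
            s.status = m.group(1) if m else None
        elif line.startswith(";; flags:"):
            head, _, counts = line[len(";; flags:"):].partition(";")
            s.flags = set(head.split())
            m = re.search(r"ANSWER: (\d+)", counts)
            s.answers = int(m.group(1)) if m else 0
        elif line.startswith(";; SERVER:"):
            s.server = line.split(":", 1)[1].strip()
        elif section == "AUTHORITY" and not line.startswith(";"):
            fields = line.split()
            if len(fields) >= 4 and fields[3] == "SOA":
                s.soa_owner = fields[0]
    return s


def diagnose(s: DigSummary, zone: str) -> str:
    """Classify who really answered a query for a name that should live in `zone`."""
    if "aa" in s.flags:
        return "authoritative"            # the answering server holds the zone itself
    if s.status == "NXDOMAIN" and s.soa_owner == ".":
        # Negative answer proven by the root SOA: named walked the root hints
        # and never asked a forwarder that knows the zone.
        return "resolved-via-root-hints"
    if s.soa_owner and s.soa_owner.rstrip(".").lower() == zone.rstrip(".").lower():
        return "negative-from-zone"       # a holder of the zone says the name is absent
    if s.answers > 0:
        return "non-authoritative"        # recursive or cached answer, forwarding worked
    return "unknown"


if __name__ == "__main__":
    for label, text in (("thread sample", DIG_ROOT_NXDOMAIN), ("aa sample", DIG_AUTHORITATIVE)):
        summary = parse_dig(text)
        print(f"{label}: server={summary.server} status={summary.status} "
              f"-> {diagnose(summary, 'osn.cxo.cpqcorp.net')}")
```

Run it against `dig @16.112.240.59 denali.osn.cxo.cpqcorp.net` and `dig @16.112.240.27 ...` captures to see, for each server, whether it is answering from its own zone data, from a forwarder, or from the root hints.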

[Freeipa-users] FW: named and IpA

2014-10-03 Thread Licause, Al (CSC AMS BCS - UNIX/Linux Network Support)
Dmitri,

Thanks for the input, but I tend to think the problem is further down within IM. If it were a pure name misconfiguration, why would it work when IM is shut down and named restarted, with no change to the DNS records?

I'll keep monitoring this discussion for further input.

Al

From: freeipa-users-boun...@redhat.com 
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Dmitri Pal
Sent: Thursday, October 02, 2014 5:24 PM
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] named and IpA

On 10/02/2014 01:05 PM, Licause, Al (CSC AMS BCS - UNIX/Linux Network Support) 
wrote:

We have IdM running on a RHEL V7 system and have configured a local DNS server
in our test lab.

We have loaded the various SRV and TXT records needed by the IdM server.


PROBLEM:

From the IdM server we can only lookup local records.  The name resolver will 
not attempt to look to any other name servers or domains defined in 
/etc/resolv.conf

If I shutdown IdM using ipactl stop and then restart named, the name resolver 
works
for local and remote hosts, addresses and domains as well as serving up the SRV 
records
defined on the local host.

Am I correct in assuming that while IdM is up and running, the only other 
systems it
will communicate with at least with regard to name services is another host also
running IdM defined either as a server or a client ?

If this is the case, is there any way to better integrate some of these common 
services such as named into an existing network such that you are not limited 
by the IdM components?


Al Licause



If DNS is running on IdM the DNS lookups might be forwarded to different DNS 
servers depending on your DNS configuration.
Based on what you describe it seems that there is some sort of DNS 
misconfiguration.
I would leave it to the gurus to help you with that.

-- 
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project

[Freeipa-users] FW: Problems and questions installing Identity Manager on RHEL V7

2014-10-03 Thread Licause, Al (CSC AMS BCS - UNIX/Linux Network Support)
The steps recommended by Alexander did work for me, but should it happen again, 
is there anything that can be gathered/submitted to help debug this?

Al

-Original Message-
From: Alexander Bokovoy [mailto:aboko...@redhat.com] 
Sent: Friday, October 03, 2014 12:30 AM
To: Endi Sukma Dewata
Cc: Licause, Al (CSC AMS BCS - UNIX/Linux Network Support); 
freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Problems and questions installing Identity Manager 
on RHEL V7

On Thu, 02 Oct 2014, Endi Sukma Dewata wrote:
On 10/1/2014 12:46 PM, Alexander Bokovoy wrote:
On Wed, 01 Oct 2014, Licause, Al (CSC AMS BCS - UNIX/Linux Network
Support) wrote:

I have tried to deinstall and reinstall the ipa server but the 
installation is now failing.


The ipa-server-install is failing with the following:

 [37/38]: tuning directory server
 [38/38]: configuring directory to start on boot
Done configuring directory server (dirsrv).
Configuring certificate server (pki-tomcatd): Estimated time 3 minutes 30 seconds
 [1/22]: creating certificate server user
 [2/22]: configuring certificate server instance
ipa : CRITICAL failed to configure ca instance Command
'/usr/sbin/pkispawn -s CA -f /tmp/tmpLb1CmI' returned non-zero exit status 1
Configuration of CA failed

This happens each time I try to uninstall and reinstall the ipa 
server on RHEL V7.


Looking at the latest log in /var/log/pki, I see this at the end of 
the log:

2014-10-01 11:53:10 pkispawn: INFO BEGIN spawning subsystem
'CA' of instance 'pki-tomcat' . . .
2014-10-01 11:53:10 pkispawn: INFO ... initializing
'pki.deployment.initialization'
2014-10-01 11:53:10 pkispawn: ERROR... PKI subsystem 'CA'
for instance 'pki-tomcat' already exists!
2014-10-01 11:53:10 pkispawn: DEBUG... Error Type: SystemExit
2014-10-01 11:53:10 pkispawn: DEBUG... Error Message: 1
2014-10-01 11:53:10 pkispawn: DEBUG...   File
/usr/sbin/pkispawn, line 374, in main
   rv = instance.spawn()
 File
/usr/lib/python2.7/site-packages/pki/deployment/initialization.py,
line 56, in spawn
   util.instance.verify_subsystem_does_not_exist()
 File /usr/lib/python2.7/site-packages/pki/deployment/pkihelper.py,
line 990, in verify_subsystem_does_not_exist
   sys.exit(1)

I am no python expert by any means and I'm not sure what this is 
telling us so any help would be greatly appreciated.

This issue is known -- when CA install fails, we rollback but since CA 
isn't installed, we miss rolling it back. There is a ticket for 
eventually fixing this issue.

Which ticket is this? The rollback was actually disabled to allow 
troubleshooting the failed installation:
https://fedorahosted.org/freeipa/ticket/3990
I think this ticket is unrelated -- its solution only affects 
ipa-client-install --on-master, not what ipa-server-install does when it rolls 
back configuration for dirsrv and other servers.

I can't find the exact ticket though.

Following sequence should clean up all the bits:

pkidestroy -s CA -i pki-tomcat
rm -rf /var/log/pki/pki-tomcat
rm -rf /etc/sysconfig/pki-tomcat
rm -rf /etc/sysconfig/pki/tomcat/pki-tomcat
rm -rf /var/lib/pki/pki-tomcat
rm -rf /etc/pki/pki-tomcat

It's not official, but we call this step pki-nuke.

It also helps to reboot between multiple reinstalls on a single machine.

Rather than rolling back the installation automatically (and delete all 
files needed to troubleshoot the problem), it would be better to 
provide an option to the uninstall command to forcibly remove all 
installed files regardless whether the installation was successful or 
not, just like the pki-nuke above.
We simply have no information about what pkicreate did before it failed.
--
/ Alexander Bokovoy



[Freeipa-users] FW: named and IpA

2014-10-03 Thread Licause, Al (CSC AMS BCS - UNIX/Linux Network Support)


-Original Message-
From: freeipa-users-boun...@redhat.com 
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Petr Spacek
Sent: Friday, October 03, 2014 1:26 AM
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] named and IpA

On 2.10.2014 19:05, Licause, Al (CSC AMS BCS - UNIX/Linux Network Support) 
wrote:
 We have IdM running on a RHEL V7 system and have configured a local 
 DNS server in our test lab.

 We have loaded the various SRV and TXT records needed by the IdM server.


 PROBLEM:

 From the IdM server we can only lookup local records.  The name 
 resolver will not attempt to look to any other name servers or domains 
 defined in /etc/resolv.conf

 If I shutdown IdM using ipactl stop and then restart named, the name 
 resolver works for local and remote hosts, addresses and domains as 
 well as serving up the SRV records defined on the local host.

 Am I correct in assuming that while IdM is up and running, the only 
 other systems it will communicate with at least with regard to name 
 services is another host also running IdM defined either as a server or a 
 client ?

 If this is the case, is there any way to better integrate some of these 
 common services such as named into an existing network such that you are not 
 limited by the IdM components?

I would like to get additional information about your environment:
- Is the IPA server installed with DNS or not? Did you use option 
--setup-dns during ipa-server-install?

   I have tried it both ways, but the most current in which we see this 
 behavior I ran ipa-server-install with no arguments and said yes to the 
 question about installing DNS. I then replied with two valid forwarders.
   In a previous installation, we added two of our local zones from one of 
 the other dns servers and then added the sample zone provided by the 
 installation which contained the various SRV and TXT records.   But for 
 current reporting of this problem, we did not add/load the other zone files.

- Which DNS zones do you have defined on IPA server? You can use command ipa 
dnszone-find to list all zones.

[root@linux named]# ipa dnsconfig-mod --forwarder=16.112.240.27;16.112.240.40
ipa: ERROR: no modifications to be performed
bash: 16.112.240.40: command not found...
[root@linux named]# ipa dnszone-find
  Zone name: 240.112.16.in-addr.arpa.
  Authoritative nameserver: linux.osn.cxo.cpqcorp.net.
  Administrator e-mail address: hostmaster.osn.cxo.cpqcorp.net.
  SOA serial: 1412344406
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  Active zone: TRUE
  Allow query: any;
  Allow transfer: none;

  Zone name: osn.cxo.cpqcorp.net
  Authoritative nameserver: linux.osn.cxo.cpqcorp.net.
  Administrator e-mail address: hostmaster.osn.cxo.cpqcorp.net.
  SOA serial: 1412344406
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  Active zone: TRUE
  Allow query: any;
  Allow transfer: none;

Number of entries returned 2


- Is there any other DNS servers serving same DNS zones?

  Yes, we left the other two existing DNS servers in place as they are our 
 primary name servers for this lab segment.
  Those are the two systems we have entered as forwarders.

- Did you configure forwarders in /etc/named.conf or via ipa command line tools 
(ipa dnsconfig-mod or --forwarder option during ipa-server-install)?

  The forwarders were placed in the /etc/named.conf file by the 
 ipa-server-install script or one of its subordinate scripts.
  I did try entering the forward policy and forwarders using ipa 
 dnsconfig-mod but they didn't seem to change the behavior.
   One thing I did notice was that ipa dnsconfig-mod --forwarder= only 
 allowed one forwarder to be entered. Adding a second entry on the line 
 resulted in an error. If entered with a second --forwarders command, the 
 previous forwarder was replaced by the new one.  So if there is a particular 
 syntax that would allow more than one entry, can you please post same?

- Please attach result of DNS lookups using dig command: One output when it 
doesn't work (i.e. with IPA running) and the other when it works as you expect 
(i.e. after ipactl stop and service named restart).

 with ipa running:

[root@linux named]# nslookup dl160a.osn.cxo.cpqcorp.net
Server: 16.112.240.59
Address:16.112.240.59#53

** server can't find dl160a.osn.cxo.cpqcorp.net: NXDOMAIN

[root@linux named]# dig dl160a.osn.cxo.cpqcorp.net

; <<>> DiG 9.9.4-RedHat-9.9.4-14.el7 <<>> dl160a.osn.cxo.cpqcorp.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 6571
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;dl160a.osn.cxo.cpqcorp.net.IN  A

;; AUTHORITY SECTION:
osn.cxo.cpqcorp.net.3600IN  SOA

[Freeipa-users] FW: FW: FW: named and IpA

2014-10-03 Thread Licause, Al (CSC AMS BCS - UNIX/Linux Network Support)
Ah, excellent suggestion!

Thanks very much that worked.

[root@linux named]# ipa dnsconfig-mod --forwarder=16.112.240.27 
--forwarder=16.112.240.40
  Global forwarders: 16.112.240.27, 16.112.240.40
  Forward policy: first

Unfortunately it didn't fix the problem. While IdM is running the local 
name server still can't resolve any hosts or addresses unknown to the local 
name server.

Al



-Original Message-
From: freeipa-users-boun...@redhat.com 
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Rich Megginson
Sent: Friday, October 03, 2014 9:44 AM
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] FW: FW: named and IpA

On 10/03/2014 09:22 AM, Licause, Al (CSC AMS BCS - UNIX/Linux Network
Support) wrote:

 -Original Message-
 From: freeipa-users-boun...@redhat.com 
 [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Rich Megginson
 Sent: Friday, October 03, 2014 8:03 AM
 To: freeipa-users@redhat.com
 Subject: Re: [Freeipa-users] FW: named and IpA

 On 10/03/2014 08:32 AM, Licause, Al (CSC AMS BCS - UNIX/Linux Network
 Support) wrote:
 -Original Message-
 From: Licause, Al (CSC AMS BCS - UNIX/Linux Network Support)
 Sent: Friday, October 03, 2014 7:11 AM
 To: 'Jan Pazdziora'
 Subject: RE: [Freeipa-users] named and IpA

 Jan,

 Just for kicks, I tried to use the ipa dnsconfig-mod command to add 
 information about the local name server.

 I was able to set the forwarding policy but I was only able to set a single 
 forwarder.

 If I issued a second forwarder, the previous entry was replaced by the new 
 one and only one forwarder shows as active:

 [root@linux named]# ipa dnsconfig-show
 Global forwarders: 16.112.240.40
 Forward policy: first

 [root@linux named]# ipa dnsconfig-mod --forwarder=16.112.240.27
 Global forwarders: 16.112.240.27
 Forward policy: first

 [root@linux named]# ipa dnsconfig-show
 Global forwarders: 16.112.240.27
 Forward policy: first

 If I attempt to place more than one forwarder in the arguments, I get an 
 error:

 [root@linux named]# ipa dnsconfig-mod
 --forwarder=16.112.240.27;16.112.240.40
 ipa: ERROR: no modifications to be performed
 bash: 16.112.240.40: command not found...
 You cannot use an unescaped semicolon
 $ man bash
 ...
 DEFINITIONS
 ...
  metacharacter
         A character that, when unquoted, separates words. One of the
         following:
         |  & ; ( ) < > space tab

   Thanks for the reply. If it is possible to enter more than one 
 forwarder with the ipa dnsconfig-mod command, can you show an example? 
 I have tried variations with no luck.
 Al

Have you tried multiple --forwarder flags?  e.g. # ipa dnsconfig-mod
--forwarder=16.112.240.27 --forwarder=16.112.240.40 ...



 The Fedora documentation only gives examples for adding a single 
 forwarder, so this seems to be a shortcoming in the current 
 implementation.

 However, having performed these steps, it still did not allow the local name 
 server to look at anything past the local database or use the designated 
 forwarders.

 Al


 -Original Message-
 From: Jan Pazdziora [mailto:jpazdzi...@redhat.com]
 Sent: Thursday, October 02, 2014 11:23 PM
 To: Licause, Al (CSC AMS BCS - UNIX/Linux Network Support)
 Cc: freeipa-users@redhat.com
 Subject: Re: [Freeipa-users] named and IpA

 On Thu, Oct 02, 2014 at 05:05:10PM +, Licause, Al (CSC AMS BCS - 
 UNIX/Linux Network Support) wrote:
 From the IdM server we can only lookup local records.  The name
 resolver will not attempt to look to any other name servers or domains 
 defined in /etc/resolv.conf
 What exactly is in your /etc/resolv.conf? Just the IP address of the IPA 
 server (localhost), or some other records?

 If I shutdown IdM using ipactl stop and then restart named, the name 
 resolver works for local and remote hosts, addresses and domains as 
 well as serving up the SRV records defined on the local host.
 So if all IdM services are running, you do not seem to have named observing 
 forwarders settings but if you only run named on the IdM machine and nothing 
 else, it starts to observe them?

 Can you show dig output for one of the problematic records to see which DNS 
 server is answering the query?

 --
 Jan Pazdziora
 Principal Software Engineer, Identity Management Engineering, Red Hat

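Jan and Petr both asked for the dig output in order to see which server answers the query and whether it answers from its own data. Added here as an editor's example (not code from the thread or from FreeIPA): a small POSIX shell helper that reads a dig transcript and reports the answering server, the response status, and whether the `aa` (authoritative answer) flag is set. The posted output carries `flags: qr aa rd ra`, `status: NXDOMAIN` and an authority SOA for `osn.cxo.cpqcorp.net`, which means the local named hosts that zone itself; BIND answers names inside its own authoritative zones from zone data and does not consult forwarders for them, so the forwarder settings only affect names outside those zones. The two transcripts embedded below are constructed for this example (the SOA fields are taken from the `ipa dnszone-find` output above; `www.example.com` and `192.0.2.10` are placeholder values).

```shell
#!/bin/sh
# Added example, not from the thread: classify a dig answer to tell
# whether the queried server answered authoritatively ("aa" flag) and
# therefore never consulted its forwarders, or answered by recursion/forwarding.

# Extract the first line of dig output ($1) that matches sed script $2.
dig_field() {
    printf '%s\n' "$1" | sed -n "$2" | head -n 1
}

# Print "<server> <status> <authoritative|non-authoritative>" for a dig transcript.
dig_summary() {
    status=$(dig_field "$1" 's/.*status: \([A-Z]*\),.*/\1/p')
    flags=$(dig_field "$1" 's/^;; flags: \([a-z ]*\);.*/\1/p')
    server=$(dig_field "$1" 's/^;; SERVER: \([^ (]*\).*/\1/p')
    [ -n "$server" ] || server=unknown
    case " $flags " in
        *" aa "*) auth=authoritative ;;
        *)        auth=non-authoritative ;;
    esac
    printf '%s %s %s\n' "$server" "$status" "$auth"
}

# One-line verdict. An authoritative NXDOMAIN means the name lies inside a
# zone this server hosts itself; BIND answers from that zone and does not
# consult forwarders for it. Only names outside its zones are forwarded.
dig_verdict() {
    summary=$(dig_summary "$1")
    status=${summary#* }; status=${status%% *}
    auth=${summary##* }
    case "$status/$auth" in
        NXDOMAIN/authoritative)
            echo "authoritative NXDOMAIN: name is in a local zone, forwarders not consulted" ;;
        NOERROR/non-authoritative)
            echo "answered via recursion/forwarding" ;;
        NOERROR/authoritative)
            echo "answered from local authoritative data" ;;
        *)
            echo "$status ($auth)" ;;
    esac
}

# Constructed transcript 1: what the thread's failing lookup looks like with
# IdM running (values mirror the posted dig and ipa dnszone-find output).
DIG_IPA_RUNNING=$(cat <<'EOF'
; <<>> DiG 9.9.4-RedHat-9.9.4-14.el7 <<>> dl160a.osn.cxo.cpqcorp.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 6571
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;dl160a.osn.cxo.cpqcorp.net.    IN      A

;; AUTHORITY SECTION:
osn.cxo.cpqcorp.net.    3600    IN      SOA     linux.osn.cxo.cpqcorp.net. hostmaster.osn.cxo.cpqcorp.net. 1412344406 3600 900 1209600 3600

;; Query time: 0 msec
;; SERVER: 16.112.240.59#53(16.112.240.59)
EOF
)

# Constructed transcript 2: a name outside the local zones, answered via the
# forwarders (no "aa" flag). www.example.com / 192.0.2.10 are placeholders.
DIG_FORWARDED=$(cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
www.example.com.        300     IN      A       192.0.2.10

;; Query time: 12 msec
;; SERVER: 16.112.240.59#53(16.112.240.59)
EOF
)

# Stand-alone usage: summarize both constructed transcripts.
dig_summary "$DIG_IPA_RUNNING"
dig_verdict "$DIG_IPA_RUNNING"
dig_summary "$DIG_FORWARDED"
dig_verdict "$DIG_FORWARDED"
```

To use it on a live system, capture `dig <name>` into a variable and pass it to `dig_verdict`. If the verdict for a name you expect the forwarders to resolve is "authoritative NXDOMAIN", the record has to be added to the local zone (or the zone removed from the IPA server) rather than tuned through the forwarder settings.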


[Freeipa-users] FW: FW: named and IpA

2014-10-03 Thread Licause, Al (CSC AMS BCS - UNIX/Linux Network Support)
I am not a specialist but can it be that when you run just named it uses files 
and when you start IPA it uses LDAP database and the issue that the forwarders 
are correctly recorded in files (manually?) but not in the LDAP database?

  This certainly makes sense, but then having entered the forwarders using 
 ipa dnsconfig-mod --forwarders=.. didn't seem to make a difference.  I assume 
 the ipa dnsconfig-mod command places those forwarders in the ldap database?

  But having done so, does anything have to be restarted to get this to work 
 or is the effect immediate?

Al


-Original Message-
From: freeipa-users-boun...@redhat.com 
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Dmitri Pal
Sent: Friday, October 03, 2014 10:16 AM
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] FW: named and IpA

On 10/03/2014 11:13 AM, Licause, Al (CSC AMS BCS - UNIX/Linux Network
Support) wrote:

 -Original Message-
 From: freeipa-users-boun...@redhat.com 
 [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Petr Spacek
 Sent: Friday, October 03, 2014 1:26 AM
 To: freeipa-users@redhat.com
 Subject: Re: [Freeipa-users] named and IpA

 On 2.10.2014 19:05, Licause, Al (CSC AMS BCS - UNIX/Linux Network Support) 
 wrote:
 We have IdM running on a RHEL V7 system and have configured a local 
 DNS server in our test lab.

 We have loaded the various SRV and TXT records needed by the IdM server.


 PROBLEM:

 From the IdM server we can only lookup local records.  The name
 resolver will not attempt to look to any other name servers or domains 
 defined in /etc/resolv.conf

 If I shutdown IdM using ipactl stop and then restart named, the name 
 resolver works for local and remote hosts, addresses and domains as 
 well as serving up the SRV records defined on the local host.

 Am I correct in assuming that while IdM is up and running, the only 
 other systems it will communicate with at least with regard to name 
 services is another host also running IdM defined either as a server or a 
 client ?

 If this is the case, is there any way to better integrate some of these 
 common services such as named into an existing network such that you are not 
 limited by the IdM components?
 I would like to get additional information about your environment:
 - Is the IPA server installed with DNS or not? Did you use option 
 --setup-dns during ipa-server-install?

I have tried it both ways, but the most current in which we see this 
 behavior I ran ipa-server-install with no arguments and said yes to the 
 question about installing DNS. I then replied with two valid forwarders.
In a previous installation, we added two of our local zones from one of 
 the other dns servers and then added the sample zone provided by the 
 installation which contained the various SRV and TXT records.   But for 
 current reporting of this problem, we did not add/load the other zone files.
 - Which DNS zones do you have defined on IPA server? You can use command ipa 
 dnszone-find to list all zones.

 [root@linux named]# ipa dnsconfig-mod 
 --forwarder=16.112.240.27;16.112.240.40
 ipa: ERROR: no modifications to be performed
 bash: 16.112.240.40: command not found...
 [root@linux named]# ipa dnszone-find
Zone name: 240.112.16.in-addr.arpa.
Authoritative nameserver: linux.osn.cxo.cpqcorp.net.
Administrator e-mail address: hostmaster.osn.cxo.cpqcorp.net.
SOA serial: 1412344406
SOA refresh: 3600
SOA retry: 900
SOA expire: 1209600
SOA minimum: 3600
Active zone: TRUE
Allow query: any;
Allow transfer: none;

Zone name: osn.cxo.cpqcorp.net
Authoritative nameserver: linux.osn.cxo.cpqcorp.net.
Administrator e-mail address: hostmaster.osn.cxo.cpqcorp.net.
SOA serial: 1412344406
SOA refresh: 3600
SOA retry: 900
SOA expire: 1209600
SOA minimum: 3600
Active zone: TRUE
Allow query: any;
Allow transfer: none;
 
 Number of entries returned 2
 

 - Is there any other DNS servers serving same DNS zones?

   Yes, we left the other two existing DNS servers in place as they are 
 our primary name servers for this lab segment.
   Those are the two systems we have entered as forwarders.
 - Did you configure forwarders in /etc/named.conf or via ipa command line 
 tools (ipa dnsconfig-mod or --forwarder option during ipa-server-install)?

   The forwarders were placed in the /etc/named.conf file by the 
 ipa-server-install script or one of its subordinate scripts.
   I did try entering the forward policy and forwarders using ipa 
 dnsconfig-mod but they didn't seem to change the behavior.
One thing I did notice was that ipa dnsconfig-mod --forwarder= 
 only allowed one forwarder to be entered. Adding a second entry on the line 
 resulted in an error. If entered with a second --forwarders command, the 
 previous forwarder was replaced

[Freeipa-users] Problems and questions installing Identity Manager on RHEL V7

2014-10-01 Thread Licause, Al (CSC AMS BCS - UNIX/Linux Network Support)


We are trying to install Identity Manager for testing and learning purposes in 
a test lab
environment.We have successfully installed the base product but have run 
into problems
when trying to setup a domain trust to an AD server.

We are somewhat limited as to how we can change these systems and since they 
must function
for replication of many different problems, we need to be cautious as to what 
we change.
But they are crash and burn systems.

Both the RHEL V7 IdM server system and the W2008 R2 AD server are in the same 
subnet
and the same dns zone.


So that is the first question: can we create a domain trust between these two 
systems without placing one or the other in a different address subnet or 
changing the domain name?


I have tried changing the realm name for the linux server from lab.us.com for 
example to
ipa.lab.us.com and then leaving the AD server in lab.us.com.   That gets us a 
bit further
but then we run into problems with what I believe is the kerberos configuration.

I have tried to deinstall and reinstall the ipa server but the installation is 
now failing.


The ipa-server-install is failing with the following:

  [37/38]: tuning directory server
  [38/38]: configuring directory to start on boot
Done configuring directory server (dirsrv).
Configuring certificate server (pki-tomcatd): Estimated time 3 minutes 30 
seconds
  [1/22]: creating certificate server user
  [2/22]: configuring certificate server instance
ipa : CRITICAL failed to configure ca instance Command 
'/usr/sbin/pkispawn -s CA -f /tmp/tmpLb1CmI' returned non-zero exit status 1
Configuration of CA failed

This happens each time I try to uninstall and reinstall the ipa server on RHEL 
V7.


Looking at the latest log in /var/log/pki, I see this at the end of the log:

2014-10-01 11:53:10 pkispawn: INFO BEGIN spawning subsystem 'CA' of 
instance 'pki-tomcat' . . .
2014-10-01 11:53:10 pkispawn: INFO ... initializing 
'pki.deployment.initialization'
2014-10-01 11:53:10 pkispawn: ERROR... PKI subsystem 'CA' for 
instance 'pki-tomcat' already exists!
2014-10-01 11:53:10 pkispawn: DEBUG... Error Type: SystemExit
2014-10-01 11:53:10 pkispawn: DEBUG... Error Message: 1
2014-10-01 11:53:10 pkispawn: DEBUG...   File /usr/sbin/pkispawn, 
line 374, in main
rv = instance.spawn()
  File /usr/lib/python2.7/site-packages/pki/deployment/initialization.py, 
line 56, in spawn
util.instance.verify_subsystem_does_not_exist()
  File /usr/lib/python2.7/site-packages/pki/deployment/pkihelper.py, line 
990, in verify_subsystem_does_not_exist
sys.exit(1)

I am no python expert by any means and I'm not sure what this is telling us so 
any help
would be greatly appreciated.


Al Licause
CSC Americas BCS Technical Specialist
HP Customer Support Center
Hours 5am-2pm Pacific time USA
Manager: mark.bai...@hp.com
