Re: [Freeipa-users] FreeIPA 4.1.4 DNS notifications not being sent to slaves
Hello!

On 5.5.2015 00:24, nat...@nathanpeters.com wrote:
> bind.x86_64 32:9.9.4-20.el7.centos.pkcs11 @mkosek-freeipa
> bind-dyndb-ldap.x86_64 6.1-1.el7.centos

This version works for me (tested on Fedora 21).

> And for reference here are the relevant A and NS records from my domain
>
> @ NS dc1.mydomain.net.
> @ NS dc2.mydomain.net.
> @ NS dns1.mydomain.net.
> dns1 A 10.21.0.14

I would recommend you to double check if the commands

$ dig @IPA server dc1.mydomain.net. A
$ dig @IPA server dc2.mydomain.net. A
$ dig @IPA server dns1.mydomain.net. A

actually return IP addresses or not. Unfortunately BIND does not report an error if it is unable to resolve the name and silently ignores the name when notifications are sent.

For testing purposes I use these commands (on the server):

$ tcpdump -i any 'port 53'
$ rndc notify mydomain.net.

Look for a line from tcpdump with the note 'notify' in it. I can see the notify packet as soon as BIND prints the 'sending notifies' message to the journal.

I hope this helps.

Petr^2 Spacek

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
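The resolution check recommended above, reproduced offline as an added example (not code from this thread, from FreeIPA or from bind-dyndb-ldap): it parses a constructed zone fragment modelled on the records posted and lists which apex NS targets would receive NOTIFY and which BIND would skip without logging anything. The dc1/dc2 addresses and the 'ns-typo' NS record are assumptions, and excluding the server's own name only approximates BIND not notifying itself.

```python
"""Which NS targets of a zone would actually receive NOTIFY?

BIND sends NOTIFY to the addresses of the zone's NS RRset (minus itself)
and silently skips an NS name it cannot resolve; this reproduces that
selection offline from a constructed zone fragment.
"""
import ipaddress

ORIGIN = "mydomain.net."

# Constructed zone fragment modelled on the records posted in the thread
# (dc1/dc2 = IPA replicas, dns1 = PowerDNS slave). The dc1/dc2 addresses
# and the 'ns-typo' NS record (an NS name with no address) are assumptions.
ZONE_FRAGMENT = """\
@     NS  dc1.mydomain.net.
@     NS  dc2.mydomain.net.
@     NS  dns1.mydomain.net.
@     NS  ns-typo.mydomain.net.
dc1   A   10.21.0.11
dc2   A   10.21.0.12
dns1  A   10.21.0.14
"""

def fqdn(name, origin=ORIGIN):
    """Expand a zone-file name ('@', relative, or absolute) to a lowercase FQDN."""
    name, origin = name.lower(), origin.lower()
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"

def parse_zone(text, origin=ORIGIN):
    """Return (apex NS targets, {fqdn: [addresses]}) from 'owner TYPE rdata' lines."""
    ns_targets, addresses = [], {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        owner, rtype, rdata = line.split(None, 2)
        if rtype.upper() == "NS" and fqdn(owner, origin) == fqdn("@", origin):
            ns_targets.append(fqdn(rdata, origin))
        elif rtype.upper() in ("A", "AAAA"):
            ip = ipaddress.ip_address(rdata)    # validates the address literal
            addresses.setdefault(fqdn(owner, origin), []).append(str(ip))
    return ns_targets, addresses

def notify_targets(text, self_name, origin=ORIGIN):
    """Split the apex NS RRset into {ns: addresses} that get NOTIFY and a
    list of NS names BIND would skip without logging anything.
    Excluding self_name only approximates BIND not notifying itself; a real
    BIND resolves NS names through its resolver, not only from in-zone data.
    """
    ns_targets, addresses = parse_zone(text, origin)
    will_notify, skipped = {}, []
    for ns in ns_targets:
        if ns == fqdn(self_name, origin):
            continue
        if ns in addresses:
            will_notify[ns] = addresses[ns]
        else:
            skipped.append(ns)
    return will_notify, skipped

if __name__ == "__main__":
    sent, skipped = notify_targets(ZONE_FRAGMENT, "dc1.mydomain.net.")
    for ns, ips in sent.items():
        print(f"NOTIFY -> {ns} {ips}")
    for ns in skipped:
        print(f"SKIPPED silently (no address record): {ns}")
```

Any name that lands in the skipped list is one to look up with the dig commands above and then confirm with tcpdump after an rndc notify.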
Re: [Freeipa-users] FreeIPA 4.1.4 DNS notifications not being sent to slaves
I did notice the same behavior. This is my setup:

[root@ipa-idm]# yum list installed ipa-*
Installed Packages
ipa-admintools.x86_64 4.1.0-18.el7_1.3 @rhui-REGION-rhel-server-releases
ipa-client.x86_64 4.1.0-18.el7_1.3 @rhui-REGION-rhel-server-releases
ipa-python.x86_64 4.1.0-18.el7_1.3 @rhui-REGION-rhel-server-releases
ipa-server.x86_64 4.1.0-18.el7_1.3 @rhui-REGION-rhel-server-releases

[root@ipa-idm]# yum list installed bind*
Installed Packages
bind.x86_64 32:9.9.4-18.el7_1.1 @rhui-REGION-rhel-server-releases
bind-dyndb-ldap.x86_64 6.0-2.el7 @rhui-REGION-rhel-server-releases
bind-libs.x86_64 32:9.9.4-18.el7_1.1 @rhui-REGION-rhel-server-releases
bind-libs-lite.x86_64 32:9.9.4-18.el7_1.1 @rhui-REGION-rhel-server-releases
bind-license.noarch 32:9.9.4-18.el7_1.1 @rhui-REGION-rhel-server-releases
bind-utils.x86_64 32:9.9.4-18.el7_1.1 @rhui-REGION-rhel-server-releases

In my setup the slaves are various DNS servers, including Win2k3, Win2k8 and Bind, that I don’t have access to, but according to the IPA server logs they don’t receive “NOTIFY” messages, OR the IPA server does not send them to the slaves.

Regards,
Andrey

On 5/4/15, 10:24 PM, nat...@nathanpeters.com wrote:
> freeipa-admintools.x86_64 4.1.4-1.el7.centos @mkosek-freeipa
> freeipa-client.x86_64 4.1.4-1.el7.centos @mkosek-freeipa
> freeipa-python.x86_64 4.1.4-1.el7.centos @mkosek-freeipa
> freeipa-server.x86_64 4.1.4-1.el7.centos @mkosek-freeipa
> freeipa-server-trust-ad.x86_64 4.1.4-1.el7.centos @mkosek-freeipa
> bind.x86_64 32:9.9.4-20.el7.centos.pkcs11 @mkosek-freeipa
> bind-dyndb-ldap.x86_64 6.1-1.el7.centos @mkosek-freeipa
> bind-libs.x86_64 32:9.9.4-20.el7.centos.pkcs11 @mkosek-freeipa
> bind-libs-lite.x86_64 32:9.9.4-20.el7.centos.pkcs11 @mkosek-freeipa
> bind-license.noarch 32:9.9.4-20.el7.centos.pkcs11 @mkosek-freeipa
> bind-pkcs11.x86_64 32:9.9.4-20.el7.centos.pkcs11 @mkosek-freeipa
> bind-pkcs11-libs.x86_64 32:9.9.4-20.el7.centos.pkcs11 @mkosek-freeipa
> bind-pkcs11-utils.x86_64 32:9.9.4-20.el7.centos.pkcs11 @mkosek-freeipa
>
> And for reference here are the relevant A and NS records from my domain
>
> @ NS dc1.mydomain.net.
> @ NS dc2.mydomain.net.
> @ NS dns1.mydomain.net.
> dns1 A 10.21.0.14
Re: [Freeipa-users] FreeIPA 4.1.4 DNS notifications not being sent to slaves
Hello!

On 2.5.2015 17:12, Nathan Peters wrote:
> The last 3 sentences of my original post refer to me adding the NS records for the slave. Is that what you mean?
>
> I have also ensured that the slave hostname and IP are in FreeIPA DNS. I have also added an NS entry pointing to the slave.

Which version of FreeIPA and bind-dyndb-ldap are you using? I will look into it.

-- 
Petr^2 Spacek
Re: [Freeipa-users] FreeIPA 4.1.4 DNS notifications not being sent to slaves
freeipa-admintools.x86_64 4.1.4-1.el7.centos @mkosek-freeipa
freeipa-client.x86_64 4.1.4-1.el7.centos @mkosek-freeipa
freeipa-python.x86_64 4.1.4-1.el7.centos @mkosek-freeipa
freeipa-server.x86_64 4.1.4-1.el7.centos @mkosek-freeipa
freeipa-server-trust-ad.x86_64 4.1.4-1.el7.centos @mkosek-freeipa
bind.x86_64 32:9.9.4-20.el7.centos.pkcs11 @mkosek-freeipa
bind-dyndb-ldap.x86_64 6.1-1.el7.centos @mkosek-freeipa
bind-libs.x86_64 32:9.9.4-20.el7.centos.pkcs11 @mkosek-freeipa
bind-libs-lite.x86_64 32:9.9.4-20.el7.centos.pkcs11 @mkosek-freeipa
bind-license.noarch 32:9.9.4-20.el7.centos.pkcs11 @mkosek-freeipa
bind-pkcs11.x86_64 32:9.9.4-20.el7.centos.pkcs11 @mkosek-freeipa
bind-pkcs11-libs.x86_64 32:9.9.4-20.el7.centos.pkcs11 @mkosek-freeipa
bind-pkcs11-utils.x86_64 32:9.9.4-20.el7.centos.pkcs11 @mkosek-freeipa

And for reference here are the relevant A and NS records from my domain

@ NS dc1.mydomain.net.
@ NS dc2.mydomain.net.
@ NS dns1.mydomain.net.
dns1 A 10.21.0.14

> Hello!
>
> On 2.5.2015 17:12, Nathan Peters wrote:
>> The last 3 sentences of my original post refer to me adding the NS records for the slave. Is that what you mean?
>>
>> I have also ensured that the slave hostname and IP are in FreeIPA DNS. I have also added an NS entry pointing to the slave.
>
> Which version of FreeIPA and bind-dyndb-ldap are you using? I will look into it.
>
> Petr^2 Spacek
Re: [Freeipa-users] FreeIPA 4.1.4 DNS notifications not being sent to slaves
Is the PowerDNS slave in the NS RRSet for the IPA domain? Unfortunately, bind-dyndb-ldap does not support 'also-notify', which would allow us to send notifies each time a zone update occurs to slave servers that are not in the RRSet [1]. To compensate for this in my environment, I had to lower the 'refresh' timer on the IPA zone.

[1] https://fedorahosted.org/bind-dyndb-ldap/ticket/152

-----Original Message-----
From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of nat...@nathanpeters.com
Sent: Friday, May 1, 2015 8:20 PM
To: freeipa-users@redhat.com
Subject: [Freeipa-users] FreeIPA 4.1.4 DNS notifications not being sent to slaves

I have 2 FreeIPA 4.1.4 servers set up on CentOS 7 as replicas. I also have another host running PowerDNS serving as a slave. The FreeIPA servers are set up to allow transfers to the slave by IP. When adding the zone, the slave transferred it properly. However, when I update the zone in FreeIPA, although the serial number changes, in /var/log/messages I only see an attempt to transfer to the second IPA server, and not the slave. This is the only log entry:

May 2 01:06:56 dc1 named-pkcs11[5897]: zone mydomain.net/IN: sending notifies (serial 1430528817)
May 2 01:06:57 dc1 named-pkcs11[5897]: client 10.178.0.99#29832: received notify for zone 'mydomain.net'

I have restarted all services using ipactl restart several times. I have also ensured that the slave hostname and IP are in FreeIPA DNS. I have also added an NS entry pointing to the slave. According to the FreeIPA manual, once that NS entry is added, any zone updates should trigger a notify, but still the only notifications go out to FreeIPA servers and nothing else.

Any idea how to fix this so FreeIPA notifies non-IPA servers? I'm pretty sure I've followed all the instructions to the letter on this one...
Re: [Freeipa-users] FreeIPA 4.1.4 DNS notifications not being sent to slaves
The last 3 sentences of my original post refer to me adding the NS records for the slave. Is that what you mean?

I have also ensured that the slave hostname and IP are in FreeIPA DNS. I have also added an NS entry pointing to the slave.

-----Original Message-----
From: Baird, Josh
Sent: Saturday, May 02, 2015 7:33 AM
To: 'nat...@nathanpeters.com'; freeipa-users@redhat.com
Subject: RE: [Freeipa-users] FreeIPA 4.1.4 DNS notifications not being sent to slaves

Is the PowerDNS slave in the NS RRSet for the IPA domain? Unfortunately, bind-dyndb-ldap does not support 'also-notify', which would allow us to send notifies each time a zone update occurs to slave servers that are not in the RRSet [1]. To compensate for this in my environment, I had to lower the 'refresh' timer on the IPA zone.

[1] https://fedorahosted.org/bind-dyndb-ldap/ticket/152
[Freeipa-users] FreeIPA 4.1.4 DNS notifications not being sent to slaves
I have 2 FreeIPA 4.1.4 servers set up on CentOS 7 as replicas. I also have another host running PowerDNS serving as a slave. The FreeIPA servers are set up to allow transfers to the slave by IP. When adding the zone, the slave transferred it properly. However, when I update the zone in FreeIPA, although the serial number changes, in /var/log/messages I only see an attempt to transfer to the second IPA server, and not the slave. This is the only log entry:

May 2 01:06:56 dc1 named-pkcs11[5897]: zone mydomain.net/IN: sending notifies (serial 1430528817)
May 2 01:06:57 dc1 named-pkcs11[5897]: client 10.178.0.99#29832: received notify for zone 'mydomain.net'

I have restarted all services using ipactl restart several times. I have also ensured that the slave hostname and IP are in FreeIPA DNS. I have also added an NS entry pointing to the slave. According to the FreeIPA manual, once that NS entry is added, any zone updates should trigger a notify, but still the only notifications go out to FreeIPA servers and nothing else.

Any idea how to fix this so FreeIPA notifies non-IPA servers? I'm pretty sure I've followed all the instructions to the letter on this one...
Re: [Freeipa-users] Freeipa and dns
On Fri, Mar 06, 2015 at 09:15:44AM +0100, Andrew Holway wrote:
>> For now the work around would be to have an explicit set of servers configured on the clients. You will lose a bit of agility if you plan to deploy replicas dynamically, but if you do not plan to do that, a static server list might be a work around for now.
>
> That's actually not too much trouble with our configuration management system.

Then

ipa_server = local-geo-replica.example.com, _srv_

in sssd.conf is probably the best approach.

-- 
Jan Pazdziora
Principal Software Engineer, Identity Management Engineering, Red Hat
Re: [Freeipa-users] Freeipa and dns
On 03/05/2015 12:41 PM, Andrew Holway wrote:
> Hello,
>
> We're working on a plan to spin up a bunch of private networks around the globe and we would like to use freeipa as our domain controller. I'm trying to work out how we do DNS. Actually, more specifically, making sure that hosts are authenticating against their local freeipa.
>
> Each regional domain controller should be replicating with the other regional domain controllers; however, how do we tell machines in the US to auth against the US freeipa and the EU machines to auth against the EU freeipa? If we point the DNS in our machines to the US freeipa, will that freeipa respond with SRV records for itself?

FreeIPA does not support DNS sites yet.
https://fedorahosted.org/freeipa/ticket/2008
https://fedorahosted.org/bind-dyndb-ldap/ticket/126

It is in the plans for the next release, but as a stretch goal.

For now the work around would be to have an explicit set of servers configured on the clients. You will lose a bit of agility if you plan to deploy replicas dynamically, but if you do not plan to do that, a static server list might be a work around for now.

> Thanks,
>
> Andrew

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.