Re: [Freeipa-users] Windows Server can't use FreeIPA's DNS server

2017-01-16 Thread Raul Dias

Ok,

Found the issue.  I believe it is a Fedora (25) issue, but not sure 
yet.  So, registering here for the archives.


My IPA is on a FC25 on a LXC container (2.0.6) on a Jessie host.

The IPA container ethernet is on a private bridge (not attached to any 
real one).


The FC container was configured to do checksum offloading.  I believe 
it was FC's fault, but it could be some other LXC host on the same bridge, 
if possible.


Anyways, this command disabled offloading and it started to work:

# ethtool --offload eth0 rx off tx off gso off

Still, why only the 2k8 R2 complained about this still has to be verified.

-rsd


--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
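Raul's fix above points at UDP checksums left unfinished by offloading: a receiver that validates the checksum drops the datagram before the resolver ever sees the answer, which is exactly the "response arrives but is ignored" symptom earlier in the thread. The following is an added example, not code from the thread; it builds a constructed datagram shaped like the captured google.com answer (same transaction ID, flags, ports and addresses), verifies the UDP checksum over the IPv4 pseudo-header the way Wireshark and a validating stack do, and decodes the DNS flags word.

```python
import struct

SRC_IP = bytes([10, 10, 24, 9])     # IPA server, from the capture in the thread
DST_IP = bytes([10, 10, 24, 12])    # Windows 2008 R2 host


def ones_complement_sum(data: bytes) -> int:
    """Sum 16-bit big-endian words with end-around carry (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def udp_checksum(src_ip: bytes, dst_ip: bytes, udp: bytes) -> int:
    """RFC 768 checksum over the IPv4 pseudo-header plus the UDP datagram."""
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, 17, len(udp))
    zeroed = udp[:6] + b"\x00\x00" + udp[8:]   # checksum field counts as zero
    csum = ~ones_complement_sum(pseudo + zeroed) & 0xFFFF
    return csum or 0xFFFF   # a computed 0 is sent as 0xFFFF; 0 means "no checksum"


def udp_checksum_ok(src_ip: bytes, dst_ip: bytes, udp: bytes) -> bool:
    """What a validating receiver checks before handing the payload to the resolver."""
    stored = struct.unpack("!H", udp[6:8])[0]
    return stored == 0 or udp_checksum(src_ip, dst_ip, udp) == stored


def dns_flags(dns: bytes) -> dict:
    """Decode the DNS header flags word the way Wireshark lists it."""
    txid, flags = struct.unpack("!HH", dns[:4])
    return {"id": txid, "qr": flags >> 15 & 1, "opcode": flags >> 11 & 0xF,
            "aa": flags >> 10 & 1, "tc": flags >> 9 & 1, "rd": flags >> 8 & 1,
            "ra": flags >> 7 & 1, "rcode": flags & 0xF}


def build_response() -> bytes:
    """Constructed UDP datagram: minimal google.com A answer, ID 0x0006, flags 0x8180."""
    question = b"\x06google\x03com\x00" + struct.pack("!HH", 1, 1)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([216, 58, 222, 14])
    dns = struct.pack("!HHHHHH", 0x0006, 0x8180, 1, 1, 0, 0) + question + answer
    udp = struct.pack("!HHHH", 53, 54680, 8 + len(dns), 0) + dns
    return udp[:6] + struct.pack("!H", udp_checksum(SRC_IP, DST_IP, udp)) + udp[8:]


if __name__ == "__main__":
    pkt = build_response()
    print("checksum ok:", udp_checksum_ok(SRC_IP, DST_IP, pkt), dns_flags(pkt[8:]))
```

Run the check against bytes pulled from a capture on the receiving side; a datagram whose stored checksum does not match is what a Linux client quietly tolerates on a veth/bridge path and a validating Windows stack discards.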


Re: [Freeipa-users] Windows Server can't use FreeIPA's DNS server

2017-01-16 Thread Brian Candler

On 16/01/2017 16:37, Raul Dias wrote:

Did some testing.

From the windows server, did a port scanner on the IPA server (tcp + 
udp), no blocking between. (tested open).


The IPA has DNSSEC on, but that is for the zones only, right? There is 
no indication of DNSSEC in the datagrams.


You can have a DNSSEC-validating resolver (cache), but you're right 
you'd see things in the packet (EDNS).



The wireshark in the windows server:

Looks like a perfectly good DNS response to me.  Windows is a strange 
beast :-(


Horrible workaround: if you can find a DNS server which Windows likes, 
you can configure that DNS server to forward all the IPA-hosted zones to 
the IPA server.




Re: [Freeipa-users] Windows Server can't use FreeIPA's DNS server

2017-01-16 Thread Raul Dias

Did some testing.

From the windows server, did a port scanner on the IPA server (tcp + 
udp), no blocking between. (tested open).


The IPA has DNSSEC on, but that is for the zones only, right?  There is 
no indication of DNSSEC in the datagrams.


The wireshark in the windows server:

A - The query packet:
---
Ethernet II, Src: CadmusCo_58:90:cb (08:00:27:58:90:cb), Dst: 
fe:81:54:e3:7b:03 (fe:81:54:e3:7b:03)

Internet Protocol Version 4, Src: 10.10.24.12, Dst: 10.10.24.9
User Datagram Protocol, Src Port: 54680, Dst Port: 53
Domain Name System (query)
Transaction ID: 0x0006
Flags: 0x0100 Standard query
    0... .... .... .... = Response: Message is a query
    .000 0... .... .... = Opcode: Standard query (0)
    .... ..0. .... .... = Truncated: Message is not truncated
    .... ...1 .... .... = Recursion desired: Do query recursively
    .... .... .0.. .... = Z: reserved (0)
    .... .... ...0 .... = Non-authenticated data: Unacceptable
Questions: 1
Answer RRs: 0
Authority RRs: 0
Additional RRs: 0
Queries
google.com: type A, class IN
Name: google.com
[Name Length: 10]
[Label Count: 2]
Type: A (Host Address) (1)
Class: IN (0x0001)

B - The response:
---

Frame 10: 222 bytes on wire (1776 bits), 222 bytes captured (1776 bits)
Ethernet II, Src: fe:81:54:e3:7b:03 (fe:81:54:e3:7b:03), Dst: 
CadmusCo_58:90:cb (08:00:27:58:90:cb)

Internet Protocol Version 4, Src: 10.10.24.9, Dst: 10.10.24.12
User Datagram Protocol, Src Port: 53, Dst Port: 54680
Domain Name System (response)
[Time: 0.057623000 seconds]
Transaction ID: 0x0006
Flags: 0x8180 Standard query response, No error
    1... .... .... .... = Response: Message is a response
    .000 0... .... .... = Opcode: Standard query (0)
    .... .0.. .... .... = Authoritative: Server is not an authority for domain
    .... ..0. .... .... = Truncated: Message is not truncated
    .... ...1 .... .... = Recursion desired: Do query recursively
    .... .... 1... .... = Recursion available: Server can do recursive queries
    .... .... .0.. .... = Z: reserved (0)
    .... .... ..0. .... = Answer authenticated: Answer/authority portion was not authenticated by the server
    .... .... ...0 .... = Non-authenticated data: Unacceptable
    .... .... .... 0000 = Reply code: No error (0)
Questions: 1
Answer RRs: 1
Authority RRs: 4
Additional RRs: 4
Queries
google.com: type A, class IN
Name: google.com
[Name Length: 10]
[Label Count: 2]
Type: A (Host Address) (1)
Class: IN (0x0001)
Answers
google.com: type A, class IN, addr 216.58.222.14
Name: google.com
Type: A (Host Address) (1)
Class: IN (0x0001)
Time to live: 300
Data length: 4
Address: 216.58.222.14
Authoritative nameservers
google.com: type NS, class IN, ns ns4.google.com
Name: google.com
Type: NS (authoritative Name Server) (2)
Class: IN (0x0001)
Time to live: 172792
Data length: 6
Name Server: ns4.google.com
google.com: type NS, class IN, ns ns1.google.com
Name: google.com
Type: NS (authoritative Name Server) (2)
Class: IN (0x0001)
Time to live: 172792
Data length: 6
Name Server: ns1.google.com
google.com: type NS, class IN, ns ns3.google.com
Name: google.com
Type: NS (authoritative Name Server) (2)
Class: IN (0x0001)
Time to live: 172792
Data length: 6
Name Server: ns3.google.com
google.com: type NS, class IN, ns ns2.google.com
Name: google.com
Type: NS (authoritative Name Server) (2)
Class: IN (0x0001)
Time to live: 172792
Data length: 6
Name Server: ns2.google.com
Additional records
ns2.google.com: type A, class IN, addr 216.239.34.10
Name: ns2.google.com
Type: A (Host Address) (1)
Class: IN (0x0001)
Time to live: 172792
Data length: 4
Address: 216.239.34.10
ns1.google.com: type A, class IN, addr 216.239.32.10
Name: ns1.google.com
Type: A (Host Address) (1)
Class: IN (0x0001)
Time to live: 172792
Data length: 4
Address: 216.239.32.10
ns3.google.com: type A, class IN, addr 216.239.36.10
Name: ns3.google.com
Type: A (Host Address) (1)
Class: IN (0x0001)
Time to live: 172792
Data length: 4
Address: 216.239.36.10
ns4.google.com: type A, class IN, addr 216.239.38.10
Na

Re: [Freeipa-users] Windows Server can't use FreeIPA's DNS server

2017-01-16 Thread Brian Candler

On 16/01/2017 00:52, Raul Dias wrote:

The packets are getting back. That has been established already.


With Wireshark at the 2008R2 end?

I am looking for possible reasons it would disregard the answer, but 
accept when using a non-freeipa bind9 one.


Look at wireshark detail on both sets of responses; check for any 
differences including the flags. You're sure one of the servers isn't 
answering with a REFUSED answer for example? (That is, one of the bind 
servers might not allow queries from the source address of the 2008R2 
server)


Also compare the bind configs. For example, is DNSSEC enabled in one but 
not the other?




Re: [Freeipa-users] Windows Server can't use FreeIPA's DNS server

2017-01-15 Thread Raul Dias


On 15/01/2017 19:15, Brian Candler wrote:

On FreeIPA host:  tcpdump -i eth0 -nnv -s0 port 53 and host x.x.x.x

where x.x.x.x is IP address of the 2008R2 server, and assuming eth0 is 
the NIC.


See if any DNS queries arrive at the FreeIPA server. If no: then the 
problem is with the 2008R2 server, or the network in between. If yes: 
then see if FreeIPA is answering the queries or not.




The packets are getting back. That has been established already.

I am looking for possible reasons it would disregard the answer, but 
accept when using a non-freeipa bind9 one.


-rsd



Re: [Freeipa-users] Windows Server can't use FreeIPA's DNS server

2017-01-15 Thread Brian Candler

On 14/01/2017 20:01, Raul Dias wrote:


I am migrating a network to FreeIPA. LDAP, NFS, no Active Directory.

A Windows Server 2008 R2 cannot use FreeIPA's bind to resolve DNS queries.
This server works fine with my old bind server, google's dns server 
(8.8.8.8), but not FreeIPA's.
Using wireshark, I can see the response gets to this host, but is 
simply ignored.  Clocks are in sync.


Not sure if the problem is in the FreeIPA's side, probably not.

Any ideas?


On FreeIPA host:  tcpdump -i eth0 -nnv -s0 port 53 and host x.x.x.x

where x.x.x.x is IP address of the 2008R2 server, and assuming eth0 is 
the NIC.


See if any DNS queries arrive at the FreeIPA server. If no: then the 
problem is with the 2008R2 server, or the network in between. If yes: 
then see if FreeIPA is answering the queries or not.



Re: [Freeipa-users] Windows Server can't use FreeIPA's DNS server

2017-01-15 Thread Raul Dias


On 14/01/2017 22:08, Fil Di Noto wrote:
Sounds more like a client problem (firewall, hosts file, network 
settings/routes)

Unfortunately, not that I have found.


Other clients are able to resolve against the IPA server?

yes.
You are seeing the response come back on a packet capture taken from 
the windows server?

yes.


If yes to both of those, maybe the windows server thinks the IPA 
server is not who it says it is.
How does Windows verify this?  Note that there is no active directory 
in place or domain/remote authentication from the windows point of 
view.  Windows is using it only as a plain DNS server.


Note that there is another windows server (2008) that works fine. This 
one is 2008 r2 (if it matters).


Is the IPA server hostname/domain name the same as a previous windows 
host? If so that is probably not good.


On Sat, Jan 14, 2017 at 12:01 PM, Raul Dias wrote:


Hello,

I am migrating a network to FreeIPA. LDAP, NFS, no Active Directory.

A Windows Server 2008 R2 cannot use FreeIPA's bind to resolve DNS
queries.
This server works fine with my old bind server, google's dns
server (8.8.8.8), but not FreeIPA's.
Using wireshark, I can see the response gets to this host, but
is simply ignored.  Clocks are in sync.

Not sure if the problem is in the FreeIPA's side, probably not.

Any ideas?

-rsd





--
Att. Raul Dias


Re: [Freeipa-users] Windows Server can't use FreeIPA's DNS server

2017-01-14 Thread Fil Di Noto
Sounds more like a client problem (firewall, hosts file, network
settings/routes)

Other clients are able to resolve against the IPA server? You are seeing
the response come back on a packet capture taken from the windows server?

If yes to both of those, maybe the windows server thinks the IPA server is
not who it says it is. Is the IPA server hostname/domain name the same as a
previous windows host? If so that is probably not good.

On Sat, Jan 14, 2017 at 12:01 PM, Raul Dias wrote:

> Hello,
>
> I am migrating a network to FreeIPA. LDAP, NFS, no Active Directory.
>
> A Windows Server 2008 R2 cannot use FreeIPA's bind to resolve DNS queries.
> This server works fine with my old bind server, google's dns server
> (8.8.8.8), but not FreeIPA's.
> Using wireshark, I can see the response gets to this host, but is
> simply ignored.  Clocks are in sync.
>
> Not sure if the problem is in the FreeIPA's side, probably not.
>
> Any ideas?
> -rsd
>

[Freeipa-users] Windows Server can't use FreeIPA's DNS server

2017-01-14 Thread Raul Dias

Hello,

I am migrating a network to FreeIPA. LDAP, NFS, no Active Directory.

A Windows Server 2008 R2 cannot use FreeIPA's bind to resolve DNS queries.
This server works fine with my old bind server, google's dns server 
(8.8.8.8), but not FreeIPA's.
Using wireshark, I can see the response gets to this host, but is 
simply ignored.  Clocks are in sync.


Not sure if the problem is in the FreeIPA's side, probably not.

Any ideas?

-rsd