Re: [Freeipa-users] FW: FW: FW: named and IpA
On 10.10.2014 10:32, Jan Pazdziora wrote:
> On Mon, Oct 06, 2014 at 06:38:59PM +0200, Petr Spacek wrote:
>> On 6.10.2014 17:22, Licause, Al (CSC AMS BCS - UNIX/Linux Network Support) wrote:
>>> Thanks for the additional data. It starts to make sense now, but I'm wondering if that could possibly be a weakness in the IdM model?
>>
>> Well, define a weakness :-)
>>
>> Whole IPA server is built around LDAP database so LDAP is single point of failure *for one particular* IPA server. IPA offers a solution called replicas. You can have multiple IPA servers with (two-way) replicated LDAP database so outage on N-1 servers will not affect your clients as long as clients are able to fail-over to the last functional server.
>
> The question is, what should happen when no LDAP server can be used? Should the forwarding suddenly kick in for all zones which will cause completely different data to be served? Or should the DNS server refuse to serve anything at that point (even the forwarding) because it has no way to know what should be forwarded and what not (I assume bind does not keep around list of zones that were LDAP-backed the last time LDAP worked).
>
> There probably should be at least an option (if not default) for bind to serve nothing if LDAP is not accessible.

In the past, named refused to start when LDAP was not available. Later it was flagged as bug and current behavior was implemented:
https://bugzilla.redhat.com/show_bug.cgi?id=662930

Feel free to open RFE.

--
Petr^2 Spacek

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
Re: [Freeipa-users] FW: FW: FW: named and IpA
On Mon, Oct 13, 2014 at 01:02:38PM +0200, Petr Spacek wrote:
>> There probably should be at least an option (if not default) for bind to serve nothing if LDAP is not accessible.
>
> In the past, named refused to start when LDAP was not available. Later it was flagged as bug and current behavior was implemented:
> https://bugzilla.redhat.com/show_bug.cgi?id=662930
>
> Feel free to open RFE.

Done: https://fedorahosted.org/bind-dyndb-ldap/ticket/140

Thank you,

--
Jan Pazdziora
Principal Software Engineer, Identity Management Engineering, Red Hat
Re: [Freeipa-users] FW: FW: FW: named and IpA
On Mon, Oct 06, 2014 at 06:38:59PM +0200, Petr Spacek wrote:
> On 6.10.2014 17:22, Licause, Al (CSC AMS BCS - UNIX/Linux Network Support) wrote:
>> Thanks for the additional data. It starts to make sense now, but I'm wondering if that could possibly be a weakness in the IdM model?
>
> Well, define a weakness :-)
>
> Whole IPA server is built around LDAP database so LDAP is single point of failure *for one particular* IPA server. IPA offers a solution called replicas. You can have multiple IPA servers with (two-way) replicated LDAP database so outage on N-1 servers will not affect your clients as long as clients are able to fail-over to the last functional server.

The question is, what should happen when no LDAP server can be used? Should the forwarding suddenly kick in for all zones which will cause completely different data to be served? Or should the DNS server refuse to serve anything at that point (even the forwarding) because it has no way to know what should be forwarded and what not (I assume bind does not keep around list of zones that were LDAP-backed the last time LDAP worked).

There probably should be at least an option (if not default) for bind to serve nothing if LDAP is not accessible.

--
Jan Pazdziora
Principal Software Engineer, Identity Management Engineering, Red Hat
[Freeipa-users] FW: FW: FW: named and IpA
Thanks for the additional data. It starts to make sense now, but I'm wondering if that could possibly be a weakness in the IdM model?

Al

-----Original Message-----
From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Petr Spacek
Sent: Monday, October 06, 2014 7:35 AM
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] FW: FW: named and IpA

On 6.10.2014 15:17, Licause, Al (CSC AMS BCS - UNIX/Linux Network Support) wrote:
> Thanks very much for the additional input.
>
> The configuration as you describe it is correct with a minor detail correction that I didn't notice earlier. 16.112.240.27 is the master for the osn.cxo.cpqcorp.net zone while 16.112.240.40 is a slave for that zone. But as you have said, both are authoritative for that zone.
>
> I won't belabor the point and will move on to try a different configuration as my ultimate goal here is to create trust domains between a linux and an AD domain. To that end I will reconfigure the current IdM server such that it is in a different subnet and domain.
>
> I just find it odd that when ipa is shutdown and named is restarted on the system designated as the IdM server, that dns works and the forwarders are not ignored as they are when ipa is running.

The reason is that authoritative data are stored in LDAP but global forwarding configuration (specified on ipa-server-install command line) is stored in /etc/named.conf. LDAP server is not reachable when IPA is down so BIND cannot see zones in LDAP and global forwarding in named.conf causes that it accidentally works for you.

Forwarding is evil :-)

--
Petr^2 Spacek
Re: [Freeipa-users] FW: FW: FW: named and IpA
On 6.10.2014 17:22, Licause, Al (CSC AMS BCS - UNIX/Linux Network Support) wrote:
> Thanks for the additional data. It starts to make sense now, but I'm wondering if that could possibly be a weakness in the IdM model?

Well, define a weakness :-)

Whole IPA server is built around LDAP database so LDAP is single point of failure *for one particular* IPA server. IPA offers a solution called replicas. You can have multiple IPA servers with (two-way) replicated LDAP database so outage on N-1 servers will not affect your clients as long as clients are able to fail-over to the last functional server.

I hope I understood your question :-)

Petr^2 Spacek

> Al
>
> -----Original Message-----
> From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Petr Spacek
> Sent: Monday, October 06, 2014 7:35 AM
> To: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] FW: FW: named and IpA
>
> On 6.10.2014 15:17, Licause, Al (CSC AMS BCS - UNIX/Linux Network Support) wrote:
>> Thanks very much for the additional input.
>>
>> The configuration as you describe it is correct with a minor detail correction that I didn't notice earlier. 16.112.240.27 is the master for the osn.cxo.cpqcorp.net zone while 16.112.240.40 is a slave for that zone. But as you have said, both are authoritative for that zone.
>>
>> I won't belabor the point and will move on to try a different configuration as my ultimate goal here is to create trust domains between a linux and an AD domain. To that end I will reconfigure the current IdM server such that it is in a different subnet and domain.
>>
>> I just find it odd that when ipa is shutdown and named is restarted on the system designated as the IdM server, that dns works and the forwarders are not ignored as they are when ipa is running.
>
> The reason is that authoritative data are stored in LDAP but global forwarding configuration (specified on ipa-server-install command line) is stored in /etc/named.conf. LDAP server is not reachable when IPA is down so BIND cannot see zones in LDAP and global forwarding in named.conf causes that it accidentally works for you.
>
> Forwarding is evil :-)
>
> --
> Petr^2 Spacek

--
Petr^2 Spacek
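An added example, not code from this thread and not part of FreeIPA or bind-dyndb-ldap, for the failure mode Jan and Petr describe above: when named loses its LDAP backend it no longer knows the IPA-managed zones, and whatever the global forwarders in named.conf return is served instead. The check below asks the IPA DNS server for the zone apex SOA and reports whether the reply is authoritative (zone still loaded from LDAP), forwarded (answer came from elsewhere) or failed. The zone name, server address and the dig header samples in the comments are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): detect an IPA DNS server that has
# silently fallen back to forwarding because its LDAP-backed zones are gone.
# Zone name and server address are assumptions; pass your own on the command line.

# classify_dig_output: read `dig` output on stdin and print one of
#   authoritative    NOERROR with the 'aa' flag: zone is served locally (from LDAP)
#   forwarded        NOERROR without 'aa': the answer did not come from a local zone
#   failed:<STATUS>  any other rcode, or no response at all
# Example header lines it parses (constructed):
#   ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4711
#   ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
classify_dig_output() {
    out=$(cat)
    status=$(printf '%s\n' "$out" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p')
    flags=$(printf '%s\n' "$out" | sed -n 's/^;; flags: \([a-z ]*\);.*/\1/p')
    if [ "$status" != "NOERROR" ]; then
        echo "failed:${status:-no-response}"
        return 2
    fi
    case " $flags " in
        *" aa "*) echo "authoritative"; return 0 ;;
        *)        echo "forwarded";     return 1 ;;
    esac
}

# check_zone ZONE [SERVER]: query the IPA DNS server itself for the zone apex
# SOA and classify the reply. Exit status: 0 authoritative, 1 forwarded, 2 failed.
check_zone() {
    zone=$1
    server=${2:-127.0.0.1}
    command -v dig >/dev/null 2>&1 || { echo "dig not installed" >&2; return 2; }
    result=$(dig +tries=1 +time=3 @"$server" "$zone" SOA | classify_dig_output)
    rc=$?
    echo "$zone @ $server: $result"
    return $rc
}

# Live run only when a zone is given, e.g.:
#   sh ipa-dns-check.sh ipa.example.test 192.0.2.10
if [ $# -ge 1 ]; then
    check_zone "$@"
fi
```

A non-zero exit from check_zone is the condition to alert on from cron or a monitoring agent; "forwarded" for a zone that should be authoritative is exactly the state in which clients are being handed different data.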
[Freeipa-users] FW: FW: FW: named and IpA
Ah, excellent suggestion! Thanks very much that worked.

[root@linux named]# ipa dnsconfig-mod --forwarder=16.112.240.27 --forwarder=16.112.240.40
  Global forwarders: 16.112.240.27, 16.112.240.40
  Forward policy: first

Unfortunately it didn't fix the problem... while IdM is running the local name server still can't resolve any hosts or addresses out unknown to the local name server.

Al

-----Original Message-----
From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Rich Megginson
Sent: Friday, October 03, 2014 9:44 AM
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] FW: FW: named and IpA

On 10/03/2014 09:22 AM, Licause, Al (CSC AMS BCS - UNIX/Linux Network Support) wrote:
> -----Original Message-----
> From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Rich Megginson
> Sent: Friday, October 03, 2014 8:03 AM
> To: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] FW: named and IpA
>
> On 10/03/2014 08:32 AM, Licause, Al (CSC AMS BCS - UNIX/Linux Network Support) wrote:
>> -----Original Message-----
>> From: Licause, Al (CSC AMS BCS - UNIX/Linux Network Support)
>> Sent: Friday, October 03, 2014 7:11 AM
>> To: 'Jan Pazdziora'
>> Subject: RE: [Freeipa-users] named and IpA
>>
>> Jan,
>>
>> Just for kicks, I tried to use the ipa dnsconfig-mod command to add information about the local name server. I was able to set the forwarding policy but I was only able to set a single forwarder. If I issued a second forwarder, the previous entry was replaced by the new one and only one forwarder shows as active:
>>
>> [root@linux named]# ipa dnsconfig-show
>>   Global forwarders: 16.112.240.40
>>   Forward policy: first
>> [root@linux named]# ipa dnsconfig-mod --forwarder=16.112.240.27
>>   Global forwarders: 16.112.240.27
>>   Forward policy: first
>> [root@linux named]# ipa dnsconfig-show
>>   Global forwarders: 16.112.240.27
>>   Forward policy: first
>>
>> If I attempt to place more than one forwarder in the arguments, I get an error:
>>
>> [root@linux named]# ipa dnsconfig-mod --forwarder=16.112.240.27;16.112.240.40
>> ipa: ERROR: no modifications to be performed
>> bash: 16.112.240.40: command not found...
>
> You cannot use an unescaped semicolon
>
> $ man bash
> ...
> DEFINITIONS
> ...
> metacharacter
>     A character that, when unquoted, separates words. One of the following:
>     | ; ( ) space tab
>
> Thanks for the reply. If it is possible to enter more than one forwarder with the ipa dnsconfig-mod command, can you show an example? I have tried variations with no luck.
>
> Al

Have you tried multiple --forwarder flags? e.g.

# ipa dnsconfig-mod --forwarder=16.112.240.27 --forwarder=16.112.240.40

...

>> The Fedora documentation only gives examples for adding a single forwarder, so this seems to be a shortcoming in the current implementation. However, having performed these steps, it still did not allow the local name server to look at anything past the local database or use the designated forwarders.
>>
>> Al
>>
>> -----Original Message-----
>> From: Jan Pazdziora [mailto:jpazdzi...@redhat.com]
>> Sent: Thursday, October 02, 2014 11:23 PM
>> To: Licause, Al (CSC AMS BCS - UNIX/Linux Network Support)
>> Cc: freeipa-users@redhat.com
>> Subject: Re: [Freeipa-users] named and IpA
>>
>> On Thu, Oct 02, 2014 at 05:05:10PM +, Licause, Al (CSC AMS BCS - UNIX/Linux Network Support) wrote:
>>> From the IdM server we can only lookup local records. The name resolver will not attempt to look to any other name servers or domains defined in /etc/resolv.conf
>>
>> What exactly is in your /etc/resolv.conf? Just the IP address of the IPA server (localhost), or some other records?
>>
>>> If I shutdown IdM using ipactl stop and then restart named, the name resolver works for local and remote hosts, addresses and domains as well as serving up the SRV records defined on the local host.
>>
>> So if all IdM services are running, you do not seem to have named observing forwarders settings but if you only run named on the IdM machine and nothing else, it starts to observe them?
>>
>> Can you show dig output for one of the problematic records to see which DNS server is answering the query?
>>
>> --
>> Jan Pazdziora
>> Principal Software Engineer, Identity Management Engineering, Red Hat