Re: [Freeipa-users] FreeIPA + /etc/named.conf

2017-01-09 Thread Martin Basti



On 06.01.2017 18:14, TomK wrote:

On 1/5/2017 2:17 PM, Martin Basti wrote:



On 05.01.2017 20:03, TomK wrote:

Hey All,

QQ.

Should the DNS forwarders be updated in /etc/named.conf? Until I
manually change /etc/named.conf, can't ping the windows AD cluster:
mds.xyz.  Nor can I get dig to resolve the SRV records (dig SRV
_ldap._tcp.mds.xyz).

sssd-ipa-1.14.0-43.el7_3.4.x86_64
ipa-client-4.4.0-14.el7.centos.x86_64

IPA command below indicates that it's set to 'first' but that's not
what's in /etc/named.conf file when I check.  Again, it works if I
change /etc/named.conf manually.



Forwarder settings have priority:

named.conf < global forwarders (ipa dnsconfig-mod) < local dns server
config (ipa dnsserver-*) < forwardzones (applied per query, not as
global forwarder)

so what is in named.conf is usually always overwritten


How did you edit the named.conf?

Does dig @192.168.0.224 SRV _ldap._tcp.mds.xyz. work?
Do you have any errors in journalctl -u named-pkcs11?

Martin


Thanks Martin.

Yes, with the manual update of /etc/named.conf this command works, as
I posted earlier (it doesn't work without the manual update of
/etc/named.conf to forward first;):


dig @192.168.0.224 SRV _ldap._tcp.mds.xyz.

;; ANSWER SECTION:
_ldap._tcp.mds.xyz. 3600 IN  SRV 0 100 389 winad02.mds.xyz.
_ldap._tcp.mds.xyz. 600  IN  SRV 0 100 389 winad01.mds.xyz.


Yes, I stumbled on the journalctl command but really haven't seen
anything applicable to my scenario AFAICT. Nonetheless, logs available
below:


http://microdevsys.com/freeipa/named-pkcs11-working.log
http://microdevsys.com/freeipa/named-pkcs11-non-working.log
http://microdevsys.com/freeipa/named-pkcs11-working-again.log

I'm still going over them. The only message that seemed to make sense
was:


ignoring inherited 'forward first;' for zone '.' - did you want 'forward only;' to override automatic empty zone


but it appears in both the working and non-working situations, so it isn't
looking significant ATM, and nothing I found applied to this scenario.
Btw:


[root@idmipa01 log]# cat /etc/resolv.conf
search nix.mds.xyz mds.xyz
nameserver 127.0.0.1
You have new mail in /var/spool/mail/root
[root@idmipa01 log]#

And based on earlier chats, that's how it should stay. Resolution of
AD IDs does work from clients though (when I have forward first; in
/etc/named.conf).

For me it looks like some DNSSEC validation issue; could you temporarily
disable DNSSEC validation in /etc/named.conf on the IPA server and then try
again with forward only?


Martin
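
Martin's DNSSEC suspicion can be checked without touching named.conf by repeating the dig query with +cd, which sets the Checking Disabled bit so a validating resolver hands back data it would otherwise reject: SERVFAIL without +cd but NOERROR with it points at validation, SERVFAIL both ways points at the forwarder itself. The Python below is an added diagnostic, not part of the thread and not FreeIPA or BIND code; the two dig outputs it parses are constructed to mirror the SRV answer shown in the thread.

```python
"""Tell a DNSSEC-validation failure apart from a plain forwarding failure.

Added diagnostic (not FreeIPA code). It compares two dig runs against the IPA
resolver for the same name: a normal one and one with +cd (Checking Disabled),
which asks the resolver to return data it would otherwise reject as unvalidated.
The sample outputs below are constructed, modelled on the dig output in the thread.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: normal query fails at the validating resolver.
SAMPLE_PLAIN = """\
; <<>> DiG 9.9.4 <<>> @127.0.0.1 SRV _ldap._tcp.mds.xyz.
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 31337
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; QUESTION SECTION:
;_ldap._tcp.mds.xyz.\t\tIN\tSRV
"""

# Constructed sample: same query with +cd returns the forwarder's data.
SAMPLE_CD = """\
; <<>> DiG 9.9.4 <<>> @127.0.0.1 +cd SRV _ldap._tcp.mds.xyz.
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31338
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; ANSWER SECTION:
_ldap._tcp.mds.xyz.\t600\tIN\tSRV\t0 100 389 winad01.mds.xyz.
_ldap._tcp.mds.xyz.\t600\tIN\tSRV\t0 100 389 winad02.mds.xyz.

;; Query time: 2 msec
"""

HEADER_RE = re.compile(r"status:\s*([A-Z]+)")
FLAGS_RE = re.compile(r"^;; flags:\s*([a-z ]*);")
RR_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\w+)\s+(.*)$")


@dataclass
class DigResult:
    status: str                                   # NOERROR, SERVFAIL, NXDOMAIN, ...
    flags: set = field(default_factory=set)       # header flags: qr rd ra ad cd ...
    answers: list = field(default_factory=list)   # (owner, ttl, rtype, rdata)


def parse_dig(text: str) -> DigResult:
    """Extract status, header flags and ANSWER SECTION records from dig output."""
    result = DigResult(status="UNKNOWN")
    in_answer = False
    for line in text.splitlines():
        if line.startswith(";; ->>HEADER<<-"):
            m = HEADER_RE.search(line)
            if m:
                result.status = m.group(1)
        elif line.startswith(";; flags:"):
            m = FLAGS_RE.match(line)
            if m:
                result.flags = set(m.group(1).split())
        elif line.startswith(";; ANSWER SECTION:"):
            in_answer = True
        elif in_answer:
            if not line.strip():          # blank line ends the section
                in_answer = False
                continue
            m = RR_RE.match(line)
            if m:
                owner, ttl, rtype, rdata = m.groups()
                result.answers.append((owner, int(ttl), rtype, rdata.strip()))
    return result


def srv_targets(result: DigResult) -> list:
    """SRV targets in try order: lowest priority first, then highest weight.
    (Strict weight ordering stands in for the RFC 2782 weighted random pick.)"""
    rows = []
    for owner, ttl, rtype, rdata in result.answers:
        if rtype == "SRV":
            prio, weight, port, host = rdata.split()
            rows.append((int(prio), -int(weight), int(port), host))
    rows.sort()
    return [(p, -w, port, host) for p, w, port, host in rows]


def classify(plain: DigResult, cd: DigResult) -> str:
    """Compare the normal run with the +cd run and name the failure class."""
    if plain.status == "NOERROR":
        return "ok"                      # nothing to diagnose
    if plain.status == "SERVFAIL" and cd.status == "NOERROR":
        return "dnssec-validation"       # data arrives, the validator rejects it
    if plain.status == "SERVFAIL" and cd.status == "SERVFAIL":
        return "forwarding"              # forwarder unreachable/refusing: not DNSSEC
    return "other:" + plain.status       # NXDOMAIN, REFUSED, ...


if __name__ == "__main__":
    plain, cd = parse_dig(SAMPLE_PLAIN), parse_dig(SAMPLE_CD)
    print("verdict:", classify(plain, cd))
    for prio, weight, port, host in srv_targets(cd):
        print(f"  SRV {prio} {weight} {port} {host}")
```

To use it on a live server, capture `dig @127.0.0.1 SRV _ldap._tcp.mds.xyz.` and the same command with `+cd`, and feed both captures to `classify()`. A `dnssec-validation` verdict confirms Martin's hypothesis while leaving named.conf untouched; if you do follow his suggestion and set `dnssec-validation no;` for the test, revert it afterwards, because that setting removes validation for every zone the server resolves, not just the forwarded AD zone.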

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] FreeIPA + /etc/named.conf

2017-01-06 Thread TomK

On 1/5/2017 2:17 PM, Martin Basti wrote:



On 05.01.2017 20:03, TomK wrote:

Hey All,

QQ.

Should the DNS forwarders be updated in /etc/named.conf?  Until I
manually change /etc/named.conf, can't ping the windows AD cluster:
mds.xyz.  Nor can I get dig to resolve the SRV records (dig SRV
_ldap._tcp.mds.xyz).

sssd-ipa-1.14.0-43.el7_3.4.x86_64
ipa-client-4.4.0-14.el7.centos.x86_64

IPA command below indicates that it's set to 'first' but that's not
what's in /etc/named.conf file when I check.  Again, it works if I
change /etc/named.conf manually.



Forwarder settings have priority:

named.conf < global forwarders (ipa dnsconfig-mod) < local dns server
config (ipa dnsserver-*) < forwardzones (applied per query, not as
global forwarder)

so what is in named.conf is usually always overwritten


How did you edit the named.conf?

Does dig @192.168.0.224 SRV _ldap._tcp.mds.xyz. work?
Do you have any errors in journalctl -u named-pkcs11?

Martin


Thanks Martin.

Yes, with the manual update of /etc/named.conf this command works, as I
posted earlier (it doesn't work without the manual update of
/etc/named.conf to forward first;):


dig @192.168.0.224 SRV _ldap._tcp.mds.xyz.

;; ANSWER SECTION:
_ldap._tcp.mds.xyz. 3600IN  SRV 0 100 389 winad02.mds.xyz.
_ldap._tcp.mds.xyz. 600 IN  SRV 0 100 389 winad01.mds.xyz.

Yes, I stumbled on the journalctl command but really haven't seen
anything applicable to my scenario AFAICT. Nonetheless, logs available
below:


http://microdevsys.com/freeipa/named-pkcs11-working.log
http://microdevsys.com/freeipa/named-pkcs11-non-working.log
http://microdevsys.com/freeipa/named-pkcs11-working-again.log

I'm still going over them. The only message that seemed to make sense was:

ignoring inherited 'forward first;' for zone '.' - did you want 'forward only;' to override automatic empty zone


but it appears in both the working and non-working situations, so it isn't
looking significant ATM, and nothing I found applied to this scenario. Btw:


[root@idmipa01 log]# cat /etc/resolv.conf
search nix.mds.xyz mds.xyz
nameserver 127.0.0.1
You have new mail in /var/spool/mail/root
[root@idmipa01 log]#

And based on earlier chats, that's how it should stay. Resolution of AD
IDs does work from clients though (when I have forward first; in
/etc/named.conf).

--
Cheers,
Tom K.
-

Living on earth is expensive, but it includes a free trip around the sun.




Re: [Freeipa-users] FreeIPA + /etc/named.conf

2017-01-05 Thread Martin Basti



On 05.01.2017 20:03, TomK wrote:

Hey All,

QQ.

Should the DNS forwarders be updated in /etc/named.conf?  Until I 
manually change /etc/named.conf, can't ping the windows AD cluster: 
mds.xyz.  Nor can I get dig to resolve the SRV records (dig SRV 
_ldap._tcp.mds.xyz).


sssd-ipa-1.14.0-43.el7_3.4.x86_64
ipa-client-4.4.0-14.el7.centos.x86_64

IPA command below indicates that it's set to 'first' but that's not 
what's in /etc/named.conf file when I check.  Again, it works if I 
change /etc/named.conf manually.




Forwarder settings have priority:

named.conf < global forwarders (ipa dnsconfig-mod) < local dns server 
config (ipa dnsserver-*) < forwardzones (applied per query, not as 
global forwarder)


so what is in named.conf is usually always overwritten


How did you edit the named.conf?

Does dig @192.168.0.224 SRV _ldap._tcp.mds.xyz. work?
Do you have any errors in journalctl -u named-pkcs11?

Martin
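
Martin's precedence rule above (named.conf < global forwarders < per-server config < forward zones) is why the `forward only;` TomK found in named.conf does not contradict the `Forward policy: first` that `ipa dnsforwardzone-find` reports for mds.xyz: the forward zone's policy governs every query under mds.xyz., and the named.conf statement is only the fallback for names no higher layer covers. The Python below is an added example that models that rule; it is not FreeIPA's or BIND's own resolution code. The named.conf fragment and the `ipa dnsforwardzone-find` text it parses are constructed from what the thread shows, and the global forwarder 10.0.0.53 is a hypothetical value.

```python
"""Model of the forwarder precedence described in the thread:

    named.conf < global forwarders (ipa dnsconfig-mod)
               < per-server config (ipa dnsserver-*)
               < forward zones (matched per query, most specific zone wins)

Added example, not FreeIPA's or BIND's own code. Sample inputs are constructed
from the thread; the global forwarder 10.0.0.53 is hypothetical.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed named.conf fragment matching the `grep -i forward` output in the thread.
NAMED_CONF = """\
options {
\tforward only;
\tforwarders { 192.168.0.224; };
\tdnssec-validation yes;
};
"""

# Constructed `ipa dnsforwardzone-find mds.xyz` output, as shown in the thread.
IPA_FORWARDZONE_FIND = """\
  Zone name: mds.xyz.
  Active zone: TRUE
  Zone forwarders: 192.168.0.224
  Forward policy: first

Number of entries returned 1
"""


@dataclass
class ForwardSetting:
    forwarders: List[str]   # forwarder IPs
    policy: Optional[str]   # "first" (fall back to recursion) or "only" (never recurse)
    source: str             # which layer produced this setting


# Hypothetical global forwarder as set with `ipa dnsconfig-mod`.
GLOBAL_EXAMPLE = ForwardSetting(["10.0.0.53"], "first", "global (ipa dnsconfig-mod)")


def parse_named_conf(text: str) -> Optional[ForwardSetting]:
    """Pull the `forward` policy and `forwarders { }` list out of a named.conf fragment."""
    policy = re.search(r"\bforward\s+(first|only)\s*;", text)
    fwd = re.search(r"\bforwarders\s*\{([^}]*)\}", text)
    if not fwd:
        return None
    ips = [ip.strip() for ip in fwd.group(1).split(";") if ip.strip()]
    # BIND's default when only `forwarders` is given is `forward first`.
    return ForwardSetting(ips, policy.group(1) if policy else "first", "named.conf")


def parse_forwardzone_find(text: str) -> Dict[str, ForwardSetting]:
    """Parse `ipa dnsforwardzone-find` output into {zone: setting}; inactive zones are skipped."""
    zones: Dict[str, ForwardSetting] = {}
    cur: Dict[str, str] = {}

    def flush() -> None:
        if cur.get("zone name") and cur.get("active zone", "TRUE").upper() == "TRUE":
            ips = [ip.strip() for ip in cur.get("zone forwarders", "").split(",") if ip.strip()]
            zones[cur["zone name"]] = ForwardSetting(
                ips, cur.get("forward policy"), "forwardzone " + cur["zone name"])
        cur.clear()

    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Number of entries"):
            flush()                       # blank line or summary ends one entry
            continue
        key, _, value = line.partition(":")
        cur[key.strip().lower()] = value.strip()
    flush()
    return zones


def effective_forwarding(qname: str, named_conf=None, global_cfg=None,
                         server_cfg=None, forward_zones=None) -> Optional[ForwardSetting]:
    """Return the setting that applies to a query for qname under the precedence above."""
    qname = qname.rstrip(".").lower() + "."
    best = None
    for zone, setting in (forward_zones or {}).items():
        z = zone.rstrip(".").lower() + "."
        if qname == z or qname.endswith("." + z):
            if best is None or len(z) > len(best[0]):   # longest suffix = most specific
                best = (z, setting)
    if best:
        return best[1]
    for setting in (server_cfg, global_cfg, named_conf):  # highest layer first
        if setting is not None:
            return setting
    return None


if __name__ == "__main__":
    named = parse_named_conf(NAMED_CONF)
    zones = parse_forwardzone_find(IPA_FORWARDZONE_FIND)
    for name in ("_ldap._tcp.mds.xyz", "www.example.com"):
        s = effective_forwarding(name, named_conf=named, global_cfg=GLOBAL_EXAMPLE, forward_zones=zones)
        print(f"{name}: forward {s.policy} via {s.forwarders} ({s.source})")
```

The model reproduces what Martin says should happen: a lookup of `_ldap._tcp.mds.xyz` lands on the forward zone and gets `first` toward 192.168.0.224 whatever named.conf says, while an unrelated name falls through to the global forwarder, or to named.conf when no global forwarder is set. Anything that behaves differently on a real server, as in TomK's report, is therefore worth checking at the layers above named.conf (the `ipa dnsconfig-show` and `ipa dnsserver-*` settings and the named-pkcs11 log) before editing the file by hand.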



[Freeipa-users] FreeIPA + /etc/named.conf

2017-01-05 Thread TomK

Hey All,

QQ.

Should the DNS forwarders be updated in /etc/named.conf?  Until I 
manually change /etc/named.conf, can't ping the windows AD cluster: 
mds.xyz.  Nor can I get dig to resolve the SRV records (dig SRV 
_ldap._tcp.mds.xyz).


sssd-ipa-1.14.0-43.el7_3.4.x86_64
ipa-client-4.4.0-14.el7.centos.x86_64

IPA command below indicates that it's set to 'first' but that's not 
what's in /etc/named.conf file when I check.  Again, it works if I 
change /etc/named.conf manually.


--
Cheers,
Tom K.
-

Living on earth is expensive, but it includes a free trip around the sun.



[root@idmipa02 network-scripts]# ipa dnsforwardzone-find mds.xyz
  Zone name: mds.xyz.
  Active zone: TRUE
  Zone forwarders: 192.168.0.224
  Forward policy: first

Number of entries returned 1

[root@idmipa02 network-scripts]# grep -i forward /etc/named.conf
forward only;
forwarders {
[root@idmipa02 network-scripts]# vi /etc/named.conf
[root@idmipa02 network-scripts]#
[root@idmipa02 network-scripts]#
[root@idmipa02 network-scripts]# ipactl restart
Stopping pki-tomcatd Service
Restarting Directory Service
Restarting krb5kdc Service
Restarting kadmin Service
Restarting named Service
Restarting ipa_memcached Service
Restarting httpd Service
Restarting ipa-custodia Service
Restarting ntpd Service
Restarting pki-tomcatd Service
Restarting smb Service
Restarting winbind Service
Restarting ipa-otpd Service
Restarting ipa-dnskeysyncd Service
ipa: INFO: The ipactl command was successful
[root@idmipa02 network-scripts]#
[root@idmipa02 network-scripts]#
[root@idmipa02 network-scripts]#
[root@idmipa02 network-scripts]# ping mds.xyz
PING mds.xyz (192.168.0.224) 56(84) bytes of data.
64 bytes from 192.168.0.224: icmp_seq=1 ttl=128 time=0.515 ms
64 bytes from 192.168.0.224: icmp_seq=2 ttl=128 time=0.447 ms
^C
--- mds.xyz ping statistics ---
2 packets transmitted, 2 received, +2 duplicates, 0% packet loss, time 1000ms

rtt min/avg/max/mdev = 0.447/83.695/333.339/144.132 ms
[root@idmipa02 network-scripts]# grep -i forward /etc/named.conf
forward first;
forwarders {
[root@idmipa02 network-scripts]# dig SRV _ldap._tcp.mds.xyz

; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7_2.4 <<>> SRV _ldap._tcp.mds.xyz
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5407
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 4, ADDITIONAL: 6

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;_ldap._tcp.mds.xyz.        IN  SRV

;; ANSWER SECTION:
_ldap._tcp.mds.xyz. 600 IN  SRV 0 100 389 winad01.mds.xyz.
_ldap._tcp.mds.xyz. 600 IN  SRV 0 100 389 winad02.mds.xyz.

;; AUTHORITY SECTION:
xyz.            10876   IN  NS  generationxyz.nic.xyz.
xyz.            10876   IN  NS  z.nic.xyz.
xyz.            10876   IN  NS  y.nic.xyz.
xyz.            10876   IN  NS  x.nic.xyz.

;; ADDITIONAL SECTION:
winad02.mds.xyz.    497     IN  A   192.168.0.221
winad02.mds.xyz.    497     IN  A   192.168.0.223
winad01.mds.xyz.    2902    IN  A   192.168.0.224
winad01.mds.xyz.    2902    IN  A   192.168.0.220
winad01.mds.xyz.    2902    IN  A   192.168.0.222

;; Query time: 2 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Jan 05 13:55:51 EST 2017
;; MSG SIZE  rcvd: 277

[root@idmipa02 network-scripts]#
