Re: [Freeipa-users] FreeIPA + /etc/named.conf
On 06.01.2017 18:14, TomK wrote:
> On 1/5/2017 2:17 PM, Martin Basti wrote:
>> On 05.01.2017 20:03, TomK wrote:
>>> Hey All,
>>>
>>> QQ. Should the DNS forwarders be updated in /etc/named.conf? Until I manually change /etc/named.conf, I can't ping the Windows AD cluster: mds.xyz. Nor can I get dig to resolve the SRV records (dig SRV _ldap._tcp.mds.xyz).
>>>
>>> sssd-ipa-1.14.0-43.el7_3.4.x86_64
>>> ipa-client-4.4.0-14.el7.centos.x86_64
>>>
>>> The IPA command below indicates that it's set to 'first', but that's not what's in the /etc/named.conf file when I check. Again, it works if I change /etc/named.conf manually.
>>
>> Forwarder settings have priority:
>>
>> named.conf < global forwarders (ipa dnsconfig-mod) < local DNS server config (ipa dnsserver-*) < forward zones (applied per query, not as global forwarder)
>>
>> so what is in named.conf is usually always overwritten.
>>
>> How did you edit the named.conf?
>>
>> Does dig @192.168.0.224 SRV _ldap._tcp.mds.xyz. work?
>>
>> Do you have any errors in journalctl -u named-pkcs11?
>>
>> Martin
>
> Thanks Martin.
>
> Yes, with the manual update of /etc/named.conf this command works, as I posted earlier (it doesn't work without the manual update of /etc/named.conf to forward first;):
>
> dig @192.168.0.224 SRV _ldap._tcp.mds.xyz.
>
> ;; ANSWER SECTION:
> _ldap._tcp.mds.xyz.    3600    IN    SRV    0 100 389 winad02.mds.xyz.
> _ldap._tcp.mds.xyz.    600     IN    SRV    0 100 389 winad01.mds.xyz.
>
> Yes, I stumbled on the journalctl command but really haven't seen anything applicable to my scenario AFAICT. Nonetheless, logs available below:
>
> http://microdevsys.com/freeipa/named-pkcs11-working.log
> http://microdevsys.com/freeipa/named-pkcs11-non-working.log
> http://microdevsys.com/freeipa/named-pkcs11-working-again.log
>
> I'm still going over them. The only message that seemed to make sense was:
>
> ignoring inherited 'forward first;' for zone '.' - did you want 'forward only;' to override automatic empty zone
>
> but it appears in both the working and non-working situations, so it isn't looking significant ATM, and nothing I found applied to this scenario.
>
> Btw:
>
> [root@idmipa01 log]# cat /etc/resolv.conf
> search nix.mds.xyz mds.xyz
> nameserver 127.0.0.1
> You have new mail in /var/spool/mail/root
> [root@idmipa01 log]#
>
> And based on earlier chats, that's how it should stay.
>
> Resolution of AD IDs does work from clients though (when I have forward first; in /etc/named.conf).

For me it looks like some DNSSEC validation issue. Could you temporarily disable DNSSEC validation in /etc/named.conf on the IPA server and then try again with forward only?

Martin

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] FreeIPA + /etc/named.conf
On 1/5/2017 2:17 PM, Martin Basti wrote:
> On 05.01.2017 20:03, TomK wrote:
>> Hey All,
>>
>> QQ. Should the DNS forwarders be updated in /etc/named.conf? Until I manually change /etc/named.conf, I can't ping the Windows AD cluster: mds.xyz. Nor can I get dig to resolve the SRV records (dig SRV _ldap._tcp.mds.xyz).
>>
>> sssd-ipa-1.14.0-43.el7_3.4.x86_64
>> ipa-client-4.4.0-14.el7.centos.x86_64
>>
>> The IPA command below indicates that it's set to 'first', but that's not what's in the /etc/named.conf file when I check. Again, it works if I change /etc/named.conf manually.
>
> Forwarder settings have priority:
>
> named.conf < global forwarders (ipa dnsconfig-mod) < local DNS server config (ipa dnsserver-*) < forward zones (applied per query, not as global forwarder)
>
> so what is in named.conf is usually always overwritten.
>
> How did you edit the named.conf?
>
> Does dig @192.168.0.224 SRV _ldap._tcp.mds.xyz. work?
>
> Do you have any errors in journalctl -u named-pkcs11?
>
> Martin

Thanks Martin.

Yes, with the manual update of /etc/named.conf this command works, as I posted earlier (it doesn't work without the manual update of /etc/named.conf to forward first;):

dig @192.168.0.224 SRV _ldap._tcp.mds.xyz.

;; ANSWER SECTION:
_ldap._tcp.mds.xyz.    3600    IN    SRV    0 100 389 winad02.mds.xyz.
_ldap._tcp.mds.xyz.    600     IN    SRV    0 100 389 winad01.mds.xyz.

Yes, I stumbled on the journalctl command but really haven't seen anything applicable to my scenario AFAICT. Nonetheless, logs available below:

http://microdevsys.com/freeipa/named-pkcs11-working.log
http://microdevsys.com/freeipa/named-pkcs11-non-working.log
http://microdevsys.com/freeipa/named-pkcs11-working-again.log

I'm still going over them. The only message that seemed to make sense was:

ignoring inherited 'forward first;' for zone '.' - did you want 'forward only;' to override automatic empty zone

but it appears in both the working and non-working situations, so it isn't looking significant ATM, and nothing I found applied to this scenario.

Btw:

[root@idmipa01 log]# cat /etc/resolv.conf
search nix.mds.xyz mds.xyz
nameserver 127.0.0.1
You have new mail in /var/spool/mail/root
[root@idmipa01 log]#

And based on earlier chats, that's how it should stay.

Resolution of AD IDs does work from clients though (when I have forward first; in /etc/named.conf).

--
Cheers,
Tom K.
- Living on earth is expensive, but it includes a free trip around the sun.
Re: [Freeipa-users] FreeIPA + /etc/named.conf
On 05.01.2017 20:03, TomK wrote:
> Hey All,
>
> QQ. Should the DNS forwarders be updated in /etc/named.conf? Until I manually change /etc/named.conf, I can't ping the Windows AD cluster: mds.xyz. Nor can I get dig to resolve the SRV records (dig SRV _ldap._tcp.mds.xyz).
>
> sssd-ipa-1.14.0-43.el7_3.4.x86_64
> ipa-client-4.4.0-14.el7.centos.x86_64
>
> The IPA command below indicates that it's set to 'first', but that's not what's in the /etc/named.conf file when I check. Again, it works if I change /etc/named.conf manually.

Forwarder settings have priority:

named.conf < global forwarders (ipa dnsconfig-mod) < local DNS server config (ipa dnsserver-*) < forward zones (applied per query, not as global forwarder)

so what is in named.conf is usually always overwritten.

How did you edit the named.conf?

Does dig @192.168.0.224 SRV _ldap._tcp.mds.xyz. work?

Do you have any errors in journalctl -u named-pkcs11?

Martin
[Freeipa-users] FreeIPA + /etc/named.conf
Hey All,

QQ. Should the DNS forwarders be updated in /etc/named.conf? Until I manually change /etc/named.conf, I can't ping the Windows AD cluster: mds.xyz. Nor can I get dig to resolve the SRV records (dig SRV _ldap._tcp.mds.xyz).

sssd-ipa-1.14.0-43.el7_3.4.x86_64
ipa-client-4.4.0-14.el7.centos.x86_64

The IPA command below indicates that it's set to 'first', but that's not what's in the /etc/named.conf file when I check. Again, it works if I change /etc/named.conf manually.

--
Cheers,
Tom K.
- Living on earth is expensive, but it includes a free trip around the sun.

[root@idmipa02 network-scripts]# ipa dnsforwardzone-find mds.xyz
  Zone name: mds.xyz.
  Active zone: TRUE
  Zone forwarders: 192.168.0.224
  Forward policy: first
Number of entries returned 1
[root@idmipa02 network-scripts]# grep -i forward /etc/named.conf
        forward only;
        forwarders {
[root@idmipa02 network-scripts]# vi /etc/named.conf
[root@idmipa02 network-scripts]#
[root@idmipa02 network-scripts]#
[root@idmipa02 network-scripts]# ipactl restart
Stopping pki-tomcatd Service
Restarting Directory Service
Restarting krb5kdc Service
Restarting kadmin Service
Restarting named Service
Restarting ipa_memcached Service
Restarting httpd Service
Restarting ipa-custodia Service
Restarting ntpd Service
Restarting pki-tomcatd Service
Restarting smb Service
Restarting winbind Service
Restarting ipa-otpd Service
Restarting ipa-dnskeysyncd Service
ipa: INFO: The ipactl command was successful
[root@idmipa02 network-scripts]#
[root@idmipa02 network-scripts]#
[root@idmipa02 network-scripts]#
[root@idmipa02 network-scripts]# ping mds.xyz
PING mds.xyz (192.168.0.224) 56(84) bytes of data.
64 bytes from 192.168.0.224: icmp_seq=1 ttl=128 time=0.515 ms
64 bytes from 192.168.0.224: icmp_seq=2 ttl=128 time=0.447 ms
^C
--- mds.xyz ping statistics ---
2 packets transmitted, 2 received, +2 duplicates, 0% packet loss, time 1000ms
rtt min/avg/max/mdev = 0.447/83.695/333.339/144.132 ms
[root@idmipa02 network-scripts]# grep -i forward /etc/named.conf
        forward first;
        forwarders {
[root@idmipa02 network-scripts]# dig SRV _ldap._tcp.mds.xyz

; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7_2.4 <<>> SRV _ldap._tcp.mds.xyz
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5407
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 4, ADDITIONAL: 6

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;_ldap._tcp.mds.xyz.            IN      SRV

;; ANSWER SECTION:
_ldap._tcp.mds.xyz.     600     IN      SRV     0 100 389 winad01.mds.xyz.
_ldap._tcp.mds.xyz.     600     IN      SRV     0 100 389 winad02.mds.xyz.

;; AUTHORITY SECTION:
xyz.                    10876   IN      NS      generationxyz.nic.xyz.
xyz.                    10876   IN      NS      z.nic.xyz.
xyz.                    10876   IN      NS      y.nic.xyz.
xyz.                    10876   IN      NS      x.nic.xyz.

;; ADDITIONAL SECTION:
winad02.mds.xyz.        497     IN      A       192.168.0.221
winad02.mds.xyz.        497     IN      A       192.168.0.223
winad01.mds.xyz.        2902    IN      A       192.168.0.224
winad01.mds.xyz.        2902    IN      A       192.168.0.220
winad01.mds.xyz.        2902    IN      A       192.168.0.222

;; Query time: 2 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Jan 05 13:55:51 EST 2017
;; MSG SIZE  rcvd: 277

[root@idmipa02 network-scripts]#
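As an added example (not code from the thread, and not a FreeIPA or BIND tool): a small Python checker that parses the dig SRV output quoted in this thread into the ordered list of AD domain controllers with their glue addresses, and reads the forward policy and dnssec-validation setting out of a named.conf options block so the policy IPA reports can be compared with what BIND actually loaded. The dig sample is a whitespace-normalised copy of the working output above; the named.conf fragment is constructed to mirror the 'forward only;' state found before the manual edit, and the dnssec-validation value in it is an assumption, not something the thread shows.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: ANSWER/AUTHORITY/ADDITIONAL sections from the working
# 'dig SRV _ldap._tcp.mds.xyz' run in the thread, whitespace normalised.
DIG_OUTPUT = """\
;; ANSWER SECTION:
_ldap._tcp.mds.xyz.     600     IN      SRV     0 100 389 winad01.mds.xyz.
_ldap._tcp.mds.xyz.     600     IN      SRV     0 100 389 winad02.mds.xyz.

;; AUTHORITY SECTION:
xyz.                    10876   IN      NS      x.nic.xyz.

;; ADDITIONAL SECTION:
winad02.mds.xyz.        497     IN      A       192.168.0.221
winad02.mds.xyz.        497     IN      A       192.168.0.223
winad01.mds.xyz.        2902    IN      A       192.168.0.224
winad01.mds.xyz.        2902    IN      A       192.168.0.220
winad01.mds.xyz.        2902    IN      A       192.168.0.222
"""

# Constructed named.conf fragment reproducing the 'forward only;' state the
# poster found before editing the file. dnssec-validation is a real BIND
# option; the value shown here is an assumption, not taken from the thread.
NAMED_CONF = """\
options {
        forward only;
        forwarders { 192.168.0.224; };
        dnssec-validation yes;
};
"""

# \s* before IN tolerates a TTL fused to the class ("3600IN"), as in the quoted mail.
SRV_RE = re.compile(r"^(\S+)\s+(\d+)\s*IN\s+SRV\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)\s*$")
A_RE = re.compile(r"^(\S+)\s+(\d+)\s*IN\s+A\s+(\S+)\s*$")
# 'forward' must be followed by whitespace, so 'forwarders {' never matches.
FORWARD_RE = re.compile(r"\bforward\s+(first|only)\s*;")
DNSSEC_RE = re.compile(r"\bdnssec-validation\s+(yes|no|auto)\s*;")


def parse_srv(dig_text: str) -> List[Dict[str, object]]:
    """SRV records from dig output in the order a client tries them:
    lowest priority first, then higher weight first (RFC 2782)."""
    records = []
    for line in dig_text.splitlines():
        m = SRV_RE.match(line)
        if m:
            name, ttl, prio, weight, port, target = m.groups()
            records.append({"name": name, "ttl": int(ttl), "priority": int(prio),
                            "weight": int(weight), "port": int(port), "target": target})
    return sorted(records, key=lambda r: (r["priority"], -r["weight"], r["target"]))


def parse_additional_a(dig_text: str) -> Dict[str, List[str]]:
    """Map each owner name to the A records (glue) dig returned for it."""
    addrs: Dict[str, List[str]] = {}
    for line in dig_text.splitlines():
        m = A_RE.match(line)
        if m:
            addrs.setdefault(m.group(1), []).append(m.group(3))
    return addrs


def domain_controllers(dig_text: str) -> List[Tuple[str, int, List[str]]]:
    """(target, port, addresses) per SRV target; an empty address list marks a
    DC the resolver could name but not reach without a further lookup."""
    addrs = parse_additional_a(dig_text)
    return [(r["target"], r["port"], addrs.get(r["target"], []))
            for r in parse_srv(dig_text)]


def forward_policy(conf: str) -> Optional[str]:
    """'first', 'only', or None when no forward statement is present."""
    m = FORWARD_RE.search(conf)
    return m.group(1) if m else None


def dnssec_validation(conf: str) -> Optional[str]:
    """Value of dnssec-validation, or None when the option is absent."""
    m = DNSSEC_RE.search(conf)
    return m.group(1) if m else None


def check_forwarding(conf: str, ipa_policy: str) -> List[str]:
    """Findings worth acting on: the policy BIND loaded differs from the one
    IPA reports, or validation is on while a forward-only path is being debugged."""
    findings = []
    loaded = forward_policy(conf)
    if loaded != ipa_policy:
        findings.append(f"named.conf has 'forward {loaded}' but IPA reports '{ipa_policy}'")
    if dnssec_validation(conf) == "yes":
        findings.append("dnssec-validation yes: the thread's next test is to disable it temporarily")
    return findings


if __name__ == "__main__":
    for target, port, ips in domain_controllers(DIG_OUTPUT):
        print(f"{target}:{port} -> {', '.join(ips) or '(no glue)'}")
    for finding in check_forwarding(NAMED_CONF, "first"):
        print("finding:", finding)
```

Run against the constructed samples it lists both DCs with their three and two glue addresses and reports the 'forward only' versus 'first' mismatch; on a real server the two inputs would come from `dig SRV _ldap._tcp.mds.xyz` and the options block of /etc/named.conf, with the IPA side taken from `ipa dnsforwardzone-find`.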