Hi,

On Tue, Mar 28, 2023 at 12:23 PM Anonymous via FreeIPA-users <[email protected]> wrote:
>
> So for the last week I'm having trouble with my DNS. It is not working as
> expected and is giving me all sorts of headaches. I have 4 ipa servers and 4
> clients. This is a test env for evaluation purposes and I want to move to
> production later on. My problem however is DNS. I'm on rhel9.1 and my freeipa
> version is 4.10.0
>
> [lessfoobar@mserver001p ~]$ ipa dns-update-system-records
> IPA DNS records:
> _kerberos-master._tcp.test.domain.com. 3600 IN SRV 0 100 88 mserver001p.test.domain.com.
> _kerberos-master._tcp.test.domain.com. 3600 IN SRV 0 100 88 rserver001p.test.domain.com.
> _kerberos-master._tcp.test.domain.com. 3600 IN SRV 0 100 88 rserver002p.test.domain.com.
> _kerberos-master._tcp.test.domain.com. 3600 IN SRV 0 100 88 rserver003p.test.domain.com.
> _kerberos-master._udp.test.domain.com. 3600 IN SRV 0 100 88 mserver001p.test.domain.com.
> _kerberos-master._udp.test.domain.com. 3600 IN SRV 0 100 88 rserver001p.test.domain.com.
> _kerberos-master._udp.test.domain.com. 3600 IN SRV 0 100 88 rserver002p.test.domain.com.
> _kerberos-master._udp.test.domain.com. 3600 IN SRV 0 100 88 rserver003p.test.domain.com.
> _kerberos._tcp.test.domain.com. 3600 IN SRV 0 100 88 mserver001p.test.domain.com.
> _kerberos._tcp.test.domain.com. 3600 IN SRV 0 100 88 rserver001p.test.domain.com.
> _kerberos._tcp.test.domain.com. 3600 IN SRV 0 100 88 rserver002p.test.domain.com.
> _kerberos._tcp.test.domain.com. 3600 IN SRV 0 100 88 rserver003p.test.domain.com.
> _kerberos._udp.test.domain.com. 3600 IN SRV 0 100 88 mserver001p.test.domain.com.
> _kerberos._udp.test.domain.com. 3600 IN SRV 0 100 88 rserver001p.test.domain.com.
> _kerberos._udp.test.domain.com. 3600 IN SRV 0 100 88 rserver002p.test.domain.com.
> _kerberos._udp.test.domain.com. 3600 IN SRV 0 100 88 rserver003p.test.domain.com.
> _kerberos.test.domain.com. 3600 IN TXT "TEST.DOMAIN.COM"
> _kerberos.test.domain.com. 3600 IN URI 0 100 "krb5srv:m:tcp:mserver001p.test.domain.com."
> _kerberos.test.domain.com. 3600 IN URI 0 100 "krb5srv:m:tcp:rserver001p.test.domain.com."
> _kerberos.test.domain.com. 3600 IN URI 0 100 "krb5srv:m:tcp:rserver002p.test.domain.com."
> _kerberos.test.domain.com. 3600 IN URI 0 100 "krb5srv:m:tcp:rserver003p.test.domain.com."
> _kerberos.test.domain.com. 3600 IN URI 0 100 "krb5srv:m:udp:mserver001p.test.domain.com."
> _kerberos.test.domain.com. 3600 IN URI 0 100 "krb5srv:m:udp:rserver001p.test.domain.com."
> _kerberos.test.domain.com. 3600 IN URI 0 100 "krb5srv:m:udp:rserver002p.test.domain.com."
> _kerberos.test.domain.com. 3600 IN URI 0 100 "krb5srv:m:udp:rserver003p.test.domain.com."
> _kpasswd._tcp.test.domain.com. 3600 IN SRV 0 100 464 mserver001p.test.domain.com.
> _kpasswd._tcp.test.domain.com. 3600 IN SRV 0 100 464 rserver001p.test.domain.com.
> _kpasswd._tcp.test.domain.com. 3600 IN SRV 0 100 464 rserver002p.test.domain.com.
> _kpasswd._tcp.test.domain.com. 3600 IN SRV 0 100 464 rserver003p.test.domain.com.
> _kpasswd._udp.test.domain.com. 3600 IN SRV 0 100 464 mserver001p.test.domain.com.
> _kpasswd._udp.test.domain.com. 3600 IN SRV 0 100 464 rserver001p.test.domain.com.
> _kpasswd._udp.test.domain.com. 3600 IN SRV 0 100 464 rserver002p.test.domain.com.
> _kpasswd._udp.test.domain.com. 3600 IN SRV 0 100 464 rserver003p.test.domain.com.
> _kpasswd.test.domain.com. 3600 IN URI 0 100 "krb5srv:m:tcp:mserver001p.test.domain.com."
> _kpasswd.test.domain.com. 3600 IN URI 0 100 "krb5srv:m:tcp:rserver001p.test.domain.com."
> _kpasswd.test.domain.com. 3600 IN URI 0 100 "krb5srv:m:tcp:rserver002p.test.domain.com."
> _kpasswd.test.domain.com. 3600 IN URI 0 100 "krb5srv:m:tcp:rserver003p.test.domain.com."
> _kpasswd.test.domain.com. 3600 IN URI 0 100 "krb5srv:m:udp:mserver001p.test.domain.com."
> _kpasswd.test.domain.com. 3600 IN URI 0 100 "krb5srv:m:udp:rserver001p.test.domain.com."
> _kpasswd.test.domain.com. 3600 IN URI 0 100 "krb5srv:m:udp:rserver002p.test.domain.com."
> _kpasswd.test.domain.com. 3600 IN URI 0 100 "krb5srv:m:udp:rserver003p.test.domain.com."
> _ldap._tcp.test.domain.com. 3600 IN SRV 0 100 389 mserver001p.test.domain.com.
> _ldap._tcp.test.domain.com. 3600 IN SRV 0 100 389 rserver001p.test.domain.com.
> _ldap._tcp.test.domain.com. 3600 IN SRV 0 100 389 rserver002p.test.domain.com.
> _ldap._tcp.test.domain.com. 3600 IN SRV 0 100 389 rserver003p.test.domain.com.
> ipa-ca.test.domain.com. 3600 IN A 192.168.0.21
>
> [lessfoobar@mserver001p ~]$ sudo ipa dnsconfig-show
> [sudo] password for lessfoobar:
> ---------------------------------
> Global DNS configuration is empty
> ---------------------------------
> IPA DNS servers: mserver001p.test.domain.com, rserver001p.test.domain.com, rserver002p.test.domain.com, rserver003p.test.domain.com
> [lessfoobar@mserver001p ~]$ sudo ipa dns-server-show
> ipa: ERROR: unknown command 'dns-server-show'
> [lessfoobar@mserver001p ~]$ sudo ipa dnsserver-show
> Server name: mserver001p.test.domain.com
> Server name: mserver001p.test.domain.com
> SOA mname override: mserver001p.test.domain.com.
> Forward policy: none
> [lessfoobar@mserver001p ~]$ sudo ipa dnsserver-show rserver001p.test.domain.com
> Server name: rserver001p.test.domain.com
> SOA mname override: rserver001p.test.domain.com.
> Forwarders: 192.168.0.21
> Forward policy: first
> [lessfoobar@mserver001p ~]$ sudo ipa dnsserver-show rserver003p.test.domain.com
> Server name: rserver003p.test.domain.com
> SOA mname override: rserver003p.test.domain.com.
> Forwarders: 192.168.0.21
> Forward policy: first
> [lessfoobar@mserver001p ~]$ sudo ipa dnsserver-show rserver002p.test.domain.com
> Server name: rserver002p.test.domain.com
> SOA mname override: rserver002p.test.domain.com.
> Forwarders: 192.168.0.21
> Forward policy: first

Up to this point, everything you show points to zone 'test.domain.com'.

> [lessfoobar@mserver001p ~]$ sudo ipa dnsrecord-show int.domain.com
> Record name: rserver001p
> Record name: rserver001p
> A record: 192.168.0.22
> SSHFP record: REDACTED

This is listing records for zone 'int.domain.com'.

> [lessfoobar@mserver001p ~]$ host 192.168.0.22
> Host 22.0.168.192.in-addr.arpa. not found: 3(NXDOMAIN)

Do you have reverse records (PTR) in place? What are the records for zone '0.168.192.in-addr.arpa.'?

> [lessfoobar@mserver001p ~]$ host rserver001p.test.domain.com
> Host rserver001p.test.domain.com not found: 2(SERVFAIL)
> Maybe someone may guess something here, but I don't know why this error is occurring.

Some more information like dns resolution configuration or bind logs might add some light.

Rafael

> I'd be more than appreciative if someone lets me know what I'm doing wrong.
>
> PS something else that I've noticed is that selinux is complaining because of
> ns-slapd
>
> SELinux access control errors
> SELinux is preventing /usr/bin/pk12util from getattr access on the sock_file /run/pcscd/pcscd.comm. 96
> SELinux is preventing /usr/sbin/ns-slapd from getattr access on the directory /var/crash. 8
> SELinux is preventing /usr/sbin/ns-slapd from getattr access on the directory /sys/fs/fuse/connections. 22
> SELinux is preventing /usr/sbin/ns-slapd from getattr access on the directory /sys/kernel/config. 22
> SELinux is preventing /usr/sbin/ns-slapd from getattr access on the directory /boot/efi. 22
> SELinux is preventing /usr/sbin/ns-slapd from getattr access on the directory /sys/fs/pstore. 22
> SELinux is preventing /usr/sbin/ns-slapd from getattr access on the directory /sys/firmware/efi/efivars. 22
> SELinux is preventing /usr/sbin/ns-slapd from getattr access on the directory /sys/fs/bpf. 22
> SELinux is preventing /usr/sbin/ns-slapd from getattr access on the directory /sys/kernel/tracing. 22
> SELinux is preventing /usr/bin/qemu-ga from read access on the directory /var/crash. 18
> _______________________________________________
> FreeIPA-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
> Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue

-- 
Rafael Guterres Jeffman
Senior Software Engineer
FreeIPA - Red Hat
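The forward/reverse consistency check that Rafael's questions point at, written as an added example for this thread (it is not part of the thread and not FreeIPA's own code): it parses record lines in the format `ipa dns-update-system-records` prints above, collects every host that the SRV and `krb5srv` URI records send clients to, and checks each host against forward (A) and reverse (PTR) data so that a target with no A record, an address with no PTR, or a PTR pointing at a different name is flagged before clients run into NXDOMAIN or SERVFAIL. The record lines, the A map and the PTR map below are constructed to mirror the thread (zone `test.domain.com`, addresses 192.168.0.21 and 192.168.0.22 come from it; the other addresses and the missing entries are assumptions); in real use the two maps would be filled from `host` or `dig` lookups against the IPA DNS servers.

```python
import re

# Constructed sample: a subset of the `ipa dns-update-system-records` output
# quoted in the thread, with each wrapped record joined back onto one line.
SYSTEM_RECORDS = """\
_kerberos._tcp.test.domain.com. 3600 IN SRV 0 100 88 mserver001p.test.domain.com.
_kerberos._tcp.test.domain.com. 3600 IN SRV 0 100 88 rserver001p.test.domain.com.
_ldap._tcp.test.domain.com. 3600 IN SRV 0 100 389 rserver002p.test.domain.com.
_kerberos.test.domain.com. 3600 IN URI 0 100 "krb5srv:m:tcp:rserver003p.test.domain.com."
_kerberos.test.domain.com. 3600 IN TXT "TEST.DOMAIN.COM"
ipa-ca.test.domain.com. 3600 IN A 192.168.0.21
"""

# Constructed forward data standing in for `host <name>` answers (assumption).
A_RECORDS = {
    "mserver001p.test.domain.com.": "192.168.0.21",
    "rserver001p.test.domain.com.": "192.168.0.22",
    "rserver002p.test.domain.com.": "192.168.0.23",
    # rserver003p deliberately absent: in the thread its A record sits in
    # another zone, so a lookup in test.domain.com finds nothing.
}

# Constructed reverse data standing in for `host <ip>` answers (assumption).
PTR_RECORDS = {
    "21.0.168.192.in-addr.arpa.": "mserver001p.test.domain.com.",
    # 192.168.0.22 deliberately has no PTR, matching the NXDOMAIN in the thread.
    "23.0.168.192.in-addr.arpa.": "rserver002p.test.domain.com.",
}

# owner TTL IN TYPE rdata  (the shape of each line in the IPA output)
RR_RE = re.compile(r"^(?P<owner>\S+)\s+(?P<ttl>\d+)\s+IN\s+(?P<type>[A-Z]+)\s+(?P<rdata>.+)$")


def parse_records(text):
    """Parse record lines into (owner, ttl, type, rdata) tuples."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = RR_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised record line: {line!r}")
        records.append((m["owner"], int(m["ttl"]), m["type"], m["rdata"]))
    return records


def srv_targets(records):
    """Hostnames that SRV records and krb5srv URI records point clients at."""
    targets = set()
    for _owner, _ttl, rtype, rdata in records:
        if rtype == "SRV":
            targets.add(rdata.split()[-1])          # priority weight port target
        elif rtype == "URI":
            uri = rdata.split()[-1].strip('"')      # priority weight "uri"
            if uri.startswith("krb5srv:"):
                targets.add(uri.split(":")[-1])     # krb5srv:m:<proto>:<host>
    return targets


def reverse_name(ip):
    """192.168.0.22 -> 22.0.168.192.in-addr.arpa."""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa."


def check_consistency(records, a_records, ptr_records):
    """Return one finding per SRV target whose forward or reverse data is missing or mismatched."""
    findings = []
    for host in sorted(srv_targets(records)):
        ip = a_records.get(host)
        if ip is None:
            findings.append(f"{host}: no A record, so clients cannot reach this SRV target")
            continue
        ptr = ptr_records.get(reverse_name(ip))
        if ptr is None:
            findings.append(f"{host}: {ip} has no PTR record ({reverse_name(ip)})")
        elif ptr != host:
            findings.append(f"{host}: PTR for {ip} points at {ptr}, not {host}")
    return findings


if __name__ == "__main__":
    for finding in check_consistency(parse_records(SYSTEM_RECORDS), A_RECORDS, PTR_RECORDS):
        print(finding)
```

With the constructed data the check reports exactly the two gaps the thread shows: `rserver001p` has an address but no PTR, and `rserver003p` has no A record in the zone the SRV records name. Running the same check against each IPA DNS server in turn (rather than one resolver) is what separates a missing record from a server that answers SERVFAIL for the zone.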
