So should the FreeIPA server be authoritative for the Kerb. realm/DNS domain or can it/should it be a slave DNS server instead? Or caching only?
On Sun, Dec 7, 2014 at 9:57 PM, Dmitri Pal <[email protected]> wrote:

> On 12/07/2014 09:51 PM, Matthew Herzog wrote:
>
> What must be done in or on the ipa server with regard to DNS, if anything?
>
> Our DNS works. It works well. We have four Linux DNS servers and two AD domain controllers that also do DNS.
>
> So if we already have DNS working well in our domain, why do we want to manage DNS in IPA?
>
>
> Let us keep the discussion on the list.
> IPA when used with AD trust presents itself as a separate forest. AD thinks that it is working with another AD forest.
> For that to work we need to follow MSFT rules about the relationship between Kerberos realm and DNS domain.
> AD assumes that for every trusted forest Kerberos realm = DNS domain. IPA makes it easy to do because it has integrated tools to manage the IPA DNS domain.
> If you want to manage it yourself through your DNS you can do it, just more manual operations for you.
>
> HTH
>
> Thanks
> Dmitri
>
>
> On Sun, Dec 7, 2014 at 9:44 PM, Dmitri Pal <[email protected]> wrote:
>
>> On 12/07/2014 06:44 PM, Matthew Herzog wrote:
>>
>> Thanks guys. I'm sorry for my delay in responding.
>>
>> Firstly, I was under the impression (from reading the docs) that having named running on the IPA server was critical.
>>
>>
>> Properly configured DNS is critical.
>> How you accomplish it is up to you.
>> IPA allows you to have a DNS server that would simplify DNS management, but it can be done manually too. This is why DNS is optional.
>>
>>
>> Also, the first question the ipa-server-install script asks is, "Do you want to configure integrated DNS (BIND)?" While it's true the default answer is no, it leads one to believe that DNS is central to IPA. Also the ipa-client-install script says,
>>
>> [root@freeipa-poc-client02 ~]# ipa-client-install
>> DNS discovery failed to determine your DNS domain
>> Provide the domain name of your IPA server (ex: example.com):
>>
>> I can resolve -anything- from the machine using dig or whatever.
>>
>> Ultimately, the reason I started to be concerned about my IPA server's DNS config was because I was not able to authenticate AD accounts to a client machine. I saw a bunch of errors in the client's sssd logs which of course I can't find now.
>>
>> Perhaps it was these . . .
>>
>> (Thu Dec 4 13:45:23 2014) [sssd] [ping_check] (0x0100): Service nss replied to ping
>> (Thu Dec 4 13:45:23 2014) [sssd] [ping_check] (0x0100): Service sudo replied to ping
>> (Thu Dec 4 13:45:23 2014) [sssd] [ping_check] (0x0100): Service pam replied to ping
>> (Thu Dec 4 13:45:23 2014) [sssd] [ping_check] (0x0100): Service ssh replied to ping
>> (Thu Dec 4 13:45:23 2014) [sssd] [ping_check] (0x0100): Service pac replied to ping
>> (Thu Dec 4 13:45:23 2014) [sssd] [ping_check] (0x0100): Service bo3.e-bozo.com replied to ping
>>
>> I'm not allowed onto the AD domain controllers to examine log files or I'd be checking those first.
>>
>> So ultimately the goal is to authenticate AD users and users that exist in our ldap schema. We need to set up groups of users that can run sudo commands on specific groups of hosts.
>>
>>
>> Did you set up trusts as explained on the following page?
>> http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup
>>
>>
>> On Wed, Dec 3, 2014 at 3:46 AM, Petr Spacek <[email protected]> wrote:
>>
>>> On 3.12.2014 04:35, Dmitri Pal wrote:
>>> > On 12/02/2014 08:54 PM, Matthew Herzog wrote:
>>> >> Any other ideas? I just spun up a new VM and took the defaults on everything while running ipa-server-install (the defaults did make sense) and my new VM can't resolve -anything- in the domain in which it lives. The "old" VM (running the same versions of everything on the same OS) can't even resolve the clients I have registered with it!
>>> >>
>>> >> So I'm pretty frustrated and am wondering, what _exactly_ is the role of bind in the IPA server and how is it expected to know anything about the local DNS domain without becoming a bind slave server?
>>> >
>>> > I am not sure I am 100% with you but...
>>> > If you use the defaults and nothing else you get to the scenario when IPA has its DNS but it is a self-contained environment. It seems that this is what you observe.
>>> > It is expected that you decide in advance what you want to do with DNS. There are several options:
>>> > 1) You can delegate a zone to IPA to manage, then you need to connect your IPA DNS to your existing DNS during install or after.
>>> > In this case the systems joined to IPA will be a part of the IPA domain/zone and would also be able to resolve other systems around
>>> > 2) Not use IPA DNS if you do not want to take advantage of it
>>> > 3) Have a self-contained demo/lab environment that you currently observe.
>>> >
>>> > What is the intent?
>>>
>>> I agree with Dmitri, we need more information from you:
>>> - You said "my new VM can't resolve -anything- in the domain in which it lives." - Which domain do you mean?
>>>
>>> - Apparently you have configured FreeIPA to serve zone e-bozo.com. Do you have this zone configured on some other DNS server at the same time?
>>>
>>> Please keep in mind that authoritative servers should share the database. You will get naming collisions if e-bozo.com is served by FreeIPA DNS servers and some other servers at the same time. Maybe that is the problem you see right now.
>>>
>>> As Dmitri said, the architecturally correct solution is to decide if you want to use FreeIPA DNS or not. You have the option to either remove non-FreeIPA DNS servers and import data to FreeIPA, or to add FreeIPA-specific DNS records to existing DNS servers and not configure FreeIPA to act as a DNS server.
>>>
>>> Petr^2 Spacek
>>>
>>> >> Thanks.
>>> >>
>>> >> On Tue, Dec 2, 2014 at 11:58 AM, Petr Spacek <[email protected]> wrote:
>>> >>
>>> >>     On 2.12.2014 17:36, Martin Basti wrote:
>>> >>     > On 02/12/14 17:28, Matthew Herzog wrote:
>>> >>     >> I just realized that my IPA servers cannot resolve ANY servers in my domain.
>>> >>     >> What do I need to do to fix this? Below is my named.conf.
>>> >>     >>
>>> >>     >> options {
>>> >>     >>     // turns on IPv6 for port 53, IPv4 is on by default for all ifaces
>>> >>     >>     listen-on-v6 {any;};
>>> >>     >>
>>> >>     >>     // Put files that named is allowed to write in the data/ directory:
>>> >>     >>     directory "/var/named"; // the default
>>> >>     >>     dump-file "data/cache_dump.db";
>>> >>     >>     statistics-file "data/named_stats.txt";
>>> >>     >>     memstatistics-file "data/named_mem_stats.txt";
>>> >>     >>
>>> >>     >>     forward first;
>>> >>     >>     forwarders {
>>> >>     >>         10.100.8.41;
>>> >>     >>         10.100.8.40;
>>> >>     >>         10.100.4.13;
>>> >>     >>         10.100.4.14;
>>> >>     >>         10.100.4.19;
>>> >>     >>         10.100.4.44;
>>> >>     >>     };
>>> >>     >>
>>> >>     >>     // Any host is permitted to issue recursive queries
>>> >>     >>     allow-recursion { any; };
>>> >>     >>
>>> >>     >>     tkey-gssapi-keytab "/etc/named.keytab";
>>> >>     >>     pid-file "/run/named/named.pid";
>>> >>     >> };
>>> >>     >>
>>> >>     >> /* If you want to enable debugging, eg. using the 'rndc trace' command,
>>> >>     >>  * By default, SELinux policy does not allow named to modify the /var/named directory,
>>> >>     >>  * so put the default debug log file in data/ :
>>> >>     >>  */
>>> >>     >> logging {
>>> >>     >>     channel default_debug {
>>> >>     >>         file "data/named.run";
>>> >>     >>         severity dynamic;
>>> >>     >>         print-time yes;
>>> >>     >>     };
>>> >>     >> };
>>> >>     >>
>>> >>     >> zone "." IN {
>>> >>     >>     type hint;
>>> >>     >>     file "named.ca";
>>> >>     >> };
>>> >>     >>
>>> >>     >> include "/etc/named.rfc1912.zones";
>>> >>     >>
>>> >>     >> dynamic-db "ipa" {
>>> >>     >>     library "ldap.so";
>>> >>     >>     arg "uri ldapi://%2fvar%2frun%2fslapd-BO3-E-BOZO-COM.socket";
>>> >>     >>     arg "base cn=dns, dc=bo3,dc=e-bozo,dc=com";
>>> >>     >>     arg "fake_mname freeipa-poc01.bo3.e-bozo.com.";
>>> >>     >>     arg "auth_method sasl";
>>> >>     >>     arg "sasl_mech GSSAPI";
>>> >>     >>     arg "sasl_user DNS/freeipa-poc01.bo3.e-bozo.com";
>>> >>     >>     arg "serial_autoincrement yes";
>>> >>     >> };
>>> >>     >>
>>> >>     > Hello,
>>> >>     >
>>> >>     > which version of ipa do you use? which platform? Which version of bind-dyndb-ldap?
>>> >>     >
>>> >>     > Can you run these commands, and check if there are any errors?
>>> >>     > ipactl status
>>> >>     > systemctl status named (respectively journalctl -u named)
>>> >>
>>> >>     We also may want to see information listed on page
>>> >>     https://fedorahosted.org/bind-dyndb-ldap/wiki/BugReporting
>>>
>>> --
>>> Manage your subscription for the Freeipa-users mailing list:
>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>> Go To http://freeipa.org for more info on the project
>>
>>
>> --
>> If life gives you melons, you may be dyslexic.
>>
>>
>> --
>> Thank you,
>> Dmitri Pal
>>
>> Sr. Engineering Manager IdM portfolio
>> Red Hat, Inc.
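As an added example (not from the thread and not FreeIPA's own code), the script below makes Petr's second option concrete: it emits the FreeIPA service-discovery records an existing authoritative DNS server must carry when FreeIPA is not running BIND, and enforces Dmitri's AD-trust rule that the Kerberos realm equals the DNS domain. The record set is an assumption based on what ipa-server-install publishes; the domain and server name come from the named.conf in the thread, and the realm BO3.E-BOZO.COM is inferred from the ldapi socket name there.

```python
"""Zone-file lines an external DNS must carry so ipa-client-install's DNS
discovery (SRV _ldap._tcp and TXT _kerberos) and Kerberos clients can find
FreeIPA without FreeIPA serving the zone. Added example, not FreeIPA code."""

# (service, protocol, port) triples FreeIPA publishes for its servers.
# Assumption: this is the baseline set; AD-trust _msdcs records are omitted.
SRV_SERVICES = [
    ("_ldap", "_tcp", 389),
    ("_kerberos", "_tcp", 88),
    ("_kerberos", "_udp", 88),
    ("_kerberos-master", "_tcp", 88),
    ("_kerberos-master", "_udp", 88),
    ("_kpasswd", "_tcp", 464),
    ("_kpasswd", "_udp", 464),
]


def realm_matches_domain(realm: str, domain: str) -> bool:
    """AD expects a trusted forest to satisfy realm == DNS domain (case-insensitive)."""
    return realm.rstrip(".").upper() == domain.rstrip(".").upper()


def ipa_zone_records(domain: str, realm: str, servers: list[str]) -> list[str]:
    """Return zone-file lines (names relative to the zone origin `domain`)
    to add to the existing authoritative servers for that zone."""
    if not realm_matches_domain(realm, domain):
        raise ValueError(f"realm {realm!r} must equal DNS domain {domain!r} for AD trust")
    # The _kerberos TXT record is what discovery uses to learn the realm name.
    lines = [f'_kerberos\tIN\tTXT\t"{realm.upper()}"']
    for svc, proto, port in SRV_SERVICES:
        for host in servers:
            fqdn = host if host.endswith(".") else f"{host}."  # absolute target
            lines.append(f"{svc}.{proto}\tIN\tSRV\t0 100 {port} {fqdn}")
    return lines


if __name__ == "__main__":
    # Values taken from the thread; the realm is inferred, not stated there.
    for line in ipa_zone_records("bo3.e-bozo.com", "BO3.E-BOZO.COM",
                                 ["freeipa-poc01.bo3.e-bozo.com"]):
        print(line)
```

Paste the output into the bo3.e-bozo.com zone on the existing servers (or its equivalent in the AD DNS console), then re-run ipa-client-install; the "DNS discovery failed" prompt should no longer appear.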
