Also, I just realized the AD I'm trying to connect to is of type Windows 2000. Yay!
On Mon, Dec 8, 2014 at 5:54 PM, Matthew Herzog <[email protected]> wrote:
> OK, I deserve a slap. I had forgotten to set up the two-way trust again since the ipa-server-install --uninstall && reinstall. That's back in place.
>
> So I found Sumit Bose's https://www.youtube.com/watch?v=infot4cmZgM and realized I could not add groups to any new, external user group using the ipa server's web interface.
>
> Error in the GUI is, E-BOZO.COM\Domain Users: invalid 'truster domain object': no trusted domain matched the specified flat name.
>
> On Mon, Dec 8, 2014 at 2:49 PM, Matthew Herzog <[email protected]> wrote:
>> sssd_<hostname>.log
>> (Mon Dec 8 14:46:54 2014) [sssd[be[bo3.e-bozo.com]]] [sysdb_search_groups] (0x2000): No such entry
>> (Mon Dec 8 14:46:54 2014) [sssd[be[bo3.e-bozo.com]]] [sysdb_delete_user] (0x0400): Error: 2 (No such file or directory)
>> (Mon Dec 8 14:46:54 2014) [sssd[be[bo3.e-bozo.com]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success
>> (Mon Dec 8 14:46:54 2014) [sssd[be[bo3.e-bozo.com]]] [sdap_process_result] (0x2000): Trace: sh[0x17b0030], connected[1], ops[(nil)], ldap[0x17ab240]
>> (Mon Dec 8 14:46:54 2014) [sssd[be[bo3.e-bozo.com]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
>> (Mon Dec 8 14:46:57 2014) [sssd[be[bo3.e-bozo.com]]] [sbus_dispatch] (0x4000): dbus conn: 0x178eb70
>> (Mon Dec 8 14:46:57 2014) [sssd[be[bo3.e-bozo.com]]] [sbus_dispatch] (0x4000): Dispatching.
>>
>> On Mon, Dec 8, 2014 at 2:32 PM, Matthew Herzog <[email protected]> wrote:
>>> ipa-client-3.0.0-42.el6.x86_64 on OEL 6.5 (server has 3.3.3 IPA)
>>>
>>> On Mon, Dec 8, 2014 at 2:26 PM, Dmitri Pal <[email protected]> wrote:
>>>> On 12/08/2014 02:10 PM, Matthew Herzog wrote:
>>>>
>>>> Here are some errors I'm seeing on the client.
>>>> tail -f sssd_lnx.e-bozo.com.log
>>>> (Mon Dec 8 14:03:20 2014) [sssd[be[lnx.e-bozo.com]]] [sbus_dispatch] (0x4000): dbus conn: 0x1e72ad0
>>>> (Mon Dec 8 14:03:20 2014) [sssd[be[lnx.e-bozo.com]]] [sbus_dispatch] (0x4000): Dispatching.
>>>> (Mon Dec 8 14:03:20 2014) [sssd[be[lnx.e-bozo.com]]] [sbus_message_handler] (0x4000): Received SBUS method [ping]
>>>> (Mon Dec 8 14:03:20 2014) [sssd[be[lnx.e-bozo.com]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
>>>> (Mon Dec 8 14:03:20 2014) [sssd[be[lnx.e-bozo.com]]] [sbus_handler_got_caller_id] (0x4000): Received SBUS method [ping]
>>>> (Mon Dec 8 14:03:30 2014) [sssd[be[lnx.e-bozo.com]]] [sbus_dispatch] (0x4000): dbus conn: 0x1e72ad0
>>>> (Mon Dec 8 14:03:30 2014) [sssd[be[lnx.e-bozo.com]]] [sbus_dispatch] (0x4000): Dispatching.
>>>> (Mon Dec 8 14:03:30 2014) [sssd[be[lnx.e-bozo.com]]] [sbus_message_handler] (0x4000): Received SBUS method [ping]
>>>> (Mon Dec 8 14:03:30 2014) [sssd[be[lnx.e-bozo.com]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
>>>> (Mon Dec 8 14:03:30 2014) [sssd[be[lnx.e-bozo.com]]] [sbus_handler_got_caller_id] (0x4000): Received SBUS method [ping]
>>>> (Mon Dec 8 14:03:40 2014) [sssd[be[lnx.e-bozo.com]]] [sbus_dispatch] (0x4000): dbus conn: 0x1e72ad0
>>>> (Mon Dec 8 14:03:40 2014) [sssd[be[lnx.e-bozo.com]]] [sbus_dispatch] (0x4000): Dispatching.
>>>>
>>>> [root@freeipa-poc-client02 sssd]# tail -f sssd_ssh.log
>>>> (Sun Dec 7 19:32:09 2014) [sssd[ssh]] [ssh_process_init] (0x0010): sss_process_init() failed
>>>> (Sun Dec 7 19:32:09 2014) [sssd[ssh]] [sss_dp_init] (0x0010): Failed to connect to monitor services.
>>>> (Sun Dec 7 19:32:09 2014) [sssd[ssh]] [sss_process_init] (0x0010): fatal error setting up backend connector
>>>> (Sun Dec 7 19:32:09 2014) [sssd[ssh]] [ssh_process_init] (0x0010): sss_process_init() failed
>>>> (Sun Dec 7 19:32:16 2014) [sssd[ssh]] [sss_dp_init] (0x0010): Failed to connect to monitor services.
>>>> (Sun Dec 7 19:32:16 2014) [sssd[ssh]] [sss_process_init] (0x0010): fatal error setting up backend connector
>>>> (Sun Dec 7 19:32:16 2014) [sssd[ssh]] [ssh_process_init] (0x0010): sss_process_init() failed
>>>> (Sun Dec 7 19:32:16 2014) [sssd[ssh]] [sss_dp_init] (0x0010): Failed to connect to monitor services.
>>>> (Sun Dec 7 19:32:16 2014) [sssd[ssh]] [sss_process_init] (0x0010): fatal error setting up backend connector
>>>> (Sun Dec 7 19:32:16 2014) [sssd[ssh]] [ssh_process_init] (0x0010): sss_process_init() failed
>>>>
>>>> What is the version of the client?
>>>> Please add debug_level=9 to sssd.conf in different sections to raise the verbosity of the log and see what is really going on there.
>>>> https://fedorahosted.org/sssd/wiki/FAQ#BasicsofTroubleshooting
>>>>
>>>> On Mon, Dec 8, 2014 at 11:48 AM, Matthew Herzog <[email protected]> wrote:
>>>>> I have never seen my IPA servers produce a zone file nor has the install script ever mentioned the creation of such. In fact, I just ran ipa-server-install --uninstall && ipa-server-install and there was no mention of a zone file.
>>>>>
>>>>> Where should I look in the file system to be sure? I see nothing in /var/named. I'm using 3.3.3 IPA on Oracle Linux from Oracle's yum repo. (Not my choice.)
>>>>>
>>>>> dsee7 is *not* running Kerberos. dsee7 is *not* configured with SRV records. I guess I'll need to add SRV records for all my Linux hosts.
>>>>>
>>>>> On Mon, Dec 8, 2014 at 10:41 AM, Petr Spacek <[email protected]> wrote:
>>>>>> On 8.12.2014 14:44, Matthew Herzog wrote:
>>>>>> > Petr said, "You can run ipa-server-install *without* --setup-dns option and at the end of installation it will produce DNS records which you have to manually add to your existing DNS database."
>>>>>> >
>>>>>> > I can't see how this would be useful or which machines I would need to add to our DNS.
>>>>>> >
>>>>>> > Perhaps I should have explained that we are not going to set up a new DNS domain for the ipa-managed servers.
>>>>>> Good.
>>>>>>
>>>>>> Now you should run ipa-server-install *without* --setup-dns, using lnx.e-bozo.com as your IPA domain. It will install full IPA server and spit out DNS zone file.
>>>>>>
>>>>>> Then you *have to* take this zone file and import it to your existing DNS infrastructure - that will give you fully functional IPA domain lnx.e-bozo.com.
>>>>>>
>>>>>> Caveat:
>>>>>> Preceding text assumes that 'dsee7' is not using either Kerberos or DNS SRV records for LDAP service in domain lnx.e-bozo.com, i.e. clients connecting to DSEE7 should be (most likely) statically configured with DSEE7 server name.
>>>>>>
>>>>>> Petr^2 Spacek
>>>>>>
>>>>>> > We have an Oracle dsee7 server doing LDAP for our Linux servers and accounts. We want to migrate to IPA so we don't have to maintain a Linux/LDAP account for every user who needs access to Linux servers. All of our users start with an account in AD and since none of my predecessors knew about Winbind, they set up dsee7.
>>>>>> >
>>>>>> > So I'm thinking we'll need to import all our dsee7 accounts AND make it possible for AD users to access the Linux systems without needing to create them in IPA.
>>>>>> >
>>>>>> > On Mon, Dec 8, 2014 at 2:56 AM, Petr Spacek <[email protected]> wrote:
>>>>>> >
>>>>>> >> On 8.12.2014 05:02, Dmitri Pal wrote:
>>>>>> >>> On 12/07/2014 10:10 PM, Matthew Herzog wrote:
>>>>>> >>>> So should the FreeIPA server be authoritative for the Kerb. realm/DNS domain or can it/should it be a slave DNS server instead? Or caching only?
>>>>>> >>>
>>>>>> >>> IPA DNS can't be a slave so you either delegate a whole zone to it or manage IPA DNS domain via your own DNS server.
>>>>>> >>
>>>>>> >> Generally, "slave" is not allowed to do any changes so it is useless in your scenario.
>>>>>> >>
>>>>>> >> You can run ipa-server-install *without* --setup-dns option and at the end of installation it will produce DNS records which you have to manually add to your existing DNS database.
>>>>>> >>
>>>>>> >> Did you try that?
>>>>>> >>
>>>>>> >> Petr^2 Spacek
>>>>>> >>
>>>>>> >>>> On Sun, Dec 7, 2014 at 9:57 PM, Dmitri Pal <[email protected]> wrote:
>>>>>> >>>>
>>>>>> >>>> On 12/07/2014 09:51 PM, Matthew Herzog wrote:
>>>>>> >>>>> What must be done in or on the ipa server with regard to DNS, if anything?
>>>>>> >>>>>
>>>>>> >>>>> Our DNS works. It works well. We have four Linux DNS servers and two AD domain controllers that also do DNS.
>>>>>> >>>>>
>>>>>> >>>>> So if we already have DNS working well in our domain, why do we want to manage DNS in IPA?
>>>>>> >>>>
>>>>>> >>>> Let us keep the discussion on the list.
>>>>>> >>>> IPA when used with AD trust presents itself as a separate forest.
>>>>>> >>>> AD thinks that it is working with another AD forest.
>>>>>> >>>> For that to work we need to follow MSFT rules about relationship between Kerberos realm and DNS domain.
>>>>>> >>>> AD assumes that for every trusted forest Kerberos realm = DNS domain. IPA makes it easy to do because it has integrated tools to manage IPA DNS domain.
>>>>>> >>>> If you want to manage it yourself through your DNS you can do it, just more manual operations for you.
>>>>>> >>>>
>>>>>> >>>> HTH
>>>>>> >>>>
>>>>>> >>>> Thanks
>>>>>> >>>> Dmitri
>>>>>> >>>>
>>>>>> >>>>> On Sun, Dec 7, 2014 at 9:44 PM, Dmitri Pal <[email protected]> wrote:
>>>>>> >>>>>
>>>>>> >>>>> On 12/07/2014 06:44 PM, Matthew Herzog wrote:
>>>>>> >>>>>> Thanks guys. I'm sorry for my delay in responding.
>>>>>> >>>>>>
>>>>>> >>>>>> Firstly, I was under the impression (from reading the docs) that having named running on IPA server was critical.
>>>>>> >>>>>
>>>>>> >>>>> Properly configured DNS is critical.
>>>>>> >>>>> How you accomplish it is up to you.
>>>>>> >>>>> IPA allows you to have a DNS server that would simplify DNS management but it can be done manually too. This is why DNS is optional.
>>>>>> >>>>>
>>>>>> >>>>>> Also, the first question the ipa-server-install script asks is, "Do you want to configure integrated DNS (BIND)?" While it's true the default answer is no, it leads one to believe that DNS is central to IPA.
>>>>>> >>>>>> Also the ipa-client-install script says,
>>>>>> >>>>>>
>>>>>> >>>>>> [root@freeipa-poc-client02 ~]# ipa-client-install
>>>>>> >>>>>> DNS discovery failed to determine your DNS domain
>>>>>> >>>>>> Provide the domain name of your IPA server (ex: example.com):
>>>>>> >>>>>>
>>>>>> >>>>>> I can resolve -anything- from the machine using dig or whatever.
>>>>>> >>>>>>
>>>>>> >>>>>> Ultimately, the reason I started to be concerned about my IPA server's DNS config was because I was not able to authenticate AD accounts to a client machine. I saw a bunch of errors in the client's sssd logs which of course I can't find now.
>>>>>> >>>>>>
>>>>>> >>>>>> Perhaps it was these . . .
>>>>>> >>>>>>
>>>>>> >>>>>> (Thu Dec 4 13:45:23 2014) [sssd] [ping_check] (0x0100): Service nss replied to ping
>>>>>> >>>>>> (Thu Dec 4 13:45:23 2014) [sssd] [ping_check] (0x0100): Service sudo replied to ping
>>>>>> >>>>>> (Thu Dec 4 13:45:23 2014) [sssd] [ping_check] (0x0100): Service pam replied to ping
>>>>>> >>>>>> (Thu Dec 4 13:45:23 2014) [sssd] [ping_check] (0x0100): Service ssh replied to ping
>>>>>> >>>>>> (Thu Dec 4 13:45:23 2014) [sssd] [ping_check] (0x0100): Service pac replied to ping
>>>>>> >>>>>> (Thu Dec 4 13:45:23 2014) [sssd] [ping_check] (0x0100): Service bo3.e-bozo.com replied to ping
>>>>>> >>>>>>
>>>>>> >>>>>> I'm not allowed onto the AD domain controllers to examine log files or I'd be checking those first.
>>>>>> >>>>>>
>>>>>> >>>>>> So ultimately the goal is to authenticate AD users and users that exist in our ldap schema.
>>>>>> >>>>>> We need to set up groups of users that can run sudo commands on specific groups of hosts.
>>>>>> >>>>>
>>>>>> >>>>> Did you setup trusts as explained on the following page?
>>>>>> >>>>> http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup
>>>>>> >>>>>
>>>>>> >>>>>> On Wed, Dec 3, 2014 at 3:46 AM, Petr Spacek <[email protected]> wrote:
>>>>>> >>>>>>
>>>>>> >>>>>> On 3.12.2014 04:35, Dmitri Pal wrote:
>>>>>> >>>>>> > On 12/02/2014 08:54 PM, Matthew Herzog wrote:
>>>>>> >>>>>> >> Any other ideas? I just spun up a new VM and took the defaults on everything while running ipa-server-install (the defaults did make sense) and my new VM can't resolve -anything- in the domain in which it lives. The "old" VM (running the same versions of everything on the same OS) can't even resolve the clients I have registered with it!
>>>>>> >>>>>> >>
>>>>>> >>>>>> >> So I'm pretty frustrated and am wondering, what _exactly_ is the role of bind in the IPA server and how is it expected to know anything about the local DNS domain without becoming a bind slave server?
>>>>>> >>>>>> >
>>>>>> >>>>>> > I am not sure I am 100% with you but...
>>>>>> >>>>>> > If you use the defaults and nothing else you get to the scenario when IPA has its DNS but it is a self contained environment. It seems that this is what you observe.
>>>>>> >>>>>> > It is expected that you decide in advance what you want to do with DNS.
>>>>>> >>>>>> > There are several options:
>>>>>> >>>>>> > 1) You can delegate a zone to IPA to manage, then you need to connect your IPA DNS to your existing DNS during install or after.
>>>>>> >>>>>> > In this case the systems joined to IPA will be a part of IPA domain/zone and would also be able to resolve other systems around
>>>>>> >>>>>> > 2) Not use IPA DNS if you do not want to take advantage of it
>>>>>> >>>>>> > 3) Have a self contained demo/lab environment that you currently observe.
>>>>>> >>>>>> >
>>>>>> >>>>>> > What is the intent?
>>>>>> >>>>>>
>>>>>> >>>>>> I agree with Dmitri, we need more information from you:
>>>>>> >>>>>> - You said "my new VM can't resolve -anything- in the domain in which it lives." - Which domain do you mean?
>>>>>> >>>>>>
>>>>>> >>>>>> - Apparently you have configured FreeIPA to serve zone e-bozo.com. Do you have this zone configured on some other DNS server at the same time?
>>>>>> >>>>>>
>>>>>> >>>>>> Please keep in mind that authoritative servers should share the database. You will get naming collisions if e-bozo.com is served by FreeIPA DNS servers and some other servers at the same time. Maybe that is the problem you see right now.
>>>>>> >>>>>>
>>>>>> >>>>>> As Dmitri said, the architecturally correct solution is to decide if you want to use FreeIPA DNS or not. You have option to either remove non-FreeIPA DNS servers and import data to FreeIPA or to add FreeIPA-specific DNS records to existing DNS servers and do not configure FreeIPA to act as DNS server.
>>>>>> >>>>>>
>>>>>> >>>>>> Petr^2 Spacek
>>>>>> >>>>>>
>>>>>> >>>>>> >> Thanks.
>>>>>> >>>>>> >>
>>>>>> >>>>>> >> On Tue, Dec 2, 2014 at 11:58 AM, Petr Spacek <[email protected]> wrote:
>>>>>> >>>>>> >>
>>>>>> >>>>>> >> On 2.12.2014 17:36, Martin Basti wrote:
>>>>>> >>>>>> >> > On 02/12/14 17:28, Matthew Herzog wrote:
>>>>>> >>>>>> >> >> I just realized that my IPA servers cannot resolve ANY servers in my domain.
>>>>>> >>>>>> >> >> What do I need to do to fix this? Below is my named.conf.
>>>>>> >>>>>> >> >>
>>>>>> >>>>>> >> >> options {
>>>>>> >>>>>> >> >> // turns on IPv6 for port 53, IPv4 is on by default for all ifaces
>>>>>> >>>>>> >> >> listen-on-v6 {any;};
>>>>>> >>>>>> >> >>
>>>>>> >>>>>> >> >> // Put files that named is allowed to write in the data/ directory:
>>>>>> >>>>>> >> >> directory "/var/named"; // the default
>>>>>> >>>>>> >> >> dump-file "data/cache_dump.db";
>>>>>> >>>>>> >> >> statistics-file "data/named_stats.txt";
>>>>>> >>>>>> >> >> memstatistics-file "data/named_mem_stats.txt";
>>>>>> >>>>>> >> >>
>>>>>> >>>>>> >> >> forward first;
>>>>>> >>>>>> >> >> forwarders {
>>>>>> >>>>>> >> >> 10.100.8.41;
>>>>>> >>>>>> >> >> 10.100.8.40;
>>>>>> >>>>>> >> >> 10.100.4.13;
>>>>>> >>>>>> >> >> 10.100.4.14;
>>>>>> >>>>>> >> >> 10.100.4.19;
>>>>>> >>>>>> >> >> 10.100.4.44;
>>>>>> >>>>>> >> >> };
>>>>>> >>>>>> >> >>
>>>>>> >>>>>> >> >> // Any host is permitted to issue recursive queries
>>>>>> >>>>>> >> >> allow-recursion { any; };
>>>>>> >>>>>> >> >>
>>>>>> >>>>>> >> >> tkey-gssapi-keytab "/etc/named.keytab";
>>>>>> >>>>>> >> >> pid-file "/run/named/named.pid";
>>>>>> >>>>>> >> >> };
>>>>>> >>>>>> >> >>
>>>>>> >>>>>> >> >> /* If you want to enable debugging, eg. using the 'rndc trace' command,
>>>>>> >>>>>> >> >> * By default, SELinux policy does not allow named to modify the /var/named directory,
>>>>>> >>>>>> >> >> * so put the default debug log file in data/ :
>>>>>> >>>>>> >> >> */
>>>>>> >>>>>> >> >> logging {
>>>>>> >>>>>> >> >> channel default_debug {
>>>>>> >>>>>> >> >> file "data/named.run";
>>>>>> >>>>>> >> >> severity dynamic;
>>>>>> >>>>>> >> >> print-time yes;
>>>>>> >>>>>> >> >> };
>>>>>> >>>>>> >> >> };
>>>>>> >>>>>> >> >> };
>>>>>> >>>>>> >> >>
>>>>>> >>>>>> >> >> zone "." IN {
>>>>>> >>>>>> >> >> type hint;
>>>>>> >>>>>> >> >> file "named.ca";
>>>>>> >>>>>> >> >> };
>>>>>> >>>>>> >> >>
>>>>>> >>>>>> >> >> include "/etc/named.rfc1912.zones";
>>>>>> >>>>>> >> >>
>>>>>> >>>>>> >> >> dynamic-db "ipa" {
>>>>>> >>>>>> >> >> library "ldap.so";
>>>>>> >>>>>> >> >> arg "uri ldapi://%2fvar%2frun%2fslapd-BO3-E-BOZO-COM.socket";
>>>>>> >>>>>> >> >> arg "base cn=dns, dc=bo3,dc=e-bozo,dc=com";
>>>>>> >>>>>> >> >> arg "fake_mname freeipa-poc01.bo3.e-bozo.com.";
>>>>>> >>>>>> >> >> arg "auth_method sasl";
>>>>>> >>>>>> >> >> arg "sasl_mech GSSAPI";
>>>>>> >>>>>> >> >> arg "sasl_user DNS/freeipa-poc01.bo3.e-bozo.com";
>>>>>> >>>>>> >> >> arg "serial_autoincrement yes";
>>>>>> >>>>>> >> >> };
>>>>>> >>>>>> >> >>
>>>>>> >>>>>> >> > Hello,
>>>>>> >>>>>> >> >
>>>>>> >>>>>> >> > which version ipa do you use?
>>>>>> >>>>>> >> > which platform? Which version bind-dyndb-ldap?
>>>>>> >>>>>> >> >
>>>>>> >>>>>> >> > Can you run these commands, and check if there are any errors?
>>>>>> >>>>>> >> > ipactl status
>>>>>> >>>>>> >> > systemctl status named (respectively journalctl -u named)
>>>>>> >>>>>> >>
>>>>>> >>>>>> >> We also may want to see information listed on page
>>>>>> >>>>>> >> https://fedorahosted.org/bind-dyndb-ldap/wiki/BugReporting
>>>>>> >>>>>>
>>>>>> >>>>>> --
>>>>>> >>>>>> Petr^2 Spacek
>>>>>
>>>>> --
>>>>> If life gives you melons, you may be dyslexic.
>>>>
>>>> --
>>>> Thank you,
>>>> Dmitri Pal
>>>>
>>>> Sr. Engineering Manager IdM portfolio
>>>> Red Hat, Inc.
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go To http://freeipa.org for more info on the project
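Added example, not part of the thread and not FreeIPA code. Petr's recipe (ipa-server-install without --setup-dns, then import the printed records into the existing DNS) and Matthew's "DNS discovery failed to determine your DNS domain" both turn on the same thing: the SRV records for LDAP and Kerberos, plus the _kerberos TXT record naming the realm, have to exist under the IPA domain on whatever DNS server is authoritative for it, and (per Dmitri's point about the AD trust) the realm has to be the DNS domain upper-cased. The script below parses a small zone snippet and audits it for exactly that set, and it also catches the classic paste mistake where an SRV target is written without the trailing dot, so BIND silently appends the origin and the record points at a host that does not exist. The sample records are constructed for this example: the host freeipa-poc01 and the domain lnx.e-bozo.com come from the thread, but the record set, ports and zone layout are assumptions about the general shape of the installer's output, so compare them against what your own ipa-server-install prints.

```python
"""Audit a zone snippet for the SRV/TXT records an IPA domain needs when the
zone lives on an existing, non-IPA DNS server (constructed example)."""
from typing import Dict, List, NamedTuple, Tuple


class Record(NamedTuple):
    owner: str        # absolute owner name, with trailing dot
    rtype: str        # e.g. "SRV", "TXT"
    rdata: List[str]  # whitespace-split rdata fields


# SRV names a client's DNS discovery and Kerberos use under the IPA domain,
# and the port each is expected to advertise (assumed standard ports).
REQUIRED_SRV: Dict[str, int] = {
    "_ldap._tcp": 389,
    "_kerberos._tcp": 88,
    "_kerberos._udp": 88,
    "_kpasswd._tcp": 464,
    "_kpasswd._udp": 464,
}


def _absolute(name: str, origin: str) -> str:
    """Qualify a name the way BIND does: '@' is the origin, and a name
    without a trailing dot gets the current origin appended."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text: str, origin: str) -> List[Record]:
    """Minimal zone-file parser: $ORIGIN, ';' comments, blank lines and one
    record per line as  owner [TTL] [IN] TYPE rdata...  (no parentheses,
    no TXT strings containing ';')."""
    origin = origin if origin.endswith(".") else origin + "."
    records: List[Record] = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if fields[0].upper() == "$ORIGIN":
            origin = _absolute(fields[1], origin)
            continue
        owner = _absolute(fields.pop(0), origin)
        if fields and fields[0].isdigit():        # optional TTL
            fields.pop(0)
        if fields and fields[0].upper() == "IN":  # optional class
            fields.pop(0)
        if len(fields) < 2:                       # not a usable record line
            continue
        records.append(Record(owner, fields.pop(0).upper(), fields))
    return records


def check_ipa_records(records: List[Record], domain: str) -> List[str]:
    """Return the problems found; an empty list means the zone carries what a
    client needs to discover the IPA domain and its Kerberos realm."""
    origin = domain.rstrip(".") + "."
    problems: List[str] = []
    index: Dict[Tuple[str, str], List[Record]] = {}
    for rec in records:
        index.setdefault((rec.owner.lower(), rec.rtype), []).append(rec)

    # The _kerberos TXT names the realm; with an AD trust it must equal the
    # upper-cased DNS domain (Kerberos realm = DNS domain).
    expected_realm = domain.rstrip(".").upper()
    txt = index.get((f"_kerberos.{origin}".lower(), "TXT"), [])
    if not txt:
        problems.append(f"missing _kerberos TXT record for {origin}")
    else:
        realm = " ".join(txt[0].rdata).strip('"')
        if realm != expected_realm:
            problems.append(f"_kerberos TXT is {realm!r}, expected {expected_realm!r}")

    for prefix, port in REQUIRED_SRV.items():
        name = f"{prefix}.{origin}".lower()
        srvs = index.get((name, "SRV"), [])
        if not srvs:
            problems.append(f"missing SRV record {name}")
            continue
        for srv in srvs:
            if len(srv.rdata) != 4:
                problems.append(f"malformed SRV rdata for {name}: {' '.join(srv.rdata)}")
                continue
            _prio, _weight, srv_port, target = srv.rdata
            if srv_port != str(port):
                problems.append(f"{name} advertises port {srv_port}, expected {port}")
            if not target.endswith("."):
                # BIND appends the origin to a relative target, so a pasted
                # host.lnx.e-bozo.com becomes host.lnx.e-bozo.com.lnx.e-bozo.com.
                problems.append(f"{name} target {target!r} lacks a trailing dot")
    return problems


def audit_zone(text: str, domain: str) -> List[str]:
    """Parse a zone snippet and check it for the IPA domain's records."""
    return check_ipa_records(parse_zone(text, domain), domain)


# Constructed: a complete record set for the IPA domain lnx.e-bozo.com.
GOOD_ZONE = """\
$ORIGIN lnx.e-bozo.com.
; ldap servers
_ldap._tcp              IN SRV 0 100 389 freeipa-poc01.lnx.e-bozo.com.
; kerberos realm
_kerberos               IN TXT "LNX.E-BOZO.COM"
; kerberos servers
_kerberos._tcp          IN SRV 0 100 88  freeipa-poc01.lnx.e-bozo.com.
_kerberos._udp          IN SRV 0 100 88  freeipa-poc01.lnx.e-bozo.com.
_kpasswd._tcp           IN SRV 0 100 464 freeipa-poc01.lnx.e-bozo.com.
_kpasswd._udp           IN SRV 0 100 464 freeipa-poc01.lnx.e-bozo.com.
"""

# Constructed: the same paste with a relative SRV target, the parent domain
# used as the realm, and the UDP records left out.
BAD_ZONE = """\
$ORIGIN lnx.e-bozo.com.
_ldap._tcp      IN SRV 0 100 389 freeipa-poc01.lnx.e-bozo.com
_kerberos       IN TXT "E-BOZO.COM"
_kerberos._tcp  IN SRV 0 100 88  freeipa-poc01.lnx.e-bozo.com.
_kpasswd._tcp   IN SRV 0 100 464 freeipa-poc01.lnx.e-bozo.com.
"""

if __name__ == "__main__":
    for label, zone in (("good", GOOD_ZONE), ("bad", BAD_ZONE)):
        found = audit_zone(zone, "lnx.e-bozo.com")
        print(f"{label}: {'OK' if not found else str(len(found)) + ' problem(s)'}")
        for problem in found:
            print("  -", problem)
```

Run it as-is to see the good snippet pass and the bad one report four problems; to audit a real paste, feed the text of the records the installer printed (or a dig axfr dump of the zone) to audit_zone with your IPA domain. The check deliberately says nothing about where the SRV targets point, only that they are absolute and on the expected ports, since the IPA server's host record may legitimately live in another zone.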
