On 24.11.2016 06:08, TomK wrote:
> On 11/23/2016 3:28 AM, Martin Basti wrote:
>>
>> On 23.11.2016 03:48, TomK wrote:
>>> On 11/22/2016 10:22 AM, Martin Basti wrote:
>>>>
>>>> On 22.11.2016 13:57, TomK wrote:
>>>>> On 11/22/2016 2:59 AM, Martin Basti wrote:
>>>>>> Hey,
>>>>>>
>>>>>> On 22.11.2016 06:33, TomK wrote:
>>>>>>> Hey Guys,
>>>>>>>
>>>>>>> I'm forwarding a domain dom.abc.xyz from a Windows Server 2012 over to
>>>>>>> my dual Free IPA server. The Free IPA servers are authoritative for
>>>>>>> this subdomain. The Windows Server 2012 DNS resolves abc.xyz
>>>>>>> and forwards dom.abc.xyz.
>>>>>>
>>>>>> Have you configured proper zone delegation for subdomain
>>>>>> dom.abc.xyz?
>>>>>> Proper NS and glue records:
>>>>>> http://www.zytrax.com/books/dns/ch9/delegate.html
>>>>>>
>>>>>>> I cannot ping dom.abc.xyz. Everything else, including client
>>>>>>> registrations, works fine. If Free IPA is authoritative on
>>>>>>> dom.abc.xyz, should it not create DNS entries so the sub domain can be
>>>>>>> pinged as well?
>>>>>>
>>>>>> What do you mean by "ping"?
>>>>>>
>>>>>>> /etc/resolv.conf also gets regenerated on reboot on the IPA Servers
>>>>>>> and wanted to ask if you can point me to some materials online to
>>>>>>> determine where I can permanently adjust the search to add dom.abc.xyz
>>>>>>> to the already present abc.xyz. I wasn't able to locate what I
>>>>>>> needed in my searches.
>>>>>>>
>>>>>>> I'm using the latest v4.
>>>>>>
>>>>>> It depends on what you are using, probably you have NetworkManager there
>>>>>> that is editing /etc/resolv.conf
>>>>>>
>>>>>> https://ask.fedoraproject.org/en/question/67752/how-do-i-add-a-search-domain-using-networkmanager/
>>>>>>
>>>>>> Martin
>>>>>
>>>>> I uninstalled NetworkManager. Still changes.
>>>>> ping dom.abc.com results in "ping: unknown host"
>>>>>
>>>>> I'll have a look at the first link, ty.
>>>>
>>>> ping (ICMP protocol) and DNS system are different things, do you have
>>>> hostname dom.abc.com with A record or is it a zone?
>>>>
>>>> with ping command hostname "dom.abc.com" is resolved to IP address
>>>> first, do you have A record set for dom.abc.com in zone apex or what are
>>>> you trying to achieve with ping command?
>>>>
>>>> for testing DNS try to use commands: dig, host, nslookup
>>>>
>>>> Martin
>>>
>>> Apologies for the long reply but it should give some background on
>>> what it is that I'm doing.
>>>
>>> 1) dom.abc.com is a zone. There is no A record for dom.abc.com in
>>> FreeIPA (Confirmed by Petr). I get the point Petr Spacek pointed out
>>> in his comment as well. What should it really point to? (I kind of
>>> answer this question below so please read on.) Where I'm getting
>>> this from is that in Windows Server 2012 abc.com returns the IP of any
>>> of the participating AD / DNS servers within the cluster (The two
>>> Windows Server 2012 are combined clustered AD + DNS servers.).
>>> Being able to resolve abc.xyz is handy. During a lookup, I can get a
>>> list of all the IPs associated with that domain which would indicate
>>> all the DNS + AD servers online under that domain or serving that domain:
>>>
>>> # nslookup abc.xyz
>>> Server:         192.168.0.3
>>> Address:        192.168.0.3#53
>>>
>>> Name:   abc.xyz
>>> Address: 192.168.0.3
>>> Name:   abc.xyz
>>> Address: 192.168.0.1
>>> Name:   abc.xyz
>>> Address: 192.168.0.2
>>> #
>>>
>>> Again, where this is handy is when configuring sssd.conf for example
>>> or other apps for that matter. I can just point the app to
>>> authenticate against the domain and I have my redundancy solved.
>>> Windows Server 2012 does it, but FreeIPA didn't, so I threw the
>>> question out there.
>>
>> IPA uses SRV records heavily, all IPA related services have SRV records,
>> SSSD uses SRV records of IPA, client should use SRV record to connect to
>> the right service (or URI record - will be in next IPA). SRV records
>> work for IPA locations mechanism, we cannot achieve this with pure A
>> records.
>>
>>> Delegation from this Windows DNS works as expected. Any lookup for
>>> dom.abc.xyz is forwarded to and handled by FreeIPA servers. Tested
>>> this out. No issue with this.
>>>
>>> I did see earlier that there is no A record for dom.abc.xyz in
>>> FreeIPA. My reasons for asking if there was an IP on the subdomain in
>>> FreeIPA were above but the missing IP on the subdomain isn't a major
>>> issue for me. Things are working without dom.abc.xyz resolving to an
>>> IP. What I was hoping for is to have a VIP for the IPA servers and
>>> one for the Windows Server 2012 DNS Cluster in /etc/resolv.conf. (I
>>> have the VIP for the Windows server.) One forwarding to the other for
>>> a given domain. This is all for testing a) redundancy, b) forwarding,
>>> c) authentication.
>>>
>>> IE:
>>>
>>> # cat /etc/resolv.conf
>>> search dom.abc.xyz abc.xyz
>>> nameserver 192.168.0.3 <------------ Win Cluster DNS VIP
>>> nameserver 192.168.0.4 <------------ IPA Cluster DNS VIP
>>>
>>> * Just what I want to achieve above. VIP 192.168.0.4 doesn't exist on
>>> my cluster yet. I'm looking to integrate ucarp with the above IPA
>>> servers.
>>>
>>> 2) More to the topic of my second question however, is that
>>> /etc/resolv.conf, on the IPA servers themselves, gets rewritten on
>>> restart. Would like to know by what if I already uninstalled
>>> NetworkManager? When I configured the FreeIPA server, I used:
>>>
>>> ipa-server-install --setup-dns --forwarder=192.168.0.3 -p "Hush!" -a
>>> "Hush!" -r DOM.ABC.XYZ -n dom.abc.xyz --hostname ipa01.dom.abc.xyz
>>>
>>> Notice I used the VIP of the Windows Server 2012 Cluster when
>>> installing FreeIPA.
>>> This is nice for redundancy. So the resolv.conf
>>> ends up being:
>>>
>>> # cat /etc/resolv.conf
>>> # Generated by NetworkManager
>>> search abc.xyz
>>> nameserver 192.168.0.3
>>> nameserver 123.123.123.1
>>> nameserver 123.123.123.2
>>>
>>> Then I add:
>>>
>>> search dom.abc.xyz abc.xyz
>>>
>>> but it changes back to search abc.xyz (the Windows Server 2012 DNS).
>>> This all works, except for the above minor items, and I can resolve
>>> anything over this network. (Thinking this is fine because the
>>> forward is on the subdomain. I haven't had issues with forwarding
>>> through this setup.)
>>>
>>> # cat /etc/resolv.conf
>>> # Generated by NetworkManager
>>> search abc.xyz
>>> nameserver 192.168.0.3
>>> nameserver 123.123.123.1
>>> nameserver 123.123.123.2
>>>
>>> But NetworkManager is not installed on these IPA servers. I've
>>> removed it earlier:
>>>
>>> # rpm -aq|grep -i NetworkManager
>>> #
>>>
>>> Is FreeIPA replacing /etc/resolv.conf with a copy it keeps elsewhere?
>>
>> On servers with DNS /etc/resolv.conf should point to 127.0.0.1 and ::1,
>> and global or per server DNS forwarders should be configured instead
>>
>> Have you properly stopped NetworkManager using systemctl stop and
>> systemctl disable? In case you just removed rpm files service can still
>> work.
>> I recommend to update network manager config, not to remove it :)
>>
>> As last resort way, you can set immutable bit to resolv.conf if
>> something is still changing your resolv.conf file
>>
>>> 3) After running:
>>>
>>> ipa-client-install --mkhomedir --enable-dns-updates
>>>
>>> on a new host, the hostname of the new host doesn't resolve for a few
>>> minutes. How do I make this instantaneous? (Other than that,
>>> autodiscovery of the IPA servers is excellent!)
>>> Before installing
>>> the IPA Client, the new host's /etc/resolv.conf file looks like this:
>>>
>>> # cat /etc/resolv.conf
>>> search abc.xyz
>>> nameserver 192.168.0.3
>>> nameserver 123.123.123.1
>>> nameserver 123.123.123.2
>>>
>>> I did dig, host, nslookup earlier. Verified all except for the items
>>> I'm inquiring about.
>>
>> That's weird, because ipa-client-install creates A records directly in DNS
>> server using nsupdate, so it should be accessible instantly. Do you have
>> any caching DNS servers?
>>
>> Martin
>
> No caching DNS servers.
>
> On the topic of NetworkManager. It's completely gone yet still the
> /etc/resolv.conf file is being replaced with the text # Generated by
> NetworkManager.
>
> # systemctl show NetworkManager.service --property=Id,Names,Description
> Id=NetworkManager.service
> Names=NetworkManager.service
> Description=NetworkManager.service
> #
>
> # systemctl list-units --type service --all|grep -i network
>   network.service                     loaded    active   exited  LSB: Bring up/down networking
> ● NetworkManager-wait-online.service  not-found inactive dead    NetworkManager-wait-online.service
> ● NetworkManager.service              not-found inactive dead    NetworkManager.service
>   ntpd.service                        loaded    active   running Network Time Service
>   rhel-domainname.service             loaded    active   exited  Read and set NIS domainname from /etc/sysconfig/network
>   rhel-import-state.service           loaded    active   exited  Import network configuration from initramfs
> #
>
> The only thing that is left of the NetworkManager service is the above.
> Nothing I type from systemd removed it completely.
> So I've reverted to the
> last resort:
>
> # lsattr /etc/resolv.conf
> ----i----------- /etc/resolv.conf
> #
>
> With the above, I'm trying to see what's writing to the file by using
> auditctl and found that postfix seems to be doing this:
>
> ----
> time->Wed Nov 23 23:14:47 2016
> type=PATH msg=audit(1479960887.978:293): item=0 name="/etc/resolv.conf"
> inode=135699633 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00
> obj=system_u:object_r:net_conf_t:s0 objtype=NORMAL
> type=CWD msg=audit(1479960887.978:293): cwd="/"
> type=SYSCALL msg=audit(1479960887.978:293): arch=c000003e syscall=2
> success=yes exit=4 a0=7ffb36b6f43a a1=80000 a2=1b6 a3=24 items=1 ppid=1
> pid=5527 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
> fsgid=0 tty=(none) ses=4294967295 comm="postfix" exe="/usr/sbin/postfix"
> subj=system_u:system_r:postfix_master_t:s0 key="/root/resolv.conf-file"
> ----
> time->Wed Nov 23 23:14:48 2016
> type=PATH msg=audit(1479960888.013:301): item=0 name="/etc/resolv.conf"
> inode=135699633 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00
> obj=system_u:object_r:net_conf_t:s0 objtype=NORMAL
> type=CWD msg=audit(1479960888.013:301): cwd="/var/spool/postfix"
> type=SYSCALL msg=audit(1479960888.013:301): arch=c000003e syscall=2
> success=yes exit=3 a0=7f32c163043a a1=80000 a2=1b6 a3=24 items=1 ppid=5545
> pid=5546 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
> fsgid=0 tty=(none) ses=4294967295 comm="postconf" exe="/usr/sbin/postconf"
> subj=system_u:system_r:postfix_master_t:s0 key="/root/resolv.conf-file"
It usually helps to run ausearch -i, it translates numeric codes to names.
Assuming you are running Linux on x86_64, it would be interpreted like this:

----
type=SYSCALL msg=audit(24.11.2016 05:14:47.978:293) : arch=x86_64 syscall=open success=yes exit=4 a0=0x7ffb36b6f43a a1=O_RDONLY|O_CLOEXEC a2=0x1b6 a3=0x24 items=1 ppid=1 pid=5527 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=postfix exe=/usr/sbin/postfix subj=system_u:system_r:postfix_master_t:s0 key=/root/resolv.conf-file
type=CWD msg=audit(24.11.2016 05:14:47.978:293) : cwd=/
type=PATH msg=audit(24.11.2016 05:14:47.978:293) : item=0 name=/etc/resolv.conf inode=135699633 dev=fd:00 mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:net_conf_t:s0 objtype=NORMAL
----
type=SYSCALL msg=audit(24.11.2016 05:14:48.013:301) : arch=x86_64 syscall=open success=yes exit=3 a0=0x7f32c163043a a1=O_RDONLY|O_CLOEXEC a2=0x1b6 a3=0x24 items=1 ppid=5545 pid=5546 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=postconf exe=/usr/sbin/postconf subj=system_u:system_r:postfix_master_t:s0 key=/root/resolv.conf-file
type=CWD msg=audit(24.11.2016 05:14:48.013:301) : cwd=/var/spool/postfix
type=PATH msg=audit(24.11.2016 05:14:48.013:301) : item=0 name=/etc/resolv.conf inode=135699633 dev=fd:00 mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:net_conf_t:s0 objtype=NORMAL

In other words, /root/resolv.conf-file is open for reading. It is interesting ...
What does the file contain?
Petr^2 Spacek

> This in turn appears to be started by:
>
> # grep postfix access|tail -n 1
> [23/Nov/2016:23:42:04 -0500] conn=34 op=5 SRCH
> base="cn=accounts,dc=dom,dc=abc,dc=xyz" scope=2
> filter="(&(uid=postfix)(objectClass=posixAccount)(&(uidNumber=*)(!(uidNumber=0))))"
> attrs="objectClass uid userPassword uidNumber gidNumber gecos homeDirectory
> loginShell krbPrincipalName cn memberOf ipaUniqueID ipaNTSecurityIdentifier
> modifyTimestamp entryusn shadowLastChange shadowMin shadowMax shadowWarning
> shadowInactive shadowExpire shadowFlag krbLastPwdChange krbPasswordExpiration
> pwdattribute authorizedService accountexpires useraccountcontrol nsAccountLock
> host logindisabled loginexpirationtime loginallowedtimemap ipaSshPubKey
> ipaUserAuthType usercertificate;binary"
> # pwd
> /var/log/dirsrv/slapd-DOM-ABC-XYZ

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
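Martin's point in the thread, that IPA clients locate services through SRV records rather than through A records on the zone apex, rests on the RFC 2782 selection rules: lowest priority value first, weighted random choice among servers of equal priority, and failover to the next entry when a server does not answer. The block below is an added example, not code from the thread or from FreeIPA or SSSD. It parses a constructed zone fragment for dom.abc.xyz (ipa01.dom.abc.xyz is the host named in the thread; ipa02 and ipa-dr are assumed for the example), implements that ordering, and walks the ordered list with a probe callback that stands in for the real connection attempt. The random source is injected so the result is reproducible.

```python
"""RFC 2782 SRV record ordering and failover, the discovery IPA clients rely on."""
import random
from collections import namedtuple

SRV = namedtuple("SRV", "name priority weight port target")

# Constructed sample zone data for dom.abc.xyz. ipa01 is the host named in the
# thread; ipa02 and ipa-dr are assumed for the example. A lower priority value
# is preferred; weight splits load within one priority (0 = last resort only).
SAMPLE_ZONE = """
_ldap._tcp.dom.abc.xyz.     86400 IN SRV 0  100 389 ipa01.dom.abc.xyz.
_ldap._tcp.dom.abc.xyz.     86400 IN SRV 0  100 389 ipa02.dom.abc.xyz.
_ldap._tcp.dom.abc.xyz.     86400 IN SRV 10   0 389 ipa-dr.dom.abc.xyz.
_kerberos._udp.dom.abc.xyz. 86400 IN SRV 0  100  88 ipa01.dom.abc.xyz.
_kerberos._udp.dom.abc.xyz. 86400 IN SRV 0  100  88 ipa02.dom.abc.xyz.
"""


def parse_srv_zone(text):
    """Read zone-file style 'owner TTL IN SRV prio weight port target' lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 8 or parts[2:4] != ["IN", "SRV"]:
            continue  # blank lines and anything that is not an SRV RR
        owner, _ttl, _cls, _type, prio, weight, port, target = parts
        records.append(SRV(owner.rstrip("."), int(prio), int(weight),
                           int(port), target.rstrip(".")))
    return records


def lookup(records, service, proto, domain):
    """Select the RRset a client queries: _<service>._<proto>.<domain>."""
    owner = f"_{service}._{proto}.{domain}"
    return [r for r in records if r.name == owner]


def order_srv(records, rand=random.random):
    """Order an SRV RRset per RFC 2782: by priority, then weighted-random
    within a priority. `rand` returns a float in [0, 1); inject it to reproduce."""
    ordered = []
    for prio in sorted({r.priority for r in records}):
        group = [r for r in records if r.priority == prio]
        group.sort(key=lambda r: r.weight != 0)  # weight-0 RRs go first
        while group:
            total = sum(r.weight for r in group)
            pick = rand() * total
            running, chosen = 0, len(group) - 1
            for i, r in enumerate(group):
                running += r.weight
                if running >= pick:  # first RR whose running sum reaches the pick
                    chosen = i
                    break
            ordered.append(group.pop(chosen))
    return ordered


def first_reachable(records, probe, rand=random.random):
    """Failover: (target, port) of the first server, in RFC 2782 order, for
    which probe(target, port) succeeds, or None if none does."""
    for r in order_srv(records, rand):
        if probe(r.target, r.port):
            return r.target, r.port
    return None


if __name__ == "__main__":
    zone = parse_srv_zone(SAMPLE_ZONE)
    ldap = lookup(zone, "ldap", "tcp", "dom.abc.xyz")
    for r in order_srv(ldap):
        print(f"prio={r.priority:<3} weight={r.weight:<4} {r.target}:{r.port}")
    # Pretend ipa01 is down: the client moves on with no change on the server side.
    print("would use:", first_reachable(ldap, lambda host, port: host != "ipa01.dom.abc.xyz"))
```

The apex A records TomK shows for abc.xyz carry no priority, weight or port, so a client that round-robins over them cannot prefer a local replica or keep a disaster-recovery server out of rotation; the SRV RRset above expresses both, which is what the IPA locations mechanism Martin mentions builds on.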
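Petr's suggestion is to let ausearch -i do the decoding. The block below is an added example, not code from the thread, from FreeIPA or from the audit package, that performs the same interpretation on the two raw SYSCALL records quoted above, embedded here as constructed sample input copied from the thread. It assumes x86_64 and carries only partial syscall and open(2) flag tables (auditd ships complete ones), maps uid 0 to root without consulting /etc/passwd, and prints times in UTC rather than in the local zone ausearch uses. It adds the check this thread turns on: whether the flags an open() was made with could modify the file at all. Both records here are O_RDONLY opens, so neither postfix nor postconf can have rewritten /etc/resolv.conf; the writer has to be looked for in other records carrying the same key. Note that key= is the tag given to the audit rule with -k, and the file actually opened is the name= field of the accompanying PATH record, here /etc/resolv.conf.

```python
"""Decode raw Linux audit SYSCALL records the way `ausearch -i` does (x86_64 only)."""
import re
from datetime import datetime, timezone

# Constructed sample input: the two raw SYSCALL records quoted in the thread,
# joined back onto one line each as auditd writes them to audit.log.
RAW_RECORDS = [
    'type=SYSCALL msg=audit(1479960887.978:293): arch=c000003e syscall=2 '
    'success=yes exit=4 a0=7ffb36b6f43a a1=80000 a2=1b6 a3=24 items=1 ppid=1 '
    'pid=5527 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 '
    'fsgid=0 tty=(none) ses=4294967295 comm="postfix" exe="/usr/sbin/postfix" '
    'subj=system_u:system_r:postfix_master_t:s0 key="/root/resolv.conf-file"',
    'type=SYSCALL msg=audit(1479960888.013:301): arch=c000003e syscall=2 '
    'success=yes exit=3 a0=7f32c163043a a1=80000 a2=1b6 a3=24 items=1 ppid=5545 '
    'pid=5546 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 '
    'fsgid=0 tty=(none) ses=4294967295 comm="postconf" exe="/usr/sbin/postconf" '
    'subj=system_u:system_r:postfix_master_t:s0 key="/root/resolv.conf-file"',
]

# Partial lookup tables (assumption: x86_64 Linux). auditd carries the full
# per-architecture syscall table; these entries cover common file access calls.
ARCH_X86_64 = 0xC000003E
SYSCALLS_X86_64 = {0: "read", 1: "write", 2: "open", 3: "close", 82: "rename",
                   87: "unlink", 90: "chmod", 257: "openat"}
O_ACCMODE = 0o3
ACCMODE_NAMES = {0o0: "O_RDONLY", 0o1: "O_WRONLY", 0o2: "O_RDWR"}
OPEN_FLAG_BITS = [  # (bit, name) from <fcntl.h> on x86_64
    (0o100, "O_CREAT"), (0o200, "O_EXCL"), (0o400, "O_NOCTTY"),
    (0o1000, "O_TRUNC"), (0o2000, "O_APPEND"), (0o4000, "O_NONBLOCK"),
    (0o200000, "O_DIRECTORY"), (0o400000, "O_NOFOLLOW"), (0o2000000, "O_CLOEXEC"),
]
UNSET_ID = 0xFFFFFFFF  # auditd writes (unsigned)-1 when no login session exists

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
MSG_RE = re.compile(r'audit\((\d+)\.(\d{3}):(\d+)\)')


def parse_record(line):
    """Split one raw audit line into a dict; quoted values lose their quotes."""
    fields = {}
    for key, value in FIELD_RE.findall(line):
        fields[key] = value[1:-1] if value.startswith('"') else value
    m = MSG_RE.search(fields.get("msg", ""))
    if not m:
        raise ValueError("record has no audit(timestamp:serial) header")
    fields["_secs"], fields["_msecs"], fields["_serial"] = map(int, m.groups())
    return fields


def decode_open_flags(hex_value):
    """Render the hex flags argument of open(2) as ausearch does, e.g. O_RDONLY|O_CLOEXEC."""
    flags = int(hex_value, 16)
    names = [ACCMODE_NAMES.get(flags & O_ACCMODE, "O_ACCMODE?")]
    names += [name for bit, name in OPEN_FLAG_BITS if flags & bit]
    return "|".join(names)


def can_modify(hex_value):
    """True if an open(2) with these flags could change the file's content."""
    flags = int(hex_value, 16)
    return (flags & O_ACCMODE) != 0 or bool(flags & 0o1000)  # write mode or O_TRUNC


def interpret(line):
    """Produce the human-readable fields ausearch -i shows for one SYSCALL record."""
    rec = parse_record(line)
    if rec.get("type") != "SYSCALL":
        raise ValueError("only SYSCALL records are handled here")
    arch = int(rec["arch"], 16)
    nr = int(rec["syscall"])
    name = SYSCALLS_X86_64.get(nr, str(nr)) if arch == ARCH_X86_64 else str(nr)
    when = datetime.fromtimestamp(rec["_secs"], tz=timezone.utc)
    out = {
        "time_utc": when.strftime("%Y-%m-%d %H:%M:%S") + ".%03d" % rec["_msecs"],
        "serial": rec["_serial"],
        "arch": "x86_64" if arch == ARCH_X86_64 else rec["arch"],
        "syscall": name,
        "success": rec["success"] == "yes",
        "exit": int(rec["exit"]),
        "pid": int(rec["pid"]),
        "auid": "unset" if int(rec["auid"]) == UNSET_ID else rec["auid"],
        "uid": "root" if rec["uid"] == "0" else rec["uid"],  # no passwd lookup
        "comm": rec["comm"], "exe": rec["exe"], "key": rec.get("key"),
    }
    if name in ("open", "openat"):
        flag_arg = rec["a1"] if name == "open" else rec["a2"]  # openat has dirfd first
        out["flags"] = decode_open_flags(flag_arg)
        out["writes"] = can_modify(flag_arg)
    return out


def possible_writers(lines):
    """comm of every process whose open() in `lines` could have changed the file."""
    return [r["comm"] for r in map(interpret, lines) if r.get("writes")]


if __name__ == "__main__":
    for raw in RAW_RECORDS:
        r = interpret(raw)
        print(f"{r['time_utc']} {r['comm']} pid={r['pid']} uid={r['uid']} auid={r['auid']} "
              f"{r['syscall']}({r.get('flags', '')}) exit={r['exit']} writes={r.get('writes')}")
    print("possible writers:", possible_writers(RAW_RECORDS) or "none in these records")
```

When hunting the real writer, keep the audit watch but filter on the permission bits, e.g. look only at records where the decoded flags include O_WRONLY, O_RDWR or O_TRUNC, or at rename/unlink calls that replace the file wholesale; a tool that regenerates resolv.conf typically writes a temporary file and renames it over the original, which an open-only filter would miss.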
