On 25.11.2016 14:48, TomK wrote:
> On 11/25/2016 4:00 AM, Petr Spacek wrote:
>> On 25.11.2016 05:57, TomK wrote:
>>> On 11/24/2016 4:49 AM, Petr Spacek wrote:
>>>> On 24.11.2016 06:08, TomK wrote:
>>>>> On 11/23/2016 3:28 AM, Martin Basti wrote:
>>>>>> On 23.11.2016 03:48, TomK wrote:
>>>>>>> On 11/22/2016 10:22 AM, Martin Basti wrote:
>>>>>>>> On 22.11.2016 13:57, TomK wrote:
>>>>>>>>> On 11/22/2016 2:59 AM, Martin Basti wrote:
>>>>>>>>>> Hey,
>>>>>>>>>>
>>>>>>>>>> On 22.11.2016 06:33, TomK wrote:
>>>>>>>>>>> Hey Guys,
>>>>>>>>>>>
>>>>>>>>>>> I'm forwarding a domain dom.abc.xyz from a Windows Server 2012 over to my dual Free IPA server. The Free IPA servers are authoritative for this subdomain. The Windows Server 2012 DNS resolves on abc.xyz and forwards dom.abc.xyz.
>>>>>>>>>>
>>>>>>>>>> Do you have configured proper zone delegation for subdomain dom.abc.xyz? Proper NS and glue records: http://www.zytrax.com/books/dns/ch9/delegate.html
>>>>>>>>>>
>>>>>>>>>>> I cannot ping dom.abc.xyz. Everything else, including client registrations, works fine. If Free IPA is authoritative on dom.abc.xyz, should it not create DNS entries so the sub domain can be pinged as well?
>>>>>>>>>>
>>>>>>>>>> What do you mean by "ping"?
>>>>>>>>>>
>>>>>>>>>>> /etc/resolv.conf also gets regenerated on reboot on the IPA Servers and I wanted to ask if you can point me to some materials online to determine where I can permanently adjust the search to add dom.abc.xyz to the already present abc.xyz. I wasn't able to locate what I needed in my searches.
>>>>>>>>>>>
>>>>>>>>>>> I'm using the latest v4.
>>>>>>>>>>
>>>>>>>>>> It depends on what you are using; probably you have NetworkManager there that is editing /etc/resolv.conf
>>>>>>>>>>
>>>>>>>>>> https://ask.fedoraproject.org/en/question/67752/how-do-i-add-a-search-domain-using-networkmanager/
>>>>>>>>>>
>>>>>>>>>> Martin
>>>>>>>>>
>>>>>>>>> I uninstalled NetworkManager. Still changes.
>>>>>>>>> ping dom.abc.com results in "ping: unknown host"
>>>>>>>>>
>>>>>>>>> I'll have a look at the first link, ty.
>>>>>>>>
>>>>>>>> ping (ICMP protocol) and the DNS system are different things. Do you have hostname dom.abc.com with an A record, or is it a zone?
>>>>>>>>
>>>>>>>> With the ping command, hostname "dom.abc.com" is resolved to an IP address first. Do you have an A record set for dom.abc.com in the zone apex, or what are you trying to achieve with the ping command?
>>>>>>>>
>>>>>>>> For testing DNS try to use the commands: dig, host, nslookup
>>>>>>>>
>>>>>>>> Martin
>>>>>>>
>>>>>>> Apologies for the long reply but it should give some background on what it is that I'm doing.
>>>>>>>
>>>>>>> 1) dom.abc.com is a zone. There is no A record for dom.abc.com in FreeIPA (Confirmed by Petr). I get the point Petr Spacek pointed out in his comment as well. What should it really point to? (I kind of answer this question below so please read on.) Where I'm getting this from is that in Windows Server 2012 abc.com returns the IP of any of the participating AD / DNS servers within the cluster (The two Windows Server 2012 are combined clustered AD + DNS servers.). Being able to resolve abc.xyz is handy. During a lookup, I can get a list of all the IPs associated with that domain which would indicate all the DNS + AD servers online under that domain or serving that domain:
>>>>>>>
>>>>>>> # nslookup abc.xyz
>>>>>>> Server: 192.168.0.3
>>>>>>> Address: 192.168.0.3#53
>>>>>>>
>>>>>>> Name: abc.xyz
>>>>>>> Address: 192.168.0.3
>>>>>>> Name: abc.xyz
>>>>>>> Address: 192.168.0.1
>>>>>>> Name: abc.xyz
>>>>>>> Address: 192.168.0.2
>>>>>>> #
>>>>>>>
>>>>>>> Again, where this is handy is when configuring sssd.conf for example, or other apps for that matter. I can just point the app to authenticate against the domain and I have my redundancy solved. Windows Server 2012 does it, but FreeIPA didn't, so I threw the question out there.
>>>>>>
>>>>>> IPA uses SRV records heavily; all IPA related services have SRV records. SSSD uses the SRV records of IPA; a client should use the SRV record to connect to the right service (or URI record - will be in the next IPA). SRV records work for the IPA locations mechanism; we cannot achieve this with pure A records.
>>>>>>
>>>>>>> Delegation from this Windows DNS works as expected. Any lookup for dom.abc.xyz is forwarded to and handled by the FreeIPA servers. Tested this out. No issue with this.
>>>>>>>
>>>>>>> I did see earlier that there is no A record for dom.abc.xyz in FreeIPA. My reasons for asking if there was an IP on the subdomain in FreeIPA were above, but the missing IP on the subdomain isn't a major issue for me. Things are working without dom.abc.xyz resolving to an IP. What I was hoping for is to have a VIP for the IPA servers and one for the Windows Server 2012 DNS Cluster in /etc/resolv.conf. (I have the VIP for the Windows server.) One forwarding to the other for a given domain. This is all for testing a) redundancy, b) forwarding, c) authentication.
>>>>>>>
>>>>>>> IE:
>>>>>>>
>>>>>>> # cat /etc/resolv.conf
>>>>>>> search dom.abc.xyz abc.xyz
>>>>>>> nameserver 192.168.0.3 <------------ Win Cluster DNS VIP
>>>>>>> nameserver 192.168.0.4 <------------ IPA Cluster DNS VIP
>>>>>>>
>>>>>>> * Just what I want to achieve above. VIP 192.168.0.4 doesn't exist on my cluster yet. I'm looking to integrate ucarp with the above IPA servers.
>>>>>>>
>>>>>>> 2) More to the topic of my second question, however, is that /etc/resolv.conf, on the IPA servers themselves, gets rewritten on restart. I would like to know by what, if I already uninstalled NetworkManager? When I configured the FreeIPA server, I used:
>>>>>>>
>>>>>>> ipa-server-install --setup-dns --forwarder=192.168.0.3 -p "Hush!" -a "Hush!" -r DOM.ABC.XYZ -n dom.abc.xyz --hostname ipa01.dom.abc.xyz
>>>>>>>
>>>>>>> Notice I used the VIP of the Windows Server 2012 Cluster when installing FreeIPA. This is nice for redundancy. So the resolv.conf ends up being:
>>>>>>>
>>>>>>> # cat /etc/resolv.conf
>>>>>>> # Generated by NetworkManager
>>>>>>> search abc.xyz
>>>>>>> nameserver 192.168.0.3
>>>>>>> nameserver 123.123.123.1
>>>>>>> nameserver 123.123.123.2
>>>>>>>
>>>>>>> Then I add:
>>>>>>>
>>>>>>> search dom.abc.xyz abc.xyz
>>>>>>>
>>>>>>> but it changes back to search abc.xyz (the Windows Server 2012 DNS). This all works, except for the above minor items, and I can resolve anything over this network. (Thinking this is fine because the forward is on the subdomain. I haven't had issues with forwarding through this setup.)
>>>>>>>
>>>>>>> # cat /etc/resolv.conf
>>>>>>> # Generated by NetworkManager
>>>>>>> search abc.xyz
>>>>>>> nameserver 192.168.0.3
>>>>>>> nameserver 123.123.123.1
>>>>>>> nameserver 123.123.123.2
>>>>>>>
>>>>>>> But NetworkManager is not installed on these IPA servers. I've removed it earlier:
>>>>>>>
>>>>>>> # rpm -aq|grep -i NetworkManager
>>>>>>> #
>>>>>>>
>>>>>>> Is FreeIPA replacing /etc/resolv.conf with a copy it keeps elsewhere?
>>>>>>
>>>>>> On servers with DNS, /etc/resolv.conf should point to 127.0.0.1 and ::1, and global or per-server DNS forwarders should be configured instead.
>>>>>>
>>>>>> Have you properly stopped NetworkManager using systemctl stop and systemctl disable? In case you just removed the rpm files, the service can still work. I recommend updating the network manager config, not removing it :)
>>>>>>
>>>>>> As a last resort, you can set the immutable bit on resolv.conf if something is still changing your resolv.conf file.
>>>>>>
>>>>>>> 3) After running:
>>>>>>>
>>>>>>> ipa-client-install --mkhomedir --enable-dns-updates
>>>>>>>
>>>>>>> on a new host, the hostname of the new host doesn't resolve for a few minutes. How do I make this instantaneous? (Other than that, autodiscovery of the IPA servers is excellent!) Before installing the IPA Client, the new host's /etc/resolv.conf file looks like this:
>>>>>>>
>>>>>>> # cat /etc/resolv.conf
>>>>>>> search abc.xyz
>>>>>>> nameserver 192.168.0.3
>>>>>>> nameserver 123.123.123.1
>>>>>>> nameserver 123.123.123.2
>>>>>>>
>>>>>>> I did dig, host, nslookup earlier. Verified all except for the items I'm inquiring about.
>>>>>>
>>>>>> That's weird, because ipa-client-install creates A records directly on the DNS server using nsupdate, so it should be accessible instantly. Do you have any caching DNS servers?
>>>>>>
>>>>>> Martin
>>>>>
>>>>> No caching DNS servers.
>>>>>
>>>>> On the topic of NetworkManager. It's completely gone, yet still the /etc/resolv.conf file is being replaced with the text # Generated by NetworkManager.
>>>>>
>>>>> # systemctl show NetworkManager.service --property=Id,Names,Description
>>>>> Id=NetworkManager.service
>>>>> Names=NetworkManager.service
>>>>> Description=NetworkManager.service
>>>>> #
>>>>>
>>>>> # systemctl list-units --type service --all|grep -i network
>>>>>   network.service                      loaded    active   exited  LSB: Bring up/down networking
>>>>> ● NetworkManager-wait-online.service   not-found inactive dead    NetworkManager-wait-online.service
>>>>> ● NetworkManager.service               not-found inactive dead    NetworkManager.service
>>>>>   ntpd.service                         loaded    active   running Network Time Service
>>>>>   rhel-domainname.service              loaded    active   exited  Read and set NIS domainname from /etc/sysconfig/network
>>>>>   rhel-import-state.service            loaded    active   exited  Import network configuration from initramfs
>>>>> #
>>>>>
>>>>> The only thing that is left of the NetworkManager service is the above. Nothing I type from systemd removed it completely. So I've reverted to the last resort:
>>>>>
>>>>> # lsattr /etc/resolv.conf
>>>>> ----i----------- /etc/resolv.conf
>>>>> #
>>>>>
>>>>> With the above, I'm trying to see what's writing to the file by using auditctl and found that postfix seems to be doing this:
>>>>>
>>>>> ----
>>>>> time->Wed Nov 23 23:14:47 2016
>>>>> type=PATH msg=audit(1479960887.978:293): item=0 name="/etc/resolv.conf" inode=135699633 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:net_conf_t:s0 objtype=NORMAL
>>>>> type=CWD msg=audit(1479960887.978:293): cwd="/"
>>>>> type=SYSCALL msg=audit(1479960887.978:293): arch=c000003e syscall=2 success=yes exit=4 a0=7ffb36b6f43a a1=80000 a2=1b6 a3=24 items=1 ppid=1 pid=5527 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="postfix" exe="/usr/sbin/postfix" subj=system_u:system_r:postfix_master_t:s0 key="/root/resolv.conf-file"
>>>>> ----
>>>>> time->Wed Nov 23 23:14:48 2016
>>>>> type=PATH msg=audit(1479960888.013:301): item=0 name="/etc/resolv.conf" inode=135699633 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:net_conf_t:s0 objtype=NORMAL
>>>>> type=CWD msg=audit(1479960888.013:301): cwd="/var/spool/postfix"
>>>>> type=SYSCALL msg=audit(1479960888.013:301): arch=c000003e syscall=2 success=yes exit=3 a0=7f32c163043a a1=80000 a2=1b6 a3=24 items=1 ppid=5545 pid=5546 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="postconf" exe="/usr/sbin/postconf" subj=system_u:system_r:postfix_master_t:s0 key="/root/resolv.conf-file"
>>>>
>>>> It usually helps to run ausearch -i; it translates numeric codes to names.
>>>>
>>>> Assuming you are running Linux on x86_64, it would be interpreted like this:
>>>>
>>>> ----
>>>> type=SYSCALL msg=audit(24.11.2016 05:14:47.978:293) : arch=x86_64 syscall=open success=yes exit=4 a0=0x7ffb36b6f43a a1=O_RDONLY|O_CLOEXEC a2=0x1b6 a3=0x24 items=1 ppid=1 pid=5527 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=postfix exe=/usr/sbin/postfix subj=system_u:system_r:postfix_master_t:s0 key=/root/resolv.conf-file
>>>> type=CWD msg=audit(24.11.2016 05:14:47.978:293) : cwd=/
>>>> type=PATH msg=audit(24.11.2016 05:14:47.978:293) : item=0 name=/etc/resolv.conf inode=135699633 dev=fd:00 mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:net_conf_t:s0 objtype=NORMAL
>>>> ----
>>>> type=SYSCALL msg=audit(24.11.2016 05:14:48.013:301) : arch=x86_64 syscall=open success=yes exit=3 a0=0x7f32c163043a a1=O_RDONLY|O_CLOEXEC a2=0x1b6 a3=0x24 items=1 ppid=5545 pid=5546 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=postconf exe=/usr/sbin/postconf subj=system_u:system_r:postfix_master_t:s0 key=/root/resolv.conf-file
>>>> type=CWD msg=audit(24.11.2016 05:14:48.013:301) : cwd=/var/spool/postfix
>>>> type=PATH msg=audit(24.11.2016 05:14:48.013:301) : item=0 name=/etc/resolv.conf inode=135699633 dev=fd:00 mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:net_conf_t:s0 objtype=NORMAL
>>>>
>>>> In other words, /root/resolv.conf-file is open for reading.
>>>>
>>>> It is interesting ... What does the file contain?
>>>>
>>>> Petr^2 Spacek
>>>>
>>>>> This in turn appears to be started by:
>>>>>
>>>>> # grep postfix access|tail -n 1
>>>>> [23/Nov/2016:23:42:04 -0500] conn=34 op=5 SRCH base="cn=accounts,dc=dom,dc=abc,dc=xyz" scope=2 filter="(&(uid=postfix)(objectClass=posixAccount)(&(uidNumber=*)(!(uidNumber=0))))" attrs="objectClass uid userPassword uidNumber gidNumber gecos homeDirectory loginShell krbPrincipalName cn memberOf ipaUniqueID ipaNTSecurityIdentifier modifyTimestamp entryusn shadowLastChange shadowMin shadowMax shadowWarning shadowInactive shadowExpire shadowFlag krbLastPwdChange krbPasswordExpiration pwdattribute authorizedService accountexpires useraccountcontrol nsAccountLock host logindisabled loginexpirationtime loginallowedtimemap ipaSshPubKey ipaUserAuthType usercertificate;binary"
>>>>> # pwd
>>>>> /var/log/dirsrv/slapd-DOM-ABC-XYZ
>>>
>>> root/resolv.conf-file is only an identifier (key) by which auditctl marked events that occurred on /etc/resolv.conf. In other words, it was just a custom assigned identifier I used that read / write requests got tagged with. I really should have called it 'resolv-conf-identifier' or similar to avoid confusion. It's not a file.
>>>
>>> The commands I used to watch the file are:
>>>
>>> /sbin/ausearch -f /etc/resolv.conf -key=/root/resolv.conf-file
>>>
>>> Then to get events:
>>>
>>> /sbin/ausearch -f /etc/resolv.conf --key "/root/resolv.conf-file"
>>>
>>> Adding the -i as per your note, I get this:
>>>
>>> [root@idmipa01 ~]# /sbin/ausearch -f /etc/resolv.conf --key "/root/resolv.conf-file" -i
>>> ----
>>> type=PATH msg=audit(11/23/2016 23:14:04.708:287) : item=0 name=/etc/resolv.conf inode=135699633 dev=fd:00 mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:net_conf_t:s0 objtype=NORMAL
>>> type=CWD msg=audit(11/23/2016 23:14:04.708:287) : cwd=/var/log/dirsrv/slapd-NIX-MDS-XYZ
>>> type=SYSCALL msg=audit(11/23/2016 23:14:04.708:287) : arch=x86_64 syscall=open success=yes exit=53 a0=0x7f66d82c243a a1=O_RDONLY|O_CLOEXEC a2=0x1b6 a3=0x24 items=1 ppid=1 pid=5080 auid=unset uid=dirsrv gid=dirsrv euid=dirsrv suid=dirsrv fsuid=dirsrv egid=dirsrv sgid=dirsrv fsgid=dirsrv tty=(none) ses=unset comm=ns-slapd exe=/usr/sbin/ns-slapd subj=system_u:system_r:dirsrv_t:s0 key=/root/resolv.conf-file
>>> ----
>>> type=PATH msg=audit(11/23/2016 23:14:32.182:288) : item=0 name=/etc/resolv.conf inode=135699633 dev=fd:00 mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:net_conf_t:s0 objtype=NORMAL
>>> type=CWD msg=audit(11/23/2016 23:14:32.182:288) : cwd=/var/log/audit
>>> type=SYSCALL msg=audit(11/23/2016 23:14:32.182:288) : arch=x86_64 syscall=open success=yes exit=3 a0=0x7fffd2fa47ff a1=O_RDONLY|O_NONBLOCK a2=0x7fffd2fa2f00 a3=0x7fffd2fa2c70 items=1 ppid=2389 pid=5511 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=1 comm=chattr exe=/usr/bin/chattr subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=/root/resolv.conf-file
>>> ----
>>> type=PATH msg=audit(11/23/2016 23:14:32.182:289) : item=0 name=/etc/resolv.conf inode=135699633 dev=fd:00 mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:net_conf_t:s0 objtype=NORMAL
>>> type=CWD msg=audit(11/23/2016 23:14:32.182:289) : cwd=/var/log/audit
>>> type=SYSCALL msg=audit(11/23/2016 23:14:32.182:289) : arch=x86_64 syscall=open success=yes exit=3 a0=0x7fffd2fa47ff a1=O_RDONLY|O_NONBLOCK a2=0x7fffd2fa2f00 a3=0x7fffd2fa2d50 items=1 ppid=2389 pid=5511 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=1 comm=chattr exe=/usr/bin/chattr subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=/root/resolv.conf-file
>>> ----
>>> type=PATH msg=audit(11/23/2016 23:14:36.847:290) : item=0 name=/etc/resolv.conf inode=135699633 dev=fd:00 mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:net_conf_t:s0 objtype=NORMAL
>>> type=CWD msg=audit(11/23/2016 23:14:36.847:290) : cwd=/var/log/audit
>>> type=SYSCALL msg=audit(11/23/2016 23:14:36.847:290) : arch=x86_64 syscall=open success=yes exit=3 a0=0x7fff791a17ff a1=O_RDONLY|O_NONBLOCK a2=0x7fff791a0180 a3=0x7fff7919fef0 items=1 ppid=2389 pid=5512 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=1 comm=lsattr exe=/usr/bin/lsattr subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=/root/resolv.conf-file
>>> ----
>>> type=PATH msg=audit(11/23/2016 23:14:47.978:293) : item=0 name=/etc/resolv.conf inode=135699633 dev=fd:00 mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:net_conf_t:s0 objtype=NORMAL
>>> type=CWD msg=audit(11/23/2016 23:14:47.978:293) : cwd=/
>>> type=SYSCALL msg=audit(11/23/2016 23:14:47.978:293) : arch=x86_64 syscall=open success=yes exit=4 a0=0x7ffb36b6f43a a1=O_RDONLY|O_CLOEXEC a2=0x1b6 a3=0x24 items=1 ppid=1 pid=5527 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=postfix exe=/usr/sbin/postfix subj=system_u:system_r:postfix_master_t:s0 key=/root/resolv.conf-file
>>> ----
>>> type=PATH msg=audit(11/23/2016 23:14:48.013:301) : item=0 name=/etc/resolv.conf inode=135699633 dev=fd:00 mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:net_conf_t:s0 objtype=NORMAL
>>> type=CWD msg=audit(11/23/2016 23:14:48.013:301) : cwd=/var/spool/postfix
>>> type=SYSCALL msg=audit(11/23/2016 23:14:48.013:301) : arch=x86_64 syscall=open success=yes exit=3 a0=0x7f32c163043a a1=O_RDONLY|O_CLOEXEC a2=0x1b6 a3=0x24 items=1 ppid=5545 pid=5546 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=postconf exe=/usr/sbin/postconf subj=system_u:system_r:postfix_master_t:s0 key=/root/resolv.conf-file
>>> [root@idmipa01 ~]#
>>
>> Okay, the important part is that all open() syscalls have parameter O_RDONLY, so there is nothing writing to the file.
>>
>> The wrong value must have got into resolv.conf by some other means.
>
> So the only way for me to find out what's modifying that file is to step through the boot process, since auditctl might not be loading yet or simply has to be loaded manually each time to capture anything of value.
>
> The command I ran is:
>
> /sbin/auditctl -w /etc/resolv.conf -p war -k /root/resolv.conf-file
>
> Can't find a convenient way to capture this at boot. I know /etc/resolv.conf changes through run level changes.
Maybe this is a stupid question, but ... did you try to put the rules into /etc/audit/rules.d/audit.rules ?

--
Petr^2 Spacek

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
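Petr's diagnosis rests on one detail: every open() in the ausearch output carries O_RDONLY, so none of those processes could have rewritten the file. The script below automates that check over raw auditd records (the hex a1/a2 form posted before -i was added), decoding the open(2) flags the way ausearch -i does and reporting only the opens that could modify the watched file. It is an added example, not code from the thread or from FreeIPA; the sample records are constructed (the first two mirror the postfix/postconf records above, the dhclient-script writer is hypothetical).

```python
# Decode raw auditd SYSCALL records for a watched file and report which opens
# could actually have modified it.  Added example, not code from the thread.
import re
from dataclasses import dataclass

# open(2) flag bits on x86_64 Linux (asm-generic/fcntl.h); raw auditd logs
# them as hex in a1/a2, `ausearch -i` prints the names instead.
O_ACCMODE, O_WRONLY, O_RDWR, O_TRUNC = 0o3, 0o1, 0o2, 0o1000
FLAG_NAMES = {0o1: "O_WRONLY", 0o2: "O_RDWR", 0o100: "O_CREAT", 0o1000: "O_TRUNC",
              0o2000: "O_APPEND", 0o4000: "O_NONBLOCK", 0o2000000: "O_CLOEXEC"}
# x86_64 syscall numbers: the flags are argument a1 for open, a2 for openat.
FLAG_ARG = {2: ("open", "a1"), 257: ("openat", "a2")}
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample: two records mirror the postfix/postconf opens from the
# thread; the third is a hypothetical writer (dhclient-script) for contrast.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1479960887.978:293): arch=c000003e syscall=2 success=yes exit=4 a0=7ffb36b6f43a a1=80000 a2=1b6 a3=24 items=1 ppid=1 pid=5527 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="postfix" exe="/usr/sbin/postfix" subj=system_u:system_r:postfix_master_t:s0 key="/root/resolv.conf-file"
type=CWD msg=audit(1479960887.978:293): cwd="/"
type=SYSCALL msg=audit(1479960888.013:301): arch=c000003e syscall=2 success=yes exit=3 a0=7f32c163043a a1=80000 a2=1b6 a3=24 items=1 ppid=5545 pid=5546 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="postconf" exe="/usr/sbin/postconf" subj=system_u:system_r:postfix_master_t:s0 key="/root/resolv.conf-file"
type=SYSCALL msg=audit(1479960900.000:310): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=55d0c0a1e2f0 a2=80241 a3=1a4 items=2 ppid=1 pid=6001 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="dhclient-script" exe="/usr/sbin/dhclient-script" subj=system_u:system_r:dhcpc_t:s0 key="/root/resolv.conf-file"
"""


@dataclass
class OpenEvent:
    serial: int
    syscall: str
    comm: str
    exe: str
    pid: int
    flags: int
    success: bool

    @property
    def flag_names(self) -> str:
        names = ["O_RDONLY"] if (self.flags & O_ACCMODE) == 0 else []
        names += [n for bit, n in FLAG_NAMES.items() if self.flags & bit]
        return "|".join(names)

    @property
    def can_modify(self) -> bool:
        # Only write/read-write access or O_TRUNC can change the content; an
        # O_RDONLY open (like postfix's here) cannot, whoever the caller is.
        return (self.flags & O_ACCMODE) in (O_WRONLY, O_RDWR) or bool(self.flags & O_TRUNC)


def parse_open_events(audit_log: str) -> list[OpenEvent]:
    """Pull every open/openat SYSCALL record out of raw auditd output."""
    events = []
    for line in audit_log.splitlines():
        if not line.startswith("type=SYSCALL"):
            continue  # CWD/PATH records carry no flags
        f = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
        name, arg = FLAG_ARG.get(int(f["syscall"]), (None, None))
        if name is None:
            continue  # not an open; e.g. a bare write() on an existing fd
        serial = int(re.search(r":(\d+)\)", f["msg"]).group(1))
        events.append(OpenEvent(serial, name, f["comm"], f["exe"], int(f["pid"]),
                                int(f[arg], 16), f["success"] == "yes"))
    return events


def suspected_writers(audit_log: str) -> list[tuple[str, str]]:
    """(comm, decoded flags) for each successful open that could modify the file."""
    return [(e.comm, e.flag_names) for e in parse_open_events(audit_log)
            if e.success and e.can_modify]
```

Feeding it `ausearch -f /etc/resolv.conf -k <key> --raw` output works the same way, and persisting the thread's `-w /etc/resolv.conf -p war -k ...` rule under /etc/audit/rules.d/, as Petr suggests, is what makes the boot-time opens available to feed into it.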
