On Fri, 26 Apr 2024, slek kus via FreeIPA-users wrote:
Hi Alexander, according to /etc/resolv.conf it is integrated and points to 
localhost, but nmcli says DNS is set to idm01.
A bit strange, since resolv.conf is generated by networkmanager.
----
[root@idm02 ~]# nmcli dev show | grep DNS
IP4.DNS[1]:                             172.16.27.10   <---- this is idm01
[root@idm02 ~]# cat /etc/resolv.conf
# Generated by NetworkManager
search linux.redacted.domain
nameserver 127.0.0.1
----

Both servers are in the same network.

On idm02, I can resolve the IPA domain; it is the AD domains that fail:
----
[root@idm02 ~]# host -t SRV _ldap._tcp.linux.redacted.domain
_ldap._tcp.linux.redacted.domain has SRV record 0 200 389 idm02.linux.redacted.domain.
_ldap._tcp.linux.redacted.domain has SRV record 0 100 389 idm01.linux.redacted.domain.

Do you have DNSSEC validation enforced on BIND side?

# grep dnssec /etc/named/ipa-options-ext.conf
/* dnssec-enable is obsolete and 'yes' by default */
dnssec-validation no;

If dnssec-validation is set to yes, that would explain it, because your AD
DNS server most likely is not using DNSSEC at all.

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
--
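As an added diagnostic (not from the thread and not part of FreeIPA), assuming dig from bind-utils is installed and using hypothetical server and zone names: the functions below tell a DNSSEC-validation failure apart from a plain forwarding failure by comparing a normal query with a +cd (checking disabled) query against the local IPA BIND.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes dig (bind-utils) is installed;
# server addresses and zone names passed in are hypothetical placeholders.

# Constructed sample of a dig header line, used to illustrate dig_status.
SAMPLE_DIG_SERVFAIL=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4242'

# Extract the "status:" field from dig's ";; ->>HEADER<<-" line.
dig_status() {
    printf '%s\n' "$1" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# Classify from the status of a normal query ($1) and of the same query with
# checking disabled (+cd, $2). A validating resolver answers the +cd query
# without validating, so SERVFAIL plain + NOERROR with +cd points at
# dnssec-validation rather than at the forwarder being unreachable.
classify_failure() {
    plain_status=$1
    cd_status=$2
    if [ "$plain_status" = "NOERROR" ]; then
        echo "ok"
    elif [ "$plain_status" = "SERVFAIL" ] && [ "$cd_status" = "NOERROR" ]; then
        echo "dnssec-validation"
    elif [ "$plain_status" = "SERVFAIL" ]; then
        echo "forwarding-or-upstream"
    else
        echo "other:$plain_status"
    fi
}

# Run both SRV queries for one name via the resolver in $1 and classify.
diagnose_srv() {
    server=$1
    name=$2
    plain_out=$(dig @"$server" -t SRV "$name")
    cd_out=$(dig @"$server" +cd -t SRV "$name")
    classify_failure "$(dig_status "$plain_out")" "$(dig_status "$cd_out")"
}

# Only query when invoked as: sh check.sh <server> <srv-name>, e.g.
#   sh check.sh 127.0.0.1 _ldap._tcp.ad.example.test
if [ "$#" -eq 2 ]; then
    diagnose_srv "$1" "$2"
    # Show the current setting alongside the verdict (path from the thread).
    grep -n 'dnssec-validation' /etc/named/ipa-options-ext.conf 2>/dev/null || true
fi
```

Run it on the IPA replica against 127.0.0.1 and an SRV name in the failing AD domain; a "dnssec-validation" verdict means the +cd query succeeded where the normal one did not.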
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue