On 12/08/2014 02:10 PM, Matthew Herzog wrote:
Here are some errors I'm seeing on the client.

tail -f sssd_lnx.e-bozo.com.log
(Mon Dec 8 14:03:20 2014) [sssd[be[lnx.e-bozo.com]]] [sbus_dispatch] (0x4000): dbus conn: 0x1e72ad0
(Mon Dec 8 14:03:20 2014) [sssd[be[lnx.e-bozo.com]]] [sbus_dispatch] (0x4000): Dispatching.
(Mon Dec 8 14:03:20 2014) [sssd[be[lnx.e-bozo.com]]] [sbus_message_handler] (0x4000): Received SBUS method [ping]
(Mon Dec 8 14:03:20 2014) [sssd[be[lnx.e-bozo.com]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
(Mon Dec 8 14:03:20 2014) [sssd[be[lnx.e-bozo.com]]] [sbus_handler_got_caller_id] (0x4000): Received SBUS method [ping]
(Mon Dec 8 14:03:30 2014) [sssd[be[lnx.e-bozo.com]]] [sbus_dispatch] (0x4000): dbus conn: 0x1e72ad0
(Mon Dec 8 14:03:30 2014) [sssd[be[lnx.e-bozo.com]]] [sbus_dispatch] (0x4000): Dispatching.
(Mon Dec 8 14:03:30 2014) [sssd[be[lnx.e-bozo.com]]] [sbus_message_handler] (0x4000): Received SBUS method [ping]
(Mon Dec 8 14:03:30 2014) [sssd[be[lnx.e-bozo.com]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
(Mon Dec 8 14:03:30 2014) [sssd[be[lnx.e-bozo.com]]] [sbus_handler_got_caller_id] (0x4000): Received SBUS method [ping]
(Mon Dec 8 14:03:40 2014) [sssd[be[lnx.e-bozo.com]]] [sbus_dispatch] (0x4000): dbus conn: 0x1e72ad0
(Mon Dec 8 14:03:40 2014) [sssd[be[lnx.e-bozo.com]]] [sbus_dispatch] (0x4000): Dispatching.

[root@freeipa-poc-client02 sssd]# tail -f sssd_ssh.log
(Sun Dec 7 19:32:09 2014) [sssd[ssh]] [ssh_process_init] (0x0010): sss_process_init() failed
(Sun Dec 7 19:32:09 2014) [sssd[ssh]] [sss_dp_init] (0x0010): Failed to connect to monitor services.
(Sun Dec 7 19:32:09 2014) [sssd[ssh]] [sss_process_init] (0x0010): fatal error setting up backend connector
(Sun Dec 7 19:32:09 2014) [sssd[ssh]] [ssh_process_init] (0x0010): sss_process_init() failed
(Sun Dec 7 19:32:16 2014) [sssd[ssh]] [sss_dp_init] (0x0010): Failed to connect to monitor services.
(Sun Dec 7 19:32:16 2014) [sssd[ssh]] [sss_process_init] (0x0010): fatal error setting up backend connector
(Sun Dec 7 19:32:16 2014) [sssd[ssh]] [ssh_process_init] (0x0010): sss_process_init() failed
(Sun Dec 7 19:32:16 2014) [sssd[ssh]] [sss_dp_init] (0x0010): Failed to connect to monitor services.
(Sun Dec 7 19:32:16 2014) [sssd[ssh]] [sss_process_init] (0x0010): fatal error setting up backend connector
(Sun Dec 7 19:32:16 2014) [sssd[ssh]] [ssh_process_init] (0x0010): sss_process_init() failed

What is the version of the client?
Please add debug_level=9 to sssd.conf in the different sections to raise the verbosity of the log and see what is really going on there.
https://fedorahosted.org/sssd/wiki/FAQ#BasicsofTroubleshooting




On Mon, Dec 8, 2014 at 11:48 AM, Matthew Herzog <matthew.her...@gmail.com> wrote:

    I have never seen my IPA servers produce a zone file nor has the
    install script ever mentioned the creation of such. In fact, I
    just ran ipa-server-install --uninstall && ipa-server-install and
    there was no mention of a zone file.

    Where should I look in the file system to be sure? I see nothing
    in /var/named. I'm using 3.3.3 IPA on Oracle Linux from Oracle's
    yum repo. (Not my choice.)

    dsee7 is *not* running Kerberos. dsee7 is *not* configured with
    SRV records. I guess I'll need to add SRV records for all my Linux
    hosts.






    On Mon, Dec 8, 2014 at 10:41 AM, Petr Spacek <pspa...@redhat.com> wrote:

        On 8.12.2014 14:44, Matthew Herzog wrote:
        > Petr said, "You can run ipa-server-install *without* --setup-dns option and
        > at the end of installation it will produce DNS records which you have to
        > manually add to your existing DNS database."
        >
        > I can't see how this would be useful or which machines I would need to add
        > to our DNS.
        >
        > Perhaps I should have explained that we are not going to set up a new DNS
        > domain for the ipa-managed servers.
        Good.

        Now you should run ipa-server-install *without* --setup-dns, using
        lnx.e-bozo.com as your IPA domain. It will install a full IPA server and
        spit out a DNS zone file.

        Then you *have to* take this zone file and import it into your existing DNS
        infrastructure - that will give you a fully functional IPA domain
        lnx.e-bozo.com.

        Caveat:
        The preceding text assumes that 'dsee7' is not using either Kerberos or DNS
        SRV records for the LDAP service in domain lnx.e-bozo.com, i.e. clients
        connecting to DSEE7 should be (most likely) statically configured with the
        DSEE7 server name.

        Petr^2 Spacek

        > We have an Oracle dsee7 server doing LDAP for our Linux servers and
        > accounts. We want to migrate to IPA so we don't have to maintain a
        > Linux/LDAP account for every user who needs access to Linux servers. All
        > of our users start with an account in AD and since none of my
        > predecessors knew about Winbind, they set up dsee7.
        >
        > So I'm thinking we'll need to import all our dsee7 accounts AND make it
        > possible for AD users to access the Linux systems without needing to
        > create them in IPA.
        >
        > On Mon, Dec 8, 2014 at 2:56 AM, Petr Spacek <pspa...@redhat.com> wrote:
        >
        >> On 8.12.2014 05:02, Dmitri Pal wrote:
        >>> On 12/07/2014 10:10 PM, Matthew Herzog wrote:
        >>>> So should the FreeIPA server be authoritative for the Kerb. realm/DNS
        >>>> domain or can it/should it be a slave DNS server instead? Or caching
        >>>> only?
        >>>
        >>> IPA DNS can't be a slave so you either delegate a whole zone to it or
        >>> manage IPA DNS domain via your own DNS server.
        >>
        >> Generally, "slave" is not allowed to do any changes so it is useless in
        >> your scenario.
        >>
        >> You can run ipa-server-install *without* --setup-dns option and at the
        >> end of installation it will produce DNS records which you have to
        >> manually add to your existing DNS database.
        >>
        >> Did you try that?
        >>
        >> Petr^2 Spacek
        >>
        >>>> On Sun, Dec 7, 2014 at 9:57 PM, Dmitri Pal <d...@redhat.com> wrote:
        >>>>
        >>>>     On 12/07/2014 09:51 PM, Matthew Herzog wrote:
        >>>>>     What must be done in or on the ipa server with regard to DNS, if
        >>>>>     anything?
        >>>>>
        >>>>>     Our DNS works. It works well. We have four Linux DNS servers and
        >>>>>     two AD domain controllers that also do DNS.
        >>>>>
        >>>>>     So if we already have DNS working well in our domain, why do we
        >>>>>     want to manage DNS in IPA?
        >>>>
        >>>>     Let us keep the discussion on the list.
        >>>>     IPA when used with AD trust presents itself as a separate forest.
        >>>>     AD thinks that it is working with another AD forest.
        >>>>     For that to work we need to follow MSFT rules about the relationship
        >>>>     between Kerberos realm and DNS domain.
        >>>>     AD assumes that for every trusted forest Kerberos realm = DNS
        >>>>     domain. IPA makes it easy to do because it has integrated tools to
        >>>>     manage the IPA DNS domain.
        >>>>     If you want to manage it yourself through your DNS you can do it,
        >>>>     just more manual operations for you.
        >>>>
        >>>>     HTH
        >>>>
        >>>>     Thanks
        >>>>     Dmitri
        >>>>
        >>>>
        >>>>>
        >>>>>     On Sun, Dec 7, 2014 at 9:44 PM, Dmitri Pal <d...@redhat.com> wrote:
        >>>>>
        >>>>>         On 12/07/2014 06:44 PM, Matthew Herzog wrote:
        >>>>>>         Thanks guys. I'm sorry for my delay in responding.
        >>>>>>
        >>>>>>         Firstly, I was under the impression (from reading the docs)
        >>>>>>         that having named running on the IPA server was critical.
        >>>>>
        >>>>>         Properly configured DNS is critical.
        >>>>>         How you accomplish it is up to you.
        >>>>>         IPA allows you to have a DNS server that would simplify DNS
        >>>>>         management but it can be done manually too. This is why DNS
        >>>>>         is optional.
        >>>>>
        >>>>>
        >>>>>>         Also, the first question the ipa-server-install script asks
        >>>>>>         is, "Do you want to configure integrated DNS (BIND)? ."
        >>>>>>         While it's true the default answer is no, it leads one to
        >>>>>>         believe that DNS is central to IPA. Also the
        >>>>>>         ipa-client-install script says,
        >>>>>>
        >>>>>>         [root@freeipa-poc-client02 ~]# ipa-client-install
        >>>>>>         DNS discovery failed to determine your DNS domain
        >>>>>>         Provide the domain name of your IPA server (ex: example.com):
        >>>>>>
        >>>>>>         I can resolve -anything- from the machine using dig or
        >>>>>>         whatever.
        >>>>>>
        >>>>>>         Ultimately, the reason I started to be concerned about my
        >>>>>>         IPA server's DNS config was because I was not able to
        >>>>>>         authenticate AD accounts to a client machine. I saw a bunch
        >>>>>>         of errors in the client's sssd logs which of course I can't
        >>>>>>         find now.
        >>>>>>
        >>>>>>         Perhaps it was these . . .
        >>>>>>
        >>>>>>         (Thu Dec  4 13:45:23 2014) [sssd] [ping_check] (0x0100): Service nss replied to ping
        >>>>>>         (Thu Dec  4 13:45:23 2014) [sssd] [ping_check] (0x0100): Service sudo replied to ping
        >>>>>>         (Thu Dec  4 13:45:23 2014) [sssd] [ping_check] (0x0100): Service pam replied to ping
        >>>>>>         (Thu Dec  4 13:45:23 2014) [sssd] [ping_check] (0x0100): Service ssh replied to ping
        >>>>>>         (Thu Dec  4 13:45:23 2014) [sssd] [ping_check] (0x0100): Service pac replied to ping
        >>>>>>         (Thu Dec  4 13:45:23 2014) [sssd] [ping_check] (0x0100): Service bo3.e-bozo.com replied to ping
        >>>>>>
        >>>>>>         I'm not allowed onto the AD domain controllers to examine
        >>>>>>         log files or I'd be checking those first.
        >>>>>>
        >>>>>>         So ultimately the goal is to authenticate AD users and users
        >>>>>>         that exist in our ldap schema. We need to set up groups of
        >>>>>>         users that can run sudo commands on specific groups of hosts.
        >>>>>
        >>>>>         Did you set up trusts as explained on the following page?
        >>>>>         http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup
        >>>>>
        >>>>>
        >>>>>>
        >>>>>>
        >>>>>>         On Wed, Dec 3, 2014 at 3:46 AM, Petr Spacek <pspa...@redhat.com> wrote:
        >>>>>>
        >>>>>>             On 3.12.2014 04:35, Dmitri Pal wrote:
        >>>>>>             > On 12/02/2014 08:54 PM, Matthew Herzog wrote:
        >>>>>>             >> Any other ideas? I just spun up a new VM and took the
        >>>>>>             >> defaults on everything while running ipa-server-install
        >>>>>>             >> (the defaults did make sense) and my new VM can't
        >>>>>>             >> resolve -anything- in the domain in which it lives. The
        >>>>>>             >> "old" VM (running the same versions of everything on
        >>>>>>             >> the same OS) can't even resolve the clients I have
        >>>>>>             >> registered with it!
        >>>>>>             >>
        >>>>>>             >> So I'm pretty frustrated and am wondering, what
        >>>>>>             >> _exactly_ is the role of bind in the IPA server and how
        >>>>>>             >> is it expected to know anything about the local DNS
        >>>>>>             >> domain without becoming a bind slave server?
        >>>>>>             >
        >>>>>>             > I am not sure I am 100% with you but...
        >>>>>>             > If you use the defaults and nothing else you get to the
        >>>>>>             > scenario when IPA has its DNS but it is a self contained
        >>>>>>             > environment. It seems that this is what you observe.
        >>>>>>             > It is expected that you decide in advance what you want
        >>>>>>             > to do with DNS. There are several options:
        >>>>>>             > 1) You can delegate a zone to IPA to manage, then you
        >>>>>>             > need to connect your IPA DNS to your existing DNS during
        >>>>>>             > install or after.
        >>>>>>             > In this case the systems joined to IPA will be a part
        >>>>>>             > of the IPA domain/zone and would also be able to resolve
        >>>>>>             > other systems around
        >>>>>>             > 2) Not use IPA DNS if you do not want to take advantage
        >>>>>>             > of it
        >>>>>>             > 3) Have a self contained demo/lab environment that you
        >>>>>>             > currently observe.
        >>>>>>             >
        >>>>>>             > What is the intent?
        >>>>>>
        >>>>>>             I agree with Dmitri, we need more information from you:
        >>>>>>             - You said "my new VM can't resolve -anything- in the
        >>>>>>             domain in which it lives." - Which domain do you mean?
        >>>>>>
        >>>>>>             - Apparently you have configured FreeIPA to serve zone
        >>>>>>             e-bozo.com. Do you have this zone configured on some
        >>>>>>             other DNS server at the same time?
        >>>>>>
        >>>>>>             Please keep in mind that authoritative servers should
        >>>>>>             share the database. You will get naming collisions if
        >>>>>>             e-bozo.com is served by FreeIPA DNS servers and some
        >>>>>>             other servers at the same time. Maybe that is the
        >>>>>>             problem you see right now.
        >>>>>>
        >>>>>>             As Dmitri said, the architecturally correct solution is
        >>>>>>             to decide if you want to use FreeIPA DNS or not. You have
        >>>>>>             the option to either remove non-FreeIPA DNS servers and
        >>>>>>             import data to FreeIPA or to add FreeIPA-specific DNS
        >>>>>>             records to existing DNS servers and not configure
        >>>>>>             FreeIPA to act as a DNS server.
        >>>>>>
        >>>>>>             Petr^2 Spacek
        >>>>>>
        >>>>>>             >> Thanks.
        >>>>>>             >>
        >>>>>>             >> On Tue, Dec 2, 2014 at 11:58 AM, Petr Spacek <pspa...@redhat.com> wrote:
        >>>>>>             >>
        >>>>>>             >>    On 2.12.2014 17:36, Martin Basti wrote:
        >>>>>>             >>    > On 02/12/14 17:28, Matthew Herzog wrote:
        >>>>>>             >>    >> I just realized that my IPA servers cannot
        >>>>>>             >>    >> resolve ANY servers in my domain.
        >>>>>>             >>    >> What do I need to do to fix this? Below is my
        >>>>>>             >>    >> named.conf.
        >>>>>>             >>    >>
        >>>>>>             >>    >>
        >>>>>>             >>    >> options {
        >>>>>>             >>    >>  // turns on IPv6 for port 53, IPv4 is on by default for all ifaces
        >>>>>>             >>    >>  listen-on-v6 {any;};
        >>>>>>             >>    >>
        >>>>>>             >>    >>  // Put files that named is allowed to write in the data/ directory:
        >>>>>>             >>    >>  directory "/var/named"; // the default
        >>>>>>             >>    >>  dump-file "data/cache_dump.db";
        >>>>>>             >>    >>  statistics-file "data/named_stats.txt";
        >>>>>>             >>    >>  memstatistics-file "data/named_mem_stats.txt";
        >>>>>>             >>    >>
        >>>>>>             >>    >>  forward first;
        >>>>>>             >>    >>  forwarders {
        >>>>>>             >>    >>          10.100.8.41;
        >>>>>>             >>    >>          10.100.8.40;
        >>>>>>             >>    >>          10.100.4.13;
        >>>>>>             >>    >>          10.100.4.14;
        >>>>>>             >>    >>          10.100.4.19;
        >>>>>>             >>    >>          10.100.4.44;
        >>>>>>             >>    >>  };
        >>>>>>             >>    >>
        >>>>>>             >>    >>  // Any host is permitted to issue recursive queries
        >>>>>>             >>    >>  allow-recursion { any; };
        >>>>>>             >>    >>
        >>>>>>             >>    >>  tkey-gssapi-keytab "/etc/named.keytab";
        >>>>>>             >>    >>  pid-file "/run/named/named.pid";
        >>>>>>             >>    >> };
        >>>>>>             >>    >>
        >>>>>>             >>    >> /* If you want to enable debugging, eg. using the 'rndc trace' command,
        >>>>>>             >>    >>  * By default, SELinux policy does not allow named to modify the /var/named directory,
        >>>>>>             >>    >>  * so put the default debug log file in data/ :
        >>>>>>             >>    >>  */
        >>>>>>             >>    >> logging {
        >>>>>>             >>    >>  channel default_debug {
        >>>>>>             >>    >>          file "data/named.run";
        >>>>>>             >>    >>          severity dynamic;
        >>>>>>             >>    >>          print-time yes;
        >>>>>>             >>    >>  };
        >>>>>>             >>    >> };
        >>>>>>             >>    >>
        >>>>>>             >>    >> zone "." IN {
        >>>>>>             >>    >>  type hint;
        >>>>>>             >>    >>  file "named.ca";
        >>>>>>             >>    >> };
        >>>>>>             >>    >>
        >>>>>>             >>    >> include "/etc/named.rfc1912.zones";
        >>>>>>             >>    >>
        >>>>>>             >>    >> dynamic-db "ipa" {
        >>>>>>             >>    >>  library "ldap.so";
        >>>>>>             >>    >>  arg "uri ldapi://%2fvar%2frun%2fslapd-BO3-E-BOZO-COM.socket";
        >>>>>>             >>    >>  arg "base cn=dns, dc=bo3,dc=e-bozo,dc=com";
        >>>>>>             >>    >>  arg "fake_mname freeipa-poc01.bo3.e-bozo.com.";
        >>>>>>             >>    >>  arg "auth_method sasl";
        >>>>>>             >>    >>  arg "sasl_mech GSSAPI";
        >>>>>>             >>    >>  arg "sasl_user DNS/freeipa-poc01.bo3.e-bozo.com";
        >>>>>>             >>    >>  arg "serial_autoincrement yes";
        >>>>>>             >>    >> };
        >>>>>>             >>    >>
        >>>>>>             >>    >>
        >>>>>>             >>    > Hello,
        >>>>>>             >>    >
        >>>>>>             >>    > which version ipa do you use? which platform? Which version
        >>>>>>             >>    > bind-dyndb-ldap?
        >>>>>>             >>    >
        >>>>>>             >>    > Can you run these commands, and check if there are any errors?
        >>>>>>             >>    > ipactl status
        >>>>>>             >>    > systemctl status named  (respectively journalctl -u named)
        >>>>>>             >>
        >>>>>>             >>    We also may want to see information listed on page
        >>>>>>             >>    https://fedorahosted.org/bind-dyndb-ldap/wiki/BugReporting

        --
        Petr^2 Spacek




--
If life gives you melons, you may be dyslexic.








--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
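The sssd log pastes in this thread arrived fused onto single lines, and the trace-level "ping" chatter (0x4000) buries the fatal (0x0010) sss_dp_init failures that actually matter; Dmitri's debug_level=9 advice will make that ratio worse. The following is an added example, not code from the thread or from the SSSD project: a small Python triage script that splits such a paste back into records, decodes the debug_level bits as documented in sssd.conf(5), strips the mail-client "<http://...>" residue, and pulls out the error-class lines. The sample input is constructed to mirror the pastes above.

```python
"""Triage run-together SSSD log pastes: split records, decode debug levels,
and surface the error-class lines that trace-level 'ping' noise hides."""
import re
from collections import Counter

# Debug level bits as documented in sssd.conf(5) under "debug_level".
SSSD_LEVELS = {
    0x0010: "fatal", 0x0020: "critical", 0x0040: "serious", 0x0080: "minor",
    0x0100: "config", 0x0200: "function-data", 0x0400: "trace-func",
    0x1000: "trace-lib", 0x2000: "trace-internal", 0x4000: "trace-all",
}
ERROR_MASK = 0x00F0  # fatal | critical | serious | minor

TIMESTAMP = r"\w{3} \w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2} \d{4}"
# One record: "(Sun Dec  7 19:32:09 2014) [sssd[ssh]] [func] (0x0010): message"
# The process field may nest brackets, e.g. "sssd[be[lnx.e-bozo.com]]".
RECORD = re.compile(
    rf"\((?P<ts>{TIMESTAMP})\) \[(?P<proc>sssd.*?)\] \[(?P<func>\w+)\] "
    r"\((?P<level>0x[0-9a-fA-F]{4})\): (?P<msg>.*)"
)
MAIL_RESIDUE = re.compile(r" <(?:https?|mailto):[^>]+>")


def level_name(level: int) -> str:
    return SSSD_LEVELS.get(level, f"unknown(0x{level:04x})")


def parse_sssd_log(text: str) -> list:
    """Parse SSSD log text, even when a paste has fused records onto one line."""
    text = MAIL_RESIDUE.sub("", text)  # drop "<http://...>" mail-client debris
    # Split just before every timestamp that starts a record (zero-width split).
    chunks = re.split(rf"(?=\({TIMESTAMP}\) \[sssd)", text)
    records = []
    for chunk in chunks:
        m = RECORD.match(chunk.strip())
        if not m:
            continue  # leading empty chunk or non-record text
        rec = m.groupdict()
        rec["level"] = int(rec["level"], 16)
        rec["level_name"] = level_name(rec["level"])
        rec["msg"] = rec["msg"].strip()  # '.*' stops at newline, so prompts are dropped
        records.append(rec)
    return records


def triage(records: list) -> dict:
    """Count records per (process, level) and pull out the error-class ones."""
    counts = Counter((r["proc"], r["level_name"]) for r in records)
    errors = [r for r in records if r["level"] & ERROR_MASK]
    return {"counts": counts, "errors": errors}


# Constructed sample modelled on the pastes in this thread: records fused onto
# one line, mail-client URL residue, and a shell prompt line in between.
SAMPLE = (
    "(Mon Dec 8 14:03:20 2014) [sssd[be[lnx.e-bozo.com <http://lnx.e-bozo.com>]]] "
    "[sbus_message_handler] (0x4000): Received SBUS method [ping] "
    "(Mon Dec 8 14:03:20 2014) [sssd[be[lnx.e-bozo.com]]] [sbus_dispatch] (0x4000): Dispatching.\n"
    "[root@client ~]# tail -f sssd_ssh.log\n"
    "(Sun Dec  7 19:32:09 2014) [sssd[ssh]] [sss_dp_init] (0x0010): Failed to connect to monitor services. "
    "(Sun Dec  7 19:32:09 2014) [sssd[ssh]] [sss_process_init] (0x0010): fatal error setting up backend connector\n"
)

if __name__ == "__main__":
    result = triage(parse_sssd_log(SAMPLE))
    for (proc, lvl), n in sorted(result["counts"].items()):
        print(f"{n:4d}  {proc:<28} {lvl}")
    for r in result["errors"]:
        print(f"{r['ts']}  {r['proc']} {r['func']}: {r['msg']}")
```

Pipe a real `tail` capture into `parse_sssd_log` and the `errors` list is what to read first; the per-process counts show which sssd responder is generating the volume.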

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
