Re: [Freeipa-users] Split Horizon DNS on IPA?
On 10.9.2013 05:28, Andrew Lau wrote:
> On Mon, Sep 9, 2013 at 9:30 PM, Andrew Lau <and...@andrewklau.com> wrote:
>> On Mon, Sep 9, 2013 at 8:26 PM, Petr Spacek <pspa...@redhat.com> wrote:
>>> On 8.9.2013 05:54, Andrew Lau wrote:
>>>> Hi all,
>>>>
>>>> I wasn't able to find much, but is it possible to configure FreeIPA to serve as a split horizon DNS server? I would like the local network to be able to enroll and authenticate locally, but at the same time bridge remote clients as well.
>>>>
>>>> Suggestions?
>>>
>>> Could you give us more details? We can try to find some solution for your particular situation.
>>>
>>> In general, FreeIPA doesn't support so-called views from BIND9 directly, but you can use e.g. FreeIPA integrated DNS for the internal network (the internal view) and expose a flat zone file for the external view.
>>>
>>> Example configuration (/etc/named.conf):
>>>
>>> view "internal" {
>>>     /* This view will contain zones you want to serve only to internal
>>>      * clients that connect via your directly attached LAN interfaces
>>>      * (localnets). */
>>>     match-clients { localnets; };
>>>     recursion yes;
>>>
>>>     dynamic-db "ipa" {
>>>         library "ldap.so";
>>>         arg "uri ldapi://%2fvar%2frun%2fslapd-IPA-TEST.socket";
>>>         arg "base cn=dns, dc=ipa,dc=test";
>>>     };
>>> };
>>>
>>> view "external" {
>>>     /* This view will contain zones you want to serve only to external
>>>      * clients, i.e. addresses that did not match any view above. */
>>>     match-clients { any; };
>>>     recursion no;
>>>
>>>     zone "my.external.zone" {
>>>         type master;
>>>         file "my.external.zone.db";
>>>     };
>>> };
>>>
>>> Have a nice day.
>>
>> Hi Petr,
>>
>> Thanks - I ended up running a slave DNS server with bind9 views. It's just a bit of a pain having to now manage two DNS configs, but it'll have to do.
>>
>> Thanks,
>> Andrew.
>
> I spoke too soon.. The scenario I have is internal clients enrolled into FreeIPA; all the IPs registered on internal.domain.com are internal IPs.
>
> I want to use the FreeIPA server to also serve the DNS for domain.com, but because it's hidden in a private network I had set up slave DNS servers, but they don't seem to use the authoritative nameserver setting. So e.g.
>
> ipa01.internal.domain.com (private IP address) -- dns01.domain.com (public IP address)
>
> The records that get served to dns01.domain.com are:
>
> domain.com IN SOA ipa02.internal.domain.com. hostmaster.domain.com. (
>
> Any suggestions?

It is most probably caused by the 'fake_mname' setting in /etc/named.conf. Named will respect the value in the SOA record if you comment this value out, but will lose the ability to load balance DNS dynamic updates between FreeIPA replicas.

The point is that clients use this name to find the server responsible for zone updates (and nothing else). In FreeIPA's case, any server can update the zone, so all servers report themselves as zone 'masters'. This allows spreading the load among all replicas and there is no single point of failure.

The question is - do you need it for the external zone? Do you use dynamic update for domain.com? I would ignore the internal hostname in the zone if you don't use DNS updates (if you are okay with such an information leak).

Side note: Don't forget that internal host names normally leak in e-mail headers; from mis-configured clients in the internal network; via roaming clients trying to access internal resources while they are not on VPN; etc. etc.

-- 
Petr^2 Spacek

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Split Horizon DNS on IPA?
On Tue, Sep 10, 2013 at 5:54 PM, Petr Spacek <pspa...@redhat.com> wrote:
> On 10.9.2013 05:28, Andrew Lau wrote:
> [...]
>> The records that get served to dns01.domain.com are:
>>
>> domain.com IN SOA ipa02.internal.domain.com. hostmaster.domain.com. (
>>
>> Any suggestions?
>
> It is most probably caused by the 'fake_mname' setting in /etc/named.conf. Named will respect the value in the SOA record if you comment this value out, but will lose the ability to load balance DNS dynamic updates between FreeIPA replicas.
>
> The point is that clients use this name to find the server responsible for zone updates (and nothing else). In FreeIPA's case, any server can update the zone, so all servers report themselves as zone 'masters'. This allows spreading the load among all replicas and there is no single point of failure.
>
> The question is - do you need it for the external zone? Do you use dynamic update for domain.com? I would ignore the internal hostname in the zone if you don't use DNS updates (if you are okay with such an information leak).
>
> Side note: Don't forget that internal host names normally leak in e-mail headers; from mis-configured clients in the internal network; via roaming clients trying to access internal resources while they are not on VPN; etc. etc.
>
> -- 
> Petr^2 Spacek

I would like to keep the dynamic updates for domain.com so users can modify DNS zones without requiring direct access.

My concern was, from what people have been telling me, that the SOA mname resolution is important; on the other hand many have said it's not. What I've been reading has been leaning towards the latter.

The internal hostnames aren't really hiding anything, it's only because they resolve to internal IPs.
Re: [Freeipa-users] Split Horizon DNS on IPA?
On 10.9.2013 10:33, Andrew Lau wrote:
> On Tue, Sep 10, 2013 at 5:54 PM, Petr Spacek <pspa...@redhat.com> wrote:
> [...]
>> The question is - do you need it for the external zone? Do you use dynamic update for domain.com? I would ignore the internal hostname in the zone if you don't use DNS updates (if you are okay with such an information leak).
> [...]
>
> I would like to keep the dynamic updates for domain.com so users can modify DNS zones without requiring direct access.
>
> My concern was, from what people have been telling me, that the SOA mname resolution is important; on the other hand many have said it's not. What I've been reading has been leaning towards the latter.
>
> The internal hostnames aren't really hiding anything, it's only because they resolve to internal IPs.

If you want to use the real master name to support dynamic updates, then comment out the 'fake_mname' setting in /etc/named.conf and make sure that internal.domain.com and domain.com have proper values in their SOA records. You will have to bump the SOA serial to enforce a new zone transfer, but it should work.

In theory, you can disable 'fake_mname' only on the FreeIPA replica from which you do zone transfers and leave it enabled on all other replicas.

Does it solve your problem?

-- 
Petr^2 Spacek
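As an added example for this thread (not code from the FreeIPA project, bind-dyndb-ldap, or either poster), the script below lints a flattened copy of the externally served zone for exactly the leak discussed above: an SOA MNAME, or a CNAME/NS/MX/SRV/PTR target, inside the internal namespace, or an A/AAAA record carrying an RFC 1918 or IPv6 ULA address. It also performs the SOA rewrite Petr recommends once fake_mname is commented out (replace MNAME with an externally resolvable name and bump the serial so the secondaries transfer the change). The zone text, host names and the internal.domain.com suffix are constructed for the example; it assumes a one-record-per-line master-file snapshot with fully qualified names and no $ORIGIN/$TTL directives or multi-line parentheses.

```python
"""Lint a flattened external-view zone for split-horizon leaks.

Added example for this thread, not code from FreeIPA or bind-dyndb-ldap.
Assumes the zone is a plain BIND master-file snapshot: one record per line,
fully qualified owner names, no $ORIGIN/$TTL directives and no multi-line
parentheses. The sample zone, host names and the internal suffix are all
constructed for this example.
"""
import ipaddress
import re

# Constructed sample: what a public secondary might serve for domain.com after
# transferring the zone from a FreeIPA replica with fake_mname still enabled.
SAMPLE_ZONE = """\
domain.com.        3600 IN SOA   ipa02.internal.domain.com. hostmaster.domain.com. 2013091001 3600 900 1209600 3600
domain.com.        3600 IN NS    dns01.domain.com.
dns01.domain.com.  3600 IN A     203.0.113.10
www.domain.com.    3600 IN A     203.0.113.20
wiki.domain.com.   3600 IN CNAME wiki.internal.domain.com.
db.domain.com.     3600 IN A     10.0.5.17
_ldap._tcp.domain.com. 3600 IN SRV 0 100 389 ipa01.internal.domain.com.
"""

# Namespace that must never appear in external answers (assumed for the example).
INTERNAL_SUFFIXES = ("internal.domain.com",)

# RFC 1918 and IPv6 ULA space. ipaddress.ip_address().is_private is wider than
# this (it also flags documentation ranges such as 203.0.113.0/24), so the
# example uses an explicit list.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]

# Index of the domain-name field in RDATA for the types that carry one.
NAME_FIELD = {"SOA": 0, "NS": 0, "CNAME": 0, "PTR": 0, "MX": 1, "SRV": 3}

RECORD_RE = re.compile(
    r"^(?P<owner>\S+)\s+(?:(?P<ttl>\d+)\s+)?(?:IN\s+)?(?P<rtype>[A-Z]+)\s+(?P<rdata>.+)$")


def parse_zone(zone_text):
    """Return [(owner, rtype, rdata_fields, ttl)] for every record line."""
    records = []
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        m = RECORD_RE.match(line)
        if m is None:
            raise ValueError(f"unparsable record: {raw!r}")
        records.append((m["owner"], m["rtype"], m["rdata"].split(), m["ttl"]))
    return records


def is_internal_name(name, suffixes=INTERNAL_SUFFIXES):
    """True if name equals or sits below one of the internal suffixes."""
    n = name.lower().rstrip(".")
    return any(n == s.lower().rstrip(".") or n.endswith("." + s.lower().rstrip("."))
               for s in suffixes)


def find_leaks(zone_text, suffixes=INTERNAL_SUFFIXES):
    """Return [(owner, rtype, reason)] for records exposing internal names or addresses."""
    leaks = []
    for owner, rtype, rdata, _ttl in parse_zone(zone_text):
        if rtype in ("A", "AAAA"):
            addr = ipaddress.ip_address(rdata[0])
            if any(addr in net for net in PRIVATE_NETS):
                leaks.append((owner, rtype, f"private address {addr}"))
        elif rtype in NAME_FIELD:
            target = rdata[NAME_FIELD[rtype]]
            if is_internal_name(target, suffixes):
                field = "MNAME" if rtype == "SOA" else "target"
                leaks.append((owner, rtype, f"{field} {target} is an internal host"))
    return leaks


def fix_soa(zone_text, public_mname):
    """Rewrite the SOA MNAME to public_mname and bump the serial by one.

    Manual equivalent of what the thread recommends once fake_mname is
    commented out: an externally resolvable master name in the SOA, plus a
    serial bump so secondaries actually transfer the change.
    """
    out = []
    for raw in zone_text.splitlines():
        m = RECORD_RE.match(raw.strip())
        if m and m["rtype"] == "SOA":
            fields = m["rdata"].split()
            fields[0] = public_mname             # MNAME
            fields[2] = str(int(fields[2]) + 1)  # SERIAL
            parts = [m["owner"]] + ([m["ttl"]] if m["ttl"] else []) + ["IN", "SOA"] + fields
            raw = " ".join(parts)
        out.append(raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for owner, rtype, reason in find_leaks(SAMPLE_ZONE):
        print(f"LEAK {owner:<24} {rtype:<6} {reason}")
    print(fix_soa(SAMPLE_ZONE, "dns01.domain.com."))
```

Run it against a zone dumped from the public secondary (for example the output of an AXFR reformatted to one record per line) before and after changing the SOA: the SOA leak disappears once MNAME points at a public name, while the CNAME, SRV and private-address records remain flagged, which is the "are you okay with such an information leak" question from the thread made concrete.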
Re: [Freeipa-users] Incorrect user information
On Wed, Sep 04, 2013 at 11:14:50AM -0500, cbul...@gmail.com wrote:
> Hi Jakub,
>
> Thanks for your time and tips about the sssd cache! I'm sorry about the late response, I didn't flag your response when it came back..
>
> I did the test and let me explain what I got:
>
> - After step 4 I can see dataExpireTimestamp set to 1 for the user.

OK, this is expected.

> - After step 7 dataExpireTimestamp is back to 0 but the user data have not changed.

This is really strange, because if the dataExpireTimestamp was reset after the lookup, then the backend has updated the entry...and it should have updated the entry with the up-to-date data..

Can you put debug_level=8 into the [nss] and [domain] sections and paste or attach the contents of /var/log/sssd/sssd_nss.log and /var/log/sssd/sssd_$domain.log after the request that follows the sss_cache run?

Also in the logs you should see the server the SSSD connects to; can you check if there is maybe some replica that is out of sync? Unfortunately I can't reproduce the bug here..

> The first line after the ldbsearch command is:
>
> asq: Unable to register control with rootdse!

No, that's internal info, ignore this message.

> Is it a problem?
>
> We are not using the nscd service.
>
> Please let me know if you need me to do some other tests.
>
> Thanks in advance!
[Freeipa-users] Permission Denied
How do I determine the cause of this problem?

[dean@ipa2 ~]$ ssh dean@desktop2
Last login: Tue Sep 10 21:10:01 2013 from ipa2.hunter.org
Could not chdir to home directory /home/net/dean: Permission denied
-bash: /home/net/dean/.bash_profile: Permission denied
-bash-4.2$ rpm -q freeipa-client
freeipa-client-3.1.5-1.fc18.x86_64
-bash-4.2$

I can log in as dean on desktop2 using gdm without a problem. But when I try to log in using ssh, I am denied access to the user's home directory.
Re: [Freeipa-users] Permission Denied
Hi Dean,

On Tue, 10 Sep 2013, Dean Hunter wrote:
> How do I determine the cause of this problem?
>
> [dean@ipa2 ~]$ ssh dean@desktop2
> Last login: Tue Sep 10 21:10:01 2013 from ipa2.hunter.org
> Could not chdir to home directory /home/net/dean: Permission denied
> -bash: /home/net/dean/.bash_profile: Permission denied
> -bash-4.2$ rpm -q freeipa-client
> freeipa-client-3.1.5-1.fc18.x86_64
> -bash-4.2$
>
> I can log in as dean on desktop2 using gdm without a problem. But when I try to log in using ssh, I am denied access to the user's home directory.

Is there any SELinux AVC in the logs? Is /home/net an NFS mount? Is the use_nfs_home_dirs SELinux boolean set to on? (getsebool -a | grep home)

-- 
/ Alexander Bokovoy
[Freeipa-users] IPA AD Trust issue
Dear all,

I am new to IPA and have some questions about the setup. I have already set up an IPA server (CentOS 6.4 64bit), an IPA client (CentOS 6.4 64bit), and Windows AD (Windows 2008 R2 Standard 64bit). The IPA server and Windows AD already have a 2-way trust. A Windows AD user can log on to the IPA client PC.

I have 3 questions about further setup.

1) IPA client login issue. On the IPA client, if a Windows AD user wants to log in, they need to type the full name such as 'userA@win_ad.com'. How do I let Windows AD users log on with only their username? That is, use only 'userA' to log on to the IPA client PC rather than 'userA@win_ad.com'?

2) Windows login issue. I want to log on to a Windows AD client PC (the client PC's OS is Windows 7). Since this Windows PC has already joined the win_ad domain, it allows Windows AD domain users to log on. But when I try to log on as an IPA user, for example as 'userB@ipa_ad.com' or 'ipa_ad.com\userB', it always shows 'There are currently no logon servers available to service the logon request.' and does not allow the IPA user to log on. What do I do now? Do I need to modify the Windows AD settings, or the Windows client PC settings?

3) Windows login issue. Can I log in to a Windows AD client PC with the IPA username only (not including the IPA domain)? That is, use only 'userB' as the username to log in?

Thanks all
Kevin Tang
Re: [Freeipa-users] IPA AD Trust issue
On Wed, 11 Sep 2013, kevint...@umac.mo wrote:
> Dear all,
>
> I am new to IPA and have some questions about the setup. I have already set up an IPA server (CentOS 6.4 64bit), an IPA client (CentOS 6.4 64bit), and Windows AD (Windows 2008 R2 Standard 64bit). The IPA server and Windows AD already have a 2-way trust. A Windows AD user can log on to the IPA client PC.
>
> I have 3 questions about further setup.
>
> 1) IPA client login issue. On the IPA client, if a Windows AD user wants to log in, they need to type the full name such as 'userA@win_ad.com'. How do I let Windows AD users log on with only their username? That is, use only 'userA' to log on to the IPA client PC rather than 'userA@win_ad.com'?

Not supported. There could be some obscure SSSD setting to allow one SSSD domain (as in /etc/sssd/sssd.conf) to be the default, but since trusted AD domains are represented as subdomains of a single IPA provider, the full UPN is used to distinguish and discover which subdomain they belong to, for performance reasons.

> 2) Windows login issue. I want to log on to a Windows AD client PC (the client PC's OS is Windows 7). Since this Windows PC has already joined the win_ad domain, it allows Windows AD domain users to log on. But when I try to log on as an IPA user, for example as 'userB@ipa_ad.com' or 'ipa_ad.com\userB', it always shows 'There are currently no logon servers available to service the logon request.' and does not allow the IPA user to log on. What do I do now? Do I need to modify the Windows AD settings, or the Windows client PC settings?

We do not support this mode yet; it requires implementation of a Global Catalog service on the IPA side, which is not done yet. Plans for doing that are in the Fedora 20-21 time frame.

> 3) Windows login issue. Can I log in to a Windows AD client PC with the IPA username only (not including the IPA domain)? That is, use only 'userB' as the username to log in?

No. Only users from the domain the Windows PC is joined to can log in without an explicit domain name. Since the IPA domain belongs to a separate forest, you cannot log in without an explicit domain prefix.

Please note, even that will only be possible when we implement the Global Catalog service on the IPA side.

-- 
/ Alexander Bokovoy