[Freeipa-users] Some high level questions (DNS & CA)

2016-03-03 Thread Geselle Stijn
Hello,

We have a large Windows environment and around 50 RHEL servers (which will grow 
to a few hundred in the future). Our goal is to be able to login with our AD 
credentials and have sudo centrally managed. To be able to manage users and 
their access/permissions we are looking into IdM combined with a unidirectional 
non-transitive AD-trust so our existing AD users can authenticate on the RHEL 
servers.

I have a few (high level) questions regarding the setup of IdM:

1)  There is an integrated DNS component (BIND). Is this component 
required? Because we would like to keep DNS managed by Windows (A and CNAME 
records). I have seen that there's a forward only policy, but what's the point 
of that? Can't we just directly use the Windows DNS then instead of forwarding, 
i.e. point the client's nameservers to the Windows nameservers? I'm obviously 
missing something crucial, sorry :)

2)  A Certificate Authority will be installed as well. What's the function 
of this CA? Is it required? Can we do a CA-less setup? What are the limitations 
of a CA-less setup?

3)  Is IPv6 a requirement or can it be disabled?

4)  How could disaster recovery be implemented? Is it easy to backup and 
restore?

5)  Is it correct that we can achieve high availability by setting up a 
replica IdM server and configure the clients to use both servers?

Thank you if you can answer any (or maybe all, who knows!) of the questions 
above!

Regards,

Stijn
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] DNS operation timed out when installing IPA with forwarders

2016-02-24 Thread Geselle Stijn
Adding a forward zone like Martin suggested works.
I will definitely read the section you linked to get a better understanding of 
the differences between both.

Doing a dig for google.com won't work in our case, because the servers are not 
internet-facing.

Stijn

-Original Message-
From: freeipa-users-boun...@redhat.com 
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Petr Spacek
Sent: Monday 22 February 2016 11:05
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] DNS operation timed out when installing IPA with 
forwarders

On 19.2.2016 15:09, Martin Basti wrote:
> On 19.02.2016 14:57, Geselle Stijn wrote:
>> That seems to fail:
>>
>> [root@ipa ~]# dig @192.168.1.1 . SOA
>>
>> ; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7_2.2 <<>> @192.168.1.1 . SOA
>> ; (1 server found)
>> ;; global options: +cmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 44900
>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
>>
>> ;; OPT PSEUDOSECTION:
>> ; EDNS: version: 0, flags:; udp: 4000
>> ;; QUESTION SECTION:
>> ;.  IN  SOA
>>
>> ;; Query time: 11153 msec
>> ;; SERVER: 192.168.1.1#53(192.168.1.1)
>> ;; WHEN: Fri Feb 19 14:42:51 CET 2016
>> ;; MSG SIZE  rcvd: 28
>>
>>
>> But if I add a new record (e.g. CNAME) to DNS in Windows Server and 
>> try to ping that CNAME, it resolves correctly.
>>
>> -Stijn
> Hello,
> 
> global forwarders, specified by --forwarder option during installation 
> or added via ipa dnsconfig-mod, must be able to resolve root zone 
> (your forwarder/server 192.168.1.1 is not able to return result for root 
> zone).
> 
> You probably need to specify forwardzone, for the particular windows 
> domain you use, instead of specify it as global forwarder.
> 
> ipa dnsforwardzone-add  --forwarder 192.168.1.1

Martin could be right, but this depends on your setup.

Please read chapter "Managing DNS Forwarding" in our docs:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/managing-dns-forwarding.html

It explains the difference between global and per-zone forwarding (I hope :-) 
so it will be easier to decide what should be used.

BTW does the command
$ dig @192.168.1.1 www.google.com. SOA
work?
(Assuming that neither google.com. nor com. are your AD domains :-))

Petr^2 Spacek

>> -Original Message-
>> From: freeipa-users-boun...@redhat.com 
>> [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Petr Spacek
>> Sent: Friday 19 February 2016 13:59
>> To: freeipa-users@redhat.com
>> Subject: Re: [Freeipa-users] DNS operation timed out when installing 
>> IPA with forwarders
>>
>> On 19.2.2016 13:50, Geselle Stijn wrote:
>>> Hello fellow FreeIPA users,
>>>
>>> I'm trying to set up FreeIPA in a lab environment (VirtualBox):
>>>
>>>
>>> -  ad.example.com (Windows Server 2008 R2) - 192.168.1.1
>>>
>>> -  ipa.example.com (CentOS 7.2) - 192.168.1.2
>>> Both machines can ping each other, DNS resolving works:
>>>
>>> [root@ipa ~] nslookup ad
>>> Server: 192.168.1.1
>>> Address: 192.168.1.1#53
>>>
>>> Name: ad.example.com
>>> Address: 192.168.1.1
>>>
>>>
>>> I executed:
>>>
>>> yum install -y "*ipa-server*" bind bind-dyndb-ldap 
>>> ipa-server-install --domain=example.com --realm=EXAMPLE.COM 
>>> --setup-dns
>>> --forwarder=192.168.1.1
>>>
>>> But the installation wizard fails at:
>>>
>>> Checking DNS forwarders, please wait ...
>>> ipa: ERROR   DNS server 192.168.1.1: query '. SOA': The DNS
>>> operation timed out after 10.00124242 seconds
>>> ipa.ipapython.install.cli.install_tool(Server): ERROR DNS server
>>> 192.168.1.1: query '. SOA': The DNS operation timed out after 
>>> 10.00124242 seconds
>>>
>>>
>>> Is there some way I can better troubleshoot this? Can I increase the 
>>> DNS timeout (maybe it's simply slow via VirtualBox)?
>> Please try command
>> $ dig @192.168.1.1 . SOA
>> and paste the output here.
>>
>> Also, please run the installer again with option --debug.
>>
>> I will have a look.
>>
>> Thank you.
>>
>> --
>> Petr^2 Spacek

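As an added example (not code from the thread or from the FreeIPA project), the script below reproduces the check behind the installer error discussed above: it builds the `. IN SOA` query that `ipa-server-install` sends to every `--forwarder`, reads the server's response header, and classifies the server as a usable global forwarder or as one that can only serve a per-domain forward zone (`ipa dnsforwardzone-add`). The `SERVFAIL_RESPONSE` bytes are constructed to match the dig output quoted in the thread; `probe_forwarder` is a hypothetical helper for a live UDP probe.

```python
import socket
import struct

RCODE_NAMES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_root_soa_query(msg_id: int) -> bytes:
    """Wire-format query for '. IN SOA', the probe ipa-server-install sends to each --forwarder."""
    header = struct.pack("!HHHHHH", msg_id, 0x0100, 1, 0, 0, 0)  # flags 0x0100: RD only
    question = b"\x00" + struct.pack("!HH", 6, 1)  # root label, TYPE SOA=6, CLASS IN=1
    return header + question

def classify_forwarder(query: bytes, response: bytes) -> str:
    """'global' if the server resolved the root zone (NOERROR with an answer),
    otherwise 'forward-zone-only', as for the SERVFAIL the AD DC returned in the thread."""
    if len(response) < 12:
        raise ValueError("truncated DNS header")
    rid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", response[:12])
    if rid != struct.unpack("!H", query[:2])[0]:
        raise ValueError("response id does not match query id")  # drop stray or spoofed answers
    if not flags & 0x8000:
        raise ValueError("QR bit not set: this is a query, not a response")
    rcode = flags & 0x000F
    if rcode == 0 and an > 0:
        return "global"
    return "forward-zone-only"

def rcode_name(response: bytes) -> str:
    flags = struct.unpack("!H", response[2:4])[0]
    return RCODE_NAMES.get(flags & 0x000F, "RCODE %d" % (flags & 0x000F))

def probe_forwarder(server: str, timeout: float = 10.0, msg_id: int = 44900) -> str:
    """Hypothetical live probe: send the root-SOA query over UDP; 'timeout' mirrors the installer failure."""
    query = build_root_soa_query(msg_id)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        try:
            response, _ = sock.recvfrom(4096)
        except socket.timeout:
            return "timeout"
    return classify_forwarder(query, response)

# Constructed response matching the dig output in the thread: id 44900, flags qr rd ra,
# status SERVFAIL, QUERY 1 / ANSWER 0 / AUTHORITY 0 / ADDITIONAL 1 (EDNS OPT, udp 4000), 28 bytes.
SERVFAIL_RESPONSE = (
    struct.pack("!HHHHHH", 44900, 0x8182, 1, 0, 0, 1)
    + b"\x00" + struct.pack("!HH", 6, 1)              # echoed question: . IN SOA
    + b"\x00" + struct.pack("!HHIH", 41, 4000, 0, 0)  # OPT RR: type 41, udp 4000, ttl 0, rdlen 0
)
```

A result of `forward-zone-only` means the server belongs in a forward zone for the Windows domain rather than in the global `--forwarder` list.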


Re: [Freeipa-users] DNS operation timed out when installing IPA with forwarders

2016-02-19 Thread Geselle Stijn
That seems to fail:

[root@ipa ~]# dig @192.168.1.1 . SOA

; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7_2.2 <<>> @192.168.1.1 . SOA
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 44900
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;.  IN  SOA

;; Query time: 11153 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)
;; WHEN: Fri Feb 19 14:42:51 CET 2016
;; MSG SIZE  rcvd: 28


But if I add a new record (e.g. CNAME) to DNS in Windows Server and try to ping 
that CNAME, it resolves correctly.

-Stijn

-Original Message-
From: freeipa-users-boun...@redhat.com 
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Petr Spacek
Sent: Friday 19 February 2016 13:59
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] DNS operation timed out when installing IPA with 
forwarders

On 19.2.2016 13:50, Geselle Stijn wrote:
> Hello fellow FreeIPA users,
> 
> I'm trying to set up FreeIPA in a lab environment (VirtualBox):
> 
> 
> -  ad.example.com (Windows Server 2008 R2) - 192.168.1.1
> 
> -  ipa.example.com (CentOS 7.2) - 192.168.1.2
> Both machines can ping each other, DNS resolving works:
> 
> [root@ipa ~] nslookup ad
> Server: 192.168.1.1
> Address: 192.168.1.1#53
> 
> Name: ad.example.com
> Address: 192.168.1.1
> 
> 
> I executed:
> 
> yum install -y "*ipa-server*" bind bind-dyndb-ldap
> ipa-server-install --domain=example.com --realm=EXAMPLE.COM --setup-dns 
> --forwarder=192.168.1.1
> 
> But the installation wizard fails at:
> 
> Checking DNS forwarders, please wait ...
> ipa: ERROR   DNS server 192.168.1.1: query '. SOA': The DNS 
> operation timed out after 10.00124242 seconds
> ipa.ipapython.install.cli.install_tool(Server): ERROR DNS server 
> 192.168.1.1: query '. SOA': The DNS operation timed out after 10.00124242 
> seconds
> 
> 
> Is there some way I can better troubleshoot this? Can I increase the DNS 
> timeout (maybe it's simply slow via VirtualBox)?

Please try command
$ dig @192.168.1.1 . SOA
and paste the output here.

Also, please run the installer again with option --debug.

I will have a look.

Thank you.

--
Petr^2 Spacek



[Freeipa-users] DNS operation timed out when installing IPA with forwarders

2016-02-19 Thread Geselle Stijn
Hello fellow FreeIPA users,

I'm trying to set up FreeIPA in a lab environment (VirtualBox):


-  ad.example.com (Windows Server 2008 R2) - 192.168.1.1

-  ipa.example.com (CentOS 7.2) - 192.168.1.2
Both machines can ping each other, DNS resolving works:

[root@ipa ~] nslookup ad
Server: 192.168.1.1
Address: 192.168.1.1#53

Name: ad.example.com
Address: 192.168.1.1


I executed:

yum install -y "*ipa-server*" bind bind-dyndb-ldap
ipa-server-install --domain=example.com --realm=EXAMPLE.COM --setup-dns 
--forwarder=192.168.1.1

But the installation wizard fails at:

Checking DNS forwarders, please wait ...
ipa: ERROR   DNS server 192.168.1.1: query '. SOA': The DNS 
operation timed out after 10.00124242 seconds
ipa.ipapython.install.cli.install_tool(Server): ERROR DNS server 
192.168.1.1: query '. SOA': The DNS operation timed out after 10.00124242 
seconds


Is there some way I can better troubleshoot this? Can I increase the DNS 
timeout (maybe it's simply slow via VirtualBox)?


Thank you!

-Stijn