Re: [Freeipa-users] IPA-AD Trust unable to resolve child domain
Thanks for the clarification.

Regards

2016-10-20 14:23 GMT-04:00 Alexander Bokovoy:

> On Thu, 20 Oct 2016, Carlos Raúl Laguna wrote:
>
>> Hi Alexander,
>> I do believe it is a DNS problem, the commands failing are
>>
>> host -t srv _ldap._tcp.ad_domain
>> or
>> dig SRV _ldap._tcp.ad_domain
>>
>> after checking the logs I see this error
>> "no valid DS resolving '_ldap._tcp.ad_domain /SRV/IN': 10.20.4.22#53"
>>
>> so I disabled the DNSSEC validation on IPA and it worked as expected. I will
>> set up DNSSEC on the Windows side and enable DNS validation once more on IPA
>> to see if I can get the same outcome.
>>
> When you use DNSSEC validation, your DNS infrastructure should all be
> using DNSSEC. This does not depend on whether you are deploying trust to
> AD or not.
>
> In fact, when installing FreeIPA server, you have the option to disable
> DNSSEC validation (ipa-server-install --no-dnssec-validation). The same
> option exists in ipa-dns-install.
>
> --
> / Alexander Bokovoy
>

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] IPA-AD Trust unable to resolve child domain
On Thu, 20 Oct 2016, Carlos Raúl Laguna wrote:

> Hi Alexander,
> I do believe it is a DNS problem, the commands failing are
>
> host -t srv _ldap._tcp.ad_domain
> or
> dig SRV _ldap._tcp.ad_domain
>
> after checking the logs I see this error
> "no valid DS resolving '_ldap._tcp.ad_domain /SRV/IN': 10.20.4.22#53"
>
> so I disabled the DNSSEC validation on IPA and it worked as expected. I will
> set up DNSSEC on the Windows side and enable DNS validation once more on IPA
> to see if I can get the same outcome.

When you use DNSSEC validation, your DNS infrastructure should all be
using DNSSEC. This does not depend on whether you are deploying trust to
AD or not.

In fact, when installing FreeIPA server, you have the option to disable
DNSSEC validation (ipa-server-install --no-dnssec-validation). The same
option exists in ipa-dns-install.

--
/ Alexander Bokovoy
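An added example, not part of the thread or of FreeIPA's code: a short Python scan of named-pkcs11 log lines for the "no valid DS" validation failure quoted above, grouped by the domain being located and the server that answered. The syslog lines, the `ad.example.test` name and the function names are constructed for illustration; only the last sample line uses the message text from the thread.

```python
import re
from collections import defaultdict

# "no valid DS" as named logs it ("error (no valid DS) resolving ...") and as
# quoted in the thread (no parentheses, stray space before "/SRV").
NO_DS = re.compile(
    r"\(?no valid DS\)? resolving '(?P<name>[^/'\s]+)\s*/(?P<qtype>\w+)/IN': "
    r"(?P<server>[0-9A-Fa-f.:]+)#\d+"
)

def owner_domain(qname):
    """Drop service labels (_ldap, _tcp, ...) to get the domain being located."""
    labels = qname.rstrip(".").split(".")
    while labels and labels[0].startswith("_"):
        labels.pop(0)
    return ".".join(labels).lower()

def dnssec_failures(lines):
    """Map domain -> {"servers": set, "queries": set} for each 'no valid DS' line."""
    found = defaultdict(lambda: {"servers": set(), "queries": set()})
    for line in lines:
        m = NO_DS.search(line)
        if not m:
            continue  # unrelated log line
        entry = found[owner_domain(m["name"])]
        entry["servers"].add(m["server"])
        entry["queries"].add((m["name"], m["qtype"]))
    return dict(found)

# Constructed sample input (hypothetical host, PID and domain names).
SAMPLE_LOG = """\
Oct 20 10:41:02 ipa named-pkcs11[1432]: zone ipa.example.test/IN: loaded serial 1476972000
Oct 20 10:41:07 ipa named-pkcs11[1432]: error (no valid DS) resolving '_ldap._tcp.ad.example.test/SRV/IN': 10.20.4.22#53
Oct 20 10:41:09 ipa named-pkcs11[1432]: error (no valid DS) resolving '_kerberos._udp.ad.example.test/SRV/IN': 10.20.4.22#53
no valid DS resolving '_ldap._tcp.ad_domain /SRV/IN': 10.20.4.22#53
""".splitlines()

if __name__ == "__main__":
    for domain, info in sorted(dnssec_failures(SAMPLE_LOG).items()):
        print(f"{domain}: validation failed for answers from "
              f"{sorted(info['servers'])}; {len(info['queries'])} lookup(s) rejected")
```

Each domain it reports is one the validating resolver could not build a chain of trust for, which is the condition the reply above describes.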
Re: [Freeipa-users] IPA-AD Trust unable to resolve child domain
Hi Alexander,
I do believe it is a DNS problem, the commands failing are

host -t srv _ldap._tcp.ad_domain
or
dig SRV _ldap._tcp.ad_domain

after checking the logs I see this error
"no valid DS resolving '_ldap._tcp.ad_domain /SRV/IN': 10.20.4.22#53"

so I disabled the DNSSEC validation on IPA and it worked as expected. I will
set up DNSSEC on the Windows side and enable DNS validation once more on IPA
to see if I can get the same outcome.

Thanks for your answer

2016-10-20 10:10 GMT-04:00 Alexander Bokovoy:

> On Thu, 20 Oct 2016, Carlos Raúl Laguna wrote:
>
>> Hello everyone,
>>
>> Both servers are fresh installs (2008r2 and Fedora 24 Server, FreeIPA 4.3.2),
>> as the documentation explains in
>> http://www.freeipa.org/page/Active_Directory_trust_setup#If_AD_is_subdomain_of_IPA
>>
>> however the server is unable to resolve any record from my child domain. I
>> found this bug https://fedorahosted.org/freeipa/ticket/6062, but I am not
>> sure if this version of IPA is affected by it.
>>
>> Is the procedure in the documentation still valid?
>>
> Given that you have literally provided no logs that would help to help
> you, let's start from it.
>
> Show what your problem is through the logs. What exact commands are
> failing? If you suspect DNS issues, show your named-pkcs11's logs.
>
> --
> / Alexander Bokovoy
>
Re: [Freeipa-users] IPA-AD Trust unable to resolve child domain
On Thu, 20 Oct 2016, Carlos Raúl Laguna wrote:

> Hello everyone,
>
> Both servers are fresh installs (2008r2 and Fedora 24 Server, FreeIPA 4.3.2),
> as the documentation explains in
> http://www.freeipa.org/page/Active_Directory_trust_setup#If_AD_is_subdomain_of_IPA
>
> however the server is unable to resolve any record from my child domain. I
> found this bug https://fedorahosted.org/freeipa/ticket/6062, but I am not
> sure if this version of IPA is affected by it.
>
> Is the procedure in the documentation still valid?

Given that you have literally provided no logs that would help to help
you, let's start from it.

Show what your problem is through the logs. What exact commands are
failing? If you suspect DNS issues, show your named-pkcs11's logs.

--
/ Alexander Bokovoy
[Freeipa-users] IPA-AD Trust unable to resolve child domain
Hello everyone,

Both servers are fresh installs (2008r2 and Fedora 24 Server, FreeIPA 4.3.2),
as the documentation explains in
http://www.freeipa.org/page/Active_Directory_trust_setup#If_AD_is_subdomain_of_IPA

however the server is unable to resolve any record from my child domain. I
found this bug https://fedorahosted.org/freeipa/ticket/6062, but I am not
sure if this version of IPA is affected by it.

Is the procedure in the documentation still valid?

Thanks in advance.