Re: [Freeipa-users] IPA-AD Trust unable to resolve child domain

2016-10-20 Thread Carlos Raúl Laguna
Thanks for the clarification. Regards

2016-10-20 14:23 GMT-04:00 Alexander Bokovoy :

> On Thu, 20 Oct 2016, Carlos Raúl Laguna wrote:
>
>> Hi Alexander,
>> I do believe it is a DNS problem; the commands failing are
>>
>> host -t srv _ldap._tcp.ad_domain
>> or
>> dig SRV _ldap._tcp.ad_domain
>> after checking the logs I see this error
>> "no valid DS resolving '_ldap._tcp.ad_domain /SRV/IN': 10.20.4.22#53"
>>
>> so I disabled the DNSSEC validation on IPA and it works as expected. I will
>> set up DNSSEC on the Windows side and enable DNS validation once more on
>> IPA to see if I can get the same outcome.
>>
> When you use DNSSEC validation, your DNS infrastructure should all be
> using DNSSEC. This does not depend on whether you are deploying trust to
> AD or not.
>
> In fact, when installing FreeIPA server, you have the option to disable
> DNSSEC validation (ipa-server-install --no-dnssec-validation). The same
> option exists in ipa-dns-install.
>
> --
> / Alexander Bokovoy
>
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
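
The diagnosis reached in this thread (lookups fail while the IPA resolver validates DNSSEC and succeed once validation is off) can be confirmed without reconfiguring the server by querying the resolver twice, once normally and once with dig's `+cd` (checking disabled) option. The script below is an added example, not part of the original messages; the function names are hypothetical and `probe` assumes its third argument is the address of the validating (IPA) resolver.

```shell
#!/bin/sh
# Added example: separate a DNSSEC validation failure from an ordinary
# resolution failure, and pull the details out of named's "no valid DS" log.

# Read dig header text on stdin and print the response status (RCODE).
dig_status() {
    sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# classify <status with validation> <status with +cd>
classify() {
    case "$1/$2" in
        NOERROR/*)        echo "ok" ;;
        SERVFAIL/NOERROR) echo "dnssec-validation-failure" ;;
        NXDOMAIN/*)       echo "name-does-not-exist" ;;
        *)                echo "other-failure" ;;
    esac
}

# Read named log lines on stdin; for each "no valid DS" error print
# "<name> <type> <upstream server>".
parse_no_valid_ds() {
    sed -n "s/.*no valid DS)* resolving '\([^ /']*\) *\/\([A-Z]*\)\/IN': \([0-9.]*\)#[0-9]*.*/\1 \2 \3/p"
}

# probe <name> <type> <resolver>: needs network access and dig installed.
# Usage (resolver address is an assumption): probe _ldap._tcp.ad_domain SRV 127.0.0.1
probe() {
    probe_v=$(dig +noall +comments "@$3" "$1" "$2" | dig_status)
    probe_c=$(dig +cd +noall +comments "@$3" "$1" "$2" | dig_status)
    classify "$probe_v" "$probe_c"
}

# The log line as quoted in the thread, used here as sample input.
SAMPLE_LOG="no valid DS resolving '_ldap._tcp.ad_domain /SRV/IN': 10.20.4.22#53"
```

A result of `dnssec-validation-failure` means the resolver has the data but rejects it during validation, which matches the situation where the AD zone is unsigned and the IPA side validates.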

Re: [Freeipa-users] IPA-AD Trust unable to resolve child domain

2016-10-20 Thread Alexander Bokovoy

On Thu, 20 Oct 2016, Carlos Raúl Laguna wrote:

> Hi Alexander,
> I do believe it is a DNS problem; the commands failing are
>
> host -t srv _ldap._tcp.ad_domain
> or
> dig SRV _ldap._tcp.ad_domain
> after checking the logs I see this error
> "no valid DS resolving '_ldap._tcp.ad_domain /SRV/IN': 10.20.4.22#53"
>
> so I disabled the DNSSEC validation on IPA and it works as expected. I will
> set up DNSSEC on the Windows side and enable DNS validation once more on IPA
> to see if I can get the same outcome.

When you use DNSSEC validation, your DNS infrastructure should all be
using DNSSEC. This does not depend on whether you are deploying trust to
AD or not.

In fact, when installing FreeIPA server, you have the option to disable
DNSSEC validation (ipa-server-install --no-dnssec-validation). The same
option exists in ipa-dns-install.

--
/ Alexander Bokovoy



Re: [Freeipa-users] IPA-AD Trust unable to resolve child domain

2016-10-20 Thread Carlos Raúl Laguna
Hi Alexander,
I do believe it is a DNS problem; the commands failing are

host -t srv _ldap._tcp.ad_domain
or
dig SRV _ldap._tcp.ad_domain
after checking the logs I see this error
"no valid DS resolving '_ldap._tcp.ad_domain /SRV/IN': 10.20.4.22#53"

so I disabled the DNSSEC validation on IPA and it works as expected. I will
set up DNSSEC on the Windows side and enable DNS validation once more on IPA
to see if I can get the same outcome.

Thanks for your answer


2016-10-20 10:10 GMT-04:00 Alexander Bokovoy :

> On Thu, 20 Oct 2016, Carlos Raúl Laguna wrote:
>
>> Hello everyone,
>>
>> Both servers are fresh installs, 2008r2 and fedora 24 server freeipa 4.3.2,
>> as the documentation explains in
>> http://www.freeipa.org/page/Active_Directory_trust_setup#If_AD_is_subdomain_of_IPA
>>
>> However, the server is unable to resolve any record from my child domain. I
>> found this bug https://fedorahosted.org/freeipa/ticket/6062, but I am not
>> sure if this version of IPA is affected by it.
>>
>> Is the procedure in the documentation still valid?
>>
> Given that you have literally provided no logs that would help to help
> you, let's start from it.
>
> Show what your problem is through the logs. What exact commands are
> failing? If you suspect DNS issues, show your named-pkcs11's logs.
>
> --
> / Alexander Bokovoy
>

Re: [Freeipa-users] IPA-AD Trust unable to resolve child domain

2016-10-20 Thread Alexander Bokovoy

On Thu, 20 Oct 2016, Carlos Raúl Laguna wrote:

> Hello everyone,
>
> Both servers are fresh installs, 2008r2 and fedora 24 server freeipa 4.3.2,
> as the documentation explains in
> http://www.freeipa.org/page/Active_Directory_trust_setup#If_AD_is_subdomain_of_IPA
>
> However, the server is unable to resolve any record from my child domain. I
> found this bug https://fedorahosted.org/freeipa/ticket/6062, but I am not
> sure if this version of IPA is affected by it.
>
> Is the procedure in the documentation still valid?

Given that you have literally provided no logs that would help to help
you, let's start from it.

Show what your problem is through the logs. What exact commands are
failing? If you suspect DNS issues, show your named-pkcs11's logs.

--
/ Alexander Bokovoy



[Freeipa-users] IPA-AD Trust unable to resolve child domain

2016-10-20 Thread Carlos Raúl Laguna
Hello everyone,

Both servers are fresh installs, 2008r2 and fedora 24 server freeipa 4.3.2,
as the documentation explains in
http://www.freeipa.org/page/Active_Directory_trust_setup#If_AD_is_subdomain_of_IPA

However, the server is unable to resolve any record from my child domain. I
found this bug https://fedorahosted.org/freeipa/ticket/6062, but I am not
sure if this version of IPA is affected by it.

Is the procedure in the documentation still valid?

Thanks in advance.