[Freeipa-users] FreeIPA's 'DNS'

Steven Jones Steven.Jones at vuw.ac.nz
Mon Nov 21 19:15:32 UTC 2011


Hi,

I am trying a few things. After packet sniffing I can see that the Windows AD is refusing to answer the IPA server's queries, but just for that particular reverse zone, so I have a change control / fault ticket in our control system for our MS operations people to look at and fix that.

I did consider just putting such a setting in named.conf, but was concerned that it was not the "right way". At the moment I have created a reverse zone inside IPA. When I get the above config/fault issue fixed, moving forward I would like to do as much as possible inside the FreeIPA GUI, because the thought of letting our Windows people near a CLI gives me the shivers.

I have no idea how to do a doc ticket, but I do think the DNS section of the FreeIPA doc needs expanding.

Also some use cases; mine could well be typical of the hoops a customer has to jump through to make IPA work with an existing AD setup/site. I'm not sure if what I am doing is the best way.



regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272
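To make the forwarders approach from the quoted reply below concrete, here is an added shell example (my own, not code from this thread or from the FreeIPA project) that derives the in-addr.arpa name for an IPv4 prefix and prints the matching named.conf forward stanza. The 10.2.1.x prefix and the 10.2.1.5/10.2.1.6 AD addresses are the thread's own figures reused as placeholders, and the script assumes a /8, /16 or /24 prefix. Two points worth having in front of you: for the 10.2.1.0/24 range the zone name is 1.2.10.in-addr.arpa (the host octet is dropped and the rest reversed), and a stanza in named.conf is local to that one BIND instance, so it has to be repeated on every IPA master and is not visible in the IPA UI.

```sh
#!/bin/sh
# Added example, not from the thread or the FreeIPA project.
# Assumes a /8, /16 or /24 prefix given as its leading octets ("10.2.1").

# reverse_zone PREFIX -> in-addr.arpa zone name, e.g. 10.2.1 -> 1.2.10.in-addr.arpa
reverse_zone() {
    _rev=""
    _old_ifs=$IFS
    IFS=.
    for _octet in $1; do
        if [ -z "$_rev" ]; then
            _rev=$_octet
        else
            _rev="$_octet.$_rev"
        fi
    done
    IFS=$_old_ifs
    printf '%s.in-addr.arpa\n' "$_rev"
}

# forward_stanza ZONE FORWARDER... -> named.conf stanza for a forward-only zone.
# "forward only" makes a refusing or unreachable forwarder show up as SERVFAIL
# instead of being masked by BIND quietly falling back to its own recursion,
# which is what you want while chasing the kind of refusal seen on the wire above.
forward_stanza() {
    _zone=$1
    shift
    _fwd=""
    for _ip in "$@"; do
        _fwd="$_fwd $_ip;"
    done
    printf 'zone "%s." IN {\n    type forward;\n    forward only;\n    forwarders {%s };\n};\n' "$_zone" "$_fwd"
}

# Stand-alone run: print the stanza for the 10.2.1.0/24 reverse zone,
# forwarded to the two AD DNS servers named in the thread (constructed values).
zone=$(reverse_zone 10.2.1)
forward_stanza "$zone" 10.2.1.5 10.2.1.6
```

Drop the printed stanza into named.conf (or a file it includes) on each IPA master and reload BIND. Then check both hops separately: `dig @10.2.1.5 -x 10.2.1.5` shows whether the AD server will answer the IPA host at all (the refusal seen in the packet capture appears as `status: REFUSED` here), and `dig @127.0.0.1 -x 10.2.1.5` confirms the lookup through the IPA resolver's forward zone. The long-term direction Dmitri proposes in the quoted reply is what later FreeIPA releases shipped: per-zone forwarders stored in LDAP and managed with `ipa dnsforwardzone-add`, which removes the need to hand-edit named.conf on every master.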

________________________________________
From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Dmitri Pal [dpal at redhat.com]
Sent: Tuesday, 22 November 2011 5:50 a.m.
To: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] FreeIPA's 'DNS'

On 11/21/2011 05:29 AM, Sigbjorn Lie wrote:
> Hi,
>
> Why not use a forwarders statement in the named.conf? Works for me.
>
>
> zone "11.168.192.in-addr.arpa." in {
>         type forward;
>         forwarders { 192.168.1.1; 192.168.1.2; };
> };
>

Steven,

Can you please confirm that it works for you?
In the short term we should document this, so if it works can you please open a
doc ticket or BZ?


Long term we should probably extend the LDAP driver and store this
information in LDAP and allow it to be configured via the IPA UI/CLI.
If this makes sense let us open a ticket for that too.

Thanks
Dmitri

>
>
> Rgds,
> Siggi
>
>
>
> On Mon, November 21, 2011 00:56, Steven Jones wrote:
>> Nope, won't work... I can't seem to specify the remote AD nameservers.
>>
>>
>> regards
>>
>> Steven Jones
>>
>>
>> Technical Specialist - Linux RHCE
>>
>>
>> Victoria University, Wellington, NZ
>>
>>
>> 0064 4 463 6272
>>
>>
>> ________________________________________
>> From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Steven
>> Jones [Steven.Jones at vuw.ac.nz]
>> Sent: Monday, 21 November 2011 12:52 p.m.
>> To: freeipa-users at redhat.com
>> Subject: Re: [Freeipa-users] FreeIPA's "DNS"
>>
>>
>> In the DNS tab there is a "add"
>>
>>
>> So if I wanted a slave reverse zone that is in the range 10.2.1.0 but looked after by a remote
>> host,
>>
>> I would
>>
>>
>> click on the reverse zone IP network radio button
>>
>> put in the zone name of 0.1.2.10.in-addr.arpa
>>
>> For the authoritative nameserver put in the two remote AD DNS servers' IPs 10.2.1.5 10.2.1.6
>> (space delimited? comma delimited? can I put only one?)
>>
>>
>> and hit add?
>>
>> Um... I think the DNS section is a little light on using it.
>>
>>
>> regards
>>
>> Steven Jones
>>
>>
>> Technical Specialist - Linux RHCE
>>
>>
>> Victoria University, Wellington, NZ
>>
>>
>> 0064 4 463 6272
>>
>>
>> ________________________________________
>> From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Steven
>> Jones [Steven.Jones at vuw.ac.nz]
>> Sent: Monday, 21 November 2011 12:38 p.m.
>> To: freeipa-users at redhat.com
>> Subject: [Freeipa-users] FreeIPA's "DNS"
>>
>>
>> Hi,
>>
>>
>> I am trying to get my head around making DNS and IPA work in an existing Microsoft AD / DNS site.
>>
>>
>> Initially I am setting up a proof of concept. I will be delegating unix.vuw.ac.nz as a
>> sub-zone from vuw.ac.nz; this will hold all the Linux/Unix servers. IPA's DNS is forwarded to
>> the main DNS servers. My problem is the reverse zones: the remote AD masters hold the
>> reverse zones, so IPA has to query these if it needs to do a reverse lookup. This doesn't seem to
>> be happening, i.e. running "host 10.1.1.5" on the IPA master fails. I assume I need this to
>> work, so what's the best way?
>>
>> Set the IPA DNS service as a slave of the Microsoft AD reverse zones? If so, how do I set this up?
>> As per normal, i.e. edit the named.conf directly? Or do I do that from inside IPA? (can't see how
>> just yet)
>>
>> or is there a better method?
>>
>> or does it matter if reverse lookups won't work?
>>
>> regards
>>
>> Steven Jones
>>
>>
>> Technical Specialist - Linux RHCE
>>
>>
>> Victoria University, Wellington, NZ
>>
>>
>> 0064 4 463 6272
>>
>>
>> _______________________________________________
>> Freeipa-users mailing list
>> Freeipa-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>
>>
>


--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.







