[Freeipa-users] SRV (mixed?) records

lejeczek peljasz at yahoo.co.uk
Thu Nov 10 10:32:14 UTC 2016



On 10/11/16 06:51, Petr Spacek wrote:
> On 9.11.2016 16:57, lejeczek wrote:
>>
>> On 09/11/16 14:35, Martin Basti wrote:
>>>
>>> On 09.11.2016 15:33, lejeczek wrote:
>>>>
>>>> On 09/11/16 13:48, Martin Basti wrote:
>>>>>
>>>>> On 09.11.2016 14:11, lejeczek wrote:
>>>>>>
>>>>>> On 09/11/16 12:43, Martin Basti wrote:
>>>>>>>
>>>>>>> On 09.11.2016 12:15, lejeczek wrote:
>>>>>>>>
>>>>>>>> On 08/11/16 19:37, Martin Basti wrote:
>>>>>>>>>
>>>>>>>>> On 08.11.2016 19:41, lejeczek wrote:
>>>>>>>>>> hi everyone
>>>>>>>>>> when I look at my domain I see something which seems inconsistent to
>>>>>>>>>> me (eg. work5 is not part of the domain, was --uninstalled)
>>>>>>>>>> Do these record need fixing?
>>>>>>>>>> I'm asking because one of the servers, despite the fact the ipa dns
>>>>>>>>>> related toolkit(on that server) shows zone & records, to
>>>>>>>>>> dig/host/etc. presents nothing, empty responses!??
>>>>>>>>>>
>>>>>>>>>> $ ipa dnsrecord-find xx.xx.xx.xx.x.
>>>>>>>>>>    Record name: @
>>>>>>>>>>    NS record: swir.xx.xx.xx.xx.x., rider.xx.xx.xx.xx.x.,
>>>>>>>>>>               dzien.xx.xx.xx.xx.x., whale.xx.xx.xx.xx.x.
>>>>>>>>>>
>>>>>>>>>>    Record name: _kerberos
>>>>>>>>>>    TXT record: .xx.xx..xx.xx.x
>>>>>>>>>>
>>>>>>>>>>    Record name: _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs
>>>>>>>>>>    SRV record: 0 100 88 rider, 0 100 88 work5
>>>>>>>>>>
>>>>>>>>>>    Record name: _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs
>>>>>>>>>>    SRV record: 0 100 389 rider, 0 100 389 work5
>>>>>>>>>>
>>>>>>>>>>    Record name: _kerberos._udp.Default-First-Site-Name._sites.dc._msdcs
>>>>>>>>>>    SRV record: 0 100 88 rider, 0 100 88 work5
>>>>>>>>>>
>>>>>>>>>>    Record name: _kerberos._tcp.dc._msdcs
>>>>>>>>>>    SRV record: 0 100 88 rider, 0 100 88 work5
>>>>>>>>>>
>>>>>>>>>>    Record name: _ldap._tcp.dc._msdcs
>>>>>>>>>>    SRV record: 0 100 389 rider, 0 100 389 work5
>>>>>>>>>>
>>>>>>>>>>    Record name: _kerberos._udp.dc._msdcs
>>>>>>>>>>    SRV record: 0 100 88 rider, 0 100 88 work5
>>>>>>>>>>
>>>>>>>>>>    Record name: _kerberos._tcp
>>>>>>>>>>    SRV record: 0 100 88 whale, 0 100 88 dzien, 0 100 88 rider, 0 100
>>>>>>>>>> 88 swir
>>>>>>>>>>
>>>>>>>>>>    Record name: _kerberos-master._tcp
>>>>>>>>>>    SRV record: 0 100 88 whale, 0 100 88 dzien, 0 100 88 rider, 0 100
>>>>>>>>>> 88 swir
>>>>>>>>>>
>>>>>>>>>>    Record name: _kpasswd._tcp
>>>>>>>>>>    SRV record: 0 100 464 rider, 0 100 464 swir, 0 100 464 dzien, 0 100
>>>>>>>>>> 464 whale
>>>>>>>>>>
>>>>>>>>>>    Record name: _ldap._tcp
>>>>>>>>>>    SRV record: 0 100 389 swir, 0 100 389 dzien, 0 100 389 whale, 0 100
>>>>>>>>>> 389 rider
>>>>>>>>>>
>>>>>>>>>>    Record name: _kerberos._udp
>>>>>>>>>>    SRV record: 0 100 88 whale, 0 100 88 dzien, 0 100 88 rider, 0 100
>>>>>>>>>> 88 swir
>>>>>>>>>>
>>>>>>>>>>    Record name: _kerberos-master._udp
>>>>>>>>>>    SRV record: 0 100 88 whale, 0 100 88 dzien, 0 100 88 rider, 0 100
>>>>>>>>>> 88 swir
>>>>>>>>>>
>>>>>>>>>>    Record name: _kpasswd._udp
>>>>>>>>>>    SRV record: 0 100 464 rider, 0 100 464 swir, 0 100 464 dzien, 0 100
>>>>>>>>>> 464 whale
>>>>>>>>>>
>>>>>>>>>>    Record name: _ntp._udp
>>>>>>>>>>    SRV record: 0 100 123 dzien, 0 100 123 rider, 0 100 123 whale, 0
>>>>>>>>>> 100 123 swir
>>>>>>>>>>
>>>>>>>>>> thanks.
>>>>>>>>>> L.
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Hello,
>>>>>>>>>
>>>>>>>>> if server work5 is uninstalled, then work5 SRV records should be removed.
>>>>>>>>>
>>>>>>>>> Martin
>>>>>>>> Martin, would you be able to suggest a way to troubleshoot that problem
>>>>>>>> that one (only) server (rider) seems to present no data for the whole
>>>>>>>> domain? Remaining servers correctly respond to any queries. One curious
>>>>>>>> thing is that I $rndc trace 6; and (I see debug level changed in
>>>>>>>> journalctl) I do not see anything in the logs when I query.
>>>>>>>> Zone allows any to query it.
>>>>>>>>
>>>>>>>>
>>>>>>> What dig @rider  command returns for SRV queries?
>>>>>>>
>>>>>> don't mind SRV records for now, it returns no record at all, it forwards
>>>>>> and caches but not for the domain itself.
>>>>>> on rider (suffice I point to other member server and records are there)
>>>>>>
>>>>>> $ dig +qr any .xx.xx..xx.xx.x. @10.5.6.100
>>>>>>
>>>>>> ; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7_2.4 <<>> +qr any .xx.xx..xx.xx.x.
>>>>>> @10.5.6.100
>>>>>> ;; global options: +cmd
>>>>>> ;; Sending:
>>>>>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36196
>>>>>> ;; flags: rd ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
>>>>>>
>>>>>> ;; OPT PSEUDOSECTION:
>>>>>> ; EDNS: version: 0, flags:; udp: 4096
>>>>>> ;; QUESTION SECTION:
>>>>>> ;.xx.xx..xx.xx.x. IN ANY
>>>>>>
>>>>>> ;; Got answer:
>>>>>> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 36196
>>>>>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
>>>>>>
>>>>>> ;; OPT PSEUDOSECTION:
>>>>>> ; EDNS: version: 0, flags:; udp: 4096
>>>>>> ;; QUESTION SECTION:
>>>>>> ;.xx.xx..xx.xx.x. IN ANY
>>>>>>
>>>>>> ;; AUTHORITY SECTION:
>>>>>> .xx.xx.x.  3600  IN  SOA ipreg.xxx.xx.xx.x. hostmaster.xx.xx.x.
>>>>>> 1478696070 1800 900 604800 3600
>>>>>>
>>>>>> ;; Query time: 5 msec
>>>>>> ;; SERVER: 10.5.6.100#53(10.5.6.100)
>>>>>> ;; WHEN: Wed Nov 09 12:56:16 GMT 2016
>>>>>> ;; MSG SIZE  rcvd: 120
>>>>>>
>>>>>> I obfuscated FQDNs but it seems like it forwards to a parent domain (to
>>>>>> which it's supposed, by dnsforwardzone)
>>>>>> And like I mentioned earlier, I do dnszone-find, etc. (on rider) it's all
>>>>>> there.
>>>>>>
>>>>>>
>>>>>>
>>>>> I'm lost now, I don't understand you, you told me that resolving on
>>>>> 'rider' server doesn't work, then you write me that it is expected because
>>>>> you have forwardzone set, but you cannot have forwardzone and master zone
>>>>> for the same domain, IPA doesn't allow it, so I have no idea what is not
>>>>> working for you. (You didn't make it easier by obfuscating output)
>>>>>
>>>>> Martin
>>>> no no, sorry, I mean - it forwards whereas it should be authoritative for
>>>> its own FQDN.
>>>> I realize it is not obvious after I obfuscated the output, but here:
>>>>
>>>> ;; AUTHORITY SECTION:
>>>> .xx.xx.x.  3600  IN  SOA ipreg.xxx.xx.xx.x. hostmaster.xx.xx.x. 1478696070
>>>> 1800 900 604800 3600
>>>>
>>>> this looks like the only domain which is dnsforwardzone, everything else is
>>>> dnszone
>>>>
>>>> parent.xx.xx. - is the only forward
>>>> private.my.parent.xx.xx - it is IPA domain & dnszone
>>>>
>>>> I query private.my.parent.xx.xx and I get response as above.
>>> Do you have proper zone delegation from parent zone? NS and A glue records?
>> no, I don't have any dealings with "parent" domain, I forward to there so only
>> those queries could go directly to NSes instead of to ROOTs.
>> I do not rely on that "parent" - I call it parent for only
>> "logistically/visually" it appears as parent.
>>> How your named.conf looks?
>> Exactly the same as on the other three servers(IPA generated), I diffed it,
>> only these are (respectively) different: fake_mname, sasl_user
>> I think that one server simply forwards (to that dnsforwardzone) as if it had
>> not any own zones, but why?? Would it be in the LDAP?
> Do you have 'forwarders' statement in your named.conf?
   forward first;
   forwarders { };

>
> If you have it, we might see a situation where LDAP plugin does not
> load/connect to LDAP for whatever reason and only the global forwarding works.
>
> Alternatively it might be a problem described in
> https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/NamedCannotStart#a5.NozonesfromLDAPareloaded
it's a freaking bingo!

0 master zones from LDAP instance 'ipa' loaded (0 zones 
defined, 0 inactive, 0 failed to load)
0 master zones is suspicious number, please check access 
control instructions on LDAP server

now, well.. how to fix it?

$ ipa privilege-show 'DNS Servers' --all --raw
   dn: cn=DNS 
Servers,cn=privileges,cn=pbac,dc=,dc=xx,dc=xx,dc=,dc=xx,dc=xx,dc=x
   cn: DNS Servers
   description: DNS Servers
   member: 
krbprincipalname=DNS/swir..xx.xx..xx.xx.x at .xx.xx..xx.xx.x,cn=services,cn=xxcounts,dc=,dc=xx,dc=xx,dc=,dc=xx,dc=xx,dc=x
   member: 
krbprincipalname=ipa-dnskeysyncd/swir..xx.xx..xx.xx.x at .xx.xx..xx.xx.x,cn=services,cn=xxcounts,dc=,dc=xx,dc=xx,dc=,dc=xx,dc=xx,dc=x
   member: 
krbprincipalname=DNS/whale..xx.xx..xx.xx.x at .xx.xx..xx.xx.x,cn=services,cn=xxcounts,dc=,dc=xx,dc=xx,dc=,dc=xx,dc=xx,dc=x
   member: 
krbprincipalname=ipa-dnskeysyncd/whale..xx.xx..xx.xx.x at .xx.xx..xx.xx.x,cn=services,cn=xxcounts,dc=,dc=xx,dc=xx,dc=,dc=xx,dc=xx,dc=x
   member: 
krbprincipalname=DNS/dzien..xx.xx..xx.xx.x at .xx.xx..xx.xx.x,cn=services,cn=xxcounts,dc=,dc=xx,dc=xx,dc=,dc=xx,dc=xx,dc=x
   member: 
krbprincipalname=ipa-dnskeysyncd/dzien..xx.xx..xx.xx.x at .xx.xx..xx.xx.x,cn=services,cn=xxcounts,dc=,dc=xx,dc=xx,dc=,dc=xx,dc=xx,dc=x
   memberof: cn=System: Read DNS 
Configuration,cn=permissions,cn=pbac,dc=,dc=xx,dc=xx,dc=,dc=xx,dc=xx,dc=x
   memberof: cn=System: Write DNS 
Configuration,cn=permissions,cn=pbac,dc=,dc=xx,dc=xx,dc=,dc=xx,dc=xx,dc=x
   memberof: cn=System: Add DNS 
Entries,cn=permissions,cn=pbac,dc=,dc=xx,dc=xx,dc=,dc=xx,dc=xx,dc=x
   memberof: cn=System: Manage DNSSEC 
keys,cn=permissions,cn=pbac,dc=,dc=xx,dc=xx,dc=,dc=xx,dc=xx,dc=x
   memberof: cn=System: Manage DNSSEC 
metadata,cn=permissions,cn=pbac,dc=,dc=xx,dc=xx,dc=,dc=xx,dc=xx,dc=x
   memberof: cn=System: Read DNS 
Entries,cn=permissions,cn=pbac,dc=,dc=xx,dc=xx,dc=,dc=xx,dc=xx,dc=x
   memberof: cn=System: Remove DNS 
Entries,cn=permissions,cn=pbac,dc=,dc=xx,dc=xx,dc=,dc=xx,dc=xx,dc=x
   memberof: cn=System: Update DNS 
Entries,cn=permissions,cn=pbac,dc=,dc=xx,dc=xx,dc=,dc=xx,dc=xx,dc=x
   objectClass: top
   objectClass: groupofnames
   objectClass: nestedgroup
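An added diagnostic for the access-control check the named log message asks for (example code, not from the thread or from FreeIPA): it parses the `ipa privilege-show 'DNS Servers' --all --raw` output quoted above and reports which of the zone's NS hosts are not present as DNS/ and ipa-dnskeysyncd/ service principals in the privilege. The sample output, domain and realm are constructed; the re-joining of wrapped lines assumes the layout of the paste above (indented attribute lines, unindented continuations).

```python
"""Parse `ipa privilege-show 'DNS Servers' --all --raw` and report IPA DNS servers whose
service principals are not members; such a server loads 0 zones from LDAP and only forwards."""
import re
EXPECTED_SERVICES = ("DNS", "ipa-dnskeysyncd")  # principals every IPA DNS server should have here
PRINCIPAL_RE = re.compile(r"krbprincipalname=([^/]+)/([^./@ ]+)")  # -> (service, short host)

# Constructed sample modelled on the thread; domain/realm are placeholders.
# swir and dzien are fully enrolled, whale lacks ipa-dnskeysyncd, rider is absent.
SAMPLE_RAW = """\
  cn: DNS Servers
  member:
krbprincipalname=DNS/swir.ipa.example.test@IPA.EXAMPLE.TEST,cn=services,cn=accounts,dc=ipa,dc=example,dc=test
  member:
krbprincipalname=ipa-dnskeysyncd/swir.ipa.example.test@IPA.EXAMPLE.TEST,cn=services,cn=accounts,dc=ipa,dc=example,dc=test
  member:
krbprincipalname=DNS/whale.ipa.example.test@IPA.EXAMPLE.TEST,cn=services,cn=accounts,dc=ipa,dc=example,dc=test
  member:
krbprincipalname=DNS/dzien.ipa.example.test@IPA.EXAMPLE.TEST,cn=services,cn=accounts,dc=ipa,dc=example,dc=test
  member:
krbprincipalname=ipa-dnskeysyncd/dzien.ipa.example.test@IPA.EXAMPLE.TEST,cn=services,cn=accounts,dc=ipa,dc=example,dc=test
"""

def unfold(raw):
    """Return (attribute, value) pairs; indented lines start an attribute, others continue one."""
    pairs = []
    for line in raw.splitlines():
        m = re.match(r"^\s+(\w+):\s?(.*)$", line)
        if m:
            pairs.append([m.group(1), m.group(2)])
        elif pairs:
            pairs[-1][1] += line  # wrapped continuation of the previous value
    return pairs

def privileged_services(raw):
    """Map short hostname -> set of services that appear as 'member' principals."""
    found = {}
    for attr, value in unfold(raw):
        m = PRINCIPAL_RE.match(value)
        if attr == "member" and m:
            found.setdefault(m.group(2), set()).add(m.group(1))
    return found

def missing_dns_servers(ns_hosts, raw):
    """For each NS host, list the expected services absent from the privilege."""
    found = privileged_services(raw)
    return {h: [s for s in EXPECTED_SERVICES if s not in found.get(h, set())]
            for h in ns_hosts if set(EXPECTED_SERVICES) - found.get(h, set())}

if __name__ == "__main__":
    ns_hosts = ["swir", "rider", "dzien", "whale"]  # short names from the zone's NS records
    for host, services in missing_dns_servers(ns_hosts, SAMPLE_RAW).items():
        print(f"{host}: not in 'DNS Servers' privilege as {', '.join(services)}")
```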