Bug 872372
| Summary: | IPA server DNS forwarding broken with bind-dyndb-ldap-2.2-1.el6.x86_64 | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | Scott Poore <spoore> |
| Component: | bind-dyndb-ldap | Assignee: | Adam Tkac <atkac> |
| Status: | CLOSED ERRATA | QA Contact: | Namita Soman <nsoman> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 6.4 | CC: | atkac, jgalipea, ovasik, pspacek, rcritten, syeghiay |
| Target Milestone: | rc | Keywords: | Regression, TestBlocker |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | bind-dyndb-ldap-2.3-1.el6 | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2013-02-21 08:58:43 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Comment 2
Petr Spacek
2012-11-02 08:46:31 UTC
workaround by mkosek in IRC: "ipa dnsconfig-mod --forwarder=10.0.0.1,10.0.0.2" should do the trick

Verified.
Version ::
bind-dyndb-ldap-2.3-1.el6.x86_64
Manual Test Results ::
[root@rhel6-1 ~]# ipa-server-install --setup-dns --forwarder=$DNSFORWARD --hostname=$hostname_s.$DOMAIN -r $RELM -n $DOMAIN -p $ADMINPW -P $ADMINPW -a $ADMINPW -U
The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will set up the IPA Server.
This includes:
* Configure a stand-alone CA (dogtag) for certificate management
* Configure the Network Time Daemon (ntpd)
* Create and configure an instance of Directory Server
* Create and configure a Kerberos Key Distribution Center (KDC)
* Configure Apache (httpd)
* Configure DNS (bind)
To accept the default shown in brackets, press the Enter key.
Warning: skipping DNS resolution of host rhel6-1.testrelm2.com
Using reverse zone 122.168.192.in-addr.arpa.
The IPA Master Server will be configured with:
Hostname: rhel6-1.testrelm2.com
IP address: 192.168.122.61
Domain name: testrelm2.com
Realm name: TESTRELM2.COM
BIND DNS server will be configured to serve IPA domain with:
Forwarders: 192.168.122.1
Reverse zone: 122.168.192.in-addr.arpa.
Configuring NTP daemon (ntpd)
[1/4]: stopping ntpd
[2/4]: writing configuration
[3/4]: configuring ntpd to start on boot
[4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
Configuring directory server for the CA (pkids): Estimated time 30 seconds
[1/3]: creating directory server user
[2/3]: creating directory server instance
[3/3]: restarting directory server
Done configuring directory server for the CA (pkids).
Configuring certificate server (pki-cad): Estimated time 3 minutes 30 seconds
[1/21]: creating certificate server user
[2/21]: creating pki-ca instance
[3/21]: configuring certificate server instance
[4/21]: disabling nonces
[5/21]: creating CA agent PKCS#12 file in /root
[6/21]: creating RA agent certificate database
[7/21]: importing CA chain to RA certificate database
[8/21]: fixing RA database permissions
[9/21]: setting up signing cert profile
[10/21]: set up CRL publishing
[11/21]: set certificate subject base
[12/21]: enabling Subject Key Identifier
[13/21]: setting audit signing renewal to 2 years
[14/21]: configuring certificate server to start on boot
[15/21]: restarting certificate server
[16/21]: requesting RA certificate from CA
[17/21]: issuing RA agent certificate
[18/21]: adding RA agent as a trusted user
[19/21]: configure certificate renewals
[20/21]: configure Server-Cert certificate renewal
[21/21]: Configure HTTP to proxy connections
Done configuring certificate server (pki-cad).
Configuring directory server (dirsrv): Estimated time 1 minute
[1/37]: creating directory server user
[2/37]: creating directory server instance
[3/37]: adding default schema
[4/37]: enabling memberof plugin
[5/37]: enabling winsync plugin
[6/37]: configuring replication version plugin
[7/37]: enabling IPA enrollment plugin
[8/37]: enabling ldapi
[9/37]: disabling betxn plugins
[10/37]: configuring uniqueness plugin
[11/37]: configuring uuid plugin
[12/37]: configuring modrdn plugin
[13/37]: enabling entryUSN plugin
[14/37]: configuring lockout plugin
[15/37]: creating indices
[16/37]: enabling referential integrity plugin
[17/37]: configuring ssl for ds instance
[18/37]: configuring certmap.conf
[19/37]: configure autobind for root
[20/37]: configure new location for managed entries
[21/37]: restarting directory server
[22/37]: adding default layout
[23/37]: adding delegation layout
[24/37]: adding replication acis
[25/37]: creating container for managed entries
[26/37]: configuring user private groups
[27/37]: configuring netgroups from hostgroups
[28/37]: creating default Sudo bind user
[29/37]: creating default Auto Member layout
[30/37]: adding range check plugin
[31/37]: creating default HBAC rule allow_all
[32/37]: initializing group membership
[33/37]: adding master entry
[34/37]: configuring Posix uid/gid generation
[35/37]: enabling compatibility plugin
[36/37]: tuning directory server
[37/37]: configuring directory to start on boot
Done configuring directory server (dirsrv).
Configuring Kerberos KDC (krb5kdc): Estimated time 30 seconds
[1/10]: adding sasl mappings to the directory
[2/10]: adding kerberos container to the directory
[3/10]: configuring KDC
[4/10]: initialize kerberos container
[5/10]: adding default ACIs
[6/10]: creating a keytab for the directory
[7/10]: creating a keytab for the machine
[8/10]: adding the password extension to the directory
[9/10]: starting the KDC
[10/10]: configuring KDC to start on boot
Done configuring Kerberos KDC (krb5kdc).
Configuring kadmin
[1/2]: starting kadmin
[2/2]: configuring kadmin to start on boot
Done configuring kadmin.
Configuring ipa_memcached
[1/2]: starting ipa_memcached
[2/2]: configuring ipa_memcached to start on boot
Done configuring ipa_memcached.
Configuring the web interface (httpd): Estimated time 1 minute
[1/14]: disabling mod_ssl in httpd
[2/14]: setting mod_nss port to 443
[3/14]: setting mod_nss password file
[4/14]: enabling mod_nss renegotiate
[5/14]: adding URL rewriting rules
[6/14]: configuring httpd
[7/14]: setting up ssl
[8/14]: setting up browser autoconfig
[9/14]: publish CA cert
[10/14]: creating a keytab for httpd
[11/14]: clean up any existing httpd ccache
[12/14]: configuring SELinux for httpd
[13/14]: restarting httpd
[14/14]: configuring httpd to start on boot
Done configuring the web interface (httpd).
Applying LDAP updates
Restarting the directory server
Restarting the KDC
Configuring DNS (named)
[1/9]: adding DNS container
[2/9]: setting up our zone
[3/9]: setting up reverse zone
[4/9]: setting up our own record
[5/9]: setting up kerberos principal
[6/9]: setting up named.conf
[7/9]: restarting named
[8/9]: configuring named to start on boot
[9/9]: changing resolv.conf to point to ourselves
Done configuring DNS (named).
Global DNS configuration in LDAP server is empty
You can use 'dnsconfig-mod' command to set global DNS options that
would override settings in local named.conf files
Restarting the web server
==============================================================================
Setup complete
Next steps:
1. You must make sure these network ports are open:
TCP Ports:
* 80, 443: HTTP/HTTPS
* 389, 636: LDAP/LDAPS
* 88, 464: kerberos
* 53: bind
UDP Ports:
* 88, 464: kerberos
* 53: bind
* 123: ntp
2. You can now obtain a kerberos ticket using the command: 'kinit admin'
This ticket will allow you to use the IPA tools (e.g., ipa user-add)
and the web user interface.
Be sure to back up the CA certificate stored in /root/cacert.p12
This file is required to create replicas. The password for this
file is the Directory Manager password
[root@rhel6-1 ~]# less /etc/named.conf
...
forward first;
forwarders {
192.168.122.1;
};
...
[root@rhel6-1 ~]# ipa dnsconfig-mod --forwarder=$DNSFORWARDER
ipa: ERROR: no modifications to be performed
[root@rhel6-1 ~]# dig +short download.devel.redhat.com | grep $DOWNLOAD_DEVEL_IP | wc -l
1
So, without using a workaround, I can resolve outside of my own IPA domain now. Looks good.
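As an added example (not from the bug report or from the bind-dyndb-ldap project), a small Python check that encodes the two facts the report turns on: forwarders set globally in LDAP via `ipa dnsconfig-mod` override the local named.conf block, and a dig response of NXDOMAIN with no answer, returned by the IPA server itself for a name only the forwarder can resolve, means forwarding is not being used. All inputs are constructed; the 192.0.2.10 answer is a placeholder.

```python
import re

# Constructed inputs modelled on the report: the named.conf excerpt and two
# dig responses, one with the failing shape (NXDOMAIN, ANSWER: 0, answered by
# the IPA server itself) and one healthy. 192.0.2.10 is a placeholder address.
NAMED_CONF = """
options {
    forward first;
    forwarders {
        192.168.122.1;
    };
};
"""

DIG_BROKEN = """;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 11008
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; SERVER: 192.168.122.61#53(192.168.122.61)
"""

DIG_OK = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; ANSWER SECTION:
download.devel.redhat.com. 300 IN A 192.0.2.10
;; SERVER: 192.168.122.61#53(192.168.122.61)
"""

def parse_forwarders(named_conf):
    """Return the addresses listed in named.conf's `forwarders { ... };` block."""
    m = re.search(r"forwarders\s*\{([^}]*)\}", named_conf)
    return [a.strip() for a in m.group(1).split(";") if a.strip()] if m else []

def effective_forwarders(named_conf, ldap_global):
    """Global forwarders stored in LDAP (ipa dnsconfig-mod) override named.conf;
    when the LDAP global DNS config is empty, the named.conf forwarders apply."""
    return list(ldap_global) if ldap_global else parse_forwarders(named_conf)

def diagnose(dig_output, expected_ip):
    """Classify a dig response for a name that only the forwarder can resolve."""
    status = re.search(r"status: (\w+)", dig_output).group(1)
    answers = int(re.search(r"ANSWER: (\d+)", dig_output).group(1))
    a_records = re.findall(r"\sIN\s+A\s+(\S+)", dig_output)
    if status == "NOERROR" and a_records.count(expected_ip) == 1:
        return "ok"  # same check as `dig +short ... | grep IP | wc -l` == 1
    if status == "NXDOMAIN" and answers == 0:
        # Our server said NXDOMAIN for a name the forwarder resolves: the query
        # was not forwarded, the failure signature seen with bind-dyndb-ldap 2.2.
        return "forwarding-not-used"
    return "unexpected"
```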
FYI, had to mark comment 0 private. This is FYI only, not an issue since the 2.3-1 release. Here's an edited version of comment 0:

Description of problem:
IPA servers with DNS enabled and a forwarder specified are seeing forwarding not work with bind-dyndb-ldap-2.2-1.el6.x86_64. Before this (version 2.0) it seemed to work fine.

[root@rhel6-1 ~]# dig download.devel.redhat.com
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.16.rc1.el6 <<>> download.devel.redhat.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 11008
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;download.devel.redhat.com. IN A
;; AUTHORITY SECTION:
redhat.com. 600 IN SOA ns1.redhat.com. noc.redhat.com. 2012102900 300 180 604800 14400
;; Query time: 1641 msec
;; SERVER: 192.168.122.61#53(192.168.122.61)
;; WHEN: Thu Nov 1 18:07:24 2012
;; MSG SIZE rcvd: 87

Is there something new that needs to be done to enable this properly now?

Version-Release number of selected component (if applicable):
bind-dyndb-ldap-2.2-1.el6

How reproducible:
Very...we're seeing problems with fresh installs and upgrades

Steps to Reproduce:
1. Install IPA Master server specifying a forwarder
2. Lookup a hostname outside of the IPA DNS domain.
3.

Actual results:
fails.

Expected results:

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-0359.html