[Freeipa-users] FreeNAS Corral integration
Hi,

FreeNAS Corral is out and it supports FreeIPA. Isn't that great?
Has someone tried it?
My first attempt brought the users visible but I wasn't able to give a user admin status for Corral.
I wonder if and how I can set privileges for a user if he may login via SSH/WebGUI.

Regarding the user's home Corral set it as <>@<>. I worked this around by symlinking to the actual home which just is <>.

Sad thing is e.g. that I give the users a specific shell in FreeIPA. Some shells aren't supported though in Corral, for instance zsh. This leads to not being able to login via ssh.

Are there any best practices or workarounds?

Thanks for your time in advance.
Jochen Demmer

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] ipa-replica-install fails because dirsrv failed to start
On 27.10.2016 at 10:21, Martin Basti wrote:
>
> On 27.10.2016 10:02, Jochen Demmer wrote:
>>
>> On 26.10.2016 at 17:31, Martin Basti wrote:
>>>
>>> On 26.10.2016 17:25, Jochen Demmer wrote:
>>>>
>>>> On 26.10.2016 at 16:48, Martin Basti wrote:
>>>>>
>>>>> On 26.10.2016 16:42, Jochen Demmer wrote:
>>>>>>
>>>>>> On 26.10.2016 at 16:27, Martin Basti wrote:
>>>>>>>
>>>>>>> On 26.10.2016 16:10, Jochen Demmer wrote:
>>>>>>>> Hi,
>>>>>>>>
>>>>>>>> my answers also inline.
>>>>>>>>
>>>>>>>> On 26.10.2016 at 15:38, Martin Basti wrote:
>>>>>>>>>
>>>>>>>>> Hi, comments inline
>>>>>>>>>
>>>>>>>>> On 26.10.2016 14:28, Jochen Demmer wrote:
>>>>>>>>>> Hi,
>>>>>>>>>>
>>>>>>>>>> I've been running and using a single FreeIPA server
>>>>>>>>>> successfully, i.e.:
>>>>>>>>>> Fedora 24
>>>>>>>>>> freeipa-server-4.3.2-2.fc24.x86_64
>>>>>>>>>> This server is only available via IPv6, because I can't get
>>>>>>>>>> public IPv4 addresses any more.
>>>>>>>>>>
>>>>>>>>>> Now I want to setup a FreeIPA replica at another site also
>>>>>>>>>> running IPv6, Fedora 24 and freeipa-server-4.3.2-2.fc24.x86_64
>>>>>>>>>> First I run "ipa-client-install" which succeeds without an error.
>>>>>>>>>> When I invoke "ipa-replica-install" I get this error:
>>>>>>>>>> ipa : ERROR Could not resolve hostname
>>>>>>>>>> *hostname.mydoma.in* using DNS. Clients may not function
>>>>>>>>>> properly. Please check your DNS setup. (Note that this check
>>>>>>>>>> queries IPA DNS directly and ignores /etc/hosts.)
>>>>>>>>>> LOG:
>>>>>>>>>> 2016-10-26T12:14:39Z DEBUG Search DNS server
>>>>>>>>>> *hostname.mydoma.in* (['2a01:f11:1:1::1', '2a01:f11:1:1::1',
>>>>>>>>>> '2a01:f11:1:1::1']) for *hostname.mydoma.in*
>>>>>>>>>
>>>>>>>>> Can you check with dig or host command if the hostname is
>>>>>>>>> really resolvable on that machine? do you have proper resolver
>>>>>>>>> in /etc/resolv.conf?
>>>>>>>> There is a resolver given in /etc/resolv.conf. When I do "host
>>>>>>>> <>" I get the right IPv6 back.
>>>>>>> That is weird because IPA is doing basically the same.
>>>>>>>
>>>>>>>>>>
>>>>>>>>>> *hostname.mydoma.in* is actually the DNS entry for the old
>>>>>>>>>> FreeIPA server, which actually resolves, but only to an IPv6
>>>>>>>>>> address of course.
>>>>>>>>>> I can continue the installation though by entering "yes".
>>>>>>>>>>
>>>>>>>>>> I then get asked:
>>>>>>>>>> Enter the IP address to use, or press Enter to finish.
>>>>>>>>>> Please provide the IP address to be used for this host name:
>>>>>>>>>>
>>>>>>>>>> When I enter the IPv6 address of the new replica host it
>>>>>>>>>> doesn't accept but infinitely asks this question instead.
>>>>>>>>>
>>>>>>>>> Have you pressed enter twice? It should end prompt and
>>>>>>>>> continue with installation
>>>>>>>> Enter without an IP -> No usable IP address provided nor resolved.
>>>>>>>> Enter with an IP -> Error: Invalid IP Address 2a02:1:2:3::4
>>>>>>>> cannot use IP network address 2a02:1:2
Re: [Freeipa-users] ipa-replica-install fails because of IPv6?
On 27.10.2016 at 10:02, Jochen Demmer wrote:
>
> On 26.10.2016 at 17:31, Martin Basti wrote:
>>
>> On 26.10.2016 17:25, Jochen Demmer wrote:
>>>
>>> On 26.10.2016 at 16:48, Martin Basti wrote:
>>>>
>>>> On 26.10.2016 16:42, Jochen Demmer wrote:
>>>>>
>>>>> On 26.10.2016 at 16:27, Martin Basti wrote:
>>>>>>
>>>>>> On 26.10.2016 16:10, Jochen Demmer wrote:
>>>>>>> Hi,
>>>>>>>
>>>>>>> my answers also inline.
>>>>>>>
>>>>>>> On 26.10.2016 at 15:38, Martin Basti wrote:
>>>>>>>>
>>>>>>>> Hi, comments inline
>>>>>>>>
>>>>>>>> On 26.10.2016 14:28, Jochen Demmer wrote:
>>>>>>>>> Hi,
>>>>>>>>>
>>>>>>>>> I've been running and using a single FreeIPA server
>>>>>>>>> successfully, i.e.:
>>>>>>>>> Fedora 24
>>>>>>>>> freeipa-server-4.3.2-2.fc24.x86_64
>>>>>>>>> This server is only available via IPv6, because I can't get
>>>>>>>>> public IPv4 addresses any more.
>>>>>>>>>
>>>>>>>>> Now I want to setup a FreeIPA replica at another site also
>>>>>>>>> running IPv6, Fedora 24 and freeipa-server-4.3.2-2.fc24.x86_64
>>>>>>>>> First I run "ipa-client-install" which succeeds without an error.
>>>>>>>>> When I invoke "ipa-replica-install" I get this error:
>>>>>>>>> ipa : ERROR Could not resolve hostname
>>>>>>>>> *hostname.mydoma.in* using DNS. Clients may not function
>>>>>>>>> properly. Please check your DNS setup. (Note that this check
>>>>>>>>> queries IPA DNS directly and ignores /etc/hosts.)
>>>>>>>>> LOG:
>>>>>>>>> 2016-10-26T12:14:39Z DEBUG Search DNS server
>>>>>>>>> *hostname.mydoma.in* (['2a01:f11:1:1::1', '2a01:f11:1:1::1',
>>>>>>>>> '2a01:f11:1:1::1']) for *hostname.mydoma.in*
>>>>>>>>
>>>>>>>> Can you check with dig or host command if the hostname is
>>>>>>>> really resolvable on that machine? do you have proper resolver
>>>>>>>> in /etc/resolv.conf?
>>>>>>> There is a resolver given in /etc/resolv.conf. When I do "host
>>>>>>> <>" I get the right IPv6 back.
>>>>>> That is weird because IPA is doing basically the same.
>>>>>>
>>>>>>>>>
>>>>>>>>> *hostname.mydoma.in* is actually the DNS entry for the old
>>>>>>>>> FreeIPA server, which actually resolves, but only to an IPv6
>>>>>>>>> address of course.
>>>>>>>>> I can continue the installation though by entering "yes".
>>>>>>>>>
>>>>>>>>> I then get asked:
>>>>>>>>> Enter the IP address to use, or press Enter to finish.
>>>>>>>>> Please provide the IP address to be used for this host name:
>>>>>>>>>
>>>>>>>>> When I enter the IPv6 address of the new replica host it
>>>>>>>>> doesn't accept but infinitely asks this question instead.
>>>>>>>>
>>>>>>>> Have you pressed enter twice? It should end prompt and continue
>>>>>>>> with installation
>>>>>>> Enter without an IP -> No usable IP address provided nor resolved.
>>>>>>> Enter with an IP -> Error: Invalid IP Address 2a02:1:2:3::4
>>>>>>> cannot use IP network address 2a02:1:2:3::4
>>>>>>
>>>>>> How do you have configured IP address on your interface? Does it
>>>>>> have prefix /128?
>>>>> Yes, that's right. It's an IP being assigned statefully by a
>>>>> DHCPv6 server.
>>>>> There is also another dynamic IP within the same prefix havi
Re: [Freeipa-users] ipa-replica-install fails because of IPv6?
On 26.10.2016 at 17:31, Martin Basti wrote:
>
> On 26.10.2016 17:25, Jochen Demmer wrote:
>>
>> On 26.10.2016 at 16:48, Martin Basti wrote:
>>>
>>> On 26.10.2016 16:42, Jochen Demmer wrote:
>>>>
>>>> On 26.10.2016 at 16:27, Martin Basti wrote:
>>>>>
>>>>> On 26.10.2016 16:10, Jochen Demmer wrote:
>>>>>> Hi,
>>>>>>
>>>>>> my answers also inline.
>>>>>>
>>>>>> On 26.10.2016 at 15:38, Martin Basti wrote:
>>>>>>>
>>>>>>> Hi, comments inline
>>>>>>>
>>>>>>> On 26.10.2016 14:28, Jochen Demmer wrote:
>>>>>>>> Hi,
>>>>>>>>
>>>>>>>> I've been running and using a single FreeIPA server
>>>>>>>> successfully, i.e.:
>>>>>>>> Fedora 24
>>>>>>>> freeipa-server-4.3.2-2.fc24.x86_64
>>>>>>>> This server is only available via IPv6, because I can't get
>>>>>>>> public IPv4 addresses any more.
>>>>>>>>
>>>>>>>> Now I want to setup a FreeIPA replica at another site also
>>>>>>>> running IPv6, Fedora 24 and freeipa-server-4.3.2-2.fc24.x86_64
>>>>>>>> First I run "ipa-client-install" which succeeds without an error.
>>>>>>>> When I invoke "ipa-replica-install" I get this error:
>>>>>>>> ipa : ERROR Could not resolve hostname
>>>>>>>> *hostname.mydoma.in* using DNS. Clients may not function
>>>>>>>> properly. Please check your DNS setup. (Note that this check
>>>>>>>> queries IPA DNS directly and ignores /etc/hosts.)
>>>>>>>> LOG:
>>>>>>>> 2016-10-26T12:14:39Z DEBUG Search DNS server
>>>>>>>> *hostname.mydoma.in* (['2a01:f11:1:1::1', '2a01:f11:1:1::1',
>>>>>>>> '2a01:f11:1:1::1']) for *hostname.mydoma.in*
>>>>>>>
>>>>>>> Can you check with dig or host command if the hostname is really
>>>>>>> resolvable on that machine? do you have proper resolver in
>>>>>>> /etc/resolv.conf?
>>>>>> There is a resolver given in /etc/resolv.conf. When I do "host
>>>>>> <>" I get the right IPv6 back.
>>>>> That is weird because IPA is doing basically the same.
>>>>>
>>>>>>>>
>>>>>>>> *hostname.mydoma.in* is actually the DNS entry for the old
>>>>>>>> FreeIPA server, which actually resolves, but only to an IPv6
>>>>>>>> address of course.
>>>>>>>> I can continue the installation though by entering "yes".
>>>>>>>>
>>>>>>>> I then get asked:
>>>>>>>> Enter the IP address to use, or press Enter to finish.
>>>>>>>> Please provide the IP address to be used for this host name:
>>>>>>>>
>>>>>>>> When I enter the IPv6 address of the new replica host it
>>>>>>>> doesn't accept but infinitely asks this question instead.
>>>>>>>
>>>>>>> Have you pressed enter twice? It should end prompt and continue
>>>>>>> with installation
>>>>>> Enter without an IP -> No usable IP address provided nor resolved.
>>>>>> Enter with an IP -> Error: Invalid IP Address 2a02:1:2:3::4
>>>>>> cannot use IP network address 2a02:1:2:3::4
>>>>>
>>>>> How do you have configured IP address on your interface? Does it
>>>>> have prefix /128?
>>>> Yes, that's right. It's an IP being assigned statefully by a DHCPv6
>>>> server.
>>>> There is also another dynamic IP within the same prefix having /64.
>>>> I don't want to use this one of course, because its IID changes.
>>>>
>>> Could you set (temporarily) prefix for that address to /64 and
>>> re-run installer? IPA 4.3 has check that prevents you to use /128 prefix
>> Well now I don't even get asked for the IP. The setup wizard
>> continues, but I now get this error:
>>
>
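An added example, not part of the thread and not FreeIPA's own code: a preflight check that parses `ip -o -6 addr show` output and flags addresses an installer-style validation would refuse. The rule "address equals the network address of its configured prefix" is an assumption chosen to match the error text and the /128 explanation quoted above; the sample output is constructed around the thread's obfuscated prefix.

```python
import ipaddress
import re

# Constructed sample of `ip -o -6 addr show` output (not captured from the
# poster's host). The /128 entry mirrors the DHCPv6-assigned address.
SAMPLE_IP_OUTPUT = """\
1: lo    inet6 ::1/128 scope host \\       valid_lft forever preferred_lft forever
2: eth0    inet6 2a02:1:2:3::4/128 scope global dynamic \\       valid_lft 80000sec preferred_lft 50000sec
2: eth0    inet6 2a02:1:2:3:5054:ff:fe12:3456/64 scope global dynamic mngtmpaddr \\       valid_lft 80000sec preferred_lft 50000sec
2: eth0    inet6 fe80::5054:ff:fe12:3456/64 scope link \\       valid_lft forever preferred_lft forever
"""

ADDR_RE = re.compile(r"^\d+:\s+(\S+)\s+inet6\s+(\S+)\s+scope\s+(\S+)", re.M)


def parse_inet6(text):
    """Return (ifname, 'addr/prefix', scope) tuples from `ip -o -6 addr show` text."""
    return [(m.group(1), m.group(2), m.group(3)) for m in ADDR_RE.finditer(text)]


def rejection_reason(addr_with_prefix):
    """Assumed validation: return why the address is refused, or None if usable."""
    iface = ipaddress.ip_interface(addr_with_prefix)
    if iface.ip.is_loopback:
        return "loopback address"
    if iface.ip.is_link_local:
        return "link-local address"
    # With a /128 prefix the "network" is the single address itself, so the
    # host address equals the network address and looks like a network.
    if iface.ip == iface.network.network_address:
        return "cannot use IP network address"
    return None


def preflight(text):
    """Map every configured IPv6 address to None (usable) or a rejection reason."""
    return {addr: rejection_reason(addr) for _, addr, _ in parse_inet6(text)}


if __name__ == "__main__":
    for addr, reason in preflight(SAMPLE_IP_OUTPUT).items():
        status = "OK" if reason is None else "REJECT: " + reason
        print(f"{addr:40} {status}")
```

The same address passes once it is configured with the /64 prefix, which is the temporary workaround suggested in the message above.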
Re: [Freeipa-users] ipa-replica-install fails because of IPv6?
On 26.10.2016 at 16:27, Martin Basti wrote:
>
> On 26.10.2016 16:10, Jochen Demmer wrote:
>> Hi,
>>
>> my answers also inline.
>>
>> On 26.10.2016 at 15:38, Martin Basti wrote:
>>>
>>> Hi, comments inline
>>>
>>> On 26.10.2016 14:28, Jochen Demmer wrote:
>>>> Hi,
>>>>
>>>> I've been running and using a single FreeIPA server successfully, i.e.:
>>>> Fedora 24
>>>> freeipa-server-4.3.2-2.fc24.x86_64
>>>> This server is only available via IPv6, because I can't get public
>>>> IPv4 addresses any more.
>>>>
>>>> Now I want to setup a FreeIPA replica at another site also running
>>>> IPv6, Fedora 24 and freeipa-server-4.3.2-2.fc24.x86_64
>>>> First I run "ipa-client-install" which succeeds without an error.
>>>> When I invoke "ipa-replica-install" I get this error:
>>>> ipa : ERROR Could not resolve hostname
>>>> *hostname.mydoma.in* using DNS. Clients may not function properly.
>>>> Please check your DNS setup. (Note that this check queries IPA DNS
>>>> directly and ignores /etc/hosts.)
>>>> LOG:
>>>> 2016-10-26T12:14:39Z DEBUG Search DNS server *hostname.mydoma.in*
>>>> (['2a01:f11:1:1::1', '2a01:f11:1:1::1', '2a01:f11:1:1::1']) for
>>>> *hostname.mydoma.in*
>>>
>>> Can you check with dig or host command if the hostname is really
>>> resolvable on that machine? do you have proper resolver in
>>> /etc/resolv.conf?
>> There is a resolver given in /etc/resolv.conf. When I do "host
>> <>" I get the right IPv6 back.
> That is weird because IPA is doing basically the same.
>
>>>>
>>>> *hostname.mydoma.in* is actually the DNS entry for the old FreeIPA
>>>> server, which actually resolves, but only to an IPv6 address of course.
>>>> I can continue the installation though by entering "yes".
>>>>
>>>> I then get asked:
>>>> Enter the IP address to use, or press Enter to finish.
>>>> Please provide the IP address to be used for this host name:
>>>>
>>>> When I enter the IPv6 address of the new replica host it doesn't
>>>> accept but infinitely asks this question instead.
>>>
>>> Have you pressed enter twice? It should end prompt and continue with
>>> installation
>> Enter without an IP -> No usable IP address provided nor resolved.
>> Enter with an IP -> Error: Invalid IP Address 2a02:1:2:3::4 cannot
>> use IP network address 2a02:1:2:3::4
>
> How do you have configured IP address on your interface? Does it have
> prefix /128?
Yes, that's right. It's an IP being assigned statefully by a DHCPv6 server.
There is also another dynamic IP within the same prefix having /64. I don't want to use this one of course, because its IID changes.
>
>>>>
>>>> Honestly, I can't see what I might have done wrong.
>>>> Old FreeIPA has hostname is in sync forward and reverse record.
>>>> New FreeIPA host as well has hostname that symmetrically resolves,
>>>> even though the hostname is using another second level domain.
>>>>
>>>> Any hints?
>>>> Jochen Demmer
>>>
>>> Martin
>> Jochen
Re: [Freeipa-users] ipa-replica-install fails because of IPv6?
Hi,

my answers also inline.

On 26.10.2016 at 15:38, Martin Basti wrote:
>
> Hi, comments inline
>
> On 26.10.2016 14:28, Jochen Demmer wrote:
>> Hi,
>>
>> I've been running and using a single FreeIPA server successfully, i.e.:
>> Fedora 24
>> freeipa-server-4.3.2-2.fc24.x86_64
>> This server is only available via IPv6, because I can't get public
>> IPv4 addresses any more.
>>
>> Now I want to setup a FreeIPA replica at another site also running
>> IPv6, Fedora 24 and freeipa-server-4.3.2-2.fc24.x86_64
>> First I run "ipa-client-install" which succeeds without an error.
>> When I invoke "ipa-replica-install" I get this error:
>> ipa : ERROR Could not resolve hostname
>> *hostname.mydoma.in* using DNS. Clients may not function properly.
>> Please check your DNS setup. (Note that this check queries IPA DNS
>> directly and ignores /etc/hosts.)
>> LOG:
>> 2016-10-26T12:14:39Z DEBUG Search DNS server *hostname.mydoma.in*
>> (['2a01:f11:1:1::1', '2a01:f11:1:1::1', '2a01:f11:1:1::1']) for
>> *hostname.mydoma.in*
>
> Can you check with dig or host command if the hostname is really
> resolvable on that machine? do you have proper resolver in
> /etc/resolv.conf?
There is a resolver given in /etc/resolv.conf. When I do "host <>" I get the right IPv6 back.
>
>>
>> *hostname.mydoma.in* is actually the DNS entry for the old FreeIPA
>> server, which actually resolves, but only to an IPv6 address of course.
>> I can continue the installation though by entering "yes".
>>
>> I then get asked:
>> Enter the IP address to use, or press Enter to finish.
>> Please provide the IP address to be used for this host name:
>>
>> When I enter the IPv6 address of the new replica host it doesn't
>> accept but infinitely asks this question instead.
>
> Have you pressed enter twice? It should end prompt and continue with
> installation
Enter without an IP -> No usable IP address provided nor resolved.
Enter with an IP -> Error: Invalid IP Address 2a02:1:2:3::4 cannot use IP network address 2a02:1:2:3::4
>
>>
>> Honestly, I can't see what I might have done wrong.
>> Old FreeIPA has hostname is in sync forward and reverse record.
>> New FreeIPA host as well has hostname that symmetrically resolves,
>> even though the hostname is using another second level domain.
>>
>> Any hints?
>> Jochen Demmer
>
> Martin
Jochen
[Freeipa-users] ipa-replica-install fails because of IPv6?
Hi,

I've been running and using a single FreeIPA server successfully, i.e.:
Fedora 24
freeipa-server-4.3.2-2.fc24.x86_64
This server is only available via IPv6, because I can't get public IPv4 addresses any more.

Now I want to setup a FreeIPA replica at another site also running IPv6, Fedora 24 and freeipa-server-4.3.2-2.fc24.x86_64
First I run "ipa-client-install" which succeeds without an error.
When I invoke "ipa-replica-install" I get this error:
ipa : ERROR Could not resolve hostname *hostname.mydoma.in* using DNS. Clients may not function properly. Please check your DNS setup. (Note that this check queries IPA DNS directly and ignores /etc/hosts.)
LOG:
2016-10-26T12:14:39Z DEBUG Search DNS server *hostname.mydoma.in* (['2a01:f11:1:1::1', '2a01:f11:1:1::1', '2a01:f11:1:1::1']) for *hostname.mydoma.in*

*hostname.mydoma.in* is actually the DNS entry for the old FreeIPA server, which actually resolves, but only to an IPv6 address of course.
I can continue the installation though by entering "yes".

I then get asked:
Enter the IP address to use, or press Enter to finish.
Please provide the IP address to be used for this host name:

When I enter the IPv6 address of the new replica host it doesn't accept but infinitely asks this question instead.

Honestly, I can't see what I might have done wrong.
Old FreeIPA has hostname is in sync forward and reverse record.
New FreeIPA host as well has hostname that symmetrically resolves, even though the hostname is using another second level domain.

Any hints?
Jochen Demmer
[Freeipa-users] bind crashes on rndc reload
Hi,

I have a major issue with my setup:
Fedora 24
freeipa-common-4.3.2-2.fc24.noarch
freeipa-admintools-4.3.2-2.fc24.noarch
freeipa-server-dns-4.3.2-2.fc24.noarch
freeipa-client-common-4.3.2-2.fc24.noarch
freeipa-server-4.3.2-2.fc24.x86_64
freeipa-server-common-4.3.2-2.fc24.noarch
freeipa-client-4.3.2-2.fc24.x86_64
bind-dyndb-ldap-9.0-3.fc24.x86_64
bind-libs-lite-9.10.4-1.P2.fc24.x86_64
bind-pkcs11-libs-9.10.4-1.P2.fc24.x86_64
bind99-libs-9.9.9-1.P2.fc24.x86_64
bind-utils-9.10.4-1.P2.fc24.x86_64
rpcbind-0.2.3-11.rc1.fc24.x86_64
bind-license-9.10.4-1.P2.fc24.noarch
bind-pkcs11-9.10.4-1.P2.fc24.x86_64
bind-9.10.4-1.P2.fc24.x86_64
bind-libs-9.10.4-1.P2.fc24.x86_64
bind99-license-9.9.9-1.P2.fc24.noarch
bind-pkcs11-utils-9.10.4-1.P2.fc24.x86_64

It seems that there is a regular but not daily "rndc reload" sent to the nameserver that leads to a crash of it.
I sent a SIGHUP to the named process, but that didn't lead to a crash. Only "rndc reload" does. It does not crash EVERY time, but most of the time.
I need to do an "ipactl restart" in order to get the nameserver up and running again.

I found this thread, but this doesn't give me any clues:
https://www.redhat.com/archives/freeipa-users/2012-May/msg00340.html

This is what the log says:
http://paste.debian.net/818354/
Please understand that I obfuscated my IP addresses and domain names.

This is the strace:
http://paste.debian.net/818365/

This is my named.conf:
http://paste.debian.net/818368/

Hope someone can help.
Jochen