>>Hi,

Hello,

>>Is the zone not transferring at all, or is it just the updates that's
>>not transferred to the AD slave server?

It's not transferring at all.

>>If the zone is not transferring at all: Did you modify the "Allow
>>transfer" property of the zone ?

Yes, I changed the parameter to allow zone transfers from the AD.

>>If the updates is not transferring: I believe automatic increment of the
>>zone serial number will be supported in IPA 3.0. The IPA developers will
>>have to confirm that. However you can manually change the serial number
>>under Zone Settings.

Yes, I also read this information but I was hoping there was some other solution to the issue. And I have manually changed the serial number of the zone, but without success.

>>Hope this helps.

Thanks
>>Regards,
>>Siggi

2012/8/20 <freeipa-users-requ...@redhat.com>

> Today's Topics:
>
>    1. Re: Active Directory slave zone in FreeIPA DNS (Sigbjorn Lie)
>    2. Re: sssd client cache timer and merging IPA domains
>       (Rob Crittenden)
>    3. Re: Question about migration and scripts variables
>       (Rob Crittenden)
>    4. Specifying load balancing to SSSD clients (Innes, Duncan)
>    5. Re: Specifying load balancing to SSSD clients (Mark St. Laurent)
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Sun, 19 Aug 2012 18:23:20 +0200
> From: Sigbjorn Lie <sigbj...@nixtra.com>
> To: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] Active Directory slave zone in FreeIPA
>         DNS
> Message-ID: <503112f8.8000...@nixtra.com>
> Content-Type: text/plain; charset="iso-8859-1"; Format="flowed"
>
> On 08/19/2012 04:39 PM, Franklin Catoni wrote:
> > Greetings community.
> >
> > I do not speak English so I will do my best.
> >
> > I have two environments in my company, a domain "ejemplo.com"
> > with Windows Active Directory running on Windows
> > Server 2003 Enterprise Edition SP2 and domain "ejemplo.gob.ve"
> > with FreeIPA v2.2. mounted on Centos 6.3 x64.
> > This is because we are in the middle of a platform migration process
> > (a very slow process) from proprietary solutions to open source.
> >
> > DNS and DHCP service for my two environments is offered by the server
> > Centos 6.3 which is mounted FreeIPA directory, clients are Windows
> > computers Active Directory domain and linux computers in the domain Ipa.
> >
> > Currently the zone "ejemplo.gob.ve" is
> > administered by the FreeIPA DNS using the plugin
> > (bind-dyndb-ldap.x86_64 v1.1.0) and I configure a slave zone using
> > bind (bind-9.8.2-0.10.rc1.el6_3.2.x86_64) for the domain
> > "ejemplo.com" Active Directory
> >
> > Name resolution works perfectly for both Linux and Windows clients.
> >
> > Now here comes the tricky part
> >
> > In order to find a more centralized management of my services, I try
> > to configure a slave zone to Active Directory through FreeIPA with
> > dyndb bind-plugin-ldap and so to eliminate configuration through bind,
> > but the transfers zone does not work, causing this many problems on
> > both platforms.
> >
> > The log shows me the following error:
> >
> > ServidorIPA named[3706]: zone ejemplo.com/IN/local: zone serial (2012081801) unchanged. zone may fail to transfer to slaves
> >
> > I've spent enough time looking at Super Google information that can
> > help me but it has not been easy, because it seems to be a rare
> > situation.
> >
> > I ask. You can set this up under these circumstances?
> > Someone has accomplished?
> > Some information that orients me to get a solution?
> >
> > Thanks for your time.
> >
> Hi,
>
> Is the zone not transferring at all, or is it just the updates that's
> not transferred to the AD slave server?
>
> If the zone is not transferring at all: Did you modify the "Allow
> transfer" property of the zone ?
>
> If the updates is not transferring: I believe automatic increment of the
> zone serial number will be supported in IPA 3.0. The IPA developers will
> have to confirm that.
> However you can manually change the serial number
> under Zone Settings.
>
> Hope this helps.
>
>
> Regards,
> Siggi
>
> ------------------------------
>
> Message: 2
> Date: Mon, 20 Aug 2012 08:44:32 -0400
> From: Rob Crittenden <rcrit...@redhat.com>
> To: Lucas Yamanishi <lyamani...@sesda2.com>
> Cc: "freeipa-users@redhat.com" <freeipa-users@redhat.com>
> Subject: Re: [Freeipa-users] sssd client cache timer and merging IPA
>         domains
> Message-ID: <50323130.6030...@redhat.com>
> Content-Type: text/plain; charset=UTF-8; format=flowed
>
> Lucas Yamanishi wrote:
> >
> > On 08/17/2012 08:38 AM, Rob Crittenden wrote:
> >> Lucas Yamanishi wrote:
> >>>
> >>> On 08/16/2012 05:39 PM, Rob Crittenden wrote:
> >>>> Lucas Yamanishi wrote:
> >>>>>
> >>>>> On 08/16/2012 05:32 PM, Rob Crittenden wrote:
> >>>>>> Lucas Yamanishi wrote:
> >>>>>>> I just migrated my IPA instance from one to another a couple days
> >>>>>>> ago to recover after a lost CA and failed yum upgrade. The
> >>>>>>> "ipa migrate-ds" tool works very well, though I am having a few
> >>>>>>> very minor issues. On the upside, as far as I can tell, you can
> >>>>>>> skip the steps about Kerberos key generation as outlined in the
> >>>>>>> documentation. I've been able to kinit just fine with my
> >>>>>>> migrated users.
> >>>>>>>
> >>>>>>>
> >>>>>>> Below are the few errors I've noticed.
> >>>>>>>
> >>>>>>> * When I ssh into an enrolled host using a migrated user's
> >>>>>>> credentials I get this error:
> >>>>>>>
> >>>>>>> id: cannot find name for group ID 104600003\
> >>>>>>
> >>>>>> Does a group exist with that GID? You can try something like:
> >>>>>>
> >>>>>> $ ipa group-find --gid=104600003
> >>>>>>
> >>>>>
> >>>>> The group doesn't exist. The GID is the counterpart to my UID.
> >>>>
> >>>> Try adding --private.
> >>>>
> >>>> rob
> >>>>
> >>>
> >>> Nope. It doesn't exist.
> >>>
> >>> Other groups migrated. Why would the private groups fail?
> >>
> >> I don't know, what have you done to date, including versions?
> >>
> >> rob
> > I've been following the stable Scientific Linux releases since 6.1.
> > Based on repo archives, I guess that would be 2.0.0-23.el6.x86_64. The
> > version was at 2.2.0-16.el6.x86_64 when I migrated, which I had just
> > upgraded from 2.1.3-9.el6.x86_64. I migrated to and use now
> > 2.2.0-16.el6.x86_64.
> >
> > So...
> > 2.0.0-23.el6.x86_64 -> 2.1.3-9.el6.x86_64 -> 2.2.0-16.el6.x86_64 ---->
> > 2.2.0-16.el6.x86_64
> >
> >
>
> Can you verify that managed entries are configured:
>
> # ipa-managed-entries -l
>
> It should return:
>
> UPG Definition
> NGP Definition
>
> This enables user-private groups and netgroup-private groups.
>
> rob
>
> ------------------------------
>
> Message: 3
> Date: Mon, 20 Aug 2012 08:56:51 -0400
> From: Rob Crittenden <rcrit...@redhat.com>
> To: James James <jre...@gmail.com>
> Cc: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] Question about migration and scripts
>         variables
> Message-ID: <50323413.4090...@redhat.com>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
> James James wrote:
> > Hi,
> >
> > my first question is about the migrate process. Is it possible to
> > renumber the users during the migrate process (ipa migrate-ds) in a way
> > that all imported users will have a new UID ?
>
> I haven't tested this but you might try
> --user-ignore-attribute=uidnumber,gidnumber.
>
> > my second question is about ipalib. I wanted to make a hook on the user
> > creation. The hook works fine. I just want to know if there is a way to
> > have the value of variables like the username, the name of the creator,
> > the e-mail of the creator and stuff like that.
>
> The current user is available via:
>
>     principal = getattr(context, 'principal')
>
> Using this you can look up that user:
>
>     (binddn, bindattrs) = find_entry_by_attr("krbprincipalname", principal, "krbPrincipalAux")
>
> rob
>
> ------------------------------
>
> Message: 4
> Date: Mon, 20 Aug 2012 14:48:30 +0100
> From: "Innes, Duncan" <duncan.in...@virginmoney.com>
> To: <freeipa-users@redhat.com>
> Subject: [Freeipa-users] Specifying load balancing to SSSD clients
> Message-ID:
>         <56343345B145C043AE990701E3D193952B5511@EXVS2.nrplc.localnet>
> Content-Type: text/plain; charset="us-ascii"
>
> Folks,
>
> Hopefully this isn't a dumb question, but I'm constrained by a few
> things on my estate and would be looking to deploy something like the
> following:
>
> 2 Datacentres
> 2 IPA servers at each datacentre
>
> ipa1.domain.com \_ datacentre A
> ipa2.domain.com /
>
> ipa3.domain.com \_ datacentre B
> ipa4.domain.com /
>
> The datacentres are linked, but bandwidth not great.
>
> Clients in datacentre A should therefore use ipa1.domain.com and
> ipa2.domain.com as primary servers and only fail over to ipa3 & ipa4
> when both 1 & 2 are out of action. Clients would revert to using
> ipa1/ipa2 whenever either of them came back online.
>
> I understand this configuration has already been done as part of
> https://fedorahosted.org/freeipa/ticket/2282
>
> What I'm wondering is if I can force my clients to load balance
> communication between ipa1 & ipa2.
>
> I don't have the ability to use the _srv_ records in DNS as that's set
> up for the AD servers on our network. I also can't create separate DNS
> servers for the Linux estate (not that I'd particularly want to).
>
> Is there any current configuration that I can use to force load
> balancing between ipa1/ipa2 under ideal conditions. Falling back to
> ipa2 when ipa1 is out of action. Falling back to (load balanced
> perhaps?) ipa3/ipa4 when ipa1 & ipa2 are both out of action.
>
> Hope the description is reasonable.
>
> Thanks
>
> Duncan Innes | Linux Architect
>
> ------------------------------
>
> Message: 5
> Date: Mon, 20 Aug 2012 10:15:08 -0400 (EDT)
> From: "Mark St. Laurent" <mstla...@redhat.com>
> To: Duncan Innes <duncan.in...@virginmoney.com>
> Cc: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] Specifying load balancing to SSSD clients
> Message-ID:
>         <290044214.13057699.1345472108805.javamail.r...@redhat.com>
> Content-Type: text/plain; charset="utf-8"
>
> http://www.redhat.com/products/enterprise-linux-add-ons/load-balancing/
>
>
> Norman "Mark" St. Laurent
> Federal Team: Senior Solutions Architect
> Red Hat
>
> ------------------------------
>
> End of Freeipa-users Digest, Vol 49, Issue 34
> *********************************************
_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users