On 08/27/2012 07:53 AM, Petr Spacek wrote:
> Hello,
>
> On 08/23/2012 07:00 AM, Franklin Catoni wrote:
>>> Hi,
>> Hello,
>>
>>> Is the zone not transferring at all, or is it just the updates that's
>>> not transferred to the AD slave server?
>> It's not transferring at all.
>>
>>> If the zone is not transferring at all: Did you modify the "Allow
>>> transfer" property of the zone?
>> Yes, I changed the parameter to allow zone transfers from the AD.
>>
>>> If the updates are not transferring: I believe automatic increment of the
>>> zone serial number will be supported in IPA 3.0. The IPA developers will
>>> have to confirm that. However you can manually change the serial number
>>> under Zone Settings.
>> Yes, I also read this information but I was hoping there was some other
>> solution to the issue. And I've manually changed the serial number of the
>> zone, but without success.
>>
>>> Hope this helps.
>> Thanks
>>
>>> Regards,
>>> Siggi
>
> I'm a bit confused, so I tried to summarize your configuration. Please
> correct me if I'm wrong:
>
> zone "ejemplo.com" = hosted on AD server
> zone "ejemplo.gob.ve" = hosted on FreeIPA server
>
> What is your target? Do you want to have both zones on each server?
> I.e. one server will be master for one zone and slave for the other
> zone (at the same time)?
>
> Zone transfers are supported from IPA 3.0. IPA can host only master
> zones; slave zones have to be set in /etc/named.conf manually. There
> is no centralized management of slave zones.
>
> Generally, you can test zone transfers with dig:
>
>   slave$ dig @master_IP -t AXFR zone.name
>
> It should print something like:
>
>   zone.example. 86400 IN SOA unused-4-107.brq.redhat.com. nonexistent.zone.example. 1344953446 123 123 666 1
>   zone.example. 86400 IN NS unused-4-107.brq.redhat.com.
>   zone.example. 86400 IN TXT "zone.example"
>   ...
>   zone.example. 86400 IN SOA unused-4-107.brq.redhat.com. nonexistent.zone.example. 1344953446 123 123 666 1
>
> This way you can test ACL and other settings on master.
>
> Does transfer with dig work for both master servers?
>
> Petr^2 Spacek

I can't find any updates on this thread. Has the issue been resolved?

>> 2012/8/20 <[email protected]>
>>
>>> Today's Topics:
>>>
>>>    1. Re: Active Directory slave zone in FreeIPA DNS (Sigbjorn Lie)
>>>    2. Re: sssd client cache timer and merging IPA domains (Rob Crittenden)
>>>    3. Re: Question about migration and scripts variables (Rob Crittenden)
>>>    4. Specifying load balancing to SSSD clients (Innes, Duncan)
>>>    5. Re: Specifying load balancing to SSSD clients (Mark St. Laurent)
>>>
>>> ----------------------------------------------------------------------
>>>
>>> Message: 1
>>> Date: Sun, 19 Aug 2012 18:23:20 +0200
>>> From: Sigbjorn Lie <[email protected]>
>>> To: [email protected]
>>> Subject: Re: [Freeipa-users] Active Directory slave zone in FreeIPA DNS
>>>
>>> On 08/19/2012 04:39 PM, Franklin Catoni wrote:
>>>> Greetings community.
>>>>
>>>> I do not speak English so I will do my best.
>>>>
>>>> I have two environments in my company, a domain "ejemplo.com" with
>>>> Windows Active Directory running on Windows Server 2003 Enterprise
>>>> Edition SP2 and a domain "ejemplo.gob.ve" with FreeIPA v2.2 mounted on
>>>> CentOS 6.3 x64. This is because we are in the middle of a platform
>>>> migration process (a very slow process) from proprietary solutions to
>>>> open source.
>>>>
>>>> DNS and DHCP service for my two environments is offered by the CentOS
>>>> 6.3 server on which the FreeIPA directory is mounted; clients are
>>>> Windows computers in the Active Directory domain and Linux computers in
>>>> the IPA domain.
>>>>
>>>> Currently the zone "ejemplo.gob.ve" is administered by the FreeIPA DNS
>>>> using the plugin (bind-dyndb-ldap.x86_64 v1.1.0) and I configured a
>>>> slave zone using bind (bind-9.8.2-0.10.rc1.el6_3.2.x86_64) for the
>>>> Active Directory domain "ejemplo.com".
>>>>
>>>> Name resolution works perfectly for both Linux and Windows clients.
>>>>
>>>> Now here comes the tricky part.
>>>>
>>>> In order to find a more centralized management of my services, I tried
>>>> to configure a slave zone for Active Directory through FreeIPA with
>>>> bind-dyndb-ldap and so eliminate configuration through bind, but the
>>>> zone transfers do not work, causing many problems on both platforms.
>>>>
>>>> The log shows me the following error:
>>>>
>>>>   ServidorIPA named[3706]: zone ejemplo.com/IN/local: zone serial (2012081801) unchanged. zone may fail to transfer to slaves
>>>>
>>>> I've spent enough time looking at Super Google for information that
>>>> can help me, but it has not been easy, because it seems to be a rare
>>>> situation.
>>>>
>>>> I ask: can this be set up under these circumstances? Has someone
>>>> accomplished it? Some information that orients me to a solution?
>>>>
>>>> Thanks for your time.
>>>>
>>> Hi,
>>>
>>> Is the zone not transferring at all, or is it just the updates that's
>>> not transferred to the AD slave server?
>>>
>>> If the zone is not transferring at all: Did you modify the "Allow
>>> transfer" property of the zone?
>>>
>>> If the updates are not transferring: I believe automatic increment of the
>>> zone serial number will be supported in IPA 3.0. The IPA developers will
>>> have to confirm that. However you can manually change the serial number
>>> under Zone Settings.
>>>
>>> Hope this helps.
>>>
>>> Regards,
>>> Siggi
>>>
>>> ------------------------------
>>>
>>> Message: 2
>>> Date: Mon, 20 Aug 2012 08:44:32 -0400
>>> From: Rob Crittenden <[email protected]>
>>> To: Lucas Yamanishi <[email protected]>
>>> Cc: [email protected]
>>> Subject: Re: [Freeipa-users] sssd client cache timer and merging IPA domains
>>>
>>> Lucas Yamanishi wrote:
>>>> On 08/17/2012 08:38 AM, Rob Crittenden wrote:
>>>>> Lucas Yamanishi wrote:
>>>>>> On 08/16/2012 05:39 PM, Rob Crittenden wrote:
>>>>>>> Lucas Yamanishi wrote:
>>>>>>>> On 08/16/2012 05:32 PM, Rob Crittenden wrote:
>>>>>>>>> Lucas Yamanishi wrote:
>>>>>>>>>> I just migrated my IPA instance from one to another a couple days
>>>>>>>>>> ago to recover after a lost CA and failed yum upgrade. The
>>>>>>>>>> "ipa migrate-ds" tool works very well, though I am having a few very
>>>>>>>>>> minor issues. On the upside, as far as I can tell, you can skip the
>>>>>>>>>> steps about Kerberos key generation as outlined in the
>>>>>>>>>> documentation. I've been able to kinit just fine with my migrated
>>>>>>>>>> users.
>>>>>>>>>>
>>>>>>>>>> Below are the few errors I've noticed.
>>>>>>>>>>
>>>>>>>>>> * When I ssh into an enrolled host using a migrated user's
>>>>>>>>>>   credentials I get this error:
>>>>>>>>>>
>>>>>>>>>>   id: cannot find name for group ID 104600003
>>>>>>>>>
>>>>>>>>> Does a group exist with that GID? You can try something like:
>>>>>>>>>
>>>>>>>>>   $ ipa group-find --gid=104600003
>>>>>>>>>
>>>>>>>> The group doesn't exist. The GID is the counterpart to my UID.
>>>>>>>
>>>>>>> Try adding --private.
>>>>>>>
>>>>>>> rob
>>>>>>>
>>>>>> Nope. It doesn't exist.
>>>>>>
>>>>>> Other groups migrated. Why would the private groups fail?
>>>>>
>>>>> I don't know, what have you done to date, including versions?
>>>>>
>>>>> rob
>>>> I've been following the stable Scientific Linux releases since 6.1.
>>>> Based on repo archives, I guess that would be 2.0.0-23.el6.x86_64. The
>>>> version was at 2.2.0-16.el6.x86_64 when I migrated, which I had just
>>>> upgraded from 2.1.3-9.el6.x86_64. I migrated to and now use
>>>> 2.2.0-16.el6.x86_64.
>>>>
>>>> So...
>>>> 2.0.0-23.el6.x86_64 -> 2.1.3-9.el6.x86_64 -> 2.2.0-16.el6.x86_64 ----> 2.2.0-16.el6.x86_64
>>>>
>>>
>>> Can you verify that managed entries are configured:
>>>
>>>   # ipa-managed-entries -l
>>>
>>> It should return:
>>>
>>>   UPG Definition
>>>   NGP Definition
>>>
>>> This enables user-private groups and netgroup-private groups.
>>>
>>> rob
>>>
>>> ------------------------------
>>>
>>> Message: 3
>>> Date: Mon, 20 Aug 2012 08:56:51 -0400
>>> From: Rob Crittenden <[email protected]>
>>> To: James James <[email protected]>
>>> Cc: [email protected]
>>> Subject: Re: [Freeipa-users] Question about migration and scripts variables
>>>
>>> James James wrote:
>>>> Hi,
>>>>
>>>> my first question is about the migrate process. Is it possible to
>>>> renumber the users during the migrate process (ipa migrate-ds) in a way
>>>> that all imported users will have a new UID?
>>>
>>> I haven't tested this but you might try
>>> --user-ignore-attribute=uidnumber,gidnumber.
>>>
>>>> my second question is about ipalib. I wanted to make a hook on the user
>>>> creation. The hook works fine. I just want to know if there is a way to
>>>> have the value of variables like the username, the name of the creator,
>>>> the e-mail of the creator and stuff like that.
>>>
>>> The current user is available via:
>>>
>>>   principal = getattr(context, 'principal')
>>>
>>> Using this you can look up that user:
>>>
>>>   (binddn, bindattrs) = find_entry_by_attr("krbprincipalname", principal, "krbPrincipalAux")
>>>
>>> rob
>>>
>>> ------------------------------
>>>
>>> Message: 4
>>> Date: Mon, 20 Aug 2012 14:48:30 +0100
>>> From: "Innes, Duncan" <[email protected]>
>>> To: [email protected]
>>> Subject: [Freeipa-users] Specifying load balancing to SSSD clients
>>>
>>> Folks,
>>>
>>> Hopefully this isn't a dumb question, but I'm constrained by a few
>>> things on my estate and would be looking to deploy something like the
>>> following:
>>>
>>> 2 Datacentres
>>> 2 IPA servers at each datacentre
>>>
>>>   ipa1.domain.com \_ datacentre A
>>>   ipa2.domain.com /
>>>
>>>   ipa3.domain.com \_ datacentre B
>>>   ipa4.domain.com /
>>>
>>> The datacentres are linked, but bandwidth not great.
>>>
>>> Clients in datacentre A should therefore use ipa1.domain.com and
>>> ipa2.domain.com as primary servers and only fail over to ipa3 & ipa4
>>> when both 1 & 2 are out of action. Clients would revert to using
>>> ipa1/ipa2 whenever either of them came back online.
>>>
>>> I understand this configuration has already been done as part of
>>> https://fedorahosted.org/freeipa/ticket/2282
>>>
>>> What I'm wondering is if I can force my clients to load balance
>>> communication between ipa1 & ipa2.
>>>
>>> I don't have the ability to use the _srv_ records in DNS as that's set
>>> up for the AD servers on our network. I also can't create separate DNS
>>> servers for the Linux estate (not that I'd particularly want to).
>>>
>>> Is there any current configuration that I can use to force load
>>> balancing between ipa1/ipa2 under ideal conditions? Falling back to
>>> ipa2 when ipa1 is out of action. Falling back to (load balanced
>>> perhaps?) ipa3/ipa4 when ipa1 & ipa2 are both out of action.
>>>
>>> Hope the description is reasonable.
>>>
>>> Thanks
>>>
>>> Duncan Innes | Linux Architect
>>>
>>> ------------------------------
>>>
>>> Message: 5
>>> Date: Mon, 20 Aug 2012 10:15:08 -0400 (EDT)
>>> From: "Mark St. Laurent" <[email protected]>
>>> To: Duncan Innes <[email protected]>
>>> Cc: [email protected]
>>> Subject: Re: [Freeipa-users] Specifying load balancing to SSSD clients
>>>
>>> http://www.redhat.com/products/enterprise-linux-add-ons/load-balancing/
>>>
>>> Norman "Mark" St. Laurent
>>> Federal Team: Senior Solutions Architect
>>> Red Hat
>>> 8260 Greensboro Drive, Suite 300
>>> McLean VA, 22102
>>> Email: [email protected]
>>> Cell: 703.772.1434
>>>
>>> Check this Link out!!! Cool Stuff: http://mil-oss.org/
>>>
>>> ----- Original Message -----
>>>
>>> From: "Duncan Innes" <[email protected]>
>>> To: [email protected]
>>> Sent: Monday, August 20, 2012 9:48:30 AM
>>> Subject: [Freeipa-users] Specifying load balancing to SSSD clients
>>>
>>> [Duncan Innes's message is quoted here in full; it is identical to Message 4 above.]
>>
>
> _______________________________________________
> Freeipa-users mailing list
> [email protected]
> https://www.redhat.com/mailman/listinfo/freeipa-users

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
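Petr's `dig @master_IP -t AXFR zone.name` test above is easy to misread by eye, so here is an added example (written for this page, not code from the thread, FreeIPA or bind) that checks a dig AXFR answer programmatically: it confirms the transfer is complete (SOA at both ends with the same serial, which an ACL refusal or a truncated answer fails) and compares the SOA serial a master serves with the one a slave serves, which is the stale-slave condition behind the "zone serial unchanged" warning Franklin quotes. The sample answers, the ns1/hostmaster names and the serials are constructed; only the stale serial 2012081801 is taken from the log line in the thread.

```python
import re

# dig AXFR output constructed to mirror the shape Petr shows above (sample data, not
# from a real server). Real dig output has tabs and ";" comment lines; both are handled.
SAMPLE_AXFR = """\
zone.example. 86400 IN SOA ns1.zone.example. hostmaster.zone.example. 1344953446 123 123 666 1
zone.example. 86400 IN NS ns1.zone.example.
zone.example. 86400 IN TXT "zone.example"
zone.example. 86400 IN SOA ns1.zone.example. hostmaster.zone.example. 1344953446 123 123 666 1
"""
# A slave still serving the serial from the named log line quoted in the thread.
SAMPLE_STALE_SLAVE = ("zone.example. 86400 IN SOA ns1.zone.example. "
                      "hostmaster.zone.example. 2012081801 123 123 666 1\n")

# owner  TTL  IN  SOA  mname  rname  serial ...
SOA_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+SOA\s+\S+\s+\S+\s+(\d+)\b")

def records(output):
    """Resource-record lines of a dig answer; comment and blank lines dropped."""
    return [l for l in output.splitlines() if l.strip() and not l.startswith(";")]

def parse_axfr(output):
    """Validate a dig AXFR answer and return (zone, serial, record_count).
    A complete transfer starts and ends with the zone's SOA, both carrying the same
    serial; anything else means it was refused (allow-transfer ACL) or truncated."""
    recs = records(output)
    if not recs:
        raise ValueError("no records: transfer refused or server unreachable")
    first, last = SOA_RE.match(recs[0]), SOA_RE.match(recs[-1])
    if first is None or last is None:
        raise ValueError("answer not bounded by SOA records: incomplete AXFR")
    if first.groups() != last.groups():
        raise ValueError("opening and closing SOA differ: zone changed mid-transfer")
    return first.group(1), int(first.group(2)), len(recs)

def transfer_problem(output):
    """None if output is a complete AXFR, otherwise the reason it is not."""
    try:
        parse_axfr(output)
        return None
    except ValueError as exc:
        return str(exc)

def compare_serials(master_output, slave_output):
    """(master_serial, slave_serial, in_sync) from two dig answers (an AXFR, or a
    plain SOA query whose answer is a single SOA line). A slave behind the master
    will not refresh until the master's serial is bumped."""
    m, s = parse_axfr(master_output)[1], parse_axfr(slave_output)[1]
    return m, s, m == s
```

Feed it the stdout of `dig @master -t AXFR zone` for the master and `dig @slave zone SOA` for the slave: a transfer problem points at the allow-transfer ACL, an out-of-sync serial at the serial not being incremented.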
