On 08/27/2012 07:53 AM, Petr Spacek wrote:
> Hello,
>
> On 08/23/2012 07:00 AM, Franklin Catoni wrote:
>>  >>Hi,
>> Hello,
>>  >>Is the zone not transferring at all, or is it just the updates that's
>>  >>not transferred to the AD slave server?
>> It's not transferring at all.
>>  >>If the zone is not transferring at all: Did yo modify the "Allow
>>  >>transfer" property of the zone ?
>> yes, I change the parameter to allow zone transfers from the AD
>>  >>If the updates is not transferring: I believe automatic increment
>> of the
>>  >>zone serial number will be supported in IPA 3.0. The IPA
>> developers will
>>  >>have to confirm that. However you can manually change the serial
>> number
>>  >>under Zone Settings.
>> Yes, I also read this information but I was hoping there was some other
>> solution to the issue. And I've done manually change the serial
>> number of the
>> zone but without success
>>  >>Hope this helps.
>> Thanks
>>
>>  >>Regards,
>>  >>Siggi
>
> I'm a bit confused, so I tried to summarize your configuration. Please
> correct me if I'm wrong:
>
> zone "ejemplo.com" = hosted on AD server
> zone "ejemplo.gob.ve" = hosted on FreeIPA server
>
> What is your target? Do you want to have both zones on each server?
> I.e. one server will be master for one zone and slave for the other
> zone (at the same time)?
>
> Zone transfers are supported from IPA 3.0. IPA can host only master
> zones, slave zones have to be set in /etc/named.conf manually. There
> is no centralized management of slave zones.
>
>
> Generally, you can test zone-transfers with dig:
>
> slave$ dig @master_IP -t AXFR zone.name
>
> It should print something like:
>
> zone.example.        86400    IN    SOA   
> unused-4-107.brq.redhat.com. nonexistent.zone.example. 1344953446 123
> 123 666 1
> zone.example.        86400    IN    NS    unused-4-107.brq.redhat.com.
> zone.example.        86400    IN    TXT    "zone.example"
> ...
> zone.example.        86400    IN    SOA   
> unused-4-107.brq.redhat.com. nonexistent.zone.example. 1344953446 123
> 123 666 1
>
> This way you can test ACL and other settings on master.
>
> Does transfer with dig it work for both master servers?
>
> Petr^2 Spacek
>

I can find any updates on this thread.
Has the issue been resolved?

>
>>
>> 2012/8/20 <freeipa-users-requ...@redhat.com
>> <mailto:freeipa-users-requ...@redhat.com>>
>>
>>     Send Freeipa-users mailing list submissions to
>>     freeipa-users@redhat.com <mailto:freeipa-users@redhat.com>
>>
>>     To subscribe or unsubscribe via the World Wide Web, visit
>>     https://www.redhat.com/mailman/listinfo/freeipa-users
>>     or, via email, send a message with subject or body 'help' to
>>     freeipa-users-requ...@redhat.com
>> <mailto:freeipa-users-requ...@redhat.com>
>>
>>     You can reach the person managing the list at
>>     freeipa-users-ow...@redhat.com
>> <mailto:freeipa-users-ow...@redhat.com>
>>
>>     When replying, please edit your Subject line so it is more specific
>>     than "Re: Contents of Freeipa-users digest..."
>>
>>
>>     Today's Topics:
>>
>>         1. Re: Active Directory slave zone in FreeIPA DNS (Sigbjorn Lie)
>>         2. Re: sssd client cache timer and merging IPA domains
>>            (Rob Crittenden)
>>         3. Re: Question about migration and scripts variables
>>            (Rob Crittenden)
>>         4. Specifying load balancing to SSSD clients (Innes, Duncan)
>>         5. Re: Specifying load balancing to SSSD clients (Mark St.
>> Laurent)
>>
>>
>>    
>> ----------------------------------------------------------------------
>>
>>     Message: 1
>>     Date: Sun, 19 Aug 2012 18:23:20 +0200
>>     From: Sigbjorn Lie <sigbj...@nixtra.com
>> <mailto:sigbj...@nixtra.com>>
>>     To: freeipa-users@redhat.com <mailto:freeipa-users@redhat.com>
>>     Subject: Re: [Freeipa-users] Active Directory slave zone in FreeIPA
>>              DNS
>>     Message-ID: <503112f8.8000...@nixtra.com
>> <mailto:503112f8.8000...@nixtra.com>>
>>     Content-Type: text/plain; charset="iso-8859-1"; Format="flowed"
>>
>>     On 08/19/2012 04:39 PM, Franklin Catoni wrote:
>>      > Greetings community.
>>      >
>>      > I do not speak English so I will do my best.
>>      >
>>      > I have two environments in my company, a domain "ejemplo.com
>>     <http://ejemplo.com>
>>      > <http://ejemplo.com>" with Windows Active Directory running on
>> Windows
>>      > Server 2003 Enterprise Edition SP2 and domain  "ejemplo.gob.ve
>>     <http://ejemplo.gob.ve>
>>      > <http://ejemplo.gob.ve>" with FreeIPA v2.2. mounted on Centos
>> 6.3 x64.
>>      >  This is because we are in the middle of a platform migration
>> process
>>      > (a very slow process) from proprietary solutions to open source.
>>      >
>>      > DNS and DHCP service for my two environments is offered by the
>> server
>>      > Centos 6.3 which is mounted FreeIPA directory, clients are
>> Windows
>>      > computers Active Directory domain and linux computers in the
>> domain Ipa.
>>      >
>>      > Currently the zone "ejemplo.gob.ve <http://ejemplo.gob.ve>
>>     <http://ejemplo.gob.ve>" is
>>      > administered by the FreeIPA DNS using the plugin
>>      > (bind-dyndb-ldap.x86_64 v1.1.0) and I configure a slave zone
>> using
>>      > bind (bind-9.8.2-0.10.rc1.el6_3.2 . x86_64) for the domain
>>      > "ejemplo.com <http://ejemplo.com> <http://ejemplo.com>" Active
>> Directory
>>      >
>>      > Name resolution works perfectly for both Linux and Windows
>> clients.
>>      >
>>      > Now here comes the tricky part
>>      >
>>      > In order to find a more centralized management of my services,
>> I try
>>      > to configure a slave zone to Active Directory through FreeIPA
>> with
>>      > dyndb bind-plugin-ldap and so to eliminate configuration
>> through bind,
>>      > but the transfers zone does not work, causing this many
>> problems on
>>      > both platforms.
>>      >
>>      > The log shows me the following error:
>>      >
>>      > ServidorIPA named[3706]: zone ejemplo.com/IN/local
>>     <http://ejemplo.com/IN/local>
>>      > <http://ejemplo.com/IN/local>: zone serial (2012081801)
>> unchanged.
>>      > zone may fail to transfer to slaves
>>      >
>>      > I've spent enough time looking at Super Google information
>> that can
>>      > help me but it has not been easy, because it seems to be a
>> rare situation.
>>      >
>>      > I ask. You can set this up under these circumstances?
>>      > Someone has accomplished?
>>      > Some information that horiente me to get a solution?
>>      >
>>      > Thanks for your time.
>>      >
>>     Hi,
>>
>>     Is the zone not transferring at all, or is it just the updates
>> that's
>>     not transferred to the AD slave server?
>>
>>     If the zone is not transferring at all: Did yo modify the "Allow
>>     transfer" property of the zone ?
>>
>>     If the updates is not transferring: I believe automatic increment
>> of the
>>     zone serial number will be supported in IPA 3.0. The IPA
>> developers will
>>     have to confirm that. However you can manually change the serial
>> number
>>     under Zone Settings.
>>
>>     Hope this helps.
>>
>>
>>     Regards,
>>     Siggi
>>
>>     -------------- next part --------------
>>     An HTML attachment was scrubbed...
>>     URL:
>>    
>> <https://www.redhat.com/archives/freeipa-users/attachments/20120819/73825288/attachment.html>
>>
>>     ------------------------------
>>
>>     Message: 2
>>     Date: Mon, 20 Aug 2012 08:44:32 -0400
>>     From: Rob Crittenden <rcrit...@redhat.com
>> <mailto:rcrit...@redhat.com>>
>>     To: Lucas Yamanishi <lyamani...@sesda2.com
>> <mailto:lyamani...@sesda2.com>>
>>     Cc: "freeipa-users@redhat.com <mailto:freeipa-users@redhat.com>"
>>     <freeipa-users@redhat.com <mailto:freeipa-users@redhat.com>>
>>     Subject: Re: [Freeipa-users] sssd client cache timer and merging IPA
>>              domains
>>     Message-ID: <50323130.6030...@redhat.com
>> <mailto:50323130.6030...@redhat.com>>
>>     Content-Type: text/plain; charset=UTF-8; format=flowed
>>
>>     Lucas Yamanishi wrote:
>>      >
>>      > On 08/17/2012 08:38 AM, Rob Crittenden wrote:
>>      >> Lucas Yamanishi wrote:
>>      >>>
>>      >>> On 08/16/2012 05:39 PM, Rob Crittenden wrote:
>>      >>>> Lucas Yamanishi wrote:
>>      >>>>>
>>      >>>>> On 08/16/2012 05:32 PM, Rob Crittenden wrote:
>>      >>>>>> Lucas Yamanishi wrote:
>>      >>>>>>> I just migrated my IPA instance from one to another a
>> couple days
>>      >>>>>>> ago to
>>      >>>>>>> recover after a lost CA and failed yum upgrade.  The
>> "ipa migrate-ds"
>>      >>>>>>> tool works very well, though I am having a few very
>> minor issues.  On
>>      >>>>>>> the upside, as far as I can tell, you can skip the steps
>> about
>>      >>>>>>> Kerberos
>>      >>>>>>> key generation as outlined in the documentation.  I've
>> been able to
>>      >>>>>>> kinit just fine with my migrated users.
>>      >>>>>>>
>>      >>>>>>>
>>      >>>>>>> Below are the few errors I've noticed.
>>      >>>>>>>
>>      >>>>>>> * When I ssh into an enrolled host using a migrated user's
>>      >>>>>>> credentials I
>>      >>>>>>> get this error:
>>      >>>>>>>
>>      >>>>>>>       id: cannot find name for group ID 104600003\
>>      >>>>>>
>>      >>>>>> Does a group exist with that GID? You can try something
>> like:
>>      >>>>>>
>>      >>>>>> $ ipa group-find --gid=104600003
>>      >>>>>>
>>      >>>>>
>>      >>>>> The group doesn't exist.  The GID is the counterpart to my
>> UID.
>>      >>>>
>>      >>>> Try adding --private.
>>      >>>>
>>      >>>> rob
>>      >>>>
>>      >>>
>>      >>> Nope. It doesn't exist.
>>      >>>
>>      >>> Other groups migrated.  Why would the private groups fail?
>>      >>
>>      >> I don't know, what have you done to date, including versions?
>>      >>
>>      >> rob
>>      > I've been following the stable Scientific Linux releases since
>> 6.1.
>>      > Based on repo archives, I guess that would be
>> 2.0.0-23.el6.x86_64.  The
>>      > version was at 2.2.0-16.el6.x86_64 when I migrated, which I
>> had just
>>      > upgraded from 2.1.3-9.el6.x86_64.  I migrated to and use now
>>      > 2.2.0-16.el6.x86_64.
>>      >
>>      > So...
>>      > 2.0.0-23.el6.x86_64 -> 2.1.3-9.el6.x86_64 ->
>> 2.2.0-16.el6.x86_64 ---->
>>      > 2.2.0-16.el6.x86_64
>>      >
>>      >
>>
>>     Can you verify that managed entries are configured:
>>
>>     # ipa-managed-entries -l
>>
>>     It should return:
>>
>>     UPG Definition
>>     NGP Definition
>>
>>     This enables user-private groups and netgroup-private groups.
>>
>>     rob
>>
>>
>>
>>     ------------------------------
>>
>>     Message: 3
>>     Date: Mon, 20 Aug 2012 08:56:51 -0400
>>     From: Rob Crittenden <rcrit...@redhat.com
>> <mailto:rcrit...@redhat.com>>
>>     To: James James <jre...@gmail.com <mailto:jre...@gmail.com>>
>>     Cc: freeipa-users@redhat.com <mailto:freeipa-users@redhat.com>
>>     Subject: Re: [Freeipa-users] Question about migration and scripts
>>              variables
>>     Message-ID: <50323413.4090...@redhat.com
>> <mailto:50323413.4090...@redhat.com>>
>>     Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>>
>>     James James wrote:
>>      > Hi,
>>      >
>>      > my first question is about the migrate process. Is it possible to
>>      > renumber the users during the migrate process (ipa migrate-ds)
>> in a way
>>      > that all imported users will have a new UID ?
>>
>>     I haven't tested this but you might try
>>     --user-ignore-attribute=uidnumber,gidnumber.
>>
>>      > my second question is about ipalib. I wanted to make a hook on
>> the user
>>      > creation. The hook works fine. I just want to know if there is
>> a way to
>>      > have the value of variables like the username, the name of the
>> creator,
>>      > the e-mail of the creator and stuff like that.
>>
>>     The current user is available via: principal = getattr(context,
>> 'principal')
>>
>>     Using this you can look up that user:
>>
>>     (binddn, bindattrs) = find_entry_by_attr("krbprincipalname",
>> principal,
>>     "krbPrincipalAux")
>>
>>     rob
>>
>>
>>
>>     ------------------------------
>>
>>     Message: 4
>>     Date: Mon, 20 Aug 2012 14:48:30 +0100
>>     From: "Innes, Duncan" <duncan.in...@virginmoney.com
>>     <mailto:duncan.in...@virginmoney.com>>
>>     To: <freeipa-users@redhat.com <mailto:freeipa-users@redhat.com>>
>>     Subject: [Freeipa-users] Specifying load balancing to SSSD clients
>>     Message-ID:
>>             
>> <56343345B145C043AE990701E3D193952B5511@EXVS2.nrplc.localnet>
>>     Content-Type: text/plain;       charset="us-ascii"
>>
>>     Folks,
>>
>>     Hopefully this isn't a dumb question, but I'm constrained by a few
>>     things on my estate and would be looking to deploy something like
>> the
>>     following:
>>
>>     2 Datacentres
>>     2 IPA servers at each datacentre
>>
>>     ipa1.domain.com <http://ipa1.domain.com> \_ datacentre A
>>     ipa2.domain.com <http://ipa2.domain.com> /
>>
>>     ipa3.domain.com <http://ipa3.domain.com> \_ datacentre B
>>     ipa4.domain.com <http://ipa4.domain.com> /
>>
>>     The datacentres are linekd, but bandwidth not great.
>>
>>     Client's in datacentre A should therefore use ipa1.domain.com
>>     <http://ipa1.domain.com> and
>>     ipa2.domain.com <http://ipa2.domain.com> as primary servers and
>> only fail
>>     over to ipa3 & ipa4
>>     when both 1 & 2 are out of action.  Clients would revert to using
>>     ipa1/ipa2 whenever either of them came back online.
>>
>>     I understand this configuration has already been done as part of
>>     https://fedorahosted.org/freeipa/ticket/2282
>>
>>     What I'm wondering is if I can force my clients to load balance
>>     communication between ipa1 & ipa2.
>>
>>     I don't have the ability to use the _srv_ records in DNS as
>> that's set
>>     up for the AD servers on our network.  I also can't create
>> separate DNS
>>     servers for the Linux estate (not that I'd particularly want to).
>>
>>     Is there any current configuration that I can use to force load
>>     balancing between ipa1/ipa2 under ideal conditions.  Falling back to
>>     ipa2 when ipa1 is out of action.  Falling back to (load balanced
>>     perhaps?) ipa3/ipa4 when ipa1 & ipa2 are both out of action.
>>
>>     Hope the description is reasonable.
>>
>>     Thanks
>>
>>     Duncan Innes | Linux Architect
>>
>>     ------------------------------
>>
>>     Message: 5
>>     Date: Mon, 20 Aug 2012 10:15:08 -0400 (EDT)
>>     From: "Mark St. Laurent" <mstla...@redhat.com
>> <mailto:mstla...@redhat.com>>
>>     To: Duncan Innes <duncan.in...@virginmoney.com
>>     <mailto:duncan.in...@virginmoney.com>>
>>     Cc: freeipa-users@redhat.com <mailto:freeipa-users@redhat.com>
>>     Subject: Re: [Freeipa-users] Specifying load balancing to SSSD
>> clients
>>     Message-ID:
>>              <290044214.13057699.1345472108805.javamail.r...@redhat.com
>>     <mailto:290044214.13057699.1345472108805.javamail.r...@redhat.com>>
>>     Content-Type: text/plain; charset="utf-8"
>>
>>    
>> http://www.redhat.com/products/enterprise-linux-add-ons/load-balancing/
>>
>>
>>     Norman "Mark" St. Laurent
>>     Federal Team: Senior Solutions Architect
>>     Red Hat
>>     8260 Greensboro Drive, Suite 300
>>     McLean VA, 22102
>>     Email: m...@redhat.com <mailto:m...@redhat.com>
>>     Cell: 703.772.1434
>>
>>     Check this Link out!!! Cool Stuff: http://mil-oss.org/
>>
>>     ----- Original Message -----
>>
>>     From: "Duncan Innes" <duncan.in...@virginmoney.com
>>     <mailto:duncan.in...@virginmoney.com>>
>>     To: freeipa-users@redhat.com <mailto:freeipa-users@redhat.com>
>>     Sent: Monday, August 20, 2012 9:48:30 AM
>>     Subject: [Freeipa-users] Specifying load balancing to SSSD clients
>>
>>     Folks,
>>
>>     Hopefully this isn't a dumb question, but I'm constrained by a few
>>     things on my estate and would be looking to deploy something like
>> the
>>     following:
>>
>>     2 Datacentres
>>     2 IPA servers at each datacentre
>>
>>     ipa1.domain.com <http://ipa1.domain.com> \_ datacentre A
>>     ipa2.domain.com <http://ipa2.domain.com> /
>>
>>     ipa3.domain.com <http://ipa3.domain.com> \_ datacentre B
>>     ipa4.domain.com <http://ipa4.domain.com> /
>>
>>     The datacentres are linekd, but bandwidth not great.
>>
>>     Client's in datacentre A should therefore use ipa1.domain.com
>>     <http://ipa1.domain.com> and
>>     ipa2.domain.com <http://ipa2.domain.com> as primary servers and
>> only fail
>>     over to ipa3 & ipa4
>>     when both 1 & 2 are out of action. Clients would revert to using
>>     ipa1/ipa2 whenever either of them came back online.
>>
>>     I understand this configuration has already been done as part of
>>     https://fedorahosted.org/freeipa/ticket/2282
>>
>>     What I'm wondering is if I can force my clients to load balance
>>     communication between ipa1 & ipa2.
>>
>>     I don't have the ability to use the _srv_ records in DNS as
>> that's set
>>     up for the AD servers on our network. I also can't create
>> separate DNS
>>     servers for the Linux estate (not that I'd particularly want to).
>>
>>     Is there any current configuration that I can use to force load
>>     balancing between ipa1/ipa2 under ideal conditions. Falling back to
>>     ipa2 when ipa1 is out of action. Falling back to (load balanced
>>     perhaps?) ipa3/ipa4 when ipa1 & ipa2 are both out of action.
>>
>>     Hope the description is reasonable.
>>
>>     Thanks
>>
>>     Duncan Innes | Linux Architect
>>
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/



_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Reply via email to