The problem with 'foreman-prepare-realm' and freeipa was that it claimed that a few of the permissions required did not exist when it tried to add them to the 'smart proxy host management' privilege.
I think it was because the permissions were all in lower case without the 'System: ' prefix. This is just an assumption since I did not get it to work even after adding them manually.

So I figured to try it again after reverting back to 3.3.5. After downgrading I learned that it did not work due to a bug in a ruby script (fixed by commenting out lines 505-506 in /usr/share/ruby/xmlrpc/client.rb on the katello host, see https://bugs.ruby-lang.org/issues/8182 and https://bugzilla.redhat.com/show_bug.cgi?id=1071187 ).

After which I tried the upgrade again.

Regarding https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/NamedCannotStart
I did look again using the credentials as mentioned in step 4 and saw only 3 objects (1x idnsConfigObject, 2x nsContainer).
When using admin credentials I saw all the dns zone entries.

I can see the zone entries in the ipa gui.

Also when I look at the permissions in ipa there are no longer any permissions that have the 'System: ' prefix.

Rob

2014-11-04 15:52 GMT+01:00 Petr Spacek <pspa...@redhat.com>:

> On 4.11.2014 15:27, Rob Verduijn wrote:
>
>> Hello again,
>>
>> I've managed to integrate my katello configuration with freeipa.
>> Now I not only use freeipa authentication in katello but also when a host
>> is defined in katello it automagically gets created in the freeipa realm,
>> certs, otp, dns all working great.
>>
>> However, to obtain all this integration greatness I had to downgrade my
>> freeipa to 3.3.5 again (revert snapshot) because the katello realm
>> integration tool (foreman-prepare-realm) is not capable of dealing with
>> 4.X versions of freeipa.
>>
> It would be nice if you could tell us more details about the problem
> you had with Katello, AFAIK we are not aware of any.
>
>> And now the named-pkcs11 again does not see my internal zones.
>>
>> This page
>> https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/NamedCannotStart
>> thinks I should contact the freeipa-users list
>>
>
> Do I understand correctly that you did all the steps 0-4 successfully and
> then you found out that you can't see DNS objects in LDAP (step 5) when
> using ldapsearch with DNS principal?
>
> Can you see the objects in IPA web UI or CLI? If it is the case then we
> will need help from LDAP ACI expert (pviktori? :-).
>
> Petr^2 Spacek
>
>
>> The command 'ipa-ldap-updater
>> /usr/share/ipa/updates/55-pbacmemberof.update' didn't fix it,
>> and the command 'ipa-ldap-updater' didn't fix it either.
>>
>> So I am now stuck at freeipa 3.3.5 again (with a working katello
>> integration, so I got some mixed emotions about it)
>> Any ideas anyone ?
>> Rob
>>
>>
>> 2014-10-29 22:14 GMT+01:00 Rob Verduijn <rob.verdu...@gmail.com>:
>>
>>> Hello,
>>>
>>> I've tested the update again.
>>>
>>> The bind-utils conflict is still there when I issue "yum update
>>> freeipa-server" (as indicated on the freeipa 4.1 download page
>>> http://www.freeipa.org/page/Downloads#Upgrading )
>>>
>>> 'yum update' works fine
>>>
>>> My internal zones didn't resolve after the update
>>> ipa-ldap-updater /usr/share/ipa/updates/55-pbacmemberof.update didn't
>>> fix it
>>> ipa-ldap-updater did fix the 'access control instructions' and my
>>> internal dns zones started to resolve again :-)
>>>
>>> Cheers
>>> Rob
>>>
>>>
>>> 2014-10-29 18:14 GMT+01:00 Petr Spacek <pspa...@redhat.com>:
>>>
>>>> On 29.10.2014 16:46, Rob Verduijn wrote:
>>>>
>>>>> Hello,
>>>>>
>>>>> # ipa-ldap-updater /usr/share/ipa/updates/55-pbacmemberof.update
>>>>> fixes the problem.
>>>>>
>>>>> I can resolve my internal dns zones again :-)
>>>>>
>>>>> Many thanx.
>>>>>
>>>>> Since this problem happened every time I tried to update the freeipa
>>>>> server.
>>>>> I could re-run the update with some debug options if you like so you
>>>>> can pinpoint what goes wrong with the update script if you like.
>>>>>
>>>>
>>>> I have rebuilt some packages in mkosek's CORP so now you should not
>>>> encounter dependency problems. Simple 'yum upgrade' should give you all
>>>> the required packages.
>>>>
>>>> We are looking at other problems in upgrade process right now so there
>>>> is not much to test except package dependencies.
>>>>
>>>> --
>>>> Petr^2 Spacek
>>>>
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project