Great news about the script. I will as soon as I get the upgrade to 4.1 to work with internal dns support.
yup, 12 default permissions + 3 custom permissions in the smart-host-proxy-management privilege. I guess I'll leave those 12 default permissions since I expect it might break things when I remove those :P

Rob

2014-11-05 16:20 GMT+01:00 Stephen Benjamin <step...@redhat.com>:
> On Wed, Nov 05, 2014 at 04:09:18PM +0100, Rob Verduijn wrote:
> > Hello again,
> >
> > I don't know about foreman upstream, the current version that I am using included in the katello installation is 1.6.
> > And the foreman manpage still requires the configuration of the realm-smart-proxy.
> > http://www.theforeman.org/manuals/1.6/index.html#4.3.9Realm
> >
> > About the snapshot:
> > I removed all the katello entries from my current freeipa installation (I peeked in the script to see what it did):
> > - user (foreman-realm)
> > - role (Smart Host Proxy Manager)
> > - privilege (Smart Host Proxy Management)
> > - 3 custom permissions (modify host password, write host certificate, modify host userclass)
> > applied the update to freeipa 4.1.
> > my local dns zones did not resolve again
> > running the ipa-ldap-updater did not fix it
>
> It's more like 12 permissions for that privilege, the complaints of missing permissions you saw are because they've changed names in FreeIPA 4, you can try this script instead:
>
> https://raw.githubusercontent.com/stbenjam/smart-proxy/8278/sbin/foreman-prepare-realm
>
> > So I guess that it is not due to the katello integration or the realm-smart-proxy script.
> >
> > Rob
> >
> > 2014-11-05 14:39 GMT+01:00 Petr Spacek <pspa...@redhat.com>:
> >
> > > On 4.11.2014 17:15, Rob Verduijn wrote:
> > >
> > >> The problem with 'foreman-prepare-realm' and freeipa was that it claimed that a few of the permissions required did not exist when it tried to add them to the 'smart proxy host management' privilege.
> > >>
> > >> I think it was because the permissions were all in lower case without the 'System: ' prefix. This is just an assumption since I did not get it to work even after adding them manually. So I figured to try it again after reverting back to 3.3.5.
> > >>
> > >> After downgrading I learned that it did not work due to a bug in a ruby script. (fixed by commenting out lines 505-506 in /usr/share/ruby/xmlrpc/client.rb on the katello host, see https://bugs.ruby-lang.org/issues/8182 and https://bugzilla.redhat.com/show_bug.cgi?id=1071187)
> > >>
> > >> After which I tried the upgrade again.
> > >>
> > >> regarding https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/NamedCannotStart
> > >> I did look again using the credentials as mentioned in step 4. and saw only 3 objects (1x idnsConfigObject, 2x nsContainer).
> > >> When using admin credentials I saw all the dns zone entries.
> > >>
> > >> I can see the zone entries in the ipa gui.
> > >>
> > >> Also when I look at the permissions in ipa there are no longer any permissions that have the 'System: ' prefix.
> > >
> > > AFAIK the foreman proxy is not necessary (and not supported) with IPA 4.x because it was obsoleted by 'native' proxy delivered by Foreman upstream.
> > >
> > > Am I right, Rob (Crittenden)? :-)
> > >
> > > Anyway, back to your DNS problem. Did it work before you installed Foreman proxy? Or not? I.e. is it working when you revert the snapshot?
> > >
> > > Do you have other replicas in the replication topology? Please keep in mind that changes in LDAP (including changes to permissions) are replicated so reverting one VM and not others is not necessarily enough.
> > >
> > > Petr^2 Spacek
> > >
> > >> 2014-11-04 15:52 GMT+01:00 Petr Spacek <pspa...@redhat.com>:
> > >>
> > >>> On 4.11.2014 15:27, Rob Verduijn wrote:
> > >>>
> > >>>> Hello again,
> > >>>>
> > >>>> I've managed to integrate my katello configuration with freeipa. Now I not only use freeipa authentication in katello but also when a host is defined in katello it automagically gets created in the freeipa realm; certs, otp, dns all working great.
> > >>>>
> > >>>> however, to obtain all this integration greatness I had to downgrade my freeipa to 3.3.5 again (revert snapshot) because the katello realm integration tool (foreman-prepare-realm) is not capable of dealing with 4.X versions of freeipa.
> > >>>
> > >>> It would be nice if you could tell us more details about the problem you had with Katello, AFAIK we are not aware of any.
> > >>>
> > >>>> And now the named-pkcs11 again does not see my internal zones.
> > >>>>
> > >>>> This page https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/NamedCannotStart thinks I should contact the freeipa-users list
> > >>>
> > >>> Do I understand correctly that you did all the steps 0-4 successfully and then you found out that you can't see DNS objects in LDAP (step 5) when using ldapsearch with DNS principal?
> > >>>
> > >>> Can you see the objects in IPA web UI or CLI? If it is the case then we will need help from LDAP ACI expert (pviktori? :-).
> > >>>
> > >>> Petr^2 Spacek
> > >>>
> > >>>> The command 'ipa-ldap-updater /usr/share/ipa/updates/55-pbacmemberof.update' didn't fix it.
> > >>>> and the command 'ipa-ldap-updater' didn't fix it either.
> > >>>>
> > >>>> So I am now stuck at freeipa 3.3.5 again (with a working katello integration, so I got some mixed emotions about it)
> > >>>> Any ideas anyone?
> > >>>> Rob
> > >>>>
> > >>>> 2014-10-29 22:14 GMT+01:00 Rob Verduijn <rob.verdu...@gmail.com>:
> > >>>>
> > >>>>> Hello,
> > >>>>>
> > >>>>> I've tested the update again.
> > >>>>>
> > >>>>> The bind-utils conflict is still there when I issue "yum update freeipa-server" (as indicated on the freeipa 4.1 download page http://www.freeipa.org/page/Downloads#Upgrading)
> > >>>>>
> > >>>>> 'yum update' works fine
> > >>>>>
> > >>>>> My internal zones didn't resolve after the update
> > >>>>> ipa-ldap-updater /usr/share/ipa/updates/55-pbacmemberof.update didn't fix it
> > >>>>> ipa-ldap-updater did fix the 'access control instructions' and my internal dns zones started to resolve again :-)
> > >>>>>
> > >>>>> Cheers
> > >>>>> Rob
> > >>>>>
> > >>>>> 2014-10-29 18:14 GMT+01:00 Petr Spacek <pspa...@redhat.com>:
> > >>>>>
> > >>>>>> On 29.10.2014 16:46, Rob Verduijn wrote:
> > >>>>>>
> > >>>>>>> Hello,
> > >>>>>>>
> > >>>>>>> # ipa-ldap-updater /usr/share/ipa/updates/55-pbacmemberof.update
> > >>>>>>> fixes the problem.
> > >>>>>>>
> > >>>>>>> I can resolve my internal dns zones again :-)
> > >>>>>>>
> > >>>>>>> Many thanx.
> > >>>>>>>
> > >>>>>>> Since this problem happened every time I tried to update the freeipa server, I could re-run the update with some debug options if you like so you can pinpoint what goes wrong with the update script.
> > >>>>>>
> > >>>>>> I have rebuilt some packages in mkosek's COPR so now you should not encounter dependency problems. Simple 'yum upgrade' should give you all the required packages.
> > >>>>>>
> > >>>>>> We are looking at other problems in upgrade process right now so there is not much to test except package dependencies.
>
> --
> Stephen Benjamin
>
> Red Hat GmbH | http://de.redhat.com/ | Sitz: Grasbrunn
> Handelsregister: Amtsgericht München, HRB 153243
> Geschäftsführer: Charles Cachera, Michael Cunningham, Michael O'Neill, Charles Peters
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
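As an added example (not from the thread, nor from FreeIPA or Foreman), here is a small shell check in the spirit of the NamedCannotStart wiki steps Rob followed: it counts the DNS objects an LDAP search returns, so what the DNS service principal can see can be compared against the admin view after an upgrade. The keytab path /etc/named.keytab, the DNS/<fqdn> principal name and the cn=dns,<basedn> container are assumptions, and the LDIF samples are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: count the DNS objects an LDAP search returns so the
# view of the DNS service principal (what named/bind-dyndb-ldap binds as) can be compared
# with the admin view, as in the NamedCannotStart wiki steps Rob followed. Assumed (not in
# the thread): keytab /etc/named.keytab, principal DNS/<fqdn>, DNS tree at cn=dns,<basedn>.
# Count "objectClass: <name>" lines for one class in LDIF read from stdin (case-insensitive).
count_class() {
    awk -v cls="$1" '$1 == "objectClass:" && tolower($2) == tolower(cls) { n++ } END { print n + 0 }'
}

# Summarise an LDIF result as zones/config objects/containers.
summarize_ldif() {
    ldif=$(cat)
    zones=$(printf '%s\n' "$ldif" | count_class idnsZone)
    cfg=$(printf '%s\n' "$ldif" | count_class idnsConfigObject)
    containers=$(printf '%s\n' "$ldif" | count_class nsContainer)
    printf 'zones=%s config=%s containers=%s\n' "$zones" "$cfg" "$containers"
}

# Exit 0 when the LDIF in $1 holds at least one zone; the thread's symptom is zones=0.
zones_visible() { [ "$(printf '%s\n' "$1" | count_class idnsZone)" -gt 0 ]; }

# Search the DNS tree and summarise it. $1 = base DN; $2 = keytab to kinit with as the
# DNS/<fqdn> principal, or empty to use the current ticket (e.g. admin). Needs an IPA server.
search_dns_tree() {
    basedn=$1; keytab=$2
    if [ -n "$keytab" ]; then
        KRB5CCNAME=/tmp/dns-check.ccache; export KRB5CCNAME
        kinit -k -t "$keytab" "DNS/$(hostname -f)" || return 1
    fi
    ldapsearch -LLL -Y GSSAPI -b "cn=dns,$basedn" '(objectClass=*)' objectClass 2>/dev/null |
        summarize_ldif
    if [ -n "$keytab" ]; then kdestroy; fi
}

# Constructed samples: what Rob reports for the DNS principal after the upgrade (config
# object and containers only, no zones) versus a healthy view that also returns a zone.
SAMPLE_BROKEN='dn: cn=dns,dc=example,dc=test
objectClass: idnsConfigObject
objectClass: nsContainer

dn: cn=servers,cn=dns,dc=example,dc=test
objectClass: nsContainer'
SAMPLE_OK="$SAMPLE_BROKEN

dn: idnsname=example.test,cn=dns,dc=example,dc=test
objectClass: idnsZone"
# On the IPA server: sh dns-acl-check.sh dc=example,dc=test [/etc/named.keytab]
if [ $# -ge 1 ]; then search_dns_tree "$1" "$2"; fi
```

Run it once with the keytab and once with an admin ticket; if the admin run lists zones and the keytab run reports zones=0, the DNS principal is missing the ACIs that ipa-ldap-updater restores.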