Can you send the content of these entries? (I need mainly member and memberOf
DN: cn=DNS Servers,cn=privileges,cn=pbac,dc=example,dc=com
DN: cn=System: Read DNS Entries,cn=permissions,cn=pbac,dc=example,dc=com
On 05/11/14 16:17, Rob Verduijn wrote:
I use only a single freeipa server (so no replica to bother)
Internal zones worked before the update
After the update, internal zones no longer worked.
After reverting back the snapshot the internal zones worked again, no additional actions were needed.
2014-11-05 16:11 GMT+01:00 Petr Spacek <pspa...@redhat.com
Rob V., you did not answer my question about when DNS worked for you last time. Did it work right after reverting the snapshot?
On 5.11.2014 16:09, Rob Verduijn wrote:
I don't know about foreman upstream, the current version that I am using included in the katello installation is 1.6
And the foreman manpage still requires the configuration of the
About the snapshot:
I removed all the katello entries from my current freeipa installation (I peeked in the script to see what it did):
- user (foreman-realm)
- role (Smart Host Proxy Manager)
- privilege (Smart Host Proxy Management)
- 3 custom permissions ( modify host password, write host
modify host userclass )
applied the update to freeipa 4.1.
my local DNS zones did not resolve again
running the ipa-ldap-updater did not fix it
So I guess that it is not due to the katello integration or the
2014-11-05 14:39 GMT+01:00 Petr Spacek <pspa...@redhat.com
On 4.11.2014 17:15, Rob Verduijn wrote:
The problem with 'foreman-prepare-realm' and freeipa was that it claimed that a few of the permissions required did not exist when it tried to add them to the 'smart proxy host management' privilege.
I think it was because the permissions were all in lower case without the 'System: ' prefix. This is just an assumption since I did not get it to work even after adding them manually. So I figured to try it again after reverting back to 3.3.5.
After downgrading I learned that it did not work due to a bug in a Ruby script (fixed by commenting out lines 505-506 in /usr/share/ruby/xmlrpc/client.rb on the katello
After which I tried the upgrade again.
I did look again using the credentials as mentioned in step 4 and saw 3 objects (1x idnsConfigObject, 2x nsContainer).
When using admin credentials I saw all the dns zone
I can see the zone entries in the ipa gui.
Also when I look at the permissions in IPA there are no longer any permissions that have the 'System: ' prefix.
AFAIK the foreman proxy is not necessary (and not supported) with IPA 4.x because it was obsoleted by the 'native' proxy delivered by
Am I right, Rob (Crittenden)? :-)
Anyway, back to your DNS problem. Did it work before you
Foreman proxy? Or not? I.e. is it working when you revert
Do you have other replicas in the replication topology?
Please keep in mind that changes in LDAP (including changes to permissions) are replicated, so reverting one VM and not others is not necessarily enough.
2014-11-04 15:52 GMT+01:00 Petr Spacek
On 4.11.2014 15:27, Rob Verduijn wrote:
I've managed to integrate my katello configuration with freeipa.
Now I not only use freeipa authentication in
katello but also when a
is defined in katello it automagically gets
created in the freeipa
certs, OTP, DNS all working great.
however, to obtain all this integration greatness I had to downgrade my freeipa to 3.3.5 again (revert snapshot) because the katello realm integration tool (foreman-prepare-realm) is not capable of dealing with
versions of freeipa.
It would be nice if you could tell us more details about the
you had with Katello, AFAIK we are not aware of any.
And now the named-pkcs11 again does not see my
I should contact the freeipa-users list
Do I understand correctly that you did all the steps 0-4 successfully and then you found out that you can't see DNS objects in LDAP (step 5) when using ldapsearch with the DNS principal?
Can you see the objects in the IPA web UI or CLI? If it is the case then we will need help from an LDAP ACI expert (pviktori? :-).
The command 'ipa-ldap-updater
didn't fix it.
and the command 'ipa-ldap-updater' didn't fix
So I am now stuck at freeipa 3.3.5 again (with a working katello integration, so I got some mixed emotions
Any ideas anyone?
2014-10-29 22:14 GMT+01:00 Rob Verduijn
I've tested the update again.
The bind-utils conflict is still there when I issue "yum update freeipa-server" (as indicated on the freeipa 4.1 download page
'yum update' works fine
My internal zones didn't resolve after the
ipa-ldap-updater did fix the 'access control instructions' and my DNS zones started to resolve again :-)
2014-10-29 18:14 GMT+01:00 Petr Spacek
On 29.10.2014 16:46, Rob Verduijn wrote:
fixes the problem.
I can resolve my internal DNS zones
Since this problem happened every
time I tried to update the freeipa
I could re-run the update with
some debug options if you like so you
pinpoint what goes wrong with the
update script if you like.
I have rebuilt some packages in mkosek's COPR so now you should
encounter dependency problems. Simple
'yum upgrade' should give you
We are looking at other problems in
upgrade process right now so there
not much to test except package
Manage your subscription for the Freeipa-users mailing list:
Go To http://freeipa.org for more info on the project
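The last reply in the thread asks for the member/memberOf content of the 'DNS Servers' privilege and the 'System: Read DNS Entries' permission, because a DNS principal that cannot read DNS objects usually means that link is missing. The script below is an added example, not code from the thread or from the FreeIPA project: it parses LDIF as `ldapsearch -LLL` prints it (folded lines, `::` base64 values, comments) and checks that the two entries point at each other in both directions. The two DNs are the ones quoted in the thread; the LDIF text is constructed sample data, not output captured from a real server, and the ldapsearch pipeline in the comment is an assumed invocation showing only the expected input shape.

```python
"""Check that a FreeIPA privilege and permission are linked in both directions.

Added example for the freeipa-users thread; the two DNs come from the thread,
the LDIF samples are constructed (not captured from a real server).
Assumed usage, not part of the thread:
  ldapsearch -LLL -Y GSSAPI -b cn=pbac,dc=example,dc=com \
    '(|(cn=DNS Servers)(cn=System: Read DNS Entries))' member memberOf \
    | python3 check_dns_acl_links.py
"""
import base64
import sys

# DNs quoted in the thread.
PRIV_DN = "cn=DNS Servers,cn=privileges,cn=pbac,dc=example,dc=com"
PERM_DN = "cn=System: Read DNS Entries,cn=permissions,cn=pbac,dc=example,dc=com"

# Constructed healthy sample: the permission lists the privilege as member and
# the privilege carries the matching memberOf. The folded memberOf line and the
# base64 cn exercise the parser; they are not how a real server printed them.
HEALTHY_LDIF = """\
dn: cn=DNS Servers,cn=privileges,cn=pbac,dc=example,dc=com
cn: DNS Servers
memberOf: cn=System: Read DNS Entries,cn=permissions,cn=pbac,dc=example,
 dc=com

dn: cn=System: Read DNS Entries,cn=permissions,cn=pbac,dc=example,dc=com
cn:: U3lzdGVtOiBSZWFkIEROUyBFbnRyaWVz
member: cn=DNS Servers,cn=privileges,cn=pbac,dc=example,dc=com
"""

# Constructed broken sample: both entries exist but neither references the other.
BROKEN_LDIF = """\
dn: cn=DNS Servers,cn=privileges,cn=pbac,dc=example,dc=com
cn: DNS Servers

dn: cn=System: Read DNS Entries,cn=permissions,cn=pbac,dc=example,dc=com
cn: System: Read DNS Entries
"""


def parse_ldif(text):
    """Parse LDIF into {dn: {attr_lowercase: [values]}}.

    Handles folded continuation lines (leading space), base64 values ('::'),
    comment lines and the optional 'version:' header.
    """
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]  # continuation of the previous line
        else:
            unfolded.append(raw)

    entries, current = {}, {}
    for line in unfolded + [""]:  # trailing "" flushes the last entry
        if not line.strip():
            if "dn" in current:
                entries[current.pop("dn")[0]] = current
            current = {}
            continue
        if line.startswith("#") or line.startswith("version:"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(attr.lower(), []).append(value)
    return entries


def _norm(dn):
    # Minimal DN comparison: case-insensitive, surrounding whitespace ignored.
    return dn.strip().lower()


def check_links(entries, privilege_dn, permission_dn):
    """Return a list of problems; an empty list means the link is intact."""
    problems = []
    by_dn = {_norm(dn): attrs for dn, attrs in entries.items()}
    priv = by_dn.get(_norm(privilege_dn))
    perm = by_dn.get(_norm(permission_dn))
    if priv is None:
        problems.append("privilege entry missing: " + privilege_dn)
    elif _norm(permission_dn) not in map(_norm, priv.get("memberof", [])):
        problems.append("privilege lacks memberOf -> " + permission_dn)
    if perm is None:
        problems.append("permission entry missing: " + permission_dn)
    elif _norm(privilege_dn) not in map(_norm, perm.get("member", [])):
        problems.append("permission lacks member -> " + privilege_dn)
    return problems


if __name__ == "__main__":
    ldif = sys.stdin.read() if not sys.stdin.isatty() else HEALTHY_LDIF
    for problem in check_links(parse_ldif(ldif), PRIV_DN, PERM_DN) or ["ok"]:
        print(problem)
```

A one-sided result (member present on the permission but memberOf absent on the privilege) is worth reading differently from a fully missing link: member is the stored attribute, while memberOf is maintained by the directory server's memberOf plugin, so the one-sided case may point at that plugin rather than at the permission data itself.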