Can you send me the DNS-related ACIs in dc=tjako,dc=thuis?

On 05/11/14 17:08, Rob Verduijn wrote:
and here is the 4.1 version

Rob


cat output-4.1.txt
# extended LDIF
#
# LDAPv3
# base <cn=DNS Servers,cn=privileges,cn=pbac,dc=tjako,dc=thuis> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# DNS Servers, privileges, pbac, tjako.thuis
dn: cn=DNS Servers,cn=privileges,cn=pbac,dc=tjako,dc=thuis
objectClass: top
objectClass: groupofnames
objectClass: nestedgroup
cn: DNS Servers
description: DNS Servers
memberOf: cn=add dns entries,cn=permissions,cn=pbac,dc=tjako,dc=thuis
memberOf: cn=remove dns entries,cn=permissions,cn=pbac,dc=tjako,dc=thuis
memberOf: cn=update dns entries,cn=permissions,cn=pbac,dc=tjako,dc=thuis
memberOf: cn=Read DNS Entries,cn=permissions,cn=pbac,dc=tjako,dc=thuis
memberOf: cn=Write DNS Configuration,cn=permissions,cn=pbac,dc=tjako,dc=thuis
member: krbprincipalname=DNS/freeipa.tjako.thuis@TJAKO.THUIS,cn=services,cn=ac
 counts,dc=tjako,dc=thuis
member: krbprincipalname=ipa-dnskeysyncd/freeipa.tjako.thuis@TJAKO.THUIS,cn=se
 rvices,cn=accounts,dc=tjako,dc=thuis

There are missing DNSSEC permissions.

# search result
search: 4
result: 0 Success

# numResponses: 2
# numEntries: 1
# extended LDIF
#
# LDAPv3
# base < krbprincipalname=DNS/tjako.thuis@TJAKO.THUIS,cn=services,cn=accounts,dc=tjako,dc=thuis> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 4
result: 32 No such object
matchedDN: cn=services,cn=accounts,dc=tjako,dc=thuis

# numResponses: 1
# extended LDIF
#
# LDAPv3
# base <cn=Read DNS Entries,cn=permissions,cn=pbac,dc=tjako,dc=thuis> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# Read DNS Entries, permissions, pbac, tjako.thuis
dn: cn=Read DNS Entries,cn=permissions,cn=pbac,dc=tjako,dc=thuis
objectClass: top
objectClass: groupofnames
objectClass: ipapermission
cn: Read DNS Entries
description: Read DNS entries
ipaPermissionType: SYSTEM
member: cn=DNS Administrators,cn=privileges,cn=pbac,dc=tjako,dc=thuis
member: cn=DNS Servers,cn=privileges,cn=pbac,dc=tjako,dc=thuis
member: cn=Smart Proxy Host Management,cn=privileges,cn=pbac,dc=tjako,dc=thuis

# search result
search: 4
result: 0 Success

# numResponses: 2
# numEntries: 1

2014-11-05 16:31 GMT+01:00 Martin Basti <mba...@redhat.com>:

    Hello,

    can you send the content of these entries (I need mainly the member and
    memberOf attributes)?
    DN: cn=DNS Servers,cn=privileges,cn=pbac,dc=example,dc=com
    DN: krbprincipalname=DNS/example....@example.com,cn=services,cn=accounts,dc=example,dc=com
    DN: cn=System: Read DNS Entries,cn=permissions,cn=pbac,dc=example,dc=com


    On 05/11/14 16:17, Rob Verduijn wrote:
    Hello,

    I use only a single freeipa server (so no replica to bother)

    Internal zones worked before the update
    After the update, internal zones no longer worked.
    After reverting back the snapshot the internal zones worked
    again, no additional actions were needed.

    Rob

    2014-11-05 16:11 GMT+01:00 Petr Spacek <pspa...@redhat.com>:

        Hello,

        Rob V., you did not answer my question about when DNS last worked
        for you. Did it work right after reverting the snapshot?

        Petr^2 Spacek


        On 5.11.2014 16:09, Rob Verduijn wrote:

            Hello again,

            I don't know about foreman upstream; the current version that I
            am using, included in the katello installation, is 1.6, and the
            foreman manpage still requires the configuration of the
            realm-smart-proxy.
            http://www.theforeman.org/manuals/1.6/index.html#4.3.9Realm

            About the snapshot:
            I removed all the katello entries from my current freeipa
            installation (I peeked in the script to see what it did):
               - user (foreman-realm)
               - role (Smart Host Proxy Manager)
               - privilege (Smart Host Proxy Management)
               - 3 custom permissions (modify host password, write host
                 certificate, modify host userclass)
            applied the update to freeipa 4.1.
            My local dns zones did not resolve again.
            Running the ipa-ldap-updater did not fix it.

            So I guess that it is not due to the katello integration or the
            realm-smart-proxy script.

            Rob

            2014-11-05 14:39 GMT+01:00 Petr Spacek <pspa...@redhat.com>:

                On 4.11.2014 17:15, Rob Verduijn wrote:

                    The problem with 'foreman-prepare-realm' and freeipa was
                    that it claimed that a few of the permissions required did
                    not exist when it tried to add them to the 'smart proxy
                    host management' privilege.

                    I think it was because the permissions were all in lower
                    case without the 'System: ' prefix. This is just an
                    assumption since I did not get it to work even after
                    adding them manually. So I figured to try it again after
                    reverting back to 3.3.5.

                    After downgrading I learned that it did not work due to a
                    bug in a ruby script (fixed by commenting out lines
                    505-506 in /usr/share/ruby/xmlrpc/client.rb on the
                    katello host, see https://bugs.ruby-lang.org/issues/8182
                    and https://bugzilla.redhat.com/show_bug.cgi?id=1071187).

                    After which I tried the upgrade again.

                    Regarding
                    https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/NamedCannotStart
                    I did look again using the credentials mentioned in step 4
                    and saw only 3 objects (1x idnsConfigObject, 2x
                    nsContainer). When using admin credentials I saw all the
                    dns zone entries.

                    I can see the zone entries in the ipa gui.

                    Also when I look at the permissions in ipa there
                    are no longer any
                    permissions that have the 'System: ' prefix.


                AFAIK the foreman proxy is not necessary (and not supported)
                with IPA 4.x because it was obsoleted by the 'native' proxy
                delivered by Foreman upstream.

                Am I right, Rob (Crittenden)? :-)

                Anyway, back to your DNS problem. Did it work before you
                installed the Foreman proxy? Or not? I.e. is it working when
                you revert the snapshot?

                Do you have other replicas in the replication
                topology? Please keep in
                mind that changes in LDAP (including changes to
                permissions) are replicated
                so reverting one VM and not others is not necessarily
                enough.

                Petr^2 Spacek


                2014-11-04 15:52 GMT+01:00 Petr Spacek <pspa...@redhat.com>:


                      On 4.11.2014 15:27, Rob Verduijn wrote:


                            Hello again,

                            I've managed to integrate my katello configuration
                            with freeipa. Now I not only use freeipa
                            authentication in katello but also when a host is
                            defined in katello it automagically gets created in
                            the freeipa realm, certs, otp, dns all working
                            great.

                            However, to obtain all this integration greatness I
                            had to downgrade my freeipa to 3.3.5 again (revert
                            snapshot) because the katello realm integration
                            tool (foreman-prepare-realm) is not capable of
                            dealing with 4.X versions of freeipa.

                        It would be nice if you could tell us more details
                        about the problem you had with Katello; AFAIK we are
                        not aware of any.

                            And now the named-pkcs11 again does not see my
                            internal zones.


                            This page
                            https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/NamedCannotStart
                            thinks I should contact the freeipa-users list.


                        Do I understand correctly that you did all the steps
                        0-4 successfully and then you found out that you can't
                        see DNS objects in LDAP (step 5) when using ldapsearch
                        with the DNS principal?

                        Can you see the objects in the IPA web UI or CLI? If
                        that is the case then we will need help from an LDAP
                        ACI expert (pviktori? :-).

                        Petr^2 Spacek


                            The command 'ipa-ldap-updater
                            /usr/share/ipa/updates/55-pbacmemberof.update'
                            didn't fix it, and the command 'ipa-ldap-updater'
                            didn't fix it either.

                            So I am now stuck at freeipa 3.3.5 again (with a
                            working katello integration, so I have some mixed
                            emotions about it).
                            Any ideas anyone?
                            Rob






                            2014-10-29 22:14 GMT+01:00 Rob Verduijn <rob.verdu...@gmail.com>:

                                Hello,

                                I've tested the update again.

                                The bind-utils conflict is still there when I
                                issue "yum update freeipa-server" (as indicated
                                on the freeipa 4.1 download page
                                http://www.freeipa.org/page/Downloads#Upgrading)

                                'yum update' works fine.

                                My internal zones didn't resolve after the
                                update.
                                ipa-ldap-updater
                                /usr/share/ipa/updates/55-pbacmemberof.update
                                didn't fix it.
                                ipa-ldap-updater did fix the 'access control
                                instructions' and my internal dns zones started
                                to resolve again :-)

                                Cheers
                                Rob


                                2014-10-29 18:14 GMT+01:00 Petr Spacek <pspa...@redhat.com>:

                                    On 29.10.2014 16:46, Rob Verduijn wrote:


                                        Hello,

                                        # ipa-ldap-updater
                                        /usr/share/ipa/updates/55-pbacmemberof.update
                                        fixes the problem.

                                        I can resolve my internal dns zones
                                        again :-)

                                        Many thanx.

                                        Since this problem happened every time
                                        I tried to update the freeipa server,
                                        I could re-run the update with some
                                        debug options if you like, so you can
                                        pinpoint what goes wrong with the
                                        update script.


                                    I have re-built some packages in mkosek's
                                    COPR so now you should not encounter
                                    dependency problems. A simple 'yum upgrade'
                                    should give you all the required packages.

                                    We are looking at other problems in the
                                    upgrade process right now so there is not
                                    much to test except package dependencies.




--
Martin Basti




--
Martin Basti
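As an added example (not code from the thread or from FreeIPA itself), a small Python check that unfolds ldapsearch LDIF output like the listing above and reports which expected permissions a privilege such as cn=DNS Servers is not a memberOf after an upgrade. The sample LDIF is constructed from the thread's entry, and the 'PLACEHOLDER: DNSSEC permission' name is a labelled stand-in, since the thread says DNSSEC permissions are missing but does not name them.

```python
from collections import defaultdict

# Constructed sample modelled on the 'DNS Servers' entry in the thread; the
# folded 'member:' line shows an LDIF continuation that must be unfolded.
SAMPLE_LDIF = """\
# DNS Servers, privileges, pbac, tjako.thuis
dn: cn=DNS Servers,cn=privileges,cn=pbac,dc=tjako,dc=thuis
objectClass: groupofnames
cn: DNS Servers
memberOf: cn=add dns entries,cn=permissions,cn=pbac,dc=tjako,dc=thuis
memberOf: cn=Read DNS Entries,cn=permissions,cn=pbac,dc=tjako,dc=thuis
memberOf: cn=Write DNS Configuration,cn=permissions,cn=pbac,dc=tjako,dc=thuis
member: krbprincipalname=DNS/freeipa.tjako.thuis@TJAKO.THUIS,cn=services,cn=ac
 counts,dc=tjako,dc=thuis
"""
DNS_SERVERS_DN = "cn=DNS Servers,cn=privileges,cn=pbac,dc=tjako,dc=thuis"
# Names seen in the thread plus a labelled stand-in: the thread says DNSSEC
# permissions are missing but does not name them.
EXPECTED = ["add dns entries", "remove dns entries", "update dns entries",
            "Read DNS Entries", "Write DNS Configuration",
            "PLACEHOLDER: DNSSEC permission"]


def parse_ldif(text):
    """Return {dn: {attribute (lower-cased): [values]}}; unfolds continuations, skips comments."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:   # continuation line: join to the previous one
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, attrs = {}, defaultdict(list)
    for line in lines + [""]:               # trailing "" flushes the last entry
        if line.startswith("#"):
            continue
        if not line:                        # blank line ends an entry
            if attrs.get("dn"):
                entries[attrs["dn"][0]] = dict(attrs)
            attrs = defaultdict(list)
            continue
        name, _, value = line.partition(":")
        attrs[name.strip().lower()].append(value.strip())
    return entries


def missing_permissions(ldif_text, privilege_dn, expected_cns):
    """Names in expected_cns that the privilege is not a memberOf (case-insensitive)."""
    entry = parse_ldif(ldif_text).get(privilege_dn, {})
    have = {dn.split(",", 1)[0].split("=", 1)[1].lower() for dn in entry.get("memberof", [])}
    return sorted(cn for cn in expected_cns if cn.lower() not in have)
```

Feed it the output of the `ldapsearch -b 'cn=DNS Servers,cn=privileges,cn=pbac,...'` query from the thread; anything reported missing is a permission the DNS service principal will not be granted through this privilege.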

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
