Can you send me the DNS-related ACIs in dc=tjako,dc=thuis?

and here is the 4.1 version


cat output-4.1.txt
# extended LDIF
# LDAPv3
# base <cn=DNS Servers,cn=privileges,cn=pbac,dc=tjako,dc=thuis> with scope subtree
# filter: (objectclass=*)
# requesting: ALL

# DNS Servers, privileges, pbac, tjako.thuis
dn: cn=DNS Servers,cn=privileges,cn=pbac,dc=tjako,dc=thuis
objectClass: top
objectClass: groupofnames
objectClass: nestedgroup
cn: DNS Servers
description: DNS Servers
memberOf: cn=add dns entries,cn=permissions,cn=pbac,dc=tjako,dc=thuis
memberOf: cn=remove dns entries,cn=permissions,cn=pbac,dc=tjako,dc=thuis
memberOf: cn=update dns entries,cn=permissions,cn=pbac,dc=tjako,dc=thuis
memberOf: cn=Read DNS Entries,cn=permissions,cn=pbac,dc=tjako,dc=thuis
memberOf: cn=Write DNS Configuration,cn=permissions,cn=pbac,dc=tjako,dc=thuis
member: krbprincipalname=DNS/freeipa.tjako.thuis@TJAKO.THUIS,cn=services,cn=ac
member: krbprincipalname=ipa-dnskeysyncd/freeipa.tjako.thuis@TJAKO.THUIS,cn=se

There are missing DNSSEC permissions.

# search result
search: 4
result: 0 Success

# numResponses: 2
# numEntries: 1
# extended LDIF
# LDAPv3
# base < krbprincipalname=DNS/tjako.thuis@TJAKO.THUIS,cn=services,cn=accounts,dc=tjako,dc=thuis> with scope subtree
# filter: (objectclass=*)
# requesting: ALL

# search result
search: 4
result: 32 No such object
matchedDN: cn=services,cn=accounts,dc=tjako,dc=thuis

# numResponses: 1
# extended LDIF
# LDAPv3
# base <cn=Read DNS Entries,cn=permissions,cn=pbac,dc=tjako,dc=thuis> with scope subtree
# filter: (objectclass=*)
# requesting: ALL

# Read DNS Entries, permissions, pbac, tjako.thuis
dn: cn=Read DNS Entries,cn=permissions,cn=pbac,dc=tjako,dc=thuis
objectClass: top
objectClass: groupofnames
objectClass: ipapermission
cn: Read DNS Entries
description: Read DNS entries
ipaPermissionType: SYSTEM
member: cn=DNS Administrators,cn=privileges,cn=pbac,dc=tjako,dc=thuis
member: cn=DNS Servers,cn=privileges,cn=pbac,dc=tjako,dc=thuis
member: cn=Smart Proxy Host Management,cn=privileges,cn=pbac,dc=tjako,dc=thuis

# search result
search: 4
result: 0 Success

# numResponses: 2
# numEntries: 1

    can you send the content of these entries (I need mainly the member and
    memberOf attributes)?:
    DN: cn=DNS Servers,cn=privileges,cn=pbac,dc=example,dc=com
    DN: cn=System: Read DNS

    I use only a single freeipa server (so no replica to bother)

    Internal zones worked before the update
    After the update, internal zones no longer worked.
    After reverting back the snapshot the internal zones worked
    again, no additional actions were needed.


        Rob V., you did not answer my question about when DNS worked
        for you last time. Did it work right after reverting the

        Petr^2 Spacek

        On 5.11.2014 16:09, Rob Verduijn wrote:

            Hello again,

            I don't know about foreman upstream, the current version
            that I am using
            included in the katello installation is 1.6
            And the foreman manpage still requires the configuration
            of the

            About the snapshot:
            I removed all the katello entries from my current freeipa
            installation ( I
            peeked in the script to see what it did )
               - user (foreman-realm)
               - role (Smart Host Proxy Manager)
               - privilege (Smart Host Proxy Management)
               - 3 custom permissions ( modify host password, write
            host certificate,
            modify host userclass )
            applied the update to freeipa 4.1.
            my local dns zones did not resolve again
            running the ipa-ldap-updater did not fix it

            So I guess that it is not due to the katello integration
            or the
            realm-smart-proxy script.


                    The problem with 'foreman-prepare-realm' and
                    freeipa was that it claimed
                    that a few of the permissions required did not
                    exist when it tried to add
                    them to the 'smart proxy host management' privilege.

                    I think it was because the permissions were all
                    in lower case without the
                    'System: ' prefix. This is just an assumption
                    since I did not get it to work
                    even after adding them manually. So I figured to
                    try it again after
                    reverting back to 3.3.5.

                    After downgrading I learned that it did not work
                    due to a bug in a ruby
                    script. (fixed by commenting out line 505-506
                    in /usr/share/ruby/xmlrpc/client.rb on the
                    katello host, see

                    After which I tried the upgrade again.

                    I did look again using the kredentials as
                    mentioned in step 4. and saw
                    3 objects (1x idnsConfigObject 2x nsContainer)
                    When using admin credentials I saw all the dns
                    zone entries.

                    I can see the zone entries in the ipa gui.

                    Also when I look at the permissions in ipa there
                    are no longer any
                    permissions that have the 'System: ' prefix.

                AFAIK the foreman proxy is not necessary (and not
                supported) with IPA 4.x
                because it was obsoleted by 'native' proxy delivered
                by Foreman upstream.

                Am I right, Rob (Crittenden)? :-)

                Anyway, back to your DNS problem. Did it work
                before you installed
                Foreman proxy? Or not? I.e. is it working when you
                revert the snapshot?

                Do you have other replicas in the replication
                topology? Please keep in
                mind that changes in LDAP (including changes to
                permissions) are replicated
                so reverting one VM and not others is not necessarily

                Petr^2 Spacek

                          Hello again,

                            I've managed to integrate my katello
                            configuration with freeipa.
                            Now I not only use freeipa authentication
                            in katello but also when a
                            is defined in katello it automagically
                            gets created in the freeipa
                            realm,
                            certs, otp,dns all working great.

                            however, to obtain all this integration
                            greatness I had to downgrade my
                            freeipa to 3.3.5 again (revert snapshot)
                            because the katello realm
                            integration tool (foreman-prepare-realm)
                            is not capable of dealing with
                            versions of freeipa.

                              It would be nice if you could tell
                            us more details about the

                        you had with Katello, AFAIK we are not aware
                        of any.

                           And now the named-pkcs11 again does not
                        see my internal zones.

                            This page
                            I should contact the freeipa-users list

                        Do I understand correctly that you did all
                        the steps 0-4 successfully and
                        then you found out that you can't see DNS
                        objects in LDAP (step 5) when
                        using ldapsearch with DNS principal?

                        Can you see the objects in IPA web UI or CLI?
                        If it is the case then we
                        will need help from LDAP ACI expert
                        (pviktori? :-).

                        Petr^2 Spacek

                           The command 'ipa-ldap-updater

                            didn't fix it.
                            and the command 'ipa-ldap-updater' didn't
                            fix it either.

                            So I am now stuck at freeipa 3.3.5 again
                            (with a working katello
                            integration, so I got some mixed emotions
                            about it)
                            Any ideas anyone ?

                                I've tested the update again.

                                The bind-utils conflict is still
                                there when I issue "yum update
                                freeipa-server" ( as indicated on the
                                freeipa 4.1 download page

                                'yum update' works fine

                                My internal zones didn't resolve after
                                the update
                                ipa-ldap-updater did fix the 'access
                                control instructions' and my
                                dns zones started to resolve again :-)


                                        # ipa-ldap-updater
                                             fixes the problem.

                                        I can resolve my internal dns
                                        zones again :-)

                                        Many thanx.

                                        Since this problem happened
                                        every time I tried to update
                                        the freeipa
                                        I could re-run the update
                                        with some debug options if
                                        you like so you can
                                        pinpoint what goes wrong with
                                        the update script.

                                          I have rebuilt some
                                        packages in mkosek's COPR so
                                        now you should
                                    not encounter dependency problems.
                                    Simple 'yum upgrade' should give you
                                    required packages.

                                    We are looking at other problems
                                    in the upgrade process right now so there is
                                    not much to test except package
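The thread turns on whether the "DNS Servers" privilege still carries the permissions the 4.1 DNS service principal needs after the upgrade (the ldapsearch output above lists lower-case names without the 'System: ' prefix and no DNSSEC permissions). The script below is an added example, not code from the thread or from FreeIPA: it folds ldapsearch LDIF continuation lines, reads the privilege's memberOf values, and reports which expected permissions are absent and which member names lack the 'System: ' prefix. The embedded LDIF is a constructed sample modelled on the output in the thread, and the expected-permission list is an assumption; the DNSSEC entry in it is a placeholder to be replaced with the real managed permission names of the FreeIPA version being checked.

```python
"""Audit a FreeIPA privilege's permission membership from ldapsearch LDIF output.

Added example (not from the thread or the FreeIPA project). Run it against
`ldapsearch -LLL -b 'cn=DNS Servers,cn=privileges,cn=pbac,<suffix>'` output
or, as here, against the constructed sample below.
"""
import base64
import re

# Constructed sample modelled on the thread's ldapsearch output; two values are
# wrapped the way ldapsearch wraps long lines (continuation = leading space).
SAMPLE_LDIF = """\
# extended LDIF
# LDAPv3
# base <cn=DNS Servers,cn=privileges,cn=pbac,dc=tjako,dc=thuis> with scope subtree

# DNS Servers, privileges, pbac, tjako.thuis
dn: cn=DNS Servers,cn=privileges,cn=pbac,dc=tjako,dc=thuis
objectClass: top
objectClass: groupofnames
objectClass: nestedgroup
cn: DNS Servers
memberOf: cn=add dns entries,cn=permissions,cn=pbac,dc=tjako,dc=thuis
memberOf: cn=remove dns entries,cn=permissions,cn=pbac,dc=tjako,dc=thuis
memberOf: cn=update dns entries,cn=permissions,cn=pbac,dc=tjako,dc=thuis
memberOf: cn=Read DNS Entries,cn=permissions,cn=pbac,dc=tjako,dc=thuis
memberOf: cn=Write DNS Configuration,cn=permissions,cn=pbac,dc=tjako,dc=thu
 is
member: krbprincipalname=DNS/freeipa.tjako.thuis@TJAKO.THUIS,cn=services,cn=
 accounts,dc=tjako,dc=thuis

# search result
search: 4
result: 0 Success
"""

# Assumed expectation: 4.x-style names for the permissions visible in the thread,
# plus a PLACEHOLDER standing in for the DNSSEC permissions the thread says are
# missing (substitute the real names from the target FreeIPA version).
EXPECTED_DNS_SERVER_PERMISSIONS = [
    "System: Add DNS Entries",
    "System: Remove DNS Entries",
    "System: Update DNS Entries",
    "System: Read DNS Entries",
    "System: Write DNS Configuration",
    "PLACEHOLDER: DNSSEC permission name",
]

LINE_RE = re.compile(r"^([A-Za-z][\w;.-]*):(:?) ?(.*)$")  # attr: value  /  attr:: base64


def parse_ldif(text):
    """Return a list of entries, each mapping a lowercased attribute name to its values.

    Lines starting with a single space continue the previous value (RFC 2849 folding),
    '::' values are base64-decoded after folding, comments and blank separators are handled.
    """
    entries, pending = [], []  # pending: [attr, is_base64, value] for the current entry

    def flush():
        if pending:
            entry = {}
            for attr, is_b64, value in pending:
                if is_b64:
                    value = base64.b64decode(value).decode("utf-8")
                entry.setdefault(attr, []).append(value)
            entries.append(entry)
            pending.clear()

    for raw in text.splitlines():
        if raw.startswith(" ") and pending:
            pending[-1][2] += raw[1:]  # fold continuation onto previous value
        elif raw.startswith("#"):
            continue
        elif not raw.strip():
            flush()
        else:
            m = LINE_RE.match(raw)
            if m:
                pending.append([m.group(1).lower(), m.group(2) == ":", m.group(3)])
    flush()
    return entries


def rdn_value(dn):
    """First RDN value of a DN, e.g. 'add dns entries' from 'cn=add dns entries,cn=...'."""
    return dn.split(",", 1)[0].split("=", 1)[1]


def canonical(name):
    """Compare permission names case-insensitively, ignoring a 'System: ' prefix."""
    return re.sub(r"^system:\s*", "", name.strip().lower())


def audit_privilege(ldif_text, privilege_dn, expected):
    """Report membership of one privilege: missing expected permissions and unprefixed names."""
    entries = parse_ldif(ldif_text)
    entry = next((e for e in entries if e.get("dn", [""])[0].lower() == privilege_dn.lower()), None)
    if entry is None:
        raise LookupError(f"privilege {privilege_dn} not found in LDIF output")
    members = [rdn_value(dn) for dn in entry.get("memberof", [])]
    present = {canonical(m) for m in members}
    return {
        "members": members,
        "missing": [p for p in expected if canonical(p) not in present],
        "unprefixed": [m for m in members if not m.lower().startswith("system: ")],
        "service_members": [rdn_value(dn) for dn in entry.get("member", [])],
    }


if __name__ == "__main__":
    report = audit_privilege(SAMPLE_LDIF,
                             "cn=DNS Servers,cn=privileges,cn=pbac,dc=tjako,dc=thuis",
                             EXPECTED_DNS_SERVER_PERMISSIONS)
    for key, values in report.items():
        print(f"{key}: {values}")
```

Feed it real output by replacing SAMPLE_LDIF with the text of an ldapsearch run as Directory Manager, or as the DNS service principal to see what that principal is actually allowed to read; if the privilege entry itself is not returned, the LookupError is the finding (an ACI problem rather than a membership problem).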

