[Freeipa-users] Squid proxy digest authentication

2019-03-03 Thread Edward Valley via FreeIPA-users
Hello there. I'm trying to set up Squid proxy to use FreeIPA as the LDAP backend for user authentication. Everything works fine while using basic authentication. In order to use digest authentication I need users to have a specific password storage scheme (MD5 of the user:realm:password combination). Can someone point me in the right direction on how to accomplish it? Coding a new plugin? Extending an already existing one? Configuring something? I've done some research and it seems everybody integrating Squid with FreeIPA is using Kerberos, but that's something I'll be doing later. Thank you very much.
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org


[Freeipa-users] Re: client cannot authenticate or su

2019-03-03 Thread Albert Szostkiewicz via FreeIPA-users
OK, the issue was with SELinux:

SELinux is preventing sssd_be from read access on the file /etc/hosts.

*  Plugin restorecon (99.5 confidence) suggests

If you want to fix the label.
/etc/hosts default label should be net_conf_t.
Then you can run restorecon. The access attempt may have been stopped due to insufficient permissions to access a parent directory in which case try to change the following command accordingly.
Do
# /sbin/restorecon -v /etc/hosts

*  Plugin catchall (1.49 confidence) suggests

If you believe that sssd_be should be allowed read access on the hosts file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'sssd_be' --raw | audit2allow -M my-sssdbe
# semodule -X 300 -i my-sssdbe.pp

After '/sbin/restorecon -v /etc/hosts' I can log in without problems.


[Freeipa-users] Re: client cannot authenticate or su

2019-03-03 Thread Albert Szostkiewicz via FreeIPA-users
In addition, I see some troubling errors in
/var/log/sssd/sssd_home.mydomain.com.log
like 'cannot resolve' and 'not working', while I am able to resolve my
ipaserver and the domain properly without problems when doing it manually.

http://freetexthost.com/h2gty4nmun


[Freeipa-users] Re: Multiple dot in hostname - DNS error

2019-03-03 Thread Alexander Bokovoy via FreeIPA-users

On Sun, 03 Mar 2019, Vivek Aggarwal via FreeIPA-users wrote:

> By the way, I've created a new machine with the following settings, by
> abandoning the ".local" TLD
> 
> Hostname : testing-infra-01-dal1.testing.stg.avtar.test
> realm_name: avtar.test
> domain_name: avtar.test
> 
> But still getting the same error as below
> +++
> ipapython.dnsutil: ERROR DNS query for
> testing-infra-01-dal13.testing.stg.avtar.test.1 failed: All nameservers failed
> to answer the query testing-infra-01-dal13.testing.stg.avtar.test. IN A: Server
> 127.0.0.1 UDP port 53 answered SERVFAIL
> ipaserver.dns_data_management: ERROR unable to resolve host name
> testing-infra-01-dal13.testing.stg.avtar.test. to IP address, ipa-ca DNS record
> will be incomplete
> 
> 
> And the entry in resolv.conf is as below
> search avtar.test
> nameserver 127.0.0.1
> +++
> But if I give "testing.stg.avtar.test" as my domain & realm name then
> things just work fine without any errors. Any comments on this
> behaviour, why is it working in this case?


The installer is not accounting for such configurations, and for a good
reason. First, if your primary domain and realm are avtar.test, then
.stg.avtar.test and .testing.stg.avtar.test are two DNS zones nested
within avtar.test. For a DNS zone you need to properly set it up within
the parent domain. There are no such things as multi-dot host names
inside a DNS domain zone. See RFC 1034 section 3.5:


> The labels must follow the rules for ARPANET host names.  They must
> start with a letter, end with a letter or digit, and have as interior
> characters only letters, digits, and hyphen.  There are also some
> restrictions on the length.  Labels must be 63 characters or less.


Second, for integrated DNS it is the IPA master that you are deploying right
now which is authoritative for avtar.test. It doesn't know anything
about any child DNS zone in avtar.test at the time of deployment, because
by definition the zone is being created at this point and is empty.

You may create an IPA master outside the primary domain, if the DNS zone
for that master's hostname is handled by something else resolvable at
the moment of deployment via DNS (not /etc/hosts).

I'd suggest you set up an IPA master in avtar.test. Then you can
create .stg.avtar.test and .staging.stg.avtar.test zones. Finally,
deploy a replica in .staging.stg.avtar.test.

If you need different environments for avtar.test and stg.avtar.test
(looks like stg is a staging deployment?), I'd suggest deploying
stg.avtar.test as the main staging environment separately from
avtar.test. You can make sure avtar.test properly delegates
.stg.avtar.test to your staging environment.


See also the DNS autodiscovery section in the ipa-client-install manual page.




--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland


[Freeipa-users] client cannot authenticate or su

2019-03-03 Thread Albert Szostkiewicz via FreeIPA-users
Hi, 

I've installed ipa-client on my laptop without issues; it did find the domain
properly.
kinit connects to IPA but I am unable to su to any user or even log in:

(root)$ su my_user
su: user my_user does not exist

(root)$ cat /var/log/sssd/sssd_nss.log
(Sun Mar  3 09:54:41 2019) [sssd[nss]] [nss_getby_id] (0x0400): Input ID: 0
(Sun Mar  3 09:54:41 2019) [sssd[nss]] [cache_req_set_plugin] (0x2000): CR #219: Setting "User by ID" plugin
(Sun Mar  3 09:54:41 2019) [sssd[nss]] [cache_req_send] (0x0400): CR #219: New request 'User by ID'
(Sun Mar  3 09:54:41 2019) [sssd[nss]] [cache_req_select_domains] (0x0400): CR #219: Performing a multi-domain search
(Sun Mar  3 09:54:41 2019) [sssd[nss]] [cache_req_search_domains] (0x0400): CR #219: Search will check the cache and check the data provider
(Sun Mar  3 09:54:41 2019) [sssd[nss]] [sss_ncache_check_str] (0x2000): Checking negative cache for [NCE/DOM_LOCATE_TYPE/implicit_files/User by ID]
(Sun Mar  3 09:54:41 2019) [sssd[nss]] [sss_ncache_check_str] (0x2000): Checking negative cache for [NCE/DOM_LOCATE_TYPE/home.mydomain.com/User by ID]
(Sun Mar  3 09:54:41 2019) [sssd[nss]] [cache_req_validate_domain_type] (0x2000): Request type POSIX-only for domain implicit_files type POSIX is valid
(Sun Mar  3 09:54:41 2019) [sssd[nss]] [cache_req_set_domain] (0x0400): CR #219: Using domain [implicit_files]
(Sun Mar  3 09:54:41 2019) [sssd[nss]] [cache_req_search_send] (0x0400): CR #219: Looking up UID:0@implicit_files
(Sun Mar  3 09:54:41 2019) [sssd[nss]] [cache_req_search_ncache] (0x0400): CR #219: Checking negative cache for [UID:0@implicit_files]
(Sun Mar  3 09:54:41 2019) [sssd[nss]] [sss_ncache_check_str] (0x2000): Checking negative cache for [NCE/UID/implicit_files/0]
(Sun Mar  3 09:54:41 2019) [sssd[nss]] [sss_ncache_check_str] (0x2000): Checking negative cache for [NCE/UID/0]
(Sun Mar  3 09:54:41 2019) [sssd[nss]] [cache_req_search_ncache] (0x0400): CR #219: [UID:0@implicit_files] does not exist (negative cache)
(Sun Mar  3 09:54:41 2019) [sssd[nss]] [cache_req_validate_domain_type] (0x2000): Request type POSIX-only for domain home.mydomain.com type POSIX is valid
(Sun Mar  3 09:54:41 2019) [sssd[nss]] [cache_req_set_domain] (0x0400): CR #219: Using domain [home.mydomain.com]
(Sun Mar  3 09:54:41 2019) [sssd[nss]] [cache_req_search_send] (0x0400): CR #219: Looking up UID:0...@home.mydomain.com
(Sun Mar  3 09:54:41 2019) [sssd[nss]] [cache_req_search_ncache] (0x0400): CR #219: Checking negative cache for [UID:0...@home.mydomain.com]
(Sun Mar  3 09:54:41 2019) [sssd[nss]] [sss_ncache_check_str] (0x2000): Checking negative cache for [NCE/UID/home.mydomain.com/0]
(Sun Mar  3 09:54:41 2019) [sssd[nss]] [sss_ncache_check_str] (0x2000): Checking negative cache for [NCE/UID/0]
(Sun Mar  3 09:54:41 2019) [sssd[nss]] [cache_req_search_ncache] (0x0400): CR #219: [UID:0...@home.mydomain.com] does not exist (negative cache)
(Sun Mar  3 09:54:41 2019) [sssd[nss]] [cache_req_process_result] (0x0400): CR #219: Finished: Not found
(Sun Mar  3 09:54:41 2019) [sssd[nss]] [client_recv] (0x0200): Client disconnected!
(Sun Mar  3 09:54:41 2019) [sssd[nss]] [client_close_fn] (0x2000): Terminated client [0x5565caddc630][31]
(Sun Mar  3 09:54:41 2019) [sssd[nss]] [client_recv] (0x0200): Client disconnected!
(Sun Mar  3 09:54:41 2019) [sssd[nss]] [client_close_fn] (0x2000): Terminated client [0x5565cadddc60][30]

(root)$ id $my_user
uid=0(root) gid=0(root) groups=0(root) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

(root)$ kinit my_user
Password for my_u...@home.mydomain.com: 
(root)$ ipa user-find my_user
--
1 user matched
--
  User login: my_user
  First name: MyUserName
  Last name: MyUserSurname
  Home directory: /home/my_user
  Login shell: /bin/sh
  Principal name: my_u...@home.mydomain.com
  Principal alias: my_u...@home.mydomain.com
  Email address: my_u...@mydomain.com, my.u...@gmail.com
  UID: 190744
  GID: 190743
  SSH public key fingerprint: SHA256:# my_u...@mydomain.com (ssh-rsa)
  Account disabled: False

Number of entries returned 1


I've cleared /var/lib/sss/db/*
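As an added example (not code from the post or from SSSD itself), here is a small Python triage script for sssd_nss.log lines of the kind pasted above: it groups the cache_req messages by request number and reports the plugin, the domains tried, the negative-cache hits and the final result, then explains a "Not found" outcome. The sample lines are constructed from the excerpt above, re-joined onto single lines, with the archive-obfuscated `0...@` written as `0@`; note that the excerpt is a lookup for Input ID 0, which is what `id` resolves when the `$my_user` shell variable is unset.

```python
import re

# Constructed sample: lines from the sssd_nss.log excerpt in the post, re-joined.
SAMPLE_LOG = """\
(Sun Mar  3 09:54:41 2019) [sssd[nss]] [nss_getby_id] (0x0400): Input ID: 0
(Sun Mar  3 09:54:41 2019) [sssd[nss]] [cache_req_set_plugin] (0x2000): CR #219: Setting "User by ID" plugin
(Sun Mar  3 09:54:41 2019) [sssd[nss]] [cache_req_send] (0x0400): CR #219: New request 'User by ID'
(Sun Mar  3 09:54:41 2019) [sssd[nss]] [cache_req_set_domain] (0x0400): CR #219: Using domain [implicit_files]
(Sun Mar  3 09:54:41 2019) [sssd[nss]] [cache_req_search_send] (0x0400): CR #219: Looking up UID:0@implicit_files
(Sun Mar  3 09:54:41 2019) [sssd[nss]] [cache_req_search_ncache] (0x0400): CR #219: [UID:0@implicit_files] does not exist (negative cache)
(Sun Mar  3 09:54:41 2019) [sssd[nss]] [cache_req_set_domain] (0x0400): CR #219: Using domain [home.mydomain.com]
(Sun Mar  3 09:54:41 2019) [sssd[nss]] [cache_req_search_send] (0x0400): CR #219: Looking up UID:0@home.mydomain.com
(Sun Mar  3 09:54:41 2019) [sssd[nss]] [cache_req_search_ncache] (0x0400): CR #219: [UID:0@home.mydomain.com] does not exist (negative cache)
(Sun Mar  3 09:54:41 2019) [sssd[nss]] [cache_req_process_result] (0x0400): CR #219: Finished: Not found
(Sun Mar  3 09:54:41 2019) [sssd[nss]] [client_recv] (0x0200): Client disconnected!
"""

# One sssd debug line: (timestamp) [sssd[responder]] [function] (level): message
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[sssd\[(?P<responder>[^\]]+)\]\] \[(?P<func>[^\]]+)\] "
    r"\((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$")
CR_RE = re.compile(r"^CR #(?P<cr>\d+): (?P<rest>.*)$")
NCACHE_RE = re.compile(r"^\[(?P<key>[^\]]+)\] does not exist \(negative cache\)$")


def parse_line(line):
    """Split one sssd debug line into its fields; None for anything else."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def summarize_requests(log_text):
    """Group cache_req messages by request number and extract what was tried."""
    reqs = {}
    for line in log_text.splitlines():
        fields = parse_line(line)
        if fields is None:
            continue
        cm = CR_RE.match(fields["msg"])
        if cm is None:
            continue  # not a cache_req message (e.g. "Input ID: 0", client_recv)
        req = reqs.setdefault(int(cm["cr"]), {
            "plugin": None, "domains": [], "lookups": [],
            "negative_cache": [], "result": None})
        rest = cm["rest"]
        if rest.startswith("Setting ") and rest.endswith(" plugin"):
            req["plugin"] = rest.split('"')[1]
        elif rest.startswith("Using domain ["):
            req["domains"].append(rest[len("Using domain ["):-1])
        elif rest.startswith("Looking up "):
            req["lookups"].append(rest[len("Looking up "):])
        elif NCACHE_RE.match(rest):
            req["negative_cache"].append(NCACHE_RE.match(rest)["key"])
        elif rest.startswith("Finished: "):
            req["result"] = rest[len("Finished: "):]
    return reqs


def diagnose(req):
    """Explain a 'Not found' result from the nss responder's point of view."""
    if req["result"] != "Not found":
        return "lookup succeeded or is still in progress"
    if req["lookups"] and set(req["lookups"]) <= set(req["negative_cache"]):
        # A negative-cache hit skips the backend for that domain, so sssd_be
        # (and its /etc/hosts access) was not exercised by this request at all.
        return ("every domain answered from the negative cache, so sssd_be was never "
                "asked; restart sssd to drop the in-memory negative cache before retesting")
    return "backend lookup returned nothing; check the sssd_be domain log for errors"


if __name__ == "__main__":
    for cr, req in summarize_requests(SAMPLE_LOG).items():
        print(f"CR #{cr}: {req}")
        print("  ->", diagnose(req))
```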


[Freeipa-users] Re: Multiple dot in hostname - DNS error

2019-03-03 Thread Vivek Aggarwal via FreeIPA-users
By the way, I've created a new machine with the following settings, by
abandoning the ".local" TLD

Hostname : testing-infra-01-dal1.testing.stg.avtar.test
realm_name: avtar.test
domain_name: avtar.test

But still getting the same error as below
+++
ipapython.dnsutil: ERROR DNS query for
testing-infra-01-dal13.testing.stg.avtar.test.1 failed: All nameservers failed
to answer the query testing-infra-01-dal13.testing.stg.avtar.test. IN A: Server
127.0.0.1 UDP port 53 answered SERVFAIL
ipaserver.dns_data_management: ERROR unable to resolve host name
testing-infra-01-dal13.testing.stg.avtar.test. to IP address, ipa-ca DNS record
will be incomplete


And the entry in resolv.conf is as below
search avtar.test
nameserver 127.0.0.1
+++
But if I give "testing.stg.avtar.test" as my domain & realm name then things
just work fine without any errors. Any comments on this behaviour, why is it
working in this case?


[Freeipa-users] Re: Multiple dot in hostname - DNS error

2019-03-03 Thread Vivek Aggarwal via FreeIPA-users
Thanks John, it means a lot of help.

Just out of curiosity, how are you able to search & share the specific RFC so
quickly? Is this something I also should follow, in terms of referring to RFC
docs to get clarity?

Is there any RFC website/links which you can share & will be of help for me
as well? Any guidance on this as well would be appreciated.

Just learning...
Many thanks.


[Freeipa-users] Re: Multiple dot in hostname - DNS error

2019-03-03 Thread John Keates via FreeIPA-users
Your specific issue might not be because of the .local TLD, but .local is a
special 'reserved' name for multicast DNS. You can use any other (including
fake) TLD that is not registered.
There are some other TLDs that are ’special’, like the one used for reverse-IP 
records in APIPA. Best to avoid such things as not all network software takes 
care of those special names the way they should.

Some hosts might treat .local special and ignore DNS servers or DNS query 
responses that are not from mDNS. Some hosts might first query DNS and then 
mDNS, some might do it the other way around. Some systems disable mDNS or 
.local mDNS if a static .local zone is detected which breaks Bonjour and 
ZeroConf in most configurations.

In my experience, mixing mDNS and DNS by introducing a .local is just going to 
create more problems.

I would suggest registering a DNS name but not using it externally, just
internally. For example, you could take something like my-internal-domain.net
but simply not host anything externally and remove all records, maybe even
disable name servers. There probably are better conventions for this, but
using a 'real' (but dead to the outside) domain has served me well.

Multiple subdomains shouldn't be a problem, but there probably are limits to
the depth of subzones. For my setups, I usually don't go deeper than 2 levels,
i.e. sub1.sub0.ipa.net.
I do tend to make dedicated subzones with NS delegations when I go deeper than
1 level, but in theory, if you only have 1 sublevel, you can leave it as-is and
IPA will register your hosts with a dot in the name in the record, effectively
creating a virtual subzone. There is nothing bad about that, but depending on
the management functionality you are trying to create, your needs may call for
a different setup.

One of the important parts of domain naming isn't as much about IPA's idea on
domains, but very much depends on how Kerberos likes names.
So if you can't provide a strong enough guideline in the IPA community or
documentation, try the ones for Kerberos (which IPA uses):
https://web.mit.edu/kerberos/krb5-1.12/doc/admin/realm_config.html
The same can be (partially) said about Microsoft's AD naming suggestions, as
their system also depends on correct naming, uses Kerberos and uses SRV records
to find the correct servers for services:
https://social.technet.microsoft.com/wiki/contents/articles/34981.active-directory-best-practices-for-internal-domain-and-network-names.aspx


One of the quotes from the above sources:

> In the past, lots of people chose to use a dummy, unofficial TLD
> (top-level-domain) for their internal network, like domain.lan, domain.local
> or domain.internal (and also domain.internalhost)
> 
> But this can get you in serious trouble. Because these names are not
> supported by internet standards, the most important RFC on this is: RFC 2606
> (http://tools.ietf.org/html/rfc2606). This RFC standard is very explicit on
> choosing domain names for private testing and documentation
> 


Other sources condense the suggestions into:

> Option 1: Use a valid TLD (Top Level Domain, also known as routable domain) 
> registered to your company. Some examples of this are company.ca or 
> company.com;
> Option 2: Use a subdomain of a valid TLD that is registered to your company
> Option 3: Use non-TLD name (or non-routable domain). (But not an RFC reserved 
> name!)

John

> On 3 Mar 2019, at 19:08, Vivek Aggarwal via FreeIPA-users wrote:
> 
> Thanks John,
> 
> It would be nice if you could elaborate a bit more & share your advice on:
> 
> i) What's wrong in the current hostname convention, as I still don't have a
> clear understanding of what is causing a problem in the current setup? Any
> links/thoughts which can explain this will be of great help.
> 
> ii) Is ".local" a problem, or can I use any other TLD like ".int"?
> 
> iii) Thirdly, what is the recommendation for naming the hostname FQDN; should
> it not have multiple sub domains?
> 
> Please bear with my questions in case these look a bit naive. Thanks a lot for
> sparing time in answering my concerns.

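As an added example (not code from the thread or from FreeIPA), here is a small Python check that applies the points raised in Alexander's and John's replies to a planned IPA host name: it validates each label against the RFC 1034 section 3.5 rules quoted above, warns when the TLD is one resolvers treat specially (.local per RFC 6762, and the RFC 2606 reserved names .test, .example, .invalid and .localhost), and lists the zones nested between the host and the IPA DNS domain that would have to exist or be delegated before the installer could resolve the host. The two host/domain combinations posted in the thread are used as sample input.

```python
import re

# RFC 1034 section 3.5 label syntax (as quoted in the thread): start with a
# letter, end with a letter or digit, interior letters/digits/hyphens, <= 63
# characters. RFC 1123 later allowed a leading digit; this check does not.
LABEL_RE = re.compile(r"^[A-Za-z]([A-Za-z0-9-]*[A-Za-z0-9])?$")
RFC2606_TLDS = {"test", "example", "invalid", "localhost"}  # reserved for testing/docs
MDNS_TLDS = {"local"}                                       # RFC 6762 multicast DNS


def _labels(name):
    return name.rstrip(".").lower().split(".")


def check_labels(name):
    """Return the RFC 1034 3.5 violations found in the labels of a DNS name."""
    problems = []
    for label in _labels(name):
        if len(label) > 63:
            problems.append(f"{label!r}: longer than 63 characters")
        elif not LABEL_RE.match(label):
            problems.append(f"{label!r}: must start with a letter, end with a letter "
                            "or digit, and contain only letters, digits and hyphens")
    return problems


def check_tld(name):
    """Return a warning when the TLD is one that resolvers treat specially."""
    tld = _labels(name)[-1]
    if tld in MDNS_TLDS:
        return f".{tld} is reserved for multicast DNS (RFC 6762)"
    if tld in RFC2606_TLDS:
        return f".{tld} is reserved by RFC 2606 for testing and documentation"
    return None


def nested_zones(hostname, domain):
    """Zones between the host and the IPA DNS domain, outermost first.

    None: the host is not under the domain at all (its zone must be served and
    resolvable elsewhere).  []: the host sits directly in the domain zone.
    Otherwise each listed zone must exist (or be delegated) before the host's
    A record can resolve, which is what the installer's SERVFAIL reflects.
    """
    h, d = _labels(hostname), _labels(domain)
    if len(h) <= len(d) or h[-len(d):] != d:
        return None
    between = h[1:-len(d)]  # drop the host label and the domain labels
    return [".".join(between[i:] + d) for i in range(len(between) - 1, -1, -1)]


def assess(hostname, domain):
    """Combine the three checks into one report for a planned IPA master."""
    zones = nested_zones(hostname, domain)
    if zones is None:
        placement = "outside the IPA domain; its zone must already resolve via DNS"
    elif not zones:
        placement = "directly in the IPA domain zone; the installer can add its records"
    else:
        placement = ("in nested zone(s) " + ", ".join(zones) +
                     " which are absent/empty on a freshly deployed master")
    return {"labels": check_labels(hostname), "tld": check_tld(hostname),
            "placement": placement}


if __name__ == "__main__":
    host = "testing-infra-01-dal1.testing.stg.avtar.test"  # host name from the thread
    for domain in ("avtar.test", "testing.stg.avtar.test"):
        print(domain, "->", assess(host, domain))
    print(assess("testing-infra-01-dal1.testing.stg.avtar.local", "avtar.local")["tld"])
```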

[Freeipa-users] Re: Multiple dot in hostname - DNS error

2019-03-03 Thread John Keates via FreeIPA-users
In that case I don’t know how to help (but someone else might). As per 
https://tools.ietf.org/html/rfc6762 .local isn’t supposed to be used the way 
you are using it at this time, and it will conflict with pretty much any 
standard system. I don’t know how to patch/override that without breaking a 
whole lot of other systems.


> On 3 Mar 2019, at 17:43, Vivek Aggarwal via FreeIPA-users wrote:
> 
> Yes, it's inheritance & it was done on purpose to generate TLS certificates as
> per hostnames.
> 
> Hence kindly suggest how to configure IPA to accommodate this mDNS's TLD.


[Freeipa-users] Re: IPAM that integrates well with FreeIPA

2019-03-03 Thread John Keates via FreeIPA-users
I used to look for the same thing, but it didn't make sense in the end: IPA
isn't authoritative on what IP addresses are used, and why. That is what
infrastructure configuration management is for, i.e. your DHCP servers and the
tooling used for static configuration (like Salt and Ansible).

John

> On 3 Mar 2019, at 16:53, TomK via FreeIPA-users wrote:
> 
> Hey Guys,
> 
> I'm looking for an IPAM (IP Address Management) tool that will integrate with 
> FreeIPA to provide:
> 
> 1) IP Management
> 2) Provides DHCP
> 3) *Integrates well with FreeIPA*
> 
> Many of the tools I saw provide conflicting capabilities.  Would be great if 
> the IPAM tool checked FreeIPA to see if the IP is already used.
> 
> Has anyone come across such a tool and tried it with FreeIPA?
> 
> -- 
> Cheers,
> Tom K.
> -
> 
> Living on earth is expensive, but it includes a free trip around the sun.


[Freeipa-users] Re: Multiple dot in hostname - DNS error

2019-03-03 Thread Vivek Aggarwal via FreeIPA-users
Yes, it's inheritance & it was done on purpose to generate TLS certificates as
per hostnames.

Hence kindly suggest how to configure IPA to accommodate this mDNS's TLD.


[Freeipa-users] IPAM that integrates well with FreeIPA

2019-03-03 Thread TomK via FreeIPA-users

Hey Guys,

I'm looking for an IPAM (IP Address Management) tool that will integrate 
with FreeIPA to provide:


1) IP Management
2) Provides DHCP
3) *Integrates well with FreeIPA*

Many of the tools I saw provide conflicting capabilities.  Would be 
great if the IPAM tool checked FreeIPA to see if the IP is already used.


Has anyone come across such a tool and tried it with FreeIPA?

--
Cheers,
Tom K.
-

Living on earth is expensive, but it includes a free trip around the sun.


[Freeipa-users] Re: Multiple dot in hostname - DNS error

2019-03-03 Thread John Keates via FreeIPA-users
Did you select mDNS's TLD .local on purpose, or was this an inheritance?


> On 3 Mar 2019, at 14:49, Vivek Aggarwal via FreeIPA-users wrote:
> 
> Our current implementation has multiple dots (.) in the hostname, details
> mentioned below, & we're using the below settings while configuring the
> IPA/Redhat IDM server with integrated DNS.
> 
> Hostname : testing-infra-01-dal1.testing.stg.avtar.local
> realm_name: avtar.local
> domain_name: avtar.local
> 
> Once the setup completes, we're getting the below error. We're suspecting it's
> related to multiple dots in the hostname.
> Considering the fact we cannot rename these hostnames, please suggest how to
> resolve it. Is there a possibility to resolve it, or do we have to
> install/configure BIND DNS separately?
> 
> Does this error really prevent us from registering other machines within our
> environment having a similar multi-dot pattern in hostnames?
> +
> ipapython.dnsutil: DEBUG The DNS query name does not exist:
> testing-infra-01-dal1.testing.stg.avtar.local.
> ipaserver.dns_data_management: ERROR unable to resolve host name
> testing-infra-01-dal1.testing.stg.avtar.local. to IP address, ipa-ca DNS
> record will be incomplete
> 


[Freeipa-users] Multiple dot in hostname - DNS error

2019-03-03 Thread Vivek Aggarwal via FreeIPA-users
Our current implementation has multiple dots (.) in the hostname, details
mentioned below, & we're using the below settings while configuring the
IPA/Redhat IDM server with integrated DNS.

Hostname : testing-infra-01-dal1.testing.stg.avtar.local
realm_name: avtar.local
domain_name: avtar.local

Once the setup completes, we're getting the below error. We're suspecting it's
related to multiple dots in the hostname.
Considering the fact we cannot rename these hostnames, please suggest how to
resolve it. Is there a possibility to resolve it, or do we have to
install/configure BIND DNS separately?

Does this error really prevent us from registering other machines within our
environment having a similar multi-dot pattern in hostnames?
+
ipapython.dnsutil: DEBUG The DNS query name does not exist:
testing-infra-01-dal1.testing.stg.avtar.local.
ipaserver.dns_data_management: ERROR unable to resolve host name
testing-infra-01-dal1.testing.stg.avtar.local. to IP address, ipa-ca DNS record
will be incomplete
