Re: [Freeipa-users] 6.1 beta
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 04/05/2011 09:54 AM, Sigbjorn Lie wrote:
>> On 04/05/2011 08:16 AM, Sigbjorn Lie wrote:
>>>> On 04/04/2011 05:17 PM, Sigbjorn Lie wrote:
>>>>> The first dig is taken on the ipa server, using its own IPA configured
>>>>> test DNS. However I have a F14 client successfully connected using my
>>>>> prod DNS (my DHCP default). Prod DNS is serving the same _ldap._tcp
>>>>> records for the same IPA server. My prod dns is serving TTL 1 second for
>>>>> the same records.
>>>>>
>>>>> I presume what happened was that I started the SSSD on the IPA server
>>>>> while it was still being served by the PROD dns. Then I changed the
>>>>> nameserver entries after.
>>>>>
>>>>> What gets to me is that I've used the prod DNS setup for testing with
>>>>> F14 for months now, without any issue. This first became an issue when I
>>>>> reinstalled the IPA server with RHEL 6.1 beta.
>>>>>
>>>>> Was that really it? Too low TTL on the DNS entries?
>>>>
>>>> If I remember correctly, the change that added _srv_ by default to
>>>> sssd.conf went in during one of the later release candidates for FreeIPA.
>>>> So it's likely that for most of your time testing it, you only had the
>>>> explicit server address in the config file.
>>>>
>>>> I do encourage you to keep the _srv_ entry, as it really does make life
>>>> a lot easier later on (if you want to add a replica or move the FreeIPA
>>>> server) since you only have to update DNS instead of every client.
>>>
>>> I see your point. I'll increase the TTL of my production zone and see what
>>> happens then. What do you think of having only the _srv_ entry, no named
>>> hosts at all in sssd.conf ?
>>
>> The reason the install script sets one named host is just to be extra
>> cautious. If DNS is not resolving for some reason (BIND crashed, or someone
>> accidentally blocked port 53, etc.) then SSSD will still attempt to reach
>> the named host before giving up and going offline.
>>
>> It's not strictly necessary, but neither should it ever be harmful.
>> Obviously if DNS is resolving correctly at all times the named host will
>> never be used.
>
> Ok. I see.
>
> Why are the _srv_ records not used in the domain/default as well? And what
> exactly is the difference between domain/ix.nixtra.com and domain/default?

[domain/default] is not in use. It's put there by authconfig (which we use to
bootstrap the SSSD setup process) but we disable that domain. Only domains
listed in the "domains = , , ..." line of the [sssd] section are active.

We leave it in there to be a good citizen (in case it actually was configured
previously). That way we don't wipe out any settings that the user may have
had in it.

- --
Stephen Gallagher
RHCE 804006346421761

Delivering value year after year.
Red Hat ranks #1 in value among software vendors.
http://www.redhat.com/promo/vendor/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAk2bIJIACgkQeiVVYja6o6NR6ACdFp0PHQ3vz4G+KC850mn2+fL2
QaUAnA6W3hfNokCtOqlwTpriZfN/yK1n
=kDvn
-----END PGP SIGNATURE-----

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
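Two things in this exchange are easy to get wrong when reading an sssd.conf by eye: a `[domain/default]` section that is present but not listed on the `domains =` line of `[sssd]` is inert, and an `ipa_server = _srv_, host` line means "try the SRV targets first, then the literal host", so the named host only matters when the SRV lookup fails. The following is an added example, not code from the FreeIPA or SSSD projects or from anyone on the list. It parses a constructed sssd.conf in the shape the client installer writes, lists which domain sections are active, and expands `ipa_server` with an injected SRV resolver so that the DNS-down fallback to the named host can be exercised offline. The hostnames `ipa.ix.nixtra.com` / `ipa2.ix.nixtra.com`, the SRV answers, and the assumption that a bare host means LDAP on port 389 are all mine.

```python
"""Added example (not FreeIPA/SSSD project code): which sssd.conf domains are
active, and how `ipa_server = _srv_, host` degrades when DNS is unavailable.
The SRV lookup is injected as a callable so this runs offline."""
import configparser
from typing import Callable, Dict, List, Tuple

# Constructed sssd.conf fragment; hostnames are placeholders, not real hosts.
SAMPLE_SSSD_CONF = """
[sssd]
config_file_version = 2
services = nss, pam
domains = ix.nixtra.com

[domain/ix.nixtra.com]
id_provider = ipa
ipa_domain = ix.nixtra.com
ipa_server = _srv_, ipa.ix.nixtra.com

[domain/default]
id_provider = ldap
ldap_uri = ldap://ldap.placeholder.example
"""

# SRV record as (priority, weight, port, target), per RFC 2782.
SrvRecord = Tuple[int, int, int, str]
SrvResolver = Callable[[str], List[SrvRecord]]


def load_conf(text: str) -> configparser.ConfigParser:
    # sssd.conf is INI-style; keep option names exactly as written.
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def active_domains(cp: configparser.ConfigParser) -> List[str]:
    """Only domains on the `domains =` line of [sssd] are enabled."""
    raw = cp.get("sssd", "domains", fallback="")
    return [d.strip() for d in raw.split(",") if d.strip()]


def inactive_domain_sections(cp: configparser.ConfigParser) -> List[str]:
    """[domain/X] sections that exist in the file but are not enabled."""
    enabled = set(active_domains(cp))
    return [s for s in cp.sections()
            if s.startswith("domain/") and s[len("domain/"):] not in enabled]


def server_candidates(cp, domain: str, resolve_srv: SrvResolver) -> List[str]:
    """Expand `ipa_server` for `domain` into an ordered host:port list.

    `_srv_` becomes the SRV targets of _ldap._tcp.<ipa_domain>, lowest
    priority first. A failed lookup contributes nothing, so a literal host
    listed after it is still tried (assumed port 389 when none is given).
    """
    section = f"domain/{domain}"
    ipa_domain = cp.get(section, "ipa_domain", fallback=domain)
    entries = [e.strip() for e in cp.get(section, "ipa_server").split(",")]
    out: List[str] = []
    for entry in entries:
        if entry == "_srv_":
            try:
                records = resolve_srv(f"_ldap._tcp.{ipa_domain}")
            except OSError:  # resolver down, port 53 blocked, etc.
                records = []
            for _prio, _weight, port, target in sorted(records):
                out.append(f"{target}:{port}")
        else:
            out.append(entry if ":" in entry else f"{entry}:389")
    return out


def make_resolver(table: Dict[str, List[SrvRecord]]) -> SrvResolver:
    """Offline stand-in for a DNS SRV query, backed by a dict."""
    def resolve(name: str) -> List[SrvRecord]:
        if name not in table:
            raise OSError(f"no answer for {name}")
        return table[name]
    return resolve


# Constructed SRV answer: primary server and a replica at lower priority.
WORKING_DNS = make_resolver({
    "_ldap._tcp.ix.nixtra.com": [
        (0, 100, 389, "ipa.ix.nixtra.com"),
        (10, 100, 389, "ipa2.ix.nixtra.com"),
    ],
})
BROKEN_DNS = make_resolver({})  # every lookup raises


if __name__ == "__main__":
    conf = load_conf(SAMPLE_SSSD_CONF)
    print("active domains:", active_domains(conf))
    print("inert sections:", inactive_domain_sections(conf))
    print("DNS ok:  ", server_candidates(conf, "ix.nixtra.com", WORKING_DNS))
    print("DNS down:", server_candidates(conf, "ix.nixtra.com", BROKEN_DNS))
```

With working DNS the named host shows up again at the end of the list behind the SRV targets, which is why it is harmless; with the resolver failing it is the only candidate left, which is the "extra cautious" case the install script is covering for.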
Re: [Freeipa-users] RC3 Install fails with " Unable to connect to LDAP server "
On 04/05/2011 05:28 AM, tomasz.napier...@allegro.pl wrote:
> On 2011-03-14, at 13:25, Dmitri Pal wrote:
>
>> On 03/14/2011 04:57 AM, tomasz.napier...@allegro.pl wrote:
>>> On 2011-03-13, at 17:36, Sigbjorn Lie wrote:
>>>> On 03/12/2011 09:58 PM, tomasz.napier...@allegro.pl wrote:
>>>>> On 2011-03-12, at 20:06, tomasz.napier...@allegro.pl wrote:
>>>>>
>>>>>> Hi,
>>>>>> I'm trying to install FreeIPA 2.0. RC3 on fresh, minimal F14 box, but it
>>>>>> fails for some reason:
>>>>> Looks like the problem is that my realm is different than domain name
>>>>> (QXLTEST vs. DC2). After accepting defaults installation was completed
>>>>> successfully. Can anybody confirm?
>>>>>
>>>>> Regards,
>>>> Hi,
>>>>
>>>> I reinstalled and found the same to be the problem for me.
>>> Filed bug 684690
>>>
>>> Regards,
>> Thanks!
>
> One quick question: is there a package with this bug fixed available for
> Fedora 15? Seems to be fixed in RHEL , but I'm not sure if it's fixed in
> freeipa-server.2.0.0.1.fc15
>

Should be in the GA bits.

> Regards,
>

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
Re: [Freeipa-users] 6.1 beta
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 04/05/2011 08:16 AM, Sigbjorn Lie wrote:
>> On 04/04/2011 05:17 PM, Sigbjorn Lie wrote:
>>> The first dig is taken on the ipa server, using its own IPA configured
>>> test DNS. However I have a F14 client successfully connected using my prod
>>> DNS (my DHCP default). Prod DNS is serving the same _ldap._tcp
>>> records for the same IPA server. My prod dns is serving TTL 1 second for
>>> the same records.
>>>
>>> I presume what happened was that I started the SSSD on the IPA server
>>> while it was still being served by the PROD dns. Then I changed the
>>> nameserver entries after.
>>>
>>> What gets to me is that I've used the prod DNS setup for testing with
>>> F14 for months now, without any issue. This first became an issue when I
>>> reinstalled the IPA server with RHEL 6.1 beta.
>>>
>>> Was that really it? Too low TTL on the DNS entries?
>>>
>>
>> If I remember correctly, the change that added _srv_ by default to
>> sssd.conf went in during one of the later release candidates for FreeIPA.
>> So it's likely that for most of your time testing it, you only had the
>> explicit server address in the config file.
>>
>> I do encourage you to keep the _srv_ entry, as it really does make life
>> a lot easier later on (if you want to add a replica or move the FreeIPA
>> server) since you only have to update DNS instead of every client.
>>
>
> I see your point. I'll increase the TTL of my production zone and see what
> happens then. What do you think of having only the _srv_ entry, no named
> hosts at all in sssd.conf ?

The reason the install script sets one named host is just to be extra
cautious. If DNS is not resolving for some reason (BIND crashed, or someone
accidentally blocked port 53, etc.) then SSSD will still attempt to reach the
named host before giving up and going offline.

It's not strictly necessary, but neither should it ever be harmful.
Obviously if DNS is resolving correctly at all times the named host will
never be used.

- --
Stephen Gallagher
RHCE 804006346421761
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAk2bCPsACgkQeiVVYja6o6O0ogCghoLoQ7d8NajVD3p7bgfgfIxH
RDAAoJx6JXaijE7etQF2faP4g3xm6fC6
=bej9
-----END PGP SIGNATURE-----
Re: [Freeipa-users] 6.1 beta
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 04/04/2011 05:17 PM, Sigbjorn Lie wrote:
> The first dig is taken on the ipa server, using its own IPA configured
> test DNS. However I have a F14 client successfully connected using my
> prod DNS (my DHCP default). Prod DNS is serving the same _ldap._tcp
> records for the same IPA server. My prod dns is serving TTL 1 second for
> the same records.
>
> I presume what happened was that I started the SSSD on the IPA server
> while it was still being served by the PROD dns. Then I changed the
> nameserver entries after.
>
> What gets to me is that I've used the prod DNS setup for testing with
> F14 for months now, without any issue. This first became an issue when I
> reinstalled the IPA server with RHEL 6.1 beta.
>
> Was that really it? Too low TTL on the DNS entries?
>

If I remember correctly, the change that added _srv_ by default to sssd.conf
went in during one of the later release candidates for FreeIPA. So it's likely
that for most of your time testing it, you only had the explicit server
address in the config file.

I do encourage you to keep the _srv_ entry, as it really does make life a lot
easier later on (if you want to add a replica or move the FreeIPA server)
since you only have to update DNS instead of every client.

- --
Stephen Gallagher
RHCE 804006346421761
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAk2bA1sACgkQeiVVYja6o6NYZgCfcA514qCLAJbM4LtK07CPtQpX
ahcAoIbO/X0+LuQYPz9emtOajlwej+1B
=0uQY
-----END PGP SIGNATURE-----
Re: [Freeipa-users] RC3 Install fails with " Unable to connect to LDAP server "
On 2011-03-14, at 13:25, Dmitri Pal wrote:
> On 03/14/2011 04:57 AM, tomasz.napier...@allegro.pl wrote:
>> On 2011-03-13, at 17:36, Sigbjorn Lie wrote:
>>
>>> On 03/12/2011 09:58 PM, tomasz.napier...@allegro.pl wrote:
>>>> On 2011-03-12, at 20:06, tomasz.napier...@allegro.pl wrote:
>>>>> Hi,
>>>>> I'm trying to install FreeIPA 2.0. RC3 on fresh, minimal F14 box, but it
>>>>> fails for some reason:
>>>> Looks like the problem is that my realm is different than domain name
>>>> (QXLTEST vs. DC2). After accepting defaults installation was completed
>>>> successfully. Can anybody confirm?
>>>>
>>>> Regards,
>>> Hi,
>>>
>>> I reinstalled and found the same to be the problem for me.
>> Filed bug 684690
>>
>> Regards,
> Thanks!

One quick question: is there a package with this bug fixed available for
Fedora 15? Seems to be fixed in RHEL , but I'm not sure if it's fixed in
freeipa-server.2.0.0.1.fc15

Regards,
--
Tomasz Z. Napierała
Systems Architecture Engineer, IT Infrastructure Department
Allegro Team
http://www.allegro.pl/

Grupa Allegro Sp. z o.o., with its registered office in Poznań, 60-324 Poznań, ul. Marcelińska 90, entered in the register of entrepreneurs kept by the District Court Poznań - Nowe Miasto i Wilda, VIII Commercial Division of the National Court Register, under KRS number 268796, with share capital of PLN 33 474 500, tax identification number NIP: 5272525995.

smime.p7s
Description: S/MIME cryptographic signature