Re: [Freeipa-users] Setting up single domain but with dns subdomains
On 8.1.2013 20:06, Rob Crittenden wrote:
> Orion Poplawski wrote:
>> I'm looking into migrating our 389ds ldap + kerberos to FreeIPA and I'm wondering how to set up DNS autodiscovery (if possible) in a way to point to different servers in different locations. We have two major offices, one that uses the nwra.com dns domain and one that uses the cora.nwra.com dns subdomain. We're planning on using the NWRA.COM domain for IPA/kerberos. I'd like to have the hosts in the cora office use the local servers instead of the one at the main office. Is this possible?
>>
>> While I can have:
>>
>> _ldap._tcp.cora.nwra.com. SRV 0 0 636 ipa.cora.nwra.com.
>>
>> If I have:
>>
>> _kerberos.cora.nwra.com. TXT NWRA.COM
>>
>> it will then automatically look for:
>>
>> _kerberos._udp.nwra.com. SRV
>>
>> which will hold the servers for the other office. Any suggestions?
>
> We don't have a good solution for region-specific enrollment right now. There is a ticket open, https://fedorahosted.org/freeipa/ticket/2008
>
> In 3.0 we added better capabilities for bypassing discovery using --server and --fixed-primary in ipa-client-install.

You could use BIND views to return different SRV records to each location, but it will work only if you don't use IPA-integrated DNS (bind-dyndb-ldap).

Unfortunately there is no good solution with IPA integrated DNS.

-- 
Petr^2 Spacek

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
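The discovery hop Orion describes (the _kerberos TXT record sends the client to the realm's SRV names under nwra.com, so records under cora.nwra.com are never consulted for the KDC) and the BIND-views workaround Petr suggests can be checked before touching production DNS. The script below is an added example written for this page, not code from the thread or from FreeIPA. It replaces `dig` with a constructed zone table (`fake_dig`) that answers differently for a "main" and a "cora" view, exactly as two BIND views would for the same names; the record data, view names and server names are assumptions modelled on the thread, and the discovery order is the simplified one the thread states (TXT realm, then `_kerberos._udp.<realm>` SRV), not a full reimplementation of ipa-client-install's discovery.

```shell
#!/bin/sh
# Added example (not from the thread or FreeIPA): model the discovery path
# Orion describes, against constructed per-view zone data.

# fake_dig VIEW RRTYPE NAME
# Prints what a resolver in VIEW would see, in "dig +short" format.
# To test a live BIND deployment, swap the body for:  dig +short "$2" "$3"
fake_dig() {
    view=$1; rrtype=$2; name=$3
    case "$view/$rrtype/$name" in
        # Both views: the realm TXT record points every DNS domain at NWRA.COM,
        # which is why discovery jumps from cora.nwra.com to nwra.com.
        */TXT/_kerberos.nwra.com|*/TXT/_kerberos.cora.nwra.com)
            echo '"NWRA.COM"' ;;
        # Main-office view: only the main server.
        main/SRV/_kerberos._udp.nwra.com) echo '0 100 88 ipa.nwra.com.' ;;
        main/SRV/_ldap._tcp.nwra.com)     echo '0 100 389 ipa.nwra.com.' ;;
        # Cora view: same names, local server preferred, main office as fallback.
        cora/SRV/_kerberos._udp.nwra.com)
            echo '0 100 88 ipa.cora.nwra.com.'
            echo '10 100 88 ipa.nwra.com.' ;;
        cora/SRV/_ldap._tcp.nwra.com)
            echo '0 100 389 ipa.cora.nwra.com.'
            echo '10 100 389 ipa.nwra.com.' ;;
        *) : ;;   # no answer (NXDOMAIN / NODATA)
    esac
}

# best_srv: read "priority weight port target" lines on stdin and print the
# target with the lowest priority, ties broken by highest weight.
best_srv() {
    sort -k1,1n -k2,2nr | head -n 1 | awk '{ sub(/\.$/, "", $4); print $4 }'
}

# discover_kdc VIEW DOMAIN
# Follow the path from the thread: _kerberos.DOMAIN TXT -> realm ->
# _kerberos._udp.<realm, lower-cased> SRV. Prints the chosen KDC.
discover_kdc() {
    view=$1; domain=$2
    realm=$(fake_dig "$view" TXT "_kerberos.$domain" | tr -d '"')
    if [ -z "$realm" ]; then
        echo "no _kerberos TXT record for $domain: discovery would fail" >&2
        return 1
    fi
    realm_zone=$(printf '%s' "$realm" | tr 'A-Z' 'a-z')
    fake_dig "$view" SRV "_kerberos._udp.$realm_zone" | best_srv
}

# Without views, a cora host resolving through the main view lands on the
# main-office server; with the cora view it gets the local one:
#   discover_kdc main cora.nwra.com   -> ipa.nwra.com
#   discover_kdc cora cora.nwra.com   -> ipa.cora.nwra.com
# The alternative Rob mentions for 3.0 clients is to skip discovery on cora
# hosts, e.g.  ipa-client-install --server=ipa.cora.nwra.com --fixed-primary
# (with --domain/--realm as usual).
```

Note what the model makes visible: the view must override the SRV names under nwra.com (the realm's zone), not add records under cora.nwra.com, because the TXT hop means the client never asks for `_kerberos._udp.cora.nwra.com`. That is also why the trick does not carry over to bind-dyndb-ldap, which serves one copy of the zone from LDAP.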
Re: [Freeipa-users] Issues to watch out for / anticipate when upgrading RHEL6.3 and IPA 2 to 6.4 and IPA 3
On 01/08/2013 11:20 PM, Erinn Looney-Triggs wrote:
> On 01/08/13 12:45, Rob Crittenden wrote:
>> Erinn Looney-Triggs wrote:
>>> On 01/08/13 11:44, Rob Crittenden wrote:
>>>> Simo Sorce wrote:
>>>>> On Tue, 2013-01-08 at 19:31 +, Steven Jones wrote:
>>>>>> Hi, I assume RHEL 6.4 is GA shortly; just how straightforward is the upgrade from one IPA version to another please?
>>>>>>
>>>>>> regards
>>>>>
>>>>> Should just require an rpm upgrade and a restart and nothing else.
>>>>>
>>>>> Simo.
>>>>
>>>> If you have multiple servers you'll want to upgrade them one at a time in a short period (days, not weeks).
>>>>
>>>> rob
>>>
>>> Is this the release where SELinux mapping in IPA actually starts working? If so that is definitely something to watch out for (I realize this is more of an SSSD thing, but still). If you aren't careful and you have your users mapped to something like guest_u, well, the upgrade can be very inconvenient for them.
>>
>> I believe this was fixed.
>>
>> rob
>
> Ok, I am just going off of this: https://bugzilla.redhat.com/show_bug.cgi?id=887193 which makes it appear like it will be documented, but there isn't much you can do about the default being set to guest_u. However, if it is fixed that is great news.
>
> -Erinn

Hello Erinn,

Just to make things clear, it is fixed in the sense that it is documented and the new default SELinux user is unconfined_u:s0-s0:c0.c1023. But this only applies to new IPA server installations.

As for upgraded installs, you want to check the default SELinux user to ensure that it is set to a value that you want (probably unconfined_u:s0-s0:c0.c1023). We could not forcefully change it from guest_u to unconfined_u:s0-s0:c0.c1023 in the upgrade process as we cannot know whether some user has it set to guest_u on purpose.

Thanks for understanding,
Martin
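Martin's advice for upgraded servers is to check the default SELinux user rather than rely on the upgrade to change it. The script below is an added example for this page, not code from the thread or from FreeIPA: it parses the two relevant lines of `ipa config-show` output and flags a guest_u default, and it also checks that a candidate default appears in the map-order list, since `ipa config-mod` rejects a default that is not in the order. The sample output is constructed, and the field labels ("Default SELinux user", "SELinux user map order") and the `--ipaselinuxusermapdefault` option are assumed to match the IPA CLI of that era.

```shell
#!/bin/sh
# Added example (not from the thread or FreeIPA): audit the server-side
# SELinux user map default after an IPA 2.x -> 3.0 upgrade.

# Constructed sample of the relevant lines from a pre-3.0 server; the labels
# are assumed to match `ipa config-show --all` output.
SAMPLE_CONFIG='  Default SELinux user: guest_u:s0
  SELinux user map order: guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023'

# field LABEL: print the value following "LABEL:" from config-show text on stdin.
field() { sed -n "s/^[[:space:]]*$1:[[:space:]]*//p"; }

# in_order ORDER USER: succeed if USER is one of the '$'-separated entries of ORDER.
# config-mod refuses a default that is not in the order list, so check this
# before trying to change the default.
in_order() {
    printf '%s\n' "$1" | tr '$' '\n' | grep -qxF -- "$2"
}

# audit_selinux_default < config-show-output
# Prints OK, GUEST_DEFAULT, DEFAULT_NOT_IN_ORDER or NO_DEFAULT_FIELD and
# returns non-zero for anything but OK.
audit_selinux_default() {
    input=$(cat)
    default=$(printf '%s\n' "$input" | field 'Default SELinux user')
    order=$(printf '%s\n' "$input" | field 'SELinux user map order')
    if [ -z "$default" ]; then
        echo NO_DEFAULT_FIELD; return 2
    fi
    if ! in_order "$order" "$default"; then
        echo DEFAULT_NOT_IN_ORDER; return 2
    fi
    case "$default" in
        guest_u:*) echo GUEST_DEFAULT; return 1 ;;   # the upgrade gotcha from the thread
        *)         echo OK ;;
    esac
}

# On a live server, with an admin Kerberos ticket (assumed command forms):
#   ipa config-show --all | audit_selinux_default
#   ipa config-mod --ipaselinuxusermapdefault='unconfined_u:s0-s0:c0.c1023'
# Run the audit on the constructed sample:
#   printf '%s\n' "$SAMPLE_CONFIG" | audit_selinux_default    # -> GUEST_DEFAULT
```

Because the map default only takes effect on clients whose SSSD honours it, the same check belongs in the upgrade runbook for the clients as well: a user who logs in as guest_u cannot run sudo, use the network from a shell, or execute files in their home directory, which is the "very inconvenient" outcome Erinn describes.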
[Freeipa-users] how do i apply patch?
I'm interested in patch https://fedorahosted.org/freeipa/changeset/1eab43d29244f6e0b8d6f3146317624715d84af7/ so I can have users be able to reset their own password.

Do I manually edit each listed file or are there any specific step(s) needed?

-- 
Regards,
Umarzuki Mochlis
http://debmal.my
Re: [Freeipa-users] how do i apply patch?
On 01/09/2013 03:27 PM, Umarzuki Mochlis wrote:
> I'm interested in patch https://fedorahosted.org/freeipa/changeset/1eab43d29244f6e0b8d6f3146317624715d84af7/ so I can have users be able to reset their own password.
>
> Do I manually edit each listed file or are there any specific step(s) needed?

These patches (in the form sent to the freeipa-devel list) are generated using the 'git format-patch' command and are supposed to be applied using the 'git am' or 'git apply' command. They can also be applied to the source code using the 'patch' utility: http://stackoverflow.com/questions/3418277/how-to-apply-git-diff-patch-without-git-installed

If you work with our git repository the easiest way might be 'git cherry-pick'.

From your question it isn't clear whether you want to patch the source code of some release (i.e. 2.2) and then build a custom build, or whether you want to modify an already installed server. I suspect the latter. In both cases you might run into a problem that the patch does not apply because it depends on some modifications done by a previous patch.

It seems that you want to add password reset functionality to FreeIPA 2.2. If that is the case you should also look at https://fedorahosted.org/freeipa/attachment/ticket/2276/freeipa-mkosek-274-password-change-capability-for-form-based-auth.patch because this one adds the core functionality which the UI page uses.

If you manage to incorporate Martin's patch, you should just use install/ui/reset_password.html and install/ui/reset_password.js and the modifications in install/ui/ipa.css from the changeset you linked.

In any case I do not recommend such modifications. They have high potential to break things.

HTH
-- 
Petr Vobornik
Re: [Freeipa-users] how do i apply patch?
On 01/09/2013 04:39 PM, Petr Vobornik wrote:
> On 01/09/2013 03:27 PM, Umarzuki Mochlis wrote:
>> I'm interested in patch https://fedorahosted.org/freeipa/changeset/1eab43d29244f6e0b8d6f3146317624715d84af7/ so I can have users be able to reset their own password.
>>
>> Do I manually edit each listed file or are there any specific step(s) needed?
>
> These patches (in the form sent to the freeipa-devel list) are generated using the 'git format-patch' command and are supposed to be applied using the 'git am' or 'git apply' command. They can also be applied to the source code using the 'patch' utility: http://stackoverflow.com/questions/3418277/how-to-apply-git-diff-patch-without-git-installed
>
> If you work with our git repository the easiest way might be 'git cherry-pick'.
>
> From your question it isn't clear whether you want to patch the source code of some release (i.e. 2.2) and then build a custom build, or whether you want to modify an already installed server. I suspect the latter. In both cases you might run into a problem that the patch does not apply because it depends on some modifications done by a previous patch.
>
> It seems that you want to add password reset functionality to FreeIPA 2.2. If that is the case you should also look at https://fedorahosted.org/freeipa/attachment/ticket/2276/freeipa-mkosek-274-password-change-capability-for-form-based-auth.patch because this one adds the core functionality which the UI page uses.
>
> If you manage to incorporate Martin's patch, you should just use install/ui/reset_password.html and install/ui/reset_password.js and the modifications in install/ui/ipa.css from the changeset you linked.
>
> In any case I do not recommend such modifications. They have high potential to break things.
>
> HTH

Hello Umarzuki,

You can use the steps that Petr suggested. Just please be cautious about my patch 274 that Petr sent the URL to. This was a first proposal of the patch; the resulting patch crafted after the review process is much different.

This is the correct link: https://fedorahosted.org/freeipa/changeset/d1e695b5d0323167d37eee340718eb5e65138716/

If you want to do a custom build, you can either use fedpkg and create a scratch build of IPA with the patches applied, or do a custom build from the git tree. Using the fedpkg tool + a build in koji may be the safest way to build an rpm that contains only the official build + the chosen patches.

Martin
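Both replies make the same two points: apply format-patch output with `git am` (or `git apply`/`patch`), and expect a patch to fail when the earlier patch it depends on is missing from the tree. The script below is an added example for this page, not code from the thread or from FreeIPA, and it does not touch any real repository: it builds a throwaway git repository with two dependent commits (file and commit contents are constructed, loosely named after the files the thread mentions), exports them with `git format-patch`, and shows that `git apply --check` rejects the second patch on a tree that lacks the first, so nothing is half-applied, while applying them in order succeeds. The `fedpkg`/koji scratch-build route Martin mentions is not demonstrated here.

```shell
#!/bin/sh
# Added example (not from the thread or FreeIPA): the git am workflow for
# format-patch output, demonstrated on a constructed throwaway repository.

# apply_patch_checked PATCHFILE
# Refuse to touch the working tree unless the whole patch applies cleanly.
# Returns 1 when it does not apply, which in practice usually means a
# prerequisite patch is missing (the failure mode Petr warns about).
apply_patch_checked() {
    if ! git apply --check "$1" 2>/dev/null; then
        echo "patch $1 does not apply: look for an earlier patch it depends on" >&2
        return 1
    fi
    git am --quiet "$1"
}

# demo_patch_workflow
# Builds upstream (base -> core capability -> UI page), exports the last two
# commits as 0001-*.patch and 0002-*.patch, then on a clone checked out at
# "base" shows 0002 being rejected and 0001+0002 applying in order.
# Returns 0 when all of that holds. On failure the temp dir is left for inspection.
demo_patch_workflow() {
    export GIT_AUTHOR_NAME=example GIT_AUTHOR_EMAIL=example@example.invalid
    export GIT_COMMITTER_NAME=example GIT_COMMITTER_EMAIL=example@example.invalid
    work=$(mktemp -d) || return 1

    # Constructed "upstream" history; the file name only echoes the thread.
    ( cd "$work" && git init -q upstream && cd upstream \
        && printf 'base\n' > reset_password.js \
        && git add . && git commit -qm 'base' \
        && printf 'base\ncore password-change API\n' > reset_password.js \
        && git commit -qam 'add core capability' \
        && printf 'base\ncore password-change API\nreset password UI\n' > reset_password.js \
        && git commit -qam 'add reset page' \
        && git format-patch -q -2 -o "$work/patches" HEAD ) || return 1

    # A clone at "base" stands in for a 2.2 tree that lacks the core patch.
    ( cd "$work" && git clone -q upstream tree && cd tree && git checkout -q HEAD~2 \
        && ! apply_patch_checked "$work"/patches/0002-*.patch \
        && ! grep -q 'reset password UI' reset_password.js \
        && apply_patch_checked "$work"/patches/0001-*.patch \
        && apply_patch_checked "$work"/patches/0002-*.patch \
        && grep -q 'reset password UI' reset_password.js \
        && git log --oneline | sed -n '1,3p' ) || return 1

    rm -rf "$work"
}

# Run the demonstration when executed directly:
#   demo_patch_workflow && echo 'patches applied in dependency order'
```

The `--check` step is the part worth keeping for real patches: `git am` stops mid-series on a failed hunk and leaves the tree in an am session that has to be aborted with `git am --abort`, whereas checking first keeps a production checkout untouched until every patch in the set is known to apply.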
Re: [Freeipa-users] Issues to watch out for / anticipate when upgrading RHEL6.3 and IPA 2 to 6.4 and IPA 3
On 01/09/13 00:02, Martin Kosek wrote:
> On 01/08/2013 11:20 PM, Erinn Looney-Triggs wrote:
>> On 01/08/13 12:45, Rob Crittenden wrote:
>>> Erinn Looney-Triggs wrote:
>>>> On 01/08/13 11:44, Rob Crittenden wrote:
>>>>> Simo Sorce wrote:
>>>>>> On Tue, 2013-01-08 at 19:31 +, Steven Jones wrote:
>>>>>>> Hi, I assume RHEL 6.4 is GA shortly; just how straightforward is the upgrade from one IPA version to another please?
>>>>>>>
>>>>>>> regards
>>>>>>
>>>>>> Should just require an rpm upgrade and a restart and nothing else.
>>>>>>
>>>>>> Simo.
>>>>>
>>>>> If you have multiple servers you'll want to upgrade them one at a time in a short period (days, not weeks).
>>>>>
>>>>> rob
>>>>
>>>> Is this the release where SELinux mapping in IPA actually starts working? If so that is definitely something to watch out for (I realize this is more of an SSSD thing, but still). If you aren't careful and you have your users mapped to something like guest_u, well, the upgrade can be very inconvenient for them.
>>>
>>> I believe this was fixed.
>>>
>>> rob
>>
>> Ok, I am just going off of this: https://bugzilla.redhat.com/show_bug.cgi?id=887193 which makes it appear like it will be documented, but there isn't much you can do about the default being set to guest_u. However, if it is fixed that is great news.
>>
>> -Erinn
>
> Hello Erinn,
>
> Just to make things clear, it is fixed in the sense that it is documented and the new default SELinux user is unconfined_u:s0-s0:c0.c1023. But this only applies to new IPA server installations.
>
> As for upgraded installs, you want to check the default SELinux user to ensure that it is set to a value that you want (probably unconfined_u:s0-s0:c0.c1023). We could not forcefully change it from guest_u to unconfined_u:s0-s0:c0.c1023 in the upgrade process as we cannot know whether some user has it set to guest_u on purpose.
>
> Thanks for understanding,
> Martin

Yep, I understood all that and the reasoning behind it.

The only thing I was trying to say was that while documenting it in the release notes is a nice and necessary step, if there are other channels to let folks know about this, like say an e-mail list, it might be worthwhile as well. This is just a suggestion. Not all folks read the release notes, which of course they all should, and this change can lead to some rather surprising results for those of us who ended up with guest_u by default.

As I said, I just got lucky in some ways: by running Fedora 18 against my IPA servers I was able to cause issues only for myself.

-Erinn