[Freeipa-users] Wildcard DNS record supported ?

2014-05-23 Thread Matt .
Hi All,

Is a wildcard DNS record supported at the moment ?

If so, how to accomplish this ?

Thanks!

Matt
___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Re: [Freeipa-users] AD trust showing offline after reboot

2014-05-23 Thread Supratik Goswami
Sumit,

Thank you so much for helping me in fixing the problem.

About the issue:
NetBIOS was disabled in Windows AD, I think this is the default behavior
for Windows 2008 R2 instances.
After setting 'client max protocol' and 'client min protocol' winbind was
able to resolve the AD users.

net conf setparm global 'client min protocol' CORE
net conf setparm global 'client max protocol' SMB2_02

You may close this case now.




On Tue, May 20, 2014 at 2:27 PM, Supratik Goswami
supratiksek...@gmail.com wrote:

 Yes, you are correct log level was set to 1.

 I have changed the log level value to 10 and collected the log files
 again, PFA.

 [root@ipaserver samba]# net conf setparm global 'log level' 10
 [root@ipaserver samba]# net conf list
 [global]
 workgroup = IPADOMAIN
 realm = IPADOMAIN.EXAMPLE.COM
  kerberos method = dedicated keytab
 dedicated keytab file = FILE:/etc/samba/samba.keytab
 create krb5 conf = no
  security = user
 domain master = yes
 domain logons = yes
  max log size = 10
 log file = /var/log/samba/log.%m
 passdb backend =
 ipasam:ldapi://%2fvar%2frun%2fslapd-IPADOMAIN-EXAMPLE-COM.socket
  disable spoolss = yes
 ldapsam:trusted = yes
 ldap ssl = off
  ldap suffix = dc=ipadomain,dc=example,dc=com
 ldap user suffix = cn=users,cn=accounts
 ldap group suffix = cn=groups,cn=accounts
  ldap machine suffix = cn=computers,cn=accounts
 rpc_server:epmapper = external
 rpc_server:lsarpc = external
  rpc_server:lsass = external
 rpc_server:lsasd = external
 rpc_server:samr = external
  rpc_server:netlogon = external
 rpc_server:tcpip = yes
 rpc_daemon:epmd = fork
  rpc_daemon:lsasd = fork
 client min protocol = smb2_02
 client max protocol = smb2_02
  log level = 10

 [share]
 comment = Trust test share
 read only = no
  valid users = S-1-5-21-2212595442-2951398754-4232868618
 path = /share






 On Tue, May 20, 2014 at 1:38 PM, Sumit Bose sb...@redhat.com wrote:

 On Tue, May 20, 2014 at 01:17:42PM +0530, Supratik Goswami wrote:
  PFA

 somewhat switched the log level back to 1

   doing parameter log level = 1


 can you check that 'net conf list' shows 'log level 10', if not please
 set it with

 net conf setparm 'log level' 10

 bye,
 Sumit

 
 
 
 
  On Tue, May 20, 2014 at 12:38 PM, Sumit Bose sb...@redhat.com wrote:
 
   On Mon, May 19, 2014 at 05:40:49PM +0530, Supratik Goswami wrote:
Initially after configuring the setup I rebooted once and I was
 thinking
that it worked before the reboot but unfortunately it didn't work
 the
   first
time itself.
   
Still failing after running the commands.
   
[root@ipaserver ~]# net conf setparm global client min protocol
   smb2_02
[root@ipaserver ~]# net conf setparm global client max protocol
   smb2_02
[root@ipaserver ~]# service winbind restart
   
Shutting down Winbind services:[  OK  ]
Starting Winbind services: [  OK  ]
   
[root@ipaserver ~]# wbinfo -n 'ADDOMAIN\Domain Admins'
failed to call wbcLookupName: WBC_ERR_DOMAIN_NOT_FOUND
Could not lookup name ADDOMAIN\Domain Admins
   
[root@ipaserver ~]# wbinfo -u
[root@ipaserver ~]#
   
The issue is reproducible every time if anyone follows the steps as
 I
   have
done.
   
  
   It would be nice if you can send a second round of log files. Please
   stop winbind, remove all *winbind* and *wb* log files in
 /var/log/samba,
   make sure 'log level' is 10 or higher,
   start winbind, call 'wbinfo -n 'ADDOMAIN\Domain Admins', stop winbind,
   put all *winbind* and *wb* log files in a tar/zip archive and send the
   archive. If you think the archive is too large for a mailing-list fell
   free to send them to me directly.
  
   bye,
   Sumit
   
On Mon, May 19, 2014 at 4:45 PM, Sumit Bose sb...@redhat.com
 wrote:
   
 On Mon, May 19, 2014 at 04:29:24PM +0530, Supratik Goswami wrote:
  Hi
 
  Let me start from the beginning once again. Let me explain you
 what
 steps I
  followed during the setup.
 
  I am setting up the environment in Amazon AWS, both Windows AD
   server and
  Linux IPA configured in EC2.
  For configuring Windows 2008 I selected
  Windows_Server-2008-R2_SP1-English-64Bit-Base-2014.04.09
   (ami-df8e93b6)
  and for configuring IPA server I selected CentOS 6.5 (x86_64) -
   Release
  Media (ami-8997afe0).
 
  I followed the steps from
  http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup and also
   kept the
  domain names
  similar as in the example.
 
  IPA server hostname: ipaserver
  IPA domain:  ipadomain.example.com
  IPA NetBIOS: IPADOMAIN
 
  AD DC hostname:  adserver
  AD domain:   addomain.example.com
  AD NetBIOS:  ADDOMAIN
 
 
  1. Updated the system and install the packages.
 
  # yum update -y
  # yum install -y *ipa-server *ipa-server-trust-ad
  samba4-winbind-clients 

Re: [Freeipa-users] Export user and host list to a csv or text file

2014-05-23 Thread Bret Wortman

Yes, though it might be a bit more data than you're expecting.

Here's what we did to get the details out of a server (and import them 
into another). I'm sure there's a more elegant solution, but this worked 
for us. Also note that we didn't use all the data this export script 
generated, but felt it was better to have it than to not.


EXPORT:

#!/bin/bash
#
# Generate latest ipa config files for possible re-import later.
#
# (C) 2014, The Damascus Group
#
# pushd/popd are bash builtins, hence the bash shebang.

CONFIGDIR=/opt/ipa_config

[ ! -d $CONFIGDIR ] && mkdir $CONFIGDIR
pushd $CONFIGDIR

# One file per DNS zone: extract the zone names first, then dump each zone's records.
ipa dnszone-find --all > dnszone.txt
grep 'Zone name' dnszone.txt | awk '{print $3}' | sed 's/\r//' > zones.txt
for line in $(cat zones.txt); do
    fn=$(echo $line | sed 's/\.in-addr\.arpa\.//')
    echo "For zone $line -> dnsrecord-$fn.txt"
    ipa dnsrecord-find $line --sizelimit=9 --all --structured > dnsrecord-${fn}.txt
done
ipa user-find --all > users.txt
ipa host-find --sizelimit=9 --all > hosts.txt
ipa policy-find --all > policy.txt
ipa sudorule-find --all > sudorule.txt
ipa sudocmdgroup-find --all > sudocmdgroup.txt
ipa sudocmd-find --all > sudocmd.txt
ipa role-find --all > roles.txt
ipa pwpolicy-find --all > pwpolicy.txt
ipa privilege-find --all > privilege.txt
ipa permission-find --all > permission.txt
ipa netgroup-find --all > netgroup.txt
ipa usergroup-find --all > usergroup.txt
ipa idrange-find --all > idrange.txt
ipa hostgroup-find --all > hostgroup.txt
ipa hbacrule-find --all > hbacrule.txt
ipa hbacsvc-find --all > hbacsvc.txt
ipa group-find --all > group.txt
ipa cert-find --all > cert.txt
ipa automember-find --type=group --all > automember-group.txt
ipa automember-find --type=hostgroup --all > automember-hostgroup.txt
popd
--cut---

Then, for example, you can import these into a new IPA server using 
something like these:


#!/bin/bash
#
#  parse_hosts
#
# (C) 2014, The Damascus Group
#

FN=$1
OTP=MyOnetimePassword

RE_HOSTNAME="Host name:\s+(.*)$"

name=

# Every "Host name:" line starts a new entry in hosts.txt: add the previous
# host when the next one is seen, and flush the last one after the loop.
while read -r line; do
    if [[ $line =~ $RE_HOSTNAME ]]; then
        if [[ -n $name ]]; then
            echo "Adding $name"
            ipa host-add "$name" --password "$OTP" --force
        fi
        name=${BASH_REMATCH[1]}
    fi
done < "$FN"
if [[ -n $name ]]; then
    echo "Adding $name"
    ipa host-add "$name" --password "$OTP" --force
fi
---cut--

And this for users:

#!/bin/bash
#
# parse_users
#
# (C) 2014, The Damascus Group

FN=$1

RE_DN="dn:\s+(.*)$"
RE_LOGIN="User login:\s+(.*)$"
RE_LAST="Last name:\s+(.*)$"
RE_FIRST="First name:\s+(.*)$"
RE_CN="Full name:\s+(.*)$"
RE_DISPLAYNAME="Display name:\s+(.*)$"
RE_INITIALS="Initials:\s+(.*)$"
RE_SHELL="Login shell:\s+(.*)$"
RE_HOMEDIR="Home directory:\s+(.*)$"
RE_PRINCIPAL="Kerberos principal:\s+(.*)$"
RE_EMAIL="Email address:\s+(.*)$"
RE_SSHPUBKEY="SSH public key:\s+(.*)$"
RE_UID="UID:\s+(.*)$"
RE_GID="GID:\s+(.*)$"

# Clear the per-user fields between entries.
reset_fields() {
    login= last= first= cn= displayname= initials= shell= homedir=
    principal= email= sshpubkey= uid= gid=
}

# Create the user collected so far. The first "dn:" line in the file arrives
# before any attributes, so skip the call when no login has been seen yet.
add_user() {
    [[ -n $login ]] || return 0
    ipa user-add "$login" \
        --last="$last" \
        --first="$first" \
        --cn="$cn" \
        --displayname="$displayname" \
        --initials="$initials" \
        --shell="$shell" \
        --homedir="$homedir" \
        --principal="$principal" \
        --email="$email" \
        --sshpubkey="$sshpubkey" \
        --uid="$uid" \
        --gid="$gid"
}

reset_fields

while read -r line; do
    # A "dn:" line starts the next entry: flush the previous one first.
    if [[ $line =~ $RE_DN ]]; then
        add_user
        reset_fields
    fi
    if [[ $line =~ $RE_LOGIN ]]; then login=${BASH_REMATCH[1]}; fi
    if [[ $line =~ $RE_LAST ]]; then last=${BASH_REMATCH[1]}; fi
    if [[ $line =~ $RE_FIRST ]]; then first=${BASH_REMATCH[1]}; fi
    if [[ $line =~ $RE_CN ]]; then cn=${BASH_REMATCH[1]}; fi
    if [[ $line =~ $RE_DISPLAYNAME ]]; then displayname=${BASH_REMATCH[1]}; fi
    if [[ $line =~ $RE_INITIALS ]]; then initials=${BASH_REMATCH[1]}; fi
    if [[ $line =~ $RE_SHELL ]]; then shell=${BASH_REMATCH[1]}; fi
    if [[ $line =~ $RE_HOMEDIR ]]; then homedir=${BASH_REMATCH[1]}; fi
    if [[ $line =~ $RE_PRINCIPAL ]]; then principal=${BASH_REMATCH[1]}; fi
    if [[ $line =~ $RE_EMAIL ]]; then email=${BASH_REMATCH[1]}; fi
    if [[ $line =~ $RE_SSHPUBKEY ]]; then
        # The key is printed wrapped over three lines; read the other two
        # from the same input and join them with spaces.
        sshpubkey1=${BASH_REMATCH[1]}
        read -r sshpubkey2
        read -r sshpubkey3
        sshpubkey="$sshpubkey1 $sshpubkey2 $sshpubkey3"
    fi
    if [[ $line =~ $RE_UID ]]; then uid=${BASH_REMATCH[1]}; fi
    if [[ $line =~ $RE_GID ]]; then gid=${BASH_REMATCH[1]}; fi
done < "$FN"
# Flush the last entry, which has no following "dn:" line.
add_user
-cut--

If 

Re: [Freeipa-users] Export user and host list to a csv or text file

2014-05-23 Thread Martin Kosek
On 05/23/2014 06:42 AM, Sanju A wrote:
 Dear All,
 
 Is there any command to export the user and host list to a csv or text format

There is no such command out of the shelf, I would personally just write a
short Python script to export the hosts (or anything else) in a format I need.

Example for host:

~
#!/usr/bin/python2

from ipalib import api
api.bootstrap(context='exporter', debug=False)
api.finalize()
api.Backend.xmlclient.connect()

hosts = api.Command['host_find']()['result']

for host in hosts:
   print host['fqdn'][0]
~

This will print one host for each new line.

Martin
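Sanju's question was about getting users and hosts into CSV, and the parse_users script earlier in this thread reads the `Label: value` text that `ipa user-find --all` prints with a chain of bash regexes, pulling a fixed three lines for the SSH public key. As an added example (not code from this thread or from the FreeIPA project, and unlike Martin's python2 snippet it needs only the Python 3 standard library, not ipalib), here is a parser for that text layout that treats any more-indented line as a continuation of the previous attribute, so a wrapped SSH key or a long multi-valued attribute is joined back into one value, and then writes the columns you choose as CSV. The sample output embedded below is constructed, and the assumption that the CLI wraps long values with deeper indentation is mine; in real use, feed it a saved `ipa user-find --all` or `ipa host-find --all` file.

```python
"""Turn the text output of `ipa user-find --all` (or host-find) into CSV.

Added example; the sample below is constructed to follow the "  Label: value"
layout that the parse_users script in this thread matches with its regexes.
Wrapped values as deeper-indented continuation lines are an assumption.
"""
import csv
import io
import re
import sys

# Constructed sample of what `ipa user-find --all` prints for two users.
SAMPLE_USER_FIND = """\
--------------
2 users matched
--------------
  dn: uid=bretw,cn=users,cn=accounts,dc=foo,dc=net
  User login: bretw
  First name: Bret
  Last name: Wortman
  Full name: Bret Wortman
  Home directory: /home/bretw
  Login shell: /bin/bash
  Email address: bretw@example.com
  UID: 1000
  GID: 1000
  SSH public key: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC0constructedkey
                  continuedmaterial bretw@laptop
  Member of groups: ipausers, admins

  dn: uid=sanju,cn=users,cn=accounts,dc=foo,dc=net
  User login: sanju
  First name: Sanju
  Last name: A
  Full name: Sanju A
  UID: 1001
  GID: 1001
  Member of groups: ipausers
----------------------------
Number of entries returned 2
----------------------------
"""

# An attribute line: exactly two spaces, a label up to the first colon, the value.
FIELD_RE = re.compile(r"^  (\S[^:]*):\s?(.*)$")
# A continuation line: indented deeper than an attribute line (assumed wrapping).
CONT_RE = re.compile(r"^ {3,}(\S.*)$")


def parse_ipa_find(text):
    """Return one dict per entry; entries are separated by blank lines.

    Lines that are neither attributes nor continuations (the dashed rules and
    the 'N users matched' / 'Number of entries returned' chrome) are ignored.
    """
    entries, current, last_key = [], {}, None
    for line in text.splitlines():
        if not line.strip():            # blank line ends the current entry
            if current:
                entries.append(current)
            current, last_key = {}, None
            continue
        m = FIELD_RE.match(line)
        if m:
            last_key = m.group(1).strip()
            current[last_key] = m.group(2).strip()
            continue
        m = CONT_RE.match(line)
        if m and last_key is not None:  # wrapped value: append to previous field
            current[last_key] += " " + m.group(1).strip()
    if current:                         # last entry has no trailing blank line
        entries.append(current)
    return entries


def to_csv(entries, columns):
    """Render the chosen columns as CSV text; missing attributes become empty cells."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=columns, extrasaction="ignore",
                            lineterminator="\n")
    writer.writeheader()
    for entry in entries:
        writer.writerow({c: entry.get(c, "") for c in columns})
    return buf.getvalue()


USER_COLUMNS = ["User login", "First name", "Last name", "UID", "GID",
                "Email address", "SSH public key"]

if __name__ == "__main__":
    # Usage: ipa user-find --all > users.txt; python3 ipa_find_to_csv.py users.txt
    # With no argument the constructed sample is used.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_USER_FIND
    sys.stdout.write(to_csv(parse_ipa_find(text), USER_COLUMNS))
```

The column list is just the labels the CLI prints, so the same parser serves `ipa host-find --all` with columns such as "Host name" and "Description". Because values pass through the csv module, a full name or an SSH key comment containing a comma or a quote is quoted correctly rather than splitting a row, which is what a hand-rolled `echo "$a,$b"` export gets wrong.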



Re: [Freeipa-users] Wildcard DNS record supported ?

2014-05-23 Thread Martin Kosek
On 05/23/2014 12:15 PM, Matt . wrote:
 Hi All,
 
 Is a wildcard DNS record supported at the moment ?
 
 If so, how to accomplish this ?
 
 Thanks!
 
 Matt

It is not supported at the moment, but it will be supported from FreeIPA 4.0
(currently planned to be released at the end of June)

Upstream ticket:
https://fedorahosted.org/freeipa/ticket/3148

Martin



Re: [Freeipa-users] Wildcard DNS record supported ?

2014-05-23 Thread Matt .
Hi Martin,

I have seen it indeed and discussed it on #freeipa

Is it not possible to install bind-dyndb-ldap 4.0 manually on CentOS 6.5 ?

Cheers,

Matt


2014-05-23 13:57 GMT+02:00 Martin Kosek mko...@redhat.com:

 On 05/23/2014 12:15 PM, Matt . wrote:
  Hi All,
 
  Is a wildcard DNS record supported at the moment ?
 
  If so, how to accomplish this ?
 
  Thanks!
 
  Matt

 It is not supported at the moment, but it will be supported from FreeIPA
 4.0
 (currently planned to be released at the end of June)

 Upstream ticket:
 https://fedorahosted.org/freeipa/ticket/3148

 Martin


Re: [Freeipa-users] Export user and host list to a csv or text file

2014-05-23 Thread Bret Wortman

Is the Python API documented anywhere? I've looked around without success.

On 05/23/2014 07:54 AM, Martin Kosek wrote:

On 05/23/2014 06:42 AM, Sanju A wrote:

Dear All,

Is there any command to export the user and host list to a csv or text format

There is no such command out of the shelf, I would personally just write a
short Python script to export the hosts (or anything else) in a format I need.

Example for host:

~
#!/usr/bin/python2

from ipalib import api
api.bootstrap(context='exporter', debug=False)
api.finalize()
api.Backend.xmlclient.connect()

hosts = api.Command['host_find']()['result']

for host in hosts:
print host['fqdn'][0]
~

This will print one host for each new line.

Martin







[Freeipa-users] LDAP/SSSD/IPA performance

2014-05-23 Thread Bret Wortman
Collecting my various threads together under one big issue and adding 
this new data point:


Our web UI on our slow network is exhibiting some strange behavior as well.

When selecting, for example, the Users, it can take up to 5 seconds to 
fetch 20 out of our 56 entries.


When switching to Hosts, it took 4 seconds for the footer to show that 
there would be 47 pages in total, then after 10 seconds total, the page 
loaded 20 of 939 entries. When I select a host, the previously-selected 
host will actually be displayed for upwards of 8-10 seconds (while the 
spinning cursor spins near the word Logout) until the host actually loads.


Is it just me, or does this, plus everything else, start to sound like 
LDAP is struggling?


I ran a test using ldapsearch in authenticated and unauthenticated mode 
from my workstation and here's what I found, which may tell us nothing:


# time ldapsearch -x -H -ldap://zsipa.foo.net 
base=uid=bretw,cn=users,cn=accounts,dc=foo,dc=net

:
real0m2.047s
user   0m0.000s
sys 0m0.001s
# time ldapsearch -Y GSSAPI -H ldap://zsipa.foo.net 
base=uid=bretw,cn=users,cn=accounts,dc=foo,dc=net

:
real0m2.816s
user   0m0.004s
sys 0m0.002s

When I did this locally on the ipa master:

# ssh zsipa.foo.net
# time ldapsearch -Y GSSAPI 
base=uid=bretw,cn=uses,cn=accounts,dc=foo,dc=net

:
real0m0.847s
user   0m0.007s
sys 0m0.006s
#


--
*Bret Wortman*

http://damascusgrp.com/
http://about.me/wortmanbret




Re: [Freeipa-users] Export user and host list to a csv or text file

2014-05-23 Thread Chris Swingler
Another alternative is to use Apache Directory Studio; it can dump most objects 
out into a CSV, and you should be able to filter out only the data you want. 

 On May 23, 2014, at 7:33 AM, Petr Vobornik pvobo...@redhat.com wrote:
 
 On 23.5.2014 14:02, Bret Wortman wrote:
 Is the Python API documented anywhere? I've looked around without success.
 
 Not yet.
 
 For now, you can use IPA CLI for inspection:
 
 CLI commands are basically API commands, where `_` is replaced by `-`.
 
 List objects:
  `ipa help topics`
 
 List object commands:
  `ipa help $object`, e.g., `ipa help user`
 
 List command CLI options and parameters:
  `ipa $command --help`, e.g., `ipa user-mod --help`
 
 Map command params and options names to API option names:
  `ipa show-mappings $command`, e.g., `ipa show-mappings user-add`
 
 More can be read from code or by observing Web UI communication in browser 
 developer tools - network tab.
 
 
 Then the python syntax is ~
 args = ['arg1', 'arg2']
 options = dict(option1=foo, option2=bar)
 api.Command['command_name'](*args, **options)
 
 HTH
 
 
 On 05/23/2014 07:54 AM, Martin Kosek wrote:
 On 05/23/2014 06:42 AM, Sanju A wrote:
 Dear All,
 
 Is there any command to export the user and host list to a csv or
 text format
 There is no such command out of the shelf, I would personally just
 write a
 short Python script to export the hosts (or anything else) in a format
 I need.
 
 Example for host:
 
 ~
 #!/usr/bin/python2
 
 from ipalib import api
 api.bootstrap(context='exporter', debug=False)
 api.finalize()
 api.Backend.xmlclient.connect()
 
 hosts = api.Command['host_find']()['result']
 
 for host in hosts:
print host['fqdn'][0]
 ~
 
 This will print one host for each new line.
 
 Martin
 -- 
 Petr Vobornik
 



Re: [Freeipa-users] Wildcard DNS record supported ?

2014-05-23 Thread Petr Spacek

On 23.5.2014 13:59, Matt . wrote:

Hi Martin,

I have seen it indeed and discussed it on #freeipa

Is it not possible to install bind-dyndb-ldap 4.0 manually on CentOS 6.5 ?


In theory yes, but nobody tested that.

Please note that new bind-dyndb-ldap will allow you to use wildcards but you 
will have to use LDAP editor to add wildcard records manually. Old FreeIPA 
will refuse to add wildcard records (because the validator is not inside 
bind-dyndb-ldap but inside FreeIPA).


Anyway, feel free to download
http://kojipkgs.fedoraproject.org//packages/bind-dyndb-ldap/4.3/1.fc20/src/bind-dyndb-ldap-4.3-1.fc20.src.rpm
and rebuild it on CentOS 6.5.

You will have to lower required version of BIND in SPEC file. Please note that 
it is completely untested.


Let me know if you have any further questions.

Petr Spacek



Cheers,

Matt


2014-05-23 13:57 GMT+02:00 Martin Kosek mko...@redhat.com:


On 05/23/2014 12:15 PM, Matt . wrote:

Hi All,

Is a wildcard DNS record supported at the moment ?

If so, how to accomplish this ?

Thanks!

Matt


It is not supported at the moment, but it will be supported from FreeIPA
4.0
(currently planned to be released at the end of June)

Upstream ticket:
https://fedorahosted.org/freeipa/ticket/3148

Martin



--
Petr^2 Spacek



Re: [Freeipa-users] Wildcard DNS record supported ?

2014-05-23 Thread Martin Kosek
On 05/23/2014 03:44 PM, Petr Spacek wrote:
 On 23.5.2014 13:59, Matt . wrote:
 Hi Martin,

 I have seen it indeed and discussed it on #freeipa

 Is it not possible to install bind-dyndb-ldap 4.0 manually on CentOS 6.5 ?
 
 In theory yes, but nobody tested that.
 
 Please note that new bind-dyndb-ldap will allow you to use wildcards but you
 will have to use LDAP editor to add wildcard records manually. Old FreeIPA
 will refuse to add wildcard records (because the validator is not inside
 bind-dyndb-ldap but inside FreeIPA).
 
 Anyway, feel free to download
 http://kojipkgs.fedoraproject.org//packages/bind-dyndb-ldap/4.3/1.fc20/src/bind-dyndb-ldap-4.3-1.fc20.src.rpm
 
 and rebuild it on CentOS 6.5.
 
 You will have to lower required version of BIND in SPEC file. Please note that
 it is completely untested.
 
 Let me know if you have any further questions.
 
 Petr Spacek

Wouldn't Matt also need to rebuild BIND and its libraries? bind-dyndb-ldap and
BIND are pretty bound together.

Martin



Re: [Freeipa-users] LDAP/SSSD/IPA performance

2014-05-23 Thread Bret Wortman

More soft/anecdotal:

When executing sudo -i or sudo -iu the first time, we can expect a 
several second delay before the command completes. If we then exit the 
session and re-execute the command, it will complete almost instantly. 
So whatever cache is holding this information, if we could increase its 
duration, that would certainly make our pain less. Is this a settable value?


Entering a password into a screensaver is particularly painful. 10+ 
seconds before the screensaver will exit.


We are looking at environmental possibilities, like interfaces and such. 
This machine is running on a VMware VM, but we've had success deploying 
IPA on VMs in the past, and our faster network is running VMs as well 
(with one physical box).



Bret


On 05/23/2014 08:15 AM, Bret Wortman wrote:
Collecting my various threads together under one big issue and adding 
this new data point:


Our web UI on our slow network is exhibiting some strange behavior as 
well.


When selecting, for example, the Users, it can take up to 5 seconds 
to fetch 20 out of our 56 entries.


When switching to Hosts, it took 4 seconds for the footer to show 
that there would be 47 pages in total, then after 10 seconds total, 
the page loaded 20 of 939 entries. When I select a host, the 
previously-selected host will actually be displayed for upwards of 
8-10 seconds (while the spinning cursor spins near the word Logout) 
until the host actually loads.


Is it just me, or does this, plus everything else, start to sound like 
LDAP is struggling?


I ran a test using ldapsearch in authenticated and unauthenticated 
mode from my workstation and here's what I found, which may tell us 
nothing:


# time ldapsearch -x -H -ldap://zsipa.foo.net 
base=uid=bretw,cn=users,cn=accounts,dc=foo,dc=net

:
real0m2.047s
user   0m0.000s
sys 0m0.001s
# time ldapsearch -Y GSSAPI -H ldap://zsipa.foo.net 
base=uid=bretw,cn=users,cn=accounts,dc=foo,dc=net

:
real0m2.816s
user   0m0.004s
sys 0m0.002s

When I did this locally on the ipa master:

# ssh zsipa.foo.net
# time ldapsearch -Y GSSAPI 
base=uid=bretw,cn=uses,cn=accounts,dc=foo,dc=net

:
real0m0.847s
user   0m0.007s
sys 0m0.006s
#


--
*Bret Wortman*

http://damascusgrp.com/
http://about.me/wortmanbret








Re: [Freeipa-users] Export user and host list to a csv or text file

2014-05-23 Thread Martin Kosek
Right, that's a good suggestion and should work in many use cases.

You will just miss attributes or modifications done inside FreeIPA server
framework plugins (e.g. conversion of DNS IDN name from punycode to unicode).

Martin

On 05/23/2014 02:39 PM, Chris Swingler wrote:
 Another alternative is to use Apache Directory Studio; it can dump most 
 objects out into a CSV, and you should be able to filter out only the data 
 you want. 
 
 On May 23, 2014, at 7:33 AM, Petr Vobornik pvobo...@redhat.com wrote:

 On 23.5.2014 14:02, Bret Wortman wrote:
 Is the Python API documented anywhere? I've looked around without success.

 Not yet.

 For now, you can use IPA CLI for inspection:

 CLI commands are basically API commands, where `_` is replaced by `-`.

 List objects:
  `ipa help topics`

 List object commands:
  `ipa help $object`, e.g., `ipa help user`

 List command CLI options and parameters:
  `ipa $command --help`, e.g., `ipa user-mod --help`

 Map command params and options names to API option names:
  `ipa show-mappings $command`, e.g., `ipa show-mappings user-add`

 More can be read from code or by observing Web UI communication in browser 
 developer tools - network tab.


 Then the python syntax is ~
 args = ['arg1', 'arg2']
 options = dict(option1=foo, option2=bar)
 api.Command['command_name'](*args, **options)

 HTH


 On 05/23/2014 07:54 AM, Martin Kosek wrote:
 On 05/23/2014 06:42 AM, Sanju A wrote:
 Dear All,

 Is there any command to export the user and host list to a csv or
 text format
 There is no such command out of the shelf, I would personally just
 write a
 short Python script to export the hosts (or anything else) in a format
 I need.

 Example for host:

 ~
 #!/usr/bin/python2

 from ipalib import api
 api.bootstrap(context='exporter', debug=False)
 api.finalize()
 api.Backend.xmlclient.connect()

 hosts = api.Command['host_find']()['result']

 for host in hosts:
print host['fqdn'][0]
 ~

 This will print one host for each new line.

 Martin
 -- 
 Petr Vobornik



Re: [Freeipa-users] Wildcard DNS record supported ?

2014-05-23 Thread Petr Spacek

On 23.5.2014 15:46, Martin Kosek wrote:

On 05/23/2014 03:44 PM, Petr Spacek wrote:

On 23.5.2014 13:59, Matt . wrote:

Hi Martin,

I have seen it indeed and discussed it on #freeipa

Is it not possible to install bind-dyndb-ldap 4.0 manually on CentOS 6.5 ?


In theory yes, but nobody tested that.

Please note that new bind-dyndb-ldap will allow you to use wildcards but you
will have to use LDAP editor to add wildcard records manually. Old FreeIPA
will refuse to add wildcard records (because the validator is not inside
bind-dyndb-ldap but inside FreeIPA).

Anyway, feel free to download
http://kojipkgs.fedoraproject.org//packages/bind-dyndb-ldap/4.3/1.fc20/src/bind-dyndb-ldap-4.3-1.fc20.src.rpm

and rebuild it on CentOS 6.5.

You will have to lower required version of BIND in SPEC file. Please note that
it is completely untested.

Let me know if you have any further questions.

Petr Spacek


Wouldn't Matt also need to rebuild BIND and its libraries? bind-dyndb-ldap and
BIND are pretty bound together.


AFAIK rebuilding bind-dyndb-ldap should be enough. Bind-dyndb-ldap 4.x is not 
tested with BIND < 9.9.x but it could work, in theory...


--
Petr^2 Spacek



Re: [Freeipa-users] Wildcard DNS record supported ?

2014-05-23 Thread Matt .
OK, but I wonder where I can remove that * check in IPA... it must be
somewhere in a template I think.


2014-05-23 15:50 GMT+02:00 Petr Spacek pspa...@redhat.com:

 On 23.5.2014 15:46, Martin Kosek wrote:

 On 05/23/2014 03:44 PM, Petr Spacek wrote:

 On 23.5.2014 13:59, Matt . wrote:

 Hi Martin,

 I have seen it indeed and discussed it on #freeipa

 Is it not possible to install bind-dyndb-ldap 4.0 manually on CentOS
 6.5 ?


 In theory yes, but nobody tested that.

 Please note that new bind-dyndb-ldap will allow you to use wildcards but
 you
 will have to use LDAP editor to add wildcard records manually. Old
 FreeIPA
 will refuse to add wildcard records (because the validator is not inside
 bind-dyndb-ldap but inside FreeIPA).

 Anyway, feel free to download
 http://kojipkgs.fedoraproject.org//packages/bind-dyndb-ldap/
 4.3/1.fc20/src/bind-dyndb-ldap-4.3-1.fc20.src.rpm

 and rebuild it on CentOS 6.5.

 You will have to lower required version of BIND in SPEC file. Please
 note that
 it is completely untested.

 Let me know if you have any further questions.

 Petr Spacek


 Wouldn't Matt also need to rebuild BIND and its libraries?
 bind-dyndb-ldap and
 BIND are pretty bound together.


 AFAIK rebuilding bind-dyndb-ldap should be enough. Bind-dyndb-ldap 4.x is
 not tested with BIND < 9.9.x but it could work, in theory...

 --
 Petr^2 Spacek



Re: [Freeipa-users] LDAP/SSSD/IPA performance

2014-05-23 Thread Jakub Hrozek
On Fri, May 23, 2014 at 09:48:00AM -0400, Bret Wortman wrote:
 More soft/anecdotal:
 
 When executing sudo -i or sudo -iu the first time, we can expect
 a several second delay before the command completes. If we then exit
 the session and re-execute the command, it will complete almost
 instantly. So whatever cache is holding this information, if we
 could increase its duration, that would certainly make our pain
 less. Is this a settable value?
 
 Entering a password into a screensaver is particularly painful. 10+
 seconds before the screensaver will exit.
 
 We are looking at environmental possibilities, like interfaces and
 such. This machine is running on a VMware VM, but we've had success
 deploying IPA on VMs in the past, and our faster network is running
 VMs as well (with one physical box).

Can you try increasing this option:

   pam_id_timeout (integer)
   For any PAM request while SSSD is online, the SSSD will attempt to
   immediately update the cached identity information for the user in
   order to ensure that authentication takes place with the latest
   information.

   A complete PAM conversation may perform multiple PAM requests, such
   as account management and session opening. This option controls (on
   a per-client-application basis) how long (in seconds) we can cache
   the identity information to avoid excessive round-trips to the
   identity provider.

   Default: 5



Re: [Freeipa-users] LDAP/SSSD/IPA performance

2014-05-23 Thread Jakub Hrozek
On Fri, May 23, 2014 at 04:03:44PM +0200, Jakub Hrozek wrote:
 On Fri, May 23, 2014 at 09:48:00AM -0400, Bret Wortman wrote:
  More soft/anecdotal:
  
  When executing sudo -i or sudo -iu the first time, we can expect
  a several second delay before the command completes. If we then exit
  the session and re-execute the command, it will complete almost
  instantly. So whatever cache is holding this information, if we
  could increase its duration, that would certainly make our pain
  less. Is this a settable value?
  
  Entering a password into a screensaver is particularly painful. 10+
  seconds before the screensaver will exit.
  
  We are looking at environmental possibilities, like interfaces and
  such. This machine is running on a VMware VM, but we've had success
  deploying IPA on VMs in the past, and our faster network is running
  VMs as well (with one physical box).
 
 Can you try increasing this option:
 
pam_id_timeout (integer)
For any PAM request while SSSD is online, the SSSD will attempt to
immediately update the cached identity information for the user in
order to ensure that authentication takes place with the latest
information.
 
A complete PAM conversation may perform multiple PAM requests, such
as account management and session opening. This option controls (on
a per-client-application basis) how long (in seconds) we can cache
the identity information to avoid excessive round-trips to the
identity provider.
 
Default: 5

I should also have explicitly said that the option belongs to the [pam]
section.



Re: [Freeipa-users] LDAP/SSSD/IPA performance

2014-05-23 Thread Bret Wortman
I assumed. It obviously hasn't helped our sudo situation, but I wouldn't 
expect it to. I'll let you know how it plays against screensavers and such.


On 05/23/2014 10:05 AM, Jakub Hrozek wrote:

On Fri, May 23, 2014 at 04:03:44PM +0200, Jakub Hrozek wrote:

On Fri, May 23, 2014 at 09:48:00AM -0400, Bret Wortman wrote:

More soft/anecdotal:

When executing sudo -i or sudo -iu the first time, we can expect
a several second delay before the command completes. If we then exit
the session and re-execute the command, it will complete almost
instantly. So whatever cache is holding this information, if we
could increase its duration, that would certainly make our pain
less. Is this a settable value?

Entering a password into a screensaver is particularly painful. 10+
seconds before the screensaver will exit.

We are looking at environmental possibilities, like interfaces and
such. This machine is running on a VMware VM, but we've had success
deploying IPA on VMs in the past, and our faster network is running
VMs as well (with one physical box).

Can you try increasing this option:

pam_id_timeout (integer)
For any PAM request while SSSD is online, the SSSD will attempt to
immediately update the cached identity information for the user in
order to ensure that authentication takes place with the latest
information.

A complete PAM conversation may perform multiple PAM requests, such
as account management and session opening. This option controls (on
a per-client-application basis) how long (in seconds) we can cache
the identity information to avoid excessive round-trips to the
identity provider.

Default: 5

I should also have explicitly said that the option belongs to the [pam]
section.

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Re: [Freeipa-users] Getting Samba3 and FreeIPAv3 working together

2014-05-23 Thread Dylan Evans
Hi Sumit and Petr,

Thanks both of you for your replies, I've now got to go and try to
implement all your suggestions but I have some more questions, sorry!
The guide at techslaves was fine, I just got stuck with the changes in
the JavaScript packages and the Samba server questions.

1. Petr, I put your samba.js plugin into
/usr/share/ipa/ui/js/plugins/samba but you'll have to pardon my lack
of JS knowledge, anything more than simple Bash scripts tends to leave
me confused! Do I need to do anything else apart from restart the IPA
service? I read your info at
http://pvoborni.fedorapeople.org/doc/#!/guide/Plugins which says the
plugins have to be registered, but I couldn't work out if it's a
manual process or if it's done by /usr/share/ipa/wsgi/plugins.py on
restart? I'll add the relevant bits to /usr/share/ipa/wsgi/plugins.py
for the CLI as well.

2. Sumit, thanks for the info on Samba, I'll have to leave that now
and try it next week. BTW, the version of Samba I'm testing against is
3.6.9-168 on CentOS 6.5.

Thanks again for your information and patience,

Dylan.

On 22 May 2014 14:19, Petr Vobornik pvobo...@redhat.com wrote:
 On 22.5.2014 14:19, Sumit Bose wrote:

 On Tue, May 20, 2014 at 02:00:18PM +0100, Dylan Evans wrote:

 Hello,

 I need some help with getting Samba and FreeIPA working together.

 I’ve been following the guide at
 http://techslaves.org/2011/08/24/freeipa-and-samba-3-integration but
 that seems quite out of date for IPAv3 and I need some help:


 yes, it is a bit outdated but still useful. Please note that we are
 currently working on making the integration of Samba easier. Recently
 I sent a patch to the samba-technical mailing list with a library which
 would allow Samba to use SSSD instead of winbind to look up users and
 SID-to-name mapping. Alexander is planning to go through the ipasam
 module to see how to make integration with Samba file servers easier.

 But coming back to your questions.


 1.   The guide deals with setting a Samba server SID for one Samba
 server, but as we have multiple stand-alone Samba3 servers, which SID
 do I use to create the DNA plugin? Can I enter more than 1 SID? Can I
 have more than 1 plugin (seems unlikely)?


 'net getlocalsid' returns the domain SID and since all your Samba
 file servers are members of the IPA domain you can use a common SID here.

 With IPAv3 SID generation for users and groups is even easier because
 you can get it for free by running ipa-adtrust-install (please use the
 option --add-sids) if you already have users and groups in your IPA
 server. This prepares the IPA server to be able to create trust
 relationships to Active Directory and one requirement here is that all
 users and groups have a SID.

 'ipa-adtrust-install' will also create a domain SID. 'ipa
 trustconfig-show' will show the domain SID together with the DNS domain
 name and the NetBIOS domain name. On your Samba server you should set
 'workgroup' to the NetBIOS domain name (see 'net conf list' on the IPA
 server after running ipa-adtrust-install for a config example).

 Additionally on your Samba servers you have to set the domain SID in
 /var/lib/samba/private/secrets.tdb with tdbtool. You will need 3
 keys with the same SID:

 SECRETS/SID/DOMNETBIOS  - NetBIOS domain name, workgroup in smb.conf
 SECRETS/SID/DNS.DOMAIN.NAME - DNS domain name, will match realm in
 smb.conf
 SECRETS/SID/CLINETBIOS  - NetBIOS name of the client, 'netbios name' in
 smb.conf

 The SID has to be given in a special binary format. The easiest way to
 get it is to call 'tdbdump /var/lib/samba/private/secrets.tdb' on the
 IPA server after running ipa-adtrust-install. The domain SID will always
 start with \01\04\00\00\00\00\00\05\15\... . You can use this sequence
 as data for the insert command of tdbtool.

 Now everything should be done with respect to SID handling.


 2.   There’s no “/usr/share/ipa/ui/group.js” file to patch in
 IPAv3. What do I need to patch instead?

 I’ve seen ticket https://fedorahosted.org/freeipa/ticket/3999 , which
 shows the need is there but I could do with getting it working ASAP.


 group.js is compiled with the other UI files in
 /usr/share/ipa/ui/js/freeipa/app.js (see
 install/ui/doc/guides/debugging_web_ui/README.md in the FreeIPA sources
 for details). For your convenience I copied some section here:

 The compiled Web UI layer is located in the
 `/usr/share/ipa/ui/js/freeipa/app.js` file. One can copy files from the
 source git repository in the `install/ui/src/freeipa/` directory to the
 `/usr/share/ipa/ui/js/freeipa/` directory (it will replace the `app.js`
 file). By doing that, the next reload of the Web UI will use the source files
 (clearing the browser cache may be required). After that all JavaScript
 errors will contain the proper source file name and line number.


 Better approach is to create a custom UI plugin which would add those
 fields. Since it's only 3 fields, I create an example 

Re: [Freeipa-users] Wildcard DNS record supported ?

2014-05-23 Thread Dmitri Pal

On 05/23/2014 09:52 AM, Matt . wrote:
OK, but I wonder where I can remove that * check in IPA... it must be 
somewhere in a template I think.


You mean you want to contribute to the IPA code to change the validator 
to allow wildcard support and are looking for a pointer to the code?





2014-05-23 15:50 GMT+02:00 Petr Spacek pspa...@redhat.com:


On 23.5.2014 15:46, Martin Kosek wrote:

On 05/23/2014 03:44 PM, Petr Spacek wrote:

On 23.5.2014 13:59, Matt . wrote:

Hi Martin,

I have seen it indeed and discussed it on #freeipa

Is it not possible to install bind-dyndb-ldap 4.0
manually on CentOS 6.5 ?


In theory yes, but nobody tested that.

Please note that new bind-dyndb-ldap will allow you to use
wildcards but you
will have to use an LDAP editor to add wildcard records
manually. Old FreeIPA
will refuse to add wildcard records (because the validator
is not inside
bind-dyndb-ldap but inside FreeIPA).

Anyway, feel free to download

http://kojipkgs.fedoraproject.org//packages/bind-dyndb-ldap/4.3/1.fc20/src/bind-dyndb-ldap-4.3-1.fc20.src.rpm

and rebuild it on CentOS 6.5.

You will have to lower required version of BIND in SPEC
file. Please note that
it is completely untested.

Let me know if you have any further questions.

Petr Spacek


Wouldn't Matt also need to rebuild BIND and its libraries?
bind-dyndb-ldap and
BIND are pretty bound together.


AFAIK rebuilding bind-dyndb-ldap should be enough. Bind-dyndb-ldap
4.x is not tested with BIND  9.9.x but it could work, in theory...

-- 
Petr^2 Spacek






--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Re: [Freeipa-users] LDAP/SSSD/IPA performance

2014-05-23 Thread Dmitri Pal

On 05/23/2014 10:03 AM, Bret Wortman wrote:


On 05/23/2014 09:53 AM, Mauricio Tavares wrote:




On Fri, May 23, 2014 at 9:48 AM, Bret Wortman 
bret.wort...@damascusgrp.com wrote:


More soft/anecdotal:

When executing sudo -i or sudo -iu the first time, we can
expect a several second delay before the command completes. If we
then exit the session and re-execute the command, it will
complete almost instantly. So whatever cache is holding this
information, if we could increase its duration, that would
certainly make our pain less. Is this a settable value?

Entering a password into a screensaver is particularly painful.
10+ seconds before the screensaver will exit.

We are looking at environmental possibilities, like interfaces
and such. This machine is running on a VMware VM, but we've had
success deploying IPA on VMs in the past, and our faster network
is running VMs as well (with one physical box).


Bret

  Did running sudo in debugging mode (SUDOERS_DEBUG  2 in 
ldap.conf) give you any more clues?



No. I compared the output on both networks and there's no real 
difference once I accounted for HBAC on one (which produced 2 entries 
on the slower network that got filtered down to 1 user match and 1 
host match). But the debug output was nearly identical.


Did you see any gaps in time in the logs that are different?
The flow can be the same but some operations can take longer so there 
would be a hint to us on what to look for.






On 05/23/2014 08:15 AM, Bret Wortman wrote:

Collecting my various threads together under one big issue and
adding this new data point:

Our web UI on our slow network is exhibiting some strange
behavior as well.

When selecting, for example, the Users, it can take up to 5
seconds to fetch 20 out of our 56 entries.

When switching to Hosts, it took 4 seconds for the footer to
show that there would be 47 pages in total, then after 10
seconds total, the page loaded 20 of 939 entries. When I select
a host, the previously-selected host will actually be displayed
for upwards of 8-10 seconds (while the spinning cursor spins
near the word Logout) until the host actually loads.

Is it just me, or does this, plus everything else, start to
sound like LDAP is struggling?

I ran a test using ldapsearch in authenticated and
unauthenticated mode from my workstation and here's what I
found, which may tell us nothing:

# time ldapsearch -x -H -ldap://zsipa.foo.net
base=uid=bretw,cn=users,cn=accounts,dc=foo,dc=net
:
real0m2.047s
user   0m0.000s
sys 0m0.001s
# time ldapsearch -Y GSSAPI -H ldap://zsipa.foo.net
base=uid=bretw,cn=users,cn=accounts,dc=foo,dc=net
:
real0m2.816s
user   0m0.004s
sys 0m0.002s

When I did this locally on the ipa master:

# ssh zsipa.foo.net
# time ldapsearch -Y GSSAPI
base=uid=bretw,cn=uses,cn=accounts,dc=foo,dc=net
:
real0m0.847s
user   0m0.007s
sys 0m0.006s
#


-- 
*Bret Wortman*


http://damascusgrp.com/
http://about.me/wortmanbret












--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Re: [Freeipa-users] LDAP/SSSD/IPA performance

2014-05-23 Thread Bret Wortman
All I saw was additional output when I ran the command. On the slower system, 
there was a one second lag, then a burst of activity, then a one second lag, 
then completion. I’ll do it again Monday and see what the logs show.

On May 23, 2014, at 2:44 PM, Dmitri Pal d...@redhat.com wrote:

 On 05/23/2014 10:03 AM, Bret Wortman wrote:
 
 On 05/23/2014 09:53 AM, Mauricio Tavares wrote:
 
 
 
 On Fri, May 23, 2014 at 9:48 AM, Bret Wortman 
 bret.wort...@damascusgrp.com wrote:
 More soft/anecdotal:
 
 When executing sudo -i or sudo -iu the first time, we can expect a 
 several second delay before the command completes. If we then exit the 
 session and re-execute the command, it will complete almost instantly. So 
 whatever cache is holding this information, if we could increase its 
 duration, that would certainly make our pain less. Is this a settable value?
 
 Entering a password into a screensaver is particularly painful. 10+ seconds 
 before the screensaver will exit.
 
 We are looking at environmental possibilities, like interfaces and such. 
 This machine is running on a VMware VM, but we've had success deploying IPA 
 on VMs in the past, and our faster network is running VMs as well (with one 
 physical box).
 
 
 Bret
 
   Did running sudo in debugging mode (SUDOERS_DEBUG  2 in ldap.conf) 
 give you any more clues?
 
 No. I compared the output on both networks and there's no real difference 
 once I accounted for HBAC on one (which produced 2 entries on the slower 
 network that got filtered down to 1 user match and 1 host match). But the 
 debug output was nearly identical.
 
 Did you see any gaps in time in the logs that are different?
 The flow can be the same but some operations can take longer so there would 
 be a hint to us on what to look for.
 
 
 
 On 05/23/2014 08:15 AM, Bret Wortman wrote:
 Collecting my various threads together under one big issue and adding this 
 new data point:
 
 Our web UI on our slow network is exhibiting some strange behavior as well.
 
 When selecting, for example, the Users, it can take up to 5 seconds to 
 fetch 20 out of our 56 entries.
 
 When switching to Hosts, it took 4 seconds for the footer to show that 
 there would be 47 pages in total, then after 10 seconds total, the page 
 loaded 20 of 939 entries. When I select a host, the previously-selected 
 host will actually be displayed for upwards of 8-10 seconds (while the 
 spinning cursor spins near the word Logout) until the host actually loads.
 
 Is it just me, or does this, plus everything else, start to sound like 
 LDAP is struggling?
 
 I ran a test using ldapsearch in authenticated and unauthenticated mode 
 from my workstation and here's what I found, which may tell us nothing:
 
 # time ldapsearch -x -H -ldap://zsipa.foo.net 
 base=uid=bretw,cn=users,cn=accounts,dc=foo,dc=net
 :
 real0m2.047s
 user   0m0.000s
 sys 0m0.001s
 # time ldapsearch -Y GSSAPI -H ldap://zsipa.foo.net 
 base=uid=bretw,cn=users,cn=accounts,dc=foo,dc=net
 :
 real0m2.816s
 user   0m0.004s
 sys 0m0.002s
 
 When I did this locally on the ipa master:
 
 # ssh zsipa.foo.net
 # time ldapsearch -Y GSSAPI 
 base=uid=bretw,cn=uses,cn=accounts,dc=foo,dc=net
 :
 real0m0.847s
 user   0m0.007s
 sys 0m0.006s
 #
 
 
 -- 
 Bret Wortman
 http://damascusgrp.com/
 http://about.me/wortmanbret
 
 
 
 
 
 -- 
 Thank you,
 Dmitri Pal
 
 Sr. Engineering Manager IdM portfolio
 Red Hat, Inc.

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Re: [Freeipa-users] weird behavior on centos 6

2014-05-23 Thread Carl E. Ma
Thanks for all your responses! Yes, the GSS proxy is not available on 
RHEL-6. For the time being, we can live with krb5_renewable_lifetime = 
365d.


For my own curiosity, what kind of debugging tips or recommendations 
are included in the BZ - https://bugzilla.redhat.com/show_bug.cgi?id=846109, 
which I can't access with a regular Red Hat Bugzilla account?


Thanks a lot,

carl


From: Rob Crittenden rcritten redhat com
To: dpal redhat com, freeipa-users redhat com
Subject: Re: [Freeipa-users] weird behavior on centos 6
Date: Thu, 15 May 2014 09:46:28 -0400

Dmitri Pal wrote:

On 05/14/2014 06:12 PM, Carl E. Ma wrote:

Hello,

Recently I realized our centos 6 freeipa clients hang randomly. With
some research, the issue is related to an autofs bug, which was mentioned
a year ago - Automount fails for IPA user when kerberos ticket is
expired, ssh hangs (https://fedorahosted.org/freeipa/ticket/2980).
This ticket was closed with comment - closed defect: invalid.

My workaround is extending ticket_lifetime to 24h and renew_lifetime
to 365d. I wonder whether there is a better solution or some insight into
this bug.

Thanks,

carl


Read about GSS proxy.


I don't believe gss-proxy is available for RHEL-6 and backporting is 
unlikely.



The ticket is closed but the associated BZ is still open, 
https://bugzilla.redhat.com/show_bug.cgi?id=846109 and has some 
debugging tips and other recommendations.



rob




___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users


Re: [Freeipa-users] weird behavior on centos 6

2014-05-23 Thread Rob Crittenden
Carl E. Ma wrote:
 Thanks for all your responses! Yes, the GSS proxy is not available on
 RHEL-6. For the time being, we can live with krb5_renewable_lifetime =
 365d.
 
 For my own curiosity, what kind of debugging tips or recommendations
 are included in the BZ - https://bugzilla.redhat.com/show_bug.cgi?id=846109,
 which I can't access with a regular Red Hat Bugzilla account?
 
 Thanks a lot,
 

Probably the easiest way to get more information about where
the problem is occurring is to get an autofs debug log during
the test procedure.

I see you already have LOGGING=debug in your autofs
configuration so all that needs to be done is ensure syslog
is sending daemon level log messages to the log. I usually
just add a line like:

*.daemon   /var/log/daemon

to the syslog configuration. I always touch /var/log/daemon
before restarting syslog as a matter of habit. I don't know if
rsyslog will create the log file if it doesn't already exist.

Basically, if we don't see a second mount request in the log
at all then the issue is occurring before the login process is
attempting to access the home directory. If we do see such a
request then we may be able to see where autofs blocks (if it
does block) such as when calling mount(8) (although more likely
mount.nfs(8)).

rob

 carl
 
 
 From: Rob Crittenden rcritten redhat com
 To: dpal redhat com, freeipa-users redhat com
 Subject: Re: [Freeipa-users] weird behavior on centos 6
 Date: Thu, 15 May 2014 09:46:28 -0400
 
 Dmitri Pal wrote:
 
 On 05/14/2014 06:12 PM, Carl E. Ma wrote:
 
 Hello,
 
 Recently I realized our centos 6 freeipa clients hang randomly.
 With some research, the issue is related to an autofs bug, which was
 mentioned a year ago - Automount fails for IPA user when kerberos ticket is
 expired, ssh hangs (https://fedorahosted.org/freeipa/ticket/2980).
 This ticket was closed with comment - closed defect: invalid.
 
 My workaround is extending ticket_lifetime to 24h and renew_lifetime
 to 365d. I wonder whether there is a better solution or some insight into
 this bug.
 
 Thanks,
 
 carl
 
 
 Read about GSS proxy.
 
 
 I don't believe gss-proxy is available for RHEL-6 and backporting is
 unlikely.
 
 
 The ticket is closed but the associated BZ is still open,
 https://bugzilla.redhat.com/show_bug.cgi?id=846109 and has some
 debugging tips and other recommendations.
 
 
 rob
 
 
 
 

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users


Re: [Freeipa-users] Wildcard DNS record supported ?

2014-05-23 Thread Matt .
Indeed!


2014-05-23 20:33 GMT+02:00 Dmitri Pal d...@redhat.com:

  On 05/23/2014 09:52 AM, Matt . wrote:

 OK, but I wonder where I can remove that * check in IPA... it must be
 somewhere in a template I think.


 You mean you want to contribute to the IPA code to change the validator to
 allow wildcard support and are looking for a pointer to the code?




 2014-05-23 15:50 GMT+02:00 Petr Spacek pspa...@redhat.com:

 On 23.5.2014 15:46, Martin Kosek wrote:

 On 05/23/2014 03:44 PM, Petr Spacek wrote:

 On 23.5.2014 13:59, Matt . wrote:

 Hi Martin,

 I have seen it indeed and discussed it on #freeipa

 Is it not possible to install bind-dyndb-ldap 4.0 manually on CentOS
 6.5 ?


 In theory yes, but nobody tested that.

 Please note that new bind-dyndb-ldap will allow you to use wildcards
 but you
 will have to use an LDAP editor to add wildcard records manually. Old
 FreeIPA
 will refuse to add wildcard records (because the validator is not inside
 bind-dyndb-ldap but inside FreeIPA).

 Anyway, feel free to download

 http://kojipkgs.fedoraproject.org//packages/bind-dyndb-ldap/4.3/1.fc20/src/bind-dyndb-ldap-4.3-1.fc20.src.rpm

 and rebuild it on CentOS 6.5.

 You will have to lower required version of BIND in SPEC file. Please
 note that
 it is completely untested.

 Let me know if you have any further questions.

 Petr Spacek


 Wouldn't Matt also need to rebuild BIND and its libraries?
 bind-dyndb-ldap and
 BIND are pretty bound together.


 AFAIK rebuilding bind-dyndb-ldap should be enough. Bind-dyndb-ldap 4.x
 is not tested with BIND  9.9.x but it could work, in theory...

 --
 Petr^2 Spacek





 --
 Thank you,
 Dmitri Pal

 Sr. Engineering Manager IdM portfolio
 Red Hat, Inc.



___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users