Re: [Freeipa-users] PTR record not adding to IPA DNS

2015-08-14 Thread Yogesh Sharma
Forward zone: initd.int
Reverse: 32.16.172.in-addr.arpa.
CIDR of our DHCP: 172.16.32.0/20

*Best Regards,*

*__*

*Yogesh Sharma*
*Email: yks0...@gmail.com | Web: www.initd.in*

*RHCE, VCE-CIA, RACKSPACE CLOUD U Certified*

https://www.fb.com/yks   http://in.linkedin.com/in/yks
https://twitter.com/checkwithyogesh
http://google.com/+YogeshSharmaOnGooglePlus

On Fri, Aug 14, 2015 at 3:45 PM, Martin Basti mba...@redhat.com wrote:



 On 08/14/2015 12:07 PM, Yogesh Sharma wrote:

 Hi,

 Upon client registration , PTR records are not getting added to reverse
 Zone in IPA DNS.




 Hello,

 Please provide more info about configuration of zones.


-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] PTR record not adding to IPA DNS

2015-08-14 Thread Martin Basti



On 08/14/2015 12:57 PM, Yogesh Sharma wrote:

Forward zone: initd.int
Reverse: 32.16.172.in-addr.arpa.

CIDR of our DHCP: 172.16.32.0/20

Please paste here output of following commands:

ipa dnszone-show initd.int --all

ipa dnszone-show 32.16.172.in-addr.arpa --all



Re: [Freeipa-users] PTR record not adding to IPA DNS

2015-08-14 Thread Yogesh Sharma
Please find the output:

ipa dnszone-show initd.int --all


  dn: idnsname=initd.int.,cn=dns,dc=initd,dc=int
  Zone name: initd.int.
  Active zone: TRUE
  Authoritative nameserver: ipa-inf-prd-ng2-01.initd.int.
  Administrator e-mail address: hostmaster.initd.int.
  SOA serial: 1439547047
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  BIND update policy: grant initd.INT krb5-self * A; grant initd.INT krb5-self * ; grant initd.INT krb5-self * SSHFP;
  Dynamic update: TRUE
  Allow query: any;
  Allow transfer: none;
  nsrecord: ipa-inf-prd-ng2-01.initd.int.
  objectclass: idnszone, top, idnsrecord



  dn: idnsname=32.16.172.in-addr.arpa.,cn=dns,dc=initd,dc=int
  Zone name: 32.16.172.in-addr.arpa.
  Active zone: TRUE
  Authoritative nameserver: ipa-inf-prd-ng2-01.initd.int.
  Administrator e-mail address: hostmaster.initd.int.
  SOA serial: 1439543674
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  BIND update policy: grant initd.INT krb5-subdomain 32.16.172.in-addr.arpa. PTR;
  Dynamic update: TRUE
  Allow query: any;
  Allow transfer: none;
  nsrecord: ipa-inf-prd-ng2-01.initd.int.
  objectclass: idnszone, top, idnsrecord



Re: [Freeipa-users] PTR record not adding to IPA DNS

2015-08-14 Thread Martin Basti



On 08/14/2015 01:13 PM, Yogesh Sharma wrote:

Please find the output:

ipa dnszone-show initd.int --all


dn: idnsname=initd.int.,cn=dns,dc=initd,dc=int
Zone name: initd.int.
Active zone: TRUE
Authoritative nameserver: ipa-inf-prd-ng2-01.initd.int.
Administrator e-mail address: hostmaster.initd.int.

SOA serial: 1439547047
SOA refresh: 3600
SOA retry: 900
SOA expire: 1209600
SOA minimum: 3600
BIND update policy: grant initd.INT krb5-self * A; grant initd.INT krb5-self * ; grant initd.INT krb5-self * SSHFP;

Dynamic update: TRUE
Allow query: any;
Allow transfer: none;
nsrecord: ipa-inf-prd-ng2-01.initd.int.

objectclass: idnszone, top, idnsrecord



I don't see this line in the output of initd.int:
Allow PTR sync: TRUE

Did you enable synchronization of PTR records?


ipa dnszone-mod initd.int --allow-sync-ptr=TRUE

Martin


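Added example (not code from the thread or from FreeIPA): a Python script that parses the text `ipa dnszone-show ZONE --all` prints and reports the conditions a client's PTR record depends on, the missing "Allow PTR sync: TRUE" line Martin points at among them. It goes one step beyond the thread: the DHCP range posted is 172.16.32.0/20 while the reverse zone posted is the /24 32.16.172.in-addr.arpa., so it also lists the /24s of that range that no existing reverse zone covers. The zone outputs embedded below are constructed to mirror what was posted; the AAAA grant is an assumption.

```python
"""Offline checks for the "PTR record not added" symptom in this thread.

Added example, not code from the thread or from FreeIPA. It parses the
text printed by `ipa dnszone-show ZONE --all` and reports what a client's
PTR record depends on: PTR sync on the forward zone, dynamic updates with
a PTR grant on the reverse zone, and a reverse zone that actually covers
the client's address.
"""
import ipaddress

# Constructed sample modelled on the forward zone posted in the thread
# (no "Allow PTR sync" line). The AAAA grant is an assumption.
FORWARD_ZONE_SHOW = """\
  Zone name: initd.int.
  Active zone: TRUE
  Authoritative nameserver: ipa-inf-prd-ng2-01.initd.int.
  BIND update policy: grant initd.INT krb5-self * A; grant initd.INT krb5-self * AAAA; grant initd.INT krb5-self * SSHFP;
  Dynamic update: TRUE
  Allow query: any;
  Allow transfer: none;
"""

# Constructed sample modelled on the reverse zone posted in the thread.
REVERSE_ZONE_SHOW = """\
  Zone name: 32.16.172.in-addr.arpa.
  Active zone: TRUE
  BIND update policy: grant initd.INT krb5-subdomain 32.16.172.in-addr.arpa. PTR;
  Dynamic update: TRUE
  Allow query: any;
  Allow transfer: none;
"""

DHCP_CIDR = "172.16.32.0/20"   # the DHCP range posted in the thread


def parse_dnszone_show(text):
    """Map the 'Key: value' lines of `ipa dnszone-show --all` to a dict."""
    attrs = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition(": ")
        if sep:
            attrs[key] = value.strip()
    return attrs


def reverse_name(ip):
    """Fully qualified in-addr.arpa name of one address."""
    return ipaddress.IPv4Address(ip).reverse_pointer + "."


def reverse_zone_for(ip):
    """Name of the /24 in-addr.arpa zone that would hold the PTR for ip."""
    return reverse_name(ip).split(".", 1)[1]


def covered_by(zone_names, ip):
    """True if some existing reverse zone is a suffix of ip's reverse name."""
    name = reverse_name(ip)
    return any(name.endswith("." + z) for z in zone_names)


def uncovered_subnets(cidr, zone_names):
    """The /24s of the range that no existing reverse zone covers."""
    net = ipaddress.IPv4Network(cidr, strict=False)
    subs = [net] if net.prefixlen >= 24 else list(net.subnets(new_prefix=24))
    return [str(s) for s in subs if not covered_by(zone_names, s.network_address)]


def ptr_sync_findings(forward, reverse_zones, dhcp_cidr):
    """Reasons PTR records would not appear, or [] when everything lines up."""
    findings = []
    if forward.get("Allow PTR sync", "FALSE").upper() != "TRUE":
        findings.append(f"{forward['Zone name']}: 'Allow PTR sync' is not TRUE "
                        "(ipa dnszone-mod ZONE --allow-sync-ptr=TRUE)")
    if forward.get("Dynamic update", "FALSE").upper() != "TRUE":
        findings.append(f"{forward['Zone name']}: dynamic update is disabled")
    for rz in reverse_zones:
        if rz.get("Dynamic update", "FALSE").upper() != "TRUE":
            findings.append(f"{rz['Zone name']}: dynamic update is disabled")
        if "PTR" not in rz.get("BIND update policy", ""):
            findings.append(f"{rz['Zone name']}: update policy grants no PTR updates")
    zone_names = [rz["Zone name"] for rz in reverse_zones]
    for subnet in uncovered_subnets(dhcp_cidr, zone_names):
        findings.append(f"{subnet}: no reverse zone covers it "
                        f"(e.g. {reverse_zone_for(subnet.split('/')[0])})")
    return findings


if __name__ == "__main__":
    fwd = parse_dnszone_show(FORWARD_ZONE_SHOW)
    rev = [parse_dnszone_show(REVERSE_ZONE_SHOW)]
    for finding in ptr_sync_findings(fwd, rev, DHCP_CIDR):
        print(finding)
```

Run as-is it prints the PTR-sync finding plus the fifteen /24s of 172.16.32.0/20 that 32.16.172.in-addr.arpa. does not cover; paste real `ipa dnszone-show --all` output into the two strings to check a live setup. `ipa dnszone-mod initd.int --allow-sync-ptr=TRUE` clears the first finding; the others need an `ipa dnszone-add` per missing reverse zone (a single covering zone such as 16.172.in-addr.arpa. also satisfies the check), or a DHCP scope that fits the zones that exist.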

[Freeipa-users] first time web UI access?

2015-08-14 Thread Janelle
I am curious if anyone else ever sees a problem with first time IPA WEB 
UI access and the full screen not loading. It requires a reload 
sometimes once or twice to get it to load properly. Has anyone seen this 
before?


thank you
Janelle



Re: [Freeipa-users] Sudo Rule Not working with UserGroup

2015-08-14 Thread Jakub Hrozek
On Fri, Aug 14, 2015 at 07:05:48PM +0530, Yogesh Sharma wrote:
 Hi,
 
 We have moved to next step and working to configuring the Sudo Rule.
 
 When we add individual users to sudo rules, it works perfectly. However as
 soon as we add usergroup to sudo rules, It stop working.

I'm sorry, but it's not possible to help without seeing the logs.
In this case, the sudo logs.



Re: [Freeipa-users] IPA Server Replication Info

2015-08-14 Thread Jakub Hrozek
On Fri, Aug 14, 2015 at 02:11:10PM +0530, Yogesh Sharma wrote:
 Thanks Jakub.
 
 From your answer 2, would both DNS will work as Master if we use IPA DNS.

Well, you need to configure /etc/resolv.conf to point to the replica as
well.

btw resolv.conf typically supports up to three nameservers.



[Freeipa-users] Sudo Rule Not working with UserGroup

2015-08-14 Thread Yogesh Sharma
Hi,

We have moved to next step and working to configuring the Sudo Rule.

When we add individual users to sudo rules, it works perfectly. However as
soon as we add usergroup to sudo rules, It stop working.


[Freeipa-users] IPA Client Unattended Registration Issue

2015-08-14 Thread Yogesh Sharma
Hi,

We use Chef to perform the basic system setup once we launch new server.

We are updating our cookbook to include ipa-client-install once we run our
base cookbook via chef-client.

For unattended ipa-client installation, we are passing below parameters:


*ipa-client-install --server=ipa.initd.int --domain=initd.int --realm=INITD.INT --password=xx --mkhomedir --no-ntp --unattended*


However, we always get password incorrect error, though we are sure it is
correct:


Joining realm failed: Incorrect password.

Installation failed. Rolling back changes.
IPA client is not configured on this system.



Re: [Freeipa-users] reverse DNS lookup does not work

2015-08-14 Thread Martin Basti



On 08/11/2015 04:47 PM, Nikola Kržalić wrote:

reverse DNS lookup stopped working after I broke some replication
agreements (perhaps unrelated, but worth mentioning). Regular A
records resolve fine.
The records can be seen in LDAP (using ldapsearch with GSSAPI after
kinit -t /etc/named.keytab):

the zone:

# 0.63.10.in-addr.arpa., dns, ipa.example.net
dn: idnsname=0.63.10.in-addr.arpa.,cn=dns,dc=ipa,dc=example,dc=net
idnsUpdatePolicy: grant IPA.example.NET krb5-self * PTR; grant IPA.example.NET
   krb5-self * SSHFP;
idnsAllowDynUpdate: TRUE
idnsForwarders: 172.23.1.5
idnsAllowSyncPTR: TRUE
idnsSOAserial: 1439302482
idnsSOArName: hostmaster.ipa.example.net.
idnsZoneActive: TRUE
idnsSOAexpire: 1209600
nSRecord: ldap1.example.lan.
idnsSOAminimum: 3600
objectClass: idnszone
objectClass: top
objectClass: idnsrecord
idnsAllowTransfer: none;
idnsSOAretry: 900
idnsSOArefresh: 3600
idnsAllowQuery: any;
idnsName: 0.63.10.in-addr.arpa.
idnsSOAmName: ldap1.example.lan.

the entry:
# 68, 0.63.10.in-addr.arpa., dns, ipa.example.net
dn: idnsname=68,idnsname=0.63.10.in-addr.arpa.,cn=dns,dc=ipa,dc=example,dc=net
objectClass: top
objectClass: idnsrecord
cNAMERecord: ds02.example.lan.
idnsName: 68

but the reverse dns lookup fails anyway:

[root@ldap1 ~]# dig -x 10.63.0.68

; <<>> DiG 9.9.6-P1-RedHat-9.9.6-8.P1.fc21 <<>> -x 10.63.0.68
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 59911
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;68.0.63.10.in-addr.arpa. IN PTR

;; AUTHORITY SECTION:
10.in-addr.arpa. 86400 IN SOA 10.in-addr.arpa. . 0 28800 7200 604800 86400

;; Query time: 4 msec
;; SERVER: 172.23.1.5#53(172.23.1.5)
;; WHEN: Tue Aug 11 14:40:08 UTC 2015
;; MSG SIZE  rcvd: 87

[root@ldap1 ~]#

Any thoughts?


Hello,

It seems that DNS delegation doesn't work, or you asked a non-IPA DNS server.

Do you have the right server in resolv.conf? (dig sent the query to 172.23.1.5)

Do you have the reverse zone 10.in-addr.arpa. configured on IPA DNS, and does it
have proper delegation to the 0.63.10.in-addr.arpa zone?


Do you use IPA 3.x or IPA 4.x?
If 3.x, there might be an issue with forwarding, because the zone
0.63.10.in-addr.arpa works as a forward zone and forwards queries to
server 172.23.1.5, which returns NXDOMAIN for that zone.




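Added example (not code from the thread or from FreeIPA): a Python triage of the failing `dig -x` along the lines of Martin's questions. It parses the dig output, checks whether the answering server is the IPA DNS server at all, and, for an NXDOMAIN, compares the zone whose SOA came back with the zone that should hold the PTR (the question name minus its first label). The dig output embedded below is constructed to mirror the one posted; the IPA server's address is an assumed value.

```python
"""Triage a failing `dig -x`, following Martin's questions: which server
answered, and if it said NXDOMAIN, whose SOA came back with it?

Added example, not code from the thread or from FreeIPA. The dig output is
constructed to mirror the one posted; the IPA server's address is assumed.
"""
import re

IPA_DNS_SERVER = "10.63.0.10"   # assumed address of the IPA DNS server

# Constructed copy of the lookup posted in the thread.
DIG_OUTPUT = """\
; <<>> DiG 9.9.6-P1-RedHat-9.9.6-8.P1.fc21 <<>> -x 10.63.0.68
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 59911
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;68.0.63.10.in-addr.arpa. IN PTR

;; AUTHORITY SECTION:
10.in-addr.arpa. 86400 IN SOA 10.in-addr.arpa. . 0 28800 7200 604800 86400

;; Query time: 4 msec
;; SERVER: 172.23.1.5#53(172.23.1.5)
"""


def parse_dig(text):
    """Status, header flags, question name, SOA owner in AUTHORITY, and server."""
    d = {"status": None, "flags": [], "question": None, "soa_zone": None, "server": None}
    section = None
    for line in text.splitlines():
        if not line.strip():
            section = None          # a blank line ends the current section
            continue
        if line.startswith(";; ->>HEADER<<-"):
            m = re.search(r"status: (\w+)", line)
            d["status"] = m.group(1) if m else None
        elif line.startswith(";; flags:"):
            d["flags"] = line[len(";; flags:"):].split(";")[0].split()
        elif line.startswith(";; QUESTION SECTION:"):
            section = "question"
        elif line.startswith(";; AUTHORITY SECTION:"):
            section = "authority"
        elif line.startswith(";; SERVER:"):
            m = re.search(r"SERVER: ([^#\s]+)", line)
            d["server"] = m.group(1) if m else None
        elif section == "question" and line.startswith(";"):
            d["question"] = line[1:].split()[0]
        elif section == "authority" and not line.startswith(";"):
            fields = line.split()
            if len(fields) > 3 and fields[3] == "SOA":
                d["soa_zone"] = fields[0]
    return d


def diagnose(text, ipa_server):
    """Findings that explain an NXDOMAIN the way Martin's reply does."""
    d = parse_dig(text)
    findings = []
    if d["server"] != ipa_server:
        findings.append(f"answered by {d['server']}, not the IPA DNS server "
                        f"{ipa_server}: check /etc/resolv.conf")
        if "aa" in d["flags"]:
            findings.append("that server answered authoritatively (aa) from its "
                            "own data, so nothing was forwarded to IPA")
    if d["status"] == "NXDOMAIN" and d["soa_zone"] and d["question"]:
        expected_zone = d["question"].split(".", 1)[1]   # drop the host label
        if d["soa_zone"] != expected_zone:
            findings.append(f"the NXDOMAIN carries the SOA of {d['soa_zone']}, so that "
                            f"server has no delegation for {expected_zone}")
    return findings


if __name__ == "__main__":
    for f in diagnose(DIG_OUTPUT, IPA_DNS_SERVER):
        print(f)
```

For the posted output all three findings fire: the reply came from 172.23.1.5, it was authoritative, and the SOA is that of 10.in-addr.arpa. rather than 0.63.10.in-addr.arpa., which is exactly the "wrong server or no delegation" split Martin asks about. Pointing the same script at output from `dig @<ipa-server> -x 10.63.0.68` separates the two cases.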

Re: [Freeipa-users] IPA Client Unattended Registration Issue

2015-08-14 Thread Martin Basti



On 08/14/2015 10:54 AM, Martin Basti wrote:



Hello, please add --principal option

probably --principal admin

--password without --principal option requires bulk password
(ipa-client-install -h)


HTH
Martin
Or if you want to use bulk password, you must add host with bulk 
password before


[ipaserver]$ ipa host-add client.initd.int --password=bulkpassword
[client.initd.int]$ ipa-client-install  --password=bulkpassword

HTH
Martin




Re: [Freeipa-users] IPA Server Replication Info

2015-08-14 Thread Yogesh Sharma
Thanks Jakub.

From your answer 2, would both DNS will work as Master if we use IPA DNS.


On Fri, Aug 14, 2015 at 1:54 PM, Jakub Hrozek jhro...@redhat.com wrote:

 On Thu, Aug 13, 2015 at 09:46:42PM +0530, Yogesh Sharma wrote:
  Hi,
 
  I am working to setup a IPA Env in our Infra.
 
  1 . I would like to how IPA handles failover if Master Node goes down. Is
  sssd manage it?

 Yes. See man sssd-ipa, section failover.

 
  2. While the Master Node is down, can I register a client to replica
 server
  i.e. via AutoDiscovery as IPA does.

 Maybe the IPA developers would answer the other questions better, but my
 understanding is that since all IPA servers are masters, then this
 should be fine as long as you prevent replication conflicts.

 
  3. What if my Master Node does not came up ever due to system crash. In
  this case, if I create a new node , can I make it as master, if so what
  would happen to client which were already registered.

 The data is replicated..so yes, the clients are also replicated to other
 IPA servers..


Re: [Freeipa-users] IPA Server Replication Info

2015-08-14 Thread Jakub Hrozek
On Thu, Aug 13, 2015 at 09:46:42PM +0530, Yogesh Sharma wrote:
 Hi,
 
 I am working to setup a IPA Env in our Infra.
 
 1 . I would like to how IPA handles failover if Master Node goes down. Is
 sssd manage it?

Yes. See man sssd-ipa, section failover.

 
 2. While the Master Node is down, can I register a client to replica server
 i.e. via AutoDiscovery as IPA does.

Maybe the IPA developers would answer the other questions better, but my
understanding is that since all IPA servers are masters, then this
should be fine as long as you prevent replication conflicts.

 
 3. What if my Master Node does not came up ever due to system crash. In
 this case, if I create a new node , can I make it as master, if so what
 would happen to client which were already registered.

The data is replicated..so yes, the clients are also replicated to other
IPA servers..

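Added example (not code from the thread, FreeIPA or SSSD): a Python check of the two client-side settings this thread turns on for failover, /etc/resolv.conf (the replica has to be listed too, and glibc reads at most three nameserver lines, as Jakub notes) and the ipa_server list in sssd.conf that sssd-ipa fails over across. Both sample files are constructed; the addresses and host names are assumed values.

```python
"""Does a client survive the master going down? Two things to check, both
raised in this thread: /etc/resolv.conf (the replica must be listed too,
and glibc reads at most three nameserver lines) and SSSD's server list.

Added example, not code from the thread, FreeIPA or SSSD. Both sample
files are constructed; addresses and host names are assumed values.
"""
import configparser

MAXNS = 3   # glibc resolver limit on nameserver entries

# Constructed: a client that only knows the first master.
RESOLV_CONF = """\
search initd.int
nameserver 172.16.32.5
"""

SSSD_CONF = """\
[sssd]
domains = initd.int
services = nss, pam, ssh, sudo

[domain/initd.int]
id_provider = ipa
ipa_domain = initd.int
ipa_server = ipa-inf-prd-ng2-01.initd.int
"""


def nameservers(resolv_text):
    """Addresses from the nameserver lines, in the order the resolver tries them."""
    out = []
    for line in resolv_text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            out.append(parts[1])
    return out


def ipa_servers(sssd_text, domain):
    """Comma-separated ipa_server list; an unset option means SRV discovery."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(sssd_text)
    raw = cp.get(f"domain/{domain}", "ipa_server", fallback="_srv_")
    return [s.strip() for s in raw.split(",") if s.strip()]


def failover_findings(resolv_text, sssd_text, domain):
    """Reasons the client would lose DNS or IPA when the listed master dies."""
    findings = []
    ns = nameservers(resolv_text)
    if len(ns) < 2:
        findings.append("resolv.conf lists a single nameserver; add the replica")
    elif len(ns) > MAXNS:
        findings.append(f"resolv.conf lists {len(ns)} nameservers; "
                        f"only the first {MAXNS} are used")
    servers = ipa_servers(sssd_text, domain)
    if "_srv_" not in servers and len(servers) < 2:
        findings.append("sssd.conf pins one ipa_server without _srv_; "
                        "SSSD cannot fail over")
    return findings


if __name__ == "__main__":
    for f in failover_findings(RESOLV_CONF, SSSD_CONF, "initd.int"):
        print(f)
```

With the constructed files both findings fire. Listing the replica as a second nameserver and setting `ipa_server = _srv_, ipa-inf-prd-ng2-01.initd.int` (SRV discovery first, the named server as a fallback) clears them; sssd-ipa also accepts an `ipa_backup_server` list for servers to try only after every primary has failed.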


Re: [Freeipa-users] IPA Client Unattended Registration Issue

2015-08-14 Thread Martin Basti



On 08/14/2015 10:12 AM, Yogesh Sharma wrote:

Hi,

We use Chef to perform the basic system setup once we launch new server.

We are updating our cookbook to include ipa-client-install once we run 
our base cookbook via chef-client.


For unattended ipa-client installation, we are passing below parameters:


/ipa-client-install --server=ipa.initd.int --domain=initd.int --realm=INITD.INT --password=xx --mkhomedir --no-ntp --unattended/



However, we always get password incorrect error, though we are sure it 
is correct:



Joining realm failed: Incorrect password.

Installation failed. Rolling back changes.
IPA client is not configured on this system.


Hello, please add --principal option

probably --principal admin

--password without --principal option requires bulk password
(ipa-client-install -h)


HTH
Martin



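Added example (not code from the thread or from FreeIPA), covering both of Martin's options in this thread: it builds the `ipa host-add FQDN --password=...` and `ipa-client-install --password=...` commands with a fresh random one-time password per host, so a Chef cookbook never has to carry an admin password and `--principal`, and it refuses to emit a client command that does. Host, server and domain names are assumed values; the realm check assumes the default naming (realm is the upper-cased domain), which is what the thread's command uses.

```python
"""Unattended ipa-client-install with a per-host one-time password.

Added example, not code from the thread or from FreeIPA. It builds the two
commands Martin describes (`ipa host-add FQDN --password=...` on a server,
`ipa-client-install --password=...` on the client) with a fresh random
one-time password per host, so the Chef cookbook never has to carry an
admin password and `--principal`. Host, server and domain names below
are assumed values.
"""
import secrets
import shlex

# Options that mean "authenticate as a user", which is what the thread's
# failing command did implicitly by giving --password without --principal.
USER_CREDENTIAL_OPTIONS = {"--principal"}


def new_enrollment_otp(nbytes=24):
    """Random one-time password; the host entry keeps it only until the join."""
    return secrets.token_urlsafe(nbytes)


def host_add_cmd(fqdn, otp):
    """Server side (run with an enrolling identity): pre-create the host."""
    return ["ipa", "host-add", fqdn, f"--password={otp}"]


def client_install_cmd(fqdn, server, domain, realm, otp,
                       mkhomedir=True, ntp=False):
    """Client side: join with the one-time password, no user principal."""
    if not fqdn.endswith("." + domain):
        raise ValueError(f"{fqdn} is not a host inside {domain}")
    if realm != domain.upper():   # default ipa-server-install naming, assumed here
        raise ValueError(f"realm {realm} does not match domain {domain}")
    cmd = ["ipa-client-install", f"--hostname={fqdn}", f"--server={server}",
           f"--domain={domain}", f"--realm={realm}", f"--password={otp}",
           "--unattended"]
    if mkhomedir:
        cmd.append("--mkhomedir")
    if not ntp:
        cmd.append("--no-ntp")
    return cmd


def uses_user_credential(cmd):
    """True if a client command would carry a user (e.g. admin) credential."""
    return any(arg.split("=", 1)[0] in USER_CREDENTIAL_OPTIONS for arg in cmd)


def plan_enrollment(fqdn, server, domain, realm):
    """Return (server_cmd, client_cmd) sharing one fresh one-time password."""
    otp = new_enrollment_otp()
    server_cmd = host_add_cmd(fqdn, otp)
    client_cmd = client_install_cmd(fqdn, server, domain, realm, otp)
    if uses_user_credential(client_cmd):
        raise RuntimeError("client command must not carry a user credential")
    return server_cmd, client_cmd


def render(cmd):
    """Shell-quoted form for a recipe or an execute resource."""
    return shlex.join(cmd)


if __name__ == "__main__":
    server_cmd, client_cmd = plan_enrollment(
        "client01.initd.int", "ipa.initd.int", "initd.int", "INITD.INT")
    print("[ipaserver]$", render(server_cmd))
    print("[client01]$ ", render(client_cmd))
```

The server-side command runs once per host under whatever identity provisions hosts (`ipa host-add --random` would let the server generate the password instead and print it back); the client-side command is the one the cookbook ships, and the only secret in it is a password that stops working the moment the host has joined.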

Re: [Freeipa-users] Sudo Rule Not working with UserGroup

2015-08-14 Thread Yogesh Sharma
It has started working. Not sure what happened, but seems to be issue with
cache time out again.

Thanks Jakub. I will update more if I am able to replicate the issue again.


On Fri, Aug 14, 2015 at 7:12 PM, Jakub Hrozek jhro...@redhat.com wrote:

 On Fri, Aug 14, 2015 at 07:05:48PM +0530, Yogesh Sharma wrote:
  Hi,
 
  We have moved to next step and working to configuring the Sudo Rule.
 
  When we add individual users to sudo rules, it works perfectly. However
 as
  soon as we add usergroup to sudo rules, It stop working.

 I'm sorry, but it's not possible to help without seeing the logs.
 In this case, the sudo logs.


Re: [Freeipa-users] IPA Server Replication Info

2015-08-14 Thread Yogesh Sharma
Okay. So both the DNS is Master.

Thanks Jakub, this can be closed.


On Fri, Aug 14, 2015 at 7:17 PM, Jakub Hrozek jhro...@redhat.com wrote:

 On Fri, Aug 14, 2015 at 02:11:10PM +0530, Yogesh Sharma wrote:
  Thanks Jakub.
 
  From your answer 2, would both DNS will work as Master if we use IPA DNS.

 Well, you need to configure /etc/resolv.conf to point to the replica as
 well.

 btw resolv.conf typically supports up to three nameservers.


Re: [Freeipa-users] users- ssh keys self service

2015-08-14 Thread Prasun Gera
Did you try the */ipa/migration/*  url for migrated users ?

On Fri, Aug 14, 2015 at 3:38 AM, Petr Vobornik pvobo...@redhat.com wrote:

 On 08/13/2015 09:25 PM, Janelle wrote:

 AHA!!!

 The problem is found, but the solution eludes me.
 Any user migrated in compat mode has the problem. NEW users do not.
 Thoughts? Ideas? troubleshooting? What do I need to make visible for
 users to edit their settings?


 How does the migrated user and a new user differ in your environment?

 E.g. do they have different object classes?


 ~J

 On 8/13/15 9:58 AM, Janelle wrote:

 Hi,

 So I still have been unable to find the problem with blank screens for
 users when they login to the gui and can not manage anything other
 than OTP.  Out of the box, vanilla install of FreeOTP on RHEL 7.x and
 using IPA 4.1.4, a user logs in, you see ALL the fields for a split
 second, before they go blank and there is no way to bring them back.
 This is over course frustrating since users can not add their SSH
 keys. They can change there PW, since that is on the ACTION button,
 which remains visible.

 Are there any troubleshooting suggestions for this? I have not
 customized anything.

 Thank you
 ~J





Re: [Freeipa-users] users- ssh keys self service

2015-08-14 Thread Petr Vobornik

On 08/13/2015 09:25 PM, Janelle wrote:

AHA!!!

The problem is found, but the solution eludes me.
Any user migrated in compat mode has the problem. NEW users do not.
Thoughts? Ideas? troubleshooting? What do I need to make visible for
users to edit their settings?


How does the migrated user and a new user differ in your environment?

E.g. do they have different object classes?



~J

On 8/13/15 9:58 AM, Janelle wrote:

Hi,

So I still have been unable to find the problem with blank screens for
users when they login to the gui and can not manage anything other
than OTP.  Out of the box, vanilla install of FreeOTP on RHEL 7.x and
using IPA 4.1.4, a user logs in, you see ALL the fields for a split
second, before they go blank and there is no way to bring them back.
This is over course frustrating since users can not add their SSH
keys. They can change there PW, since that is on the ACTION button,
which remains visible.

Are there any troubleshooting suggestions for this? I have not
customized anything.

Thank you
~J





--
Petr Vobornik



[Freeipa-users] Windows users, Samba Shares - FreeIPA

2015-08-14 Thread Matt .
Hi People,

In reference to my earlier thread about Samba Shares - IPA Auth for
whatever user, I'm kinda confused what our options are now (for Windows
users).

I have tried all kinds of things and can't get the right feeling about
how to auth shares for mixed environments.

So to start a fresh discussion about what's best: what's best?

The ksetup as known on the IPA pages doesn't let me log in on Windows
10, so if people can share their working ways for the current version
it would be great!

Thanks,

Matt



Re: [Freeipa-users] PTR record not adding to IPA DNS

2015-08-14 Thread Yogesh Sharma
Thanks Martin. Redhat Rock :)


On Fri, Aug 14, 2015 at 4:52 PM, Martin Basti mba...@redhat.com wrote:



 On 08/14/2015 01:13 PM, Yogesh Sharma wrote:

 Please find the output:

 ipa dnszone-show initd.int --all


   dn: idnsname=initd.int.,cn=dns,dc=initd,dc=int
   Zone name: initd.int.
   Active zone: TRUE
   Authoritative nameserver: ipa-inf-prd-ng2-01.initd.int.
   Administrator e-mail address: hostmaster.initd.int.
   SOA serial: 1439547047
   SOA refresh: 3600
   SOA retry: 900
   SOA expire: 1209600
   SOA minimum: 3600
   BIND update policy: grant initd.INT krb5-self * A; grant initd.INT
 krb5-self * ; grant initd.INT krb5-self * SSHFP;
   Dynamic update: TRUE
   Allow query: any;
   Allow transfer: none;
   nsrecord: ipa-inf-prd-ng2-01.initd.int.
   objectclass: idnszone, top, idnsrecord


 I don't see this line in the output of initd.int:
 Allow PTR sync: TRUE

 Did you enable synchronization of PTR records?


 ipa dnszone-mod initd.int --allow-sync-ptr=TRUE

 Martin


   dn: idnsname=32.16.172.in-addr.arpa.,cn=dns,dc=initd,dc=int
   Zone name: 32.16.172.in-addr.arpa.
   Active zone: TRUE
   Authoritative nameserver: ipa-inf-prd-ng2-01.initd.int.
   Administrator e-mail address: hostmaster.initd.int.
   SOA serial: 1439543674
   SOA refresh: 3600
   SOA retry: 900
   SOA expire: 1209600
   SOA minimum: 3600
   BIND update policy: grant initd.INT krb5-subdomain
 32.16.172.in-addr.arpa. PTR;
   Dynamic update: TRUE
   Allow query: any;
   Allow transfer: none;
   nsrecord: ipa-inf-prd-ng2-01.initd.int.
   objectclass: idnszone, top, idnsrecord


 *Best Regards,*

 *__ *

 *Yogesh Sharma *
 *Email:  yks0...@gmail.comyks0...@gmail.com yks0...@gmail.com | Web:
 http://www.initd.in/www.initd.in http://www.initd.in *

 *RHCE, VCE-CIA, RACKSPACE CLOUD U Certified*

 https://www.fb.com/yks   http://in.linkedin.com/in/yks
 https://twitter.com/checkwithyogesh
 http://google.com/+YogeshSharmaOnGooglePlus

 On Fri, Aug 14, 2015 at 4:30 PM, Martin Basti mba...@redhat.com wrote:



 On 08/14/2015 12:57 PM, Yogesh Sharma wrote:

 Forward zone: initd.int
 Reverse: 32.16.172.in-addr.arpa.
 https://ipa-inf-prd-ng2-01.klikpay.int/ipa/ui/#32.16.172.in-addr.arpa.
 CIDR of our DHCP: 172.16.32.0/20

 Please paste here output of following commands:

 ipa dnszone-show initd.int --all

 ipa dnszone-show 32.16.172.in-addr.arpa --all
 https://ipa-inf-prd-ng2-01.klikpay.int/ipa/ui/#32.16.172.in-addr.arpa.


 *Best Regards,*

 *__ *

 *Yogesh Sharma *
 *Email:  yks0...@gmail.comyks0...@gmail.com yks0...@gmail.com | Web:
 http://www.initd.inwww.initd.in http://www.initd.in *

 *RHCE, VCE-CIA, RACKSPACE CLOUD U Certified*

 https://www.fb.com/yks   http://in.linkedin.com/in/yks
 https://twitter.com/checkwithyogesh
 http://google.com/+YogeshSharmaOnGooglePlus

 On Fri, Aug 14, 2015 at 3:45 PM, Martin Basti  mba...@redhat.com
 mba...@redhat.com wrote:



 On 08/14/2015 12:07 PM, Yogesh Sharma wrote:

 Hi,

 Upon client registration, PTR records are not getting added to the reverse
 zone in IPA DNS.




 Hello,

 Please provide more info about configuration of zones.






-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] IPA Client Unattended Registration Issue

2015-08-14 Thread Yogesh Sharma
Thanks Martin, This works and apologies for not confirming the solution.


On Fri, Aug 14, 2015 at 5:20 PM, Martin Basti mba...@redhat.com wrote:

 Please provide feedback if this (and which) solution works for you, this
 may help for other users too.
 Martin

 On 08/14/2015 11:02 AM, Martin Basti wrote:



 On 08/14/2015 10:54 AM, Martin Basti wrote:



 On 08/14/2015 10:12 AM, Yogesh Sharma wrote:

 Hi,

 We use Chef to perform the basic system setup once we launch a new server.

 We are updating our cookbook to include ipa-client-install once we run our
 base cookbook via chef-client.

 For unattended ipa-client installation, we are passing below parameters:


 ipa-client-install --server=ipa.initd.int --domain=initd.int --realm=INITD.INT --password=xx --mkhomedir --no-ntp --unattended


 However, we always get a "password incorrect" error, though we are sure it
 is correct:


 Joining realm failed: Incorrect password.

 Installation failed. Rolling back changes.
 IPA client is not configured on this system.


 Hello, please add the --principal option

 probably --principal admin

 --password without the --principal option requires a bulk password
 (ipa-client-install -h)

 HTH
 Martin

 Or, if you want to use a bulk password, you must add the host with the bulk
 password first

 [ipaserver]$ ipa host-add client.initd.int --password=bulkpassword
 [client.initd.int]$ ipa-client-install  --password=bulkpassword

 HTH
 Martin



-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
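The rule Martin states in this thread (a --password given without --principal is taken by ipa-client-install as a bulk, one-time enrollment password, which only works when the host entry was created beforehand with that password) is worth enforcing in the Chef wrapper before it ever runs the join. The Python below is an added example, not FreeIPA project code and not something posted in this thread: it classifies an unattended command line into the join mode it actually requests, flags the combination that produces "Joining realm failed: Incorrect password.", and extracts the one-time password from the output of ipa host-add --random, so the cookbook never needs an admin password at all. The helper names, the sample host-add output and the hostnames are this example's own assumptions.

```python
# Added example (not FreeIPA project code): pre-flight checks for an
# unattended ipa-client-install run driven from a provisioning tool.
# Helper names, the sample host-add output and hostnames are assumptions.
import re
import secrets
import shlex

# ipa-client-install credential options, short and long forms.
PRINCIPAL_OPTS = {"-p", "--principal"}
PASSWORD_OPTS = {"-w", "--password"}
KEYTAB_OPTS = {"-k", "--keytab"}
UNATTENDED_OPTS = {"-U", "--unattended"}


def option_values(argv, names):
    """Values given for any option in `names`, in either
    "--opt value" or "--opt=value" form."""
    values = []
    i = 0
    while i < len(argv):
        arg = argv[i]
        if arg in names:
            if i + 1 < len(argv):
                values.append(argv[i + 1])
            i += 2
            continue
        for name in names:
            if name.startswith("--") and arg.startswith(name + "="):
                values.append(arg[len(name) + 1:])
        i += 1
    return values


def enrollment_mode(cmdline):
    """Classify a command line as 'keytab', 'admin', 'otp' or 'interactive'.

    The rule from the thread: --password without --principal is taken by
    ipa-client-install as a bulk (one-time) enrollment password, not as an
    admin password, so it only works if the host entry already carries it.
    """
    argv = shlex.split(cmdline)
    if option_values(argv, KEYTAB_OPTS):
        return "keytab"
    has_principal = bool(option_values(argv, PRINCIPAL_OPTS))
    has_password = bool(option_values(argv, PASSWORD_OPTS))
    if has_principal and has_password:
        return "admin"
    if has_password:
        return "otp"
    return "interactive"


def check_unattended(cmdline, host_precreated):
    """Problems a provisioning wrapper should refuse to run with.

    `host_precreated` is whether `ipa host-add <fqdn> --password=...`
    (or --random) has already been run for this client.
    """
    argv = shlex.split(cmdline)
    mode = enrollment_mode(cmdline)
    problems = []
    if not UNATTENDED_OPTS & set(argv):
        problems.append("missing --unattended: the install would prompt")
    if mode == "interactive":
        problems.append("no credential option: the join would prompt for one")
    if mode == "otp" and not host_precreated:
        problems.append("--password without --principal is an OTP join, but no "
                        "host entry with that OTP was created: expect "
                        "'Joining realm failed: Incorrect password.'")
    if mode == "admin":
        problems.append("admin credentials embedded in provisioning: prefer a "
                        "per-host OTP from 'ipa host-add --random'")
    return problems


# Constructed sample of `ipa host-add client.initd.int --random` output;
# only the "Random password:" line is relied on.
SAMPLE_HOST_ADD_OUTPUT = """\
--------------------------------
Added host "client.initd.int"
--------------------------------
  Host name: client.initd.int
  Random password: 2QwJr9-kPzL3X-8sTm4v
  Password: True
  Keytab: False
  Managed by: client.initd.int
"""

RANDOM_PW_RE = re.compile(r"^\s*Random password:\s*(\S+)\s*$", re.MULTILINE)


def parse_host_add_otp(output):
    """Pull the generated OTP out of `ipa host-add ... --random` output."""
    m = RANDOM_PW_RE.search(output)
    if m is None:
        raise ValueError("no 'Random password:' line in host-add output")
    return m.group(1)


def otp_join_commands(fqdn, otp=None):
    """Server-side and client-side argv for a one-time-password join.

    The OTP is generated locally when not supplied; it is consumed by the
    first successful join, so it is safe to hand to the new host once.
    """
    otp = otp or secrets.token_urlsafe(24)
    server_argv = ["ipa", "host-add", fqdn, f"--password={otp}"]
    client_argv = ["ipa-client-install", f"--password={otp}", "--unattended"]
    return server_argv, client_argv
```

In the cookbook, the server side (ipa host-add with --random or a locally generated OTP) runs from a host that holds an admin or host-admin ticket, and only the OTP travels to the new machine; the admin password never lands on a node.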

Re: [Freeipa-users] IPA Client Unattended Registration Issue

2015-08-14 Thread Martin Basti
Please provide feedback if this (and which) solution works for you, this 
may help for other users too.

Martin

On 08/14/2015 11:02 AM, Martin Basti wrote:



On 08/14/2015 10:54 AM, Martin Basti wrote:



On 08/14/2015 10:12 AM, Yogesh Sharma wrote:

Hi,

We use Chef to perform the basic system setup once we launch a new server.


We are updating our cookbook to include ipa-client-install once we 
run our base cookbook via chef-client.


For unattended ipa-client installation, we are passing below parameters:


ipa-client-install --server=ipa.initd.int --domain=initd.int --realm=INITD.INT --password=xx --mkhomedir --no-ntp --unattended



However, we always get a "password incorrect" error, though we are sure 
it is correct:



Joining realm failed: Incorrect password.

Installation failed. Rolling back changes.
IPA client is not configured on this system.


Hello, please add the --principal option

probably --principal admin

--password without the --principal option requires a bulk password 
(ipa-client-install -h)


HTH
Martin
Or, if you want to use a bulk password, you must add the host with the bulk 
password first


[ipaserver]$ ipa host-add client.initd.int --password=bulkpassword
[client.initd.int]$ ipa-client-install  --password=bulkpassword

HTH
Martin



-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] IPA Client Unattended Registration Issue [SOLVED]

2015-08-14 Thread Martin Basti



On 08/14/2015 02:01 PM, Yogesh Sharma wrote:

Thanks Martin, This works and apologies for not confirming the solution.

You are welcome!




On Fri, Aug 14, 2015 at 5:20 PM, Martin Basti mba...@redhat.com 
mailto:mba...@redhat.com wrote:


Please provide feedback if this (and which) solution works for
you, this may help for other users too.
Martin

On 08/14/2015 11:02 AM, Martin Basti wrote:



On 08/14/2015 10:54 AM, Martin Basti wrote:



On 08/14/2015 10:12 AM, Yogesh Sharma wrote:

Hi,

We use Chef to perform the basic system setup once we launch a new server.

We are updating our cookbook to include ipa-client-install once
we run our base cookbook via chef-client.

For unattended ipa-client installation, we are passing below
parameters:


ipa-client-install --server=ipa.initd.int --domain=initd.int --realm=INITD.INT --password=xx --mkhomedir --no-ntp --unattended


However, we always get a "password incorrect" error, though we are
sure it is correct:


Joining realm failed: Incorrect password.

Installation failed. Rolling back changes.
IPA client is not configured on this system.


Hello, please add the --principal option

probably --principal admin

--password without the --principal option requires a bulk password
(ipa-client-install -h)

HTH
Martin

Or, if you want to use a bulk password, you must add the host with the bulk
password first

[ipaserver]$ ipa host-add client.initd.int --password=bulkpassword
[client.initd.int]$ ipa-client-install --password=bulkpassword

HTH
Martin



-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] PTR record not adding to IPA DNS [SOLVED]

2015-08-14 Thread Martin Basti



On 08/14/2015 01:46 PM, Yogesh Sharma wrote:

Thanks Martin. Redhat Rock :)

You are welcome!




On Fri, Aug 14, 2015 at 4:52 PM, Martin Basti mba...@redhat.com 
mailto:mba...@redhat.com wrote:




On 08/14/2015 01:13 PM, Yogesh Sharma wrote:

Please find the output:

ipa dnszone-show initd.int --all


  dn: idnsname=initd.int.,cn=dns,dc=initd,dc=int
  Zone name: initd.int.
  Active zone: TRUE
  Authoritative nameserver: ipa-inf-prd-ng2-01.initd.int.
  Administrator e-mail address: hostmaster.initd.int.
  SOA serial: 1439547047
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  BIND update policy: grant initd.INT krb5-self * A; grant initd.INT krb5-self * ; grant initd.INT krb5-self * SSHFP;
  Dynamic update: TRUE
  Allow query: any;
  Allow transfer: none;
  nsrecord: ipa-inf-prd-ng2-01.initd.int.
  objectclass: idnszone, top, idnsrecord



I don't see this line in the output for initd.int:
Allow PTR sync: TRUE

Did you enable synchronization of PTR records?


ipa dnszone-mod initd.int --allow-sync-ptr=TRUE

Martin


  dn: idnsname=32.16.172.in-addr.arpa.,cn=dns,dc=initd,dc=int
  Zone name: 32.16.172.in-addr.arpa.
  Active zone: TRUE
  Authoritative nameserver: ipa-inf-prd-ng2-01.initd.int.
  Administrator e-mail address: hostmaster.initd.int.
  SOA serial: 1439543674
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  BIND update policy: grant initd.INT krb5-subdomain 32.16.172.in-addr.arpa. PTR;
  Dynamic update: TRUE
  Allow query: any;
  Allow transfer: none;
  nsrecord: ipa-inf-prd-ng2-01.initd.int.
  objectclass: idnszone, top, idnsrecord



On Fri, Aug 14, 2015 at 4:30 PM, Martin Basti mba...@redhat.com
mailto:mba...@redhat.com wrote:



On 08/14/2015 12:57 PM, Yogesh Sharma wrote:

Forward zone: initd.int
Reverse: 32.16.172.in-addr.arpa.
CIDR of our DHCP: 172.16.32.0/20

Please paste here the output of the following commands:

ipa dnszone-show initd.int --all

ipa dnszone-show 32.16.172.in-addr.arpa --all




On Fri, Aug 14, 2015 at 3:45 PM, Martin Basti
mba...@redhat.com mailto:mba...@redhat.com wrote:



On 08/14/2015 12:07 PM, Yogesh Sharma wrote:

Hi,

Upon client registration, PTR records are not getting
added to the reverse zone in IPA DNS.





Hello,

Please provide more info about configuration of zones.










-- 
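Beyond the missing "Allow PTR sync" flag, the zone output pasted in this thread shows a second thing worth checking: the DHCP range is 172.16.32.0/20, but the only reverse zone is 32.16.172.in-addr.arpa., and PTR synchronization can only write into a reverse zone that IPA already manages. Clients that get an address in 172.16.33.0 through 172.16.47.255 will therefore still have no PTR record after the flag is turned on, until the remaining /24 reverse zones (or one parent zone such as 16.172.in-addr.arpa.) are added. The Python below is an added example, not FreeIPA or bind-dyndb-ldap code: it parses ipa dnszone-show --all output in the form pasted above, computes the /24 reverse zones needed to cover a CIDR, and reports what is missing. The zone texts embedded in it are constructed from the pasted output (trimmed, with the link debris removed); the "Dynamic update" check on the reverse zone is this example's assumption about what the zone must allow, and the function names are its own.

```python
# Added example (not FreeIPA or bind-dyndb-ldap code): check the preconditions
# for PTR synchronisation from `ipa dnszone-show --all` output.
# Zone texts below are constructed from the output pasted in this thread
# (trimmed, link debris removed); function names are this example's own.
import ipaddress

FORWARD_ZONE_OUTPUT = """\
  dn: idnsname=initd.int.,cn=dns,dc=initd,dc=int
  Zone name: initd.int.
  Active zone: TRUE
  Authoritative nameserver: ipa-inf-prd-ng2-01.initd.int.
  SOA serial: 1439547047
  BIND update policy: grant initd.INT krb5-self * A; grant initd.INT krb5-self * SSHFP;
  Dynamic update: TRUE
  Allow query: any;
  Allow transfer: none;
"""

REVERSE_ZONE_OUTPUT = """\
  dn: idnsname=32.16.172.in-addr.arpa.,cn=dns,dc=initd,dc=int
  Zone name: 32.16.172.in-addr.arpa.
  Active zone: TRUE
  Authoritative nameserver: ipa-inf-prd-ng2-01.initd.int.
  SOA serial: 1439543674
  BIND update policy: grant initd.INT krb5-subdomain 32.16.172.in-addr.arpa. PTR;
  Dynamic update: TRUE
  Allow query: any;
  Allow transfer: none;
"""


def parse_dnszone_show(text):
    """Turn `ipa dnszone-show --all` output into a {label: value} dict."""
    zone = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.strip().partition(":")
        zone[key.strip()] = value.strip()
    return zone


def reverse_zones_for(cidr):
    """Names of the /24 in-addr.arpa zones that cover an IPv4 CIDR.

    in-addr.arpa names are one label per octet, so a /20 spans sixteen
    /24 names; a managed parent zone (e.g. a /16) covers all of them.
    """
    net = ipaddress.ip_network(cidr, strict=False)
    if net.prefixlen > 24:
        net = net.supernet(new_prefix=24)
    zones = set()
    for sub in net.subnets(new_prefix=24):
        a, b, c, _ = str(sub.network_address).split(".")
        zones.add(f"{c}.{b}.{a}.in-addr.arpa.")
    return zones


def covering_zone(zone_name, reverse_zones):
    """The managed reverse zone that contains `zone_name`, or None.

    Walks from the /24 name up to the /8 name, so a parent zone counts.
    """
    labels = zone_name.rstrip(".").split(".")
    for i in range(len(labels) - 2):  # stop before "in-addr.arpa"
        candidate = ".".join(labels[i:]) + "."
        if candidate in reverse_zones:
            return candidate
    return None


def ptr_sync_problems(forward_zone, reverse_zones, dhcp_cidr):
    """Reasons a client in `dhcp_cidr` would not get a PTR record.

    forward_zone: parsed forward zone; reverse_zones: {zone name: parsed}.
    """
    problems = []
    fwd_name = forward_zone["Zone name"]
    if forward_zone.get("Allow PTR sync", "").upper() != "TRUE":
        problems.append(
            f"forward zone {fwd_name}: Allow PTR sync is not TRUE; run: "
            f"ipa dnszone-mod {fwd_name.rstrip('.')} --allow-sync-ptr=TRUE")
    checked = set()
    for name in sorted(reverse_zones_for(dhcp_cidr)):
        cover = covering_zone(name, reverse_zones)
        if cover is None:
            problems.append(f"no reverse zone {name}: clients in that /24 "
                            "have nowhere for a PTR record to be written")
        elif cover not in checked:
            checked.add(cover)
            # Assumption: the reverse zone must accept dynamic updates.
            if reverse_zones[cover].get("Dynamic update", "").upper() != "TRUE":
                problems.append(f"{cover}: Dynamic update is not TRUE")
    return problems
```

Feed it the two pasted outputs and the /20, and it prints the dnszone-mod command from this thread plus fifteen missing reverse zones; the same check passes once the forward flag is set and either the fifteen zones or a parent 16.172.in-addr.arpa. zone exist.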

Re: [Freeipa-users] IPA Client Unattended Registration Issue

2015-08-14 Thread Yogesh Sharma
Thanks Martin, It worked.


On Fri, Aug 14, 2015 at 2:32 PM, Martin Basti mba...@redhat.com wrote:



 On 08/14/2015 10:54 AM, Martin Basti wrote:



 On 08/14/2015 10:12 AM, Yogesh Sharma wrote:

 Hi,

 We use Chef to perform the basic system setup once we launch a new server.

 We are updating our cookbook to include ipa-client-install once we run our
 base cookbook via chef-client.

 For unattended ipa-client installation, we are passing below parameters:


 ipa-client-install --server=ipa.initd.int --domain=initd.int --realm=INITD.INT --password=xx --mkhomedir --no-ntp --unattended


 However, we always get a "password incorrect" error, though we are sure it
 is correct:


 Joining realm failed: Incorrect password.

 Installation failed. Rolling back changes.
 IPA client is not configured on this system.


 Hello, please add the --principal option

 probably --principal admin

 --password without the --principal option requires a bulk password
 (ipa-client-install -h)

 HTH
 Martin

 Or, if you want to use a bulk password, you must add the host with the bulk
 password first

 [ipaserver]$ ipa host-add client.initd.int --password=bulkpassword
 [client.initd.int]$ ipa-client-install  --password=bulkpassword

 HTH
 Martin



-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

[Freeipa-users] Additional subject for self-signed CA (E, OU, L, ST)

2015-08-14 Thread Christof Schulze
Hello,

I know I already read about it in this list but can't find it
any more.

How can I set additional subject fields like OU, Country, email and
others for a newly created self-signed CA (new IPA server 4.1 on CentOS 7)
and all following service certificates?

C. Schulze

-- 
Christof Schulze

Institute of Materials Simulation (WW8)
Department of Materials Science
Friedrich-Alexander-University Erlangen-Nürnberg
Dr.-Mack-Str. 77,
90762 Fürth, Germany

Tel: 0911/65078-65069
Email: christof.schu...@fau.de

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] PTR record not adding to IPA DNS

2015-08-14 Thread Martin Basti



On 08/14/2015 12:07 PM, Yogesh Sharma wrote:

Hi,

Upon client registration, PTR records are not getting added to the 
reverse zone in IPA DNS.



Hello,

Please provide more info about configuration of zones.

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] Kerberized NFS and home automount issues

2015-08-14 Thread Youenn PIOLET
Hi,

I didn't know it was only possible to create home on the home nfs server :)
I changed my implementation on home nfs server to make a flat /home
directory (not mounted with autofs from an other directory of the same
server)

2) is now solved: I disabled autofs on the home nfs server, moved files and
mkhomedir now works perfectly.

1) the issue seems to be solved after this, but not instantaneously. I
still see errors on NFS server logs:
   WARNING: can't create tcp rpc_clnt to server ipa-server for user
with uid 0: RPC: Remote system error - No route to host
but it seems to be working. After creating a new user, I had to wait a few
seconds/minutes for home to be fetchable by autofs.

Thanks a lot.

--
Youenn Piolet
piole...@gmail.com


2015-08-14 7:14 GMT+02:00 Prasun Gera prasun.g...@gmail.com:

 Where are you trying to create the home directories ? Is your NFS server
 the same as the IPA server ? You can only create home directories on the
 NFS home server unless the nfs-client sees the export option
 no_root_squash. That is not recommended though.

 On Thu, Aug 13, 2015 at 9:49 AM, Youenn PIOLET piole...@gmail.com wrote:

 Hi,

 I'm currently trying to configure automount for home directories with
 Kerberized NFSv4.
 I'm struggling with two issues that may or may not be related:

 1) Can't read my home directory. I have to type kinit manually first on
 each integrated client for this to work. I think it is related to the
 latest versions of sssd on CentOS 7 / Fedora 21 (1.12.2-58), ipa or maybe
 nss; a CentOS that was 1 or 2 months out of date was working first and got
 broken after an update.

 2) Can't create home directories for new users : Permission denied for
 oddjob-mkhomedir script. I can also experience this as root : can't mkdir
 /home/someuser, permission denied (see my mount chain in freeipa below).
 Related to NFSv4?

 Here is my setup and various information:
 - I'm not using selinux
 - Exports :
 /home.shared *(rw,sec=krb5:krb5i:krb5p)
 - Mount chain :
 * -fstype=nfs4,sec=krb5i,rw,proto=tcp,port=2049,rsize=8192,wsize=8192
 home01.net:/home.shared/
 - Experienced on Centos 7 and Fedora 21
 - FreeIPA server 4.1.4
 - I used ipa-client-automount on clients and server.
 - Same behavior with/without a dedicated service principal on client
 - Some errors in NFS server logs :
 rpc.gssd - WARNING: can't create tcp rpc_clnt to server ipa-server
 for user with uid 0: RPC: Remote system error - No route to host -- at
 different times
 oddjobd: Error
 org.freedesktop.DBus.Error.SELinuxSecurityContextUnknown: Could not
 determine security context for '1:###' -- before oddjob-mkhomedir on new
 user

 Have you got the same problems and did you manage to fix them?

 Thanks in advance,
 --
 Youenn Piolet
 piole...@gmail.com


 --
 Manage your subscription for the Freeipa-users mailing list:
 https://www.redhat.com/mailman/listinfo/freeipa-users
 Go to http://freeipa.org for more info on the project



-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
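Prasun's point above, that home directories can only be created on the NFS server itself unless the export carries no_root_squash (which he rightly does not recommend), is the kind of thing worth catching in review of /etc/exports rather than discovering through oddjob-mkhomedir failures. The Python below is an added example, not code from this thread or from nfs-utils: it parses exports entries, starting from the /home.shared line posted above plus constructed variants, and flags no_root_squash, exports that fall back to sec=sys (the exports(5) default when no sec= is given, where the client asserts its own uid), wildcard read-write exports, and security flavour lists that still let a client negotiate plain krb5 without integrity or privacy. Severities, messages and the function names are this example's own.

```python
# Added example (not from this thread or from nfs-utils): lint /etc/exports
# entries for settings that matter with Kerberized NFSv4 home directories.
# Severities, messages and the constructed sample lines are this example's own.
import re

# First line is the export posted in the thread; the rest are constructed.
SAMPLE_EXPORTS = """\
/home.shared *(rw,sec=krb5:krb5i:krb5p)
# constructed variants for comparison
/home.shared 10.1.0.0/16(rw,sec=krb5p,root_squash)
/srv/scratch *(rw,no_root_squash)
/srv/iso     *(ro,sec=sys)
"""

# "client(opt,opt)" or a bare client with default options.
CLIENT_RE = re.compile(r"(\S+?)\(([^)]*)\)|(\S+)")


def parse_exports(text):
    """Parse exports(5) lines into {path, client, options} entries.

    A client written without a parenthesised option list gets the
    exports(5) defaults, which the linter treats as sec=sys, root_squash.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        path, _, rest = line.partition(" ")
        for m in CLIENT_RE.finditer(rest.strip()):
            if m.group(1) is not None:
                client, opts = m.group(1), m.group(2)
            else:
                client, opts = m.group(3), ""
            entries.append({"path": path, "client": client,
                            "options": [o for o in opts.split(",") if o]})
    return entries


def lint_export(entry):
    """(severity, message) findings for one export entry."""
    path, client, opts = entry["path"], entry["client"], entry["options"]
    where = f"{path} {client}"
    sec = "sys"  # exports(5) default when no sec= is given
    for o in opts:
        if o.startswith("sec="):
            sec = o[len("sec="):]
    flavors = sec.split(":")
    findings = []
    if "sys" in flavors or "none" in flavors:
        findings.append(("high", f"{where}: sec={sec} accepts AUTH_SYS, so the "
                                 "client asserts its own uid/gid"))
    if "no_root_squash" in opts:
        findings.append(("high", f"{where}: no_root_squash lets any client's root "
                                 "act as root here; create home directories on "
                                 "the NFS server instead of relaxing this"))
    if client == "*" and "rw" in opts:
        findings.append(("medium", f"{where}: read-write export to every host; "
                                   "restrict to the client network even with Kerberos"))
    if "krb5" in flavors:
        findings.append(("low", f"{where}: sec={sec} lets a client pick plain krb5 "
                                "(authentication only, no integrity or privacy); "
                                "prefer krb5p, or at least krb5i, only"))
    return findings


def lint_exports(text):
    """All findings for an exports file, in file order."""
    return [f for e in parse_exports(text) for f in lint_export(e)]
```

Run against the thread's own line it reports only the wildcard read-write client and the plain-krb5 flavour; the autofs map in the thread already pins sec=krb5i on the client side, which is the sensible fix for the second, while the first is addressed by replacing * with the client subnet.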

[Freeipa-users] PTR record not adding to IPA DNS

2015-08-14 Thread Yogesh Sharma
Hi,

Upon client registration, PTR records are not getting added to the reverse
zone in IPA DNS.


-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project