Re: [Freeipa-users] How to config automembership for IP or subnet

2015-10-14 Thread Martin Kosek
On 10/14/2015 03:33 PM, zhiyong xue wrote:
> The document said

Hi,

What document do you have in mind?

> we can create automembership rules based on IP or subnet.
> But there isn't any sample of it. Does anyone know how to create them?

If the information/attribute is not in the LDAP entry for the Host, Automember
has no means of applying the rule and adding the membership. The only idea I
have now is that you could create the Host entries before ipa-client-install is
run, and manually set some attribute containing the subnet identification to
description or Host Class attribute that Automember could consume.

> I have two subnets and need to create two host groups for them. And all
> host names were auto-generated without any pattern.
> 
> Thanks all.
> 
> 
> 

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] How to install freeIPA client to many VMs?

2015-10-14 Thread Martin Kosek
On 10/14/2015 03:43 PM, zhiyong xue wrote:
>   There are lots of VMs created from Openstack in our environment. And we
> need to install the IPA client on them.  I want to create a base image which
> has the IPA client installed, and generate VMs from this image.
> 
>   When the VM first boots it will auto-register to the IPA server. But the VM's
> host name has no domain (not a FQDN) and it fails to register.

How does the client get the domain then? It is currently needed for the FreeIPA
clients, so you need to either postpone client registration until the domain is
set, or override the hostname in ipa-client-install with a static domain, like

# ipa-client-install --hostname `hostname`.mydomain.test

> What's the right approach to install the IPA client for VMs which are cloned
> from a base image?
> 
> Thanks,
> -- Brave
> 
> 
> 


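The hostname override Martin suggests, worked through as an added example (this is not code from the thread or from the FreeIPA project): it composes `short.mydomain.test` from the VM's short name and a static domain, rejects anything that is still not a valid FQDN (the failure the thread describes), and returns the ipa-client-install argv to run. `mydomain.test` is the placeholder domain from the thread, the host names in the test are constructed, and `--unattended` is an existing ipa-client-install option.

```python
"""Compose and validate the FQDN a cloned VM enrols with, before ipa-client-install runs."""
import re
from typing import List, Optional, Sequence

# One DNS label: letters, digits, hyphens; no leading/trailing hyphen; at most 63 chars.
LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


def normalize_hostname(name: str, static_domain: str) -> Optional[str]:
    """Return a lowercase FQDN for `name`, appending `static_domain` when the
    name carries no domain (the OpenStack case in the thread). Returns None
    when the result is still not a valid FQDN, so the caller can postpone
    enrolment instead of registering a bare host name."""
    host = name.strip().lower().rstrip(".")
    domain = static_domain.strip().lower().strip(".")
    if not host:
        return None
    if "." not in host:
        host = f"{host}.{domain}"
    labels = host.split(".")
    if len(labels) < 2 or len(host) > 253:
        return None
    if not all(LABEL_RE.match(label) for label in labels):
        return None
    return host


def enroll_argv(name: str, static_domain: str,
                extra: Sequence[str] = ()) -> Optional[List[str]]:
    """argv for the override Martin suggests, or None when no FQDN can be formed."""
    fqdn = normalize_hostname(name, static_domain)
    if fqdn is None:
        return None
    return ["ipa-client-install", "--hostname", fqdn, *extra]


if __name__ == "__main__":
    import socket
    # "mydomain.test" is the placeholder domain from the thread; replace it.
    argv = enroll_argv(socket.gethostname(), "mydomain.test", ["--unattended"])
    print(" ".join(argv) if argv else "no usable FQDN yet; postpone enrolment")
```

A first-boot unit can call this and exit non-zero (and retry later) when `enroll_argv` returns None, which is the "postpone registration until the domain is set" branch of Martin's answer.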

Re: [Freeipa-users] ipa-server-install fails at last leg?

2015-10-14 Thread lejeczek

On 14/10/15 07:56, Martin Kosek wrote:
> On 10/13/2015 12:23 PM, lejeczek wrote:
>> dear all,
>>
>> my first try at ipa server, I get this when install fails:
>
> Hi lejeczek,
>
> Can you please start with specifying your IPA version?
>
> http://www.freeipa.org/page/Troubleshooting#Reporting_bugs

it's: ipa-server-4.1.0-18.sl7_1.4.x86_64
and I did file a report before asking the list, also attached a log there.
I'm now trying a plain vanilla virtual system and it succeeded there.
Where to start troubleshooting it? It seems like that java process hangs on
while the installer tries to restart httpd.

>>    [15/16]: restarting httpd
>>    [error] CalledProcessError: Command ''/bin/systemctl' 'restart'
>> 'httpd.service'' returned non-zero exit status 1
>> Unexpected error - see /var/log/ipaserver-install.log for details:
>> CalledProcessError: Command ''/bin/systemctl' 'restart' 'httpd.service''
>> returned non-zero exit status 1
>>
>> then I can see that httpd fails to restart for:
>>
>> Starting The Apache HTTP Server...
>> (98)Address already in use: AH00072: make_sock: could not bind to address
>> [::]:8443
>> (98)Address already in use: AH00072: make_sock: could not bind to address
>> 0.0.0.0:8443
>> no listening sockets available, shutting down
>>
>> and port is bound by:
>>
>> UID       PID  PPID  C    SZ    RSS PSR STIME TTY          TIME CMD
>> pkiuser   5330 1  1 2128224 494604 5 11:00 ?   00:00:16 java
>> -agentpath:/usr/lib64/libabrt-java-connector.so=abrt=on
>> -DRESTEASY_LIB=/usr/share/java/resteasy-base -classpath
>> /usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-juli.jar:/usr/share/java/commons-daemon.jar
>> -Dcatalina.base=/var/lib/pki/pki-tomcat -Dcatalina.home=/usr/share/tomcat
>> -Djava.endorsed.dirs= -Djava.io.tmpdir=/var/lib/pki/pki-tomcat/temp
>> -Djava.util.logging.config.file=/var/lib/pki/pki-tomcat/conf/logging.properties
>> -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
>> -Djava.security.manager
>> -Djava.security.policy==/var/lib/pki/pki-tomcat/conf/catalina.policy
>> org.apache.catalina.startup.Bootstrap start
>>
>> and this is as you can see, the process, the result of the ipa-server-install
>> itself.
>> Any suggestions as to what the problem is there?
>
> It is expected that Dogtag takes over port 8443. What FreeIPA does is
> re-configure installed mod_nss (nss.conf) originally listening on 8443 to
> occupy port 443 instead.
>
> So this failure likely means that something else is bound to port 8443, whether
> it is another Apache module or another program.
>
> I would start with
> # netstat -putna
> run before the installation to see what it is.
>
> Upstream wise, there should be a check since
> https://fedorahosted.org/freeipa/ticket/4564





Re: [Freeipa-users] How to config automembership for IP or subnet

2015-10-14 Thread zhiyong xue
Thanks Martin.

This is the document link:
https://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/automember.html
It says: "Dividing hosts based on their IP address or subnet."

After ipa-client-install is run, the host is registered to the server
automatically. I have many clients in two subnets, so it's impossible to add
the description manually.

2015-10-14 22:29 GMT+08:00 Martin Kosek:

> On 10/14/2015 03:33 PM, zhiyong xue wrote:
> > The document said
>
> Hi,
>
> What document you have in mind?
>
> > we can create automembership rules based on IP or subnet.
> > But there isn't any sample of it. Does anyone know how to create them?
>
> If the information/attribute is not in the LDAP entry for the Host, Automember
> has no means of applying the rule and adding the membership. The only idea I
> have now is that you could create the Host entries before ipa-client-install is
> run, and manually set some attribute containing the subnet identification to
> description or Host Class attribute that Automember could consume.
>
> > I have two subnets and need to create two host groups for them. And all
> > host name were auto generated without any pattern.
> >
> > Thanks all.
> >
> >
> >
>
>

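Martin's workaround in this thread (pre-create the host entries with a subnet marker in an attribute, then let Automember match on it) and the follow-up objection that doing so by hand is impossible for many clients can be scripted. The script below is an added example, not code from the thread or from the FreeIPA project: it classifies each host's IP into one of the known subnets with the `ipaddress` module, writes the marker into the host's description attribute, and emits the `ipa` commands for one host group, one Automember rule and one anchored-regex inclusive condition per subnet. The subnets, host names and addresses are constructed sample data; the `ipa host-add --desc/--ip-address` and `ipa automember-add-condition --key/--inclusive-regex` options exist in FreeIPA 4.x, but confirm them with `--help` on your version.

```python
"""Classify hosts by subnet and emit the FreeIPA commands for per-subnet host groups."""
import ipaddress
import re
import shlex
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed sample data (not from the thread): subnet -> host group.
SUBNET_GROUPS: Dict[str, str] = {
    "10.1.0.0/24": "hg-subnet-10-1-0",
    "10.2.0.0/24": "hg-subnet-10-2-0",
}
# Constructed sample hosts with the pattern-less names the thread describes.
HOSTS: Dict[str, str] = {
    "vm-a1b2c3.example.test": "10.1.0.17",
    "vm-9f8e7d.example.test": "10.2.0.5",
    "vm-0a0b0c.example.test": "192.0.2.9",   # in neither subnet
}


def subnet_for(ip: str, subnets: Iterable[str]) -> Optional[str]:
    """Return the first CIDR in `subnets` containing `ip`, or None."""
    addr = ipaddress.ip_address(ip)
    for cidr in subnets:
        if addr in ipaddress.ip_network(cidr):
            return cidr
    return None


def description_marker(cidr: str) -> str:
    """Value stored in the host's description attribute, e.g. 'subnet=10.1.0.0/24'."""
    return f"subnet={cidr}"


def marker_regex(cidr: str) -> str:
    """Anchored regex for the Automember condition; the dots are escaped so
    10.1.0.0/24 cannot also match a marker such as 10x1x0x0/24."""
    return "^" + re.escape(description_marker(cidr)) + "$"


def automember_rule_commands(subnet_groups: Dict[str, str]) -> List[str]:
    """One host group, one Automember rule and one inclusive condition per subnet."""
    cmds = []
    for cidr, hostgroup in subnet_groups.items():
        hg = shlex.quote(hostgroup)
        cmds.append(f"ipa hostgroup-add {hg}")
        cmds.append(f"ipa automember-add {hg} --type=hostgroup")
        cmds.append(
            f"ipa automember-add-condition {hg} --type=hostgroup "
            f"--key=description --inclusive-regex={shlex.quote(marker_regex(cidr))}"
        )
    return cmds


def host_precreate_commands(hosts: Dict[str, str],
                            subnet_groups: Dict[str, str]) -> Tuple[List[str], List[str]]:
    """ipa host-add commands that pre-create each host with its subnet marker,
    plus the hosts that fall in no known subnet (reported for manual review
    rather than silently enrolled without a group)."""
    cmds, unmatched = [], []
    for fqdn, ip in hosts.items():
        cidr = subnet_for(ip, subnet_groups)
        if cidr is None:
            unmatched.append(fqdn)
            continue
        cmds.append(
            f"ipa host-add {shlex.quote(fqdn)} --ip-address={ip} "
            f"--desc={shlex.quote(description_marker(cidr))}"
        )
    return cmds, unmatched


if __name__ == "__main__":
    for line in automember_rule_commands(SUBNET_GROUPS):
        print(line)
    pre, skipped = host_precreate_commands(HOSTS, SUBNET_GROUPS)
    print("\n".join(pre))
    for fqdn in skipped:
        print(f"# {fqdn}: no matching subnet, review manually")
```

The rule commands are run once per subnet; the host-add commands are generated from your inventory (the OpenStack side knows each instance's name and fixed IP) and run before the instance's ipa-client-install, exactly the ordering Martin describes. `--ip-address` also creates the DNS record, which only works when IPA manages that zone; drop it otherwise.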
Re: [Freeipa-users] How to install freeIPA client to many VMs?

2015-10-14 Thread zhiyong xue
Yes, that's my problem. These VMs were created by openstack and got
host names without any domain at all.  Is there any way to let the newly
created VM join the domain automatically?

Thanks Martin.

2015-10-14 22:40 GMT+08:00 Martin Kosek:

> On 10/14/2015 03:43 PM, zhiyong xue wrote:
> >   There are lots of VMs created from Openstack in our environment. And we
> > need to install the IPA client on them.  I want to create a base image which
> > has the IPA client installed, and generate VMs from this image.
> >
> >   When the VM first boots it will auto-register to the IPA server. But the VM's
> > host name has no domain (not a FQDN) and it fails to register.
>
> How does the client get the domain then? It is currently needed for the FreeIPA
> clients, so you need to either postpone client registration until the domain is
> set, or override the hostname in ipa-client-install with a static domain,
> like
>
> # ipa-client-install --hostname `hostname`.mydomain.test
>
> > What's the right approach to install the IPA client for VMs which are cloned
> > from a base image?
> >
> > Thanks,
> > -- Brave
> >
> >
> >
>
>

Re: [Freeipa-users] nsslapd-dbcachesize and database size

2015-10-14 Thread Andrew E. Bruno
On Wed, Oct 14, 2015 at 07:59:23AM -0600, Rich Megginson wrote:
> On 10/14/2015 07:09 AM, Andrew E. Bruno wrote:
> >The load average on our freeipa replicas started to spike over the
> >last few days and we narrowed it down to a dbcache issue. Following the
> >guidelines here: https://github.com/richm/scripts/wiki/dbmon.sh
> >
> >We saw that the dbcachefree was 2.0% which indicates a lot of page
> >churn. Sure enough our nsslapd-dbcachesize was set to 2G and the size of
> >our database and index files was 3.1G:
> >
> >$ du -sh /var/lib/dirsrv/slapd-[domain]/db/
> >3.1G
> >
> >Once we increased nsslapd-dbcachesize to 6G load average went back to
> >normal and query response times improved. Interestingly, when we
> >restarted the dirsrv process the database size went down to 1.7G
> >
> >$ du -sh /var/lib/dirsrv/slapd-[domain]/db/
> >1.7G
> >
> >When we initially deployed freeipa, the size of our database and indexes
> >was about 400M which is why we set nsslapd-dbcachesize to 2G.
> 
> What about your cachememsize?

We have nsslapd-cachememsize set at 2G for the cn=userRoot. According to
dbmon.sh it looked OK and we didn't think it needed to be increased:

dbcachefree 6123847680 free% 95.055 roevicts 0 hit% 99 pagein 34260 pageout 
308661

   dbname  count  free  free%size
changelog:ent 84158342   30.9  4210.2
changelog:dn   29716580.074.0
 userroot:ent   84462091021433   97.4  6685.1
 userroot:dn8446 523272268   99.8   120.3
ipaca:ent100673516   47.9  7338.6
ipaca:dn 100   1399359   99.480.1


The changelog:dn seems to vary so much that I'm not sure how to tune that one.
Any suggestions? It's almost always 0% free.

> 
> >
> >A few questions:
> >
> >1. What causes the increase in size of
> >/var/lib/dirsrv/slapd-[domain]/db/*  and should we periodically clean up?
> 
> Replication metadata accounts for some of this.  Fragmentation accounts for
> some of this.  You can periodically clean up, but you shouldn't have to.
> The growth should eventually hit a plateau.
> 
> >
> >2. How do you tune nsslapd-dbcachesize to account for this growth? The
> >dbmon.sh wiki suggests a 12% overhead but our db files and indexes seem
> >to grow much larger?
> 
> 12% is sort of a starting point.  There isn't a good way to tell how to
> account for replication metadata, fragmentation, etc.  Just monitor
> periodically and adjust as needed.

Great, Thanks Rich!



Re: [Freeipa-users] shared ip space for iDM and AD

2015-10-14 Thread Craig White
-Original Message-
From: freeipa-users-boun...@redhat.com 
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Petr Spacek
Sent: Tuesday, October 13, 2015 11:57 PM
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] shared ip space for iDM and AD

On 14.10.2015 00:41, Craig White wrote:
> Our environment is mostly Linux servers but we do have some Windows servers 
> running MSSQL. A co-worker spun up Active Directory Domain Controllers 
> without conferring with me and the Windows boxes are all on one of the VLAN 
> private LAN networks used by FreeIPA. Thus we not only have reverse DNS 
> servers in FreeIPA but also in Active Directory. Is it possible to have 
> Active Directory use the reverse DNS servers on iDM/FreeIPA?

If you decide to manually configure/add records to reverse zones then yes, it 
will work :-)

If you want to use dynamic updates from IPA and Windows clients, then you need 
to establish trust between AD and IPA domains and modify DNS update policy on 
IPA server to accept updates from Windows clients.

Please note that I did not test this, but it should work.


# this allows updates to A//SSHFP records
$ ipa dnszone-mod your.domain.example. --dynamic-updates=TRUE
$ ipa dnszone-mod your.domain.example. --update-policy='
grant IPA.REALM.EXAMPLE krb5-self * A;
grant IPA.REALM.EXAMPLE krb5-self * ;
grant IPA.REALM.EXAMPLE krb5-self * SSHFP;
grant AD.REALM.EXAMPLE ms-self * A;
grant AD.REALM.EXAMPLE ms-self * ;
grant AD.REALM.EXAMPLE ms-self * SSHFP;
'

# this instructs IPA server to update PTR records when updating A/ records
$ ipa dnszone-mod your.domain.example. --sync-ptr=TRUE
$ ipa dnszone-mod 2.0.192.in-addr.arpa. --dynamic-update=TRUE


Alternatively, you can allow unauthenticated updates to reverse zones, so
SyncPTR feature is not needed for Windows clients (because the clients would do
updates themselves):
$ ipa dnszone-mod 2.0.192.in-addr.arpa. --dynamic-update=TRUE
$ ipa dnszone-mod 2.0.192.in-addr.arpa. --update-policy='
grant * tcp-self * PTR;'


Please let me know if it works for you.

Will do. My co-worker wants to be the one to join the domains together but he 
is procrastinating on it so I don't know when it will be done. 

Thanks for the great help.

Craig



Re: [Freeipa-users] How to install freeIPA client to many VMs?

2015-10-14 Thread Rich Megginson

On 10/14/2015 09:58 AM, zhiyong xue wrote:
> Yes, that's my problem. These VMs were created by openstack and got
> host names without any domain at all.  Is there any way to let the newly
> created VM join the domain automatically?


I am working on such a feature: 
https://github.com/richm/rdo-vm-factory/tree/master/rdo-ipa-nova


This is not a product yet, just a PoC.

This allows you to:
* automatically register VMs created by Nova with IPA
* automatically assign DNS A records in IPA when you assign a floating 
IP address to a VM




> Thanks Martin.
>
> 2015-10-14 22:40 GMT+08:00 Martin Kosek:
>
>> On 10/14/2015 03:43 PM, zhiyong xue wrote:
>>>   There are lots of VMs created from Openstack in our environment. And we
>>> need to install the IPA client on them.  I want to create a base image which
>>> has the IPA client installed, and generate VMs from this image.
>>>
>>>   When the VM first boots it will auto-register to the IPA server. But the VM's
>>> host name has no domain (not a FQDN) and it fails to register.
>>
>> How does the client get the domain then? It is currently needed for the FreeIPA
>> clients, so you need to either postpone client registration until the domain is
>> set, or override the hostname in ipa-client-install with a static domain, like
>>
>> # ipa-client-install --hostname `hostname`.mydomain.test
>>
>>> What's the right approach to install the IPA client for VMs which are cloned
>>> from a base image?
>>>
>>> Thanks,
>>> -- Brave







Re: [Freeipa-users] substitute local system groups by ipa groups

2015-10-14 Thread Rob Crittenden
Natxo Asenjo wrote:
> hi,
> 
> can you do something like this?
> 
> ipa group-add wheel --gid=10
> 
> to substitute the local group wheel? Of course nsswitch.conf indicates
> local groups get found first ( group: files sss) but, would it work and
> is it supported?

What is it you expect or desire to happen in this case?

rob



Re: [Freeipa-users] nsslapd-dbcachesize and database size

2015-10-14 Thread Rich Megginson

On 10/14/2015 08:35 AM, Andrew E. Bruno wrote:

On Wed, Oct 14, 2015 at 07:59:23AM -0600, Rich Megginson wrote:

On 10/14/2015 07:09 AM, Andrew E. Bruno wrote:

The load average on our freeipa replicas started to spike over the
last few days and we narrowed it down to a dbcache issue. Following the
guidelines here: https://github.com/richm/scripts/wiki/dbmon.sh

We saw that the dbcachefree was 2.0% which indicates a lot of page
churn. Sure enough our nsslapd-dbcachesize was set to 2G and the size of
our database and index files was 3.1G:

$ du -sh /var/lib/dirsrv/slapd-[domain]/db/
3.1G

Once we increased nsslapd-dbcachesize to 6G load average went back to
normal and query response times improved. Interestingly, when we
restarted the dirsrv process the database size went down to 1.7G

$ du -sh /var/lib/dirsrv/slapd-[domain]/db/
1.7G

When we initially deployed freeipa, the size of our database and indexes
was about 400M which is why we set nsslapd-dbcachesize to 2G.

What about your cachememsize?

We have nsslapd-cachememsize set at 2G for the cn=userRoot. According to
dbmon.sh it looked OK and we didn't think it needed to be increased:

dbcachefree 6123847680 free% 95.055 roevicts 0 hit% 99 pagein 34260 pageout 
308661

dbname  count  free  free%size
changelog:ent 84158342   30.9  4210.2
changelog:dn   29716580.074.0
  userroot:ent   84462091021433   97.4  6685.1
  userroot:dn8446 523272268   99.8   120.3
 ipaca:ent100673516   47.9  7338.6
 ipaca:dn 100   1399359   99.480.1


Yes, looks good.




The changelog:dn seems to vary so much that I'm not sure how to tune that one.
Any suggestions? It's almost always 0% free.


I wouldn't worry about it, for now.




A few questions:

1. What causes the increase in size of
/var/lib/dirsrv/slapd-[domain]/db/*  and should we periodically clean up?

Replication metadata accounts for some of this.  Fragmentation accounts for
some of this.  You can periodically clean up, but you shouldn't have to.
The growth should eventually hit a plateau.


2. How do you tune nsslapd-dbcachesize to account for this growth? The
dbmon.sh wiki suggests a 12% overhead but our db files and indexes seem
to grow much larger?

12% is sort of a starting point.  There isn't a good way to tell how to
account for replication metadata, fragmentation, etc.  Just monitor
periodically and adjust as needed.

Great, Thanks Rich!




Re: [Freeipa-users] shared ip space for iDM and AD

2015-10-14 Thread Craig White
-Original Message-
From: freeipa-users-boun...@redhat.com 
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Petr Spacek
Sent: Tuesday, October 13, 2015 11:57 PM
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] shared ip space for iDM and AD

On 14.10.2015 00:41, Craig White wrote:
> Our environment is mostly Linux servers but we do have some Windows servers 
> running MSSQL. A co-worker spun up Active Directory Domain Controllers 
> without conferring with me and the Windows boxes are all on one of the VLAN 
> private LAN networks used by FreeIPA. Thus we not only have reverse DNS 
> servers in FreeIPA but also in Active Directory. Is it possible to have 
> Active Directory use the reverse DNS servers on iDM/FreeIPA?

If you decide to manually configure/add records to reverse zones then yes, it 
will work :-)

If you want to use dynamic updates from IPA and Windows clients, then you need 
to establish trust between AD and IPA domains and modify DNS update policy on 
IPA server to accept updates from Windows clients.

Please note that I did not test this, but it should work.


# this allows updates to A//SSHFP records
$ ipa dnszone-mod your.domain.example. --dynamic-updates=TRUE
$ ipa dnszone-mod your.domain.example. --update-policy='
grant IPA.REALM.EXAMPLE krb5-self * A;
grant IPA.REALM.EXAMPLE krb5-self * ;
grant IPA.REALM.EXAMPLE krb5-self * SSHFP;
grant AD.REALM.EXAMPLE ms-self * A;
grant AD.REALM.EXAMPLE ms-self * ;
grant AD.REALM.EXAMPLE ms-self * SSHFP;
'

# this instructs IPA server to update PTR records when updating A/ records
$ ipa dnszone-mod your.domain.example. --sync-ptr=TRUE
$ ipa dnszone-mod 2.0.192.in-addr.arpa. --dynamic-update=TRUE


Alternatively, you can allow unauthenticated updates to reverse zones, so
SyncPTR feature is not needed for Windows clients (because the clients would do
updates themselves):
$ ipa dnszone-mod 2.0.192.in-addr.arpa. --dynamic-update=TRUE
$ ipa dnszone-mod 2.0.192.in-addr.arpa. --update-policy='
grant * tcp-self * PTR;'


Please let me know if it works for you.

Nitpicking...

$ ipa dnszone-mod your.domain.example. --dynamic-updates=TRUE
s/b
$ ipa dnszone-mod your.domain.example. --dynamic-update=TRUE   #update not 
updates


ipa dnszone-mod your.domain.example. --sync-ptr=TRUE
s/b
ipa dnszone-mod your.domain.example. --allow-sync-ptr=TRUE #allow is required


Still waiting for AD to be joined to IPA for the first set of mods. 

You're awesome, thanks.

Craig



Re: [Freeipa-users] ipa-server-install fails at last leg?

2015-10-14 Thread Martin Kosek
On 10/13/2015 12:23 PM, lejeczek wrote:
> dear all,
> 
> my first try at ipa server, I get this when install fails:

Hi lejeczek,

Can you please start with specifying your IPA version?

http://www.freeipa.org/page/Troubleshooting#Reporting_bugs

>   [15/16]: restarting httpd
>   [error] CalledProcessError: Command ''/bin/systemctl' 'restart'
> 'httpd.service'' returned non-zero exit status 1
> Unexpected error - see /var/log/ipaserver-install.log for details:
> CalledProcessError: Command ''/bin/systemctl' 'restart' 'httpd.service''
> returned non-zero exit status 1
> 
> then I can see that httpd fails to restart for:
> 
> Starting The Apache HTTP Server...
> (98)Address already in use: AH00072: make_sock: could not bind to address
> [::]:8443
> (98)Address already in use: AH00072: make_sock: could not bind to address
> 0.0.0.0:8443
> no listening sockets available, shutting down
> 
> and port is bound by:
> 
> UID       PID  PPID  C    SZ    RSS PSR STIME TTY          TIME CMD
> pkiuser   5330 1  1 2128224 494604 5 11:00 ?   00:00:16 java
> -agentpath:/usr/lib64/libabrt-java-connector.so=abrt=on
> -DRESTEASY_LIB=/usr/share/java/resteasy-base -classpath
> /usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-juli.jar:/usr/share/java/commons-daemon.jar
> -Dcatalina.base=/var/lib/pki/pki-tomcat -Dcatalina.home=/usr/share/tomcat
> -Djava.endorsed.dirs= -Djava.io.tmpdir=/var/lib/pki/pki-tomcat/temp
> -Djava.util.logging.config.file=/var/lib/pki/pki-tomcat/conf/logging.properties
> -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
> -Djava.security.manager
> -Djava.security.policy==/var/lib/pki/pki-tomcat/conf/catalina.policy
> org.apache.catalina.startup.Bootstrap start
> 
> and this is as you can see, the process, the result of the ipa-server-install
> itself.
> Any suggestions as what is the problem there?

It is expected that Dogtag takes over port 8443. What FreeIPA does is
re-configure installed mod_nss (nss.conf) originally listening on 8443 to
occupy port 443 instead.

So this failure likely means that something else is bound to port 8443, whether
it is another Apache module or another program.

I would start with
# netstat -putna
run before the installation to see what it is.

Upstream wise, there should be a check since
https://fedorahosted.org/freeipa/ticket/4564


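Martin's advice in this thread is to run `netstat -putna` before the installation and find out what already holds 8443. The probe below is an added example, not code from the thread or from the FreeIPA project: it tries to bind the two addresses httpd failed on in the log above, `[::]` and `0.0.0.0`, on a configurable port (8443 by default, the Dogtag port from the thread) and classifies each as free, in use, or unavailable (for instance no IPv6 on the box). A bind probe cannot name the owning process, so `netstat -putna` or `ss -ltnp` still does that part; `demo_conflict` exercises the in-use detection against a loopback listener the script opens itself, so it can be tried on any machine.

```python
"""Pre-install probe: is TCP port 8443 already taken on the wildcard addresses?"""
import errno
import socket
from typing import Dict, Iterable

DOGTAG_PORT = 8443                 # port from the thread's httpd error
WILDCARDS = ("0.0.0.0", "::")      # the two addresses httpd tried to bind


def bind_status(host: str, port: int) -> str:
    """Try to bind host:port once; report 'free', 'in-use' or 'unavailable'."""
    family = socket.AF_INET6 if ":" in host else socket.AF_INET
    try:
        sock = socket.socket(family, socket.SOCK_STREAM)
    except OSError:
        return "unavailable"       # address family not supported on this host
    try:
        if family == socket.AF_INET6:
            # probe the v6 wildcard on its own, as httpd's [::]:8443 listener does
            sock.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_V6ONLY, 1)
        sock.bind((host, port))
        return "free"
    except OSError as exc:
        if exc.errno == errno.EADDRINUSE:
            return "in-use"
        return "unavailable"       # e.g. EADDRNOTAVAIL, EAFNOSUPPORT
    finally:
        sock.close()


def probe(port: int = DOGTAG_PORT, hosts: Iterable[str] = WILDCARDS) -> Dict[str, str]:
    """Map each address to its bind status for the given port."""
    return {host: bind_status(host, port) for host in hosts}


def install_may_proceed(results: Dict[str, str]) -> bool:
    """The precondition from the thread: nothing else may hold the port."""
    return "in-use" not in results.values()


def demo_conflict() -> Dict[str, str]:
    """Hold a loopback port with a listener, probe it, release it, probe again.
    Returns {'held': status_while_held, 'released': status_after_release}."""
    holder = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    holder.bind(("127.0.0.1", 0))  # ephemeral port chosen by the kernel
    holder.listen(1)
    port = holder.getsockname()[1]
    try:
        held = bind_status("127.0.0.1", port)
    finally:
        holder.close()
    return {"held": held, "released": bind_status("127.0.0.1", port)}


if __name__ == "__main__":
    results = probe()
    for host, status in results.items():
        print(f"{host}:{DOGTAG_PORT} {status}")
    print("ok to install" if install_may_proceed(results)
          else "port 8443 is taken; find the owner with netstat -putna first")
```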

Re: [Freeipa-users] shared ip space for iDM and AD

2015-10-14 Thread Petr Spacek
On 14.10.2015 00:41, Craig White wrote:
> Our environment is mostly Linux servers but we do have some Windows servers 
> running MSSQL. A co-worker spun up Active Directory Domain Controllers 
> without conferring with me and the Windows boxes are all on one of the VLAN 
> private LAN networks used by FreeIPA. Thus we not only have reverse DNS 
> servers in FreeIPA but also in Active Directory. Is it possible to have 
> Active Directory use the reverse DNS servers on iDM/FreeIPA?

If you decide to manually configure/add records to reverse zones then yes, it
will work :-)

If you want to use dynamic updates from IPA and Windows clients, then you need
to establish trust between AD and IPA domains and modify DNS update policy on
IPA server to accept updates from Windows clients.

Please note that I did not test this, but it should work.


# this allows updates to A//SSHFP records
$ ipa dnszone-mod your.domain.example. --dynamic-updates=TRUE
$ ipa dnszone-mod your.domain.example. --update-policy='
grant IPA.REALM.EXAMPLE krb5-self * A;
grant IPA.REALM.EXAMPLE krb5-self * ;
grant IPA.REALM.EXAMPLE krb5-self * SSHFP;
grant AD.REALM.EXAMPLE ms-self * A;
grant AD.REALM.EXAMPLE ms-self * ;
grant AD.REALM.EXAMPLE ms-self * SSHFP;
'

# this instructs IPA server to update PTR records when updating A/ records
$ ipa dnszone-mod your.domain.example. --sync-ptr=TRUE
$ ipa dnszone-mod 2.0.192.in-addr.arpa. --dynamic-update=TRUE


Alternatively, you can allow unauthenticated updates to reverse zones, so
SyncPTR feature is not needed for Windows clients (because the clients would
do updates themselves):
$ ipa dnszone-mod 2.0.192.in-addr.arpa. --dynamic-update=TRUE
$ ipa dnszone-mod 2.0.192.in-addr.arpa. --update-policy='
grant * tcp-self * PTR;'


Please let me know if it works for you.

-- 
Petr^2 Spacek



Re: [Freeipa-users] Cleanly removing replication agreement

2015-10-14 Thread Dominik Korittki
I was able to remove the replication, but when I try to re-add ipa02 to the
replication agreement I get errors in
/var/log/dirsrv/slapd-INTERNAL/errors on ipa02:


[11/Oct/2015:17:17:48 +0200] - 389-Directory/1.3.1.6 B2014.219.1825 
starting up
[11/Oct/2015:17:17:48 +0200] - WARNING: userRoot: entry cache size 
10485760B is less than db size 86450176B; We recommend to increase the 
entry cache size nsslapd-cachememsize.
[11/Oct/2015:17:17:48 +0200] schema-compat-plugin - warning: no entries 
set up under cn=computers, cn=compat,dc=internal
[11/Oct/2015:17:17:53 +0200] set_krb5_creds - Could not get initial 
credentials for principal [ldap/ipa02.internal@INTERNAL] in keytab 
[FILE:/etc/dirsrv/ds.keytab]: -1765328324 (Generic error (see e-text))
[11/Oct/2015:17:17:53 +0200] - slapd started.  Listening on All 
Interfaces port 389 for LDAP requests
[11/Oct/2015:17:17:53 +0200] - Listening on All Interfaces port 636 for 
LDAPS requests
[11/Oct/2015:17:17:53 +0200] - Listening on 
/var/run/slapd-INTERNAL.socket for LDAPI requests
[11/Oct/2015:17:17:53 +0200] slapd_ldap_sasl_interactive_bind - Error: 
could not perform interactive bind for id [] mech [GSSAPI]: LDAP error 
-2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified 
GSS failure.  Minor code may provide more information (No Kerberos 
credentials available)) errno 0 (Success)
[11/Oct/2015:17:17:53 +0200] slapi_ldap_bind - Error: could not perform 
interactive bind for id [] authentication mechanism [GSSAPI]: error -2 
(Local error)
[11/Oct/2015:17:17:53 +0200] NSMMReplicationPlugin - 
agmt="cn=meToipa01.internal" (ipa01:389): Replication bind with GSSAPI 
auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: 
GSSAPI Error: Unspecified GSS failure.  Minor code may provide more 
information (No Kerberos credentials available))
[11/Oct/2015:17:17:56 +0200] NSMMReplicationPlugin - 
agmt="cn=meToipa01.internal" (ipa01:389): Replication bind with GSSAPI 
auth resumed


It seems it can't get its tickets from the KDC. This is the krb5kdc.log:
Okt 11 17:17:53 ipa02.internal krb5kdc[5766](info): AS_REQ (6 etypes {18 
17 16 23 25 26}) 172.16.0.42: LOOKING_UP_CLIENT: 
ldap/ipa02.internal@INTERNAL for krbtgt/INTERNAL@INTERNAL, Server error
Okt 11 17:17:56 ipa02.internal krb5kdc[5767](info): AS_REQ (6 etypes {18 
17 16 23 25 26}) 172.16.0.42: NEEDED_PREAUTH: 
ldap/ipa02.internal@INTERNAL for krbtgt/INTERNAL@INTERNAL, Additional 
pre-authentication required
Okt 11 17:17:56 ipa02.internal krb5kdc[5766](info): AS_REQ (6 etypes {18 
17 16 23 25 26}) 172.16.0.42: ISSUE: authtime 1444576676, etypes {rep=18 
tkt=18 ses=18}, ldap/ipa02.internal@INTERNAL for krbtgt/INTERNAL@INTERNAL
Okt 11 17:17:56 ipa02.internal krb5kdc[5767](info): TGS_REQ (6 etypes 
{18 17 16 23 25 26}) 172.16.0.42: ISSUE: authtime 1444576676, etypes 
{rep=18 tkt=18 ses=18}, ldap/ipa02.internal@INTERNAL for 
ldap/ipa01.internal@INTERNAL


Strangely everything works fine, when trying to manually get the ticket:
root@ipa02:~ > kinit ldap/ipa02.internal@INTERNAL -kt /etc/dirsrv/ds.keytab
root@ipa02:~ > klist
Ticket cache: KEYRING:persistent:0:0
Default principal: ldap/ipa02.internal@INTERNAL

Valid starting   Expires  Service principal
11.10.2015 17:27:43  12.10.2015 17:27:43  krbtgt/INTERNAL@INTERNAL

This is the log from the kinit command, everything seems normal:
Okt 11 17:27:43 ipa02.internal krb5kdc[5767](info): AS_REQ (6 etypes {18 
17 16 23 25 26}) 172.16.0.42: NEEDED_PREAUTH: 
ldap/ipa02.internal@INTERNAL for krbtgt/INTERNAL@INTERNAL, Additional 
pre-authentication required
Okt 11 17:27:43 ipa02.internal krb5kdc[5767](info): AS_REQ (6 etypes {18 
17 16 23 25 26}) 172.16.0.42: ISSUE: authtime 1444577263, etypes {rep=18 
tkt=18 ses=18}, ldap/ipa02.internal@INTERNAL for krbtgt/INTERNAL@INTERNAL


Any suggestions on how to resolve this issue?
Many thanks!


- Dominik



On 08.10.2015 at 17:47, Dominik Korittki wrote:

> Hello folks,
>
> I have two FreeIPA 3.3 machines running on CentOS7: ipa01.internal and
> ipa02.internal. Both have a CA installed.
> Initially ipa02 is a replica of ipa01. Recently ipa01 had some
> trouble while ipa02 was running fine (see "FreeIPA 3.3 performance
> issues with many hosts" on this mailing list).
>
> So what I did was to uninstall ipa01 via "ipa-server-install
> --uninstall" and recreate ipa01 as a replica of ipa02 via
> "ipa-replica-install --setup-ca". Since then I have been having trouble with
> replication. It seems there is still some RUV information about
> the old ipa01 in the database.
>
> Well, long story short: I want to completely delete ipa02 from the
> replication agreement on host ipa01 to be able to re-add ipa02 later.
>
> Currently the situation on ipa01 is as follows:
>
> root@ipa01:~ > ipa-replica-manage list
> Directory Manager password:
>
> ipa01.internal: master
> ipa02.internal: master
>
> root@ipa01:~ > ipa-replica-manage list-ruv
> Directory Manager password:
>
> ipa01.internal:389: 6
> ipa02.internal:389: 5
>
> root@ipa01:~ > ipa-csreplica-manage 

Re: [Freeipa-users] substitute local system groups by ipa groups

2015-10-14 Thread Simo Sorce
- Original Message -
> From: "Rob Crittenden" 
> To: "Natxo Asenjo" , freeipa-users@redhat.com
> Sent: Wednesday, October 14, 2015 3:08:29 PM
> Subject: Re: [Freeipa-users] substitute local system groups by ipa groups
> 
> Natxo Asenjo wrote:
> > hi,
> > 
> > On Wed, Oct 14, 2015 at 8:35 PM, Rob Crittenden wrote:
> > 
> > Natxo Asenjo wrote:
> > > hi,
> > >
> > > can you do something like this?
> > >
> > > ipa group-add wheel --gid=10
> > >
> > > to substitute the local group wheel? Of course nsswitch.conf
> > > indicates
> > > local groups get found first ( group: files sss) but, would it work
> > > and
> > > is it supported?
> > 
> > What is it you expect or desire to happen in this case?
> > 
> > 
> > sorry, I thought it was obvious. To create a wheel ipa group. Members of
> > this group are automatically 'root'  in sudoers in plenty of
> > distributions ( centos 7, just tested):
> > 
> > ## Allows people in group wheel to run all commands
> > %wheel  ALL=(ALL)   ALL
> > 
> > and in policykit I see this as well:
> > 
> > # cat 50-default.rules
> > /* -*- mode: js; js-indent-level: 4; indent-tabs-mode: nil -*- */
> > 
> > // DO NOT EDIT THIS FILE, it will be overwritten on update
> > //
> > // Default rules for polkit
> > //
> > // See the polkit(8) man page for more information
> > // about configuring polkit.
> > 
> > polkit.addAdminRule(function(action, subject) {
> > return ["unix-group:wheel"];
> > });
> > 
> > 
> > So there is already an existing infrastructure for the wheel group that
> > is waiting to be used ;-)
> > 
> > Hopefully this makes it clear.
> 
> Ok, that's what I thought, didn't want to assume. It is my understanding
> that nss returns the first match it finds, in this case the system-local
> wheel group. There is no merging in SSSD AFAIK.

FYI: we are working on this problem:
https://sourceware.org/glibc/wiki/Proposals/GroupMerging

Stephen has patches for glibc, not sure what is the status of the submission yet
though.

Simo.


-- 
Simo Sorce * Red Hat, Inc. * New York

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
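Why the IPA "wheel" group from the question is never consulted: with `group: files sss` in nsswitch.conf, glibc asks each source in turn and stops at the first hit, so sudoers' `%wheel` and polkit's `unix-group:wheel` only ever see the local member list. This is an added illustration, not code from the thread; the merge variant models what the group-merging proposal linked above aims for, and its exact semantics are an assumption here.

```python
from dataclasses import dataclass


@dataclass
class Group:
    name: str
    gid: int
    members: tuple


def parse_group_file(text):
    """Parse /etc/group-style lines: name:password:gid:member,member,..."""
    groups = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, gid, members = line.split(":")
        groups[name] = Group(name, int(gid), tuple(m for m in members.split(",") if m))
    return groups


# Constructed sample data: the local /etc/group entry and the IPA group
# created with 'ipa group-add wheel --gid=10' as returned by the sss source.
FILES = parse_group_file("root:x:0:\nwheel:x:10:alice\n")
SSS = {"wheel": Group("wheel", 10, ("bob", "carol"))}


def getgrnam_first_match(name, sources):
    """Current glibc behaviour: the first source that answers wins."""
    for src in sources:
        if name in src:
            return src[name]
    return None


def getgrnam_merge(name, sources):
    """Proposed behaviour: union the member lists of same-gid entries."""
    merged = None
    for src in sources:
        g = src.get(name)
        if g is None:
            continue
        if merged is None:
            merged = Group(g.name, g.gid, g.members)
        elif g.gid == merged.gid:
            extra = tuple(m for m in g.members if m not in merged.members)
            merged = Group(merged.name, merged.gid, merged.members + extra)
    return merged


def user_in_wheel(user, lookup):
    """What sudoers/polkit effectively ask: is 'user' a member of wheel?"""
    g = lookup("wheel", [FILES, SSS])
    return g is not None and user in g.members
```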


Re: [Freeipa-users] substitute local system groups by ipa groups

2015-10-14 Thread Rob Crittenden
Natxo Asenjo wrote:
> hi,
> 
> On Wed, Oct 14, 2015 at 8:35 PM, Rob Crittenden wrote:
> 
> Natxo Asenjo wrote:
> > hi,
> >
> > can you do something like this?
> >
> > ipa group-add wheel --gid=10
> >
> > to substitute the local group wheel? Of course nsswitch.conf indicates
> > local groups get found first ( group: files sss) but, would it work and
> > is it supported?
> 
> What is it you expect or desire to happen in this case?
> 
> 
> sorry, I thought it was obvious. To create a wheel ipa group. Members of
> this group are automatically 'root'  in sudoers in plenty of
> distributions ( centos 7, just tested):
> 
> ## Allows people in group wheel to run all commands
> %wheel  ALL=(ALL)   ALL
> 
> and in policykit I see this as well:
> 
> # cat 50-default.rules
> /* -*- mode: js; js-indent-level: 4; indent-tabs-mode: nil -*- */
> 
> // DO NOT EDIT THIS FILE, it will be overwritten on update
> //
> // Default rules for polkit
> //
> // See the polkit(8) man page for more information
> // about configuring polkit.
> 
> polkit.addAdminRule(function(action, subject) {
> return ["unix-group:wheel"];
> });
> 
> 
> So there is already an existing infrastructure for the wheel group that
> is waiting to be used ;-)
> 
> Hopefully this makes it clear.

Ok, that's what I thought, didn't want to assume. It is my understanding
that nss returns the first match it finds, in this case the system-local
wheel group. There is no merging in SSSD AFAIK.

rob



Re: [Freeipa-users] substitute local system groups by ipa groups

2015-10-14 Thread Natxo Asenjo
hi,

On Wed, Oct 14, 2015 at 8:35 PM, Rob Crittenden wrote:

> Natxo Asenjo wrote:
> > hi,
> >
> > can you do something like this?
> >
> > ipa group-add wheel --gid=10
> >
> > to substitute the local group wheel? Of course nsswitch.conf indicates
> > local groups get found first ( group: files sss) but, would it work and
> > is it supported?
>
> What is it you expect or desire to happen in this case?
>

sorry, I thought it was obvious. To create a wheel ipa group. Members of
this group are automatically 'root'  in sudoers in plenty of distributions
( centos 7, just tested):

## Allows people in group wheel to run all commands
%wheel  ALL=(ALL)   ALL

and in policykit I see this as well:

# cat 50-default.rules
/* -*- mode: js; js-indent-level: 4; indent-tabs-mode: nil -*- */

// DO NOT EDIT THIS FILE, it will be overwritten on update
//
// Default rules for polkit
//
// See the polkit(8) man page for more information
// about configuring polkit.

polkit.addAdminRule(function(action, subject) {
return ["unix-group:wheel"];
});


So there is already an existing infrastructure for the wheel group that is
waiting to be used ;-)

Hopefully this makes it clear.

-- 
regards,
natxo


-- 
--
Groeten,
natxo

[Freeipa-users] How to config automembership for IP or subnet

2015-10-14 Thread zhiyong xue
The document said we can create an automembership rule based on IP or subnet.
But there isn't any sample of it. Does anyone know how to create them?

I have two subnets and need to create two host groups for them. And all
host names were auto-generated without any pattern.

Thanks all.

Re: [Freeipa-users] Cleanly removing replication agreement

2015-10-14 Thread Mark Reynolds



On 10/14/2015 04:55 AM, Dominik Korittki wrote:
[11/Oct/2015:17:17:53 +0200] NSMMReplicationPlugin - 
agmt="cn=meToipa01.internal" (ipa01:389): Replication bind with GSSAPI 
auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: 
GSSAPI Error: Unspecified GSS failure.  Minor code may provide more 
information (No Kerberos credentials available))
[11/Oct/2015:17:17:56 +0200] NSMMReplicationPlugin - 
agmt="cn=meToipa01.internal" (ipa01:389): *Replication bind with 
GSSAPI auth resumed* 
This last line implies that replication authentication finally did 
succeed - so replication should be working.



[Freeipa-users] How to install freeIPA client to many VMs?

2015-10-14 Thread zhiyong xue
There are lots of VMs created from Openstack in our environment. And we
need to install the IPA client on them. I want to create a base image which
has the IPA client installed, and generate VMs from this image.

When the VM first boots it will auto-register to the IPA server. But the VM's
host name has no domain (not a FQDN) and fails to register.

What's the right approach to install the IPA client for VMs which are cloned
from a base image?

Thanks,
-- Brave

[Freeipa-users] nsslapd-dbcachesize and database size

2015-10-14 Thread Andrew E. Bruno
The load average on our freeipa replicas started to spike over the
last few days and we narrowed it down to a dbcache issue. Following the
guidelines here: https://github.com/richm/scripts/wiki/dbmon.sh

We saw that the dbcachefree was 2.0% which indicates a lot of page
churn. Sure enough our nsslapd-dbcachesize was set to 2G and the size of
our database and index files was 3.1G: 

$ du -sh /var/lib/dirsrv/slapd-[domain]/db/
3.1G

Once we increased nsslapd-dbcachesize to 6G load average went back to
normal and query response times improved. Interestingly, when we
restarted the dirsrv process the database size went down to 1.7G

$ du -sh /var/lib/dirsrv/slapd-[domain]/db/
1.7G

When we initially deployed freeipa, the size of our database and indexes
was about 400M which is why we set nsslapd-dbcachesize to 2G. 

A few questions:

1. What causes the increase in size of
/var/lib/dirsrv/slapd-[domain]/db/*  and should we periodically clean up?

2. How do you tune nsslapd-dbcachesize to account for this growth? The
dbmon.sh wiki suggests a 12% overhead but our db files and indexes seem
to grow much larger? 

We're running: 
- ipa-server-4.1.0-18.el7.centos.4.x86_64 and
- 389-ds-base-1.3.3.1-20.el7_1.x86_64

Thanks,

--Andrew



Re: [Freeipa-users] nsslapd-dbcachesize and database size

2015-10-14 Thread Rich Megginson

On 10/14/2015 07:09 AM, Andrew E. Bruno wrote:

The load average on our freeipa replicas started to spike over the
last few days and we narrowed it down to a dbcache issue. Following the
guidelines here: https://github.com/richm/scripts/wiki/dbmon.sh

We saw that the dbcachefree was 2.0% which indicates a lot of page
churn. Sure enough our nsslapd-dbcachesize was set to 2G and the size of
our database and index files was 3.1G:

$ du -sh /var/lib/dirsrv/slapd-[domain]/db/
3.1G

Once we increased nsslapd-dbcachesize to 6G load average went back to
normal and query response times improved. Interestingly, when we
restarted the dirsrv process the database size went down to 1.7G

$ du -sh /var/lib/dirsrv/slapd-[domain]/db/
1.7G

When we initially deployed freeipa, the size of our database and indexes
was about 400M which is why we set nsslapd-dbcachesize to 2G.


What about your cachememsize?



A few questions:

1. What causes the increase in size of
/var/lib/dirsrv/slapd-[domain]/db/*  and should we periodically clean up?


Replication metadata accounts for some of this.  Fragmentation accounts 
for some of this.  You can periodically clean up, but you shouldn't have 
to.  The growth should eventually hit a plateau.




2. How do you tune nsslapd-dbcachesize to account for this growth? The
dbmon.sh wiki suggests a 12% overhead but our db files and indexes seem
to grow much larger?


12% is sort of a starting point.  There isn't a good way to tell how to 
account for replication metadata, fragmentation, etc.  Just monitor 
periodically and adjust as needed.




We're running:
- ipa-server-4.1.0-18.el7.centos.4.x86_64 and
- 389-ds-base-1.3.3.1-20.el7_1.x86_64

Thanks,

--Andrew



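The "monitor periodically and adjust" advice above, worked through as an added example (not code from the thread or from dbmon.sh): it derives the dbcache free ratio that dbmon.sh reports from a constructed cn=monitor entry sized like Andrew's (2G cache, almost all pages in use), and applies the 12% rule of thumb to a db/ directory size. The attribute names are assumed to be what the ldbm monitor entry exposes on this 389-ds version; confirm them with ldapsearch before alerting on them.

```python
# Constructed sample: an ldapsearch of the ldbm database monitor entry.
# Values are chosen so the cache is ~2.0% free, as in the thread.
SAMPLE_MONITOR = """\
dn: cn=monitor,cn=ldbm database,cn=plugins,cn=config
nsslapd-db-cache-size-bytes: 2147483648
nsslapd-db-page-size: 8192
nsslapd-db-pages-in-use: 256902
nsslapd-db-cache-hit: 9800000
nsslapd-db-cache-try: 10000000
"""


def parse_ldif_ints(ldif):
    """Return {attribute: int} for every numeric 'attr: value' line."""
    out = {}
    for line in ldif.splitlines():
        if ":" not in line or line.startswith("dn:"):
            continue
        attr, _, value = line.partition(":")
        value = value.strip()
        if value.isdigit():
            out[attr.strip().lower()] = int(value)
    return out


def dbcache_stats(monitor):
    """Free bytes, free ratio and hit ratio, computed as dbmon.sh presents them
    (assumed attribute names: cache size in bytes, page size, pages in use)."""
    size = monitor["nsslapd-db-cache-size-bytes"]
    used = monitor["nsslapd-db-pages-in-use"] * monitor["nsslapd-db-page-size"]
    free = max(size - used, 0)
    tries = monitor["nsslapd-db-cache-try"]
    return {
        "dbcachefree_bytes": free,
        "dbcachefree_ratio": free / size if size else 0.0,
        "dbcachehit_ratio": monitor["nsslapd-db-cache-hit"] / tries if tries else 0.0,
    }


def cache_is_starved(stats, min_free_ratio=0.15):
    """Flag page churn; the 15% floor is a constructed example threshold."""
    return stats["dbcachefree_ratio"] < min_free_ratio


def recommend_dbcachesize(db_dir_bytes, overhead_pct=12):
    """dbmon.sh's starting point: size of db/ plus ~12% overhead (integer math)."""
    return db_dir_bytes + db_dir_bytes * overhead_pct // 100
```

Feed the function real numbers by piping `ldapsearch -LLL -b "cn=monitor,cn=ldbm database,cn=plugins,cn=config"` output into `parse_ldif_ints`, then re-check after restarts, since the on-disk size (3.1G vs 1.7G above) is not the cache working set.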