[Freeipa-users] One kerberos realm, two dns zones and SSHFP records
Hi Everyone,

I'm using a fully updated CentOS 7.3 environment for two IPA servers. I have one Kerberos realm, one DNS zone with the same name as the Kerberos realm and another DNS zone with a different name. DNS is managed by IPA. For the sake of this message:

realm: REALM.IPA
dnszone1: realm.ipa
dnszone2: random.ipa

When I join a server that's going into the realm.ipa DNS zone to the IPA domain, SSHFP records for that server get automatically created in realm.ipa. But when I do the same for a server going into the random.ipa DNS zone, the SSHFP records aren't automatically created. I have to add the SSHFP records manually after the client install completes.

Why are SSHFP records not added automatically for the second DNS zone and how can I fix this situation?

Thanks in advance.

-- 
Ranbir

-- 
Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
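The manual step the post describes, as an added example that is not part of the original post and not FreeIPA's own code: derive the SSHFP records for a host from its OpenSSH public key lines the way `ssh-keygen -r` does (SHA-1 and SHA-256 fingerprints over the raw key blob), then render the `ipa dnsrecord-add` invocations that publish them in the second zone. The key line is constructed in the block and is not a real host key; the zone `random.ipa` and host name `host` are placeholders from the post; the option names `--sshfp-algorithm`, `--sshfp-fp-type` and `--sshfp-fingerprint` are the structured SSHFP options of `ipa dnsrecord-add` as I know them, so confirm them against `ipa dnsrecord-add --help` on your version.

```python
import base64
import hashlib
import struct

# SSHFP algorithm numbers keyed by OpenSSH key type:
# 1 RSA, 2 DSA (RFC 4255), 3 ECDSA (RFC 6594), 4 Ed25519 (RFC 7479).
SSHFP_ALGORITHM = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}

# SSHFP fingerprint types: 1 = SHA-1 (RFC 4255), 2 = SHA-256 (RFC 6594).
SSHFP_FP_TYPE = {1: hashlib.sha1, 2: hashlib.sha256}


def sshfp_records(pubkey_line):
    """Return [(algorithm, fp_type, hex_fingerprint), ...] for one OpenSSH
    public key line (the format of /etc/ssh/ssh_host_*_key.pub).

    The fingerprint is the hash of the raw wire-format key blob, i.e. the
    base64 payload decoded, which is exactly what ssh-keygen -r hashes.
    """
    fields = pubkey_line.split()
    if len(fields) < 2:
        raise ValueError("not an OpenSSH public key line")
    key_type, b64blob = fields[0], fields[1]
    if key_type not in SSHFP_ALGORITHM:
        raise ValueError("unsupported key type for SSHFP: %s" % key_type)
    blob = base64.b64decode(b64blob)
    # The wire blob starts with its own key type as a length-prefixed string;
    # refuse lines whose declared type and blob disagree.
    (tlen,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + tlen].decode("ascii", "replace") != key_type:
        raise ValueError("key blob does not match declared type %s" % key_type)
    algo = SSHFP_ALGORITHM[key_type]
    return [(algo, fp_type, h(blob).hexdigest())
            for fp_type, h in sorted(SSHFP_FP_TYPE.items())]


def ipa_commands(zone, hostname, pubkey_lines):
    """Render one 'ipa dnsrecord-add' per SSHFP record for host <hostname>
    in DNS zone <zone>. Option names are assumed; check --help."""
    cmds = []
    for line in pubkey_lines:
        for algo, fp_type, fp in sshfp_records(line):
            cmds.append(
                "ipa dnsrecord-add %s %s --sshfp-algorithm=%d "
                "--sshfp-fp-type=%d --sshfp-fingerprint=%s"
                % (zone, hostname, algo, fp_type, fp))
    return cmds


def constructed_ed25519_pubkey():
    """Build a syntactically valid ssh-ed25519 public key line from a
    constructed, non-random 32-byte value. This is NOT a real host key;
    it exists only so the example runs offline."""
    key_type = b"ssh-ed25519"
    fake_pub = bytes(range(32))
    blob = (struct.pack(">I", len(key_type)) + key_type
            + struct.pack(">I", len(fake_pub)) + fake_pub)
    return "ssh-ed25519 %s root@host.random.ipa" % base64.b64encode(blob).decode()


if __name__ == "__main__":
    # On a real client you would read /etc/ssh/ssh_host_*_key.pub instead.
    for cmd in ipa_commands("random.ipa", "host", [constructed_ed25519_pubkey()]):
        print(cmd)
```

The hex fingerprints this prints for a real host key should match `ssh-keygen -r host -f /etc/ssh/ssh_host_ed25519_key.pub` line for line; comparing the two before running the `ipa dnsrecord-add` commands is the cheap check that you are publishing the right key. SSHFP only helps clients that set `VerifyHostKeyDNS` and get a DNSSEC-validated answer, so the zone holding the records needs to be signed for the records to carry any trust.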
[Freeipa-users] FreeIPA domains and sub-domains
Hi Everyone!

If I have two networks, say A and B, and I want both to use the same FreeIPA server, should I have one FreeIPA domain for network A and a sub-domain for network B (domain.local and b.domain.local), or should I create two top level domains (a.local and b.local)? What's the recommended way to do this?

-- 
Ranbir
Re: [Freeipa-users] Any recent guides for Postfix and IPA integration?
On Mon, 2015-12-14 at 13:51 -0500, Simo Sorce wrote:
> There are a few ways to go about it.
>
> another way is to use a custom subtree + schema to store these emails
> only.
>
> It really depends on what kind of tools you want to use to manage the
> information too.

I ended up creating normal users, set passwords for those that needed them (some are public shared IMAP folders and so don't need passwords) and set all of their shells to /sbin/nologin. None of them have the right to ssh, gdm, etc.

The thought of creating a custom schema, OIDs and whatnot sent me into fits. FreeIPA is supposed to make my life easier, not harder, so I took the simpler route. In a different setting a custom schema would be warranted.

-- 
Ranbir
Re: [Freeipa-users] Any recent guides for Postfix and IPA integration?
On Sun, 2015-12-13 at 21:56 +0100, Natxo Asenjo wrote:
> so what have you tried?

A number of things. However, I've been able to get past the SASL GSSAPI error I was seeing in Postfix. Now I've run into another issue, though I don't think it's related to FreeIPA. I'm going to post what I did once I have a working setup.

In the meantime, I have other questions. How would one handle an email-only user in FreeIPA? I have mail accounts that aren't attached to a real person and yet I need the "user" to exist in FreeIPA.

-- 
Ranbir
Re: [Freeipa-users] Any recent guides for Postfix and IPA integration?
On Mon, 2015-12-14 at 11:30 -0500, Ranbir wrote:
> How would one handle an email only user in freeipa? I have mail
> accounts that aren't attached to a real person and yet I need the
> "user" to exist in freeipa.

Should I just create a normal user account, set the password and mail and disable logins?

-- 
Ranbir
Re: [Freeipa-users] Any recent guides for Postfix and IPA integration?
On Fri, 2015-12-11 at 22:13 +0100, Natxo Asenjo wrote:
> what exactly do you want to achieve? 'Integrate' could mean a couple
> of things, so please specify.

Ya, that was lame. Let me elaborate.

I have a postfix server and a dovecot server: both are running in separate KVMs. They're on different subnets and they have a firewall in between. I've opened up ports to allow them to talk to each other because the postfix server is using dovecot for SMTP auth and LMTP for mail delivery. The dovecot users are in a password file. At the moment, my mail setup is working perfectly.

I have a master IPA server on the same network as the dovecot box. There's a replica IPA server on the postfix server's network. Both servers are joined to the IPA domain although they are in different DNS domains (which doesn't really matter here, I guess).

I would like to move postfix and dovecot to use IPA for SASL auth and for managing the virtual mailboxes. I have a good idea of how this is all supposed to work together. What I need are the actual steps to get it done.

-- 
Ranbir
[Freeipa-users] Any recent guides for Postfix and IPA integration?
Hi All,

I want to integrate my Postfix server with IPA. I've found a couple of documents on how this can be done, but they don't accomplish the feat the same way (they're also not discussing the exact same end goal). I'm left wondering how exactly to integrate IPA and Postfix.

For reference:

https://www.dalemacartney.com/2013/03/14/deploying-postfix-with-ldap-freeipa-virtual-aliases-and-kerberos-authentication/
http://www.freeipa.org/page/%28DRAFT%29_HA_mail_services_with_FreeIPA,_postfix,_dovecot,_amavisd-new,_clamd_and_PLAIN/GSSAPI_SSO

Is there anything more recent out there, or are the above two docs still good enough/applicable to IPA and postfix servers running on CentOS 7?

Thanks in advance.

-- 
Ranbir
[Freeipa-users] Add "mkhomedir" after install
Hello Everyone,

I installed a replica without passing the "mkhomedir" option to the install command. Sure enough, when I log in to the replica, my home dir isn't created. I _could_ create it manually, but it would be nice if the first login triggered the creation.

I've been trying to find an answer to this on my own, but so far I've had no luck.

Thanks in advance!

-- 
Ranbir
Re: [Freeipa-users] Add "mkhomedir" after install
On 2015-12-09 14:01, Craig White wrote:
> You can enable it at any time...
>
> authconfig --enablemkhomedir --update

Crap! I didn't even consider doing it that way. For some reason I thought there was some ipa command I had to run. The ipa install does this too, I guess. :)

Thanks for the pointer and for jogging my memory.

-- 
Ranbir
[Freeipa-users] IP error when creating a replica
Hello Everyone,

I'm using IPA on a CentOS 7 box at home (because why not?). I'm running into a problem which so far has stumped me.

The host running the IPA master is on the protected LAN subnet (let's call it 1.1.1.1). The replica I'm now trying to set up is running in the "dmz" subnet (this one can be 2.2.2.2). I've opened the required ports between them so they can communicate.

When I do the replica install, everything appears to run along smoothly until this happens:

[snip]
Connection from master to replica is OK.
ipa : DEBUG Process finished, return code=0
Connection check OK
ipa : DEBUG Starting external process
ipa : DEBUG args='/sbin/ip' '-family' 'inet' '-oneline' 'address' 'show'
ipa : DEBUG Process finished, return code=0
ipa : DEBUG stdout=1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
2: eth0    inet 2.2.2.2/32 brd 2.2.2.2 scope global eth0\       valid_lft forever preferred_lft forever
ipa : DEBUG stderr=
ipa : WARNING Invalid IP address 2.2.2.2 for ipa02.thedmzsubnet.dmz: cannot use IP network address
Enter the IP address to use, or press Enter to finish.
Please provide the IP address to be used for this host name:
[snip]

Why is this happening? DNS appears to be ok. The replica has the hostname and IP pair in /etc/hosts. The replica is also using the master as its DNS server.

Any help is appreciated.

-- 
Ranbir
Re: [Freeipa-users] IP error when creating a replica
On Mon, 2015-12-07 at 19:39 +0100, Martin Basti wrote:
> IMO 2.2.2.2/32 is why installation is failing, it should be something
> 2.2.2.2/24, please try to reconfigure your network interface.

Wow, I can't believe I missed the /32. I don't know _why_ the netmask was set to /32, but after changing it to /24 (which is what I thought it was), the replica install completed successfully.

Thanks for pointing it out, Martin!

-- 
Ranbir
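The failure mode in this thread, as an added example that is not part of the original posts and not FreeIPA's installer code: a check of the kind an installer applies before it publishes a host address in DNS, which rejects the network and broadcast addresses of the interface's subnet. With a /32 prefix the subnet holds a single address, so the host's own address is simultaneously the network address and the broadcast address and can never pass, which is what `2.2.2.2/32 brd 2.2.2.2` produces; with /24 the same address is an ordinary host address. The `ip -oneline` sample text is constructed to match the lines quoted in the post, and `check_host_address` and `parse_ip_oneline` are names of this example only.

```python
import ipaddress

# Constructed sample of 'ip -family inet -oneline address show' output,
# shaped like the two lines quoted in the post (not captured from a host).
SAMPLE_IP_OUTPUT = (
    "1: lo    inet 127.0.0.1/8 scope host lo\\       "
    "valid_lft forever preferred_lft forever\n"
    "2: eth0    inet 2.2.2.2/32 brd 2.2.2.2 scope global eth0\\       "
    "valid_lft forever preferred_lft forever\n"
)


def check_host_address(cidr):
    """Classify an interface address written as 'addr/prefix'.

    Returns (ok, reason). A host must not sit on the network address or
    the broadcast address of its subnet. For a /32 both coincide with the
    address itself, so any /32 fails; note that a /31 point-to-point link
    (RFC 3021) is also rejected by this rule, which is a known limitation
    of checks of this shape.
    """
    iface = ipaddress.ip_interface(cidr)
    addr, net = iface.ip, iface.network
    if addr == net.network_address:
        return False, "cannot use IP network address %s (prefix /%d)" % (addr, net.prefixlen)
    if addr == net.broadcast_address:
        return False, "cannot use broadcast address %s (prefix /%d)" % (addr, net.prefixlen)
    return True, "usable host address %s in %s" % (addr, net)


def parse_ip_oneline(output):
    """Pull every non-loopback 'addr/prefix' out of 'ip -oneline address show'
    output and run check_host_address on it. Returns {ifname: (ok, reason)}.

    -oneline format is '<idx>: <ifname>    inet <addr/prefix> ...', so the
    address is always the fourth whitespace-separated field.
    """
    results = {}
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[2] != "inet":
            continue
        ifname, cidr = fields[1], fields[3]
        if ipaddress.ip_interface(cidr).ip.is_loopback:
            continue
        results[ifname] = check_host_address(cidr)
    return results


if __name__ == "__main__":
    for ifname, (ok, reason) in parse_ip_oneline(SAMPLE_IP_OUTPUT).items():
        print("%s: %s: %s" % (ifname, "OK" if ok else "INVALID", reason))
    # The same address with the intended prefix passes.
    print("eth0 after fixing the prefix:", check_host_address("2.2.2.2/24"))
```

Running this against the live output of `ip -family inet -oneline address show` on a replica before `ipa-replica-install` tells you in advance whether the installer's address probe will trip, and which prefix length is wrong, without having to read the DEBUG log after the fact.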
[Freeipa-users] Can I change an IPA client's IP without re-enrolling it?
Hi Everyone,

The subject says it all. I'm using IPA in CentOS 6. I know for a hostname change on a client, I'd have to uninstall the IPA client, change the hostname, and then reinstall it. But, I don't know if that holds true for IPs. Would a simple IP change require the uninstall/change/install steps?

Regards,

Ranbir

-- 
Kanwar Ranbir Sandhu
Linux 3.7.9-101.fc17.x86_64 x86_64 GNU/Linux
16:38:17 up 1 day, 22:46, 5 users, load average: 0.67, 0.42, 0.34