Re: [Freeipa-users] IPA 4.1.0 in RHEL 7.1
On 03/12/2015 01:46 PM, Martin Kosek wrote: > On 03/12/2015 07:24 PM, Erinn Looney-Triggs wrote: >> On 03/12/2015 02:10 AM, Jan Cholasta wrote: >>> Dne 12.3.2015 v 08:25 Martin Kosek napsal(a): On 03/11/2015 09:05 PM, Dmitri Pal wrote: > On 03/11/2015 03:15 PM, Erinn Looney-Triggs wrote: ... >> Third, there appears to be a behavior change from in ipalib. >> I cleaned up a little inventory script for ansible, you can >> take a look at it here: >> https://github.com/ansible/ansible/blob/devel/plugins/inventory/freeipa.py >> >> >> >> >> >> Before RHEL 7.1 the call to api.Command.hostgroup_find()['result'] >> on line 30 worked, now it fails: >> >> Traceback (most recent call last): File "./freeipa.py", line >> 133, in list_groups(api) File "./freeipa.py", line >> 71, in list_groups result = >> api.Command.host_find()['result'] File >> "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line >> 439, in __call__ ret = self.run(*args, **options) File >> "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line >> 755, in run return self.forward(*args, **options) File >> "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line >> 776, in forward return >> self.Backend.rpcclient.forward(self.name, *args, **kw) File >> "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 880, >> in forward command = getattr(self.conn, name) File >> "/usr/lib/python2.7/site-packages/ipalib/backend.py", line >> 97, in __get_conn self.id, >> threading.currentThread().getName()) AttributeError: no >> context.rpcclient in thread 'MainThread' >> >> Is this expected? Is this a regression? > > Some things changed. I would leave for developers to take a > look and provide more guidance. Erinn, it may help us if you share the whole sequence how you bootstrap and authenticatoin the API. Honza, was there any related change causing ^^^? >>> >>> https://fedorahosted.org/freeipa/ticket/3299 >>> >>> There is api.Backend.xmlclient.connect() in the code, but JSON-RPC >>> is now used by default. This can be fixed by calling >>> api.Backend.rpcclient.connect() instead. >>> >> >> Thanks, is this backwards compatible? Or will I need to run a check >> for the IPA version? > > Unfortunately, I do not think this is backwards compatible. I would > suggest compatibility code like: > > try: > client = api.Backend.rpcclient > except AttributeError: > # Compatibility with FreeIPA < 4.0 > client = api.Backend.xmlclient > > client.connect() > > Sorry for inconvenience. > > Martin That's fine, it happens, thanks for all the information. -Erinn -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] IPA 4.1.0 in RHEL 7.1
On 03/12/2015 07:24 PM, Erinn Looney-Triggs wrote: On 03/12/2015 02:10 AM, Jan Cholasta wrote: Dne 12.3.2015 v 08:25 Martin Kosek napsal(a): On 03/11/2015 09:05 PM, Dmitri Pal wrote: On 03/11/2015 03:15 PM, Erinn Looney-Triggs wrote: ... Third, there appears to be a behavior change from in ipalib. I cleaned up a little inventory script for ansible, you can take a look at it here: https://github.com/ansible/ansible/blob/devel/plugins/inventory/freeipa.py Before RHEL 7.1 the call to api.Command.hostgroup_find()['result'] on line 30 worked, now it fails: Traceback (most recent call last): File "./freeipa.py", line 133, in list_groups(api) File "./freeipa.py", line 71, in list_groups result = api.Command.host_find()['result'] File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 439, in __call__ ret = self.run(*args, **options) File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 755, in run return self.forward(*args, **options) File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 776, in forward return self.Backend.rpcclient.forward(self.name, *args, **kw) File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 880, in forward command = getattr(self.conn, name) File "/usr/lib/python2.7/site-packages/ipalib/backend.py", line 97, in __get_conn self.id, threading.currentThread().getName()) AttributeError: no context.rpcclient in thread 'MainThread' Is this expected? Is this a regression? Some things changed. I would leave for developers to take a look and provide more guidance. Erinn, it may help us if you share the whole sequence how you bootstrap and authenticatoin the API. Honza, was there any related change causing ^^^? https://fedorahosted.org/freeipa/ticket/3299 There is api.Backend.xmlclient.connect() in the code, but JSON-RPC is now used by default. This can be fixed by calling api.Backend.rpcclient.connect() instead. Thanks, is this backwards compatible? Or will I need to run a check for the IPA version? Unfortunately, I do not think this is backwards compatible. I would suggest compatibility code like: try: client = api.Backend.rpcclient except AttributeError: # Compatibility with FreeIPA < 4.0 client = api.Backend.xmlclient client.connect() Sorry for inconvenience. Martin -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] IPA 4.1.0 in RHEL 7.1
On 03/12/2015 02:10 AM, Jan Cholasta wrote: > Dne 12.3.2015 v 08:25 Martin Kosek napsal(a): >> On 03/11/2015 09:05 PM, Dmitri Pal wrote: >>> On 03/11/2015 03:15 PM, Erinn Looney-Triggs wrote: >> ... Third, there appears to be a behavior change from in ipalib. I cleaned up a little inventory script for ansible, you can take a look at it here: https://github.com/ansible/ansible/blob/devel/plugins/inventory/freeipa.py Before RHEL 7.1 the call to api.Command.hostgroup_find()['result'] on line 30 worked, now it fails: Traceback (most recent call last): File "./freeipa.py", line 133, in list_groups(api) File "./freeipa.py", line 71, in list_groups result = api.Command.host_find()['result'] File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 439, in __call__ ret = self.run(*args, **options) File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 755, in run return self.forward(*args, **options) File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 776, in forward return self.Backend.rpcclient.forward(self.name, *args, **kw) File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 880, in forward command = getattr(self.conn, name) File "/usr/lib/python2.7/site-packages/ipalib/backend.py", line 97, in __get_conn self.id, threading.currentThread().getName()) AttributeError: no context.rpcclient in thread 'MainThread' Is this expected? Is this a regression? >>> >>> Some things changed. I would leave for developers to take a >>> look and provide more guidance. >> >> Erinn, it may help us if you share the whole sequence how you >> bootstrap and authenticatoin the API. Honza, was there any >> related change causing ^^^? >> > > https://fedorahosted.org/freeipa/ticket/3299 > > There is api.Backend.xmlclient.connect() in the code, but JSON-RPC > is now used by default. This can be fixed by calling > api.Backend.rpcclient.connect() instead. > Thanks, is this backwards compatible? Or will I need to run a check for the IPA version? -Erinn -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] IPA 4.1.0 in RHEL 7.1
On 12/03/15 08:30, Martin Kosek wrote: On 03/12/2015 12:17 AM, Dmitri Pal wrote: On 03/11/2015 04:37 PM, Steven Jones wrote: == [root@vuwunicoipam004 ipa-certs]# ipa-replica-install --setup-dns --forwarder=10.100.32.31 -U replica-info-vuwunicoipam004.ods.vuw.ac.nz.gpg --skip-conncheck Checking forwarders, please wait ... WARNING: DNS forwarder 10.100.32.31 does not return DNSSEC signatures in answers Please fix forwarder configuration to enable DNSSEC support. (For BIND 9 add directive "dnssec-enable yes;" to "options {}") WARNING: DNSSEC validation will be disabled == The AD server is a win2k12r2. Thanks, I will follow up. As Dmitri said, all automatic DNSSEC key handling did not make the cut in RHEL-7.1. If you want to test DNSSEC, you are very welcome, but you would be left with manual configuration as described in upstream article: http://www.freeipa.org/page/Releases/4.0.0#Experimental_DNSSEC_Support We, however, still left this error message to make users and customers aware that their name server is not ready even for manual DNSSEC. However, I did a short research, and win2k12r2 should already support DNSSEC. Maybe the support needs to be enabled. What DNS server do you have in /etc/resolv.conf? IPA DNS server + configured DNS forward zone or do you have there AD IP address directly? Martin Basti (CCed) recently found an issue with this check and DNS forwarders IIRC. Hello, IPA tests forwarders, if they are able to return signed root zone. It is not issue with test itself, we always found a misconfiguration on a forwarder side. The issue is warning message, because problems reported as DNSSEC failure usually have different root cause (which also prevent to use DNSSEC). We plan to make this validation more specific, to report correct issues. This check happens only for global forwarders. IPA automatically disable DNSSEC validation during installation, if any of configured global forwarders are not DNSSEC capable. With enabled DNSSEC validation, DNS server may drop unsigned responses from forwarder. Martin -- Martin Basti -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] IPA 4.1.0 in RHEL 7.1
Dne 12.3.2015 v 08:25 Martin Kosek napsal(a): On 03/11/2015 09:05 PM, Dmitri Pal wrote: On 03/11/2015 03:15 PM, Erinn Looney-Triggs wrote: ... Third, there appears to be a behavior change from in ipalib. I cleaned up a little inventory script for ansible, you can take a look at it here: https://github.com/ansible/ansible/blob/devel/plugins/inventory/freeipa.py Before RHEL 7.1 the call to api.Command.hostgroup_find()['result'] on line 30 worked, now it fails: Traceback (most recent call last): File "./freeipa.py", line 133, in list_groups(api) File "./freeipa.py", line 71, in list_groups result = api.Command.host_find()['result'] File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 439, in __call__ ret = self.run(*args, **options) File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 755, in run return self.forward(*args, **options) File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 776, in forward return self.Backend.rpcclient.forward(self.name, *args, **kw) File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 880, in forward command = getattr(self.conn, name) File "/usr/lib/python2.7/site-packages/ipalib/backend.py", line 97, in __get_conn self.id, threading.currentThread().getName()) AttributeError: no context.rpcclient in thread 'MainThread' Is this expected? Is this a regression? Some things changed. I would leave for developers to take a look and provide more guidance. Erinn, it may help us if you share the whole sequence how you bootstrap and authenticatoin the API. Honza, was there any related change causing ^^^? https://fedorahosted.org/freeipa/ticket/3299 There is api.Backend.xmlclient.connect() in the code, but JSON-RPC is now used by default. This can be fixed by calling api.Backend.rpcclient.connect() instead. -- Jan Cholasta -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] IPA 4.1.0 in RHEL 7.1
On 03/12/2015 12:17 AM, Dmitri Pal wrote: > On 03/11/2015 04:37 PM, Steven Jones wrote: >> == >> [root@vuwunicoipam004 ipa-certs]# ipa-replica-install --setup-dns >> --forwarder=10.100.32.31 -U replica-info-vuwunicoipam004.ods.vuw.ac.nz.gpg >> --skip-conncheck >> Checking forwarders, please wait ... >> WARNING: DNS forwarder 10.100.32.31 does not return DNSSEC signatures in >> answers >> Please fix forwarder configuration to enable DNSSEC support. >> (For BIND 9 add directive "dnssec-enable yes;" to "options {}") >> WARNING: DNSSEC validation will be disabled >> == >> >> The AD server is a win2k12r2. > > Thanks, I will follow up. As Dmitri said, all automatic DNSSEC key handling did not make the cut in RHEL-7.1. If you want to test DNSSEC, you are very welcome, but you would be left with manual configuration as described in upstream article: http://www.freeipa.org/page/Releases/4.0.0#Experimental_DNSSEC_Support We, however, still left this error message to make users and customers aware that their name server is not ready even for manual DNSSEC. However, I did a short research, and win2k12r2 should already support DNSSEC. Maybe the support needs to be enabled. What DNS server do you have in /etc/resolv.conf? IPA DNS server + configured DNS forward zone or do you have there AD IP address directly? Martin Basti (CCed) recently found an issue with this check and DNS forwarders IIRC. -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] IPA 4.1.0 in RHEL 7.1
On 03/11/2015 09:05 PM, Dmitri Pal wrote: > On 03/11/2015 03:15 PM, Erinn Looney-Triggs wrote: ... >> Third, there appears to be a behavior change from in ipalib. I cleaned up a >> little inventory script for ansible, you can take a look at it here: >> https://github.com/ansible/ansible/blob/devel/plugins/inventory/freeipa.py >> >> Before RHEL 7.1 the call to api.Command.hostgroup_find()['result'] on line 30 >> worked, now it fails: >> >> Traceback (most recent call last): >>File "./freeipa.py", line 133, in >> list_groups(api) >>File "./freeipa.py", line 71, in list_groups >> result = api.Command.host_find()['result'] >>File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 439, in >> __call__ >> ret = self.run(*args, **options) >>File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 755, in >> run >> return self.forward(*args, **options) >>File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 776, in >> forward >> return self.Backend.rpcclient.forward(self.name, *args, **kw) >>File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 880, in >> forward >> command = getattr(self.conn, name) >>File "/usr/lib/python2.7/site-packages/ipalib/backend.py", line 97, in >> __get_conn >> self.id, threading.currentThread().getName()) >> AttributeError: no context.rpcclient in thread 'MainThread' >> >> Is this expected? Is this a regression? > > Some things changed. I would leave for developers to take a look and provide > more guidance. Erinn, it may help us if you share the whole sequence how you bootstrap and authenticatoin the API. Honza, was there any related change causing ^^^? -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] IPA 4.1.0 in RHEL 7.1
On 03/11/2015 04:37 PM, Steven Jones wrote: == [root@vuwunicoipam004 ipa-certs]# ipa-replica-install --setup-dns --forwarder=10.100.32.31 -U replica-info-vuwunicoipam004.ods.vuw.ac.nz.gpg --skip-conncheck Checking forwarders, please wait ... WARNING: DNS forwarder 10.100.32.31 does not return DNSSEC signatures in answers Please fix forwarder configuration to enable DNSSEC support. (For BIND 9 add directive "dnssec-enable yes;" to "options {}") WARNING: DNSSEC validation will be disabled == The AD server is a win2k12r2. Thanks, I will follow up. regards Steven From: freeipa-users-boun...@redhat.com on behalf of Dmitri Pal Sent: Thursday, 12 March 2015 9:07 a.m. To: freeipa-users@redhat.com Subject: Re: [Freeipa-users] IPA 4.1.0 in RHEL 7.1 On 03/11/2015 03:49 PM, Steven Jones wrote: Hi, When I try to join a 7.1 based replica to an existing setup and use an AD forwarder the command complains that the AD box isnt doing DNSSEC suggesting to me it is present in 7.1? Can you share the message that you get and what steps you take to get to that message? At the moment however I cant join a 7.1 based IPA server into a 6.6 based IPA cluster. Or a 7.1 client to IPA, to 6.6 for that matter, 7.0 works fine though. regards Steven From: freeipa-users-boun...@redhat.com on behalf of Erinn Looney-Triggs Sent: Thursday, 12 March 2015 8:15 a.m. To: freeipa-users@redhat.com Subject: [Freeipa-users] IPA 4.1.0 in RHEL 7.1 First off congratulations on getting this out. Love the new UI, all pretty and integrates well with the access.redhat.com UI. Second, did DNSSEC not make the chop? It looks like for FreeIPA DNSSEC was included in the 4.1.0 release, but near as I can tell it is not part of IPA 4.1.0 in RHEL 7.1. Third, there appears to be a behavior change from in ipalib. I cleaned up a little inventory script for ansible, you can take a look at it here: https://github.com/ansible/ansible/blob/devel/plugins/inventory/freeipa.py Before RHEL 7.1 the call to api.Command.hostgroup_find()['result'] on line 30 worked, now it fails: Traceback (most recent call last): File "./freeipa.py", line 133, in list_groups(api) File "./freeipa.py", line 71, in list_groups result = api.Command.host_find()['result'] File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 439, in __call__ ret = self.run(*args, **options) File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 755, in run return self.forward(*args, **options) File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 776, in forward return self.Backend.rpcclient.forward(self.name, *args, **kw) File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 880, in forward command = getattr(self.conn, name) File "/usr/lib/python2.7/site-packages/ipalib/backend.py", line 97, in __get_conn self.id, threading.currentThread().getName()) AttributeError: no context.rpcclient in thread 'MainThread' Is this expected? Is this a regression? Thanks again for your work. -Erinn -- Thank you, Dmitri Pal Sr. Engineering Manager IdM portfolio Red Hat, Inc. -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project -- Thank you, Dmitri Pal Sr. Engineering Manager IdM portfolio Red Hat, Inc. -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] IPA 4.1.0 in RHEL 7.1
== [root@vuwunicoipam004 ipa-certs]# ipa-replica-install --setup-dns --forwarder=10.100.32.31 -U replica-info-vuwunicoipam004.ods.vuw.ac.nz.gpg --skip-conncheck Checking forwarders, please wait ... WARNING: DNS forwarder 10.100.32.31 does not return DNSSEC signatures in answers Please fix forwarder configuration to enable DNSSEC support. (For BIND 9 add directive "dnssec-enable yes;" to "options {}") WARNING: DNSSEC validation will be disabled == The AD server is a win2k12r2. regards Steven From: freeipa-users-boun...@redhat.com on behalf of Dmitri Pal Sent: Thursday, 12 March 2015 9:07 a.m. To: freeipa-users@redhat.com Subject: Re: [Freeipa-users] IPA 4.1.0 in RHEL 7.1 On 03/11/2015 03:49 PM, Steven Jones wrote: > Hi, > > When I try to join a 7.1 based replica to an existing setup and use an AD > forwarder the command complains that the AD box isnt doing DNSSEC suggesting > to me it is present in 7.1? Can you share the message that you get and what steps you take to get to that message? > > At the moment however I cant join a 7.1 based IPA server into a 6.6 based IPA > cluster. Or a 7.1 client to IPA, to 6.6 for that matter, 7.0 works fine > though. > > > regards > > Steven > > > From: freeipa-users-boun...@redhat.com on > behalf of Erinn Looney-Triggs > Sent: Thursday, 12 March 2015 8:15 a.m. > To: freeipa-users@redhat.com > Subject: [Freeipa-users] IPA 4.1.0 in RHEL 7.1 > > First off congratulations on getting this out. Love the new UI, all pretty and > integrates well with the access.redhat.com UI. > > Second, did DNSSEC not make the chop? It looks like for FreeIPA DNSSEC was > included in the 4.1.0 release, but near as I can tell it is not part of IPA > 4.1.0 in RHEL 7.1. > > Third, there appears to be a behavior change from in ipalib. I cleaned up a > little inventory script for ansible, you can take a look at it here: > https://github.com/ansible/ansible/blob/devel/plugins/inventory/freeipa.py > > Before RHEL 7.1 the call to api.Command.hostgroup_find()['result'] on line 30 > worked, now it fails: > > Traceback (most recent call last): >File "./freeipa.py", line 133, in > list_groups(api) >File "./freeipa.py", line 71, in list_groups > result = api.Command.host_find()['result'] >File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 439, in > __call__ > ret = self.run(*args, **options) >File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 755, in > run > return self.forward(*args, **options) >File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 776, in > forward > return self.Backend.rpcclient.forward(self.name, *args, **kw) >File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 880, in forward > command = getattr(self.conn, name) >File "/usr/lib/python2.7/site-packages/ipalib/backend.py", line 97, in > __get_conn > self.id, threading.currentThread().getName()) > AttributeError: no context.rpcclient in thread 'MainThread' > > Is this expected? Is this a regression? > > Thanks again for your work. > > -Erinn > -- Thank you, Dmitri Pal Sr. Engineering Manager IdM portfolio Red Hat, Inc. -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] IPA 4.1.0 in RHEL 7.1
On 03/11/2015 03:15 PM, Erinn Looney-Triggs wrote: First off congratulations on getting this out. Love the new UI, all pretty and integrates well with the access.redhat.com UI. Thanks! Second, did DNSSEC not make the chop? It looks like for FreeIPA DNSSEC was included in the 4.1.0 release, but near as I can tell it is not part of IPA 4.1.0 in RHEL 7.1. It did not make the cut. The DNSSEC feature is not in RHEL7 yet. But we are working on making this happen. Third, there appears to be a behavior change from in ipalib. I cleaned up a little inventory script for ansible, you can take a look at it here: https://github.com/ansible/ansible/blob/devel/plugins/inventory/freeipa.py Before RHEL 7.1 the call to api.Command.hostgroup_find()['result'] on line 30 worked, now it fails: Traceback (most recent call last): File "./freeipa.py", line 133, in list_groups(api) File "./freeipa.py", line 71, in list_groups result = api.Command.host_find()['result'] File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 439, in __call__ ret = self.run(*args, **options) File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 755, in run return self.forward(*args, **options) File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 776, in forward return self.Backend.rpcclient.forward(self.name, *args, **kw) File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 880, in forward command = getattr(self.conn, name) File "/usr/lib/python2.7/site-packages/ipalib/backend.py", line 97, in __get_conn self.id, threading.currentThread().getName()) AttributeError: no context.rpcclient in thread 'MainThread' Is this expected? Is this a regression? Some things changed. I would leave for developers to take a look and provide more guidance. Thanks again for your work. -Erinn -- Thank you, Dmitri Pal Sr. Engineering Manager IdM portfolio Red Hat, Inc. -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] IPA 4.1.0 in RHEL 7.1
On 03/11/2015 03:49 PM, Steven Jones wrote: Hi, When I try to join a 7.1 based replica to an existing setup and use an AD forwarder the command complains that the AD box isnt doing DNSSEC suggesting to me it is present in 7.1? Can you share the message that you get and what steps you take to get to that message? At the moment however I cant join a 7.1 based IPA server into a 6.6 based IPA cluster. Or a 7.1 client to IPA, to 6.6 for that matter, 7.0 works fine though. regards Steven From: freeipa-users-boun...@redhat.com on behalf of Erinn Looney-Triggs Sent: Thursday, 12 March 2015 8:15 a.m. To: freeipa-users@redhat.com Subject: [Freeipa-users] IPA 4.1.0 in RHEL 7.1 First off congratulations on getting this out. Love the new UI, all pretty and integrates well with the access.redhat.com UI. Second, did DNSSEC not make the chop? It looks like for FreeIPA DNSSEC was included in the 4.1.0 release, but near as I can tell it is not part of IPA 4.1.0 in RHEL 7.1. Third, there appears to be a behavior change from in ipalib. I cleaned up a little inventory script for ansible, you can take a look at it here: https://github.com/ansible/ansible/blob/devel/plugins/inventory/freeipa.py Before RHEL 7.1 the call to api.Command.hostgroup_find()['result'] on line 30 worked, now it fails: Traceback (most recent call last): File "./freeipa.py", line 133, in list_groups(api) File "./freeipa.py", line 71, in list_groups result = api.Command.host_find()['result'] File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 439, in __call__ ret = self.run(*args, **options) File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 755, in run return self.forward(*args, **options) File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 776, in forward return self.Backend.rpcclient.forward(self.name, *args, **kw) File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 880, in forward command = getattr(self.conn, name) File "/usr/lib/python2.7/site-packages/ipalib/backend.py", line 97, in __get_conn self.id, threading.currentThread().getName()) AttributeError: no context.rpcclient in thread 'MainThread' Is this expected? Is this a regression? Thanks again for your work. -Erinn -- Thank you, Dmitri Pal Sr. Engineering Manager IdM portfolio Red Hat, Inc. -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] IPA 4.1.0 in RHEL 7.1
Hi, When I try to join a 7.1 based replica to an existing setup and use an AD forwarder the command complains that the AD box isnt doing DNSSEC suggesting to me it is present in 7.1? At the moment however I cant join a 7.1 based IPA server into a 6.6 based IPA cluster. Or a 7.1 client to IPA, to 6.6 for that matter, 7.0 works fine though. regards Steven From: freeipa-users-boun...@redhat.com on behalf of Erinn Looney-Triggs Sent: Thursday, 12 March 2015 8:15 a.m. To: freeipa-users@redhat.com Subject: [Freeipa-users] IPA 4.1.0 in RHEL 7.1 First off congratulations on getting this out. Love the new UI, all pretty and integrates well with the access.redhat.com UI. Second, did DNSSEC not make the chop? It looks like for FreeIPA DNSSEC was included in the 4.1.0 release, but near as I can tell it is not part of IPA 4.1.0 in RHEL 7.1. Third, there appears to be a behavior change from in ipalib. I cleaned up a little inventory script for ansible, you can take a look at it here: https://github.com/ansible/ansible/blob/devel/plugins/inventory/freeipa.py Before RHEL 7.1 the call to api.Command.hostgroup_find()['result'] on line 30 worked, now it fails: Traceback (most recent call last): File "./freeipa.py", line 133, in list_groups(api) File "./freeipa.py", line 71, in list_groups result = api.Command.host_find()['result'] File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 439, in __call__ ret = self.run(*args, **options) File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 755, in run return self.forward(*args, **options) File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 776, in forward return self.Backend.rpcclient.forward(self.name, *args, **kw) File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 880, in forward command = getattr(self.conn, name) File "/usr/lib/python2.7/site-packages/ipalib/backend.py", line 97, in __get_conn self.id, threading.currentThread().getName()) AttributeError: no context.rpcclient in thread 'MainThread' Is this expected? Is this a regression? Thanks again for your work. -Erinn -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
[Freeipa-users] IPA 4.1.0 in RHEL 7.1
First off congratulations on getting this out. Love the new UI, all pretty and integrates well with the access.redhat.com UI. Second, did DNSSEC not make the chop? It looks like for FreeIPA DNSSEC was included in the 4.1.0 release, but near as I can tell it is not part of IPA 4.1.0 in RHEL 7.1. Third, there appears to be a behavior change from in ipalib. I cleaned up a little inventory script for ansible, you can take a look at it here: https://github.com/ansible/ansible/blob/devel/plugins/inventory/freeipa.py Before RHEL 7.1 the call to api.Command.hostgroup_find()['result'] on line 30 worked, now it fails: Traceback (most recent call last): File "./freeipa.py", line 133, in list_groups(api) File "./freeipa.py", line 71, in list_groups result = api.Command.host_find()['result'] File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 439, in __call__ ret = self.run(*args, **options) File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 755, in run return self.forward(*args, **options) File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 776, in forward return self.Backend.rpcclient.forward(self.name, *args, **kw) File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 880, in forward command = getattr(self.conn, name) File "/usr/lib/python2.7/site-packages/ipalib/backend.py", line 97, in __get_conn self.id, threading.currentThread().getName()) AttributeError: no context.rpcclient in thread 'MainThread' Is this expected? Is this a regression? Thanks again for your work. -Erinn signature.asc Description: This is a digitally signed message part. -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project