[Freeipa-users] Howto: Migrate DNS/DNSSec off freeipa

2024-04-30 Thread Harry G Coin via FreeIPA-users
If you've decided freeipa's DNS and/or DNSsec isn't part of your future, here's a way to migrate to another solution without disrupting the rest of freeipa's capabilities. I couldn't find any documentation about how to do this in an automated way; this worked for me. (Watch someone answer

[Freeipa-users] 'ipk11id length should not be 0' -- 'restart counter at 811' how to correct?

2024-04-07 Thread Harry G Coin via FreeIPA-users
What's the correct way to correct the cause of this error message? There is no guidance online I can find. I first saw it a few years ago; it's back. ipa-ods-exporter emits this assertion, then quits. ipk11id length should not be 0 This system hosts the dnssec master db. There is one

[Freeipa-users] Lots of named/dnssec related permission errors logged

2024-03-07 Thread Harry G Coin via FreeIPA-users
Hi! What changes are necessary to avoid hundreds of log entries like this? named[1511]: File.cpp(94): Could not open the file (Permission denied): /var/lib/ipa/dnssec/tokens/95614bbc-437b-e1dc-3cd9-dac6fb2dafa2/abf57d53-0b7b-e8d2-d402-3b385005955d.object Harry Coin --

[Freeipa-users] Re: DNS resolution failures

2024-03-07 Thread Harry G Coin via FreeIPA-users
I've had the same experience.  Adding memory and processing power seems to have avoided the bug.  Before I did that I found I had to restart bind9/named.  And yes the logs are entirely silent about the cause, the system reported free memory available even before I added it.   My guess is some

[Freeipa-users] Re: [Freeipa-users](dnssec-keyfroml) of user ZZZ dumped core.

2024-03-05 Thread Harry G Coin via FreeIPA-users
Update: This same core dump pattern appears across all freeipa masters running dns in this sandbox, ruling out hardware causes. Ideas? On Mon, Mar 4, 2024 at 10:54 PM Harry G Coin via FreeIPA-users wrote: FYI. El9, latest stable. Mar 04 22:46:05 registry1.1.quietfountain.com

[Freeipa-users](dnssec-keyfroml) of user ZZZ dumped core.

2024-03-04 Thread Harry G Coin via FreeIPA-users
FYI. El9, latest stable. Mar 04 22:46:05 registry1.1.quietfountain.com ipa-dnskeysyncd[75834]: ipaserver.dnssec.bindmgr: INFO attrs: Mar 04 22:46:05 registry1.1.quietfountain.com named[1463]: client @0x7fd61803ae68 10.12.112.3#49016: received notify for zone

[Freeipa-users] Re: DNS resolution failures

2024-02-20 Thread Harry G Coin via FreeIPA-users
On 2/17/24 00:54, Natxo Asenjo via FreeIPA-users wrote: hi, a bit late, but you should check the forwarding logs (maybe enable them, bit unsure if it is enabled per default on named). Without any proof, my gut feeling is on dnssec :-), I have had to turn it off a few times. Regards,

[Freeipa-users] Named times out localhost:53 minutes per boot until notify storm settles?

2024-02-20 Thread Harry G Coin via FreeIPA-users
On the latest stable freeipa on v9, in a two-master setup:  after a period of normal operations, I need to reboot one of them.  When that happens, each boot, nslookup times out on the newly rebooted one, even after named has been running for minutes. The logs are filled with such as (signed)

[Freeipa-users] Re: Is there even one freeipa dev that knows everything about upgrading across major OS releases?

2024-01-17 Thread Harry G Coin via FreeIPA-users
On 1/17/24 12:55, Rob Crittenden wrote: Harry G Coin wrote: On 1/15/24 13:26, Rob Crittenden wrote: Harry G Coin via FreeIPA-users wrote: Hi!   This is meant for the good future of freeipa, a package I've appreciated for some years, so across the user cultures and languages please understand

[Freeipa-users] Re: Is there even one freeipa dev that knows everything about upgrading across major OS releases?

2024-01-15 Thread Harry G Coin via FreeIPA-users
On 1/15/24 13:26, Rob Crittenden wrote: Harry G Coin via FreeIPA-users wrote: Hi!   This is meant for the good future of freeipa, a package I've appreciated for some years, so across the user cultures and languages please understand it as supportive and not a complaint!  For all freeipa's

[Freeipa-users] Is there even one freeipa dev that knows everything about upgrading across major OS releases?

2024-01-15 Thread Harry G Coin via FreeIPA-users
Hi!   This is meant for the good future of freeipa, a package I've appreciated for some years, so across the user cultures and languages please understand it as supportive and not a complaint!  For all freeipa's 'master-master' replica technology, there remain 'some instances more primary

[Freeipa-users] Bind9/named 4.10.2 segfaults under dnssec load, ISC points to lib version mismatches.

2024-01-15 Thread Harry G Coin via FreeIPA-users
Under opendnssec processing load, bind9 segfaults under v 4.10.2.   The only mitigation was to add systemd restart override. Details here: https://gitlab.isc.org/isc-projects/bind9/-/issues/4533 Coredumps available. The ISC devs closed the issue with this comment: "Yeah, SoftHSM2 is pretty

[Freeipa-users] Re: Plans for integrating DHCP

2023-10-25 Thread Harry G Coin via FreeIPA-users
On 9/25/23 13:56, Charles Hedrick via FreeIPA-users wrote: We did most of this, and have been using it for a few years. However it depends upon the ISC DHCP server, which is now EOL. The replacement, KEA, does not support LDAP, and there are no plans for it to. I think the reason is that

[Freeipa-users] Re: Current best practice: Backup/Restore?

2023-10-25 Thread Harry G Coin via FreeIPA-users
On 10/18/23 10:33, Christian Heimes wrote: On 18/10/2023 16.57, Harry G Coin wrote: On Tue, Oct 17, 2023 at 7:50 PM Christian Heimes via FreeIPA-users wrote: On 17/10/2023 19.32, Harry G Coin via FreeIPA-users wrote: 'security' and 'other' seemingly 'unrelated' 'upgrades

[Freeipa-users] Re: Current best practice: Backup/Restore?

2023-10-19 Thread Harry G Coin via FreeIPA-users
On 10/19/23 10:45, Rob Crittenden wrote: Harry G Coin via FreeIPA-users wrote: On 10/18/23 07:30, Florence Blanc-Renaud via FreeIPA-users wrote: Hi, this guide explains the possible strategies for disaster recovery: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8

[Freeipa-users] Re: Current best practice: Backup/Restore?

2023-10-18 Thread Harry G Coin via FreeIPA-users
On 10/18/23 15:55, Rob Crittenden wrote: Harry G Coin via FreeIPA-users wrote: On 10/18/23 10:33, Christian Heimes wrote: On 18/10/2023 16.57, Harry G Coin wrote: On Tue, Oct 17, 2023 at 7:50 PM Christian Heimes via FreeIPA-users wrote: On 17/10/2023 19.32, Harry G Coin via FreeIPA

[Freeipa-users] Re: Current best practice: Backup/Restore?

2023-10-18 Thread Harry G Coin via FreeIPA-users
On 10/18/23 10:33, Christian Heimes wrote: On 18/10/2023 16.57, Harry G Coin wrote: On Tue, Oct 17, 2023 at 7:50 PM Christian Heimes via FreeIPA-users wrote: On 17/10/2023 19.32, Harry G Coin via FreeIPA-users wrote: 'security' and 'other' seemingly 'unrelated' 'upgrades

[Freeipa-users] Re: Current best practice: Backup/Restore?

2023-10-18 Thread Harry G Coin via FreeIPA-users
On 10/18/23 07:30, Florence Blanc-Renaud via FreeIPA-users wrote: Hi, this guide explains the possible strategies for disaster recovery: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/preparing_for_disaster_recovery_with_identity_management/index And that one

[Freeipa-users] Re: Current best practice: Backup/Restore?

2023-10-18 Thread Harry G Coin via FreeIPA-users
On Tue, Oct 17, 2023 at 7:50 PM Christian Heimes via FreeIPA-users wrote: On 17/10/2023 19.32, Harry G Coin via FreeIPA-users wrote: 'security' and 'other' seemingly 'unrelated' 'upgrades' to packages n levels deep but whose previously unnoticed freeipa killing race

[Freeipa-users] Re: Current best practice: Backup/Restore?

2023-10-18 Thread Harry G Coin via FreeIPA-users
On 10/17/23 12:50, Christian Heimes via FreeIPA-users wrote: On 17/10/2023 19.32, Harry G Coin via FreeIPA-users wrote: 'security' and 'other' seemingly 'unrelated' 'upgrades' to packages n levels deep but whose previously unnoticed freeipa killing race-condition or other bug manifests

[Freeipa-users] Re: Current best practice: Backup/Restore?

2023-10-17 Thread Harry G Coin via FreeIPA-users
Thanks Rob Replies to questions interposed below. On 10/17/23 11:53, Rob Crittenden wrote: Harry G Coin via FreeIPA-users wrote: What's the 'current best practice' for what you might call a 'fully deployed' freeipa install (meaning one that uses DNSSEC and all the documented capability

[Freeipa-users] Current best practice: Backup/Restore?

2023-10-17 Thread Harry G Coin via FreeIPA-users
What's the 'current best practice' for what you might call a 'fully deployed' freeipa install (meaning one that uses DNSSEC and all the documented capability subsections)? From what I can tell, there are two approaches: Approach 1: Run it in a VM, then from time to time shut it down,

[Freeipa-users] Re: After "writeback to ldap failed" -- silent total freeipa failure / deadlock.

2023-08-09 Thread Harry G Coin via FreeIPA-users
On 8/9/23 12:05, Thierry Bordaz wrote: On 8/9/23 18:55, Harry G Coin wrote: Thierry asked for a recap summary below, so forgive the 'top post'. Here it is: 4.9.10 default install on two systems, call them primary (with kasp.db) and secondary but otherwise multi-master, 1g link between

[Freeipa-users] Re: After "writeback to ldap failed" -- silent total freeipa failure / deadlock.

2023-08-09 Thread Harry G Coin via FreeIPA-users
Thierry asked for a recap summary below, so forgive the 'top post'. Here it is: 4.9.10 default install on two systems, call them primary (with kasp.db) and secondary but otherwise multi-master, 1g link between them, modest/old cpu, drives, 5G memory, with dns/dnssec and adtrust (aimed at

[Freeipa-users] Re: After "writeback to ldap failed" -- silent total freeipa failure / deadlock.

2023-08-09 Thread Harry G Coin via FreeIPA-users
On 8/9/23 01:00, Alexander Bokovoy wrote: On Tue, 08 Aug 2023, Harry G Coin wrote: Thanks for your help. Details below. The problem 'moved' in, I hope, a diagnostically useful way, but the system remains broken. On 8/8/23 08:54, Alexander Bokovoy wrote: On Tue, 08 Aug 2023, Harry G Coin

[Freeipa-users] Re: After "writeback to ldap failed" -- silent total freeipa failure / deadlock.

2023-08-08 Thread Harry G Coin via FreeIPA-users
Thanks for your help. Details below. The problem 'moved' in, I hope, a diagnostically useful way, but the system remains broken. On 8/8/23 08:54, Alexander Bokovoy wrote: On Tue, 08 Aug 2023, Harry G Coin wrote: On 8/8/23 02:43, Alexander Bokovoy wrote: pstack $(pgrep ns-slapd)  > ns-slapd

[Freeipa-users] Re: After "writeback to ldap failed" -- silent total freeipa failure / deadlock.

2023-08-08 Thread Harry G Coin via FreeIPA-users
On 8/8/23 02:43, Alexander Bokovoy wrote: pstack $(pgrep ns-slapd)  > ns-slapd log Tried an upgrade from 4.9.10 to 4.9.11, the "writeback to ldap failed" error moved from the primary instance (on which the dns records were being added) to the replica which hung in the same fashion.   Here's

[Freeipa-users] After "writeback to ldap failed" -- silent total freeipa failure / deadlock.

2023-08-07 Thread Harry G Coin via FreeIPA-users
This January, Mark Potter first experienced what is now killing my new freeipa setup as well. Once the primary server on which dns records are being programmatically added sees named-pkcs11 putting "writeback to ldap failed" in the log: 'systemctl' reports nothing amiss yet ns-slapd becomes

[Freeipa-users] Need 'dns notify' sequence clarification please!

2022-08-25 Thread Harry G Coin via FreeIPA-users
In a 'standard' freeipa setup with two freeipa masters that provide authoritative DNS for a zone (in this instance using the named-pkcs11 bind version) and no other DNS slaves: When an IP address is changed in freeipa DNS for a host: Question 1:  Does the 'notify' feature of bind9/named from

[Freeipa-users] DNS/DNSSEC via freeipa/bind9 supporting Unbound

2022-08-08 Thread Harry G. Coin via FreeIPA-users
Alexander Bokovoy asked for a note on the use of Unbound as a slave resolver to freeipa's bind9+dnssec because of the issues discussed under Re: [Freeipa-users] Re: Dnssec rejected by Cloudflare, Google, accepted by Verizon, AT&T Summarizing: Unbound is just a lot faster than bind9+dnssec,

[Freeipa-users] Re: Dnssec rejected by Cloudflare, Google, accepted by Verizon, AT&T

2022-08-02 Thread Harry G. Coin via FreeIPA-users
On 8/2/22 03:08, Alexander Bokovoy wrote: On Mon, 01 Aug 2022, Harry G. Coin via FreeIPA-users wrote: TL;DR: Freeipa's DNS (especially with dnssec enabled) can appear to be working well and pass accuracy tests, yet generate failures depending on the client's dns provider's response timeout

[Freeipa-users] Re: Dnssec rejected by Cloudflare, Google, accepted by Verizon, AT&T

2022-08-01 Thread Harry G. Coin via FreeIPA-users
TL;DR: Freeipa's DNS (especially with dnssec enabled) can appear to be working well and pass accuracy tests, yet generate failures depending on the client's dns provider's response timeout settings. You can tell whether you're as 'online as you think you are' using this tool:

[Freeipa-users] Re: Dnssec rejected by Cloudflare, Google, accepted by Verizon, AT&T

2022-07-28 Thread Harry G. Coin via FreeIPA-users
For the benefit of others:    DNSSec takes longer per query and transaction.   I don't know whether this is the whole answer or a partial one, but I found one freeipa dnssec enabled website that sometimes passed, sometimes failed dig @1.1.1.1  (the failures look like this: ; EDE: 9 (DNSKEY

[Freeipa-users] Re: Dnssec rejected by Cloudflare, Google, accepted by Verizon, AT&T

2022-07-27 Thread Harry G. Coin via FreeIPA-users
Anybody know what I can do to prevent freeipa/dnssec's bind from providing a DS record not just for sub-domains, but for the domain itself? Some dnssec resolvers, like Google and Cloudflare, fail if, as freeipa dnssec does, the domain publishes a DS record for itself. see

[Freeipa-users] Dnssec rejected by Cloudflare, Google, accepted by Verizon, AT&T

2022-07-26 Thread Harry G. Coin via FreeIPA-users
I have a dnssec enabled domain that passes all the verisign and related dnssec tests (all green, no errors) and dns sources like AT&T and Verizon. But it fails at some popular dns servers like Google and Cloudflare. I'd appreciate what anyone can make of that; there are no obvious debugging

[Freeipa-users] Re: Postfix and FreeIPA

2022-04-20 Thread Harry G. Coin via FreeIPA-users
, or you 'color within the lines that's there standard' and provide what's missing using other packages and avenues. Keep us posted on your progress! Harry On 4/20/22 13:04, Francis Augusto Medeiros-Logeay wrote: On 2022-04-20 16:39, Harry G. Coin via FreeIPA-users wrote: Hi Francis Hi

[Freeipa-users] Re: Postfix and FreeIPA

2022-04-20 Thread Harry G. Coin via FreeIPA-users
Hi Francis I integrated freeipa with postfix/dovecot, and many other anti-spam / address validation capabilities.  I can tell you -- it's quite a bumpy ride.  A 'good plan' has more to do with your model of how 'real people' would expect to map onto domains, accounts and the like.  To do it

[Freeipa-users] Re: Rawhide upgrade dirsrv startup failure workaround

2022-02-02 Thread Harry G. Coin via FreeIPA-users
On 2/2/22 08:22, Rob Crittenden wrote: Harry G. Coin via FreeIPA-users wrote: When 'upgrading' using Rawhide, (instead of a fresh install), you might notice ns-slapd / dirsrv fails to start.  Do this to work around it: #mkdir /dev/shm/slapd- #chown dirsrv:dirsrv /dev/shm/slapd- #systemctl

[Freeipa-users] Rawhide upgrade dirsrv startup failure workaround

2022-02-02 Thread Harry G. Coin via FreeIPA-users
When 'upgrading' using Rawhide, (instead of a fresh install), you might notice ns-slapd / dirsrv fails to start. Do this to work around it: #mkdir /dev/shm/slapd- #chown dirsrv:dirsrv /dev/shm/slapd-of .> #systemctl restart ipa

[Freeipa-users] Re: HA / high availability service - ?

2022-01-17 Thread Harry G. Coin via FreeIPA-users
On 1/17/22 11:08, lejeczek via FreeIPA-users wrote: On 17/01/2022 16:06, Harry G. Coin via FreeIPA-users wrote: On 1/17/22 05:30, lejeczek via FreeIPA-users wrote: On 16/01/2022 20:25, lejeczek via FreeIPA-users wrote: Hi guys. I have an old - set up ~2 yrs ago - IPA domain which "sur

[Freeipa-users] Re: HA / high availability service - ?

2022-01-17 Thread Harry G. Coin via FreeIPA-users
On 1/17/22 10:26, Alexander Bokovoy wrote: On Mon, 17 Jan 2022, Harry G. Coin via FreeIPA-users wrote: On 1/17/22 05:30, lejeczek via FreeIPA-users wrote: On 16/01/2022 20:25, lejeczek via FreeIPA-users wrote: Hi guys. I have an old - set up ~2 yrs ago - IPA domain which "sur

[Freeipa-users] Re: HA / high availability service - ?

2022-01-17 Thread Harry G. Coin via FreeIPA-users
On 1/17/22 05:30, lejeczek via FreeIPA-users wrote: On 16/01/2022 20:25, lejeczek via FreeIPA-users wrote: Hi guys. I have an old - set up ~2 yrs ago - IPA domain which "survived" updates/upgrades till this day in such a way that integrated Samba serves up under different hostname/domain

[Freeipa-users] Re: shutdown/poweroff freeipa hang if replication exists?

2022-01-10 Thread Harry G. Coin via FreeIPA-users
On 1/7/22 09:17, Rob Crittenden wrote: Harry G. Coin via FreeIPA-users wrote: For the last few months, shutdown/poweroff of freeipa server systems hangs until systemd forcibly terminates freeipa.  During that time I see ns-slapd at nearly full CPU consumption.  I see log entries such as: ipa

[Freeipa-users] shutdown/poweroff freeipa hang if replication exists?

2022-01-06 Thread Harry G. Coin via FreeIPA-users
For the last few months, shutdown/poweroff of freeipa server systems hangs until systemd forcibly terminates freeipa.  During that time I see ns-slapd at nearly full CPU consumption.  I see log entries such as: ipa-dnskeysyncd[1578]: ipaserver.dnssec.syncrepl even though there are no domains

[Freeipa-users] Re: DNS and FreeIPA

2021-12-27 Thread Harry G. Coin via FreeIPA-users
Angus, There are two 'happy medium' approaches you can try with FreeIPA to resolve the private/public issues you mention. If you have just one or two addresses you want the public to see, get one or two 'static ips' from your ISP, set them in your registrar's setup for your name, do the

[Freeipa-users] Re: Is bind's native dnssec now a better choice than opendnssec?

2021-12-20 Thread Harry G. Coin via FreeIPA-users
On 12/16/21 11:10 PM, Alexander Bokovoy wrote: On Thu, 16 Dec 2021, Harry G. Coin via FreeIPA-users wrote: Alexander and others who care about dnssec: Given the ongoing problems with opendnssec/libp11 and the many freeipa routines and resources dedicated to working around it, has bind9's

[Freeipa-users] Is bind's native dnssec now a better choice than opendnssec?

2021-12-16 Thread Harry G. Coin via FreeIPA-users
Alexander and others who care about dnssec: Given the ongoing problems with opendnssec/libp11 and the many freeipa routines and resources dedicated to working around it, has bind9's native dnssec implementation improved to the point we can greatly reduce the freeipa package count by just

[Freeipa-users] master/replica dnssec 'sending notifies' back forever??

2021-12-14 Thread Harry G. Coin via FreeIPA-users
In a master/replica freeipa setup with DNSSEC -- is it normal the "sending notifies" happens forever? It would appear the master sends a notify for a zone, the replica gets it, sees an updated SOA, updates itself, sends a notify to the master, which sees a higher SOA, updates itself, sends a

[Freeipa-users] Re: Academic 'dependency' research / freeipa

2021-11-12 Thread Harry G. Coin via FreeIPA-users
On 11/12/21 8:34 AM, Rob Crittenden wrote: Harry G. Coin via FreeIPA-users wrote: On 11/9/21 1:18 PM, Rob Crittenden wrote: Harry G. Coin via FreeIPA-users wrote: I think freeipa represents something of a research opportunity. Among all the 'functional subsystem packages' out there, freeipa

[Freeipa-users] Re: Academic 'dependency' research / freeipa

2021-11-10 Thread Harry G. Coin via FreeIPA-users
On 11/9/21 1:18 PM, Rob Crittenden wrote: Harry G. Coin via FreeIPA-users wrote: I think freeipa represents something of a research opportunity. Among all the 'functional subsystem packages' out there, freeipa is the 'tallest pyramid with the widest base' I'm aware of.  By that I mean it has

[Freeipa-users] Academic 'dependency' research / freeipa

2021-11-08 Thread Harry G. Coin via FreeIPA-users
I think freeipa represents something of a research opportunity. Among all the 'functional subsystem packages' out there, freeipa is the 'tallest pyramid with the widest base' I'm aware of.  By that I mean it has the largest number of dependencies which themselves are also subsystems (over

[Freeipa-users] Re: Samba4 + FreeIPA

2021-11-03 Thread Harry G. Coin via FreeIPA-users
I've had that challenge as well, with users who are not assigned one system but might freely move among proprietary and open source os systems, along with the need to isolate all admin functions for both Windows and Linux sides within one UI (freeipa in this case).   It's quite a ride.  It

[Freeipa-users] In master/replica DNS -- can 'notifies' be disabled?

2021-08-27 Thread Harry G. Coin via FreeIPA-users
Does the 'sending notifies' feature bind offers between a freeipa master and replica serve any purpose whatever assuming there are no other dns servers involved in the freeipa dns managed zones? I'd like to put an option in the ext to turn off notifies, but I do want the SOA serial numbers to

[Freeipa-users] Debugging hint re: replica 'rndc sign' fail -> ipa-dnskeysyncd fail

2021-08-27 Thread Harry G. Coin via FreeIPA-users
I was going to ask for help for a very perplexing problem.  The symptoms seemed to have very little to do with the solution, so searching online led nowhere.  Hopefully, by posting this the next person to hit this will find this answer. In short, the answer is, on the replica: dsconf -D

[Freeipa-users] Auto add of replica NS records not always appropriate.

2021-08-26 Thread Harry G. Coin via FreeIPA-users
At replica install time: it might be better to add replica NS records using the domain of the master NS record and not the domain in the replica's /etc/hosts (assuming the replica has a host entry in the master NS record domain).  Presently I think you get the domain in /etc/hostname whether or

[Freeipa-users] Re: UI can't list certs on fedora latest. Java bug?

2021-08-20 Thread Harry G. Coin via FreeIPA-users
y also degrade >> performances (please refer to Improving Search Performance >> through Resource Limits >> >> <https://access.redhat.com/documentation/en-us/red_hat_directory_server/11/html/administration_guide/ldapsearch-ex-complex-range> >> for more detail

[Freeipa-users] Re: UI can't list certs on fedora latest. Java bug?

2021-08-19 Thread Harry G. Coin via FreeIPA-users
through Resource Limits > <https://access.redhat.com/documentation/en-us/red_hat_directory_server/11/html/administration_guide/ldapsearch-ex-complex-range> > for more details) > > flo > > On Thu, Aug 19, 2021 at 12:31 AM Harry G. Coin via FreeIPA-users > <mailto:freei

[Freeipa-users] Re: UI can't list certs on fedora latest. Java bug?

2021-08-18 Thread Harry G. Coin via FreeIPA-users
On 8/18/21 5:20 PM, Rob Crittenden wrote: > Harry G. Coin via FreeIPA-users wrote: >> What causes "IPA Error 4301: CertificateOperationError" / "Certificate >> operation cannot be completed: Unable to communicate with CMS (500)" >> >> on latest

[Freeipa-users] UI can't list certs on fedora latest. Java bug?

2021-08-18 Thread Harry G. Coin via FreeIPA-users
What causes "IPA Error 4301: CertificateOperationError" / "Certificate operation cannot be completed: Unable to communicate with CMS (500)" on latest fedora 34 freeipa, running on two hosts, master/master? Usually I'd expect 'ipa cert-show 1' to fail, but it works, and 'systemctl' reports

[Freeipa-users] Doc suggestion: explicitly advise 'non-desktop' spins for freeipa-server*

2021-06-15 Thread Harry G. Coin via FreeIPA-users
Might the 'edition' (server, desktop, iot, whatnot) of the distribution used in testing freeipa-server* be explicitly stated in the 'getting started' docs as being 'approved' for freeipa-server use?   The better to avoid interactions with un-interaction-tested packages / security libraries

[Freeipa-users] Re: Solve freeipa 'fragility' via orchestrated containers & whole-container upgrade?

2021-06-03 Thread Harry G. Coin via FreeIPA-users
On 6/3/21 1:56 AM, Alexander Bokovoy wrote: > On Thu, 03 Jun 2021, Fraser Tweedale via FreeIPA-users wrote: >> On Wed, Jun 02, 2021 at 01:55:36PM -0500, Harry G. Coin via >> FreeIPA-users wrote: >>> Long time freeipa users have faced a certain 'fragility' freeipa h

[Freeipa-users] Solve freeipa 'fragility' via orchestrated containers & whole-container upgrade?

2021-06-02 Thread Harry G. Coin via FreeIPA-users
Long time freeipa users have faced a certain 'fragility' freeipa has inherited, mostly as a result of freeipa being the 'band director' over a number of distinct subsystems maintained by various groups across the world. This or that 'little upgrade' in a seemingly small sub-part of freeipa

[Freeipa-users] Re: FreeIPA Bastion

2021-05-19 Thread Harry G. Coin via FreeIPA-users
While you're at it, you will catch further bugs (including likely named crashing) if your tests enable dnssec on several domains at the same time, then test them all.  It's not enough to just turn on dnssec on one domain and test it then call it 'ok'. HC On 5/19/21 11:50 AM, Ernedin Zajko via

[Freeipa-users] Re: FreeIPA Upgrade F31 -> F32: usr/lib/api/apiutil.c Could not open /run/lock/opencryptoki/LCK..APIlock

2021-05-10 Thread Harry G. Coin via FreeIPA-users
On 5/10/21 10:58 AM, Harry Coin via FreeIPA-users wrote: > In a completely fresh install of freeipa-server, f34, my logs are filled with > > certmonger[5754]: usr/lib/api/apiutil.c Could not open > /run/lock/opencryptoki/LCK..APIlock I get similar messages from certutil, certmonger and pk12util

[Freeipa-users] Re: FreeIPA Upgrade F31 -> F32: usr/lib/api/apiutil.c Could not open /run/lock/opencryptoki/LCK..APIlock

2021-05-10 Thread Harry G. Coin via FreeIPA-users
On 5/10/21 10:58 AM, Harry Coin via FreeIPA-users wrote: > In a completely fresh install of freeipa-server, f34, my logs are filled with > > certmonger[5754]: usr/lib/api/apiutil.c Could not open > /run/lock/opencryptoki/LCK..APIlock > ___ Just now:

[Freeipa-users] dnssec f34 named 'permission denied' w/workaround

2021-05-10 Thread Harry G. Coin via FreeIPA-users
on a clean install on f34 of freeipa server with dns: After enabling dnssec on a zone, to avoid thousands of lines appear in the logs like:  May 10 12:12:45 registry1.1.quietfountain.com named[11774]: File.cpp(94): Could not open the file (Permission denied):

[Freeipa-users] Re: ui stuck on 'internal server error' after a few idle hours

2021-05-10 Thread Harry G. Coin via FreeIPA-users
>>>>> On Mon, 10 May 2021, Harry G. Coin wrote: >>>>>> >>>>>> On 5/10/21 8:31 AM, Alexander Bokovoy wrote: >>>>>>> On Sun, 09 May 2021, Harry G. Coin via FreeIPA-users wrote: >>>>>>>> On f34

[Freeipa-users] Re: ui stuck on 'internal server error' after a few idle hours

2021-05-10 Thread Harry G. Coin via FreeIPA-users
On 5/10/21 10:30 AM, Alexander Bokovoy wrote: > On Mon, 10 May 2021, Harry G. Coin wrote: >> >> On 5/10/21 9:55 AM, Alexander Bokovoy wrote: >>> On Mon, 10 May 2021, Harry G. Coin wrote: >>>> >>>> On 5/10/21 8:31 AM, Alexander Bokovoy wrote: >&

[Freeipa-users] Re: ui stuck on 'internal server error' after a few idle hours

2021-05-10 Thread Harry G. Coin via FreeIPA-users
On 5/10/21 9:55 AM, Alexander Bokovoy wrote: > On Mon, 10 May 2021, Harry G. Coin wrote: >> >> On 5/10/21 8:31 AM, Alexander Bokovoy wrote: >>> On Sun, 09 May 2021, Harry G. Coin via FreeIPA-users wrote: >>>> On f34, freeipa-server 4.9.3-2:  Upon choosing

[Freeipa-users] Re: ui stuck on 'internal server error' after a few idle hours

2021-05-10 Thread Harry G. Coin via FreeIPA-users
On 5/10/21 8:31 AM, Alexander Bokovoy wrote: > On Sun, 09 May 2021, Harry G. Coin via FreeIPA-users wrote: >> On f34, freeipa-server 4.9.3-2:  Upon choosing any action using a >> logged-in UI that has been left idle for some hours, browsers lock a >> display 'internal se

[Freeipa-users] ui stuck on 'internal server error' after a few idle hours

2021-05-09 Thread Harry G. Coin via FreeIPA-users
On f34, freeipa-server 4.9.3-2:  Upon choosing any action using a logged-in UI that has been left idle for some hours, browsers lock a display 'internal server error' (at least on firefox) instead of a log-in page, or the desired page.  No actions on the server side will clear it.   The only

[Freeipa-users] Re: Resolving gssproxy ... Unspecified GSS failure. ... No credentials cache found...

2021-04-27 Thread Harry G. Coin via FreeIPA-users
On 4/27/21 1:24 PM, Alexander Bokovoy wrote: > On Tue, 27 Apr 2021, Harry G. Coin via FreeIPA-users wrote: >> After the recent freeipa upgrades on fedora, the reported "Server Error" >> blocking even the login screen. >> >> The logs were filled with such as:

[Freeipa-users] Resolving gssproxy ... Unspecified GSS failure. ... No credentials cache found...

2021-04-27 Thread Harry G. Coin via FreeIPA-users
After the recent freeipa upgrades on fedora, the reported "Server Error" blocking even the login screen. The logs were filled with such as: gssproxy {oid ...}  Unspecified GSS failure.  Minor code may provide more information, No credentials cache found Searches report the solution involved

[Freeipa-users] Re: PKI-Tomcat flagging up on security scans

2021-04-19 Thread Harry G. Coin via FreeIPA-users
Unless you want to commit resources to attain 'dev level' on over a dozen packages, you have to think of Freeipa as having an 'everything depends on everything' component config file inter-relationship  (one that can change without a lot of warning between upgrades).  Before taking on the burden

[Freeipa-users] Re: What FQDN to use to get the LDAP server when there are multiple masters

2021-03-18 Thread Harry G. Coin via FreeIPA-users
On 3/18/21 9:37 AM, Alexander Bokovoy via FreeIPA-users wrote: > On Thu, 18 Mar 2021, Kees Bakker via FreeIPA-users wrote: >> Hi, >> >> We have FreeIPA with three masters. To get to the LDAP server >> we can use either of the three. To configure a service you must >> come up with a FQDN for the

[Freeipa-users] Deprecate/sync howto/troubleshooting DNS pages re: ds-seen requirement?

2021-03-18 Thread Harry G. Coin via FreeIPA-users
Notice the two pages regarding DNSSEC (the 'howto' and the 'troubleshooting') discuss a requirement to give a command ( ... ds-seen ... ), requiring many arguments.  The docs call for this command to occur for each domain after the DS key has been uploaded to the parent domain, and required for