Re: [Freeipa-users] DNSSEC NSEC3 Parameter

2016-05-14 Thread Günther J . Niederwimmer
Hello,

Thanks for answer,

On Friday, 13 May 2016, 09:40:05 CEST, Martin Kosek wrote:
> On 05/12/2016 04:41 PM, Günther J. Niederwimmer wrote:
> > Hello,
> > I have the problem of finding the correct way for NSEC3PARAM?
> > 
> > With your Help I have this found
> > 
> > ipa dnszone-mod example.com. --nsec3param-rec " 
> >  "
> > 
> > But it does not work correctly?
> > 
> > Now the question, is this the correct way
> > 
> > ipa dnszone-mod example.com. --nsec3param-rec "1 7 100 f9ba6264232b7283"
> > 
> > to insert the NSEC3PARAMETER ??
> 
> This should be right, there were related fixes by
> https://fedorahosted.org/freeipa/ticket/4413
> 
> Your second command works in my test environment:
> # ipa dnszone-mod example.com. --nsec3param-rec "1 7 100 f9ba6264232b7283"
> # dig -t nsec3param example.com. +short
> 1 7 100 F9BA6264232B7283

The question now is, I think the  parameter is wrong?

I made a test without FreeIPA on a "normal" DNS (DNSSEC) installation (BIND 9)

dnssec-signzone -A -3 $(head -c 1000 /dev/random | sha1sum | cut -b 1-16) -N INCREMENT -o $ZONE -t $ZONEDIR/$ZONEFILE

and a

dig -t nsec3param example.com. +short 

the result is

1 0 10 

1 is SHA-1,
so I think (?) "0" is the correct parameter?
"10" is the default for BIND.

so I hope this is now working correctly.

Thanks for testing and answering.

-- 
kind regards / best regards,

  Günther J. Niederwimmer

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
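The two records discussed above ("1 7 100 f9ba6264232b7283" passed to --nsec3param-rec, and the "1 0 10" default that BIND's dnssec-signzone produced) differ in the flags field. This added example, which is not code from the thread, FreeIPA or BIND, parses NSEC3PARAM presentation-format RDATA and flags the problems RFC 5155 defines: the NSEC3PARAM flags byte is reserved and must be 0 (the opt-out bit is only meaningful in NSEC3 records and is set by the signer, e.g. dnssec-signzone -A), hash algorithm 1 is SHA-1 and the only defined value, and the salt is at most 255 bytes.

```python
"""Parse and sanity-check NSEC3PARAM RDATA (RFC 5155 presentation format).

Constructed example for the thread above; the sample records are the
value given to ``ipa dnszone-mod --nsec3param-rec`` and BIND's default.
"""
from dataclasses import dataclass

HASH_ALGORITHMS = {1: "SHA-1"}  # the only hash algorithm RFC 5155 defines
OPT_OUT = 0x01                  # meaningful in NSEC3 only; ignored in NSEC3PARAM


@dataclass
class Nsec3Param:
    algorithm: int
    flags: int
    iterations: int
    salt: bytes


def parse_nsec3param(rdata: str) -> Nsec3Param:
    """Parse "alg flags iterations salt"; salt "-" means empty.

    A record with only three fields (as in the quoted dig output, where the
    salt did not survive) is treated as having an empty salt.
    """
    fields = rdata.split()
    if len(fields) == 3:
        fields.append("-")
    if len(fields) != 4:
        raise ValueError(f"expected 4 fields, got {len(fields)}: {rdata!r}")
    alg, flags, iters, salt_hex = fields
    salt = b"" if salt_hex == "-" else bytes.fromhex(salt_hex)  # case-insensitive
    return Nsec3Param(int(alg), int(flags), int(iters), salt)


def check_nsec3param(p: Nsec3Param) -> list[str]:
    """Return the problems a zone operator should fix before signing."""
    problems = []
    if p.algorithm not in HASH_ALGORITHMS:
        problems.append(f"unknown hash algorithm {p.algorithm}")
    if not 0 <= p.flags <= 255 or not 0 <= p.iterations <= 65535:
        problems.append("flags must fit in 8 bits and iterations in 16 bits")
    elif p.flags & ~OPT_OUT:
        problems.append(f"reserved flag bits set ({p.flags:#04x}); "
                        "NSEC3PARAM flags must be 0")
    elif p.flags & OPT_OUT:
        problems.append("opt-out bit is ignored in NSEC3PARAM; the signer "
                        "(dnssec-signzone -A) controls opt-out, use 0 here")
    if len(p.salt) > 255:
        problems.append(f"salt is {len(p.salt)} bytes; the maximum is 255")
    return problems


if __name__ == "__main__":
    for rec in ("1 7 100 f9ba6264232b7283", "1 0 10 -"):
        print(rec, "->", check_nsec3param(parse_nsec3param(rec)) or "ok")
```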


[Freeipa-users] After successful ipa-client-install, sssd not used?

2016-05-14 Thread Lachlan Musicman
Hola,

We successfully installed ipa-server, and then successfully joined an AD in
a one way trust.
All in IPA are CentOS 7.2 with the latest updates.

I can successfully get info from AD by using: $id username on the server.

I can successfully *join* the new ipa server with a client using
ipa-client-install. (both on stdout and /var/log/ipaclient-install look
good).

I have followed these instructions to add an external mapped group, an
internal group and an HBAC rule.

http://www.freeipa.org/page/Active_Directory_trust_setup


But, for some reason I can't then login to that client using AD
credentials.

In fact, on the client in question, all indicators are that the username
being used is "unknown". I see little to nothing in /var/log/sssd/*, a few
lines, late, in /var/log/dirsrv/slapd/. Most of the live logging of
auth seems to be in /var/log/secure.

My feeling is that the client successfully joins, but then isn't using sssd
as its authentication system.

Where should I start looking? The logs aren't showing me anything of note.
What should I test? How can I test?

I have had this working previously on a test domain, but it's hard to know
what I've done differently due to time and how long it took to get it
working last time.

Cheers
L.
--
The most dangerous phrase in the language is, "We've always done it this
way."

- Grace Hopper