[Freeipa-users] guidance and strategies for supporting production use including dev/test IPA systems?

2016-11-09 Thread Chris Dagdigian


Thanks to support from folks on this list I have a 3-node multi-site 
replicating FreeIPA system supporting a number of 1-way trusts to 
various AD Forests. Testing has gone well and it's clear that this "POC" 
will soon transition to production.


Because of the importance of this system to our environment I'm trying 
to flesh out a proper strategy for testing upgrades and updates in a way 
that lets us keep our system highly available and online.


And seeing how rapidly this software is being developed w/ new features 
and how dependent we are on the most recent version (or how badly I want 
to try the version in RHEL-BETA-3) I think this is a system we will 
possibly be upgrading somewhat often ...


I understand that replicas can run newer versions of IPA/IDM than the 
master so that is one path by which we can carefully test updates and 
patches but I don't think that covers all the scenarios ...


Can anyone share strategies or war stories for how testing is done in 
support of production IPA/IDM environments? Especially when Trusts need 
to be set up with many external AD systems?


Do people run discrete standalone dev/test IPA domains/realms to create 
isolated environments, or is there some other good strategy that allows 
testing to be done within the same domain/realm?


Thanks!

-Chris

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] SRV (mixed?) records

2016-11-09 Thread lejeczek



On 09/11/16 12:43, Martin Basti wrote:



On 09.11.2016 12:15, lejeczek wrote:



On 08/11/16 19:37, Martin Basti wrote:



On 08.11.2016 19:41, lejeczek wrote:

hi everyone
when I look at my domain I see something which seems 
inconsistent to me (e.g. work5 is not part of the 
domain, was --uninstalled)

Do these records need fixing?
I'm asking because one of the servers, despite the fact that 
the ipa dns related toolkit (on that server) shows the zone 
& records, presents nothing to dig/host/etc., empty 
responses!??


$ ipa dnsrecord-find xx.xx.xx.xx.x.
  Record name: @
  NS record: swir.xx.xx.xx.xx.x., rider.xx.xx.xx.xx.x., dzien.xx.xx.xx.xx.x., whale.xx.xx.xx.xx.x.

  Record name: _kerberos
  TXT record: .xx.xx..xx.xx.x

  Record name: _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs
  SRV record: 0 100 88 rider, 0 100 88 work5

  Record name: _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs
  SRV record: 0 100 389 rider, 0 100 389 work5

  Record name: _kerberos._udp.Default-First-Site-Name._sites.dc._msdcs
  SRV record: 0 100 88 rider, 0 100 88 work5

  Record name: _kerberos._tcp.dc._msdcs
  SRV record: 0 100 88 rider, 0 100 88 work5

  Record name: _ldap._tcp.dc._msdcs
  SRV record: 0 100 389 rider, 0 100 389 work5

  Record name: _kerberos._udp.dc._msdcs
  SRV record: 0 100 88 rider, 0 100 88 work5

  Record name: _kerberos._tcp
  SRV record: 0 100 88 whale, 0 100 88 dzien, 0 100 88 rider, 0 100 88 swir

  Record name: _kerberos-master._tcp
  SRV record: 0 100 88 whale, 0 100 88 dzien, 0 100 88 rider, 0 100 88 swir

  Record name: _kpasswd._tcp
  SRV record: 0 100 464 rider, 0 100 464 swir, 0 100 464 dzien, 0 100 464 whale

  Record name: _ldap._tcp
  SRV record: 0 100 389 swir, 0 100 389 dzien, 0 100 389 whale, 0 100 389 rider

  Record name: _kerberos._udp
  SRV record: 0 100 88 whale, 0 100 88 dzien, 0 100 88 rider, 0 100 88 swir

  Record name: _kerberos-master._udp
  SRV record: 0 100 88 whale, 0 100 88 dzien, 0 100 88 rider, 0 100 88 swir

  Record name: _kpasswd._udp
  SRV record: 0 100 464 rider, 0 100 464 swir, 0 100 464 dzien, 0 100 464 whale

  Record name: _ntp._udp
  SRV record: 0 100 123 dzien, 0 100 123 rider, 0 100 123 whale, 0 100 123 swir

thanks.
L.




Hello,

if server work5 is uninstalled, then work5 SRV records 
should be removed.


Martin


Martin, would you be able to suggest a way to troubleshoot 
that problem, that one (only) server (rider) seems to 
present no data for the whole domain? Remaining servers 
correctly respond to any queries. One curious thing is 
that I run $rndc trace 6; and (I see the debug level changed in 
journalctl) I do not see anything in the logs when I query.

Zone allows any to query it.




What does the dig @rider command return for SRV queries?

Don't mind SRV records for now; it returns no record at all, 
it forwards and caches but not for the domain itself.
On rider (it suffices to point to another member server and 
the records are there):


$ dig +qr any .xx.xx..xx.xx.x. @10.5.6.100

; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7_2.4 <<>> +qr any .xx.xx..xx.xx.x. @10.5.6.100

;; global options: +cmd
;; Sending:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36196
;; flags: rd ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;.xx.xx..xx.xx.x. IN ANY

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 36196
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;.xx.xx..xx.xx.x. IN ANY

;; AUTHORITY SECTION:
.xx.xx.x.  3600  IN  SOA ipreg.xxx.xx.xx.x. hostmaster.xx.xx.x. 1478696070 1800 900 604800 3600

;; Query time: 5 msec
;; SERVER: 10.5.6.100#53(10.5.6.100)
;; WHEN: Wed Nov 09 12:56:16 GMT 2016
;; MSG SIZE  rcvd: 120

I obfuscated FQDNs, but it seems like it forwards to a parent 
domain (to which it's supposed to, by dnsforwardzone).
And like I mentioned earlier, when I do dnszone-find, etc. (on 
rider) it's all there.




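The work5 entries in the listing above are the kind of leftover worth checking for automatically after a server is uninstalled, since clients following a stale SRV record are sent to a host that no longer belongs to the domain. The script below is an added example (not from this thread or the FreeIPA project): it parses `ipa dnsrecord-find` output, treats the zone's NS hosts as the live server set unless a list is supplied, and renders `ipa dnsrecord-del ... --srv-rec` commands for an admin to review. The zone and host names are constructed.

```python
"""Find SRV records in `ipa dnsrecord-find` output whose target host is no
longer one of the zone's servers (work5 in the thread above), so they can be
removed instead of pointing clients at a host that no longer exists."""
import re
from collections import defaultdict

# Constructed sample in the shape of the listing quoted in the thread, with
# the line wrapping the mail client added (names and hosts are made up).
SAMPLE = """\
  Record name: @
  NS record: swir.example.test., rider.example.test.,
 dzien.example.test., whale.example.test.

  Record name: _kerberos
  TXT record: EXAMPLE.TEST

  Record name:
_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs
  SRV record: 0 100 88 rider, 0 100 88 work5

  Record name: _ldap._tcp.dc._msdcs
  SRV record: 0 100 389 rider, 0 100 389 work5

  Record name: _kerberos._udp.dc._msdcs
  SRV record: 0 100 88 rider, 0 100 88 work5

  Record name: _kerberos._tcp
  SRV record: 0 100 88 whale, 0 100 88 dzien, 0 100 88
rider, 0 100 88 swir
"""

NAME_RE = re.compile(r"^\s*Record name:\s*(?P<name>\S*)\s*$")
RDATA_RE = re.compile(r"^\s*(?P<type>[A-Z]+) record:\s*(?P<rdata>.*)$")


def parse_records(text):
    """Return {record_name: {rtype: [rdata, ...]}}, tolerating names and
    rdata lists that were wrapped onto a following line."""
    raw = defaultdict(lambda: defaultdict(str))
    name, rtype, want_name = None, None, False
    for line in text.splitlines():
        if not line.strip():
            continue
        if want_name:                       # name was wrapped to its own line
            name, want_name = line.strip(), False
            continue
        m = NAME_RE.match(line)
        if m:
            name, rtype = m.group("name") or None, None
            want_name = name is None
            continue
        m = RDATA_RE.match(line)
        if m and name is not None:
            rtype = m.group("type")
            raw[name][rtype] += " " + m.group("rdata")
        elif name is not None and rtype is not None:
            raw[name][rtype] += " " + line.strip()   # continuation of rdata
    return {n: {t: [x.strip() for x in v.split(",") if x.strip()]
                for t, v in types.items()} for n, types in raw.items()}


def host_label(name):
    """First label, so 'rider.example.test.' and 'rider' compare equal."""
    return name.rstrip(".").split(".")[0].lower()


def find_stale_srv(text, live_hosts=None):
    """Return (record name, rdata) for every SRV whose target is not a live
    host. With live_hosts=None the zone's NS set stands in for the server
    list (assumption: every IPA DNS server is an NS for the apex)."""
    records = parse_records(text)
    if live_hosts is None:
        live_hosts = records.get("@", {}).get("NS", [])
    live = {host_label(h) for h in live_hosts}
    stale = []
    for name, by_type in records.items():
        for rdata in by_type.get("SRV", []):
            fields = rdata.split()           # priority weight port target
            if len(fields) == 4 and host_label(fields[3]) not in live:
                stale.append((name, rdata))
    return stale


def deletion_commands(zone, stale):
    """Render one `ipa dnsrecord-del` per stale rdata for an admin to review;
    --srv-rec removes only that value and leaves the other targets alone."""
    return ["ipa dnsrecord-del %s %s --srv-rec='%s'" % (zone, name, rdata)
            for name, rdata in stale]


if __name__ == "__main__":
    for cmd in deletion_commands("example.test.", find_stale_srv(SAMPLE)):
        print(cmd)
```

Feed it the real `ipa dnsrecord-find ZONE` output and pass `live_hosts` from `ipa server-find` when the NS set is not maintained for every server.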


Re: [Freeipa-users] SRV (mixed?) records

2016-11-09 Thread Martin Basti



On 09.11.2016 14:11, lejeczek wrote:



I'm lost now, I don't understand you, you told me that resolving on 
'rider' server doesn't work, then you write me that it is expected 
because you have forwardzone set, but you cannot have forwardzone and 
master zone for the same domain, IPA doesn't allow it, so I have no idea 
what is not working for you. (You didn't make it easier by obfuscating 
output)


Martin



[Freeipa-users] IDM server doesn't boot after update to RHEL 7.3

2016-11-09 Thread Prasun Gera
It looks like something is messed up in the systemd configuration after
7.3. My system doesn't boot at all. The boot screen would display the
message: "Failed to register match for Disconnected message: Connection
timed out". After some trial and error, I've managed to boot it. Here's
what works right now: 1) Boot into system rescue target with debug shell 2)
start sssd 3) isolate graphical.target

I have a replica which I haven't upgraded to 7.3 yet. So I can compare the
two systems to isolate the problem.

Re: [Freeipa-users] system to pick up pa user-mod --uid change - how long?

2016-11-09 Thread Lukas Slebodnik
On (08/11/16 15:09), Brian Candler wrote:
>On 08/11/2016 13:57, lejeczek wrote:
>> I've changed an uid of a.user but system: $ id a.user - still shows old
>> id.
>> When is the system supposed to notice that change?
>
>You might want to force the cache to expire early. Try:
>
>sss_cache -U
>
>or
>
>sss_cache -u 
>
>(I'm afraid I don't know what the automatic expiry time is)
>
In the worst case, it would be 1.5 hours by default.
That's the reason why there is a utility, sss_cache.

LS



Re: [Freeipa-users] SRV (mixed?) records

2016-11-09 Thread lejeczek



On 09/11/16 13:48, Martin Basti wrote:



I'm lost now, I don't understand you, you told me that 
resolving on 'rider' server doesn't work, then you write 
me that it is expected because you have forwardzone set, 
but you cannot have forwardzone and master zone for the 
same domain, IPA doesn't allow it, so I have no idea what 
is not working for you. (You didn't make it easier by 
obfuscating output)


Martin


no no, sorry, I mean - it forwards whereas it should be 
authoritative for its own FQDN.
I realize it is not obvious after I obfuscated the output, 
but here:


;; AUTHORITY SECTION:
.xx.xx.x.  3600  IN  SOA ipreg.xxx.xx.xx.x. hostmaster.xx.xx.x. 1478696070 1800 900 604800 3600


this looks like the only domain which is a dnsforwardzone, 
everything else is dnszone


parent.xx.xx. - is the only forward
private.my.parent.xx.xx - it is IPA domain & dnszone

I query 

Re: [Freeipa-users] SRV (mixed?) records

2016-11-09 Thread Martin Basti



On 09.11.2016 15:33, lejeczek wrote:




Re: [Freeipa-users] SRV (mixed?) records

2016-11-09 Thread Martin Basti



On 09.11.2016 12:15, lejeczek wrote:



Martin, would you be able to suggest a way to troubleshoot that problem, 
that one (only) server (rider) seems to present no data for the whole 
domain? Remaining servers correctly respond to any queries. One 
curious thing is that I run $rndc trace 6; and (I see the debug level changed 
in journalctl) I do not see anything in the logs when I query.

Zone allows any to query it.




What does the dig @rider command return for SRV queries?



Re: [Freeipa-users] Package naming conflicts with update to RHEL 7.3

2016-11-09 Thread Prasun Gera
Thanks Martin. That bug report is private. I take it that it's not very
serious?

On Mon, Nov 7, 2016 at 3:12 AM, Martin Babinsky wrote:

> On 11/07/2016 01:31 AM, Prasun Gera wrote:
>
>> Getting this in yum check all after update to 7.3
>>
>> ipa-client-4.4.0-12.el7.x86_64 has installed conflicts freeipa-client:
>> ipa-client-4.4.0-12.el7.x86_64
>> ipa-client-common-4.4.0-12.el7.noarch has installed conflicts
>> freeipa-client-common: ipa-client-common-4.4.0-12.el7.noarch
>> ipa-common-4.4.0-12.el7.noarch has installed conflicts freeipa-common:
>> ipa-common-4.4.0-12.el7.noarch
>> ipa-python-compat-4.4.0-12.el7.noarch has installed conflicts
>> freeipa-python-compat: ipa-python-compat-4.4.0-12.el7.noarch
>>
>>
>>
>>
> Hi Prasun,
>
> That is a false positive caused by a bug in yum, see
> https://bugzilla.redhat.com/show_bug.cgi?id=1370134
>
> --
> Martin^3 Babinsky
>

Re: [Freeipa-users] What is the use of /etc/krb5.conf?

2016-11-09 Thread Ask Stack
Thanks Martin, and I always forget I can man a conf file.  

On Tuesday, November 8, 2016 12:09 PM, Martin Babinsky wrote:

On 11/08/2016 05:13 PM, Ask Stack wrote:
> I thought /etc/krb5.conf controls which kerberos server the clients talk
> to.
>
> As a test, I removed /etc/krb5.conf and rebooted the client. After
> reboot, I can still log in and "kinit user" .
> Removing /etc/krb5.keytab, however would stop user from logging in and
> sssd to start.
>
>
>

/etc/krb5.conf configures the Kerberos client library: it instructs the 
client about which realm it should use, whether to use DNS discovery or 
a static list of KDCs, and the mapping between DNS domains and realms.

Read `man krb5.conf' for more info.

sssd stores plenty of information about the Kerberos realm in its own 
configuration (realm, DNS discovery etc.), so it can authenticate the 
user even without a valid krb5.conf (as you observed).

However, to pull in user info from the authoritative source (IPA LDAP), sssd 
authenticates against IPA as the host principal using /etc/krb5.keytab; 
that's why it stopped working and refused to start after you removed it.

-- 
Martin^3 Babinsky



   -- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
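The three things Martin lists (realm selection, DNS discovery versus a static KDC list, and the domain-to-realm mapping) can be read straight out of the file. The following is an added example, not code from the thread or from FreeIPA: a small krb5.conf reader that answers those questions for a constructed file modelled on the layout ipa-client-install writes; the realm, hostnames and paths in it are made up.

```python
"""Answer, from a krb5.conf, what the Kerberos client library will do:
which realm a hostname maps to and where the KDCs for a realm come from."""

# Constructed krb5.conf modelled on the layout ipa-client-install writes
# (realm, hosts and paths are made up; assumption, not copied from a client).
SAMPLE_KRB5_CONF = """\
[libdefaults]
  default_realm = EXAMPLE.TEST
  dns_lookup_realm = false
  dns_lookup_kdc = false
  rdns = false
  ticket_lifetime = 24h
  forwardable = true
  default_ccache_name = KEYRING:persistent:%{uid}

[realms]
  EXAMPLE.TEST = {
    kdc = ipa1.example.test:88
    master_kdc = ipa1.example.test:88
    admin_server = ipa1.example.test:749
    default_domain = example.test
    pkinit_anchors = FILE:/etc/ipa/ca.crt
  }

[domain_realm]
  .example.test = EXAMPLE.TEST
  example.test = EXAMPLE.TEST
"""

# Same client configured for DNS discovery: no static kdc line, lookup on.
DISCOVERY_CONF = SAMPLE_KRB5_CONF.replace(
    "dns_lookup_kdc = false", "dns_lookup_kdc = true").replace(
    "    kdc = ipa1.example.test:88\n", "")


def parse_krb5_conf(text):
    """Minimal krb5.conf reader: [sections], key = value (repeated keys such
    as kdc accumulate into a list) and key = { ... } subsections."""
    conf, stack = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            stack = [conf.setdefault(line[1:-1], {})]
            continue
        if line == "}":
            stack.pop()
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if value == "{":
            stack.append(stack[-1].setdefault(key, {}))
        else:
            stack[-1].setdefault(key, []).append(value)
    return conf


def realm_for_host(conf, hostname):
    """[domain_realm] lookup the way libkrb5 does it: the exact hostname
    first, then each parent domain written with a leading dot, longest match
    first. None means no static mapping (libkrb5 would then try a referral)."""
    mapping = {k.lower(): v[0] for k, v in conf.get("domain_realm", {}).items()}
    host = hostname.lower().rstrip(".")
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        candidate = "." + ".".join(labels[i:])
        if candidate in mapping:
            return mapping[candidate]
    return None


def kdc_discovery(conf, realm):
    """Where the client will look for KDCs of realm: the static kdc list in
    [realms] wins; DNS SRV lookup is used only when no kdc is listed and
    dns_lookup_kdc is on (its libkrb5 default is true)."""
    static = conf.get("realms", {}).get(realm, {}).get("kdc", [])
    if static:
        return ("static", list(static))
    flag = conf.get("libdefaults", {}).get("dns_lookup_kdc", ["true"])[0]
    if flag.lower() in ("true", "yes", "1"):
        return ("dns-srv", ["_kerberos._tcp." + realm.lower() + ".",
                            "_kerberos._udp." + realm.lower() + "."])
    return ("none", [])


if __name__ == "__main__":
    for text in (SAMPLE_KRB5_CONF, DISCOVERY_CONF):
        conf = parse_krb5_conf(text)
        realm = conf["libdefaults"]["default_realm"][0]
        print(realm, realm_for_host(conf, "box.lab.example.test"),
              kdc_discovery(conf, realm))
```

The DNS-SRV case is exactly where the `_kerberos._tcp` and `_kerberos._udp` records discussed in the SRV thread on this page matter: with discovery on and no static `kdc` line, a stale or missing SRV record changes which hosts a client will contact.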

Re: [Freeipa-users] SRV (mixed?) records

2016-11-09 Thread lejeczek



On 09/11/16 14:35, Martin Basti wrote:



On 09.11.2016 15:33, lejeczek wrote:



On 09/11/16 13:48, Martin Basti wrote:



On 09.11.2016 14:11, lejeczek wrote:



On 09/11/16 12:43, Martin Basti wrote:



On 09.11.2016 12:15, lejeczek wrote:



On 08/11/16 19:37, Martin Basti wrote:



On 08.11.2016 19:41, lejeczek wrote:

hi everyone
when I look at my domain I see something which 
seems inconsistent to me (eg. work5 is not part of 
the domain, was --uninstalled)

Do these record need fixing?
I'm asking becuase one of the servers, despite the 
fact the ipa dns related toolkit(on that server) 
shows zone & records, to dig/host/etc. presents 
nothing, empty responses!??


$ ipa dnsrecord-find xx.xx.xx.xx.x.
  Record name: @
  NS record: swir.xx.xx.xx.xx.x., 
rider.xx.xx.xx.xx.x.,
 dzien.xx.xx.xx.xx.x., 
whale.xx.xx.xx.xx.x.


  Record name: _kerberos
  TXT record: .xx.xx..xx.xx.x

  Record name: 
_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs 


  SRV record: 0 100 88 rider, 0 100 88 work5

  Record name: 
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs

  SRV record: 0 100 389 rider, 0 100 389 work5

  Record name: 
_kerberos._udp.Default-First-Site-Name._sites.dc._msdcs 


  SRV record: 0 100 88 rider, 0 100 88 work5

  Record name: _kerberos._tcp.dc._msdcs
  SRV record: 0 100 88 rider, 0 100 88 work5

  Record name: _ldap._tcp.dc._msdcs
  SRV record: 0 100 389 rider, 0 100 389 work5

  Record name: _kerberos._udp.dc._msdcs
  SRV record: 0 100 88 rider, 0 100 88 work5

  Record name: _kerberos._tcp
  SRV record: 0 100 88 whale, 0 100 88 dzien, 0 100 
88 rider, 0 100 88 swir


  Record name: _kerberos-master._tcp
  SRV record: 0 100 88 whale, 0 100 88 dzien, 0 100 
88 rider, 0 100 88 swir


  Record name: _kpasswd._tcp
  SRV record: 0 100 464 rider, 0 100 464 swir, 0 
100 464 dzien, 0 100 464 whale


  Record name: _ldap._tcp
  SRV record: 0 100 389 swir, 0 100 389 dzien, 0 
100 389 whale, 0 100 389 rider


  Record name: _kerberos._udp
  SRV record: 0 100 88 whale, 0 100 88 dzien, 0 100 
88 rider, 0 100 88 swir


  Record name: _kerberos-master._udp
  SRV record: 0 100 88 whale, 0 100 88 dzien, 0 100 
88 rider, 0 100 88 swir


  Record name: _kpasswd._udp
  SRV record: 0 100 464 rider, 0 100 464 swir, 0 
100 464 dzien, 0 100 464 whale


  Record name: _ntp._udp
  SRV record: 0 100 123 dzien, 0 100 123 rider, 0 
100 123 whale, 0 100 123 swir


thanks.
L.




Hello,

if server work5 is uninstalled, then work5 SRV 
records should be removed.


Martin


Martin, would you be able suggest a way to 
troubleshoot that problem that one (only) server 
(rider) seems to present no data for the whole 
domain? Remaining servers correctly respond to any 
queries. One curious thing is that I $rndc trace 6; 
and (I see debug level changed in journalctl) I do 
not see anything in the logs when I query.

Zone allows any to query it.




What dig @rider  command returns for SRV queries?

don't mind SRV records for now, it returns no record at 
all, it forwards and caches but not for the domain itself.
on rider (suffice I point to other member server and 
records are there)


$ dig +qr any .xx.xx..xx.xx.x. @10.5.6.100

; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7_2.4 <<>> +qr any 
.xx.xx..xx.xx.x. @10.5.6.100

;; global options: +cmd
;; Sending:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36196
;; flags: rd ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, 
ADDITIONAL: 1


;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;.xx.xx..xx.xx.x. IN ANY

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 36196
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, 
ADDITIONAL: 1


;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;.xx.xx..xx.xx.x. IN ANY

;; AUTHORITY SECTION:
.xx.xx.x.  3600  IN  SOA ipreg.xxx.xx.xx.x. 
hostmaster.xx.xx.x. 1478696070 1800 900 604800 3600


;; Query time: 5 msec
;; SERVER: 10.5.6.100#53(10.5.6.100)
;; WHEN: Wed Nov 09 12:56:16 GMT 2016
;; MSG SIZE  rcvd: 120

I obfuscated FQDNs, but it seems like it forwards to a 
parent domain (to which it's supposed to, by dnsforwardzone). 
And like I mentioned earlier, when I do dnszone-find, etc. 
(on rider), it's all there.






I'm lost now, I don't understand you. You told me that 
resolving on the 'rider' server doesn't work, then you write 
to me that it is expected because you have a forwardzone set, 
but you cannot have a forwardzone and a master zone for the 
same domain, IPA doesn't allow it, so I have no idea 
what is not working for you. (You didn't make it easier 
by obfuscating the output.)


Martin


No no, sorry, I mean: it forwards whereas it should be 
authoritative for its own FQDN.
I realize it is not obvious after I obfuscated the 
output, but here:


;; AUTHORITY SECTION:
.xx.xx.x.  3600  IN  SOA ipreg.xxx.xx.xx.x. 
hostmaster.xx.xx.x. 1478696070 1800 900 604800 3600


this looks like the only domain which is a dnsforwardzone; 
everything else is a dnszone


parent.xx.xx. - is 

Re: [Freeipa-users] Setting "preserve" as default action when deleting in webUI

2016-11-09 Thread Sébastien Julliot
Hello Pavel,


Yes I did. "PRESERVE.JS WAS EXECUTED" is printed in my browser's
console, and yet "delete" ("supprimer", in French) is still the
default (as you can see in the linked image).


Le 31/10/2016 à 16:18, Pavel Vomacka a écrit :
> Hello Sebastien,
>
> I tried your plugin and it works correctly. Default value is Preserve
> with your plugin. Did you copy your plugin into
> /var/share/ipa/ui/js/plugins/plugin_name/plugin_name.js ? That should
> be enough.
>
>
> On 10/28/2016 12:14 AM, Sebastien Julliot wrote:
>> Hello guys,
>>
>>
>> Thank you for your answers. First, I was able to modify the minified js
>> to change the default. Ugly solution, but it works for now.
>>
>> I am trying to write a plugin but it seems that I missed something here
>> since, despite being executed, the default is not changed...
>>
>> Here is my code, freely inspired by what I think I understood of your
>> 'association_search_fix.js' example:
>>
>> define([
>>     'freeipa/ipa',
>>     'freeipa/user'
>> ],
>> function(IPA, user) {
>>
>>     // Module export object (declared with var so it does not leak
>>     // into the global scope).
>>     var exp = {};
>>
>>     // Keep a reference to the stock dialog builder.
>>     exp.orig_create_active_user_del_dialog =
>>         IPA.user.create_active_user_del_dialog;
>>
>>     // Replacement builder: same widgets as the stock one, but the
>>     // radio widget's default_value is 'true' (preserve) instead of
>>     // 'false' (delete).
>>     IPA.user.create_active_user_del_dialog = function(dialog) {
>>
>>         dialog.deleter_dialog_create_content();
>>
>>         dialog.option_layout = IPA.fluid_layout({
>>             label_cls: 'col-sm-3',
>>             widget_cls: 'col-sm-9'
>>         });
>>
>>         dialog.option_radio = IPA.radio_widget({
>>             name: 'preserve',
>>             label: '@i18n:objects.user.delete_mode',
>>             options: [
>>                 { label: '@i18n:objects.user.mode_delete', value: 'false' },
>>                 { label: '@i18n:objects.user.mode_preserve', value: 'true' }
>>             ],
>>             default_value: 'true'
>>         });
>>
>>         var html = dialog.option_layout.create([dialog.option_radio]);
>>         dialog.container.append(html);
>>         dialog.option_radio.set_value(['']);
>>
>>         return dialog;
>>     };
>>
>>     //exp.orig_create_active_user_del_dialog =
>>     //    IPA.user.create_active_user_del_dialog;
>>
>>     console.log('PRESERVE.JS WAS EXECUTED');
>>
>>     return exp;
>> });
>>
>> I checked that enabling or disabling the comment does not change anything.
>>
>>
>> Can you see what I missed here?
>>
>>
>> Thanks a lot,
>>
>> Sebastien Julliot.
>>
>>
>


Re: [Freeipa-users] FreeIPA + DHCP-LDAP - Fedora 24 - broken

2016-11-09 Thread Raul Dias



Do you mean that dhcpd on Ubuntu is configured against the very same FreeIPA
server?

yes.  Testing both on VMs with a private network.

Are you sure that dhcpd is using the same credentials to BIND to LDAP? There
might be an access control issue if different hosts use different credentials
or so. It would help if you described how you bound to LDAP using ldapsearch.

Yes.

To make sure, I am using the ipa admin credentials.

On both hosts I can do a
$ ldapsearch -x

and retrieve the ldif info.

running on both:
$ strace -e trace=network dhcpd -d

I get this line on the Ubuntu host:
socket(AF_INET, SOCK_STREAM, IPPROTO_IP) = 5
setsockopt(5, SOL_SOCKET, SO_KEEPALIVE, [1], 4) = 0
setsockopt(5, SOL_TCP, TCP_NODELAY, [1], 4) = 0
connect(5, {sa_family=AF_INET, sin_port=htons(389),
sin_addr=inet_addr("192.168.1.138")}, 16) = 0

On the Fedora host (FreeIPA server), there is no attempt to connect at all.
I thought that it might be trying to use a socket, but there is still no
attempt even with an outside IP as host.

There is one difference between the Fedora and Ubuntu dhcpds. On Ubuntu,
there is a separate ldap package for dhcp-server
(isc-dhcp-server-ldap). On Fedora it is supposedly merged into the same
binary in dhcp-server (dhcp-server-4.3.4-3.fc24.x86_64).

That's why it would be a good start for me to know that someone else
uses dhcpd with ldap on Fedora.

-rsd





[Freeipa-users] bind-dyndb-ldap and replication requirements

2016-11-09 Thread Brendan Kearney
I am asking this for a friend who is trying to figure out how to get 
bind-dyndb-ldap working against OpenLDAP on Ubuntu. She does not have 
replication between two or more LDAP instances, and needs to figure out 
the minimum requirements for bind-dyndb-ldap. I have been trying to 
help her, but I am unsure about what is needed, as I have n-way 
multi-master replication working already.


Can anyone provide what the replication requirements are for 
bind-dyndb-ldap? Currently, the SyncRepl module is loaded and the 
overlay is created and configured for the mdb. I have tried to help get 
olcServerID and olcMirrorMode set in cn=config and 
olcDatabase={2}mdb,cn=config respectively, but some errors were 
encountered there. Is there a best-practices doc that we can review?


The environment, as best I can tell, is Ubuntu, OpenLDAP 2.4.42 and BIND 
9. Exact OS and BIND versions are not known right now.


thanks,

brendan kearney



Re: [Freeipa-users] SRV (mixed?) records

2016-11-09 Thread lejeczek



On 08/11/16 19:37, Martin Basti wrote:



On 08.11.2016 19:41, lejeczek wrote:

hi everyone
when I look at my domain I see something which seems 
inconsistent to me (eg. work5 is not part of the domain, 
was --uninstalled)

Do these records need fixing?
I'm asking because one of the servers, despite the fact that 
the ipa dns related toolkit (on that server) shows the zone & 
records, presents nothing to dig/host/etc., empty 
responses!??


$ ipa dnsrecord-find xx.xx.xx.xx.x.
  Record name: @
  NS record: swir.xx.xx.xx.xx.x., rider.xx.xx.xx.xx.x.,
 dzien.xx.xx.xx.xx.x., whale.xx.xx.xx.xx.x.

  Record name: _kerberos
  TXT record: .xx.xx..xx.xx.x

  Record name: 
_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs

  SRV record: 0 100 88 rider, 0 100 88 work5

  Record name: 
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs

  SRV record: 0 100 389 rider, 0 100 389 work5

  Record name: 
_kerberos._udp.Default-First-Site-Name._sites.dc._msdcs

  SRV record: 0 100 88 rider, 0 100 88 work5

  Record name: _kerberos._tcp.dc._msdcs
  SRV record: 0 100 88 rider, 0 100 88 work5

  Record name: _ldap._tcp.dc._msdcs
  SRV record: 0 100 389 rider, 0 100 389 work5

  Record name: _kerberos._udp.dc._msdcs
  SRV record: 0 100 88 rider, 0 100 88 work5

  Record name: _kerberos._tcp
  SRV record: 0 100 88 whale, 0 100 88 dzien, 0 100 88 
rider, 0 100 88 swir


  Record name: _kerberos-master._tcp
  SRV record: 0 100 88 whale, 0 100 88 dzien, 0 100 88 
rider, 0 100 88 swir


  Record name: _kpasswd._tcp
  SRV record: 0 100 464 rider, 0 100 464 swir, 0 100 464 
dzien, 0 100 464 whale


  Record name: _ldap._tcp
  SRV record: 0 100 389 swir, 0 100 389 dzien, 0 100 389 
whale, 0 100 389 rider


  Record name: _kerberos._udp
  SRV record: 0 100 88 whale, 0 100 88 dzien, 0 100 88 
rider, 0 100 88 swir


  Record name: _kerberos-master._udp
  SRV record: 0 100 88 whale, 0 100 88 dzien, 0 100 88 
rider, 0 100 88 swir


  Record name: _kpasswd._udp
  SRV record: 0 100 464 rider, 0 100 464 swir, 0 100 464 
dzien, 0 100 464 whale


  Record name: _ntp._udp
  SRV record: 0 100 123 dzien, 0 100 123 rider, 0 100 123 
whale, 0 100 123 swir


thanks.
L.




Hello,

if server work5 is uninstalled, then work5 SRV records 
should be removed.


Martin


Martin, would you be able to suggest a way to troubleshoot the 
problem that one (only) server (rider) seems to present no 
data for the whole domain? The remaining servers correctly 
respond to any queries. One curious thing is that I $rndc 
trace 6; and (I see the debug level changed in journalctl) I do 
not see anything in the logs when I query.

Zone allows any to query it.


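As an added example (not code from the thread or from FreeIPA), the consistency check Martin's reply implies: it parses "ipa dnsrecord-find" output in the format shown above and reports SRV targets that are not among the zone's NS records, which is how a leftover entry for an uninstalled server such as work5 shows up. The zone and host names in the embedded sample are constructed.

```python
"""Cross-check `ipa dnsrecord-find` output: report SRV targets that are no
longer NS of the zone (stale entries, such as work5 after --uninstall)."""
import re
from collections import defaultdict

# Constructed sample in the format the thread shows (made-up zone and hosts;
# work5 is the stale server, and the NS list is wrapped the way the CLI does).
SAMPLE_ZONE = "ipa.example.test."
SAMPLE_OUTPUT = """\
  Record name: @
  NS record: swir.ipa.example.test., rider.ipa.example.test.,
 dzien.ipa.example.test., whale.ipa.example.test.

  Record name: _kerberos._tcp.dc._msdcs
  SRV record: 0 100 88 rider, 0 100 88 work5

  Record name: _kerberos._tcp
  SRV record: 0 100 88 whale, 0 100 88 dzien, 0 100 88 rider, 0 100 88 swir
"""

NAME_RE = re.compile(r"^\s*Record name:\s*(\S+)\s*$")
ATTR_RE = re.compile(r"^\s*([A-Z]+) record:\s*(.*)$")


def parse_dnsrecord_find(text):
    """Return {record_name: {rrtype: [value, ...]}} from the CLI output."""
    records = defaultdict(lambda: defaultdict(list))
    name = rrtype = None
    for line in text.splitlines():
        m = NAME_RE.match(line)
        if m:
            name, rrtype = m.group(1), None
            continue
        m = ATTR_RE.match(line)
        if m:
            rrtype, payload = m.groups()
        elif name is None or rrtype is None:
            continue  # preamble such as the command line itself
        else:
            payload = line  # wrapped continuation (a blank line adds nothing)
        values = [v.strip() for v in payload.split(",") if v.strip()]
        records[name][rrtype].extend(values)
    return records

def short_host(target, zone):
    """'rider.ipa.example.test.' or 'rider' -> 'rider'."""
    target, zone = target.rstrip("."), zone.rstrip(".")
    return target[: -len(zone) - 1] if target.endswith("." + zone) else target

def stale_srv_targets(records, zone):
    """Map SRV record name -> sorted SRV targets that are not NS of the zone."""
    servers = {short_host(ns, zone) for ns in records.get("@", {}).get("NS", [])}
    stale = {}
    for name, attrs in records.items():
        targets = {short_host(v.split()[-1], zone) for v in attrs.get("SRV", [])}
        if targets - servers:
            stale[name] = sorted(targets - servers)
    return stale

if __name__ == "__main__":
    recs = parse_dnsrecord_find(SAMPLE_OUTPUT)
    for rname, bad in sorted(stale_srv_targets(recs, SAMPLE_ZONE).items()):
        print(f"{rname}: SRV target(s) not among the zone's NS: {', '.join(bad)}")
```

Run it against the real output with the zone name as SAMPLE_ZONE and every record it reports is a candidate for "ipa dnsrecord-del".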


Re: [Freeipa-users] SRV (mixed?) records

2016-11-09 Thread Petr Spacek
On 9.11.2016 16:57, lejeczek wrote:
> 
> 
> On 09/11/16 14:35, Martin Basti wrote:
>>
>>
>> On 09.11.2016 15:33, lejeczek wrote:
>>>
>>>
>>> On 09/11/16 13:48, Martin Basti wrote:


 On 09.11.2016 14:11, lejeczek wrote:
>
>
> On 09/11/16 12:43, Martin Basti wrote:
>>
>>
>> On 09.11.2016 12:15, lejeczek wrote:
>>>
>>>
>>> On 08/11/16 19:37, Martin Basti wrote:


 On 08.11.2016 19:41, lejeczek wrote:
> hi everyone
> when I look at my domain I see something which seems inconsistent to
> me (eg. work5 is not part of the domain, was --uninstalled)
> Do these records need fixing?
> I'm asking because one of the servers, despite the fact that the ipa dns
> related toolkit (on that server) shows the zone & records, presents
> nothing to dig/host/etc., empty responses!??
>
> $ ipa dnsrecord-find xx.xx.xx.xx.x.
>   Record name: @
>   NS record: swir.xx.xx.xx.xx.x., rider.xx.xx.xx.xx.x.,
>  dzien.xx.xx.xx.xx.x., whale.xx.xx.xx.xx.x.
>
>   Record name: _kerberos
>   TXT record: .xx.xx..xx.xx.x
>
>   Record name: _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs
>   SRV record: 0 100 88 rider, 0 100 88 work5
>
>   Record name: _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs
>   SRV record: 0 100 389 rider, 0 100 389 work5
>
>   Record name: _kerberos._udp.Default-First-Site-Name._sites.dc._msdcs
>   SRV record: 0 100 88 rider, 0 100 88 work5
>
>   Record name: _kerberos._tcp.dc._msdcs
>   SRV record: 0 100 88 rider, 0 100 88 work5
>
>   Record name: _ldap._tcp.dc._msdcs
>   SRV record: 0 100 389 rider, 0 100 389 work5
>
>   Record name: _kerberos._udp.dc._msdcs
>   SRV record: 0 100 88 rider, 0 100 88 work5
>
>   Record name: _kerberos._tcp
>   SRV record: 0 100 88 whale, 0 100 88 dzien, 0 100 88 rider, 0 100
> 88 swir
>
>   Record name: _kerberos-master._tcp
>   SRV record: 0 100 88 whale, 0 100 88 dzien, 0 100 88 rider, 0 100
> 88 swir
>
>   Record name: _kpasswd._tcp
>   SRV record: 0 100 464 rider, 0 100 464 swir, 0 100 464 dzien, 0 100
> 464 whale
>
>   Record name: _ldap._tcp
>   SRV record: 0 100 389 swir, 0 100 389 dzien, 0 100 389 whale, 0 100
> 389 rider
>
>   Record name: _kerberos._udp
>   SRV record: 0 100 88 whale, 0 100 88 dzien, 0 100 88 rider, 0 100
> 88 swir
>
>   Record name: _kerberos-master._udp
>   SRV record: 0 100 88 whale, 0 100 88 dzien, 0 100 88 rider, 0 100
> 88 swir
>
>   Record name: _kpasswd._udp
>   SRV record: 0 100 464 rider, 0 100 464 swir, 0 100 464 dzien, 0 100
> 464 whale
>
>   Record name: _ntp._udp
>   SRV record: 0 100 123 dzien, 0 100 123 rider, 0 100 123 whale, 0
> 100 123 swir
>
> thanks.
> L.
>


 Hello,

 if server work5 is uninstalled, then work5 SRV records should be 
 removed.

 Martin
>>>
>>> Martin, would you be able to suggest a way to troubleshoot the problem
>>> that one (only) server (rider) seems to present no data for the whole
>>> domain? Remaining servers correctly respond to any queries. One curious
>>> thing is that I $rndc trace 6; and (I see debug level changed in
>>> journalctl) I do not see anything in the logs when I query.
>>> Zone allows any to query it.
>>>
>>>
>>
>> What dig @rider  command returns for SRV queries?
>>
> Don't mind SRV records for now; it returns no record at all, it forwards
> and caches but not for the domain itself, on rider (suffice it to say, I point
> to another member server and the records are there).
>
> $ dig +qr any .xx.xx..xx.xx.x. @10.5.6.100
>
> ; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7_2.4 <<>> +qr any .xx.xx..xx.xx.x.
> @10.5.6.100
> ;; global options: +cmd
> ;; Sending:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36196
> ;; flags: rd ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ;; QUESTION SECTION:
> ;.xx.xx..xx.xx.x. IN ANY
>
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 36196
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ;; QUESTION SECTION:
> ;.xx.xx..xx.xx.x. IN ANY
>
> ;; AUTHORITY SECTION:
> .xx.xx.x.  3600  IN  SOA ipreg.xxx.xx.xx.x. hostmaster.xx.xx.x.
> 1478696070 1800 900 604800 

Re: [Freeipa-users] bind-dyndb-ldap and replication requirements

2016-11-09 Thread Petr Spacek
On 10.11.2016 06:43, David Kupka wrote:
> On 10/11/16 01:14, Brendan Kearney wrote:
>> I am asking this for a friend who is trying to figure out how to get
>> bind-dyndb-ldap working against OpenLDAP on Ubuntu. She does not have
>> replication between two or more LDAP instances, and needs to figure out
>> the minimum requirements for bind-dyndb-ldap. I have been trying to
>> help her, but I am unsure about what is needed, as I have n-way
>> multi-master replication working already.
>>
>> Can anyone provide what the replication requirements are for
>> bind-dyndb-ldap? Currently, the SyncRepl module is loaded and the
>> overlay is created and configured for the mdb. I have tried to help get
>> olcServerID and olcMirrorMode set in cn=config and
>> olcDatabase={2}mdb,cn=config respectively, but some errors were
>> encountered there. Is there a best-practices doc that we can review?
>>
>> The environment, as best I can tell, is Ubuntu, OpenLDAP 2.4.42 and BIND
>> 9. Exact OS and BIND versions are not known right now.
>>
>> thanks,
>>
>> brendan kearney
>>
> 
> Hello Brendan,
> I don't have any experience with running OpenLDAP + bind-dyndb-ldap but a quick
> web search showed me this:
> 
> https://blogs.mindspew-age.com/2013/06/07/bind-dns-openldap-mdb-dynamic-domainsub-domain-configuration-of-dns/
> 
> 
> The article is about CentOS 6 and more than 3 years old but still might be
> helpful because it's mainly about Bind 9 configuration.

This article is not applicable to new versions of bind-dyndb-ldap, the new
versions require SyncRepl.

Any OpenLDAP article about setting SyncRepl provider will suffice,
bind-dyndb-ldap does not require anything special on OpenLDAP side.

You can use the following command to test whether SyncRepl works and access
control is correct:

$ ldapsearch -h ldap.example.com -D "uid=bind-user,cn=users,${BASE}" -w root4lab \
    -E sync=rp -b "cn=dns,${BASE}" \
    '(|(objectClass=idnsConfigObject)(objectClass=idnsZone)(objectClass=idnsForwardZone)(objectClass=idnsRecord))'

-- 
Petr^2 Spacek



Re: [Freeipa-users] bind-dyndb-ldap and replication requirements

2016-11-09 Thread David Kupka

On 10/11/16 01:14, Brendan Kearney wrote:

I am asking this for a friend who is trying to figure out how to get
bind-dyndb-ldap working against OpenLDAP on Ubuntu. She does not have
replication between two or more LDAP instances, and needs to figure out
the minimum requirements for bind-dyndb-ldap. I have been trying to
help her, but I am unsure about what is needed, as I have n-way
multi-master replication working already.

Can anyone provide what the replication requirements are for
bind-dyndb-ldap? Currently, the SyncRepl module is loaded and the
overlay is created and configured for the mdb. I have tried to help get
olcServerID and olcMirrorMode set in cn=config and
olcDatabase={2}mdb,cn=config respectively, but some errors were
encountered there. Is there a best-practices doc that we can review?

The environment, as best I can tell, is Ubuntu, OpenLDAP 2.4.42 and BIND
9. Exact OS and BIND versions are not known right now.

thanks,

brendan kearney



Hello Brendan,
I don't have any experience with running OpenLDAP + bind-dyndb-ldap but a 
quick web search showed me this:


https://blogs.mindspew-age.com/2013/06/07/bind-dns-openldap-mdb-dynamic-domainsub-domain-configuration-of-dns/

The article is about CentOS 6 and more than 3 years old but still might 
be helpful because it's mainly about Bind 9 configuration.


--
David Kupka



[Freeipa-users] sssd failed with 'ldap_sasl_bind failed (-2)[Local error]'

2016-11-09 Thread Matrix
Hi, 

I have installed sssd in a RHEL5 client. 

ipa-client/sssd version:
ipa-client-2.1.3-7.el5
sssd-client-1.5.1-71.el5
sssd-1.5.1-71.el5

sssd failed to get ipa user info with 'ldap_sasl_bind failed (-2)[Local 
error]'. 

(Thu Nov 10 05:52:45 2016) [sssd[be[stg.example.net]]] [sasl_bind_send] (4): 
Executing sasl bind mech: GSSAPI, user: host/client02.stg.example.net
(Thu Nov 10 05:52:45 2016) [sssd[be[stg.example.net]]] [sasl_bind_send] (1): 
ldap_sasl_bind failed (-2)[Local error]
(Thu Nov 10 05:52:45 2016) [sssd[be[stg.example.net]]] [child_sig_handler] (7): 
Waiting for child [7].
(Thu Nov 10 05:52:45 2016) [sssd[be[stg.example.net]]] [child_sig_handler] (4): 
child [7] finished successfully.

I have tried to google to find the root cause. Some links explained it should be 
something wrong with DNS. I have double-checked it. 

# nslookup client02.stg.example.net
Server: 10.2.1.21
Address:10.2.1.21#53

Name:   client02.stg.example.net
Address: 10.2.3.32


# nslookup 10.2.3.32
Server: 10.2.1.21
Address:10.2.1.21#53

32.3.2.10.in-addr.arpa  name = client02.stg.example.net.


# nslookup ipaslave.stg.example.net
Server: 10.2.1.21
Address:10.2.1.21#53

Name:   ipaslave.stg.example.net
Address: 10.2.1.250

# nslookup 10.2.1.250
Server: 10.2.1.21
Address:10.2.1.21#53

250.1.2.10.in-addr.arpa name = ipaslave.stg.example.net.

Any hints or troubleshooting ideas would be appreciated. 

Matrix