[Freeipa-users] guidance and strategies for supporting production use including dev/test IPA systems?
Thanks to support from folks on this list I have a 3-node multi-site replicating FreeIPA system supporting a number of 1-way trusts to various AD Forests. Testing has gone well and it's clear that this "POC" will soon transition to production.

Because of the importance of this system to our environment I'm trying to flesh out a proper strategy for testing upgrades and updates in a way that lets us keep our system highly available and online. And seeing how rapidly this software is being developed w/ new features and how dependent we are on the most recent version (or how badly I want to try the version in RHEL-BETA-3) I think this is a system we will possibly be upgrading somewhat often ...

I understand that replicas can run newer versions of IPA/IDM than the master so that is one path by which we can carefully test updates and patches but I don't think that covers all the scenarios ...

Can anyone share strategies or war stories for how testing is done in support of production IPA/IDM environments? Especially when Trusts need to be set up with many external AD systems? Do people run discrete standalone dev/test IPA domains/realms to create isolated environments or is there some other good strategy that allows testing to be done within the same domain/realm?

Thanks!
-Chris

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] SRV (mixed?) records
On 09/11/16 12:43, Martin Basti wrote:
> On 09.11.2016 12:15, lejeczek wrote:
>> On 08/11/16 19:37, Martin Basti wrote:
>>> On 08.11.2016 19:41, lejeczek wrote:
>>>> hi everyone
>>>>
>>>> when I look at my domain I see something which seems inconsistent to me (eg. work5 is not part of the domain, was --uninstalled)
>>>> Do these records need fixing?
>>>> I'm asking because one of the servers, despite the fact the ipa dns related toolkit (on that server) shows zone & records, to dig/host/etc. presents nothing, empty responses!??
>>>>
>>>> $ ipa dnsrecord-find xx.xx.xx.xx.x.
>>>>   Record name: @
>>>>   NS record: swir.xx.xx.xx.xx.x., rider.xx.xx.xx.xx.x., dzien.xx.xx.xx.xx.x., whale.xx.xx.xx.xx.x.
>>>>
>>>>   Record name: _kerberos
>>>>   TXT record: .xx.xx..xx.xx.x
>>>>
>>>>   Record name: _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs
>>>>   SRV record: 0 100 88 rider, 0 100 88 work5
>>>>
>>>>   Record name: _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs
>>>>   SRV record: 0 100 389 rider, 0 100 389 work5
>>>>
>>>>   Record name: _kerberos._udp.Default-First-Site-Name._sites.dc._msdcs
>>>>   SRV record: 0 100 88 rider, 0 100 88 work5
>>>>
>>>>   Record name: _kerberos._tcp.dc._msdcs
>>>>   SRV record: 0 100 88 rider, 0 100 88 work5
>>>>
>>>>   Record name: _ldap._tcp.dc._msdcs
>>>>   SRV record: 0 100 389 rider, 0 100 389 work5
>>>>
>>>>   Record name: _kerberos._udp.dc._msdcs
>>>>   SRV record: 0 100 88 rider, 0 100 88 work5
>>>>
>>>>   Record name: _kerberos._tcp
>>>>   SRV record: 0 100 88 whale, 0 100 88 dzien, 0 100 88 rider, 0 100 88 swir
>>>>
>>>>   Record name: _kerberos-master._tcp
>>>>   SRV record: 0 100 88 whale, 0 100 88 dzien, 0 100 88 rider, 0 100 88 swir
>>>>
>>>>   Record name: _kpasswd._tcp
>>>>   SRV record: 0 100 464 rider, 0 100 464 swir, 0 100 464 dzien, 0 100 464 whale
>>>>
>>>>   Record name: _ldap._tcp
>>>>   SRV record: 0 100 389 swir, 0 100 389 dzien, 0 100 389 whale, 0 100 389 rider
>>>>
>>>>   Record name: _kerberos._udp
>>>>   SRV record: 0 100 88 whale, 0 100 88 dzien, 0 100 88 rider, 0 100 88 swir
>>>>
>>>>   Record name: _kerberos-master._udp
>>>>   SRV record: 0 100 88 whale, 0 100 88 dzien, 0 100 88 rider, 0 100 88 swir
>>>>
>>>>   Record name: _kpasswd._udp
>>>>   SRV record: 0 100 464 rider, 0 100 464 swir, 0 100 464 dzien, 0 100 464 whale
>>>>
>>>>   Record name: _ntp._udp
>>>>   SRV record: 0 100 123 dzien, 0 100 123 rider, 0 100 123 whale, 0 100 123 swir
>>>>
>>>> thanks.
>>>> L.
>>>
>>> Hello,
>>>
>>> if server work5 is uninstalled, then work5 SRV records should be removed.
>>>
>>> Martin
>>
>> Martin, would you be able to suggest a way to troubleshoot that problem that one (only) server (rider) seems to present no data for the whole domain? Remaining servers correctly respond to any queries.
>> One curious thing is that I $rndc trace 6; and (I see debug level changed in journalctl) I do not see anything in the logs when I query. Zone allows any to query it.
>
> What dig @rider command returns for SRV queries?

don't mind SRV records for now, it returns no record at all, it forwards and caches but not for the domain itself.
on rider (suffice I point to other member server and records are there)

$ dig +qr any .xx.xx..xx.xx.x. @10.5.6.100

; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7_2.4 <<>> +qr any .xx.xx..xx.xx.x. @10.5.6.100
;; global options: +cmd
;; Sending:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36196
;; flags: rd ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;.xx.xx..xx.xx.x. IN ANY

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 36196
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;.xx.xx..xx.xx.x. IN ANY

;; AUTHORITY SECTION:
.xx.xx.x. 3600 IN SOA ipreg.xxx.xx.xx.x. hostmaster.xx.xx.x. 1478696070 1800 900 604800 3600

;; Query time: 5 msec
;; SERVER: 10.5.6.100#53(10.5.6.100)
;; WHEN: Wed Nov 09 12:56:16 GMT 2016
;; MSG SIZE rcvd: 120

I obfuscated FQDNs but it seems like it forwards to a parent domain (to which it's supposed, by dnsforwardzone)
And like I mentioned earlier, I do dnszone-find, etc. (on rider) it's all there.
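An added audit script (not from the thread or from FreeIPA) that performs the two checks discussed above offline on constructed samples: it lists SRV targets that are no longer among the zone's NS hosts (work5 here, the server that was uninstalled) and reads a dig reply to tell whether the answering server was authoritative for the zone or, as in the NXDOMAIN reply posted, handed back a parent zone's SOA. example.test, parent.example and private.my.parent.example stand in for the obfuscated names.

```python
"""Audit helpers for the two symptoms in this thread, run offline on constructed
samples: SRV records still pointing at an uninstalled server (work5), and a
server answering NXDOMAIN for a zone it is listed as an NS of."""
import re
from typing import Dict, List, Set

# Constructed sample in the layout `ipa dnsrecord-find` prints; example.test
# stands in for the obfuscated zone, the host names are the ones from the thread.
IPA_RECORDS = """\
  Record name: @
  NS record: swir.example.test., rider.example.test., dzien.example.test., whale.example.test.

  Record name: _kerberos._tcp.dc._msdcs
  SRV record: 0 100 88 rider, 0 100 88 work5

  Record name: _ldap._tcp.dc._msdcs
  SRV record: 0 100 389 rider, 0 100 389 work5

  Record name: _ldap._tcp
  SRV record: 0 100 389 swir, 0 100 389 dzien, 0 100 389 whale, 0 100 389 rider
"""

# Constructed dig reply shaped like the one posted: NXDOMAIN, no 'aa' flag, and
# the SOA in AUTHORITY belongs to the parent zone rather than the queried one.
DIG_OUTPUT = """\
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 36196
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;private.my.parent.example.    IN    ANY

;; AUTHORITY SECTION:
parent.example.    3600    IN    SOA    ipreg.parent.example. hostmaster.parent.example. 1478696070 1800 900 604800 3600
"""

Records = Dict[str, Dict[str, List[str]]]


def parse_records(text: str) -> Records:
    """Turn dnsrecord-find output into {record name: {rrtype: [rdata, ...]}}."""
    records: Records = {}
    name = None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"Record name: (\S+)$", line)
        if m:
            name = m.group(1)
            records[name] = {}
            continue
        m = re.match(r"(\w+) record: (.+)$", line)
        if m and name is not None:
            rtype, values = m.group(1), m.group(2)
            records[name].setdefault(rtype, []).extend(v.strip() for v in values.split(","))
    return records


def host_label(target: str) -> str:
    """First label of a target, so 'rider.example.test.' and 'rider' compare equal."""
    return target.rstrip(".").split(".")[0].lower()


def stale_srv_targets(records: Records) -> Dict[str, Set[str]]:
    """SRV targets that are not among the zone's NS hosts, keyed by record name.
    The NS set at the apex lists the servers ipa still knows about; an SRV
    target outside it is a leftover from a server that was uninstalled."""
    servers = {host_label(ns) for ns in records.get("@", {}).get("NS", [])}
    stale: Dict[str, Set[str]] = {}
    for name, rrsets in records.items():
        for rdata in rrsets.get("SRV", []):
            target = rdata.split()[-1]          # "priority weight port target"
            if host_label(target) not in servers:
                stale.setdefault(name, set()).add(host_label(target))
    return stale


def same_name(a: str, b: str) -> bool:
    return a.rstrip(".").lower() == b.rstrip(".").lower()


def diagnose_dig(output: str, zone: str) -> Dict[str, object]:
    """Read a dig reply and say whether the answering server spoke with authority
    for `zone`: the 'aa' flag must be set and any SOA returned must be the
    zone's own, not a parent's (which is what a forwarded or recursive miss shows)."""
    flag_lines = re.findall(r";; flags:([^;]*);", output)
    statuses = re.findall(r"status: (\w+)", output)
    flags = set(flag_lines[-1].split()) if flag_lines else set()
    soa = re.search(r"^(\S+)\s+\d+\s+IN\s+SOA\s", output, re.M)
    soa_owner = soa.group(1) if soa else ""
    return {
        "status": statuses[-1] if statuses else "",
        "authoritative": "aa" in flags,
        "soa_owner": soa_owner,
        "serves_zone": bool(soa_owner) and same_name(soa_owner, zone),
    }


if __name__ == "__main__":
    for name, hosts in stale_srv_targets(parse_records(IPA_RECORDS)).items():
        print(f"{name}: SRV target(s) not in NS set: {sorted(hosts)}")
    print(diagnose_dig(DIG_OUTPUT, "private.my.parent.example."))
```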
Re: [Freeipa-users] SRV (mixed?) records
On 09.11.2016 14:11, lejeczek wrote:
> On 09/11/16 12:43, Martin Basti wrote:
>> [...]
>>
>> What dig @rider command returns for SRV queries?
>
> don't mind SRV records for now, it returns no record at all, it forwards and caches but not for the domain itself.
> on rider (suffice I point to other member server and records are there)
>
> $ dig +qr any .xx.xx..xx.xx.x. @10.5.6.100
> [...]
>
> I obfuscated FQDNs but it seems like it forwards to a parent domain (to which it's supposed, by dnsforwardzone)
> And like I mentioned earlier, I do dnszone-find, etc. (on rider) it's all there.

I'm lost now, I don't understand you, you told me that resolving on 'rider' server doesn't work, then you write me that it is expected because you have forwardzone set, but you cannot have forwardzone and master zone for the same domain, IPA doesn't allow it, so I have no idea what is not working for you.
(You didn't make it easier by obfuscating output)

Martin
[Freeipa-users] IDM server doesn't boot after update to RHEL 7.3
It looks like something is messed up in the systemd configuration after 7.3. My system doesn't boot at all. The boot screen would display the message:

"Failed to register match for Disconnected message: Connection timed out".

After some trial and error, I've managed to boot it. Here's what works right now:

1) Boot into system rescue target with debug shell
2) start sssd
3) isolate graphical.target

I have a replica which I haven't upgraded to 7.3 yet. So I can compare the two systems to isolate the problem.
Re: [Freeipa-users] system to pick up pa user-mod --uid change - how long?
On (08/11/16 15:09), Brian Candler wrote:
>On 08/11/2016 13:57, lejeczek wrote:
>> I've changed an uid of a.user but system: $ id a.user - still shows old
>> id.
>> When is the system supposed to notice that change?
>
>You might want to force the cache to expire early. Try:
>
>sss_cache -U
>
>or
>
>sss_cache -u
>
>(I'm afraid I don't know what the automatic expiry time is)
>

In the worst case, it would be 1.5 hours by default. That's the reason why there is a utility sss_cache

LS
Re: [Freeipa-users] SRV (mixed?) records
On 09/11/16 13:48, Martin Basti wrote:
> On 09.11.2016 14:11, lejeczek wrote:
>> [...]
>>
>> I obfuscated FQDNs but it seems like it forwards to a parent domain (to which it's supposed, by dnsforwardzone)
>> And like I mentioned earlier, I do dnszone-find, etc. (on rider) it's all there.
>
> I'm lost now, I don't understand you, you told me that resolving on 'rider' server doesn't work, then you write me that it is expected because you have forwardzone set, but you cannot have forwardzone and master zone for the same domain, IPA doesn't allow it, so I have no idea what is not working for you.
> (You didn't make it easier by obfuscating output)
>
> Martin

no no, sorry, I mean - it forwards whereas it should be authoritative for its own FQDN.
I realize it is not obvious after I obfuscated the output, but here:

;; AUTHORITY SECTION:
.xx.xx.x. 3600 IN SOA ipreg.xxx.xx.xx.x. hostmaster.xx.xx.x. 1478696070 1800 900 604800 3600

this looks like the only domain which is dnsforwardzone, everything else is dnszone

parent.xx.xx. - is the only forward
private.my.parent.xx.xx - it is IPA domain & dnszone I query
Re: [Freeipa-users] SRV (mixed?) records
On 09.11.2016 15:33, lejeczek wrote:
> On 09/11/16 13:48, Martin Basti wrote:
>> [...]
>>
>> I'm lost now, I don't understand you, you told me that resolving on 'rider' server doesn't work, then you write me that it is expected because you have forwardzone set, but you cannot have forwardzone and master zone for the same domain, IPA doesn't allow it, so I have no idea what is not working for you.
>> (You didn't make it easier by obfuscating output)
>>
>> Martin
>
> no no, sorry, I mean - it forwards whereas it should be authoritative for its own FQDN.
> I realize it is not obvious after I obfuscated the output, but here:
>
> ;; AUTHORITY SECTION:
> .xx.xx.x. 3600 IN SOA ipreg.xxx.xx.xx.x. hostmaster.xx.xx.x. 1478696070 1800 900 604800 3600
>
> this looks like the only domain which is dnsforwardzone, everything else is dnszone
>
> parent.xx.xx. - is the only forward
> private.my.parent.xx.xx - it is IPA domain &
Re: [Freeipa-users] SRV (mixed?) records
On 09.11.2016 12:15, lejeczek wrote:
> On 08/11/16 19:37, Martin Basti wrote:
>> On 08.11.2016 19:41, lejeczek wrote:
>>> hi everyone
>>>
>>> when I look at my domain I see something which seems inconsistent to me (eg. work5 is not part of the domain, was --uninstalled)
>>> Do these records need fixing?
>>> I'm asking because one of the servers, despite the fact the ipa dns related toolkit (on that server) shows zone & records, to dig/host/etc. presents nothing, empty responses!??
>>>
>>> $ ipa dnsrecord-find xx.xx.xx.xx.x.
>>> [...]
>>>
>>> thanks.
>>> L.
>>
>> Hello,
>>
>> if server work5 is uninstalled, then work5 SRV records should be removed.
>>
>> Martin
>
> Martin, would you be able to suggest a way to troubleshoot that problem that one (only) server (rider) seems to present no data for the whole domain? Remaining servers correctly respond to any queries.
> One curious thing is that I $rndc trace 6; and (I see debug level changed in journalctl) I do not see anything in the logs when I query. Zone allows any to query it.

What dig @rider command returns for SRV queries?
Re: [Freeipa-users] Package naming conflicts with update to RHEL 7.3
Thanks Martin. That bug report is private. I take it that it's not very serious ?

On Mon, Nov 7, 2016 at 3:12 AM, Martin Babinsky wrote:
> On 11/07/2016 01:31 AM, Prasun Gera wrote:
>
>> Getting this in yum check all after update to 7.3
>>
>> ipa-client-4.4.0-12.el7.x86_64 has installed conflicts freeipa-client: ipa-client-4.4.0-12.el7.x86_64
>> ipa-client-common-4.4.0-12.el7.noarch has installed conflicts freeipa-client-common: ipa-client-common-4.4.0-12.el7.noarch
>> ipa-common-4.4.0-12.el7.noarch has installed conflicts freeipa-common: ipa-common-4.4.0-12.el7.noarch
>> ipa-python-compat-4.4.0-12.el7.noarch has installed conflicts freeipa-python-compat: ipa-python-compat-4.4.0-12.el7.noarch
>>
>
> Hi Prasun,
>
> That is a false positive caused by a bug in yum, see
> https://bugzilla.redhat.com/show_bug.cgi?id=1370134
>
> --
> Martin^3 Babinsky
Re: [Freeipa-users] What is the use of /etc/krb5.conf?
Thanks Martin, and I always forget I can man a conf file.

On Tuesday, November 8, 2016 12:09 PM, Martin Babinsky wrote:

On 11/08/2016 05:13 PM, Ask Stack wrote:
> I thought /etc/krb5.conf controls which kerberos server the clients talk
> to.
>
> As a test, I removed /etc/krb5.conf and rebooted the client. After
> reboot, I can still log in and "kinit user" .
> Removing /etc/krb5.keytab, however would stop user from logging in and
> sssd to start.
>
>

/etc/krb5.conf configures Kerberos client library: it instructs the client about which realm it should use, whether to use dns discovery or use static list of KDC and mapping between DNS domains and realms. Read `man krb5.conf' for more info.

sssd stores plenty of information about Kerberos realm in its own configuration (realm, DNS discovery etc.) so it can authenticate the user even without valid krb5.conf (as you observed). However, to pull in user info from authoritative source (IPA LDAP), sssd authenticates against IPA as the host principal using /etc/krb5.keytab, that's why it stopped working and refused to start after you removed it.

--
Martin^3 Babinsky
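An added example, not part of the thread, that reads the three things Martin lists from a constructed krb5.conf resembling what ipa-client-install writes: the default realm, how KDCs are located (static kdc = entries and the dns_lookup_kdc switch), and the [domain_realm] mapping from host or domain names to a realm, including the man page's rule that a bare domain entry also covers its hosts unless a dotted entry exists. EXAMPLE.TEST, OLD.CORP and the host names are placeholders.

```python
"""Reader for the parts of /etc/krb5.conf discussed above: realm selection,
KDC discovery (static list vs. DNS SRV) and the [domain_realm] mapping.
Run on a constructed file; all names are placeholders."""
from typing import Dict, List, Optional

Section = Dict[str, object]

KRB5_CONF = """\
# constructed sample resembling the file ipa-client-install writes
[libdefaults]
  default_realm = EXAMPLE.TEST
  dns_lookup_realm = false
  dns_lookup_kdc = true
  rdns = false
  ticket_lifetime = 24h
  forwardable = true
  default_ccache_name = KEYRING:persistent:%{uid}

[realms]
  EXAMPLE.TEST = {
    kdc = ipa1.example.test:88
    master_kdc = ipa1.example.test:88
    admin_server = ipa1.example.test:749
    default_domain = example.test
  }

[domain_realm]
  .example.test = EXAMPLE.TEST
  example.test = EXAMPLE.TEST
  legacy.corp = OLD.CORP
"""


def parse_krb5_conf(text: str) -> Dict[str, Section]:
    """Parse the krb5.conf subset used here: [sections], key = value relations,
    and key = { ... } subsections (the per-realm blocks under [realms]).
    A key repeated in one block (several kdc = lines) collects into a list."""
    conf: Dict[str, Section] = {}
    stack: List[Section] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):   # comment lines only
            continue
        if line.startswith("[") and line.endswith("]"):
            stack = [conf.setdefault(line[1:-1], {})]
            continue
        if line == "}":
            stack.pop()
            continue
        if not stack:
            continue                                  # relation outside any section
        key, _, value = (p.strip() for p in line.partition("="))
        if value == "{":
            child: Section = {}
            stack[-1][key] = child
            stack.append(child)
            continue
        current = stack[-1].get(key)
        if current is None:
            stack[-1][key] = value
        elif isinstance(current, list):
            current.append(value)
        else:
            stack[-1][key] = [current, value]
    return conf


def realm_for_host(conf: Dict[str, Section], host: str) -> Optional[str]:
    """Map a host name to a realm through [domain_realm] as the man page
    describes: an exact host entry first, then each enclosing domain, where a
    '.domain' entry matches its subdomains and a bare 'domain' entry also
    covers them unless a '.domain' entry is present."""
    mapping = {k.lower(): v for k, v in conf.get("domain_realm", {}).items()}
    host = host.lower().rstrip(".")
    if host in mapping:
        return str(mapping[host])
    labels = host.split(".")
    for i in range(1, len(labels)):
        domain = ".".join(labels[i:])
        for key in ("." + domain, domain):
            if key in mapping:
                return str(mapping[key])
    return None


def kdc_discovery(conf: Dict[str, Section], realm: str) -> Dict[str, object]:
    """Where the client can find KDCs for `realm`: the static kdc = list and
    whether dns_lookup_kdc permits SRV discovery (_kerberos._udp/_tcp.<domain>);
    MIT treats an absent dns_lookup_kdc as true."""
    libdefaults = conf.get("libdefaults", {})
    realm_block = conf.get("realms", {}).get(realm, {})
    kdcs = realm_block.get("kdc", []) if isinstance(realm_block, dict) else []
    dns = str(libdefaults.get("dns_lookup_kdc", "true")).lower() in ("true", "yes", "1")
    return {
        "default_realm": libdefaults.get("default_realm"),
        "static_kdcs": kdcs if isinstance(kdcs, list) else [kdcs],
        "dns_srv": dns,
    }


if __name__ == "__main__":
    cfg = parse_krb5_conf(KRB5_CONF)
    print(kdc_discovery(cfg, "EXAMPLE.TEST"))
    for h in ("client1.example.test", "box.legacy.corp", "host.other.example"):
        print(h, "->", realm_for_host(cfg, h))
```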
Re: [Freeipa-users] SRV (mixed?) records
On 09/11/16 14:35, Martin Basti wrote:
> On 09.11.2016 15:33, lejeczek wrote:
>> [...]
>>
>> no no, sorry, I mean - it forwards whereas it should be authoritative for its own FQDN.
>> I realize it is not obvious after I obfuscated the output, but here:
>>
>> ;; AUTHORITY SECTION:
>> .xx.xx.x. 3600 IN SOA ipreg.xxx.xx.xx.x. hostmaster.xx.xx.x. 1478696070 1800 900 604800 3600
>>
>> this looks like the only domain which is dnsforwardzone, everything else is dnszone
>>
>> parent.xx.xx. - is
Re: [Freeipa-users] Setting "preserve" as default action when deleting in webUI
Hello Pavel,

Yes I did. "PRESERVE.JS WAS EXECUTED" is printed in my browser's console, and yet "delete" ("supprimer", in French) is still the default. (as you can see in linked image)

On 31/10/2016 at 16:18, Pavel Vomacka wrote:
> Hello Sebastien,
>
> I tried your plugin and it works correctly. Default value is Preserve
> with your plugin. Did you copy your plugin into
> /var/share/ipa/ui/js/plugins/plugin_name/plugin_name.js ? That should
> be enough.
>
>
> On 10/28/2016 12:14 AM, Sebastien Julliot wrote:
>> Hello guys,
>>
>> Thank you for your answers. First, I was able to modify the minified js
>> to change the default. Ugly solution, but it works for now.
>>
>> I am trying to write a plugin but it seems that I missed something here
>> since, despite being executed, the default is not changed ..
>>
>> Here is my code, freely inspired of what I think I understood of your
>> 'association_search_fix.js' example:
>>
>> define([
>>     'freeipa/ipa',
>>     'freeipa/user',
>> ],
>> function(IPA, user) {
>>
>>     var exp = {};
>>
>>     exp.orig_create_active_user_del_dialog = IPA.user.create_active_user_del_dialog;
>>
>>     IPA.user.create_active_user_del_dialog = function(dialog) {
>>
>>         dialog.deleter_dialog_create_content();
>>
>>         dialog.option_layout = IPA.fluid_layout({
>>             label_cls: 'col-sm-3',
>>             widget_cls: 'col-sm-9'
>>         });
>>
>>         dialog.option_radio = IPA.radio_widget({
>>             name: 'preserve',
>>             label: '@i18n:objects.user.delete_mode',
>>             options: [
>>                 { label: '@i18n:objects.user.mode_delete', value: 'false' },
>>                 { label: '@i18n:objects.user.mode_preserve', value: 'true' }
>>             ],
>>             default_value: 'true'
>>         });
>>
>>         var html = dialog.option_layout.create([dialog.option_radio]);
>>         dialog.container.append(html);
>>         dialog.option_radio.set_value(['']);
>>
>>         return dialog;
>>     };
>>
>>     //exp.orig_create_active_user_del_dialog = IPA.user.create_active_user_del_dialog;
>>
>>     console.log('PRESERVE.JS WAS EXECUTED');
>>
>>     return exp;
>> });
>>
>> I checked that disabling the comment or not does not change anything.
>>
>>
>> Can you see what I missed here ?
>>
>>
>> Thanks a lot,
>>
>> Sebastien Julliot.
>>
>>
>
Re: [Freeipa-users] FreeIPA + DHCP-LDAP - Fedora 24 - broken
> Do you mean that dhcpd on Ubuntu is configured against the very same FreeIPA server?

yes. Testing both on VMs with a private network.

> Are you sure that dhcpd is using the same credentials to BIND to LDAP? There might be an access control issue if different hosts use different credentials or so. It would help if you described how you bound to LDAP using ldapsearch.

Yes. To make sure, I am using the ipa admin credentials. On both hosts I can do a

$ ldapsearch -x

and retrieve the ldif info.

running on both:

$ strace -e trace=network dhcpd -d

I get these lines on the Ubuntu host:

socket(AF_INET, SOCK_STREAM, IPPROTO_IP) = 5
setsockopt(5, SOL_SOCKET, SO_KEEPALIVE, [1], 4) = 0
setsockopt(5, SOL_TCP, TCP_NODELAY, [1], 4) = 0
connect(5, {sa_family=AF_INET, sin_port=htons(389), sin_addr=inet_addr("192.168.1.138")}, 16) = 0

On the Fedora host (FreeIPA server), there is no attempt to connect. I thought that it might be trying to use a socket, but there is still no attempt even with an outside IP as host.

There is one difference between Fedora and Ubuntu dhcpds. On Ubuntu, there is a separate ldap package for dhcp-server (isc-dhcp-server-ldap). On Fedora it is supposedly merged into the same binary in dhcp-server (dhcp-server-4.3.4-3.fc24.x86_64). That's why it would be a good start for me to know that someone else uses dhcpd with ldap on Fedora.

-rsd
[Freeipa-users] bind-dyndb-ldap and replication requirements
i am asking this for a friend who is trying to figure out how to get bind-dyndb-ldap working against openldap on ubuntu. she does not have replication between two or more ldap instances, and needs to figure out the minimum requirements for bind-dyndb-ldap. i have been trying to help her, but i am unsure about what is needed, as i have n-way multi master replication working already.

can anyone provide what the replication requirements are for bind-dyndb-ldap? currently, the SyncRepl module is loaded and the overlay is created and configured for the mdb. i have tried to help get olcServerID and olcMirrorMode set in cn=config and olcDatabase={2}mdb,cn=config respectively, but some errors were encountered there. is there a best practices doc that we can review?

the environment, as best i can tell is ubuntu, openldap 2.4.42 and bind 9. exact os and bind versions are not known right now.

thanks,

brendan kearney
Re: [Freeipa-users] SRV (mixed?) records
On 08/11/16 19:37, Martin Basti wrote:
> On 08.11.2016 19:41, lejeczek wrote:
>> hi everyone
>> when I look at my domain I see something which seems inconsistent to me (eg. work5 is not part of the domain, was --uninstalled)
>> Do these records need fixing?
>> I'm asking because one of the servers, despite the fact the ipa dns related toolkit (on that server) shows zone & records, to dig/host/etc. presents nothing, empty responses!??
>>
>> $ ipa dnsrecord-find xx.xx.xx.xx.x.
>> Record name: @
>> NS record: swir.xx.xx.xx.xx.x., rider.xx.xx.xx.xx.x., dzien.xx.xx.xx.xx.x., whale.xx.xx.xx.xx.x.
>>
>> Record name: _kerberos
>> TXT record: .xx.xx..xx.xx.x
>>
>> Record name: _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs
>> SRV record: 0 100 88 rider, 0 100 88 work5
>>
>> Record name: _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs
>> SRV record: 0 100 389 rider, 0 100 389 work5
>>
>> Record name: _kerberos._udp.Default-First-Site-Name._sites.dc._msdcs
>> SRV record: 0 100 88 rider, 0 100 88 work5
>>
>> Record name: _kerberos._tcp.dc._msdcs
>> SRV record: 0 100 88 rider, 0 100 88 work5
>>
>> Record name: _ldap._tcp.dc._msdcs
>> SRV record: 0 100 389 rider, 0 100 389 work5
>>
>> Record name: _kerberos._udp.dc._msdcs
>> SRV record: 0 100 88 rider, 0 100 88 work5
>>
>> Record name: _kerberos._tcp
>> SRV record: 0 100 88 whale, 0 100 88 dzien, 0 100 88 rider, 0 100 88 swir
>>
>> Record name: _kerberos-master._tcp
>> SRV record: 0 100 88 whale, 0 100 88 dzien, 0 100 88 rider, 0 100 88 swir
>>
>> Record name: _kpasswd._tcp
>> SRV record: 0 100 464 rider, 0 100 464 swir, 0 100 464 dzien, 0 100 464 whale
>>
>> Record name: _ldap._tcp
>> SRV record: 0 100 389 swir, 0 100 389 dzien, 0 100 389 whale, 0 100 389 rider
>>
>> Record name: _kerberos._udp
>> SRV record: 0 100 88 whale, 0 100 88 dzien, 0 100 88 rider, 0 100 88 swir
>>
>> Record name: _kerberos-master._udp
>> SRV record: 0 100 88 whale, 0 100 88 dzien, 0 100 88 rider, 0 100 88 swir
>>
>> Record name: _kpasswd._udp
>> SRV record: 0 100 464 rider, 0 100 464 swir, 0 100 464 dzien, 0 100 464 whale
>>
>> Record name: _ntp._udp
>> SRV record: 0 100 123 dzien, 0 100 123 rider, 0 100 123 whale, 0 100 123 swir
>>
>> thanks.
>> L.
>
> Hello,
> if server work5 is uninstalled, then work5 SRV records should be removed.
> Martin

Martin, would you be able to suggest a way to troubleshoot that problem that one (only) server (rider) seems to present no data for the whole domain? Remaining servers correctly respond to any queries. One curious thing is that I $rndc trace 6; and (I see debug level changed in journalctl) I do not see anything in the logs when I query.
Zone allows any to query it.
Re: [Freeipa-users] SRV (mixed?) records
On 9.11.2016 16:57, lejeczek wrote:
> On 09/11/16 14:35, Martin Basti wrote:
>> On 09.11.2016 15:33, lejeczek wrote:
>>> On 09/11/16 13:48, Martin Basti wrote:
>>>> On 09.11.2016 14:11, lejeczek wrote:
>>>>> On 09/11/16 12:43, Martin Basti wrote:
>>>>>> On 09.11.2016 12:15, lejeczek wrote:
>>>>>>> On 08/11/16 19:37, Martin Basti wrote:
>>>>>>>> On 08.11.2016 19:41, lejeczek wrote:
>>>>>>>>> hi everyone
>>>>>>>>> when I look at my domain I see something which seems inconsistent to me (eg. work5 is not part of the domain, was --uninstalled)
>>>>>>>>> Do these records need fixing?
>>>>>>>>> I'm asking because one of the servers, despite the fact the ipa dns related toolkit (on that server) shows zone & records, to dig/host/etc. presents nothing, empty responses!??
>>>>>>>>>
>>>>>>>>> $ ipa dnsrecord-find xx.xx.xx.xx.x.
>>>>>>>>> Record name: @
>>>>>>>>> NS record: swir.xx.xx.xx.xx.x., rider.xx.xx.xx.xx.x., dzien.xx.xx.xx.xx.x., whale.xx.xx.xx.xx.x.
>>>>>>>>>
>>>>>>>>> Record name: _kerberos
>>>>>>>>> TXT record: .xx.xx..xx.xx.x
>>>>>>>>>
>>>>>>>>> Record name: _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs
>>>>>>>>> SRV record: 0 100 88 rider, 0 100 88 work5
>>>>>>>>>
>>>>>>>>> Record name: _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs
>>>>>>>>> SRV record: 0 100 389 rider, 0 100 389 work5
>>>>>>>>>
>>>>>>>>> Record name: _kerberos._udp.Default-First-Site-Name._sites.dc._msdcs
>>>>>>>>> SRV record: 0 100 88 rider, 0 100 88 work5
>>>>>>>>>
>>>>>>>>> Record name: _kerberos._tcp.dc._msdcs
>>>>>>>>> SRV record: 0 100 88 rider, 0 100 88 work5
>>>>>>>>>
>>>>>>>>> Record name: _ldap._tcp.dc._msdcs
>>>>>>>>> SRV record: 0 100 389 rider, 0 100 389 work5
>>>>>>>>>
>>>>>>>>> Record name: _kerberos._udp.dc._msdcs
>>>>>>>>> SRV record: 0 100 88 rider, 0 100 88 work5
>>>>>>>>>
>>>>>>>>> Record name: _kerberos._tcp
>>>>>>>>> SRV record: 0 100 88 whale, 0 100 88 dzien, 0 100 88 rider, 0 100 88 swir
>>>>>>>>>
>>>>>>>>> Record name: _kerberos-master._tcp
>>>>>>>>> SRV record: 0 100 88 whale, 0 100 88 dzien, 0 100 88 rider, 0 100 88 swir
>>>>>>>>>
>>>>>>>>> Record name: _kpasswd._tcp
>>>>>>>>> SRV record: 0 100 464 rider, 0 100 464 swir, 0 100 464 dzien, 0 100 464 whale
>>>>>>>>>
>>>>>>>>> Record name: _ldap._tcp
>>>>>>>>> SRV record: 0 100 389 swir, 0 100 389 dzien, 0 100 389 whale, 0 100 389 rider
>>>>>>>>>
>>>>>>>>> Record name: _kerberos._udp
>>>>>>>>> SRV record: 0 100 88 whale, 0 100 88 dzien, 0 100 88 rider, 0 100 88 swir
>>>>>>>>>
>>>>>>>>> Record name: _kerberos-master._udp
>>>>>>>>> SRV record: 0 100 88 whale, 0 100 88 dzien, 0 100 88 rider, 0 100 88 swir
>>>>>>>>>
>>>>>>>>> Record name: _kpasswd._udp
>>>>>>>>> SRV record: 0 100 464 rider, 0 100 464 swir, 0 100 464 dzien, 0 100 464 whale
>>>>>>>>>
>>>>>>>>> Record name: _ntp._udp
>>>>>>>>> SRV record: 0 100 123 dzien, 0 100 123 rider, 0 100 123 whale, 0 100 123 swir
>>>>>>>>>
>>>>>>>>> thanks.
>>>>>>>>> L.
>>>>>>>>
>>>>>>>> Hello,
>>>>>>>> if server work5 is uninstalled, then work5 SRV records should be removed.
>>>>>>>> Martin
>>>>>>>
>>>>>>> Martin, would you be able to suggest a way to troubleshoot that problem that one (only) server (rider) seems to present no data for the whole domain? Remaining servers correctly respond to any queries. One curious thing is that I $rndc trace 6; and (I see debug level changed in journalctl) I do not see anything in the logs when I query.
>>>>>>> Zone allows any to query it.
>>>>>>
>>>>>> What dig @rider command returns for SRV queries?
>>>>>
>>>>> don't mind SRV records for now, it returns no record at all, it forwards and caches but not for the domain itself.
>>>>> on rider (suffice I point to other member server and records are there)
>>>>>
>>>>> $ dig +qr any .xx.xx..xx.xx.x. @10.5.6.100
>>>>>
>>>>> ; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7_2.4 <<>> +qr any .xx.xx..xx.xx.x. @10.5.6.100
>>>>> ;; global options: +cmd
>>>>> ;; Sending:
>>>>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36196
>>>>> ;; flags: rd ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
>>>>>
>>>>> ;; OPT PSEUDOSECTION:
>>>>> ; EDNS: version: 0, flags:; udp: 4096
>>>>> ;; QUESTION SECTION:
>>>>> ;.xx.xx..xx.xx.x. IN ANY
>>>>>
>>>>> ;; Got answer:
>>>>> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 36196
>>>>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
>>>>>
>>>>> ;; OPT PSEUDOSECTION:
>>>>> ; EDNS: version: 0, flags:; udp: 4096
>>>>> ;; QUESTION SECTION:
>>>>> ;.xx.xx..xx.xx.x. IN ANY
>>>>>
>>>>> ;; AUTHORITY SECTION:
>>>>> .xx.xx.x. 3600 IN SOA ipreg.xxx.xx.xx.x. hostmaster.xx.xx.x. 1478696070 1800 900 604800
Re: [Freeipa-users] bind-dyndb-ldap and replication requirements
On 10.11.2016 06:43, David Kupka wrote:
> On 10/11/16 01:14, Brendan Kearney wrote:
>> i am asking this for a friend who is trying to figure out how to get
>> bind-dyndb-ldap working against openldap on ubuntu. she does not have
>> replication between two or more ldap instances, and needs to figure out
>> the minimum requirements for bind-dyndb-ldap. i have been trying to
>> help her, but i am unsure about what is needed, as i have n-way multi
>> master replication working already.
>>
>> can anyone provide what the replication requirements are for
>> bind-dyndb-ldap? currently, the SyncRepl module is loaded and the
>> overlay is created and configured for the mdb. i have tried to help get
>> olcServerID and olcMirrorMode set in cn=config and
>> olcDatabase={2}mdb,cn=config respectively, but some errors were
>> encountered there. is there a best practices doc that we can review?
>>
>> the environment, as best i can tell is ubuntu, openldap 2.4.42 and bind
>> 9. exact os and bind versions are not known right now.
>>
>> thanks,
>>
>> brendan kearney
>>
>
> Hello Brendan,
> I don't have any experience with running OpenLDAP + bind-dyndb-ldap but a quick
> web search showed me this:
>
> https://blogs.mindspew-age.com/2013/06/07/bind-dns-openldap-mdb-dynamic-domainsub-domain-configuration-of-dns/
>
> The article is about CentOS 6 and more than 3 years old but still might be
> helpful because it's mainly about Bind 9 configuration.

This article is not applicable to new versions of bind-dyndb-ldap; the new versions require SyncRepl. Any OpenLDAP article about setting up a SyncRepl provider will suffice, bind-dyndb-ldap does not require anything special on the OpenLDAP side.

You can use the following command to test if SyncRepl works and access control is correct:

$ ldapsearch -h ldap.example.com -D "uid=bind-user,cn=users,${BASE}" -w root4lab -E sync=rp -b "cn=dns,${BASE}" '(|(objectClass=idnsConfigObject)(objectClass=idnsZone)(objectClass=idnsForwardZone)(objectClass=idnsRecord))'

-- 
Petr^2 Spacek
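An offline companion to the check above, added here as an example and not code from the thread or from bind-dyndb-ldap: it parses ldapsearch's LDIF output, tells you whether the rootDSE advertises the RFC 4533 sync control that `-E sync=rp` depends on (OpenLDAP only lists it once the syncprov overlay is active), and counts how many entries of each DNS object class the bind DN can actually see. The rootDSE and cn=dns samples, the example.com names and the 192.0.2.10 address are constructed.

```python
# Added example, not code from the thread or from bind-dyndb-ldap. Parses LDIF
# as ldapsearch prints it; every sample value below is constructed.
from collections import Counter

# RFC 4533 Sync Request control. OpenLDAP lists it in the rootDSE's
# supportedControl once the syncprov overlay is active on the database.
SYNC_REQUEST_CONTROL_OID = "1.3.6.1.4.1.4203.1.9.1.1"
# Object classes the thread's search filter asks for under cn=dns.
DNS_OBJECT_CLASSES = ("idnsConfigObject", "idnsZone", "idnsForwardZone", "idnsRecord")

def parse_ldif(text):
    """Return one {attribute: [values]} dict per LDIF entry, joining
    folded lines (leading space) and ignoring '#' comments."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]  # RFC 2849 line folding
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:  # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
        elif not line.startswith("#"):
            attr, _, value = line.partition(":")
            current.setdefault(attr, []).append(value.lstrip())
    return entries

def sync_control_supported(rootdse_ldif):
    """True if the rootDSE advertises the RFC 4533 sync control."""
    return any(SYNC_REQUEST_CONTROL_OID in e.get("supportedControl", [])
               for e in parse_ldif(rootdse_ldif))

def dns_class_counts(search_ldif):
    """Count returned entries per DNS object class; a zero for idnsZone or
    idnsRecord usually means the bind DN's ACL hides part of cn=dns."""
    counts = Counter({cls: 0 for cls in DNS_OBJECT_CLASSES})
    for entry in parse_ldif(search_ldif):
        for cls in entry.get("objectClass", []):
            if cls in counts:
                counts[cls] += 1
    return counts

# Constructed: what 'ldapsearch -x -s base -b "" supportedControl' and the
# thread's '-E sync=rp' search could print against a hypothetical server.
SAMPLE_ROOTDSE = ("dn:\nsupportedControl: 2.16.840.1.113730.3.4.18\n"
                  "supportedControl: 1.3.6.1.4.1.4203.1.9.1.1\n")
SAMPLE_SYNC_SEARCH = (
    "dn: idnsname=example.com,cn=dns,dc=example,dc=com\n"
    "objectClass: top\nobjectClass: idnsZone\nobjectClass: idnsRecord\n\n"
    "dn: idnsname=www,idnsname=example.com,cn=dns,dc=example,dc=com\n"
    "objectClass: top\nobjectClass: idnsRecord\naRecord: 192.0.2.10\n")
```

Feed `sync_control_supported()` the output of an anonymous base search of the rootDSE and `dns_class_counts()` the output of the ldapsearch command above; a missing control or all-zero counts points at the OpenLDAP side rather than at bind-dyndb-ldap.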
Re: [Freeipa-users] bind-dyndb-ldap and replication requirements
On 10/11/16 01:14, Brendan Kearney wrote:
> i am asking this for a friend who is trying to figure out how to get bind-dyndb-ldap working against openldap on ubuntu. she does not have replication between two or more ldap instances, and needs to figure out the minimum requirements for bind-dyndb-ldap. i have been trying to help her, but i am unsure about what is needed, as i have n-way multi master replication working already.
>
> can anyone provide what the replication requirements are for bind-dyndb-ldap? currently, the SyncRepl module is loaded and the overlay is created and configured for the mdb. i have tried to help get olcServerID and olcMirrorMode set in cn=config and olcDatabase={2}mdb,cn=config respectively, but some errors were encountered there. is there a best practices doc that we can review?
>
> the environment, as best i can tell is ubuntu, openldap 2.4.42 and bind 9. exact os and bind versions are not known right now.
>
> thanks,
>
> brendan kearney

Hello Brendan,
I don't have any experience with running OpenLDAP + bind-dyndb-ldap but a quick web search showed me this:

https://blogs.mindspew-age.com/2013/06/07/bind-dns-openldap-mdb-dynamic-domainsub-domain-configuration-of-dns/

The article is about CentOS 6 and more than 3 years old but still might be helpful because it's mainly about Bind 9 configuration.

-- 
David Kupka
[Freeipa-users] sssd failed with 'ldap_sasl_bind failed (-2)[Local error]'
Hi,

I have installed sssd in a RHEL5 client.

ipa-client/sssd version:
ipa-client-2.1.3-7.el5
sssd-client-1.5.1-71.el5
sssd-1.5.1-71.el5

sssd failed to get ipa user info with 'ldap_sasl_bind failed (-2)[Local error]'.

(Thu Nov 10 05:52:45 2016) [sssd[be[stg.example.net]]] [sasl_bind_send] (4): Executing sasl bind mech: GSSAPI, user: host/client02.stg.example.net
(Thu Nov 10 05:52:45 2016) [sssd[be[stg.example.net]]] [sasl_bind_send] (1): ldap_sasl_bind failed (-2)[Local error]
(Thu Nov 10 05:52:45 2016) [sssd[be[stg.example.net]]] [child_sig_handler] (7): Waiting for child [7].
(Thu Nov 10 05:52:45 2016) [sssd[be[stg.example.net]]] [child_sig_handler] (4): child [7] finished successfully.

I have tried to google to find the root cause. Some links explained it should be something wrong with dns. I have double confirmed it.

# nslookup client02.stg.example.net
Server:   10.2.1.21
Address:  10.2.1.21#53

Name:     client02.stg.example.net
Address:  10.2.3.32

# nslookup 10.2.3.32
Server:   10.2.1.21
Address:  10.2.1.21#53

32.3.2.10.in-addr.arpa  name = client02.stg.example.net.

# nslookup ipaslave.stg.example.net
Server:   10.2.1.21
Address:  10.2.1.21#53

Name:     ipaslave.stg.example.net
Address:  10.2.1.250

# nslookup 10.2.1.250
Server:   10.2.1.21
Address:  10.2.1.21#53

250.1.2.10.in-addr.arpa  name = ipaslave.stg.example.net.

Any hints or troubleshooting ideas would be appreciated.

Matrix