Re: [Freeipa-users] Padding Scheme used in Fedora Dogtag

2017-03-09 Thread Kaamel Periora
It's for the encryption process.

On Tue, Mar 7, 2017 at 7:55 PM, Simo Sorce  wrote:

> On Tue, 2017-03-07 at 12:38 +0530, Kaamel Periora wrote:
> > Dear All,
> >
> > It is required to identify the padding scheme used by the Fedora dogtag
> > system. Appreciate if someone could shed some light on this requirement.
>
> Padding scheme for what exactly ?
>
> Simo.
>
> --
> Simo Sorce * Red Hat, Inc * New York
>
>
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

[Freeipa-users] Question about ipa user accounts and the compat container

2017-03-09 Thread Robert Johnson
Hello,

I am running into an odd issue and haven't been able to find any information
on it through searching online.

Environment: We currently have an IPA master running
ipa-server-4.4.0-14.el7_3.4.x86_64 on a RHEL 7.3 server.  We have a mix of
RHEL 6.8, RHEL 7.x and Solaris 10 clients. We also have a one way trust to
a windows domain.  Compatibility mode is enabled.

The issue I'm seeing is that when I delete an IPA domain user through the
web gui, the user account doesn't appear to be removed completely from the
system.  I verified via "ipa user-find" that the user is no longer in the
system.  I also checked via "ldapsearch" that the user account doesn't
exist in the "accounts" container.  However, when I look in the "users,
compat" container, that user still exists.

This is causing problems with my Solaris clients since they are pointing to
the compat tree so that we can login with the windows accounts on those
servers.  The Solaris client is still seeing the account as being valid and
is asking the user for a password on login which fails because the account
doesn't exist in the IPA domain anymore.

Do I need to remove the account from the ldap compat container manually or
is the IPA user delete command (through the gui and/or command line)
supposed to take care of this?  Or is there some sort of clean up
process that I have to wait for to occur before this account gets removed
from that container?  If so, what is the time frame?

Thank you

Rob

[Freeipa-users] Foreman => Insufficient 'add' privilege to the 'userPassword' attribute

2017-03-09 Thread Matt .
I'm trying to add a host using Foreman to the FreeIPA realm but this
doesn't work, all things seem to be fine and some other tests from
people are working:

The issue is reported here: http://projects.theforeman.org/issues/18850


My settings are like this:


[root@ipa-01 ~]# ipa role-find
---
6 roles matched
---
  Role name: helpdesk
  Description: Helpdesk

  Role name: IT Security Specialist
  Description: IT Security Specialist

  Role name: IT Specialist
  Description: IT Specialist

  Role name: Security Architect
  Description: Security Architect

  Role name: Smart Proxy Host Manager
  Description: Smart Proxy management

  Role name: User Administrator
  Description: Responsible for creating Users and Groups

Number of entries returned 6

[root@ipa-01 ~]# ipa role-show "Smart Proxy Host Manager"
  Role name: Smart Proxy Host Manager
  Description: Smart Proxy management
  Member users: foreman-proxy, foreman-realm-proxy
  Privileges: Smart Proxy Host Management
[root@ipa-01 ~]# ipa privilege-show "Smart Proxy Host Management"
  Privilege name: Smart Proxy Host Management
  Description: Smart Proxy Host Management
  Permissions: Retrieve Certificates from the CA, System: Add DNS Entries,
System: Read DNS Entries, System: Remove DNS Entries, System: Update DNS
Entries, System: Manage Host Certificates, System: Manage Host Enrollment
Password, System: Manage Host Keytab, System: Modify Hosts, System: Remove
Hosts, System: Manage Service Keytab, System: Modify Services, Add Host
Enrollment Password
  Granting privilege to roles: Smart Proxy Host Manager
[root@ipa-01 ~]#
[root@ipa-01 ~]# ipa permission-find "Add Host"
-
3 permissions matched
-
  Permission name: Add Host Enrollment Password
  Granted rights: add
  Effective attributes: userpassword
  Bind rule type: permission
  Subtree: cn=computers,cn=accounts,dc=office,dc=ipa,dc=domain,dc=tld
  Type: host
  Permission flags: V2, SYSTEM

  Permission name: System: Add Hostgroups
  Granted rights: add
  Bind rule type: permission
  Subtree: cn=hostgroups,cn=accounts,dc=office,dc=ipa,dc=domain,dc=tld
  Type: hostgroup
  Permission flags: V2, MANAGED, SYSTEM

  Permission name: System: Add Hosts
  Granted rights: add
  Bind rule type: permission
  Subtree: cn=computers,cn=accounts,dc=office,dc=ipa,dc=domain,dc=tld
  Type: host
  Permission flags: V2, MANAGED, SYSTEM

Number of entries returned 3



Can anyone help me out as I'm unsure where this goes wrong.


Thanks so far!

Regards,

Matt



Re: [Freeipa-users] Question about ipa user accounts and the compat container

2017-03-09 Thread Alexander Bokovoy

On Thu, 09 Mar 2017, Robert Johnson wrote:

> Hello,
>
> I am running into an odd issue and haven't been able to find any information
> on it through searching online.
>
> Environment: We currently have an IPA master running
> ipa-server-4.4.0-14.el7_3.4.x86_64 on a RHEL 7.3 server.  We have a mix of
> RHEL 6.8, RHEL 7.x and Solaris 10 clients. We also have a one way trust to
> a windows domain.  Compatibility mode is enabled.
>
> The issue I'm seeing is that when I delete an IPA domain user through the
> web gui, the user account doesn't appear to be removed completely from the
> system.  I verified via "ipa user-find" that the user is no longer in the
> system.  I also checked via "ldapsearch" that the user account doesn't
> exist in the "accounts" container.  However, when I look in the "users,
> compat" container, that user still exists.
>
> This is causing problems with my Solaris clients since they are pointing to
> the compat tree so that we can login with the windows accounts on those
> servers.  The Solaris client is still seeing the account as being valid and
> is asking the user for a password on login which fails because the account
> doesn't exist in the IPA domain anymore.
>
> Do I need to remove the account from the ldap compat container manually or
> is the IPA user delete command (through the gui and/or command line)
> supposed to take care of this?  Or is there some sort of clean up
> process that I have to wait for to occur before this account gets removed
> from that container?  If so, what is the time frame?

Compat tree is automatically generated. It also tracks existing objects,
so any time the object is removed from the primary tree, it should be
cleared from the compat tree as well.

If you can reliably demonstrate the problem using
http://www.freeipa.org/page/Demo (it has compat tree enabled), then feel
free to open a bug.

--
/ Alexander Bokovoy



Re: [Freeipa-users] Question about ipa user accounts and the compat container

2017-03-09 Thread Robert Johnson
On Thu, Mar 9, 2017 at 4:06 PM, Alexander Bokovoy wrote:

> On Thu, 09 Mar 2017, Robert Johnson wrote:
>
>> Hello,
>>
>> I am running into an odd issue and haven't been able to find any information
>> on it through searching online.
>>
>> Environment: We currently have an IPA master running
>> ipa-server-4.4.0-14.el7_3.4.x86_64 on a RHEL 7.3 server.  We have a mix of
>> RHEL 6.8, RHEL 7.x and Solaris 10 clients. We also have a one way trust to
>> a windows domain.  Compatibility mode is enabled.
>>
>> The issue I'm seeing is that when I delete an IPA domain user through the
>> web gui, the user account doesn't appear to be removed completely from the
>> system.  I verified via "ipa user-find" that the user is no longer in the
>> system.  I also checked via "ldapsearch" that the user account doesn't
>> exist in the "accounts" container.  However, when I look in the "users,
>> compat" container, that user still exists.
>>
>> This is causing problems with my Solaris clients since they are pointing to
>> the compat tree so that we can login with the windows accounts on those
>> servers.  The Solaris client is still seeing the account as being valid and
>> is asking the user for a password on login which fails because the account
>> doesn't exist in the IPA domain anymore.
>>
>> Do I need to remove the account from the ldap compat container manually or
>> is the IPA user delete command (through the gui and/or command line)
>> supposed to take care of this?  Or is there some sort of clean up
>> process that I have to wait for to occur before this account gets removed
>> from that container?  If so, what is the time frame?
>>
> Compat tree is automatically generated. It also tracks existing objects,
> so any time the object is removed from the primary tree, it should be
> cleared from the compat tree as well.
>
> If you can reliably demonstrate the problem using
> http://www.freeipa.org/page/Demo (it has compat tree enabled), then feel
> free to open a bug.
>
> --
> / Alexander Bokovoy
>

So after doing some more digging using ldapsearch, I discovered some "odd"
entries.  It appears that all my IPA users appear to have duplicate entries
under the compat tree. So on a hunch I deleted another IPA user and one of
the two entries disappeared from the container.  I tried to use ldapdelete
(and ldapmodify) to remove the "ghost" entry using the DN I found from the
search and I get an "object not found" and then it says that it matched the
base tree.  If I dump the whole compat tree out to a file, the ghost
objects look to be exact duplicates of the original entries (minus the guid
which is different).  I can't seem to find a way to remove them.

Any ideas ?

Re: [Freeipa-users] Padding Scheme used in Fedora Dogtag

2017-03-09 Thread Simo Sorce
On Fri, 2017-03-10 at 10:50 +0530, Kaamel Periora wrote:
> It's for the encryption process.

Which process ?
What protocol ?
For data at rest or for secure channels ?

Please be very specific, we use crypto in a multitude of places within
freeIPA.

Simo.

> On Tue, Mar 7, 2017 at 7:55 PM, Simo Sorce  wrote:
> > On Tue, 2017-03-07 at 12:38 +0530, Kaamel Periora wrote:
> > > Dear All,
> > >
> > > It is required to identify the padding scheme used by the Fedora dogtag
> > > system. Appreciate if someone could shed some light on this requirement.
> > 
> > Padding scheme for what exactly ?
> > 
> > Simo.
> > 
> > --
> > Simo Sorce * Red Hat, Inc * New York
> > 
> > 
> 
> 



Re: [Freeipa-users] Question about ipa user accounts and the compat container

2017-03-09 Thread Alexander Bokovoy

On Thu, 09 Mar 2017, Robert Johnson wrote:

> On Thu, Mar 9, 2017 at 4:06 PM, Alexander Bokovoy wrote:
>
> > On Thu, 09 Mar 2017, Robert Johnson wrote:
> >
> > > Hello,
> > >
> > > I am running into an odd issue and haven't been able to find any
> > > information on it through searching online.
> > >
> > > Environment: We currently have an IPA master running
> > > ipa-server-4.4.0-14.el7_3.4.x86_64 on a RHEL 7.3 server.  We have a mix
> > > of RHEL 6.8, RHEL 7.x and Solaris 10 clients. We also have a one way
> > > trust to a windows domain.  Compatibility mode is enabled.
> > >
> > > The issue I'm seeing is that when I delete an IPA domain user through
> > > the web gui, the user account doesn't appear to be removed completely
> > > from the system.  I verified via "ipa user-find" that the user is no
> > > longer in the system.  I also checked via "ldapsearch" that the user
> > > account doesn't exist in the "accounts" container.  However, when I look
> > > in the "users, compat" container, that user still exists.
> > >
> > > This is causing problems with my Solaris clients since they are pointing
> > > to the compat tree so that we can login with the windows accounts on
> > > those servers.  The Solaris client is still seeing the account as being
> > > valid and is asking the user for a password on login which fails because
> > > the account doesn't exist in the IPA domain anymore.
> > >
> > > Do I need to remove the account from the ldap compat container manually
> > > or is the IPA user delete command (through the gui and/or command line)
> > > supposed to take care of this?  Or is there some sort of clean up
> > > process that I have to wait for to occur before this account gets
> > > removed from that container?  If so, what is the time frame?
> >
> > Compat tree is automatically generated. It also tracks existing objects,
> > so any time the object is removed from the primary tree, it should be
> > cleared from the compat tree as well.
> >
> > If you can reliably demonstrate the problem using
> > http://www.freeipa.org/page/Demo (it has compat tree enabled), then feel
> > free to open a bug.
> >
> > --
> > / Alexander Bokovoy
>
> So after doing some more digging using ldapsearch, I discovered some "odd"
> entries.  It appears that all my IPA users appear to have duplicate entries
> under the compat tree. So on a hunch I deleted another IPA user and one of
> the two entries disappeared from the container.  I tried to use ldapdelete
> (and ldapmodify) to remove the "ghost" entry using the DN I found from the
> search and I get an "object not found" and then it says that it matched the
> base tree.  If I dump the whole compat tree out to a file, the ghost
> objects look to be exact duplicates of the original entries (minus the guid
> which is different).  I can't seem to find a way to remove them.
>
> Any ideas?

Demonstrate your problem using the FreeIPA demo instance, please.

Compat tree is not writable, thus you cannot delete anything from it
directly. You only can delete the original entry to cause removal of a
compat entry.

Show how it is not removed with step by step ldapsearch/ipa CLI
operations against our demo instance, please.

--
/ Alexander Bokovoy



Re: [Freeipa-users] Padding Scheme used in Fedora Dogtag

2017-03-09 Thread Alexander Bokovoy

On Fri, 10 Mar 2017, Kaamel Periora wrote:

> It's for the encryption process.

Sorry, but you need to be more detailed in what you want to achieve.

Crypto libraries support multiple algorithms. What do you need to do?

> On Tue, Mar 7, 2017 at 7:55 PM, Simo Sorce wrote:
>
> > On Tue, 2017-03-07 at 12:38 +0530, Kaamel Periora wrote:
> > > Dear All,
> > >
> > > It is required to identify the padding scheme used by the Fedora dogtag
> > > system. Appreciate if someone could shed some light on this requirement.
> >
> > Padding scheme for what exactly ?
> >
> > Simo.
> >
> > --
> > Simo Sorce * Red Hat, Inc * New York

--
/ Alexander Bokovoy



[Freeipa-users] Potential problems when using a loadbalancer

2017-03-09 Thread Wimmer Ronald (BCC.B.SO)
Hi,

What kind of challenges will I run into when I want to use a loadbalancer in 
front of my two IPA servers?


-  LDAP: Should not be a problem

-  Kerberos: will definitely be a challenge.
Is this link the solution or am I still missing something:
http://directory.fedoraproject.org/docs/389ds/howto/howto-loadbalance-gssapi.html

-  Certificates: I stumbled upon a RedHat Knowledgebase entry dealing 
with "Certificate CN not matching when using the loadbalancer's virtual name": 
https://access.redhat.com/solutions/547723

-  What else will be a problem that needs to be solved?

Any hints regarding the "what else" point would be highly appreciated!

Regards,
Ronald

[Freeipa-users] What is the next free IP address for a DNS record

2017-03-09 Thread Kees Bakker
Hey,

Is there an easy way to find out what the next free IP address is when adding a
new DNS A record? The web interface sorts the records alphabetically on "Record
name", even in-arpa zones. For the latter it would be more convenient to sort
numerically.

Anyway, what methods are there to know what IP address to use when adding a new
DNS record? Did I overlook something?

BTW. Right now I'm dumping the JSON with
  ipa -vv dnsrecord-find mydomain --sizelimit=9 --all --structured 2>&1 >/dev/null
and a Python script to make a list sorted on ip address.
-- 
Kees

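The sorting and gap-finding part of the script Kees mentions, as an added example (not his script and not FreeIPA code): given (name, address) pairs already extracted from `ipa dnsrecord-find` output, it orders them numerically, lists the unused host addresses of a subnet, flags addresses shared by several names, and sorts in-addr.arpa record names numerically while still tolerating the non-numeric PTR owners Martin mentions. The record list and subnet are constructed sample data.

```python
import ipaddress
from collections import defaultdict

# Constructed sample: (record name, A record data) pairs such as a script
# would collect from `ipa dnsrecord-find` output. They are listed in the
# alphabetical order the web UI uses, which is why the gaps are hard to see.
SAMPLE_A_RECORDS = [
    ("app01", "10.0.1.12"),
    ("app02", "10.0.1.3"),
    ("db", "10.0.1.10"),
    ("mail", "10.0.1.2"),
    ("www", "10.0.1.11"),
    ("www-old", "10.0.1.11"),  # alias that shares an address with www
]


def sort_by_address(records):
    """Order (name, ip) pairs numerically by address instead of by name."""
    return sorted(records, key=lambda rec: ipaddress.ip_address(rec[1]))


def sort_reverse_zone_names(names):
    """Sort record names of an in-addr.arpa zone numerically ('3' before
    '12'), comparing labels in reversed order because reverse zones list the
    least significant octet first. Non-numeric labels, which are legal for
    PTR owners, sort after all numeric ones instead of raising."""
    def key(name):
        return tuple((0, int(lbl)) if lbl.isdigit() else (1, lbl)
                     for lbl in reversed(name.split(".")))
    return sorted(names, key=key)


def free_addresses(records, subnet, reserve_first=1, limit=None):
    """Host addresses in `subnet` that no A record uses, lowest first.
    `reserve_first` skips that many leading host addresses (gateway etc.);
    `limit` caps how many are returned."""
    net = ipaddress.ip_network(subnet, strict=True)
    used = {ipaddress.ip_address(ip) for _, ip in records}
    free = []
    for index, host in enumerate(net.hosts()):
        if index < reserve_first or host in used:
            continue
        free.append(str(host))
        if limit is not None and len(free) >= limit:
            break
    return free


def next_free(records, subnet, reserve_first=1):
    """The single lowest unused host address, or None if the subnet is full."""
    free = free_addresses(records, subnet, reserve_first, limit=1)
    return free[0] if free else None


def shared_addresses(records):
    """Addresses used by more than one record name: {ip: [names...]}.
    Often intentional (aliases), but worth checking before reusing a gap."""
    by_ip = defaultdict(list)
    for name, ip in records:
        by_ip[str(ipaddress.ip_address(ip))].append(name)
    return {ip: sorted(names) for ip, names in by_ip.items() if len(names) > 1}


if __name__ == "__main__":
    for name, ip in sort_by_address(SAMPLE_A_RECORDS):
        print(f"{ip:>15}  {name}")
    print("next free:", next_free(SAMPLE_A_RECORDS, "10.0.1.0/24"))
    print("shared:", shared_addresses(SAMPLE_A_RECORDS))
    print("reverse zone order:", sort_reverse_zone_names(["12", "3", "foo", "10"]))
```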


Re: [Freeipa-users] What is the next free IP address for a DNS record

2017-03-09 Thread Martin Basti
Comments inline


On 09.03.2017 11:12, Kees Bakker wrote:
> Hey,
>
> Is there an easy way to find out what the next free IP address is when adding
> a new DNS A record? The web interface sorts the records alphabetically on
> "Record name", even in-arpa zones. For the latter it would be more convenient
> to sort numerically.
No, it depends on your system. FreeIPA is not an authoritative source of
IP addresses; this is a job for a DHCP server or any network management system.

I don't think that we should sort numerically, as DNS names work with
bytes, so ASCII sorting is better. Nothing prevents you from using a
non-numeric domain with the PTR RR type.
>
> Anyway, what methods are there to know what IP address to use when adding a
> new DNS record? Did I overlook something?
Usually when you are adding a new A record, you know which host it
belongs to, so you should use the IP address of the host.

>
> BTW. Right now I'm dumping the JSON with
>   ipa -vv dnsrecord-find mydomain --sizelimit=9 --all --structured 2>&1 >/dev/null
> and a Python script to make a list sorted on ip address.

Martin




[Freeipa-users] Create Replica fail any idea?? thz

2017-03-09 Thread barrykfl
No expired cert prompt came up; all ipa services report status OK,
and port 9444 can be reached with telnet.

Creating SSL certificate for the Directory Server
preparation of replica failed: cannot connect to '
https://central.ABC.com:9444/ca/ee/ca/profileSubmitSSLClient':
(PR_END_OF_FILE_ERROR) Encountered end of file.
cannot connect to '
https://central.ABC.com:9444/ca/ee/ca/profileSubmitSSLClient':
(PR_END_OF_FILE_ERROR) Encountered end of file.
  File "/usr/sbin/ipa-replica-prepare", line 490, in 
main()

  File "/usr/sbin/ipa-replica-prepare", line 361, in main
export_certdb(api.env.realm, ds_dir, dir, passwd_fname, "dscert",
replica_fqdn, subject_base)

  File "/usr/sbin/ipa-replica-prepare", line 150, in export_certdb
raise e

Re: [Freeipa-users] SSSD bug found? FreeIPA vs SSSD

2017-03-09 Thread Jakub Hrozek
On Thu, Mar 09, 2017 at 11:32:35AM +0200, Alexander Bokovoy wrote:
> On Thu, 09 Mar 2017, Jakub Hrozek wrote:
> > On Thu, Mar 09, 2017 at 01:37:46PM +1100, Lachlan Musicman wrote:
> > > Hola,
> > > 
> > > On CentOS 7.3, using FreeIPA VERSION: 4.4.0, API_VERSION: 2.213 and sssd
> > > (via COPR) 1.15.1, which has a one way trust to an AD domain. 
> > > unix.name.org
> > > -> name.org
> > > 
> > > I've seen some interesting behaviour.
> > > 
> > > Being part of a large organisation with a smaller nix environment and a
> > > larger Windows environment we see all the best of odd AD management
> > > behaviour (eg spaces in usernames...).
> > > 
> > > Turns out some of the groups in AD have an @ symbol in them.
> > > 
> > > The behavioural difference we see is: given userA in group "name @ of
> > > group" that on the FreeIPA server:
> > > 
> > > [r...@vmpr-freeipa.unix.name.org ~]# id us...@name.org
> > > 
> > > works as expected.
> > > 
> > > But on a client
> > > 
> > > [r...@vmpr-linuxclient1.unix.name.org ~]# id us...@name.org
> > > 
> > > returns nothing.
> > 
> > Yes, it is a known issue:
> >https://pagure.io/SSSD/sssd/issue/3219
> > 
> > There were some users who reported this works better with a modified
> > re_expression:
> >re_expression = ((?P.+)@(?P[^@]+$))
> > but I agree we should fix this by default. However, the fix must be done
> > at both the SSSD level and the IPA extdom plugin, which also searches
> > for the @-sign in the user and group names.
> Luckily, a change for the extdom plugin seems to be straightforward: search
> for the *last* occurrence of the domain separator, not the first one. We
> had a similar issue with the nfs idmapd code too.

Yes, the most tricky part would be testing, to make sure the new regular
expression doesn't break anything. I used the one I showed to unblock
some RHEL customers that were complaining and were a bit stuck, but I
didn't have enough time to run all our available tests with it; that's
why we didn't switch by default.

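The first-versus-last separator question that Jakub and Alexander discuss, as an added example (not SSSD or FreeIPA code): both split strategies are implemented side by side, the suffix-stripping comparison of the extdom plugin is mirrored, and a small set of constructed vectors (the real names in the thread are obfuscated) shows exactly which inputs the first-separator split gets wrong.

```python
SEPARATOR = "@"   # SSSD's default domain separator, the one extdom searches for


def split_first(fq_name):
    """Pre-fix behaviour: cut at the first separator (what strchr finds)."""
    name, sep, domain = fq_name.partition(SEPARATOR)
    return (name, domain) if sep else (fq_name, "")


def split_last(fq_name):
    """Fixed behaviour: cut at the last separator (what strrchr finds), so a
    name that itself contains '@' keeps its whole local part."""
    name, sep, domain = fq_name.rpartition(SEPARATOR)
    return (name, domain) if sep else (fq_name, "")


def short_name(fq_name, domain_name, splitter=split_last):
    """Mirror the strip-the-suffix logic of the extdom plugin: drop the domain
    only when it matches `domain_name` case-insensitively, otherwise keep the
    fully qualified name unchanged."""
    name, domain = splitter(fq_name)
    if domain and domain.lower() == domain_name.lower():
        return name
    return fq_name


# Constructed test vectors: (input, expected local part, expected domain).
CASES = [
    ("usera@name.org", "usera", "name.org"),
    ("name @ of group@name.org", "name @ of group", "name.org"),  # AD group shape from the thread
    ("a@b@c@name.org", "a@b@c", "name.org"),
    ("plain", "plain", ""),                                         # no domain part at all
]


def regressions(splitter):
    """Inputs on which `splitter` disagrees with the expected split; an empty
    list means the strategy passes every vector."""
    return [inp for inp, name, domain in CASES if splitter(inp) != (name, domain)]


if __name__ == "__main__":
    print("first-separator failures:", regressions(split_first))
    print("last-separator failures: ", regressions(split_last))
    print(short_name("name @ of group@name.org", "NAME.ORG"))
```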


Re: [Freeipa-users] ipa-client-install generates bad sssd.conf

2017-03-09 Thread Harald Dunkel
On 03/05/17 11:47, Timo Aaltonen wrote:
> 
> pam-auth-update configures pam, there's nothing else to be configured..
> I just ran ipa-client-install on Ubuntu zesty with freeipa-client
> 4.4.3-3ubuntu1, and services on the newly created sssd.conf look fine:
> 
> services = nss, sudo, pam, ssh
> 
> 

Do you get the same for 4.4.3-3 (the version in Debian experimental,
AFAICT) on sid? I don't :-(.

Command line:
ipa-client-install --hostname `hostname` --no-ssh --no-sshd --no-nisdomain


Regards
Harri



Re: [Freeipa-users] External DNS and replication

2017-03-09 Thread Martin Basti


On 09.03.2017 09:04, Wimmer Ronald (BCC.B.SO) wrote:
>
> *From:*Martin Basti [mailto:mba...@redhat.com]
> *Sent:* Wednesday, 08 March 2017 14:54
> *To:* Wimmer Ronald (BCC.B.SO) ;
> freeipa-users@redhat.com
> *Subject:* Re: [Freeipa-users] External DNS and replication
>
>  
>
>  
>
>  
>
> On 08.03.2017 14:05, Wimmer Ronald (BCC.B.SO) wrote:
>
> Hi,
>
>  
>
> I am using FreeIPA with external DNS. Is it ok to balance the
> requests between master and replica with DNS SRV records like this:
>
>  
>
> _kerberos-master._tcp.example.net. 86400 IN SRV 10 50 88
> ipa1.example.net.
>
> _kerberos-master._udp.example.net. 86400 IN SRV 10 50 88
> ipa1.example.net.
>
> _kerberos._tcp.example.net. 86400 IN SRV 10 50 88 ipa1.example.net.
>
> _kerberos._udp.example.net. 86400 IN SRV 10 50 88 ipa1.example.net.
>
> _kpasswd._tcp.example.net. 86400 IN SRV 10 50 464 ipa1.example.net.
>
> _kpasswd._udp.example.net. 86400 IN SRV 10 50 464 ipa1.example.net.
>
> _ldap._tcp.example.net. 86400 IN SRV 10 50 389 ipa1.example.net.
>
> _ntp._udp.example.net. 86400 IN SRV 10 50 123 ipa1.example.net.
>
>  
>
> _kerberos-master._tcp.example.net. 86400 IN SRV 10 50 88
> ipa2.example.net.
>
> _kerberos-master._udp.example.net. 86400 IN SRV 10 50 88
> ipa2.example.net.
>
> _kerberos._tcp.example.net. 86400 IN SRV 10 50 88 ipa2.example.net.
>
> _kerberos._udp.example.net. 86400 IN SRV 10 50 88 ipa2.example.net.
>
> _kpasswd._tcp.example.net. 86400 IN SRV 10 50 464 ipa2.example.net.
>
> _kpasswd._udp.example.net. 86400 IN SRV 10 50 464 ipa2.example.net.
>
> _ldap._tcp.example.net. 86400 IN SRV 10 50 389 ipa2.example.net.
>
> _ntp._udp.example.net. 86400 IN SRV 10 50 123 ipa2.example.net.
>
>  
>
> _kerberos.example.net. 86400 IN TXT "example.net"
>
> Looks good to me
>
>
> ipa-ca.example.net. 86400 IN A 10.66.39.130
>
>  
>
> What about the “ipa-ca” entry?
>
>
> ipa-ca should contain all A/ records of CA replicas
>
> IPA 4.4+ supports the command `ipa dns-update-system-records --dry-run` to
> get all required records
>
>  
>
> Regards,
>
> Ronald
>
>
>
>
> Martin
>
>  
>
> Thanks a lot. In https://access.redhat.com/solutions/98043 Red Hat
> suggests using the same weight and same priority for the SRV records. Does
> that make sense?
>
Priority should be the same, otherwise servers with higher priority will
work only as backups (preferably you should have priority 0).
You can edit the weight to distribute more load to beefy servers.

Please note that priority and weight is handled on client side, so it
will work only on clients that are processing SRV with priority and
weight. Some clients may ignore it.

>  
>
> I also noticed that I have no ntp record. Are IPA clients relying on
> that entry? Do I have to create these manually?
>
>  
>
> _ntp._udp.example.net.  86400   IN  SRV 10 50 123
> ipaserver1.example.net.
>
> _ntp._udp.example.net.  86400   IN  SRV 10 50 123
> ipaserver2.example.net.
>
It depends on your system configuration on clients. This is basically
used only by ipa-client-install because AFAIK the ntp client doesn't support
SRV lookup.

Usually clients have default NTP client configured so it should work.

>  
>
> Ronald
>
>
>



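Martin's point that priority and weight are applied on the client can be checked with this added simulation (not code from the thread or from FreeIPA). It models the RFC 2782 selection rule over SRV record sets shaped like Ronald's, contrasting equal priority and weight with a mismatched priority that turns ipa2 into a backup only; the weight-0 rule is simplified as noted in the docstring, and the record sets are constructed.

```python
import random
from collections import Counter

# Constructed SRV record sets shaped like the ones in the thread:
# (priority, weight, port, target). Equal priority and weight on both servers
# is the setup the Red Hat article recommends; the second set is the mistake
# Martin warns about, where ipa2 is contacted only if ipa1 is unreachable.
SRV_BALANCED = [(10, 50, 88, "ipa1.example.net."), (10, 50, 88, "ipa2.example.net.")]
SRV_BACKUP_ONLY = [(0, 50, 88, "ipa1.example.net."), (10, 50, 88, "ipa2.example.net.")]
SRV_WEIGHTED = [(10, 90, 88, "ipa1.example.net."), (10, 10, 88, "ipa2.example.net.")]


def order_targets(records, rng=random):
    """Order SRV records the way an RFC 2782 client does.

    Records are grouped by priority, lowest value first. Within one priority
    group a record is drawn at random with probability proportional to its
    weight, removed, and the draw repeated until the group is exhausted.
    Simplification: weight-0 records are only drawn once every positive
    weight in the group is used up (the RFC gives them a small chance earlier).
    """
    ordered = []
    for prio in sorted({rec[0] for rec in records}):
        pool = [rec for rec in records if rec[0] == prio]
        while pool:
            total = sum(rec[1] for rec in pool)
            if total == 0:
                chosen = rng.choice(pool)
            else:
                pick = rng.randint(1, total)      # 1..total inclusive
                running = 0
                for rec in pool:
                    running += rec[1]
                    if running >= pick:
                        chosen = rec
                        break
            ordered.append(chosen)
            pool.remove(chosen)
    return ordered


def pick_target(records, unavailable=frozenset(), rng=random):
    """Return the first target a client would contact, skipping hosts it
    already knows to be down. None if every target is unavailable."""
    for rec in order_targets(records, rng):
        if rec[3] not in unavailable:
            return rec[3]
    return None


def simulate(records, trials, seed=0, unavailable=frozenset()):
    """Count how often each target is contacted first over `trials` fresh
    lookups, with a seeded RNG so results are reproducible."""
    rng = random.Random(seed)
    return Counter(pick_target(records, unavailable, rng) for _ in range(trials))


if __name__ == "__main__":
    for label, recs in (("balanced", SRV_BALANCED), ("backup-only", SRV_BACKUP_ONLY),
                        ("weighted 90/10", SRV_WEIGHTED)):
        print(label, dict(simulate(recs, 1000)))
    print("ipa1 down:", dict(simulate(SRV_BACKUP_ONLY, 10, unavailable={"ipa1.example.net."})))
```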

Re: [Freeipa-users] Potential problems when using a loadbalancer

2017-03-09 Thread Martin Basti


On 09.03.2017 11:04, Wimmer Ronald (BCC.B.SO) wrote:
>
> Hi,
>
>  
>
> what kind of challenges will I run into when I want to use a
> loadbalancer in front of my two IPA servers?
>
>  
>
> -  LDAP: Should not be a problem
>
> -  Kerberos: will definitely be a challenge.
> Is this link the solution or am I still missing something:
> http://directory.fedoraproject.org/docs/389ds/howto/howto-loadbalance-gssapi.html
>
> -  Certificates: I stumbled upon a RedHat Knowledgebase entry
> dealing with “Certificate CN not matching when using the
> loadbalancer’s virtual name”: https://access.redhat.com/solutions/547723
>
> -  What else will be a problem that needs to be solved?
>
>  
>
> Any hints regarding the “what else” point would be highly appreciated!
>
>  
>
> Regards,
>
> Ronald
>
>
>
This may help you

https://www.adelton.com/freeipa/freeipa-behind-load-balancer



Re: [Freeipa-users] SSSD bug found? FreeIPA vs SSSD

2017-03-09 Thread Alexander Bokovoy

On Thu, 09 Mar 2017, Jakub Hrozek wrote:

> On Thu, Mar 09, 2017 at 01:37:46PM +1100, Lachlan Musicman wrote:
> > Hola,
> >
> > On CentOS 7.3, using FreeIPA VERSION: 4.4.0, API_VERSION: 2.213 and sssd
> > (via COPR) 1.15.1, which has a one way trust to an AD domain. unix.name.org
> > -> name.org
> >
> > I've seen some interesting behaviour.
> >
> > Being part of a large organisation with a smaller nix environment and a
> > larger Windows environment we see all the best of odd AD management
> > behaviour (eg spaces in usernames...).
> >
> > Turns out some of the groups in AD have an @ symbol in them.
> >
> > The behavioural difference we see is: given userA in group "name @ of
> > group" that on the FreeIPA server:
> >
> > [r...@vmpr-freeipa.unix.name.org ~]# id us...@name.org
> >
> > works as expected.
> >
> > But on a client
> >
> > [r...@vmpr-linuxclient1.unix.name.org ~]# id us...@name.org
> >
> > returns nothing.
>
> Yes, it is a known issue:
>    https://pagure.io/SSSD/sssd/issue/3219
>
> There were some users who reported this works better with a modified
> re_expression:
>    re_expression = ((?P.+)@(?P[^@]+$))
> but I agree we should fix this by default. However, the fix must be done
> at both the SSSD level and the IPA extdom plugin, which also searches
> for the @-sign in the user and group names.

Luckily, a change for the extdom plugin seems to be straightforward: search
for the *last* occurrence of the domain separator, not the first one. We
had a similar issue with the nfs idmapd code too.

--
/ Alexander Bokovoy
diff --git a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c 
b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c
index e629247..7c67fb7 100644
--- a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c
+++ b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c
@@ -515,7 +515,7 @@ int pack_ber_user(struct ipa_extdom_ctx *ctx,
 char *short_user_name = NULL;
 
 short_user_name = strdup(user_name);
-if ((locat = strchr(short_user_name, SSSD_DOMAIN_SEPARATOR)) != NULL) {
+if ((locat = strrchr(short_user_name, SSSD_DOMAIN_SEPARATOR)) != NULL) {
 if (strcasecmp(locat+1, domain_name) == 0  ) {
 locat[0] = '\0';
 } else {
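Review bot: `short_user_name = strdup(user_name);` on the context line above is passed straight to strrchr() without a NULL check, so an allocation failure dereferences NULL; add `if (short_user_name == NULL) { /* return the function's usual error code */ }` before the separator search. The strrchr() change itself is right for names that carry '@' in the local part: the text after the last separator is what `strcasecmp(locat+1, domain_name)` needs to compare.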
@@ -626,7 +626,7 @@ int pack_ber_group(enum response_types response_type,
 char *short_group_name = NULL;
 
 short_group_name = strdup(group_name);
-if ((locat = strchr(short_group_name, SSSD_DOMAIN_SEPARATOR)) != NULL) {
+if ((locat = strrchr(short_group_name, SSSD_DOMAIN_SEPARATOR)) != NULL) {
 if (strcasecmp(locat+1, domain_name) == 0  ) {
 locat[0] = '\0';
 } else {
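Review bot: same unchecked strdup() as in pack_ber_user, on `short_group_name = strdup(group_name);`. The split-and-compare block is now duplicated verbatim between the user and group paths; a small shared helper would keep the first-versus-last separator rule from diverging again between the two.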
@@ -901,7 +901,7 @@ static int handle_sid_or_cert_request(struct ipa_extdom_ctx 
*ctx,
 goto done;
 }
 
-sep = strchr(fq_name, SSSD_DOMAIN_SEPARATOR);
+sep = strrchr(fq_name, SSSD_DOMAIN_SEPARATOR);
 if (sep == NULL) {
 set_err_msg(req, "Failed to split fully qualified name");
 ret = LDAP_OPERATIONS_ERROR;
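Review bot: the strrchr() here assumes the domain part never contains the separator, which holds for DNS-style domain names; a one-line comment at this call site saying so would stop the next reader from reverting to strchr(). Behaviour for names without any separator is unchanged, since both functions return NULL and the existing `Failed to split fully qualified name` path handles it.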
@@ -1023,7 +1023,7 @@ static int handle_name_request(struct ipa_extdom_ctx *ctx,
 char *buf = NULL;
 struct sss_nss_kv *kv_list = NULL;
 
-if (strchr(name, SSSD_DOMAIN_SEPARATOR) == NULL) {
+if (strrchr(name, SSSD_DOMAIN_SEPARATOR) == NULL) {
 ret = asprintf(_name, "%s%c%s", name, SSSD_DOMAIN_SEPARATOR,
domain_name);
 } else {
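Review bot: this hunk is behaviour-neutral, because strchr() and strrchr() return NULL under the same condition (no separator present); keeping it for consistency is fine but worth a mention in the commit message. Separately, the first asprintf() argument appears in the posted patch as `_name`, which is not valid C; that looks like an ampersand lost in the mail archive, so confirm the real source passes the address of the output pointer.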

Re: [Freeipa-users] External DNS and replication

2017-03-09 Thread Wimmer Ronald (BCC.B.SO)
From: Martin Basti [mailto:mba...@redhat.com]
Sent: Wednesday, 08 March 2017 14:54
To: Wimmer Ronald (BCC.B.SO) ; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] External DNS and replication




On 08.03.2017 14:05, Wimmer Ronald (BCC.B.SO) wrote:
Hi,

I am using FreeIPA with external DNS. Is it ok to balance the requests between 
master and replica with DNS SRV records like this:

_kerberos-master._tcp.example.net. 86400 IN SRV 10 50 88 ipa1.example.net.
_kerberos-master._udp.example.net. 86400 IN SRV 10 50 88 ipa1.example.net.
_kerberos._tcp.example.net. 86400 IN SRV 10 50 88 ipa1.example.net.
_kerberos._udp.example.net. 86400 IN SRV 10 50 88 ipa1.example.net.
_kpasswd._tcp.example.net. 86400 IN SRV 10 50 464 ipa1.example.net.
_kpasswd._udp.example.net. 86400 IN SRV 10 50 464 ipa1.example.net.
_ldap._tcp.example.net. 86400 IN SRV 10 50 389 ipa1.example.net.
_ntp._udp.example.net. 86400 IN SRV 10 50 123 ipa1.example.net.

_kerberos-master._tcp.example.net. 86400 IN SRV 10 50 88 ipa2.example.net.
_kerberos-master._udp.example.net. 86400 IN SRV 10 50 88 ipa2.example.net.
_kerberos._tcp.example.net. 86400 IN SRV 10 50 88 ipa2.example.net.
_kerberos._udp.example.net. 86400 IN SRV 10 50 88 ipa2.example.net.
_kpasswd._tcp.example.net. 86400 IN SRV 10 50 464 ipa2.example.net.
_kpasswd._udp.example.net. 86400 IN SRV 10 50 464 ipa2.example.net.
_ldap._tcp.example.net. 86400 IN SRV 10 50 389 ipa2.example.net.
_ntp._udp.example.net. 86400 IN SRV 10 50 123 ipa2.example.net.

_kerberos.example.net. 86400 IN TXT "example.net"
Looks good to me


ipa-ca.example.net. 86400 IN A 10.66.39.130

What about the "ipa-ca" entry?

ipa-ca should contain all A/ records of CA replicas

IPA4.4+ support command `ipa dns-update-system-records --dry-run` to get all 
required records


Regards,
Ronald



Martin

Thank's a lot. In https://access.redhat.com/solutions/98043 RedHat suggest to 
use same weight and same priority for the SRV records. Does that make sense?

I also noticed that I have no ndp record. Are IPA clients relying on that 
entry? Do I have to create these manually?

_ntp._udp.example.net.  86400   IN  SRV 10 50 123 
ipaserver1.example.net.
_ntp._udp.example.net.  86400   IN  SRV 10 50 123 
ipaserver2.example.net.

Ronald
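Whether equal priority and equal weight really balance clients between ipa1 and ipa2 follows from the RFC 2782 target-selection rule; the Python below is an added illustration of that rule (not code from the thread or from FreeIPA), with the record sets constructed from the `_ldap._tcp` lines above and a failover variant for contrast.

```python
import random

# Constructed from the _ldap._tcp SRV lines in the thread: (priority, weight, port, target).
BALANCED = [(10, 50, 389, "ipa1.example.net."), (10, 50, 389, "ipa2.example.net.")]
# Constructed variant: a higher priority value on ipa2 makes it a fallback only.
FAILOVER = [(10, 50, 389, "ipa1.example.net."), (20, 50, 389, "ipa2.example.net.")]


def rfc2782_order(records, rng=None):
    """Return targets in the order an RFC 2782 client tries them.

    Lowest priority value first; within one priority level the client picks
    targets by weighted random selection without replacement (the RFC's
    running-sum procedure), so equal weights give an even spread.
    """
    rng = rng if rng is not None else random.Random(0)
    by_priority = {}
    for rec in records:
        by_priority.setdefault(rec[0], []).append(rec)
    ordered = []
    for prio in sorted(by_priority):
        remaining = list(by_priority[prio])
        while remaining:
            total = sum(r[1] for r in remaining)
            roll = rng.randint(0, total)        # 0..total inclusive, as in the RFC
            running = 0
            pick = len(remaining) - 1
            for i, rec in enumerate(remaining):
                running += rec[1]
                if running >= roll:             # first record whose running sum reaches the roll
                    pick = i
                    break
            ordered.append(remaining.pop(pick)[3])
    return ordered


def first_choice_share(records, trials=2000, seed=7):
    """Fraction of lookups in which each target is the client's first choice."""
    rng = random.Random(seed)
    counts = {}
    for _ in range(trials):
        first = rfc2782_order(records, rng)[0]
        counts[first] = counts.get(first, 0) + 1
    return {target: n / trials for target, n in counts.items()}
```

With `FAILOVER` every client contacts ipa1 first and only falls back to ipa2, which is the behaviour the equal priority/weight advice avoids.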

Re: [Freeipa-users] SSSD bug found? FreeIPA vs SSSD

2017-03-09 Thread Jakub Hrozek
On Thu, Mar 09, 2017 at 01:37:46PM +1100, Lachlan Musicman wrote:
> Hola,
> 
> On CentOS 7.3, using FreeIPA VERSION: 4.4.0, API_VERSION: 2.213 and sssd
> (via COPR) 1.15.1, which has a one way trust to an AD domain. unix.name.org
> -> name.org
> 
> I've seen some interesting behaviour.
> 
> Being part of a large organisation with a smaller nix environment and a
> larger Windows environment we see all the best of odd AD management
> behaviour (eg spaces in usernames...).
> 
> Turns out some of the groups in AD have an @ symbol in them.
> 
> The behavioural difference we see is: given userA in group "name @ of
> group" that on the FreeIPA server:
> 
> [r...@vmpr-freeipa.unix.name.org ~]# id us...@name.org
> 
> works as expected.
> 
> But on a client
> 
> [r...@vmpr-linuxclient1.unix.name.org ~]# id us...@name.org
> 
> returns nothing.

Yes, it is a known issue:
https://pagure.io/SSSD/sssd/issue/3219

There were some users who reported this works better with a modified
re_expression:
re_expression = ((?P<name>.+)@(?P<domain>[^@]+$))
but I agree we should fix this by default. However, the fix must be done
at both the SSSD level and the IPA extdom plugin, which also searches
for the @-sign in the user and group names.
> 
> We believe it is because of the group with the @ in the name.
> 
> The AD management team agreed to change the name of one group with an @ in
> its name, and that has solved the problem - id us...@name.org now works on
> the sssd client.
> 
> Putting aside the critiques of having an @ in a group name, I believe that
> if there isn't a bug, there is at least an inconsistency, between how
> FreeIPA and sssd handle this situation.
> 
> This was a guess based on seeing this in the logs:
> 
> (Wed Mar  8 12:03:02 2017) [sssd[be[unix.name.org]]]
> [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
> [(&(objectClass=ipaUserOverride)(uid=awong))][cn=Default Trust
> View,cn=views,cn=accounts,dc=unix,dc=name,dc=org].
> (Wed Mar  8 12:03:02 2017) [sssd[be[unix.name.org]]] [sdap_parse_entry]
> (0x1000): OriginalDN:
> [ipaanchoruuid=:SID:S-1-5-21-55386287-1424373824-1154838474-83519,cn=Default
> Trust View,cn=views,cn=accounts,dc=unix,dc=name,dc=org].
> (Wed Mar  8 12:03:02 2017) [sssd[be[unix.name.org]]]
> [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no
> errmsg set
> (Wed Mar  8 12:03:02 2017) [sssd[be[unix.name.org]]] [sss_domain_get_state]
> (0x1000): Domain unix.name.org is Active
> (Wed Mar  8 12:03:02 2017) [sssd[be[unix.name.org]]] [sss_domain_get_state]
> (0x1000): Domain name.org is Active
> (Wed Mar  8 12:03:02 2017) [sssd[be[unix.name.org]]] [ipa_s2n_exop_send]
> (0x0400): Executing extended operation
> (Wed Mar  8 12:03:02 2017) [sssd[be[unix.name.org]]] [ipa_s2n_exop_done]
> (0x0400): ldap_extended_operation result: Success(0), (null).
> (Wed Mar  8 12:03:02 2017) [sssd[be[unix.name.org]]] [sss_domain_get_state]
> (0x1000): Domain unix.name.org is Active
> (Wed Mar  8 12:03:02 2017) [sssd[be[unix.name.org]]] [sss_domain_get_state]
> (0x1000): Domain name.org is Active
> ...
> (Wed Mar  8 12:03:02 2017) [sssd[be[unix.name.org]]] [sss_domain_get_state]
> (0x1000): Domain unix.name.org is Active
> (Wed Mar  8 12:03:02 2017) [sssd[be[unix.name.org]]] [sss_domain_get_state]
> (0x1000): Domain name.org is Active
> (Wed Mar  8 12:03:02 2017) [sssd[be[unix.name.org]]] [sss_domain_get_state]
> (0x1000): Domain unix.name.org is Active
> (Wed Mar  8 12:03:02 2017) [sssd[be[unix.name.org]]] [sss_domain_get_state]
> (0x1000): Domain name.org is Active
> (Wed Mar  8 12:03:02 2017) [sssd[be[unix.name.org]]] [add_v1_user_data]
> (0x0040): find_domain_by_name failed.
> (Wed Mar  8 12:03:02 2017) [sssd[be[unix.name.org]]]
> [s2n_response_to_attrs] (0x0040): add_v1_user_data failed.
> (Wed Mar  8 12:03:02 2017) [sssd[be[unix.name.org]]]
> [ipa_s2n_get_user_done] (0x0040): s2n_response_to_attrs failed.
> 
> 
> The last three lines tipped off a colleague who was debugging why this
> userA couldn't login to anything.
> 
> Since then we have created IPA overrides for the groups with @ symbols in
> them. This also works as a solution. It's not our preferred solution, but
> we are users, not managers, of the AD system.
> 
> Cheers
> 
> L.
> 
> 
> 
> 
> 
> --
> The most dangerous phrase in the language is, "We've always done it this
> way."
> 
> - Grace Hopper

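How the two separator searches differ on a group name such as `name @ of group@name.org`, as an added Python illustration (not SSSD code): the first-`@` split mirrors the `strchr()`-style lookup, the last-`@` split applies the modified `re_expression` from the reply, with the group names `name` and `domain` assumed to be sssd's required ones and the known-domain set constructed from the log lines.

```python
import re

# The re_expression from the reply; the named groups `name` and `domain`
# are assumed (sssd requires exactly those names).
LAST_SEPARATOR_RE = re.compile(r"((?P<name>.+)@(?P<domain>[^@]+$))")

# Constructed: the two domains the log lines report as Active.
KNOWN_DOMAINS = {"unix.name.org", "name.org"}


def split_first_at(fqname):
    """Split at the first '@', mirroring a strchr()-style separator search."""
    sep = fqname.find("@")
    if sep < 0:
        return None
    return fqname[:sep], fqname[sep + 1:]


def split_last_at(fqname):
    """Split with the modified re_expression: the name may itself contain '@'."""
    m = LAST_SEPARATOR_RE.match(fqname)
    if m is None:           # no separator, or nothing after the last one
        return None
    return m.group("name"), m.group("domain")


def find_domain(fqname, splitter, known=KNOWN_DOMAINS):
    """Return (name, domain) or None when the domain part is not a known domain.

    The None case is what the quoted log shows as 'find_domain_by_name failed'.
    """
    parts = splitter(fqname)
    if parts is None:
        return None
    name, domain = parts
    if domain.lower() not in known:
        return None
    return name, domain
```

Run both splitters over `name @ of group@name.org`: the first-`@` split hands `" of group@name.org"` to the domain lookup and fails, the last-`@` split yields `name.org`.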


Re: [Freeipa-users] What is the next free IP address for a DNS record

2017-03-09 Thread Simo Sorce
On Thu, 2017-03-09 at 13:33 +0100, Kees Bakker wrote:
> On 09-03-17 13:26, Tomas Krizek wrote:
> > On 03/09/2017 01:19 PM, Kees Bakker wrote:
> > > On 09-03-17 12:08, Martin Basti wrote:
> > > > On 09.03.2017 11:12, Kees Bakker wrote:
> > > > > Hey,
> > > > > 
> > > > > Is there an easy way to find out what the next free IP
> > > > > address is when adding a new
> > > > > DNS A record? The web interface sorts the records
> > > > > alphabetically on "Record name",
> > > > > even in-arpa zones. For the latter it would be more
> > > > > convenient to sort numerically.
> > > > 
> > > > No, it depends on your system. FreeIPA is not an authoritative
> > > > source of
> > > > IP addresses, this is job for DHCP server or any network
> > > > management system.
> > > 
> > > DHCP, no.
> > > "any network management system", that would be the DNS service in
> > > our FreeIPA.
> > 
> > DNS A records only translate the hostnames to IPv4 addresses. DNS
> > does
> > not assign the addresses. That's something DHCP would do. If you do
> > not
> > use DHCP and assign the IP addresses statically, the network
> > administrator would be the person responsible for assigning you a
> > free
> > IP address.
> > 
> 
> Yes, I'm talking about static addresses. Is it really such a strange
> question to
> ask for static IP addresses?
> 
> The network administrator, that would be me.

Would it be sufficient for you to have a command line tool to run
against LDAP to list all existing IP addresses and sort them?

If so, this is what I use (assuming a realm called example.com):

ldapsearch -Y GSSAPI -s one -b "idnsname=example.com.,cn=dns,dc=example,dc=com" aRecord 2>/dev/null | grep "^aRecord" | sort

Note: You need to be logged in (kinit'ed) with a user that has rights
to see the DNS tree.

HTH,
Simo.



Re: [Freeipa-users] What is the next free IP address for a DNS record

2017-03-09 Thread Tomas Krizek
On 03/09/2017 01:19 PM, Kees Bakker wrote:
> On 09-03-17 12:08, Martin Basti wrote:
>> Comments inline
>>
>>
>> On 09.03.2017 11:12, Kees Bakker wrote:
>>> Hey,
>>>
>>> Is there an easy way to find out what the next free IP address is when 
>>> adding a new
>>> DNS A record? The web interface sorts the records alphabetically on "Record 
>>> name",
>>> even in-arpa zones. For the latter it would be more convenient to sort 
>>> numerically.
>> No, it depends on your system. FreeIPA is not an authoritative source of
>> IP addresses; this is a job for a DHCP server or any network management system.
> DHCP, no.
> "any network management system", that would be the DNS service in our FreeIPA.
DNS A records only translate the hostnames to IPv4 addresses. DNS does
not assign the addresses. That's something DHCP would do. If you do not
use DHCP and assign the IP addresses statically, the network
administrator would be the person responsible for assigning you a free
IP address.

-- 
Tomas Krizek

PGP: 4A8B A48C 2AED 933B D495  C509 A1FB A5F7 EF8C 4869





Re: [Freeipa-users] What is the next free IP address for a DNS record

2017-03-09 Thread Kees Bakker
On 09-03-17 13:26, Tomas Krizek wrote:
> On 03/09/2017 01:19 PM, Kees Bakker wrote:
>> On 09-03-17 12:08, Martin Basti wrote:
>>> On 09.03.2017 11:12, Kees Bakker wrote:
 Hey,

 Is there an easy way to find out what the next free IP address is when 
 adding a new
 DNS A record? The web interface sorts the records alphabetically on 
 "Record name",
 even in-arpa zones. For the latter it would be more convenient to sort 
 numerically.
>>> No, it depends on your system. FreeIPA is not an authoritative source of
>>> IP addresses; this is a job for a DHCP server or any network management system.
>> DHCP, no.
>> "any network management system", that would be the DNS service in our 
>> FreeIPA.
> DNS A records only translate the hostnames to IPv4 addresses. DNS does
> not assign the addresses. That's something DHCP would do. If you do not
> use DHCP and assign the IP addresses statically, the network
> administrator would be the person responsible for assigning you a free
> IP address.
>

Yes, I'm talking about static addresses. Is it really such a strange question to
ask for static IP addresses?

The network administrator, that would be me.



Re: [Freeipa-users] What is the next free IP address for a DNS record

2017-03-09 Thread Martin Basti


On 09.03.2017 13:19, Kees Bakker wrote:
> On 09-03-17 12:08, Martin Basti wrote:
>> Comments inline
>>
>>
>> On 09.03.2017 11:12, Kees Bakker wrote:
>>> Hey,
>>>
>>> Is there an easy way to find out what the next free IP address is when 
>>> adding a new
>>> DNS A record? The web interface sorts the records alphabetically on "Record 
>>> name",
>>> even in-arpa zones. For the latter it would be more convenient to sort 
>>> numerically.
>> No, it depends on your system. FreeIPA is not an authoritative source of
>> IP addresses; this is a job for a DHCP server or any network management system.
> DHCP, no.
> "any network management system", that would be the DNS service in our FreeIPA.
DNS is not suitable as a source of unused IP addresses; that's work
for DHCP, since DNS has no information about network ranges.
FreeIPA works in a different way: you are responsible for creating and
provisioning a host and assigning an IP address, and then you enroll the host in
FreeIPA (the IP address should be automatically updated in DNS). FreeIPA is
far from being a network management system.

>
>> I don't think that we should sort numerically, as DNS names work with
>> bytes, so ASCII sorting is better. Nothing prevents you from using a
>> non-numeric domain with the PTR RR type.
> In this case I was referring to the reverse DNS records in the in-arpa
> zones. The Record Names for these zones are always numeric, aren't they?
https://tools.ietf.org/html/rfc2317

>
>>> Anyway, what methods are there to know what IP address to use when adding a 
>>> new
>>> DNS record? Did I overlook something?
>> Usually when you are adding a new A record, you know for which host it
>> belongs, so you should use the IP address of the host.
> I'm not talking about an existing host. I want to add a _new_ host
> with a _new_ DNS A record. There is no IP address yet. And that's exactly
> my problem. What IP address to pick? FreeIPA/DNS is my authority, so to speak.
> But there is no simple method to find the next free IP address.
>
> In the "old days" we had a straightforward bind configuration. I'd had to edit
> two files, one for the domain zone and one for the in-arpa zone. But now the
> DNS server gets its zone information from FreeIPA (through LDAP).
You can use AXFR from DNS to get all records of the zone, sort them and
check for free IP addresses.
But there is no standard tool for that in DNS. You have to create your
own script.
>
>>> BTW. Right now I'm dumping the JSON with
>>>   ipa -vv dnsrecord-find mydomain --sizelimit=9 --all --structured  
>>> 2>&1 >/dev/null
>>> and a Python script to make a list sorted on ip address.
>> Martin
>>





Re: [Freeipa-users] What is the next free IP address for a DNS record

2017-03-09 Thread Kees Bakker
On 09-03-17 12:08, Martin Basti wrote:
> Comments inline
>
>
> On 09.03.2017 11:12, Kees Bakker wrote:
>> Hey,
>>
>> Is there an easy way to find out what the next free IP address is when 
>> adding a new
>> DNS A record? The web interface sorts the records alphabetically on "Record 
>> name",
>> even in-arpa zones. For the latter it would be more convenient to sort 
>> numerically.
> No, it depends on your system. FreeIPA is not an authoritative source of
> IP addresses; this is a job for a DHCP server or any network management system.

DHCP, no.
"any network management system", that would be the DNS service in our FreeIPA.

>
> I don't think that we should sort numerically, as DNS names work with
> bytes, so ASCII sorting is better. Nothing prevents you from using a
> non-numeric domain with the PTR RR type.

In this case I was referring to the reverse DNS records in the in-arpa
zones. The Record Names for these zones are always numeric, aren't they?

>> Anyway, what methods are there to know what IP address to use when adding a 
>> new
>> DNS record? Did I overlook something?
> Usually when you are adding a new A record, you know for which host it
> belongs, so you should use the IP address of the host.

I'm not talking about an existing host. I want to add a _new_ host
with a _new_ DNS A record. There is no IP address yet. And that's exactly
my problem. What IP address to pick? FreeIPA/DNS is my authority, so to speak.
But there is no simple method to find the next free IP address.

In the "old days" we had a straightforward bind configuration. I had to edit
two files, one for the domain zone and one for the in-arpa zone. But now the
DNS server gets its zone information from FreeIPA (through LDAP).

>
>> BTW. Right now I'm dumping the JSON with
>>   ipa -vv dnsrecord-find mydomain --sizelimit=9 --all --structured  2>&1 
>> >/dev/null
>> and a Python script to make a list sorted on ip address.
> Martin
>



Re: [Freeipa-users] What is the next free IP address for a DNS record

2017-03-09 Thread Kees Bakker
On 09-03-17 14:07, Simo Sorce wrote:
> On Thu, 2017-03-09 at 13:33 +0100, Kees Bakker wrote:
>> On 09-03-17 13:26, Tomas Krizek wrote:
>>> On 03/09/2017 01:19 PM, Kees Bakker wrote:
 On 09-03-17 12:08, Martin Basti wrote:
> On 09.03.2017 11:12, Kees Bakker wrote:
>> Hey,
>>
>> Is there an easy way to find out what the next free IP
>> address is when adding a new
>> DNS A record? The web interface sorts the records
>> alphabetically on "Record name",
>> even in-arpa zones. For the latter it would be more
>> convenient to sort numerically.
> No, it depends on your system. FreeIPA is not an authoritative
> source of
> IP addresses, this is job for DHCP server or any network
> management system.
 DHCP, no.
 "any network management system", that would be the DNS service in
 our FreeIPA.
>>> DNS A records only translate the hostnames to IPv4 addresses. DNS
>>> does
>>> not assign the addresses. That's something DHCP would do. If you do
>>> not
>>> use DHCP and assign the IP addresses statically, the network
>>> administrator would be the person responsible for assigning you a
>>> free
>>> IP address.
>>>
>> Yes, I'm talking about static addresses. Is it really such a strange
>> question to
>> ask for static IP addresses?
>>
>> The network administrator, that would be me.
> Would it be sufficient for you to have a command line tool to run
> against LDAP to list all existing IP addresses and sort them?
>
> If so this is what I use (assuming a realm called example.com):
>
>
> ldapsearch -Y GSSAPI -s one -b 
> "idnsname=example.com.,cn=dns,dc=example,dc=com" aRecord 2>/dev/null |grep 
> "^aRecord" |sort
>
> Note: You need to be logged in (kinit'ed) with a user that has rights
> to see the DNS tree.
>

Thanks. That is more or less like what I am doing, albeit that I use the JSON output
of ipa dnsrecord-find, and a Python script to massage the output and get a list
like this:

172.16.16.87    grift
172.16.16.88    qlcmdevl
172.16.16.91    sp2
172.16.16.95    kwistbeek
172.16.16.96    keersop
172.16.16.97    lutjewad

Anyway, from the answers I gather that this is what it is. Which is not a huge
problem. I was just curious if there were easier methods.
-- 
Kees
