Re: [Freeipa-users] DNS / Allow PTR sync
Hello Mike,

are you talking about IPA WebUI or CLI or DNS dynamic update mechanism? On which distribution and IPA version?

On 11/05/2012 10:35 PM, Michael Mercier wrote:
> Hello,
>
> A couple of questions regarding DNS / Allow PTR sync.
>
> 1. If you have a zone 'example.com' and you enable Allow PTR sync, should you also enable the option in the reverse zone (e.g. 168.192.in-addr.arpa.)?

In webUI - just check the box "Create reverse" while adding a new A record. Allow PTR sync affects only DNS dynamic update.

> 2. Do you have to wait a specified amount of time for the PTR record to be removed after you remove a host?

No, you don't. Change in webUI should be done immediately. For some time you can see old data on DNS clients because DNS caches all the data extensively.

> e.g.
> 1. Add 'testhost', 192.168.10.10 to 'example.com' (with Allow PTR sync enabled on the zone) with 'Create reverse' enabled.
> 2. Remove 'testhost' from 'example.com'
> 3. Check 168.192.in-addr.arpa. zone and host 'testhost' still exists.

Seems like a bug to me, please file a ticket:
https://fedorahosted.org/freeipa/newticket

You will be prompted for Fedora account, registration link is:
https://admin.fedoraproject.org/accounts/user/new

Also, please note limitations of syncPTR on DNS server - it affects DNS dynamic updates:

* If the change was made through IPA CLI/WebUI/LDAP directly - it does nothing in any case.
* If idnsAllowSyncPTR = true and any A or record was changed through DNS dynamic update mechanism - PTR is automatically updated.
* Change is synchronized only if reverse zone is part of LDAP and has dynamic updates allowed (idnsAllowDynUpdate = TRUE).
* Enabling idnsAllowSyncPTR will not affect existing records as long as they are not updated through DNS dynamic updates.

-- 
Petr^2 Spacek

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
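The practical consequence of Petr's limitations list is that anything managed through the WebUI, CLI or LDAP is outside syncPTR's reach, so forward and reverse zones drift silently and have to be audited. The script below is an added example for this thread (not code from FreeIPA or from any poster): it takes forward and reverse zone contents as "owner TYPE rdata" lines and reports a PTR left behind after its A record was deleted (Mike's 'testhost' case), a PTR pointing at an old name, and an A record that never got a PTR. The zone names come from the thread; the record sets are constructed sample data, and the `parse_records`, `reverse_name`, `audit` and `run_sample` names are this example's own. It handles AAAA/ip6.arpa as well, which goes beyond the IPv4 case discussed.

```python
"""Forward/reverse DNS consistency audit (added example, not FreeIPA code)."""
import ipaddress
from collections import defaultdict
from typing import Dict, List, Set, Tuple

Record = Tuple[str, str, str]  # (owner FQDN, record type, rdata)

# Constructed sample data. Zone names are the ones used in the thread.
FORWARD_ZONE = "example.com."
FORWARD_RECORDS = """\
ipa       A   192.168.10.2
client1   A   192.168.10.20
client2   A   192.168.10.21
client3   A   192.168.10.22
"""

REVERSE_ZONE = "168.192.in-addr.arpa."
REVERSE_RECORDS = """\
2.10    PTR  ipa.example.com.
10.10   PTR  testhost.example.com.   ; left behind after testhost was deleted
20.10   PTR  client1.example.com.
22.10   PTR  oldname.example.com.    ; client3 was renamed, PTR never updated
"""


def qualify(owner: str, zone: str) -> str:
    """Turn a zone-file owner name into an absolute FQDN."""
    if owner == "@":
        return zone
    return owner if owner.endswith(".") else f"{owner}.{zone}"


def parse_records(text: str, zone: str) -> List[Record]:
    """Parse 'owner TYPE rdata' lines; ';' starts a comment, blank lines are skipped."""
    records: List[Record] = []
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()
        if not line:
            continue
        owner, rtype, rdata = line.split(None, 2)
        records.append((qualify(owner, zone).lower(), rtype.upper(), rdata.strip().lower()))
    return records


def reverse_name(address: str) -> str:
    """PTR owner for an IPv4/IPv6 address: 192.168.10.10 -> 10.10.168.192.in-addr.arpa."""
    return ipaddress.ip_address(address).reverse_pointer + "."


def audit(forward: List[Record], reverse: List[Record]) -> Dict[str, list]:
    """Compare A/AAAA records with PTR records, keyed by the PTR owner name."""
    names_at: Dict[str, Set[str]] = defaultdict(set)   # PTR owner -> forward names
    for name, rtype, rdata in forward:
        if rtype in ("A", "AAAA"):
            names_at[reverse_name(rdata)].add(name)
    ptrs_at: Dict[str, Set[str]] = defaultdict(set)    # PTR owner -> PTR targets
    for owner, rtype, target in reverse:
        if rtype == "PTR":
            ptrs_at[owner].add(target)

    result: Dict[str, list] = {"stale_ptr": [], "mismatched_ptr": [], "missing_ptr": []}
    for owner, targets in sorted(ptrs_at.items()):
        for target in sorted(targets):
            if owner not in names_at:
                result["stale_ptr"].append((owner, target))       # no A/AAAA left for this address
            elif target not in names_at[owner]:
                result["mismatched_ptr"].append((owner, target, sorted(names_at[owner])))
    for owner, names in sorted(names_at.items()):
        if owner not in ptrs_at:
            for name in sorted(names):
                result["missing_ptr"].append((owner, name))         # A/AAAA with no PTR at all
    return result


def run_sample() -> Dict[str, list]:
    """Run the audit over the constructed sample zones."""
    return audit(parse_records(FORWARD_RECORDS, FORWARD_ZONE),
                 parse_records(REVERSE_RECORDS, REVERSE_ZONE))


if __name__ == "__main__":
    for kind, entries in run_sample().items():
        for entry in entries:
            print(kind, *entry)
```

To run it against real zones, feed it the output of an AXFR (`dig axfr`) or of `ipa dnsrecord-find` reshaped into the same three-column form; the stale_ptr list is exactly what Mike saw in the WebUI after deleting 'testhost'.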
Re: [Freeipa-users] DNS / Allow PTR sync
On 11/06/2012 10:38 AM, Petr Spacek wrote:
> Hello Mike,
>
> are you talking about IPA WebUI or CLI or DNS dynamic update mechanism? On which distribution and IPA version?
>
> On 11/05/2012 10:35 PM, Michael Mercier wrote:
>> Hello,
>>
>> A couple of questions regarding DNS / Allow PTR sync.
>>
>> 1. If you have a zone 'example.com' and you enable Allow PTR sync, should you also enable the option in the reverse zone (e.g. 168.192.in-addr.arpa.)?
>
> In webUI - just check the box "Create reverse" while adding a new A record. Allow PTR sync affects only DNS dynamic update.
>
>> 2. Do you have to wait a specified amount of time for the PTR record to be removed after you remove a host?
>
> No, you don't. Change in webUI should be done immediately. For some time you can see old data on DNS clients because DNS caches all the data extensively.
>
>> e.g.
>> 1. Add 'testhost', 192.168.10.10 to 'example.com' (with Allow PTR sync enabled on the zone) with 'Create reverse' enabled.
>> 2. Remove 'testhost' from 'example.com'
>> 3. Check 168.192.in-addr.arpa. zone and host 'testhost' still exists.

Did you have "Remove entries from DNS" checkbox checked when removing a host? Alternatively, you would need to use --updatedns option if you were running it via CLI.

If yes, then please file a ticket as Petr suggested.

Thank you,
Martin
[Freeipa-users] Fwd: DNS / Allow PTR sync
Hello,

I missed the reply all button. See my response to Dmitri inline below.

Thanks,
Mike

Begin forwarded message:

From: Michael Mercier mmerc...@gmail.com
Date: November 5, 2012 8:10:53 PM GMT-05:00
To: d...@redhat.com
Subject: Re: [Freeipa-users] DNS / Allow PTR sync

Hello,

On 5-Nov-12, at 7:12 PM, Dmitri Pal wrote:
> On 11/05/2012 04:35 PM, Michael Mercier wrote:
>> Hello,
>>
>> A couple of questions regarding DNS / Allow PTR sync.
>>
>> 1. If you have a zone 'example.com' and you enable Allow PTR sync, should you also enable the option in the reverse zone (e.g. 168.192.in-addr.arpa.)?
>> 2. Do you have to wait a specified amount of time for the PTR record to be removed after you remove a host?
>>
>> e.g.
>> 1. Add 'testhost', 192.168.10.10 to 'example.com' (with Allow PTR sync enabled on the zone) with 'Create reverse' enabled.
>> 2. Remove 'testhost' from 'example.com'
>> 3. Check 168.192.in-addr.arpa. zone and host 'testhost' still exists.
>
> Which version are you using?

I knew this question was coming as soon as I pressed 'send'... :D

IPA 2.2 on CentOS 6.3 (latest RPM's)

> Do you use
>
> # ipa host-del --updatedns host
>
> when deleting the host?

The DNS entries are not IPA hosts (i.e. not added with ipa host-add). Most of the DNS entries were added by performing the following:

ipa dnsrecord-add example.com hostname --a-rec=x.x.x.x --a-create-reverse

My example above was done using the GUI using the DNS page.

Thanks,
Mike

>> Thanks,
>> Mike
>
> -- 
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager for IdM portfolio
> Red Hat Inc.
>
> ---
> Looking to carve out IT costs?
> www.redhat.com/carveoutcosts/
Re: [Freeipa-users] Can't contact LDAP server: TLS error -8172:Peer's certificate issuer has been marked as not trusted by the user
Tim Hughes wrote:
> I am trying to migrate from a fedora-ds-1.1.2-1.fc6 server to ipa-server-2.2.0-16.el6.x86_64 with the following command
>
> ipa migrate-ds ldaps://fedora-ds-server.internal --continue --with-compat --base-dn=dc=custsvc,dc=mycompany --user-container=ou=People,ou=custsvc,dc=co,dc=mycompany --group-container=ou=Groups,ou=custsvc,dc=co,dc=mycompany
>
> I get the following response.
>
> ipa: DEBUG: approved_usage = SSLServer intended_usage = SSLServer
> ipa: DEBUG: cert valid True for CN=ipa-server.internal,O=CO.MYCOMPANY
> ipa: DEBUG: handshake complete, peer = 192.168.10.6:443
> ipa: DEBUG: Caught fault 4203 from server http://ipa-server.internal/ipa/xml: Can't contact LDAP server: TLS error -8172:Peer's certificate issuer has been marked as not trusted by the user.
> ipa: DEBUG: Destroyed connection context.xmlclient
> ipa: ERROR: Can't contact LDAP server: TLS error -8172:Peer's certificate issuer has been marked as not trusted by the user.
>
> I am trying to work out which certificate is not trusted and how I should make it trusted. Any help would be appreciated.

I suspect you're going to need to add the CA that issued your LDAP server certificate to the IPA Apache NSS certificate database (where our admin framework runs). You'd add it something like this:

# certutil -A -d /etc/httpd/alias -n 'LDAP CA' -t CT,C,C -a /path/to/ca.crt

The -n 'LDAP CA' adds a nickname to the CA. There is nothing special about this, it just needs to be unique. Use something meaningful to you.

Then restart the httpd service and try the migration again.

I don't know if we've tested using ldaps, so if my suggestion works can you let us know?

rob
Re: [Freeipa-users] Process open FD table is full.
Thanks, I can't view the bug either but I'll pass it on in my support case.

Erinn, in case it helps my support case # is 00646841.

Oh and sorry for the mail formatting, Outlook at work...

Regards
Johan

-----Original Message-----
From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Rich Megginson
Sent: den 2 november 2012 17:44
To: Erinn Looney-Triggs
Cc: FreeIPAUsers
Subject: Re: [Freeipa-users] Process open FD table is full.

On 11/02/2012 10:41 AM, Erinn Looney-Triggs wrote:
> On 11/02/12 07:28, Rich Megginson wrote:
>> On 11/02/2012 09:06 AM, Simo Sorce wrote:
>>> On Fri, 2012-11-02 at 08:38 +, Johan Sunnerstig wrote:
>>>> Looks a lot like a problem I have as well.
>>>>
>>>> Check out the /proc/xxx/fd directory of the dirsrv process for your IPA realm, in my case it's full of dead pointers to /var/tmp/ldap_xxx where xxx will be the same on one IPA server (I have two in a multi-master setup). These don't clear out until I restart the dirsrv process, so eventually they'll fill up to the FD limit.
>>>>
>>>> For now I have a cron job performing a staggered IPA restart on the two servers and a case open with RH, but I haven't gotten any solution yet.
>>>>
>>>> This is also RHEL 6.3 by the way, though the problem appeared in 6.2 for me.
>>>
>>> This looks like a memory leak in libkrb5 or dirsrv leaving around some krb context.
>>> Those files are replay caches.
>>>
>>> Rich, can you investigate the use of libkrb5 in dirsrv ?
>>
>> https://bugzilla.redhat.com/show_bug.cgi?id=825863
>>
>>> Simo.
>
> Oops missed this, though this is a private bug so I will have to take y'alls word for it being the thing. Sorry about that.

It appears to be a problem with either krb5 or selinux, and there is a proposed fix for RHEL 6.4

> I hate private bugs. I am going to open a RH support case, just in case that helps in any way.

Yes, please.

> -Erinn
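Johan's cron-driven restart is a blunt instrument; what a practitioner wants is a check that runs before the table fills. The script below is an added example for this thread (not code from 389-ds, FreeIPA or any poster): it classifies the link targets in a process's /proc/<pid>/fd, reads the soft "Max open files" limit from /proc/<pid>/limits and returns a verdict that distinguishes a merely busy server from one whose table is dominated by dangling /var/tmp/ldap_* replay caches. It assumes the Linux /proc layout and readlink() marking an unlinked target with a trailing " (deleted)"; the fd snapshot, the log path and the limits text are constructed sample data, and `classify_targets`, `assess`, `scan_process` and `run_sample` are this example's own names.

```python
"""Detect a leak of krb5 replay-cache fds in ns-slapd (added example, not 389-ds code)."""
import os
import re
from collections import Counter
from typing import Dict, Iterable, Tuple

# Replay-cache files as named in the thread: /var/tmp/ldap_xxx
RCACHE_RE = re.compile(r"^/var/tmp/ldap_")
DELETED_SUFFIX = " (deleted)"   # how readlink() on /proc/<pid>/fd marks an unlinked target


def classify_targets(targets: Iterable[str], pattern=RCACHE_RE) -> Dict[str, int]:
    """Count fd link targets: live/deleted replay caches, sockets, everything else."""
    counts: Counter = Counter()
    for target in targets:
        deleted = target.endswith(DELETED_SUFFIX)
        path = target[: -len(DELETED_SUFFIX)] if deleted else target
        if pattern.match(path):
            counts["rcache_deleted" if deleted else "rcache"] += 1
        elif path.startswith("socket:"):
            counts["socket"] += 1
        else:
            counts["other"] += 1
    counts["total"] = sum(counts.values())
    return dict(counts)


def parse_open_file_limit(limits_text: str) -> Tuple[int, int]:
    """Return (soft, hard) from the 'Max open files' line; -1 means unlimited."""
    for line in limits_text.splitlines():
        if line.startswith("Max open files"):
            fields = line.split()            # Max open files <soft> <hard> files
            conv = lambda v: -1 if v == "unlimited" else int(v)
            return conv(fields[3]), conv(fields[4])
    raise ValueError("no 'Max open files' line in limits text")


def assess(counts: Dict[str, int], soft_limit: int, warn_ratio: float = 0.8) -> Dict[str, object]:
    """Decide whether the process is fine, near its limit, or leaking replay caches."""
    used = counts.get("total", 0)
    leaked = counts.get("rcache_deleted", 0)
    verdict = "ok"
    if soft_limit > 0 and used >= warn_ratio * soft_limit:
        verdict = "near-limit"
    if leaked and leaked * 2 >= used:        # dangling replay caches dominate the table
        verdict = "rcache-leak"
    return {"used": used, "limit": soft_limit, "leaked_rcache": leaked, "verdict": verdict}


def scan_process(pid: int) -> Dict[str, object]:
    """Live check against /proc; needs permission to read the target's fd directory."""
    fd_dir = f"/proc/{pid}/fd"
    targets = []
    for fd in os.listdir(fd_dir):
        try:
            targets.append(os.readlink(os.path.join(fd_dir, fd)))
        except OSError:
            continue                          # fd closed between listdir() and readlink()
    with open(f"/proc/{pid}/limits") as fh:
        soft, _hard = parse_open_file_limit(fh.read())
    return assess(classify_targets(targets), soft)


# Constructed snapshot of a leaking dirsrv: three ordinary fds, one live
# replay cache and 900 dangling ones, against a soft limit of 1024.
SAMPLE_FD_TARGETS = (
    ["socket:[12345]", "/var/log/dirsrv/slapd-EXAMPLE-COM/access", "/dev/null"]
    + [f"/var/tmp/ldap_{i} (deleted)" for i in range(900)]
    + ["/var/tmp/ldap_900"]
)
SAMPLE_LIMITS = (
    "Limit                     Soft Limit           Hard Limit           Units\n"
    "Max open files            1024                 4096                 files\n"
)


def run_sample() -> Dict[str, object]:
    """Evaluate the constructed snapshot."""
    soft, _hard = parse_open_file_limit(SAMPLE_LIMITS)
    return assess(classify_targets(SAMPLE_FD_TARGETS), soft)


if __name__ == "__main__":
    import sys
    print(scan_process(int(sys.argv[1])) if len(sys.argv) > 1 else run_sample())
```

Run it as root with the ns-slapd pid (`pidof ns-slapd`) from cron; a "rcache-leak" verdict is the moment to restart dirsrv on one master at a time, which is the staggered restart Johan describes, and the leaked_rcache count is useful evidence to attach to a support case.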
Re: [Freeipa-users] Can't contact LDAP server: TLS error -8172:Peer's certificate issuer has been marked as not trusted by the user
On 11/06/2012 08:07 AM, Rob Crittenden wrote:
> Tim Hughes wrote:
>> I am trying to migrate from a fedora-ds-1.1.2-1.fc6 server to ipa-server-2.2.0-16.el6.x86_64 with the following command
>>
>> ipa migrate-ds ldaps://fedora-ds-server.internal --continue --with-compat --base-dn=dc=custsvc,dc=mycompany --user-container=ou=People,ou=custsvc,dc=co,dc=mycompany --group-container=ou=Groups,ou=custsvc,dc=co,dc=mycompany
>>
>> I get the following response.
>>
>> ipa: DEBUG: approved_usage = SSLServer intended_usage = SSLServer
>> ipa: DEBUG: cert valid True for CN=ipa-server.internal,O=CO.MYCOMPANY
>> ipa: DEBUG: handshake complete, peer = 192.168.10.6:443
>> ipa: DEBUG: Caught fault 4203 from server http://ipa-server.internal/ipa/xml: Can't contact LDAP server: TLS error -8172:Peer's certificate issuer has been marked as not trusted by the user.
>> ipa: DEBUG: Destroyed connection context.xmlclient
>> ipa: ERROR: Can't contact LDAP server: TLS error -8172:Peer's certificate issuer has been marked as not trusted by the user.
>>
>> I am trying to work out which certificate is not trusted and how I should make it trusted. Any help would be appreciated.
>
> I suspect you're going to need to add the CA that issued your LDAP server certificate to the IPA Apache NSS certificate database (where our admin framework runs). You'd add it something like this:
>
> # certutil -A -d /etc/httpd/alias -n 'LDAP CA' -t CT,C,C -a /path/to/ca.crt
>
> The -n 'LDAP CA' adds a nickname to the CA. There is nothing special about this, it just needs to be unique. Use something meaningful to you.
>
> Then restart the httpd service and try the migration again.
>
> I don't know if we've tested using ldaps, so if my suggestion works can you let us know?

IMO the migrate-ds command should have additional argument to point to the cert file to use for connection. Then the framework should get the cert and import it into the store itself.

Rob, do you agree that this would be a valid RFE?

> rob

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
Re: [Freeipa-users] Can't contact LDAP server: TLS error -8172:Peer's certificate issuer has been marked as not trusted by the user
Dmitri Pal wrote:
> On 11/06/2012 08:07 AM, Rob Crittenden wrote:
>> Tim Hughes wrote:
>>> I am trying to migrate from a fedora-ds-1.1.2-1.fc6 server to ipa-server-2.2.0-16.el6.x86_64 with the following command
>>>
>>> ipa migrate-ds ldaps://fedora-ds-server.internal --continue --with-compat --base-dn=dc=custsvc,dc=mycompany --user-container=ou=People,ou=custsvc,dc=co,dc=mycompany --group-container=ou=Groups,ou=custsvc,dc=co,dc=mycompany
>>>
>>> I get the following response.
>>>
>>> ipa: DEBUG: approved_usage = SSLServer intended_usage = SSLServer
>>> ipa: DEBUG: cert valid True for CN=ipa-server.internal,O=CO.MYCOMPANY
>>> ipa: DEBUG: handshake complete, peer = 192.168.10.6:443
>>> ipa: DEBUG: Caught fault 4203 from server http://ipa-server.internal/ipa/xml: Can't contact LDAP server: TLS error -8172:Peer's certificate issuer has been marked as not trusted by the user.
>>> ipa: DEBUG: Destroyed connection context.xmlclient
>>> ipa: ERROR: Can't contact LDAP server: TLS error -8172:Peer's certificate issuer has been marked as not trusted by the user.
>>>
>>> I am trying to work out which certificate is not trusted and how I should make it trusted. Any help would be appreciated.
>>
>> I suspect you're going to need to add the CA that issued your LDAP server certificate to the IPA Apache NSS certificate database (where our admin framework runs). You'd add it something like this:
>>
>> # certutil -A -d /etc/httpd/alias -n 'LDAP CA' -t CT,C,C -a /path/to/ca.crt
>>
>> The -n 'LDAP CA' adds a nickname to the CA. There is nothing special about this, it just needs to be unique. Use something meaningful to you.
>>
>> Then restart the httpd service and try the migration again.
>>
>> I don't know if we've tested using ldaps, so if my suggestion works can you let us know?
>
> IMO the migrate-ds command should have additional argument to point to the cert file to use for connection. Then the framework should get the cert and import it into the store itself.
>
> Rob, do you agree that this would be a valid RFE?

Yup, certainly something that would make things easier.

rob
Re: [Freeipa-users] Can't contact LDAP server: TLS error -8172:Peer's certificate issuer has been marked as not trusted by the user
On 11/06/2012 11:58 AM, Rob Crittenden wrote:
> Dmitri Pal wrote:
>> On 11/06/2012 08:07 AM, Rob Crittenden wrote:
>>> Tim Hughes wrote:
>>>> I am trying to migrate from a fedora-ds-1.1.2-1.fc6 server to ipa-server-2.2.0-16.el6.x86_64 with the following command
>>>>
>>>> ipa migrate-ds ldaps://fedora-ds-server.internal --continue --with-compat --base-dn=dc=custsvc,dc=mycompany --user-container=ou=People,ou=custsvc,dc=co,dc=mycompany --group-container=ou=Groups,ou=custsvc,dc=co,dc=mycompany
>>>>
>>>> I get the following response.
>>>>
>>>> ipa: DEBUG: approved_usage = SSLServer intended_usage = SSLServer
>>>> ipa: DEBUG: cert valid True for CN=ipa-server.internal,O=CO.MYCOMPANY
>>>> ipa: DEBUG: handshake complete, peer = 192.168.10.6:443
>>>> ipa: DEBUG: Caught fault 4203 from server http://ipa-server.internal/ipa/xml: Can't contact LDAP server: TLS error -8172:Peer's certificate issuer has been marked as not trusted by the user.
>>>> ipa: DEBUG: Destroyed connection context.xmlclient
>>>> ipa: ERROR: Can't contact LDAP server: TLS error -8172:Peer's certificate issuer has been marked as not trusted by the user.
>>>>
>>>> I am trying to work out which certificate is not trusted and how I should make it trusted. Any help would be appreciated.
>>>
>>> I suspect you're going to need to add the CA that issued your LDAP server certificate to the IPA Apache NSS certificate database (where our admin framework runs). You'd add it something like this:
>>>
>>> # certutil -A -d /etc/httpd/alias -n 'LDAP CA' -t CT,C,C -a /path/to/ca.crt
>>>
>>> The -n 'LDAP CA' adds a nickname to the CA. There is nothing special about this, it just needs to be unique. Use something meaningful to you.
>>>
>>> Then restart the httpd service and try the migration again.
>>>
>>> I don't know if we've tested using ldaps, so if my suggestion works can you let us know?
>>
>> IMO the migrate-ds command should have additional argument to point to the cert file to use for connection. Then the framework should get the cert and import it into the store itself.
>>
>> Rob, do you agree that this would be a valid RFE?
>
> Yup, certainly something that would make things easier.
>
> rob

https://fedorahosted.org/freeipa/ticket/3243

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
[Freeipa-users] Rebuilding the failing original IPA master
Hi,

It seems I am faced with rebuilding my original IPA master; trouble is I don't know the impact and problems with doing that.

For instance, can I simply,

1) run a db2ldif to export the ldap contents,
2) un-install the IPA server,
3) reboot and re-install it,
4) run ldif2db,
5) then re-sync the two replicas?

or will the two replicas need rebuilding and rejoining fresh? Will all the hosts need re-joining?

Looking at this I don't know just how easy it is or not to do.

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272