Re: [Freeipa-users] Inplace upgrade

2016-05-03 Thread Devin Acosta
Barry,

Yes you should be able to just do a: "yum update ipa-server" and you should be 
good to go.


-- 
Devin Acosta, RHCE, LFCE
Linux Certified Engineer
e: de...@linuxguru.co


On May 3, 2016 at 9:10:04 PM, barry...@gmail.com (barry...@gmail.com) wrote:

Hi :

How do I do an in-place upgrade of ipa-server-3.0.0-26.el6_4.4.x86_64

to ipa-server-3.0.0-37.el6.x86_64?

This is a minor version upgrade; can I just type the update command?


Regards

Barry
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] Inplace upgrade

2016-05-03 Thread barrykfl
Can I specify a minor version?
On May 4, 2016 at 1:15 PM, "Devin Acosta"  wrote:

> Barry,
>
> Yes you should be able to just do a: "yum update ipa-server" and you
> should be good to go.
>
>
> --
> Devin Acosta, RHCE, LFCE
> Linux Certified Engineer
> e: de...@linuxguru.co
>
>
> On May 3, 2016 at 9:10:04 PM, barry...@gmail.com (barry...@gmail.com)
> wrote:
>
> Hi :
>
> How do I do an in-place upgrade of ipa-server-3.0.0-26.el6_4.4.x86_64
>
> to ipa-server-3.0.0-37.el6.x86_64?
>
> This is a minor version upgrade; can I just type the update command?
>
>
> Regards
>
> Barry

[Freeipa-users] Inplace upgrade

2016-05-03 Thread barrykfl
Hi :

How do I do an in-place upgrade of ipa-server-3.0.0-26.el6_4.4.x86_64

to ipa-server-3.0.0-37.el6.x86_64?

This is a minor version upgrade; can I just type the update command?


Regards

Barry

Re: [Freeipa-users] Free IPA Client in Docker

2016-05-03 Thread Hosakote Nagesh, Pawan
Our apps are running in a docker image based on Ubuntu 14.04 that cannot be 
changed to redhat. We want to install freeipa-client within this docker so that 
our app uses freeipa ldap as against the default ldap.

The freeipa-client gets successfully installed on a plain Ubuntu 14.04 machine, 
that is why I am hoping making it run in an Ubuntu 14.04 docker should also be 
very much possible.

As you can see, things get stuck in not starting the bus process properly (this 
problem is not seen in ubuntu on a plain machine). I cannot see many debug 
statements by enabling the --debug option in ipa-client-install.
It's not clear why this process doesn't get started and what is missing in the 
container as against a plain machine which is making this install fail.

I am on to this issue for 2 full days now. I am pasting whatever debug 
statements I got during install, here:

Command
---
ipa-client-install --domain= --server= --hostname=jupyterhub.com --no-ntp --no-dns-sshfp



Log (after the error starts to happen)
---
Attached

My main suspect is dbus service unable to start in this container where it 
launches on a plain machine.

-
Best,
Pawan


On 5/3/16, 2:03 PM, "Lukas Slebodnik"  wrote:

>On (03/05/16 18:25), Hosakote Nagesh, Pawan wrote:
>>Currently this is the error I'm stuck with. There isn't enough material 
>>online to proceed further. Failure starts with a bus error..
>>
>>Logs during ipa-client-install..
>>
>>
>>Synchronizing time with KDC...
>>Password for service_...@eaz.ebayc3.com: 
>>Successfully retrieved CA cert
>>Subject: CN=Certificate Authority,O=EAZ.EBAYC3.COM
>>Issuer:  CN=Certificate Authority,O=EAZ.EBAYC3.COM
>>Valid From:  Mon Dec 07 05:17:30 2015 UTC
>>Valid Until: Fri Dec 07 05:17:30 2035 UTC
>>
>>
>>Enrolled in IPA realm EAZ.EBAYC3.COM
>>Created /etc/ipa/default.conf
>>New SSSD config will be created
>>Configured /etc/sssd/sssd.conf
>>Configured /etc/krb5.conf for IPA realm EAZ.EBAYC3.COM
>>dbus failed to start: Command '/usr/sbin/service dbus start ' returned 
>>non-zero exit status 1
>I think the error message is clear.
>There was a problem with starting dbus service within a container.
>
>>certmonger failed to stop: [Errno 2] No such file or directory: 
>>'/var/run/ipa/services.list'
>>certmonger request for host certificate failed
>>2016-05-02 22:11:53,099 CRIT reaped unknown pid 241)
>>.
>>
>>On 5/3/16, 1:45 AM, "Lukas Slebodnik"  wrote:
>>
>>>On (29/04/16 17:16), Hosakote Nagesh, Pawan wrote:
>>>>Thanks for your quick response. I am trying this on ubuntu.
>>>>
>>>>This is the bug I'm facing right now: 
>>>>https://lists.launchpad.net/freeipa/msg00236.html 
>>>>They say it's fixed in the Trusty release of Ubuntu. But it doesn't work for me. 
>>>>There is also no other material 
>>>>on how to fix this dbus error.
>>>>
>>>>root@jupyterhub:/#  lsb_release -rd
>>>>Description:Ubuntu 14.04.4 LTS
>>>>Release:14.04
>>>>root@jupyterhub:/#
>>>Do I understand it correctly that you want to build your own image
>>>based on ubuntu?
>>>
>>>If the answer is yes then I would recommend using ubuntu xenial (16.04).
>>>
>>>But the benefit of container technologies is that you can use
>>>image based on different distribution and therefore it would be the
>>>best if you could use https://hub.docker.com/r/fedora/sssd/
>>>(which was already mentioned).
>>>
>May I know why you do not want to use the existing working container
>based on the image fedora/sssd?
>
>You would save some time with troubleshooting things which were already solved.
>
>If you want help then please provide more info.
>I assume you use docker and not lxd (based on the subject).
>Please share details of how you built the image and how you
>run the container ...
>
>LS
Attached log:

New SSSD config will be created
Configured /etc/sssd/sssd.conf
Starting external process
args=/usr/bin/certutil -A -d sql:/etc/pki/nssdb -n IPA CA -t CT,C,C -a -i /etc/ipa/ca.crt
Process finished, return code=0
stdout=
stderr=
Backing up system configuration file '/etc/krb5.conf'
Saving Index File to '/var/lib/ipa-client/sysrestore/sysrestore.index'
Starting external process
args=keyctl get_persistent @s 0
Process finished, return code=2
stdout=
stderr=Unknown command

Writing Kerberos configuration to /etc/krb5.conf:
#File modified by ipa-client-install

includedir /var/lib/sss/pubconf/krb5.include.d/

[libdefaults]
  default_realm = EAZ.EBAYC3.COM
  dns_lookup_realm = false
  dns_lookup_kdc = false
  rdns = false
  ticket_lifetime = 24h
  forwardable = yes

[realms]
  EAZ.EBAYC3.COM = {
kdc = 

Re: [Freeipa-users] Who uses FreeIPA?

2016-05-03 Thread Lukas Slebodnik
On (03/05/16 15:09), Alexandre de Verteuil wrote:
>Hello all,
>
>I've deployed FreeIPA in my home lab and I'm happy to have single
>sign-on for all my Archlinux virtual machines and Fedora laptops :)
>
>It took me lots of research and conversations before hearing about
>FreeIPA for the first time while searching for a libre SSO solution. I
>think FreeIPA needs much more exposure. I am really impressed with it.
>Tomorrow I am giving a short presentation at my workplace to talk about
>it and invite other sysadmins to try it.
>
>I would like to make a slide showing the current adoption of FreeIPA. I
>read that Red Hat uses it internally, but do they actually deploy it in
>their client's infrastructures? Are there any big companies that use it?
>Even if I only have reports of schools and small businesses would be
>good enough to say it's production ready and it has traction.
>
>Whether you are reporting about your own use or you know where I can
>find out more would be greatly appreciated! I have not found a "Who uses
>FreeIPA" page on the Internet.
>
The GNOME Infrastructure is now powered by FreeIPA!
October 7, 2014

https://www.dragonsreach.it/2014/10/07/the-gnome-infrastructure-is-now-powered-by-freeipa/

LS



Re: [Freeipa-users] Who uses FreeIPA?

2016-05-03 Thread Simo Sorce
Hello Alexandre,

Red Hat does not strictly track IdM [1] usage across the customer base, so
we do not have complete stats, but we can say we have thousands of
deployments, which range from 1 to more than 20 servers and from a few
dozen to tens of thousands of clients attached to those servers, per
deployment.

Hope this helps,
Simo.

[1] Red Hat Identity Management is the product name used to distribute
FreeIPA to RHEL customers.

On Tue, 2016-05-03 at 15:09 -0400, Alexandre de Verteuil wrote:
> Hello all,
> 
> I've deployed FreeIPA in my home lab and I'm happy to have single
> sign-on for all my Archlinux virtual machines and Fedora laptops :)
> 
> It took me lots of research and conversations before hearing about
> FreeIPA for the first time while searching for a libre SSO solution. I
> think FreeIPA needs much more exposure. I am really impressed with it.
> Tomorrow I am giving a short presentation at my workplace to talk about
> it and invite other sysadmins to try it.
> 
> I would like to make a slide showing the current adoption of FreeIPA. I
> read that Red Hat uses it internally, but do they actually deploy it in
> their client's infrastructures? Are there any big companies that use it?
> Even if I only have reports of schools and small businesses would be
> good enough to say it's production ready and it has traction.
> 
> Whether you are reporting about your own use or you know where I can
> find out more would be greatly appreciated! I have not found a "Who uses
> FreeIPA" page on the Internet.
> 
> Best regards,
> -- 
> Alexandre de Verteuil 
> public key ID : 0xDD237C00
> http://alexandre.deverteuil.net/
> 


-- 
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-users] Free IPA Client in Docker

2016-05-03 Thread Lukas Slebodnik
On (03/05/16 18:25), Hosakote Nagesh, Pawan wrote:
>Currently this is the error I'm stuck with. There isn't enough material online 
>to proceed further. Failure starts with a bus error..
>
>Logs during ipa-client-install..
>
>
>Synchronizing time with KDC...
>Password for service_...@eaz.ebayc3.com: 
>Successfully retrieved CA cert
>Subject: CN=Certificate Authority,O=EAZ.EBAYC3.COM
>Issuer:  CN=Certificate Authority,O=EAZ.EBAYC3.COM
>Valid From:  Mon Dec 07 05:17:30 2015 UTC
>Valid Until: Fri Dec 07 05:17:30 2035 UTC
>
>
>Enrolled in IPA realm EAZ.EBAYC3.COM
>Created /etc/ipa/default.conf
>New SSSD config will be created
>Configured /etc/sssd/sssd.conf
>Configured /etc/krb5.conf for IPA realm EAZ.EBAYC3.COM
>dbus failed to start: Command '/usr/sbin/service dbus start ' returned 
>non-zero exit status 1
I think the error message is clear.
There was a problem with starting dbus service within a container.

>certmonger failed to stop: [Errno 2] No such file or directory: 
>'/var/run/ipa/services.list'
>certmonger request for host certificate failed
>2016-05-02 22:11:53,099 CRIT reaped unknown pid 241)
>.
>
>On 5/3/16, 1:45 AM, "Lukas Slebodnik"  wrote:
>
>>On (29/04/16 17:16), Hosakote Nagesh, Pawan wrote:
>>>Thanks for your quick response. I am trying this on ubuntu.
>>>
>>>This is the bug I'm facing right now: 
>>>https://lists.launchpad.net/freeipa/msg00236.html 
>>>They say it's fixed in the Trusty release of Ubuntu. But it doesn't work for me. 
>>>There is also no other material 
>>>on how to fix this dbus error.
>>>
>>>root@jupyterhub:/#  lsb_release -rd
>>>Description:Ubuntu 14.04.4 LTS
>>>Release:14.04
>>>root@jupyterhub:/#
>>Do I understand it correctly that you want to build your own image
>>based on ubuntu?
>>
>>If the answer is yes then I would recommend using ubuntu xenial (16.04).
>>
>>But the benefit of container technologies is that you can use
>>image based on different distribution and therefore it would be the
>>best if you could use https://hub.docker.com/r/fedora/sssd/
>>(which was already mentioned).
>>
May I know why you do not want to use the existing working container
based on the image fedora/sssd?

You would save some time with troubleshooting things which were already solved.

If you want help then please provide more info.
I assume you use docker and not lxd (based on the subject).
Please share details of how you built the image and how you
run the container ...

LS


[Freeipa-users] Re: Who uses FreeIPA?

2016-05-03 Thread Luiz Fernando Vianna da Silva
Hello Alexandre.

FreeIPA is the open source project, or as Red Hat calls it the upstream 
project, that fuels Red Hat IDM [1].
As to IDM, there are many large corporations that use it in production and 
mission-critical environments.

Due to non-disclosure agreements I cannot give you fine details about the 
customers I support that have Red Hat IDM deployed on their environments.
For instance, one of my customers, which is the largest Latin American credit and 
debit card operator (in terms of financial transaction volume), uses Red Hat 
IDM, which is based on the FreeIPA project [2], on pretty much 100% of its 
Linux and Unix production environments.

I suggest you reach out to your Red Hat commercial representative and ask for 
IDM success cases. I bet he would be glad to help you.

[1] https://access.redhat.com/products/identity-management
[2] 
https://www.redhat.com/archives/rh-community-de-berlin/2012-November/pdfOlwXB8dm7U.pdf

Best Regards
__
Luiz Fernando Vianna da Silva

-Original Message-
From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] 
On Behalf Of Alexandre de Verteuil
Sent: Tuesday, May 3, 2016 16:10
To: freeipa-users@redhat.com
Subject: [Freeipa-users] Who uses FreeIPA?

Hello all,

I've deployed FreeIPA in my home lab and I'm happy to have single sign-on for 
all my Archlinux virtual machines and Fedora laptops :)

It took me lots of research and conversations before hearing about FreeIPA for 
the first time while searching for a libre SSO solution. I think FreeIPA needs 
much more exposure. I am really impressed with it.
Tomorrow I am giving a short presentation at my workplace to talk about it and 
invite other sysadmins to try it.

I would like to make a slide showing the current adoption of FreeIPA. I read 
that Red Hat uses it internally, but do they actually deploy it in their 
client's infrastructures? Are there any big companies that use it?
Even if I only have reports of schools and small businesses would be good 
enough to say it's production ready and it has traction.

Whether you are reporting about your own use or you know where I can find out 
more would be greatly appreciated! I have not found a "Who uses FreeIPA" page 
on the Internet.

Best regards,
--
Alexandre de Verteuil
public key ID : 0xDD237C00
http://alexandre.deverteuil.net/



Re: [Freeipa-users] Free IPA Client in Docker

2016-05-03 Thread Hosakote Nagesh, Pawan
Currently this is the error I'm stuck with. There isn't enough material online 
to proceed further. Failure starts with a bus error..

Logs during ipa-client-install..


Synchronizing time with KDC...
Password for service_...@eaz.ebayc3.com: 
Successfully retrieved CA cert
Subject: CN=Certificate Authority,O=EAZ.EBAYC3.COM
Issuer:  CN=Certificate Authority,O=EAZ.EBAYC3.COM
Valid From:  Mon Dec 07 05:17:30 2015 UTC
Valid Until: Fri Dec 07 05:17:30 2035 UTC


Enrolled in IPA realm EAZ.EBAYC3.COM
Created /etc/ipa/default.conf
New SSSD config will be created
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm EAZ.EBAYC3.COM
dbus failed to start: Command '/usr/sbin/service dbus start ' returned non-zero 
exit status 1
certmonger failed to stop: [Errno 2] No such file or directory: 
'/var/run/ipa/services.list'
certmonger request for host certificate failed
2016-05-02 22:11:53,099 CRIT reaped unknown pid 241)
.

.
.
.

-
Best,
Pawan




On 5/3/16, 1:45 AM, "Lukas Slebodnik"  wrote:

>On (29/04/16 17:16), Hosakote Nagesh, Pawan wrote:
>>Thanks for your quick response. I am trying this on ubuntu.
>>
>>This is the bug I'm facing right now: 
>>https://lists.launchpad.net/freeipa/msg00236.html 
>>They say it's fixed in the Trusty release of Ubuntu. But it doesn't work for me. 
>>There is also no other material 
>>on how to fix this dbus error.
>>
>>root@jupyterhub:/#  lsb_release -rd
>>Description:Ubuntu 14.04.4 LTS
>>Release:14.04
>>root@jupyterhub:/#
>Do I understand it correctly that you want to build your own image
>based on ubuntu?
>
>If the answer is yes then I would recommend using ubuntu xenial (16.04).
>
>But the benefit of container technologies is that you can use
>image based on different distribution and therefore it would be the
>best if you could use https://hub.docker.com/r/fedora/sssd/
>(which was already mentioned).
>
>LS


[Freeipa-users] Who uses FreeIPA?

2016-05-03 Thread Alexandre de Verteuil
Hello all,

I've deployed FreeIPA in my home lab and I'm happy to have single
sign-on for all my Archlinux virtual machines and Fedora laptops :)

It took me lots of research and conversations before hearing about
FreeIPA for the first time while searching for a libre SSO solution. I
think FreeIPA needs much more exposure. I am really impressed with it.
Tomorrow I am giving a short presentation at my workplace to talk about
it and invite other sysadmins to try it.

I would like to make a slide showing the current adoption of FreeIPA. I
read that Red Hat uses it internally, but do they actually deploy it in
their client's infrastructures? Are there any big companies that use it?
Even if I only have reports of schools and small businesses would be
good enough to say it's production ready and it has traction.

Whether you are reporting about your own use or you know where I can
find out more would be greatly appreciated! I have not found a "Who uses
FreeIPA" page on the Internet.

Best regards,
-- 
Alexandre de Verteuil 
public key ID : 0xDD237C00
http://alexandre.deverteuil.net/



Re: [Freeipa-users] cron reports "ORPHAN (no passwd entry)" for the @reboot jobs

2016-05-03 Thread Harald Dunkel
Hi Lukas,

On 05/03/16 10:21, Lukas Slebodnik wrote:
> But that's not a problem of sssd. It's a bug in the cron service file. If cron relies 
> on user lookup then it should not be started before nss-user-lookup.target.
> 
> Fedora has a correct service file for crond.
> 
> sh$ systemctl cat crond.service
> # /usr/lib/systemd/system/crond.service
> [Unit]
> Description=Command Scheduler
> After=auditd.service nss-user-lookup.target systemd-user-sessions.service time-sync.target ypbind.service
> 
> [Service]
> EnvironmentFile=/etc/sysconfig/crond
> ExecStart=/usr/sbin/crond -n $CRONDARGS
> ExecReload=/bin/kill -HUP $MAINPID
> KillMode=process
> 
> [Install]
> WantedBy=multi-user.target
> 
> Debian has a quite minimal version
> sh$ systemctl cat cron.service
> # /lib/systemd/system/cron.service
> [Unit]
> Description=Regular background program processing daemon
> Documentation=man:cron(8)
> 
> [Service]
> EnvironmentFile=-/etc/default/cron
> ExecStart=/usr/sbin/cron -f $EXTRA_OPTS
> IgnoreSIGPIPE=false
> KillMode=process
> 
> [Install]
> WantedBy=multi-user.target
> 

Sorry, but that's not the case for the cron service installed on
my systems. See the first post in this thread: this cron.service
contains "Type=idle", i.e. cron is run after all the other
services, including nss-user-lookup.target. See
https://bugs.debian.org/767016

IMHO sssd is the only instance that knows exactly *when* its user
database is available. Before this state is reached it should
not give up control to the nss-user-lookup.target. The output
of "ps -ef" run by the cron job showed it does.


Regards
Harri


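The disagreement above comes down to what the unit file actually declares, which is something you can check mechanically. The following is an added example, not code from the thread or from sssd, cron, Fedora or Debian: it parses unit files the way systemd reads them (repeated After= lines accumulate, an empty After= resets the list) and reports whether a service is ordered after nss-user-lookup.target. It runs over constructed copies of the two units Lukas quoted plus a variant carrying Type=idle, which the systemd.service documentation describes as only delaying execution until queued jobs are dispatched (with a 5 s cap), not as an ordering dependency on any target. The drop-in it emits uses the standard /etc/systemd/system/<unit>.d/ override location; the file name user-lookup.conf is my choice.

```python
"""Does a service wait for the user database (nss-user-lookup.target)?

Added example, not code from the thread or from sssd/cron. Parses systemd
unit files the way systemd reads them: key=value under [Section], list
settings such as After= accumulate across repeated lines, and an empty
assignment (After=) clears what came before.
"""
from collections import defaultdict

USER_LOOKUP_TARGET = "nss-user-lookup.target"

# Constructed copy of the Fedora crond.service quoted in the thread.
FEDORA_CROND = """\
[Unit]
Description=Command Scheduler
After=auditd.service nss-user-lookup.target systemd-user-sessions.service time-sync.target ypbind.service

[Service]
EnvironmentFile=/etc/sysconfig/crond
ExecStart=/usr/sbin/crond -n $CRONDARGS
ExecReload=/bin/kill -HUP $MAINPID
KillMode=process

[Install]
WantedBy=multi-user.target
"""

# Constructed copy of the Debian cron.service quoted in the thread.
DEBIAN_CRON = """\
[Unit]
Description=Regular background program processing daemon
Documentation=man:cron(8)

[Service]
EnvironmentFile=-/etc/default/cron
ExecStart=/usr/sbin/cron -f $EXTRA_OPTS
IgnoreSIGPIPE=false
KillMode=process

[Install]
WantedBy=multi-user.target
"""

# Constructed variant with Type=idle, as Harald describes his cron.service.
DEBIAN_CRON_IDLE = DEBIAN_CRON.replace("KillMode=process", "KillMode=process\nType=idle")


def parse_unit(text):
    """Return {section: {key: [value, ...]}} for one unit file."""
    sections = defaultdict(lambda: defaultdict(list))
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section is None or "=" not in line:
            continue  # stray line outside any section: skip it
        key, _, value = (part.strip() for part in line.partition("="))
        if value:
            sections[section][key].append(value)
        else:
            sections[section][key] = []  # "Key=" resets a list setting
    return sections


def ordering_deps(unit, key="After"):
    """Flatten a space-separated, cumulative dependency setting such as After=."""
    return [dep for value in unit["Unit"].get(key, []) for dep in value.split()]


def check_user_lookup_ordering(text):
    """Report whether the unit is ordered after the user database.

    ok        -> After= names nss-user-lookup.target (the actual fix)
    type_idle -> Type=idle is present; it delays execution until queued
                 jobs are dispatched (5 s cap) but orders against nothing
    """
    unit = parse_unit(text)
    after = ordering_deps(unit, "After")
    service_type = (unit["Service"].get("Type") or ["simple"])[-1]
    return {
        "after": after,
        "ok": USER_LOOKUP_TARGET in after,
        "type_idle": service_type == "idle",
    }


def dropin_for(unit_name):
    """Override text for /etc/systemd/system/<unit_name>.d/user-lookup.conf
    (standard drop-in directory; the file name is ours) that adds the
    ordering without editing the packaged unit."""
    return (
        f"# Drop-in for {unit_name}: do not start until the user database is up\n"
        "[Unit]\n"
        f"After={USER_LOOKUP_TARGET}\n"
    )


if __name__ == "__main__":
    for name, text in (("Fedora crond.service", FEDORA_CROND),
                       ("Debian cron.service", DEBIAN_CRON),
                       ("Debian cron.service + Type=idle", DEBIAN_CRON_IDLE)):
        report = check_user_lookup_ordering(text)
        verdict = "ok" if report["ok"] else "NOT ordered after user lookup"
        idle_note = " (Type=idle only)" if report["type_idle"] else ""
        print(f"{name}: {verdict}{idle_note}")
    print(dropin_for("cron.service"))
```

After writing the drop-in, `systemctl daemon-reload` makes systemd pick it up; `systemctl show cron.service -p After` then lists the target among the unit's effective ordering dependencies, which is the check Lukas's argument rests on.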


Re: [Freeipa-users] Unable to configure DNSSEC signing

2016-05-03 Thread Gary T. Giesen
Thanks Petr. I'm on IRC as well if a more interactive troubleshooting
session would be better.

Cheers,

GTG

-Original Message-
From: Petr Spacek [mailto:pspa...@redhat.com] 
Sent: May-03-16 9:59 AM
To: Gary T. Giesen ;
freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Unable to configure DNSSEC signing

On 3.5.2016 15:29, Gary T. Giesen wrote:
> All lines from the log file with conn=152.
> 
> [03/May/2016:07:21:06 -0400] conn=152 fd=83 slot=83 connection from local to /var/run/slapd-EXAMPLE-COM.socket
> [03/May/2016:07:21:06 -0400] conn=152 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
> [03/May/2016:07:21:06 -0400] conn=152 op=0 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
> [03/May/2016:07:21:06 -0400] conn=152 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
> [03/May/2016:07:21:06 -0400] conn=152 op=1 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
> [03/May/2016:07:21:06 -0400] conn=152 op=2 BIND dn="" method=sasl version=3 mech=GSSAPI
> [03/May/2016:07:21:06 -0400] conn=152 op=2 RESULT err=0 tag=97 nentries=0 etime=0 dn="krbprincipalname=ipa-dnskeysyncd/host.example@example.com,cn=services,cn=accounts,dc=example,dc=com"
> [03/May/2016:07:21:06 -0400] conn=152 op=3 SRCH base="cn=dns,dc=example,dc=com" scope=2 filter="(|(objectClass=idnsZone)(objectClass=idnsSecKey)(objectClass=ipk11PublicKey))" attrs=ALL
> [03/May/2016:07:21:06 -0400] conn=152 op=3 RESULT err=269 tag=121 nentries=0 etime=0

This seems to be okay, I will think about it a bit more and return back to
you when I find something.

Petr^2 Spacek

> 
> -Original Message-
> From: Petr Spacek [mailto:pspa...@redhat.com]
> Sent: May-03-16 8:50 AM
> To: Gary T. Giesen ;
> freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] Unable to configure DNSSEC signing
> 
> Hmm, this is really weird.
> 
> It should log message "Initial LDAP dump is done, sychronizing with 
> ODS and BIND" which is apparently not there. Maybe LDAP server is 
> doing something weird ...
> 
> Could you inspect /var/log/dirsrv/*/access_log and look for lines 
> similar to ones in the attached file, please?
> 
> It should start with log message like
> "connection from local to /var/run/slapd-*".
> This line will have identifier like "conn=84". We are looking for conn 
> number (e.g. "conn=84") which is related to BIND DN 
> "dn="krbprincipalname=ipa-dnskeysyncd/*".
> 
> If you find the right conn number, look for other lines containing the 
> same conn number and operation "SRCH base="cn=dns,*". This SRCH line 
> will have specific identifier like "conn=84 op=3".
> 
> Now you have identifier for particular operation. Look for RESULT line 
> with the same ID.
> 
> How does it look?
> 
> Can you copy complete all lines with identifier conn=??? you found?
> 
> Thanks!
> Petr^2 Spacek
> 
> On 3.5.2016 13:37, Gary T. Giesen wrote:
>> See attached.
>>
>> GTG
>>
>> -Original Message-
>> From: Petr Spacek [mailto:pspa...@redhat.com]
>> Sent: May-03-16 7:33 AM
>> To: Gary T. Giesen ;
>> freeipa-users@redhat.com
>> Subject: Re: [Freeipa-users] Unable to configure DNSSEC signing
>>
>> On 3.5.2016 13:28, Gary T. Giesen wrote:
>>> 1. Confirmed, it was already set to ISMASTER=1
>>>
>>> 2. Logs:
>>> ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG Current cookie is: None
>>> May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]: ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG Detected add of entry: 
>>> May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]: ipa.ipapython.dnssec.odsmgr.ODSMgr: DEBUG LDAP zones: {'203dbe2d-8d9c-1
>>> May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]: ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG Detected add of entry: 
>>> May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]: ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG Detected add of entry: 
>>> May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]: ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG Detected add of entry: 
>>> May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]: ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG Detected add of entry: 
>>> May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]: ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG Detected add of entry: 
>>> May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]: ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG Detected add of entry: 
>>> May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]: ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG New cookie is: host.exa
>>
>> The log seems to be truncated. Please attach it as a file to avoid 
>> truncation and line wrapping problems.
>>
>> Thanks
>> Petr^2 Spacek
>>
>>>
>>>
>>> 3. # rpm -q ipa-server
>>> ipa-server-4.2.0-15.0.1.el7.centos.6.1.x86_64
>>>
>>> 

Re: [Freeipa-users] Password Encryption Method

2016-05-03 Thread Zak Wolfinger
The old version of 389-ds-base is 1.2.11.15-48.  The version we are migrating 
to is 1.3.4.0-29


> On Apr 30, 2016, at 9:30 AM, Rob Crittenden  wrote:
> 
> Zak Wolfinger wrote:
>> Did the password encryption method change between V3.0 and newer
>> versions?  Where can I find out what method is being used?  I'm running
>> into hash issues when using GADS to sync to Google.
> 
> I don't think so, I think SSHA is still the default. Knowing what versions of 
> 389-ds-base you're asking about would probably be helpful.
> 
> rob
> 
>> 
>> Cheers,
>> *Zak Wolfinger*
>> 
>> Infrastructure Engineer  |  Emma®
>> zak.wolfin...@myemma.com 
>> 800.595.4401 or 615.292.5888 x197
>> 615.292.0777 (fax)
>> 
>> Emma helps organizations everywhere communicate & market in style.
>> Visit us online at www.myemma.com
>> 
> 



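On the "where can I find out what method is being used" part of the question: 389-ds records the scheme as a {SCHEME} prefix on the stored userPassword value (readable with sufficient rights), and the server-side default is the passwordStorageScheme setting under cn=config. The following is an added example, not code from the thread or from 389-ds or GADS. It parses that prefix and verifies salted-SHA values in the layout {SSHA}, {SSHA256} and {SSHA512} share (base64 of digest followed by salt, with the digest length fixed per scheme so the remainder is the salt). All sample values are constructed by the block itself; the 8-byte salt it generates is a choice of this example, and the verifier accepts whatever salt length a stored value carries.

```python
"""Identify and verify the password-storage scheme of an LDAP userPassword value.

Added example, not code from the thread or from 389-ds. Salted-SHA values
are laid out as {SCHEME} followed by base64(digest(password || salt) || salt);
the digest length is fixed per scheme, so whatever follows it is the salt.
"""
import base64
import hashlib
import hmac
import os

DIGESTS = {
    "SSHA": hashlib.sha1,       # 389-ds default scheme, 20-byte digest
    "SSHA256": hashlib.sha256,  # 32-byte digest
    "SSHA512": hashlib.sha512,  # 64-byte digest
}


def scheme_of(value):
    """Return the scheme named by a {SCHEME} prefix (upper-cased), or None if absent."""
    if not value.startswith("{"):
        return None
    end = value.find("}")
    return value[1:end].upper() if end > 1 else None


def ssha_hash(password, scheme="SSHA", salt=None):
    """Build a salted-SHA userPassword value; 8 random salt bytes unless one is supplied."""
    if scheme not in DIGESTS:
        raise ValueError(f"unsupported scheme {scheme!r}")
    salt = os.urandom(8) if salt is None else salt
    digest = DIGESTS[scheme](password.encode("utf-8") + salt).digest()
    return "{%s}%s" % (scheme, base64.b64encode(digest + salt).decode("ascii"))


def verify_password(candidate, stored):
    """Check a candidate against a stored salted-SHA value using a constant-time compare."""
    scheme = scheme_of(stored)
    if scheme not in DIGESTS:
        raise ValueError(f"cannot verify scheme {scheme!r}: not a salted-SHA value")
    blob = base64.b64decode(stored[stored.index("}") + 1:])
    size = DIGESTS[scheme]().digest_size
    digest, salt = blob[:size], blob[size:]
    if len(digest) != size:
        return False  # truncated or corrupted value
    expected = DIGESTS[scheme](candidate.encode("utf-8") + salt).digest()
    return hmac.compare_digest(digest, expected)


def describe(stored):
    """Summarise what a stored value tells you before attempting any sync."""
    scheme = scheme_of(stored)
    if scheme is None or scheme not in DIGESTS:
        return {"scheme": scheme, "salted_sha": False, "salt_bytes": None}
    blob = base64.b64decode(stored[stored.index("}") + 1:])
    return {"scheme": scheme, "salted_sha": True,
            "salt_bytes": len(blob) - DIGESTS[scheme]().digest_size}


if __name__ == "__main__":
    # Constructed sample values; nothing here comes from a real directory.
    sample = ssha_hash("correct horse battery staple")
    print(sample)
    print(describe(sample))
    print(verify_password("correct horse battery staple", sample))
```

A value whose prefix is anything other than a salted-SHA scheme (for example a PBKDF2 scheme on newer 389-ds) is reported as such rather than guessed at, which is the first thing to establish when a downstream sync tool rejects hashes.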

Re: [Freeipa-users] Unable to configure DNSSEC signing

2016-05-03 Thread Petr Spacek
On 3.5.2016 15:29, Gary T. Giesen wrote:
> All lines from the log file with conn=152.
> 
> [03/May/2016:07:21:06 -0400] conn=152 fd=83 slot=83 connection from local to /var/run/slapd-EXAMPLE-COM.socket
> [03/May/2016:07:21:06 -0400] conn=152 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
> [03/May/2016:07:21:06 -0400] conn=152 op=0 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
> [03/May/2016:07:21:06 -0400] conn=152 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
> [03/May/2016:07:21:06 -0400] conn=152 op=1 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
> [03/May/2016:07:21:06 -0400] conn=152 op=2 BIND dn="" method=sasl version=3 mech=GSSAPI
> [03/May/2016:07:21:06 -0400] conn=152 op=2 RESULT err=0 tag=97 nentries=0 etime=0 dn="krbprincipalname=ipa-dnskeysyncd/host.example@example.com,cn=services,cn=accounts,dc=example,dc=com"
> [03/May/2016:07:21:06 -0400] conn=152 op=3 SRCH base="cn=dns,dc=example,dc=com" scope=2 filter="(|(objectClass=idnsZone)(objectClass=idnsSecKey)(objectClass=ipk11PublicKey))" attrs=ALL
> [03/May/2016:07:21:06 -0400] conn=152 op=3 RESULT err=269 tag=121 nentries=0 etime=0

This seems to be okay, I will think about it a bit more and return back to you
when I find something.

Petr^2 Spacek

> 
> -Original Message-
> From: Petr Spacek [mailto:pspa...@redhat.com] 
> Sent: May-03-16 8:50 AM
> To: Gary T. Giesen ;
> freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] Unable to configure DNSSEC signing
> 
> Hmm, this is really weird.
> 
> It should log message "Initial LDAP dump is done, sychronizing with ODS and
> BIND" which is apparently not there. Maybe LDAP server is doing something
> weird ...
> 
> Could you inspect /var/log/dirsrv/*/access_log and look for lines similar to
> ones in the attached file, please?
> 
> It should start with log message like
> "connection from local to /var/run/slapd-*".
> This line will have identifier like "conn=84". We are looking for conn
> number (e.g. "conn=84") which is related to BIND DN
> "dn="krbprincipalname=ipa-dnskeysyncd/*".
> 
> If you find the right conn number, look for other lines containing the same
> conn number and operation "SRCH base="cn=dns,*". This SRCH line will have
> specific identifier like "conn=84 op=3".
> 
> Now you have identifier for particular operation. Look for RESULT line with
> the same ID.
> 
> How does it look?
> 
> Can you copy complete all lines with identifier conn=??? you found?
> 
> Thanks!
> Petr^2 Spacek
> 
> On 3.5.2016 13:37, Gary T. Giesen wrote:
>> See attached.
>>
>> GTG
>>
>> -Original Message-
>> From: Petr Spacek [mailto:pspa...@redhat.com]
>> Sent: May-03-16 7:33 AM
>> To: Gary T. Giesen ;
>> freeipa-users@redhat.com
>> Subject: Re: [Freeipa-users] Unable to configure DNSSEC signing
>>
>> On 3.5.2016 13:28, Gary T. Giesen wrote:
>>> 1. Confirmed, it was already set to ISMASTER=1
>>>
>>> 2. Logs:
>>> ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG Current cookie is: None
>>> May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]: ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG Detected add of entry: 
>>> May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]: ipa.ipapython.dnssec.odsmgr.ODSMgr: DEBUG LDAP zones: {'203dbe2d-8d9c-1
>>> May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]: ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG Detected add of entry: 
>>> May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]: ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG Detected add of entry: 
>>> May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]: ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG Detected add of entry: 
>>> May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]: ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG Detected add of entry: 
>>> May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]: ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG Detected add of entry: 
>>> May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]: ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG Detected add of entry: 
>>> May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]: ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG New cookie is: host.exa
>>
>> The log seems to be truncated. Please attach it as a file to avoid 
>> truncation and line wrapping problems.
>>
>> Thanks
>> Petr^2 Spacek
>>
>>>
>>>
>>> 3. # rpm -q ipa-server
>>> ipa-server-4.2.0-15.0.1.el7.centos.6.1.x86_64
>>>
>>> -Original Message-
>>> From: freeipa-users-boun...@redhat.com 
>>> [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Petr Spacek
>>> Sent: May-03-16 7:08 AM
>>> To: freeipa-users@redhat.com
>>> Subject: Re: [Freeipa-users] Unable to configure DNSSEC signing
>>>
>>> Okay, this is a problem. It should list your zone example.com because 
>>> it has DNSSEC signing enabled.
>>>

Re: [Freeipa-users] Unable to configure DNSSEC signing

2016-05-03 Thread Gary T. Giesen
All lines from the log file with conn=152.

[03/May/2016:07:21:06 -0400] conn=152 fd=83 slot=83 connection from local to /var/run/slapd-EXAMPLE-COM.socket
[03/May/2016:07:21:06 -0400] conn=152 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[03/May/2016:07:21:06 -0400] conn=152 op=0 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[03/May/2016:07:21:06 -0400] conn=152 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
[03/May/2016:07:21:06 -0400] conn=152 op=1 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[03/May/2016:07:21:06 -0400] conn=152 op=2 BIND dn="" method=sasl version=3 mech=GSSAPI
[03/May/2016:07:21:06 -0400] conn=152 op=2 RESULT err=0 tag=97 nentries=0 etime=0 dn="krbprincipalname=ipa-dnskeysyncd/host.example@example.com,cn=services,cn=accounts,dc=example,dc=com"
[03/May/2016:07:21:06 -0400] conn=152 op=3 SRCH base="cn=dns,dc=example,dc=com" scope=2 filter="(|(objectClass=idnsZone)(objectClass=idnsSecKey)(objectClass=ipk11PublicKey))" attrs=ALL
[03/May/2016:07:21:06 -0400] conn=152 op=3 RESULT err=269 tag=121 nentries=0 etime=0

-Original Message-
From: Petr Spacek [mailto:pspa...@redhat.com] 
Sent: May-03-16 8:50 AM
To: Gary T. Giesen ;
freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Unable to configure DNSSEC signing

Hmm, this is really weird.

It should log the message "Initial LDAP dump is done, sychronizing with ODS and
BIND", which is apparently not there. Maybe the LDAP server is doing something
weird ...

Could you inspect /var/log/dirsrv/*/access_log and look for lines similar to the
ones in the attached file, please?

It should start with a log message like
"connection from local to /var/run/slapd-*".
This line will have an identifier like "conn=84". We are looking for the conn
number (e.g. "conn=84") that is related to the BIND DN
"dn="krbprincipalname=ipa-dnskeysyncd/*".

If you find the right conn number, look for other lines containing the same
conn number and the operation "SRCH base="cn=dns,*". This SRCH line will have
a specific identifier like "conn=84 op=3".

Now you have the identifier for the particular operation. Look for the RESULT
line with the same ID.

How does it look?

Can you copy all lines with the identifier conn=??? you found?

Thanks!
Petr^2 Spacek

On 3.5.2016 13:37, Gary T. Giesen wrote:
> See attached.
> 
> GTG
> 
> -Original Message-
> From: Petr Spacek [mailto:pspa...@redhat.com]
> Sent: May-03-16 7:33 AM
> To: Gary T. Giesen ;
> freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] Unable to configure DNSSEC signing
> 
> On 3.5.2016 13:28, Gary T. Giesen wrote:
>> 1. Confirmed, it was already set to ISMASTER=1
>>
>> 2. Logs:
>> ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUGCurrent cookie is:
None
>> May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]:
>> ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUGDetected add of
entry: 
>> May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]:
>> ipa.ipapython.dnssec.odsmgr.ODSMgr: DEBUGLDAP zones:
{'203dbe2d-8d9c-1
>> May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]:
>> ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUGDetected add of
entry: 
>> May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]:
>> ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUGDetected add of
entry: 
>> May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]:
>> ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUGDetected add of
entry: 
>> May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]:
>> ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUGDetected add of
entry: 
>> May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]:
>> ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUGDetected add of
entry: 
>> May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]:
>> ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUGDetected add of
entry: 
>> May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]:
>> ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUGNew cookie is:
host.exa
> 
> The log seems to be truncated. Please attach it as a file to avoid 
> truncation and line wrapping problems.
> 
> Thanks
> Petr^2 Spacek
> 
>>
>>
>> 3. # rpm -q ipa-server
>> ipa-server-4.2.0-15.0.1.el7.centos.6.1.x86_64
>>
>> -Original Message-
>> From: freeipa-users-boun...@redhat.com 
>> [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Petr Spacek
>> Sent: May-03-16 7:08 AM
>> To: freeipa-users@redhat.com
>> Subject: Re: [Freeipa-users] Unable to configure DNSSEC signing
>>
>> Okay, this is a problem. It should list your zone example.com because 
>> it has DNSSEC signing enabled.
>>
>> Make sure you are working on host.example.com (the host listed by the 
>> ldapsearch above).
>>
>> I would check two things:
>> 1. File /etc/sysconfig/ipa-dnskeysyncd contains line "ISMASTER=1". If 
>> it does not, re-run ipa-dns-install with --dnssec-master option to 
>> fix
> that.
>>
>> 2. Debug logs from the daemon. Please edit 

Re: [Freeipa-users] Unable to configure DNSSEC signing

2016-05-03 Thread Petr Spacek
Hmm, this is really weird.

It should log the message "Initial LDAP dump is done, sychronizing with ODS and
BIND", which is apparently not there. Maybe the LDAP server is doing something
weird ...

Could you inspect /var/log/dirsrv/*/access_log and look for lines similar to the
ones in the attached file, please?

It should start with a log message like
"connection from local to /var/run/slapd-*".
This line will have an identifier like "conn=84". We are looking for the conn
number (e.g. "conn=84") that is related to the BIND DN
"dn="krbprincipalname=ipa-dnskeysyncd/*".

If you find the right conn number, look for other lines containing the same
conn number and the operation "SRCH base="cn=dns,*". This SRCH line will have
a specific identifier like "conn=84 op=3".

Now you have the identifier for the particular operation. Look for the RESULT
line with the same ID.

How does it look?

Can you copy all lines with the identifier conn=??? you found?

Thanks!
Petr^2 Spacek

On 3.5.2016 13:37, Gary T. Giesen wrote:
> See attached.
> 
> GTG
> 
> -Original Message-
> From: Petr Spacek [mailto:pspa...@redhat.com] 
> Sent: May-03-16 7:33 AM
> To: Gary T. Giesen ;
> freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] Unable to configure DNSSEC signing
> 
> On 3.5.2016 13:28, Gary T. Giesen wrote:
>> 1. Confirmed, it was already set to ISMASTER=1
>>
>> 2. Logs:
>> ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUGCurrent cookie is: None
>> May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]:
>> ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUGDetected add of entry: 
>> May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]:
>> ipa.ipapython.dnssec.odsmgr.ODSMgr: DEBUGLDAP zones: {'203dbe2d-8d9c-1
>> May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]:
>> ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUGDetected add of entry: 
>> May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]:
>> ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUGDetected add of entry: 
>> May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]:
>> ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUGDetected add of entry: 
>> May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]:
>> ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUGDetected add of entry: 
>> May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]:
>> ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUGDetected add of entry: 
>> May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]:
>> ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUGDetected add of entry: 
>> May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]:
>> ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUGNew cookie is: host.exa
> 
> The log seems to be truncated. Please attach it as a file to avoid
> truncation and line wrapping problems.
> 
> Thanks
> Petr^2 Spacek
> 
>>
>>
>> 3. # rpm -q ipa-server
>> ipa-server-4.2.0-15.0.1.el7.centos.6.1.x86_64
>>
>> -Original Message-
>> From: freeipa-users-boun...@redhat.com 
>> [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Petr Spacek
>> Sent: May-03-16 7:08 AM
>> To: freeipa-users@redhat.com
>> Subject: Re: [Freeipa-users] Unable to configure DNSSEC signing
>>
>> Okay, this is a problem. It should list your zone example.com because 
>> it has DNSSEC signing enabled.
>>
>> Make sure you are working on host.example.com (the host listed by the 
>> ldapsearch above).
>>
>> I would check two things:
>> 1. File /etc/sysconfig/ipa-dnskeysyncd contains line "ISMASTER=1". If 
>> it does not, re-run ipa-dns-install with --dnssec-master option to fix
> that.
>>
>> 2. Debug logs from the daemon. Please edit /etc/ipa/default.conf and 
>> make sure that it contains line "debug=True" and restart 
>> ipa-dnskeysyncd when you are done with it.
>>
>> The log should be much longer after this change.
>>
>> I hope it will help to identify the root cause.
>>
>> What IPA version do you use?
>> $ rpm -q freeipa-server
>>
>> Petr^2 Spacek
>>
>>
>>
>>> Per the instructions, I've restarted ipa-dnskeysyncd, but it has had 
>>> no effect. The only log entries I see are:
>>>
>>> # journalctl -u ipa-dnskeysyncd
>>>
>>> May 02 20:35:52 host.example.com systemd[1]: Stopping IPA key daemon...
>>> May 02 20:35:52 host.example.com ipa-dnskeysyncd[14903]: ipa :
>> INFO
>>> Signal 15 received: Shutting down!
>>> May 02 20:35:52 host.example.com systemd[1]: Started IPA key daemon.
>>> May 02 20:35:52 host.example.com systemd[1]: Starting IPA key daemon...
>>> May 02 20:35:52 host.example.com ipa-dnskeysyncd[15014]: ipa: WARNING:
>>> session memcached servers not running
>>> May 02 20:35:53 host.example.com ipa-dnskeysyncd[15014]: ipa :
>> INFO
>>> LDAP bind...
>>> May 02 20:35:53 host.example.com python2[15014]: GSSAPI client step 1 
>>> May 02 20:35:53 host.example.com python2[15014]: GSSAPI client step 1 
>>> May 02 20:35:54 host.example.com python2[15014]: GSSAPI client step 1 
>>> May 02 20:35:54 host.example.com python2[15014]: GSSAPI client 
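Petr's three-step walk through the dirsrv access_log (bind DN to conn number, conn number to the SRCH under cn=dns, SRCH op to its RESULT line) written out as a small parser. This is an added Python example, not code from this thread or from FreeIPA. The sample lines are constructed, modelled on the conn=152 excerpt Gary posted earlier in the thread, with a second, decoy connection added so the bind-DN filter is actually exercised; the only assumption is the 389-ds access_log line format shown in that excerpt.

```python
"""Walk a 389-ds (dirsrv) access_log the way the thread describes:
bind DN -> conn number -> SRCH on cn=dns -> RESULT for that conn/op."""
import re

# Constructed sample, modelled on the conn=152 excerpt posted in this thread.
# conn=151 is an added decoy bound as a different service principal so the
# filter on the BIND DN is actually exercised.
SAMPLE_ACCESS_LOG = """\
[03/May/2016:07:21:06 -0400] conn=151 fd=80 slot=80 connection from local to /var/run/slapd-EXAMPLE-COM.socket
[03/May/2016:07:21:06 -0400] conn=151 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[03/May/2016:07:21:06 -0400] conn=151 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="krbprincipalname=dns/host.example.com@example.com,cn=services,cn=accounts,dc=example,dc=com"
[03/May/2016:07:21:06 -0400] conn=151 op=1 SRCH base="cn=dns,dc=example,dc=com" scope=2 filter="(objectClass=idnsZone)" attrs=ALL
[03/May/2016:07:21:06 -0400] conn=151 op=1 RESULT err=0 tag=101 nentries=6 etime=0
[03/May/2016:07:21:06 -0400] conn=152 fd=83 slot=83 connection from local to /var/run/slapd-EXAMPLE-COM.socket
[03/May/2016:07:21:06 -0400] conn=152 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[03/May/2016:07:21:06 -0400] conn=152 op=0 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[03/May/2016:07:21:06 -0400] conn=152 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
[03/May/2016:07:21:06 -0400] conn=152 op=1 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[03/May/2016:07:21:06 -0400] conn=152 op=2 BIND dn="" method=sasl version=3 mech=GSSAPI
[03/May/2016:07:21:06 -0400] conn=152 op=2 RESULT err=0 tag=97 nentries=0 etime=0 dn="krbprincipalname=ipa-dnskeysyncd/host.example.com@example.com,cn=services,cn=accounts,dc=example,dc=com"
[03/May/2016:07:21:06 -0400] conn=152 op=3 SRCH base="cn=dns,dc=example,dc=com" scope=2 filter="(|(objectClass=idnsZone)(objectClass=idnsSecKey)(objectClass=ipk11PublicKey))" attrs=ALL
[03/May/2016:07:21:06 -0400] conn=152 op=3 RESULT err=269 tag=121 nentries=0 etime=0
"""

# One access_log line: timestamp, conn number, optional op number, the rest.
LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+)(?: op=(?P<op>\d+))? (?P<rest>.*)$')
DN_RE = re.compile(r'dn="(?P<dn>[^"]*)"')
BASE_RE = re.compile(r'base="(?P<base>[^"]*)"')
ERR_RE = re.compile(r'\berr=(?P<err>\d+)')


def find_bind_conns(lines, principal_prefix="krbprincipalname=ipa-dnskeysyncd/"):
    """Step 1: conn numbers whose bind identity starts with principal_prefix.

    For SASL/GSSAPI binds dirsrv writes dn="" on the BIND line and puts the
    resolved DN on the final RESULT err=0 line, so any line carrying a matching
    dn= is accepted (that also covers simple binds, which carry it on BIND).
    """
    conns = set()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        dn = DN_RE.search(m["rest"])
        if dn and dn["dn"].startswith(principal_prefix):
            conns.add(int(m["conn"]))
    return conns


def trace_dns_searches(lines, principal_prefix="krbprincipalname=ipa-dnskeysyncd/",
                       base_prefix="cn=dns,"):
    """Steps 2 and 3: for each matching conn, pair every SRCH under base_prefix
    with its RESULT line (same conn and op). err stays None when no RESULT
    has been logged for that op, i.e. the search has not completed."""
    conns = find_bind_conns(lines, principal_prefix)
    searches = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["op"] is None:
            continue
        key = (int(m["conn"]), int(m["op"]))
        if key[0] not in conns:
            continue
        rest = m["rest"]
        if rest.startswith("SRCH"):
            base = BASE_RE.search(rest)
            if base and base["base"].startswith(base_prefix):
                searches[key] = {"conn": key[0], "op": key[1],
                                 "base": base["base"], "err": None}
        elif rest.startswith("RESULT") and key in searches:
            err = ERR_RE.search(rest)
            searches[key]["err"] = int(err["err"]) if err else None
    return list(searches.values())


if __name__ == "__main__":
    for s in trace_dns_searches(SAMPLE_ACCESS_LOG.splitlines()):
        status = "no RESULT yet" if s["err"] is None else "err=%d" % s["err"]
        print("conn=%d op=%d base=%s -> %s" % (s["conn"], s["op"], s["base"], status))
```

Run it against a real file with `trace_dns_searches(open("/var/log/dirsrv/slapd-EXAMPLE-COM/access").read().splitlines())`; anything other than err=0 on the cn=dns search of the ipa-dnskeysyncd connection is the line to paste into a reply, and an entry with err still None means the server never answered that search.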

Re: [Freeipa-users] Unable to configure DNSSEC signing

2016-05-03 Thread Gary T. Giesen
See attached.

GTG

-Original Message-
From: Petr Spacek [mailto:pspa...@redhat.com] 
Sent: May-03-16 7:33 AM
To: Gary T. Giesen ;
freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Unable to configure DNSSEC signing

On 3.5.2016 13:28, Gary T. Giesen wrote:
> 1. Confirmed, it was already set to ISMASTER=1
> 
> 2. Logs:
> ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUGCurrent cookie is: None
> May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]:
> ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUGDetected add of entry: 
> May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]:
> ipa.ipapython.dnssec.odsmgr.ODSMgr: DEBUGLDAP zones: {'203dbe2d-8d9c-1
> May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]:
> ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUGDetected add of entry: 
> May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]:
> ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUGDetected add of entry: 
> May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]:
> ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUGDetected add of entry: 
> May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]:
> ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUGDetected add of entry: 
> May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]:
> ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUGDetected add of entry: 
> May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]:
> ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUGDetected add of entry: 
> May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]:
> ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUGNew cookie is: host.exa

The log seems to be truncated. Please attach it as a file to avoid
truncation and line wrapping problems.

Thanks
Petr^2 Spacek

> 
> 
> 3. # rpm -q ipa-server
> ipa-server-4.2.0-15.0.1.el7.centos.6.1.x86_64
> 
> -Original Message-
> From: freeipa-users-boun...@redhat.com 
> [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Petr Spacek
> Sent: May-03-16 7:08 AM
> To: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] Unable to configure DNSSEC signing
> 
> Okay, this is a problem. It should list your zone example.com because 
> it has DNSSEC signing enabled.
> 
> Make sure you are working on host.example.com (the host listed by the 
> ldapsearch above).
> 
> I would check two things:
> 1. File /etc/sysconfig/ipa-dnskeysyncd contains line "ISMASTER=1". If 
> it does not, re-run ipa-dns-install with --dnssec-master option to fix
that.
> 
> 2. Debug logs from the daemon. Please edit /etc/ipa/default.conf and 
> make sure that it contains line "debug=True" and restart 
> ipa-dnskeysyncd when you are done with it.
> 
> The log should be much longer after this change.
> 
> I hope it will help to identify the root cause.
> 
> What IPA version do you use?
> $ rpm -q freeipa-server
> 
> Petr^2 Spacek
> 
> 
> 
>> Per the instructions, I've restarted ipa-dnskeysyncd, but it has had 
>> no effect. The only log entries I see are:
>>
>> # journalctl -u ipa-dnskeysyncd
>>
>> May 02 20:35:52 host.example.com systemd[1]: Stopping IPA key daemon...
>> May 02 20:35:52 host.example.com ipa-dnskeysyncd[14903]: ipa :
> INFO
>> Signal 15 received: Shutting down!
>> May 02 20:35:52 host.example.com systemd[1]: Started IPA key daemon.
>> May 02 20:35:52 host.example.com systemd[1]: Starting IPA key daemon...
>> May 02 20:35:52 host.example.com ipa-dnskeysyncd[15014]: ipa: WARNING:
>> session memcached servers not running
>> May 02 20:35:53 host.example.com ipa-dnskeysyncd[15014]: ipa :
> INFO
>> LDAP bind...
>> May 02 20:35:53 host.example.com python2[15014]: GSSAPI client step 1 
>> May 02 20:35:53 host.example.com python2[15014]: GSSAPI client step 1 
>> May 02 20:35:54 host.example.com python2[15014]: GSSAPI client step 1 
>> May 02 20:35:54 host.example.com python2[15014]: GSSAPI client step 2
>> May 02 20:35:54 host.example.com ipa-dnskeysyncd[15014]: ipa :
> INFO
>> Commencing sync process
>>
>>
>>
>> Can anyone advise on next steps? I've been banging my head against a 
>> wall for a couple days now and would really appreciate some help.


ipa-dnskeysyncd.log
Description: Binary data

Re: [Freeipa-users] Unable to configure DNSSEC signing

2016-05-03 Thread Petr Spacek
On 3.5.2016 13:28, Gary T. Giesen wrote:
> 1. Confirmed, it was already set to ISMASTER=1
> 
> 2. Logs:
> ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUGCurrent cookie is: None
> May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]:
> ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUGDetected add of entry: 
> May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]:
> ipa.ipapython.dnssec.odsmgr.ODSMgr: DEBUGLDAP zones: {'203dbe2d-8d9c-1
> May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]:
> ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUGDetected add of entry: 
> May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]:
> ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUGDetected add of entry: 
> May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]:
> ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUGDetected add of entry: 
> May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]:
> ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUGDetected add of entry: 
> May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]:
> ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUGDetected add of entry: 
> May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]:
> ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUGDetected add of entry: 
> May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]:
> ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUGNew cookie is: host.exa

The log seems to be truncated. Please attach it as a file to avoid truncation
and line wrapping problems.

Thanks
Petr^2 Spacek

> 
> 
> 3. # rpm -q ipa-server
> ipa-server-4.2.0-15.0.1.el7.centos.6.1.x86_64
> 
> -Original Message-
> From: freeipa-users-boun...@redhat.com
> [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Petr Spacek
> Sent: May-03-16 7:08 AM
> To: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] Unable to configure DNSSEC signing
> 
> Okay, this is a problem. It should list your zone example.com because it has
> DNSSEC signing enabled.
> 
> Make sure you are working on host.example.com (the host listed by the
> ldapsearch above).
> 
> I would check two things:
> 1. File /etc/sysconfig/ipa-dnskeysyncd contains line "ISMASTER=1". If it
> does not, re-run ipa-dns-install with --dnssec-master option to fix that.
> 
> 2. Debug logs from the daemon. Please edit /etc/ipa/default.conf and make
> sure that it contains line "debug=True" and restart ipa-dnskeysyncd when you
> are done with it.
> 
> The log should be much longer after this change.
> 
> I hope it will help to identify the root cause.
> 
> What IPA version do you use?
> $ rpm -q freeipa-server
> 
> Petr^2 Spacek
> 
> 
> 
>> Per the instructions, I've restarted ipa-dnskeysyncd, but it has had 
>> no effect. The only log entries I see are:
>>
>> # journalctl -u ipa-dnskeysyncd
>>
>> May 02 20:35:52 host.example.com systemd[1]: Stopping IPA key daemon...
>> May 02 20:35:52 host.example.com ipa-dnskeysyncd[14903]: ipa :
> INFO
>> Signal 15 received: Shutting down!
>> May 02 20:35:52 host.example.com systemd[1]: Started IPA key daemon.
>> May 02 20:35:52 host.example.com systemd[1]: Starting IPA key daemon...
>> May 02 20:35:52 host.example.com ipa-dnskeysyncd[15014]: ipa: WARNING:
>> session memcached servers not running
>> May 02 20:35:53 host.example.com ipa-dnskeysyncd[15014]: ipa :
> INFO
>> LDAP bind...
>> May 02 20:35:53 host.example.com python2[15014]: GSSAPI client step 1 
>> May 02 20:35:53 host.example.com python2[15014]: GSSAPI client step 1 
>> May 02 20:35:54 host.example.com python2[15014]: GSSAPI client step 1 
>> May 02 20:35:54 host.example.com python2[15014]: GSSAPI client step 2
>> May 02 20:35:54 host.example.com ipa-dnskeysyncd[15014]: ipa :
> INFO
>> Commencing sync process
>>
>>
>>
>> Can anyone advise on next steps? I've been banging my head against a 
>> wall for a couple days now and would really appreciate some help.



Re: [Freeipa-users] Unable to configure DNSSEC signing

2016-05-03 Thread Gary T. Giesen
1. Confirmed, it was already set to ISMASTER=1

2. Logs:

May 03 07:21:05 host.example.com ipa-dnskeysyncd[27099]: ipa : INFO Signal 15 received: Shutting down!
May 03 07:21:05 host.example.com systemd[1]: Started IPA key daemon.
May 03 07:21:05 host.example.com systemd[1]: Starting IPA key daemon...
May 03 07:21:05 host.example.com ipa-dnskeysyncd[27240]: ipa: DEBUG: importing all plugin modules in ipalib.plugins...
May 03 07:21:05 host.example.com ipa-dnskeysyncd[27240]: ipa: DEBUG: importing plugin module ipalib.plugins.aci
May 03 07:21:05 host.example.com ipa-dnskeysyncd[27240]: ipa: DEBUG: importing plugin module ipalib.plugins.automember
May 03 07:21:05 host.example.com ipa-dnskeysyncd[27240]: ipa: DEBUG: importing plugin module ipalib.plugins.automount
May 03 07:21:05 host.example.com ipa-dnskeysyncd[27240]: ipa: DEBUG: importing plugin module ipalib.plugins.baseldap
May 03 07:21:05 host.example.com ipa-dnskeysyncd[27240]: ipa: DEBUG: importing plugin module ipalib.plugins.baseuser
May 03 07:21:05 host.example.com ipa-dnskeysyncd[27240]: ipa: DEBUG: importing plugin module ipalib.plugins.batch
May 03 07:21:05 host.example.com ipa-dnskeysyncd[27240]: ipa: DEBUG: importing plugin module ipalib.plugins.caacl
May 03 07:21:05 host.example.com ipa-dnskeysyncd[27240]: ipa: DEBUG: importing plugin module ipalib.plugins.cert
May 03 07:21:05 host.example.com ipa-dnskeysyncd[27240]: ipa: DEBUG: importing plugin module ipalib.plugins.certprofile
May 03 07:21:05 host.example.com ipa-dnskeysyncd[27240]: ipa: DEBUG: importing plugin module ipalib.plugins.config
May 03 07:21:05 host.example.com ipa-dnskeysyncd[27240]: ipa: DEBUG: importing plugin module ipalib.plugins.delegation
May 03 07:21:05 host.example.com ipa-dnskeysyncd[27240]: ipa: DEBUG: importing plugin module ipalib.plugins.dns
May 03 07:21:05 host.example.com ipa-dnskeysyncd[27240]: ipa: DEBUG: importing plugin module ipalib.plugins.domainlevel
May 03 07:21:05 host.example.com ipa-dnskeysyncd[27240]: ipa: DEBUG: importing plugin module ipalib.plugins.group
May 03 07:21:05 host.example.com ipa-dnskeysyncd[27240]: ipa: DEBUG: importing plugin module ipalib.plugins.hbacrule
May 03 07:21:05 host.example.com ipa-dnskeysyncd[27240]: ipa: DEBUG: importing plugin module ipalib.plugins.hbacsvc
May 03 07:21:05 host.example.com ipa-dnskeysyncd[27240]: ipa: DEBUG: importing plugin module ipalib.plugins.hbacsvcgroup
May 03 07:21:05 host.example.com ipa-dnskeysyncd[27240]: ipa: DEBUG: importing plugin module ipalib.plugins.hbactest
May 03 07:21:05 host.example.com ipa-dnskeysyncd[27240]: ipa: DEBUG: importing plugin module ipalib.plugins.host
May 03 07:21:05 host.example.com ipa-dnskeysyncd[27240]: ipa: DEBUG: importing plugin module ipalib.plugins.hostgroup
May 03 07:21:05 host.example.com ipa-dnskeysyncd[27240]: ipa: DEBUG: importing plugin module ipalib.plugins.idrange
May 03 07:21:05 host.example.com ipa-dnskeysyncd[27240]: ipa: DEBUG: importing plugin module ipalib.plugins.idviews
May 03 07:21:05 host.example.com ipa-dnskeysyncd[27240]: ipa: DEBUG: importing plugin module ipalib.plugins.internal
May 03 07:21:05 host.example.com ipa-dnskeysyncd[27240]: ipa: DEBUG: importing plugin module ipalib.plugins.kerberos
May 03 07:21:05 host.example.com ipa-dnskeysyncd[27240]: ipa: DEBUG: importing plugin module ipalib.plugins.krbtpolicy
May 03 07:21:05 host.example.com ipa-dnskeysyncd[27240]: ipa: DEBUG: importing plugin module ipalib.plugins.migration
May 03 07:21:05 host.example.com ipa-dnskeysyncd[27240]: ipa: DEBUG: importing plugin module ipalib.plugins.misc
May 03 07:21:05 host.example.com ipa-dnskeysyncd[27240]: ipa: DEBUG: importing plugin module ipalib.plugins.netgroup
May 03 07:21:05 host.example.com ipa-dnskeysyncd[27240]: ipa: DEBUG: importing plugin module ipalib.plugins.otpconfig
May 03 07:21:05 host.example.com ipa-dnskeysyncd[27240]: ipa: DEBUG: importing plugin module ipalib.plugins.otptoken
May 03 07:21:05 host.example.com ipa-dnskeysyncd[27240]: ipa: DEBUG: importing plugin module ipalib.plugins.otptoken_yubikey
May 03 07:21:05 host.example.com ipa-dnskeysyncd[27240]: ipa: DEBUG: importing plugin module ipalib.plugins.passwd
May 03 07:21:05 host.example.com ipa-dnskeysyncd[27240]: ipa: DEBUG: importing plugin module ipalib.plugins.permission
May 03 07:21:05 host.example.com ipa-dnskeysyncd[27240]: ipa: DEBUG: importing plugin module ipalib.plugins.ping
May 03 07:21:05 host.example.com ipa-dnskeysyncd[27240]: ipa: DEBUG: importing plugin module ipalib.plugins.pkinit
May 03 07:21:05 host.example.com ipa-dnskeysyncd[27240]: ipa: DEBUG: importing plugin module ipalib.plugins.privilege
May 03 07:21:05 host.example.com ipa-dnskeysyncd[27240]: ipa: DEBUG: importing plugin module ipalib.plugins.pwpolicy
May 03 07:21:05 host.example.com ipa-dnskeysyncd[27240]: ipa: DEBUG: Starting external process
May 03 07:21:05 host.example.com ipa-dnskeysyncd[27240]: ipa: DEBUG: args='klist' '-V'
May 03 07:21:05 host.example.com ipa-dnskeysyncd[27240]: ipa: DEBUG: 

Re: [Freeipa-users] Unable to configure DNSSEC signing

2016-05-03 Thread Petr Spacek
On 3.5.2016 02:40, Gary T. Giesen wrote:
> I've followed the guide at https://www.freeipa.org/page/Howto/DNSSEC to
> configure DNSSEC support in my FreeIPA 4.2/CentOS 7.2 installation, but I've
> been unable for the life of me to get it to sign zones. I've followed the
> steps at
> http://www.freeipa.org/page/Troubleshooting#DNSSEC_signing_does_not_work but
> as yet have been unable to get signing to work.
> 
> # ipa dnszone-show example.com
>   Zone name: example.com.
>   Active zone: TRUE
>   Authoritative nameserver: host.example.com.
>   Administrator e-mail address: hostmaster.example.com.
>   SOA serial: 1462235022
>   SOA refresh: 3600
>   SOA retry: 900
>   SOA expire: 1209600
>   SOA minimum: 3600
>   Allow query: any;
>   Allow transfer: none;
>   Allow in-line DNSSEC signing: TRUE
> 
> 
> 
> 
> ldapsearch -Y GSSAPI
> '(&(ipaConfigString=enabledService)(ipaConfigString=dnssecKeyMaster))'
> SASL/GSSAPI authentication started
> SASL username: ad...@example.com
> SASL SSF: 56
> SASL data security layer installed.
> # extended LDIF
> #
> # LDAPv3
> # base 

Re: [Freeipa-users] Unable to configure DNSSEC signing

2016-05-03 Thread Gary T. Giesen
I made a change to the zone to try to trigger an update and got the following
in the log:

May 03 06:33:24 host.example.com named-pkcs11[27082]: zone example.com/IN (signed): serial 1462271604 (unsigned 1462271604)
May 03 06:33:24 host.example.com named-pkcs11[27082]: zone example.com/IN (signed): could not get zone keys for secure dynamic update
May 03 06:33:24 host.example.com named-pkcs11[27082]: zone example.com/IN (signed): receive_secure_serial: not found

I'm not sure if it's a cause for concern or not.

Cheers,

GTG

-Original Message-
From: Gary T. Giesen [mailto:ggie...@giesen.me] 
Sent: May-03-16 6:30 AM
To: 'Martin Basti' ; freeipa-users@redhat.com
Subject: RE: [Freeipa-users] Unable to configure DNSSEC signing

May 03 06:21:09 host.example.com systemd[1]: Stopping Berkeley Internet Name Domain (DNS) with native PKCS#11...
...
May 03 06:21:11 host.example.com named-pkcs11[27082]: zone example.com/IN (signed): next key event: 03-May-2016 07:21:11.049


Cheers,

GTG

-Original Message-
From: Martin Basti [mailto:mba...@redhat.com]
Sent: May-03-16 4:06 AM
To: Gary T. Giesen ;
freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Unable to configure DNSSEC signing


Hello,

can you please check journalctl -u named-pkcs11 ?

Martin



Re: [Freeipa-users] Unable to configure DNSSEC signing

2016-05-03 Thread Gary T. Giesen
May 03 06:21:09 host.example.com systemd[1]: Stopping Berkeley Internet Name Domain (DNS) with native PKCS#11...
May 03 06:21:09 host.example.com named-pkcs11[27047]: received control channel command 'stop'
May 03 06:21:09 host.example.com named-pkcs11[27047]: shutting down: flushing changes
May 03 06:21:09 host.example.com named-pkcs11[27047]: stopping command channel on 127.0.0.1#953
May 03 06:21:09 host.example.com named-pkcs11[27047]: stopping command channel on ::1#953
May 03 06:21:09 host.example.com named-pkcs11[27047]: zone example.com/IN (signed): shutting down
May 03 06:21:09 host.example.com named-pkcs11[27047]: zone example.com/IN (unsigned): shutting down
May 03 06:21:09 host.example.com named-pkcs11[27047]: no longer listening on ::#53
May 03 06:21:09 host.example.com named-pkcs11[27047]: no longer listening on 127.0.0.1#53
May 03 06:21:09 host.example.com named-pkcs11[27047]: no longer listening on 1.2.3.4#53
May 03 06:21:09 host.example.com named-pkcs11[27047]: exiting
May 03 06:21:09 host.example.com systemd[1]: Starting Berkeley Internet Name Domain (DNS) with native PKCS#11...
May 03 06:21:09 host.example.com bash[27077]: zone localhost.localdomain/IN: loaded serial 0
May 03 06:21:09 host.example.com bash[27077]: zone localhost/IN: loaded serial 0
May 03 06:21:09 host.example.com bash[27077]: zone 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN: loa
May 03 06:21:09 host.example.com bash[27077]: zone 1.0.0.127.in-addr.arpa/IN: loaded serial 0
May 03 06:21:09 host.example.com bash[27077]: zone 0.in-addr.arpa/IN: loaded serial 0
May 03 06:21:09 host.example.com named-pkcs11[27082]: starting BIND 9.9.4-RedHat-9.9.4-29.el7_2.3 -u named
May 03 06:21:09 host.example.com named-pkcs11[27082]: built with '--build=x86_64-redhat-linux-gnu' '--host=x86_64-redhat-linux-gnu'
May 03 06:21:09 host.example.com named-pkcs11[27082]:
May 03 06:21:09 host.example.com named-pkcs11[27082]: BIND 9 is maintained by Internet Systems Consortium,
May 03 06:21:09 host.example.com named-pkcs11[27082]: Inc. (ISC), a non-profit 501(c)(3) public-benefit
May 03 06:21:09 host.example.com named-pkcs11[27082]: corporation.  Support and training for BIND 9 are
May 03 06:21:09 host.example.com named-pkcs11[27082]: available at https://www.isc.org/support
May 03 06:21:09 host.example.com named-pkcs11[27082]:
May 03 06:21:09 host.example.com named-pkcs11[27082]: adjusted limit on open files from 4096 to 1048576
May 03 06:21:09 host.example.com named-pkcs11[27082]: found 4 CPUs, using 4 worker threads
May 03 06:21:09 host.example.com named-pkcs11[27082]: using 4 UDP listeners per interface
May 03 06:21:09 host.example.com named-pkcs11[27082]: using up to 4096 sockets
May 03 06:21:09 host.example.com named-pkcs11[27082]: loading configuration from '/etc/named.conf'
May 03 06:21:09 host.example.com named-pkcs11[27082]: reading built-in trusted keys from file '/etc/named.iscdlv.key'
May 03 06:21:09 host.example.com named-pkcs11[27082]: using default UDP/IPv4 port range: [1024, 65535]
May 03 06:21:09 host.example.com named-pkcs11[27082]: using default UDP/IPv6 port range: [1024, 65535]
May 03 06:21:09 host.example.com named-pkcs11[27082]: listening on IPv6 interfaces, port 53
May 03 06:21:09 host.example.com named-pkcs11[27082]: listening on IPv4 interface lo, 127.0.0.1#53
May 03 06:21:09 host.example.com named-pkcs11[27082]: listening on IPv4 interface eth0, 1.2.3.4#53
May 03 06:21:09 host.example.com named-pkcs11[27082]: generating session key for dynamic DNS
May 03 06:21:09 host.example.com named-pkcs11[27082]: sizing zone task pool based on 6 zones
May 03 06:21:09 host.example.com named-pkcs11[27082]: /etc/named.conf:12: no forwarders seen; disabling forwarding
May 03 06:21:09 host.example.com named-pkcs11[27082]: set up managed keys zone for view _default, file '/var/named/dynamic/managed-
May 03 06:21:09 host.example.com named-pkcs11[27082]: bind-dyndb-ldap version 8.0 compiled at 15:16:02 Nov 20 2015, compiler 4.8.5 
May 03 06:21:09 host.example.com named-pkcs11[27082]: option 'serial_autoincrement' is not supported, ignoring
May 03 06:21:09 host.example.com named-pkcs11[27082]: GSSAPI client step 1
May 03 06:21:09 host.example.com named-pkcs11[27082]: GSSAPI client step 1
May 03 06:21:09 host.example.com named-pkcs11[27082]: GSSAPI client step 1
May 03 06:21:10 host.example.com named-pkcs11[27082]: GSSAPI client step 2
May 03 06:21:10 host.example.com named-pkcs11[27082]: GSSAPI client step 1
May 03 06:21:10 host.example.com named-pkcs11[27082]: GSSAPI client step 1
May 03 06:21:10 host.example.com named-pkcs11[27082]: GSSAPI client step 1
May 03 06:21:10 host.example.com named-pkcs11[27082]: GSSAPI client step 2
May 03 06:21:10 host.example.com named-pkcs11[27082]: LDAP instance 'ipa' is being synchronized, please ignore message 'all zones l
May 03 06:21:10 host.example.com 

Re: [Freeipa-users] Free IPA Client in Docker

2016-05-03 Thread Lukas Slebodnik
On (29/04/16 17:16), Hosakote Nagesh, Pawan wrote:
>Thanks for your quick response. I am trying this on Ubuntu.
>
>This is the bug I'm facing right now:
>https://lists.launchpad.net/freeipa/msg00236.html
>They say it's fixed in the Trusty release of Ubuntu, but it doesn't work for me.
>There is also no other material on how to fix this dbus error.
>
>root@jupyterhub:/#  lsb_release -rd
>Description:Ubuntu 14.04.4 LTS
>Release:14.04
>root@jupyterhub:/#
Do I understand it correctly that you want to build your own image
based on ubuntu?

If the answer is yes then I would recommend using Ubuntu xenial (16.04).

But the benefit of container technologies is that you can use an
image based on a different distribution, and therefore it would be
best if you could use https://hub.docker.com/r/fedora/sssd/
(which was already mentioned).

LS

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] cron reports "ORPHAN (no passwd entry)" for the @reboot jobs

2016-05-03 Thread Lukas Slebodnik
On (03/05/16 07:35), Harald Dunkel wrote:
>Hi Lukas,
>
>On 05/02/16 17:59, Lukas Slebodnik wrote:
>> Could you provide output of "systemctl cat sssd.service"?
>> In my case, it should be started before nss-user-lookup.target
>> 
>> # /usr/lib/systemd/system/sssd.service
>> [Unit]
>> Description=System Security Services Daemon
>> # SSSD must be running before we permit user sessions
>> Before=systemd-user-sessions.service nss-user-lookup.target
>> Wants=nss-user-lookup.target
>> 
>> [Service]
>> EnvironmentFile=-/etc/sysconfig/sssd
>> ExecStart=/usr/sbin/sssd -D -f
>> # These two should be used with traditional UNIX forking daemons
>> # consult systemd.service(5) for more details
>> Type=forking
>> PIDFile=/var/run/sssd.pid
>> 
>> [Install]
>> WantedBy=multi-user.target
>
>I got
>
>   # /lib/systemd/system/sssd.service
>   [Unit]
>   Description=System Security Services Daemon
>   # SSSD must be running before we permit user sessions
>   Before=systemd-user-sessions.service nss-user-lookup.target
>   Wants=nss-user-lookup.target
>
>   [Service]
>   EnvironmentFile=-/etc/sysconfig/sssd
>   ExecStart=/usr/sbin/sssd -D -f
>   # These two should be used with traditional UNIX forking daemons
>   # consult systemd.service(5) for more details
>   Type=forking
>   PIDFile=/var/run/sssd.pid
>
>   [Install]
>   WantedBy=multi-user.target
>
>Except for the first comment line diff doesn't show a
>difference.
>
>Maybe there is a misunderstanding: IMHO it's not sufficient to start
>sssd before systemd-user-sessions.service and nss-user-lookup.target.
>sssd and all its internal sssd_something services must have
>completed their initialization (including the user database) before
>these services can be started.
>
>Here is the output of "ps -ef", created by the "@reboot" crontab
>entry:
>
>UID        PID  PPID  C STIME TTY          TIME CMD
>root         1     0  0 14:27 ?        00:00:00 /sbin/init
>root        23     1  0 14:27 ?        00:00:00 /lib/systemd/systemd-journald
>root       159     1  0 14:28 ?        00:00:00 dhclient -v -pf /run/dhclient.eth0.pid -lf /var/lib/dhcp/dhclient.eth0.leases eth0
>daemon     193     1  0 14:28 ?        00:00:00 /usr/sbin/atd -f
>root       194     1  0 14:28 ?        00:00:00 /usr/sbin/cron -f
>root       195     1  0 14:28 ?        00:00:00 /usr/sbin/ModemManager
>root       198     1  0 14:28 ?        00:00:00 /usr/sbin/inetd -i
>root       199     1  0 14:28 ?        00:00:00 /usr/sbin/sshd -D
>root       200     1  0 14:28 ?        00:00:00 lldpd: monitor
>root       201     1  0 14:28 ?        00:00:00 /usr/sbin/sssd -D -f
>message+   206     1  0 14:28 ?        00:00:00 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation
>lp         218     1  0 14:28 ?        00:00:00 /usr/sbin/lpd -s
>root       220     1  0 14:28 ?        00:00:00 /usr/sbin/ntpd -p /var/run/ntpd.pid -c /var/lib/ntp/ntp.conf.dhcp -u 112:121
>root       226     1  0 14:28 ?        00:00:00 /usr/sbin/certmonger -S -p /var/run/certmonger.pid -n
>root       227     1  0 14:28 ?        00:00:00 /usr/sbin/rsyslogd -n
>_lldpd     229   200  0 14:28 ?        00:00:00 lldpd: no neighbor
>root       262     1  0 14:28 ?        00:00:00 /usr/lib/policykit-1/polkitd --no-debug
>root       263   194  0 14:28 ?        00:00:00 /usr/sbin/CRON -f
>zabbix     271     1  0 14:28 ?        00:00:00 /usr/sbin/zabbix_agentd
>zabbix     274   271  0 14:28 ?        00:00:00 /usr/sbin/zabbix_agentd: collector [idle 1 sec]
>zabbix     275   271  0 14:28 ?        00:00:00 /usr/sbin/zabbix_agentd: listener #1 [waiting for connection]
>zabbix     276   271  0 14:28 ?        00:00:00 /usr/sbin/zabbix_agentd: listener #2 [waiting for connection]
>zabbix     277   271  0 14:28 ?        00:00:00 /usr/sbin/zabbix_agentd: listener #3 [waiting for connection]
>zabbix     278   271  0 14:28 ?        00:00:00 /usr/sbin/zabbix_agentd: active checks #1 [idle 1 sec]
>root       492   226  0 14:28 ?        00:00:00 /usr/lib/x86_64-linux-gnu/certmonger/ipa-submit
>root       502   226  0 14:28 ?        00:00:00 /usr/lib/x86_64-linux-gnu/certmonger/ipa-submit
>Debian-+   504     1  0 14:28 ?        00:00:00 /usr/sbin/exim4 -bd -q30m
>root       505   226  0 14:28 ?        00:00:00 /usr/lib/x86_64-linux-gnu/certmonger/ipa-submit
>root       506   226  0 14:28 ?        00:00:00 /usr/lib/x86_64-linux-gnu/certmonger/ipa-submit
>root       507   226  0 14:28 ?        00:00:00 /usr/lib/x86_64-linux-gnu/certmonger/ipa-submit
>root       508   226  0 14:28 ?        00:00:00 /usr/lib/x86_64-linux-gnu/certmonger/ipa-submit
>root       509   226  0 14:28 ?        00:00:00 /usr/lib/x86_64-linux-gnu/certmonger/certmaster-submit
>root       510   263  0 14:28 ?        00:00:00 /bin/sh -c ( ps -ef; ls -al 
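An added example, not from Harald's or Lukas's messages and not SSSD or cron project code, showing the practical consequence of the point above: sssd being present in `ps -ef` (PID 201) says nothing about whether its NSS responder can already answer, so an @reboot job should test the lookup itself rather than assume it. The job polls `getent passwd` until the user resolves, and a systemd drop-in orders cron after nss-user-lookup.target, the target the sssd.service unit shown above declares itself Before= of. The drop-in path, the user name `ipauser` and the timeouts are assumptions for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread). Make an @reboot job tolerate an SSSD
# that is running but has not finished initializing its user database.
# The only reliable readiness check is the NSS lookup itself.

# wait_for_passwd_entry USER [TIMEOUT_SECONDS]
# Polls `getent passwd USER` once per second. Returns 0 as soon as the entry
# resolves, 1 if TIMEOUT (default 60) elapses first.
wait_for_passwd_entry() {
    _user=$1
    _timeout=${2:-60}
    _elapsed=0
    while ! getent passwd "$_user" >/dev/null 2>&1; do
        if [ "$_elapsed" -ge "$_timeout" ]; then
            return 1
        fi
        sleep 1
        _elapsed=$((_elapsed + 1))
    done
    return 0
}

# cron_dropin_text prints a systemd drop-in (assumed path:
# /etc/systemd/system/cron.service.d/wait-for-users.conf) that orders cron
# after nss-user-lookup.target. sssd.service declares Before= that target,
# so this narrows the race window; it does not prove sssd's responders are
# up, which is why the poll above is still used inside the job.
cron_dropin_text() {
    cat <<'EOF'
[Unit]
After=nss-user-lookup.target
Wants=nss-user-lookup.target
EOF
}

# reboot_job [USER] [TIMEOUT]: body of the @reboot crontab entry.
# Waits for the (assumed) IPA user to resolve, then runs the real work.
reboot_job() {
    _u=${1:-ipauser}
    _t=${2:-120}
    if ! wait_for_passwd_entry "$_u" "$_t"; then
        echo "user $_u not resolvable after ${_t}s; sssd not ready?" >&2
        return 1
    fi
    # real work goes here, e.g. a script owned by $_u
    return 0
}

# Stand-alone demo: print the drop-in and wait briefly for root.
if [ "${0##*/}" != "sh" ] && [ "${0##*/}" != "bash" ]; then
    cron_dropin_text
    reboot_job root 5 && echo "root resolvable, job would run"
fi
```

Install the drop-in with `systemctl edit cron.service` (or write the file and run `systemctl daemon-reload`), and keep the poll in the job: the drop-in only changes ordering, while the `getent` loop checks the thing cron actually needs.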

Re: [Freeipa-users] Unable to configure DNSSEC signing

2016-05-03 Thread Martin Basti



On 03.05.2016 02:40, Gary T. Giesen wrote:

I've followed the guide at https://www.freeipa.org/page/Howto/DNSSEC to
configure DNSSEC support in my FreeIPA 4.2/CentOS 7.2 installation, but I've
been unable for the life of me to get it to sign zones. I've followed the
steps at
http://www.freeipa.org/page/Troubleshooting#DNSSEC_signing_does_not_work but
as yet have been unable to get signing to work.

# ipa dnszone-show example.com
   Zone name: example.com.
   Active zone: TRUE
   Authoritative nameserver: host.example.com.
   Administrator e-mail address: hostmaster.example.com.
   SOA serial: 1462235022
   SOA refresh: 3600
   SOA retry: 900
   SOA expire: 1209600
   SOA minimum: 3600
   Allow query: any;
   Allow transfer: none;
   Allow in-line DNSSEC signing: TRUE




ldapsearch -Y GSSAPI
'(&(ipaConfigString=enabledService)(ipaConfigString=dnssecKeyMaster))'
SASL/GSSAPI authentication started
SASL username: ad...@example.com
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base 

Re: [Freeipa-users] is it possible to use 'ipa-replica' to syncuserbetween different suffix AD and IPA domain?

2016-05-03 Thread Matrix
Hi, Petr


all steps listed in section 7.4 of Windows integration guide have been done.


user for sync is 'cn=ipa,cn=users,dc=examplemedia,dc=net'


and I have verified it with ldapsearch; the detailed command is below:
# ldapsearch -H ldap://ipaad.examplemedia.net -D 
'cn=ipa,cn=users,dc=examplemedia,dc=net' -w 'RedHat1!' -b 
"cn=users,dc=examplemedia,dc=net" -LLL -ZZ


and the sync agreement is created by:


# ipa-replica-manage connect --winsync 
--binddn="cn=ipa,cn=users,dc=examplemedia,dc=net" --bindpw='RedHat1!' 
--passsync='redhatredhat' --cacert='/etc/openldap/cacerts/ad.cer' 
--win-subtree='ou=users,dc=examplemedia,dc=net' -v ipaad.examplemedia.net


After it was created, I also force-synced it.


# ipa-replica-manage force-sync --from=ipaad.examplemedia.net
Directory Manager password:


ipa: INFO: Setting agreement cn=meToipaad.examplemedia.net,cn=replica,cn=dc\=dev\,dc\=example\,dc\=net,cn=mapping tree,cn=config schedule to 2358-2359 0 to force synch
ipa: INFO: Deleting schedule 2358-2359 0 from agreement cn=meToipaad.examplemedia.net,cn=replica,cn=dc\=dev\,dc\=example\,dc\=net,cn=mapping tree,cn=config




root@ipaserver:/var/log/dirsrv/slapd-DEV-EXAMPLE-NET · 06:47 AM Tue May 03 ·
!41 # echo $?
0



No error was reported. Is there any debug info or log I can provide for further
analysis?


Thanks


Matrix




-- Original --
From:  "Petr Vobornik";;
Date:  Mon, May 2, 2016 02:46 AM
To:  "Matrix"; "freeipa-users"; 

Subject:  Re: [Freeipa-users] is it possible to use 'ipa-replica' to 
syncuserbetween different suffix AD and IPA domain?



On 04/28/2016 05:30 PM, Matrix wrote:
> Hi, Petr
> 
> Thanks for your quick reply.
> 
> I want to integrate Linux servers with the existing AD and centrally manage
> HBAC/sudo rules.
> 
> So I have set up a standalone IPA server with domain 'example.net', trying to
> sync users from the existing AD to it with the following cmd:
> 
> ipa-replica-manage connect --winsync 
> --binddn="cn=ipa,cn=users,dc=examplemedia,dc=net" --bindpw='' 
> --passsync='' --cacert='/etc/openldap/cacerts/ipaad.cer' 
> --win-subtree='ou=users,dc=examplemedia,dc=net' -v ipaad.examplemedia.net
> 
> 
> After it has been successfully established, users in AD did not sync to IPA.

Before we go into debugging, please make sure that you have done the
steps described in section 7.4 of Windows integration guide:

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/Setting_up_Active_Directory.html

> 
> 
> For the 'trusts' integration method, since users are not synced to IPA at all,
> how do you set sudo/HBAC rules for users? I have not tried it.
> 
> 
> Matrix
> 
> 
> 
> 
> -- Original --
> *From: * "Petr Vobornik";;
> *Date: * Thu, Apr 28, 2016 11:21 PM
> *To: * "Matrix"; "freeipa-users";
> *Subject: * Re: [Freeipa-users] is it possible to use 'ipa-replica' to sync 
> userbetween different suffix AD and IPA domain?
> 
> On 04/28/2016 04:44 PM, Matrix wrote:
>  > Hi, all
>  >
>  > I am trying to do a centralized solution
>  >
>  > AD domain is 'examplemedia.net'
>  >
>  > IPA domain is 'example.net'
>  >
>  > After ipa-replica has been established, I found that nothing has been
>  > synced from AD to IPA.
>  >
>  > IPA version: ipa-server-4.2.0-15.0.1.el7.centos.6.1.x86_64
>  >
>  > I doubt that a different suffix is supported. If so, can anyone give me
>  > some hints to investigate further?
>  >
>  > Thanks for your kind help.
>  >
>  > Matrix
> 
> Hello,
> 
> what is your goal and current setup?
> 
> By "ipa-replica has been established" do you mean that you installed a
> new currently standalone IPA server? And connected it somehow with AD?
> 
> Or did you run `ipa-replica-manage connect --winsync ...`
> 
> It would be good to mention that IPA server[1] cannot be a replica of an
> AD server. But it can integrate with it. Either by using
> winsync (synchronization) or the recommended solution: Trusts [2].
> 
> Documentation:
> [1]
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html
> [2]
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/pt02.html
> 
> HTH
> -- 
> Petr Vobornik
> 


-- 
Petr Vobornik
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
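An added example, not part of this thread and not FreeIPA or 389-ds code, for the debugging step Matrix asks about. The `echo $?` above reports the exit status of `ipa-replica-manage force-sync` itself, which only set and removed a schedule on the agreement; the outcome of the sync is recorded on the agreement entry in cn=config, in attributes such as nsds5replicaLastUpdateStatus, nsds5replicaUpdateInProgress and the nsds7* subtree settings. The script below reads such an entry from `ldapsearch -LLL` output and turns it into findings. The LDIF sample is constructed, including its error text; the attribute names are the real 389-ds ones, and the agreement DN is the one printed by force-sync above.

```python
"""Added example (not from the thread, not FreeIPA code): read a winsync
agreement entry exported with
  ldapsearch -LLL -D 'cn=Directory Manager' -W -b cn=config \
      '(objectClass=nsDSWindowsReplicationAgreement)'
and report whether the last synchronization actually succeeded."""

import base64
import re

# Constructed sample of what that ldapsearch could print. The DN is the one
# force-sync logged in the thread; every value, including the failing
# status text, is invented for the demonstration.
SAMPLE_LDIF = """\
dn: cn=meToipaad.examplemedia.net,cn=replica,cn=dc\\=dev\\,dc\\=example\\,dc\\=net,cn=map
 ping tree,cn=config
objectClass: top
objectClass: nsDSWindowsReplicationAgreement
cn: meToipaad.examplemedia.net
nsDS5ReplicaHost: ipaad.examplemedia.net
nsDS5ReplicaPort: 636
nsDS5ReplicaRoot: dc=dev,dc=example,dc=net
nsds7WindowsReplicaSubtree: ou=users,dc=examplemedia,dc=net
nsds7DirectoryReplicaSubtree: cn=users,cn=accounts,dc=dev,dc=example,dc=net
nsds7NewWinUserSyncEnabled: true
nsds5replicaLastUpdateStart: 20160503064700Z
nsds5replicaLastUpdateEnd: 20160503064701Z
nsds5replicaUpdateInProgress: FALSE
nsds5replicaLastUpdateStatus: Error (32) Replication error acquiring replica: no such object
"""


def parse_ldif(text):
    """Minimal LDIF reader: unfolds continuation lines (leading space),
    decodes 'attr:: base64' values, splits entries on blank lines and
    lowercases attribute names. Returns a list of dicts attr -> [values]."""
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]            # RFC 2849 line folding
        elif raw.startswith("#"):
            continue
        else:
            logical.append(raw)
    entries, current = [], {}
    for line in logical:
        if line == "":
            if current:
                entries.append(current)
                current = {}
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(name.lower(), []).append(value)
    if current:
        entries.append(current)
    return entries


# 389-ds has used both '0 Replica acquired ...' and 'Error (0) Replica ...'
_STATUS = re.compile(r"^(?:Error\s*\((-?\d+)\)|(-?\d+))\s*(.*)$")


def parse_update_status(value):
    """Return (code, message) from nsds5replicaLastUpdateStatus; code is
    None when the text does not start with a numeric code."""
    m = _STATUS.match(value.strip())
    if not m:
        return None, value.strip()
    code = int(m.group(1) if m.group(1) is not None else m.group(2))
    return code, m.group(3)


def check_agreement(entry):
    """Return a list of (level, message) findings for one agreement entry.
    No 'error' finding means the last update reported success."""
    findings = []
    status = entry.get("nsds5replicalastupdatestatus", [""])[0]
    code, msg = parse_update_status(status)
    if code is None:
        findings.append(("error", "no parseable nsds5replicaLastUpdateStatus: %r" % status))
    elif code != 0:
        findings.append(("error", "last update failed, code %d: %s" % (code, msg)))
    if entry.get("nsds5replicaupdateinprogress", ["FALSE"])[0].upper() == "TRUE":
        findings.append(("info", "an update is still in progress; re-check later"))
    if entry.get("nsds7newwinusersyncenabled", ["false"])[0].lower() != "true":
        findings.append(("warn", "nsds7NewWinUserSyncEnabled is not true: new AD users are not created in IPA"))
    subtree = entry.get("nsds7windowsreplicasubtree", [""])[0]
    if subtree.split(",", 1)[0].strip().lower() == "ou=users":
        # AD's built-in container is CN=Users; an OU of that name must have
        # been created explicitly. Verify with ldapsearch -b on the AD side.
        findings.append(("warn", "AD subtree %r starts with ou=users; the default AD container is cn=Users, confirm the OU exists" % subtree))
    return findings


if __name__ == "__main__":
    for e in parse_ldif(SAMPLE_LDIF):
        print(e["dn"][0])
        for level, message in check_agreement(e):
            print("  [%s] %s" % (level, message))
```

Run it against a real export by piping `ldapsearch -LLL ... -b cn=config '(objectClass=nsDSWindowsReplicationAgreement)'` into `parse_ldif`; a nonzero status code or an update that never finishes is where to start reading the errors log in the slapd-DEV-EXAMPLE-NET directory shown in the prompt above.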

[Freeipa-users] freeipa password policy (history) getting reset with password reset

2016-05-03 Thread Rakesh Rajasekharan
Hi,

I am running a freeipa server 4.2.x.

I have the following global password policy set to force a history
of 3:

ipa pwpolicy-mod global_policy --history=3 --maxlife=90 --minlength=8
--maxfail=3 --failinterval=300


This works well when the user himself changes the password, and IPA does
not allow reusing an older password.

However, if the admin resets it with "ipa user-mod testuser --random" then it
seems to reset the password history as well, and the user can now re-use his
older password.

Is this expected, or is there something I can do about it?

Also, is there a way to get the password expiry warning at the terminal
when a user logs in, something similar to "pwdExpireWarning" in ldap?

I searched a bit and could only find setting up email alerts.


Thanks,
Rakesh
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project