Re: [Freeipa-users] SSHFP upload

2016-05-06 Thread Sean Hogan

Sorry guys... this is on us.  They also missed a few other rules in the
request so please disregard.


But for clarity in resolution:

Make sure firewalls have the right rules set.  In this instance TCP 53
bidirectional, as they only did unidirectional, which spawned the SOA
issue.  All good now.

Thanks for the help.



Sean Hogan







From:   Sean Hogan/Durham/IBM
To: Martin Basti 
Cc: freeipa-users 
Date:   05/06/2016 02:36 PM
Subject:Re: [Freeipa-users] SSHFP upload


Hi Martin,

   TCP 53 was not open as per the firewall request and ipa docs.  That is
corrected now, but it is still failing to update sshfp; now, instead of
"can not comm with DNS server", I am getting the below.
This is on a box that was enrolled... I ran ipa-client-install --uninstall,
removed ca.crt and krb5.keytab and then ran ipa-client-install
--enable-dns-update --force

2016-05-06T21:27:16Z DEBUG args=/usr/bin/nsupdate
-g /etc/ipa/.dns_update.txt
2016-05-06T21:27:16Z DEBUG stdout=
2016-05-06T21:27:16Z DEBUG stderr=; Communication with Correct DNS IP#53
failed: operation canceled
; response to SOA query was unsuccessful

2016-05-06T21:27:16Z DEBUG nsupdate failed: Command '/usr/bin/nsupdate
-g /etc/ipa/.dns_update.txt' returned non-zero exit status 1
2016-05-06T21:27:16Z WARNING Could not update DNS SSHFP records.
2016-05-06T21:27:16Z DEBUG args=/sbin/service nscd status
2016-05-06T21:27:16Z DEBUG stdout=
2016-05-06T21:27:16Z DEBUG stderr=nscd: unrecognized service



Sean Hogan








From:   Martin Basti 
To: Sean Hogan/Durham/IBM@IBMUS
Cc: freeipa-users 
Date:   05/06/2016 01:25 PM
Subject:Re: [Freeipa-users] SSHFP upload







On 06.05.2016 22:18, Sean Hogan wrote:


  Yes sir..

  Dynamic update value is set to true on both test.local and the
  reverse zone.

  From what Robert mentioned I am looking at the install logs now.


  So this is where DNS update is bombing:
  2016-04-26T16:31:08Z DEBUG args=/usr/bin/nsupdate
  -g /etc/ipa/.dns_update.txt
  2016-04-26T16:31:08Z DEBUG stdout=
  2016-04-26T16:31:08Z DEBUG stderr=; Communication with "Correct DNS
  server IP"#53 failed:
  operation canceled
  could not talk to any default name server


That is weird. Maybe, do you have TCP/53 allowed? It may try to use TCP
instead of UDP.

And please check on "Correct DNS server" if there is any logged entry about a
dynamic update from the client (journalctl -u named[-pkcs11])

Martin



  2016-04-26T16:31:08Z DEBUG nsupdate failed: Command
  '/usr/bin/nsupdate -g /etc/i
  pa/.dns_update.txt' returned non-zero exit status 1
  2016-04-26T16:31:08Z ERROR Failed to update DNS records.

  And this is where SSHFP updates are bombing:
  2016-04-26T16:31:09Z DEBUG args=/usr/bin/nsupdate
  -g /etc/ipa/.dns_update.txt
  2016-04-26T16:31:09Z DEBUG stdout=
  2016-04-26T16:31:09Z DEBUG stderr=; Communication with "Correct DNS
  server IP"#53 failed:
  operation canceled
  could not talk to any default name server

  2016-04-26T16:31:09Z DEBUG nsupdate failed: Command
  '/usr/bin/nsupdate -g /etc/i
  pa/.dns_update.txt' returned non-zero exit status 1
  2016-04-26T16:31:09Z WARNING Could not update DNS SSHFP records.
  2016-04-26T16:31:09Z DEBUG args=/sbin/service nscd status
  2016-04-26T16:31:09Z DEBUG stdout=
  2016-04-26T16:31:09Z DEBUG stderr=nscd: unrecognized service


  So it looks like it can not talk to port 53, but nslookup is working
  fine from the box and outputting the server response as the correct
  DNS IP, which is in the logs:
  Server: correct IP of DNS server
  Address: correct IP of DNS server#53

  Name: dingle.test.local
  Address: correct ip of dingle

  resolv.conf has the 1st listing as the same IP as in the logs and the
  nslookup result.

  Sean Hogan






  From: Martin Basti 
  To: Sean Hogan/Durham/IBM@IBMUS, freeipa-users
  
  Date: 05/06/2016 12:25 PM
  Subject: Re: [Freeipa-users] SSHFP upload





  Hello, records are updated by nslookup


  do you have allowed dynamic updates in the zone settings?


  Martin



  On 06.05.2016 21:18, Sean Hogan wrote:


  Hi All,

  Wondering if someone knows how the SSHFPs of a box are
  getting uploaded to IPA during ipa-client-install
  --enable-dns-updates? Is it going over port 389,636,22?

  Have an issue that on one network my 

Re: [Freeipa-users] SSHFP upload

2016-05-06 Thread Sean Hogan

Hi Martin,

   TCP 53 was not open as per the firewall request and ipa docs.  That is
corrected now, but it is still failing to update sshfp; now, instead of
"can not comm with DNS server", I am getting the below.
This is on a box that was enrolled... I ran ipa-client-install --uninstall,
removed ca.crt and krb5.keytab and then ran ipa-client-install
--enable-dns-update --force

2016-05-06T21:27:16Z DEBUG args=/usr/bin/nsupdate
-g /etc/ipa/.dns_update.txt
2016-05-06T21:27:16Z DEBUG stdout=
2016-05-06T21:27:16Z DEBUG stderr=; Communication with Correct DNS IP#53
failed: operation canceled
; response to SOA query was unsuccessful

2016-05-06T21:27:16Z DEBUG nsupdate failed: Command '/usr/bin/nsupdate
-g /etc/ipa/.dns_update.txt' returned non-zero exit status 1
2016-05-06T21:27:16Z WARNING Could not update DNS SSHFP records.
2016-05-06T21:27:16Z DEBUG args=/sbin/service nscd status
2016-05-06T21:27:16Z DEBUG stdout=
2016-05-06T21:27:16Z DEBUG stderr=nscd: unrecognized service



Sean Hogan







From:   Martin Basti 
To: Sean Hogan/Durham/IBM@IBMUS
Cc: freeipa-users 
Date:   05/06/2016 01:25 PM
Subject:Re: [Freeipa-users] SSHFP upload







On 06.05.2016 22:18, Sean Hogan wrote:


  Yes sir..

  Dynamic update value is set to true on both test.local and the
  reverse zone.

  From what Robert mentioned I am looking at the install logs now.


  So this is where DNS update is bombing:
  2016-04-26T16:31:08Z DEBUG args=/usr/bin/nsupdate
  -g /etc/ipa/.dns_update.txt
  2016-04-26T16:31:08Z DEBUG stdout=
  2016-04-26T16:31:08Z DEBUG stderr=; Communication with "Correct DNS
  server IP"#53 failed:
  operation canceled
  could not talk to any default name server


That is weird. Maybe, do you have TCP/53 allowed? It may try to use TCP
instead of UDP.

And please check on "Correct DNS server" if there is any logged entry about a
dynamic update from the client (journalctl -u named[-pkcs11])

Martin



  2016-04-26T16:31:08Z DEBUG nsupdate failed: Command
  '/usr/bin/nsupdate -g /etc/i
  pa/.dns_update.txt' returned non-zero exit status 1
  2016-04-26T16:31:08Z ERROR Failed to update DNS records.

  And this is where SSHFP updates are bombing:
  2016-04-26T16:31:09Z DEBUG args=/usr/bin/nsupdate
  -g /etc/ipa/.dns_update.txt
  2016-04-26T16:31:09Z DEBUG stdout=
  2016-04-26T16:31:09Z DEBUG stderr=; Communication with "Correct DNS
  server IP"#53 failed:
  operation canceled
  could not talk to any default name server

  2016-04-26T16:31:09Z DEBUG nsupdate failed: Command
  '/usr/bin/nsupdate -g /etc/i
  pa/.dns_update.txt' returned non-zero exit status 1
  2016-04-26T16:31:09Z WARNING Could not update DNS SSHFP records.
  2016-04-26T16:31:09Z DEBUG args=/sbin/service nscd status
  2016-04-26T16:31:09Z DEBUG stdout=
  2016-04-26T16:31:09Z DEBUG stderr=nscd: unrecognized service


  So it looks like it can not talk to port 53, but nslookup is working
  fine from the box and outputting the server response as the correct
  DNS IP, which is in the logs:
  Server: correct IP of DNS server
  Address: correct IP of DNS server#53

  Name: dingle.test.local
  Address: correct ip of dingle

  resolv.conf has the 1st listing as the same IP as in the logs and the
  nslookup result.

  Sean Hogan






  From: Martin Basti 
  To: Sean Hogan/Durham/IBM@IBMUS, freeipa-users
  
  Date: 05/06/2016 12:25 PM
  Subject: Re: [Freeipa-users] SSHFP upload





  Hello, records are updated by nslookup


  do you have allowed dynamic updates in the zone settings?


  Martin



  On 06.05.2016 21:18, Sean Hogan wrote:


  Hi All,

  Wondering if someone knows how the SSHFPs of a box are
  getting uploaded to IPA during ipa-client-install
  --enable-dns-updates? Is it going over port 389,636,22?

  Have an issue that on one network my enrolls work fine
  and everything gets updated. A new network was put in
  place but still part of the same domain and I get SSHFP
  failed to upload. I was assuming this has something to do
  with DNS but Network team says bi directional port 53 is
  good and I can nslookup. Both new and old networks point
  to the same IPA DNS server for enrolling. The IPs of the
  new network still fall in my reverse zone.

  

Re: [Freeipa-users] nsds5ReplConflict / Replication issue!

2016-05-06 Thread Mark Reynolds



On 05/06/2016 03:29 PM, Devin Acosta wrote:

I am running the latest FreeIPA on CentOS 7.2.

I noticed I had a “nsds5ReplConflict” with an item. I tried to follow
the webpage to rename and delete, but that failed.

Is this the page you looked at:

https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html/Administration_Guide/Managing_Replication-Solving_Common_Replication_Conflicts.html

If it is the same process, what exactly failed?

Thanks,
Mark
I then tried to have ipa1-i2x reload from the ipa01-aws instance; now it
seems to have gone maybe worse?
Can you please advise how to get back to a healthy system. I
initially added a system account as recommended so I could have, say,
Jira/Confluence do user searches against IDM.


[dacosta@ipa1-i2x ~]$ ldapsearch -x -D "cn=directory manager" -w 'password' -b "dc=rsinc,dc=local" "nsds5ReplConflict=*" \* nsds5ReplConflict

# extended LDIF
#
# LDAPv3
# base 

Re: [Freeipa-users] SSHFP upload

2016-05-06 Thread Martin Basti



On 06.05.2016 22:18, Sean Hogan wrote:


Yes sir..

Dynamic update value is set to true on both test.local and the reverse 
zone.


From what Robert mentioned I am looking at the install logs now.


So this is where DNS update is bombing:
2016-04-26T16:31:08Z DEBUG args=/usr/bin/nsupdate -g 
/etc/ipa/.dns_update.txt

2016-04-26T16:31:08Z DEBUG stdout=
2016-04-26T16:31:08Z DEBUG stderr=; Communication with "Correct DNS 
server IP"#53 failed:

operation canceled
could not talk to any default name server

That is weird. Maybe, do you have TCP/53 allowed? It may try to use TCP
instead of UDP.


And please check on "Correct DNS server" if there is any logged entry
about a dynamic update from the client (journalctl -u named[-pkcs11])


Martin



2016-04-26T16:31:08Z DEBUG nsupdate failed: Command '/usr/bin/nsupdate 
-g /etc/i

pa/.dns_update.txt' returned non-zero exit status 1
2016-04-26T16:31:08Z ERROR Failed to update DNS records.

And this is where SSHFP updates are bombing:
2016-04-26T16:31:09Z DEBUG args=/usr/bin/nsupdate -g 
/etc/ipa/.dns_update.txt

2016-04-26T16:31:09Z DEBUG stdout=
2016-04-26T16:31:09Z DEBUG stderr=; Communication with "Correct DNS 
server IP"#53 failed:

operation canceled
could not talk to any default name server

2016-04-26T16:31:09Z DEBUG nsupdate failed: Command '/usr/bin/nsupdate 
-g /etc/i

pa/.dns_update.txt' returned non-zero exit status 1
2016-04-26T16:31:09Z WARNING Could not update DNS SSHFP records.
2016-04-26T16:31:09Z DEBUG args=/sbin/service nscd status
2016-04-26T16:31:09Z DEBUG stdout=
2016-04-26T16:31:09Z DEBUG stderr=nscd: unrecognized service


So it looks like it can not talk to port 53, but nslookup is working
fine from the box and outputting the server response as the correct
DNS IP, which is in the logs:

Server: correct IP of DNS server
Address: correct IP of DNS server#53

Name: dingle.test.local
Address: correct ip of dingle

resolv.conf has the 1st listing as the same IP as in the logs and the
nslookup result.


Sean Hogan







From: Martin Basti 
To: Sean Hogan/Durham/IBM@IBMUS, freeipa-users 
Date: 05/06/2016 12:25 PM
Subject: Re: [Freeipa-users] SSHFP upload





Hello, records are updated by nslookup

do you have allowed dynamic updates in the zone settings?

Martin


On 06.05.2016 21:18, Sean Hogan wrote:

Hi All,

Wondering if someone knows how the SSHFPs of a box are getting
uploaded to IPA during ipa-client-install
--enable-dns-updates? Is it going over port 389,636,22?

Have an issue that on one network my enrolls work fine and
everything gets updated. A new network was put in place but
still part of the same domain and I get SSHFP failed to
upload. I was assuming this has something to do with DNS but
Network team says bi directional port 53 is good and I can
nslookup. Both new and old networks point to the same IPA DNS
server for enrolling. The IPs of the new network still fall in
my reverse zone.

So My DNS is setup with:
test.local
10.in-addr.arpa

and the IP scheme for new net is 10.5.x.x, old net is 10.35.x.x



Results of current Network

Enrolled in IPA realm TEST.LOCAL
Created /etc/ipa/default.conf
New SSSD config will be created
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm TEST.LOCAL
trying https://bob.test.local/ipa/xml

Forwarding 'env' to server u'https://bob.test.local/ipa/xml'
DNS server record set to: dingle.test.local -> IP of dingle
Adding SSH public key from /etc/ssh/ssh_host_dsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Forwarding 'host_mod' to server u'https://bob.test.local/ipa/xml'
SSSD enabled
Configuring test.local as NIS domain
Configured /etc/openldap/ldap.conf
NTP enabled
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Client configuration complete.




Results of New network
Enrolled in IPA realm TEST.LOCAL
Attempting to get host TGT...
Created /etc/ipa/default.conf
New SSSD config will be created
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm TEST.LOCAL
trying https://bob.test.local/ipa/xml

Forwarding 

Re: [Freeipa-users] nsds5ReplConflict / Replication issue!

2016-05-06 Thread Devin Acosta


I did try to resync idm1-i2x from ipa01-aws; probably was a bad idea...
Is there any way to basically have it resync and get a fresh copy from
the other nodes that are OK?




Well it initially started when I noticed errors in the logs about having
a conflict on a record. So I was trying to get that record cleaned up. I
then thought, oh maybe I should just have it reload everything from
another server, and I wonder if now that's why the box is just giving
strange results.


I had ipa1-i2x.rsinc.local reload from ipa01-aws.rsinc.local; you can
see the output of the commands below about replication status. I can
still log into ipa1-i2x.rsinc.local.


[dacosta@ipa1-i2x ~]$ ipa-replica-manage -v list ipa02-aws.rsinc.local
ipa: WARNING: session memcached servers not running
ipa01-aws.rsinc.local: replica
last init status: None
last init ended: 1970-01-01 00:00:00+00:00
last update status: 0 Replica acquired successfully: Incremental update 
started

last update ended: 1970-01-01 00:00:00+00:00
[dacosta@ipa1-i2x ~]$ ipa-replica-manage -v list ipa01-aws.rsinc.local
ipa: WARNING: session memcached servers not running
ipa02-aws.rsinc.local: replica
last init status: None
last init ended: 1970-01-01 00:00:00+00:00
last update status: 0 Replica acquired successfully: Incremental update 
succeeded

last update ended: 2016-05-06 19:47:26+00:00
ipa1-i2x.rsinc.local: replica
last init status: 0 Total update succeeded
last init ended: 2016-05-06 18:46:29+00:00
last update status: 0 Replica acquired successfully: Incremental update 
succeeded

last update ended: 2016-05-06 19:46:59+00:00
[dacosta@ipa1-i2x ~]$ ipa-replica-manage -v list ipa1-i2x.rsinc.local
ipa: WARNING: session memcached servers not running
ipa01-aws.rsinc.local: replica
last init status: None
last init ended: 1970-01-01 00:00:00+00:00
last update status: 1 Can't acquire busy replica
last update ended: 1970-01-01 00:00:00+00:00

I do have these errors on (idm1-i2x) in the errors:

[06/May/2016:18:48:46 +] NSMMReplicationPlugin - ruv_compare_ruv: 
RUV [changelog max RUV] does not contain element [{replica 4 
ldap://ipa01-aws.rsinc.local:389} 56e2f9e70004 
572ce68100020004] which is present in RUV [database RUV]
[06/May/2016:18:48:46 +] NSMMReplicationPlugin - 
replica_check_for_data_reload: Warning: for replica dc=rsinc,dc=local 
there were some differences between the changelog max RUV and the 
database RUV.  If there are obsolete elements in the database RUV, you 
should remove them using the CLEANALLRUV task.  If they are not 
obsolete, you should check their status to see why there are no changes 
from those servers in the changelog.
[06/May/2016:18:48:46 +] NSMMReplicationPlugin - ruv_compare_ruv: 
RUV [changelog max RUV] does not contain element [{replica 91 
ldap://ipa1-i2x.rsinc.local:389} 56f02d3b005b 
56f02d67005b] which is present in RUV [database RUV]
[06/May/2016:18:48:46 +] NSMMReplicationPlugin - 
replica_check_for_data_reload: Warning: for replica o=ipaca there were 
some differences between the changelog max RUV and the database RUV.  If 
there are obsolete elements in the database RUV, you should remove them 
using the CLEANALLRUV task.  If they are not obsolete, you should check 
their status to see why there are no changes from those servers in the 
changelog.
[06/May/2016:18:48:46 +] set_krb5_creds - Could not get initial 
credentials for principal [ldap/ipa1-i2x.rsinc.local@RSINC.LOCAL] in 
keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328324 (Generic error (see 
e-text))
[06/May/2016:18:48:46 +] slapd_ldap_sasl_interactive_bind - Error: 
could not perform interactive bind for id [] mech [GSSAPI]: LDAP error 
-2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified 
GSS failure.  Minor code may provide more information (No Kerberos 
credentials available)) errno 0 (Success)
[06/May/2016:18:48:46 +] slapi_ldap_bind - Error: could not perform 
interactive bind for id [] authentication mechanism [GSSAPI]: error -2 
(Local error)
[06/May/2016:18:48:46 +] NSMMReplicationPlugin - 
agmt="cn=meToipa01-aws.rsinc.local" (ipa01-aws:389): Replication bind 
with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic 
failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide 
more information (No Kerberos credentials available))
[06/May/2016:18:48:46 +] - slapd started.  Listening on All 
Interfaces port 389 for LDAP requests
[06/May/2016:18:48:46 +] - Listening on All Interfaces port 636 for 
LDAPS requests
[06/May/2016:18:48:46 +] - Listening on 
/var/run/slapd-RSINC-LOCAL.socket for LDAPI requests
[06/May/2016:18:48:50 +] NSMMReplicationPlugin - 
agmt="cn=meToipa01-aws.rsinc.local" (ipa01-aws:389): Replication bind 
with GSSAPI auth resumed

[06/May/2016:18:49:18 +] - Retry count exceeded in delete
[06/May/2016:18:49:18 +] DSRetroclPlugin - delete_changerecord: 
could not delete change record 436145 (rc: 51)


Thanks 

Re: [Freeipa-users] SSHFP upload

2016-05-06 Thread Sean Hogan

Yes sir..

  Dynamic update value is set to true on both test.local and the reverse
zone.

From what Robert mentioned I am looking at the install logs now.


So this is where DNS update is bombing:
2016-04-26T16:31:08Z DEBUG args=/usr/bin/nsupdate
-g /etc/ipa/.dns_update.txt
2016-04-26T16:31:08Z DEBUG stdout=
2016-04-26T16:31:08Z DEBUG stderr=; Communication with  "Correct DNS server
IP"#53 failed:
operation canceled
could not talk to any default name server

2016-04-26T16:31:08Z DEBUG nsupdate failed: Command '/usr/bin/nsupdate
-g /etc/i
pa/.dns_update.txt' returned non-zero exit status 1
2016-04-26T16:31:08Z ERROR Failed to update DNS records.

And this is where SSHFP updates are bombing:
2016-04-26T16:31:09Z DEBUG args=/usr/bin/nsupdate
-g /etc/ipa/.dns_update.txt
2016-04-26T16:31:09Z DEBUG stdout=
2016-04-26T16:31:09Z DEBUG stderr=; Communication with "Correct DNS server
IP"#53 failed:
operation canceled
could not talk to any default name server

2016-04-26T16:31:09Z DEBUG nsupdate failed: Command '/usr/bin/nsupdate
-g /etc/i
pa/.dns_update.txt' returned non-zero exit status 1
2016-04-26T16:31:09Z WARNING Could not update DNS SSHFP records.
2016-04-26T16:31:09Z DEBUG args=/sbin/service nscd status
2016-04-26T16:31:09Z DEBUG stdout=
2016-04-26T16:31:09Z DEBUG stderr=nscd: unrecognized service


So it looks like it can not talk to port 53, but nslookup is working fine
from the box and outputting the server response as the correct DNS IP, which
is in the logs:
Server: correct IP of DNS server
Address: correct IP of DNS server#53

Name:   dingle.test.local
Address: correct ip of dingle

resolv.conf has the 1st listing as the same IP as in the logs and the
nslookup result.

Sean Hogan







From:   Martin Basti 
To: Sean Hogan/Durham/IBM@IBMUS, freeipa-users

Date:   05/06/2016 12:25 PM
Subject:Re: [Freeipa-users] SSHFP upload



Hello, records are updated by nslookup


do you have allowed dynamic updates in the zone settings?


Martin



On 06.05.2016 21:18, Sean Hogan wrote:


  Hi All,

  Wondering if someone knows how the SSHFPs of a box are getting
  uploaded to IPA during ipa-client-install --enable-dns-updates? Is it
  going over port 389,636,22?

  Have an issue that on one network my enrolls work fine and everything
  gets updated. A new network was put in place but still part of the
  same domain and I get SSHFP failed to upload. I was assuming this has
  something to do with DNS but Network team says bi directional port 53
  is good and I can nslookup. Both new and old networks point to the
  same IPA DNS server for enrolling. The IPs of the new network still
  fall in my reverse zone.

  So My DNS is setup with:
  test.local
  10.in-addr.arpa

  and the IP scheme for new net is 10.5.x.x, old net is 10.35.x.x



  Results of current Network


 Enrolled in IPA realm TEST.LOCAL
 Created /etc/ipa/default.conf
 New SSSD config will be created
 Configured sudoers in /etc/nsswitch.conf
 Configured /etc/sssd/sssd.conf
 Configured /etc/krb5.conf for IPA realm TEST.LOCAL
 trying https://bob.test.local/ipa/xml
 Forwarding 'env' to server u'https://bob.test.local/ipa/xml'
 DNS server record set to: dingle.test.local -> IP of dingle
 Adding SSH public key from /etc/ssh/ssh_host_dsa_key.pub
 Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
 Forwarding 'host_mod' to server u'https://bob.test.local/ipa/xml'
 SSSD enabled
 Configuring test.local as NIS domain
 Configured /etc/openldap/ldap.conf
 NTP enabled
 Configured /etc/ssh/ssh_config
 Configured /etc/ssh/sshd_config
 Client configuration complete.








  Results of New network

 Enrolled in IPA realm TEST.LOCAL   
 Attempting to get host TGT...  
 Created /etc/ipa/default.conf  
 New SSSD config will be created
 Configured sudoers in /etc/nsswitch.conf   
 Configured /etc/sssd/sssd.conf 
 Configured /etc/krb5.conf for IPA realm TEST.LOCAL 
 trying https://bob.test.local/ipa/xml  
 Forwarding 'env' to 

Re: [Freeipa-users] nsds5ReplConflict / Replication issue!

2016-05-06 Thread Martin Basti

Please keep freeipa-users in the loop.

Well, indeed something bad is happening with replication; did you try to
reinitialize the replica? Maybe guys from DS will know what is happening.



Martin


On 06.05.2016 21:51, Devin Acosta wrote:

Martin,

Well it initially started when I noticed errors in the logs about
having a conflict on a record. So I was trying to get that record
cleaned up. I then thought, oh maybe I should just have it reload
everything from another server, and I wonder if now that's why the box
is just giving strange results.


I had ipa1-i2x.rsinc.local reload from ipa01-aws.rsinc.local; you can
see the output of the commands below about replication status. I can
still log into ipa1-i2x.rsinc.local.


[dacosta@ipa1-i2x ~]$ ipa-replica-manage -v list ipa02-aws.rsinc.local
ipa: WARNING: session memcached servers not running
ipa01-aws.rsinc.local: replica
last init status: None
last init ended: 1970-01-01 00:00:00+00:00
last update status: 0 Replica acquired successfully: Incremental 
update started

last update ended: 1970-01-01 00:00:00+00:00
[dacosta@ipa1-i2x ~]$ ipa-replica-manage -v list ipa01-aws.rsinc.local
ipa: WARNING: session memcached servers not running
ipa02-aws.rsinc.local: replica
last init status: None
last init ended: 1970-01-01 00:00:00+00:00
last update status: 0 Replica acquired successfully: Incremental 
update succeeded

last update ended: 2016-05-06 19:47:26+00:00
ipa1-i2x.rsinc.local: replica
last init status: 0 Total update succeeded
last init ended: 2016-05-06 18:46:29+00:00
last update status: 0 Replica acquired successfully: Incremental 
update succeeded

last update ended: 2016-05-06 19:46:59+00:00
[dacosta@ipa1-i2x ~]$ ipa-replica-manage -v list ipa1-i2x.rsinc.local
ipa: WARNING: session memcached servers not running
ipa01-aws.rsinc.local: replica
last init status: None
last init ended: 1970-01-01 00:00:00+00:00
last update status: 1 Can't acquire busy replica
last update ended: 1970-01-01 00:00:00+00:00

I do have these errors on (idm1-i2x) in the errors:

[06/May/2016:18:48:46 +] NSMMReplicationPlugin - ruv_compare_ruv: 
RUV [changelog max RUV] does not contain element [{replica 4 
ldap://ipa01-aws.rsinc.local:389} 56e2f9e70004 
572ce68100020004] which is present in RUV [database RUV]
[06/May/2016:18:48:46 +] NSMMReplicationPlugin - 
replica_check_for_data_reload: Warning: for replica dc=rsinc,dc=local 
there were some differences between the changelog max RUV and the 
database RUV.  If there are obsolete elements in the database RUV, you 
should remove them using the CLEANALLRUV task.  If they are not 
obsolete, you should check their status to see why there are no 
changes from those servers in the changelog.
[06/May/2016:18:48:46 +] NSMMReplicationPlugin - ruv_compare_ruv: 
RUV [changelog max RUV] does not contain element [{replica 91 
ldap://ipa1-i2x.rsinc.local:389} 56f02d3b005b 
56f02d67005b] which is present in RUV [database RUV]
[06/May/2016:18:48:46 +] NSMMReplicationPlugin - 
replica_check_for_data_reload: Warning: for replica o=ipaca there were 
some differences between the changelog max RUV and the database RUV.  
If there are obsolete elements in the database RUV, you should remove 
them using the CLEANALLRUV task.  If they are not obsolete, you should 
check their status to see why there are no changes from those servers 
in the changelog.
[06/May/2016:18:48:46 +] set_krb5_creds - Could not get initial 
credentials for principal [ldap/ipa1-i2x.rsinc.local@RSINC.LOCAL] in 
keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328324 (Generic error (see 
e-text))
[06/May/2016:18:48:46 +] slapd_ldap_sasl_interactive_bind - Error: 
could not perform interactive bind for id [] mech [GSSAPI]: LDAP error 
-2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified 
GSS failure.  Minor code may provide more information (No Kerberos 
credentials available)) errno 0 (Success)
[06/May/2016:18:48:46 +] slapi_ldap_bind - Error: could not 
perform interactive bind for id [] authentication mechanism [GSSAPI]: 
error -2 (Local error)
[06/May/2016:18:48:46 +] NSMMReplicationPlugin - 
agmt="cn=meToipa01-aws.rsinc.local" (ipa01-aws:389): Replication bind 
with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): 
generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code 
may provide more information (No Kerberos credentials available))
[06/May/2016:18:48:46 +] - slapd started.  Listening on All 
Interfaces port 389 for LDAP requests
[06/May/2016:18:48:46 +] - Listening on All Interfaces port 636 
for LDAPS requests
[06/May/2016:18:48:46 +] - Listening on 
/var/run/slapd-RSINC-LOCAL.socket for LDAPI requests
[06/May/2016:18:48:50 +] NSMMReplicationPlugin - 
agmt="cn=meToipa01-aws.rsinc.local" (ipa01-aws:389): Replication bind 
with GSSAPI auth resumed

[06/May/2016:18:49:18 +] - Retry count exceeded in delete
[06/May/2016:18:49:18 +] DSRetroclPlugin - 

Re: [Freeipa-users] nsds5ReplConflict / Replication issue!

2016-05-06 Thread Martin Basti



On 06.05.2016 21:29, Devin Acosta wrote:

I am running the latest FreeIPA on CentOS 7.2.

I noticed I had a “nsds5ReplConflict” with an item. I tried to follow
the webpage to rename and delete, but that failed. I then tried to
have ipa1-i2x reload from the ipa01-aws instance; now it seems to
have gone maybe worse?
Can you please advise how to get back to a healthy system. I
initially added a system account as recommended so I could have, say,
Jira/Confluence do user searches against IDM.


[dacosta@ipa1-i2x ~]$ ldapsearch -x -D "cn=directory manager" -w 'password' -b "dc=rsinc,dc=local" "nsds5ReplConflict=*" \* nsds5ReplConflict

# extended LDIF
#
# LDAPv3
# base 

[Freeipa-users] nsds5ReplConflict / Replication issue!

2016-05-06 Thread Devin Acosta

I am running the latest FreeIPA on CentOS 7.2.

I noticed I had a “nsds5ReplConflict” with an item. I tried to follow
the webpage to rename and delete, but that failed. I then tried to have
ipa1-i2x reload from the ipa01-aws instance; now it seems to have gone
maybe worse?
Can you please advise how to get back to a healthy system. I initially
added a system account as recommended so I could have, say,
Jira/Confluence do user searches against IDM.


[dacosta@ipa1-i2x ~]$ ldapsearch -x -D "cn=directory manager" -w 'password' -b "dc=rsinc,dc=local" "nsds5ReplConflict=*" \* nsds5ReplConflict

# extended LDIF
#
# LDAPv3
# base 

Re: [Freeipa-users] SSHFP upload

2016-05-06 Thread Martin Basti

Hello, records are updated by nslookup

do you have allowed dynamic updates in the zone settings?

Martin


On 06.05.2016 21:18, Sean Hogan wrote:


Hi All,

Wondering if someone knows how the SSHFPs of a box are getting 
uploaded to IPA during ipa-client-install --enable-dns-updates? Is it 
going over port 389,636,22?


Have an issue that on one network my enrolls work fine and everything 
gets updated. A new network was put in place but still part of the 
same domain and I get SSHFP failed to upload. I was assuming this has 
something to do with DNS but Network team says bi directional port 53 
is good and I can nslookup. Both new and old networks point to the 
same IPA DNS server for enrolling. The IPs of the new network still 
fall in my reverse zone.


So My DNS is setup with:
test.local
10.in-addr.arpa

and the IP scheme for new net is 10.5.x.x, old net is 10.35.x.x



Results of current Network


Enrolled in IPA realm TEST.LOCAL
Created /etc/ipa/default.conf
New SSSD config will be created
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm TEST.LOCAL
trying https://bob.test.local/ipa/xml


Forwarding 'env' to server u'https://bob.test.local/ipa/xml'
DNS server record set to: dingle.test.local -> IP of dingle
Adding SSH public key from /etc/ssh/ssh_host_dsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Forwarding 'host_mod' to server u'https://bob.test.local/ipa/xml'
SSSD enabled
Configuring test.local as NIS domain
Configured /etc/openldap/ldap.conf
NTP enabled
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Client configuration complete.




Results of New network
Enrolled in IPA realm TEST.LOCAL
Attempting to get host TGT...
Created /etc/ipa/default.conf
New SSSD config will be created
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm TEST.LOCAL
trying https://bob.test.local/ipa/xml


Forwarding 'env' to server u'https://bob.test.local/ipa/xml'
Failed to update DNS records.
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_dsa_key.pub
Forwarding 'host_mod' to server u'https://bob.test.local/ipa/xml'
Could not update DNS SSHFP records.
SSSD enabled
Configuring test.local as NIS domain
Configured /etc/openldap/ldap.conf
NTP enabled
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Client configuration complete






Sean Hogan






-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] SSHFP upload

2016-05-06 Thread Rob Crittenden

Sean Hogan wrote:

Hi All,

Wondering if someone knows how the SSHFPs of a box are getting uploaded
to IPA during ipa-client-install --enable-dns-updates? Is it going over
port 389, 636 or 22?

Have an issue that on one network my enrolls work fine and everything
gets updated. A new network was put in place but still part of the same
domain and I get SSHFP failed to upload. I was assuming this has
something to do with DNS but Network team says bidirectional port 53 is
good and I can nslookup. Both new and old networks point to the same IPA
DNS server for enrolling. The IPs of the new network still fall in my
reverse zone.

So my DNS is set up with:
test.local
10.in-addr.arpa

and the IP scheme for the new net is 10.5.x.x, the old net is 10.35.x.x


It updates over DNS using nsupdate.


Results of current Network


Look in /var/log/ipaclient-install.log for details.

rob




Enrolled in IPA realm TEST.LOCAL
Created /etc/ipa/default.conf
New SSSD config will be created
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm TEST.LOCAL
trying https://bob.test.local/ipa/xml

Forwarding 'env' to server u'https://bob.test.local/ipa/xml'
DNS server record set to: dingle.test.local -> IP of dingle
Adding SSH public key from /etc/ssh/ssh_host_dsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Forwarding 'host_mod' to server u'https://bob.test.local/ipa/xml'
SSSD enabled
Configuring test.local as NIS domain
Configured /etc/openldap/ldap.conf
NTP enabled
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Client configuration complete.




Results of New network
Enrolled in IPA realm TEST.LOCAL
Attempting to get host TGT...
Created /etc/ipa/default.conf
New SSSD config will be created
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm TEST.LOCAL
trying https://bob.test.local/ipa/xml

Forwarding 'env' to server u'https://bob.test.local/ipa/xml'
Failed to update DNS records.
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_dsa_key.pub
Forwarding 'host_mod' to server u'https://bob.test.local/ipa/xml'
Could not update DNS SSHFP records.
SSSD enabled
Configuring test.local as NIS domain
Configured /etc/openldap/ldap.conf
NTP enabled
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Client configuration complete






Sean Hogan
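Rob's answer above, that the client publishes the records itself over DNS with nsupdate, as an added example that is not part of the thread and not ipa-client-install's own code: compute SSHFP rdata from the host's OpenSSH public key lines and emit the nsupdate script that replaces the host's SSHFP RRset. The key blobs are constructed (not real keys), the script layout is my assumption modelled on nsupdate's syntax, and the owner name dingle.test.local is taken from the log above.

```python
"""Compute SSHFP records (RFC 4255, RFC 6594) from OpenSSH host public keys
and emit the nsupdate script that publishes them over DNS (port 53).

Added example for this thread; not ipa-client-install's code.  The exact
script ipa-client-install hands to nsupdate is an assumption here."""
import base64
import hashlib

# SSHFP algorithm numbers (RFC 4255 sec. 3.1.1, RFC 6594, RFC 7479).
SSHFP_ALGO = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}
# SSHFP fingerprint types: 1 = SHA-1 (RFC 4255), 2 = SHA-256 (RFC 6594).
SSHFP_HASH = {1: hashlib.sha1, 2: hashlib.sha256}


def sshfp_rdata(pubkey_line, fp_types=(1, 2)):
    """Return [(algorithm, fptype, hexdigest), ...] for one line of an
    OpenSSH *.pub file.  The fingerprint is the hash of the raw (base64
    decoded) key blob, the same value `ssh-keygen -r` prints.  Lines with
    an unknown key type yield no records."""
    fields = pubkey_line.split()
    if len(fields) < 2 or fields[0] not in SSHFP_ALGO:
        return []
    blob = base64.b64decode(fields[1])
    algo = SSHFP_ALGO[fields[0]]
    return [(algo, fpt, SSHFP_HASH[fpt](blob).hexdigest()) for fpt in fp_types]


def nsupdate_script(fqdn, pubkey_lines, ttl=1200):
    """Build nsupdate input that replaces the host's SSHFP RRset in one
    transaction: 'update delete' for the whole RRset, one 'update add' per
    record, then 'send'.  The zone must allow dynamic updates (and the
    server must be reachable on TCP/UDP 53) for the update to succeed."""
    owner = fqdn.rstrip(".") + "."
    lines = ["update delete %s IN SSHFP" % owner]
    for line in pubkey_lines:
        for algo, fpt, digest in sshfp_rdata(line):
            lines.append("update add %s %d IN SSHFP %d %d %s"
                         % (owner, ttl, algo, fpt, digest))
    lines.append("send")
    return "\n".join(lines) + "\n"


def read_host_keys(paths):
    """Read the first line of each ssh_host_*_key.pub file that exists."""
    lines = []
    for path in paths:
        try:
            with open(path) as fh:
                lines.append(fh.readline().strip())
        except IOError:
            pass
    return lines


# Constructed key blobs for offline use: valid base64 carrying the right
# length-prefixed type string, but NOT real keys.
SAMPLE_KEYS = [
    "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAQQC7 root@dingle.test.local",
    "ssh-dss AAAAB3NzaC1kc3MAAACBAPExample123 root@dingle.test.local",
    "ssh-weird AAAA root@dingle.test.local",  # unknown type: skipped
]

if __name__ == "__main__":
    # Real use: keys = read_host_keys(["/etc/ssh/ssh_host_rsa_key.pub",
    #                                  "/etc/ssh/ssh_host_dsa_key.pub"])
    # and feed the result to `nsupdate -g` (GSS-TSIG with the host keytab).
    print(nsupdate_script("dingle.test.local", SAMPLE_KEYS))
```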








[Freeipa-users] SSHFP upload

2016-05-06 Thread Sean Hogan


Hi All,

  Wondering if someone knows how the SSHFPs of a box are getting uploaded
to IPA during ipa-client-install --enable-dns-updates?  Is it going over
port 389, 636 or 22?

Have an issue that on one network my enrolls work fine and everything gets
updated.  A new network was put in place but still part of the same domain
and I get SSHFP failed to upload.  I was assuming this has something to do
with DNS but Network team says bidirectional port 53 is good and I can
nslookup.  Both new and old networks point to the same IPA DNS server for
enrolling.  The IPs of the new network still fall in my reverse zone.

So my DNS is set up with:
test.local
10.in-addr.arpa

and the IP scheme for the new net is 10.5.x.x, the old net is 10.35.x.x



Results of current Network


Enrolled in IPA realm TEST.LOCAL
Created /etc/ipa/default.conf
New SSSD config will be created
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm TEST.LOCAL
trying https://bob.test.local/ipa/xml
Forwarding 'env' to server u'https://bob.test.local/ipa/xml'
DNS server record set to: dingle.test.local -> IP of dingle
Adding SSH public key from /etc/ssh/ssh_host_dsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Forwarding 'host_mod' to server u'https://bob.test.local/ipa/xml'
SSSD enabled
Configuring test.local as NIS domain
Configured /etc/openldap/ldap.conf
NTP enabled
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Client configuration complete.






Results of New network

Enrolled in IPA realm TEST.LOCAL
Attempting to get host TGT...
Created /etc/ipa/default.conf
New SSSD config will be created
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm TEST.LOCAL
trying https://bob.test.local/ipa/xml
Forwarding 'env' to server u'https://bob.test.local/ipa/xml'
Failed to update DNS records.
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_dsa_key.pub
Forwarding 'host_mod' to server u'https://bob.test.local/ipa/xml'
Could not update DNS SSHFP records.
SSSD enabled
Configuring test.local as NIS domain
Configured /etc/openldap/ldap.conf
NTP enabled
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Client configuration complete










Sean Hogan


[Freeipa-users] Exposing LDAP attributes with hyphens in their names?

2016-05-06 Thread Jeffery Harrell
Hi. I’m very new to IPA; I only picked it up a couple of weeks ago. So this may be 
a remedial question.

I’d like to expose, both via the CLI and the GUI, certain LDAP attributes which 
have hyphens in their names — e.g., "apple-user-homeurl". The Param class 
rejects these attributes because of the hyphens; the name of the Param doesn’t 
conform to the regular expression, so an exception gets thrown. This code does 
not work:

    from ipalib import Str, _
    from ipalib.plugins import user

    # Extend the user object with one more attribute.  The hyphenated
    # param name fails Param's name check, so this raises when the
    # plugin is loaded.
    user.user.takes_params = user.user.takes_params + (
        Str(
            'apple-user-homeurl?',
            cli_name='appleuserhomeurl',
            label=_('Apple User Home URL'),
            doc=_('Apple user home URL.'),
        ),
    )
Is there a sensible way of getting around that, or will I have to subclass 
Param and write a whole bunch of new code to get this to work?

Thanks very much.

Jeffery


Re: [Freeipa-users] Unable to configure DNSSEC signing

2016-05-06 Thread Petr Spacek
On 6.5.2016 15:51, Gary T. Giesen wrote:
> So thanks to Martin Basti and Petr Spacek, I've found the problem. I was
> adding the old mkosek/freeipa repository, which when 4.1 was the latest
> version was correct, but now 4.2 is in base. I wasn't actually installing
> 4.1 from the mkosek COPR, but it was pulling in the following dependencies
> from there:
> 
> jboss-annotations-1.1-api.noarch   1.0.1-0.6.20120212git76e1a2.el7.centos   @mkosek-freeipa
> open-sans-fonts.noarch             1.10-1.el7.centos                        @mkosek-freeipa
> pki-base.noarch                    10.2.5-6.el7.centos                      @mkosek-freeipa
> pki-ca.noarch                      10.2.5-6.el7.centos                      @mkosek-freeipa
> pki-kra.noarch                     10.2.5-6.el7.centos                      @mkosek-freeipa
> pki-server.noarch                  10.2.5-6.el7.centos                      @mkosek-freeipa
> pki-tools.x86_64                   10.2.5-6.el7.centos                      @mkosek-freeipa
> python-ldap.x86_64                 2.4.16-1.el7.centos

python-ldap would be my suspect.

Can you confirm that downgrading/upgrading the python-ldap package is
sufficient to reproduce/fix the issue?

Thank you!

-- 
Petr^2 Spacek



Re: [Freeipa-users] Unable to configure DNSSEC signing

2016-05-06 Thread Gary T. Giesen
So thanks to Martin Basti and Petr Spacek, I've found the problem. I was
adding the old mkosek/freeipa repository, which when 4.1 was the latest
version was correct, but now 4.2 is in base. I wasn't actually installing
4.1 from the mkosek COPR, but it was pulling in the following dependencies
from there:

jboss-annotations-1.1-api.noarch       1.0.1-0.6.20120212git76e1a2.el7.centos   @mkosek-freeipa
open-sans-fonts.noarch                 1.10-1.el7.centos                        @mkosek-freeipa
pki-base.noarch                        10.2.5-6.el7.centos                      @mkosek-freeipa
pki-ca.noarch                          10.2.5-6.el7.centos                      @mkosek-freeipa
pki-kra.noarch                         10.2.5-6.el7.centos                      @mkosek-freeipa
pki-server.noarch                      10.2.5-6.el7.centos                      @mkosek-freeipa
pki-tools.x86_64                       10.2.5-6.el7.centos                      @mkosek-freeipa
python-ldap.x86_64                     2.4.16-1.el7.centos                      @mkosek-freeipa
python-qrcode-core.noarch              5.0.1-2.el7.centos                       @mkosek-freeipa
relaxngDatatype.noarch                 1.0-11.el7                               @base
resteasy-base-atom-provider.noarch     3.0.6-1.el7.centos                       @mkosek-freeipa
resteasy-base-client.noarch            3.0.6-1.el7.centos                       @mkosek-freeipa
resteasy-base-jackson-provider.noarch  3.0.6-1.el7.centos                       @mkosek-freeipa
resteasy-base-jaxb-provider.noarch     3.0.6-1.el7.centos                       @mkosek-freeipa
resteasy-base-jaxrs.noarch             3.0.6-1.el7.centos                       @mkosek-freeipa
resteasy-base-jaxrs-api.noarch         3.0.6-1.el7.centos                       @mkosek-freeipa
slapi-nis.x86_64                       0.54.2-1.el7.centos                      @mkosek-freeipa

Thanks very much to both of you for helping sort this out as I was
completely lost.

Cheers,

GTG

-Original Message-
From: Gary T. Giesen [mailto:ggie...@giesen.me] 
Sent: May-05-16 1:11 PM
To: 'Petr Spacek' ; freeipa-users@redhat.com
Subject: RE: [Freeipa-users] Unable to configure DNSSEC signing

As a control, I fired up a new VPS, did a new minimal CentOS 7.2 install and
I have the same problem.

These are the steps I took:

# yum update -y
# yum install -y nano net-tools wget
# yum install -y https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
# cd /etc/yum.repos.d/
# wget -N https://copr.fedorainfracloud.org/coprs/mkosek/freeipa/repo/epel-7/mkosek-freeipa-epel-7.repo
# yum install -y haveged
# systemctl start haveged
# systemctl enable haveged
# yum install -y ipa-server ipa-server-dns
# ipa-server-install -r EXAMPLE.COM -n example.com --mkhomedir
--ip-address=192.0.2.10 --idstart=10 --idmax=19 --no-ui-redirect
--ssh-trust-dns --setup-dns --no-forwarders --no-reverse
# ipa-dns-install --no-forwarders --no-reverse --dnssec-master
# ipa dnszone-mod example.com --dnssec=true


GTG

-Original Message-
From: freeipa-users-boun...@redhat.com
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Gary T. Giesen
Sent: May-05-16 11:19 AM
To: 'Petr Spacek' ; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Unable to configure DNSSEC signing

I'm not entirely sure if this is what you were asking for, but here's a
manual LDAP query and the associated logs, and then I restarted
ipa-dnskeysyncd and the logs associated with that as well:


[root@host /]# date
Thu May  5 10:52:12 EDT 2016
[root@host /]# ldapsearch -Y GSSAPI -b 'cn=dns,dc=example,dc=com' -s sub
'(|(objectClass=idnsZone)(objectClass=idnsSecKey)(objectClass=ipk11PublicKey))'
SASL/GSSAPI authentication started
SASL username: u...@example.com
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base 

Re: [Freeipa-users] Unable to configure DNSSEC signing [solved]

2016-05-06 Thread Martin Basti
After investigation on IRC, it looks like the old mkosek/freeipa repo is 
the culprit; this repo should not be used for CentOS 4.2+.



On 05.05.2016 19:11, Gary T. Giesen wrote:

As a control, I fired up a new VPS, did a new minimal CentOS 7.2 install and
I have the same problem.

These are the steps I took:

# yum update -y
# yum install -y nano net-tools wget
# yum install -y https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
# cd /etc/yum.repos.d/
# wget -N https://copr.fedorainfracloud.org/coprs/mkosek/freeipa/repo/epel-7/mkosek-freeipa-epel-7.repo
# yum install -y haveged
# systemctl start haveged
# systemctl enable haveged
# yum install -y ipa-server ipa-server-dns
# ipa-server-install -r EXAMPLE.COM -n example.com --mkhomedir
--ip-address=192.0.2.10 --idstart=10 --idmax=19 --no-ui-redirect
--ssh-trust-dns --setup-dns --no-forwarders --no-reverse
# ipa-dns-install --no-forwarders --no-reverse --dnssec-master
# ipa dnszone-mod example.com --dnssec=true


GTG

-Original Message-
From: freeipa-users-boun...@redhat.com
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Gary T. Giesen
Sent: May-05-16 11:19 AM
To: 'Petr Spacek' ; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Unable to configure DNSSEC signing

I'm not entirely sure if this is what you were asking for, but here's a
manual LDAP query and the associated logs, and then I restarted
ipa-dnskeysyncd and the logs associated with that as well:


[root@host /]# date
Thu May  5 10:52:12 EDT 2016
[root@host /]# ldapsearch -Y GSSAPI -b 'cn=dns,dc=example,dc=com' -s sub
'(|(objectClass=idnsZone)(objectClass=idnsSecKey)(objectClass=ipk11PublicKey))'
SASL/GSSAPI authentication started
SASL username: u...@example.com
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base 

Re: [Freeipa-users] Advise for the best way to achieve AD Caching?

2016-05-06 Thread David LeVene
Thanks for the information, Petr. As you have recommended, another AD server or 
Samba 4 is the best solution.

Cheers
David

-Original Message-
From: Petr Spacek [mailto:pspa...@redhat.com]
Sent: Friday, May 06, 2016 17:27
To: David LeVene ; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Advise for the best way to achieve AD Caching?

On 6.5.2016 02:03, David LeVene wrote:
> Hi Petr,
>
> Thanks for the response.
>
> I didn't know about Samba 4, so that's worth some further investigation on my 
> part - Thanks.
>
> So from what you've said below it can't run as a standalone, but SSSD does 
> allow caching (if a user has authenticated previously). Does IPA have the 
> ability to cache credentials for ~1 hour, so if there is a short loss of 
> network connectivity users still get the OK from the cache?

SSSD's cache will help you only for local authentication on clients (using 
password). It will not help for LDAP BIND or Kerberos authentication.

> I'm still having a look at SyncRepl from slapd for replication, but not sure 
> how this will work in the event that the Provider is uncontactable - as long 
> as it caches credentials/details for ~ 1 hour that's acceptable.

AFAIK SyncRepl is not supported on AD side.


Sorry, but if you are so reliant on AD technology then you probably need to 
either pay for a new AD server or use Samba 4.

Petr^2 Spacek

>
> Regards
> David
>
> -Original Message-
> From: freeipa-users-boun...@redhat.com
> [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Petr Spacek
> Sent: Thursday, May 05, 2016 18:17
> To: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] Advise for the best way to achieve AD Caching?
>
> On 5.5.2016 06:28, David LeVene wrote:
>> Hey All,
>>
>> I'm looking for a bit of direction around the best way to
>> configure/setup an on-site cache &/or replica from an AD Server which
>> will be uni-directional (AD -> IPA/slapd)
>>
>> The masters are multiple AD servers located around the place, and we exist in 
>> a place which is outside of the core network and that network link is a 
>> single point of failure.
>>
>> What I want to achieve is in the event we lose connectivity with the world 
>> users can still authenticate, but if someone is disabled/updated at the top 
>> level it replicates down. I've got a test AD Server & have been reviewing 
>> IPA, but have hit an issue in that I can't get software installed on the AD 
>> Masters for the 389 dir sync software.
>>
>> Currently I've configured a synchronization based solution with one way 
>> replication from the AD Masters -> IPA. This works fine and I can see all 
>> the users being created in IPA - but as the passwords can't be synced 
>> without installing software I can't use this method.
>
> All methods which can work completely off-line will require access to keys on 
> AD server. This means either some additional software on AD side OR having 
> proper AD server which is hosted locally. This could theoretically be Samba 4 
> AD server if you want to try that.
>
> If your clients are sufficiently new you can try to use SSSD everywhere but 
> it comes with own limitations, e.g. users who never logged in before will not 
> be able to login when the network link is down.
>
> I hope this helps.
>
> Petr^2 Spacek
>
>
>> Another nice thing would be to have a separate domain/tree available so we 
>> can split up the staff that are from the master servers and some client 
>> related user/passes that won't be in the Global Directory - but managed from 
>> the same place.
>>
>> Are there any other setups that will achieve what I require? I have seen 
>> slapd with proxy cache but I'm not sure on this option either, and 
>> configuring slapd with all the ldif files manually seems a little daunting 
>> at first sight.
>>
>> Thanks in advance,
>> David
>


--
Petr^2 Spacek


[Freeipa-users] Duplicate serials in issued ipa certs

2016-05-06 Thread wouter.hummelink
Hello,

I discovered today that our IPA CA has been issuing certs with duplicate 
serials, causing issues in several ways when dealing with hosts that have such 
a cert in place (complaints about duplicate serials).
Removing the offending cert from the host results in the same type of error.
These all seem to have been issued from the server that in the past was 
reinstalled with the same hostname.

ipa host-show app
ipa: ERROR: Certificate format error: (SEC_ERROR_REUSED_ISSUER_AND_SERIAL) You 
are attempting to import a cert with the same issuer/serial as an existing 
cert, but that is not the same cert.

IPA cert-find indeed shows 2 issued certs with the same serial (several 
actually)

(anonymized)
  Serial number (hex): 0xFFF0007
  Serial number: 268369927
  Status: VALID
  Subject: CN=app.example.org,O=EXAMPLE.ORG

  Serial number (hex): 0xFFF0007
  Serial number: 268369927
  Status: VALID
  Subject: CN=ipa.example.org,O=EXAMPLE.ORG

The ipa client won't let me revoke or otherwise kill these certs with the same 
error.
What to do?

Kind regards,

Wouter Hummelink
Cloud Engineer
KPN IT Solutions
Platform Organisation Cloud Services
Mail: wouter.hummel...@kpn.com
Telephone: +31 (0)6 1288 2447
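An added example, not IPA's code, for the inventory step before touching any host: parse the `ipa cert-find` listing shown above and report every serial that appears on more than one entry, together with the subjects involved (two entries sharing issuer and serial with different subjects is exactly what NSS rejects with SEC_ERROR_REUSED_ISSUER_AND_SERIAL). The sample output is constructed to mirror the anonymised listing; the banner lines around it are modelled on what cert-find prints and are an assumption.

```python
"""Find certificate serial numbers that `ipa cert-find` lists more than once.

Added example for the thread above, not IPA code.  It parses the
'  Key: value' record blocks cert-find prints and maps each repeated serial
to the subjects carrying it, cross-checking the hex and decimal serial
fields on the way."""
import re
from collections import defaultdict

# 'Key: value' with the key starting on a letter; banner lines ('---',
# '3 certificates matched', 'Number of entries returned 3') never match.
FIELD_RE = re.compile(r"^\s*([A-Za-z][^:]*?):\s*(.*?)\s*$")


def parse_cert_find(text):
    """Split cert-find output into one dict per certificate.  Records are
    separated by blank lines; a block without 'Serial number' is not a
    certificate and is dropped."""
    records, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if "Serial number" in current:
                records.append(current)
            current = {}
            continue
        m = FIELD_RE.match(line)
        if m:
            current[m.group(1)] = m.group(2)
    if "Serial number" in current:
        records.append(current)
    return records


def serial_of(record):
    """Return the serial as an int.  cert-find prints both the decimal and
    the hex form; when both are present they must agree."""
    dec = record.get("Serial number")
    hx = record.get("Serial number (hex)")
    value = int(dec) if dec is not None else int(hx, 16)
    if dec is not None and hx is not None and int(hx, 16) != value:
        raise ValueError("hex/decimal serial mismatch: %s vs %s" % (hx, dec))
    return value


def find_duplicate_serials(text):
    """Map serial -> sorted subjects for every serial seen on more than one
    entry.  Identical subjects listed twice still count: the serial is
    reused either way and each case needs a look."""
    by_serial = defaultdict(list)
    for rec in parse_cert_find(text):
        by_serial[serial_of(rec)].append(rec.get("Subject", "<no subject>"))
    return {s: sorted(subs) for s, subs in by_serial.items() if len(subs) > 1}


# Constructed cert-find output modelled on the anonymised listing above.
SAMPLE_CERT_FIND = """\
------------------------
3 certificates matched
------------------------
  Serial number (hex): 0xFFF0007
  Serial number: 268369927
  Status: VALID
  Subject: CN=app.example.org,O=EXAMPLE.ORG

  Serial number (hex): 0xFFF0007
  Serial number: 268369927
  Status: VALID
  Subject: CN=ipa.example.org,O=EXAMPLE.ORG

  Serial number (hex): 0xFFF0008
  Serial number: 268369928
  Status: VALID
  Subject: CN=db.example.org,O=EXAMPLE.ORG
----------------------------
Number of entries returned 3
----------------------------
"""

if __name__ == "__main__":
    # Real use: text = subprocess.check_output(["ipa", "cert-find"]).decode()
    for serial, subjects in sorted(find_duplicate_serials(SAMPLE_CERT_FIND).items()):
        print("serial 0x%X (%d) reused by: %s" % (serial, serial, ", ".join(subjects)))
```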


Re: [Freeipa-users] Help needed with keytabs

2016-05-06 Thread Petr Spacek
On 5.5.2016 18:39, Roderick Johnstone wrote:
> Hi
> 
> I need to run some ipa commands in cron jobs.
> 
> The post here:
> https://www.redhat.com/archives/freeipa-users/2014-March/msg00044.html
> suggests I need to use a keytab file to authenticate kerberos.
> 
> I've tried the prescription there, with variations, without success.
> 
> My current testing framework is to log into the ipa client (RHEL6.7,
> ipa-client-3.0.0-47.el6_7.1.x86_64) as a test user, get the keytab, destroy
> the current tickets, re-establish a tgt for the user with kinit using the
> keytab and try to run an ipa command. The ipa command fails (just like in my
> cron jobs which use the same kinit command).
> 
> 1) Log into ipa client as user test.
> 
> 2) Get the keytab
> $ /usr/sbin/ipa-getkeytab -s ipa.example.com -p t...@example.com -k
> /home/test/test.keytab -P
> New Principal Password:
> Verify Principal Password:
> Keytab successfully retrieved and stored in: /home/test/test.keytab
> 
> I seem to have to reset the password to what it was in this step, otherwise it
> gets set to something random and the user test cannot log into the ipa client
> any more.
> 
> 3) Log into the ipa client as user test. Then
> $ kdestroy
> $ klist
> klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_3395_PWO4wH)
> 
> 4) kinit from the keytab:
> $ kinit -F t...@example.com -k -t /home/test/test.keytab
> 
> 5) Check the tickets
> $ klist
> Ticket cache: FILE:/tmp/krb5cc_3395_PWO4wH
> Default principal: t...@example.com
> 
> Valid starting     Expires            Service principal
> 05/05/16 17:24:44  05/06/16 17:24:44  krbtgt/example@example.com
> 
> 6) Run an ipa command:
> $ ipa ping
> ipa: ERROR: cannot connect to Gettext('any of the configured servers',
> domain='ipa', localedir=None): https://ipa1.example.com/ipa/xml,
> https://ipa2.example.com/ipa/xml
> 
> Can someone advise what I'm doing wrong in this procedure please (some strings
> were changed to anonymize the setting)?

The Kerberos part seems okay, but for some reason the connection to the IPA
servers does not work.

I would try the following commands:
$ ipa --debug ping
$ curl 'https://ipa1.example.com/ipa/xml'

and see what these print out.

Petr^2 Spacek

> 
> For completeness of information, the ipa servers are RHEL 7.2,
> ipa-server-4.2.0-15.el7_2.6.1.x86_64.
> 
> Thanks
> 
> Roderick Johnstone



Re: [Freeipa-users] Advise for the best way to achieve AD Caching?

2016-05-06 Thread Petr Spacek
On 6.5.2016 02:03, David LeVene wrote:
> Hi Petr,
> 
> Thanks for the response.
> 
> I didn't know about Samba 4, so that's worth some further investigation on my 
> part - Thanks.
> 
> So from what you've said below it can't run as a standalone, but SSSD does 
> allow caching (if a user has authenticated previously). Does IPA have the 
> ability to cache credentials for ~1 hour, so if there is a short loss of 
> network connectivity users still get the OK from the cache?

SSSD's cache will help you only for local authentication on clients (using
password). It will not help for LDAP BIND or Kerberos authentication.

> I'm still having a look at SyncRepl from slapd for replication, but not sure 
> how this will work in the event that the Provider is uncontactable - as long 
> as it caches credentials/details for ~ 1 hour that's acceptable.

AFAIK SyncRepl is not supported on AD side.


Sorry, but if you are so reliant on AD technology then you probably need to
either pay for a new AD server or use Samba 4.

Petr^2 Spacek

> 
> Regards
> David
> 
> -Original Message-
> From: freeipa-users-boun...@redhat.com 
> [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Petr Spacek
> Sent: Thursday, May 05, 2016 18:17
> To: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] Advise for the best way to achieve AD Caching?
> 
> On 5.5.2016 06:28, David LeVene wrote:
>> Hey All,
>>
>> I'm looking for a bit of direction around the best way to
>> configure/setup an on-site cache &/or replica from an AD Server which
>> will be uni-directional (AD -> IPA/slapd)
>>
>> The masters are multiple AD servers located around the place, and we exist in 
>> a place which is outside of the core network and that network link is a 
>> single point of failure.
>>
>> What I want to achieve is in the event we lose connectivity with the world 
>> users can still authenticate, but if someone is disabled/updated at the top 
>> level it replicates down. I've got a test AD Server & have been reviewing 
>> IPA, but have hit an issue in that I can't get software installed on the AD 
>> Masters for the 389 dir sync software.
>>
>> Currently I've configured a synchronization based solution with one way 
>> replication from the AD Masters -> IPA. This works fine and I can see all 
>> the users being created in IPA - but as the passwords can't be synced 
>> without installing software I can't use this method.
> 
> All methods which can work completely off-line will require access to keys on 
> AD server. This means either some additional software on AD side OR having 
> proper AD server which is hosted locally. This could theoretically be Samba 4 
> AD server if you want to try that.
> 
> If your clients are sufficiently new you can try to use SSSD everywhere but 
> it comes with own limitations, e.g. users who never logged in before will not 
> be able to login when the network link is down.
> 
> I hope this helps.
> 
> Petr^2 Spacek
> 
> 
>> Another nice thing would be to have a separate domain/tree available so we 
>> can split up the staff that are from the master servers and some client 
>> related user/passes that won't be in the Global Directory - but managed from 
>> the same place.
>>
>> Are there any other setups that will achieve what I require? I have seen 
>> slapd with proxy cache but I'm not sure on this option either, and 
>> configuring slapd with all the ldif files manually seems a little daunting 
>> at first sight.
>>
>> Thanks in advance,
>> David
> 
> 


-- 
Petr^2 Spacek



Re: [Freeipa-users] Looking for documentation for Python API

2016-05-06 Thread Martin Basti



On 05.05.2016 23:41, Joshua J. Kugler wrote:

[This didn't show up in the archives or list after 12 hours, so resending.
Sorry if it's a dupe.]

I've been googling and looking through the documentation, but I have yet to
find official docs for the Python API for FreeIPA.

The first result for 'python' when doing a search on www.freeipa.org is
http://www.freeipa.org/page/Python_Coding_Style On that page, there is a link
to "freeIPA Python API documentation" which goes to

https://www.freeipa.org/page/Documentation#Developer_Documentation

That page, however, doesn't have one mention of Python, and only one mention
of "API" and that is "How to migrate your code to the new LDAP API" which
doesn't seem to be related.  I did manage to find
https://github.com/encukou/freeipa/tree/master/doc/examples which has a couple
(very convoluted) examples, but seems far from complete.

There is a freeipa-python RPM, but *WHERE* is the documentation for the Python
API. Or should I just shell-out to the 'ipa' command from all my python
scripts? :)

I found 
https://vda.li/en/posts/2015/05/28/talking-to-freeipa-api-with-sessions/ and 
https://git.fedorahosted.org/cgit/freeipa.git/tree/API.txt so
I'm sure I could work up something with python and requests, but I'd prefer to
use the official API if I could. :)

Any assistance would be great!

j



Hello,

Since IPA 4.2 the web UI contains an API browser (IPA Server/API Browser).

So for example for caacl-add: 
api.Command.caacl_add(u'argument-ca-acl-name', description=u"optional 
description")


You can try commands in "ipa console"; it contains an initialized API, just 
call api.Command.()


API.txt provides the same information as the API browser, but the browser looks 
better :)


Feel free to ask anything; if you identified gaps in the docs which are hard 
to understand for a non-IPA developer, feel free to report it, or feel free to 
create a howTo on the freeipa.org page.


Martin
