[Freeipa-users] ipa automount bug?

2016-10-26 Thread William Muriithi
Evening,

I am trying to import some autofs maps from a file into FreeIPA LDAP and
have noticed two problems that can be considered bugs, in my humble
opinion.  This is on:

ipa-server-4.2.0-15.0.1.el7

1.  This is either a documentation bug that suggests one can specify a
parent map while that's actually not the case, or the ipa I am running has a
bug and can't handle a parent map. Below is what I get when I try to
specify a parent map:

[root@hydrogen ~]# ipa automountmap-add-indirect default
auto.projects-prs1013 –-mount=/projects/prs1013
--parentmap=auto.projects

ipa: ERROR: command 'automountmap_add_indirect' takes at most 2 arguments

I got the idea that this is possible from the documentation below:

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/configuring-maps.html

According to the document, I should be able to specify an automount map
parent.  However, it doesn't look like that's actually supported.



2. How would one import existing maps into the ipa auto.home map?  Import
seems to be only capable of importing to auto.master, which makes its
utility doubtful.

[root@hydrogen ~]# ipa automountlocation-import  default
/tmp/2016-10-26/auto.home

Imported maps:
Imported keys:

Added adam to auto.master
..

I think we should have a flag that allows importing keys into maps
other than auto.master.

Regards,
William

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

[Freeipa-users] dns_tkey_negotiategss: failure GSSAPI error [...] Message stream modified.

2016-10-26 Thread Tyrell Jentink
Hello all,

I'm still having problems with my IPA Client install...  My errors aren't
bringing up any meaningful results on Google, so I really appreciate any
hints anyone might have!

To narrow the scope of the problem, I simply rebuilt both the server and
the client from scratch... This time without Active Directory Realm trusts,
so things are nice and clean. To wit, I have been using
http://www.freeipa.org/page/Active_Directory_trust_setup and
https://blog.christophersmart.com/articles/freeipa-how-to-fedora/ as
references, and I have run the following:

ON THE SERVER:

   - dnf -y update && dnf install -y "*ipa-server" "*ipa-server-trust-ad"
   "*ipa-server-dns" bind bind-dyndb-ldap
   - echo "ipa_ip_address ipa_hostname.ipa_domain ipa_hostname" >>
   /etc/hosts
   (I also added the AD server to my hosts file, although that shouldn't be
   messing with anything...)
   - hostname ipa_hostname.ipa_domain
   - hostnamectl set-hostname ipa_hostname.ipa_domain
   - reboot (And took a snapshot of the VM)
   - for x in freeipa-ldap freeipa-ldaps dns ntp; do firewall-cmd
   --permanent --zone=FedoraServer --add-service=${x} ; done
   - systemctl reload firewalld.service
   - ipa-server-install --setup-dns --no-forwarders
   (I had no errors there...  But I can share my logs if anyone wants to
   see them)
   - And I rebooted again, took another snapshot, and verified the
   following:
  - kinit admin
  id admin
  getent passwd admin
  All return appropriate values on the server...
  - nslookup ipa_hostname.ipa_domain works on both the server and on
  the client...

So, ON TO THE CLIENT:

   - echo "ipa_ip_address ipa_hostname.ipa_domain ipa_hostname" >>
   /etc/hosts
   - echo "nameserver ipa_ip_address" >> /etc/resolv.conf
   - (OF course, I verified that the client can ping the server, and
   nslookup against the server)
   - ipa-client-install --enable-dns-updates --ssh-trust-dns --force-ntpd
   And this is where I ran into problems... My output:

Discovery was successful!
> Client hostname: trainmaster.ipa.rxrhouse.net
> Realm: IPA.RXRHOUSE.NET 
> DNS Domain: ipa.rxrhouse.net
> IPA Server: ipa-pdc.ipa.rxrhouse.net
> BaseDN: dc=ipa,dc=rxrhouse,dc=net
> Continue to configure the system with these values? [no]: yes
> Synchronizing time with KDC...
> Attempting to sync time using ntpd.  Will timeout after 15 seconds
> Attempting to sync time using ntpd.  Will timeout after 15 seconds
> Unable to sync time with NTP server, assuming the time is in sync. Please
> check that 123 UDP port is opened.
> User authorized to enroll computers: admin
> Password for ad...@ipa.rxrhouse.net:
> Successfully retrieved CA cert
> Subject: CN=Certificate Authority,O=IPA.RXRHOUSE.NET
> 
> Issuer:  CN=Certificate Authority,O=IPA.RXRHOUSE.NET
> 
> Valid From:  Thu Sep 08 17:27:47 2016 UTC
> Valid Until: Mon Sep 08 17:27:47 2036 UTC
> Enrolled in IPA realm IPA.RXRHOUSE.NET 
> Created /etc/ipa/default.conf
> New SSSD config will be created
> Configured sudoers in /etc/nsswitch.conf
> Configured /etc/sssd/sssd.conf
> Configured /etc/krb5.conf for IPA realm IPA.RXRHOUSE.NET
> 
> trying https://ipa-pdc.ipa.rxrhouse.net/ipa/json
> Forwarding 'ping' to json server 'https://ipa-pdc.ipa.rxrhouse.net/ipa/json'
> Forwarding 'ca_is_enabled' to json server 'https://ipa-pdc.ipa.rxrhouse.net/ipa/json'
> Systemwide CA database updated.
> Failed to update DNS records.
> Missing reverse record(s) for address(es): 10.42.0.100.
> Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
> Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
> Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
> Forwarding 'host_mod' to json server 'https://ipa-pdc.ipa.rxrhouse.net/ipa/json'
> Could not update DNS SSHFP records.
> SSSD enabled
> Configured /etc/openldap/ldap.conf
> NTP enabled
> Configured /etc/ssh/ssh_config
> Configured /etc/ssh/sshd_config
> Configuring ipa.rxrhouse.net as NIS domain.
> Client configuration complete.



   - Of interest, I DID solve my NTP issues from before!  On the downside,
   that wasn't the source of my DNS issues...
   In /var/log/ipaclient-install, I still have the following clipping of
   errors, which I'm merely assuming are the relevant piece:

2016-10-26T23:30:40Z DEBUG Starting external process
2016-10-26T23:30:40Z DEBUG args=/sbin/ip -oneline address show dev enp1s6
2016-10-26T23:30:40Z DEBUG Process finished, return code=0
2016-10-26T23:30:40Z DEBUG stdout=2: enp1s6inet 10.42.0.100/8 brd 10.255.255.255 scope global dynamic enp1s6\   valid_lft 588384sec preferred_lft 588384sec
2: enp1s6inet6 fe80::e779:3263:960d:ff87/64 scope link \   valid_lft forever preferred_lft forever

2016-10-26T23:30:40Z DEBUG stderr=
2016-10-26T23:30:40Z DEBUG Writing nsupdate commands to

Re: [Freeipa-users] ipa-replica-prepare failing

2016-10-26 Thread Fraser Tweedale
On Wed, Oct 26, 2016 at 04:18:12PM -0700, Joshua Ruybal wrote:
> While trying to run IPA replica prepare with debug, we see an unexplained
> failure.
> 
> Debug seems to show the process running smoothly, then I see: "Certificate
> issuance failed".
> 
> Looking at previous mail-archives, I see that someone has run into this
> before, however all permissions on caIPAserviceCert.cfg are correct (the
> solution for him).
> 
> Is there any method to get more details on the failure from
> ipa-replica-prepare?
> 
> Thanks
> 
Need some more information to be able to render assistance :)

Do you have any logs pertaining to the failure?  Is certificate
issuance working e.g. via `ipa cert-request'?  Are all certificates
in your infrastructure currently valid?

Cheers,
Fraser



[Freeipa-users] ipa-replica-prepare failing

2016-10-26 Thread Joshua Ruybal
While trying to run IPA replica prepare with debug, we see an unexplained
failure.

Debug seems to show the process running smoothly, then I see: "Certificate
issuance failed".

Looking at previous mail-archives, I see that someone has run into this
before, however all permissions on caIPAserviceCert.cfg are correct (the
solution for him).

Is there any method to get more details on the failure from
ipa-replica-prepare?

Thanks


Re: [Freeipa-users] FreeIPA domains and sub-domains

2016-10-26 Thread Alexander Bokovoy

On ke, 26 loka 2016, Ranbir wrote:

Hi Everyone!

If I have two networks, say A and B, and I want both to use the same 
FreeIPA server, should I have one Freeipa domain for network A and a 
sub-domain for network B, (domain.local and b.domain.local), or should 
I create two top level domains (a.local and b.local)? What's the 
recommended way to do this?

Does not really matter if you are talking about DNS.

Read https://www.freeipa.org/page/Deployment_Recommendations for more
details on DNS recommendations.
--
/ Alexander Bokovoy



[Freeipa-users] FreeIPA domains and sub-domains

2016-10-26 Thread Ranbir

Hi Everyone!

If I have two networks, say A and B, and I want both to use the same 
FreeIPA server, should I have one Freeipa domain for network A and a 
sub-domain for network B, (domain.local and b.domain.local), or should I 
create two top level domains (a.local and b.local)? What's the 
recommended way to do this?



--
Ranbir



[Freeipa-users] rpm dependencies

2016-10-26 Thread lejeczek

hi all

quick question - do the IPA rpms depend on samba's?
I'm hoping I can remove samba-common but dnf fires a 46 
packages long list of dependencies - is it somehow broken?
If it is not and that is a 100% correct long chain of deps - then 
can samba be safely downgraded to 3.6.x? given that IPA 
does not integrate samba in my configuration.


many thanks
L.



Re: [Freeipa-users] ipa-replica-install fails because of IPv6?

2016-10-26 Thread Martin Basti



On 26.10.2016 17:25, Jochen Demmer wrote:



Am 26.10.2016 um 16:48 schrieb Martin Basti:




On 26.10.2016 16:42, Jochen Demmer wrote:



Am 26.10.2016 um 16:27 schrieb Martin Basti:




On 26.10.2016 16:10, Jochen Demmer wrote:

Hi,

my answers also inline.

Am 26.10.2016 um 15:38 schrieb Martin Basti:


Hi, comments inline


On 26.10.2016 14:28, Jochen Demmer wrote:

Hi,

I've been running and using a single FreeIPA server 
successfully, i.e.:

Fedora 24
freeipa-server-4.3.2-2.fc24.x86_64
This server is only available via IPv6, because I can't get 
public IPv4 addresses anymore.


Now I want to setup a FreeIPA replica at another site also 
running IPv6, Fedora 24 and freeipa-server-4.3.2-2.fc24.x86_64

First I run "ipa-client-install" which succeeds without an error.
When I invoke "ipa-replica-install" I get this error:
ipa : ERROR Could not resolve hostname 
*hostname.mydoma.in* using DNS. Clients may not function 
properly. Please check your DNS setup. (Note that this check 
queries IPA DNS directly and ignores /etc/hosts.)

LOG:
2016-10-26T12:14:39Z DEBUG Search DNS server 
*hostname.mydoma.in* (['2a01:f11:1:1::1', '2a01:f11:1:1::1', 
'2a01:f11:1:1::1']) for *hostname.mydoma.in*


Can you check with dig or host command if the hostname is really 
resolvable on that machine? Do you have a proper resolver in 
/etc/resolv.conf?
There is a resolver given in /etc/resolv.conf. When I do "host 
<>" I get the right IPv6 back.

That is weird because IPA is doing basically the same.





*hostname.mydoma.in* is actually the DNS entry for the old 
FreeIPA server, which actually resolves, but only to an IPv6 
address of course.

I can continue the installation though by entering "yes".

I then get asked:
Enter the IP address to use, or press Enter to finish.
Please provide the IP address to be used for this host name:

When I enter the IPv6 address of the new replica host it doesn't 
accept but infinitely asks this question instead.


Have you pressed enter twice? It should end the prompt and continue 
with the installation

Enter without an IP -> No usable IP address provided nor resolved.
Enter with an IP -> Error: Invalid IP Address 2a02:1:2:3::4 cannot 
use IP network address 2a02:1:2:3::4 


How have you configured the IP address on your interface? Does it 
have prefix /128?
Yes, that's right. It's an IP being assigned statefully by a DHCPv6 
server.
There is also another dynamic IP within the same prefix having /64. 
I don't want to use this one of course, because its IID changes.


Could you set (temporarily) the prefix for that address to /64 and re-run 
the installer? IPA 4.3 has a check that prevents you from using a /128 prefix
Well now I don't even get asked for the IP. The setup wizard 
continues, but I now get this error:


  [27/43]: restarting directory server
ipa : CRITICAL Failed to restart the directory server (Command 
'/bin/systemctl restart dirsrv@MY-REALM.service' returned non-zero 
exit status 1). See the installation log for details.

  [28/43]: setting up initial replication
  [error] error: [Errno 111] Connection refused

LOG:
2016-10-26T15:14:46Z DEBUG Process finished, return code=1
2016-10-26T15:14:46Z DEBUG stdout=
2016-10-26T15:14:46Z DEBUG stderr=Job for dirsrv@MY-REALM.service 
failed because the control process exited with error code. See 
"systemctl status dirsrv@MY-REALM.service" and "journalctl -xe" for 
details.
2016-10-26T15:14:46Z CRITICAL Failed to restart the directory server 
(Command '/bin/systemctl restart dirsrv@MY-REALM.service' returned 
non-zero exit status 1). See the installation log for details.

2016-10-26T15:14:46Z DEBUG   duration: 1 seconds
2016-10-26T15:14:46Z DEBUG   [28/43]: setting up initial replication
2016-10-26T15:14:56Z DEBUG Traceback (most recent call last):

When I try to restart manually with, "/bin/systemctl restart 
dirsrv@MY-REALM.service"

 this is what systemd logs:
https://paste.fedoraproject.org/461439/raw/




Could you please check /var/log/dirsrv/slapd-*/errors; there might be 
more details.


Did you reuse an old IPA server for this installation?

Martin










Honestly, I can't see what I might have done wrong.
The old FreeIPA hostname has forward and reverse records in sync.
The new FreeIPA host also has a hostname that resolves 
symmetrically, even though the hostname is using another second level 
domain.


Any hints?
Jochen Demmer




Martin

Jochen
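The address check behind the "cannot use IP network address" error discussed above, as an added illustration written for this page (not FreeIPA's own code, which uses netaddr): an address that equals the network address of its prefix is rejected, so a host whose only address carries a /128 prefix can never pass, while the same address with Martin's suggested /64 does. The interface table and the names infer_prefix, check_address and check_prompt_input are assumptions.

```python
"""Illustrative re-implementation of the replica installer's address check."""
import ipaddress
from typing import Dict, Tuple

# Constructed sample of the addresses on the replica's interface, keyed by
# address with its configured prefix length (hypothetical values, not from
# the thread; the /128 lease is the situation described above).
SAMPLE_INTERFACE_PREFIXES: Dict[str, int] = {
    "2a02:1:2:3::4": 128,                 # stateful DHCPv6 lease, /128
    "2a02:1:2:3:5c1e:77ff:fe4a:1": 64,    # dynamic address in the same /64
    "10.42.0.100": 8,
}


def infer_prefix(addr: str, interfaces: Dict[str, int]) -> int:
    """Prefix length the installer attaches to a bare address typed at the prompt.

    When the address is configured locally, the interface's prefix is used;
    otherwise the address is treated as a single host (/32 or /128).
    """
    if addr in interfaces:
        return interfaces[addr]
    return 32 if ipaddress.ip_address(addr).version == 4 else 128


def check_address(addr: str, prefix: int) -> Tuple[bool, str]:
    """Return (usable, reason) for addr/prefix.

    Rejects loopback and multicast addresses, the network address of the
    prefix and, for IPv4, its broadcast address.  With a /128 prefix the
    network address *is* the host address, which produces exactly the
    "cannot use IP network address" failure quoted in the thread.
    """
    iface = ipaddress.ip_interface(f"{addr}/{prefix}")
    ip, net = iface.ip, iface.network
    if ip.is_loopback:
        return False, f"cannot use loopback IP address {ip}"
    if ip.is_multicast:
        return False, f"cannot use multicast IP address {ip}"
    if ip == net.network_address:
        return False, f"cannot use IP network address {ip}"
    if ip.version == 4 and ip == net.broadcast_address:
        return False, f"cannot use broadcast IP address {ip}"
    return True, f"{iface} is usable"


def check_prompt_input(addr: str, interfaces: Dict[str, int]) -> Tuple[bool, str]:
    """What happens when only an address is typed at the installer prompt."""
    return check_address(addr, infer_prefix(addr, interfaces))


if __name__ == "__main__":
    # The failing case from the thread, then the suggested /64 workaround.
    print(check_prompt_input("2a02:1:2:3::4", SAMPLE_INTERFACE_PREFIXES))
    print(check_address("2a02:1:2:3::4", 64))
```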












Re: [Freeipa-users] ipa-replica-install fails because of IPv6?

2016-10-26 Thread Martin Basti



On 26.10.2016 16:42, Jochen Demmer wrote:



Am 26.10.2016 um 16:27 schrieb Martin Basti:




On 26.10.2016 16:10, Jochen Demmer wrote:

Hi,

my answers also inline.

Am 26.10.2016 um 15:38 schrieb Martin Basti:


Hi, comments inline


On 26.10.2016 14:28, Jochen Demmer wrote:

Hi,

I've been running and using a single FreeIPA server successfully, 
i.e.:

Fedora 24
freeipa-server-4.3.2-2.fc24.x86_64
This server is only available via IPv6, because I can't get public 
IPv4 addresses anymore.


Now I want to setup a FreeIPA replica at another site also running 
IPv6, Fedora 24 and freeipa-server-4.3.2-2.fc24.x86_64

First I run "ipa-client-install" which succeeds without an error.
When I invoke "ipa-replica-install" I get this error:
ipa : ERROR Could not resolve hostname 
*hostname.mydoma.in* using DNS. Clients may not function properly. 
Please check your DNS setup. (Note that this check queries IPA DNS 
directly and ignores /etc/hosts.)

LOG:
2016-10-26T12:14:39Z DEBUG Search DNS server *hostname.mydoma.in* 
(['2a01:f11:1:1::1', '2a01:f11:1:1::1', '2a01:f11:1:1::1']) for 
*hostname.mydoma.in*


Can you check with dig or host command if the hostname is really 
resolvable on that machine? Do you have a proper resolver in 
/etc/resolv.conf?
There is a resolver given in /etc/resolv.conf. When I do "host 
<>" I get the right IPv6 back.

That is weird because IPA is doing basically the same.





*hostname.mydoma.in* is actually the DNS entry for the old FreeIPA 
server, which actually resolves, but only to an IPv6 address of 
course.

I can continue the installation though by entering "yes".

I then get asked:
Enter the IP address to use, or press Enter to finish.
Please provide the IP address to be used for this host name:

When I enter the IPv6 address of the new replica host it doesn't 
accept but infinitely asks this question instead.


Have you pressed enter twice? It should end the prompt and continue 
with the installation

Enter without an IP -> No usable IP address provided nor resolved.
Enter with an IP -> Error: Invalid IP Address 2a02:1:2:3::4 cannot 
use IP network address 2a02:1:2:3::4 


How have you configured the IP address on your interface? Does it have 
prefix /128?
Yes, that's right. It's an IP being assigned statefully by a DHCPv6 
server.
There is also another dynamic IP within the same prefix having /64. I 
don't want to use this one of course, because its IID changes.


Could you set (temporarily) the prefix for that address to /64 and re-run 
the installer? IPA 4.3 has a check that prevents you from using a /128 prefix









Honestly, I can't see what I might have done wrong.
The old FreeIPA hostname has forward and reverse records in sync.
The new FreeIPA host also has a hostname that resolves symmetrically, 
even though the hostname is using another second level domain.


Any hints?
Jochen Demmer




Martin

Jochen








Re: [Freeipa-users] ipa-replica-install fails because of IPv6?

2016-10-26 Thread Jochen Demmer


Am 26.10.2016 um 16:27 schrieb Martin Basti:
>
>
>
> On 26.10.2016 16:10, Jochen Demmer wrote:
>> Hi,
>>
>> my answers also inline.
>>
>> Am 26.10.2016 um 15:38 schrieb Martin Basti:
>>>
>>> Hi, comments inline
>>>
>>>
>>> On 26.10.2016 14:28, Jochen Demmer wrote:
 Hi,

 I've been running and using a single FreeIPA server successfully, i.e.:
 Fedora 24
 freeipa-server-4.3.2-2.fc24.x86_64
 This server is only available via IPv6, because I can't get public
 IPv4 addresses anymore.

 Now I want to setup a FreeIPA replica at another site also running
 IPv6, Fedora 24 and freeipa-server-4.3.2-2.fc24.x86_64
 First I run "ipa-client-install" which succeeds without an error.
 When I invoke "ipa-replica-install" I get this error:
 ipa : ERROR Could not resolve hostname
 *hostname.mydoma.in* using DNS. Clients may not function properly.
 Please check your DNS setup. (Note that this check queries IPA DNS
 directly and ignores /etc/hosts.)
 LOG:
 2016-10-26T12:14:39Z DEBUG Search DNS server *hostname.mydoma.in*
 (['2a01:f11:1:1::1', '2a01:f11:1:1::1', '2a01:f11:1:1::1']) for
 *hostname.mydoma.in*
>>>
>>> Can you check with dig or host command if the hostname is really
>>> resolvable on that machine? Do you have a proper resolver in
>>> /etc/resolv.conf?
>> There is a resolver given in /etc/resolv.conf. When I do "host
>> <>" I get the right IPv6 back.
> That is weird because IPA is doing basically the same.
>
>>>

 *hostname.mydoma.in* is actually the DNS entry for the old FreeIPA
 server, which actually resolves, but only to an IPv6 address of course.
 I can continue the installation though by entering "yes".

 I then get asked:
 Enter the IP address to use, or press Enter to finish.
 Please provide the IP address to be used for this host name:

 When I enter the IPv6 address of the new replica host it doesn't
 accept but infinitely asks this question instead.
>>>
>>> Have you pressed enter twice? It should end the prompt and continue with
>>> the installation
>> Enter without an IP -> No usable IP address provided nor resolved.
>> Enter with an IP -> Error: Invalid IP Address 2a02:1:2:3::4 cannot
>> use IP network address 2a02:1:2:3::4 
>
> How have you configured the IP address on your interface? Does it have
> prefix /128?
Yes, that's right. It's an IP being assigned statefully by a DHCPv6 server.
There is also another dynamic IP within the same prefix having /64. I
don't want to use this one of course, because its IID changes.

>
>>>

 Honestly, I can't see what I might have done wrong.
 The old FreeIPA hostname has forward and reverse records in sync.
 The new FreeIPA host also has a hostname that resolves symmetrically,
 even though the hostname is using another second level domain.

 Any hints?
 Jochen Demmer


>>>
>>> Martin
>> Jochen
>>
>




Re: [Freeipa-users] container for custom objects

2016-10-26 Thread Rob Crittenden

Michael Ströder wrote:

Hi!

I'd like to add some custom entries (custom STRUCTURAL object class) to the FreeIPA
tree in 389-DS. But I'd like to make sure that there won't be any issues when
upgrading the system later on.

So where to add a container for those custom objects?
At top-level domain entry?


Yeah, something off dc=example,dc=com is probably the "safest" place. No 
guarantees can be made. It might make sense to file an RFE for IPA to 
create a container to put custom containers into.




BTW: Is there documentation describing the DIT in detail?


This is about all there is AFAIK, 
http://www.freeipa.org/page/FreeIPAv1:UsingRhdsWithIpa


rob



Re: [Freeipa-users] ipa-replica-install fails because of IPv6?

2016-10-26 Thread Martin Basti



On 26.10.2016 16:10, Jochen Demmer wrote:

Hi,

my answers also inline.

Am 26.10.2016 um 15:38 schrieb Martin Basti:


Hi, comments inline


On 26.10.2016 14:28, Jochen Demmer wrote:

Hi,

I've been running and using a single FreeIPA server successfully, i.e.:
Fedora 24
freeipa-server-4.3.2-2.fc24.x86_64
This server is only available via IPv6, because I can't get public 
IPv4 addresses anymore.


Now I want to setup a FreeIPA replica at another site also running 
IPv6, Fedora 24 and freeipa-server-4.3.2-2.fc24.x86_64

First I run "ipa-client-install" which succeeds without an error.
When I invoke "ipa-replica-install" I get this error:
ipa : ERROR Could not resolve hostname 
*hostname.mydoma.in* using DNS. Clients may not function properly. 
Please check your DNS setup. (Note that this check queries IPA DNS 
directly and ignores /etc/hosts.)

LOG:
2016-10-26T12:14:39Z DEBUG Search DNS server *hostname.mydoma.in* 
(['2a01:f11:1:1::1', '2a01:f11:1:1::1', '2a01:f11:1:1::1']) for 
*hostname.mydoma.in*


Can you check with dig or host command if the hostname is really 
resolvable on that machine? Do you have a proper resolver in 
/etc/resolv.conf?
There is a resolver given in /etc/resolv.conf. When I do "host 
<>" I get the right IPv6 back.

That is weird because IPA is doing basically the same.





*hostname.mydoma.in* is actually the DNS entry for the old FreeIPA 
server, which actually resolves, but only to an IPv6 address of course.

I can continue the installation though by entering "yes".

I then get asked:
Enter the IP address to use, or press Enter to finish.
Please provide the IP address to be used for this host name:

When I enter the IPv6 address of the new replica host it doesn't 
accept but infinitely asks this question instead.


Have you pressed enter twice? It should end the prompt and continue with 
the installation

Enter without an IP -> No usable IP address provided nor resolved.
Enter with an IP -> Error: Invalid IP Address 2a02:1:2:3::4 cannot use 
IP network address 2a02:1:2:3::4 


How have you configured the IP address on your interface? Does it have 
prefix /128?






Honestly, I can't see what I might have done wrong.
The old FreeIPA hostname has forward and reverse records in sync.
The new FreeIPA host also has a hostname that resolves symmetrically, 
even though the hostname is using another second level domain.


Any hints?
Jochen Demmer




Martin

Jochen




[Freeipa-users] container for custom objects

2016-10-26 Thread Michael Ströder
Hi!

I'd like to add some custom entries (custom STRUCTURAL object class) to the FreeIPA
tree in 389-DS. But I'd like to make sure that there won't be any issues when
upgrading the system later on.

So where to add a container for those custom objects?
At top-level domain entry?

BTW: Is there documentation describing the DIT in detail?

Ciao, Michael.




Re: [Freeipa-users] ipa-replica-install fails because of IPv6?

2016-10-26 Thread Jochen Demmer
Hi,

my answers also inline.

Am 26.10.2016 um 15:38 schrieb Martin Basti:
>
> Hi, comments inline
>
>
> On 26.10.2016 14:28, Jochen Demmer wrote:
>> Hi,
>>
>> I've been running and using a single FreeIPA server successfully, i.e.:
>> Fedora 24
>> freeipa-server-4.3.2-2.fc24.x86_64
>> This server is only available via IPv6, because I can't get public
>> IPv4 addresses anymore.
>>
>> Now I want to setup a FreeIPA replica at another site also running
>> IPv6, Fedora 24 and freeipa-server-4.3.2-2.fc24.x86_64
>> First I run "ipa-client-install" which succeeds without an error.
>> When I invoke "ipa-replica-install" I get this error:
>> ipa : ERROR Could not resolve hostname
>> *hostname.mydoma.in* using DNS. Clients may not function properly.
>> Please check your DNS setup. (Note that this check queries IPA DNS
>> directly and ignores /etc/hosts.)
>> LOG:
>> 2016-10-26T12:14:39Z DEBUG Search DNS server *hostname.mydoma.in*
>> (['2a01:f11:1:1::1', '2a01:f11:1:1::1', '2a01:f11:1:1::1']) for
>> *hostname.mydoma.in*
>
> Can you check with dig or host command if the hostname is really
> resolvable on that machine? Do you have a proper resolver in
> /etc/resolv.conf?
There is a resolver given in /etc/resolv.conf. When I do "host
<>" I get the right IPv6 back.
>
>>
>> *hostname.mydoma.in* is actually the DNS entry for the old FreeIPA
>> server, which actually resolves, but only to an IPv6 address of course.
>> I can continue the installation though by entering "yes".
>>
>> I then get asked:
>> Enter the IP address to use, or press Enter to finish.
>> Please provide the IP address to be used for this host name:
>>
>> When I enter the IPv6 address of the new replica host it doesn't
>> accept but infinitely asks this question instead.
>
> Have you pressed enter twice? It should end the prompt and continue with
> the installation
Enter without an IP -> No usable IP address provided nor resolved.
Enter with an IP -> Error: Invalid IP Address 2a02:1:2:3::4 cannot use
IP network address 2a02:1:2:3::4
>
>>
>> Honestly, I can't see what I might have done wrong.
>> The old FreeIPA hostname has forward and reverse records in sync.
>> The new FreeIPA host also has a hostname that resolves symmetrically,
>> even though the hostname is using another second level domain.
>>
>> Any hints?
>> Jochen Demmer
>>
>>
>
> Martin
Jochen




Re: [Freeipa-users] ipa-replica-install fails because of IPv6?

2016-10-26 Thread Martin Basti

Hi, comments inline


On 26.10.2016 14:28, Jochen Demmer wrote:

Hi,

I've been running and using a single FreeIPA server successfully, i.e.:
Fedora 24
freeipa-server-4.3.2-2.fc24.x86_64
This server is only available via IPv6, because I can't get public 
IPv4 addresses anymore.


Now I want to setup a FreeIPA replica at another site also running 
IPv6, Fedora 24 and freeipa-server-4.3.2-2.fc24.x86_64

First I run "ipa-client-install" which succeeds without an error.
When I invoke "ipa-replica-install" I get this error:
ipa : ERROR Could not resolve hostname *hostname.mydoma.in* 
using DNS. Clients may not function properly. Please check your DNS 
setup. (Note that this check queries IPA DNS directly and ignores 
/etc/hosts.)

LOG:
2016-10-26T12:14:39Z DEBUG Search DNS server *hostname.mydoma.in* 
(['2a01:f11:1:1::1', '2a01:f11:1:1::1', '2a01:f11:1:1::1']) for 
*hostname.mydoma.in*


Can you check with dig or host command if the hostname is really 
resolvable on that machine? Do you have a proper resolver in /etc/resolv.conf?




*hostname.mydoma.in* is actually the DNS entry for the old FreeIPA 
server, which actually resolves, but only to an IPv6 address of course.

I can continue the installation though by entering "yes".

I then get asked:
Enter the IP address to use, or press Enter to finish.
Please provide the IP address to be used for this host name:

When I enter the IPv6 address of the new replica host it doesn't 
accept but infinitely asks this question instead.


Have you pressed enter twice? It should end the prompt and continue with 
the installation




Honestly, I can't see what I might have done wrong.
The old FreeIPA hostname has forward and reverse records in sync.
The new FreeIPA host also has a hostname that resolves symmetrically, 
even though the hostname is using another second level domain.


Any hints?
Jochen Demmer




Martin

[Freeipa-users] ipa-replica-install fails because of IPv6?

2016-10-26 Thread Jochen Demmer
Hi,

I've been running and using a single FreeIPA server successfully, i.e.:
Fedora 24
freeipa-server-4.3.2-2.fc24.x86_64
This server is only available via IPv6, because I can't get public IPv4
addresses anymore.

Now I want to setup a FreeIPA replica at another site also running IPv6,
Fedora 24 and freeipa-server-4.3.2-2.fc24.x86_64
First I run "ipa-client-install" which succeeds without an error.
When I invoke "ipa-replica-install" I get this error:
ipa : ERROR Could not resolve hostname *hostname.mydoma.in*
using DNS. Clients may not function properly. Please check your DNS
setup. (Note that this check queries IPA DNS directly and ignores
/etc/hosts.)
LOG:
2016-10-26T12:14:39Z DEBUG Search DNS server *hostname.mydoma.in*
(['2a01:f11:1:1::1', '2a01:f11:1:1::1', '2a01:f11:1:1::1']) for
*hostname.mydoma.in*

*hostname.mydoma.in* is actually the DNS entry for the old FreeIPA
server, which actually resolves, but only to an IPv6 address of course.
I can continue the installation though by entering "yes".

I then get asked:
Enter the IP address to use, or press Enter to finish.
Please provide the IP address to be used for this host name:

When I enter the IPv6 address of the new replica host it doesn't accept
but infinitely asks this question instead.

Honestly, I can't see what I might have done wrong.
The old FreeIPA hostname has forward and reverse records in sync.
The new FreeIPA host also has a hostname that resolves symmetrically, even
though the hostname is using another second level domain.

Any hints?
Jochen Demmer



Re: [Freeipa-users] ipa-cacert-manage install failing with subject public key info mismatch

2016-10-26 Thread David Dejaeghere
Does anybody have a clue on how to continue with this?

Kind Regards,

David

2016-10-24 10:10 GMT+02:00 David Dejaeghere :

> These are both the subjects for the old and new root ca cert.
>
> Subject: "CN=tokio-PAPRIKA-CA,DC=tokio,DC=local"
> Subject Public Key Info:
> Public Key Algorithm: PKCS #1 RSA Encryption
> RSA Public Key:
> Modulus:
> Exponent: 65537 (0x10001)
>
> Subject: DC=local, DC=tokio, CN=tokio-PAPRIKA-CA
> Subject Public Key Info:
> Public Key Algorithm: rsaEncryption
> Public-Key: (2048 bit)
> Modulus:
> Exponent: 65537 (0x10001)
>
> 2016-10-24 5:49 GMT+02:00 Fil Di Noto :
>
>> Hi,
>>
>> Can you give an example of what's different between the two subjects?
>>
>> On Sun, Oct 23, 2016 at 9:03 AM, David Dejaeghere <
>> david.dejaegh...@gmail.com> wrote:
>>
>>> Does somebody have an idea how to replace our certificates when the new
>>> ROOT ca certificate has a different subject?
>>> The UI is down because of this.
>>>
>>> 2016-10-19 11:42 GMT+02:00 David Dejaeghere 
>>> :
>>>
 Hello,

 When installing FreeIPA we used the CA from our Windows servers.
 This one recently expired and we created a new one.  It seems that the
 new root CA has another subject name and this seems to be an issue when we
 want to install new certs on our FreeIPA hosts.

 ipa-cacert-manage install certnew.pem -n mycert -t C,,

 Installing CA certificate, please wait
 Failed to install the certificate: subject public key info mismatch

 After validating the subjects are indeed different.

 How can we replace the required certs for dirsrv and http when the ca
 is not installable?

 Kind Regards,

 David



>>>
>>>
>>
>>
>
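The two subjects quoted above are printed by different tools in different orders: NSS's certutil prints RFC 4514 order, most specific RDN first, while openssl x509 -text prints root first with ", " separators. The following added example (written for this page, not FreeIPA's code; parse_dn, same_dn and the escaped-comma handling are assumptions) parses both renderings and compares them as RDN sequences, which is the check to run before concluding that two CA certificates carry different subject names.

```python
"""Compare two subject DN strings that were printed by different tools."""
import re
from typing import List, Tuple

RDN = Tuple[str, str]

# The two subject strings as quoted in the thread, one per tool.
NSS_SUBJECT = '"CN=tokio-PAPRIKA-CA,DC=tokio,DC=local"'      # certutil output
OPENSSL_SUBJECT = "DC=local, DC=tokio, CN=tokio-PAPRIKA-CA"  # openssl x509 -text


def parse_dn(text: str, root_first: bool = False) -> List[RDN]:
    """Split a DN string into (attribute type, value) pairs in RFC 4514 order.

    Accepts "," and ", " separators and backslash-escaped commas in values,
    which covers typical CA subjects.  Multi-valued RDNs ("CN=a+OU=b") and
    hex-encoded values are not modelled.  Pass root_first=True for
    OpenSSL-style output so the sequence is reversed into RFC 4514 order.
    """
    parts = re.split(r"(?<!\\),\s*", text.strip().strip('"'))
    rdns: List[RDN] = []
    for part in parts:
        if "=" not in part:
            raise ValueError(f"malformed RDN: {part!r}")
        attr, value = part.split("=", 1)
        rdns.append((attr.strip().upper(), value.strip().replace("\\,", ",")))
    return list(reversed(rdns)) if root_first else rdns


def _normalise(value: str) -> str:
    # CN and DC use case-insensitive matching rules that ignore
    # insignificant whitespace, so compare case-folded, space-collapsed values.
    return " ".join(value.split()).casefold()


def same_dn(a: str, b: str, a_root_first: bool = False,
            b_root_first: bool = False) -> bool:
    """True when both strings name the same DN after normalisation."""
    left = [(t, _normalise(v)) for t, v in parse_dn(a, a_root_first)]
    right = [(t, _normalise(v)) for t, v in parse_dn(b, b_root_first)]
    return left == right


if __name__ == "__main__":
    print(parse_dn(NSS_SUBJECT))
    print(parse_dn(OPENSSL_SUBJECT, root_first=True))
    print("same subject:", same_dn(NSS_SUBJECT, OPENSSL_SUBJECT, b_root_first=True))
```

For the two strings quoted in the thread the comparison reports the same DN, so what differs between the old and the new CA certificate is the key material under an identical subject name.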