Re: [Freeipa-users] Naming a FreeIPA domain and router differences

2016-12-09 Thread Petr Spacek
On 8.12.2016 22:40, Harry Kashouli wrote: > Ah, I think I totally misread the DNS page, the first time... > https://www.freeipa.org/page/DNS > > > Looks like I should put the router on int.custom.com as a domain, and I can > create the freeipa domain as domain.custom.com It depends on you how yo

Re: [Freeipa-users] Kerberos realm for different domain

2016-12-11 Thread Petr Spacek
On 10.12.2016 19:20, Alexander Bokovoy wrote: > On la, 10 joulu 2016, William Muriithi wrote: >> Stephen >>> >>> Can you have a domain that belongs to a Kerberos realm with a completely >>> different domain? For example, could example.com belong to the >>> ANOTHERDOMAIN.COM realm as long as we cont

Re: [Freeipa-users] ipa-dnskeysyncd not starting

2016-12-19 Thread Petr Spacek
On 19.12.2016 14:07, Rob Verduijn wrote: > Hello, > > I'm running ipa on centos 7.3 with the latest patches applied. > > It seem to run fine however the ipa-dnskeysyncd keeps failing to start and > I keep seeing this message in my logs: > > ipa-dnskeysyncd[25663]: ipa : INFO LDAP bin

Re: [Freeipa-users] Kerberos realm for different domain

2016-12-19 Thread Petr Spacek
On 15.12.2016 23:59, Brian Candler wrote: >> On Sun, Dec 11, 2016 at 11:31 PM, David Kupka > > wrote: >> >> >> yes you can do it. DNS domain and Kerberos realm are two different >> things. It's common and AFAIK recommended to capitalize DNS domain >> to get the

Re: [Freeipa-users] Still unclear about relation between IPA DNS domain and company DNS domain.

2016-12-20 Thread Petr Spacek
On 8.12.2016 10:12, Pieter Nagel wrote: > On Thu, Dec 8, 2016 at 10:59 AM, Alexander Bokovoy > wrote: > >> It is really simple: your DNS domain named as your Kerberos realm must >> be under your control, one way or another, to allow automatic discovery >> of resources to work. >> > > Thanks, thi

Re: [Freeipa-users] ipa-dnskeysyncd ipa : ERROR Login to LDAP server failed: {'desc': 'Invalid credentials'}

2016-12-20 Thread Petr Spacek
On 20.12.2016 12:41, Brian J. Murrell wrote: > On Tue, 2016-12-20 at 11:55 +0100, Martin Basti wrote: >> >> So there are actually no issues with credentials, it needs more >> debugging, in past we have similar case but we haven't found the >> root >> cause why it doesn't have the right credential

Re: [Freeipa-users] ipa-dnskeysyncd ipa : ERROR Login to LDAP server failed: {'desc': 'Invalid credentials'}

2016-12-21 Thread Petr Spacek
On 21.12.2016 13:05, Brian J. Murrell wrote: > On Wed, 2016-12-21 at 08:24 +0100, Petr Spacek wrote: >> >> You can try to add line >> KRB5_TRACE=/dev/stdout >> to >> /etc/sysconfig/ipa-dnskeysyncd > > [27472] 1482320667.240500: Retrieving > ipa-dnske

Re: [Freeipa-users] ipa-dnskeysyncd ipa : ERROR Login to LDAP server failed: {'desc': 'Invalid credentials'}

2016-12-21 Thread Petr Spacek
Okay, I believe that this is the problem: On 21.12.2016 15:53, Brian J. Murrell wrote: > [21/Dec/2016:09:39:12.003351818 -0500] conn=77028 fd=107 slot=107 connection > from local to /var/run/slapd-EXAMPLE.COM.socket ... > [21/Dec/2016:09:39:12.064476101 -0500] conn=77028 op=0 BIND dn="" method=sa
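An added example, not code from the thread or from FreeIPA: a small Python script that pairs each BIND in a 389 Directory Server access log with the RESULT line carrying the same conn= and op=, so a failed SASL/GSSAPI bind like the one quoted above stands out from the normal two-step GSSAPI exchange (err=14, then err=0). The log lines are constructed for the example; the first two follow the shape of the lines quoted in the message, the rest and the service DN are assumptions.

```python
"""Correlate BIND and RESULT lines in a 389 Directory Server access log.

Added example (not FreeIPA code). The log below is constructed: the first
two lines mirror the shape of those quoted in the message above; the
remaining lines and the service DN are assumed for illustration only."""
import re

SAMPLE_ACCESS_LOG = """\
[21/Dec/2016:09:39:12.003351818 -0500] conn=77028 fd=107 slot=107 connection from local to /var/run/slapd-EXAMPLE.COM.socket
[21/Dec/2016:09:39:12.064476101 -0500] conn=77028 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[21/Dec/2016:09:39:12.081200000 -0500] conn=77028 op=0 RESULT err=49 tag=97 nentries=0 etime=0
[21/Dec/2016:09:39:12.090000000 -0500] conn=77028 op=1 UNBIND
[21/Dec/2016:09:39:13.000000000 -0500] conn=77029 fd=108 slot=108 connection from local to /var/run/slapd-EXAMPLE.COM.socket
[21/Dec/2016:09:39:13.010000000 -0500] conn=77029 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[21/Dec/2016:09:39:13.015000000 -0500] conn=77029 op=0 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[21/Dec/2016:09:39:13.020000000 -0500] conn=77029 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
[21/Dec/2016:09:39:13.030000000 -0500] conn=77029 op=1 RESULT err=0 tag=97 nentries=0 etime=0 dn="krbprincipalname=ipa-dnskeysyncd/ipa.example.com@EXAMPLE.COM,cn=services,cn=accounts,dc=example,dc=com"
"""

# LDAP resultCode values (RFC 4511) worth naming when reading a bind failure.
RESULT_CODES = {
    0: "success",
    14: "saslBindInProgress",
    48: "inappropriateAuthentication",
    49: "invalidCredentials",
    50: "insufficientAccessRights",
}

# Access log line: [timestamp] conn=N [op=N] <operation or result text>
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) (?:op=(?P<op>-?\d+) )?(?P<rest>.*)$")
CONN_RE = re.compile(r"^fd=\d+ slot=\d+ connection from (?P<source>.+)$")
BIND_RE = re.compile(r'^BIND dn="(?P<dn>[^"]*)" method=(?P<method>\S+)(?: version=\d+)?(?: mech=(?P<mech>\S+))?')
RESULT_RE = re.compile(r"^RESULT err=(?P<err>\d+)")


def find_failed_binds(lines):
    """Return one dict per BIND whose RESULT on the same conn/op is a real
    failure: neither success (err=0) nor the SASL continuation (err=14)."""
    sources = {}   # conn -> where the connection came from
    pending = {}   # (conn, op) -> BIND waiting for its RESULT
    failures = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        conn, op, rest = m["conn"], m["op"], m["rest"]
        if op is None:                      # connection open/close bookkeeping
            c = CONN_RE.match(rest)
            if c:
                sources[conn] = c["source"]
            continue
        b = BIND_RE.match(rest)
        if b:
            pending[(conn, op)] = {
                "ts": m["ts"], "conn": conn, "op": int(op), "dn": b["dn"],
                "method": b["method"], "mech": b["mech"],
                "source": sources.get(conn),
            }
            continue
        r = RESULT_RE.match(rest)
        if r and (conn, op) in pending:
            bind = pending.pop((conn, op))
            err = int(r["err"])
            if err not in (0, 14):
                bind["err"] = err
                bind["reason"] = RESULT_CODES.get(err, "unknown")
                failures.append(bind)
    return failures


if __name__ == "__main__":
    for f in find_failed_binds(SAMPLE_ACCESS_LOG.splitlines()):
        print(f"{f['ts']} conn={f['conn']} op={f['op']} {f['method']}/{f['mech']} "
              f"from {f['source']}: err={f['err']} ({f['reason']})")
```

Run it against the real log with `python3 script.py < /var/log/dirsrv/slapd-EXAMPLE-COM/access` after swapping the constructed sample for `sys.stdin`; a conn that binds with `method=sasl mech=GSSAPI` and gets err=49 straight away, without the err=14 continuation, is the pattern to chase on the Kerberos side (for example with the KRB5_TRACE setting mentioned earlier in this thread).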

Re: [Freeipa-users] ipa-dnskeysyncd ipa : ERROR Login to LDAP server failed: {'desc': 'Invalid credentials'}

2016-12-21 Thread Petr Spacek
On 21.12.2016 21:36, Brian J. Murrell wrote: > Some additional information. I can't seem to use the CLI either. > Perhaps that is expected: > > # kinit admin > Password for ad...@example.com: > > # klist > Ticket cache: KEYRING:persistent:0:krb_ccache_3jm4X9m > Default principal: ad...@example.

Re: [Freeipa-users] Partial Domain Authority

2014-04-09 Thread Petr Spacek
On 9.4.2014 00:06, Simo Sorce wrote: On Tue, 2014-04-08 at 16:42 -0500, Justin Brown wrote: I'm sure that I'm doing this very wrong, but I'm wondering if anyone can offer any solutions. I currently have a relatively small domain that's used internally. Let's say fandingo.org. This domain covers

Re: [Freeipa-users] SAML 2.0 support

2014-04-09 Thread Petr Spacek
On 9.4.2014 15:15, Simo Sorce wrote: On Wed, 2014-04-09 at 13:05 +, Ondrej Valousek wrote: Hi List, Quick question, is something like SAML 2.0 support planned for IPA to help establishing SSO for a web based applications? I mean something similar to ADFS. I am working on a project called

[Freeipa-users] Announcing bind-dyndb-ldap version 4.3

2014-04-09 Thread Petr Spacek
send any other feedback via the freeipa-users mailing list: http://www.redhat.com/mailman/listinfo/freeipa-users -- Petr Spacek @ Red Hat ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users

Re: [Freeipa-users] External Collaboration Domains

2014-04-14 Thread Petr Spacek
On 13.4.2014 15:21, Dmitri Pal wrote: There is where I see a leap of faith. SAML -> SSH. It is not possible. And I am not sure OpenSSH would be interested to support it. They had hard time supporting Certs. No SAML->SSH. Even if it were possible, it would involve configuring every host in the do

Re: [Freeipa-users] nothing sync'ed to AD

2014-04-17 Thread Petr Spacek
On 17.4.2014 16:16, Rob Crittenden wrote: Will Last wrote: Hi, I have got a freeipa server (pa-server-3.0.0-37) running on centos 6.5 and am trying to set up sync with/to AD on win 2008/R2, basically following https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Id

Re: [Freeipa-users] AD-IPA sync from multiple AD controllers

2014-04-23 Thread Petr Spacek
On 23.4.2014 09:52, Dave Jones wrote: Thanks for the clarification Rob, you confirmed what I already thought. Dave, it would be great if you could rephrase problematic paragraphs in docs to make it understandable. If you can spend few minutes on it, please see http://www.freeipa.org/page/Con

Re: [Freeipa-users] Hardening freeipa on the internet

2014-04-25 Thread Petr Spacek
On 25.4.2014 10:11, Martin Kosek wrote: On 04/25/2014 09:50 AM, Andrew Holway wrote: Hello, I am having a think about running freeipa on the open seas for more distributed organisations and would like to understand where the weaknesses might be. I would almost certainly only make the ui unavail

Re: [Freeipa-users] Are replica gpg files reusable?

2014-04-25 Thread Petr Spacek
On 25.4.2014 00:15, Dave Jones wrote: Hi Rob, I was considering installing replicas using puppet. Having pre-prepared replica files available would be easier than having to run an ipa-replica-prepare and scp copy. I had guessed the ldap/kerberos replication would handle the user/password/DNS

Re: [Freeipa-users] Best practices for core servers

2014-04-28 Thread Petr Spacek
On 28.4.2014 13:03, Bret Wortman wrote: We are planning to reconfigure our core Freeipa servers, basically building a replacement infrastructure and migrating to it. What we're planning right now is a core of three Freeipa servers each of which has a CA, with as much distribution of replication a

Re: [Freeipa-users] Hardening freeipa on the internet

2014-04-28 Thread Petr Spacek
On 25.4.2014 11:00, Petr Spacek wrote: On 25.4.2014 10:11, Martin Kosek wrote: On 04/25/2014 09:50 AM, Andrew Holway wrote: Hello, I am having a think about running freeipa on the open seas for more distributed organisations and would like to understand where the weaknesses might be. I would

[Freeipa-users] [SOLVED] Can't use "ipa" commands on brand new ipa server instance

2014-04-29 Thread Petr Spacek
On 28.4.2014 20:05, Bret Wortman wrote: On 04/28/2014 01:53 PM, Simo Sorce wrote: On 04/28/2014 01:32 PM, Simo Sorce wrote: On Mon, 2014-04-28 at 13:25 -0400, Bret Wortman wrote: On 04/28/2014 01:19 PM, Bret Wortman wrote: I just got a new ipa server instantiated and haven't actually installe

Re: [Freeipa-users] Biasing which master clients talk to first

2014-05-02 Thread Petr Spacek
On 1.5.2014 16:44, Rob Crittenden wrote: Steven Jones wrote: Hi, We have a master at our DR site which is "further away" than our 2 local masters, is there a way (in DNS say) that we could "encourage" clients to use the closer IPA masters? eg host -t SRV _ldap._tcp.ods.vuw.ac.nz _ldap._tcp.ods

Re: [Freeipa-users] DNS SOA Records

2014-05-14 Thread Petr Spacek
On 13.5.2014 21:32, Dmitri Pal wrote: On 05/13/2014 02:12 PM, Bob wrote: I ran ipa dnszone-mod vh1.vzwnet.com --update-policy="grant bob-key name test.vh1.vzwnet.com.;" I then execute the nsupdate: [root@nj51rhidms16v ~]# ./bobtest.sh ; TSIG error with server: tsig ind

Re: [Freeipa-users] weird behavior on centos 6

2014-05-15 Thread Petr Spacek
On 15.5.2014 00:25, Dmitri Pal wrote: On 05/14/2014 06:12 PM, Carl E. Ma wrote: Hello, Recently I realized our centos 6 freeipa clients hangs randomly. With some research, the issue is related to autofs bug, which was mentioned year ago - Automount fails for IPA user when kerberos ticket is exp

Re: [Freeipa-users] be aware of name collision problem

2014-05-21 Thread Petr Spacek
Hello, On 21.5.2014 13:31, Davis Goodman wrote: ldapsearch -D "cn=Directory Manager" -W -LLL -x -b "cn=ipa-ldap-delegation,cn=s4u2proxy,cn=etc,dc=ddistrict,dc=int" Please note that domain shadowing/hijacking/name collisions are *strongly* discouraged. You *should not* use domain names you d

Re: [Freeipa-users] be aware of name collision problem

2014-05-21 Thread Petr Spacek
On 21.5.2014 15:46, Davis Goodman wrote: -- <http://www.digital-district.ca/> On May 21, 2014, at 8:17 , Petr Spacek <pspa...@redhat.com> wrote: Hello, On 21.5.2014 13:31, Davis Goodman wrote: ldapsearch -D "cn=Directory Manager" -W -LLL -x -b cn=ipa-l

Re: [Freeipa-users] Wildcard DNS record supported ?

2014-05-23 Thread Petr Spacek
-dyndb-ldap-4.3-1.fc20.src.rpm and rebuild it on CentOS 6.5. You will have to lower required version of BIND in SPEC file. Please note that it is completely untested. Let me know if you have any further questions. Petr Spacek Cheers, Mattt 2014-05-23 13:57 GMT+02:00 Martin Kosek : On 05/23

Re: [Freeipa-users] Wildcard DNS record supported ?

2014-05-23 Thread Petr Spacek
On 23.5.2014 15:46, Martin Kosek wrote: On 05/23/2014 03:44 PM, Petr Spacek wrote: On 23.5.2014 13:59, Matt . wrote: Hi Martin, I have seen it indeed and discussed on #freeipa Is it not possible to install bind-dyndb-ldap 4.0 manually on CentOS 6.5 ? In theory yes, but nobody tested that

Re: [Freeipa-users] named's LDAP connection hangs

2014-06-16 Thread Petr Spacek
On 16.6.2014 09:41, Thomas Raehalme wrote: Hi, We have a problem with IPA going out of service every now and then. There seems to be two kinds of situations: 1) The connection between named and dirsrv fails. Named can resolve external names but the domain managed by IPA does not resolve any nam

Re: [Freeipa-users] Standard Logging

2014-06-18 Thread Petr Spacek
On 17.6.2014 19:24, Rob Crittenden wrote: Innes, Duncan wrote: Fair call Rob, I should have put "standard" in quotes. I think I meant to. I know applications doing their own logging is pretty wide spread too. It's just that moving to a more unified tool that performed the logging, remote shipp

[Freeipa-users] Links in mailing-list footer

2014-06-18 Thread Petr Spacek
Hello list, I wonder if we could improve mailing list footer for freeipa-users. It can be configured in mailing list administration in section "Non-digest options". Currently the footer looks like: "___ Freeipa-users mailing list Freeipa-users@redhat

Re: [Freeipa-users] Links in mailing-list footer

2014-06-19 Thread Petr Spacek
On 18.6.2014 14:52, Simo Sorce wrote: On Wed, 2014-06-18 at 09:30 +0200, Petr Spacek wrote: Hello list, I wonder if we could improve mailing list footer for freeipa-users. It can be configured in mailing list administration in section "Non-digest options". Currently the footer

Re: [Freeipa-users] Having difficulty installing on Fedora 20

2014-06-24 Thread Petr Spacek
Hello! That is interesting. Do you have latest updates? Please see http://www.freeipa.org/page/Troubleshooting On 24.6.2014 18:41, Carl Perry wrote: > Unexpected error - see /var/log/ipaserver-install.log for details: If the web page doesn't cover your case please send us the log file mention

Re: [Freeipa-users] Having difficulty installing on Fedora 20

2014-06-25 Thread Petr Spacek
uld override settings in local named.conf files Did you install bind and bind-dyndb-ldap ? http://www.freeipa.org/docs/master/html-desktop/index.html#installing-replica Just meddling around with ipa myself Rob 2014-06-24 19:11 GMT+02:00 Petr Spacek : Hello! That is interesting. Do you have la

Re: [Freeipa-users] FreeIPA Postfix+Dovecot

2014-06-26 Thread Petr Spacek
On 25.6.2014 15:03, Dave Gonzalez wrote: Hey again guys, I know and understand there are topics that draw more interest and attention than others but I'd really need to insist on a *working* FreeIPA+Postfix+Dovecot tutorial tested by any members of the community. I'd like to deploy this setup

Re: [Freeipa-users] named's LDAP connection hangs

2014-06-26 Thread Petr Spacek
nything out. I hope that's okay. Thank you for the help! Best regards, Thomas On Mon, Jun 16, 2014 at 1:54 PM, Petr Spacek <pspa...@redhat.com> wrote: On 16.6.2014 09:41, Thomas Raehalme wrote: Hi, We have a problem with IPA going out of service every now and then. There se

Re: [Freeipa-users] Having difficulty installing on Fedora 20

2014-06-26 Thread Petr Spacek
'm kind of at a loss how to debug at this point, since even the debug logs either don't exist or have no data in them. Any suggestions would be appreciated. I'm also willing to upload log files someplace if someone with more experience than I would like to look at them. -Carl On

[Freeipa-users] [Freeipa-interest] Announcing bind-dyndb-ldap version 5.0

2014-06-26 Thread Petr Spacek
elp with upgrade. !!! CAUTION !!! Downgrading back to any 4.x version is supported. == Feedback == Please provide comments, report bugs and send any other feedback via the freeipa-users mailing list: http://www.redhat.com/mailman/listinfo/freeipa-users -- Petr Spacek @ Red Hat -- Mana

Re: [Freeipa-users] FreeIPA customized for Kolab

2014-07-04 Thread Petr Spacek
On 4.7.2014 00:49, Carlos Raúl Laguna wrote: In cn=config an extensibleObject with a domainRelatedObject and aci (required by kolab) Not sure what this means - does this mean you added objectclass: extensibleObject to dn: cn=config? Thanks for the fast reply, and Yes, it is required so kolab can

Re: [Freeipa-users] IPA commands failing

2014-07-08 Thread Petr Spacek
On 7.7.2014 20:21, Erinn Looney-Triggs wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA256 On a RHEL 6.5 environment the IPA command line tools are failing me with the following: ipa ping ipa: ERROR: cannot connect to Gettext('any of the configured servers', domain='ipa', localedir=None): ht

Re: [Freeipa-users] Migrating from a hybrid web/posix LDAP

2014-07-14 Thread Petr Spacek
On 13.7.2014 03:31, Nordgren, Bryce L -FS wrote: Hi guys, I set up freeipa 4.0.0 on a brand new Fedora 20 box, from your copr repos. Install and config went fine. Kinit: fine. Trying to migrate from my old ldap setup: problem. Old ldap setup primarily had accounts for web apps (inetOrgPerson

Re: [Freeipa-users] Difference between Masters and Replicas?

2014-07-16 Thread Petr Spacek
On 16.7.2014 15:03, Petr Viktorin wrote: On 07/16/2014 02:34 PM, Choudhury, Suhail wrote: Hi, I'd like some clarification on what a "master" and "replica" is please. Once installed, all masters are identical (except some might have a CA and some not). The distinction is useful when installing

Re: [Freeipa-users] Adding cross realm trust principals

2014-07-21 Thread Petr Spacek
On 21.7.2014 09:30, Alexander Bokovoy wrote: On Mon, 21 Jul 2014, Andreas Ladanyi wrote: Hello, I want to migrate an existing MIT Kerberos Realm to IPA and want to set up a cross realm trust relationship. I have exactly the problem discussed on this mailing list https://www.redhat.com/archives/fr

Re: [Freeipa-users] Correct syntax for round-robin DNS srv records

2014-07-22 Thread Petr Spacek
On 22.7.2014 00:13, Mark Heslin wrote: Hi All, I had some off-list exchanges with Petr Spacek on this but am still trying to work out the correct syntax. I have 2 hosts: - foo1.example.com - foo2.example.com and would like to create a round-robin DNS srv record for both called

Re: [Freeipa-users] DNS migration from AD to freeIPA managed DNS

2014-07-22 Thread Petr Spacek
On 22.7.2014 15:33, Shashi M wrote: I am looking for some help on DNS configuration migration from AD to FreeIPA. I am planning to implement AD trust in my current freeIPA setup which is currently having AD-IPA one way sync. New setup, I would also like to manage the DNS through IPA. Currently unix D

Re: [Freeipa-users] Correct syntax for round-robin DNS srv records

2014-07-22 Thread Petr Spacek
". No modification to /etc/services is necessary. AFAIK /etc/services just allows clients to translate service name to port number but this will not be used anyway because clients will get port number from DNS. Petr^2 Spacek Thank you both! -m On 07/22/2014 03:16 AM, Petr Spacek wrot

Re: [Freeipa-users] Correct *usage* for round-robin DNS srv records

2014-07-24 Thread Petr Spacek
On 23.7.2014 18:01, Mark Heslin wrote: Hi Alexander, >SRV records need to be resolved first by your software and then resolved >records used to perform lookups of the SRV entry content. Ah, yes that explains it. >If your clients don't know how to do that, you can use multiple A/ >recor
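An added example, not code from either thread or from FreeIPA, covering both the "round-robin SRV" question here and the earlier "biasing which master clients talk to first" thread: a Python implementation of the RFC 2782 client-side selection that SRV-aware software performs, parsing a `dig SRV`-style RRset, trying the lowest priority first and drawing weighted-randomly among equal priorities. The RRset below is constructed; the zone example.com and the ipa1/ipa2/ipa-dr hostnames are assumptions, not records from the original messages.

```python
"""RFC 2782 SRV selection for a round-robin or biased SRV RRset.

Added example (not FreeIPA code). The RRset below is constructed for the
example; the zone example.com and the ipa*/ipa-dr hostnames are assumed."""
import random
from dataclasses import dataclass

# Constructed sample in the presentation format `dig SRV` prints:
# two equal-priority local masters and a DR-site master that clients
# should only fall back to (higher priority value = less preferred).
SAMPLE_RRSET = """\
_ldap._tcp.example.com. 86400 IN SRV 0 100 389 ipa1.example.com.
_ldap._tcp.example.com. 86400 IN SRV 0 100 389 ipa2.example.com.
_ldap._tcp.example.com. 86400 IN SRV 10 100 389 ipa-dr.example.com.
"""


@dataclass(frozen=True)
class SRV:
    priority: int
    weight: int
    port: int
    target: str


def parse_srv_rrset(text):
    """Parse `NAME TTL IN SRV PRIORITY WEIGHT PORT TARGET` lines into SRV records."""
    records = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()   # drop dig-style comments
        if not line:
            continue
        f = line.split()
        if len(f) != 8 or f[2].upper() != "IN" or f[3].upper() != "SRV":
            raise ValueError(f"not an SRV presentation record: {raw!r}")
        records.append(SRV(int(f[4]), int(f[5]), int(f[6]), f[7].rstrip(".").lower()))
    return records


def order_srv(records, rng):
    """Return records in the order an RFC 2782 client should try them.

    Lowest priority first. Within one priority, repeated weighted random
    draws; weight-0 entries therefore come after any positive-weight ones."""
    ordered = []
    for prio in sorted({r.priority for r in records}):
        bucket = [r for r in records if r.priority == prio]
        while bucket:
            total = sum(r.weight for r in bucket)
            if total == 0:
                pick = rng.choice(bucket)        # only weight-0 left: uniform
            else:
                point = rng.randrange(total)     # 0 .. total-1
                running = 0
                for pick in bucket:              # first record whose running
                    running += pick.weight       # weight sum passes the point
                    if running > point:
                        break
            ordered.append(pick)
            bucket.remove(pick)
    return ordered


def try_order(text, seed):
    """Seeded convenience wrapper returning 'target:port' strings in try order."""
    ordered = order_srv(parse_srv_rrset(text), random.Random(seed))
    return [f"{r.target}:{r.port}" for r in ordered]


if __name__ == "__main__":
    for seed in range(3):
        print(try_order(SAMPLE_RRSET, seed))
```

To reproduce the effect with real records, give the far-away master a larger priority value (`ipa dnsrecord-add example.com _ldap._tcp --srv-rec="10 100 389 ipa-dr.example.com."`, leaving the local ones at 0) and confirm with `dig +short SRV _ldap._tcp.example.com`; software that does not implement this selection (only looks up A records) will ignore the priorities entirely, which is the point made in the reply above.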

[Freeipa-users] Announcing bind-dyndb-ldap version 5.1

2014-07-24 Thread Petr Spacek
The FreeIPA team is proud to announce bind-dyndb-ldap version 5.1. It can be downloaded from https://fedorahosted.org/released/bind-dyndb-ldap/ The new version has also been built for Fedora 20+ and is on its way to updates-testing: https://admin.fedoraproject.org/updates/bind-dyndb-ldap-5

Re: [Freeipa-users] FreeIPA 4.0.0 and CentOS release 6.5

2014-07-24 Thread Petr Spacek
On 24.7.2014 18:26, Chris Whittle wrote: Would CentOS7 work with FreeIPA 4? In theory - it could work. However you will have to build few new packages, including 389 DS, Kerberos libs, Dogtag CA and bind-dyndb-ldap. I'm attaching SPEC file diff from 3.3.3 to 4.0.0 so you can see what new pa

Re: [Freeipa-users] IPA Replica does not start Bind but runs Manually

2014-08-07 Thread Petr Spacek
On 5.8.2014 11:24, Matt . wrote: Hi, I got this solved but the replica doesn't do its forwards on the zones it needs to forward for, the master with the same settings does. I have done a new install but the same happens. What could be wrong here ? Please provide us with installation logs /

Re: [Freeipa-users] FreeIPA and FQDN requirements

2014-08-08 Thread Petr Spacek
Hello, On 8.8.2014 21:16, brendan kearney wrote: Maybe I am reading too far into rfc 1178, but I hardly think making hostnames required to be fqdns is in anybody's interest. It is not a requirement now in any other technology anywhere, so what is the impetus to push it? I don't see any value in

Re: [Freeipa-users] Mass update IP addresses

2014-08-08 Thread Petr Spacek
On 8.8.2014 22:16, Dmitri Pal wrote: On 07/22/2014 11:04 AM, KodaK wrote: For various reasons, I need to move a lot of my IPA clients to a different subnet. I'd like to automate this as much as possible. My initial thought is to use a combination of puppet and ipa commands, but I wanted to see

Re: [Freeipa-users] IPA Master Issue - Not starting

2014-08-15 Thread Petr Spacek
Hello, On 15.8.2014 03:52, Peter Grant wrote: 2014-08-15T11:43:46.434383+10:00 host named[6470]: Failed to init credentials (Decrypt integrity check failed) 2014-08-15T11:43:46.434884+10:00 host named[6470]: loading configuration: failure 2014-08-15T11:43:46.434991+10:00 host named[6470]: ex

Re: [Freeipa-users] Minimal permissions for "joiner" account?

2014-08-15 Thread Petr Spacek
On 15.8.2014 12:51, Martin Kosek wrote: On 08/15/2014 11:25 AM, Michael Lasevich wrote: ... The only thing that bugs me is that I am calling IPA python code from my salt reactor python code via subprocess - there has got to be a better, more direct way - but I found documentation too confusing

[Freeipa-users] Improving FreeIPA.org

2014-08-19 Thread Petr Spacek
Hello community, Do you have an idea how to improve Freeipa.org web site? Share it! I will start: The main page currently contains three links placed right above "Main features" section header: "Learn more about FreeIPA • What FreeIPA means for me? • Try FreeIPA in a public demo" It seems

Re: [Freeipa-users] IPA Master Issue - Not starting

2014-08-20 Thread Petr Spacek
command ipa-getkeytab -s secondary.domain.com -p DNS/master.domain@domain.com -k /etc/named.keytab Maybe it is caused by broken replication (one KDC have different keys than the other KDC). I would start with replication problems and focus on named later. Petr^2 Spacek I am unable to regen

Re: [Freeipa-users] Need for some pull-style replication, or an alternate solution

2014-08-20 Thread Petr Spacek
On 20.8.2014 10:58, Dmitri Pal wrote: On 08/19/2014 07:55 PM, Joshua J. Kugler wrote: A replica must connect to the master for initial setup; after that, the master pushes to the replica. j On Tuesday, August 19, 2014 09:26:11 Ludwig Krispenz wrote: What's wrong with your scenario B: master(s

Re: [Freeipa-users] ntp and srv records

2014-08-20 Thread Petr Spacek
On 21.8.2014 06:17, Les Stott wrote: Hi All, Am about to start rolling out client installs on rhel6 hosts with dns autodiscovery. Environment: rhel6, ipa-3.0.0-37.el6. I already have setup SRV records for Kerberos and ldap etc. Are the following ntp records as SRV records necessary also? Te

Re: [Freeipa-users] FreeIPA bind also-notify behavior.

2014-09-03 Thread Petr Spacek
-dyndb-ldap was capable of native DNS operations like AXFR/IXFR which can be used to actually deploy slave DNS servers. I wonder if also-notify is something different. CCing Petr Spacek to advise. AFAIU slave DNS servers not controlled by IPA yes, replicas as slaves - no. Let me summarize: - AXFR is

Re: [Freeipa-users] Filters in bind-dyndb-ldap

2014-09-04 Thread Petr Spacek
On 4.9.2014 14:28, Martin Kosek wrote: Actually, FreeIPA&bind-dynd-ldap use idnszoneactive attribute (TRUE/FALSE) to define which zones are active and which are not. Martin is right, I will add a couple more details about this: idnszoneactive attribute should work in bind-dyndb-ldap < 4.0. Versi

Re: [Freeipa-users] DNS not responding properly....

2014-09-05 Thread Petr Spacek
Hello, On 5.9.2014 18:14, Bret Wortman wrote: I've got an odd situation with one of our networks. Our systems are properly registered in DNS within IPA, and the web interface and IPA queries work to resolve the hosts, but named isn't playing along with us. [root@ipa1 data]# ipa dnsrecord-find f

Re: [Freeipa-users] DNS not responding properly....

2014-09-07 Thread Petr Spacek
My guess is that you can simply remove the forwarder and things will start working again: $ ipa dnszone-mod foo.net --forwarder='' Have a nice day! Petr^2 Spacek On 09/05/2014 01:56 PM, Petr Spacek wrote: Hello, On 5.9.2014 18:14, Bret Wortman wrote: I've got an odd sit

Re: [Freeipa-users] BIND not starting after IPA install

2014-09-11 Thread Petr Spacek
On 11.9.2014 14:20, Renier Gertzen wrote: Hi, My bind server refuses to start. I get the following: Sep 11 14:14:40 orpst named-sdb[4343]: generating session key for dynamic DNS Sep 11 14:14:40 orpst named-sdb[4343]: sizing zone task pool based on 6 zones Sep 11 14:14:40 orpst named-sdb[4343]: s

Re: [Freeipa-users] BIND not starting after IPA install

2014-09-12 Thread Petr Spacek
y Oracle repackaging? Petr^2 Spacek From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Renier Gertzen Sent: 12 September 2014 09:17 AM To: Petr Spacek; freeipa-users@redhat.com Subject: Re: [Freeipa-users] BIND not starting after IPA install Yes,

Re: [Freeipa-users] Max life set 0 already but still prompt admin reset password every 3 months

2014-09-12 Thread Petr Spacek
On 12.9.2014 13:18, Dmitri Pal wrote: On 09/12/2014 07:13 AM, Dmitri Pal wrote: On 09/12/2014 12:13 AM, barry...@gmail.com wrote: Hi: I set max life no expiry already but still prompt reset password every 3 months, any idea to disable it ??? what happening Regards Where/how did you set it an

Re: [Freeipa-users] json api docs

2014-09-12 Thread Petr Spacek
On 12.9.2014 15:47, Petr Viktorin wrote: On 09/12/2014 03:36 PM, Tamas Papp wrote: On 09/12/2014 02:47 PM, Martin Kosek wrote: On 09/11/2014 02:06 AM, Dmitri Pal wrote: On 09/10/2014 07:10 PM, Tamas Papp wrote: hi All, Is there an official API documentation available? Unfortunately not m

[Freeipa-users] [Freeipa-interest] Announcing bind-dyndb-ldap version 5.3

2014-09-12 Thread Petr Spacek
The FreeIPA team is proud to announce bind-dyndb-ldap version 5.3. It can be downloaded from https://fedorahosted.org/released/bind-dyndb-ldap/ The new version has also been built for Fedora 21+ and is on its way to updates-testing: https://admin.fedoraproject.org/updates/bind-dyndb-ldap-5

Re: [Freeipa-users] BIND not starting after IPA install

2014-09-15 Thread Petr Spacek
On 12.9.2014 10:57, Renier Gertzen wrote: Hi Before starting IPA install i did "yum -y install bind*". I think that did it. Regards, On Fri, 2014-09-12 at 10:43 +0200, Petr Spacek wrote: Hello! On 12.9.2014 09:39, Renier Gertzen wrote: Issue resolved in the following manne

Re: [Freeipa-users] AD Trust - Cannot resolve servers for KDC after reboot

2014-09-21 Thread Petr Spacek
On 19.9.2014 23:15, Genadi Postrilko wrote: The DNS server service of AD is running. I am able to resolve with nslookup command. I have just restarted the named service and I am able to kinit again. It looks like the named daemon cannot recognize that the forwarder is back online. Is there some

[Freeipa-users] Announcing bind-dyndb-ldap version 6.0

2014-09-23 Thread Petr Spacek
The FreeIPA team is proud to announce bind-dyndb-ldap version 6.0. It can be downloaded from https://fedorahosted.org/released/bind-dyndb-ldap/ The new version has also been built for Fedora 21+ and is on its way to updates-testing: https://admin.fedoraproject.org/updates/bind-dyndb-ldap-6

Re: [Freeipa-users] AD Trust - Cannot resolve servers for KDC after reboot

2014-09-25 Thread Petr Spacek
On 24.9.2014 18:00, Genadi Postrilko wrote: 2014-09-22 9:29 GMT+03:00 Petr Spacek : 'IPA forwarders' are exactly the same as normal 'BIND forward zone' so they involve normal DNS cache. Which type of forwarder do you have configured? Is your 'forwarding policy'

Re: [Freeipa-users] Services and Keytabs for load-balanced hostnames

2014-09-30 Thread Petr Spacek
On 29.9.2014 23:12, Simo Sorce wrote: On Mon, 29 Sep 2014 23:25:08 +0300 Alexander Bokovoy wrote: On Mon, 29 Sep 2014, Mark Heslin wrote: Folks, I'm looking for the best approach to take for configuring IdM clients to access web services (HTTP) with keytabs when a front-end load-balanced hos

Re: [Freeipa-users] Fedora 21 and 4.0.3

2014-09-30 Thread Petr Spacek
On 30.9.2014 17:42, Janelle wrote: Hi again, Ok, so that fixed the issues with Fedora - and 4.0.3 is working fine. A related question - would the COPR repo have 4.0.3 for Fedora 20? Maybe that would be the way to go for more solid testing of supported IPA than running it on Alpha of Fedora? You

Re: [Freeipa-users] named and IpA

2014-10-03 Thread Petr Spacek
On 2.10.2014 19:05, Licause, Al (CSC AMS BCS - UNIX/Linux Network Support) wrote: We have IdM running on a RHEL V7 system and have configured a local DNS server in our test lab. We have loaded the various SRV and TXT records needed by the IdM server. PROBLEM: From the IdM server we can only

Re: [Freeipa-users] DNS: Possible to set a CNAME for bare domain?

2014-10-06 Thread Petr Spacek
Hello, I will add a few more details: "ALIAS" virtual record and its derivatives are not standardized yet and AFAIK there is no implementation which works with DNSSEC. IPA uses BIND 9.9 as DNS backend and BIND itself doesn't support any variant of ALIAS record at the moment. As a result, IPA do

Re: [Freeipa-users] FW: named and IpA

2014-10-06 Thread Petr Spacek
at.com] On Behalf Of Petr Spacek Sent: Friday, October 03, 2014 1:26 AM To: freeipa-users@redhat.com Subject: Re: [Freeipa-users] named and IpA On 2.10.2014 19:05, Licause, Al (CSC AMS BCS - UNIX/Linux Network Support) wrote: We have IdM running on a RHEL V7 system and have configured a local DNS ser

Re: [Freeipa-users] FW: FW: named and IpA

2014-10-06 Thread Petr Spacek
On 6.10.2014 15:17, Licause, Al (CSC AMS BCS - UNIX/Linux Network Support) wrote: Thanks very much for the additional input. The configuration as you describe it is correct with a minor detail correction that I didn't notice earlier. 16.112.240.27 is the master for the osn.cxo.cpqcorp.net

Re: [Freeipa-users] FW: FW: FW: named and IpA

2014-10-06 Thread Petr Spacek
ver to the last functional server. I hope I understood your question :-) Petr^2 Spacek Al -Original Message- From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Petr Spacek Sent: Monday, October 06, 2014 7:35 AM To: freeipa-users@redhat.

Re: [Freeipa-users] Enrolling with multiple IPA servers

2014-10-07 Thread Petr Spacek
On 6.10.2014 20:43, Alexander Bokovoy wrote: On Mon, 06 Oct 2014, Nordgren, Bryce L -FS wrote: The hostname put by ipa-client-install corresponds to the server to which this client is enrolled. You enroll with a single server, after all. How would one enroll with multiple IPA servers? For ins

Re: [Freeipa-users] FW: FW: FW: named and IpA

2014-10-13 Thread Petr Spacek
On 10.10.2014 10:32, Jan Pazdziora wrote: On Mon, Oct 06, 2014 at 06:38:59PM +0200, Petr Spacek wrote: On 6.10.2014 17:22, Licause, Al (CSC AMS BCS - UNIX/Linux Network Support) wrote: Thanks for the additional data. It starts to make sense now, but I'm wondering if that could possib

Re: [Freeipa-users] No result when trying to integrate a FreeBSD client with the FreeIPA server

2014-10-14 Thread Petr Spacek
On 14.10.2014 11:49, Orkhan Gasimov wrote: I suspected that problems could arise with DNS, and here they are... In fact, this entire string: "ipa_server = _srv_ #our FreeIPA server has DNS SRV entries" was taken as-is from the how-to on FreeBSD forums. First I commented it out, because was unsur

Re: [Freeipa-users] No result when trying to integrate a FreeBSD client with the FreeIPA server

2014-10-14 Thread Petr Spacek
A domain but I'm not sure how much it was tested. Alexander can add more details about records required for AD integration and how it should work with clients which are not in the IPA domain. Petr^2 Spacek 14-Oct-14 16:29, Petr Spacek wrote: On 14.10.2014 11:49, Orkhan Gasimov wrote: I s

Re: [Freeipa-users] No result when trying to integrate a FreeBSD client with the FreeIPA server

2014-10-14 Thread Petr Spacek
Petr^2 Spacek 14-Oct-14 17:43, Petr Spacek wrote: On 14.10.2014 13:48, Orkhan Gasimov wrote: I need further assistance with this moment: "specify IPA domain name which is sub-domain of your existing domain (e.g. ipa.eurosel.az) ". Currently my FreeIPA server's hostname is ipa1.e

Re: [Freeipa-users] No result when trying to integrate a FreeBSD client with the FreeIPA server

2014-10-22 Thread Petr Spacek
On 22.10.2014 09:10, Fraser Tweedale wrote: Further to my earlier email, I have written a blog post about all these matters, with a particular focus on the custom package repo. I will update it tomorrow with a bit more about the package "flavours" topic. For now, all the details for enabling an

Re: [Freeipa-users] migration 3.3->4.1 & CA change

2014-10-22 Thread Petr Spacek
On 22.10.2014 22:06, William Graboyes wrote: Hello List, So the whole not being able to change the CA easily is becoming a regular point of contention in meetings. If I have read the e-mails on this list correctly this issue is fixed in 4.1. Aft

Re: [Freeipa-users] Question About Properly Configuring DNS

2014-10-29 Thread Petr Spacek
On 27.10.2014 19:15, Simo Sorce wrote: On Mon, 27 Oct 2014 17:50:13 + "Trevor T Kates (Services - 6)" wrote: -Original Message- From: Simo Sorce [mailto:s...@redhat.com] Sent: Monday, October 27, 2014 12:30 PM To: Trevor T Kates (Services - 6) Cc: freeipa-users@redhat.com Subject:

Re: [Freeipa-users] dns stops working after upgrade

2014-10-29 Thread Petr Spacek
On 28.10.2014 18:42, Rob Verduijn wrote: before the update it's 4.5-1.fc20.x86_64.rpm from fedora 20 updates repo after the update it's 6.0-5.fc20.x86_64.rpm from copr repo Regards Rob 2014-10-28 17:58 GMT+01:00 Martin Basti : On 28/10/14 16:10, Rob Verduijn wrote: Hello all, I've been

Re: [Freeipa-users] dns stops working after upgrade

2014-10-29 Thread Petr Spacek
ic-db section from your named.conf? Petr^2 Spacek Rob 2014-10-29 13:28 GMT+01:00 Petr Spacek : On 28.10.2014 18:42, Rob Verduijn wrote: before the update it's 4.5-1.fc20.x86_64.rpm from fedora 20 updates repo after the update it's 6.0-5.fc20.x86_64.rpm from copr repo Regards Rob 2014-10-28 17:58 G

Re: [Freeipa-users] dns stops working after upgrade

2014-10-29 Thread Petr Spacek
On 29.10.2014 16:46, Rob Verduijn wrote: Hello, # ipa-ldap-updater /usr/share/ipa/updates/55-pbacmemberof.update fixes the problem. I can resolve my internal dns zones again :-) Many thanx. Since this problem happened every time I tried to update the freeipa server, I could re-run the update

Re: [Freeipa-users] [SOLVED] IPA DNS response issue

2014-10-31 Thread Petr Spacek
On 19.3.2014 15:12, David wrote: On Wed, Mar 19, 2014 at 01:57:24PM +0100, Petr Spacek wrote: On 18.3.2014 15:26, David wrote: We have an installation of FreeIPA (through CentOS 6.5) that's exhibiting some odd behavior with respect to serving DNS. Periodically (interval at random)

Re: [Freeipa-users] DNS forwarders in 4.1.0

2014-10-31 Thread Petr Spacek
On 31.10.2014 04:38, Rolf Nufable wrote: Hello, I've been trying to install freeipa server v 4.1.0 on my fedora 20 machine and I can't complete the installation because of the DNS forwarders What exactly is the problem/symptom? Are you receiving an error? Or something else? We need to see

Re: [Freeipa-users] dns stops working after upgrade

2014-11-04 Thread Petr Spacek
Upgrading ) 'yum update' works fine My internal zones didn't resolve after the update ipa-ldap-updater /usr/share/ipa/updates/55-pbacmemberof.update didn't fix it ipa-ldap-updater did fix the 'access control instructions' and my internal dns zones started to resolve again

Re: [Freeipa-users] Trust relationship redundancy

2014-11-05 Thread Petr Spacek
On 4.11.2014 21:57, William Muriithi wrote: Afternoon, I have two AD and would like to retain that redundancy within IPA after establishing trust relationship. How would one achieve that? I have attempted the following: [root@ipa3-yyz-int ~]# ipa dnszone-add example.local --name-server=srvyyz

Re: [Freeipa-users] dns stops working after upgrade

2014-11-05 Thread Petr Spacek
ecessarily enough. Petr^2 Spacek 2014-11-04 15:52 GMT+01:00 Petr Spacek : On 4.11.2014 15:27, Rob Verduijn wrote: Hello again, I've managed to integrate my katello configuration with freeipa. Now I not only use freeipa authentication in katello but also when a host is defined in kat

Re: [Freeipa-users] dns stops working after upgrade

2014-11-05 Thread Petr Spacek
nning the ipa-ldap-updater did not fix it So I guess that it is not due to the katello integration or the realm-smart-proxy script. Rob 2014-11-05 14:39 GMT+01:00 Petr Spacek : On 4.11.2014 17:15, Rob Verduijn wrote: The problem with 'foreman-prepare-realm' and freeipa was that it cla

Re: [Freeipa-users] dns stops working after upgrade

2014-11-05 Thread Petr Spacek
On 5.11.2014 16:20, Rob Verduijn wrote: Hello, Yes, I noticed the name change; it took me a while to realise it was a known ruby bug in katello that caused the real problem. I also checked after I updated the 'katello integrated' update from 3.3.5 to 4.1 and the permissions were neatly renamed to

Re: [Freeipa-users] FreeIPA unresponsive - Causes DOS situations

2014-11-07 Thread Petr Spacek
On 6.11.2014 16:41, Dmitri Pal wrote: On 11/06/2014 10:00 AM, Martin Basti wrote: On 06/11/14 14:58, Walter van Lille wrote: Hi, I need some assistance please. I've taken over an IPA server to manage a few months ago, and it was working fine until recently when it started acting up seemingly o

Re: [Freeipa-users] FreeIPA bind also-notify behavior.

2014-11-07 Thread Petr Spacek
144 I have sent a patch to the devel list and it is waiting for review at the moment. It should be fixed in the nearest release of bind-dyndb-ldap. Thank you very much for catching this! Petr^2 Spacek > On Wed, Sep 3, 2014 at 2:25 AM, Petr Spacek wrote: > >> On 1.9.2014 12:16, Dmitr

Re: [Freeipa-users] The ipa-replica-install command failed, exception: SystemExit: Invalid IP Address ... Cannot use IP network address

2014-11-07 Thread Petr Spacek
On 7.11.2014 14:08, Traiano Welcome wrote: > Hi List > > I'm trying to configure a replica for a primary freeipa IdM server > (both CentOS 7, AD trusts configured on primary), but "ipa-replica-install" > fails with the following error: > -- > ipa-replica-install -d --setup-ca --setup-dns --no-fo

Re: [Freeipa-users] The ipa-replica-install command failed, exception: SystemExit: Invalid IP Address ... Cannot use IP network address

2014-11-07 Thread Petr Spacek
On 7.11.2014 17:20, Traiano Welcome wrote: > Hi Petr > > > > On Fri, Nov 7, 2014 at 6:19 PM, Petr Spacek wrote: >> On 7.11.2014 14:08, Traiano Welcome wrote: >>> Hi List >>> >>> I'm trying to configure a replica for a primary freeipa I
