Re: [Freeipa-users] FreeIPA server in Docker container improved

2015-04-08 Thread Mark Heslin


On 04/08/2015 08:42 AM, Jan Pazdziora wrote:

Hello world!

The ability to run FreeIPA server in a container was recently
improved by adding support for storing the server configuration and
data in a volume, making it easier to backup the server, upgrade it to
newer versions, as well as adding the ability to start a container
as a replica of existing (containerized or non-containerized) IPA
server.

Using IPA in a container can be an easy way to try IPA or test things
on different OSes (there are multiple per-OS branches in the GitHub
repo and multiple images built), as well as running IPA on a machine
where it would otherwise clash with other software. It is still
an unsupported release but working in multiple tests on our side, so
we encourage our community members to try it out.

We will welcome your comments about your experience with the code at

https://github.com/adelton/docker-freeipa

or automated build images at

https://registry.hub.docker.com/u/adelton/freeipa-server/

README was amended to describe the new usage options.


Hi Jan,

Nice work. Has this been tested on Atomic host yet (just curious)?

-m


--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] Services and Keytabs for load-balanced hostnames

2014-09-29 Thread Mark Heslin

On 09/29/2014 04:25 PM, Alexander Bokovoy wrote:

On Mon, 29 Sep 2014, Mark Heslin wrote:

Folks,

I'm looking for the best approach to take for configuring IdM clients
to access web services (HTTP) with keytabs when a front-end
load-balanced hostname is in place.

I have a distributed OpenShift Enterprise configuration with three
broker hosts (broker1, broker2, broker3) with all three configured as
IdM clients.

IdM is configured with one server (idm-srv1.example.com), one replica
(idm-srv2.example.com); an HTTP service has been created for each
broker host:

 # ipa service-add HTTP/broker1.example.com
 # ipa service-add HTTP/broker2.example.com
 # ipa service-add HTTP/broker3.example.com

A DNS round-robin hostname called 'broker.example.com' has also been
configured to distribute broker requests across the three brokers:

 # ipa dnsrecord-add example.com broker --a-ip-address=10.0.0.11
 # ipa dnsrecord-add example.com broker --a-ip-address=10.0.0.12
 # ipa dnsrecord-add example.com broker --a-ip-address=10.0.0.13

Effectively, this creates a DNS A record that acts as a pseudo DNS
load-balancer.


To access the HTTP services, we have been creating keytabs for the
first broker host:

  # ipa-getkeytab -s idm-srv1.example.com -p HTTP/broker1.example@example.com -k /var/www/openshift/broker/httpd/conf.d/http.keytab

and copying the keytab over to the other two OpenShift broker hosts.

This all works fine but in the event that broker1 should go down, the
other broker hosts will lose access to the web service. Ideally, we
would like to have web services use the more generic, "load balanced"
hostname (broker.example.com) and in turn have the keytabs use this
name as well.

I tried creating an HTTP service using the "load balanced" hostname
(broker.example.com) but that appears to fail due to broker.example.com
not being a valid host within IdM:

  # ipa service-add HTTP/broker.example.com
  ipa: ERROR: The host 'broker.example.com' does not exist to add a service to.

In the F18 FreeIPA guide it discusses creating a combined keytab file
(Section 6.5.4) using ktutil:

http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/managing-services.html#Using_the_Same_Service_Principal_for_Multiple_Services

but would that still work as intended should a broker host go down?

The next section (6.5.5) mentions creating a keytab to create a
service principal that can be used across multiple hosts:

  # ipa-getkeytab -s kdc.example.com -p HTTP/server.example.com -k /etc/httpd/conf/krb5.keytab -e des-cbc-crc

Which seems more in-line with my thinking and exactly what we've been
doing but again, if I try to do that using the "load balanced" hostname
(broker.example.com) it fails since it's not a valid host within IdM.

What is the best method of doing this?

Make a host named broker.example.com
ipa host-add broker.example.com --force

--force will make sure to create the host object even if there is no
such name in the DNS.

Then create services for this host.


Nice - just what we were looking for!



You'll need to set up your balancer hosts to use the proper service
principal instead of allowing them to construct the principal themselves
based on the hostname.



Thank you Alexander :-)

-m


--

Red Hat Reference Architectures

Follow Us: https://twitter.com/RedHatRefArch
Plus Us: https://plus.google.com/u/0/b/114152126783830728030/
Like Us: https://www.facebook.com/rhrefarch

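The host-add --force / service-add / ipa-getkeytab sequence above ends with one keytab copied to every broker. As an added example (not code from this thread or from FreeIPA), the Python below parses an MIT keytab file directly, so that on each broker you can confirm the copied http.keytab carries the shared HTTP/broker.example.com principal with the same kvno everywhere, and that no entry uses a retired enctype such as the des-cbc-crc in the F18 guide's example. The keytab it inspects is constructed in memory with random key bytes; the realm EXAMPLE.COM, the kvno values and the stale broker1 entry are assumptions made for the example.

```python
"""Inspect an MIT Kerberos keytab (file format version 0x0502).

Added example, not code from the FreeIPA project or the mailing-list
thread. Builds a constructed keytab in memory (random bytes, not real
IdM keys), parses it and checks what matters after distributing one
keytab to several brokers: the shared principal is present and no
entry uses a weak enctype.
"""
import os
import struct

# Enctype numbers from RFC 3961/3962/8009; DES (RFC 6649) and RC4 are retired.
ENCTYPES = {
    1: "des-cbc-crc",
    3: "des-cbc-md5",
    16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "arcfour-hmac",
}
WEAK_ENCTYPES = {1, 3, 23}
NT_PRINCIPAL = 1  # name type used for ordinary user/service principals


def _cstr(b: bytes) -> bytes:
    """Counted octet string: 16-bit big-endian length, then the bytes."""
    return struct.pack(">H", len(b)) + b


def build_keytab(entries):
    """entries: list of (principal, kvno, enctype, key_bytes).
    Returns the bytes of a version-2 keytab file."""
    out = bytearray(b"\x05\x02")
    for principal, kvno, etype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _cstr(realm.encode())
        for c in comps:
            body += _cstr(c.encode())
        # name_type, timestamp (0 = unknown), 8-bit kvno
        body += struct.pack(">IIB", NT_PRINCIPAL, 0, kvno & 0xFF)
        body += struct.pack(">HH", etype, len(key)) + key
        body += struct.pack(">I", kvno)  # 32-bit kvno extension
        out += struct.pack(">i", len(body)) + body  # size excludes itself
    return bytes(out)


def parse_keytab(data: bytes):
    """Yield {principal, kvno, enctype} for each live entry; key bytes are skipped."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 keytab")
    pos = 2
    while pos < len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:            # deleted slot: |size| bytes of dead space
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos); pos += 2
        (rlen,) = struct.unpack_from(">H", data, pos); pos += 2
        realm = data[pos:pos + rlen].decode(); pos += rlen
        comps = []
        for _ in range(ncomp):
            (clen,) = struct.unpack_from(">H", data, pos); pos += 2
            comps.append(data[pos:pos + clen].decode()); pos += clen
        _name_type, _ts, vno8 = struct.unpack_from(">IIB", data, pos); pos += 9
        etype, klen = struct.unpack_from(">HH", data, pos); pos += 4
        pos += klen             # never read the key material itself
        kvno = vno8
        if end - pos >= 4:      # optional 32-bit kvno overrides the 8-bit one
            (kvno,) = struct.unpack_from(">I", data, pos)
        pos = end
        yield {"principal": "/".join(comps) + "@" + realm,
               "kvno": kvno, "enctype": etype}


def check_keytab(data: bytes, required_principal: str):
    """Return (ok, problems): ok only if the required principal is present
    and every entry in the file uses a non-weak enctype."""
    problems, found = [], False
    for e in parse_keytab(data):
        if e["principal"] == required_principal:
            found = True
        if e["enctype"] in WEAK_ENCTYPES:
            problems.append("%s kvno %d uses weak enctype %s" % (
                e["principal"], e["kvno"], ENCTYPES.get(e["enctype"], e["enctype"])))
    if not found:
        problems.append("missing principal " + required_principal)
    return (not problems, problems)


# Constructed sample (assumption): a broker's http.keytab after the
# host-add --force / service-add / ipa-getkeytab steps, plus one stale
# DES entry of the kind the guide's "-e des-cbc-crc" example would create.
SHARED = "HTTP/broker.example.com@EXAMPLE.COM"
SAMPLE = build_keytab([
    (SHARED, 2, 18, os.urandom(32)),
    (SHARED, 2, 17, os.urandom(16)),
    ("HTTP/broker1.example.com@EXAMPLE.COM", 1, 1, os.urandom(8)),
])

if __name__ == "__main__":
    for e in parse_keytab(SAMPLE):
        print(e["kvno"], ENCTYPES.get(e["enctype"]), e["principal"])
    print(check_keytab(SAMPLE, SHARED))
```

On a real broker, pass `open("/var/www/openshift/broker/httpd/conf.d/http.keytab", "rb").read()` to `check_keytab`. The parser reads only principal, kvno and enctype and skips the key bytes, so its output is safe to paste into a ticket, which the keytab file itself is not. A kvno that differs between brokers means one copy is stale: each `ipa-getkeytab` run without `-r` generates a fresh key and increments the kvno, which is why the thread copies one fetched keytab to all brokers rather than fetching on each.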


[Freeipa-users] Services and Keytabs for load-balanced hostnames

2014-09-29 Thread Mark Heslin

Folks,

I'm looking for the best approach to take for configuring IdM clients
to access web services (HTTP) with keytabs when a front-end
load-balanced hostname is in place.

I have a distributed OpenShift Enterprise configuration with three
broker hosts (broker1, broker2, broker3) with all three configured as
IdM clients.

IdM is configured with one server (idm-srv1.example.com), one replica
(idm-srv2.example.com); an HTTP service has been created for each
broker host:

  # ipa service-add HTTP/broker1.example.com
  # ipa service-add HTTP/broker2.example.com
  # ipa service-add HTTP/broker3.example.com

A DNS round-robin hostname called 'broker.example.com' has also been
configured to distribute broker requests across the three brokers:

  # ipa dnsrecord-add example.com broker --a-ip-address=10.0.0.11
  # ipa dnsrecord-add example.com broker --a-ip-address=10.0.0.12
  # ipa dnsrecord-add example.com broker --a-ip-address=10.0.0.13

Effectively, this creates a DNS A record that acts as a pseudo DNS
load-balancer.


To access the HTTP services, we have been creating keytabs for the
first broker host:

   # ipa-getkeytab -s idm-srv1.example.com -p HTTP/broker1.example@example.com -k /var/www/openshift/broker/httpd/conf.d/http.keytab

and copying the keytab over to the other two OpenShift broker hosts.

This all works fine but in the event that broker1 should go down, the
other broker hosts will lose access to the web service. Ideally, we
would like to have web services use the more generic, "load balanced"
hostname (broker.example.com) and in turn have the keytabs use this
name as well.

I tried creating an HTTP service using the "load balanced" hostname
(broker.example.com) but that appears to fail due to broker.example.com
not being a valid host within IdM:

   # ipa service-add HTTP/broker.example.com
   ipa: ERROR: The host 'broker.example.com' does not exist to add a service to.

In the F18 FreeIPA guide it discusses creating a combined keytab file
(Section 6.5.4) using ktutil:

http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/managing-services.html#Using_the_Same_Service_Principal_for_Multiple_Services

but would that still work as intended should a broker host go down?

The next section (6.5.5) mentions creating a keytab to create a
service principal that can be used across multiple hosts:

  # ipa-getkeytab -s kdc.example.com -p HTTP/server.example.com -k /etc/httpd/conf/krb5.keytab -e des-cbc-crc

Which seems more in-line with my thinking and exactly what we've been
doing but again, if I try to do that using the "load balanced" hostname
(broker.example.com) it fails since it's not a valid host within IdM.

What is the best method of doing this?

Thank you,

-m



Re: [Freeipa-users] Fedora Core IPTables or FirewallID?

2014-08-26 Thread Mark Heslin

Chris,

My understanding is that firewalld "services" are where we're heading
but I'm not entirely sure how much or how little of these are fully
supported/available yet.

I've copied Thomas - he'll know :-)

-m



On 08/26/2014 10:26 AM, Chris Whittle wrote:
Here is what I found that seems to work from 
http://adam.younglogic.com/2013/04/firewall-d-for-freeipa/


It only has to be run once...

# firewalld service definitions for the IPA ports that Fedora 20 did
# not ship by default (standard port assignments: Kerberos 88 tcp/udp,
# kpasswd 464 tcp/udp, LDAP 389 tcp, LDAPS 636 tcp)
cat >/etc/firewalld/services/kerberos.xml <<EOD
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>kerberos</short>
  <description>Kerberos</description>
  <port protocol="tcp" port="88"/>
  <port protocol="udp" port="88"/>
</service>
EOD

cat >/etc/firewalld/services/kpasswd.xml <<EOD
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>kpasswd</short>
  <description>kpasswd</description>
  <port protocol="tcp" port="464"/>
  <port protocol="udp" port="464"/>
</service>
EOD

cat >/etc/firewalld/services/ldap.xml <<EOD
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>ldap</short>
  <description>Lightweight Directory Access Protocol</description>
  <port protocol="tcp" port="389"/>
</service>
EOD

cat >/etc/firewalld/services/ldaps.xml <<EOD
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>ldaps</short>
  <description>Lightweight Directory Access Protocol over SSL</description>
  <port protocol="tcp" port="636"/>
</service>
EOD

  firewall-cmd --permanent --zone=public --add-service=dns
  firewall-cmd --permanent --zone=public --add-service=http
  firewall-cmd --permanent --zone=public --add-service=https
  firewall-cmd --permanent --zone=public --add-service=kerberos
  firewall-cmd --permanent --zone=public --add-service=kpasswd
  firewall-cmd --permanent --zone=public --add-service=ldap
  firewall-cmd --permanent --zone=public --add-service=ldaps
  firewall-cmd --permanent --zone=public --add-service=ntp
  firewall-cmd --reload



On Tue, Aug 26, 2014 at 9:22 AM, Mark Heslin <mhes...@redhat.com> wrote:


Hi Chris,

Take a look at the attached snippet - it will walk you through
configuring firewalld with named chains on RHEL 7. You don't have to
use named chains but it makes managing multiple chains cleaner. Do make
sure you 'mask' iptables - only using 'disable' can still cause
conflicts in some circumstances.

This is extracted from the recently published reference architecture
"Integrating OpenShift Enterprise with IdM in RHEL 7":

https://access.redhat.com/articles/1155603 (The redhat.com links are
not yet in place).

The context here was for an IdM server but I also used the same
approach for the IdM replica and RHEL 7 clients.

hth,

-m



On 08/25/2014 10:22 PM, Chris Whittle wrote:

I've got my server up and running great with one exception: every
time I reboot I have to log in and flush the iptables or nothing
can connect.

I've found a ton of fixes and none seem to work. I'm on FC20 - does
anyone have experience with it and wouldn't mind helping?











Re: [Freeipa-users] Enabling ntp if not done during ipa-server-install

2014-08-15 Thread Mark Heslin

On 08/15/2014 03:51 PM, Simo Sorce wrote:

On Fri, 2014-08-15 at 20:46 +0200, Petr Viktorin wrote:

On 08/15/2014 08:11 PM, Lucas Yamanishi wrote:

On 08/15/2014 10:33 AM, Redmond, Stacy wrote:


I installed my ipa server with --no-ntp but find that I want to enable
it on my server, and all my replicas. Is it possible to do post install?

Yes, you can do that. There's no ipa-ntp-install command, because NTP
isn't integrated with FreeIPA as much as it's a good idea to run it
alongside FreeIPA; Kerberos and other crypto operations depend on good
time-sync. All you need to do to [...]

Thanks for the instructions, Lucas.


Adding it may be easy, but users don't necessarily know that, so it
would make sense to provide an ipa-ntp-install command to take care of
all the details.
I filed a RFE for ipa-ntp-install:
https://fedorahosted.org/freeipa/ticket/4497

IIRC Ntpd also supports an interface (may require patching) to allow
signing packets (I remember vaguely samba AD has an interface for this).

Maybe we should open a ticket to make use of that too and really
formally integrate and configure ntpd to sign outgoing packets.

Simo.



I just wanted to add 2 points that may or may not apply to you:

 1. The RHEL 7 IdM guide recommends *not* running NTP on an IdM server
    that is on a VM:

    https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/prerequisites.html#prereq-ntp

    It's not entirely clear to me whether this still holds true today
    or if it's an old documentation artifact.

 2. For RHEL 7, the default time service is chronyd, not ntpd. From my
    readings it appears that chronyd is primarily for "mobile" devices
    like laptops. If you're running IdM on a RHEL 7 server then I'd
    suggest masking the chronyd service (systemctl mask chronyd) and
    enabling ntpd just as outlined in the OSE-IdM reference architecture:

    https://access.redhat.com/articles/1155603

    See sections 2.2.5 Time Services (ntpd, chronyd) and 4.5 Configure
    Time Service (NTP).


-m



Re: [Freeipa-users] AD Trusts: Should tcp/389/636 be excluded or not?

2014-08-04 Thread Mark Heslin

On 08/04/2014 04:37 PM, Alexander Bokovoy wrote:

On Mon, 04 Aug 2014, Mark Heslin wrote:

Folks,

Does anyone know the current disposition of $subject? The FreeIPA
documentation:

http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup#Firewall_configuration

would seem to indicate this is no longer necessary. Is this "official"
or should we block just the Win/AD server from these ports?

Alexander Bokovoy and I were working together last Friday on a
cross-realm Kerberos trust to an AD server (Win2012 R2) and noticed
replication was not working because I had tcp/389 and tcp/636 REJECT
configured on the IdM servers. After removing the rules everything is
working again.

Currently, I still have the rules removed but would like to know
whether to keep them removed or add them back in but block only the
packets from the Win/AD server.

Never ever block tcp/389 and tcp/636 between IPA servers or your
replication will not work at all. The instruction we show at the end of
ipa-adtrust-install is related only to communication with AD DCs for
the sake of their sanity as any attempt to use LDAP(S) over TCP against
IPA servers will most likely confuse Windows machines due to completely
different schema used. LDAP over UDP is required for trusts as
connectionless LDAP (CLDAP) is part of discovery protocol that AD
machines expect to work.

Blocking TCP/389 and TCP/636 between AD DCs and IPA servers should not
hurt.


Good. I can modify the firewalld rules accordingly:

  ipv4 filter ipa-server-chain 0 --proto tcp --destination-port 389 ! --source {ad-server-ip} --jump ACCEPT
  ipv4 filter ipa-server-chain 0 --proto tcp --destination-port 636 ! --source {ad-server-ip} --jump ACCEPT


Thanks Alexander :-)

-m





[Freeipa-users] AD Trusts: Should tcp/389/636 be excluded or not?

2014-08-04 Thread Mark Heslin

Folks,

Does anyone know the current disposition of $subject? The FreeIPA
documentation:

http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup#Firewall_configuration

would seem to indicate this is no longer necessary. Is this "official"
or should we block just the Win/AD server from these ports?

Alexander Bokovoy and I were working together last Friday on a
cross-realm Kerberos trust to an AD server (Win2012 R2) and noticed
replication was not working because I had tcp/389 and tcp/636 REJECT
configured on the IdM servers. After removing the rules everything is
working again.

Currently, I still have the rules removed but would like to know
whether to keep them removed or add them back in but block only the
packets from the Win/AD server.

Thanks,

-m





Re: [Freeipa-users] EXTERNAL: Re: IPA Replica Issues

2014-07-28 Thread Mark Heslin

On 07/28/2014 02:39 PM, Joseph, Matthew (EXP) wrote:


Weird, when I do kdestroy it prompts me for a password to do the
ipa-replica-manage list command and I supply the password but it
states invalid credentials.


When I do kinit and supply the password it works.

They use the same account/password don't they?

Actually, I think not :-) If I do not have a ticket (admin) then it
prompts for the Directory Manager password, and that depends on how
you've set it during the installation. If you get a ticket as admin,
then it doesn't prompt for the Directory Manager password - it doesn't
need it, as admin has broader permissions.

If you have no ticket, and it is failing on the Directory Manager
password when prompted, then Directory Manager must have a different
password.

-m

From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Mark Heslin
Sent: Monday, July 28, 2014 3:27 PM
To: freeipa-users@redhat.com
Subject: EXTERNAL: Re: [Freeipa-users] IPA Replica Issues

On 07/28/2014 02:12 PM, Mark Heslin wrote:

On 07/28/2014 12:46 PM, Joseph, Matthew (EXP) wrote:

Hello,

I'm currently running into some issues with my replica server.

I noticed it wasn't getting any updates from the master server
so I tried to do a force-sync but it states that it is an
"invalid password" which I know it is not the case.

I tried doing an ipa-replica-manager list replica_server but
it gives me the SASL(-13) authentication failure: GSSAPI
Failure: gss_accept_sec_context, 'desc' Invalid Credentials

I've tried doing a kdestroy and have it prompt me for the
password but again, same error.

Any idea what this would be?


Thanks,

Matt



Joe,

Are you actually getting a valid Kerberos ticket - on the surface
it would not appear so.

Also, the command is 'ipa-replica-manage list':

Example:
  # ipa-replica-manage list
  idm-srv1.example.com: master
  idm-srv2.example.com: master

-m



Joe,

I forgot to add, you should be able to do this without a Kerberos ticket
but you'll need to specify the Directory Manager password:

Example:
  #  ipa-replica-manage list
  Directory Manager password: 

  idm-srv1.example.com: master
  idm-srv2.example.com: master
  # klist
  klist: No credentials cache found (ticket cache KEYRING:persistent:0:0)

I'm running RHEL 7 - not sure whether or not this behavior is different
on earlier versions.

-m







Re: [Freeipa-users] IPA Replica Issues

2014-07-28 Thread Mark Heslin

On 07/28/2014 02:12 PM, Mark Heslin wrote:

On 07/28/2014 12:46 PM, Joseph, Matthew (EXP) wrote:


Hello,

I'm currently running into some issues with my replica server.

I noticed it wasn't getting any updates from the master server so I 
tried to do a force-sync but it states that it is an "invalid 
password" which I know it is not the case.


I tried doing an ipa-replica-manager list replica_server but it gives 
me the SASL(-13) authentication failure: GSSAPI Failure: 
gss_accept_sec_context, 'desc' Invalid Credentials


I've tried doing a kdestroy and have it prompt me for the password 
but again, same error.


Any idea what this would be?


Thanks,

Matt




Joe,

Are you actually getting a valid Kerberos ticket - on the surface it 
would not appear so.


Also, the command is 'ipa-replica-manage list':

Example:
  # ipa-replica-manage list
  idm-srv1.example.com: master
  idm-srv2.example.com: master

-m




Joe,

I forgot to add, you should be able to do this without a Kerberos ticket
but you'll need to specify the Directory Manager password:

Example:
  #  ipa-replica-manage list
  Directory Manager password: 

  idm-srv1.example.com: master
  idm-srv2.example.com: master
  # klist
  klist: No credentials cache found (ticket cache KEYRING:persistent:0:0)

I'm running RHEL 7 - not sure whether or not this behavior is different
on earlier versions.

-m






Re: [Freeipa-users] IPA Replica Issues

2014-07-28 Thread Mark Heslin

On 07/28/2014 12:46 PM, Joseph, Matthew (EXP) wrote:


Hello,

I'm currently running into some issues with my replica server.

I noticed it wasn't getting any updates from the master server so I 
tried to do a force-sync but it states that it is an "invalid 
password" which I know it is not the case.


I tried doing an ipa-replica-manager list replica_server but it gives 
me the SASL(-13) authentication failure: GSSAPI Failure: 
gss_accept_sec_context, 'desc' Invalid Credentials


I've tried doing a kdestroy and have it prompt me for the password but 
again, same error.


Any idea what this would be?


Thanks,

Matt




Joe,

Are you actually getting a valid Kerberos ticket - on the surface it 
would not appear so.


Also, the command is 'ipa-replica-manage list':

Example:
  # ipa-replica-manage list
  idm-srv1.example.com: master
  idm-srv2.example.com: master

-m


Re: [Freeipa-users] SSSD startup failures on ipa clients

2014-07-28 Thread Mark Heslin


Not sure why 'yum check' didn't report anything - I'll run it by release
engineering and see if they have anything to share.

Thank you!

-m


On 07/28/2014 09:19 AM, Jakub Hrozek wrote:

On Mon, Jul 28, 2014 at 09:02:17AM -0400, Mark Heslin wrote:

Hi Jakub,

(Top posting to save scrolling).

Success. It looks like the c-ares package was not installed during
ipa-client install:

# rpm -qV c-ares
package c-ares is not installed
# yum reinstall c-ares
...
Package(s) c-ares available, but not installed.
Error: Nothing to do
# yum clean all
...
# yum install c-ares
...
Installed:
c-ares.x86_64 0:1.7.0-6.el6

Complete!

# service sssd restart
Stopping sssd: cat: /var/run/sssd.pid: No such file or directory
[FAILED]
Starting sssd: [  OK  ]
#

Now the ssh keys are working :-)

So one last question. Would we normally track this down this way for a
customer or simply

I think just installing the package should be fine. I wonder why
yum check didn't report the broken c-ares dependency?


have them uninstall and re-install the ipa client? Is there any disadvantage
to that?

no, that should be fine as well, except for losing some local
modifications and maybe getting a keytab with a higher kvno.




Re: [Freeipa-users] SSSD startup failures on ipa clients

2014-07-28 Thread Mark Heslin

Hi Jakub,

(Top posting to save scrolling).

Success. It looks like the c-ares package was not installed during 
ipa-client install:


   # rpm -qV c-ares
   package c-ares is not installed
   # yum reinstall c-ares
   ...
   Package(s) c-ares available, but not installed.
   Error: Nothing to do
   # yum clean all
   ...
   # yum install c-ares
   ...
   Installed:
   c-ares.x86_64 0:1.7.0-6.el6

   Complete!

   # service sssd restart
   Stopping sssd: cat: /var/run/sssd.pid: No such file or directory [FAILED]
   Starting sssd: [  OK  ]
   #

Now the ssh keys are working :-)

So one last question. Would we normally track this down this way for a 
customer or simply
have them uninstall and re-install the ipa client? Is there any 
disadvantage to that?


Thank you!

-m


On 07/28/2014 08:38 AM, Jakub Hrozek wrote:

On Mon, Jul 28, 2014 at 08:28:01AM -0400, Mark Heslin wrote:

On 07/28/2014 07:33 AM, Jakub Hrozek wrote:

On Mon, Jul 28, 2014 at 07:28:22AM -0400, Mark Heslin wrote:

Hi Jakub,

I've added the output of 'sssd -i -d4' below:

On 07/28/2014 03:39 AM, Jakub Hrozek wrote:

On Sun, Jul 27, 2014 at 10:42:34PM -0400, Mark Heslin wrote:

Folks,

I just stumbled on an odd issue. I have an OpenShift deployment with 2
brokers, 2 nodes, 1 rhc client
all running RHEL 6.5. I also have 2 IPA servers (1 server, 1 replica), 1 IPA
admin (tools) client all running RHEL 7.0.
All OpenShift hosts, client and IPA client are members of IPA domain
'interop.example.com'.

After creating ssh public keys on the IPA admin client for user 'ose-admin1'
and uploading them into IPA,
I am able to ssh with the key to all IPA domain hosts as user 'ose-admin1'
except the 2 node hosts.
In looking closer at the 2 node hosts I noticed that SSSD keeps failing on
start:

# service sssd restart
Stopping sssd: cat: /var/run/sssd.pid: No such file or directory
[FAILED]
Starting sssd: [FAILED]

Starting with debug mode shows:

   [root@node1/2 ~]# sssd -d9
   (Sun Jul 27 22:12:29:527689 2014) [sssd] [check_file] (0x0400): lstat for
[/var/run/nscd/socket] failed: [2][No such file or directory].
   (Sun Jul 27 22:12:29:529293 2014) [sssd] [ldb] (0x0400):
server_sort:Unable to register control with rootdse!
   (Sun Jul 27 22:12:29:529596 2014) [sssd] [confdb_get_domain_internal]
(0x0400): No enumeration for [interop.example.com]!
   (Sun Jul 27 22:12:29:529646 2014) [sssd] [confdb_get_domain_internal]
(0x1000): pwd_expiration_warning is -1
   (Sun Jul 27 22:12:29:529686 2014) [sssd] [server_setup] (0x0040): Becoming
a daemon.

At this point sssd became a daemon and detached from the terminal, so no
more debug info was printed. Can you run sssd again, adding "-i"
(interactive) this time?

[root@node2 ~]# sssd -i -d4
(Mon Jul 28 07:25:20 2014) [sssd] [get_ping_config] (0x0100): Time between
service pings for [interop.example.com]: [10]
(Mon Jul 28 07:25:20 2014) [sssd] [get_ping_config] (0x0100): Time between
SIGTERM and SIGKILL for [interop.example.com]: [60]
(Mon Jul 28 07:25:20 2014) [sssd] [start_service] (0x0100): Queueing service
interop.example.com for startup
/usr/libexec/sssd/sssd_be: error while loading shared libraries:
libcares.so.2: cannot open shared object file: No such file or directory

^^^ Here goes the error. Can you check if c-ares is installed and has
the expected version? Yum check would be a good start, I think.

Here's what I found:

   # ll /usr/libexec/sssd/sssd_be
   -rwxr-xr-x. 1 root root 577480 Dec 19  2013 /usr/libexec/sssd/sssd_be

   # yum check
   Loaded plugins: priorities, security, subscription-manager
   This system is receiving updates from Red Hat Subscription Management.
   check all

#

Seems to be clean. Thoughts?

-m


rpm -q c-ares
rpm -qV c-ares
yum reinstall c-ares

make sure c-ares is the right architecture, same as the sssd daemon;
libraries can be multilib.




Re: [Freeipa-users] SSSD startup failures on ipa clients

2014-07-28 Thread Mark Heslin

On 07/28/2014 07:33 AM, Jakub Hrozek wrote:

On Mon, Jul 28, 2014 at 07:28:22AM -0400, Mark Heslin wrote:

Hi Jakub,

I've added the output of 'sssd -i -d4' below:

On 07/28/2014 03:39 AM, Jakub Hrozek wrote:

On Sun, Jul 27, 2014 at 10:42:34PM -0400, Mark Heslin wrote:

Folks,

I just stumbled on an odd issue. I have an OpenShift deployment with 2
brokers, 2 nodes, 1 rhc client
all running RHEL 6.5. I also have 2 IPA servers (1 server, 1 replica), 1 IPA
admin (tools) client all running RHEL 7.0.
All OpenShift hosts, client and IPA client are members of IPA domain
'interop.example.com'.

After creating ssh public keys on the IPA admin client for user 'ose-admin1'
and uploading them into IPA,
I am able to ssh with the key to all IPA domain hosts as user 'ose-admin1'
except the 2 node hosts.
In looking closer at the 2 node hosts I noticed that SSSD keeps failing on
start:

# service sssd restart
Stopping sssd: cat: /var/run/sssd.pid: No such file or directory
[FAILED]
Starting sssd: [FAILED]

Starting with debug mode shows:

   [root@node1/2 ~]# sssd -d9
   (Sun Jul 27 22:12:29:527689 2014) [sssd] [check_file] (0x0400): lstat for
[/var/run/nscd/socket] failed: [2][No such file or directory].
   (Sun Jul 27 22:12:29:529293 2014) [sssd] [ldb] (0x0400):
server_sort:Unable to register control with rootdse!
   (Sun Jul 27 22:12:29:529596 2014) [sssd] [confdb_get_domain_internal]
(0x0400): No enumeration for [interop.example.com]!
   (Sun Jul 27 22:12:29:529646 2014) [sssd] [confdb_get_domain_internal]
(0x1000): pwd_expiration_warning is -1
   (Sun Jul 27 22:12:29:529686 2014) [sssd] [server_setup] (0x0040): Becoming
a daemon.

At this point sssd became a daemon and detached from the terminal, so no
more debug info was printed. Can you run sssd again, adding "-i"
(interactive) this time?

[root@node2 ~]# sssd -i -d4
(Mon Jul 28 07:25:20 2014) [sssd] [get_ping_config] (0x0100): Time between
service pings for [interop.example.com]: [10]
(Mon Jul 28 07:25:20 2014) [sssd] [get_ping_config] (0x0100): Time between
SIGTERM and SIGKILL for [interop.example.com]: [60]
(Mon Jul 28 07:25:20 2014) [sssd] [start_service] (0x0100): Queueing service
interop.example.com for startup
/usr/libexec/sssd/sssd_be: error while loading shared libraries:
libcares.so.2: cannot open shared object file: No such file or directory

^^^ Here goes the error. Can you check if c-ares is installed and has
the expected version? Yum check would be a good start, I think.

Here's what I found:

  # ll /usr/libexec/sssd/sssd_be
  -rwxr-xr-x. 1 root root 577480 Dec 19  2013 /usr/libexec/sssd/sssd_be

  # yum check
  Loaded plugins: priorities, security, subscription-manager
  This system is receiving updates from Red Hat Subscription Management.
  check all

#

Seems to be clean. Thoughts?

-m



Re: [Freeipa-users] SSSD startup failures on ipa clients

2014-07-28 Thread Mark Heslin

Hi Jakub,

I've added the output of 'sssd -i -d4' below:

On 07/28/2014 03:39 AM, Jakub Hrozek wrote:

On Sun, Jul 27, 2014 at 10:42:34PM -0400, Mark Heslin wrote:

Folks,

I just stumbled on an odd issue. I have an OpenShift deployment with 2
brokers, 2 nodes, 1 rhc client
all running RHEL 6.5. I also have 2 IPA servers (1 server, 1 replica), 1 IPA
admin (tools) client all running RHEL 7.0.
All OpenShift hosts, client and IPA client are members of IPA domain
'interop.example.com'.

After creating ssh public keys on the IPA admin client for user 'ose-admin1'
and uploading them into IPA,
I am able to ssh with the key to all IPA domain hosts as user 'ose-admin1'
except the 2 node hosts.
In looking closer at the 2 node hosts I noticed that SSSD keeps failing on
start:

# service sssd restart
Stopping sssd: cat: /var/run/sssd.pid: No such file or directory
[FAILED]
Starting sssd: [FAILED]

Starting with debug mode shows:

   [root@node1/2 ~]# sssd -d9
   (Sun Jul 27 22:12:29:527689 2014) [sssd] [check_file] (0x0400): lstat for
[/var/run/nscd/socket] failed: [2][No such file or directory].
   (Sun Jul 27 22:12:29:529293 2014) [sssd] [ldb] (0x0400):
server_sort:Unable to register control with rootdse!
   (Sun Jul 27 22:12:29:529596 2014) [sssd] [confdb_get_domain_internal]
(0x0400): No enumeration for [interop.example.com]!
   (Sun Jul 27 22:12:29:529646 2014) [sssd] [confdb_get_domain_internal]
(0x1000): pwd_expiration_warning is -1
   (Sun Jul 27 22:12:29:529686 2014) [sssd] [server_setup] (0x0040): Becoming
a daemon.

At this point sssd became a daemon and detached from the terminal, so no
more debug info was printed. Can you run sssd again, adding "-i"
(interactive) this time?


[root@node2 ~]# sssd -i -d4
(Mon Jul 28 07:25:20 2014) [sssd] [get_ping_config] (0x0100): Time 
between service pings for [interop.example.com]: [10]
(Mon Jul 28 07:25:20 2014) [sssd] [get_ping_config] (0x0100): Time 
between SIGTERM and SIGKILL for [interop.example.com]: [60]
(Mon Jul 28 07:25:20 2014) [sssd] [start_service] (0x0100): Queueing 
service interop.example.com for startup
/usr/libexec/sssd/sssd_be: error while loading shared libraries: 
libcares.so.2: cannot open shared object file: No such file or directory
(Mon Jul 28 07:25:20 2014) [sssd] [mt_svc_exit_handler] (0x0040): Child 
[interop.example.com] exited with code [127]
(Mon Jul 28 07:25:20 2014) [sssd] [get_ping_config] (0x0100): Time 
between service pings for [interop.example.com]: [10]
(Mon Jul 28 07:25:20 2014) [sssd] [get_ping_config] (0x0100): Time 
between SIGTERM and SIGKILL for [interop.example.com]: [60]
(Mon Jul 28 07:25:20 2014) [sssd] [start_service] (0x0100): Queueing 
service interop.example.com for startup
/usr/libexec/sssd/sssd_be: error while loading shared libraries: 
libcares.so.2: cannot open shared object file: No such file or directory
(Mon Jul 28 07:25:20 2014) [sssd] [mt_svc_exit_handler] (0x0040): Child 
[interop.example.com] exited with code [127]
(Mon Jul 28 07:25:22 2014) [sssd] [get_ping_config] (0x0100): Time 
between service pings for [interop.example.com]: [10]
(Mon Jul 28 07:25:22 2014) [sssd] [get_ping_config] (0x0100): Time 
between SIGTERM and SIGKILL for [interop.example.com]: [60]
(Mon Jul 28 07:25:22 2014) [sssd] [start_service] (0x0100): Queueing 
service interop.example.com for startup
/usr/libexec/sssd/sssd_be: error while loading shared libraries: 
libcares.so.2: cannot open shared object file: No such file or directory
(Mon Jul 28 07:25:22 2014) [sssd] [mt_svc_exit_handler] (0x0040): Child 
[interop.example.com] exited with code [127]
(Mon Jul 28 07:25:25 2014) [sssd] [services_startup_timeout] (0x0020): 
Providers did not start in time, forcing services startup!
(Mon Jul 28 07:25:25 2014) [sssd] [services_startup_timeout] (0x0100): 
Now starting services!
(Mon Jul 28 07:25:25 2014) [sssd] [get_ping_config] (0x0100): Time 
between service pings for [nss]: [10]
(Mon Jul 28 07:25:25 2014) [sssd] [get_ping_config] (0x0100): Time 
between SIGTERM and SIGKILL for [nss]: [60]
(Mon Jul 28 07:25:25 2014) [sssd] [start_service] (0x0100): Queueing 
service nss for startup
(Mon Jul 28 07:25:25 2014) [sssd] [get_ping_config] (0x0100): Time 
between service pings for [pam]: [10]
(Mon Jul 28 07:25:25 2014) [sssd] [get_ping_config] (0x0100): Time 
between SIGTERM and SIGKILL for [pam]: [60]
(Mon Jul 28 07:25:25 2014) [sssd] [start_service] (0x0100): Queueing 
service pam for startup
(Mon Jul 28 07:25:25 2014) [sssd] [get_ping_config] (0x0100): Time 
between service pings for [ssh]: [10]
(Mon Jul 28 07:25:25 2014) [sssd] [get_ping_config] (0x0100): Time 
between SIGTERM and SIGKILL for [ssh]: [60]
(Mon Jul 28 07:25:25 2014) [sssd] [start_service] (0x0100): Queueing 
service ssh for startup
(Mon Jul 28 07:25:25 2014) [sssd] [get_ping_config] (0x0100): Time 
between service pings for [pac]: [10]
(Mon Jul 28 07:25:25 2014) [sssd] [get_ping_config] (0x0100): Time 
between SIGTERM and S

[Freeipa-users] SSSD startup failures on ipa clients

2014-07-27 Thread Mark Heslin

Folks,

I just stumbled on an odd issue. I have an OpenShift deployment with 2 
brokers, 2 nodes, 1 rhc client
all running RHEL 6.5. I also have 2 IPA servers (1 server, 1 replica), 1 
IPA admin (tools) client all running RHEL 7.0.
All OpenShift hosts, client and IPA client are members of IPA domain 
'interop.example.com'.


After creating ssh public keys on the IPA admin client for user 
'ose-admin1' and uploading them into IPA,
I am able to ssh with the key to all IPA domain hosts as user 
'ose-admin1' except the 2 node hosts.
In looking closer at the 2 node hosts I noticed that SSSD keeps failing 
on start:


# service sssd restart
Stopping sssd: cat: /var/run/sssd.pid: No such file or 
directory[FAILED]

Starting sssd: [FAILED]

Starting with debug mode shows:

  [root@node1/2 ~]# sssd -d9
  (Sun Jul 27 22:12:29:527689 2014) [sssd] [check_file] (0x0400): lstat 
for [/var/run/nscd/socket] failed: [2][No such file or directory].
  (Sun Jul 27 22:12:29:529293 2014) [sssd] [ldb] (0x0400): 
server_sort:Unable to register control with rootdse!
  (Sun Jul 27 22:12:29:529596 2014) [sssd] [confdb_get_domain_internal] 
(0x0400): No enumeration for [interop.example.com]!
  (Sun Jul 27 22:12:29:529646 2014) [sssd] [confdb_get_domain_internal] 
(0x1000): pwd_expiration_warning is -1
  (Sun Jul 27 22:12:29:529686 2014) [sssd] [server_setup] (0x0040): 
Becoming a daemon.


The logs show nothing useful, but this problem started during the 
ipa-client-install - the log shows:


  2014-07-23T18:40:22Z DEBUG args=/usr/sbin/authconfig --enablesssdauth 
--enablemkhomedir --update --enablesssd

  2014-07-23T18:40:22Z DEBUG stdout=Starting oddjobd:[  OK ]
  2014-07-23T18:40:22Z DEBUG stderr=
  2014-07-23T18:40:22Z INFO SSSD enabled
  2014-07-23T18:40:29Z DEBUG args=/sbin/service sssd restart
  2014-07-23T18:40:29Z DEBUG stdout=Stopping sssd: [FAILED]
  Starting sssd:[FAILED]

  2014-07-23T18:40:29Z DEBUG stderr=cat: /var/run/sssd.pid: No such 
file or directory


  2014-07-23T18:40:29Z WARNING SSSD service restart was unsuccessful.
  2014-07-23T18:40:29Z DEBUG args=/sbin/chkconfig sssd on
  2014-07-23T18:40:29Z DEBUG stdout=

Any ideas? Have we seen this before? I suppose I could uninstall the ipa 
client and re-install but I didn't want to touch anything until I hear back.

Thanks!

-m

btw - All systems have been updated as of this evening. Kerberos works 
fine but anything requiring lookups is toast.







Re: [Freeipa-users] id: cannot find name for group ID

2014-07-25 Thread Mark Heslin

On 07/24/2014 11:33 PM, Jatin Nansi wrote:

What does

getent group ose-developers
getent group 88902

on the ipa client show? The client sssd nss and domain logs will log 
any relevant errors.


Jatin


Hi Jatin,

Beats me but - apparently it's working fine now:

  $  ssh -Y -l ose-dev1 rhc1.interop.example.com
   Last login: Thu Jul 24 19:51:19 2014 from xrhc1.interop.example.com
   Kickstarted on 2013-12-11

   [ose-dev1@rhc1 ~]$ getent group ose-developers
   ose-developers:*:88902:

   [ose-dev1@rhc1 ~]$ getent group 88902
   ose-developers:*:88902:

   [ose-dev1@rhc1 ~]$ id
   uid=88902(ose-dev1) gid=88902(ose-developers) groups=88902(ose-developers) 
context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023


I rebooted both IdM servers, client about an hour before - maybe the 
client had old cache entries?


Thanks and sorry for the false alarm.

-m







On 25/07/14 13:22, Mark Heslin wrote:

Happy Friday,

I'm getting this message on login to an IPA client and not sure why:

  $ ssh -Y -l ose-dev1 rhc1.interop.example.com
  ose-d...@rhc1.interop.example.com's password:
  Last login: Thu Jul 24 19:46:46 2014 from rhc1.interop.example.com
  Kickstarted on 2013-12-11
  id: cannot find name for group ID 88902   <--- ???

The group and account were created about 2 months ago on an IdM (RHEL 
7) server as follows:


  # ipa group-add ose-developers --desc="OpenShift Developers" --gid=88902

  Added group "ose-developers"

    Group name: ose-developers
    Description: OpenShift Developers
    GID: 88902

  # ipa user-add ose-dev1 --first="OSE" --last="Dev 1" --displayname="OpenShift Developer 1" --homedir="/home/ose-dev1" --shell="/bin/bash" --uid=88902 --gidnumber=88902 --password
   Password: ***
   Enter Password again to verify:
   -
   Added user "ose-dev1"
   -
 User login: ose-dev1
 First name: OSE
 Last name: Dev 1
 Full name: OSE Dev 1
 Display name: OpenShift Developer 1
 Initials: OD
 Home directory: /home/ose-dev1
 GECOS: OSE Dev 1
 Login shell: /bin/bash
 Kerberos principal: ose-d...@interop.example.com
 Email address: ose-d...@interop.example.com
 UID: 88902
 GID: 88902
 Password: True
 Member of groups: ipausers
 Kerberos keys available: True

On the IdM server, when I run 'group-show', 'group-find' I get:

# ipa group-show ose-developers
  Group name: ose-developers
  Description: OpenShift Developers
  GID: 88902

# ipa group-find ose-developers
  ---
  1 group matched
  ---
  Group name: ose-developers
  Description: OpenShift Developers
  GID: 88902
  
  Number of entries returned 1
  

and 'user-show' returns:

# ipa user-show ose-dev1
  User login: ose-dev1
  First name: OSE
  Last name: Dev 1
  Home directory: /home/ose-dev1
  Login shell: /bin/bash
  Email address: ose-d...@interop.example.com
  UID: 88902
  GID: 88902
  Account disabled: False
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True

so clearly the groups, user entries are correct in IdM. On first 
login, the homedir is created but the group name is not resolved:

  $ pwd
  /home/ose-dev1
  [ose-dev1@xrhc1 ~]$ ls -lad .
  drwxr-xr-x. 3 ose-dev1 88902 4096 Jul 24 19:51 .
  $ id
  uid=88902(ose-dev1) gid=88902 groups=88902 
context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023


Is there some other client side lookup issue that is causing this? 
Why doesn't gid=88902 map to (ose-developers)?


Thanks!

-m


--

Red Hat Reference Architectures

Follow Us:https://twitter.com/RedHatRefArch
Plus Us:https://plus.google.com/u/0/b/114152126783830728030/
Like Us:https://www.facebook.com/rhrefarch










[Freeipa-users] id: cannot find name for group ID

2014-07-24 Thread Mark Heslin

Happy Friday,

I'm getting this message on login to an IPA client and not sure why:

  $ ssh -Y -l ose-dev1 rhc1.interop.example.com
  ose-d...@rhc1.interop.example.com's password:
  Last login: Thu Jul 24 19:46:46 2014 from rhc1.interop.example.com
  Kickstarted on 2013-12-11
  id: cannot find name for group ID 88902   <--- ???

The group and account were created about 2 months ago on an IdM (RHEL 7) 
server as follows:


  # ipa group-add ose-developers --desc="OpenShift Developers" --gid=88902

  Added group "ose-developers"

    Group name: ose-developers
    Description: OpenShift Developers
    GID: 88902

  # ipa user-add ose-dev1 --first="OSE" --last="Dev 1" --displayname="OpenShift Developer 1" --homedir="/home/ose-dev1" --shell="/bin/bash" --uid=88902 --gidnumber=88902 --password
   Password: ***
   Enter Password again to verify:
   -
   Added user "ose-dev1"
   -
 User login: ose-dev1
 First name: OSE
 Last name: Dev 1
 Full name: OSE Dev 1
 Display name: OpenShift Developer 1
 Initials: OD
 Home directory: /home/ose-dev1
 GECOS: OSE Dev 1
 Login shell: /bin/bash
 Kerberos principal: ose-d...@interop.example.com
 Email address: ose-d...@interop.example.com
 UID: 88902
 GID: 88902
 Password: True
 Member of groups: ipausers
 Kerberos keys available: True

On the IdM server, when I run 'group-show', 'group-find' I get:

# ipa group-show ose-developers
  Group name: ose-developers
  Description: OpenShift Developers
  GID: 88902

# ipa group-find ose-developers
  ---
  1 group matched
  ---
  Group name: ose-developers
  Description: OpenShift Developers
  GID: 88902
  
  Number of entries returned 1
  

and 'user-show' returns:

# ipa user-show ose-dev1
  User login: ose-dev1
  First name: OSE
  Last name: Dev 1
  Home directory: /home/ose-dev1
  Login shell: /bin/bash
  Email address: ose-d...@interop.example.com
  UID: 88902
  GID: 88902
  Account disabled: False
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True

so clearly the groups, user entries are correct in IdM. On first login, 
the homedir is created but the group name is not resolved:

  $ pwd
  /home/ose-dev1
  [ose-dev1@xrhc1 ~]$ ls -lad .
  drwxr-xr-x. 3 ose-dev1 88902 4096 Jul 24 19:51 .
  $ id
  uid=88902(ose-dev1) gid=88902 groups=88902 
context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023


Is there some other client side lookup issue that is causing this? Why 
doesn't gid=88902 map to (ose-developers)?


Thanks!

-m



Re: [Freeipa-users] Correct *usage* for round-robin DNS srv records

2014-07-23 Thread Mark Heslin

Hi Alexander,

>SRV records need to be resolved first by your software and then resolved
>records used to perform lookups of the SRV entry content.

Ah, yes, that explains it.

>If your clients don't know how to do that, you  can use multiple A/
>record entries to allow round-robin them.

The funny thing here is that this is how I initially configured this (A 
Recs) but it was suggested that I use srv records. Since the OpenShift 
clients do not make use of srv records, I'll go back to my initial 
configuration with A records.

At least now I understand srv records better and this will be used more 
and more in the future :-)


Thank you all!

-m


On 07/23/2014 10:11 AM, Alexander Bokovoy wrote:

On Wed, 23 Jul 2014, Mark Heslin wrote:

Martin, Petr,

Thanks for helping me sort through the syntax. I have the entries 
added properly:


 # ipa dnsrecord-show example.com _foo.tcp
   Record name: _foo.tcp
   SRV record: 0 0 53 foo1.example.com., 0 0 53 foo2.example.com.

 # host -t srv _foo.tcp
 _foo.tcp.example.com has SRV record 0 0 53 foo2.example.com.
 _foo.tcp.example.com has SRV record 0 0 53 foo1.example.com.

but how do I actually use the entry?

You are already using it above with host command.



# nslookup _foo.tcp
Server:10.19.140.101
Address:10.19.140.101#53

*** Can't find _foo.tcp: No answer

# nslookup _foo.tcp.example.com.
Server:10.19.140.101
Address:10.19.140.101#53

*** Can't find _foo.tcp.example.com.: No answer

This is an SRV record, so you need to tell nslookup to look up an SRV record,
not an A or CNAME as it does by default.



# ping _foo.tcp
ping: unknown host _foo.tcp

SRV records need to be resolved first by your software, and then the resolved
records are used to perform lookups of the SRV entry content.
http://en.wikipedia.org/wiki/SRV_record



The point of this is to create a front-end to balance requests from 
OpenShift clients across a set of OpenShift brokers. Host "foo" would 
alternate across the first broker (foo1) and second broker (foo2).

Then OpenShift clients (software) need to know how to resolve the SRV 
record prior to connecting to the host that the record points to.

If your clients don't know how to do that, you can use multiple A 
record entries to round-robin them.




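To make Alexander's and Petr's points concrete, here is an added example (not FreeIPA code and not from the thread): it parses --srv-rec strings the way the zone treats them (origin appended unless the target has a trailing dot) and then performs the RFC 2782 priority/weight selection an SRV-aware client does before connecting. It goes beyond the thread's two 0/0 records by handling unequal priorities and weights; SrvRecord, parse_srv_rec, select_target and failover_order are names chosen here.

```python
import random
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str  # always fully qualified, trailing dot included


def qualify_target(target: str, origin: str) -> str:
    """Zone-file semantics (BIND 9 and the IPA DNS plugin behave alike):
    a target without a trailing dot is relative to the zone origin and has
    it appended. This is how "foo1.example.com" in the thread turned into
    "foo1.example.com.example.com."."""
    if not origin.endswith("."):
        origin += "."
    return target if target.endswith(".") else f"{target}.{origin}"


def parse_srv_rec(value: str, origin: str) -> SrvRecord:
    """Parse a "priority weight port target" string, the --srv-rec format."""
    parts = value.split()
    if len(parts) != 4:
        raise ValueError(f"expected 'priority weight port target', got {value!r}")
    priority, weight, port = (int(p) for p in parts[:3])
    if not (0 <= priority <= 65535 and 0 <= weight <= 65535 and 0 < port <= 65535):
        raise ValueError(f"field out of range in {value!r}")
    return SrvRecord(priority, weight, port, qualify_target(parts[3], origin))


def select_target(records: List[SrvRecord], rng: random.Random) -> Optional[SrvRecord]:
    """One RFC 2782 selection round. Lowest priority wins outright; among
    equal priorities, weight-0 entries go first and a uniform draw over the
    running sum of weights picks one. Returns None if nothing is left."""
    if not records:
        return None
    lowest = min(r.priority for r in records)
    tier = sorted((r for r in records if r.priority == lowest),
                  key=lambda r: r.weight != 0)  # False < True: zero weights first
    total = sum(r.weight for r in tier)
    if total == 0:  # all weights 0 (the thread's records): any order is allowed
        return rng.choice(tier)
    pick = rng.randint(0, total)
    running = 0
    for r in tier:
        running += r.weight
        if running >= pick:
            return r
    return tier[-1]  # not reached: the last running sum equals total >= pick


def failover_order(records: List[SrvRecord], seed: Optional[int] = None) -> List[Tuple[str, int]]:
    """Repeat the selection, dropping each chosen record, to get the full
    (target, port) sequence a client tries until one answers."""
    rng = random.Random(seed)
    remaining = list(records)
    order: List[Tuple[str, int]] = []
    while remaining:
        chosen = select_target(remaining, rng)
        remaining.remove(chosen)
        order.append((chosen.target, chosen.port))
    return order


# The two records from the thread, with port 53 as typed there (Petr's point
# stands: the port should be the application's, not DNS's).
THREAD_RECORDS = [
    parse_srv_rec("0 0 53 foo1.example.com.", "example.com"),
    parse_srv_rec("0 0 53 foo2.example.com.", "example.com"),
]

if __name__ == "__main__":
    # The mistake from the thread: no trailing dot, so the origin is appended.
    print(parse_srv_rec("0 50 53 foo1.example.com", "example.com").target)
    for seed in range(3):
        print(failover_order(THREAD_RECORDS, seed=seed))
```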


[Freeipa-users] Correct *usage* for round-robin DNS srv records

2014-07-23 Thread Mark Heslin

Martin, Petr,

Thanks for helping me sort through the syntax. I have the entries added 
properly:


  # ipa dnsrecord-show example.com _foo.tcp
Record name: _foo.tcp
SRV record: 0 0 53 foo1.example.com., 0 0 53 foo2.example.com.

  # host -t srv _foo.tcp
  _foo.tcp.example.com has SRV record 0 0 53 foo2.example.com.
  _foo.tcp.example.com has SRV record 0 0 53 foo1.example.com.

but how do I actually use the entry?

 # nslookup _foo.tcp
 Server:10.19.140.101
 Address:10.19.140.101#53

 *** Can't find _foo.tcp: No answer

# nslookup _foo.tcp.example.com.
Server:10.19.140.101
Address:10.19.140.101#53

*** Can't find _foo.tcp.example.com.: No answer

# ping _foo.tcp
ping: unknown host _foo.tcp

The point of this is to create a front-end to balance requests from 
OpenShift clients across a set of OpenShift brokers. Host "foo" would 
alternate across the first broker (foo1) and second broker (foo2).

-m




On 07/22/2014 08:06 AM, Mark Heslin wrote:

On 07/22/2014 08:00 AM, Mark Heslin wrote:

Martin, Petr,

I didn't see that missing dot "." - good catch. As always the devil 
is in the details :-)


Two follow up questions:

 1. I've set the priority and weighting equally here but I will add a third host,
    so would it make sense to just set both priority and weight to "0" for all three hosts?:


   # ipa dnsrecord-add example.com _foo.tcp --srv-rec="0 0 53 foo1.example.com."
   # ipa dnsrecord-add example.com _foo.tcp --srv-rec="0 0 53 foo2.example.com."
   # ipa dnsrecord-add example.com _foo.tcp --srv-rec="0 0 53 foo3.example.com."


 2. To Petr's point about registering the "_foo.tcp" service. By definition this isn't really
    a true "service" and more like "CNAME with benefits". (Sorry, couldn't resist the bad dating reference ;-))
    Do I actually still need to add this to /etc/services? If so, then I'd have to do that for
    all hosts in the environment, IdM servers, clients, etc., correct?

    Truth be told, this is just being used for an alternative to a true h/w, s/w load balancer
    for demonstration purposes so I'm sure adding it to the services file makes sense.


Gah! I meant to say I'm *not* sure adding it to the services file 
makes sense.





Thank you both!

-m




On 07/22/2014 03:16 AM, Petr Spacek wrote:

On 22.7.2014 00:13, Mark Heslin wrote:

Hi All,

I had some off-list exchanges with Petr Spacek on this but am still 
trying to work out the correct syntax.
I have 2 hosts:

- foo1.example.com
- foo2.example.com

and would like to create a round-robin DNS srv record for both called
foo.example.com

I already have DNS entries for both hosts in IPA:

   # ipa dnsrecord-show example.com foo1
 Record name: foo1
 A record: 10.0.0.1
   # ipa dnsrecord-show example.com foo2
 Record name: foo2
 A record: 10.0.0.2

I'd like to get the correct syntax for adding the srv record for foo.
My understanding is that it should be something like this:

   # ipa dnsrecord-add example.com _foo.tcp --srv-rec="0 50 53 foo1.example.com"
     Record name: _foo.tcp
     SRV record: 0 50 53 foo1.example.com
   # ipa dnsrecord-add example.com _foo.tcp --srv-rec="0 50 53 foo2.example.com"
     Record name: _foo.tcp
     SRV record: 0 50 53 foo2.example.com

which seemed to be added ok but on second glance I think not:

   # host -t srv _foo.tcp.example.com
   _foo.tcp..example.com has SRV record 0 50 53 foo1.example.com.example.com.
   _foo.tcp..example.com has SRV record 0 50 53 foo2.example.com.example.com.


In looking over the description of rfc2782
<http://en.wikipedia.org/wiki/SRV_record> it appears the IPA syntax is a
little different,


I don't think so :-)

Please note the trailing dot in "target" part of 
http://en.wikipedia.org/wiki/SRV_record#Record_format.


IPA behaves in the same way as BIND 9: All domain names without 
trailing dot are automatically extended with zone origin, i.e. 
"example.com.".


You have two options:
# ipa dnsrecord-add example.com _foo.tcp --srv-rec="0 50 53 foo1" 
(DNS server will automatically append "example.com.")


or

# ipa dnsrecord-add example.com _foo.tcp --srv-rec="0 50 53 foo1.example.com."

(please note the trailing dot)



Another note is about "_foo". "foo" should be "service name" 
according to
http://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml 



It will probably not cause any problems if you invent your own name 
(preferably prefixed with x- to avoid collisions in future, e.g. 
"_x-foo"), but it will not hurt you if you register your protocol 
into the registry :-)

See http://tools.ietf.org/html/rfc6335

and the documentation is scarce so admittedly I'

Re: [Freeipa-users] Correct syntax for round-robin DNS srv records

2014-07-22 Thread Mark Heslin

On 07/22/2014 08:00 AM, Mark Heslin wrote:

Martin, Petr,

I didn't see that missing dot "." - good catch. As always the devil is 
in the details :-)


Two follow up questions:

 1. I've set the priority and weighting equally here but I will add a third host,
    so would it make sense to just set both priority and weight to "0" for all three hosts?:


   # ipa dnsrecord-add example.com _foo.tcp --srv-rec="0 0 53 foo1.example.com."
   # ipa dnsrecord-add example.com _foo.tcp --srv-rec="0 0 53 foo2.example.com."
   # ipa dnsrecord-add example.com _foo.tcp --srv-rec="0 0 53 foo3.example.com."


 2. To Petr's point about registering the "_foo.tcp" service. By definition this isn't really
    a true "service" and more like "CNAME with benefits". (Sorry, couldn't resist the bad dating reference ;-))
    Do I actually still need to add this to /etc/services? If so, then I'd have to do that for
    all hosts in the environment, IdM servers, clients, etc., correct?

    Truth be told, this is just being used for an alternative to a true h/w, s/w load balancer
    for demonstration purposes so I'm sure adding it to the services file makes sense.


Gah! I meant to say I'm *not* sure adding it to the services file makes 
sense.





Thank you both!

-m




On 07/22/2014 03:16 AM, Petr Spacek wrote:

On 22.7.2014 00:13, Mark Heslin wrote:

Hi All,

I had some off-list exchanges with Petr Spacek on this but am still 
trying to work out the correct syntax.
I have 2 hosts:

- foo1.example.com
- foo2.example.com

and would like to create a round-robin DNS srv record for both called
foo.example.com

I already have DNS entries for both hosts in IPA:

   # ipa dnsrecord-show example.com foo1
 Record name: foo1
 A record: 10.0.0.1
   # ipa dnsrecord-show example.com foo2
 Record name: foo2
 A record: 10.0.0.2

I'd like to get the correct syntax for adding the srv record for foo.
My understanding is that it should be something like this:

   # ipa dnsrecord-add example.com _foo.tcp --srv-rec="0 50 53 foo1.example.com"
     Record name: _foo.tcp
     SRV record: 0 50 53 foo1.example.com
   # ipa dnsrecord-add example.com _foo.tcp --srv-rec="0 50 53 foo2.example.com"
     Record name: _foo.tcp
     SRV record: 0 50 53 foo2.example.com

which seemed to be added ok but on second glance I think not:

   # host -t srv _foo.tcp.example.com
   _foo.tcp..example.com has SRV record 0 50 53 foo1.example.com.example.com.
   _foo.tcp..example.com has SRV record 0 50 53 foo2.example.com.example.com.


In looking over the description of rfc2782
<http://en.wikipedia.org/wiki/SRV_record> it appears the IPA syntax is a
little different,


I don't think so :-)

Please note the trailing dot in "target" part of 
http://en.wikipedia.org/wiki/SRV_record#Record_format.


IPA behaves in the same way as BIND 9: All domain names without 
trailing dot are automatically extended with zone origin, i.e. 
"example.com.".


You have two options:
# ipa dnsrecord-add example.com _foo.tcp --srv-rec="0 50 53 foo1" 
(DNS server will automatically append "example.com.")


or

# ipa dnsrecord-add example.com _foo.tcp --srv-rec="0 50 53 foo1.example.com."

(please note the trailing dot)



Another note is about "_foo". "foo" should be "service name" 
according to
http://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml 



It will probably not cause any problems if you invent your own name 
(preferably prefixed with x- to avoid collisions in future, e.g. 
"_x-foo"), but it will not hurt you if you register your protocol 
into the registry :-)

See http://tools.ietf.org/html/rfc6335

and the documentation is scarce so admittedly I'm taking a swag at this ;-)


I can do this fine without srv but don't have enough familiarity with DNS srv here.
Can anyone help clarify what I'm missing? I'd like to have equal weighting, priority
to both hosts - I'm assuming the port (53) is correct for DNS here as well.

What are you trying to achieve? The port number refers to the port used 
by your application, not to DNS.










Re: [Freeipa-users] Correct syntax for round-robin DNS srv records

2014-07-22 Thread Mark Heslin

Martin, Petr,

I didn't see that missing dot "." - good catch. As always the devil is 
in the details :-)


Two follow up questions:

 1. I've set the priority and weighting equally here but I will add a third host,
    so would it make sense to just set both priority and weight to "0" for all three hosts?:


   # ipa dnsrecord-add example.com _foo.tcp --srv-rec="0 0 53 foo1.example.com."
   # ipa dnsrecord-add example.com _foo.tcp --srv-rec="0 0 53 foo2.example.com."
   # ipa dnsrecord-add example.com _foo.tcp --srv-rec="0 0 53 foo3.example.com."


 2. To Petr's point about registering the "_foo.tcp" service. By definition this isn't really
    a true "service" and more like "CNAME with benefits". (Sorry, couldn't resist the bad dating reference ;-))
    Do I actually still need to add this to /etc/services? If so, then I'd have to do that for
    all hosts in the environment, IdM servers, clients, etc., correct?

    Truth be told, this is just being used for an alternative to a true h/w, s/w load balancer
    for demonstration purposes so I'm sure adding it to the services file makes sense.


Thank you both!

-m




On 07/22/2014 03:16 AM, Petr Spacek wrote:

On 22.7.2014 00:13, Mark Heslin wrote:

Hi All,

I had some off-list exchanges with Petr Spacek on this but am still 
trying to work out the correct syntax.
I have 2 hosts:

- foo1.example.com
- foo2.example.com

and would like to create a round-robin DNS srv record for both called
foo.example.com

I already have DNS entries for both hosts in IPA:

   # ipa dnsrecord-show example.com foo1
 Record name: foo1
 A record: 10.0.0.1
   # ipa dnsrecord-show example.com foo2
 Record name: foo2
 A record: 10.0.0.2

I'd like to get the correct syntax for adding the srv record for foo.
My understanding is that it should be something like this:

   # ipa dnsrecord-add example.com _foo.tcp --srv-rec="0 50 53 foo1.example.com"
     Record name: _foo.tcp
     SRV record: 0 50 53 foo1.example.com
   # ipa dnsrecord-add example.com _foo.tcp --srv-rec="0 50 53 foo2.example.com"
     Record name: _foo.tcp
     SRV record: 0 50 53 foo2.example.com

which seemed to be added ok but on second glance I think not:

   # host -t srv _foo.tcp.example.com
   _foo.tcp..example.com has SRV record 0 50 53 foo1.example.com.example.com.
   _foo.tcp..example.com has SRV record 0 50 53 foo2.example.com.example.com.


In looking over the description of rfc2782
<http://en.wikipedia.org/wiki/SRV_record> it appears the IPA syntax is a
little different,


I don't think so :-)

Please note the trailing dot in "target" part of 
http://en.wikipedia.org/wiki/SRV_record#Record_format.


IPA behaves in the same way as BIND 9: All domain names without 
trailing dot are automatically extended with zone origin, i.e. 
"example.com.".


You have two options:
# ipa dnsrecord-add example.com _foo.tcp --srv-rec="0 50 53 foo1" (DNS 
server will automatically append "example.com.")


or

# ipa dnsrecord-add example.com _foo.tcp --srv-rec="0 50 53 foo1.example.com."

(please note the trailing dot)



Another note is about "_foo". "foo" should be "service name" according to
http://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml 



It will probably not cause any problems if you invent your own name 
(preferably prefixed with x- to avoid collisions in future, e.g. 
"_x-foo"), but it will not hurt you if you register your protocol into 
the registry :-)

See http://tools.ietf.org/html/rfc6335

and the documentation is scarce so admittedly I'm taking a swag at this ;-)


I can do this fine without srv but don't have enough familiarity with DNS srv here.
Can anyone help clarify what I'm missing? I'd like to have equal weighting, priority
to both hosts - I'm assuming the port (53) is correct for DNS here as well.

What are you trying to achieve? The port number refers to the port used by 
your application, not to DNS.







[Freeipa-users] Correct syntax for round-robin DNS srv records

2014-07-21 Thread Mark Heslin

Hi All,

I had some off-list exchanges with Petr Spacek on this but am still 
trying to work out the correct syntax.

I have 2 hosts:

   - foo1.example.com
   - foo2.example.com

and would like to create a round-robin DNS srv record for both called 
foo.example.com


I already have DNS entries for both hosts in IPA:

  # ipa dnsrecord-show example.com foo1
Record name: foo1
A record: 10.0.0.1
  # ipa dnsrecord-show example.com foo2
Record name: foo2
A record: 10.0.0.2

I'd like to get the correct syntax for adding the srv record for foo.
My understanding is that it should be something like this:

  # ipa dnsrecord-add example.com _foo.tcp --srv-rec="0 50 53 foo1.example.com"
    Record name: _foo.tcp
    SRV record: 0 50 53 foo1.example.com
  # ipa dnsrecord-add example.com _foo.tcp --srv-rec="0 50 53 foo2.example.com"
    Record name: _foo.tcp
    SRV record: 0 50 53 foo2.example.com

which seemed to be added ok but on second glance I think not:

  # host -t srv _foo.tcp.example.com
  _foo.tcp..example.com has SRV record 0 50 53 foo1.example.com.example.com.
  _foo.tcp..example.com has SRV record 0 50 53 foo2.example.com.example.com.


In looking over the description of rfc2782 
 it appears the IPA syntax is a 
little different,

and the documentation is scarce so admittedly I'm taking a swag at this ;-)

I can do this fine without srv but don't have enough familiarity with 
DNS srv here.
Can anyone help clarify what I'm missing? I'd like to have equal 
weighting, priority to both hosts - I'm assuming the port (53) is 
correct for DNS here as well.

Thank you very much,

-m




