[Freeipa-users] reverse DNS lookup does not work
Reverse DNS lookup stopped working after I broke some replication agreements (perhaps unrelated, but worth mentioning). Regular A records resolve fine. The records can be seen in LDAP (using ldapsearch with GSSAPI after kinit -t /etc/named.keytab):

the zone:

# 0.63.10.in-addr.arpa., dns, ipa.example.net
dn: idnsname=0.63.10.in-addr.arpa.,cn=dns,dc=ipa,dc=example,dc=net
idnsUpdatePolicy: grant IPA.example.NET krb5-self * PTR; grant IPA.example.NET krb5-self * SSHFP;
idnsAllowDynUpdate: TRUE
idnsForwarders: 172.23.1.5
idnsAllowSyncPTR: TRUE
idnsSOAserial: 1439302482
idnsSOArName: hostmaster.ipa.example.net.
idnsZoneActive: TRUE
idnsSOAexpire: 1209600
nSRecord: ldap1.example.lan.
idnsSOAminimum: 3600
objectClass: idnszone
objectClass: top
objectClass: idnsrecord
idnsAllowTransfer: none;
idnsSOAretry: 900
idnsSOArefresh: 3600
idnsAllowQuery: any;
idnsName: 0.63.10.in-addr.arpa.
idnsSOAmName: ldap1.example.lan.

the entry:

# 68, 0.63.10.in-addr.arpa., dns, ipa.example.net
dn: idnsname=68,idnsname=0.63.10.in-addr.arpa.,cn=dns,dc=ipa,dc=example,dc=net
objectClass: top
objectClass: idnsrecord
cNAMERecord: ds02.example.lan.
idnsName: 68

but the reverse DNS lookup fails anyway:

[root@ldap1 ~]# dig -x 10.63.0.68

; <<>> DiG 9.9.6-P1-RedHat-9.9.6-8.P1.fc21 <<>> -x 10.63.0.68
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 59911
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;68.0.63.10.in-addr.arpa.        IN      PTR

;; AUTHORITY SECTION:
10.in-addr.arpa.        86400   IN      SOA     10.in-addr.arpa. . 0 28800 7200 604800 86400

;; Query time: 4 msec
;; SERVER: 172.23.1.5#53(172.23.1.5)
;; WHEN: Tue Aug 11 14:40:08 UTC 2015
;; MSG SIZE  rcvd: 87

[root@ldap1 ~]#

Any thoughts?

--
S poštovanjem / Regards,
Nikola Kržalić.
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
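Two things in the output quoted above are worth checking mechanically before looking at replication, and the script below does that. It is an added example written for this page, not code from the thread or from FreeIPA. It parses the LDIF and the dig output exactly as the poster showed them (embedded here as constructed sample input) and reports: whether the LDAP entry for the reverse name actually carries a pTRRecord (the one shown carries only a cNAMERecord), whether the server that answered dig is the zone's idnsForwarders value rather than the IPA server, and whether the SOA in the authority section belongs to the zone held in LDAP or to a parent zone. The function names and the wording of the findings are my own.

```python
"""Sanity checks for a FreeIPA reverse-zone lookup failure (added example)."""
import ipaddress
import re

# Constructed sample input: the LDIF and dig output quoted in the post above.
ZONE_LDIF = """\
dn: idnsname=0.63.10.in-addr.arpa.,cn=dns,dc=ipa,dc=example,dc=net
idnsUpdatePolicy: grant IPA.example.NET krb5-self * PTR; grant IPA.example.NET krb5-self * SSHFP;
idnsAllowDynUpdate: TRUE
idnsForwarders: 172.23.1.5
idnsAllowSyncPTR: TRUE
idnsZoneActive: TRUE
nSRecord: ldap1.example.lan.
objectClass: idnszone
objectClass: top
objectClass: idnsrecord
idnsName: 0.63.10.in-addr.arpa.
idnsSOAmName: ldap1.example.lan.
"""

ENTRY_LDIF = """\
dn: idnsname=68,idnsname=0.63.10.in-addr.arpa.,cn=dns,dc=ipa,dc=example,dc=net
objectClass: top
objectClass: idnsrecord
cNAMERecord: ds02.example.lan.
idnsName: 68
"""

DIG_OUTPUT = """\
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 59911
;; QUESTION SECTION:
;68.0.63.10.in-addr.arpa.        IN      PTR
;; AUTHORITY SECTION:
10.in-addr.arpa.        86400   IN      SOA     10.in-addr.arpa. . 0 28800 7200 604800 86400
;; SERVER: 172.23.1.5#53(172.23.1.5)
"""


def parse_ldif(text):
    """Parse one LDIF entry into {attribute (lowercased): [values]}.
    LDAP attribute names are case-insensitive, so keys are normalised."""
    attrs = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        attrs.setdefault(key.strip().lower(), []).append(value.strip())
    return attrs


def reverse_name(ip):
    """Fully qualified in-addr.arpa / ip6.arpa owner name for an address."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def check_entry(zone, entry, ip):
    """Does the LDAP entry sit at the expected owner name and hold a PTR?"""
    findings = []
    zone_name = zone["idnsname"][0]
    owner = entry["idnsname"][0] + "." + zone_name
    if owner != reverse_name(ip):
        findings.append(f"entry name {owner} does not match {reverse_name(ip)}")
    if "ptrrecord" not in entry:
        others = sorted(a for a in entry if a.endswith("record"))
        findings.append(f"{owner} has no pTRRecord (has: {', '.join(others) or 'none'})")
    return findings


def parse_dig(text):
    """Pull status, question name, SOA owner and answering server out of dig output."""
    info = {}
    m = re.search(r"status: (\w+)", text)
    info["status"] = m.group(1) if m else None
    section = None
    for line in text.splitlines():
        if line.startswith(";; ") and "SECTION" in line:
            section = line.split()[1]
            continue
        if section == "QUESTION" and line.startswith(";"):
            info["question"] = line[1:].split()[0]
        elif section == "AUTHORITY" and line and not line.startswith(";"):
            fields = line.split()
            if len(fields) > 3 and fields[3] == "SOA":
                info["soa_owner"] = fields[0]
        m = re.match(r";; SERVER: ([0-9a-fA-F.:]+)#", line)
        if m:
            info["server"] = m.group(1)
    return info


def check_dig(dig, zone):
    """Did the answer come from the IPA zone at all?"""
    findings = []
    zone_name = zone["idnsname"][0]
    if dig.get("server") in zone.get("idnsforwarders", []):
        findings.append(f"answer came from {dig['server']}, the zone's forwarder, not the IPA server")
    if dig.get("soa_owner") and dig["soa_owner"] != zone_name:
        findings.append(f"authority SOA is for {dig['soa_owner']}, not {zone_name}: "
                        "the answering server does not serve the IPA zone")
    return findings


def diagnose(zone_ldif=ZONE_LDIF, entry_ldif=ENTRY_LDIF, dig_text=DIG_OUTPUT, ip="10.63.0.68"):
    zone, entry = parse_ldif(zone_ldif), parse_ldif(entry_ldif)
    return check_entry(zone, entry, ip) + check_dig(parse_dig(dig_text), zone)


if __name__ == "__main__":
    for finding in diagnose():
        print("-", finding)
```

Run against the poster's own output, it reports three things: the entry holds a cNAMERecord and no pTRRecord, dig was answered by 172.23.1.5 (the forwarder), and the SOA returned is for 10.in-addr.arpa. rather than 0.63.10.in-addr.arpa. Pointing dig at the IPA server explicitly (dig -x 10.63.0.68 @ldap1.example.lan) separates what the IPA server itself answers from what the forwarder answers.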
Re: [Freeipa-users] FreeIPA groups not shown on client
Just in case somebody is still struggling with this... On Ubuntu 14.04 I had to set the enumerate option to true in sssd.conf to make this work.

On Fri, May 22, 2015 at 6:28 PM, Christoph Kaminski christoph.kamin...@biotronik.com wrote:

freeipa-users-boun...@redhat.com wrote on 22.05.2015 09:37:04:

From: Nikola Kržalić nik...@krzalic.com
To: freeipa-users@redhat.com
Date: 22.05.2015 15:05
Subject: [Freeipa-users] FreeIPA groups not shown on client
Sent by: freeipa-users-boun...@redhat.com

I have an Ubuntu system running the IPA client. I am able to log in via ssh using IPA users, but I do not get any group memberships or sudo rules. The same configuration works on a different system (running CentOS).

The sssd domain log output shows that the groups are retrieved from the server successfully:

(Fri May 22 07:04:37 2015) [sssd[be[ipa.*]]] [hbac_eval_user_element] (0x1000): Added group [admins] for user [nkrzalic]
(Fri May 22 07:04:37 2015) [sssd[be[ipa.*]]] [hbac_eval_user_element] (0x1000): Added group [ipausers] for user [nkrzalic]
(Fri May 22 07:04:37 2015) [sssd[be[ipa.*]]] [hbac_eval_user_element] (0x1000): Added group [editors] for user [nkrzalic]
(Fri May 22 07:04:37 2015) [sssd[be[ipa.*]]] [hbac_eval_user_element] (0x1000): Added group [trust admins] for user [nkrzalic]
(Fri May 22 07:04:37 2015) [sssd[be[ipa.*]]] [hbac_eval_user_element] (0x1000): Added group [devops_team] for user [nkrzalic]
(Fri May 22 07:04:37 2015) [sssd[be[ipa.*]]] [hbac_eval_user_element] (0x1000): Added group [dev_team] for user [nkrzalic]
(Fri May 22 07:04:37 2015) [sssd[be[ipa.*]]] [hbac_eval_user_element] (0x1000): Added group [sys_team] for user [nkrzalic]

However, these groups are not shown on the user upon login:

nkrzalic@ircsrv1:~$ id
uid=281200051(nkrzalic) gid=281200051(nkrzalic) groups=281200051(nkrzalic)

I tried cleaning the sssd cache but that didn't help.

sssd.conf is as follows:

[sssd]
services = nss, pam, ssh, sudo
config_file_version = 2

nsswitch.conf seems to be correct as well:

# /etc/nsswitch.conf
passwd:     compat sss
group:      compat sss
shadow:     compat
hosts:      files dns
networks:   files
protocols:  db files
services:   db files
ethers:     db files
rpc:        db files
netgroup:   nis sss
sudoers:    files sss

Interestingly, after I do getent group devops_team this group shows up:

nkrzalic@ircsrv1:~$ id
uid=281200051(nkrzalic) gid=281200051(nkrzalic) groups=281200051(nkrzalic),28121(devops_team)
nkrzalic@ircsrv1:~$

Any ideas?

Try to kill the cache with:

(stop sssd)
rm -rf /var/lib/sss/db/*
(start sssd)

We have had the same problems often here and only really killing the cache has fixed it (sss_cache -A hasn't helped).

Greetz
Christoph Kaminski

--
S poštovanjem / Regards,
Nikola Kržalić.