[Freeipa-users] Bind Journal errors

2017-02-15 Thread Raul Dias

Hello,

My IPA's named daemon started to show these dyndb journal log messages:

   error: malformed transaction: 
dyndb-ldap/ipa/master/17.10.10.in-addr.arpa/raw.jnl last serial 
1484327694 != transaction first serial 1484327693


Restarting it did not help.

What should I do?

Thanks
-rsd

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
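As an added example (not part of the post or of BIND/bind-dyndb-ldap): a small Python check that picks this named message out of a log stream and models the serial-chain rule a journal must satisfy, which is what the message reports as broken. The sample log lines are constructed.

```python
import re

# Matches the named/bind-dyndb-ldap journal error quoted in the post,
# after collapsing the line wrapping that mail clients add.
JOURNAL_ERR = re.compile(
    r"malformed transaction:\s*(?P<journal>\S+)\s+last serial\s+(?P<last>\d+)"
    r"\s*!=\s*transaction first serial\s+(?P<first>\d+)"
)

def parse_journal_error(line):
    """Return {journal, last_serial, first_serial} for one log line, else None."""
    m = JOURNAL_ERR.search(" ".join(line.split()))
    if not m:
        return None
    return {
        "journal": m.group("journal"),
        "last_serial": int(m.group("last")),
        "first_serial": int(m.group("first")),
    }

def find_journal_errors(lines):
    """Scan a named log (iterable of lines) and collect every parsed hit."""
    return [hit for hit in map(parse_journal_error, lines) if hit]

def check_transaction_chain(transactions):
    """Model of the check named performs while replaying a journal: each
    transaction is (first_serial, last_serial), and transaction i must start
    at the serial transaction i-1 ended on. Returns the index of the first
    transaction that breaks the chain, or -1 when the journal is consistent."""
    for i in range(1, len(transactions)):
        if transactions[i][0] != transactions[i - 1][1]:
            return i
    return -1

# Constructed sample log: one healthy line and the error from the post.
SAMPLE_LOG = [
    "zone 17.10.10.in-addr.arpa/IN: loaded serial 1484327694",
    "error: malformed transaction: "
    "dyndb-ldap/ipa/master/17.10.10.in-addr.arpa/raw.jnl last serial "
    "1484327694 != transaction first serial 1484327693",
]

if __name__ == "__main__":
    for hit in find_journal_errors(SAMPLE_LOG):
        print("journal %(journal)s: expected first serial %(last_serial)d, "
              "found %(first_serial)d" % hit)
```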


[Freeipa-users] client in many IPA domains

2017-02-03 Thread Raul Dias

Hello,

Can ipa-client (e.g., a notebook) be in more than one realm? E.g., 
depending on the network where it is connected.


-rsd


Re: [Freeipa-users] Windows Server can't use FreeIPA's DNS server

2017-01-16 Thread Raul Dias

Ok,

Found the issue.  I believe it is a Fedora (25) issue, but not sure 
yet.  So, registering here for the archives.


My IPA is on FC25 in an LXC container (2.0.6) on a Jessie host.

The IPA container ethernet is on a private bridge (not attached to any 
real one).


The FC container was configured to do checksum offloading.  I believe 
it was FC's fault, but it could be some other LXC host on the same bridge, 
if that is possible.


Anyway, this command disabled offloading and it started to work:

# ethtool --offload eth0 rx off tx off gso off

Still, why only the 2k8 R2 complained about this has yet to be verified.

-rsd




Re: [Freeipa-users] Windows Server can't use FreeIPA's DNS server

2017-01-16 Thread Raul Dias
Name: ns4.google.com
Type: A (Host Address) (1)
Class: IN (0x0001)
Time to live: 172792
Data length: 4
Address: 216.239.38.10

-rsd




On 16/01/2017 06:31, Brian Candler wrote:

On 16/01/2017 00:52, Raul Dias wrote:

The packets are getting back.  That has been established already.


With Wireshark at the 2008R2 end?

I am looking for possible reasons it would disregard the answer, but 
accept when using a non-freeipa bind9 one.


Look at wireshark detail on both sets of responses; check for any 
differences including the flags. You're sure one of the servers isn't 
answering with a REFUSED answer for example? (That is, one of the bind 
servers might not allow queries from the source address of the 2008R2 
server)


Also compare the bind configs. For example, is DNSSEC enabled in one 
but not the other?





--
Att. Raul Dias



Re: [Freeipa-users] Windows Server can't use FreeIPA's DNS server

2017-01-15 Thread Raul Dias


On 15/01/2017 19:15, Brian Candler wrote:

On FreeIPA host:  tcpdump -i eth0 -nnv -s0 port 53 and host x.x.x.x

where x.x.x.x is IP address of the 2008R2 server, and assuming eth0 is 
the NIC.


See if any DNS queries arrive at the FreeIPA server. If no: then the 
problem is with the 2008R2 server, or the network in between. If yes: 
then see if FreeIPA is answering the queries or not.




The packets are getting back.  That has been established already.

I am looking for possible reasons it would disregard the answer, but 
accept when using a non-freeipa bind9 one.


-rsd



Re: [Freeipa-users] Windows Server can't use FreeIPA's DNS server

2017-01-15 Thread Raul Dias


On 14/01/2017 22:08, Fil Di Noto wrote:
Sounds more like a client problem (firewall, hosts file, network 
settings/routes)

Unfortunately, not that I have found.


Other clients are able to resolve against the IPA server?

yes.
You are seeing the response come back on a packet capture taken from 
the windows server?

yes.


If yes to both of those, maybe the windows server thinks the IPA 
server is not who it says it is.
How does Windows verify this?  Note that there is no Active Directory 
in place or domain/remote authentication from the Windows point of 
view.  Windows is using it only as a plain DNS server.


Note that there is another windows server (2008) that works fine. This 
one is 2008 r2 (if it matters).


Is the IPA server hostname/domain name the same as a previous windows 
host? If so that is probably not good.


On Sat, Jan 14, 2017 at 12:01 PM, Raul Dias <r...@dias.com.br 
<mailto:r...@dias.com.br>> wrote:


Hello,

I am migrating a network to FreeIPA. LDAP, NFS, no Active Directory.

A Windows Server 2008 R2 cannot use FreeIPA's bind to resolve DNS
queries.
This server works fine with my old bind server and google's dns
server (8.8.8.8), but not FreeIPA's.
Using wireshark, I can see that the response gets to this host, but
is simply ignored.  Clocks are in sync.

Not sure if the problem is in the FreeIPA's side, probably not.

Any ideas?

-rsd





--
Att. Raul Dias


[Freeipa-users] Windows Server can't use FreeIPA's DNS server

2017-01-14 Thread Raul Dias

Hello,

I am migrating a network to FreeIPA. LDAP, NFS, no Active Directory.

A Windows Server 2008 R2 cannot use FreeIPA's bind to resolve DNS queries.
This server works fine with my old bind server and google's dns server 
(8.8.8.8), but not FreeIPA's.
Using wireshark, I can see that the response gets to this host, but is 
simply ignored.  Clocks are in sync.


Not sure if the problem is in the FreeIPA's side, probably not.

Any ideas?

-rsd

[Freeipa-users] IPA DNS Server and DNSMasq

2016-12-05 Thread Raul Dias

This might be a bit off-topic.


I am using dnsmasq with NetworkManager.
So, my /etc/resolv.conf has nameserver 127.0.0.1.

For some reason I can't get a response from dnsmasq queries to the IPA 
server; it times out.
OTOH, I can watch the DNS traffic between dnsmasq and the IPA server.  
The queries are fine (with answers).


If I explicitly change the nameserver to the IPA IP, the queries are fine.

So, the problem is between dnsmasq and ipa bind.


Has anyone seen anything like this?

This is an Ubuntu 16.10 host, not a member of the IPA.


-rsd



--
Att. Raul Dias


Re: [Freeipa-users] FreeIPA + DHCP-LDAP - Fedora 24 - broken

2016-11-09 Thread Raul Dias



Do you mean that dhcpd on Ubuntu is configured against the very same FreeIPA
server?

yes.  Testing both on VMs with a private network.

Are you sure that dhcpd is using the same credentials to BIND to LDAP? There
might be an access control issue if different hosts use different credentials
or so. It would help if you described how you bound to LDAP using ldapsearch.

Yes.

To make sure, I am using the ipa admin credentials.

On both hosts I can do a
$ ldapsearch -x

and retrieve the ldif info.

Running on both:
$ strace -e trace=network dhcpd -d

I get this line on the Ubuntu host:
socket(AF_INET, SOCK_STREAM, IPPROTO_IP) = 5
setsockopt(5, SOL_SOCKET, SO_KEEPALIVE, [1], 4) = 0
setsockopt(5, SOL_TCP, TCP_NODELAY, [1], 4) = 0
connect(5, {sa_family=AF_INET, sin_port=htons(389),
sin_addr=inet_addr("192.168.1.138")}, 16) = 0

On the Fedora host (FreeIPA server), there is no attempt to connect at all.
I thought that it might be trying to use a socket, but there is still no
attempt even with an outside IP as the host.

There is one difference between the Fedora and Ubuntu dhcpds.  On Ubuntu,
there is a separate LDAP package for dhcp-server
(isc-dhcp-server-ldap).  On Fedora it is supposedly merged into the same
binary in dhcp-server (dhcp-server-4.3.4-3.fc24.x86_64).

That's why it would be a good start for me to know that someone else
uses dhcpd with ldap on Fedora.

-rsd
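As an added example (not from the thread or from dhcpd): the strace check used above, turned into a small Python parser that answers "did this process ever connect() to an LDAP port?" from `strace -e trace=network` output. Both sample traces are constructed; the Ubuntu one mirrors the connect() line quoted in the post, the Fedora one has no LDAP connect at all.

```python
import re

# Constructed strace -e trace=network excerpts. The Ubuntu host reaches the
# LDAP server on 389; the Fedora host only sets up its DHCP listening socket.
STRACE_UBUNTU = """\
socket(AF_INET, SOCK_STREAM, IPPROTO_IP) = 5
setsockopt(5, SOL_SOCKET, SO_KEEPALIVE, [1], 4) = 0
setsockopt(5, SOL_TCP, TCP_NODELAY, [1], 4) = 0
connect(5, {sa_family=AF_INET, sin_port=htons(389), sin_addr=inet_addr("192.168.1.138")}, 16) = 0
"""
STRACE_FEDORA = """\
socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP) = 7
bind(7, {sa_family=AF_INET, sin_port=htons(67), sin_addr=inet_addr("0.0.0.0")}, 16) = 0
"""

# One strace connect() line for an AF_INET sockaddr; the trailing number is
# the syscall result (0 on success, -1 followed by the errno name on failure).
CONNECT_RE = re.compile(
    r'^connect\((\d+), \{sa_family=AF_INET, sin_port=htons\((\d+)\), '
    r'sin_addr=inet_addr\("([\d.]+)"\)\}, \d+\) = (-?\d+)'
)

def ldap_connects(strace_text, ports=(389, 636)):
    """Return (fd, ip, port, result) for every connect() to an LDAP port."""
    found = []
    for line in strace_text.splitlines():
        m = CONNECT_RE.match(line)
        if m and int(m.group(2)) in ports:
            found.append((int(m.group(1)), m.group(3),
                          int(m.group(2)), int(m.group(4))))
    return found

def ldap_attempted(strace_text):
    """True when the trace shows at least one connect() towards LDAP."""
    return bool(ldap_connects(strace_text))

if __name__ == "__main__":
    for name, text in (("ubuntu", STRACE_UBUNTU), ("fedora", STRACE_FEDORA)):
        print(name, "LDAP connect attempts:", ldap_connects(text))
```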





Re: [Freeipa-users] FreeIPA + DHCP-LDAP - Fedora 24 - broken

2016-11-07 Thread Raul Dias

You are right,

This might be more of a Fedora issue than a FreeIPA one. I am hoping that someone 
else is also using DHCP with LDAP (especially with FreeIPA).


I am using the IPA-dhcp plugin: https://github.com/jefferyharrell/IPA-dhcp

ldapsearch -x shows the entries are fine in the LDAP.

Stracing dhcpd shows that it is not making any connection to the LDAP server, 
while it shows an error message.


On Fedora 24 (updated), I am using dhcp-server-4.3.4.fc24

/etc/dhcp/dhcpd.conf:
ldap-server "10.101.1.1"; #or localhost, or any interface ip or ns name
ldap-port 389;
ldap-base-dn "cn=dhcp,dc=dias,dc=com,dc=br";
ldap-method static;
ldap-debug-file "/var/log/dhcp-ldap-startup.log";

The STDERR output acts as if it were talking to the LDAP server:

Cannot find host LDAP entry server.dias.com.br 
(&(objectClass=dhcpServer)(cn=server.dias.com.br))


As the output of ldapsearch shows, the entry is there:
# server.dias.com.br, dhcp, dias.com.br
dn: cn=server.dias.com.br,cn=dhcp,dc=dias,dc=com,dc=br
objectClass: dhcpserver
objectClass: top
dhcpServiceDN: cn=dhcp,dc=dias,dc=com,dc=br
cn: server.dias.com.br
dhcpStatements: authoritative

Using the same config on an Ubuntu host, it works fine, which makes me 
wonder whether dhcpd in Fedora 24 works at all with LDAP.


Or maybe this is a reflection of some FreeIPA server way-of-life 
configuration, like sssd.


-rsd


On 07/11/2016 05:10, Petr Spacek wrote:

On 6.11.2016 06:06, Raul Dias wrote:

Hello,

It seems that DHCP with LDAP on Fedora 24 (FreeIPA) is broken.

Can anyone confirm?

Doing an strace -e trace=network does not show any attempt to connect to the
ldap server.

OTOH, the same config on an Ubuntu 16.10 works fine.

Hello,

AFAIK DHCP support was never part of official FreeIPA builds. What are you
trying to achieve and where did you get the builds?

We need to know exact software versions and configuration. For further hints
how to report bugs please see
http://www.freeipa.org/page/Troubleshooting#Reporting_bugs





[Freeipa-users] FreeIPA + DHCP-LDAP - Fedora 24 - broken

2016-11-05 Thread Raul Dias

Hello,

It seems that DHCP with LDAP on Fedora 24 (FreeIPA) is broken.

Can anyone confirm?

Doing an strace -e trace=network does not show any attempt to connect to 
the ldap server.


OTOH, the same config on an Ubuntu 16.10 works fine.

-rsd



Re: [Freeipa-users] Stuck at DNS install process

2016-11-03 Thread Raul Dias

Yes.  It worked!

Thanks.

-rsd


On 03/11/2016 12:12, Martin Basti wrote:




On 03.11.2016 14:48, Raul Dias wrote:

Hello,

I am trying to setup a test environment for FreeIPA.

I have installed Fedora Server 24 in a VMware Workstation machine and 
updated it.

There are 2 ethernets:
1 - ens33 -> bridge to the host (dhcp)
2 - ens34 -> Internal (vmware) network for testing

ens34 has:
3: ens34: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc 
fq_codel state UP group default qlen 1000

link/ether 00:0c:29:ab:26:59 brd ff:ff:ff:ff:ff:ff
inet 10.101.1.1/24 brd 10.101.1.255 scope global ens34
   valid_lft forever preferred_lft forever
inet6 fe80::e88e:21e6:c273:5178/64 scope link
   valid_lft forever preferred_lft forever

Setting up FreeIPA with:
# ipa-server-install -a secret123 -p secret123 --domain=chaosnet  
--realm=CHAOSNET --hostname server.chaosnet --setup-dns -v

...
Enter the IP address to use, or press Enter to finish.
Please provide the IP address to be used for this host name: 10.101.1.1
ipa : DEBUGStarting external process
ipa : DEBUGargs=/sbin/ip -family inet -oneline address show
ipa : DEBUGProcess finished, return code=0
ipa : DEBUGstdout=1: loinet 127.0.0.1/8 scope host 
lo\   valid_lft forever preferred_lft forever
2: ens33inet 192.168.1.148/24 brd 192.168.1.255 scope global 
dynamic ens33\   valid_lft 11552sec preferred_lft 11552sec
3: ens34inet 10.101.1.1/24 brd 10.101.1.255 scope global 
ens34\   valid_lft forever preferred_lft forever


ipa : DEBUGstderr=
Please provide the IP address to be used for this host name:
-8<

If I enter my IPs: 10.101.1.1, 10.101.1.1/24, 192.168.1.148, 
192.168.1.148/24

it will ask again for the IP address.
If I enter anything else, it will detect it is not my IP and complain.

Am I missing something? A package maybe? Or is it a bug (or me)?

# dnf list | grep freeipa
freeipa-admintools.noarch 4.3.2-2.fc24  @updates
freeipa-client.x86_64 4.3.2-2.fc24  @updates
freeipa-client-common.noarch 4.3.2-2.fc24  @updates
freeipa-common.noarch 4.3.2-2.fc24  @updates
freeipa-server.x86_64 4.3.2-2.fc24  @updates
freeipa-server-common.noarch 4.3.2-2.fc24  @updates
freeipa-server-dns.noarch 4.3.2-2.fc24  @updates
freeipa-server-trust-ad.x86_64 4.3.2-2.fc24  @updates
freeipa-python-compat.noarch 4.3.2-2.fc24  updates


Thanks for your help,
-rsd

Hello, have you tried just pressing Enter twice?

Martin


--
Att. Raul Dias
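As an added example (not the installer's own code, which is not on this page): the check behind that prompt, modelled in Python. It parses output in the shape of `ip -family inet -oneline address show`, which the debug lines above show the installer running, and decides whether an address the user typed is configured on a local interface, accepting input with or without a prefix and IPv6 as well as IPv4. The sample output is constructed from the addresses in the post.

```python
import ipaddress
import re

# Constructed sample in the shape of `ip -family inet -oneline address show`;
# `\` separates the fields ip(8) would otherwise print on their own lines.
IP_O_SAMPLE = """\
1: lo    inet 127.0.0.1/8 scope host lo\\       valid_lft forever preferred_lft forever
2: ens33    inet 192.168.1.148/24 brd 192.168.1.255 scope global dynamic ens33\\       valid_lft 11552sec preferred_lft 11552sec
3: ens34    inet 10.101.1.1/24 brd 10.101.1.255 scope global ens34\\       valid_lft forever preferred_lft forever
"""

# "<index>: <dev>    inet|inet6 <addr>/<prefix> ..." is all we need per line.
IP_O_LINE = re.compile(r"^\d+:\s+(?P<dev>\S+)\s+inet6?\s+(?P<cidr>\S+)")

def parse_ip_o_addr(text):
    """Map interface name -> list of configured addresses (IPv4 or IPv6)."""
    addrs = {}
    for line in text.splitlines():
        m = IP_O_LINE.match(line)
        if m:
            addrs.setdefault(m.group("dev"), []).append(
                ipaddress.ip_interface(m.group("cidr")))
    return addrs

def find_local_address(candidate, ip_o_text):
    """Return (dev, "addr/prefix") for the interface carrying `candidate`
    (given with or without a prefix), or None when no interface has it or
    the candidate is not a valid address at all."""
    try:
        wanted = ipaddress.ip_interface(candidate).ip
    except ValueError:
        return None
    for dev, ifaces in parse_ip_o_addr(ip_o_text).items():
        for iface in ifaces:
            if iface.ip == wanted:
                return dev, str(iface)
    return None

if __name__ == "__main__":
    for typed in ("10.101.1.1", "10.101.1.1/24", "192.168.1.148", "10.101.1.2"):
        print(typed, "->", find_local_address(typed, IP_O_SAMPLE))
```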
