Re: [Freeipa-users] Red Hat 5 and 6 with IPA Client v. 4
I think I got it working. Solution in my case was to run following on client nodes: yum install sssd-1.12.4-47.el6.x86_64 And on IPA server for each Forward and Reverse lookup zone I ran: ipa dnszone-mod X.COM. --allow-sync-ptr=TRUE --dynamic-update=TRUE ipa dnszone-mod 44.28.10.in-addr.arpa. --allow-sync-ptr=TRUE --dynamic-update=TRUE Ultimately I think bringing all nodes to SSSD 1.12.4 version solved the problem. Thank you, IPA team, for your support! Regards, Andrey Ptashnik On 9/17/15, 10:32 AM, "Rob Crittenden"wrote: >Andrey Ptashnik wrote: >> Any ideas on that? > >/var/log/ipaclient-install.log probably has more details on the DNS >update failure. > >rob > >> >> Regards, >> >> Andrey Ptashnik | Network Architect >> CCC Information Services Inc. >> 222 Merchandise Mart Plaza, Suite 900 Chicago, IL 60654 >> Office: +1-312-229-2533 | Cell : +1-773-315-0200 | aptash...@cccis.com >> >> >> >> >> >> >> >> On 9/16/15, 11:30 AM, "freeipa-users-boun...@redhat.com on behalf of Andrey >> Ptashnik" > aptash...@cccis.com> wrote: >> >>> Alexander, >>> >>> Thank you for your feedback! >>> >>> In my environment I noticed that client machines that are on Red Hat 6 have >>> version 3.0.0 of IPA client installed. >>> >>> [root@ptr-test-6 ~]# yum list installed | grep ipa >>> ipa-client.x86_64 3.0.0-47.el6 >>> ipa-python.x86_64 3.0.0-47.el6 >>> >>> >>> [root@ptr-test-6 ~]# yum list installed | grep sssd >>> python-sssdconfig.noarch 1.12.4-47.el6 >>> sssd.x86_641.12.4-47.el6 >>> sssd-ad.x86_64 1.12.4-47.el6 >>> sssd-client.x86_64 1.12.4-47.el6 >>> sssd-common.x86_64 1.12.4-47.el6 >>> sssd-common-pac.x86_64 1.12.4-47.el6 >>> sssd-ipa.x86_641.12.4-47.el6 >>> sssd-krb5.x86_64 1.12.4-47.el6 >>> sssd-krb5-common.x86_641.12.4-47.el6 >>> sssd-ldap.x86_64 1.12.4-47.el6 >>> sssd-proxy.x86_64 1.12.4-47.el6 >>> [root@ptr-test-6 ~]# >>> >>> >>> And I noticed particular behavior with IPA client 3.0.0 and IPA server 4.1 >>> - when I add machines to the domain using command below: >>> >>> # ipa-client-install --enable-dns-updates --ssh-trust-dns —mkhomedir >>> >>> DNS record populate in Forward lookup zone, but no PTR records appear in >>> Reverse lookup zones. That behavior is not the same with IPA client 4.1 and >>> IPA server 4.1 version combination. >>> >>> Also during IPA client v. 3.0.0 configuration on version 6 of Red Hat I see >>> output below: >>> >>> Synchronizing time with KDC... >>> Enrolled in IPA realm X.COM >>> Attempting to get host TGT... >>> Created /etc/ipa/default.conf >>> New SSSD config will be created >>> Configured sudoers in /etc/nsswitch.conf >>> Configured /etc/sssd/sssd.conf >>> Configured /etc/krb5.conf for IPA realm X.COM >>> trying https://ipa-idm.X.COM/ipa/xml >>> Forwarding 'env' to server u'https://ipa-idm.X.COM/ipa/xml' >>> Failed to update DNS records. >>> Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub >>> Adding SSH public key from /etc/ssh/ssh_host_dsa_key.pub >>> Forwarding 'host_mod' to server u'https://ipa-idm.X.COM/ipa/xml' >>> SSSD enabled >>> Configuring X.COM as NIS domain >>> Configured /etc/openldap/ldap.conf >>> NTP enabled >>> Configured /etc/ssh/ssh_config >>> Configured /etc/ssh/sshd_config >>> Client configuration complete. >>> >>> >>> Regards, >>> >>> Andrey Ptashnik >>> >>> >>> >>> >>> >>> >>> On 9/16/15, 8:43 AM, "Alexander Bokovoy" wrote: >>> On Wed, 16 Sep 2015, Andrey Ptashnik wrote: > Dear IPA Team, > > We have a situation in our datacenter where we deployed Red Hat 7.1 > with IPA server 4.1 and on the other hand we still have older machines > with Red Hat 5 and 6. I noticed that repositories associated with > version 6 have older version of the client software – v.3.0. Therefore > some functionality is missing from client package 3 vs 4, like > automatic update of both forward and reverse DNS records. > > Is it possible to install IPA client v. 4 on Red Hat 5 and 6 without > much breaking dependencies in OS? You don't need to install IPA python packages on older machines. These packages are mostly for administration purposes. Automatic update of forward/reverse DNS zones is done by SSSD. RHEL 6 version of SSSD is on par with RHEL 7 version in the recent updates. Additionally, MIT Kerberos backports were done in the recent updates to allow OTP functionality in RHEL6 as well. So most of features are there already, client-wise. RHEL5 version does not have such updates and you can implement most of the support with existing SSSD and output of 'ipa-advise' tool on IPA
Re: [Freeipa-users] Red Hat 5 and 6 with IPA Client v. 4
Any ideas on that? Regards, Andrey Ptashnik | Network Architect CCC Information Services Inc. 222 Merchandise Mart Plaza, Suite 900 Chicago, IL 60654 Office: +1-312-229-2533 | Cell : +1-773-315-0200 | aptash...@cccis.com On 9/16/15, 11:30 AM, "freeipa-users-boun...@redhat.com on behalf of Andrey Ptashnik"wrote: >Alexander, > >Thank you for your feedback! > >In my environment I noticed that client machines that are on Red Hat 6 have >version 3.0.0 of IPA client installed. > >[root@ptr-test-6 ~]# yum list installed | grep ipa >ipa-client.x86_64 3.0.0-47.el6 >ipa-python.x86_64 3.0.0-47.el6 > > >[root@ptr-test-6 ~]# yum list installed | grep sssd >python-sssdconfig.noarch 1.12.4-47.el6 >sssd.x86_641.12.4-47.el6 >sssd-ad.x86_64 1.12.4-47.el6 >sssd-client.x86_64 1.12.4-47.el6 >sssd-common.x86_64 1.12.4-47.el6 >sssd-common-pac.x86_64 1.12.4-47.el6 >sssd-ipa.x86_641.12.4-47.el6 >sssd-krb5.x86_64 1.12.4-47.el6 >sssd-krb5-common.x86_641.12.4-47.el6 >sssd-ldap.x86_64 1.12.4-47.el6 >sssd-proxy.x86_64 1.12.4-47.el6 >[root@ptr-test-6 ~]# > > >And I noticed particular behavior with IPA client 3.0.0 and IPA server 4.1 - >when I add machines to the domain using command below: > ># ipa-client-install --enable-dns-updates --ssh-trust-dns —mkhomedir > >DNS record populate in Forward lookup zone, but no PTR records appear in >Reverse lookup zones. That behavior is not the same with IPA client 4.1 and >IPA server 4.1 version combination. > >Also during IPA client v. 3.0.0 configuration on version 6 of Red Hat I see >output below: > >Synchronizing time with KDC... >Enrolled in IPA realm X.COM >Attempting to get host TGT... >Created /etc/ipa/default.conf >New SSSD config will be created >Configured sudoers in /etc/nsswitch.conf >Configured /etc/sssd/sssd.conf >Configured /etc/krb5.conf for IPA realm X.COM >trying https://ipa-idm.X.COM/ipa/xml >Forwarding 'env' to server u'https://ipa-idm.X.COM/ipa/xml' >Failed to update DNS records. >Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub >Adding SSH public key from /etc/ssh/ssh_host_dsa_key.pub >Forwarding 'host_mod' to server u'https://ipa-idm.X.COM/ipa/xml' >SSSD enabled >Configuring X.COM as NIS domain >Configured /etc/openldap/ldap.conf >NTP enabled >Configured /etc/ssh/ssh_config >Configured /etc/ssh/sshd_config >Client configuration complete. > > >Regards, > >Andrey Ptashnik > > > > > > >On 9/16/15, 8:43 AM, "Alexander Bokovoy" wrote: > >>On Wed, 16 Sep 2015, Andrey Ptashnik wrote: >>>Dear IPA Team, >>> >>>We have a situation in our datacenter where we deployed Red Hat 7.1 >>>with IPA server 4.1 and on the other hand we still have older machines >>>with Red Hat 5 and 6. I noticed that repositories associated with >>>version 6 have older version of the client software – v.3.0. Therefore >>>some functionality is missing from client package 3 vs 4, like >>>automatic update of both forward and reverse DNS records. >>> >>>Is it possible to install IPA client v. 4 on Red Hat 5 and 6 without >>>much breaking dependencies in OS? >>You don't need to install IPA python packages on older machines. These >>packages are mostly for administration purposes. >> >>Automatic update of forward/reverse DNS zones is done by SSSD. RHEL 6 >>version of SSSD is on par with RHEL 7 version in the recent updates. >>Additionally, MIT Kerberos backports were done in the recent updates to >>allow OTP functionality in RHEL6 as well. So most of features are there >>already, client-wise. >> >>RHEL5 version does not have such updates and you can implement most of >>the support with existing SSSD and output of 'ipa-advise' tool on IPA >>masters. nsupdate integration would probably need to be done >>differently. >> >>Backporting IPA v4.x client code to RHEL 5 or 6 in general makes not >>much sense. >> >>-- >>/ Alexander Bokovoy > >-- >Manage your subscription for the Freeipa-users mailing list: >https://www.redhat.com/mailman/listinfo/freeipa-users >Go to http://freeipa.org for more info on the project -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] Red Hat 5 and 6 with IPA Client v. 4
Andrey Ptashnik wrote: > Any ideas on that? /var/log/ipaclient-install.log probably has more details on the DNS update failure. rob > > Regards, > > Andrey Ptashnik | Network Architect > CCC Information Services Inc. > 222 Merchandise Mart Plaza, Suite 900 Chicago, IL 60654 > Office: +1-312-229-2533 | Cell : +1-773-315-0200 | aptash...@cccis.com > > > > > > > > On 9/16/15, 11:30 AM, "freeipa-users-boun...@redhat.com on behalf of Andrey > Ptashnik"> wrote: > >> Alexander, >> >> Thank you for your feedback! >> >> In my environment I noticed that client machines that are on Red Hat 6 have >> version 3.0.0 of IPA client installed. >> >> [root@ptr-test-6 ~]# yum list installed | grep ipa >> ipa-client.x86_64 3.0.0-47.el6 >> ipa-python.x86_64 3.0.0-47.el6 >> >> >> [root@ptr-test-6 ~]# yum list installed | grep sssd >> python-sssdconfig.noarch 1.12.4-47.el6 >> sssd.x86_641.12.4-47.el6 >> sssd-ad.x86_64 1.12.4-47.el6 >> sssd-client.x86_64 1.12.4-47.el6 >> sssd-common.x86_64 1.12.4-47.el6 >> sssd-common-pac.x86_64 1.12.4-47.el6 >> sssd-ipa.x86_641.12.4-47.el6 >> sssd-krb5.x86_64 1.12.4-47.el6 >> sssd-krb5-common.x86_641.12.4-47.el6 >> sssd-ldap.x86_64 1.12.4-47.el6 >> sssd-proxy.x86_64 1.12.4-47.el6 >> [root@ptr-test-6 ~]# >> >> >> And I noticed particular behavior with IPA client 3.0.0 and IPA server 4.1 - >> when I add machines to the domain using command below: >> >> # ipa-client-install --enable-dns-updates --ssh-trust-dns —mkhomedir >> >> DNS record populate in Forward lookup zone, but no PTR records appear in >> Reverse lookup zones. That behavior is not the same with IPA client 4.1 and >> IPA server 4.1 version combination. >> >> Also during IPA client v. 3.0.0 configuration on version 6 of Red Hat I see >> output below: >> >> Synchronizing time with KDC... >> Enrolled in IPA realm X.COM >> Attempting to get host TGT... >> Created /etc/ipa/default.conf >> New SSSD config will be created >> Configured sudoers in /etc/nsswitch.conf >> Configured /etc/sssd/sssd.conf >> Configured /etc/krb5.conf for IPA realm X.COM >> trying https://ipa-idm.X.COM/ipa/xml >> Forwarding 'env' to server u'https://ipa-idm.X.COM/ipa/xml' >> Failed to update DNS records. >> Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub >> Adding SSH public key from /etc/ssh/ssh_host_dsa_key.pub >> Forwarding 'host_mod' to server u'https://ipa-idm.X.COM/ipa/xml' >> SSSD enabled >> Configuring X.COM as NIS domain >> Configured /etc/openldap/ldap.conf >> NTP enabled >> Configured /etc/ssh/ssh_config >> Configured /etc/ssh/sshd_config >> Client configuration complete. >> >> >> Regards, >> >> Andrey Ptashnik >> >> >> >> >> >> >> On 9/16/15, 8:43 AM, "Alexander Bokovoy" wrote: >> >>> On Wed, 16 Sep 2015, Andrey Ptashnik wrote: Dear IPA Team, We have a situation in our datacenter where we deployed Red Hat 7.1 with IPA server 4.1 and on the other hand we still have older machines with Red Hat 5 and 6. I noticed that repositories associated with version 6 have older version of the client software – v.3.0. Therefore some functionality is missing from client package 3 vs 4, like automatic update of both forward and reverse DNS records. Is it possible to install IPA client v. 4 on Red Hat 5 and 6 without much breaking dependencies in OS? >>> You don't need to install IPA python packages on older machines. These >>> packages are mostly for administration purposes. >>> >>> Automatic update of forward/reverse DNS zones is done by SSSD. RHEL 6 >>> version of SSSD is on par with RHEL 7 version in the recent updates. >>> Additionally, MIT Kerberos backports were done in the recent updates to >>> allow OTP functionality in RHEL6 as well. So most of features are there >>> already, client-wise. >>> >>> RHEL5 version does not have such updates and you can implement most of >>> the support with existing SSSD and output of 'ipa-advise' tool on IPA >>> masters. nsupdate integration would probably need to be done >>> differently. >>> >>> Backporting IPA v4.x client code to RHEL 5 or 6 in general makes not >>> much sense. >>> >>> -- >>> / Alexander Bokovoy >> >> -- >> Manage your subscription for the Freeipa-users mailing list: >> https://www.redhat.com/mailman/listinfo/freeipa-users >> Go to http://freeipa.org for more info on the project > -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] Red Hat 5 and 6 with IPA Client v. 4
On 09/16/2015 06:30 PM, Andrey Ptashnik wrote: Alexander, Thank you for your feedback! In my environment I noticed that client machines that are on Red Hat 6 have version 3.0.0 of IPA client installed. [root@ptr-test-6 ~]# yum list installed | grep ipa ipa-client.x86_64 3.0.0-47.el6 ipa-python.x86_64 3.0.0-47.el6 [root@ptr-test-6 ~]# yum list installed | grep sssd python-sssdconfig.noarch 1.12.4-47.el6 sssd.x86_641.12.4-47.el6 sssd-ad.x86_64 1.12.4-47.el6 sssd-client.x86_64 1.12.4-47.el6 sssd-common.x86_64 1.12.4-47.el6 sssd-common-pac.x86_64 1.12.4-47.el6 sssd-ipa.x86_641.12.4-47.el6 sssd-krb5.x86_64 1.12.4-47.el6 sssd-krb5-common.x86_641.12.4-47.el6 sssd-ldap.x86_64 1.12.4-47.el6 sssd-proxy.x86_64 1.12.4-47.el6 [root@ptr-test-6 ~]# And I noticed particular behavior with IPA client 3.0.0 and IPA server 4.1 - when I add machines to the domain using command below: # ipa-client-install --enable-dns-updates --ssh-trust-dns —mkhomedir DNS record populate in Forward lookup zone, but no PTR records appear in Reverse lookup zones. That behavior is not the same with IPA client 4.1 and IPA server 4.1 version combination. Do you have enables PTR sync in forward zone configuration and do you have allowed dynamic updates for reverse zones? How does the ipa41 client work, does it populate PTR record? Also during IPA client v. 3.0.0 configuration on version 6 of Red Hat I see output below: Synchronizing time with KDC... Enrolled in IPA realm X.COM Attempting to get host TGT... Created /etc/ipa/default.conf New SSSD config will be created Configured sudoers in /etc/nsswitch.conf Configured /etc/sssd/sssd.conf Configured /etc/krb5.conf for IPA realm X.COM trying https://ipa-idm.X.COM/ipa/xml Forwarding 'env' to server u'https://ipa-idm.X.COM/ipa/xml' Failed to update DNS records. Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub Adding SSH public key from /etc/ssh/ssh_host_dsa_key.pub Forwarding 'host_mod' to server u'https://ipa-idm.X.COM/ipa/xml' SSSD enabled Configuring X.COM as NIS domain Configured /etc/openldap/ldap.conf NTP enabled Configured /etc/ssh/ssh_config Configured /etc/ssh/sshd_config Client configuration complete. Regards, Andrey Ptashnik On 9/16/15, 8:43 AM, "Alexander Bokovoy"wrote: On Wed, 16 Sep 2015, Andrey Ptashnik wrote: Dear IPA Team, We have a situation in our datacenter where we deployed Red Hat 7.1 with IPA server 4.1 and on the other hand we still have older machines with Red Hat 5 and 6. I noticed that repositories associated with version 6 have older version of the client software – v.3.0. Therefore some functionality is missing from client package 3 vs 4, like automatic update of both forward and reverse DNS records. Is it possible to install IPA client v. 4 on Red Hat 5 and 6 without much breaking dependencies in OS? You don't need to install IPA python packages on older machines. These packages are mostly for administration purposes. Automatic update of forward/reverse DNS zones is done by SSSD. RHEL 6 version of SSSD is on par with RHEL 7 version in the recent updates. Additionally, MIT Kerberos backports were done in the recent updates to allow OTP functionality in RHEL6 as well. So most of features are there already, client-wise. RHEL5 version does not have such updates and you can implement most of the support with existing SSSD and output of 'ipa-advise' tool on IPA masters. nsupdate integration would probably need to be done differently. Backporting IPA v4.x client code to RHEL 5 or 6 in general makes not much sense. -- / Alexander Bokovoy -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] Red Hat 5 and 6 with IPA Client v. 4
On Wed, 16 Sep 2015, Andrey Ptashnik wrote: Dear IPA Team, We have a situation in our datacenter where we deployed Red Hat 7.1 with IPA server 4.1 and on the other hand we still have older machines with Red Hat 5 and 6. I noticed that repositories associated with version 6 have older version of the client software – v.3.0. Therefore some functionality is missing from client package 3 vs 4, like automatic update of both forward and reverse DNS records. Is it possible to install IPA client v. 4 on Red Hat 5 and 6 without much breaking dependencies in OS? You don't need to install IPA python packages on older machines. These packages are mostly for administration purposes. Automatic update of forward/reverse DNS zones is done by SSSD. RHEL 6 version of SSSD is on par with RHEL 7 version in the recent updates. Additionally, MIT Kerberos backports were done in the recent updates to allow OTP functionality in RHEL6 as well. So most of features are there already, client-wise. RHEL5 version does not have such updates and you can implement most of the support with existing SSSD and output of 'ipa-advise' tool on IPA masters. nsupdate integration would probably need to be done differently. Backporting IPA v4.x client code to RHEL 5 or 6 in general makes not much sense. -- / Alexander Bokovoy -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] Red Hat 5 and 6 with IPA Client v. 4
Alexander, Thank you for your feedback! In my environment I noticed that client machines that are on Red Hat 6 have version 3.0.0 of IPA client installed. [root@ptr-test-6 ~]# yum list installed | grep ipa ipa-client.x86_64 3.0.0-47.el6 ipa-python.x86_64 3.0.0-47.el6 [root@ptr-test-6 ~]# yum list installed | grep sssd python-sssdconfig.noarch 1.12.4-47.el6 sssd.x86_641.12.4-47.el6 sssd-ad.x86_64 1.12.4-47.el6 sssd-client.x86_64 1.12.4-47.el6 sssd-common.x86_64 1.12.4-47.el6 sssd-common-pac.x86_64 1.12.4-47.el6 sssd-ipa.x86_641.12.4-47.el6 sssd-krb5.x86_64 1.12.4-47.el6 sssd-krb5-common.x86_641.12.4-47.el6 sssd-ldap.x86_64 1.12.4-47.el6 sssd-proxy.x86_64 1.12.4-47.el6 [root@ptr-test-6 ~]# And I noticed particular behavior with IPA client 3.0.0 and IPA server 4.1 - when I add machines to the domain using command below: # ipa-client-install --enable-dns-updates --ssh-trust-dns —mkhomedir DNS record populate in Forward lookup zone, but no PTR records appear in Reverse lookup zones. That behavior is not the same with IPA client 4.1 and IPA server 4.1 version combination. Also during IPA client v. 3.0.0 configuration on version 6 of Red Hat I see output below: Synchronizing time with KDC... Enrolled in IPA realm X.COM Attempting to get host TGT... Created /etc/ipa/default.conf New SSSD config will be created Configured sudoers in /etc/nsswitch.conf Configured /etc/sssd/sssd.conf Configured /etc/krb5.conf for IPA realm X.COM trying https://ipa-idm.X.COM/ipa/xml Forwarding 'env' to server u'https://ipa-idm.X.COM/ipa/xml' Failed to update DNS records. Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub Adding SSH public key from /etc/ssh/ssh_host_dsa_key.pub Forwarding 'host_mod' to server u'https://ipa-idm.X.COM/ipa/xml' SSSD enabled Configuring X.COM as NIS domain Configured /etc/openldap/ldap.conf NTP enabled Configured /etc/ssh/ssh_config Configured /etc/ssh/sshd_config Client configuration complete. Regards, Andrey Ptashnik On 9/16/15, 8:43 AM, "Alexander Bokovoy"wrote: >On Wed, 16 Sep 2015, Andrey Ptashnik wrote: >>Dear IPA Team, >> >>We have a situation in our datacenter where we deployed Red Hat 7.1 >>with IPA server 4.1 and on the other hand we still have older machines >>with Red Hat 5 and 6. I noticed that repositories associated with >>version 6 have older version of the client software – v.3.0. Therefore >>some functionality is missing from client package 3 vs 4, like >>automatic update of both forward and reverse DNS records. >> >>Is it possible to install IPA client v. 4 on Red Hat 5 and 6 without >>much breaking dependencies in OS? >You don't need to install IPA python packages on older machines. These >packages are mostly for administration purposes. > >Automatic update of forward/reverse DNS zones is done by SSSD. RHEL 6 >version of SSSD is on par with RHEL 7 version in the recent updates. >Additionally, MIT Kerberos backports were done in the recent updates to >allow OTP functionality in RHEL6 as well. So most of features are there >already, client-wise. > >RHEL5 version does not have such updates and you can implement most of >the support with existing SSSD and output of 'ipa-advise' tool on IPA >masters. nsupdate integration would probably need to be done >differently. > >Backporting IPA v4.x client code to RHEL 5 or 6 in general makes not >much sense. > >-- >/ Alexander Bokovoy -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project