OK, I deserve a slap. I had forgotten to set up the two-way trust again since the ipa-server-install --uninstall && reinstall. That's back in place.
So I found Sumit Bose's https://www.youtube.com/watch?v=infot4cmZgM and realized I could not add groups to any new, external user group using the ipa server's web interface. Error in the GUI is,

E-BOZO.COM\Domain Users: invalid 'truster domain object': no trusted domain matched the specified flat name.

On Mon, Dec 8, 2014 at 2:49 PM, Matthew Herzog <matthew.her...@gmail.com> wrote:

> sssd_<hostname>.log
> (Mon Dec 8 14:46:54 2014) [sssd[be[bo3.e-bozo.com]]] [sysdb_search_groups] (0x2000): No such entry
> (Mon Dec 8 14:46:54 2014) [sssd[be[bo3.e-bozo.com]]] [sysdb_delete_user] (0x0400): Error: 2 (No such file or directory)
> (Mon Dec 8 14:46:54 2014) [sssd[be[bo3.e-bozo.com]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success
> (Mon Dec 8 14:46:54 2014) [sssd[be[bo3.e-bozo.com]]] [sdap_process_result] (0x2000): Trace: sh[0x17b0030], connected[1], ops[(nil)], ldap[0x17ab240]
> (Mon Dec 8 14:46:54 2014) [sssd[be[bo3.e-bozo.com]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
> (Mon Dec 8 14:46:57 2014) [sssd[be[bo3.e-bozo.com]]] [sbus_dispatch] (0x4000): dbus conn: 0x178eb70
> (Mon Dec 8 14:46:57 2014) [sssd[be[bo3.e-bozo.com]]] [sbus_dispatch] (0x4000): Dispatching.
>
> On Mon, Dec 8, 2014 at 2:32 PM, Matthew Herzog <matthew.her...@gmail.com> wrote:
>
>> ipa-client-3.0.0-42.el6.x86_64 on OEL 6.5 (server has 3.3.3 IPA)
>>
>> On Mon, Dec 8, 2014 at 2:26 PM, Dmitri Pal <d...@redhat.com> wrote:
>>
>>> On 12/08/2014 02:10 PM, Matthew Herzog wrote:
>>>
>>> Here are some errors I'm seeing on the client.
>>>
>>> tail -f sssd_lnx.e-bozo.com.log
>>> (Mon Dec 8 14:03:20 2014) [sssd[be[lnx.e-bozo.com]]] [sbus_dispatch] (0x4000): dbus conn: 0x1e72ad0
>>> (Mon Dec 8 14:03:20 2014) [sssd[be[lnx.e-bozo.com]]] [sbus_dispatch] (0x4000): Dispatching.
>>> (Mon Dec 8 14:03:20 2014) [sssd[be[lnx.e-bozo.com]]] [sbus_message_handler] (0x4000): Received SBUS method [ping]
>>> (Mon Dec 8 14:03:20 2014) [sssd[be[lnx.e-bozo.com]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
>>> (Mon Dec 8 14:03:20 2014) [sssd[be[lnx.e-bozo.com]]] [sbus_handler_got_caller_id] (0x4000): Received SBUS method [ping]
>>> (Mon Dec 8 14:03:30 2014) [sssd[be[lnx.e-bozo.com]]] [sbus_dispatch] (0x4000): dbus conn: 0x1e72ad0
>>> (Mon Dec 8 14:03:30 2014) [sssd[be[lnx.e-bozo.com]]] [sbus_dispatch] (0x4000): Dispatching.
>>> (Mon Dec 8 14:03:30 2014) [sssd[be[lnx.e-bozo.com]]] [sbus_message_handler] (0x4000): Received SBUS method [ping]
>>> (Mon Dec 8 14:03:30 2014) [sssd[be[lnx.e-bozo.com]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
>>> (Mon Dec 8 14:03:30 2014) [sssd[be[lnx.e-bozo.com]]] [sbus_handler_got_caller_id] (0x4000): Received SBUS method [ping]
>>> (Mon Dec 8 14:03:40 2014) [sssd[be[lnx.e-bozo.com]]] [sbus_dispatch] (0x4000): dbus conn: 0x1e72ad0
>>> (Mon Dec 8 14:03:40 2014) [sssd[be[lnx.e-bozo.com]]] [sbus_dispatch] (0x4000): Dispatching.
>>>
>>> [root@freeipa-poc-client02 sssd]# tail -f sssd_ssh.log
>>> (Sun Dec 7 19:32:09 2014) [sssd[ssh]] [ssh_process_init] (0x0010): sss_process_init() failed
>>> (Sun Dec 7 19:32:09 2014) [sssd[ssh]] [sss_dp_init] (0x0010): Failed to connect to monitor services.
>>> (Sun Dec 7 19:32:09 2014) [sssd[ssh]] [sss_process_init] (0x0010): fatal error setting up backend connector
>>> (Sun Dec 7 19:32:09 2014) [sssd[ssh]] [ssh_process_init] (0x0010): sss_process_init() failed
>>> (Sun Dec 7 19:32:16 2014) [sssd[ssh]] [sss_dp_init] (0x0010): Failed to connect to monitor services.
>>> (Sun Dec 7 19:32:16 2014) [sssd[ssh]] [sss_process_init] (0x0010): fatal error setting up backend connector
>>> (Sun Dec 7 19:32:16 2014) [sssd[ssh]] [ssh_process_init] (0x0010): sss_process_init() failed
>>> (Sun Dec 7 19:32:16 2014) [sssd[ssh]] [sss_dp_init] (0x0010): Failed to connect to monitor services.
>>> (Sun Dec 7 19:32:16 2014) [sssd[ssh]] [sss_process_init] (0x0010): fatal error setting up backend connector
>>> (Sun Dec 7 19:32:16 2014) [sssd[ssh]] [ssh_process_init] (0x0010): sss_process_init() failed
>>>
>>> What is the version of the client?
>>> Please add debug_level=9 to sssd.conf in different sections to raise the verbosity of the log and see what is really going on there.
>>> https://fedorahosted.org/sssd/wiki/FAQ#BasicsofTroubleshooting
>>>
>>> On Mon, Dec 8, 2014 at 11:48 AM, Matthew Herzog <matthew.her...@gmail.com> wrote:
>>>
>>>> I have never seen my IPA servers produce a zone file nor has the install script ever mentioned the creation of such. In fact, I just ran ipa-server-install --uninstall && ipa-server-install and there was no mention of a zone file.
>>>>
>>>> Where should I look in the file system to be sure? I see nothing in /var/named. I'm using 3.3.3 IPA on Oracle Linux from Oracle's yum repo. (Not my choice.)
>>>>
>>>> dsee7 is *not* running Kerberos. dsee7 is *not* configured with SRV records. I guess I'll need to add SRV records for all my Linux hosts.
>>>>
>>>> On Mon, Dec 8, 2014 at 10:41 AM, Petr Spacek <pspa...@redhat.com> wrote:
>>>>
>>>>> On 8.12.2014 14:44, Matthew Herzog wrote:
>>>>> > Petr said, "You can run ipa-server-install *without* --setup-dns option and at the end of installation it will produce DNS records which you have to manually add to your existing DNS database."
>>>>> >
>>>>> > I can't see how this would be useful or which machines I would need to add to our DNS.
>>>>> >
>>>>> > Perhaps I should have explained that we are not going to set up a new DNS domain for the ipa-managed servers.
>>>>> Good.
>>>>>
>>>>> Now you should run ipa-server-install *without* --setup-dns, using lnx.e-bozo.com as your IPA domain. It will install full IPA server and spit out DNS zone file.
>>>>>
>>>>> Then you *have to* take this zone file and import it to your existing DNS infrastructure - that will give you fully functional IPA domain lnx.e-bozo.com.
>>>>>
>>>>> Caveat:
>>>>> Preceding text assumes that 'dsee7' is not using either Kerberos or DNS SRV records for LDAP service in domain lnx.e-bozo.com, i.e. clients connecting to DSEE7 should be (most likely) statically configured with DSEE7 server name.
>>>>>
>>>>> Petr^2 Spacek
>>>>>
>>>>> > We have an Oracle dsee7 server doing LDAP for our Linux servers and accounts. We want to migrate to IPA so we don't have to maintain a Linux/LDAP account for every user who needs access to Linux servers. All of our users start with an account in AD and since none of my predecessors knew about Winbind, they set up dsee7.
>>>>> >
>>>>> > So I'm thinking we'll need to import all our dsee7 accounts AND make it possible for AD users to access the Linux systems without needing to create them in IPA.
>>>>> >
>>>>> > On Mon, Dec 8, 2014 at 2:56 AM, Petr Spacek <pspa...@redhat.com> wrote:
>>>>> >
>>>>> >> On 8.12.2014 05:02, Dmitri Pal wrote:
>>>>> >>> On 12/07/2014 10:10 PM, Matthew Herzog wrote:
>>>>> >>>> So should the FreeIPA server be authoritative for the Kerb. realm/DNS domain or can it/should it be a slave DNS server instead? Or caching only?
>>>>> >>>
>>>>> >>> IPA DNS can't be a slave so you either delegate a whole zone to it or manage IPA DNS domain via your own DNS server.
>>>>> >>
>>>>> >> Generally, "slave" is not allowed to do any changes so it is useless in your scenario.
>>>>> >>
>>>>> >> You can run ipa-server-install *without* --setup-dns option and at the end of installation it will produce DNS records which you have to manually add to your existing DNS database.
>>>>> >>
>>>>> >> Did you try that?
>>>>> >>
>>>>> >> Petr^2 Spacek
>>>>> >>
>>>>> >>>> On Sun, Dec 7, 2014 at 9:57 PM, Dmitri Pal <d...@redhat.com> wrote:
>>>>> >>>>
>>>>> >>>> On 12/07/2014 09:51 PM, Matthew Herzog wrote:
>>>>> >>>>> What must be done in or on the ipa server with regard to DNS, if anything?
>>>>> >>>>>
>>>>> >>>>> Our DNS works. It works well. We have four Linux DNS servers and two AD domain controllers that also do DNS.
>>>>> >>>>>
>>>>> >>>>> So if we already have DNS working well in our domain, why do we want to manage DNS in IPA?
>>>>> >>>>
>>>>> >>>> Let us keep the discussion on the list.
>>>>> >>>> IPA when used with AD trust presents itself as a separate forest.
>>>>> >>>> AD thinks that it is working with another AD forest.
>>>>> >>>> For that to work we need to follow MSFT rules about relationship between Kerberos realm and DNS domain.
>>>>> >>>> AD assumes that for every trusted forest Kerberos realm = DNS domain. IPA makes it easy to do because it has integrated tools to manage IPA DNS domain.
>>>>> >>>> If you want to manage it yourself through your DNS you can do it, just more manual operations for you.
>>>>> >>>>
>>>>> >>>> HTH
>>>>> >>>>
>>>>> >>>> Thanks
>>>>> >>>> Dmitri
>>>>> >>>>
>>>>> >>>>> On Sun, Dec 7, 2014 at 9:44 PM, Dmitri Pal <d...@redhat.com> wrote:
>>>>> >>>>>
>>>>> >>>>> On 12/07/2014 06:44 PM, Matthew Herzog wrote:
>>>>> >>>>>> Thanks guys. I'm sorry for my delay in responding.
>>>>> >>>>>>
>>>>> >>>>>> Firstly, I was under the impression (from reading the docs) that having named running on IPA server was critical.
>>>>> >>>>>
>>>>> >>>>> Properly configured DNS is critical.
>>>>> >>>>> How you accomplish it is up to you.
>>>>> >>>>> IPA allows you to have a DNS server that would simplify DNS management but it can be done manually too. This is why DNS is optional.
>>>>> >>>>>
>>>>> >>>>>> Also, the first question the ipa-server-install script asks is, "Do you want to configure integrated DNS (BIND)? ." While it's true the default answer is no, it leads one to believe that DNS is central to IPA. Also the ipa-client-install script says,
>>>>> >>>>>>
>>>>> >>>>>> [root@freeipa-poc-client02 ~]# ipa-client-install
>>>>> >>>>>> DNS discovery failed to determine your DNS domain
>>>>> >>>>>> Provide the domain name of your IPA server (ex: example.com):
>>>>> >>>>>>
>>>>> >>>>>> I can resolve -anything- from the machine using dig or whatever.
>>>>> >>>>>>
>>>>> >>>>>> Ultimately, the reason I started to be concerned about my IPA server's DNS config was because I was not able to authenticate AD accounts to a client machine. I saw a bunch of errors in the client's sssd logs which of course I can't find now.
>>>>> >>>>>>
>>>>> >>>>>> Perhaps it was these . . .
>>>>> >>>>>>
>>>>> >>>>>> (Thu Dec 4 13:45:23 2014) [sssd] [ping_check] (0x0100): Service nss replied to ping
>>>>> >>>>>> (Thu Dec 4 13:45:23 2014) [sssd] [ping_check] (0x0100): Service sudo replied to ping
>>>>> >>>>>> (Thu Dec 4 13:45:23 2014) [sssd] [ping_check] (0x0100): Service pam replied to ping
>>>>> >>>>>> (Thu Dec 4 13:45:23 2014) [sssd] [ping_check] (0x0100): Service ssh replied to ping
>>>>> >>>>>> (Thu Dec 4 13:45:23 2014) [sssd] [ping_check] (0x0100): Service pac replied to ping
>>>>> >>>>>> (Thu Dec 4 13:45:23 2014) [sssd] [ping_check] (0x0100): Service bo3.e-bozo.com replied to ping
>>>>> >>>>>>
>>>>> >>>>>> I'm not allowed onto the AD domain controllers to examine log files or I'd be checking those first.
>>>>> >>>>>>
>>>>> >>>>>> So ultimately the goal is to authenticate AD users and users that exist in our ldap schema. We need to set up groups of users that can run sudo commands on specific groups of hosts.
>>>>> >>>>>
>>>>> >>>>> Did you setup trusts as explained on the following page?
>>>>> >>>>> http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup
>>>>> >>>>>
>>>>> >>>>>> On Wed, Dec 3, 2014 at 3:46 AM, Petr Spacek <pspa...@redhat.com> wrote:
>>>>> >>>>>>
>>>>> >>>>>> On 3.12.2014 04:35, Dmitri Pal wrote:
>>>>> >>>>>> > On 12/02/2014 08:54 PM, Matthew Herzog wrote:
>>>>> >>>>>> >> Any other ideas? I just spun up a new VM and took the defaults on everything while running ipa-server-install (the defaults did make sense) and my new VM can't resolve -anything- in the domain in which it lives. The "old" VM (running the same versions of everything on the same OS) can't even resolve the clients I have registered with it!
>>>>> >>>>>> >>
>>>>> >>>>>> >> So I'm pretty frustrated and am wondering, what _exactly_ is the role of bind in the IPA server and how is it expected to know anything about the local DNS domain without becoming a bind slave server?
>>>>> >>>>>> >
>>>>> >>>>>> > I am not sure I am 100% with you but...
>>>>> >>>>>> > If you use the defaults and nothing else you get to the scenario when IPA has its DNS but it is a self contained environment. It seems that this is what you observe.
>>>>> >>>>>> > It is expected that you decide in advance what you want to do with DNS. There are several options:
>>>>> >>>>>> > 1) You can delegate a zone to IPA to manage, then you need to connect your IPA DNS to your existing DNS during install or after.
>>>>> >>>>>> > In this case the systems joined to IPA will be a part of IPA domain/zone and would also be able to resolve other systems around
>>>>> >>>>>> > 2) Not use IPA DNS if you do not want to take advantage of it
>>>>> >>>>>> > 3) Have a self contained demo/lab environment that you currently observe.
>>>>> >>>>>> >
>>>>> >>>>>> > What is the intent?
>>>>> >>>>>>
>>>>> >>>>>> I agree with Dmitri, we need more information from you:
>>>>> >>>>>> - You said "my new VM can't resolve -anything- in the domain in which it lives." - Which domain do you mean?
>>>>> >>>>>>
>>>>> >>>>>> - Apparently you have configured FreeIPA to serve zone e-bozo.com. Do you have this zone configured on some other DNS server at the same time?
>>>>> >>>>>>
>>>>> >>>>>> Please keep in mind that authoritative servers should share the database. You will get naming collisions if e-bozo.com is served by FreeIPA DNS servers and some other servers at the same time. Maybe that is the problem you see right now.
>>>>> >>>>>>
>>>>> >>>>>> As Dmitri said, the architecturally correct solution is to decide if you want to use FreeIPA DNS or not. You have option to either remove non-FreeIPA DNS servers and import data to FreeIPA or to add FreeIPA-specific DNS records to existing DNS servers and do not configure FreeIPA to act as DNS server.
>>>>> >>>>>>
>>>>> >>>>>> Petr^2 Spacek
>>>>> >>>>>>
>>>>> >>>>>> >> Thanks.
>>>>> >>>>>> >>
>>>>> >>>>>> >> On Tue, Dec 2, 2014 at 11:58 AM, Petr Spacek <pspa...@redhat.com> wrote:
>>>>> >>>>>> >>
>>>>> >>>>>> >> On 2.12.2014 17:36, Martin Basti wrote:
>>>>> >>>>>> >> > On 02/12/14 17:28, Matthew Herzog wrote:
>>>>> >>>>>> >> >> I just realized that my IPA servers cannot resolve ANY servers in my domain.
>>>>> >>>>>> >> >> What do I need to do to fix this? Below is my named.conf.
>>>>> >>>>>> >> >>
>>>>> >>>>>> >> >> options {
>>>>> >>>>>> >> >> // turns on IPv6 for port 53, IPv4 is on by default for all ifaces
>>>>> >>>>>> >> >> listen-on-v6 {any;};
>>>>> >>>>>> >> >>
>>>>> >>>>>> >> >> // Put files that named is allowed to write in the data/ directory:
>>>>> >>>>>> >> >> directory "/var/named"; // the default
>>>>> >>>>>> >> >> dump-file "data/cache_dump.db";
>>>>> >>>>>> >> >> statistics-file "data/named_stats.txt";
>>>>> >>>>>> >> >> memstatistics-file "data/named_mem_stats.txt";
>>>>> >>>>>> >> >>
>>>>> >>>>>> >> >> forward first;
>>>>> >>>>>> >> >> forwarders {
>>>>> >>>>>> >> >> 10.100.8.41;
>>>>> >>>>>> >> >> 10.100.8.40;
>>>>> >>>>>> >> >> 10.100.4.13;
>>>>> >>>>>> >> >> 10.100.4.14;
>>>>> >>>>>> >> >> 10.100.4.19;
>>>>> >>>>>> >> >> 10.100.4.44;
>>>>> >>>>>> >> >> };
>>>>> >>>>>> >> >>
>>>>> >>>>>> >> >> // Any host is permitted to issue recursive queries
>>>>> >>>>>> >> >> allow-recursion { any; };
>>>>> >>>>>> >> >>
>>>>> >>>>>> >> >> tkey-gssapi-keytab "/etc/named.keytab";
>>>>> >>>>>> >> >> pid-file "/run/named/named.pid";
>>>>> >>>>>> >> >> };
>>>>> >>>>>> >> >>
>>>>> >>>>>> >> >> /* If you want to enable debugging, eg. using the 'rndc trace' command,
>>>>> >>>>>> >> >> * By default, SELinux policy does not allow named to modify the /var/named directory,
>>>>> >>>>>> >> >> * so put the default debug log file in data/ :
>>>>> >>>>>> >> >> */
>>>>> >>>>>> >> >> logging {
>>>>> >>>>>> >> >> channel default_debug {
>>>>> >>>>>> >> >> file "data/named.run";
>>>>> >>>>>> >> >> severity dynamic;
>>>>> >>>>>> >> >> print-time yes;
>>>>> >>>>>> >> >> };
>>>>> >>>>>> >> >> };
>>>>> >>>>>> >> >> };
>>>>> >>>>>> >> >>
>>>>> >>>>>> >> >> zone "." IN {
>>>>> >>>>>> >> >> type hint;
>>>>> >>>>>> >> >> file "named.ca";
>>>>> >>>>>> >> >> };
>>>>> >>>>>> >> >>
>>>>> >>>>>> >> >> include "/etc/named.rfc1912.zones";
>>>>> >>>>>> >> >>
>>>>> >>>>>> >> >> dynamic-db "ipa" {
>>>>> >>>>>> >> >> library "ldap.so";
>>>>> >>>>>> >> >> arg "uri ldapi://%2fvar%2frun%2fslapd-BO3-E-BOZO-COM.socket";
>>>>> >>>>>> >> >> arg "base cn=dns, dc=bo3,dc=e-bozo,dc=com";
>>>>> >>>>>> >> >> arg "fake_mname freeipa-poc01.bo3.e-bozo.com.";
>>>>> >>>>>> >> >> arg "auth_method sasl";
>>>>> >>>>>> >> >> arg "sasl_mech GSSAPI";
>>>>> >>>>>> >> >> arg "sasl_user DNS/freeipa-poc01.bo3.e-bozo.com";
>>>>> >>>>>> >> >> arg "serial_autoincrement yes";
>>>>> >>>>>> >> >> };
>>>>> >>>>>> >> >>
>>>>> >>>>>> >> > Hello,
>>>>> >>>>>> >> >
>>>>> >>>>>> >> > which version ipa do you use? which platform? Which version bind-dyndb-ldap?
>>>>> >>>>>> >> >
>>>>> >>>>>> >> > Can you run these commands, and check if there are any errors?
>>>>> >>>>>> >> > ipactl status
>>>>> >>>>>> >> > systemctl status named (respectively journalctl -u named)
>>>>> >>>>>> >>
>>>>> >>>>>> >> We also may want to see information listed on page
>>>>> >>>>>> >> https://fedorahosted.org/bind-dyndb-ldap/wiki/BugReporting
>>>>>
>>>>> --
>>>>> Petr^2 Spacek
>>>>
>>>> --
>>>> If life gives you melons, you may be dyslexic.
>>>
>>> --
>>> If life gives you melons, you may be dyslexic.
>>>
>>> --
>>> Thank you,
>>> Dmitri Pal
>>>
>>> Sr. Engineering Manager IdM portfolio
>>> Red Hat, Inc.
>>>
>>> --
>>> Manage your subscription for the Freeipa-users mailing list:
>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>> Go To http://freeipa.org for more info on the project
>>
>> --
>> If life gives you melons, you may be dyslexic.
>
> --
> If life gives you melons, you may be dyslexic.

--
If life gives you melons, you may be dyslexic.
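
Added example, not part of the original thread and not SSSD project code: a triage script for the SSSD debug logs quoted above. It decodes the level bitmask of each entry (values as listed in sssd.conf(5)) and keeps only failure-level entries, which separates the fatal sssd_ssh.log entries from the backend trace output; the sample entries are copied from the thread and re-joined to one per line, and the name `triage` is this example's own.

```python
import re
from collections import OrderedDict

# Debug-level bitmask values as listed in sssd.conf(5).
LEVELS = {
    0x0010: "fatal failure", 0x0020: "critical failure",
    0x0040: "serious failure", 0x0080: "minor failure",
    0x0100: "configuration", 0x0200: "function data",
    0x0400: "operation trace", 0x1000: "internal trace",
    0x2000: "variable trace", 0x4000: "low-level trace",
}
FAILURE_MASK = 0x00F0  # the four failure levels

ENTRY = re.compile(r"^\((?P<ts>[^)]+)\) \[(?P<proc>\S+)\] "
                   r"\[(?P<func>\w+)\] \((?P<lvl>0x[0-9a-fA-F]+)\): (?P<msg>.*)$")

# Entries copied from the logs quoted in this thread, one entry per line.
SAMPLE = """\
(Mon Dec 8 14:46:54 2014) [sssd[be[bo3.e-bozo.com]]] [sysdb_search_groups] (0x2000): No such entry
(Mon Dec 8 14:46:54 2014) [sssd[be[bo3.e-bozo.com]]] [sysdb_delete_user] (0x0400): Error: 2 (No such file or directory)
(Mon Dec 8 14:46:54 2014) [sssd[be[bo3.e-bozo.com]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success
(Mon Dec 8 14:46:57 2014) [sssd[be[bo3.e-bozo.com]]] [sbus_dispatch] (0x4000): Dispatching.
(Sun Dec 7 19:32:09 2014) [sssd[ssh]] [sss_dp_init] (0x0010): Failed to connect to monitor services.
(Sun Dec 7 19:32:09 2014) [sssd[ssh]] [sss_process_init] (0x0010): fatal error setting up backend connector
(Sun Dec 7 19:32:09 2014) [sssd[ssh]] [ssh_process_init] (0x0010): sss_process_init() failed
(Sun Dec 7 19:32:16 2014) [sssd[ssh]] [sss_dp_init] (0x0010): Failed to connect to monitor services.
(Sun Dec 7 19:32:16 2014) [sssd[ssh]] [sss_process_init] (0x0010): fatal error setting up backend connector
(Sun Dec 7 19:32:16 2014) [sssd[ssh]] [ssh_process_init] (0x0010): sss_process_init() failed
"""

def triage(text):
    """Return (failures, other). failures maps (process, function, message)
    to [level name, count, first timestamp, last timestamp]; other counts
    the entries below failure level."""
    failures, other = OrderedDict(), 0
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue  # wrapped fragment or a line that is not an SSSD entry
        lvl = int(m["lvl"], 16)
        if lvl & FAILURE_MASK:
            key = (m["proc"], m["func"], m["msg"])
            rec = failures.setdefault(
                key, [LEVELS.get(lvl, hex(lvl)), 0, m["ts"], m["ts"]])
            rec[1] += 1        # repeated failures collapse into one row
            rec[3] = m["ts"]   # remember the most recent occurrence
        else:
            other += 1
    return failures, other

if __name__ == "__main__":
    failures, other = triage(SAMPLE)
    for (proc, func, msg), (name, n, first, last) in failures.items():
        print(f"{name} x{n} {proc} {func}: {msg} ({first} .. {last})")
    print(f"{other} entries below failure level suppressed")
```

The 0x0400 entry reading "Error: 2 (No such file or directory)" is counted as trace output here because the script classifies by the logged level, not by the message text.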
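
Added example, not part of the original thread and not FreeIPA code: one way to check records added by hand to an existing zone, as the replies above describe for an install without --setup-dns, including the realm = DNS domain rule mentioned for AD trusts. It assumes the conventional FreeIPA/Kerberos SRV and TXT names (the list the installer prints is authoritative), a constructed sample zone, and a hypothetical host `legacy-ldap`; the function names are this example's own.

```python
import re

# Assumption: the SRV names and ports that FreeIPA clients and Kerberos
# libraries conventionally look up. The record list ipa-server-install prints
# for your own install is the authoritative one.
SRV_PORTS = {
    "_ldap._tcp": 389,
    "_kerberos._tcp": 88, "_kerberos._udp": 88,
    "_kerberos-master._tcp": 88, "_kerberos-master._udp": 88,
    "_kpasswd._tcp": 464, "_kpasswd._udp": 464,
}
RR = re.compile(r"^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?(SRV|TXT)\s+(.+)$", re.I)

# Constructed sample: records added by hand to the existing zone, with one
# SRV missing and one pointing at a hypothetical host that is not an IPA server.
ZONE = """\
_ldap._tcp             IN SRV 0 100 389 freeipa-poc01
_kerberos              IN TXT "BO3.E-BOZO.COM"
_kerberos._tcp         IN SRV 0 100 88  freeipa-poc01
_kerberos._udp         IN SRV 0 100 88  freeipa-poc01
_kerberos-master._tcp  IN SRV 0 100 88  freeipa-poc01
_kerberos-master._udp  IN SRV 0 100 88  legacy-ldap.bo3.e-bozo.com.
_kpasswd._tcp          IN SRV 0 100 464 freeipa-poc01
"""

def absolute(name, origin):
    """Expand a zone-relative name; names ending in '.' are already absolute."""
    name = name.lower()
    return name if name.endswith(".") else f"{name}.{origin}"

def parse_zone(text, origin):
    """Index one-line SRV/TXT records as {(owner, type): [rdata, ...]}.
    Lines that inherit their owner (leading whitespace) are not handled."""
    records = {}
    for raw in text.splitlines():
        m = None if raw[:1].isspace() else RR.match(raw.split(";", 1)[0].strip())
        if m:
            key = (absolute(m.group(1), origin), m.group(2).upper())
            records.setdefault(key, []).append(m.group(3).strip())
    return records

def check_ipa_dns(zone_text, domain, realm, servers):
    """Return a list of problems; an empty list means the records line up."""
    origin = domain.lower().rstrip(".") + "."
    allowed = {s.lower().rstrip(".") + "." for s in servers}  # server FQDNs
    records = parse_zone(zone_text, origin)
    problems = []
    if realm.lower() != domain.lower():
        problems.append(f"realm {realm} does not match DNS domain {domain}")
    for svc, port in SRV_PORTS.items():
        owner = f"{svc}.{origin}"
        rdatas = records.get((owner, "SRV"), [])
        if not rdatas:
            problems.append(f"missing SRV {owner}")
        for rdata in rdatas:
            fields = rdata.split()  # priority weight port target
            if len(fields) != 4 or fields[2] != str(port):
                problems.append(f"SRV {owner} has unexpected rdata {rdata!r}")
            elif absolute(fields[3], origin) not in allowed:
                problems.append(f"SRV {owner} points at {fields[3]}, not an IPA server")
    txt = [t.strip('"') for t in records.get((f"_kerberos.{origin}", "TXT"), [])]
    if txt != [realm]:
        problems.append(f"_kerberos TXT is {txt}, expected {realm}")
    return problems

if __name__ == "__main__":
    for p in check_ipa_dns(ZONE, "bo3.e-bozo.com", "BO3.E-BOZO.COM",
                           ["freeipa-poc01.bo3.e-bozo.com"]):
        print(p)
```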