[Freeipa-users] Installing FreeIPA 3.1 - 3.3 On RHEL
Hi all.

The newest IPA version that exists in the RHN repository is 3.0.0-37. I would like to install an IPA version greater than 3.0 on RHEL 6.x. How would you recommend installing newer versions? Using the Fedora repository, EPEL, or just downloading the tarball and building it?

Thank you very much,
John

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
[Freeipa-users] reverse lookup dns records in trust setup
Hi,

I have an AD and IdM server.
AD domain - john.com
IdM domain - linux.john.com
Each spans multiple network segments, with some segments having both Linux and Windows machines.
The IdM is configured to forward DNS requests to AD (forward first), and the AD is configured to forward requests in the linux.john.com domain to the IdM.

However, I'm having a problem regarding reverse lookup zones. Where should they be so they can be accessed from both Linux and Windows machines? If I put them in IdM, how will the AD know which requests to forward to the IdM? It seems to me that I need to somehow register them at the AD, so the A record is in the IdM server and the PTR is in the AD. Is it possible to do it automatically, or am I supposed to configure the IdM server to create the A record upon client registration and then manually create the PTR record in AD? Is there another solution that eludes me?

Thank you very much,
John

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] reverse lookup dns records in trust setup
Hi,

I ran these commands in the IdM server:

$ ipa dnszone-mod 2.0.192.in-addr.arpa. --update-policy='grant JOHN.COM krb5-self * PTR; grant LINUX.JOHN.COM krb5-self * PTR;'
$ ipa dnszone-mod 2.0.192.in-addr.arpa. --dynamic-update=1

At the Active Directory I have A and PTR records for the IdM server and it is configured as a global forwarder. At the IdM server there are A and PTR records for both the IdM server and another client.

However this setup does not work. From the IdM and Linux client every record is resolvable; however, from the AD only the IdM is resolvable and the client is not. Maybe there's another thing I need to configure in the AD in order to enable forwarding that I'm missing?

Thank you very much,
John

On Mon, Jun 29, 2015 at 4:52 PM Petr Spacek pspa...@redhat.com wrote:
> On 29.6.2015 13:57, John Stein wrote:
>> Hi,
>> I have an AD and IdM server.
>> AD domain - john.com
>> IdM domain - linux.john.com
>> Each spans multiple network segments, with some segments having both Linux and Windows machines.
>> The IdM is configured to forward DNS requests to AD (forward first), and the AD is configured to forward requests in the linux.john.com domain to the IdM.
>> However, I'm having a problem regarding reverse lookup zones. Where should they be so they can be accessed from both Linux and Windows machines?
>
> From DNS's point of view it does not matter, pick one side (AD or IPA) to host the reverse zone and configure delegation or forwarding on the other side. That is all you need if you are willing to update records manually.
>
>> If I put them in IdM, how will the AD know which requests to forward to the IdM?
>
> Either properly configure delegation (if you have control over the parent zone) or add a forwarder (only if you do not have control over the parent zone - usual caveats for forwarding apply).
>
>> It seems to me that I need to somehow register them at the AD, so the A record is in the IdM server and the PTR is in the AD. Is it possible to do it automatically,
>
> host/ principals from the IPA Kerberos realm are generally not allowed to get tickets for the AD realm so automatic update from IPA to AD is not possible.
>
> It might work the other way around (I did not test this):
> - Configure reverse zone in IPA
> - Configure delegation/forwarding in AD so all clients can properly resolve the reverse zone
> - Allow all clients to update their PTR records. Update policy like this might work:
>
> $ ipa dnszone-mod 2.0.192.in-addr.arpa. --update-policy='grant AD.EXAMPLE krb5-self * PTR; grant IPA.EXAMPLE krb5-self * PTR;'
> $ ipa dnszone-mod 2.0.192.in-addr.arpa. --dynamic-update=1
>
> I would like to hear from you if this works in your environment or not.
>
> Thank you!
>
> --
> Petr^2 Spacek
[Freeipa-users] IPA Replication Questions
Hi,

Looking at the documentation, I've found no examples of creating a replication agreement with only one server. What I assume needs to be done is this:

For each replica, run ipa-replica-prepare and follow the documentation. This creates replication agreements between two nodes. From there, I should use ipa-replica-manage to add replication agreements to whichever nodes I want that were not the original two.

For instance: from server1 I run ipa-replica-prepare to prepare the files for server2 and server3 and then run ipa-replica-install on them with their respective files. So my replication agreements are
s1 - s2
s1 - s3
After that I use ipa-replica-manage to create trust between server2 and server3.

Am I right?

Thank you,
John
[Freeipa-users] AD trust deployment without IPA authority over reverse lookup zone
Hi,

I am considering deploying IPA in my organization. The environment is disconnected from the internet. I have some concerns I'm not sure how to resolve.

The environment consists mostly of Windows servers (thousands) and workstations (ten thousand) managed by AD (CORP.COM). There is also a small Linux environment (up to a thousand servers) that is currently not centrally managed (user-wise). I want to utilize IPA and the AD trust feature to implement SSO. I'd like to have a sub-domain run by IPA (LINUX.CORP.COM).

Because the environment is Windows dominated, the AD is used as the authoritative DNS server for all forward and reverse lookup zones. The AD trust requires that both the IPA and AD be authoritative over their respective forward and reverse lookup zones. However, the Linux and Windows servers are spread across multiple subnets without any big-scale logic, therefore it is not practical to create a reverse lookup zone for each subnet in the IPA server as those subnets contain both Linux and Windows machines.

I came up with some solutions:
1) Have only the AD as a DNS server and give up on ipa-client-install and automatic client registration.
2) DNS synchronization between IPA and AD.
3) Have the IPA manage the forward zone (linux.corp.com), and have the clients update their own A record automatically upon ipa-client-install, while having the AD manage the reverse zones (A or B class subnets) with me creating the PTR records manually. The IPA will be configured as a conditional forwarder for linux.corp.com, while the AD will be configured as a global forwarder in the IPA server.

I strongly dislike the first two solutions and I would like your opinion on the feasibility of the third. I'm also open to any other ideas. If there aren't any, is this solution feasible?

Thanks,
John
Re: [Freeipa-users] reverse lookup dns records in trust setup
Hi,

What I meant was that the IPA server is managing two zones:

Linux.john.com
Which has these records
Ipa1 A 192.168.0.140
client1 A 192.168.0.11

0.168.192.in-addr.arpa.
Which has these records
11 PTR client1.linux.john.com
@ NS ipa1.linux.john.com

In the AD forward lookup zones
John.com
linux
(Same as parent folder) NS ipa1.linux.john.com

Anything more that's unclear?

Thank you very much!
John

On Tue, Jul 14, 2015, 15:52 Petr Spacek pspa...@redhat.com wrote:
> On 14.7.2015 14:49, John Stein wrote:
>> I ran the above commands exactly as I told you on the IPA server. I also set the IPA server as a global forwarder in the AD.
>>
>> On Wed, Jul 8, 2015, 12:50 Petr Spacek pspa...@redhat.com wrote:
>>> On 5.7.2015 08:38, John Stein wrote:
>>>> Hi,
>>>> I ran these commands in the IdM server
>>>> $ ipa dnszone-mod 2.0.192.in-addr.arpa. --update-policy='grant JOHN.COM krb5-self * PTR; grant LINUX.JOHN.COM krb5-self * PTR;'
>>>> $ ipa dnszone-mod 2.0.192.in-addr.arpa. --dynamic-update=1
>>>> At the Active Directory I have A and PTR records for the IdM server and it is configured as a global forwarder. At the IdM server there are A and PTR records for both the IdM server and another client.
>
> Can you explain what you did, exactly? I do not know what 'I have A and PTR records for the IdM server' exactly means. We need to know exactly what you typed in and where you clicked in AD. The original information is not sufficient, that is why I am asking for more details.
>
> Petr^2 Spacek
>
>>>> However this setup does not work. From the IdM and Linux client every record is resolvable, however from the AD only the IdM is resolvable and the client is not. Maybe there's another thing I need to configure in the AD in order to enable forwarding that I'm missing?
>>>
>>> I'm not sure I understand you.
Re: [Freeipa-users] reverse lookup dns records in trust setup
I ran the above commands exactly as I told you on the IPA server. I also set the IPA server as a global forwarder in the AD.

On Wed, Jul 8, 2015, 12:50 Petr Spacek pspa...@redhat.com wrote:
> On 5.7.2015 08:38, John Stein wrote:
>> Hi,
>> I ran these commands in the IdM server
>> $ ipa dnszone-mod 2.0.192.in-addr.arpa. --update-policy='grant JOHN.COM krb5-self * PTR; grant LINUX.JOHN.COM krb5-self * PTR;'
>> $ ipa dnszone-mod 2.0.192.in-addr.arpa. --dynamic-update=1
>> At the Active Directory I have A and PTR records for the IdM server and it is configured as a global forwarder. At the IdM server there are A and PTR records for both the IdM server and another client.
>> However this setup does not work. From the IdM and Linux client every record is resolvable, however from the AD only the IdM is resolvable and the client is not. Maybe there's another thing I need to configure in the AD in order to enable forwarding that I'm missing?
>
> I'm not sure I understand you.
>
> A zone should be configured only on one server (or set of synchronized servers). Could you tell us what exactly (using what commands or GUI in IPA and AD) you configured?
>
> It would be good if you did not obfuscate DNS names in the steps because the obfuscation often hides the real cause of the problem :-)
>
> Have a nice day!
>
> Petr^2 Spacek
>
>> Thank you very much,
>> John
>>
>> On Mon, Jun 29, 2015 at 4:52 PM Petr Spacek pspa...@redhat.com wrote:
>>> On 29.6.2015 13:57, John Stein wrote:
>>>> Hi,
>>>> I have an AD and IdM server.
>>>> AD domain - john.com
>>>> IdM domain - linux.john.com
>>>> Each spans multiple network segments, with some segments having both Linux and Windows machines.
>>>> The IdM is configured to forward DNS requests to AD (forward first), and the AD is configured to forward requests in the linux.john.com domain to the IdM.
>>>> However, I'm having a problem regarding reverse lookup zones. Where should they be so they can be accessed from both Linux and Windows machines?
>>>
>>> From DNS's point of view it does not matter, pick one side (AD or IPA) to host the reverse zone and configure delegation or forwarding on the other side. That is all you need if you are willing to update records manually.
>>>
>>>> If I put them in IdM, how will the AD know which requests to forward to the IdM?
>>>
>>> Either properly configure delegation (if you have control over the parent zone) or add a forwarder (only if you do not have control over the parent zone - usual caveats for forwarding apply).
>>>
>>>> It seems to me that I need to somehow register them at the AD, so the A record is in the IdM server and the PTR is in the AD. Is it possible to do it automatically,
>>>
>>> host/ principals from the IPA Kerberos realm are generally not allowed to get tickets for the AD realm so automatic update from IPA to AD is not possible.
>>>
>>> It might work the other way around (I did not test this):
>>> - Configure reverse zone in IPA
>>> - Configure delegation/forwarding in AD so all clients can properly resolve the reverse zone
>>> - Allow all clients to update their PTR records. Update policy like this might work:
>>>
>>> $ ipa dnszone-mod 2.0.192.in-addr.arpa. --update-policy='grant AD.EXAMPLE krb5-self * PTR; grant IPA.EXAMPLE krb5-self * PTR;'
>>> $ ipa dnszone-mod 2.0.192.in-addr.arpa. --dynamic-update=1
>>>
>>> I would like to hear from you if this works in your environment or not.
Re: [Freeipa-users] reverse lookup dns records in trust setup
Hi,

Does that mean deleting the NS record on AD and creating an A record instead?

Thanks,
John

On Wed, Jul 15, 2015, 18:28 Petr Spacek pspa...@redhat.com wrote:
> On 14.7.2015 15:19, John Stein wrote:
>> Hi,
>> What I meant was that the IPA server is managing two zones:
>>
>> Linux.john.com
>> Which has these records
>> Ipa1 A 192.168.0.140
>> client1 A 192.168.0.11
>>
>> 0.168.192.in-addr.arpa.
>> Which has these records
>> 11 PTR client1.linux.john.com
>> @ NS ipa1.linux.john.com
>>
>> In the AD forward lookup zones
>> John.com
>> linux
>> (Same as parent folder) NS ipa1.linux.john.com
>>
>> Anything more that's unclear?
>
> This is enough. You have the same 'master' zone configured on IPA and AD, which does not make sense from a DNS point of view. You need to move all records to one server and configure a 'forward' zone on the other server. In AD terminology you need to create a 'conditional forwarder'.
>
> Petr^2 Spacek
>
>> Thank you very much!
>> John
>>
>> On Tue, Jul 14, 2015, 15:52 Petr Spacek pspa...@redhat.com wrote:
>>> On 14.7.2015 14:49, John Stein wrote:
>>>> I ran the above commands exactly as I told you on the IPA server. I also set the IPA server as a global forwarder in the AD.
>>>>
>>>> On Wed, Jul 8, 2015, 12:50 Petr Spacek pspa...@redhat.com wrote:
>>>>> On 5.7.2015 08:38, John Stein wrote:
>>>>>> Hi,
>>>>>> I ran these commands in the IdM server
>>>>>> $ ipa dnszone-mod 2.0.192.in-addr.arpa. --update-policy='grant JOHN.COM krb5-self * PTR; grant LINUX.JOHN.COM krb5-self * PTR;'
>>>>>> $ ipa dnszone-mod 2.0.192.in-addr.arpa. --dynamic-update=1
>>>>>> At the Active Directory I have A and PTR records for the IdM server and it is configured as a global forwarder. At the IdM server there are A and PTR records for both the IdM server and another client.
>>>
>>> Can you explain what you did, exactly? I do not know what 'I have A and PTR records for the IdM server' exactly means. We need to know exactly what you typed in and where you clicked in AD. The original information is not sufficient, that is why I am asking for more details.
>>>
>>> Petr^2 Spacek
>>>
>>>>>> However this setup does not work. From the IdM and Linux client every record is resolvable, however from the AD only the IdM is resolvable and the client is not. Maybe there's another thing I need to configure in the AD in order to enable forwarding that I'm missing?
>>>>>
>>>>> I'm not sure I understand you.
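An offline consistency check for the layout discussed in this thread, added here as an example and not code from the thread or from the FreeIPA project. It models which server is master for which zone and what each side forwards, then flags a zone that is master on both AD and IPA (the split Petr Spacek diagnoses above) and a zone one side can neither answer nor forward (the delegation-or-forwarding rule from his earlier reply). Server names, zones and forwarders are constructed from the thread; nothing is queried over the network.

```python
# Added example, not code from the thread or from FreeIPA: an offline audit of
# which DNS server is master for which zone and what each side forwards. It
# flags a zone hosted as master on both AD and IPA and a zone one side can
# neither answer nor forward. Server names, zones and forwarders below are
# constructed from the thread; nothing is queried over the network.
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class DnsServer:
    name: str
    authoritative: set                        # zones hosted as master
    conditional_forwarders: dict = field(default_factory=dict)  # zone -> server
    global_forwarder: Optional[str] = None    # where everything else is sent


def _covered(zone: str, forwarded: set) -> bool:
    """True if `zone` equals or lies below a zone with a conditional forwarder."""
    return any(zone == z or zone.endswith("." + z) for z in forwarded)


def audit(servers: list) -> list:
    """Return findings as strings; an empty list means the layout is consistent."""
    findings = []
    all_zones = set().union(*(s.authoritative for s in servers))
    for zone in sorted(all_zones):
        owners = [s.name for s in servers if zone in s.authoritative]
        if len(owners) > 1:
            findings.append(f"{zone}: master on {owners} (split-brain)")
        for s in servers:
            if zone in s.authoritative:
                continue
            # A server that does not host the zone needs a conditional
            # forwarder for it (or for a parent of it), or a global
            # forwarder that points at a server which does host it.
            if _covered(zone, set(s.conditional_forwarders)):
                continue
            if s.global_forwarder in owners:
                continue
            findings.append(f"{zone}: {s.name} has no way to resolve it")
    return findings


# Layout from the thread: the reverse zone is master on AD and on IPA.
IPA = DnsServer("ipa1", {"linux.john.com", "0.168.192.in-addr.arpa"},
                global_forwarder="ad")
AD_BROKEN = DnsServer("ad", {"john.com", "0.168.192.in-addr.arpa"},
                      {"linux.john.com": "ipa1"})
# The fix described above: one master for the reverse zone, and AD gets a
# conditional forwarder for it.
AD_FIXED = DnsServer("ad", {"john.com"},
                     {"linux.john.com": "ipa1", "0.168.192.in-addr.arpa": "ipa1"})

if __name__ == "__main__":
    print(audit([AD_BROKEN, IPA]))  # one split-brain finding
    print(audit([AD_FIXED, IPA]))   # []
```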
[Freeipa-users] Using NTP SRV records
Hi,

I have an IPA server installed with --no-ntp, and created SRV records _ntp._udp_.linux.john.com pointing to my actual NTP servers. However, when I run ipa-client-install it is configured with the IPA server as an NTP server. Am I missing something?

Thanks,
John
Re: [Freeipa-users] Using NTP SRV records
Thank you (both of you)

John

On Tue, Jul 7, 2015 at 2:42 PM Baird, Josh jba...@follett.com wrote:
> You need to specify '--no-ntp' on 'ipa-client-install'
>
> Josh
>
> From: freeipa-users-boun...@redhat.com [mailto: freeipa-users-boun...@redhat.com] On Behalf Of John Stein
> Sent: Tuesday, July 07, 2015 7:38 AM
> To: freeipa-users@redhat.com
> Subject: [Freeipa-users] Using NTP SRV records
>
> Hi,
> I have an IPA server installed with --no-ntp, and created SRV records _ntp._udp_.linux.john.com pointing to my actual NTP servers. However, when I run ipa-client-install it is configured with the IPA server as an NTP server. Am I missing something?
>
> Thanks,
> John
Re: [Freeipa-users] IPA Replication Questions
Thanks for the reply. Maybe this should be added to the documentation?

John

On Tue, Jul 7, 2015 at 11:02 AM Łukasz Jaworski en...@kofeina.net wrote:
> Yes.
>
> ipa-replica-manage connect s2 s3
>
> and for CA replication:
>
> ipa-csreplica-manage connect s2 s3
>
> Best regards,
> Ender
>
> Message written by John Stein tde3...@gmail.com on 7 Jul 2015, at 07:56:
>> Hi,
>> Looking at the documentation, I've found no examples of creating a replication agreement with only one server. What I assume needs to be done is this:
>> For each replica, run ipa-replica-prepare and follow the documentation. This creates replication agreements between two nodes. From there, I should use ipa-replica-manage to add replication agreements to whichever nodes I want that were not the original two.
>> For instance: from server1 I run ipa-replica-prepare to prepare the files for server2 and server3 and then run ipa-replica-install on them with their respective files. So my replication agreements are
>> s1 - s2
>> s1 - s3
>> After that I use ipa-replica-manage to create trust between server2 and server3.
>> Am I right?
>>
>> Thank you,
>> John
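A topology check for the situation in this thread, added here as an example and not code from the thread or from FreeIPA: given the list of replication agreements, it reports which server's outage would leave some replicas unable to reach others (after preparing every replica from s1 alone, s1 is such a hub) and prints the connect commands from the answer above that close the gap. The s1/s2/s3 names are the ones used in the thread.

```python
# Added example, not code from the thread or from FreeIPA: find servers whose
# loss would split the replication topology and suggest the
# ipa-replica-manage / ipa-csreplica-manage connect commands that fix it.
# Server names are the s1/s2/s3 from the thread.
from collections import defaultdict


def build_graph(agreements):
    """Undirected adjacency map; an IPA agreement replicates both ways."""
    graph = defaultdict(set)
    for a, b in agreements:
        graph[a].add(b)
        graph[b].add(a)
    return graph


def _connected(graph, nodes, skip=None):
    """Depth-first search over `nodes` with `skip` removed from the graph."""
    remaining = [n for n in nodes if n != skip]
    if not remaining:
        return True
    seen, todo = {remaining[0]}, [remaining[0]]
    while todo:
        for nxt in graph[todo.pop()]:
            if nxt != skip and nxt not in seen:
                seen.add(nxt)
                todo.append(nxt)
    return len(seen) == len(remaining)


def single_points_of_failure(agreements):
    """Servers whose outage would leave some replicas unable to reach others."""
    graph = build_graph(agreements)
    nodes = sorted(graph)
    return [n for n in nodes if not _connected(graph, nodes, skip=n)]


def suggested_commands(agreements):
    """Commands that remove each hub by chaining its neighbours together.
    Every fragment left after removing the hub contains one of its
    neighbours, so linking the neighbours in a chain reconnects them all."""
    graph = build_graph(agreements)
    cmds = []
    for hub in single_points_of_failure(agreements):
        neighbours = sorted(graph[hub])
        for a, b in zip(neighbours, neighbours[1:]):
            if b not in graph[a]:
                cmds.append(f"ipa-replica-manage connect {a} {b}")
                cmds.append(f"ipa-csreplica-manage connect {a} {b}")
    return cmds


if __name__ == "__main__":
    star = [("s1", "s2"), ("s1", "s3")]       # what ipa-replica-prepare from s1 gives
    print(single_points_of_failure(star))     # ['s1']
    print(suggested_commands(star))
    print(single_points_of_failure(star + [("s2", "s3")]))  # []
```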