[Freeipa-users] Re: DNS resolution failures

2024-02-16 Thread Natxo Asenjo via FreeIPA-users
hi,

a bit late, but you should check the forwarding logs (maybe enable them, a
bit unsure if they are enabled by default on named).

Without any proof, my gut feeling is on dnssec :-), I have had to turn it
off a few times.

Regards,

Natxo Asenjo

On Tue, Jan 30, 2024 at 5:11 PM David Harvey via FreeIPA-users <
freeipa-users@lists.fedorahosted.org> wrote:

> Just checking if there are any suggestions as to how to debug this
> effectively. The lack of smoking-barrel log entries we've seen with it has
> left us a little stumped!
> Thanks as always,
> David
>
> On Wed, 17 Jan 2024 at 10:54, Tania Hagan via FreeIPA-users <
> freeipa-users@lists.fedorahosted.org> wrote:
>
>> Hi Freeipa-users,
>>
>> We are currently running Freeipa version 4.9.11 on Rocky 8.8.
>>
>> We have noticed over the last few months that external name resolution
>> (e.g. google.com) fails on multiple Freeipa replicas even though the
>> service named-pkcs11 remains up and running, and journalctl and the logs
>> aren't showing any obvious errors as to why this might be happening.
>> We temporarily fix this by restarting the service, but the problem comes
>> back at random times.
>>
>> We currently have 39 DNS Zones
>>
>> Our DNS Global Configuration has a forward policy of forward only, though
>> the individual zones are set to forward first.
>>
>> I’ve read a few articles that say maybe changing the forward policy might
>> fix it, but nothing that mentions how to double check if changing the
>> policy will fix it.
>>
>> Are there any useful troubleshooting checks I could run to either help
>> explain why our service keeps failing at random intervals or confirm any
>> changes would fix the issue without the risk of potential downtime of our
>> DNS service?
>>
>> Many Thanks,
>> Tania
>> --
>> ___
>> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
>> To unsubscribe send an email to
>> freeipa-users-le...@lists.fedorahosted.org
>> Fedora Code of Conduct:
>> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>> List Archives:
>> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
>> Do not reply to spam, report it:
>> https://pagure.io/fedora-infrastructure/new_issue
>>


-- 
--
Groeten,
natxo
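Natxo's advice is to read the forwarding logs and to suspect DNSSEC. As an added example (not code from the thread or from FreeIPA), the script below triages named log lines, separating DNSSEC validation failures from forwarder timeouts and bad upstream responses, and tallies which upstream was involved. The log lines are constructed in BIND 9 style; names, client and upstream addresses are made up.

```python
import re
from collections import Counter

# Constructed sample lines in BIND 9 log style (not from the thread).
SAMPLE_LOG = """\
16-Feb-2024 09:12:01.412 dnssec: info: validating google.com/A: no valid signature found
16-Feb-2024 09:12:01.413 query-errors: info: client @0x7f1a 10.0.0.12#51234 (google.com): query failed (SERVFAIL) for google.com/IN/A at query.c:7123
16-Feb-2024 09:12:05.001 resolver: info: timed out resolving 'example.org/AAAA/IN': 192.0.2.53#53
16-Feb-2024 09:13:10.220 lame-servers: info: broken trust chain resolving 'example.net/A/IN': 192.0.2.53#53
16-Feb-2024 09:14:00.000 resolver: info: DNS format error from 192.0.2.54#53 resolving example.com/A for client 10.0.0.12#51235: invalid response
16-Feb-2024 09:15:30.500 dnssec: info: validating example.net/A: no valid signature found
"""

# Each cause is recognised by a fragment of the message BIND emits for it.
PATTERNS = [
    ("dnssec", re.compile(r"no valid signature found|broken trust chain")),
    ("forwarder_timeout", re.compile(r"timed out resolving")),
    ("forwarder_bad_response", re.compile(r"DNS format error from")),
    ("servfail", re.compile(r"query failed \(SERVFAIL\)")),
]
UPSTREAM = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})#53")

def classify(line):
    """Return the first matching cause for one log line, or None."""
    for name, pattern in PATTERNS:
        if pattern.search(line):
            return name
    return None

def triage(text):
    """Count lines per cause and, for forwarder trouble, per upstream server."""
    causes, upstreams = Counter(), Counter()
    for line in text.splitlines():
        cause = classify(line)
        if cause is None:
            continue
        causes[cause] += 1
        if cause.startswith("forwarder"):
            m = UPSTREAM.search(line)
            if m:
                upstreams[m.group(1)] += 1
    return causes, upstreams

def likely_cause(causes):
    """Rough verdict from the tallies; 'inconclusive' when neither dominates."""
    dnssec = causes["dnssec"]
    forwarder = causes["forwarder_timeout"] + causes["forwarder_bad_response"]
    if dnssec > forwarder:
        return "dnssec validation"
    return "forwarder" if forwarder > dnssec else "inconclusive"
```

Run `triage(open("/var/named/data/named.run").read())` against the real log once the resolver and dnssec categories are logged; a verdict of "dnssec validation" supports Natxo's hunch, "forwarder" points at the upstream and the forward policy instead.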


[Freeipa-users] Re: handling certificate expirations

2024-02-16 Thread Grant Janssen via FreeIPA-users
this was definitely the hot tip.
executing a server upgrade fixed everything for me.

thanx rob


[Freeipa-users] Error during enrolling

2024-02-16 Thread Dmitry Krasov via FreeIPA-users
CentOS 9 ipa-client install error:
Failed to obtain host TGT: Major (458752): No credentials were supplied, or the 
credentials were unavailable or inaccessible, Minor (2529639122): 
Pre-authentication failed: No key table entry found for 
host/ipaclient.dom@dom.loc
--

This program will set up IPA client.

Version 4.11.0

Client hostname: ipaclient.dom.loc
Realm: DOM.LOC
DNS Domain: dom.loc
IPA Server: ipa.dom.loc
BaseDN: dc=dom,dc=loc

Synchronizing time
Configuration of chrony was changed by installer.
Attempting to sync time with chronyc.
Time synchronization was successful.
Successfully retrieved CA cert
Subject: CN=Certificate Authority,O=DOM.LOC
Issuer:  CN=Certificate Authority,O=DOM.LOC
Valid From:  2022-12-12 10:19:12+00:00
Valid Until: 2042-12-12 10:19:12+00:00

Enrolled in IPA realm DOM.LOC
Please make sure the following ports are opened in the firewall settings:
 TCP: 80, 88, 389
 UDP: 88 (at least one of TCP/UDP ports 88 has to be open)
Also note that following ports are necessary for ipa-client working properly
after enrollment:
 TCP: 464
 UDP: 464, 123 (if NTP enabled)

Failed to obtain host TGT: Major (458752): No credentials were supplied, or the
credentials were unavailable or inaccessible, Minor (2529639122):
Pre-authentication failed: No key table entry found for
host/ipaclient.dom@dom.loc

Installation failed. Rolling back changes.
Disabling client Kerberos and LDAP configurations
Restoring client configuration files
nscd daemon is not installed, skip configuration
nslcd daemon is not installed, skip configuration
Client uninstall complete.
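The principal in the quoted keytab error, host/ipaclient.dom@dom.loc, does not match the hostname and realm the installer printed a few lines earlier. As an added check (not from the post or from FreeIPA), the script below parses the quoted installer output and reports such mismatches; that an enrolled client's keytab entry takes the form host/<fqdn>@<REALM> is an assumption of this example.

```python
import re

# The fields and error line quoted in the post, embedded as constructed input.
INSTALLER_OUTPUT = """\
Client hostname: ipaclient.dom.loc
Realm: DOM.LOC
DNS Domain: dom.loc
IPA Server: ipa.dom.loc
Failed to obtain host TGT: Major (458752): No credentials were supplied, or the credentials were unavailable or inaccessible, Minor (2529639122): Pre-authentication failed: No key table entry found for host/ipaclient.dom@dom.loc
"""

FIELD = re.compile(r"^(Client hostname|Realm):\s*(\S+)\s*$", re.M)
PRINCIPAL = re.compile(r"No key table entry found for host/([^\s@]+)@(\S+)")

def parse_output(text):
    """Pull the hostname, the realm and the principal named in the keytab error."""
    info = dict(FIELD.findall(text))
    m = PRINCIPAL.search(text)
    if m:
        info["principal_host"], info["principal_realm"] = m.group(1), m.group(2)
    return info

def check_principal(info):
    """Compare the failing principal with host/<fqdn>@<REALM> (assumed form).
    Returns (expected, actual, list of mismatches)."""
    expected = f"host/{info['Client hostname']}@{info['Realm']}"
    actual = f"host/{info['principal_host']}@{info['principal_realm']}"
    problems = []
    if info["principal_host"] != info["Client hostname"]:
        problems.append("hostname in principal differs from client hostname")
    if info["principal_realm"] != info["Realm"]:
        # Kerberos realm names are case-sensitive, so dom.loc is not DOM.LOC.
        problems.append("realm in principal differs from enrolment realm")
    return expected, actual, problems
```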