Re: [Freeipa-users] sssd client cache timer and merging IPA domains

2012-08-20 Thread Lucas Yamanishi
On 08/20/2012 08:44 AM, Rob Crittenden wrote:
> Lucas Yamanishi wrote:
>>
>> On 08/17/2012 08:38 AM, Rob Crittenden wrote:
>>> Lucas Yamanishi wrote:

>>>> On 08/16/2012 05:39 PM, Rob Crittenden wrote:
>>>>> Lucas Yamanishi wrote:
>>>>>>
>>>>>> On 08/16/2012 05:32 PM, Rob Crittenden wrote:
>>>>>>> Lucas Yamanishi wrote:
>>>>>>>> I just migrated my IPA instance from one to another a couple days
>>>>>>>> ago to recover after a lost CA and failed yum upgrade.  The "ipa
>>>>>>>> migrate-ds" tool works very well, though I am having a few very
>>>>>>>> minor issues.  On the upside, as far as I can tell, you can skip
>>>>>>>> the steps about Kerberos key generation as outlined in the
>>>>>>>> documentation.  I've been able to kinit just fine with my migrated
>>>>>>>> users.
>>>>>>>>
>>>>>>>> Below are the few errors I've noticed.
>>>>>>>>
>>>>>>>> * When I ssh into an enrolled host using a migrated user's
>>>>>>>> credentials I get this error:
>>>>>>>>
>>>>>>>>   id: cannot find name for group ID 10463\
>>>>>>>
>>>>>>> Does a group exist with that GID? You can try something like:
>>>>>>>
>>>>>>> $ ipa group-find --gid=10463
>>>>>>>
>>>>>>
>>>>>> The group doesn't exist.  The GID is the counterpart to my UID.
>>>>>
>>>>> Try adding --private.
>>>>>
>>>>> rob
>>>>>
>>>>
>>>> Nope. It doesn't exist.
>>>>
>>>> Other groups migrated.  Why would the private groups fail?
>>>
>>> I don't know, what have you done to date, including versions?
>>>
>>> rob
>> I've been following the stable Scientific Linux releases since 6.1.
>> Based on repo archives, I guess that would be 2.0.0-23.el6.x86_64.  The
>> version was at 2.2.0-16.el6.x86_64 when I migrated, which I had just
>> upgraded from 2.1.3-9.el6.x86_64.  I migrated to and use now
>> 2.2.0-16.el6.x86_64.
>>
>> So...
>> 2.0.0-23.el6.x86_64 -> 2.1.3-9.el6.x86_64 -> 2.2.0-16.el6.x86_64 >
>> 2.2.0-16.el6.x86_64
>>
>>
> 
> Can you verify that managed entries are configured:
> 
> # ipa-managed-entries -l
> 
> It should return:
> 
> UPG Definition
> NGP Definition
> 
> This enables user-private groups and netgroup-private groups.
> 
> rob
Yes.  That returned as expected.

-- 
-
*question everything*learn something*answer nothing*

Lucas Yamanishi
--
Systems Administrator, ADNET Systems, Inc.
7515 Mission Drive, Suite A100
Lanham, MD 20706 * 301-352-4646 * 0xE23F3D7A

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
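The "id: cannot find name for group ID" message in this thread appears when a user's gidNumber resolves to no group, which on IPA hosts usually means the user-private group (UPG) was not created for that account. The following is an added example, not code from the thread or from FreeIPA: it parses records in the format `getent passwd` and `getent group` print and reports every account whose primary GID has no group entry, flagging the ones where uid == gid (the UPG convention), since those are the migrated accounts to re-check with `ipa group-find --private`. The sample records, logins and the 10470/10500/10001 ids are constructed for the example; 10463 is the GID from the thread.

```python
"""Report accounts whose primary GID matches no group entry.

Added example (not from the thread or FreeIPA). Input is passwd- and
group-format text as printed by `getent passwd` / `getent group`.
"""


def parse_passwd(lines):
    """Map login -> (uid, gid) from passwd-format lines; skip malformed ones."""
    users = {}
    for line in lines:
        fields = line.strip().split(":")
        if len(fields) < 4:
            continue
        name, _pw, uid, gid = fields[:4]
        try:
            users[name] = (int(uid), int(gid))
        except ValueError:
            continue  # non-numeric uid/gid: not a usable record
    return users


def parse_groups(lines):
    """Map gid -> group name from group-format lines (name:pw:gid:members)."""
    groups = {}
    for line in lines:
        fields = line.strip().split(":")
        if len(fields) < 3:
            continue
        try:
            groups[int(fields[2])] = fields[0]
        except ValueError:
            continue
    return groups


def missing_primary_groups(passwd_lines, group_lines):
    """Return {login: {"gid": n, "looks_like_upg": bool}} for every user
    whose primary GID has no group entry. looks_like_upg is True when the
    GID equals the UID, i.e. the missing group is the user-private group
    that migrate-ds / the managed entries plugin should have created."""
    users = parse_passwd(passwd_lines)
    groups = parse_groups(group_lines)
    orphans = {}
    for name, (uid, gid) in users.items():
        if gid not in groups:
            orphans[name] = {"gid": gid, "looks_like_upg": uid == gid}
    return orphans


# Constructed sample data: muser1's private group 10463 is missing,
# alice's exists, svc-backup's primary group is a shared group that exists.
SAMPLE_PASSWD = [
    "muser1:*:10463:10463:Migrated User:/home/muser1:/bin/bash",
    "alice:*:10470:10470:Alice Example:/home/alice:/bin/bash",
    "svc-backup:*:10500:10001:Backup Service:/var/lib/backup:/sbin/nologin",
]
SAMPLE_GROUP = [
    "alice:*:10470:",
    "ipausers:*:10001:muser1,alice",
]

if __name__ == "__main__":
    for login, info in sorted(missing_primary_groups(SAMPLE_PASSWD, SAMPLE_GROUP).items()):
        kind = "private group (uid == gid)" if info["looks_like_upg"] else "shared group"
        print("%s: primary GID %d has no group entry [%s]" % (login, info["gid"], kind))
```

On a real host the two lists come from `getent passwd` and `getent group` (or `ipa user-find --all` / `ipa group-find --private` on the server); the parser is the same. A hit with looks_like_upg set is what the `id` error in this thread looks like before the group is created.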


Re: [Freeipa-users] Specifying load balancing to SSSD clients

2012-08-20 Thread Innes, Duncan
OK - thanks.
 
But is there any way IPA can be tweaked to do this without an "external"
product (albeit a Red Hat one)?  Is it possible for the sssd clients to
round-robin their requests between 2 or more servers?  Is this an sssd
question or generic enough to be in this list?  Would this
functionality be of use to freeIPA in general? (my view = yes)
 
Cheers
 
Duncan Innes | Linux Architect





From: Mark St. Laurent [mailto:mstla...@redhat.com] 
Sent: 20 August 2012 15:15
To: Innes, Duncan
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Specifying load balancing to SSSD
clients



http://www.redhat.com/products/enterprise-linux-add-ons/load-balancing/


Norman "Mark" St. Laurent
Federal Team: Senior Solutions Architect
Red Hat
8260 Greensboro Drive, Suite 300
McLean VA, 22102
Email:  m...@redhat.com
Cell:  703.772.1434

Check this Link out!!!  Cool Stuff:  http://mil-oss.org/




From: "Duncan Innes" 
To: freeipa-users@redhat.com
Sent: Monday, August 20, 2012 9:48:30 AM
Subject: [Freeipa-users] Specifying load balancing to SSSD
clients

Folks,

Hopefully this isn't a dumb question, but I'm constrained by a few
things on my estate and would be looking to deploy something like the
following:

2 Datacentres
2 IPA servers at each datacentre

ipa1.domain.com \_ datacentre A
ipa2.domain.com /

ipa3.domain.com \_ datacentre B
ipa4.domain.com /

The datacentres are linked, but bandwidth not great.

Clients in datacentre A should therefore use ipa1.domain.com and
ipa2.domain.com as primary servers and only fail over to ipa3 & ipa4
when both 1 & 2 are out of action.  Clients would revert to using
ipa1/ipa2 whenever either of them came back online.

I understand this configuration has already been done as part of
https://fedorahosted.org/freeipa/ticket/2282

What I'm wondering is if I can force my clients to load balance
communication between ipa1 & ipa2.

I don't have the ability to use the _srv_ records in DNS as that's set
up for the AD servers on our network.  I also can't create separate DNS
servers for the Linux estate (not that I'd particularly want to).

Is there any current configuration that I can use to force load
balancing between ipa1/ipa2 under ideal conditions?  Falling back to
ipa2 when ipa1 is out of action.  Falling back to (load balanced
perhaps?) ipa3/ipa4 when ipa1 & ipa2 are both out of action.

Hope the description is reasonable.

Thanks

Duncan Innes | Linux Architect




Northern Rock plc is part of the Virgin Money group of companies.

This e-mail is intended to be confidential to the recipient. If you receive a 
copy in error, please inform the sender and then delete this message. 

Virgin Money Personal Financial Service Limited is authorised and regulated by 
the Financial Services Authority. Company no. 3072766. 

Virgin Money Unit Trust Managers Limited is authorised and regulated by the 
Financial Services Authority. Company no. 3000482. 

Virgin Money Cards Limited. Introducer appointed representative only of Virgin 
Money Personal Financial Service Limited. Company no. 4232392.

Virgin Money Management Services Limited. Company no. 3072772.

Virgin Money Holdings (UK) Limited. Company no. 3087587.

Each of the above companies is registered in England and Wales and has its 
registered office at Discovery House, Whiting Road, Norwich NR4 6EJ. 

Northern Rock plc. Authorised and regulated by the Financial Services 
Authority. Registered in England and Wales (Company no. 6952311) with its 
registered office at Northern Rock House, Gosforth, Newcastle upon Tyne NE3 
4PL. 

The above companies use the trading name Virgin Money.


Re: [Freeipa-users] Specifying load balancing to SSSD clients

2012-08-20 Thread Jakub Hrozek
On Mon, Aug 20, 2012 at 02:48:30PM +0100, Innes, Duncan wrote:
> Folks,
> 
> Hopefully this isn't a dumb question, but I'm constrained by a few
> things on my estate and would be looking to deploy something like the
> following:
> 
> 2 Datacentres
> 2 IPA servers at each datacentre
> 
> ipa1.domain.com \_ datacentre A
> ipa2.domain.com /
> 
> ipa3.domain.com \_ datacentre B
> ipa4.domain.com /
> 
> The datacentres are linked, but bandwidth not great.
> 
> Clients in datacentre A should therefore use ipa1.domain.com and
> ipa2.domain.com as primary servers and only fail over to ipa3 & ipa4
> when both 1 & 2 are out of action.  Clients would revert to using
> ipa1/ipa2 whenever either of them came back online.
> 
> I understand this configuration has already been done as part of
> https://fedorahosted.org/freeipa/ticket/2282

Yes, this has been done on the SSSD side as
https://fedorahosted.org/sssd/ticket/1128

The new feature is going to be part of SSSD 1.9.0. In particular, you
would configure the IPA domain like this:

ipa_server = ipa1.domain.com, ipa2.domain.com
ipa_backup_server = ipa3.domain.com, ipa4.domain.com

> 
> What I'm wondering is if I can force my clients to load balance
> communication between ipa1 & ipa2.
> 

No, load balancing is currently not supported.

What *might* work, although I haven't tested the scenario, is creating a new
DNS A record that would resolve to IP addresses of both ipa1 and ipa2. The
clients would then connect to the first IP address they received. But as
I said, I haven't tested this at all.

Feel free to file an RFE, but quite frankly, I think this is precisely what
SRV records have been designed for. The load balancing would be performed
based on the value of the "weight" field in the SRV record.

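Jakub's two points, primary/backup server lists and SRV-record weights, are both instances of the ordering DNS SRV records define (RFC 2782): lower `priority` values are tried first, and among targets of equal priority the `weight` field sets how often each one is picked. The block below is an added example, not code from the thread or from SSSD; it models Duncan's layout with constructed SRV records (ipa1/ipa2 at priority 0, ipa3/ipa4 at priority 10), walks the target list in RFC 2782 order, and counts how connection attempts spread across the servers when all are reachable and when the primaries are down. `SrvRecord`, `RECORDS` and the `reachable` set standing in for the client's connectivity checks are assumptions of the example.

```python
"""SRV-record target ordering and weighted selection (RFC 2782).

Added example, not from the thread, SSSD or FreeIPA. Shows how
priority gives primary/backup behaviour and weight gives load
balancing across the targets of one priority.
"""
import random
from collections import namedtuple

# A single SRV record; the zone name and targets are constructed.
SrvRecord = namedtuple("SrvRecord", "priority weight target")

# Constructed records for a hypothetical _ldap._tcp.domain.com zone:
# ipa1/ipa2 preferred (priority 0), ipa3/ipa4 backup (priority 10).
RECORDS = [
    SrvRecord(0, 50, "ipa1.domain.com"),
    SrvRecord(0, 50, "ipa2.domain.com"),
    SrvRecord(10, 50, "ipa3.domain.com"),
    SrvRecord(10, 50, "ipa4.domain.com"),
]


def order_targets(records, rng=random):
    """Return target names in the order a client should try them.

    Lower priority values come first. Within one priority, targets are
    drawn one at a time with probability proportional to weight, so
    weight-0 targets are only reached once every weighted one has been
    drawn (the RFC 2782 selection rule)."""
    ordered = []
    for prio in sorted({r.priority for r in records}):
        pool = [r for r in records if r.priority == prio]
        while pool:
            total = sum(r.weight for r in pool)
            if total == 0:
                pick = pool[0]
            else:
                point = rng.randint(0, total - 1)
                running = 0
                for r in pool:
                    running += r.weight
                    if point < running:
                        pick = r
                        break
            ordered.append(pick.target)
            pool.remove(pick)
    return ordered


def choose_server(records, reachable, rng=random):
    """First target in SRV order that is in `reachable`, else None.
    `reachable` stands in for the client's connection attempts."""
    for target in order_targets(records, rng):
        if target in reachable:
            return target
    return None


def balance_stats(records, reachable, trials=10000, seed=1):
    """Count how often each server is chosen over `trials` attempts."""
    rng = random.Random(seed)
    counts = {}
    for _ in range(trials):
        target = choose_server(records, reachable, rng)
        counts[target] = counts.get(target, 0) + 1
    return counts


if __name__ == "__main__":
    everything = {r.target for r in RECORDS}
    print("all up:        ", balance_stats(RECORDS, everything))
    print("ipa1 down:     ", balance_stats(RECORDS, everything - {"ipa1.domain.com"}))
    print("ipa1+ipa2 down:", balance_stats(RECORDS, {"ipa3.domain.com", "ipa4.domain.com"}))
```

With equal weights the two priority-0 servers each take about half the attempts; setting their weights to, say, 70/30 shifts the split, which is the knob Jakub is pointing at. The `ipa_server` / `ipa_backup_server` split in SSSD 1.9 gives the priority half of this (primary list, then backup list) without DNS, but not the weighted half.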


Re: [Freeipa-users] Specifying load balancing to SSSD clients

2012-08-20 Thread Mark St. Laurent
http://www.redhat.com/products/enterprise-linux-add-ons/load-balancing/ 


Norman "Mark" St. Laurent 
Federal Team: Senior Solutions Architect 
Red Hat 
8260 Greensboro Drive, Suite 300 
McLean VA, 22102 
Email: m...@redhat.com 
Cell: 703.772.1434 

Check this Link out!!! Cool Stuff: http://mil-oss.org/ 

- Original Message -

From: "Duncan Innes"  
To: freeipa-users@redhat.com 
Sent: Monday, August 20, 2012 9:48:30 AM 
Subject: [Freeipa-users] Specifying load balancing to SSSD clients 

Folks, 

Hopefully this isn't a dumb question, but I'm constrained by a few 
things on my estate and would be looking to deploy something like the 
following: 

2 Datacentres 
2 IPA servers at each datacentre 

ipa1.domain.com \_ datacentre A 
ipa2.domain.com / 

ipa3.domain.com \_ datacentre B 
ipa4.domain.com / 

The datacentres are linked, but bandwidth not great. 

Clients in datacentre A should therefore use ipa1.domain.com and 
ipa2.domain.com as primary servers and only fail over to ipa3 & ipa4 
when both 1 & 2 are out of action. Clients would revert to using 
ipa1/ipa2 whenever either of them came back online. 

I understand this configuration has already been done as part of 
https://fedorahosted.org/freeipa/ticket/2282 

What I'm wondering is if I can force my clients to load balance 
communication between ipa1 & ipa2. 

I don't have the ability to use the _srv_ records in DNS as that's set 
up for the AD servers on our network. I also can't create separate DNS 
servers for the Linux estate (not that I'd particularly want to). 

Is there any current configuration that I can use to force load 
balancing between ipa1/ipa2 under ideal conditions. Falling back to 
ipa2 when ipa1 is out of action. Falling back to (load balanced 
perhaps?) ipa3/ipa4 when ipa1 & ipa2 are both out of action. 

Hope the description is reasonable. 

Thanks 

Duncan Innes | Linux Architect 



[Freeipa-users] Specifying load balancing to SSSD clients

2012-08-20 Thread Innes, Duncan
Folks,

Hopefully this isn't a dumb question, but I'm constrained by a few
things on my estate and would be looking to deploy something like the
following:

2 Datacentres
2 IPA servers at each datacentre

ipa1.domain.com \_ datacentre A
ipa2.domain.com /

ipa3.domain.com \_ datacentre B
ipa4.domain.com /

The datacentres are linked, but bandwidth not great.

Clients in datacentre A should therefore use ipa1.domain.com and
ipa2.domain.com as primary servers and only fail over to ipa3 & ipa4
when both 1 & 2 are out of action.  Clients would revert to using
ipa1/ipa2 whenever either of them came back online.

I understand this configuration has already been done as part of
https://fedorahosted.org/freeipa/ticket/2282

What I'm wondering is if I can force my clients to load balance
communication between ipa1 & ipa2.

I don't have the ability to use the _srv_ records in DNS as that's set
up for the AD servers on our network.  I also can't create separate DNS
servers for the Linux estate (not that I'd particularly want to).

Is there any current configuration that I can use to force load
balancing between ipa1/ipa2 under ideal conditions?  Falling back to
ipa2 when ipa1 is out of action.  Falling back to (load balanced
perhaps?) ipa3/ipa4 when ipa1 & ipa2 are both out of action.

Hope the description is reasonable.

Thanks

Duncan Innes | Linux Architect




Re: [Freeipa-users] Question about migration and scripts variables

2012-08-20 Thread Rob Crittenden

James James wrote:
> Hi,
>
> my first question is about the migrate process. Is it possible to
> renumber the users during the migrate process (ipa migrate-ds) in a way
> that all imported users will have a new UID ?

I haven't tested this but you might try
--user-ignore-attribute=uidnumber,gidnumber.

> my second question is about ipalib. I wanted to make a hook on the user
> creation. The hook works fine. I just want to know if there is a way to
> have the value of variables like the username, the name of the creator,
> the e-mail of the creator and stuff like that.

The current user is available via: principal = getattr(context, 'principal')

Using this you can look up that user:

(binddn, bindattrs) = find_entry_by_attr("krbprincipalname", principal, "krbPrincipalAux")


rob



Re: [Freeipa-users] sssd client cache timer and merging IPA domains

2012-08-20 Thread Rob Crittenden

Lucas Yamanishi wrote:
>
> On 08/17/2012 08:38 AM, Rob Crittenden wrote:
>> Lucas Yamanishi wrote:
>>>
>>> On 08/16/2012 05:39 PM, Rob Crittenden wrote:
>>>> Lucas Yamanishi wrote:
>>>>>
>>>>> On 08/16/2012 05:32 PM, Rob Crittenden wrote:
>>>>>> Lucas Yamanishi wrote:
>>>>>>> I just migrated my IPA instance from one to another a couple days
>>>>>>> ago to recover after a lost CA and failed yum upgrade.  The "ipa
>>>>>>> migrate-ds" tool works very well, though I am having a few very
>>>>>>> minor issues.  On the upside, as far as I can tell, you can skip
>>>>>>> the steps about Kerberos key generation as outlined in the
>>>>>>> documentation.  I've been able to kinit just fine with my migrated
>>>>>>> users.
>>>>>>>
>>>>>>> Below are the few errors I've noticed.
>>>>>>>
>>>>>>> * When I ssh into an enrolled host using a migrated user's
>>>>>>> credentials I get this error:
>>>>>>>
>>>>>>>   id: cannot find name for group ID 10463\
>>>>>>
>>>>>> Does a group exist with that GID? You can try something like:
>>>>>>
>>>>>> $ ipa group-find --gid=10463
>>>>>>
>>>>>
>>>>> The group doesn't exist.  The GID is the counterpart to my UID.
>>>>
>>>> Try adding --private.
>>>>
>>>> rob
>>>>
>>>
>>> Nope. It doesn't exist.
>>>
>>> Other groups migrated.  Why would the private groups fail?
>>
>> I don't know, what have you done to date, including versions?
>>
>> rob
>
> I've been following the stable Scientific Linux releases since 6.1.
> Based on repo archives, I guess that would be 2.0.0-23.el6.x86_64.  The
> version was at 2.2.0-16.el6.x86_64 when I migrated, which I had just
> upgraded from 2.1.3-9.el6.x86_64.  I migrated to and use now
> 2.2.0-16.el6.x86_64.
>
> So...
> 2.0.0-23.el6.x86_64 -> 2.1.3-9.el6.x86_64 -> 2.2.0-16.el6.x86_64 >
> 2.2.0-16.el6.x86_64
>

Can you verify that managed entries are configured:

# ipa-managed-entries -l

It should return:

UPG Definition
NGP Definition

This enables user-private groups and netgroup-private groups.

rob
