Re: [Freeipa-users] Permission for root running cron task as a different user

2014-08-21 Thread Rob Crittenden
William Muriithi wrote:
> Evening,
> 
> Came across a problem where a cron job I had set up last night seemed not
> to run. On further investigation, I noticed FreeIPA must be pushing a
> policy that blocks cron tasks that adopt a different user than the one
> they are set under.
> 
> I am certain it's FreeIPA related, as I have a system that's not enrolled
> and the task runs fine there.
> 
> Now, this is for curiosity's sake, as I solved the problem using groups, but
> how would one allow root to schedule a job that runs as non-root?
> 
> * 4 * * * williamm /usr/local/bin/some-script.sh
> 
> Aug 21 14:06:02 muriithi crond[6621]: (williamm) FAILED to authorize user with PAM (Permission denied)
> Aug 21 14:07:01 wmuriithi crond[6625]: (williamm) FAILED to authorize user with PAM (Permission denied)
> Aug 21 14:08:01 wmuriithi crond[6628]: (williamm) FAILED to authorize user with PAM (Permission denied)

You probably need to grant access via HBAC rules.

rob

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
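
Rob's pointer is that crond, like sshd or login, asks PAM (and through sssd, FreeIPA's HBAC) whether the target user may use the PAM service named crond on that host, so a rule set that only covers interactive services leaves every system-crontab job for that user denied. The following Python model of HBAC evaluation is an added example, not FreeIPA's code: rules match on user (or group), host (or hostgroup) and service, there is no deny rule type, and a request is allowed when at least one enabled rule matches all three. The group names, host name and the dev_login and dev_cron rules are constructed; allow_all is the name of FreeIPA's default rule.

```python
"""Simplified model of FreeIPA HBAC evaluation (added example, not FreeIPA code).

A crond PAM request is the triple (user, host, "crond"). It is allowed only
when some enabled rule covers the user, the host and that service at once.
"""
from dataclasses import dataclass, field


@dataclass
class HbacRule:
    name: str
    enabled: bool = True
    # *_all mirror FreeIPA's usercategory/hostcategory/servicecategory = all
    user_all: bool = False
    host_all: bool = False
    service_all: bool = False
    users: set = field(default_factory=set)
    groups: set = field(default_factory=set)
    hosts: set = field(default_factory=set)
    hostgroups: set = field(default_factory=set)
    services: set = field(default_factory=set)


@dataclass
class Directory:
    """Constructed memberships standing in for the IPA LDAP tree."""
    user_groups: dict   # user -> set of group names
    host_groups: dict   # host -> set of hostgroup names


def rule_matches(rule, user, host, service, d):
    if not rule.enabled:
        return False
    user_ok = rule.user_all or user in rule.users or bool(
        rule.groups & d.user_groups.get(user, set()))
    host_ok = rule.host_all or host in rule.hosts or bool(
        rule.hostgroups & d.host_groups.get(host, set()))
    svc_ok = rule.service_all or service in rule.services
    return user_ok and host_ok and svc_ok


def hbac_allows(rules, user, host, service, d):
    """Names of the enabled rules granting the request; empty list = denied.
    HBAC has no deny rules, so a request nothing matches is simply refused."""
    return [r.name for r in rules if rule_matches(r, user, host, service, d)]


def demo():
    """Reproduce William's situation, then apply the fix Rob suggests."""
    d = Directory(
        user_groups={"williamm": {"developers"}},
        host_groups={"wmuriithi.example.test": {"workstations"}},
    )
    host = "wmuriithi.example.test"
    rules = [
        # The default allow_all rule disabled, as on a locked-down deployment
        HbacRule("allow_all", enabled=False,
                 user_all=True, host_all=True, service_all=True),
        # Interactive access for developers on workstations: sshd and login only
        HbacRule("dev_login", groups={"developers"},
                 hostgroups={"workstations"}, services={"sshd", "login"}),
    ]
    result = {
        "sshd_before": hbac_allows(rules, "williamm", host, "sshd", d),
        "crond_before": hbac_allows(rules, "williamm", host, "crond", d),
    }
    # The fix: a rule that grants the crond service to the same people/hosts
    rules.append(HbacRule("dev_cron", groups={"developers"},
                          hostgroups={"workstations"}, services={"crond"}))
    result["crond_after"] = hbac_allows(rules, "williamm", host, "crond", d)
    return result


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {'allowed by ' + ','.join(v) if v else 'denied'}")
```

On a real deployment the same question is answered by the ipa CLI's hbactest command (`ipa hbactest --user williamm --host <hostname> --service crond`), and the missing rule is created with `ipa hbacrule-add` followed by `hbacrule-add-user`, `hbacrule-add-host` and `hbacrule-add-service --hbacsvcs=crond`; the log lines William quotes ("FAILED to authorize user with PAM") are exactly what crond prints when that lookup returns a denial.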


[Freeipa-users] Permission for root running cron task as a different user

2014-08-21 Thread William Muriithi
Evening,

Came across a problem where a cron job I had set up last night seemed not to
run. On further investigation, I noticed FreeIPA must be pushing a policy
that blocks cron tasks that adopt a different user than the one they are set
under.

I am certain it's FreeIPA related, as I have a system that's not enrolled and
the task runs fine there.

Now, this is for curiosity's sake, as I solved the problem using groups, but how
would one allow root to schedule a job that runs as non-root?

* 4 * * * williamm /usr/local/bin/some-script.sh

Aug 21 14:06:02 muriithi crond[6621]: (williamm) FAILED to authorize user with PAM (Permission denied)
Aug 21 14:07:01 wmuriithi crond[6625]: (williamm) FAILED to authorize user with PAM (Permission denied)
Aug 21 14:08:01 wmuriithi crond[6628]: (williamm) FAILED to authorize user with PAM (Permission denied)

Regards,

William

Re: [Freeipa-users] ntp and srv records

2014-08-21 Thread Lucas Yamanishi
On 08/21/2014 12:17 AM, Les Stott wrote:
>
> Hi All,
>
> Am about to start rolling out client installs on rhel6 hosts with dns
> autodiscovery.
>
> Environment: rhel6, ipa-3.0.0-37.el6.
>
> I already have set up SRV records for Kerberos and ldap etc.
>
> Are the following ntp records as SRV records necessary also?
>
> ;ntp server
> _ntp._udp   IN SRV 0 100 123 ntp1.mydomain.com.
> _ntp._udp   IN SRV 0 100 123 ntp2.mydomain.com.
>
> I’ve seen some guides that don’t reference them, others that do. I
> don’t see any adverse effects on the two freeipa servers (master +
> replica) that are currently running without the ntp srv records.
>
> Thanks in advance,
>
> Regards,
>
> Les
>

*ipa-client-install* and *ipa-server-install* use them to sync time
before they proceed to crypto operations, but they're not strictly
required, especially if time is already in sync.  If the records are not
available they attempt to sync directly with the IPA server; failing
that, they will throw a warning and continue.  Microsoft has also been
adding support for them to a lot of their AD-connected mobile software,
but I think they too use it as a convenience, not a requirement.

--  
-
*question everything*learn something*answer nothing*

Lucas Yamanishi
--
Systems Administrator, ADNET Systems, Inc.
NASA Space and Earth Science Data Analysis (606.9)
7515 Mission Drive, Suite A100
Lanham, MD 20706 * 301-352-4646 * 0xD354B2CB


Re: [Freeipa-users] dirsrv access log redirect

2014-08-21 Thread Mike LoSapio
You can use this.

http://www.rsyslog.com/doc/imfile.html

On 8/21/14, 9:54 AM, "Rich Megginson" wrote:

>On 08/21/2014 06:59 AM, Rob Crittenden wrote:
>> barry...@gmail.com wrote:
>>> Hi:
>>>
>>> I'm not available to test the pipe setting as the servers are live now
>>> and need restart. Can I simply config rsyslog server using
>>> /var/log/dirsrv/slapf-abc.com/access
>>> to redirect to another rsyslog server?
>> Please keep responses on the list.
>>
>> I don't know, perhaps someone else does.
>
>I don't understand the question.  dirsrv does not use syslog.  You would
>have to use the Named Pipe thing and write your own script to send the
>contents of the access log to syslog/rsyslog.
>
>>
>> rob
>>
>>>
>>> 2014-08-20 21:15 GMT+08:00 Rob Crittenden <rcrit...@redhat.com>:
>>>
>>>  Dmitri Pal wrote:
>>>  > On 08/20/2014 06:23 AM, barry...@gmail.com wrote:
>>>  >> Dear all:
>>>  >>
>>>  >> I got 2 servers as cluster ... how can i redirect all logs server2's
>>>  >> /var/log/dirsrv/slapd-abc.com/access to
>>>  >> server 1's /var/log/dirsrv/slapd-abc.com/access
>>>  >>
>>>  >> so i can view once? what config should consider?  Or should i use
>>>  >> syslog to collect server2
>>>  >> and redirect all to server 1?
>>>  >>
>>>  >> thks
>>>  >>
>>>  > You should use log collection tools of your choice to collect and
>>>  > process the logs.
>>>  > You can send logs to syslog and then use rsyslog to collect it. After
>>>  > that you can use different tools to process it: logstash, splunk, etc.
>>>
>>>  Take a look at this page for instructions on redirecting logging
>>>  in 389-ds: http://www.port389.org/wiki/Named_Pipe_Log_Script
>>>
>>>  rob

Re: [Freeipa-users] dirsrv access log redirect

2014-08-21 Thread Rich Megginson

On 08/21/2014 06:59 AM, Rob Crittenden wrote:
> barry...@gmail.com wrote:
>> Hi:
>>
>> I'm not available to test the pipe setting as the servers are live now
>> and need restart. Can I simply config rsyslog server using
>> /var/log/dirsrv/slapf-abc.com/access
>> to redirect to another rsyslog server?
>
> Please keep responses on the list.
>
> I don't know, perhaps someone else does.

I don't understand the question.  dirsrv does not use syslog.  You would
have to use the Named Pipe thing and write your own script to send the
contents of the access log to syslog/rsyslog.

> rob
>
>> 2014-08-20 21:15 GMT+08:00 Rob Crittenden <rcrit...@redhat.com>:
>>
>>  Dmitri Pal wrote:
>>  > On 08/20/2014 06:23 AM, barry...@gmail.com wrote:
>>  >> Dear all:
>>  >>
>>  >> I got 2 servers as cluster ... how can i redirect all logs server2's
>>  >> /var/log/dirsrv/slapd-abc.com/access to
>>  >> server 1's /var/log/dirsrv/slapd-abc.com/access
>>  >>
>>  >> so i can view once? what config should consider?  Or should i use
>>  >> syslog to collect server2
>>  >> and redirect all to server 1?
>>  >>
>>  >> thks
>>  >>
>>  > You should use log collection tools of your choice to collect and
>>  > process the logs.
>>  > You can send logs to syslog and then use rsyslog to collect it. After
>>  > that you can use different tools to process it: logstash, splunk, etc.
>>
>>  Take a look at this page for instructions on redirecting logging in
>>  389-ds: http://www.port389.org/wiki/Named_Pipe_Log_Script
>>
>>  rob
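
Rich's point is that dirsrv never speaks syslog itself: something has to read the access log (from the named pipe described on the port389 wiki, or from the file via rsyslog's imfile as Mike suggests) and forward it. The script below is an added example of the parsing step such a forwarder needs; it is not the wiki's script and not 389-ds or FreeIPA code. It correlates each BIND with its RESULT on the same conn/op, attaches the client address recorded when the connection opened, and flags LDAP result code 49 (invalidCredentials), which is the event a central log server most wants from a directory. The sample lines follow the 389-ds access log layout but are constructed, as are the DN and addresses in them.

```python
"""Parse 389-ds access log lines into syslog-ready records (added example)."""
import re
import sys

# Fields present on almost every 389-ds access log line
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+)(?: op=(?P<op>-?\d+))? (?P<rest>.*)$")
BIND_RE = re.compile(r'^BIND dn="(?P<dn>[^"]*)" method=(?P<method>\S+)')
RESULT_RE = re.compile(
    r"^RESULT err=(?P<err>\d+) tag=(?P<tag>\d+) nentries=(?P<n>\d+) etime=(?P<etime>\S+)")
CONN_RE = re.compile(
    r"^fd=\d+ slot=\d+ (?:SSL )?connection from (?P<src>\S+) to (?P<dst>\S+)")

INVALID_CREDENTIALS = 49   # LDAP resultCode for a failed simple bind


def parse_access_log(lines):
    """Yield one dict per BIND whose RESULT has been seen, matched on conn/op.

    The client address is remembered per connection so a failed bind can be
    reported together with the host that attempted it.
    """
    sources = {}        # conn -> client address
    pending_binds = {}  # (conn, op) -> bind DN
    for line in lines:
        m = LINE_RE.match(line.rstrip("\n"))
        if not m:
            continue
        conn, op, rest = m["conn"], m["op"], m["rest"]
        c = CONN_RE.match(rest)
        if c:
            sources[conn] = c["src"]
            continue
        b = BIND_RE.match(rest)
        if b:
            pending_binds[(conn, op)] = b["dn"] or "anonymous"
            continue
        r = RESULT_RE.match(rest)
        if r and (conn, op) in pending_binds:
            err = int(r["err"])
            yield {
                "ts": m["ts"],
                "conn": int(conn),
                "src": sources.get(conn, "unknown"),
                "bind_dn": pending_binds.pop((conn, op)),
                "err": err,
                "failed": err == INVALID_CREDENTIALS,
            }


def to_syslog_message(rec):
    """Flatten a record into one key=value line for syslog/rsyslog."""
    sev = "warning" if rec["failed"] else "info"
    return (f'dirsrv-access sev={sev} src={rec["src"]} '
            f'bind_dn="{rec["bind_dn"]}" err={rec["err"]}')


# Constructed sample in the 389-ds access log layout: one failed bind,
# one successful bind, then a search on the same connection.
SAMPLE = """\
[21/Aug/2014:09:54:01 -0400] conn=12 fd=64 slot=64 connection from 192.0.2.10 to 192.0.2.5
[21/Aug/2014:09:54:01 -0400] conn=12 op=0 BIND dn="uid=williamm,cn=users,cn=accounts,dc=example,dc=test" method=128 version=3
[21/Aug/2014:09:54:01 -0400] conn=12 op=0 RESULT err=49 tag=97 nentries=0 etime=0
[21/Aug/2014:09:54:02 -0400] conn=12 op=1 BIND dn="uid=williamm,cn=users,cn=accounts,dc=example,dc=test" method=128 version=3
[21/Aug/2014:09:54:02 -0400] conn=12 op=1 RESULT err=0 tag=97 nentries=0 etime=0
[21/Aug/2014:09:54:02 -0400] conn=12 op=2 SRCH base="dc=example,dc=test" scope=2 filter="(uid=williamm)" attrs=ALL
[21/Aug/2014:09:54:02 -0400] conn=12 op=2 RESULT err=0 tag=101 nentries=1 etime=0
[21/Aug/2014:09:54:03 -0400] conn=12 op=3 UNBIND
""".splitlines()


def summarize(lines=SAMPLE):
    """Return (records, syslog lines) for a sequence of access log lines."""
    records = list(parse_access_log(lines))
    return records, [to_syslog_message(r) for r in records]


if __name__ == "__main__":
    # Read from a file or FIFO named on the command line, else use the sample
    src = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE
    for rec in parse_access_log(src):
        print(to_syslog_message(rec))
```

Pointed at the named pipe instead of the sample, the loop blocks on the FIFO and emits one line per completed bind; a real forwarder would hand those lines to the syslog module or write them to a file rsyslog's imfile watches, and would keep the raw SRCH/MOD lines too rather than dropping them as this parsing demonstration does.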


Re: [Freeipa-users] ipa-client-install via Kickstart in RHEL7

2014-08-21 Thread Rich Megginson

On 08/21/2014 05:55 AM, Martin Kosek wrote:
> On 08/20/2014 05:24 PM, Rich Megginson wrote:
>> On 08/20/2014 09:18 AM, Baird, Josh wrote:
>>> Hi,
>>>
>>> We are attempting to run ipa-client-install in the %post section of a
>>> Kickstart in order to join the host to an IPA domain (3.3/RHEL7 IdM).  We are
>>> using something like:
>>>
>>> /usr/sbin/ipa-client-install -w 'one-time-password' --realm=REALM.COM -U
>>> --no-ssh --no-sshd --no-ntp --domain=realm.com
>>>
>>> The machine does indeed join the domain correctly, but the certmonger request
>>> fails.  Looking at the logs, we can see this:
>>>
>>> 2014-08-19T15:02:45Z DEBUG Starting external process
>>> 2014-08-19T15:02:45Z DEBUG args=/bin/systemctl is-active certmonger.service
>>> 2014-08-19T15:02:45Z DEBUG Process finished, return code=0
>>> 2014-08-19T15:02:45Z DEBUG stdout=
>>> 2014-08-19T15:02:45Z DEBUG stderr=Running in chroot, ignoring request.
>>>
>>> The error is occurring because the certmonger service fails to start.  This
>>> is because systemd is not able to manipulate services in a chrooted
>>> environment (a la the anaconda installation environment).  Prior to systemd,
>>> this would work fine as services could start normally via init in a
>>> chroot/%post.
>>>
>>> Additionally, we see the error:
>>>
>>> Unable to find 'admin' user with 'getent passwd ad...@domain.com'
>>>
>>> Again, this is because systemd is unable to start sssd in the chrooted
>>> installation environment.  I'm wondering if anyone else has experienced these
>>> issues with systemd unable to start these required services during
>>> installation and what you did to work around them.  One option would be to
>>> move the ipa-client-install out of Kickstart and have Puppet join the host to
>>> the domain post-installation (after firstboot), but this isn't really ideal.
>>>
>>> Any advice or suggestions would be appreciated.
>>
>> Create a file that is run at boot, presumably after networking and certmonger
>> are started.
>
> What I saw as the common approach in OpenStack or other projects are scripts
> and configurations for Cloud-init [1].
>
> Are there people using it for this purpose or are there other (better)
> approaches?

Yes, you can do ipa-server-install/ipa-client-install from a cloud-init
user-data runcmd script.  However, there are selinux issues - some of
the transitions from the cloud-init contexts are not handled correctly.
What you can do is to first run with selinux in Permissive mode,
audit2allow -M cloudinit < /var/log/audit/audit.log, then in subsequent
runs do semodule -i cloudinit.pp with selinux Enforcing.

However, cloud-init and kickstart do not mix afaik.

> [1]
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux_OpenStack_Platform/4/html/End_User_Guide/user-data.html
>
> Martin
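
Rich's recipe feeds the whole audit log to audit2allow. A module built that way allows every denial recorded in the log during the Permissive run, not just the cloud-init transitions that actually blocked ipa-client-install, so it is worth selecting the relevant AVC records and reviewing them before generating the module. The script below is an added example of that selection step; it is not cloud-init's, audit2allow's or FreeIPA's code. It parses AVC records, keeps those whose source domain is the one you name, and collapses them to (source type, target type, object class, permissions), which is the granularity at which the generated allow rules are written. The audit lines are constructed, and the cloud_init_t domain and the target types in them are assumed names used for the demonstration.

```python
"""Select and summarize SELinux AVC denials for one source domain (added example)."""
import re
from collections import defaultdict

AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+denied\s+"
    r"\{ (?P<perms>[^}]+)\} for\s+pid=(?P<pid>\d+) comm=\"(?P<comm>[^\"]*)\".*?"
    r"scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)"
)


def selinux_type(context):
    """user:role:type:level -> type (third field of the context)."""
    return context.split(":")[2]


def filter_avcs(lines, source_type):
    """Parsed AVC denials whose source (subject) domain is source_type."""
    out = []
    for line in lines:
        m = AVC_RE.search(line)
        if m and selinux_type(m["scontext"]) == source_type:
            out.append({
                "serial": int(m["serial"]),
                "comm": m["comm"],
                "perms": set(m["perms"].split()),
                "stype": source_type,
                "ttype": selinux_type(m["tcontext"]),
                "tclass": m["tclass"],
            })
    return out


def summarize(avcs):
    """Collapse denials to (source, target, class) -> permissions, the
    shape of the allow rules audit2allow would emit for them."""
    summary = defaultdict(set)
    for a in avcs:
        summary[(a["stype"], a["ttype"], a["tclass"])] |= a["perms"]
    return dict(summary)


def write_filtered_log(avcs, lines, path):
    """Write only the selected AVC lines, so audit2allow can be run on a
    reviewed subset instead of the whole audit log."""
    keep = {a["serial"] for a in avcs}
    with open(path, "w") as fh:
        for line in lines:
            m = AVC_RE.search(line)
            if m and int(m["serial"]) in keep:
                fh.write(line.rstrip("\n") + "\n")


# Constructed audit.log excerpt: three cloud-init denials and one unrelated
# httpd denial that happened to occur during the same Permissive run.
SAMPLE = [
    'type=AVC msg=audit(1408633365.101:201): avc:  denied  { execute } for  pid=1401 '
    'comm="cloud-init" name="ipa-client-install" dev="dm-0" ino=2834 '
    'scontext=system_u:system_r:cloud_init_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file',
    'type=AVC msg=audit(1408633365.212:202): avc:  denied  { read open } for  pid=1402 '
    'comm="ipa-client-inst" path="/etc/krb5.conf" dev="dm-0" ino=4411 '
    'scontext=system_u:system_r:cloud_init_t:s0 tcontext=system_u:object_r:krb5_conf_t:s0 tclass=file',
    'type=AVC msg=audit(1408633366.005:203): avc:  denied  { write } for  pid=987 '
    'comm="httpd" name="index.html" dev="dm-0" ino=7781 '
    'scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file',
    'type=AVC msg=audit(1408633366.300:204): avc:  denied  { name_connect } for  pid=1402 '
    'comm="ipa-client-inst" scontext=system_u:system_r:cloud_init_t:s0 '
    'tcontext=system_u:object_r:ldap_port_t:s0 tclass=tcp_socket',
]


if __name__ == "__main__":
    selected = filter_avcs(SAMPLE, "cloud_init_t")
    for (stype, ttype, tclass), perms in sorted(summarize(selected).items()):
        print(f"allow {stype} {ttype}:{tclass} {{ {' '.join(sorted(perms))} }};")
    write_filtered_log(selected, SAMPLE, "cloudinit-avcs.log")
```

With the reviewed subset written out, `audit2allow -M cloudinit < cloudinit-avcs.log` and `semodule -i cloudinit.pp` proceed as Rich describes, but the resulting module grants only the cloud_init_t transitions you looked at; the httpd denial in the sample never reaches it.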


Re: [Freeipa-users] dirsrv access log redirect

2014-08-21 Thread Rob Crittenden
barry...@gmail.com wrote:
> Hi:
> 
> I'm not available to test the pipe setting as the servers are live now
> and need restart. Can I simply config rsyslog server using
> /var/log/dirsrv/slapf-abc.com/access
> to redirect to another rsyslog server?

Please keep responses on the list.

I don't know, perhaps someone else does.

rob

> 
> 2014-08-20 21:15 GMT+08:00 Rob Crittenden <rcrit...@redhat.com>:
> 
> Dmitri Pal wrote:
> > On 08/20/2014 06:23 AM, barry...@gmail.com wrote:
> >> Dear all:
> >>
> >> I got 2 servers as cluster ... how can i redirect all logs server2's
> >> /var/log/dirsrv/slapd-abc.com/access to
> >> server 1's /var/log/dirsrv/slapd-abc.com/access
> >>
> >> so i can view once? what config should consider?  Or should i use
> >> syslog to collect server2
> >> and redirect all to server 1?
> >>
> >> thks
> >>
> > You should use log collection tools of your choice to collect and
> > process the logs.
> > You can send logs to syslog and then use rsyslog to collect it. After
> > that you can use different tools to process it: logstash, splunk, etc.
> 
> Take a look at this page for instructions on redirecting logging in
> 389-ds: http://www.port389.org/wiki/Named_Pipe_Log_Script
> 
> rob


Re: [Freeipa-users] ipa 2 client connecting to ipa 3 server

2014-08-21 Thread Martin Kosek
On 08/20/2014 09:49 PM, Dmitri Pal wrote:
> On 08/20/2014 09:43 PM, Rob Crittenden wrote:
>> Walid wrote:
>>> Thanks Rob, we have native python2.4, and anaconda python 2.7,  so i
>>> guess if anything needs python 2.6 or greater it would not be an issue.
>>> I  am just wondering if there are people using the upstream project in
>>> such a legacy system ;-)
>> It's not just python, it's all the modules as well.
>>
>> In the end the issue isn't so much ipa-client as all the related
>> dependencies. The ipa-client package just helps configure things, sssd
>> does all the heavy lifting. If you wanted to backport anything I'd start
>> there, and it is likely extremely non-trivial.
>>
>> I know that people still use RHEL-5 and the current 2.2-based client.
>> It, and its related packages, generally works fine you just miss out on
>> some of the newer features, particularly in sssd (like sudo and autofs).
> You can try to build sssd on 5.3 but I suspect it will require so many
> dependencies that you system would look more like a 5.10.
> You can try but this will be an adventurous effort.
> For old systems like that we recommend using what they had then and not SSSD.
> Users will be able to authenticate and posix data will be the same as on the
> more modern systems which should be sufficient for the needs of those old
> systems anyways.

JFTR, note that you can also authenticate with users from potentially trusted
AD domains by using:

http://www.freeipa.org/page/V3/Serving_legacy_clients_for_trusts

Preso here: http://www.freeipa.org/images/0/0d/FreeIPA33-legacy-clients.pdf

Martin



Re: [Freeipa-users] ipa-client-install via Kickstart in RHEL7

2014-08-21 Thread Martin Kosek
On 08/20/2014 05:24 PM, Rich Megginson wrote:
> On 08/20/2014 09:18 AM, Baird, Josh wrote:
>> Hi,
>>
>> We are attempting to run ipa-client-install in the %post section of a
>> Kickstart in order to join the host to an IPA domain (3.3/RHEL7 IdM).  We are
>> using something like:
>>
>> /usr/sbin/ipa-client-install -w 'one-time-password' --realm=REALM.COM -U
>> --no-ssh --no-sshd --no-ntp --domain=realm.com
>>
>> The machine does indeed join the domain correctly, but the certmonger request
>> fails.  Looking at the logs, we can see this:
>>
>> 2014-08-19T15:02:45Z DEBUG Starting external process
>> 2014-08-19T15:02:45Z DEBUG args=/bin/systemctl is-active certmonger.service
>> 2014-08-19T15:02:45Z DEBUG Process finished, return code=0
>> 2014-08-19T15:02:45Z DEBUG stdout=
>> 2014-08-19T15:02:45Z DEBUG stderr=Running in chroot, ignoring request.
>>
>> The error is occurring because the certmonger service fails to start.  This
>> is because systemd is not able to manipulate services in a chrooted
>> environment (a la the anaconda installation environment).  Prior to systemd,
>> this would work fine as services could start normally via init in a
>> chroot/%post.
>>
>> Additionally, we see the error:
>>
>> Unable to find 'admin' user with 'getent passwd ad...@domain.com'
>>
>> Again, this is because systemd is unable to start sssd in the chrooted
>> installation environment.  I'm wondering if anyone else has experienced these
>> issues with systemd unable to start these required services during
>> installation and what you did to work around them.  One option would be to
>> move the ipa-client-install out of Kickstart and have Puppet join the host to
>> the domain post-installation (after firstboot), but this isn't really ideal.
>>
>> Any advice or suggestions would be appreciated.
> 
> Create a file that is run at boot, presumably after networking and certmonger
> are started.

What I saw as the common approach in OpenStack or other projects are scripts
and configurations for Cloud-init [1].

Are there people using it for this purpose or are there other (better) 
approaches?

[1]
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux_OpenStack_Platform/4/html/End_User_Guide/user-data.html

Martin



Re: [Freeipa-users] Ldapsearch with a trailing space

2014-08-21 Thread Ludwig Krispenz


On 08/21/2014 02:32 AM, Rich Megginson wrote:
> On 08/20/2014 05:28 PM, William wrote:
>>> How did you manage to add an attribute value with a trailing space?
>>
>> Excellent question: Someone else in my workplace managed to stuff this
>> one up, so that a user's objectClass has a trailing space, thus it is
>> returning base64 on search now.
>
> Ok.  As to how to fix it:
> ldapsearch -xLLL -D "cn=directory manager" -W -s base -b "the dn with
> the broken objectclass" 'objectclass=*' objectclass > junk.ldif
>
> then edit junk.ldif to look like this:
>
> dn: the dn with the broken objectclass
> changetype: modify
> replace: objectclass
> objectclass: 
> objectclass: 
>
> Basically, all of the objectclasses from ldapsearch, but fixing the
> one with the trailing space
>
> Then use ldapmodify
>
> ldapmodify -x -D "cn=directory manager" -W -f junk.ldif
>
> As to your original question - I'm not sure - I would have thought the
> correct way to do it would have been to use the ldap escape sequence
> for space in the ldap search filter.

I think the behaviour is correct: in caseIgnore matching, leading and
trailing spaces are insignificant, and any clever way to pass the space
will be normalized away.


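
Rich's fix (dump the entry's objectclass values, edit them into a replace change, apply it with ldapmodify) is the right shape precisely because of Ludwig's point: a search filter cannot single out the bad value, since caseIgnore matching normalizes the trailing space away, so the whole attribute has to be replaced by DN. The script below is an added example of automating the edit step; it is not 389-ds, FreeIPA or OpenLDAP code. LDIF base64-encodes any value that ends in a space (which is why William's search "returns base64"), so the script decodes `::` values, strips the whitespace, drops duplicates that only differed by whitespace or case, and writes the `changetype: modify` LDIF. The entry DN and objectClass values in the sample are constructed.

```python
"""Build the ldapmodify LDIF that replaces an attribute's values with their
whitespace-stripped forms (added example, not directory-server code)."""
import base64
import sys


def parse_ldif_entry(text):
    """Parse one LDIF entry into (dn, [(attr, value), ...]).

    Handles 'attr:: base64' values and folded continuation lines (leading
    space, RFC 2849). Comment and version lines are skipped.
    """
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # continuation of the previous line
        elif raw and not raw.startswith(("#", "version:")):
            lines.append(raw)
    dn, attrs = None, []
    for line in lines:
        name, _, value = line.partition(":")
        if value.startswith(":"):         # attr:: <base64>
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.lstrip(" ")     # one optional space after ':'
        if name.lower() == "dn":
            dn = value
        else:
            attrs.append((name, value))
    return dn, attrs


def ldif_value(attr, value):
    """Encode a value per RFC 2849: base64 when it is not a SAFE-STRING."""
    unsafe = (value != value.strip(" ")
              or value.startswith((":", "<"))
              or any(ord(c) < 32 or ord(c) > 126 for c in value))
    if unsafe:
        return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode()}"
    return f"{attr}: {value}"


def build_replace_ldif(search_output, attr="objectclass"):
    """Return (modify_ldif, values_that_were_changed) for one attribute."""
    dn, attrs = parse_ldif_entry(search_output)
    values = [v for a, v in attrs if a.lower() == attr.lower()]
    fixed, changed, seen = [], [], set()
    for v in values:
        s = v.strip()
        if s != v:
            changed.append(v)
        if s.lower() not in seen:         # objectClass values are case-insensitive
            seen.add(s.lower())
            fixed.append(s)
    out = [f"dn: {dn}", "changetype: modify", f"replace: {attr}"]
    out += [ldif_value(attr, v) for v in fixed]
    out.append("-")
    return "\n".join(out) + "\n", changed


# Constructed ldapsearch -LLL output: the last value is "posixAccount " with a
# trailing space, which LDIF therefore emits base64-encoded.
SEARCH_OUTPUT = """\
dn: uid=williamm,cn=users,cn=accounts,dc=example,dc=test
objectClass: top
objectClass: person
objectClass: inetOrgPerson
objectClass:: cG9zaXhBY2NvdW50IA==
"""


if __name__ == "__main__":
    # Usage: ldapsearch ... objectclass > junk.ldif; python3 fix.py junk.ldif | ldapmodify ...
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SEARCH_OUTPUT
    ldif, changed = build_replace_ldif(text)
    sys.stdout.write(ldif)
    sys.stderr.write(f"fixed {len(changed)} value(s): {changed!r}\n")
```

Run against the file Rich's ldapsearch produces, the output can be piped straight into `ldapmodify -x -D "cn=directory manager" -W`; review the `changed` list on stderr first, since a replace overwrites every value of the attribute, not just the broken one.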


Re: [Freeipa-users] ntp and srv records

2014-08-21 Thread Les Stott
We have ntp set up on two servers and configured normally via /etc/ntp* etc.

All clients and servers reference the same ntp servers, and all would be on the 
same time. This doesn't require ntp SRV records.

So I personally don't think ntp srv records are necessary and can't see an 
issue. But wanted to check to be sure.

Les

-Original Message-
From: freeipa-users-boun...@redhat.com 
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Petr Spacek
Sent: Thursday, 21 August 2014 4:52 PM
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] ntp and srv records

On 21.8.2014 06:17, Les Stott wrote:
> Hi All,
>
> Am about to start rolling out client installs on rhel6 hosts with dns 
> autodiscovery.
>
> Environment: rhel6, ipa-3.0.0-37.el6.
>
> I already have setup SRV records for Kerberos and ldap etc.
>
> Are the following ntp records as SRV records necessary also?

Technically not, but they are highly recommended (assuming that your IPA servers 
are running an NTP server).

> ;ntp server
> _ntp._udp   IN SRV 0 100 123 ntp1.mydomain.com.
> _ntp._udp   IN SRV 0 100 123 ntp2.mydomain.com.
>
> I've seen some guides that don't reference them, others that do. I don't see 
> any adverse effects on the two freeipa servers (master + replica) that are 
> currently running without the ntp srv records.

The adverse effect will probably manifest on the client side. Things (Kerberos :-) 
will break if the time on the client is too far away from the time on the server.

--
Petr^2 Spacek
