Re: [Freeipa-users] Minimum Disk Size
I would suggest 1 x 3GHz CPU, 2GB of RAM and around 80GB of disk space. To give you an idea of a small IPA server, to see what is used (though note the recommendation is for root and /usr to now be one partition, and /boot should probably be a bit bigger, say 400MB):

===
-bash-4.1$ df -h
Filesystem                              Size  Used Avail Use% Mounted on
/dev/mapper/VolGroupboot-LogVolroot     8.7G  945M  7.3G  12% /
/dev/sda1                               194M   95M   90M  52% /boot
/dev/mapper/VolGroupdata1-LogVoldata01   16G   44M   15G   1% /data01
/dev/mapper/VolGroupboot-LogVolhome      22G  118M   21G   1% /home
/dev/mapper/VolGroupboot-LogVolopt      2.0G  3.0M  1.9G   1% /opt
/dev/mapper/VolGroupboot-LogVoltmp      7.6G  131M  7.1G   2% /tmp
/dev/mapper/VolGroupboot-LogVolusr      9.6G  2.9G  6.2G  32% /usr
/dev/mapper/VolGroupboot-LogVolvar      9.6G  1.3G  7.8G  14% /var
/dev/mapper/VolGroupdata2-LogVolvarlib   17G  1.7G   15G  11% /var/lib
/dev/mapper/VolGroupboot-LogVolvarlog   9.6G  2.4G  6.7G  27% /var/log
/dev/mapper/VolGroupboot-LogVolaudit    7.6G   18M  7.2G   1% /var/log/audit
==

regards
Steven

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
Re: [Freeipa-users] Minimum Disk Size
On 4.2.2015 02:03, Dan Mossor wrote:
What would be the minimum recommended disk size for a virtual FreeIPA server on a network consisting of less than 30 users and 100 hosts?

This is effectively a few megabytes of data in the database. We are often testing FreeIPA on a machine with 10 GB of storage and it works fine as long as logs are rotated properly (and you do not fill the disk with something else :-).

-- 
Petr^2 Spacek
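Both replies above make the same operational point: the directory data is small, and what actually fills a FreeIPA host is unrotated logs. The following is an added example (not code from either poster or from the FreeIPA project) that parses `df -h` output, flags any filesystem at or above a usage threshold, and reports which of the IPA-relevant paths (/var/lib for the 389-ds database, /var/log and /var/log/audit for logs) have no filesystem of their own and therefore compete with the root filesystem. The first sample is constructed from the listing in Steven's post; the second is a constructed single-partition layout like the 10 GB test machines Petr mentions. The watch list and the 80% default threshold are this example's assumptions.

```python
import re

# Paths whose growth is the usual FreeIPA disk problem (assumption of this
# example, following the thread: database data is small, logs are not).
IPA_WATCH_MOUNTS = ("/var/lib", "/var/log", "/var/log/audit", "/")

# Constructed from the df listing in Steven's post (subset of rows).
SAMPLE_DF = """\
Filesystem                               Size  Used Avail Use% Mounted on
/dev/mapper/VolGroupboot-LogVolroot      8.7G  945M  7.3G  12% /
/dev/sda1                                194M   95M   90M  52% /boot
/dev/mapper/VolGroupdata2-LogVolvarlib    17G  1.7G   15G  11% /var/lib
/dev/mapper/VolGroupboot-LogVolvarlog    9.6G  2.4G  6.7G  27% /var/log
/dev/mapper/VolGroupboot-LogVolaudit     7.6G   18M  7.2G   1% /var/log/audit
"""

# Constructed: one ~10 GB root filesystem that is nearly full.
SAMPLE_DF_SMALL = """\
Filesystem      Size  Used Avail Use% Mounted on
/dev/vda1       9.8G  8.1G  1.2G  88% /
"""

# One data row of `df -h`; the header fails on the "Use%" column and is skipped.
_DF_LINE = re.compile(
    r"^(?P<fs>\S+)\s+(?P<size>\S+)\s+(?P<used>\S+)\s+(?P<avail>\S+)"
    r"\s+(?P<pct>\d+)%\s+(?P<mount>/\S*)$"
)


def parse_df(text):
    """Return one dict per filesystem row in `df -h` output."""
    rows = []
    for line in text.splitlines():
        m = _DF_LINE.match(line.strip())
        if m is None:
            continue  # header or a wrapped line that is not a row
        row = m.groupdict()
        row["pct"] = int(row["pct"])
        rows.append(row)
    return rows


def over_threshold(rows, threshold_pct):
    """(mount, use%) pairs at or above the threshold, fullest first."""
    hot = [r for r in rows if r["pct"] >= threshold_pct]
    return [(r["mount"], r["pct"]) for r in sorted(hot, key=lambda r: -r["pct"])]


def ipa_disk_report(text, threshold_pct=80):
    """Summarise hot filesystems and watched paths that share a parent filesystem."""
    rows = parse_df(text)
    mounted = {r["mount"] for r in rows}
    return {
        "hot": over_threshold(rows, threshold_pct),
        # A watched path without its own filesystem shares the parent's space,
        # so a runaway log directory competes with the database for blocks.
        "shared_with_parent": [m for m in IPA_WATCH_MOUNTS if m not in mounted],
    }


if __name__ == "__main__":
    print(ipa_disk_report(SAMPLE_DF, threshold_pct=50))
    print(ipa_disk_report(SAMPLE_DF_SMALL))
```

Run against real output with `ipa_disk_report(subprocess.check_output(["df", "-h"], text=True))`; anything in `hot` is a log-rotation or capacity problem to look at before the directory server starts failing writes.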
Re: [Freeipa-users] basic question on DNS configuration
From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Roberto Cornacchia
Sent: Tuesday, February 03, 2015 5:20 AM
To: freeipa-users@redhat.com
Subject: [Freeipa-users] basic question on DNS configuration

Hi guys,

I can't wait to get freeIPA installed in our small enterprise, but I'd first like to get a couple of basic things straight.

My first doubt is about the DNS configuration. Currently, we use a setting that I guess is rather common for small enterprises: We own an example.com domain which is managed by the DNS of an external provider. A couple of subdomains point to public IP addresses outside our local network (e.g. www.example.com is hosted at our internet provider, server1.example.com points at a server hosted in a datacenter, etc). All the remaining subdomains (*.example.com) point at one IP which corresponds to our local router. Then we use some simple forwarding rules to forward on to machines that are behind the router (service1.example.com, desktop1.example.com, desktop2.example.com, etc). Internally, because the enterprise is rather small, we are not using a DNS, but simply /etc/hosts files on each machine. When they can't resolve whatever.example.com, then the request goes to the external DNS. (sorry about the long-ish background information, probably this configuration is commonly named somehow, but I don't know how)

Now, a first simple question for you guys would be: When installing freeIPA, with DNS, is the network configuration above still advisable? Can there be any problem? Or should I rather use a different domain for the internal network (I would really NOT like this option, but I'm very interested to know why I should, if that is the case).

A second basic question is: Would you see any potential problem in installing freeIPA on a FC21 Server which currently hosts Atlassian Jira + Atlassian Stash (therefore git repositories) + the required mysql databases? My guess would be that they would not interfere, as:
- httpd (and related ports) is currently unused
- Both Jira and Stash use their own tomcat installation on custom ports
- mysql shouldn't be a problem?
- The machine isn't overloaded at all (4-5 developers use those services)

Am I overlooking something? Obviously I'd rather have a dedicated freeIPA server, but if the above mentioned coexistence isn't a problem, then this would be more cost-effective.

Thank you very much for your help, I'm looking forward to this upgrade.
Roberto

I would recommend that you create a ‘local’ domain for your internal LAN though you certainly can use your domain name for both the internal LAN and the external world. Obviously you would have to create ‘manual’ entries in DNS for the external servers (like www.example.com) so your internal LAN systems can resolve it. If you have a ‘local’ domain for your internal LAN, there aren’t name collisions, no need to manually maintain DNS entries for off-LAN servers and no confusion of essentially faking your LAN systems into believing that the IPA server is authoritative for the example.com domain when the rest of the world thinks otherwise. The choice is yours.

As for using F21 – you get the latest version of FreeIPA which is something I wish I had here. Git / Stash / Jira represent a fairly hefty memory footprint even if there isn’t that much CPU load. If you have the RAM and cpu cores to handle tossing FreeIPA onto the stack, go for it. You probably will want a replica too as the replica keeps your LAN running if the primary server is unavailable for whatever reason and it minimizes backup needs substantially.

Craig
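Craig's argument against reusing the public domain internally is a maintenance one: every public name must be copied into the IPA-served zone by hand, and copies drift. The following is an added example, not from the thread or from FreeIPA, that audits a constructed public zone against a constructed internal zone and sorts the names into the three cases he describes: public names the LAN could no longer resolve once IPA is authoritative (the manual entries), copied names whose addresses have drifted (collisions), and internal-only names that the external wildcard would send to the office router, as in Roberto's port-forwarding setup. All addresses are documentation-range values chosen for the example; the hostnames follow Roberto's description.

```python
# Records the external provider answers for (constructed; RFC 5737 addresses).
PUBLIC_ZONE = {
    "www.example.com": "203.0.113.10",
    "server1.example.com": "203.0.113.20",
    # everything else at the provider is a wildcard to the office router
    "*.example.com": "198.51.100.1",
}

# Records the IPA-managed DNS would answer for inside the LAN (constructed).
INTERNAL_ZONE = {
    "ipa.example.com": "192.168.1.10",
    "service1.example.com": "192.168.1.20",
    "desktop1.example.com": "192.168.1.101",
    "www.example.com": "192.168.1.5",  # a stale manual copy of a public name
}


def public_answer(name, public):
    """Resolve `name` the way the external provider would, honouring a one-label wildcard."""
    if name in public:
        return public[name]
    parent = name.split(".", 1)[1] if "." in name else ""
    return public.get("*." + parent)


def audit_split_domain(public, internal):
    """Classify every name by what reusing the public domain internally implies."""
    explicit_public = {n: a for n, a in public.items() if not n.startswith("*.")}
    report = {"missing_internally": [], "collisions": [], "internal_only": []}

    for name in sorted(explicit_public):
        if name not in internal:
            # LAN clients would get NXDOMAIN from the authoritative IPA zone:
            # this is the manual entry Craig says you must maintain.
            report["missing_internally"].append(name)
        elif internal[name] != explicit_public[name]:
            # A manual copy exists but no longer matches the public record.
            report["collisions"].append((name, internal[name], explicit_public[name]))

    for name in sorted(internal):
        if name not in explicit_public:
            # Outside the LAN these hit the wildcard, i.e. the router.
            report["internal_only"].append((name, public_answer(name, public)))
    return report


if __name__ == "__main__":
    for key, value in audit_split_domain(PUBLIC_ZONE, INTERNAL_ZONE).items():
        print(key, value)
```

With a separate internal domain the first two lists are empty by construction, which is the whole of Craig's point; with a shared domain, this audit is the check you would have to re-run every time the provider-side zone changes.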
[Freeipa-users] autofs - nfsnobody
Hello there again!

I'm bothering you again because I am having some problems with autofs/NFS and IPA. All files created by a regular user (enrolled client) get the nfsnobody user and group. The folder gets auto-mounted. Thanks in advance!

Here is what I did to configure it at the server (server.estudio) and client (pc01.estudio):

SERVER
======
ipa service-add nfs/server.estudio
ipa-getkeytab -s server.estudio -p nfs/server.estudio -k /etc/krb5.keytab
ipa-client-automount
mkdir /export
chmod 777 /export
echo "/export *(rw,sync,sec=sys:krb5:krb5i:krb5p)" > /etc/exports
reboot

**

CLIENT
======
ipa-getkeytab -s server.estudio -p host/server.estudio@ESTUDIO -k /etc/krb5.keytab
ipa-client-automount
reboot
echo aaa > /export/aaa

[user@pc01 /]$ ls -la /export
total 12
drwxrwxrwx.  2 root      root      4096 feb  3 13:36 .
dr-xr-xr-x. 21 root      root      4096 feb  3 13:36 ..
-rw-rw-r--.  1 nfsnobody nfsnobody    4 feb  3 13:36 aaa
Re: [Freeipa-users] JSON error enrolling host (Fedora 21 / IPA 4.1.2)
Well, that explains why I had a lot of mDNS traffic flowing... Finally I just removed the .local from the domain and everything works as intended. Now I am fighting with autofs and kerberized NFS... Is there any up-to-date guide that you can point me to?

Thanks!

2015-02-02 16:33 GMT-03:00 Alexander Bokovoy aboko...@redhat.com:
On Mon, 02 Feb 2015, Gerardo Cuppari wrote:
Well, I just reinstalled everything without the .local in the domain and everything worked at first. Sorry for the troubles... Odd is that with ipa 3 on Centos 7 everything worked with domain estudio.local

Do you have avahi activated and 'hosts: files mdns4_minimal [notfound=RETURN] ...' in your /etc/nsswitch.conf? Avahi overtakes the .local domain because RFC 6762 reserves .local for the multicast DNS name resolution protocol.

http://en.wikipedia.org/wiki/.local#Multicast_DNS_standard
Any DNS query for a name ending with .local MUST be sent to the mDNS IPv4 link-local multicast address 224.0.0.251 (or its IPv6 equivalent FF02::FB)…

Fedora chose to follow this policy and force use of the mDNS resolver through the [notfound=RETURN] option (i.e., get .local names resolved via /etc/hosts and mDNS only).

-- 
/ Alexander Bokovoy
[Freeipa-users] basic question on DNS configuration
Hi guys,

I can't wait to get freeIPA installed in our small enterprise, but I'd first like to get a couple of basic things straight.

My first doubt is about the DNS configuration. Currently, we use a setting that I guess is rather common for small enterprises: We own an example.com domain which is managed by the DNS of an external provider. A couple of subdomains point to public IP addresses outside our local network (e.g. www.example.com is hosted at our internet provider, server1.example.com points at a server hosted in a datacenter, etc). All the remaining subdomains (*.example.com) point at one IP which corresponds to our local router. Then we use some simple forwarding rules to forward on to machines that are behind the router (service1.example.com, desktop1.example.com, desktop2.example.com, etc). Internally, because the enterprise is rather small, we are not using a DNS, but simply /etc/hosts files on each machine. When they can't resolve whatever.example.com, then the request goes to the external DNS. (sorry about the long-ish background information, probably this configuration is commonly named somehow, but I don't know how)

Now, a first simple question for you guys would be: When installing freeIPA, with DNS, is the network configuration above still advisable? Can there be any problem? Or should I rather use a different domain for the internal network (I would really NOT like this option, but I'm very interested to know why I should, if that is the case).

A second basic question is: Would you see any potential problem in installing freeIPA on a FC21 Server which currently hosts Atlassian Jira + Atlassian Stash (therefore git repositories) + the required mysql databases? My guess would be that they would not interfere, as:
- httpd (and related ports) is currently unused
- Both Jira and Stash use their own tomcat installation on custom ports
- mysql shouldn't be a problem?
- The machine isn't overloaded at all (4-5 developers use those services)

Am I overlooking something? Obviously I'd rather have a dedicated freeIPA server, but if the above mentioned coexistence isn't a problem, then this would be more cost-effective.

Thank you very much for your help, I'm looking forward to this upgrade.
Roberto
Re: [Freeipa-users] JSON error enrolling host (Fedora 21 / IPA 4.1.2)
Hi Martin, thanks for your replies!

Please, don't tell me I am getting all these errors because of the .local domain! If so, I will surely kill someone haha

I checked /etc/named.conf and changed to no dnssec-validation and here is what you requested:

[root@pc01 ~]# dig server.estudio.local

; <<>> DiG 9.9.6-P1-RedHat-9.9.6-6.P1.fc21 <<>> server.estudio.local
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31554
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;server.estudio.local.          IN      A

;; ANSWER SECTION:
server.estudio.local.   1200    IN      A       192.168.56.2

;; AUTHORITY SECTION:
estudio.local.          86400   IN      NS      server.estudio.local.

;; Query time: 0 msec
;; SERVER: 192.168.56.2#53(192.168.56.2)
;; WHEN: lun feb 02 12:29:17 ART 2015
;; MSG SIZE  rcvd: 79

**

[root@pc01 ~]# dig -t ptr 2.56.168.192.in-addr.arpa

; <<>> DiG 9.9.6-P1-RedHat-9.9.6-6.P1.fc21 <<>> -t ptr 2.56.168.192.in-addr.arpa
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36167
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;2.56.168.192.in-addr.arpa.     IN      PTR

;; ANSWER SECTION:
2.56.168.192.in-addr.arpa. 86400 IN     PTR     server.estudio.local.

;; AUTHORITY SECTION:
56.168.192.in-addr.arpa. 86400  IN      NS      server.estudio.local.

;; ADDITIONAL SECTION:
server.estudio.local.   1200    IN      A       192.168.56.2

;; Query time: 0 msec
;; SERVER: 192.168.56.2#53(192.168.56.2)
;; WHEN: lun feb 02 12:34:27 ART 2015
;; MSG SIZE  rcvd: 118

2015-02-02 12:17 GMT-03:00 Martin Basti mba...@redhat.com:
On 02/02/15 16:07, Martin Basti wrote:
On 02/02/15 14:13, Gerardo Cuppari wrote:
Hello!

I am trying to enroll one host to my IPA server (4.1.2) and I am having one problem: the ipa-client-install script keeps giving me errors at the forwarding ping to json server step.

My configuration is:
- server.estudio.local 192.168.56.2 Fedora Server 21 ipa 4.1.2
- pc01.estudio.local 192.168.56.106 Fedora Works. 21

Both have firewalld down (just to test) and can reach each other. I've been trying to get this working without success (solved other minor issues) and so I'm asking for your help. The only way I can make it work is by adding the --force switch to the ipa-client-install script but, that way, it just disregards errors.

Thanks in advance!!!

Here are my tests:

SERVER
======
[root@server ~]# ipa ping
---
IPA server version 4.1.2. API version 2.109
---

CLIENT
======
[root@pc01 ~]# dig server

; <<>> DiG 9.9.6-P1-RedHat-9.9.6-6.P1.fc21 <<>> server
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 29286
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;server.                        IN      A

;; Query time: 10 msec
;; SERVER: 192.168.56.2#53(192.168.56.2)
;; WHEN: lun feb 02 09:51:07 ART 2015
;; MSG SIZE  rcvd: 35

***

[root@pc01 ~]# nslookup server
Server:         192.168.56.2
Address:        192.168.56.2#53

Name:   server.estudio.local
Address: 192.168.56.2

***

Here I disable chronyd so I can run the script without NTP sync errors:

[root@pc01 ~]# systemctl disable chronyd
Removed symlink /etc/systemd/system/multi-user.target.wants/chronyd.service.
[root@pc01 ~]# service chronyd stop
Redirecting to /bin/systemctl stop chronyd.service

***

Without having server.estudio.local in the /etc/hosts file:

[root@pc01 ~]# ipa-client-install --enable-dns-updates --mkhomedir --ssh-trust-dns
Skip server.estudio.local: cannot verify if this is an IPA server
Provide your IPA server name (ex: ipa.example.com):
Skip server.estudio.local: cannot verify if this is an IPA server
Failed to verify that server.estudio.local is an IPA Server.
This may mean that the remote server is not up or is not reachable due to network or firewall settings.
Please make sure the following ports are opened in the firewall settings:
     TCP: 80, 88, 389
     UDP: 88 (at least one of TCP/UDP ports 88 has to be open)
Also note that following ports are necessary for ipa-client working properly after enrollment:
     TCP: 464
     UDP: 464, 123 (if NTP enabled)
Installation failed. Rolling back changes.
IPA client is not configured on this system.

***

Here I added hostname and IP address to /etc/hosts file (don't know why it doesn't
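The ipa-client-install failure text quoted above lists the ports an enrolling client needs and qualifies two of them: port 88 only has to be open on one of TCP or UDP, and 464/123 matter only after enrollment. The following is an added example, not from the thread or from the FreeIPA client, of a pre-enrollment check that probes the TCP ports with a plain connect and classifies failures with those qualifications applied. UDP ports cannot be verified by a connect and are reported as unchecked rather than guessed. The probe function is injectable (an assumption of this example) so the classification logic can be exercised without a network.

```python
import socket

# Ports as listed in the install message above; the grouping is this example's.
ENROLL_TCP = (80, 88, 389)      # needed during enrollment
POST_ENROLL_TCP = (464,)        # needed once the client is enrolled
UDP_UNCHECKED = (88, 464, 123)  # cannot be verified with a TCP connect


def tcp_probe(host, port, timeout=3.0):
    """Default probe: True if a TCP connection to host:port succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_ipa_ports(host, probe=tcp_probe):
    """Probe each TCP port once and return {port: reachable}."""
    return {port: bool(probe(host, port)) for port in ENROLL_TCP + POST_ENROLL_TCP}


def classify(results):
    """Split failures the way the install message qualifies them."""
    # 80 and 389 have no alternative transport: a failure here blocks enrollment.
    blocking = [p for p in ENROLL_TCP if p != 88 and not results[p]]
    # 88: the message accepts TCP or UDP, and UDP was not probed, so a TCP
    # failure is inconclusive rather than blocking.
    uncertain = [88] if not results[88] else []
    post_enrollment = [p for p in POST_ENROLL_TCP if not results[p]]
    return {
        "blocking": blocking,
        "uncertain": uncertain,
        "post_enrollment": post_enrollment,
        "udp_unchecked": list(UDP_UNCHECKED),
    }


def preflight(host, probe=tcp_probe):
    """Run the probes against `host` and return the classified result."""
    return classify(check_ipa_ports(host, probe))


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "ipa.example.com"  # placeholder
    print(preflight(target))
```

An empty `blocking` list with a non-empty `uncertain` list means the next thing to check is UDP 88 (for example with a Kerberos `kinit` against the server), not the firewall rule for TCP 88.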
Re: [Freeipa-users] sssd compatibility with older RHEL 6 minor releases.
Also, when upgrading, please make sure to upgrade to the 6.6.z version of SSSD - there were a couple of important fixes. AFAIK, the version should be sssd-1.11.6-30.el6_6.3

Martin

On 02/02/2015 10:35 PM, Genadi Postrilko wrote:
Thank you for your reply. I think I'll go with the first option, it's about time to upgrade :).
Genadi.

2015-02-01 2:09 GMT+02:00 Dmitri Pal d...@redhat.com:
On 01/31/2015 01:37 PM, Genadi Postrilko wrote:
Hello all.

The environment I'm currently working to migrate under IPA identity management contains mostly RHEL 6.2 servers. I'm planning to use Active Directory Cross Forest Trust for Identities, IPA as sudo provider, and all the other goodies that IPA provides. If I want to enjoy all the new features (at least most of them), I know that clients have to be sssd version 1.9. And if I want IPA to be auto configured as sudo provider it has to be sssd 1.11. When reading the mailing list I noticed that sssd 1.11 is mentioned as a feature of rhel 6.6. What I would like to understand is what could go wrong if I install sssd 1.11 on rhel 6.2 servers. And what is your general recommendation for older RHEL 6 (minor) releases?

It will pull a lot of dependencies and most of your system will look like a 6.6 system. Also an upgrade like this might reveal some issues as the upgrades are expected to be gradual. 1-2 versions is ok but 4 is quite a big leap. Overall it is a bit risky to do it.

You have three options:
- upgrade properly but probably in two steps 6.2 -> 6.4 -> 6.6
- use SSSD from 6.2 as is for now. It will have limited functionality but can leverage AD users from the trust. You would need to configure SSSD to use LDAP for authentication and point to the compat tree of IPA to take advantage of the trust. See details here: http://www.freeipa.org/images/0/0d/FreeIPA33-legacy-clients.pdf
- take your chances and try the hybrid you propose but it is not a formally supported configuration.

Thanks in advance,
Genadi.

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
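The thread turns on three version thresholds: sssd 1.9 for the trust-related features, 1.11 for automatic sudo provider configuration, and the specific 6.6.z build sssd-1.11.6-30.el6_6.3 Martin names. Comparing those against an installed package is not a string comparison ("1.9" sorts after "1.11" lexically), so the following added example, not from the thread or from the sssd or rpm projects, reimplements rpm's segment-wise version ordering in simplified form (the tilde and caret rules of real rpmvercmp are omitted; the digit/alpha segment rules that RHEL release strings like el6_6.3 rely on are included) and uses it to answer both questions. The older package strings in the test are constructed for illustration and are not real RHEL 6.2 package versions.

```python
import re

# A version string is compared as a sequence of all-digit or all-alpha
# segments; everything else (".", "-", "_") only separates segments.
_SEGMENT = re.compile(r"(\d+|[A-Za-z]+)")


def _segments(s):
    return _SEGMENT.findall(s)


def rpmvercmp(a, b):
    """Return -1, 0 or 1 like rpm's rpmvercmp, without ~ and ^ handling."""
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            xi, yi = int(x), int(y)          # numeric segments compare as integers
            if xi != yi:
                return -1 if xi < yi else 1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # rpm: numeric is newer than alpha
        elif x != y:
            return -1 if x < y else 1        # alpha segments compare lexically
    if len(sa) == len(sb):
        return 0
    return 1 if len(sa) > len(sb) else -1    # leftover segments make it newer


def parse_nvr(nvr):
    """Split 'sssd-1.11.6-30.el6_6.3' into (name, version, release)."""
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release


def nvr_cmp(a, b):
    """Order two full name-version-release strings of the same package."""
    na, va, ra = parse_nvr(a)
    nb, vb, rb = parse_nvr(b)
    if na != nb:
        raise ValueError("different packages: %s vs %s" % (na, nb))
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


def meets_minimum(installed_nvr, min_version):
    """True if the installed package's version is at least min_version."""
    _, version, _ = parse_nvr(installed_nvr)
    return rpmvercmp(version, min_version) >= 0


def sssd_capabilities(installed_nvr):
    """Map the thread's version thresholds onto an installed sssd package."""
    return {
        "ipa_trust_features": meets_minimum(installed_nvr, "1.9"),
        "auto_sudo_provider": meets_minimum(installed_nvr, "1.11"),
        # the 6.6.z build Martin recommends, compared on version then release
        "has_66z_fixes": nvr_cmp(installed_nvr, "sssd-1.11.6-30.el6_6.3") >= 0,
    }


if __name__ == "__main__":
    print(sssd_capabilities("sssd-1.11.6-30.el6_6.3"))
```

On a real host feed it the output of `rpm -q sssd`; a package that reports `auto_sudo_provider` false but `ipa_trust_features` true is exactly the "limited functionality" case in Dmitri's second option.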
Re: [Freeipa-users] JSON error enrolling host (Fedora 21 / IPA 4.1.2)
On 02/03/2015 07:48 AM, Gerardo Cuppari wrote:
Well, that explains why I had a lot of mDNS traffic flowing... Finally I just removed the .local from the domain and everything works as intended. Now I am fighting with autofs and kerberized NFS...

http://wiki.linux-nfs.org/wiki/index.php/NFS_and_FreeIPA

Is there any up-to-date guide that you can point me to?

Thanks!

2015-02-02 16:33 GMT-03:00 Alexander Bokovoy aboko...@redhat.com:
On Mon, 02 Feb 2015, Gerardo Cuppari wrote:
Well, I just reinstalled everything without the .local in the domain and everything worked at first. Sorry for the troubles... Odd is that with ipa 3 on Centos 7 everything worked with domain estudio.local

Do you have avahi activated and 'hosts: files mdns4_minimal [notfound=RETURN] ...' in your /etc/nsswitch.conf? Avahi overtakes the .local domain because RFC 6762 reserves .local for the multicast DNS name resolution protocol.

http://en.wikipedia.org/wiki/.local#Multicast_DNS_standard
Any DNS query for a name ending with .local MUST be sent to the mDNS IPv4 link-local multicast address 224.0.0.251 (or its IPv6 equivalent FF02::FB)...

Fedora chose to follow this policy and force use of the mDNS resolver through the [notfound=RETURN] option (i.e., get .local names resolved via /etc/hosts and mDNS only).

-- 
/ Alexander Bokovoy

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
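Alexander's diagnosis in this thread (and in Gerardo's earlier exchange above) is that a `hosts:` line with `mdns4_minimal [NOTFOUND=return]` ahead of `dns` stops a `.local` lookup at the mDNS stage, so the IPA DNS server is never asked, whatever `dig` against it shows. The following is an added example, not from the thread or from FreeIPA, of a preflight check that parses the `hosts:` line of a nsswitch.conf and reports whether the planned IPA domain would be diverted in that way. The sample nsswitch contents are constructed, modelled on the line quoted in the thread; the function and result keys are this example's.

```python
# Constructed sample, modelled on the Fedora line quoted in the thread.
SAMPLE_NSSWITCH_FEDORA = """\
passwd:     files sss
group:      files sss
hosts:      files mdns4_minimal [NOTFOUND=return] dns myhostname
"""

# Constructed sample of a resolver that always falls through to DNS.
SAMPLE_NSSWITCH_PLAIN = """\
hosts:      files dns
"""


def hosts_sources(nsswitch_text):
    """Return the tokens of the hosts: line, e.g. ['files', 'mdns4_minimal', '[NOTFOUND=return]', 'dns']."""
    for line in nsswitch_text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments
        if line.startswith("hosts:"):
            return line[len("hosts:"):].split()
    return []


def mdns_intercepts_local(tokens):
    """True if an mdns* source followed by [NOTFOUND=return] precedes dns.

    With that action, a .local name that mDNS cannot answer ends the lookup
    instead of continuing to the next source, so dns is never consulted.
    """
    for i, tok in enumerate(tokens):
        if tok == "dns":
            return False                        # dns comes first: no interception
        if tok.startswith("mdns"):
            nxt = tokens[i + 1] if i + 1 < len(tokens) else ""
            if nxt.lower() == "[notfound=return]":
                return True
    return False


def local_domain_conflict(ipa_domain, nsswitch_text):
    """Report whether `ipa_domain` ends in .local and this resolver would divert it to mDNS."""
    is_local = ipa_domain.lower().rstrip(".").endswith(".local")
    intercepted = mdns_intercepts_local(hosts_sources(nsswitch_text))
    return {
        "domain_is_dot_local": is_local,
        "mdns_intercepts": intercepted,
        "conflict": is_local and intercepted,
    }


if __name__ == "__main__":
    with open("/etc/nsswitch.conf") as f:
        print(local_domain_conflict("estudio.local", f.read()))
```

A `conflict` of True is the situation Gerardo hit: the fix he applied, a domain that does not end in `.local`, clears `domain_is_dot_local`, and the check passes without touching nsswitch.conf.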
Re: [Freeipa-users] CA Replication Installation Failing
Has anyone got any ideas on this? I am stuck with not being able to deploy a CA Replica and this is halting rollout of the project. Help please...

Regards,
Les

-----Original Message-----
From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Les Stott
Sent: Friday, 30 January 2015 4:48 PM
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] CA Replication Installation Failing

-----Original Message-----
From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Les Stott
Sent: Wednesday, 10 December 2014 6:22 PM
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] CA Replication Installation Failing

-----Original Message-----
From: Ade Lee [mailto:a...@redhat.com]
Sent: Wednesday, 10 December 2014 5:05 AM
To: Les Stott
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] CA Replication Installation Failing

On Tue, 2014-12-09 at 07:48 +, Les Stott wrote:

From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Dmitri Pal [d...@redhat.com]
Sent: Tuesday, December 09, 2014 3:49 PM
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] CA Replication Installation Failing

On 12/08/2014 11:04 PM, Les Stott wrote:
Does anyone have any ideas on the below errors when trying to add CA replication to an existing replica?

People who might be able to help are on PTO right now.
Is your installation older than 2 years?

No, December 2013 was when it was originally built.

Did you generate a new replica package or use the original one?

I used the original replica file for serverb, based on instructions I came across. I can try regenerating the replica file. Interestingly, now that you mention it, servera had to be restored a couple of months back. Perhaps this is an issue and regenerating the replica file for serverb will be required. I will try this.

I think that this is a safe bet to be the problem. The error in the log snippet you posted says:

<errorString>The pkcs12 file is not correct.</errorString>

This indicates that the clone CA was unable to decode the pkcs12 file in the replica. Perhaps the certs changed -- or the DM password changed?

Ade

I regenerated the replica file and retried the CA replica setup, but it failed at the same point with the same error. I am thinking that the next step is to uninstall the ipa replica to clean up, remove all traces and re-add as a replica on serverb. I wonder if the cert that it's having an issue with is the one on serverB under /etc/ipa/ca.crt which is from Dec 2013. I will try that in a couple of days as I have to schedule this work in as it's in production.

Regards,
Les

Maybe the problem is that the cert that is in that package already expired?

The original replica file was created on Dec 16 2013. Cert is not set to expire until 2015-12-17.

Just a thought... The simplest workaround IMO would be to prepare Server C, install it with CA and then decommission replica B. Do not forget to clean replication agreements on master. But that would be a workaround, it would not solve this specific problem, it will kill it.

I actually do have serverc and serverd. I planned to have CA replication on at least 2 other servers, but held off on trying on serverc due to issues with serverb. I'll report back what I find after regenerating the replica file and re-trying to set up CA replication.

After a bit of a hiatus I have revisited this issue and I still have it. Just to re-iterate the problem...

Trying to set up a ca replica on an already installed replica fails in rhel 6.6, ipa-3.0.0.42, pki 9.0.3-38.

/usr/sbin/ipa-ca-install -p xx -w xx -U /var/lib/ipa/replica-info-myhost.mydomain.com.gpg

It fails showing

CRITICAL failed to configure ca instance
Configuring certificate server (pki-cad): Estimated time 3 minutes 30 seconds
  [1/16]: creating certificate server user
  [2/16]: creating pki-ca instance
  [3/16]: configuring certificate server instance
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

It doesn't matter if I run it interactively or unattended. I have done this on similar servers that were rhel 6.5, pki-9.0.3-32, ipa 3.0.0-37 without any issue.

The /var/log/ipareplica-ca-install.log shows the following error about White Spaces:

# Attempting to connect to: mymaster.mydomain.com:9445
Connected.
Posting Query = https://
[Freeipa-users] Minimum Disk Size
What would be the minimum recommended disk size for a virtual FreeIPA server on a network consisting of less than 30 users and 100 hosts?

Regards,
Dan

-- 
Dan Mossor
Systems Engineer at Large
Fedora KDE WG | Fedora QA Team | Fedora Server SIG
Fedora Infrastructure Apprentice
FAS: dmossor IRC: danofsatx
San Antonio, Texas, USA