[Freeipa-users] CA replicas on all?

2015-05-02 Thread Janelle
Hi all,

Just wondering if there are issues with running CA replicas on all the servers? 
Are there maybe performance issues or anything that I might not be aware of?

~Janelle



-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] FreeIPA 4.1.4 DNS notifications not being sent to slaves

2015-05-02 Thread Nathan Peters
The last 3 sentences of my original post refer to me adding the NS records 
for the slave.  Is that what you mean?


"I have also ensured that the slave hostname and IP are in FreeIPA DNS.  I 
have also added an NS entry pointing to the slave."


-Original Message- 
From: Baird, Josh

Sent: Saturday, May 02, 2015 7:33 AM
To: 'nat...@nathanpeters.com' ; freeipa-users@redhat.com
Subject: RE: [Freeipa-users] FreeIPA 4.1.4 DNS notifications not being sent 
to slaves


Is the PowerDNS slave in the NS RRSet for the IPA domain?  Unfortunately, 
bind-dyndb-ldap does not support 'also-notify' which would allow us to send 
notifies each time a zone update occurs to slave servers that are not in the 
RRSet [1].  To compensate for this in my environment, I had to lower the 
'refresh' timer on the IPA zone.


[1] https://fedorahosted.org/bind-dyndb-ldap/ticket/152

-Original Message-
From: freeipa-users-boun...@redhat.com 
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of 
nat...@nathanpeters.com

Sent: Friday, May 1, 2015 8:20 PM
To: freeipa-users@redhat.com
Subject: [Freeipa-users] FreeIPA 4.1.4 DNS notifications not being sent to 
slaves


I have 2 FreeIPA 4.1.4 servers set up on CentOS 7 as replicas.

I also have another host running PowerDNS serving as a slave.
The FreeIPA servers are set up to allow transfers to the slave by IP.  When 
adding the zone, the slave transferred it properly.


However, when I update the zone in FreeIPA, although the serial number 
changes, in the /var/log/messages I only see an attempt to transfer to the 
second IPA server, and not the slave.  This is the only log entry :


May  2 01:06:56 dc1 named-pkcs11[5897]: zone mydomain.net/IN: sending notifies (serial 1430528817)
May  2 01:06:57 dc1 named-pkcs11[5897]: client 10.178.0.99#29832: received notify for zone 'mydomain.net'


I have restarted all services using ipactl restart several times.  I have 
also ensured that the slave hostname and IP are in FreeIPA DNS.  I have also 
added an NS entry pointing to the slave.


According to the FreeIPA manual, once that NS entry is added, any zone 
updates should trigger a notify, but still the only notifications go out to 
FreeIPA servers and nothing else.


Any idea how to fix this so FreeIPA notifies non-IPA servers?  I'm pretty 
sure I've followed all the instructions to the letter on this one...





Re: [Freeipa-users] Cross Realm Authentication between two FreeIPA Servers

2015-05-02 Thread Alexander Bokovoy
- Original Message - 

> Do we have any plans to implement in future?
Yes, once we get everything ready for fully working AD trusts support 
(i.e. IPA users being able to log in to Windows machines). The reason for that
is because we will be re-using the same infrastructure in both cases so
the code will largely be the same to drive both use cases.

This is very important because then we don't need to update SSSD on the machines
where current AD trust feature is already supported -- they will be able to
operate with IPA-IPA trust the instant moment it is established. Actual process
of setting up IPA-IPA trust will be a bit different, of course, as we have 
better ways to set the trust up in this case.


-- 
/ Alexander Bokovoy



Re: [Freeipa-users] FreeIPA 4.1.4 DNS notifications not being sent to slaves

2015-05-02 Thread Baird, Josh
Is the PowerDNS slave in the NS RRSet for the IPA domain?  Unfortunately, 
bind-dyndb-ldap does not support 'also-notify' which would allow us to send 
notifies each time a zone update occurs to slave servers that are not in the 
RRSet [1].  To compensate for this in my environment, I had to lower the 
'refresh' timer on the IPA zone.

[1] https://fedorahosted.org/bind-dyndb-ldap/ticket/152

-Original Message-
From: freeipa-users-boun...@redhat.com 
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of nat...@nathanpeters.com
Sent: Friday, May 1, 2015 8:20 PM
To: freeipa-users@redhat.com
Subject: [Freeipa-users] FreeIPA 4.1.4 DNS notifications not being sent to 
slaves

I have 2 FreeIPA 4.1.4 servers set up on CentOS 7 as replicas.

I also have another host running PowerDNS serving as a slave.
The FreeIPA servers are set up to allow transfers to the slave by IP.  When 
adding the zone, the slave transferred it properly.

However, when I update the zone in FreeIPA, although the serial number changes, 
in the /var/log/messages I only see an attempt to transfer to the second IPA 
server, and not the slave.  This is the only log entry :

May  2 01:06:56 dc1 named-pkcs11[5897]: zone mydomain.net/IN: sending notifies (serial 1430528817)
May  2 01:06:57 dc1 named-pkcs11[5897]: client 10.178.0.99#29832: received notify for zone 'mydomain.net'

I have restarted all services using ipactl restart several times.  I have also 
ensured that the slave hostname and IP are in FreeIPA DNS.  I have also added 
an NS entry pointing to the slave.

According to the FreeIPA manual, once that NS entry is added, any zone updates 
should trigger a notify, but still the only notifications go out to FreeIPA 
servers and nothing else.

Any idea how to fix this so FreeIPA notifies non-IPA servers?  I'm pretty sure 
I've followed all the instructions to the letter on this one...
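A small diagnostic for the situation Josh describes, added here as an example and not part of either poster's message: it parses `dig +noall +answer` style NS and SOA output to tell whether a given secondary is in the zone's NS RRSet (and so will be sent NOTIFY) and, if it is not, how far behind the secondary can fall before its next SOA refresh poll. The NS and SOA answer text is constructed to resemble the poster's zone and is not captured from their servers.

```python
# Constructed sample answers in the shape of `dig +noall +answer NS mydomain.net`
# and `dig +noall +answer SOA mydomain.net`; values are made up for this example.
NS_ANSWER = """\
mydomain.net.  86400  IN  NS  dc1.mydomain.net.
mydomain.net.  86400  IN  NS  dc2.mydomain.net.
"""
SOA_ANSWER = ("mydomain.net.  86400  IN  SOA  dc1.mydomain.net. "
              "hostmaster.mydomain.net. 1430528817 3600 900 1209600 3600\n")


def parse_ns(answer):
    """Return the set of NS targets, lowercased with the trailing dot stripped."""
    names = set()
    for line in answer.splitlines():
        fields = line.split()
        if len(fields) >= 5 and fields[3] == "NS":
            names.add(fields[4].lower().rstrip("."))
    return names


def parse_soa(answer):
    """Return (serial, refresh, retry, expire) from an SOA answer line."""
    for line in answer.splitlines():
        fields = line.split()
        # name ttl IN SOA mname rname serial refresh retry expire minimum
        if len(fields) >= 11 and fields[3] == "SOA":
            return tuple(int(x) for x in fields[6:10])
    raise ValueError("no SOA record in answer")


def notify_report(secondary, ns_answer, soa_answer):
    """Say whether a secondary will receive NOTIFY and bound its staleness if not.

    A secondary listed in the NS RRSet is notified on every update, so its lag
    is only the transfer time.  One that is not listed (the case in this thread,
    since bind-dyndb-ldap has no also-notify) learns of changes only when it
    polls the SOA, so it can be up to 'refresh' seconds behind.
    """
    serial, refresh, retry, expire = parse_soa(soa_answer)
    in_rrset = secondary.lower().rstrip(".") in parse_ns(ns_answer)
    return {
        "secondary_in_ns_rrset": in_rrset,
        "master_serial": serial,
        "refresh_seconds": refresh,
        "max_lag_seconds": 0 if in_rrset else refresh,
    }
```

If the secondary is not in the RRSet, `max_lag_seconds` is the value to lower via the zone's SOA refresh, which is the workaround Josh used.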




Re: [Freeipa-users] Cross Realm Authentication between two FreeIPA Servers

2015-05-02 Thread Shaik M
Do we have any plans to implement in future?

Thanks,
Shaik

On 2 May 2015 at 20:15, Alexander Bokovoy  wrote:

> - Original Message -
>
> > Hi,
>
> > can you please let me know, how to setup Cross Realm Authentication
> between
> > two FreeIPA Servers?
> Not supported yet.
>
> --
> / Alexander Bokovoy
>

Re: [Freeipa-users] Cross Realm Authentication between two FreeIPA Servers

2015-05-02 Thread Alexander Bokovoy
- Original Message - 

> Hi,

> can you please let me know, how to set up Cross Realm Authentication between
> two FreeIPA Servers?
Not supported yet.

-- 
/ Alexander Bokovoy



[Freeipa-users] Cross Realm Authentication between two FreeIPA Servers

2015-05-02 Thread Shaik M
Hi,

can you please let me know, how to set up Cross Realm Authentication between
two FreeIPA Servers?

Thanks,
Shaik