Re: [Freeipa-users] ipa-replica-prepare error

2015-07-14 Thread Jan Cholasta

Hi,

On 10.7.2015 at 22:33, Orion Poplawski wrote:

On 07/08/2015 11:31 AM, Orion Poplawski wrote:

  But then when I go to make a replica:

# ipa-replica-prepare ipa1.nwra.com --dirsrv_pkcs12=nwra.com.p12
--dirsrv_pin=XX --http_pkcs12=nwra.com.p12 --http_pin=XX
Directory Manager (existing master) password:

(SEC_ERROR_LIBRARY_FAILURE) security library failure.

Which looks like others are experiencing (with no resolution that I could
see) https://www.redhat.com/archives/freeipa-users/2015-April/msg00514.html


Unfortunately this error code can mean almost anything, NSS isn't 
particularly helpful with errors.




Putting AddTrustExternalCARoot into nwra.com.p12 doesn't appear to help.



Filed https://fedorahosted.org/freeipa/ticket/5117



Without ipa-replica-prepare log or pk12util output it's really hard to 
tell what's going on. Could you provide the output of the following 
commands:


# pk12util -l nwra.com.p12

# ipa-replica-prepare -v ipa1.nwra.com --dirsrv_pkcs12=nwra.com.p12 
--dirsrv_pin=XX --http_pkcs12=nwra.com.p12 --http_pin=XX


?

Honza

--
Jan Cholasta

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] ns-slapd high cpu usage

2015-07-14 Thread Andrew E. Bruno
On Tue, Jul 14, 2015 at 04:52:10PM +0200, Ludwig Krispenz wrote:
> Hm, the stack traces show csn_str values which correspond to Jul 8th, Jul 4th, and
> Jul 7th - so it looks like it is iterating the changelog over and over
> again.
> The consumer side is "cn=meTosrv-m14-24.ccr.buffalo.edu" - is this the master?
> 
> Can you provide the result of the following search from
> m14-24.ccr.buffalo.edu and the server with the high cpu:
> 
> ldapsearch -o ldif-wrap=no -x -D ... -w  -b "cn=config"
> "objectclass=nsds5replica" nsds50ruv


Master is srv-m14-24. Here are the results of the ldapsearch:

[srv-m14-24 ~]$ ldapsearch -o ldif-wrap=no -x -D "cn=directory manager" -W  -b 
"cn=config" "objectclass=nsds5replica" nsds50ruv

# replica, dc\3Dccr\2Cdc\3Dbuffalo\2Cdc\3Dedu, mapping tree, config
dn: cn=replica,cn=dc\3Dccr\2Cdc\3Dbuffalo\2Cdc\3Dedu,cn=mapping tree,cn=config
nsds50ruv: {replicageneration} 5527f7110004
nsds50ruv: {replica 4 ldap://srv-m14-24.ccr.buffalo.edu:389} 
5527f7710004 55a55aed0014
nsds50ruv: {replica 5 ldap://srv-m14-26.ccr.buffalo.edu:389} 
5537c7730005 5591a3d200070005
nsds50ruv: {replica 6 ldap://srv-m14-25-02.ccr.buffalo.edu:389} 
55943dda0006 5594537800020006

# replica, o\3Dipaca, mapping tree, config
dn: cn=replica,cn=o\3Dipaca,cn=mapping tree,cn=config
nsds50ruv: {replicageneration} 5527f74b0060
nsds50ruv: {replica 96 ldap://srv-m14-24.ccr.buffalo.edu:389} 
5527f7540060 55a557f60060
nsds50ruv: {replica 86 ldap://srv-m14-25-02.ccr.buffalo.edu:389} 
55943e6e0056 55943e6f00010056
nsds50ruv: {replica 91 ldap://srv-m14-26.ccr.buffalo.edu:389} 
5537c7ba005b 5582c7e40004005b


The server with high cpu load is srv-m14-26. Here are the results of the ldapsearch
from this server:

[srv-m14-26 ~]$ ldapsearch -o ldif-wrap=no -x -D "cn=directory manager" -W  -b 
"cn=config" "objectclass=nsds5replica" nsds50ruv

# replica, dc\3Dccr\2Cdc\3Dbuffalo\2Cdc\3Dedu, mapping tree, config
dn: cn=replica,cn=dc\3Dccr\2Cdc\3Dbuffalo\2Cdc\3Dedu,cn=mapping tree,cn=config
nsds50ruv: {replicageneration} 5527f7110004
nsds50ruv: {replica 5 ldap://srv-m14-26.ccr.buffalo.edu:389} 
5537c7730005 55a55b4700030005
nsds50ruv: {replica 4 ldap://srv-m14-24.ccr.buffalo.edu:389} 
5527f7710004 55a53eba0004
nsds50ruv: {replica 6 ldap://srv-m14-25-02.ccr.buffalo.edu:389} 
55943dda0006 5594537800020006

# replica, o\3Dipaca, mapping tree, config
dn: cn=replica,cn=o\3Dipaca,cn=mapping tree,cn=config
nsds50ruv: {replicageneration} 5527f74b0060
nsds50ruv: {replica 91 ldap://srv-m14-26.ccr.buffalo.edu:389} 
5537c7ba005b 5582c7e40004005b
nsds50ruv: {replica 96 ldap://srv-m14-24.ccr.buffalo.edu:389} 
5527f7540060 55a557f60060
nsds50ruv: {replica 86 ldap://srv-m14-25-02.ccr.buffalo.edu:389} 
55943e6e0056 55943e6f00010056


srv-m14-25-02 is our 3rd replica, which we recently added back in after it
failed (it was added back in on 7/1).

Let me know if you need anything else. Thanks for the help.

--Andrew

> 
> On 07/14/2015 02:35 PM, Andrew E. Bruno wrote:
> >On Tue, Jul 14, 2015 at 01:41:57PM +0200, Ludwig Krispenz wrote:
> >>On 07/13/2015 06:36 PM, Andrew E. Bruno wrote:
> >>>On Mon, Jul 13, 2015 at 05:29:13PM +0200, Ludwig Krispenz wrote:
> On 07/13/2015 05:05 PM, Andrew E. Bruno wrote:
> >On Mon, Jul 13, 2015 at 04:58:46PM +0200, Ludwig Krispenz wrote:
> >>Can you get a pstack of the slapd process along with a top -H to find the
> >>thread with high cpu usage?
> >Attached is the full stacktrace of the running ns-slapd process. top -H
> >shows this thread (2879) with high cpu usage:
> >
> >2879 dirsrv    20   0 3819252 1.962g  11680 R 99.9  3.1   8822:10 ns-slapd
> This thread is a replication thread sending updates; what is strange is
> that the current csn_str is quite old (July 7th). I can't tell which
> agreement this thread is handling, but it looks like it is heavily reading
> the changelog and sending updates. Anything changed recently in the
> replication setup?
> >>>Yes, we had one replica fail on (6/19) which we removed (not this one
> >>>showing high CPU load). Had to perform some manual cleanup of the ipa-ca
> >>>RUVs. Then we added the replica back in on 7/1. Since then, replication
> >>>appears to have been running normally between the 3 replicas. We've been
> >>>monitoring utilization since 7/1 and only recently seen this spike (past
> >>>24 hours or so).
> >>Is it still in this state? Or was it a spike?
> >Yes same state.
> >
> >>if it still is high cpu consuming, could you
> >>- get a few pstack like the one before with some time in between, I would
> >>like to see if it is progressing with the csns or looping on the same one
> >Attached are a few stacktraces. The thread pegging the cpu is:
> >
> >PID  USER  PR  NI  VIRT  RES  SHR S  %CPU %MEM  TIME+  COMMAND
> >287

[Freeipa-users] Reverse DNS and Forwarding

2015-07-14 Thread Nevada Sanchez
I have FreeIPA set up as our primary DNS on an AWS VPC. I set up global
forwarding ('Forward First') so that it will forward queries to Amazon's
DNS, and then fall back on IPA if it doesn't see a hit.

This works perfectly fine for forward DNS lookups:

$ # This host does not exist on FreeIPA, but does on Amazon DNS
$ host ip-10-0-6-17.ec2.internal
ip-10-0-6-17.ec2.internal has address 10.0.6.17

However, for reverse lookups, it doesn't seem to get forwarded:

$ # Same host, reverse lookup fails at FreeIPA
$ host 10.0.6.17
Host 17.6.0.10.in-addr.arpa. not found: 3(NXDOMAIN)

$ # Explicitly forwarding to Amazon DNS, reverse lookup works
$ host 10.0.6.17 10.0.0.2
Using domain server:
Name: 10.0.0.2
Address: 10.0.0.2#53
Aliases:
17.6.0.10.in-addr.arpa domain name pointer ip-10-0-6-17.ec2.internal.

Please help. Thanks!

-- 
*Nevada Sanchez*
Co-Founder, ASIC Design Team Lead

tel: 203.689.5650 x314 | mobile: 775.863.8726
Come join us  and put a dent in
the universe!

Re: [Freeipa-users] Force IPA client Reverse Zone Dynamic Updates

2015-07-14 Thread Sina Owolabi
I restarted network services on the host, then I restarted sssd again.
The record appeared!

On Tue, Jul 14, 2015 at 3:50 PM, Sina Owolabi  wrote:
> I removed the A record and restarted SSSD.
> The DNS record did not update.
>
> On Tue, Jul 14, 2015 at 2:20 PM, Martin Basti  wrote:
>> On 13/07/15 19:58, Sina Owolabi wrote:
>>>
>>> Hi Martin
>>>
>>> Yes, all my sssd configs are set to ipa_dyndns_update = True
>>> I didn't have --allow-sync-ptr=TRUE in all the forward zones so I set
>>> them.
>>> I've tried to set it in the very first zone (set up during
>>> installation) but dnszone-mod complains:
>>>
>>> # ipa dnszone-mod mydom.com --allow-sync-ptr=TRUE --dynamic-update=TRUE
>>> ipa: ERROR: no modifications to be performed
>>>
>>> But I don't see it in the show command:
>>>
>>>   ipa dnszone-show mydom.com
>>>Zone name: mydom.com.
>>>Active zone: TRUE
>>>Authoritative nameserver: services.mydom.com.
>>>Administrator e-mail address: hostmaster.mydom.com.
>>>SOA serial: 1436799166
>>>SOA refresh: 3600
>>>SOA retry: 900
>>>SOA expire: 1209600
>>>SOA minimum: 3600
>>>Allow query: any;
>>>Allow transfer: none;
>>>
>>> On Mon, Jul 13, 2015 at 11:20 AM, Martin Basti  wrote:

 On 12/07/15 10:05, Sina Owolabi wrote:
>
> Hi
>
> I have several dns zones defined in IPA. I noticed recently that the
> zone files are empty. I find this odd because I created them like the
> example below.
> Is it possible to force clients to auto-update reverse zones?
>
> Thanks in advance!
>
> How I created all the zones:
>
>ipa dnszone-add 0.14.10.in-addr.arpa. --minimum=3000
> --allow-sync-ptr=TRUE --dynamic-update
> Zone name: 0.14.10.in-addr.arpa.
> Active zone: TRUE
> Authoritative nameserver: services.ourdomain.com.
> Administrator e-mail address: hostmaster
> SOA serial: 1436688202
> SOA refresh: 3600
> SOA retry: 900
> SOA expire: 1209600
> SOA minimum: 3000
> BIND update policy: grant QRIOS.COM krb5-subdomain
> 0.14.10.in-addr.arpa. PTR;
> Dynamic update: TRUE
> Allow query: any;
> Allow transfer: none;
> Allow PTR sync: TRUE
>
 Hello,

 do you have --allow-sync-ptr=True configured in zones where the
 particular
 A/ records are?

 SSSD is able to update records.
 Please check if "dyndns_update" is set to true in sssd.conf. (man
 sssd-ipa)

 --
 Martin Basti

>>
>> Can you try to restart SSSD, or to remove the A record and then restart SSSD
>> on the particular host?
>>
>> --
>> Martin Basti
>>



Re: [Freeipa-users] ns-slapd high cpu usage

2015-07-14 Thread Ludwig Krispenz
Hm, the stack traces show csn_str values which correspond to Jul 8th, Jul 4th,
and Jul 7th - so it looks like it is iterating the changelog over and
over again.
The consumer side is "cn=meTosrv-m14-24.ccr.buffalo.edu" - is this the
master?


Can you provide the result of the following search from
m14-24.ccr.buffalo.edu and the server with the high cpu:


ldapsearch -o ldif-wrap=no -x -D ... -w  -b "cn=config" 
"objectclass=nsds5replica" nsds50ruv


On 07/14/2015 02:35 PM, Andrew E. Bruno wrote:

On Tue, Jul 14, 2015 at 01:41:57PM +0200, Ludwig Krispenz wrote:

On 07/13/2015 06:36 PM, Andrew E. Bruno wrote:

On Mon, Jul 13, 2015 at 05:29:13PM +0200, Ludwig Krispenz wrote:

On 07/13/2015 05:05 PM, Andrew E. Bruno wrote:

On Mon, Jul 13, 2015 at 04:58:46PM +0200, Ludwig Krispenz wrote:

Can you get a pstack of the slapd process along with a top -H to find the
thread with high cpu usage?

Attached is the full stacktrace of the running ns-slapd process. top -H
shows this thread (2879) with high cpu usage:

2879 dirsrv    20   0 3819252 1.962g  11680 R 99.9  3.1   8822:10 ns-slapd

This thread is a replication thread sending updates; what is strange is that
the current csn_str is quite old (July 7th). I can't tell which agreement
this thread is handling, but it looks like it is heavily reading the changelog
and sending updates. Anything changed recently in the replication setup?

Yes, we had one replica fail on (6/19) which we removed (not this one
showing high CPU load). Had to perform some manual cleanup of the ipa-ca
RUVs. Then we added the replica back in on 7/1. Since then, replication
appears to have been running normally between the 3 replicas. We've been
monitoring utilization since 7/1 and only recently seen this spike (past
24 hours or so).

Is it still in this state? Or was it a spike?

Yes same state.


if it still is high cpu consuming, could you
- get a few pstack like the one before with some time in between, I would
like to see if it is progressing with the csns or looping on the same one

Attached are a few stacktraces. The thread pegging the cpu is:

PID  USER  PR  NI  VIRT  RES  SHR S  %CPU %MEM  TIME+  COMMAND
2879 dirsrv    20   0 3819252 1.978g  11684 R  99.9  3.2  10148:26 ns-slapd


- check the consumer side. Is there anything in the error log? Does the
access log show replication activity from this server?


Here are some errors showing up on the first master server rep1 (rep2 is the
server with the pegged cpu):

[13/Jul/2015:20:41:51 -0400] NSMMReplicationPlugin - 
agmt="cn=masterAgreement1-rep2-pki-tomcat" (rep2:389): Consumer failed to 
replay change (uniqueid cb7acfc1-df9211e4-a351aa45-2e06257b, CSN 55a45ad60060): 
Operations error (1). Will retry later.
[13/Jul/2015:22:41:51 -0400] NSMMReplicationPlugin - 
agmt="cn=masterAgreement1-rep2-pki-tomcat" (rep2:389): Consumer failed to 
replay change (uniqueid cb7acfc1-df9211e4-a351aa45-2e06257b, CSN 55a476f60060): 
Operations error (1). Will retry later.
[14/Jul/2015:06:56:51 -0400] NSMMReplicationPlugin - 
agmt="cn=masterAgreement1-rep2-tomcat" (rep2:389): Consumer failed to replay 
change (uniqueid cb7acfc1-df9211e4-a351aa45-2e06257b, CSN 55a4eafa0060): 
Operations error (1). Will retry later.


Here are some snips from the access log of rep2:


[14/Jul/2015:08:22:31 -0400] conn=87 op=9794 EXT oid="2.16.840.1.113730.3.5.5" 
name="Netscape Replication End Session"
[14/Jul/2015:08:22:31 -0400] conn=87 op=9794 RESULT err=0 tag=120 
nentries=0 etime=0
[14/Jul/2015:08:22:31 -0400] conn=87 op=9795 EXT oid="2.16.840.1.113730.3.5.12" 
name="replication-multimaster-extop"
[14/Jul/2015:08:22:31 -0400] conn=87 op=9795 RESULT err=0 tag=120 
nentries=0 etime=0
[14/Jul/2015:08:22:33 -0400] conn=87 op=9796 EXT oid="2.16.840.1.113730.3.5.5" 
name="Netscape Replication End Session"
..
[14/Jul/2015:08:23:38 -0400] conn=782341 op=129 RESULT err=0 tag=103 nentries=0 
etime=0 csn=55a4ff6c0005
..
[14/Jul/2015:08:24:02 -0400] conn=781901 op=1745 RESULT err=0 tag=101 
nentries=1 etime=0
[14/Jul/2015:08:24:03 -0400] conn=87 op=9810 EXT oid="2.16.840.1.113730.3.5.5" 
name="Netscape Replication End Session"
[14/Jul/2015:08:24:03 -0400] conn=87 op=9810 RESULT err=0 tag=120 
nentries=0 etime=0
[14/Jul/2015:08:24:03 -0400] conn=87 op=9811 EXT oid="2.16.840.1.113730.3.5.12" 
name="replication-multimaster-extop"
[14/Jul/2015:08:24:03 -0400] conn=87 op=9811 RESULT err=0 tag=120 
nentries=0 etime=0
[14/Jul/2015:08:24:05 -0400] conn=87 op=9812 EXT oid="2.16.840.1.113730.3.5.5" 
name="Netscape Replication End Session"
[14/Jul/2015:08:24:05 -0400] conn=87 op=9812 RESULT err=0 tag=120 
nentries=0 etime=0
[14/Jul/2015:08:24:08 -0400] conn=87 op=9813 EXT oid="2.16.840.1.113730.3.5.12" 
name="replication-multimaster-extop"
[14/Jul/2015:08:24:08 -0400] conn=87 op=9813 RESULT err=0 tag=120 
nentries=0 etime=0
[14/Jul/2015:08:24:10 -0400] conn=87 op=9814 EXT oid="2.16.840.1.113730.3.5.5"
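Ludwig's reading of the csn_str timestamps and his request to compare the nsds50ruv output of both servers come down to decoding the CSN. The following added example (not 389-ds or FreeIPA code) does that offline: it splits a CSN into its fields, parses the RUVs of two masters and reports which replica ids one side lags on, and groups the "Consumer failed to replay change" errors by uniqueid. All sample data is constructed: the hostnames and the uniqueid come from the thread, while the CSNs are padded to the full 20 hex digits 389-ds emits (the values as quoted in the thread are shorter than that), with timestamps chosen to resemble the quoted ones.

```python
"""Decode 389-ds CSNs and compare the RUVs of two masters (added example)."""
import re
from datetime import datetime, timezone

# A 389-ds CSN is 20 hex digits: 8 of Unix time, 4 sequence number,
# 4 replica id, 4 sub-sequence number.  The time is what csn_str reveals.
CSN_RE = re.compile(r"([0-9a-f]{8})([0-9a-f]{4})([0-9a-f]{4})([0-9a-f]{4})")
RUV_RE = re.compile(
    r"^nsds50ruv: \{replica (\d+) (ldap://[^}]+)\} ([0-9a-f]{20})(?: ([0-9a-f]{20}))?$",
    re.M,
)
REPLAY_ERR_RE = re.compile(
    r'^\[([^\]]+)\] NSMMReplicationPlugin - agmt="([^"]+)" \(([^)]+)\): '
    r"Consumer failed to replay change \(uniqueid ([0-9a-f-]+), CSN ([0-9a-f]{20})\)",
    re.M,
)


def decode_csn(csn):
    """Split a CSN into time (UTC), seq, rid and subseq."""
    m = CSN_RE.fullmatch(csn)
    if m is None:
        raise ValueError("malformed CSN: %r" % csn)
    ts, seq, rid, subseq = (int(g, 16) for g in m.groups())
    return {"time": datetime.fromtimestamp(ts, timezone.utc),
            "seq": seq, "rid": rid, "subseq": subseq}


def parse_ruv(ldif):
    """Map replica id -> (url, min_csn, max_csn) from one server's nsds50ruv lines."""
    return {int(rid): (url, lo, hi or None) for rid, url, lo, hi in RUV_RE.findall(ldif)}


def ruv_lag(a, b):
    """Seconds by which b's view of each replica's newest change trails a's.

    Positive: b has not seen changes a already holds from that replica id;
    negative: a is the one behind.  A replica id known to only one side is
    reported as None (often a stale RUV element that still needs cleaning).
    """
    lag = {}
    for rid in sorted(set(a) | set(b)):
        if rid not in a or rid not in b or not a[rid][2] or not b[rid][2]:
            lag[rid] = None
            continue
        delta = decode_csn(a[rid][2])["time"] - decode_csn(b[rid][2])["time"]
        lag[rid] = int(delta.total_seconds())
    return lag


def replay_failures(errors_log):
    """Group 'Consumer failed to replay change' lines by uniqueid.

    The same uniqueid recurring under ever newer CSNs is the supplier retrying
    one entry, which fits the repeated changelog reads seen in the pstacks.
    """
    failures = {}
    for logged, agmt, consumer, uniqueid, csn in REPLAY_ERR_RE.findall(errors_log):
        failures.setdefault(uniqueid, []).append(
            (agmt, consumer, logged, decode_csn(csn)["time"]))
    return failures


# Constructed sample data: hostnames from the thread, CSNs padded to the full
# 20 digits with timestamps chosen to resemble the ones quoted.
RUV_M14_24 = """\
nsds50ruv: {replicageneration} 5527f71100000004
nsds50ruv: {replica 4 ldap://srv-m14-24.ccr.buffalo.edu:389} 5527f771000000040000 55a55aed000100040000
nsds50ruv: {replica 5 ldap://srv-m14-26.ccr.buffalo.edu:389} 5537c773000000050000 5591a3d2000700050000
nsds50ruv: {replica 6 ldap://srv-m14-25-02.ccr.buffalo.edu:389} 55943dda000000060000 55945378000200060000
"""
RUV_M14_26 = """\
nsds50ruv: {replicageneration} 5527f71100000004
nsds50ruv: {replica 5 ldap://srv-m14-26.ccr.buffalo.edu:389} 5537c773000000050000 55a55b47000300050000
nsds50ruv: {replica 4 ldap://srv-m14-24.ccr.buffalo.edu:389} 5527f771000000040000 55a53eba000000040000
nsds50ruv: {replica 6 ldap://srv-m14-25-02.ccr.buffalo.edu:389} 55943dda000000060000 55945378000200060000
"""
ERRORS_LOG = """\
[13/Jul/2015:20:41:51 -0400] NSMMReplicationPlugin - agmt="cn=masterAgreement1-rep2-pki-tomcat" (rep2:389): Consumer failed to replay change (uniqueid cb7acfc1-df9211e4-a351aa45-2e06257b, CSN 55a45ad6000000600000): Operations error (1). Will retry later.
[13/Jul/2015:22:41:51 -0400] NSMMReplicationPlugin - agmt="cn=masterAgreement1-rep2-pki-tomcat" (rep2:389): Consumer failed to replay change (uniqueid cb7acfc1-df9211e4-a351aa45-2e06257b, CSN 55a476f6000000600000): Operations error (1). Will retry later.
[14/Jul/2015:06:56:51 -0400] NSMMReplicationPlugin - agmt="cn=masterAgreement1-rep2-pki-tomcat" (rep2:389): Consumer failed to replay change (uniqueid cb7acfc1-df9211e4-a351aa45-2e06257b, CSN 55a4eafa000000600000): Operations error (1). Will retry later.
"""

if __name__ == "__main__":
    for rid, secs in ruv_lag(parse_ruv(RUV_M14_24), parse_ruv(RUV_M14_26)).items():
        print("replica %d: srv-m14-26 trails srv-m14-24 by %s s" % (rid, secs))
    for uid, hits in replay_failures(ERRORS_LOG).items():
        print("%s: %d retries, change made %s" % (uid, len(hits), hits[-1][3]))
```

With real data, feed each server's `ldapsearch ... nsds50ruv` output to parse_ruv and the supplier's errors log to replay_failures; a large negative or positive lag on one replica id points at the agreement whose supplier thread is worth a pstack.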

Re: [Freeipa-users] Force IPA client Reverse Zone Dynamic Updates

2015-07-14 Thread Martin Basti

On 14/07/15 16:52, Sina Owolabi wrote:

I restarted network services on the host, then I restarted sssd again.
The record appeared!

Great :)


On Tue, Jul 14, 2015 at 3:50 PM, Sina Owolabi  wrote:

I removed the A record and restarted SSSD.
The DNS record did not update.

On Tue, Jul 14, 2015 at 2:20 PM, Martin Basti  wrote:

On 13/07/15 19:58, Sina Owolabi wrote:

Hi Martin

Yes, all my sssd configs are set to ipa_dyndns_update = True
I didn't have --allow-sync-ptr=TRUE in all the forward zones so I set
them.
I've tried to set it in the very first zone (set up during
installation) but dnszone-mod complains:

# ipa dnszone-mod mydom.com --allow-sync-ptr=TRUE --dynamic-update=TRUE
ipa: ERROR: no modifications to be performed

But I don't see it in the show command:

   ipa dnszone-show mydom.com
Zone name: mydom.com.
Active zone: TRUE
Authoritative nameserver: services.mydom.com.
Administrator e-mail address: hostmaster.mydom.com.
SOA serial: 1436799166
SOA refresh: 3600
SOA retry: 900
SOA expire: 1209600
SOA minimum: 3600
Allow query: any;
Allow transfer: none;

On Mon, Jul 13, 2015 at 11:20 AM, Martin Basti  wrote:

On 12/07/15 10:05, Sina Owolabi wrote:

Hi

I have several dns zones defined in IPA. I noticed recently that the
zone files are empty. I find this odd because I created them like the
example below.
Is it possible to force clients to auto-update reverse zones?

Thanks in advance!

How I created all the zones:

ipa dnszone-add 0.14.10.in-addr.arpa. --minimum=3000
--allow-sync-ptr=TRUE --dynamic-update
 Zone name: 0.14.10.in-addr.arpa.
 Active zone: TRUE
 Authoritative nameserver: services.ourdomain.com.
 Administrator e-mail address: hostmaster
 SOA serial: 1436688202
 SOA refresh: 3600
 SOA retry: 900
 SOA expire: 1209600
 SOA minimum: 3000
 BIND update policy: grant QRIOS.COM krb5-subdomain
0.14.10.in-addr.arpa. PTR;
 Dynamic update: TRUE
 Allow query: any;
 Allow transfer: none;
 Allow PTR sync: TRUE


Hello,

do you have --allow-sync-ptr=True configured in zones where the
particular
A/ records are?

SSSD is able to update records.
Please check if "dyndns_update" is set to true in sssd.conf. (man
sssd-ipa)

--
Martin Basti


Can you try to restart SSSD, or to remove the A record and then restart SSSD
on the particular host?

--
Martin Basti




--
Martin Basti



Re: [Freeipa-users] Force IPA client Reverse Zone Dynamic Updates

2015-07-14 Thread Sina Owolabi
I removed the A record and restarted SSSD.
The DNS record did not update.

On Tue, Jul 14, 2015 at 2:20 PM, Martin Basti  wrote:
> On 13/07/15 19:58, Sina Owolabi wrote:
>>
>> Hi Martin
>>
>> Yes, all my sssd configs are set to ipa_dyndns_update = True
>> I didn't have --allow-sync-ptr=TRUE in all the forward zones so I set
>> them.
>> I've tried to set it in the very first zone (set up during
>> installation) but dnszone-mod complains:
>>
>> # ipa dnszone-mod mydom.com --allow-sync-ptr=TRUE --dynamic-update=TRUE
>> ipa: ERROR: no modifications to be performed
>>
>> But I don't see it in the show command:
>>
>>   ipa dnszone-show mydom.com
>>Zone name: mydom.com.
>>Active zone: TRUE
>>Authoritative nameserver: services.mydom.com.
>>Administrator e-mail address: hostmaster.mydom.com.
>>SOA serial: 1436799166
>>SOA refresh: 3600
>>SOA retry: 900
>>SOA expire: 1209600
>>SOA minimum: 3600
>>Allow query: any;
>>Allow transfer: none;
>>
>> On Mon, Jul 13, 2015 at 11:20 AM, Martin Basti  wrote:
>>>
>>> On 12/07/15 10:05, Sina Owolabi wrote:

 Hi

 I have several dns zones defined in IPA. I noticed recently that the
 zone files are empty. I find this odd because I created them like the
 example below.
 Is it possible to force clients to auto-update reverse zones?

 Thanks in advance!

 How I created all the zones:

ipa dnszone-add 0.14.10.in-addr.arpa. --minimum=3000
 --allow-sync-ptr=TRUE --dynamic-update
 Zone name: 0.14.10.in-addr.arpa.
 Active zone: TRUE
 Authoritative nameserver: services.ourdomain.com.
 Administrator e-mail address: hostmaster
 SOA serial: 1436688202
 SOA refresh: 3600
 SOA retry: 900
 SOA expire: 1209600
 SOA minimum: 3000
 BIND update policy: grant QRIOS.COM krb5-subdomain
 0.14.10.in-addr.arpa. PTR;
 Dynamic update: TRUE
 Allow query: any;
 Allow transfer: none;
 Allow PTR sync: TRUE

>>> Hello,
>>>
>>> do you have --allow-sync-ptr=True configured in zones where the
>>> particular
>>> A/ records are?
>>>
>>> SSSD is able to update records.
>>> Please check if "dyndns_update" is set to true in sssd.conf. (man
>>> sssd-ipa)
>>>
>>> --
>>> Martin Basti
>>>
>
> Can you try to restart SSSD, or to remove the A record and then restart SSSD
> on the particular host?
>
> --
> Martin Basti
>



Re: [Freeipa-users] Force IPA client Reverse Zone Dynamic Updates

2015-07-14 Thread Martin Basti

On 13/07/15 19:58, Sina Owolabi wrote:

Hi Martin

Yes, all my sssd configs are set to ipa_dyndns_update = True
I didn't have --allow-sync-ptr=TRUE in all the forward zones so I set them.
I've tried to set it in the very first zone (set up during
installation) but dnszone-mod complains:

# ipa dnszone-mod mydom.com --allow-sync-ptr=TRUE --dynamic-update=TRUE
ipa: ERROR: no modifications to be performed

But I don't see it in the show command:

  ipa dnszone-show mydom.com
   Zone name: mydom.com.
   Active zone: TRUE
   Authoritative nameserver: services.mydom.com.
   Administrator e-mail address: hostmaster.mydom.com.
   SOA serial: 1436799166
   SOA refresh: 3600
   SOA retry: 900
   SOA expire: 1209600
   SOA minimum: 3600
   Allow query: any;
   Allow transfer: none;

On Mon, Jul 13, 2015 at 11:20 AM, Martin Basti  wrote:

On 12/07/15 10:05, Sina Owolabi wrote:

Hi

I have several dns zones defined in IPA. I noticed recently that the
zone files are empty. I find this odd because I created them like the
example below.
Is it possible to force clients to auto-update reverse zones?

Thanks in advance!

How I created all the zones:

   ipa dnszone-add 0.14.10.in-addr.arpa. --minimum=3000
--allow-sync-ptr=TRUE --dynamic-update
Zone name: 0.14.10.in-addr.arpa.
Active zone: TRUE
Authoritative nameserver: services.ourdomain.com.
Administrator e-mail address: hostmaster
SOA serial: 1436688202
SOA refresh: 3600
SOA retry: 900
SOA expire: 1209600
SOA minimum: 3000
BIND update policy: grant QRIOS.COM krb5-subdomain
0.14.10.in-addr.arpa. PTR;
Dynamic update: TRUE
Allow query: any;
Allow transfer: none;
Allow PTR sync: TRUE


Hello,

do you have --allow-sync-ptr=True configured in zones where the particular
A/ records are?

SSSD is able to update records.
Please check if "dyndns_update" is set to true in sssd.conf. (man sssd-ipa)

--
Martin Basti



Can you try to restart SSSD, or to remove the A record and then restart 
SSSD on the particular host?


--
Martin Basti



Re: [Freeipa-users] reverse lookup dns records in trust setup

2015-07-14 Thread John Stein
Hi,

What I meant was that the IPA server is managing two zones:

Linux.john.com
Which has these records
Ipa1 A 192.168.0.140
client1 A 192.168.0.11

0.168.192.in-addr.arpa.
Which has these records
11 PTR client1.linux.john.com
@ NS ipa1.linux.john.com

In the AD
forward lookup zones
>John.com
>>linux
(Same as parent folder) NS ipa1.linux.john.com

Anything more that's unclear?

Thank you very much!
John

On Tue, Jul 14, 2015, 15:52 Petr Spacek  wrote:

> On 14.7.2015 14:49, John Stein wrote:
> > I ran the above commands exactly as I told you on the IPA server. I also
> > set the IPA server as a global forwarder in the AD.
> >
> > On Wed, Jul 8, 2015, 12:50 Petr Spacek  wrote:
> >
> >> > On 5.7.2015 08:38, John Stein wrote:
> >>> > > Hi,
> >>> > >
> >>> > > I ran these commands in the IdM server
> >>> > >
> >>> > > $ ipa dnszone-mod 2.0.192.in-addr.arpa. --update-policy='grant
> JOHN.COM
> >>> > > krb5-self * PTR; grant LINUX.JOHN.COM krb5-self * PTR;'
> >>> > > $ ipa dnszone-mod 2.0.192.in-addr.arpa. --dynamic-update=1
> >>> > >
> >>> > > At the Active Directory I have A and PTR records for the IdM
> server and
> >> > it
> >>> > > is configured as a global forwarder.
> >>> > > At the IdM server there are A and PTR records for both the IdM
> server and
> >>> > > another client.
>
> Can you explain what you did, exactly? I do not know what 'I have A and PTR
> records for the IdM server' exactly means. We need to know exactly what you
> typed in and where you clicked in AD.
>
> The original information is not sufficient, that is why I am asking for more
> details.
>
> Petr^2 Spacek
>
> >>> > > However this setup does not work.
> >>> > > From the IdM and linux client every record is resolvable, however
> from
> >> > the
> >>> > > AD only the IdM is resolvable and the client is not.
> >>> > >
> >>> > > Maybe there's another thing I need to configure in the AD in order
> to
> >>> > > enable forwarding that I'm missing?
> >> >
> >> > I'm not sure I understand you.
>

Re: [Freeipa-users] reverse lookup dns records in trust setup

2015-07-14 Thread Petr Spacek
On 14.7.2015 14:49, John Stein wrote:
> I ran the above commands exactly as I told you on the IPA server. I also
> set the IPA server as a global forwarder in the AD.
> 
> On Wed, Jul 8, 2015, 12:50 Petr Spacek  wrote:
> 
>> > On 5.7.2015 08:38, John Stein wrote:
>>> > > Hi,
>>> > >
>>> > > I ran these commands in the IdM server
>>> > >
>>> > > $ ipa dnszone-mod 2.0.192.in-addr.arpa. --update-policy='grant JOHN.COM
>>> > > krb5-self * PTR; grant LINUX.JOHN.COM krb5-self * PTR;'
>>> > > $ ipa dnszone-mod 2.0.192.in-addr.arpa. --dynamic-update=1
>>> > >
>>> > > At the Active Directory I have A and PTR records for the IdM server and
>> > it
>>> > > is configured as a global forwarder.
>>> > > At the IdM server there are A and PTR records for both the IdM server 
>>> > > and
>>> > > another client.

Can you explain what you did, exactly? I do not know what 'I have A and PTR
records for the IdM server' exactly means. We need to know exactly what you
typed in and where you clicked in AD.

The original information is not sufficient, that is why I am asking for more
details.

Petr^2 Spacek

>>> > > However this setup does not work.
>>> > > From the IdM and linux client every record is resolvable, however from
>> > the
>>> > > AD only the IdM is resolvable and the client is not.
>>> > >
>>> > > Maybe there's another thing I need to configure in the AD in order to
>>> > > enable forwarding that I'm missing?
>> >
>> > I'm not sure I understand you.



Re: [Freeipa-users] Force IPA client Reverse Zone Dynamic Updates

2015-07-14 Thread Sina Owolabi
Thank you again.
The configuration does conform.

On Tue, Jul 14, 2015 at 1:47 PM, Petr Spacek  wrote:
> On 14.7.2015 14:44, Sina Owolabi wrote:
>> Thanks Petr.
>>
>> Can I assume that any fresh clients added to the IDM domain are going
>> to have both their forward and reverse records populated?
>
> Yes, as long as your configuration conforms with
> https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/SyncPTR
>
> Please let us know if you encounter any problems.
>
> Petr^2 Spacek
>
>> On Tue, Jul 14, 2015 at 1:10 PM, Petr Spacek  wrote:
>>> On 14.7.2015 10:28, Sina Owolabi wrote:
 Thanks Martin


 The expanded command shows all the output. Curiously, I still don't
 see any reverse addresses yet except on the reverse domain for this
 primary zone. I've restarted the IPA servers in hopes of a Windows-y
 solution but it didn't help :-)
>>>
>>> SyncPTR does something only when the data change, i.e. it will do nothing if
>>> your A/ records are up to date (even if clients send updates).
>>>
>>> I'm afraid that there is no pre-made tool to do the mass update, sorry. You
>>> probably need to script something yourself.
>>>
>>> Petr^2 Spacek
>>>
 output:
 ipa dnszone-show mydom.com --all
   dn: idnsname=mydom.com.,cn=dns,dc=mydom,dc=com
   Zone name: mydom.com.
   Active zone: TRUE
   Authoritative nameserver: dc.mydom.com.
   Administrator e-mail address: hostmaster.mydom.com.
   SOA serial: 1436861122
   SOA refresh: 3600
   SOA retry: 900
   SOA expire: 1209600
   SOA minimum: 3600
   BIND update policy: grant mydom.COM krb5-self * A; grant mydom.COM
 krb5-self * ; grant mydom.COM krb5-self * SSHFP;
   Dynamic update: TRUE
   Allow query: any;
   Allow transfer: none;
   Allow PTR sync: TRUE
   arecord: pu.bl.ic.add
   mxrecord: 0 mail.mydom.com.
   nsrecord: dc02.mydom.com., dc01.mydom.com., dc.mydom.com.
   objectclass: idnszone, top, idnsrecord

 On Tue, Jul 14, 2015 at 8:46 AM, Martin Basti  wrote:
> On 13/07/15 19:58, Sina Owolabi wrote:
>>
>> Hi Martin
>>
>> Yes, all my sssd configs are set to ipa_dyndns_update = True
>> I didn't have --allow-sync-ptr=TRUE in all the forward zones so I set
>> them.
>> I've tried to set it in the very first zone (set up during
>> installation) but dnszone-mod complains:
>>
>> # ipa dnszone-mod mydom.com --allow-sync-ptr=TRUE --dynamic-update=TRUE
>> ipa: ERROR: no modifications to be performed
>>
>> But I don't see it in the show command:
>>
>>   ipa dnszone-show mydom.com
>>Zone name: mydom.com.
>>Active zone: TRUE
>>Authoritative nameserver: services.mydom.com.
>>Administrator e-mail address: hostmaster.mydom.com.
>>SOA serial: 1436799166
>>SOA refresh: 3600
>>SOA retry: 900
>>SOA expire: 1209600
>>SOA minimum: 3600
>>Allow query: any;
>>Allow transfer: none;
>
> You must use option --all
>
> ipa dnszone-show mydom.com --all
>
>
> Martin
>
>>
>> On Mon, Jul 13, 2015 at 11:20 AM, Martin Basti  wrote:
>>>
>>> On 12/07/15 10:05, Sina Owolabi wrote:

 Hi

 I have several dns zones defined in IPA. I noticed recently that the
 zone files are empty. I find this odd because I created them like the
 example below.
 Is it possible to force clients to auto-update reverse zones?

 Thanks in advance!

 How I created all the zones:

ipa dnszone-add 0.14.10.in-addr.arpa. --minimum=3000
 --allow-sync-ptr=TRUE --dynamic-update
 Zone name: 0.14.10.in-addr.arpa.
 Active zone: TRUE
 Authoritative nameserver: services.ourdomain.com.
 Administrator e-mail address: hostmaster
 SOA serial: 1436688202
 SOA refresh: 3600
 SOA retry: 900
 SOA expire: 1209600
 SOA minimum: 3000
 BIND update policy: grant QRIOS.COM krb5-subdomain
 0.14.10.in-addr.arpa. PTR;
 Dynamic update: TRUE
 Allow query: any;
 Allow transfer: none;
 Allow PTR sync: TRUE

>>> Hello,
>>>
>>> do you have --allow-sync-ptr=True configured in zones where the
>>> particular
>>> A/ records are?
>>>
>>> SSSD is able to update records.
>>> Please check if "dyndns_update" is set to true in sssd.conf. (man
>>> sssd-ipa)
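Petr notes above that SyncPTR only fires when a record changes and that a mass backfill of PTRs has to be scripted. The following added example (not a FreeIPA or bind-dyndb-ldap tool) plans such a backfill offline: given the A/AAAA records of the forward zones and the PTRs the IPA-managed reverse zones already hold, it picks the most specific managed reverse zone for each address, lists the PTRs that are missing, and prints the `ipa dnsrecord-add <zone> <name> --ptr-rec=<target>` commands that would create them. The zone contents are constructed sample data in the shape of `ipa dnsrecord-find` output; addresses with no IPA-managed reverse zone are reported rather than guessed at.

```python
"""Plan a PTR backfill for IPA-managed reverse zones (added example)."""
import ipaddress


def reverse_name(ip):
    """Absolute reverse-pointer name for an IPv4 or IPv6 address."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def reverse_zone_for(ip, reverse_zones):
    """Most specific managed reverse zone containing ip, or None if IPA serves none."""
    name = reverse_name(ip)
    best = None
    for zone in reverse_zones:
        z = zone if zone.endswith(".") else zone + "."
        if name.endswith("." + z) and (best is None or len(z) > len(best)):
            best = z
    return best


def plan_ptr_backfill(forward_zones, reverse_zones):
    """Return (adds, unmanaged).

    forward_zones: {zone: {owner_name: [address, ...]}} taken from A/AAAA records.
    reverse_zones: {zone: {relative_name: [ptr_target, ...]}} as currently stored.
    adds: (reverse_zone, relative_name, target) for every PTR that is missing.
    unmanaged: addresses whose reverse zone IPA does not serve; nothing can be
    added locally, they need delegation or forwarding on the other side.
    """
    adds, unmanaged = [], []
    for fzone, owners in forward_zones.items():
        fz = fzone if fzone.endswith(".") else fzone + "."
        for owner, addresses in owners.items():
            target = fz if owner == "@" else "%s.%s" % (owner, fz)
            for ip in addresses:
                rz = reverse_zone_for(ip, reverse_zones)
                if rz is None:
                    unmanaged.append(ip)
                    continue
                # strip ".<zone>" to get the owner name relative to the reverse zone
                rel = reverse_name(ip)[: -(len(rz) + 1)]
                if target not in reverse_zones[rz].get(rel, []):
                    adds.append((rz, rel, target))
    return adds, unmanaged


def ipa_commands(adds):
    """ipa CLI calls that would create the planned records (review before running)."""
    return ["ipa dnsrecord-add %s %s --ptr-rec=%s" % add for add in adds]


# Constructed sample data in the shape of `ipa dnsrecord-find <zone>` output.
FORWARD = {
    "mydom.com.": {
        "@": ["10.14.0.1"],
        "services": ["10.14.0.5"],
        "client1": ["10.14.0.11"],
        "web": ["10.14.1.20"],
        "ext": ["192.0.2.10"],
    }
}
REVERSE = {
    "0.14.10.in-addr.arpa.": {"5": ["services.mydom.com."]},  # already in sync
    "14.10.in-addr.arpa.": {},  # wider zone, used only where no /24 zone exists
}

if __name__ == "__main__":
    adds, unmanaged = plan_ptr_backfill(FORWARD, REVERSE)
    print("\n".join(ipa_commands(adds)))
    print("no managed reverse zone for:", unmanaged)
```

In practice the two dicts would be filled from `ipa dnsrecord-find` on each forward and reverse zone, and the printed commands reviewed before being run with admin credentials.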



Re: [Freeipa-users] reverse lookup dns records in trust setup

2015-07-14 Thread John Stein
I ran the above commands exactly as I told you on the IPA server. I also
set the IPA server as a global forwarder in the AD.

On Wed, Jul 8, 2015, 12:50 Petr Spacek  wrote:

> On 5.7.2015 08:38, John Stein wrote:
> > Hi,
> >
> > I ran these commands in the IdM server
> >
> > $ ipa dnszone-mod 2.0.192.in-addr.arpa. --update-policy='grant JOHN.COM
> > krb5-self * PTR; grant LINUX.JOHN.COM krb5-self * PTR;'
> > $ ipa dnszone-mod 2.0.192.in-addr.arpa. --dynamic-update=1
> >
> > At the Active Directory I have A and PTR records for the IdM server and
> it
> > is configured as a global forwarder.
> > At the IdM server there are A and PTR records for both the IdM server and
> > another client.
> > However this setup does not work.
> > From the IdM and linux client every record is resolvable, however from
> the
> > AD only the IdM is resolvable and the client is not.
> >
> > Maybe there's another thing I need to configure in the AD in order to
> > enable forwarding that I'm missing?
>
> I'm not sure I understand you.
>
> A zone should be configured only on one server (or set of synchronized
> servers).
>
> Could you tell us exactly what (using what commands or GUI in IPA and AD)
> you configured?
>
> It would be good if you did not obfuscate DNS names in the steps because
> the
> obfuscation often hides the real cause of problem :-)
>
> Have a nice day!
>
> Petr^2 Spacek
>
>
> > Thank you very much,
> > John
> >
> > On Mon, Jun 29, 2015 at 4:52 PM Petr Spacek  wrote:
> >
> >> On 29.6.2015 13:57, John Stein wrote:
> >>> Hi,
> >>>
> >>> I have an AD and IdM server.
> >>> AD domain - john.com
> >>> IdM domain - linux.john.com
> >>>
> >>> each spans multiple network segments, with some segments having both
> >> linux
> >>> and windows machines.
> >>>
> >>> the IdM is configured to forward DNS requests to AD (forward first),
> and
> >>> the AD is configured to forward requests in the linux.john.com domain
> to
> >>> the IdM.
> >>>
> >>> However, I'm having a problem regarding reverse lookup zones. Where
> >> should
> >>> they be so they can be accessed from both linux and windows machines?
> >>
> >> From DNS's point of view it does not matter, pick one side (AD or IPA)
> to
> >> host
> >> the reverse zone and configure delegation or forwarding on the other
> side.
> >> That is all you need if you are willing to update records manually.
> >>
> >>> If I put them in IdM, how will the AD know which requests to forward to
> >> the
> >>> IdM?
> >>
> >> Either properly configure delegation (if you have control over the
> parent
> >> zone) or add forwarder (only if you do not have control over parent
> zone -
> >> usual caveats for forwarding apply).
> >>
> >>> It seems to me that I need to somehow register them at the AD, so the A
> >>> record is in the IdM server and the PTR is in the AD. Is it possible to
> >> do
> >>> it automatically,
> >>
> >> "host/" principals from IPA Kerberos realm are generally not allowed to
> get
> >> tickets for AD realm so automatic update from IPA to AD is not possible.
> >>
> >> It might work the other way around (I did not test this):
> >> - Configure reverse zone in IPA
> >> - Configure delegation/forwarding in AD so all clients can properly
> resolve
> >> the reverse zone
> >> - Allow all clients to update their PTR records. Update policy like this
> >> might
> >> work:
> >> $ ipa dnszone-mod 2.0.192.in-addr.arpa. --update-policy='grant
> AD.EXAMPLE
> >> krb5-self * PTR; grant IPA.EXAMPLE krb5-self * PTR;'
> >> $ ipa dnszone-mod 2.0.192.in-addr.arpa. --dynamic-update=1
> >>
> >> I would like to hear from you if this works in your environment or not.
>

[Freeipa-users] FreeIPA Server Won't Start Up After ipactl restart

2015-07-14 Thread Sina Owolabi
Hi

Please, I would really need some help in troubleshooting one of my
domain servers on which I restarted the IPA services.
It's a CentOS 7.1 server running ipa-4.1.0


[root@dc01 ~]# ipactl start
Existing service file detected!
Assuming stale, cleaning and proceeding
Starting Directory Service
Failed to read data from service file: Failed to get list of dc to probe status!
Configured hostname 'dc01.mydom.com' does not match any master server in LDAP:
dc.mydom.com
dc02.mydom.com
dc01.mydom.com
dc01.mydom.com
Shutting down
[root@dc01 ~]#



Re: [Freeipa-users] Force IPA client Reverse Zone Dynamic Updates

2015-07-14 Thread Petr Spacek
On 14.7.2015 14:44, Sina Owolabi wrote:
> Thanks Petr.
> 
> Can I assume that any fresh client added to the IdM domain is going
> to have both its forward and reverse records populated?

Yes, as long as your configuration conforms with
https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/SyncPTR

Please let us know if you encounter any problems.

Petr^2 Spacek

> On Tue, Jul 14, 2015 at 1:10 PM, Petr Spacek  wrote:
>> On 14.7.2015 10:28, Sina Owolabi wrote:
>>> Thanks Martin
>>>
>>>
>>> The expanded command shows all the output. Curiously, I still don't
>>> see any reverse addresses yet except on the reverse domain for this
>>> primary zone. I've restarted the IPA servers in hopes of a Windows-y
>>> solution but it didn't help :-)
>>
>> SyncPTR does something only when the data change. I.e. it will do nothing if
>> your A/AAAA records are up to date (even if clients send update).
>>
>> I'm afraid that there is no pre-made tool to do the mass update, sorry. You
>> probably need to script something yourself.
>>
>> Petr^2 Spacek
>>
>>> output:
>>> ipa dnszone-show mydom.com --all
>>>   dn: idnsname=mydom.com.,cn=dns,dc=mydom,dc=com
>>>   Zone name: mydom.com.
>>>   Active zone: TRUE
>>>   Authoritative nameserver: dc.mydom.com.
>>>   Administrator e-mail address: hostmaster.mydom.com.
>>>   SOA serial: 1436861122
>>>   SOA refresh: 3600
>>>   SOA retry: 900
>>>   SOA expire: 1209600
>>>   SOA minimum: 3600
>>>   BIND update policy: grant mydom.COM krb5-self * A; grant mydom.COM
>>> krb5-self * AAAA; grant mydom.COM krb5-self * SSHFP;
>>>   Dynamic update: TRUE
>>>   Allow query: any;
>>>   Allow transfer: none;
>>>   Allow PTR sync: TRUE
>>>   arecord: pu.bl.ic.add
>>>   mxrecord: 0 mail.mydom.com.
>>>   nsrecord: dc02.mydom.com., dc01.mydom.com., dc.mydom.com.
>>>   objectclass: idnszone, top, idnsrecord
>>>
>>> On Tue, Jul 14, 2015 at 8:46 AM, Martin Basti  wrote:
>>>> On 13/07/15 19:58, Sina Owolabi wrote:
>>>>>
>>>>> Hi Martin
>>>>>
>>>>> Yes all my sssd configs are set ipa_dyndns_update = True
>>>>> I didn't have --allow-sync-ptr=TRUE in all the forward zones so I set
>>>>> them.
>>>>> I've tried to set it in the very first zone (setup during
>>>>> installation) but dnszone-mod complains:
>>>>>
>>>>> # ipa dnszone-mod mydom.com --allow-sync-ptr=TRUE --dynamic-update=TRUE
>>>>> ipa: ERROR: no modifications to be performed
>>>>>
>>>>> But I don't see it in the show command:
>>>>>
>>>>>   ipa dnszone-show mydom.com
>>>>>    Zone name: mydom.com.
>>>>>    Active zone: TRUE
>>>>>    Authoritative nameserver: services.mydom.com.
>>>>>    Administrator e-mail address: hostmaster.mydom.com.
>>>>>    SOA serial: 1436799166
>>>>>    SOA refresh: 3600
>>>>>    SOA retry: 900
>>>>>    SOA expire: 1209600
>>>>>    SOA minimum: 3600
>>>>>    Allow query: any;
>>>>>    Allow transfer: none;
>>>>
>>>> You must use option --all
>>>>
>>>> ipa dnszone-show mydom.com --all
>>>>
>>>>
>>>> Martin
>>>>
>>>>>
>>>>> On Mon, Jul 13, 2015 at 11:20 AM, Martin Basti  wrote:
>>>>>>
>>>>>> On 12/07/15 10:05, Sina Owolabi wrote:
>>>>>>>
>>>>>>> Hi
>>>>>>>
>>>>>>> I have several dns zones defined in IPA. I noticed recently that the
>>>>>>> zone files are empty. I find this odd because I created them like the
>>>>>>> example below.
>>>>>>> Is it possible to force clients to auto-update reverse zones?
>>>>>>>
>>>>>>> Thanks in advance!
>>>>>>>
>>>>>>> How I created all the zones:
>>>>>>>
>>>>>>>    ipa dnszone-add 0.14.10.in-addr.arpa. --minimum=3000
>>>>>>> --allow-sync-ptr=TRUE --dynamic-update
>>>>>>> Zone name: 0.14.10.in-addr.arpa.
>>>>>>> Active zone: TRUE
>>>>>>> Authoritative nameserver: services.ourdomain.com.
>>>>>>> Administrator e-mail address: hostmaster
>>>>>>> SOA serial: 1436688202
>>>>>>> SOA refresh: 3600
>>>>>>> SOA retry: 900
>>>>>>> SOA expire: 1209600
>>>>>>> SOA minimum: 3000
>>>>>>> BIND update policy: grant QRIOS.COM krb5-subdomain
>>>>>>> 0.14.10.in-addr.arpa. PTR;
>>>>>>> Dynamic update: TRUE
>>>>>>> Allow query: any;
>>>>>>> Allow transfer: none;
>>>>>>> Allow PTR sync: TRUE
>>>>>>>
>>>>>> Hello,
>>>>>>
>>>>>> do you have --allow-sync-ptr=True configured in zones where the
>>>>>> particular
>>>>>> A/AAAA records are?
>>>>>>
>>>>>> SSSD is able to update records.
>>>>>> Please check if "dyndns_update" is set to true in sssd.conf. (man
>>>>>> sssd-ipa)



Re: [Freeipa-users] Force IPA client Reverse Zone Dynamic Updates

2015-07-14 Thread Sina Owolabi
Thanks Petr.

Can I assume that any fresh client added to the IdM domain is going
to have both its forward and reverse records populated?

On Tue, Jul 14, 2015 at 1:10 PM, Petr Spacek  wrote:
> On 14.7.2015 10:28, Sina Owolabi wrote:
>> Thanks Martin
>>
>>
>> The expanded command shows all the output. Curiously, I still don't
>> see any reverse addresses yet except on the reverse domain for this
>> primary zone. I've restarted the IPA servers in hopes of a Windows-y
>> solution but it didn't help :-)
>
> SyncPTR does something only when the data change. I.e. it will do nothing if
> your A/AAAA records are up to date (even if clients send update).
>
> I'm afraid that there is no pre-made tool to do the mass update, sorry. You
> probably need to script something yourself.
>
> Petr^2 Spacek
>
>> output:
>> ipa dnszone-show mydom.com --all
>>   dn: idnsname=mydom.com.,cn=dns,dc=mydom,dc=com
>>   Zone name: mydom.com.
>>   Active zone: TRUE
>>   Authoritative nameserver: dc.mydom.com.
>>   Administrator e-mail address: hostmaster.mydom.com.
>>   SOA serial: 1436861122
>>   SOA refresh: 3600
>>   SOA retry: 900
>>   SOA expire: 1209600
>>   SOA minimum: 3600
>>   BIND update policy: grant mydom.COM krb5-self * A; grant mydom.COM
>> krb5-self * AAAA; grant mydom.COM krb5-self * SSHFP;
>>   Dynamic update: TRUE
>>   Allow query: any;
>>   Allow transfer: none;
>>   Allow PTR sync: TRUE
>>   arecord: pu.bl.ic.add
>>   mxrecord: 0 mail.mydom.com.
>>   nsrecord: dc02.mydom.com., dc01.mydom.com., dc.mydom.com.
>>   objectclass: idnszone, top, idnsrecord
>>
>> On Tue, Jul 14, 2015 at 8:46 AM, Martin Basti  wrote:
>>> On 13/07/15 19:58, Sina Owolabi wrote:
>>>>
>>>> Hi Martin
>>>>
>>>> Yes all my sssd configs are set ipa_dyndns_update = True
>>>> I didn't have --allow-sync-ptr=TRUE in all the forward zones so I set
>>>> them.
>>>> I've tried to set it in the very first zone (setup during
>>>> installation) but dnszone-mod complains:
>>>>
>>>> # ipa dnszone-mod mydom.com --allow-sync-ptr=TRUE --dynamic-update=TRUE
>>>> ipa: ERROR: no modifications to be performed
>>>>
>>>> But I don't see it in the show command:
>>>>
>>>>   ipa dnszone-show mydom.com
>>>>    Zone name: mydom.com.
>>>>    Active zone: TRUE
>>>>    Authoritative nameserver: services.mydom.com.
>>>>    Administrator e-mail address: hostmaster.mydom.com.
>>>>    SOA serial: 1436799166
>>>>    SOA refresh: 3600
>>>>    SOA retry: 900
>>>>    SOA expire: 1209600
>>>>    SOA minimum: 3600
>>>>    Allow query: any;
>>>>    Allow transfer: none;
>>>
>>> You must use option --all
>>>
>>> ipa dnszone-show mydom.com --all
>>>
>>>
>>> Martin
>>>
>>>>
>>>> On Mon, Jul 13, 2015 at 11:20 AM, Martin Basti  wrote:
>>>>>
>>>>> On 12/07/15 10:05, Sina Owolabi wrote:
>>>>>>
>>>>>> Hi
>>>>>>
>>>>>> I have several dns zones defined in IPA. I noticed recently that the
>>>>>> zone files are empty. I find this odd because I created them like the
>>>>>> example below.
>>>>>> Is it possible to force clients to auto-update reverse zones?
>>>>>>
>>>>>> Thanks in advance!
>>>>>>
>>>>>> How I created all the zones:
>>>>>>
>>>>>>    ipa dnszone-add 0.14.10.in-addr.arpa. --minimum=3000
>>>>>> --allow-sync-ptr=TRUE --dynamic-update
>>>>>> Zone name: 0.14.10.in-addr.arpa.
>>>>>> Active zone: TRUE
>>>>>> Authoritative nameserver: services.ourdomain.com.
>>>>>> Administrator e-mail address: hostmaster
>>>>>> SOA serial: 1436688202
>>>>>> SOA refresh: 3600
>>>>>> SOA retry: 900
>>>>>> SOA expire: 1209600
>>>>>> SOA minimum: 3000
>>>>>> BIND update policy: grant QRIOS.COM krb5-subdomain
>>>>>> 0.14.10.in-addr.arpa. PTR;
>>>>>> Dynamic update: TRUE
>>>>>> Allow query: any;
>>>>>> Allow transfer: none;
>>>>>> Allow PTR sync: TRUE
>>>>>>
>>>>> Hello,
>>>>>
>>>>> do you have --allow-sync-ptr=True configured in zones where the
>>>>> particular
>>>>> A/AAAA records are?
>>>>>
>>>>> SSSD is able to update records.
>>>>> Please check if "dyndns_update" is set to true in sssd.conf. (man
>>>>> sssd-ipa)
>>>>>


Re: [Freeipa-users] AD users not visible in FreeIPA mapped group

2015-07-14 Thread Angelo Pantano
I have the same entry there, my question is that I don't understand why it
doesn't give me any visibility of the AD users mapped in that group, I
mean I just see that entry, but what's that supposed to do? It doesn't
really change anything with or without, I am missing the supposed value of
having the AD users mapped in a FreeIPA posix group.

I was expecting to see the AD users in that group, but I got nothing.. I'm
a bit confused

On Mon, Jul 13, 2015 at 10:52 PM, Alexander Bokovoy 
wrote:

> On Mon, 13 Jul 2015, Angelo Pantano wrote:
>
>> I added the external groups to map my Domain Admins AD group like the
>> freeipa documentation suggests:
>>
>> # ipa group-add --desc='ad_domain admins external map' ad_admins_external
>> --external
>> # ipa group-add --desc='ad_domain admins' ad_admins
>> # ipa group-add-member ad_admins_external --external 'ad_netbios\Domain
>> Admins'
>> # ipa group-add-member ad_admins --groups ad_admins_external
>>
>> But I dont see any user in the web interface under ad_admins or
>> ad_admins_external. I thought that this would give us a view of the AD
>> users in FreeIPA, but I dont see any difference..
>> Am I missing something here?
>>
> Where did you look them?
>
> External members for ad_admins_external group would be under 'external'
> tab, like in the attached screenshot.
>
> --
> / Alexander Bokovoy
>

Re: [Freeipa-users] Force IPA client Reverse Zone Dynamic Updates

2015-07-14 Thread Petr Spacek
On 14.7.2015 10:28, Sina Owolabi wrote:
> Thanks Martin
> 
> 
> The expanded command shows all the output. Curiously, I still don't
> see any reverse addresses yet except on the reverse domain for this
> primary zone. I've restarted the IPA servers in hopes of a Windows-y
> solution but it didn't help :-)

SyncPTR does something only when the data change. I.e. it will do nothing if
your A/AAAA records are up to date (even if clients send update).

I'm afraid that there is no pre-made tool to do the mass update, sorry. You
probably need to script something yourself.

Petr^2 Spacek

> output:
> ipa dnszone-show mydom.com --all
>   dn: idnsname=mydom.com.,cn=dns,dc=mydom,dc=com
>   Zone name: mydom.com.
>   Active zone: TRUE
>   Authoritative nameserver: dc.mydom.com.
>   Administrator e-mail address: hostmaster.mydom.com.
>   SOA serial: 1436861122
>   SOA refresh: 3600
>   SOA retry: 900
>   SOA expire: 1209600
>   SOA minimum: 3600
>   BIND update policy: grant mydom.COM krb5-self * A; grant mydom.COM
> krb5-self * AAAA; grant mydom.COM krb5-self * SSHFP;
>   Dynamic update: TRUE
>   Allow query: any;
>   Allow transfer: none;
>   Allow PTR sync: TRUE
>   arecord: pu.bl.ic.add
>   mxrecord: 0 mail.mydom.com.
>   nsrecord: dc02.mydom.com., dc01.mydom.com., dc.mydom.com.
>   objectclass: idnszone, top, idnsrecord
> 
> On Tue, Jul 14, 2015 at 8:46 AM, Martin Basti  wrote:
>> On 13/07/15 19:58, Sina Owolabi wrote:
>>>
>>> Hi Martin
>>>
>>> Yes all my sssd configs are set ipa_dyndns_update = True
>>> I didn't have --allow-sync-ptr=TRUE in all the forward zones so I set
>>> them.
>>> I've tried to set it in the very first zone (setup during
>>> installation) but dnszone-mod complains:
>>>
>>> # ipa dnszone-mod mydom.com --allow-sync-ptr=TRUE --dynamic-update=TRUE
>>> ipa: ERROR: no modifications to be performed
>>>
>>> But I don't see it in the show command:
>>>
>>>   ipa dnszone-show mydom.com
>>>    Zone name: mydom.com.
>>>    Active zone: TRUE
>>>    Authoritative nameserver: services.mydom.com.
>>>    Administrator e-mail address: hostmaster.mydom.com.
>>>    SOA serial: 1436799166
>>>    SOA refresh: 3600
>>>    SOA retry: 900
>>>    SOA expire: 1209600
>>>    SOA minimum: 3600
>>>    Allow query: any;
>>>    Allow transfer: none;
>>
>> You must use option --all
>>
>> ipa dnszone-show mydom.com --all
>>
>>
>> Martin
>>
>>>
>>> On Mon, Jul 13, 2015 at 11:20 AM, Martin Basti  wrote:
>>>>
>>>> On 12/07/15 10:05, Sina Owolabi wrote:
>>>>>
>>>>> Hi
>>>>>
>>>>> I have several dns zones defined in IPA. I noticed recently that the
>>>>> zone files are empty. I find this odd because I created them like the
>>>>> example below.
>>>>> Is it possible to force clients to auto-update reverse zones?
>>>>>
>>>>> Thanks in advance!
>>>>>
>>>>> How I created all the zones:
>>>>>
>>>>>    ipa dnszone-add 0.14.10.in-addr.arpa. --minimum=3000
>>>>> --allow-sync-ptr=TRUE --dynamic-update
>>>>> Zone name: 0.14.10.in-addr.arpa.
>>>>> Active zone: TRUE
>>>>> Authoritative nameserver: services.ourdomain.com.
>>>>> Administrator e-mail address: hostmaster
>>>>> SOA serial: 1436688202
>>>>> SOA refresh: 3600
>>>>> SOA retry: 900
>>>>> SOA expire: 1209600
>>>>> SOA minimum: 3000
>>>>> BIND update policy: grant QRIOS.COM krb5-subdomain
>>>>> 0.14.10.in-addr.arpa. PTR;
>>>>> Dynamic update: TRUE
>>>>> Allow query: any;
>>>>> Allow transfer: none;
>>>>> Allow PTR sync: TRUE
>>>>>
>>>> Hello,
>>>>
>>>> do you have --allow-sync-ptr=True configured in zones where the
>>>> particular
>>>> A/AAAA records are?
>>>>
>>>> SSSD is able to update records.
>>>> Please check if "dyndns_update" is set to true in sssd.conf. (man
>>>> sssd-ipa)


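Petr says twice in this thread (in his reply above and in the earlier one it quotes) that SyncPTR only acts when an A record changes, so existing records never get a PTR and there is no pre-made tool for the mass update. The script below is an added example written for this page; it is not code from the thread or from the FreeIPA project. It plans the one-off back-fill: for each "fqdn address" pair it works out the reverse owner name, picks the longest reverse zone IPA hosts that contains it, and prints the `ipa dnsrecord-add ... --ptr-rec` command to run. The host names, addresses and zone names in the demo are constructed; in practice feed it the A records from `ipa dnsrecord-find` on your forward zone, reshaped into "fqdn address" lines, and the reverse zones from `ipa dnszone-find`. IPv4 only.

```shell
#!/bin/sh
# Added example (not from the thread or the FreeIPA project): plan the PTR
# back-fill that SyncPTR will not do for records that already exist.

# 10.14.0.7 -> 7.0.14.10.in-addr.arpa.  Fails on anything but a dotted quad.
reverse_name() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    set -- $(printf '%s\n' "$1" | tr . ' ')
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "$o" -le 255 ] || return 1
    done
    printf '%s.%s.%s.%s.in-addr.arpa.\n' "$4" "$3" "$2" "$1"
}

# Longest reverse zone in $2 (space separated, trailing dots) containing the
# reverse name $1.  Prints "zone owner", e.g. "0.14.10.in-addr.arpa. 7";
# fails when IPA hosts no matching zone (bind-dyndb-ldap picks the most
# specific zone the same way).
split_reverse() {
    rname=$1
    best=''
    for z in $2; do
        case $rname in
            *".$z") [ ${#z} -gt ${#best} ] && best=$z ;;
        esac
    done
    [ -n "$best" ] || return 1
    printf '%s %s\n' "$best" "${rname%".$best"}"
}

# "fqdn address" lines on stdin -> one ipa dnsrecord-add per address whose
# reverse zone is in $1.  Skipped lines go to stderr so nothing is dropped
# silently.
plan_ptr_updates() {
    zones=$1
    while read -r fqdn ip; do
        [ -n "$fqdn" ] || continue
        case $fqdn in *.) ;; *) fqdn="$fqdn." ;; esac   # PTR targets are FQDNs
        if ! rname=$(reverse_name "$ip"); then
            echo "skip $fqdn: not an IPv4 address: $ip" >&2
            continue
        fi
        if out=$(split_reverse "$rname" "$zones"); then
            set -- $out
            printf 'ipa dnsrecord-add %s %s --ptr-rec=%s\n' "$1" "$2" "$fqdn"
        else
            echo "skip $fqdn: no reverse zone in IPA for $ip" >&2
        fi
    done
}

# Constructed sample data: two reverse zones, one host that falls in the
# more specific zone, one in the broader zone, one with no zone at all.
demo() {
    printf '%s\n' \
        'host1.mydom.com 10.14.0.7' \
        'host2.mydom.com 10.14.1.9' \
        'dc.mydom.com 192.0.2.10' |
    plan_ptr_updates '14.10.in-addr.arpa. 0.14.10.in-addr.arpa.'
}

demo
```

The output is a list of commands to review and then pipe into `sh`. `ipa dnsrecord-add` appends a value to the PTR record set, so running the plan twice, or against an owner that already has a PTR, leaves duplicate or conflicting PTRs; check with `ipa dnsrecord-find` on the reverse zone first. Once the back-fill is done, the `krb5-self * PTR` update policy plus `--allow-sync-ptr=TRUE` on the forward zone keeps new hosts in sync, which is the part the thread already covers.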

Re: [Freeipa-users] ns-slapd high cpu usage

2015-07-14 Thread Ludwig Krispenz


On 07/13/2015 06:36 PM, Andrew E. Bruno wrote:

On Mon, Jul 13, 2015 at 05:29:13PM +0200, Ludwig Krispenz wrote:

On 07/13/2015 05:05 PM, Andrew E. Bruno wrote:

On Mon, Jul 13, 2015 at 04:58:46PM +0200, Ludwig Krispenz wrote:

can you get a pstack of the slapd process along with a top -H to find the
thread with high cpu usage

Attached is the full stacktrace of the running ns-slapd proccess. top -H
shows this thread (2879) with high cpu usage:

2879 dirsrv    20   0 3819252 1.962g  11680 R 99.9  3.1   8822:10 ns-slapd

this thread is a replication thread sending updates, what is strange is that
the current csn_str is quite old (july, 7th), I can't tell which agreement
this thread is handling, but looks like it is heavily reading the changelog
and sending updates. anything changed recently in replication setup ?


Yes, we had one replica fail on (6/19) which we removed (not this one
showing high CPU load). Had to perform some manual cleanup of the ipa-ca
RUVs. Then we added the replica back in on 7/1. Since then, replication
appears to have been running normally between the 3 replicas. We've been
monitoring utilization since 7/1 and only recently seen this spike (past
24 hours or so).

is it still in this state ? or was it a spike.

if it still is high cpu consuming, could you
- get a few pstack like the one before with some time in between, I 
would like to see if it is progressing with the csns or looping on the 
same one
- check the consumer side. is there anything in the error log ? does the 
access log show replication activity from this server

- eventually enable replication logging: nsslapd-errorlog-level: 8192
  


On a side note, we get hit with this bug often:

https://www.redhat.com/archives/freeipa-users/2015-July/msg00018.html

(rogue sssd_be process hammering a replica).

This causes high ns-slapd utilization on the replica and restarting sssd
on the client host immediately fixes the issue. However, in this
case, we're not seeing this behavior.










On 07/13/2015 04:46 PM, Andrew E. Bruno wrote:

We have 3 freeipa-replicas. Centos 7.1.1503, ipa-server 4.1.0-18, and
389-ds 1.3.3.1-16.

Recently, the ns-slapd process on one of our replicas started showing higher
than normal CPU usage. ns-slapd is pegged at high CPU usage more or less
constantly.

Seems very similar to this thread:
https://www.redhat.com/archives/freeipa-users/2015-February/msg00281.html

There are a few errors showing in /var/log/dirsrv/slapd-[domain]/errors (not
sure if these are related):


[13/Jul/2015:02:56:49 -0400] retrocl-plugin - retrocl_postob: operation failure 
[1]
[13/Jul/2015:04:11:50 -0400] - dn2entry_ext: Failed to get id for 
changenumber=2277387,cn=changelog from entryrdn index (-30993)
[13/Jul/2015:04:11:50 -0400] - Operation error fetching 
changenumber=2277387,cn=changelog (null), error -30993.
[13/Jul/2015:04:11:50 -0400] DSRetroclPlugin - replog: an error occured while 
adding change number 2277387, dn = changenumber=2277387,cn=changelog: 
Operations error.
[13/Jul/2015:04:11:50 -0400] retrocl-plugin - retrocl_postob: operation failure 
[1]
[13/Jul/2015:07:41:49 -0400] - Operation error fetching Null DN 
(01de36ac-295411e5-b94db2ab-07afbca6), error -30993.
[13/Jul/2015:07:41:49 -0400] - dn2entry_ext: Failed to get id for 
changenumber=2281464,cn=changelog from entryrdn index (-30993)
[13/Jul/2015:07:41:49 -0400] - Operation error fetching 
changenumber=2281464,cn=changelog (null), error -30993.
[13/Jul/2015:07:41:49 -0400] DSRetroclPlugin - replog: an error occured while 
adding change number 2281464, dn = changenumber=2281464,cn=changelog: 
Operations error.
[13/Jul/2015:07:41:49 -0400] retrocl-plugin - retrocl_postob: operation failure 
[1]


access logs seem to be showing normal activity. Here's the number of open
connections:

# ls -al /proc/`cat /var/run/dirsrv/slapd-[domain].pid`/fd|grep socket|wc -l
62

Note: the other two replicas have much higher open connections (>250) and low
cpu load avgs.

Here's some output of logconv.pl from our most recent access log on the replica
with high cpu load:

Start of Logs:    13/Jul/2015:04:49:18
End of Logs:      13/Jul/2015:10:06:11

Processed Log Time:  5 Hours, 16 Minutes, 53 Seconds

Restarts:                     0
Total Connections:            2343
 - LDAP Connections:          2120
 - LDAPI Connections:         223
 - LDAPS Connections:         0
 - StartTLS Extended Ops:     45
 Secure Protocol Versions:
  - TLS1.2 128-bit AES - 45

Peak Concurrent Connections:  22
Total Operations:             111865
Total Results:                111034
Overall Performance:          99.3%

Searches:                     95585     (5.03/sec)  (301.64/min)
Modifications:                3369      (0.18/sec)  (10.63/min)
Adds:                         0         (0.00/sec)  (0.00/min)
Deletes:                      0         (0.00/sec)  (0.00/min)
Mod RDNs:                     0         (0.00/sec)  (0.00/min)
Compares:                     0

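Ludwig's first ask above is to take a few pstacks some minutes apart and see whether the replication thread's csn_str is moving or stuck on one CSN. The helper below is an added example written for this page, not code from the thread or from 389-ds. It relies on the CSN string format 389-ds uses: 20 hex digits, 8 for the unix timestamp, 4 for the sequence number, 4 for the replica id and 4 for the sub-sequence number, so two CSNs of equal length compare in time order as plain strings. The stack dumps at the end are constructed (the assumption is that pstack/gdb printed the CSN text next to the `csn_str` pointer, as it does when string arguments are shown); the file names are only for the demo.

```shell
#!/bin/sh
# Added example (not from the thread or from 389-ds): decode the csn_str
# values in consecutive ns-slapd stack dumps and report whether the
# replication thread is advancing through the changelog or looping.
export LC_ALL=C   # byte-wise sort so hex strings order numerically

# Unix timestamp encoded in the first 8 hex digits of a 20-digit CSN.
csn_time() {
    [ ${#1} -eq 20 ] || return 1
    echo $(( 0x$(printf '%s' "$1" | cut -c1-8) ))
}

# Replica id (the "replica N" you see in nsds50ruv) in hex digits 13-16.
csn_rid() {
    [ ${#1} -eq 20 ] || return 1
    echo $(( 0x$(printf '%s' "$1" | cut -c13-16) ))
}

# Distinct CSN strings in a stack dump read from stdin, oldest first.
extract_csns() {
    grep -oE '"[0-9a-f]{20}"' | tr -d '"' | sort -u
}

# True when CSN $2 is strictly newer than CSN $1.
csn_after() {
    [ "$1" != "$2" ] &&
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort | tail -n 1)" = "$2" ]
}

# Compare the newest CSN in two dumps ($1 taken before $2).  Prints each
# CSN with its replica id and age in days, then "advancing" (exit 0) or
# "stuck on ..." (exit 1); exit 2 when a dump contains no CSN text.
csn_progress() {
    a=$(extract_csns < "$1" | tail -n 1)
    b=$(extract_csns < "$2" | tail -n 1)
    if [ -z "$a" ] || [ -z "$b" ]; then
        echo "no CSN string found in $1 or $2 (dump with string arguments shown)" >&2
        return 2
    fi
    now=$(date +%s)
    for c in "$a" "$b"; do
        printf 'csn %s  replica id %s  age %s days\n' "$c" "$(csn_rid "$c")" \
            "$(( (now - $(csn_time "$c")) / 86400 ))"
    done
    if csn_after "$a" "$b"; then
        echo advancing
    else
        echo "stuck on $a"
        return 1
    fi
}

# Constructed sample dumps, not real pstack output; the second one shows
# the thread a few CSNs further along.
demo_dir=$(mktemp -d)
cat > "$demo_dir/pstack.1" <<'EOF'
#3  0x00007f3c12345678 in replay_update (csn_str=0x7f3c00012000 "55a24ce1000100030000") at repl5_inc_protocol.c:1234
EOF
cat > "$demo_dir/pstack.2" <<'EOF'
#3  0x00007f3c12345678 in replay_update (csn_str=0x7f3c00012000 "55a3a1f2000200030000") at repl5_inc_protocol.c:1234
EOF
csn_progress "$demo_dir/pstack.1" "$demo_dir/pstack.2"
rm -rf "$demo_dir"
```

Take the samples with something like `pstack $(pidof ns-slapd) > pstack.$(date +%s)` a few minutes apart and feed two of them to `csn_progress`. A CSN that is days old and does not move between samples is the looping case Ludwig describes; a CSN that moves but stays days behind means the consumer is genuinely that far behind and the consumer's access log and `nsslapd-errorlog-level: 8192` replication logging are the next thing to look at. Replica ids can be matched against the `{replica N ...}` entries in the masters' nsds50ruv.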
Re: [Freeipa-users] Primary certificates

2015-07-14 Thread David Kupka

On 13/07/15 16:05, Janelle wrote:

Good morning,

I was wondering, I install my servers with the self-signed certs. Now my
management wants me to use official certificates. Is there an
easy/recommended way to swap out all the certificates on all the
servers? Especially with 16 servers, just trying to figure out if this
is something I could script with PSSH or similar in order to do them all
at once. Does it matter the order?

Thank you
~Janelle



Hello!

Yes, there is an easy way:
1. Run "ipa-cacert-manage renew --external-ca" on one of the CA masters 
(the first ipa-server installed or any replica installed with --setup-ca).

This will generate a CSR you need to get signed by your CA.

2. Then run "ipa-cacert-manage renew --external-cert-file certificate> --external-cert-file "

This will update the IPA CA certificate in LDAP.

3. Then you need to run "ipa-certupdate" on all ipa servers and clients 
to distribute the new certificate.


--
David Kupka



Re: [Freeipa-users] freeipa and User Private Groups

2015-07-14 Thread Jakub Hrozek
On Tue, Jul 14, 2015 at 09:01:54AM +0000, Les Stott wrote:
> Jakub,
> 
> Thanks for the follow up.
> 
> We try and stick to standard rhel/epel repos (due to policy) so I am not 
> able to install a non-standard version of sssd.

OK, please note that pretty much the same version will come to 6.7 in a
couple of days.

> 
> I have decided to disable the User Private Group plugin and convert ipausers 
> to a posix group. There was nothing I could see that required us to use 
> UPG's. This setup is working for me now.

The drawback might be that ipausers would get really large over time and
resolving the large group including the members would take a long time.

> 
> Thanks,
> 
> Les
> 
> > -Original Message-
> > From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-
> > boun...@redhat.com] On Behalf Of Jakub Hrozek
> > Sent: Tuesday, 14 July 2015 6:42 PM
> > To: freeipa-users@redhat.com
> > Subject: Re: [Freeipa-users] freeipa and User Private Groups
> > 
> > On Mon, Jul 13, 2015 at 09:11:09AM +0000, Les Stott wrote:
> > > Hi All,
> > >
> > > Running ipa-3.0.0-42.el6 and sssd-1.11.6-30.el6_6.3.x86_64
> > >
> > > So, by default, when you create a user in freeipa, That user will be set 
> > > to
> > have a primary group that is hidden and not a POSIX group.
> > >
> > > This means that when the user logs in to a host, they will see something
> > like...
> > >
> > > id: cannot find name for group ID 
> > 
> > It is not expected to not be able to return the name of the user group and I
> > don't see that in my setup. I was suspecting rhbz#1165074 but your sssd
> > should already have that bug fixed.
> > 
> > Can you see if the packages from
> > https://copr.fedoraproject.org/coprs/lslebodn/sssd-1-12/
> > also show that behaviour?
> > 
> > If yes, can you get us sssd logs as described here:
> > https://fedorahosted.org/sssd/wiki/Troubleshooting
> > 
> > >
> > > running the id command shows no name returned for this group.
> > >
> > > I understand you can disable private groups globally, however it is
> > discouraged. I also realise you can simply create POSIX groups when creating
> > users.
> > >
> > > In the spirit of trying to stick with the defaults
> > >
> > > Is there a way to avoid the login error where id can't retrieve the group
> > name from a UPG?
> > >
> > > Thanks,
> > >
> > > Les
> > >
> > 


Re: [Freeipa-users] freeipa and User Private Groups

2015-07-14 Thread Les Stott
Jakub,

Thanks for the follow up.

We try and stick to standard rhel/epel repo's (due to policy) so I am not able 
to install a non-standard version of sssd.

I have decided to disable the User Private Group plugin and convert ipausers to 
a posix group. There was nothing I could see that required us to use UPG's. 
This setup is working for me now.

Thanks,

Les

> -Original Message-
> From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-
> boun...@redhat.com] On Behalf Of Jakub Hrozek
> Sent: Tuesday, 14 July 2015 6:42 PM
> To: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] freeipa and User Private Groups
> 
> On Mon, Jul 13, 2015 at 09:11:09AM +0000, Les Stott wrote:
> > Hi All,
> >
> > Running ipa-3.0.0-42.el6 and sssd-1.11.6-30.el6_6.3.x86_64
> >
> > So, by default, when you create a user in freeipa, That user will be set to
> have a primary group that is hidden and not a POSIX group.
> >
> > This means that when the user logs in to a host, they will see something
> like...
> >
> > id: cannot find name for group ID 
> 
> It is not expected to not be able to return the name of the user group and I
> don't see that in my setup. I was suspecting rhbz#1165074 but your sssd
> should already have that bug fixed.
> 
> Can you see if the packages from
> https://copr.fedoraproject.org/coprs/lslebodn/sssd-1-12/
> also show that behaviour?
> 
> If yes, can you get us sssd logs as described here:
> https://fedorahosted.org/sssd/wiki/Troubleshooting
> 
> >
> > running the id command shows no name returned for this group.
> >
> > I understand you can disable private groups globally, however it is
> discouraged. I also realise you can simply create POSIX groups when creating
> users.
> >
> > In the spirit of trying to stick with the defaults
> >
> > Is there a way to avoid the login error where id can't retrieve the group
> name from a UPG?
> >
> > Thanks,
> >
> > Les
> >
> 


Re: [Freeipa-users] AD users not visible in FreeIPA mapped group

2015-07-14 Thread Jan Pazdziora
On Tue, Jul 14, 2015 at 11:06:20AM +0300, Alexander Bokovoy wrote:
> On Tue, 14 Jul 2015, Jan Pazdziora wrote:
> >
> >Would it make sense to have a way of running the SSSD evaluation from
> >the WebUI and showing the results there? Clearly distinguished from
> >the LDAP data, yet exposed in the WebUI ...
> Definitely not here. We have checks for HBAC rules with AD users that
> explicitly take external group membership into account already.
> 
> Resolving AD group membership is time-consuming operation and adding it
> into a normal path is going to slow down everything.

Sure. So how about separate tab, which could also ask for confirmation
if the user wants to run the enumeration?

-- 
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat



Re: [Freeipa-users] ipa client on ubuntu and sudo rules

2015-07-14 Thread Jakub Hrozek
On Mon, Jul 13, 2015 at 05:57:39PM +0200, Lukas Slebodnik wrote:
> On (13/07/15 14:49), Karl Forner wrote:
> >For reference:
> >I could not make the sudo rules work on ubuntu 12.04, I tried many many things.
> >
> Ahh,
> Default version of sssd in ubuntu 12.04 is 1.8.2
> http://packages.ubuntu.com/precise/sssd
> it's better to use newer version which contains fixes for sudo.

When Lukas says "fixes" he means "completely rewritten from scratch" :-)

> I would suggest at least the latest 1.9.

Yes please, 1.8 is too old.

> 
> But there is another problem.
> The default version of sudo in ubuntu 12.04 (1.8.3p1) does not contain sssd
> support.
> http://packages.ubuntu.com/precise/sudo.
> 
> The support for sssd in sudo code was added in upstream sudo 1.8.6
> http://www.sudo.ws/stable.html#1.8.6
> 
> LS
> 


Re: [Freeipa-users] freeipa and User Private Groups

2015-07-14 Thread Jakub Hrozek
On Mon, Jul 13, 2015 at 09:11:09AM +0000, Les Stott wrote:
> Hi All,
> 
> Running ipa-3.0.0-42.el6 and sssd-1.11.6-30.el6_6.3.x86_64
> 
> So, by default, when you create a user in freeipa, That user will be set to 
> have a primary group that is hidden and not a POSIX group.
> 
> This means that when the user logs in to a host, they will see something 
> like...
> 
> id: cannot find name for group ID 

It is not expected to not be able to return the name of the user group
and I don't see that in my setup. I was suspecting rhbz#1165074 but your
sssd should already have that bug fixed.

Can you see if the packages from
https://copr.fedoraproject.org/coprs/lslebodn/sssd-1-12/
also show that behaviour?

If yes, can you get us sssd logs as described here:
https://fedorahosted.org/sssd/wiki/Troubleshooting

> 
> running the id command shows no name returned for this group.
> 
> I understand you can disable private groups globally, however it is 
> discouraged. I also realise you can simply create POSIX groups when creating 
> users.
> 
> In the spirit of trying to stick with the defaults
> 
> Is there a way to avoid the login error where id can't retrieve the group 
> name from a UPG?
> 
> Thanks,
> 
> Les
> 




Re: [Freeipa-users] Force IPA client Reverse Zone Dynamic Updates

2015-07-14 Thread Sina Owolabi
Thanks Martin


The expanded command shows all the output. Curiously, I still don't
see any reverse addresses yet except on the reverse domain for this
primary zone. I've restarted the IPA servers in hopes of a Windows-y
solution but it didn't help :-)

output:
ipa dnszone-show mydom.com --all
  dn: idnsname=mydom.com.,cn=dns,dc=mydom,dc=com
  Zone name: mydom.com.
  Active zone: TRUE
  Authoritative nameserver: dc.mydom.com.
  Administrator e-mail address: hostmaster.mydom.com.
  SOA serial: 1436861122
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  BIND update policy: grant mydom.COM krb5-self * A; grant mydom.COM
krb5-self * AAAA; grant mydom.COM krb5-self * SSHFP;
  Dynamic update: TRUE
  Allow query: any;
  Allow transfer: none;
  Allow PTR sync: TRUE
  arecord: pu.bl.ic.add
  mxrecord: 0 mail.mydom.com.
  nsrecord: dc02.mydom.com., dc01.mydom.com., dc.mydom.com.
  objectclass: idnszone, top, idnsrecord

On Tue, Jul 14, 2015 at 8:46 AM, Martin Basti  wrote:
> On 13/07/15 19:58, Sina Owolabi wrote:
>>
>> Hi Martin
>>
>> Yes all my sssd configs are set ipa_dyndns_update = True
>> I didn't have --allow-sync-ptr=TRUE in all the forward zones so I set
>> them.
>> I've tried to set it in the very first zone (setup during
>> installation) but dnszone-mod complains:
>>
>> # ipa dnszone-mod mydom.com --allow-sync-ptr=TRUE --dynamic-update=TRUE
>> ipa: ERROR: no modifications to be performed
>>
>> But I don't see it in the show command:
>>
>>   ipa dnszone-show mydom.com
>>Zone name: mydom.com.
>>Active zone: TRUE
>>Authoritative nameserver: services.mydom.com.
>>Administrator e-mail address: hostmaster.mydom.com.
>>SOA serial: 1436799166
>>SOA refresh: 3600
>>SOA retry: 900
>>SOA expire: 1209600
>>SOA minimum: 3600
>>Allow query: any;
>>Allow transfer: none;
>
> You must use option --all
>
> ipa dnszone-show mydom.com --all
>
>
> Martin
>
>>
>> On Mon, Jul 13, 2015 at 11:20 AM, Martin Basti  wrote:
>>>
>>> On 12/07/15 10:05, Sina Owolabi wrote:

 Hi

 I have several dns zones defined in IPA. I noticed recently that the
 zone files are empty. I find this odd because I created them like the
 example below.
 Is it possible to force clients to auto-update reverse zones?

 Thanks in advance!

 How I created all the zones:

ipa dnszone-add 0.14.10.in-addr.arpa. --minimum=3000
 --allow-sync-ptr=TRUE --dynamic-update
 Zone name: 0.14.10.in-addr.arpa.
 Active zone: TRUE
 Authoritative nameserver: services.ourdomain.com.
 Administrator e-mail address: hostmaster
 SOA serial: 1436688202
 SOA refresh: 3600
 SOA retry: 900
 SOA expire: 1209600
 SOA minimum: 3000
 BIND update policy: grant QRIOS.COM krb5-subdomain
 0.14.10.in-addr.arpa. PTR;
 Dynamic update: TRUE
 Allow query: any;
 Allow transfer: none;
 Allow PTR sync: TRUE

>>> Hello,
>>>
>>> do you have --allow-sync-ptr=True configured in zones where the
>>> particular
>>> A/AAAA records are?
>>>
>>> SSSD is able to update records.
>>> Please check if "dyndns_update" is set to true in sssd.conf. (man
>>> sssd-ipa)
>>>
>>> --
>>> Martin Basti
>>>
>
>
> --
> Martin Basti
>



Re: [Freeipa-users] AD users not visible in FreeIPA mapped group

2015-07-14 Thread Alexander Bokovoy

On Tue, 14 Jul 2015, Jan Pazdziora wrote:
> On Tue, Jul 14, 2015 at 09:46:00AM +0300, Alexander Bokovoy wrote:
> > adm...@adx.test),1878600513(domain us...@adx.test),163447(ad_admins)
> > 
> > You wouldn't see this in the web UI because web UI is showing what is in
> > the LDAP, not what is visible in the system when SSSD evaluates the
> > group membership.
> 
> Would it make sense to have a way of running the SSSD evaluation from
> the WebUI and showing the results there? Clearly distinguished from
> the LDAP data, yet exposed in the WebUI ...

Definitely not here. We have checks for HBAC rules with AD users that
explicitly take external group membership into account already.

Resolving AD group membership is a time-consuming operation and adding it
into a normal path is going to slow down everything.

--
/ Alexander Bokovoy



Re: [Freeipa-users] AD users not visible in FreeIPA mapped group

2015-07-14 Thread Jan Pazdziora
On Tue, Jul 14, 2015 at 09:46:00AM +0300, Alexander Bokovoy wrote:
> adm...@adx.test),1878600513(domain us...@adx.test),163447(ad_admins)
> 
> You wouldn't see this in the web UI because web UI is showing what is in
> the LDAP, not what is visible in the system when SSSD evaluates the
> group membership.

Would it make sense to have a way of running the SSSD evaluation from
the WebUI and showing the results there? Clearly distinguished from
the LDAP data, yet exposed in the WebUI ...

-- 
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat



Re: [Freeipa-users] Force IPA client Reverse Zone Dynamic Updates

2015-07-14 Thread Martin Basti

On 13/07/15 19:58, Sina Owolabi wrote:
> Hi Martin
> 
> Yes all my sssd configs are set ipa_dyndns_update = True
> I didn't have --allow-sync-ptr=TRUE in all the forward zones so I set them.
> I've tried to set it in the very first zone (setup during
> installation) but dnszone-mod complains:
> 
> # ipa dnszone-mod mydom.com --allow-sync-ptr=TRUE --dynamic-update=TRUE
> ipa: ERROR: no modifications to be performed
> 
> But I don't see it in the show command:
> 
>   ipa dnszone-show mydom.com
>    Zone name: mydom.com.
>    Active zone: TRUE
>    Authoritative nameserver: services.mydom.com.
>    Administrator e-mail address: hostmaster.mydom.com.
>    SOA serial: 1436799166
>    SOA refresh: 3600
>    SOA retry: 900
>    SOA expire: 1209600
>    SOA minimum: 3600
>    Allow query: any;
>    Allow transfer: none;

You must use option --all

ipa dnszone-show mydom.com --all


Martin

> On Mon, Jul 13, 2015 at 11:20 AM, Martin Basti  wrote:
>> On 12/07/15 10:05, Sina Owolabi wrote:
>>> Hi
>>> 
>>> I have several dns zones defined in IPA. I noticed recently that the
>>> zone files are empty. I find this odd because I created them like the
>>> example below.
>>> Is it possible to force clients to auto-update reverse zones?
>>> 
>>> Thanks in advance!
>>> 
>>> How I created all the zones:
>>> 
>>>    ipa dnszone-add 0.14.10.in-addr.arpa. --minimum=3000
>>> --allow-sync-ptr=TRUE --dynamic-update
>>> Zone name: 0.14.10.in-addr.arpa.
>>> Active zone: TRUE
>>> Authoritative nameserver: services.ourdomain.com.
>>> Administrator e-mail address: hostmaster
>>> SOA serial: 1436688202
>>> SOA refresh: 3600
>>> SOA retry: 900
>>> SOA expire: 1209600
>>> SOA minimum: 3000
>>> BIND update policy: grant QRIOS.COM krb5-subdomain
>>> 0.14.10.in-addr.arpa. PTR;
>>> Dynamic update: TRUE
>>> Allow query: any;
>>> Allow transfer: none;
>>> Allow PTR sync: TRUE
>> 
>> Hello,
>> 
>> do you have --allow-sync-ptr=True configured in zones where the particular
>> A/AAAA records are?
>> 
>> SSSD is able to update records.
>> Please check if "dyndns_update" is set to true in sssd.conf. (man sssd-ipa)
>> 
>> --
>> Martin Basti




--
Martin Basti

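
The two "Force IPA client Reverse Zone Dynamic Updates" messages above (Martin Basti's advice and Sina Owolabi's `--all` output) amount to a checklist: the forward zone needs Dynamic update and Allow PTR sync, its BIND update policy must let the host write its own A/AAAA record, a reverse zone covering the address must exist on the IPA server, and sssd.conf must turn dynamic updates on. The script below is an added example, not FreeIPA project code and not from anyone in the thread. It parses the "Key: value" text that `ipa dnszone-show ZONE --all` prints, plus an sssd.conf, and reports which of those conditions a given client address fails. The zone and sssd.conf samples are constructed from the thread's output; the client addresses, the /24 reverse prefix and the treatment of `ipa_dyndns_update` as an alias of `dyndns_update` are assumptions.

```python
"""Check the conditions the thread discusses for client PTR records.

Added example, not FreeIPA project code and not from anyone in the thread.
The sample texts are constructed from the thread's output; the client
addresses and the reverse-zone prefix length are assumptions.
"""
import configparser
import ipaddress
import re

# Constructed from the `ipa dnszone-show mydom.com --all` output in the thread
# (the CLI wraps the long update policy onto a second line).
FORWARD_ZONE = """\
  Zone name: mydom.com.
  Active zone: TRUE
  BIND update policy: grant mydom.COM krb5-self * A; grant mydom.COM
krb5-self * AAAA; grant mydom.COM krb5-self * SSHFP;
  Dynamic update: TRUE
  Allow PTR sync: TRUE
"""

# Constructed from the `ipa dnszone-add 0.14.10.in-addr.arpa.` output in the thread.
REVERSE_ZONE = """\
  Zone name: 0.14.10.in-addr.arpa.
  Active zone: TRUE
  BIND update policy: grant QRIOS.COM krb5-subdomain
0.14.10.in-addr.arpa. PTR;
  Dynamic update: TRUE
"""

# Constructed sssd.conf fragment using the option name quoted in the thread.
SSSD_CONF = """\
[domain/mydom.com]
id_provider = ipa
ipa_dyndns_update = True
"""

GRANT_RE = re.compile(r"grant\s+(\S+)\s+(krb5-self|krb5-subdomain)\s+(\S+)\s+([A-Z0-9 ]+?)\s*;")

def parse_zone_show(text):
    """Map lowercased dnszone-show keys to values.  A line without a colon is
    a wrapped continuation of the previous value."""
    zone, last = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if ":" in line:
            key, value = line.split(":", 1)
            last = key.strip().lower()
            zone[last] = value.strip()
        elif last is not None:
            zone[last] = f"{zone[last]} {line}"
    return zone

def krb5_self_types(zone):
    """RR types a host may update for its own name (krb5-self grants)."""
    return {t for _, match, _, types in GRANT_RE.findall(zone.get("bind update policy", ""))
            if match == "krb5-self" for t in types.split()}

def reverse_zone_for(ip, prefixlen):
    """Name of the in-addr.arpa / ip6.arpa zone holding the PTR for `ip`.
    Only octet-aligned IPv4 and nibble-aligned IPv6 prefixes are handled;
    classless (RFC 2317) reverse delegation is out of scope."""
    net = ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)
    step = 8 if net.version == 4 else 4
    if prefixlen % step:
        raise ValueError(f"prefix /{prefixlen} is not {step}-bit aligned")
    labels = net.network_address.reverse_pointer.split(".")
    return ".".join(labels[(net.max_prefixlen - prefixlen) // step:]) + "."

def sssd_dyndns_enabled(conf_text):
    """True if a [domain/...] section enables client DNS updates.
    `dyndns_update` is the name in man sssd-ipa; `ipa_dyndns_update`, the
    spelling quoted in the thread, is treated here as its older alias
    (an assumption about the SSSD version in use)."""
    cp = configparser.ConfigParser()
    cp.read_string(conf_text)
    for section in cp.sections():
        if section.startswith("domain/"):
            value = cp[section].get("dyndns_update") or cp[section].get("ipa_dyndns_update", "false")
            if value.strip().lower() == "true":
                return True
    return False

def ptr_prerequisites(ip, forward_text, reverse_texts, sssd_conf, prefixlen=24):
    """Return the conditions that are not met for `ip`; [] means all clear."""
    problems = []
    fwd = parse_zone_show(forward_text)
    name = fwd.get("zone name", "?")
    if fwd.get("dynamic update", "").upper() != "TRUE":
        problems.append(f"{name} Dynamic update is not TRUE (--dynamic-update=TRUE)")
    if fwd.get("allow ptr sync", "").upper() != "TRUE":
        problems.append(f"{name} Allow PTR sync is not TRUE (--allow-sync-ptr=TRUE)")
    want = "A" if ipaddress.ip_address(ip).version == 4 else "AAAA"
    if want not in krb5_self_types(fwd):
        problems.append(f"{name} BIND update policy has no krb5-self grant for {want}")
    rev_name = reverse_zone_for(ip, prefixlen)
    reverse = {z.get("zone name"): z for z in map(parse_zone_show, reverse_texts)}
    if rev_name not in reverse:
        problems.append(f"no zone {rev_name} on the IPA server to hold the PTR record")
    elif reverse[rev_name].get("active zone", "").upper() != "TRUE":
        problems.append(f"{rev_name} is not an active zone")
    if not sssd_dyndns_enabled(sssd_conf):
        problems.append("sssd.conf: dyndns_update is not true, so the client sends no update")
    return problems

if __name__ == "__main__":
    # Assumed addresses: the second one falls outside the only reverse zone.
    for client in ("10.14.0.25", "10.14.1.25"):
        print(client, ptr_prerequisites(client, FORWARD_ZONE, [REVERSE_ZONE], SSSD_CONF) or "ok")
```

Paste the real `ipa dnszone-show ZONE --all` output of the forward zone and of every reverse zone in place of the constructed strings; a non-empty list names the option that is still missing, and a client whose address falls in a network with no reverse zone on the IPA server shows up as the "no zone ... to hold the PTR record" case regardless of how the forward zone is configured.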