Re: [Freeipa-users] Service discovery and selection for IPA
On Tue, Nov 01, 2016 at 06:44:46PM -0400, Jake wrote:
> Hey All,
> Quick question on IPA Service discovery and selection (ldap/kerberos in ad
> trust).
>
> Do IPA clients ping results of SRV records to determine which server they
> send requests (for ldap/kerberos specifically)?
>
> I have 8 AD Domain controllers, 2 in each location, and 4 ipa servers (2 in
> each of 2 locations), it seems the ipa servers rarely choose the local ad
> controllers, is there a way to adjust this? Must I set up something like
> geo-dns with different service weights per subnet?

Please note that the identity lookups of AD users are mostly done by SSSD on the IPA masters and the IPA clients read the AD user data from the IPA masters. So I would make sure that the IPA masters are assigned to a local site, then SSSD should prefer DCs from that site. The DNS queries and the discovery should be visible in the SSSD domain logs on the IPA masters.

Authentication is done by calling libkrb5 on the clients which is not site-aware.

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
[Freeipa-users] How to clear DNS cache
I am running FreeIPA 3.0.0 on CentOS 6. I appear to have stale records for smtp.gmail.com in my cache, which are preventing me from sending email. I've been unable to figure out how to delete these records, which seem to be stored in LDAP. Any assistance/pointers appreciated.

Thanks!

-- 
Ian Pilcher arequip...@gmail.com
"I grew up before Mark Zuckerberg invented friendship"
[Freeipa-users] /etc/ipa/default.conf on clients
I need to migrate the ipa server from host rhel6.local to host rhel7.local and retire host rhel6.local. For the existing clients, do I need to change /etc/ipa/default.conf? Do I even need this file if sssd is working on the clients? Thanks.

The current default.conf has two lines pointing to rhel6.local.

#File modified by ipa-client-install
[global]
basedn =
realm =
domain =
server = rhel6.local
xmlrpc_uri = https://rhel6.local/ipa/xml
enable_ra = True
Re: [Freeipa-users] how to revert ipa-adtrust-install...
On 19/09/16 08:49, Martin Babinsky wrote:
On 09/17/2016 12:43 PM, lejeczek wrote:
On 15/09/16 22:37, Rob Crittenden wrote:
What do you mean control? If you don't want ipactl to manage the smb service, look for an entry in cn=masters,cn=ipa,cn=etc,dc=example,dc=com and delete it if you find it.

rob

all I find there is:

objectClass: nsContainer
objectClass: top
cn: masters

does the same pertain to winbind? Does IPA need/use winbind if Samba under IPA is not the case?

You must perform a subtree search and search for the entry named 'cn=ADTRUST', like so:

"""
ldapsearch -Y GSSAPI -b 'cn=masters,cn=ipa,cn=etc,dc=ipa,dc=test' '(cn=ADTRUST)'
SASL/GSSAPI authentication started
SASL username: ad...@ipa.test
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base with scope subtree
# filter: (cn=ADTRUST)
# requesting: ALL
#

# ADTRUST, master1.ipa.test, masters, ipa, etc, ipa.test
dn: cn=ADTRUST,cn=master1.ipa.test,cn=masters,cn=ipa,cn=etc,dc=ipa,dc=test
objectClass: ipaConfigObject
objectClass: nsContainer
objectClass: top
ipaConfigString: startOrder 60
ipaConfigString: enabledService
cn: ADTRUST

# search result
search: 4
result: 0 Success

# numResponses: 2
# numEntries: 1
"""

Then remove the "ipaConfigString: enabledService" attribute from the entry to tell "ipactl" that it should not control this service anymore:

[root@master1 ~]# ldapmodify -Y GSSAPI
SASL/GSSAPI authentication started
SASL username: ad...@ipa.test
SASL SSF: 56
SASL data security layer installed.
dn: cn=ADTRUST,cn=master1.ipa.test,cn=masters,cn=ipa,cn=etc,dc=ipa,dc=test
changetype: modify
delete: ipaConfigString
ipaConfigString: enabledService

modifying entry "cn=ADTRUST,cn=master1.ipa.test,cn=masters,cn=ipa,cn=etc,dc=ipa,dc=test"

If you then do "ipactl restart" and "ipactl status", it should not display smb.service anymore and you are free to use them as you wish.
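A small helper for the procedure Martin describes, added here as an example and not code from the thread or from FreeIPA: it parses ldapsearch LDIF output and emits the ldapmodify input that removes only the enabledService value from the matching cn=ADTRUST entry, producing nothing if the entry is already unmanaged. The embedded sample is constructed in the shape of the output quoted above so the script runs offline; DNs and attribute names follow the thread, and nothing here contacts a server.

```python
import base64
# Constructed sample in the shape of the ldapsearch output quoted above, embedded so
# this runs offline; in practice pipe in: ldapsearch -Y GSSAPI -b 'cn=masters,...' '(cn=ADTRUST)'
SAMPLE_LDIF = """\
# ADTRUST, master1.ipa.test, masters, ipa, etc, ipa.test
dn: cn=ADTRUST,cn=master1.ipa.test,cn=masters,cn=ipa,cn=etc,dc=ipa,dc=test
objectClass: ipaConfigObject
ipaConfigString: startOrder 60
ipaConfigString: enabledService
cn: ADTRUST

result: 0 Success
"""

def parse_ldif(text: str) -> list:
    """Parse LDIF into [{attr: [values]}]; handles comments, folding and base64."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if raw.startswith(" ") and lines:      # folded continuation line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, entry = [], {}
    for line in lines + [""]:                  # trailing "" flushes the last entry
        if not line:
            if "dn" in entry:                  # the 'result:' trailer has no dn
                entries.append(entry)
            entry = {}
            continue
        attr, sep, val = line.partition(":")
        if not sep:
            continue
        if val.startswith(":"):                # attr:: <base64>
            val = base64.b64decode(val[1:].strip()).decode()
        entry.setdefault(attr, []).append(val.strip())
    return entries

def disable_service_ldif(text: str, cn: str = "ADTRUST") -> str:
    """ldapmodify input dropping 'enabledService' from the cn entry, or '' if absent."""
    mods = []
    for e in parse_ldif(text):
        if (e.get("cn", [""])[0].upper() != cn.upper()
                or "enabledService" not in e.get("ipaConfigString", [])):
            continue                           # wrong entry, or already not ipactl-managed
        mods.append(f"dn: {e['dn'][0]}\nchangetype: modify\n"
                    "delete: ipaConfigString\nipaConfigString: enabledService\n")
    return "\n".join(mods)
```

Feed the result to `ldapmodify -Y GSSAPI` exactly as in the thread; an empty result means there is nothing to change.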