Re: [Freeipa-users] Upgrade from IPA 4.2
Thank you for the hint, Martin! Looks like the upgrade went smoothly just with yum upgrade. Following the multi-step upgrade in previous versions I was hesitant this time.

Andrey

From: Martin Bašti <mba...@redhat.com>
Date: Wednesday, April 5, 2017 at 4:11 AM
To: Lachlan Musicman <data...@gmail.com>, Andrey Ptashnik <aptash...@cccis.com>
Cc: "freeipa-users@redhat.com" <freeipa-users@redhat.com>
Subject: Re: [Freeipa-users] Upgrade from IPA 4.2

On 04/04/2017 02:23 AM, Lachlan Musicman wrote:
> On 4 April 2017 at 04:28, Andrey Ptashnik <aptash...@cccis.com> wrote:
>> Hello,
>>
>> We have CentOS 7.2 and IPA 4.2 version. I remember that in previous versions in order to upgrade to the latest one I had to run IPA upgrade scripts that would separately upgrade the LDAP database. Is that the same procedure if I need to upgrade from version 4.2?
>
> Andrey,
>
> That wasn't my experience. We just did a yum update and it all seemed to work.
>
> Given its role, I presume you have or can set up a test env you can try it on?
>
> cheers
> L.
>
> --
> The most dangerous phrase in the language is, "We've always done it this way."
> - Grace Hopper

Yum upgrade should run the upgrade script automatically. Now we have just one script, ipa-server-upgrade.

Martin

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
[Freeipa-users] Upgrade from IPA 4.2
Hello,

We have CentOS 7.2 and IPA 4.2 version. I remember that in previous versions in order to upgrade to the latest one I had to run IPA upgrade scripts that would separately upgrade the LDAP database. Is that the same procedure if I need to upgrade from version 4.2?

Regards,
Andrey
[Freeipa-users] FreeIPA Read Only Replica
Team,

Is it possible to set up a read-only replica, for use in a DMZ for example?

Regards,
Andrey
[Freeipa-users] IPA server as a domain controller for more than one domain
Hi IPA team,

Can I use the same FreeIPA server to be a domain controller for more than one domain?

Regards,
Andrey Ptashnik
[Freeipa-users] Higher client versions joining 4.2.0 IPA cluster
Hello FreeIPA team,

Our FreeIPA server cluster is at version 4.2.0 and we are expecting Ubuntu 16 machines with FreeIPA client software 4.3.1 to join our IPA domain soon. Are there any compatibility issues that we may encounter?

Regards,
Andrey
[Freeipa-users] IPA to IPA trust
Hello IPA team,

Is there a way to implement IPA to IPA trust between different domains? We are thinking of using more than one domain, however we will need users to cross-login from one domain to another.

Regards,
Andrey
Re: [Freeipa-users] Clean up DNS, Host, Cert and other records from IPA / IDM
Alexander,

Thank you for your feedback, this is what I expected to do - 'ipa-client-install --uninstall' - and I expected an easy, quick fix for my request. It seems to work in an environment where the server portion is on CentOS/RHEL 7.1 and the clients are also on 7.1 with IPA 4.1.

However, when clients are a little older, like CentOS/RHEL 6.5-6.6, the behavior in our case was different: we had to manually delete records with the "ipa host-del" command, as Martin Kosek mentioned.

So I wanted to reiterate with the Red Hat team whether 'ipa-client-install --uninstall' is still the proper way to clean up records completely, and additionally whether I can expect the same behavior on client versions lower than CentOS/RHEL 7.1 + IPA 4.1.

Regards,
Andrey Ptashnik

On 12/14/15, 4:21 AM, "Alexander Bokovoy" <aboko...@redhat.com> wrote:

>On Fri, 11 Dec 2015, Andrey Ptashnik wrote:
>>Hello Team,
>>
>>We have many servers in our environment that are on a different stage
>>of their lifecycle. All of them are added to the IPA domain. There are
>>cases when servers get moved, sometimes crash, sometimes are being
>>rebuilt or decommissioned. In those cases we need to completely remove
>>the server identity from IPA including DNS, Host, Certificate and other
>>associated records.
>>What is the most proper way to completely remove client records in case
>>the server needs to be rebuilt with the same host name down the road?
>>(hardware failure happened, server crashed and needs to be rebuilt – is
>>a perfect example).
>'ipa-client-install --uninstall' results in calling 'ipa-join --unenroll -h hostname'
>which in turn calls 'ipa host-disable hostname'. The latter on the
>IPA server side does the following:
> - disables the host entry
> - disables any service associated with the host
> - revokes certificates associated with the host
> - removes keytab associated with the host
>
>Disabling services involves revoking of certificates and removal of
>keytabs associated with these services.
>
>Of course, 'keytab removal' means only that the keys are removed from
>LDAP entries, not that keytab files are removed.
>
>Note that none of the DNS entries are removed.
>
>If you don't have the hosts anymore, you can issue 'ipa host-disable hostname'
>from any other host under credentials of a user that has enough
>privileges to remove the host and associated services. 'admins' group
>membership should be strong enough to achieve this goal.
>
>--
>/ Alexander Bokovoy
[Freeipa-users] Clean up DNS, Host, Cert and other records from IPA / IDM
Hello Team,

We have many servers in our environment that are on a different stage of their lifecycle. All of them are added to the IPA domain. There are cases when servers get moved, sometimes crash, sometimes are being rebuilt or decommissioned. In those cases we need to completely remove the server identity from IPA including DNS, Host, Certificate and other associated records.

What is the most proper way to completely remove client records in case the server needs to be rebuilt with the same host name down the road? (hardware failure happened, server crashed and needs to be rebuilt – is a perfect example).

Regards,
Andrey Ptashnik
[Freeipa-users] "DNS resource record not found" error when searching or deleting records
Dear Team,

I'm trying to remove DNS records from the IPA server and getting the following error:

"ipa: ERROR: webapps001.mz984: DNS resource record not found"

I suspect that there was such a server "webapps001.mz984" in the past, properly added to the IPA server via the "ipa-client-install" utility, but it probably crashed and was removed from the network without running "ipa-client-install --uninstall".

I'm able to locate this record via CLI:

[root@ipa-idm]# ipa dnsrecord-find 123.xyz.com mz984
  Record name: webapps001.mz984
  A record: 10.16.9.232
Number of entries returned 1
[root@ipa-idm]#

This is what happens when I'm trying to delete this record:

[root@ipa-idm]# ipa dnsrecord-del 123.xyz.com. webapps001.mz984 --a-rec 10.16.9.232
ipa: ERROR: webapps001.mz984: DNS resource record not found
[root@ipa-idm]#

This is my DNS zone config:

[root@ipa-idm]# ipa dnszone-show 123.xyz.com
  Zone name: 123.xyz.com.
  Active zone: TRUE
  Authoritative nameserver: ipa-idm.123.xyz.com.
  Administrator e-mail address: hostmaster.123.xyz.com.
  SOA serial: 1449502971
  SOA refresh: 1800
  SOA retry: 900
  SOA expire: 604800
  SOA minimum: 900
  Allow query: any;
  Allow transfer: 10.xxx.xxx.xxx
[root@ipa-idm]#

[root@ipa-idm]# ipa dnsconfig-show
  Allow PTR sync: TRUE
[root@ipa-idm]#

In the Web GUI, when I'm trying to search for this particular record, an "Operations Error" window appears with the "DNS resource record not found" error message.

Are there any ways to forcefully delete such stale records, or to find out the root cause of this error message?

Regards,
Andrey Ptashnik
Re: [Freeipa-users] "DNS resource record not found" error when searching or deleting records
Martin,

Here is the output you requested:

[root@ipa-idm]# ipa dnsrecord-find 123.xyz.com mz984 --all --raw
  dn: idnsName=webapps001.mz984+nsuniqueid=650db4bc-88c511e5-90e7864e-76f6b2c3,idnsname=123.xyz.com.,cn=dns,dc=123,dc=xyz,dc=com
  idnsname: webapps001.mz984
  arecord: 10.16.9.232
  dNSTTL: 1200
  objectClass: idnsRecord
  objectClass: top
Number of entries returned 1
[root@ipa-idm]#

Regards,
Andrey Ptashnik

From: Martin Basti <mba...@redhat.com>
Date: Monday, December 7, 2015 at 12:45 PM
To: Andrey Ptashnik <aptash...@cccis.com>, "freeipa-users@redhat.com" <freeipa-users@redhat.com>
Subject: Re: [Freeipa-users] "DNS resource record not found" error when searching or deleting records

On 07.12.2015 18:08, Andrey Ptashnik wrote:
> Dear Team,
>
> I'm trying to remove DNS records from the IPA server and getting the following error:
>
> "ipa: ERROR: webapps001.mz984: DNS resource record not found"
>
> I suspect that there was such a server "webapps001.mz984" in the past, properly added to the IPA server via the "ipa-client-install" utility, but it probably crashed and was removed from the network without running "ipa-client-install --uninstall".
>
> I'm able to locate this record via CLI:
>
> [root@ipa-idm]# ipa dnsrecord-find 123.xyz.com mz984
>   Record name: webapps001.mz984
>   A record: 10.16.9.232
> Number of entries returned 1
> [root@ipa-idm]#
>
> This is what happens when I'm trying to delete this record:
>
> [root@ipa-idm]# ipa dnsrecord-del 123.xyz.com. webapps001.mz984 --a-rec 10.16.9.232
> ipa: ERROR: webapps001.mz984: DNS resource record not found
> [root@ipa-idm]#
>
> This is my DNS zone config:
>
> [root@ipa-idm]# ipa dnszone-show 123.xyz.com
>   Zone name: 123.xyz.com.
>   Active zone: TRUE
>   Authoritative nameserver: ipa-idm.123.xyz.com.
>   Administrator e-mail address: hostmaster.123.xyz.com.
>   SOA serial: 1449502971
>   SOA refresh: 1800
>   SOA retry: 900
>   SOA expire: 604800
>   SOA minimum: 900
>   Allow query: any;
>   Allow transfer: 10.xxx.xxx.xxx
> [root@ipa-idm]#
>
> [root@ipa-idm]# ipa dnsconfig-show
>   Allow PTR sync: TRUE
> [root@ipa-idm]#
>
> In the Web GUI, when I'm trying to search for this particular record, an "Operations Error" window appears with the "DNS resource record not found" error message.
>
> Are there any ways to forcefully delete such stale records, or to find out the root cause of this error message?
>
> Regards,
> Andrey Ptashnik

Hello,

please execute:

ipa dnsrecord-find 123.xyz.com mz984 --all --raw

I suspect that there might be a replication conflict, I need to see the output of the command to be sure.

Martin
Re: [Freeipa-users] "DNS resource record not found" error when searching or deleting records
Martin,

For my education, how did you identify that from my output?

Regards,
Andrey Ptashnik

From: Martin Basti <mba...@redhat.com>
Date: Monday, December 7, 2015 at 1:24 PM
To: Andrey Ptashnik <aptash...@cccis.com>, "freeipa-users@redhat.com" <freeipa-users@redhat.com>
Subject: Re: [Freeipa-users] "DNS resource record not found" error when searching or deleting records

Yes, it is a replication conflict. Please follow:
https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html/Administration_Guide/Managing_Replication-Solving_Common_Replication_Conflicts.html

On 07.12.2015 20:19, Andrey Ptashnik wrote:
> Martin,
>
> Here is the output you requested:
>
> [root@ipa-idm]# ipa dnsrecord-find 123.xyz.com mz984 --all --raw
>   dn: idnsName=webapps001.mz984+nsuniqueid=650db4bc-88c511e5-90e7864e-76f6b2c3,idnsname=123.xyz.com.,cn=dns,dc=123,dc=xyz,dc=com
>   idnsname: webapps001.mz984
>   arecord: 10.16.9.232
>   dNSTTL: 1200
>   objectClass: idnsRecord
>   objectClass: top
> ----
> Number of entries returned 1
> ----
> [root@ipa-idm]#
>
> Regards,
> Andrey Ptashnik
>
> From: Martin Basti <mba...@redhat.com>
> Date: Monday, December 7, 2015 at 12:45 PM
> To: Andrey Ptashnik <aptash...@cccis.com>, "freeipa-users@redhat.com" <freeipa-users@redhat.com>
> Subject: Re: [Freeipa-users] "DNS resource record not found" error when searching or deleting records
>
> On 07.12.2015 18:08, Andrey Ptashnik wrote:
>> Dear Team,
>>
>> I'm trying to remove DNS records from the IPA server and getting the following error:
>>
>> "ipa: ERROR: webapps001.mz984: DNS resource record not found"
>>
>> I suspect that there was such a server "webapps001.mz984" in the past, properly added to the IPA server via the "ipa-client-install" utility, but it probably crashed and was removed from the network without running "ipa-client-install --uninstall".
>>
>> I'm able to locate this record via CLI:
>>
>> [root@ipa-idm]# ipa dnsrecord-find 123.xyz.com mz984
>>   Record name: webapps001.mz984
>>   A record: 10.16.9.232
>> Number of entries returned 1
>> [root@ipa-idm]#
>>
>> This is what happens when I'm trying to delete this record:
>>
>> [root@ipa-idm]# ipa dnsrecord-del 123.xyz.com. webapps001.mz984 --a-rec 10.16.9.232
>> ipa: ERROR: webapps001.mz984: DNS resource record not found
>> [root@ipa-idm]#
>>
>> This is my DNS zone config:
>>
>> [root@ipa-idm]# ipa dnszone-show 123.xyz.com
>>   Zone name: 123.xyz.com.
>>   Active zone: TRUE
>>   Authoritative nameserver: ipa-idm.123.xyz.com.
>>   Administrator e-mail address: hostmaster.123.xyz.com.
>>   SOA serial: 1449502971
>>   SOA refresh: 1800
>>   SOA retry: 900
>>   SOA expire: 604800
>>   SOA minimum: 900
>>   Allow query: any;
>>   Allow transfer: 10.xxx.xxx.xxx
>> [root@ipa-idm]#
>>
>> [root@ipa-idm]# ipa dnsconfig-show
>>   Allow PTR sync: TRUE
>> [root@ipa-idm]#
>>
>> In the Web GUI, when I'm trying to search for this particular record, an "Operations Error" window appears with the "DNS resource record not found" error message.
>>
>> Are there any ways to forcefully delete such stale records, or to find out the root cause of this error message?
>>
>> Regards,
>> Andrey Ptashnik
>
> Hello,
>
> please execute:
>
> ipa dnsrecord-find 123.xyz.com mz984 --all --raw
>
> I suspect that there might be a replication conflict, I need to see the output of the command to be sure.
>
> Martin
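The marker Martin read from the --raw output, as an added example that is neither the thread's nor FreeIPA's own code: when two 389 Directory Server masters add or rename the same entry before replication catches up, the losing copy is kept but renamed with "+nsuniqueid=<id>" in its RDN, which is exactly the shape of the dn line in the output above, and the FreeIPA CLI, which addresses entries by plain name, then finds the record in a search but not in a delete. The script below parses `ipa ... --all --raw` output and lists such entries together with the DN they should have had; the second record in the sample is constructed, and the parser also works on other --raw listings (host-find, user-find) since the marker is a directory-server property, not a DNS one.

```python
"""Flag 389 Directory Server replication-conflict entries in FreeIPA --raw output.

Added example; this is not code from the thread or from FreeIPA itself.
Input is the LDIF-like output of `ipa <cmd> --all --raw`: a "dn:" line
followed by "attr: value" lines, one blank line between entries, plus the
prompt, "-----" separators and a "Number of entries returned N" trailer.
"""
import re
from dataclasses import dataclass, field

# RDN of a conflict entry: "<attr>=<name>+nsuniqueid=<hex-id>" (LDAP names are case-insensitive).
CONFLICT_RDN = re.compile(
    r"^(?P<attr>[A-Za-z][\w-]*)=(?P<name>[^+,]+)\+nsuniqueid=(?P<id>[0-9A-Fa-f-]+)",
    re.IGNORECASE,
)
ATTR_NAME = re.compile(r"^[A-Za-z][\w;.-]*$")


@dataclass
class Entry:
    dn: str
    attrs: dict = field(default_factory=dict)  # lower-cased attribute -> list of values


def parse_raw_output(text):
    """Split `ipa ... --all --raw` output into Entry objects.

    Lines without an "attr: value" shape (prompt, separators, trailer) are skipped.
    """
    entries, current = [], None
    for raw_line in text.splitlines():
        line = raw_line.strip()
        if not line:                 # blank line terminates the current entry
            current = None
            continue
        key, sep, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if not sep or not ATTR_NAME.match(key):
            continue
        if key == "dn":
            current = Entry(dn=value)
            entries.append(current)
        elif current is not None:
            current.attrs.setdefault(key, []).append(value)
    return entries


def intended_dn(dn):
    """DN the entry would have had without the conflict marker."""
    return re.sub(r"\+nsuniqueid=[0-9A-Fa-f-]+", "", dn, count=1, flags=re.IGNORECASE)


def find_conflicts(entries):
    """Return a report row for every entry whose RDN carries the conflict marker.

    389-ds also stamps conflict entries with an nsds5ReplConflict attribute;
    it is passed through when the listing happens to show it.
    """
    rows = []
    for entry in entries:
        match = CONFLICT_RDN.match(entry.dn)
        if not match:
            continue
        rows.append({
            "name": match.group("name"),
            "nsuniqueid": match.group("id"),
            "conflict_dn": entry.dn,
            "intended_dn": intended_dn(entry.dn),
            "nsds5replconflict": entry.attrs.get("nsds5replconflict", []),
        })
    return rows


def report(text):
    """Parse raw CLI output and return the conflict rows (empty list if none)."""
    return find_conflicts(parse_raw_output(text))


# Constructed sample: the first entry is the conflict DN from the thread, the
# second is a healthy sibling record added here for contrast.
SAMPLE_RAW_OUTPUT = """\
[root@ipa-idm]# ipa dnsrecord-find 123.xyz.com mz984 --all --raw
  dn: idnsName=webapps001.mz984+nsuniqueid=650db4bc-88c511e5-90e7864e-76f6b2c3,idnsname=123.xyz.com.,cn=dns,dc=123,dc=xyz,dc=com
  idnsname: webapps001.mz984
  arecord: 10.16.9.232
  dNSTTL: 1200
  objectClass: idnsRecord
  objectClass: top

  dn: idnsname=webapps002.mz984,idnsname=123.xyz.com.,cn=dns,dc=123,dc=xyz,dc=com
  idnsname: webapps002.mz984
  arecord: 10.16.9.233
  objectClass: idnsRecord
  objectClass: top
----------------------------
Number of entries returned 2
----------------------------
"""

if __name__ == "__main__":
    for row in report(SAMPLE_RAW_OUTPUT):
        print("conflict entry for %s (nsuniqueid %s)" % (row["name"], row["nsuniqueid"]))
        print("  stored as : %s" % row["conflict_dn"])
        print("  should be : %s" % row["intended_dn"])
```

Which copy to keep is an administrative decision; the Red Hat Directory Server guide Martin linked covers renaming the conflict entry back to its intended DN or deleting it.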
Re: [Freeipa-users] Minimal compatibility with RHEL / CentOS 5.5
Thank you, Rob and Martin!

I was under the impression that v.5 was not supported at all, because "yum search ipa" did not return any search results in the main or EPEL repository.

Andrey Ptashnik

On 11/16/15, 3:24 AM, "Martin Kosek" <mko...@redhat.com> wrote:

>On 11/16/2015 02:34 AM, Rob Crittenden wrote:
>> Andrey Ptashnik wrote:
>>> Hello IPA team,
>>>
>>> I'm wondering if there is any compatibility that can be established with
>>> legacy RHEL CentOS 5.5 machines. Is there any easy way to set up a minimal
>>> feature set like central authentication and maybe something else?
>>
>> ipa-client exists there. You can use that.
>>
>> rob
>
>You can even use the login of AD Users via the FreeIPA Trust Legacy Client
>feature.
>More info here:
>
>https://www.freeipa.org/images/0/0d/FreeIPA33-legacy-clients.pdf
>
>https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/trust-legacy.html
>
>Martin
[Freeipa-users] Minimal compatibility with RHEL / CentOS 5.5
Hello IPA team,

I'm wondering if there is any compatibility that can be established with legacy RHEL CentOS 5.5 machines. Is there any easy way to set up a minimal feature set like central authentication and maybe something else?

Regards,
Andrey Ptashnik
[Freeipa-users] Steps to rebuild a master node in IPA cluster
Hello IPA Team,

In one location we have an IPA cluster based on CentOS 7.1 with IPA 4.1.0: one master and one replica. We noticed that the master node potentially has a corrupted database; some records cannot be deleted and IPA services crash once in a while. The second member (aka replica) is stable.

We wanted to rebuild the master node. What are the correct steps to move master functions to the replica, retire the old master and rebuild it?

Regards,
Andrey Ptashnik
Re: [Freeipa-users] Correct upgrade steps for IPA server 4.1.0
I usually try not to. On the other side I see that many important fixes are coming with major/minor releases, and I am trying to figure out my course of action until fixes and/or the release become available.

Regards,
Andrey Ptashnik

On 10/12/15, 7:46 PM, "freeipa-users-boun...@redhat.com on behalf of Steven Jones" <freeipa-users-boun...@redhat.com on behalf of steven.jo...@vuw.ac.nz> wrote:

>Hi,
>
>IPA is a complex beast, you would be brave/foolish to upgrade it outside of
>the Redhat support matrix.
>
>Also I would / will wait 1~2 months before upgrading to 7.2 so any serious
>bugs/issues are found by someone else.
>
>regards
>
>Steven
>
>
>From: freeipa-users-boun...@redhat.com <freeipa-users-boun...@redhat.com> on
>behalf of Andrey Ptashnik <aptash...@cccis.com>
>Sent: Tuesday, 13 October 2015 8:43 a.m.
>To: Alexander Bokovoy
>Cc: freeipa-users@redhat.com
>Subject: Re: [Freeipa-users] Correct upgrade steps for IPA server 4.1.0
>
>I see, so your best advice is to wait for the official release of 7.2 and upgrade
>all at once even if I need just a few simple fixes like "search for non-admin
>users" etc.?
>
>Is there any approximate timeline for the 7.2 release?
>
>Regards,
>
>Andrey Ptashnik
>
>On 10/12/15, 2:10 PM, "Alexander Bokovoy" <aboko...@redhat.com> wrote:
>
>>On Mon, 12 Oct 2015, Andrey Ptashnik wrote:
>>>If we have a production environment, is it a safe move to upgrade to 7.2 Beta?
>>Beta is for testing new features, not for production yet.
>>
>>>And then the question still remains: what are the correct steps to go from 4.1.0 to
>>>4.2.0?
>>As Rob said, you do package updates and as part of that process an
>>upgrade will be done. There are no specific upgrade path instructions
>>between 4.1 and 4.2, unlike between 3.0 and 3.3+.
>>
>>--
>>/ Alexander Bokovoy
[Freeipa-users] Correct upgrade steps for IPA server 4.1.0
Hello IPA Server Team,

We have an IPA server cluster on RHEL 7.1 with IPA version 4.1.0 and are planning to upgrade to 4.2.1.

What are the correct steps for doing so? The wiki (http://www.freeipa.org/page/Upgrade#FreeIPA_4.1.x_or_older) shows:

FreeIPA 4.1.x or older
# ipa-ldap-updater --upgrade
# ipa-upgradeconfig

But I have a feeling that there might be some prerequisites that are common knowledge, that were not mentioned and I'm not aware of... Are there any steps that need to be completed before I execute the above commands?

Regards,
Andrey Ptashnik
Re: [Freeipa-users] Correct upgrade steps for IPA server 4.1.0
Also I don't see IPA server 4.2.1 in the RHEL repository, is it already available?

[root@sever]# yum list ipa-server
ipa-server.x86_64 4.1.0-18.el7_1.4 @rhui-REGION-rhel-server-releases
[root@server]#

Regards,
Andrey Ptashnik

From: <freeipa-users-boun...@redhat.com> on behalf of Andrey Ptashnik
Date: Monday, October 12, 2015 at 12:21 PM
To: "freeipa-users@redhat.com"
Subject: [Freeipa-users] Correct upgrade steps for IPA server 4.1.0

Hello IPA Server Team,

We have an IPA server cluster on RHEL 7.1 with IPA version 4.1.0 and are planning to upgrade to 4.2.1.

What are the correct steps for doing so? The wiki (http://www.freeipa.org/page/Upgrade#FreeIPA_4.1.x_or_older) shows:

FreeIPA 4.1.x or older
# ipa-ldap-updater --upgrade
# ipa-upgradeconfig

But I have a feeling that there might be some prerequisites that are common knowledge, that were not mentioned and I'm not aware of... Are there any steps that need to be completed before I execute the above commands?

Regards,
Andrey Ptashnik
Re: [Freeipa-users] Correct upgrade steps for IPA server 4.1.0
I see that the RHEL 7.2 release date is still "TBA". Are there any plans to make newer versions of IPA server available sooner than RHEL 7.2?

Regards,
Andrey Ptashnik

On 10/12/15, 1:26 PM, "Alexander Bokovoy" <aboko...@redhat.com> wrote:

>On Mon, 12 Oct 2015, Andrey Ptashnik wrote:
>>Also I don't see IPA server 4.2.1 in the RHEL repository, is it already available?
>>
>>[root@sever]# yum list ipa-server
>>ipa-server.x86_64 4.1.0-18.el7_1.4 @rhui-REGION-rhel-server-releases
>>[root@server]#
>It is available already as part of RHEL 7.2 beta: http://red.ht/1i65UND
>
>--
>/ Alexander Bokovoy
Re: [Freeipa-users] Correct upgrade steps for IPA server 4.1.0
If we have a production environment, is it a safe move to upgrade to 7.2 Beta?

And then the question still remains: what are the correct steps to go from 4.1.0 to 4.2.0?

Regards,
Andrey Ptashnik

On 10/12/15, 1:44 PM, "Rob Crittenden" <rcrit...@redhat.com> wrote:

>Andrey Ptashnik wrote:
>> Also I don't see IPA server 4.2.1 in the RHEL repository, is it already
>> available?
>
>4.2 (plus patches) is planned for RHEL 7.2. A beta is available today.
>
>> [root@sever]# yum list ipa-server
>> ipa-server.x86_64 4.1.0-18.el7_1.4 @rhui-REGION-rhel-server-releases
>> [root@server]#
>
>The upgrade is automatic once new packages are installed.
>
>rob
>
>> Regards,
>>
>> Andrey Ptashnik
>>
>> From: <freeipa-users-boun...@redhat.com> on behalf of Andrey Ptashnik
>> Date: Monday, October 12, 2015 at 12:21 PM
>> To: "freeipa-users@redhat.com"
>> Subject: [Freeipa-users] Correct upgrade steps for IPA server 4.1.0
>>
>> Hello IPA Server Team,
>>
>> We have an IPA server cluster on RHEL 7.1 with IPA version 4.1.0 and are
>> planning to upgrade to 4.2.1.
>>
>> What are the correct steps for doing so?
>>
>> The wiki (http://www.freeipa.org/page/Upgrade#FreeIPA_4.1.x_or_older) shows:
>> FreeIPA 4.1.x or older
>> # ipa-ldap-updater --upgrade
>> # ipa-upgradeconfig
>>
>> But I have a feeling that there might be some prerequisites that are
>> common knowledge, that were not mentioned and I'm not aware of... Are there
>> any steps that need to be completed before I execute the above commands?
>>
>> Regards,
>>
>> Andrey Ptashnik
Re: [Freeipa-users] Correct upgrade steps for IPA server 4.1.0
I see, so your best advice is to wait for the official release of 7.2 and upgrade all at once, even if I need just a few simple fixes like "search for non-admin users" etc.?

Is there any approximate timeline for the 7.2 release?

Regards,
Andrey Ptashnik

On 10/12/15, 2:10 PM, "Alexander Bokovoy" <aboko...@redhat.com> wrote:

>On Mon, 12 Oct 2015, Andrey Ptashnik wrote:
>>If we have a production environment, is it a safe move to upgrade to 7.2 Beta?
>Beta is for testing new features, not for production yet.
>
>>And then the question still remains: what are the correct steps to go from 4.1.0 to
>>4.2.0?
>As Rob said, you do package updates and as part of that process an
>upgrade will be done. There are no specific upgrade path instructions
>between 4.1 and 4.2, unlike between 3.0 and 3.3+.
>
>--
>/ Alexander Bokovoy
Re: [Freeipa-users] Red Hat 5 and 6 with IPA Client v. 4
I think I got it working. The solution in my case was to run the following on the client nodes:

yum install sssd-1.12.4-47.el6.x86_64

And on the IPA server, for each forward and reverse lookup zone, I ran:

ipa dnszone-mod X.COM. --allow-sync-ptr=TRUE --dynamic-update=TRUE
ipa dnszone-mod 44.28.10.in-addr.arpa. --allow-sync-ptr=TRUE --dynamic-update=TRUE

Ultimately I think bringing all nodes to the SSSD 1.12.4 version solved the problem.

Thank you, IPA team, for your support!

Regards,
Andrey Ptashnik

On 9/17/15, 10:32 AM, "Rob Crittenden" <rcrit...@redhat.com> wrote:

>Andrey Ptashnik wrote:
>> Any ideas on that?
>
>/var/log/ipaclient-install.log probably has more details on the DNS
>update failure.
>
>rob
>
>> Regards,
>>
>> Andrey Ptashnik | Network Architect
>> CCC Information Services Inc.
>> 222 Merchandise Mart Plaza, Suite 900 Chicago, IL 60654
>> Office: +1-312-229-2533 | Cell : +1-773-315-0200 | aptash...@cccis.com
>>
>> On 9/16/15, 11:30 AM, "freeipa-users-boun...@redhat.com on behalf of Andrey
>> Ptashnik" <freeipa-users-boun...@redhat.com on behalf of
>> aptash...@cccis.com> wrote:
>>
>>> Alexander,
>>>
>>> Thank you for your feedback!
>>>
>>> In my environment I noticed that client machines that are on Red Hat 6 have
>>> version 3.0.0 of the IPA client installed.
>>>
>>> [root@ptr-test-6 ~]# yum list installed | grep ipa
>>> ipa-client.x86_64 3.0.0-47.el6
>>> ipa-python.x86_64 3.0.0-47.el6
>>>
>>> [root@ptr-test-6 ~]# yum list installed | grep sssd
>>> python-sssdconfig.noarch 1.12.4-47.el6
>>> sssd.x86_64 1.12.4-47.el6
>>> sssd-ad.x86_64 1.12.4-47.el6
>>> sssd-client.x86_64 1.12.4-47.el6
>>> sssd-common.x86_64 1.12.4-47.el6
>>> sssd-common-pac.x86_64 1.12.4-47.el6
>>> sssd-ipa.x86_64 1.12.4-47.el6
>>> sssd-krb5.x86_64 1.12.4-47.el6
>>> sssd-krb5-common.x86_64 1.12.4-47.el6
>>> sssd-ldap.x86_64 1.12.4-47.el6
>>> sssd-proxy.x86_64 1.12.4-47.el6
>>> [root@ptr-test-6 ~]#
>>>
>>> And I noticed particular behavior with IPA client 3.0.0 and IPA server 4.1
>>> - when I add machines to the domain using the command below:
>>>
>>> # ipa-client-install --enable-dns-updates --ssh-trust-dns --mkhomedir
>>>
>>> DNS records populate in the Forward lookup zone, but no PTR records appear in
>>> the Reverse lookup zones. That behavior is not the same with the IPA client 4.1 and
>>> IPA server 4.1 version combination.
>>>
>>> Also during IPA client v. 3.0.0 configuration on version 6 of Red Hat I see the
>>> output below:
>>>
>>> Synchronizing time with KDC...
>>> Enrolled in IPA realm X.COM
>>> Attempting to get host TGT...
>>> Created /etc/ipa/default.conf
>>> New SSSD config will be created
>>> Configured sudoers in /etc/nsswitch.conf
>>> Configured /etc/sssd/sssd.conf
>>> Configured /etc/krb5.conf for IPA realm X.COM
>>> trying https://ipa-idm.X.COM/ipa/xml
>>> Forwarding 'env' to server u'https://ipa-idm.X.COM/ipa/xml'
>>> Failed to update DNS records.
>>> Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
>>> Adding SSH public key from /etc/ssh/ssh_host_dsa_key.pub
>>> Forwarding 'host_mod' to server u'https://ipa-idm.X.COM/ipa/xml'
>>> SSSD enabled
>>> Configuring X.COM as NIS domain
>>> Configured /etc/openldap/ldap.conf
>>> NTP enabled
>>> Configured /etc/ssh/ssh_config
>>> Configured /etc/ssh/sshd_config
>>> Client configuration complete.
>>>
>>> Regards,
>>>
>>> Andrey Ptashnik
>>>
>>> On 9/16/15, 8:43 AM, "Alexander Bokovoy" <aboko...@redhat.com> wrote:
>>>
>>>> On Wed, 16 Sep 2015, Andrey Ptashnik wrote:
>>>>> Dear IPA Team,
>>>>>
>>>>> We have a situation in our datacenter where we deployed Red Hat 7.1
>>>>> with IPA server 4.1 and on the other hand we still have older machines
>>>>> with Red Hat 5 and 6. I noticed that repositories associated with
>>>>> ver
Re: [Freeipa-users] Red Hat 5 and 6 with IPA Client v. 4
Any ideas on that?

Regards,

Andrey Ptashnik | Network Architect
CCC Information Services Inc.
222 Merchandise Mart Plaza, Suite 900
Chicago, IL 60654
Office: +1-312-229-2533 | Cell : +1-773-315-0200 | aptash...@cccis.com

On 9/16/15, 11:30 AM, "freeipa-users-boun...@redhat.com on behalf of Andrey Ptashnik" <freeipa-users-boun...@redhat.com on behalf of aptash...@cccis.com> wrote:

>Alexander,
>
>Thank you for your feedback!
>
>In my environment I noticed that client machines that are on Red Hat 6 have
>version 3.0.0 of IPA client installed.
>
>[root@ptr-test-6 ~]# yum list installed | grep ipa
>ipa-client.x86_64           3.0.0-47.el6
>ipa-python.x86_64           3.0.0-47.el6
>
>[root@ptr-test-6 ~]# yum list installed | grep sssd
>python-sssdconfig.noarch    1.12.4-47.el6
>sssd.x86_64                 1.12.4-47.el6
>sssd-ad.x86_64              1.12.4-47.el6
>sssd-client.x86_64          1.12.4-47.el6
>sssd-common.x86_64          1.12.4-47.el6
>sssd-common-pac.x86_64      1.12.4-47.el6
>sssd-ipa.x86_64             1.12.4-47.el6
>sssd-krb5.x86_64            1.12.4-47.el6
>sssd-krb5-common.x86_64     1.12.4-47.el6
>sssd-ldap.x86_64            1.12.4-47.el6
>sssd-proxy.x86_64           1.12.4-47.el6
>[root@ptr-test-6 ~]#
>
>And I noticed particular behavior with IPA client 3.0.0 and IPA server 4.1 -
>when I add machines to the domain using the command below:
>
># ipa-client-install --enable-dns-updates --ssh-trust-dns --mkhomedir
>
>DNS records populate in the Forward lookup zone, but no PTR records appear in
>the Reverse lookup zones. That behavior is not the same with the IPA client 4.1 and
>IPA server 4.1 version combination.
>
>Also during IPA client v. 3.0.0 configuration on version 6 of Red Hat I see the
>output below:
>
>Synchronizing time with KDC...
>Enrolled in IPA realm X.COM
>Attempting to get host TGT...
>Created /etc/ipa/default.conf
>New SSSD config will be created
>Configured sudoers in /etc/nsswitch.conf
>Configured /etc/sssd/sssd.conf
>Configured /etc/krb5.conf for IPA realm X.COM
>trying https://ipa-idm.X.COM/ipa/xml
>Forwarding 'env' to server u'https://ipa-idm.X.COM/ipa/xml'
>Failed to update DNS records.
>Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
>Adding SSH public key from /etc/ssh/ssh_host_dsa_key.pub
>Forwarding 'host_mod' to server u'https://ipa-idm.X.COM/ipa/xml'
>SSSD enabled
>Configuring X.COM as NIS domain
>Configured /etc/openldap/ldap.conf
>NTP enabled
>Configured /etc/ssh/ssh_config
>Configured /etc/ssh/sshd_config
>Client configuration complete.
>
>Regards,
>
>Andrey Ptashnik
>
>On 9/16/15, 8:43 AM, "Alexander Bokovoy" <aboko...@redhat.com> wrote:
>
>>On Wed, 16 Sep 2015, Andrey Ptashnik wrote:
>>>Dear IPA Team,
>>>
>>>We have a situation in our datacenter where we deployed Red Hat 7.1
>>>with IPA server 4.1 and on the other hand we still have older machines
>>>with Red Hat 5 and 6. I noticed that repositories associated with
>>>version 6 have an older version of the client software – v.3.0. Therefore
>>>some functionality is missing from client package 3 vs 4, like
>>>automatic update of both forward and reverse DNS records.
>>>
>>>Is it possible to install IPA client v. 4 on Red Hat 5 and 6 without
>>>much breaking dependencies in OS?
>>You don't need to install IPA python packages on older machines. These
>>packages are mostly for administration purposes.
>>
>>Automatic update of forward/reverse DNS zones is done by SSSD. RHEL 6
>>version of SSSD is on par with RHEL 7 version in the recent updates.
>>Additionally, MIT Kerberos backports were done in the recent updates to
>>allow OTP functionality in RHEL6 as well. So most of the features are there
>>already, client-wise.
>>
>>RHEL5 version does not have such updates and you can implement most of
>>the support with existing SSSD and output of 'ipa-advise' tool on IPA
>>masters. nsupdate integration would probably need to be done
>>differently.
>>
>>Backporting IPA v4.x client code to RHEL 5 or 6 in general does not make
>>much sense.
>>
>>--
>>/ Alexander Bokovoy
>
>--
>Manage your subscription for the Freeipa-users mailing list:
>https://www.redhat.com/mailman/listinfo/freeipa-users
>Go to http://freeipa.org for more info on the project
[Freeipa-users] Red Hat 5 and 6 with IPA Client v. 4
Dear IPA Team,

We have a situation in our datacenter where we deployed Red Hat 7.1 with IPA server 4.1 and on the other hand we still have older machines with Red Hat 5 and 6. I noticed that repositories associated with version 6 have an older version of the client software – v.3.0. Therefore some functionality is missing from client package 3 vs 4, like automatic update of both forward and reverse DNS records.

Is it possible to install IPA client v. 4 on Red Hat 5 and 6 without much breaking dependencies in OS?

Regards,

Andrey Ptashnik | Network Architect
CCC Information Services Inc.
222 Merchandise Mart Plaza, Suite 900
Chicago, IL 60654
Office: +1-312-229-2533 | Cell : +1-773-315-0200 | aptash...@cccis.com
Re: [Freeipa-users] Red Hat 5 and 6 with IPA Client v. 4
Alexander,

Thank you for your feedback!

In my environment I noticed that client machines that are on Red Hat 6 have version 3.0.0 of IPA client installed.

[root@ptr-test-6 ~]# yum list installed | grep ipa
ipa-client.x86_64           3.0.0-47.el6
ipa-python.x86_64           3.0.0-47.el6

[root@ptr-test-6 ~]# yum list installed | grep sssd
python-sssdconfig.noarch    1.12.4-47.el6
sssd.x86_64                 1.12.4-47.el6
sssd-ad.x86_64              1.12.4-47.el6
sssd-client.x86_64          1.12.4-47.el6
sssd-common.x86_64          1.12.4-47.el6
sssd-common-pac.x86_64      1.12.4-47.el6
sssd-ipa.x86_64             1.12.4-47.el6
sssd-krb5.x86_64            1.12.4-47.el6
sssd-krb5-common.x86_64     1.12.4-47.el6
sssd-ldap.x86_64            1.12.4-47.el6
sssd-proxy.x86_64           1.12.4-47.el6
[root@ptr-test-6 ~]#

And I noticed particular behavior with IPA client 3.0.0 and IPA server 4.1 - when I add machines to the domain using the command below:

# ipa-client-install --enable-dns-updates --ssh-trust-dns --mkhomedir

DNS records populate in the Forward lookup zone, but no PTR records appear in the Reverse lookup zones. That behavior is not the same with the IPA client 4.1 and IPA server 4.1 version combination.

Also during IPA client v. 3.0.0 configuration on version 6 of Red Hat I see the output below:

Synchronizing time with KDC...
Enrolled in IPA realm X.COM
Attempting to get host TGT...
Created /etc/ipa/default.conf
New SSSD config will be created
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm X.COM
trying https://ipa-idm.X.COM/ipa/xml
Forwarding 'env' to server u'https://ipa-idm.X.COM/ipa/xml'
Failed to update DNS records.
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_dsa_key.pub
Forwarding 'host_mod' to server u'https://ipa-idm.X.COM/ipa/xml'
SSSD enabled
Configuring X.COM as NIS domain
Configured /etc/openldap/ldap.conf
NTP enabled
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Client configuration complete.

Regards,

Andrey Ptashnik

On 9/16/15, 8:43 AM, "Alexander Bokovoy" <aboko...@redhat.com> wrote:

>On Wed, 16 Sep 2015, Andrey Ptashnik wrote:
>>Dear IPA Team,
>>
>>We have a situation in our datacenter where we deployed Red Hat 7.1
>>with IPA server 4.1 and on the other hand we still have older machines
>>with Red Hat 5 and 6. I noticed that repositories associated with
>>version 6 have an older version of the client software – v.3.0. Therefore
>>some functionality is missing from client package 3 vs 4, like
>>automatic update of both forward and reverse DNS records.
>>
>>Is it possible to install IPA client v. 4 on Red Hat 5 and 6 without
>>much breaking dependencies in OS?
>You don't need to install IPA python packages on older machines. These
>packages are mostly for administration purposes.
>
>Automatic update of forward/reverse DNS zones is done by SSSD. RHEL 6
>version of SSSD is on par with RHEL 7 version in the recent updates.
>Additionally, MIT Kerberos backports were done in the recent updates to
>allow OTP functionality in RHEL6 as well. So most of the features are there
>already, client-wise.
>
>RHEL5 version does not have such updates and you can implement most of
>the support with existing SSSD and output of 'ipa-advise' tool on IPA
>masters. nsupdate integration would probably need to be done
>differently.
>
>Backporting IPA v4.x client code to RHEL 5 or 6 in general does not make
>much sense.
>
>--
>/ Alexander Bokovoy
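Since Alexander points at SSSD as the component that updates the forward and reverse records, the first thing to check on a client that enrols but leaves no PTR behind is the client's own sssd.conf. The following is an added example, not code from the thread: it reads the `[domain/...]` section of a constructed sssd.conf and reports the effective dynamic-DNS state. The option names are the ones documented in sssd-ipa(5) (`dyndns_update`, its older spelling `ipa_dyndns_update`, and `dyndns_update_ptr`); the realm x.com is the thread's, the second domain and the file contents are made up for the demonstration.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread). Reports whether SSSD is
# set to update the client's A and PTR records for a given IPA domain.
# The sample configuration below is constructed for the demonstration.

SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
[sssd]
domains = x.com, legacy.example
services = nss, pam

[domain/x.com]
id_provider = ipa
ipa_domain = x.com
dyndns_update = True
dyndns_update_ptr = False

[domain/legacy.example]
id_provider = ipa
ipa_dyndns_update = True
EOF

# Print the value of option $3 in section [domain/$2] of file $1, or "unset".
sssd_domain_option() {
    awk -v sect="[domain/$2]" -v key="$3" '
        /^[ \t]*[#;]/ { next }                            # comment line
        /^\[/         { insect = ($0 == sect); next }     # section header
        insect && index($0, "=") {
            split($0, kv, "=")
            k = kv[1]; v = kv[2]
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) { print v; found = 1 }
        }
        END { if (!found) print "unset" }
    ' "$1"
}

# Effective dynamic-DNS state for domain $2 in file $1, applying the defaults
# from sssd-ipa(5): dyndns_update is off and dyndns_update_ptr is on unless
# set. The older name ipa_dyndns_update is honoured when the new one is absent.
# Prints "update=<val> ptr=<val>" and succeeds only when both are enabled.
sssd_dyndns_status() {
    upd=$(sssd_domain_option "$1" "$2" dyndns_update)
    [ "$upd" = unset ] && upd=$(sssd_domain_option "$1" "$2" ipa_dyndns_update)
    [ "$upd" = unset ] && upd=false
    ptr=$(sssd_domain_option "$1" "$2" dyndns_update_ptr)
    [ "$ptr" = unset ] && ptr=true
    upd=$(printf '%s' "$upd" | tr 'A-Z' 'a-z')
    ptr=$(printf '%s' "$ptr" | tr 'A-Z' 'a-z')
    printf 'update=%s ptr=%s\n' "$upd" "$ptr"
    [ "$upd" = true ] && [ "$ptr" = true ]
}

sssd_dyndns_status "$SAMPLE_CONF" x.com || echo "x.com: PTR updates disabled"
sssd_dyndns_status "$SAMPLE_CONF" legacy.example
```

Run it against a real client with `sssd_dyndns_status /etc/sssd/sssd.conf x.com`; a non-zero exit means SSSD will not keep both records current regardless of what ipa-client-install printed.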
Re: [Freeipa-users] Allow user or group to switch user without password and not becoming root
Thank you everyone for your help!

I found two ways to implement it in IPA server and tested it. So both methods work in my current setup, RHEL 7.1 and IPA server 4.1.0. The first method allows the user to run the default terminal as a target user (bash in my case). The second method is using the SU command, but runs it as the root user. So depending on security preferences either one could satisfy admins.

===
Options: !authenticate
Who: user1
Access this Host: webserver
Run Commands: /usr/bin/sudo /bin/bash
As Whom: oracle (external user type; oracle is created locally only)

How is it working:

[user1@webserver ~]$ sudo -u oracle bash -i
[oracle@webserver user1]$

===
Options: !authenticate
Who: user1
Access this Host: webserver
Run Commands: /usr/bin/sudo /bin/su - oracle
As Whom: root

How is it working:

[user1@webserver ~]$ sudo su - oracle
Last login: Wed May 13 11:41:52 CDT 2015 on pts/0
[oracle@webserver ~]$

===

For some reason the NOPASSWD: option was not recognized correctly by IPA server. This is the output I was getting:

[user1@webserver ~]$ sudo su - oracle
sudo: unknown defaults entry `NOPASSWD:'
Last login: Tue May 12 15:00:31 CDT 2015 on pts/1
Last failed login: Wed May 13 10:46:52 CDT 2015 on pts/0
There were 7 failed login attempts since the last successful login.
[oracle@webserver ~]$

Regards,

Andrey Ptashnik

From: Gould, Joshua <joshua.go...@osumc.edu>
Date: Tuesday, May 12, 2015 at 9:41 PM
To: d...@redhat.com, freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Allow user or group to switch user without password and not becoming root

For the NOPASSWD option, I found that using !authenticate in the sudo option is what IPA wants instead.

$ ipa sudorule-add-option readfiles
Sudo Option: !authenticate
-------------------------------------------------
Added option !authenticate to Sudo rule readfiles
-------------------------------------------------

From: Dmitri Pal <d...@redhat.com>
Organization: Red Hat
Reply-To: d...@redhat.com
Date: Tuesday, May 12, 2015 at 5:32 PM
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Allow user or group to switch user without password and not becoming root

On 05/12/2015 04:44 PM, Andrey Ptashnik wrote:

> Hello Team,
>
> We have RHEL 7.1 and IPA server 4.1.0 in our environment as well as a stack of Oracle software that requires the existence of local passwordless users like weblogic and oracle. Users log in to servers via domain accounts at IPA server.
>
> I'm trying to configure a Sudo policy in IPA server that will allow users in the company to log in to servers in the IPA domain and switch to the weblogic or oracle user without having to enter any passwords, but also without increasing their privileges to root.
>
> Using a plain /etc/sudoers file it can be accomplished with something like below:
>
> %users ALL = (root) NOPASSWD: /bin/su - oracle
>
> How can I configure this behavior in IPA server?
>
> Regards,
>
> Andrey

Taking the sudoers line piece by piece:

%users ALL = (root)
    Users will be who of the IPA sudo rule
NOPASSWD:
    This will be an option that you would put into the sudo rule
/bin/su - oracle
    This will be the command. You create a command and then reference it in the rule.

At least this is what I would try.

--
Thank you,
Dmitri Pal

Director of Engineering for IdM portfolio
Red Hat, Inc.
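The two rules Andrey describes above, spelled out as the ipa CLI calls that create them. This is an added example, not code from the thread or from FreeIPA: user1, webserver, oracle, the `!authenticate` option and the two commands come from the thread; the rule names oracle_shell and oracle_su and the host FQDN webserver.x.com are assumed. Only /bin/bash is granted in the first rule, since that is the command `sudo -u oracle bash -i` matches. The calls are printed for review rather than executed unless IPA_RUN=1 is set.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread). Builds the two
# passwordless "switch to oracle" sudo rules from the thread with the ipa
# CLI. Rule names and the host FQDN are assumed values.

# Print an ipa command for review, or run it when IPA_RUN=1 (needs a ticket).
ipa_cmd() {
    if [ "${IPA_RUN:-0}" = 1 ]; then
        ipa "$@"
        return
    fi
    line=ipa
    for arg in "$@"; do
        case $arg in
            *[' !']*) line="$line '$arg'" ;;   # quote for copy-and-paste
            *)        line="$line $arg" ;;
        esac
    done
    printf '%s\n' "$line"
}

# Common part: no password prompt, scoped to one user and one host.
sudo_rule_base() {   # $1 rule, $2 user, $3 host
    ipa_cmd sudorule-add "$1"
    ipa_cmd sudorule-add-option "$1" --sudooption='!authenticate'
    ipa_cmd sudorule-add-user "$1" --users="$2"
    ipa_cmd sudorule-add-host "$1" --hosts="$3"
}

# Method 1: run bash directly as the target account; root is never involved.
# oracle exists only locally, so IPA stores it as an external RunAs user.
sudo_rule_as_target() {   # $1 rule, $2 user, $3 host, $4 target account
    sudo_rule_base "$1" "$2" "$3"
    ipa_cmd sudocmd-add /bin/bash
    ipa_cmd sudorule-add-allow-command "$1" --sudocmds=/bin/bash
    ipa_cmd sudorule-add-runasuser "$1" --users="$4"
}

# Method 2: run "su - oracle" as root. The command is pinned to one
# argument list, but the rule does pass through root.
sudo_rule_via_su() {   # $1 rule, $2 user, $3 host, $4 target account
    sudo_rule_base "$1" "$2" "$3"
    ipa_cmd sudocmd-add "/bin/su - $4"
    ipa_cmd sudorule-add-allow-command "$1" --sudocmds="/bin/su - $4"
    ipa_cmd sudorule-add-runasuser "$1" --users=root
}

# Succeeds when a generated rule runs anything as root (method 2 does).
runas_root_in() {   # $1: text produced by one of the builders
    printf '%s\n' "$1" | grep -q 'sudorule-add-runasuser .* --users=root$'
}

sudo_rule_as_target oracle_shell user1 webserver.x.com oracle
sudo_rule_via_su    oracle_su    user1 webserver.x.com oracle
```

After applying either rule, `sudo -l -U user1` on the host shows which RunAs user and command SSSD handed to sudo, which is the quickest way to see the difference between the two methods.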
[Freeipa-users] Allow user or group to switch user without password and not becoming root
Hello Team,

We have RHEL 7.1 and IPA server 4.1.0 in our environment as well as a stack of Oracle software that requires the existence of local passwordless users like weblogic and oracle. Users log in to servers via domain accounts at IPA server.

I'm trying to configure a Sudo policy in IPA server that will allow users in the company to log in to servers in the IPA domain and switch to the weblogic or oracle user without having to enter any passwords, but also without increasing their privileges to root.

Using a plain /etc/sudoers file it can be accomplished with something like below:

%users ALL = (root) NOPASSWD: /bin/su - oracle

How can I configure this behavior in IPA server?

Regards,

Andrey
Re: [Freeipa-users] Using CNAME to point to different domain name
Hi Martin,

Thank you for the catch! I just noticed that I was missing the dot you mentioned!

Regards,

Andrey

From: Martin Basti <mba...@redhat.com>
Date: Thursday, May 7, 2015 at 2:37 AM
To: Andrey Ptashnik <aptash...@cccis.com>, freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Using CNAME to point to different domain name

On 06/05/15 22:28, Andrey Ptashnik wrote:

> Hello Team,
>
> We are hosting a few servers at Amazon and using their Elastic Load Balancing service that gives us a link to a load balancer in the following format:
>
> webserver-1234567890.us-east-1.elb.amazonaws.com
>
> I was looking for a way to implement a shorter alias using CNAME like:
>
> webserver.mydomain.com
>
> pointing to the longer link from the load balancer
>
> webserver-1234567890.us-west-2.elb.amazonaws.com
>
> Is there a way to do it in RHEL 7.1 with IPA server 4.1.0 using different domain names?
>
> Regards,
>
> Andrey

Hello Andrey,

If I understand correctly, IPA manages the mydomain.com zone, so adding a CNAME record should be simple:

ipa dnsrecord-add mydomain.com webserver --cname-rec='webserver-1234567890.us-west-2.elb.amazonaws.com.'   # -- do not forget to add the dot at the end

If mydomain.com is managed outside IPA, the CNAME should be set on that external server; IPA cannot help in this case.

Martin

--
Martin Basti
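The trailing dot Martin mentions is standard zone semantics: a CNAME target without it is a relative name and is completed with the zone origin, so `webserver` would end up pointing inside mydomain.com instead of at the load balancer. The functions below are an added example, not code from the thread or from FreeIPA; they show what a relative target becomes and emit Martin's `dnsrecord-add` call only once the target is absolute. Zone and host names are the thread's.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread). Shows the effect of a
# missing trailing dot on a CNAME target and guards the ipa call against it.

# Absolute name a CNAME in zone $1 ends up pointing at for target $2.
# Without a trailing dot the target is relative to the zone origin, so the
# zone name is appended to it.
cname_effective_target() {
    zone=${1%.}                      # accept the zone with or without a dot
    case $2 in
        *.) printf '%s\n' "$2" ;;
        *)  printf '%s.%s.\n' "$2" "$zone" ;;
    esac
}

# Print the dnsrecord-add call for zone $1, name $2, target $3. A relative
# target is refused and the name it would really resolve to is reported.
ipa_cname_add() {
    case $3 in
        *.) printf "ipa dnsrecord-add %s %s --cname-rec='%s'\n" "$1" "$2" "$3" ;;
        *)  printf 'refusing relative target %s: it would resolve to %s\n' \
                "$3" "$(cname_effective_target "$1" "$3")" >&2
            return 1 ;;
    esac
}

# The mistake from the thread, then the corrected call.
ipa_cname_add mydomain.com webserver webserver-1234567890.us-west-2.elb.amazonaws.com || :
ipa_cname_add mydomain.com webserver webserver-1234567890.us-west-2.elb.amazonaws.com.
```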
[Freeipa-users] Using CNAME to point to different domain name
Hello Team,

We are hosting a few servers at Amazon and using their Elastic Load Balancing service that gives us a link to a load balancer in the following format:

webserver-1234567890.us-east-1.elb.amazonaws.com

I was looking for a way to implement a shorter alias using CNAME like:

webserver.mydomain.com

pointing to the longer link from the load balancer

webserver-1234567890.us-west-2.elb.amazonaws.com

Is there a way to do it in RHEL 7.1 with IPA server 4.1.0 using different domain names?

Regards,

Andrey
Re: [Freeipa-users] FreeIPA 4.1.4 DNS notifications not being sent to slaves
I did notice the same behavior. This is my setup:

[root@ipa-idm]# yum list installed ipa-*
Installed Packages
ipa-admintools.x86_64    4.1.0-18.el7_1.3       @rhui-REGION-rhel-server-releases
ipa-client.x86_64        4.1.0-18.el7_1.3       @rhui-REGION-rhel-server-releases
ipa-python.x86_64        4.1.0-18.el7_1.3       @rhui-REGION-rhel-server-releases
ipa-server.x86_64        4.1.0-18.el7_1.3       @rhui-REGION-rhel-server-releases

[root@ipa-idm]# yum list installed bind*
Installed Packages
bind.x86_64              32:9.9.4-18.el7_1.1    @rhui-REGION-rhel-server-releases
bind-dyndb-ldap.x86_64   6.0-2.el7              @rhui-REGION-rhel-server-releases
bind-libs.x86_64         32:9.9.4-18.el7_1.1    @rhui-REGION-rhel-server-releases
bind-libs-lite.x86_64    32:9.9.4-18.el7_1.1    @rhui-REGION-rhel-server-releases
bind-license.noarch      32:9.9.4-18.el7_1.1    @rhui-REGION-rhel-server-releases
bind-utils.x86_64        32:9.9.4-18.el7_1.1    @rhui-REGION-rhel-server-releases

In my setup the slaves are various DNS servers, including Win2k3, Win2k8 and Bind, that I don’t have access to, but according to IPA server logs they don’t receive “NOTIFY” messages OR IPA server does not send them to slaves.

Regards,

Andrey

On 5/4/15, 10:24 PM, nat...@nathanpeters.com wrote:

> freeipa-admintools.x86_64         4.1.4-1.el7.centos                 @mkosek-freeipa
> freeipa-client.x86_64             4.1.4-1.el7.centos                 @mkosek-freeipa
> freeipa-python.x86_64             4.1.4-1.el7.centos                 @mkosek-freeipa
> freeipa-server.x86_64             4.1.4-1.el7.centos                 @mkosek-freeipa
> freeipa-server-trust-ad.x86_64    4.1.4-1.el7.centos                 @mkosek-freeipa
> bind.x86_64                       32:9.9.4-20.el7.centos.pkcs11      @mkosek-freeipa
> bind-dyndb-ldap.x86_64            6.1-1.el7.centos                   @mkosek-freeipa
> bind-libs.x86_64                  32:9.9.4-20.el7.centos.pkcs11      @mkosek-freeipa
> bind-libs-lite.x86_64             32:9.9.4-20.el7.centos.pkcs11      @mkosek-freeipa
> bind-license.noarch               32:9.9.4-20.el7.centos.pkcs11      @mkosek-freeipa
> bind-pkcs11.x86_64                32:9.9.4-20.el7.centos.pkcs11      @mkosek-freeipa
> bind-pkcs11-libs.x86_64           32:9.9.4-20.el7.centos.pkcs11      @mkosek-freeipa
> bind-pkcs11-utils.x86_64          32:9.9.4-20.el7.centos.pkcs11      @mkosek-freeipa
>
> And for reference here are the relevant A and NS records from my domain
>
> @       NS      dc1.mydomain.net.
> @       NS      dc2.mydomain.net.
> @       NS      dns1.mydomain.net.
> dns1    A       10.21.0.14
>
> Hello!
>
> On 2.5.2015 17:12, Nathan Peters wrote:
> The last 3 sentences of my original post refer to me adding the NS records for the slave. Is that what you mean? I have also ensured that the slave hostname and IP are in FreeIPA DNS. I have also added an NS entry pointing to the slave.
>
> Which version of FreeIPA and bind-dyndb-ldap are you using? I will look into it.
>
> Petr^2 Spacek
>
> -----Original Message-----
> From: Baird, Josh
> Sent: Saturday, May 02, 2015 7:33 AM
> To: 'nat...@nathanpeters.com' ; freeipa-users@redhat.com
> Subject: RE: [Freeipa-users] FreeIPA 4.1.4 DNS notifications not being sent to slaves
>
> Is the PowerDNS slave in the NS RRSet for the IPA domain? Unfortunately, bind-dyndb-ldap does not support 'also-notify' which would allow us to send notifies each time a zone update occurs to slave servers
[Freeipa-users] Private key management
Hello Team,

I know that FreeIPA server supports management of public keys for each user and it is a very convenient feature. Is there any possible way to manage private keys as well, including features like re-issuing the key pair if it gets compromised?

Regards,

Andrey
Re: [Freeipa-users] Private key management
It looks like Vault is the functionality I was looking for. Thank you Rob and Dmitri for your responses.

Regards,

Andrey

On 4/8/15, 5:59 PM, Rob Crittenden <rcrit...@redhat.com> wrote:

> Andrey Ptashnik wrote:
>> Hello Team,
>>
>> I know that FreeIPA server supports management of public keys for each user and it is a very convenient feature. Is there any possible way to manage private keys as well, including features like re-issuing the key pair if it gets compromised?
>
> I assume you mean SSH keys. IPA doesn't issue keys, so re-issuing is out and AFAIK no plans to do this.
>
> There are plans for a Key Recovery vault which can store a private key, see https://fedorahosted.org/freeipa/ticket/3872 . This doesn't help in the case of compromise but it does mean that keys aren't lost.
>
> rob
[Freeipa-users] Two way trust vs one way trust and IPA features
Hello,

I’m wondering if establishing a two way trust or a one way trust in the upcoming 4.2 release is somehow going to affect the FreeIPA feature set, like the ability to add Windows groups to external groups or anything else I may not think of right now? Our Windows security team is expressing concerns about two way trust and we are planning to switch to one way when it becomes available. I’m trying to find out what could be affected.

Regards,

Andrey