[Freeipa-users] Using puppet to add servers to IPA

2014-04-10 Thread Brent Clark
Hello,

I'm looking to use puppet to add my servers to IPA automatically. This
would be used when building VMs from templates and their first puppet run
would add them into IPA.

I am wondering if anyone has had any success with doing this? Anything I
should consider... any gotchas?

Thanks!

-- 
Brent S. Clark
NOC Engineer

2580 55th St.  |  Boulder, Colorado 80301
www.tendrilinc.com  |  blog 


 
This email and any files transmitted with it are confidential and intended 
solely for the use of the individual or entity to whom they are addressed.
If you have received this email in error please notify the sender.
Please note that any views or opinions presented in this email are solely those 
of the author and do not necessarily represent those of the company.
Finally, the recipient should check this email and any attachments for the 
presence of viruses.
The company accepts no liability for any damage caused by any virus transmitted 
by this email.
___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

[Freeipa-users] WebUI questions.

2014-02-13 Thread Brent Clark
When I assign a user the role of "User Administrator" and they log into
the WebUI, they can see all the role, DNS, and config tabs and links.

They should only see the necessary tabs and links that having that role
requires and none of the extra stuff.

Is there a way to limit what appears in the WebUI based on role?

-- 
Brent S. Clark
NOC Engineer


Re: [Freeipa-users] cannot delete PTR DNS records from the command line

2014-02-13 Thread Brent Clark
Hmm, amazing what works when you spell stuff right.

Epic Fail on my part. Face plant in the mud.

Apologies to all for such silliness that I have put you all thru.

Thanks!


On Thu, Feb 13, 2014 at 9:25 AM, Petr Vobornik  wrote:

> Hello,
>
> The zone name is:
> 41.100.10.in-addr.arpa.
> Not:
> 41.100.10.in-addr-arpa.
>
> HTH
>
>
> On 13.2.2014 16:40, Brent Clark wrote:
>
>> Here are the results of the commands asked for. Also attached is a png of
>> the webui showing that the zone and record I want to delete exist.
>>
>> Many Thanks!
>>
>>
>> ipa dnsrecord-find 41.100.10.in-addr-arpa. 250
>> 
>> Number of entries returned 0
>> 
>>
>> ipa dnszone-show 41.100.10.in-addr-arpa.
>> ipa: ERROR: 41.100.10.in-addr-arpa.: DNS zone not found
>>
>> host 10.100.41.250
>> 250.41.100.10.in-addr.arpa domain name pointer test1.test.com.
>>
>>
>>
>>
>> On Thu, Feb 13, 2014 at 8:23 AM, Petr Spacek  wrote:
>>
>>> On 13.2.2014 16:15, Brent Clark wrote:
>>>
>>>> I have run into a problem where I cannot delete PTR DNS records from the
>>>> command line. This is something that until recently I have never
>>>> attempted.
>>>>
>>>> IPA version = ipa-server-2.2.0-17.el6_3.1.x86_64
>>>>
>>>> When I try to delete a PTR record I get this message.
>>>> ipa dnsrecord-del 41.100.10.in-addr-arpa. 250 --ptr-rec test1
>>>> ipa: ERROR: invalid 'hostname': invalid domain-name: not fully qualified
>>>>
>>>> ipa dnsrecord-del 41.100.10.in-addr-arpa. 250 --ptr-rec test1.test.com
>>>> ipa: ERROR: 250: DNS resource record not found
>>>>
>>>> ipa dnsrecord-del 41.100.10.in-addr-arpa. test1.test.com. --ptr-rec 250
>>>> ipa: ERROR: invalid 'hostname': invalid domain-name: not fully qualified
>>>>
>>>> It's got to be a simple thing I am missing, can someone please show what
>>>> I am doing wrong?
>>>>
>>>>
>>> Please send us output from commands:
>>>
>>> $ ipa dnszone-show 41.100.10.in-addr-arpa.
>>> $ ipa dnsrecord-find 41.100.10.in-addr-arpa. 250
>>>
>>> Thank you.
>>>
>>> --
>>> Petr^2 Spacek
>>>
>>>
>>
>
> --
> Petr Vobornik
>



-- 
Brent S. Clark
NOC Engineer

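
The fix in this thread was a single character: the zone is 41.100.10.in-addr.arpa., and the hyphenated spelling in the commands produced "DNS zone not found" and "DNS resource record not found" rather than anything that hinted at a typo. The shell functions below are an added example, not from the thread or from FreeIPA: they derive the reverse zone and record name from the IPv4 address so the zone name never has to be typed by hand, refuse a zone that does not end in .in-addr.arpa., and compose (or, after confirming the zone exists with ipa dnszone-show, run) the ipa dnsrecord-del call. They assume reverse zones delegated per /24, which is what the thread's zone is.

```shell
#!/bin/sh
# Derive reverse-zone and record names from an IPv4 address and compose the
# matching `ipa dnsrecord-del`. Added example, not from the thread or FreeIPA.
# Assumption: reverse zones are delegated per /24 (zone = first three octets
# reversed), which matches 41.100.10.in-addr.arpa. from the thread.

# 10.100.41.250 -> 41.100.10.in-addr.arpa.
reverse_zone() {
    echo "$1" | awk -F. '{ print $3 "." $2 "." $1 ".in-addr.arpa." }'
}

# 10.100.41.250 -> 250 (the record name inside that zone)
ptr_record_name() {
    echo "$1" | awk -F. '{ print $4 }'
}

# The thread's typo "in-addr-arpa" names a zone that cannot exist; refuse it
# up front instead of letting the server answer "DNS zone not found".
validate_reverse_zone() {
    case "$1" in
        *.in-addr.arpa.) return 0 ;;
        *) echo "bad reverse zone '$1': must end in .in-addr.arpa." >&2; return 1 ;;
    esac
}

# PTR data is an absolute name; add the trailing dot when it is missing.
ensure_fqdn() {
    case "$1" in
        *.) echo "$1" ;;
        *)  echo "$1." ;;
    esac
}

# Reject anything that is not shaped like a dotted quad before deriving names.
require_ipv4() {
    case "$1" in
        [0-9]*.[0-9]*.[0-9]*.[0-9]*) return 0 ;;
        *) echo "not an IPv4 address: '$1'" >&2; return 1 ;;
    esac
}

# Print the delete command for the PTR of $1 (IPv4) pointing at $2 (hostname).
ptr_del_command() {
    require_ipv4 "$1" || return 1
    zone=$(reverse_zone "$1")
    validate_reverse_zone "$zone" || return 1
    echo "ipa dnsrecord-del $zone $(ptr_record_name "$1") --ptr-rec $(ensure_fqdn "$2")"
}

# Live variant: confirm the zone exists, then delete. Needs a Kerberos ticket.
delete_ptr() {
    require_ipv4 "$1" || return 1
    zone=$(reverse_zone "$1")
    validate_reverse_zone "$zone" || return 1
    ipa dnszone-show "$zone" >/dev/null || { echo "zone $zone not found in IPA" >&2; return 1; }
    ipa dnsrecord-del "$zone" "$(ptr_record_name "$1")" --ptr-rec "$(ensure_fqdn "$2")"
}

# The thread's record; `sh ptr.sh --show` prints
#   ipa dnsrecord-del 41.100.10.in-addr.arpa. 250 --ptr-rec test1.test.com.
if [ "${1:-}" = "--show" ]; then
    ptr_del_command 10.100.41.250 test1.test.com
fi
```

Running delete_ptr instead of ptr_del_command does the zone lookup first, so a misspelled or undelegated zone fails before any delete is attempted; `host 10.100.41.250` from the thread remains the quickest way to confirm which zone actually serves the PTR.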

Re: [Freeipa-users] cannot delete PTR DNS records from the command line

2014-02-13 Thread Brent Clark
Here are the results of the commands asked for. Also attached is a png of
the webui showing that the zone and record I want to delete exist.

Many Thanks!


ipa dnsrecord-find 41.100.10.in-addr-arpa. 250

Number of entries returned 0


ipa dnszone-show 41.100.10.in-addr-arpa.
ipa: ERROR: 41.100.10.in-addr-arpa.: DNS zone not found

host 10.100.41.250
250.41.100.10.in-addr.arpa domain name pointer test1.test.com.




On Thu, Feb 13, 2014 at 8:23 AM, Petr Spacek  wrote:

> On 13.2.2014 16:15, Brent Clark wrote:
>
>> I have run into a problem where I cannot delete PTR DNS records from the
>> command line. This is something that until recently I have never
>> attempted.
>>
>> IPA version = ipa-server-2.2.0-17.el6_3.1.x86_64
>>
>> When I try to delete a PTR record I get this message.
>> ipa dnsrecord-del 41.100.10.in-addr-arpa. 250 --ptr-rec test1
>> ipa: ERROR: invalid 'hostname': invalid domain-name: not fully qualified
>>
>> ipa dnsrecord-del 41.100.10.in-addr-arpa. 250 --ptr-rec test1.test.com
>> ipa: ERROR: 250: DNS resource record not found
>>
>> ipa dnsrecord-del 41.100.10.in-addr-arpa. test1.test.com. --ptr-rec 250
>> ipa: ERROR: invalid 'hostname': invalid domain-name: not fully qualified
>>
>> It's got to be a simple thing I am missing, can someone please show what I
>> am doing wrong?
>>
>
> Please send us output from commands:
>
> $ ipa dnszone-show 41.100.10.in-addr-arpa.
> $ ipa dnsrecord-find 41.100.10.in-addr-arpa. 250
>
> Thank you.
>
> --
> Petr^2 Spacek
>



-- 
Brent S. Clark
NOC Engineer


[Freeipa-users] cannot delete PTR DNS records from the command line

2014-02-13 Thread Brent Clark
I have run into a problem where I cannot delete PTR DNS records from the
command line. This is something that until recently I have never attempted.

IPA version = ipa-server-2.2.0-17.el6_3.1.x86_64

When I try to delete a PTR record I get this message.
ipa dnsrecord-del 41.100.10.in-addr-arpa. 250 --ptr-rec test1
ipa: ERROR: invalid 'hostname': invalid domain-name: not fully qualified

ipa dnsrecord-del 41.100.10.in-addr-arpa. 250 --ptr-rec test1.test.com
ipa: ERROR: 250: DNS resource record not found

ipa dnsrecord-del 41.100.10.in-addr-arpa. test1.test.com. --ptr-rec 250
ipa: ERROR: invalid 'hostname': invalid domain-name: not fully qualified

It's got to be a simple thing I am missing, can someone please show what I
am doing wrong?

Thanks!
-- 
Brent S. Clark
NOC Engineer


[Freeipa-users] Cisco ASA and Foreman

2013-05-01 Thread Brent Clark
Hello everyone,

First I want to say how much help everyone is and that I am migrating
servers to FreeIPA clients. :)

I also have a couple other devices/applications that are currently set up
to query my old LDAP infrastructure for authentication.

I have been able to migrate them to FreeIPA, but only over port 389. When I
try 636, it fails.

Did some looking around the web and haven't found anything that helps me.

Wondering if anyone has any experience using FreeIPA port 636 to
authenticate Cisco ASA and Foreman?

Thanks!

-- 
Brent S. Clark
NOC Engineer


Re: [Freeipa-users] Freeipa-users Digest, Vol 57, Issue 66

2013-04-25 Thread Brent Clark
I use the following on my CentOS 6.3 servers for the ssh keys to work from
IPA.

sshd.conf
AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys




> --
> To: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] Freeipa -ssh keys
> Message-ID: <517994ae.4050...@redhat.com>
>
>
> > AuthorizedKeysCommand '/usr/bin/sss_ssh_authorizedkeys %u'
>

-- 
Brent S. Clark
NOC Engineer

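
The sshd line above hands every public-key lookup to SSSD, which fetches the keys stored on the user's IPA entry. Two more settings decide whether it actually works, and the checker below looks for all of them. It is an added example written for this page, not from the thread, SSSD or FreeIPA, and the sample configuration files it writes are constructed: AuthorizedKeysCommand must point at sss_ssh_authorizedkeys, sshd needs AuthorizedKeysCommandUser (OpenSSH 6.2 and later refuse to run the command without it; the OpenSSH shipped with RHEL/CentOS 6 spells the directive AuthorizedKeysCommandRunAs), and sssd.conf must list the ssh responder in its services line.

```shell
#!/bin/sh
# Lint sshd_config and sssd.conf for the sss_ssh_authorizedkeys setup.
# Added example; the sample files below are constructed, not from a real host.

# Print the (unquoted) first token of an sshd directive's value. sshd keywords
# are case-insensitive; commented lines start with '#' and never match.
sshd_value() {
    awk -v key="$2" 'tolower($1) == key { print $2; exit }' "$1" | tr -d "'\""
}

# 0 = sshd will ask SSSD for keys, 1 = something is missing (reasons printed)
check_sshd_config() {
    status=0
    cmd=$(sshd_value "$1" authorizedkeyscommand)
    case "$cmd" in
        */sss_ssh_authorizedkeys) ;;
        "") echo "$1: AuthorizedKeysCommand is not set"; status=1 ;;
        *)  echo "$1: AuthorizedKeysCommand is '$cmd', not sss_ssh_authorizedkeys"; status=1 ;;
    esac
    # OpenSSH 6.2+ refuses to run the command without AuthorizedKeysCommandUser;
    # the OpenSSH shipped with RHEL/CentOS 6 spells it AuthorizedKeysCommandRunAs.
    user=$(sshd_value "$1" authorizedkeyscommanduser)
    [ -n "$user" ] || user=$(sshd_value "$1" authorizedkeyscommandrunas)
    if [ -z "$user" ]; then
        echo "$1: AuthorizedKeysCommandUser/AuthorizedKeysCommandRunAs is not set"
        status=1
    fi
    return $status
}

# 0 if the ssh responder is listed in sssd.conf's "services =" line
check_sssd_ssh_responder() {
    sed -n 's/^[[:space:]]*services[[:space:]]*=[[:space:]]*//p' "$1" \
        | tr ',' ' ' | tr -s ' ' '\n' | grep -qx ssh
}

# Write constructed sample files into directory "$1".
write_samples() {
    cat > "$1/sshd_config.good" <<'EOF'
# constructed sample: what the thread's setup should look like
PasswordAuthentication no
AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
AuthorizedKeysCommandUser nobody
EOF
    cat > "$1/sshd_config.bad" <<'EOF'
# constructed sample: the directives are commented out, so sshd only reads ~/.ssh/authorized_keys
#AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
#AuthorizedKeysCommandUser nobody
EOF
    cat > "$1/sssd.conf" <<'EOF'
[sssd]
services = nss, pam, ssh
domains = example.com
EOF
}

demo() {
    dir=$(mktemp -d)
    write_samples "$dir"
    for f in "$dir/sshd_config.good" "$dir/sshd_config.bad"; do
        if check_sshd_config "$f"; then echo "$f: ok"; fi
    done
    check_sssd_ssh_responder "$dir/sssd.conf" && echo "sssd: ssh responder enabled"
    rm -rf "$dir"
}

# `sh lint.sh --demo` runs the checks on the constructed samples; for a real
# host call check_sshd_config /etc/ssh/sshd_config and
# check_sssd_ssh_responder /etc/sssd/sssd.conf.
if [ "${1:-}" = "--demo" ]; then demo; fi
```

The quoted form from the digest, `'/usr/bin/sss_ssh_authorizedkeys %u'`, passes the check as well, since only the program path is compared. Whichever spelling of the user directive applies, it names the unprivileged account the lookup runs as, which is why sshd insists on it.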

[Freeipa-users] Cloned server

2013-04-23 Thread Brent Clark
Question,

Using ESXi to run many virtual servers in my environment. Sometimes it's
necessary to "clone" a server to a new name to have a copy of it. If the
server is an IPA member, so will be the clone (?) until the clone's hostname
changes.

I have done some looking around and I haven't found a solution to the issue
that comes up in this situation. I don't want to remove the original host
entry from IPA, but I do need to "uninstall" the configuration from the
cloned server before I can add it back to IPA under its new hostname.

Is there a way to accomplish this, or do I have to remove the original
server from IPA, uninstall off the original and clone, then add each back
into IPA?

Thanks for all your help.

-- 
Brent S. Clark

 

Re: [Freeipa-users] Replication Issue

2013-04-05 Thread Brent Clark
Thanks for all the help!

After fixing the DNS issues, I then solved the LDAP error by rebooting the
master and replica, something I hadn't done since installing IPA on both of
them and setting them up.


On Fri, Apr 5, 2013 at 9:51 AM, Rich Megginson  wrote:

> On 04/05/2013 08:41 AM, Simo Sorce wrote:
>
>> On Fri, 2013-04-05 at 08:30 -0600, Brent Clark wrote:
>>
>>> You were correct, my reverse DNS entries for the master and replica
>>> were missing. Odd, since they both existed at one point.
>>>
>>
>> Rob,
>> I think we should open a ticket against 389ds, we should never depend on
>> PTR records.
>>
>> In this case I believe the ldap libraries are at fault since they now
>> force SASL canonicalization on which is know to be broken for gssapi as
>> it causes reverse resolution.
>>
>> Rich do you set LDAP_OPT_X_SASL_NOCANON in 389ds code at all ?
>>
> Yes.
> ldap/servers/slapd/ldaputil.c:ldap_set_option(ld,
> LDAP_OPT_X_SASL_NOCANON, LDAP_OPT_ON);
>
> Should this be off by default?  Should this be configurable?
>
>
>
>> Simo.
>>
>>> Running the same commands again results in the following
>>> On the Replica system
>>>
>>>
>>> ipa-replica-manage list replica.example.com -v
>>>
>>> master.example.com: replica
>>>last init status: None
>>>last init ended: None
>>>last update status: 0 Replica acquired successfully: Incremental
>>> update succeeded
>>>last update ended: 2013-04-05 14:18:11+00:00
>>>
>>>
>>> ipa-replica-manage list master.example.com -v
>>>
>>> Failed to get data from 'dpu-inf-ldap01.tni01.com': {'info':
>>> 'SASL(-1): generic failure: GSSAPI Error: An invalid name was supplied
>>> (Cannot determine realm for numeric host address)', 'desc': 'Local
>>> error'}
>>> ===
>>> On the master system
>>>
>>>
>>> ipa-replica-manage list replica.example.com -v
>>> master.example.com: replica
>>>last init status: None
>>>last init ended: None
>>>last update status: 0 Replica acquired successfully: Incremental
>>> update succeeded
>>>last update ended: 2013-04-05 14:19:39+00:00
>>>
>>>
>>> ipa-replica-manage list master.example.tni01.com -v
>>> replica.example.com: replica
>>>last init status: 0 Total update succeeded
>>>last init ended: 2013-04-04 20:06:44+00:00
>>>last update status: 49  - LDAP error: Invalid credentials
>>>last update ended: 2013-04-04 20:06:55+00:00
>>>
>>>
>>>
>>>
>>> On Thu, Apr 4, 2013 at 2:51 PM, Rob Crittenden  wrote:
>>>
>>>> Brent Clark wrote:
>>>>
>>>>> Ok, I have done as Steven Jones requested... here is the output from the
>>>>> replica
>>>>>
>>>>> I am able to kinit to admin using the password.
>>>>>
>>>>> Issuing the ipa-replica-manage command on the replica for the replica
>>>>>
>>>>> replcia.mydomain.com: replica
>>>>>   last init status: None
>>>>>   last init ended: None
>>>>>   last update status: -2  - System error
>>>>>   last update ended: None
>>>>>
>>>>> Same command but for the master
>>>>> Failed to get data from 'master.example.com': {'info': SASL (-1):
>>>>> generic failure: GSSAPI Error: An invalid name was supplied (Cannot
>>>>> determine realm for numeric host address)', 'desc':'Local error'}
>>>>>
>>>>> I can ping, telnet on all the IPA ports and ssh to the main server from
>>>>> the replica.
>>>>>
>>>>> So... I'm confused.
>>>>>
>>>>> Also on a whim, I was able to add a server to the replica and that hos

Re: [Freeipa-users] Replication Issue

2013-04-05 Thread Brent Clark
You were correct, my reverse DNS entries for the master and replica were
missing. Odd, since they both existed at one point.

Running the same commands again results in the following
On the Replica system

ipa-replica-manage list replica.example.com -v
master.example.com: replica
  last init status: None
  last init ended: None
  last update status: 0 Replica acquired successfully: Incremental update
succeeded
  last update ended: 2013-04-05 14:18:11+00:00

ipa-replica-manage list master.example.com -v
Failed to get data from 'dpu-inf-ldap01.tni01.com': {'info': 'SASL(-1):
generic failure: GSSAPI Error: An invalid name was supplied (Cannot
determine realm for numeric host address)', 'desc': 'Local error'}
===
On the master system

ipa-replica-manage list replica.example.com -v
master.example.com: replica
  last init status: None
  last init ended: None
  last update status: 0 Replica acquired successfully: Incremental update
succeeded
  last update ended: 2013-04-05 14:19:39+00:00

ipa-replica-manage list master.example.tni01.com -v
replica.example.com: replica
  last init status: 0 Total update succeeded
  last init ended: 2013-04-04 20:06:44+00:00
  last update status: 49  - LDAP error: Invalid credentials
  last update ended: 2013-04-04 20:06:55+00:00



On Thu, Apr 4, 2013 at 2:51 PM, Rob Crittenden  wrote:

> Brent Clark wrote:
>
>> Ok, I have done as Steven Jones requested... here is the output from the
>> replica
>>
>> I am able to kinit to admin using the password.
>>
>> Issuing the ipa-replica-manage command on the replica for the replica
>>
>> replcia.mydomain.com <http://replcia.mydomain.com>: replica
>>
>>   last init status: None
>>   last init ended: None
>>   last update status: -2  - System error
>>   last update ended: None
>>
>> Same command but for the master
>> Failed to get data from 'master.example.com
>> <http://master.example.com>': {'info': SASL (-1): generic failure:
>>
>> GSSAPI Error: An invalid name was supplied (Cannot determine realm for
>> numeric host address)', 'desc':'Local error'}
>>
>> I can ping, telnet on all the IPA ports and ssh to the main server from
>> the replica.
>>
>> So... I'm confused.
>>
>> Also on a whim, I was able to add a server to the replica and that host
>> info did make it to the master.
>>
>
> Sounds like a DNS issue. Make sure forward and reverse DNS works for
> master.example.com.
>
> rob
>
>


-- 
Brent S. Clark
NOC Engineer

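
Rob's advice above is the whole diagnosis: the GSSAPI layer reverse-resolves the peer's address (Simo's point about SASL canonicalization elsewhere in this thread), so a master or replica with no PTR record surfaces as "Cannot determine realm for numeric host address" and a failed replication agreement. The script below is an added example, not from the thread or from FreeIPA, that checks that each server's A and PTR records agree. The comparison is kept separate from the dig calls so it can be exercised on fixed answers; the hostnames and addresses in the usage line are constructed.

```shell
#!/bin/sh
# Verify that forward (A) and reverse (PTR) DNS agree for each IPA server.
# Added example; the server list in the usage comment is constructed.

# Pure comparison: 0 when the resolver answers match expectations, 1 otherwise.
# $1 fqdn, $2 expected IPv4, $3 forward answer, $4 reverse answer (PTR data,
# with or without the trailing dot dig prints).
dns_consistent() {
    fqdn=${1%.}; ip=$2; fwd=$3; rev=${4%.}
    ok=0
    if [ "$fwd" != "$ip" ]; then
        echo "$fqdn: A record resolves to '${fwd:-nothing}', expected $ip"
        ok=1
    fi
    if [ "$rev" != "$fqdn" ]; then
        echo "$ip: PTR resolves to '${rev:-nothing}', expected $fqdn"
        ok=1
    fi
    return $ok
}

# Live lookups. Only a dotted-quad answer counts for the forward side, so a
# CNAME in front of the server is reported as a mismatch rather than hidden;
# both print nothing when the record is missing.
forward_lookup() { dig +short A "$1" | grep -E '^[0-9]+(\.[0-9]+){3}$' | head -n 1; }
reverse_lookup() { dig +short -x "$1" | head -n 1; }

# Check one server by name and address.
check_server() {
    dns_consistent "$1" "$2" "$(forward_lookup "$1")" "$(reverse_lookup "$2")"
}

# Read "fqdn ip" pairs from stdin; exit 1 if any pair disagrees.
check_servers() {
    failed=0
    while read -r name addr; do
        [ -n "$name" ] || continue
        if check_server "$name" "$addr"; then
            echo "$name ($addr): forward and reverse agree"
        else
            failed=1
        fi
    done
    return $failed
}

# Usage (constructed addresses; substitute the real master and replica):
#   printf 'master.example.com 10.100.41.10\nreplica.example.com 10.100.41.11\n' \
#       | sh dnscheck.sh --check
if [ "${1:-}" = "--check" ]; then
    check_servers
fi
```

Run it from both the master and the replica, since each side resolves the other through its own resolver configuration; the thread's "last update status: 49 - LDAP error: Invalid credentials" on the master disappeared only once both directions resolved and the services were restarted.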

[Freeipa-users] Replication Issue

2013-04-04 Thread Brent Clark
Ok, I have done as Steven Jones requested... here is the output from the
replica

I am able to kinit to admin using the password.

Issuing the ipa-replica-manage command on the replica for the replica

replcia.mydomain.com: replica
 last init status: None
 last init ended: None
 last update status: -2  - System error
 last update ended: None

Same command but for the master
Failed to get data from 'master.example.com': {'info': SASL (-1): generic
failure: GSSAPI Error: An invalid name was supplied (Cannot determine realm
for numeric host address)', 'desc':'Local error'}

I can ping, telnet on all the IPA ports and ssh to the main server from the
replica.

So... I'm confused.

Also on a whim, I was able to add a server to the replica and that host
info did make it to the master.

-- 
Brent S. Clark

 

[Freeipa-users] Replication Issue

2013-04-03 Thread Brent Clark
I have set up 2 IPA servers. I followed the docs on the Red Hat site to do so.
Everything went smooth and the replica was able to pull everything from the
master. I was able to import data from an LDAP server and all my users and
groups show up fine.

I changed my user id password in the GUI on the replica and it did not
propagate to the master. When I tried to log in to the master server with the
new password, it errored; it did take the old password. So I think it
didn't replicate the password change.

In addition, I also cannot log in to the replica using my user id anymore
with either the old or new password.

Any thoughts/help is appreciated.

My set up is CentOS 6.3 with ipa-server-2.2.0-17.

-- 
Brent S. Clark
NOC Engineer
