Re: [Freeipa-users] Improving FreeIPA.org
Hi,

I think a small screenshot in the middle or on the side of the main webpage will serve to increase the coolness of the website and may possibly even result in many more people trying it out and visiting the demo.

Regards,
Suhail Choudhury.
DevOps | Recommendations Team | BSkyB

From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Petr Spacek [pspa...@redhat.com]
Sent: 19 August 2014 16:13
To: freeipa-users@redhat.com
Subject: [Freeipa-users] Improving FreeIPA.org

Hello community,

Do you have an idea how to improve the Freeipa.org web site? Share it!

I will start: the main page currently contains three links placed right above the Main features section header:

Learn more about FreeIPA • What FreeIPA means for me? • Try FreeIPA in a public demo

It seems to me that the two links Learn more about FreeIPA [http://www.freeipa.org/page/About] and What FreeIPA means for me? [http://www.freeipa.org/page/Leaflet] are somehow too much for the main page. I propose to either merge About and Leaflet or to hide Leaflet from the main page.

It would be better to replace Leaflet with Quick Start Guide:

Learn more about FreeIPA • Quick Start Guide • Try FreeIPA in a public demo

--
Petr^2 Spacek

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project

Information in this email including any attachments may be privileged, confidential and is intended exclusively for the addressee. The views expressed may not be official policy, but the personal views of the originator. If you have received it in error, please notify the sender by return e-mail and delete it from your system. You should not reproduce, distribute, store, retransmit, use or disclose its contents to anyone. Please note we reserve the right to monitor all e-mail communication through our internal and external networks.

SKY and the SKY marks are trademarks of British Sky Broadcasting Group plc and Sky International AG and are used under licence. British Sky Broadcasting Limited (Registration No. 2906991), Sky-In-Home Service Limited (Registration No. 2067075) and Sky Subscribers Services Limited (Registration No. 2340150) are direct or indirect subsidiaries of British Sky Broadcasting Group plc (Registration No. 2247735). All of the companies mentioned in this paragraph are incorporated in England and Wales and share the same registered office at Grant Way, Isleworth, Middlesex TW7 5QD.
Re: [Freeipa-users] IPA Replica Issues
Hi,

Check your GSSAPIAuthentication settings in sshd.conf and restart sshd:

    GSSAPIAuthentication yes
    GSSAPICleanupCredentials yes

Last week I had some replication problems between replicas which were fixed after re-enabling GSSAPI.

Regards,
Suhail Choudhury.
DevOps | Recommendations Team | BSkyB

From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Joseph, Matthew (EXP) [matthew.jos...@lmco.com]
Sent: 28 July 2014 17:46
To: freeipa-users@redhat.com
Subject: [Freeipa-users] IPA Replica Issues

Hello,

I’m currently running into some issues with my replica server. I noticed it wasn’t getting any updates from the master server so I tried to do a force-sync but it states that it is an “invalid password”, which I know is not the case.

I tried doing an ipa-replica-manager list replica_server but it gives me the SASL(-13) authentication failure:

    GSSAPI Failure: gss_accept_sec_context, ‘desc’ Invalid Credentials

I’ve tried doing a kdestroy and have it prompt me for the password but again, same error.

Any idea what this would be?

Thanks,
Matt
[Freeipa-users] IPA Replication Status
Hi,

I'm finding that on all IPA servers in 1 cluster the replication status shows as either busy or started, but no succeeded status is being reported:

    [root@recsds2 ~]# ipa-replica-manage list -v $HOSTNAME
    recsds1.bskyb.com: replica
      last init status: None
      last init ended: None
      last update status: 1 Can't acquire busy replica
      last update ended: 2014-07-23 11:29:48+00:00
    recsds3.bskyb.com: replica
      last init status: None
      last init ended: None
      last update status: 1 Can't acquire busy replica
      last update ended: 2014-07-23 11:29:46+00:00

    [root@recsds2 ~]# ipa-replica-manage list -v $HOSTNAME
    recsds1.bskyb.com: replica
      last init status: None
      last init ended: None
      last update status: 0 Replica acquired successfully: Incremental update started
      last update ended: None
    recsds3.bskyb.com: replica
      last init status: None
      last init ended: None
      last update status: 0 Replica acquired successfully: Incremental update started
      last update ended: None

This is as opposed to another IPA cluster:

    /home/sch # ipa-replica-manage list -v $HOSTNAME
    ipa01.ath.skycdc.com: replica
      last init status: None
      last init ended: None
      last update status: 0 Replica acquired successfully: Incremental update succeeded
      last update ended: 2014-07-23 11:24:22+00:00
    ipa01.hhe.skycdc.com: replica
      last init status: None
      last init ended: None
      last update status: 0 Replica acquired successfully: Incremental update succeeded
      last update ended: 2014-07-23 11:24:22+00:00
    ipa02.ath.skycdc.com: replica
      last init status: None
      last init ended: None
      last update status: 0 Replica acquired successfully: Incremental update succeeded
      last update ended: 2014-07-23 11:24:22+00:00
    ipa02.hhe.skycdc.com: replica
      last init status: None
      last init ended: None
      last update status: 0 Replica acquired successfully: Incremental update succeeded
      last update ended: 2014-07-23 11:24:22+00:00
    ipa02.slu.skycdc.com: replica
      last init status: None
      last init ended: None
      last update status: 0 Replica acquired successfully: Incremental update succeeded
      last update ended: 2014-07-23 11:24:21+00:00

Do you know what may be causing this?

Regards,
Suhail Choudhury.
DevOps | Recommendations Team | BSkyB
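An added example, not code from the thread or from the FreeIPA project: it parses `ipa-replica-manage list -v` output of the shape shown above and flags each agreement that is busy, stuck in "started", or whose last successful update is older than a threshold. The sample output and the 30-minute staleness threshold are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample shaped like the `ipa-replica-manage list -v $HOSTNAME`
# output quoted in the thread: two agreements from the unhealthy cluster and
# one from the healthy cluster.
SAMPLE_OUTPUT = """\
recsds1.bskyb.com: replica
  last init status: None
  last init ended: None
  last update status: 1 Can't acquire busy replica
  last update ended: 2014-07-23 11:29:48+00:00
recsds3.bskyb.com: replica
  last init status: None
  last init ended: None
  last update status: 0 Replica acquired successfully: Incremental update started
  last update ended: None
ipa01.ath.skycdc.com: replica
  last init status: None
  last init ended: None
  last update status: 0 Replica acquired successfully: Incremental update succeeded
  last update ended: 2014-07-23 11:24:22+00:00
"""

HOST_RE = re.compile(r"^(\S+): replica\s*$")
FIELD_RE = re.compile(r"^\s+(last (?:init|update) (?:status|ended)): (.*)$")


def parse_replica_list(text):
    """Turn the per-agreement block format into {peer: {field: value}}."""
    agreements = {}
    current = None
    for line in text.splitlines():
        host = HOST_RE.match(line)
        if host:
            current = host.group(1)
            agreements[current] = {}
            continue
        field = FIELD_RE.match(line)
        if field and current is not None:
            agreements[current][field.group(1)] = field.group(2).strip()
    return agreements


def parse_ended(value):
    """'2014-07-23 11:29:48+00:00' -> aware datetime; the literal 'None' -> None."""
    if value is None or value == "None":
        return None
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S%z")


def find_unhealthy(agreements, now, max_age=timedelta(minutes=30)):
    """Classify every agreement that is not in a clean, recent 'succeeded' state.

    busy   - status code 1 "Can't acquire busy replica" (the supplier could not
             take the replica lock, as seen on recsds2 in the thread)
    error  - any other non-zero status code
    stuck  - status 0 but the update only 'started' and never ended
    stale  - a succeeded update whose end time is older than max_age
    """
    problems = {}
    for peer, fields in agreements.items():
        status = fields.get("last update status", "")
        code = status.split(" ", 1)[0]
        if code != "0":
            problems[peer] = "busy" if "busy replica" in status else "error"
        elif "succeeded" not in status:
            problems[peer] = "stuck"
        else:
            ended = parse_ended(fields.get("last update ended"))
            if ended is None or now - ended > max_age:
                problems[peer] = "stale"
    return problems


def check_sample(now_text="2014-07-23 11:40:00+00:00"):
    """Run the check over the constructed sample at a fixed reference time."""
    return find_unhealthy(parse_replica_list(SAMPLE_OUTPUT), parse_ended(now_text))


if __name__ == "__main__":
    for peer, why in sorted(check_sample().items()):
        print("%s: %s" % (peer, why))
```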
Re: [Freeipa-users] IPA Replication Status
I have the following errors on different boxes:

    [root@recsds1 sch32]# tail -f /var/log/dirsrv/slapd-RECS-BSKYB-COM/errors
    [23/Jul/2014:12:28:54 +0100] NSMMReplicationPlugin - CleanAllRUV Task: Replicas have not been cleaned yet, retrying in 10 seconds
    [23/Jul/2014:12:29:06 +0100] NSMMReplicationPlugin - CleanAllRUV Task: Waiting for all the replicas to finish cleaning...
    [23/Jul/2014:12:29:06 +0100] NSMMReplicationPlugin - CleanAllRUV Task: Not all replicas finished cleaning, retrying in 10 seconds
    [23/Jul/2014:12:29:16 +0100] NSMMReplicationPlugin - CleanAllRUV Task: Not all replicas finished cleaning, retrying in 20 seconds
    [23/Jul/2014:12:29:36 +0100] NSMMReplicationPlugin - CleanAllRUV Task: Not all replicas finished cleaning, retrying in 40 seconds

    [root@recsds3 sch32]# tail -f /var/log/dirsrv/slapd-RECS-BSKYB-COM/errors
    [23/Jul/2014:12:52:10 +0100] agmt=cn=meTorecsds2.bskyb.com (recsds2:389) - Can't locate CSN 53c7ba270010 in the changelog (DB rc=-30988). The consumer may need to be reinitialized.
    [23/Jul/2014:12:52:10 +0100] NSMMReplicationPlugin - agmt=cn=meTorecsds2.bskyb.com (recsds2:389): changelog iteration code returned a dummy entry with csn 53c7c6b100020010, skipping ...
    [23/Jul/2014:12:52:13 +0100] agmt=cn=meTorecsds4.bskyb.com (recsds4:389) - Can't locate CSN 53c7ba7500040010 in the changelog (DB rc=-30988). The consumer may need to be reinitialized.
    [23/Jul/2014:12:52:13 +0100] NSMMReplicationPlugin - agmt=cn=meTorecsds4.bskyb.com (recsds4:389): changelog iteration code returned a dummy entry with csn 53c7c6b100020010, skipping ...
    [23/Jul/2014:12:52:13 +0100] agmt=cn=meTorecsds2.bskyb.com (recsds2:389) - Can't locate CSN 53c7ba270010 in the changelog (DB rc=-30988). The consumer may need to be reinitialized.

    [root@recsds4 ~]# tail -f /var/log/dirsrv/slapd-RECS-BSKYB-COM/errors
    [23/Jul/2014:12:52:03 +0100] ldbm_back_modify - Attempt to modify a tombstone entry nsuniqueid=b0838195-0da911e4-9433f833-313b8581,krbprincipalname=DNS/recsds1.bskyb@recs.bskyb.com,cn=services,cn=accounts,dc=recs,dc=bskyb,dc=com
    [23/Jul/2014:12:52:03 +0100] ldbm_back_modify - Attempt to modify a tombstone entry nsuniqueid=85992d8b-0da911e4-9433f833-313b8581,fqdn=recsds1.bskyb.com,cn=computers,cn=accounts,dc=recs,dc=bskyb,dc=com
    [23/Jul/2014:12:52:06 +0100] ldbm_back_modify - Attempt to modify a tombstone entry nsuniqueid=b0838195-0da911e4-9433f833-313b8581,krbprincipalname=DNS/recsds1.bskyb@recs.bskyb.com,cn=services,cn=accounts,dc=recs,dc=bskyb,dc=com

    [root@recsds5 sch32]# tail -f /var/log/dirsrv/slapd-RECS-BSKYB-COM/errors
    [23/Jul/2014:12:52:08 +0100] NSMMReplicationPlugin - agmt=cn=meTorecsds4.bskyb.com (recsds4:389): Consumer failed to replay change (uniqueid 85992d8b-0da911e4-9433f833-313b8581, CSN 53c7ba7e00030010): Server is unwilling to perform (53). Will retry later.
    [23/Jul/2014:12:52:08 +0100] NSMMReplicationPlugin - agmt=cn=meTorecsds4.bskyb.com (recsds4:389): Consumer failed to replay change (uniqueid b0838197-0da911e4-9433f833-313b8581, CSN 53c7ba900010): Server is unwilling to perform (53). Will retry later.
    [23/Jul/2014:12:52:16 +0100] NSMMReplicationPlugin - agmt=cn=meTorecsds4.bskyb.com (recsds4:389): Consumer failed to replay change (uniqueid b0838195-0da911e4-9433f833-313b8581, CSN 53c7ba7500050010): Server is unwilling to perform (53). Will retry later.

The background to this is that a storage crash caused the master CA IPA to get fudged, and I then proceeded to promote a replica to master CA, re-added the crashed IPAs and am trying to sync them all up again and clean old orphaned RUVs.

Regards,
Suhail Choudhury.
DevOps | Recommendations Team | BSkyB

From: Martin Kosek [mko...@redhat.com]
Sent: 23 July 2014 12:43
To: Choudhury, Suhail; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] IPA Replication Status

On 07/23/2014 01:36 PM, Choudhury, Suhail wrote:
Hi,

I'm finding that on all IPA servers in 1 cluster the replication status shows as either busy or started, but no succeeded status is being reported:

    [root@recsds2 ~]# ipa-replica-manage list -v $HOSTNAME
    recsds1.bskyb.com: replica
      last init status: None
      last init ended: None
      last update status: 1 Can't acquire busy replica
      last update ended: 2014-07-23 11:29:48+00:00
    recsds3.bskyb.com: replica
      last init status: None
      last init ended: None
      last update status: 1 Can't acquire busy replica
      last update ended: 2014-07-23 11:29:46+00:00

    [root@recsds2 ~]# ipa-replica-manage list -v $HOSTNAME
    recsds1.bskyb.com: replica
      last init status: None
      last init ended: None
      last update status: 0 Replica acquired successfully: Incremental update started
      last update ended: None
    recsds3.bskyb.com: replica
      last init status: None
      last init ended: None
      last update status: 0 Replica acquired successfully: Incremental update started
      last update ended: None

This is as opposed
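An added example, not code from the thread or from 389-ds/FreeIPA: it classifies errors-log lines of the kinds quoted above (CleanAllRUV waiting, "Can't locate CSN", tombstone modifies, refused replays) and lists the peers whose agreements hit the missing-CSN condition. The sample lines are constructed to match the thread's format, and the category labels are this example's own.

```python
import re
from collections import Counter, defaultdict

# Constructed lines in the shape of the /var/log/dirsrv/slapd-*/errors entries
# quoted above; host names, CSNs and uniqueids are sample values.
SAMPLE_ERRORS = """\
[23/Jul/2014:12:29:06 +0100] NSMMReplicationPlugin - CleanAllRUV Task: Not all replicas finished cleaning, retrying in 10 seconds
[23/Jul/2014:12:52:10 +0100] agmt=cn=meTorecsds2.bskyb.com (recsds2:389) - Can't locate CSN 53c7ba270010 in the changelog (DB rc=-30988). The consumer may need to be reinitialized.
[23/Jul/2014:12:52:10 +0100] NSMMReplicationPlugin - agmt=cn=meTorecsds2.bskyb.com (recsds2:389): changelog iteration code returned a dummy entry with csn 53c7c6b100020010, skipping ...
[23/Jul/2014:12:52:03 +0100] ldbm_back_modify - Attempt to modify a tombstone entry nsuniqueid=85992d8b-0da911e4-9433f833-313b8581,fqdn=recsds1.bskyb.com,cn=computers,cn=accounts,dc=recs,dc=bskyb,dc=com
[23/Jul/2014:12:52:08 +0100] NSMMReplicationPlugin - agmt=cn=meTorecsds4.bskyb.com (recsds4:389): Consumer failed to replay change (uniqueid 85992d8b-0da911e4-9433f833-313b8581, CSN 53c7ba7e00030010): Server is unwilling to perform (53). Will retry later.
[23/Jul/2014:12:52:13 +0100] agmt=cn=meTorecsds4.bskyb.com (recsds4:389) - Can't locate CSN 53c7ba7500040010 in the changelog (DB rc=-30988). The consumer may need to be reinitialized.
"""

LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\]\s+(?P<msg>.*)$")
# 389-ds writes agmt="cn=..." (host:port); the thread's copy lost the quotes, so accept both.
AGMT_RE = re.compile(r'agmt="?cn=(?P<agmt>[^"\s]+)"?\s+\((?P<peer>[^)]+)\)')
CSN_RE = re.compile(r"\bcsn (?P<csn>[0-9a-f]+)", re.IGNORECASE)

# First match wins; the labels are this example's own, not 389-ds terminology.
CLASSES = [
    ("csn_missing", re.compile(r"Can't locate CSN .* in the changelog")),
    ("replay_refused", re.compile(r"Consumer failed to replay change .*unwilling to perform \(53\)")),
    ("tombstone_modify", re.compile(r"Attempt to modify a tombstone entry")),
    ("cleanallruv_waiting", re.compile(r"CleanAllRUV Task: (?:Not all replicas finished cleaning|Replicas have not been cleaned yet|Waiting for all the replicas)")),
    ("dummy_entry_skipped", re.compile(r"changelog iteration code returned a dummy entry")),
]


def classify_line(line):
    """Return {ts, kind, peer, csn} for one errors-log line, or None if it is not one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    msg = m.group("msg")
    kind = next((name for name, pat in CLASSES if pat.search(msg)), "other")
    agmt = AGMT_RE.search(msg)
    csn = CSN_RE.search(msg)
    return {
        "ts": m.group("ts"),
        "kind": kind,
        "peer": agmt.group("peer") if agmt else None,
        "csn": csn.group("csn") if csn else None,
    }


def summarize(text):
    """Count lines per kind and collect which replication peers each kind involved."""
    counts, peers = Counter(), defaultdict(set)
    for line in text.splitlines():
        rec = classify_line(line)
        if rec is None:
            continue
        counts[rec["kind"]] += 1
        if rec["peer"]:
            peers[rec["kind"]].add(rec["peer"])
    return counts, {kind: sorted(p) for kind, p in peers.items()}


def peers_needing_reinit(text):
    """Peers for which the supplier logged "Can't locate CSN": the line itself says
    the consumer may need to be reinitialized, which in FreeIPA is done with
    `ipa-replica-manage re-initialize --from <healthy master>` on that consumer."""
    _, peers = summarize(text)
    return peers.get("csn_missing", [])


if __name__ == "__main__":
    counts, peers = summarize(SAMPLE_ERRORS)
    for kind, n in counts.most_common():
        print("%-20s %d  %s" % (kind, n, ", ".join(peers.get(kind, []))))
    print("re-initialize:", peers_needing_reinit(SAMPLE_ERRORS))
```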
[Freeipa-users] Difference between Masters and Replicas?
Hi,

I'd like some clarification on what a master and replica is please.

This doc suggests you start with 1 master and a replica can be promoted to a master by changing /var/lib/pki-ca/conf/CS.cfg:
http://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/promoting-replica.html

However IPA is supposed to be multi-master replication, and replication agreements appear to be two-way when checking ipa-replica-manage list hostname on a given IPA server.

So when creating a replica using:

    ipa-replica-install --setup-ca --setup-dns --forwarder=172.20.220.25 --forwarder=172.20.220.27 /root/replica-info-ipa01.domain.com.gpg

am I creating another master replica?

Regards,
Suhail Choudhury.
DevOps | Recommendations Team | BSkyB
[Freeipa-users] IPA Replica Install Failing with UnboundLocalError: local variable 'replman' referenced before assignment
Hi,

I'm trying to install some new IPA replicas but getting this installation error:

--
    ipa : DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipaserver/install/plugins/rename_managed.py'
    ipa : DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipaserver/install/plugins/update_anonymous_aci.py'
    ipa : DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipaserver/install/plugins/update_services.py'
    ipa : DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipaserver/install/plugins/updateclient.py'
    ipa : DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipaserver/install/plugins/upload_cacrt.py'
    ipa : DEBUG ds group dirsrv exists
    ipa : DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state'
    ipa : INFO   File "/usr/lib/python2.6/site-packages/ipaserver/install/installutils.py", line 614, in run_script
        return_value = main_function()
      File "/usr/sbin/ipa-replica-install", line 458, in main
        if replman and replman.conn:
    ipa : INFO The ipa-replica-install command failed, exception: UnboundLocalError: local variable 'replman' referenced before assignment
    Your system may be partly configured.
    Run /usr/sbin/ipa-server-install --uninstall to clean up.

    Unexpected error - see /var/log/ipareplica-install.log for details:
    UnboundLocalError: local variable 'replman' referenced before assignment
--

These are the relevant lines in ipa-replica-install:

--
            except errors.NotFound:
                pass

            if found:
                sys.exit(3)
        except errors.ACIError:
            sys.exit("\nThe password provided is incorrect for LDAP server %s" % config.master_host_name)
        except errors.LDAPError:
            sys.exit("\nUnable to connect to LDAP server %s" % config.master_host_name)
        finally:
            if conn and conn.isconnected():
                conn.disconnect()
            if replman and replman.conn:
                replman.conn.unbind_s()
--

This is on a freshly installed and updated CentOS release 6.5 (Final) box running the 2.6.32-431.20.3.el6.x86_64 kernel, SELinux disabled and with the following IPA packages:

    ipa-pki-common-theme-9.0.3-7.el6.noarch
    ipa-python-3.0.0-37.el6.x86_64
    ipa-client-3.0.0-37.el6.x86_64
    ipa-admintools-3.0.0-37.el6.x86_64
    ipa-server-selinux-3.0.0-37.el6.x86_64
    libipa_hbac-python-1.9.2-129.el6_5.4.x86_64
    ipa-pki-ca-theme-9.0.3-7.el6.noarch
    libipa_hbac-1.9.2-129.el6_5.4.x86_64
    ipa-server-3.0.0-37.el6.x86_64
    python-iniparse-0.3.1-2.1.el6.noarch

Any help/ideas much appreciated.

Regards,
Suhail Choudhury.
DevOps | Recommendations Team | BSkyB
Re: [Freeipa-users] IPA Replica Install Failing with UnboundLocalError: local variable 'replman' referenced before assignment
FYI, these are IPA replicas being re-added. I removed these replman lines in the installer script:

    # Try out the password
    ldapuri = 'ldaps://%s' % ipautil.format_netloc(config.master_host_name)
    try:
        conn = ldap2(shared_instance=False, ldap_uri=ldapuri, base_dn='')
        conn.connect(bind_dn=DN(('cn', 'directory manager')), bind_pw=config.dirman_password,
                     tls_cacertfile=CACERT)
        replman = ReplicationManager(config.realm_name, config.master_host_name,
                                     config.dirman_password)

        found = False
        try:
            entry = conn.find_entries(u'fqdn=%s' % host, ['dn', 'fqdn'], DN(api.env.container_host, api.env.basedn))
            print "The host %s already exists on the master server.\nYou should remove it before proceeding:" % host
            print "%% ipa host-del %s" % host
            found = True
        except errors.NotFound:
            pass

        try:
            (agreement_cn, agreement_dn) = replman.agreement_dn(host)
            entry = conn.get_entry(agreement_dn, ['*'])
            print "A replication agreement for this host already exists. It needs to be removed. Run this on the master that generated the info file:"
            print "%% ipa-replica-manage del %s --force" % host
            found = True
        except errors.NotFound:
            pass

        if found:
            sys.exit(3)
    except errors.ACIError:
        sys.exit("\nThe password provided is incorrect for LDAP server %s" % config.master_host_name)
    except errors.LDAPError:
        sys.exit("\nUnable to connect to LDAP server %s" % config.master_host_name)
    finally:
        if conn and conn.isconnected():
            conn.disconnect()
        if replman and replman.conn:
            replman.conn.unbind_s()

and then ran the install again but it is now failing on:

    ipa : DEBUG stderr=
    ipa : DEBUG wait_for_open_ports: localhost [9180, 9443, 9444] timeout 120
    ipa : INFO   File "/usr/lib/python2.6/site-packages/ipaserver/install/installutils.py", line 614, in run_script
        return_value = main_function()
      File "/usr/sbin/ipa-replica-install", line 433, in main
        install_dns_records(config, options)
      File "/usr/sbin/ipa-replica-install", line 251, in install_dns_records
        dm_password=config.dirman_password):
      File "/usr/lib/python2.6/site-packages/ipaserver/install/bindinstance.py", line 192, in dns_container_exists
        raise RuntimeError('LDAP server on %s is not responding. Is IPA installed?' % fqdn)
    ipa : INFO The ipa-replica-install command failed, exception: RuntimeError: LDAP server on ipabox1.domain.com is not responding. Is IPA installed?
    Your system may be partly configured.
    Run /usr/sbin/ipa-server-install --uninstall to clean up.
    LDAP server on ipabox1.domain.com is not responding. Is IPA installed?

However LDAP ports on the IPA master are working and accessible (checked using telnet and ldapsearch).

Regards,
Suhail Choudhury.
DevOps | Recommendations Team | BSkyB

From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Choudhury, Suhail [suhail.choudh...@bskyb.com]
Sent: 15 July 2014 10:52
To: freeipa-users@redhat.com
Subject: [Freeipa-users] IPA Replica Install Failing with UnboundLocalError: local variable 'replman' referenced before assignment

Hi,

I'm trying to install some new IPA replicas but getting this installation error:

--
    ipa : DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipaserver/install/plugins/rename_managed.py'
    ipa : DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipaserver/install/plugins/update_anonymous_aci.py'
    ipa : DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipaserver/install/plugins/update_services.py'
    ipa : DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipaserver/install/plugins/updateclient.py'
    ipa : DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipaserver/install/plugins/upload_cacrt.py'
    ipa : DEBUG ds group dirsrv exists
    ipa : DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state'
    ipa : INFO   File "/usr/lib/python2.6/site-packages/ipaserver/install/installutils.py", line 614, in run_script
Re: [Freeipa-users] IPA Replica Install Failing with UnboundLocalError: local variable 'replman' referenced before assignment
Okay tried that Petr, but yes still getting the LDAP connection error:

        return_value = main_function()
      File "/usr/sbin/ipa-replica-install", line 431, in main
        tls_cacertfile=CACERT)
      File "/usr/lib/python2.6/site-packages/ipalib/backend.py", line 63, in connect
        conn = self.create_connection(*args, **kw)
      File "/usr/lib/python2.6/site-packages/ipaserver/plugins/ldap2.py", line 846, in create_connection
        self.handle_errors(e)
      File "/usr/lib/python2.6/site-packages/ipaserver/plugins/ldap2.py", line 736, in handle_errors
        error=u'LDAP Server Down')
    ipa : INFO The ipa-replica-install command failed, exception: NetworkError: cannot connect to 'ldaps://ipa01.domain.com': LDAP Server Down
    Your system may be partly configured.
    Run /usr/sbin/ipa-server-install --uninstall to clean up.

    Unexpected error - see /var/log/ipareplica-install.log for details:
    NetworkError: cannot connect to 'ldaps://ipa01.domain.com': LDAP Server Down

Running the LDAP query directly is successful:

    [root@recsds3 ~]# ldapsearch -x -s one -b cn=schema -h ipa01.domain.com
    # extended LDIF
    #
    # LDAPv3
    # base <cn=schema> with scope oneLevel
    # filter: (objectclass=*)
    # requesting: ALL
    #

    # search result
    search: 2
    result: 0 Success

    # numResponses: 1

Is there an exhaustive list of ports (TCP/UDP) required for IPA replica setup? I just successfully created an IPA replica by connecting to another IPA master, so perhaps it is a specific port that is required that is not apparent?

Regards,
Suhail Choudhury.
DevOps | Recommendations Team | BSkyB

From: Petr Viktorin [pvikt...@redhat.com]
Sent: 15 July 2014 15:52
To: Choudhury, Suhail; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] IPA Replica Install Failing with UnboundLocalError: local variable 'replman' referenced before assignment

On 07/15/2014 04:25 PM, Choudhury, Suhail wrote:
Hi Petr,
Yes definitely using IPA 3.0 packages as per the package details provided earlier.

Ah, I see. This was reverted in a patch for EL6. Sorry for doubting you.

To get rid of the error, since you're not afraid to modify code, you can follow the instruction inline:

The following code is present in the replica installer script:

    # Try out the password
    ldapuri = 'ldaps://%s' % ipautil.format_netloc(config.master_host_name)

Here, insert the line:

    replman = None

    try:
        conn = ldap2(shared_instance=False, ldap_uri=ldapuri, base_dn='')
        conn.connect(bind_dn=DN(('cn', 'directory manager')), bind_pw=config.dirman_password,
                     tls_cacertfile=CACERT)
        replman = ReplicationManager(config.realm_name, config.master_host_name,
                                     config.dirman_password)

        found = False
        try:
            entry = conn.find_entries(u'fqdn=%s' % host, ['dn', 'fqdn'], DN(api.env.container_host, api.env.basedn))
            print "The host %s already exists on the master server.\nYou should remove it before proceeding:" % host
            print "%% ipa host-del %s" % host
            found = True
        except errors.NotFound:
            pass

        try:
            (agreement_cn, agreement_dn) = replman.agreement_dn(host)
            entry = conn.get_entry(agreement_dn, ['*'])
            print "A replication agreement for this host already exists. It needs to be removed. Run this on the master that generated the info file:"
            print "%% ipa-replica-manage del %s --force" % host
            found = True
        except errors.NotFound:
            pass

        if found:
            sys.exit(3)
    except errors.ACIError:
        sys.exit("\nThe password provided is incorrect for LDAP server %s" % config.master_host_name)
    except errors.LDAPError:
        sys.exit("\nUnable to connect to LDAP server %s" % config.master_host_name)
    finally:
        if conn and conn.isconnected():
            conn.disconnect()
        if replman and replman.conn:
            replman.conn.unbind_s()

The background to this problem is that we have 6 x IPA servers, 2 each in 3 x DCs. In one DC we had a problem with storage
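An added example, not FreeIPA code, that reproduces the installer's failure mode with stand-in classes: the cleanup in `finally` reads `replman`, which was never assigned because `conn.connect()` raised first, so the LDAP connection error is replaced by the UnboundLocalError seen in the thread. The second function applies the `replman = None` fix Petr describes; the FakeConn/FakeReplicationManager classes are this example's own simplifications.

```python
class LDAPError(Exception):
    """Stand-in for ipalib's errors.LDAPError."""


class FakeConn:
    """Stand-in for the installer's ldap2 connection and for ReplicationManager.conn."""

    def __init__(self, connected=False):
        self.connected = connected
        self.unbound = False

    def connect(self, server_down):
        if server_down:
            raise LDAPError("cannot connect: LDAP Server Down")
        self.connected = True

    def isconnected(self):
        return self.connected

    def disconnect(self):
        self.connected = False

    def unbind_s(self):
        self.connected = False
        self.unbound = True


class FakeReplicationManager:
    """Stand-in for ReplicationManager: it holds its own, already bound connection."""

    def __init__(self):
        self.conn = FakeConn(connected=True)


def check_master_broken(server_down):
    """Control flow of the EL6 3.0 installer: replman is first assigned inside try."""
    try:
        conn = FakeConn()
        conn.connect(server_down)            # raises when the master is unreachable
        replman = FakeReplicationManager()   # never reached on that path
        return "ok"
    except LDAPError:
        return "unable to connect"           # what the operator should have been told
    finally:
        if conn and conn.isconnected():
            conn.disconnect()
        if replman and replman.conn:         # UnboundLocalError: replman never assigned,
            replman.conn.unbind_s()          # and it replaces the except branch's return


def check_master_fixed(server_down):
    """Same flow with Petr's fix: bind replman (and conn) before the try block."""
    conn = None
    replman = None
    try:
        conn = FakeConn()
        conn.connect(server_down)
        replman = FakeReplicationManager()
        return "ok"
    except LDAPError:
        return "unable to connect"
    finally:
        if conn and conn.isconnected():
            conn.disconnect()
        if replman and replman.conn:         # None on the failure path, so skipped
            replman.conn.unbind_s()


def broken_raises_unbound_local(server_down=True):
    """True when the broken variant dies with UnboundLocalError instead of reporting."""
    try:
        check_master_broken(server_down)
    except UnboundLocalError:
        return True
    return False


if __name__ == "__main__":
    print("broken, server down:", "UnboundLocalError" if broken_raises_unbound_local() else "reported")
    print("fixed,  server down:", check_master_fixed(server_down=True))
    print("fixed,  server up  :", check_master_fixed(server_down=False))
```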
Re: [Freeipa-users] Export data
Hi Martin,

Thanks for your previous answer. And how can I export a list of DNS entries using ldapsearch?

Regards,
Suhail.
DevOps BSkyB.

From: Martin Kosek [mko...@redhat.com]
Sent: 22 January 2014 13:30
To: Choudhury, Suhail; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Export data

On 01/22/2014 01:48 PM, Choudhury, Suhail wrote:
Hi guys,

I'm trying to get a dump of all users, hosts and DNS entries from IPA so we can run scripts/Puppet against them.

Tried searching for it but cannot find anything, so was hoping someone can give some hints on how best to do this please.

You can either export them via ldapsearch:

    $ kinit admin
    $ ldapsearch -h `hostname` -Y GSSAPI -b 'cn=users,cn=accounts,dc=example,dc=com'
    ...

or write a Python script to do what you want. Very simple example:

    $ kinit admin
    $ python
    >>> from ipalib import api
    >>> api.bootstrap()
    >>> api.finalize()
    >>> api.Backend.xmlclient.connect()
    >>> users = api.Command.user_find()
    >>> for user in users['result']:
    ...     print "%s:%s:%s" % (user['uid'][0], user['uidnumber'][0], user['gidnumber'][0])
    ...
    admin:191360:191360
    tuser:191361:191361

Martin

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
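An added example, not Martin's code or the project's: a small LDIF parser for `ldapsearch` output that emits the same uid:uidnumber:gidnumber rows as the ipalib snippet above and, for entries under the cn=dns container, name/type/value rows. Both LDIF samples are constructed; the idnsRecord/idnsName/aRecord/cNAMERecord attribute names are assumed from the bind-dyndb-ldap schema.

```python
import base64

# Constructed ldapsearch output for the users container Martin named; the uid
# numbers mirror the admin/tuser rows in his reply. Not real directory data.
USERS_LDIF = """\
# extended LDIF
# LDAPv3
# base <cn=users,cn=accounts,dc=example,dc=com> with scope subtree

# admin, users, accounts, example.com
dn: uid=admin,cn=users,cn=accounts,dc=example,dc=com
uid: admin
uidNumber: 191360
gidNumber: 191360
displayName: Administrator

# tuser, users, accounts, example.com
dn: uid=tuser,cn=users,cn=accounts,dc=example,dc=com
uid: tuser
uidNumber: 191361
gidNumber: 191361
displayName:: VMOpc3QgVXNlcg==
description: a long attribute value that ldapsearch
  wrapped onto a continuation line

search: 2
result: 0 Success
"""

# Constructed records under cn=dns; the attribute names follow the bind-dyndb-ldap
# schema (idnsRecord / idnsName / aRecord / cNAMERecord), an assumption here.
DNS_LDIF = """\
dn: idnsName=host1,idnsName=example.com,cn=dns,dc=example,dc=com
objectClass: idnsRecord
idnsName: host1
aRecord: 192.0.2.10
aRecord: 192.0.2.11

dn: idnsName=www,idnsName=example.com,cn=dns,dc=example,dc=com
objectClass: idnsRecord
idnsName: www
cNAMERecord: host1.example.com.
"""


def unfold(text):
    """Drop '#' comments and join continuation lines (leading space) per RFC 2849."""
    logical = []
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]
        else:
            logical.append(raw)
    return logical


def parse_ldif(text):
    """Parse ldapsearch LDIF into a list of {attr_lowercase: [values]} entries.

    'attr:: value' is base64 (decoded as UTF-8), 'attr:< url' is skipped, and
    trailer blocks without a dn ('search: 2', 'result: 0 Success') are dropped.
    """
    entries, current = [], {}
    for line in unfold(text) + [""]:      # sentinel blank line flushes the last entry
        if not line.strip():
            if "dn" in current:
                entries.append(current)
            current = {}
            continue
        name, sep, rest = line.partition(":")
        if not sep:
            continue
        if rest.startswith(":"):
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        elif rest.startswith("<"):
            continue
        else:
            value = rest.strip()
        current.setdefault(name.strip().lower(), []).append(value)
    return entries


def export_users(entries):
    """Same uid:uidnumber:gidnumber rows as the ipalib loop in Martin's reply."""
    return ["%s:%s:%s" % (e["uid"][0], e["uidnumber"][0], e["gidnumber"][0])
            for e in entries if all(k in e for k in ("uid", "uidnumber", "gidnumber"))]


def export_dns(entries):
    """(name, TYPE, value) for each *Record attribute of an idnsRecord entry."""
    rows = []
    for e in entries:
        if "idnsrecord" not in {oc.lower() for oc in e.get("objectclass", [])}:
            continue
        for attr, values in sorted(e.items()):
            if attr.endswith("record"):
                rows.extend((e["idnsname"][0], attr[:-6].upper(), v) for v in values)
    return rows


if __name__ == "__main__":
    print("\n".join(export_users(parse_ldif(USERS_LDIF))))
    print(export_dns(parse_ldif(DNS_LDIF)))
```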
[Freeipa-users] Export DNS to external
Hi,

We are looking at adding redundancy to our IPA setup by using DNS servers external to our IPA servers, so in the event of IPA dying we can still resolve against these external DNS servers.

So I'm looking at how I can add a server running BIND as a DNS slave. Normally on a DNS slave we can set something like the following in named.conf:

=
    // query-source address * port 53;
    allow-transfer { 208.99.198.184/32; };
    };

    //
    // a caching only nameserver config
    //
    controls {
        inet 127.0.0.1 allow { localhost; } keys { rndckey; };
    };

    zone "localhost" IN {
        type master;
        file "localhost.zone";
        allow-update { none; };
    };

    zone "yourdomain.com" IN {
        type slave;
        file "/var/named/yourdomain.com.zone";
        // allow-update { none; };
        allow-transfer { 192.168.0.1/32; };
        masters { 192.168.0.1; };
    };

    zone "0.168.192.in-addr.arpa" IN {
        type slave;
        file "/var/named/0.168.192.rev";
        // allow-update { none; };
        allow-transfer { 192.168.0.1/32; };
        masters { 192.168.0.1; };
    };
=

In the IPA server's named.conf I see DNS entries are loaded up via LDAP:

=
    include "/etc/named.rfc1912.zones";

    dynamic-db "ipa" {
        library "ldap.so";
        arg "uri ldapi://%2fvar%2frun%2fslapd-SUB-DOMAIN-COM.socket";
        arg "base cn=dns, dc=sub,dc=domain,dc=com";
        arg "fake_mname ipa01.sub.domain.com.";
        arg "auth_method sasl";
        arg "sasl_mech GSSAPI";
        arg "sasl_user DNS/ipa01.sub.domain.com";
        arg "zone_refresh 0";
        arg "psearch yes";
        arg "connections 4";
        arg "serial_autoincrement yes";
    };
=

Has anyone successfully pulled DNS zones out of IPA to BIND slaves?

--
Regards,
Suhail.
DevOps(Recs), BSkyB.
[Freeipa-users] Export data
Hi guys,

I'm trying to get a dump of all users, hosts and DNS entries from IPA so we can run scripts/Puppet against them.

Tried searching for it but cannot find anything, so was hoping someone can give some hints on how best to do this please.

--
Regards,
Suhail.
DevOps(Recs), BSkyB.
[Freeipa-users] Connecting hosts DNS from 1 IPA master/domain to another
Hi guys,

Nice to meet you all.

I need to migrate hosts (host1.domain1.com, host2.domain1.com) and DNS from one IPA master (ipa.domain1.com) to another IPA master (ipa.domain2.com), which will then hold the DNS for both domains (domain1.com and domain2.com) and will become the IPA master for all hosts (host1.domain1.com, host1.domain2.com).

Would you say the easiest and hassle-free method of doing this would be to uninstall the IPA client on all hosts on ipa.domain1.com and run fresh ipa-client-installs on them to connect them to ipa.domain2.com?

I'm following the other export users/groups thread on the FreeIPA mailing list but it's not applicable as we currently hold duplicate users/groups on both IPAs.

--
Regards,
Suhail.
DevOps(Recs), BSkyB.