freeipa server removed from DNS at seemingly random intervals
by James Richard
At random intervals the A record for one of the two IPA servers gets deleted.
Using integrated BIND.
The named log looks like the following. Strange that it fails a sanity check but then goes ahead and does it anyway.
"client 10.30.10.27" is the FreeIPA server itself.
13-Dec-2018 00:31:34.389 client 10.30.10.27#53265/key host/mdc-ipa-01.idm.planetrisk.com@IDM.PLANETRISK.COM: updating zone 'idm.planetrisk.com/IN': deleting rrset at 'mdc-ipa-01.idm.planetrisk.com' A
13-Dec-2018 00:31:34.398 client 10.30.10.27#53265/key host/mdc-ipa-01.idm.planetrisk.com@IDM.PLANETRISK.COM: updating zone 'idm.planetrisk.com/IN': update rejected: post update name server sanity check failed
13-Dec-2018 00:31:34.449 client 10.30.10.27#45570/key host/mdc-ipa-01.idm.planetrisk.com@IDM.PLANETRISK.COM: updating zone 'idm.planetrisk.com/IN': deleting rrset at 'mdc-ipa-01.idm.planetrisk.com' AAAA
13-Dec-2018 00:31:34.449 zone 10.30.10.in-addr.arpa/IN: sending notifies (serial 1544679094)
13-Dec-2018 00:31:34.456 zone idm.planetrisk.com/IN: sending notifies (serial 1544679094)
13-Dec-2018 00:31:34.511 client 10.30.10.27#40273/key host/mdc-ipa-01.idm.planetrisk.com@IDM.PLANETRISK.COM: updating zone 'idm.planetrisk.com/IN': deleting rrset at 'mdc-ipa-01.idm.planetrisk.com' A
13-Dec-2018 00:31:34.519 client 10.30.10.27#54534/key host/mdc-ipa-01.idm.planetrisk.com@IDM.PLANETRISK.COM: updating zone 'idm.planetrisk.com/IN': deleting rrset at 'mdc-ipa-01.idm.planetrisk.com' AAAA
13-Dec-2018 00:32:00.754 client 10.60.2.120#40990 (112.2.60.10.in-addr.arpa): RFC 1918 response from Internet for 112.2.60.10.in-addr.arpa
13-Dec-2018 00:40:13.066 zone idm.planetrisk.com/IN: sending notifies (serial 1544679613)
This is a two node cluster. At one time in the past before I took it over there was a failed attempt to integrate with Active Directory.
I'm pretty sure I have removed all of the Active Directory integration components.
I do want to retain the ability to have client enrollment trigger a DNS update.
My guess is that it's related to sssd:
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/...
dyndns_update was enabled in the sssd config on the FreeIPA server. I simply removed the relevant lines in sssd.conf and restarted sssd, but the problem keeps happening.
Any ideas on where I should look to prevent this from continuing to happen?
CentOS Linux release 7.6.1810 (Core)
ipa-client.x86_64 4.6.4-10.el7.centos @base
ipa-client-common.noarch 4.6.4-10.el7.centos @base
ipa-common.noarch 4.6.4-10.el7.centos @base
ipa-python-compat.noarch 4.6.4-10.el7.centos @base
ipa-server.x86_64 4.6.4-10.el7.centos @base
ipa-server-common.noarch 4.6.4-10.el7.centos @base
ipa-server-dns.noarch 4.6.4-10.el7.centos @base
ipa-server-trust-ad.x86_64 4.6.4-10.el7.centos @base
libipa_hbac.x86_64 1.16.2-13.el7 @base
python-iniparse.noarch 0.4-9.el7 @anaconda
python-ipaddress.noarch 1.0.16-2.el7 @base
python-libipa_hbac.x86_64 1.16.2-13.el7 @base
python2-ipaclient.noarch 4.6.4-10.el7.centos @base
python2-ipalib.noarch 4.6.4-10.el7.centos @base
python2-ipaserver.noarch 4.6.4-10.el7.centos @base
sssd-ipa.x86_64 1.16.2-13.el7 @base
5 years, 3 months
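The updates in the log above are signed (GSS-TSIG) with the server's own host principal, which is the credential that sssd's dynamic DNS update code, or an `nsupdate -g` run with that machine's /etc/krb5.keytab, would use, so the deletion is issued on the server itself rather than by some client. As an added example that is not part of the original post or of FreeIPA, the script below parses named update-log lines in the format quoted above and reports the two things worth seeing at a glance: any A/AAAA deletion of a protected name (the IPA servers), and any deletion where the signing host key does not belong to the deleted name, which the default IPA update policy (`grant REALM krb5-self * A`) should never let through. The log lines and host names are constructed in the post's format; they are not the post's real hosts.

```python
"""Flag dynamic-update deletions of IPA server address records in a named log.

Added example, not from the original post or from FreeIPA. The sample lines
are constructed in the format of the named log quoted in the post.
"""
import re
from typing import Any, Dict, Iterable, List, Optional

# One line from named's "update" log category, with the optional GSS-TSIG key.
UPDATE_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"client (?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+)"
    r"(?:/key (?P<key>\S+?))?: updating zone '(?P<zone>[^']+)': (?P<rest>.*)$"
)
DELETE_RE = re.compile(r"^deleting rrset at '(?P<name>[^']+)' (?P<rtype>\S+)$")
REJECT_RE = re.compile(r"^update rejected: (?P<reason>.*)$")

# Constructed sample: the server deleting its own A/AAAA (first three update
# lines), unrelated noise, a client updating its own record (allowed), and a
# client key deleting somebody else's record (policy violation).
SAMPLE_LOG = """\
13-Dec-2018 00:31:34.389 client 10.30.10.27#53265/key host/ipa-01.idm.example.test@IDM.EXAMPLE.TEST: updating zone 'idm.example.test/IN': deleting rrset at 'ipa-01.idm.example.test' A
13-Dec-2018 00:31:34.398 client 10.30.10.27#53265/key host/ipa-01.idm.example.test@IDM.EXAMPLE.TEST: updating zone 'idm.example.test/IN': update rejected: post update name server sanity check failed
13-Dec-2018 00:31:34.449 client 10.30.10.27#45570/key host/ipa-01.idm.example.test@IDM.EXAMPLE.TEST: updating zone 'idm.example.test/IN': deleting rrset at 'ipa-01.idm.example.test' AAAA
13-Dec-2018 00:31:34.456 zone idm.example.test/IN: sending notifies (serial 1544679094)
13-Dec-2018 00:32:00.754 client 10.60.2.120#40990 (112.2.60.10.in-addr.arpa): RFC 1918 response from Internet for 112.2.60.10.in-addr.arpa
13-Dec-2018 00:35:10.001 client 10.30.10.55#51000/key host/client-7.idm.example.test@IDM.EXAMPLE.TEST: updating zone 'idm.example.test/IN': deleting rrset at 'client-7.idm.example.test' A
13-Dec-2018 00:36:00.100 client 10.30.10.56#51001/key host/client-8.idm.example.test@IDM.EXAMPLE.TEST: updating zone 'idm.example.test/IN': deleting rrset at 'client-9.idm.example.test' A
"""


def parse_update_line(line: str) -> Optional[Dict[str, Any]]:
    """Return a dict for an 'updating zone' line, None for anything else."""
    m = UPDATE_RE.match(line.strip())
    if not m:
        return None
    ev: Dict[str, Any] = m.groupdict()
    ev["action"] = "other"
    d = DELETE_RE.match(ev["rest"])
    if d:
        ev["action"] = "delete"
        ev.update(d.groupdict())
    r = REJECT_RE.match(ev["rest"])
    if r:
        ev["action"] = "reject"
        ev["reason"] = r.group("reason")
    return ev


def key_owner(key: Optional[str]) -> Optional[str]:
    """host/fqdn@REALM -> fqdn (lower-case); other or missing keys -> None."""
    if not key or not key.startswith("host/"):
        return None
    return key[len("host/"):].split("@", 1)[0].lower().rstrip(".")


def audit(lines: Iterable[str], protected: Iterable[str]) -> List[Dict[str, Any]]:
    """Findings for A/AAAA deletions: 'protected-record-deleted' when the name
    is one of the protected (server) names, 'key-scope-mismatch' when the
    signing host key does not belong to the deleted name."""
    guard = {p.lower().rstrip(".") for p in protected}
    findings: List[Dict[str, Any]] = []
    for line in lines:
        ev = parse_update_line(line)
        if not ev or ev["action"] != "delete" or ev["rtype"] not in ("A", "AAAA"):
            continue
        name = ev["name"].lower().rstrip(".")
        reasons = []
        if name in guard:
            reasons.append("protected-record-deleted")
        if key_owner(ev["key"]) != name:
            reasons.append("key-scope-mismatch")
        if reasons:
            ev["reasons"] = reasons
            findings.append(ev)
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG.splitlines(), ["ipa-01.idm.example.test"]):
        print(f["ts"], f["ip"], f["key"], f["name"], f["rtype"], ",".join(f["reasons"]))
```

Run it over wherever named's update category is logged on the server, with both IPA server names as the protected set. The timestamps of the hits, correlated with `journalctl -u sssd` and with what else on that host can read /etc/krb5.keytab (cron jobs, leftover scripts from the earlier AD-integration attempt, container or automation agents), narrow down which process sends the update; `ipa dnszone-show idm.planetrisk.com --all` prints the zone's BIND update policy so the krb5-self grant can be confirmed as well.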
Upgrading from 4.2.4 (FC23)
by Roberto Cornacchia
Dear all,
Upgrading is always scary, I will appreciate any comment on the following.
Our freeIPA is serving a small number of FC desktops and users (< 10), and
is running on a FC 23 server, with packages for ipa versioned 4.2.4-2.fc23.
The simplest thing I can do is of course to upgrade the FC system until the
latest, one version at the time. What I probably want to do is actually
move to CentOS - I'm fed up with running after FC releases.
In both cases (especially in the second case), I thought it may be wise to
make a replica of the ipa server before starting the upgrade.
My plan would be:
- Have an up-to-date CentOS system (IPA-B), enroll it and promote it to
replica of the existing one (IPA-A)
- [ Question: is it better to have IPA-B on a recent version or on the same
version as IPA-A? ]
- Shut down IPA-A
- Verify that IPA-B works
- Wipe out IPA-A, install recent CentOS.
- Enroll IPA-A
- Promote it to replica.
- Enjoy
Am I overlooking something? Could I do something more prudently?
Thanks for your input!
Roberto
Add second hostname in FreeIPA CA
by Peter Tselios
Hello everyone,
I have 2 FreeIPA servers in AWS and an LB in front of them to serve the UI and the LDAP (just the GUI and just the LDAP; for Kerberos, we use DNS discovery).
My problem is that I cannot use TLS with LDAP connections because the CA does not have the LB's name in SAN.
Is there any way to **add** in the CA certificate the additional hostname?
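The name check a TLS client performs is against the subjectAltName of the certificate the LDAP server presents, not against the CA certificate, so the LB name has to appear in each server's own LDAP service certificate; the CA certificate carries no server names at all. The following is an added example, not part of the original post or of FreeIPA: it implements the RFC 6125 dNSName matching that Python's ssl module and OpenSSL apply, over certificate dicts in the shape that `ssl.SSLSocket.getpeercert()` returns, so the same `covers()` function can be pointed at a live LDAPS endpoint through the helper at the bottom. The certificates and the names ipa-1.example.test and ipa.example.test are constructed.

```python
"""Does the LDAP server's certificate cover the name the client connects to?

Added example, not from the original post or FreeIPA. Certificate dicts are
constructed in the shape ssl.SSLSocket.getpeercert() returns.
"""
import socket
import ssl
from typing import Any, Dict, List, Optional

# Constructed: an IPA-issued LDAP service certificate before and after the
# load-balancer name ipa.example.test is added as a second dNSName.
CERT_BEFORE: Dict[str, Any] = {
    "subject": ((("commonName", "ipa-1.example.test"),),),
    "subjectAltName": (("DNS", "ipa-1.example.test"),),
}
CERT_AFTER: Dict[str, Any] = {
    "subject": ((("commonName", "ipa-1.example.test"),),),
    "subjectAltName": (("DNS", "ipa-1.example.test"), ("DNS", "ipa.example.test")),
}


def san_dns_names(cert: Dict[str, Any]) -> List[str]:
    """dNSName values from subjectAltName; iPAddress and others are ignored."""
    return [v.lower().rstrip(".") for t, v in cert.get("subjectAltName", ()) if t == "DNS"]


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 section 6.4.3 matching as TLS clients apply it: a wildcard is
    only accepted as the entire left-most label, needs at least two more
    labels after it, and never spans a dot."""
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def covers(cert: Dict[str, Any], hostname: str) -> bool:
    """True when a SAN dNSName matches. Once any dNSName is present the subject
    CN is not consulted (RFC 6125 section 6.4.4), which is why a certificate
    naming only the individual server fails behind a load balancer. The CN
    fallback for SAN-less certificates is deliberately not implemented."""
    hostname = hostname.lower().rstrip(".")
    return any(dns_name_matches(p, hostname) for p in san_dns_names(cert))


def ldaps_peercert(host: str, port: int = 636, cafile: Optional[str] = None) -> Dict[str, Any]:
    """Fetch the certificate dict from a live LDAPS endpoint (not run here).
    Hostname checking is switched off deliberately so the certificate can be
    pulled and inspected with covers() even while the name does not match;
    chain validation against cafile (or the system store) stays on."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    for label, cert in (("before", CERT_BEFORE), ("after", CERT_AFTER)):
        print(label, san_dns_names(cert), covers(cert, "ipa.example.test"))
```

On FreeIPA the LB name is usually made acceptable by adding it as a Kerberos principal alias on each server's ldap service (`ipa service-add-principal ldap/ipa-1.example.test ldap/ipa.example.test`) and then resubmitting the certmonger tracking request for the LDAP certificate with the extra dNSName (`getcert resubmit -i <id from getcert list> -D ipa.example.test`), because IPA only accepts SAN names it knows as a host or as a principal alias; whether the deployment's CA ACLs and version permit this is an assumption to confirm by running `covers(ldaps_peercert("ipa.example.test"), "ipa.example.test")` against the reissued certificate. For Kerberos-authenticated LDAP through the same LB, the alias also gives clients a usable ldap/ipa.example.test principal.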
dyndb-ldap - Default idnsAllowTransfer not using global option
by Bryan Mesich
Hello,
This is more of a bind-dyndb-ldap question, but documentation pointed me
here when asking questions. I'm using the RHEL7.6 supplied version of
Bind and bind-dyndb-ldap. Versions are:
bind-dyndb-ldap-11.1-4.el7
bind-9.9.4-72.el7
I'm also using an up-stream version of OpenLDAP (2.4.44). I'm having
trouble with the idnsAllowTransfer attribute. Specifically, a zone will
not default to the global "allow-transfer" option. Explicitly setting
idnsAllowTransfer attribute in the zone fixes the problem, but the
documentation for idnsAllowTransfer states:
"If not set then zone inherits global allow-transfer from named.conf."
Not specifying idnsAllowQuery properly defaults to the global
allow-query list in named.conf. Not sure if it's a bug, or just
out-of-date documentation. A point in the right direction would be
appreciated.
Cheers,
Bryan
--
Bryan Mesich
Sr. System Administrator
DIGI-KEY ELECTRONICS
701 Brooks Ave. South
Thief River Falls, MN 56701 USA
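To see which zones are affected and pin the transfer ACL explicitly (the workaround the post reports as working), the script below parses an LDIF export of the DNS container and emits the corresponding modify operations. This is an added example, not code from the post or from bind-dyndb-ldap; the LDIF is constructed with the attribute names of the bind-dyndb-ldap schema, and the container cn=dns,dc=example,dc=test is an assumption.

```python
"""Find bind-dyndb-ldap zones without idnsAllowTransfer and emit the LDIF that
pins it explicitly.

Added example, not code from the post or from bind-dyndb-ldap. The LDIF below
is constructed; the container cn=dns,dc=example,dc=test is an assumption.
"""
import base64
from typing import Dict, List, Optional, Tuple

Entry = Dict[str, List[str]]

# Constructed export, as produced by e.g.
#   ldapsearch -LLL -b cn=dns,dc=example,dc=test '(objectClass=idnsZone)'
# The third zone's name is base64-encoded and the second has a folded value,
# both legal LDIF that a naive line splitter gets wrong.
SAMPLE_LDIF = """\
dn: idnsName=example.test,cn=dns,dc=example,dc=test
objectClass: top
objectClass: idnsZone
idnsName: example.test
idnsZoneActive: TRUE
idnsSOAmName: ns1.example.test.
idnsAllowQuery: any;

dn: idnsName=internal.example.test,cn=dns,dc=example,dc=test
objectClass: top
objectClass: idnsZone
idnsName: internal.example.test
idnsZoneActive: TRUE
idnsAllowQuery: 10.0.0.0/8;
  192.168.0.0/16;
idnsAllowTransfer: 10.0.0.2;

dn: idnsName=10.in-addr.arpa,cn=dns,dc=example,dc=test
objectClass: top
objectClass: idnsZone
idnsName:: MTAuaW4tYWRkci5hcnBh
idnsZoneActive: TRUE

# a record entry under a zone, not a zone itself
dn: idnsName=www,idnsName=example.test,cn=dns,dc=example,dc=test
objectClass: top
objectClass: idnsRecord
aRecord: 10.0.0.10
"""


def parse_ldif(text: str) -> List[Tuple[str, Entry]]:
    """Minimal LDIF reader: unfolds continuation lines, decodes '::' base64
    values, drops comments. Returns (dn, {attr_lowercase: [values]}) pairs."""
    records: List[List[str]] = []
    cur: List[str] = []
    for raw in text.splitlines() + [""]:  # sentinel flushes the last record
        if raw.startswith("#"):
            continue
        if raw == "":
            if cur:
                records.append(cur)
                cur = []
        elif raw.startswith(" ") and cur:
            cur[-1] += raw[1:]  # folded continuation line
        else:
            cur.append(raw)
    entries: List[Tuple[str, Entry]] = []
    for lines in records:
        dn: Optional[str] = None
        attrs: Entry = {}
        for line in lines:
            key, _, rest = line.partition(":")
            if rest.startswith(":"):  # "attr:: base64"
                val = base64.b64decode(rest[1:].strip()).decode("utf-8")
            else:
                val = rest.lstrip(" ")
            key = key.lower()
            if key == "dn":
                dn = val
            else:
                attrs.setdefault(key, []).append(val)
        if dn is not None:
            entries.append((dn, attrs))
    return entries


def zones_missing_transfer_acl(text: str) -> List[str]:
    """DNs of idnsZone entries that carry no idnsAllowTransfer of their own."""
    missing = []
    for dn, attrs in parse_ldif(text):
        classes = {c.lower() for c in attrs.get("objectclass", [])}
        if "idnszone" in classes and "idnsallowtransfer" not in attrs:
            missing.append(dn)
    return missing


def pin_transfer_acl_ldif(zone_dns: List[str], acl: str) -> str:
    """LDIF modify records that set idnsAllowTransfer on each zone. acl is a
    BIND address-match list in the form stored by bind-dyndb-ldap, e.g.
    'none;' or '10.0.0.2; 10.0.0.3;'."""
    ops = [
        f"dn: {dn}\nchangetype: modify\nreplace: idnsAllowTransfer\n"
        f"idnsAllowTransfer: {acl}\n"
        for dn in zone_dns
    ]
    return "\n".join(ops)


if __name__ == "__main__":
    print(pin_transfer_acl_ldif(zones_missing_transfer_acl(SAMPLE_LDIF), "none;"))
```

Feed the generated LDIF to `ldapmodify` with the same list the global allow-transfer in named.conf was meant to enforce. Independently of whether the documentation or the code is right, the check that matters is a real transfer attempt from a host outside the intended list: `dig @server zone AXFR` should be refused for every zone, and any zone that answers is the one to pin first.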
Connecting an Cisco ISE Radius Server with FreeIPA
by Nikolaos Hatzepanagiotides
Dear Community,
first of all, thank you for that great developing!
Like the subject says, I am trying to connect a RADIUS server which is on my Cisco ISE.
I want to use MsChapV2 for Authentication.
But I can't find a real manual on how to connect a radius server with freeIPA.
Just the FreeRadius manuals which I can't apply on my setup.
Do you have a manual on setting up FreeIPA to use RADIUS?
I already did an ipa-adtrust-install and added the RADIUS server (ISE) with FQDN with the commands: ipa service-add 'radius/FQDN' and ipa service-add-host --hosts=FQDN radius/FQDN
and ipa role-add-member --hosts=FQDN
But I think this is not all I have to do in order to work with the RADIUS server.
My question is also: do I have to create a keytab from my RADIUS server (ISE) and put it on IPA?
Something like in this guide shown?
http://ilcofon.net/index.php/2018/01/05/wifi-authenticate-with-radius-and...
ipa-getkeytab -p 'radius/FQDN-RADIUS' -s FQDN-IPA -k /root/radius.keytab
(By the way: Sorry for my bad english, I hope you can read it.)
Thanks in advance!
Best Regards
Nikolaos Hatzepanagiotides
FreeIPA with Radius Server (Cisco ISE)
by Nikolaos Hatzipanagiotidis
Dear Community,
thank you for joining the Community!
I am struggling to connect my FreeIPA with a Cisco ISE RADIUS server.
I want to use MsChapV2 for Authentication.
But I can't find a real manual on how to connect a RADIUS server with FreeIPA.
Just the FreeRADIUS manuals, which I can't apply to my setup.
Do you have a manual on setting up FreeIPA to use RADIUS?
I already did an ipa-adtrust-install and added the RADIUS server (ISE) with FQDN with the commands: ipa service-add 'radius/FQDN' and ipa service-add-host --hosts=FQDN radius/FQDN
and ipa role-add-member --hosts=FQDN
But I think this is not all I have to do in order to work with the RADIUS server.
My question is also: do I have to create a keytab from my RADIUS server (ISE) and put it on IPA?
Something like in this guide shown?
http://ilcofon.net/index.php/2018/01/05/wifi-authenticate-with-radius-and...
ipa-getkeytab -p 'radius/FQDN-RADIUS' -s FQDN-IPA -k /root/radius.keytab
(By the way: Sorry for my bad english, I hope you can read it.)
Thanks in advance!
Best Regards
Nikolaos Hatzepanagiotides
Re: ipa-replica-install error migrating CentOS 6 to 7
by Florence Blanc-Renaud
On 12/5/18 3:12 PM, Marc Wiatrowski wrote:
> hello flo,
>
> I attached the log to only you... Wasn't sure if there was anything in
> there that wasn't ok to go to the whole list.
>
Hi Marc,
(adding the list in cc)
indeed the error happens in a code path that wasn't fixed. Could you
open a new pagure ticket (https://pagure.io/freeipa/new_issue)? Please
attach the end of the logs, after the line
[28/41]: setting up initial replication
(you can replace your domain name with XX).
thanks,
flo
> thanks for looking!
> Marc
>
> On Wed, Dec 5, 2018 at 3:55 AM Florence Blanc-Renaud <flo@redhat.com> wrote:
>
> On 12/4/18 9:55 PM, Marc Wiatrowski via FreeIPA-users wrote:
> > I'm trying to migrate a CentOS 6 IPA setup to CentOS 7. Both
> are fully
> > updated CentOS 6.10 (ipa-server-3.0.0-51) and CentOS 7.6
> > (ipa-server-4.6.4-10)
> >
> > I've been following:
> >
> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/...
> >
> > I ran copy-schema-to-ca.py on centos6 and created the replica
> info file
> > without any issues. But then:
> >
> > [root@centos7]$ ipa-replica-install
> > /var/lib/ipa/replica-info-centos7.gpg --setup-ca --ip-address
> > 192.168.1.1 --setup-dns --no-forwarders
> > Directory Manager (existing master) password:
> >
> > Run connection check to master
> > admin@DOMAIN.NET password:
> > Connection check OK
> > Adding [192.168.1.1 centos7.domain.net] to your /etc/hosts file
> > Configuring NTP daemon (ntpd)
> > [1/4]: stopping ntpd
> > [2/4]: writing configuration
> > [3/4]: configuring ntpd to start on boot
> > [4/4]: starting ntpd
> > Done configuring NTP daemon (ntpd).
> > Configuring directory server (dirsrv). Estimated time: 30 seconds
> > [1/41]: creating directory server instance
> > [2/41]: enabling ldapi
> > ....
> > [27/41]: ignore time skew for initial replication
> > [28/41]: setting up initial replication
> > [error] DatabaseError: Server is unwilling to perform:
> modification
> > of attribute nsds5replicabinddngroupcheckinterval is not allowed in
> > replica entry
> > Your system may be partly configured.
> > Run /usr/sbin/ipa-server-install --uninstall to clean up.
> >
> > ipapython.admintool: ERROR Server is unwilling to perform:
> > modification of attribute nsds5replicabinddngroupcheckinterval is
> not
> > allowed in replica entry
> > ipapython.admintool: ERROR The ipa-replica-install command
> failed.
> > See /var/log/ipareplica-install.log for more information
> >
> > centos6:/var/log/dirsrv/slapd/errors:
> > [04/Dec/2018:14:58:13 -0500] NSMMReplicationPlugin -
> > replica_config_modify: modification of attribute
> > nsds5replicabinddngroupcheckinterval is not allowed in replica entry
> >
> > The ipareplica-install.log contains the same errors at the end.
> I have
> > googled and seen similar issues but the solutions span from fixed
> > already in a previous release to not having an answer in the
> thread. It
> > appears CentOS 6 shouldn't have this attribute and that should be
> ok?
> > but fails all the same.
> >
> > Any suggestions?
> Hi Marc,
>
> can you provide the full content of ipareplica-install.log? The exact
> stack trace will help me check if we forgot some places when fixing the
> issue.
>
> Thanks,
> flo
> > Thank you in advance,
> > Marc
> >
Installation Replica reports error: Full PKINIT configuration did not succeed
by 74cmonty
Hi,
after completing master installation I started setup of replica.
This means I first enrolled the replica server as a client and then executed this command:
ipa-replica-install
The installation log reports this error:
Full PKINIT configuration did not succeed
The setup will only install bits essential to the server functionality
You can enable PKINIT after the setup completed using 'ipa-pkinit-manage'
Is this an error or normal behavior of replica installation?
Configuring certificate server (pki-tomcatd)
[1/2]: configure certmonger for renewals
[2/2]: Importing RA key
Done configuring certificate server (pki-tomcatd).
Configuring Kerberos KDC (krb5kdc)
[1/1]: installing X509 Certificate for PKINIT
Full PKINIT configuration did not succeed
The setup will only install bits essential to the server functionality
You can enable PKINIT after the setup completed using 'ipa-pkinit-manage'
Done configuring Kerberos KDC (krb5kdc).
Applying LDAP updates
Upgrading IPA:. Estimated time: 1 minute 30 seconds
[1/10]: stopping directory server
[2/10]: saving configuration
[3/10]: disabling listeners
[4/10]: enabling DS global lock
[5/10]: disabling Schema Compat
[6/10]: starting directory server
[7/10]: upgrading server
[8/10]: stopping directory server
[9/10]: restoring configuration
[10/10]: starting directory server
Done.
Finalize replication settings
Restarting the KDC
Samba integration
by Николай Савельев
Hello.
I try to set up samba with freeipa.
I use this article https://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA
But I have strange error:
Dec 10 13:48:58 nfs.fs.lan smbd[14242]: [2018/12/10 13:48:58.758419, 0] ../source3/auth/auth_util.c:1372(make_new_session_info_guest)
Dec 10 13:48:58 nfs.fs.lan smbd[14242]: create_local_token failed: NT_STATUS_NO_MEMORY
Dec 10 13:48:58 nfs.fs.lan smbd[14242]: [2018/12/10 13:48:58.758577, 0] ../source3/smbd/server.c:1993(main)
Dec 10 13:48:58 nfs.fs.lan smbd[14242]: ERROR: failed to setup guest info.
Dec 10 13:48:58 nfs.fs.lan systemd[1]: smb.service: main process exited, code=exited, status=255/n/a
Dec 10 13:48:58 nfs.fs.lan systemd[1]: Failed to start Samba SMB Daemon.
What does it mean?
--
Best regards, Nikolay.