automember hostgroup by account?
by Amos
Is it possible to have an automember rule to add a host to a hostgroup
based on the account used with ipa-install-client?
Amos
3 years, 11 months
Deploying IPA on AWS
by William Muriithi
Hello everyone
We want to move some of the systems for a co-location into AWS. IPA
systems are some of our candidate servers.
I have attempted to get this working by setting up a replica server in
the cloud and attempting to set up replication - over VPN - and it's not
working. This is due to a DNS issue on AWS being biased toward AWS DNS.
If I use nmap, it verifies I can reach port 53 (TCP and UDP) on the
co-location from AWS, but if I do a dig against the existing DNS, it
doesn't seem to resolve.
Has anyone gone through this exercise recently and managed to figure
out how to work around this limitation? I would be grateful if someone could
share how they worked around this problem.
Regards,
William
3 years, 12 months
IPA and legacy systems
by Ronald Wimmer
What would be a good solution to add systems where the FQDN cannot be
changed?
Would it make sense to add a second DNS A Record in the IPA domain for
each of these systems?
Is there any experience on how to deal with such a situation?
Thanks a lot in advance!
Cheers,
Ronald
3 years, 12 months
AD users login and lookup fails with short name in Ubuntu16 freeipa-client
by Suchismita Panda
Hi,
We are trying to configure our FreeIPA environment. We are using
freeipa-client in both Ubuntu 18 and Ubuntu 16 servers. The FreeIPA server
has one way trust to our AD. We have the domain name resolution order
setup in the FreeIPA server. The AD users are able to ssh login to Ubuntu
18 fluently. But in Ubuntu 16, the AD user ssh login works only with domain
name extension for AD users and fails with short name. Inside the Ubuntu 16
client, AD user lookup as well fails for short name, but works with domain
name extension.
Is there any extra configuration needed in sssd.conf other than the default
configuration generated by freeipa-client?
TIA
3 years, 12 months
New DNS records not populating
by Andrew Meyer
I recently had a server that didn't get added to DNS but was joined to the FreeIPA system. I just went back to fix it. I tried removing the host, rebooting, and re-adding it to the FreeIPA system. After doing this the new DNS records did not get added. I went back to manually add the DNS records (A, SSHFP) and was successful; however, when I try to ssh to the server I get this:
[andrew.meyer@jump01 ~]$ ssh pihole01.loc.example.com
sss_ssh_knownhostsproxy: Could not resolve hostname pihole01.loc.example.com
kex_exchange_identification: Connection closed by remote host
[andrew.meyer@jump01 ~]$
But when I try to run a dig against the records added, none of them come back.
[andrew.meyer@jump01 ~]$ dig pihole01.loc.example.com
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el8 <<>> pihole01.loc.example.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 2980
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 05879881b6a519f543d896f85ecd7e4235ba486f22821495 (good)
;; QUESTION SECTION:
;pihole01.loc.example.com. IN A
;; AUTHORITY SECTION:
loc.example.com. 3600 IN SOA freeipa001.loc.example.com. hostmaster.loc.example.com. 1590523365 3600 900 1209600 3600
;; Query time: 0 msec
;; SERVER: 10.150.10.12#53(10.150.10.12)
;; WHEN: Tue May 26 15:38:26 CDT 2020
;; MSG SIZE rcvd: 141
[andrew.meyer@jump01 ~]$
[andrew.meyer@jump01 ~]$ dig pihole01.loc.example.com A
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el8 <<>> pihole01.loc.example.com A
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 24317
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: da22b671a9a042aa3acbb8d95ecd71177b0f9a24a87f4651 (good)
;; QUESTION SECTION:
;pihole01.loc.example.com. IN A
;; AUTHORITY SECTION:
loc.example.com. 3600 IN SOA freeipa001.loc.example.com. hostmaster.loc.example.com. 1590520949 3600 900 1209600 3600
;; Query time: 0 msec
;; SERVER: 10.150.10.12#53(10.150.10.12)
;; WHEN: Tue May 26 14:42:15 CDT 2020
;; MSG SIZE rcvd: 141
[andrew.meyer@jump01 ~]$
Here are the logs from bind on the freeipa server:
26-May-2020 15:27:24.686 validating asm-fedora.example.local/A: bad cache hit (local/DS)
26-May-2020 15:27:24.687 broken trust chain resolving 'asm-fedora.example.local/A/IN': 10.150.10.40#53
26-May-2020 15:27:24.729 no valid RRSIG resolving 'asm-fedora/DS/IN': 10.150.10.40#53
26-May-2020 15:27:24.729 no valid DS resolving 'asm-fedora/A/IN': 10.150.10.40#53
26-May-2020 15:28:00.622 validating asm-fedora.example.local/A: bad cache hit (local/DS)
26-May-2020 15:28:00.622 broken trust chain resolving 'asm-fedora.example.local/A/IN': 10.150.10.40#53
26-May-2020 15:28:00.636 validating asm-fedora/A: bad cache hit (asm-fedora/DS)
26-May-2020 15:28:00.636 broken trust chain resolving 'asm-fedora/A/IN': 10.150.10.40#53
26-May-2020 15:28:03.868 validating asm-fedora.example.local/A: bad cache hit (local/DS)
26-May-2020 15:28:03.869 broken trust chain resolving 'asm-fedora.example.local/A/IN': 10.150.10.40#53
26-May-2020 15:28:03.886 validating asm-fedora/A: bad cache hit (asm-fedora/DS)
26-May-2020 15:28:03.886 broken trust chain resolving 'asm-fedora/A/IN': 10.150.10.40#53
26-May-2020 15:28:08.154 validating gold-ev-g2.ocsp.swisssign.net/CNAME: no valid signature found
26-May-2020 15:28:08.223 validating gold-ev-g2.ocsp.swisssign.net/CNAME: no valid signature found
26-May-2020 15:28:08.280 validating ocsp.swisssign.net/A: no valid signature found
26-May-2020 15:28:08.349 validating swisssign.net/SOA: no valid signature found
26-May-2020 15:28:08.350 validating ocsp.swisssign.net/NSEC: no valid signature found
26-May-2020 15:28:11.556 insecurity proof failed resolving 'incoming.telemetry.mozilla.org/A/IN': 10.150.10.40#53
26-May-2020 15:28:11.556 insecurity proof failed resolving 'incoming.telemetry.mozilla.org/AAAA/IN': 10.150.10.40#53
26-May-2020 15:28:12.683 insecurity proof failed resolving 'snippets.cdn.mozilla.net/A/IN': 10.150.10.40#53
26-May-2020 15:28:12.683 insecurity proof failed resolving 'snippets.cdn.mozilla.net/AAAA/IN': 10.150.10.40#53
26-May-2020 15:28:26.783 validating gold-server-g2.ocsp.swisssign.net/CNAME: no valid signature found
26-May-2020 15:28:26.897 validating gold-server-g2.ocsp.swisssign.net/CNAME: no valid signature found
26-May-2020 15:28:47.512 insecurity proof failed resolving 'consent.cookiebot.com/A/IN': 10.150.10.40#53
26-May-2020 15:28:47.512 insecurity proof failed resolving 'consent.cookiebot.com/AAAA/IN': 10.150.10.40#53
26-May-2020 15:29:45.969 validating vrty.org.example.local/A: bad cache hit (local/DS)
26-May-2020 15:29:45.969 broken trust chain resolving 'vrty.org.example.local/A/IN': 10.150.10.40#53
26-May-2020 15:34:26.510 no valid RRSIG resolving 'local/DS/IN': 10.150.10.40#53
26-May-2020 15:34:26.510 no valid DS resolving 'vrty.org.example.local/A/IN': 10.150.10.40#53
26-May-2020 15:39:28.026 validating vrty.org.example.local/A: bad cache hit (local/DS)
26-May-2020 15:39:28.026 broken trust chain resolving 'vrty.org.example.local/A/IN': 10.150.10.40#53
26-May-2020 15:40:21.352 validating librenms.example.local/A: bad cache hit (local/DS)
26-May-2020 15:40:21.352 broken trust chain resolving 'librenms.example.local/A/IN': 10.150.10.40#53
26-May-2020 15:40:21.370 validating grocy01.example.local/A: bad cache hit (local/DS)
26-May-2020 15:40:21.370 broken trust chain resolving 'grocy01.example.local/A/IN': 10.150.10.40#53
26-May-2020 15:40:21.392 validating grocy01.example.local/MX: bad cache hit (local/DS)
26-May-2020 15:40:21.392 broken trust chain resolving 'grocy01.example.local/MX/IN': 10.150.10.40#53
26-May-2020 15:40:21.393 validating librenms.example.local/MX: bad cache hit (local/DS)
26-May-2020 15:40:21.393 broken trust chain resolving 'librenms.example.local/MX/IN': 10.150.10.40#53
26-May-2020 15:44:27.810 no valid RRSIG resolving 'local/DS/IN': 10.150.10.40#53
26-May-2020 15:44:27.810 no valid DS resolving 'vrty.org.example.local/A/IN': 10.150.10.40#53
26-May-2020 15:46:40.756 validating pihole01.loc.example.com.example.local/AAAA: bad cache hit (local/DS)
26-May-2020 15:46:40.756 broken trust chain resolving 'pihole01.loc.example.com.example.local/AAAA/IN': 10.150.10.40#53
26-May-2020 15:46:40.760 validating pihole01.loc.example.com.example.local/A: bad cache hit (local/DS)
26-May-2020 15:46:40.760 broken trust chain resolving 'pihole01.loc.example.com.example.local/A/IN': 10.150.10.40#53
26-May-2020 15:48:52.134 insecurity proof failed resolving 'collection-endpoint-prod.herokuapp.com/A/IN': 10.150.10.40#53
26-May-2020 15:49:31.721 validating vrty.org.example.local/A: bad cache hit (local/DS)
26-May-2020 15:49:31.721 broken trust chain resolving 'vrty.org.example.local/A/IN': 10.150.10.40#53
[root@freeipa001 data]#
3 years, 12 months
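Two things in the post above can be read mechanically: the dig header (an NXDOMAIN with the `aa` flag set means the authoritative server, not a forwarder, says the name does not exist), and the BIND log (every quoted failure concerns `.example.local` or public names, none concern `loc.example.com`; the `pihole01.loc.example.com.example.local` entries show a client's resolver appending its search suffix). The helpers below do that triage; they are an added example, not code from the post, FreeIPA or BIND, and the sample dig header and log lines are constructed from the ones quoted in the post.

```python
"""Triage helpers for an authoritative NXDOMAIN and DNSSEC validation noise.

Added example; not part of the post, FreeIPA or BIND. The regular
expressions follow the dig and named output formats quoted in the post.
"""
import re

DIG_HEADER = re.compile(r";; ->>HEADER<<- opcode: (\w+), status: (\w+), id: (\d+)")
DIG_FLAGS = re.compile(r";; flags: ([a-z ]+);")
DIG_SERVER = re.compile(r";; SERVER: ([\d.]+)#(\d+)")


def parse_dig(text):
    """Extract status, flags and the answering server from dig output."""
    status = DIG_HEADER.search(text)
    flags = DIG_FLAGS.search(text)
    server = DIG_SERVER.search(text)
    return {
        "status": status.group(2) if status else None,
        "flags": set(flags.group(1).split()) if flags else set(),
        "server": server.group(1) if server else None,
    }


def interpret_dig(result):
    """Separate 'the zone has no such record' from resolver-path trouble."""
    if result["status"] == "NXDOMAIN" and "aa" in result["flags"]:
        return "authoritative NXDOMAIN: the zone served by %s has no such record" % result["server"]
    if result["status"] == "NXDOMAIN":
        return "non-authoritative NXDOMAIN: check the forwarding path"
    if result["status"] == "SERVFAIL":
        return "SERVFAIL: validation or upstream failure, see the named log"
    return "status %s" % result["status"]


# Both named message shapes in the post: "validating NAME/TYPE: ..." and
# "... resolving 'NAME/TYPE/IN': ..."
NAMED_NAME = re.compile(r"(?:validating |resolving ')([\w.-]+)/([A-Z]+)")


def names_in_named_log(lines):
    """Return the (name, rtype) pair each validation-failure line is about."""
    out = []
    for line in lines:
        m = NAMED_NAME.search(line)
        if m:
            out.append((m.group(1), m.group(2)))
    return out


def failures_under_zone(lines, zone):
    """Count log lines whose failing name lies inside `zone`."""
    zone = zone.rstrip(".").lower()
    return sum(1 for name, _ in names_in_named_log(lines)
               if name.lower() == zone or name.lower().endswith("." + zone))


# Constructed sample input, taken from the lines quoted in the post.
SAMPLE_DIG = """\
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 2980
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; SERVER: 10.150.10.12#53(10.150.10.12)
"""

SAMPLE_LOG = """\
26-May-2020 15:27:24.686 validating asm-fedora.example.local/A: bad cache hit (local/DS)
26-May-2020 15:27:24.687 broken trust chain resolving 'asm-fedora.example.local/A/IN': 10.150.10.40#53
26-May-2020 15:28:11.556 insecurity proof failed resolving 'incoming.telemetry.mozilla.org/A/IN': 10.150.10.40#53
26-May-2020 15:46:40.760 validating pihole01.loc.example.com.example.local/A: bad cache hit (local/DS)
26-May-2020 15:46:40.760 broken trust chain resolving 'pihole01.loc.example.com.example.local/A/IN': 10.150.10.40#53
""".splitlines()

if __name__ == "__main__":
    print(interpret_dig(parse_dig(SAMPLE_DIG)))
    for zone in ("loc.example.com", "example.local", "mozilla.org"):
        print("%-16s %d failing lookups" % (zone, failures_under_zone(SAMPLE_LOG, zone)))
```

Run against the real `named` log, a count of zero under the IPA-served zone tells you the DNSSEC noise is a separate problem (here: a forwarder at 10.150.10.40 failing to validate `.local` and some public names), and the authoritative NXDOMAIN points at the zone data on the server that answered rather than at the client's resolver.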
API logout
by Peter Tselios
Hello,
How do I perform a "session logout" in the API?
I am using Ansible's URI module and so far I have tried a few different options, for example this:
- name: Logout from IdM API
  uri:
    url: "https://{{ ipa_master }}/ipa/session/json"
    headers:
      Content-type: "application/json"
      Accept: "application/json"
      Referer: "https://{{ ipa_master }}/ipa"
      Cookie: "{{ ipa_session }}"
    method: POST
    body_format: json
    body: |
      {
        "id": 0,
        "method": "session_logout/1",
        "params": [
          {
            "version": "{{ ipa_api_version | default('2.231') }}"
          }
        ]
      }
which gives me the following error:
message: 'Invalid JSON-RPC request: params must contain [args, options]'
I also tried to simply visit the /ipa/session/session_logout, or the /ipa/session_logout. Both options gave me a 404.
So, how do I "logout"?
3 years, 12 months
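The error quoted in the post says exactly what the server wants: `params` must be a two-element list, `[args, options]`, where `args` is a list of positional arguments and `options` is a dict of named ones (the `version` key belongs in the options dict). The playbook above sent a one-element list holding only the options dict. The following is an added example, not code from the post or from FreeIPA: it builds request bodies in that shape and mirrors the server's shape check so a body can be validated before it is sent. The only API behaviour it assumes is the `[args, options]` rule stated in the error message.

```python
"""Build and validate FreeIPA JSON-RPC bodies in the [args, options] shape.

Added example; not from the post or the FreeIPA project. The only
server behaviour assumed is the one in the quoted error message:
'params must contain [args, options]'.
"""
import json

API_VERSION = "2.231"  # default from the post's playbook


def build_rpc(method, args=None, options=None, version=API_VERSION, req_id=0):
    """Return a JSON-RPC request dict whose params are [args, options]."""
    opts = dict(options or {})
    opts.setdefault("version", version)   # version is a named option, not a positional arg
    return {"id": req_id, "method": method, "params": [list(args or []), opts]}


def params_well_formed(body):
    """Mirror the server-side check: params must be a list [args, options]."""
    params = body.get("params")
    return (isinstance(params, list) and len(params) == 2
            and isinstance(params[0], list) and isinstance(params[1], dict))


def to_ansible_body(body):
    """Serialise for the uri module's `body:` field (body_format: json)."""
    return json.dumps(body, indent=2)


# The shape the post sent: a single-element list holding only the options dict.
POSTED_BODY = {
    "id": 0,
    "method": "session_logout/1",
    "params": [{"version": API_VERSION}],
}

if __name__ == "__main__":
    print("posted body well-formed:", params_well_formed(POSTED_BODY))
    fixed = build_rpc("session_logout/1")
    print("fixed body well-formed: ", params_well_formed(fixed))
    print(to_ansible_body(fixed))
```

For a command that takes positional arguments, pass them as `args` (`build_rpc("some_command/1", ["name"], {"all": True})`); `session_logout` takes none, so its `args` list is simply empty, which is what the post's body was missing.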
centos with automount maps from ipa AND files
by Klaus Vink Slott
Hi
I am trying to mix files based automount entries with some entries from
IPA. I found that in order to make this work on Centos clients I must
place files before sss in nsswitch. After this discovery I just made my
ansible setup ensure this.
grep automount /etc/nsswitch.conf
#automount: files nisplus sss
automount: files sss
Now moving to Centos 8 I found warnings in nsswitch, not to edit it
directly, so I revisited this oddity. I found that according to
Redhat(1) authselect should not be used anyway, when IPA is in charge.
But the setup made by ipa-client-automount also had the same problem:
sss before files.
Actually, I don't mind which one is consulted first, I have no mixed
maps. But to me it seems that when sss is consulted first, auto.master
is not used at all.
Is this a in my setup or in Centos/Redhat - or am I missing something?
(1)https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/...
--
Regards
Klaus
4 years
Reverse DNS zones with AD Trust
by Vinícius Ferrão
Hello,
I would like to know how to handle reverse DNS zones when AD trust is enabled.
I do have separate domains for AD and IPA as required, but the reverse zones are mixed, since the hosts are on the same network, which is common. In this scenario where should the reverse DNS zone be hosted? On the AD side? On IPA? How to make this work without breaking dynamic DNS updates for the PTR zones? Should any of them keep the zones as slaves?
There are some older discussions here on the list, but without continuity, and I don't know the results, like this one:
https://www.redhat.com/archives/freeipa-users/2015-June/msg00555.html
In this old thread, the recommendation was to move the reverse zone to IPA and make some grants on BIND to allow Dynamic DNS updates.
But is this still the case?
Is there any official guidance on this issue?
Is this scenario supported, or must I have separate networks, even with VLANs and IP addresses, for *nix and Windows clients?
Thanks,
4 years