February 2018 - FreeIPA-users - Fedora mailing-lists

IPA-Server Deletion issues
by Jamal Mahmoud 14 Feb '18

14 Feb '18

I'm having strange issues with removing one of my freeIPA masters, I managed to mess up the deletion process and my system seems to be stuck in a state of limbo, my current setup is 3 servers ( 1 has been decommissioned) that all share the CA/Domain responsibilities. When i run the command . *ipa-replica-manage list* it produces 3 servers as active masters, when this is not true as i have uninstalled ipa-server on one. Trying to delete it through that command has given me no luck, even using *--force* and *--cleanup* does not work. the same error output appears: *oxygen.eggvfx.ie <http://oxygen.eggvfx.ie>: server not found* I'm not very good with ldap tools but after running *ldapsearch -x * there is a reference to the oxygen server still sitting in there, it seems that the dirty entry is still hanging around my system, i'm wondering if there is any way to resolve this? ldapsearch output: *defaultServerList: oxygen.eggvfx.ie <http://oxygen.eggvfx.ie> nitrogen.eggvfx.ie <http://nitrogen.eggvfx.ie> lithium.eggvfx.ie <http://lithium.eggvfx.ie>* Looking at the topology graph in the web ui i can see that there are still ties between one of my servers and oxygen. It will also not allow me to delete the server ties ( error: *Server is unwilling to perform: Removal of Segment disconnects topology.Deletion not allowed.)* nor will the ui allow me to delete the IPA server (*oxygen.eggvfx.ie <http://oxygen.eggvfx.ie>: server not found*) Any help is greatly appreciated, Many Thanks, Jamal Mahmoud

3 13

ipa-server-install --dirsrv-config-file example
by Alex M 14 Feb '18

14 Feb '18

Hello! I'm sorry for a dumb question, but i cant find documentation on ldif file syntax, that can be used for unattended installation (with ldapmodify) like ipa-server-install --dirsrv-config-file someparams.ldif. Can someone point me to this doc or share the example of this file? Thanks

4 8

deploying freeipa
by Andrew Meyer 13 Feb '18

13 Feb '18

I know I have sent in multiple emails, but we are trying to deploy FreeIPA correctly. However I am getting asked to find out some other details. Can FreeIPA survive w/o DNS? We would like to implement FreeIPA and still be able to use the SSH, sudo, selinux, LDAP & krb5. We are moving to AWS and management is afraid that we will have to maintain multiple sets of DNS. And that if FreeIPA is the focal point for all servers and god for bid it crashes, there goes our whole environment. They would like to put the zone in R53 and have that handle ALL the records. If we do go through with not installing DNS w/ FreeIPA will we be shooting ourselves in the foot? I know that FreeIPA relies heavily on DNS and I have seen multiple conversations regarding not to do this, but is this somewhere in the best practices? I found this thread from 2015 but I don't think it applies anymore:Re: [Freeipa-users] Can freeIPA work without Kerberos and DNS | | | Re: [Freeipa-users] Can freeIPA work without Kerberos and DNS | | | The problem is that we have 30 domains that we want to use in R53 and he wants to bypass FreeIPA for doing DNS other than for auth and sudo and ldap. Could we put entries in the /etc/hosts file to point to the FreeIPA servers? I feel like this might work and might be more problematic down the line. Regards,Andrew

4 8

Migration AD trust and group
by Henrik Stigendal 13 Feb '18

13 Feb '18

Hi, I am looking into migrating an existing deployment of LDAP with hundreds of users and hundreds of groups into a IPA solution with trust against AD. All users currently exists with the same names in AD but groups does not, one solution would be adding all those groups to AD with gidNumber set to only administer the users and groups in AD. External groups seems to be the solution, but that would require external groups created in the IPA, I would like to avoid that and have tested with groups only in AD with gidNumber set and it seems to work, I can at least see the group and SUDO rules works with the group. So my question is, can you use groups in AD without referencing them in IPA and any please throw in any other suggestions for trying to have all data in active directory without having to change anything in the IPA when adding users or groups (or host/netgroups for that matter) Thanks Henrik Sent from my iPad

1 0

dsInOps
by Jim Richard 12 Feb '18

12 Feb '18

1 0

DNS forward zones
by Andrew Meyer 12 Feb '18

12 Feb '18

Is it possible to have DNS forward zones only exist on servers in a specific location?

1 0

resolvers
by Andrew Meyer 12 Feb '18

12 Feb '18

If I don't have global resolver FreeIPA will fallback to using what is in /etc/resolv.conf, correct?

1 0

Missing MasterCRL.bin after upgrade from 3.0 to 4 on CentOS 7.4
by Jim Richard 12 Feb '18

12 Feb '18

We have a nice simple setup, a single master running 3.0.0-51.el6.centos and as far as I can tell we're in very good shape, all certs checkout ok, being monitored, nothing expired. Great! Let's finally do the upgrade to CentoOS 7/IPA 4.X Carefully follow all the instructions here: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/ht… <https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/ht…> Everything goes great, I note that CS.cfg on CentOS lives under /etc/pki-ca not /var/lib, ok no problem, great, great and then: I get to this part of the document: 6.5.2.3. Verifying That the New Master CA Server Is Configured Correctly Make sure the /var/lib/ipa/pki-ca/publish/MasterCRL.bin file exists on the new master CA server. The file is generated based on the time interval defined in the /etc/pki/pki- tomcat/ca/CS.cfg file using the ca.crl.MasterCRL.autoUpdateInterval parameter. The default value is 240 minutes (4 hours). If the file exists, the new master CA server is configured correctly, and you can safely dismiss the previous CA master system. And after messing with CS.cfg update interval settings, rebooting etc, I still get no MasterCRL.bin on the new host. Any clues as to what I might be doing wrong? Really hard to say without more info I'm sure. Can you tell me what to check on the original master before I get started with all the upgrade steps? I have rolled back my virtual machine snapshot so I'm back to "everything good" state, I think :) On the original master, before upgrade I have: -rw-rw-r-- 1 pkiuser pkiuser 59148 Feb 5 21:00 MasterCRL-20180205-210000.der -rw-rw-r-- 1 pkiuser pkiuser 59148 Feb 6 01:00 MasterCRL-20180206-010000.der -rw-rw-r-- 1 pkiuser pkiuser 59148 Feb 6 05:00 MasterCRL-20180206-050000.der -rw-rw-r-- 1 pkiuser pkiuser 59148 Feb 6 09:00 MasterCRL-20180206-090000.der -rw-rw-r-- 1 pkiuser pkiuser 59148 Feb 6 13:00 MasterCRL-20180206-130000.der -rw-rw-r-- 1 pkiuser pkiuser 59148 Feb 6 17:00 MasterCRL-20180206-170000.der -rw-rw-r-- 1 pkiuser pkiuser 59148 Feb 6 21:00 MasterCRL-20180206-210000.der -rw-rw-r-- 1 pkiuser pkiuser 59148 Feb 7 01:00 MasterCRL-20180207-010000.der -rw-rw-r-- 1 pkiuser pkiuser 59148 Feb 7 07:36 MasterCRL-20180207-073614.der -rw-rw-r-- 1 pkiuser pkiuser 59148 Feb 7 09:00 MasterCRL-20180207-090000.der -rw-rw-r-- 1 pkiuser pkiuser 59148 Feb 7 13:00 MasterCRL-20180207-130000.der -rw-rw-r-- 1 pkiuser pkiuser 59148 Feb 7 17:00 MasterCRL-20180207-170000.der lrwxrwxrwx 1 pkiuser pkiuser 57 Feb 7 17:00 MasterCRL.bin -> /var/lib/ipa/pki-ca/publish/MasterCRL-20180207-170000.der drwxrwxr-x 2 root pkiuser 36864 Feb 7 17:00 . That looks all correct right? Indicated the master is doing what it should re CRL's etc. I do note that on the new server /var/lib/ipa/pki-ca/publish/ is "root pkiuser 775" not "pkiuser pkiuser", but me thinks that's ok. What log should I look at to see some indication that a transfer or like, "get the CRL list to the new node" is failing? Thanks !! <http://www.placeiq.com/> <http://www.placeiq.com/> <http://www.placeiq.com/> Jim Richard <https://twitter.com/placeiq> <https://twitter.com/placeiq> <https://twitter.com/placeiq> <https://www.facebook.com/PlaceIQ> <https://www.facebook.com/PlaceIQ> <https://www.linkedin.com/company/placeiq> <https://www.linkedin.com/company/placeiq> SYSTEM ADMINISTRATOR III (646) 338-8905 <http://www.placeiq.com/2015/05/26/placeiq-named-winner-of-prestigious-2015-…> <http://placeiq.com/2015/12/18/accuracy-vs-precision-in-location-data-mma-we…> <http://placeiq.com/2015/12/18/accuracy-vs-precision-in-location-data-mma-we…> <http://placeiq.com/2015/12/18/accuracy-vs-precision-in-location-data-mma-we…> <http://placeiq.com/2015/12/18/accuracy-vs-precision-in-location-data-mma-we…> <http://placeiq.com/2016/03/08/measuring-addressable-tv-campaigns-is-now-pos…> <http://placeiq.com/2016/04/13/placeiq-joins-the-network-advertising-initiat…> <http://placeiq.com/2016/04/13/placeiq-joins-the-network-advertising-initiat…> <http://placeiq.com/2016/04/13/placeiq-joins-the-network-advertising-initiat…> <http://placeiq.com/2016/04/13/placeiq-joins-the-network-advertising-initiat…> <http://placeiq.com/2016/04/13/placeiq-joins-the-network-advertising-initiat…> <http://pages.placeiq.com/Location-Data-Accuracy-Whitepaper-Download.html?ut…> <http://placeiq.com/2016/08/03/placeiq-bolsters-location-intelligence-platfo…> <http://placeiq.com/2016/10/26/the-making-of-a-location-data-industry-milest…> <http://placeiq.com/2016/12/07/placeiq-introduces-landmark-a-groundbreaking-…> <http://placeiq.com/2016/12/07/placeiq-introduces-landmark-a-groundbreaking-…> <https://www.placeiq.com/2017/05/placeiqs-landmark-powers-location-based-ins…>

2 4

Freeipa Replica with second nfs server
by Jens Laufer 12 Feb '18

12 Feb '18

Hey, as we just bought an new server, i moved everything to him, and it seems to work pretty fine. But now i want to use the spare server as an backup and their the problems started: 1. How i set up a duplicated nfs server for autofs'ing the home directory? 1. a. How is the best practices to keep them synced? Maybe even with an backup function for files that got deleted on one of them? 1. b How i redirect autofs to mount the right nfs when one is failing? As i was researching that and trying out several settings, i mentioned that i wasnt able to get the autofs central managment by freeipa running. I had to write the configs to every client. But i am not quite sure if it wasnt better for the replica settings but also for everyday use to get an centralized configuration of autofs running. so my second question would be: 2. How to run an autofs setting in freeipa and how to apply them to an client? Pls apoligze my english, it is my third language, and thank u all for every help u have to offer Greetings j.

2 1

New replica (4.5) issues
by john.bowman＠zayo.com 12 Feb '18

12 Feb '18

After some trial and error I was finally able to get a new replica + CA (RHEL7.4 and ipa-server 4.5) added to our existing mixed (RHEL 6 and ipa server 3.0 - 4.x) and the ipa-replica-install command completed successfully but now when I run the ipa-manage-replica -v list <host> command I see this: # ipa-replica-manage -v list ipa5.domain.tld Directory Manager password: ipa1.domain.tld: replica last init status: None last init ended: 1970-01-01 00:00:00+00:00 last update status: Error (3) Replication error acquiring replica: Unable to acquire replica: permission denied. The bind dn does not have permission to supply replication updates to the replica. Will retry later. (permission denied) last update ended: 1970-01-01 00:00:00+00:00 I ran the ipa-replica-manage re-initialize and it runs successfully and the above permission denied error goes away but the host can not be connected to any other replicas, it no longer sees itself as a replica or csreplica. I assume this is due to the re-init. I'm leery of trying to force it to try and join and potentially cause more issues. I would appreciate any helpful suggestions.

2 4

2025

2024

2023

2022

2021

2020

2019

2018

2017

FreeIPA-users February 2018