<html>
<head>
<meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">Can you send me the DNS-related ACIs in
dc=tjako,dc=thuis?<br>
<br>
On 05/11/14 17:08, Rob Verduijn wrote:<br>
</div>
<blockquote
cite="mid:CAMkGkc6m-LMbnn161JycSFoEoZAgFFRVp1-wvCeMYC+vwR8LWw@mail.gmail.com"
type="cite">
<div dir="ltr">and here is the 4.1 version
<div><br>
</div>
<div>Rob</div>
<div><br>
</div>
<div><br>
</div>
<div>
<div>cat output-4.1.txt </div>
<div># extended LDIF</div>
<div>#</div>
<div># LDAPv3</div>
<div># base <cn=DNS
Servers,cn=privileges,cn=pbac,dc=tjako,dc=thuis> with
scope subtree</div>
<div># filter: (objectclass=*)</div>
<div># requesting: ALL</div>
<div>#</div>
<div><br>
</div>
<div># DNS Servers, privileges, pbac, tjako.thuis</div>
<div>dn: cn=DNS
Servers,cn=privileges,cn=pbac,dc=tjako,dc=thuis</div>
<div>objectClass: top</div>
<div>objectClass: groupofnames</div>
<div>objectClass: nestedgroup</div>
<div>cn: DNS Servers</div>
<div>description: DNS Servers</div>
<div>memberOf: cn=add dns
entries,cn=permissions,cn=pbac,dc=tjako,dc=thuis</div>
<div>memberOf: cn=remove dns
entries,cn=permissions,cn=pbac,dc=tjako,dc=thuis</div>
<div>memberOf: cn=update dns
entries,cn=permissions,cn=pbac,dc=tjako,dc=thuis</div>
<div>memberOf: cn=Read DNS
Entries,cn=permissions,cn=pbac,dc=tjako,dc=thuis</div>
<div>memberOf: cn=Write DNS
Configuration,cn=permissions,cn=pbac,dc=tjako,dc=thuis</div>
<div>member:
<a class="moz-txt-link-abbreviated" href="mailto:krbprincipalname=DNS/freeipa.tjako.thuis@TJAKO.THUIS,cn=services,cn=ac">krbprincipalname=DNS/freeipa.tjako.thuis@TJAKO.THUIS,cn=services,cn=ac</a></div>
<div> counts,dc=tjako,dc=thuis</div>
<div>member:
<a class="moz-txt-link-abbreviated" href="mailto:krbprincipalname=ipa-dnskeysyncd/freeipa.tjako.thuis@TJAKO.THUIS,cn=se">krbprincipalname=ipa-dnskeysyncd/freeipa.tjako.thuis@TJAKO.THUIS,cn=se</a></div>
<div> rvices,cn=accounts,dc=tjako,dc=thuis</div>
<div><br>
</div>
</div>
</div>
</blockquote>
There are missing DNSSEC permissions.<br>
<br>
<blockquote
cite="mid:CAMkGkc6m-LMbnn161JycSFoEoZAgFFRVp1-wvCeMYC+vwR8LWw@mail.gmail.com"
type="cite">
<div dir="ltr">
<div>
<div># search result</div>
<div>search: 4</div>
<div>result: 0 Success</div>
<div><br>
</div>
<div># numResponses: 2</div>
<div># numEntries: 1</div>
<div># extended LDIF</div>
<div>#</div>
<div># LDAPv3</div>
<div># base <
<a class="moz-txt-link-abbreviated" href="mailto:krbprincipalname=DNS/tjako.thuis@TJAKO.THUIS,cn=services,cn=accounts,dc=tjako,dc=thuis">krbprincipalname=DNS/tjako.thuis@TJAKO.THUIS,cn=services,cn=accounts,dc=tjako,dc=thuis</a>>
with scope subtree</div>
<div># filter: (objectclass=*)</div>
<div># requesting: ALL</div>
<div>#</div>
<div><br>
</div>
<div># search result</div>
<div>search: 4</div>
<div>result: 32 No such object</div>
<div>matchedDN: cn=services,cn=accounts,dc=tjako,dc=thuis</div>
<div><br>
</div>
<div># numResponses: 1</div>
<div># extended LDIF</div>
<div>#</div>
<div># LDAPv3</div>
<div># base <cn=Read DNS
Entries,cn=permissions,cn=pbac,dc=tjako,dc=thuis> with
scope subtree</div>
<div># filter: (objectclass=*)</div>
<div># requesting: ALL</div>
<div>#</div>
<div><br>
</div>
<div># Read DNS Entries, permissions, pbac, tjako.thuis</div>
<div>dn: cn=Read DNS
Entries,cn=permissions,cn=pbac,dc=tjako,dc=thuis</div>
<div>objectClass: top</div>
<div>objectClass: groupofnames</div>
<div>objectClass: ipapermission</div>
<div>cn: Read DNS Entries</div>
<div>description: Read DNS entries</div>
<div>ipaPermissionType: SYSTEM</div>
<div>member: cn=DNS
Administrators,cn=privileges,cn=pbac,dc=tjako,dc=thuis</div>
<div>member: cn=DNS
Servers,cn=privileges,cn=pbac,dc=tjako,dc=thuis</div>
<div>member: cn=Smart Proxy Host
Management,cn=privileges,cn=pbac,dc=tjako,dc=thuis</div>
<div><br>
</div>
<div># search result</div>
<div>search: 4</div>
<div>result: 0 Success</div>
<div><br>
</div>
<div># numResponses: 2</div>
<div># numEntries: 1</div>
</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">2014-11-05 16:31 GMT+01:00 Martin Basti
<span dir="ltr"><<a moz-do-not-send="true"
href="mailto:mbasti@redhat.com" target="_blank">mbasti@redhat.com</a>></span>:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<div>Hello,<br>
<br>
can you send the content of these entries (I mainly need the
member and memberof attributes)?<br>
DN: cn=DNS
Servers,cn=privileges,cn=pbac,dc=example,dc=com<br>
DN:
<a moz-do-not-send="true"
href="mailto:krbprincipalname=DNS/example.com@EXAMPLE.COM,cn=services,cn=accounts,dc=example,dc=com"
target="_blank">krbprincipalname=DNS/example.com@EXAMPLE.COM,cn=services,cn=accounts,dc=example,dc=com</a><br>
DN: cn=System: Read DNS
Entries,cn=permissions,cn=pbac,dc=example,dc=com
<div>
<div class="h5"><br>
<br>
On 05/11/14 16:17, Rob Verduijn wrote:<br>
</div>
</div>
</div>
<div>
<div class="h5">
<blockquote type="cite">
<div dir="ltr"><span
style="font-family:arial,sans-serif;font-size:12.8000001907349px">Hello,</span>
<div
style="font-family:arial,sans-serif;font-size:12.8000001907349px"><br>
</div>
<div
style="font-family:arial,sans-serif;font-size:12.8000001907349px">I
use only a single freeipa server (so no replica
to bother)</div>
<div
style="font-family:arial,sans-serif;font-size:12.8000001907349px"><br>
</div>
<div
style="font-family:arial,sans-serif;font-size:12.8000001907349px">Internal
zones worked before the update</div>
<div
style="font-family:arial,sans-serif;font-size:12.8000001907349px">After
the update, internal zones no longer worked.</div>
<div
style="font-family:arial,sans-serif;font-size:12.8000001907349px">After
reverting back the snapshot the internal zones
worked again, no additional actions were needed.</div>
<div
style="font-family:arial,sans-serif;font-size:12.8000001907349px"><br>
</div>
<div
style="font-family:arial,sans-serif;font-size:12.8000001907349px">Rob</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">2014-11-05 16:11
GMT+01:00 Petr Spacek <span dir="ltr"><<a
moz-do-not-send="true"
href="mailto:pspacek@redhat.com"
target="_blank">pspacek@redhat.com</a>></span>:<br>
<blockquote class="gmail_quote" style="margin:0
0 0 .8ex;border-left:1px #ccc
solid;padding-left:1ex">Hello,<br>
<br>
Rob V., you did not answer my question about
when DNS last worked for you. Did it work
right after reverting the snapshot?<br>
<br>
Petr^2 Spacek
<div>
<div><br>
<br>
On 5.11.2014 16:09, Rob Verduijn wrote:<br>
<blockquote class="gmail_quote"
style="margin:0 0 0 .8ex;border-left:1px
#ccc solid;padding-left:1ex"> Hello
again,<br>
<br>
I don't know about foreman upstream; the
current version that I am using,<br>
included in the katello installation, is
1.6.<br>
And the foreman manpage still requires
the configuration of the<br>
realm-smart-proxy.<br>
<a moz-do-not-send="true"
href="http://www.theforeman.org/manuals/1.6/index.html#4.3.9Realm"
target="_blank">http://www.theforeman.org/manuals/1.6/index.html#4.3.9Realm</a><br>
<br>
About the snapshot:<br>
I removed all the katello entries from
my current freeipa installation (I<br>
peeked in the script to see what it
did)<br>
- user (foreman-realm)<br>
- role (Smart Host Proxy Manager)<br>
- privilege (Smart Host Proxy
Management)<br>
- 3 custom permissions (modify host
password, write host certificate,<br>
modify host userclass)<br>
applied the update to freeipa 4.1.<br>
my local DNS zones did not resolve again<br>
running the ipa-ldap-updater did not fix
it<br>
<br>
So I guess that it is not due to the
katello integration or the<br>
realm-smart-proxy script.<br>
<br>
Rob<br>
<br>
2014-11-05 14:39 GMT+01:00 Petr Spacek
<<a moz-do-not-send="true"
href="mailto:pspacek@redhat.com"
target="_blank">pspacek@redhat.com</a>>:<br>
<br>
<blockquote class="gmail_quote"
style="margin:0 0 0
.8ex;border-left:1px #ccc
solid;padding-left:1ex"> On 4.11.2014
17:15, Rob Verduijn wrote:<br>
<br>
<blockquote class="gmail_quote"
style="margin:0 0 0
.8ex;border-left:1px #ccc
solid;padding-left:1ex"> The problem
with 'foreman-prepare-realm' and
freeipa was that it claimed<br>
that a few of the permissions
required did not exist when it tried
to add<br>
them to the 'smart proxy host
management' privilege.<br>
<br>
I think it was because the
permissions were all in lower case
without the<br>
'System: ' prefix. This is just an
assumption since I did not get it to
work<br>
even after adding them manually. So
I figured I'd try it again after<br>
reverting back to 3.3.5.<br>
<br>
After downgrading I learned that it
did not work due to a bug in a ruby<br>
script. (fixed by commenting out
line 505-506<br>
in /usr/share/ruby/xmlrpc/client.rb
on the katello host, see<br>
<a moz-do-not-send="true"
href="https://bugs.ruby-lang.org/issues/8182"
target="_blank">https://bugs.ruby-lang.org/issues/8182</a>
and<br>
<a moz-do-not-send="true"
href="https://bugzilla.redhat.com/show_bug.cgi?id=1071187"
target="_blank">https://bugzilla.redhat.com/show_bug.cgi?id=1071187</a>
)<br>
<br>
After which I tried the upgrade
again.<br>
<br>
regarding<br>
<a moz-do-not-send="true"
href="https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/NamedCannotStart"
target="_blank">https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/NamedCannotStart</a><br>
I did look again using the
credentials as mentioned in step 4
and saw<br>
only<br>
3 objects (1x idnsConfigObject, 2x
nsContainer)<br>
When using admin credentials I saw
all the dns zone entries.<br>
<br>
I can see the zone entries in the
ipa gui.<br>
<br>
Also when I look at the permissions
in ipa there are no longer any<br>
permissions that have the 'System: '
prefix.<br>
<br>
</blockquote>
<br>
AFAIK the foreman proxy is not
necessary (and not supported) with IPA
4.x<br>
because it was obsoleted by the 'native'
proxy delivered by Foreman upstream.<br>
<br>
Am I right, Rob (Crittenden)? :-)<br>
<br>
Anyway, back to your DNS problem. Did
it work before you installed<br>
Foreman proxy? Or not? I.e. is it
working when you revert the snapshot?<br>
<br>
Do you have other replicas in the
replication topology? Please keep in<br>
mind that changes in LDAP (including
changes to permissions) are replicated<br>
so reverting one VM and not others is
not necessarily enough.<br>
<br>
Petr^2 Spacek<br>
<br>
<br>
2014-11-04 15:52 GMT+01:00 Petr
Spacek <<a moz-do-not-send="true"
href="mailto:pspacek@redhat.com"
target="_blank">pspacek@redhat.com</a>>:<br>
<blockquote class="gmail_quote"
style="margin:0 0 0
.8ex;border-left:1px #ccc
solid;padding-left:1ex"> <br>
On 4.11.2014 15:27, Rob Verduijn
wrote:<br>
<blockquote class="gmail_quote"
style="margin:0 0 0
.8ex;border-left:1px #ccc
solid;padding-left:1ex"> <br>
Hello again,<br>
<blockquote class="gmail_quote"
style="margin:0 0 0
.8ex;border-left:1px #ccc
solid;padding-left:1ex"> <br>
I've managed to integrate my
katello configuration with
freeipa.<br>
Now I not only use freeipa
authentication in katello but
also when a<br>
host<br>
is defined in katello it
automagically gets created in
the freeipa<br>
realm,<br>
certs, otp, dns all working
great.<br>
<br>
however, to obtain all this
integration greatness I had to
downgrade my<br>
freeipa to 3.3.5 again (revert
snapshot) because the katello
realm<br>
integration tool
(foreman-prepare-realm) is not
capable of dealing with<br>
4.X<br>
versions of freeipa.<br>
<br>
It would be nice if you could
tell us more details about
the<br>
</blockquote>
problem<br>
you had with Katello, AFAIK we are
not aware of any.<br>
<br>
And now the named-pkcs11 again
does not see my internal zones.<br>
<br>
<blockquote class="gmail_quote"
style="margin:0 0 0
.8ex;border-left:1px #ccc
solid;padding-left:1ex"> <br>
This page<br>
<a moz-do-not-send="true"
href="https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/NamedCannotStart"
target="_blank">https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/NamedCannotStart</a><br>
thinks<br>
I should contact the
freeipa-users list<br>
<br>
<br>
</blockquote>
Do I understand correctly that you
did all the steps 0-4 successfully
and<br>
then you found out that you can't
see DNS objects in LDAP (step 5)
when<br>
using ldapsearch with DNS
principal?<br>
<br>
Can you see the objects in IPA web
UI or CLI? If it is the case then
we<br>
will need help from LDAP ACI
expert (pviktori? :-).<br>
<br>
Petr^2 Spacek<br>
<br>
<br>
The command 'ipa-ldap-updater<br>
<br>
<blockquote class="gmail_quote"
style="margin:0 0 0
.8ex;border-left:1px #ccc
solid;padding-left:1ex">
/usr/share/ipa/updates/55-pbacmemberof.update'
didn't fix it.<br>
and the command
'ipa-ldap-updater' didn't fix it
either.<br>
<br>
So I am now stuck at freeipa
3.3.5 again (with a working
katello<br>
integration, so I got some mixed
emotions about it)<br>
Any ideas, anyone?<br>
Rob<br>
<br>
<br>
<br>
<br>
<br>
<br>
2014-10-29 22:14 GMT+01:00 Rob
Verduijn <<a
moz-do-not-send="true"
href="mailto:rob.verduijn@gmail.com"
target="_blank">rob.verduijn@gmail.com</a>>:<br>
<br>
Hello,<br>
<br>
<blockquote class="gmail_quote"
style="margin:0 0 0
.8ex;border-left:1px #ccc
solid;padding-left:1ex"> <br>
I've tested the update again.<br>
<br>
The bind-utils conflict is
still there when I issue "yum
update<br>
freeipa-server" ( as indicated
on the freeipa 4.1 download
page<br>
<a moz-do-not-send="true"
href="http://www.freeipa.org/page/Downloads#Upgrading"
target="_blank">http://www.freeipa.org/page/Downloads#Upgrading</a>
)<br>
<br>
'yum update' works fine<br>
<br>
My internal zones didn't
resolve after the update<br>
ipa-ldap-updater
/usr/share/ipa/updates/55-pbacmemberof.update
didn't<br>
fix<br>
it<br>
ipa-ldap-updater did fix the
'access control instructions'
and my<br>
internal<br>
dns zones started to resolve
again :-)<br>
<br>
Cheers<br>
Rob<br>
<br>
<br>
2014-10-29 18:14 GMT+01:00
Petr Spacek <<a
moz-do-not-send="true"
href="mailto:pspacek@redhat.com"
target="_blank">pspacek@redhat.com</a>>:<br>
<br>
On 29.10.2014 16:46, Rob
Verduijn wrote:<br>
<br>
<blockquote
class="gmail_quote"
style="margin:0 0 0
.8ex;border-left:1px #ccc
solid;padding-left:1ex"> <br>
Hello,<br>
<br>
<blockquote
class="gmail_quote"
style="margin:0 0 0
.8ex;border-left:1px #ccc
solid;padding-left:1ex"> <br>
# ipa-ldap-updater
/usr/share/ipa/updates/55-pbacmemberof.update<br>
fixes the problem.<br>
<br>
I can resolve my internal
DNS zones again :-)<br>
<br>
Many thanx.<br>
<br>
Since this problem
happened every time I
tried to update the
freeipa<br>
server,<br>
I could re-run the update
with some debug options if
you like, so you<br>
can<br>
pinpoint what goes wrong
with the update
script.<br>
<br>
<br>
I have rebuilt some
packages in mkosek's COPR
so now you should<br>
</blockquote>
not<br>
encounter dependency
problems. Simple 'yum
upgrade' should give you<br>
all<br>
the<br>
required packages.<br>
<br>
We are looking at other
problems in upgrade process
right now so there<br>
is<br>
not much to test except
package dependencies.<br>
</blockquote>
</blockquote>
</blockquote>
</blockquote>
</blockquote>
</blockquote>
</blockquote>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
<br>
</div>
</div>
<span class="HOEnZb"><font color="#888888">
<pre cols="72">--
Martin Basti</pre>
</font></span></div>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
<br>
<pre class="moz-signature" cols="72">--
Martin Basti</pre>
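<p>The check a defender would run on an ldapsearch dump like the one quoted above, as an added example (not code from the thread, from FreeIPA or from Foreman): parse the LDIF, re-join the folded member lines, normalise permission names so that the lower-case, prefix-less names in the 4.1 entry compare equal to the 'System: ' form Martin asked for, and list which expected permissions the cn=DNS Servers privilege is not a memberOf. The sample LDIF is constructed from the entry quoted above; the DNSSEC permission names are an assumption, since the thread does not quote them.</p>

```python
import re
# Constructed sample: the cn=DNS Servers privilege quoted in the thread.  ldapsearch
# folds long values; a continuation line starts with a single space.
SAMPLE_LDIF = """\
dn: cn=DNS Servers,cn=privileges,cn=pbac,dc=tjako,dc=thuis
memberOf: cn=add dns entries,cn=permissions,cn=pbac,dc=tjako,dc=thuis
memberOf: cn=remove dns entries,cn=permissions,cn=pbac,dc=tjako,dc=thuis
memberOf: cn=update dns entries,cn=permissions,cn=pbac,dc=tjako,dc=thuis
memberOf: cn=Read DNS Entries,cn=permissions,cn=pbac,dc=tjako,dc=thuis
memberOf: cn=Write DNS Configuration,cn=permissions,cn=pbac,dc=tjako,dc=thuis
member: krbprincipalname=DNS/freeipa.tjako.thuis@TJAKO.THUIS,cn=services,cn=ac
 counts,dc=tjako,dc=thuis
member: krbprincipalname=ipa-dnskeysyncd/freeipa.tjako.thuis@TJAKO.THUIS,cn=se
 rvices,cn=accounts,dc=tjako,dc=thuis
"""
# Expected memberOf after the 4.1 upgrade: the five permissions seen in the thread plus
# DNSSEC ones.  The DNSSEC names are an ASSUMPTION; verify with 'ipa permission-find'.
EXPECTED_DNS_SERVERS_PERMISSIONS = [
    "System: Add DNS Entries", "System: Remove DNS Entries", "System: Update DNS Entries",
    "System: Read DNS Entries", "System: Write DNS Configuration",
    "System: Manage DNSSEC keys", "System: Manage DNSSEC metadata", "System: Read DNSSEC metadata",
]

def parse_ldif(text):
    """Minimal ldapsearch LDIF parser: one {attr (lower-cased): [values]} dict per entry."""
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]          # re-join a folded value
        else:
            logical.append(raw)
    entries, current = [], {}
    for line in logical + [""]:             # the trailing "" flushes the last entry
        if not line:
            if current:
                entries.append(current)
            current = {}
        elif not line.startswith("#"):      # skip ldapsearch comment lines
            attr, _, value = line.partition(":")
            current.setdefault(attr.strip().lower(), []).append(value.strip())
    return entries

def permission_name(dn):
    """cn of a permission DN, lower-cased, 'System: ' prefix dropped (both forms occur)."""
    return re.sub(r"^system:\s*", "", dn.split(",", 1)[0].partition("=")[2].strip().lower())

def missing_permissions(entry, expected):
    """Names from expected that the privilege entry is not a memberOf."""
    have = {permission_name(dn) for dn in entry.get("memberof", [])}
    return sorted(p for p in expected if permission_name("cn=" + p) not in have)
```

Run it against a real dump with <code>ldapsearch -Y GSSAPI -b 'cn=DNS Servers,cn=privileges,cn=pbac,&lt;suffix&gt;'</code> piped into <code>parse_ldif</code>, after replacing the assumed DNSSEC names with the ones your server's <code>ipa permission-find</code> reports.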
</body>
</html>