<html>
  <head>
    <meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <div class="moz-cite-prefix">Hello,<br>
      <br>
      can you send the content of these entries (I need mainly the member and
      memberof attributes)?:<br>
      DN: cn=DNS Servers,cn=privileges,cn=pbac,dc=example,dc=com<br>
      DN:
<a class="moz-txt-link-abbreviated" href="mailto:krbprincipalname=DNS/example.com@EXAMPLE.COM,cn=services,cn=accounts,dc=example,dc=com">krbprincipalname=DNS/example.com@EXAMPLE.COM,cn=services,cn=accounts,dc=example,dc=com</a><br>
      DN: cn=System: Read DNS
      Entries,cn=permissions,cn=pbac,dc=example,dc=com<br>
      <br>
      On 05/11/14 16:17, Rob Verduijn wrote:<br>
    </div>
    <blockquote
cite="mid:CAMkGkc6RckmFNWu0X4pfV2jBUi4A3gBnbyuQbR+zBKfzQEAgKg@mail.gmail.com"
      type="cite">
      <div dir="ltr"><span
          style="font-family:arial,sans-serif;font-size:12.8000001907349px">Hello,</span>
        <div
          style="font-family:arial,sans-serif;font-size:12.8000001907349px"><br>
        </div>
        <div
          style="font-family:arial,sans-serif;font-size:12.8000001907349px">I
          use only a single freeipa server (so no replica to bother)</div>
        <div
          style="font-family:arial,sans-serif;font-size:12.8000001907349px"><br>
        </div>
        <div
          style="font-family:arial,sans-serif;font-size:12.8000001907349px">Internal
          zones worked before the update</div>
        <div
          style="font-family:arial,sans-serif;font-size:12.8000001907349px">After
          the update, internal zones no longer worked.</div>
        <div
          style="font-family:arial,sans-serif;font-size:12.8000001907349px">After
          reverting back the snapshot the internal zones worked again,
          no additional actions were needed.</div>
        <div
          style="font-family:arial,sans-serif;font-size:12.8000001907349px"><br>
        </div>
        <div
          style="font-family:arial,sans-serif;font-size:12.8000001907349px">Rob</div>
      </div>
      <div class="gmail_extra"><br>
        <div class="gmail_quote">2014-11-05 16:11 GMT+01:00 Petr Spacek
          <span dir="ltr"><<a moz-do-not-send="true"
              href="mailto:pspacek@redhat.com" target="_blank">pspacek@redhat.com</a>></span>:<br>
          <blockquote class="gmail_quote" style="margin:0 0 0
            .8ex;border-left:1px #ccc solid;padding-left:1ex">Hello,<br>
            <br>
            Rob V., you did not answer my question about when DNS worked
            for you last time. Did it work right after reverting the
            snapshot?<br>
            <br>
            Petr^2 Spacek
            <div class="HOEnZb">
              <div class="h5"><br>
                <br>
                On 5.11.2014 16:09, Rob Verduijn wrote:<br>
                <blockquote class="gmail_quote" style="margin:0 0 0
                  .8ex;border-left:1px #ccc solid;padding-left:1ex">
                  Hello again,<br>
                  <br>
                  I don't know about foreman upstream; the current
                  version that I am using,<br>
                  included in the katello installation, is 1.6,<br>
                  and the foreman manpage still requires the
                  configuration of the<br>
                  realm-smart-proxy.<br>
                  <a moz-do-not-send="true"
                    href="http://www.theforeman.org/manuals/1.6/index.html#4.3.9Realm"
                    target="_blank">http://www.theforeman.org/manuals/1.6/index.html#4.3.9Realm</a><br>
                  <br>
                  About the snapshot:<br>
                  I removed all the katello entries from my current
                  freeipa installation (I<br>
                  peeked in the script to see what it did):<br>
                     - user (foreman-realm)<br>
                     - role (Smart Host Proxy Manager)<br>
                     - privilege (Smart Host Proxy Management)<br>
                     - 3 custom permissions (modify host password,
                  write host certificate,<br>
                  modify host userclass)<br>
                  applied the update to freeipa 4.1.<br>
                  My local dns zones did not resolve again.<br>
                  Running the ipa-ldap-updater did not fix it.<br>
                  <br>
                  So I guess that it is not due to the katello
                  integration or the<br>
                  realm-smart-proxy script.<br>
                  <br>
                  Rob<br>
                  <br>
                  2014-11-05 14:39 GMT+01:00 Petr Spacek <<a
                    moz-do-not-send="true"
                    href="mailto:pspacek@redhat.com" target="_blank">pspacek@redhat.com</a>>:<br>
                  <br>
                  <blockquote class="gmail_quote" style="margin:0 0 0
                    .8ex;border-left:1px #ccc solid;padding-left:1ex">
                    On 4.11.2014 17:15, Rob Verduijn wrote:<br>
                    <br>
                    <blockquote class="gmail_quote" style="margin:0 0 0
                      .8ex;border-left:1px #ccc solid;padding-left:1ex">
                      The problem with 'foreman-prepare-realm' and
                      freeipa was that it claimed<br>
                      that a few of the permissions required did not
                      exist when it tried to add<br>
                      them to the 'smart proxy host management'
                      privilege.<br>
                      <br>
                      I think it was because the permissions were all in
                      lower case without the<br>
                      'System: ' prefix. This is just an assumption
                      since I did not get it to work<br>
                      even after adding them manually. So I figured to
                      try it again after<br>
                      try it again after<br>
                      reverting back to 3.3.5.<br>
                      <br>
                      After downgrading I learned that it did not work
                      due to a bug in a ruby<br>
                      script. (fixed by commenting out lines 505-506<br>
                      in /usr/share/ruby/xmlrpc/client.rb on the katello
                      host, see<br>
                      <a moz-do-not-send="true"
                        href="https://bugs.ruby-lang.org/issues/8182"
                        target="_blank">https://bugs.ruby-lang.org/issues/8182</a>
                      and<br>
                      <a moz-do-not-send="true"
                        href="https://bugzilla.redhat.com/show_bug.cgi?id=1071187"
                        target="_blank">https://bugzilla.redhat.com/show_bug.cgi?id=1071187</a>
                      )<br>
                      <br>
                      After which I tried the upgrade again.<br>
                      <br>
                      regarding<br>
                      <a moz-do-not-send="true"
href="https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/NamedCannotStart"
                        target="_blank">https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/NamedCannotStart</a><br>
                      I did look again using the credentials as
                      mentioned in step 4, and saw<br>
                      only<br>
                      3 objects (1x idnsConfigObject 2x nsContainer).<br>
                      When using admin credentials I saw all the dns
                      zone entries.<br>
                      <br>
                      I can see the zone entries in the ipa gui.<br>
                      <br>
                      Also when I look at the permissions in ipa there
                      are no longer any<br>
                      permissions that have the 'System: ' prefix.<br>
                      <br>
                    </blockquote>
                    <br>
                    AFAIK the foreman proxy is not necessary (and not
                    supported) with IPA 4.x<br>
                    because it was obsoleted by 'native' proxy delivered
                    by Foreman upstream.<br>
                    <br>
                    Am I right, Rob (Crittenden)? :-)<br>
                    <br>
                    Anyway, back to your DNS problem. Did it work
                    before you installed<br>
                    Foreman proxy? Or not? I.e. is it working when you
                    revert the snapshot?<br>
                    <br>
                    Do you have other replicas in the replication
                    topology? Please keep in<br>
                    mind that changes in LDAP (including changes to
                    permissions) are replicated<br>
                    so reverting one VM and not others is not
                    necessarily enough.<br>
                    <br>
                    Petr^2 Spacek<br>
                    <br>
                    <br>
                      2014-11-04 15:52 GMT+01:00 Petr Spacek <<a
                      moz-do-not-send="true"
                      href="mailto:pspacek@redhat.com" target="_blank">pspacek@redhat.com</a>>:<br>
                    <blockquote class="gmail_quote" style="margin:0 0 0
                      .8ex;border-left:1px #ccc solid;padding-left:1ex">
                      <br>
                        On 4.11.2014 15:27, Rob Verduijn wrote:<br>
                      <blockquote class="gmail_quote" style="margin:0 0
                        0 .8ex;border-left:1px #ccc
                        solid;padding-left:1ex">
                        <br>
                          Hello again,<br>
                        <blockquote class="gmail_quote" style="margin:0
                          0 0 .8ex;border-left:1px #ccc
                          solid;padding-left:1ex">
                          <br>
                          I've managed to integrate my katello
                          configuration with freeipa.<br>
                          Now I not only use freeipa authentication in
                          katello but also when a<br>
                          host<br>
                          is defined in katello it automagically gets
                          created in the freeipa<br>
                          realm,<br>
                          certs, otp, dns all working great.<br>
                          <br>
                          however, to obtain all this integration
                          greatness I had to downgrade my<br>
                          freeipa to 3.3.5 again (revert snapshot)
                          because the katello realm<br>
                          integration tool (foreman-prepare-realm) is
                          not capable of dealing with<br>
                          4.X<br>
                          versions of freeipa.<br>
                          <br>
                            It would be nice if you could tell us
                          more details about the<br>
                        </blockquote>
                        problem<br>
                        you had with Katello, AFAIK we are not aware of
                        any.<br>
                        <br>
                           And now the named-pkcs11 again does not see
                        my internal zones.<br>
                        <br>
                        <blockquote class="gmail_quote" style="margin:0
                          0 0 .8ex;border-left:1px #ccc
                          solid;padding-left:1ex">
                          <br>
                          This page<br>
                          <a moz-do-not-send="true"
href="https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/NamedCannotStart"
                            target="_blank">https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/NamedCannotStart</a><br>
                          thinks<br>
                          I should contact the freeipa-users list<br>
                          <br>
                          <br>
                        </blockquote>
                        Do I understand correctly that you did all the
                        steps 0-4 successfully and<br>
                        then you found out that you can't see DNS
                        objects in LDAP (step 5) when<br>
                        using ldapsearch with DNS principal?<br>
                        <br>
                        Can you see the objects in IPA web UI or CLI? If
                        it is the case then we<br>
                        will need help from LDAP ACI expert (pviktori?
                        :-).<br>
                        <br>
                        Petr^2 Spacek<br>
                        <br>
                        <br>
                           The command 'ipa-ldap-updater<br>
                        <br>
                        <blockquote class="gmail_quote" style="margin:0
                          0 0 .8ex;border-left:1px #ccc
                          solid;padding-left:1ex">
                          /usr/share/ipa/updates/55-pbacmemberof.update'
                          didn't fix it.<br>
                          and the command 'ipa-ldap-updater' didn't fix
                          it either.<br>
                          <br>
                          So I am now stuck at freeipa 3.3.5 again (with
                          a working katello<br>
                          integration, so I got some mixed emotions
                          about it)<br>
                          Any ideas anyone ?<br>
                          Rob<br>
                          <br>
                          <br>
                          <br>
                          <br>
                          <br>
                          <br>
                          2014-10-29 22:14 GMT+01:00 Rob Verduijn <<a
                            moz-do-not-send="true"
                            href="mailto:rob.verduijn@gmail.com"
                            target="_blank">rob.verduijn@gmail.com</a>>:<br>
                          <br>
                             Hello,<br>
                          <br>
                          <blockquote class="gmail_quote"
                            style="margin:0 0 0 .8ex;border-left:1px
                            #ccc solid;padding-left:1ex">
                            <br>
                            I've tested the update again.<br>
                            <br>
                            The bind-utils conflict is still there when
                            I issue "yum update<br>
                            freeipa-server" ( as indicated on the
                            freeipa 4.1 download page<br>
                            <a moz-do-not-send="true"
                              href="http://www.freeipa.org/page/Downloads#Upgrading"
                              target="_blank">http://www.freeipa.org/page/Downloads#Upgrading</a>
                            )<br>
                            <br>
                            'yum update' works fine<br>
                            <br>
                            My internal zones didn't resolve after the
                            update<br>
                            ipa-ldap-updater /usr/share/ipa/updates/55-pbacmemberof.update
                            didn't<br>
                            fix<br>
                            it<br>
                            ipa-ldap-updater did fix the 'access control
                            instructions' and my<br>
                            internal<br>
                            dns zones started to resolve again :-)<br>
                            <br>
                            Cheers<br>
                            Rob<br>
                            <br>
                            <br>
                            2014-10-29 18:14 GMT+01:00 Petr Spacek <<a
                              moz-do-not-send="true"
                              href="mailto:pspacek@redhat.com"
                              target="_blank">pspacek@redhat.com</a>>:<br>
                            <br>
                               On 29.10.2014 16:46, Rob Verduijn wrote:<br>
                            <br>
                            <blockquote class="gmail_quote"
                              style="margin:0 0 0 .8ex;border-left:1px
                              #ccc solid;padding-left:1ex">
                              <br>
                                 Hello,<br>
                              <br>
                              <blockquote class="gmail_quote"
                                style="margin:0 0 0 .8ex;border-left:1px
                                #ccc solid;padding-left:1ex">
                                <br>
                                # ipa-ldap-updater
                                /usr/share/ipa/updates/55-pbacmemberof.update<br>
                                     fixes the problem.<br>
                                <br>
                                I can resolve my internal dns zones
                                again :-)<br>
                                <br>
                                Many thanx.<br>
                                <br>
                                Since this problem happened every time I
                                tried to update the freeipa<br>
                                server,<br>
                                I could re-run the update with some
                                debug options so you<br>
                                can<br>
                                pinpoint what goes wrong with the update
                                script if you like.<br>
                                <br>
                                <br>
                                  I have re-built some packages in
                                mkosek's COPR so now you should<br>
                              </blockquote>
                              not<br>
                              encounter dependency problems. Simple 'yum
                              upgrade' should give you<br>
                              all<br>
                              the<br>
                              required packages.<br>
                              <br>
                              We are looking at other problems in
                              upgrade process right now so there<br>
                              is<br>
                              not much to test except package
                              dependencies.<br>
                            </blockquote>
                          </blockquote>
                        </blockquote>
                      </blockquote>
                    </blockquote>
                  </blockquote>
                </blockquote>
              </div>
            </div>
          </blockquote>
        </div>
        <br>
      </div>
    </blockquote>
    <br>
    <br>
    <pre class="moz-signature" cols="72">-- 
Martin Basti</pre>
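    <p>The three DNs Martin asks for form one chain: the DNS service principal
    must be a member of the "DNS Servers" privilege, and that privilege a member
    of the "System: Read DNS Entries" permission, with the reverse memberOf
    values maintained by the memberOf plugin (the thread's workaround,
    ipa-ldap-updater with 55-pbacmemberof.update, regenerates them). The script
    below is an added example, not code from this thread or from FreeIPA: it
    reads an LDIF dump of those entries and reports which link is missing.
    The LDIF samples are constructed here, the ldapsearch command in the comment
    is an assumption about how the real dump would be collected, and the exact
    set of links checked reflects the expected 4.x layout rather than anything
    the thread confirms.</p>

```python
"""Added example: verify the FreeIPA pbac membership chain that lets the DNS
service principal read DNS entries.

    principal  --memberOf-->  privilege "DNS Servers"
    privilege  --memberOf-->  permission "System: Read DNS Entries"

Not part of the original thread; the LDIF below is constructed, not a dump.
"""
import base64
from collections import defaultdict

BASE_DN = "dc=example,dc=com"
PRINCIPAL_DN = ("krbprincipalname=DNS/example.com@EXAMPLE.COM,"
                f"cn=services,cn=accounts,{BASE_DN}")
PRIVILEGE_DN = f"cn=DNS Servers,cn=privileges,cn=pbac,{BASE_DN}"
PERMISSION_DN = f"cn=System: Read DNS Entries,cn=permissions,cn=pbac,{BASE_DN}"

# Assumed collection command (as admin, on the IPA server):
#   ldapsearch -Y GSSAPI -b "dc=example,dc=com" \
#     "(|(cn=DNS Servers)(cn=System: Read DNS Entries)(krbprincipalname=DNS/*))" \
#     member memberOf > pbac.ldif


def norm_dn(dn):
    """Case-fold and strip whitespace around RDN separators so DNs compare."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def parse_ldif(text):
    """Minimal LDIF reader: unfolds continuation lines (RFC 2849), decodes
    'attr:: <base64>' values, skips comments.
    Returns {normalised dn: {lowercase attr: [values]}}."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # folded continuation line
        else:
            lines.append(raw)
    entries, current = {}, None
    for line in lines:
        if not line.strip():
            current = None                # blank line ends an entry
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):         # base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode()
        else:
            value = value.strip()
        attr = attr.strip().lower()
        if attr == "dn":
            current = entries.setdefault(norm_dn(value), defaultdict(list))
        elif current is None:
            raise ValueError(f"attribute line outside an entry: {line!r}")
        else:
            current[attr].append(value)
    return entries


def check_dns_read_chain(entries):
    """Return a list of problems; an empty list means every link is present."""
    problems = []

    def values(dn, attr):
        return {norm_dn(v) for v in entries.get(norm_dn(dn), {}).get(attr, [])}

    for name, dn in (("principal", PRINCIPAL_DN), ("privilege", PRIVILEGE_DN),
                     ("permission", PERMISSION_DN)):
        if norm_dn(dn) not in entries:
            problems.append(f"{name} entry not in dump: {dn}")
    # forward 'member' links, stored directly on the group-like entries
    if norm_dn(PRINCIPAL_DN) not in values(PRIVILEGE_DN, "member"):
        problems.append("privilege 'DNS Servers' does not list the DNS principal as member")
    if norm_dn(PRIVILEGE_DN) not in values(PERMISSION_DN, "member"):
        problems.append("permission 'System: Read DNS Entries' does not list the privilege as member")
    # reverse 'memberOf' links, maintained by the memberOf plugin
    if norm_dn(PRIVILEGE_DN) not in values(PRINCIPAL_DN, "memberof"):
        problems.append("DNS principal lacks memberOf for the privilege")
    if norm_dn(PERMISSION_DN) not in values(PRIVILEGE_DN, "memberof"):
        problems.append("privilege lacks memberOf for the permission")
    if norm_dn(PERMISSION_DN) not in values(PRINCIPAL_DN, "memberof"):
        problems.append("DNS principal lacks nested memberOf for the permission "
                        "(memberOf fixup such as 55-pbacmemberof.update may not have run)")
    return problems


# constructed sample: intact chain (note the folded dn line)
HEALTHY_LDIF = """\
dn: krbprincipalname=DNS/example.com@EXAMPLE.COM,cn=services,cn=accounts,dc=exam
 ple,dc=com
memberOf: cn=DNS Servers,cn=privileges,cn=pbac,dc=example,dc=com
memberOf: cn=System: Read DNS Entries,cn=permissions,cn=pbac,dc=example,dc=com

dn: cn=DNS Servers,cn=privileges,cn=pbac,dc=example,dc=com
member: krbprincipalname=DNS/example.com@EXAMPLE.COM,cn=services,cn=accounts,dc=example,dc=com
memberOf: cn=System: Read DNS Entries,cn=permissions,cn=pbac,dc=example,dc=com

dn: cn=System: Read DNS Entries,cn=permissions,cn=pbac,dc=example,dc=com
member: cn=DNS Servers,cn=privileges,cn=pbac,dc=example,dc=com
"""

# constructed sample: 'member' links present but memberOf not regenerated
BROKEN_LDIF = """\
dn: krbprincipalname=DNS/example.com@EXAMPLE.COM,cn=services,cn=accounts,dc=example,dc=com
memberOf: cn=DNS Servers,cn=privileges,cn=pbac,dc=example,dc=com

dn: cn=DNS Servers,cn=privileges,cn=pbac,dc=example,dc=com
member: krbprincipalname=DNS/example.com@EXAMPLE.COM,cn=services,cn=accounts,dc=example,dc=com

dn: cn=System: Read DNS Entries,cn=permissions,cn=pbac,dc=example,dc=com
member: cn=DNS Servers,cn=privileges,cn=pbac,dc=example,dc=com
"""

if __name__ == "__main__":
    for label, ldif in (("healthy", HEALTHY_LDIF), ("broken", BROKEN_LDIF)):
        print(label, check_dns_read_chain(parse_ldif(ldif)) or "chain intact")
```

    <p>Point it at a real dump with <code>check_dns_read_chain(parse_ldif(open("pbac.ldif").read()))</code>.
    If only the memberOf links are reported missing while the member links are
    there, that matches the state the thread's memberOf fixup addressed; if the
    member links themselves are missing, the privilege or permission was
    renamed or recreated and the update did not re-link it.</p>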
  </body>
</html>