[Freeipa-users] Active Directory slave zone in FreeIPA DNS (Franklin)

Franklin Catoni franklinbc at gmail.com
Thu Aug 23 05:00:38 UTC 2012


>>Hi,
Hello,
>>Is the zone not transferring at all, or is it just the updates that
>>aren't transferred to the AD slave server?
It's not transferring at all.
>>If the zone is not transferring at all: Did you modify the "Allow
>>transfer" property of the zone?
Yes, I changed the parameter to allow zone transfers from the AD.
>>If the updates are not transferring: I believe automatic increment of the
>>zone serial number will be supported in IPA 3.0. The IPA developers will
>>have to confirm that. However, you can manually change the serial number
>>under Zone Settings.
Yes, I also read this information, but I was hoping there was some other
solution to the issue. And I have manually changed the serial number of
the zone, but without success.
>>Hope this helps.
Thanks

>>Regards,
>>Siggi

2012/8/20 <freeipa-users-request at redhat.com>

> Today's Topics:
>
>    1. Re: Active Directory slave zone in FreeIPA DNS (Sigbjorn Lie)
>    2. Re: sssd client cache timer and merging IPA domains
>       (Rob Crittenden)
>    3. Re: Question about migration and scripts variables
>       (Rob Crittenden)
>    4. Specifying load balancing to SSSD clients (Innes, Duncan)
>    5. Re: Specifying load balancing to SSSD clients (Mark St. Laurent)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Sun, 19 Aug 2012 18:23:20 +0200
> From: Sigbjorn Lie <sigbjorn at nixtra.com>
> To: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] Active Directory slave zone in FreeIPA
>         DNS
> Message-ID: <503112F8.8000900 at nixtra.com>
> Content-Type: text/plain; charset="iso-8859-1"; Format="flowed"
>
> On 08/19/2012 04:39 PM, Franklin Catoni wrote:
> > Greetings community.
> >
> > I do not speak English so I will do my best.
> >
> > I have two environments in my company, a domain "ejemplo.com" with
> > Windows Active Directory running on Windows Server 2003 Enterprise
> > Edition SP2 and a domain "ejemplo.gob.ve" with FreeIPA v2.2 installed on
> > CentOS 6.3 x64. This is because we are in the middle of a platform
> > migration process (a very slow process) from proprietary solutions to
> > open source.
> >
> > DNS and DHCP service for my two environments is offered by the CentOS
> > 6.3 server on which the FreeIPA directory is installed; clients are
> > Windows computers in the Active Directory domain and Linux computers in
> > the IPA domain.
> >
> > Currently the zone "ejemplo.gob.ve" is administered by the FreeIPA DNS
> > using the plugin (bind-dyndb-ldap.x86_64 v1.1.0), and I configured a
> > slave zone using bind (bind-9.8.2-0.10.rc1.el6_3.2.x86_64) for the
> > Active Directory domain "ejemplo.com".
> >
> > Name resolution works perfectly for both Linux and Windows clients.
> >
> > Now here comes the tricky part
> >
> > In order to achieve more centralized management of my services, I tried
> > to configure a slave zone for Active Directory through FreeIPA with
> > bind-dyndb-ldap, so as to eliminate configuration through bind, but the
> > zone transfers do not work, and this causes many problems on both
> > platforms.
> >
> > The log shows me the following error:
> >
> > ServidorIPA named[3706]: zone ejemplo.com/IN/local: zone serial
> > (2012081801) unchanged. zone may fail to transfer to slaves
> >
> > I've spent quite some time looking on Google for information that can
> > help me, but it has not been easy, because it seems to be a rare
> > situation.
> >
> > I ask: can this be set up under these circumstances? Has someone
> > accomplished it? Is there any information that can orient me towards a
> > solution?
> >
> > Thanks for your time.
> >
> Hi,
>
> Is the zone not transferring at all, or is it just the updates that
> aren't transferred to the AD slave server?
>
> If the zone is not transferring at all: Did you modify the "Allow
> transfer" property of the zone?
>
> If the updates are not transferring: I believe automatic increment of the
> zone serial number will be supported in IPA 3.0. The IPA developers will
> have to confirm that. However, you can manually change the serial number
> under Zone Settings.
>
> Hope this helps.
>
>
> Regards,
> Siggi
>
>
> ------------------------------
>
> Message: 2
> Date: Mon, 20 Aug 2012 08:44:32 -0400
> From: Rob Crittenden <rcritten at redhat.com>
> To: Lucas Yamanishi <lyamanishi at sesda2.com>
> Cc: "freeipa-users at redhat.com" <freeipa-users at redhat.com>
> Subject: Re: [Freeipa-users] sssd client cache timer and merging IPA
>         domains
> Message-ID: <50323130.6030102 at redhat.com>
> Content-Type: text/plain; charset=UTF-8; format=flowed
>
> Lucas Yamanishi wrote:
> >
> > On 08/17/2012 08:38 AM, Rob Crittenden wrote:
> >> Lucas Yamanishi wrote:
> >>>
> >>> On 08/16/2012 05:39 PM, Rob Crittenden wrote:
> >>>> Lucas Yamanishi wrote:
> >>>>>
> >>>>> On 08/16/2012 05:32 PM, Rob Crittenden wrote:
> >>>>>> Lucas Yamanishi wrote:
> >>>>>>> I just migrated my IPA instance from one to another a couple days
> >>>>>>> ago to recover after a lost CA and failed yum upgrade.  The "ipa
> >>>>>>> migrate-ds" tool works very well, though I am having a few very
> >>>>>>> minor issues.  On the upside, as far as I can tell, you can skip
> >>>>>>> the steps about Kerberos key generation as outlined in the
> >>>>>>> documentation.  I've been able to kinit just fine with my migrated
> >>>>>>> users.
> >>>>>>>
> >>>>>>>
> >>>>>>> Below are the few errors I've noticed.
> >>>>>>>
> >>>>>>> * When I ssh into an enrolled host using a migrated user's
> >>>>>>> credentials I get this error:
> >>>>>>>
> >>>>>>>       id: cannot find name for group ID 104600003
> >>>>>>
> >>>>>> Does a group exist with that GID? You can try something like:
> >>>>>>
> >>>>>> $ ipa group-find --gid=104600003
> >>>>>>
> >>>>>
> >>>>> The group doesn't exist.  The GID is the counterpart to my UID.
> >>>>
> >>>> Try adding --private.
> >>>>
> >>>> rob
> >>>>
> >>>
> >>> Nope. It doesn't exist.
> >>>
> >>> Other groups migrated.  Why would the private groups fail?
> >>
> >> I don't know, what have you done to date, including versions?
> >>
> >> rob
> > I've been following the stable Scientific Linux releases since 6.1.
> > Based on repo archives, I guess that would be 2.0.0-23.el6.x86_64.  The
> > version was at 2.2.0-16.el6.x86_64 when I migrated, which I had just
> > upgraded from 2.1.3-9.el6.x86_64.  I migrated to and use now
> > 2.2.0-16.el6.x86_64.
> >
> > So...
> > 2.0.0-23.el6.x86_64 -> 2.1.3-9.el6.x86_64 -> 2.2.0-16.el6.x86_64 ---->
> > 2.2.0-16.el6.x86_64
> >
> >
>
> Can you verify that managed entries are configured:
>
> # ipa-managed-entries -l
>
> It should return:
>
> UPG Definition
> NGP Definition
>
> This enables user-private groups and netgroup-private groups.
>
> rob
>
>
>
> ------------------------------
>
> Message: 3
> Date: Mon, 20 Aug 2012 08:56:51 -0400
> From: Rob Crittenden <rcritten at redhat.com>
> To: James James <jreg2k at gmail.com>
> Cc: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] Question about migration and scripts
>         variables
> Message-ID: <50323413.4090906 at redhat.com>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
> James James wrote:
> > Hi,
> >
> > my first question is about the migrate process. Is it possible to
> > renumber the users during the migrate process (ipa migrate-ds) in a way
> > that all imported users will have a new UID ?
>
> I haven't tested this but you might try
> --user-ignore-attribute=uidnumber,gidnumber.
>
> > my second question is about ipalib. I wanted to make a hook on the user
> > creation. The hook works fine. I just want to know if there is a way to
> > have the value of variables like the username, the name of the creator,
> > the e-mail of the creator and stuff like that.
>
> The current user is available via: principal = getattr(context,
> 'principal')
>
> Using this you can look up that user:
>
> (binddn, bindattrs) = find_entry_by_attr("krbprincipalname", principal,
> "krbPrincipalAux")
>
> rob
>
>
>
> ------------------------------
>
> Message: 4
> Date: Mon, 20 Aug 2012 14:48:30 +0100
> From: "Innes, Duncan" <Duncan.Innes at virginmoney.com>
> To: <freeipa-users at redhat.com>
> Subject: [Freeipa-users] Specifying load balancing to SSSD clients
> Message-ID:
>         <56343345B145C043AE990701E3D193952B5511 at EXVS2.nrplc.localnet>
> Content-Type: text/plain;       charset="us-ascii"
>
> Folks,
>
> Hopefully this isn't a dumb question, but I'm constrained by a few
> things on my estate and would be looking to deploy something like the
> following:
>
> 2 Datacentres
> 2 IPA servers at each datacentre
>
> ipa1.domain.com \_ datacentre A
> ipa2.domain.com /
>
> ipa3.domain.com \_ datacentre B
> ipa4.domain.com /
>
> The datacentres are linked, but bandwidth is not great.
>
> Clients in datacentre A should therefore use ipa1.domain.com and
> ipa2.domain.com as primary servers and only fail over to ipa3 & ipa4
> when both 1 & 2 are out of action.  Clients would revert to using
> ipa1/ipa2 whenever either of them came back online.
>
> I understand this configuration has already been done as part of
> https://fedorahosted.org/freeipa/ticket/2282
>
> What I'm wondering is if I can force my clients to load balance
> communication between ipa1 & ipa2.
>
> I don't have the ability to use the _srv_ records in DNS as that's set
> up for the AD servers on our network.  I also can't create separate DNS
> servers for the Linux estate (not that I'd particularly want to).
>
> Is there any current configuration that I can use to force load
> balancing between ipa1/ipa2 under ideal conditions? Falling back to
> ipa2 when ipa1 is out of action. Falling back to (load balanced
> perhaps?) ipa3/ipa4 when ipa1 & ipa2 are both out of action.
>
> Hope the description is reasonable.
>
> Thanks
>
> Duncan Innes | Linux Architect
>
>
> Northern Rock plc is part of the Virgin Money group of companies.
>
> This e-mail is intended to be confidential to the recipient. If you
> receive a copy in error, please inform the sender and then delete this
> message.
>
> Virgin Money Personal Financial Service Limited is authorised and
> regulated by the Financial Services Authority. Company no. 3072766.
>
> Virgin Money Unit Trust Managers Limited is authorised and regulated by
> the Financial Services Authority. Company no. 3000482.
>
> Virgin Money Cards Limited. Introducer appointed representative only of
> Virgin Money Personal Financial Service Limited. Company no. 4232392.
>
> Virgin Money Management Services Limited. Company no. 3072772.
>
> Virgin Money Holdings (UK) Limited. Company no. 3087587.
>
> Each of the above companies is registered in England and Wales and has its
> registered office at Discovery House, Whiting Road, Norwich NR4 6EJ.
>
> Northern Rock plc. Authorised and regulated by the Financial Services
> Authority. Registered in England and Wales (Company no. 6952311) with its
> registered office at Northern Rock House, Gosforth, Newcastle upon Tyne NE3
> 4PL.
>
> The above companies use the trading name Virgin Money.
>
>
>
>
> ------------------------------
>
> Message: 5
> Date: Mon, 20 Aug 2012 10:15:08 -0400 (EDT)
> From: "Mark St. Laurent" <mstlaure at redhat.com>
> To: Duncan Innes <Duncan.Innes at virginmoney.com>
> Cc: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] Specifying load balancing to SSSD clients
> Message-ID:
>         <290044214.13057699.1345472108805.JavaMail.root at redhat.com>
> Content-Type: text/plain; charset="utf-8"
>
> http://www.redhat.com/products/enterprise-linux-add-ons/load-balancing/
>
>
> Norman "Mark" St. Laurent
> Federal Team: Senior Solutions Architect
> Red Hat
> 8260 Greensboro Drive, Suite 300
> McLean VA, 22102
> Email: msl at redhat.com
> Cell: 703.772.1434
>
> Check this Link out!!! Cool Stuff: http://mil-oss.org/
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
>
>
> ------------------------------
>
> End of Freeipa-users Digest, Vol 49, Issue 34
> *********************************************
>
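The named warning quoted in this thread ("zone serial (2012081801) unchanged. zone may fail to transfer to slaves") is the whole story behind a zone that never transfers: a secondary only pulls a zone when the master's SOA serial is strictly newer under RFC 1982 serial arithmetic, so rewriting the zone without bumping the serial leaves every slave silently stale. The following script is an added example, not code from the thread or from FreeIPA/bind-dyndb-ldap; it parses such log lines, decides whether a slave would transfer, and computes the next YYYYMMDDnn serial. The sample log line is constructed on the model of the one Franklin posted, and the `ejemplo.com/IN/local` zone name, dates and serials are only illustrative.

```python
"""Added example (not from the thread): SOA serial checks for zone transfers.

BIND logs "zone serial (N) unchanged. zone may fail to transfer to slaves"
when the zone content changed but the SOA serial did not. Slaves compare
serials with RFC 1982 arithmetic, so an unchanged serial means they keep
stale data. Sample values below are constructed for this example.
"""
import re
from datetime import date

SERIAL_MODULUS = 2 ** 32   # SOA serial is an unsigned 32-bit integer
HALF_RANGE = 2 ** 31       # RFC 1982 comparison window

# Matches BIND's "zone serial (...) unchanged" warning. The zone is logged
# as name/class/view, e.g. "ejemplo.com/IN/local".
UNCHANGED_RE = re.compile(
    r"zone (?P<zone>\S+): zone serial \((?P<serial>\d+)\) unchanged"
)

# Constructed sample, modelled on the line quoted in the thread.
SAMPLE_LOG = (
    "Aug 18 10:21:03 ServidorIPA named[3706]: zone ejemplo.com/IN/local: "
    "zone serial (2012081801) unchanged. zone may fail to transfer to slaves"
)


def parse_unchanged_warning(line):
    """Return (zone, serial) for an 'unchanged serial' warning, else None."""
    m = UNCHANGED_RE.search(line)
    if m is None:
        return None
    return m.group("zone"), int(m.group("serial"))


def serial_gt(a, b):
    """True if serial a is greater than serial b under RFC 1982 arithmetic.

    Unlike plain integer comparison this handles wraparound at 2**32, so a
    serial of 1 is 'greater' than 4294967295.
    """
    a %= SERIAL_MODULUS
    b %= SERIAL_MODULUS
    return (a > b and a - b < HALF_RANGE) or (a < b and b - a > HALF_RANGE)


def slave_will_transfer(master_serial, slave_serial):
    """A slave only pulls the zone when the master's serial is strictly newer."""
    return serial_gt(master_serial, slave_serial)


def next_serial(current, yyyymmdd=None):
    """Next YYYYMMDDnn-style serial that is strictly greater than `current`.

    `yyyymmdd` is an int such as 20120819 (defaults to today). Uses that date
    with revision 00 when it is already newer; otherwise (several edits on one
    day, or a serial set ahead of the calendar) just increments, which keeps
    RFC 1982 ordering intact.
    """
    if yyyymmdd is None:
        yyyymmdd = int(date.today().strftime("%Y%m%d"))
    candidate = yyyymmdd * 100
    if serial_gt(candidate, current):
        return candidate
    return (current + 1) % SERIAL_MODULUS


def zones_needing_bump(log_lines):
    """Map each zone that logged the warning to the serial it is stuck on."""
    stuck = {}
    for line in log_lines:
        parsed = parse_unchanged_warning(line)
        if parsed:
            zone, serial = parsed
            stuck[zone] = serial
    return stuck


if __name__ == "__main__":
    for zone, serial in zones_needing_bump([SAMPLE_LOG]).items():
        print(f"{zone}: serial {serial} unchanged; "
              f"slave on same serial would transfer: "
              f"{slave_will_transfer(serial, serial)}; "
              f"suggested new serial: {next_serial(serial, 20120819)}")
```

Run it against `journalctl -u named` or `/var/log/messages` output to list the zones whose serial was not bumped; the suggested serial is what you would enter under Zone Settings, as Siggi describes, until the IPA version in use increments it automatically.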
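Duncan's question about keeping clients on the datacentre-local pair, failing over to the remote pair only when both local servers are down, and returning afterwards is answered in the digest only with a link. The following script is an added example, not code from the thread or from the sssd project. It assumes a client using sssd's `ipa` provider with the datacentre-local servers in `ipa_server` and the remote pair in `ipa_backup_server`, an option that exists in sssd 1.9 and later and is not mentioned on the page; sssd tries backups only after every primary fails and returns to the primaries when they recover. sssd itself does not spread load across the primaries, so the "load balancing" here is a per-host rotation of the primary order, a static approximation that needs no DNS SRV records. The hostnames and sample configuration are constructed.

```python
"""Added example (not from the thread or sssd): check an sssd.conf IPA domain
section against the two-datacentre layout described in the thread, and spread
client preference across the local pair without DNS SRV records.

Assumes the sssd ipa provider with `ipa_server` (local pair) and
`ipa_backup_server` (remote pair, sssd >= 1.9). Values are constructed.
"""
import configparser
import zlib

PRIMARY_BY_DC = {
    "A": ["ipa1.domain.com", "ipa2.domain.com"],
    "B": ["ipa3.domain.com", "ipa4.domain.com"],
}


def split_servers(value):
    """sssd accepts comma- or whitespace-separated server lists."""
    return value.replace(",", " ").split()


def remote_pair(datacentre):
    return [s for dc, srv in PRIMARY_BY_DC.items() if dc != datacentre for s in srv]


def ipa_server_order(datacentre, client_hostname):
    """Rotate the local pair by a stable hash of the client's hostname, so
    roughly half the clients in a datacentre prefer each server. sssd tries
    the list in order, so this is static spreading, not live balancing."""
    local = PRIMARY_BY_DC[datacentre]
    start = zlib.crc32(client_hostname.encode()) % len(local)
    return local[start:] + local[:start]


def render_domain_section(datacentre, client_hostname, domain="domain.com"):
    """Produce the [domain/...] fragment for one client (constructed values)."""
    return (
        f"[domain/{domain}]\n"
        "id_provider = ipa\n"
        f"ipa_domain = {domain}\n"
        f"ipa_server = {', '.join(ipa_server_order(datacentre, client_hostname))}\n"
        f"ipa_backup_server = {', '.join(remote_pair(datacentre))}\n"
    )


def lint_failover(conf_text, datacentre, domain="domain.com"):
    """Return a list of findings; an empty list means the layout matches."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    section = f"domain/{domain}"
    if section not in cp:
        return [f"missing [{section}] section"]
    sec = cp[section]
    findings = []
    if sec.get("id_provider") != "ipa":
        findings.append("id_provider is not 'ipa'")
    primary = split_servers(sec.get("ipa_server", ""))
    backup = split_servers(sec.get("ipa_backup_server", ""))
    local = PRIMARY_BY_DC[datacentre]
    remote = remote_pair(datacentre)
    # In this estate the _srv_ records belong to the AD servers, so SRV
    # discovery would send clients to the wrong directory.
    if "_srv_" in primary or "_srv_" in backup:
        findings.append("_srv_ discovery configured but DNS SRV records belong to AD")
    if set(primary) != set(local):
        findings.append(f"ipa_server should be the local pair {local}, got {primary}")
    if set(backup) != set(remote):
        findings.append(f"ipa_backup_server should be the remote pair {remote}, got {backup}")
    return findings


# Constructed: a client listing all four servers as primaries, via SRV first.
BAD_CONF = """[sssd]
domains = domain.com
services = nss, pam

[domain/domain.com]
id_provider = ipa
ipa_domain = domain.com
ipa_server = _srv_, ipa1.domain.com, ipa2.domain.com, ipa3.domain.com, ipa4.domain.com
"""

if __name__ == "__main__":
    for finding in lint_failover(BAD_CONF, "A"):
        print("BAD:", finding)
    print(render_domain_section("A", "client01.domain.com"))
```

Feed `lint_failover` the contents of `/etc/sssd/sssd.conf` from a client (with the datacentre it lives in) to catch hosts whose primary list reaches across the slow link or still relies on the AD-owned SRV records.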