[Freeipa-users] Exporting data?

Thu Sep 5 06:33:24 UTC 2013

On 4.9.2013 20:23, Bret Wortman wrote:
> ...and I tried exporting the DNS data but ended up with a bunch of files
> that looked liket his:
>
> # cat foo.net.db
>
> ; <<>> DiG 9.9.3-rl.156.01.P1-RedHat-9.9.3-3.P1.fc18 <<>> +onesoa -t AXFR
> foo.net
> ;; global options: +cmd
> ; Transfer failed.
> #
>
> The logs showed:
>
> <timestamp> ipamaster named[31633]: client 1.2.3.4#39992 (foo.net) : zone
> transfer 'foo.net/AXFR/IN' denied

You have to add IP '1.2.3.4' to the allow-transfer Address List Match.

$ ipa dnszone-mod --allow-transfer='localhost; 1.2.3.4;'

See
http://www.zytrax.com/books/dns/ch7/address_match_list.html
for further details.

Petr^2 Spacek

> On Wed, Sep 4, 2013 at 1:32 PM, Simo Sorce <simo at redhat.com> wrote:
>
>> On Wed, 2013-09-04 at 09:40 -0400, Dmitri Pal wrote:
>>> On 09/04/2013 09:26 AM, Petr Spacek wrote:
>>>> On 4.9.2013 15:04, Bret Wortman wrote:
>>>>> What's the right venue for making a suggestion? In particular, I'd
>>>>> like to
>>>>> toss out there that it would be really nice to be able to export, at a
>>>>> minimum, DNS and user data from IPA in the form of a zone file and a
>>>>> passwd/shadow file pair.
>>>>>
>>>>> I realize there might be security implications to the latter, and
>>>>> masking
>>>>> out passwords might be advisiable. And there's no easy way,
>>>>> necessarily, to
>>>>> get out sudo information. But having DNS and user details would at
>> least
>>>>> permit a sysadmin having major issues (like I have been for the past
>> two
>>>>> weeks) to get up and running in some form, using puppet or some other
>>>>> tool
>>>>> to distribute flat files with named running against a static zone
>>>>> file, or
>>>>> even to migrate off IPA if absolutely necessary.
>>>>
>>>> Hello,
>>>>
>>>> for DNS you can use normal zone transfer. Just configure IPA zone to
>>>> allow zone transfer to an IP address (localhost means 'localy to IPA
>>>> server') and use standard DNS tools, e.g. dig:
>>>>
>>>> $ ipa dnszone-mod example.com --allow-transfer='localhost;'
>>>> $ dig +onesoa -t AXFR example.com > /root/example.com.db
>>>>
>>>> That is all you need for DNS, you have the standard zone file.
>>>>
>>>>
>>>> I believe that you can use SSSD (with enumeration enabled) to run
>>>> "getent passwd > /root/passwd.bck". I have no idea how it works with
>>>> shadow map/password. Try to ask sssd-users at lists.fedorahosted.org.
>>>>
>>> And to add to it:
>>> IPA does not keep password in clear or the hashes that are used in
>>> passwd and shadow files for security reasons so it can't generate these
>>> files as you suggest.
>>
>> We do have hashes, the default is SHA256, it is stored in userPassword
>> and is used to validate LDAP binds, however we never let it out of LDAP,
>> neither SSSD not the integrate NIS server expose the password hash to
>> clients. You need Directory Manager privileges to read it.