[Freeipa-users] dns stops working after upgrade

Rob Verduijn rob.verduijn at gmail.com
Tue Nov 4 16:15:52 UTC 2014


The problem with 'foreman-prepare-realm' and freeipa was that it claimed
that a few of the permissions required did not exist when it tried to add
them to the 'smart proxy host management' privilege.

I think it was because the permissions were all in lower case without the
'System: ' prefix. This is just an assumption, since I did not get it to work
even after adding them manually. So I figured I would try it again after
reverting back to 3.3.5.

After downgrading I learned that it did not work due to a bug in a ruby
script (fixed by commenting out lines 505-506
in /usr/share/ruby/xmlrpc/client.rb on the katello host, see
https://bugs.ruby-lang.org/issues/8182 and
https://bugzilla.redhat.com/show_bug.cgi?id=1071187 ).

After which I tried the upgrade again.

Regarding
https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/NamedCannotStart
I did look again using the credentials as mentioned in step 4 and saw only
3 objects (1x idnsConfigObject, 2x nsContainer).
When using admin credentials I saw all the dns zone entries.

I can see the zone entries in the ipa gui.

Also when I look at the permissions in ipa there are no longer any
permissions that have the 'System: ' prefix.

Rob
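The check Rob describes above (the same ldapsearch under the DNS service principal's credentials and under admin's, with different results) can be turned into a small comparison script. The following is an added example; it is not code from this thread, from FreeIPA or from bind-dyndb-ldap. It parses two LDIF dumps of the cn=dns subtree, counts the object classes each identity can see, and names the zones that admin sees but the DNS principal does not, which is the symptom of missing read ACIs. The base DN dc=example,dc=com, the keytab path /etc/named.keytab, ldap://localhost and the sample LDIF are all constructed assumptions; the live ldapsearch is only run when RUN_LIVE=1.

```shell
#!/bin/sh
# Added example, not code from the thread, FreeIPA or bind-dyndb-ldap.
# Compares what the DNS service principal (named's keytab) can read under
# cn=dns with what admin can read, using two LDIF dumps, and names the zones
# hidden from the DNS principal. Base DN, keytab path, LDAP URL and the
# sample LDIF below are constructed assumptions.
set -u

# count_objectclass FILE CLASS: number of entries in FILE carrying objectClass CLASS
count_objectclass() {
    grep -ic "^objectClass: $2\$" "$1" || :
}

# list_zones FILE: idnsName of every idnsZone entry in FILE, sorted
list_zones() {
    awk 'BEGIN { RS = ""; FS = "\n" }
    {
        zone = ""; is_zone = 0
        for (i = 1; i <= NF; i++) {
            if (tolower($i) == "objectclass: idnszone") is_zone = 1
            if (tolower(substr($i, 1, 10)) == "idnsname: ") zone = substr($i, 11)
        }
        if (is_zone && zone != "") print zone
    }' "$1" | LC_ALL=C sort
}

# missing_zones ADMIN_LDIF DNS_LDIF: zones admin sees that the DNS principal does not
missing_zones() {
    dns_view=$(list_zones "$2")
    list_zones "$1" | while IFS= read -r zone; do
        printf '%s\n' "$dns_view" | grep -qxF -- "$zone" || printf '%s\n' "$zone"
    done
}

# make_samples DIR: constructed LDIF dumps mirroring the symptom in the thread:
# admin sees the zones, the DNS principal sees only the container objects.
make_samples() {
    cat > "$1/admin.ldif" <<'EOF'
dn: cn=dns,dc=example,dc=com
objectClass: nsContainer
objectClass: idnsConfigObject
cn: dns

dn: cn=servers,cn=dns,dc=example,dc=com
objectClass: nsContainer
cn: servers

dn: idnsname=example.com.,cn=dns,dc=example,dc=com
objectClass: idnsZone
idnsName: example.com.
idnsZoneActive: TRUE

dn: idnsname=ipa,idnsname=example.com.,cn=dns,dc=example,dc=com
objectClass: idnsRecord
idnsName: ipa
aRecord: 192.0.2.10

dn: idnsname=2.0.192.in-addr.arpa.,cn=dns,dc=example,dc=com
objectClass: idnsZone
idnsName: 2.0.192.in-addr.arpa.
idnsZoneActive: TRUE
EOF
    cat > "$1/dns.ldif" <<'EOF'
dn: cn=dns,dc=example,dc=com
objectClass: nsContainer
objectClass: idnsConfigObject
cn: dns

dn: cn=servers,cn=dns,dc=example,dc=com
objectClass: nsContainer
cn: servers
EOF
}

# live_dump OUT KINIT_ARGS...: kinit as the given identity, then dump cn=dns
# over GSSAPI into OUT (assumed LDAP URL and base DN; needs a real IPA server).
live_dump() {
    out=$1; shift
    kinit "$@" && ldapsearch -Y GSSAPI -H ldap://localhost -LLL \
        -b "cn=dns,dc=example,dc=com" > "$out"
}

# demo: run the comparison on the constructed samples, or on live dumps
# when RUN_LIVE=1 (DNS principal first, then admin, since kinit replaces the ccache).
demo() {
    d=$(mktemp -d)
    if [ "${RUN_LIVE:-0}" = 1 ]; then
        live_dump "$d/dns.ldif" -kt /etc/named.keytab "DNS/$(hostname -f)"
        live_dump "$d/admin.ldif" admin
    else
        make_samples "$d"
    fi
    printf 'DNS principal sees: %s idnsZone, %s nsContainer, %s idnsConfigObject\n' \
        "$(count_objectclass "$d/dns.ldif" idnsZone)" \
        "$(count_objectclass "$d/dns.ldif" nsContainer)" \
        "$(count_objectclass "$d/dns.ldif" idnsConfigObject)"
    printf 'admin sees: %s idnsZone\n' "$(count_objectclass "$d/admin.ldif" idnsZone)"
    hidden=$(missing_zones "$d/admin.ldif" "$d/dns.ldif")
    if [ -n "$hidden" ]; then
        printf 'Zones hidden from the DNS principal (read ACIs missing):\n%s\n' "$hidden"
    else
        printf 'DNS principal sees every zone admin sees.\n'
    fi
    rm -rf "$d"
}
demo
```

A non-empty "hidden" list with a healthy admin view points at the ACIs rather than at named itself; in this thread a full `ipa-ldap-updater` run (not only 55-pbacmemberof.update) was what restored the 'access control instructions' and made the zones resolve again.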

2014-11-04 15:52 GMT+01:00 Petr Spacek <pspacek at redhat.com>:

> On 4.11.2014 15:27, Rob Verduijn wrote:
>
>> Hello again,
>>
>> I've managed to integrate my katello configuration with freeipa.
>> Now I not only use freeipa authentication in katello, but also when a host
>> is defined in katello it automagically gets created in the freeipa realm;
>> certs, OTP, DNS all working great.
>>
>> However, to obtain all this integration greatness I had to downgrade my
>> freeipa to 3.3.5 again (revert snapshot) because the katello realm
>> integration tool (foreman-prepare-realm) is not capable of dealing with
>> 4.X versions of freeipa.
>>
> It would be nice if you could tell us more details about the problem
> you had with Katello; AFAIK we are not aware of any.
>
>> And now the named-pkcs11 again does not see my internal zones.
>>
>> This page
>> https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/NamedCannotStart
>> thinks I should contact the freeipa-users list.
>>
>
> Do I understand correctly that you did all the steps 0-4 successfully and
> then you found out that you can't see DNS objects in LDAP (step 5) when
> using ldapsearch with DNS principal?
>
> Can you see the objects in IPA web UI or CLI? If it is the case then we
> will need help from LDAP ACI expert (pviktori? :-).
>
> Petr^2 Spacek
>
>
>> The command 'ipa-ldap-updater
>> /usr/share/ipa/updates/55-pbacmemberof.update' didn't fix it,
>> and the command 'ipa-ldap-updater' didn't fix it either.
>>
>> So I am now stuck at freeipa 3.3.5 again (with a working katello
>> integration, so I got some mixed emotions about it)
>> Any ideas anyone ?
>> Rob
>>
>>
>> 2014-10-29 22:14 GMT+01:00 Rob Verduijn <rob.verduijn at gmail.com>:
>>
>>> Hello,
>>>
>>> I've tested the update again.
>>>
>>> The bind-utils conflict is still there when I issue "yum update
>>> freeipa-server" (as indicated on the freeipa 4.1 download page
>>> http://www.freeipa.org/page/Downloads#Upgrading ).
>>>
>>> 'yum update' works fine
>>>
>>> My internal zones didn't resolve after the update.
>>> ipa-ldap-updater /usr/share/ipa/updates/55-pbacmemberof.update didn't
>>> fix it.
>>> ipa-ldap-updater did fix the 'access control instructions' and my
>>> internal dns zones started to resolve again :-)
>>>
>>> Cheers
>>> Rob
>>>
>>>
>>> 2014-10-29 18:14 GMT+01:00 Petr Spacek <pspacek at redhat.com>:
>>>
>>>> On 29.10.2014 16:46, Rob Verduijn wrote:
>>>>
>>>>> Hello,
>>>>>
>>>>> # ipa-ldap-updater /usr/share/ipa/updates/55-pbacmemberof.update
>>>>>    fixes the problem.
>>>>>
>>>>> I can resolve my internal dns zones again :-)
>>>>>
>>>>> Many thanks.
>>>>>
>>>>> Since this problem happened every time I tried to update the freeipa
>>>>> server, I could re-run the update with some debug options if you like,
>>>>> so you can pinpoint what goes wrong with the update script.
>>>>>
>>>>>
>>>> I have rebuilt some packages in mkosek's COPR so now you should not
>>>> encounter dependency problems. A simple 'yum upgrade' should give you all
>>>> the required packages.
>>>>
>>>> We are looking at other problems in the upgrade process right now so there
>>>> is not much to test except package dependencies.
>>>>
>>>> --
>>>> Petr^2 Spacek
>>>>
>>>