[Freeipa-users] dns stops working after upgrade
Martin Basti
mbasti at redhat.com
Wed Nov 5 15:31:06 UTC 2014
Hello,
can you send content of these entries (I need mainly member and memberof
attributes)?:
DN: cn=DNS Servers,cn=privileges,cn=pbac,dc=example,dc=com
DN: krbprincipalname=DNS/example.com at EXAMPLE.COM,cn=services,cn=accounts,dc=example,dc=com
DN: cn=System: Read DNS Entries,cn=permissions,cn=pbac,dc=example,dc=com
On 05/11/14 16:17, Rob Verduijn wrote:
> Hello,
>
> I use only a single freeipa server (so no replica to bother)
>
> Internal zones worked before the update
> After the update, internal zones no longer worked.
> After reverting back the snapshot the internal zones worked again, no
> additional actions were needed.
>
> Rob
>
> 2014-11-05 16:11 GMT+01:00 Petr Spacek <pspacek at redhat.com>:
>
> Hello,
>
> Rob V., you did not answer my question about when DNS worked for you
> last time. Did it work right after reverting the snapshot?
>
> Petr^2 Spacek
>
>
> On 5.11.2014 16:09, Rob Verduijn wrote:
>
> Hello again,
>
> I don't know about foreman upstream, the current version that I am using
> included in the katello installation is 1.6
> And the foreman manpage still requires the configuration of the
> realm-smart-proxy.
> http://www.theforeman.org/manuals/1.6/index.html#4.3.9Realm
>
> About the snapshot:
> I removed all the katello entries from my current freeipa installation
> (I peeked in the script to see what it did)
> - user (foreman-realm)
> - role (Smart Host Proxy Manager)
> - privilege (Smart Host Proxy Management)
> - 3 custom permissions (modify host password, write host certificate,
> modify host userclass)
> applied the update to freeipa 4.1.
> my local dns zones did not resolve again
> running the ipa-ldap-updater did not fix it
>
> So I guess that it is not due to the katello integration or the
> realm-smart-proxy script.
>
> Rob
>
> 2014-11-05 14:39 GMT+01:00 Petr Spacek <pspacek at redhat.com>:
>
> On 4.11.2014 17:15, Rob Verduijn wrote:
>
> The problem with 'foreman-prepare-realm' and freeipa was that it claimed
> that a few of the permissions required did not exist when it tried to add
> them to the 'smart proxy host management' privilege.
>
> I think it was because the permissions were all in lower case without the
> 'System: ' prefix. This is just an assumption since I did not get it to
> work even after adding them manually. So I figured to try it again after
> reverting back to 3.3.5.
>
> After downgrading I learned that it did not work due to a bug in a ruby
> script. (fixed by commenting out lines 505-506 in
> /usr/share/ruby/xmlrpc/client.rb on the katello host, see
> https://bugs.ruby-lang.org/issues/8182 and
> https://bugzilla.redhat.com/show_bug.cgi?id=1071187 )
>
> After which I tried the upgrade again.
>
> regarding
> https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/NamedCannotStart
> I did look again using the kredentials as mentioned in step 4. and saw
> only 3 objects (1x idnsConfigObject 2x nsContainer)
> When using admin credentials I saw all the dns zone entries.
>
> I can see the zone entries in the ipa gui.
>
> Also when I look at the permissions in ipa there are no longer any
> permissions that have the 'System: ' prefix.
>
>
> AFAIK the foreman proxy is not necessary (and not supported) with IPA 4.x
> because it was obsoleted by 'native' proxy delivered by Foreman upstream.
>
> Am I right, Rob (Crittenden)? :-)
>
> Anyway, back to your DNS problem. Did it work before you installed
> Foreman proxy? Or not? I.e. is it working when you revert the snapshot?
>
> Do you have other replicas in the replication topology? Please keep in
> mind that changes in LDAP (including changes to permissions) are
> replicated, so reverting one VM and not others is not necessarily enough.
>
> Petr^2 Spacek
>
>
> 2014-11-04 15:52 GMT+01:00 Petr Spacek <pspacek at redhat.com>:
>
> On 4.11.2014 15:27, Rob Verduijn wrote:
>
> Hello again,
>
> I've managed to integrate my katello configuration with freeipa.
> Now I not only use freeipa authentication in katello but also when a host
> is defined in katello it automagically gets created in the freeipa realm,
> certs, otp, dns all working great.
>
> however, to obtain all this integration greatness I had to downgrade my
> freeipa to 3.3.5 again (revert snapshot) because the katello realm
> integration tool (foreman-prepare-realm) is not capable of dealing with
> 4.X versions of freeipa.
>
> It would be nice if you could tell us more details about the problem
> you had with Katello, AFAIK we are not aware of any.
>
> And now the named-pkcs11 again does not see my internal zones.
>
> This page
> https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/NamedCannotStart
> thinks I should contact the freeipa-users list
>
> Do I understand correctly that you did all the steps 0-4 successfully and
> then you found out that you can't see DNS objects in LDAP (step 5) when
> using ldapsearch with DNS principal?
>
> Can you see the objects in IPA web UI or CLI? If it is the case then we
> will need help from LDAP ACI expert (pviktori? :-).
>
> Petr^2 Spacek
>
> The command 'ipa-ldap-updater
> /usr/share/ipa/updates/55-pbacmemberof.update' didn't fix it.
> and the command 'ipa-ldap-updater' didn't fix it either.
>
> So I am now stuck at freeipa 3.3.5 again (with a working katello
> integration, so I got some mixed emotions about it)
> Any ideas anyone ?
> Rob
>
>
> 2014-10-29 22:14 GMT+01:00 Rob Verduijn <rob.verduijn at gmail.com>:
>
> Hello,
>
> I've tested the update again.
>
> The bind-utils conflict is still there when I issue "yum update
> freeipa-server" (as indicated on the freeipa 4.1 download page
> http://www.freeipa.org/page/Downloads#Upgrading )
>
> 'yum update' works fine
>
> My internal zones didn't resolve after the update
> ipa-ldap-updater /usr/share/ipa/updates/55-pbacmemberof.update didn't
> fix it
> ipa-ldap-updater did fix the 'access control instructions' and my
> internal dns zones started to resolve again :-)
>
> Cheers
> Rob
>
>
> 2014-10-29 18:14 GMT+01:00 Petr Spacek <pspacek at redhat.com>:
>
> On 29.10.2014 16:46, Rob Verduijn wrote:
>
> Hello,
>
> # ipa-ldap-updater /usr/share/ipa/updates/55-pbacmemberof.update
> fixes the problem.
>
> I can resolve my internal dns zones again :-)
>
> Many thanx.
>
> Since this problem happened every time I tried to update the freeipa
> server, I could re-run the update with some debug options if you like,
> so you can pinpoint what goes wrong with the update script.
>
>
> I have rebuilt some packages in mkosek's COPR so now you should not
> encounter dependency problems. Simple 'yum upgrade' should give you all
> the required packages.
>
> We are looking at other problems in upgrade process right now so there
> is not much to test except package dependencies.
>
--
Martin Basti
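The thread turns on whether the DNS service principal is still wired, through the "DNS Servers" privilege, to the "System: Read DNS Entries" permission after the upgrade; the memberOf values that 55-pbacmemberof.update regenerates are what the ACI evaluates. The script below is an added example, not code from the thread or from FreeIPA: it parses LDIF of the kind `ldapsearch -LLL` prints for the three entries Martin asked about and reports where the chain is broken. The DNs, the `ipa.example.com` host and the sample LDIF are constructed for a hypothetical dc=example,dc=com realm (the `@` in the service DN is the real LDAP form of the "at" the archive shows), and the expected chain service -> privilege -> permission is FreeIPA's standard RBAC model, assumed here rather than taken from the page.

```python
"""Check the FreeIPA RBAC membership chain that lets the DNS service read DNS entries.

Added example (not from the mailing-list thread). Expected chain, assumed from
FreeIPA's privilege/permission model:

    DNS service  --member of-->  privilege "DNS Servers"
    privilege    --member of-->  permission "System: Read DNS Entries"

The service's memberOf values are maintained by the memberOf plugin, which is
what 55-pbacmemberof.update regenerates when they are stale.
"""
import base64
from collections import defaultdict

# Constructed DNs for a hypothetical dc=example,dc=com realm.
SERVICE_DN = ("krbprincipalname=DNS/ipa.example.com@EXAMPLE.COM,"
              "cn=services,cn=accounts,dc=example,dc=com")
PRIVILEGE_DN = "cn=DNS Servers,cn=privileges,cn=pbac,dc=example,dc=com"
PERMISSION_DN = "cn=System: Read DNS Entries,cn=permissions,cn=pbac,dc=example,dc=com"


def parse_ldif(text):
    """Parse LDIF into {dn: {attribute_lowercase: [values]}}.

    Handles folded continuation lines (leading space) and base64 values ('::').
    """
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]            # unfold a continuation line
        else:
            logical.append(raw)

    entries, current = {}, None
    for line in logical:
        if not line.strip() or line.startswith("#"):
            continue
        name, _, value = line.partition(":")  # first ':' only; values may contain ':'
        if value.startswith(":"):             # 'attr:: <base64>'
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        name = name.strip().lower()           # attribute names are case-insensitive
        if name == "dn":
            current = value
            entries[current] = defaultdict(list)
        elif current is not None:
            entries[current][name].append(value)
    return entries


def _norm(dn):
    return dn.strip().lower()                 # DNs compare case-insensitively


def check_dns_chain(entries, service_dn=SERVICE_DN,
                    privilege_dn=PRIVILEGE_DN, permission_dn=PERMISSION_DN):
    """Return a list of problems; an empty list means the chain is intact."""
    by_dn = {_norm(dn): attrs for dn, attrs in entries.items()}

    def values(dn, attr):
        return {_norm(v) for v in by_dn.get(_norm(dn), {}).get(attr, [])}

    problems = []
    for dn in (service_dn, privilege_dn, permission_dn):
        if _norm(dn) not in by_dn:
            problems.append(f"entry not found in search output: {dn}")
    if _norm(service_dn) not in values(privilege_dn, "member"):
        problems.append("privilege 'DNS Servers' does not list the DNS service as member")
    if _norm(privilege_dn) not in values(permission_dn, "member"):
        problems.append("permission 'System: Read DNS Entries' does not list 'DNS Servers' as member")
    if _norm(privilege_dn) not in values(service_dn, "memberof"):
        problems.append("DNS service has no memberOf for 'DNS Servers' (stale memberOf plugin state?)")
    if _norm(permission_dn) not in values(service_dn, "memberof"):
        problems.append("DNS service has no memberOf for 'System: Read DNS Entries'; the ACI will deny reads")
    return problems


# Constructed sample output: a healthy chain (with a folded DN and a base64 value
# to exercise the parser) and one where the service's memberOf values are missing.
HEALTHY_LDIF = f"""\
dn: {PRIVILEGE_DN}
cn: DNS Servers
description:: RE5TIFNlcnZlcnM=
member: {SERVICE_DN}
memberOf: {PERMISSION_DN}

dn: krbprincipalname=DNS/ipa.example.com@EXAMPLE.COM,cn=services,cn=accounts,
 dc=example,dc=com
krbprincipalname: DNS/ipa.example.com@EXAMPLE.COM
memberOf: {PRIVILEGE_DN}
memberOf: {PERMISSION_DN}

dn: {PERMISSION_DN}
cn: System: Read DNS Entries
member: {PRIVILEGE_DN}
"""

BROKEN_LDIF = HEALTHY_LDIF.replace(f"memberOf: {PRIVILEGE_DN}\nmemberOf: {PERMISSION_DN}\n", "")

if __name__ == "__main__":
    for label, ldif in (("healthy", HEALTHY_LDIF), ("broken", BROKEN_LDIF)):
        problems = check_dns_chain(parse_ldif(ldif))
        print(f"{label}: {'OK' if not problems else ''}")
        for problem in problems:
            print("  -", problem)
```

Feeding it real `ldapsearch -LLL -b <dn> member memberOf` output for the three entries distinguishes a missing `member` (the privilege or permission itself was changed) from missing `memberOf` on the service (plugin state to regenerate), which is the distinction the thread is trying to draw.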