[Freeipa-users] dns stops working after upgrade
Martin Basti
mbasti at redhat.com
Wed Nov 5 16:43:49 UTC 2014
Can you send me the DNS-related ACIs in dc=tjako,dc=thuis?
On 05/11/14 17:08, Rob Verduijn wrote:
> and here is the 4.1 version
>
> Rob
>
>
> cat output-4.1.txt
> # extended LDIF
> #
> # LDAPv3
> # base <cn=DNS Servers,cn=privileges,cn=pbac,dc=tjako,dc=thuis> with
> scope subtree
> # filter: (objectclass=*)
> # requesting: ALL
> #
>
> # DNS Servers, privileges, pbac, tjako.thuis
> dn: cn=DNS Servers,cn=privileges,cn=pbac,dc=tjako,dc=thuis
> objectClass: top
> objectClass: groupofnames
> objectClass: nestedgroup
> cn: DNS Servers
> description: DNS Servers
> memberOf: cn=add dns entries,cn=permissions,cn=pbac,dc=tjako,dc=thuis
> memberOf: cn=remove dns entries,cn=permissions,cn=pbac,dc=tjako,dc=thuis
> memberOf: cn=update dns entries,cn=permissions,cn=pbac,dc=tjako,dc=thuis
> memberOf: cn=Read DNS Entries,cn=permissions,cn=pbac,dc=tjako,dc=thuis
> memberOf: cn=Write DNS Configuration,cn=permissions,cn=pbac,dc=tjako,dc=thuis
> member: krbprincipalname=DNS/freeipa.tjako.thuis at TJAKO.THUIS,cn=services,cn=accounts,dc=tjako,dc=thuis
> member: krbprincipalname=ipa-dnskeysyncd/freeipa.tjako.thuis at TJAKO.THUIS,cn=services,cn=accounts,dc=tjako,dc=thuis
>
There are missing DNSSEC permissions.
> # search result
> search: 4
> result: 0 Success
>
> # numResponses: 2
> # numEntries: 1
> # extended LDIF
> #
> # LDAPv3
> # base <krbprincipalname=DNS/tjako.thuis at TJAKO.THUIS,cn=services,cn=accounts,dc=tjako,dc=thuis> with scope subtree
> # filter: (objectclass=*)
> # requesting: ALL
> #
>
> # search result
> search: 4
> result: 32 No such object
> matchedDN: cn=services,cn=accounts,dc=tjako,dc=thuis
>
> # numResponses: 1
> # extended LDIF
> #
> # LDAPv3
> # base <cn=Read DNS Entries,cn=permissions,cn=pbac,dc=tjako,dc=thuis>
> with scope subtree
> # filter: (objectclass=*)
> # requesting: ALL
> #
>
> # Read DNS Entries, permissions, pbac, tjako.thuis
> dn: cn=Read DNS Entries,cn=permissions,cn=pbac,dc=tjako,dc=thuis
> objectClass: top
> objectClass: groupofnames
> objectClass: ipapermission
> cn: Read DNS Entries
> description: Read DNS entries
> ipaPermissionType: SYSTEM
> member: cn=DNS Administrators,cn=privileges,cn=pbac,dc=tjako,dc=thuis
> member: cn=DNS Servers,cn=privileges,cn=pbac,dc=tjako,dc=thuis
> member: cn=Smart Proxy Host Management,cn=privileges,cn=pbac,dc=tjako,dc=thuis
>
> # search result
> search: 4
> result: 0 Success
>
> # numResponses: 2
> # numEntries: 1
>
> 2014-11-05 16:31 GMT+01:00 Martin Basti <mbasti at redhat.com>:
>
> Hello,
>
> can you send the content of these entries (I need mainly the member and
> memberOf attributes)?:
> DN: cn=DNS Servers,cn=privileges,cn=pbac,dc=example,dc=com
> DN: krbprincipalname=DNS/example.com at EXAMPLE.COM,cn=services,cn=accounts,dc=example,dc=com
> DN: cn=System: Read DNS Entries,cn=permissions,cn=pbac,dc=example,dc=com
>
>
> On 05/11/14 16:17, Rob Verduijn wrote:
>> Hello,
>>
>> I use only a single freeipa server (so no replica to bother)
>>
>> Internal zones worked before the update
>> After the update, internal zones no longer worked.
>> After reverting back the snapshot the internal zones worked
>> again, no additional actions were needed.
>>
>> Rob
>>
>> 2014-11-05 16:11 GMT+01:00 Petr Spacek <pspacek at redhat.com>:
>>
>> Hello,
>>
>> Rob V., you did not answer my question about when DNS last worked
>> for you. Did it work right after reverting the snapshot?
>>
>> Petr^2 Spacek
>>
>>
>> On 5.11.2014 16:09, Rob Verduijn wrote:
>>
>> Hello again,
>>
>> I don't know about foreman upstream; the current version that I am
>> using, included in the katello installation, is 1.6, and the foreman
>> manpage still requires the configuration of the realm-smart-proxy.
>> http://www.theforeman.org/manuals/1.6/index.html#4.3.9Realm
>>
>> About the snapshot:
>> I removed all the katello entries from my current freeipa installation
>> (I peeked in the script to see what it did):
>> - user (foreman-realm)
>> - role (Smart Host Proxy Manager)
>> - privilege (Smart Host Proxy Management)
>> - 3 custom permissions (modify host password, write host certificate,
>>   modify host userclass)
>> Applied the update to freeipa 4.1.
>> My local dns zones did not resolve again.
>> Running the ipa-ldap-updater did not fix it.
>>
>> So I guess that it is not due to the katello integration or the
>> realm-smart-proxy script.
>>
>> Rob
>>
>> 2014-11-05 14:39 GMT+01:00 Petr Spacek <pspacek at redhat.com>:
>>
>> On 4.11.2014 17:15, Rob Verduijn wrote:
>>
>> The problem with 'foreman-prepare-realm' and freeipa was that it
>> claimed that a few of the permissions required did not exist when it
>> tried to add them to the 'smart proxy host management' privilege.
>>
>> I think it was because the permissions were all in lower case without
>> the 'System: ' prefix. This is just an assumption since I did not get
>> it to work even after adding them manually. So I figured to try it
>> again after reverting back to 3.3.5.
>>
>> After downgrading I learned that it did not work due to a bug in a
>> ruby script (fixed by commenting out lines 505-506 in
>> /usr/share/ruby/xmlrpc/client.rb on the katello host, see
>> https://bugs.ruby-lang.org/issues/8182 and
>> https://bugzilla.redhat.com/show_bug.cgi?id=1071187).
>>
>> After which I tried the upgrade again.
>>
>> regarding
>> https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/NamedCannotStart
>> I did look again using the credentials as mentioned in step 4 and saw
>> only 3 objects (1x idnsConfigObject, 2x nsContainer).
>> When using admin credentials I saw all the dns zone entries.
>>
>> I can see the zone entries in the ipa gui.
>>
>> Also when I look at the permissions in ipa there are no longer any
>> permissions that have the 'System: ' prefix.
>>
>>
>> AFAIK the foreman proxy is not necessary (and not supported) with
>> IPA 4.x because it was obsoleted by the 'native' proxy delivered by
>> Foreman upstream.
>>
>> Am I right, Rob (Crittenden)? :-)
>>
>> Anyway, back to your DNS problem. Did it work before you installed
>> the Foreman proxy? Or not? I.e. is it working when you revert the
>> snapshot?
>>
>> Do you have other replicas in the replication topology? Please keep
>> in mind that changes in LDAP (including changes to permissions) are
>> replicated, so reverting one VM and not others is not necessarily
>> enough.
>>
>> Petr^2 Spacek
>>
>>
>> 2014-11-04 15:52 GMT+01:00 Petr Spacek <pspacek at redhat.com>:
>>
>>
>> On 4.11.2014 15:27, Rob Verduijn wrote:
>>
>>
>> Hello again,
>>
>>
>> I've managed to integrate my katello configuration with freeipa.
>> Now I not only use freeipa authentication in katello but also when a
>> host is defined in katello it automagically gets created in the
>> freeipa realm; certs, otp, dns all working great.
>>
>> However, to obtain all this integration greatness I had to downgrade
>> my freeipa to 3.3.5 again (revert snapshot) because the katello realm
>> integration tool (foreman-prepare-realm) is not capable of dealing
>> with 4.X versions of freeipa.
>>
>> It would be nice if you could tell us more details about the problem
>> you had with Katello, AFAIK we are not aware of any.
>>
>> And now the named-pkcs11 again does not see my internal zones.
>>
>> This page
>> https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/NamedCannotStart
>> thinks I should contact the freeipa-users list
>>
>>
>> Do I understand correctly that you did all the steps 0-4 successfully
>> and then you found out that you can't see DNS objects in LDAP (step 5)
>> when using ldapsearch with the DNS principal?
>>
>> Can you see the objects in IPA web UI or CLI? If it is the case then
>> we will need help from an LDAP ACI expert (pviktori? :-).
>>
>> Petr^2 Spacek
>>
>>
>> The command 'ipa-ldap-updater
>> /usr/share/ipa/updates/55-pbacmemberof.update' didn't fix it,
>> and the command 'ipa-ldap-updater' didn't fix it either.
>>
>> So I am now stuck at freeipa 3.3.5 again (with a working katello
>> integration, so I got some mixed emotions about it).
>> Any ideas anyone?
>> Rob
>> Rob
>>
>> 2014-10-29 22:14 GMT+01:00 Rob Verduijn <rob.verduijn at gmail.com>:
>>
>> Hello,
>>
>>
>> I've tested the update again.
>>
>> The bind-utils conflict is still there when I issue "yum update
>> freeipa-server" (as indicated on the freeipa 4.1 download page
>> http://www.freeipa.org/page/Downloads#Upgrading)
>>
>> 'yum update' works fine
>>
>> My internal zones didn't resolve after the update.
>> ipa-ldap-updater /usr/share/ipa/updates/55-pbacmemberof.update didn't
>> fix it.
>> ipa-ldap-updater did fix the 'access control instructions' and my
>> internal dns zones started to resolve again :-)
>>
>> Cheers
>> Rob
>>
>>
>> 2014-10-29 18:14 GMT+01:00 Petr Spacek <pspacek at redhat.com>:
>>
>> On 29.10.2014 16:46, Rob Verduijn
>> wrote:
>>
>>
>> Hello,
>>
>>
>> # ipa-ldap-updater /usr/share/ipa/updates/55-pbacmemberof.update
>> fixes the problem.
>>
>> I can resolve my internal dns zones again :-)
>>
>> Many thanks.
>>
>> Since this problem happened every time I tried to update the freeipa
>> server, I could re-run the update with some debug options if you like
>> so you can pinpoint what goes wrong with the update script.
>>
>>
>> I have rebuilt some packages in mkosek's COPR so now you should not
>> encounter dependency problems. A simple 'yum upgrade' should give you
>> all the required packages.
>>
>> We are looking at other problems in the upgrade process right now so
>> there is not much to test except package dependencies.
>>
>>
>
>
> --
> Martin Basti
>
>
--
Martin Basti
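Added example (not part of the thread and not FreeIPA code): a small Python checker for the kind of LDIF dump Rob posted above. It parses the cn=DNS Servers privilege entry and reports, for each permission the DNS service principal needs, whether it is held under its 4.x "System: ..." name, held only under the pre-4.x lowercase name (what Rob's 4.1 dump shows), or not held at all (the DNSSEC permissions Martin points at). The list of expected permission names is an assumption made for this example, and the sample LDIF is constructed to mirror the thread's output with real LDIF line folding; the principal-member check shows which identities the ACIs are actually granted to.

```python
"""Added example, not FreeIPA code: check which DNS permissions a FreeIPA
privilege really holds, from an LDIF dump of the privilege entry."""
import base64
from collections import defaultdict

# Assumption for this example: permissions the "DNS Servers" privilege should
# carry after a FreeIPA 4.1 upgrade. The thread itself does not list them.
EXPECTED_DNS_SERVER_PERMISSIONS = (
    "System: Read DNS Entries", "System: Add DNS Entries",
    "System: Update DNS Entries", "System: Remove DNS Entries",
    "System: Read DNS Configuration", "System: Write DNS Configuration",
    "System: Manage DNSSEC keys", "System: Manage DNSSEC metadata",
    "System: Read DNSSEC metadata",
)

# Constructed sample modelled on the 4.1 dump in the thread; a line starting
# with one space is an LDIF fold (ldapsearch wraps long values this way).
SAMPLE_LDIF = """\
# DNS Servers, privileges, pbac, tjako.thuis
dn: cn=DNS Servers,cn=privileges,cn=pbac,dc=tjako,dc=thuis
cn: DNS Servers
memberOf: cn=add dns entries,cn=permissions,cn=pbac,dc=tjako,dc=thuis
memberOf: cn=remove dns entries,cn=permissions,cn=pbac,dc=tjako,dc=thuis
memberOf: cn=update dns entries,cn=permissions,cn=pbac,dc=tjako,dc=thuis
memberOf: cn=Read DNS Entries,cn=permissions,cn=pbac,dc=tjako,dc=thuis
memberOf: cn=Write DNS Configuration,cn=permissions,cn=pbac,dc=tjako,dc=thu
 is
member: krbprincipalname=DNS/freeipa.tjako.thuis@TJAKO.THUIS,cn=services,cn=ac
 counts,dc=tjako,dc=thuis
member: krbprincipalname=ipa-dnskeysyncd/freeipa.tjako.thuis@TJAKO.THUIS,cn=se
 rvices,cn=accounts,dc=tjako,dc=thuis
"""

def parse_ldif(text):
    """Entries as {attr_lowercase: [values]}; handles comments, folds, base64."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]  # fold: continuation of the previous line
        else:
            unfolded.append(raw)
    entries, current = [], defaultdict(list)
    for line in unfolded + [""]:  # trailing "" flushes the last entry
        if line.startswith("#"):
            continue
        if not line.strip():
            if current:
                entries.append(dict(current))
                current = defaultdict(list)
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):  # "attr:: <base64>"
            value = base64.b64decode(value[1:]).decode("utf-8")
        else:
            value = value.strip()
        current[attr.strip().lower()].append(value)
    return entries

def find_entry(entries, dn):
    for entry in entries:  # case-insensitive DN match
        if entry.get("dn", [""])[0].lower() == dn.lower():
            return entry
    raise LookupError("entry not found: " + dn)

def _norm(name):
    """Permission name without the 4.x 'System: ' prefix, lowercased."""
    name = name.strip()
    if name.lower().startswith("system: "):
        name = name[len("system: "):]
    return name.lower()

def check_privilege(entries, privilege_dn, expected=EXPECTED_DNS_SERVER_PERMISSIONS):
    """For each expected permission: 'ok' (held under its 4.x name), 'legacy'
    (held only under a pre-4.x name) or 'missing' (no memberOf at all)."""
    held = {}
    for dn in find_entry(entries, privilege_dn).get("memberof", []):
        rdn = dn.split(",", 1)[0]
        if rdn.lower().startswith("cn="):
            held[_norm(rdn[3:])] = rdn[3:]
    report = {"ok": [], "legacy": [], "missing": []}
    for want in expected:
        have = held.get(_norm(want))
        if have is None:
            report["missing"].append(want)
        elif have == want:
            report["ok"].append(want)
        else:
            report["legacy"].append((have, want))
    return report

def service_members(entries, privilege_dn):
    """Kerberos principals that are direct members, i.e. the identities the
    DNS ACIs are granted to (named's DNS/... and ipa-dnskeysyncd/...)."""
    return [dn.split(",", 1)[0].split("=", 1)[1]
            for dn in find_entry(entries, privilege_dn).get("member", [])
            if dn.lower().startswith("krbprincipalname=")]
```

Run against your own server with the output of ldapsearch -LLL on the privilege DN instead of SAMPLE_LDIF. On the constructed sample every expected permission comes back as either "legacy" (the five pre-4.x names) or "missing" (Read DNS Configuration and the three DNSSEC permissions), and none as "ok", which matches what the thread describes: the privilege was never migrated to the 4.x permission set, so named, bound as the DNS/ principal, cannot read the zones.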