[Freeipa-users] dns stops working after upgrade

Petr Viktorin pviktori at redhat.com
Thu Nov 6 10:05:48 UTC 2014 

On 11/05/2014 05:22 PM, Rob Verduijn wrote:
> I saw in the upstream foreman-prepare-realm script that the new
> permission names should include a prefix "System: "
> That Prefix is not there, what did change was that some permissions
> where no longer lower case only.
> ie in 3.3.5 the permission is 'write dns configuration' and in 4.1 it
> becomes 'Write DNS Configuration'
>
> Rob

Right. There were some changes to IPA's default policy too, but I don't 
think it should affect the Foreman proxy very much. For example there 
are now permissions for reading data, but most are granted to all 
authenticated users by default.

I've left some comments in the pull request.

> 2014-11-05 16:25 GMT+01:00 Petr Spacek <pspacek at redhat.com
> <mailto:pspacek at redhat.com>>:
>
>     On 5.11.2014 16:20, Rob Verduijn wrote:
>
>         Hello,
>
>         Yes I noticed the name change it took me a while to realise it
>         was a known
>         ruby bug in katello that caused the real problem.
>
>         I also checked after I updated the 'katello integrated' update
>         from 3.3.5
>         to 4.1 and the permissions were neatly renamed to their new
>         counterparts.
>
>         However the internal dns no longer worked :(
>
>
>     So the permissions broke after upgrade to 4.1, right? pviktori, can
>     you give us some advice?
>
>     Thanks!
>
>     Petr^2 Spacek
>
>         Rob
>
>         2014-11-05 16:17 GMT+01:00 Stephen Benjamin <stephen at redhat.com
>         <mailto:stephen at redhat.com>>:
>
>             On Wed, Nov 05, 2014 at 09:41:59AM -0500, Rob Crittenden wrote:
>
>                         Also when I look at the permissions in ipa there
>                         are no longer any
>                         permissions that have the 'System: ' prefix.
>
>
>                     AFAIK the foreman proxy is not necessary (and not
>                     supported) with IPA
>                     4.x because it was obsoleted by 'native' proxy
>                     delivered by Foreman
>                     upstream.
>
>                     Am I right, Rob (Crittenden)? :-)
>
>
>                 I believe he's referring to the native smart proxy here.
>                 It includes a
>                 script to setup permissions. I guess it hasn't been
>                 tested against a 4.x
>                 IPA master.
>
>
>             The permissions have changed names in FreeIPA 4.0, which
>             means the
>             script won't work.  I've tested this one against 4.1 on F21
>             and it
>             works:
>
>
>             https://raw.githubusercontent.__com/stbenjam/smart-proxy/8278/__sbin/foreman-prepare-realm
>             <https://raw.githubusercontent.com/stbenjam/smart-proxy/8278/sbin/foreman-prepare-realm>
>
>             There's an open pull request against foreman's Smart Proxy
>             to include
>             that in the next release:
>
>             https://github.com/theforeman/__smart-proxy/pull/231--
>             <https://github.com/theforeman/smart-proxy/pull/231-->
>


-- 
Petr³

More information about the Freeipa-users mailing list