[Freeipa-users] IPA 4.1.0 in RHEL 7.1

Dmitri Pal dpal at redhat.com
Wed Mar 11 23:17:15 UTC 2015 

On 03/11/2015 04:37 PM, Steven Jones wrote:
> ======
> [root at vuwunicoipam004 ipa-certs]# ipa-replica-install --setup-dns --forwarder=10.100.32.31 -U replica-info-vuwunicoipam004.ods.vuw.ac.nz.gpg  --skip-conncheck
> Checking forwarders, please wait ...
> WARNING: DNS forwarder 10.100.32.31 does not return DNSSEC signatures in answers
> Please fix forwarder configuration to enable DNSSEC support.
> (For BIND 9 add directive "dnssec-enable yes;" to "options {}")
> WARNING: DNSSEC validation will be disabled
> ======
>
> The AD server is a win2k12r2.

Thanks, I will follow up.

> regards
>
> Steven
> ________________________________________
> From: freeipa-users-bounces at redhat.com <freeipa-users-bounces at redhat.com> on behalf of Dmitri Pal <dpal at redhat.com>
> Sent: Thursday, 12 March 2015 9:07 a.m.
> To: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] IPA 4.1.0 in RHEL 7.1
>
> On 03/11/2015 03:49 PM, Steven Jones wrote:
>> Hi,
>>
>> When I try to join a 7.1 based replica to an existing setup and use an AD forwarder the command complains that the AD box isnt doing DNSSEC suggesting to me it is present in 7.1?
> Can you share the message that you get and what steps you take to get to
> that message?
>
>> At the moment however I cant join a 7.1 based IPA server into a 6.6 based IPA cluster.  Or a 7.1 client to IPA, to 6.6 for that matter, 7.0 works fine though.
>>
>>
>> regards
>>
>> Steven
>>
>> ________________________________________
>> From: freeipa-users-bounces at redhat.com <freeipa-users-bounces at redhat.com> on behalf of Erinn Looney-Triggs <erinn.looneytriggs at gmail.com>
>> Sent: Thursday, 12 March 2015 8:15 a.m.
>> To: freeipa-users at redhat.com
>> Subject: [Freeipa-users] IPA 4.1.0 in RHEL 7.1
>>
>> First off congratulations on getting this out. Love the new UI, all pretty and
>> integrates well with the access.redhat.com UI.
>>
>> Second, did DNSSEC not make the chop? It looks like for FreeIPA DNSSEC was
>> included in the 4.1.0 release, but near as I can tell it is not part of IPA
>> 4.1.0 in RHEL 7.1.
>>
>> Third, there appears to be a behavior change from in ipalib. I cleaned up a
>> little inventory script for ansible, you can take a look at it here:
>> https://github.com/ansible/ansible/blob/devel/plugins/inventory/freeipa.py
>>
>> Before RHEL 7.1 the call to api.Command.hostgroup_find()['result'] on line 30
>> worked, now it fails:
>>
>> Traceback (most recent call last):
>>     File "./freeipa.py", line 133, in <module>
>>       list_groups(api)
>>     File "./freeipa.py", line 71, in list_groups
>>       result = api.Command.host_find()['result']
>>     File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 439, in
>> __call__
>>       ret = self.run(*args, **options)
>>     File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 755, in run
>>       return self.forward(*args, **options)
>>     File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 776, in
>> forward
>>       return self.Backend.rpcclient.forward(self.name, *args, **kw)
>>     File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 880, in forward
>>       command = getattr(self.conn, name)
>>     File "/usr/lib/python2.7/site-packages/ipalib/backend.py", line 97, in
>> __get_conn
>>       self.id, threading.currentThread().getName())
>> AttributeError: no context.rpcclient in thread 'MainThread'
>>
>> Is this expected? Is this a regression?
>>
>> Thanks again for your work.
>>
>> -Erinn
>>
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager IdM portfolio
> Red Hat, Inc.
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
>


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.

More information about the Freeipa-users mailing list