[Freeipa-users] Unable to configure DNSSEC signing [solved]
Martin Basti
mbasti at redhat.com
Fri May 6 13:50:27 UTC 2016
After investigation on IRC, it looks that old mkosek/freeipa repo is
guilty, this repo should not be used for centos 4.2+
On 05.05.2016 19:11, Gary T. Giesen wrote:
> As a control, I fired up a new VPS, did a new minimal CentOS 7.2 install and
> I have the same problem.
>
> These are the steps I took:
>
> # yum update -y
> # yum install -y nano net-tools wget
> # yum install -y
> https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
> # cd /etc/yum.repos.d/
> # wget -N
> https://copr.fedorainfracloud.org/coprs/mkosek/freeipa/repo/epel-7/mkosek-fr
> eeipa-epel-7.repo
> # yum install -y haveged
> # systemctl start haveged
> # systemctl enable haveged
> # yum install -y ipa-server ipa-server-dns
> # ipa-server-install -r EXAMPLE.COM -n example.com --mkhomedir
> --ip-address=192.0.2.10 --idstart=100000 --idmax=199999 --no-ui-redirect
> --ssh-trust-dns --setup-dns --no-forwarders --no-reverse
> # ipa-dns-install --no-forwarders --no-reverse --dnssec-master
> # ipa dnszone-mod example.com --dnssec=true
>
>
> GTG
>
> -----Original Message-----
> From: freeipa-users-bounces at redhat.com
> [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Gary T. Giesen
> Sent: May-05-16 11:19 AM
> To: 'Petr Spacek' <pspacek at redhat.com>; freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] Unable to configure DNSSEC signing
>
> I'm not entirely sure if this is what you were asking for, but here's a
> manual LDAP query and the associated logs, and then I restarted
> ipa-dnskeysyncd and the logs associated with that as well:
>
>
> [root at host /]# date
> Thu May 5 10:52:12 EDT 2016
> [root at host /]# ldapsearch -Y GSSAPI -b 'cn=dns,dc=example,dc=com' -s sub
> '(|(objectClass=idnsZone)(objectClass=idnsS
> ecKey)(objectClass=ipk11PublicKey))'
> SASL/GSSAPI authentication started
> SASL username: user at EXAMPLE.COM
> SASL SSF: 56
> SASL data security layer installed.
> # extended LDIF
> #
> # LDAPv3
> # base <cn=dns,dc=example,dc=com> with scope subtree # filter:
> (|(objectClass=idnsZone)(objectClass=idnsSecKey)(objectClass=ipk11PublicKey)
> )
> # requesting: ALL
> #
>
> # example.com., dns, example.com
> dn: idnsname=example.com.,cn=dns,dc=example,dc=com
> idnsZoneActive: TRUE
> idnsSOAexpire: 1209600
> idnsSOAminimum: 3600
> objectClass: idnszone
> objectClass: top
> objectClass: idnsrecord
> idnsAllowTransfer: none;
> idnsSOAretry: 900
> idnsSOAserial: 1462338941
> idnsUpdatePolicy: grant EXAMPLE.COM krb5-self * A; grant EXAMPLE.COM
> krb5-self * A AAA; grant EXAMPLE.COM krb5-self * SSHFP;
> idnsSOArefresh: 3600
> idnsAllowQuery: any;
> idnsName: example.com.
> idnsSOAmName: host.example.com.
> idnsSOArName: hostmaster.example.com.
> idnsAllowDynUpdate: TRUE
> nSRecord: host.example.com.
> mXRecord: 5 mx.example.com.
> tXTRecord: v=spf1 ip4:104.207.128.239 ip6:2001:19f0:300:24e1::10 -all
> idnsSecInlineSigning: TRUE
>
> # 2a6519b4-8d9c-11e5-8ced-56000017eb11, keys, sec, dns, example.com
> dn:
> ipk11UniqueID=2a6519b4-8d9c-11e5-8ced-56000017eb11,cn=keys,cn=sec,cn=dns,d
> c=example,dc=com
> objectClass: ipk11PublicKey
> objectClass: ipk11Object
> objectClass: top
> objectClass: ipaPublicKeyObject
> objectClass: ipk11Key
> objectClass: ipk11StorageObject
> ipk11Wrap: FALSE
> ipk11Label: dnssec-replica:host.example.com.
> ipaPublicKey::
> MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxk6apYsMbT7MH87pCzK
>
> GyVkpAmp+nOL8Alo/pwfaOALJO6EFfhvw+V+9Lnx1jKObnrAHo0O7j3c8qDqAmewjdS1beFb
> GyVkpAmp+beLG
> u
>
> GFGNFGTW7hOmqJKgWyH+OWtyHZyy7EYeMO5sXt+nMoQ3hdYMZEeBQtTLbMrhOAQR6EUksCbG
> GFGNFGTW7hOmqJKgWyH+OWtyHZyy7EYeMO5sXt+pvkj
> c
>
> xBHz+9HbaDyoteWO53dAS1B04PS3FZXZyvkCDCdH+ZDaJ7sm1WMgHupKndUpl2vdvJWtEi2j
> xBHz+9HbaDyoteWO53dAS1B04PS3FZXZyvkCDCdH+41/4
> q
>
> FOYXAyIgx+3yv7OG9X1D5qBb7v/IqtFuJFRqc0LIdBvWUlHn5LTLYh4rtb2h/6DUK/ZnGlJ+
> FOYXAyIgx+Sss5
> Q
> nmuhUiky3cJ0KvQIDAQAB
> ipk11Verify: FALSE
> ipk11Id:: b4AQWy4+gJz2XABOkWEgnw==
> ipk11VerifyRecover: FALSE
> ipk11UniqueId: 2a6519b4-8d9c-11e5-8ced-56000017eb11
>
> # 9fc0e8ec-ccd4-11e5-a9e6-56000017eb11, keys, sec, dns, example.com
> dn:
> ipk11UniqueID=9fc0e8ec-ccd4-11e5-a9e6-56000017eb11,cn=keys,cn=sec,cn=dns,d
> c=example,dc=com
> objectClass: ipk11PublicKey
> objectClass: ipk11Object
> objectClass: top
> objectClass: ipaPublicKeyObject
> objectClass: ipk11Key
> objectClass: ipk11StorageObject
> ipk11Wrap: FALSE
> ipk11Label: dnssec-replica:host.example.com.
> ipaPublicKey::
> MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1oo1sC+p8/NCfI8r2Te
>
> 4onEHxk4yrrLWfwfuKl3lN/3QHmahPAjyHNYnm8srL45/lJzNqoZpI4yGyhWtCpNQhnnoD+W67aX
> N
>
> 2KGnshBTYE8IGG2zCHtQ0p5CJtNTNZFyIH4pyNiLfk/QLi1ptzk79f9u6Bwq4RdEKdzEk4R1G58C
> w
>
> cpUlKlG6pzGk+OpiX1a3Iw8ZCfgmYIEOmHSpexz0aRBA4q2ADdRn4dERL/aP+lWC+IQEj749
> cpUlKlG6pzGk+wn+Q
> H
>
> sIFxikHQ6Kz2DOpdeJTNSJvNuVSTh3FigdH2xUbuwhPd3O5Q3D3s1+n7XajelYh5YqkOY8PN
> sIFxikHQ6Kz2DOpdeJTNSJvNuVSTh3FigdH2xUbuwhPd3O5Q3D3s1+cFgL
> 9
> O+iB9tqWJJiFChQIDAQAB
> ipk11Verify: FALSE
> ipk11Id:: L9nKKUY2ypycB3EldvJjVg==
> ipk11VerifyRecover: FALSE
> ipk11UniqueId: 9fc0e8ec-ccd4-11e5-a9e6-56000017eb11
>
> # 70eca210-0ee0-11e6-9e98-56000017eb11, keys, sec, dns, example.com
> dn:
> ipk11UniqueID=70eca210-0ee0-11e6-9e98-56000017eb11,cn=keys,cn=sec,cn=dns,d
> c=example,dc=com
> objectClass: ipk11PublicKey
> objectClass: ipk11Object
> objectClass: top
> objectClass: ipaPublicKeyObject
> objectClass: ipk11Key
> objectClass: ipk11StorageObject
> ipk11Wrap: FALSE
> ipk11Label: dnssec-replica:host.example.com.
> ipaPublicKey::
> MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAoAnwbNG7EwTIlWwlWvu
>
> pPOEQnV7ahv7xMoF0v9qzoEZ+ccx9Wp515IWs6okmX6UhB/HELhO3EP5iCftL2iOq+aTa3Zx
> pPOEQnV7ahv7xMoF0v9qzoEZ+8Z/+
> F
>
> JtpXPFkbCweUiOxr8vq4VLTppLmok0q+Dlm5CYaQUYs5en3d9HFtmaYt3m8JD5a58AkAzozo
> JtpXPFkbCweUiOxr8vq4VLTppLmok0q+ACrO
> m
>
> st5aNIkwo/YGdSa0e1tNcb7Xv7RhBSGbFlrpFfwj5uX3QyI57CSxR7S5FYjOD8lG8tmlCjKuuOhH
> O
>
> ST8uzatbirX0kiaVH3ENohDUmEV+zW6T9//TBG2xTRTw6v7TAM21klWMCNKoUYVyh84c34jd
> ST8uzatbirX0kiaVH3ENohDUmEV+arVr
> Q
> PvEPCDzNF6C15NwIDAQAB
> ipk11Verify: FALSE
> ipk11Id:: teifTM9dTfpDRQgbL8rsFQ==
> ipk11VerifyRecover: FALSE
> ipk11UniqueId: 70eca210-0ee0-11e6-9e98-56000017eb11
>
> # fba8d874-10a2-11e6-86aa-56000017eb11, keys, sec, dns, example.com
> dn:
> ipk11UniqueID=fba8d874-10a2-11e6-86aa-56000017eb11,cn=keys,cn=sec,cn=dns,d
> c=example,dc=com
> objectClass: ipk11PublicKey
> objectClass: ipk11Object
> objectClass: top
> objectClass: ipaPublicKeyObject
> objectClass: ipk11Key
> objectClass: ipk11StorageObject
> ipk11Wrap: FALSE
> ipk11Label: dnssec-replica:host.example.com.
> ipaPublicKey::
> MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAv9r9+8POEp8nb+jiEi6
>
> pvvuWWex2KuHeV1f1qo6LCe3oMSkZ39I73cdJZIfirt2E/D+CWSUMGwbWmNOnMUMIDI8YAnxLQ//
> K
>
> uvyaHMbxXfIrgMZmK1BFtPgSuH3ZoeXBI5x+VR1007Dhl5e7dEagHUlEw5OXPQ2jgeq6kCMU
> uvyaHMbxXfIrgMZmK1BFtPgSuH3ZoeXBI5x+Uteu
> 3
>
> Nye/G2K51GzAJcAXlrBdVEek02LuhszHtxjYDxevq90my+0GXVb2nU9mPghIKnkwsQeHUoHXH83p
> H
>
> NLtIUug23Fac3oeklQX7PK8mAWbut5rh5ZZOUbHA+X+T8KV6sGRqMi8rlGIU9biuYHrmGZca
> NLtIUug23Fac3oeklQX7PK8mAWbut5rh5ZZOUbHA+X+UuAY
> R
> NXCIrWIUrDV21cQIDAQAB
> ipk11Verify: FALSE
> ipk11Id:: WXrLuKBlC8r8UsjjGf2zww==
> ipk11VerifyRecover: FALSE
> ipk11UniqueId: fba8d874-10a2-11e6-86aa-56000017eb11
>
> # a7bac2a6-10a5-11e6-9c20-56000017eb11, keys, sec, dns, example.com
> dn:
> ipk11UniqueID=a7bac2a6-10a5-11e6-9c20-56000017eb11,cn=keys,cn=sec,cn=dns,d
> c=example,dc=com
> objectClass: ipk11PublicKey
> objectClass: ipk11Object
> objectClass: top
> objectClass: ipaPublicKeyObject
> objectClass: ipk11Key
> objectClass: ipk11StorageObject
> ipk11Wrap: FALSE
> ipk11Label: dnssec-replica:host.example.com.
> ipaPublicKey::
> MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4m3sUosT4X9x8EjwrtQ
>
> B6mQDmClMNs3M8hCJ6UKvcCH/X+yFH2IAht5L85IOBCqmy8RQSL2fPY6BuCxx0krDPPvFBUfCW2i
> /
>
> X0s2RN+vdZQ6xtCe/Q8CHxTZmXsJLrOS8WsiggbHXh7QqkP8sY4Xl2N14OFDNTmSgtQWKnKj
> X0s2RN+Jloy
> g
>
> D03p+lo7BxFmOP9L1C+NGDhiiKjBwVexBNFlYSyUXEFacIDXAIjI/WMgxeCl/9Xu9wwAW5GY
> D03p+lo7BxFmOP9L1C+iYOR
> D
>
> KTl9h4JgUDRrge82OBMu0kQt0FyLCdVKl3Kw5GiMazWoTnK8KGpvuZl46whl9IbOYtPeQpHEhhSw
> X
> w36Ii4Y+e6eYeoQIDAQAB
> ipk11Verify: FALSE
> ipk11Id:: +Y0cQI+gUJelIpun/N1IYQ==
> ipk11VerifyRecover: FALSE
> ipk11UniqueId: a7bac2a6-10a5-11e6-9c20-56000017eb11
>
> # 2f32c0f8-10c9-11e6-bf47-56000017eb11, keys, sec, dns, example.com
> dn:
> ipk11UniqueID=2f32c0f8-10c9-11e6-bf47-56000017eb11,cn=keys,cn=sec,cn=dns,d
> c=example,dc=com
> objectClass: ipk11PublicKey
> objectClass: ipk11Object
> objectClass: top
> objectClass: ipaPublicKeyObject
> objectClass: ipk11Key
> objectClass: ipk11StorageObject
> ipk11Wrap: TRUE
> ipk11Label: dnssec-replica:host.example.com.
> ipaPublicKey::
> MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEApWEc/C9jgjoCzQ2wTKT
>
> zJ9obG74mlYyokaP/rZyYA0nIIqrKF1DwArt7wemVzrMf9m8b70MyYlOZm77KJiw1gMD9qzcJieI
> m
>
> +two+BYb6zRAvp4o2HlTwG+x/UpOct8EnakilUh7zOhGFkEyk9m9+WnWBcXGX63lfiodL4sC
> +two+BYb6zRAvp4o2HlTwG+rtBd
> s
>
> CIfF6bPH9yHYSYpa4/s/flW/mM7fRMSd0hO3ayYYxSg8INitFHVwnUj/MENxdFejeMPXlyROW/6m
> h
>
> kwBQjhLSYnmzvgiP2rNnA6AJIMX0cxjuxjswNaAS5vULG1Vju51Mb0f8V3RLv5P1L0dQYoY7S5Hb
> O
> aaO7c+27moTOZPQIDAQAB
> ipk11Verify: FALSE
> ipk11Id:: mn+arLpqrb1jDdDZXlroUg==
> ipk11VerifyRecover: FALSE
> ipk11UniqueId: 2f32c0f8-10c9-11e6-bf47-56000017eb11
>
> # search result
> search: 4
> result: 0 Success
>
> # numResponses: 8
> # numEntries: 7
>
>
>
> My manual LDAP search (/var/log/dirsrv/slapd-EXAMPLE-COM/access):
>
> [05/May/2016:10:52:13 -0400] conn=613 fd=109 slot=109 SSL connection from
> 2001:db8:300:24e1::10 to 2001:db8:300:24e1::10
> [05/May/2016:10:52:13 -0400] conn=613 TLS1.2 256-bit AES-GCM
> [05/May/2016:10:52:13 -0400] conn=613 op=0 BIND dn="" method=sasl version=3
> mech=GSSAPI
> [05/May/2016:10:52:13 -0400] conn=613 op=0 RESULT err=14 tag=97 nentries=0
> etime=0, SASL bind in progress
> [05/May/2016:10:52:13 -0400] conn=613 op=1 BIND dn="" method=sasl version=3
> mech=GSSAPI
> [05/May/2016:10:52:13 -0400] conn=613 op=1 RESULT err=14 tag=97 nentries=0
> etime=0, SASL bind in progress
> [05/May/2016:10:52:13 -0400] conn=613 op=2 BIND dn="" method=sasl version=3
> mech=GSSAPI
> [05/May/2016:10:52:13 -0400] conn=613 op=2 RESULT err=0 tag=97 nentries=0
> etime=0 dn="uid=user,cn=users,cn=accounts,dc=example,dc=com"
> [05/May/2016:10:52:13 -0400] conn=613 op=3 SRCH
> base="cn=dns,dc=example,dc=com" scope=2
> filter="(|(objectClass=idnsZone)(objectClass=idnsSecKey)(objectClass=ipk11Pu
> blicKey))" attrs=ALL
> [05/May/2016:10:52:13 -0400] conn=613 op=3 RESULT err=0 tag=101 nentries=7
> etime=0
> [05/May/2016:10:52:13 -0400] conn=613 op=4 UNBIND
> [05/May/2016:10:52:13 -0400] conn=613 op=4 fd=109 closed - U1
>
>
> I then restarted ipa-dnskeysyncd (journalctl -u ipa-dnskeysyncd):
>
> May 05 10:52:19 host.example.com systemd[1]: Stopping IPA key daemon...
> May 05 10:52:19 host.example.com ipa-dnskeysyncd[13719]: ipa : INFO
> Signal 15 received: Shutting down!
> May 05 10:52:19 host.example.com systemd[1]: Started IPA key daemon.
> May 05 10:52:19 host.example.com systemd[1]: Starting IPA key daemon...
> May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG:
> importing all plugin modules in ipalib.plugins...
> May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG:
> importing plugin module ipalib.plugins.aci May 05 10:52:19 host.example.com
> ipa-dnskeysyncd[13834]: ipa: DEBUG:
> importing plugin module ipalib.plugins.automember May 05 10:52:19
> host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG:
> importing plugin module ipalib.plugins.automount May 05 10:52:19
> host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG:
> importing plugin module ipalib.plugins.baseldap May 05 10:52:19
> host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG:
> importing plugin module ipalib.plugins.baseuser May 05 10:52:19
> host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG:
> importing plugin module ipalib.plugins.batch May 05 10:52:19
> host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG:
> importing plugin module ipalib.plugins.caacl May 05 10:52:19
> host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG:
> importing plugin module ipalib.plugins.cert May 05 10:52:19 host.example.com
> ipa-dnskeysyncd[13834]: ipa: DEBUG:
> importing plugin module ipalib.plugins.certprofile May 05 10:52:19
> host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG:
> importing plugin module ipalib.plugins.config May 05 10:52:19
> host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG:
> importing plugin module ipalib.plugins.delegation May 05 10:52:19
> host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG:
> importing plugin module ipalib.plugins.dns May 05 10:52:19 host.example.com
> ipa-dnskeysyncd[13834]: ipa: DEBUG:
> importing plugin module ipalib.plugins.domainlevel May 05 10:52:19
> host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG:
> importing plugin module ipalib.plugins.group May 05 10:52:19
> host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG:
> importing plugin module ipalib.plugins.hbacrule May 05 10:52:19
> host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG:
> importing plugin module ipalib.plugins.hbacsvc May 05 10:52:19
> host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG:
> importing plugin module ipalib.plugins.hbacsvcgroup May 05 10:52:19
> host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG:
> importing plugin module ipalib.plugins.hbactest May 05 10:52:19
> host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG:
> importing plugin module ipalib.plugins.host May 05 10:52:19 host.example.com
> ipa-dnskeysyncd[13834]: ipa: DEBUG:
> importing plugin module ipalib.plugins.hostgroup May 05 10:52:19
> host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG:
> importing plugin module ipalib.plugins.idrange May 05 10:52:19
> host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG:
> importing plugin module ipalib.plugins.idviews May 05 10:52:19
> host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG:
> importing plugin module ipalib.plugins.internal May 05 10:52:19
> host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG:
> importing plugin module ipalib.plugins.kerberos May 05 10:52:19
> host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG:
> importing plugin module ipalib.plugins.krbtpolicy May 05 10:52:19
> host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG:
> importing plugin module ipalib.plugins.migration May 05 10:52:19
> host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG:
> importing plugin module ipalib.plugins.misc May 05 10:52:19 host.example.com
> ipa-dnskeysyncd[13834]: ipa: DEBUG:
> importing plugin module ipalib.plugins.netgroup May 05 10:52:19
> host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG:
> importing plugin module ipalib.plugins.otpconfig May 05 10:52:19
> host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG:
> importing plugin module ipalib.plugins.otptoken May 05 10:52:19
> host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG:
> importing plugin module ipalib.plugins.otptoken_yubikey May 05 10:52:19
> host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG:
> importing plugin module ipalib.plugins.passwd May 05 10:52:19
> host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG:
> importing plugin module ipalib.plugins.permission May 05 10:52:19
> host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG:
> importing plugin module ipalib.plugins.ping May 05 10:52:19 host.example.com
> ipa-dnskeysyncd[13834]: ipa: DEBUG:
> importing plugin module ipalib.plugins.pkinit May 05 10:52:19
> host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG:
> importing plugin module ipalib.plugins.privilege May 05 10:52:19
> host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG:
> importing plugin module ipalib.plugins.pwpolicy May 05 10:52:19
> host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG:
> Starting external process
> May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG:
> args='klist' '-V'
> May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: Process
> finished, return code=0 May 05 10:52:19 host.example.com
> ipa-dnskeysyncd[13834]: ipa: DEBUG:
> stdout=Kerberos 5 version 1.13.2
> May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: stderr=
> May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG:
> importing plugin module ipalib.plugins.radiusproxy May 05 10:52:19
> host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG:
> importing plugin module ipalib.plugins.realmdomains May 05 10:52:19
> host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG:
> importing plugin module ipalib.plugins.role May 05 10:52:19 host.example.com
> ipa-dnskeysyncd[13834]: ipa: DEBUG:
> importing plugin module ipalib.plugins.rpcclient May 05 10:52:19
> host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG:
> importing plugin module ipalib.plugins.selfservice May 05 10:52:19
> host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG:
> importing plugin module ipalib.plugins.selinuxusermap May 05 10:52:19
> host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG:
> importing plugin module ipalib.plugins.server May 05 10:52:19
> host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG:
> importing plugin module ipalib.plugins.service May 05 10:52:19
> host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG:
> importing plugin module ipalib.plugins.servicedelegation May 05 10:52:19
> host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG:
> importing plugin module ipalib.plugins.session May 05 10:52:19
> host.example.com ipa-dnskeysyncd[13834]: ipa: WARNING:
> session memcached servers not running
> May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG:
> importing plugin module ipalib.plugins.stageuser May 05 10:52:19
> host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG:
> importing plugin module ipalib.plugins.sudocmd May 05 10:52:19
> host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG:
> importing plugin module ipalib.plugins.sudocmdgroup May 05 10:52:19
> host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG:
> importing plugin module ipalib.plugins.sudorule May 05 10:52:19
> host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG:
> importing plugin module ipalib.plugins.topology May 05 10:52:19
> host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG:
> importing plugin module ipalib.plugins.trust May 05 10:52:19
> host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG:
> importing plugin module ipalib.plugins.user May 05 10:52:19 host.example.com
> ipa-dnskeysyncd[13834]: ipa: DEBUG:
> importing plugin module ipalib.plugins.vault May 05 10:52:19
> host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG:
> importing plugin module ipalib.plugins.virtual May 05 10:52:19
> host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG:
> importing all plugin modules in ipaserver.plugins...
> May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG:
> importing plugin module ipaserver.plugins.dogtag May 05 10:52:19
> host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG:
> importing plugin module ipaserver.plugins.join May 05 10:52:19
> host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG:
> importing plugin module ipaserver.plugins.ldap2 May 05 10:52:19
> host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG:
> importing plugin module ipaserver.plugins.rabase May 05 10:52:19
> host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG:
> importing plugin module ipaserver.plugins.xmlserver May 05 10:52:19
> host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG:
> SessionAuthManager.register: name=jsonserver_session_43658512 May 05
> 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG:
> SessionAuthManager.register: name=xmlserver_session_43681424 May 05 10:52:19
> host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG:
> Mounting ipaserver.rpcserver.xmlserver_session() at '/session/xml'
> May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG:
> session_auth_duration: 0:20:00
> May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG:
> session_auth_duration: 0:20:00
> May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG:
> Mounting ipaserver.rpcserver.xmlserver() at '/xml'
> May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG:
> session_auth_duration: 0:20:00
> May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG:
> Mounting ipaserver.rpcserver.sync_token() at '/session/sync_token'
> May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG:
> Mounting ipaserver.rpcserver.jsonserver_session() at '/session/json'
> May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG:
> session_auth_duration: 0:20:00
> May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG:
> Mounting ipaserver.rpcserver.jsonserver_kerb() at '/json'
> May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG:
> session_auth_duration: 0:20:00
> May 05 10:52:20 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG:
> Mounting ipaserver.rpcserver.login_kerberos() at '/session/login_kerberos'
> May 05 10:52:20 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG:
> session_auth_duration: 0:20:00
> May 05 10:52:20 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG:
> Mounting ipaserver.rpcserver.login_password() at '/session/login_password'
> May 05 10:52:20 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG:
> session_auth_duration: 0:20:00
> May 05 10:52:20 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG:
> Mounting ipaserver.rpcserver.change_password() at '/session/change_password'
> May 05 10:52:20 host.example.com ipa-dnskeysyncd[13834]: ipa : DEBUG
> Kerberos principal: ipa-dnskeysyncd/host.example.com
> May 05 10:52:20 host.example.com ipa-dnskeysyncd[13834]: ipa : DEBUG
> Initializing principal ipa-dnskeysyncd/host.example.com using keytab
> /etc/ipa/dnssec/ipa-dnskeysyncd.keytab
> May 05 10:52:20 host.example.com ipa-dnskeysyncd[13834]: ipa : DEBUG
> using ccache /tmp/ipa-dnskeysyncd.ccache
> May 05 10:52:20 host.example.com ipa-dnskeysyncd[13834]: ipa : DEBUG
> Attempt 1/5: success
> May 05 10:52:20 host.example.com ipa-dnskeysyncd[13834]: ipa : DEBUG
> LDAP URL:
> ldapi://%2Fvar%2Frun%2Fslapd-EXAMPLE-COM.socket/cn%3Ddns%2Cdc%3Dexample%2Cdc
> %3Dme??sub?%28%7C%28objectClass%3DidnsZone%29%28objectClass%3DidnsSecKey%29%
> 28objectClass%3Dipk11PublicKey%29%29
> May 05 10:52:20 host.example.com ipa-dnskeysyncd[13834]: ipa : INFO
> LDAP bind...
> May 05 10:52:20 host.example.com python2[13834]: GSSAPI client step 1 May 05
> 10:52:20 host.example.com python2[13834]: GSSAPI client step 1 May 05
> 10:52:21 host.example.com python2[13834]: GSSAPI client step 1 May 05
> 10:52:21 host.example.com python2[13834]: GSSAPI client step 2
> May 05 10:52:21 host.example.com ipa-dnskeysyncd[13834]: ipa : INFO
> Commencing sync process
> May 05 10:52:21 host.example.com ipa-dnskeysyncd[13834]:
> ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG Current cookie is: None
> (not received yet)
> May 05 10:52:21 host.example.com ipa-dnskeysyncd[13834]:
> ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG Detected add of entry:
> idnsname=example.com.,cn=dns,dc=example,dc=com
> 203dbe2d-8d9c-11e5-bb23-e7a3b46d8929
> May 05 10:52:21 host.example.com ipa-dnskeysyncd[13834]:
> ipa.ipapython.dnssec.odsmgr.ODSMgr: DEBUG LDAP zones:
> {'203dbe2d-8d9c-11e5-bb23-e7a3b46d8929': <DNS name example.com.>} May 05
> 10:52:21 host.example.com ipa-dnskeysyncd[13834]:
> ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG Detected add of entry:
> ipk11UniqueID=2a6519b4-8d9c-11e5-8ced-56000017eb11,cn=keys,cn=sec,cn=dns,dc=
> example,dc=com 203dbe63-8d9c-11e5-bb23-e7a3b46d8929
> May 05 10:52:21 host.example.com ipa-dnskeysyncd[13834]:
> ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG Detected add of entry:
> ipk11UniqueID=9fc0e8ec-ccd4-11e5-a9e6-56000017eb11,cn=keys,cn=sec,cn=dns,dc=
> example,dc=com 9d5e3d66-ccd4-11e5-bb23-e7a3b46d8929
> May 05 10:52:21 host.example.com ipa-dnskeysyncd[13834]:
> ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG Detected add of entry:
> ipk11UniqueID=70eca210-0ee0-11e6-9e98-56000017eb11,cn=keys,cn=sec,cn=dns,dc=
> example,dc=com 59985f1f-0ee0-11e6-aa2d-e7a3b46d8929
> May 05 10:52:21 host.example.com ipa-dnskeysyncd[13834]:
> ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG Detected add of entry:
> ipk11UniqueID=fba8d874-10a2-11e6-86aa-56000017eb11,cn=keys,cn=sec,cn=dns,dc=
> example,dc=com dc691799-10a2-11e6-aa2d-e7a3b46d8929
> May 05 10:52:21 host.example.com ipa-dnskeysyncd[13834]:
> ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG Detected add of entry:
> ipk11UniqueID=a7bac2a6-10a5-11e6-9c20-56000017eb11,cn=keys,cn=sec,cn=dns,dc=
> example,dc=com 83e74997-10a5-11e6-aa2d-e7a3b46d8929
> May 05 10:52:21 host.example.com ipa-dnskeysyncd[13834]:
> ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG Detected add of entry:
> ipk11UniqueID=2f32c0f8-10c9-11e6-bf47-56000017eb11,cn=keys,cn=sec,cn=dns,dc=
> example,dc=com 0f260699-10c9-11e6-aa2d-e7a3b46d8929
> May 05 10:52:21 host.example.com ipa-dnskeysyncd[13834]:
> ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG New cookie is:
> host.example.com:389#krbprincipalname=ipa-dnskeysyncd/host.example.com at examp
> le.com,cn=services,cn=accounts,dc=example,dc=com:cn=dns,dc=example,dc=com:(|
> (objectClass=idnsZone)(objectClass=idnsSecKey)(objectClass=ipk11PublicKey))#
> 33443
>
>
> Logs as a result of ipa-dnskeysyncd restart
> (/var/log/dirsrv/slapd-EXAMPLE-COM/access):
>
> [05/May/2016:10:52:20 -0400] conn=614 fd=83 slot=83 connection from local to
> /var/run/slapd-EXAMPLE-COM.socket
> [05/May/2016:10:52:20 -0400] conn=614 op=0 BIND dn="" method=sasl version=3
> mech=GSSAPI
> [05/May/2016:10:52:20 -0400] conn=614 op=0 RESULT err=14 tag=97 nentries=0
> etime=0, SASL bind in progress
> [05/May/2016:10:52:20 -0400] conn=614 op=1 BIND dn="" method=sasl version=3
> mech=GSSAPI
> [05/May/2016:10:52:20 -0400] conn=614 op=1 RESULT err=14 tag=97 nentries=0
> etime=0, SASL bind in progress
> [05/May/2016:10:52:20 -0400] conn=614 op=2 BIND dn="" method=sasl version=3
> mech=GSSAPI
> [05/May/2016:10:52:20 -0400] conn=614 op=2 RESULT err=0 tag=97 nentries=0
> etime=0
> dn="krbprincipalname=ipa-dnskeysyncd/host.example.com at example.com,cn=service
> s,cn=accounts,dc=example,dc=com"
> [05/May/2016:10:52:20 -0400] conn=614 op=3 SRCH
> base="cn=dns,dc=example,dc=com" scope=2
> filter="(|(objectClass=idnsZone)(objectClass=idnsSecKey)(objectClass=ipk11Pu
> blicKey))" attrs=ALL
> [05/May/2016:10:52:20 -0400] conn=614 op=3 RESULT err=269 tag=121 nentries=0
> etime=0
>
>
> Cheers,
>
> GTG
>
> -----Original Message-----
> From: freeipa-users-bounces at redhat.com
> [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Gary T. Giesen
> Sent: May-03-16 10:19 AM
> To: 'Petr Spacek' <pspacek at redhat.com>; freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] Unable to configure DNSSEC signing
>
> Thanks Petr. I'm on IRC as well if a more interactive troubleshooting
> session would be better.
>
> Cheers,
>
> GTG
>
> -----Original Message-----
> From: Petr Spacek [mailto:pspacek at redhat.com]
> Sent: May-03-16 9:59 AM
> To: Gary T. Giesen <ggiesen+freeipa-users at giesen.me>;
> freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] Unable to configure DNSSEC signing
>
> On 3.5.2016 15:29, Gary T. Giesen wrote:
>> All lines from the log file with conn=152.
>>
>> [03/May/2016:07:21:06 -0400] conn=152 fd=83 slot=83 connection from
>> local to /var/run/slapd-EXAMPLE-COM.socket
>> [03/May/2016:07:21:06 -0400] conn=152 op=0 BIND dn="" method=sasl
>> version=3 mech=GSSAPI
>> [03/May/2016:07:21:06 -0400] conn=152 op=0 RESULT err=14 tag=97
>> nentries=0 etime=0, SASL bind in progress
>> [03/May/2016:07:21:06 -0400] conn=152 op=1 BIND dn="" method=sasl
>> version=3 mech=GSSAPI
>> [03/May/2016:07:21:06 -0400] conn=152 op=1 RESULT err=14 tag=97
>> nentries=0 etime=0, SASL bind in progress
>> [03/May/2016:07:21:06 -0400] conn=152 op=2 BIND dn="" method=sasl
>> version=3 mech=GSSAPI
>> [03/May/2016:07:21:06 -0400] conn=152 op=2 RESULT err=0 tag=97
>> nentries=0
>> etime=0
>> dn="krbprincipalname=ipa-dnskeysyncd/host.example.com at example.com,cn=s
>> ervice
>> s,cn=accounts,dc=example,dc=com"
>> [03/May/2016:07:21:06 -0400] conn=152 op=3 SRCH
>> base="cn=dns,dc=example,dc=com" scope=2
>> filter="(|(objectClass=idnsZone)(objectClass=idnsSecKey)(objectClass=i
>> pk11Pu
>> blicKey))" attrs=ALL
>> [03/May/2016:07:21:06 -0400] conn=152 op=3 RESULT err=269 tag=121
>> nentries=0
>> etime=0
> This seems to be okay, I will think about it a bit more and return back to
> you when I find something.
>
> Petr^2 Spacek
>
>> -----Original Message-----
>> From: Petr Spacek [mailto:pspacek at redhat.com]
>> Sent: May-03-16 8:50 AM
>> To: Gary T. Giesen <ggiesen+freeipa-users at giesen.me>;
>> freeipa-users at redhat.com
>> Subject: Re: [Freeipa-users] Unable to configure DNSSEC signing
>>
>> Hmm, this is really weird.
>>
>> It should log message "Initial LDAP dump is done, sychronizing with
>> ODS and BIND" which is apparently not there. Maybe LDAP server is
>> doing something weird ...
>>
>> Could you inspect /var/log/dirsrv/*/access_log and look for lines
>> similar to ones in the attached file, please?
>>
>> It should start with log message like
>> "connection from local to /var/run/slapd-*".
>> This line will have identifier like "conn=84". We are looking for conn
>> number (e.g. "conn=84") which is related to BIND DN
>> "dn="krbprincipalname=ipa-dnskeysyncd/*".
>>
>> If you find the right conn number, look for other lines containing the
>> same conn number and operation "SRCH base="cn=dns,*". This SRCH line
>> will have specific identifier like "conn=84 op=3".
>>
>> Now you have identifier for particular operation. Look for RESULT line
>> with the same ID.
>>
>> How does it look?
>>
>> Can you copy&paste complete all lines with identifier conn=??? you found?
>>
>> Thanks!
>> Petr^2 Spacek
>>
>> On 3.5.2016 13:37, Gary T. Giesen wrote:
>>> See attached.
>>>
>>> GTG
>>>
>>> -----Original Message-----
>>> From: Petr Spacek [mailto:pspacek at redhat.com]
>>> Sent: May-03-16 7:33 AM
>>> To: Gary T. Giesen <ggiesen+freeipa-users at giesen.me>;
>>> freeipa-users at redhat.com
>>> Subject: Re: [Freeipa-users] Unable to configure DNSSEC signing
>>>
>>> On 3.5.2016 13:28, Gary T. Giesen wrote:
>>>> 1. Confirmed, it was already set to ISMASTER=1
>>>>
>>>> 2. Logs:
>>>> ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG Current cookie is:
>> None
>>>> May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]:
>>>> ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG Detected add of
>> entry:
>>>> May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]:
>>>> ipa.ipapython.dnssec.odsmgr.ODSMgr: DEBUG LDAP zones:
>> {'203dbe2d-8d9c-1
>>>> May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]:
>>>> ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG Detected add of
>> entry:
>>>> May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]:
>>>> ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG Detected add of
>> entry:
>>>> May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]:
>>>> ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG Detected add of
>> entry:
>>>> May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]:
>>>> ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG Detected add of
>> entry:
>>>> May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]:
>>>> ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG Detected add of
>> entry:
>>>> May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]:
>>>> ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG Detected add of
>> entry:
>>>> May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]:
>>>> ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG New cookie is:
>> host.exa
>>> The log seems to be truncated. Please attach it as a file to avoid
>>> truncation and line wrapping problems.
>>>
>>> Thanks
>>> Petr^2 Spacek
>>>
>>>>
>>>> 3. # rpm -q ipa-server
>>>> ipa-server-4.2.0-15.0.1.el7.centos.6.1.x86_64
>>>>
>>>> -----Original Message-----
>>>> From: freeipa-users-bounces at redhat.com
>>>> [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Petr Spacek
>>>> Sent: May-03-16 7:08 AM
>>>> To: freeipa-users at redhat.com
>>>> Subject: Re: [Freeipa-users] Unable to configure DNSSEC signing
>>>>
>>>> Okay, this is a problem. It should list your zone example.com
>>>> because it has DNSSEC signing enabled.
>>>>
>>>> Make sure you are working on host.example.com (the host listed by
>>>> the ldapsearch above).
>>>>
>>>> I would check two things:
>>>> 1. File /etc/sysconfig/ipa-dnskeysyncd contains line "ISMASTER=1".
>>>> If it does not, re-run ipa-dns-install with --dnssec-master option
>>>> to fix
>>> that.
>>>> 2. Debug logs from the daemon. Please edit /etc/ipa/default.conf and
>>>> make sure that it contains line "debug=True" and restart
>>>> ipa-dnskeysyncd when you are done with it.
>>>>
>>>> The log should be much longer after this change.
>>>>
>>>> I hope it will help to identify the root cause.
>>>>
>>>> What IPA version do you use?
>>>> $ rpm -q freeipa-server
>>>>
>>>> Petr^2 Spacek
>>>>
>>>>
>>>>
>>>>> Per the instructions, I've restarted ipa-dnskeysyncd, but it has
>>>>> had no effect. The only log entries I see are:
>>>>>
>>>>> # journalctl -u ipa-dnskeysyncd
>>>>>
>>>>> May 02 20:35:52 host.example.com systemd[1]: Stopping IPA key
>> daemon...
>>>>> May 02 20:35:52 host.example.com ipa-dnskeysyncd[14903]: ipa :
>>>> INFO
>>>>> Signal 15 received: Shutting down!
>>>>> May 02 20:35:52 host.example.com systemd[1]: Started IPA key daemon.
>>>>> May 02 20:35:52 host.example.com systemd[1]: Starting IPA key
>> daemon...
>>>>> May 02 20:35:52 host.example.com ipa-dnskeysyncd[15014]: ipa: WARNING:
>>>>> session memcached servers not running
>>>>> May 02 20:35:53 host.example.com ipa-dnskeysyncd[15014]: ipa :
>>>> INFO
>>>>> LDAP bind...
>>>>> May 02 20:35:53 host.example.com python2[15014]: GSSAPI client step
>>>>> 1 May 02 20:35:53 host.example.com python2[15014]: GSSAPI client
>>>>> step 1 May 02 20:35:54 host.example.com python2[15014]: GSSAPI
>>>>> client step 1 May 02 20:35:54 host.example.com python2[15014]:
>>>>> GSSAPI
>> client step 2
>>>>> May 02 20:35:54 host.example.com ipa-dnskeysyncd[15014]: ipa :
>>>> INFO
>>>>> Commencing sync process
>>>>>
>>>>>
>>>>>
>>>>> Can anyone advise on next steps? I've been banging my head against
>>>>> a wall for a couple days now and would really appreciate some help.
>>
>> --
>> Petr^2 Spacek
>>
>
> --
> Petr^2 Spacek
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
>
More information about the Freeipa-users
mailing list