[Freeipa-users] Unable to configure DNSSEC signing
Gary T. Giesen
ggiesen+freeipa-users at giesen.me
Fri May 6 13:51:24 UTC 2016
So thanks to Martin Basti and Petr Spacek, I've found the problem. I was
adding the old mkosek/freeipa repository, which when 4.1 was the latest
version was correct, but now 4.2 is in base. I wasn't actually installing
4.1 from the mkosek COPR, but it was pulling in the following dependencies
from there:
jboss-annotations-1.1-api.noarch 1.0.1-0.6.20120212git76e1a2.el7.centos
@mkosek-freeipa
open-sans-fonts.noarch 1.10-1.el7.centos
@mkosek-freeipa
pki-base.noarch 10.2.5-6.el7.centos
@mkosek-freeipa
pki-ca.noarch 10.2.5-6.el7.centos
@mkosek-freeipa
pki-kra.noarch 10.2.5-6.el7.centos
@mkosek-freeipa
pki-server.noarch 10.2.5-6.el7.centos
@mkosek-freeipa
pki-tools.x86_64 10.2.5-6.el7.centos
@mkosek-freeipa
python-ldap.x86_64 2.4.16-1.el7.centos
@mkosek-freeipa
python-qrcode-core.noarch 5.0.1-2.el7.centos
@mkosek-freeipa
relaxngDatatype.noarch 1.0-11.el7 @base
resteasy-base-atom-provider.noarch 3.0.6-1.el7.centos
@mkosek-freeipa
resteasy-base-client.noarch 3.0.6-1.el7.centos
@mkosek-freeipa
resteasy-base-jackson-provider.noarch
3.0.6-1.el7.centos
@mkosek-freeipa
resteasy-base-jaxb-provider.noarch 3.0.6-1.el7.centos
@mkosek-freeipa
resteasy-base-jaxrs.noarch 3.0.6-1.el7.centos
@mkosek-freeipa
resteasy-base-jaxrs-api.noarch 3.0.6-1.el7.centos
@mkosek-freeipa
slapi-nis.x86_64 0.54.2-1.el7.centos
@mkosek-freeipa
Thanks very much to both of you for helping sort this out as I was
completely lost.
Cheers,
GTG
-----Original Message-----
From: Gary T. Giesen [mailto:ggiesen at giesen.me]
Sent: May-05-16 1:11 PM
To: 'Petr Spacek' <pspacek at redhat.com>; freeipa-users at redhat.com
Subject: RE: [Freeipa-users] Unable to configure DNSSEC signing
As a control, I fired up a new VPS, did a new minimal CentOS 7.2 install and
I have the same problem.
These are the steps I took:
# yum update -y
# yum install -y nano net-tools wget
# yum install -y
https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
# cd /etc/yum.repos.d/
# wget -N
https://copr.fedorainfracloud.org/coprs/mkosek/freeipa/repo/epel-7/mkosek-
freeipa-epel-7.repo
# yum install -y haveged
# systemctl start haveged
# systemctl enable haveged
# yum install -y ipa-server ipa-server-dns # ipa-server-install -r
EXAMPLE.COM -n example.com --mkhomedir
--ip-address=192.0.2.10 --idstart=100000 --idmax=199999 --no-ui-redirect
--ssh-trust-dns --setup-dns --no-forwarders --no-reverse # ipa-dns-install
--no-forwarders --no-reverse --dnssec-master # ipa dnszone-mod example.com
--dnssec=true
GTG
-----Original Message-----
From: freeipa-users-bounces at redhat.com
[mailto:freeipa-users-bounces at redhat.com] On Behalf Of Gary T. Giesen
Sent: May-05-16 11:19 AM
To: 'Petr Spacek' <pspacek at redhat.com>; freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Unable to configure DNSSEC signing
I'm not entirely sure if this is what you were asking for, but here's a
manual LDAP query and the associated logs, and then I restarted
ipa-dnskeysyncd and the logs associated with that as well:
[root at host /]# date
Thu May 5 10:52:12 EDT 2016
[root at host /]# ldapsearch -Y GSSAPI -b 'cn=dns,dc=example,dc=com' -s sub
'(|(objectClass=idnsZone)(objectClass=idnsS
ecKey)(objectClass=ipk11PublicKey))'
SASL/GSSAPI authentication started
SASL username: user at EXAMPLE.COM
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <cn=dns,dc=example,dc=com> with scope subtree # filter:
(|(objectClass=idnsZone)(objectClass=idnsSecKey)(objectClass=ipk11PublicKe
y)
)
# requesting: ALL
#
# example.com., dns, example.com
dn: idnsname=example.com.,cn=dns,dc=example,dc=com
idnsZoneActive: TRUE
idnsSOAexpire: 1209600
idnsSOAminimum: 3600
objectClass: idnszone
objectClass: top
objectClass: idnsrecord
idnsAllowTransfer: none;
idnsSOAretry: 900
idnsSOAserial: 1462338941
idnsUpdatePolicy: grant EXAMPLE.COM krb5-self * A; grant EXAMPLE.COM
krb5-self * A AAA; grant EXAMPLE.COM krb5-self * SSHFP;
idnsSOArefresh: 3600
idnsAllowQuery: any;
idnsName: example.com.
idnsSOAmName: host.example.com.
idnsSOArName: hostmaster.example.com.
idnsAllowDynUpdate: TRUE
nSRecord: host.example.com.
mXRecord: 5 mx.example.com.
tXTRecord: v=spf1 ip4:104.207.128.239 ip6:2001:19f0:300:24e1::10 -all
idnsSecInlineSigning: TRUE
# 2a6519b4-8d9c-11e5-8ced-56000017eb11, keys, sec, dns, example.com
dn:
ipk11UniqueID=2a6519b4-8d9c-11e5-8ced-56000017eb11,cn=keys,cn=sec,cn=dns,d
c=example,dc=com
objectClass: ipk11PublicKey
objectClass: ipk11Object
objectClass: top
objectClass: ipaPublicKeyObject
objectClass: ipk11Key
objectClass: ipk11StorageObject
ipk11Wrap: FALSE
ipk11Label: dnssec-replica:host.example.com.
ipaPublicKey::
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxk6apYsMbT7MH87pCzK
GyVkpAmp+nOL8Alo/pwfaOALJO6EFfhvw+V+9Lnx1jKObnrAHo0O7j3c8qDqAmewjdS1beFb
GyVkpAmp+beLG
u
GFGNFGTW7hOmqJKgWyH+OWtyHZyy7EYeMO5sXt+nMoQ3hdYMZEeBQtTLbMrhOAQR6EUksCbG
GFGNFGTW7hOmqJKgWyH+OWtyHZyy7EYeMO5sXt+pvkj
c
xBHz+9HbaDyoteWO53dAS1B04PS3FZXZyvkCDCdH+ZDaJ7sm1WMgHupKndUpl2vdvJWtEi2j
xBHz+9HbaDyoteWO53dAS1B04PS3FZXZyvkCDCdH+41/4
q
FOYXAyIgx+3yv7OG9X1D5qBb7v/IqtFuJFRqc0LIdBvWUlHn5LTLYh4rtb2h/6DUK/ZnGlJ+
FOYXAyIgx+Sss5
Q
nmuhUiky3cJ0KvQIDAQAB
ipk11Verify: FALSE
ipk11Id:: b4AQWy4+gJz2XABOkWEgnw==
ipk11VerifyRecover: FALSE
ipk11UniqueId: 2a6519b4-8d9c-11e5-8ced-56000017eb11
# 9fc0e8ec-ccd4-11e5-a9e6-56000017eb11, keys, sec, dns, example.com
dn:
ipk11UniqueID=9fc0e8ec-ccd4-11e5-a9e6-56000017eb11,cn=keys,cn=sec,cn=dns,d
c=example,dc=com
objectClass: ipk11PublicKey
objectClass: ipk11Object
objectClass: top
objectClass: ipaPublicKeyObject
objectClass: ipk11Key
objectClass: ipk11StorageObject
ipk11Wrap: FALSE
ipk11Label: dnssec-replica:host.example.com.
ipaPublicKey::
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1oo1sC+p8/NCfI8r2Te
4onEHxk4yrrLWfwfuKl3lN/3QHmahPAjyHNYnm8srL45/lJzNqoZpI4yGyhWtCpNQhnnoD+W67
aX
N
2KGnshBTYE8IGG2zCHtQ0p5CJtNTNZFyIH4pyNiLfk/QLi1ptzk79f9u6Bwq4RdEKdzEk4R1G5
8C
w
cpUlKlG6pzGk+OpiX1a3Iw8ZCfgmYIEOmHSpexz0aRBA4q2ADdRn4dERL/aP+lWC+IQEj749
cpUlKlG6pzGk+wn+Q
H
sIFxikHQ6Kz2DOpdeJTNSJvNuVSTh3FigdH2xUbuwhPd3O5Q3D3s1+n7XajelYh5YqkOY8PN
sIFxikHQ6Kz2DOpdeJTNSJvNuVSTh3FigdH2xUbuwhPd3O5Q3D3s1+cFgL
9
O+iB9tqWJJiFChQIDAQAB
ipk11Verify: FALSE
ipk11Id:: L9nKKUY2ypycB3EldvJjVg==
ipk11VerifyRecover: FALSE
ipk11UniqueId: 9fc0e8ec-ccd4-11e5-a9e6-56000017eb11
# 70eca210-0ee0-11e6-9e98-56000017eb11, keys, sec, dns, example.com
dn:
ipk11UniqueID=70eca210-0ee0-11e6-9e98-56000017eb11,cn=keys,cn=sec,cn=dns,d
c=example,dc=com
objectClass: ipk11PublicKey
objectClass: ipk11Object
objectClass: top
objectClass: ipaPublicKeyObject
objectClass: ipk11Key
objectClass: ipk11StorageObject
ipk11Wrap: FALSE
ipk11Label: dnssec-replica:host.example.com.
ipaPublicKey::
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAoAnwbNG7EwTIlWwlWvu
pPOEQnV7ahv7xMoF0v9qzoEZ+ccx9Wp515IWs6okmX6UhB/HELhO3EP5iCftL2iOq+aTa3Zx
pPOEQnV7ahv7xMoF0v9qzoEZ+8Z/+
F
JtpXPFkbCweUiOxr8vq4VLTppLmok0q+Dlm5CYaQUYs5en3d9HFtmaYt3m8JD5a58AkAzozo
JtpXPFkbCweUiOxr8vq4VLTppLmok0q+ACrO
m
st5aNIkwo/YGdSa0e1tNcb7Xv7RhBSGbFlrpFfwj5uX3QyI57CSxR7S5FYjOD8lG8tmlCjKuuO
hH
O
ST8uzatbirX0kiaVH3ENohDUmEV+zW6T9//TBG2xTRTw6v7TAM21klWMCNKoUYVyh84c34jd
ST8uzatbirX0kiaVH3ENohDUmEV+arVr
Q
PvEPCDzNF6C15NwIDAQAB
ipk11Verify: FALSE
ipk11Id:: teifTM9dTfpDRQgbL8rsFQ==
ipk11VerifyRecover: FALSE
ipk11UniqueId: 70eca210-0ee0-11e6-9e98-56000017eb11
# fba8d874-10a2-11e6-86aa-56000017eb11, keys, sec, dns, example.com
dn:
ipk11UniqueID=fba8d874-10a2-11e6-86aa-56000017eb11,cn=keys,cn=sec,cn=dns,d
c=example,dc=com
objectClass: ipk11PublicKey
objectClass: ipk11Object
objectClass: top
objectClass: ipaPublicKeyObject
objectClass: ipk11Key
objectClass: ipk11StorageObject
ipk11Wrap: FALSE
ipk11Label: dnssec-replica:host.example.com.
ipaPublicKey::
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAv9r9+8POEp8nb+jiEi6
pvvuWWex2KuHeV1f1qo6LCe3oMSkZ39I73cdJZIfirt2E/D+CWSUMGwbWmNOnMUMIDI8YAnxLQ
//
K
uvyaHMbxXfIrgMZmK1BFtPgSuH3ZoeXBI5x+VR1007Dhl5e7dEagHUlEw5OXPQ2jgeq6kCMU
uvyaHMbxXfIrgMZmK1BFtPgSuH3ZoeXBI5x+Uteu
3
Nye/G2K51GzAJcAXlrBdVEek02LuhszHtxjYDxevq90my+0GXVb2nU9mPghIKnkwsQeHUoHXH8
3p
H
NLtIUug23Fac3oeklQX7PK8mAWbut5rh5ZZOUbHA+X+T8KV6sGRqMi8rlGIU9biuYHrmGZca
NLtIUug23Fac3oeklQX7PK8mAWbut5rh5ZZOUbHA+X+UuAY
R
NXCIrWIUrDV21cQIDAQAB
ipk11Verify: FALSE
ipk11Id:: WXrLuKBlC8r8UsjjGf2zww==
ipk11VerifyRecover: FALSE
ipk11UniqueId: fba8d874-10a2-11e6-86aa-56000017eb11
# a7bac2a6-10a5-11e6-9c20-56000017eb11, keys, sec, dns, example.com
dn:
ipk11UniqueID=a7bac2a6-10a5-11e6-9c20-56000017eb11,cn=keys,cn=sec,cn=dns,d
c=example,dc=com
objectClass: ipk11PublicKey
objectClass: ipk11Object
objectClass: top
objectClass: ipaPublicKeyObject
objectClass: ipk11Key
objectClass: ipk11StorageObject
ipk11Wrap: FALSE
ipk11Label: dnssec-replica:host.example.com.
ipaPublicKey::
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4m3sUosT4X9x8EjwrtQ
B6mQDmClMNs3M8hCJ6UKvcCH/X+yFH2IAht5L85IOBCqmy8RQSL2fPY6BuCxx0krDPPvFBUfCW
2i
/
X0s2RN+vdZQ6xtCe/Q8CHxTZmXsJLrOS8WsiggbHXh7QqkP8sY4Xl2N14OFDNTmSgtQWKnKj
X0s2RN+Jloy
g
D03p+lo7BxFmOP9L1C+NGDhiiKjBwVexBNFlYSyUXEFacIDXAIjI/WMgxeCl/9Xu9wwAW5GY
D03p+lo7BxFmOP9L1C+iYOR
D
KTl9h4JgUDRrge82OBMu0kQt0FyLCdVKl3Kw5GiMazWoTnK8KGpvuZl46whl9IbOYtPeQpHEhh
Sw
X
w36Ii4Y+e6eYeoQIDAQAB
ipk11Verify: FALSE
ipk11Id:: +Y0cQI+gUJelIpun/N1IYQ==
ipk11VerifyRecover: FALSE
ipk11UniqueId: a7bac2a6-10a5-11e6-9c20-56000017eb11
# 2f32c0f8-10c9-11e6-bf47-56000017eb11, keys, sec, dns, example.com
dn:
ipk11UniqueID=2f32c0f8-10c9-11e6-bf47-56000017eb11,cn=keys,cn=sec,cn=dns,d
c=example,dc=com
objectClass: ipk11PublicKey
objectClass: ipk11Object
objectClass: top
objectClass: ipaPublicKeyObject
objectClass: ipk11Key
objectClass: ipk11StorageObject
ipk11Wrap: TRUE
ipk11Label: dnssec-replica:host.example.com.
ipaPublicKey::
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEApWEc/C9jgjoCzQ2wTKT
zJ9obG74mlYyokaP/rZyYA0nIIqrKF1DwArt7wemVzrMf9m8b70MyYlOZm77KJiw1gMD9qzcJi
eI
m
+two+BYb6zRAvp4o2HlTwG+x/UpOct8EnakilUh7zOhGFkEyk9m9+WnWBcXGX63lfiodL4sC
+two+BYb6zRAvp4o2HlTwG+rtBd
s
CIfF6bPH9yHYSYpa4/s/flW/mM7fRMSd0hO3ayYYxSg8INitFHVwnUj/MENxdFejeMPXlyROW/
6m
h
kwBQjhLSYnmzvgiP2rNnA6AJIMX0cxjuxjswNaAS5vULG1Vju51Mb0f8V3RLv5P1L0dQYoY7S5
Hb
O
aaO7c+27moTOZPQIDAQAB
ipk11Verify: FALSE
ipk11Id:: mn+arLpqrb1jDdDZXlroUg==
ipk11VerifyRecover: FALSE
ipk11UniqueId: 2f32c0f8-10c9-11e6-bf47-56000017eb11
# search result
search: 4
result: 0 Success
# numResponses: 8
# numEntries: 7
My manual LDAP search (/var/log/dirsrv/slapd-EXAMPLE-COM/access):
[05/May/2016:10:52:13 -0400] conn=613 fd=109 slot=109 SSL connection from
2001:db8:300:24e1::10 to 2001:db8:300:24e1::10
[05/May/2016:10:52:13 -0400] conn=613 TLS1.2 256-bit AES-GCM
[05/May/2016:10:52:13 -0400] conn=613 op=0 BIND dn="" method=sasl
version=3 mech=GSSAPI
[05/May/2016:10:52:13 -0400] conn=613 op=0 RESULT err=14 tag=97 nentries=0
etime=0, SASL bind in progress
[05/May/2016:10:52:13 -0400] conn=613 op=1 BIND dn="" method=sasl
version=3 mech=GSSAPI
[05/May/2016:10:52:13 -0400] conn=613 op=1 RESULT err=14 tag=97 nentries=0
etime=0, SASL bind in progress
[05/May/2016:10:52:13 -0400] conn=613 op=2 BIND dn="" method=sasl
version=3 mech=GSSAPI
[05/May/2016:10:52:13 -0400] conn=613 op=2 RESULT err=0 tag=97 nentries=0
etime=0 dn="uid=user,cn=users,cn=accounts,dc=example,dc=com"
[05/May/2016:10:52:13 -0400] conn=613 op=3 SRCH
base="cn=dns,dc=example,dc=com" scope=2
filter="(|(objectClass=idnsZone)(objectClass=idnsSecKey)(objectClass=ipk11
Pu
blicKey))" attrs=ALL
[05/May/2016:10:52:13 -0400] conn=613 op=3 RESULT err=0 tag=101 nentries=7
etime=0
[05/May/2016:10:52:13 -0400] conn=613 op=4 UNBIND
[05/May/2016:10:52:13 -0400] conn=613 op=4 fd=109 closed - U1
I then restarted ipa-dnskeysyncd (journalctl -u ipa-dnskeysyncd):
May 05 10:52:19 host.example.com systemd[1]: Stopping IPA key daemon...
May 05 10:52:19 host.example.com ipa-dnskeysyncd[13719]: ipa :
INFO
Signal 15 received: Shutting down!
May 05 10:52:19 host.example.com systemd[1]: Started IPA key daemon.
May 05 10:52:19 host.example.com systemd[1]: Starting IPA key daemon...
May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG:
importing all plugin modules in ipalib.plugins...
May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG:
importing plugin module ipalib.plugins.aci May 05 10:52:19 host.example.com
ipa-dnskeysyncd[13834]: ipa: DEBUG:
importing plugin module ipalib.plugins.automember May 05 10:52:19
host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG:
importing plugin module ipalib.plugins.automount May 05 10:52:19
host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG:
importing plugin module ipalib.plugins.baseldap May 05 10:52:19
host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG:
importing plugin module ipalib.plugins.baseuser May 05 10:52:19
host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG:
importing plugin module ipalib.plugins.batch May 05 10:52:19
host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG:
importing plugin module ipalib.plugins.caacl May 05 10:52:19
host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG:
importing plugin module ipalib.plugins.cert May 05 10:52:19 host.example.com
ipa-dnskeysyncd[13834]: ipa: DEBUG:
importing plugin module ipalib.plugins.certprofile May 05 10:52:19
host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG:
importing plugin module ipalib.plugins.config May 05 10:52:19
host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG:
importing plugin module ipalib.plugins.delegation May 05 10:52:19
host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG:
importing plugin module ipalib.plugins.dns May 05 10:52:19 host.example.com
ipa-dnskeysyncd[13834]: ipa: DEBUG:
importing plugin module ipalib.plugins.domainlevel May 05 10:52:19
host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG:
importing plugin module ipalib.plugins.group May 05 10:52:19
host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG:
importing plugin module ipalib.plugins.hbacrule May 05 10:52:19
host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG:
importing plugin module ipalib.plugins.hbacsvc May 05 10:52:19
host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG:
importing plugin module ipalib.plugins.hbacsvcgroup May 05 10:52:19
host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG:
importing plugin module ipalib.plugins.hbactest May 05 10:52:19
host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG:
importing plugin module ipalib.plugins.host May 05 10:52:19 host.example.com
ipa-dnskeysyncd[13834]: ipa: DEBUG:
importing plugin module ipalib.plugins.hostgroup May 05 10:52:19
host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG:
importing plugin module ipalib.plugins.idrange May 05 10:52:19
host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG:
importing plugin module ipalib.plugins.idviews May 05 10:52:19
host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG:
importing plugin module ipalib.plugins.internal May 05 10:52:19
host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG:
importing plugin module ipalib.plugins.kerberos May 05 10:52:19
host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG:
importing plugin module ipalib.plugins.krbtpolicy May 05 10:52:19
host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG:
importing plugin module ipalib.plugins.migration May 05 10:52:19
host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG:
importing plugin module ipalib.plugins.misc May 05 10:52:19 host.example.com
ipa-dnskeysyncd[13834]: ipa: DEBUG:
importing plugin module ipalib.plugins.netgroup May 05 10:52:19
host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG:
importing plugin module ipalib.plugins.otpconfig May 05 10:52:19
host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG:
importing plugin module ipalib.plugins.otptoken May 05 10:52:19
host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG:
importing plugin module ipalib.plugins.otptoken_yubikey May 05 10:52:19
host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG:
importing plugin module ipalib.plugins.passwd May 05 10:52:19
host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG:
importing plugin module ipalib.plugins.permission May 05 10:52:19
host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG:
importing plugin module ipalib.plugins.ping May 05 10:52:19 host.example.com
ipa-dnskeysyncd[13834]: ipa: DEBUG:
importing plugin module ipalib.plugins.pkinit May 05 10:52:19
host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG:
importing plugin module ipalib.plugins.privilege May 05 10:52:19
host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG:
importing plugin module ipalib.plugins.pwpolicy May 05 10:52:19
host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG:
Starting external process
May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG:
args='klist' '-V'
May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG:
Process finished, return code=0 May 05 10:52:19 host.example.com
ipa-dnskeysyncd[13834]: ipa: DEBUG:
stdout=Kerberos 5 version 1.13.2
May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG:
stderr= May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa:
DEBUG:
importing plugin module ipalib.plugins.radiusproxy May 05 10:52:19
host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG:
importing plugin module ipalib.plugins.realmdomains May 05 10:52:19
host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG:
importing plugin module ipalib.plugins.role May 05 10:52:19 host.example.com
ipa-dnskeysyncd[13834]: ipa: DEBUG:
importing plugin module ipalib.plugins.rpcclient May 05 10:52:19
host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG:
importing plugin module ipalib.plugins.selfservice May 05 10:52:19
host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG:
importing plugin module ipalib.plugins.selinuxusermap May 05 10:52:19
host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG:
importing plugin module ipalib.plugins.server May 05 10:52:19
host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG:
importing plugin module ipalib.plugins.service May 05 10:52:19
host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG:
importing plugin module ipalib.plugins.servicedelegation May 05 10:52:19
host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG:
importing plugin module ipalib.plugins.session May 05 10:52:19
host.example.com ipa-dnskeysyncd[13834]: ipa: WARNING:
session memcached servers not running
May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG:
importing plugin module ipalib.plugins.stageuser May 05 10:52:19
host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG:
importing plugin module ipalib.plugins.sudocmd May 05 10:52:19
host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG:
importing plugin module ipalib.plugins.sudocmdgroup May 05 10:52:19
host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG:
importing plugin module ipalib.plugins.sudorule May 05 10:52:19
host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG:
importing plugin module ipalib.plugins.topology May 05 10:52:19
host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG:
importing plugin module ipalib.plugins.trust May 05 10:52:19
host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG:
importing plugin module ipalib.plugins.user May 05 10:52:19 host.example.com
ipa-dnskeysyncd[13834]: ipa: DEBUG:
importing plugin module ipalib.plugins.vault May 05 10:52:19
host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG:
importing plugin module ipalib.plugins.virtual May 05 10:52:19
host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG:
importing all plugin modules in ipaserver.plugins...
May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG:
importing plugin module ipaserver.plugins.dogtag May 05 10:52:19
host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG:
importing plugin module ipaserver.plugins.join May 05 10:52:19
host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG:
importing plugin module ipaserver.plugins.ldap2 May 05 10:52:19
host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG:
importing plugin module ipaserver.plugins.rabase May 05 10:52:19
host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG:
importing plugin module ipaserver.plugins.xmlserver May 05 10:52:19
host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG:
SessionAuthManager.register: name=jsonserver_session_43658512 May 05
10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG:
SessionAuthManager.register: name=xmlserver_session_43681424 May 05
10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG:
Mounting ipaserver.rpcserver.xmlserver_session() at '/session/xml'
May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG:
session_auth_duration: 0:20:00
May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG:
session_auth_duration: 0:20:00
May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG:
Mounting ipaserver.rpcserver.xmlserver() at '/xml'
May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG:
session_auth_duration: 0:20:00
May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG:
Mounting ipaserver.rpcserver.sync_token() at '/session/sync_token'
May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG:
Mounting ipaserver.rpcserver.jsonserver_session() at '/session/json'
May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG:
session_auth_duration: 0:20:00
May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG:
Mounting ipaserver.rpcserver.jsonserver_kerb() at '/json'
May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG:
session_auth_duration: 0:20:00
May 05 10:52:20 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG:
Mounting ipaserver.rpcserver.login_kerberos() at '/session/login_kerberos'
May 05 10:52:20 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG:
session_auth_duration: 0:20:00
May 05 10:52:20 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG:
Mounting ipaserver.rpcserver.login_password() at '/session/login_password'
May 05 10:52:20 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG:
session_auth_duration: 0:20:00
May 05 10:52:20 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG:
Mounting ipaserver.rpcserver.change_password() at '/session/change_password'
May 05 10:52:20 host.example.com ipa-dnskeysyncd[13834]: ipa :
DEBUG
Kerberos principal: ipa-dnskeysyncd/host.example.com
May 05 10:52:20 host.example.com ipa-dnskeysyncd[13834]: ipa :
DEBUG
Initializing principal ipa-dnskeysyncd/host.example.com using keytab
/etc/ipa/dnssec/ipa-dnskeysyncd.keytab
May 05 10:52:20 host.example.com ipa-dnskeysyncd[13834]: ipa :
DEBUG
using ccache /tmp/ipa-dnskeysyncd.ccache
May 05 10:52:20 host.example.com ipa-dnskeysyncd[13834]: ipa :
DEBUG
Attempt 1/5: success
May 05 10:52:20 host.example.com ipa-dnskeysyncd[13834]: ipa :
DEBUG
LDAP URL:
ldapi://%2Fvar%2Frun%2Fslapd-EXAMPLE-COM.socket/cn%3Ddns%2Cdc%3Dexample%2C
dc
%3Dme??sub?%28%7C%28objectClass%3DidnsZone%29%28objectClass%3DidnsSecKey%2
9%
28objectClass%3Dipk11PublicKey%29%29
May 05 10:52:20 host.example.com ipa-dnskeysyncd[13834]: ipa :
INFO
LDAP bind...
May 05 10:52:20 host.example.com python2[13834]: GSSAPI client step 1 May
05 10:52:20 host.example.com python2[13834]: GSSAPI client step 1 May 05
10:52:21 host.example.com python2[13834]: GSSAPI client step 1 May 05
10:52:21 host.example.com python2[13834]: GSSAPI client step 2
May 05 10:52:21 host.example.com ipa-dnskeysyncd[13834]: ipa :
INFO
Commencing sync process
May 05 10:52:21 host.example.com ipa-dnskeysyncd[13834]:
ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG Current cookie is: None
(not received yet)
May 05 10:52:21 host.example.com ipa-dnskeysyncd[13834]:
ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG Detected add of entry:
idnsname=example.com.,cn=dns,dc=example,dc=com
203dbe2d-8d9c-11e5-bb23-e7a3b46d8929
May 05 10:52:21 host.example.com ipa-dnskeysyncd[13834]:
ipa.ipapython.dnssec.odsmgr.ODSMgr: DEBUG LDAP zones:
{'203dbe2d-8d9c-11e5-bb23-e7a3b46d8929': <DNS name example.com.>} May 05
10:52:21 host.example.com ipa-dnskeysyncd[13834]:
ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG Detected add of entry:
ipk11UniqueID=2a6519b4-8d9c-11e5-8ced-56000017eb11,cn=keys,cn=sec,cn=dns,d
c=
example,dc=com 203dbe63-8d9c-11e5-bb23-e7a3b46d8929
May 05 10:52:21 host.example.com ipa-dnskeysyncd[13834]:
ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG Detected add of entry:
ipk11UniqueID=9fc0e8ec-ccd4-11e5-a9e6-56000017eb11,cn=keys,cn=sec,cn=dns,d
c=
example,dc=com 9d5e3d66-ccd4-11e5-bb23-e7a3b46d8929
May 05 10:52:21 host.example.com ipa-dnskeysyncd[13834]:
ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG Detected add of entry:
ipk11UniqueID=70eca210-0ee0-11e6-9e98-56000017eb11,cn=keys,cn=sec,cn=dns,d
c=
example,dc=com 59985f1f-0ee0-11e6-aa2d-e7a3b46d8929
May 05 10:52:21 host.example.com ipa-dnskeysyncd[13834]:
ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG Detected add of entry:
ipk11UniqueID=fba8d874-10a2-11e6-86aa-56000017eb11,cn=keys,cn=sec,cn=dns,d
c=
example,dc=com dc691799-10a2-11e6-aa2d-e7a3b46d8929
May 05 10:52:21 host.example.com ipa-dnskeysyncd[13834]:
ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG Detected add of entry:
ipk11UniqueID=a7bac2a6-10a5-11e6-9c20-56000017eb11,cn=keys,cn=sec,cn=dns,d
c=
example,dc=com 83e74997-10a5-11e6-aa2d-e7a3b46d8929
May 05 10:52:21 host.example.com ipa-dnskeysyncd[13834]:
ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG Detected add of entry:
ipk11UniqueID=2f32c0f8-10c9-11e6-bf47-56000017eb11,cn=keys,cn=sec,cn=dns,d
c=
example,dc=com 0f260699-10c9-11e6-aa2d-e7a3b46d8929
May 05 10:52:21 host.example.com ipa-dnskeysyncd[13834]:
ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG New cookie is:
host.example.com:389#krbprincipalname=ipa-dnskeysyncd/host.example.com at exa
mp
le.com,cn=services,cn=accounts,dc=example,dc=com:cn=dns,dc=example,dc=com:
(|
(objectClass=idnsZone)(objectClass=idnsSecKey)(objectClass=ipk11PublicKey)
)#
33443
Logs as a result of ipa-dnskeysyncd restart
(/var/log/dirsrv/slapd-EXAMPLE-COM/access):
[05/May/2016:10:52:20 -0400] conn=614 fd=83 slot=83 connection from local to
/var/run/slapd-EXAMPLE-COM.socket
[05/May/2016:10:52:20 -0400] conn=614 op=0 BIND dn="" method=sasl
version=3 mech=GSSAPI
[05/May/2016:10:52:20 -0400] conn=614 op=0 RESULT err=14 tag=97 nentries=0
etime=0, SASL bind in progress
[05/May/2016:10:52:20 -0400] conn=614 op=1 BIND dn="" method=sasl
version=3 mech=GSSAPI
[05/May/2016:10:52:20 -0400] conn=614 op=1 RESULT err=14 tag=97 nentries=0
etime=0, SASL bind in progress
[05/May/2016:10:52:20 -0400] conn=614 op=2 BIND dn="" method=sasl
version=3 mech=GSSAPI
[05/May/2016:10:52:20 -0400] conn=614 op=2 RESULT err=0 tag=97 nentries=0
etime=0
dn="krbprincipalname=ipa-dnskeysyncd/host.example.com at example.com,cn=servi
ce
s,cn=accounts,dc=example,dc=com"
[05/May/2016:10:52:20 -0400] conn=614 op=3 SRCH
base="cn=dns,dc=example,dc=com" scope=2
filter="(|(objectClass=idnsZone)(objectClass=idnsSecKey)(objectClass=ipk11
Pu
blicKey))" attrs=ALL
[05/May/2016:10:52:20 -0400] conn=614 op=3 RESULT err=269 tag=121
nentries=0
etime=0
Cheers,
GTG
-----Original Message-----
From: freeipa-users-bounces at redhat.com
[mailto:freeipa-users-bounces at redhat.com] On Behalf Of Gary T. Giesen
Sent: May-03-16 10:19 AM
To: 'Petr Spacek' <pspacek at redhat.com>; freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Unable to configure DNSSEC signing
Thanks Petr. I'm on IRC as well if a more interactive troubleshooting
session would be better.
Cheers,
GTG
-----Original Message-----
From: Petr Spacek [mailto:pspacek at redhat.com]
Sent: May-03-16 9:59 AM
To: Gary T. Giesen <ggiesen+freeipa-users at giesen.me>;
freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Unable to configure DNSSEC signing
On 3.5.2016 15:29, Gary T. Giesen wrote:
> All lines from the log file with conn=152.
>
> [03/May/2016:07:21:06 -0400] conn=152 fd=83 slot=83 connection from
> local to /var/run/slapd-EXAMPLE-COM.socket
> [03/May/2016:07:21:06 -0400] conn=152 op=0 BIND dn="" method=sasl
> version=3 mech=GSSAPI
> [03/May/2016:07:21:06 -0400] conn=152 op=0 RESULT err=14 tag=97
> nentries=0 etime=0, SASL bind in progress
> [03/May/2016:07:21:06 -0400] conn=152 op=1 BIND dn="" method=sasl
> version=3 mech=GSSAPI
> [03/May/2016:07:21:06 -0400] conn=152 op=1 RESULT err=14 tag=97
> nentries=0 etime=0, SASL bind in progress
> [03/May/2016:07:21:06 -0400] conn=152 op=2 BIND dn="" method=sasl
> version=3 mech=GSSAPI
> [03/May/2016:07:21:06 -0400] conn=152 op=2 RESULT err=0 tag=97
> nentries=0
> etime=0
> dn="krbprincipalname=ipa-dnskeysyncd/host.example.com at example.com,cn=s
> ervice
> s,cn=accounts,dc=example,dc=com"
> [03/May/2016:07:21:06 -0400] conn=152 op=3 SRCH
> base="cn=dns,dc=example,dc=com" scope=2
> filter="(|(objectClass=idnsZone)(objectClass=idnsSecKey)(objectClass=i
> pk11Pu
> blicKey))" attrs=ALL
> [03/May/2016:07:21:06 -0400] conn=152 op=3 RESULT err=269 tag=121
> nentries=0
> etime=0
This seems to be okay, I will think about it a bit more and return back to
you when I find something.
Petr^2 Spacek
>
> -----Original Message-----
> From: Petr Spacek [mailto:pspacek at redhat.com]
> Sent: May-03-16 8:50 AM
> To: Gary T. Giesen <ggiesen+freeipa-users at giesen.me>;
> freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] Unable to configure DNSSEC signing
>
> Hmm, this is really weird.
>
> It should log message "Initial LDAP dump is done, sychronizing with
> ODS and BIND" which is apparently not there. Maybe LDAP server is
> doing something weird ...
>
> Could you inspect /var/log/dirsrv/*/access_log and look for lines
> similar to ones in the attached file, please?
>
> It should start with log message like
> "connection from local to /var/run/slapd-*".
> This line will have identifier like "conn=84". We are looking for conn
> number (e.g. "conn=84") which is related to BIND DN
> "dn="krbprincipalname=ipa-dnskeysyncd/*".
>
> If you find the right conn number, look for other lines containing the
> same conn number and operation "SRCH base="cn=dns,*". This SRCH line
> will have specific identifier like "conn=84 op=3".
>
> Now you have identifier for particular operation. Look for RESULT line
> with the same ID.
>
> How does it look?
>
> Can you copy&paste complete all lines with identifier conn=??? you
found?
>
> Thanks!
> Petr^2 Spacek
>
> On 3.5.2016 13:37, Gary T. Giesen wrote:
>> See attached.
>>
>> GTG
>>
>> -----Original Message-----
>> From: Petr Spacek [mailto:pspacek at redhat.com]
>> Sent: May-03-16 7:33 AM
>> To: Gary T. Giesen <ggiesen+freeipa-users at giesen.me>;
>> freeipa-users at redhat.com
>> Subject: Re: [Freeipa-users] Unable to configure DNSSEC signing
>>
>> On 3.5.2016 13:28, Gary T. Giesen wrote:
>>> 1. Confirmed, it was already set to ISMASTER=1
>>>
>>> 2. Logs:
>>> ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG Current cookie is:
> None
>>> May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]:
>>> ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG Detected add of
> entry:
>>> May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]:
>>> ipa.ipapython.dnssec.odsmgr.ODSMgr: DEBUG LDAP zones:
> {'203dbe2d-8d9c-1
>>> May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]:
>>> ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG Detected add of
> entry:
>>> May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]:
>>> ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG Detected add of
> entry:
>>> May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]:
>>> ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG Detected add of
> entry:
>>> May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]:
>>> ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG Detected add of
> entry:
>>> May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]:
>>> ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG Detected add of
> entry:
>>> May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]:
>>> ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG Detected add of
> entry:
>>> May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]:
>>> ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG New cookie is:
> host.exa
>>
>> The log seems to be truncated. Please attach it as a file to avoid
>> truncation and line wrapping problems.
>>
>> Thanks
>> Petr^2 Spacek
>>
>>>
>>>
>>> 3. # rpm -q ipa-server
>>> ipa-server-4.2.0-15.0.1.el7.centos.6.1.x86_64
>>>
>>> -----Original Message-----
>>> From: freeipa-users-bounces at redhat.com
>>> [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Petr Spacek
>>> Sent: May-03-16 7:08 AM
>>> To: freeipa-users at redhat.com
>>> Subject: Re: [Freeipa-users] Unable to configure DNSSEC signing
>>>
>>> Okay, this is a problem. It should list your zone example.com
>>> because it has DNSSEC signing enabled.
>>>
>>> Make sure you are working on host.example.com (the host listed by
>>> the ldapsearch above).
>>>
>>> I would check two things:
>>> 1. File /etc/sysconfig/ipa-dnskeysyncd contains line "ISMASTER=1".
>>> If it does not, re-run ipa-dns-install with --dnssec-master option
>>> to fix
>> that.
>>>
>>> 2. Debug logs from the daemon. Please edit /etc/ipa/default.conf and
>>> make sure that it contains line "debug=True" and restart
>>> ipa-dnskeysyncd when you are done with it.
>>>
>>> The log should be much longer after this change.
>>>
>>> I hope it will help to identify the root cause.
>>>
>>> What IPA version do you use?
>>> $ rpm -q freeipa-server
>>>
>>> Petr^2 Spacek
>>>
>>>
>>>
>>>> Per the instructions, I've restarted ipa-dnskeysyncd, but it has
>>>> had no effect. The only log entries I see are:
>>>>
>>>> # journalctl -u ipa-dnskeysyncd
>>>>
>>>> May 02 20:35:52 host.example.com systemd[1]: Stopping IPA key
> daemon...
>>>> May 02 20:35:52 host.example.com ipa-dnskeysyncd[14903]: ipa
:
>>> INFO
>>>> Signal 15 received: Shutting down!
>>>> May 02 20:35:52 host.example.com systemd[1]: Started IPA key daemon.
>>>> May 02 20:35:52 host.example.com systemd[1]: Starting IPA key
> daemon...
>>>> May 02 20:35:52 host.example.com ipa-dnskeysyncd[15014]: ipa:
WARNING:
>>>> session memcached servers not running May 02 20:35:53
>>>> host.example.com ipa-dnskeysyncd[15014]: ipa
:
>>> INFO
>>>> LDAP bind...
>>>> May 02 20:35:53 host.example.com python2[15014]: GSSAPI client step
>>>> 1 May 02 20:35:53 host.example.com python2[15014]: GSSAPI client
>>>> step 1 May 02 20:35:54 host.example.com python2[15014]: GSSAPI
>>>> client step 1 May 02 20:35:54 host.example.com python2[15014]:
>>>> GSSAPI
> client step 2
>>>> May 02 20:35:54 host.example.com ipa-dnskeysyncd[15014]: ipa
:
>>> INFO
>>>> Commencing sync process
>>>>
>>>>
>>>>
>>>> Can anyone advise on next steps? I've been banging my head against
>>>> a wall for a couple days now and would really appreciate some help.
>
>
> --
> Petr^2 Spacek
>
--
Petr^2 Spacek
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
More information about the Freeipa-users
mailing list