[Freeipa-users] Active Directory slave zone in FreeIPA DNS (Franklin)
Dmitri Pal
dpal at redhat.com
Fri Sep 7 19:55:41 UTC 2012
On 08/27/2012 07:53 AM, Petr Spacek wrote:
> Hello,
>
> On 08/23/2012 07:00 AM, Franklin Catoni wrote:
>> >>Hi,
>> Hello,
>> >>Is the zone not transferring at all, or is it just the updates that are
>> >>not transferred to the AD slave server?
>> It's not transferring at all.
>> >>If the zone is not transferring at all: Did you modify the "Allow
>> >>transfer" property of the zone ?
>> Yes, I changed the parameter to allow zone transfers from the AD.
>> >>If the updates are not transferring: I believe automatic increment of the
>> >>zone serial number will be supported in IPA 3.0. The IPA developers will
>> >>have to confirm that. However you can manually change the serial number
>> >>under Zone Settings.
>> Yes, I also read this information but I was hoping there was some other
>> solution to the issue. And I've manually changed the serial number of the
>> zone, but without success.
>> >>Hope this helps.
>> Thanks
>>
>> >>Regards,
>> >>Siggi
>
> I'm a bit confused, so I tried to summarize your configuration. Please
> correct me if I'm wrong:
>
> zone "ejemplo.com" = hosted on AD server
> zone "ejemplo.gob.ve" = hosted on FreeIPA server
>
> What is your target? Do you want to have both zones on each server?
> I.e. one server will be master for one zone and slave for the other
> zone (at the same time)?
>
> Zone transfers are supported from IPA 3.0. IPA can host only master
> zones, slave zones have to be set in /etc/named.conf manually. There
> is no centralized management of slave zones.
>
>
> Generally, you can test zone-transfers with dig:
>
> slave$ dig @master_IP -t AXFR zone.name
>
> It should print something like:
>
> zone.example. 86400 IN SOA unused-4-107.brq.redhat.com. nonexistent.zone.example. 1344953446 123 123 666 1
> zone.example. 86400 IN NS unused-4-107.brq.redhat.com.
> zone.example. 86400 IN TXT "zone.example"
> ...
> zone.example. 86400 IN SOA unused-4-107.brq.redhat.com. nonexistent.zone.example. 1344953446 123 123 666 1
>
> This way you can test ACL and other settings on master.
>
> Does the transfer with dig work for both master servers?
>
> Petr^2 Spacek
>
I can't find any updates on this thread.
Has the issue been resolved?
>
>>
>> 2012/8/20 <freeipa-users-request at redhat.com>
>>
>> Today's Topics:
>>
>> 1. Re: Active Directory slave zone in FreeIPA DNS (Sigbjorn Lie)
>> 2. Re: sssd client cache timer and merging IPA domains
>> (Rob Crittenden)
>> 3. Re: Question about migration and scripts variables
>> (Rob Crittenden)
>> 4. Specifying load balancing to SSSD clients (Innes, Duncan)
>> 5. Re: Specifying load balancing to SSSD clients (Mark St.
>> Laurent)
>>
>>
>>
>> ----------------------------------------------------------------------
>>
>> Message: 1
>> Date: Sun, 19 Aug 2012 18:23:20 +0200
>> From: Sigbjorn Lie <sigbjorn at nixtra.com>
>> To: freeipa-users at redhat.com
>> Subject: Re: [Freeipa-users] Active Directory slave zone in FreeIPA DNS
>> Message-ID: <503112F8.8000900 at nixtra.com>
>> Content-Type: text/plain; charset="iso-8859-1"; Format="flowed"
>>
>> On 08/19/2012 04:39 PM, Franklin Catoni wrote:
>> > Greetings community.
>> >
>> > I do not speak English so I will do my best.
>> >
>> > I have two environments in my company, a domain "ejemplo.com" with
>> > Windows Active Directory running on Windows Server 2003 Enterprise
>> > Edition SP2 and domain "ejemplo.gob.ve" with FreeIPA v2.2 mounted on
>> > CentOS 6.3 x64. This is because we are in the middle of a platform
>> > migration process (a very slow process) from proprietary solutions to
>> > open source.
>> >
>> > DNS and DHCP service for my two environments is offered by the CentOS
>> > 6.3 server on which the FreeIPA directory is mounted; clients are
>> > Windows computers in the Active Directory domain and Linux computers
>> > in the IPA domain.
>> >
>> > Currently the zone "ejemplo.gob.ve" is administered by the FreeIPA DNS
>> > using the plugin (bind-dyndb-ldap.x86_64 v1.1.0) and I configured a
>> > slave zone using bind (bind-9.8.2-0.10.rc1.el6_3.2.x86_64) for the
>> > Active Directory domain "ejemplo.com".
>> >
>> > Name resolution works perfectly for both Linux and Windows clients.
>> >
>> > Now here comes the tricky part.
>> >
>> > In order to find a more centralized management of my services, I tried
>> > to configure a slave zone for Active Directory through FreeIPA with the
>> > bind-dyndb-ldap plugin and so eliminate configuration through bind, but
>> > the zone transfers do not work, causing many problems on both
>> > platforms.
>> >
>> > The log shows me the following error:
>> >
>> > ServidorIPA named[3706]: zone ejemplo.com/IN/local: zone serial
>> > (2012081801) unchanged. zone may fail to transfer to slaves
>> >
>> > I've spent enough time looking at Super Google for information that can
>> > help me, but it has not been easy, because it seems to be a rare
>> > situation.
>> >
>> > I ask: can this be set up under these circumstances?
>> > Has someone accomplished it?
>> > Some information that would orient me toward a solution?
>> >
>> > Thanks for your time.
>> >
>> Hi,
>>
>> Is the zone not transferring at all, or is it just the updates that are
>> not transferred to the AD slave server?
>>
>> If the zone is not transferring at all: Did you modify the "Allow
>> transfer" property of the zone ?
>>
>> If the updates are not transferring: I believe automatic increment of the
>> zone serial number will be supported in IPA 3.0. The IPA developers will
>> have to confirm that. However you can manually change the serial number
>> under Zone Settings.
>>
>> Hope this helps.
>>
>>
>> Regards,
>> Siggi
>>
>> ------------------------------
>>
>> Message: 2
>> Date: Mon, 20 Aug 2012 08:44:32 -0400
>> From: Rob Crittenden <rcritten at redhat.com>
>> To: Lucas Yamanishi <lyamanishi at sesda2.com>
>> Cc: freeipa-users at redhat.com
>> Subject: Re: [Freeipa-users] sssd client cache timer and merging IPA domains
>> Message-ID: <50323130.6030102 at redhat.com>
>> Content-Type: text/plain; charset=UTF-8; format=flowed
>>
>> Lucas Yamanishi wrote:
>> >
>> > On 08/17/2012 08:38 AM, Rob Crittenden wrote:
>> >> Lucas Yamanishi wrote:
>> >>>
>> >>> On 08/16/2012 05:39 PM, Rob Crittenden wrote:
>> >>>> Lucas Yamanishi wrote:
>> >>>>>
>> >>>>> On 08/16/2012 05:32 PM, Rob Crittenden wrote:
>> >>>>>> Lucas Yamanishi wrote:
>> >>>>>>> I just migrated my IPA instance from one to another a couple
>> >>>>>>> days ago to recover after a lost CA and failed yum upgrade. The
>> >>>>>>> "ipa migrate-ds" tool works very well, though I am having a few
>> >>>>>>> very minor issues. On the upside, as far as I can tell, you can
>> >>>>>>> skip the steps about Kerberos key generation as outlined in the
>> >>>>>>> documentation. I've been able to kinit just fine with my
>> >>>>>>> migrated users.
>> >>>>>>>
>> >>>>>>>
>> >>>>>>> Below are the few errors I've noticed.
>> >>>>>>>
>> >>>>>>> * When I ssh into an enrolled host using a migrated user's
>> >>>>>>> credentials I get this error:
>> >>>>>>>
>> >>>>>>> id: cannot find name for group ID 104600003\
>> >>>>>>
>> >>>>>> Does a group exist with that GID? You can try something like:
>> >>>>>>
>> >>>>>> $ ipa group-find --gid=104600003
>> >>>>>>
>> >>>>>
>> >>>>> The group doesn't exist. The GID is the counterpart to my UID.
>> >>>>
>> >>>> Try adding --private.
>> >>>>
>> >>>> rob
>> >>>>
>> >>>
>> >>> Nope. It doesn't exist.
>> >>>
>> >>> Other groups migrated. Why would the private groups fail?
>> >>
>> >> I don't know, what have you done to date, including versions?
>> >>
>> >> rob
>> > I've been following the stable Scientific Linux releases since 6.1.
>> > Based on repo archives, I guess that would be 2.0.0-23.el6.x86_64. The
>> > version was at 2.2.0-16.el6.x86_64 when I migrated, which I had just
>> > upgraded from 2.1.3-9.el6.x86_64. I migrated to and use now
>> > 2.2.0-16.el6.x86_64.
>> >
>> > So...
>> > 2.0.0-23.el6.x86_64 -> 2.1.3-9.el6.x86_64 -> 2.2.0-16.el6.x86_64 ---->
>> > 2.2.0-16.el6.x86_64
>> >
>> >
>>
>> Can you verify that managed entries are configured:
>>
>> # ipa-managed-entries -l
>>
>> It should return:
>>
>> UPG Definition
>> NGP Definition
>>
>> This enables user-private groups and netgroup-private groups.
>>
>> rob
>>
>>
>>
>> ------------------------------
>>
>> Message: 3
>> Date: Mon, 20 Aug 2012 08:56:51 -0400
>> From: Rob Crittenden <rcritten at redhat.com>
>> To: James James <jreg2k at gmail.com>
>> Cc: freeipa-users at redhat.com
>> Subject: Re: [Freeipa-users] Question about migration and scripts variables
>> Message-ID: <50323413.4090906 at redhat.com>
>> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>>
>> James James wrote:
>> > Hi,
>> >
>> > my first question is about the migrate process. Is it possible to
>> > renumber the users during the migrate process (ipa migrate-ds) in a way
>> > that all imported users will have a new UID ?
>>
>> I haven't tested this but you might try
>> --user-ignore-attribute=uidnumber,gidnumber.
>>
>> > my second question is about ipalib. I wanted to make a hook on the user
>> > creation. The hook works fine. I just want to know if there is a way to
>> > have the value of variables like the username, the name of the creator,
>> > the e-mail of the creator and stuff like that.
>>
>> The current user is available via: principal = getattr(context, 'principal')
>>
>> Using this you can look up that user:
>>
>> (binddn, bindattrs) = find_entry_by_attr("krbprincipalname", principal, "krbPrincipalAux")
>>
>> rob
>>
>>
>>
>> ------------------------------
>>
>> Message: 4
>> Date: Mon, 20 Aug 2012 14:48:30 +0100
>> From: "Innes, Duncan" <Duncan.Innes at virginmoney.com>
>> To: <freeipa-users at redhat.com>
>> Subject: [Freeipa-users] Specifying load balancing to SSSD clients
>> Message-ID: <56343345B145C043AE990701E3D193952B5511 at EXVS2.nrplc.localnet>
>> Content-Type: text/plain; charset="us-ascii"
>>
>> Folks,
>>
>> Hopefully this isn't a dumb question, but I'm constrained by a few
>> things on my estate and would be looking to deploy something like the
>> following:
>>
>> 2 Datacentres
>> 2 IPA servers at each datacentre
>>
>> ipa1.domain.com \_ datacentre A
>> ipa2.domain.com /
>>
>> ipa3.domain.com \_ datacentre B
>> ipa4.domain.com /
>>
>> The datacentres are linked, but bandwidth is not great.
>>
>> Clients in datacentre A should therefore use ipa1.domain.com and
>> ipa2.domain.com as primary servers and only fail over to ipa3 & ipa4
>> when both 1 & 2 are out of action. Clients would revert to using
>> ipa1/ipa2 whenever either of them came back online.
>>
>> I understand this configuration has already been done as part of
>> https://fedorahosted.org/freeipa/ticket/2282
>>
>> What I'm wondering is if I can force my clients to load balance
>> communication between ipa1 & ipa2.
>>
>> I don't have the ability to use the _srv_ records in DNS as that's set
>> up for the AD servers on our network. I also can't create separate DNS
>> servers for the Linux estate (not that I'd particularly want to).
>>
>> Is there any current configuration that I can use to force load
>> balancing between ipa1/ipa2 under ideal conditions, falling back to
>> ipa2 when ipa1 is out of action, and falling back to (load balanced
>> perhaps?) ipa3/ipa4 when ipa1 & ipa2 are both out of action?
>>
>> Hope the description is reasonable.
>>
>> Thanks
>>
>> Duncan Innes | Linux Architect
>>
>> ------------------------------
>>
>> Message: 5
>> Date: Mon, 20 Aug 2012 10:15:08 -0400 (EDT)
>> From: "Mark St. Laurent" <mstlaure at redhat.com>
>> To: Duncan Innes <Duncan.Innes at virginmoney.com>
>> Cc: freeipa-users at redhat.com
>> Subject: Re: [Freeipa-users] Specifying load balancing to SSSD clients
>> Message-ID: <290044214.13057699.1345472108805.JavaMail.root at redhat.com>
>> Content-Type: text/plain; charset="utf-8"
>>
>>
>> http://www.redhat.com/products/enterprise-linux-add-ons/load-balancing/
>>
>>
>> Norman "Mark" St. Laurent
>> Federal Team: Senior Solutions Architect
>> Red Hat
>> 8260 Greensboro Drive, Suite 300
>> McLean VA, 22102
>> Email: msl at redhat.com
>> Cell: 703.772.1434
>>
>> Check this Link out!!! Cool Stuff: http://mil-oss.org/
>>
>>
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
--
Thank you,
Dmitri Pal
Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
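Petr's suggestion above is to test the master's transfer ACL with `dig @master_IP -t AXFR zone.name` and read the result by eye; Franklin's log line shows the other failure mode, a serial that never moves so slaves never refresh. As an added example (not code from the thread or from FreeIPA), the script below parses dig AXFR output into records, checks that a transfer is complete (opened and closed by the same SOA, same serial), and applies RFC 1982 serial arithmetic to decide whether a slave holding a given serial would actually pull the zone. The sample dig output is constructed from the records quoted in the thread; the `; Transfer failed.` line is dig's own comment for a refused transfer. Function names are ours.

```python
"""Check dig AXFR output for completeness and serial movement.

Added example, not part of the mailing-list thread. Sample data below is
constructed from the dig output Petr quoted; nothing here talks to a server.
"""

import re

# Constructed sample modelled on the AXFR output quoted in the thread.
SAMPLE_AXFR = """\
zone.example. 86400 IN SOA unused-4-107.brq.redhat.com. nonexistent.zone.example. 1344953446 123 123 666 1
zone.example. 86400 IN NS unused-4-107.brq.redhat.com.
zone.example. 86400 IN TXT "zone.example"
zone.example. 86400 IN SOA unused-4-107.brq.redhat.com. nonexistent.zone.example. 1344953446 123 123 666 1
"""

# Constructed sample of a transfer the master's ACL refused (only a dig comment).
SAMPLE_REFUSED = """\
; Transfer failed.
"""

# owner  TTL  IN  TYPE  rdata...
RR_RE = re.compile(r"^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+(?P<type>\S+)\s+(?P<rdata>.*)$")


def parse_axfr(text):
    """Return the resource records in dig AXFR output as dicts.
    Lines starting with ';' are dig comments, not records; blanks are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = RR_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["ttl"] = int(rec["ttl"])
            records.append(rec)
    return records


def soa_serial(record):
    """SOA rdata is: mname rname serial refresh retry expire minimum."""
    return int(record["rdata"].split()[2])


def check_transfer(text):
    """Classify one AXFR attempt. Returns (ok, serial, reason)."""
    records = parse_axfr(text)
    if not records:
        return (False, None, "no records: transfer refused or server unreachable")
    first, last = records[0], records[-1]
    if first["type"] != "SOA" or last["type"] != "SOA":
        return (False, None, "transfer not bracketed by SOA records (truncated?)")
    s1, s2 = soa_serial(first), soa_serial(last)
    if s1 != s2:
        return (False, None, "serial changed mid-transfer: %d != %d" % (s1, s2))
    # Subtract the two bracketing SOAs to count the zone's own records.
    return (True, s1, "complete: %d records, serial %d" % (len(records) - 2, s1))


def slave_needs_refresh(master_serial, slave_serial):
    """A slave re-transfers only when the master's serial is newer under
    RFC 1982 arithmetic (32-bit, wrap-around aware). An unchanged serial
    means the slave keeps stale data even though AXFR itself works, which
    is what the 'zone serial unchanged' warning in the thread points at."""
    if master_serial == slave_serial:
        return False
    diff = (master_serial - slave_serial) % (1 << 32)
    return 0 < diff < (1 << 31)


if __name__ == "__main__":
    ok, serial, reason = check_transfer(SAMPLE_AXFR)
    print("transfer ok=%s serial=%s (%s)" % (ok, serial, reason))
    print("refused:", check_transfer(SAMPLE_REFUSED))
    print("slave at 2012081801, master at 2012081801, refresh?",
          slave_needs_refresh(2012081801, 2012081801))
    print("slave at 2012081801, master at 2012081802, refresh?",
          slave_needs_refresh(2012081802, 2012081801))
```

To use it against a real master, pipe `dig @master_IP -t AXFR zone.name` into `check_transfer`; a "no records" result with the transfer ACL still closed is the expected, safe outcome for any host not listed in the zone's allow-transfer setting, so run it from the intended slave.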