FreeIPA realm without DNS updates

Hello.

From 1.5 release notes: "You will need to disable the DNS proxy for hosts
that are provisioned with a Realm set, as IPA adds the forward record for
you." Are there any plans to allow adding hosts to FreeIPA realm and not to
create DNS records in FIPA (using existing DNS proxy for this)?

Thank you.

Hi Raul,

Foreman doesn't actually control the creation. If the FreeIPA server has
DNS turned on, then ipa-client-install will send its IP and FreeIPA
will create the record at registration time.

We do control delete (which is just a flag we send - delete or not).

I've never actually tried to turn the FreeIPA functionality off, and I
don't see an obvious way to do it – what's the reason to want to use
the Foreman DNS proxy instead?

If you're using different DNS outside of IPA you can leave the
DNS proxy, maybe that's not clear in the documentation.

Stephen Benjamin


Red Hat GmbH | http://de.redhat.com/ | Sitz: Grasbrunn
Handelsregister: Amtsgericht München, HRB 153243
Geschäftsführer: Charles Cachera, Michael Cunningham,
Michael O’Neill, Charles Peters

Hi.

I have installed FreeIPA without DNS server and configured Foreman for IPA
support. When I try to create new host with Realm selected, I get error:

Failed to create testipa.<domain>'s realm entry: ERF12-5287
[ProxyAPI::ProxyException]: Unable to create realm entry
([RestClient::BadRequest]: 400 Bad Request) for proxy
https://foreman.<domain>:8443/realm/<realm>.

domain == realm

Foreman is configured as DNS Smart Proxy. I want Foreman to create DNS
records (reverse included), but not in IPA DNS (not available/not
configured) but in other DNS (available/configured).

HTH


On Sun, Jul 13, 2014 at 10:57:52AM -0700, raul.laansoo@bigbank.ee wrote:

> Hi.
>
> I have installed FreeIPA without DNS server and configured Foreman for IPA
> support. When I try to create new host with Realm selected, I get error:
>
> Failed to create testipa.<domain>'s realm entry: ERF12-5287
> [ProxyAPI::ProxyException]: Unable to create realm entry
> ([RestClient::BadRequest]: 400 Bad Request) for proxy
> https://foreman.<domain>:8443/realm/<realm>.
>
> domain == realm

This doesn't look related to DNS then – the Smart Proxy is trying to
create a host entry in FreeIPA and get a one-time password, and it's
failing.

Can you take a look in /var/log/foreman-proxy/proxy.log to see if
there's an error message about why it might not be working?

It might help to take a look at your /etc/foreman-proxy/settings.yml,
too, to make sure it's configured as described in the manual.

As a last step, you can also enable debug in the IPA server.

There's some more info here:

http://projects.theforeman.org/projects/foreman/wiki/ERF12-5287

> Foreman is configured as DNS Smart Proxy. I want Foreman to create DNS
> records (reverse included), but not in IPA DNS (not available/not
> configured) but in other DNS (available/configured).

That's fine, you can leave your DNS smart proxy as it is.


Solved this with the help of Stephen on IRC. Summary.

  1. No need to disable DNS in Foreman proxy, if you do not use FreeIPA DNS.
  2. The keytab has to be readable by the Foreman proxy user (requirement I
    missed).
  3. Must trust all the certificates in the certificate chain. Use the
    procedure described in Foreman docs for trusting the IPA CA certificate for all
    certificates in the CA chain.

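Point 2 of the summary above (the keytab must be readable by the proxy user) and the "not in keytab" case it hides are the checks that are easy to miss before the proxy returns a 400. The script below is an added example, not Foreman or FreeIPA code: it parses the proxy's keytab the way `klist -kt` lists it (MIT keytab format 0x0502) and checks the file's owner, group and mode against the proxy user. The path /etc/foreman-proxy/freeipa.keytab, the user foreman-proxy and the principal realm-proxy@EXAMPLE.COM are assumptions; take the real values from the `:realm_keytab:` and `:realm_principal:` entries in your own settings.yml. The sample keytab bytes built in the block are constructed for illustration and contain no real key material.

```python
import grp
import os
import pwd
import stat
import struct

# Added example, not Foreman or FreeIPA code. The three values below are
# assumptions for illustration; use the ones from your settings.yml.
KEYTAB = "/etc/foreman-proxy/freeipa.keytab"
PROXY_USER = "foreman-proxy"
PRINCIPAL = "realm-proxy@EXAMPLE.COM"


def _counted(data, pos):
    """Read one keytab counted octet string: uint16 length, then the bytes."""
    (n,) = struct.unpack_from(">H", data, pos)
    return data[pos + 2:pos + 2 + n], pos + 2 + n


def parse_keytab(data):
    """Parse MIT keytab bytes (format 0x0502) into [(principal, kvno, enctype)].

    This is the same information `klist -kt` prints. A keytab the proxy user
    cannot open, or one that lacks the configured principal, cannot yield a
    service ticket, so the proxy cannot create the host entry in FreeIPA.
    """
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab format version 0x0502 is handled")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                      # negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = _counted(data, pos)  # realm comes before the components
        comps = []
        for _ in range(ncomp):
            c, pos = _counted(data, pos)
            comps.append(c.decode())
        _name_type, _timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        (enctype,) = struct.unpack_from(">H", data, pos)
        pos += 2
        _key, pos = _counted(data, pos)   # key material is not needed here
        kvno = vno8
        if end - pos >= 4:                # optional 32-bit kvno overrides vno8
            (vno32,) = struct.unpack_from(">I", data, pos)
            if vno32:
                kvno = vno32
        entries.append(("/".join(comps) + "@" + realm.decode(), kvno, enctype))
        pos = end
    return entries


def build_keytab(entries):
    """Build 0x0502 keytab bytes from (principal, kvno, enctype, key) tuples.

    Only used to construct sample data for this example.
    """
    out = bytearray(b"\x05\x02")
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps))
        for s in [realm] + comps:
            body += struct.pack(">H", len(s)) + s.encode()
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)  # KRB5_NT_PRINCIPAL, ts, vno8
        body += struct.pack(">H", enctype) + struct.pack(">H", len(key)) + key
        body += struct.pack(">I", kvno)
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def mode_allows_read(st_uid, st_gid, st_mode, uid, gids):
    """Owner/group/other read check; ignores POSIX ACLs and parent directories."""
    if uid == 0:
        return True
    if st_uid == uid:
        return bool(st_mode & stat.S_IRUSR)
    if st_gid in gids:
        return bool(st_mode & stat.S_IRGRP)
    return bool(st_mode & stat.S_IROTH)


def readable_by(path, username):
    """True if `username` (with its primary and supplementary groups) can read `path`."""
    pw = pwd.getpwnam(username)
    gids = {pw.pw_gid} | {g.gr_gid for g in grp.getgrall() if username in g.gr_mem}
    st = os.stat(path)
    return mode_allows_read(st.st_uid, st.st_gid, st.st_mode, pw.pw_uid, gids)


def check_keytab(path, username, principal):
    """Return a list of problems; an empty list means the proxy can use the keytab."""
    problems = []
    if not readable_by(path, username):
        problems.append(f"{path} is not readable by {username}; fix owner/mode")
    try:
        with open(path, "rb") as f:
            names = [p for p, _, _ in parse_keytab(f.read())]
    except OSError as e:
        return problems + [f"cannot open {path}: {e}"]
    if principal not in names:
        problems.append(f"{principal} is not in the keytab; found {names}")
    return problems


# Constructed sample: one principal with two enctypes, all-zero keys (not real).
SAMPLE_KEYTAB = build_keytab([
    (PRINCIPAL, 3, 18, b"\x00" * 32),   # aes256-cts-hmac-sha1-96
    (PRINCIPAL, 3, 17, b"\x00" * 16),   # aes128-cts-hmac-sha1-96
])

if __name__ == "__main__":
    for problem in check_keytab(KEYTAB, PROXY_USER, PRINCIPAL):
        print("PROBLEM:", problem)
```

The equivalent one-liner at the shell is to run the listing as the proxy user, `sudo -u foreman-proxy klist -kt /etc/foreman-proxy/freeipa.keytab`; a "Permission denied" there is exactly the condition in point 2, and a listing without the principal named in settings.yml is the other failure the script reports. Point 3 (trusting the whole IPA CA chain) is a separate check that this script does not cover.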