[root@ipa2 ~]# klist -A
Ticket cache: KEYRING:persistent:0:0
Default principal: admin@EXAMPLE.COM
Valid starting Expires Service principal
08/19/2021 16:23:24 08/20/2021 16:22:52 HTTP/ipa2.example.com@EXAMPLE.COM
08/19/2021 16:23:17 08/20/2021 16:22:52 krbtgt/EXAMPLE.COM@EXAMPLE.COM
[root@ipa2 ~]#
[root@ipa2 ~]# klist -k /etc/krb5.keytab
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
1 host/ipa2.example.com@EXAMPLE.COM
1 host/ipa2.example.com@EXAMPLE.COM
[root@ipa2 ~]#
[root@ipa2 tmp]# grep "cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config" access
[20/Aug/2021:10:29:27.781656511 -0700] conn=129591 op=3 SRCH base="cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config" scope=0 filter="(objectClass=*)" attrs=ALL
[root@ipa2 tmp]#
[root@ipa2 tmp]# grep "conn=129591" access | grep "BIND dn="
[20/Aug/2021:10:29:27.774670410 -0700] conn=129591 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[20/Aug/2021:10:29:27.778256471 -0700] conn=129591 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
[20/Aug/2021:10:29:27.780236168 -0700] conn=129591 op=2 BIND dn="" method=sasl version=3 mech=GSSAPI
[root@ipa2 tmp]#
[root@ipa2 tmp]# grep "conn=129591 op=2" access | grep RESULT
[20/Aug/2021:10:29:27.780808034 -0700] conn=129591 op=2 RESULT err=0 tag=97 nentries=0 etime=0.000631206 dn="fqdn=ipa2.example.com,cn=computers,cn=accounts,dc=example,dc=com"
[root@ipa2 tmp]#
[root@ipa2 ~]#
Hi,

What is the output of

klist -A
klist -k /etc/krb5.keytab

on the machine where the ipa-healthcheck command fails?

ipa-healthcheck is using a kerberos ticket to authenticate to the LDAP server (obtained from /etc/krb5.keytab), and has different access rights depending on the identity mapped to this ticket. I suspect that the LDAP operations don't return any entry because they are mapped to a wrong identity.

You can also have a look at the directory server access logs to check which identity is used:

1. open /var/log/dirsrv/slapd-DOMAIN-COM/access
2. look for a line containing the following: SRCH base="cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config"
3. In this line, note the conn=<value>. In my machine I see for instance:
[20/Aug/2021:08:14:03.982502295 +0200] conn=17816 op=3 SRCH base="cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config" scope=0 filter="(objectClass=*)" attrs=ALL
4. Go up in the logs and find the BIND operation that took place on this connection: the line must contain the same conn=<value> and BIND dn=:
[20/Aug/2021:08:14:03.978879492 +0200] conn=17816 op=2 BIND dn="" method=sasl version=3 mech=GSSAPI
5. Find the corresponding result: the line must contain the same conn=<value> op=<value> and will give you the dn used for the LDAP operation:
[20/Aug/2021:08:14:03.981131807 +0200] conn=17816 op=2 RESULT err=0 tag=97 nentries=0 wtime=0.000152828 optime=0.002257466 etime=0.002407324 dn="uid=idmuser,cn=users,cn=accounts,dc=domain,dc=com"

In my example ipa-healthcheck fails to find the cn=Posix IDs entry because it is using an LDAP connection bound as uid=idmuser, who doesn't have the required read permissions.

HTH,
flo

On Fri, Aug 20, 2021 at 3:19 AM Kathy Zhu via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:

I ran the same ldapsearch on a good server and compared the outputs. Here are the differences:

dnaMaxValue: 1889657499 | dnaMaxValue: 1889607999
dnaNextValue: 1889650758 | dnaNextValue: 1889601276
Thanks.
Kathy.
On Thu, Aug 19, 2021 at 6:02 PM Kathy Zhu <kzhu@nuro.ai> wrote:

Hi Rob,

Thanks for replying! It is not missing and I can create a new user or group on it:

[root@ipa2 ~]# ldapsearch -D "cn=directory manager" -W -b "cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config"
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# Posix IDs, Distributed Numeric Assignment Plugin, plugins, config
dn: cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
cn: Posix IDs
dnaExcludeScope: cn=provisioning,dc=example,dc=com
dnaFilter: (|(objectClass=posixAccount)(objectClass=posixGroup)(objectClass=ipaIDobject))
dnaMagicRegen: -1
dnaMaxValue: 1889657499
dnaNextValue: 1889650758
dnaScope: dc=example,dc=com
dnaSharedCfgDN: cn=posix-ids,cn=dna,cn=ipa,cn=etc,dc=example,dc=com
dnaThreshold: 500
dnaType: uidNumber
dnaType: gidNumber
objectClass: top
objectClass: extensibleObject
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
[root@ipa2 ~]#
On Thu, Aug 19, 2021 at 5:14 PM Rob Crittenden <rcritten@redhat.com> wrote:

Kathy Zhu via FreeIPA-users wrote:
> Hello,
>
> ipa-healthcheck is a great tool! Really appreciate Rob to make it
> working for Centos.
>
> When I ran it on all of our IPA servers, one server reported:
>
> [root@ipa2 ~]# ipa-healthcheck --failures-only --output-type human
>
> CRITICAL: ipahealthcheck.ipa.dna.IPADNARangeCheck: no matching entry found
>
> [root@ipa2 ~]#
>
>
> I created a user and a group on this server then deleted them and
> reran ipa-healthcheck; I still get the same error. Here is the JSON
> format of it:
>
> {
> "source": "ipahealthcheck.ipa.dna",
> "kw": {
> "exception": "no matching entry found"
> },
> "uuid": "aaf4da70-64ca-435f-8011-b40da74b874e",
> "duration": "0.136489",
> "when": "20210819224225Z",
> "check": "IPADNARangeCheck",
> "result": "CRITICAL"
> }
>
>
> We have 7 ipa servers, this is the only server with this error.
>
> The success one looks like below:
>
> {
> "source": "ipahealthcheck.ipa.dna",
> "kw": {
> "range_start": 1889601184,
> "next_start": 0,
> "next_max": 0,
> "range_max": 1889625999
> },
> "uuid": "1ce671b9-76cf-46ce-b7d2-d5eec4079d63",
> "duration": "0.309565",
> "when": "20210630231006Z",
> "check": "IPADNARangeCheck",
> "result": "SUCCESS"
> }
>
>
> Any suggestions/ideas to fix it?
It looks in here for the configuration. It could throw a not found if
it is missing (though why/how it could be I don't know):
cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
rob
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
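As an added worked example (not from the thread or from the ipa-healthcheck project), the following Python script automates flo's five-step access-log trace over a constructed log excerpt modelled on the lines Kathy posted: it finds the SRCH on the DNA config entry, takes its conn=, reports the dn mapped by the last successful GSSAPI BIND on that connection, and classifies whether that is the host-keytab identity ipa-healthcheck is expected to use. The function names and the sample log are assumptions made for this example.

```python
import re
from typing import Optional

# Constructed sample modelled on the thread's 389-ds access log (not a real capture).
DNA_BASE = "cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config"
SAMPLE_ACCESS_LOG = """\
[20/Aug/2021:10:29:27.774670410 -0700] conn=129591 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[20/Aug/2021:10:29:27.775000000 -0700] conn=129591 op=0 RESULT err=14 tag=97 nentries=0 etime=0.000100000, SASL bind in progress
[20/Aug/2021:10:29:27.778256471 -0700] conn=129591 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
[20/Aug/2021:10:29:27.779000000 -0700] conn=129591 op=1 RESULT err=14 tag=97 nentries=0 etime=0.000100000, SASL bind in progress
[20/Aug/2021:10:29:27.780236168 -0700] conn=129591 op=2 BIND dn="" method=sasl version=3 mech=GSSAPI
[20/Aug/2021:10:29:27.780808034 -0700] conn=129591 op=2 RESULT err=0 tag=97 nentries=0 etime=0.000631206 dn="fqdn=ipa2.example.com,cn=computers,cn=accounts,dc=example,dc=com"
[20/Aug/2021:10:29:27.781656511 -0700] conn=129591 op=3 SRCH base="cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config" scope=0 filter="(objectClass=*)" attrs=ALL
"""

# One access-log line: timestamp, connection id, operation id, operation kind, remainder.
LINE_RE = re.compile(r"^\[[^\]]+\] conn=(?P<conn>\d+) op=(?P<op>\d+) (?P<kind>\w+) ?(?P<rest>.*)$")


def bound_identity_for_search(log_text: str, base: str) -> Optional[str]:
    """Locate the SRCH on `base`, take its conn=, and return the dn= of the last
    successful BIND RESULT logged on that connection before the search.
    None means no such search, or no completed bind on that connection."""
    parsed = [m.groupdict() for m in map(LINE_RE.match, log_text.splitlines()) if m]
    idx = next((i for i, r in enumerate(parsed)
                if r["kind"] == "SRCH" and f'base="{base}"' in r["rest"]), None)
    if idx is None:
        return None
    conn, earlier = parsed[idx]["conn"], parsed[:idx]
    bind_ops = {r["op"] for r in earlier if r["conn"] == conn and r["kind"] == "BIND"}
    identity = None
    for r in earlier:
        if r["conn"] == conn and r["kind"] == "RESULT" and r["op"] in bind_ops:
            # err=14 is a SASL round trip still in progress; only err=0 carries the mapped dn.
            m = re.search(r'err=0 .*dn="([^"]*)"', r["rest"])
            if m:
                identity = m.group(1)
    return identity


def classify_identity(dn: Optional[str]) -> str:
    """Distinguish a bind from the host keytab (fqdn=...,cn=computers) from a user or anonymous bind."""
    if dn is None:
        return "unbound"
    if dn == "":
        return "anonymous"
    if dn.startswith("fqdn=") and ",cn=computers," in dn:
        return "host"
    return "user" if dn.startswith("uid=") and ",cn=users," in dn else "other"
```

On the server from the thread this resolves to the host principal entry under cn=computers, whereas flo's failing example would resolve to uid=idmuser and be classified as "user", which is the mismatch the recipe is meant to surface.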