Hi François,
Thx for getting back to me. So far no luck.
On Fri, 21 Aug 2020 at 9:05 pm, François Cami <fcami(a)redhat.com> wrote:
On Fri, Aug 21, 2020 at 1:08 AM Chris Welsh via FreeIPA-users
<freeipa-users(a)lists.fedorahosted.org> wrote:
>
> Hi Rob,
>
> Could this be because I removed the replica and there are records still dangling in the config? Is there a way to find out where they are and remove them?
At worst, use ldapsearch to identify remaining objects.
I have now moved to domain level “1” and re-joined the replica (2nd
master with CA), but got the original message back in the new master's
logs, which was the reason why I removed it (tried to simplify to get to
the root cause of intermittent loss of groups for users). And
unfortunately this did not solve the issue with users losing their
group creds (I do not enumerate groups). (6 users today). :-(
> At the moment we have no active replicas,
So you have a single instance? OK. Please don't run that for too long.
Thx
> as I wanted to simplify the config so as to find the root cause of intermittent loss of groups. Looks like this could be adding to my headaches.
>
> And finally, having domain level not set to one will prevent me from creating replicas in the first place?
Domain Level 0 (DL0) support has been removed. You will be able to
create replicas using old versions, but ideally, once the above
problem is sorted out, you might be better off updating to DL1.
Thx
> On Fri, 21 Aug 2020, 6:42 am Rob Crittenden, <rcritten(a)redhat.com> wrote:
>>
>> Chris Welsh via FreeIPA-users wrote:
>> > Hi Rob,
>> >
>> > I have run your tool and found it to report some issues. I wonder if you could help me figure out what they are. Our problem is that we often have staff who lose their groups and this has been happening for 3 years. sss_cache -u username sometimes fixes it. Any advice greatly welcome. Note that I have removed our send are master “vmpdr-linuxidm......”
>> >
>> > Really keen to solve this but no expert.
>> > Centos 7.8 server and clients
>> > ipa-server-4.6.6
>>
>> The "Unexpected SRV entry in DNS" warnings mean that some servers are
>> defined in the IPA domain with services that IPA provides but those
>> servers aren't IPA servers.
>>
>> Similarly, "Expected SRV record missing", a SRV record is missing for an
>> IPA service for one or more IPA servers.
>>
>> "expected ipa-ca IPAddr missing" means that the IPA server at
>> 10.126.18.129 is not in the ipa-ca CNAME (and also caught with the count
>> of ipa-ca records).
>>
>> The final errors are due to your installation still using domain level
>> 0. You can ignore these if you don't want to or can't update domain
>> levels.
https://www.freeipa.org/page/Domain_Levels
>>
>> rob
>>
>> >
>> >
>> > [
>> > {
>> > "source": "ipahealthcheck.ipa.idns",
>> > "kw": {
>> > "msg": "Unexpected SRV entry in DNS",
>> > "key": "_ntp._udp.unix.foo.org.au.:vmdr-linuxidm.unix.foo.org.au."
>> > },
>> > "uuid": "57735f69-6d98-4ae1-9f0a-dd848bbfa1f7",
>> > "duration": "0.024868",
>> > "when": "20200820104327Z",
>> > "check": "IPADNSSystemRecordsCheck",
>> > "result": "WARNING"
>> > },
>> > {
>> > "source": "ipahealthcheck.ipa.idns",
>> > "kw": {
>> > "msg": "Expected SRV record missing",
>> > "key": "_kerberos._tcp.dc._msdcs.unix.foo.org.au.:vmpr-linuxidm.unix.foo.org.au."
>> > },
>> > "uuid": "3b789068-16ff-4684-bb5e-3add8a62b2b8",
>> > "duration": "0.025853",
>> > "when": "20200820104327Z",
>> > "check": "IPADNSSystemRecordsCheck",
>> > "result": "WARNING"
>> > },
>> > {
>> > "source": "ipahealthcheck.ipa.idns",
>> > "kw": {
>> > "msg": "Unexpected SRV entry in DNS",
>> > "key": "_kerberos._tcp.unix.foo.org.au.:vmpr-linuxidm.unix.foo.org.au."
>> > },
>> > "uuid": "bab58235-1a9b-48bc-9b4c-b0e75b91d619",
>> > "duration": "0.027710",
>> > "when": "20200820104327Z",
>> > "check": "IPADNSSystemRecordsCheck",
>> > "result": "WARNING"
>> > },
>> > {
>> > "source": "ipahealthcheck.ipa.idns",
>> > "kw": {
>> > "msg": "Unexpected SRV entry in DNS",
>> > "key": "_kerberos._tcp.unix.foo.org.au.:vmdr-linuxidm.unix.foo.org.au."
>> > },
>> > "uuid": "44a47316-ba13-4226-9625-2f29f369cdd4",
>> > "duration": "0.027825",
>> > "when": "20200820104327Z",
>> > "check": "IPADNSSystemRecordsCheck",
>> > "result": "WARNING"
>> > },
>> > {
>> > "source": "ipahealthcheck.ipa.idns",
>> > "kw": {
>> > "msg": "Expected SRV record missing",
>> > "key": "_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.unix.foo.org.au.:vmpr-linuxidm.unix.foo.org.au."
>> > },
>> > "uuid": "313a97f5-9f05-4465-a50f-27996c22c306",
>> > "duration": "0.028995",
>> > "when": "20200820104327Z",
>> > "check": "IPADNSSystemRecordsCheck",
>> > "result": "WARNING"
>> > },
>> > {
>> > "source": "ipahealthcheck.ipa.idns",
>> > "kw": {
>> > "msg": "Unexpected SRV entry in DNS",
>> > "key": "_kerberos._udp.unix.foo.org.au.:vmdr-linuxidm.unix.foo.org.au."
>> > },
>> > "uuid": "d00274ff-12a9-465f-957e-392c4edd7e5a",
>> > "duration": "0.030514",
>> > "when": "20200820104327Z",
>> > "check": "IPADNSSystemRecordsCheck",
>> > "result": "WARNING"
>> > },
>> > {
>> > "source": "ipahealthcheck.ipa.idns",
>> > "kw": {
>> > "msg": "Unexpected SRV entry in DNS",
>> > "key": "_kerberos-master._udp.unix.foo.org.au.:vmdr-linuxidm.unix.foo.org.au."
>> > },
>> > "uuid": "0e50f8e7-6321-429a-b84e-3a88922ec07b",
>> > "duration": "0.031876",
>> > "when": "20200820104327Z",
>> > "check": "IPADNSSystemRecordsCheck",
>> > "result": "WARNING"
>> > },
>> > {
>> > "source": "ipahealthcheck.ipa.idns",
>> > "kw": {
>> > "msg": "Unexpected SRV entry in DNS",
>> > "key": "_kpasswd._udp.unix.foo.org.au.:vmdr-linuxidm.unix.foo.org.au."
>> > },
>> > "uuid": "011bf574-e7ea-4f5d-8bf6-f5ecdd722ecd",
>> > "duration": "0.033430",
>> > "when": "20200820104327Z",
>> > "check": "IPADNSSystemRecordsCheck",
>> > "result": "WARNING"
>> > },
>> > {
>> > "source": "ipahealthcheck.ipa.idns",
>> > "kw": {
>> > "msg": "Unexpected SRV entry in DNS",
>> > "key": "_kpasswd._tcp.unix.foo.org.au.:vmdr-linuxidm.unix.foo.org.au."
>> > },
>> > "uuid": "d00839d9-6e83-481d-9685-8eaca6caea14",
>> > "duration": "0.034777",
>> > "when": "20200820104327Z",
>> > "check": "IPADNSSystemRecordsCheck",
>> > "result": "WARNING"
>> > },
>> > {
>> > "source": "ipahealthcheck.ipa.idns",
>> > "kw": {
>> > "msg": "Expected SRV record missing",
>> > "key": "_kerberos._udp.Default-First-Site-Name._sites.dc._msdcs.unix.foo.org.au.:vmpr-linuxidm.unix.foo.org.au."
>> > },
>> > "uuid": "8bff3eb5-521d-4029-b368-c1b4cd39047c",
>> > "duration": "0.036379",
>> > "when": "20200820104327Z",
>> > "check": "IPADNSSystemRecordsCheck",
>> > "result": "WARNING"
>> > },
>> > {
>> > "source": "ipahealthcheck.ipa.idns",
>> > "kw": {
>> > "msg": "Unexpected SRV entry in DNS",
>> > "key": "_ldap._tcp.unix.foo.org.au.:vmdr-linuxidm.unix.foo.org.au."
>> > },
>> > "uuid": "2091880e-5777-4854-abb4-bc14c032b1af",
>> > "duration": "0.037861",
>> > "when": "20200820104327Z",
>> > "check": "IPADNSSystemRecordsCheck",
>> > "result": "WARNING"
>> > },
>> > {
>> > "source": "ipahealthcheck.ipa.idns",
>> > "kw": {
>> > "msg": "Expected SRV record missing",
>> > "key": "_ldap._tcp.dc._msdcs.unix.foo.org.au.:vmpr-linuxidm.unix.foo.org.au."
>> > },
>> > "uuid": "8f9862fa-45a0-4bdd-b561-93a6a15ac7f1",
>> > "duration": "0.038836",
>> > "when": "20200820104327Z",
>> > "check": "IPADNSSystemRecordsCheck",
>> > "result": "WARNING"
>> > },
>> > {
>> > "source": "ipahealthcheck.ipa.idns",
>> > "kw": {
>> > "msg": "Unexpected SRV entry in DNS",
>> > "key": "_kerberos-master._tcp.unix.foo.org.au.:vmdr-linuxidm.unix.foo.org.au."
>> > },
>> > "uuid": "cfd7b896-da90-4ac4-9b08-eccdbafeca30",
>> > "duration": "0.040348",
>> > "when": "20200820104327Z",
>> > "check": "IPADNSSystemRecordsCheck",
>> > "result": "WARNING"
>> > },
>> > {
>> > "source": "ipahealthcheck.ipa.idns",
>> > "kw": {
>> > "msg": "Expected SRV record missing",
>> > "key": "_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.unix.foo.org.au.:vmpr-linuxidm.unix.foo.org.au."
>> > },
>> > "uuid": "3c38ad1e-96a5-41fd-a161-56dde9601896",
>> > "duration": "0.041473",
>> > "when": "20200820104327Z",
>> > "check": "IPADNSSystemRecordsCheck",
>> > "result": "WARNING"
>> > },
>> > {
>> > "source": "ipahealthcheck.ipa.idns",
>> > "kw": {
>> > "msg": "Expected SRV record missing",
>> > "key": "_kerberos._udp.dc._msdcs.unix.foo.org.au.:vmpr-linuxidm.unix.foo.org.au."
>> > },
>> > "uuid": "fd6a163f-a338-4ff0-a2f2-9fb00064ab93",
>> > "duration": "0.042447",
>> > "when": "20200820104327Z",
>> > "check": "IPADNSSystemRecordsCheck",
>> > "result": "WARNING"
>> > },
>> > {
>> > "source": "ipahealthcheck.ipa.idns",
>> > "kw": {
>> > "msg": "expected ipa-ca IPAddr missing",
>> > "key": "10.126.18.129"
>> > },
>> > "uuid": "59581cec-e08f-4e67-aed1-697698d66e92",
>> > "duration": "0.044304",
>> > "when": "20200820104327Z",
>> > "check": "IPADNSSystemRecordsCheck",
>> > "result": "WARNING"
>> > },
>> > {
>> > "source": "ipahealthcheck.ipa.idns",
>> > "kw": {
>> > "expected": 1,
>> > "count": 2,
>> > "msg": "Got {count} ipa-ca A records, expected {expected}"
>> > },
>> > "uuid": "6852b70e-b366-44a3-bc1f-6bde42f79209",
>> > "duration": "0.044392",
>> > "when": "20200820104327Z",
>> > "check": "IPADNSSystemRecordsCheck",
>> > "result": "WARNING"
>> > },
>> > {
>> > "source": "ipahealthcheck.ipa.topology",
>> > "kw": {
>> > "msg": "topologysuffix-verify domain failed, Topology management requires minimum domain level 1 "
>> > },
>> > "uuid": "e5386d69-3028-4c71-8a93-87de8e954682",
>> > "duration": "0.002170",
>> > "when": "20200820104332Z",
>> > "check": "IPATopologyDomainCheck",
>> > "result": "ERROR"
>> > },
>> > {
>> > "source": "ipahealthcheck.ipa.topology",
>> > "kw": {
>> > "msg": "topologysuffix-verify domain failed, Topology management requires minimum domain level 1 "
>> > },
>> > "uuid": "c50ccc80-d031-4a52-a097-43b6b09c46c6",
>> > "duration": "0.005159",
>> > "when": "20200820104332Z",
>> > "check": "IPATopologyDomainCheck",
>> > "result": "ERROR"
>> > }
>> > ]
>> > _______________________________________________
>> > FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
>> > To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
>> > Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>> > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>> > List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
>> >
>>
--
regards, Christopher Welsh
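
Added example, not part of the original thread and not ipa-healthcheck's own code: a short Python triage of a report like the one quoted above, grouping the DNS warnings by target host so that stale records for a removed replica stand out from records missing for a current server. The sample entries are a constructed subset of the quoted report, and the function names are illustrative.

```python
import json
from collections import defaultdict

def split_key(key):
    # 'record.:target.' -> (record, target); any other key -> (key, None)
    record, sep, target = key.partition(".:")
    return (record, target.rstrip(".")) if sep else (key, None)

def render(kw):
    # Fill {count}/{expected}-style placeholders in msg from the kw dict.
    msg = kw.get("msg", "")
    try:
        return msg.format(**kw).strip()
    except (KeyError, IndexError, ValueError):
        return msg.strip()

def triage(report_json):
    # Returns (host -> msg -> sorted records, [(result, check, message, key)]).
    by_host, other = defaultdict(lambda: defaultdict(list)), []
    for item in json.loads(report_json):
        if item.get("result") == "SUCCESS":
            continue
        kw = item.get("kw", {})
        record, target = split_key(str(kw.get("key", "")))
        if target is None:
            other.append((item.get("result"), item.get("check"), render(kw), kw.get("key")))
        else:
            by_host[target][kw.get("msg")].append(record)
    return {h: {m: sorted(r) for m, r in d.items()} for h, d in by_host.items()}, other

def _e(result, check, **kw):  # builds one entry of the constructed sample
    return {"result": result, "check": check, "kw": kw}

DNS, TOPO = "IPADNSSystemRecordsCheck", "IPATopologyDomainCheck"
# Constructed sample: a subset of the quoted report, reduced to the fields used.
SAMPLE = json.dumps([
    _e("WARNING", DNS, msg="Unexpected SRV entry in DNS",
       key="_ntp._udp.unix.foo.org.au.:vmdr-linuxidm.unix.foo.org.au."),
    _e("WARNING", DNS, msg="Unexpected SRV entry in DNS",
       key="_ldap._tcp.unix.foo.org.au.:vmdr-linuxidm.unix.foo.org.au."),
    _e("WARNING", DNS, msg="Expected SRV record missing",
       key="_ldap._tcp.dc._msdcs.unix.foo.org.au.:vmpr-linuxidm.unix.foo.org.au."),
    _e("WARNING", DNS, msg="Got {count} ipa-ca A records, expected {expected}",
       count=2, expected=1),
    _e("ERROR", TOPO, msg="topologysuffix-verify domain failed, Topology "
                          "management requires minimum domain level 1 "),
])

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Records grouped under a host that is no longer an IPA server are the candidates for cleanup from the IPA DNS zone; the second list carries the findings that are not tied to a single SRV target.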