Hi,
On Mon, Jan 16, 2023 at 7:42 PM Jeremy Tourville via FreeIPA-users <freeipa-users(a)lists.fedorahosted.org> wrote:

> I have recently added a replica to my existing setup. Everything seems to
> work except for 2 issues that I have noted:
>
> #1 IPA health check generates a warning from the replica only (master is ok)
> similar to this:
> {
>   "source": "ipahealthcheck.ipa.trust",
>   "check": "IPATrustCatalogCheck",
>   "result": "WARNING",
>   "uuid": "my_uuid",
>   "when": "20191121135331Z",
>   "duration": "2.128808",
>   "kw": {
>     "key": "my_key",
>     "error": "returned nothing",
>     "msg": "Look up of {key} {error}"
>   }
> },

ipa-healthcheck is extracting the domain SID for the AD domain, then tries to
resolve <domainSID>-500 to a name as this should be the SID of the AD
administrator.
If this fails, enable SSSD debugging on the replica as explained in
https://docs.pagure.org/sssd.sssd/users/troubleshooting.html and check SSSD
logs.

> #2 id some_user
> returns:
> id: 'some_user': no such user

Is it failing for IPA users or AD users?
flo

> I have also noted that:
> ipa trust-fetch-domains "gsil.smil"
> returns an error - Fetching domains from trusted forest failed
> ipa trustdomain-find is able to find the domain
> ipa idrange-find returns the same set of results for both the master and
> the replica
> ipa-replica-manage dnarange-show
> shows that the DNA ranges are not overlapping (my understanding is this is
> a good thing)
>
> My environment:
> Rocky 8.7
> FreeIPA 4.9.10
> Master: gsil-ipa01
> Replica: gsil-ipa02
> Both master and replica are configured with server roles: AD trust agent,
> AD trust controller, CA server, DNS server, KRA server.
>
> Are issues #1 and #2 related? i.e., fix one and the other will work as
> expected?
> I am still reviewing possible solutions for why LDAP lookup using the id
> command is not working. But maybe it will never work unless I fix the
> healthcheck issue...
>
> Your input is greatly appreciated!
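
Added example, not part of the thread and not ipa-healthcheck's own code: a short Python helper that takes the saved JSON results from the master and the replica, renders each record's "msg" template from its "kw" fields, and lists the checks that fail on the replica only. The sample records are constructed; "example.source"/"ExampleCheck" is a made-up check, and matching records on (source, check, key) is an assumption of this example.

```python
import json

# Constructed sample ipa-healthcheck JSON results, one list per host.
# "example.source"/"ExampleCheck" is a made-up check failing on both hosts.
MASTER = json.dumps([
    {"source": "ipahealthcheck.ipa.trust", "check": "IPATrustCatalogCheck",
     "result": "SUCCESS", "kw": {"key": "my_key"}},
    {"source": "example.source", "check": "ExampleCheck", "result": "ERROR",
     "kw": {"key": "k1", "msg": "{key} is broken everywhere"}},
])
REPLICA = json.dumps([
    {"source": "ipahealthcheck.ipa.trust", "check": "IPATrustCatalogCheck",
     "result": "WARNING", "kw": {"key": "my_key", "error": "returned nothing",
                                 "msg": "Look up of {key} {error}"}},
    {"source": "example.source", "check": "ExampleCheck", "result": "ERROR",
     "kw": {"key": "k1", "msg": "{key} is broken everywhere"}},
])


def render(rec):
    """Fill the record's msg template from its own kw fields."""
    kw = rec.get("kw", {})
    msg = kw.get("msg", "")
    try:
        return msg.format(**kw)
    except (KeyError, IndexError, ValueError):
        return msg  # template names a field the record lacks: show it raw


def index(results):
    """Map (source, check, key) -> record so the two hosts can be compared."""
    return {(r["source"], r["check"], r.get("kw", {}).get("key")): r
            for r in results}


def replica_only_problems(master_json, replica_json):
    """Return (check, result, message) for failures seen only on the replica."""
    master = index(json.loads(master_json))
    problems = []
    for ident, rec in index(json.loads(replica_json)).items():
        if rec["result"] == "SUCCESS":
            continue
        peer = master.get(ident)
        if peer is None or peer["result"] == "SUCCESS":
            problems.append((ident[1], rec["result"], render(rec)))
    return problems


if __name__ == "__main__":
    for check, result, message in replica_only_problems(MASTER, REPLICA):
        print(f"{result}: {check}: {message}")
```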