Hello,  ipa-healthcheck is a great tool! Really appreciate Rob to make it working for Centos.  When I ran it on all of our IPA servers, one server reported:  [root@ipa2 ~]# ipa-healthcheck--failures-only --output-type human CRITICAL: ipahealthcheck.ipa.dna.IPADNARangeCheck: no matching entry found [root@ipa2 ~]#  I created a user and a group on this server then deleted them, rerun ipa-healthcheck, I still get the same error. Here is the jason format of it:    {     "source": "ipahealthcheck.ipa.dna",      "kw": {       "exception": "no matching entry found"     },      "uuid": "aaf4da70-64ca-435f-8011-b40da74b874e",      "duration": "0.136489",      "when": "20210819224225Z",      "check": "IPADNARangeCheck",      "result": "CRITICAL"   } We have 7 ipa servers, this is the only server with this error.  The success one looks like below:    {     "source": "ipahealthcheck.ipa.dna",     "kw": {       "range_start": 1889601184,       "next_start": 0,       "next_max": 0,       "range_max": 1889625999     },     "uuid": "1ce671b9-76cf-46ce-b7d2-d5eec4079d63",     "duration": "0.309565",     "when": "20210630231006Z",     "check": "IPADNARangeCheck",     "result": "SUCCESS"   } Any suggestions/ideas to fix it?

Hi Rob, Thanks for replying! It is not missing and I can create new user or group on it: [root@ipa2 ~]# ldapsearch -D "cn=directory manager" -W -b "cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config" Enter LDAP Password: # extended LDIF # # LDAPv3 # base <cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config> with scope subtree # filter: (objectclass=*) # requesting: ALL # # Posix IDs, Distributed Numeric Assignment Plugin, plugins, config dn: cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config cn: Posix IDs dnaExcludeScope: cn=provisioning,dc=example,dc=com dnaFilter: (|(objectClass=posixAccount)(objectClass=posixGroup)(objectClass=ip aIDobject)) dnaMagicRegen: -1 dnaMaxValue: 1889657499 dnaNextValue: 1889650758 dnaScope: dc=example,dc=com dnaSharedCfgDN: cn=posix-ids,cn=dna,cn=ipa,cn=etc,dc=example,dc=com dnaThreshold: 500 dnaType: uidNumber dnaType: gidNumber objectClass: top objectClass: extensibleObject # search result search: 2 result: 0 Success # numResponses: 2 # numEntries: 1 [root@ipa2 ~]# On Thu, Aug 19, 2021 at 5:14 PM Rob Crittenden <rcritten(a)redhat.com&gt; wrote: > Kathy Zhu via FreeIPA-users wrote: > > Hello, > > > > ipa-healthcheck is a great tool! Really appreciate Rob to make it > > working for Centos. > > > > When I ran it on all of our IPA servers, one server reported: > > > > [root@ipa2 ~]# ipa-healthcheck--failures-only --output-type human > > > > CRITICAL: ipahealthcheck.ipa.dna.IPADNARangeCheck: no matching entry > found > > > > [root@ipa2 ~]# > > > > > > I created a user and a group on this server then deleted them, > > rerun ipa-healthcheck, I still get the same error. Here is the jason > > format of it: > > > > { > > > > "source": "ipahealthcheck.ipa.dna", > > > > "kw": { > > > > "exception": "no matching entry found" > > > > }, > > > > "uuid": "aaf4da70-64ca-435f-8011-b40da74b874e", > > > > "duration": "0.136489", > > > > "when": "20210819224225Z", > > > > "check": "IPADNARangeCheck", > > > > "result": "CRITICAL" > > > > } > > > > > > We have 7 ipa servers, this is the only server with this error. > > > > The success one looks like below: > > > > { > > "source": "ipahealthcheck.ipa.dna", > > "kw": { > > "range_start": 1889601184, > > "next_start": 0, > > "next_max": 0, > > "range_max": 1889625999 > > }, > > "uuid": "1ce671b9-76cf-46ce-b7d2-d5eec4079d63", > > "duration": "0.309565", > > "when": "20210630231006Z", > > "check": "IPADNARangeCheck", > > "result": "SUCCESS" > > } > > > > > > Any suggestions/ideas to fix it? > > It looks in here for the configuration. It could thrown a not found if > it is missing (though why/how it could be I don't know): > > cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config > > rob > >

Hi, What is the output of klist -A klist -k /etc/krb5.keytab on the machine where ipa-healthcheck command fails? ipa-healthcheck is using a kerberos ticket to authenticate to the LDAP server (obtained from /etc/krb5.keytab), and has different access rights depending on the identity mapped to this ticket. I suspect that the LDAP operations don't return any entry because they are mapped to a wrong identity. You can also have a look at the directory server access logs to check which identity is used: 1. open /var/log/dirsrv/slapd-DOMAIN-COM/access 2. look for a line containing the following: SRCH base="cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config" 3. In this line, note the conn=<value>. In my machine I see for instance: [20/Aug/2021:08:14:03.982502295 +0200] *conn=17816* op=3 SRCH base="cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config" scope=0 filter="(objectClass=*)" attrs=ALL 4. Go up in the logs and find the BIND operation that took place on this connection: the line must contain the same *conn=<value>* and *BIND dn=*: [20/Aug/2021:08:14:03.978879492 +0200] *conn=17816* *op=2* *BIND dn=*"" method=sasl version=3 mech=GSSAPI 5. Find the correspond result: the line must contain the same *conn=<value> op=<value>* and will give you the dn used for the LDAP operation: [20/Aug/2021:08:14:03.981131807 +0200] *conn=17816 op=2* RESULT err=0 tag=97 nentries=0 wtime=0.000152828 optime=0.002257466 etime=0.002407324 *dn="uid=idmuser,cn=users,cn=accounts,dc=domain,dc=com"* In my example ipa-healthcheck fails to find the cn=Posix IDs entry because it is using a LDAP connection bound as uid=idmuser, who doesn't have the required read permissions. HTH, flo On Fri, Aug 20, 2021 at 3:19 AM Kathy Zhu via FreeIPA-users < freeipa-users(a)lists.fedorahosted.org&gt; wrote: > I ran the same ldapsearch on a good server and compared the outputs. Here > are the differences: > > dnaMaxValue: 1889657499 | > dnaMaxValue: 1889607999 > > dnaNextValue: 1889650758 | > dnaNextValue: 1889601276 > > > Thanks. > > > Kathy. > > On Thu, Aug 19, 2021 at 6:02 PM Kathy Zhu <kzhu(a)nuro.ai&gt; wrote: > >> Hi Rob, >> >> Thanks for replying! >> >> It is not missing and I can create new user or group on it: >> >> [root@ipa2 ~]# ldapsearch -D "cn=directory manager" -W -b "cn=Posix >> IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config" >> >> Enter LDAP Password: >> >> # extended LDIF >> >> # >> >> # LDAPv3 >> >> # base <cn=Posix IDs,cn=Distributed Numeric Assignment >> Plugin,cn=plugins,cn=config> with scope subtree >> >> # filter: (objectclass=*) >> >> # requesting: ALL >> >> # >> >> >> # Posix IDs, Distributed Numeric Assignment Plugin, plugins, config >> >> dn: cn=Posix IDs,cn=Distributed Numeric Assignment >> Plugin,cn=plugins,cn=config >> >> cn: Posix IDs >> >> dnaExcludeScope: cn=provisioning,dc=example,dc=com >> >> dnaFilter: >> (|(objectClass=posixAccount)(objectClass=posixGroup)(objectClass=ip >> >> aIDobject)) >> >> dnaMagicRegen: -1 >> >> dnaMaxValue: 1889657499 >> >> dnaNextValue: 1889650758 >> >> dnaScope: dc=example,dc=com >> >> dnaSharedCfgDN: cn=posix-ids,cn=dna,cn=ipa,cn=etc,dc=example,dc=com >> >> dnaThreshold: 500 >> >> dnaType: uidNumber >> >> dnaType: gidNumber >> >> objectClass: top >> >> objectClass: extensibleObject >> >> >> # search result >> >> search: 2 >> >> result: 0 Success >> >> >> # numResponses: 2 >> >> # numEntries: 1 >> >> [root@ipa2 ~]# >> >> >> >> >> On Thu, Aug 19, 2021 at 5:14 PM Rob Crittenden <rcritten(a)redhat.com&gt; >> wrote: >> >>> Kathy Zhu via FreeIPA-users wrote: >>> > Hello, >>> > >>> > ipa-healthcheck is a great tool! Really appreciate Rob to make it >>> > working for Centos. >>> > >>> > When I ran it on all of our IPA servers, one server reported: >>> > >>> > [root@ipa2 ~]# ipa-healthcheck--failures-only --output-type human >>> > >>> > CRITICAL: ipahealthcheck.ipa.dna.IPADNARangeCheck: no matching entry >>> found >>> > >>> > [root@ipa2 ~]# >>> > >>> > >>> > I created a user and a group on this server then deleted them, >>> > rerun ipa-healthcheck, I still get the same error. Here is the jason >>> > format of it: >>> > >>> > { >>> > >>> > "source": "ipahealthcheck.ipa.dna", >>> > >>> > "kw": { >>> > >>> > "exception": "no matching entry found" >>> > >>> > }, >>> > >>> > "uuid": "aaf4da70-64ca-435f-8011-b40da74b874e", >>> > >>> > "duration": "0.136489", >>> > >>> > "when": "20210819224225Z", >>> > >>> > "check": "IPADNARangeCheck", >>> > >>> > "result": "CRITICAL" >>> > >>> > } >>> > >>> > >>> > We have 7 ipa servers, this is the only server with this error. >>> > >>> > The success one looks like below: >>> > >>> > { >>> > "source": "ipahealthcheck.ipa.dna", >>> > "kw": { >>> > "range_start": 1889601184, >>> > "next_start": 0, >>> > "next_max": 0, >>> > "range_max": 1889625999 >>> > }, >>> > "uuid": "1ce671b9-76cf-46ce-b7d2-d5eec4079d63", >>> > "duration": "0.309565", >>> > "when": "20210630231006Z", >>> > "check": "IPADNARangeCheck", >>> > "result": "SUCCESS" >>> > } >>> > >>> > >>> > Any suggestions/ideas to fix it? >>> >>> It looks in here for the configuration. It could thrown a not found if >>> it is missing (though why/how it could be I don't know): >>> >>> cn=Posix IDs,cn=Distributed Numeric Assignment >>> Plugin,cn=plugins,cn=config >>> >>> rob >>> >>> _______________________________________________ > FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org > To unsubscribe send an email to > freeipa-users-leave(a)lists.fedorahosted.org > Fedora Code of Conduct: > https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives: > https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho... > Do not reply to spam on the list, report it: > https://pagure.io/fedora-infrastructure >

Kathy Zhu wrote: > Hi Florence, > > Thank you for your help here! > > Please see attached details. As you expected, dn="fqdn=ipa2.example.com > <http://ipa2.example.com>,cn=computers,cn=accounts,dc=example,dc=com";. > How to correct this? Thanks. See if this host is in the ipaservers host group. If not add it. rob > > Kathy. > > [root@ipa2 ~]# klist -A > > Ticket cache: KEYRING:persistent:0:0 > > Default principal: admin(a)EXAMPLE.COM <mailto:admin@EXAMPLE.COM> > > > Valid starting Expires Service principal > > 08/19/2021 16:23:24 08/20/2021 16:22:52 > HTTP/ipa2.example.com(a)EXAMPLE.COM <mailto:ipa2.example.com@EXAMPLE.COM> > > 08/19/2021 16:23:17 08/20/2021 16:22:52 krbtgt/EXAMPLE.COM(a)EXAMPLE.COM > <mailto:EXAMPLE.COM@EXAMPLE.COM> > > [root@ipa2 ~]# > > [root@ipa2 ~]# klist -k /etc/krb5.keytab > > Keytab name: FILE:/etc/krb5.keytab > > KVNO Principal > > ---- > -------------------------------------------------------------------------- > > 1 host/ipa2.example.com(a)EXAMPLE.COM <mailto: ipa2.example.com(a)EXAMPLE.COM&gt; > > 1 host/ipa2.example.com(a)EXAMPLE.COM <mailto: ipa2.example.com(a)EXAMPLE.COM&gt; > > [root@ipa2 ~]# > > [root@ipa2 tmp]# grep "cn=Posix IDs,cn=Distributed Numeric Assignment > Plugin,cn=plugins,cn=config" access > > [20/Aug/2021:10:29:27.781656511 -0700] conn=129591 op=3 SRCH > base="cn=Posix IDs,cn=Distributed Numeric Assignment > Plugin,cn=plugins,cn=config" scope=0 filter="(objectClass=*)" attrs=ALL > > [root@ipa2 tmp]# > > [root@ipa2 tmp]# grep "conn=129591" access | grep "BIND dn=" > > [20/Aug/2021:10:29:27.774670410 -0700] conn=129591 op=0 BIND dn="" > method=sasl version=3 mech=GSSAPI > > [20/Aug/2021:10:29:27.778256471 -0700] conn=129591 op=1 BIND dn="" > method=sasl version=3 mech=GSSAPI > > [20/Aug/2021:10:29:27.780236168 -0700] conn=129591 op=2 BIND dn="" > method=sasl version=3 mech=GSSAPI > > [root@ipa2 tmp]# > > [root@ipa2 tmp]# grep "conn=129591 op=2" access | grep RESULT > > [20/Aug/2021:10:29:27.780808034 -0700] conn=129591 op=2 RESULT err=0 > tag=97 nentries=0 etime=0.000631206 dn="fqdn=ipa2.example.com > <http://ipa2.example.com>,cn=computers,cn=accounts,dc=example,dc=com" > > [root@ipa2 tmp]# > > [root@ipa2 ~]# > > > > On Thu, Aug 19, 2021 at 11:25 PM Florence Renaud <flo(a)redhat.com > <mailto:flo@redhat.com>> wrote: > > Hi, > > What is the output of > klist -A > klist -k /etc/krb5.keytab > on the machine where ipa-healthcheck command fails? > ipa-healthcheck is using a kerberos ticket to authenticate to the > LDAP server (obtained from /etc/krb5.keytab), and has different > access rights depending on the identity mapped to this ticket. I > suspect that the LDAP operations don't return any entry because they > are mapped to a wrong identity. > > You can also have a look at the directory server access logs to > check which identity is used: > 1. open /var/log/dirsrv/slapd-DOMAIN-COM/access > 2. look for a line containing the following: > SRCH base="cn=Posix IDs,cn=Distributed Numeric Assignment > Plugin,cn=plugins,cn=config" > 3. In this line, note the conn=<value>. In my machine I see for > instance: > [20/Aug/2021:08:14:03.982502295 +0200] *conn=17816* op=3 SRCH > base="cn=Posix IDs,cn=Distributed Numeric Assignment > Plugin,cn=plugins,cn=config" scope=0 filter="(objectClass=*)" attrs=ALL > 4. Go up in the logs and find the BIND operation that took place on > this connection: the line must contain the same *conn=<value>* and > *BIND dn=*: > [20/Aug/2021:08:14:03.978879492 +0200] *conn=17816* *op=2* *BIND > dn=*"" method=sasl version=3 mech=GSSAPI > 5. Find the correspond result: the line must contain the same > *conn=<value> op=<value>* and will give you the dn used for the LDAP > operation: > [20/Aug/2021:08:14:03.981131807 +0200] *conn=17816 op=2* RESULT > err=0 tag=97 nentries=0 wtime=0.000152828 optime=0.002257466 > etime=0.002407324 > *dn="uid=idmuser,cn=users,cn=accounts,dc=domain,dc=com"* > > In my example ipa-healthcheck fails to find the cn=Posix IDs entry > because it is using a LDAP connection bound as uid=idmuser, who > doesn't have the required read permissions. > > HTH, > flo > > On Fri, Aug 20, 2021 at 3:19 AM Kathy Zhu via FreeIPA-users > <freeipa-users(a)lists.fedorahosted.org > <mailto:freeipa-users@lists.fedorahosted.org>> wrote: > > I ran the same ldapsearch on a good server and compared the > outputs. Here are the differences: > > dnaMaxValue: 1889657499 | > dnaMaxValue: 1889607999 > > dnaNextValue: 1889650758 | > dnaNextValue: 1889601276 > > > Thanks. > > > Kathy. > > > On Thu, Aug 19, 2021 at 6:02 PM Kathy Zhu <kzhu(a)nuro.ai > <mailto:kzhu@nuro.ai>> wrote: > > Hi Rob, > > Thanks for replying! > > It is not missing and I can create new user or group on it: > > [root@ipa2 ~]# ldapsearch -D "cn=directory manager" -W -b > "cn=Posix IDs,cn=Distributed Numeric Assignment > Plugin,cn=plugins,cn=config" > > Enter LDAP Password: > > # extended LDIF > > # > > # LDAPv3 > > # base <cn=Posix IDs,cn=Distributed Numeric Assignment > Plugin,cn=plugins,cn=config> with scope subtree > > # filter: (objectclass=*) > > # requesting: ALL > > # > > > # Posix IDs, Distributed Numeric Assignment Plugin, plugins, > config > > dn: cn=Posix IDs,cn=Distributed Numeric Assignment > Plugin,cn=plugins,cn=config > > cn: Posix IDs > > dnaExcludeScope: cn=provisioning,dc=example,dc=com > > dnaFilter: > (|(objectClass=posixAccount)(objectClass=posixGroup)(objectClass=ip > > aIDobject)) > > dnaMagicRegen: -1 > > dnaMaxValue: 1889657499 > > dnaNextValue: 1889650758 > > dnaScope: dc=example,dc=com > > dnaSharedCfgDN: > cn=posix-ids,cn=dna,cn=ipa,cn=etc,dc=example,dc=com > > dnaThreshold: 500 > > dnaType: uidNumber > > dnaType: gidNumber > > objectClass: top > > objectClass: extensibleObject > > > # search result > > search: 2 > > result: 0 Success > > > # numResponses: 2 > > # numEntries: 1 > > [root@ipa2 ~]# > > > > > On Thu, Aug 19, 2021 at 5:14 PM Rob Crittenden > <rcritten(a)redhat.com <mailto:rcritten@redhat.com>> wrote: > > Kathy Zhu via FreeIPA-users wrote: > > Hello, > > > > ipa-healthcheck is a great tool! Really appreciate Rob > to make it > > working for Centos. > > > > When I ran it on all of our IPA servers, one server > reported: > > > > [root@ipa2 ~]# ipa-healthcheck--failures-only > --output-type human > > > > CRITICAL: ipahealthcheck.ipa.dna.IPADNARangeCheck: no > matching entry found > > > > [root@ipa2 ~]# > > > > > > I created a user and a group on this server then > deleted them, > > rerun ipa-healthcheck, I still get the same error. > Here is the jason > > format of it: > > > > { > > > > "source": "ipahealthcheck.ipa.dna", > > > > "kw": { > > > > "exception": "no matching entry found" > > > > }, > > > > "uuid": "aaf4da70-64ca-435f-8011-b40da74b874e", > > > > "duration": "0.136489", > > > > "when": "20210819224225Z", > > > > "check": "IPADNARangeCheck", > > > > "result": "CRITICAL" > > > > } > > > > > > We have 7 ipa servers, this is the only server with > this error. > > > > The success one looks like below: > > > > { > > "source": "ipahealthcheck.ipa.dna", > > "kw": { > > "range_start": 1889601184, > > "next_start": 0, > > "next_max": 0, > > "range_max": 1889625999 > > }, > > "uuid": "1ce671b9-76cf-46ce-b7d2-d5eec4079d63", > > "duration": "0.309565", > > "when": "20210630231006Z", > > "check": "IPADNARangeCheck", > > "result": "SUCCESS" > > } > > > > > > Any suggestions/ideas to fix it? > > It looks in here for the configuration. It could thrown > a not found if > it is missing (though why/how it could be I don't know): > > cn=Posix IDs,cn=Distributed Numeric Assignment > Plugin,cn=plugins,cn=config > > rob > > _______________________________________________ > FreeIPA-users mailing list -- > freeipa-users(a)lists.fedorahosted.org > <mailto:freeipa-users@lists.fedorahosted.org> > To unsubscribe send an email to > freeipa-users-leave(a)lists.fedorahosted.org > <mailto:freeipa-users-leave@lists.fedorahosted.org> > Fedora Code of Conduct: > https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > List Guidelines: > https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives: > https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho... > Do not reply to spam on the list, report it: > https://pagure.io/fedora-infrastructure >