Yes, that is the fix!
After I added it to the ipaservers hostgroup and ran ipa-healthcheck, this
error is gone!
Thank you, Rob and Florence!
Kathy.
On Fri, Aug 20, 2021 at 11:12 AM Rob Crittenden <rcritten(a)redhat.com> wrote:
Kathy Zhu wrote:
> Hi Florence,
>
> Thank you for your help here!
>
> Please see attached details. As you expected,
> dn="fqdn=ipa2.example.com,cn=computers,cn=accounts,dc=example,dc=com".
> How to correct this? Thanks.
See if this host is in the ipaservers host group. If not add it.
rob
>
> Kathy.
>
> [root@ipa2 ~]# klist -A
> Ticket cache: KEYRING:persistent:0:0
> Default principal: admin@EXAMPLE.COM
>
> Valid starting       Expires              Service principal
> 08/19/2021 16:23:24  08/20/2021 16:22:52  HTTP/ipa2.example.com@EXAMPLE.COM
> 08/19/2021 16:23:17  08/20/2021 16:22:52  krbtgt/EXAMPLE.COM@EXAMPLE.COM
> [root@ipa2 ~]#
>
> [root@ipa2 ~]# klist -k /etc/krb5.keytab
> Keytab name: FILE:/etc/krb5.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
>    1 host/ipa2.example.com@EXAMPLE.COM
>    1 host/ipa2.example.com@EXAMPLE.COM
> [root@ipa2 ~]#
>
> [root@ipa2 tmp]# grep "cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config" access
> [20/Aug/2021:10:29:27.781656511 -0700] conn=129591 op=3 SRCH base="cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config" scope=0 filter="(objectClass=*)" attrs=ALL
> [root@ipa2 tmp]#
>
> [root@ipa2 tmp]# grep "conn=129591" access | grep "BIND dn="
> [20/Aug/2021:10:29:27.774670410 -0700] conn=129591 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
> [20/Aug/2021:10:29:27.778256471 -0700] conn=129591 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
> [20/Aug/2021:10:29:27.780236168 -0700] conn=129591 op=2 BIND dn="" method=sasl version=3 mech=GSSAPI
> [root@ipa2 tmp]#
>
> [root@ipa2 tmp]# grep "conn=129591 op=2" access | grep RESULT
> [20/Aug/2021:10:29:27.780808034 -0700] conn=129591 op=2 RESULT err=0 tag=97 nentries=0 etime=0.000631206 dn="fqdn=ipa2.example.com,cn=computers,cn=accounts,dc=example,dc=com"
> [root@ipa2 tmp]#
>
> On Thu, Aug 19, 2021 at 11:25 PM Florence Renaud <flo(a)redhat.com> wrote:
>
> Hi,
>
> What is the output of
> klist -A
> klist -k /etc/krb5.keytab
> on the machine where ipa-healthcheck command fails?
> ipa-healthcheck is using a kerberos ticket to authenticate to the
> LDAP server (obtained from /etc/krb5.keytab), and has different
> access rights depending on the identity mapped to this ticket. I
> suspect that the LDAP operations don't return any entry because they
> are mapped to a wrong identity.
>
> You can also have a look at the directory server access logs to
> check which identity is used:
> 1. open /var/log/dirsrv/slapd-DOMAIN-COM/access
> 2. look for a line containing the following:
> SRCH base="cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config"
> 3. In this line, note the conn=<value>. In my machine I see for instance:
> [20/Aug/2021:08:14:03.982502295 +0200] *conn=17816* op=3 SRCH base="cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config" scope=0 filter="(objectClass=*)" attrs=ALL
> 4. Go up in the logs and find the BIND operation that took place on
> this connection: the line must contain the same *conn=<value>* and
> *BIND dn=*:
> [20/Aug/2021:08:14:03.978879492 +0200] *conn=17816* *op=2* *BIND dn=*"" method=sasl version=3 mech=GSSAPI
> 5. Find the corresponding result: the line must contain the same
> *conn=<value> op=<value>* and will give you the dn used for the LDAP
> operation:
> [20/Aug/2021:08:14:03.981131807 +0200] *conn=17816 op=2* RESULT err=0 tag=97 nentries=0 wtime=0.000152828 optime=0.002257466 etime=0.002407324 *dn="uid=idmuser,cn=users,cn=accounts,dc=domain,dc=com"*
>
> In my example ipa-healthcheck fails to find the cn=Posix IDs entry
> because it is using a LDAP connection bound as uid=idmuser, who
> doesn't have the required read permissions.
>
> HTH,
> flo
>
> On Fri, Aug 20, 2021 at 3:19 AM Kathy Zhu via FreeIPA-users
> <freeipa-users(a)lists.fedorahosted.org> wrote:
>
> I ran the same ldapsearch on a good server and compared the
> outputs. Here are the differences:
>
> dnaMaxValue: 1889657499   |   dnaMaxValue: 1889607999
> dnaNextValue: 1889650758  |   dnaNextValue: 1889601276
>
>
> Thanks.
>
>
> Kathy.
>
>
> On Thu, Aug 19, 2021 at 6:02 PM Kathy Zhu <kzhu(a)nuro.ai> wrote:
>
> Hi Rob,
>
> Thanks for replying!
>
> It is not missing and I can create new user or group on it:
>
> [root@ipa2 ~]# ldapsearch -D "cn=directory manager" -W -b "cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config"
> Enter LDAP Password:
> # extended LDIF
> #
> # LDAPv3
> # base <cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config> with scope subtree
> # filter: (objectclass=*)
> # requesting: ALL
> #
>
> # Posix IDs, Distributed Numeric Assignment Plugin, plugins, config
> dn: cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
> cn: Posix IDs
> dnaExcludeScope: cn=provisioning,dc=example,dc=com
> dnaFilter: (|(objectClass=posixAccount)(objectClass=posixGroup)(objectClass=ipaIDobject))
> dnaMagicRegen: -1
> dnaMaxValue: 1889657499
> dnaNextValue: 1889650758
> dnaScope: dc=example,dc=com
> dnaSharedCfgDN: cn=posix-ids,cn=dna,cn=ipa,cn=etc,dc=example,dc=com
> dnaThreshold: 500
> dnaType: uidNumber
> dnaType: gidNumber
> objectClass: top
> objectClass: extensibleObject
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 2
> # numEntries: 1
> [root@ipa2 ~]#
>
>
>
>
> On Thu, Aug 19, 2021 at 5:14 PM Rob Crittenden <rcritten(a)redhat.com> wrote:
>
> Kathy Zhu via FreeIPA-users wrote:
> > Hello,
> >
> > ipa-healthcheck is a great tool! Really appreciate Rob making it
> > work for CentOS.
> >
> > When I ran it on all of our IPA servers, one server reported:
> >
> > [root@ipa2 ~]# ipa-healthcheck --failures-only --output-type human
> > CRITICAL: ipahealthcheck.ipa.dna.IPADNARangeCheck: no matching entry found
> > [root@ipa2 ~]#
> >
> >
> > I created a user and a group on this server then deleted them,
> > reran ipa-healthcheck, I still get the same error. Here is the JSON
> > format of it:
> >
> > {
> >     "source": "ipahealthcheck.ipa.dna",
> >     "kw": {
> >         "exception": "no matching entry found"
> >     },
> >     "uuid": "aaf4da70-64ca-435f-8011-b40da74b874e",
> >     "duration": "0.136489",
> >     "when": "20210819224225Z",
> >     "check": "IPADNARangeCheck",
> >     "result": "CRITICAL"
> > }
> >
> > We have 7 ipa servers, this is the only server with this error.
> >
> > The success one looks like below:
> >
> > {
> >     "source": "ipahealthcheck.ipa.dna",
> >     "kw": {
> >         "range_start": 1889601184,
> >         "next_start": 0,
> >         "next_max": 0,
> >         "range_max": 1889625999
> >     },
> >     "uuid": "1ce671b9-76cf-46ce-b7d2-d5eec4079d63",
> >     "duration": "0.309565",
> >     "when": "20210630231006Z",
> >     "check": "IPADNARangeCheck",
> >     "result": "SUCCESS"
> > }
> >
> >
> > Any suggestions/ideas to fix it?
>
> It looks in here for the configuration. It could throw a not found if
> it is missing (though why/how it could be I don't know):
>
> cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
>
> rob
>
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
> Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
>
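The access-log tracing Florence walks through above (find the SRCH on the DNA config entry, walk back to the BIND on the same conn, read the dn= from that BIND's RESULT) automated as an added example. This is not part of the thread and not ipa-healthcheck or 389-ds code. The log text is constructed to match the format of the lines quoted in the thread (conn 129591 reproduces the failing server; the idmuser connection mirrors Florence's case; the ipa1 connection is an invented healthy server for contrast), and the identity classification by IPA subtree (cn=computers, cn=users, cn=services) is an assumption about tree layout, not something the thread states.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# The entry IPADNARangeCheck reads (quoted in the thread).
DNA_CONFIG_DN = ("cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,"
                 "cn=plugins,cn=config")

# Constructed sample modelled on the 389-ds access-log lines quoted above, not
# real log data. conn=129591 reproduces the failing server (bind mapped to the
# host entry, search returns nothing); conn=129592 mirrors Florence's idmuser
# case; conn=129593 is an invented healthy server for contrast.
SAMPLE_ACCESS_LOG = """\
[20/Aug/2021:10:29:27.774670410 -0700] conn=129591 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[20/Aug/2021:10:29:27.775100000 -0700] conn=129591 op=0 RESULT err=14 tag=97 nentries=0 etime=0.000400000, SASL bind in progress
[20/Aug/2021:10:29:27.778256471 -0700] conn=129591 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
[20/Aug/2021:10:29:27.779100000 -0700] conn=129591 op=1 RESULT err=14 tag=97 nentries=0 etime=0.000400000, SASL bind in progress
[20/Aug/2021:10:29:27.780236168 -0700] conn=129591 op=2 BIND dn="" method=sasl version=3 mech=GSSAPI
[20/Aug/2021:10:29:27.780808034 -0700] conn=129591 op=2 RESULT err=0 tag=97 nentries=0 etime=0.000631206 dn="fqdn=ipa2.example.com,cn=computers,cn=accounts,dc=example,dc=com"
[20/Aug/2021:10:29:27.781656511 -0700] conn=129591 op=3 SRCH base="cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config" scope=0 filter="(objectClass=*)" attrs=ALL
[20/Aug/2021:10:29:27.782100000 -0700] conn=129591 op=3 RESULT err=0 tag=101 nentries=0 etime=0.000200000
[20/Aug/2021:10:29:28.100000000 -0700] conn=129592 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[20/Aug/2021:10:29:28.100400000 -0700] conn=129592 op=0 RESULT err=14 tag=97 nentries=0 etime=0.000400000, SASL bind in progress
[20/Aug/2021:10:29:28.101000000 -0700] conn=129592 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
[20/Aug/2021:10:29:28.101600000 -0700] conn=129592 op=1 RESULT err=0 tag=97 nentries=0 etime=0.000600000 dn="uid=idmuser,cn=users,cn=accounts,dc=example,dc=com"
[20/Aug/2021:10:29:28.102000000 -0700] conn=129592 op=2 SRCH base="cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config" scope=0 filter="(objectClass=*)" attrs=ALL
[20/Aug/2021:10:29:28.102200000 -0700] conn=129592 op=2 RESULT err=0 tag=101 nentries=0 etime=0.000200000
[20/Aug/2021:10:29:29.200000000 -0700] conn=129593 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[20/Aug/2021:10:29:29.200400000 -0700] conn=129593 op=0 RESULT err=14 tag=97 nentries=0 etime=0.000400000, SASL bind in progress
[20/Aug/2021:10:29:29.201000000 -0700] conn=129593 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
[20/Aug/2021:10:29:29.201600000 -0700] conn=129593 op=1 RESULT err=0 tag=97 nentries=0 etime=0.000600000 dn="fqdn=ipa1.example.com,cn=computers,cn=accounts,dc=example,dc=com"
[20/Aug/2021:10:29:29.202000000 -0700] conn=129593 op=2 SRCH base="cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config" scope=0 filter="(objectClass=*)" attrs=ALL
[20/Aug/2021:10:29:29.202200000 -0700] conn=129593 op=2 RESULT err=0 tag=101 nentries=1 etime=0.000200000
"""

# Only the fields this trace needs; other line kinds (fd=, UNBIND, MOD...) are skipped.
LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>\d+) '
                     r'(?P<kind>BIND|SRCH|RESULT)\b(?P<rest>.*)$')
BASE_RE = re.compile(r'base="(?P<base>[^"]*)"')
DN_RE = re.compile(r'dn="(?P<dn>[^"]*)"')
ERR_RE = re.compile(r'err=(?P<err>\d+)')
NENTRIES_RE = re.compile(r'nentries=(?P<n>\d+)')
SASL_BIND_IN_PROGRESS = 14  # LDAP result code between rounds of a SASL bind


@dataclass
class SearchTrace:
    conn: int
    op: int
    bound_dn: Optional[str]   # None: no successful bind preceded the search
    nentries: Optional[int]   # from the search's own RESULT line
    identity_kind: str


def classify_identity(dn: Optional[str]) -> str:
    """Coarse classification by IPA subtree (assumed layout, for illustration)."""
    if not dn:
        return "anonymous"
    low = dn.lower()
    if ",cn=computers,cn=accounts," in low:
        return "host"
    if ",cn=users,cn=accounts," in low:
        return "user"
    if ",cn=services,cn=accounts," in low:
        return "service"
    return "other"


def trace_searches(log_text: str, base: str) -> List[SearchTrace]:
    """Pair each SRCH on `base` with the identity its connection was bound as.

    One pass over the log, keeping per connection the DN from the last
    successful BIND RESULT. A GSSAPI bind spans several BIND ops and only the
    final RESULT (err=0) carries dn="...", as in the lines quoted in the thread.
    """
    bound: Dict[int, Optional[str]] = {}
    bind_ops: Set[Tuple[int, int]] = set()
    pending: Dict[Tuple[int, int], SearchTrace] = {}
    traces: List[SearchTrace] = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        conn, op, kind, rest = int(m["conn"]), int(m["op"]), m["kind"], m["rest"]
        if kind == "BIND":
            bind_ops.add((conn, op))
        elif kind == "SRCH":
            bm = BASE_RE.search(rest)
            if bm and bm["base"].lower() == base.lower():
                dn = bound.get(conn)
                t = SearchTrace(conn, op, dn, None, classify_identity(dn))
                pending[(conn, op)] = t
                traces.append(t)
        elif (conn, op) in bind_ops:              # RESULT of a BIND
            em = ERR_RE.search(rest)
            err = int(em["err"]) if em else -1
            dm = DN_RE.search(rest)
            if err == 0 and dm:
                bound[conn] = dm["dn"]
            elif err != SASL_BIND_IN_PROGRESS:
                bound[conn] = None                # failed bind: connection is anonymous
        elif (conn, op) in pending:               # RESULT of a tracked SRCH
            nm = NENTRIES_RE.search(rest)
            pending.pop((conn, op)).nentries = int(nm["n"]) if nm else None
    return traces


def suspicious_traces(log_text: str, base: str = DNA_CONFIG_DN) -> List[SearchTrace]:
    """Searches on the DNA config entry that returned no entry, i.e. the
    symptom behind "no matching entry found", with the identity behind each."""
    return [t for t in trace_searches(log_text, base) if t.nentries == 0]


if __name__ == "__main__":
    for t in trace_searches(SAMPLE_ACCESS_LOG, DNA_CONFIG_DN):
        print(f"conn={t.conn} op={t.op} nentries={t.nentries} {t.identity_kind}: {t.bound_dn!r}")
```

On a real server the input is /var/log/dirsrv/slapd-DOMAIN-COM/access, as in Florence's steps. A bound DN under cn=computers,cn=accounts is the host principal from /etc/krb5.keytab, which is the identity whose rights Rob's fix (membership of the ipaservers host group) changes; the corresponding IPA commands are `ipa hostgroup-show ipaservers` to check and `ipa hostgroup-add-member ipaservers --hosts=ipa2.example.com` to add the host.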