Jeremy Tourville via FreeIPA-users wrote:
Question: Why are these healthcheck issues present? IPA03 can run a
trust show and the Domain Security Identifier matches the kw key.
Should the uuid be the same or different between IPA02 and IPA03?

The first U in UUID is unique.

Scenario:
3 IPA servers
Replication pattern:
1 -> 2 & 3
2 -> 1 & 3
3 -> 1 & 2
All servers are:
AD trust agent
AD trust controller
CA server
DNS server
health check on IPA01 is completely healthy
[root@gsil-ipa03 ~]# ipa-healthcheck --failures-only
CN=GSIL-CA,DC=gsil,DC=smil not found, assuming 3rd party
[
{
"source": "ipahealthcheck.ipa.trust",
"check": "IPATrustDomainsCheck",
"result": "WARNING",
"uuid": "82ff4156-efd4-4bab-a092-ce5d5736c7e8",
"when": "20230324133158Z",
"duration": "0.235919",
"kw": {
"key": "domain-status",
"domain": "gsil.x",
"msg": "Domain {domain} is not online"
}
},
{
"source": "ipahealthcheck.ipa.trust",
"check": "IPATrustCatalogCheck",
"result": "WARNING",
"uuid": "c8a1bebe-fd44-4ea6-8d98-f20ad6726d00",
"when": "20230324133158Z",
"duration": "0.008165",
"kw": {
"key": "S-1-5-21-3568498085-2952124370-1649233135",
"error": "returned nothing",
"msg": "Look up of {key} {error}"
}
},
{
"source": "ipahealthcheck.ipa.trust",
"check": "IPATrustCatalogCheck",
"result": "ERROR",
"uuid": "c0aed85c-9c0a-42df-83ab-d69b4bc054a5",
"when": "20230324133158Z",
"duration": "0.114333",
"kw": {
"key": "AD Global Catalog",
"output": "Active servers:\nIPA: gsil-ipa03.idm.x.x",
"sssctl": "/usr/sbin/sssctl",
"domain": "gsil.x",
"msg": "{key} not found in {sssctl} 'domain-status' output: {output}"
}
},
{
"source": "ipahealthcheck.ipa.trust",
"check": "IPATrustCatalogCheck",
"result": "ERROR",
"uuid": "6542b352-88ae-4524-ba76-94960adfe9a7",
"when": "20230324133158Z",
"duration": "0.114378",
"kw": {
"key": "AD Domain Controller",
"output": "Active servers:\nIPA: gsil-ipa03.idm.x.x",
"sssctl": "/usr/sbin/sssctl",
"domain": "gsil.x",
"msg": "{key} not found in {sssctl} 'domain-status' output: {output}"
}
}
]
[root@gsil-ipa03 ~]# ipa trust-show
Realm name: gsil.x
Realm name: gsil.x
Domain NetBIOS name: GSIL
Domain Security Identifier: S-1-5-21-3568498085-2952124370-1649233135
Trust direction: Trusting forest
Trust type: Active Directory domain

SSSD on this machine cannot communicate with the AD server for some
reason. You'll need to dive into the SSSD logs to find out why.

Having a trust in IPA is no guarantee that the trust is working now,
just that it was working at the time the trust agreement was created.

rob

[root@gsil-ipa02 ~]# ipa-healthcheck --failures-only
caSigningCert External CA not found, assuming 3rd party
[
{
"source": "ipahealthcheck.ipa.trust",
"check": "IPATrustDomainsCheck",
"result": "WARNING",
"uuid": "319ec55d-6d71-48fa-bb80-4ab5acb9a62b",
"when": "20230324133810Z",
"duration": "0.281341",
"kw": {
"key": "domain-status",
"domain": "gsil.x",
"msg": "Domain {domain} is not online"
}
}
]
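
An added example, not part of the original message and not ipa-healthcheck's own code: it compares the findings of two replicas by (source, check, kw key) rather than by uuid, which differs for every result, and shows which trust checks fail only on IPA03. The function names and the abridged sample strings are constructed here; filling the msg placeholders from the other kw fields is an assumption based on the {domain} and {key} templates visible in the output above.

```python
import json

# Constructed sample, abridged from the two outputs quoted above, keeping the
# non-JSON line that ipa-healthcheck printed before the array.
IPA03_OUTPUT = '''CN=GSIL-CA,DC=gsil,DC=smil not found, assuming 3rd party
[
  {"source": "ipahealthcheck.ipa.trust", "check": "IPATrustDomainsCheck",
   "result": "WARNING", "uuid": "82ff4156-efd4-4bab-a092-ce5d5736c7e8",
   "kw": {"key": "domain-status", "domain": "gsil.x",
          "msg": "Domain {domain} is not online"}},
  {"source": "ipahealthcheck.ipa.trust", "check": "IPATrustCatalogCheck",
   "result": "ERROR", "uuid": "c0aed85c-9c0a-42df-83ab-d69b4bc054a5",
   "kw": {"key": "AD Global Catalog", "sssctl": "/usr/sbin/sssctl",
          "output": "Active servers:\\nIPA: gsil-ipa03.idm.x.x",
          "msg": "{key} not found in {sssctl} 'domain-status' output: {output}"}}
]'''
IPA02_OUTPUT = '''caSigningCert External CA not found, assuming 3rd party
[
  {"source": "ipahealthcheck.ipa.trust", "check": "IPATrustDomainsCheck",
   "result": "WARNING", "uuid": "319ec55d-6d71-48fa-bb80-4ab5acb9a62b",
   "kw": {"key": "domain-status", "domain": "gsil.x",
          "msg": "Domain {domain} is not online"}}
]'''

def load_findings(text):
    """Parse healthcheck JSON, skipping any log lines printed before the array."""
    lines = text.splitlines()
    start = next(i for i, line in enumerate(lines) if line.lstrip().startswith("["))
    return json.loads("\n".join(lines[start:]))

def identity(finding):
    """Stable identity of a finding; uuid is left out because it is unique per result."""
    return (finding["source"], finding["check"], finding["kw"].get("key"))

def render(finding):
    """Fill the msg template from the remaining kw fields (assumed behaviour)."""
    kw = dict(finding["kw"])
    return kw.pop("msg", "").format(**kw)

def only_on(first, second):
    """Findings present in `first` but absent from `second`, compared by identity."""
    seen = {identity(f) for f in second}
    return [f for f in first if identity(f) not in seen]

if __name__ == "__main__":
    ipa03, ipa02 = load_findings(IPA03_OUTPUT), load_findings(IPA02_OUTPUT)
    for f in only_on(ipa03, ipa02):
        print(f["result"], f["check"], "-", render(f))
```
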