On Fri, Aug 21, 2020 at 1:08 AM Chris Welsh via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote: > > Hi Rob, > > Could this be because I removed the replica and there are records still > dangling in the config? Is there a way to find out where they are and remove > them?
At worst, use ldapsearch to identify remaining objects. > At the moment we have no active replicas, So you have a single instance? OK. Please don't run that for too long. > as I wanted to simplify the config so as to find the root cause of > intermittent loss of groups. Looks like this could be adding to my headaches. > > And finally, having domain level not set to one will prevent me from creating > replicas on the first place? Domain Level 0 (DL0) support has been removed. You will be able to create replicas using old versions, but ideally, once the above problem is sorted out, you might be better off updating to DL1. > On Fri, 21 Aug 2020, 6:42 am Rob Crittenden, <rcrit...@redhat.com> wrote: >> >> Chris Welsh via FreeIPA-users wrote: >> > Hi Rob, >> > >> > I have run your tool and found it to report some issues. I wonder if you >> > could help me figure out what they are. Our problem is that we often have >> > staff who loose their groups and this has been happening for 3 years. >> > sss_cache -u username sometimes fixes it. Any advise greatly welcome. Note >> > that I have removed our send are master “vmpdr-linuxidm......” >> > >> > Really ken to solve this but no expert. >> > Centos 7.8 server and clients >> > ipa-server-4.6.6 >> >> The "Unexpected SRV entry in DNS" warnings mean that some servers are >> defined in the IPA domain with services that IPA provides but those >> servers aren't IPA servers. >> >> Similarly, "Expected SRV record missing", a SRV record is missing for an >> IPA service for one or more IPA servers. >> >> "expected ipa-ca IPAddr missing" means that the IPA server at >> 10.126.18.129 is not in the ipa-ca CNAME (and also caught with the count >> of ipa-ca records). >> >> The final errors are due to your installation still using domain level >> 0. You can ignore these if you don't want to or can't update domain >> levels. https://www.freeipa.org/page/Domain_Levels >> >> rob >> >> > >> > >> > [ >> > { >> > "source": "ipahealthcheck.ipa.idns", >> > "kw": { >> > "msg": "Unexpected SRV entry in DNS", >> > "key": "_ntp._udp.unix.foo.org.au.:vmdr-linuxidm.unix.foo.org.au." >> > }, >> > "uuid": "57735f69-6d98-4ae1-9f0a-dd848bbfa1f7", >> > "duration": "0.024868", >> > "when": "20200820104327Z", >> > "check": "IPADNSSystemRecordsCheck", >> > "result": "WARNING" >> > }, >> > { >> > "source": "ipahealthcheck.ipa.idns", >> > "kw": { >> > "msg": "Expected SRV record missing", >> > "key": >> > "_kerberos._tcp.dc._msdcs.unix.foo.org.au.:vmpr-linuxidm.unix.foo.org.au." >> > }, >> > "uuid": "3b789068-16ff-4684-bb5e-3add8a62b2b8", >> > "duration": "0.025853", >> > "when": "20200820104327Z", >> > "check": "IPADNSSystemRecordsCheck", >> > "result": "WARNING" >> > }, >> > { >> > "source": "ipahealthcheck.ipa.idns", >> > "kw": { >> > "msg": "Unexpected SRV entry in DNS", >> > "key": "_kerberos._tcp.unix.foo.org.au.:vmpr-linuxidm.unix.foo.org.au." >> > }, >> > "uuid": "bab58235-1a9b-48bc-9b4c-b0e75b91d619", >> > "duration": "0.027710", >> > "when": "20200820104327Z", >> > "check": "IPADNSSystemRecordsCheck", >> > "result": "WARNING" >> > }, >> > { >> > "source": "ipahealthcheck.ipa.idns", >> > "kw": { >> > "msg": "Unexpected SRV entry in DNS", >> > "key": "_kerberos._tcp.unix.foo.org.au.:vmdr-linuxidm.unix.foo.org.au." >> > }, >> > "uuid": "44a47316-ba13-4226-9625-2f29f369cdd4", >> > "duration": "0.027825", >> > "when": "20200820104327Z", >> > "check": "IPADNSSystemRecordsCheck", >> > "result": "WARNING" >> > }, >> > { >> > "source": "ipahealthcheck.ipa.idns", >> > "kw": { >> > "msg": "Expected SRV record missing", >> > "key": >> > "_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.unix.foo.org.au.:vmpr-linuxidm.unix.foo.org.au." >> > }, >> > "uuid": "313a97f5-9f05-4465-a50f-27996c22c306", >> > "duration": "0.028995", >> > "when": "20200820104327Z", >> > "check": "IPADNSSystemRecordsCheck", >> > "result": "WARNING" >> > }, >> > { >> > "source": "ipahealthcheck.ipa.idns", >> > "kw": { >> > "msg": "Unexpected SRV entry in DNS", >> > "key": "_kerberos._udp.unix.foo.org.au.:vmdr-linuxidm.unix.foo.org.au." >> > }, >> > "uuid": "d00274ff-12a9-465f-957e-392c4edd7e5a", >> > "duration": "0.030514", >> > "when": "20200820104327Z", >> > "check": "IPADNSSystemRecordsCheck", >> > "result": "WARNING" >> > }, >> > { >> > "source": "ipahealthcheck.ipa.idns", >> > "kw": { >> > "msg": "Unexpected SRV entry in DNS", >> > "key": >> > "_kerberos-master._udp.unix.foo.org.au.:vmdr-linuxidm.unix.foo.org.au." >> > }, >> > "uuid": "0e50f8e7-6321-429a-b84e-3a88922ec07b", >> > "duration": "0.031876", >> > "when": "20200820104327Z", >> > "check": "IPADNSSystemRecordsCheck", >> > "result": "WARNING" >> > }, >> > { >> > "source": "ipahealthcheck.ipa.idns", >> > "kw": { >> > "msg": "Unexpected SRV entry in DNS", >> > "key": "_kpasswd._udp.unix.foo.org.au.:vmdr-linuxidm.unix.foo.org.au." >> > }, >> > "uuid": "011bf574-e7ea-4f5d-8bf6-f5ecdd722ecd", >> > "duration": "0.033430", >> > "when": "20200820104327Z", >> > "check": "IPADNSSystemRecordsCheck", >> > "result": "WARNING" >> > }, >> > { >> > "source": "ipahealthcheck.ipa.idns", >> > "kw": { >> > "msg": "Unexpected SRV entry in DNS", >> > "key": "_kpasswd._tcp.unix.foo.org.au.:vmdr-linuxidm.unix.foo.org.au." >> > }, >> > "uuid": "d00839d9-6e83-481d-9685-8eaca6caea14", >> > "duration": "0.034777", >> > "when": "20200820104327Z", >> > "check": "IPADNSSystemRecordsCheck", >> > "result": "WARNING" >> > }, >> > { >> > "source": "ipahealthcheck.ipa.idns", >> > "kw": { >> > "msg": "Expected SRV record missing", >> > "key": >> > "_kerberos._udp.Default-First-Site-Name._sites.dc._msdcs.unix.foo.org.au.:vmpr-linuxidm.unix.foo.org.au." >> > }, >> > "uuid": "8bff3eb5-521d-4029-b368-c1b4cd39047c", >> > "duration": "0.036379", >> > "when": "20200820104327Z", >> > "check": "IPADNSSystemRecordsCheck", >> > "result": "WARNING" >> > }, >> > { >> > "source": "ipahealthcheck.ipa.idns", >> > "kw": { >> > "msg": "Unexpected SRV entry in DNS", >> > "key": "_ldap._tcp.unix.foo.org.au.:vmdr-linuxidm.unix.foo.org.au." >> > }, >> > "uuid": "2091880e-5777-4854-abb4-bc14c032b1af", >> > "duration": "0.037861", >> > "when": "20200820104327Z", >> > "check": "IPADNSSystemRecordsCheck", >> > "result": "WARNING" >> > }, >> > { >> > "source": "ipahealthcheck.ipa.idns", >> > "kw": { >> > "msg": "Expected SRV record missing", >> > "key": >> > "_ldap._tcp.dc._msdcs.unix.foo.org.au.:vmpr-linuxidm.unix.foo.org.au." >> > }, >> > "uuid": "8f9862fa-45a0-4bdd-b561-93a6a15ac7f1", >> > "duration": "0.038836", >> > "when": "20200820104327Z", >> > "check": "IPADNSSystemRecordsCheck", >> > "result": "WARNING" >> > }, >> > { >> > "source": "ipahealthcheck.ipa.idns", >> > "kw": { >> > "msg": "Unexpected SRV entry in DNS", >> > "key": >> > "_kerberos-master._tcp.unix.foo.org.au.:vmdr-linuxidm.unix.foo.org.au." >> > }, >> > "uuid": "cfd7b896-da90-4ac4-9b08-eccdbafeca30", >> > "duration": "0.040348", >> > "when": "20200820104327Z", >> > "check": "IPADNSSystemRecordsCheck", >> > "result": "WARNING" >> > }, >> > { >> > "source": "ipahealthcheck.ipa.idns", >> > "kw": { >> > "msg": "Expected SRV record missing", >> > "key": >> > "_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.unix.foo.org.au.:vmpr-linuxidm.unix.foo.org.au." >> > }, >> > "uuid": "3c38ad1e-96a5-41fd-a161-56dde9601896", >> > "duration": "0.041473", >> > "when": "20200820104327Z", >> > "check": "IPADNSSystemRecordsCheck", >> > "result": "WARNING" >> > }, >> > { >> > "source": "ipahealthcheck.ipa.idns", >> > "kw": { >> > "msg": "Expected SRV record missing", >> > "key": >> > "_kerberos._udp.dc._msdcs.unix.foo.org.au.:vmpr-linuxidm.unix.foo.org.au." >> > }, >> > "uuid": "fd6a163f-a338-4ff0-a2f2-9fb00064ab93", >> > "duration": "0.042447", >> > "when": "20200820104327Z", >> > "check": "IPADNSSystemRecordsCheck", >> > "result": "WARNING" >> > }, >> > { >> > "source": "ipahealthcheck.ipa.idns", >> > "kw": { >> > "msg": "expected ipa-ca IPAddr missing", >> > "key": "10.126.18.129" >> > }, >> > "uuid": "59581cec-e08f-4e67-aed1-697698d66e92", >> > "duration": "0.044304", >> > "when": "20200820104327Z", >> > "check": "IPADNSSystemRecordsCheck", >> > "result": "WARNING" >> > }, >> > { >> > "source": "ipahealthcheck.ipa.idns", >> > "kw": { >> > "expected": 1, >> > "count": 2, >> > "msg": "Got {count} ipa-ca A records, expected {expected}" >> > }, >> > "uuid": "6852b70e-b366-44a3-bc1f-6bde42f79209", >> > "duration": "0.044392", >> > "when": "20200820104327Z", >> > "check": "IPADNSSystemRecordsCheck", >> > "result": "WARNING" >> > }, >> > { >> > "source": "ipahealthcheck.ipa.topology", >> > "kw": { >> > "msg": "topologysuffix-verify domain failed, Topology management requires >> > minimum domain level 1 " >> > }, >> > "uuid": "e5386d69-3028-4c71-8a93-87de8e954682", >> > "duration": "0.002170", >> > "when": "20200820104332Z", >> > "check": "IPATopologyDomainCheck", >> > "result": "ERROR" >> > }, >> > { >> > "source": "ipahealthcheck.ipa.topology", >> > "kw": { >> > "msg": "topologysuffix-verify domain failed, Topology management requires >> > minimum domain level 1 " >> > }, >> > "uuid": "c50ccc80-d031-4a52-a097-43b6b09c46c6", >> > "duration": "0.005159", >> > "when": "20200820104332Z", >> > "check": "IPATopologyDomainCheck", >> > "result": "ERROR" >> > } >> > ] >> > _______________________________________________ >> > FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org >> > To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org >> > Fedora Code of Conduct: >> > https://docs.fedoraproject.org/en-US/project/code-of-conduct/ >> > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines >> > List Archives: >> > https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org >> > >> > _______________________________________________ > FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org > To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org > Fedora Code of Conduct: > https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives: > https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org _______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
