Hi Florence,

Thank you for your help here!

Please see attached details. As you expected,
dn="fqdn=ipa2.example.com,cn=computers,cn=accounts,dc=example,dc=com".
How do I correct this? Thanks.

Kathy.

[root@ipa2 ~]# klist -A
Ticket cache: KEYRING:persistent:0:0
Default principal: ad...@example.com

Valid starting       Expires              Service principal
08/19/2021 16:23:24  08/20/2021 16:22:52  HTTP/ipa2.example....@example.com
08/19/2021 16:23:17  08/20/2021 16:22:52  krbtgt/example....@example.com
[root@ipa2 ~]#

[root@ipa2 ~]# klist -k /etc/krb5.keytab
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 host/ipa2.example....@example.com
   1 host/ipa2.example....@example.com
[root@ipa2 ~]#

[root@ipa2 tmp]# grep "cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config" access
[20/Aug/2021:10:29:27.781656511 -0700] conn=129591 op=3 SRCH base="cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config" scope=0 filter="(objectClass=*)" attrs=ALL
[root@ipa2 tmp]#

[root@ipa2 tmp]# grep "conn=129591" access | grep "BIND dn="
[20/Aug/2021:10:29:27.774670410 -0700] conn=129591 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[20/Aug/2021:10:29:27.778256471 -0700] conn=129591 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
[20/Aug/2021:10:29:27.780236168 -0700] conn=129591 op=2 BIND dn="" method=sasl version=3 mech=GSSAPI
[root@ipa2 tmp]#

[root@ipa2 tmp]# grep "conn=129591 op=2" access | grep RESULT
[20/Aug/2021:10:29:27.780808034 -0700] conn=129591 op=2 RESULT err=0 tag=97 nentries=0 etime=0.000631206 dn="fqdn=ipa2.example.com,cn=computers,cn=accounts,dc=example,dc=com"
[root@ipa2 tmp]#
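Kathy's greps above carry out by hand the correlation Florence describes in the steps quoted below: the SRCH on the DNA config entry gives a conn, the BIND ops on that conn give the op numbers, and the matching RESULT line names the dn the connection is actually bound as. The same walk as a small script, added here and not part of the thread or of ipa-healthcheck; it assumes 389-ds access-log lines in the format quoted, and the sample lines are constructed from the ones shown above:

```python
import re
from typing import Dict, List, Optional

# Constructed sample modelled on the 389-ds access log lines quoted in this
# thread (conn=129591, ops 0-3); the e-mail line wrapping has been undone.
SAMPLE_ACCESS_LOG = """\
[20/Aug/2021:10:29:27.774670410 -0700] conn=129591 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[20/Aug/2021:10:29:27.778256471 -0700] conn=129591 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
[20/Aug/2021:10:29:27.780236168 -0700] conn=129591 op=2 BIND dn="" method=sasl version=3 mech=GSSAPI
[20/Aug/2021:10:29:27.780808034 -0700] conn=129591 op=2 RESULT err=0 tag=97 nentries=0 etime=0.000631206 dn="fqdn=ipa2.example.com,cn=computers,cn=accounts,dc=example,dc=com"
[20/Aug/2021:10:29:27.781656511 -0700] conn=129591 op=3 SRCH base="cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config" scope=0 filter="(objectClass=*)" attrs=ALL
"""
POSIX_IDS_DN = "cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config"

# Every operation line starts with a bracketed timestamp, conn=, op= and an
# upper-case operation name; the remainder is key=value pairs, some quoted.
LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>-?\d+) (?P<kind>[A-Z]+)(?P<rest>.*)$')
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Return conn/op/kind plus the key=value fields of one line, or None for
    lines without an op (connection open/close notices)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec: Dict[str, object] = {"ts": m["ts"], "conn": m["conn"], "op": int(m["op"]), "kind": m["kind"]}
    for key, quoted, bare in KV_RE.findall(m["rest"]):
        rec[key] = bare if bare else quoted  # dn="" stays an empty string
    return rec


def bound_identity_for_search(log_lines: List[str], base_dn: str) -> Optional[str]:
    """Steps from the thread: locate the SRCH on base_dn, take its conn, then read
    the dn= from the RESULT of the last BIND on that conn that completed with
    err=0 before the search. None if the search or a completed bind is absent."""
    records = [r for r in map(parse_line, log_lines) if r]
    search = next((r for r in records if r["kind"] == "SRCH" and r.get("base") == base_dn), None)
    if search is None:
        return None
    same_conn = [r for r in records if r["conn"] == search["conn"] and r["op"] < search["op"]]
    bind_ops = {r["op"] for r in same_conn if r["kind"] == "BIND"}
    completed = [r for r in same_conn if r["kind"] == "RESULT" and r["op"] in bind_ops
                 and r.get("err") == "0" and "dn" in r]
    return str(max(completed, key=lambda r: r["op"])["dn"]) if completed else None


if __name__ == "__main__":
    print(bound_identity_for_search(SAMPLE_ACCESS_LOG.splitlines(), POSIX_IDS_DN))
```

Pointing it at a real /var/log/dirsrv/slapd-DOMAIN-COM/access works the same way; a None result means either no search on that base was logged or no bind on that connection completed before it.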



On Thu, Aug 19, 2021 at 11:25 PM Florence Renaud <f...@redhat.com> wrote:

> Hi,
>
> What is the output of
> klist -A
> klist -k /etc/krb5.keytab
> on the machine where ipa-healthcheck command fails?
> ipa-healthcheck is using a Kerberos ticket to authenticate to the LDAP
> server (obtained from /etc/krb5.keytab), and has different access rights
> depending on the identity mapped to this ticket. I suspect that the LDAP
> operations don't return any entry because they are mapped to a wrong
> identity.
>
> You can also have a look at the directory server access logs to check
> which identity is used:
> 1. open /var/log/dirsrv/slapd-DOMAIN-COM/access
> 2. look for a line containing the following:
> SRCH base="cn=Posix IDs,cn=Distributed Numeric Assignment
> Plugin,cn=plugins,cn=config"
> 3. In this line, note the conn=<value>. On my machine I see, for instance:
> [20/Aug/2021:08:14:03.982502295 +0200] *conn=17816* op=3 SRCH
> base="cn=Posix IDs,cn=Distributed Numeric Assignment
> Plugin,cn=plugins,cn=config" scope=0 filter="(objectClass=*)" attrs=ALL
> 4. Go up in the logs and find the BIND operation that took place on this
> connection: the line must contain the same *conn=<value>* and *BIND dn=*:
> [20/Aug/2021:08:14:03.978879492 +0200] *conn=17816* *op=2* *BIND dn=*""
> method=sasl version=3 mech=GSSAPI
> 5. Find the corresponding result: the line must contain the same *conn=<value>
> op=<value>* and will give you the dn used for the LDAP operation:
> [20/Aug/2021:08:14:03.981131807 +0200] *conn=17816 op=2* RESULT err=0
> tag=97 nentries=0 wtime=0.000152828 optime=0.002257466 etime=0.002407324
> *dn="uid=idmuser,cn=users,cn=accounts,dc=domain,dc=com"*
>
> In my example ipa-healthcheck fails to find the cn=Posix IDs entry
> because it is using an LDAP connection bound as uid=idmuser, who doesn't
> have the required read permissions.
>
> HTH,
> flo
>
> On Fri, Aug 20, 2021 at 3:19 AM Kathy Zhu via FreeIPA-users <
> freeipa-users@lists.fedorahosted.org> wrote:
>
>> I ran the same ldapsearch on a good server and compared the outputs. Here
>> are the differences:
>>
>> dnaMaxValue: 1889657499                                       |
>> dnaMaxValue: 1889607999
>>
>> dnaNextValue: 1889650758                                      |
>> dnaNextValue: 1889601276
>>
>>
>> Thanks.
>>
>>
>> Kathy.
>>
>> On Thu, Aug 19, 2021 at 6:02 PM Kathy Zhu <k...@nuro.ai> wrote:
>>
>>> Hi Rob,
>>>
>>> Thanks for replying!
>>>
>>> It is not missing and I can create new user or group on it:
>>>
>>> [root@ipa2 ~]# ldapsearch -D "cn=directory manager" -W -b "cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config"
>>> Enter LDAP Password:
>>> # extended LDIF
>>> #
>>> # LDAPv3
>>> # base <cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config> with scope subtree
>>> # filter: (objectclass=*)
>>> # requesting: ALL
>>> #
>>>
>>> # Posix IDs, Distributed Numeric Assignment Plugin, plugins, config
>>> dn: cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
>>> cn: Posix IDs
>>> dnaExcludeScope: cn=provisioning,dc=example,dc=com
>>> dnaFilter: (|(objectClass=posixAccount)(objectClass=posixGroup)(objectClass=ipaIDobject))
>>> dnaMagicRegen: -1
>>> dnaMaxValue: 1889657499
>>> dnaNextValue: 1889650758
>>> dnaScope: dc=example,dc=com
>>> dnaSharedCfgDN: cn=posix-ids,cn=dna,cn=ipa,cn=etc,dc=example,dc=com
>>> dnaThreshold: 500
>>> dnaType: uidNumber
>>> dnaType: gidNumber
>>> objectClass: top
>>> objectClass: extensibleObject
>>>
>>> # search result
>>> search: 2
>>> result: 0 Success
>>>
>>> # numResponses: 2
>>> # numEntries: 1
>>> [root@ipa2 ~]#
>>>
>>> On Thu, Aug 19, 2021 at 5:14 PM Rob Crittenden <rcrit...@redhat.com>
>>> wrote:
>>>
>>>> Kathy Zhu via FreeIPA-users wrote:
>>>> > Hello,
>>>> >
>>>> > ipa-healthcheck is a great tool! Really appreciate Rob making it
>>>> > work for CentOS.
>>>> >
>>>> > When I ran it on all of our IPA servers, one server reported:
>>>> >
>>>> > [root@ipa2 ~]# ipa-healthcheck --failures-only --output-type human
>>>> > CRITICAL: ipahealthcheck.ipa.dna.IPADNARangeCheck: no matching entry found
>>>> > [root@ipa2 ~]#
>>>> >
>>>> >
>>>> > I created a user and a group on this server, then deleted them and
>>>> > reran ipa-healthcheck; I still get the same error. Here is the JSON
>>>> > format of it:
>>>> >
>>>> >   {
>>>> >     "source": "ipahealthcheck.ipa.dna",
>>>> >     "kw": {
>>>> >       "exception": "no matching entry found"
>>>> >     },
>>>> >     "uuid": "aaf4da70-64ca-435f-8011-b40da74b874e",
>>>> >     "duration": "0.136489",
>>>> >     "when": "20210819224225Z",
>>>> >     "check": "IPADNARangeCheck",
>>>> >     "result": "CRITICAL"
>>>> >   }
>>>> >
>>>> >
>>>> > We have 7 ipa servers, this is the only server with this error.
>>>> >
>>>> > The successful one looks like this:
>>>> >
>>>> >   {
>>>> >     "source": "ipahealthcheck.ipa.dna",
>>>> >     "kw": {
>>>> >       "range_start": 1889601184,
>>>> >       "next_start": 0,
>>>> >       "next_max": 0,
>>>> >       "range_max": 1889625999
>>>> >     },
>>>> >     "uuid": "1ce671b9-76cf-46ce-b7d2-d5eec4079d63",
>>>> >     "duration": "0.309565",
>>>> >     "when": "20210630231006Z",
>>>> >     "check": "IPADNARangeCheck",
>>>> >     "result": "SUCCESS"
>>>> >   }
>>>> >
>>>> >
>>>> > Any suggestions/ideas to fix it?
>>>>
>>>> It looks in here for the configuration. It could throw a not found if
>>>> it is missing (though why/how it could be I don't know):
>>>>
>>>> cn=Posix IDs,cn=Distributed Numeric Assignment
>>>> Plugin,cn=plugins,cn=config
>>>>
>>>> rob
>>>>
>
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure