Travis West via FreeIPA-users wrote:
> Thanks Rob!  New certs are all replicated and all IPA services are started on 
> all 6 servers.
> I can perform 'ipa cert-show 1' on all 6 and get the expected result.
> 
> As a sanity check I did run the ipa-healthcheck on all 6 servers.  One of 
> them came back fine, the other 5 returned
> 
> [
>   {
>     "source": "ipahealthcheck.ipa.dna",
>     "kw": {
>       "msg": "No DNA range defined. If no masters define a range then users 
> and groups cannot be created.",
>       "range_start": 0,
>       "next_start": 0,
>       "next_max": 0,
>       "range_max": 0
>     },
>     "uuid": "70636197-0b3e-4424-b509-1aa7f8be084d",
>     "duration": "0.706384",
>     "when": "20240405170045Z",
>     "check": "IPADNARangeCheck",
>     "result": "WARNING"
>   }
> ]
> 
> Now it's just a WARNING, and since the one didn't return it (they're all 
> denoted as MASTER) maybe it's okay?

It just means that when you add users or groups you do it against the
same IPA server. If you do it on others then it will split the range
between them as needed. Not a bad thing but it gets complex if you add
and remove a lot of servers, particularly older ones. I made changes a
few years ago to try to capture ranges that would otherwise be lost but
it's sort of a best effort kind of thing.

The purpose of this is to ensure that at least one server has a range.
Currently healthcheck only validates the server it is running on and
doesn't do much cluster-wide checking.

rob
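
Added example (not part of the original thread and not FreeIPA project code): since healthcheck only validates the server it runs on, this sketch merges the JSON collected from each server and confirms that at least one of them holds a DNA range. The hostnames and the `dna_status` / `cluster_dna_summary` helpers are hypothetical, and it assumes the reports list only non-passing checks, so a report with no `IPADNARangeCheck` entry counts as a server that has a range.

```python
import json

DNA_CHECK = "IPADNARangeCheck"
RANGE_KEYS = ("range_start", "range_max", "next_start", "next_max")


def dna_status(report_text):
    """Classify one server's ipa-healthcheck JSON output for the DNA range check."""
    for item in json.loads(report_text):
        if item.get("check") != DNA_CHECK:
            continue
        kw = item.get("kw", {})
        all_zero = not any(int(kw.get(k, 0)) for k in RANGE_KEYS)
        if item.get("result") == "WARNING" and all_zero:
            return "no_range"
        return "has_range"
    # Assumption: the report lists only non-passing checks, so no entry
    # for the DNA check means it passed on that server.
    return "has_range"


def cluster_dna_summary(reports):
    """reports maps hostname -> JSON text collected from that server."""
    status = {host: dna_status(text) for host, text in reports.items()}
    holders = sorted(h for h, s in status.items() if s == "has_range")
    without = sorted(h for h, s in status.items() if s == "no_range")
    # The cluster can still allocate IDs as long as one server holds a range.
    return {"holders": holders, "without_range": without, "ok": bool(holders)}


# Constructed sample: five servers report the warning quoted in the thread,
# one returns an empty result list. Hostnames are made up.
WARNING_REPORT = json.dumps([{
    "source": "ipahealthcheck.ipa.dna",
    "check": "IPADNARangeCheck",
    "result": "WARNING",
    "kw": {"msg": "No DNA range defined.", "range_start": 0,
           "next_start": 0, "next_max": 0, "range_max": 0},
}])
SAMPLE_REPORTS = {f"ipa{n}.example.test": WARNING_REPORT for n in range(2, 7)}
SAMPLE_REPORTS["ipa1.example.test"] = "[]"

if __name__ == "__main__":
    summary = cluster_dna_summary(SAMPLE_REPORTS)
    print("range holders:", summary["holders"])
    print("no range:", summary["without_range"])
    print("cluster OK" if summary["ok"] else "NO server holds a DNA range")
```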