[Freeipa-users] Re: ipa-healthcheck - ipahealthcheck.ipa.dna.IPADNARangeCheck: no matching entry found

2021-08-20 Thread Kathy Zhu via FreeIPA-users
Yes, that is the fix!

After I added it to the ipaservers hostgroup and ran ipa-healthcheck, this
error is gone!

Thank you, Rob and Florence!

Kathy.

On Fri, Aug 20, 2021 at 11:12 AM Rob Crittenden  wrote:

> Kathy Zhu wrote:
> > Hi Florence,
> >
> > Thank you for your help here!
> >
> > Please see attached details. As you expected, dn="fqdn=ipa2.example.com
> > ,cn=computers,cn=accounts,dc=example,dc=com".
> > How to correct this? Thanks.
>
> See if this host is in the ipaservers host group. If not add it.
>
> rob
>
> >
> > Kathy.
> >
> > [root@ipa2 ~]# klist -A
> >
> > Ticket cache: KEYRING:persistent:0:0
> >
> > Default principal: ad...@example.com 
> >
> >
> > Valid starting   Expires  Service principal
> >
> > 08/19/2021 16:23:24  08/20/2021 16:22:52
> > HTTP/ipa2.example@example.com 
> >
> > 08/19/2021 16:23:17  08/20/2021 16:22:52  krbtgt/example@example.com
> > 
> >
> > [root@ipa2 ~]#
> >
> > [root@ipa2 ~]# klist -k /etc/krb5.keytab
> >
> > Keytab name: FILE:/etc/krb5.keytab
> >
> > KVNO Principal
> >
> > 
> >
> --
> >
> >    1 host/ipa2.example@example.com
> >
> >    1 host/ipa2.example@example.com
> >
> > [root@ipa2 ~]#
> >
> > [root@ipa2 tmp]# grep "cn=Posix IDs,cn=Distributed Numeric Assignment
> > Plugin,cn=plugins,cn=config" access
> >
> > [20/Aug/2021:10:29:27.781656511 -0700] conn=129591 op=3 SRCH
> > base="cn=Posix IDs,cn=Distributed Numeric Assignment
> > Plugin,cn=plugins,cn=config" scope=0 filter="(objectClass=*)" attrs=ALL
> >
> > [root@ipa2 tmp]#
> >
> > [root@ipa2 tmp]# grep "conn=129591" access | grep "BIND dn="
> >
> > [20/Aug/2021:10:29:27.774670410 -0700] conn=129591 op=0 BIND dn=""
> > method=sasl version=3 mech=GSSAPI
> >
> > [20/Aug/2021:10:29:27.778256471 -0700] conn=129591 op=1 BIND dn=""
> > method=sasl version=3 mech=GSSAPI
> >
> > [20/Aug/2021:10:29:27.780236168 -0700] conn=129591 op=2 BIND dn=""
> > method=sasl version=3 mech=GSSAPI
> >
> > [root@ipa2 tmp]#
> >
> > [root@ipa2 tmp]# grep "conn=129591 op=2" access | grep RESULT
> >
> > [20/Aug/2021:10:29:27.780808034 -0700] conn=129591 op=2 RESULT err=0
> > tag=97 nentries=0 etime=0.000631206 dn="fqdn=ipa2.example.com
> > ,cn=computers,cn=accounts,dc=example,dc=com"
> >
> > [root@ipa2 tmp]#
> >
> > [root@ipa2 ~]#
> >
> >
> >
> > On Thu, Aug 19, 2021 at 11:25 PM Florence Renaud  > > wrote:
> >
> > Hi,
> >
> > What is the output of
> > klist -A
> > klist -k /etc/krb5.keytab
> > on the machine where the ipa-healthcheck command fails?
> > ipa-healthcheck is using a Kerberos ticket to authenticate to the
> > LDAP server (obtained from /etc/krb5.keytab), and has different
> > access rights depending on the identity mapped to this ticket. I
> > suspect that the LDAP operations don't return any entry because they
> > are mapped to a wrong identity.
> >
> > You can also have a look at the directory server access logs to
> > check which identity is used:
> > 1. open /var/log/dirsrv/slapd-DOMAIN-COM/access
> > 2. look for a line containing the following:
> > SRCH base="cn=Posix IDs,cn=Distributed Numeric Assignment
> > Plugin,cn=plugins,cn=config"
> > 3. In this line, note the conn=. On my machine I see for
> > instance:
> > [20/Aug/2021:08:14:03.982502295 +0200] *conn=17816* op=3 SRCH
> > base="cn=Posix IDs,cn=Distributed Numeric Assignment
> > Plugin,cn=plugins,cn=config" scope=0 filter="(objectClass=*)"
> > attrs=ALL
> > 4. Go up in the logs and find the BIND operation that took place on
> > this connection: the line must contain the same *conn=* and
> > *BIND dn=*:
> > [20/Aug/2021:08:14:03.978879492 +0200] *conn=17816* *op=2* *BIND
> > dn=*"" method=sasl version=3 mech=GSSAPI
> > 5. Find the corresponding result: the line must contain the same
> > *conn= op=* and will give you the dn used for the LDAP
> > operation:
> > [20/Aug/2021:08:14:03.981131807 +0200] *conn=17816 op=2* RESULT
> > err=0 tag=97 nentries=0 wtime=0.000152828 optime=0.002257466
> > etime=0.002407324
> > *dn="uid=idmuser,cn=users,cn=accounts,dc=domain,dc=com"*
> >
> > In my example ipa-healthcheck fails to find the cn=Posix IDs entry
> > because it is using an LDAP connection bound as uid=idmuser, who
> > doesn't have the required read permissions.
> >
> > HTH,
> > flo
> >
> > On Fri, Aug 20, 2021 at 3:19 AM Kathy Zhu via FreeIPA-users
> >  > > wrote:
> >
> > I ran the same ldapsearch on a good server and compared the
> > outputs. Here are the differences:
> >
> > dnaMaxValue: 1889657499

[Freeipa-users] Re: ipa-healthcheck - ipahealthcheck.ipa.dna.IPADNARangeCheck: no matching entry found

2021-08-20 Thread Rob Crittenden via FreeIPA-users
Kathy Zhu wrote:
> Hi Florence,
> 
> Thank you for your help here! 
> 
> Please see attached details. As you expected, dn="fqdn=ipa2.example.com
> ,cn=computers,cn=accounts,dc=example,dc=com".
> How to correct this? Thanks. 

See if this host is in the ipaservers host group. If not add it.

rob

> 
> Kathy. 
> 
> [root@ipa2 ~]# klist -A
> 
> Ticket cache: KEYRING:persistent:0:0
> 
> Default principal: ad...@example.com 
> 
> 
> Valid starting       Expires              Service principal
> 
> 08/19/2021 16:23:24  08/20/2021 16:22:52 
> HTTP/ipa2.example@example.com 
> 
> 08/19/2021 16:23:17  08/20/2021 16:22:52  krbtgt/example@example.com
> 
> 
> [root@ipa2 ~]#
> 
> [root@ipa2 ~]# klist -k /etc/krb5.keytab
> 
> Keytab name: FILE:/etc/krb5.keytab
> 
> KVNO Principal
> 
> 
> --
> 
>    1 host/ipa2.example@example.com 
> 
>    1 host/ipa2.example@example.com 
> 
> [root@ipa2 ~]# 
> 
> [root@ipa2 tmp]# grep "cn=Posix IDs,cn=Distributed Numeric Assignment
> Plugin,cn=plugins,cn=config" access 
> 
> [20/Aug/2021:10:29:27.781656511 -0700] conn=129591 op=3 SRCH
> base="cn=Posix IDs,cn=Distributed Numeric Assignment
> Plugin,cn=plugins,cn=config" scope=0 filter="(objectClass=*)" attrs=ALL
> 
> [root@ipa2 tmp]# 
> 
> [root@ipa2 tmp]# grep "conn=129591" access | grep "BIND dn=" 
> 
> [20/Aug/2021:10:29:27.774670410 -0700] conn=129591 op=0 BIND dn=""
> method=sasl version=3 mech=GSSAPI
> 
> [20/Aug/2021:10:29:27.778256471 -0700] conn=129591 op=1 BIND dn=""
> method=sasl version=3 mech=GSSAPI
> 
> [20/Aug/2021:10:29:27.780236168 -0700] conn=129591 op=2 BIND dn=""
> method=sasl version=3 mech=GSSAPI
> 
> [root@ipa2 tmp]# 
> 
> [root@ipa2 tmp]# grep "conn=129591 op=2" access | grep RESULT 
> 
> [20/Aug/2021:10:29:27.780808034 -0700] conn=129591 op=2 RESULT err=0
> tag=97 nentries=0 etime=0.000631206 dn="fqdn=ipa2.example.com
> ,cn=computers,cn=accounts,dc=example,dc=com"
> 
> [root@ipa2 tmp]# 
> 
> [root@ipa2 ~]# 
> 
> 
> 
> On Thu, Aug 19, 2021 at 11:25 PM Florence Renaud  > wrote:
> 
> Hi,
> 
> What is the output of
> klist -A
> klist -k /etc/krb5.keytab
> on the machine where the ipa-healthcheck command fails?
> ipa-healthcheck is using a Kerberos ticket to authenticate to the
> LDAP server (obtained from /etc/krb5.keytab), and has different
> access rights depending on the identity mapped to this ticket. I
> suspect that the LDAP operations don't return any entry because they
> are mapped to a wrong identity.
> 
> You can also have a look at the directory server access logs to
> check which identity is used:
> 1. open /var/log/dirsrv/slapd-DOMAIN-COM/access
> 2. look for a line containing the following:
> SRCH base="cn=Posix IDs,cn=Distributed Numeric Assignment
> Plugin,cn=plugins,cn=config"
> 3. In this line, note the conn=. On my machine I see for
> instance:
> [20/Aug/2021:08:14:03.982502295 +0200] *conn=17816* op=3 SRCH
> base="cn=Posix IDs,cn=Distributed Numeric Assignment
> Plugin,cn=plugins,cn=config" scope=0 filter="(objectClass=*)" attrs=ALL
> 4. Go up in the logs and find the BIND operation that took place on
> this connection: the line must contain the same *conn=* and
> *BIND dn=*:
> [20/Aug/2021:08:14:03.978879492 +0200] *conn=17816* *op=2* *BIND
> dn=*"" method=sasl version=3 mech=GSSAPI
> 5. Find the corresponding result: the line must contain the same
> *conn= op=* and will give you the dn used for the LDAP
> operation:
> [20/Aug/2021:08:14:03.981131807 +0200] *conn=17816 op=2* RESULT
> err=0 tag=97 nentries=0 wtime=0.000152828 optime=0.002257466
> etime=0.002407324
> *dn="uid=idmuser,cn=users,cn=accounts,dc=domain,dc=com"*
> 
> In my example ipa-healthcheck fails to find the cn=Posix IDs entry
> because it is using an LDAP connection bound as uid=idmuser, who
> doesn't have the required read permissions.
> 
> HTH,
> flo
> 
> On Fri, Aug 20, 2021 at 3:19 AM Kathy Zhu via FreeIPA-users
>  > wrote:
> 
> I ran the same ldapsearch on a good server and compared the
> outputs. Here are the differences: 
> 
> dnaMaxValue: 1889657499                                       |
> dnaMaxValue: 1889607999
> 
> dnaNextValue: 1889650758                                      |
> dnaNextValue: 1889601276 
> 
> 
> Thanks. 
> 
> 
> Kathy. 
> 
> 
> On Thu, Aug 19, 2021 at 6:02 PM Kathy Zhu  > wrote:
> 
> Hi Rob, 
> 
> Thanks for replying! 
> 
> It is not missing 

[Freeipa-users] Re: ipa-healthcheck - ipahealthcheck.ipa.dna.IPADNARangeCheck: no matching entry found

2021-08-20 Thread Kathy Zhu via FreeIPA-users
Hi Florence,

Thank you for your help here!

Please see attached details. As you expected,
dn="fqdn=ipa2.example.com,cn=computers,cn=accounts,dc=example,dc=com".
How to correct this? Thanks.

Kathy.

[root@ipa2 ~]# klist -A

Ticket cache: KEYRING:persistent:0:0

Default principal: ad...@example.com


Valid starting   Expires  Service principal

08/19/2021 16:23:24  08/20/2021 16:22:52  HTTP/ipa2.example@example.com

08/19/2021 16:23:17  08/20/2021 16:22:52  krbtgt/example@example.com

[root@ipa2 ~]#

[root@ipa2 ~]# klist -k /etc/krb5.keytab

Keytab name: FILE:/etc/krb5.keytab

KVNO Principal


--

   1 host/ipa2.example@example.com

   1 host/ipa2.example@example.com

[root@ipa2 ~]#

[root@ipa2 tmp]# grep "cn=Posix IDs,cn=Distributed Numeric Assignment
Plugin,cn=plugins,cn=config" access

[20/Aug/2021:10:29:27.781656511 -0700] conn=129591 op=3 SRCH base="cn=Posix
IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config" scope=0
filter="(objectClass=*)" attrs=ALL

[root@ipa2 tmp]#

[root@ipa2 tmp]# grep "conn=129591" access | grep "BIND dn="

[20/Aug/2021:10:29:27.774670410 -0700] conn=129591 op=0 BIND dn=""
method=sasl version=3 mech=GSSAPI

[20/Aug/2021:10:29:27.778256471 -0700] conn=129591 op=1 BIND dn=""
method=sasl version=3 mech=GSSAPI

[20/Aug/2021:10:29:27.780236168 -0700] conn=129591 op=2 BIND dn=""
method=sasl version=3 mech=GSSAPI

[root@ipa2 tmp]#

[root@ipa2 tmp]# grep "conn=129591 op=2" access | grep RESULT

[20/Aug/2021:10:29:27.780808034 -0700] conn=129591 op=2 RESULT err=0 tag=97
nentries=0 etime=0.000631206 dn="fqdn=ipa2.example.com
,cn=computers,cn=accounts,dc=example,dc=com"

[root@ipa2 tmp]#

[root@ipa2 ~]#



On Thu, Aug 19, 2021 at 11:25 PM Florence Renaud  wrote:

> Hi,
>
> What is the output of
> klist -A
> klist -k /etc/krb5.keytab
> on the machine where the ipa-healthcheck command fails?
> ipa-healthcheck is using a Kerberos ticket to authenticate to the LDAP
> server (obtained from /etc/krb5.keytab), and has different access rights
> depending on the identity mapped to this ticket. I suspect that the LDAP
> operations don't return any entry because they are mapped to a wrong
> identity.
>
> You can also have a look at the directory server access logs to check
> which identity is used:
> 1. open /var/log/dirsrv/slapd-DOMAIN-COM/access
> 2. look for a line containing the following:
> SRCH base="cn=Posix IDs,cn=Distributed Numeric Assignment
> Plugin,cn=plugins,cn=config"
> 3. In this line, note the conn=. On my machine I see for instance:
> [20/Aug/2021:08:14:03.982502295 +0200] *conn=17816* op=3 SRCH
> base="cn=Posix IDs,cn=Distributed Numeric Assignment
> Plugin,cn=plugins,cn=config" scope=0 filter="(objectClass=*)" attrs=ALL
> 4. Go up in the logs and find the BIND operation that took place on this
> connection: the line must contain the same *conn=* and *BIND dn=*:
> [20/Aug/2021:08:14:03.978879492 +0200] *conn=17816* *op=2* *BIND dn=*""
> method=sasl version=3 mech=GSSAPI
> 5. Find the corresponding result: the line must contain the same *conn=
> op=* and will give you the dn used for the LDAP operation:
> [20/Aug/2021:08:14:03.981131807 +0200] *conn=17816 op=2* RESULT err=0
> tag=97 nentries=0 wtime=0.000152828 optime=0.002257466 etime=0.002407324
> *dn="uid=idmuser,cn=users,cn=accounts,dc=domain,dc=com"*
>
> In my example ipa-healthcheck fails to find the cn=Posix IDs entry
> because it is using an LDAP connection bound as uid=idmuser, who doesn't
> have the required read permissions.
>
> HTH,
> flo
>
> On Fri, Aug 20, 2021 at 3:19 AM Kathy Zhu via FreeIPA-users <
> freeipa-users@lists.fedorahosted.org> wrote:
>
>> I ran the same ldapsearch on a good server and compared the outputs. Here
>> are the differences:
>>
>> dnaMaxValue: 1889657499   |
>> dnaMaxValue: 1889607999
>>
>> dnaNextValue: 1889650758  |
>> dnaNextValue: 1889601276
>>
>>
>> Thanks.
>>
>>
>> Kathy.
>>
>> On Thu, Aug 19, 2021 at 6:02 PM Kathy Zhu  wrote:
>>
>>> Hi Rob,
>>>
>>> Thanks for replying!
>>>
>>> It is not missing and I can create a new user or group on it:
>>>
>>> [root@ipa2 ~]#  ldapsearch -D "cn=directory manager" -W -b "cn=Posix
>>> IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config"
>>>
>>> Enter LDAP Password:
>>>
>>> # extended LDIF
>>>
>>> #
>>>
>>> # LDAPv3
>>>
>>> # base <cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config> with scope subtree
>>>
>>> # filter: (objectclass=*)
>>>
>>> # requesting: ALL
>>>
>>> #
>>>
>>>
>>> # Posix IDs, Distributed Numeric Assignment Plugin, plugins, config
>>>
>>> dn: cn=Posix IDs,cn=Distributed Numeric Assignment
>>> Plugin,cn=plugins,cn=config
>>>
>>> cn: Posix IDs
>>>
>>> dnaExcludeScope: cn=provisioning,dc=example,dc=com
>>>
>>> dnaFilter:
>>> (|(objectClass=posixAccount)(objectClass=posixGroup)(objectClass=ip
>>>
>>>  aIDobject))
>>>
>>> dnaMagicRegen: -1
>>>
>>> dnaMaxValue: 

[Freeipa-users] Re: ipa-healthcheck - ipahealthcheck.ipa.dna.IPADNARangeCheck: no matching entry found

2021-08-20 Thread Florence Renaud via FreeIPA-users
Hi,

What is the output of
klist -A
klist -k /etc/krb5.keytab
on the machine where the ipa-healthcheck command fails?
ipa-healthcheck is using a Kerberos ticket to authenticate to the LDAP
server (obtained from /etc/krb5.keytab), and has different access rights
depending on the identity mapped to this ticket. I suspect that the LDAP
operations don't return any entry because they are mapped to a wrong
identity.

You can also have a look at the directory server access logs to check which
identity is used:
1. open /var/log/dirsrv/slapd-DOMAIN-COM/access
2. look for a line containing the following:
SRCH base="cn=Posix IDs,cn=Distributed Numeric Assignment
Plugin,cn=plugins,cn=config"
3. In this line, note the conn=. On my machine I see for instance:
[20/Aug/2021:08:14:03.982502295 +0200] *conn=17816* op=3 SRCH
base="cn=Posix IDs,cn=Distributed Numeric Assignment
Plugin,cn=plugins,cn=config" scope=0 filter="(objectClass=*)" attrs=ALL
4. Go up in the logs and find the BIND operation that took place on this
connection: the line must contain the same *conn=* and *BIND dn=*:
[20/Aug/2021:08:14:03.978879492 +0200] *conn=17816* *op=2* *BIND dn=*""
method=sasl version=3 mech=GSSAPI
5. Find the corresponding result: the line must contain the same *conn=
op=* and will give you the dn used for the LDAP operation:
[20/Aug/2021:08:14:03.981131807 +0200] *conn=17816 op=2* RESULT err=0
tag=97 nentries=0 wtime=0.000152828 optime=0.002257466 etime=0.002407324
*dn="uid=idmuser,cn=users,cn=accounts,dc=domain,dc=com"*

In my example ipa-healthcheck fails to find the cn=Posix IDs entry because
it is using an LDAP connection bound as uid=idmuser, who doesn't have the
required read permissions.

HTH,
flo

On Fri, Aug 20, 2021 at 3:19 AM Kathy Zhu via FreeIPA-users <
freeipa-users@lists.fedorahosted.org> wrote:

> I ran the same ldapsearch on a good server and compared the outputs. Here
> are the differences:
>
> dnaMaxValue: 1889657499   |
> dnaMaxValue: 1889607999
>
> dnaNextValue: 1889650758  |
> dnaNextValue: 1889601276
>
>
> Thanks.
>
>
> Kathy.
>
> On Thu, Aug 19, 2021 at 6:02 PM Kathy Zhu  wrote:
>
>> Hi Rob,
>>
>> Thanks for replying!
>>
>> It is not missing and I can create a new user or group on it:
>>
>> [root@ipa2 ~]#  ldapsearch -D "cn=directory manager" -W -b "cn=Posix
>> IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config"
>>
>> Enter LDAP Password:
>>
>> # extended LDIF
>>
>> #
>>
>> # LDAPv3
>>
>> # base <cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config> with scope subtree
>>
>> # filter: (objectclass=*)
>>
>> # requesting: ALL
>>
>> #
>>
>>
>> # Posix IDs, Distributed Numeric Assignment Plugin, plugins, config
>>
>> dn: cn=Posix IDs,cn=Distributed Numeric Assignment
>> Plugin,cn=plugins,cn=config
>>
>> cn: Posix IDs
>>
>> dnaExcludeScope: cn=provisioning,dc=example,dc=com
>>
>> dnaFilter:
>> (|(objectClass=posixAccount)(objectClass=posixGroup)(objectClass=ip
>>
>>  aIDobject))
>>
>> dnaMagicRegen: -1
>>
>> dnaMaxValue: 1889657499
>>
>> dnaNextValue: 1889650758
>>
>> dnaScope: dc=example,dc=com
>>
>> dnaSharedCfgDN: cn=posix-ids,cn=dna,cn=ipa,cn=etc,dc=example,dc=com
>>
>> dnaThreshold: 500
>>
>> dnaType: uidNumber
>>
>> dnaType: gidNumber
>>
>> objectClass: top
>>
>> objectClass: extensibleObject
>>
>>
>> # search result
>>
>> search: 2
>>
>> result: 0 Success
>>
>>
>> # numResponses: 2
>>
>> # numEntries: 1
>>
>> [root@ipa2 ~]#
>>
>>
>>
>>
>> On Thu, Aug 19, 2021 at 5:14 PM Rob Crittenden 
>> wrote:
>>
>>> Kathy Zhu via FreeIPA-users wrote:
>>> > Hello,
>>> >
>>> > ipa-healthcheck is a great tool! Really appreciate Rob making it
>>> > work for CentOS.
>>> >
>>> > When I ran it on all of our IPA servers, one server reported:
>>> >
>>> > [root@ipa2 ~]# ipa-healthcheck --failures-only --output-type human
>>> >
>>> > CRITICAL: ipahealthcheck.ipa.dna.IPADNARangeCheck: no matching entry
>>> found
>>> >
>>> > [root@ipa2 ~]#
>>> >
>>> >
>>> > I created a user and a group on this server, then deleted them and
>>> > reran ipa-healthcheck; I still get the same error. Here is the JSON
>>> > format of it:
>>> >
>>> >   {
>>> >
>>> > "source": "ipahealthcheck.ipa.dna",
>>> >
>>> > "kw": {
>>> >
>>> >   "exception": "no matching entry found"
>>> >
>>> > },
>>> >
>>> > "uuid": "aaf4da70-64ca-435f-8011-b40da74b874e",
>>> >
>>> > "duration": "0.136489",
>>> >
>>> > "when": "20210819224225Z",
>>> >
>>> > "check": "IPADNARangeCheck",
>>> >
>>> > "result": "CRITICAL"
>>> >
>>> >   }
>>> >
>>> >
>>> > We have 7 ipa servers, this is the only server with this error.
>>> >
>>> > The success one looks like below:
>>> >
>>> >   {
>>> > "source": "ipahealthcheck.ipa.dna",
>>> > "kw": {
>>> >   "range_start": 1889601184,
>>> >   "next_start": 0,
>>> >   "next_max": 0,
>>> >   "range_max": 1889625999
>>> > },
>>> > "uuid": "1ce671b9-76cf-46ce-b7d2-d5eec4079d63",
>>> > "duration": "0.309565",
>>> > "when": 

[Freeipa-users] Re: ipa-healthcheck - ipahealthcheck.ipa.dna.IPADNARangeCheck: no matching entry found

2021-08-19 Thread Kathy Zhu via FreeIPA-users
I ran the same ldapsearch on a good server and compared the outputs. Here
are the differences:

dnaMaxValue: 1889657499   |
dnaMaxValue: 1889607999

dnaNextValue: 1889650758  |
dnaNextValue: 1889601276


Thanks.


Kathy.

On Thu, Aug 19, 2021 at 6:02 PM Kathy Zhu  wrote:

> Hi Rob,
>
> Thanks for replying!
>
> It is not missing and I can create a new user or group on it:
>
> [root@ipa2 ~]#  ldapsearch -D "cn=directory manager" -W -b "cn=Posix
> IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config"
>
> Enter LDAP Password:
>
> # extended LDIF
>
> #
>
> # LDAPv3
>
> # base <cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config> with scope subtree
>
> # filter: (objectclass=*)
>
> # requesting: ALL
>
> #
>
>
> # Posix IDs, Distributed Numeric Assignment Plugin, plugins, config
>
> dn: cn=Posix IDs,cn=Distributed Numeric Assignment
> Plugin,cn=plugins,cn=config
>
> cn: Posix IDs
>
> dnaExcludeScope: cn=provisioning,dc=example,dc=com
>
> dnaFilter:
> (|(objectClass=posixAccount)(objectClass=posixGroup)(objectClass=ip
>
>  aIDobject))
>
> dnaMagicRegen: -1
>
> dnaMaxValue: 1889657499
>
> dnaNextValue: 1889650758
>
> dnaScope: dc=example,dc=com
>
> dnaSharedCfgDN: cn=posix-ids,cn=dna,cn=ipa,cn=etc,dc=example,dc=com
>
> dnaThreshold: 500
>
> dnaType: uidNumber
>
> dnaType: gidNumber
>
> objectClass: top
>
> objectClass: extensibleObject
>
>
> # search result
>
> search: 2
>
> result: 0 Success
>
>
> # numResponses: 2
>
> # numEntries: 1
>
> [root@ipa2 ~]#
>
>
>
>
> On Thu, Aug 19, 2021 at 5:14 PM Rob Crittenden 
> wrote:
>
>> Kathy Zhu via FreeIPA-users wrote:
>> > Hello,
>> >
>> > ipa-healthcheck is a great tool! Really appreciate Rob making it
>> > work for CentOS.
>> >
>> > When I ran it on all of our IPA servers, one server reported:
>> >
>> > [root@ipa2 ~]# ipa-healthcheck --failures-only --output-type human
>> >
>> > CRITICAL: ipahealthcheck.ipa.dna.IPADNARangeCheck: no matching entry
>> found
>> >
>> > [root@ipa2 ~]#
>> >
>> >
>> > I created a user and a group on this server, then deleted them and
>> > reran ipa-healthcheck; I still get the same error. Here is the JSON
>> > format of it:
>> >
>> >   {
>> >
>> > "source": "ipahealthcheck.ipa.dna",
>> >
>> > "kw": {
>> >
>> >   "exception": "no matching entry found"
>> >
>> > },
>> >
>> > "uuid": "aaf4da70-64ca-435f-8011-b40da74b874e",
>> >
>> > "duration": "0.136489",
>> >
>> > "when": "20210819224225Z",
>> >
>> > "check": "IPADNARangeCheck",
>> >
>> > "result": "CRITICAL"
>> >
>> >   }
>> >
>> >
>> > We have 7 ipa servers, this is the only server with this error.
>> >
>> > The success one looks like below:
>> >
>> >   {
>> > "source": "ipahealthcheck.ipa.dna",
>> > "kw": {
>> >   "range_start": 1889601184,
>> >   "next_start": 0,
>> >   "next_max": 0,
>> >   "range_max": 1889625999
>> > },
>> > "uuid": "1ce671b9-76cf-46ce-b7d2-d5eec4079d63",
>> > "duration": "0.309565",
>> > "when": "20210630231006Z",
>> > "check": "IPADNARangeCheck",
>> > "result": "SUCCESS"
>> >   }
>> >
>> >
>> > Any suggestions/ideas to fix it?
>>
>> It looks in here for the configuration. It could throw a not found if
>> it is missing (though why/how it could be I don't know):
>>
>> cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
>>
>> rob
>>
>>
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure
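Florence's five-step walk through the 389-ds access log (SRCH line, its conn= id, the BIND ops on that connection, the RESULT line that carries the mapped dn) and Rob's fix (make sure the host is in the ipaservers host group) can be scripted. The shell script below is an added example, not code from the thread or from the FreeIPA project: the function names, the constructed sample log lines (modelled on the conn=129591 lines Kathy posted) and the sample `ipa hostgroup-show` output are my own; `ipa hostgroup-show ipaservers` and `ipa hostgroup-add-member ipaservers --hosts=...` are the real FreeIPA CLI commands, and `ensure_in_ipaservers` is the only function that needs a live server and an admin ticket.

```shell
#!/bin/sh
# Added example (not from the thread or the FreeIPA project): trace which identity
# ipa-healthcheck used for the DNA config search, then check ipaservers membership.

DNA_BASE='cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config'

# Steps 2-5 of the access-log walk-through: take the conn= id of the latest SRCH
# against the DNA config entry and print the dn="..." from the RESULT of a BIND op
# on that connection. For SASL/GSSAPI the BIND lines themselves show dn="" (op=0..2
# are the GSSAPI round trips); the mapped identity appears only on the final
# RESULT with err=0, so that is the line read here.
dna_bind_dn() {
    log="$1"
    conn=$(grep -F "SRCH base=\"$DNA_BASE\"" "$log" | tail -n 1 |
           sed -n 's/.* conn=\([0-9]*\) .*/\1/p')
    [ -n "$conn" ] || return 1
    awk -v c="conn=$conn" '
        # fields: [timestamp tz] conn=N op=M TYPE ...  => $3=conn $4=op $5=type
        $3 == c && $5 == "BIND" { bindop[$4] = 1 }
        $3 == c && $5 == "RESULT" && ($4 in bindop) && $0 ~ / err=0 / {
            if (match($0, /dn="[^"]*"/)) dn = substr($0, RSTART + 4, RLENGTH - 5)
        }
        END { if (dn == "") exit 1; print dn }' "$log"
}

# A host keytab maps to fqdn=<host>,cn=computers,cn=accounts,...; return the host,
# or fail when the bound identity is not a host (e.g. a uid=... user).
host_from_dn() {
    case "$1" in
        fqdn=*,cn=computers,cn=accounts,*) printf '%s\n' "${1#fqdn=}" | cut -d, -f1 ;;
        *) return 1 ;;
    esac
}

# Pure helper: decide membership from captured `ipa hostgroup-show` output, whose
# "Member hosts:" line lists the members comma-separated.
host_in_group_output() {
    host="$1"; output="$2"
    printf '%s\n' "$output" | sed -n 's/^ *Member hosts: //p' | tr ',' '\n' |
        sed 's/^ *//; s/ *$//' | grep -qxF "$host"
}

# Live check and fix (needs an admin Kerberos ticket); not run by the demo below.
ensure_in_ipaservers() {
    host="$1"
    if host_in_group_output "$host" "$(ipa hostgroup-show ipaservers)"; then
        echo "$host is already a member of ipaservers"
    else
        ipa hostgroup-add-member ipaservers --hosts="$host"
    fi
}

# Constructed sample data modelled on the lines Kathy posted (conn=129591); the
# err=14 "SASL bind in progress" results are the intermediate GSSAPI steps.
sample_log() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
[20/Aug/2021:10:29:27.774670410 -0700] conn=129591 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[20/Aug/2021:10:29:27.775100000 -0700] conn=129591 op=0 RESULT err=14 tag=97 nentries=0 etime=0.000400000, SASL bind in progress
[20/Aug/2021:10:29:27.778256471 -0700] conn=129591 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
[20/Aug/2021:10:29:27.778900000 -0700] conn=129591 op=1 RESULT err=14 tag=97 nentries=0 etime=0.000600000, SASL bind in progress
[20/Aug/2021:10:29:27.780236168 -0700] conn=129591 op=2 BIND dn="" method=sasl version=3 mech=GSSAPI
[20/Aug/2021:10:29:27.780808034 -0700] conn=129591 op=2 RESULT err=0 tag=97 nentries=0 etime=0.000631206 dn="fqdn=ipa2.example.com,cn=computers,cn=accounts,dc=example,dc=com"
[20/Aug/2021:10:29:27.781656511 -0700] conn=129591 op=3 SRCH base="cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config" scope=0 filter="(objectClass=*)" attrs=ALL
[20/Aug/2021:10:29:27.782000000 -0700] conn=129591 op=3 RESULT err=0 tag=101 nentries=0 etime=0.000300000
EOF
    echo "$f"
}
SAMPLE_SHOW='  Host-group: ipaservers
  Description: IPA server hosts
  Member hosts: ipa1.example.com, ipa3.example.com'

# Demo run over the sample: the searching identity is ipa2's host principal,
# which the sample host group does not contain.
LOG=$(sample_log)
dn=$(dna_bind_dn "$LOG") && echo "DNA config searched as: $dn"
if host=$(host_from_dn "$dn"); then
    if host_in_group_output "$host" "$SAMPLE_SHOW"; then
        echo "$host is in ipaservers; the missing permission lies elsewhere"
    else
        echo "$host is NOT in ipaservers; fix: ensure_in_ipaservers $host"
    fi
fi
rm -f "$LOG"
```

The point the script encodes is the one Florence makes: for a GSSAPI bind the `BIND dn=""` line tells you nothing, so the identity has to be read from the `RESULT err=0 ... dn="..."` of the same conn/op pair. On a real server run `dna_bind_dn /var/log/dirsrv/slapd-DOMAIN-COM/access` and, if the dn is a host entry, `ensure_in_ipaservers <host>`; a dn that is a user entry points at a missing read permission on the user instead, which this script does not fix.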


[Freeipa-users] Re: ipa-healthcheck - ipahealthcheck.ipa.dna.IPADNARangeCheck: no matching entry found

2021-08-19 Thread Kathy Zhu via FreeIPA-users
Thanks. In my case, I can create a user or group.

On Thu, Aug 19, 2021 at 4:37 PM Vinícius Ferrão 
wrote:

> Take a look at this blog article:
>
>
> https://rcritten.wordpress.com/2015/01/05/freeipa-and-no-dna-range/
>
> Sent from my iPhone
>
> On 19 Aug 2021, at 20:35, Kathy Zhu via FreeIPA-users <
> freeipa-users@lists.fedorahosted.org> wrote:
>
> 
> Hello,
>
> ipa-healthcheck is a great tool! Really appreciate Rob making it work
> for CentOS.
>
> When I ran it on all of our IPA servers, one server reported:
>
> [root@ipa2 ~]# ipa-healthcheck --failures-only --output-type human
>
> CRITICAL: ipahealthcheck.ipa.dna.IPADNARangeCheck: no matching entry found
>
> [root@ipa2 ~]#
>
>
> I created a user and a group on this server, then deleted them and reran
> ipa-healthcheck; I still get the same error. Here is the JSON format
> of it:
>
>   {
>
> "source": "ipahealthcheck.ipa.dna",
>
> "kw": {
>
>   "exception": "no matching entry found"
>
> },
>
> "uuid": "aaf4da70-64ca-435f-8011-b40da74b874e",
>
> "duration": "0.136489",
>
> "when": "20210819224225Z",
>
> "check": "IPADNARangeCheck",
>
> "result": "CRITICAL"
>
>   }
>
> We have 7 ipa servers, this is the only server with this error.
>
> The success one looks like below:
>
>   {
> "source": "ipahealthcheck.ipa.dna",
> "kw": {
>   "range_start": 1889601184,
>   "next_start": 0,
>   "next_max": 0,
>   "range_max": 1889625999
> },
> "uuid": "1ce671b9-76cf-46ce-b7d2-d5eec4079d63",
> "duration": "0.309565",
> "when": "20210630231006Z",
> "check": "IPADNARangeCheck",
> "result": "SUCCESS"
>   }
>
>
> Any suggestions/ideas to fix it?
>
> Thank you!
>
> Kathy
>
>
>
>
>
>
>


[Freeipa-users] Re: ipa-healthcheck - ipahealthcheck.ipa.dna.IPADNARangeCheck: no matching entry found

2021-08-19 Thread Kathy Zhu via FreeIPA-users
Hi Rob,

Thanks for replying!

It is not missing and I can create a new user or group on it:

[root@ipa2 ~]#  ldapsearch -D "cn=directory manager" -W -b "cn=Posix
IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config"

Enter LDAP Password:

# extended LDIF

#

# LDAPv3

# base <cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config> with scope subtree

# filter: (objectclass=*)

# requesting: ALL

#


# Posix IDs, Distributed Numeric Assignment Plugin, plugins, config

dn: cn=Posix IDs,cn=Distributed Numeric Assignment
Plugin,cn=plugins,cn=config

cn: Posix IDs

dnaExcludeScope: cn=provisioning,dc=example,dc=com

dnaFilter:
(|(objectClass=posixAccount)(objectClass=posixGroup)(objectClass=ip

 aIDobject))

dnaMagicRegen: -1

dnaMaxValue: 1889657499

dnaNextValue: 1889650758

dnaScope: dc=example,dc=com

dnaSharedCfgDN: cn=posix-ids,cn=dna,cn=ipa,cn=etc,dc=example,dc=com

dnaThreshold: 500

dnaType: uidNumber

dnaType: gidNumber

objectClass: top

objectClass: extensibleObject


# search result

search: 2

result: 0 Success


# numResponses: 2

# numEntries: 1

[root@ipa2 ~]#




On Thu, Aug 19, 2021 at 5:14 PM Rob Crittenden  wrote:

> Kathy Zhu via FreeIPA-users wrote:
> > Hello,
> >
> > ipa-healthcheck is a great tool! Really appreciate Rob making it
> > work for CentOS.
> >
> > When I ran it on all of our IPA servers, one server reported:
> >
> > [root@ipa2 ~]# ipa-healthcheck --failures-only --output-type human
> >
> > CRITICAL: ipahealthcheck.ipa.dna.IPADNARangeCheck: no matching entry
> found
> >
> > [root@ipa2 ~]#
> >
> >
> > I created a user and a group on this server, then deleted them and
> > reran ipa-healthcheck; I still get the same error. Here is the JSON
> > format of it:
> >
> >   {
> >
> > "source": "ipahealthcheck.ipa.dna",
> >
> > "kw": {
> >
> >   "exception": "no matching entry found"
> >
> > },
> >
> > "uuid": "aaf4da70-64ca-435f-8011-b40da74b874e",
> >
> > "duration": "0.136489",
> >
> > "when": "20210819224225Z",
> >
> > "check": "IPADNARangeCheck",
> >
> > "result": "CRITICAL"
> >
> >   }
> >
> >
> > We have 7 ipa servers, this is the only server with this error.
> >
> > The success one looks like below:
> >
> >   {
> > "source": "ipahealthcheck.ipa.dna",
> > "kw": {
> >   "range_start": 1889601184,
> >   "next_start": 0,
> >   "next_max": 0,
> >   "range_max": 1889625999
> > },
> > "uuid": "1ce671b9-76cf-46ce-b7d2-d5eec4079d63",
> > "duration": "0.309565",
> > "when": "20210630231006Z",
> > "check": "IPADNARangeCheck",
> > "result": "SUCCESS"
> >   }
> >
> >
> > Any suggestions/ideas to fix it?
>
> It looks in here for the configuration. It could throw a not found if
> it is missing (though why/how it could be I don't know):
>
> cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
>
> rob
>
>


[Freeipa-users] Re: ipa-healthcheck - ipahealthcheck.ipa.dna.IPADNARangeCheck: no matching entry found

2021-08-19 Thread Rob Crittenden via FreeIPA-users
Kathy Zhu via FreeIPA-users wrote:
> Hello, 
> 
> ipa-healthcheck is a great tool! Really appreciate Rob making it
> work for CentOS.
> 
> When I ran it on all of our IPA servers, one server reported:
> 
> [root@ipa2 ~]# ipa-healthcheck --failures-only --output-type human
> 
> CRITICAL: ipahealthcheck.ipa.dna.IPADNARangeCheck: no matching entry found
> 
> [root@ipa2 ~]#
> 
> 
> I created a user and a group on this server, then deleted them and
> reran ipa-healthcheck; I still get the same error. Here is the JSON
> format of it:
> 
>   {
> 
>     "source": "ipahealthcheck.ipa.dna", 
> 
>     "kw": {
> 
>       "exception": "no matching entry found"
> 
>     }, 
> 
>     "uuid": "aaf4da70-64ca-435f-8011-b40da74b874e", 
> 
>     "duration": "0.136489", 
> 
>     "when": "20210819224225Z", 
> 
>     "check": "IPADNARangeCheck", 
> 
>     "result": "CRITICAL"
> 
>   }
> 
> 
> We have 7 ipa servers, this is the only server with this error. 
> 
> The success one looks like below: 
> 
>   {
>     "source": "ipahealthcheck.ipa.dna",
>     "kw": {
>       "range_start": 1889601184,
>       "next_start": 0,
>       "next_max": 0,
>       "range_max": 1889625999
>     },
>     "uuid": "1ce671b9-76cf-46ce-b7d2-d5eec4079d63",
>     "duration": "0.309565",
>     "when": "20210630231006Z",
>     "check": "IPADNARangeCheck",
>     "result": "SUCCESS"
>   }
> 
> 
> Any suggestions/ideas to fix it? 

It looks in here for the configuration. It could throw a not found if
it is missing (though why/how it could be I don't know):

cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config

rob


[Freeipa-users] Re: ipa-healthcheck - ipahealthcheck.ipa.dna.IPADNARangeCheck: no matching entry found

2021-08-19 Thread Vinícius Ferrão via FreeIPA-users
Take a look at this blog article:


https://rcritten.wordpress.com/2015/01/05/freeipa-and-no-dna-range/

Sent from my iPhone

On 19 Aug 2021, at 20:35, Kathy Zhu via FreeIPA-users 
 wrote:


Hello,

ipa-healthcheck is a great tool! Really appreciate Rob making it work for
CentOS.

When I ran it on all of our IPA servers, one server reported:

[root@ipa2 ~]# ipa-healthcheck --failures-only --output-type human

CRITICAL: ipahealthcheck.ipa.dna.IPADNARangeCheck: no matching entry found

[root@ipa2 ~]#

I created a user and a group on this server, then deleted them and reran
ipa-healthcheck; I still get the same error. Here is the JSON format of it:


  {

"source": "ipahealthcheck.ipa.dna",

"kw": {

  "exception": "no matching entry found"

},

"uuid": "aaf4da70-64ca-435f-8011-b40da74b874e",

"duration": "0.136489",

"when": "20210819224225Z",

"check": "IPADNARangeCheck",

"result": "CRITICAL"

  }

We have 7 ipa servers, this is the only server with this error.

The success one looks like below:


  {
"source": "ipahealthcheck.ipa.dna",
"kw": {
  "range_start": 1889601184,
  "next_start": 0,
  "next_max": 0,
  "range_max": 1889625999
},
"uuid": "1ce671b9-76cf-46ce-b7d2-d5eec4079d63",
"duration": "0.309565",
"when": "20210630231006Z",
"check": "IPADNARangeCheck",
"result": "SUCCESS"
  }

Any suggestions/ideas to fix it?

Thank you!

Kathy




