Petros Triantafyllidis wrote:
> Thanks for healthcheck Rob,
> 
> In our setup (2 CentOS 7.7 servers, running
> ipa-server-4.6.5-11.el7.centos.3.x86_64) I get the output below when
> ipa-healthcheck runs at the replica. The output is identical at master
> too, except the first warning ("No DNA range defined. If no masters
> define a range then users and groups cannot be created."). How serious
> is my case?
> Any recommendation is highly appreciated.
> 
> Thanks again,
> Petros
> 
> [
>   {
>     "source": "ipahealthcheck.ipa.dna",
>     "kw": {
>       "msg": "No DNA range defined. If no masters define a range then
> users and groups cannot be created.",
>       "range_start": 0,
>       "next_start": 0,
>       "next_max": 0,
>       "range_max": 0
>     },
>     "uuid": "f414f514-38b2-4381-a161-f43ea81ffbae",
>     "duration": "0.578066",
>     "when": "20191107160820Z",
>     "check": "IPADNARangeCheck",
>     "result": "WARNING"
>   },

This is just a heads-up. It means that this master doesn't have a DNA
range. If your other master dies then you'll get the dreaded "ERROR:
Operations error: Allocation of a new value for range failed".

We don't allocate a range to every master because there are some users
that have a LOT of masters and each time a range is allocated it splits
in half.

So it may be perfectly fine, hence the warning.

>   {
>     "source": "ipahealthcheck.ipa.files",
>     "kw": {
>       "msg": "Permissions of /etc/dirsrv/slapd-GEO-SS-LAN/cert8.db are
> 0600 and should be 0640",
>       "key": "_etc_dirsrv_slapd-GEO-SS-LAN_cert8.db_mode",
>       "got": "0600",
>       "expected": "0640",
>       "path": "/etc/dirsrv/slapd-GEO-SS-LAN/cert8.db",
>       "type": "mode"
>     },
>     "uuid": "5a4a4d41-0761-403e-82f2-485bcfff5dd9",
>     "duration": "0.000125",
>     "when": "20191107160820Z",
>     "check": "IPAFileNSSDBCheck",
>     "result": "WARNING"
>   },
>   {
>     "source": "ipahealthcheck.ipa.files",
>     "kw": {
>       "msg": "Permissions of /etc/dirsrv/slapd-GEO-SS-LAN/key3.db are
> 0600 and should be 0640",
>       "key": "_etc_dirsrv_slapd-GEO-SS-LAN_key3.db_mode",
>       "got": "0600",
>       "expected": "0640",
>       "path": "/etc/dirsrv/slapd-GEO-SS-LAN/key3.db",
>       "type": "mode"
>     },
>     "uuid": "8fd976a9-d011-4e2b-a77d-792f50b1f1e4",
>     "duration": "0.000593",
>     "when": "20191107160820Z",
>     "check": "IPAFileNSSDBCheck",
>     "result": "WARNING"
>   },
>   {
>     "source": "ipahealthcheck.ipa.files",
>     "kw": {
>       "msg": "Permissions of /etc/dirsrv/slapd-GEO-SS-LAN/secmod.db are
> 0600 and should be 0640",
>       "key": "_etc_dirsrv_slapd-GEO-SS-LAN_secmod.db_mode",
>       "got": "0600",
>       "expected": "0640",
>       "path": "/etc/dirsrv/slapd-GEO-SS-LAN/secmod.db",
>       "type": "mode"
>     },
>     "uuid": "a0f8da6d-79ec-419d-9288-144a3a33cd97",
>     "duration": "0.000902",
>     "when": "20191107160820Z",
>     "check": "IPAFileNSSDBCheck",
>     "result": "WARNING"
>   },

Yeah, these are tricky. Also a warning. Permissions can be such that
stricter or looser perms work just fine and are relatively equivalent in
protection. We warn if it doesn't match the installed default but in
this case the warnings can probably be ignored.

>   {
>     "source": "ipahealthcheck.ds.replication",
>     "kw": {
>       "msg": "Replication conflict",
>       "glue": false,
>       "conflict": "namingConflict cn=certmap,dc=geo,dc=ss,dc=lan",
>       "key":
> "cn=certmap+nsuniqueid=ebb8b88e-a2c811e7-8f22c768-d7e7aa51,dc=geo,dc=ss,dc=lan"
>     },
>     "uuid": "b9e9c71d-c97c-43be-806f-b37bdc3607c3",
>     "duration": "0.005029",
>     "when": "20191107160829Z",
>     "check": "ReplicationConflictCheck",
>     "result": "ERROR"
>   },

[ snip ]

What you'll want to do is compare the conflict entry with the "real"
entry to see if there are any differences. Chances are there aren't and
the conflict entries can be deleted.

rob
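
The comparison described above, as an added example that is not part of the original message or of FreeIPA's own tooling: it parses two LDIF entries (for instance as exported with ldapsearch) and reports the attributes that differ. The sample attribute values and the list of ignored attributes are assumptions; only the DNs and the conflict string come from the thread.

```python
import base64

# Attributes expected to differ between the two entries (assumed list; extend as needed).
IGNORED = {"dn", "nsds5replconflict", "nsuniqueid", "entryid", "entrydn",
           "entryusn", "createtimestamp", "modifytimestamp"}

def parse_ldif_entry(text):
    """Parse one LDIF entry into {attr_lowercase: set(values)}."""
    lines = []
    for raw in text.strip().splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]            # folded continuation line
        elif raw and not raw.startswith("#"):
            lines.append(raw)
    entry = {}
    for line in lines:
        attr, _, rest = line.partition(":")
        if rest.startswith(":"):            # "attr:: <base64 value>"
            value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
        else:
            value = rest.strip()
        entry.setdefault(attr.lower(), set()).add(value)
    return entry

def diff_entries(real, conflict, ignored=IGNORED):
    """Return {attr: (only_in_real, only_in_conflict)}; exact string comparison."""
    out = {}
    for attr in sorted((set(real) | set(conflict)) - ignored):
        a, b = real.get(attr, set()), conflict.get(attr, set())
        if a != b:
            out[attr] = (sorted(a - b), sorted(b - a))
    return out

# Constructed sample entries; only the DNs and the conflict string come from the thread.
REAL = """dn: cn=certmap,dc=geo,dc=ss,dc=lan
objectClass: top
objectClass: nsContainer
cn: certmap
"""
CONFLICT = """dn: cn=certmap+nsuniqueid=ebb8b88e-a2c811e7-8f22c768-d7e7aa51,
 dc=geo,dc=ss,dc=lan
objectClass: top
objectClass: nsContainer
cn: certmap
nsds5ReplConflict: namingConflict cn=certmap,dc=geo,dc=ss,dc=lan
"""

if __name__ == "__main__":
    delta = diff_entries(parse_ldif_entry(REAL), parse_ldif_entry(CONFLICT))
    print(delta or "no differences outside ignored attributes")
```

An empty result means the conflict entry carries nothing the real entry lacks, which is the case where the reply above says the conflict entry can be deleted.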