Hi Rob,

ipa-healthcheck revealed several errors. I do not want to discuss all of them in public because I do not want to disclose the domain/subdomain names of our AD. (If you think the topic is worth discussing on the mailing list, I will obfuscate them before posting.)

I would highly appreciate it if you could take a quick look and tell me how severe they are and what I can possibly do to fix them. I do not care about KRA because we have not used the feature so far. KRA could be set up from scratch again - if possible. The replication conflicts sound much more troubling...

Cheers,
Ronald

  {
    "source": "pki.server.healthcheck.meta.csconfig",
    "check": "DogtagCertsConfigCheck",
    "result": "ERROR",
    "uuid": "29b240d3-a221-4bd5-a3d9-bae309ed33a7",
    "when": "20200616210039Z",
    "duration": "0.197320",
    "kw": {
      "key": "kra_transport",
      "nickname": "transportCert cert-pki-kra",
      "directive": "kra.transport.cert",
      "configfile": "/var/lib/pki/pki-tomcat/kra/conf/CS.cfg",
"msg": "Certificate 'transportCert cert-pki-kra' does not match the value of kra.transport.cert in /var/lib/pki/pki-tomcat/kra/conf/CS.cfg"
    }
--
  {
    "source": "pki.server.healthcheck.meta.csconfig",
    "check": "DogtagCertsConfigCheck",
    "result": "ERROR",
    "uuid": "c946f181-3745-499e-ab9c-289a4ffd36e9",
    "when": "20200616210039Z",
    "duration": "0.228105",
    "kw": {
      "key": "kra_storage",
      "nickname": "storageCert cert-pki-kra",
      "directive": "kra.storage.cert",
      "configfile": "/var/lib/pki/pki-tomcat/kra/conf/CS.cfg",
"msg": "Certificate 'storageCert cert-pki-kra' does not match the value of kra.storage.cert in /var/lib/pki/pki-tomcat/kra/conf/CS.cfg"
    }
--
  {
    "source": "pki.server.healthcheck.meta.csconfig",
    "check": "DogtagCertsConfigCheck",
    "result": "ERROR",
    "uuid": "0e59c252-53d8-449e-bc51-96b59e1a8acc",
    "when": "20200616210039Z",
    "duration": "0.260174",
    "kw": {
      "key": "kra_audit_signing",
      "nickname": "auditSigningCert cert-pki-kra",
      "directive": "kra.audit_signing.cert",
      "configfile": "/var/lib/pki/pki-tomcat/kra/conf/CS.cfg",
"msg": "Certificate 'auditSigningCert cert-pki-kra' does not match the value of kra.audit_signing.cert in /var/lib/pki/pki-tomcat/kra/conf/CS.cfg"
    }
--
  {
    "source": "ipahealthcheck.dogtag.ca",
    "check": "DogtagCertsConfigCheck",
    "result": "ERROR",
    "uuid": "01b18546-b473-40fb-9923-bfb23f152038",
    "when": "20200616210039Z",
    "duration": "0.260025",
    "kw": {
      "key": "transportCert cert-pki-kra",
      "directive": "ca.connector.KRA.transportCert",
      "configfile": "/var/lib/pki/pki-tomcat/conf/ca/CS.cfg",
"msg": "Certificate 'transportCert cert-pki-kra' does not match the value of ca.connector.KRA.transportCert in /var/lib/pki/pki-tomcat/conf/ca/CS.cfg"
    }
  },
--
  {
    "source": "ipahealthcheck.ds.replication",
    "check": "ReplicationConflictCheck",
    "result": "ERROR",
    "uuid": "3dca4913-3a30-4bff-8326-3c51b0aeda8c",
    "when": "20200616210039Z",
    "duration": "0.003225",
    "kw": {
"key": "cn=certmap+nsuniqueid=46562a35-994311e7-bcd9e321-1436c40f,dc=linux,dc=mydomain,dc=at",
      "glue": false,
      "conflict": "namingConflict cn=certmap,dc=linux,dc=mydomain,dc=at",
      "msg": "Replication conflict"
    }
  },
  {
    "source": "ipahealthcheck.ds.replication",
    "check": "ReplicationConflictCheck",
    "result": "ERROR",
    "uuid": "58623e97-e913-433a-9793-6bb233afdcc9",
    "when": "20200616210039Z",
    "duration": "0.003316",
    "kw": {
"key": "cn=Certificate Identity Mapping Administrators+nsuniqueid=46562a39-994311e7-bcd9e321-1436c40f,cn=privileges,cn=pbac,dc=linux,dc=mydomain,dc=at",
      "glue": false,
"conflict": "namingConflict cn=Certificate Identity Mapping Administrators,cn=privileges,cn=pbac,dc=linux,dc=mydomain,dc=at",
      "msg": "Replication conflict"
    }
  },
  {
    "source": "ipahealthcheck.ds.replication",
    "check": "ReplicationConflictCheck",
    "result": "ERROR",
    "uuid": "7a76e510-8b3a-41f6-b329-fc474ca6202f",
    "when": "20200616210039Z",
    "duration": "0.003397",
    "kw": {
"key": "cn=System: Modify Certmap Configuration+nsuniqueid=46562a41-994311e7-bcd9e321-1436c40f,cn=permissions,cn=pbac,dc=linux,dc=mydomain,dc=at",
      "glue": false,
"conflict": "namingConflict cn=System: Modify Certmap Configuration,cn=permissions,cn=pbac,dc=linux,dc=mydomain,dc=at",
      "msg": "Replication conflict"
    }
  },
  {
    "source": "ipahealthcheck.ds.replication",
    "check": "ReplicationConflictCheck",
    "result": "ERROR",
    "uuid": "e7588c0d-52d8-44d2-beec-4e3c31be3f4b",
    "when": "20200616210039Z",
    "duration": "0.003475",
    "kw": {
"key": "cn=System: Read Certmap Configuration+nsuniqueid=46562a45-994311e7-bcd9e321-1436c40f,cn=permissions,cn=pbac,dc=linux,dc=mydomain,dc=at",
      "glue": false,
"conflict": "namingConflict cn=System: Read Certmap Configuration,cn=permissions,cn=pbac,dc=linux,dc=mydomain,dc=at",
      "msg": "Replication conflict"
    }
  },
  {
    "source": "ipahealthcheck.ds.replication",
    "check": "ReplicationConflictCheck",
    "result": "ERROR",
    "uuid": "f18f8d2e-b304-4345-8625-55e62ea0a6ca",
    "when": "20200616210039Z",
    "duration": "0.003552",
    "kw": {
"key": "cn=System: Add Certmap Rules+nsuniqueid=46562a48-994311e7-bcd9e321-1436c40f,cn=permissions,cn=pbac,dc=linux,dc=mydomain,dc=at",
      "glue": false,
"conflict": "namingConflict cn=System: Add Certmap Rules,cn=permissions,cn=pbac,dc=linux,dc=mydomain,dc=at",
      "msg": "Replication conflict"
    }
  },
  {
    "source": "ipahealthcheck.ds.replication",
    "check": "ReplicationConflictCheck",
    "result": "ERROR",
    "uuid": "6509b40b-af09-4813-bd4f-330d8bc2ad07",
    "when": "20200616210039Z",
    "duration": "0.003626",
    "kw": {
"key": "cn=System: Delete Certmap Rules+nsuniqueid=46562a4c-994311e7-bcd9e321-1436c40f,cn=permissions,cn=pbac,dc=linux,dc=mydomain,dc=at",
      "glue": false,
"conflict": "namingConflict cn=System: Delete Certmap Rules,cn=permissions,cn=pbac,dc=linux,dc=mydomain,dc=at",
      "msg": "Replication conflict"
    }
  },
  {
    "source": "ipahealthcheck.ds.replication",
    "check": "ReplicationConflictCheck",
    "result": "ERROR",
    "uuid": "8d2acff4-40ce-4275-ae63-a7a98be207c2",
    "when": "20200616210039Z",
    "duration": "0.003701",
    "kw": {
"key": "cn=System: Modify Certmap Rules+nsuniqueid=46562a50-994311e7-bcd9e321-1436c40f,cn=permissions,cn=pbac,dc=linux,dc=mydomain,dc=at",
      "glue": false,
"conflict": "namingConflict cn=System: Modify Certmap Rules,cn=permissions,cn=pbac,dc=linux,dc=mydomain,dc=at",
      "msg": "Replication conflict"
    }
  },
  {
    "source": "ipahealthcheck.ds.replication",
    "check": "ReplicationConflictCheck",
    "result": "ERROR",
    "uuid": "0cf56b18-9f8f-47d1-b086-0ba928709bfc",
    "when": "20200616210039Z",
    "duration": "0.003794",
    "kw": {
"key": "cn=System: Read Certmap Rules+nsuniqueid=46562a54-994311e7-bcd9e321-1436c40f,cn=permissions,cn=pbac,dc=linux,dc=mydomain,dc=at",
      "glue": false,
"conflict": "namingConflict cn=System: Read Certmap Rules,cn=permissions,cn=pbac,dc=linux,dc=mydomain,dc=at",
      "msg": "Replication conflict"
    }
  },
  {
    "source": "ipahealthcheck.ds.replication",
    "check": "ReplicationConflictCheck",
    "result": "ERROR",
    "uuid": "6eea376a-1e81-4c31-98b4-fd3d72695951",
    "when": "20200616210039Z",
    "duration": "0.003873",
    "kw": {
"key": "cn=System: Modify External Group Membership+nsuniqueid=46562a5d-994311e7-bcd9e321-1436c40f,cn=permissions,cn=pbac,dc=linux,dc=mydomain,dc=at",
      "glue": false,
"conflict": "namingConflict cn=System: Modify External Group Membership,cn=permissions,cn=pbac,dc=linux,dc=mydomain,dc=at",
      "msg": "Replication conflict"
    }
  },
  {
    "source": "ipahealthcheck.ds.replication",
    "check": "ReplicationConflictCheck",
    "result": "ERROR",
    "uuid": "a4c35d33-31ca-452a-b13c-02ffd6d8eea3",
    "when": "20200616210039Z",
    "duration": "0.003953",
    "kw": {
"key": "cn=System: Read External Group Membership+nsuniqueid=46562a64-994311e7-bcd9e321-1436c40f,cn=permissions,cn=pbac,dc=linux,dc=mydomain,dc=at",
      "glue": false,
"conflict": "namingConflict cn=System: Read External Group Membership,cn=permissions,cn=pbac,dc=linux,dc=mydomain,dc=at",
      "msg": "Replication conflict"
    }
  },
  {
    "source": "ipahealthcheck.ds.replication",
    "check": "ReplicationConflictCheck",
    "result": "ERROR",
    "uuid": "22033461-49bb-4836-ab2f-0a989d046c3f",
    "when": "20200616210039Z",
    "duration": "0.004030",
    "kw": {
"key": "cn=System: Manage User Certificate Mappings+nsuniqueid=46562a6b-994311e7-bcd9e321-1436c40f,cn=permissions,cn=pbac,dc=linux,dc=mydomain,dc=at",
      "glue": false,
"conflict": "namingConflict cn=System: Manage User Certificate Mappings,cn=permissions,cn=pbac,dc=linux,dc=mydomain,dc=at",
      "msg": "Replication conflict"
    }
  },
  {
    "source": "ipahealthcheck.ds.replication",
    "check": "ReplicationConflictCheck",
    "result": "ERROR",
    "uuid": "86a73d33-7c33-49b5-bf25-4d175fb45180",
    "when": "20200616210039Z",
    "duration": "0.004114",
    "kw": {
"key": "krbPrincipalName=WELLKNOWN/anonym...@linux.mydomain.at+nsuniqueid=64bc25a5-994311e7-bcd9e321-1436c40f,cn=LINUX.MYDOMAIN.AT,cn=kerberos,dc=linux,dc=mydomain,dc=at",
      "glue": false,
"conflict": "namingConflict krbPrincipalName=WELLKNOWN/anonym...@linux.mydomain.at,cn=LINUX.MYDOMAIN.AT,cn=kerberos,dc=linux,dc=mydomain,dc=at",
      "msg": "Replication conflict"
    }
  },
  {
    "source": "ipahealthcheck.ds.replication",
    "check": "ReplicationConflictCheck",
    "result": "ERROR",
    "uuid": "98d8b851-1d33-4b0f-9b6b-c204abe9a721",
    "when": "20200616210039Z",
    "duration": "0.004185",
    "kw": {
"key": "cn=KDCs_PKINIT_Certs+nsuniqueid=64bc259d-994311e7-bcd9e321-1436c40f,cn=certprofiles,cn=ca,dc=linux,dc=mydomain,dc=at",
      "glue": false,
"conflict": "namingConflict cn=KDCs_PKINIT_Certs,cn=certprofiles,cn=ca,dc=linux,dc=mydomain,dc=at",
      "msg": "Replication conflict"
    }
  },
--
  {
    "source": "ipahealthcheck.ipa.certs",
    "check": "IPACertRevocation",
    "result": "ERROR",
    "uuid": "09f846de-b933-417b-a5b8-c018c7892e61",
    "when": "20200616210043Z",
    "duration": "2.086729",
    "kw": {
      "key": "20200603161155",
"msg": "Request for certificate failed, Certificate operation cannot be completed: EXCEPTION (Certificate serial number 0xffd0008 not found)"
    }
  },
  {
    "source": "ipahealthcheck.ipa.certs",
    "check": "IPACertRevocation",
    "result": "ERROR",
    "uuid": "2060d0c2-b602-4487-b5d9-6320c8488464",
    "when": "20200616210043Z",
    "duration": "2.158848",
    "kw": {
      "key": "20200603161428",
"msg": "Request for certificate failed, Certificate operation cannot be completed: EXCEPTION (Certificate serial number 0xffd0009 not found)"
    }
  },
  {
    "source": "ipahealthcheck.ipa.certs",
--
  {
    "source": "ipahealthcheck.ipa.trust",
    "check": "IPATrustDomainsCheck",
    "result": "ERROR",
    "uuid": "589666e0-0426-4dcd-8576-15ec5e1e37e0",
    "when": "20200616210043Z",
    "duration": "0.226474",
    "kw": {
      "key": "domain-list",
      "sssctl": "/usr/sbin/sssctl",
"sssd_domains": "mydomain.at, buero.mydomain.at, org.mydomain.at, tk.mydomain.at",
      "trust_domains": "mydomain.at",
"msg": "{sssctl} {key} reports mismatch: sssd domains {sssd_domains} trust domains {trust_domains}"
    }