Chris Welsh wrote:
> Hi François,
>
> Thx for getting back to me. So far no luck.
>
> On Fri, 21 Aug 2020 at 9:05 pm, François Cami <[email protected]> wrote:
>
> > On Fri, Aug 21, 2020 at 1:08 AM Chris Welsh via FreeIPA-users
> > <[email protected]> wrote:
> > >
> > > Hi Rob,
> > >
> > > Could this be because I removed the replica and there are records
> > > still dangling in the config? Is there a way to find out where they
> > > are and remove them?
> >
> > At worst, use ldapsearch to identify remaining objects.
>
> I have now moved to domain level “1” and re-joined the replica (2nd
> master with CA), but got the original message back in the new master's
> logs, which was the reason why I removed it (tried to simplify to get to
> the root cause of intermittent loss of groups for users). And
> unfortunately this did not solve the issue with users losing their
> group creds (I do not enumerate groups). (6 users today). :-(

Got what original message back? What issue with looking for groups?

> Aug 21 19:22:38 vmdr-linuxidm ns-slapd: [21/Aug/2020:19:22:38.153428704 +1000] - ERR - ipapwd_getkeytab - [file ipa_pwd_extop.c, line 1647]: Not allowed to retrieve keytab on [[email protected]] as user [fqdn=vmdr-linuxidm.unix.foo.org.au,cn=computers,cn=accounts,dc=unix,dc=foo,dc=org,dc=au]!
> Aug 21 19:22:38 vmdr-linuxidm sssd: Failed to parse result: Insufficient access rights
> Aug 21 19:22:38 vmdr-linuxidm sssd: Failed to get keytab
> Aug 21 19:22:38 vmdr-linuxidm ns-slapd: [21/Aug/2020:19:22:38.254032634 +1000] - ERR - is_allowed_to_access_attr - [file ipa_pwd_extop.c, line 787]: slapi_access_allowed does not allow READ to ipaProtectedOperation;read_keys!

What is the context of this error?

rob

> > > At the moment we have no active replicas,
> >
> > So you have a single instance? OK. Please don't run that for too long.
>
> Thx
>
> > > as I wanted to simplify the config so as to find the root cause of
> > > intermittent loss of groups. Looks like this could be adding to my
> > > headaches.
> > >
> > > And finally, having domain level not set to one will prevent me
> > > from creating replicas in the first place?
> >
> > Domain Level 0 (DL0) support has been removed. You will be able to
> > create replicas using old versions, but ideally, once the above
> > problem is sorted out, you might be better off updating to DL1.
>
> Thx
>
> > > On Fri, 21 Aug 2020, 6:42 am Rob Crittenden, <[email protected]> wrote:
> > >>
> > >> Chris Welsh via FreeIPA-users wrote:
> > >> > Hi Rob,
> > >> >
> > >> > I have run your tool and found it to report some issues. I
> > >> > wonder if you could help me figure out what they are. Our problem is
> > >> > that we often have staff who lose their groups and this has been
> > >> > happening for 3 years. sss_cache -u username sometimes fixes it. Any
> > >> > advice greatly welcome. Note that I have removed our secondary master
> > >> > “vmpdr-linuxidm......”
> > >> >
> > >> > Really keen to solve this but no expert.
> > >> > CentOS 7.8 server and clients
> > >> > ipa-server-4.6.6
> > >>
> > >> The "Unexpected SRV entry in DNS" warnings mean that some servers are
> > >> defined in the IPA domain with services that IPA provides but those
> > >> servers aren't IPA servers.
> > >>
> > >> Similarly, "Expected SRV record missing", a SRV record is missing for an
> > >> IPA service for one or more IPA servers.
> > >>
> > >> "expected ipa-ca IPAddr missing" means that the IPA server at
> > >> 10.126.18.129 is not in the ipa-ca CNAME (and also caught with the count
> > >> of ipa-ca records).
> > >>
> > >> The final errors are due to your installation still using domain level
> > >> 0. You can ignore these if you don't want to or can't update domain
> > >> levels. https://www.freeipa.org/page/Domain_Levels
> > >>
> > >> rob
> > >>
> > >> >
> > >> > [
> > >> >   {
> > >> >     "source": "ipahealthcheck.ipa.idns",
> > >> >     "kw": {
> > >> >       "msg": "Unexpected SRV entry in DNS",
> > >> >       "key": "_ntp._udp.unix.foo.org.au.:vmdr-linuxidm.unix.foo.org.au."
> > >> >     },
> > >> >     "uuid": "57735f69-6d98-4ae1-9f0a-dd848bbfa1f7",
> > >> >     "duration": "0.024868",
> > >> >     "when": "20200820104327Z",
> > >> >     "check": "IPADNSSystemRecordsCheck",
> > >> >     "result": "WARNING"
> > >> >   },
> > >> >   {
> > >> >     "source": "ipahealthcheck.ipa.idns",
> > >> >     "kw": {
> > >> >       "msg": "Expected SRV record missing",
> > >> >       "key": "_kerberos._tcp.dc._msdcs.unix.foo.org.au.:vmpr-linuxidm.unix.foo.org.au."
> > >> >     },
> > >> >     "uuid": "3b789068-16ff-4684-bb5e-3add8a62b2b8",
> > >> >     "duration": "0.025853",
> > >> >     "when": "20200820104327Z",
> > >> >     "check": "IPADNSSystemRecordsCheck",
> > >> >     "result": "WARNING"
> > >> >   },
> > >> >   {
> > >> >     "source": "ipahealthcheck.ipa.idns",
> > >> >     "kw": {
> > >> >       "msg": "Unexpected SRV entry in DNS",
> > >> >       "key": "_kerberos._tcp.unix.foo.org.au.:vmpr-linuxidm.unix.foo.org.au."
> > >> >     },
> > >> >     "uuid": "bab58235-1a9b-48bc-9b4c-b0e75b91d619",
> > >> >     "duration": "0.027710",
> > >> >     "when": "20200820104327Z",
> > >> >     "check": "IPADNSSystemRecordsCheck",
> > >> >     "result": "WARNING"
> > >> >   },
> > >> >   {
> > >> >     "source": "ipahealthcheck.ipa.idns",
> > >> >     "kw": {
> > >> >       "msg": "Unexpected SRV entry in DNS",
> > >> >       "key": "_kerberos._tcp.unix.foo.org.au.:vmdr-linuxidm.unix.foo.org.au."
> > >> >     },
> > >> >     "uuid": "44a47316-ba13-4226-9625-2f29f369cdd4",
> > >> >     "duration": "0.027825",
> > >> >     "when": "20200820104327Z",
> > >> >     "check": "IPADNSSystemRecordsCheck",
> > >> >     "result": "WARNING"
> > >> >   },
> > >> >   {
> > >> >     "source": "ipahealthcheck.ipa.idns",
> > >> >     "kw": {
> > >> >       "msg": "Expected SRV record missing",
> > >> >       "key": "_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.unix.foo.org.au.:vmpr-linuxidm.unix.foo.org.au."
> > >> >     },
> > >> >     "uuid": "313a97f5-9f05-4465-a50f-27996c22c306",
> > >> >     "duration": "0.028995",
> > >> >     "when": "20200820104327Z",
> > >> >     "check": "IPADNSSystemRecordsCheck",
> > >> >     "result": "WARNING"
> > >> >   },
> > >> >   {
> > >> >     "source": "ipahealthcheck.ipa.idns",
> > >> >     "kw": {
> > >> >       "msg": "Unexpected SRV entry in DNS",
> > >> >       "key": "_kerberos._udp.unix.foo.org.au.:vmdr-linuxidm.unix.foo.org.au."
> > >> >     },
> > >> >     "uuid": "d00274ff-12a9-465f-957e-392c4edd7e5a",
> > >> >     "duration": "0.030514",
> > >> >     "when": "20200820104327Z",
> > >> >     "check": "IPADNSSystemRecordsCheck",
> > >> >     "result": "WARNING"
> > >> >   },
> > >> >   {
> > >> >     "source": "ipahealthcheck.ipa.idns",
> > >> >     "kw": {
> > >> >       "msg": "Unexpected SRV entry in DNS",
> > >> >       "key": "_kerberos-master._udp.unix.foo.org.au.:vmdr-linuxidm.unix.foo.org.au."
> > >> >     },
> > >> >     "uuid": "0e50f8e7-6321-429a-b84e-3a88922ec07b",
> > >> >     "duration": "0.031876",
> > >> >     "when": "20200820104327Z",
> > >> >     "check": "IPADNSSystemRecordsCheck",
> > >> >     "result": "WARNING"
> > >> >   },
> > >> >   {
> > >> >     "source": "ipahealthcheck.ipa.idns",
> > >> >     "kw": {
> > >> >       "msg": "Unexpected SRV entry in DNS",
> > >> >       "key": "_kpasswd._udp.unix.foo.org.au.:vmdr-linuxidm.unix.foo.org.au."
> > >> >     },
> > >> >     "uuid": "011bf574-e7ea-4f5d-8bf6-f5ecdd722ecd",
> > >> >     "duration": "0.033430",
> > >> >     "when": "20200820104327Z",
> > >> >     "check": "IPADNSSystemRecordsCheck",
> > >> >     "result": "WARNING"
> > >> >   },
> > >> >   {
> > >> >     "source": "ipahealthcheck.ipa.idns",
> > >> >     "kw": {
> > >> >       "msg": "Unexpected SRV entry in DNS",
> > >> >       "key": "_kpasswd._tcp.unix.foo.org.au.:vmdr-linuxidm.unix.foo.org.au."
> > >> >     },
> > >> >     "uuid": "d00839d9-6e83-481d-9685-8eaca6caea14",
> > >> >     "duration": "0.034777",
> > >> >     "when": "20200820104327Z",
> > >> >     "check": "IPADNSSystemRecordsCheck",
> > >> >     "result": "WARNING"
> > >> >   },
> > >> >   {
> > >> >     "source": "ipahealthcheck.ipa.idns",
> > >> >     "kw": {
> > >> >       "msg": "Expected SRV record missing",
> > >> >       "key": "_kerberos._udp.Default-First-Site-Name._sites.dc._msdcs.unix.foo.org.au.:vmpr-linuxidm.unix.foo.org.au."
> > >> >     },
> > >> >     "uuid": "8bff3eb5-521d-4029-b368-c1b4cd39047c",
> > >> >     "duration": "0.036379",
> > >> >     "when": "20200820104327Z",
> > >> >     "check": "IPADNSSystemRecordsCheck",
> > >> >     "result": "WARNING"
> > >> >   },
> > >> >   {
> > >> >     "source": "ipahealthcheck.ipa.idns",
> > >> >     "kw": {
> > >> >       "msg": "Unexpected SRV entry in DNS",
> > >> >       "key": "_ldap._tcp.unix.foo.org.au.:vmdr-linuxidm.unix.foo.org.au."
> > >> >     },
> > >> >     "uuid": "2091880e-5777-4854-abb4-bc14c032b1af",
> > >> >     "duration": "0.037861",
> > >> >     "when": "20200820104327Z",
> > >> >     "check": "IPADNSSystemRecordsCheck",
> > >> >     "result": "WARNING"
> > >> >   },
> > >> >   {
> > >> >     "source": "ipahealthcheck.ipa.idns",
> > >> >     "kw": {
> > >> >       "msg": "Expected SRV record missing",
> > >> >       "key": "_ldap._tcp.dc._msdcs.unix.foo.org.au.:vmpr-linuxidm.unix.foo.org.au."
> > >> >     },
> > >> >     "uuid": "8f9862fa-45a0-4bdd-b561-93a6a15ac7f1",
> > >> >     "duration": "0.038836",
> > >> >     "when": "20200820104327Z",
> > >> >     "check": "IPADNSSystemRecordsCheck",
> > >> >     "result": "WARNING"
> > >> >   },
> > >> >   {
> > >> >     "source": "ipahealthcheck.ipa.idns",
> > >> >     "kw": {
> > >> >       "msg": "Unexpected SRV entry in DNS",
> > >> >       "key": "_kerberos-master._tcp.unix.foo.org.au.:vmdr-linuxidm.unix.foo.org.au."
> > >> >     },
> > >> >     "uuid": "cfd7b896-da90-4ac4-9b08-eccdbafeca30",
> > >> >     "duration": "0.040348",
> > >> >     "when": "20200820104327Z",
> > >> >     "check": "IPADNSSystemRecordsCheck",
> > >> >     "result": "WARNING"
> > >> >   },
> > >> >   {
> > >> >     "source": "ipahealthcheck.ipa.idns",
> > >> >     "kw": {
> > >> >       "msg": "Expected SRV record missing",
> > >> >       "key": "_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.unix.foo.org.au.:vmpr-linuxidm.unix.foo.org.au."
> > >> >     },
> > >> >     "uuid": "3c38ad1e-96a5-41fd-a161-56dde9601896",
> > >> >     "duration": "0.041473",
> > >> >     "when": "20200820104327Z",
> > >> >     "check": "IPADNSSystemRecordsCheck",
> > >> >     "result": "WARNING"
> > >> >   },
> > >> >   {
> > >> >     "source": "ipahealthcheck.ipa.idns",
> > >> >     "kw": {
> > >> >       "msg": "Expected SRV record missing",
> > >> >       "key": "_kerberos._udp.dc._msdcs.unix.foo.org.au.:vmpr-linuxidm.unix.foo.org.au."
> > >> >     },
> > >> >     "uuid": "fd6a163f-a338-4ff0-a2f2-9fb00064ab93",
> > >> >     "duration": "0.042447",
> > >> >     "when": "20200820104327Z",
> > >> >     "check": "IPADNSSystemRecordsCheck",
> > >> >     "result": "WARNING"
> > >> >   },
> > >> >   {
> > >> >     "source": "ipahealthcheck.ipa.idns",
> > >> >     "kw": {
> > >> >       "msg": "expected ipa-ca IPAddr missing",
> > >> >       "key": "10.126.18.129"
> > >> >     },
> > >> >     "uuid": "59581cec-e08f-4e67-aed1-697698d66e92",
> > >> >     "duration": "0.044304",
> > >> >     "when": "20200820104327Z",
> > >> >     "check": "IPADNSSystemRecordsCheck",
> > >> >     "result": "WARNING"
> > >> >   },
> > >> >   {
> > >> >     "source": "ipahealthcheck.ipa.idns",
> > >> >     "kw": {
> > >> >       "expected": 1,
> > >> >       "count": 2,
> > >> >       "msg": "Got {count} ipa-ca A records, expected {expected}"
> > >> >     },
> > >> >     "uuid": "6852b70e-b366-44a3-bc1f-6bde42f79209",
> > >> >     "duration": "0.044392",
> > >> >     "when": "20200820104327Z",
> > >> >     "check": "IPADNSSystemRecordsCheck",
> > >> >     "result": "WARNING"
> > >> >   },
> > >> >   {
> > >> >     "source": "ipahealthcheck.ipa.topology",
> > >> >     "kw": {
> > >> >       "msg": "topologysuffix-verify domain failed, Topology management requires minimum domain level 1 "
> > >> >     },
> > >> >     "uuid": "e5386d69-3028-4c71-8a93-87de8e954682",
> > >> >     "duration": "0.002170",
> > >> >     "when": "20200820104332Z",
> > >> >     "check": "IPATopologyDomainCheck",
> > >> >     "result": "ERROR"
> > >> >   },
> > >> >   {
> > >> >     "source": "ipahealthcheck.ipa.topology",
> > >> >     "kw": {
> > >> >       "msg": "topologysuffix-verify domain failed, Topology management requires minimum domain level 1 "
> > >> >     },
> > >> >     "uuid": "c50ccc80-d031-4a52-a097-43b6b09c46c6",
> > >> >     "duration": "0.005159",
> > >> >     "when": "20200820104332Z",
> > >> >     "check": "IPATopologyDomainCheck",
> > >> >     "result": "ERROR"
> > >> >   }
> > >> > ]
> > >> >
> > >>
> > >
> >
> --
> regards,
> Christopher Welsh

_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
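As an added example (not code from the thread or from the FreeIPA project), the script below groups the IPADNSSystemRecordsCheck findings quoted in the thread by hostname, separating the "Unexpected SRV entry in DNS" and "Expected SRV record missing" warnings Rob explains so that a removed-replica's leftover records stand out per host. It assumes the JSON layout of the quoted report; the embedded sample is a constructed subset of it.

```python
import json
from collections import defaultdict

# Constructed sample: a trimmed subset of the ipa-healthcheck JSON quoted above.
SAMPLE_REPORT = """[
 {"source": "ipahealthcheck.ipa.idns", "check": "IPADNSSystemRecordsCheck", "result": "WARNING",
  "kw": {"msg": "Unexpected SRV entry in DNS",
         "key": "_ldap._tcp.unix.foo.org.au.:vmdr-linuxidm.unix.foo.org.au."}},
 {"source": "ipahealthcheck.ipa.idns", "check": "IPADNSSystemRecordsCheck", "result": "WARNING",
  "kw": {"msg": "Unexpected SRV entry in DNS",
         "key": "_kerberos._tcp.unix.foo.org.au.:vmdr-linuxidm.unix.foo.org.au."}},
 {"source": "ipahealthcheck.ipa.idns", "check": "IPADNSSystemRecordsCheck", "result": "WARNING",
  "kw": {"msg": "Expected SRV record missing",
         "key": "_ldap._tcp.dc._msdcs.unix.foo.org.au.:vmpr-linuxidm.unix.foo.org.au."}},
 {"source": "ipahealthcheck.ipa.idns", "check": "IPADNSSystemRecordsCheck", "result": "WARNING",
  "kw": {"msg": "expected ipa-ca IPAddr missing", "key": "10.126.18.129"}},
 {"source": "ipahealthcheck.ipa.topology", "check": "IPATopologyDomainCheck", "result": "ERROR",
  "kw": {"msg": "topologysuffix-verify domain failed, Topology management requires minimum domain level 1 "}}
]"""

UNEXPECTED = "Unexpected SRV entry in DNS"   # host offers an IPA service but is not an IPA server
MISSING = "Expected SRV record missing"      # an IPA server lacks a record it should have

def summarise_dns_findings(report_json):
    """Return (by_host, others): by_host maps hostname -> {"unexpected": [srv...],
    "missing": [srv...]} from IPADNSSystemRecordsCheck keys of the form
    "<srv record>:<host>"; every other finding lands in others as (check, result, msg)."""
    by_host = defaultdict(lambda: {"unexpected": [], "missing": []})
    others = []
    for entry in json.loads(report_json):
        kw = entry.get("kw", {})
        msg, key = kw.get("msg", ""), kw.get("key", "")
        if (entry.get("check") == "IPADNSSystemRecordsCheck"
                and msg in (UNEXPECTED, MISSING) and ":" in key):
            srv, host = key.split(":", 1)          # e.g. "_ldap._tcp.<domain>.:<fqdn>."
            bucket = "unexpected" if msg == UNEXPECTED else "missing"
            by_host[host.rstrip(".")][bucket].append(srv)
        else:                                      # ipa-ca IP/count and topology findings
            others.append((entry.get("check"), entry.get("result"), msg.strip()))
    return dict(by_host), others

if __name__ == "__main__":
    hosts, rest = summarise_dns_findings(SAMPLE_REPORT)
    for host, recs in sorted(hosts.items()):
        print(f"{host}: unexpected={recs['unexpected']} missing={recs['missing']}")
    for check, result, msg in rest:
        print(f"{result} {check}: {msg}")
```

Run over a full report, the per-host lists show which hostnames still carry SRV records although they are no longer IPA servers and which IPA servers lack records, which is a useful starting point for the ldapsearch François suggests.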
