Duncan Mortimer via FreeIPA-users wrote:
> Hi,
>
> We have a three node Centos 8 IPA domain which we upgraded from Centos 8.3 to
> 8.4 (IPA version 4.9.2) yesterday. This appeared to succeed without issue,
> with clients continuing to operate as expected. To give us confidence that
> all was well we ran ipa-healthcheck on each node post upgrade and this found
> no issues on our two client facing servers ipa0 and ipa1 but on the third
> machine, ipa2, which is configured as a hidden replica (and is used to take
> disaster recovery backups) we received the following error:
>
> [
> {
> "source": "ipahealthcheck.ipa.trust",
> "check": "IPATrustControllerServiceCheck",
> "result": "ERROR",
> "uuid": "f5d524a3-43c3-4320-92cb-c984727243d9",
> "when": "20210624085009Z",
> "duration": "0.000512",
> "kw": {
> "key": "ADTRUST",
> "msg": "{key} service is not enabled"
> }
> }
> ]
>
> We have Samba services setup for Centos based SMB file sharing - there is no
> Active Directory install on our network.
>
> Is this error a concern, or is it a consequence of being a hidden replica? If
> it is a problem, how might we go about fixing the issue? As a first step I've
> tried re-running ipa-adtrust and this didn't seem to need to make any changes:
>
>
> The log file for this installation can be found in
> /var/log/ipaserver-adtrust-install.log
> ==============================================================================
> This program will setup components needed to establish trust to AD domains for
> the IPA Server.
>
> This includes:
> * Configure Samba
> * Add trust related objects to IPA LDAP server
>
> To accept the default shown in brackets, press the Enter key.
>
> Configuring cross-realm trusts for IPA server requires password for user
> 'admin'.
> This user is a regular system account used for IPA server administration.
>
> admin password:
>
> IPA generated smb.conf detected.
> Overwrite smb.conf? [no]: yes
>
> The following operations may take some minutes to complete.
> Please wait until the prompt is returned.
>
> Configuring CIFS
> [1/24]: validate server hostname
> [2/24]: stopping smbd
> [3/24]: creating samba domain object
> Samba domain object already exists
> [4/24]: retrieve local idmap range
> [5/24]: writing samba config file
> [6/24]: creating samba config registry
> [7/24]: adding cifs Kerberos principal
> [8/24]: adding cifs and host Kerberos principals to the adtrust agents group
> [9/24]: check for cifs services defined on other replicas
> [10/24]: adding cifs principal to S4U2Proxy targets
> cifs principal already targeted, nothing to do.
> [11/24]: adding admin(group) SIDs
> Admin SID already set, nothing to do
> Admin group SID already set, nothing to do
> [12/24]: adding RID bases
> RID bases already set, nothing to do
> [13/24]: updating Kerberos config
> 'dns_lookup_kdc' already set to 'true', nothing to do.
> [14/24]: activating CLDAP plugin
> CLDAP plugin already configured, nothing to do
> [15/24]: activating sidgen task
> Sidgen task plugin already configured, nothing to do
> [16/24]: map BUILTIN\Guests to nobody group
> [17/24]: configuring smbd to start on boot
> [18/24]: enabling trusted domains support for older clients via Schema
> Compatibility plugin
> [19/24]: restarting Directory Server to take MS PAC and LDAP plugins
> changes into account
> [20/24]: adding fallback group
> Fallback group already set, nothing to do
> [21/24]: adding Default Trust View
> Default Trust View already exists.
> [22/24]: setting SELinux booleans
> [23/24]: starting CIFS services
> [24/24]: restarting smbd
> Done configuring CIFS.
>
> =============================================================================
> Setup complete
>
> You must make sure these network ports are open:
> TCP Ports:
> * 135: epmap
> * 138: netbios-dgm
> * 139: netbios-ssn
> * 445: microsoft-ds
> * 1024..1300: epmap listener range
> * 3268: msft-gc
> UDP Ports:
> * 138: netbios-dgm
> * 139: netbios-ssn
> * 389: (C)LDAP
> * 445: microsoft-ds
>
> See the ipa-adtrust-install(1) man page for more details
>
> =============================================================================
>
> But there is no change in ipahealthcheck output.
This particular check is only run on trust controllers, those machines
with the server role of AD trust controller. (ipa server-role-show
<hostname> 'AD trust controller')
It makes sure that the ADTRUST service is marked as enabled, so that the
services will be started by ipactl (smb).
You can see it with:
kinit admin
ldapsearch -Y GSSAPI -b cn=ADTRUST,cn=`hostname`,cn=masters,cn=ipa,cn=etc,dc=example,dc=test
So since it's a trust server and doesn't have ADTRUST enabled it means
that ipactl won't manage smb.
Now given your use case it's possible this is a false positive.
Alexander, what do you think?
rob
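One way to reproduce the check Rob describes by hand, as an added example that is not part of the thread and not ipa-healthcheck's own code. It assumes the cn=ADTRUST entry under cn=masters carries ipaConfigString values such as enabledService, hiddenService or configuredService; the function and variable names and the sample LDIF are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread or from ipa-healthcheck: classify the ADTRUST
# service entry that IPATrustControllerServiceCheck looks at, and optionally run it live.
# Assumption: cn=ADTRUST,cn=<host>,cn=masters,cn=ipa,cn=etc,<suffix> carries
# ipaConfigString values such as enabledService (started by ipactl), hiddenService
# (hidden replica) or configuredService (configured but not started by ipactl).

# Read an LDIF dump of the ADTRUST entry on stdin and print its state:
# enabled, hidden, configured, or absent (no ipaConfigString value at all).
adtrust_state_from_ldif() {
    values=$(tr -d '\r' | sed -n 's/^[iI]pa[cC]onfig[sS]tring:[[:space:]]*//p')
    case "$values" in
        *enabledService*)    echo enabled ;;
        *hiddenService*)     echo hidden ;;
        *configuredService*) echo configured ;;
        *)                   echo absent ;;
    esac
}

# Live check against the local server; $1 is the domain suffix, e.g. dc=example,dc=test.
# Needs a Kerberos ticket (kinit admin), like the ldapsearch in the reply above.
# Returns 0 only when ipactl will manage smb, i.e. the state is "enabled".
check_live() {
    base="cn=ADTRUST,cn=$(hostname),cn=masters,cn=ipa,cn=etc,$1"
    state=$(ldapsearch -LLL -Y GSSAPI -s base -b "$base" '(objectClass=*)' ipaConfigString 2>/dev/null \
            | adtrust_state_from_ldif)
    echo "ADTRUST service state on $(hostname): $state"
    [ "$state" = enabled ]
}

# Constructed sample input (not captured from ipa2): how a hidden replica's entry could look.
SAMPLE_HIDDEN_LDIF='dn: cn=ADTRUST,cn=ipa2.example.test,cn=masters,cn=ipa,cn=etc,dc=example,dc=test
objectClass: nsContainer
objectClass: ipaConfigObject
ipaConfigString: hiddenService'

# Usage: sh adtrust_check.sh --live dc=example,dc=test   (otherwise classify the sample)
if [ "${1:-}" = "--live" ]; then
    check_live "${2:-dc=example,dc=test}"
else
    printf '%s\n' "$SAMPLE_HIDDEN_LDIF" | adtrust_state_from_ldif
fi
```

With the sample input the classifier reports "hidden", which is the state ipa-healthcheck's enabledService test would flag on a hidden replica; run with --live on a trust controller to see the real value.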
_______________________________________________
FreeIPA-users mailing list -- [email protected]