Hi,

LDAP search on the node in question results in the following.

ldapsearch -Y GSSAPI -b cn=ADTRUST,cn=`hostname`,cn=masters,cn=ipa,cn=etc,dc=my,dc=domain
SASL/GSSAPI authentication started
SASL username: [email protected]
SASL SSF: 256
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <cn=ADTRUST,cn=ipa2.my.domain,cn=masters,cn=ipa,cn=etc,dc=my,dc=domain> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# ADTRUST, ipa2.my.domain, masters, ipa, etc, my.domain
dn: cn=ADTRUST,cn=ipa2.my.domain,cn=masters,cn=ipa,cn=etc,dc=my,dc=domain
objectClass: nsContainer
objectClass: ipaConfigObject
objectClass: top
cn: ADTRUST
ipaConfigString: startOrder 60
ipaConfigString: hiddenService

# search result
search: 4
result: 0 Success

# numResponses: 2
# numEntries: 1


If this isn’t a false positive, what steps should I take to try to resolve this?

Regards,

Duncan

-- 
Duncan Mortimer


On 28/06/2021, 07:27, "Alexander Bokovoy" <[email protected]> wrote:

    On Thu, 24 Jun 2021, Rob Crittenden wrote:
    >> But there is no change in ipahealthcheck output.
    >
    >This particular check is only run on trust controllers, those machines
    >with the server role of AD trust controller. (ipa server-role-show
    ><hostname> 'AD trust controller')
    >
    >It makes sure that the ADTRUST service is marked as enabled, so that the
    >services will be started by ipactl (smb).
    >
    >You can see it with:
    >
    >kinit admin
    >ldapsearch -Y GSSAPI -b cn=ADTRUST,cn=`hostname`,cn=masters,cn=ipa,cn=etc,dc=example,dc=test
    >
    >So since it's a trust server and doesn't have ADTRUST enabled it means
    >that ipactl won't manage smb.
    >
    >Now given your use case it's possible this is a false positive.
    >Alexander, what do you think?

    ADTRUST service should be present and active if ipa-adtrust-install was
    run. If it doesn't, that's an error and ipa-healthcheck highlights it
    correctly.


    -- 
    / Alexander Bokovoy
    Sr. Principal Software Engineer
    Security / Identity Management Engineering
    Red Hat Limited, Finland


_______________________________________________
FreeIPA-users mailing list -- [email protected]