Hi,

What is the output of
klist -A
klist -k /etc/krb5.keytab
on the machine where ipa-healthcheck command fails?
ipa-healthcheck is using a kerberos ticket to authenticate to the LDAP
server (obtained from /etc/krb5.keytab), and has different access rights
depending on the identity mapped to this ticket. I suspect that the LDAP
operations don't return any entry because they are mapped to a wrong
identity.

You can also have a look at the directory server access logs to check which
identity is used:
1. open /var/log/dirsrv/slapd-DOMAIN-COM/access
2. look for a line containing the following:
SRCH base="cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config"
3. In this line, note the conn=<value>. On my machine I see for instance:
[20/Aug/2021:08:14:03.982502295 +0200] *conn=17816* op=3 SRCH base="cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config" scope=0 filter="(objectClass=*)" attrs=ALL
4. Go up in the logs and find the BIND operation that took place on this
connection: the line must contain the same *conn=<value>* and *BIND dn=*:
[20/Aug/2021:08:14:03.978879492 +0200] *conn=17816* *op=2* *BIND dn=*"" method=sasl version=3 mech=GSSAPI
5. Find the corresponding result: the line must contain the same *conn=<value>
op=<value>* and will give you the dn used for the LDAP operation:
[20/Aug/2021:08:14:03.981131807 +0200] *conn=17816 op=2* RESULT err=0 tag=97 nentries=0 wtime=0.000152828 optime=0.002257466 etime=0.002407324 *dn="uid=idmuser,cn=users,cn=accounts,dc=domain,dc=com"*

In my example ipa-healthcheck fails to find the cn=Posix IDs entry because
it is using an LDAP connection bound as uid=idmuser, who doesn't have the
required read permissions.

HTH,
flo
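
As an added example (not from this thread, and not code from the ipa-healthcheck or 389-ds projects), here is a small Python script that automates the conn/op correlation described in steps 1-5 above: it walks a dirsrv access log, finds every SRCH on the DNA configuration entry, and reports which bound identity the connection was using at that point, together with how many entries the search returned. The log line format is the real 389-ds access log format; the sample lines are constructed, modelled on the ones quoted above (the in-progress GSSAPI step and the second, cn=Directory Manager session are assumptions added for contrast). Point it at a real file by passing its contents instead of SAMPLE_ACCESS_LOG.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional

# The DNA configuration entry that IPADNARangeCheck reads (from the thread).
DNA_CONFIG_DN = "cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config"

# Constructed sample in 389-ds access-log format. conn=17816 mirrors the GSSAPI
# session quoted above (with an assumed err=14 "bind in progress" step added);
# conn=17900 is an assumed Directory Manager session that does see the entry.
SAMPLE_ACCESS_LOG = """\
[20/Aug/2021:08:14:03.970000000 +0200] conn=17816 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
[20/Aug/2021:08:14:03.971000000 +0200] conn=17816 op=1 RESULT err=14 tag=97 nentries=0 wtime=0.000100000 optime=0.001000000 etime=0.001100000, SASL bind in progress
[20/Aug/2021:08:14:03.978879492 +0200] conn=17816 op=2 BIND dn="" method=sasl version=3 mech=GSSAPI
[20/Aug/2021:08:14:03.981131807 +0200] conn=17816 op=2 RESULT err=0 tag=97 nentries=0 wtime=0.000152828 optime=0.002257466 etime=0.002407324 dn="uid=idmuser,cn=users,cn=accounts,dc=domain,dc=com"
[20/Aug/2021:08:14:03.982502295 +0200] conn=17816 op=3 SRCH base="cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config" scope=0 filter="(objectClass=*)" attrs=ALL
[20/Aug/2021:08:14:03.982600000 +0200] conn=17816 op=3 RESULT err=0 tag=101 nentries=0 wtime=0.000010000 optime=0.000100000 etime=0.000110000
[20/Aug/2021:08:15:10.000000000 +0200] conn=17900 op=0 BIND dn="cn=Directory Manager" method=128 version=3
[20/Aug/2021:08:15:10.001000000 +0200] conn=17900 op=0 RESULT err=0 tag=97 nentries=0 wtime=0.000010000 optime=0.000100000 etime=0.000110000 dn="cn=directory manager"
[20/Aug/2021:08:15:10.002000000 +0200] conn=17900 op=1 SRCH base="cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config" scope=0 filter="(objectClass=*)" attrs=ALL
[20/Aug/2021:08:15:10.003000000 +0200] conn=17900 op=1 RESULT err=0 tag=101 nentries=1 wtime=0.000010000 optime=0.000100000 etime=0.000110000
"""

LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>-?\d+) (?P<rest>.*)$')
DN_RE = re.compile(r'\bdn="(?P<dn>[^"]*)"')
BASE_RE = re.compile(r'\bbase="(?P<base>[^"]*)"')
ERR_RE = re.compile(r'\berr=(?P<err>\d+)')
NENTRIES_RE = re.compile(r'\bnentries=(?P<n>\d+)')


def normalize_dn(dn: str) -> str:
    """Loose DN comparison: case-insensitive, ignoring whitespace around RDN separators."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def parse_line(line: str) -> Optional[dict]:
    """Split one access-log line into timestamp, connection id, op id and the rest."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"ts": m.group("ts"), "conn": int(m.group("conn")),
            "op": int(m.group("op")), "rest": m.group("rest")}


def resolve_search_identities(log_text: str, base_dn: str) -> List[dict]:
    """For every SRCH on base_dn, return the DN the connection was bound as and nentries."""
    target = normalize_dn(base_dn)
    bind_ops = defaultdict(set)          # conn -> ops that were BIND requests
    completed_binds = defaultdict(list)  # conn -> [(op, dn)] for binds with err=0
    searches: List[dict] = []
    search_index: Dict[tuple, dict] = {}

    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        conn, op, rest = rec["conn"], rec["op"], rec["rest"]
        if rest.startswith("BIND "):
            bind_ops[conn].add(op)
        elif rest.startswith("SRCH "):
            bm = BASE_RE.search(rest)
            if bm and normalize_dn(bm.group("base")) == target:
                entry = {"ts": rec["ts"], "conn": conn, "op": op, "bound_dn": None, "nentries": None}
                searches.append(entry)
                search_index[(conn, op)] = entry
        elif rest.startswith("RESULT "):
            em = ERR_RE.search(rest)
            err = int(em.group("err")) if em else -1
            if op in bind_ops[conn]:
                # GSSAPI binds take several round trips; intermediate steps return
                # err=14. Only the final err=0 RESULT carries the dn= the
                # connection is now bound as (no dn= means anonymous).
                if err == 0:
                    dm = DN_RE.search(rest)
                    completed_binds[conn].append((op, dm.group("dn") if dm else ""))
            elif (conn, op) in search_index:
                nm = NENTRIES_RE.search(rest)
                search_index[(conn, op)]["nentries"] = int(nm.group("n")) if nm else None

    for entry in searches:
        # Identity in effect = most recent successful bind on the same connection
        # that completed before the search op; none seen means anonymous.
        prior = [dn for (bop, dn) in completed_binds[entry["conn"]] if bop < entry["op"]]
        entry["bound_dn"] = prior[-1] if prior else ""
    return searches


if __name__ == "__main__":
    for hit in resolve_search_identities(SAMPLE_ACCESS_LOG, DNA_CONFIG_DN):
        who = hit["bound_dn"] or "<anonymous>"
        print(f"{hit['ts']} conn={hit['conn']} op={hit['op']} bound as {who!r}: nentries={hit['nentries']}")
```

On the sample, the GSSAPI session shows up bound as uid=idmuser with nentries=0, while the Directory Manager session returns nentries=1 for the same base and filter; that contrast is exactly the access-rights symptom described above, and a zero-entry result for a principal that should be able to read the entry points at the identity (or the ACIs for it) rather than at a missing entry.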

On Fri, Aug 20, 2021 at 3:19 AM Kathy Zhu via FreeIPA-users <
freeipa-users@lists.fedorahosted.org> wrote:

> I ran the same ldapsearch on a good server and compared the outputs. Here
> are the differences:
>
> dnaMaxValue: 1889657499                                       |
> dnaMaxValue: 1889607999
>
> dnaNextValue: 1889650758                                      |
> dnaNextValue: 1889601276
>
>
> Thanks.
>
>
> Kathy.
>
> On Thu, Aug 19, 2021 at 6:02 PM Kathy Zhu <k...@nuro.ai> wrote:
>
>> Hi Rob,
>>
>> Thanks for replying!
>>
>> It is not missing and I can create new user or group on it:
>>
>> [root@ipa2 ~]#  ldapsearch -D "cn=directory manager" -W -b "cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config"
>> Enter LDAP Password:
>> # extended LDIF
>> #
>> # LDAPv3
>> # base <cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config> with scope subtree
>> # filter: (objectclass=*)
>> # requesting: ALL
>> #
>>
>> # Posix IDs, Distributed Numeric Assignment Plugin, plugins, config
>> dn: cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
>> cn: Posix IDs
>> dnaExcludeScope: cn=provisioning,dc=example,dc=com
>> dnaFilter: (|(objectClass=posixAccount)(objectClass=posixGroup)(objectClass=ipaIDobject))
>> dnaMagicRegen: -1
>> dnaMaxValue: 1889657499
>> dnaNextValue: 1889650758
>> dnaScope: dc=example,dc=com
>> dnaSharedCfgDN: cn=posix-ids,cn=dna,cn=ipa,cn=etc,dc=example,dc=com
>> dnaThreshold: 500
>> dnaType: uidNumber
>> dnaType: gidNumber
>> objectClass: top
>> objectClass: extensibleObject
>>
>> # search result
>> search: 2
>> result: 0 Success
>>
>> # numResponses: 2
>> # numEntries: 1
>> [root@ipa2 ~]#
>>
>>
>>
>>
>> On Thu, Aug 19, 2021 at 5:14 PM Rob Crittenden <rcrit...@redhat.com>
>> wrote:
>>
>>> Kathy Zhu via FreeIPA-users wrote:
>>> > Hello,
>>> >
>>> > ipa-healthcheck is a great tool! Really appreciate Rob making it
>>> > work for CentOS.
>>> >
>>> > When I ran it on all of our IPA servers, one server reported:
>>> >
>>> > [root@ipa2 ~]# ipa-healthcheck --failures-only --output-type human
>>> > CRITICAL: ipahealthcheck.ipa.dna.IPADNARangeCheck: no matching entry found
>>> > [root@ipa2 ~]#
>>> >
>>> >
>>> > I created a user and a group on this server then deleted them,
>>> > rerun ipa-healthcheck, I still get the same error. Here is the JSON
>>> > format of it:
>>> >
>>> >   {
>>> >     "source": "ipahealthcheck.ipa.dna",
>>> >     "kw": {
>>> >       "exception": "no matching entry found"
>>> >     },
>>> >     "uuid": "aaf4da70-64ca-435f-8011-b40da74b874e",
>>> >     "duration": "0.136489",
>>> >     "when": "20210819224225Z",
>>> >     "check": "IPADNARangeCheck",
>>> >     "result": "CRITICAL"
>>> >   }
>>> >
>>> >
>>> > We have 7 ipa servers, this is the only server with this error.
>>> >
>>> > The success one looks like below:
>>> >
>>> >   {
>>> >     "source": "ipahealthcheck.ipa.dna",
>>> >     "kw": {
>>> >       "range_start": 1889601184,
>>> >       "next_start": 0,
>>> >       "next_max": 0,
>>> >       "range_max": 1889625999
>>> >     },
>>> >     "uuid": "1ce671b9-76cf-46ce-b7d2-d5eec4079d63",
>>> >     "duration": "0.309565",
>>> >     "when": "20210630231006Z",
>>> >     "check": "IPADNARangeCheck",
>>> >     "result": "SUCCESS"
>>> >   }
>>> >
>>> >
>>> > Any suggestions/ideas to fix it?
>>>
>>> It looks in here for the configuration. It could throw a not found if
>>> it is missing (though why/how it could be I don't know):
>>>
>>> cn=Posix IDs,cn=Distributed Numeric Assignment
>>> Plugin,cn=plugins,cn=config
>>>
>>> rob
>>>
>>> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
> Do not reply to spam on the list, report it:
> https://pagure.io/fedora-infrastructure
>