Hi,

On Mon, Jan 16, 2023 at 7:42 PM Jeremy Tourville via FreeIPA-users <
freeipa-users@lists.fedorahosted.org> wrote:

> I have recently added a replica to my existing setup.  Everything seems to
> work except for 2 issues that I have noted:
>
>  #1 IPA health check generates a warning from the replica only (master is
> ok)
> similar to this:
>
>  {
>     "source": "ipahealthcheck.ipa.trust",
>     "check": "IPATrustCatalogCheck",
>     "result": "WARNING",
>     "uuid": "my_uuid",
>     "when": "20191121135331Z",
>     "duration": "2.128808",
>     "kw": {
>       "key": "my_key",
>       "error": "returned nothing",
>       "msg": "Look up of {key} {error}"
>     }
>   },
>

ipa-healthcheck is extracting the domain SID for the AD domain, then tries
to resolve <domainSID>-500 to a name as this should be the SID of the AD
administrator.
If this fails, enable SSSD debugging on the replica as explained in
https://docs.pagure.org/sssd.sssd/users/troubleshooting.html and check SSSD
logs.

> #2 id some_user
> returns:
> id: 'some_user': no such user
>

Is it failing for IPA users or AD users?

flo

> I have also noted that:
>  ipa trust-fetch-domains "gsil.smil"
> returns an error - Fetching domains from trusted forest failed
>
> ipa trustdomain-find is able to find the domain
>
> ipa idrange-find returns the same set of results for both the master and
> the replica
>
> ipa-replica-manage dnarange-show
> shows that the dna ranges are not overlapping (my understanding is this is
> a good thing)
>
> My environment:
> Rocky 8.7
> FreeIPA 4.9.10
>
> Master: gsil-ipa01
> Replica: gsil-ipa02
>
>
> Both master and replica are configured with server roles: AD trust agent,
> AD trust controller, CA server, DNS server, KRA server.
>
> Are issues #1 and #2 related?  i.e., fix one and the other will work as
> expected?
> I am still reviewing possible solutions for why ldap lookup using the id
> command is not working.  But maybe it will never work unless I fix the
> healthcheck issue...
> Your input is greatly appreciated!
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
> Do not reply to spam, report it:
> https://pagure.io/fedora-infrastructure/new_issue
>
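An added example, not part of the original thread or of ipa-healthcheck itself: a small parser for ipa-healthcheck JSON output that picks out failed IPATrustCatalogCheck entries, expands the msg template, and flags whether the key is the <domainSID>-500 lookup described in the reply. The sample report and its SID are constructed, and treating "key" as the SID that was looked up is an assumption.

```python
import json
import re

# Constructed sample shaped like the report quoted in the thread; the SID is
# made up, and "key" holding the looked-up SID is an assumption.
SAMPLE = """[
  {"source": "ipahealthcheck.ipa.trust", "check": "IPATrustCatalogCheck",
   "result": "WARNING", "uuid": "constructed-1", "when": "20191121135331Z",
   "duration": "2.128808",
   "kw": {"key": "S-1-5-21-1111111111-2222222222-3333333333-500",
          "error": "returned nothing", "msg": "Look up of {key} {error}"}},
  {"source": "ipahealthcheck.ipa.trust", "check": "IPATrustDomainsCheck",
   "result": "SUCCESS", "uuid": "constructed-2", "when": "20191121135331Z",
   "duration": "0.01", "kw": {"key": "domain-list"}}
]"""

SID_RE = re.compile(r"^(S-1-5-21(?:-\d+){3})-(\d+)$")  # domain SID + RID
ADMIN_RID = 500  # well-known RID of the built-in AD Administrator account


def render(entry):
    """Expand {name} placeholders in kw['msg'] using the entry's kw values."""
    kw = entry.get("kw", {})
    # Plain substitution only; avoids str.format() on text from a report file.
    return re.sub(r"\{(\w+)\}",
                  lambda m: str(kw.get(m.group(1), m.group(0))),
                  kw.get("msg", ""))


def failed_sid_lookups(report_json):
    """Return one finding per IPATrustCatalogCheck entry that is not SUCCESS."""
    findings = []
    for entry in json.loads(report_json):
        if entry.get("check") != "IPATrustCatalogCheck":
            continue
        if entry.get("result") == "SUCCESS":
            continue
        m = SID_RE.match(str(entry.get("kw", {}).get("key", "")))
        findings.append({
            "result": entry.get("result"),
            "message": render(entry),
            "domain_sid": m.group(1) if m else None,
            "is_admin_sid": bool(m) and int(m.group(2)) == ADMIN_RID,
        })
    return findings


if __name__ == "__main__":
    for finding in failed_sid_lookups(SAMPLE):
        print(finding)
```

Running the same function over the JSON report from the master and from the replica shows which SID lookup fails only on the replica.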