Hi,

On Mon, Jan 16, 2023 at 7:42 PM Jeremy Tourville via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:

> I have recently added a replica to my existing setup. Everything seems to
> work except for 2 issues that I have noted:
>
> #1 IPA health check generates a warning from the replica only (master is
> ok)
> similar to this:
>
> {
>   "source": "ipahealthcheck.ipa.trust",
>   "check": "IPATrustCatalogCheck",
>   "result": "WARNING",
>   "uuid": "my_uuid",
>   "when": "20191121135331Z",
>   "duration": "2.128808",
>   "kw": {
>     "key": "my_key",
>     "error": "returned nothing",
>     "msg": "Look up of {key} {error}"
>   }
> },
>

ipa-healthcheck is extracting the domain SID for the AD domain, then tries to resolve <domainSID>-500 to a name as this should be the SID of the AD administrator. If this fails, enable SSSD debugging on the replica as explained in https://docs.pagure.org/sssd.sssd/users/troubleshooting.html and check SSSD logs.

> #2 id some_user
> returns:
> id: 'some_user': no such user
>

Is it failing for IPA users or AD users?

flo

> I have also noted that:
> ipa trust-fetch-domains "gsil.smil"
> return an error - Fetching domains from trusted forest failed
>
> ipa trustdomain-find is able to find the domain
>
> ipa idrange-find returns the same set of results for both the master and
> the replica
>
> ipa-replica-manage dnarange-show
> shows that the dna ranges are not overlapping (my understanding is this is
> a good thing)
>
> My environment:
> Rocky 8.7
> FreeIPA 4.9.10
>
> Master: gsil-ipa01
> Replica: gsil-ipa02
>
>
> Both master and replica are configured with server roles: AD trust agent,
> AD trust controller, CA server, DNS server, KRA server.
>
> Are issues #1 and #2 related? ie- fix one and the other will work as
> expected?
> I am still reviewing possible solutions for why ldap lookup using the id
> command is not working. But maybe it will never work unless I fix the
> healthcheck issue...
> Your input is greatly appreciated!
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
> Do not reply to spam, report it:
> https://pagure.io/fedora-infrastructure/new_issue
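The warning in this thread appears on the replica only, so a quick way to scope the problem is to compare the JSON reports from both servers. This is an added example, not part of the original message or of ipa-healthcheck itself: the function names are hypothetical, the two reports are constructed samples modelled on the entry quoted above, and it assumes each report is a JSON list of result objects with that shape.

```python
import json
import re

# Constructed sample reports, not real output. The replica entry copies the
# warning quoted in the thread, including its placeholder uuid and key.
REPLICA_REPORT = json.dumps([
    {"source": "ipahealthcheck.ipa.trust", "check": "IPATrustCatalogCheck",
     "result": "WARNING", "uuid": "my_uuid", "when": "20191121135331Z",
     "duration": "2.128808",
     "kw": {"key": "my_key", "error": "returned nothing",
            "msg": "Look up of {key} {error}"}},
])
MASTER_REPORT = json.dumps([
    {"source": "ipahealthcheck.ipa.trust", "check": "IPATrustCatalogCheck",
     "result": "SUCCESS", "uuid": "constructed_uuid",
     "when": "20191121135331Z", "duration": "0.5", "kw": {}},
])


def render(result):
    """Expand the {name} placeholders in kw['msg'] from the other kw fields."""
    kw = result.get("kw") or {}
    msg = kw.get("msg", "")
    # Plain substitution instead of str.format(): the template comes from a
    # file, so attribute or index lookups in it should not be evaluated.
    return re.sub(r"\{(\w+)\}",
                  lambda m: str(kw.get(m.group(1), m.group(0))), msg)


def problems(report_text):
    """Map (source, check) to [(result, message)] for non-SUCCESS entries."""
    found = {}
    for entry in json.loads(report_text):
        if entry.get("result") != "SUCCESS":
            key = (entry.get("source"), entry.get("check"))
            found.setdefault(key, []).append((entry.get("result"), render(entry)))
    return found


def only_on(host_report, reference_report):
    """Checks that fail on one host but not on the reference host."""
    reference = problems(reference_report)
    return {check: hits for check, hits in problems(host_report).items()
            if check not in reference}


if __name__ == "__main__":
    for (source, check), hits in only_on(REPLICA_REPORT, MASTER_REPORT).items():
        for level, message in hits:
            print(f"replica only: {source}.{check} [{level}] {message}")
```

A check that fails on one server only points at that host's local state, which fits the advice above to enable SSSD debugging on the replica.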