On Sat, 11 Feb 2023, Grant Janssen via FreeIPA-users wrote:
> Users were reporting password change issues.
> ipa_check_consistency and cipa showed synchronization issues.
>
> grant@ef-idm04:~[20230211-7:01][#211]$ ipa-replica-manage re-initialize --from ef-idm01.production.efilm.com
> ipa: ERROR: Cannot open log file '/var/log/ipa/cli.log': [Errno 13] Permission denied: '/var/log/ipa/cli.log'
> Update in progress, 6 seconds elapsed
> Update succeeded
> grant@ef-idm04:~[20230211-7:02][#212]$
>
> I am in the middle of a migration from 7 —> 8 (3 of 5 servers are still CentOS 7).
> The AlmaLinux 8 systems showed an issue with log permissions when I executed
> the sync. The CentOS 7 systems did not output any error.
> ipa_check_consistency and cipa show these are all “in sync” now.
> What can I do to resolve these log issues, so next time I won’t see these again?

ipa-*-manage tools expect to be run as root on IPA servers. You are
running ipa-replica-manage as non-root and it cannot write to
/var/log/ipa/cli.log because only root can write there.

Granted, the man page for ipa-replica-manage(1) does not explicitly state
this, but the examples of using the command in the man page point to root's
session.

The same applies to all IPA tools from the freeipa-server (ipa-server in
RHEL/CentOS) package. They are all part of /usr/sbin and hence (at least
traditionally) aim for administrative use as root.

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland