Jeremy Tourville via FreeIPA-users wrote:
> Question: Why are these healthcheck issues present? IPA03 can run a trust
> show and the Domain Security Identifier matches the kw key.
> Should the uuid be the same or different between IPA02 and IPA03?
The first U in UUID is unique.
>
> Scenario:
>
> 3 IPA servers
>
> Replication pattern:
> 1 -> 2 & 3
> 2 -> 1 & 3
> 3 -> 1 & 2
>
> All servers are:
> AD trust agent
> AD trust controller
> CA server
> DNS server
>
> health check on IPA01 is completely healthy
>
> [root@gsil-ipa03 ~]# ipa-healthcheck --failures-only
> CN=GSIL-CA,DC=gsil,DC=smil not found, assuming 3rd party
> [
> {
> "source": "ipahealthcheck.ipa.trust",
> "check": "IPATrustDomainsCheck",
> "result": "WARNING",
> "uuid": "82ff4156-efd4-4bab-a092-ce5d5736c7e8",
> "when": "20230324133158Z",
> "duration": "0.235919",
> "kw": {
> "key": "domain-status",
> "domain": "gsil.x",
> "msg": "Domain {domain} is not online"
> }
> },
> {
> "source": "ipahealthcheck.ipa.trust",
> "check": "IPATrustCatalogCheck",
> "result": "WARNING",
> "uuid": "c8a1bebe-fd44-4ea6-8d98-f20ad6726d00",
> "when": "20230324133158Z",
> "duration": "0.008165",
> "kw": {
> "key": "S-1-5-21-3568498085-2952124370-1649233135",
> "error": "returned nothing",
> "msg": "Look up of {key} {error}"
> }
> },
> {
> "source": "ipahealthcheck.ipa.trust",
> "check": "IPATrustCatalogCheck",
> "result": "ERROR",
> "uuid": "c0aed85c-9c0a-42df-83ab-d69b4bc054a5",
> "when": "20230324133158Z",
> "duration": "0.114333",
> "kw": {
> "key": "AD Global Catalog",
> "output": "Active servers:\nIPA: gsil-ipa03.idm.x.x",
> "sssctl": "/usr/sbin/sssctl",
> "domain": "gsil.x",
> "msg": "{key} not found in {sssctl} 'domain-status' output: {output}"
> }
> },
> {
> "source": "ipahealthcheck.ipa.trust",
> "check": "IPATrustCatalogCheck",
> "result": "ERROR",
> "uuid": "6542b352-88ae-4524-ba76-94960adfe9a7",
> "when": "20230324133158Z",
> "duration": "0.114378",
> "kw": {
> "key": "AD Domain Controller",
> "output": "Active servers:\nIPA: gsil-ipa03.idm.x.x",
> "sssctl": "/usr/sbin/sssctl",
> "domain": "gsil.x",
> "msg": "{key} not found in {sssctl} 'domain-status' output: {output}"
> }
> }
> ]
>
> [root@gsil-ipa03 ~]# ipa trust-show
> Realm name: gsil.x
> Realm name: gsil.x
> Domain NetBIOS name: GSIL
> Domain Security Identifier: S-1-5-21-3568498085-2952124370-1649233135
> Trust direction: Trusting forest
> Trust type: Active Directory domain
SSSD on this machine cannot communicate with the AD server for some
reason. You'll need to dive into the SSSD logs to find out why.
Having a trust in IPA is no guarantee that the trust is working now,
just that it was working at the time the trust agreement was created.
rob
>
> [root@gsil-ipa02 ~]# ipa-healthcheck --failures-only
> caSigningCert External CA not found, assuming 3rd party
> [
> {
> "source": "ipahealthcheck.ipa.trust",
> "check": "IPATrustDomainsCheck",
> "result": "WARNING",
> "uuid": "319ec55d-6d71-48fa-bb80-4ab5acb9a62b",
> "when": "20230324133810Z",
> "duration": "0.281341",
> "kw": {
> "key": "domain-status",
> "domain": "gsil.x",
> "msg": "Domain {domain} is not online"
> }
> }
> ]
> _______________________________________________
> FreeIPA-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/[email protected]
> Do not reply to spam, report it:
> https://pagure.io/fedora-infrastructure/new_issue
>
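For comparing healthcheck output between replicas as in the thread above, here is an added example (not part of the original messages and not ipa-healthcheck's own code). It skips the notice line printed before the JSON array, fills each `msg` template from its `kw` fields, and matches findings on source, check, result and `kw.key` rather than on `uuid`. The hostnames, domain and uuids in the sample are constructed, and the helper names are hypothetical.

```python
import json

# Constructed sample shaped like the output quoted above: a notice line,
# then the JSON array. Hostnames, domain and uuids are made up.
IPA03 = r'''EXAMPLE-CA not found, assuming 3rd party
[
 {"source": "ipahealthcheck.ipa.trust", "check": "IPATrustDomainsCheck",
  "result": "WARNING", "uuid": "00000000-0000-4000-8000-000000000001",
  "kw": {"key": "domain-status", "domain": "ad.example.test",
         "msg": "Domain {domain} is not online"}},
 {"source": "ipahealthcheck.ipa.trust", "check": "IPATrustCatalogCheck",
  "result": "ERROR", "uuid": "00000000-0000-4000-8000-000000000002",
  "kw": {"key": "AD Global Catalog", "sssctl": "/usr/sbin/sssctl",
         "output": "Active servers:\nIPA: ipa03.example.test",
         "msg": "{key} not found in {sssctl} 'domain-status' output: {output}"}}
]'''
IPA02 = r'''[
 {"source": "ipahealthcheck.ipa.trust", "check": "IPATrustDomainsCheck",
  "result": "WARNING", "uuid": "00000000-0000-4000-8000-000000000003",
  "kw": {"key": "domain-status", "domain": "ad.example.test",
         "msg": "Domain {domain} is not online"}}
]'''

def load_results(text):
    """Parse healthcheck output, skipping notice lines before the JSON array."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        if line.lstrip().startswith("["):
            return json.loads("\n".join(lines[i:]))
    return []  # no JSON array in the text: nothing to report

def render(result):
    """Fill the msg template from the result's own kw fields."""
    kw = result.get("kw", {})
    return kw.get("msg", "").format_map(kw)

def finding_key(result):
    """Identity of a finding across servers; uuid is per result, so it is left out."""
    kw = result.get("kw", {})
    return (result["source"], result["check"], result["result"], kw.get("key"))

def only_on(a, b):
    """Findings present in a but not in b, compared by finding_key."""
    seen = {finding_key(r) for r in b}
    return [r for r in a if finding_key(r) not in seen]

if __name__ == "__main__":
    for r in only_on(load_results(IPA03), load_results(IPA02)):
        print(r["result"], r["check"], "-", render(r))
```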