Yavor Marinov wrote:
> Hey Rob,
>
> Yes, error was present before regenerating the keytab, and I've done it
> using:
>
> kinit -kt /etc/ipa/dnssec/ipa-ods-exporter.keytab ipa-ods-exporter/login.example.net
>
> Then I only chown-ed the tab so it can be readable.

From what to what? A kinit refreshes a ticket, not the keytab.

The ACI error is curious though. If it got that far then it was able to
bind to LDAP. It just wasn't allowed to write. Which means that the
keytab is ok.

My guess is that a role or permission was removed.

Run ipa service-show --all --raw ipa-ods-exporter/login.example.net

It should look something like:

dn: krbprincipalname=ipa-ods-exporter/[email protected],cn=services,cn=accounts,dc=example,dc=test
krbcanonicalname: ipa-ods-exporter/[email protected]
krbprincipalname: ipa-ods-exporter/[email protected]
has_keytab: TRUE
managedby: fqdn=ipa.example.test,cn=computers,cn=accounts,dc=example,dc=test
ipaUniqueID: da330668-7694-11ef-a557-52540030d651
krbExtraData: AAJrN+xmdHVzZXIvYWRtaW5ARVhBTVBMRS5URVNUAA==
krbLastPwdChange: 20240919143835Z
krbLoginFailedCount: 0
krbPwdPolicyReference: cn=Default Service Password Policy,cn=services,cn=accounts,dc=example,dc=test
memberof: cn=DNS Servers,cn=privileges,cn=pbac,dc=example,dc=test
memberof: cn=System: Read DNS Configuration,cn=permissions,cn=pbac,dc=example,dc=test
memberof: cn=System: Write DNS Configuration,cn=permissions,cn=pbac,dc=example,dc=test
memberof: cn=System: Read DNS Servers Configuration,cn=permissions,cn=pbac,dc=example,dc=test
memberof: cn=System: Add DNS Entries,cn=permissions,cn=pbac,dc=example,dc=test
memberof: cn=System: Manage DNSSEC keys,cn=permissions,cn=pbac,dc=example,dc=test
memberof: cn=System: Manage DNSSEC metadata,cn=permissions,cn=pbac,dc=example,dc=test
memberof: cn=System: Read DNS Entries,cn=permissions,cn=pbac,dc=example,dc=test
memberof: cn=System: Remove DNS Entries,cn=permissions,cn=pbac,dc=example,dc=test
memberof: cn=System: Update DNS Entries,cn=permissions,cn=pbac,dc=example,dc=test
objectClass: krbprincipalaux
objectClass: ipaobject
objectClass: krbprincipal
objectClass: krbTicketPolicyAux
objectClass: ipaservice
objectClass: top
objectClass: pkiuser

rob

>
>
> On Wed, Sep 18, 2024 at 10:51 PM Rob Crittenden <[email protected]
> <mailto:[email protected]>> wrote:
>
> Yavor Marinov via FreeIPA-users wrote:
> > Hello all,
> >
> > Last few weeks I've been having issues with ipa-ods-export because it's
> > failing to start. Our infra is not impacted by the problem but I'd be
> > glad to know what could be the issue, as I've tried to regenerate the
> > keytab /etc/ipa/dnssec/ipa-ods-exporter.keytab
>
> Was it throwing this same error prior to regenerating the keytab? How
> did you do that?
>
> rob
>
> > Below is the error message
> >
> > ipa-ods-exporter[487019]: Traceback (most recent call last):
> > ipa-ods-exporter[487019]: File "/usr/lib/python3.9/site-packages/ipapython/ipaldap.py", line 1096, in error_handler
> > ipa-ods-exporter[487019]: yield
> > ipa-ods-exporter[487019]: File "/usr/lib/python3.9/site-packages/ipapython/ipaldap.py", line 1672, in add_entry
> > ipa-ods-exporter[487019]: self.conn.add_s(str(entry.dn), list(attrs.items()))
> > ipa-ods-exporter[487019]: File "/usr/lib64/python3.9/site-packages/ldap/ldapobject.py", line 236, in add_s
> > ipa-ods-exporter[487019]: return self.add_ext_s(dn,modlist,None,None)
> > ipa-ods-exporter[487019]: File "/usr/lib64/python3.9/site-packages/ldap/ldapobject.py", line 222, in add_ext_s
> > ipa-ods-exporter[487019]: resp_type, resp_data, resp_msgid, resp_ctrls = self.result3(msgid,all=1,timeout=self.timeout)
> > ipa-ods-exporter[487019]: File "/usr/lib64/python3.9/site-packages/ldap/ldapobject.py", line 543, in result3
> > ipa-ods-exporter[487019]: resp_type, resp_data, resp_msgid, decoded_resp_ctrls, retoid, retval = self.result4(
> > ipa-ods-exporter[487019]: File "/usr/lib64/python3.9/site-packages/ldap/ldapobject.py", line 553, in result4
> > ipa-ods-exporter[487019]: ldap_result = self._ldap_call(self._l.result4,msgid,all,timeout,add_ctrls,add_intermediates,add_extop)
> > ipa-ods-exporter[487019]: File "/usr/lib64/python3.9/site-packages/ldap/ldapobject.py", line 128, in _ldap_call
> > ipa-ods-exporter[487019]: result = func(*args,**kwargs)
> > ipa-ods-exporter[487019]: ldap.INSUFFICIENT_ACCESS: {'msgtype': 105, 'msgid': 9, 'result': 50, 'desc': 'Insufficient access', 'ctrls': []}
> > ipa-ods-exporter[487019]: During handling of the above exception, another exception occurred:
> > ipa-ods-exporter[487019]: Traceback (most recent call last):
> > ipa-ods-exporter[487019]: File "/usr/libexec/ipa/ipa-ods-exporter", line 719, in <module>
> > ipa-ods-exporter[487019]: master2ldap_master_keys_sync(ldapkeydb, localhsm)
> > ipa-ods-exporter[487019]: File "/usr/libexec/ipa/ipa-ods-exporter", line 346, in master2ldap_master_keys_sync
> > ipa-ods-exporter[487019]: ldapkeydb.import_master_key(mkey)
> > ipa-ods-exporter[487019]: File "/usr/lib/python3.9/site-packages/ipaserver/dnssec/ldapkeydb.py", line 375, in import_master_key
> > ipa-ods-exporter[487019]: self.ldap.add_entry(new_key.entry)
> > ipa-ods-exporter[487019]: File "/usr/lib/python3.9/site-packages/ipapython/ipaldap.py", line 1672, in add_entry
> > ipa-ods-exporter[487019]: self.conn.add_s(str(entry.dn), list(attrs.items()))
> > ipa-ods-exporter[487019]: File "/usr/lib64/python3.9/contextlib.py", line 137, in __exit__
> > ipa-ods-exporter[487019]: self.gen.throw(typ, value, traceback)
> > ipa-ods-exporter[487019]: File "/usr/lib/python3.9/site-packages/ipapython/ipaldap.py", line 1122, in error_handler
> > ipa-ods-exporter[487019]: raise errors.ACIError(info=info)
> > ipa-ods-exporter[487019]: ipalib.errors.ACIError: Insufficient access:
> >
>

--
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
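An added example, not part of the thread and not FreeIPA's own tooling: a small POSIX shell check that takes the output of "ipa service-show --all --raw" and reports which of the privilege/permission DNs from Rob's sample entry are missing from the service's memberof attributes. The thread's reasoning is that a successful LDAP bind followed by INSUFFICIENT_ACCESS on add_entry points at a removed role or permission rather than at the keytab, so the useful check is a name-by-name diff of the memberships. Assumptions not taken from the thread: the suffix dc=example,dc=test is your IPA base DN, and the principal in the constructed sample is ipa-ods-exporter/ipa.example.test@EXAMPLE.TEST. The sample output is constructed here, not captured from a server.

```shell
#!/bin/sh
# Added example (not from the thread or the FreeIPA project): diff the
# memberof attributes of an IPA service entry against the DNs shown in
# Rob's sample ipa-ods-exporter entry, so a dropped permission is named.
#
# Assumptions: BASE_DN is your IPA suffix; the principal in the constructed
# sample below is invented for illustration.

BASE_DN='dc=example,dc=test'

# The memberof DNs from the service-show output in the thread, one per line.
required_memberships() {
    cat <<EOF
cn=DNS Servers,cn=privileges,cn=pbac,$BASE_DN
cn=System: Read DNS Configuration,cn=permissions,cn=pbac,$BASE_DN
cn=System: Write DNS Configuration,cn=permissions,cn=pbac,$BASE_DN
cn=System: Read DNS Servers Configuration,cn=permissions,cn=pbac,$BASE_DN
cn=System: Add DNS Entries,cn=permissions,cn=pbac,$BASE_DN
cn=System: Manage DNSSEC keys,cn=permissions,cn=pbac,$BASE_DN
cn=System: Manage DNSSEC metadata,cn=permissions,cn=pbac,$BASE_DN
cn=System: Read DNS Entries,cn=permissions,cn=pbac,$BASE_DN
cn=System: Remove DNS Entries,cn=permissions,cn=pbac,$BASE_DN
cn=System: Update DNS Entries,cn=permissions,cn=pbac,$BASE_DN
EOF
}

# Read "ipa service-show --all --raw <principal>" output on stdin and print
# every required DN that is absent from the entry's memberof attributes.
# grep -Fx does whole-line fixed-string matching, so "Read DNS Entries"
# cannot satisfy "Remove DNS Entries" by substring.
missing_memberships() {
    present=$(sed -n 's/^memberof: //p')
    required_memberships | while IFS= read -r dn; do
        printf '%s\n' "$present" | grep -Fxq -- "$dn" || printf '%s\n' "$dn"
    done
}

# Live check against a real server (needs a ticket that can read the entry).
# Not exercised by the samples below.
check_service() {
    ipa service-show --all --raw "$1" | missing_memberships
}

# Constructed sample output: a healthy entry built from the list above, and a
# degraded copy with "System: Manage DNSSEC keys" removed. A service that
# lost a write permission still binds but is refused on add_entry, which is
# Rob's reading of the INSUFFICIENT_ACCESS traceback.
sample_healthy_output() {
    printf 'dn: krbprincipalname=ipa-ods-exporter/ipa.example.test@EXAMPLE.TEST,cn=services,cn=accounts,%s\n' "$BASE_DN"
    printf 'has_keytab: TRUE\n'
    required_memberships | sed 's/^/memberof: /'
}

sample_degraded_output() {
    sample_healthy_output | grep -Fv 'cn=System: Manage DNSSEC keys,'
}

# Usage on a server:
#   ipa service-show --all --raw ipa-ods-exporter/$(hostname) | missing_memberships
# Demo on the constructed sample:
if [ "${1:-}" = "--demo" ]; then
    echo "missing from degraded sample:"
    sample_degraded_output | missing_memberships
fi
```

Run it with --demo to see the degraded sample report the one removed DN; pipe real service-show output into missing_memberships to check a live server. If the list is empty but the exporter still fails, the missing piece is somewhere other than these memberships, which is exactly the information the traceback alone does not give.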
