Yes, I have similar output for the service entry in LDAP, but the service still keeps failing:
ipa service-show --all --raw ipa-ods-exporter/login.example.net
dn: krbprincipalname=ipa-ods-exporter/[email protected],cn=services,cn=accounts,dc=example,dc=net
krbcanonicalname: ipa-ods-exporter/[email protected]
krbprincipalname: ipa-ods-exporter/[email protected]
has_keytab: TRUE
managedby: fqdn=login.example.net,cn=computers,cn=accounts,dc=example,dc=net
ipaKrbPrincipalAlias: ipa-ods-exporter/[email protected]
ipaUniqueID: 02db93da-d39b-11ed-90d4-0200d0cd8cc7
krbExtraData: AAJ+N+lmaXBhLW9kcy1leHBvcnRlci9sb2dpbi54M21lLm5ldEBYM01FLk5FVAA=
krbLastPwdChange: 20240917080206Z
krbLoginFailedCount: 0
krbPwdPolicyReference: cn=Default Service Password Policy,cn=services,cn=accounts,dc=example,dc=net
krbTicketFlags: 128
memberof: cn=DNS Servers,cn=privileges,cn=pbac,dc=example,dc=net
memberof: cn=System: Read DNS Configuration,cn=permissions,cn=pbac,dc=example,dc=net
memberof: cn=System: Write DNS Configuration,cn=permissions,cn=pbac,dc=example,dc=net
memberof: cn=System: Read DNS Servers Configuration,cn=permissions,cn=pbac,dc=example,dc=net
memberof: cn=System: Add DNS Entries,cn=permissions,cn=pbac,dc=example,dc=net
memberof: cn=System: Manage DNSSEC keys,cn=permissions,cn=pbac,dc=example,dc=net
memberof: cn=System: Manage DNSSEC metadata,cn=permissions,cn=pbac,dc=example,dc=net
memberof: cn=System: Read DNS Entries,cn=permissions,cn=pbac,dc=example,dc=net
memberof: cn=System: Remove DNS Entries,cn=permissions,cn=pbac,dc=example,dc=net
memberof: cn=System: Update DNS Entries,cn=permissions,cn=pbac,dc=example,dc=net
objectClass: pkiuser
objectClass: ipaobject
objectClass: top
objectClass: krbTicketPolicyAux
objectClass: krbprincipalaux
objectClass: ipaservice
objectClass: krbprincipal
objectClass: ipakrbprincipal

On Thu, Sep 19, 2024 at 6:09 PM Rob Crittenden <[email protected]> wrote:
> Yavor Marinov wrote:
> > Hey Rob,
> >
> > Yes, error was present before regenerating the keytab, and I've done it
> > using:
> >
> > kinit -kt /etc/ipa/dnssec/ipa-ods-exporter.keytab ipa-ods-exporter/login.example.net
> >
> > Then I only chown-ed the keytab so it can be readable.
>
> From what to what?
>
> A kinit refreshes a ticket, not the keytab.
>
> The ACI error is curious though. If it got that far then it was able to
> bind to LDAP. It just wasn't allowed to write. Which means that the
> keytab is ok.
>
> My guess is that a role or permission was removed. Run
>
> ipa service-show --all --raw ipa-ods-exporter/login.example.net
>
> It should look something like:
>
> dn: krbprincipalname=ipa-ods-exporter/[email protected],cn=services,cn=accounts,dc=example,dc=test
> krbcanonicalname: ipa-ods-exporter/[email protected]
> krbprincipalname: ipa-ods-exporter/[email protected]
> has_keytab: TRUE
> managedby: fqdn=ipa.example.test,cn=computers,cn=accounts,dc=example,dc=test
> ipaUniqueID: da330668-7694-11ef-a557-52540030d651
> krbExtraData: AAJrN+xmdHVzZXIvYWRtaW5ARVhBTVBMRS5URVNUAA==
> krbLastPwdChange: 20240919143835Z
> krbLoginFailedCount: 0
> krbPwdPolicyReference: cn=Default Service Password Policy,cn=services,cn=accounts,dc=example,dc=test
> memberof: cn=DNS Servers,cn=privileges,cn=pbac,dc=example,dc=test
> memberof: cn=System: Read DNS Configuration,cn=permissions,cn=pbac,dc=example,dc=test
> memberof: cn=System: Write DNS Configuration,cn=permissions,cn=pbac,dc=example,dc=test
> memberof: cn=System: Read DNS Servers Configuration,cn=permissions,cn=pbac,dc=example,dc=test
> memberof: cn=System: Add DNS Entries,cn=permissions,cn=pbac,dc=example,dc=test
> memberof: cn=System: Manage DNSSEC keys,cn=permissions,cn=pbac,dc=example,dc=test
> memberof: cn=System: Manage DNSSEC metadata,cn=permissions,cn=pbac,dc=example,dc=test
> memberof: cn=System: Read DNS Entries,cn=permissions,cn=pbac,dc=example,dc=test
> memberof: cn=System: Remove DNS Entries,cn=permissions,cn=pbac,dc=example,dc=test
> memberof: cn=System: Update DNS Entries,cn=permissions,cn=pbac,dc=example,dc=test
> objectClass: krbprincipalaux
> objectClass: ipaobject
> objectClass: krbprincipal
> objectClass: krbTicketPolicyAux
> objectClass: ipaservice
> objectClass: top
> objectClass: pkiuser
>
> rob
>
> > On Wed, Sep 18, 2024 at 10:51 PM Rob Crittenden <[email protected]> wrote:
> >
> > Yavor Marinov via FreeIPA-users wrote:
> > > Hello all,
> > >
> > > For the last few weeks I've been having issues with ipa-ods-exporter
> > > because it's failing to start. Our infra is not impacted by the problem,
> > > but I would be glad to know what the issue could be, as I've tried to
> > > regenerate the keytab /etc/ipa/dnssec/ipa-ods-exporter.keytab
> >
> > Was it throwing this same error prior to regenerating the keytab? How
> > did you do that?
> >
> > rob
> >
> > > Below is the error message
> > >
> > > ipa-ods-exporter[487019]: Traceback (most recent call last):
> > > ipa-ods-exporter[487019]: File "/usr/lib/python3.9/site-packages/ipapython/ipaldap.py", line 1096, in error_handler
> > > ipa-ods-exporter[487019]: yield
> > > ipa-ods-exporter[487019]: File "/usr/lib/python3.9/site-packages/ipapython/ipaldap.py", line 1672, in add_entry
> > > ipa-ods-exporter[487019]: self.conn.add_s(str(entry.dn), list(attrs.items()))
> > > ipa-ods-exporter[487019]: File "/usr/lib64/python3.9/site-packages/ldap/ldapobject.py", line 236, in add_s
> > > ipa-ods-exporter[487019]: return self.add_ext_s(dn,modlist,None,None)
> > > ipa-ods-exporter[487019]: File "/usr/lib64/python3.9/site-packages/ldap/ldapobject.py", line 222, in add_ext_s
> > > ipa-ods-exporter[487019]: resp_type, resp_data, resp_msgid, resp_ctrls = self.result3(msgid,all=1,timeout=self.timeout)
> > > ipa-ods-exporter[487019]: File "/usr/lib64/python3.9/site-packages/ldap/ldapobject.py", line 543, in result3
> > > ipa-ods-exporter[487019]: resp_type, resp_data, resp_msgid, decoded_resp_ctrls, retoid, retval = self.result4(
> > > ipa-ods-exporter[487019]: File "/usr/lib64/python3.9/site-packages/ldap/ldapobject.py", line 553, in result4
> > > ipa-ods-exporter[487019]: ldap_result = self._ldap_call(self._l.result4,msgid,all,timeout,add_ctrls,add_intermediates,add_extop)
> > > ipa-ods-exporter[487019]: File "/usr/lib64/python3.9/site-packages/ldap/ldapobject.py", line 128, in _ldap_call
> > > ipa-ods-exporter[487019]: result = func(*args,**kwargs)
> > > ipa-ods-exporter[487019]: ldap.INSUFFICIENT_ACCESS: {'msgtype': 105, 'msgid': 9, 'result': 50, 'desc': 'Insufficient access', 'ctrls': []}
> > > ipa-ods-exporter[487019]: During handling of the above exception, another exception occurred:
> > > ipa-ods-exporter[487019]: Traceback (most recent call last):
> > > ipa-ods-exporter[487019]: File "/usr/libexec/ipa/ipa-ods-exporter", line 719, in <module>
> > > ipa-ods-exporter[487019]: master2ldap_master_keys_sync(ldapkeydb, localhsm)
> > > ipa-ods-exporter[487019]: File "/usr/libexec/ipa/ipa-ods-exporter", line 346, in master2ldap_master_keys_sync
> > > ipa-ods-exporter[487019]: ldapkeydb.import_master_key(mkey)
> > > ipa-ods-exporter[487019]: File "/usr/lib/python3.9/site-packages/ipaserver/dnssec/ldapkeydb.py", line 375, in import_master_key
> > > ipa-ods-exporter[487019]: self.ldap.add_entry(new_key.entry)
> > > ipa-ods-exporter[487019]: File "/usr/lib/python3.9/site-packages/ipapython/ipaldap.py", line 1672, in add_entry
> > > ipa-ods-exporter[487019]: self.conn.add_s(str(entry.dn), list(attrs.items()))
> > > ipa-ods-exporter[487019]: File "/usr/lib64/python3.9/contextlib.py", line 137, in __exit__
> > > ipa-ods-exporter[487019]: self.gen.throw(typ, value, traceback)
> > > ipa-ods-exporter[487019]: File "/usr/lib/python3.9/site-packages/ipapython/ipaldap.py", line 1122, in error_handler
> > > ipa-ods-exporter[487019]: raise errors.ACIError(info=info)
> > > ipa-ods-exporter[487019]: ipalib.errors.ACIError: Insufficient access:
-- 
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
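The comparison Rob asks for in the thread, as an added example that is neither part of the thread nor FreeIPA project code: it parses the output of `ipa service-show --all --raw <principal>` and reports which of the privilege and permissions from Rob's reference output the service's memberof attributes lack. The expected set is copied from that reference output; the two embedded sample entries, including the EXAMPLE.NET realm, are constructed for the example. Run it with a principal as the only argument to query a live server, or with no arguments to check the two samples.

```python
"""Compare an ipa-ods-exporter service entry against the grants it needs.
Added example for this thread, not FreeIPA project code. Input is the text of
`ipa service-show --all --raw <principal>` (one "attr: value" per line)."""
import re
import subprocess
import sys

# Privilege and permissions present in the reference output Rob posted; a
# service missing any of these is the "role or permission was removed" case.
EXPECTED_GRANTS = {
    "cn=privileges": {"DNS Servers"},
    "cn=permissions": {
        "System: Read DNS Configuration", "System: Write DNS Configuration",
        "System: Read DNS Servers Configuration", "System: Add DNS Entries",
        "System: Manage DNSSEC keys", "System: Manage DNSSEC metadata",
        "System: Read DNS Entries", "System: Remove DNS Entries",
        "System: Update DNS Entries",
    },
}

# First RDN and container of a pbac DN such as
# cn=System: Manage DNSSEC keys,cn=permissions,cn=pbac,dc=example,dc=net
_PBAC_RE = re.compile(r"^cn=(.+?),(cn=privileges|cn=permissions),cn=pbac,", re.I)

def parse_raw_output(text):
    """Turn --raw output into {attribute (lowercased): [values]}."""
    attrs = {}
    for line in text.splitlines():
        line = line.strip()
        if ":" not in line:
            continue
        name, _, value = line.partition(":")
        attrs.setdefault(name.strip().lower(), []).append(value.strip())
    return attrs

def granted(attrs):
    """Return {container: set(cn)} for every pbac DN listed in memberof."""
    grants = {"cn=privileges": set(), "cn=permissions": set()}
    for dn in attrs.get("memberof", []):
        m = _PBAC_RE.match(dn)
        if m:
            grants[m.group(2).lower()].add(m.group(1))
    return grants

def missing_grants(attrs, expected=EXPECTED_GRANTS):
    """Sorted (container, cn) pairs that are expected but not granted."""
    have = granted(attrs)
    return sorted((c, cn) for c, names in expected.items()
                  for cn in names if cn not in have.get(c, set()))

def check_service(text):
    """Principal, keytab flag and missing grants for one --raw entry."""
    attrs = parse_raw_output(text)
    return {
        "principal": (attrs.get("krbcanonicalname") or [None])[0],
        "has_keytab": attrs.get("has_keytab", ["FALSE"])[0].upper() == "TRUE",
        "missing": missing_grants(attrs),
    }

# Constructed samples modelled on the thread's output (realm EXAMPLE.NET is
# assumed): a healthy entry and one with the DNSSEC key permission removed.
HEALTHY = """\
dn: krbprincipalname=ipa-ods-exporter/login.example.net@EXAMPLE.NET,cn=services,cn=accounts,dc=example,dc=net
krbcanonicalname: ipa-ods-exporter/login.example.net@EXAMPLE.NET
has_keytab: TRUE
memberof: cn=DNS Servers,cn=privileges,cn=pbac,dc=example,dc=net
memberof: cn=System: Read DNS Configuration,cn=permissions,cn=pbac,dc=example,dc=net
memberof: cn=System: Write DNS Configuration,cn=permissions,cn=pbac,dc=example,dc=net
memberof: cn=System: Read DNS Servers Configuration,cn=permissions,cn=pbac,dc=example,dc=net
memberof: cn=System: Add DNS Entries,cn=permissions,cn=pbac,dc=example,dc=net
memberof: cn=System: Manage DNSSEC keys,cn=permissions,cn=pbac,dc=example,dc=net
memberof: cn=System: Manage DNSSEC metadata,cn=permissions,cn=pbac,dc=example,dc=net
memberof: cn=System: Read DNS Entries,cn=permissions,cn=pbac,dc=example,dc=net
memberof: cn=System: Remove DNS Entries,cn=permissions,cn=pbac,dc=example,dc=net
memberof: cn=System: Update DNS Entries,cn=permissions,cn=pbac,dc=example,dc=net
objectClass: ipaservice
"""
DEGRADED = HEALTHY.replace(
    "memberof: cn=System: Manage DNSSEC keys,cn=permissions,cn=pbac,dc=example,dc=net\n", "")

def main(argv):
    """With a principal argument query the live server, else run the samples."""
    if len(argv) > 1:
        out = subprocess.run(["ipa", "service-show", "--all", "--raw", argv[1]],
                             check=True, capture_output=True, text=True).stdout
        samples = {argv[1]: out}
    else:
        samples = {"healthy sample": HEALTHY, "degraded sample": DEGRADED}
    rc = 0
    for label, text in samples.items():
        r = check_service(text)
        print(f"{label}: principal={r['principal']} has_keytab={r['has_keytab']}")
        for container, cn in r["missing"]:
            print(f"  missing from {container}: {cn}")
            rc = 1
    return rc

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

On the entry pasted at the top of this message the check passes, which matches what Rob's comparison already shows. A pass only establishes that the group memberships are intact; memberof says nothing about whether the ACI behind each permission is still present and unchanged on the target container, so an INSUFFICIENT_ACCESS that survives this check has to be chased on the ACI side rather than by regenerating keytabs.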
