You can try to see where in the 389-ds logs the bind happened but I imagine it's going to have err=49 which won't tell you much except what entry it is trying to modify.

I assume that reads are working, you can verify with:

# kinit -kt /etc/ipa/dnssec/ipa-ods-exporter.keytab ipa-ods-exporter/[email protected]
# ldapsearch -Q -Y GSSAPI -LLL -b dc=example,dc=test -b cn=dns,dc=example,dc=test

If you can get a quiet system then you can try enabling ACI debugging which might tell you what is denying the write. See https://www.port389.org/docs/389ds/FAQ/faq.html#troubleshooting . You want level 262144.

I'm not completely sure how to trigger the exporter but perhaps restarting the service will do it.

Once done you'll want to disable the debugging. It can be pretty verbose.

rob

Yavor Marinov wrote:
> Yes, I have similar output of the service entry in LDAP, but still the
> service keeps failing
>
> ipa service-show --all --raw ipa-ods-exporter/login.example.net
> dn: krbprincipalname=ipa-ods-exporter/[email protected],cn=services,cn=accounts,dc=example,dc=net
> krbcanonicalname: ipa-ods-exporter/[email protected]
> krbprincipalname: ipa-ods-exporter/[email protected]
> has_keytab: TRUE
> managedby: fqdn=login.example.net,cn=computers,cn=accounts,dc=example,dc=net
> ipaKrbPrincipalAlias: ipa-ods-exporter/[email protected]
> ipaUniqueID: 02db93da-d39b-11ed-90d4-0200d0cd8cc7
> krbExtraData: AAJ+N+lmaXBhLW9kcy1leHBvcnRlci9sb2dpbi54M21lLm5ldEBYM01FLk5FVAA=
> krbLastPwdChange: 20240917080206Z
> krbLoginFailedCount: 0
> krbPwdPolicyReference: cn=Default Service Password Policy,cn=services,cn=accounts,dc=example,dc=net
> krbTicketFlags: 128
> memberof: cn=DNS Servers,cn=privileges,cn=pbac,dc=example,dc=net
> memberof: cn=System: Read DNS Configuration,cn=permissions,cn=pbac,dc=example,dc=net
> memberof: cn=System: Write DNS Configuration,cn=permissions,cn=pbac,dc=example,dc=net
> memberof: cn=System: Read DNS Servers Configuration,cn=permissions,cn=pbac,dc=example,dc=net
> memberof: cn=System: Add DNS Entries,cn=permissions,cn=pbac,dc=example,dc=net
> memberof: cn=System: Manage DNSSEC keys,cn=permissions,cn=pbac,dc=example,dc=net
> memberof: cn=System: Manage DNSSEC metadata,cn=permissions,cn=pbac,dc=example,dc=net
> memberof: cn=System: Read DNS Entries,cn=permissions,cn=pbac,dc=example,dc=net
> memberof: cn=System: Remove DNS Entries,cn=permissions,cn=pbac,dc=example,dc=net
> memberof: cn=System: Update DNS Entries,cn=permissions,cn=pbac,dc=example,dc=net
> objectClass: pkiuser
> objectClass: ipaobject
> objectClass: top
> objectClass: krbTicketPolicyAux
> objectClass: krbprincipalaux
> objectClass: ipaservice
> objectClass: krbprincipal
> objectClass: ipakrbprincipal
>
> On Thu, Sep 19, 2024 at 6:09 PM Rob Crittenden <[email protected]> wrote:
> > Yavor Marinov wrote:
> > > Hey Rob,
> > >
> > > Yes, error was present before regenerating the keytab, and I've done it
> > > using:
> > >
> > > kinit -kt /etc/ipa/dnssec/ipa-ods-exporter.keytab ipa-ods-exporter/login.example.net
> > >
> > > Then I only chown-ed the tab so it can be readable.
> >
> > From what to what?
> >
> > A kinit refreshes a ticket, not the keytab.
> >
> > The ACI error is curious though. If it got that far then it was able to
> > bind to LDAP. It just wasn't allowed to write. Which means that the
> > keytab is ok.
> >
> > My guess is that a role or permission was removed. Run
> >
> > ipa service-show --all --raw ipa-ods-exporter/login.example.net
> >
> > It should look something like:
> >
> > dn: krbprincipalname=ipa-ods-exporter/[email protected],cn=services,cn=accounts,dc=example,dc=test
> > krbcanonicalname: ipa-ods-exporter/[email protected]
> > krbprincipalname: ipa-ods-exporter/[email protected]
> > has_keytab: TRUE
> > managedby: fqdn=ipa.example.test,cn=computers,cn=accounts,dc=example,dc=test
> > ipaUniqueID: da330668-7694-11ef-a557-52540030d651
> > krbExtraData: AAJrN+xmdHVzZXIvYWRtaW5ARVhBTVBMRS5URVNUAA==
> > krbLastPwdChange: 20240919143835Z
> > krbLoginFailedCount: 0
> > krbPwdPolicyReference: cn=Default Service Password Policy,cn=services,cn=accounts,dc=example,dc=test
> > memberof: cn=DNS Servers,cn=privileges,cn=pbac,dc=example,dc=test
> > memberof: cn=System: Read DNS Configuration,cn=permissions,cn=pbac,dc=example,dc=test
> > memberof: cn=System: Write DNS Configuration,cn=permissions,cn=pbac,dc=example,dc=test
> > memberof: cn=System: Read DNS Servers Configuration,cn=permissions,cn=pbac,dc=example,dc=test
> > memberof: cn=System: Add DNS Entries,cn=permissions,cn=pbac,dc=example,dc=test
> > memberof: cn=System: Manage DNSSEC keys,cn=permissions,cn=pbac,dc=example,dc=test
> > memberof: cn=System: Manage DNSSEC metadata,cn=permissions,cn=pbac,dc=example,dc=test
> > memberof: cn=System: Read DNS Entries,cn=permissions,cn=pbac,dc=example,dc=test
> > memberof: cn=System: Remove DNS Entries,cn=permissions,cn=pbac,dc=example,dc=test
> > memberof: cn=System: Update DNS Entries,cn=permissions,cn=pbac,dc=example,dc=test
> > objectClass: krbprincipalaux
> > objectClass: ipaobject
> > objectClass: krbprincipal
> > objectClass: krbTicketPolicyAux
> > objectClass: ipaservice
> > objectClass: top
> > objectClass: pkiuser
> >
> > rob
> >
> > > On Wed, Sep 18, 2024 at 10:51 PM Rob Crittenden <[email protected]> wrote:
> > > > Yavor Marinov via FreeIPA-users wrote:
> > > > > Hello all,
> > > > >
> > > > > Last few weeks I've been having issues with ipa-ods-exporter because it's
> > > > > failing to start. Our infra is not impacted by the problem but will be
> > > > > glad to know what could be the issue as I've tried to regenerate the
> > > > > keytab /etc/ipa/dnssec/ipa-ods-exporter.keytab
> > > >
> > > > Was it throwing this same error prior to regenerating the keytab? How
> > > > did you do that?
> > > >
> > > > rob
> > > >
> > > > > Below is the error message
> > > > >
> > > > > ipa-ods-exporter[487019]: Traceback (most recent call last):
> > > > > ipa-ods-exporter[487019]:   File "/usr/lib/python3.9/site-packages/ipapython/ipaldap.py", line 1096, in error_handler
> > > > > ipa-ods-exporter[487019]:     yield
> > > > > ipa-ods-exporter[487019]:   File "/usr/lib/python3.9/site-packages/ipapython/ipaldap.py", line 1672, in add_entry
> > > > > ipa-ods-exporter[487019]:     self.conn.add_s(str(entry.dn), list(attrs.items()))
> > > > > ipa-ods-exporter[487019]:   File "/usr/lib64/python3.9/site-packages/ldap/ldapobject.py", line 236, in add_s
> > > > > ipa-ods-exporter[487019]:     return self.add_ext_s(dn,modlist,None,None)
> > > > > ipa-ods-exporter[487019]:   File "/usr/lib64/python3.9/site-packages/ldap/ldapobject.py", line 222, in add_ext_s
> > > > > ipa-ods-exporter[487019]:     resp_type, resp_data, resp_msgid, resp_ctrls = self.result3(msgid,all=1,timeout=self.timeout)
> > > > > ipa-ods-exporter[487019]:   File "/usr/lib64/python3.9/site-packages/ldap/ldapobject.py", line 543, in result3
> > > > > ipa-ods-exporter[487019]:     resp_type, resp_data, resp_msgid, decoded_resp_ctrls, retoid, retval = self.result4(
> > > > > ipa-ods-exporter[487019]:   File "/usr/lib64/python3.9/site-packages/ldap/ldapobject.py", line 553, in result4
> > > > > ipa-ods-exporter[487019]:     ldap_result = self._ldap_call(self._l.result4,msgid,all,timeout,add_ctrls,add_intermediates,add_extop)
> > > > > ipa-ods-exporter[487019]:   File "/usr/lib64/python3.9/site-packages/ldap/ldapobject.py", line 128, in _ldap_call
> > > > > ipa-ods-exporter[487019]:     result = func(*args,**kwargs)
> > > > > ipa-ods-exporter[487019]: ldap.INSUFFICIENT_ACCESS: {'msgtype': 105, 'msgid': 9, 'result': 50, 'desc': 'Insufficient access', 'ctrls': []}
> > > > > ipa-ods-exporter[487019]: During handling of the above exception, another exception occurred:
> > > > > ipa-ods-exporter[487019]: Traceback (most recent call last):
> > > > > ipa-ods-exporter[487019]:   File "/usr/libexec/ipa/ipa-ods-exporter", line 719, in <module>
> > > > > ipa-ods-exporter[487019]:     master2ldap_master_keys_sync(ldapkeydb, localhsm)
> > > > > ipa-ods-exporter[487019]:   File "/usr/libexec/ipa/ipa-ods-exporter", line 346, in master2ldap_master_keys_sync
> > > > > ipa-ods-exporter[487019]:     ldapkeydb.import_master_key(mkey)
> > > > > ipa-ods-exporter[487019]:   File "/usr/lib/python3.9/site-packages/ipaserver/dnssec/ldapkeydb.py", line 375, in import_master_key
> > > > > ipa-ods-exporter[487019]:     self.ldap.add_entry(new_key.entry)
> > > > > ipa-ods-exporter[487019]:   File "/usr/lib/python3.9/site-packages/ipapython/ipaldap.py", line 1672, in add_entry
> > > > > ipa-ods-exporter[487019]:     self.conn.add_s(str(entry.dn), list(attrs.items()))
> > > > > ipa-ods-exporter[487019]:   File "/usr/lib64/python3.9/contextlib.py", line 137, in __exit__
> > > > > ipa-ods-exporter[487019]:     self.gen.throw(typ, value, traceback)
> > > > > ipa-ods-exporter[487019]:   File "/usr/lib/python3.9/site-packages/ipapython/ipaldap.py", line 1122, in error_handler
> > > > > ipa-ods-exporter[487019]:     raise errors.ACIError(info=info)
> > > > > ipa-ods-exporter[487019]: ipalib.errors.ACIError: Insufficient access:

-- 
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
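As an added illustration of the first suggestion in the thread (this is not code from the thread, from FreeIPA or from 389-ds): a small parser that walks 389-ds access-log lines, pairs each RESULT with the request it answers, and reports every failed operation together with the DN the connection had bound as, so that an err=50 (insufficient access) on the exporter's ADD can be tied to the ipa-ods-exporter principal, and an err=49 to the identity that failed to bind. The log excerpt, the DNs and the key entry name are constructed sample data.

```python
import re

# Constructed 389-ds access-log excerpt (sample data, not from the thread):
# a GSSAPI bind by the ods-exporter principal, the ADD it then attempts,
# and an unrelated failed simple bind on another connection.
SAMPLE_LOG = """\
[19/Sep/2024:16:09:01.110000000 +0000] conn=12 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[19/Sep/2024:16:09:01.120000000 +0000] conn=12 op=0 RESULT err=14 tag=97 nentries=0 wtime=0.000100 optime=0.000200 etime=0.000300, SASL bind in progress
[19/Sep/2024:16:09:01.130000000 +0000] conn=12 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
[19/Sep/2024:16:09:01.140000000 +0000] conn=12 op=1 RESULT err=0 tag=97 nentries=0 wtime=0.000100 optime=0.000200 etime=0.000300 dn="krbprincipalname=ipa-ods-exporter/ipa.example.test@EXAMPLE.TEST,cn=services,cn=accounts,dc=example,dc=test"
[19/Sep/2024:16:09:01.200000000 +0000] conn=12 op=2 ADD dn="ipk11uniqueid=CONSTRUCTED-KEY-ID,cn=keys,cn=sec,cn=dns,dc=example,dc=test"
[19/Sep/2024:16:09:01.210000000 +0000] conn=12 op=2 RESULT err=50 tag=105 nentries=0 wtime=0.000100 optime=0.000200 etime=0.000300
[19/Sep/2024:16:09:02.000000000 +0000] conn=13 op=0 BIND dn="uid=svc,cn=users,cn=accounts,dc=example,dc=test" method=128 version=3
[19/Sep/2024:16:09:02.010000000 +0000] conn=13 op=0 RESULT err=49 tag=97 nentries=0 wtime=0.000100 optime=0.000200 etime=0.000300
"""

OP_RE = re.compile(r"conn=(\d+) op=(\d+) (BIND|RESULT|ADD|MOD|DEL|SRCH)(.*)")
DN_RE, ERR_RE = re.compile(r'dn="([^"]*)"'), re.compile(r"err=(\d+)")
ERR_NAMES = {49: "invalidCredentials", 50: "insufficientAccessRights"}

def analyze_access_log(text):
    """Return failed operations, each tagged with the DN the connection bound as."""
    bound_as, pending, findings = {}, {}, []   # conn->DN, (conn,op)->request
    for line in text.splitlines():
        m = OP_RE.search(line)
        if not m:
            continue
        conn, op, kind, rest = m.groups()
        if kind != "RESULT":                    # remember the request for its RESULT
            dn = DN_RE.search(rest)
            pending[(conn, op)] = (kind, dn.group(1) if dn else "")
            continue
        err = int(ERR_RE.search(rest).group(1))
        req, target = pending.pop((conn, op), ("?", ""))
        if req == "BIND" and err == 14:         # SASL bind still in progress, not a failure
            continue
        if req == "BIND" and err == 0:
            # GSSAPI binds expose the mapped entry DN only on the successful RESULT line
            dn = DN_RE.search(rest)
            bound_as[conn] = dn.group(1) if dn else target
            continue
        if err != 0:
            identity = target if req == "BIND" else bound_as.get(conn, "(anonymous)")
            findings.append({"conn": conn, "op": op, "request": req, "target": target,
                             "identity": identity, "err": err,
                             "name": ERR_NAMES.get(err, "other")})
    return findings

for f in analyze_access_log(SAMPLE_LOG):
    print("conn={conn} op={op} {request} as {identity!r} -> err={err} {name}".format(**f))
```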
