[Freeipa-users] Re: IPA healthcheck for older versions

2019-11-05 Thread Kimmo Rantala via FreeIPA-users
Figured it out.
I think this was because I compiled checkipaconsistency on the 
replica. The errors pointed me towards pyasn1 and sure enough the pip versions 
on the first master and the replica differed:

First master:
pyasn1   0.1.9  
pyasn1-modules   0.0.8  

Replica:
pyasn1   0.4.7  
pyasn1-modules   0.2.6  

After doing pip uninstall pyasn1 ; pip uninstall pyasn1-modules, pip list shows 
on the replica:
pyasn1   0.1.9  
pyasn1-modules   0.0.8  

After this ipa-healthcheck --failures-only returns 0 issues.
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
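The fix above came from noticing that the pip-installed pyasn1 versions differed between the two masters (and that uninstalling the pip copies left the same versions as on the first master). The script below is an added example, not something from this thread or from FreeIPA: it takes the text of `pip list` captured on two hosts and reports every package whose version differs or that is present on only one side. Both the columnar output format shown in the message above and the older "name (version)" format are parsed. The two captured listings embedded in the script are constructed from the versions quoted above plus two made-up packages (python-ldap, requests) to show the "present on one host only" case.

```python
"""Report python package drift between two IPA masters from `pip list` output.

Added example, not part of FreeIPA or of this thread. The sample listings
below are constructed; run with two files to compare real captures:
    pip list > master.txt      (on each host)
    python pip_drift.py master.txt replica.txt
"""
import re
import sys

LEGACY = re.compile(r"^(\S+)\s+\((\S+)\)\s*$")   # old pip:  pyasn1 (0.1.9)
COLUMNAR = re.compile(r"^(\S+)\s+(\S+)\s*$")     # new pip:  pyasn1   0.1.9

# Constructed samples: versions from the thread plus two invented packages.
MASTER = """Package        Version
-------------- -------
pyasn1         0.1.9
pyasn1-modules 0.0.8
python-ldap    2.4.15
"""
REPLICA = """pyasn1 (0.4.7)
pyasn1-modules (0.2.6)
python-ldap (2.4.15)
requests (2.22.0)
"""


def normalise(name):
    """pip treats names case-insensitively and '_' like '-'."""
    return name.lower().replace("_", "-")


def parse_pip_list(text):
    """Return {package: version} from either `pip list` output format."""
    pkgs = {}
    for line in text.splitlines():
        line = line.strip()
        # Skip blank lines and the "Package Version" / "-----" header rows.
        if not line or line.startswith("-") or line.lower().startswith("package "):
            continue
        match = LEGACY.match(line) or COLUMNAR.match(line)
        if match:
            pkgs[normalise(match.group(1))] = match.group(2)
    return pkgs


def diff_versions(a, b):
    """{name: (version_a, version_b)} for packages that are not identical on
    both hosts; a package missing on one side is reported as None there."""
    drift = {}
    for name in sorted(set(a) | set(b)):
        va, vb = a.get(name), b.get(name)
        if va != vb:
            drift[name] = (va, vb)
    return drift


def format_drift(drift, label_a="A", label_b="B"):
    lines = []
    for name, (va, vb) in sorted(drift.items()):
        lines.append("%-20s %s=%s  %s=%s" % (name, label_a, va or "-", label_b, vb or "-"))
    return "\n".join(lines)


def main(argv):
    if len(argv) == 3:
        with open(argv[1]) as fa, open(argv[2]) as fb:
            a, b = parse_pip_list(fa.read()), parse_pip_list(fb.read())
        labels = (argv[1], argv[2])
    else:
        a, b = parse_pip_list(MASTER), parse_pip_list(REPLICA)
        labels = ("master", "replica")
    drift = diff_versions(a, b)
    print(format_drift(drift, *labels) or "no drift")
    return 1 if drift else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The exit status is non-zero whenever any drift is found, so the script can be wired into the same periodic check as the healthcheck run; in the case from this thread it would have flagged pyasn1 and pyasn1-modules immediately.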


[Freeipa-users] Re: Could not login with AD user

2019-11-05 Thread Sumit Bose via FreeIPA-users
On Wed, Nov 06, 2019 at 12:20:21AM +0100, Ronald Wimmer via FreeIPA-users wrote:
> Today I was not able to log in with an AD user to an IPA client within a
> test setup. IPA users worked fine.
> 
> DNS is managed externally. I figured out that the DNS-Record of that
> particular IPA client has not been created correctly. After having corrected
> the DNS entry and having dropped the SSSD cache on that client I could login
> with my AD user.
> 
> Do you have an explanation for that or was it just a coincidence?

Hi,

it depends on what 'not able to log in' means. If it e.g. means that you
tried to log in from a Windows client with putty or similar then with a
broken DNS record putty will not be able to find or connect to the
expected IPA client.

bye,
Sumit

> 
> Cheers,
> Ronald


[Freeipa-users] Re: IPA healthcheck for older versions

2019-11-05 Thread Kimmo Rantala via FreeIPA-users
Hello Rob,

I saw this post last night (Finland time) and decided to give it a shot first 
thing in the morning.
My setup:
2x CentOS 7.7 (ipa-server 4.6.5) with a cross forest trust to 2012 R2 AD domain.
Ran ipa-healthcheck --failures-only on the first master and it returned 0 
issues as expected. Then I ran it on the replica and it printed out this:
[
  {
"source": "ipahealthcheck.ipa.certs", 
"kw": {
  "msg": "Request for certificate failed,  not 
in asn1Spec: , 
encoding iso-8859-1>", 
  "key": "20181207074138"
}, 
"uuid": "34135eaf-31be-49a2-b101-b449b904d5af", 
"duration": "2.261236", 
"when": "20191106055010Z", 
"check": "IPACertRevocation", 
"result": "ERROR"
  }, 
  {
"source": "ipahealthcheck.ipa.certs", 
"kw": {
  "msg": "Request for certificate failed,  not 
in asn1Spec: , 
encoding iso-8859-1>", 
  "key": "20181207073914"
}, 
"uuid": "018787f8-dfc3-4b4b-ac16-777d3f651282", 
"duration": "3.471975", 
"when": "20191106055011Z", 
"check": "IPACertRevocation", 
"result": "ERROR"
  }, 
  {
"source": "ipahealthcheck.ipa.certs", 
"kw": {
  "msg": "Request for certificate failed,  not 
in asn1Spec: , 
encoding iso-8859-1>", 
  "key": "20181207073850"
}, 
"uuid": "8e4573f8-9a74-4b6e-ac2c-45cddb181521", 
"duration": "3.782566", 
"when": "20191106055011Z", 
"check": "IPACertRevocation", 
"result": "ERROR"
  }, 
  {
"source": "ipahealthcheck.ipa.certs", 
"kw": {
  "msg": "Request for certificate failed,  not 
in asn1Spec: , 
encoding iso-8859-1>", 
  "key": "20181207074203"
}, 
"uuid": "02628931-d6c6-479e-b473-e93f626841eb", 
"duration": "4.037205", 
"when": "20191106055012Z", 
"check": "IPACertRevocation", 
"result": "ERROR"
  }
]

The replica has never had any problems and 
https://github.com/peterpakos/checkipaconsistency reports no problems.
I was wondering if this is something that I should fix on the replica or 
something that needs to be fixed in your magnificent tool that you so kindly 
backported?

I can provide any diagnostics and/or logs as needed.

- Kimmo


[Freeipa-users] Could not login with AD user

2019-11-05 Thread Ronald Wimmer via FreeIPA-users
Today I was not able to log in with an AD user to an IPA client within a 
test setup. IPA users worked fine.


DNS is managed externally. I figured out that the DNS-Record of that 
particular IPA client has not been created correctly. After having 
corrected the DNS entry and having dropped the SSSD cache on that client 
I could login with my AD user.


Do you have an explanation for that or was it just a coincidence?

Cheers,
Ronald


[Freeipa-users] Re: Disaster Recovery Architecture for IPA servers setup replicating in full mesh

2019-11-05 Thread Charles Hedrick via FreeIPA-users
On Nov 5, 2019, at 2:25 AM, Florence Blanc-Renaud via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:

> As a general rule, we recommend rebuilding from an existing replica, rather 
> than using backup-restore.

Right. Our strategy is

* all of our systems are VMs. We take snapshots periodically. So in a failure 
we would start from a snapshot rather than trying to restore in some way. You 
could then reinitialize the data from another replica
* installing a replica seems to be more reliable than it used to be. I've been 
playing with IPA on CentOS 8. I've found that removing and recreating replicas 
works fine, even after errors, though before creating a replica after deleting 
it, I look through the configuration file and remove some old info before 
reinstalling. My experience with replicas is documented at 
https://github.com/clhedrick/kerberos/wiki/Setting-up-new-server-%28replica%29-in-an-existing-system#Clearing_remains_of_old_servers
* In general you should be able to take a VM snapshot and start it. However I've 
noticed a tendency for /etc/dirsrv/slapd-NAME/dse.ldif to be missing. I now 
copy this file somewhere safe every few minutes with a cron job.




[Freeipa-users] Re: IPA healthcheck for older versions

2019-11-05 Thread Juan Pablo via FreeIPA-users
Rob, thanks for the efforts on this! highly appreciated
I will try it out on some setups I have around and will give you some
feedback.

best regards,
JP

On Tue, 5 Nov 2019 at 12:35, Rob Crittenden via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:

> Over the summer we announced the freeipa-healthcheck project which is
> designed to look at an IdM cluster and look for common problems so you
> can have some level of assurance that the system is running as it should.
>
> It was built against the IPA 4.8.x branch and originally released only
> for Fedora 29+. It is also included in the newly released RHEL 8.1.0.
>
> My curious nature led me to see if it would also work in the IPA
> 4.6.x branch. It was a bit of a challenge backing down to Python 2 but I
> was able to get something working. I tested primarily on Fedora 27 but
> it should also work in RHEL/CentOS 7 (I smoke tested 7.8).
>
> I made an EPEL 7 build in COPR,
> https://copr.fedorainfracloud.org/coprs/rcritten/ipa-healthcheck/
>
> Enable the repo and do: yum install freeipa-healthcheck
>
> Then run: ipa-healthcheck --failures-only
>
> Ideally there will be no output but an empty list []. Otherwise the
> output is JSON and hopefully has enough information to point you in the
> right direction. Feel free to ask if you need help.
>
> False positives are always a possibility and many of the checks run
> independently so it's possible to get multiple issues from a single root
> problem. It's hard to predict all possible installations so some
> fine-tuning may be required.
>
> I'd recommend running it every now and then at least, like prior to
> updating IPA packages, creating a new master, etc, if not daily. It
> will, for example, warn of impending cert expiration.
>
> The more feedback I get on it the better and more useful I can make it.
>
> This is my own personal backport and is not officially supported by
> anyone but me. It's preferred to report issues on this mailing list.
> I'll see them and others may be able to chime in as well.
>
> rob


[Freeipa-users] IPA healthcheck for older versions

2019-11-05 Thread Rob Crittenden via FreeIPA-users
Over the summer we announced the freeipa-healthcheck project which is
designed to look at an IdM cluster and look for common problems so you
can have some level of assurance that the system is running as it should.

It was built against the IPA 4.8.x branch and originally released only
for Fedora 29+. It is also included in the newly released RHEL 8.1.0.

My curious nature led me to see if it would also work in the IPA
4.6.x branch. It was a bit of a challenge backing down to Python 2 but I
was able to get something working. I tested primarily on Fedora 27 but
it should also work in RHEL/CentOS 7 (I smoke tested 7.8).

I made an EPEL 7 build in COPR,
https://copr.fedorainfracloud.org/coprs/rcritten/ipa-healthcheck/

Enable the repo and do: yum install freeipa-healthcheck

Then run: ipa-healthcheck --failures-only

Ideally there will be no output but an empty list []. Otherwise the
output is JSON and hopefully has enough information to point you in the
right direction. Feel free to ask if you need help.

False positives are always a possibility and many of the checks run
independently so it's possible to get multiple issues from a single root
problem. It's hard to predict all possible installations so some
fine-tuning may be required.

I'd recommend running it every now and then at least, like prior to
updating IPA packages, creating a new master, etc, if not daily. It
will, for example, warn of impending cert expiration.

The more feedback I get on it the better and more useful I can make it.

This is my own personal backport and is not officially supported by
anyone but me. It's preferred to report issues on this mailing list.
I'll see them and others may be able to chime in as well.

rob
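The announcement above fixes the tool's output contract (an empty list on a clean system, otherwise a JSON list of findings, several of which may stem from one root problem) and recommends running it regularly, and Kimmo's reply earlier in this thread shows the shape of those findings: source, check, result, uuid, duration, when and a kw block with msg and key. The script below is an added example, not part of the freeipa-healthcheck project or of any message in this thread. It parses that output, collapses findings that share source, check and message (so the four IPACertRevocation errors from the thread become one line listing the four request keys) and turns the worst result into an exit code a cron job or monitoring agent can act on. It is written to run on Python 2 as well as 3, since the backport targets Python 2. Assumptions: the severity levels WARNING and CRITICAL beyond the SUCCESS/ERROR seen in the thread, and, in the embedded sample, the check name ExampleExpiryCheck and every uuid, are constructed for illustration.

```python
"""Triage helper for `ipa-healthcheck --failures-only` output.

Added example, not part of the freeipa-healthcheck project. Groups findings
that share source, check and message so that one root cause fanning out into
several entries is reported once, and maps the worst result to an exit code.
Usage:  ipa-healthcheck --failures-only | python triage.py
Runs the embedded constructed sample when nothing is piped in.
"""
import json
import sys
from collections import defaultdict

# Assumed severity ordering. Only SUCCESS and ERROR appear in this thread.
SEVERITY = {"SUCCESS": 0, "WARNING": 1, "ERROR": 2, "CRITICAL": 3}


def _entry(check, result, msg, key, n):
    """One finding in the shape quoted in the thread (uuid/when constructed)."""
    return {"source": "ipahealthcheck.ipa.certs", "check": check,
            "result": result, "uuid": "00000000-0000-4000-8000-%012d" % n,
            "duration": "2.0", "when": "20191106055010Z",
            "kw": {"msg": msg, "key": key}}


# Constructed sample: four errors from one check (keys as in the thread) plus
# one warning from a hypothetical check name used only for illustration.
SAMPLE_OUTPUT = json.dumps([
    _entry("IPACertRevocation", "ERROR", "Request for certificate failed", "20181207074138", 1),
    _entry("IPACertRevocation", "ERROR", "Request for certificate failed", "20181207073914", 2),
    _entry("IPACertRevocation", "ERROR", "Request for certificate failed", "20181207073850", 3),
    _entry("IPACertRevocation", "ERROR", "Request for certificate failed", "20181207074203", 4),
    _entry("ExampleExpiryCheck", "WARNING", "expires in 20 days", "20181207074203", 5),
])


def parse_report(text):
    """Parse the tool's stdout. No output and '[]' both mean 'no findings'."""
    text = text.strip()
    if not text:
        return []
    data = json.loads(text)
    if not isinstance(data, list):
        raise ValueError("expected a JSON list of findings")
    return data


def level(finding):
    """Normalised result label; anything unrecognised is treated as ERROR."""
    result = finding.get("result")
    return result if result in SEVERITY else "ERROR"


def worst_level(findings):
    worst = "SUCCESS"
    for finding in findings:
        if SEVERITY[level(finding)] > SEVERITY[worst]:
            worst = level(finding)
    return worst


def exit_code(findings):
    """0 = clean, 1 = warnings only, 2 = at least one ERROR or CRITICAL."""
    worst = worst_level(findings)
    if SEVERITY[worst] >= SEVERITY["ERROR"]:
        return 2
    return 1 if worst == "WARNING" else 0


def summarize(findings):
    """Group by (source, check, msg) -> {count, worst, keys}."""
    groups = defaultdict(lambda: {"count": 0, "worst": "SUCCESS", "keys": []})
    for finding in findings:
        kw = finding.get("kw") or {}
        group = groups[(finding.get("source", "?"), finding.get("check", "?"), kw.get("msg", ""))]
        group["count"] += 1
        if SEVERITY[level(finding)] > SEVERITY[group["worst"]]:
            group["worst"] = level(finding)
        if kw.get("key") is not None:
            group["keys"].append(str(kw["key"]))
    return dict(groups)


def format_summary(findings):
    lines = []
    for (source, check, msg), group in sorted(summarize(findings).items()):
        keys = ", ".join(group["keys"]) or "-"
        lines.append("%-8s %s.%s x%d  %s  [%s]" % (
            group["worst"], source, check, group["count"], msg, keys))
    return "\n".join(lines)


def main():
    text = SAMPLE_OUTPUT if sys.stdin.isatty() else sys.stdin.read()
    findings = parse_report(text)
    print(format_summary(findings) or "no findings")
    return exit_code(findings)


if __name__ == "__main__":
    sys.exit(main())
```

An unrecognised result label is deliberately treated as ERROR rather than ignored, so a future level added to the tool fails closed instead of silently passing a cron check.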


[Freeipa-users] Re: FreeIPA 4.8.1 on Fedora 31 (upgraded from F30) fails to start

2019-11-05 Thread Wulf C. Krueger via FreeIPA-users

Hello Alex,

On 2019-11-04 18:20, Alex Scheel via FreeIPA-users wrote:

> 2019-11-02T10:57:00Z DEBUG stderr=Job for pki-tomcatd@pki-tomcat.service failed 
> because a timeout was exceeded.
> See "systemctl status pki-tomcatd@pki-tomcat.service" and "journalctl -xe" for 
> details.
> However, the pki-tomcat-ca-debug.2019-11-02.log you posted doesn't
> have any entries from around this time.


That's weird - it should have been in there. Maybe I've missed a log; in 
order to fix that, I've tried starting FreeIPA again and have uploaded 
the resulting new logs: https://mailstation.de/ipa-logs/new/


Unfortunately, I basically only understand that the connection to LDAP 
fails but I don't understand why.


Best regards, Wulf