[Freeipa-users] Re: IPA healthcheck for older versions

2020-08-24 Thread Rob Crittenden via FreeIPA-users
Chris Welsh wrote: > Hi François, > > Thx for getting back to me. So far no luck.  > > On Fri, 21 Aug 2020 at 9:05 pm, François Cami > wrote: > > On Fri, Aug 21, 2020 at 1:08 AM Chris Welsh via FreeIPA-users > >

[Freeipa-users] Re: IPA healthcheck for older versions

2020-08-21 Thread Chris Welsh via FreeIPA-users
Hi François, Thx for getting back to me. So far no luck. On Fri, 21 Aug 2020 at 9:05 pm, François Cami wrote: > On Fri, Aug 21, 2020 at 1:08 AM Chris Welsh via FreeIPA-users > > wrote: > > > > > > Hi Rob, > > > > > > Could this be because I removed the replica and there are records still > dan

[Freeipa-users] Re: IPA healthcheck for older versions

2020-08-21 Thread François Cami via FreeIPA-users
On Fri, Aug 21, 2020 at 1:08 AM Chris Welsh via FreeIPA-users wrote: > > Hi Rob, > > Could this be because I removed the replica and there are records still > dangling in the config? Is there a way to find out where they are and remove > them? At worst, use ldapsearch to identify remaining obje

[Freeipa-users] Re: IPA healthcheck for older versions

2020-08-20 Thread Chris Welsh via FreeIPA-users
Hi Rob, Could this be because I removed the replica and there are records still dangling in the config? Is there a way to find out where they are and remove them? At the moment we have no active replicas, as I wanted to simplify the config so as to find the root cause of intermittent loss of grou

[Freeipa-users] Re: IPA healthcheck for older versions

2020-08-20 Thread Rob Crittenden via FreeIPA-users
Chris Welsh via FreeIPA-users wrote: > Hi Rob, > > I have run your tool and found it to report some issues. I wonder if you > could help me figure out what they are. Our problem is that we often have > staff who lose their groups and this has been happening for 3 years. > sss_cache -u username

[Freeipa-users] Re: IPA healthcheck for older versions

2020-08-20 Thread Chris Welsh via FreeIPA-users
Hi Rob, I have run your tool and found it to report some issues. I wonder if you could help me figure out what they are. Our problem is that we often have staff who lose their groups and this has been happening for 3 years. sss_cache -u username sometimes fixes it. Any advice greatly welcome.

[Freeipa-users] Re: IPA healthcheck for older versions

2019-12-13 Thread Rob Crittenden via FreeIPA-users
Kees Bakker wrote: On 13-12-19 15:00, Rob Crittenden wrote: Kees Bakker wrote: On 06-11-19 17:16, Rob Crittenden wrote: Kees Bakker via FreeIPA-users wrote: Thanks Rob Here are my findings, mainly as an FYI. On the CA master it reports the following (which I have to investigate) [    {   

[Freeipa-users] Re: IPA healthcheck for older versions

2019-12-13 Thread Kees Bakker via FreeIPA-users
On 13-12-19 15:00, Rob Crittenden wrote: > Kees Bakker wrote: >> On 06-11-19 17:16, Rob Crittenden wrote: >>> Kees Bakker via FreeIPA-users wrote: Thanks Rob Here are my findings, mainly as an FYI. On the CA master it reports the following (which I have to investigate)

[Freeipa-users] Re: IPA healthcheck for older versions

2019-12-13 Thread Rob Crittenden via FreeIPA-users
Kees Bakker wrote: On 06-11-19 17:16, Rob Crittenden wrote: Kees Bakker via FreeIPA-users wrote: Thanks Rob Here are my findings, mainly as an FYI. On the CA master it reports the following (which I have to investigate) [   {     "source": "ipahealthcheck.ipa.certs",     "kw": {   "ms

[Freeipa-users] Re: IPA healthcheck for older versions

2019-12-13 Thread Kees Bakker via FreeIPA-users
On 06-11-19 17:16, Rob Crittenden wrote: > Kees Bakker via FreeIPA-users wrote: >> Thanks Rob >> >> Here are my findings, mainly as an FYI. >> >> On the CA master it reports the following (which I have to investigate) >> [ >>   { >>     "source": "ipahealthcheck.ipa.certs", >>     "kw": { >>  

[Freeipa-users] Re: IPA healthcheck for older versions

2019-11-16 Thread Alex Corcoles via FreeIPA-users
OK, I just set up Nagios monitoring with ipa-healthcheck. In case someone wants to replicate, this is roughly what I did with Puppet: FreeIPA Puppet manifest: Install the package: + exec {'/usr/bin/curl https://copr.fedorainfracloud.org/coprs/rcritten/ipa-healthcheck/repo/epel-7/rcritten-ipa-he

[Freeipa-users] Re: IPA healthcheck for older versions

2019-11-11 Thread Rob Crittenden via FreeIPA-users
Alex Corcoles wrote: > On Mon, Nov 11, 2019 at 3:48 PM Rob Crittenden > wrote: > > Jones, Bob (rwj5d) via FreeIPA-users wrote: > > If you’re making these sorts of changes, might I suggest a flag to > generate Nagios safe output that is just a summary of how

[Freeipa-users] Re: IPA healthcheck for older versions

2019-11-11 Thread Charles Hedrick via FreeIPA-users
Wouldn’t that also expose the main web UI, and IPA commands? Seems like a much larger attack surface. On Nov 11, 2019, at 1:27 PM, Alex Corcoles <a...@corcoles.net> wrote: On Mon, Nov 11, 2019 at 5:45 PM Charles Hedrick <hedr...@rutgers.edu> wrote: I use Kerberos at home. So do a

[Freeipa-users] Re: IPA healthcheck for older versions

2019-11-11 Thread Alex Corcoles via FreeIPA-users
On Mon, Nov 11, 2019 at 5:45 PM Charles Hedrick wrote: > I use Kerberos at home. So do a couple of faculty. I have a Kerberos > https: proxy set up on one of our public web servers. This is less than > ideal, as it requires installing separate Kerberos software for both Mac > and Windows. The Ker

[Freeipa-users] Re: IPA healthcheck for older versions

2019-11-11 Thread Charles Hedrick via FreeIPA-users
I use Kerberos at home. So do a couple of faculty. I have a Kerberos https: proxy set up on one of our public web servers. This is less than ideal, as it requires installing separate Kerberos software for both Mac and Windows. The Kerberos protocol is standardized across OSs, but not the proxy s

[Freeipa-users] Re: IPA healthcheck for older versions

2019-11-11 Thread Jones, Bob (rwj5d) via FreeIPA-users
Yes, the checkipaconsistency normal output is something like this: ++--+--+--+---+ | FreeIPA servers: | host01 | host02 | host03 | STATE | ++--+--+--+---+ | Active Users | 8| 8

[Freeipa-users] Re: IPA healthcheck for older versions

2019-11-11 Thread Alex Corcoles via FreeIPA-users
On Mon, Nov 11, 2019 at 3:48 PM Rob Crittenden wrote: > Jones, Bob (rwj5d) via FreeIPA-users wrote: > > If you’re making these sorts of changes, might I suggest a flag to > generate Nagios safe output that is just a summary of how many > warnings/errors were found like the way checkipaconsistency

[Freeipa-users] Re: IPA healthcheck for older versions

2019-11-11 Thread Rob Crittenden via FreeIPA-users
Jones, Bob (rwj5d) via FreeIPA-users wrote: > On Nov 10, 2019, at 7:30 PM, Rob Crittenden via FreeIPA-users > wrote: >> >> You can probably get away with running it once a day. With the exception >> of the replication checks these aren't all that dynamic. You would catch >> things like permission

[Freeipa-users] Re: IPA healthcheck for older versions

2019-11-11 Thread Jones, Bob (rwj5d) via FreeIPA-users
On Nov 10, 2019, at 7:30 PM, Rob Crittenden via FreeIPA-users wrote: > > You can probably get away with running it once a day. With the exception > of the replication checks these aren't all that dynamic. You would catch > things like permission and FS space issues earlier I suppose. > > I'll m

[Freeipa-users] Re: IPA healthcheck for older versions

2019-11-11 Thread Alex Corcoles via FreeIPA-users
On Mon, Nov 11, 2019 at 1:30 AM Rob Crittenden wrote: > I'm open to suggestions on this. I don't mean for it to scare anyone but > the consequences can be head scratching. I have a blog entry on it that > gets quite a few views. > Well, I think the ideal would be to prevent this from happening i

[Freeipa-users] Re: IPA healthcheck for older versions

2019-11-10 Thread Rob Crittenden via FreeIPA-users
Alex Corcoles via FreeIPA-users wrote: > Hi Rob, > > On Tue, Nov 5, 2019 at 4:35 PM Rob Crittenden via FreeIPA-users > > wrote: > > I made an EPEL 7 build in COPR, > https://copr.fedorainfracloud.org/coprs/rcritten/ipa-healthcheck/ > > Th

[Freeipa-users] Re: IPA healthcheck for older versions

2019-11-09 Thread Alex Corcoles via FreeIPA-users
Hi Rob, On Tue, Nov 5, 2019 at 4:35 PM Rob Crittenden via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > I made an EPEL 7 build in COPR, > https://copr.fedorainfracloud.org/coprs/rcritten/ipa-healthcheck/ > > The more feedback I get on it the better and more useful I can make it.

[Freeipa-users] Re: IPA healthcheck for older versions

2019-11-08 Thread Rob Crittenden via FreeIPA-users
Petros Triantafyllidis wrote: > Thanks for your response Rob. Please see my questions inline. > > On 11/7/19 6:48 PM, Rob Crittenden via FreeIPA-users wrote: >> Petros Triantafyllidis wrote: >>> Thanks for healthcheck Rob, >>> >>> In our setup (2 CentOS 7.7 servers, running >>> ipa-server-4.6.5-11

[Freeipa-users] Re: IPA healthcheck for older versions

2019-11-08 Thread Petros Triantafyllidis via FreeIPA-users
Thanks for your response Rob. Please see my questions inline. On 11/7/19 6:48 PM, Rob Crittenden via FreeIPA-users wrote: Petros Triantafyllidis wrote: Thanks for healthcheck Rob, In our setup (2 CentOS 7.7 servers, running ipa-server-4.6.5-11.el7.centos.3.x86_64) I get the output below when i

[Freeipa-users] Re: IPA healthcheck for older versions

2019-11-07 Thread Rob Crittenden via FreeIPA-users
Petros Triantafyllidis wrote: > Thanks for healthcheck Rob, > > In our setup (2 CentOS 7.7 servers, running > ipa-server-4.6.5-11.el7.centos.3.x86_64) I get the output below when > ipa-healthcheck runs at the replica. The output is identical at master > too, except the first warning ("No DNA range

[Freeipa-users] Re: IPA healthcheck for older versions

2019-11-07 Thread Petros Triantafyllidis via FreeIPA-users
Thanks for healthcheck Rob, In our setup (2 CentOS 7.7 servers, running ipa-server-4.6.5-11.el7.centos.3.x86_64) I get the output below when ipa-healthcheck runs at the replica. The output is identical at master too, except the first warning ("No DNA range defined. If no masters define a rang

[Freeipa-users] Re: IPA healthcheck for older versions

2019-11-06 Thread Rob Crittenden via FreeIPA-users
Kees Bakker via FreeIPA-users wrote: > Thanks Rob > > Here are my findings, mainly as an FYI. > > On the CA master it reports the following (which I have to investigate) > [ >   { >     "source": "ipahealthcheck.ipa.certs", >     "kw": { >   "msg": "Unknown certmonger id 20190412141828", >   

[Freeipa-users] Re: IPA healthcheck for older versions

2019-11-06 Thread Rob Crittenden via FreeIPA-users
Kimmo Rantala via FreeIPA-users wrote: > Figured it out. > I think this was because I compiled checkipaconsistency on the > replica. The errors pointed me towards pyasn1 and sure enough the pip > versions on the first master and the replica differed: > > First master: > pyasn1

[Freeipa-users] Re: IPA healthcheck for older versions

2019-11-06 Thread Kees Bakker via FreeIPA-users
Thanks Rob Here are my findings, mainly as an FYI. On the CA master it reports the following (which I have to investigate) [   {     "source": "ipahealthcheck.ipa.certs",     "kw": {   "msg": "Unknown certmonger id 20190412141828",   "key": "20190412141828"     },     "uuid": "f3d6ccb9-fb

[Freeipa-users] Re: IPA healthcheck for older versions

2019-11-05 Thread Kimmo Rantala via FreeIPA-users
Figured it out. I think this was because I compiled checkipaconsistency on the replica. The errors pointed me towards pyasn1 and sure enough the pip versions on the first master and the replica differed: First master: pyasn1 0.1.9 pyasn1-modules

[Freeipa-users] Re: IPA healthcheck for older versions

2019-11-05 Thread Kimmo Rantala via FreeIPA-users
Hello Rob, I saw this post last night (Finland time) and decided to give it a shot first thing in the morning. My setup: 2x CentOS 7.7 (ipa-server 4.6.5) with a cross forest trust to 2012 R2 AD domain. Ran ipa-healthcheck --failures-only on the first master and it returned 0 issues as expected.

[Freeipa-users] Re: IPA healthcheck for older versions

2019-11-05 Thread Juan Pablo via FreeIPA-users
Rob, thanks for the efforts on this! Highly appreciated. I will try it out on some setups I have around and will give you some feedback. Best regards, JP On Tue, Nov 5, 2019 at 12:35, Rob Crittenden via FreeIPA-users (< freeipa-users@lists.fedorahosted.org>) wrote: > Over the summer we ann