Hi Florence, Thank you for your help here!

Please see attached details. As you expected,
dn="fqdn=ipa2.example.com,cn=computers,cn=accounts,dc=example,dc=com". How
to correct this?

Thanks.

Kathy.

[root@ipa2 ~]# klist -A
Ticket cache: KEYRING:persistent:0:0
Default principal: [email protected]

Valid starting       Expires              Service principal
08/19/2021 16:23:24  08/20/2021 16:22:52  HTTP/[email protected]
08/19/2021 16:23:17  08/20/2021 16:22:52  krbtgt/[email protected]
[root@ipa2 ~]#

[root@ipa2 ~]# klist -k /etc/krb5.keytab
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 host/[email protected]
   1 host/[email protected]
[root@ipa2 ~]#

[root@ipa2 tmp]# grep "cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config" access
[20/Aug/2021:10:29:27.781656511 -0700] conn=129591 op=3 SRCH base="cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config" scope=0 filter="(objectClass=*)" attrs=ALL
[root@ipa2 tmp]#

[root@ipa2 tmp]# grep "conn=129591" access | grep "BIND dn="
[20/Aug/2021:10:29:27.774670410 -0700] conn=129591 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[20/Aug/2021:10:29:27.778256471 -0700] conn=129591 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
[20/Aug/2021:10:29:27.780236168 -0700] conn=129591 op=2 BIND dn="" method=sasl version=3 mech=GSSAPI
[root@ipa2 tmp]#

[root@ipa2 tmp]# grep "conn=129591 op=2" access | grep RESULT
[20/Aug/2021:10:29:27.780808034 -0700] conn=129591 op=2 RESULT err=0 tag=97 nentries=0 etime=0.000631206 dn="fqdn=ipa2.example.com,cn=computers,cn=accounts,dc=example,dc=com"
[root@ipa2 tmp]#
[root@ipa2 ~]#

On Thu, Aug 19, 2021 at 11:25 PM Florence Renaud <[email protected]> wrote:

> Hi,
>
> What is the output of
> klist -A
> klist -k /etc/krb5.keytab
> on the machine where ipa-healthcheck command fails?
> ipa-healthcheck is using a Kerberos ticket to authenticate to the LDAP
> server (obtained from /etc/krb5.keytab), and has different access rights
> depending on the identity mapped to this ticket. I suspect that the LDAP
> operations don't return any entry because they are mapped to a wrong
> identity.
>
> You can also have a look at the directory server access logs to check
> which identity is used:
> 1. open /var/log/dirsrv/slapd-DOMAIN-COM/access
> 2. look for a line containing the following:
> SRCH base="cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config"
> 3. In this line, note the conn=<value>. On my machine I see for instance:
> [20/Aug/2021:08:14:03.982502295 +0200] *conn=17816* op=3 SRCH base="cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config" scope=0 filter="(objectClass=*)" attrs=ALL
> 4. Go up in the logs and find the BIND operation that took place on this
> connection: the line must contain the same *conn=<value>* and *BIND dn=*:
> [20/Aug/2021:08:14:03.978879492 +0200] *conn=17816* *op=2* *BIND dn=*"" method=sasl version=3 mech=GSSAPI
> 5. Find the corresponding result: the line must contain the same *conn=<value>
> op=<value>* and will give you the dn used for the LDAP operation:
> [20/Aug/2021:08:14:03.981131807 +0200] *conn=17816 op=2* RESULT err=0 tag=97 nentries=0 wtime=0.000152828 optime=0.002257466 etime=0.002407324 *dn="uid=idmuser,cn=users,cn=accounts,dc=domain,dc=com"*
>
> In my example ipa-healthcheck fails to find the cn=Posix IDs entry
> because it is using an LDAP connection bound as uid=idmuser, who doesn't
> have the required read permissions.
>
> HTH,
> flo
>
> On Fri, Aug 20, 2021 at 3:19 AM Kathy Zhu via FreeIPA-users <
> [email protected]> wrote:
>
>> I ran the same ldapsearch on a good server and compared the outputs. Here
>> are the differences:
>>
>> dnaMaxValue: 1889657499 |
>> dnaMaxValue: 1889607999
>>
>> dnaNextValue: 1889650758 |
>> dnaNextValue: 1889601276
>>
>> Thanks.
>>
>> Kathy.
>>
>> On Thu, Aug 19, 2021 at 6:02 PM Kathy Zhu <[email protected]> wrote:
>>
>>> Hi Rob,
>>>
>>> Thanks for replying!
>>>
>>> It is not missing and I can create a new user or group on it:
>>>
>>> [root@ipa2 ~]# ldapsearch -D "cn=directory manager" -W -b "cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config"
>>> Enter LDAP Password:
>>> # extended LDIF
>>> #
>>> # LDAPv3
>>> # base <cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config> with scope subtree
>>> # filter: (objectclass=*)
>>> # requesting: ALL
>>> #
>>>
>>> # Posix IDs, Distributed Numeric Assignment Plugin, plugins, config
>>> dn: cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
>>> cn: Posix IDs
>>> dnaExcludeScope: cn=provisioning,dc=example,dc=com
>>> dnaFilter: (|(objectClass=posixAccount)(objectClass=posixGroup)(objectClass=ipaIDobject))
>>> dnaMagicRegen: -1
>>> dnaMaxValue: 1889657499
>>> dnaNextValue: 1889650758
>>> dnaScope: dc=example,dc=com
>>> dnaSharedCfgDN: cn=posix-ids,cn=dna,cn=ipa,cn=etc,dc=example,dc=com
>>> dnaThreshold: 500
>>> dnaType: uidNumber
>>> dnaType: gidNumber
>>> objectClass: top
>>> objectClass: extensibleObject
>>>
>>> # search result
>>> search: 2
>>> result: 0 Success
>>>
>>> # numResponses: 2
>>> # numEntries: 1
>>> [root@ipa2 ~]#
>>>
>>> On Thu, Aug 19, 2021 at 5:14 PM Rob Crittenden <[email protected]> wrote:
>>>
>>>> Kathy Zhu via FreeIPA-users wrote:
>>>> > Hello,
>>>> >
>>>> > ipa-healthcheck is a great tool! Really appreciate Rob making it
>>>> > work for CentOS.
>>>> >
>>>> > When I ran it on all of our IPA servers, one server reported:
>>>> >
>>>> > [root@ipa2 ~]# ipa-healthcheck --failures-only --output-type human
>>>> > CRITICAL: ipahealthcheck.ipa.dna.IPADNARangeCheck: no matching entry found
>>>> > [root@ipa2 ~]#
>>>> >
>>>> > I created a user and a group on this server, then deleted them and
>>>> > reran ipa-healthcheck; I still get the same error. Here is the JSON
>>>> > format of it:
>>>> >
>>>> > {
>>>> >   "source": "ipahealthcheck.ipa.dna",
>>>> >   "kw": {
>>>> >     "exception": "no matching entry found"
>>>> >   },
>>>> >   "uuid": "aaf4da70-64ca-435f-8011-b40da74b874e",
>>>> >   "duration": "0.136489",
>>>> >   "when": "20210819224225Z",
>>>> >   "check": "IPADNARangeCheck",
>>>> >   "result": "CRITICAL"
>>>> > }
>>>> >
>>>> > We have 7 IPA servers; this is the only server with this error.
>>>> >
>>>> > The successful one looks like below:
>>>> >
>>>> > {
>>>> >   "source": "ipahealthcheck.ipa.dna",
>>>> >   "kw": {
>>>> >     "range_start": 1889601184,
>>>> >     "next_start": 0,
>>>> >     "next_max": 0,
>>>> >     "range_max": 1889625999
>>>> >   },
>>>> >   "uuid": "1ce671b9-76cf-46ce-b7d2-d5eec4079d63",
>>>> >   "duration": "0.309565",
>>>> >   "when": "20210630231006Z",
>>>> >   "check": "IPADNARangeCheck",
>>>> >   "result": "SUCCESS"
>>>> > }
>>>> >
>>>> > Any suggestions/ideas to fix it?
>>>>
>>>> It looks in here for the configuration. It could throw a not found if
>>>> it is missing (though why/how it could be I don't know):
>>>>
>>>> cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
>>>>
>>>> rob
>>>>
>>>> _______________________________________________
>> FreeIPA-users mailing list -- [email protected]
>> To unsubscribe send an email to [email protected]
>> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>> List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
>> Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
>>
>
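The conn=/op= correlation Florence walks through above (SRCH on the DNA config entry, then the last BIND on that connection, then that BIND's RESULT dn=), written out as a small log-correlation script. This is an added example, not code from the thread or from ipa-healthcheck; the sample log lines are constructed from the two access-log excerpts quoted in the thread.

```python
import re

# Entry that ipa-healthcheck's IPADNARangeCheck searches for (from the thread).
DNA_BASE = ("cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,"
            "cn=plugins,cn=config")
# 389-ds access log line: [timestamp] conn=N op=N <operation ...>
LINE_RE = re.compile(r'^\[[^\]]+\] conn=(\d+) op=(-?\d+) (.*)$')
DN_RE = re.compile(r'dn="([^"]*)"')

# Constructed sample modelled on the two access-log excerpts quoted in the
# thread: conn=129591 bound as the host principal, conn=17816 as uid=idmuser.
SAMPLE_LOG = """\
[20/Aug/2021:10:29:27.774670410 -0700] conn=129591 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[20/Aug/2021:10:29:27.778256471 -0700] conn=129591 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
[20/Aug/2021:10:29:27.780236168 -0700] conn=129591 op=2 BIND dn="" method=sasl version=3 mech=GSSAPI
[20/Aug/2021:10:29:27.780808034 -0700] conn=129591 op=2 RESULT err=0 tag=97 nentries=0 etime=0.000631206 dn="fqdn=ipa2.example.com,cn=computers,cn=accounts,dc=example,dc=com"
[20/Aug/2021:10:29:27.781656511 -0700] conn=129591 op=3 SRCH base="cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config" scope=0 filter="(objectClass=*)" attrs=ALL
[20/Aug/2021:08:14:03.978879492 +0200] conn=17816 op=2 BIND dn="" method=sasl version=3 mech=GSSAPI
[20/Aug/2021:08:14:03.981131807 +0200] conn=17816 op=2 RESULT err=0 tag=97 nentries=0 etime=0.002407324 dn="uid=idmuser,cn=users,cn=accounts,dc=domain,dc=com"
[20/Aug/2021:08:14:03.982502295 +0200] conn=17816 op=3 SRCH base="cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config" scope=0 filter="(objectClass=*)" attrs=ALL
"""


def dna_search_identities(log_text):
    """Return [(conn, bind_dn)] for each SRCH on DNA_BASE. bind_dn is the dn=
    in the RESULT of the last BIND on that connection, i.e. the identity the
    Kerberos ticket was mapped to; None means no BIND preceded the search."""
    ops = []  # (conn, op, rest) in log order
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ops.append((int(m[1]), int(m[2]), m[3]))
    found = []
    for conn, op, rest in ops:
        if not (rest.startswith("SRCH ") and f'base="{DNA_BASE}"' in rest):
            continue
        binds = [o for c, o, r in ops
                 if c == conn and o < op and r.startswith("BIND ")]
        if not binds:
            found.append((conn, None))  # anonymous connection, no identity
            continue
        last = max(binds)  # the final GSSAPI SASL round carries the mapped dn
        dn = ""  # bind completed but its RESULT carried no dn= (anonymous)
        for c, o, r in ops:
            if c == conn and o == last and r.startswith("RESULT "):
                m = DN_RE.search(r)
                dn = m[1] if m else ""
        found.append((conn, dn))
    return found
```

Run it over /var/log/dirsrv/slapd-DOMAIN-COM/access to see which DN each healthcheck run was bound as when it read the DNA entry; a host entry or a plain user there explains the "no matching entry found" result.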
