Travis West via FreeIPA-users wrote:
Thanks Rob! New certs are all replicated and all IPA services are started on all 6 servers. I can perform 'ipa cert-show 1' on all 6 and get the expected result.
As a sanity check I did run the ipa-healthcheck on all 6 servers. One of them came back fine, the other 5 returned
[
  {
    "source": "ipahealthcheck.ipa.dna",
    "kw": {
      "msg": "No DNA range defined. If no masters define a range then users and groups cannot be created.",
      "range_start": 0,
      "next_start": 0,
      "next_max": 0,
      "range_max": 0
    },
    "uuid": "70636197-0b3e-4424-b509-1aa7f8be084d",
    "duration": "0.706384",
    "when": "20240405170045Z",
    "check": "IPADNARangeCheck",
    "result": "WARNING"
  }
]
Now it's just a WARNING, and since the one didn't return it (they're all denoted as MASTER) maybe it's okay?
It just means that when you add users or groups you do it against the same IPA server. If you do it on others then it will split the range between them as needed. Not a bad thing but it gets complex if you add and remove a lot of servers, particularly older ones. I made changes a few years ago to try to capture ranges that would otherwise be lost but it's sort of a best effort kind of thing.
The purpose of this is to ensure that at least one server has a range. Currently healthcheck only validates the server it is running on and doesn't do much cluster-wide checking.
rob
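
Added example, not part of the original thread and not ipa-healthcheck code: since healthcheck only looks at the server it runs on, this sketch combines the JSON saved from each server and reports whether at least one of them holds a DNA range. It assumes each server's output includes its IPADNARangeCheck entry even when the check succeeds; the host names, the SUCCESS entry and its range values are constructed.

```python
import json

# Constructed sample input. The WARNING entry reuses the fields shown in the
# post; the SUCCESS entry, its range values and the host names are made up.
NO_RANGE = json.dumps([{
    "source": "ipahealthcheck.ipa.dna", "check": "IPADNARangeCheck",
    "result": "WARNING",
    "kw": {"range_start": 0, "next_start": 0, "next_max": 0, "range_max": 0}}])
HAS_RANGE = json.dumps([{
    "source": "ipahealthcheck.ipa.dna", "check": "IPADNARangeCheck",
    "result": "SUCCESS",
    "kw": {"range_start": 100000, "next_start": 0, "next_max": 0,
           "range_max": 199999}}])
SAMPLE = {f"ipa{n}.example.test": NO_RANGE for n in range(2, 7)}
SAMPLE["ipa1.example.test"] = HAS_RANGE

RANGE_KEYS = ("range_start", "range_max", "next_start", "next_max")


def dna_state(report_json):
    """Classify one server's report: 'range', 'no-range' or 'not-reported'."""
    for entry in json.loads(report_json):
        if entry.get("check") != "IPADNARangeCheck":
            continue
        kw = entry.get("kw", {})
        if entry.get("result") == "SUCCESS" or any(int(kw.get(k, 0)) for k in RANGE_KEYS):
            return "range"
        if entry.get("result") == "WARNING":
            return "no-range"
        return "not-reported"  # e.g. the check itself errored out
    return "not-reported"      # no IPADNARangeCheck entry in this report


def cluster_dna_summary(reports):
    """Combine per-server reports (host -> JSON text) into one verdict."""
    states = {host: dna_state(text) for host, text in reports.items()}
    holders = sorted(h for h, s in states.items() if s == "range")
    unknown = sorted(h for h, s in states.items() if s == "not-reported")
    if holders:
        verdict = "ok"                 # at least one server can allocate IDs
    elif unknown:
        verdict = "unknown"            # cannot rule a range in or out
    else:
        verdict = "no-range-anywhere"  # every server reported no range
    return {"verdict": verdict, "holders": holders, "unknown": unknown}


if __name__ == "__main__":
    print(cluster_dna_summary(SAMPLE))
```

A server whose report has no IPADNARangeCheck entry is counted as "not-reported" rather than assumed to hold a range, so the verdict is "ok" only on positive evidence.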