[Freeipa-users] Re: Problem with AD users after upgrade

Tuesday, 16 June 2020

Hi Rob,

ipa-healthcheck revealed several errors. I do not want to discuss all of 
them in public because I do not want do disclose the domain/subdomain 
names of our AD. (If you think the topic is worth to be discussed on the 
mailing list, I will obfuscate them before posting.)

I would highly appreciate if you could take a quick look and tell me how 
severe they are and what I can possibly do to fix them. I do not care 
about KRA because we did not use the feature at this point in time. KRA 
could be set up from scratch again - if possible. The replication 
conflicts sound much more troubeling...

Cheers,
Ronald

   {
     "source": "pki.server.healthcheck.meta.csconfig",
     "check": "DogtagCertsConfigCheck",
     "result": "ERROR",
     "uuid": "29b240d3-a221-4bd5-a3d9-bae309ed33a7",
     "when": "20200616210039Z",
     "duration": "0.197320",
     "kw": {
       "key": "kra_transport",
       "nickname": "transportCert cert-pki-kra",
       "directive": "kra.transport.cert",
       "configfile": "/var/lib/pki/pki-tomcat/kra/conf/CS.cfg",
       "msg": "Certificate 'transportCert cert-pki-kra' does not
match 
the value of kra.transport.cert in /var/lib/pki/pki-tomcat/kra/conf/CS.cfg"
     }
--
   {
     "source": "pki.server.healthcheck.meta.csconfig",
     "check": "DogtagCertsConfigCheck",
     "result": "ERROR",
     "uuid": "c946f181-3745-499e-ab9c-289a4ffd36e9",
     "when": "20200616210039Z",
     "duration": "0.228105",
     "kw": {
       "key": "kra_storage",
       "nickname": "storageCert cert-pki-kra",
       "directive": "kra.storage.cert",
       "configfile": "/var/lib/pki/pki-tomcat/kra/conf/CS.cfg",
       "msg": "Certificate 'storageCert cert-pki-kra' does not
match the 
value of kra.storage.cert in /var/lib/pki/pki-tomcat/kra/conf/CS.cfg"
     }
--
   {
     "source": "pki.server.healthcheck.meta.csconfig",
     "check": "DogtagCertsConfigCheck",
     "result": "ERROR",
     "uuid": "0e59c252-53d8-449e-bc51-96b59e1a8acc",
     "when": "20200616210039Z",
     "duration": "0.260174",
     "kw": {
       "key": "kra_audit_signing",
       "nickname": "auditSigningCert cert-pki-kra",
       "directive": "kra.audit_signing.cert",
       "configfile": "/var/lib/pki/pki-tomcat/kra/conf/CS.cfg",
       "msg": "Certificate 'auditSigningCert cert-pki-kra' does not

match the value of kra.audit_signing.cert in 
/var/lib/pki/pki-tomcat/kra/conf/CS.cfg"
     }
--
   {
     "source": "ipahealthcheck.dogtag.ca",
     "check": "DogtagCertsConfigCheck",
     "result": "ERROR",
     "uuid": "01b18546-b473-40fb-9923-bfb23f152038",
     "when": "20200616210039Z",
     "duration": "0.260025",
     "kw": {
       "key": "transportCert cert-pki-kra",
       "directive": "ca.connector.KRA.transportCert",
       "configfile": "/var/lib/pki/pki-tomcat/conf/ca/CS.cfg",
       "msg": "Certificate 'transportCert cert-pki-kra' does not
match 
the value of ca.connector.KRA.transportCert in 
/var/lib/pki/pki-tomcat/conf/ca/CS.cfg"
     }
   },
--
   {
     "source": "ipahealthcheck.ds.replication",
     "check": "ReplicationConflictCheck",
     "result": "ERROR",
     "uuid": "3dca4913-3a30-4bff-8326-3c51b0aeda8c",
     "when": "20200616210039Z",
     "duration": "0.003225",
     "kw": {
       "key": 
"cn=certmap+nsuniqueid=46562a35-994311e7-bcd9e321-1436c40f,dc=linux,dc=mydomain,dc=at",
       "glue": false,
       "conflict": "namingConflict
cn=certmap,dc=linux,dc=mydomain,dc=at",
       "msg": "Replication conflict"
     }
   },
   {
     "source": "ipahealthcheck.ds.replication",
     "check": "ReplicationConflictCheck",
     "result": "ERROR",
     "uuid": "58623e97-e913-433a-9793-6bb233afdcc9",
     "when": "20200616210039Z",
     "duration": "0.003316",
     "kw": {
       "key": "cn=Certificate Identity Mapping 
Administrators+nsuniqueid=46562a39-994311e7-bcd9e321-1436c40f,cn=privileges,cn=pbac,dc=linux,dc=mydomain,dc=at",
       "glue": false,
       "conflict": "namingConflict cn=Certificate Identity Mapping 
Administrators,cn=privileges,cn=pbac,dc=linux,dc=mydomain,dc=at",
       "msg": "Replication conflict"
     }
   },
   {
     "source": "ipahealthcheck.ds.replication",
     "check": "ReplicationConflictCheck",
     "result": "ERROR",
     "uuid": "7a76e510-8b3a-41f6-b329-fc474ca6202f",
     "when": "20200616210039Z",
     "duration": "0.003397",
     "kw": {
       "key": "cn=System: Modify Certmap 
Configuration+nsuniqueid=46562a41-994311e7-bcd9e321-1436c40f,cn=permissions,cn=pbac,dc=linux,dc=mydomain,dc=at",
       "glue": false,
       "conflict": "namingConflict cn=System: Modify Certmap 
Configuration,cn=permissions,cn=pbac,dc=linux,dc=mydomain,dc=at",
       "msg": "Replication conflict"
     }
   },
   {
     "source": "ipahealthcheck.ds.replication",
     "check": "ReplicationConflictCheck",
     "result": "ERROR",
     "uuid": "e7588c0d-52d8-44d2-beec-4e3c31be3f4b",
     "when": "20200616210039Z",
     "duration": "0.003475",
     "kw": {
       "key": "cn=System: Read Certmap 
Configuration+nsuniqueid=46562a45-994311e7-bcd9e321-1436c40f,cn=permissions,cn=pbac,dc=linux,dc=mydomain,dc=at",
       "glue": false,
       "conflict": "namingConflict cn=System: Read Certmap 
Configuration,cn=permissions,cn=pbac,dc=linux,dc=mydomain,dc=at",
       "msg": "Replication conflict"
     }
   },
   {
     "source": "ipahealthcheck.ds.replication",
     "check": "ReplicationConflictCheck",
     "result": "ERROR",
     "uuid": "f18f8d2e-b304-4345-8625-55e62ea0a6ca",
     "when": "20200616210039Z",
     "duration": "0.003552",
     "kw": {
       "key": "cn=System: Add Certmap 
Rules+nsuniqueid=46562a48-994311e7-bcd9e321-1436c40f,cn=permissions,cn=pbac,dc=linux,dc=mydomain,dc=at",
       "glue": false,
       "conflict": "namingConflict cn=System: Add Certmap 
Rules,cn=permissions,cn=pbac,dc=linux,dc=mydomain,dc=at",
       "msg": "Replication conflict"
     }
   },
   {
     "source": "ipahealthcheck.ds.replication",
     "check": "ReplicationConflictCheck",
     "result": "ERROR",
     "uuid": "6509b40b-af09-4813-bd4f-330d8bc2ad07",
     "when": "20200616210039Z",
     "duration": "0.003626",
     "kw": {
       "key": "cn=System: Delete Certmap 
Rules+nsuniqueid=46562a4c-994311e7-bcd9e321-1436c40f,cn=permissions,cn=pbac,dc=linux,dc=mydomain,dc=at",
       "glue": false,
       "conflict": "namingConflict cn=System: Delete Certmap 
Rules,cn=permissions,cn=pbac,dc=linux,dc=mydomain,dc=at",
       "msg": "Replication conflict"
     }
   },
   {
     "source": "ipahealthcheck.ds.replication",
     "check": "ReplicationConflictCheck",
     "result": "ERROR",
     "uuid": "8d2acff4-40ce-4275-ae63-a7a98be207c2",
     "when": "20200616210039Z",
     "duration": "0.003701",
     "kw": {
       "key": "cn=System: Modify Certmap 
Rules+nsuniqueid=46562a50-994311e7-bcd9e321-1436c40f,cn=permissions,cn=pbac,dc=linux,dc=mydomain,dc=at",
       "glue": false,
       "conflict": "namingConflict cn=System: Modify Certmap 
Rules,cn=permissions,cn=pbac,dc=linux,dc=mydomain,dc=at",
       "msg": "Replication conflict"
     }
   },
   {
     "source": "ipahealthcheck.ds.replication",
     "check": "ReplicationConflictCheck",
     "result": "ERROR",
     "uuid": "0cf56b18-9f8f-47d1-b086-0ba928709bfc",
     "when": "20200616210039Z",
     "duration": "0.003794",
     "kw": {
       "key": "cn=System: Read Certmap 
Rules+nsuniqueid=46562a54-994311e7-bcd9e321-1436c40f,cn=permissions,cn=pbac,dc=linux,dc=mydomain,dc=at",
       "glue": false,
       "conflict": "namingConflict cn=System: Read Certmap 
Rules,cn=permissions,cn=pbac,dc=linux,dc=mydomain,dc=at",
       "msg": "Replication conflict"
     }
   },
   {
     "source": "ipahealthcheck.ds.replication",
     "check": "ReplicationConflictCheck",
     "result": "ERROR",
     "uuid": "6eea376a-1e81-4c31-98b4-fd3d72695951",
     "when": "20200616210039Z",
     "duration": "0.003873",
     "kw": {
       "key": "cn=System: Modify External Group 
Membership+nsuniqueid=46562a5d-994311e7-bcd9e321-1436c40f,cn=permissions,cn=pbac,dc=linux,dc=mydomain,dc=at",
       "glue": false,
       "conflict": "namingConflict cn=System: Modify External Group 
Membership,cn=permissions,cn=pbac,dc=linux,dc=mydomain,dc=at",
       "msg": "Replication conflict"
     }
   },
   {
     "source": "ipahealthcheck.ds.replication",
     "check": "ReplicationConflictCheck",
     "result": "ERROR",
     "uuid": "a4c35d33-31ca-452a-b13c-02ffd6d8eea3",
     "when": "20200616210039Z",
     "duration": "0.003953",
     "kw": {
       "key": "cn=System: Read External Group 
Membership+nsuniqueid=46562a64-994311e7-bcd9e321-1436c40f,cn=permissions,cn=pbac,dc=linux,dc=mydomain,dc=at",
       "glue": false,
       "conflict": "namingConflict cn=System: Read External Group 
Membership,cn=permissions,cn=pbac,dc=linux,dc=mydomain,dc=at",
       "msg": "Replication conflict"
     }
   },
   {
     "source": "ipahealthcheck.ds.replication",
     "check": "ReplicationConflictCheck",
     "result": "ERROR",
     "uuid": "22033461-49bb-4836-ab2f-0a989d046c3f",
     "when": "20200616210039Z",
     "duration": "0.004030",
     "kw": {
       "key": "cn=System: Manage User Certificate 
Mappings+nsuniqueid=46562a6b-994311e7-bcd9e321-1436c40f,cn=permissions,cn=pbac,dc=linux,dc=mydomain,dc=at",
       "glue": false,
       "conflict": "namingConflict cn=System: Manage User Certificate 
Mappings,cn=permissions,cn=pbac,dc=linux,dc=mydomain,dc=at",
       "msg": "Replication conflict"
     }
   },
   {
     "source": "ipahealthcheck.ds.replication",
     "check": "ReplicationConflictCheck",
     "result": "ERROR",
     "uuid": "86a73d33-7c33-49b5-bf25-4d175fb45180",
     "when": "20200616210039Z",
     "duration": "0.004114",
     "kw": {
       "key": 
&quot;krbPrincipalName=WELLKNOWN/ANONYMOUS(a)LINUX.MYDOMAIN.AT+nsuniqueid=64bc25a5-994311e7-bcd9e321-1436c40f,cn=LINUX.MYDOMAIN.AT,cn=kerberos,dc=linux,dc=mydomain,dc=at&quot;,
       "glue": false,
       "conflict": "namingConflict 
krbPrincipalName=WELLKNOWN/ANONYMOUS(a)LINUX.MYDOMAIN.AT,cn=LINUX.MYDOMAIN.AT,cn=kerberos,dc=linux,dc=mydomain,dc=at&quot;,
       "msg": "Replication conflict"
     }
   },
   {
     "source": "ipahealthcheck.ds.replication",
     "check": "ReplicationConflictCheck",
     "result": "ERROR",
     "uuid": "98d8b851-1d33-4b0f-9b6b-c204abe9a721",
     "when": "20200616210039Z",
     "duration": "0.004185",
     "kw": {
       "key": 
"cn=KDCs_PKINIT_Certs+nsuniqueid=64bc259d-994311e7-bcd9e321-1436c40f,cn=certprofiles,cn=ca,dc=linux,dc=mydomain,dc=at",
       "glue": false,
       "conflict": "namingConflict 
cn=KDCs_PKINIT_Certs,cn=certprofiles,cn=ca,dc=linux,dc=mydomain,dc=at",
       "msg": "Replication conflict"
     }
   },
--
   {
     "source": "ipahealthcheck.ipa.certs",
     "check": "IPACertRevocation",
     "result": "ERROR",
     "uuid": "09f846de-b933-417b-a5b8-c018c7892e61",
     "when": "20200616210043Z",
     "duration": "2.086729",
     "kw": {
       "key": "20200603161155",
       "msg": "Request for certificate failed, Certificate operation 
cannot be completed: EXCEPTION (Certificate serial number 0xffd0008 not 
found)"
     }
   },
   {
     "source": "ipahealthcheck.ipa.certs",
     "check": "IPACertRevocation",
     "result": "ERROR",
     "uuid": "2060d0c2-b602-4487-b5d9-6320c8488464",
     "when": "20200616210043Z",
     "duration": "2.158848",
     "kw": {
       "key": "20200603161428",
       "msg": "Request for certificate failed, Certificate operation 
cannot be completed: EXCEPTION (Certificate serial number 0xffd0009 not 
found)"
     }
   },
   {
     "source": "ipahealthcheck.ipa.certs",
--
   {
     "source": "ipahealthcheck.ipa.trust",
     "check": "IPATrustDomainsCheck",
     "result": "ERROR",
     "uuid": "589666e0-0426-4dcd-8576-15ec5e1e37e0",
     "when": "20200616210043Z",
     "duration": "0.226474",
     "kw": {
       "key": "domain-list",
       "sssctl": "/usr/sbin/sssctl",
       "sssd_domains": "mydomain.at, buero.mydomain.at, org.mydomain.at, 
tk.mydomain.at",
       "trust_domains": "mydomain.at",
       "msg": "{sssctl} {key} reports mismatch: sssd domains 
{sssd_domains} trust domains {trust_domains}"
     }

2024

2023

2022

2021

2020

2019

2018

2017

[Freeipa-users] Re: Problem with AD users after upgrade