I have recently added a replica to my existing setup. Everything seems to work except for 2 issues that I have noted:
#1 IPA health check generates a warning from the replica only (master is ok) similar to this:
{ "source": "ipahealthcheck.ipa.trust", "check": "IPATrustCatalogCheck", "result": "WARNING", "uuid": "my_uuid", "when": "20191121135331Z", "duration": "2.128808", "kw": { "key": "my_key", "error": "returned nothing", "msg": "Look up of {key} {error}" } },
#2 id some_user returns: id: 'some_user': no such user
I have also noted that: ipa trust-fetch-domains "gsil.smil" return an error - Fetching domains from trusted forest failed
ipa trustdomain-find is able to find the domain
ipa idrange-find returns the same set of results for both the master and the replica
ipa-replica-manage dnarange-show shows that the dna ranges are not overlapping (my understanding is this is a good thing)
My environment: Rocky 8.7 FreeIPA 4.9.10
Master: gsil-ipa01 Replica: gsil-ipa02
Both master and replica are configured with server roles: AD trust agent, AD trust controller, CA server, DNS server, KRA server.
Are issues #1 and #2 related? i.e. fix one and the other will work as expected? I am still reviewing possible solutions for why LDAP lookup using the id command is not working. But maybe it will never work unless I fix the healthcheck issue... Your input is greatly appreciated!
One additional item I found-
https://access.redhat.com/solutions/6977745 - Check if the trust is relying on POSIX attributes coming from Active Directory.
That is NOT the case for me.
ipa idrange-find shows: 3 ranges
Range Name: GSILSMIL_id_range ... Range type: Active Directory domain_range
Range Name: IDM.GSIL.SMIL_id_range ... Range type: local_domain range
Range Name: GSILSMIL_subid_range ... Range type: Active Directory domain_range
Hi,
On Mon, Jan 16, 2023 at 7:42 PM Jeremy Tourville via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
I have recently added a replica to my existing setup. Everything seems to work except for 2 issues that I have noted:
#1 IPA health check generates a warning from the replica only (master is ok) similar to this:
{ "source": "ipahealthcheck.ipa.trust", "check": "IPATrustCatalogCheck", "result": "WARNING", "uuid": "my_uuid", "when": "20191121135331Z", "duration": "2.128808", "kw": { "key": "my_key", "error": "returned nothing", "msg": "Look up of {key} {error}" } },
ipa-healthcheck is extracting the domain SID for the AD domain, then tries to resolve <domainSID>-500 to a name as this should be the SID of the AD administrator. If this fails, enable SSSD debugging on the replica as explained in https://docs.pagure.org/sssd.sssd/users/troubleshooting.html and check SSSD logs.
#2 id some_user
returns: id: 'some_user': no such user
Is it failing for IPA users or AD users?
flo
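To make the reply's description of the check concrete, here is an added illustration (not the ipa-healthcheck source, nor code from anyone in this thread) of what IPATrustCatalogCheck does: take the trusted domain's SID, append the well-known Administrator RID 500, ask the resolver for a name, and emit a WARNING with the same "Look up of {key} {error}" message when nothing comes back. The domain SID, the lookup table and the resulting name are constructed sample values; on a real IPA server the resolver would be SSSD (for example via the pysss_nss_idmap module), which is exactly the component whose debug logs the reply suggests reading.

```python
"""Model of the IPATrustCatalogCheck lookup described in the reply.
Illustrative code, not the upstream ipa-healthcheck implementation."""
import re
import time
from typing import Callable, Optional

# Well-known relative identifier (RID) of the built-in Administrator account.
ADMIN_RID = 500

# A domain SID has the shape S-1-5-21-<sub1>-<sub2>-<sub3> (no trailing RID).
DOMAIN_SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+$")

# Constructed sample data standing in for SSSD's SID-to-name resolution.
SAMPLE_DOMAIN_SID = "S-1-5-21-1111-2222-3333"          # constructed, not a real domain
SAMPLE_SID_TABLE = {
    "S-1-5-21-1111-2222-3333-500": "administrator@gsil.smil",  # constructed mapping
}


def admin_sid(domain_sid: str) -> str:
    """Derive the Administrator SID by appending RID 500 to the domain SID."""
    if not DOMAIN_SID_RE.match(domain_sid):
        raise ValueError(f"not a domain SID: {domain_sid}")
    return f"{domain_sid}-{ADMIN_RID}"


def check_trust_catalog(domain_sid: str,
                        resolve_sid: Callable[[str], Optional[str]]) -> dict:
    """Emulate the check: resolve <domainSID>-500 to a name.

    resolve_sid is the pluggable lookup; the healthcheck relies on SSSD here,
    so a WARNING from this check usually points at SSSD on that host.
    """
    key = admin_sid(domain_sid)
    error = None
    try:
        name = resolve_sid(key)
    except Exception as exc:  # resolver crashed rather than returning nothing
        name, error = None, str(exc)

    report = {
        "source": "ipahealthcheck.ipa.trust",
        "check": "IPATrustCatalogCheck",
        "when": time.strftime("%Y%m%d%H%M%SZ", time.gmtime()),
    }
    if not name:
        # Same placeholder-style message as in the JSON posted above.
        report["result"] = "WARNING"
        report["kw"] = {"key": key,
                        "error": error or "returned nothing",
                        "msg": "Look up of {key} {error}"}
    else:
        report["result"] = "SUCCESS"
        report["kw"] = {"key": key, "name": name}
    return report


def render_message(report: dict) -> str:
    """Expand the {key}/{error} placeholders the way the report is meant to be read."""
    kw = report["kw"]
    template = kw.get("msg", "Look up of {key} resolved to {name}")
    return template.format(**kw)


if __name__ == "__main__":
    # Healthy replica: SSSD answers, check passes.
    ok = check_trust_catalog(SAMPLE_DOMAIN_SID, SAMPLE_SID_TABLE.get)
    print(ok["result"], render_message(ok))
    # Broken replica: resolver returns nothing, check warns.
    bad = check_trust_catalog(SAMPLE_DOMAIN_SID, lambda sid: None)
    print(bad["result"], render_message(bad))
```

The useful takeaway is that the "key" in the warning is the SID of the trusted domain's Administrator account, so the check is a probe of whether this particular server can resolve AD SIDs at all; that is why a failing `id` for AD users and the healthcheck WARNING tend to go together, as the thread's resolution confirms.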
OK, I fixed my SSSD issue. It turns out that DNSSEC needed to be turned off. We are not using that in our environment. Once I did that everything was good.
I also ran the ipa-healthcheck again and everything is good there too!
So, both problems were related, just not in the way I thought originally.