Hello Rob,
for me it is not working. I installed the
freeipa-healthcheck-0.2-3.fc31.noarch on a Fedora release 31 (Rawhide)
and have on the VM the following packages installed:
freeipa-server-4.7.90.pre1-6.fc31.x86_6 and
krb5-server-1.17-30.fc31.x86_64 krb5-workstation-1.17-30.fc31.x86_64
But after getting a TGT somethings is wrong:
ipa-healthcheck --failures-only --debug
...
raw: server_find('', sizelimit=0, version='2.231', no_members=False)
server_find(None, sizelimit=0, all=False, raw=False, version='2.231',
no_members=False, pkey_only=False)
raw: topologysuffix_find(None, all=True, raw=True, version='2.231')
topologysuffix_find(None, all=True, raw=True, version='2.231',
pkey_only=False)
raw: server_role_find(None, server_server='ipaserver.linux.fritz.box',
status='enabled', include_master=True, version='2.231')
server_role_find(None, server_server='ipaserver.linux.fritz.box',
status='enabled', include_master=True, all=False, raw=False,
version='2.231')
raw: topologysegment_find('ca', None, sizelimit=0, version='2.231')
topologysegment_find('ca', None, sizelimit=0, all=False, raw=False,
version='2.231', pkey_only=False)
Calling check <ipahealthcheck.ipa.trust.IPATrustAgentCheck object at
0x7f44008562b0>
Not a trust agent, skipping
Calling check <ipahealthcheck.ipa.trust.IPATrustDomainsCheck object at
0x7f44008264a8>
Not a trust agent, skipping
Calling check <ipahealthcheck.ipa.trust.IPATrustCatalogCheck object at
0x7f4400831780>
Not a trust agent, skipping
Calling check <ipahealthcheck.ipa.trust.IPAsidgenpluginCheck object at
0x7f44008260f0>
Not a trust agent, skipping
Calling check <ipahealthcheck.ipa.trust.IPATrustAgentMemberCheck object
at 0x7f4400846e80>
Not a trust agent, skipping
Calling check <ipahealthcheck.ipa.trust.IPATrustControllerPrincipalCheck
object at 0x7f44007d96d8>
Not a trust controller, skipping
Calling check <ipahealthcheck.ipa.trust.IPATrustControllerServiceCheck
object at 0x7f4400846390>
Not a trust controller, skipping
Calling check <ipahealthcheck.ipa.trust.IPATrustControllerConfCheck
object at 0x7f44007e6eb8>
Not a trust controller, skipping
Calling check <ipahealthcheck.ipa.trust.IPATrustControllerGroupSIDCheck
object at 0x7f44007fb630>
Not a trust controller, skipping
Calling check <ipahealthcheck.meta.core.MetaCheck object at 0x7f4400806a58>
Calling check
<ipahealthcheck.system.filesystemspace.FileSystemSpaceCheck object at
0x7f4400806b00>
[{"source": "ipahealthcheck.ipa.host", "check":
"IPAHostKeytab",
"severity": 2, "uuid":
"496bf36b-b455-45aa-b4fe-fb0ba7463f7a", "when":
"20190614174442Z", "duration": "0.010664", "kw":
{"msg": "Failed to
obtain host TGT: Major (851968): Unspecified GSS failure. Minor code
may provide more information, Minor (2529639122): Pre-authentication
failed: Invalid argument"}}][root@ipaserver ~]#
With another account the same error. Did i make something wrong?
Regards from Germany
Dirk
Am 14.06.19 um 19:20 schrieb Rob Crittenden via FreeIPA-users:
John Keates via FreeIPA-users wrote:
> Sounds great! Where do we find this tool? In an upcoming release or as a stand-alone
package?
It's a standalone package, freeipa-healthcheck.
rob
> John
>
>> On 14 Jun 2019, at 16:29, Rob Crittenden via FreeIPA-users
<freeipa-users(a)lists.fedorahosted.org> wrote:
>>
>> I'd like to introduce a new tool for an IPA adminstrators tool kit we're
>> working on, currently in a beta state and shipping in Fedora 29+.
>>
>> ipa-healthcheck is proactive tool for identifying current, potential and
>> future issues within an IPA installation.
>>
>> It executes a series of checks in the areas of certificates, AD trust,
>> replication and the filesystem (and a few others). These checks can
>> return a success, warning or error. Any check executed will return a
>> value, the idea being if something with the check blows up and causes it
>> to not execute you'd otherwise not know and would have a false sense of
>> security.
>>
>> A systemd timer is configured which will execute this on a nightly
>> basis, dumping the output in JSON format in /var/log/ipa/healthcheck/.
>>
>> It can also be executed from the command-line as root and requires an
>> admin Kerberos ticket. From the command-line it is probably most useful
>> to use the --failures-only option in order to suppress the SUCCESS
>> messages: no news is good news in this case.
>>
>> It currently only works with IPA 4.7.2+. Will we backport to 4.6? I
>> don't know yet.
>>
>> I'd appreciate any feedback on whether it:
>>
>> - is helpful
>> - works
>> - doesn't report false positives
>> - is usable: a lot of the output is what I think would be useful but we
>> won't know until applied in the real world
>> - does what you need. We can add more checks so if you have ideas please
>> let us know
>>
>> Note that there are a few things we run that just produce output that
>> needs to be analyzed separately. DNA range checking is an example. It is
>> perfectly fine to not have a DNA range assigned on all masters but you'd
>> want to know if you had none defined on all masters.
>>
>> thanks
>>
>> rob
>> _______________________________________________
>> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
>> To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
>> Fedora Code of Conduct:
https://getfedora.org/code-of-conduct.html
>> List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
>> List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
> Fedora Code of Conduct:
https://getfedora.org/code-of-conduct.html
> List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
>
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct:
https://getfedora.org/code-of-conduct.html
List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...