Bug 1738314

Summary: AD trust agent and controller not getting initialized
Product: Red Hat Enterprise Linux 8
Reporter: Rob Crittenden <rcritten>
Component: ipa-healthcheck
Assignee: Rob Crittenden <rcritten>
Status: CLOSED ERRATA
QA Contact: ipa-qe <ipa-qe>
Severity: urgent
Priority: urgent
Version: 8.1
CC: fcami, ksiddiqu, ndehadra, sumenon
Target Milestone: rc
Flags: pm-rhel: mirror+
Target Release: 8.0
Hardware: Unspecified
OS: Unspecified
Fixed In Version: ipa-healthcheck-0.3-3
Last Closed: 2019-11-05 20:53:27 UTC
Type: Bug

Description Rob Crittenden 2019-08-06 18:06:12 UTC
Description of problem:

https://github.com/freeipa/freeipa-healthcheck/issues/62

IPA provides two roles for AD trust: agent and controller.

These are looked up in the IPA Plugin initialization but ONLY if the api hasn't been finalized yet. If it was finalized elsewhere then these roles aren't being set.

The lookup of these should not be dependent upon the initialization status of the IPA API.

Version-Release number of selected component (if applicable):
ipa-healthcheck-0.3-2
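The initialization-order dependency described above, reduced to a minimal model. This is an added example, not code from freeipa-healthcheck; FakeAPI, lookup_trust_roles, BuggyRegistry, FixedRegistry and the role-status map are hypothetical names and constructed data.

```python
# Added illustration: all names here are hypothetical, not freeipa-healthcheck code.

class FakeAPI:
    """Stand-in for a shared API object that any component may finalize."""
    def __init__(self):
        self.finalized = False

    def finalize(self):
        self.finalized = True


def lookup_trust_roles(server_roles):
    """Return (is_agent, is_controller) from a constructed role-status map."""
    return (server_roles.get("AD trust agent") == "enabled",
            server_roles.get("AD trust controller") == "enabled")


class BuggyRegistry:
    """Role lookup lives inside the 'not finalized yet' branch."""
    def __init__(self):
        self.trust_agent = False
        self.trust_controller = False

    def initialize(self, api, server_roles):
        if not api.finalized:
            api.finalize()
            self.trust_agent, self.trust_controller = lookup_trust_roles(server_roles)


class FixedRegistry(BuggyRegistry):
    """Finalize only when needed, but always look the roles up."""
    def initialize(self, api, server_roles):
        if not api.finalized:
            api.finalize()
        self.trust_agent, self.trust_controller = lookup_trust_roles(server_roles)


def roles_after_init(registry_cls, api_already_finalized):
    """Initialize a registry on a trust-enabled server (constructed data)."""
    api = FakeAPI()
    if api_already_finalized:
        api.finalize()  # another component finalized the API first
    registry = registry_cls()
    roles = {"AD trust agent": "enabled", "AD trust controller": "enabled"}
    registry.initialize(api, roles)
    return registry.trust_agent, registry.trust_controller
```

With the API finalized beforehand, the buggy variant keeps both role flags at their defaults even though the server holds both roles; the fixed variant reports them regardless of who finalized the API.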

Comment 1 Rob Crittenden 2019-08-08 12:37:09 UTC
Fixed in master:

ae70afc781098b628b40894f9e0e841d3ba5b585
0727c05df8e2b9cd6977bf076e88e5da0fd573a6
14c7619284c5d29507b74d87c01b7c2d362be5c5
5fb1b2049889705d2cda60d745be5b1dacb23146

Comment 5 Sudhir Menon 2019-09-12 13:25:44 UTC
Fix is seen. Verified on RHEL81.

[root@master ~]# cat /etc/redhat-release 
Red Hat Enterprise Linux release 8.1 Beta (Ootpa)

[root@master ~]# rpm -q ipa-server ipa-healthcheck sssd
ipa-server-4.8.0-10.module+el8.1.0+4098+f286395e.x86_64
ipa-healthcheck-0.3-4.module+el8.1.0+4098+f286395e.noarch
sssd-2.2.0-19.el8.x86_64


1. With Trust enabled on the system

# ipa-healthcheck --source ipahealthcheck.ipa.trust

[
  {
    "source": "ipahealthcheck.ipa.trust",
    "check": "IPATrustAgentCheck",
    "result": "SUCCESS",
    "uuid": "4f37244e-efc9-4d3a-bce9-cac6b0cc828f",
    "when": "20190912131539Z",
    "duration": "0.068867",
    "kw": {}
  },
  {
    "source": "ipahealthcheck.ipa.trust",
    "check": "IPATrustDomainsCheck",
    "result": "SUCCESS",
    "uuid": "0cb24735-494a-41de-8830-0209387f684f",
    "when": "20190912131539Z",
    "duration": "0.079331",
    "kw": {
      "key": "domain-list",
      "sssd_domains": "win2k16.test",
      "trust_domains": "win2k16.test"
    }
  },
  {
    "source": "ipahealthcheck.ipa.trust",
    "check": "IPATrustDomainsCheck",
    "result": "SUCCESS",
    "uuid": "c247186e-d86c-4e63-9e7b-268557eeff41",
    "when": "20190912131539Z",
    "duration": "0.113826",
    "kw": {
      "key": "domain-status",
      "domain": "win2k16.test"
    }
  },
  {
    "source": "ipahealthcheck.ipa.trust",
    "check": "IPATrustCatalogCheck",
    "result": "SUCCESS",
    "uuid": "05554015-2842-45ac-915e-7d0f5ac6b403",
    "when": "20190912131539Z",
    "duration": "0.061157",
    "kw": {
      "key": "Domain Security Identifier",
      "sid": "S-1-5-21-720774695-2048269649-614676435"
    }
  },
  {
    "source": "ipahealthcheck.ipa.trust",
    "check": "IPATrustCatalogCheck",
    "result": "SUCCESS",
    "uuid": "792b30c6-3f21-41e8-9602-d56d87564660",
    "when": "20190912131539Z",
    "duration": "0.157007",
    "kw": {
      "key": "AD Global Catalog",
      "domain": "win2k16.test"
    }
  },
  {
    "source": "ipahealthcheck.ipa.trust",
    "check": "IPATrustCatalogCheck",
    "result": "SUCCESS",
    "uuid": "518a5b73-7796-4c2f-863e-d4de22c7fa5a",
    "when": "20190912131539Z",
    "duration": "0.157251",
    "kw": {
      "key": "AD Domain Controller",
      "domain": "win2k16.test"
    }
  },
  {
    "source": "ipahealthcheck.ipa.trust",
    "check": "IPAsidgenpluginCheck",
    "result": "SUCCESS",
    "uuid": "e70eaedf-2475-43cd-b262-3598c8beab10",
    "when": "20190912131539Z",
    "duration": "0.004395",
    "kw": {
      "key": "IPA SIDGEN"
    }
  },
  {
    "source": "ipahealthcheck.ipa.trust",
    "check": "IPAsidgenpluginCheck",
    "result": "SUCCESS",
    "uuid": "80b7cda6-31f7-4ec1-bb65-8965be471bc2",
    "when": "20190912131539Z",
    "duration": "0.006314",
    "kw": {
      "key": "ipa-sidgen-task"
    }
  },
  {
    "source": "ipahealthcheck.ipa.trust",
    "check": "IPATrustAgentMemberCheck",
    "result": "SUCCESS",
    "uuid": "905c737f-40af-4c63-9543-97b1b5dd3377",
    "when": "20190912131539Z",
    "duration": "0.004109",
    "kw": {
      "key": "master.rhel81.test"
    }
  },
  {
    "source": "ipahealthcheck.ipa.trust",
    "check": "IPATrustControllerPrincipalCheck",
    "result": "SUCCESS",
    "uuid": "cdd7fe17-2af0-44df-b564-5c70ac5cc470",
    "when": "20190912131539Z",
    "duration": "0.000099",
    "kw": {}
  },
  {
    "source": "ipahealthcheck.ipa.trust",
    "check": "IPATrustControllerServiceCheck",
    "result": "SUCCESS",
    "uuid": "7ef71edf-747b-470a-b36f-6ff27d4bd184",
    "when": "20190912131539Z",
    "duration": "0.000091",
    "kw": {}
  },
  {
    "source": "ipahealthcheck.ipa.trust",
    "check": "IPATrustControllerConfCheck",
    "result": "SUCCESS",
    "uuid": "86b44b0b-266b-492e-80f2-43e1ef990a17",
    "when": "20190912131539Z",
    "duration": "0.000105",
    "kw": {}
  },
  {
    "source": "ipahealthcheck.ipa.trust",
    "check": "IPATrustControllerGroupSIDCheck",
    "result": "SUCCESS",
    "uuid": "0fe3419d-4c5c-4088-9af2-16425b7cdc13",
    "when": "20190912131539Z",
    "duration": "0.000317",
    "kw": {}
  },
  {
    "source": "ipahealthcheck.ipa.trust",
    "check": "IPATrustPackageCheck",
    "result": "SUCCESS",
    "uuid": "bc701c30-e46b-4aa6-90c7-ba58aaf7e488",
    "when": "20190912131539Z",
    "duration": "0.003156",
    "kw": {
      "key": "adtrustpackage"
    }
  }
]


2. Without trust enabled, but trust packages installed.

[
  {
    "source": "ipahealthcheck.ipa.trust",
    "check": "IPATrustAgentCheck",
    "result": "SUCCESS",
    "uuid": "7fa114b5-921c-4242-a093-2e827f11bd08",
    "when": "20190912131823Z",
    "duration": "0.064412",
    "kw": {}
  },
  {
    "source": "ipahealthcheck.ipa.trust",
    "check": "IPATrustDomainsCheck",
    "result": "SUCCESS",
    "uuid": "7058dfef-2f90-4aac-9707-87f63c88f2f4",
    "when": "20190912131823Z",
    "duration": "0.112718",
    "kw": {
      "key": "domain-list",
      "sssd_domains": "",
      "trust_domains": ""
    }
  },
  {
    "source": "ipahealthcheck.ipa.trust",
    "check": "IPATrustCatalogCheck",
    "result": "SUCCESS",
    "uuid": "9d009dde-f85f-40b8-beb1-1b3453c7673c",
    "when": "20190912131823Z",
    "duration": "0.001014",
    "kw": {}
  },
  {
    "source": "ipahealthcheck.ipa.trust",
    "check": "IPAsidgenpluginCheck",
    "result": "SUCCESS",
    "uuid": "0f576a07-7f35-49e0-bd85-8390dad6c6dd",
    "when": "20190912131823Z",
    "duration": "0.000560",
    "kw": {
      "key": "IPA SIDGEN"
    }
  },
  {
    "source": "ipahealthcheck.ipa.trust",
    "check": "IPAsidgenpluginCheck",
    "result": "SUCCESS",
    "uuid": "626fb093-608b-4eee-8450-6f2418013297",
    "when": "20190912131823Z",
    "duration": "0.000932",
    "kw": {
      "key": "ipa-sidgen-task"
    }
  },
  {
    "source": "ipahealthcheck.ipa.trust",
    "check": "IPATrustAgentMemberCheck",
    "result": "SUCCESS",
    "uuid": "9c0fedc6-89af-4269-ac7f-fccbe2b35679",
    "when": "20190912131823Z",
    "duration": "0.000982",
    "kw": {
      "key": "master.rhel81.test"
    }
  },
  {
    "source": "ipahealthcheck.ipa.trust",
    "check": "IPATrustControllerPrincipalCheck",
    "result": "SUCCESS",
    "uuid": "9227d52e-e70a-41a5-8527-eae46c0e02c2",
    "when": "20190912131823Z",
    "duration": "0.000027",
    "kw": {}
  },
  {
    "source": "ipahealthcheck.ipa.trust",
    "check": "IPATrustControllerServiceCheck",
    "result": "SUCCESS",
    "uuid": "e0ed754b-2991-448b-8f52-c4dcd82acbf3",
    "when": "20190912131823Z",
    "duration": "0.000020",
    "kw": {}
  },
  {
    "source": "ipahealthcheck.ipa.trust",
    "check": "IPATrustControllerConfCheck",
    "result": "SUCCESS",
    "uuid": "0dc749a9-1be3-4913-a082-a35b8a976a46",
    "when": "20190912131823Z",
    "duration": "0.000021",
    "kw": {}
  },
  {
    "source": "ipahealthcheck.ipa.trust",
    "check": "IPATrustControllerGroupSIDCheck",
    "result": "SUCCESS",
    "uuid": "b4af3943-26e9-4a30-b8f6-2912518f5982",
    "when": "20190912131823Z",
    "duration": "0.000016",
    "kw": {}
  },
  {
    "source": "ipahealthcheck.ipa.trust",
    "check": "IPATrustPackageCheck",
    "result": "SUCCESS",
    "uuid": "959db9fd-8a0e-48bd-8717-2a0325020782",
    "when": "20190912131823Z",
    "duration": "0.000916",
    "kw": {
      "key": "adtrustpackage"
    }
  }
]

Note: The IPATrustDomainsCheck for "key": "domain-list" will report status as ERROR intermittently, as shown below. #bz1751691 has been raised for the same.

  {
    "source": "ipahealthcheck.ipa.trust",
    "check": "IPATrustDomainsCheck",
    "result": "ERROR",
    "uuid": "0b526516-258d-482d-9684-438a5a7d5250",
    "when": "20190912132349Z",
    "duration": "0.061075",
    "kw": {
      "key": "domain_list_error",
      "sssctl": "/usr/sbin/sssctl",
      "error": "",
      "msg": "Execution of {sssctl} failed: {error}"
    }
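A triage helper for output in the shape quoted in this comment, added here as an example and not part of ipa-healthcheck or the original comment. It assumes that the placeholders in "msg" are meant to be filled from the sibling "kw" keys, as the {sssctl} and {error} names in the ERROR entry suggest; the sample report is constructed and trimmed to two results.

```python
import json

# Constructed sample in the shape of the output quoted above (two results only).
SAMPLE = """
[
  {"source": "ipahealthcheck.ipa.trust", "check": "IPATrustAgentCheck",
   "result": "SUCCESS", "kw": {}},
  {"source": "ipahealthcheck.ipa.trust", "check": "IPATrustDomainsCheck",
   "result": "ERROR",
   "kw": {"key": "domain_list_error", "sssctl": "/usr/sbin/sssctl", "error": "",
          "msg": "Execution of {sssctl} failed: {error}"}}
]
"""


class _KeepUnknown(dict):
    """Leave placeholders with no matching kw key visible in the message."""
    def __missing__(self, key):
        return "{" + key + "}"


def render_msg(kw):
    """Fill the msg template from kw (assumed convention); fall back to raw text."""
    template = kw.get("msg", "")
    try:
        return template.format_map(_KeepUnknown(kw))
    except (ValueError, IndexError, KeyError, AttributeError):
        return template


def failures(report_text):
    """Return one summary dict per result that is not SUCCESS."""
    findings = []
    for result in json.loads(report_text):
        if result.get("result") == "SUCCESS":
            continue
        kw = result.get("kw", {})
        findings.append({
            "check": result.get("check"),
            "result": result.get("result"),
            "key": kw.get("key"),
            "message": render_msg(kw),
            # An empty "error" means the failure carried no diagnostic text.
            "empty_error": "error" in kw and not kw["error"],
        })
    return findings
```

The empty_error flag marks entries like the one above, where the check failed but captured no error text, so the cause has to be found in the sssd logs rather than in the report.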

Comment 7 errata-xmlrpc 2019-11-05 20:53:27 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:3348