Bug 1775199
| Summary: | IPATrustCatalogCheck displays msg: Look up of {key} {error} | |||
|---|---|---|---|---|
| Product: | Red Hat Enterprise Linux 8 | Reporter: | Sudhir Menon <sumenon> | |
| Component: | ipa-healthcheck | Assignee: | Rob Crittenden <rcritten> | |
| Status: | CLOSED ERRATA | QA Contact: | Michal Polovka <mpolovka> | |
| Severity: | low | Docs Contact: | ||
| Priority: | low | |||
| Version: | 8.1 | CC: | abokovoy, aboscatt, atikhono, bthekkep, dcamilof, ekeck, fcami, frenaud, grajaiya, lslebodn, mpolovka, myusuf, mzidek, nsuryawa, pbrezina, pkettman, rcritten, rjeffman, sbose, tscherf, vmishra | |
| Target Milestone: | rc | Keywords: | Triaged | |
| Target Release: | --- | Flags: | pm-rhel:
mirror+
|
|
| Hardware: | Unspecified | |||
| OS: | Unspecified | |||
| Whiteboard: | ||||
| Fixed In Version: | ipa-healthcheck-0.12-2.module+el8.9.0+18911+94941f82 | Doc Type: | No Doc Update | |
| Doc Text: | Story Points: | --- | ||
| Clone Of: | ||||
| : | 2188135 (view as bug list) | Environment: | ||
| Last Closed: | 2023-11-14 15:32:50 UTC | Type: | Bug | |
| Regression: | --- | Mount Type: | --- | |
| Documentation: | --- | CRM: | ||
| Verified Versions: | Category: | --- | ||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
| Cloudforms Team: | --- | Target Upstream Version: | ||
| Embargoed: | ||||
| Bug Depends On: | ||||
| Bug Blocks: | 2188135 | |||
This is server a trust agent or controller? Can you provide re-run ipa-healthcheck and provide the debug log? Rob, This is a trust-controller and there is intermittent behaviour seen here. Also impacted due to #bz1751691 Calling check <ipahealthcheck.ipa.trust.IPATrustCatalogCheck object at 0x7f4114fcaf98> raw: trust_find(None, version='2.233') trust_find(None, all=False, raw=False, version='2.233', pkey_only=False) Starting external process args=['/usr/sbin/sssctl', 'domain-status', 'win2k16.test', '--active-server'] Process finished, return code=0 stdout=Active servers: AD Global Catalog: winsync.win2k16.test AD Domain Controller: winsync.win2k16.test IPA: master.rhel81.test { "source": "ipahealthcheck.ipa.trust", "check": "IPATrustCatalogCheck", "result": "SUCCESS", "uuid": "69134c32-1d28-4947-987c-0ecef08e539d", "when": "20191209073131Z", "duration": "0.004775", "kw": { "key": "Domain Security Identifier", "sid": "S-1-5-21-720774695-2048269649-614676435" } }, { "source": "ipahealthcheck.ipa.trust", "check": "IPATrustCatalogCheck", "result": "ERROR", "uuid": "620d554c-3f29-4862-9281-466288c4d8e3", "when": "20191209073324Z", "duration": "0.094163", "kw": { "key": "domain-status", "error": "CalledProcessError(Command ['/usr/sbin/sssctl', 'domain-status', 'win2k16.test', '--active-server'] returned non-zero exit status 1: 'Unable to get online status\\n')", "msg": "Execution of {key} failed: {error}" Calling check <ipahealthcheck.ipa.trust.IPATrustDomainsCheck object at 0x7f8463a9bfd0> Starting external process args=['/usr/sbin/sssctl', 'domain-list'] Process finished, return code=1 stdout= stderr= Calling check <ipahealthcheck.ipa.trust.IPATrustCatalogCheck object at 0x7f8463b0f438> raw: trust_find(None, version='2.233') trust_find(None, all=False, raw=False, version='2.233', pkey_only=False) Starting external process args=['/usr/sbin/sssctl', 'domain-status', 'win2k16.test', '--active-server'] Process finished, return code=0 stdout=Active servers: AD Global Catalog: not connected AD Domain Controller: not connected IPA: master.rhel81.test [root@master ~]# sssctl domain-list implicit_files rhel81.test win2k16.test Re-assigning to sssd so they can take a look at why sssctl isn't finding the SID. Hi, in the original case 02633145 there are neither SSSD logs not the sssd.conf in the sos reports. In the second case the SSSD debug_level is too öow to see any details but there are various authentication errors in the logs so that I assume SSSD cannot connect to AD. Logs with a higher debug_level are needed to understand why authentication is failing. bye, Sumit The issue is when the trust uses an Active Directory trust range with POSIX attributes (ipa-ad-trust-posix). What this failing check does is test that the trust is online by looking up a user. It uses Administrator (SID + "-500") because it has a fixed value. Resolving the user this should populate the 'AD Global catalog' and 'AD Domain Controller' in the sssctl domain-status output so we can report on the status. Since the environment is using idrange-type ipa-ad-trust-posix the Administrator user has no UID and GID defined in AD (not the default, has to be added manually) hence not resolvable. So the check will be skipped for domains configured with ipa-ad-trust-posix. Hello Team. I've created a new KCS for this issue. https://access.redhat.com/solutions/6977745 Very Respectfully, Daniel C. Filho upstream 30471ebdc9fe5871c115ca06f78a415275a320e6 in tag 0.12. c8s MR merged, https://gitlab.com/redhat/centos-stream/rpms/ipa-healthcheck/-/merge_requests/17 The idm module needs to reflect the new branch naming convention, stream-idm-DL1-rhel-8.9.0. Pre-verified using automation from test_integration/test_ipahealthcheck.py::TestIpaHealthCheckWithADtrust::()::test_ipahealthcheck_trust_catalogcheck with ipa-healthcheck-0.12-2.module+el8.9.0+18911+94941f82.noarch Passed test_integration/test_ipahealthcheck.py::TestIpaHealthCheckWithADtrust::()::test_ipahealthcheck_trust_catalogcheck Full test log is an attachment of this BZ. Marking as verified: tested. Verified using automation available at test_ipahealthcheck.py::TestIpaHealthCheckWithADtrust::test_ipahealthcheck_trust_catalogcheck with ipa-healthcheck-0.12-2.module+el8.9.0+18911+94941f82.noarch Passed test_integration/test_ipahealthcheck.py::TestIpaHealthCheckWithADtrust::()::test_ipahealthcheck_trust_catalogcheck Full test run report is available as an attachment of this BZ. Marking as verified. Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (idm:client and idm:DL1 bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2023:6977 |
Description of problem: IPATrustCatalogCheck displays msg: Look up of {key} {error} Version-Release number of selected component (if applicable): ipa-server-4.8.0-11.module+el8.1.0+4247+9f3fd721.x86_64 ipa-healthcheck-0.3-4.module+el8.1.0+4098+f286395e.noarch How reproducible: Always Steps to Reproduce: 1. Install IPA server and establish trust with AD 2. Run the command #ipa-healthcheck --source ipahealthcheck.ipa.trust 3. Check the IPATrustCatalogCheck output. Actual results: [root@master ~]# ipa-healthcheck --source ipahealthcheck.ipa.trust [ { "source": "ipahealthcheck.ipa.trust", "check": "IPATrustAgentCheck", "result": "SUCCESS", "uuid": "a9260ce9-2d2f-47b7-9850-f98fe334c633", "when": "20191121135331Z", "duration": "0.065208", "kw": {} }, { "source": "ipahealthcheck.ipa.trust", "check": "IPATrustDomainsCheck", "result": "SUCCESS", "uuid": "4c23c517-ff95-457d-a9b6-5b3338f2025e", "when": "20191121135331Z", "duration": "0.216696", "kw": { "key": "domain-list", "sssd_domains": "win2k16.test", "trust_domains": "win2k16.test" } }, { "source": "ipahealthcheck.ipa.trust", "check": "IPATrustDomainsCheck", "result": "SUCCESS", "uuid": "42a2ab36-2016-415c-a324-c1fd3c4f10f8", "when": "20191121135331Z", "duration": "0.249556", "kw": { "key": "domain-status", "domain": "win2k16.test" } }, { "source": "ipahealthcheck.ipa.trust", "check": "IPATrustCatalogCheck", "result": "WARNING", "uuid": "5a974ae0-b3d8-4f6e-b642-6b49dabbd81d", "when": "20191121135331Z", "duration": "0.005240", "kw": { "key": "S-1-5-21-720774695-2048269649-614676435", "error": "returned nothing", "msg": "Look up of {key} {error}" } }, { "source": "ipahealthcheck.ipa.trust", "check": "IPATrustCatalogCheck", "result": "SUCCESS", "uuid": "a7c99991-7b6a-4412-8890-70f827b928c7", "when": "20191121135331Z", "duration": "0.049028", "kw": { "key": "AD Global Catalog", "domain": "win2k16.test" } }, { "source": "ipahealthcheck.ipa.trust", "check": "IPATrustCatalogCheck", "result": "SUCCESS", "uuid": "5fd7d270-4bc0-49b2-92de-0cf81cc7c343", "when": "20191121135331Z", "duration": "0.049066", "kw": { "key": "AD Domain Controller", "domain": "win2k16.test" } }, { "source": "ipahealthcheck.ipa.trust", "check": "IPAsidgenpluginCheck", "result": "SUCCESS", "uuid": "76a3fb31-360e-4e06-94f1-bdf123873d46", "when": "20191121135331Z", "duration": "0.001068", "kw": { "key": "IPA SIDGEN" } }, { "source": "ipahealthcheck.ipa.trust", "check": "IPAsidgenpluginCheck", "result": "SUCCESS", "uuid": "d05e8e4d-1466-4b89-a4ed-355007ed0649", "when": "20191121135331Z", "duration": "0.001447", "kw": { "key": "ipa-sidgen-task" } }, { "source": "ipahealthcheck.ipa.trust", "check": "IPATrustAgentMemberCheck", "result": "SUCCESS", "uuid": "a7e3bc7e-5d8d-4fc8-8175-064fee1a5bc6", "when": "20191121135331Z", "duration": "0.001125", "kw": { "key": "master.rhel81.test" } }, { "source": "ipahealthcheck.ipa.trust", "check": "IPATrustControllerPrincipalCheck", "result": "SUCCESS", "uuid": "c0f97127-fcdb-48f3-be85-42166caca717", "when": "20191121135331Z", "duration": "0.000465", "kw": { "key": "cifs/master.rhel81.test" } }, { "source": "ipahealthcheck.ipa.trust", "check": "IPATrustControllerServiceCheck", "result": "SUCCESS", "uuid": "73e66bba-9c72-480a-b079-d81c569f5c1b", "when": "20191121135331Z", "duration": "0.000442", "kw": { "key": "ADTRUST" } }, { "source": "ipahealthcheck.ipa.trust", "check": "IPATrustControllerConfCheck", "result": "SUCCESS", "uuid": "aa5f115e-7d61-4861-a4a4-825798f6c125", "when": "20191121135331Z", "duration": "0.061139", "kw": { "key": "net conf list" } }, { "source": "ipahealthcheck.ipa.trust", "check": "IPATrustControllerGroupSIDCheck", "result": "SUCCESS", "uuid": "a059d062-d23d-41bb-9a05-110b3a07c798", "when": "20191121135331Z", "duration": "0.000714", "kw": { "rid": "S-1-5-21-3710514944-151342278-2953701344-512", "key": "ipantsecurityidentifier" } }, { "source": "ipahealthcheck.ipa.trust", "check": "IPATrustPackageCheck", "result": "SUCCESS", "uuid": "025bb8ce-43d4-4db3-b5bb-1203807dd4bf", "when": "20191121135331Z", "duration": "0.000030", "kw": {} } ] Expected results: Fix the look up key error. Additional info: