1775199 – IPATrustCatalogCheck displays msg: Look up of {key} {error}

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1775199 - IPATrustCatalogCheck displays msg: Look up of {key} {error}

Summary: IPATrustCatalogCheck displays msg: Look up of {key} {error}

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 8
Classification:	Red Hat
Component:	ipa-healthcheck
Sub Component:
Version:	8.1
Hardware:	Unspecified
OS:	Unspecified
Priority:	low
Severity:	low
Target Milestone:	rc
Target Release:	---
Assignee:	Rob Crittenden
QA Contact:	Michal Polovka
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	2188135
TreeView+	depends on / blocked

Reported:	2019-11-21 14:46 UTC by Sudhir Menon
Modified:	2023-11-14 16:50 UTC (History)
CC List:	21 users (show)
Fixed In Version:	ipa-healthcheck-0.12-2.module+el8.9.0+18911+94941f82
Doc Type:	No Doc Update
Doc Text:
Clone Of:
Clones:	2188135 (view as bug list)
Environment:
Last Closed:	2023-11-14 15:32:50 UTC
Type:	Bug
Target Upstream Version:
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
Red Hat Issue Tracker	FREEIPA-7036	None	None	None	2022-03-24 14:09:22 UTC
Red Hat Knowledge Base (Solution)	6977745	None	None	None	2022-12-01 14:58:35 UTC
Red Hat Product Errata	RHBA-2023:6977	None	None	None	2023-11-14 15:33:36 UTC

Description Sudhir Menon 2019-11-21 14:46:28 UTC

Description of problem: IPATrustCatalogCheck displays msg: Look up of {key} {error} 

Version-Release number of selected component (if applicable):
ipa-server-4.8.0-11.module+el8.1.0+4247+9f3fd721.x86_64
ipa-healthcheck-0.3-4.module+el8.1.0+4098+f286395e.noarch

How reproducible: Always

Steps to Reproduce:
1. Install IPA server and establish trust with AD
2. Run the command 
#ipa-healthcheck --source ipahealthcheck.ipa.trust
3. Check the IPATrustCatalogCheck output.

Actual results: 
[root@master ~]# ipa-healthcheck --source ipahealthcheck.ipa.trust
[
  {
    "source": "ipahealthcheck.ipa.trust",
    "check": "IPATrustAgentCheck",
    "result": "SUCCESS",
    "uuid": "a9260ce9-2d2f-47b7-9850-f98fe334c633",
    "when": "20191121135331Z",
    "duration": "0.065208",
    "kw": {}
  },
  {
    "source": "ipahealthcheck.ipa.trust",
    "check": "IPATrustDomainsCheck",
    "result": "SUCCESS",
    "uuid": "4c23c517-ff95-457d-a9b6-5b3338f2025e",
    "when": "20191121135331Z",
    "duration": "0.216696",
    "kw": {
      "key": "domain-list",
      "sssd_domains": "win2k16.test",
      "trust_domains": "win2k16.test"
    }
  },
  {
    "source": "ipahealthcheck.ipa.trust",
    "check": "IPATrustDomainsCheck",
    "result": "SUCCESS",
    "uuid": "42a2ab36-2016-415c-a324-c1fd3c4f10f8",
    "when": "20191121135331Z",
    "duration": "0.249556",
    "kw": {
      "key": "domain-status",
      "domain": "win2k16.test"
    }
  },
  {
    "source": "ipahealthcheck.ipa.trust",
    "check": "IPATrustCatalogCheck",
    "result": "WARNING",
    "uuid": "5a974ae0-b3d8-4f6e-b642-6b49dabbd81d",
    "when": "20191121135331Z",
    "duration": "0.005240",
    "kw": {
      "key": "S-1-5-21-720774695-2048269649-614676435",
      "error": "returned nothing",
      "msg": "Look up of {key} {error}"
    }
  },
  {
    "source": "ipahealthcheck.ipa.trust",
    "check": "IPATrustCatalogCheck",
    "result": "SUCCESS",
    "uuid": "a7c99991-7b6a-4412-8890-70f827b928c7",
    "when": "20191121135331Z",
    "duration": "0.049028",
    "kw": {
      "key": "AD Global Catalog",
      "domain": "win2k16.test"
    }
  },
  {
    "source": "ipahealthcheck.ipa.trust",
    "check": "IPATrustCatalogCheck",
    "result": "SUCCESS",
    "uuid": "5fd7d270-4bc0-49b2-92de-0cf81cc7c343",
    "when": "20191121135331Z",
    "duration": "0.049066",
    "kw": {
      "key": "AD Domain Controller",
      "domain": "win2k16.test"
    }
  },
  {
    "source": "ipahealthcheck.ipa.trust",
    "check": "IPAsidgenpluginCheck",
    "result": "SUCCESS",
    "uuid": "76a3fb31-360e-4e06-94f1-bdf123873d46",
    "when": "20191121135331Z",
    "duration": "0.001068",
    "kw": {
      "key": "IPA SIDGEN"
    }
  },
  {
    "source": "ipahealthcheck.ipa.trust",
    "check": "IPAsidgenpluginCheck",
    "result": "SUCCESS",
    "uuid": "d05e8e4d-1466-4b89-a4ed-355007ed0649",
    "when": "20191121135331Z",
    "duration": "0.001447",
    "kw": {
      "key": "ipa-sidgen-task"
    }
  },
  {
    "source": "ipahealthcheck.ipa.trust",
    "check": "IPATrustAgentMemberCheck",
    "result": "SUCCESS",
    "uuid": "a7e3bc7e-5d8d-4fc8-8175-064fee1a5bc6",
    "when": "20191121135331Z",
    "duration": "0.001125",
    "kw": {
      "key": "master.rhel81.test"
    }
  },
  {
    "source": "ipahealthcheck.ipa.trust",
    "check": "IPATrustControllerPrincipalCheck",
    "result": "SUCCESS",
    "uuid": "c0f97127-fcdb-48f3-be85-42166caca717",
    "when": "20191121135331Z",
    "duration": "0.000465",
    "kw": {
      "key": "cifs/master.rhel81.test"
    }
  },
  {
    "source": "ipahealthcheck.ipa.trust",
    "check": "IPATrustControllerServiceCheck",
    "result": "SUCCESS",
    "uuid": "73e66bba-9c72-480a-b079-d81c569f5c1b",
    "when": "20191121135331Z",
    "duration": "0.000442",
    "kw": {
      "key": "ADTRUST"
    }
  },
  {
    "source": "ipahealthcheck.ipa.trust",
    "check": "IPATrustControllerConfCheck",
    "result": "SUCCESS",
    "uuid": "aa5f115e-7d61-4861-a4a4-825798f6c125",
    "when": "20191121135331Z",
    "duration": "0.061139",
    "kw": {
      "key": "net conf list"
    }
  },
  {
    "source": "ipahealthcheck.ipa.trust",
    "check": "IPATrustControllerGroupSIDCheck",
    "result": "SUCCESS",
    "uuid": "a059d062-d23d-41bb-9a05-110b3a07c798",
    "when": "20191121135331Z",
    "duration": "0.000714",
    "kw": {
      "rid": "S-1-5-21-3710514944-151342278-2953701344-512",
      "key": "ipantsecurityidentifier"
    }
  },
  {
    "source": "ipahealthcheck.ipa.trust",
    "check": "IPATrustPackageCheck",
    "result": "SUCCESS",
    "uuid": "025bb8ce-43d4-4db3-b5bb-1203807dd4bf",
    "when": "20191121135331Z",
    "duration": "0.000030",
    "kw": {}
  }
]

Expected results: Fix the look up key error.

Additional info:

Comment 3 Rob Crittenden 2019-12-06 19:50:19 UTC

This is server a trust agent or controller? Can you provide re-run ipa-healthcheck and provide the debug log?

Comment 4 Sudhir Menon 2019-12-09 08:27:21 UTC

Rob, 
This is a trust-controller and there is intermittent behaviour seen here.
Also impacted due to #bz1751691

Calling check <ipahealthcheck.ipa.trust.IPATrustCatalogCheck object at 0x7f4114fcaf98>
raw: trust_find(None, version='2.233')
trust_find(None, all=False, raw=False, version='2.233', pkey_only=False)
Starting external process
args=['/usr/sbin/sssctl', 'domain-status', 'win2k16.test', '--active-server']
Process finished, return code=0
stdout=Active servers:
AD Global Catalog: winsync.win2k16.test
AD Domain Controller: winsync.win2k16.test
IPA: master.rhel81.test


  {
    "source": "ipahealthcheck.ipa.trust",
    "check": "IPATrustCatalogCheck",
    "result": "SUCCESS",
    "uuid": "69134c32-1d28-4947-987c-0ecef08e539d",
    "when": "20191209073131Z",
    "duration": "0.004775",
    "kw": {
      "key": "Domain Security Identifier",
      "sid": "S-1-5-21-720774695-2048269649-614676435"
    }
  },


  {
    "source": "ipahealthcheck.ipa.trust",
    "check": "IPATrustCatalogCheck",
    "result": "ERROR",
    "uuid": "620d554c-3f29-4862-9281-466288c4d8e3",
    "when": "20191209073324Z",
    "duration": "0.094163",
    "kw": {
      "key": "domain-status",
      "error": "CalledProcessError(Command ['/usr/sbin/sssctl', 'domain-status', 'win2k16.test', '--active-server'] returned non-zero exit status 1: 'Unable to get online status\\n')",
      "msg": "Execution of {key} failed: {error}"


Calling check <ipahealthcheck.ipa.trust.IPATrustDomainsCheck object at 0x7f8463a9bfd0>
Starting external process
args=['/usr/sbin/sssctl', 'domain-list']
Process finished, return code=1
stdout=
stderr=
Calling check <ipahealthcheck.ipa.trust.IPATrustCatalogCheck object at 0x7f8463b0f438>
raw: trust_find(None, version='2.233')
trust_find(None, all=False, raw=False, version='2.233', pkey_only=False)
Starting external process
args=['/usr/sbin/sssctl', 'domain-status', 'win2k16.test', '--active-server']
Process finished, return code=0
stdout=Active servers:
AD Global Catalog: not connected
AD Domain Controller: not connected
IPA: master.rhel81.test


[root@master ~]# sssctl domain-list
implicit_files
rhel81.test
win2k16.test

Comment 12 Rob Crittenden 2021-11-02 14:56:47 UTC

Re-assigning to sssd so they can take a look at why sssctl isn't finding the SID.

Comment 13 Sumit Bose 2021-11-03 07:41:12 UTC

Hi,

in the original case 02633145 there are neither SSSD logs not the sssd.conf in the sos reports. In the second case the SSSD debug_level is too öow to see any details but there are various authentication errors in the logs so that I assume SSSD cannot connect to AD. Logs with a higher debug_level are needed to understand why authentication is failing.

bye,
Sumit

Comment 24 Rob Crittenden 2022-06-14 19:22:15 UTC

The issue is when the trust uses an Active Directory trust range with POSIX attributes (ipa-ad-trust-posix).

What this failing check does is test that the trust is online by looking up a user. It uses Administrator (SID + "-500") because it has a fixed value. Resolving the user this should populate the 'AD Global catalog' and 'AD Domain Controller' in the sssctl domain-status output so we can report on the status.

Since the environment is using idrange-type ipa-ad-trust-posix the Administrator user has no UID and GID defined in AD (not the default, has to be added manually) hence not resolvable.

So the check will be skipped for domains configured with ipa-ad-trust-posix.

Comment 27 Daniel Filho 2022-09-28 20:19:49 UTC

Hello Team.

I've created a new KCS for this issue.

https://access.redhat.com/solutions/6977745

Very Respectfully,
Daniel C. Filho

Comment 29 Rob Crittenden 2023-04-19 02:22:33 UTC

upstream 30471ebdc9fe5871c115ca06f78a415275a320e6 in tag 0.12.

Comment 31 Rob Crittenden 2023-05-03 15:15:41 UTC

c8s MR merged, https://gitlab.com/redhat/centos-stream/rpms/ipa-healthcheck/-/merge_requests/17

The idm module needs to reflect the new branch naming convention, stream-idm-DL1-rhel-8.9.0.

Comment 38 Michal Polovka 2023-06-07 13:10:17 UTC

Pre-verified using automation from test_integration/test_ipahealthcheck.py::TestIpaHealthCheckWithADtrust::()::test_ipahealthcheck_trust_catalogcheck with ipa-healthcheck-0.12-2.module+el8.9.0+18911+94941f82.noarch

Passed 	test_integration/test_ipahealthcheck.py::TestIpaHealthCheckWithADtrust::()::test_ipahealthcheck_trust_catalogcheck 	

Full test log is an attachment of this BZ. Marking as verified: tested.

Comment 42 Michal Polovka 2023-06-08 08:30:46 UTC

Verified using automation available at test_ipahealthcheck.py::TestIpaHealthCheckWithADtrust::test_ipahealthcheck_trust_catalogcheck with ipa-healthcheck-0.12-2.module+el8.9.0+18911+94941f82.noarch

Passed 	test_integration/test_ipahealthcheck.py::TestIpaHealthCheckWithADtrust::()::test_ipahealthcheck_trust_catalogcheck

Full test run report is available as an attachment of this BZ. Marking as verified.

Comment 46 errata-xmlrpc 2023-11-14 15:32:50 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (idm:client and idm:DL1 bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:6977

Note You need to log in before you can comment on or make changes to this bug.

abokovoy
aboscatt
atikhono
bthekkep
dcamilof
ekeck
fcami
frenaud
grajaiya
lslebodn
mpolovka
myusuf
mzidek
nsuryawa
pbrezina
pkettman
rcritten
rjeffman
sbose
tscherf
vmishra