Description of problem:
IPATrustCatalogCheck displays msg: Look up of {key} {error}

Version-Release number of selected component (if applicable):
ipa-server-4.8.0-11.module+el8.1.0+4247+9f3fd721.x86_64
ipa-healthcheck-0.3-4.module+el8.1.0+4098+f286395e.noarch

How reproducible:
Always

Steps to Reproduce:
1. Install IPA server and establish trust with AD
2. Run the command #ipa-healthcheck --source ipahealthcheck.ipa.trust
3. Check the IPATrustCatalogCheck output.

Actual results:
[root@master ~]# ipa-healthcheck --source ipahealthcheck.ipa.trust
[
  {
    "source": "ipahealthcheck.ipa.trust",
    "check": "IPATrustAgentCheck",
    "result": "SUCCESS",
    "uuid": "a9260ce9-2d2f-47b7-9850-f98fe334c633",
    "when": "20191121135331Z",
    "duration": "0.065208",
    "kw": {}
  },
  {
    "source": "ipahealthcheck.ipa.trust",
    "check": "IPATrustDomainsCheck",
    "result": "SUCCESS",
    "uuid": "4c23c517-ff95-457d-a9b6-5b3338f2025e",
    "when": "20191121135331Z",
    "duration": "0.216696",
    "kw": {
      "key": "domain-list",
      "sssd_domains": "win2k16.test",
      "trust_domains": "win2k16.test"
    }
  },
  {
    "source": "ipahealthcheck.ipa.trust",
    "check": "IPATrustDomainsCheck",
    "result": "SUCCESS",
    "uuid": "42a2ab36-2016-415c-a324-c1fd3c4f10f8",
    "when": "20191121135331Z",
    "duration": "0.249556",
    "kw": {
      "key": "domain-status",
      "domain": "win2k16.test"
    }
  },
  {
    "source": "ipahealthcheck.ipa.trust",
    "check": "IPATrustCatalogCheck",
    "result": "WARNING",
    "uuid": "5a974ae0-b3d8-4f6e-b642-6b49dabbd81d",
    "when": "20191121135331Z",
    "duration": "0.005240",
    "kw": {
      "key": "S-1-5-21-720774695-2048269649-614676435",
      "error": "returned nothing",
      "msg": "Look up of {key} {error}"
    }
  },
  {
    "source": "ipahealthcheck.ipa.trust",
    "check": "IPATrustCatalogCheck",
    "result": "SUCCESS",
    "uuid": "a7c99991-7b6a-4412-8890-70f827b928c7",
    "when": "20191121135331Z",
    "duration": "0.049028",
    "kw": {
      "key": "AD Global Catalog",
      "domain": "win2k16.test"
    }
  },
  {
    "source": "ipahealthcheck.ipa.trust",
    "check": "IPATrustCatalogCheck",
    "result": "SUCCESS",
    "uuid": "5fd7d270-4bc0-49b2-92de-0cf81cc7c343",
    "when": "20191121135331Z",
    "duration": "0.049066",
    "kw": {
      "key": "AD Domain Controller",
      "domain": "win2k16.test"
    }
  },
  {
    "source": "ipahealthcheck.ipa.trust",
    "check": "IPAsidgenpluginCheck",
    "result": "SUCCESS",
    "uuid": "76a3fb31-360e-4e06-94f1-bdf123873d46",
    "when": "20191121135331Z",
    "duration": "0.001068",
    "kw": {
      "key": "IPA SIDGEN"
    }
  },
  {
    "source": "ipahealthcheck.ipa.trust",
    "check": "IPAsidgenpluginCheck",
    "result": "SUCCESS",
    "uuid": "d05e8e4d-1466-4b89-a4ed-355007ed0649",
    "when": "20191121135331Z",
    "duration": "0.001447",
    "kw": {
      "key": "ipa-sidgen-task"
    }
  },
  {
    "source": "ipahealthcheck.ipa.trust",
    "check": "IPATrustAgentMemberCheck",
    "result": "SUCCESS",
    "uuid": "a7e3bc7e-5d8d-4fc8-8175-064fee1a5bc6",
    "when": "20191121135331Z",
    "duration": "0.001125",
    "kw": {
      "key": "master.rhel81.test"
    }
  },
  {
    "source": "ipahealthcheck.ipa.trust",
    "check": "IPATrustControllerPrincipalCheck",
    "result": "SUCCESS",
    "uuid": "c0f97127-fcdb-48f3-be85-42166caca717",
    "when": "20191121135331Z",
    "duration": "0.000465",
    "kw": {
      "key": "cifs/master.rhel81.test"
    }
  },
  {
    "source": "ipahealthcheck.ipa.trust",
    "check": "IPATrustControllerServiceCheck",
    "result": "SUCCESS",
    "uuid": "73e66bba-9c72-480a-b079-d81c569f5c1b",
    "when": "20191121135331Z",
    "duration": "0.000442",
    "kw": {
      "key": "ADTRUST"
    }
  },
  {
    "source": "ipahealthcheck.ipa.trust",
    "check": "IPATrustControllerConfCheck",
    "result": "SUCCESS",
    "uuid": "aa5f115e-7d61-4861-a4a4-825798f6c125",
    "when": "20191121135331Z",
    "duration": "0.061139",
    "kw": {
      "key": "net conf list"
    }
  },
  {
    "source": "ipahealthcheck.ipa.trust",
    "check": "IPATrustControllerGroupSIDCheck",
    "result": "SUCCESS",
    "uuid": "a059d062-d23d-41bb-9a05-110b3a07c798",
    "when": "20191121135331Z",
    "duration": "0.000714",
    "kw": {
      "rid": "S-1-5-21-3710514944-151342278-2953701344-512",
      "key": "ipantsecurityidentifier"
    }
  },
  {
    "source": "ipahealthcheck.ipa.trust",
    "check": "IPATrustPackageCheck",
    "result": "SUCCESS",
    "uuid": "025bb8ce-43d4-4db3-b5bb-1203807dd4bf",
    "when": "20191121135331Z",
    "duration": "0.000030",
    "kw": {}
  }
]

Expected results:
Fix the look up key error.

Additional info:

Is this server a trust agent or controller? Can you re-run ipa-healthcheck and provide the debug log?

Rob,

This is a trust-controller and there is intermittent behaviour seen here. Also impacted due to #bz1751691

Calling check <ipahealthcheck.ipa.trust.IPATrustCatalogCheck object at 0x7f4114fcaf98>
raw: trust_find(None, version='2.233')
trust_find(None, all=False, raw=False, version='2.233', pkey_only=False)
Starting external process
args=['/usr/sbin/sssctl', 'domain-status', 'win2k16.test', '--active-server']
Process finished, return code=0
stdout=Active servers:
AD Global Catalog: winsync.win2k16.test
AD Domain Controller: winsync.win2k16.test
IPA: master.rhel81.test

  {
    "source": "ipahealthcheck.ipa.trust",
    "check": "IPATrustCatalogCheck",
    "result": "SUCCESS",
    "uuid": "69134c32-1d28-4947-987c-0ecef08e539d",
    "when": "20191209073131Z",
    "duration": "0.004775",
    "kw": {
      "key": "Domain Security Identifier",
      "sid": "S-1-5-21-720774695-2048269649-614676435"
    }
  },

  {
    "source": "ipahealthcheck.ipa.trust",
    "check": "IPATrustCatalogCheck",
    "result": "ERROR",
    "uuid": "620d554c-3f29-4862-9281-466288c4d8e3",
    "when": "20191209073324Z",
    "duration": "0.094163",
    "kw": {
      "key": "domain-status",
      "error": "CalledProcessError(Command ['/usr/sbin/sssctl', 'domain-status', 'win2k16.test', '--active-server'] returned non-zero exit status 1: 'Unable to get online status\\n')",
      "msg": "Execution of {key} failed: {error}"

Calling check <ipahealthcheck.ipa.trust.IPATrustDomainsCheck object at 0x7f8463a9bfd0>
Starting external process
args=['/usr/sbin/sssctl', 'domain-list']
Process finished, return code=1
stdout=
stderr=

Calling check <ipahealthcheck.ipa.trust.IPATrustCatalogCheck object at 0x7f8463b0f438>
raw: trust_find(None, version='2.233')
trust_find(None, all=False, raw=False, version='2.233', pkey_only=False)
Starting external process
args=['/usr/sbin/sssctl', 'domain-status', 'win2k16.test', '--active-server']
Process finished, return code=0
stdout=Active servers:
AD Global Catalog: not connected
AD Domain Controller: not connected
IPA: master.rhel81.test

[root@master ~]# sssctl domain-list
implicit_files
rhel81.test
win2k16.test

Re-assigning to sssd so they can take a look at why sssctl isn't finding the SID.
Hi,

in the original case 02633145 there are neither SSSD logs nor the sssd.conf in the sos reports. In the second case the SSSD debug_level is too low to see any details, but there are various authentication errors in the logs so that I assume SSSD cannot connect to AD. Logs with a higher debug_level are needed to understand why authentication is failing.

bye,
Sumit

The issue is when the trust uses an Active Directory trust range with POSIX attributes (ipa-ad-trust-posix).

What this failing check does is test that the trust is online by looking up a user. It uses Administrator (SID + "-500") because it has a fixed value. Resolving the user should populate the 'AD Global catalog' and 'AD Domain Controller' in the sssctl domain-status output so we can report on the status.

Since the environment is using idrange-type ipa-ad-trust-posix, the Administrator user has no UID and GID defined in AD (not the default, has to be added manually), hence it is not resolvable.

So the check will be skipped for domains configured with ipa-ad-trust-posix.
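
The logic described in the comment above, as an added Python example that is not ipa-healthcheck's own code: it builds the Administrator SID, skips domains whose range type is ipa-ad-trust-posix, reads the `sssctl domain-status --active-server` output, and fills in a result's `msg` template. The function names, the injected `resolve` and `run_sssctl` callables, the "SKIPPED" marker, the WARNING level for an unconnected server, and the sample SID and host names are assumptions of this example.

```python
import re

POSIX_RANGE = "ipa-ad-trust-posix"  # range type named in the comment above
WATCHED = ("AD Global Catalog", "AD Domain Controller")

def admin_sid(domain_sid):
    """Built-in Administrator: the domain SID followed by the fixed RID 500."""
    if not re.fullmatch(r"S-1-5-21(-\d+){3}", domain_sid):
        raise ValueError(f"not a domain SID: {domain_sid!r}")
    return domain_sid + "-500"

def parse_active_servers(stdout):
    """Map 'AD Global Catalog' etc. to the server sssctl reports for it."""
    servers = {}
    for line in stdout.splitlines():
        name, sep, value = line.partition(":")
        if sep and value.strip():  # drops the bare 'Active servers:' header
            servers[name.strip()] = value.strip()
    return servers

def catalog_check(domain, domain_sid, range_type, resolve, run_sssctl):
    """Return (result, kw) pairs; resolve and run_sssctl are injected stand-ins."""
    if range_type == POSIX_RANGE:
        # Administrator has no UID/GID in AD unless added by hand, so the
        # lookup cannot succeed; "SKIPPED" is this example's own marker.
        return [("SKIPPED", {"key": domain, "range_type": range_type})]
    results = []
    sid = admin_sid(domain_sid)
    if resolve(sid) is None:
        results.append(("WARNING", {"key": sid, "error": "returned nothing",
                                    "msg": "Look up of {key} {error}"}))
    servers = parse_active_servers(run_sssctl(domain))
    for key in WATCHED:
        up = servers.get(key, "not connected") != "not connected"
        # Assumption: an unconnected server is reported as a WARNING here.
        results.append(("SUCCESS" if up else "WARNING",
                        {"key": key, "domain": domain}))
    return results

def render(kw):
    """Fill a result's msg template from the other values in its kw."""
    return kw.get("msg", "").format(**kw)

# Constructed sample data; the sssctl text follows the shape shown in the log.
SID = "S-1-5-21-1111111111-2222222222-3333333333"
ONLINE = ("Active servers:\nAD Global Catalog: dc1.ad.example\n"
          "AD Domain Controller: dc1.ad.example\nIPA: ipa1.ipa.example\n")
OFFLINE = ("Active servers:\nAD Global Catalog: not connected\n"
           "AD Domain Controller: not connected\nIPA: ipa1.ipa.example\n")
```
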
Hello Team. I've created a new KCS for this issue. https://access.redhat.com/solutions/6977745 Very Respectfully, Daniel C. Filho
upstream 30471ebdc9fe5871c115ca06f78a415275a320e6 in tag 0.12.
c8s MR merged, https://gitlab.com/redhat/centos-stream/rpms/ipa-healthcheck/-/merge_requests/17 The idm module needs to reflect the new branch naming convention, stream-idm-DL1-rhel-8.9.0.
Pre-verified using automation from test_integration/test_ipahealthcheck.py::TestIpaHealthCheckWithADtrust::()::test_ipahealthcheck_trust_catalogcheck with ipa-healthcheck-0.12-2.module+el8.9.0+18911+94941f82.noarch Passed test_integration/test_ipahealthcheck.py::TestIpaHealthCheckWithADtrust::()::test_ipahealthcheck_trust_catalogcheck Full test log is an attachment of this BZ. Marking as verified: tested.
Verified using automation available at test_ipahealthcheck.py::TestIpaHealthCheckWithADtrust::test_ipahealthcheck_trust_catalogcheck with ipa-healthcheck-0.12-2.module+el8.9.0+18911+94941f82.noarch Passed test_integration/test_ipahealthcheck.py::TestIpaHealthCheckWithADtrust::()::test_ipahealthcheck_trust_catalogcheck Full test run report is available as an attachment of this BZ. Marking as verified.