I'd like to introduce a new tool for an IPA administrator's tool kit we're working on, currently in a beta state and shipping in Fedora 29+.
ipa-healthcheck is a proactive tool for identifying current, potential and future issues within an IPA installation.
It executes a series of checks in the areas of certificates, AD trust, replication and the filesystem (and a few others). These checks can return a success, warning or error. Any check executed will return a value, the idea being if something with the check blows up and causes it to not execute you'd otherwise not know and would have a false sense of security.
A systemd timer is configured which will execute this on a nightly basis, dumping the output in JSON format in /var/log/ipa/healthcheck/.
It can also be executed from the command-line as root and requires an admin Kerberos ticket. From the command-line it is probably most useful to use the --failures-only option in order to suppress the SUCCESS messages: no news is good news in this case.
It currently only works with IPA 4.7.2+. Will we backport to 4.6? I don't know yet.
I'd appreciate any feedback on whether it:
- is helpful
- works
- doesn't report false positives
- is usable: a lot of the output is what I think would be useful but we won't know until applied in the real world
- does what you need. We can add more checks so if you have ideas please let us know
Note that there are a few things we run that just produce output that needs to be analyzed separately. DNA range checking is an example. It is perfectly fine to not have a DNA range assigned on all masters but you'd want to know if you had none defined on all masters.
thanks
rob
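One way to triage a run's JSON output, added here as an example (it is not part of the original post and not ipa-healthcheck's own code). It assumes the full output rather than --failures-only, that severity 0 means SUCCESS, and the record fields visible in the failure quoted later in this thread; `triage` and `summarize` are hypothetical names.

```python
import json
from datetime import datetime, timedelta, timezone

SUCCESS = 0  # assumption: 0 is SUCCESS; every other severity is reported
REQUIRED = ("source", "check", "severity", "when")

# One run's output. The IPAHostKeytab record is the one quoted in this thread;
# the other two records are constructed for illustration.
SAMPLE_RUN = json.dumps([
    {"source": "ipahealthcheck.meta.core", "check": "MetaCheck", "severity": 0,
     "uuid": "00000000-0000-0000-0000-000000000001", "when": "20190614174441Z",
     "duration": "0.020000", "kw": {}},
    {"source": "ipahealthcheck.system.filesystemspace",
     "check": "FileSystemSpaceCheck", "severity": 1,
     "uuid": "00000000-0000-0000-0000-000000000002", "when": "20190614174441Z",
     "duration": "0.001000", "kw": {"msg": "constructed warning message"}},
    {"source": "ipahealthcheck.ipa.host", "check": "IPAHostKeytab", "severity": 2,
     "uuid": "496bf36b-b455-45aa-b4fe-fb0ba7463f7a", "when": "20190614174442Z",
     "duration": "0.010664",
     "kw": {"msg": "Failed to obtain host TGT: Major (851968): Unspecified GSS "
                   "failure. Minor code may provide more information, Minor "
                   "(2529639122): Pre-authentication failed: Invalid argument"}},
])


def parse_when(stamp):
    """Parse the 'when' timestamp format shown in the thread (UTC)."""
    return datetime.strptime(stamp, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def triage(raw, now, max_age=timedelta(hours=26)):
    """Split one run into failures and reasons the run itself cannot be trusted.

    Every executed check returns a value, so in the full output a missing,
    empty or stale result set means the checks did not run, not that all is well.
    """
    report = {"failures": [], "untrusted": []}
    try:
        results = json.loads(raw)
    except ValueError as exc:
        report["untrusted"].append(f"output is not valid JSON: {exc}")
        return report
    if not isinstance(results, list) or not results:
        report["untrusted"].append("no check results: an empty run is not a clean run")
        return report

    newest = None
    for rec in results:
        missing = [k for k in REQUIRED if not isinstance(rec, dict) or k not in rec]
        if missing:
            report["untrusted"].append(f"malformed record, missing {missing}")
            continue
        if not isinstance(rec["severity"], int):
            report["untrusted"].append(f"{rec['check']}: non-numeric severity")
            continue
        try:
            when = parse_when(rec["when"])
        except (TypeError, ValueError):
            report["untrusted"].append(f"{rec['check']}: bad timestamp {rec['when']!r}")
            continue
        if newest is None or when > newest:
            newest = when
        if rec["severity"] != SUCCESS:
            report["failures"].append(rec)

    # A nightly timer that silently stopped leaves old results behind.
    if newest is None or now - newest > max_age:
        report["untrusted"].append(f"stale results: newest check ran at {newest}")
    report["failures"].sort(key=lambda r: r["severity"], reverse=True)
    return report


def summarize(report):
    """Render a report as one line per finding, worst severity first."""
    lines = [f"UNTRUSTED RUN: {reason}" for reason in report["untrusted"]]
    for rec in report["failures"]:
        msg = (rec.get("kw") or {}).get("msg", "")
        lines.append(
            f"severity={rec['severity']} {rec['source']}.{rec['check']}: {msg}")
    return lines


if __name__ == "__main__":
    run_time = datetime(2019, 6, 14, 18, 0, tzinfo=timezone.utc)
    for line in summarize(triage(SAMPLE_RUN, run_time)):
        print(line)
```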
Sounds great! Where do we find this tool? In an upcoming release or as a stand-alone package?
John
On 14 Jun 2019, at 16:29, Rob Crittenden via FreeIPA-users freeipa-users@lists.fedorahosted.org wrote:
John Keates via FreeIPA-users wrote:
Sounds great! Where do we find this tool? In an upcoming release or as a stand-alone package?
It's a standalone package, freeipa-healthcheck.
rob
Hello Rob,
for me it is not working. I installed the freeipa-healthcheck-0.2-3.fc31.noarch on a Fedora release 31 (Rawhide) and have on the VM the following packages installed:
freeipa-server-4.7.90.pre1-6.fc31.x86_6 and krb5-server-1.17-30.fc31.x86_64 krb5-workstation-1.17-30.fc31.x86_64
But after getting a TGT something is wrong:
ipa-healthcheck --failures-only --debug
...
raw: server_find('', sizelimit=0, version='2.231', no_members=False)
server_find(None, sizelimit=0, all=False, raw=False, version='2.231', no_members=False, pkey_only=False)
raw: topologysuffix_find(None, all=True, raw=True, version='2.231')
topologysuffix_find(None, all=True, raw=True, version='2.231', pkey_only=False)
raw: server_role_find(None, server_server='ipaserver.linux.fritz.box', status='enabled', include_master=True, version='2.231')
server_role_find(None, server_server='ipaserver.linux.fritz.box', status='enabled', include_master=True, all=False, raw=False, version='2.231')
raw: topologysegment_find('ca', None, sizelimit=0, version='2.231')
topologysegment_find('ca', None, sizelimit=0, all=False, raw=False, version='2.231', pkey_only=False)
Calling check <ipahealthcheck.ipa.trust.IPATrustAgentCheck object at 0x7f44008562b0>
Not a trust agent, skipping
Calling check <ipahealthcheck.ipa.trust.IPATrustDomainsCheck object at 0x7f44008264a8>
Not a trust agent, skipping
Calling check <ipahealthcheck.ipa.trust.IPATrustCatalogCheck object at 0x7f4400831780>
Not a trust agent, skipping
Calling check <ipahealthcheck.ipa.trust.IPAsidgenpluginCheck object at 0x7f44008260f0>
Not a trust agent, skipping
Calling check <ipahealthcheck.ipa.trust.IPATrustAgentMemberCheck object at 0x7f4400846e80>
Not a trust agent, skipping
Calling check <ipahealthcheck.ipa.trust.IPATrustControllerPrincipalCheck object at 0x7f44007d96d8>
Not a trust controller, skipping
Calling check <ipahealthcheck.ipa.trust.IPATrustControllerServiceCheck object at 0x7f4400846390>
Not a trust controller, skipping
Calling check <ipahealthcheck.ipa.trust.IPATrustControllerConfCheck object at 0x7f44007e6eb8>
Not a trust controller, skipping
Calling check <ipahealthcheck.ipa.trust.IPATrustControllerGroupSIDCheck object at 0x7f44007fb630>
Not a trust controller, skipping
Calling check <ipahealthcheck.meta.core.MetaCheck object at 0x7f4400806a58>
Calling check <ipahealthcheck.system.filesystemspace.FileSystemSpaceCheck object at 0x7f4400806b00>
[{"source": "ipahealthcheck.ipa.host", "check": "IPAHostKeytab", "severity": 2, "uuid": "496bf36b-b455-45aa-b4fe-fb0ba7463f7a", "when": "20190614174442Z", "duration": "0.010664", "kw": {"msg": "Failed to obtain host TGT: Major (851968): Unspecified GSS failure. Minor code may provide more information, Minor (2529639122): Pre-authentication failed: Invalid argument"}}]
[root@ipaserver ~]#
With another account the same error. Did I do something wrong?
Regards from Germany
Dirk
On 14.06.19 at 19:20, Rob Crittenden via FreeIPA-users wrote:
Dirk Streubel via FreeIPA-users wrote:
Hello Rob,
for me it is not working. I installed the freeipa-healthcheck-0.2-3.fc31.noarch on a Fedora release 31 (Rawhide) and have on the VM the following packages installed:
freeipa-server-4.7.90.pre1-6.fc31.x86_6 and krb5-server-1.17-30.fc31.x86_64 krb5-workstation-1.17-30.fc31.x86_64
But after getting a TGT something is wrong:
ipa-healthcheck --failures-only --debug
The debug context for that particular check is missing from the snippet. Can you run this and provide the output:
# ipa-healthcheck --source ipahealthcheck.pa.host --debug
This does the equivalent of: kinit -kt /etc/krb5.keytab
thanks
rob
Hello Rob,
here it comes:
[root@ipaserver ~]# kinit admin
Passwort für admin@LINUX.FRITZ.BOX:
[root@ipaserver ~]# ipa-healthcheck --source ipahealthcheck.pa.host --debug
...
Source 'ipahealthcheck.pa.host' not found
Did I make a mistake?
Regards
Dirk
On 14.06.19 at 20:30, Rob Crittenden via FreeIPA-users wrote:
Dirk Streubel wrote:
Hello Rob,
here it comes:
[root@ipaserver ~]# kinit admin
Passwort für admin@LINUX.FRITZ.BOX:
[root@ipaserver ~]# ipa-healthcheck --source ipahealthcheck.pa.host --debug
Source 'ipahealthcheck.pa.host' not found
Did I make a mistake?
No, I did, I must have fat-fingered the paste in a surprising way. It should be:
ipa-healthcheck --source ipahealthcheck.ipa.host --debug
rob
Hello Rob,
second try ;)
[root@ipaserver ~]# ipa-healthcheck --source ipahealthcheck.ipa.host --debug
...
'/var/lib/ipa/sysrestore/sysrestore.state' Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index' Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index' Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index' Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index' Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index' Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index' Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index' Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index' Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index' Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index' Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index' Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index' Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index' Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index' Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index' Loading StateFile from 
'/var/lib/ipa/sysrestore/sysrestore.state' Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index' Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index' Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index' Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index' Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index' Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index' Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index' Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index' Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index' Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index' Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index' Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index' Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index' Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index' Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index' Loading StateFile from 
'/var/lib/ipa/sysrestore/sysrestore.state' Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index' Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index' Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index' Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index' Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index' Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index' Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index' Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index' Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index' Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index' Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index' Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index' Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index' Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index' Calling check <ipahealthcheck.ipa.host.IPAHostKeytab object at 0x7facb6a2ac50> Initializing principal host/ipaserver.linux.fritz.box@LINUX.FRITZ.BOX using 
keytab /etc/krb5.keytab using ccache /tmp/tmp_1g2c73d/ccache [{"source": "ipahealthcheck.ipa.host", "check": "IPAHostKeytab", "severity": 2, "uuid": "964f55b3-a12f-4282-b776-912892f8001a", "when": "20190614195109Z", "duration": "0.010907", "kw": {"msg": "Failed to obtain host TGT: Major (851968): Unspecified GSS failure. Minor code [root@ipaserver ~]#
On 14.06.19 at 21:41, Rob Crittenden via FreeIPA-users wrote:
Dirk Streubel wrote:
Hello Rob,
here it comes:
[root@ipaserver ~]# kinit admin
Passwort für admin@LINUX.FRITZ.BOX:
[root@ipaserver ~]# ipa-healthcheck --source ipahealthcheck.pa.host --debug
Source 'ipahealthcheck.pa.host' not found
Did I make a mistake?
No, I did, I must have fat-fingered the paste in a surprising way. It should be:
ipa-healthcheck --source ipahealthcheck.ipa.host --debug
rob
Dirk Streubel wrote:
Hello Rob,
second try ;)
[root@ipaserver ~]# ipa-healthcheck --source ipahealthcheck.ipa.host --debug
Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
...
Calling check <ipahealthcheck.ipa.host.IPAHostKeytab object at 0x7facb6a2ac50>
Initializing principal host/ipaserver.linux.fritz.box@LINUX.FRITZ.BOX using keytab /etc/krb5.keytab
using ccache /tmp/tmp_1g2c73d/ccache
[{"source": "ipahealthcheck.ipa.host", "check": "IPAHostKeytab", "severity": 2, "uuid": "964f55b3-a12f-4282-b776-912892f8001a", "when": "20190614195109Z", "duration": "0.010907", "kw": {"msg": "Failed to obtain host TGT: Major (851968): Unspecified GSS failure. Minor code
[root@ipaserver ~]#
Ok I'd check /var/log/krb5kdc.log on the master to see what the failure is.
Also:
# klist -kt /etc/krb5.keytab
# kvno host/ipaserver.linux.fritz.box@LINUX.FRITZ.BOX
The kvno should match between the two.
You might also try manually: kinit -kt /etc/krb5.keytab
rob
Hello Rob,
On 14.06.19 at 22:33, Rob Crittenden wrote:
Ok I'd check /var/log/krb5kdc.log on the master to see what the failure is.
Also:
# klist -kt /etc/krb5.keytab
here is the output:
[root@ipaserver ~]# klist -kt /etc/krb5.keytab
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 30.05.2019 18:40:19 host/ipaserver.linux.fritz.box@LINUX.FRITZ.BOX
   2 30.05.2019 18:40:19 host/ipaserver.linux.fritz.box@LINUX.FRITZ.BOX
   2 30.05.2019 18:40:19 host/ipaserver.linux.fritz.box@LINUX.FRITZ.BOX
   2 30.05.2019 18:40:19 host/ipaserver.linux.fritz.box@LINUX.FRITZ.BOX
   2 30.05.2019 18:40:19 host/ipaserver.linux.fritz.box@LINUX.FRITZ.BOX
   2 30.05.2019 18:40:19 host/ipaserver.linux.fritz.box@LINUX.FRITZ.BOX
# kvno host/ipaserver.linux.fritz.box@LINUX.FRITZ.BOX
[root@ipaserver ~]# kvno host/ipaserver.linux.fritz.box@LINUX.FRITZ.BOX
host/ipaserver.linux.fritz.box@LINUX.FRITZ.BOX: KVNO = 2
The kvno should match between the two.
You might also try manually: kinit -kt /etc/krb5.keytab
[root@ipaserver ~]# kinit -kt /etc/krb5.keytab
kinit: Pre-authentication failed: Invalid argument bei Anfängliche Anmeldedaten werden geholt.
Dirk
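The KVNO comparison Rob asks for, run over the output Dirk posted above, as an added example that is not part of the original thread. The function names and the MATCH/MISMATCH/MISSING labels are assumptions of this sketch, and the second and third inputs are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): compare the KVNO in a keytab with the KDC's.
# Functions take the text of `klist -kt` / `kvno`, so nothing here contacts a KDC.

# Print the distinct KVNOs the keytab holds for principal $1 (ascending).
# stdin: `klist -kt <keytab>` output. Entry lines start with a number and end
# with the principal, so the localized timestamp in between is ignored.
keytab_kvnos() {
    awk -v p="$1" '$1 ~ /^[0-9]+$/ && $NF == p { print $1 }' | sort -n -u
}

# Print the KDC's current KVNO for principal $1.
# stdin: `kvno <principal>` output, "<principal>: kvno = N" (any letter case).
kdc_kvno() {
    awk -v p="$1" 'index($0, p ": ") == 1 && tolower($0) ~ /kvno = [0-9]+$/ { print $NF }'
}

# $1 principal, $2 klist text, $3 kvno text. Prints one of:
#   MATCH kvno=N             newest keytab key has the KDC's current KVNO
#   MISMATCH keytab=N kdc=M  keytab and KDC disagree
#   MISSING                  principal absent from the keytab or the kvno output
compare_kvno() {
    newest=$(printf '%s\n' "$2" | keytab_kvnos "$1" | tail -n 1)
    current=$(printf '%s\n' "$3" | kdc_kvno "$1")
    if [ -z "$newest" ] || [ -z "$current" ]; then
        echo "MISSING"
    elif [ "$newest" -eq "$current" ]; then
        echo "MATCH kvno=$current"
    else
        echo "MISMATCH keytab=$newest kdc=$current"
    fi
}

P='host/ipaserver.linux.fritz.box@LINUX.FRITZ.BOX'

# Output as posted in the thread.
THREAD_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 30.05.2019 18:40:19 host/ipaserver.linux.fritz.box@LINUX.FRITZ.BOX
   2 30.05.2019 18:40:19 host/ipaserver.linux.fritz.box@LINUX.FRITZ.BOX
   2 30.05.2019 18:40:19 host/ipaserver.linux.fritz.box@LINUX.FRITZ.BOX
   2 30.05.2019 18:40:19 host/ipaserver.linux.fritz.box@LINUX.FRITZ.BOX
   2 30.05.2019 18:40:19 host/ipaserver.linux.fritz.box@LINUX.FRITZ.BOX
   2 30.05.2019 18:40:19 host/ipaserver.linux.fritz.box@LINUX.FRITZ.BOX'
THREAD_KVNO='host/ipaserver.linux.fritz.box@LINUX.FRITZ.BOX: KVNO = 2'

# Constructed: the KDC has moved on to KVNO 3, the keytab was never refreshed.
STALE_KVNO='host/ipaserver.linux.fritz.box@LINUX.FRITZ.BOX: kvno = 3'

# Constructed: keytab that still carries the previous key next to the current one.
ROTATED_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   1 05/30/19 18:40:19 host/ipaserver.linux.fritz.box@LINUX.FRITZ.BOX
   2 06/14/19 09:00:00 host/ipaserver.linux.fritz.box@LINUX.FRITZ.BOX'

compare_kvno "$P" "$THREAD_KLIST" "$THREAD_KVNO"
compare_kvno "$P" "$THREAD_KLIST" "$STALE_KVNO"
compare_kvno "$P" "$ROTATED_KLIST" "$THREAD_KVNO"
```

A MATCH only rules out a stale keytab: in this thread the KVNOs agree and `kinit -kt` still fails, so the cause has to be looked for elsewhere.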
Dirk Streubel via FreeIPA-users wrote:
[root@ipaserver ~]# kinit -kt /etc/krb5.keytab
kinit: Pre-authentication failed: Invalid argument bei Anfängliche Anmeldedaten werden geholt.
What about the krb5 log? Can you check for SELinux AVCs just in case?
You can get more output on the client side with:
# KRB5_TRACE=/dev/stdout kinit -kt /etc/krb5.keytab
rob
Rob Crittenden via FreeIPA-users <freeipa-users@lists.fedorahosted.org> writes:
What about the krb5 log? Can you check for SELinux AVCs just in case?
You can get more output on the client side with:
# KRB5_TRACE=/dev/stdout kinit -kt /etc/krb5.keytab
(And while I'm really excited to see the German localization getting used this soon after merging, it would be helpful to me if you could set LC_ALL=C as well.)
Thanks, --Robbie
On 14-06-19 16:29, Rob Crittenden via FreeIPA-users wrote:
I'd like to introduce a new tool for an IPA administrators tool kit we're working on, currently in a beta state and shipping in Fedora 29+.
ipa-healthcheck is a proactive tool for identifying current, potential and future issues within an IPA installation.
[...] I'd appreciate any feedback on whether it:
- is helpful
Yes! :-)
- works
I don't know yet. I'm on CentOS with IPA 4.6