[Freeipa-users] Re: ipa-healthcheck - ipahealthcheck.ipa.dna.IPADNARangeCheck: no matching entry found

2021-08-19 Thread Florence Renaud via FreeIPA-users
Hi, What is the output of klist -A klist -k /etc/krb5.keytab on the machine where ipa-healthcheck command fails? ipa-healthcheck is using a kerberos ticket to authenticate to the LDAP server (obtained from /etc/krb5.keytab), and has different access rights depending on the identity mapped to this

[Freeipa-users] Re: ipa-healthcheck - ipahealthcheck.ipa.dna.IPADNARangeCheck: no matching entry found

2021-08-19 Thread Kathy Zhu via FreeIPA-users
I ran the same ldapsearch on a good server and compared the outputs. Here are the differences: dnaMaxValue: 1889657499 | dnaMaxValue: 1889607999 dnaNextValue: 1889650758 | dnaNextValue: 1889601276 Thanks. Kathy. On Th

[Freeipa-users] Re: ipa-healthcheck - ipahealthcheck.ipa.dna.IPADNARangeCheck: no matching entry found

2021-08-19 Thread Kathy Zhu via FreeIPA-users
Thanks. In my case, I can create a user or group. On Thu, Aug 19, 2021 at 4:37 PM Vinícius Ferrão wrote: > Take a look at this blog article: > > > https://rcritten.wordpress.com/2015/01/05/freeipa-and-no-dna-range/ > > Sent from my iPhone > > On 19 Aug 2021, at 20:35, Kathy Zhu via FreeIPA-users

[Freeipa-users] Re: ipa-healthcheck - ipahealthcheck.ds.replication.ReplicationConflictCheck.idnsname Replication conflict

2021-08-19 Thread Kathy Zhu via FreeIPA-users
Yes, I want to delete the zone. I tried a few ways, none worked so far. On Thu, Aug 19, 2021 at 5:15 PM Rob Crittenden wrote: > Kathy Zhu via FreeIPA-users wrote: > > Hi List, > > > > When I run ipa-healthcheck on all of our ipa servers, they all reported > > following: > > > > [root@ipa0 ~]# ip

[Freeipa-users] Re: ipa-healthcheck - ipahealthcheck.ipa.dna.IPADNARangeCheck: no matching entry found

2021-08-19 Thread Kathy Zhu via FreeIPA-users
Hi Rob, Thanks for replying! It is not missing and I can create new user or group on it: [root@ipa2 ~]# ldapsearch -D "cn=directory manager" -W -b "cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config" Enter LDAP Password: # extended LDIF # # LDAPv3 # base with scope

[Freeipa-users] Re: ipa-healthcheck - ipahealthcheck.ds.replication.ReplicationConflictCheck.idnsname Replication conflict

2021-08-19 Thread Rob Crittenden via FreeIPA-users
Kathy Zhu via FreeIPA-users wrote: > Hi List,  > > When I run ipa-healthcheck on all of our ipa servers, they all reported > following:  > > [root@ipa0 ~]# ipa-healthcheck --failures-only --output-type human > > ERROR: > ipahealthcheck.ds.replication.ReplicationConflictCheck.idnsname=1.1.10.in-a

[Freeipa-users] Re: ipa-healthcheck - ipahealthcheck.ipa.dna.IPADNARangeCheck: no matching entry found

2021-08-19 Thread Rob Crittenden via FreeIPA-users
Kathy Zhu via FreeIPA-users wrote: > Hello, > > ipa-healthcheck is a great tool! Really appreciate Rob to make it > working for Centos. > > When I ran it on all of our IPA servers, one server reported: > > [root@ipa2 ~]# ipa-healthcheck --failures-only --output-type human > > CRITICAL: ipahea

[Freeipa-users] ipa-healthcheck - ipahealthcheck.ds.replication.ReplicationConflictCheck.idnsname Replication conflict

2021-08-19 Thread Kathy Zhu via FreeIPA-users
Hi List, When I run ipa-healthcheck on all of our ipa servers, they all reported following: [root@ipa0 ~]# ipa-healthcheck --failures-only --output-type human ERROR: ipahealthcheck.ds.replication.ReplicationConflictCheck.idnsname=1.1.10.in-addr.arpa.,cn=dns,dc=example,dc=com: Replication conflic

[Freeipa-users] Re: ipa-healthcheck - ipahealthcheck.ipa.dna.IPADNARangeCheck: no matching entry found

2021-08-19 Thread Vinícius Ferrão via FreeIPA-users
Take a look at this blog article: https://rcritten.wordpress.com/2015/01/05/freeipa-and-no-dna-range/ Sent from my iPhone On 19 Aug 2021, at 20:35, Kathy Zhu via FreeIPA-users wrote:  Hello, ipa-healthcheck is a great tool! Really appreciate Rob to make it working for Centos. When I ran

[Freeipa-users] ipa-healthcheck - ipahealthcheck.ipa.dna.IPADNARangeCheck: no matching entry found

2021-08-19 Thread Kathy Zhu via FreeIPA-users
Hello, ipa-healthcheck is a great tool! Really appreciate Rob to make it working for Centos. When I ran it on all of our IPA servers, one server reported: [root@ipa2 ~]# ipa-healthcheck --failures-only --output-type human CRITICAL: ipahealthcheck.ipa.dna.IPADNARangeCheck: no matching entry foun

[Freeipa-users] Re: UI can't list certs on fedora latest. Java bug?

2021-08-19 Thread Harry G. Coin via FreeIPA-users
Flo, Yes, that's it exactly. Thanks. Paging the certificate list really ought to have been lifted from other code, it's already standard in the DNS entry listings, for example. To anyone: In my case, it seems several hundred certificates were 'automatically' created and are of no use to a

[Freeipa-users] AD Trust not working after IPA server reinstall

2021-08-19 Thread Vinícius Ferrão via FreeIPA-users
Hello, I had to reinstall our IPA server since we had filesystem corruption beyond repair on it. After the reinstall (with ipa-replica-install) AD Trust does not seem to be working anymore. I tried to delete the trust and then re-add it but there's no effect. Here are the outputs: [root@idm1

[Freeipa-users] Re: UI can't list certs on fedora latest. Java bug?

2021-08-19 Thread Florence Renaud via FreeIPA-users
Hi, you may be hitting *Bug 1959057* - An error has ocorred (IPA Error 4301:CertificateOperationError) The error happens when there are more entries to return than the configured nsSizeLimit. The workaround is to raise the nsSizeLimit as descri

[Freeipa-users] Fwd: WebUI plugin not working on new replica

2021-08-19 Thread Kristian Petersen via FreeIPA-users
-- Forwarded message - From: Kristian Petersen Date: Wed, Aug 18, 2021 at 4:29 PM Subject: Re: [Freeipa-users] WebUI plugin not working on new replica To: Rob Crittenden Have locations where those files belong for the web ui changed at all? On Wed, Aug 18, 2021, 4:21 PM Rob Cri

[Freeipa-users] generic linux clients configuration

2021-08-19 Thread iulian roman via FreeIPA-users
Hello, I try to enrol some old linux clients (sssd 1.9.4) to ipaserver using the settings as mentioned in ipa-advise. I used ldap provider in sssd and I can query the accounts defined in ipa server but not the Active Directory accounts. I use AD trust and views in IPA, therefore the questio
