Create a tool that would help with diagnosis and collecting information about server/client deployment.
The tool should have at least following features:
- Validate that keytabs are ok (known only, /etc/krb5.keytab, /etc/httpd/conf/ipa.keytab and /etc/dirsrv/ds.keytab)
- Get a host TGT
- Verify that the certificates are ok (start with HTTP and DS, maybe machine cert) - see #6302
- Connectivity, perhaps using the conncheck tool.
- Replication status
Existing tools related tools (like https://github.com/peterpakos/checkipaconsistency or ds-replcheck) should be also evaluated.
Optionally, the tool could make log collection easier for further debugs on freeipa-users list for example.
- Version of the packages
- Is CA installed?
- Is it chained, self signed etc.
- How many replicas?
- Do replicas run DNS, CAs?
- What is the topology?
- Is NIS/Compat enabled?
- Is migration mode is on?
- What is the status of the internal certificates? How soon they expire? Is certmonger configured to renew them?
- Are trusts enabled?
- Home many trusts are three?
- Is sync is enabled?
- Collect install logs
We should investigate whether Ansible and related FreeIPA Ansible work would not be the best way for discovering the information.
Starting to shape next release
Bumping up a priority for 3.5. I think it will help us to better troubleshoot issues.
Related (and closed as duplicate) ticket with more information: #3631.
I was thinking more about this topic and I thought it may be nice to design this with a nice pluggable API to add the particular checks as code snippets instead of hardcoding it all one long single script. Part of the check (it may be one check per file, or several grouped checkes like all Kerberos related) should be a remediation advise. Something like what OpenScap does.
Ticket has been cloned to Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1152084
Also see #3327
Too late to be included in 4.2 - moving to later release.
Current POC by tbabej:
Metadata Update from @dpal:
- Issue assigned to mbasti
- Issue set to the milestone: FreeIPA 4.5 backlog
Metadata Update from @mbasti:
- Issue assigned to fbarreto (was: mbasti)
- Issue close_status updated to: None
Currently POC by fbarreto:
It should check SELinux booleans as well.
Metadata Update from @ftweedal:
- Assignee reset
to comment on this ticket.