When modifying LDAP entries, you may get the following error: [root@idmipa03 ~]# ldapmodify -H ldapi://%2fvar%2frun%2fslapd-MWS-MDS-XYZ.socket << EOF > dn: cn=ranges,cn=etc,dc=mws,dc=mds,dc=xyz > changetype: modify > replace: ipaBaseID > ipaBaseID: 155600000 > EOF SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 modifying entry "cn=ranges,cn=etc,dc=mws,dc=mds,dc=xyz" ldap_modify: Object class violation (65)         additional info: attribute […]

You may run into the following when trying to modify the FreeIPA ID Ranges: [root@ipa03 ~]# ldapmodify -H ldapi://%2fvar%2frun%2fslapd-MWS-MDS-XYZ.socket << EOF > dn: cn=MDS.XYZ_id_range,cn=ranges,cn=etc,dc=mws,dc=mds,dc=xyz > changetype: modify > add: ipaBaseRID > ipaBaseRID: 200000000 > EOF SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 modifying entry "cn=MDS.XYZ_id_range,cn=ranges,cn=etc,dc=mws,dc=mds,dc=xyz" ldap_modify: Object class violation (65)       […]

There is a tool available that does a verification of the replication of each FreeIPA host: yum install git -y; git clone https://github.com/peterpakos/checkipaconsistency.git # ./cipa -d mws.mds.xyz -W "SECRET" +——————–+————+————-+——-+ | FreeIPA servers:   | idmipa03   | idmipa04    | STATE | +——————–+————+————-+——-+ | Active Users       | 1       […]

You receive the following two errors when dealing with apparent group lookups using getent group <USER GROUP> : [sssd[pac]] [accept_fd_handler] (0x0020): Access denied for uid [994].  [resolv_discover_srv_done] (0x0040): SRV query failed [11]: Could not contact DNS servers

When you get this: Feb 17 00:35:37 idmipa04 ns-slapd: [17/Feb/2019:00:35:37.251117736 -0500] – ERR – agmt="cn=meToidmipa03.mws.mds.xyz" (idmipa03:389) – clcache_load_buffer – Can't locate CSN 5c593ee3000200050000 in the changelog (DB rc=-30988). If replication stops, the consumer may need to be reinitialized. Run this on the replica throwing the above error: [root@idmipa04 ~]# ipa-replica-manage re-initialize –from idmipa03.mws.mds.xyz Directory Manager […]

Zabbix error: [Z3001] connection to database ‘zabbix’ failed: [2003] Can't connect to MySQL server on 'mysql-01.abc.xyz.123' (13) related to: audit.log:type=AVC msg=audit(1549949080.977:11328): avc:  denied  { name_connect } for  pid=9115 comm="zabbix_server" dest=3306 scontext=system_u:system_r:zabbix_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket is solved by: # grep AVC /var/log/audit/audit.log | audit2allow -M systemd-allow; semodule -i systemd-allow.pp Cheers, TK

Zabbix error:  10272:20190212:003104.073 cannot start preprocessing service: Cannot bind socket to "/var/run/zabbix/zabbix_server_preprocessing.sock": [98] Address already in use.  10239:20190212:003104.078 One child process died (PID:10272,exitcode/signal:1). Exiting … related to: # cat ../audit/audit.log|grep -Ei denied|tail type=AVC msg=audit(1549949530.062:12551): avc:  denied  { unlink } for  pid=10521 comm="zabbix_server" name="zabbix_server_preprocessing.sock" dev="tmpfs" ino=3998803 scontext=system_u:system_r:zabbix_t:s0 tcontext=system_u:object_r:zabbix_var_run_t:s0 tclass=sock_file is solved by: # grep AVC /var/log/audit/audit.log* […]

Zabbix error:  10587:20190212:003514.676 using configuration file: /etc/zabbix/zabbix_server.conf  10587:20190212:003514.676 cannot set resource limit: [13] Permission denied relates to: [root@host01 zabbix]# cat ../audit/audit.log|grep -Ei denied|tail type=AVC msg=audit(1549949714.675:12570): avc:  denied  { setrlimit } for  pid=10587 comm="zabbix_server" scontext=system_u:system_r:zabbix_t:s0 tcontext=system_u:system_r:zabbix_t:s0 tclass=process [root@host01 zabbix]# and is solved by: [root@host01 zabbix]# grep AVC /var/log/audit/audit.log* | audit2allow -M systemd-allow; semodule -i systemd-allow.pp Cheers, […]

In this post, we are setting up an IPA server on a separate domain than the one we had configured earlier ( nix.mds.xyz ) .   We do so because IPA comes not only with Authentication and DNS but also with a built in KDC to which we will be connnecting various pieces of software that […]

In this post we'll install RabbitMQ in High Availability on 3 nodes.  We'll do this to share out the instance with third party applications that need it while providing fault tolerance. We will reference the following post but instead on CentOS 7. So let's get started. HOSTS COMMANDS DESCRIPTION rmq01 / rmq02 / rmq03 CentOS […]