
Showing posts from April, 2021

Ansible - Host has the domain appended twice

There can be weird cases where the domain.tld is appended twice in the Ansible facts. This is most likely caused by the PTR record in your DNS zone: the zone name gets appended a second time if you forget the trailing '.' on the hostname:

[22:43:26 - archy@stealth-falcon ~]$ ipa dnsrecord-show 10.31.172.in-addr.arpa 13
  Record name: 13
  PTR record: elk02.archyslife.lan.archyslife.lan.

I'm using FreeIPA, so the fix is fairly straightforward:

[23:44:47 - archy@stealth-falcon ~]$ ipa dnsrecord-mod 10.31.172.in-addr.arpa 13 --ptr-rec 'elk02.archyslife.lan.'

Now, verify that the A and PTR records resolve as expected:

[23:44:58 - archy@stealth-falcon ~]$ dig +short -x $(dig +short a elk02.archyslife.lan)
elk02.archyslife.lan.

TL;DR: it was DNS. Feel free to comment and / or suggest a topic.
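As an added illustration (not part of the original post), the following Python models the zone-origin rule behind this bug: a PTR target without a trailing dot is treated as relative to the zone and gets the origin appended, which is how 'elk02.archyslife.lan' becomes 'elk02.archyslife.lan.archyslife.lan.'. The `audit` helper then scans a constructed sample of reverse-zone records for that doubled suffix and reports the corrected absolute name; the record set and the function names are assumptions for the example.

```python
# Added example, not from the original post: model relative-name handling in a
# DNS zone and detect PTR targets that carry the domain twice.

def qualify(name: str, origin: str) -> str:
    """Return the absolute name a zone stores for `name`.

    A name ending in '.' is already absolute; anything else is relative to
    the zone origin and gets the origin appended (RFC 1035 semantics).
    """
    if name.endswith("."):
        return name
    return f"{name}.{origin.rstrip('.')}."


def doubled_suffix(fqdn: str, domain: str) -> bool:
    """True if `domain` appears twice at the end of `fqdn`."""
    labels = fqdn.rstrip(".").split(".")
    dom = domain.rstrip(".").split(".")
    n = len(dom)
    return (len(labels) >= 2 * n + 1
            and labels[-n:] == dom
            and labels[-2 * n:-n] == dom)


def fix_ptr(ptr: str, domain: str) -> str:
    """Strip one redundant copy of `domain` and return the absolute
    (dot-terminated) name that should be written back."""
    if not doubled_suffix(ptr, domain):
        return ptr if ptr.endswith(".") else ptr + "."
    labels = ptr.rstrip(".").split(".")
    n = len(domain.rstrip(".").split("."))
    return ".".join(labels[:-n]) + "."


def audit(records: dict, domain: str) -> dict:
    """Return {record_name: corrected_ptr} for every PTR target that
    carries `domain` twice."""
    return {name: fix_ptr(target, domain)
            for name, target in records.items()
            if doubled_suffix(target, domain)}


# Constructed sample of a reverse zone; record 13 mirrors the post's symptom.
SAMPLE_ZONE = {
    "13": "elk02.archyslife.lan.archyslife.lan.",
    "14": "elk03.archyslife.lan.",
}

if __name__ == "__main__":
    print(qualify("elk02.archyslife.lan", "archyslife.lan"))   # the mistake
    print(qualify("elk02.archyslife.lan.", "archyslife.lan"))  # the fix
    for rec, fixed in audit(SAMPLE_ZONE, "archyslife.lan").items():
        print(f"record {rec}: PTR should be {fixed}")
```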

FreeIPA - Remove Replica

When upgrading your infrastructure, decommissioning servers is a common task. When it comes to FreeIPA, some preparations have to be made. To keep replication consistent, first remove the server from FreeIPA:

[archy@ipa02 ~]$ kinit archy
[archy@ipa02 ~]$ ipa server-del ipa01.archyslife.lan --ignore-topology-disconnect

Now that the server is removed, including all of its replication agreements, you can go ahead and uninstall the service on the server itself:

[root@ipa01 ~]# ipa-server-install --uninstall

Keep in mind that the server will need a reboot after completion. The server should now have been cleanly removed from your setup. Feel free to comment and / or suggest a topic.

Foreman - ERF12-5287 [ProxyAPI::ProxyException]: Unable to create realm entry

This error is most likely caused by the ipa-server that originally issued the keytab no longer being reachable. In my case, the server had been decommissioned, so the way to go is fix-forward. First, get a new keytab from one of your ipa-replicas:

[root@katello ~]# mv /etc/foreman-proxy/freeipa.keytab /etc/foreman-proxy/freeipa.keytab.old
[root@katello ~]# kinit admin
[root@katello ~]# ipa-getkeytab -s ipa02.archyslife.lan -p katello-realm@ARCHYSLIFE.LAN -k /etc/foreman-proxy/freeipa.keytab

With the keytab present, make sure the SELinux context is correct:

[root@katello ~]# restorecon -v /etc/foreman-proxy/freeipa.keytab

Now re-run the installer to ensure Foreman's configuration is consistent:

[root@katello ~]# foreman-installer --scenario katello

Creating a host with the associated realm should now work. Feel free to comment and / or suggest a topic.

SSSD - sssd_kcm is causing huge cpu loads

SSSD-KCM is a service for managing Kerberos credential caches obtained via pam_sso, but it can sometimes cause huge CPU loads (90%+). I'm not sure exactly why this happens, but I think it has something to do with the secrets.ldb (/var/lib/sss/secrets/secrets.ldb) mismatching the current dynamic DB or cache. Anyway, the solution is fairly simple and takes less than a minute. First, stop both sssd services:

[root@server ~]# systemctl stop sssd.service sssd-kcm.socket

Now, make a backup of the secrets.ldb, just in case, and then remove the original:

[root@server ~]# cp -r /var/lib/sss/secrets /var/lib/sss/secrets.bak
[root@server ~]# rm -rf /var/lib/sss/secrets

Start the sssd services again:

[root@server ~]# systemctl start sssd.service sssd-kcm.socket

The 'sssd_kcm' process should not be causing any huge CPU loads anymore. Feel free to comment and / or suggest a topic.