Chapter 104. Verifying your IdM and AD trust configuration using IdM Healthcheck
Learn more about identifying issues with a trust between Identity Management (IdM) and Active Directory (AD) by using the Healthcheck tool.
Prerequisites
- The Healthcheck tool is only available on RHEL 8.1 or newer
104.1. IdM and AD trust Healthcheck tests
The Healthcheck tool includes several tests for testing the status of the trust between Identity Management (IdM) and Active Directory (AD).
To see all trust tests, run ipa-healthcheck with the --list-sources option:
# ipa-healthcheck --list-sources
You can find all trust-related tests under the ipahealthcheck.ipa.trust source:
- IPATrustAgentCheck
  This test checks the SSSD configuration if the current host is configured as a trust agent. For each domain in /etc/sssd/sssd.conf where id_provider=ipa, ensure that ipa_server_mode is True.
- IPATrustDomainsCheck
  This test checks if the trust domains match SSSD domains by comparing the list of domains in sssctl domain-list with the list of domains from ipa trust-find, excluding the IdM domain.
- IPATrustCatalogCheck
  This test resolves an AD user, Administrator@REALM. This populates the AD Global Catalog and AD Domain Controller values in sssctl domain-status output. For each trust domain, look up the user with the ID of the SID + 500, that is, the administrator ID, and then check the output of sssctl domain-status <domain> --active-server to ensure that the domain is active.
- IPAsidgenpluginCheck
  This test verifies that the sidgen plugin is enabled in the IdM 389-ds instance. The test also verifies that the IPA SIDGEN and ipa-sidgen-task plugins in cn=plugins,cn=config include the nsslapd-pluginEnabled option.
- IPATrustAgentMemberCheck
  This test verifies that the current host is a member of cn=adtrust agents,cn=sysaccounts,cn=etc,SUFFIX.
- IPATrustControllerPrincipalCheck
  This test verifies that the current host is a member of cn=adtrust agents,cn=sysaccounts,cn=etc,SUFFIX.
- IPATrustControllerServiceCheck
  This test verifies that the current host starts the ADTRUST service in ipactl.
- IPATrustControllerConfCheck
  This test verifies that ldapi is enabled for the passdb backend in the output of net conf list.
- IPATrustControllerGroupSIDCheck
  This test verifies that the admins group's SID ends with 512, which is the Domain Admins' RID.
- IPATrustPackageCheck
  This test verifies that the trust-ad package is installed if the trust controller and AD trust are not enabled.
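To make concrete what two of the checks above look for, here is an added illustration (not ipa-healthcheck's own code) that re-implements the logic of IPATrustAgentCheck (every id_provider=ipa domain in sssd.conf must set ipa_server_mode = True) and IPATrustControllerGroupSIDCheck (the admins group's SID must end in the Domain Admins RID, 512). The sssd.conf text and the SIDs are constructed samples; the domain names are placeholders.

```python
import configparser

# Constructed sample of /etc/sssd/sssd.conf on a healthy trust agent (not from a real host).
SAMPLE_SSSD_CONF = """
[sssd]
domains = ipa.example.test, legacy.example.test
services = nss, pam

[domain/ipa.example.test]
id_provider = ipa
ipa_server_mode = True

[domain/legacy.example.test]
id_provider = ldap
"""

DOMAIN_ADMINS_RID = 512


def sssd_trust_agent_problems(conf_text):
    """Return the SSSD domains that use id_provider=ipa but do not have ipa_server_mode=True.

    This is the condition IPATrustAgentCheck reports on: a trust agent must run every
    IPA-backed domain in server mode. An empty list means the configuration is healthy.
    Non-IPA domains (e.g. id_provider=ldap) are ignored, as the check only covers IPA ones.
    """
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(conf_text)
    problems = []
    for section in parser.sections():
        if not section.startswith("domain/"):
            continue  # [sssd], [nss], [pam] and similar sections are not domains
        provider = parser.get(section, "id_provider", fallback="").strip().lower()
        if provider != "ipa":
            continue
        # SSSD treats a missing ipa_server_mode as False, so 'fallback' mirrors that.
        mode = parser.get(section, "ipa_server_mode", fallback="False").strip().lower()
        if mode != "true":
            problems.append(section[len("domain/"):])
    return problems


def sid_has_rid(sid, rid):
    """True when the SID's last component (its RID) equals `rid`.

    IPATrustControllerGroupSIDCheck applies this with rid=512 to the admins group's SID,
    because 512 is the well-known RID of the AD Domain Admins group.
    """
    parts = sid.strip().split("-")
    return parts[-1] == str(rid)


if __name__ == "__main__":
    print("sssd.conf problems:", sssd_trust_agent_problems(SAMPLE_SSSD_CONF))
    # Constructed SIDs with placeholder sub-authorities; only the trailing RID matters here.
    print("admins SID ok:", sid_has_rid("S-1-5-21-1111111111-2222222222-3333333333-512", DOMAIN_ADMINS_RID))
    print("wrong SID ok:", sid_has_rid("S-1-5-21-1111111111-2222222222-3333333333-513", DOMAIN_ADMINS_RID))
```

Running it against the healthy sample reports no problems; removing or setting ipa_server_mode to False for the IPA domain makes that domain show up, which is the situation the real check flags.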
104.2. Screening the trust with the Healthcheck tool
Follow this procedure to run a standalone manual test of an Identity Management (IdM) and Active Directory (AD) trust health check using the Healthcheck tool.
Procedure
Enter:
# ipa-healthcheck --source=ipahealthcheck.ipa.trust --failures-only
- The --source=ipahealthcheck.ipa.trust option ensures that IdM Healthcheck only performs the trust tests.
- The successful test displays empty brackets:
# ipa-healthcheck --source=ipahealthcheck.ipa.trust
[]
Run these tests on all IdM servers when trying to find an issue.
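When the trust tests are run on every IdM server, the JSON that ipa-healthcheck prints is easier to triage with a small script than by eye. The following added example (not part of the Red Hat documentation or of ipa-healthcheck itself) parses a report, lists every non-SUCCESS entry with its expanded message, and treats the empty `[]` from a clean --failures-only run as healthy. The report below is a constructed sample: the field names follow ipa-healthcheck's JSON output as I understand it (source, check, result, kw with a msg template), and the uuid/when values are placeholders.

```python
import json

# Constructed sample of `ipa-healthcheck --source=ipahealthcheck.ipa.trust` output with one
# failing and one passing check. Not captured from a real server.
SAMPLE_REPORT = """[
  {"source": "ipahealthcheck.ipa.trust", "check": "IPATrustAgentCheck", "result": "ERROR",
   "uuid": "00000000-0000-0000-0000-000000000001", "when": "20240101T000000Z", "duration": "0.01",
   "kw": {"key": "ipa_server_mode_false", "attr": "ipa_server_mode",
          "sssd_config": "/etc/sssd/sssd.conf", "domain": "ipa.example.test",
          "msg": "{attr} is not True in {sssd_config} in the domain {domain}"}},
  {"source": "ipahealthcheck.ipa.trust", "check": "IPATrustPackageCheck", "result": "SUCCESS",
   "uuid": "00000000-0000-0000-0000-000000000002", "when": "20240101T000000Z", "duration": "0.00",
   "kw": {}}
]"""

# Anything other than SUCCESS is worth a look; CRITICAL is the most severe.
FAILURE_RESULTS = ("WARNING", "ERROR", "CRITICAL")


def expand_message(kw):
    """Fill the {placeholders} in kw['msg'] from the other kw fields, if any."""
    msg = kw.get("msg", "")
    try:
        return msg.format(**kw)
    except (KeyError, IndexError, ValueError):
        return msg  # leave the template alone rather than fail on an unexpected shape


def failures(report_json):
    """Return [(check, result, message)] for every entry whose result is not SUCCESS.

    An empty list is equivalent to the `[]` that a clean --failures-only run prints.
    """
    entries = json.loads(report_json)
    found = []
    for entry in entries:
        if entry.get("result") not in FAILURE_RESULTS:
            continue
        found.append((entry["check"], entry["result"], expand_message(entry.get("kw", {}))))
    return found


def is_healthy(report_json):
    """True when the trust report contains no WARNING, ERROR or CRITICAL results."""
    return failures(report_json) == []


def summarize(report_json, hostname="server.example.test"):
    """Return one line per failure, prefixed with the host the report came from."""
    return [f"{hostname}: {check} {result}: {msg}" for check, result, msg in failures(report_json)]


if __name__ == "__main__":
    print("healthy:", is_healthy(SAMPLE_REPORT))
    for line in summarize(SAMPLE_REPORT):
        print(line)
```

In practice you would feed each server's report into summarize() with its hostname, which gives a per-server list of failing trust checks to work through. The expanded message points at the attribute, file and domain involved, so the fix can be applied where the check found the problem.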