On Thu, Jun 01, 2017 at 04:41:52PM +0000, Marin BERNARD via FreeIPA-users wrote:
> Hi,
> 
> I'm trying to configure ad trust on a freshly installed FreeIPA server 4.4.0 
> running on an up-to-date instance of CentOS 7 (1611). The ipa-adtrust-install 
> command fails at step 17 (failed to add fallback group). As a consequence, 
> Samba cannot be started and AD trusts can't be established.
> 
> Here is an excerpt of the install log:
> 
> ````
> # ipa-adtrust-install --netbios-name=PEP06-IPA --add-sids --enable-compat
> 
> (...)
> 
> 2017-06-01T13:49:29Z DEBUG   [18/23]: adding fallback group
> 2017-06-01T13:49:29Z DEBUG flushing 
> ldapi://%2fvar%2frun%2fslapd-IPA-PEP06-FR.socket from SchemaCache
> 2017-06-01T13:49:29Z DEBUG retrieving schema for SchemaCache 
> url=ldapi://%2fvar%2frun%2fslapd-IPA-PEP06-FR.socket 
> conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x62107a0>
> 2017-06-01T13:49:30Z DEBUG Starting external process
> 2017-06-01T13:49:30Z DEBUG args=/usr/bin/ldapmodify -v -f /tmp/tmpyj5xIJ -H 
> ldapi://%2fvar%2frun%2fslapd-IPA-PEP06-FR.socket -Y EXTERNAL
> 2017-06-01T13:49:30Z DEBUG Process finished, return code=1
> 2017-06-01T13:49:30Z DEBUG stdout=add cn:
>         Default SMB Group
> add description:
>         Fallback group for primary group RID, do not add users to this group
> add gidnumber:
>         -1
> add objectclass:
>         top
>         ipaobject
>         posixgroup
> adding new entry "cn=Default SMB 
> Group,cn=groups,cn=accounts,dc=ipa,dc=pep06,dc=fr"
> 
> 
> 2017-06-01T13:49:30Z DEBUG stderr=ldap_initialize( 
> ldapi://%2Fvar%2Frun%2Fslapd-IPA-PEP06-FR.socket/??base )
> SASL/EXTERNAL authentication started
> SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
> SASL SSF: 0
> ldap_add: Operations error (1)
>         additional info: Allocation of a new value for range cn=posix 
> ids,cn=distributed numeric assignment plugin,cn=plugins,cn=config failed! 
> Unable to proceed.

The DNA plugin (used to generate new UIDs and GIDs) has some issues.
Maybe https://blog-rcritten.rhcloud.com/?p=50 can help?

If the DNA plugin works again you can run ipa-adtrust-install which then
should properly generate the fallback group.

HTH

bye,
Sumit

> 
> 2017-06-01T13:49:30Z CRITICAL Failed to load default-smb-group.ldif: Command 
> '/usr/bin/ldapmodify -v -f /tmp/tmpyj5xIJ -H 
> ldapi://%2fvar%2frun%2fslapd-IPA-PEP06-FR.socket -Y EXTERNAL' returned 
> non-zero exit status 1
> 2017-06-01T13:49:30Z DEBUG Failed to add fallback group.
> 2017-06-01T13:49:30Z DEBUG   duration: 0 seconds
> 
> (...)
> 
> ````
> 
> In the end, Samba logically fails to start with the following error:
> 
> ````
> Missing mandatory attribute ipaNTFallbackPrimaryGroup.
> 
> ````
> 
> I ran the same command one week ago on another server and had no issue.
> Does anybody have an idea about what to do to make it work?
> 
> Thanks,
> 
> Marin BERNARD
> Administrateur systèmes
> Pupilles de l’Enseignement Public 06
> 35 boulevard de la Madeleine — 06300 Nice
> marin.bernard[at]pep06.fr

> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org