Last week I was having SSSD issues and Sumit was sharp enough to pick out that
I didn't allow enough RIDs.
(https://lists.fedorahosted.org/archives/list/[email protected]/message/SZ4UG23UAMPSUPQDCY3QA4JJBZH5AQRB/)
I increased the range by 5,000,000 via the GUI, restarted both SSSD services
(test IPA server, test client) after clearing their caches, and it started to
work.
For reasons, the IPA test server was power cycled and when it came back up, IPA
won't start. `ipactl start` aborts because "Failed to start smb Service".
I am seeing the following in the samba logs:
[2021/02/23 14:57:23.259648, 0] ../../source3/smbd/server.c:1782(main)
  smbd version 4.12.3 started.
  Copyright Andrew Tridgell and the Samba Team 1992-2020
[2021/02/23 14:57:23.312207, 1] ../../source3/profile/profile.c:55(set_profile_level)
  INFO: Profiling turned OFF from pid 2360
[2021/02/23 14:57:23.345139, 0] ipa_sam.c:3980(get_fallback_group_sid)
  Missing mandatory attribute ipaNTSecurityIdentifier.
[2021/02/23 14:57:23.345184, 0] ipa_sam.c:4950(pdb_init_ipasam)
  Cannot find SID of fallback group.
[2021/02/23 14:57:23.345194, 0] ../../source3/passdb/pdb_interface.c:180(make_pdb_method_name)
  pdb backend ipasam:ldapi://%2fvar%2frun%2fslapd-TEST-IDM-COMPANY-COM.socket did not correctly init (error was NT_STATUS_INVALID_PARAMETER)
[2021/02/23 15:05:11.201577, 0] ../../source3/smbd/server.c:1782(main)
  smbd version 4.12.3 started.
  Copyright Andrew Tridgell and the Samba Team 1992-2020
[2021/02/23 15:05:11.212856, 1] ../../source3/profile/profile.c:55(set_profile_level)
  INFO: Profiling turned OFF from pid 3146
[2021/02/23 15:05:11.234448, 0] ipa_sam.c:3980(get_fallback_group_sid)
  Missing mandatory attribute ipaNTSecurityIdentifier.
A quick search suggests that potentially my change of the RID has affected SMB
but I'm not 100% sure what to do next.
I guess I need to add an ipaNTSecurityIdentifier variable - but I'm not sure
where.
This page
https://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/trust-ipa-subdomain.html
suggests that I need to add a sidgen to the FreeIPA users that exist, but
those users were created via the GUI - shouldn't the SID have been created then?
And if they didn't, how come I've been able to reboot successfully relatively
frequently without this issue happening before - is it because I changed the
value of that one domain's ID range?
Cheers
L.
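
An added example, not part of the original message and not Samba or FreeIPA code: a small triage script that splits a Samba log into entries and lists, per smbd start, the level-0 errors that followed. The function names are this example's own, and `SAMPLE` is an excerpt of the log quoted above with one header and one message wrapped the way a mail client breaks long lines.

```python
import re

# "[timestamp, level] file:line(function)"; a mail client may wrap after "]".
HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d+),\s*(\d+)\]\s*(.*)$")
LOCATION = re.compile(r"^(\S+):(\d+)\((\w+)\)$")

def parse_entries(text):
    """Split a Samba log into entries, rejoining wrapped headers and messages."""
    entries, cur = [], None
    for line in map(str.strip, text.splitlines()):
        m = HEADER.match(line)
        if m:
            cur = {"ts": m.group(1), "level": int(m.group(2)), "file": None, "func": None, "msg": ""}
            entries.append(cur)
            line = m.group(3)
        elif cur is None:
            continue  # text before the first header
        loc = LOCATION.match(line)
        if loc and cur["file"] is None:
            cur["file"], cur["func"] = loc.group(1), loc.group(3)
        else:
            cur["msg"] = f'{cur["msg"]} {line}'.strip()
    return entries

def failed_starts(entries):
    """Group entries by smbd start banner; keep starts followed by level-0 errors."""
    attempts = []
    for e in entries:
        if e["func"] == "main" and "started" in e["msg"]:
            attempts.append({"started": e["ts"], "errors": []})
        elif attempts and e["level"] == 0:
            attempts[-1]["errors"].append((e["func"], e["msg"]))
    return [a for a in attempts if a["errors"]]

# Excerpt of the log quoted above, with mail-style wrapped header and message.
SAMPLE = """\
[2021/02/23 14:57:23.259648, 0] ../../source3/smbd/server.c:1782(main)
smbd version 4.12.3 started.
[2021/02/23 14:57:23.345139, 0] ipa_sam.c:3980(get_fallback_group_sid)
Missing mandatory attribute ipaNTSecurityIdentifier.
[2021/02/23 14:57:23.345184, 0] ipa_sam.c:4950(pdb_init_ipasam)
Cannot find SID of fallback group.
[2021/02/23 14:57:23.345194, 0]
../../source3/passdb/pdb_interface.c:180(make_pdb_method_name)
pdb backend ipasam:ldapi://%2fvar%2frun%2fslapd-TEST-IDM-COMPANY-COM.socket
did not correctly init (error was NT_STATUS_INVALID_PARAMETER)"""

for attempt in failed_starts(parse_entries(SAMPLE)):
    print(attempt["started"], *attempt["errors"], sep="\n  ")
```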