On Fri, 08 May 2015, Andy Thompson wrote:
-----Original Message-----
From: Alexander Bokovoy [mailto:aboko...@redhat.com]
Sent: Friday, May 8, 2015 8:17 AM
To: Andy Thompson
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] multi homed environment

On Fri, 08 May 2015, Andy Thompson wrote:
>I'm trying to roll out IPA in an existing windows environment where
>everything is multi homed.  I did not put my IPA server on all the
>subnets.
>
>I'm having an issue with adding a trust to the domain with the error
>below
>
>ipa: ERROR: CIFS server communication error: code "-1073741801", message "Memory allocation error" (both may be "None")
>
>DNS I think since it round robins all the existing A records and is
>returning IPs out of the local subnet.  I don't know much about windows
>dns services but it's got netmask optimization enabled and doing digs
>against the service returns the local IP first every time, but pings
>return them in any order.
>
>I've considered adding the DCs to the local hosts file but I'm not sure
>if that will solve the problem or not.  Is that a viable fix?
>
>Anyone have any experience in an environment like this?   Really not
>sure what additional problems I will run into with all this multi homed
>nonsense.
Stop here and make sure you obtained the debugging information as
described in
http://www.freeipa.org/page/Active_Directory_trust_setup#Debugging_trust

Without that information it is hard to tell what is happening.

Make also sure to tell exact environment (distribution, version, package
versions, etc).


Well things got ugly.  I enabled debug and pointed in the right
direction, smb failed to start.  Came down to the cifs service was not
added when I did the adtrust-install.  I tried adding it and it
complained that it could not find the A record for the host even though
it was there.  Thinking something was hung up in resolver cache
possibly I restarted the ipa service and it failed completely.

Ipactl start fails starting smb because of the missing service and
everything fails from there.

Is there any way to recover from this mess I just made? :)

I assume you have IPA 4.x, i.e. systemd-based environment.

1. Start manually dirsrv@INSTANCE-NAME.service

2. Disable ADTRUST and EXTID services with ipa-ldap-updater.
Note that you SHOULD NOT replace $FOO variables below, they should be as
specified in the resulting file. For ipa-ldap-updater use see its
manual page and my blog:
https://vda.li/en/posts/2015/01/02/playing-with-freeipa-ipa-ldap-updater/

# cat <<'END' >88-disable-adtrust-extid.update
dn: cn=ADTRUST,cn=$FQDN,cn=masters,cn=ipa,cn=etc,$SUFFIX
remove:ipaConfigString:enabledService

dn: cn=EXTID,cn=$FQDN,cn=masters,cn=ipa,cn=etc,$SUFFIX
remove:ipaConfigString:enabledService
END

# ipa-ldap-updater -l ./88-disable-adtrust-extid.update

3. Restart IPA

4. Re-run ipa-adtrust-install and look at the output, including what it
appends to /var/log/ipaserver-install.log.
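As an added illustration (not from this thread and not FreeIPA's own code), the following Python models what the update file above asks ipa-ldap-updater to do, applied to constructed cn=masters entries kept in memory: it parses the dn/remove lines, substitutes $FQDN and $SUFFIX the way the updater does, and shows that a DN whose variables the shell had already blanked out would match nothing. The FQDN and SUFFIX values and the entries are sample data, not taken from any real installation.

```python
# Added stand-alone illustration, not FreeIPA code: it never talks to LDAP.
# It models the 'dn:' / 'remove:attr:value' update format on constructed entries.
FQDN = "ipa.example.test"            # constructed sample values
SUFFIX = "dc=example,dc=test"
UPDATE = """\
dn: cn=ADTRUST,cn=$FQDN,cn=masters,cn=ipa,cn=etc,$SUFFIX
remove:ipaConfigString:enabledService

dn: cn=EXTID,cn=$FQDN,cn=masters,cn=ipa,cn=etc,$SUFFIX
remove:ipaConfigString:enabledService
"""

def sample_masters():
    """Constructed service entries of one master: DN -> {attr: [values]}."""
    base = f"cn={FQDN},cn=masters,cn=ipa,cn=etc,{SUFFIX}"
    return {
        f"cn=ADTRUST,{base}": {"ipaConfigString": ["enabledService"]},
        f"cn=EXTID,{base}": {"ipaConfigString": ["enabledService"]},
        f"cn=CA,{base}": {"ipaConfigString": ["enabledService", "caRenewalMaster"]},
    }

def parse_update(text, fqdn, suffix):
    """Read the update file; the updater (not the shell) substitutes $FQDN/$SUFFIX."""
    ops, dn = [], None
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            dn = None                # blank line ends the current entry
        elif line.startswith("dn:"):
            dn = line[3:].strip().replace("$FQDN", fqdn).replace("$SUFFIX", suffix)
        elif line.startswith("remove:"):
            _, attr, value = line.split(":", 2)
            ops.append((dn, attr, value))
    return ops

def apply_update(entries, ops):
    """Apply the remove operations in place; return DNs that were not found
    (what you get if the shell already blanked $FQDN and nothing matches)."""
    missing = []
    for dn, attr, value in ops:
        if dn not in entries:
            missing.append(dn)
        else:
            entries[dn][attr] = [v for v in entries[dn].get(attr, []) if v != value]
    return missing

def enabled_services(entries):
    """Service names (the leading cn=) still carrying enabledService."""
    return sorted(dn.split(",")[0][3:] for dn, e in entries.items()
                  if "enabledService" in e.get("ipaConfigString", []))
```

Checking the generated file for the literal strings `$FQDN` and `$SUFFIX` before running the updater is the quick way to confirm the heredoc was quoted correctly.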

--
/ Alexander Bokovoy

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project