Hi

I’m not 100% sure where I've gone wrong, but I obviously have.

Running Centos 7.2, with FreeIPA 4.2.0 from the repos.

FreeIPA was set up per instructions (# ipa-server-install), and we could surf 
to the website and interact with it. 

I set up a second server, yum install -y ipa-client, and then joined with 
authconfig successfully and logged in.

Our intention is to join an AD domain over which we have no control in a one 
way trust: co.org.au is trusted by unix.co.org.au.

In order to do this, I followed the instructions in Red Hat's documentation, 
"5.3.3.1. Preparing the IdM Server for Trust":

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/creating-trusts.html#trust-set-up-idm

I installed ipa-server-trust-ad and samba, ran the ipa-adtrust-install script 
successfully, confirmed DNS was properly configured, confirmed smbclient was 
properly configured, then created a trust agreement successfully (this time 
yesterday I was cheering).

--------------------------------------------------------
Added Active Directory trust for realm "co.org.au"
--------------------------------------------------------
  Realm name: co.org.au
  Domain NetBIOS name: PMCI
  Domain Security Identifier: S-1-5-21-55386287-1424373824-1154838474
  SID blacklist incoming: S-1-5-20, S-1-5-3, S-1-5-2, S-1-5-1, S-1-5-7, 
S-1-5-6, S-1-5-5, S-1-5-4, S-1-5-9, S-1-5-8, S-1-5-17, S-1-5-16, S-1-5-15, 
S-1-5-14, S-1-5-13, S-1-5-12, S-1-5-11, S-1-5-10, S-1-3, S-1-2, S-1-1, S-1-0, 
S-1-5-19, S-1-5-18
  SID blacklist outgoing: S-1-5-20, S-1-5-3, S-1-5-2, S-1-5-1, S-1-5-7, 
S-1-5-6, S-1-5-5, S-1-5-4, S-1-5-9, S-1-5-8, S-1-5-17, S-1-5-16, S-1-5-15, 
S-1-5-14, S-1-5-13, S-1-5-12, S-1-5-11, S-1-5-10, S-1-3, S-1-2, S-1-1, S-1-0, 
S-1-5-19, S-1-5-18
  Trust direction: Trusting forest
  Trust type: Active Directory domain
  Trust status: Established and verified



Then I started to see some differentiation from the documented output, so I 
started investigating. In particular, kvno -S cifs adserver.example.com didn't 
work.

Eventually I turned off SELinux and the firewall altogether and rebooted. 

Now IPA doesn't start. When I look into it, this is what I see:


[root@vmts-linuxidm ~]# sc | grep failed
● dir...@unix.co.org.au.service  loaded failed failed    389 Directory Server 
unix.co.org.au.
● ipa.service                          loaded failed failed    Identity, 
Policy, Audit
● kadmin.service                       loaded failed failed    Kerberos 5 
Password-changing and Administration
● kdump.service                        loaded failed failed    Crash recovery 
kernel arming
● smb.service                          loaded failed failed    Samba SMB Daemon


From the numerous logs and web pages I've read, I think this means:

IPA doesn't start because samba fails to start. 

This is from journalctl re samba:

Missing mandatory attribute ipaNTSecurityIdentifier
Cannot find SID of fallback group
pdb backend ipasam:ldapi://%2fvar%2frun%2fslapd-UNIX-CO-ORG-AU.socket did not 
correctly init (error was NT_STATUS_INVALID_PARAMETER)
Server ldap/vmts-linux...@unix.co.org.au not found in Kerberos database


This is from the smb log:

[2016/01/15 14:53:03,  0] ../source3/smbd/server.c:1241(main)
  smbd version 4.2.3 started.
  Copyright Andrew Tridgell and the Samba Team 1992-2014
[2016/01/15 14:53:03.538393,  0] ipa_sam.c:4208(bind_callback_cleanup)
  kerberos error: code=-1765328228, message=Cannot contact any KDC for realm 
'UNIX.CO.ORG.AU'
[2016/01/15 14:53:03.538500,  0] 
../source3/lib/smbldap.c:998(smbldap_connect_system)
  failed to bind to server ldapi://%2fvar%2frun%2fslapd-UNIX-CO-ORG-AU.socket 
with dn="[Anonymous bind]" Error: Local error
        (unknown)

Samba seems to be failing because LDAP (dirsrv) is failing and it can't 
connect, or because Kerberos isn't running.

LDAP isn't running because Kerberos isn't running:

krb5kdc: cannot initialize realm UNIX.CO.ORG.AU - see log file for details

krb5kdc: Server error - while fetching master key K/M for realm UNIX.CO.ORG.AU


So. It looks like samba and IPA won't start because Kerberos and LDAP won't 
start.

It's hard to tell why they won't start, but it looks a little like Kerberos 
won't start because there aren't any values in LDAP, and LDAP won't start 
because Kerberos isn't started?



This is from the /var/log/dirsrv/slapd-UNIX-CO-ORG-AU/errors file:

SSL Initialization - Configured SSL version range: min: TLS1.0, max: TLS1.2
- 389-Directory/1.3.4.0 B2015.343.1254 starting up
- WARNING: changelog: entry cache size 2097152B is less than db size 4259840B; 
We recommend to increase the entry cache size nsslapd-cachememsize.
schema-compat-plugin - warning: no entries set up under cn=computers, 
cn=compat,dc=unix,dc=co,dc=org,dc=au
schema-compat-plugin - warning: no entries set up under cn=ng, 
cn=compat,dc=unix,dc=co,dc=org,dc=au
schema-compat-plugin - warning: no entries set up under 
ou=sudoers,dc=unix,dc=co,dc=org,dc=au
NSACLPlugin - The ACL target cn=dns,dc=unix,dc=co,dc=org,dc=au does not exist
NSACLPlugin - The ACL target cn=dns,dc=unix,dc=co,dc=org,dc=au does not exist
NSACLPlugin - The ACL target cn=keys,cn=sec,cn=dns,dc=unix,dc=co,dc=org,dc=au 
does not exist
NSACLPlugin - The ACL target cn=dns,dc=unix,dc=co,dc=org,dc=au does not exist
NSACLPlugin - The ACL target cn=dns,dc=unix,dc=co,dc=org,dc=au does not exist
NSACLPlugin - The ACL target cn=groups,cn=compat,dc=unix,dc=co,dc=org,dc=au 
does not exist
NSACLPlugin - The ACL target cn=computers,cn=compat,dc=unix,dc=co,dc=org,dc=au 
does not exist
NSACLPlugin - The ACL target cn=ng,cn=compat,dc=unix,dc=co,dc=org,dc=au does 
not exist
NSACLPlugin - The ACL target ou=sudoers,dc=unix,dc=co,dc=org,dc=au does not 
exist
NSACLPlugin - The ACL target cn=users,cn=compat,dc=unix,dc=co,dc=org,dc=au does 
not exist
NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=unix,dc=co,dc=org,dc=au does 
not exist

NSACLPlugin - The ACL target cn=casigningcert 
cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=unix,dc=co,dc=org,dc=au does not 
exist
NSACLPlugin - The ACL target cn=casigningcert 
cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=unix,dc=co,dc=org,dc=au does not 
exist
NSACLPlugin - The ACL target cn=automember rebuild 
membership,cn=tasks,cn=config does not exist


I don't understand why it's looking for dns.unix.co.org.au - I wanted the 
upstream DNS to serve this domain as well?

My brain hurts. I'm new to FreeIPA. Not to linux, and I have a passing 
knowledge of AD, SMB, LDAP, DNS. I think I'm further confused by so many new 
moving parts, and not seeing a clear way to solve any of the problems, or even 
which problem to start with.

Can anyone point me in a direction with regards to what I've done wrong, what I 
might look at to fix this, or some documentation that steps through the 
installation of a FreeIPA server, set up as a one way trust, where all clients 
authenticate against AD?

Cheers
L.
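A small triage helper, added here and not part of the original message, that sorts the log lines quoted above by the service that logged them and the service they were waiting on, then names the one to look at first. It assumes the order in which ipactl brings FreeIPA's services up (directory server first, then the KDC, then kadmin, then smb) and treats the NSACLPlugin and schema-compat lines from the dirsrv errors file as the warnings a healthy instance also prints at startup.

```python
import re

# Assumed ipactl start order for the services seen in the post; a service later
# in the list cannot be the root cause while one earlier in the list is down.
START_ORDER = ["dirsrv", "krb5kdc", "kadmin", "smb", "ipa"]

# (regex, service that logged the line, service it was trying to reach)
SIGNATURES = [
    (r"fetching master key K/M|cannot initialize realm", "krb5kdc", "dirsrv"),
    (r"Cannot contact any KDC|not found in Kerberos database", "smb", "krb5kdc"),
    (r"failed to bind to server ldapi://|pdb backend ipasam", "smb", "dirsrv"),
    (r"Missing mandatory attribute ipaNTSecurityIdentifier|"
     r"Cannot find SID of fallback group", "smb", "dirsrv"),
]

# dirsrv 'errors' lines that a healthy IPA instance prints at startup as well.
NOISE = re.compile(r"NSACLPlugin - The ACL target .* does not exist|"
                   r"schema-compat-plugin - warning|"
                   r"WARNING: changelog|starting up|SSL Initialization")

def triage(lines):
    """Map log lines to the service that has to be healthy first.

    Returns the services that logged errors, the services they were blocked
    on, how many lines were ignorable warnings, and the single service to
    investigate first (earliest in START_ORDER among the blockers)."""
    logged, blocked_on, noise = set(), set(), 0
    for line in lines:
        if NOISE.search(line):
            noise += 1
            continue
        for pattern, src, dep in SIGNATURES:
            if re.search(pattern, line):
                logged.add(src)
                blocked_on.add(dep)
    first = min(blocked_on, key=START_ORDER.index) if blocked_on else None
    return {"logged": logged, "blocked_on": blocked_on,
            "noise": noise, "check_first": first}

# Constructed input: the messages quoted in the post, rejoined onto single lines.
SAMPLE = [
    "krb5kdc: Server error - while fetching master key K/M for realm UNIX.CO.ORG.AU",
    "Missing mandatory attribute ipaNTSecurityIdentifier",
    "Cannot find SID of fallback group",
    "kerberos error: code=-1765328228, message=Cannot contact any KDC for realm 'UNIX.CO.ORG.AU'",
    "failed to bind to server ldapi://%2fvar%2frun%2fslapd-UNIX-CO-ORG-AU.socket with dn=\"[Anonymous bind]\"",
    "NSACLPlugin - The ACL target cn=dns,dc=unix,dc=co,dc=org,dc=au does not exist",
    "schema-compat-plugin - warning: no entries set up under cn=ng, cn=compat,dc=unix,dc=co,dc=org,dc=au",
]

if __name__ == "__main__":
    print(triage(SAMPLE))  # check_first is 'dirsrv': it is the lowest layer blamed
```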
This email (including any attachments or links) may contain 
confidential and/or legally privileged information and is 
intended only to be read or used by the addressee.  If you 
are not the intended addressee, any use, distribution, 
disclosure or copying of this email is strictly 
prohibited.  
Confidentiality and legal privilege attached to this email 
(including any attachments) are not waived or lost by 
reason of its mistaken delivery to you.
If you have received this email in error, please delete it 
and notify us immediately by telephone or email.  Peter 
MacCallum Cancer Centre provides no guarantee that this 
transmission is free of virus or that it has not been 
intercepted or altered and will not be liable for any delay 
in its receipt.


-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
