On Fri, 15 Jan 2016, Simpson Lachlan wrote:
Hi

I’m not 100% sure where I've gone wrong, but I obviously have.

Running Centos 7.2, with FreeIPA 4.2.0 from the repos.

FreeIPA was set up per instructions (# ipa-server-install ), and we could surf 
to the website and interact with it.

I set up a second server, yum install -y ipa-client, and then joined with 
authconfig successfully and logged in.

Our intention is to join an AD domain over which we have no control in a one 
way trust: co.org.au is trusted by unix.co.org.au.

In order to do this, I followed the instructions on redhat's documentation " 
5.3.3.1. Preparing the IdM Server for Trust"

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/creating-trusts.html#trust-set-up-idm

I installed "*ipa-server-trust-ad" samba, ran the ipa-adtrust-install script 
successfully, confirmed DNS was properly configured, confirmed smbclient was properly 
configured, then created a trust agreement successfully (this time yesterday I was 
cheering).

--------------------------------------------------------
Added Active Directory trust for realm "co.org.au"
--------------------------------------------------------
 Realm name: co.org.au
 Domain NetBIOS name: PMCI
 Domain Security Identifier: S-1-5-21-55386287-1424373824-1154838474
 SID blacklist incoming: S-1-5-20, S-1-5-3, S-1-5-2, S-1-5-1, S-1-5-7, S-1-5-6, 
S-1-5-5, S-1-5-4, S-1-5-9, S-1-5-8, S-1-5-17, S-1-5-16, S-1-5-15, S-1-5-14, 
S-1-5-13, S-1-5-12, S-1-5-11, S-1-5-10, S-1-3, S-1-2, S-1-1, S-1-0, S-1-5-19, 
S-1-5-18
 SID blacklist outgoing: S-1-5-20, S-1-5-3, S-1-5-2, S-1-5-1, S-1-5-7, S-1-5-6, 
S-1-5-5, S-1-5-4, S-1-5-9, S-1-5-8, S-1-5-17, S-1-5-16, S-1-5-15, S-1-5-14, 
S-1-5-13, S-1-5-12, S-1-5-11, S-1-5-10, S-1-3, S-1-2, S-1-1, S-1-0, S-1-5-19, 
S-1-5-18
 Trust direction: Trusting forest
 Trust type: Active Directory domain
 Trust status: Established and verified



Then I started to see some differentiation from the documented output, so I 
started investigating. In particular, kvno -S cifs adserver.example.com didn't 
work.

Eventually I turned off selinux and the firewall altogether and rebooted.

Now IPA doesn't start. When I look into it, this is what I see:


[root@vmts-linuxidm ~]# sc | grep failed
● dir...@unix.co.org.au.service  loaded failed failed    389 Directory Server 
unix.co.org.au.
● ipa.service                          loaded failed failed    Identity, 
Policy, Audit
● kadmin.service                       loaded failed failed    Kerberos 5 
Password-changing and Administration
● kdump.service                        loaded failed failed    Crash recovery 
kernel arming
● smb.service                          loaded failed failed    Samba SMB Daemon


From the numerous logs and web pages I've read, I think this means:

IPA doesn't start because samba fails to start.

This is from journalctl re samba:

Missing mandatory attribute ipaNTSecurityIdentifier
Cannot find SID of fallback group
pdb backend ipasam:ldapi://%2fvar%2frun%2fslapd-UNIX-CO-ORG-AU.socket did not 
correctly init (error was NT_STATUS_INVALID_PARAMETER)
Server ldap/vmts-linux...@unix.co.org.au not found in Kerberos database


This is from the smb log:

[2016/01/15 14:53:03,  0] ../source3/smbd/server.c:1241(main)
 smbd version 4.2.3 started.
 Copyright Andrew Tridgell and the Samba Team 1992-2014
[2016/01/15 14:53:03.538393,  0] ipa_sam.c:4208(bind_callback_cleanup)
 kerberos error: code=-1765328228, message=Cannot contact any KDC for realm 
'UNIX.CO.ORG.AU'
[2016/01/15 14:53:03.538500,  0] 
../source3/lib/smbldap.c:998(smbldap_connect_system)
 failed to bind to server ldapi://%2fvar%2frun%2fslapd-UNIX-CO-ORG-AU.socket with 
dn="[Anonymous bind]" Error: Local error
       (unknown)

Samba seems to be failing because LDAP (dirsrv) is failing and it can't 
connect, or because Kerberos isn't running.

LDAP isn't running because Kerberos isn't running:

krb5kdc: cannot initialize realm UNIX.CO.ORG.AU - see log file for details

krb5kdc: Server error - while fetching master key K/M for realm UNIX.CO.ORG.AU


So. It looks like samba and IPA won't start because Kerberos and LDAP
won't start.

It's hard to tell why they won't start, but it looks a little like
Kerberos won't start because there aren't any values in LDAP, and LDAP
won't start because Kerberos isn't started?

No, LDAP server startup is not tied to Kerberos. It can perfectly start
without that, as Kerberos in 389-ds is only needed for replication to
happen.

Samba is failing because it cannot get access to LDAP server using
GSSAPI, that's right.
KDC is failing because LDAP server is not available, that's right too.

This is from the /var/log/dirsrv/slapd-UNIX-CO-ORG-AU/errors file:

SSL Initialization - Configured SSL version range: min: TLS1.0, max: TLS1.2
- 389-Directory/1.3.4.0 B2015.343.1254 starting up
- WARNING: changelog: entry cache size 2097152B is less than db size 4259840B; 
We recommend to increase the entry cache size nsslapd-cachememsize.
schema-compat-plugin - warning: no entries set up under cn=computers, 
cn=compat,dc=unix,dc=co,dc=org,dc=au
schema-compat-plugin - warning: no entries set up under cn=ng, 
cn=compat,dc=unix,dc=co,dc=org,dc=au
schema-compat-plugin - warning: no entries set up under 
ou=sudoers,dc=unix,dc=co,dc=org,dc=au
NSACLPlugin - The ACL target cn=dns,dc=unix,dc=co,dc=org,dc=au does not exist
NSACLPlugin - The ACL target cn=dns,dc=unix,dc=co,dc=org,dc=au does not exist
NSACLPlugin - The ACL target cn=keys,cn=sec,cn=dns,dc=unix,dc=co,dc=org,dc=au 
does not exist
NSACLPlugin - The ACL target cn=dns,dc=unix,dc=co,dc=org,dc=au does not exist
NSACLPlugin - The ACL target cn=dns,dc=unix,dc=co,dc=org,dc=au does not exist
NSACLPlugin - The ACL target cn=groups,cn=compat,dc=unix,dc=co,dc=org,dc=au 
does not exist
NSACLPlugin - The ACL target cn=computers,cn=compat,dc=unix,dc=co,dc=org,dc=au 
does not exist
NSACLPlugin - The ACL target cn=ng,cn=compat,dc=unix,dc=co,dc=org,dc=au does 
not exist
NSACLPlugin - The ACL target ou=sudoers,dc=unix,dc=co,dc=org,dc=au does not 
exist
NSACLPlugin - The ACL target cn=users,cn=compat,dc=unix,dc=co,dc=org,dc=au does 
not exist
NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=unix,dc=co,dc=org,dc=au does 
not exist

NSACLPlugin - The ACL target cn=casigningcert 
cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=unix,dc=co,dc=org,dc=au does not 
exist
NSACLPlugin - The ACL target cn=casigningcert 
cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=unix,dc=co,dc=org,dc=au does not 
exist
NSACLPlugin - The ACL target cn=automember rebuild 
membership,cn=tasks,cn=config does not exist


I don't understand why it's looking for dns.unix.co.org.au - I wanted
the upstream DNS to serve this domain as well?

You may ignore ACL's plugin output as it just mentions that there are
ACLs against entries which don't exist -- this is normal, because we
still have ACLs in place for cn=dns,$SUFFIX even if you don't configure
integrated DNS. These messages have nothing to do with your problem.

None of the above is revealing an issue.

Follow http://www.port389.org/docs/389ds/FAQ/faq.html#debugging-crashes
to enable crashdumps for ns-slapd to see what happens in reality (check
systemd-enabled systems' recipes).
--
/ Alexander Bokovoy
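As an added example, not code from the thread or from FreeIPA, the script below encodes the start-up dependency order the reply lays out (389-ds first, then the KDC, then smb) and the realm-to-socket naming visible in the quoted logs; the log excerpt it triages is constructed from lines quoted above, and check_chain assumes a systemd host with FreeIPA's dirsrv@REALM unit name.

```shell
# Added example: triage a FreeIPA box whose services fail at boot, bottom-up.
# smb needs LDAP over GSSAPI, the KDC needs LDAP, 389-ds needs neither, so the
# directory server is inspected first. Realm and log lines are constructed.

# FreeIPA names the 389-ds instance after the realm with dots turned into
# dashes; the ldapi URL percent-encodes every slash of that socket path.
ldapi_socket_for_realm() {
    printf '/var/run/slapd-%s.socket\n' "$(printf '%s' "$1" | tr '.' '-')"
}
ldapi_url_for_realm() {
    printf 'ldapi://%s\n' "$(ldapi_socket_for_realm "$1" | sed 's#/#%2f#g')"
}

# Pick the layer to look at first from a combined log excerpt. An LDAP bind
# or master-key failure means the directory server is the root cause; KDC
# contact errors without that point at the KDC; otherwise suspect smb itself.
triage_logs() {
    log="$1"
    if grep -qE 'failed to bind to server ldapi://|while fetching master key' "$log"; then
        echo dirsrv
    elif grep -qE 'Cannot contact any KDC|cannot initialize realm' "$log"; then
        echo kdc
    elif grep -qE 'pdb backend ipasam|smbd' "$log"; then
        echo smb
    else
        echo unknown
    fi
}

# Constructed excerpt mirroring the thread's journal, smb and krb5kdc lines.
sample_log_file() {
    f=$(mktemp)
    cat >"$f" <<'EOF'
kerberos error: code=-1765328228, message=Cannot contact any KDC for realm 'UNIX.CO.ORG.AU'
failed to bind to server ldapi://%2fvar%2frun%2fslapd-UNIX-CO-ORG-AU.socket with dn="[Anonymous bind]" Error: Local error
krb5kdc: Server error - while fetching master key K/M for realm UNIX.CO.ORG.AU
EOF
    echo "$f"
}

# Live, read-only check of the same chain on a real server (needs systemctl).
check_chain() {
    for unit in "dirsrv@$(printf '%s' "$1" | tr '.' '-')" krb5kdc smb; do
        if command -v systemctl >/dev/null 2>&1; then
            state=$(systemctl is-active "$unit" 2>/dev/null || true)
        else
            state=unavailable
        fi
        printf '%-28s %s\n' "$unit" "$state"
    done
}
```

Run `triage_logs "$(sample_log_file)"` to see the constructed case resolve to dirsrv, and `check_chain UNIX.CO.ORG.AU` on a server to list the three units in dependency order.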

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project