I'm coming back to this thread for consistency, but this is a result of me running ipactl on the system we got working a couple of hours ago. See email titled "idoverride-add gives incorrect, inconsistant results?" for leadup.

Anyway, ipactl restart fails, again.

    [root@vmts-linuxidm ~]# ipactl restart
    Stopping pki-tomcatd Service
    Restarting Directory Service
    Restarting krb5kdc Service
    Restarting kadmin Service
    Restarting ipa_memcached Service
    Restarting httpd Service
    Restarting pki-tomcatd Service
    Restarting winbind Service
    Restarting ipa-otpd Service
    Starting smb Service
    Job for smb.service failed because the control process exited with error code. See "systemctl status smb.service" and "journalctl -xe" for details.
    Failed to start smb Service
    Shutting down
    Aborting ipactl

Gah. Look in the samba log, and it's exactly the same issue. Right.

    [root@vmts-linuxidm ~]# ipa-adtrust-install --netbios-name=UNIX -a xxxxxxx
    The log file for this installation can be found in /var/log/ipaserver-install.log
    ==============================================================================
    This program will setup components needed to establish trust to AD domains for the IPA Server.
    This includes:
      * Configure Samba
      * Add trust related objects to IPA LDAP server
    To accept the default shown in brackets, press the Enter key.
    IPA generated smb.conf detected. Overwrite smb.conf? [no]: yes
    Do you want to enable support for trusted domains in Schema Compatibility plugin?
    This will allow clients older than SSSD 1.9 and non-Linux clients to work with trusted users.
    Enable trusted domains support in slapi-nis? [no]: yes
    There was error to automatically re-kinit your admin user ticket. Proceeding with credentials that existed before
    Outdated Kerberos credentials. Use kdestroy and kinit to update your ticket

Huh?

    [root@vmts-linuxidm ~]# kdestroy
    [root@vmts-linuxidm ~]# kinit admin
    kinit: Cannot contact any KDC for realm 'UNIX.CO.ORG.AU' while getting initial credentials

I check, and sure enough, dir...@unix.co.org.au has stopped again (should I call it 389, dirsrv, ldap or slapd? They are all the same thing, right?). I restart dirsrv, and try restarting smb, no joy. I try running ipa-adtrust-install again, without luck. I restart krb5kdc manually (sc start krb5kdc), and try all the above again, with no luck. kdestroy has a lovely little pause, but kinit admin fails.

Some of the other errors I've received:

    ipa-adtrust-install
    There was error to automatically re-kinit your admin user ticket. Proceeding with credentials that existed before
    Must have Kerberos credentials to setup AD trusts on serve

    klist
    klist: Credentials cache keyring 'persistent:0:0' not found

Ok, so I try sc start krb5kdc and that works. Now klist still returns the above error, but kinit admin works. And ipa-adtrust-install works as it did this AM (output at end for reference).

FWIW:
- I can now browse the IPA server via a web browser.
- I can retrieve credentials for those that I've already retrieved credentials for (id testu...@co.org.au works).
- I can't retrieve new credentials (id testuser_...@co.org.au does not work ("no such user")).
- If I sc --failed:

    UNIT             LOAD   ACTIVE SUB    DESCRIPTION
    ● ipa.service    loaded failed failed Identity, Policy, Audit
    ● kadmin.service loaded failed failed Kerberos 5 Password-changing and Administration
    ● smb.service    loaded failed failed Samba SMB Daemon

- None of these will start on their own (with sc start <name>.service).
- Trying to start ipa fails with the added bonus of shutting down krb5kdc / kadmin / dir...@domain.org.au as well? I'm finding I'm needing to restart these services after attempting an ipa start. Which is failing on smb still.
- krb5kdc also doesn't start.

I am so confused.

Earlier in the day when it was "working", I noticed that there was a service running called ipa.memcached - I presume that's why I can get some id's and not others and can browse via web (well, that just means tomcat started correctly, right?). ipa.memcached has disappeared from the list of running services when I sc now.

So. How can I create a situation where when I restart ipa, for whatever reason, this doesn't happen again?

Secondary question: given that I have missed something seemingly integral, is there a document that describes the post install setup process I should go through to stop this error from re-occurring?

Cheers
L.

Notes:

    [root@vmts-linuxidm ~]# ipa-adtrust-install --netbios-name=UNIX -a xxxxxxx
    The log file for this installation can be found in /var/log/ipaserver-install.log
    ==============================================================================
    This program will setup components needed to establish trust to AD domains for the IPA Server.
    This includes:
      * Configure Samba
      * Add trust related objects to IPA LDAP server
    To accept the default shown in brackets, press the Enter key.
    IPA generated smb.conf detected. Overwrite smb.conf? [no]: yes
    Do you want to enable support for trusted domains in Schema Compatibility plugin?
    This will allow clients older than SSSD 1.9 and non-Linux clients to work with trusted users.
    Enable trusted domains support in slapi-nis? [no]: yes
    WARNING: 2 existing users or groups do not have a SID identifier assigned.
    Installer can run a task to have ipa-sidgen Directory Server plugin generate the SID identifier for all these users.
    Please note, the in case of a high number of users and groups, the operation might lead to high replication
    Configuring CIFS
      [1/23]: stopping smbd
      [2/23]: creating samba domain object
    Samba domain object already exists
      [3/23]: creating samba config registry
      [4/23]: writing samba config file
      [5/23]: adding cifs Kerberos principal
      [6/23]: adding cifs and host Kerberos principals to the adtrust agents group
      [7/23]: check for cifs services defined on other replicas
      [8/23]: adding cifs principal to S4U2Proxy targets
    cifs principal already targeted, nothing to do.
      [9/23]: adding admin(group) SIDs
    Admin SID already set, nothing to do
    Admin group SID already set, nothing to do
      [10/23]: adding RID bases
    RID bases already set, nothing to do
      [11/23]: updating Kerberos config
    'dns_lookup_kdc' already set to 'true', nothing to do.
      [12/23]: activating CLDAP plugin
    CLDAP plugin already configured, nothing to do
      [13/23]: activating sidgen task
    Sidgen task plugin already configured, nothing to do
      [14/23]: configuring smbd to start on boot
      [15/23]: adding special DNS service records
    DNS management was not enabled at install time.
    Add the following service records to your DNS server for DNS zone unix.co.org.au:
     - _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs
     - _ldap._tcp.dc._msdcs
     - _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs
     - _kerberos._tcp.dc._msdcs
     - _kerberos._udp.Default-First-Site-Name._sites.dc._msdcs
     - _kerberos._udp.dc._msdcs
      [16/23]: enabling trusted domains support for older clients via Schema Compatibility plugin
      [17/23]: restarting Directory Server to take MS PAC and LDAP plugins changes into account
      [18/23]: adding fallback group
    Fallback group already set, nothing to do
      [19/23]: adding Default Trust View
    Default Trust View already exists.
      [20/23]: setting SELinux booleans
      [21/23]: enabling oddjobd
      [22/23]: starting CIFS services
    ipa         : CRITICAL CIFS services failed to start
      [23/23]: adding SIDs to existing users and groups
    Done configuring CIFS.
    =============================================================================
    Setup complete

    You must make sure these network ports are open:
    TCP Ports:
      * 138: netbios-dgm
      * 139: netbios-ssn
      * 445: microsoft-ds
    UDP Ports:
      * 138: netbios-dgm
      * 139: netbios-ssn
      * 389: (C)LDAP
      * 445: microsoft-ds
    =============================================================================
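As an added example (not part of the original post), a small POSIX shell check for the six _msdcs SRV records that step [15/23] of the installer output asks to be added by hand; it generalises to any zone and site name, and assumes `dig` from bind-utils is installed and that the zone (unix.co.org.au) and site (Default-First-Site-Name) are the ones printed above.

```shell
#!/bin/sh
# Added example, not from the original mail: verify that the _msdcs SRV records
# ipa-adtrust-install listed at step [15/23] actually resolve. Assumes `dig`
# (bind-utils) is installed; zone and site names come from the installer output.

# Print the fully qualified SRV record names expected for a zone, one per line.
# Usage: expected_srv_records ZONE [SITE]
expected_srv_records() {
    zone=$1
    site=${2:-Default-First-Site-Name}
    for svc in _ldap._tcp _kerberos._tcp _kerberos._udp; do
        printf '%s\n' "$svc.$site._sites.dc._msdcs.$zone"
        printf '%s\n' "$svc.dc._msdcs.$zone"
    done
}

# Query each expected record, print an OK/MISSING line per record, and return
# the number of missing records (0 means the zone is complete).
# Usage: check_srv_records ZONE [RESOLVER_IP]
check_srv_records() {
    zone=$1
    resolver=${2:+@$2}
    missing=0
    for name in $(expected_srv_records "$zone"); do
        if [ -n "$(dig +short SRV "$name" $resolver 2>/dev/null)" ]; then
            echo "OK      $name"
        else
            echo "MISSING $name"
            missing=$((missing + 1))
        fi
    done
    return $missing
}

# Stand-alone use against the zone from the installer output:
# check_srv_records unix.co.org.au
```

Run it from a client that uses the same resolver as the AD side; a non-zero exit status means at least one of the records the installer asked for is still absent.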