Hello,

Thanks for your feedback.

So I reran `ipa-adtrust-install` and got a core dump from samba that there was no space left on the device...? A little digging showed that /var/log had filled up with files named "core.XXXXX" in /var/log/samba/cores/winbindd. So I removed all of them and reran `ipa-adtrust-install --add-sids`, which continues to fail on starting CIFS services.

Debug information shows that it's the smb service that isn't starting:

>> [22/22]: starting CIFS services
>> ipa : DEBUG Starting external process
>> ipa : DEBUG args='/bin/systemctl' 'start' 'smb.service'
>> ipa : DEBUG Process finished, return code=1
>> ipa : DEBUG stdout=
>> ipa : DEBUG stderr=Job for smb.service failed because the control process exited with error code. See "systemctl status smb.service" and "journalctl -xe" for details.
>>
>> ipa : CRITICAL CIFS services failed to start
>> ipa : DEBUG duration: 16 seconds
>> ipa : DEBUG Done configuring CIFS.

Looking at the samba logs, I see:

>> Jan 27 13:19:48 freeipa01enwdco smbd[18300]: [2016/01/27 13:19:48.482378, 0] ipa_sam.c:4208(bind_callback_cleanup)
>> Jan 27 13:19:48 freeipa01enwdco smbd[18300]: kerberos error: code=-1765328203, message=Keytab contains no suitable keys for cifs/[email protected]
>> Jan 27 13:19:49 freeipa01enwdco smbd[18300]: [2016/01/27 13:19:49.482818, 0] ipa_sam.c:4520(pdb_init_ipasam)
>> Jan 27 13:19:49 freeipa01enwdco smbd[18300]: Failed to get base DN.
>> Jan 27 13:19:49 freeipa01enwdco smbd[18300]: [2016/01/27 13:19:49.482909, 0] ../source3/passdb/pdb_interface.c:179(make_pdb_method_name)
>> Jan 27 13:19:49 freeipa01enwdco smbd[18300]: pdb backend ipasam:ldapi://%2fvar%2frun%2fslapd-MY-SUB-DOMAIN-COM.socket did not correctly init (error was NT_STATUS_UNSUCCESSFUL)
>> Jan 27 13:19:49 freeipa01enwdco systemd[1]: smb.service: main process exited, code=exited, status=1/FAILURE
>> Jan 27 13:19:49 freeipa01enwdco systemd[1]: Failed to start Samba SMB Daemon.
>> Jan 27 13:19:49 freeipa01enwdco systemd[1]: Unit smb.service entered failed state.
>> Jan 27 13:19:49 freeipa01enwdco systemd[1]: smb.service failed.

I tried following the trust debugging instructions here: http://www.freeipa.org/page/Active_Directory_trust_setup#Debugging_trust

But it fails on the step `systemctl start smb winbind`:

>> # systemctl stop smb winbind
>> # net conf setparm global 'log level' 100
>> # nano /usr/share/ipa/smb.conf.empty
>> # rm /var/log/samba/log.*
>> # systemctl start smb winbind
>> Job for smb.service failed because the control process exited with error code. See "systemctl status smb.service" and "journalctl -xe" for details.

Which produces the exact same error listed above. In /var/log/samba/log.smbd I see what appears to be a stack trace; I see the same exact error above as well as the error about the socket not initing correctly:

>> [2016/01/27 13:26:21.606257, 0, pid=18344, effective(0, 0), real(0, 0)] ipa_sam.c:4208(bind_callback_cleanup)
>>   kerberos error: code=-1765328203, message=Keytab contains no suitable keys for cifs/[email protected]
>> [2016/01/27 13:26:21.606422, 2, pid=18344, effective(0, 0), real(0, 0)] ../source3/lib/smbldap.c:998(smbldap_connect_system)
>>   failed to bind to server ldapi://%2fvar%2frun%2fslapd-MY-SUB-DOMAIN-COM.socket with dn="[Anonymous bind]" Error: Local error (unknown)
>> [2016/01/27 13:26:22.606842, 0, pid=18344, effective(0, 0), real(0, 0), class=passdb] ../source3/passdb/pdb_interface.c:179(make_pdb_method_name)
>>   pdb backend ipasam:ldapi://%2fvar%2frun%2fslapd-MY-SUB-DOMAIN-COM.socket did not correctly init (error was NT_STATUS_UNSUCCESSFUL)

So I think the problem is more fundamental than trusts, as samba won't even start. Is there any documentation, or does anyone have some good tricks for troubleshooting samba?

Thanks,
Jon A

On Wed, Jan 20, 2016 at 4:57 AM, Alexander Bokovoy <[email protected]> wrote:
> On Wed, 20 Jan 2016, Anon Lister wrote:
>
>> So I had the same problem. For me it ended up being that some attribute was not created correctly in 389 using the instructions in the guide. I don't remember what it was off the top of my head. Something about a default user or group SID I think. Had to turn samba logging up. Eventually it shows the attribute it is failing on. I ended up manually adding it with vildap and it worked fine after that. If no one else gets it I'll poke around and see if I can find what it was; took me several hours to debug due to the somewhat misleading error message.
>
> The message is the only thing we get from Samba Python libraries, so it is as good as what we get.
>
> Use http://www.freeipa.org/page/Active_Directory_trust_setup#Debugging_trust to produce the debug output needed to find out where things happened.
>
> If your setup lacks the 'Default SMB Group' group with a SID (ipaNTSecurityIdentifier attribute), run ipa-adtrust-install --add-sids.
>
> ipa-adtrust-install can be re-run several times to fix missing parts. It skips steps which were already done and only performs those that are really needed.
>
> However, if your base IPA deployment does not work, like in Jon's case, there is little reason to run any of ipa-adtrust-install or other trust-related functions.
>
> Additionally, DNS should be configured properly. ipa-adtrust-install either automatically updates IPA DNS (if IPA manages the DNS zone) or produces a list of entries that should be added to the DNS zone by whoever manages it. This should not be overlooked -- when the Active Directory domain controller tries to validate the trust, it uses DNS SRV records to find out IPA domain controllers ('trust controllers' in IPA speak, the ones where ipa-adtrust-install was run) and only considers those that are available via SRV records. If the AD DC cannot find an IPA DC via SRV record, the trust cannot be validated.
>
>> On Jan 19, 2016 1:37 PM, "Jon" <[email protected]> wrote:
>>
>>> Hello,
>>>
>>> While following the guide on setting up FreeIPA with AD <http://www.freeipa.org/page/Active_Directory_trust_setup>, I got to the step where I'm adding the AD trust to FreeIPA but I receive an error:
>>>
>>> >> Active Directory domain administrator's password:
>>> >> ipa: ERROR: CIFS server communication error: code "-1073741801",
>>> >> message "Memory allocation error" (both may be "None")
>>>
>>> Thinking that the error was what was stated (my VM at the time only had 1GB of ram), I shut down my VM (memory hot add was not enabled in VMware, it is now), bumped the RAM to 4GB, and booted the VM.
>>>
>>> Upon running the same command after reboot I received an error:
>>>
>>> >> ipa: ERROR: did not receive Kerberos credentials
>>>
>>> kinit admin is also reporting an error:
>>>
>>> >> kinit: Cannot contact any KDC for realm 'myrealm' while getting initial credentials
>>>
>>> Trying to start FreeIPA in debug mode identified the samba service as at fault.
>>>
>>> >> Jan 19 10:19:50 myfreeipaserver smbd[3676]: kerberos error: code=-1765328203, message=Keytab contains no suitable keys for cifs/[email protected]
>>> >> Jan 19 10:19:51 myfreeipaserver smbd[3676]: [2016/01/19 10:19:51.261648, 0] ipa_sam.c:4520(pdb_init_ipasam)
>>> >> Jan 19 10:19:51 myfreeipaserver smbd[3676]: Failed to get base DN.
>>> >> Jan 19 10:19:51 myfreeipaserver smbd[3676]: [2016/01/19 10:19:51.262675, 0] ../source3/passdb/pdb_interface.c:179(make_pdb_method_name)
>>> >> Jan 19 10:19:51 myfreeipaserver smbd[3676]: pdb backend ipasam:ldapi://%2fvar%2frun%2fslapd-SUB-DOMAIN-MYDOMAIN-COM.socket did not correctly init (error was NT_STATUS_UNSUCCESSFUL)
>>>
>>> Googling for these errors turned up a few similar threads, but none of the solutions seemed to work and all signs pointed to AD integration as the culprit...
>>>
>>> So I did what any good sysadmin would do and forced freeipa to start while ignoring any failures. Every service except samba starts without issue.
>>>
>>> So I tried my trust connection again, and received the same error:
>>>
>>> >> Active Directory domain administrator's password:
>>> >> ipa: ERROR: CIFS server communication error: code "-1073741801",
>>> >> message "Memory allocation error" (both may be "None")
>>>
>>> Which brought me to googling two bug reports opened on this exact issue:
>>>
>>> >> https://bugzilla.redhat.com/show_bug.cgi?id=878168
>>> >> https://fedorahosted.org/freeipa/ticket/3266
>>>
>>> Both of these bug reports indicate there's an upstream bug in Samba; the bug has been closed and reopened at least once. I did add the AD servers to /etc/hosts and rebooted the server. I have to go through the same process of forcing freeipa to start after the server rebooted... However, I received the same error message.
>>>
>>> While the bug report is currently closed, I seem to be experiencing the same issues...
>>>
>>> Given this bug report, can you please answer me these questions three:
>>>
>>> 1) Given the issues with Samba starting after reboot, is this bug report actually what's wrong, or is the error message when trying to create a trust a red herring and it's actually samba that's the problem?
>>> 2) Does this bug report mean that trusts between FreeIPA and AD are broken and cannot be established until the upstream bug in Samba is fixed?
>>> 3) Is there a workaround? (as adding the domain controllers to /etc/hosts with IPv4 address does not appear to work)
>>>
>>> System Stats:
>>> - AD Server: Win2k8R2
>>> - FreeIPA server:
>>>
>>> >> CentOS Linux release 7.2.1511 (Core)
>>>
>>> >> # uname -a
>>> >> Linux myserver 3.10.0-327.4.4.el7.x86_64 #1 SMP Tue Jan 5 16:07:00 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
>>>
>>> >> # rpm -qa | grep ipa
>>> >> python-libipa_hbac-1.13.0-40.el7_2.1.x86_64
>>> >> ipa-server-4.2.0-15.el7.centos.3.x86_64
>>> >> ipa-server-dns-4.2.0-15.el7.centos.3.x86_64
>>> >> python-iniparse-0.4-9.el7.noarch
>>> >> libipa_hbac-1.13.0-40.el7_2.1.x86_64
>>> >> sssd-ipa-1.13.0-40.el7_2.1.x86_64
>>> >> ipa-python-4.2.0-15.el7.centos.3.x86_64
>>> >> ipa-client-4.2.0-15.el7.centos.3.x86_64
>>> >> ipa-server-trust-ad-4.2.0-15.el7.centos.3.x86_64
>>> >> ipa-admintools-4.2.0-15.el7.centos.3.x86_64
>>>
>>> I appreciate any help. I've been trying to get FreeIPA going for a couple of weeks now and have run into nothing but frustrations. The funny thing is, I've never had a problem deploying FreeIPA by itself... Microsoft seems to be the common denominator in my hair pulling lately... Correlation does not equal causation... but it sure is a coincidence... :)
>>>
>>> Thanks for your time!
>>>
>>> Best Regards,
>>> Jon A
>
> --
> / Alexander Bokovoy
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
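Added triage helpers for the two smbd failures quoted in this thread (the missing cifs/ key in Samba's keytab, and the ipasam backend failing to bind to the percent-encoded ldapi socket). This is example code written for this page, not from the thread or the FreeIPA project; it assumes the standard trust-controller locations (/etc/samba/samba.keytab, `klist -kt`, `ipa group-show`) and runs its demonstration on constructed sample output.

```shell
#!/bin/sh
# Triage helpers for an IPA trust controller whose smbd will not start.
# Assumed locations: /etc/samba/samba.keytab, klist, ipa group-show (not from the mail).

# Turn the percent-encoded ldapi URL smbd logs into the socket path it denotes.
ldapi_socket_path() {
    printf '%s\n' "$1" | sed -e 's#^ldapi://##' -e 's#%2[fF]#/#g'
}

# Return 0 if `klist -kt` output ($1) lists a cifs/<host>@<REALM> key for host $2;
# smbd needs that key to bind to LDAP as the ipasam backend.
keytab_has_cifs_key() {
    printf '%s\n' "$1" | grep -q "cifs/$2@"
}

# Return 0 if `ipa group-show --all` output ($1) carries the SID attribute that
# ipa-adtrust-install --add-sids is supposed to create.
group_has_sid() {
    printf '%s\n' "$1" | grep -qi 'ipantsecurityidentifier: *S-1-5-21-'
}

# Live checks; only meaningful as root on the IPA server. $1 is the ldapi URL
# copied from the smbd log line "pdb backend ipasam:ldapi://...".
run_live_checks() {
    host=$(hostname -f)
    sock=$(ldapi_socket_path "$1")
    [ -S "$sock" ] || echo "MISSING: 389-ds socket $sock (is dirsrv running?)"
    keytab_has_cifs_key "$(klist -kt /etc/samba/samba.keytab 2>/dev/null)" "$host" \
        || echo "MISSING: cifs/$host key in /etc/samba/samba.keytab"
    group_has_sid "$(ipa group-show 'Default SMB Group' --all 2>/dev/null)" \
        || echo "MISSING: SID on 'Default SMB Group' (rerun ipa-adtrust-install --add-sids)"
}

# Offline demonstration on constructed sample output (not captured from a real host).
SAMPLE_KLIST='KVNO Timestamp           Principal
   2 01/27/2016 13:00:00 cifs/freeipa01enwdco.my.sub.domain.com@MY.SUB.DOMAIN.COM'
SAMPLE_GROUP='  Group name: Default SMB Group
  ipantsecurityidentifier: S-1-5-21-1234567890-123456789-1234567890-1001'
if keytab_has_cifs_key "$SAMPLE_KLIST" freeipa01enwdco.my.sub.domain.com \
   && group_has_sid "$SAMPLE_GROUP"; then
    echo "sample data: cifs key and group SID present"
fi
```

On a real host, call `run_live_checks 'ldapi://%2fvar%2frun%2fslapd-MY-SUB-DOMAIN-COM.socket'` with the URL taken from your own smbd log line.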
