Installed FreeIPA 4.2 on a fresh CentOS 7.2. After initial setup and
configuration, a one-way trust was added to Windows AD. The server was shut
down and moved to a different rack. When it was started back up, IPA no
longer runs.

ipa-admintools.x86_64           4.2.0-15.0.1.el7.centos.19
ipa-client.x86_64               4.2.0-15.0.1.el7.centos.19
ipa-python.x86_64               4.2.0-15.0.1.el7.centos.19
ipa-server.x86_64               4.2.0-15.0.1.el7.centos.19
ipa-server-dns.x86_64           4.2.0-15.0.1.el7.centos.19
ipa-server-trust-ad.x86_64      4.2.0-15.0.1.el7.centos.19
libipa_hbac.x86_64              1.13.0-40.el7_2.12
python-iniparse.noarch          0.4-9.el7
python-libipa_hbac.x86_64       1.13.0-40.el7_2.12
sssd-ipa.x86_64                 1.13.0-40.el7_2.12

In the service list, the IPA, polkit, postfix, and smb services are currently
failed. kadmin is also failed sometimes; however, I'm able to start it
occasionally without explanation.

Running an IPA restart results in the following error:

[root@SERVER ~]# ipactl restart
Starting Directory Service
Stopping pki-tomcatd Service
Restarting krb5kdc Service
Restarting kadmin Service
Restarting named Service
Restarting ipa_memcached Service
Restarting httpd Service
Restarting pki-tomcatd Service
Starting smb Service
Job for smb.service failed because the control process exited with error code. See "systemctl status smb.service" and "journalctl -xe" for details.
Failed to start smb Service
Shutting down
Aborting ipactl

Checking the SMB service, I get the following:

[root@SERVER ~]# systemctl status smb
● smb.service - Samba SMB Daemon
   Loaded: loaded (/usr/lib/systemd/system/smb.service; disabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since Wed 2016-09-28 17:15:50 EDT; 43s ago
  Process: 7186 ExecStart=/usr/sbin/smbd $SMBDOPTIONS (code=exited, status=1/FAILURE)
 Main PID: 7186 (code=exited, status=1/FAILURE)
   Status: "Starting process..."

Sep 28 17:15:49 SERVER.SUB.DOMAIN.COM smbd[7186]: [2016/09/28 17:15:49.718669,  0] ipa_sam.c:4208(bind_callback_cleanup)
Sep 28 17:15:49 SERVER.SUB.DOMAIN.COM smbd[7186]:   kerberos error: code=-1765328203, message=Keytab contains no suitable keys for cifs/server.sub.domain....@sub.domain.com
Sep 28 17:15:50 SERVER.SUB.DOMAIN.COM smbd[7186]: [2016/09/28 17:15:50.718869,  0] ipa_sam.c:4520(pdb_init_ipasam)
Sep 28 17:15:50 SERVER.SUB.DOMAIN.COM smbd[7186]:   Failed to get base DN.
Sep 28 17:15:50 SERVER.SUB.DOMAIN.COM smbd[7186]: [2016/09/28 17:15:50.718900,  0] ../source3/passdb/pdb_interface.c:179(make_pdb_method_name)
Sep 28 17:15:50 SERVER.SUB.DOMAIN.COM smbd[7186]:   pdb backend ipasam:ldapi://%2fvar%2frun%2fslapd-SUB.DOMAIN.COM.socket did not correctly init (error was NT_STATUS_UNSUCCESSFUL)
Sep 28 17:15:50 SERVER.SUB.DOMAIN.COM systemd[1]: smb.service: main process exited, code=exited, status=1/FAILURE
Sep 28 17:15:50 SERVER.SUB.DOMAIN.COM systemd[1]: Failed to start Samba SMB Daemon.
Sep 28 17:15:50 SERVER.SUB.DOMAIN.COM systemd[1]: Unit smb.service entered failed state.
Sep 28 17:15:50 SERVER.SUB.DOMAIN.COM systemd[1]: smb.service failed.


I had issues when first trying to add the one-way trust with SMB, but I was
able to restart the service and move forward. That doesn't appear to be
happening this time. I've also tried using kinit to obtain a ticket, but
that doesn't work. I'm not sure if that should work at this juncture or
not. After restarting IPA, the kadmin service also fails to start some of
the time.

If kadmin is running
=======================
[root@SERVER ~]# kinit -V admin
Using default cache: persistent:0:0
Using principal: ad...@sub.domain.com
kinit: Generic error (see e-text) while getting initial credentials


If kadmin isn't running
=======================
[root@SERVER ~]# kinit -V admin
Using default cache: persistent:0:0
Using principal: ad...@sub.domain.com
kinit: Cannot contact any KDC for realm 'SUB.DOMAIN.COM' while getting initial credentials


Attempts to get kadmin to run
=======================
[root@SERVER ~]# systemctl start kadmin
Job for kadmin.service failed because the control process exited with error code. See "systemctl status kadmin.service" and "journalctl -xe" for details.


Journal for kadmin attempt
======================
-- Subject: Unit kadmin.service has begun start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit kadmin.service has begun starting up.
Sep 28 17:22:38 SERVER.SUB.DOMAIN.COM _kadmind[7978]: kadmind: kadmind: Server error while initializing, aborting
Sep 28 17:22:38 SERVER.SUB.DOMAIN.COM systemd[1]: kadmin.service: control process exited, code=exited status=1
Sep 28 17:22:38 SERVER.SUB.DOMAIN.COM systemd[1]: Failed to start Kerberos 5 Password-changing and Administration.
-- Subject: Unit kadmin.service has failed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit kadmin.service has failed.
--
-- The result is failed.
Sep 28 17:22:38 SERVER.SUB.DOMAIN.COM systemd[1]: Unit kadmin.service entered failed state.
Sep 28 17:22:38 SERVER.SUB.DOMAIN.COM systemd[1]: kadmin.service failed.
Sep 28 17:22:38 SERVER.SUB.DOMAIN.COM polkitd[6092]: Unregistered Authentication Agent for unix-process:7973:9203783 (system bus name :1.639, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) (dis