Installed FreeIPA 4.2 on a fresh CentOS 7.2. After initial setup and configuration a one-way trust was added to Windows AD. The server was shut down and moved to a different rack. When it was started back up, IPA no longer runs.

ipa-admintools.x86_64        4.2.0-15.0.1.el7.centos.19
ipa-client.x86_64            4.2.0-15.0.1.el7.centos.19
ipa-python.x86_64            4.2.0-15.0.1.el7.centos.19
ipa-server.x86_64            4.2.0-15.0.1.el7.centos.19
ipa-server-dns.x86_64        4.2.0-15.0.1.el7.centos.19
ipa-server-trust-ad.x86_64   4.2.0-15.0.1.el7.centos.19
libipa_hbac.x86_64           1.13.0-40.el7_2.12
python-iniparse.noarch       0.4-9.el7
python-libipa_hbac.x86_64    1.13.0-40.el7_2.12
sssd-ipa.x86_64              1.13.0-40.el7_2.12

In the service list, the IPA, polkit, postfix, and smb services are currently failed. kadmin is also failed sometimes; however, I'm able to start it occasionally without explanation. Running IPA restart results in the following error:

[root@SERVER ~]# ipactl restart
Starting Directory Service
Stopping pki-tomcatd Service
Restarting krb5kdc Service
Restarting kadmin Service
Restarting named Service
Restarting ipa_memcached Service
Restarting httpd Service
Restarting pki-tomcatd Service
Starting smb Service
Job for smb.service failed because the control process exited with error code. See "systemctl status smb.service" and "journalctl -xe" for details.
Failed to start smb Service
Shutting down
Aborting ipactl

Checking the SMB service I get the following:

[root@SERVER ~]# systemctl status smb
● smb.service - Samba SMB Daemon
   Loaded: loaded (/usr/lib/systemd/system/smb.service; disabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since Wed 2016-09-28 17:15:50 EDT; 43s ago
  Process: 7186 ExecStart=/usr/sbin/smbd $SMBDOPTIONS (code=exited, status=1/FAILURE)
 Main PID: 7186 (code=exited, status=1/FAILURE)
   Status: "Starting process..."
Sep 28 17:15:49 SERVER.SUB.DOMAIN.COM smbd[7186]: [2016/09/28 17:15:49.718669, 0] ipa_sam.c:4208(bind_callback_cleanup)
Sep 28 17:15:49 SERVER.SUB.DOMAIN.COM smbd[7186]: kerberos error: code=-1765328203, message=Keytab contains no suitable keys for cifs/ server.sub.domain....@sub.domain.com
Sep 28 17:15:50 SERVER.SUB.DOMAIN.COM smbd[7186]: [2016/09/28 17:15:50.718869, 0] ipa_sam.c:4520(pdb_init_ipasam)
Sep 28 17:15:50 SERVER.SUB.DOMAIN.COM smbd[7186]: Failed to get base DN.
Sep 28 17:15:50 SERVER.SUB.DOMAIN.COM smbd[7186]: [2016/09/28 17:15:50.718900, 0] ../source3/passdb/pdb_interface.c:179(make_pdb_method_name)
Sep 28 17:15:50 SERVER.SUB.DOMAIN.COM smbd[7186]: pdb backend ipasam:ldapi://%2fvar%2frun%2fslapd-SUB.DOMAIN.COM.socket did not correctly init (error was NT_STATUS_UNSUCCESSFUL)
Sep 28 17:15:50 SERVER.SUB.DOMAIN.COM systemd[1]: smb.service: main process exited, code=exited, status=1/FAILURE
Sep 28 17:15:50 SERVER.SUB.DOMAIN.COM systemd[1]: Failed to start Samba SMB Daemon.
Sep 28 17:15:50 SERVER.SUB.DOMAIN.COM systemd[1]: Unit smb.service entered failed state.
Sep 28 17:15:50 SERVER.SUB.DOMAIN.COM systemd[1]: smb.service failed.

I had issues when first trying to add one way trust with SMB but I was able to restart the service and move forward. That doesn't appear to be happening this time. I've also tried using kinit to obtain a ticket but that doesn't work. I'm not sure if that should work at this juncture or not. After restarting ipa the kadmin service also fails to start some of the time.

if kadmin is running
=======================
[root@SERVER ~]# kinit -V admin
Using default cache: persistent:0:0
Using principal: ad...@sub.domain.com
kinit: Generic error (see e-text) while getting initial credentials

if kadmin isn't running
=======================
[root@SERVER ~]# kinit -V admin
Using default cache: persistent:0:0
Using principal: ad...@sub.domain.com
kinit: Cannot contact any KDC for realm 'SUB.DOMAIN.COM' while getting initial credentials

Attempts to get kadmin to run
=======================
[root@SERVER ~]# systemctl start kadmin
Job for kadmin.service failed because the control process exited with error code. See "systemctl status kadmin.service" and "journalctl -xe" for details.

Journal for kadmin attempt
======================
-- Subject: Unit kadmin.service has begun start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit kadmin.service has begun starting up.
Sep 28 17:22:38 SERVER.SUB.DOMAIN.COM _kadmind[7978]: kadmind: kadmind: Server error while initializing, aborting
Sep 28 17:22:38 SERVER.SUB.DOMAIN.COM systemd[1]: kadmin.service: control process exited, code=exited status=1
Sep 28 17:22:38 SERVER.SUB.DOMAIN.COM systemd[1]: Failed to start Kerberos 5 Password-changing and Administration.
-- Subject: Unit kadmin.service has failed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit kadmin.service has failed.
--
-- The result is failed.
Sep 28 17:22:38 SERVER.SUB.DOMAIN.COM systemd[1]: Unit kadmin.service entered failed state.
Sep 28 17:22:38 SERVER.SUB.DOMAIN.COM systemd[1]: kadmin.service failed.
Sep 28 17:22:38 SERVER.SUB.DOMAIN.COM polkitd[6092]: Unregistered Authentication Agent for unix-process:7973:9203783 (system bus name :1.639, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) (dis