[Freeipa-users] Re: ipasam failure with BACKTRACE
On 24-10-2022 09:29, Alexander Bokovoy wrote:
> On Fri, 21 Oct 2022, Kees Bakker wrote:
>> On 21-10-2022 16:10, Alexander Bokovoy wrote:
>>> On Fri, 21 Oct 2022, Kees Bakker via FreeIPA-users wrote:
>>>> It turns out to be caused by missing SELinux permissions. As soon as I set selinux to permissive it started to work. Now, I've solved a few fcontext issues. samba-dcerpcd does not crash anymore. Still there are more things blocked by selinux, which I'm investigating right now.
>>>
>>> I think this was fixed with https://bugzilla.redhat.com/show_bug.cgi?id=2096521 in Fedora and CentOS 9 Stream.
>>>
>>> Coming back to your original task. You should not use ipasam outside of IPA trust controllers at all. Instead, please follow the RHEL IdM guide which literally wants you to install ipa-client-samba package and run ipa-client-samba installer to generate proper configuration for a Samba server on IPA client. Have you tried that?
>>
>> No, I didn't know that was necessary.
>>
>>> I am linking to RHEL IdM in RHEL 8 guide because RHEL 9 guides are not fully published yet. It is the same story there: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/configuring_and_managing_identity_management/setting-up-samba-on-an-idm-domain-member_configuring-and-managing-idm
>>
>> Thanks for the pointer. I've done ipa-client-samba. To make it run I had to delete the already existing cifs/ service for this host. It was created at the time in CentOS7. Things aren't working yet. I'm now seeing NT_STATUS_NO_MEMORY errors in the samba logs for the connecting windows client. Oh, and selinux is still "permissive" so that can't be a problem (yet).
>
> You need to provide more details to give any useful comments.

Yes, I am fully aware of that. I was just hoping that someone would recognize this error and would have the answer to all my trouble :-) Samba is a beast. Samba logging is close to being useless, except maybe for a small minority of Samba developers.

> Please see https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/configuring_and_managing_identity_management/assembly_troubleshooting-authentication-with-sssd-in-idm_configuring-and-managing-idm for various troubleshooting suggestions.
>
> In addition I'd need Samba logs (log level = 10) on the IPA client where it is deployed and its configuration.

The good news is: it's working.

So, what did I do to make it work? First I did set up a new Samba/Centos9 client from scratch. I followed the guideline [1] you gave before. That worked. This gave me something to compare with.

Back to the troubled Samba server. I did do ipa-client-samba on it. The old cifs service prohibited completion, so I manually deleted it. Run ipa-client-samba again. Still, that didn't help. Then I saw the ipa-client-samba "uninstall" option. Tried that and ran the command again. Still, no luck.

Increasing the samba log level. Logging is massive. The typical needle-in-haystack problem. I didn't find any useful hint to the cause of my problem.

The last thing I remembered doing was a restart of the firewall. What? It's working? Why? No-one will ever know.

[1] https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/configuring_and_managing_identity_management/setting-up-samba-on-an-idm-domain-member_configuring-and-managing-idm

-- Kees

> --
> / Alexander Bokovoy
> Sr. Principal Software Engineer
> Security / Identity Management Engineering
> Red Hat Limited, Finland

___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
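
The needle-in-a-haystack problem with `log level = 10` output, as an added example that is not part of the thread: a Python filter that parses Samba debug headers (with or without a journald prefix) and keeps only low-level entries and entries that name an NT_STATUS error. The first four sample lines are taken from the log quoted in this thread; the last four, including their file and function names, are constructed.

```python
import re
from collections import namedtuple

# Samba debug header: "[YYYY/MM/DD HH:MM:SS.usec, LEVEL(, extras)] file.c:LINE(function)"
HEADER = re.compile(
    r"\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+),\s*(?P<level>\d+)"
    r"(?:,[^\]]*)?\]\s+(?P<src>\S+?):(?P<line>\d+)\((?P<func>[^)]*)\)"
)
# Optional journald prefix: "Oct 17 09:23:21 host unit[pid]: "
JOURNAL_PREFIX = re.compile(r"^\w{3}\s+\d+ [\d:]{8} \S+ [^\s\[]+\[\d+\]: ?")
NT_STATUS = re.compile(r"\bNT_STATUS_[A-Z0-9_]+\b")
Entry = namedtuple("Entry", "ts level src func text")

# First four lines: from the thread. Last four: constructed noise for the demo.
SAMPLE = """\
Oct 17 09:23:21 waal.example.com samba-dcerpcd[271493]: [2022/10/17 09:23:21.614868, 0] ipa_sam.c:5174(pdb_init_ipasam)
Oct 17 09:23:21 waal.example.com samba-dcerpcd[271493]: Failed to get base DN.
Oct 17 09:23:21 waal.example.com samba-dcerpcd[271493]: [2022/10/17 09:23:21.615001, 0] ../../source3/passdb/pdb_interface.c:181(make_pdb_method_name)
Oct 17 09:23:21 waal.example.com samba-dcerpcd[271493]: pdb backend ipasam:ldaps://rotte.example.com did not correctly init (error was NT_STATUS_UNSUCCESSFUL)
[2022/10/17 09:23:22.000001, 10, pid=271500, effective(0, 0), real(0, 0)] ../../source3/lib/example.c:42(noise_a)
  constructed debug chatter
[2022/10/17 09:23:22.000002, 5] ../../source3/smbd/example.c:99(noise_b)
  constructed reply: NT_STATUS_NO_MEMORY
"""

def parse_entries(lines):
    """Group each header line with its continuation lines into Entry records."""
    entries, current = [], None
    for raw in lines:
        line = JOURNAL_PREFIX.sub("", raw.rstrip("\n")).strip()
        m = HEADER.match(line)
        if m:
            current = [m["ts"], int(m["level"]), m["src"], m["func"], []]
            entries.append(current)
        elif current is not None and line:
            current[4].append(line)
    return [Entry(ts, lvl, src, fn, " ".join(txt)) for ts, lvl, src, fn, txt in entries]

def triage(entries, max_level=1):
    """Keep serious (low-level) entries and any entry naming an NT_STATUS error."""
    keep = []
    for e in entries:
        codes = [c for c in NT_STATUS.findall(e.text) if c != "NT_STATUS_OK"]
        if e.level <= max_level or codes:
            keep.append((e, codes))
    return keep

if __name__ == "__main__":
    for e, codes in triage(parse_entries(SAMPLE.splitlines())):
        print(e.ts, e.level, e.func, codes, e.text)
```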
[Freeipa-users] Re: ipasam failure with BACKTRACE
On Fri, 21 Oct 2022, Kees Bakker wrote:
> On 21-10-2022 16:10, Alexander Bokovoy wrote:
>> On Fri, 21 Oct 2022, Kees Bakker via FreeIPA-users wrote:
>>> It turns out to be caused by missing SELinux permissions. As soon as I set selinux to permissive it started to work. Now, I've solved a few fcontext issues. samba-dcerpcd does not crash anymore. Still there are more things blocked by selinux, which I'm investigating right now.
>>
>> I think this was fixed with https://bugzilla.redhat.com/show_bug.cgi?id=2096521 in Fedora and CentOS 9 Stream.
>>
>> Coming back to your original task. You should not use ipasam outside of IPA trust controllers at all. Instead, please follow the RHEL IdM guide which literally wants you to install ipa-client-samba package and run ipa-client-samba installer to generate proper configuration for a Samba server on IPA client. Have you tried that?
>
> No, I didn't know that was necessary.
>
>> I am linking to RHEL IdM in RHEL 8 guide because RHEL 9 guides are not fully published yet. It is the same story there: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/configuring_and_managing_identity_management/setting-up-samba-on-an-idm-domain-member_configuring-and-managing-idm
>
> Thanks for the pointer. I've done ipa-client-samba. To make it run I had to delete the already existing cifs/ service for this host. It was created at the time in CentOS7. Things aren't working yet. I'm now seeing NT_STATUS_NO_MEMORY errors in the samba logs for the connecting windows client. Oh, and selinux is still "permissive" so that can't be a problem (yet).

You need to provide more details to give any useful comments.

Please see https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/configuring_and_managing_identity_management/assembly_troubleshooting-authentication-with-sssd-in-idm_configuring-and-managing-idm for various troubleshooting suggestions.

In addition I'd need Samba logs (log level = 10) on the IPA client where it is deployed and its configuration.

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
[Freeipa-users] Re: ipasam failure with BACKTRACE
On 21-10-2022 16:10, Alexander Bokovoy wrote:
> On Fri, 21 Oct 2022, Kees Bakker via FreeIPA-users wrote:
>> It turns out to be caused by missing SELinux permissions. As soon as I set selinux to permissive it started to work. Now, I've solved a few fcontext issues. samba-dcerpcd does not crash anymore. Still there are more things blocked by selinux, which I'm investigating right now.
>
> I think this was fixed with https://bugzilla.redhat.com/show_bug.cgi?id=2096521 in Fedora and CentOS 9 Stream.
>
> Coming back to your original task. You should not use ipasam outside of IPA trust controllers at all. Instead, please follow the RHEL IdM guide which literally wants you to install ipa-client-samba package and run ipa-client-samba installer to generate proper configuration for a Samba server on IPA client. Have you tried that?

No, I didn't know that was necessary.

> I am linking to RHEL IdM in RHEL 8 guide because RHEL 9 guides are not fully published yet. It is the same story there: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/configuring_and_managing_identity_management/setting-up-samba-on-an-idm-domain-member_configuring-and-managing-idm

Thanks for the pointer. I've done ipa-client-samba. To make it run I had to delete the already existing cifs/ service for this host. It was created at the time in CentOS7. Things aren't working yet. I'm now seeing NT_STATUS_NO_MEMORY errors in the samba logs for the connecting windows client. Oh, and selinux is still "permissive" so that can't be a problem (yet).

-- Kees
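
An added example, not part of the thread: in permissive mode SELinux still logs each access that enforcing mode would deny (`permissive=1` in the AVC record), so the audit log can be summarised for Samba processes before switching back to enforcing. The audit lines, contexts and file names below are constructed, and treating `default_t`/`unlabeled_t` targets as relabel candidates is a heuristic assumed here.

```python
import re
from collections import Counter

# Constructed audit.log lines (not from the thread); contexts and names are illustrative.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1666350000.101:801): avc:  denied  { read } for  pid=2715 comm="samba-dcerpcd" name="example.tdb" dev="dm-0" ino=1201 scontext=system_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file permissive=1
type=AVC msg=audit(1666350000.102:802): avc:  denied  { read } for  pid=2715 comm="samba-dcerpcd" name="example.tdb" dev="dm-0" ino=1201 scontext=system_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file permissive=1
type=AVC msg=audit(1666350001.210:803): avc:  denied  { name_connect } for  pid=2720 comm="smbd" dest=636 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:ldap_port_t:s0 tclass=tcp_socket permissive=1
type=AVC msg=audit(1666349000.001:700): avc:  denied  { getattr } for  pid=900 comm="chronyd" path="/srv/x" dev="dm-0" ino=77 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir permissive=0
"""

AVC = re.compile(
    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?\bcomm="(?P<comm>[^"]*)".*?'
    r'\bscontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)'
    r'(?:\s+permissive=(?P<permissive>[01]))?'
)
FILE_CLASSES = {"file", "dir", "lnk_file", "sock_file"}
# Fallback types: no specific fcontext rule matched (default_t) or no valid label (unlabeled_t).
FALLBACK_TYPES = {"default_t", "unlabeled_t"}

def parse_avc(lines, comm_prefixes=("smbd", "samba", "winbind")):
    """Yield one record per AVC denial raised by a Samba-related process."""
    for line in lines:
        m = AVC.search(line)
        if not m or not m["comm"].startswith(comm_prefixes):
            continue
        yield {
            "comm": m["comm"],
            "perms": tuple(m["perms"].split()),
            "source": m["scon"].split(":")[2],   # SELinux type of the process
            "target": m["tcon"].split(":")[2],   # SELinux type of the object
            "tclass": m["tclass"],
            # permissive=1: access was allowed, but enforcing mode would deny it
            "permissive": m["permissive"] == "1",
        }

def summarize(records):
    """Collapse repeated denials into one counted finding each."""
    return Counter((r["comm"], r["source"], r["target"], r["tclass"], r["perms"])
                   for r in records)

def label_suspects(records):
    """File objects carrying a fallback type: likely a missing fcontext rule or restorecon."""
    return sorted({(r["comm"], r["target"], r["tclass"]) for r in records
                   if r["tclass"] in FILE_CLASSES and r["target"] in FALLBACK_TYPES})

if __name__ == "__main__":
    recs = list(parse_avc(SAMPLE_AUDIT.splitlines()))
    for key, n in summarize(recs).items():
        print(n, key)
    print("relabel candidates:", label_suspects(recs))
```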
[Freeipa-users] Re: ipasam failure with BACKTRACE
On Fri, 21 Oct 2022, Kees Bakker via FreeIPA-users wrote:
> It turns out to be caused by missing SELinux permissions. As soon as I set selinux to permissive it started to work. Now, I've solved a few fcontext issues. samba-dcerpcd does not crash anymore. Still there are more things blocked by selinux, which I'm investigating right now.

I think this was fixed with https://bugzilla.redhat.com/show_bug.cgi?id=2096521 in Fedora and CentOS 9 Stream.

Coming back to your original task. You should not use ipasam outside of IPA trust controllers at all. Instead, please follow the RHEL IdM guide which literally wants you to install ipa-client-samba package and run ipa-client-samba installer to generate proper configuration for a Samba server on IPA client. Have you tried that?

I am linking to RHEL IdM in RHEL 8 guide because RHEL 9 guides are not fully published yet. It is the same story there: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/configuring_and_managing_identity_management/setting-up-samba-on-an-idm-domain-member_configuring-and-managing-idm

> -- Kees
>
> On 17-10-2022 11:45, Kees Bakker via FreeIPA-users wrote:
>> Hi,
>>
>> This weekend I installed CentOS 9 stream on a server that had CentOS 7 on it. One of its main tasks is to be a Samba server. I completely reinstalled and set up Samba.
>>
>> I used ipasam before and it was working. I copied the smb.conf from the old system. But now it gives me a fatal error.
>>
>> Oct 17 09:23:21 waal.example.com samba-dcerpcd[271493]: [2022/10/17 09:23:21.614868, 0] ipa_sam.c:5174(pdb_init_ipasam)
>> Oct 17 09:23:21 waal.example.com samba-dcerpcd[271493]: Failed to get base DN.
>> Oct 17 09:23:21 waal.example.com samba-dcerpcd[271493]: [2022/10/17 09:23:21.615001, 0] ../../source3/passdb/pdb_interface.c:181(make_pdb_method_name)
>> Oct 17 09:23:21 waal.example.com samba-dcerpcd[271493]: pdb backend ipasam:ldaps://rotte.example.com did not correctly init (error was NT_STATUS_UNSUCCESSFUL)
>> Oct 17 09:23:21 waal.example.com samba-dcerpcd[271493]: [2022/10/17 09:23:21.615111, 0] ../../lib/util/fault.c:172(smb_panic_log)
>> Oct 17 09:23:21 waal.example.com samba-dcerpcd[271493]: ===
>> Oct 17 09:23:21 waal.example.com samba-dcerpcd[271493]: [2022/10/17 09:23:21.615185, 0] ../../lib/util/fault.c:173(smb_panic_log)
>> Oct 17 09:23:21 waal.example.com samba-dcerpcd[271493]: INTERNAL ERROR: pdb_get_methods: failed to get pdb methods for backend ipasam:ldaps://rotte.example.com
>> Oct 17 09:23:21 waal.example.com samba-dcerpcd[271493]: in pid 271493 (4.16.4)
>> Oct 17 09:23:21 waal.example.com samba-dcerpcd[271493]: [2022/10/17 09:23:21.615268, 0] ../../lib/util/fault.c:177(smb_panic_log)
>> Oct 17 09:23:21 waal.example.com samba-dcerpcd[271493]: If you are running a recent Samba version, and if you think this problem is not yet fixed in the latest versions, please consider reporting this bug, see https://wiki.samba.org/index.php/Bug_Reporting
>> Oct 17 09:23:21 waal.example.com samba-dcerpcd[271493]: [2022/10/17 09:23:21.615322, 0] ../../lib/util/fault.c:182(smb_panic_log)
>> Oct 17 09:23:21 waal.example.com samba-dcerpcd[271493]: ===
>> Oct 17 09:23:21 waal.example.com samba-dcerpcd[271493]: [2022/10/17 09:23:21.615373, 0] ../../lib/util/fault.c:183(smb_panic_log)
>> Oct 17 09:23:21 waal.example.com samba-dcerpcd[271493]: PANIC (pid 271493): pdb_get_methods: failed to get pdb methods for backend ipasam:ldaps://rotte.example.com
>> Oct 17 09:23:21 waal.example.com samba-dcerpcd[271493]: in 4.16.4
>> Oct 17 09:23:21 waal.example.com samba-dcerpcd[271493]: [2022/10/17 09:23:21.615940, 0] ../../lib/util/fault.c:287(log_stack_trace)
>> Oct 17 09:23:21 waal.example.com samba-dcerpcd[271493]: BACKTRACE: 13 stack frames:
>> Oct 17 09:23:21 waal.example.com samba-dcerpcd[271493]: #0 /lib64/libsamba-util.so.0(log_stack_trace+0x34) [0x7f2c94aebd74]
>> Oct 17 09:23:21 waal.example.com samba-dcerpcd[271493]: #1 /lib64/libsamba-util.so.0(smb_panic+0xd) [0x7f2c94aebfcd]
>> Oct 17 09:23:21 waal.example.com samba-dcerpcd[271493]: #2 /lib64/libsamba-passdb.so.0(+0x1c6df) [0x7f2c94a8f6df]
>> Oct 17 09:23:21 waal.example.com samba-dcerpcd[271493]: #3 /lib64/libsamba-passdb.so.0(pdb_get_aliasinfo+0x16) [0x7f2c94a8ff86]
>> Oct 17 09:23:21 waal.example.com samba-dcerpcd[271493]: #4 /usr/libexec/samba/samba-dcerpcd(finalize_local_nt_token+0x16a) [0x559ea4bed72a]
>> Oct 17 09:23:21 waal.example.com samba-dcerpcd[271493]: #5 /usr/libexec/samba/samba-dcerpcd(create_local_nt_token_from_info3+0x30c) [0x559ea4bee03c]
>> Oct 17 09:23:21 waal.example.com samba-dcerpcd[271493]: #6 /usr/libexec/samba/samba-dcerpcd(+0x175f3) [0x559ea4bf05f3]
>> Oct 17 09:23:21 waal.example.com samba-dcerpcd[271493]: #7 /usr/libexec/samba/samba-dcerpcd(+0x1f42c) [0x559ea4bf842c]
>> Oct 17 09:23:21 waal.example.com samba-dcerpcd[271493]: #8
[Freeipa-users] Re: ipasam failure with BACKTRACE
It turns out to be caused by missing SELinux permissions. As soon as I set selinux to permissive it started to work.

Now, I've solved a few fcontext issues. samba-dcerpcd does not crash anymore. Still there are more things blocked by selinux, which I'm investigating right now.

-- Kees

On 17-10-2022 11:45, Kees Bakker via FreeIPA-users wrote:
> Hi,
>
> This weekend I installed CentOS 9 stream on a server that had CentOS 7 on it. One of its main tasks is to be a Samba server. I completely reinstalled and set up Samba.
>
> I used ipasam before and it was working. I copied the smb.conf from the old system. But now it gives me a fatal error.
>
> Oct 17 09:23:21 waal.example.com samba-dcerpcd[271493]: [2022/10/17 09:23:21.614868, 0] ipa_sam.c:5174(pdb_init_ipasam)
> Oct 17 09:23:21 waal.example.com samba-dcerpcd[271493]: Failed to get base DN.
> Oct 17 09:23:21 waal.example.com samba-dcerpcd[271493]: [2022/10/17 09:23:21.615001, 0] ../../source3/passdb/pdb_interface.c:181(make_pdb_method_name)
> Oct 17 09:23:21 waal.example.com samba-dcerpcd[271493]: pdb backend ipasam:ldaps://rotte.example.com did not correctly init (error was NT_STATUS_UNSUCCESSFUL)
> Oct 17 09:23:21 waal.example.com samba-dcerpcd[271493]: [2022/10/17 09:23:21.615111, 0] ../../lib/util/fault.c:172(smb_panic_log)
> Oct 17 09:23:21 waal.example.com samba-dcerpcd[271493]: ===
> Oct 17 09:23:21 waal.example.com samba-dcerpcd[271493]: [2022/10/17 09:23:21.615185, 0] ../../lib/util/fault.c:173(smb_panic_log)
> Oct 17 09:23:21 waal.example.com samba-dcerpcd[271493]: INTERNAL ERROR: pdb_get_methods: failed to get pdb methods for backend ipasam:ldaps://rotte.example.com
> Oct 17 09:23:21 waal.example.com samba-dcerpcd[271493]: in pid 271493 (4.16.4)
> Oct 17 09:23:21 waal.example.com samba-dcerpcd[271493]: [2022/10/17 09:23:21.615268, 0] ../../lib/util/fault.c:177(smb_panic_log)
> Oct 17 09:23:21 waal.example.com samba-dcerpcd[271493]: If you are running a recent Samba version, and if you think this problem is not yet fixed in the latest versions, please consider reporting this bug, see https://wiki.samba.org/index.php/Bug_Reporting
> Oct 17 09:23:21 waal.example.com samba-dcerpcd[271493]: [2022/10/17 09:23:21.615322, 0] ../../lib/util/fault.c:182(smb_panic_log)
> Oct 17 09:23:21 waal.example.com samba-dcerpcd[271493]: ===
> Oct 17 09:23:21 waal.example.com samba-dcerpcd[271493]: [2022/10/17 09:23:21.615373, 0] ../../lib/util/fault.c:183(smb_panic_log)
> Oct 17 09:23:21 waal.example.com samba-dcerpcd[271493]: PANIC (pid 271493): pdb_get_methods: failed to get pdb methods for backend ipasam:ldaps://rotte.example.com
> Oct 17 09:23:21 waal.example.com samba-dcerpcd[271493]: in 4.16.4
> Oct 17 09:23:21 waal.example.com samba-dcerpcd[271493]: [2022/10/17 09:23:21.615940, 0] ../../lib/util/fault.c:287(log_stack_trace)
> Oct 17 09:23:21 waal.example.com samba-dcerpcd[271493]: BACKTRACE: 13 stack frames:
> Oct 17 09:23:21 waal.example.com samba-dcerpcd[271493]: #0 /lib64/libsamba-util.so.0(log_stack_trace+0x34) [0x7f2c94aebd74]
> Oct 17 09:23:21 waal.example.com samba-dcerpcd[271493]: #1 /lib64/libsamba-util.so.0(smb_panic+0xd) [0x7f2c94aebfcd]
> Oct 17 09:23:21 waal.example.com samba-dcerpcd[271493]: #2 /lib64/libsamba-passdb.so.0(+0x1c6df) [0x7f2c94a8f6df]
> Oct 17 09:23:21 waal.example.com samba-dcerpcd[271493]: #3 /lib64/libsamba-passdb.so.0(pdb_get_aliasinfo+0x16) [0x7f2c94a8ff86]
> Oct 17 09:23:21 waal.example.com samba-dcerpcd[271493]: #4 /usr/libexec/samba/samba-dcerpcd(finalize_local_nt_token+0x16a) [0x559ea4bed72a]
> Oct 17 09:23:21 waal.example.com samba-dcerpcd[271493]: #5 /usr/libexec/samba/samba-dcerpcd(create_local_nt_token_from_info3+0x30c) [0x559ea4bee03c]
> Oct 17 09:23:21 waal.example.com samba-dcerpcd[271493]: #6 /usr/libexec/samba/samba-dcerpcd(+0x175f3) [0x559ea4bf05f3]
> Oct 17 09:23:21 waal.example.com samba-dcerpcd[271493]: #7 /usr/libexec/samba/samba-dcerpcd(+0x1f42c) [0x559ea4bf842c]
> Oct 17 09:23:21 waal.example.com samba-dcerpcd[271493]: #8 /usr/libexec/samba/samba-dcerpcd(init_guest_session_info+0x21) [0x559ea4beaa71]
> Oct 17 09:23:21 waal.example.com samba-dcerpcd[271493]: #9 /usr/libexec/samba/samba-dcerpcd(main+0x54a) [0x559ea4be5dba]
> Oct 17 09:23:21 waal.example.com samba-dcerpcd[271493]: #10 /lib64/libc.so.6(+0x3feb0) [0x7f2c94333eb0]
> Oct 17 09:23:21 waal.example.com samba-dcerpcd[271493]: #11 /lib64/libc.so.6(__libc_start_main+0x80) [0x7f2c94333f60]
> Oct 17 09:23:21 waal.example.com samba-dcerpcd[271493]: #12 /usr/libexec/samba/samba-dcerpcd(_start+0x25) [0x559ea4be78e5]
> Oct 17 09:23:21 waal.example.com samba-dcerpcd[271493]: [2022/10/17 09:23:21.616354, 0] ../../source3/lib/dumpcore.c:317(dump_core)
> Oct 17 09:23:21 waal.example.com samba-dcerpcd[271493]: coredump is handled by helper binary specified at /proc/sys/kernel/core_pattern
>
> The versions of some