Re: [Freeipa-users] installation of ipa-server successful but sssd fails..

2016-02-25 Thread lejeczek

On 25/02/16 12:29, Sumit Bose wrote:

On Thu, Feb 25, 2016 at 11:58:04AM +, lejeczek wrote:

On 25/02/16 09:32, Sumit Bose wrote:

On Thu, Feb 25, 2016 at 09:21:06AM +, lejeczek wrote:

On 25/02/16 08:21, Sumit Bose wrote:

On Wed, Feb 24, 2016 at 05:20:30PM +, lejeczek wrote:

On 24/02/16 14:22, Sumit Bose wrote:

On Wed, Feb 24, 2016 at 12:45:55PM +, lejeczek wrote:

On 24/02/16 11:26, Sumit Bose wrote:

On Wed, Feb 24, 2016 at 11:21:13AM +, lejeczek wrote:

he everybody,
my first tampering with install gets me:

Feb 24 11:04:22 my.host.fake sssd[be[host.fake]][17425]: Starting up
Feb 24 11:04:22 my.host.fake sssd[be[host.fake]][17425]: Failed to read
keytab [default]: Bad address
Feb 24 11:04:22 my.host.fake sssd[17406]: Exiting the SSSD. Could not
restart critical service [host.fake].
Feb 24 11:04:22 my.host.fake systemd[1]: sssd.service: control process
exited, code=exited status=1
Feb 24 11:04:22 my.host.fake systemd[1]: Failed to start System Security
Services Daemon.
Feb 24 11:04:22 my.host.fake systemd[1]: Unit sssd.service entered failed
state.
Feb 24 11:04:22 my.host.fake systemd[1]: sssd.service failed.

And just after install process finishes I try:
$ kinit admin
kinit: Improper format of Kerberos configuration file while initializing
Kerberos 5 library

I would recommend to check /etc/krb5.conf first. Since the library call
SSSD uses to read the keytab will read /etc/krb5.conf as well, this
might be the reason for the SSSD issue as well.

I said keytab, I meant config, which is below included.

This is the SSSD config file /etc/sssd/sssd.conf, I really meant
/etc/krb5.conf.

I wonder if it can be one use case where install script/process does not
realize it fails. I did run install on a virtually identical machine,
actually virtual kvm centos and it worked there, only exception is no sssd
there, not sure about 100% though.

Most worryingly when I try to restart dirsrv@ I see this:

[  762.293817] ns-slapd[8772]: segfault at 8 ip 7f3186a02b29 sp
7ffe73055d60 error 4 in libipa_pwd_extop.so[7f31869f1000+2a000]
[  779.072156] SELinux: initialized (dev tmpfs, type tmpfs), uses transition
SIDs
[  801.098886] ns-slapd[8958]: segfault at 8 ip 7fe875c5ab29 sp
7ffc2c6c26e0 error 4 in libipa_pwd_extop.so[7fe875c49000+2a000]

I'm not an expert, it looks pretty regular to me, here krb config:

unfortunately it is broken, nearly every line with a '#' is wrong and
causes libkrb5 to fail parsing the file. I think this is caused by an
issue with authconfig
(https://bugzilla.redhat.com/show_bug.cgi?id=1184639). Please try to
upgrade to authconfig-6.2.8-10.el7 or higher. Nevertheless I think
neither authconfig nor ipa-client-install will be able to fix the broken
file completely and you have to delete the following lines manually.

yes, indeed it seems that when I used authconf (not tui) to disable ldap &
ssd configs were cleared of # char. I cannot only be sure 100% as I had a
look at configs after ipa install.
But I'll also say it would be nice to have kerberos smart and able to digest
these special cases, handle these chars regardless, no?

no, because it is not about the '#' character, this is handled properly
as a comment. This means there is a dangling '}' because the '{' was
commented out before. The other '#' seems to do no harm but I suggested
to remove them to be on the safe side.

bye,
Sumit

thanks Sumit, should I make it a bug report?

no, I think the authconfig ticket is sufficient here.

I'll insist on the claim that installer could do better, especially when
it completes without any errors nor warnings. I'm sure dev guys could
easily resolve it in a number of ways, just to let them know.

bye,
Sumit


[logging]
  default = FILE:/var/log/krb5libs.log
  kdc = FILE:/var/log/krb5kdc.log
  admin_server = FILE:/var/log/kadmind.log

[libdefaults]
  default_realm = #

^^^ delete ^^^

  dns_lookup_realm = false
  dns_lookup_kdc = true
  rdns = false
  ticket_lifetime = 24h
  forwardable = yes
  udp_preference_limit = 0
  default_ccache_name = KEYRING:persistent:%{uid}

[realms]
  HOST.FAKE = {
   kdc = my.host.fake:88
   master_kdc = my.host.fake:88
   admin_server = my.host.fake:749
   default_domain = host.fake
   pkinit_anchors = FILE:/etc/ipa/ca.crt
}

  # = {

^^^ delete ^^^

   kdc = my.host.fake:88

^^^ delete ^^^

   admin_server = my.host.fake:749

^^^ delete ^^^

  }

^^^ delete ^^^

[domain_realm]
  .host.fake = HOST.FAKE
  host.fake = HOST.FAKE

  # = #

^^^ delete ^^^

  .# = #

^^^ delete ^^^

[dbmodules]
   HOST.FAKE = {
 db_library = ipadb.so
   }


bye,
Sumit


bye,
Sumit


HTH

bye,
Sumit


here is keytab server installer created/amended: (one thing that I'm not
sure is the fact that my new "host.fake" domain is different from my
previously existing ldap search
"dc=xxx,dc=" - if it matters at all? Otherwise I have no clue.

[domain/host.fake]

cache_credentials = True
krb5_store_password_if_offline = True

Re: [Freeipa-users] installation of ipa-server successful but sssd fails..

2016-02-25 Thread Sumit Bose
On Thu, Feb 25, 2016 at 11:58:04AM +, lejeczek wrote:
> On 25/02/16 09:32, Sumit Bose wrote:
> >On Thu, Feb 25, 2016 at 09:21:06AM +, lejeczek wrote:
> >>On 25/02/16 08:21, Sumit Bose wrote:
> >>>On Wed, Feb 24, 2016 at 05:20:30PM +, lejeczek wrote:
> On 24/02/16 14:22, Sumit Bose wrote:
> >On Wed, Feb 24, 2016 at 12:45:55PM +, lejeczek wrote:
> >>On 24/02/16 11:26, Sumit Bose wrote:
> >>>On Wed, Feb 24, 2016 at 11:21:13AM +, lejeczek wrote:
> he everybody,
> my first tampering with install gets me:
> 
> Feb 24 11:04:22 my.host.fake sssd[be[host.fake]][17425]: Starting up
> Feb 24 11:04:22 my.host.fake sssd[be[host.fake]][17425]: Failed to 
> read
> keytab [default]: Bad address
> Feb 24 11:04:22 my.host.fake sssd[17406]: Exiting the SSSD. Could not
> restart critical service [host.fake].
> Feb 24 11:04:22 my.host.fake systemd[1]: sssd.service: control process
> exited, code=exited status=1
> Feb 24 11:04:22 my.host.fake systemd[1]: Failed to start System 
> Security
> Services Daemon.
> Feb 24 11:04:22 my.host.fake systemd[1]: Unit sssd.service entered 
> failed
> state.
> Feb 24 11:04:22 my.host.fake systemd[1]: sssd.service failed.
> 
> And just after install process finishes I try:
> $ kinit admin
> kinit: Improper format of Kerberos configuration file while 
> initializing
> Kerberos 5 library
> >>>I would recommend to check /etc/krb5.conf first. Since the library call
> >>>SSSD uses to read the keytab will read /etc/krb5.conf as well, this
> >>>might be the reason for the SSSD issue as well.
> >>I said keytab, I meant config, which is below included.
> >This is the SSSD config file /etc/sssd/sssd.conf, I really meant
> >/etc/krb5.conf.
> I wonder if it can be one use case where install script/process does not
> realize it fails. I did run install on a virtually identical machine,
> actually virtual kvm centos and it worked there, only exception is no sssd
> there, not sure about 100% though.
> 
> Most worryingly when I try to restart dirsrv@ I see this:
> 
> [  762.293817] ns-slapd[8772]: segfault at 8 ip 7f3186a02b29 sp
> 7ffe73055d60 error 4 in libipa_pwd_extop.so[7f31869f1000+2a000]
> [  779.072156] SELinux: initialized (dev tmpfs, type tmpfs), uses 
> transition
> SIDs
> [  801.098886] ns-slapd[8958]: segfault at 8 ip 7fe875c5ab29 sp
> 7ffc2c6c26e0 error 4 in libipa_pwd_extop.so[7fe875c49000+2a000]
> 
> I'm not an expert, it looks pretty regular to me, here krb config:
> >>>unfortunately it is broken, nearly every line with a '#' is wrong and
> >>>causes libkrb5 to fail parsing the file. I think this is caused by an
> >>>issue with authconfig
> >>>(https://bugzilla.redhat.com/show_bug.cgi?id=1184639). Please try to
> >>>upgrade to authconfig-6.2.8-10.el7 or higher. Nevertheless I think
> >>>neither authconfig nor ipa-client-install will be able to fix the broken
> >>>file completely and you have to delete the following lines manually.
> >>yes, indeed it seems that when I used authconf (not tui) to disable ldap &
> >>ssd configs were cleared of # char. I cannot only be sure 100% as I had a
> >>look at configs after ipa install.
> >>But I'll also say it would be nice to have kerberos smart and able to digest
> >>these special cases, handle these chars regardless, no?
> >no, because it is not about the '#' character, this is handled properly
> >as a comment. This means there is a dangling '}' because the '{' was
> >commented out before. The other '#' seems to do no harm but I suggested
> >to remove them to be on the safe side.
> >
> >bye,
> >Sumit
> thanks Sumit, should I make it a bug report?

no, I think the authconfig ticket is sufficient here.

bye,
Sumit

> >
> [logging]
>   default = FILE:/var/log/krb5libs.log
>   kdc = FILE:/var/log/krb5kdc.log
>   admin_server = FILE:/var/log/kadmind.log
> 
> [libdefaults]
>   default_realm = #
> >>>^^^ delete ^^^
>   dns_lookup_realm = false
>   dns_lookup_kdc = true
>   rdns = false
>   ticket_lifetime = 24h
>   forwardable = yes
>   udp_preference_limit = 0
>   default_ccache_name = KEYRING:persistent:%{uid}
> 
> [realms]
>   HOST.FAKE = {
>    kdc = my.host.fake:88
>    master_kdc = my.host.fake:88
>    admin_server = my.host.fake:749
>    default_domain = host.fake
>    pkinit_anchors = FILE:/etc/ipa/ca.crt
> }
> 
>   # = {
> >>>^^^ delete ^^^
>    kdc = my.host.fake:88
> >>>^^^ delete ^^^
>    admin_server = my.host.fake:749
> >>>^^^ delete ^^^
>   }
> >>>^^^ delete ^^^
> [domain_realm]
>   .host.fake = HOST.FAKE
>   host.fake = HOST.FAKE
> 
>   # = #
> >>>^^^ delete ^^^

Re: [Freeipa-users] installation of ipa-server successful but sssd fails..

2016-02-25 Thread lejeczek

On 25/02/16 09:32, Sumit Bose wrote:

On Thu, Feb 25, 2016 at 09:21:06AM +, lejeczek wrote:

On 25/02/16 08:21, Sumit Bose wrote:

On Wed, Feb 24, 2016 at 05:20:30PM +, lejeczek wrote:

On 24/02/16 14:22, Sumit Bose wrote:

On Wed, Feb 24, 2016 at 12:45:55PM +, lejeczek wrote:

On 24/02/16 11:26, Sumit Bose wrote:

On Wed, Feb 24, 2016 at 11:21:13AM +, lejeczek wrote:

he everybody,
my first tampering with install gets me:

Feb 24 11:04:22 my.host.fake sssd[be[host.fake]][17425]: Starting up
Feb 24 11:04:22 my.host.fake sssd[be[host.fake]][17425]: Failed to read
keytab [default]: Bad address
Feb 24 11:04:22 my.host.fake sssd[17406]: Exiting the SSSD. Could not
restart critical service [host.fake].
Feb 24 11:04:22 my.host.fake systemd[1]: sssd.service: control process
exited, code=exited status=1
Feb 24 11:04:22 my.host.fake systemd[1]: Failed to start System Security
Services Daemon.
Feb 24 11:04:22 my.host.fake systemd[1]: Unit sssd.service entered failed
state.
Feb 24 11:04:22 my.host.fake systemd[1]: sssd.service failed.

And just after install process finishes I try:
$ kinit admin
kinit: Improper format of Kerberos configuration file while initializing
Kerberos 5 library

I would recommend to check /etc/krb5.conf first. Since the library call
SSSD uses to read the keytab will read /etc/krb5.conf as well, this
might be the reason for the SSSD issue as well.

I said keytab, I meant config, which is below included.

This is the SSSD config file /etc/sssd/sssd.conf, I really meant
/etc/krb5.conf.

I wonder if it can be one use case where install script/process does not
realize it fails. I did run install on a virtually identical machine,
actually virtual kvm centos and it worked there, only exception is no sssd
there, not sure about 100% though.

Most worryingly when I try to restart dirsrv@ I see this:

[  762.293817] ns-slapd[8772]: segfault at 8 ip 7f3186a02b29 sp
7ffe73055d60 error 4 in libipa_pwd_extop.so[7f31869f1000+2a000]
[  779.072156] SELinux: initialized (dev tmpfs, type tmpfs), uses transition
SIDs
[  801.098886] ns-slapd[8958]: segfault at 8 ip 7fe875c5ab29 sp
7ffc2c6c26e0 error 4 in libipa_pwd_extop.so[7fe875c49000+2a000]

I'm not an expert, it looks pretty regular to me, here krb config:

unfortunately it is broken, nearly every line with a '#' is wrong and
causes libkrb5 to fail parsing the file. I think this is caused by an
issue with authconfig
(https://bugzilla.redhat.com/show_bug.cgi?id=1184639). Please try to
upgrade to authconfig-6.2.8-10.el7 or higher. Nevertheless I think
neither authconfig nor ipa-client-install will be able to fix the broken
file completely and you have to delete the following lines manually.

yes, indeed it seems that when I used authconf (not tui) to disable ldap &
ssd configs were cleared of # char. I cannot only be sure 100% as I had a
look at configs after ipa install.
But I'll also say it would be nice to have kerberos smart and able to digest
these special cases, handle these chars regardless, no?

no, because it is not about the '#' character, this is handled properly
as a comment. This means there is a dangling '}' because the '{' was
commented out before. The other '#' seems to do no harm but I suggested
to remove them to be on the safe side.

bye,
Sumit

thanks Sumit, should I make it a bug report?



[logging]
  default = FILE:/var/log/krb5libs.log
  kdc = FILE:/var/log/krb5kdc.log
  admin_server = FILE:/var/log/kadmind.log

[libdefaults]
  default_realm = #

^^^ delete ^^^

  dns_lookup_realm = false
  dns_lookup_kdc = true
  rdns = false
  ticket_lifetime = 24h
  forwardable = yes
  udp_preference_limit = 0
  default_ccache_name = KEYRING:persistent:%{uid}

[realms]
  HOST.FAKE = {
   kdc = my.host.fake:88
   master_kdc = my.host.fake:88
   admin_server = my.host.fake:749
   default_domain = host.fake
   pkinit_anchors = FILE:/etc/ipa/ca.crt
}

  # = {

^^^ delete ^^^

   kdc = my.host.fake:88

^^^ delete ^^^

   admin_server = my.host.fake:749

^^^ delete ^^^

  }

^^^ delete ^^^

[domain_realm]
  .host.fake = HOST.FAKE
  host.fake = HOST.FAKE

  # = #

^^^ delete ^^^

  .# = #

^^^ delete ^^^

[dbmodules]
   HOST.FAKE = {
 db_library = ipadb.so
   }


bye,
Sumit


bye,
Sumit


HTH

bye,
Sumit


here is keytab server installer created/amended: (one thing that I'm not
sure is the fact that my new "host.fake" domain is different from my
previously existing ldap search
"dc=xxx,dc=" - if it matters at all? Otherwise I have no clue.

[domain/host.fake]

cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = host.fake
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = my.host.fake
chpass_provider = ipa
ipa_server = my.host.fake
ipa_server_mode = True
ldap_tls_cacert = /etc/ipa/ca.crt
[domain/default]
autofs_provider = ldap
cache_credentials = True
krb5_realm = #
ldap_search_base = dc=xxx,dc=
id_provider = ldap
auth_provider = 

Re: [Freeipa-users] installation of ipa-server successful but sssd fails..

2016-02-25 Thread Sumit Bose
On Thu, Feb 25, 2016 at 09:21:06AM +, lejeczek wrote:
> On 25/02/16 08:21, Sumit Bose wrote:
> >On Wed, Feb 24, 2016 at 05:20:30PM +, lejeczek wrote:
> >>On 24/02/16 14:22, Sumit Bose wrote:
> >>>On Wed, Feb 24, 2016 at 12:45:55PM +, lejeczek wrote:
> On 24/02/16 11:26, Sumit Bose wrote:
> >On Wed, Feb 24, 2016 at 11:21:13AM +, lejeczek wrote:
> >>he everybody,
> >>my first tampering with install gets me:
> >>
> >>Feb 24 11:04:22 my.host.fake sssd[be[host.fake]][17425]: Starting up
> >>Feb 24 11:04:22 my.host.fake sssd[be[host.fake]][17425]: Failed to read
> >>keytab [default]: Bad address
> >>Feb 24 11:04:22 my.host.fake sssd[17406]: Exiting the SSSD. Could not
> >>restart critical service [host.fake].
> >>Feb 24 11:04:22 my.host.fake systemd[1]: sssd.service: control process
> >>exited, code=exited status=1
> >>Feb 24 11:04:22 my.host.fake systemd[1]: Failed to start System Security
> >>Services Daemon.
> >>Feb 24 11:04:22 my.host.fake systemd[1]: Unit sssd.service entered 
> >>failed
> >>state.
> >>Feb 24 11:04:22 my.host.fake systemd[1]: sssd.service failed.
> >>
> >>And just after install process finishes I try:
> >>$ kinit admin
> >>kinit: Improper format of Kerberos configuration file while initializing
> >>Kerberos 5 library
> >I would recommend to check /etc/krb5.conf first. Since the library call
> >SSSD uses to read the keytab will read /etc/krb5.conf as well, this
> >might be the reason for the SSSD issue as well.
> I said keytab, I meant config, which is below included.
> >>>This is the SSSD config file /etc/sssd/sssd.conf, I really meant
> >>>/etc/krb5.conf.
> >>I wonder if it can be one use case where install script/process does not
> >>realize it fails. I did run install on a virtually identical machine,
> >>actually virtual kvm centos and it worked there, only exception is no sssd
> >>there, not sure about 100% though.
> >>
> >>Most worryingly when I try to restart dirsrv@ I see this:
> >>
> >>[  762.293817] ns-slapd[8772]: segfault at 8 ip 7f3186a02b29 sp
> >>7ffe73055d60 error 4 in libipa_pwd_extop.so[7f31869f1000+2a000]
> >>[  779.072156] SELinux: initialized (dev tmpfs, type tmpfs), uses transition
> >>SIDs
> >>[  801.098886] ns-slapd[8958]: segfault at 8 ip 7fe875c5ab29 sp
> >>7ffc2c6c26e0 error 4 in libipa_pwd_extop.so[7fe875c49000+2a000]
> >>
> >>I'm not an expert, it looks pretty regular to me, here krb config:
> >unfortunately it is broken, nearly every line with a '#' is wrong and
> >causes libkrb5 to fail parsing the file. I think this is caused by an
> >issue with authconfig
> >(https://bugzilla.redhat.com/show_bug.cgi?id=1184639). Please try to
> >upgrade to authconfig-6.2.8-10.el7 or higher. Nevertheless I think
> >neither authconfig nor ipa-client-install will be able to fix the broken
> >file completely and you have to delete the following lines manually.
> yes, indeed it seems that when I used authconf (not tui) to disable ldap &
> ssd configs were cleared of # char. I cannot only be sure 100% as I had a
> look at configs after ipa install.
> But I'll also say it would be nice to have kerberos smart and able to digest
> these special cases, handle these chars regardless, no?

no, because it is not about the '#' character, this is handled properly
as a comment. This means there is a dangling '}' because the '{' was
commented out before. The other '#' seems to do no harm but I suggested
to remove them to be on the safe side.

bye,
Sumit

> >>[logging]
> >>  default = FILE:/var/log/krb5libs.log
> >>  kdc = FILE:/var/log/krb5kdc.log
> >>  admin_server = FILE:/var/log/kadmind.log
> >>
> >>[libdefaults]
> >>  default_realm = #
> >^^^ delete ^^^
> >>  dns_lookup_realm = false
> >>  dns_lookup_kdc = true
> >>  rdns = false
> >>  ticket_lifetime = 24h
> >>  forwardable = yes
> >>  udp_preference_limit = 0
> >>  default_ccache_name = KEYRING:persistent:%{uid}
> >>
> >>[realms]
> >>  HOST.FAKE = {
> >>   kdc = my.host.fake:88
> >>   master_kdc = my.host.fake:88
> >>   admin_server = my.host.fake:749
> >>   default_domain = host.fake
> >>   pkinit_anchors = FILE:/etc/ipa/ca.crt
> >>}
> >>
> >>  # = {
> >^^^ delete ^^^
> >>   kdc = my.host.fake:88
> >^^^ delete ^^^
> >>   admin_server = my.host.fake:749
> >^^^ delete ^^^
> >>  }
> >^^^ delete ^^^
> >>[domain_realm]
> >>  .host.fake = HOST.FAKE
> >>  host.fake = HOST.FAKE
> >>
> >>  # = #
> >^^^ delete ^^^
> >>  .# = #
> >^^^ delete ^^^
> >>[dbmodules]
> >>   HOST.FAKE = {
> >> db_library = ipadb.so
> >>   }
> >>
> >bye,
> >Sumit
> >
> >>>bye,
> >>>Sumit
> >>>
> >HTH
> >
> >bye,
> >Sumit
> >
> >>here is keytab server installer created/amended: (one thing that I'm not
> >>sure is the fact that my new "host.fake" domain is different from my
> >>previously existing ldap search
> >>"dc=xxx,dc=" - if it matters at all? 
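
The failure described in the message above (a commented-out `# = {` that leaves a dangling `}`) can be checked for mechanically. The following Python lint is an added example, not part of the original thread and not code from FreeIPA, authconfig or libkrb5; it assumes a simplified model of the krb5.conf syntax, and the names `lint_krb5_conf`, `breaks_parsing` and the finding labels are this example's own.

```python
"""Lint krb5.conf text for the damage discussed in this thread.

Simplified model of the file syntax (an assumption of this example, not
libkrb5's parser): a line whose first non-blank character is '#' or ';' is a
comment, '[name]' starts a section, 'tag = {' opens a subsection and a line
starting with '}' closes it.
"""

# Constructed sample: the damaged parts of the krb5.conf quoted in the thread.
BROKEN = """\
[libdefaults]
  default_realm = #
  dns_lookup_kdc = true

[realms]
  HOST.FAKE = {
   kdc = my.host.fake:88
   admin_server = my.host.fake:749
}

  # = {
   kdc = my.host.fake:88
   admin_server = my.host.fake:749
  }

[domain_realm]
  .host.fake = HOST.FAKE
  # = #
  .# = #
"""

# Finding kinds that this model treats as structural errors.
PARSE_BREAKING = {"dangling-close", "unclosed-subsection", "no-equals"}


def lint_krb5_conf(text):
    """Return sorted (line_number, kind, message) findings for the text."""
    findings = []
    section = None   # name of the current [section]
    open_at = []     # line numbers of 'tag = {' openers not yet closed
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        if line[0] in "#;":
            # A comment. If it hides a subsection opener, the matching '}'
            # further down is left without a partner.
            if line.endswith("{"):
                findings.append((lineno, "commented-open",
                                 "subsection opener is commented out"))
            continue
        if line.startswith("["):
            for opened in open_at:
                findings.append((opened, "unclosed-subsection",
                                 "'{' not closed before next section"))
            open_at = []
            section = line.strip("[]").strip()
            continue
        if line.startswith("}"):
            if open_at:
                open_at.pop()
            else:
                findings.append((lineno, "dangling-close",
                                 "'}' with no open subsection"))
            continue
        tag, sep, value = line.partition("=")
        if not sep:
            findings.append((lineno, "no-equals", "relation without '='"))
            continue
        value = value.strip()
        if value == "{":
            open_at.append(lineno)
        elif value == "#":
            # '#' after '=' is a value, not a comment: a leftover placeholder.
            findings.append((lineno, "placeholder-value",
                             "%s is set to the literal '#'" % tag.strip()))
        elif section == "realms" and not open_at:
            # Directly under [realms] every entry should be 'REALM = {'.
            findings.append((lineno, "orphan-relation",
                             "%s sits outside any realm block" % tag.strip()))
    for opened in open_at:
        findings.append((opened, "unclosed-subsection",
                         "'{' not closed before end of file"))
    return sorted(findings)


def breaks_parsing(findings):
    """True if any finding is a structural error rather than a warning."""
    return any(kind in PARSE_BREAKING for _, kind, _ in findings)


if __name__ == "__main__":
    for lineno, kind, message in lint_krb5_conf(BROKEN):
        print("line %d: %s: %s" % (lineno, kind, message))
```

On the constructed sample the flagged lines are the same ones marked `^^^ delete ^^^` in the thread; only the dangling `}` is reported as structural, the rest as leftovers worth removing.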

Re: [Freeipa-users] installation of ipa-server successful but sssd fails..

2016-02-25 Thread lejeczek

On 25/02/16 08:21, Sumit Bose wrote:

On Wed, Feb 24, 2016 at 05:20:30PM +, lejeczek wrote:

On 24/02/16 14:22, Sumit Bose wrote:

On Wed, Feb 24, 2016 at 12:45:55PM +, lejeczek wrote:

On 24/02/16 11:26, Sumit Bose wrote:

On Wed, Feb 24, 2016 at 11:21:13AM +, lejeczek wrote:

he everybody,
my first tampering with install gets me:

Feb 24 11:04:22 my.host.fake sssd[be[host.fake]][17425]: Starting up
Feb 24 11:04:22 my.host.fake sssd[be[host.fake]][17425]: Failed to read
keytab [default]: Bad address
Feb 24 11:04:22 my.host.fake sssd[17406]: Exiting the SSSD. Could not
restart critical service [host.fake].
Feb 24 11:04:22 my.host.fake systemd[1]: sssd.service: control process
exited, code=exited status=1
Feb 24 11:04:22 my.host.fake systemd[1]: Failed to start System Security
Services Daemon.
Feb 24 11:04:22 my.host.fake systemd[1]: Unit sssd.service entered failed
state.
Feb 24 11:04:22 my.host.fake systemd[1]: sssd.service failed.

And just after install process finishes I try:
$ kinit admin
kinit: Improper format of Kerberos configuration file while initializing
Kerberos 5 library

I would recommend to check /etc/krb5.conf first. Since the library call
SSSD uses to read the keytab will read /etc/krb5.conf as well, this
might be the reason for the SSSD issue as well.

I said keytab, I meant config, which is below included.

This is the SSSD config file /etc/sssd/sssd.conf, I really meant
/etc/krb5.conf.

I wonder if it can be one use case where install script/process does not
realize it fails. I did run install on a virtually identical machine,
actually virtual kvm centos and it worked there, only exception is no sssd
there, not sure about 100% though.

Most worryingly when I try to restart dirsrv@ I see this:

[  762.293817] ns-slapd[8772]: segfault at 8 ip 7f3186a02b29 sp
7ffe73055d60 error 4 in libipa_pwd_extop.so[7f31869f1000+2a000]
[  779.072156] SELinux: initialized (dev tmpfs, type tmpfs), uses transition
SIDs
[  801.098886] ns-slapd[8958]: segfault at 8 ip 7fe875c5ab29 sp
7ffc2c6c26e0 error 4 in libipa_pwd_extop.so[7fe875c49000+2a000]

I'm not an expert, it looks pretty regular to me, here krb config:

unfortunately it is broken, nearly every line with a '#' is wrong and
causes libkrb5 to fail parsing the file. I think this is caused by an
issue with authconfig
(https://bugzilla.redhat.com/show_bug.cgi?id=1184639). Please try to
upgrade to authconfig-6.2.8-10.el7 or higher. Nevertheless I think
neither authconfig nor ipa-client-install will be able to fix the broken
file completely and you have to delete the following lines manually.

yes, indeed it seems that when I used authconf (not tui) to disable ldap &
ssd configs were cleared of # char. I cannot only be sure 100% as I had a
look at configs after ipa install.
But I'll also say it would be nice to have kerberos smart and able to digest
these special cases, handle these chars regardless, no?

[logging]
  default = FILE:/var/log/krb5libs.log
  kdc = FILE:/var/log/krb5kdc.log
  admin_server = FILE:/var/log/kadmind.log

[libdefaults]
  default_realm = #

^^^ delete ^^^

  dns_lookup_realm = false
  dns_lookup_kdc = true
  rdns = false
  ticket_lifetime = 24h
  forwardable = yes
  udp_preference_limit = 0
  default_ccache_name = KEYRING:persistent:%{uid}

[realms]
  HOST.FAKE = {
   kdc = my.host.fake:88
   master_kdc = my.host.fake:88
   admin_server = my.host.fake:749
   default_domain = host.fake
   pkinit_anchors = FILE:/etc/ipa/ca.crt
}

  # = {

^^^ delete ^^^

   kdc = my.host.fake:88

^^^ delete ^^^

   admin_server = my.host.fake:749

^^^ delete ^^^

  }

^^^ delete ^^^

[domain_realm]
  .host.fake = HOST.FAKE
  host.fake = HOST.FAKE

  # = #

^^^ delete ^^^

  .# = #

^^^ delete ^^^

[dbmodules]
   HOST.FAKE = {
 db_library = ipadb.so
   }


bye,
Sumit


bye,
Sumit


HTH

bye,
Sumit


here is keytab server installer created/amended: (one thing that I'm not
sure is the fact that my new "host.fake" domain is different from my
previously existing ldap search
"dc=xxx,dc=" - if it matters at all? Otherwise I have no clue.

[domain/host.fake]

cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = host.fake
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = my.host.fake
chpass_provider = ipa
ipa_server = my.host.fake
ipa_server_mode = True
ldap_tls_cacert = /etc/ipa/ca.crt
[domain/default]
autofs_provider = ldap
cache_credentials = True
krb5_realm = #
ldap_search_base = dc=xxx,dc=
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldap://my.host.fake:1389/
ldap_id_use_start_tls = True
ldap_tls_cacertdir = /etc/openldap/cacerts

krb5_server = my.host.fake:88
[sssd]
services = nss, sudo, pam, autofs, ssh
config_file_version = 2

domains = host.fake

[nss]
memcache_timeout = 600
homedir_substring = /home


regards.


Re: [Freeipa-users] installation of ipa-server successful but sssd fails..

2016-02-25 Thread Sumit Bose
On Wed, Feb 24, 2016 at 10:27:36PM +, lejeczek wrote:
> 
> 
> On 24/02/16 17:20, lejeczek wrote:
> >On 24/02/16 14:22, Sumit Bose wrote:
> >>On Wed, Feb 24, 2016 at 12:45:55PM +, lejeczek wrote:
> >>>On 24/02/16 11:26, Sumit Bose wrote:
> On Wed, Feb 24, 2016 at 11:21:13AM +, lejeczek wrote:
> >he everybody,
> >my first tampering with install gets me:
> >
> >Feb 24 11:04:22 my.host.fake sssd[be[host.fake]][17425]: Starting
> >up
> >Feb 24 11:04:22 my.host.fake sssd[be[host.fake]][17425]: Failed to
> >read
> >keytab [default]: Bad address
> >Feb 24 11:04:22 my.host.fake sssd[17406]: Exiting the SSSD. Could
> >not
> >restart critical service [host.fake].
> >Feb 24 11:04:22 my.host.fake systemd[1]: sssd.service: control
> >process
> >exited, code=exited status=1
> >Feb 24 11:04:22 my.host.fake systemd[1]: Failed to start System
> >Security
> >Services Daemon.
> >Feb 24 11:04:22 my.host.fake systemd[1]: Unit sssd.service entered
> >failed
> >state.
> >Feb 24 11:04:22 my.host.fake systemd[1]: sssd.service failed.
> >
> >And just after install process finishes I try:
> >$ kinit admin
> >kinit: Improper format of Kerberos configuration file while
> >initializing
> >Kerberos 5 library
> I would recommend to check /etc/krb5.conf first. Since the library
> call
> SSSD uses to read the keytab will read /etc/krb5.conf as well, this
> might be the reason for the SSSD issue as well.
> >>>I said keytab, I meant config, which is below included.
> >>This is the SSSD config file /etc/sssd/sssd.conf, I really meant
> >>/etc/krb5.conf.
> >I wonder if it can be one use case where install script/process does not
> >realize it fails. I did run install on a virtually identical machine,
> >actually virtual kvm centos and it worked there, only exception is no sssd
> >there, not sure about 100% though.
> >
> ok, this problem seems to be a valid candidate for bugzilla, and it should
> be easy to reproduce, I'd guess you Sumit might be interested.
> How to - just have your sssd already configured to use an ldap backend for
> both password & users, have your (open)ldap run on non-conflicting ports and
> then try:
> $ ipa-server-install -p ${myPass} -a ${myPass} --setup-dns --no-forwarders
> process completes without errors but sssd fails and kerberos won't work.
> Suffices to disable ldap & sssd in authentication pipeline (prior to ipa
> installer run) and installer successfully sets up sssd and kerberos works.
> That error:
> Failed to read keytab [default]: Bad address
> was saying a lot, that was default domain in sssd conf which was set up to
> ldap, and ipa installer was doing something with it.
> I'm only puzzled nobody stumbled upon it earlier.
> What do you think Sumit?
> I'm going to dive deeper into ipa to see if it really is okay now.

Please see my other email about the issues in krb5.conf and authconfig.
Kerberos is one of the most basic parts of IPA and a broken krb5.conf
may cause all kinds of issues. Please fix krb5.conf first before trying
anything else.

bye,
Sumit

> 
> >Most worryingly when I try to restart dirsrv@ I see this:
> >
> >[  762.293817] ns-slapd[8772]: segfault at 8 ip 7f3186a02b29 sp
> >7ffe73055d60 error 4 in libipa_pwd_extop.so[7f31869f1000+2a000]
> >[  779.072156] SELinux: initialized (dev tmpfs, type tmpfs), uses
> >transition SIDs
> >[  801.098886] ns-slapd[8958]: segfault at 8 ip 7fe875c5ab29 sp
> >7ffc2c6c26e0 error 4 in libipa_pwd_extop.so[7fe875c49000+2a000]
> >
> >I'm not an expert, it looks pretty regular to me, here krb config:
> >
> >[logging]
> > default = FILE:/var/log/krb5libs.log
> > kdc = FILE:/var/log/krb5kdc.log
> > admin_server = FILE:/var/log/kadmind.log
> >
> >[libdefaults]
> > default_realm = #
> > dns_lookup_realm = false
> > dns_lookup_kdc = true
> > rdns = false
> > ticket_lifetime = 24h
> > forwardable = yes
> > udp_preference_limit = 0
> > default_ccache_name = KEYRING:persistent:%{uid}
> >
> >[realms]
> > HOST.FAKE = {
> >  kdc = my.host.fake:88
> >  master_kdc = my.host.fake:88
> >  admin_server = my.host.fake:749
> >  default_domain = host.fake
> >  pkinit_anchors = FILE:/etc/ipa/ca.crt
> >}
> >
> > # = {
> >  kdc = my.host.fake:88
> >  admin_server = my.host.fake:749
> > }
> >
> >[domain_realm]
> > .host.fake = HOST.FAKE
> > host.fake = HOST.FAKE
> >
> > # = #
> > .# = #
> >[dbmodules]
> >  HOST.FAKE = {
> >db_library = ipadb.so
> >  }
> >
> >>
> >>bye,
> >>Sumit
> >>
> HTH
> 
> bye,
> Sumit
> 
> >here is keytab server installer created/amended: (one thing that
> >I'm not
> >sure is the fact that my new "host.fake" domain is different from
> >my
> >previously existing ldap search
> >"dc=xxx,dc=" - if it matters at all? Otherwise I have no
> >clue.
> >
> >[domain/host.fake]
> >
> >cache_credentials = True
> >krb5_store_password_if_offline = 

Re: [Freeipa-users] installation of ipa-server successful but sssd fails..

2016-02-25 Thread Sumit Bose
On Wed, Feb 24, 2016 at 05:20:30PM +, lejeczek wrote:
> On 24/02/16 14:22, Sumit Bose wrote:
> >On Wed, Feb 24, 2016 at 12:45:55PM +, lejeczek wrote:
> >>On 24/02/16 11:26, Sumit Bose wrote:
> >>>On Wed, Feb 24, 2016 at 11:21:13AM +, lejeczek wrote:
> he everybody,
> my first tampering with install gets me:
> 
> Feb 24 11:04:22 my.host.fake sssd[be[host.fake]][17425]: Starting up
> Feb 24 11:04:22 my.host.fake sssd[be[host.fake]][17425]: Failed to read
> keytab [default]: Bad address
> Feb 24 11:04:22 my.host.fake sssd[17406]: Exiting the SSSD. Could not
> restart critical service [host.fake].
> Feb 24 11:04:22 my.host.fake systemd[1]: sssd.service: control process
> exited, code=exited status=1
> Feb 24 11:04:22 my.host.fake systemd[1]: Failed to start System Security
> Services Daemon.
> Feb 24 11:04:22 my.host.fake systemd[1]: Unit sssd.service entered failed
> state.
> Feb 24 11:04:22 my.host.fake systemd[1]: sssd.service failed.
> 
> And just after install process finishes I try:
> $ kinit admin
> kinit: Improper format of Kerberos configuration file while initializing
> Kerberos 5 library
> >>>I would recommend to check /etc/krb5.conf first. Since the library call
> >>>SSSD uses to read the keytab will read /etc/krb5.conf as well, this
> >>>might be the reason for the SSSD issue as well.
> >>I said keytab, I meant config, which is below included.
> >This is the SSSD config file /etc/sssd/sssd.conf, I really meant
> >/etc/krb5.conf.
> I wonder if it can be one use case where install script/process does not
> realize it fails. I did run install on a virtually identical machine,
> actually virtual kvm centos and it worked there, only exception is no sssd
> there, not sure about 100% though.
> 
> Most worryingly when I try to restart dirsrv@ I see this:
> 
> [  762.293817] ns-slapd[8772]: segfault at 8 ip 7f3186a02b29 sp
> 7ffe73055d60 error 4 in libipa_pwd_extop.so[7f31869f1000+2a000]
> [  779.072156] SELinux: initialized (dev tmpfs, type tmpfs), uses transition
> SIDs
> [  801.098886] ns-slapd[8958]: segfault at 8 ip 7fe875c5ab29 sp
> 7ffc2c6c26e0 error 4 in libipa_pwd_extop.so[7fe875c49000+2a000]
> 
> I'm not an expert, it looks pretty regular to me, here krb config:

unfortunately it is broken, nearly every line with a '#' is wrong and
causes libkrb5 to fail parsing the file. I think this is caused by an
issue with authconfig
(https://bugzilla.redhat.com/show_bug.cgi?id=1184639). Please try to
upgrade to authconfig-6.2.8-10.el7 or higher. Nevertheless I think
neither authconfig nor ipa-client-install will be able to fix the broken
file completely and you have to delete the following lines manually.

> 
> [logging]
>  default = FILE:/var/log/krb5libs.log
>  kdc = FILE:/var/log/krb5kdc.log
>  admin_server = FILE:/var/log/kadmind.log
> 
> [libdefaults]
>  default_realm = #
   ^^^ delete ^^^
>  dns_lookup_realm = false
>  dns_lookup_kdc = true
>  rdns = false
>  ticket_lifetime = 24h
>  forwardable = yes
>  udp_preference_limit = 0
>  default_ccache_name = KEYRING:persistent:%{uid}
> 
> [realms]
>  HOST.FAKE = {
>   kdc = my.host.fake:88
>   master_kdc = my.host.fake:88
>   admin_server = my.host.fake:749
>   default_domain = host.fake
>   pkinit_anchors = FILE:/etc/ipa/ca.crt
> }
> 
>  # = {
   ^^^ delete ^^^
>   kdc = my.host.fake:88
   ^^^ delete ^^^
>   admin_server = my.host.fake:749
   ^^^ delete ^^^
>  }
   ^^^ delete ^^^
> 
> [domain_realm]
>  .host.fake = HOST.FAKE
>  host.fake = HOST.FAKE
> 
>  # = #
   ^^^ delete ^^^
>  .# = #
   ^^^ delete ^^^
> [dbmodules]
>   HOST.FAKE = {
> db_library = ipadb.so
>   }
> 

bye,
Sumit

> >
> >bye,
> >Sumit
> >
> >>>HTH
> >>>
> >>>bye,
> >>>Sumit
> >>>
> here is keytab server installer created/amended: (one thing that I'm not
> sure is the fact that my new "host.fake" domain is different from my
> previously existing ldap search
> "dc=xxx,dc=" - if it matters at all? Otherwise I have no clue.
> 
> [domain/host.fake]
> 
> cache_credentials = True
> krb5_store_password_if_offline = True
> ipa_domain = host.fake
> id_provider = ipa
> auth_provider = ipa
> access_provider = ipa
> ipa_hostname = my.host.fake
> chpass_provider = ipa
> ipa_server = my.host.fake
> ipa_server_mode = True
> ldap_tls_cacert = /etc/ipa/ca.crt
> [domain/default]
> autofs_provider = ldap
> cache_credentials = True
> krb5_realm = #
> ldap_search_base = dc=xxx,dc=
> id_provider = ldap
> auth_provider = ldap
> chpass_provider = ldap
> ldap_uri = ldap://my.host.fake:1389/
> ldap_id_use_start_tls = True
> ldap_tls_cacertdir = /etc/openldap/cacerts
> 
> krb5_server = my.host.fake:88
> [sssd]
> services = nss, sudo, pam, autofs, ssh
> config_file_version = 2
> 
> domains = host.fake
> 
> [nss]
> memcache_timeout = 
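
Added example, not part of the thread and not code from authconfig or FreeIPA: a small checker that finds the lines Sumit marks "delete" above, i.e. entries where a bare '#' stands in for a realm or domain name, including the whole `# = { ... }` block. The function names are hypothetical, the sample is an abridged copy of the krb5.conf quoted in the thread, and the matching is a heuristic for this pattern rather than libkrb5's own parser.

```python
import re

# Abridged copy of the /etc/krb5.conf quoted in the thread (sample input).
SAMPLE_KRB5_CONF = """\
[libdefaults]
 default_realm = #
 dns_lookup_kdc = true
 default_ccache_name = KEYRING:persistent:%{uid}

[realms]
 HOST.FAKE = {
  kdc = my.host.fake:88
  admin_server = my.host.fake:749
 }

 # = {
  kdc = my.host.fake:88
  admin_server = my.host.fake:749
 }

[domain_realm]
 .host.fake = HOST.FAKE
 host.fake = HOST.FAKE

 # = #
 .# = #
[dbmodules]
  HOST.FAKE = {
   db_library = ipadb.so
  }
"""

# A bare "#" (or ".#") standing where a realm or domain name belongs.
PLACEHOLDER = re.compile(r"^\.?#$")


def find_placeholder_lines(text):
    """Return 1-based numbers of lines written with '#' as a name or value."""
    flagged = []
    in_bad_block = False  # True while inside a "# = { ... }" block
    for number, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if in_bad_block:
            if line.startswith("["):
                in_bad_block = False  # unterminated block: stop at next section
            else:
                flagged.append(number)
                in_bad_block = line != "}"
                continue
        if "=" not in line:
            continue  # section headers, braces, blanks, comments without "="
        key, value = (part.strip() for part in line.split("=", 1))
        if PLACEHOLDER.match(key) and value == "{":
            flagged.append(number)
            in_bad_block = True
        elif PLACEHOLDER.match(key) or PLACEHOLDER.match(value):
            flagged.append(number)
    return flagged


def remove_lines(text, numbers):
    """Return text without the given 1-based line numbers."""
    drop = set(numbers)
    kept = [l for n, l in enumerate(text.splitlines(), start=1) if n not in drop]
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    lines = SAMPLE_KRB5_CONF.splitlines()
    for n in find_placeholder_lines(SAMPLE_KRB5_CONF):
        print(f"delete line {n}: {lines[n - 1]!r}")
```

Run it against a copy of the file and review the flagged lines before deleting anything from /etc/krb5.conf itself.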

Re: [Freeipa-users] installation of ipa-server successful but sssd fails..

2016-02-24 Thread lejeczek



On 24/02/16 17:20, lejeczek wrote:

On 24/02/16 14:22, Sumit Bose wrote:

On Wed, Feb 24, 2016 at 12:45:55PM +, lejeczek wrote:

On 24/02/16 11:26, Sumit Bose wrote:

On Wed, Feb 24, 2016 at 11:21:13AM +, lejeczek wrote:

he everybody,
my first tampering with install gets me:

Feb 24 11:04:22 my.host.fake sssd[be[host.fake]][17425]: Starting up
Feb 24 11:04:22 my.host.fake sssd[be[host.fake]][17425]: Failed to read keytab [default]: Bad address
Feb 24 11:04:22 my.host.fake sssd[17406]: Exiting the SSSD. Could not restart critical service [host.fake].
Feb 24 11:04:22 my.host.fake systemd[1]: sssd.service: control process exited, code=exited status=1
Feb 24 11:04:22 my.host.fake systemd[1]: Failed to start System Security Services Daemon.
Feb 24 11:04:22 my.host.fake systemd[1]: Unit sssd.service entered failed state.
Feb 24 11:04:22 my.host.fake systemd[1]: sssd.service failed.


And just after install process finishes I try:
$ kinit admin
kinit: Improper format of Kerberos configuration file while initializing Kerberos 5 library

I would recommend to check /etc/krb5.conf first. Since the library call
SSSD uses the read the keytab will read /etc/krb5.conf as well, this
might be the reason for the SSSD issue as well.

I said keytab, I meant config, which is below included.

This is the SSSD config file /etc/sssd/sssd.conf, I really meant
/etc/krb5.conf.

I wonder if it can be one use case where install script/process does not
realize it fails. I did run install on a virtually identical machine,
actually virtual kvm centos and it worked there, only exception is no sssd
there, not sure about 100% though.


ok, this problem seems to be a valid candidate for bugzilla, and it
should be easy to reproduce, I'd guess you Sumit might be interested.
How to - just have your sssd already configured to use an ldap backend
for both password & users, have your (open)ldap run on non-conflicting
ports and then try:
$ ipa-server-install -p ${myPass} -a ${myPass} --setup-dns --no-forwarders
process completes without errors but sssd fails and kerberos won't work.
Suffices to disable ldap & sssd in authentication pipeline (prior to ipa
installer run) and installer successfully sets up sssd and kerberos
works.

That error:
Failed to read keytab [default]: Bad address
was saying a lot, that was default domain in sssd conf which was set up
to ldap, and ipa installer was doing something with it.

I'm only puzzled nobody stumbled upon it earlier.
What do you think Sumit?
I'm going to dive deeper into ipa to see if it really is okay now.



Most worryingly when I try to restart dirsrv@ I see this:

[  762.293817] ns-slapd[8772]: segfault at 8 ip 7f3186a02b29 sp 7ffe73055d60 error 4 in libipa_pwd_extop.so[7f31869f1000+2a000]
[  779.072156] SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
[  801.098886] ns-slapd[8958]: segfault at 8 ip 7fe875c5ab29 sp 7ffc2c6c26e0 error 4 in libipa_pwd_extop.so[7fe875c49000+2a000]


I'm not an expert, it looks pretty regular to me, here krb 
config:


[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = #
 dns_lookup_realm = false
 dns_lookup_kdc = true
 rdns = false
 ticket_lifetime = 24h
 forwardable = yes
 udp_preference_limit = 0
 default_ccache_name = KEYRING:persistent:%{uid}

[realms]
 HOST.FAKE = {
  kdc = my.host.fake:88
  master_kdc = my.host.fake:88
  admin_server = my.host.fake:749
  default_domain = host.fake
  pkinit_anchors = FILE:/etc/ipa/ca.crt
}

 # = {
  kdc = my.host.fake:88
  admin_server = my.host.fake:749
 }

[domain_realm]
 .host.fake = HOST.FAKE
 host.fake = HOST.FAKE

 # = #
 .# = #
[dbmodules]
  HOST.FAKE = {
db_library = ipadb.so
  }



bye,
Sumit


HTH

bye,
Sumit

here is keytab server installer created/amended: (one thing that I'm not
sure is the fact that my new "host.fake" domain is different from my
previously existing ldap search
"dc=xxx,dc=" - if it matters at all? Otherwise I have no clue.


[domain/host.fake]

cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = host.fake
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = my.host.fake
chpass_provider = ipa
ipa_server = my.host.fake
ipa_server_mode = True
ldap_tls_cacert = /etc/ipa/ca.crt
[domain/default]
autofs_provider = ldap
cache_credentials = True
krb5_realm = #
ldap_search_base = dc=xxx,dc=
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldap://my.host.fake:1389/
ldap_id_use_start_tls = True
ldap_tls_cacertdir = /etc/openldap/cacerts

krb5_server = my.host.fake:88
[sssd]
services = nss, sudo, pam, autofs, ssh
config_file_version = 2

domains = host.fake

[nss]
memcache_timeout = 600
homedir_substring = /home


regards.



Re: [Freeipa-users] installation of ipa-server successful but sssd fails..

2016-02-24 Thread lejeczek

On 24/02/16 14:22, Sumit Bose wrote:

On Wed, Feb 24, 2016 at 12:45:55PM +, lejeczek wrote:

On 24/02/16 11:26, Sumit Bose wrote:

On Wed, Feb 24, 2016 at 11:21:13AM +, lejeczek wrote:

he everybody,
my first tampering with install gets me:

Feb 24 11:04:22 my.host.fake sssd[be[host.fake]][17425]: Starting up
Feb 24 11:04:22 my.host.fake sssd[be[host.fake]][17425]: Failed to read
keytab [default]: Bad address
Feb 24 11:04:22 my.host.fake sssd[17406]: Exiting the SSSD. Could not
restart critical service [host.fake].
Feb 24 11:04:22 my.host.fake systemd[1]: sssd.service: control process
exited, code=exited status=1
Feb 24 11:04:22 my.host.fake systemd[1]: Failed to start System Security
Services Daemon.
Feb 24 11:04:22 my.host.fake systemd[1]: Unit sssd.service entered failed
state.
Feb 24 11:04:22 my.host.fake systemd[1]: sssd.service failed.

And just after install process finishes I try:
$ kinit admin
kinit: Improper format of Kerberos configuration file while initializing
Kerberos 5 library

I would recommend to check /etc/krb5.conf first. Since the library call
SSSD uses the read the keytab will read /etc/krb5.conf as well, this
might be the reason for the SSSD issue as well.

I said keytab, I meant config, which is below included.

This is the SSSD config file /etc/sssd/sssd.conf, I really meant
/etc/krb5.conf.
I wonder if it can be one use case where install 
script/process does not realize it fails. I did run install 
on a virtually identical machine, actually virtual kvm 
centos and it worked there, only exception is no sssd there, 
not sure about 100% though.


Most worryingly when I try to restart dirsrv@ I see this:

[  762.293817] ns-slapd[8772]: segfault at 8 ip 7f3186a02b29 sp 7ffe73055d60 error 4 in libipa_pwd_extop.so[7f31869f1000+2a000]
[  779.072156] SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
[  801.098886] ns-slapd[8958]: segfault at 8 ip 7fe875c5ab29 sp 7ffc2c6c26e0 error 4 in libipa_pwd_extop.so[7fe875c49000+2a000]


I'm not an expert, it looks pretty regular to me, here krb 
config:


[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = #
 dns_lookup_realm = false
 dns_lookup_kdc = true
 rdns = false
 ticket_lifetime = 24h
 forwardable = yes
 udp_preference_limit = 0
 default_ccache_name = KEYRING:persistent:%{uid}

[realms]
 HOST.FAKE = {
  kdc = my.host.fake:88
  master_kdc = my.host.fake:88
  admin_server = my.host.fake:749
  default_domain = host.fake
  pkinit_anchors = FILE:/etc/ipa/ca.crt
}

 # = {
  kdc = my.host.fake:88
  admin_server = my.host.fake:749
 }

[domain_realm]
 .host.fake = HOST.FAKE
 host.fake = HOST.FAKE

 # = #
 .# = #
[dbmodules]
  HOST.FAKE = {
db_library = ipadb.so
  }



bye,
Sumit


HTH

bye,
Sumit


here is keytab server installer created/amended: (one thing that I'm not
sure is the fact that my new "host.fake" domain is different from my
previously existing ldap search
"dc=xxx,dc=" - if it matters at all? Otherwise I have no clue.

[domain/host.fake]

cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = host.fake
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = my.host.fake
chpass_provider = ipa
ipa_server = my.host.fake
ipa_server_mode = True
ldap_tls_cacert = /etc/ipa/ca.crt
[domain/default]
autofs_provider = ldap
cache_credentials = True
krb5_realm = #
ldap_search_base = dc=xxx,dc=
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldap://my.host.fake:1389/
ldap_id_use_start_tls = True
ldap_tls_cacertdir = /etc/openldap/cacerts

krb5_server = my.host.fake:88
[sssd]
services = nss, sudo, pam, autofs, ssh
config_file_version = 2

domains = host.fake

[nss]
memcache_timeout = 600
homedir_substring = /home


regards.

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project



Re: [Freeipa-users] installation of ipa-server successful but sssd fails..

2016-02-24 Thread Sumit Bose
On Wed, Feb 24, 2016 at 12:45:55PM +, lejeczek wrote:
> On 24/02/16 11:26, Sumit Bose wrote:
> >On Wed, Feb 24, 2016 at 11:21:13AM +, lejeczek wrote:
> >>he everybody,
> >>my first tampering with install gets me:
> >>
> >>Feb 24 11:04:22 my.host.fake sssd[be[host.fake]][17425]: Starting up
> >>Feb 24 11:04:22 my.host.fake sssd[be[host.fake]][17425]: Failed to read
> >>keytab [default]: Bad address
> >>Feb 24 11:04:22 my.host.fake sssd[17406]: Exiting the SSSD. Could not
> >>restart critical service [host.fake].
> >>Feb 24 11:04:22 my.host.fake systemd[1]: sssd.service: control process
> >>exited, code=exited status=1
> >>Feb 24 11:04:22 my.host.fake systemd[1]: Failed to start System Security
> >>Services Daemon.
> >>Feb 24 11:04:22 my.host.fake systemd[1]: Unit sssd.service entered failed
> >>state.
> >>Feb 24 11:04:22 my.host.fake systemd[1]: sssd.service failed.
> >>
> >>And just after install process finishes I try:
> >>$ kinit admin
> >>kinit: Improper format of Kerberos configuration file while initializing
> >>Kerberos 5 library
> >I would recommend to check /etc/krb5.conf first. Since the library call
> >SSSD uses the read the keytab will read /etc/krb5.conf as well, this
> >might be the reason for the SSSD issue as well.
> I said keytab, I meant config, which is below included.

This is the SSSD config file /etc/sssd/sssd.conf, I really meant
/etc/krb5.conf.

bye,
Sumit

> >
> >HTH
> >
> >bye,
> >Sumit
> >
> >>here is keytab server installer created/amended: (one thing that I'm not
> >>sure is the fact that my new "host.fake" domain is different from my
> >>previously existing ldap search
> >>"dc=xxx,dc=" - if it matters at all? Otherwise I have no clue.
> >>
> >>[domain/host.fake]
> >>
> >>cache_credentials = True
> >>krb5_store_password_if_offline = True
> >>ipa_domain = host.fake
> >>id_provider = ipa
> >>auth_provider = ipa
> >>access_provider = ipa
> >>ipa_hostname = my.host.fake
> >>chpass_provider = ipa
> >>ipa_server = my.host.fake
> >>ipa_server_mode = True
> >>ldap_tls_cacert = /etc/ipa/ca.crt
> >>[domain/default]
> >>autofs_provider = ldap
> >>cache_credentials = True
> >>krb5_realm = #
> >>ldap_search_base = dc=xxx,dc=
> >>id_provider = ldap
> >>auth_provider = ldap
> >>chpass_provider = ldap
> >>ldap_uri = ldap://my.host.fake:1389/
> >>ldap_id_use_start_tls = True
> >>ldap_tls_cacertdir = /etc/openldap/cacerts
> >>
> >>krb5_server = my.host.fake:88
> >>[sssd]
> >>services = nss, sudo, pam, autofs, ssh
> >>config_file_version = 2
> >>
> >>domains = host.fake
> >>
> >>[nss]
> >>memcache_timeout = 600
> >>homedir_substring = /home
> >>
> >>
> >>regards.
> >>


Re: [Freeipa-users] installation of ipa-server successful but sssd fails..

2016-02-24 Thread lejeczek

On 24/02/16 11:26, Sumit Bose wrote:

On Wed, Feb 24, 2016 at 11:21:13AM +, lejeczek wrote:

he everybody,
my first tampering with install gets me:

Feb 24 11:04:22 my.host.fake sssd[be[host.fake]][17425]: Starting up
Feb 24 11:04:22 my.host.fake sssd[be[host.fake]][17425]: Failed to read
keytab [default]: Bad address
Feb 24 11:04:22 my.host.fake sssd[17406]: Exiting the SSSD. Could not
restart critical service [host.fake].
Feb 24 11:04:22 my.host.fake systemd[1]: sssd.service: control process
exited, code=exited status=1
Feb 24 11:04:22 my.host.fake systemd[1]: Failed to start System Security
Services Daemon.
Feb 24 11:04:22 my.host.fake systemd[1]: Unit sssd.service entered failed
state.
Feb 24 11:04:22 my.host.fake systemd[1]: sssd.service failed.

And just after install process finishes I try:
$ kinit admin
kinit: Improper format of Kerberos configuration file while initializing
Kerberos 5 library

I would recommend to check /etc/krb5.conf first. Since the library call
SSSD uses the read the keytab will read /etc/krb5.conf as well, this
might be the reason for the SSSD issue as well.

I said keytab, I meant config, which is below included.


HTH

bye,
Sumit


here is keytab server installer created/amended: (one thing that I'm not
sure is the fact that my new "host.fake" domain is different from my
previously existing ldap search
"dc=xxx,dc=" - if it matters at all? Otherwise I have no clue.

[domain/host.fake]

cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = host.fake
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = my.host.fake
chpass_provider = ipa
ipa_server = my.host.fake
ipa_server_mode = True
ldap_tls_cacert = /etc/ipa/ca.crt
[domain/default]
autofs_provider = ldap
cache_credentials = True
krb5_realm = #
ldap_search_base = dc=xxx,dc=
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldap://my.host.fake:1389/
ldap_id_use_start_tls = True
ldap_tls_cacertdir = /etc/openldap/cacerts

krb5_server = my.host.fake:88
[sssd]
services = nss, sudo, pam, autofs, ssh
config_file_version = 2

domains = host.fake

[nss]
memcache_timeout = 600
homedir_substring = /home


regards.



Re: [Freeipa-users] installation of ipa-server successful but sssd fails..

2016-02-24 Thread Sumit Bose
On Wed, Feb 24, 2016 at 11:21:13AM +, lejeczek wrote:
> he everybody,
> my first tampering with install gets me:
> 
> Feb 24 11:04:22 my.host.fake sssd[be[host.fake]][17425]: Starting up
> Feb 24 11:04:22 my.host.fake sssd[be[host.fake]][17425]: Failed to read
> keytab [default]: Bad address
> Feb 24 11:04:22 my.host.fake sssd[17406]: Exiting the SSSD. Could not
> restart critical service [host.fake].
> Feb 24 11:04:22 my.host.fake systemd[1]: sssd.service: control process
> exited, code=exited status=1
> Feb 24 11:04:22 my.host.fake systemd[1]: Failed to start System Security
> Services Daemon.
> Feb 24 11:04:22 my.host.fake systemd[1]: Unit sssd.service entered failed
> state.
> Feb 24 11:04:22 my.host.fake systemd[1]: sssd.service failed.
> 
> And just after install process finishes I try:
> $ kinit admin
> kinit: Improper format of Kerberos configuration file while initializing
> Kerberos 5 library

I would recommend to check /etc/krb5.conf first. Since the library call
SSSD uses to read the keytab will read /etc/krb5.conf as well, this
might be the reason for the SSSD issue as well.

HTH

bye,
Sumit

> 
> here is keytab server installer created/amended: (one thing that I'm not
> sure is the fact that my new "host.fake" domain is different from my
> previously existing ldap search
> "dc=xxx,dc=" - if it matters at all? Otherwise I have no clue.
> 
> [domain/host.fake]
> 
> cache_credentials = True
> krb5_store_password_if_offline = True
> ipa_domain = host.fake
> id_provider = ipa
> auth_provider = ipa
> access_provider = ipa
> ipa_hostname = my.host.fake
> chpass_provider = ipa
> ipa_server = my.host.fake
> ipa_server_mode = True
> ldap_tls_cacert = /etc/ipa/ca.crt
> [domain/default]
> autofs_provider = ldap
> cache_credentials = True
> krb5_realm = #
> ldap_search_base = dc=xxx,dc=
> id_provider = ldap
> auth_provider = ldap
> chpass_provider = ldap
> ldap_uri = ldap://my.host.fake:1389/
> ldap_id_use_start_tls = True
> ldap_tls_cacertdir = /etc/openldap/cacerts
> 
> krb5_server = my.host.fake:88
> [sssd]
> services = nss, sudo, pam, autofs, ssh
> config_file_version = 2
> 
> domains = host.fake
> 
> [nss]
> memcache_timeout = 600
> homedir_substring = /home
> 
> 
> regards.
> 


[Freeipa-users] installation of ipa-server successful but sssd fails..

2016-02-24 Thread lejeczek

he everybody,
my first tampering with install gets me:

Feb 24 11:04:22 my.host.fake sssd[be[host.fake]][17425]: Starting up
Feb 24 11:04:22 my.host.fake sssd[be[host.fake]][17425]: Failed to read keytab [default]: Bad address
Feb 24 11:04:22 my.host.fake sssd[17406]: Exiting the SSSD. Could not restart critical service [host.fake].
Feb 24 11:04:22 my.host.fake systemd[1]: sssd.service: control process exited, code=exited status=1
Feb 24 11:04:22 my.host.fake systemd[1]: Failed to start System Security Services Daemon.
Feb 24 11:04:22 my.host.fake systemd[1]: Unit sssd.service entered failed state.
Feb 24 11:04:22 my.host.fake systemd[1]: sssd.service failed.

And just after install process finishes I try:
$ kinit admin
kinit: Improper format of Kerberos configuration file while initializing Kerberos 5 library


here is keytab server installer created/amended: (one thing 
that I'm not sure is the fact that my new "host.fake" domain 
is different from my previously existing ldap search
"dc=xxx,dc=" - if it matters at all? Otherwise I 
have no clue.


[domain/host.fake]

cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = host.fake
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = my.host.fake
chpass_provider = ipa
ipa_server = my.host.fake
ipa_server_mode = True
ldap_tls_cacert = /etc/ipa/ca.crt
[domain/default]
autofs_provider = ldap
cache_credentials = True
krb5_realm = #
ldap_search_base = dc=xxx,dc=
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldap://my.host.fake:1389/
ldap_id_use_start_tls = True
ldap_tls_cacertdir = /etc/openldap/cacerts

krb5_server = my.host.fake:88
[sssd]
services = nss, sudo, pam, autofs, ssh
config_file_version = 2

domains = host.fake

[nss]
memcache_timeout = 600
homedir_substring = /home


regards.
