[Freeipa-users] ipa-adtrust-install failing at samba restart

2017-04-12 Thread SOLER SANGUESA Miguel
Hello,

I have the same error; can you explain how you fixed it, please?

Thanks & Regards.

[Freeipa-users] ipa-adtrust-install failing at samba restart

2016-07-26 Thread Rolf Brusletto
I've been following the doc here:
https://www.freeipa.org/page/Active_Directory_trust_setup

To get AD Trust set up for auth of our Windows users and vice versa.

I'm getting to the point of running ipa-adtrust-install and getting the
following:


[root@awse-util1 ~]# ipa-adtrust-install --netbios-name=

The log file for this installation can be found in
/var/log/ipaserver-install.log
==
This program will setup components needed to establish trust to AD domains
for
the IPA Server.

This includes:
  * Configure Samba
  * Add trust related objects to IPA LDAP server

To accept the default shown in brackets, press the Enter key.

IPA generated smb.conf detected.
Overwrite smb.conf? [no]: yes
Do you want to enable support for trusted domains in Schema Compatibility
plugin?
This will allow clients older than SSSD 1.9 and non-Linux clients to work
with trusted users.

Enable trusted domains support in slapi-nis? [no]: yes

Configuring cross-realm trusts for IPA server requires password for user
'admin'.
This user is a regular system account used for IPA server administration.

admin password:


WARNING: 52 existing users or groups do not have a SID identifier assigned.
Installer can run a task to have ipa-sidgen Directory Server plugin generate
the SID identifier for all these users. Please note, the in case of a high
number of users and groups, the operation might lead to high replication
traffic and performance degradation. Refer to ipa-adtrust-install(1) man
page
for details.

Do you want to run the ipa-sidgen task? [no]: yes

The following operations may take some minutes to complete.
Please wait until the prompt is returned.

Configuring CIFS
  [1/23]: stopping smbd
  [2/23]: creating samba domain object
Samba domain object already exists
  [3/23]: creating samba config registry
  [4/23]: writing samba config file
  [5/23]: adding cifs Kerberos principal
  [6/23]: adding cifs and host Kerberos principals to the adtrust agents
group
  [7/23]: check for cifs services defined on other replicas
  [8/23]: adding cifs principal to S4U2Proxy targets
cifs principal already targeted, nothing to do.
  [9/23]: adding admin(group) SIDs
Admin SID already set, nothing to do
Admin group SID already set, nothing to do
  [10/23]: adding RID bases
RID bases already set, nothing to do
  [11/23]: updating Kerberos config
'dns_lookup_kdc' already set to 'true', nothing to do.
  [12/23]: activating CLDAP plugin
CLDAP plugin already configured, nothing to do
  [13/23]: activating sidgen task
Sidgen task plugin already configured, nothing to do
  [14/23]: configuring smbd to start on boot
  [15/23]: adding special DNS service records
  [16/23]: enabling trusted domains support for older clients via Schema
Compatibility plugin
  [17/23]: restarting Directory Server to take MS PAC and LDAP plugins
changes into account
  [18/23]: adding fallback group
Fallback group already set, nothing to do
  [19/23]: adding Default Trust View
Default Trust View already exists.
  [20/23]: setting SELinux booleans
  [21/23]: enabling oddjobd
  [22/23]: starting CIFS services
ipa : CRITICAL CIFS services failed to start
  [23/23]: adding SIDs to existing users and groups
ipa : CRITICAL Failed to load ipa-sidgen-task-run.ldif: Command
''/usr/bin/ldapmodify' '-v' '-f' '/tmp/tmpiM6PLp' '-H'
'ldapi://%2fvar%2frun%2fslapd-GLPTRADING-NET.socket' '-Y' 'EXTERNAL''
returned non-zero exit status 1
Done configuring CIFS.

=
Setup complete

You must make sure these network ports are open:
TCP Ports:
  * 138: netbios-dgm
  * 139: netbios-ssn
  * 445: microsoft-ds
UDP Ports:
  * 138: netbios-dgm
  * 139: netbios-ssn
  * 389: (C)LDAP
  * 445: microsoft-ds

=


As well, if I run it with the default settings smbd doesn't start either.

[root@awse-util1 ~]# ipa-adtrust-install --netbios-name=

The log file for this installation can be found in
/var/log/ipaserver-install.log
==
This program will setup components needed to establish trust to AD domains
for
the IPA Server.

This includes:
  * Configure Samba
  * Add trust related objects to IPA LDAP server

To accept the default shown in brackets, press the Enter key.

IPA generated smb.conf detected.
Overwrite smb.conf? [no]: yes
Do you want to enable support for trusted domains in Schema Compatibility
plugin?
This will allow clients older than SSSD 1.9 and non-Linux clients to work
with trusted users.

Enable trusted domains support in slapi-nis? [no]:

Configuring cross-realm trusts for IPA server requires password for user
'admin'.
This user is a regular system account used for IPA server administration.

admin password:


WARNING: 52 existing users or groups do not have a SID identifier assigned.
