[Freeipa-users] Samba Failing to start (Causing FreeIPA to not start!)
Hi All,

I have been messing around with AD trust installs mainly around doing ntlm_auth for a radius server. However, as I was unable to see some of the needed resources, I thought maybe IPA may need a kick. So I ran the following command `ipactl restart`

# ipactl restart
Restarting Directory Service
Restarting krb5kdc Service
Restarting kadmin Service
Restarting ipa_memcached Service
Restarting httpd Service
Restarting ipa-otpd Service
Starting smb Service
Job for smb.service failed. See 'systemctl status smb.service' and 'journalctl -xn' for details.
Failed to start smb Service
Shutting down
Aborting ipactl

# systemctl status smb.service
smb.service - Samba SMB Daemon
   Loaded: loaded (/usr/lib/systemd/system/smb.service; disabled)
   Active: failed (Result: exit-code) since Wed 2015-07-22 11:01:44 PDT; 20s ago
  Process: 16752 ExecStart=/usr/sbin/smbd $SMBDOPTIONS (code=exited, status=1/FAILURE)
 Main PID: 16752 (code=exited, status=1/FAILURE)
   Status: Starting process...
   CGroup: /system.slice/smb.service

Jul 22 11:01:43 ipa-server-1.foo.bar systemd[1]: Starting Samba SMB Daemon...
Jul 22 11:01:43 ipa-server-1.foo.bar smbd[16751]: [2015/07/22 11:01:43.956721, 0] ../source3/smbd/server.c:1269(main)
Jul 22 11:01:44 ipa-server-1.foo.bar smbd[16752]: GSSAPI client step 1
Jul 22 11:01:44 ipa-server-1.foo.bar smbd[16752]: GSSAPI client step 1
Jul 22 11:01:44 ipa-server-1.foo.bar smbd[16752]: GSSAPI client step 1
Jul 22 11:01:44 ipa-server-1.foo.bar smbd[16752]: GSSAPI client step 2
Jul 22 11:01:44 ipa-server-1.foo.bar systemd[1]: smb.service: main process exited, code=exited, status=1/FAILURE
Jul 22 11:01:44 ipa-server-1.foo.bar systemd[1]: Failed to start Samba SMB Daemon.
Jul 22 11:01:44 ipa-server-1.foo.bar systemd[1]: Unit smb.service entered failed state.

journalctl -xn provides no useful information, however journalctl does... sorta:

Jul 22 11:03:19 ipa-server-1.foo.bar smbd[16903]: [2015/07/22 11:03:19.824614, 0] ipa_sam.c:3574(get_fallback_group_sid)
Jul 22 11:03:19 ipa-server-1.foo.bar smbd[16903]: Missing mandatory attribute ipaNTSecurityIdentifier.
Jul 22 11:03:19 ipa-server-1.foo.bar smbd[16903]: [2015/07/22 11:03:19.824829, 0] ipa_sam.c:4526(pdb_init_ipasam)
Jul 22 11:03:19 ipa-server-1.foo.bar smbd[16903]: Cannot find SID of fallback group.
Jul 22 11:03:19 ipa-server-1.foo.bar smbd[16903]: [2015/07/22 11:03:19.824878, 0] ../source3/passdb/pdb_interface.c:178(make_pdb_method_name)
Jul 22 11:03:19 ipa-server-1.foo.bar smbd[16903]: pdb backend ipasam:ldapi://%2fvar%2frun%2fslapd-CENIC-ORG.socket did not correctly init (error was NT_STATUS_INVALID_PARAMETER)
Jul 22 11:03:19 ipa-server-1.foo.bar systemd[1]: smb.service: main process exited, code=exited, status=1/FAILURE
Jul 22 11:03:19 ipa-server-1.foo.bar systemd[1]: Failed to start Samba SMB Daemon.
Jul 22 11:03:19 ipa-server-1.foo.bar systemd[1]: Unit smb.service entered failed state.

Thanks,
Bill

--
Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] Samba Failing to start (Causing FreeIPA to not start!)
Bill,

Can you let us know what version of FreeIPA you're using? This is most likely due to the occurrence of NT_STATUS_INVALID_PARAMETER, which is most likely a time skew issue between AD and IPA. Can you verify this?

Thanks!

-- Dave

Re: [Freeipa-users] Samba Failing to start (Causing FreeIPA to not start!)
Hi Dave,

There is no actual AD at this time.

Thanks :)

Re: [Freeipa-users] Samba Failing to start (Causing FreeIPA to not start!)
You can try and run 'ipa-adtrust-install' a second time. This might add all attributes smbd needs.

HTH

bye,
Sumit

Re: [Freeipa-users] Samba Failing to start (Causing FreeIPA to not start!)
Hi Alexander,

Thank you for the pointers. However, it seems that I am still not getting the ipaNTSecurityIdentifier returned. Even after re-running the ipa-adtrust-install --add-sids (which I believe it gave me the option for on initial install, and I said yes).

I followed the steps on this site (I believe you directed me there) http://firstyear.id.au/entry/22 and the output from the commands:

[root@ipa-server-2 ~]# kinit admin
Password for ad...@foo.bar:
[root@ipa-server-2 ~]# ldapsearch -Y GSSAPI '(cn=Default SMB Group)'
SASL/GSSAPI authentication started
SASL username: ad...@foo.bar
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base dc=foo,dc=bar (default) with scope subtree
# filter: (cn=Default SMB Group)
# requesting: ALL
#

# Default SMB Group, groups, compat, foo.bar
dn: cn=Default SMB Group,cn=groups,cn=compat,dc=foo,dc=bar
gidNumber: 3512
objectClass: posixGroup
objectClass: top
cn: Default SMB Group

# Default SMB Group, groups, accounts, foo.bar
dn: cn=Default SMB Group,cn=groups,cn=accounts,dc=foo,dc=bar
cn: Default SMB Group
description: Fallback group for primary group RID, do not add users to this gr
 oup
objectClass: top
objectClass: ipaobject
objectClass: posixgroup
ipaUniqueID: 3aa5e9ac-2f37-11e5-9ef4-5254002ece04
gidNumber: 3512

# search result
search: 4
result: 0 Success

# numResponses: 3
# numEntries: 2
[root@ipa-server-2 ~]# kdestroy
[root@ipa-server-2 ~]# kinit -kt /etc/samba/samba.keytab cifs/`hostname`
[root@ipa-server-2 ~]# ldapsearch -Y GSSAPI '(cn=Default SMB Group)'
SASL/GSSAPI authentication started
SASL username: cifs/ipa-server-2.foo@foo.bar
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base dc=foo,dc=bar (default) with scope subtree
# filter: (cn=Default SMB Group)
# requesting: ALL
#

# Default SMB Group, groups, compat, foo.bar
dn: cn=Default SMB Group,cn=groups,cn=compat,dc=foo,dc=bar
gidNumber: 3512
objectClass: posixGroup
objectClass: top
cn: Default SMB Group

# Default SMB Group, groups, accounts, foo.bar
dn: cn=Default SMB Group,cn=groups,cn=accounts,dc=foo,dc=bar
cn: Default SMB Group
description: Fallback group for primary group RID, do not add users to this gr
 oup
objectClass: top
objectClass: ipaobject
objectClass: posixgroup
ipaUniqueID: 3aa5e9ac-2f37-11e5-9ef4-5254002ece04
gidNumber: 3512

# search result
search: 4
result: 0 Success

# numResponses: 3
# numEntries: 2

Thanks,
Bill Graboyes

On 7/22/15 12:53 PM, Alexander Bokovoy wrote:
> On Wed, 22 Jul 2015, William Graboyes wrote:
>> Hi All,
>>
>> I have been messing around with AD trust installs mainly around doing ntlm_auth for a radius server. However, as I was unable to see some of the needed resources, I thought maybe IPA may need a kick.
>
> This is your problem:
>
> Jul 22 11:03:19 ipa-server-1.foo.bar smbd[16903]: [2015/07/22 11:03:19.824614, 0] ipa_sam.c:3574(get_fallback_group_sid)
> Jul 22 11:03:19 ipa-server-1.foo.bar smbd[16903]: Missing mandatory attribute ipaNTSecurityIdentifier.
>
> What did you do?
>
> Try to search as admin and as cifs/`hostname`:
>
> # kinit admin
> # ldapsearch -Y GSSAPI '(cn=Default SMB Group)'
> # kdestroy
> # kinit -kt /etc/samba/samba.keytab cifs/`hostname`
> # ldapsearch -Y GSSAPI '(cn=Default SMB Group)'
>
> If the first one gives you a proper entry with ipaNTSecurityIdentifier and the second one does not return the same entry, you've broken ACIs. If both of them are failing, you need to re-run ipa-adtrust-install --add-sids to fix that.

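The two-search check quoted in the message above can be scripted so the comparison is not done by eye. This is an added example, not part of the original thread or of FreeIPA: the function names `has_sid` and `diagnose`, the verdict strings, and the sample SID value are assumptions, and the LDIF samples are constructed from the output shown in the thread.

```shell
#!/bin/sh
# Added example: classify the admin and cifs/<host> ldapsearch results.

# has_sid: read LDIF on stdin; succeed only if the cn=accounts entry for
# "Default SMB Group" carries ipaNTSecurityIdentifier. LDIF entries are
# separated by blank lines, so awk paragraph mode (RS="") yields one record
# per entry and a SID on another entry (e.g. the cn=compat copy) is ignored.
has_sid() {
    awk '
        BEGIN { RS = ""; FS = "\n"; found = 0 }
        {
            accounts = 0; sid = 0
            for (i = 1; i <= NF; i++) {
                line = tolower($i)
                if (line ~ /^dn: cn=default smb group,cn=groups,cn=accounts,/) accounts = 1
                if (line ~ /^ipantsecurityidentifier:/) sid = 1
            }
            if (accounts && sid) found = 1
        }
        END { exit(found ? 0 : 1) }
    '
}

# diagnose ADMIN_LDIF CIFS_LDIF: apply the rule from the thread.
#   admin sees SID, cifs does not -> ACIs are broken
#   neither sees the SID          -> re-run ipa-adtrust-install --add-sids
diagnose() {
    if printf '%s\n' "$1" | has_sid; then admin=yes; else admin=no; fi
    if printf '%s\n' "$2" | has_sid; then cifs=yes; else cifs=no; fi
    case "$admin/$cifs" in
        yes/yes) echo "ok" ;;
        yes/no)  echo "aci-broken" ;;
        no/no)   echo "sids-missing" ;;
        *)       echo "inconclusive" ;;
    esac
}

# Constructed sample input, modelled on the ldapsearch output in the thread.
COMPAT='dn: cn=Default SMB Group,cn=groups,cn=compat,dc=foo,dc=bar
gidNumber: 3512
cn: Default SMB Group'
ACCOUNTS='dn: cn=Default SMB Group,cn=groups,cn=accounts,dc=foo,dc=bar
cn: Default SMB Group
gidNumber: 3512'
# Constructed SID value, for illustration only.
SID='ipaNTSecurityIdentifier: S-1-5-21-1111111111-2222222222-3333333333-1001'
NL='
'
LDIF_NO_SID="$COMPAT$NL$NL$ACCOUNTS"             # what both searches returned in the thread
LDIF_WITH_SID="$LDIF_NO_SID$NL$SID"              # SID present on the accounts entry
LDIF_COMPAT_SID="$COMPAT$NL$SID$NL$NL$ACCOUNTS"  # SID only on the compat entry

echo "thread case (both searches lack SID): $(diagnose "$LDIF_NO_SID" "$LDIF_NO_SID")"
echo "admin sees SID, cifs does not:        $(diagnose "$LDIF_WITH_SID" "$LDIF_NO_SID")"
echo "both see SID:                         $(diagnose "$LDIF_WITH_SID" "$LDIF_WITH_SID")"

# Live use (after the kinit steps from the thread), e.g.:
#   admin_ldif=$(ldapsearch -Y GSSAPI '(cn=Default SMB Group)')
```

For the output posted in this thread, where neither search returns the attribute, the script reports `sids-missing`.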