[Freeipa-users] multi homed environment

Alexander Bokovoy abokovoy at redhat.com
Fri May 8 13:39:40 UTC 2015


On Fri, 08 May 2015, Andy Thompson wrote:
>> -----Original Message-----
>> From: Alexander Bokovoy [mailto:abokovoy at redhat.com]
>> Sent: Friday, May 8, 2015 8:17 AM
>> To: Andy Thompson
>> Cc: freeipa-users at redhat.com
>> Subject: Re: [Freeipa-users] multi homed environment
>>
>> On Fri, 08 May 2015, Andy Thompson wrote:
>> >I'm trying to roll out IPA in an existing windows environment where
>> >everything is multi homed.  I did not put my IPA server on all the
>> >subnets.
>> >
>> >I'm having an issue with adding a trust to the domain with the error
>> >below
>> >
>> >ipa: ERROR: CIFS server communication error: code "-1073741801",
>> >                  message "Memory allocation error" (both may be
>> >"None")
>> >
>> >DNS I think since it round robins all the existing A records and is
>> >returning IPs out of the local subnet.  I don't know much about windows
>> >dns services but it's got netmask optimization enabled and doing digs
>> >against the service returns the local IP first every time, but pings
>> >return them in any order.
>> >
>> >I've considered adding the DCs to the local hosts file but I'm not sure
>> >if that will solve the problem or not.  Is that a viable fix?
>> >
>> >Anyone have any experience in an environment like this?   Really not
>> >sure what additional problems I will run into with all this multi homed
>> >nonsense.
>> Stop here and make sure you obtained the debugging information as
>> described in
>> http://www.freeipa.org/page/Active_Directory_trust_setup#Debugging_trust
>>
>> Without that information it is hard to tell what is happening.
>>
>> Make also sure to tell exact environment (distribution, version, package
>> versions, etc).
>>
>
>Well things got ugly.  I enabled debug and pointed in the right
>direction, smb failed to start.  Came down to the cifs service was not
>added when I did the adtrust-install.  I tried adding it and it
>complained that it could not find the A record for the host even though
>it was there.  Thinking something was hung up in resolver cache
>possibly I restarted the ipa service and it failed completely.
>
>Ipactl start fails starting smb because of the missing service and
>everything fails from there.
>
>Is there any way to recover from this mess I just made? :)
I assume you have IPA 4.x, i.e. systemd-based environment.

1. Start manually dirsrv@INSTANCE-NAME.service

2. Disable ADTRUST and EXTID services with ipa-ldap-updater.
Note that you SHOULD NOT replace $FOO variables below, they should be as
specified in the resulting file. For ipa-ldap-updater use see its
manual page and my blog:
https://vda.li/en/posts/2015/01/02/playing-with-freeipa-ipa-ldap-updater/

# cat <<'END' >88-disable-adtrust-extid.update
dn: cn=ADTRUST,cn=$FQDN,cn=masters,cn=ipa,cn=etc,$SUFFIX
remove:ipaConfigString:enabledService

dn: cn=EXTID,cn=$FQDN,cn=masters,cn=ipa,cn=etc,$SUFFIX
remove:ipaConfigString:enabledService
END

# ipa-ldap-updater -l ./88-disable-adtrust-extid.update

3. Restart IPA

4. Re-run ipa-adtrust-install and look at the output, including what it
appends to /var/log/ipaserver-install.log.

-- 
/ Alexander Bokovoy
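The recovery steps above, wrapped in a small POSIX sh script, as an added example that is not part of the original thread or of the FreeIPA project. The heredoc delimiter is quoted so that the shell leaves `$FQDN` and `$SUFFIX` literal for ipa-ldap-updater to substitute (an unquoted delimiter silently expands them to empty strings and produces DNs that match nothing), and the file is checked for that before anything is applied. The directory server instance name, the temporary file path and the need for root on the IPA master are assumptions; `ipactl`, `ipa-ldap-updater -l` and `ipa-adtrust-install` are the commands named in the reply.

```shell
#!/bin/sh
# Added example, not from the original post. Recovers an IPA master whose
# ADTRUST/EXTID services were left enabled after a failed ipa-adtrust-install.

write_disable_update() {
    # Write the update file from step 2. The quoted 'END' keeps $FQDN and
    # $SUFFIX as literal text: ipa-ldap-updater fills them in itself.
    out=${1:-88-disable-adtrust-extid.update}
    cat <<'END' >"$out"
dn: cn=ADTRUST,cn=$FQDN,cn=masters,cn=ipa,cn=etc,$SUFFIX
remove:ipaConfigString:enabledService

dn: cn=EXTID,cn=$FQDN,cn=masters,cn=ipa,cn=etc,$SUFFIX
remove:ipaConfigString:enabledService
END
}

write_disable_update_unquoted() {
    # The pitfall: with an unquoted delimiter the shell expands the
    # placeholders (usually to nothing), so the DNs become useless.
    out=$1
    cat <<END >"$out"
dn: cn=ADTRUST,cn=$FQDN,cn=masters,cn=ipa,cn=etc,$SUFFIX
remove:ipaConfigString:enabledService

dn: cn=EXTID,cn=$FQDN,cn=masters,cn=ipa,cn=etc,$SUFFIX
remove:ipaConfigString:enabledService
END
}

check_placeholders_intact() {
    # Succeed only when both placeholders survived unexpanded in the file
    # and exactly the two expected entries are present.
    f=$1
    grep -q 'cn=\$FQDN,' "$f" &&
    grep -q ',\$SUFFIX$' "$f" &&
    [ "$(grep -c '^dn: ' "$f")" -eq 2 ]
}

recover_adtrust() {
    # Steps 1-4 from the reply. $1 is the dirsrv instance name
    # (assumption: the caller supplies it, e.g. EXAMPLE-COM). Needs root.
    instance=$1
    [ -n "$instance" ] || { echo "usage: recover_adtrust INSTANCE-NAME" >&2; return 2; }
    f=$(mktemp) || return 1
    write_disable_update "$f"
    check_placeholders_intact "$f" || {
        echo "placeholders were expanded in $f, refusing to apply" >&2
        return 1
    }
    systemctl start "dirsrv@${instance}.service" || return 1   # step 1
    ipa-ldap-updater -l "$f" || return 1                        # step 2
    ipactl restart || return 1                                  # step 3
    ipa-adtrust-install                                         # step 4
}
```

Run it as `recover_adtrust EXAMPLE-COM` on the master; it aborts before touching LDAP if the generated file does not contain the literal placeholders, which is the failure the quoted delimiter prevents.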