[Freeipa-users] FreeIPA and Samba4

Troels Hansen th at casalogic.dk
Wed Nov 4 14:34:49 UTC 2015 

OK, i have gotten my SID generation to run.
However, on the migrated users I'm unable to do a pdbedit -L
I get:

pdbedit -Lv th
doing parameter max log size = 50
doing parameter add machine script = /usr/sbin/smbldap-useradd -w "%u"
doing parameter socket options = TCP_NODELAY IPTOS_LOWDELAY SO_SNDBUF=8192 SO_RCVBUF=8192
doing parameter printing = cups
doing parameter printcap name = /etc/printcap
doing parameter load printers = no
pm_process() returned Yes
No builtin backend found, trying to load plugin
Module 'ipasam' loaded
smbldap_open_connection: connection opened
ldap_connect_system: successful connection to the LDAP server
The LDAP server is successfully connected
pdb_init_ipasam: support for pdb_enum_upn_suffixes enabled for domain casalogic.lan
init_sam_from_ldap: Entry found for user: th
Segmentation fault

on the users generated directly in IPA it works.

[root at tinkerbell ~]# pdbedit -Lv kk

I get the same error when calling pdbedit on IPA or differnet Samba server connected with ipasam.

Only difference I can see is that the users causing segfault have a RID from primary range, and the users working have from secondary range, so I suspect that something have gone wrong in my shifting round in the ranges and this somehow causes ipasam to segfault.

Could I just delete the ipaNTSecurityIdentifier directly in LDAP and let the SID generation run again, or do someone have a good idea to have the SID's reset?

----- On Nov 3, 2015, at 8:06 PM, Troels Hansen th at casalogic.dk wrote:

> Hi, I got a bit further.
> I fount the error, being that I had some groups from the old LDAP with gid aroud
> 500, and current ID range i IPA sat to start at 2000, which was my start UID on
> the old LDAP.
> 
> Is it possible to "reset" the base UID/GID that IPA assigns to the next user? I
> can't find it saved in the LDAP anywhere?
> 
> ----- On Nov 3, 2015, at 1:36 PM, Sumit Bose sbose at redhat.com wrote:
> 
>> On Tue, Nov 03, 2015 at 01:09:53PM +0100, Troels Hansen wrote:
>>> Hi again, so I finally got time to look further into this.
>>> 
>>> This task works:
>>> 
>>> dn: cn=$TIME-$FQDN-$LIBARCH,cn=ipa-sidgen-task,cn=tasks,cn=config
>>> add:objectclass:top,extensibleObject
>>> add:cn:$TIME-$FQDN-$LIBARCH
>>> add:nsslapd-basedn:"$SUFFIX"
>>> add:delay:0
>>> add:ttl:3600
>>> 
>>> However, the task gets generated, but no output can be pulled from the task:
>>> 
>>> ldapsearch -D "cn=Directory Manager" -W -b
>>> 'cn=1446551851-kenai.casalogic.lan-64,cn=ipa-sidgen-task,cn=tasks,cn=config'
>>> Enter LDAP Password:
>>> # extended LDIF
>>> #
>>> # LDAPv3
>>> # base
>>> <cn=1446551851-kenai.casalogic.lan-64,cn=ipa-sidgen-task,cn=tasks,cn=config>
>>> with scope subtree
>>> # filter: (objectclass=*)
>>> # requesting: ALL
>>> #
>>> 
>>> # 1446551851-kenai.casalogic.lan-64, ipa-sidgen-task, tasks, config
>>> dn: cn=1446551851-kenai.casalogic.lan-64,cn=ipa-sidgen-task,cn=tasks,cn=config
>>> objectClass: top
>>> objectClass: extensibleObject
>>> nsslapd-basedn: dc=casalogic,dc=lan
>>> delay: 0
>>> cn: 1446551851-kenai.casalogic.lan-64
>>> ttl: 3600
>>> nstaskcurrentitem: 1
>>> nstasktotalitems: 1
>>> nstaskexitcode: 32
>>> 
>>> # search result
>>> search: 2
>>> result: 0 Success
>>> 
>>> # numResponses: 2
>>> # numEntries:
>>> 
>>> Only a exitcode 32
>>> The nstaskcurrentitem and nstasktotalitems remains the same till the task
>>> disappeares.
>>> Any way do debug these taske further to find out which user it stops at, as it
>>> looks like it detects an error at one user and stops the task?
>> 
>> You can activate 'Plug-in debugging' by setting the
>> nsslapd-errorlog-level attribute of cn=config to 65536, see
>> http://www.port389.org/docs/389ds/FAQ/faq.html#troubleshooting for
>> details. Make sure to switch it back to 0 after running the sidgen task
>> because the logging is quite expensive.
>> 
>> HTH
>> 
>> bye,
>> Sumit
>> 
>>> 
>>> ----- On Oct 30, 2015, at 3:19 PM, Alexander Bokovoy abokovoy at redhat.com wrote:
>>> 
>>> > On Fri, 30 Oct 2015, Troels Hansen wrote:
>>> >>
>>> >>
>>> >>
>>> >>> I think it should be
>>> >>> add:nsslapd-basedn: cn=accounts,$SUFFIX
>>> >>> not
>>> >>> add:basedn:"cn=accounts,$SUFFIX"
>>> >>>
>>> >>> this is what sidgen task expects and it returns constraint violation
>>> >>> error if parameters are wrong:
>>> >>>
>>> >>>    str = fetch_attr(e, "nsslapd-basedn", NULL);
>>> >>>    if (str == NULL) {
>>> >>>        LOG_FATAL("Missing nsslapd-basedn!\n");
>>> >>>        *returncode = LDAP_CONSTRAINT_VIOLATION;
>>> >>>        ret = SLAPI_DSE_CALLBACK_ERROR;
>>> >>>        goto done;
>>> >>>    }
>>> >>>
>>> >>
>>> >>I think you are right.
>>> >>Don't know what I have tested, but it brings me a different error, that I didn't
>>> >>see before:
>>> >>
>>> >>ipa.ipapython.ipaldap.IPAdmin: DEBUG: Unhandled LDAPError: OPERATIONS_ERROR:
>>> >>{'desc': 'Operations error'}
>>> >>ipa.ipaserver.install.ldapupdate.LDAPUpdate: ERROR: Add failure Operations
>>> >>error:
>>> >>ipa.ipaserver.install.ipa_ldap_updater.LDAPUpdater_NonUpgrade: INFO: The
>>> >>ipa-ldap-updater command was successful
>>> >>
>>> >>Where did you find the source for the sidgen task? I could try  looking at at it
>>> >>myself, but can't find it.
>>> > You can check it here:
>>> > https://git.fedorahosted.org/cgit/freeipa.git/tree/daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen_task.c#n221
>>> > 
>>> > --
>>> > / Alexander Bokovoy
>>> 
>>> --
>>> Med venlig hilsen
>>> 
>>> Troels Hansen
>>> 
>>> Systemkonsulent
>>> 
>>> Casalogic A/S
>>> 
>>> 
>>> T (+45) 70 20 10 63
>>> 
>>> M (+45) 22 43 71 57
>>> 
>>> Red Hat, SUSE, VMware, Citrix, Novell, Yellowfin BI, EnterpriseDB, Sophos og
>>> meget mere.
>>> 
>>> --
>>> Manage your subscription for the Freeipa-users mailing list:
>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>> > Go to http://freeipa.org for more info on the project
> 
> --
> Med venlig hilsen
> 
> Troels Hansen
> 
> Systemkonsulent
> 
> Casalogic A/S
> 
> 
> T (+45) 70 20 10 63
> 
> M (+45) 22 43 71 57
> 
> Red Hat, SUSE, VMware, Citrix, Novell, Yellowfin BI, EnterpriseDB, Sophos og
> meget mere.
> 
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project

-- 
Med venlig hilsen 

Troels Hansen 

Systemkonsulent 

Casalogic A/S 


T (+45) 70 20 10 63 

M (+45) 22 43 71 57 

Red Hat, SUSE, VMware, Citrix, Novell, Yellowfin BI, EnterpriseDB, Sophos og meget mere.

More information about the Freeipa-users mailing list