[Freeipa-users] installation of ipa-server successful but sssd fails..

lejeczek peljasz at yahoo.co.uk
Wed Feb 24 17:20:30 UTC 2016


On 24/02/16 14:22, Sumit Bose wrote:
> On Wed, Feb 24, 2016 at 12:45:55PM +0000, lejeczek wrote:
>> On 24/02/16 11:26, Sumit Bose wrote:
>>> On Wed, Feb 24, 2016 at 11:21:13AM +0000, lejeczek wrote:
>>>> Hi everybody,
>>>> my first tampering with install gets me:
>>>>
>>>> Feb 24 11:04:22 my.host.fake sssd[be[host.fake]][17425]: Starting up
>>>> Feb 24 11:04:22 my.host.fake sssd[be[host.fake]][17425]: Failed to read
>>>> keytab [default]: Bad address
>>>> Feb 24 11:04:22 my.host.fake sssd[17406]: Exiting the SSSD. Could not
>>>> restart critical service [host.fake].
>>>> Feb 24 11:04:22 my.host.fake systemd[1]: sssd.service: control process
>>>> exited, code=exited status=1
>>>> Feb 24 11:04:22 my.host.fake systemd[1]: Failed to start System Security
>>>> Services Daemon.
>>>> Feb 24 11:04:22 my.host.fake systemd[1]: Unit sssd.service entered failed
>>>> state.
>>>> Feb 24 11:04:22 my.host.fake systemd[1]: sssd.service failed.
>>>>
>>>> And just after install process finishes I try:
>>>> $ kinit admin
>>>> kinit: Improper format of Kerberos configuration file while initializing
>>>> Kerberos 5 library
>>> I would recommend checking /etc/krb5.conf first. Since the library call
>>> SSSD uses to read the keytab will read /etc/krb5.conf as well, this
>>> might be the reason for the SSSD issue as well.
>> I said keytab, I meant config, which is below included.
> This is the SSSD config file /etc/sssd/sssd.conf, I really meant
> /etc/krb5.conf.
I wonder if this can be a case where the install script/process
does not realize it fails. I did run the install on a virtually
identical machine, actually a virtual KVM CentOS, and it worked
there; the only exception is no sssd there, though I'm not 100%
sure.

Most worryingly when I try to restart dirsrv@ I see this:

[  762.293817] ns-slapd[8772]: segfault at 8 ip 00007f3186a02b29 sp 00007ffe73055d60 error 4 in libipa_pwd_extop.so[7f31869f1000+2a000]
[  779.072156] SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
[  801.098886] ns-slapd[8958]: segfault at 8 ip 00007fe875c5ab29 sp 00007ffc2c6c26e0 error 4 in libipa_pwd_extop.so[7fe875c49000+2a000]

I'm not an expert; it looks pretty regular to me. Here is the krb
config:

[logging]
  default = FILE:/var/log/krb5libs.log
  kdc = FILE:/var/log/krb5kdc.log
  admin_server = FILE:/var/log/kadmind.log

[libdefaults]
  default_realm = #
  dns_lookup_realm = false
  dns_lookup_kdc = true
  rdns = false
  ticket_lifetime = 24h
  forwardable = yes
  udp_preference_limit = 0
  default_ccache_name = KEYRING:persistent:%{uid}

[realms]
  HOST.FAKE = {
   kdc = my.host.fake:88
   master_kdc = my.host.fake:88
   admin_server = my.host.fake:749
   default_domain = host.fake
   pkinit_anchors = FILE:/etc/ipa/ca.crt
}

  # = {
   kdc = my.host.fake:88
   admin_server = my.host.fake:749
  }

[domain_realm]
  .host.fake = HOST.FAKE
  host.fake = HOST.FAKE

  # = #
  .# = #
[dbmodules]
   HOST.FAKE = {
     db_library = ipadb.so
   }

>
> bye,
> Sumit
>
>>> HTH
>>>
>>> bye,
>>> Sumit
>>>
>>>> Here is the keytab the server installer created/amended. (One thing that
>>>> I'm not sure about is the fact that my new "host.fake" domain is different
>>>> from my previously existing ldap search
>>>> "dc=xxx,dc=zzzzzzzz" - if it matters at all?) Otherwise I have no clue.
>>>>
>>>> [domain/host.fake]
>>>>
>>>> cache_credentials = True
>>>> krb5_store_password_if_offline = True
>>>> ipa_domain = host.fake
>>>> id_provider = ipa
>>>> auth_provider = ipa
>>>> access_provider = ipa
>>>> ipa_hostname = my.host.fake
>>>> chpass_provider = ipa
>>>> ipa_server = my.host.fake
>>>> ipa_server_mode = True
>>>> ldap_tls_cacert = /etc/ipa/ca.crt
>>>> [domain/default]
>>>> autofs_provider = ldap
>>>> cache_credentials = True
>>>> krb5_realm = #
>>>> ldap_search_base = dc=xxx,dc=zzzzzzzz
>>>> id_provider = ldap
>>>> auth_provider = ldap
>>>> chpass_provider = ldap
>>>> ldap_uri = ldap://my.host.fake:1389/
>>>> ldap_id_use_start_tls = True
>>>> ldap_tls_cacertdir = /etc/openldap/cacerts
>>>>
>>>> krb5_server = my.host.fake:88
>>>> [sssd]
>>>> services = nss, sudo, pam, autofs, ssh
>>>> config_file_version = 2
>>>>
>>>> domains = host.fake
>>>>
>>>> [nss]
>>>> memcache_timeout = 600
>>>> homedir_substring = /home
>>>>
>>>>
>>>> regards.
>>>>
>>>> -- 
>>>> Manage your subscription for the Freeipa-users mailing list:
>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>> Go to http://freeipa.org for more info on the project
>> -- 
>> Manage your subscription for the Freeipa-users mailing list:
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>> Go to http://freeipa.org for more info on the project
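
A check for the step Sumit recommends above (inspect /etc/krb5.conf first), added here as an example and not code from the thread, FreeIPA or SSSD: it lints krb5.conf text for the `#` realm entries visible in the posted file and for a default_realm that has no [realms] entry. `lint_krb5_conf` is a hypothetical helper, the sample is constructed from the posted config, and treating `#` as an unfilled placeholder is an assumption; the thread does not state what caused the kinit error.

```python
import re

# Constructed sample: the realm-related lines of the krb5.conf posted above.
SAMPLE = """\
[libdefaults]
  default_realm = #
[realms]
  HOST.FAKE = {
   kdc = my.host.fake:88
}
  # = {
   kdc = my.host.fake:88
  }
[domain_realm]
  .host.fake = HOST.FAKE
  # = #
  .# = #
"""

RELATION = re.compile(r"^(\S+)\s*=\s*(.*)$")

def lint_krb5_conf(text):
    """Return sorted (line_no, message) findings; hypothetical helper, not an IPA or SSSD tool."""
    findings, realms, default, section, depth = [], set(), None, None, 0
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or raw[0] in "#;":        # blank line or column-0 comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section, depth = line[1:-1], 0    # new section resets nesting
            continue
        if line == "}":
            depth -= 1
            continue
        m = RELATION.match(line)
        if not m:
            continue                          # indented comment or free text: not judged here
        tag, value = m.group(1), m.group(2).strip()
        if tag.lstrip(".") == "#" or value == "#":   # assumption: '#' is an unfilled placeholder
            findings.append((no, f"placeholder '#' in [{section}]: {line}"))
        elif section == "realms" and depth == 0 and value == "{":
            realms.add(tag)                   # a top-level realm definition
        elif section == "libdefaults" and tag == "default_realm":
            default = (no, value)
        if value == "{":
            depth += 1
    if default and default[1] not in realms:
        findings.append((default[0], f"default_realm {default[1]} has no [realms] entry"))
    return sorted(findings)
```

On a real host the input would be the contents of /etc/krb5.conf; any finding is a line to review by hand before restarting sssd or retrying kinit.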
