[Freeipa-users] installation of ipa-server successful but sssd fails..

lejeczek peljasz at yahoo.co.uk
Wed Feb 24 22:27:36 UTC 2016



On 24/02/16 17:20, lejeczek wrote:
> On 24/02/16 14:22, Sumit Bose wrote:
>> On Wed, Feb 24, 2016 at 12:45:55PM +0000, lejeczek wrote:
>>> On 24/02/16 11:26, Sumit Bose wrote:
>>>> On Wed, Feb 24, 2016 at 11:21:13AM +0000, lejeczek wrote:
>>>>> Hi everybody,
>>>>> my first tampering with install gets me:
>>>>>
>>>>> Feb 24 11:04:22 my.host.fake 
>>>>> sssd[be[host.fake]][17425]: Starting up
>>>>> Feb 24 11:04:22 my.host.fake 
>>>>> sssd[be[host.fake]][17425]: Failed to read
>>>>> keytab [default]: Bad address
>>>>> Feb 24 11:04:22 my.host.fake sssd[17406]: Exiting the 
>>>>> SSSD. Could not
>>>>> restart critical service [host.fake].
>>>>> Feb 24 11:04:22 my.host.fake systemd[1]: sssd.service: 
>>>>> control process
>>>>> exited, code=exited status=1
>>>>> Feb 24 11:04:22 my.host.fake systemd[1]: Failed to 
>>>>> start System Security
>>>>> Services Daemon.
>>>>> Feb 24 11:04:22 my.host.fake systemd[1]: Unit 
>>>>> sssd.service entered failed
>>>>> state.
>>>>> Feb 24 11:04:22 my.host.fake systemd[1]: sssd.service 
>>>>> failed.
>>>>>
>>>>> And just after install process finishes I try:
>>>>> $ kinit admin
>>>>> kinit: Improper format of Kerberos configuration file 
>>>>> while initializing
>>>>> Kerberos 5 library
>>>> I would recommend checking /etc/krb5.conf first. Since 
>>>> the library call
>>>> SSSD uses to read the keytab will read /etc/krb5.conf 
>>>> as well, this
>>>> might be the reason for the SSSD issue as well.
>>> I said keytab, I meant config, which is below included.
>> This is the SSSD config file /etc/sssd/sssd.conf, I 
>> really meant
>> /etc/krb5.conf.
> I wonder if it can be one use case where install 
> script/process does not realize it fails. I did run 
> install on a virtually identical machine, actually virtual 
> kvm centos and it worked there, only exception is no sssd 
> there, not sure about 100% though.
>
OK, this problem seems to be a valid candidate for Bugzilla, 
and it should be easy to reproduce; I'd guess you, Sumit, 
might be interested.
How to: just have your sssd already configured to use an 
ldap backend for both password & users, have your (open)ldap 
run on non-conflicting ports and then try:
$ ipa-server-install -p ${myPass} -a ${myPass} --setup-dns 
--no-forwarders
The process completes without errors but sssd fails and kerberos 
won't work. It suffices to disable ldap & sssd in the 
authentication pipeline (prior to the ipa installer run) and the 
installer successfully sets up sssd and kerberos works.
That error:
Failed to read keytab [default]: Bad address
was saying a lot: that was the default domain in sssd conf, which 
was set up to ldap, and the ipa installer was doing something 
with it.
I'm only puzzled nobody stumbled upon it earlier.
What do you think, Sumit?
I'm going to dive deeper into ipa to see if it really is 
okay now.

> Most worryingly when I try to restart dirsrv@ I see this:
>
> [  762.293817] ns-slapd[8772]: segfault at 8 ip 
> 00007f3186a02b29 sp 00007ffe73055d60 error 4 in 
> libipa_pwd_extop.so[7f31869f1000+2a000]
> [  779.072156] SELinux: initialized (dev tmpfs, type 
> tmpfs), uses transition SIDs
> [  801.098886] ns-slapd[8958]: segfault at 8 ip 
> 00007fe875c5ab29 sp 00007ffc2c6c26e0 error 4 in 
> libipa_pwd_extop.so[7fe875c49000+2a000]
>
> I'm not an expert; it looks pretty regular to me. Here is the krb 
> config:
>
> [logging]
>  default = FILE:/var/log/krb5libs.log
>  kdc = FILE:/var/log/krb5kdc.log
>  admin_server = FILE:/var/log/kadmind.log
>
> [libdefaults]
>  default_realm = #
>  dns_lookup_realm = false
>  dns_lookup_kdc = true
>  rdns = false
>  ticket_lifetime = 24h
>  forwardable = yes
>  udp_preference_limit = 0
>  default_ccache_name = KEYRING:persistent:%{uid}
>
> [realms]
>  HOST.FAKE = {
>   kdc = my.host.fake:88
>   master_kdc = my.host.fake:88
>   admin_server = my.host.fake:749
>   default_domain = host.fake
>   pkinit_anchors = FILE:/etc/ipa/ca.crt
> }
>
>  # = {
>   kdc = my.host.fake:88
>   admin_server = my.host.fake:749
>  }
>
> [domain_realm]
>  .host.fake = HOST.FAKE
>  host.fake = HOST.FAKE
>
>  # = #
>  .# = #
> [dbmodules]
>   HOST.FAKE = {
>     db_library = ipadb.so
>   }
>
>>
>> bye,
>> Sumit
>>
>>>> HTH
>>>>
>>>> bye,
>>>> Sumit
>>>>
>>>>> here is the keytab the server installer created/amended (one 
>>>>> thing that I'm not
>>>>> sure about is the fact that my new "host.fake" domain is 
>>>>> different from my
>>>>> previously existing ldap search
>>>>> "dc=xxx,dc=zzzzzzzz" - if it matters at all?). Otherwise 
>>>>> I have no clue.
>>>>>
>>>>> [domain/host.fake]
>>>>>
>>>>> cache_credentials = True
>>>>> krb5_store_password_if_offline = True
>>>>> ipa_domain = host.fake
>>>>> id_provider = ipa
>>>>> auth_provider = ipa
>>>>> access_provider = ipa
>>>>> ipa_hostname = my.host.fake
>>>>> chpass_provider = ipa
>>>>> ipa_server = my.host.fake
>>>>> ipa_server_mode = True
>>>>> ldap_tls_cacert = /etc/ipa/ca.crt
>>>>> [domain/default]
>>>>> autofs_provider = ldap
>>>>> cache_credentials = True
>>>>> krb5_realm = #
>>>>> ldap_search_base = dc=xxx,dc=zzzzzzzz
>>>>> id_provider = ldap
>>>>> auth_provider = ldap
>>>>> chpass_provider = ldap
>>>>> ldap_uri = ldap://my.host.fake:1389/
>>>>> ldap_id_use_start_tls = True
>>>>> ldap_tls_cacertdir = /etc/openldap/cacerts
>>>>>
>>>>> krb5_server = my.host.fake:88
>>>>> [sssd]
>>>>> services = nss, sudo, pam, autofs, ssh
>>>>> config_file_version = 2
>>>>>
>>>>> domains = host.fake
>>>>>
>>>>> [nss]
>>>>> memcache_timeout = 600
>>>>> homedir_substring = /home
>>>>>
>>>>>
>>>>> regards.
>>>>>
>>>>> -- 
>>>>> Manage your subscription for the Freeipa-users mailing 
>>>>> list:
>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>>> Go to http://freeipa.org for more info on the project
>
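The thread above boils down to two leftovers that ipa-server-install merged rather than replaced: a placeholder realm literally spelled "#" in /etc/krb5.conf (the "# = {" stanza and "# = #" mappings, plus default_realm = #, which is what kinit's "Improper format of Kerberos configuration file" is complaining about) and a stale LDAP [domain/default] section in /etc/sssd/sssd.conf with krb5_realm = #. The script below is an editor-added pre-flight check, not FreeIPA or SSSD project code; it parses both files and flags those leftovers so they can be cleaned up before running the installer. The two config strings are constructed from the snippets posted in this thread (trimmed); on a real host read /etc/krb5.conf and /etc/sssd/sssd.conf instead.

```python
"""Pre-flight check for the failure mode in this thread: a placeholder realm
("#") in krb5.conf and a stale LDAP [domain/default] in sssd.conf left behind
when ipa-server-install merges pre-existing authconfig state.  Editor-added
example, not FreeIPA/SSSD code; sample configs are constructed from the thread."""
import configparser
import re

# Kerberos realm names are upper-case DNS-style names; the literal "#" from
# the posted config therefore fails this pattern and is flagged.
REALM_RE = re.compile(r"^[A-Z0-9][A-Z0-9.-]*$")

# Constructed from the posted krb5.conf ([logging]/[dbmodules] omitted).
KRB5_CONF = """\
[libdefaults]
 default_realm = #

[realms]
 HOST.FAKE = {
  kdc = my.host.fake:88
 }

 # = {
  kdc = my.host.fake:88
 }

[domain_realm]
 host.fake = HOST.FAKE
 # = #
 .# = #
"""

# Constructed from the posted sssd.conf (trimmed to the relevant keys).
SSSD_CONF = """\
[domain/host.fake]
id_provider = ipa
auth_provider = ipa
ipa_server = my.host.fake
[domain/default]
krb5_realm = #
ldap_search_base = dc=xxx,dc=zzzzzzzz
id_provider = ldap
ldap_uri = ldap://my.host.fake:1389/
[sssd]
config_file_version = 2
domains = host.fake
"""


def parse_krb5_conf(text):
    """Minimal MIT krb5 profile parser: {section: {key: value}}, with
    'key = { ... }' blocks as nested dicts.  No 'include' or 'key = *'."""
    result, stack = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        # '# = {' and '# = #' are keys named '#', not comments, so only drop
        # '#'/';' lines that carry no '=' assignment.
        if not line or (line[0] in "#;" and not re.match(r"^#\s*=", line)):
            continue
        if line.startswith("[") and line.endswith("]"):
            stack = [result.setdefault(line[1:-1], {})]
        elif line == "}":
            if len(stack) > 1:
                stack.pop()
        elif "=" in line and stack:
            key, _, value = line.partition("=")
            key, value = key.strip(), value.strip()
            if value == "{":
                stack.append(stack[-1].setdefault(key, {}))
            else:
                stack[-1][key] = value
    return result


def krb5_problems(conf):
    """Findings for a parsed krb5.conf (empty list means it looks sane)."""
    found = []
    realm = conf.get("libdefaults", {}).get("default_realm")
    if not realm or not REALM_RE.match(realm):
        found.append(f"libdefaults.default_realm is {realm!r}")
    for name in conf.get("realms", {}):
        if not REALM_RE.match(name):
            found.append(f"[realms] has invalid realm name {name!r}")
    for domain, name in conf.get("domain_realm", {}).items():
        if not REALM_RE.match(name):
            found.append(f"[domain_realm] maps {domain!r} to invalid realm {name!r}")
    return found


def sssd_problems(text):
    """Flag placeholder realms and domain sections not enabled in [sssd]."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    active = {d.strip() for d in cp.get("sssd", "domains", fallback="").split(",")}
    found = []
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        realm = cp.get(section, "krb5_realm", fallback=None)
        if realm is not None and not REALM_RE.match(realm):
            found.append(f"[{section}] krb5_realm is placeholder {realm!r}")
        if section[len("domain/"):] not in active:
            found.append(f"[{section}] is not enabled in [sssd] domains")
    return found


def run_checks(krb5_text=KRB5_CONF, sssd_text=SSSD_CONF):
    """Run both checks; returns all findings (empty list means clean)."""
    return krb5_problems(parse_krb5_conf(krb5_text)) + sssd_problems(sssd_text)
```

Against the constructed input this reports six findings: the placeholder default_realm, the "#" realm stanza, the two "#" domain_realm mappings, the krb5_realm = # in [domain/default], and the fact that [domain/default] is not listed in domains =. The parser deliberately does not treat a line starting with "#" as a comment when it carries an "=" assignment, because that is exactly the shape of the broken stanza in the thread; a stock comment-stripping parser would silently hide it.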