[Freeipa-users] installation of ipa-server successful but sssd fails..

Sumit Bose sbose at redhat.com
Thu Feb 25 08:21:26 UTC 2016


On Wed, Feb 24, 2016 at 05:20:30PM +0000, lejeczek wrote:
> On 24/02/16 14:22, Sumit Bose wrote:
> >On Wed, Feb 24, 2016 at 12:45:55PM +0000, lejeczek wrote:
> >>On 24/02/16 11:26, Sumit Bose wrote:
> >>>On Wed, Feb 24, 2016 at 11:21:13AM +0000, lejeczek wrote:
> >>>>hi everybody,
> >>>>my first tampering with install gets me:
> >>>>
> >>>>Feb 24 11:04:22 my.host.fake sssd[be[host.fake]][17425]: Starting up
> >>>>Feb 24 11:04:22 my.host.fake sssd[be[host.fake]][17425]: Failed to read
> >>>>keytab [default]: Bad address
> >>>>Feb 24 11:04:22 my.host.fake sssd[17406]: Exiting the SSSD. Could not
> >>>>restart critical service [host.fake].
> >>>>Feb 24 11:04:22 my.host.fake systemd[1]: sssd.service: control process
> >>>>exited, code=exited status=1
> >>>>Feb 24 11:04:22 my.host.fake systemd[1]: Failed to start System Security
> >>>>Services Daemon.
> >>>>Feb 24 11:04:22 my.host.fake systemd[1]: Unit sssd.service entered failed
> >>>>state.
> >>>>Feb 24 11:04:22 my.host.fake systemd[1]: sssd.service failed.
> >>>>
> >>>>And just after install process finishes I try:
> >>>>$ kinit admin
> >>>>kinit: Improper format of Kerberos configuration file while initializing
> >>>>Kerberos 5 library
> >>>I would recommend checking /etc/krb5.conf first. Since the library call
> >>>SSSD uses to read the keytab reads /etc/krb5.conf as well, this
> >>>might be the reason for the SSSD issue as well.
> >>I said keytab, I meant config, which is included below.
> >This is the SSSD config file /etc/sssd/sssd.conf, I really meant
> >/etc/krb5.conf.
> I wonder if it can be one use case where install script/process does not
> realize it fails. I did run install on a virtually identical machine,
> actually virtual kvm centos and it worked there, only exception is no sssd
> there, not sure about 100% though.
> 
> Most worryingly when I try to restart dirsrv@ I see this:
> 
> [  762.293817] ns-slapd[8772]: segfault at 8 ip 00007f3186a02b29 sp
> 00007ffe73055d60 error 4 in libipa_pwd_extop.so[7f31869f1000+2a000]
> [  779.072156] SELinux: initialized (dev tmpfs, type tmpfs), uses transition
> SIDs
> [  801.098886] ns-slapd[8958]: segfault at 8 ip 00007fe875c5ab29 sp
> 00007ffc2c6c26e0 error 4 in libipa_pwd_extop.so[7fe875c49000+2a000]
> 
> I'm not an expert, it looks pretty regular to me, here krb config:

Unfortunately it is broken: nearly every line with a '#' is wrong and
causes libkrb5 to fail parsing the file. I think this is caused by an
issue with authconfig
(https://bugzilla.redhat.com/show_bug.cgi?id=1184639). Please try to
upgrade to authconfig-6.2.8-10.el7 or higher. Nevertheless I think
neither authconfig nor ipa-client-install will be able to fix the broken
file completely, and you have to delete the following lines manually.

> 
> [logging]
>  default = FILE:/var/log/krb5libs.log
>  kdc = FILE:/var/log/krb5kdc.log
>  admin_server = FILE:/var/log/kadmind.log
> 
> [libdefaults]
>  default_realm = #
   ^^^ delete ^^^
>  dns_lookup_realm = false
>  dns_lookup_kdc = true
>  rdns = false
>  ticket_lifetime = 24h
>  forwardable = yes
>  udp_preference_limit = 0
>  default_ccache_name = KEYRING:persistent:%{uid}
> 
> [realms]
>  HOST.FAKE = {
>   kdc = my.host.fake:88
>   master_kdc = my.host.fake:88
>   admin_server = my.host.fake:749
>   default_domain = host.fake
>   pkinit_anchors = FILE:/etc/ipa/ca.crt
> }
> 
>  # = {
   ^^^ delete ^^^
>   kdc = my.host.fake:88
   ^^^ delete ^^^
>   admin_server = my.host.fake:749
   ^^^ delete ^^^
>  }
   ^^^ delete ^^^
> 
> [domain_realm]
>  .host.fake = HOST.FAKE
>  host.fake = HOST.FAKE
> 
>  # = #
   ^^^ delete ^^^
>  .# = #
   ^^^ delete ^^^
> [dbmodules]
>   HOST.FAKE = {
>     db_library = ipadb.so
>   }
> 

bye,
Sumit

> >
> >bye,
> >Sumit
> >
> >>>HTH
> >>>
> >>>bye,
> >>>Sumit
> >>>
> >>>>here is the keytab the server installer created/amended: (one thing that I'm not
> >>>>sure about is the fact that my new "host.fake" domain is different from my
> >>>>previously existing ldap search base
> >>>>"dc=xxx,dc=zzzzzzzz" - if it matters at all? Otherwise I have no clue.
> >>>>
> >>>>[domain/host.fake]
> >>>>
> >>>>cache_credentials = True
> >>>>krb5_store_password_if_offline = True
> >>>>ipa_domain = host.fake
> >>>>id_provider = ipa
> >>>>auth_provider = ipa
> >>>>access_provider = ipa
> >>>>ipa_hostname = my.host.fake
> >>>>chpass_provider = ipa
> >>>>ipa_server = my.host.fake
> >>>>ipa_server_mode = True
> >>>>ldap_tls_cacert = /etc/ipa/ca.crt
> >>>>[domain/default]
> >>>>autofs_provider = ldap
> >>>>cache_credentials = True
> >>>>krb5_realm = #
> >>>>ldap_search_base = dc=xxx,dc=zzzzzzzz
> >>>>id_provider = ldap
> >>>>auth_provider = ldap
> >>>>chpass_provider = ldap
> >>>>ldap_uri = ldap://my.host.fake:1389/
> >>>>ldap_id_use_start_tls = True
> >>>>ldap_tls_cacertdir = /etc/openldap/cacerts
> >>>>
> >>>>krb5_server = my.host.fake:88
> >>>>[sssd]
> >>>>services = nss, sudo, pam, autofs, ssh
> >>>>config_file_version = 2
> >>>>
> >>>>domains = host.fake
> >>>>
> >>>>[nss]
> >>>>memcache_timeout = 600
> >>>>homedir_substring = /home
> >>>>
> >>>>
> >>>>regards.
> >>>>
> >>>>-- 
> >>>>Manage your subscription for the Freeipa-users mailing list:
> >>>>https://www.redhat.com/mailman/listinfo/freeipa-users
> >>>>Go to http://freeipa.org for more info on the project
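The corruption Sumit points at has a recognisable shape: a bare '#' (sometimes with a leading '.') where authconfig should have written a realm or domain name, either as a key, as a value, or as the name of a `{ ... }` subsection. The script below is an added example, not part of this thread and not code from the FreeIPA or authconfig projects; it flags exactly that pattern in a krb5.conf-style file, treats the body of a placeholder-named subsection as belonging to it (so the orphaned `kdc` and `admin_server` lines go with their header, as in the annotated config above), and writes out the file with those lines removed. The sample configuration is constructed from the placeholder hostnames and realm quoted in the thread. It is a detection heuristic for this specific bug, not a reimplementation of libkrb5's profile parser, so it will not catch other kinds of syntax error.

```python
import re

# Constructed sample modelled on the broken /etc/krb5.conf quoted in the thread;
# "my.host.fake" and "HOST.FAKE" are the thread's own placeholders.
SAMPLE_KRB5_CONF = """\
[logging]
 default = FILE:/var/log/krb5libs.log

[libdefaults]
 default_realm = #
 dns_lookup_realm = false
 dns_lookup_kdc = true

[realms]
 HOST.FAKE = {
  kdc = my.host.fake:88
  admin_server = my.host.fake:749
 }

 # = {
  kdc = my.host.fake:88
  admin_server = my.host.fake:749
 }

[domain_realm]
 .host.fake = HOST.FAKE
 host.fake = HOST.FAKE

 # = #
 .# = #
[dbmodules]
  HOST.FAKE = {
    db_library = ipadb.so
  }
"""

# A bare '#' (optionally prefixed with '.') used as a key or subsection name.
# Ordinary comments ("# some text") do not match: the '=' must follow the '#'.
PLACEHOLDER_KEY = re.compile(r"^\s*\.?#\s*=")
# A bare '#' used as a value, e.g. "default_realm = #".
PLACEHOLDER_VALUE = re.compile(r"=\s*#\s*$")


def find_broken_lines(text):
    """Return (lineno, line, reason) tuples for every line carrying the
    authconfig placeholder corruption. Lines inside a subsection whose name
    is the placeholder are reported too, up to and including its closing
    brace, since they have no valid realm to belong to once the header goes."""
    broken = []
    in_bad_block = False
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if in_bad_block:
            broken.append((lineno, raw, "body of placeholder subsection"))
            if line == "}":
                in_bad_block = False
            continue
        if not line or line.startswith("["):
            continue  # blank line or [section] header: nothing to check
        if PLACEHOLDER_KEY.match(raw):
            if line.endswith("{"):
                broken.append((lineno, raw, "placeholder subsection name"))
                in_bad_block = True
            else:
                broken.append((lineno, raw, "placeholder key"))
        elif PLACEHOLDER_VALUE.search(raw):
            broken.append((lineno, raw, "placeholder value"))
    return broken


def clean_krb5_conf(text):
    """Return the configuration text with every flagged line removed."""
    bad = {lineno for lineno, _, _ in find_broken_lines(text)}
    kept = [raw for lineno, raw in enumerate(text.splitlines(), start=1)
            if lineno not in bad]
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    # Against the sample this reports the same seven lines marked "delete" above.
    for lineno, line, reason in find_broken_lines(SAMPLE_KRB5_CONF):
        print(f"line {lineno}: {reason}: {line.strip()}")
    print(clean_krb5_conf(SAMPLE_KRB5_CONF))
```

To use it on a real host, read /etc/krb5.conf into `text`, review what `find_broken_lines` reports before writing anything back, and keep a copy of the original; the same placeholder check applies to the `krb5_realm = #` line in the quoted sssd.conf, which libkrb5 never parses but which gives that domain section no usable realm either way.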