[Freeipa-users] installation of ipa-server successful but sssd fails..

Sumit Bose sbose at redhat.com
Thu Feb 25 09:32:42 UTC 2016


On Thu, Feb 25, 2016 at 09:21:06AM +0000, lejeczek wrote:
> On 25/02/16 08:21, Sumit Bose wrote:
> >On Wed, Feb 24, 2016 at 05:20:30PM +0000, lejeczek wrote:
> >>On 24/02/16 14:22, Sumit Bose wrote:
> >>>On Wed, Feb 24, 2016 at 12:45:55PM +0000, lejeczek wrote:
> >>>>On 24/02/16 11:26, Sumit Bose wrote:
> >>>>>On Wed, Feb 24, 2016 at 11:21:13AM +0000, lejeczek wrote:
> >>>>>>hi everybody,
> >>>>>>my first tampering with install gets me:
> >>>>>>
> >>>>>>Feb 24 11:04:22 my.host.fake sssd[be[host.fake]][17425]: Starting up
> >>>>>>Feb 24 11:04:22 my.host.fake sssd[be[host.fake]][17425]: Failed to read
> >>>>>>keytab [default]: Bad address
> >>>>>>Feb 24 11:04:22 my.host.fake sssd[17406]: Exiting the SSSD. Could not
> >>>>>>restart critical service [host.fake].
> >>>>>>Feb 24 11:04:22 my.host.fake systemd[1]: sssd.service: control process
> >>>>>>exited, code=exited status=1
> >>>>>>Feb 24 11:04:22 my.host.fake systemd[1]: Failed to start System Security
> >>>>>>Services Daemon.
> >>>>>>Feb 24 11:04:22 my.host.fake systemd[1]: Unit sssd.service entered failed
> >>>>>>state.
> >>>>>>Feb 24 11:04:22 my.host.fake systemd[1]: sssd.service failed.
> >>>>>>
> >>>>>>And just after install process finishes I try:
> >>>>>>$ kinit admin
> >>>>>>kinit: Improper format of Kerberos configuration file while initializing
> >>>>>>Kerberos 5 library
> >>>>>I would recommend to check /etc/krb5.conf first. Since the library call
> >>>>>SSSD uses to read the keytab will read /etc/krb5.conf as well, this
> >>>>>might be the reason for the SSSD issue as well.
> >>>>I said keytab, I meant config, which is below included.
> >>>This is the SSSD config file /etc/sssd/sssd.conf, I really meant
> >>>/etc/krb5.conf.
> >>I wonder if it can be one use case where install script/process does not
> >>realize it fails. I did run install on a virtually identical machine,
> >>actually virtual kvm centos and it worked there, only exception is no sssd
> >>there, not sure about 100% though.
> >>
> >>Most worryingly when I try to restart dirsrv@ I see this:
> >>
> >>[  762.293817] ns-slapd[8772]: segfault at 8 ip 00007f3186a02b29 sp
> >>00007ffe73055d60 error 4 in libipa_pwd_extop.so[7f31869f1000+2a000]
> >>[  779.072156] SELinux: initialized (dev tmpfs, type tmpfs), uses transition
> >>SIDs
> >>[  801.098886] ns-slapd[8958]: segfault at 8 ip 00007fe875c5ab29 sp
> >>00007ffc2c6c26e0 error 4 in libipa_pwd_extop.so[7fe875c49000+2a000]
> >>
> >>I'm not an expert, it looks pretty regular to me, here krb config:
> >unfortunately it is broken, nearly every line with a '#' is wrong and
> >causes libkrb5 to fail parsing the file. I think this is caused by an
> >issue with authconfig
> >(https://bugzilla.redhat.com/show_bug.cgi?id=1184639). Please try to
> >upgrade to authconfig-6.2.8-10.el7 or higher. Nevertheless I think
> >neither authconfig nor ipa-client-install will be able to fix the broken
> >file completely and you have to delete the following lines manually.
> yes, indeed it seems that when I used authconf (not tui) to disable ldap &
> ssd configs were cleared of # char. I cannot only be sure 100% as I had a
> look at configs after ipa install.
> But I'll also say it would be nice to have kerberos smart and able to digest
> these special cases, handle these chars regardless, no?

no, because it is not about the '#' character, this is handled properly
as a comment. This means there is a dangling '}' because the '{' was
commented out before. The other '#' seems to do no harm but I suggested
to remove them to be on the safe side.

bye,
Sumit

> >>[logging]
> >>  default = FILE:/var/log/krb5libs.log
> >>  kdc = FILE:/var/log/krb5kdc.log
> >>  admin_server = FILE:/var/log/kadmind.log
> >>
> >>[libdefaults]
> >>  default_realm = #
> >    ^^^ delete ^^^
> >>  dns_lookup_realm = false
> >>  dns_lookup_kdc = true
> >>  rdns = false
> >>  ticket_lifetime = 24h
> >>  forwardable = yes
> >>  udp_preference_limit = 0
> >>  default_ccache_name = KEYRING:persistent:%{uid}
> >>
> >>[realms]
> >>  HOST.FAKE = {
> >>   kdc = my.host.fake:88
> >>   master_kdc = my.host.fake:88
> >>   admin_server = my.host.fake:749
> >>   default_domain = host.fake
> >>   pkinit_anchors = FILE:/etc/ipa/ca.crt
> >>}
> >>
> >>  # = {
> >    ^^^ delete ^^^
> >>   kdc = my.host.fake:88
> >    ^^^ delete ^^^
> >>   admin_server = my.host.fake:749
> >    ^^^ delete ^^^
> >>  }
> >    ^^^ delete ^^^
> >>[domain_realm]
> >>  .host.fake = HOST.FAKE
> >>  host.fake = HOST.FAKE
> >>
> >>  # = #
> >    ^^^ delete ^^^
> >>  .# = #
> >    ^^^ delete ^^^
> >>[dbmodules]
> >>   HOST.FAKE = {
> >>     db_library = ipadb.so
> >>   }
> >>
> >bye,
> >Sumit
> >
> >>>bye,
> >>>Sumit
> >>>
> >>>>>HTH
> >>>>>
> >>>>>bye,
> >>>>>Sumit
> >>>>>
> >>>>>>here is keytab server installer created/amended: (one thing that I'm not
> >>>>>>sure is the fact that my new "host.fake" domain is different from my
> >>>>>>previously existing ldap search
> >>>>>>"dc=xxx,dc=zzzzzzzz" - if it matters at all? Otherwise I have no clue.
> >>>>>>
> >>>>>>[domain/host.fake]
> >>>>>>
> >>>>>>cache_credentials = True
> >>>>>>krb5_store_password_if_offline = True
> >>>>>>ipa_domain = host.fake
> >>>>>>id_provider = ipa
> >>>>>>auth_provider = ipa
> >>>>>>access_provider = ipa
> >>>>>>ipa_hostname = my.host.fake
> >>>>>>chpass_provider = ipa
> >>>>>>ipa_server = my.host.fake
> >>>>>>ipa_server_mode = True
> >>>>>>ldap_tls_cacert = /etc/ipa/ca.crt
> >>>>>>[domain/default]
> >>>>>>autofs_provider = ldap
> >>>>>>cache_credentials = True
> >>>>>>krb5_realm = #
> >>>>>>ldap_search_base = dc=xxx,dc=zzzzzzzz
> >>>>>>id_provider = ldap
> >>>>>>auth_provider = ldap
> >>>>>>chpass_provider = ldap
> >>>>>>ldap_uri = ldap://my.host.fake:1389/
> >>>>>>ldap_id_use_start_tls = True
> >>>>>>ldap_tls_cacertdir = /etc/openldap/cacerts
> >>>>>>
> >>>>>>krb5_server = my.host.fake:88
> >>>>>>[sssd]
> >>>>>>services = nss, sudo, pam, autofs, ssh
> >>>>>>config_file_version = 2
> >>>>>>
> >>>>>>domains = host.fake
> >>>>>>
> >>>>>>[nss]
> >>>>>>memcache_timeout = 600
> >>>>>>homedir_substring = /home
> >>>>>>
> >>>>>>
> >>>>>>regards.
> >>>>>>
> >>>>>>-- 
> >>>>>>Manage your subscription for the Freeipa-users mailing list:
> >>>>>>https://www.redhat.com/mailman/listinfo/freeipa-users
> >>>>>>Go to http://freeipa.org for more info on the project
> 
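The failure Sumit describes is a parse error, not a problem with '#' as such: libkrb5 treats a line whose first non-blank character is '#' as a comment, so `  # = {` disappears and the `  }` that was meant to close it is left dangling. The following checker is an added example, not part of this thread and not libkrb5 or any FreeIPA/SSSD code; it approximates only the profile-parser rules that matter here (comment lines, `[section]` headers, `key = {` / `}` nesting, `key = value` relations) and reports the dangling brace plus the bare-'#' values the mangled file contains. The sample configs embedded in it are constructed reproductions of the file posted above.

```python
"""Brace/comment sanity check for krb5.conf-style profile files.

Constructed example, not libkrb5: it applies only the rules needed to
explain the posted file:
  - a line whose first non-blank character is '#' or ';' is a comment,
  - '[name]' opens a section,
  - 'key = {' opens a subsection and a lone '}' closes it,
  - anything else must look like 'key = value'.
Because '  # = {' is a comment, the '}' meant to close it is dangling,
which is what makes libkrb5 report "Improper format of Kerberos
configuration file".
"""

import re

SECTION_RE = re.compile(r"^\[([^\]]+)\]$")
OPEN_RE = re.compile(r"^[^=]+?\s*=\s*\{$")


def check_krb5_conf(text):
    """Return a list of (line_number, message) for each problem found."""
    problems = []
    depth = 0        # current '{' nesting depth
    section = None   # name of the current [section], if any
    lines = text.splitlines()
    for lineno, raw in enumerate(lines, start=1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank or comment line: ignored by the parser
        m = SECTION_RE.match(line)
        if m:
            if depth:
                problems.append((lineno, "section header inside an unclosed '{'"))
                depth = 0
            section = m.group(1)
            continue
        if section is None:
            problems.append((lineno, "relation before any [section] header"))
            continue
        if OPEN_RE.match(line):
            depth += 1
        elif line == "}":
            if depth == 0:
                problems.append((lineno, "dangling '}' with no matching '{'"))
            else:
                depth -= 1
        elif "=" in line:
            value = line.partition("=")[2].strip()
            if value == "#":
                # Not a parse error, but a realm/domain literally named '#'
                # is the authconfig mangling discussed in the thread.
                problems.append((lineno, "value is a bare '#' (mangled line)"))
        else:
            problems.append((lineno, "neither 'key = value' nor a brace"))
    if depth:
        problems.append((len(lines), f"{depth} unclosed '{{'"))
    return problems


# Constructed reproduction of the broken file from the thread (abridged).
BROKEN_KRB5_CONF = """\
[logging]
  default = FILE:/var/log/krb5libs.log
[libdefaults]
  default_realm = #
  dns_lookup_realm = false
[realms]
  HOST.FAKE = {
   kdc = my.host.fake:88
   admin_server = my.host.fake:749
  }
  # = {
   kdc = my.host.fake:88
   admin_server = my.host.fake:749
  }
[domain_realm]
  .host.fake = HOST.FAKE
  # = #
  .# = #
"""

# Constructed: the same file with the mangled lines deleted as suggested.
FIXED_KRB5_CONF = """\
[logging]
  default = FILE:/var/log/krb5libs.log
[libdefaults]
  default_realm = HOST.FAKE
  dns_lookup_realm = false
[realms]
  HOST.FAKE = {
   kdc = my.host.fake:88
   admin_server = my.host.fake:749
  }
[domain_realm]
  .host.fake = HOST.FAKE
  host.fake = HOST.FAKE
"""

if __name__ == "__main__":
    for lineno, msg in check_krb5_conf(BROKEN_KRB5_CONF):
        print(f"line {lineno}: {msg}")
    print("fixed file problems:", check_krb5_conf(FIXED_KRB5_CONF))
```

Run against the broken sample it reports line 4 (`default_realm = #`), line 14 (the dangling `}`) and line 18 (`.# = #`); the lines under the commented-out `# = {` parse as ordinary relations and are harmless to the parser, which matches Sumit's remark that only the dangling brace actually breaks the file.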