[Freeipa-users] installation of ipa-server successful but sssd fails..

lejeczek peljasz at yahoo.co.uk
Thu Feb 25 11:58:04 UTC 2016


On 25/02/16 09:32, Sumit Bose wrote:
> On Thu, Feb 25, 2016 at 09:21:06AM +0000, lejeczek wrote:
>> On 25/02/16 08:21, Sumit Bose wrote:
>>> On Wed, Feb 24, 2016 at 05:20:30PM +0000, lejeczek wrote:
>>>> On 24/02/16 14:22, Sumit Bose wrote:
>>>>> On Wed, Feb 24, 2016 at 12:45:55PM +0000, lejeczek wrote:
>>>>>> On 24/02/16 11:26, Sumit Bose wrote:
>>>>>>> On Wed, Feb 24, 2016 at 11:21:13AM +0000, lejeczek wrote:
>>>>>>>> hey everybody,
>>>>>>>> my first tampering with install gets me:
>>>>>>>>
>>>>>>>> Feb 24 11:04:22 my.host.fake sssd[be[host.fake]][17425]: Starting up
>>>>>>>> Feb 24 11:04:22 my.host.fake sssd[be[host.fake]][17425]: Failed to read
>>>>>>>> keytab [default]: Bad address
>>>>>>>> Feb 24 11:04:22 my.host.fake sssd[17406]: Exiting the SSSD. Could not
>>>>>>>> restart critical service [host.fake].
>>>>>>>> Feb 24 11:04:22 my.host.fake systemd[1]: sssd.service: control process
>>>>>>>> exited, code=exited status=1
>>>>>>>> Feb 24 11:04:22 my.host.fake systemd[1]: Failed to start System Security
>>>>>>>> Services Daemon.
>>>>>>>> Feb 24 11:04:22 my.host.fake systemd[1]: Unit sssd.service entered failed
>>>>>>>> state.
>>>>>>>> Feb 24 11:04:22 my.host.fake systemd[1]: sssd.service failed.
>>>>>>>>
>>>>>>>> And just after install process finishes I try:
>>>>>>>> $ kinit admin
>>>>>>>> kinit: Improper format of Kerberos configuration file while initializing
>>>>>>>> Kerberos 5 library
>>>>>>> I would recommend checking /etc/krb5.conf first. Since the library call
>>>>>>> SSSD uses to read the keytab will read /etc/krb5.conf as well, this
>>>>>>> might be the reason for the SSSD issue as well.
>>>>>> I said keytab, I meant config, which is included below.
>>>>> This is the SSSD config file /etc/sssd/sssd.conf, I really meant
>>>>> /etc/krb5.conf.
>>>> I wonder if it can be one use case where the install script/process does not
>>>> realize it fails. I did run the install on a virtually identical machine,
>>>> actually a virtual kvm centos, and it worked there; the only exception is no sssd
>>>> there, not 100% sure though.
>>>>
>>>> Most worryingly when I try to restart dirsrv@ I see this:
>>>>
>>>> [  762.293817] ns-slapd[8772]: segfault at 8 ip 00007f3186a02b29 sp
>>>> 00007ffe73055d60 error 4 in libipa_pwd_extop.so[7f31869f1000+2a000]
>>>> [  779.072156] SELinux: initialized (dev tmpfs, type tmpfs), uses transition
>>>> SIDs
>>>> [  801.098886] ns-slapd[8958]: segfault at 8 ip 00007fe875c5ab29 sp
>>>> 00007ffc2c6c26e0 error 4 in libipa_pwd_extop.so[7fe875c49000+2a000]
>>>>
>>>> I'm not an expert, it looks pretty regular to me, here is the krb config:
>>> unfortunately it is broken, nearly every line with a '#' is wrong and
>>> causes libkrb5 to fail parsing the file. I think this is caused by an
>>> issue with authconfig
>>> (https://bugzilla.redhat.com/show_bug.cgi?id=1184639). Please try to
>>> upgrade to authconfig-6.2.8-10.el7 or higher. Nevertheless I think
>>> neither authconfig nor ipa-client-install will be able to fix the broken
>>> file completely and you have to delete the following lines manually.
>> yes, indeed it seems that when I used authconf (not tui) to disable ldap &
>> ssd, configs were cleared of the # char. I just cannot be 100% sure as I had a
>> look at the configs after the ipa install.
>> But I'll also say it would be nice to have kerberos smart and able to digest
>> these special cases, handle these chars regardless, no?
> no, because it is not about the '#' character, this is handled properly
> as a comment. This means there is a dangling '}' because the '{' was
> commented out before. The other '#' seems to do no harm but I suggested
> to remove them to be on the safe side.
>
> bye,
> Sumit
thanks Sumit, should I make it a bug report?
>
>>>> [logging]
>>>>   default = FILE:/var/log/krb5libs.log
>>>>   kdc = FILE:/var/log/krb5kdc.log
>>>>   admin_server = FILE:/var/log/kadmind.log
>>>>
>>>> [libdefaults]
>>>>   default_realm = #
>>>     ^^^ delete ^^^
>>>>   dns_lookup_realm = false
>>>>   dns_lookup_kdc = true
>>>>   rdns = false
>>>>   ticket_lifetime = 24h
>>>>   forwardable = yes
>>>>   udp_preference_limit = 0
>>>>   default_ccache_name = KEYRING:persistent:%{uid}
>>>>
>>>> [realms]
>>>>   HOST.FAKE = {
>>>>    kdc = my.host.fake:88
>>>>    master_kdc = my.host.fake:88
>>>>    admin_server = my.host.fake:749
>>>>    default_domain = host.fake
>>>>    pkinit_anchors = FILE:/etc/ipa/ca.crt
>>>> }
>>>>
>>>>   # = {
>>>     ^^^ delete ^^^
>>>>    kdc = my.host.fake:88
>>>     ^^^ delete ^^^
>>>>    admin_server = my.host.fake:749
>>>     ^^^ delete ^^^
>>>>   }
>>>     ^^^ delete ^^^
>>>> [domain_realm]
>>>>   .host.fake = HOST.FAKE
>>>>   host.fake = HOST.FAKE
>>>>
>>>>   # = #
>>>     ^^^ delete ^^^
>>>>   .# = #
>>>     ^^^ delete ^^^
>>>> [dbmodules]
>>>>    HOST.FAKE = {
>>>>      db_library = ipadb.so
>>>>    }
>>>>
>>> bye,
>>> Sumit
>>>
>>>>> bye,
>>>>> Sumit
>>>>>
>>>>>>> HTH
>>>>>>>
>>>>>>> bye,
>>>>>>> Sumit
>>>>>>>
>>>>>>>> here is the keytab the server installer created/amended: (one thing that I'm not
>>>>>>>> sure about is the fact that my new "host.fake" domain is different from my
>>>>>>>> previously existing ldap search
>>>>>>>> "dc=xxx,dc=zzzzzzzz" - if it matters at all? Otherwise I have no clue.
>>>>>>>>
>>>>>>>> [domain/host.fake]
>>>>>>>>
>>>>>>>> cache_credentials = True
>>>>>>>> krb5_store_password_if_offline = True
>>>>>>>> ipa_domain = host.fake
>>>>>>>> id_provider = ipa
>>>>>>>> auth_provider = ipa
>>>>>>>> access_provider = ipa
>>>>>>>> ipa_hostname = my.host.fake
>>>>>>>> chpass_provider = ipa
>>>>>>>> ipa_server = my.host.fake
>>>>>>>> ipa_server_mode = True
>>>>>>>> ldap_tls_cacert = /etc/ipa/ca.crt
>>>>>>>> [domain/default]
>>>>>>>> autofs_provider = ldap
>>>>>>>> cache_credentials = True
>>>>>>>> krb5_realm = #
>>>>>>>> ldap_search_base = dc=xxx,dc=zzzzzzzz
>>>>>>>> id_provider = ldap
>>>>>>>> auth_provider = ldap
>>>>>>>> chpass_provider = ldap
>>>>>>>> ldap_uri = ldap://my.host.fake:1389/
>>>>>>>> ldap_id_use_start_tls = True
>>>>>>>> ldap_tls_cacertdir = /etc/openldap/cacerts
>>>>>>>>
>>>>>>>> krb5_server = my.host.fake:88
>>>>>>>> [sssd]
>>>>>>>> services = nss, sudo, pam, autofs, ssh
>>>>>>>> config_file_version = 2
>>>>>>>>
>>>>>>>> domains = host.fake
>>>>>>>>
>>>>>>>> [nss]
>>>>>>>> memcache_timeout = 600
>>>>>>>> homedir_substring = /home
>>>>>>>>
>>>>>>>>
>>>>>>>> regards.
>>>>>>>>
>>>>>>>> -- 
>>>>>>>> Manage your subscription for the Freeipa-users mailing list:
>>>>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>>>>>> Go to http://freeipa.org for more info on the project
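A small checker for the failure mode Sumit describes above, added here as an example and not code from the thread or from the FreeIPA/SSSD projects: it applies the libkrb5 rule that only a line whose first non-blank character is '#' or ';' is a comment, so the commented-out "# = {" line leaves its "}" dangling, and it flags bare "#" values left behind by authconfig. The sample configuration is constructed from the listing in the thread.

```python
# Constructed sample: the krb5.conf fragment from the thread, as authconfig left it.
SAMPLE = """[libdefaults]
  default_realm = #
  dns_lookup_realm = false
[realms]
  HOST.FAKE = {
   kdc = my.host.fake:88
   admin_server = my.host.fake:749
  }
  # = {
   kdc = my.host.fake:88
   admin_server = my.host.fake:749
  }
[domain_realm]
  .host.fake = HOST.FAKE
  # = #
  .# = #
"""
def check_krb5_conf(text):
    """Return (line_no, message) findings for a krb5.conf profile. Per libkrb5,
    a line is a comment only if its first non-blank char is '#' or ';', so a
    commented-out 'name = {' leaves its '}' dangling; a bare '#' value parses
    but is an authconfig leftover, flagged here as a heuristic warning."""
    findings, depth, section = [], 0, None
    lines = text.splitlines()
    for no, raw in enumerate(lines, 1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue                        # blank or comment line: ignored
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if line == "}":
            if depth == 0:
                findings.append((no, "dangling '}': its '{' line is commented out"))
            else:
                depth -= 1
            continue
        if "=" not in line:
            findings.append((no, "not a 'key = value' line"))
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        if value == "{":
            depth += 1
        elif value == "#" or key.endswith("#"):
            findings.append((no, f"suspicious '#' in [{section}]: {line}"))
    if depth:
        findings.append((len(lines), "unclosed '{' block at end of file"))
    return findings
```

Running `check_krb5_conf(open("/etc/krb5.conf").read())` on a real file returns an empty list when there are no dangling braces or '#' leftovers to delete.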