[Freeipa-users] installation of ipa-server successful but sssd fails..

Sumit Bose sbose at redhat.com
Thu Feb 25 12:29:55 UTC 2016


On Thu, Feb 25, 2016 at 11:58:04AM +0000, lejeczek wrote:
> On 25/02/16 09:32, Sumit Bose wrote:
> >On Thu, Feb 25, 2016 at 09:21:06AM +0000, lejeczek wrote:
> >>On 25/02/16 08:21, Sumit Bose wrote:
> >>>On Wed, Feb 24, 2016 at 05:20:30PM +0000, lejeczek wrote:
> >>>>On 24/02/16 14:22, Sumit Bose wrote:
> >>>>>On Wed, Feb 24, 2016 at 12:45:55PM +0000, lejeczek wrote:
> >>>>>>On 24/02/16 11:26, Sumit Bose wrote:
> >>>>>>>On Wed, Feb 24, 2016 at 11:21:13AM +0000, lejeczek wrote:
> >>>>>>>>hi everybody,
> >>>>>>>>my first tampering with install gets me:
> >>>>>>>>
> >>>>>>>>Feb 24 11:04:22 my.host.fake sssd[be[host.fake]][17425]: Starting up
> >>>>>>>>Feb 24 11:04:22 my.host.fake sssd[be[host.fake]][17425]: Failed to read
> >>>>>>>>keytab [default]: Bad address
> >>>>>>>>Feb 24 11:04:22 my.host.fake sssd[17406]: Exiting the SSSD. Could not
> >>>>>>>>restart critical service [host.fake].
> >>>>>>>>Feb 24 11:04:22 my.host.fake systemd[1]: sssd.service: control process
> >>>>>>>>exited, code=exited status=1
> >>>>>>>>Feb 24 11:04:22 my.host.fake systemd[1]: Failed to start System Security
> >>>>>>>>Services Daemon.
> >>>>>>>>Feb 24 11:04:22 my.host.fake systemd[1]: Unit sssd.service entered failed
> >>>>>>>>state.
> >>>>>>>>Feb 24 11:04:22 my.host.fake systemd[1]: sssd.service failed.
> >>>>>>>>
> >>>>>>>>And just after install process finishes I try:
> >>>>>>>>$ kinit admin
> >>>>>>>>kinit: Improper format of Kerberos configuration file while initializing
> >>>>>>>>Kerberos 5 library
> >>>>>>>I would recommend checking /etc/krb5.conf first. Since the library call
> >>>>>>>SSSD uses to read the keytab will read /etc/krb5.conf as well, this
> >>>>>>>might be the reason for the SSSD issue as well.
> >>>>>>I said keytab, I meant config, which is below included.
> >>>>>This is the SSSD config file /etc/sssd/sssd.conf, I really meant
> >>>>>/etc/krb5.conf.
> >>>>I wonder if it can be one use case where the install script/process does not
> >>>>realize it fails. I did run the install on a virtually identical machine,
> >>>>actually a virtual KVM CentOS, and it worked there; the only exception is no sssd
> >>>>there, not 100% sure though.
> >>>>
> >>>>Most worryingly when I try to restart dirsrv@ I see this:
> >>>>
> >>>>[  762.293817] ns-slapd[8772]: segfault at 8 ip 00007f3186a02b29 sp
> >>>>00007ffe73055d60 error 4 in libipa_pwd_extop.so[7f31869f1000+2a000]
> >>>>[  779.072156] SELinux: initialized (dev tmpfs, type tmpfs), uses transition
> >>>>SIDs
> >>>>[  801.098886] ns-slapd[8958]: segfault at 8 ip 00007fe875c5ab29 sp
> >>>>00007ffc2c6c26e0 error 4 in libipa_pwd_extop.so[7fe875c49000+2a000]
> >>>>
> >>>>I'm not an expert, it looks pretty regular to me, here krb config:
> >>>unfortunately it is broken, nearly every line with a '#' is wrong and
> >>>causes libkrb5 to fail parsing the file. I think this is caused by an
> >>>issue with authconfig
> >>>(https://bugzilla.redhat.com/show_bug.cgi?id=1184639). Please try to
> >>>upgrade to authconfig-6.2.8-10.el7 or higher. Nevertheless I think
> >>>neither authconfig nor ipa-client-install will be able to fix the broken
> >>>file completely and you have to delete the following lines manually.
> >>yes, indeed it seems that when I used authconfig (not tui) to disable ldap &
> >>sssd the configs were cleared of the # char. I cannot be 100% sure, as I only had a
> >>look at the configs after the ipa install.
> >>But I'll also say it would be nice to have kerberos smart and able to digest
> >>these special cases, handle these chars regardless, no?
> >no, because it is not about the '#' character, this is handled properly
> >as a comment. This means there is a dangling '}' because the '{' was
> >commented out before. The other '#' seems to do no harm but I suggested
> >removing them to be on the safe side.
> >
> >bye,
> >Sumit
> thanks Sumit, should I make it a bug report?

no, I think the authconfig ticket is sufficient here.

bye,
Sumit

> >
> >>>>[logging]
> >>>>  default = FILE:/var/log/krb5libs.log
> >>>>  kdc = FILE:/var/log/krb5kdc.log
> >>>>  admin_server = FILE:/var/log/kadmind.log
> >>>>
> >>>>[libdefaults]
> >>>>  default_realm = #
> >>>    ^^^ delete ^^^
> >>>>  dns_lookup_realm = false
> >>>>  dns_lookup_kdc = true
> >>>>  rdns = false
> >>>>  ticket_lifetime = 24h
> >>>>  forwardable = yes
> >>>>  udp_preference_limit = 0
> >>>>  default_ccache_name = KEYRING:persistent:%{uid}
> >>>>
> >>>>[realms]
> >>>>  HOST.FAKE = {
> >>>>   kdc = my.host.fake:88
> >>>>   master_kdc = my.host.fake:88
> >>>>   admin_server = my.host.fake:749
> >>>>   default_domain = host.fake
> >>>>   pkinit_anchors = FILE:/etc/ipa/ca.crt
> >>>>}
> >>>>
> >>>>  # = {
> >>>    ^^^ delete ^^^
> >>>>   kdc = my.host.fake:88
> >>>    ^^^ delete ^^^
> >>>>   admin_server = my.host.fake:749
> >>>    ^^^ delete ^^^
> >>>>  }
> >>>    ^^^ delete ^^^
> >>>>[domain_realm]
> >>>>  .host.fake = HOST.FAKE
> >>>>  host.fake = HOST.FAKE
> >>>>
> >>>>  # = #
> >>>    ^^^ delete ^^^
> >>>>  .# = #
> >>>    ^^^ delete ^^^
> >>>>[dbmodules]
> >>>>   HOST.FAKE = {
> >>>>     db_library = ipadb.so
> >>>>   }
> >>>>
> >>>bye,
> >>>Sumit
> >>>
> >>>>>bye,
> >>>>>Sumit
> >>>>>
> >>>>>>>HTH
> >>>>>>>
> >>>>>>>bye,
> >>>>>>>Sumit
> >>>>>>>
> >>>>>>>>here is keytab server installer created/amended: (one thing that I'm not
> >>>>>>>>sure is the fact that my new "host.fake" domain is different from my
> >>>>>>>>previously existing ldap search
> >>>>>>>>"dc=xxx,dc=zzzzzzzz" - if it matters at all? Otherwise I have no clue.
> >>>>>>>>
> >>>>>>>>[domain/host.fake]
> >>>>>>>>
> >>>>>>>>cache_credentials = True
> >>>>>>>>krb5_store_password_if_offline = True
> >>>>>>>>ipa_domain = host.fake
> >>>>>>>>id_provider = ipa
> >>>>>>>>auth_provider = ipa
> >>>>>>>>access_provider = ipa
> >>>>>>>>ipa_hostname = my.host.fake
> >>>>>>>>chpass_provider = ipa
> >>>>>>>>ipa_server = my.host.fake
> >>>>>>>>ipa_server_mode = True
> >>>>>>>>ldap_tls_cacert = /etc/ipa/ca.crt
> >>>>>>>>[domain/default]
> >>>>>>>>autofs_provider = ldap
> >>>>>>>>cache_credentials = True
> >>>>>>>>krb5_realm = #
> >>>>>>>>ldap_search_base = dc=xxx,dc=zzzzzzzz
> >>>>>>>>id_provider = ldap
> >>>>>>>>auth_provider = ldap
> >>>>>>>>chpass_provider = ldap
> >>>>>>>>ldap_uri = ldap://my.host.fake:1389/
> >>>>>>>>ldap_id_use_start_tls = True
> >>>>>>>>ldap_tls_cacertdir = /etc/openldap/cacerts
> >>>>>>>>
> >>>>>>>>krb5_server = my.host.fake:88
> >>>>>>>>[sssd]
> >>>>>>>>services = nss, sudo, pam, autofs, ssh
> >>>>>>>>config_file_version = 2
> >>>>>>>>
> >>>>>>>>domains = host.fake
> >>>>>>>>
> >>>>>>>>[nss]
> >>>>>>>>memcache_timeout = 600
> >>>>>>>>homedir_substring = /home
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>regards.
> >>>>>>>>
> >>>>>>>>-- 
> >>>>>>>>Manage your subscription for the Freeipa-users mailing list:
> >>>>>>>>https://www.redhat.com/mailman/listinfo/freeipa-users
> >>>>>>>>Go to http://freeipa.org for more info on the project
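Added example, not part of the thread and not FreeIPA or MIT krb5 code: a small Python checker for the failure Sumit diagnoses above, a '}' left dangling because the 'xxx = {' line in front of it was turned into a comment. It assumes libkrb5's comment rule that a line is a comment only when its first non-blank character is '#' or ';' (so 'default_realm = #' is a legal, if odd, value while '# = {' is a comment), and flags leftover '#' placeholders separately as warnings. The function names and both sample configs are constructed for this example, modelled on the krb5.conf quoted in the thread.

```python
import re

# Constructed sample, modelled on the mangled /etc/krb5.conf quoted in the thread.
BROKEN_KRB5_CONF = """\
[libdefaults]
  default_realm = #
  dns_lookup_realm = false

[realms]
  HOST.FAKE = {
   kdc = my.host.fake:88
   admin_server = my.host.fake:749
  }

  # = {
   kdc = my.host.fake:88
   admin_server = my.host.fake:749
  }
[domain_realm]
  .host.fake = HOST.FAKE
  # = #
  .# = #
"""

# The same constructed config with the lines marked "delete" above removed.
FIXED_KRB5_CONF = """\
[libdefaults]
  dns_lookup_realm = false

[realms]
  HOST.FAKE = {
   kdc = my.host.fake:88
   admin_server = my.host.fake:749
  }
[domain_realm]
  .host.fake = HOST.FAKE
"""


def is_comment(line):
    """Comment rule assumed here: '#' or ';' as the first non-blank character."""
    s = line.lstrip()
    return s.startswith("#") or s.startswith(";")


def check_krb5_conf(text):
    """Return a list of (lineno, severity, message) findings.

    Errors are what makes libkrb5 report "Improper format of Kerberos
    configuration file"; warnings are leftovers that parse but look mangled.
    """
    findings = []
    section = None
    open_braces = []   # line numbers of '{' not yet closed in this section

    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if is_comment(line):
            # A commented-out 'name = {' is exactly what leaves a '}' dangling.
            if "{" in line:
                findings.append((lineno, "warn",
                                 "commented-out '{' - the matching '}' below will dangle"))
            continue

        m = re.match(r"\[(.+)\]$", line)
        if m:
            if open_braces:
                findings.append((lineno, "error",
                                 f"[{section}] ends with '{{' from line {open_braces[0]} unclosed"))
                open_braces.clear()
            section = m.group(1)
            continue

        if line in ("}", "}*"):      # '}*' is the profile "final" marker
            if open_braces:
                open_braces.pop()
            else:
                findings.append((lineno, "error",
                                 f"dangling '}}' in [{section}] with no matching '{{'"))
            continue

        key, sep, value = line.partition("=")
        if not sep:
            findings.append((lineno, "error", f"unparseable line in [{section}]: {line!r}"))
            continue
        key, value = key.strip(), value.strip()
        if value == "{":
            open_braces.append(lineno)
        elif "#" in key or "#" in value:
            # Parses fine, but a bare '#' here is a mangled placeholder, not data.
            findings.append((lineno, "warn",
                             f"suspicious '#' in [{section}] entry {key!r} = {value!r}"))

    if open_braces:
        findings.append((len(text.splitlines()), "error",
                         f"end of file with '{{' from line {open_braces[0]} unclosed"))
    return findings


def errors(text):
    """Only the hard errors, for a quick pass/fail on a file."""
    return [f for f in check_krb5_conf(text) if f[1] == "error"]


if __name__ == "__main__":
    for lineno, sev, msg in check_krb5_conf(BROKEN_KRB5_CONF):
        print(f"{sev:5} line {lineno}: {msg}")
    print("fixed config errors:", errors(FIXED_KRB5_CONF))
```

Run against the broken sample it reports the dangling '}' in [realms] as the one hard error and the three '#' leftovers as warnings; the cleaned-up sample produces no findings. The checker is a pre-flight for hand-edited files only; the authoritative verdict is still libkrb5's own parser, which is why the kinit error in the thread is the right signal to chase.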