[Freeipa-users] installation of ipa-server successful but sssd fails..

lejeczek peljasz at yahoo.co.uk
Thu Feb 25 15:35:22 UTC 2016


On 25/02/16 12:29, Sumit Bose wrote:
> On Thu, Feb 25, 2016 at 11:58:04AM +0000, lejeczek wrote:
>> On 25/02/16 09:32, Sumit Bose wrote:
>>> On Thu, Feb 25, 2016 at 09:21:06AM +0000, lejeczek wrote:
>>>> On 25/02/16 08:21, Sumit Bose wrote:
>>>>> On Wed, Feb 24, 2016 at 05:20:30PM +0000, lejeczek wrote:
>>>>>> On 24/02/16 14:22, Sumit Bose wrote:
>>>>>>> On Wed, Feb 24, 2016 at 12:45:55PM +0000, lejeczek wrote:
>>>>>>>> On 24/02/16 11:26, Sumit Bose wrote:
>>>>>>>>> On Wed, Feb 24, 2016 at 11:21:13AM +0000, lejeczek wrote:
>>>>>>>>>> hi everybody,
>>>>>>>>>> my first tampering with the install gets me:
>>>>>>>>>>
>>>>>>>>>> Feb 24 11:04:22 my.host.fake sssd[be[host.fake]][17425]: Starting up
>>>>>>>>>> Feb 24 11:04:22 my.host.fake sssd[be[host.fake]][17425]: Failed to read
>>>>>>>>>> keytab [default]: Bad address
>>>>>>>>>> Feb 24 11:04:22 my.host.fake sssd[17406]: Exiting the SSSD. Could not
>>>>>>>>>> restart critical service [host.fake].
>>>>>>>>>> Feb 24 11:04:22 my.host.fake systemd[1]: sssd.service: control process
>>>>>>>>>> exited, code=exited status=1
>>>>>>>>>> Feb 24 11:04:22 my.host.fake systemd[1]: Failed to start System Security
>>>>>>>>>> Services Daemon.
>>>>>>>>>> Feb 24 11:04:22 my.host.fake systemd[1]: Unit sssd.service entered failed
>>>>>>>>>> state.
>>>>>>>>>> Feb 24 11:04:22 my.host.fake systemd[1]: sssd.service failed.
>>>>>>>>>>
>>>>>>>>>> And just after the install process finishes I try:
>>>>>>>>>> $ kinit admin
>>>>>>>>>> kinit: Improper format of Kerberos configuration file while initializing
>>>>>>>>>> Kerberos 5 library
>>>>>>>>> I would recommend checking /etc/krb5.conf first. Since the library call
>>>>>>>>> SSSD uses to read the keytab will read /etc/krb5.conf as well, this
>>>>>>>>> might be the reason for the SSSD issue as well.
>>>>>>>> I said keytab, I meant config, which is included below.
>>>>>>> This is the SSSD config file /etc/sssd/sssd.conf, I really meant
>>>>>>> /etc/krb5.conf.
>>>>>> I wonder if it can be one use case where the install script/process does not
>>>>>> realize it fails. I did run the install on a virtually identical machine,
>>>>>> actually a virtual kvm centos, and it worked there; the only exception is no sssd
>>>>>> there, not sure about 100% though.
>>>>>>
>>>>>> Most worryingly, when I try to restart dirsrv@ I see this:
>>>>>>
>>>>>> [  762.293817] ns-slapd[8772]: segfault at 8 ip 00007f3186a02b29 sp
>>>>>> 00007ffe73055d60 error 4 in libipa_pwd_extop.so[7f31869f1000+2a000]
>>>>>> [  779.072156] SELinux: initialized (dev tmpfs, type tmpfs), uses transition
>>>>>> SIDs
>>>>>> [  801.098886] ns-slapd[8958]: segfault at 8 ip 00007fe875c5ab29 sp
>>>>>> 00007ffc2c6c26e0 error 4 in libipa_pwd_extop.so[7fe875c49000+2a000]
>>>>>>
>>>>>> I'm not an expert, it looks pretty regular to me; here is the krb config:
>>>>> unfortunately it is broken, nearly every line with a '#' is wrong and
>>>>> causes libkrb5 to fail parsing the file. I think this is caused by an
>>>>> issue with authconfig
>>>>> (https://bugzilla.redhat.com/show_bug.cgi?id=1184639). Please try to
>>>>> upgrade to authconfig-6.2.8-10.el7 or higher. Nevertheless I think
>>>>> neither authconfig nor ipa-client-install will be able to fix the broken
>>>>> file completely and you have to delete the following lines manually.
>>>> yes, indeed it seems that when I used authconfig (not the tui) to disable ldap &
>>>> sssd, configs were cleared of the # char. I only cannot be 100% sure, as I had a
>>>> look at the configs after the ipa install.
>>>> But I'll also say it would be nice to have kerberos smart and able to digest
>>>> these special cases, and handle these chars regardless, no?
>>> no, because it is not about the '#' character; this is handled properly
>>> as a comment. This means there is a dangling '}' because the '{' was
>>> commented out before. The other '#'s seem to do no harm, but I suggested
>>> removing them to be on the safe side.
>>>
>>> bye,
>>> Sumit
>> thanks Sumit, should I make it a bug report?
> no, I think the authconfig ticket is sufficient here.
I'll insist on the claim that the installer could do better,
especially when it completes without any errors or warnings.
I'm sure the dev guys could easily resolve it in a number of
ways, just to let them know.
> bye,
> Sumit
>
>>>>>> [logging]
>>>>>>   default = FILE:/var/log/krb5libs.log
>>>>>>   kdc = FILE:/var/log/krb5kdc.log
>>>>>>   admin_server = FILE:/var/log/kadmind.log
>>>>>>
>>>>>> [libdefaults]
>>>>>>   default_realm = #
>>>>>     ^^^ delete ^^^
>>>>>>   dns_lookup_realm = false
>>>>>>   dns_lookup_kdc = true
>>>>>>   rdns = false
>>>>>>   ticket_lifetime = 24h
>>>>>>   forwardable = yes
>>>>>>   udp_preference_limit = 0
>>>>>>   default_ccache_name = KEYRING:persistent:%{uid}
>>>>>>
>>>>>> [realms]
>>>>>>   HOST.FAKE = {
>>>>>>    kdc = my.host.fake:88
>>>>>>    master_kdc = my.host.fake:88
>>>>>>    admin_server = my.host.fake:749
>>>>>>    default_domain = host.fake
>>>>>>    pkinit_anchors = FILE:/etc/ipa/ca.crt
>>>>>> }
>>>>>>
>>>>>>   # = {
>>>>>     ^^^ delete ^^^
>>>>>>    kdc = my.host.fake:88
>>>>>     ^^^ delete ^^^
>>>>>>    admin_server = my.host.fake:749
>>>>>     ^^^ delete ^^^
>>>>>>   }
>>>>>     ^^^ delete ^^^
>>>>>> [domain_realm]
>>>>>>   .host.fake = HOST.FAKE
>>>>>>   host.fake = HOST.FAKE
>>>>>>
>>>>>>   # = #
>>>>>     ^^^ delete ^^^
>>>>>>   .# = #
>>>>>     ^^^ delete ^^^
>>>>>> [dbmodules]
>>>>>>    HOST.FAKE = {
>>>>>>      db_library = ipadb.so
>>>>>>    }
>>>>>>
>>>>> bye,
>>>>> Sumit
>>>>>
>>>>>>> bye,
>>>>>>> Sumit
>>>>>>>
>>>>>>>>> HTH
>>>>>>>>>
>>>>>>>>> bye,
>>>>>>>>> Sumit
>>>>>>>>>
>>>>>>>>>> here is the keytab the server installer created/amended: (one thing that I'm not
>>>>>>>>>> sure about is the fact that my new "host.fake" domain is different from my
>>>>>>>>>> previously existing ldap search
>>>>>>>>>> "dc=xxx,dc=zzzzzzzz" - if it matters at all? Otherwise I have no clue.)
>>>>>>>>>>
>>>>>>>>>> [domain/host.fake]
>>>>>>>>>>
>>>>>>>>>> cache_credentials = True
>>>>>>>>>> krb5_store_password_if_offline = True
>>>>>>>>>> ipa_domain = host.fake
>>>>>>>>>> id_provider = ipa
>>>>>>>>>> auth_provider = ipa
>>>>>>>>>> access_provider = ipa
>>>>>>>>>> ipa_hostname = my.host.fake
>>>>>>>>>> chpass_provider = ipa
>>>>>>>>>> ipa_server = my.host.fake
>>>>>>>>>> ipa_server_mode = True
>>>>>>>>>> ldap_tls_cacert = /etc/ipa/ca.crt
>>>>>>>>>> [domain/default]
>>>>>>>>>> autofs_provider = ldap
>>>>>>>>>> cache_credentials = True
>>>>>>>>>> krb5_realm = #
>>>>>>>>>> ldap_search_base = dc=xxx,dc=zzzzzzzz
>>>>>>>>>> id_provider = ldap
>>>>>>>>>> auth_provider = ldap
>>>>>>>>>> chpass_provider = ldap
>>>>>>>>>> ldap_uri = ldap://my.host.fake:1389/
>>>>>>>>>> ldap_id_use_start_tls = True
>>>>>>>>>> ldap_tls_cacertdir = /etc/openldap/cacerts
>>>>>>>>>>
>>>>>>>>>> krb5_server = my.host.fake:88
>>>>>>>>>> [sssd]
>>>>>>>>>> services = nss, sudo, pam, autofs, ssh
>>>>>>>>>> config_file_version = 2
>>>>>>>>>>
>>>>>>>>>> domains = host.fake
>>>>>>>>>>
>>>>>>>>>> [nss]
>>>>>>>>>> memcache_timeout = 600
>>>>>>>>>> homedir_substring = /home
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> regards.
>>>>>>>>>>
>>>>>>>>>> -- 
>>>>>>>>>> Manage your subscription for the Freeipa-users mailing list:
>>>>>>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>>>>>>>> Go to http://freeipa.org for more info on the project
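Sumit's diagnosis above (a line whose first non-blank character is '#' is a comment, so '# = {' loses its '{' and the later '}' dangles, while 'default_realm = #' is merely a stray relation with the value '#') can be checked mechanically before restarting sssd. The Python linter below is an added example, not code from the thread, SSSD or FreeIPA; it applies those MIT krb5 profile parsing rules to a constructed, abridged copy of the quoted krb5.conf and reports exactly the lines Sumit marked for deletion.

```python
import re

# Constructed sample, abridged from the broken krb5.conf quoted in the thread.
BROKEN_KRB5_CONF = """\
[libdefaults]
  default_realm = #
[realms]
  HOST.FAKE = {
   kdc = my.host.fake:88
  }

  # = {
   kdc = my.host.fake:88
  }
[domain_realm]
  .host.fake = HOST.FAKE
  # = #
"""

DANGLING = "dangling '}' with no matching '{' (libkrb5 rejects the file)"
HIDDEN_OPEN = "commented-out 'X = {' hides an opening brace"
PLACEHOLDER = "placeholder value '#' left behind by authconfig"

def lint_krb5_conf(text):
    """Return [(lineno, problem), ...]; [] means no brace or placeholder issue."""
    problems = []
    depth = 0                                      # current '{' nesting level
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if line[0] in "#;":                        # whole-line comment, as libkrb5 sees it
            if re.search(r"=\s*\{\s*$", line):     # so its '{' never opens a block
                problems.append((lineno, HIDDEN_OPEN))
            continue
        if line.rstrip("*") == "}":                # '}' or final '}*' closes a block
            if depth == 0:
                problems.append((lineno, DANGLING))
            else:
                depth -= 1
            continue
        if line.startswith("["):                   # [section] header
            continue
        value = line.partition("=")[2].strip()
        if value == "{":                           # 'key = {' opens a block
            depth += 1
        elif value == "#":                         # 'default_realm = #' is a relation, not a comment
            problems.append((lineno, PLACEHOLDER))
    return problems
```

On a live system, call lint_krb5_conf(open("/etc/krb5.conf").read()) and fix every reported line before restarting sssd.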