[Freeipa-users] IPA wont start, all services fail
Simpson Lachlan
Lachlan.Simpson at petermac.org
Fri Jan 15 06:04:20 UTC 2016
Hi
I’m not 100% sure where I've gone wrong, but I obviously have.
Running Centos 7.2, with FreeIPA 4.2.0 from the repos.
FreeIPA was set up per instructions (# ipa-server-install), and we could surf to the website and interact with it.
I set up a second server, yum install -y ipa-client, and then joined with authconfig successfully and logged in.
Our intention is to join an AD domain over which we have no control in a one way trust: co.org.au is trusted by unix.co.org.au.
In order to do this, I followed the instructions on redhat's documentation " 5.3.3.1. Preparing the IdM Server for Trust"
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/creating-trusts.html#trust-set-up-idm
I installed "*ipa-server-trust-ad" samba, ran the ipa-adtrust-install script successfully, confirmed DNS was properly configured, confirmed smbclient was properly configured, then created a trust agreement successfully (this time yesterday I was cheering).
--------------------------------------------------------
Added Active Directory trust for realm "co.org.au"
--------------------------------------------------------
Realm name: co.org.au
Domain NetBIOS name: PMCI
Domain Security Identifier: S-1-5-21-55386287-1424373824-1154838474
SID blacklist incoming: S-1-5-20, S-1-5-3, S-1-5-2, S-1-5-1, S-1-5-7, S-1-5-6, S-1-5-5, S-1-5-4, S-1-5-9, S-1-5-8, S-1-5-17, S-1-5-16, S-1-5-15, S-1-5-14, S-1-5-13, S-1-5-12, S-1-5-11, S-1-5-10, S-1-3, S-1-2, S-1-1, S-1-0, S-1-5-19, S-1-5-18
SID blacklist outgoing: S-1-5-20, S-1-5-3, S-1-5-2, S-1-5-1, S-1-5-7, S-1-5-6, S-1-5-5, S-1-5-4, S-1-5-9, S-1-5-8, S-1-5-17, S-1-5-16, S-1-5-15, S-1-5-14, S-1-5-13, S-1-5-12, S-1-5-11, S-1-5-10, S-1-3, S-1-2, S-1-1, S-1-0, S-1-5-19, S-1-5-18
Trust direction: Trusting forest
Trust type: Active Directory domain
Trust status: Established and verified
Then I started to see some differentiation from the documented output, so I started investigating. In particular, kvno -S cifs adserver.example.com didn't work.
Eventually I turned off selinux and the firewall all together and rebooted.
Now IPA doesn't start. When I look into it, this is what I see:
[root at vmts-linuxidm ~]# sc | grep failed
● dirsrv at unix.co.org.au.service loaded failed failed 389 Directory Server unix.co.org.au.
● ipa.service loaded failed failed Identity, Policy, Audit
● kadmin.service loaded failed failed Kerberos 5 Password-changing and Administration
● kdump.service loaded failed failed Crash recovery kernel arming
● smb.service loaded failed failed Samba SMB Daemon
From the numerous logs and web pages I've read, I think this means:
IPA doesn't start because samba fails to start.
This is from journalctl re samba:
Missing mandatory attribute ipaNTSecurityIdentifier
Cannot find SID of fallback group
pdb backend ipasam:ldapi://%2fvar%2frun%2fslapd-UNIX-CO-ORG-AU.socket did not correctly init (error was NT_STATUS_INVALID_PARAMETER)
Server ldap/vmts-linuxidm at UNIX.CO.ORG.AU not found in Kerberos database
This is from the smb log:
[2016/01/15 14:53:03, 0] ../source3/smbd/server.c:1241(main)
smbd version 4.2.3 started.
Copyright Andrew Tridgell and the Samba Team 1992-2014
[2016/01/15 14:53:03.538393, 0] ipa_sam.c:4208(bind_callback_cleanup)
kerberos error: code=-1765328228, message=Cannot contact any KDC for realm 'UNIX.CO.ORG.AU'
[2016/01/15 14:53:03.538500, 0] ../source3/lib/smbldap.c:998(smbldap_connect_system)
failed to bind to server ldapi://%2fvar%2frun%2fslapd-UNIX-CO-ORG-AU.socket with dn="[Anonymous bind]" Error: Local error
(unknown)
Samba seems to be failing because LDAP (dirsrv) is failing and it can't connect, or because Kerberos isn't running.
LDAP isn't running because Kerberos isn't running:
krb5kdc: cannot initialize realm UNIX.CO.ORG.AU - see log file for details
krb5kdc: Server error - while fetching master key K/M for realm UNIX.CO.ORG.AU
So. It looks like samba and IPA won't start because Kerberos and LDAP won't start.
It's hard to tell why they won't start, but it looks a little like Kerberos won't start because there aren't any values in LDAP, and LDAP won't start because Kerberos isn't started?
This is from the /var/log/dirsrv/slapd-UNIX-CO-ORG-AU/errors file:
SSL Initialization - Configured SSL version range: min: TLS1.0, max: TLS1.2
- 389-Directory/1.3.4.0 B2015.343.1254 starting up
- WARNING: changelog: entry cache size 2097152B is less than db size 4259840B; We recommend to increase the entry cache size nsslapd-cachememsize.
schema-compat-plugin - warning: no entries set up under cn=computers, cn=compat,dc=unix,dc=co,dc=org,dc=au
schema-compat-plugin - warning: no entries set up under cn=ng, cn=compat,dc=unix,dc=co,dc=org,dc=au
schema-compat-plugin - warning: no entries set up under ou=sudoers,dc=unix,dc=co,dc=org,dc=au
NSACLPlugin - The ACL target cn=dns,dc=unix,dc=co,dc=org,dc=au does not exist
NSACLPlugin - The ACL target cn=dns,dc=unix,dc=co,dc=org,dc=au does not exist
NSACLPlugin - The ACL target cn=keys,cn=sec,cn=dns,dc=unix,dc=co,dc=org,dc=au does not exist
NSACLPlugin - The ACL target cn=dns,dc=unix,dc=co,dc=org,dc=au does not exist
NSACLPlugin - The ACL target cn=dns,dc=unix,dc=co,dc=org,dc=au does not exist
NSACLPlugin - The ACL target cn=groups,cn=compat,dc=unix,dc=co,dc=org,dc=au does not exist
NSACLPlugin - The ACL target cn=computers,cn=compat,dc=unix,dc=co,dc=org,dc=au does not exist
NSACLPlugin - The ACL target cn=ng,cn=compat,dc=unix,dc=co,dc=org,dc=au does not exist
NSACLPlugin - The ACL target ou=sudoers,dc=unix,dc=co,dc=org,dc=au does not exist
NSACLPlugin - The ACL target cn=users,cn=compat,dc=unix,dc=co,dc=org,dc=au does not exist
NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=unix,dc=co,dc=org,dc=au does not exist
NSACLPlugin - The ACL target cn=casigningcert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=unix,dc=co,dc=org,dc=au does not exist
NSACLPlugin - The ACL target cn=casigningcert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=unix,dc=co,dc=org,dc=au does not exist
NSACLPlugin - The ACL target cn=automember rebuild membership,cn=tasks,cn=config does not exist
I don't understand why it's looking for dns.unix.co.org.au - I wanted the upstream DNS to serve this domain as well?
My brain hurts. I'm new to FreeIPA. Not to linux, and I have a passing knowledge of AD, SMB, LDAP, DNS. I think I'm further confused by so many new moving parts, and not seeing a clear way to solve any of the problems, or even which problem to start with.
Can anyone point me in a direction with regards to what I've done wrong, what I might look at to fix this, or some documentation that steps through the installation of a FreeIPA server, set up as a one way trust, where all clients authenticate against AD?
Cheers
L.
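As an added example (not part of the post, and not FreeIPA's own tooling), a small Python triage helper for the "which problem to start with" question: it parses the failed-unit list, orders it by an assumed ipactl start order, and pulls out the log lines that support the earliest failure. The start order and the evidence patterns are my assumptions, and the sample input is constructed from the lines quoted above.

```python
import re

# Assumed ipactl start order on FreeIPA 4.2 (from memory, not from the post;
# confirm with `ipactl status` on the box). Earlier units are dependencies
# of later ones, so the first failed unit in this order is where to start.
IPA_START_ORDER = ["dirsrv", "krb5kdc", "kadmin", "named", "ipa_memcached",
                   "httpd", "pki-tomcatd", "ipa-otpd", "ipa-dnskeysyncd",
                   "smb", "winbind"]

# Log phrases that point at a given layer being unavailable. The IPA KDC keeps
# its master key K/M in LDAP, so a K/M fetch error is also directory evidence.
EVIDENCE = {
    "dirsrv": [r"failed to bind to server ldapi://", r"did not correctly init",
               r"fetching master key K/M"],
    "krb5kdc": [r"Cannot contact any KDC", r"cannot initialize realm"],
}

# Constructed sample input, shaped like the post (the list software rewrote
# the '@' in the dirsrv instance name as ' at ', so both forms are handled).
SAMPLE_SYSTEMCTL = """\
● dirsrv at unix.co.org.au.service loaded failed failed 389 Directory Server
● ipa.service loaded failed failed Identity, Policy, Audit
● kadmin.service loaded failed failed Kerberos 5 Password-changing
● kdump.service loaded failed failed Crash recovery kernel arming
● smb.service loaded failed failed Samba SMB Daemon"""
SAMPLE_LOGS = [
    "pdb backend ipasam:ldapi://%2fvar%2frun%2fslapd-X.socket did not correctly init",
    "kerberos error: code=-1765328228, message=Cannot contact any KDC for realm 'X'",
    "failed to bind to server ldapi://%2fvar%2frun%2fslapd-X.socket with dn=\"[Anonymous bind]\"",
    "krb5kdc: Server error - while fetching master key K/M for realm X",
]

UNIT_RE = re.compile(r"(\S+?)(?: at \S+|@\S+)?\.service\s+loaded\s+failed")

def parse_failed_units(systemctl_output):
    """Return base unit names (instance suffix stripped) flagged as failed."""
    units = []
    for line in systemctl_output.splitlines():
        m = UNIT_RE.search(line)
        if m:
            units.append(m.group(1))
    return units

def triage(systemctl_output, log_lines):
    """Pick the earliest failed unit in start order and collect its evidence."""
    failed = parse_failed_units(systemctl_output)
    ordered = [u for u in IPA_START_ORDER if u in failed]
    if not ordered:
        return None  # nothing IPA-related failed; look elsewhere
    root = ordered[0]
    evidence = [line for line in log_lines
                if any(re.search(p, line) for p in EVIDENCE.get(root, []))]
    return {"start_with": root, "failed_in_order": ordered, "evidence": evidence}
```

On the sample this points at dirsrv first, with the ldapi bind failures and the K/M fetch error as supporting lines; ipa.service is the wrapper unit and kdump is unrelated, so both are ignored.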