[Freeipa-users] IPA won't start, all services fail

Simpson Lachlan Lachlan.Simpson at petermac.org
Fri Jan 15 06:04:20 UTC 2016


Hi

I’m not 100% sure where I've gone wrong, but I obviously have.

Running Centos 7.2, with FreeIPA 4.2.0 from the repos.

FreeIPA was set up per instructions (# ipa-server-install ), and we could surf to the website and interact with it. 

I set up a second server, yum install -y ipa-client, and then joined with authconfig successfully and logged in.

Our intention is to join an AD domain over which we have no control in a one way trust: co.org.au is trusted by unix.co.org.au.

In order to do this, I followed the instructions on redhat's documentation " 5.3.3.1. Preparing the IdM Server for Trust"

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/creating-trusts.html#trust-set-up-idm

I installed "*ipa-server-trust-ad" samba, ran the ipa-adtrust-install script successfully, confirmed DNS was properly configured, confirmed smbclient was properly configured, then created a trust agreement successfully (this time yesterday I was cheering).

--------------------------------------------------------
Added Active Directory trust for realm "co.org.au"
--------------------------------------------------------
  Realm name: co.org.au
  Domain NetBIOS name: PMCI
  Domain Security Identifier: S-1-5-21-55386287-1424373824-1154838474
  SID blacklist incoming: S-1-5-20, S-1-5-3, S-1-5-2, S-1-5-1, S-1-5-7, S-1-5-6, S-1-5-5, S-1-5-4, S-1-5-9, S-1-5-8, S-1-5-17, S-1-5-16, S-1-5-15, S-1-5-14, S-1-5-13, S-1-5-12, S-1-5-11, S-1-5-10, S-1-3, S-1-2, S-1-1, S-1-0, S-1-5-19, S-1-5-18
  SID blacklist outgoing: S-1-5-20, S-1-5-3, S-1-5-2, S-1-5-1, S-1-5-7, S-1-5-6, S-1-5-5, S-1-5-4, S-1-5-9, S-1-5-8, S-1-5-17, S-1-5-16, S-1-5-15, S-1-5-14, S-1-5-13, S-1-5-12, S-1-5-11, S-1-5-10, S-1-3, S-1-2, S-1-1, S-1-0, S-1-5-19, S-1-5-18
  Trust direction: Trusting forest
  Trust type: Active Directory domain
  Trust status: Established and verified



Then I started to see some differentiation from the documented output, so I started investigating. In particular, kvno -S cifs adserver.example.com didn't work.

Eventually I turned off selinux and the firewall altogether and rebooted.

Now IPA doesn't start. When I look into it, this is what I see:


[root at vmts-linuxidm ~]# sc | grep failed
● dirsrv at unix.co.org.au.service  loaded failed failed    389 Directory Server unix.co.org.au.
● ipa.service                          loaded failed failed    Identity, Policy, Audit
● kadmin.service                       loaded failed failed    Kerberos 5 Password-changing and Administration
● kdump.service                        loaded failed failed    Crash recovery kernel arming
● smb.service                          loaded failed failed    Samba SMB Daemon


From the numerous logs and web pages I've read, I think this means:

IPA doesn't start because samba fails to start. 

This is from journalctl re samba:

Missing mandatory attribute ipaNTSecurityIdentifier
Cannot find SID of fallback group
pdb backend ipasam:ldapi://%2fvar%2frun%2fslapd-UNIX-CO-ORG-AU.socket did not correctly init (error was NT_STATUS_INVALID_PARAMETER)
Server ldap/vmts-linuxidm at UNIX.CO.ORG.AU not found in Kerberos database


This is from the smb log:

[2016/01/15 14:53:03,  0] ../source3/smbd/server.c:1241(main)
  smbd version 4.2.3 started.
  Copyright Andrew Tridgell and the Samba Team 1992-2014
[2016/01/15 14:53:03.538393,  0] ipa_sam.c:4208(bind_callback_cleanup)
  kerberos error: code=-1765328228, message=Cannot contact any KDC for realm 'UNIX.CO.ORG.AU'
[2016/01/15 14:53:03.538500,  0] ../source3/lib/smbldap.c:998(smbldap_connect_system)
  failed to bind to server ldapi://%2fvar%2frun%2fslapd-UNIX-CO-ORG-AU.socket with dn="[Anonymous bind]" Error: Local error
        (unknown)

Samba seems to be failing because LDAP (dirsrv) is failing and it can't connect, or because Kerberos isn't running.

LDAP isn't running because Kerberos isn't running:

krb5kdc: cannot initialize realm UNIX.CO.ORG.AU - see log file for details

krb5kdc: Server error - while fetching master key K/M for realm UNIX.CO.ORG.AU


So. It looks like samba and IPA won't start because Kerberos and LDAP won't start.

It's hard to tell why they won't start, but it looks a little like Kerberos won't start because there aren't any values in LDAP, and LDAP won't start because Kerberos isn't started?



This is from the /var/log/dirsrv/slapd-UNIX-CO-ORG-AU/errors file:

SSL Initialization - Configured SSL version range: min: TLS1.0, max: TLS1.2
- 389-Directory/1.3.4.0 B2015.343.1254 starting up
- WARNING: changelog: entry cache size 2097152B is less than db size 4259840B; We recommend to increase the entry cache size nsslapd-cachememsize.
schema-compat-plugin - warning: no entries set up under cn=computers, cn=compat,dc=unix,dc=co,dc=org,dc=au
schema-compat-plugin - warning: no entries set up under cn=ng, cn=compat,dc=unix,dc=co,dc=org,dc=au
schema-compat-plugin - warning: no entries set up under ou=sudoers,dc=unix,dc=co,dc=org,dc=au
NSACLPlugin - The ACL target cn=dns,dc=unix,dc=co,dc=org,dc=au does not exist
NSACLPlugin - The ACL target cn=dns,dc=unix,dc=co,dc=org,dc=au does not exist
NSACLPlugin - The ACL target cn=keys,cn=sec,cn=dns,dc=unix,dc=co,dc=org,dc=au does not exist
NSACLPlugin - The ACL target cn=dns,dc=unix,dc=co,dc=org,dc=au does not exist
NSACLPlugin - The ACL target cn=dns,dc=unix,dc=co,dc=org,dc=au does not exist
NSACLPlugin - The ACL target cn=groups,cn=compat,dc=unix,dc=co,dc=org,dc=au does not exist
NSACLPlugin - The ACL target cn=computers,cn=compat,dc=unix,dc=co,dc=org,dc=au does not exist
NSACLPlugin - The ACL target cn=ng,cn=compat,dc=unix,dc=co,dc=org,dc=au does not exist
NSACLPlugin - The ACL target ou=sudoers,dc=unix,dc=co,dc=org,dc=au does not exist
NSACLPlugin - The ACL target cn=users,cn=compat,dc=unix,dc=co,dc=org,dc=au does not exist
NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=unix,dc=co,dc=org,dc=au does not exist

NSACLPlugin - The ACL target cn=casigningcert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=unix,dc=co,dc=org,dc=au does not exist
NSACLPlugin - The ACL target cn=casigningcert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=unix,dc=co,dc=org,dc=au does not exist
NSACLPlugin - The ACL target cn=automember rebuild membership,cn=tasks,cn=config does not exist


I don't understand why it's looking for dns.unix.co.org.au - I wanted the upstream DNS to serve this domain as well?

My brain hurts. I'm new to FreeIPA. Not to linux, and I have a passing knowledge of AD, SMB, LDAP, DNS. I think I'm further confused by so many new moving parts, and not seeing a clear way to solve any of the problems, or even which problem to start with.

Can anyone point me in a direction with regards to what I've done wrong, what I might look at to fix this, or some documentation that steps through the installation of a FreeIPA server, set up as a one way trust, where all clients authenticate against AD?

Cheers
L.
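
The post asks "which problem to start with". The helper below is an added example, not code from the original post or from FreeIPA; it maps the log messages quoted above to the component they come from and picks the one lowest in the assumed start-up chain (dirsrv, then krb5kdc, then smb/kadmin/httpd, then ipa.service). The ordering and the hint texts are my assumptions, not project documentation; in FreeIPA the KDC fetches the K/M master key from 389 DS through the ipa-kdb plugin, so a master-key fetch error is usually an LDAP symptom rather than a Kerberos one.

```shell
#!/bin/sh
# Triage helper (added example, not from the post): rank each quoted log line
# by the component it implicates, then report the lowest-ranked component,
# which is where to start. Assumed dependency order:
#   1 dirsrv -> 2 krb5kdc -> 3 smb/kadmin -> ipa.service

# Constructed sample: the messages quoted in the thread, one per line.
SAMPLE_LOG='Missing mandatory attribute ipaNTSecurityIdentifier
Cannot find SID of fallback group
pdb backend ipasam:ldapi://%2fvar%2frun%2fslapd-UNIX-CO-ORG-AU.socket did not correctly init (error was NT_STATUS_INVALID_PARAMETER)
Server ldap/vmts-linuxidm at UNIX.CO.ORG.AU not found in Kerberos database
kerberos error: code=-1765328228, message=Cannot contact any KDC for realm UNIX.CO.ORG.AU
krb5kdc: Server error - while fetching master key K/M for realm UNIX.CO.ORG.AU'

# classify_line LINE -> prints "RANK COMPONENT hint..."
classify_line() {
  case "$1" in
    *"fetching master key K/M"*|*"cannot initialize realm"*)
      echo "1 dirsrv KDC reads K/M via ipa-kdb from 389 DS; LDAP unreachable or realm entry missing" ;;
    *"Cannot contact any KDC"*)
      echo "2 krb5kdc KDC is not up; it will not come up while dirsrv is down" ;;
    *"not found in Kerberos database"*)
      echo "2 krb5kdc service principal lookup failed; depends on KDC and LDAP" ;;
    *ipaNTSecurityIdentifier*|*"SID of fallback group"*|*ipasam*)
      echo "3 smb ipasam passdb backend needs trust objects from LDAP" ;;
    *)
      echo "9 unknown no rule for this line" ;;
  esac
}

# first_failing_component LOGTEXT -> name of the lowest-ranked component seen
first_failing_component() {
  printf '%s\n' "$1" | while IFS= read -r line; do
    classify_line "$line"
  done | sort -n | head -n 1 | cut -d' ' -f2
}

printf 'Start troubleshooting at: %s\n' "$(first_failing_component "$SAMPLE_LOG")"
```

Feed it `journalctl -u smb -u krb5kdc --no-pager` output instead of the constructed sample to rank a live system's messages the same way.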