[Freeipa-users] IPA wont start, all services fail

Alexander Bokovoy abokovoy at redhat.com
Fri Jan 15 06:58:47 UTC 2016


On Fri, 15 Jan 2016, Simpson Lachlan wrote:
>Hi
>
>I’m not 100% sure where I've gone wrong, but I obviously have.
>
>Running Centos 7.2, with FreeIPA 4.2.0 from the repos.
>
>FreeIPA was set up per instructions (# ipa-server-install ), and we could surf to the website and interact with it.
>
>I set up a second server, yum install -y ipa-client, and then joined with authconfig successfully and logged in.
>
>Our intention is to join an AD domain over which we have no control in a one way trust: co.org.au is trusted by unix.co.org.au.
>
>In order to do this, I followed the instructions on redhat's documentation " 5.3.3.1. Preparing the IdM Server for Trust"
>
>https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/creating-trusts.html#trust-set-up-idm
>
>I installed "*ipa-server-trust-ad" samba, ran the ipa-adtrust-install script successfully, confirmed DNS was properly configured, confirmed smbclient was properly configured, then created a trust agreement successfully (this time yesterday I was cheering).
>
>--------------------------------------------------------
>Added Active Directory trust for realm "co.org.au"
>--------------------------------------------------------
>  Realm name: co.org.au
>  Domain NetBIOS name: PMCI
>  Domain Security Identifier: S-1-5-21-55386287-1424373824-1154838474
>  SID blacklist incoming: S-1-5-20, S-1-5-3, S-1-5-2, S-1-5-1, S-1-5-7, S-1-5-6, S-1-5-5, S-1-5-4, S-1-5-9, S-1-5-8, S-1-5-17, S-1-5-16, S-1-5-15, S-1-5-14, S-1-5-13, S-1-5-12, S-1-5-11, S-1-5-10, S-1-3, S-1-2, S-1-1, S-1-0, S-1-5-19, S-1-5-18
>  SID blacklist outgoing: S-1-5-20, S-1-5-3, S-1-5-2, S-1-5-1, S-1-5-7, S-1-5-6, S-1-5-5, S-1-5-4, S-1-5-9, S-1-5-8, S-1-5-17, S-1-5-16, S-1-5-15, S-1-5-14, S-1-5-13, S-1-5-12, S-1-5-11, S-1-5-10, S-1-3, S-1-2, S-1-1, S-1-0, S-1-5-19, S-1-5-18
>  Trust direction: Trusting forest
>  Trust type: Active Directory domain
>  Trust status: Established and verified
>
>
>
>Then I started to see some differentiation from the documented output, so I started investigating. In particular, kvno -S cifs adserver.example.com didn't work.
>
>Eventually I turned off selinux and the firewall altogether and rebooted.
>
>Now IPA doesn't start. When I look into it, this is what I see:
>
>
>[root@vmts-linuxidm ~]# sc | grep failed
>● dirsrv@unix.co.org.au.service        loaded failed failed    389 Directory Server unix.co.org.au.
>● ipa.service                          loaded failed failed    Identity, Policy, Audit
>● kadmin.service                       loaded failed failed    Kerberos 5 Password-changing and Administration
>● kdump.service                        loaded failed failed    Crash recovery kernel arming
>● smb.service                          loaded failed failed    Samba SMB Daemon
>
>
>From the numerous logs and web pages I've read, I think this means:
>
>IPA doesn't start because samba fails to start.
>
>This is from journalctl re samba:
>
>Missing mandatory attribute ipaNTSecurityIdentifier
>Cannot find SID of fallback group
>pdb backend ipasam:ldapi://%2fvar%2frun%2fslapd-UNIX-CO-ORG-AU.socket did not correctly init (error was NT_STATUS_INVALID_PARAMETER)
>Server ldap/vmts-linuxidm@UNIX.CO.ORG.AU not found in Kerberos database
>
>
>This is from the smb log:
>
>[2016/01/15 14:53:03,  0] ../source3/smbd/server.c:1241(main)
>  smbd version 4.2.3 started.
>  Copyright Andrew Tridgell and the Samba Team 1992-2014
>[2016/01/15 14:53:03.538393,  0] ipa_sam.c:4208(bind_callback_cleanup)
>  kerberos error: code=-1765328228, message=Cannot contact any KDC for realm 'UNIX.CO.ORG.AU'
>[2016/01/15 14:53:03.538500,  0] ../source3/lib/smbldap.c:998(smbldap_connect_system)
>  failed to bind to server ldapi://%2fvar%2frun%2fslapd-UNIX-CO-ORG-AU.socket with dn="[Anonymous bind]" Error: Local error
>        (unknown)
>
>Samba seems to be failing because LDAP (dirsrv) is failing and it can't connect, or because Kerberos isn't running.
>
>LDAP isn't running because Kerberos isn't running:
>
>krb5kdc: cannot initialize realm UNIX.CO.ORG.AU - see log file for details
>
>krb5kdc: Server error - while fetching master key K/M for realm UNIX.CO.ORG.AU
>
>
>So. It looks like samba and IPA won't start because Kerberos and LDAP
>won't start.
>
>It's hard to tell why they won't start, but it looks a little like
>Kerberos won't start because there aren't any values in LDAP, and LDAP
>won't start because Kerberos isn't started?
No, LDAP server startup is not tied to Kerberos. It can start perfectly
well without it, as Kerberos in 389-ds is only needed for replication to
happen.

Samba is failing because it cannot get access to LDAP server using
GSSAPI, that's right. 

KDC is failing because LDAP server is not available, that's right too.

>This is from the /var/log/dirsrv/slapd-UNIX-CO-ORG-AU/errors file:
>
>SSL Initialization - Configured SSL version range: min: TLS1.0, max: TLS1.2
>- 389-Directory/1.3.4.0 B2015.343.1254 starting up
>- WARNING: changelog: entry cache size 2097152B is less than db size 4259840B; We recommend to increase the entry cache size nsslapd-cachememsize.
>schema-compat-plugin - warning: no entries set up under cn=computers, cn=compat,dc=unix,dc=co,dc=org,dc=au
>schema-compat-plugin - warning: no entries set up under cn=ng, cn=compat,dc=unix,dc=co,dc=org,dc=au
>schema-compat-plugin - warning: no entries set up under ou=sudoers,dc=unix,dc=co,dc=org,dc=au
>NSACLPlugin - The ACL target cn=dns,dc=unix,dc=co,dc=org,dc=au does not exist
>NSACLPlugin - The ACL target cn=dns,dc=unix,dc=co,dc=org,dc=au does not exist
>NSACLPlugin - The ACL target cn=keys,cn=sec,cn=dns,dc=unix,dc=co,dc=org,dc=au does not exist
>NSACLPlugin - The ACL target cn=dns,dc=unix,dc=co,dc=org,dc=au does not exist
>NSACLPlugin - The ACL target cn=dns,dc=unix,dc=co,dc=org,dc=au does not exist
>NSACLPlugin - The ACL target cn=groups,cn=compat,dc=unix,dc=co,dc=org,dc=au does not exist
>NSACLPlugin - The ACL target cn=computers,cn=compat,dc=unix,dc=co,dc=org,dc=au does not exist
>NSACLPlugin - The ACL target cn=ng,cn=compat,dc=unix,dc=co,dc=org,dc=au does not exist
>NSACLPlugin - The ACL target ou=sudoers,dc=unix,dc=co,dc=org,dc=au does not exist
>NSACLPlugin - The ACL target cn=users,cn=compat,dc=unix,dc=co,dc=org,dc=au does not exist
>NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=unix,dc=co,dc=org,dc=au does not exist
>
>NSACLPlugin - The ACL target cn=casigningcert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=unix,dc=co,dc=org,dc=au does not exist
>NSACLPlugin - The ACL target cn=casigningcert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=unix,dc=co,dc=org,dc=au does not exist
>NSACLPlugin - The ACL target cn=automember rebuild membership,cn=tasks,cn=config does not exist
>
>
>I don't understand why it's looking for dns.unix.co.org.au - I wanted
>the upstream DNS to serve this domain as well?
You may ignore the ACL plugin's output as it just mentions that there are
ACLs against entries which don't exist -- this is normal, because we
still have ACLs in place for cn=dns,$SUFFIX even if you don't configure
integrated DNS. These messages have nothing to do with your problem.

None of the above is revealing an issue.

Follow http://www.port389.org/docs/389ds/FAQ/faq.html#debugging-crashes
to enable crashdumps for ns-slapd to see what happens in reality (check
systemd-enabled systems' recipes).
-- 
/ Alexander Bokovoy
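As an added example (not code from the thread or from FreeIPA), a POSIX shell triage script that encodes the dependency order Alexander lays out (dirsrv first, then KDC/kadmin, then smb, then ipa.service) and drops the dirsrv log noise he says to ignore; the failed-unit list and log lines below are constructed from the quoted output.

```shell
#!/bin/sh
# Added example, not from the thread. Triage order follows the reply:
# 389-ds needs no Kerberos to start; krb5kdc/kadmin need LDAP; smb needs
# LDAP via GSSAPI; ipa.service needs all of them. On a real host feed
# `systemctl --failed --no-legend` and /var/log/dirsrv/slapd-<INSTANCE>/errors.

# Constructed sample: failed units as systemctl reported them in the thread.
FAILED_UNITS='dirsrv@unix.co.org.au.service
ipa.service
kadmin.service
kdump.service
smb.service'

# Constructed sample of dirsrv errors-log lines quoted in the thread.
DIRSRV_ERRORS='SSL Initialization - Configured SSL version range: min: TLS1.0, max: TLS1.2
- 389-Directory/1.3.4.0 B2015.343.1254 starting up
schema-compat-plugin - warning: no entries set up under cn=ng, cn=compat,dc=unix,dc=co,dc=org,dc=au
NSACLPlugin - The ACL target cn=dns,dc=unix,dc=co,dc=org,dc=au does not exist
NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=unix,dc=co,dc=org,dc=au does not exist'

# Print the first failed unit in dependency order: that is where to look first.
# Units outside the IPA chain (kdump here) are ignored. Returns 1 if none match.
root_failed_unit() {
    units="$1"
    for pattern in '^dirsrv@' '^krb5kdc\.service$' '^kadmin\.service$' \
                   '^smb\.service$' '^ipa\.service$'; do
        match=$(printf '%s\n' "$units" | grep -E "$pattern" | head -n 1)
        if [ -n "$match" ]; then
            printf '%s\n' "$match"
            return 0
        fi
    done
    return 1
}

# Drop the dirsrv messages the reply calls normal: NSACLPlugin "does not exist"
# for ACL targets and schema-compat "no entries set up" warnings. Whatever
# remains is what deserves attention (or, if nothing does, a crashdump).
interesting_dirsrv_lines() {
    printf '%s\n' "$1" \
      | grep -v -E 'NSACLPlugin - The ACL target .* does not exist$' \
      | grep -v -E 'schema-compat-plugin - warning: no entries set up under'
}

root_failed_unit "$FAILED_UNITS"
interesting_dirsrv_lines "$DIRSRV_ERRORS"
```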