[Freeipa-users] IPA wont start, all services fail
Simpson Lachlan
Lachlan.Simpson at petermac.org
Tue Jan 19 02:10:54 UTC 2016
I'm coming back to this thread for consistency, but this is a result of me running ipactl on the system we got working a couple of hours ago. See the email titled "idoverride-add gives incorrect, inconsistant results?" for the lead-up.
Anyway, ipactl restart fails, again.
[root at vmts-linuxidm ~]# ipactl restart
Stopping pki-tomcatd Service
Restarting Directory Service
Restarting krb5kdc Service
Restarting kadmin Service
Restarting ipa_memcached Service
Restarting httpd Service
Restarting pki-tomcatd Service
Restarting winbind Service
Restarting ipa-otpd Service
Starting smb Service
Job for smb.service failed because the control process exited with error code. See "systemctl status smb.service" and "journalctl -xe" for details.
Failed to start smb Service
Shutting down
Aborting ipactl
Gah. Look in the samba log, and it's exactly the same issue.
Right.
[root at vmts-linuxidm ~]# ipa-adtrust-install --netbios-name=UNIX -a xxxxxxx
The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will setup components needed to establish trust to AD domains for
the IPA Server.
This includes:
* Configure Samba
* Add trust related objects to IPA LDAP server
To accept the default shown in brackets, press the Enter key.
IPA generated smb.conf detected.
Overwrite smb.conf? [no]: yes
Do you want to enable support for trusted domains in Schema Compatibility plugin?
This will allow clients older than SSSD 1.9 and non-Linux clients to work with trusted users.
Enable trusted domains support in slapi-nis? [no]: yes
There was error to automatically re-kinit your admin user ticket.
Proceeding with credentials that existed before
Outdated Kerberos credentials. Use kdestroy and kinit to update your ticket
Huh?
[root at vmts-linuxidm ~]# kdestroy
[root at vmts-linuxidm ~]# kinit admin
kinit: Cannot contact any KDC for realm 'UNIX.CO.ORG.AU' while getting initial credentials
I check, and sure enough, dirsrv at UNIX.CO.ORG.AU has stopped again (should I call it 389, dirsrv, ldap or slapd? They are all the same thing, right?).
I restart dirsrv and try restarting smb, no joy. I try running ipa-adtrust-install again, without luck. I restart krb5kdc manually (sc start krb5kdc) and try all the above again, with no luck.
kdestroy has a lovely little pause, but kinit admin fails.
Some of the other errors I've received:
ipa-adtrust-install
There was error to automatically re-kinit your admin user ticket.
Proceeding with credentials that existed before
Must have Kerberos credentials to setup AD trusts on serve
klist
klist: Credentials cache keyring 'persistent:0:0' not found
Ok, so I try sc start krb5kdc and that works. Now klist still returns the above error, but kinit admin works. And ipa-adtrust-install works as it did this AM (output at the end for reference).
FWIW:
- I can now browse the IPA server via a web browser.
- I can retrieve credentials for those that I've already retrieved credentials for (id testuser at co.org.au works)
- I can't retrieve new credentials (id testuser_new at co.org.au does not work ("no such user"))
- if I sc --failed:
UNIT LOAD ACTIVE SUB DESCRIPTION
● ipa.service loaded failed failed Identity, Policy, Audit
● kadmin.service loaded failed failed Kerberos 5 Password-changing and Administration
● smb.service loaded failed failed Samba SMB Daemon
- None of these will start on their own (with sc start <name>.service)
- trying to start ipa fails, with the added bonus of shutting down krb5kdc / kadmin / dirsrv at DOMAIN.ORG.AU as well? I'm finding I'm needing to restart these services after attempting an ipa start. Which is still failing on smb.
- krb5kdc also doesn't start.
I am so confused. Earlier in the day when it was "working", I noticed that there was a service running called ipa.memcached - I presume that's why I can get some ids and not others and can browse via web (well, that just means tomcat started correctly, right?). ipa.memcached has disappeared from the list of running services when I sc now.
So. How can I create a situation where when I restart ipa, for whatever reason, this doesn't happen again?
Secondary question: given that I have missed something seemingly integral, is there a document that describes the post install setup process I should go through to stop this error from re-occurring?
Cheers
L.
Notes:
[root at vmts-linuxidm ~]# ipa-adtrust-install --netbios-name=UNIX -a xxxxxxx
The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will setup components needed to establish trust to AD domains for
the IPA Server.
This includes:
* Configure Samba
* Add trust related objects to IPA LDAP server
To accept the default shown in brackets, press the Enter key.
IPA generated smb.conf detected.
Overwrite smb.conf? [no]: yes
Do you want to enable support for trusted domains in Schema Compatibility plugin?
This will allow clients older than SSSD 1.9 and non-Linux clients to work with trusted users.
Enable trusted domains support in slapi-nis? [no]: yes
WARNING: 2 existing users or groups do not have a SID identifier assigned.
Installer can run a task to have ipa-sidgen Directory Server plugin generate
the SID identifier for all these users. Please note, the in case of a high
number of users and groups, the operation might lead to high replication
Configuring CIFS
[1/23]: stopping smbd
[2/23]: creating samba domain object
Samba domain object already exists
[3/23]: creating samba config registry
[4/23]: writing samba config file
[5/23]: adding cifs Kerberos principal
[6/23]: adding cifs and host Kerberos principals to the adtrust agents group
[7/23]: check for cifs services defined on other replicas
[8/23]: adding cifs principal to S4U2Proxy targets
cifs principal already targeted, nothing to do.
[9/23]: adding admin(group) SIDs
Admin SID already set, nothing to do
Admin group SID already set, nothing to do
[10/23]: adding RID bases
RID bases already set, nothing to do
[11/23]: updating Kerberos config
'dns_lookup_kdc' already set to 'true', nothing to do.
[12/23]: activating CLDAP plugin
CLDAP plugin already configured, nothing to do
[13/23]: activating sidgen task
Sidgen task plugin already configured, nothing to do
[14/23]: configuring smbd to start on boot
[15/23]: adding special DNS service records
DNS management was not enabled at install time.
Add the following service records to your DNS server for DNS zone unix.co.org.au:
- _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs
- _ldap._tcp.dc._msdcs
- _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs
- _kerberos._tcp.dc._msdcs
- _kerberos._udp.Default-First-Site-Name._sites.dc._msdcs
- _kerberos._udp.dc._msdcs
[16/23]: enabling trusted domains support for older clients via Schema Compatibility plugin
[17/23]: restarting Directory Server to take MS PAC and LDAP plugins changes into account
[18/23]: adding fallback group
Fallback group already set, nothing to do
[19/23]: adding Default Trust View
Default Trust View already exists.
[20/23]: setting SELinux booleans
[21/23]: enabling oddjobd
[22/23]: starting CIFS services
ipa : CRITICAL CIFS services failed to start
[23/23]: adding SIDs to existing users and groups
Done configuring CIFS.
=============================================================================
Setup complete
You must make sure these network ports are open:
TCP Ports:
* 138: netbios-dgm
* 139: netbios-ssn
* 445: microsoft-ds
UDP Ports:
* 138: netbios-dgm
* 139: netbios-ssn
* 389: (C)LDAP
* 445: microsoft-ds
=============================================================================
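The pattern in the output above is that ipactl starts the stack in a fixed order (directory server, KDC, kadmin, memcached, httpd, pki-tomcatd, winbind, otpd, smb), and when a later unit such as smb fails it shuts the earlier ones down again, which is why dirsrv and krb5kdc keep "disappearing" after each attempt. The added script below is an editorial example, not code from the thread or from FreeIPA itself: it walks the units in that start order, reports the first one that is not active, prints the diagnostics worth running for it, and checks that the six `_msdcs` SRV records the installer asked for actually resolve in the zone. Assumptions: the systemd unit names are taken from the ipactl output in the post; the directory server instance name `dirsrv@UNIX-CO-ORG-AU.service` is assumed from the realm (FreeIPA replaces dots with hyphens); the log paths are the usual RHEL/CentOS defaults; `dig` is available for the SRV lookups. The `systemctl` and `srv_lookup` calls are wrapped in functions so they can be stubbed offline.

```shell
#!/bin/sh
# Added example (not from the original thread or FreeIPA): find the first IPA
# unit that is down, in ipactl start order, and verify the AD-trust SRV records.

# Units in the order ipactl starts them (names from the ipactl output in the
# post; the dirsrv instance name is assumed from the realm UNIX.CO.ORG.AU).
IPA_UNITS="dirsrv@UNIX-CO-ORG-AU.service krb5kdc.service kadmin.service \
ipa_memcached.service httpd.service pki-tomcatd@pki-tomcat.service \
winbind.service ipa-otpd.socket smb.service"

# SRV records ipa-adtrust-install listed because DNS is managed externally.
ADTRUST_SRV="_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs \
_ldap._tcp.dc._msdcs \
_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs \
_kerberos._tcp.dc._msdcs \
_kerberos._udp.Default-First-Site-Name._sites.dc._msdcs \
_kerberos._udp.dc._msdcs"

# Print the first unit in start order that systemd does not report as active.
# Returns 0 (and prints nothing) when every unit is active, 1 otherwise.
first_failed_unit() {
  for unit in $IPA_UNITS; do
    state=$(systemctl is-active "$unit" 2>/dev/null) || true
    if [ "$state" != "active" ]; then
      printf '%s\n' "$unit"
      return 1
    fi
  done
  return 0
}

# Print the commands worth running for a failing unit. Later units depend on
# earlier ones (smb needs a ticket from the KDC, the KDC needs the directory),
# so a failure in smb while dirsrv or krb5kdc is down is a symptom, not the cause.
diagnostics_for() {
  unit=$1
  printf 'systemctl status %s\n' "$unit"
  printf 'journalctl -u %s -n 50 --no-pager\n' "$unit"
  case $unit in
    dirsrv@*)
      printf 'tail -n 50 /var/log/dirsrv/slapd-*/errors\n' ;;
    krb5kdc.service|kadmin.service)
      printf 'tail -n 50 /var/log/krb5kdc.log\n'
      printf 'kinit admin && klist\n' ;;
    smb.service|winbind.service)
      printf 'testparm -s\n'
      printf 'tail -n 50 /var/log/samba/log.smbd\n' ;;
  esac
}

# Resolve one SRV name (assumes dig); stub this function to test offline.
srv_lookup() { dig +short SRV "$1" 2>/dev/null; }

# Print every required SRV record that does not resolve under the zone.
# Returns 1 if any record is missing, 0 if all resolve.
missing_srv_records() {
  zone=$1
  missing=0
  for rec in $ADTRUST_SRV; do
    if [ -z "$(srv_lookup "$rec.$zone")" ]; then
      printf '%s.%s\n' "$rec" "$zone"
      missing=1
    fi
  done
  return $missing
}

main() {
  zone=${1:-unix.co.org.au}
  if unit=$(first_failed_unit); then
    echo "all IPA units active"
  else
    echo "first unit not active: $unit"
    diagnostics_for "$unit"
  fi
  missing_srv_records "$zone" || echo "add the SRV records above to zone $zone"
}

# Run the checks only when invoked as: sh ipa_check.sh --run [zone]
if [ "${1:-}" = "--run" ]; then main "${2:-}"; fi
```

Run it as root after each `ipactl start` attempt rather than after the rollback has finished, since once ipactl aborts it will have stopped the services it had already started and the only unit left in `systemctl --failed` is the last one, not the one that caused the chain to fall over.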