[Freeipa-users] Fwd: Creating Trusts with AD - (RH#878168, FIPA#3266)

Jon three18ti at gmail.com
Tue Jan 19 18:34:21 UTC 2016 

Hello,

While following the guide on setting up FreeIPA with AD
<http://www.freeipa.org/page/Active_Directory_trust_setup>, I got to the
step where I'm adding the AD trust to FreeIPA but I receive an error:

  >> Active Directory domain administrator's password:
  >> ipa: ERROR: CIFS server communication error: code "-1073741801",
  >>                 message "Memory allocation error" (both may be "None")

Thinking that the error was what was stated (my VM at the time only had 1GB
of ram), I shutdown my VM (memory hot add was not enabled in VMware, it is
now), bumped the RAM to 4GB, and booted the VM.

Upon running the same command after reboot I received an error:

  >> ipa: ERROR: did not receive Kerberos credentials

kinit admin is also reporting an error:

  >>  kinit: Cannot contact any KDC for realm 'myrealm'  while getting
initial credentials

trying to start FreeIPA in debug mode identified the samba service as at
fault.

  >> Jan 19 10:19:50 myfreeipaserver smbd[3676]:   kerberos error:
code=-1765328203, message=Keytab contains no suitable keys for cifs/
myfreeipaserver at SUB.DOMAIN.MYDOMAIN.COM
  >> Jan 19 10:19:51 myfreeipaserver smbd[3676]: [2016/01/19
10:19:51.261648,  0] ipa_sam.c:4520(pdb_init_ipasam)
  >> Jan 19 10:19:51 myfreeipaserver smbd[3676]:   Failed to get base DN.
  >> Jan 19 10:19:51 myfreeipaserver smbd[3676]: [2016/01/19
10:19:51.262675,  0]
../source3/passdb/pdb_interface.c:179(make_pdb_method_name)
  >> Jan 19 10:19:51 myfreeipaserver smbd[3676]:   pdb backend
ipasam:ldapi://%2fvar%2frun%2fslapd-SUB-DOMAIN-MYDOMAIN-COM.socket did not
correctly init (error was NT_STATUS_UNSUCCESSFUL)

Googling for these errors turned up a few similar threads but none of the
solutions seemed to work and all signs pointed to AD integration as the
culprit...

So I did what any good sysadmin would do and forced freeipa to start while
ignoring any failures.  Every service except samba starts without issue.

So I tried my trust connection again, and received the same error,

  >> Active Directory domain administrator's password:
  >> ipa: ERROR: CIFS server communication error: code "-1073741801",
  >>                 message "Memory allocation error" (both may be "None")

Which brought me to googling two bug reports opened on this exact issue:

>> https://bugzilla.redhat.com/show_bug.cgi?id=878168
>> https://fedorahosted.org/freeipa/ticket/3266

Both of these bug reports indicate there's an upstream bug in Samba, the
bug has been closed and reopened at least once.  I did add the AD servers
to /etc/hosts and rebooted the server.  I have to go through the same
process of forcing freeipa to start after the server rebooted... However, I
received the same error message.

While the bug report is currently closed, I seem to be experiencing the
same issues...

Given this bug report, can you please answer me these questions three:

1)  Given the issues with Samba starting after reboot, is this bug report
actually what's wrong or is the error message when trying to create a trust
a red herring and it's actually samba that's the problem?
2)  Does this bug report mean that trusts between FreeIPA and AD are broken
and can not be established until the upstream bug in Samba is fixed?
3)  Is there a workaround?  (as adding the domain controllers to /etc/hosts
with IPv4 address does not appear to work)

System Stats:
- AD Server:  Win2k8R2
- FreeIPA server:

>> CentOS Linux release 7.2.1511 (Core)


>> # uname -a
>> Linux myserver 3.10.0-327.4.4.el7.x86_64 #1 SMP Tue Jan 5 16:07:00 UTC
2016 x86_64 x86_64 x86_64 GNU/Linux

>> # rpm -qa | grep ipa
>> python-libipa_hbac-1.13.0-40.el7_2.1.x86_64
>> ipa-server-4.2.0-15.el7.centos.3.x86_64
>> ipa-server-dns-4.2.0-15.el7.centos.3.x86_64
>> python-iniparse-0.4-9.el7.noarch
>> libipa_hbac-1.13.0-40.el7_2.1.x86_64
>> sssd-ipa-1.13.0-40.el7_2.1.x86_64
>> ipa-python-4.2.0-15.el7.centos.3.x86_64
>> ipa-client-4.2.0-15.el7.centos.3.x86_64
>> ipa-server-trust-ad-4.2.0-15.el7.centos.3.x86_64
>> ipa-admintools-4.2.0-15.el7.centos.3.x86_64


I appreciate any help.  I've been trying to get FreeIPA going for a couple
of weeks now and have run into nothing but frustrations.  The funny thing
is, I've never had a problem deploying FreeIPA by itself...  Microsoft
seems to be the common denominator in my hair pulling lately... Correlation
does not equal causation... but it sure is a coincidence...  :)

Thanks for your time!

Best Regards,
Jon A
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20160119/255bf82f/attachment.htm>

More information about the Freeipa-users mailing list