[Freeipa-users] Fwd: Creating Trusts with AD - (RH#878168, FIPA#3266)

Anon Lister listeranon at gmail.com
Wed Jan 20 10:30:58 UTC 2016


So I had the same problem. For me it ended up being that some attribute was
not created correctly in 389 using the instructions in the guide. I don't
remember what it was off the top of my head. Something about a default user
or group SID I think. Had to turn samba logging up. Eventually it shows the
attribute it is failing on. I ended up manually adding it with vildap and
it worked fine after that. If no one else gets it I'll poke around and see
if I can find what it was, took me several hours to debug due to the
somewhat misleading error message.
On Jan 19, 2016 1:37 PM, "Jon" <three18ti at gmail.com> wrote:

> Hello,
>
> While following the guide on setting up FreeIPA with AD
> <http://www.freeipa.org/page/Active_Directory_trust_setup>, I got to the
> step where I'm adding the AD trust to FreeIPA but I receive an error:
>
>   >> Active Directory domain administrator's password:
>   >> ipa: ERROR: CIFS server communication error: code "-1073741801",
>   >>                 message "Memory allocation error" (both may be "None")
>
> Thinking that the error was what was stated (my VM at the time only had
> 1GB of RAM), I shut down my VM (memory hot add was not enabled in VMware, it
> is now), bumped the RAM to 4GB, and booted the VM.
>
> Upon running the same command after reboot I received an error:
>
>   >> ipa: ERROR: did not receive Kerberos credentials
>
> kinit admin is also reporting an error:
>
>   >>  kinit: Cannot contact any KDC for realm 'myrealm'  while getting initial credentials
>
> Trying to start FreeIPA in debug mode identified the samba service as at
> fault.
>
>   >> Jan 19 10:19:50 myfreeipaserver smbd[3676]:   kerberos error: code=-1765328203, message=Keytab contains no suitable keys for cifs/myfreeipaserver@SUB.DOMAIN.MYDOMAIN.COM
>   >> Jan 19 10:19:51 myfreeipaserver smbd[3676]: [2016/01/19 10:19:51.261648,  0] ipa_sam.c:4520(pdb_init_ipasam)
>   >> Jan 19 10:19:51 myfreeipaserver smbd[3676]:   Failed to get base DN.
>   >> Jan 19 10:19:51 myfreeipaserver smbd[3676]: [2016/01/19 10:19:51.262675,  0] ../source3/passdb/pdb_interface.c:179(make_pdb_method_name)
>   >> Jan 19 10:19:51 myfreeipaserver smbd[3676]:   pdb backend ipasam:ldapi://%2fvar%2frun%2fslapd-SUB-DOMAIN-MYDOMAIN-COM.socket did not correctly init (error was NT_STATUS_UNSUCCESSFUL)
>
> Googling for these errors turned up a few similar threads but none of the
> solutions seemed to work and all signs pointed to AD integration as the
> culprit...
>
> So I did what any good sysadmin would do and forced freeipa to start while
> ignoring any failures.  Every service except samba starts without issue.
>
> So I tried my trust connection again, and received the same error,
>
>   >> Active Directory domain administrator's password:
>   >> ipa: ERROR: CIFS server communication error: code "-1073741801",
>   >>                 message "Memory allocation error" (both may be "None")
>
> Which brought me to googling two bug reports opened on this exact issue:
>
> >> https://bugzilla.redhat.com/show_bug.cgi?id=878168
> >> https://fedorahosted.org/freeipa/ticket/3266
>
> Both of these bug reports indicate there's an upstream bug in Samba, the
> bug has been closed and reopened at least once.  I did add the AD servers
> to /etc/hosts and rebooted the server.  I have to go through the same
> process of forcing freeipa to start after the server rebooted... However, I
> received the same error message.
>
> While the bug report is currently closed, I seem to be experiencing the
> same issues...
>
> Given this bug report, can you please answer me these questions three:
>
> 1)  Given the issues with Samba starting after reboot, is this bug report
> actually what's wrong or is the error message when trying to create a trust
> a red herring and it's actually samba that's the problem?
> 2)  Does this bug report mean that trusts between FreeIPA and AD are
> broken and cannot be established until the upstream bug in Samba is fixed?
> 3)  Is there a workaround?  (as adding the domain controllers to
> /etc/hosts with IPv4 address does not appear to work)
>
> System Stats:
> - AD Server:  Win2k8R2
> - FreeIPA server:
>
> >> CentOS Linux release 7.2.1511 (Core)
>
>
> >> # uname -a
> >> Linux myserver 3.10.0-327.4.4.el7.x86_64 #1 SMP Tue Jan 5 16:07:00 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
>
> >> # rpm -qa | grep ipa
> >> python-libipa_hbac-1.13.0-40.el7_2.1.x86_64
> >> ipa-server-4.2.0-15.el7.centos.3.x86_64
> >> ipa-server-dns-4.2.0-15.el7.centos.3.x86_64
> >> python-iniparse-0.4-9.el7.noarch
> >> libipa_hbac-1.13.0-40.el7_2.1.x86_64
> >> sssd-ipa-1.13.0-40.el7_2.1.x86_64
> >> ipa-python-4.2.0-15.el7.centos.3.x86_64
> >> ipa-client-4.2.0-15.el7.centos.3.x86_64
> >> ipa-server-trust-ad-4.2.0-15.el7.centos.3.x86_64
> >> ipa-admintools-4.2.0-15.el7.centos.3.x86_64
>
>
> I appreciate any help.  I've been trying to get FreeIPA going for a couple
> of weeks now and have run into nothing but frustrations.  The funny thing
> is, I've never had a problem deploying FreeIPA by itself...  Microsoft
> seems to be the common denominator in my hair pulling lately... Correlation
> does not equal causation... but it sure is a coincidence...  :)
>
> Thanks for your time!
>
> Best Regards,
> Jon A
>
>
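An added example, not part of either poster's message: a small Python triage pass over the error and smbd log lines quoted in the thread. It decodes the signed decimal code in the ipa error to its NTSTATUS value and extracts the keytab principal and the passdb backend failure; the function names and finding labels are assumptions made for illustration.

```python
import re
from urllib.parse import unquote

# Constructed sample: the lines quoted in the thread, with wrapped log lines
# rejoined and the archive's " at " obfuscation restored to "@".
SAMPLE = """\
ipa: ERROR: CIFS server communication error: code "-1073741801", message "Memory allocation error" (both may be "None")
Jan 19 10:19:50 myfreeipaserver smbd[3676]:   kerberos error: code=-1765328203, message=Keytab contains no suitable keys for cifs/myfreeipaserver@SUB.DOMAIN.MYDOMAIN.COM
Jan 19 10:19:51 myfreeipaserver smbd[3676]:   Failed to get base DN.
Jan 19 10:19:51 myfreeipaserver smbd[3676]:   pdb backend ipasam:ldapi://%2fvar%2frun%2fslapd-SUB-DOMAIN-MYDOMAIN-COM.socket did not correctly init (error was NT_STATUS_UNSUCCESSFUL)
"""

# Small subset of the NTSTATUS table, enough for this thread.
NTSTATUS = {
    0xC0000001: "NT_STATUS_UNSUCCESSFUL",
    0xC0000017: "NT_STATUS_NO_MEMORY",
    0xC0000022: "NT_STATUS_ACCESS_DENIED",
}

def ntstatus_from_signed(code):
    """Map the signed 32-bit decimal that ipa prints to (hex string, name)."""
    value = code & 0xFFFFFFFF
    return "0x%08X" % value, NTSTATUS.get(value, "unknown")

def triage(text):
    """Return one finding tuple per recognised line, in input order."""
    findings = []
    for line in text.splitlines():
        m = re.search(r'CIFS server communication error: code "(-?\d+)"', line)
        if m:
            findings.append(("cifs-ntstatus",) + ntstatus_from_signed(int(m.group(1))))
            continue
        m = re.search(r"Keytab contains no suitable keys for (\S+)", line)
        if m:
            findings.append(("keytab-missing-key", m.group(1)))
            continue
        if "Failed to get base DN" in line:
            findings.append(("ipasam-no-base-dn",))
            continue
        m = re.search(r"pdb backend (\S+) did not correctly init \(error was (\w+)\)", line)
        if m:
            # The ldapi URL percent-encodes the socket path; decode it for reading.
            findings.append(("passdb-init-failed", unquote(m.group(1)), m.group(2)))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(*finding)
```
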