[Freeipa-users] IPA wont start, all services fail

Simpson Lachlan Lachlan.Simpson at petermac.org
Wed Jan 20 22:29:00 UTC 2016


> -----Original Message-----
> From: Alexander Bokovoy [mailto:abokovoy at redhat.com]
> Sent: Thursday, 21 January 2016 9:22 AM
> To: Simpson Lachlan
> Cc: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] IPA wont start, all services fail
> 
> On Wed, 20 Jan 2016, Simpson Lachlan wrote:
> >> -----Original Message-----
> >> From: Alexander Bokovoy [mailto:abokovoy at redhat.com]
> >> Sent: Thursday, 21 January 2016 8:44 AM
> >> To: Simpson Lachlan
> >> Cc: tbordaz at redhat.com; freeipa-users at redhat.com
> >> Subject: Re: [Freeipa-users] IPA wont start, all services fail
> >>
> >> On Wed, 20 Jan 2016, Simpson Lachlan wrote:
> >> >> -----Original Message-----
> >> >>
> >> >> Is there any coredump available with 389-ds crashing? I've asked
> >> >> you to use
> >> >> http://www.port389.org/docs/389ds/FAQ/faq.html#debugging-crashes
> >> >> to enable coredumps for 389-ds in one of previous discussions, was
> >> >> it done?
> >> >> You seemed to get diverted to winbindd core (which was expected to
> >> >> coredump as 389-ds was not available), but if you see 389-ds
> >> >> disappearing in several hours without any logging, this means
> >> >> there was a crash and we'd like to see the coredump of it.
> >> >
> >> >Hi Alex,
> >> >
> >> >I did perform the "Debugging Crashes" steps when you asked, but
> >> >there are still no core dumps in /var/log/dirsrv/slapd-INSTANCENAME.
> >> Well, perhaps it takes longer to get a crash than what you are expecting.
> >>
> >> >> You can check also /var/log/audit/audit.log to see if there is a
> >> >> trace of a crash. It may take different ways but one crash type is following:
> >> >
> >> >> type=ANOM_ABEND msg=audit(1453212583.746:2337): auid=4294967295
> >> >> uid=983
> >> >> gid=980 ses=4294967295 subj=system_u:system_r:dirsrv_t:s0
> >> >> pid=26079 comm="ns-slapd" exe="/usr/sbin/ns-slapd" sig=11
> >> >
> >> >There are no instances of ns-slap in the audit.log, there are a
> >> >dozen sig=11s, all of them relate to a "memory violation" in
> >> >httpd_t, and all references to dirsrv look like this:
> >> >
> >> >type=SERVICE_STOP msg=audit(1453174960.933:209): pid=1 uid=0
> >> >auid=4294967295 ses=4294967295 subj=kernel
> >> >msg='unit=dirsrv at UNIX-CO-ORG-AU comm="systemd"
> >> >exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=?
> >> >res=success'
> >> What are the memory violation for httpd_t? Can you show exact line
> >> from audit.log?
> >
> >
> >
> >type=ANOM_ABEND msg=audit(1452818553.235:5394): auid=4294967295 uid=48
> >gid=48 ses=4294967295 subj=system_u:system_r:httpd_t:s0 pid=32704
> >comm="httpd" reason="memory violation" sig=11 type=ANOM_ABEND
> Ok, I see two problems above and they may be related to recently fixed issue with
> python-cryptography's use of python-cffi. However, this issue should not affect
> CentOS 7.2 as the broken python-cryptography code is not in RHEL 7.2 at all, so
> I'm a bit puzzled.

Me too. I can't even give SIDs to the smb default group with ipa-adtrust-install --add-sids (as mentioned in another email thread this morning).

I tried this because it reflects an obvious solution to the problem I seem to have: that everything starts except smb, and ipa also fails as a result of smb failing.


Smb fails with the error:

smbd[18615]: [2016/01/21 08:32:37.519517,  0] ipa_sam.c:3654(get_fallback_group_sid)
smbd[18615]:   Missing mandatory attribute ipaNTSecurityIdentifier.
smbd[18615]: [2016/01/21 08:32:37.519572,  0] ipa_sam.c:4606(pdb_init_ipasam)
smbd[18615]:   Cannot find SID of fallback group.
smbd[18615]: [2016/01/21 08:32:37.519593,  0] ../source3/passdb/pdb_interface.c:179(make_pdb_method_name)
smbd[18615]:   pdb backend ipasam:ldapi://%2fvar%2frun%2fslapd-UNIX-CO-ORG-AU.socket did not correctly init (error was NT_STATUS_INVALID_PARAMETER)
systemd[1]: smb.service: main process exited, code=exited, status=1/FAILURE
systemd[1]: Failed to start Samba SMB Daemon.


I know I keep coming back to this, but it really does seem to be the error that I am seeing most often.

Cheers
L.
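
The audit.log check discussed in this thread (look for ANOM_ABEND records and see which process and SELinux domain they belong to) can be scripted. The following is an added example, not part of the original messages; the function names are hypothetical and the sample input is the three records quoted above, re-joined onto single lines.

```python
import re
from collections import Counter
from datetime import datetime, timezone

# Sample records: the three audit.log records quoted in this thread, re-joined
# onto single lines (the list archive's " at " in the unit name is left as is).
SAMPLE = [
    'type=ANOM_ABEND msg=audit(1453212583.746:2337): auid=4294967295 uid=983 '
    'gid=980 ses=4294967295 subj=system_u:system_r:dirsrv_t:s0 pid=26079 '
    'comm="ns-slapd" exe="/usr/sbin/ns-slapd" sig=11',
    'type=ANOM_ABEND msg=audit(1452818553.235:5394): auid=4294967295 uid=48 '
    'gid=48 ses=4294967295 subj=system_u:system_r:httpd_t:s0 pid=32704 '
    'comm="httpd" reason="memory violation" sig=11',
    'type=SERVICE_STOP msg=audit(1453174960.933:209): pid=1 uid=0 '
    'auid=4294967295 ses=4294967295 subj=kernel '
    "msg='unit=dirsrv at UNIX-CO-ORG-AU "
    'comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? '
    "terminal=? res=success'",
]

HEADER = re.compile(r"type=(\S+) msg=audit\((\d+\.\d+):(\d+)\):")
FIELD = re.compile(r"""(\w+)=("[^"]*"|'[^']*'|\S+)""")

def parse_record(line):
    """Return one audit record as a dict, or None if the line is not one."""
    line = line.strip()
    m = HEADER.match(line)
    if m is None:
        return None
    rec = {"type": m.group(1), "serial": int(m.group(3)),
           "when": datetime.fromtimestamp(float(m.group(2)), tz=timezone.utc)}
    for key, value in FIELD.findall(line[m.end():]):
        rec[key] = value.strip("\"'")  # quoted values may contain spaces
    return rec

def abnormal_ends(lines):
    """Return the ANOM_ABEND records (process ended by a fatal signal)."""
    records = (parse_record(line) for line in lines)
    return [r for r in records if r and r["type"] == "ANOM_ABEND"]

def selinux_domain(subj):
    """Third field of user:role:type:level, or the raw value if it is shorter."""
    parts = subj.split(":")
    return parts[2] if len(parts) > 2 else subj

def summarize(lines):
    """Count abnormal ends per (comm, SELinux domain, signal)."""
    return Counter((r.get("comm"), selinux_domain(r.get("subj", "")),
                    int(r.get("sig", 0))) for r in abnormal_ends(lines))

def crashed(lines, comm):
    """True if any ANOM_ABEND record names the given command."""
    return any(r.get("comm") == comm for r in abnormal_ends(lines))
```

On a live system, pass the open /var/log/audit/audit.log file object as `lines`; a SERVICE_STOP record for dirsrv with no matching ANOM_ABEND for ns-slapd means systemd stopped the unit without the audit log recording a crash.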