[Freeipa-users] Fwd: Creating Trusts with AD - (RH#878168, FIPA#3266)

Jon three18ti at gmail.com
Wed Jan 27 20:37:58 UTC 2016


Hello,

Thanks for your feedback.

So I reran `ipa-adtrust-install` and got a core dump from samba that there
was no space left on the device...?

A little digging showed that /var/log had filled up with files named
"core.XXXXX" in /var/log/samba/cores/winbindd.  So I removed all of them
and reran `ipa-adtrust-install --add-sids` which continues to fail on
starting CIFS services.  Debug information shows that it's the smb service
that isn't starting:

>>   [22/22]: starting CIFS services
>> ipa         : DEBUG    Starting external process
>> ipa         : DEBUG    args='/bin/systemctl' 'start' 'smb.service'
>> ipa         : DEBUG    Process finished, return code=1
>> ipa         : DEBUG    stdout=
>> ipa         : DEBUG    stderr=Job for smb.service failed because the
control process exited with error code. See "systemctl status smb.service"
and "journalctl -xe" for details.
>>
>> ipa         : CRITICAL CIFS services failed to start
>> ipa         : DEBUG      duration: 16 seconds
>> ipa         : DEBUG    Done configuring CIFS.

Looking at the samba logs, I see:

>> Jan 27 13:19:48 freeipa01enwdco smbd[18300]: [2016/01/27
13:19:48.482378,  0] ipa_sam.c:4208(bind_callback_cleanup)
>> Jan 27 13:19:48 freeipa01enwdco smbd[18300]:   kerberos error:
code=-1765328203, message=Keytab contains no suitable keys for cifs/
freeipaserver at MY.SUB.DOMAIN.COM
>> Jan 27 13:19:49 freeipa01enwdco smbd[18300]: [2016/01/27
13:19:49.482818,  0] ipa_sam.c:4520(pdb_init_ipasam)
>> Jan 27 13:19:49 freeipa01enwdco smbd[18300]:   Failed to get base DN.
>> Jan 27 13:19:49 freeipa01enwdco smbd[18300]: [2016/01/27
13:19:49.482909,  0]
../source3/passdb/pdb_interface.c:179(make_pdb_method_name)
>> Jan 27 13:19:49 freeipa01enwdco smbd[18300]:   pdb backend
ipasam:ldapi://%2fvar%2frun%2fslapd-MY-SUB-DOMAIN-COM.socket did not
correctly init (error was NT_STATUS_UNSUCCESSFUL)
>> Jan 27 13:19:49 freeipa01enwdco systemd[1]: smb.service: main process
exited, code=exited, status=1/FAILURE
>> Jan 27 13:19:49 freeipa01enwdco systemd[1]: Failed to start Samba SMB
Daemon.
>> Jan 27 13:19:49 freeipa01enwdco systemd[1]: Unit smb.service entered
failed state.
>> Jan 27 13:19:49 freeipa01enwdco systemd[1]: smb.service failed.


I tried following the trust debugging instructions here:
http://www.freeipa.org/page/Active_Directory_trust_setup#Debugging_trust

But it fails on the step `systemctl start smb winbind`

>> # systemctl stop smb winbind
>> # net conf setparm global 'log level' 100
>> # nano /usr/share/ipa/smb.conf.empty
>> # rm /var/log/samba/log.*
>> # systemctl start smb winbind
>> Job for smb.service failed because the control process exited with error
code. See "systemctl status smb.service" and "journalctl -xe" for details.

Which produces the exact same error listed above.


In /var/log/samba/log.smbd I see what appears to be a stack trace; I see
the same exact error as above, as well as the error about the socket not
initializing correctly:

>> [2016/01/27 13:26:21.606257,  0, pid=18344, effective(0, 0), real(0, 0)]
ipa_sam.c:4208(bind_callback_cleanup)
  kerberos error: code=-1765328203, message=Keytab contains no suitable
keys for cifs/freeipaserver at MY.SUB.DOMAIN.COM
>> [2016/01/27 13:26:21.606422,  2, pid=18344, effective(0, 0), real(0, 0)]
../source3/lib/smbldap.c:998(smbldap_connect_system)
  failed to bind to server
ldapi://%2fvar%2frun%2fslapd-MY-SUB-DOMAIN-COM.socket with dn="[Anonymous
bind]" Error: Local error
        (unknown)
>> [2016/01/27 13:26:22.606842,  0, pid=18344, effective(0, 0), real(0, 0),
class=passdb] ../source3/passdb/pdb_interface.c:179(make_pdb_method_name)
  pdb backend ipasam:ldapi://%2fvar%2frun%2fslapd-MY-SUB-DOMAIN-COM.socket
did not correctly init (error was NT_STATUS_UNSUCCESSFUL)

So I think the problem is more fundamental than trusts as samba won't even
start.

Is there any documentation or does anyone have some good tricks for
troubleshooting samba?

Thanks,
Jon A

On Wed, Jan 20, 2016 at 4:57 AM, Alexander Bokovoy <abokovoy at redhat.com>
wrote:

> On Wed, 20 Jan 2016, Anon Lister wrote:
>
>> So I had the same problem. For me it ended up being that some attribute
>> was
>> not created correctly in 389 using the instructions in the guide. I don't
>> remember what it was off the top of my head. Something about a default
>> user
>> or group SID I think. Had to turn samba logging up. Eventually it shows
>> the
>> attribute it is failing on. I ended up manually adding it with vildap and
>> it worked fine after that. If noone else gets it I'll poke around and see
>> if I can find what it was, took me several hours to debug due to the
>> somewhat misleading error message.
>>
> The message is the only thing we get from Samba Python libraries, so it
> is as good as what we get.
>
> Use
> http://www.freeipa.org/page/Active_Directory_trust_setup#Debugging_trust
> to produce debug output needed to find out where things happened.
>
> If your setup lacks 'Default SMB Group' group with a SID
> (ipaNTSecurityIdentifier attribute), run ipa-adtrust-install --add-sids.
>
> ipa-adtrust-install can be re-run several times to fix missing parts. It
> skips steps which were already done and only performs those that are
> really needed.
>
> However, if your base IPA deployment does not work, like in Jon's
> case, there is little reason to run any of ipa-adtrust-install or other
> trust-related functions.
>
> Additionally, DNS should be configured properly. ipa-adtrust-install
> either automatically updates IPA DNS (if IPA manages the DNS zone) or
> produces a list of entries that should be added to the DNS zone by whoever
> manages it. This should not be overlooked -- when Active Directory
> domain controller tries to validate the trust, it uses DNS SRV records
> to find out IPA domain controllers ('trust controllers' in IPA speak,
> the ones where ipa-adtrust-install was run) and only considers those
> that are available via SRV records. If AD DC cannot find IPA DC via SRV
> record, trust cannot be validated.
>
> On Jan 19, 2016 1:37 PM, "Jon" <three18ti at gmail.com> wrote:
>>
>> Hello,
>>>
>>> While following the guide on setting up FreeIPA with AD
>>> <http://www.freeipa.org/page/Active_Directory_trust_setup>, I got to the
>>>
>>> step where I'm adding the AD trust to FreeIPA but I receive an error:
>>>
>>>   >> Active Directory domain administrator's password:
>>>   >> ipa: ERROR: CIFS server communication error: code "-1073741801",
>>>   >>                 message "Memory allocation error" (both may be
>>> "None")
>>>
>>> Thinking that the error was what was stated (my VM at the time only had
>>> 1GB of RAM), I shut down my VM (memory hot add was not enabled in VMware,
>>> it is now), bumped the RAM to 4GB, and booted the VM.
>>>
>>> Upon running the same command after reboot I received an error:
>>>
>>>   >> ipa: ERROR: did not receive Kerberos credentials
>>>
>>> kinit admin is also reporting an error:
>>>
>>>   >>  kinit: Cannot contact any KDC for realm 'myrealm'  while getting
>>> initial credentials
>>>
>>> trying to start FreeIPA in debug mode identified the samba service as at
>>> fault.
>>>
>>>   >> Jan 19 10:19:50 myfreeipaserver smbd[3676]:   kerberos error:
>>> code=-1765328203, message=Keytab contains no suitable keys for cifs/
>>> myfreeipaserver at SUB.DOMAIN.MYDOMAIN.COM
>>>   >> Jan 19 10:19:51 myfreeipaserver smbd[3676]: [2016/01/19
>>> 10:19:51.261648,  0] ipa_sam.c:4520(pdb_init_ipasam)
>>>   >> Jan 19 10:19:51 myfreeipaserver smbd[3676]:   Failed to get base DN.
>>>   >> Jan 19 10:19:51 myfreeipaserver smbd[3676]: [2016/01/19
>>> 10:19:51.262675,  0]
>>> ../source3/passdb/pdb_interface.c:179(make_pdb_method_name)
>>>   >> Jan 19 10:19:51 myfreeipaserver smbd[3676]:   pdb backend
>>> ipasam:ldapi://%2fvar%2frun%2fslapd-SUB-DOMAIN-MYDOMAIN-COM.socket did
>>> not
>>> correctly init (error was NT_STATUS_UNSUCCESSFUL)
>>>
>>> Googling for these errors turned up a few similar threads but none of the
>>> solutions seemed to work and all signs pointed to AD integration as the
>>> culprit...
>>>
>>> So I did what any good sysadmin would do and forced freeipa to start
>>> while
>>> ignoring any failures.  Every service except samba starts without issue.
>>>
>>> So I tried my trust connection again, and received the same error,
>>>
>>>   >> Active Directory domain administrator's password:
>>>   >> ipa: ERROR: CIFS server communication error: code "-1073741801",
>>>   >>                 message "Memory allocation error" (both may be
>>> "None")
>>>
>>> Which brought me to googling two bug reports opened on this exact issue:
>>>
>>> >> https://bugzilla.redhat.com/show_bug.cgi?id=878168
>>> >> https://fedorahosted.org/freeipa/ticket/3266
>>>
>>> Both of these bug reports indicate there's an upstream bug in Samba, the
>>> bug has been closed and reopened at least once.  I did add the AD servers
>>> to /etc/hosts and rebooted the server.  I have to go through the same
>>> process of forcing freeipa to start after the server rebooted...
>>> However, I
>>> received the same error message.
>>>
>>> While the bug report is currently closed, I seem to be experiencing the
>>> same issues...
>>>
>>> Given this bug report, can you please answer me these questions three:
>>>
>>> 1)  Given the issues with Samba starting after reboot, is this bug report
>>> actually what's wrong or is the error message when trying to create a
>>> trust
>>> a red herring and it's actually samba that's the problem?
>>> 2)  Does this bug report mean that trusts between FreeIPA and AD are
>>> broken and can not be established until the upstream bug in Samba is
>>> fixed?
>>> 3)  Is there a workaround?  (as adding the domain controllers to
>>> /etc/hosts with IPv4 address does not appear to work)
>>>
>>> System Stats:
>>> - AD Server:  Win2k8R2
>>> - FreeIPA server:
>>>
>>> >> CentOS Linux release 7.2.1511 (Core)
>>>
>>>
>>> >> # uname -a
>>> >> Linux myserver 3.10.0-327.4.4.el7.x86_64 #1 SMP Tue Jan 5 16:07:00 UTC
>>> 2016 x86_64 x86_64 x86_64 GNU/Linux
>>>
>>> >> # rpm -qa | grep ipa
>>> >> python-libipa_hbac-1.13.0-40.el7_2.1.x86_64
>>> >> ipa-server-4.2.0-15.el7.centos.3.x86_64
>>> >> ipa-server-dns-4.2.0-15.el7.centos.3.x86_64
>>> >> python-iniparse-0.4-9.el7.noarch
>>> >> libipa_hbac-1.13.0-40.el7_2.1.x86_64
>>> >> sssd-ipa-1.13.0-40.el7_2.1.x86_64
>>> >> ipa-python-4.2.0-15.el7.centos.3.x86_64
>>> >> ipa-client-4.2.0-15.el7.centos.3.x86_64
>>> >> ipa-server-trust-ad-4.2.0-15.el7.centos.3.x86_64
>>> >> ipa-admintools-4.2.0-15.el7.centos.3.x86_64
>>>
>>>
>>> I appreciate any help.  I've been trying to get FreeIPA going for a
>>> couple
>>> of weeks now and have run into nothing but frustrations.  The funny thing
>>> is, I've never had a problem deploying FreeIPA by itself...  Microsoft
>>> seems to be the common denominator in my hair pulling lately...
>>> Correlation
>>> does not equal causation... but it sure is a coincidence...  :)
>>>
>>> Thanks for your time!
>>>
>>> Best Regards,
>>> Jon A
>>>
>>>
>>> --
>>> Manage your subscription for the Freeipa-users mailing list:
>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>> Go to http://freeipa.org for more info on the project
>>>
>>>
>
>
> --
> / Alexander Bokovoy
>
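Editor's note on the smbd errors quoted in this thread, with an added example. The sequence "kerberos error: code=-1765328203 ... Keytab contains no suitable keys for cifs/<host>@REALM", then "failed to bind to server ldapi://...", then "pdb backend ipasam ... did not correctly init" is one failure, not three: smbd's ipasam passdb backend authenticates to the local 389 DS over the ldapi socket with the cifs/<fqdn> service key (ipa-adtrust-install puts it in /etc/samba/samba.keytab), and -1765328203 is Kerberos's KRB5_KT_NOTFOUND. With no usable key in that keytab the LDAP bind fails, the passdb never initialises, and smbd exits; the memory-allocation error from `ipa trust-add` is only what the IPA side sees when it cannot talk to a CIFS server. So the keytab is the first thing to verify, before trust debugging. The script below is an added example, not code from this thread or from the FreeIPA project. It assumes MIT Kerberos tools (klist, kvno, kinit), the IPA default keytab path /etc/samba/samba.keytab, that `hostname -f` and `hostname -d` return the host's IPA name and domain, a hypothetical file name samba-keytab-check.sh, and a constructed `klist -kte` listing used only for the offline self-check; the _msdcs SRV names are the ones ipa-adtrust-install publishes, so compare them with the list it prints for your zone.

```shell
#!/bin/sh
# Added example (not from the thread or FreeIPA): diagnose why smbd's ipasam
# backend cannot bind to 389 DS with the cifs/<fqdn> key.  Assumptions: MIT
# Kerberos tools, IPA's default keytab path, hostname -f/-d give the IPA
# host name and domain.  Run with SAMBA_CHECK_LIVE=1 on the trust controller
# as root with an admin ticket; without it, only the offline self-check runs.
set -eu

# --- pure text helpers (work on captured command output, testable offline) ---

# Entries a `klist -kte` listing (stdin) holds for PRINCIPAL, one per line as
# "<kvno> <enctype>"; nothing if the principal is absent.  MIT `klist -t`
# prints "KVNO DATE TIME PRINCIPAL (ENCTYPE)", so field 4 is the principal;
# without -t the layout differs, so always capture with -kte.
keytab_entries() {
    awk -v p="$1" '$4 == p { gsub(/[()]/, "", $5); print $1, $5 }'
}

# Exit 0 if the listing on stdin has any key for PRINCIPAL, else 1.  This is
# the check that fails when smbd logs error -1765328203 (KRB5_KT_NOTFOUND,
# "Keytab contains no suitable keys for cifs/...").
keytab_has_principal() {
    [ -n "$(keytab_entries "$1")" ]
}

# Highest KVNO in the listing on stdin for PRINCIPAL (empty if none).
keytab_max_kvno() {
    keytab_entries "$1" | awk 'NR == 1 || $1 + 0 > m { m = $1 + 0 } END { if (NR) print m }'
}

# Exit 0 if the keytab's highest KVNO for PRINCIPAL equals what the KDC
# reports.  KDC_OUT is the output of `kvno PRINCIPAL`, e.g.
# "cifs/host@REALM: kvno = 2".  A mismatch means the keytab is stale: a key
# re-issued with ipa-getkeytab gets a new KVNO, and a keytab that only holds
# the old version can no longer authenticate.
kvno_matches() {
    have=$(keytab_max_kvno "$1")
    want=$(printf '%s\n' "$2" | awk -v p="$1:" '$1 == p { print $NF }')
    [ -n "$have" ] && [ "$have" = "$want" ]
}

# --- live checks on an IPA trust controller (root, with an admin ticket) ---
live_checks() {
    keytab=${SAMBA_KEYTAB:-/etc/samba/samba.keytab}   # assumed IPA default
    fqdn=$(hostname -f); princ="cifs/$fqdn"
    listing=$(klist -kte "$keytab")

    echo "keys for $princ in $keytab:"
    printf '%s\n' "$listing" | keytab_entries "$princ"
    if ! printf '%s\n' "$listing" | keytab_has_principal "$princ"; then
        echo "no key for $princ; re-issue it (this invalidates older copies):" >&2
        echo "  ipa-getkeytab -s $fqdn -p $princ -k $keytab" >&2
        return 1
    fi
    if ! printf '%s\n' "$listing" | kvno_matches "$princ" "$(kvno "$princ")"; then
        echo "KVNO in $keytab differs from the KDC's; the keytab is stale" >&2
        return 1
    fi

    # Prove the key works end to end: obtain a TGT with it into a throwaway cache.
    cc=$(mktemp)
    KRB5CCNAME="FILE:$cc" kinit -kt "$keytab" "$princ"
    kdestroy -c "FILE:$cc"
    echo "kinit with $princ from $keytab succeeded"

    # The other cause raised in the thread: no SID on 'Default SMB Group'.
    ipa group-show 'Default SMB Group' --all --raw | grep -i ipantsecurityidentifier \
        || echo "no ipaNTSecurityIdentifier on 'Default SMB Group'; run ipa-adtrust-install --add-sids" >&2

    # SRV records AD uses to find this trust controller (names as published by
    # ipa-adtrust-install; compare with the list it prints for your zone).
    for rr in _ldap._tcp.dc._msdcs _kerberos._tcp.dc._msdcs; do
        echo "$rr.$(hostname -d): $(dig +short SRV "$rr.$(hostname -d)")"
    done
}

# --- constructed sample (not real output) so the helpers can be exercised ---
SAMPLE_PRINC='cifs/freeipaserver@MY.SUB.DOMAIN.COM'
SAMPLE_LISTING='Keytab name: FILE:/etc/samba/samba.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 01/19/2016 10:19:00 cifs/freeipaserver@MY.SUB.DOMAIN.COM (aes256-cts-hmac-sha1-96)
   2 01/19/2016 10:19:00 cifs/freeipaserver@MY.SUB.DOMAIN.COM (aes128-cts-hmac-sha1-96)'
SAMPLE_KVNO_OUT="$SAMPLE_PRINC: kvno = 2"

demo() {
    echo "offline self-check on the constructed sample listing:"
    printf '%s\n' "$SAMPLE_LISTING" | keytab_entries "$SAMPLE_PRINC"
    if printf '%s\n' "$SAMPLE_LISTING" | kvno_matches "$SAMPLE_PRINC" "$SAMPLE_KVNO_OUT"; then
        echo "keytab KVNO matches the KDC"
    else
        echo "keytab KVNO does not match the KDC"
    fi
}

# SAMBA_CHECK_LIVE=1 ./samba-keytab-check.sh runs the real checks.
if [ "${SAMBA_CHECK_LIVE:-0}" = 1 ]; then live_checks; else demo; fi
```

Order matters: re-keying with ipa-getkeytab is the last resort, because it bumps the KVNO and breaks any other copy of the keytab, so confirm the principal is missing or stale first. Once kinit with the cifs key succeeds, the `net conf setparm global 'log level' 100` procedure from the trust debugging page is the right next step if smb still fails.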