[Freeipa-users] Fwd: Creating Trusts with AD - (RH#878168, FIPA#3266)

Alexander Bokovoy abokovoy at redhat.com
Wed Jan 27 20:44:00 UTC 2016


On Wed, 27 Jan 2016, Jon wrote:
>Hello,
>
>Thanks for your feedback.
>
>So I reran `ipa-adtrust-install` and got a core dump from samba that there
>was no space left on the device...?
>
>A little digging showed that /var/log had filled up with files named
>"core.XXXXX" in /var/log/samba/cores/winbindd.  So I removed all of them
>and reran `ipa-adtrust-install --add-sids` which continues to fail on
>starting CIFS services.  Debug information shows that it's the smb service
>that isn't starting:
>
>>>   [22/22]: starting CIFS services
>>> ipa         : DEBUG    Starting external process
>>> ipa         : DEBUG    args='/bin/systemctl' 'start' 'smb.service'
>>> ipa         : DEBUG    Process finished, return code=1
>>> ipa         : DEBUG    stdout=
>>> ipa         : DEBUG    stderr=Job for smb.service failed because the
>control process exited with error code. See "systemctl status smb.service"
>and "journalctl -xe" for details.
>>>
>>> ipa         : CRITICAL CIFS services failed to start
>>> ipa         : DEBUG      duration: 16 seconds
>>> ipa         : DEBUG    Done configuring CIFS.
>
>Looking at the samba logs, I see:
>
>>> Jan 27 13:19:48 freeipa01enwdco smbd[18300]: [2016/01/27
>13:19:48.482378,  0] ipa_sam.c:4208(bind_callback_cleanup)
>>> Jan 27 13:19:48 freeipa01enwdco smbd[18300]:   kerberos error:
>code=-1765328203, message=Keytab contains no suitable keys for cifs/
>freeipaserver at MY.SUB.DOMAIN.COM
^ Is this the real name for the server? E.g., it is a non-fully-qualified
one here? What does your `hostname` command show?

>>> Jan 27 13:19:49 freeipa01enwdco smbd[18300]: [2016/01/27
>13:19:49.482818,  0] ipa_sam.c:4520(pdb_init_ipasam)
>>> Jan 27 13:19:49 freeipa01enwdco smbd[18300]:   Failed to get base DN.
>>> Jan 27 13:19:49 freeipa01enwdco smbd[18300]: [2016/01/27
>13:19:49.482909,  0]
>../source3/passdb/pdb_interface.c:179(make_pdb_method_name)
>>> Jan 27 13:19:49 freeipa01enwdco smbd[18300]:   pdb backend
>ipasam:ldapi://%2fvar%2frun%2fslapd-MY-SUB-DOMAIN-COM.socket did not
>correctly init (error was NT_STATUS_UNSUCCESSFUL)
>>> Jan 27 13:19:49 freeipa01enwdco systemd[1]: smb.service: main process
>exited, code=exited, status=1/FAILURE
>>> Jan 27 13:19:49 freeipa01enwdco systemd[1]: Failed to start Samba SMB
>Daemon.
>>> Jan 27 13:19:49 freeipa01enwdco systemd[1]: Unit smb.service entered
>failed state.
>>> Jan 27 13:19:49 freeipa01enwdco systemd[1]: smb.service failed.
>
>
>I tried following the trust debugging instructions here:
>http://www.freeipa.org/page/Active_Directory_trust_setup#Debugging_trust
>
>But it fails on the step `systemctl start smb winbind`
>
>>> # systemctl stop smb winbind
>>> # net conf setparm global 'log level' 100
>>> # nano /usr/share/ipa/smb.conf.empty
>>> # rm /var/log/samba/log.*
>>> # systemctl start smb winbind
>>> Job for smb.service failed because the control process exited with error
>code. See "systemctl status smb.service" and "journalctl -xe" for details.
>
>Which produces the exact same error listed above.
>
>
>In /var/log/samba/log.smbd I see what appears to be a stack trace; I see
>the same exact error as above, as well as the error about the socket not
>initing correctly:
>
>>> [2016/01/27 13:26:21.606257,  0, pid=18344, effective(0, 0), real(0, 0)]
>ipa_sam.c:4208(bind_callback_cleanup)
>  kerberos error: code=-1765328203, message=Keytab contains no suitable
>keys for cifs/freeipaserver at MY.SUB.DOMAIN.COM
>>> [2016/01/27 13:26:21.606422,  2, pid=18344, effective(0, 0), real(0, 0)]
>../source3/lib/smbldap.c:998(smbldap_connect_system)
>  failed to bind to server
>ldapi://%2fvar%2frun%2fslapd-MY-SUB-DOMAIN-COM.socket with dn="[Anonymous
>bind]" Error: Local error
>        (unknown)
>>> [2016/01/27 13:26:22.606842,  0, pid=18344, effective(0, 0), real(0, 0),
>class=passdb] ../source3/passdb/pdb_interface.c:179(make_pdb_method_name)
>  pdb backend ipasam:ldapi://%2fvar%2frun%2fslapd-MY-SUB-DOMAIN-COM.socket
>did not correctly init (error was NT_STATUS_UNSUCCESSFUL)
>
>So I think the problem is more fundamental than trusts as samba won't even
>start.
>
>Is there any documentation or does anyone have some good tricks for
>troubleshooting samba?
>
>Thanks,
>Jon A
>
>On Wed, Jan 20, 2016 at 4:57 AM, Alexander Bokovoy <abokovoy at redhat.com>
>wrote:
>
>> On Wed, 20 Jan 2016, Anon Lister wrote:
>>
>>> So I had the same problem. For me it ended up being that some attribute
>>> was not created correctly in 389 using the instructions in the guide. I
>>> don't remember what it was off the top of my head. Something about a
>>> default user or group SID I think. Had to turn samba logging up.
>>> Eventually it shows the attribute it is failing on. I ended up manually
>>> adding it with vildap and it worked fine after that. If no one else gets
>>> it I'll poke around and see if I can find what it was, took me several
>>> hours to debug due to the somewhat misleading error message.
>>>
>> The message is the only thing we get from Samba Python libraries, so it
>> is as good as what we get.
>>
>> Use
>> http://www.freeipa.org/page/Active_Directory_trust_setup#Debugging_trust
>> to produce debug output needed to find out where things happened.
>>
>> If your setup lacks 'Default SMB Group' group with a SID
>> (ipaNTSecurityIdentifier attribute), run ipa-adtrust-install --add-sids.
>>
>> ipa-adtrust-install can be re-run several times to fix missing parts. It
>> skips steps which were already done and only performs those that are
>> really needed.
>>
>> However, if your base IPA deployment does not work, like in Jon's
>> case, there is little reason to run any of ipa-adtrust-install or other
>> trust-related functions.
>>
>> Additionally, DNS should be configured properly. ipa-adtrust-install
>> either automatically updates IPA DNS (if IPA manages the DNS zone) or
>> produces a list of entries that should be added to the DNS zone by whoever
>> manages it. This should not be overlooked -- when the Active Directory
>> domain controller tries to validate the trust, it uses DNS SRV records
>> to find out IPA domain controllers ('trust controllers' in IPA speak,
>> the ones where ipa-adtrust-install was run) and only considers those
>> that are available via SRV records. If the AD DC cannot find an IPA DC via
>> an SRV record, the trust cannot be validated.
>>
>> On Jan 19, 2016 1:37 PM, "Jon" <three18ti at gmail.com> wrote:
>>>
>>>> Hello,
>>>>
>>>> While following the guide on setting up FreeIPA with AD
>>>> <http://www.freeipa.org/page/Active_Directory_trust_setup>, I got to the
>>>> step where I'm adding the AD trust to FreeIPA but I receive an error:
>>>>
>>>>   >> Active Directory domain administrator's password:
>>>>   >> ipa: ERROR: CIFS server communication error: code "-1073741801",
>>>>   >>                 message "Memory allocation error" (both may be "None")
>>>>
>>>> Thinking that the error was what was stated (my VM at the time only had
>>>> 1GB of ram), I shutdown my VM (memory hot add was not enabled in VMware,
>>>> it is now), bumped the RAM to 4GB, and booted the VM.
>>>>
>>>> Upon running the same command after reboot I received an error:
>>>>
>>>>   >> ipa: ERROR: did not receive Kerberos credentials
>>>>
>>>> kinit admin is also reporting an error:
>>>>
>>>>   >>  kinit: Cannot contact any KDC for realm 'myrealm'  while getting
>>>> initial credentials
>>>>
>>>> Trying to start FreeIPA in debug mode identified the samba service as at
>>>> fault.
>>>>
>>>>   >> Jan 19 10:19:50 myfreeipaserver smbd[3676]:   kerberos error:
>>>> code=-1765328203, message=Keytab contains no suitable keys for cifs/
>>>> myfreeipaserver at SUB.DOMAIN.MYDOMAIN.COM
>>>>   >> Jan 19 10:19:51 myfreeipaserver smbd[3676]: [2016/01/19
>>>> 10:19:51.261648,  0] ipa_sam.c:4520(pdb_init_ipasam)
>>>>   >> Jan 19 10:19:51 myfreeipaserver smbd[3676]:   Failed to get base DN.
>>>>   >> Jan 19 10:19:51 myfreeipaserver smbd[3676]: [2016/01/19
>>>> 10:19:51.262675,  0]
>>>> ../source3/passdb/pdb_interface.c:179(make_pdb_method_name)
>>>>   >> Jan 19 10:19:51 myfreeipaserver smbd[3676]:   pdb backend
>>>> ipasam:ldapi://%2fvar%2frun%2fslapd-SUB-DOMAIN-MYDOMAIN-COM.socket did
>>>> not correctly init (error was NT_STATUS_UNSUCCESSFUL)
>>>>
>>>> Googling for these errors turned up a few similar threads but none of the
>>>> solutions seemed to work and all signs pointed to AD integration as the
>>>> culprit...
>>>>
>>>> So I did what any good sysadmin would do and forced freeipa to start
>>>> while ignoring any failures.  Every service except samba starts without
>>>> issue.
>>>>
>>>> So I tried my trust connection again, and received the same error,
>>>>
>>>>   >> Active Directory domain administrator's password:
>>>>   >> ipa: ERROR: CIFS server communication error: code "-1073741801",
>>>>   >>                 message "Memory allocation error" (both may be "None")
>>>>
>>>> Which brought me to googling two bug reports opened on this exact issue:
>>>>
>>>> >> https://bugzilla.redhat.com/show_bug.cgi?id=878168
>>>> >> https://fedorahosted.org/freeipa/ticket/3266
>>>>
>>>> Both of these bug reports indicate there's an upstream bug in Samba, the
>>>> bug has been closed and reopened at least once.  I did add the AD servers
>>>> to /etc/hosts and rebooted the server.  I have to go through the same
>>>> process of forcing freeipa to start after the server rebooted...
>>>> However, I received the same error message.
>>>>
>>>> While the bug report is currently closed, I seem to be experiencing the
>>>> same issues...
>>>>
>>>> Given this bug report, can you please answer me these questions three:
>>>>
>>>> 1)  Given the issues with Samba starting after reboot, is this bug report
>>>> actually what's wrong, or is the error message when trying to create a
>>>> trust a red herring and it's actually samba that's the problem?
>>>> 2)  Does this bug report mean that trusts between FreeIPA and AD are
>>>> broken and cannot be established until the upstream bug in Samba is
>>>> fixed?
>>>> 3)  Is there a workaround?  (as adding the domain controllers to
>>>> /etc/hosts with an IPv4 address does not appear to work)
>>>>
>>>> System Stats:
>>>> - AD Server:  Win2k8R2
>>>> - FreeIPA server:
>>>>
>>>> >> CentOS Linux release 7.2.1511 (Core)
>>>>
>>>>
>>>> >> # uname -a
>>>> >> Linux myserver 3.10.0-327.4.4.el7.x86_64 #1 SMP Tue Jan 5 16:07:00 UTC
>>>> 2016 x86_64 x86_64 x86_64 GNU/Linux
>>>>
>>>> >> # rpm -qa | grep ipa
>>>> >> python-libipa_hbac-1.13.0-40.el7_2.1.x86_64
>>>> >> ipa-server-4.2.0-15.el7.centos.3.x86_64
>>>> >> ipa-server-dns-4.2.0-15.el7.centos.3.x86_64
>>>> >> python-iniparse-0.4-9.el7.noarch
>>>> >> libipa_hbac-1.13.0-40.el7_2.1.x86_64
>>>> >> sssd-ipa-1.13.0-40.el7_2.1.x86_64
>>>> >> ipa-python-4.2.0-15.el7.centos.3.x86_64
>>>> >> ipa-client-4.2.0-15.el7.centos.3.x86_64
>>>> >> ipa-server-trust-ad-4.2.0-15.el7.centos.3.x86_64
>>>> >> ipa-admintools-4.2.0-15.el7.centos.3.x86_64
>>>>
>>>>
>>>> I appreciate any help.  I've been trying to get FreeIPA going for a
>>>> couple of weeks now and have run into nothing but frustrations.  The
>>>> funny thing is, I've never had a problem deploying FreeIPA by itself...
>>>> Microsoft seems to be the common denominator in my hair pulling lately...
>>>> Correlation does not equal causation... but it sure is a coincidence...  :)
>>>>
>>>> Thanks for your time!
>>>>
>>>> Best Regards,
>>>> Jon A
>>>>
>>>>
>>>> --
>>>> Manage your subscription for the Freeipa-users mailing list:
>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>> Go to http://freeipa.org for more info on the project
>>>>
>>>>
>>
>>
>> --
>> / Alexander Bokovoy
>>



-- 
/ Alexander Bokovoy
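As an added diagnostic for the points raised in this thread, not code from the thread or from FreeIPA: it checks that the server's name is fully qualified, that the Samba keytab holds a cifs/ key for exactly that name (the "Keytab contains no suitable keys" error above), and that the SRV records an AD DC uses to find IPA trust controllers target that host. The keytab path, the `_ldap._tcp.dc._msdcs` record name and the sample outputs are assumptions and constructed data, not values from the thread.

```shell
#!/bin/sh
# Added diagnostic, not from the thread or the FreeIPA project.
# Real use (assumed paths and record name):
#   HOST=$(hostname -f)
#   KLIST_OUT=$(klist -kt /etc/samba/samba.keytab)
#   SRV_OUT=$(dig +short SRV _ldap._tcp.dc._msdcs.my.sub.domain.com)

# 0 when the name is fully qualified (contains a dot), 1 otherwise.
is_fqdn() {
    case "$1" in
        *.*) return 0 ;;
        *)   return 1 ;;
    esac
}

# 0 when klist -kt output ($2) lists a cifs/<host>@<realm> key for host $1.
cifs_key_present() {
    printf '%s\n' "$2" | grep -qF "cifs/$1@"
}

# 0 when a dig +short SRV answer ($2) has host $1 as a target (4th field).
srv_names_host() {
    printf '%s\n' "$2" | awk -v h="$1" \
        '{ sub(/\.$/, "", $4); if ($4 == h) found = 1 } END { exit !found }'
}

# Run all three checks; print one line per failure and return the failure count.
check_trust_controller() {
    host=$1; klist_out=$2; srv_out=$3; bad=0
    is_fqdn "$host" || { echo "hostname is not an FQDN: $host"; bad=$((bad+1)); }
    cifs_key_present "$host" "$klist_out" \
        || { echo "no cifs/$host key in the Samba keytab"; bad=$((bad+1)); }
    srv_names_host "$host" "$srv_out" \
        || { echo "no SRV record targets $host"; bad=$((bad+1)); }
    return $bad
}

# Constructed sample data modelled on the thread; not real output.
SAMPLE_KLIST='Keytab name: FILE:/etc/samba/samba.keytab
KVNO Timestamp         Principal
---- ----------------- -----------------------------------------------------
   2 01/27/16 13:00:00 cifs/freeipa01enwdco.my.sub.domain.com@MY.SUB.DOMAIN.COM'
SAMPLE_SRV='0 100 389 freeipa01enwdco.my.sub.domain.com.'

check_trust_controller freeipa01enwdco.my.sub.domain.com "$SAMPLE_KLIST" "$SAMPLE_SRV" \
    && echo "all trust-controller checks passed"
```

A short hostname such as `freeipa01enwdco` fails all three checks against the same sample data, which is the mismatch the keytab error in the thread points at.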