[Freeipa-users] ipa-adtrust-install failing at samba restart

Rolf Brusletto rolf at glptrading.com
Tue Jul 26 14:26:09 UTC 2016


I've been following the doc here:
https://www.freeipa.org/page/Active_Directory_trust_setup

To get an AD trust set up for auth of our Windows users and vice versa.

I'm getting to the point of running ipa-adtrust-install and getting the
following:


[root at awse-util1 ~]# ipa-adtrust-install --netbios-name=<NETBIOSNAME>

The log file for this installation can be found in
/var/log/ipaserver-install.log
==============================================================================
This program will setup components needed to establish trust to AD domains
for
the IPA Server.

This includes:
  * Configure Samba
  * Add trust related objects to IPA LDAP server

To accept the default shown in brackets, press the Enter key.

IPA generated smb.conf detected.
Overwrite smb.conf? [no]: yes
Do you want to enable support for trusted domains in Schema Compatibility
plugin?
This will allow clients older than SSSD 1.9 and non-Linux clients to work
with trusted users.

Enable trusted domains support in slapi-nis? [no]: yes

Configuring cross-realm trusts for IPA server requires password for user
'admin'.
This user is a regular system account used for IPA server administration.

admin password:


WARNING: 52 existing users or groups do not have a SID identifier assigned.
Installer can run a task to have ipa-sidgen Directory Server plugin generate
the SID identifier for all these users. Please note, the in case of a high
number of users and groups, the operation might lead to high replication
traffic and performance degradation. Refer to ipa-adtrust-install(1) man
page
for details.

Do you want to run the ipa-sidgen task? [no]: yes

The following operations may take some minutes to complete.
Please wait until the prompt is returned.

Configuring CIFS
  [1/23]: stopping smbd
  [2/23]: creating samba domain object
Samba domain object already exists
  [3/23]: creating samba config registry
  [4/23]: writing samba config file
  [5/23]: adding cifs Kerberos principal
  [6/23]: adding cifs and host Kerberos principals to the adtrust agents
group
  [7/23]: check for cifs services defined on other replicas
  [8/23]: adding cifs principal to S4U2Proxy targets
cifs principal already targeted, nothing to do.
  [9/23]: adding admin(group) SIDs
Admin SID already set, nothing to do
Admin group SID already set, nothing to do
  [10/23]: adding RID bases
RID bases already set, nothing to do
  [11/23]: updating Kerberos config
'dns_lookup_kdc' already set to 'true', nothing to do.
  [12/23]: activating CLDAP plugin
CLDAP plugin already configured, nothing to do
  [13/23]: activating sidgen task
Sidgen task plugin already configured, nothing to do
  [14/23]: configuring smbd to start on boot
  [15/23]: adding special DNS service records
  [16/23]: enabling trusted domains support for older clients via Schema
Compatibility plugin
  [17/23]: restarting Directory Server to take MS PAC and LDAP plugins
changes into account
  [18/23]: adding fallback group
Fallback group already set, nothing to do
  [19/23]: adding Default Trust View
Default Trust View already exists.
  [20/23]: setting SELinux booleans
  [21/23]: enabling oddjobd
  [22/23]: starting CIFS services
ipa         : CRITICAL CIFS services failed to start
  [23/23]: adding SIDs to existing users and groups
ipa         : CRITICAL Failed to load ipa-sidgen-task-run.ldif: Command
''/usr/bin/ldapmodify' '-v' '-f' '/tmp/tmpiM6PLp' '-H'
'ldapi://%2fvar%2frun%2fslapd-GLPTRADING-NET.socket' '-Y' 'EXTERNAL''
returned non-zero exit status 1
Done configuring CIFS.

=============================================================================
Setup complete

You must make sure these network ports are open:
TCP Ports:
  * 138: netbios-dgm
  * 139: netbios-ssn
  * 445: microsoft-ds
UDP Ports:
  * 138: netbios-dgm
  * 139: netbios-ssn
  * 389: (C)LDAP
  * 445: microsoft-ds

=============================================================================


As well, if I run it with the default settings, smbd doesn't start either.

[root at awse-util1 ~]# ipa-adtrust-install --netbios-name=<NETBIOS_NAME>

The log file for this installation can be found in
/var/log/ipaserver-install.log
==============================================================================
This program will setup components needed to establish trust to AD domains
for
the IPA Server.

This includes:
  * Configure Samba
  * Add trust related objects to IPA LDAP server

To accept the default shown in brackets, press the Enter key.

IPA generated smb.conf detected.
Overwrite smb.conf? [no]: yes
Do you want to enable support for trusted domains in Schema Compatibility
plugin?
This will allow clients older than SSSD 1.9 and non-Linux clients to work
with trusted users.

Enable trusted domains support in slapi-nis? [no]:

Configuring cross-realm trusts for IPA server requires password for user
'admin'.
This user is a regular system account used for IPA server administration.

admin password:


WARNING: 52 existing users or groups do not have a SID identifier assigned.
Installer can run a task to have ipa-sidgen Directory Server plugin generate
the SID identifier for all these users. Please note, the in case of a high
number of users and groups, the operation might lead to high replication
traffic and performance degradation. Refer to ipa-adtrust-install(1) man
page
for details.

Do you want to run the ipa-sidgen task? [no]:

The following operations may take some minutes to complete.
Please wait until the prompt is returned.

Configuring CIFS
  [1/21]: stopping smbd
  [2/21]: creating samba domain object
Samba domain object already exists
  [3/21]: creating samba config registry
  [4/21]: writing samba config file
  [5/21]: adding cifs Kerberos principal
  [6/21]: adding cifs and host Kerberos principals to the adtrust agents
group
  [7/21]: check for cifs services defined on other replicas
  [8/21]: adding cifs principal to S4U2Proxy targets
cifs principal already targeted, nothing to do.
  [9/21]: adding admin(group) SIDs
Admin SID already set, nothing to do
Admin group SID already set, nothing to do
  [10/21]: adding RID bases
RID bases already set, nothing to do
  [11/21]: updating Kerberos config
'dns_lookup_kdc' already set to 'true', nothing to do.
  [12/21]: activating CLDAP plugin
CLDAP plugin already configured, nothing to do
  [13/21]: activating sidgen task
Sidgen task plugin already configured, nothing to do
  [14/21]: configuring smbd to start on boot
  [15/21]: adding special DNS service records
  [16/21]: restarting Directory Server to take MS PAC and LDAP plugins
changes into account
  [17/21]: adding fallback group
Fallback group already set, nothing to do
  [18/21]: adding Default Trust View
Default Trust View already exists.
  [19/21]: setting SELinux booleans
  [20/21]: enabling oddjobd
  [21/21]: starting CIFS services
ipa         : CRITICAL CIFS services failed to start
Done configuring CIFS.

=============================================================================
Setup complete

You must make sure these network ports are open:
TCP Ports:
  * 138: netbios-dgm
  * 139: netbios-ssn
  * 445: microsoft-ds
UDP Ports:
  * 138: netbios-dgm
  * 139: netbios-ssn
  * 389: (C)LDAP
  * 445: microsoft-ds

=============================================================================

The hostname is an FQDN.

Packages:

ipa-admintools.x86_64                4.2.0-15.0.1.el7.centos.17 @updates
ipa-client.x86_64                    4.2.0-15.0.1.el7.centos.17 @updates
ipa-python.x86_64                    4.2.0-15.0.1.el7.centos.17 @updates
ipa-server.x86_64                    4.2.0-15.0.1.el7.centos.17 @updates
ipa-server-dns.x86_64                4.2.0-15.0.1.el7.centos.17 @updates
ipa-server-trust-ad.x86_64           4.2.0-15.0.1.el7.centos.17 @updates
libipa_hbac.x86_64                   1.13.0-40.el7_2.9          @updates
python-libipa_hbac.x86_64            1.13.0-40.el7_2.9          @updates
sssd-ipa.x86_64                      1.13.0-40.el7_2.9          @updates



-------------------------------

If I restart smb, I get the following log entries in
/var/log/samba/log.smbd:

[2016/07/22 15:00:17,  0] ../source3/smbd/server.c:1241(main)
  smbd version 4.2.10 started.
  Copyright Andrew Tridgell and the Samba Team 1992-2014
[2016/07/22 15:00:17.486910,  0] ipa_sam.c:3703(ipasam_search_domain_info)
  iapsam_search_domain_info: Got [5] domain info entries, but expected only
1.
[2016/07/22 15:00:17.487212,  0] ipa_sam.c:4558(pdb_init_ipasam)
  pdb_init_ldapsam: WARNING: Could not get domain info, nor add one to the
domain. We cannot work reliably without it.
[2016/07/22 15:00:17.487407,  0]
../source3/passdb/pdb_interface.c:179(make_pdb_method_name)
  pdb backend ipasam:ldapi://%2fvar%2frun%2fslapd-<IPA_DOMAIN>.socket did
not correctly init (error was NT_STATUS_CANT_ACCESS_DOMAIN_INFO)



Does anybody have any ideas here?

Best regards,

Rolf Brusletto
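As an added example (not part of the original post or of FreeIPA/Samba), the following Python parses a log.smbd excerpt like the one above into records, rejoining lines wrapped by the mail client, and flags the two conditions behind the smbd start failure: the ipasam "Got [N] domain info entries, but expected only 1" mismatch and the NT_STATUS code reported by the passdb backend. The sample log is constructed from the excerpt, with a placeholder socket name in place of the real realm.

```python
import re

# Constructed sample modelled on the post's log.smbd excerpt (placeholder socket name);
# it keeps the two mail wraps: the "1." line and the last record's location on its own line.
SAMPLE_LOG = """[2016/07/22 15:00:17,  0] ../source3/smbd/server.c:1241(main)
  smbd version 4.2.10 started.
[2016/07/22 15:00:17.486910,  0] ipa_sam.c:3703(ipasam_search_domain_info)
  iapsam_search_domain_info: Got [5] domain info entries, but expected only
1.
[2016/07/22 15:00:17.487212,  0] ipa_sam.c:4558(pdb_init_ipasam)
  pdb_init_ldapsam: WARNING: Could not get domain info, nor add one to the
domain. We cannot work reliably without it.
[2016/07/22 15:00:17.487407,  0]
../source3/passdb/pdb_interface.c:179(make_pdb_method_name)
  pdb backend ipasam:ldapi://%2fvar%2frun%2fslapd-EXAMPLE-TEST.socket did
not correctly init (error was NT_STATUS_CANT_ACCESS_DOMAIN_INFO)
"""

# Header: "[YYYY/MM/DD HH:MM:SS[.usec],  level] file.c:line(function)"; location may be wrapped off.
HEADER_RE = re.compile(r"^\[(\d{4}/\d{2}/\d{2} [\d:.]+),\s*(\d+)\]\s*(\S*)$")

def parse_smbd_log(text):
    """Split a log.smbd excerpt into records, joining continuation lines into one message."""
    records = []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            records.append({"ts": m.group(1), "level": int(m.group(2)), "loc": m.group(3), "msg": ""})
        elif records:
            r = records[-1]
            if not r["loc"] and not r["msg"] and not line.startswith("  "):
                r["loc"] = line.strip()  # location pushed to its own line by a wrap
            else:
                r["msg"] = (r["msg"] + " " + line.strip()).strip()
    return records

def domain_info_mismatch(records):
    """Return (found, expected) when ipasam saw more than the single expected domain entry."""
    for r in records:
        m = re.search(r"Got \[(\d+)\] domain info entries, but expected only (\d+)", r["msg"])
        if m and m.group(1) != m.group(2):
            return int(m.group(1)), int(m.group(2))
    return None

def pdb_init_failure(records):
    """Return the NT_STATUS code reported when the passdb backend failed to initialise."""
    for r in records:
        if "did not correctly init" in r["msg"]:
            m = re.search(r"(NT_STATUS_[A-Z_]+)", r["msg"])
            return m.group(1) if m else "UNKNOWN"
    return None
```

Running `domain_info_mismatch(parse_smbd_log(SAMPLE_LOG))` on the sample yields `(5, 1)`, i.e. the directory holds five domain-info entries where ipasam tolerates exactly one, which is why the backend then reports NT_STATUS_CANT_ACCESS_DOMAIN_INFO.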
