On Mon, 18 Jan 2016, Simpson Lachlan wrote:
None of the above is revealing an issue.

Follow http://www.port389.org/docs/389ds/FAQ/faq.html#debugging-crashes
to enable crashdumps for ns-slapd to see what happens in reality (check
systemd-enabled systems' recipes).

Here is where things got interesting - I was 20 minutes in before I realised I had no dirsrv core dumps.

New things I learnt while doing this though:

- I have 2.5 GB of core files in /var/log/samba/cores/winbindd? To the best of my knowledge I was using SSSD, I have no idea what winbind is doing there. Can I just delete (yum remove samba-winbind*) it? From the look of it, I'm getting a new winbind core dump every 5 minutes. Could this be stopping samba from running?

smbd and winbindd are required for trust setup but their startup fails
because they cannot talk to LDAP server over LDAPI+GSSAPI. That's why
they coredump, to indicate an issue. However, they are not the issue in
themselves, they are a consequence of your LDAP server not being able to
start.

- /etc/nsswitch.conf is all "files sss" - there's no winbind anywhere.

winbindd has multiple operations and we are using the trust topology part of
it, not identity management.

- while following the instructions to "set ulimit -c unlimited" on system I found things that *really* confused me:

As noted in the original email, this was in the failed list of systemctld:

dir...@unix.co.org.au.service

and it continues to fail this morning. So I tried running

sc start dirsrv.target

and that worked:

[root@vmts-linuxidm samba]# sc status dirsrv.target
● dirsrv.target - 389 Directory Server
  Loaded: loaded (/usr/lib/systemd/system/dirsrv.target; enabled; vendor preset: disabled)
  Active: active since Mon 2016-01-18 09:58:14 AEDT; 1h 20min ago

Jan 18 09:58:14 vmts-linuxidm.unix.co.org.au systemd[1]: Reached target 389 Directory Server.
Jan 18 09:58:14 vmts-linuxidm.unix.co.org.au systemd[1]: Starting 389 Directory Server.



So I stopped it and started dir...@unix.co.org.au just to confirm, and yes it's failing.
After some testing, I discovered that *this* would work:

sc start dirsrv@UNIX-CO-ORG-AU

My syntax was all wrong. (Does anyone know how I can clear out bad syntax from the systemctld output?)

What bad output?
systemctl start dirsrv@INSTANCE
is the correct syntax where INSTANCE is the same for /etc/dirsrv/slapd-INSTANCE or /var/log/dirsrv/slapd-INSTANCE.
The name of instance is produced from the realm by replacing dots with -.

Anyway, I have a running dirsrv, but SMB still fails, and it's failing on winbind first (see notes below). It looks like it's because there's no Kerberos server available. Indeed, kinit admin is still failing. I think that when I ran ipa-adtrust-install I said no to creating sids for local users.

[root@vmts-linuxidm samba]# sc status dirsrv@UNIX-CO-ORG-AU.service
● dirsrv@UNIX-CO-ORG-AU.service - 389 Directory Server UNIX-CO-ORG-AU.
  Loaded: loaded (/usr/lib/systemd/system/dirsrv@.service; enabled; vendor preset: disabled)
  Active: active (running) since Mon 2016-01-18 11:21:25 AEDT; 5min ago
 Process: 11655 ExecStart=/usr/sbin/ns-slapd -D /etc/dirsrv/slapd-%i -i /var/run/dirsrv/slapd-%i.pid -w /var/run/dirsrv/slapd-%i.startpid (code=exited, status=0/SUCCESS)
Main PID: 11656 (ns-slapd)
  CGroup: /system.slice/system-dirsrv.slice/dirsrv@UNIX-CO-ORG-AU.service
          └─11656 /usr/sbin/ns-slapd -D /etc/dirsrv/slapd-UNIX-CO-ORG-AU -i /var/run/dirsrv/slapd-UNIX-CO-OR...

Jan 18 11:21:25 vmts-linuxidm.unix.co.org.au ns-slapd[11655]: [18/Jan/2016:11:21:25 +1100] - SSL alert:         ...led
Jan 18 11:21:25 vmts-linuxidm.unix.co.org.au ns-slapd[11655]: [18/Jan/2016:11:21:25 +1100] - SSL alert:         ...led
Jan 18 11:21:25 vmts-linuxidm.unix.co.org.au ns-slapd[11655]: [18/Jan/2016:11:21:25 +1100] - SSL alert:         ...led
Jan 18 11:21:25 vmts-linuxidm.unix.co.org.au ns-slapd[11655]: [18/Jan/2016:11:21:25 +1100] - SSL alert:         ...led
Jan 18 11:21:25 vmts-linuxidm.unix.co.org.au ns-slapd[11655]: [18/Jan/2016:11:21:25 +1100] - SSL alert:         ...led
Jan 18 11:21:25 vmts-linuxidm.unix.co.org.au ns-slapd[11655]: [18/Jan/2016:11:21:25 +1100] - SSL alert:         ...led
Jan 18 11:21:25 vmts-linuxidm.unix.co.org.au ns-slapd[11655]: [18/Jan/2016:11:21:25 +1100] SSL Initialization - ...1.2
Jan 18 11:25:06 vmts-linuxidm.unix.co.org.au ns-slapd[11656]: GSSAPI server step 1
Jan 18 11:25:06 vmts-linuxidm.unix.co.org.au ns-slapd[11656]: GSSAPI server step 2
Jan 18 11:25:06 vmts-linuxidm.unix.co.org.au ns-slapd[11656]: GSSAPI server step 3

So, start KDC.

You can at this point simply try 'ipactl restart' -- it will attempt to
shut down and restart all required IPA services, including KDC.

--
/ Alexander Bokovoy

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
