On 24/02/16 17:20, lejeczek wrote:
On 24/02/16 14:22, Sumit Bose wrote:
On Wed, Feb 24, 2016 at 12:45:55PM +0000, lejeczek wrote:
On 24/02/16 11:26, Sumit Bose wrote:
On Wed, Feb 24, 2016 at 11:21:13AM +0000, lejeczek wrote:
Hi everybody,
my first tampering with install gets me:
Feb 24 11:04:22 my.host.fake sssd[be[host.fake]][17425]: Starting up
Feb 24 11:04:22 my.host.fake sssd[be[host.fake]][17425]: Failed to read keytab [default]: Bad address
Feb 24 11:04:22 my.host.fake sssd[17406]: Exiting the SSSD. Could not restart critical service [host.fake].
Feb 24 11:04:22 my.host.fake systemd[1]: sssd.service: control process exited, code=exited status=1
Feb 24 11:04:22 my.host.fake systemd[1]: Failed to start System Security Services Daemon.
Feb 24 11:04:22 my.host.fake systemd[1]: Unit sssd.service entered failed state.
Feb 24 11:04:22 my.host.fake systemd[1]: sssd.service failed.
And just after install process finishes I try:
$ kinit admin
kinit: Improper format of Kerberos configuration file while initializing Kerberos 5 library
I would recommend checking /etc/krb5.conf first. Since the library call
SSSD uses to read the keytab will read /etc/krb5.conf as well, this
might be the reason for the SSSD issue as well.
I said keytab, I meant config, which is below included.
This is the SSSD config file /etc/sssd/sssd.conf, I
really meant
/etc/krb5.conf.
I wonder if it can be one use case where install
script/process does not realize it fails. I did run
install on a virtually identical machine, actually virtual
kvm centos and it worked there, only exception is no sssd
there, not sure about 100% though.
ok, this problem seems to be a valid candidate for bugzilla,
and it should be easy to reproduce, I'd guess you Sumit
might be interested.
How to - just have your sssd already configured to use an
ldap backend for both password & users, have your (open)ldap
run on non-conflicting ports and then try:
$ ipa-server-install -p ${myPass} -a ${myPass} --setup-dns
--no-forwarders
process completes without errors but sssd fails and kerberos
won't work. Suffices to disable ldap & sssd in
authentication pipeline (prior to ipa installer run) and
installer successfully sets up sssd and kerberos works.
That error:
Failed to read keytab [default]: Bad address
was saying a lot, that was default domain in sssd conf which
was set up to ldap, and ipa installer was doing something
with it.
I'm only puzzled nobody stumbled upon it earlier.
What do you think Sumit?
I'm going to dive deeper into ipa to see if it really is
okay now.
Most worryingly when I try to restart dirsrv@ I see this:
[ 762.293817] ns-slapd[8772]: segfault at 8 ip 00007f3186a02b29 sp 00007ffe73055d60 error 4 in libipa_pwd_extop.so[7f31869f1000+2a000]
[ 779.072156] SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
[ 801.098886] ns-slapd[8958]: segfault at 8 ip 00007fe875c5ab29 sp 00007ffc2c6c26e0 error 4 in libipa_pwd_extop.so[7fe875c49000+2a000]
I'm not an expert, it looks pretty regular to me, here krb
config:
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = #
dns_lookup_realm = false
dns_lookup_kdc = true
rdns = false
ticket_lifetime = 24h
forwardable = yes
udp_preference_limit = 0
default_ccache_name = KEYRING:persistent:%{uid}
[realms]
HOST.FAKE = {
kdc = my.host.fake:88
master_kdc = my.host.fake:88
admin_server = my.host.fake:749
default_domain = host.fake
pkinit_anchors = FILE:/etc/ipa/ca.crt
}
# = {
kdc = my.host.fake:88
admin_server = my.host.fake:749
}
[domain_realm]
.host.fake = HOST.FAKE
host.fake = HOST.FAKE
# = #
.# = #
[dbmodules]
HOST.FAKE = {
db_library = ipadb.so
}
bye,
Sumit
HTH
bye,
Sumit
here is keytab server installer created/amended: (one
thing that I'm not
sure is the fact that my new "host.fake" domain is
different from my
previously existing ldap search
"dc=xxx,dc=zzzzzzzz" - if it matters at all? Otherwise
I have no clue.
[domain/host.fake]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = host.fake
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = my.host.fake
chpass_provider = ipa
ipa_server = my.host.fake
ipa_server_mode = True
ldap_tls_cacert = /etc/ipa/ca.crt
[domain/default]
autofs_provider = ldap
cache_credentials = True
krb5_realm = #
ldap_search_base = dc=xxx,dc=zzzzzzzz
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldap://my.host.fake:1389/
ldap_id_use_start_tls = True
ldap_tls_cacertdir = /etc/openldap/cacerts
krb5_server = my.host.fake:88
[sssd]
services = nss, sudo, pam, autofs, ssh
config_file_version = 2
domains = host.fake
[nss]
memcache_timeout = 600
homedir_substring = /home
regards.
--
Manage your subscription for the Freeipa-users mailing
list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
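The thread above turns on two configuration files disagreeing with each other: a krb5.conf that kinit rejects as improperly formatted, and an sssd.conf in which a [domain/default] section exists but is not named in the [sssd] domains list. The following script is an added example, not code from this thread, from FreeIPA or from SSSD. It parses the brace-style krb5.conf syntax and reports structural inconsistencies (unbalanced braces, a default_realm with no [realms] entry, [domain_realm] mappings to an undefined realm), and it checks sssd.conf for domain sections that are defined but not enabled, or enabled but not defined. The sample configuration strings are constructed for the example; realm and host names in them are placeholders.

```python
"""Constructed consistency checks for krb5.conf and sssd.conf (added example)."""
import configparser
import re

SECTION_RE = re.compile(r"^\[(\w+)\]$")


def parse_krb5_conf(text):
    """Parse krb5.conf text into {section: {key: value-or-nested-dict}}.

    Raises ValueError on a key outside any [section], an unmatched brace,
    or a line that is neither 'key = value' nor a brace.
    """
    sections = {}
    section = None
    stack = []  # nested dicts opened by 'name = {' and not yet closed
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":  # profile-format comment lines
            continue
        m = SECTION_RE.match(line)
        if m:
            if stack:
                raise ValueError(f"line {lineno}: section header inside an open brace block")
            section = sections.setdefault(m.group(1), {})
            continue
        if section is None:
            raise ValueError(f"line {lineno}: key outside any [section]")
        if line == "}":
            if not stack:
                raise ValueError(f"line {lineno}: unmatched '}}'")
            stack.pop()
            continue
        if "=" not in line:
            raise ValueError(f"line {lineno}: expected 'key = value'")
        key, value = (part.strip() for part in line.split("=", 1))
        target = stack[-1] if stack else section
        if value == "{":
            block = {}
            target[key] = block
            stack.append(block)
        else:
            target[key] = value
    if stack:
        raise ValueError("unterminated '{' block at end of file")
    return sections


def krb5_conf_is_well_formed(text):
    """True if the file parses, False if the syntax itself is broken."""
    try:
        parse_krb5_conf(text)
        return True
    except ValueError:
        return False


def check_krb5_conf(conf):
    """Return a list of findings (empty list means the sections agree)."""
    findings = []
    realms = conf.get("realms", {})
    default_realm = conf.get("libdefaults", {}).get("default_realm")
    if not default_realm:
        findings.append("libdefaults: default_realm is not set")
    elif default_realm not in realms:
        findings.append(f"libdefaults: default_realm {default_realm} has no [realms] entry")
    for realm, body in realms.items():
        if not isinstance(body, dict):
            findings.append(f"realms: {realm} is not a '{{ ... }}' block")
        elif "kdc" not in body:
            findings.append(f"realms: {realm} defines no kdc")
    for pattern, realm in conf.get("domain_realm", {}).items():
        if realm not in realms:
            findings.append(f"domain_realm: {pattern} maps to undefined realm {realm}")
    return findings


def check_sssd_domains(text):
    """Compare [domain/...] sections with the [sssd] domains list."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.read_string(text)
    listed = {d.strip() for d in cp.get("sssd", "domains", fallback="").split(",") if d.strip()}
    defined = {s.split("/", 1)[1] for s in cp.sections() if s.startswith("domain/")}
    findings = [f"sssd: [domain/{d}] is defined but not listed in domains" for d in sorted(defined - listed)]
    findings += [f"sssd: domains lists {d} but there is no [domain/{d}] section" for d in sorted(listed - defined)]
    return findings


# Constructed sample: default_realm points at a realm that has no [realms] block.
KRB5_CONF_SAMPLE = """\
[libdefaults]
 default_realm = EXAMPLE.TEST
 dns_lookup_kdc = true
[realms]
 HOST.FAKE = {
  kdc = my.host.fake:88
  admin_server = my.host.fake:749
 }
[domain_realm]
 .host.fake = HOST.FAKE
 host.fake = HOST.FAKE
 .example.test = EXAMPLE.TEST
"""

# Constructed sample: [domain/default] exists but only host.fake is enabled.
SSSD_CONF_SAMPLE = """\
[domain/host.fake]
id_provider = ipa
ipa_domain = host.fake

[domain/default]
id_provider = ldap
ldap_uri = ldap://my.host.fake:1389/

[sssd]
services = nss, pam
config_file_version = 2
domains = host.fake
"""

if __name__ == "__main__":
    for finding in check_krb5_conf(parse_krb5_conf(KRB5_CONF_SAMPLE)):
        print("krb5.conf:", finding)
    for finding in check_sssd_domains(SSSD_CONF_SAMPLE):
        print("sssd.conf:", finding)
```

Run against real files by replacing the sample strings with the contents of /etc/krb5.conf and /etc/sssd/sssd.conf; a non-empty findings list is worth resolving before re-running ipa-server-install, since the installer writes its own realm into both files and a stale second domain or a dangling default_realm is exactly what the two errors in this thread look like from the outside.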