On 25/02/16 08:21, Sumit Bose wrote:
On Wed, Feb 24, 2016 at 05:20:30PM +0000, lejeczek wrote:
On 24/02/16 14:22, Sumit Bose wrote:
On Wed, Feb 24, 2016 at 12:45:55PM +0000, lejeczek wrote:
On 24/02/16 11:26, Sumit Bose wrote:
On Wed, Feb 24, 2016 at 11:21:13AM +0000, lejeczek wrote:
hi everybody,
my first tampering with install gets me:

Feb 24 11:04:22 my.host.fake sssd[be[host.fake]][17425]: Starting up
Feb 24 11:04:22 my.host.fake sssd[be[host.fake]][17425]: Failed to read keytab [default]: Bad address
Feb 24 11:04:22 my.host.fake sssd[17406]: Exiting the SSSD. Could not restart critical service [host.fake].
Feb 24 11:04:22 my.host.fake systemd[1]: sssd.service: control process exited, code=exited status=1
Feb 24 11:04:22 my.host.fake systemd[1]: Failed to start System Security Services Daemon.
Feb 24 11:04:22 my.host.fake systemd[1]: Unit sssd.service entered failed state.
Feb 24 11:04:22 my.host.fake systemd[1]: sssd.service failed.

And just after install process finishes I try:
$ kinit admin
kinit: Improper format of Kerberos configuration file while initializing Kerberos 5 library
I would recommend checking /etc/krb5.conf first. Since the library call
SSSD uses to read the keytab will read /etc/krb5.conf as well, this
might be the reason for the SSSD issue too.
I said keytab, I meant config, which is included below.
This is the SSSD config file /etc/sssd/sssd.conf, I really meant
/etc/krb5.conf.
I wonder if it can be one use case where the install script/process does not
realize it fails. I did run the install on a virtually identical machine,
actually a virtual kvm centos, and it worked there; the only exception is that
there is no sssd there, not 100% sure though.

Most worryingly when I try to restart dirsrv@ I see this:

[  762.293817] ns-slapd[8772]: segfault at 8 ip 00007f3186a02b29 sp 00007ffe73055d60 error 4 in libipa_pwd_extop.so[7f31869f1000+2a000]
[  779.072156] SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
[  801.098886] ns-slapd[8958]: segfault at 8 ip 00007fe875c5ab29 sp 00007ffc2c6c26e0 error 4 in libipa_pwd_extop.so[7fe875c49000+2a000]

I'm not an expert, it looks pretty regular to me; here is the krb config:
unfortunately it is broken, nearly every line with a '#' is wrong and
causes libkrb5 to fail parsing the file. I think this is caused by an
issue with authconfig
(https://bugzilla.redhat.com/show_bug.cgi?id=1184639). Please try to
upgrade to authconfig-6.2.8-10.el7 or higher. Nevertheless I think
neither authconfig nor ipa-client-install will be able to fix the broken
file completely and you have to delete the following lines manually.
yes, indeed it seems that when I used authconf (not tui) to disable ldap & ssd, the configs were cleared of the # char. I can't be 100% sure, though, as I only had a look at the configs after the ipa install. But I'll also say it would be nice to have kerberos smart and able to digest these special cases, and handle these chars regardless, no?
[logging]
  default = FILE:/var/log/krb5libs.log
  kdc = FILE:/var/log/krb5kdc.log
  admin_server = FILE:/var/log/kadmind.log

[libdefaults]
  default_realm = #
    ^^^ delete ^^^
  dns_lookup_realm = false
  dns_lookup_kdc = true
  rdns = false
  ticket_lifetime = 24h
  forwardable = yes
  udp_preference_limit = 0
  default_ccache_name = KEYRING:persistent:%{uid}

[realms]
  HOST.FAKE = {
   kdc = my.host.fake:88
   master_kdc = my.host.fake:88
   admin_server = my.host.fake:749
   default_domain = host.fake
   pkinit_anchors = FILE:/etc/ipa/ca.crt
}

  # = {
    ^^^ delete ^^^
   kdc = my.host.fake:88
    ^^^ delete ^^^
   admin_server = my.host.fake:749
    ^^^ delete ^^^
  }
    ^^^ delete ^^^
[domain_realm]
  .host.fake = HOST.FAKE
  host.fake = HOST.FAKE

  # = #
    ^^^ delete ^^^
  .# = #
    ^^^ delete ^^^
[dbmodules]
   HOST.FAKE = {
     db_library = ipadb.so
   }

bye,
Sumit

bye,
Sumit

HTH

bye,
Sumit

here is the keytab the server installer created/amended (one thing that I'm not
sure about is the fact that my new "host.fake" domain is different from my
previously existing ldap search "dc=xxx,dc=zzzzzzzz" - if it matters at all?
Otherwise I have no clue.

[domain/host.fake]

cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = host.fake
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = my.host.fake
chpass_provider = ipa
ipa_server = my.host.fake
ipa_server_mode = True
ldap_tls_cacert = /etc/ipa/ca.crt
[domain/default]
autofs_provider = ldap
cache_credentials = True
krb5_realm = #
ldap_search_base = dc=xxx,dc=zzzzzzzz
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldap://my.host.fake:1389/
ldap_id_use_start_tls = True
ldap_tls_cacertdir = /etc/openldap/cacerts

krb5_server = my.host.fake:88
[sssd]
services = nss, sudo, pam, autofs, ssh
config_file_version = 2

domains = host.fake

[nss]
memcache_timeout = 600
homedir_substring = /home


regards.

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
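A checker for the two broken files in this thread, added here as an example; it is not code from the thread, from authconfig, or from any FreeIPA/SSSD tool. It assumes, as I read libkrb5's profile parser, that a line whose first non-blank character is '#' or ';' is a comment, so the stray `# = {` opens no group and the `}` that follows it is left unmatched, which is what makes kinit report "Improper format of Kerberos configuration file". It flags the bare-'#' names and values, the body of the orphaned group and the stray brace, which together are exactly the lines marked "^^^ delete ^^^" above, and it runs on sssd.conf as well, since that is the same section/`name = value` layout without groups. The sample inputs are constructed from the configs posted in the thread.

```python
"""Flag the bare-'#' entries authconfig left in krb5.conf / sssd.conf.

Constructed example for this thread; not code from any FreeIPA, SSSD or
authconfig tool.  The parser model (comments start with '#' or ';', groups
are opened by 'name = {' and closed by '}') follows libkrb5's profile
format as I understand it.
"""
import re
from typing import List, Tuple

# 'name = value'; the value may be '{' (group start).
RELATION = re.compile(r"^([^=]+?)\s*=\s*(.*)$")

# Constructed sample: the /etc/krb5.conf posted above, trimmed, without the
# reviewer's "^^^ delete ^^^" marks.
BROKEN_KRB5_CONF = """\
[libdefaults]
  default_realm = #
  dns_lookup_realm = false
  dns_lookup_kdc = true
  default_ccache_name = KEYRING:persistent:%{uid}

[realms]
  HOST.FAKE = {
   kdc = my.host.fake:88
   master_kdc = my.host.fake:88
   admin_server = my.host.fake:749
   default_domain = host.fake
   pkinit_anchors = FILE:/etc/ipa/ca.crt
}

  # = {
   kdc = my.host.fake:88
   admin_server = my.host.fake:749
  }
[domain_realm]
  .host.fake = HOST.FAKE
  host.fake = HOST.FAKE

  # = #
  .# = #
[dbmodules]
   HOST.FAKE = {
     db_library = ipadb.so
   }
"""

# Constructed sample: the [domain/default] stanza of the posted sssd.conf.
BROKEN_SSSD_CONF = """\
[domain/default]
autofs_provider = ldap
krb5_realm = #
ldap_search_base = dc=xxx,dc=zzzzzzzz
"""


def _bogus_name(name: str) -> bool:
    # A realm or domain name never consists solely of '#' and '.'.
    return bool(name) and set(name) <= set("#.")


def check_conf(text: str) -> List[Tuple[int, str]]:
    """Return (line_number, problem) for every line that must go."""
    findings: List[Tuple[int, str]] = []
    depth = 0       # groups currently open, as the parser counts them
    orphan = False  # inside a group whose '# = {' header the parser ignored
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if line[0] in "#;":
            # A comment to the parser; '# = ...' is a relation whose name
            # was replaced by '#', so report it and remember an open group.
            m = RELATION.match(line)
            if m and _bogus_name(m.group(1).strip()):
                findings.append((n, f"relation named '#': {line!r}"))
                orphan = m.group(2).strip() == "{"
            continue
        if line.startswith("["):
            depth, orphan = 0, False
            continue
        if line == "}":
            if depth:
                depth -= 1
            else:
                findings.append((n, "unmatched '}' (no group is open here)"))
                orphan = False
            continue
        m = RELATION.match(line)
        if not m:
            findings.append((n, f"not a 'name = value' relation: {line!r}"))
            continue
        name, value = m.group(1).strip(), m.group(2).strip()
        if orphan:
            findings.append((n, f"body of a group with a '#' header: {line!r}"))
        elif "#" in name or "#" in value:
            findings.append((n, f"'#' in relation: {name} = {value}"))
        if value == "{":
            depth += 1
    return findings


def broken_lines(text: str) -> List[int]:
    return [n for n, _ in check_conf(text)]


def drop_lines(text: str, numbers: List[int]) -> str:
    """The manual fix from the thread: delete the flagged lines."""
    bad = set(numbers)
    kept = [l for i, l in enumerate(text.splitlines(), 1) if i not in bad]
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    for label, conf in (("krb5.conf", BROKEN_KRB5_CONF), ("sssd.conf", BROKEN_SSSD_CONF)):
        for n, why in check_conf(conf):
            print(f"{label}:{n}: {why}")
```

Run against the real files with `check_conf(open("/etc/krb5.conf").read())` before letting `drop_lines` touch anything, and keep a copy of the original; the checker only reports lines that are unparsable or name a realm as '#', so anything else that looks odd still needs a human eye.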
