On Thu, Feb 25, 2016 at 11:58:04AM +0000, lejeczek wrote:
> On 25/02/16 09:32, Sumit Bose wrote:
> >On Thu, Feb 25, 2016 at 09:21:06AM +0000, lejeczek wrote:
> >>On 25/02/16 08:21, Sumit Bose wrote:
> >>>On Wed, Feb 24, 2016 at 05:20:30PM +0000, lejeczek wrote:
> >>>>On 24/02/16 14:22, Sumit Bose wrote:
> >>>>>On Wed, Feb 24, 2016 at 12:45:55PM +0000, lejeczek wrote:
> >>>>>>On 24/02/16 11:26, Sumit Bose wrote:
> >>>>>>>On Wed, Feb 24, 2016 at 11:21:13AM +0000, lejeczek wrote:
> >>>>>>>>hi everybody,
> >>>>>>>>my first tampering with install gets me:
> >>>>>>>>
> >>>>>>>>Feb 24 11:04:22 my.host.fake sssd[be[host.fake]][17425]: Starting up
> >>>>>>>>Feb 24 11:04:22 my.host.fake sssd[be[host.fake]][17425]: Failed to read keytab [default]: Bad address
> >>>>>>>>Feb 24 11:04:22 my.host.fake sssd[17406]: Exiting the SSSD. Could not restart critical service [host.fake].
> >>>>>>>>Feb 24 11:04:22 my.host.fake systemd[1]: sssd.service: control process exited, code=exited status=1
> >>>>>>>>Feb 24 11:04:22 my.host.fake systemd[1]: Failed to start System Security Services Daemon.
> >>>>>>>>Feb 24 11:04:22 my.host.fake systemd[1]: Unit sssd.service entered failed state.
> >>>>>>>>Feb 24 11:04:22 my.host.fake systemd[1]: sssd.service failed.
> >>>>>>>>
> >>>>>>>>And just after install process finishes I try:
> >>>>>>>>$ kinit admin
> >>>>>>>>kinit: Improper format of Kerberos configuration file while initializing Kerberos 5 library
> >>>>>>>I would recommend to check /etc/krb5.conf first. Since the library call
> >>>>>>>SSSD uses to read the keytab will read /etc/krb5.conf as well, this
> >>>>>>>might be the reason for the SSSD issue as well.
> >>>>>>I said keytab, I meant config, which is included below.
> >>>>>This is the SSSD config file /etc/sssd/sssd.conf, I really meant
> >>>>>/etc/krb5.conf.
> >>>>I wonder if it can be one use case where install script/process does not
> >>>>realize it fails. I did run install on a virtually identical machine,
> >>>>actually virtual kvm centos and it worked there, only exception is no sssd
> >>>>there, not sure about 100% though.
> >>>>
> >>>>Most worryingly when I try to restart dirsrv@ I see this:
> >>>>
> >>>>[ 762.293817] ns-slapd[8772]: segfault at 8 ip 00007f3186a02b29 sp 00007ffe73055d60 error 4 in libipa_pwd_extop.so[7f31869f1000+2a000]
> >>>>[ 779.072156] SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
> >>>>[ 801.098886] ns-slapd[8958]: segfault at 8 ip 00007fe875c5ab29 sp 00007ffc2c6c26e0 error 4 in libipa_pwd_extop.so[7fe875c49000+2a000]
> >>>>
> >>>>I'm not an expert, it looks pretty regular to me, here krb config:
> >>>unfortunately it is broken, nearly every line with a '#' is wrong and
> >>>causes libkrb5 to fail parsing the file. I think this is caused by an
> >>>issue with authconfig
> >>>(https://bugzilla.redhat.com/show_bug.cgi?id=1184639). Please try to
> >>>upgrade to authconfig-6.2.8-10.el7 or higher. Nevertheless I think
> >>>neither authconfig nor ipa-client-install will be able to fix the broken
> >>>file completely and you have to delete the following lines manually.
> >>yes, indeed it seems that when I used authconfig (not tui) to disable ldap &
> >>sssd, configs were cleared of the # char. I cannot only be sure 100% as I had a
> >>look at configs after ipa install.
> >>But I'll also say it would be nice to have kerberos smart and able to digest
> >>these special cases, handle these chars regardless, no?
> >no, because it is not about the '#' character, this is handled properly
> >as a comment. This means there is a dangling '}' because the '{' was
> >commented out before. The other '#' seems to do no harm but I suggested
> >to remove them to be on the safe side.
> >
> >bye,
> >Sumit
> thanks Sumit, should I make it a bug report?
no, I think the authconfig ticket is sufficient here.

bye,
Sumit

>
> >
> >>>>[logging]
> >>>> default = FILE:/var/log/krb5libs.log
> >>>> kdc = FILE:/var/log/krb5kdc.log
> >>>> admin_server = FILE:/var/log/kadmind.log
> >>>>
> >>>>[libdefaults]
> >>>> default_realm = #
> >>> ^^^ delete ^^^
> >>>> dns_lookup_realm = false
> >>>> dns_lookup_kdc = true
> >>>> rdns = false
> >>>> ticket_lifetime = 24h
> >>>> forwardable = yes
> >>>> udp_preference_limit = 0
> >>>> default_ccache_name = KEYRING:persistent:%{uid}
> >>>>
> >>>>[realms]
> >>>> HOST.FAKE = {
> >>>> kdc = my.host.fake:88
> >>>> master_kdc = my.host.fake:88
> >>>> admin_server = my.host.fake:749
> >>>> default_domain = host.fake
> >>>> pkinit_anchors = FILE:/etc/ipa/ca.crt
> >>>>}
> >>>>
> >>>> # = {
> >>> ^^^ delete ^^^
> >>>> kdc = my.host.fake:88
> >>> ^^^ delete ^^^
> >>>> admin_server = my.host.fake:749
> >>> ^^^ delete ^^^
> >>>> }
> >>> ^^^ delete ^^^
> >>>>[domain_realm]
> >>>> .host.fake = HOST.FAKE
> >>>> host.fake = HOST.FAKE
> >>>>
> >>>> # = #
> >>> ^^^ delete ^^^
> >>>> .# = #
> >>> ^^^ delete ^^^
> >>>>[dbmodules]
> >>>> HOST.FAKE = {
> >>>> db_library = ipadb.so
> >>>> }
> >>>>
> >>>bye,
> >>>Sumit
> >>>
> >>>>>bye,
> >>>>>Sumit
> >>>>>
> >>>>>>>HTH
> >>>>>>>
> >>>>>>>bye,
> >>>>>>>Sumit
> >>>>>>>
> >>>>>>>>here is keytab server installer created/amended: (one thing that I'm not
> >>>>>>>>sure is the fact that my new "host.fake" domain is different from my
> >>>>>>>>previously existing ldap search
> >>>>>>>>"dc=xxx,dc=zzzzzzzz" - if it matters at all? Otherwise I have no clue.
> >>>>>>>>
> >>>>>>>>[domain/host.fake]
> >>>>>>>>
> >>>>>>>>cache_credentials = True
> >>>>>>>>krb5_store_password_if_offline = True
> >>>>>>>>ipa_domain = host.fake
> >>>>>>>>id_provider = ipa
> >>>>>>>>auth_provider = ipa
> >>>>>>>>access_provider = ipa
> >>>>>>>>ipa_hostname = my.host.fake
> >>>>>>>>chpass_provider = ipa
> >>>>>>>>ipa_server = my.host.fake
> >>>>>>>>ipa_server_mode = True
> >>>>>>>>ldap_tls_cacert = /etc/ipa/ca.crt
> >>>>>>>>[domain/default]
> >>>>>>>>autofs_provider = ldap
> >>>>>>>>cache_credentials = True
> >>>>>>>>krb5_realm = #
> >>>>>>>>ldap_search_base = dc=xxx,dc=zzzzzzzz
> >>>>>>>>id_provider = ldap
> >>>>>>>>auth_provider = ldap
> >>>>>>>>chpass_provider = ldap
> >>>>>>>>ldap_uri = ldap://my.host.fake:1389/
> >>>>>>>>ldap_id_use_start_tls = True
> >>>>>>>>ldap_tls_cacertdir = /etc/openldap/cacerts
> >>>>>>>>
> >>>>>>>>krb5_server = my.host.fake:88
> >>>>>>>>[sssd]
> >>>>>>>>services = nss, sudo, pam, autofs, ssh
> >>>>>>>>config_file_version = 2
> >>>>>>>>
> >>>>>>>>domains = host.fake
> >>>>>>>>
> >>>>>>>>[nss]
> >>>>>>>>memcache_timeout = 600
> >>>>>>>>homedir_substring = /home
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>regards.
> >>>>>>>>
> >>>>>>>>--
> >>>>>>>>Manage your subscription for the Freeipa-users mailing list:
> >>>>>>>>https://www.redhat.com/mailman/listinfo/freeipa-users
> >>>>>>>>Go to http://freeipa.org for more info on the project
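A sanity check for the krb5.conf breakage Sumit describes, added here as an example that is not part of the thread. It does not call libkrb5; it mirrors the profile parser's documented comment rule (a line is a comment only when its first non-blank character is '#' or ';') and reports the dangling '}' and the bare-'#' values on a sample file constructed from the quoted config.

```python
"""Added example, not code from the thread: a sanity check for the krb5.conf
damage discussed above. libkrb5's profile parser treats a line as a comment
only when its first non-blank character is '#' or ';', so ' # = {' vanishes
while its ' }' survives and trips the parser. The checker mirrors that rule
and flags a dangling '}' and relations whose value is a bare '#'. The sample
config is constructed from the broken file quoted in the thread."""
import re

RELATION = re.compile(r"^([^=]+?)\s*=\s*(.*?)$")   # "key = value" lines

BROKEN = """\
[libdefaults]
 default_realm = #
[realms]
 HOST.FAKE = {
  kdc = my.host.fake:88
 }
 # = {
  kdc = my.host.fake:88
 }
[domain_realm]
 .host.fake = HOST.FAKE
 # = #
 .# = #
"""

def check_krb5_conf(text):
    """Return (line_no, problem) tuples; an empty list means the file is clean."""
    findings, depth = [], 0
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;" or line.startswith("["):
            continue                      # blank, comment or section header
        if line == "}":
            if depth == 0:
                findings.append((no, "closing '}' without a matching '{'"))
            else:
                depth -= 1
            continue
        m = RELATION.match(line)
        if not m:
            findings.append((no, "not a 'key = value' relation"))
            continue
        key, value = m.groups()
        if value == "{":
            depth += 1                    # opening a subsection
        elif value in ("", "#"):
            findings.append((no, f"'{key}' has a bare '#' or empty value"))
    if depth:
        findings.append((0, f"{depth} '{{' never closed"))
    return findings
```

Running `check_krb5_conf(open("/etc/krb5.conf").read())` before restarting SSSD surfaces exactly the lines Sumit marked for deletion, without waiting for kinit to fail.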