Hello, I have fixed the problem myself. As it complained about the 2 records in LDAP, I made a backup of the LDAP database and deleted both records. I ran ipa-adtrust-install again and it created just 1 of them. Then I had another error: "Attribute [ipaNTSecurityIdentifier] not found"; that was because I didn't put the parameter "--add-sids", so I reran ipa-adtrust-install with the parameter and it worked.
Thanks & Regards.

______________________________
From: SOLER SANGUESA Miguel
Sent: Tuesday, April 11, 2017 8:51
To: 'freeipa-users@redhat.com' <freeipa-users@redhat.com>
Subject: Problem starting smb service after ipa-adtrust-install

hello

I'm unable to start smb after executing ipa-adtrust-install.

the execution of ipa-adtrust-install is:

[root@hostname ~]# ipa-adtrust-install --enable-compat --add-agents -d

The log file for this installation can be found in /var/log/ipaserver-install.log
ipa : DEBUG /sbin/ipa-adtrust-install was invoked with options: {'enable_compat': True, 'add_agents': True, 'no_msdcs': False, 'rid_base': 1000, 'secondary_rid_base': 100000000, 'netbios_name': None, 'debug': True, 'add_sids': False, 'unattended': False}
ipa : DEBUG missing options might be asked for interactively later
ipa : DEBUG IPA version 4.4.0-14.el7_3.6
ipa : DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
ipa : DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
==============================================================================
This program will setup components needed to establish trust to AD domains for the IPA Server.

This includes:
* Configure Samba
* Add trust related objects to IPA LDAP server

To accept the default shown in brackets, press the Enter key.

ipa : DEBUG importing all plugin modules in ipaserver.plugins...
...
ipa : DEBUG importing plugin module ipaserver.plugins.hbac
ipa : DEBUG ipaserver.plugins.hbac is not a valid plugin module
...
ipa : DEBUG importing plugin module ipaserver.plugins.otp
ipa : DEBUG ipaserver.plugins.otp is not a valid plugin module
...
ipa : DEBUG importing plugin module ipaserver.plugins.pkinit
ipa : DEBUG ipaserver.plugins.pkinit is not a valid plugin module
...
ipa : DEBUG Starting external process
ipa : DEBUG args=klist -V
ipa : DEBUG Process finished, return code=0
ipa : DEBUG stdout=Kerberos 5 version 1.14.1
ipa : DEBUG stderr=
ipa : DEBUG importing plugin module ipaserver.plugins.rabase
ipa : DEBUG ipaserver.plugins.rabase is not a valid plugin module
...
ipa : DEBUG importing plugin module ipaserver.plugins.sudo
ipa : DEBUG ipaserver.plugins.sudo is not a valid plugin module
...
ipa : DEBUG importing plugin module ipaserver.plugins.virtual
ipa : DEBUG ipaserver.plugins.virtual is not a valid plugin module
ipa : DEBUG importing plugin module ipaserver.plugins.xmlserver
IPA generated smb.conf detected.
Overwrite smb.conf? [no]: yes
Configuring cross-realm trusts for IPA server requires password for user 'admin'.
This user is a regular system account used for IPA server administration.

admin password:

ipa : DEBUG Starting external process
ipa : DEBUG args=kinit admin
ipa : DEBUG Process finished, return code=0
ipa : DEBUG stdout=Password for ad...@my.ipa.SUBDOMAIN:
ipa : DEBUG stderr=
ipa.ipaserver.plugins.ldap2.ldap2: DEBUG Created connection context.ldap2_48972688
ipa.ipaserver.plugins.user.user_show: DEBUG raw: user_show(u'admin', version=u'2.213')
ipa.ipaserver.plugins.user.user_show: DEBUG user_show(u'admin', rights=False, all=False, raw=False, version=u'2.213', no_members=False)
ipa.ipapython.ipaldap.SchemaCache: DEBUG retrieving schema for SchemaCache url=ldapi://%2fvar%2frun%2fslapd-MY-IPA-SUBDOMAIN.socket conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x4c4c9e0>
ipa.ipaserver.plugins.group.group_show: DEBUG raw: group_show(u'admins', version=u'2.213')
ipa.ipaserver.plugins.group.group_show: DEBUG group_show(u'admins', rights=False, all=False, raw=False, version=u'2.213', no_members=False)
ipa : DEBUG Searching for objects with missing SID with filter=(&(objectclass=ipaobject)(!(objectclass=mepmanagedentry))(|(objectclass=posixaccount)(objectclass=posixgroup)(objectclass=ipaidobject))(!(ipantsecurityidentifier=*))), base_dn=dc=my,dc=ipa,dc=subdomain

WARNING: 12 existing users or groups do not have a SID identifier assigned.
Installer can run a task to have ipa-sidgen Directory Server plugin generate the SID identifier for all these users. Please note, the in case of a high number of users and groups, the operation might lead to high replication traffic and performance degradation. Refer to ipa-adtrust-install(1) man page for details.

Do you want to run the ipa-sidgen task? [no]:

The following operations may take some minutes to complete.
Please wait until the prompt is returned.

ipa : DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
ipa.ipapython.ipaldap.SchemaCache: DEBUG flushing ldapi://%2fvar%2frun%2fslapd-MY-IPA-SUBDOMAIN.socket from SchemaCache
ipa.ipapython.ipaldap.SchemaCache: DEBUG retrieving schema for SchemaCache url=ldapi://%2fvar%2frun%2fslapd-MY-IPA-SUBDOMAIN.socket conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x4d5ccf8>
ipa : DEBUG Configuring CIFS
Configuring CIFS
ipa : DEBUG [1/22]: stopping smbd
[1/22]: stopping smbd
ipa : DEBUG Starting external process
ipa : DEBUG args=/bin/systemctl is-active smb.service
ipa : DEBUG Process finished, return code=3
ipa : DEBUG stdout=failed
ipa : DEBUG stderr=
ipa : DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
ipa : DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state'
ipa : DEBUG Starting external process
ipa : DEBUG args=/bin/systemctl stop winbind.service
ipa : DEBUG Process finished, return code=0
ipa : DEBUG stdout=
ipa : DEBUG stderr=
ipa : DEBUG Starting external process
ipa : DEBUG args=/bin/systemctl stop smb.service
ipa : DEBUG Process finished, return code=0
ipa : DEBUG stdout=
ipa : DEBUG stderr=
ipa : DEBUG duration: 0 seconds
ipa : DEBUG [2/22]: creating samba domain object
[2/22]: creating samba domain object
ipa.ipapython.ipaldap.SchemaCache: DEBUG flushing ldapi://%2fvar%2frun%2fslapd-MY-IPA-SUBDOMAIN.socket from SchemaCache
ipa.ipapython.ipaldap.SchemaCache: DEBUG retrieving schema for SchemaCache url=ldapi://%2fvar%2frun%2fslapd-MY-IPA-SUBDOMAIN.socket conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x4d5bd40>
ipa : DEBUG Samba domain object already exists
Samba domain object already exists
ipa : DEBUG duration: 0 seconds
ipa : DEBUG [3/22]: creating samba config registry
[3/22]: creating samba config registry
ipa : DEBUG Starting external process
ipa : DEBUG args=/usr/bin/net conf import /tmp/tmpTiRBM4
ipa : DEBUG Process finished, return code=0
ipa : DEBUG stdout=
ipa : DEBUG stderr=
ipa : DEBUG duration: 0 seconds
ipa : DEBUG [4/22]: writing samba config file
[4/22]: writing samba config file
ipa : DEBUG duration: 0 seconds
ipa : DEBUG [5/22]: adding cifs Kerberos principal
[5/22]: adding cifs Kerberos principal
ipa.ipaserver.plugins.service.service_add: DEBUG raw: service_add(u'cifs/hostname.my.ipa.subdom...@my.ipa.SUBDOMAIN', version=u'2.213')
ipa.ipaserver.plugins.service.service_add: DEBUG service_add(<ipapython.kerberos.Principal object at 0x4d63110>, force=False, all=False, raw=False, version=u'2.213', no_members=False)
ipa.ipaserver.plugins.host.host_show: DEBUG raw: host_show(u'hostname.MY.IPA.SUBDOMAIN', version=u'2.213')
ipa.ipaserver.plugins.host.host_show: DEBUG host_show(u'hostname.MY.IPA.SUBDOMAIN', rights=False, all=False, raw=False, version=u'2.213', no_members=False)
ipa : DEBUG found 1 A records for hostname.MY.IPA.SUBDOMAIN.: XX.XX.XX.XX
ipa : DEBUG The DNS response does not contain an answer to the question: hostname.MY.IPA.SUBDOMAIN. IN AAAA
ipa : DEBUG Starting external process
ipa : DEBUG args=ipa-rmkeytab --principal cifs/hostname.my.ipa.subdom...@my.ipa.SUBDOMAIN -k /etc/samba/samba.keytab
ipa : DEBUG Process finished, return code=0
ipa : DEBUG stdout=
ipa : DEBUG stderr=Removing principal cifs/hostname.my.ipa.subdom...@my.ipa.SUBDOMAIN
ipa : DEBUG Removing service credentials cache
ipa : DEBUG Ccache path: '/var/run/samba/krb5cc_samba'
ipa : DEBUG Starting external process
ipa : DEBUG args=/usr/bin/kdestroy -c /var/run/samba/krb5cc_samba
ipa : DEBUG Process finished, return code=0
ipa : DEBUG stdout=
ipa : DEBUG stderr=
ipa : DEBUG Starting external process
ipa : DEBUG args=ipa-getkeytab --server hostname.MY.IPA.SUBDOMAIN --principal cifs/hostname.my.ipa.subdom...@my.ipa.SUBDOMAIN -k /etc/samba/samba.keytab
ipa : DEBUG Process finished, return code=0
ipa : DEBUG stdout=
ipa : DEBUG stderr=Keytab successfully retrieved and stored in: /etc/samba/samba.keytab
ipa : DEBUG duration: 0 seconds
ipa : DEBUG [6/22]: adding cifs and host Kerberos principals to the adtrust agents group
[6/22]: adding cifs and host Kerberos principals to the adtrust agents group
ipa : DEBUG duration: 0 seconds
ipa : DEBUG [7/22]: check for cifs services defined on other replicas
[7/22]: check for cifs services defined on other replicas
ipa : DEBUG duration: 0 seconds
ipa : DEBUG [8/22]: adding cifs principal to S4U2Proxy targets
[8/22]: adding cifs principal to S4U2Proxy targets
ipa : DEBUG cifs principal already targeted, nothing to do.
cifs principal already targeted, nothing to do.
ipa : DEBUG duration: 0 seconds
ipa : DEBUG [9/22]: adding admin(group) SIDs
[9/22]: adding admin(group) SIDs
ipa : DEBUG Admin SID already set, nothing to do
Admin SID already set, nothing to do
ipa : DEBUG Admin group SID already set, nothing to do
Admin group SID already set, nothing to do
ipa : DEBUG duration: 0 seconds
ipa : DEBUG [10/22]: adding RID bases
[10/22]: adding RID bases
ipa : DEBUG RID bases already set, nothing to do
RID bases already set, nothing to do
ipa : DEBUG duration: 0 seconds
ipa : DEBUG [11/22]: updating Kerberos config
[11/22]: updating Kerberos config
ipa : DEBUG 'dns_lookup_kdc' already set to 'true', nothing to do.
'dns_lookup_kdc' already set to 'true', nothing to do.
ipa : DEBUG duration: 0 seconds
ipa : DEBUG [12/22]: activating CLDAP plugin
[12/22]: activating CLDAP plugin
ipa : DEBUG CLDAP plugin already configured, nothing to do
CLDAP plugin already configured, nothing to do
ipa : DEBUG duration: 0 seconds
ipa : DEBUG [13/22]: activating sidgen task
[13/22]: activating sidgen task
ipa : DEBUG Sidgen task plugin already configured, nothing to do
Sidgen task plugin already configured, nothing to do
ipa : DEBUG duration: 0 seconds
ipa : DEBUG [14/22]: configuring smbd to start on boot
[14/22]: configuring smbd to start on boot
ipa : DEBUG Starting external process
ipa : DEBUG args=/bin/systemctl is-enabled smb.service
ipa : DEBUG Process finished, return code=1
ipa : DEBUG stdout=disabled
ipa : DEBUG stderr=
ipa : DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
ipa : DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state'
ipa : DEBUG Starting external process
ipa : DEBUG args=/bin/systemctl disable smb.service
ipa : DEBUG Process finished, return code=0
ipa : DEBUG stdout=
ipa : DEBUG stderr=
ipa : DEBUG service ADTRUST startup entry already enabled
ipa : DEBUG Starting external process
ipa : DEBUG args=/bin/systemctl disable smb.service
ipa : DEBUG Process finished, return code=0
ipa : DEBUG stdout=
ipa : DEBUG stderr=
ipa : DEBUG service EXTID startup entry already enabled
ipa : DEBUG duration: 1 seconds
ipa : DEBUG [15/22]: adding special DNS service records
[15/22]: adding special DNS service records
ipa.ipaserver.plugins.dns.dns_is_enabled: DEBUG raw: dns_is_enabled(version=u'2.213')
ipa.ipaserver.plugins.dns.dns_is_enabled: DEBUG dns_is_enabled(version=u'2.213')
ipa.ipaserver.plugins.dns.dnszone_show: DEBUG raw: dnszone_show(u'MY.IPA.SUBDOMAIN', version=u'2.213')
ipa.ipaserver.plugins.dns.dnszone_show: DEBUG dnszone_show(<DNS name MY.IPA.SUBDOMAIN.>, rights=False, all=False, raw=False, version=u'2.213')
ipa.ipaserver.plugins.dns.dns_update_system_records: DEBUG raw: dns_update_system_records(version=u'2.213')
ipa.ipaserver.plugins.dns.dns_update_system_records: DEBUG dns_update_system_records(dry_run=False, all=False, raw=False, version=u'2.213')
ipa.ipaserver.plugins.server.server_find: DEBUG raw: server_find(None, version=u'2.213', no_members=False)
ipa.ipaserver.plugins.server.server_find: DEBUG server_find(None, all=False, raw=False, version=u'2.213', no_members=False, pkey_only=False)
ipa.ipaserver.plugins.topology.topologysuffix_find: DEBUG raw: topologysuffix_find(None, all=True, raw=True, version=u'2.213')
ipa.ipaserver.plugins.topology.topologysuffix_find: DEBUG topologysuffix_find(None, all=True, raw=True, version=u'2.213', pkey_only=False)
ipa.ipaserver.plugins.serverrole.server_role_find: DEBUG raw: server_role_find(None, server_server=u'hostname.MY.IPA.SUBDOMAIN', status=u'enabled', version=u'2.213')
ipa.ipaserver.plugins.serverrole.server_role_find: DEBUG server_role_find(None, server_server=u'hostname.MY.IPA.SUBDOMAIN', status=u'enabled', all=False, raw=False, version=u'2.213')
ipa.ipaserver.plugins.serverrole.server_role_find: DEBUG raw: server_role_find(None, server_server=u'OTHER_IDM_SERVER.MY.IPA.SUBDOMAIN', status=u'enabled', version=u'2.213')
ipa.ipaserver.plugins.serverrole.server_role_find: DEBUG server_role_find(None,
server_server=u'OTHER_IDM_SERVER.MY.IPA.SUBDOMAIN', status=u'enabled', all=False, raw=False, version=u'2.213') ipa.ipaserver.plugins.dns.dnszone_show: DEBUG raw: dnszone_show(<DNS name MY.IPA.SUBDOMAIN.>, version=u'2.213') ipa.ipaserver.plugins.dns.dnszone_show: DEBUG dnszone_show(<DNS name MY.IPA.SUBDOMAIN.>, rights=False, all=False, raw=False, version=u'2.213') ipa : DEBUG found 1 1 records for hostname.MY.IPA.SUBDOMAIN.: XX.XX.XX.XX ipa : DEBUG The DNS response does not contain an answer to the question: hostname.MY.IPA.SUBDOMAIN. IN AAAA ipa : DEBUG found 1 1 records for OTHER_IDM_SERVER.MY.IPA.SUBDOMAIN.: YY.YY.YY.YY ipa : DEBUG The DNS response does not contain an answer to the question: OTHER_IDM_SERVER.MY.IPA.SUBDOMAIN. IN AAAA ipa.ipaserver.plugins.dns.dnsrecord_mod: DEBUG raw: dnsrecord_mod(<DNS name MY.IPA.SUBDOMAIN.>, <DNS name _kerberos.MY.IPA.SUBDOMAIN.>, txtrecord=[u'"MY.IPA.SUBDOMAIN"'], version=u'2.213') ipa.ipaserver.plugins.dns.dnsrecord_mod: DEBUG dnsrecord_mod(<DNS name MY.IPA.SUBDOMAIN.>, <DNS name _kerberos.MY.IPA.SUBDOMAIN.>, txtrecord=(u'"MY.IPA.SUBDOMAIN"',), rights=False, structured=False, all=False, raw=False, version=u'2.213') ipa.ipaserver.plugins.dns.dnsrecord_mod: DEBUG raw: dnsrecord_mod(<DNS name MY.IPA.SUBDOMAIN.>, <DNS name _kerberos._tcp.dc._msdcs.MY.IPA.SUBDOMAIN.>, srvrecord=[u'0 100 88 hostname.MY.IPA.SUBDOMAIN.', u'0 100 88 OTHER_IDM_SERVER.MY.IPA.SUBDOMAIN.'], setattr=[u'idnsTemplateAttribute;cnamerecord=_kerberos._tcp.dc._msdcs.\\{substitutionvariable_ipalocation\\}._locations'], addattr=[u'objectclass=idnsTemplateObject'], version=u'2.213') ipa.ipaserver.plugins.dns.dnsrecord_mod: DEBUG dnsrecord_mod(<DNS name MY.IPA.SUBDOMAIN.>, <DNS name _kerberos._tcp.dc._msdcs.MY.IPA.SUBDOMAIN.>, srvrecord=(u'0 100 88 hostname.MY.IPA.SUBDOMAIN.', u'0 100 88 OTHER_IDM_SERVER.MY.IPA.SUBDOMAIN.'), setattr=(u'idnsTemplateAttribute;cnamerecord=_kerberos._tcp.dc._msdcs.\\{substitutionvariable_ipalocation\\}._locations',), 
addattr=(u'objectclass=idnsTemplateObject',), rights=False, structured=False, all=False, raw=False, version=u'2.213') ipa.ipaserver.plugins.dns.dnsrecord_mod: DEBUG raw: dnsrecord_mod(<DNS name MY.IPA.SUBDOMAIN.>, <DNS name _kerberos-master._tcp.MY.IPA.SUBDOMAIN.>, srvrecord=[u'0 100 88 hostname.MY.IPA.SUBDOMAIN.', u'0 100 88 OTHER_IDM_SERVER.MY.IPA.SUBDOMAIN.'], setattr=[u'idnsTemplateAttribute;cnamerecord=_kerberos-master._tcp.\\{substitutionvariable_ipalocation\\}._locations'], addattr=[u'objectclass=idnsTemplateObject'], version=u'2.213') ipa.ipaserver.plugins.dns.dnsrecord_mod: DEBUG dnsrecord_mod(<DNS name MY.IPA.SUBDOMAIN.>, <DNS name _kerberos-master._tcp.MY.IPA.SUBDOMAIN.>, srvrecord=(u'0 100 88 hostname.MY.IPA.SUBDOMAIN.', u'0 100 88 OTHER_IDM_SERVER.MY.IPA.SUBDOMAIN.'), setattr=(u'idnsTemplateAttribute;cnamerecord=_kerberos-master._tcp.\\{substitutionvariable_ipalocation\\}._locations',), addattr=(u'objectclass=idnsTemplateObject',), rights=False, structured=False, all=False, raw=False, version=u'2.213') ipa.ipaserver.plugins.dns.dnsrecord_mod: DEBUG raw: dnsrecord_mod(<DNS name MY.IPA.SUBDOMAIN.>, <DNS name _kerberos._udp.MY.IPA.SUBDOMAIN.>, srvrecord=[u'0 100 88 hostname.MY.IPA.SUBDOMAIN.', u'0 100 88 OTHER_IDM_SERVER.MY.IPA.SUBDOMAIN.'], setattr=[u'idnsTemplateAttribute;cnamerecord=_kerberos._udp.\\{substitutionvariable_ipalocation\\}._locations'], addattr=[u'objectclass=idnsTemplateObject'], version=u'2.213') ipa.ipaserver.plugins.dns.dnsrecord_mod: DEBUG dnsrecord_mod(<DNS name MY.IPA.SUBDOMAIN.>, <DNS name _kerberos._udp.MY.IPA.SUBDOMAIN.>, srvrecord=(u'0 100 88 hostname.MY.IPA.SUBDOMAIN.', u'0 100 88 OTHER_IDM_SERVER.MY.IPA.SUBDOMAIN.'), setattr=(u'idnsTemplateAttribute;cnamerecord=_kerberos._udp.\\{substitutionvariable_ipalocation\\}._locations',), addattr=(u'objectclass=idnsTemplateObject',), rights=False, structured=False, all=False, raw=False, version=u'2.213') ipa.ipaserver.plugins.dns.dnsrecord_mod: DEBUG raw: dnsrecord_mod(<DNS name 
MY.IPA.SUBDOMAIN.>, <DNS name _kerberos._udp.dc._msdcs.MY.IPA.SUBDOMAIN.>, srvrecord=[u'0 100 88 hostname.MY.IPA.SUBDOMAIN.', u'0 100 88 OTHER_IDM_SERVER.MY.IPA.SUBDOMAIN.'], setattr=[u'idnsTemplateAttribute;cnamerecord=_kerberos._udp.dc._msdcs.\\{substitutionvariable_ipalocation\\}._locations'], addattr=[u'objectclass=idnsTemplateObject'], version=u'2.213') ipa.ipaserver.plugins.dns.dnsrecord_mod: DEBUG dnsrecord_mod(<DNS name MY.IPA.SUBDOMAIN.>, <DNS name _kerberos._udp.dc._msdcs.MY.IPA.SUBDOMAIN.>, srvrecord=(u'0 100 88 hostname.MY.IPA.SUBDOMAIN.', u'0 100 88 OTHER_IDM_SERVER.MY.IPA.SUBDOMAIN.'), setattr=(u'idnsTemplateAttribute;cnamerecord=_kerberos._udp.dc._msdcs.\\{substitutionvariable_ipalocation\\}._locations',), addattr=(u'objectclass=idnsTemplateObject',), rights=False, structured=False, all=False, raw=False, version=u'2.213') ipa.ipaserver.plugins.dns.dnsrecord_mod: DEBUG raw: dnsrecord_mod(<DNS name MY.IPA.SUBDOMAIN.>, <DNS name _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.MY.IPA.SUBDOMAIN.>, srvrecord=[u'0 100 389 hostname.MY.IPA.SUBDOMAIN.', u'0 100 389 OTHER_IDM_SERVER.MY.IPA.SUBDOMAIN.'], setattr=[u'idnsTemplateAttribute;cnamerecord=_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.\\{substitutionvariable_ipalocation\\}._locations'], addattr=[u'objectclass=idnsTemplateObject'], version=u'2.213') ipa.ipaserver.plugins.dns.dnsrecord_mod: DEBUG dnsrecord_mod(<DNS name MY.IPA.SUBDOMAIN.>, <DNS name _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.MY.IPA.SUBDOMAIN.>, srvrecord=(u'0 100 389 hostname.MY.IPA.SUBDOMAIN.', u'0 100 389 OTHER_IDM_SERVER.MY.IPA.SUBDOMAIN.'), setattr=(u'idnsTemplateAttribute;cnamerecord=_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.\\{substitutionvariable_ipalocation\\}._locations',), addattr=(u'objectclass=idnsTemplateObject',), rights=False, structured=False, all=False, raw=False, version=u'2.213') ipa.ipaserver.plugins.dns.dnsrecord_mod: DEBUG raw: dnsrecord_mod(<DNS name MY.IPA.SUBDOMAIN.>, <DNS name 
_kerberos._tcp.MY.IPA.SUBDOMAIN.>, srvrecord=[u'0 100 88 hostname.MY.IPA.SUBDOMAIN.', u'0 100 88 OTHER_IDM_SERVER.MY.IPA.SUBDOMAIN.'], setattr=[u'idnsTemplateAttribute;cnamerecord=_kerberos._tcp.\\{substitutionvariable_ipalocation\\}._locations'], addattr=[u'objectclass=idnsTemplateObject'], version=u'2.213') ipa.ipaserver.plugins.dns.dnsrecord_mod: DEBUG dnsrecord_mod(<DNS name MY.IPA.SUBDOMAIN.>, <DNS name _kerberos._tcp.MY.IPA.SUBDOMAIN.>, srvrecord=(u'0 100 88 hostname.MY.IPA.SUBDOMAIN.', u'0 100 88 OTHER_IDM_SERVER.MY.IPA.SUBDOMAIN.'), setattr=(u'idnsTemplateAttribute;cnamerecord=_kerberos._tcp.\\{substitutionvariable_ipalocation\\}._locations',), addattr=(u'objectclass=idnsTemplateObject',), rights=False, structured=False, all=False, raw=False, version=u'2.213') ipa.ipaserver.plugins.dns.dnsrecord_mod: DEBUG raw: dnsrecord_mod(<DNS name MY.IPA.SUBDOMAIN.>, <DNS name _kpasswd._udp.MY.IPA.SUBDOMAIN.>, srvrecord=[u'0 100 464 hostname.MY.IPA.SUBDOMAIN.', u'0 100 464 OTHER_IDM_SERVER.MY.IPA.SUBDOMAIN.'], setattr=[u'idnsTemplateAttribute;cnamerecord=_kpasswd._udp.\\{substitutionvariable_ipalocation\\}._locations'], addattr=[u'objectclass=idnsTemplateObject'], version=u'2.213') ipa.ipaserver.plugins.dns.dnsrecord_mod: DEBUG dnsrecord_mod(<DNS name MY.IPA.SUBDOMAIN.>, <DNS name _kpasswd._udp.MY.IPA.SUBDOMAIN.>, srvrecord=(u'0 100 464 hostname.MY.IPA.SUBDOMAIN.', u'0 100 464 OTHER_IDM_SERVER.MY.IPA.SUBDOMAIN.'), setattr=(u'idnsTemplateAttribute;cnamerecord=_kpasswd._udp.\\{substitutionvariable_ipalocation\\}._locations',), addattr=(u'objectclass=idnsTemplateObject',), rights=False, structured=False, all=False, raw=False, version=u'2.213') ipa.ipaserver.plugins.dns.dnsrecord_mod: DEBUG raw: dnsrecord_mod(<DNS name MY.IPA.SUBDOMAIN.>, <DNS name _kpasswd._tcp.MY.IPA.SUBDOMAIN.>, srvrecord=[u'0 100 464 hostname.MY.IPA.SUBDOMAIN.', u'0 100 464 OTHER_IDM_SERVER.MY.IPA.SUBDOMAIN.'], 
setattr=[u'idnsTemplateAttribute;cnamerecord=_kpasswd._tcp.\\{substitutionvariable_ipalocation\\}._locations'], addattr=[u'objectclass=idnsTemplateObject'], version=u'2.213') ipa.ipaserver.plugins.dns.dnsrecord_mod: DEBUG dnsrecord_mod(<DNS name MY.IPA.SUBDOMAIN.>, <DNS name _kpasswd._tcp.MY.IPA.SUBDOMAIN.>, srvrecord=(u'0 100 464 hostname.MY.IPA.SUBDOMAIN.', u'0 100 464 OTHER_IDM_SERVER.MY.IPA.SUBDOMAIN.'), setattr=(u'idnsTemplateAttribute;cnamerecord=_kpasswd._tcp.\\{substitutionvariable_ipalocation\\}._locations',), addattr=(u'objectclass=idnsTemplateObject',), rights=False, structured=False, all=False, raw=False, version=u'2.213') ipa.ipaserver.plugins.dns.dnsrecord_mod: DEBUG raw: dnsrecord_mod(<DNS name MY.IPA.SUBDOMAIN.>, <DNS name _ntp._udp.MY.IPA.SUBDOMAIN.>, srvrecord=[u'0 100 123 hostname.MY.IPA.SUBDOMAIN.', u'0 100 123 OTHER_IDM_SERVER.MY.IPA.SUBDOMAIN.'], setattr=[u'idnsTemplateAttribute;cnamerecord=_ntp._udp.\\{substitutionvariable_ipalocation\\}._locations'], addattr=[u'objectclass=idnsTemplateObject'], version=u'2.213') ipa.ipaserver.plugins.dns.dnsrecord_mod: DEBUG dnsrecord_mod(<DNS name MY.IPA.SUBDOMAIN.>, <DNS name _ntp._udp.MY.IPA.SUBDOMAIN.>, srvrecord=(u'0 100 123 hostname.MY.IPA.SUBDOMAIN.', u'0 100 123 OTHER_IDM_SERVER.MY.IPA.SUBDOMAIN.'), setattr=(u'idnsTemplateAttribute;cnamerecord=_ntp._udp.\\{substitutionvariable_ipalocation\\}._locations',), addattr=(u'objectclass=idnsTemplateObject',), rights=False, structured=False, all=False, raw=False, version=u'2.213') ipa.ipaserver.plugins.dns.dnsrecord_mod: DEBUG raw: dnsrecord_mod(<DNS name MY.IPA.SUBDOMAIN.>, <DNS name _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.MY.IPA.SUBDOMAIN.>, srvrecord=[u'0 100 88 hostname.MY.IPA.SUBDOMAIN.', u'0 100 88 OTHER_IDM_SERVER.MY.IPA.SUBDOMAIN.'], setattr=[u'idnsTemplateAttribute;cnamerecord=_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.\\{substitutionvariable_ipalocation\\}._locations'], addattr=[u'objectclass=idnsTemplateObject'], 
version=u'2.213') ipa.ipaserver.plugins.dns.dnsrecord_mod: DEBUG dnsrecord_mod(<DNS name MY.IPA.SUBDOMAIN.>, <DNS name _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.MY.IPA.SUBDOMAIN.>, srvrecord=(u'0 100 88 hostname.MY.IPA.SUBDOMAIN.', u'0 100 88 OTHER_IDM_SERVER.MY.IPA.SUBDOMAIN.'), setattr=(u'idnsTemplateAttribute;cnamerecord=_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.\\{substitutionvariable_ipalocation\\}._locations',), addattr=(u'objectclass=idnsTemplateObject',), rights=False, structured=False, all=False, raw=False, version=u'2.213') ipa.ipaserver.plugins.dns.dnsrecord_mod: DEBUG raw: dnsrecord_mod(<DNS name MY.IPA.SUBDOMAIN.>, <DNS name ipa-ca.MY.IPA.SUBDOMAIN.>, arecord=[u'XX.XX.XX.XX', u'YY.YY.YY.YY'], version=u'2.213') ipa.ipaserver.plugins.dns.dnsrecord_mod: DEBUG dnsrecord_mod(<DNS name MY.IPA.SUBDOMAIN.>, <DNS name ipa-ca.MY.IPA.SUBDOMAIN.>, arecord=(u'XX.XX.XX.XX', u'YY.YY.YY.YY'), rights=False, structured=False, all=False, raw=False, version=u'2.213') ipa.ipaserver.plugins.dns.dnsrecord_mod: DEBUG raw: dnsrecord_mod(<DNS name MY.IPA.SUBDOMAIN.>, <DNS name _ldap._tcp.MY.IPA.SUBDOMAIN.>, srvrecord=[u'0 100 389 hostname.MY.IPA.SUBDOMAIN.', u'0 100 389 OTHER_IDM_SERVER.MY.IPA.SUBDOMAIN.'], setattr=[u'idnsTemplateAttribute;cnamerecord=_ldap._tcp.\\{substitutionvariable_ipalocation\\}._locations'], addattr=[u'objectclass=idnsTemplateObject'], version=u'2.213') ipa.ipaserver.plugins.dns.dnsrecord_mod: DEBUG dnsrecord_mod(<DNS name MY.IPA.SUBDOMAIN.>, <DNS name _ldap._tcp.MY.IPA.SUBDOMAIN.>, srvrecord=(u'0 100 389 hostname.MY.IPA.SUBDOMAIN.', u'0 100 389 OTHER_IDM_SERVER.MY.IPA.SUBDOMAIN.'), setattr=(u'idnsTemplateAttribute;cnamerecord=_ldap._tcp.\\{substitutionvariable_ipalocation\\}._locations',), addattr=(u'objectclass=idnsTemplateObject',), rights=False, structured=False, all=False, raw=False, version=u'2.213') ipa.ipaserver.plugins.dns.dnsrecord_mod: DEBUG raw: dnsrecord_mod(<DNS name MY.IPA.SUBDOMAIN.>, <DNS name 
_kerberos._udp.Default-First-Site-Name._sites.dc._msdcs.MY.IPA.SUBDOMAIN.>, srvrecord=[u'0 100 88 hostname.MY.IPA.SUBDOMAIN.', u'0 100 88 OTHER_IDM_SERVER.MY.IPA.SUBDOMAIN.'], setattr=[u'idnsTemplateAttribute;cnamerecord=_kerberos._udp.Default-First-Site-Name._sites.dc._msdcs.\\{substitutionvariable_ipalocation\\}._locations'], addattr=[u'objectclass=idnsTemplateObject'], version=u'2.213') ipa.ipaserver.plugins.dns.dnsrecord_mod: DEBUG dnsrecord_mod(<DNS name MY.IPA.SUBDOMAIN.>, <DNS name _kerberos._udp.Default-First-Site-Name._sites.dc._msdcs.MY.IPA.SUBDOMAIN.>, srvrecord=(u'0 100 88 hostname.MY.IPA.SUBDOMAIN.', u'0 100 88 OTHER_IDM_SERVER.MY.IPA.SUBDOMAIN.'), setattr=(u'idnsTemplateAttribute;cnamerecord=_kerberos._udp.Default-First-Site-Name._sites.dc._msdcs.\\{substitutionvariable_ipalocation\\}._locations',), addattr=(u'objectclass=idnsTemplateObject',), rights=False, structured=False, all=False, raw=False, version=u'2.213') ipa.ipaserver.plugins.dns.dnsrecord_mod: DEBUG raw: dnsrecord_mod(<DNS name MY.IPA.SUBDOMAIN.>, <DNS name _ldap._tcp.dc._msdcs.MY.IPA.SUBDOMAIN.>, srvrecord=[u'0 100 389 hostname.MY.IPA.SUBDOMAIN.', u'0 100 389 OTHER_IDM_SERVER.MY.IPA.SUBDOMAIN.'], setattr=[u'idnsTemplateAttribute;cnamerecord=_ldap._tcp.dc._msdcs.\\{substitutionvariable_ipalocation\\}._locations'], addattr=[u'objectclass=idnsTemplateObject'], version=u'2.213') ipa.ipaserver.plugins.dns.dnsrecord_mod: DEBUG dnsrecord_mod(<DNS name MY.IPA.SUBDOMAIN.>, <DNS name _ldap._tcp.dc._msdcs.MY.IPA.SUBDOMAIN.>, srvrecord=(u'0 100 389 hostname.MY.IPA.SUBDOMAIN.', u'0 100 389 OTHER_IDM_SERVER.MY.IPA.SUBDOMAIN.'), setattr=(u'idnsTemplateAttribute;cnamerecord=_ldap._tcp.dc._msdcs.\\{substitutionvariable_ipalocation\\}._locations',), addattr=(u'objectclass=idnsTemplateObject',), rights=False, structured=False, all=False, raw=False, version=u'2.213') ipa.ipaserver.plugins.dns.dnsrecord_mod: DEBUG raw: dnsrecord_mod(<DNS name MY.IPA.SUBDOMAIN.>, <DNS name 
_kerberos-master._udp.MY.IPA.SUBDOMAIN.>, srvrecord=[u'0 100 88 hostname.MY.IPA.SUBDOMAIN.', u'0 100 88 OTHER_IDM_SERVER.MY.IPA.SUBDOMAIN.'], setattr=[u'idnsTemplateAttribute;cnamerecord=_kerberos-master._udp.\\{substitutionvariable_ipalocation\\}._locations'], addattr=[u'objectclass=idnsTemplateObject'], version=u'2.213')
ipa.ipaserver.plugins.dns.dnsrecord_mod: DEBUG dnsrecord_mod(<DNS name MY.IPA.SUBDOMAIN.>, <DNS name _kerberos-master._udp.MY.IPA.SUBDOMAIN.>, srvrecord=(u'0 100 88 hostname.MY.IPA.SUBDOMAIN.', u'0 100 88 OTHER_IDM_SERVER.MY.IPA.SUBDOMAIN.'), setattr=(u'idnsTemplateAttribute;cnamerecord=_kerberos-master._udp.\\{substitutionvariable_ipalocation\\}._locations',), addattr=(u'objectclass=idnsTemplateObject',), rights=False, structured=False, all=False, raw=False, version=u'2.213')
ipa.ipaserver.plugins.server.server_find: DEBUG raw: server_find(None, version=u'2.213', pkey_only=True)
ipa.ipaserver.plugins.server.server_find: DEBUG server_find(None, all=False, raw=False, version=u'2.213', no_members=True, pkey_only=True)
ipa.ipaserver.plugins.topology.topologysuffix_find: DEBUG raw: topologysuffix_find(None, all=True, raw=True, version=u'2.213')
ipa.ipaserver.plugins.topology.topologysuffix_find: DEBUG topologysuffix_find(None, all=True, raw=True, version=u'2.213', pkey_only=False)
ipa.ipaserver.plugins.location.location_find: DEBUG raw: location_find(None, version=u'2.213')
ipa.ipaserver.plugins.location.location_find: DEBUG location_find(None, all=False, raw=False, version=u'2.213', pkey_only=False)
ipa : DEBUG duration: 0 seconds
ipa : DEBUG [16/22]: enabling trusted domains support for older clients via Schema Compatibility plugin
[16/22]: enabling trusted domains support for older clients via Schema Compatibility plugin
ipa : DEBUG duration: 0 seconds
ipa : DEBUG [17/22]: restarting Directory Server to take MS PAC and LDAP plugins changes into account
[17/22]: restarting Directory Server to take MS PAC and LDAP plugins changes into account
ipa : DEBUG Starting external process
ipa : DEBUG args=/bin/systemctl restart dirsrv@MY-IPA-SUBDOMAIN.service
ipa : DEBUG Process finished, return code=0
ipa : DEBUG stdout=
ipa : DEBUG stderr=
ipa : DEBUG Starting external process
ipa : DEBUG args=/bin/systemctl is-active dirsrv@MY-IPA-SUBDOMAIN.service
ipa : DEBUG Process finished, return code=0
ipa : DEBUG stdout=active
ipa : DEBUG stderr=
ipa : DEBUG wait_for_open_ports: localhost [389] timeout 300
ipa : DEBUG duration: 5 seconds
ipa : DEBUG [18/22]: adding fallback group
[18/22]: adding fallback group
ipa.ipapython.ipaldap.SchemaCache: DEBUG flushing ldapi://%2fvar%2frun%2fslapd-MY-IPA-SUBDOMAIN.socket from SchemaCache
ipa.ipapython.ipaldap.SchemaCache: DEBUG retrieving schema for SchemaCache url=ldapi://%2fvar%2frun%2fslapd-MY-IPA-SUBDOMAIN.socket conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x4d5ce60>
ipa : DEBUG Fallback group already set, nothing to do
Fallback group already set, nothing to do
ipa : DEBUG duration: 0 seconds
ipa : DEBUG [19/22]: adding Default Trust View
[19/22]: adding Default Trust View
ipa : DEBUG Default Trust View already exists.
Default Trust View already exists.
ipa : DEBUG duration: 0 seconds
ipa : DEBUG [20/22]: setting SELinux booleans
[20/22]: setting SELinux booleans
ipa : DEBUG Starting external process
ipa : DEBUG args=/usr/sbin/selinuxenabled
ipa : DEBUG Process finished, return code=1
ipa : DEBUG stdout=
ipa : DEBUG stderr=
ipa : DEBUG duration: 0 seconds
ipa : DEBUG [21/22]: starting CIFS services
[21/22]: starting CIFS services
ipa : DEBUG Starting external process
ipa : DEBUG args=/bin/systemctl start smb.service
ipa : DEBUG Process finished, return code=1
ipa : DEBUG stdout=
ipa : DEBUG stderr=Job for smb.service failed because the control process exited with error code. See "systemctl status smb.service" and "journalctl -xe" for details.
ipa : CRITICAL CIFS services failed to start
ipa : DEBUG duration: 6 seconds
ipa : DEBUG [22/22]: restarting smbd
[22/22]: restarting smbd
ipa : DEBUG duration: 0 seconds
ipa : DEBUG Done configuring CIFS.
Done configuring CIFS.
...
ipa : DEBUG Starting external process
ipa : DEBUG args=kinit admin
ipa : DEBUG Process finished, return code=0
ipa : DEBUG stdout=Password for ad...@my.ipa.SUBDOMAIN:
ipa : DEBUG stderr=
ipa : INFO The ipa-adtrust-install command was successful

On the smb logs I can see:

...
[2017/04/10 16:27:58.896485, 11, pid=22584, effective(0, 0), real(0, 0)] ../source3/lib/smbldap.c:1067(smbldap_open)
  smbldap_open: already connected to the LDAP server
[2017/04/10 16:27:58.898224, 0, pid=22584, effective(0, 0), real(0, 0)] ipa_sam.c:3688(ipasam_search_domain_info)
  iapsam_search_domain_info: Got [2] domain info entries, but expected only 1. <***************************************************************
[2017/04/10 16:27:58.898278, 0, pid=22584, effective(0, 0), real(0, 0)] ipa_sam.c:4543(pdb_init_ipasam)
  pdb_init_ldapsam: WARNING: Could not get domain info, nor add one to the domain. We cannot work reliably without it. <****************************************
[2017/04/10 16:27:58.898302, 0, pid=22584, effective(0, 0), real(0, 0), class=passdb] ../source3/passdb/pdb_interface.c:179(make_pdb_method_name)
  pdb backend ipasam:ldapi://%2fvar%2frun%2fslapd-MY-IPA-SUBDOMAIN.socket did not correctly init (error was NT_STATUS_CANT_ACCESS_DOMAIN_INFO)

I have traced the ipa-adtrust-install and systemctl start smb, but I couldn't get the "domain info entries".
Checking the LDAP directory I showed:

[root@HOSTNAME]# ldapsearch -w XXXXXXXX -h localhost -s sub -b 'dc=MY,dc=IPA,dc=SUBDOMAIN' -D "cn=Directory Manager" "objectclass=ipaNTDomainAttrs"
# extended LDIF
#
# LDAPv3
# base <dc=MY,dc=IPA,dc=SUBDOMAIN> with scope subtree
# filter: objectclass=ipaNTDomainAttrs
# requesting: ALL
#

# my.ipa.subdomain, ad + 773d9684-12f211e7-b1abe436-0243208c, etc, my.ipa.subdomain
dn: cn=my.ipa.subdomain,cn=ad+nsuniqueid=773d9684-12f211e7-b1abe436-0243208c,cn=etc,dc=MY,dc=IPA,dc=SUBDOMAIN
objectClass: nsContainer
objectClass: ipaNTDomainAttrs
objectClass: top
ipaNTSecurityIdentifier: S-1-5-21-3119812475-2647440479-1423840280
cn: my.ipa.subdomain
ipaNTDomainGUID: 449b23da-6e30-4fa9-9d34-3426bcec8d0f
ipaNTFlatName: IPA

# my.ipa.subdomain, ad, etc, my.ipa.subdomain
dn: cn=my.ipa.subdomain,cn=ad,cn=etc,dc=MY,dc=IPA,dc=SUBDOMAIN
ipaNTFallbackPrimaryGroup: cn=editors,cn=groups,cn=accounts,dc=MY,dc=IPA,dc=SUBDOMAIN
objectClass: nsContainer
objectClass: ipaNTDomainAttrs
objectClass: top
ipaNTSecurityIdentifier: S-1-5-21-1187620393-3629609531-1738010010
cn: my.ipa.subdomain
ipaNTDomainGUID: 09ec963b-ca7d-4a04-b533-7283d0fac036
ipaNTFlatName: IPA

# search result
search: 2
result: 0 Success

# numResponses: 3
# numEntries: 2

But not sure if those are the 2 "Domains info entries".

Can you please let me know how to fix this problem?
################ The environment: #####################
Red Hat Enterprise Linux Server release 7.3 (Maipo)
SELinux status: disabled
Domain level 1

ipa-admintools-4.4.0-14.el7_3.6.noarch
ipa-client-4.4.0-14.el7_3.6.x86_64
ipa-client-common-4.4.0-14.el7_3.6.noarch
ipa-common-4.4.0-14.el7_3.6.noarch
ipa-debuginfo-4.4.0-14.el7_3.6.x86_64
ipa-python-compat-4.4.0-14.el7_3.6.noarch
ipa-server-4.4.0-14.el7_3.6.x86_64
ipa-server-common-4.4.0-14.el7_3.6.noarch
ipa-server-dns-4.4.0-14.el7_3.6.noarch
ipa-server-trust-ad-4.4.0-14.el7_3.6.x86_64
libipa_hbac-1.14.0-43.el7_3.11.x86_64
python2-ipaclient-4.4.0-14.el7_3.6.noarch
python2-ipalib-4.4.0-14.el7_3.6.noarch
python2-ipaserver-4.4.0-14.el7_3.6.noarch
python-iniparse-0.4-9.el7.noarch
python-ipaddress-1.0.16-2.el7.noarch
python-libipa_hbac-1.14.0-43.el7_3.11.x86_64
sssd-ipa-1.14.0-43.el7_3.11.x86_64

samba-winbind-modules-4.4.4-12.el7_3.x86_64
samba-client-4.4.4-12.el7_3.x86_64
samba-winbind-clients-4.4.4-12.el7_3.x86_64
samba-libs-4.4.4-12.el7_3.x86_64
samba-common-tools-4.4.4-12.el7_3.x86_64
samba-debuginfo-4.4.4-12.el7_3.x86_64
samba-common-4.4.4-12.el7_3.noarch
samba-common-libs-4.4.4-12.el7_3.x86_64
samba-4.4.4-12.el7_3.x86_64
samba-winbind-4.4.4-12.el7_3.x86_64
samba-python-4.4.4-12.el7_3.x86_64
samba-client-libs-4.4.4-12.el7_3.x86_64

Thank you very much.
______________________________
Miguel Soler Sangüesa
Consultant - Linux Administrator
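
Added example, not part of the original messages and not FreeIPA code: the ldapsearch output quoted above shows two ipaNTDomainAttrs entries, one of them under cn=ad+nsuniqueid=..., and this parser reports that from saved LDIF so the extra entry can be identified before anything is changed. It relies on background the thread does not state, namely that 389 Directory Server names replication conflict entries by adding an nsuniqueid component to the RDN; the function names are hypothetical.

```python
import base64
import re

# Constructed sample: the two entries from the ldapsearch output quoted in the
# message, restored to LDIF layout. The fold in the first dn is added here to
# exercise line unfolding (ldapsearch wraps long lines by default).
SAMPLE_LDIF = """\
# extended LDIF
# filter: objectclass=ipaNTDomainAttrs

# my.ipa.subdomain, ad + 773d9684-12f211e7-b1abe436-0243208c, etc, my.ipa.subdomain
dn: cn=my.ipa.subdomain,cn=ad+nsuniqueid=773d9684-12f211e7-b1abe436-0243208c,
 cn=etc,dc=MY,dc=IPA,dc=SUBDOMAIN
objectClass: nsContainer
objectClass: ipaNTDomainAttrs
objectClass: top
ipaNTSecurityIdentifier: S-1-5-21-3119812475-2647440479-1423840280
cn: my.ipa.subdomain
ipaNTFlatName: IPA

# my.ipa.subdomain, ad, etc, my.ipa.subdomain
dn: cn=my.ipa.subdomain,cn=ad,cn=etc,dc=MY,dc=IPA,dc=SUBDOMAIN
ipaNTFallbackPrimaryGroup: cn=editors,cn=groups,cn=accounts,dc=MY,dc=IPA,dc=SUBDOMAIN
objectClass: nsContainer
objectClass: ipaNTDomainAttrs
objectClass: top
ipaNTSecurityIdentifier: S-1-5-21-1187620393-3629609531-1738010010
cn: my.ipa.subdomain
ipaNTFlatName: IPA

# search result
search: 2
result: 0 Success

# numResponses: 3
# numEntries: 2
"""


def parse_ldif(text):
    """Parse ldapsearch LDIF into a list of {attr_lowercase: [values]} dicts."""
    text = re.sub(r"\r?\n ", "", text)          # unfold continuation lines
    entries, current = [], {}
    for line in text.splitlines() + [""]:       # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):                # LDIF comment
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):               # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    return entries


def conflict_rdns(dn):
    """Return the RDNs that are multi-valued and carry an nsuniqueid component."""
    found = []
    for rdn in re.split(r"(?<!\\),", dn):       # split on unescaped commas
        parts = [p.strip().lower() for p in re.split(r"(?<!\\)\+", rdn)]
        if len(parts) > 1 and any(p.startswith("nsuniqueid=") for p in parts):
            found.append(rdn.strip())
    return found


def audit_domain_entries(ldif_text):
    """Describe every ipaNTDomainAttrs entry found in the LDIF."""
    report = []
    for entry in parse_ldif(ldif_text):
        classes = [c.lower() for c in entry.get("objectclass", [])]
        if "dn" not in entry or "ipantdomainattrs" not in classes:
            continue                            # skips the "search:/result:" trailer
        dn = entry["dn"][0]
        report.append({
            "dn": dn,
            "sid": entry.get("ipantsecurityidentifier", [None])[0],
            "flat_name": entry.get("ipantflatname", [None])[0],
            "has_fallback_group": "ipantfallbackprimarygroup" in entry,
            "conflict_rdns": conflict_rdns(dn),
        })
    return report


def summarize(report):
    """Condense the report into the facts relevant to the ipasam check."""
    return {
        "entries": len(report),
        "single_entry": len(report) == 1,       # ipasam expects exactly one
        "distinct_sids": sorted({r["sid"] for r in report if r["sid"]}),
        "under_conflict_rdn": [r["dn"] for r in report if r["conflict_rdns"]],
    }


if __name__ == "__main__":
    rep = audit_domain_entries(SAMPLE_LDIF)
    for r in rep:
        mark = "conflict-style DN" if r["conflict_rdns"] else "plain DN"
        print(f"{r['sid']}  {mark}  fallback_group={r['has_fallback_group']}  {r['dn']}")
    print(summarize(rep))
```

An entry count other than one is the condition the ipasam log line in the message reports ("Got [2] domain info entries, but expected only 1").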