Hi,
(adding back the mailing list in CC)

On Tue, Jan 24, 2023 at 6:54 PM Tyler Zang <tyler.j.zang@gmail.com> wrote:
This brings up another "issue" that I am running into, that might be related. To give a quick back story, I am a Windows admin pulled in to support Linux, and thus FreeIPA. So my knowledge is very limited on this stuff.

We have 2 separate FreeIPAs running on our network, as one will be retired soon. I feel like, starting about 2 months ago or so, my newest one (the one this post is about) started to fail booting up because "smb" and "winbind" would not start. I had to use the --ignore-service-failure to get FreeIPA to start, which would let everything else start except those two services. I don't recall the previous admin having samba or winbind purposely installed, so I suspected maybe a monthly update installed it or something. I checked my other instance and it does not have those services installed, so IPA starts up without those services. So I was looking last week on how to stop FreeIPA from trying to boot those two services. As of now, I just let those fail.
If the server is configured as a trust controller (i.e. you ran ipa-adtrust-install), then it's expected that smb and winbind are running.
 

This FreeIPA does have a trust with AD, trusting the forest, but it is not "joined" (net ads join) to my domain, which is why winbind and smb break (I think). I open up the web GUI and go to Network Services > Trusts and see my domains. The "old" FreeIPA does not even have the Trusts submenu. Neither shows up in ADUC.

So now it sounds like this trust issue might be potentially affecting this upgrade. I am tempted to just join it into AD and see what happens.
No, an IPA machine cannot join an AD domain. You can ask for help on this mailing list for troubleshooting the smb/winbind issues. If you provide additional logs, I'm sure someone will be able to help.

flo 

On Tue, Jan 24, 2023 at 4:59 AM Florence Blanc-Renaud <flo@redhat.com> wrote:
Hi,

On Mon, Jan 23, 2023 at 7:58 PM Ty zang via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
Thanks for the information. I will treat that as a false positive. The error is failing due to something not found (no such file or directory) and the only other error that stands out to me is maybe this... (airgapped, so I can't just post the log, sadly)

args=/usr/bin/net -s /dev/null groupmap add sid=S-5-1-5-32-546 unixgroup=nobody type=builtin
process execution failed
destroyed connection context.ldap2_ (bunch of #)
upgrade failed with [Errno 2] no such file or directory.

Does this file /usr/bin/net exist? It should be installed with the package samba-common-tools, which is required by ipa-server-trust-ad. This code should be executed only if adtrust is installed; is this your case?
flo

So maybe this is a missing account or something? Any suggestion on what to look for regarding LDAP? I'll google this to see what comes up.


--
Regards,
Tyler Zang