Hi,
(adding back the mailing list in CC)
On Tue, Jan 24, 2023 at 6:54 PM Tyler Zang <tyler.j.zang(a)gmail.com> wrote:
> This brings up another "issue" that I am running into, that might be
> related. To give a quick back story, I am a Windows admin pulled into
> support Linux, and thus FreeIPA. So my knowledge is very limited on this
> stuff.
> We have 2 separate FreeIPAs running on our network, as one will be
> retired soon. I feel like, starting about 2 months ago or so, my newest one
> (the one this post is about) started to fail booting up because "smb"
> and "winbind" would not start. I had to use the --ignore-service-failure to
> get freeipa to start which would let everything else start except those two
> services. I don't recall the previous admin having samba or winbind
> purposely installed so I suspected maybe a monthly update installed it or
> something. I checked my other instance and it does not have those services
> installed, so ipa starts up without those services. So I was looking last
> week on how to stop freeipa from trying to boot those two services. As of
> now, I just let those fail.

If the server is configured as a trust controller (i.e. you ran
ipa-adtrust-install), then it's expected that smb and winbind are running.

> This FreeIPA does have a trust with AD, trusting the forest, but it is not
> "joined" (net ads join) to my domain, which is why winbind and smb break
> (I think). I open up the web GUI and go to the network services > Trusts
> and see my domains. The "old" freeipa does not even have the trust submenu.
> Neither show up in ADUC.
> So now it sounds like this trust issue might be potentially affecting this
> upgrade. I am tempted to just join it into AD and see what happens.

No, an IPA machine cannot join an AD domain. You can ask for help on this
mailing list for troubleshooting the smb/winbind issues; if you provide
additional logs I'm sure someone will be able to help.
flo
On Tue, Jan 24, 2023 at 4:59 AM Florence Blanc-Renaud <flo(a)redhat.com>
wrote:
> Hi,
>
> On Mon, Jan 23, 2023 at 7:58 PM Ty zang via FreeIPA-users <
> freeipa-users(a)lists.fedorahosted.org> wrote:
>
>> Thanks for the information. I will treat that as a false positive. The
>> error is failing due to something not found (no such file or directory) and
>> the only other error that stands out to me is maybe this.. (airgapped so I
>> can't just post the log sadly)
>>
>> args=/usr/bin/net -s /dev/null groupmap add sid=S-5-1-5-32-546
>> unixgroup=nobody type=builtin
>> process execution failed
>> destroyed connection context.ldap2_ (bunch of #)
>> upgrade failed with [Errno 2] no such file or directory.
>>
> Does this file /usr/bin/net exist? It should be installed with the
> package samba-common-tools, that is required by ipa-server-trust-ad. This
> code should be executed only if adtrust is installed, is this your case?
> flo
>
>> So maybe this is a missing account or something? Any suggestion on what
>> to look for regarding ldap? I'll google this to see what comes up
--
Regards,
Tyler Zang