Thanks Florence,

I ran ipa-adtrust-install again, but this time with the `--debug` option, but I don't really see the reason for the error:
[12/25]: adding RID bases
ipaserver.install.adtrustinstance: DEBUG
[LDAPEntry(ipapython.dn.DN('cn=IPA.MYDOMAIN_id_range,cn=ranges,cn=etc,dc=ipa,dc=mydomain'),
{'ipaSecondaryBaseRID': [b'100000000'], 'ipaBaseRID':
['0'], 'objectClass': [b'top', b'ipaIDrange',
b'ipaDomainIDRange'], 'cn': [b'IPA.MYDOMAIN_id_range'],
'ipaBaseID': [b'1987000000'], 'ipaIDRangeSize':
[b'200000'], 'ipaRangeType': [b'ipa-local']})]
ipaserver.install.adtrustinstance: DEBUG []
ipaserver.install.service: DEBUG RID bases already set, nothing to do
RID bases already set, nothing to do
ipaserver.install.service: DEBUG step duration: smb __add_rid_bases 0.00 sec
ipaserver.install.service: DEBUG [13/25]: updating Kerberos config
[13/25]: updating Kerberos config
ipaserver.install.service: DEBUG 'dns_lookup_kdc' already set to
'true', nothing to do.
'dns_lookup_kdc' already set to 'true', nothing to do.
ipaserver.install.service: DEBUG step duration: smb __update_krb5_conf 0.00 sec
ipaserver.install.service: DEBUG [14/25]: activating CLDAP plugin
[14/25]: activating CLDAP plugin
ipaserver.install.service: DEBUG CLDAP plugin already configured, nothing to do
CLDAP plugin already configured, nothing to do
ipaserver.install.service: DEBUG step duration: smb __add_cldap_module 0.00 sec
ipaserver.install.service: DEBUG [15/25]: activating sidgen task
[15/25]: activating sidgen task
ipaserver.install.service: DEBUG Sidgen task plugin already configured, nothing to do
Sidgen task plugin already configured, nothing to do
ipaserver.install.service: DEBUG step duration: smb __add_sidgen_task 0.00 sec
ipaserver.install.service: DEBUG [16/25]: map BUILTIN\Guests to nobody group
[16/25]: map BUILTIN\Guests to nobody group
ipaserver.install.adtrustinstance: DEBUG Map BUILTIN\Guests to a group
'nobody'
ipapython.ipautil: DEBUG Starting external process
ipapython.ipautil: DEBUG args=['/usr/bin/net', '-s',
'/dev/null', 'groupmap', 'add', 'sid=S-1-5-32-546',
'unixgroup=nobody', 'type=builtin']
ipapython.ipautil: DEBUG Process finished, return code=255
ipapython.ipautil: DEBUG stdout=Unix group nobody already mapped to SID S-1-5-32-546
ipapython.ipautil: DEBUG stderr=
ipaserver.install.service: DEBUG step duration: smb __map_Guests_to_nobody 0.07 sec
ipaserver.install.service: DEBUG [17/25]: configuring smbd to start on boot
[17/25]: configuring smbd to start on boot
ipapython.ipautil: DEBUG Starting external process
ipapython.ipautil: DEBUG args=['/bin/systemctl', 'is-enabled',
'smb.service']
ipapython.ipautil: DEBUG Process finished, return code=1
ipapython.ipautil: DEBUG stdout=disabled
ipapython.ipautil: DEBUG stderr=
ipalib.sysrestore: DEBUG Loading StateFile from
'/var/lib/ipa/sysrestore/sysrestore.state'
ipalib.sysrestore: DEBUG Saving StateFile to
'/var/lib/ipa/sysrestore/sysrestore.state'
ipapython.ipautil: DEBUG Starting external process
ipapython.ipautil: DEBUG args=['/bin/systemctl', 'unmask',
'smb.service']
ipapython.ipautil: DEBUG Process finished, return code=0
ipapython.ipautil: DEBUG stdout=
ipapython.ipautil: DEBUG stderr=
ipapython.ipautil: DEBUG Starting external process
ipapython.ipautil: DEBUG args=['/bin/systemctl', 'disable',
'smb.service']
ipapython.ipautil: DEBUG Process finished, return code=0
ipapython.ipautil: DEBUG stdout=
ipapython.ipautil: DEBUG stderr=
ipapython.ipaldap: DEBUG update_entry modlist [(0, 'ipaconfigstring',
[b'configuredService'])]
ipaserver.install.service: DEBUG service ADTRUST has all config values set
ipapython.ipautil: DEBUG Starting external process
ipapython.ipautil: DEBUG args=['/bin/systemctl', 'unmask',
'smb.service']
ipapython.ipautil: DEBUG Process finished, return code=0
ipapython.ipautil: DEBUG stdout=
ipapython.ipautil: DEBUG stderr=
ipapython.ipautil: DEBUG Starting external process
ipapython.ipautil: DEBUG args=['/bin/systemctl', 'disable',
'smb.service']
ipapython.ipautil: DEBUG Process finished, return code=0
ipapython.ipautil: DEBUG stdout=
ipapython.ipautil: DEBUG stderr=
ipapython.ipaldap: DEBUG update_entry modlist [(0, 'ipaconfigstring',
[b'configuredService'])]
ipaserver.install.service: DEBUG service EXTID has all config values set
ipaserver.install.service: DEBUG step duration: smb __enable 1.58 sec
ipaserver.install.service: DEBUG [18/25]: enabling trusted domains support for older
clients via Schema Compatibility plugin
[18/25]: enabling trusted domains support for older clients via Schema Compatibility
plugin
ipaserver.install.service: DEBUG step duration: smb __enable_compat_tree 0.00 sec
ipaserver.install.service: DEBUG [19/25]: restarting Directory Server to take MS PAC
and LDAP plugins changes into account
[19/25]: restarting Directory Server to take MS PAC and LDAP plugins changes into
account
ipalib.backend: DEBUG Destroyed connection context.ldap2_140433696891056
ipapython.ipautil: DEBUG Starting external process
ipapython.ipautil: DEBUG args=['/bin/systemctl', 'restart',
'dirsrv@IPA-MYDOMAIN.service']
ipapython.ipautil: DEBUG Process finished, return code=0
ipapython.ipautil: DEBUG stdout=
ipapython.ipautil: DEBUG stderr=
ipaplatform.base.services: DEBUG Restart of dirsrv@IPA-MYDOMAIN.service complete
ipalib.backend: DEBUG Created connection context.ldap2_140433696891056
ipaserver.install.service: DEBUG step duration: smb __restart_dirsrv 3.46 sec
ipaserver.install.service: DEBUG [20/25]: adding fallback group
[20/25]: adding fallback group
ipapython.ipaldap: DEBUG flushing ldapi://%2Frun%2Fslapd-IPA-MYDOMAIN.socket from
SchemaCache
ipapython.ipaldap: DEBUG retrieving schema for SchemaCache
url=ldapi://%2Frun%2Fslapd-IPA-MYDOMAIN.socket conn=<ldap.ldapobject.SimpleLDAPObject
object at 0x7fb9440e57e0>
ipaserver.install.service: DEBUG Fallback group already set, nothing to do
Fallback group already set, nothing to do
ipaserver.install.service: DEBUG step duration: smb __add_fallback_group 0.25 sec
ipaserver.install.service: DEBUG [21/25]: adding Default Trust View
[21/25]: adding Default Trust View
ipaserver.install.service: DEBUG Default Trust View already exists.
Default Trust View already exists.
ipaserver.install.service: DEBUG step duration: smb __add_default_trust_view 0.00 sec
ipaserver.install.service: DEBUG [22/25]: setting SELinux booleans
[22/25]: setting SELinux booleans
ipapython.ipautil: DEBUG Starting external process
ipapython.ipautil: DEBUG args=['/usr/sbin/selinuxenabled']
ipapython.ipautil: DEBUG Process finished, return code=0
ipapython.ipautil: DEBUG stdout=
ipapython.ipautil: DEBUG stderr=
ipapython.ipautil: DEBUG Starting external process
ipapython.ipautil: DEBUG args=['/usr/sbin/getsebool',
'samba_portmapper']
ipapython.ipautil: DEBUG Process finished, return code=0
ipapython.ipautil: DEBUG stdout=samba_portmapper --> on
ipapython.ipautil: DEBUG stderr=
ipalib.sysrestore: DEBUG Loading StateFile from
'/var/lib/ipa/sysrestore/sysrestore.state'
ipalib.sysrestore: DEBUG Saving StateFile to
'/var/lib/ipa/sysrestore/sysrestore.state'
ipaserver.install.service: DEBUG step duration: smb __configure_selinux_for_smbd 0.01
sec
ipaserver.install.service: DEBUG [23/25]: starting CIFS services
[23/25]: starting CIFS services
ipapython.ipautil: DEBUG Starting external process
ipapython.ipautil: DEBUG args=['/bin/systemctl', 'start',
'smb.service']
ipapython.ipautil: DEBUG Process finished, return code=1
ipapython.ipautil: DEBUG stdout=
ipapython.ipautil: DEBUG stderr=Job for smb.service failed because the control process
exited with error code.
See "systemctl status smb.service" and "journalctl -xeu smb.service"
for details.
ipaserver.install.adtrustinstance: CRITICAL CIFS services failed to start
ipaserver.install.service: DEBUG step duration: smb __start 0.12 sec
ipaserver.install.service: DEBUG [24/25]: adding SIDs to existing users and groups
[24/25]: adding SIDs to existing users and groups
ipapython.ipautil: DEBUG Starting external process
ipapython.ipautil: DEBUG args=['/usr/bin/ldapmodify', '-v',
'-f', '/tmp/tmp5rp8yzq6', '-H',
'ldapi://%2Frun%2Fslapd-IPA-MYDOMAIN.socket', '-Y', 'EXTERNAL']
ipapython.ipautil: DEBUG Process finished, return code=1
ipapython.ipautil: DEBUG stdout=add objectClass:
top
extensibleObject
add cn:
sidgen
add nsslapd-basedn:
dc=ipa,dc=mydomain
add delay:
0
adding new entry "cn=sidgen,cn=ipa-sidgen-task,cn=tasks,cn=config"
ipapython.ipautil: DEBUG stderr=ldap_initialize(
ldapi://%2Frun%2Fslapd-IPA-MYDOMAIN.socket/??base )
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
ldap_add: Operations error (1)
ipaserver.install.service: CRITICAL Failed to load ipa-sidgen-task-run.ldif:
CalledProcessError(Command ['/usr/bin/ldapmodify', '-v', '-f',
'/tmp/tmp5rp8yzq6', '-H',
'ldapi://%2Frun%2Fslapd-IPA-MYDOMAIN.socket', '-Y', 'EXTERNAL']
returned non-zero exit status 1: 'ldap_initialize(
ldapi://%2Frun%2Fslapd-IPA-MYDOMAIN.socket/??base )\nSASL/EXTERNAL authentication
started\nSASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth\nSASL SSF:
0\nldap_add: Operations error (1)\n')
ipaserver.install.adtrustinstance: WARNING Exception occured during SID generation:
CalledProcessError(Command ['/usr/bin/ldapmodify', '-v', '-f',
'/tmp/tmp5rp8yzq6', '-H',
'ldapi://%2Frun%2Fslapd-IPA-MYDOMAIN.socket', '-Y', 'EXTERNAL']
returned non-zero exit status 1: 'ldap_initialize(
ldapi://%2Frun%2Fslapd-IPA-MYDOMAIN.socket/??base )\nSASL/EXTERNAL authentication
started\nSASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth\nSASL SSF:
0\nldap_add: Operations error (1)\n')
ipaserver.install.service: DEBUG step duration: smb __add_sids 0.01 sec
ipaserver.install.service: DEBUG [25/25]: restarting smbd
[25/25]: restarting smbd
ipaserver.install.service: DEBUG step duration: smb __restart_smb 0.00 sec
ipaserver.install.service: DEBUG Done configuring CIFS.
Done configuring CIFS.
In the slapd log, I see this:
[04/Apr/2022:20:07:54.828098373 +0200] - ERR - attrcrypt_init - All prepared ciphers are
not available. Please disable attribute encryption.
[04/Apr/2022:20:07:54.844695320 +0200] - ERR - schema-compat-plugin - scheduled
schema-compat-plugin tree scan in about 5 seconds after the server startup!
[04/Apr/2022:20:07:54.856522312 +0200] - WARN - NSACLPlugin - acl_parse - The ACL target
cn=groups,cn=compat,dc=ipa,dc=mydomain does not exist
[04/Apr/2022:20:07:54.856929472 +0200] - WARN - NSACLPlugin - acl_parse - The ACL target
cn=computers,cn=compat,dc=ipa,dc=mydomain does not exist
[04/Apr/2022:20:07:54.857286367 +0200] - WARN - NSACLPlugin - acl_parse - The ACL target
cn=ng,cn=compat,dc=ipa,dc=mydomain does not exist
[04/Apr/2022:20:07:54.857672999 +0200] - WARN - NSACLPlugin - acl_parse - The ACL target
ou=sudoers,dc=ipa,dc=mydomain does not exist
[04/Apr/2022:20:07:54.858007707 +0200] - WARN - NSACLPlugin - acl_parse - The ACL target
cn=users,cn=compat,dc=ipa,dc=mydomain does not exist
[04/Apr/2022:20:07:54.858348091 +0200] - WARN - NSACLPlugin - acl_parse - The ACL target
cn=vaults,cn=kra,dc=ipa,dc=mydomain does not exist
[04/Apr/2022:20:07:54.858638364 +0200] - WARN - NSACLPlugin - acl_parse - The ACL target
cn=vaults,cn=kra,dc=ipa,dc=mydomain does not exist
[04/Apr/2022:20:07:54.858950689 +0200] - WARN - NSACLPlugin - acl_parse - The ACL target
cn=vaults,cn=kra,dc=ipa,dc=mydomain does not exist
[04/Apr/2022:20:07:54.859255492 +0200] - WARN - NSACLPlugin - acl_parse - The ACL target
cn=vaults,cn=kra,dc=ipa,dc=mydomain does not exist
[04/Apr/2022:20:07:54.859553514 +0200] - WARN - NSACLPlugin - acl_parse - The ACL target
cn=vaults,cn=kra,dc=ipa,dc=mydomain does not exist
[04/Apr/2022:20:07:54.859861969 +0200] - WARN - NSACLPlugin - acl_parse - The ACL target
cn=vaults,cn=kra,dc=ipa,dc=mydomain does not exist
[04/Apr/2022:20:07:54.860156797 +0200] - WARN - NSACLPlugin - acl_parse - The ACL target
cn=vaults,cn=kra,dc=ipa,dc=mydomain does not exist
[04/Apr/2022:20:07:54.860440335 +0200] - WARN - NSACLPlugin - acl_parse - The ACL target
cn=vaults,cn=kra,dc=ipa,dc=mydomain does not exist
[04/Apr/2022:20:07:54.860731517 +0200] - WARN - NSACLPlugin - acl_parse - The ACL target
cn=vaults,cn=kra,dc=ipa,dc=mydomain does not exist
[04/Apr/2022:20:07:54.861042554 +0200] - WARN - NSACLPlugin - acl_parse - The ACL target
cn=vaults,cn=kra,dc=ipa,dc=mydomain does not exist
[04/Apr/2022:20:07:54.861348651 +0200] - WARN - NSACLPlugin - acl_parse - The ACL target
cn=vaults,cn=kra,dc=ipa,dc=mydomain does not exist
[04/Apr/2022:20:07:54.868233352 +0200] - WARN - NSACLPlugin - acl_parse - The ACL target
cn=casigningcert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=ipa,dc=mydomain does not
exist
[04/Apr/2022:20:07:54.868647453 +0200] - WARN - NSACLPlugin - acl_parse - The ACL target
cn=casigningcert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=ipa,dc=mydomain does not
exist
[04/Apr/2022:20:07:54.985338170 +0200] - WARN - NSACLPlugin - acl_parse - The ACL target
cn=automember rebuild membership,cn=tasks,cn=config does not exist
[04/Apr/2022:20:07:54.989418976 +0200] - INFO - slapi_vattrspi_regattr - Because
krbPwdPolicyReference is a new registered virtual attribute , nsslapd-ignore-virtual-attrs
was set to 'off'
[04/Apr/2022:20:07:54.990156062 +0200] - ERR - cos-plugin - cos_dn_defs_cb - Skipping CoS
Definition cn=Password Policy,cn=accounts,dc=ipa,dc=mydomain--no CoS Templates found,
which should be added before the CoS Definition.
[04/Apr/2022:20:07:55.034170781 +0200] - ERR - schema-compat-plugin - schema-compat-plugin
tree scan will start in about 5 seconds!
[04/Apr/2022:20:07:55.037033585 +0200] - INFO - slapd_daemon - slapd started. Listening
on All Interfaces port 389 for LDAP requests
[04/Apr/2022:20:07:55.037335986 +0200] - INFO - slapd_daemon - Listening on All Interfaces
port 636 for LDAPS requests
[04/Apr/2022:20:07:55.037547183 +0200] - INFO - slapd_daemon - Listening on
/var/run/slapd-IPA-MYDOMAIN.socket for LDAPI requests
[04/Apr/2022:20:07:55.442844902 +0200] - ERR - get_ranges - [file ipa_sidgen_common.c,
line 276]: Failed to convert LDAP entry to range struct.
[04/Apr/2022:20:07:55.443441310 +0200] - ERR - sidgen_task_add - [file ipa_sidgen_task.c,
line 283]: Cannot find ranges.
[04/Apr/2022:20:07:55.443923241 +0200] - ERR - ipa_sidgen_add_post_op - [file
ipa_sidgen.c, line 128]: Missing target entry.
[04/Apr/2022:20:08:00.047149067 +0200] - ERR - schema-compat-plugin - warning: no entries
set up under cn=ng, cn=compat,dc=ipa,dc=mydomain
[04/Apr/2022:20:08:00.054062694 +0200] - ERR - schema-compat-plugin - warning: no entries
set up under cn=computers, cn=compat,dc=ipa,dc=mydomain
[04/Apr/2022:20:08:00.055120875 +0200] - ERR - schema-compat-plugin - Finished plugin
initialization.
Does it point to something?
Best,
Francis