Hi,
I'm trying to configure ad trust on a freshly installed FreeIPA server 4.4.0 running on an up-to-date instance of CentOS 7 (1611). The ipa-adtrust-install command fails at step 17 (failed to add fallback group). As a consequence, Samba cannot be started and AD trusts can't be established.
Here is an excerpt of the install log:
````
# ipa-adtrust-install --netbios-name=PEP06-IPA --add-sids --enable-compat
(...)
2017-06-01T13:49:29Z DEBUG [18/23]: adding fallback group
2017-06-01T13:49:29Z DEBUG flushing ldapi://%2fvar%2frun%2fslapd-IPA-PEP06-FR.socket from SchemaCache
2017-06-01T13:49:29Z DEBUG retrieving schema for SchemaCache url=ldapi://%2fvar%2frun%2fslapd-IPA-PEP06-FR.socket conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x62107a0>
2017-06-01T13:49:30Z DEBUG Starting external process
2017-06-01T13:49:30Z DEBUG args=/usr/bin/ldapmodify -v -f /tmp/tmpyj5xIJ -H ldapi://%2fvar%2frun%2fslapd-IPA-PEP06-FR.socket -Y EXTERNAL
2017-06-01T13:49:30Z DEBUG Process finished, return code=1
2017-06-01T13:49:30Z DEBUG stdout=add cn: Default SMB Group
add description: Fallback group for primary group RID, do not add users to this group
add gidnumber: -1
add objectclass: top ipaobject posixgroup
adding new entry "cn=Default SMB Group,cn=groups,cn=accounts,dc=ipa,dc=pep06,dc=fr"
2017-06-01T13:49:30Z DEBUG stderr=ldap_initialize( ldapi://%2Fvar%2Frun%2Fslapd-IPA-PEP06-FR.socket/??base )
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
ldap_add: Operations error (1)
additional info: Allocation of a new value for range cn=posix ids,cn=distributed numeric assignment plugin,cn=plugins,cn=config failed! Unable to proceed.
2017-06-01T13:49:30Z CRITICAL Failed to load default-smb-group.ldif: Command '/usr/bin/ldapmodify -v -f /tmp/tmpyj5xIJ -H ldapi://%2fvar%2frun%2fslapd-IPA-PEP06-FR.socket -Y EXTERNAL' returned non-zero exit status 1
2017-06-01T13:49:30Z DEBUG Failed to add fallback group.
2017-06-01T13:49:30Z DEBUG duration: 0 seconds
(...)
````
In the end, Samba logically fails to start with the following error:
````
Missing mandatory attribute ipaNTFallbackPrimaryGroup.
````
I ran the same command one week ago on another server and had no issue. Does anybody have an idea about what to do to make it work?

Thanks,

Marin BERNARD
Systems Administrator
Pupilles de l’Enseignement Public 06
35 boulevard de la Madeleine — 06300 Nice
marin.bernard[at]pep06.fr

On Thu, Jun 01, 2017 at 04:41:52PM +0000, Marin BERNARD via FreeIPA-users wrote:
> Hi,
>
> I'm trying to configure ad trust on a freshly installed FreeIPA server 4.4.0 running on an up-to-date instance of CentOS 7 (1611). The ipa-adtrust-install command fails at step 17 (failed to add fallback group). As a consequence, Samba cannot be started and AD trusts can't be established.
>
> Here is an excerpt of the install log:
>
> # ipa-adtrust-install --netbios-name=PEP06-IPA --add-sids --enable-compat
> (...)
> 2017-06-01T13:49:29Z DEBUG [18/23]: adding fallback group
> 2017-06-01T13:49:29Z DEBUG flushing ldapi://%2fvar%2frun%2fslapd-IPA-PEP06-FR.socket from SchemaCache
> 2017-06-01T13:49:29Z DEBUG retrieving schema for SchemaCache url=ldapi://%2fvar%2frun%2fslapd-IPA-PEP06-FR.socket conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x62107a0>
> 2017-06-01T13:49:30Z DEBUG Starting external process
> 2017-06-01T13:49:30Z DEBUG args=/usr/bin/ldapmodify -v -f /tmp/tmpyj5xIJ -H ldapi://%2fvar%2frun%2fslapd-IPA-PEP06-FR.socket -Y EXTERNAL
> 2017-06-01T13:49:30Z DEBUG Process finished, return code=1
> 2017-06-01T13:49:30Z DEBUG stdout=add cn: Default SMB Group
> add description: Fallback group for primary group RID, do not add users to this group
> add gidnumber: -1
> add objectclass: top ipaobject posixgroup
> adding new entry "cn=Default SMB Group,cn=groups,cn=accounts,dc=ipa,dc=pep06,dc=fr"
> 2017-06-01T13:49:30Z DEBUG stderr=ldap_initialize( ldapi://%2Fvar%2Frun%2Fslapd-IPA-PEP06-FR.socket/??base )
> SASL/EXTERNAL authentication started
> SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
> SASL SSF: 0
> ldap_add: Operations error (1)
> additional info: Allocation of a new value for range cn=posix ids,cn=distributed numeric assignment plugin,cn=plugins,cn=config failed! Unable to proceed.

The DNA plugin (used to generate new UIDs and GIDs) has some issues. Maybe https://blog-rcritten.rhcloud.com/?p=50 can help?
If the DNA plugin works again you can run ipa-adtrust-install which then should properly generate the fallback group.
HTH
bye, Sumit
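A way to check the state of the DNA range named in the error above, as an added example that is not part of the original thread. The function names `dna_failed_range` and `dna_range_state` are hypothetical, the sample values in the comments are constructed, and reading `dnaNextValue` greater than `dnaMaxValue` as "no free values in the local range" is this example's assumption.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# Pull the DN of the failing DNA range out of ipa-adtrust-install log text (stdin).
dna_failed_range() {
    sed -n 's/.*Allocation of a new value for range \(.*\) failed!.*/\1/p'
}

# Read the LDIF of a DNA range entry on stdin and print one of:
#   unset       dnaNextValue or dnaMaxValue is missing
#   exhausted   dnaNextValue is above dnaMaxValue (assumed: nothing left to allocate)
#   free:<n>    n values are still available locally
dna_range_state() {
    awk -F': *' '
        tolower($1) == "dnanextvalue" { next_v = $2; have_n = 1 }
        tolower($1) == "dnamaxvalue"  { max_v  = $2; have_m = 1 }
        END {
            if (!have_n || !have_m)     { print "unset"; exit }
            if (next_v + 0 > max_v + 0) { print "exhausted"; exit }
            printf "free:%d\n", max_v - next_v + 1
        }'
}

# Live use on the IPA server, as root (ldapi with SASL EXTERNAL, as in the log):
#   ldapsearch -LLL -Y EXTERNAL \
#     -H ldapi://%2fvar%2frun%2fslapd-IPA-PEP06-FR.socket -s base \
#     -b "cn=posix ids,cn=distributed numeric assignment plugin,cn=plugins,cn=config" \
#     dnaNextValue dnaMaxValue | dna_range_state
#
# Constructed sample input and the result it gives:
#   dnaNextValue: 1000005
#   dnaMaxValue: 1000999      -> free:995
```

`ipa-replica-manage dnarange-show` lists the range each master currently holds, which helps when the local entry reports `exhausted` or `unset`.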