AccountProvider_Error_82 stopping everything!

activedirectory
v7

(Mjbbus) #1

NethServer release 7.4.1708 / Accounts Provider / Users

I have been playing with NethServer on and off for a few weeks. I kept getting the account provider 82 error when going to the users and groups config, so today I have tried a few clean installs but to no result.

The most basic version I did was an interactive install with a really short domain name “locald” and setting the root password. After the initial setup steps, once logged into the server page, I did the software updates, made the network IP fixed and then installed local active directory.

ad.local.com
WORKGROUP for the NetBIOS name as I need Windows PCs to join (I have tried leaving this as default but that didn’t help)
10.1.1.22 for the domain controller address.

The AD setup shows successfully installed, but when I go to set up users, it can’t, as it reports the AccountsProvider_Error_82.

I don’t know if it’s related but when I go to “Domain Accounts” in the Status area it says “Could not connect to accounts provider!”

I have searched Google and this forum; the solution for this for another person was a disparity between the hardware clock and the server clock. I have checked that and they are the same.

I’m using a Thinkpad L530 laptop.

Please Help!


(Markus Neuberger) #2

Hi @Mjbbus,

did you follow these steps for AD installation?

http://docs.nethserver.org/en/v7/accounts.html#samba-active-directory-local-provider-installation

You may try to uninstall/reinstall the Account Provider:


(Mjbbus) #3

Hi, yes, followed to the letter. Have also uninstalled and re-installed the Account Provider numerous times.


(Mjbbus) #4

Is there any documentation or knowledge on what this error actually means?


(Davide Principi) #5

No, ATM. Could you see any relevant error message in /var/log/messages?

Please, open a root shell and paste also the output of

config show sssd
config show nsdc
account-provider-test dump
/usr/libexec/nethserver/list-users >/dev/null; echo $?

(Mjbbus) #6

I looked through every log file that looked like it could be relevant and couldn’t see anything unfortunately.

sssd=service
addns=10.1.1.21
BindDN=ldapservice@AD.LOCALD.COM
BindPassword=dAk_r1gBjP8EQNYv
LdapURI=
Provider=ad
Realm=AD.LOCALD.COM
workgroup=WORKGROUP
status=enabled

nsdc=service
IpAddress=10.1.1.22
ProvisionType=newdomain
bridge=
status=enabled

test dump:
“BindDN” : "ldapservice@AD.LOCALD.COM",
“LdapURI : :ldaps://ad.locald.com”,
StartTIs" : “”,
“port” : 636,
“host” : “ad.locald…com”
(------the extra dots are so that it isn’t a link(limited to 2, same for first line next section))
"isAD : "1"
“isLDap” : “”,
“UserDN : “dc=ad,dc=locald,dc=com”,
“GroupDN” : “dc=ad,dc=locald,dc=com”,
“BindPassword” : “dAk_r1gBjP8EQNYv”,
BaseDN” : “dc=ad,dc=locald,dc=com”,
“LdapUriDn” : “ldap:///dc%3Dad%2Cdc%3Dlocald%2Cdc%3Dcom”

4th line:

kinit: Client “LOCALSHOST$AD.LOCALD…COM” not found in kerberos database while getting initial credentials (82) GSSAPI Error (init): Unspecified GSS failure. Minor code may provide more information
No kerberos credentials available (default cache: /tmp/krb5cc_0)
82


(Davide Principi) #7

This should be bridge=br0 or similar. Probably there was a problem with the network bridge creation. Paste also the output of

 db networks show
 ip addr
 systemctl status nsdc

Please look in past log files /var/log/messages-*. Look up nethserver-dc-create-bridge: there can be useful information near that. Any ERROR or FAIL string?

Once we understand the cause of the problem you’ll need to uninstall/reinstall the AD local provider.


(Mjbbus) #8

Well, I learned something new today. Yesterday I ran the commands on the actual PC and typed the result into this. Today I found PuTTY and can do it from my laptop.


br0=bridge
gateway=10.1.1.1
upaddre=10.1.1.173
netmask-255.255.225.0
role=green
emp12s0=ethernet
FwInbandwidth=
FwOutBandwidth=
bridge=br0
role=bridged
ppp0=xdsl-disabled
AuthType=Auto
FwInBandwidth=
FwOutBadwidth=
Password=
name=PPPoE
provider=xDSL provider
role=red
user=
wlp60=ethernet
role=


1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: enp12s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master br0 state UP qlen 1000
    link/ether 3c:97:0e:d2:dd:1a brd ff:ff:ff:ff:ff:ff
    inet6 fe80::3e97:eff:fed2:dd1a/64 scope link
       valid_lft forever preferred_lft forever
3: wlp6s0: <BROADCAST,MULTICAST> mtu 1500 qdisc mq state DOWN qlen 1000
    link/ether e0:9d:31:13:fd:1c brd ff:ff:ff:ff:ff:ff
4: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    link/ether 3c:97:0e:d2:dd:1a brd ff:ff:ff:ff:ff:ff
    inet 10.1.1.173/24 brd 10.1.1.255 scope global br0
       valid_lft forever preferred_lft forever
    inet6 fd31:5daf:d54d:0:3e97:eff:fed2:dd1a/64 scope global mngtmpaddr dynamic
       valid_lft forever preferred_lft forever
    inet6 fe80::3e97:eff:fed2:dd1a/64 scope link
       valid_lft forever preferred_lft forever
5: vb-nsdc@if2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br0 state UP qlen 1000
    link/ether 7e:28:82:65:1a:5f brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet6 fe80::7c28:82ff:fe65:1a5f/64 scope link
       valid_lft forever preferred_lft forever

nsdc.service - NethServer Domain Controller container
Loaded: loaded (/usr/lib/systemd/system/nsdc.service; enabled; vendor preset: disabled)
Active: active (running) since Tue 2018-04-10 12:18:55 AEST; 20h ago
Docs: man:systemd-nspawn(1)
Main PID: 1340 (systemd-nspawn)
Status: "Container running."
Tasks: 29
Memory: 185.1M
CGroup: /machine.slice/nsdc.service
├─1340 /usr/bin/systemd-nspawn --quiet --keep-unit --boot --network-bridge=br0 --machine=nsdc --capability=CAP_SYS_TIME
├─1341 /usr/lib/systemd/systemd
└─system.slice
├─samba.service
│ ├─1617 /usr/sbin/samba -i --debug-stderr
│ ├─1788 /usr/sbin/samba -i --debug-stderr
│ ├─1789 /usr/sbin/samba -i --debug-stderr
│ ├─1790 /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground
│ ├─1791 /usr/sbin/samba -i --debug-stderr
│ ├─1792 /usr/sbin/samba -i --debug-stderr
│ ├─1793 /usr/sbin/samba -i --debug-stderr
│ ├─1794 /usr/sbin/samba -i --debug-stderr
│ ├─1795 /usr/sbin/samba -i --debug-stderr
│ ├─1796 /usr/sbin/samba -i --debug-stderr
│ ├─1797 /usr/sbin/samba -i --debug-stderr
│ ├─1798 /usr/sbin/samba -i --debug-stderr
│ ├─1799 /usr/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
│ ├─1800 /usr/sbin/samba -i --debug-stderr
│ ├─1801 /usr/sbin/samba -i --debug-stderr
│ ├─1802 /usr/sbin/samba -i --debug-stderr
│ ├─1831 /usr/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
│ ├─1832 /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground
│ ├─1833 /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground
│ ├─1836 /usr/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
│ ├─1837 /usr/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
│ └─1838 /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground
├─console-getty.service
│ └─1611 /sbin/agetty --noclear --keep-baud console 115200 38400 9600 vt220
├─dbus.service
│ └─1596 /bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation
├─systemd-logind.service
│ └─1594 /usr/lib/systemd/systemd-logind
├─ntpd.service
│ └─1612 /usr/sbin/ntpd -u ntp:ntp -g
└─systemd-journald.service
└─1556 /usr/lib/systemd/systemd-journald

Apr 10 12:19:01 localhost.locald.com systemd-nspawn[1340]: [  OK  ] Started Network Service.
Apr 10 12:19:01 localhost.locald.com systemd-nspawn[1340]: [  OK  ] Reached target Network.
Apr 10 12:19:01 localhost.locald.com systemd-nspawn[1340]: [  OK  ] Started Samba domain controller daemon.
Apr 10 12:19:01 localhost.locald.com systemd-nspawn[1340]: Starting Samba domain controller daemon...
Apr 10 12:19:01 localhost.locald.com systemd-nspawn[1340]: [  OK  ] Reached target Multi-User System.
Apr 10 12:19:01 localhost.locald.com systemd-nspawn[1340]: [  OK  ] Reached target Graphical Interface.
Apr 10 12:19:01 localhost.locald.com systemd-nspawn[1340]: Starting Update UTMP about System Runlevel Changes...
Apr 10 12:19:01 localhost.locald.com systemd-nspawn[1340]: [  OK  ] Started Update UTMP about System Runlevel Changes.
Apr 10 12:19:03 localhost.locald.com systemd-nspawn[1340]: CentOS Linux 7 (Core)
Apr 10 12:19:03 localhost.locald.com systemd-nspawn[1340]: Kernel 3.10.0-693.21.1.el7.x86_64 on an x86_64

I read through the log from system build: registering the hardware, initial startup, then restarts, software updates and package installations. Everything was virtually perfect, all success not fail except a few odd messages below (up to 12:58).

Then I think I hit the active directory install and lots of things seem to go wrong; those are the sections below at 13:01. It’s not all that helpful though for me, I can see the result but it doesn’t seem to explain the cause.

Apr  9 12:40:33 localhost esmith::event[4574]: [INFO] service lsm is disabled: skipped

Apr  9 12:57:57 localhost /sbin/e-smith/db[32046]: /var/lib/nethserver/db/configuration: OLD sssd=service|AdDns||LdapURI||Provider|none|Realm|AD.LOCALD.COM|Workgroup||status|disabled
Apr  9 12:57:57 localhost /sbin/e-smith/db[32046]: /var/lib/nethserver/db/configuration: NEW sssd=service|AdDns||LdapURI||Provider|none|Realm|AD.LOCALD.COM|Workgroup|WORKGROUP|status|disabled


Apr  9 12:58:16 localhost S01nethserver-dc-create-bridge: Action: /etc/e-smith/events/interface-update/S61nethserver-dnsmasq-signalsave SUCCESS [0.589248]


Apr  9 12:58:23 localhost kernel: ipt_ULOG: ULOG: fail to register logger.
Apr  9 12:58:23 localhost kernel: ipt_ULOG: ULOG: fail to register logger.


Apr  9 13:01:37 localhost /sbin/e-smith/db[1434]: /var/lib/nethserver/db/configuration: OLD sssd=service|AdDns||LdapURI||Provider|none|Realm|AD.LOCALD.COM|Workgroup|WORKGROUP|status|disabled
Apr  9 13:01:37 localhost /sbin/e-smith/db[1434]: /var/lib/nethserver/db/configuration: NEW sssd=service|AdDns||BindDN|ldapservice@AD.LOCALD.COM|LdapURI||Provider|none|Realm|AD.LOCALD.COM|Workgroup|WORKGROUP|status|disabled
Apr  9 13:01:37 localhost /sbin/e-smith/db[1434]: /var/lib/nethserver/db/configuration: OLD sssd=service|AdDns||BindDN|ldapservice@AD.LOCALD.COM|LdapURI||Provider|none|Realm|AD.LOCALD.COM|Workgroup|WORKGROUP|status|disabled
Apr  9 13:01:37 localhost /sbin/e-smith/db[1434]: /var/lib/nethserver/db/configuration: NEW sssd=service|AdDns||BindDN|ldapservice@AD.LOCALD.COM|BindPassword|dAk_r1gBjP8EQNYv|LdapURI||Provider|none|Realm|AD.LOCALD.COM|Workgroup|WORKGROUP|status|disabled
Apr  9 13:01:37 localhost esmith::event[32091]: Action: /etc/e-smith/events/nethserver-dc-save/S96nethserver-dc-createldapservice SUCCESS [2.715784]
Apr  9 13:01:37 localhost /sbin/e-smith/db[1438]: /var/lib/nethserver/db/configuration: OLD sssd=service|AdDns||BindDN|ldapservice@AD.LOCALD.COM|BindPassword|dAk_r1gBjP8EQNYv|LdapURI||Provider|none|Realm|AD.LOCALD.COM|Workgroup|WORKGROUP|status|disabled
Apr  9 13:01:37 localhost /sbin/e-smith/db[1438]: /var/lib/nethserver/db/configuration: NEW sssd=service|AdDns|10.1.1.21|BindDN|ldapservice@AD.LOCALD.COM|BindPassword|dAk_r1gBjP8EQNYv|LdapURI||Provider|none|Realm|AD.LOCALD.COM|Workgroup|WORKGROUP|status|disabled
Apr  9 13:01:38 localhost /sbin/e-smith/db[1438]: /var/lib/nethserver/db/configuration: OLD sssd=service|AdDns|10.1.1.21|BindDN|ldapservice@AD.LOCALD.COM|BindPassword|dAk_r1gBjP8EQNYv|LdapURI||Provider|none|Realm|AD.LOCALD.COM|Workgroup|WORKGROUP|status|disabled
Apr  9 13:01:38 localhost /sbin/e-smith/db[1438]: /var/lib/nethserver/db/configuration: NEW sssd=service|AdDns|10.1.1.21|BindDN|ldapservice@AD.LOCALD.COM|BindPassword|dAk_r1gBjP8EQNYv|LdapURI||Provider|ad|Realm|AD.LOCALD.COM|Workgroup|WORKGROUP|status|disabled
Apr  9 13:01:38 localhost /sbin/e-smith/db[1438]: /var/lib/nethserver/db/configuration: OLD sssd=service|AdDns|10.1.1.21|BindDN|ldapservice@AD.LOCALD.COM|BindPassword|dAk_r1gBjP8EQNYv|LdapURI||Provider|ad|Realm|AD.LOCALD.COM|Workgroup|WORKGROUP|status|disabled
Apr  9 13:01:38 localhost /sbin/e-smith/db[1438]: /var/lib/nethserver/db/configuration: NEW sssd=service|AdDns|10.1.1.21|BindDN|ldapservice@AD.LOCALD.COM|BindPassword|dAk_r1gBjP8EQNYv|LdapURI||Provider|ad|Realm|AD.LOCALD.COM|Workgroup|WORKGROUP|status|enabled
Apr  9 13:01:38 localhost systemd: Stopping DNS caching server....


Apr  9 13:01:43 localhost esmith::event[32091]: Password for Administrator: See: journalctl REALMD_OPERATION=r1624.1464
Apr  9 13:01:43 localhost esmith::event[32091]: realm: Couldn't join realm: This computer's host name is not set correctly.
Apr  9 13:01:43 localhost esmith::event[32091]: 
Apr  9 13:01:43 localhost esmith::event[32091]: [WARNING] DC join attempt 2 of 3 failed! Wait a few seconds...
Apr  9 13:01:48 localhost realmd: * Resolving: _ldap._tcp.ad.locald.com
Apr  9 13:01:48 localhost realmd: * Performing LDAP DSE lookup on: 10.1.1.21
Apr  9 13:01:48 localhost realmd: * Performing LDAP DSE lookup on: fd31:5daf:d54d:0:1c8b:35ff:fe81:40c0
Apr  9 13:01:48 localhost realmd: * Successfully discovered: ad.locald.com
Apr  9 13:01:48 localhost esmith::event[32091]: Password for Administrator: See: journalctl REALMD_OPERATION=r1629.1472
Apr  9 13:01:48 localhost esmith::event[32091]: realm: Couldn't join realm: This computer's host name is not set correctly.
Apr  9 13:01:48 localhost esmith::event[32091]: 
Apr  9 13:01:48 localhost esmith::event[32091]: [WARNING] DC join attempt 3 of 3 failed! Wait a few seconds...
Apr  9 13:01:53 localhost esmith::event[32091]: [ERROR] DC join failed
Apr  9 13:01:53 localhost esmith::event[32091]: Action: /etc/e-smith/events/nethserver-dc-save/S96nethserver-dc-join FAILED: 1 [16.255495]
Apr  9 13:01:54 localhost esmith::event[32091]: Password complexity activated!
Apr  9 13:01:54 localhost esmith::event[32091]: Password history length changed!
Apr  9 13:01:54 localhost esmith::event[32091]: Minimum password age changed!
Apr  9 13:01:54 localhost esmith::event[32091]: Maximum password age changed!
Apr  9 13:01:54 localhost esmith::event[32091]: All changes applied successfully!
Apr  9 13:01:54 localhost esmith::event[32091]: Action: /etc/e-smith/events/nethserver-dc-save/S97nethserver-dc-password-policy SUCCESS [0.953321]
Apr  9 13:01:55 localhost esmith::event[32091]: Action: /etc/e-smith/events/nethserver-dc-save/S97nethserver-dc-set-upn SUCCESS [0.507811]
Apr  9 13:01:56 localhost esmith::event[32091]: kinit: Client 'LOCALHOST$@AD.LOCALD.COM' not found in Kerberos database while getting initial credentials
Apr  9 13:01:56 localhost esmith::event[32091]: (82) GSSAPI Error (init): Unspecified GSS failure.  Minor code may provide more information
Apr  9 13:01:56 localhost esmith::event[32091]: No Kerberos credentials available (default cache: /tmp/krb5cc_0)
Apr  9 13:01:56 localhost esmith::event[32091]: User 'admin' created successfully
Apr  9 13:01:57 localhost esmith::event[32091]: Added members to group Domain Admins
Apr  9 13:01:57 localhost esmith::event[32091]: Action: /etc/e-smith/events/nethserver-dc-save/S98nethserver-dc-createadmins SUCCESS [2.517832]
Apr  9 13:01:58 localhost esmith::event[32091]: Action: /etc/e-smith/events/nethserver-dc-save/S98nethserver-dc-machine-grants SUCCESS [0.422464]
Apr  9 13:01:58 localhost esmith::event[32091]: Event: nethserver-dc-save FAILED
Apr  9 13:01:58 localhost esmith::event[32078]: Action: /etc/e-smith/events/nethserver-dc-update/S95nethserver-dc-firststart FAILED: 1 [224.307386]
Apr  9 13:01:58 localhost esmith::event[32078]: Action: /etc/e-smith/events/nethserver-dc-update/S96nethserver-dc-createldapservice SUCCESS [0.323102]
Apr  9 13:01:59 localhost esmith::event[32078]: Action: /etc/e-smith/events/nethserver-dc-update/S96nethserver-dc-machine-grants SUCCESS [0.38024]
Apr  9 13:01:59 localhost esmith::event[32078]: Event: nethserver-dc-update FAILED
Apr  9 13:01:59 localhost esmith::event[1600]: Event: runlevel-adjust
Apr  9 13:01:59 localhost systemd: Reloading.
Apr  9 13:01:59 localhost systemd: Reloading.
Apr  9 13:01:59 localhost systemd: Reloading.
Apr  9 13:01:59 localhost systemd: Reloading.
Apr  9 13:01:59 localhost systemd: Reloading.
Apr  9 13:01:59 localhost systemd: Reloading.
Apr  9 13:01:59 localhost systemd: Reloading.
Apr  9 13:01:59 localhost systemd: Reloading.
Apr  9 13:01:59 localhost systemd: Reloading.
Apr  9 13:01:59 localhost systemd: Reloading.
Apr  9 13:01:59 localhost systemd: Reloading.
Apr  9 13:01:59 localhost systemd: Reloading.
Apr  9 13:01:59 localhost systemd: Starting System Security Services Daemon...
Apr  9 13:01:59 localhost sssd: SSSD couldn't load the configuration database [5]: Input/output error.
Apr  9 13:01:59 localhost systemd: sssd.service: main process exited, code=exited, status=4/NOPERMISSION
Apr  9 13:01:59 localhost systemd: Failed to start System Security Services Daemon.
Apr  9 13:01:59 localhost systemd: Unit sssd.service entered failed state.
Apr  9 13:01:59 localhost systemd: sssd.service failed.
Apr  9 13:01:59 localhost esmith::event[1600]: Job for sssd.service failed because the control process exited with error code. See "systemctl status sssd.service" and "journalctl -xe" for details.
Apr  9 13:01:59 localhost esmith::event[1600]: Action: /etc/e-smith/events/runlevel-adjust/S20runlevel-adjust FAILED: 1 [0.833537]
Apr  9 13:01:59 localhost esmith::event[1600]: Event: runlevel-adjust FAILED

(Mjbbus) #9

Today I started from scratch on a different machine, same result. So then I downloaded the ISO image again and started with a fresh install disc. Same result, someone please help.

It seems like it has to be something to do with registering the server in the Kerberos config.


(Davide Principi) #10

Did you try different parameters? IP, domain name (and suffix…)

Are you running a VM?

http://docs.nethserver.org/en/v7/accounts.html#installing-on-a-virtual-machine


(Mjbbus) #11

Thanks, yes, I have tried multiple IPs, multiple domains and .com.au as well as .com

I’m running on physical boxes, not VMs


(Davide Principi) #12

I’m sorry I was on mobile and didn’t see it! :blush:

You cannot call your system “localhost”: it’s a big no! Nobody can contact a system with that name because it’s always resolved as 127.0.0.1

  • Remove the accounts provider
  • Change the host name (FQDN) to something like server1.locald.com
  • Configure AD local accounts provider

BTW here it was initially “localshost” :thinking: Was it a typo before using PuTTY?
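
The host name problem diagnosed in post #12, written out as a pre-flight check and a log triage helper. This is an added example, not part of the original thread and not NethServer's own code; the function names are hypothetical and the sample log lines are copied from post #8.

```shell
#!/bin/sh
# check_ad_hostname FQDN [RESOLVED_IP]
# Prints "ok" and returns 0 when the name is usable for a domain join,
# otherwise prints the reason and returns 1.
check_ad_hostname() {
    fqdn=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    ip=$2
    short=${fqdn%%.*}
    case "$short" in
        localhost|localhost4|localhost6|'')
            echo "short name '$short' always means loopback"; return 1 ;;
    esac
    case "$fqdn" in
        *.*) ;;
        *) echo "'$fqdn' has no domain part"; return 1 ;;
    esac
    case "$ip" in
        127.*|::1) echo "'$fqdn' resolves to loopback ($ip)"; return 1 ;;
    esac
    echo "ok"
}

# machine_principal FQDN REALM
# The Kerberos principal of the machine account, as seen in the kinit error.
machine_principal() {
    short=$(printf '%s' "${1%%.*}" | tr '[:lower:]' '[:upper:]')
    printf '%s$@%s\n' "$short" "$2"
}

# join_failure_cause: reads /var/log/messages-style lines on stdin and
# prints the most specific cause found for a failed DC join.
join_failure_cause() {
    awk '
        /realm: Couldn.t join realm: This computer.s host name is not set correctly/ { host = 1 }
        /kinit: Client .* not found in Kerberos database/ { princ = 1 }
        /\[ERROR\] DC join failed/ { failed = 1 }
        END {
            if (host)        print "hostname"
            else if (princ)  print "missing-machine-account"
            else if (failed) print "join-failed-unknown"
            else             print "none"
        }'
}

# Log excerpt from post #8, embedded so the example runs offline.
sample_log() {
    cat <<'EOF'
Apr  9 13:01:48 localhost esmith::event[32091]: realm: Couldn't join realm: This computer's host name is not set correctly.
Apr  9 13:01:53 localhost esmith::event[32091]: [ERROR] DC join failed
Apr  9 13:01:56 localhost esmith::event[32091]: kinit: Client 'LOCALHOST$@AD.LOCALD.COM' not found in Kerberos database while getting initial credentials
EOF
}

# Demo with the names from this thread.
for name in localhost.locald.com server1.locald.com; do
    printf '%s: %s\n' "$name" "$(check_ad_hostname "$name")"
done
printf 'principal: %s\n' "$(machine_principal localhost.locald.com AD.LOCALD.COM)"
printf 'log cause: %s\n' "$(sample_log | join_failure_cause)"
```

On a live system the first function could be fed `hostname -f` and the address that name resolves to, before the accounts provider is configured.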


(Mjbbus) #13

LEGEND! (get that I’m happy???).

Uninstalled the domain, changed the server name, reinstalled the domain and bang, users all working.

As a suggestion… the install defaults to localhost, maybe should default to something else?

One final question while I have your attention: I have set the shared drives as browseable and used the Windows WORKGROUP for NetBIOS, and I can map a network drive manually from my Windows machines to the share using the IP address, but they won’t resolve the name and the server is not visible in the network area on Windows machines. Is there an easy / typical fix for this?

cheers


(Davide Principi) #14

I’m glad it works! Please mark this topic solved.

You’re right, it is the CentOS default, which is not really good for AD. We usually strive to keep upstream defaults. I’d like to enhance the host name checking in the FQDN or AD set up page.

Yes, you always get attention from the whole community :blush: Please open a new topic for your new question and I’m sure you’ll get an answer quickly!