AccountProvider_Error_82?

fausp (fpausp) 2018-05-12 04:51:50 UTC #1

NethServer Version: NethServer release 7.4.1708

[root@neth13 ~]# cat /etc/centos-release
CentOS Linux release 7.5.1804 (Core)

What does AccountProvider_Error_82 mean ?

May 12 07:00:33 neth13 [sssd[ldap_child[1733]]]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Cannot contact any KDC for realm 'AD.xxxxxxxxxx.AT'. Unable to create GSSAPI-encrypted LDAP connection.

robb (Rob Bosch) 2018-05-12 09:34:42 UTC #2

Is it the DC for your domain or did you join another domain as a member? I have seen this on a server that joined a domain. There are several topics in the forums with the same error message.
https://community.nethserver.org/search?q=accountprovider%20error%2082

davidep (Davide Principi) 2018-05-12 10:09:55 UTC #3

@robb is right, there are many conditions that can raise that error (a generic LDAP client library failure probably connected to Kerberos authentication process). That’s the reason why it’s still untranslated. Look in past threads for more info.

BTW I opened a PR to translate it to human language: ldap client internal error

https://github.com/NethServer/nethserver-sssd/pull/98/files#diff-d4b7634ca945567a192ce22e0440bdc6R17

fausp (fpausp) 2018-05-12 11:52:17 UTC #4

I like to migrate a SME9.2 to NethServer 7.4 (centos 7.5)… They are running in the same subnet, atm…

fausp (fpausp) 2018-05-13 06:29:19 UTC #5

I tought abt to reinstall accountsprovider… What abt ibays, are they going to be deleted ?

grafik

fausp (fpausp) 2018-05-13 07:13:36 UTC #6

I took the risk to lose the share but after the reinstallation it is still there…

The GUI told me that everything is fine:

but I found some errors in the log:

May 13 08:54:24 neth13 systemd: Started System Security Services Daemon.
May 13 08:54:24 neth13 realmd: * /usr/bin/sh -c /usr/sbin/authconfig --update --enablesssd --enablesssdauth --enablemkhomedir --nostart && /      usr/bin/systemctl enable oddjobd.service && /usr/bin/systemctl start oddjobd.service
May 13 08:54:25 neth13 sssd: tkey query failed: GSSAPI error: Major = Unspecified GSS failure.  Minor code may provide more information, Min      or = Server not found in Kerberos database.
May 13 08:54:25 neth13 sssd: tkey query failed: GSSAPI error: Major = Unspecified GSS failure.  Minor code may provide more information, Min      or = Server not found in Kerberos database.
May 13 08:54:26 neth13 sssd: tkey query failed: GSSAPI error: Major = Unspecified GSS failure.  Minor code may provide more information, Min      or = Server not found in Kerberos database.
May 13 08:54:26 neth13 systemd: Reloading.
May 13 08:54:26 neth13 sssd: tkey query failed: GSSAPI error: Major = Unspecified GSS failure.  Minor code may provide more information, Min      or = Server not found in Kerberos database.
May 13 08:54:26 neth13 systemd: Reloading.
May 13 08:54:26 neth13 realmd: * Successfully enrolled machine in realm
May 13 08:54:26 neth13 sssd: tkey query failed: GSSAPI error: Major = Unspecified GSS failure.  Minor code may provide more information, Min      or = Server not found in Kerberos database.

...

May 13 08:55:24 neth13 esmith::event[5390]: expanding /etc/shorewall/snat
May 13 08:55:24 neth13 esmith::event[5390]: Action: /etc/e-smith/events/actions/generic_template_expand SUCCESS [3.076049]
May 13 08:55:24 neth13 systemd: Reloading.
May 13 08:55:27 neth13 kernel: nf_log: can't load ipt_ULOG, conflicting nfnetlink_log already loaded
May 13 08:55:27 neth13 kernel: ipt_ULOG: ULOG: fail to register logger.
May 13 08:55:28 neth13 kernel: nf_log: can't load ipt_ULOG, conflicting nfnetlink_log already loaded
May 13 08:55:28 neth13 kernel: ipt_ULOG: ULOG: fail to register logger.


[root@neth13 ~]# journalctl -u sssd | grep 'tkey query'

May 13 08:54:25 neth13.mydomain.at sssd[4660]: tkey query failed: GSSAPI error: Major = Unspecified GSS failure.  Minor code may provide more information, Minor = Server not found in Kerberos database.
May 13 08:54:25 neth13.mydomain.at sssd[4660]: tkey query failed: GSSAPI error: Major = Unspecified GSS failure.  Minor code may provide more information, Minor = Server not found in Kerberos database.
May 13 08:54:26 neth13.mydomain.at sssd[4660]: tkey query failed: GSSAPI error: Major = Unspecified GSS failure.  Minor code may provide more information, Minor = Server not found in Kerberos database.
May 13 08:54:26 neth13.mydomain.at sssd[4660]: tkey query failed: GSSAPI error: Major = Unspecified GSS failure.  Minor code may provide more information, Minor = Server not found in Kerberos database.
May 13 08:54:26 neth13.mydomain.at sssd[4660]: tkey query failed: GSSAPI error: Major = Unspecified GSS failure.  Minor code may provide more information, Minor = Server not found in Kerberos database.
May 13 08:54:43 neth13.mydomain.at sssd[4809]: tkey query failed: GSSAPI error: Major = Unspecified GSS failure.  Minor code may provide more information, Minor = Server not found in Kerberos database.
May 13 08:54:43 neth13.mydomain.at sssd[4809]: tkey query failed: GSSAPI error: Major = Unspecified GSS failure.  Minor code may provide more information, Minor = Server not found in Kerberos database.
May 13 08:54:43 neth13.mydomain.at sssd[4809]: tkey query failed: GSSAPI error: Major = Unspecified GSS failure.  Minor code may provide more information, Minor = Server not found in Kerberos database.
May 13 08:54:43 neth13.mydomain.at sssd[4809]: tkey query failed: GSSAPI error: Major = Unspecified GSS failure.  Minor code may provide more information, Minor = Server not found in Kerberos database.
May 13 08:54:44 neth13.mydomain.at sssd[4809]: tkey query failed: GSSAPI error: Major = Unspecified GSS failure.  Minor code may provide more information, Minor = Server not found in Kerberos database.

davidep (Davide Principi) 2018-05-13 07:27:15 UTC #7

Seems this old (non) issue:

fausp (fpausp) 2018-05-13 07:44:12 UTC #8

Thank you Davide. If I understand you correctly, it will be OK to ignore this msg ?

davidep (Davide Principi) 2018-05-13 08:26:44 UTC #9

…I tend to ignore them

fausp (fpausp) 2018-05-13 12:25:27 UTC #10

OK, thank you…

robb (Rob Bosch) 2018-05-15 11:18:14 UTC #11

I just ran into another error_82 too. I had to remove Samba4 account provider and re-add the accountprovider. Then recreate the users and groups.
Fortunately all data for mail (SOGo) was still in place and accessible for the new useraccounts.

What’s more important is that this can happen but shouldn’t happen again. Loosing the accountprovider ‘suddenly’ is a very bad thing. And instead of recreating the Samba4 AD environment, it should be ‘repairable’. In my case it was just 5 users and 3 groups that needed re-creation. But in a environment with many users and email addresses, this is a situation you don’t want to get into.
BTW, this server does have ‘crostino service plan’ (delayed updates).

davidep (Davide Principi) 2018-05-15 12:22:07 UTC #12

I’m sorry, as said above, there are many conditions that can raise that error but unbind+reinstall is not a valid solution for all of them.

Absolutely!

I believe it’s always repairable, but how to do it depends on finding the root of the problem.

Yesterday @indra raised a #bug – SOGO (and AD LDAP clients) not working after upgrade – for AD. He has a #subscription installation too: did you saw it?

robb (Rob Bosch) 2018-05-15 15:56:17 UTC #13

Thnx for pointing to @indra’s topic. Reading through it now.
Agreed on finding the root problem is essential. In my case the quickest way was re-installing samba4 AD account provider. But I also agree this is the worst option possible.