After having installed the cockpit preview I was curious and went into the ActiveDirectory portion of it, just to be greeted by an error mentioning that I had no SSSD account provider…
I then went back to the normal nethserver gui (on port 980) and saw, to my shock and horror, that indeed the whole AD had gone.
I tried simply re-running the wizard, but this failed with the output mentioned below:
“/etc/sssd/sssd.conf” is empty for some reason
I’ve followed the instructions here to do a factory reset of the DC and then re-run the “first-time wizard” for creating an AD based DC, and it fails due to plexmediaserver (which I have removed and also done “config delete plexmediaserver && signal-event firewall-adjust”) and dovecot.
I’ve been at this for some hours now and cannot get back to a working DC. I don’t care if it’s empty, I would just like to avoid a re-install from scratch.
If anything else is needed please let me know and I will provide information where available…
template-expand /etc/sssd/sssd.conf has now filled my sssd.conf as follows:
# ================= DO NOT MODIFY THIS FILE =================
#
# Manual changes will be lost when this file is regenerated.
#
# Please read the developer's guide, which is available
# at NethServer official site: https://www.nethserver.org
#
#
[sssd]
domains = home.mitos-kalandiel.me
config_file_version = 2
services = nss, pam
default_domain_suffix = home.mitos-kalandiel.me
[domain/home.mitos-kalandiel.me]
use_fully_qualified_names = True
id_provider = ad
access_provider = ad
ad_domain = home.mitos-kalandiel.me
krb5_realm = HOME.MITOS-KALANDIEL.ME
krb5_store_password_if_offline = True
ldap_id_mapping = True
ad_maximum_machine_account_password_age = 0
ad_server = nsdc-daffy.home.mitos-kalandiel.me
cache_credentials = True
override_homedir = /var/lib/nethserver/home/%u
default_shell = /usr/libexec/openssh/sftp-server
realmd_tags = manages-system joined-with-samba
[nss]
filter_users = ldapservice
“systemctl restart sssd” yielded the following error, as shown by “journalctl -xe”:
Sep 21 16:02:35 daffy.home.mitos-kalandiel.me sssd[be[home.mitos-kalandiel.me]][27869]: Failed to read keytab [default]: No such file or directory
Sep 21 16:02:35 daffy.home.mitos-kalandiel.me sssd[27778]: Exiting the SSSD. Could not restart critical service [home.mitos-kalandiel.me].
Sep 21 16:02:35 daffy.home.mitos-kalandiel.me systemd[1]: sssd.service: main process exited, code=exited, status=1/FAILURE
Sep 21 16:02:35 daffy.home.mitos-kalandiel.me systemd[1]: Failed to start System Security Services Daemon.
-- Subject: Unit sssd.service has failed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit sssd.service has failed.
--
-- The result is failed.
Sep 21 16:02:35 daffy.home.mitos-kalandiel.me systemd[1]: Unit sssd.service entered failed state.
Sep 21 16:02:35 daffy.home.mitos-kalandiel.me systemd[1]: sssd.service failed.
Sep 21 16:02:35 daffy.home.mitos-kalandiel.me polkitd[1004]: Unregistered Authentication Agent for unix-process:27771:310891 (system bus name :1.170, object path /org/freedesktop/Polic
The output from “/usr/sbin/sssd -i -d7” gave the following log output:
(Fri Sep 21 17:37:13:470332 2018) [sssd] [become_user] (0x0200): Already user [0].
(Fri Sep 21 17:37:13 2018) [sssd[nss]] [sss_names_init_from_args] (0x0100): Using re [(((?P<domain>[^\\]+)\\(?P<name>.+$))|((?P<name>[^@]+)@(?P<domain>.+$))|(^(?P<name>[^@\\]+)$))].
(Fri Sep 21 17:37:13 2018) [sssd[nss]] [sss_fqnames_init] (0x0100): Using fq format [%1$s@%2$s].
(Fri Sep 21 17:37:13 2018) [sssd[nss]] [sss_process_init] (0x0400): Responder initialization complete (explicitly configured)
(Fri Sep 21 17:37:13 2018) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'ldapservice' matched without domain, user is ldapservice
(Fri Sep 21 17:37:13 2018) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): using default domain [home.mitos-kalandiel.me]
(Fri Sep 21 17:37:13 2018) [sssd[nss]] [sss_domain_get_state] (0x1000): Domain home.mitos-kalandiel.me is Active
(Fri Sep 21 17:37:13 2018) [sssd[nss]] [sss_ncache_set_str] (0x0400): Adding [NCE/USER/home.mitos-kalandiel.me/ldapservice@home.mitos-kalandiel.me] to negative cache permanently
(Fri Sep 21 17:37:13 2018) [sssd[nss]] [sss_ncache_set_str] (0x0400): Adding [NCE/USER/home.mitos-kalandiel.me/root@home.mitos-kalandiel.me] to negative cache permanently
(Fri Sep 21 17:37:13 2018) [sssd[nss]] [sss_ncache_set_str] (0x0400): Adding [NCE/GROUP/home.mitos-kalandiel.me/root@home.mitos-kalandiel.me] to negative cache permanently
(Fri Sep 21 17:37:13 2018) [sssd[nss]] [sss_ncache_set_str] (0x0400): Adding [NCE/UID/0] to negative cache permanently
(Fri Sep 21 17:37:13 2018) [sssd[nss]] [sss_ncache_set_str] (0x0400): Adding [NCE/GID/0] to negative cache permanently
(Fri Sep 21 17:37:13 2018) [sssd] [mt_svc_exit_handler] (0x1000): SIGCHLD handler of service home.mitos-kalandiel.me called
(Fri Sep 21 17:37:13 2018) [sssd] [svc_child_info] (0x0040): Child [22202] exited with code [3]
(Fri Sep 21 17:37:13 2018) [sssd] [monitor_restart_service] (0x0010): Process [home.mitos-kalandiel.me], definitely stopped!
(Fri Sep 21 17:37:13 2018) [sssd] [monitor_quit] (0x0040): Returned with: 1
(Fri Sep 21 17:37:13 2018) [sssd] [monitor_quit] (0x0020): Terminating [nss][22212]
(Fri Sep 21 17:37:13:474053 2018) [sssd[pam]] [ldb] (0x0400): server_sort:Unable to register control with rootdse!
(Fri Sep 21 17:37:13 2018) [sssd[pam]] [server_setup] (0x0400): CONFDB: /var/lib/sss/db/config.ldb
(Fri Sep 21 17:37:13 2018) [sssd[pam]] [confdb_get_domain_internal] (0x0400): No enumeration for [home.mitos-kalandiel.me]!
(Fri Sep 21 17:37:13 2018) [sssd[pam]] [confdb_get_domain_internal] (0x0400): Please note that when enumeration is disabled `getent passwd` does not return all users by design. See sssd.conf man page for more detailed information
(Fri Sep 21 17:37:13 2018) [sssd[pam]] [confdb_get_domain_internal] (0x0100): Default domain suffix set. Changing default for use_fully_qualified_names to True.
(Fri Sep 21 17:37:13 2018) [sssd[pam]] [confdb_get_domain_internal] (0x1000): pwd_expiration_warning is -1
(Fri Sep 21 17:37:13 2018) [sssd[pam]] [sss_get_etc_shells] (0x0400): Found shell /bin/bash in /etc/shells
(Fri Sep 21 17:37:13 2018) [sssd[pam]] [sss_get_etc_shells] (0x0400): Found shell /bin/csh in /etc/shells
(Fri Sep 21 17:37:13 2018) [sssd[pam]] [sss_get_etc_shells] (0x0400): Found shell /bin/false in /etc/shells
(Fri Sep 21 17:37:13 2018) [sssd[pam]] [sss_get_etc_shells] (0x0400): Found shell /sbin/nologin in /etc/shells
(Fri Sep 21 17:37:13 2018) [sssd[pam]] [sss_get_etc_shells] (0x0400): Found shell /bin/sh in /etc/shells
(Fri Sep 21 17:37:13 2018) [sssd[pam]] [sbus_init_connection] (0x0400): Adding connection 0x55cd5caf5e20
(Fri Sep 21 17:37:13 2018) [sssd[pam]] [sbus_opath_hash_add_iface] (0x0400): Registering interface org.freedesktop.sssd.service with path /org/freedesktop/sssd/service
(Fri Sep 21 17:37:13 2018) [sssd[pam]] [sbus_conn_register_path] (0x0400): Registering object path /org/freedesktop/sssd/service with D-Bus connection
(Fri Sep 21 17:37:13 2018) [sssd[pam]] [sbus_opath_hash_add_iface] (0x0400): Registering interface org.freedesktop.DBus.Properties with path /org/freedesktop/sssd/service
(Fri Sep 21 17:37:13 2018) [sssd[pam]] [sbus_opath_hash_add_iface] (0x0400): Registering interface org.freedesktop.DBus.Introspectable with path /org/freedesktop/sssd/service
(Fri Sep 21 17:37:13 2018) [sssd[pam]] [monitor_common_send_id] (0x0100): Sending ID: (pam,1)
(Fri Sep 21 17:37:13 2018) [sssd[pam]] [sss_names_init_from_args] (0x0100): Using re [(((?P<domain>[^\\]+)\\(?P<name>.+$))|((?P<name>[^@]+)@(?P<domain>.+$))|(^(?P<name>[^@\\]+)$))].
(Fri Sep 21 17:37:13 2018) [sssd[pam]] [sss_fqnames_init] (0x0100): Using fq format [%1$s@%2$s].
(Fri Sep 21 17:37:13 2018) [sssd[pam]] [check_file] (0x0400): lstat for [/var/lib/sss/pipes/private/sbus-dp_home.mitos-kalandiel.me] failed: [2][No such file or directory].
(Fri Sep 21 17:37:13 2018) [sssd[pam]] [sbus_client_init] (0x0020): check_file failed for [/var/lib/sss/pipes/private/sbus-dp_home.mitos-kalandiel.me].
(Fri Sep 21 17:37:13 2018) [sssd[pam]] [sss_dp_init] (0x0010): Failed to connect to monitor services.
(Fri Sep 21 17:37:13 2018) [sssd[pam]] [sss_process_init] (0x0010): fatal error setting up backend connector
(Fri Sep 21 17:37:13 2018) [sssd[pam]] [sss_responder_ctx_destructor] (0x0400): Responder is being shut down
(Fri Sep 21 17:37:13 2018) [sssd[pam]] [pam_process_init] (0x0010): sss_process_init() failed
(Fri Sep 21 17:37:13 2018) [sssd[nss]] [responder_set_fd_limit] (0x0100): Maximum file descriptors set to [8192]
(Fri Sep 21 17:37:13 2018) [sssd[nss]] [nss_process_init] (0x0400): NSS Initialization complete
(Fri Sep 21 17:37:13 2018) [sssd[nss]] [orderly_shutdown] (0x0010): SIGTERM: killing children
(Fri Sep 21 17:37:13 2018) [sssd[nss]] [sss_responder_ctx_destructor] (0x0400): Responder is being shut down
(Fri Sep 21 17:37:13 2018) [sssd] [monitor_quit] (0x0020): Child [nss] exited gracefully
(Fri Sep 21 17:37:13 2018) [sssd] [monitor_quit] (0x0020): Terminating [pam][22211]
(Fri Sep 21 17:37:13 2018) [sssd] [monitor_quit] (0x0020): Child [pam] exited gracefully
(Fri Sep 21 17:37:13 2018) [sssd] [monitor_cleanup] (0x0010): Error removing pidfile! (2 [No such file or directory])
I have then gone and done a full DC reset as per the documentation, and then when I try to re-run the wizard for samba AD, it tries to kick off the process and then shows me this error:
Error 404
Nethgui:
404 - Not found
1405612090+1405613538
Since this was unsuccessful, I have then gone and removed the br0 interface manually from /var/lib/nethserver/db/networks so I was left with only the local loopback interface and my two hardware interfaces enp2s0 and enp3s0. After a reboot I have then attempted to run the AD Wizard again and gave it the information required: domain: home.mitos-kalandiel.me, netbios name: HOME, ip address: 172.24.2.2
The wizard then runs a few things, creates the br0 interface again (as expected) and then gets stuck at ‘adjust-services’ for a long while until it errors out with:
Task completed with errors
S95nethserver-dc-waitstart #23 (exit status 256)
S96nethserver-dc-join #25 (exit status 256)
Adjust service sssd #203 (exit status 1)
failed
Interestingly when I then go visit “Account Provider” I get this output:
Samba DC version
4.7.10
DNS domain name
home.mitos-kalandiel.me
NetBIOS domain name
HOME
Domain Controller IP address
172.24.2.2
Authentication credentials for LDAP applications
Bind DN
ldapservice@HOME.MITOS-KALANDIEL.ME
Bind Password
xxx
however when I then go and visit ‘Domain Accounts’ I simply get a message saying ‘Could not connect to accounts provider!’
Where is the AD portion? I tried to reproduce but couldn’t find it… I did yum --enablerepo=nethserver-testing install nethserver-cockpit to install cockpit.
Does /etc/krb5.keytab exist?
Are there errors in /var/log/messages or in AD container log?
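A quick way to check the two things asked about here (the keytab and the logs), together with the failure signatures already visible in the journalctl and sssd -d7 output earlier in the thread, is a small diagnostic script. This is an added example, not NethServer’s own tooling: the default paths are the ones from this thread, each check takes a path argument so it can be pointed at a copy of the file, and the domain names in the comments are made up.

```shell
#!/bin/sh
# Added diagnostic helper (not NethServer code). Checks the artefacts an sssd
# 'ad' provider needs on a NethServer DC and scans a log for the failures
# seen in this thread. Every function takes an optional path so it can be
# run against copies; with no argument it uses the live system path.

# 0 if the keytab exists and is non-empty. Without it the backend exits with
# "Failed to read keytab [default]: No such file or directory".
check_keytab() {
    kt="${1:-/etc/krb5.keytab}"
    if [ ! -f "$kt" ]; then
        echo "MISSING keytab $kt (sssd ad provider cannot start without it)"
        return 1
    fi
    if [ ! -s "$kt" ]; then
        echo "EMPTY keytab $kt"
        return 1
    fi
    echo "OK keytab $kt present"
    return 0
}

# 0 if sssd.conf is non-empty, has an [sssd] section, and every name in
# 'domains =' has a matching [domain/<name>] section (e.g. domains = ad.example.test
# needs [domain/ad.example.test]; constructed names, not from the thread).
check_sssd_conf() {
    conf="${1:-/etc/sssd/sssd.conf}"
    if [ ! -s "$conf" ]; then
        echo "EMPTY or missing $conf (regenerate with: template-expand /etc/sssd/sssd.conf)"
        return 1
    fi
    if ! grep -q '^\[sssd\]' "$conf"; then
        echo "NO [sssd] section in $conf"
        return 1
    fi
    domains=$(sed -n 's/^domains *= *//p' "$conf" | tr ',' ' ')
    if [ -z "$domains" ]; then
        echo "NO 'domains =' line in $conf"
        return 1
    fi
    rc=0
    for d in $domains; do
        if grep -q "^\[domain/$d\]" "$conf"; then
            echo "OK [domain/$d] section present"
        else
            echo "MISSING [domain/$d] section"
            rc=1
        fi
    done
    return $rc
}

# Scan a saved journal/log file for the sssd failure signatures that appear
# in this thread. Prints each match; 0 means none found.
scan_sssd_log() {
    log="$1"
    matches=$(grep -E 'Failed to read keytab|Could not restart critical service|sbus-dp_.*No such file or directory|Failed to connect to monitor services' "$log" || true)
    if [ -n "$matches" ]; then
        echo "$matches"
        return 1
    fi
    echo "OK no known sssd failure signatures in $log"
    return 0
}

# Usage on the DC itself (root):
#   check_keytab
#   check_sssd_conf
#   journalctl -u sssd --no-pager > /tmp/sssd-journal.txt && scan_sssd_log /tmp/sssd-journal.txt
```

If check_keytab fails while check_sssd_conf passes, the configuration step worked and the join/keytab step did not, which matches the "Failed to read keytab" line in the journal output above; if scan_sssd_log only reports the sbus-dp_ pipe errors, those are the responders failing because the backend already died, so the keytab is still the thing to look at first.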
To be honest Markus, I believe my AD was broken before that, but I simply went to Users and Groups and then got greeted with a similar message as this “Cannot connect to Account provider”, but looking back through my own “logs” [I keep notes when I visit one of my servers and see things that are wrong and/or could be done better, to then on my next visit fix those issues.]
And I do see a note from a few months ago that when I went to the dashboard I got a red banner mentioning that sssd had exited with result 1 (or something to that effect), so I don’t think that cockpit broke my AD but rather pointed out to me that AD was broken already… But at that point SMB and user authentication still worked so I didn’t see a need to go and touch anything. I have changed the post’s title accordingly…
I have not touched my smb config manually at all, so those entries would have been created by the NS gui
Funny enough, even after a re-run of the AD wizard the only file I see is /etc/krb5.conf with this content:
# ================= DO NOT MODIFY THIS FILE =================
#
# Manual changes will be lost when this file is regenerated.
#
# Please read the developer's guide, which is available
# at NethServer official site: https://www.nethserver.org
#
#
#
# 10base
#
[logging]
default = FILE:/var/log/krb5libs.log
[libdefaults]
default_realm = AD.HOME.MITOS-KALANDIEL.ME
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
renew_lifetime = 7d
rdns = false
forwardable = yes
My config show sssd output is slightly different after a re-run of the wizard
so I’ve done as suggested, but still get the following:
Task completed with errors
S95nethserver-dc-waitstart #23 (exit status 256)
S96nethserver-dc-join #25 (exit status 256)
Adjust service sssd #203 (exit status 1)
failed
I can’t see anything in /var/log/messages that indicates errors, but then again it’s full of shorewall events, since my NS is in a DMZ lol
Ok, yesterday night AD stopped working, so I deleted it and tried again, not installing again via my own method. I must have missed something out in the method I wrote; I’m trying to go back to the CLI history, but I’ve done mounting of things on the CLI before and after I got it to work lmao
I’m gonna get it working again today lmao and document everything as I go
Make sure in your domain hosting company there is actually a subdomain for your AD. Mine is ad.webhost.dtjholdings.co.uk. It takes around 20 mins for the DNS to resolve, so check top left in the GUI:
if it is
root@something.dtjholdings.tld
create a subdomain called
ad.something.dtjholdings.tld
I think this is important because when AD installs it connects to the AD via an external DNS check, so do not reinstall until after 20 min just in case
oh I also removed openvpn as it was throwing errors when I installed AD; not sure if this was the problem as I never finished setting up openvpn, so I deleted it just in case
Remove ad from gui
yum reinstall krb5-server krb5-libs
cli
rm /etc/krb5.conf.d/krb5.keytab
cli
rm /etc/krb5.keytab
delete every folder and file in /var/kerberos/krb5kdc except kdc.conf (do not delete kdc.conf)
yum was successful, however still no krb5.keytab, and after following the rest of your instructions I still get:
Task completed with errors
S95nethserver-dc-waitstart #23 (exit status 256)
S96nethserver-dc-join #25 (exit status 256)
Adjust service sssd #203 (exit status 1)
failed