Change LDAP to AD Error

accounts-provider
v7

(Pasquale Inglese) #1

NethServer Version: NethServer release 7.5.1804 (final)
Module: Accout provider

Hello to all,
I need to switch from LDAP to AD.

I uninstalled LDAP as a local account and installed AD and I came across these errors:

Jun 22 19:27:25 gateway systemd: Starting NethServer Domain Controller container...
Jun 22 19:27:25 gateway systemd-nspawn: Failed to create directory /var/lib/machines/nsdc//sys/fs/selinux: Read-only file system
Jun 22 19:27:25 gateway systemd-nspawn: Failed to create directory /var/lib/machines/nsdc//sys/fs/selinux: Read-only file system
Jun 22 19:27:25 gateway kernel: IPv6: ADDRCONF(NETDEV_UP): vb-nsdc: link is not ready


Jun 22 19:27:52 gateway esmith::event[9681]: Running as unit create-ldapservice-q8stdx.service.

...

Jun 22 19:27:54 gateway esmith::event[9681]: ERROR: Failed to set password for user 'ldapservice': (19, '0000052D: Constraint violation - check_password_restrictions: the password does not meet the complexity criteria!')
Jun 22 19:27:54 gateway esmith::event[9681]: + (( ++errors ))
Jun 22 19:27:54 gateway esmith::event[9681]: + (( errors > 0 ))
Jun 22 19:27:54 gateway esmith::event[9681]: + exit 1
Jun 22 19:27:54 gateway esmith::event[9681]: [ERROR] ldapservice creation task failed
Jun 22 19:27:54 gateway esmith::event[9681]: Action: /etc/e-smith/events/nethserver-dc-save/S96nethserver-dc-createldapservice FAILED: 1 [2.614136]

...

Jun 22 19:27:58 gateway systemd: Started Cleanup of Temporary Directories.
Jun 22 19:28:00 gateway kernel: net[13580]: segfault at 2 ip 00005606c3ef8e1b sp 00007fff8ffad470 error 4 in net[5606c3e80000+d9000]
Jun 22 19:28:00 gateway realmd: Enter Administrator's password: ! Failed to enroll machine in realm: Process was terminated with signal: 11
Jun 22 19:28:00 gateway esmith::event[9681]: Password for Administrator: See: journalctl REALMD_OPERATION=r346500.13568
Jun 22 19:28:00 gateway esmith::event[9681]: realm: Couldn't join realm: Failed to enroll machine in realm. See diagnostics.
Jun 22 19:28:00 gateway esmith::event[9681]: 
Jun 22 19:28:00 gateway esmith::event[9681]: [WARNING] DC join attempt 1 of 3 failed! Wait a few seconds...

...

Jun 22 19:28:22 gateway esmith::event[9681]: [ERROR] DC join failed
Jun 22 19:28:22 gateway esmith::event[9681]: Action: /etc/e-smith/events/nethserver-dc-save/S96nethserver-dc-join FAILED: 1 [28.29036]
Jun 22 19:28:23 gateway esmith::event[9681]: Password complexity activated!
Jun 22 19:28:23 gateway esmith::event[9681]: Password history length changed!
Jun 22 19:28:23 gateway esmith::event[9681]: Minimum password age changed!
Jun 22 19:28:23 gateway esmith::event[9681]: Maximum password age changed!
Jun 22 19:28:23 gateway esmith::event[9681]: All changes applied successfully!
Jun 22 19:28:23 gateway esmith::event[9681]: Action: /etc/e-smith/events/nethserver-dc-save/S97nethserver-dc-password-policy SUCCESS [0.846166]
Jun 22 19:28:23 gateway esmith::event[9681]: Action: /etc/e-smith/events/nethserver-dc-save/S97nethserver-dc-set-upn SUCCESS [0.583932]
Jun 22 19:28:25 gateway esmith::event[9681]: User 'admin' created successfully
Jun 22 19:28:26 gateway esmith::event[9681]: Added members to group Domain Admins
Jun 22 19:28:27 gateway evebox: 2018-06-22 19:28:27 (evefileprocessor.go:176) <Info> -- Total: 6563; last minute: 3; EOFs: 59
Jun 22 19:28:27 gateway esmith::event[9681]: Action: /etc/e-smith/events/nethserver-dc-save/S98nethserver-dc-createadmins SUCCESS [4.09107]
Jun 22 19:28:28 gateway esmith::event[9681]: Action: /etc/e-smith/events/nethserver-dc-save/S98nethserver-dc-machine-grants SUCCESS [0.629064]
Jun 22 19:28:28 gateway esmith::event[9681]: Event: nethserver-dc-save FAILED
Jun 22 19:28:28 gateway esmith::event[9667]: Action: /etc/e-smith/events/nethserver-dc-update/S95nethserver-dc-firststart FAILED: 1 [383.245072]

What did I do wrong? :thinking:


(Davide Principi) #2

Could you attach the output of

 account-provider-test dump

Poor entropy? Out of luck?

You can try to reinstall the accounts provider…


(Pasquale Inglese) #3

Maybe I could launch the command!
I’ve been trying to connect remotely for two days, but it’s not reachable!:triumph:

Since I upgraded to 7.5 it has already happened twice more, then it comes back on its own.

As soon as he comes back to life, I’ll update you!
Thanks anyway!


(Pasquale Inglese) #4

This is the output of command:

# account-provider-test dump
Traceback (most recent call last):
  File "<stdin>", line 3, in <module>
KeyError: 'SECRETS/MACHINE_PASSWORD/WORKGROUP'
Traceback (most recent call last):
  File "<stdin>", line 3, in <module>
KeyError: 'SECRETS/MACHINE_PASSWORD/WORKGROUP'
{
   "BindDN" : "WORKGROUP\\GATEWAY$",
   "LdapURI" : "ldaps://ad.evaluationlab.net",
   "StartTls" : null,
   "port" : 636,
   "host" : "ad.evaluationlab.net",
   "isAD" : "1",
   "isLdap" : "",
   "UserDN" : "dc=ad,dc=evaluationlab,dc=net",
   "GroupDN" : "dc=ad,dc=evaluationlab,dc=net",
   "BindPassword" : null,
   "BaseDN" : "dc=ad,dc=evaluationlab,dc=net",
   "LdapUriDn" : "ldap:///dc%3Dad%2Cdc%3Devaluationlab%2Cdc%3Dnet"
}

I tried to reinstall but the result is always the same:


(Davide Principi) #5

Can you find any error in /var/log/messages? Please share it on gist.github.com (or similar pastebin services)!


(Pasquale Inglese) #6

Hi @davidep,
sorry for my delay.

This is the /var/log/message extract.


(Davide Principi) #7

I didn’t see this line… Well a segmentation fault (SIGSEGV) to realmd childs is really strange… As you said it’s reproducible: it could be a bug…

You could try this experiment:

  • Fire another VM with NethServer + local AD accounts provider
  • Join the domain with this NethServer

(Pasquale Inglese) #8

Hi @davidep, the line you are looking for is here.

If I uninstall and reinstall the AD account provider the same problem occurs again.

Right now I’m not in a condition to test the experiment.
Do I have any chance of solving the problem or do I have to go back to LDAP?


(Davide Principi) #9

The commad that crashes is Samba net

Jun 26 17:44:29 gateway realmd: * LANG=C LOGNAME=root /usr/bin/net -s /var/cache/realmd/realmd-smb-conf.SDVELZ -U Administrator ads join ad.evaluationlab.net
Jun 26 17:44:33 gateway kernel: net[12673]: segfault at 2 ip 000055c01d858e1b sp 00007ffdb258d000 error 4 in net[55c01d7e0000+d9000]
Jun 26 17:44:33 gateway realmd: Enter Administrator's password: ! Failed to enroll machine in realm: Process was terminated with signal: 11
Jun 26 17:44:33 gateway esmith::event[11639]: Password for Administrator: See: journalctl REALMD_OPERATION=r335115.12663
Jun 26 17:44:33 gateway esmith::event[11639]: realm: Couldn't join realm: Failed to enroll machine in realm. See diagnostics.

I don’t remember a similar issue. Could you ask for help on the Samba user ML?


(Marc) #10

Just rolling the dices:

Also:

Jun 26 17:44:28 gateway esmith::event[11639]: + samba-tool user setpassword ldapservice --newpassword=SFAgLgULDAYuIZKV
Jun 26 17:44:28 gateway esmith::event[11639]: ERROR: Failed to set password for user 'ldapservice': (19, '0000052D: Constraint violation - check_password_restrictions: the password does not meet the complexity criteria!')

Does the password need to meet the same criteria as for provisioning?

Passwords must contain characters from three of the following five categories:

  • Uppercase characters of European languages (A through Z, with diacritic marks, Greek and Cyrillic characters)
  • Lowercase characters of European languages (a through z, sharp-s, with diacritic marks, Greek and Cyrillic characters)
  • Base 10 digits (0 through 9)
  • Nonalphanumeric characters: ~!@#$%^&*_-+=`|(){}[]:;"’<>,.?/
  • Any Unicode character that is categorized as an alphabetic character but is not uppercase or lowercase. This includes Unicode characters from Asian languages.

I’ve read to delete samba config files to get past this error when domain was already promoted or provisioned, but could be wrong.

Not much info around about the segfault.


(Pasquale Inglese) #11

Hi Marc,
Thanks for your help.
I followed your suggestions but I did not have positive results.

The samba-tool command does not result in the system
-bash: samba-tool: command not found

Can I try to use authconfig-tui to reconfigure AD?


(Davide Principi) #12

We’re next to release Samba DC 4.7.8. I can’t find any bugfix around the net command in their changelog, however the problem could be caused by the server side…

If you want to check it out, uninstall the AD accounts provider, edit /etc/yum.repos.d/NethServer.repo and set enabled=1 under [nethserver-testing] section. Then try to install the AD accounts provider again.

Is it possible that your system is in short of RAM? Could you also share the output of

 uptime
 free -m

Another important log given by

journalctl -M nsdc

samba-tool is within the nsdc container/chroot. To enter it:

 systemd-run -M nsdc -t /bin/bash

However the ldapservice account issue could be a consequence of another problem. I’d not investigate it further by now.

The problem is not in the nss/sssd configuration.


(Pasquale Inglese) #13

Hi @davidep,
this is the output of commands you asked me:

[root@gateway ~]# uptime
 19:09:40 up 12 days, 22:30,  1 user,  load average: 0.13, 0.14, 0.10
[root@gateway ~]# free -m
              total        used        free      shared  buff/cache   available
Mem:           9830        2766        1469         393        5594        6281
Swap:          6015           0        6015

here you find the log to the command journalctl -M nsdc


(Giacomo Sanchietti) #14

I encountered the same error on a testing machine:

samba-tool user setpassword ldapservice --newpassword=yYxBKyOMAVANOmnk
ERROR: Failed to set password for user 'ldapservice': (19, '0000052D: Constraint violation - check_password_restrictions: the password does not meet the complexity criteria!')

Obviously the password is missing at least a number.
This is my workaround (but you need to be lucky :wink: ):

rm -f /var/lib/nethserver/secrets/ldapservice
/etc/e-smith/events/actions/nethserver-dc-createldapservice

And this is my new password containing at least a number: FAk2d16b8Hx7HlAJ
Maybe we should resume this PR @davidep? https://github.com/NethServer/nethserver-lib/pull/12

Edit: also we should remove the “set -x” from nsdc script …


(Davide Principi) #15

You’re absolutely right! It’s always reproducible by @pasing because the account provider removal procedure never removes that file once it has been generated for the first time.

Please @pasing follow his workaround, probably the next generated password will be good. Just to be sure, I add more cleanup steps:

  1. Remove ad provider
  2. config delete nsdc
  3. config delete sssd
  4. rm -f /var/lib/nethserver/secrets/ldapservice
  5. signal-event nethserver-sssd-update
  6. Reinstall local ad provider

You’ve been out of luck too :smile:

Yes, we can reopen it…


(Giacomo Sanchietti) #16

Issue opened: https://github.com/NethServer/dev/issues/5545

Pasquale, do you have time to test the fix?
Just follow the steps described by Davide, but before the last step execute:

yum --enablerepo=nethserver-testing update nethserver-lib

(Pasquale Inglese) #17

I was testing the solution but another problem arose:

# yum --enablerepo=nethserver-testing update nethserver-lib
Loaded plugins: changelog, fastestmirror, nethserver_events
Loading mirror speeds from cached hostfile
Could not retrieve mirrorlist http://mirrorlist.centos.org/?release=7&arch=x86_64&repo=os&infra=stock error was
14: curl#6 - "Could not resolve host: mirrorlist.centos.org; Unknown error"


 One of the configured repositories failed (Unknown),
 and yum doesn't have enough cached data to continue. At this point the only
 safe thing yum can do is fail. There are a few ways to work "fix" this:

     1. Contact the upstream for the repository and get them to fix the problem.

     2. Reconfigure the baseurl/etc. for the repository, to point to a working
        upstream. This is most often useful if you are using a newer
        distribution release than is supported by the repository (and the
        packages for the previous distribution release still work).

     3. Run the command with the repository temporarily disabled
            yum --disablerepo=<repoid> ...

     4. Disable the repository permanently, so yum won't use it by default. Yum
        will then just ignore the repository until you permanently enable it
        again or use --enablerepo for temporary usage:

            yum-config-manager --disable <repoid>
        or
            subscription-manager repos --disable=<repoid>

     5. Configure the failing repository to be skipped, if it is unavailable.
        Note that yum will try to contact the repo. when it runs most commands,
        so will have to try and fail each time (and thus. yum will be be much
        slower). If it is a very temporary problem though, this is often a nice
        compromise:

            yum-config-manager --save --setopt=<repoid>.skip_if_unavailable=true

Cannot find a valid baseurl for repo: base/7/x86_64

The identical problem described in this post. The solution identified here in my case does not solve the problem.


(Giacomo Sanchietti) #18

You have DNS problems, please fix them before proceed.

By the way, I already released the update.


(Pasquale Inglese) #19

Fixed the DNS problem and tested the solution but with a negative result:

systemctl status -l sssd.service
● sssd.service - System Security Services Daemon
   Loaded: loaded (/usr/lib/systemd/system/sssd.service; enabled; vendor preset:                                             disabled)
   Active: failed (Result: exit-code) since Sat 2018-07-14 09:23:09 CEST; 8min ago
 Main PID: 20767 (code=exited, status=4)

Jul 14 09:23:08 gateway.evaluationlab.net systemd[1]: Starting System Security Services Daemon...
Jul 14 09:23:09 gateway.evaluationlab.net sssd[20767]: SSSD couldn't load the configuration database [5]: Input/output error.
Jul 14 09:23:09 gateway.evaluationlab.net systemd[1]: sssd.service: main process exited, code=exited, status=4/NOPERMISSION
Jul 14 09:23:09 gateway.evaluationlab.net systemd[1]: Failed to start System Security Services Daemon.
Jul 14 09:23:09 gateway.evaluationlab.net systemd[1]: Unit sssd.service entered failed state.
Jul 14 09:23:09 gateway.evaluationlab.net systemd[1]: sssd.service failed.