After installing freeipa-server-trust-ad ipa tries to start smb.service which doesn't exist

Bug #1543230 reported by moritz.kuehner on 2016-02-08
This bug affects 1 person
Affects: freeipa (Ubuntu)
Importance: Medium
Assigned to: Unassigned

Bug Description

Installing freeipa-server-trust-ad (and running ipa-adtrust-install) will degrade the ipa server and break the entire system, including the DNS server (bind9). The reason is that ipactl tries to start samba by explicitly calling systemctl start 'smb.service'.
Calling systemctl start 'smb.service' however results in:

Failed to start smb.service: Unit smb.service failed to load: No such file or directory.

debug output of "ipactl -d start":

[...]

ipa: DEBUG: stderr=
Starting pki-tomcatd Service
ipa: DEBUG: Starting external process
ipa: DEBUG: args='/bin/systemctl' 'start' 'pki-tomcatd.service'
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: Starting external process
ipa: DEBUG: args='/bin/systemctl' 'is-active' 'pki-tomcatd.service'
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=active

ipa: DEBUG: stderr=
Starting smb Service
ipa: DEBUG: Starting external process
ipa: DEBUG: args='/bin/systemctl' 'start' 'smb.service'
Failed to start smb.service: Unit smb.service failed to load: No such file or directory.
ipa: DEBUG: Process finished, return code=6
Failed to start smb Service
Shutting down
ipa: DEBUG: Starting external process
ipa: DEBUG: args='/usr/sbin/service' 'krb5-kdc' 'stop' ''
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: Starting external process
ipa: DEBUG: args='/usr/sbin/service' 'krb5-admin-server' 'stop' ''
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: Starting external process
ipa: DEBUG: args='/usr/sbin/service' 'bind9' 'stop' ''
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: Starting external process
ipa: DEBUG: args='/bin/systemctl' 'stop' 'ipa_memcached.service'
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: Starting external process
ipa: DEBUG: args='/usr/sbin/service' 'apache2' 'stop' ''
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: Starting external process
ipa: DEBUG: args='/bin/systemctl' 'stop' 'pki-tomcatd.service'
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: Starting external process
ipa: DEBUG: args='/bin/systemctl' 'stop' 'smb.service'
Failed to stop smb.service: Unit smb.service not loaded.
ipa: DEBUG: Process finished, return code=5
ipa: DEBUG: Starting external process
ipa: DEBUG: args='/bin/systemctl' 'stop' 'winbind.service'
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: Starting external process
ipa: DEBUG: args='/bin/systemctl' 'stop' 'ipa-otpd.socket' '--ignore-dependencies'
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: Starting external process
ipa: DEBUG: args='/bin/systemctl' 'stop' 'dirsrv@##########.service'
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: File "/usr/lib/python2.7/dist-packages/ipaserver/install/installutils.py", line 642, in run_script
    return_value = main_function()

  File "/usr/sbin/ipactl", line 505, in main
    ipa_start(options)

  File "/usr/sbin/ipactl", line 273, in ipa_start
    raise IpactlError("Aborting ipactl")

ipa: DEBUG: The ipactl command failed, exception: IpactlError: Aborting ipactl
Aborting ipactl

This also affects 15.10! I updated to 16.04 to see if it was fixed already.

ProblemType: Bug
DistroRelease: Ubuntu 16.04
Package: freeipa-server-trust-ad 4.1.4-1
ProcVersionSignature: Ubuntu 4.4.0-2.16-generic 4.4.0
Uname: Linux 4.4.0-2-generic x86_64
ApportVersion: 2.19.4-0ubuntu2
Architecture: amd64
Date: Mon Feb 8 18:25:11 2016
InstallationDate: Installed on 2016-01-19 (20 days ago)
InstallationMedia: Ubuntu-Server 15.10 "Wily Werewolf" - Release amd64 (20151021)
ProcEnviron:
 TERM=xterm-256color
 PATH=(custom, no user)
 XDG_RUNTIME_DIR=<set>
 LANG=de_DE.UTF-8
 SHELL=/bin/bash
SourcePackage: freeipa
UpgradeStatus: Upgraded to xenial on 2016-02-05 (3 days ago)
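
The debug output above shows one failed start (smb.service, return code 6) causing ipactl to stop every other service, including the KDC and bind9. The following is an added example, not part of the original report or of FreeIPA: a small parser that pairs each external command in `ipactl -d` output with its return code and lists which units were stopped as a consequence. The sample log is constructed in the same line format; the function names are hypothetical.

```python
import re

# Constructed sample in the format of the `ipactl -d start` output quoted in the report.
SAMPLE = """\
ipa: DEBUG: args='/bin/systemctl' 'start' 'pki-tomcatd.service'
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: args='/bin/systemctl' 'start' 'smb.service'
Failed to start smb.service: Unit smb.service failed to load: No such file or directory.
ipa: DEBUG: Process finished, return code=6
Failed to start smb Service
Shutting down
ipa: DEBUG: args='/usr/sbin/service' 'bind9' 'stop' ''
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: args='/bin/systemctl' 'stop' 'smb.service'
Failed to stop smb.service: Unit smb.service not loaded.
ipa: DEBUG: Process finished, return code=5
"""
ARGS_RE = re.compile(r"^ipa: DEBUG: args=(.+)$")
RC_RE = re.compile(r"^ipa: DEBUG: Process finished, return code=(-?\d+)$")

def parse_commands(log_text):
    """Pair each external command with its return code and its non-DEBUG output."""
    commands, current = [], None
    for line in log_text.splitlines():
        args, rc = ARGS_RE.match(line), RC_RE.match(line)
        if args:
            argv = re.findall(r"'([^']*)'", args.group(1))
            current = {"argv": argv, "rc": None, "output": []}
            commands.append(current)
        elif rc and current is not None:
            current["rc"] = int(rc.group(1))
            current = None
        elif current is not None and line and not line.startswith("ipa: DEBUG:"):
            current["output"].append(line)
    return commands

def action_and_unit(argv):
    """systemctl takes ACTION UNIT; /usr/sbin/service takes NAME ACTION."""
    if len(argv) < 3:
        return None, None
    return (argv[1], argv[2]) if argv[0].endswith("/systemctl") else (argv[2], argv[1])

def failures(commands):
    return [c for c in commands if c["rc"] not in (0, None)]

def collateral_stops(commands):
    """Units stopped successfully after the first failed start."""
    for i, cmd in enumerate(commands):
        if cmd["rc"] not in (0, None) and action_and_unit(cmd["argv"])[0] == "start":
            return [action_and_unit(c["argv"])[1] for c in commands[i + 1:]
                    if c["rc"] == 0 and action_and_unit(c["argv"])[0] == "stop"]
    return []
```

Running `collateral_stops(parse_commands(open(path).read()))` on a saved debug log gives the list of services that went down because of the single failing unit.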

Timo Aaltonen (tjaalton) wrote :

right, I don't know if ipa-adtrust-install needs an actual AD instance to test against, or samba.. I don't have either so this part is untested

it's fairly trivial to fix that smb.service part though, but there might be other bugs still

Changed in freeipa (Ubuntu):
status: New → Triaged
moritz.kuehner (moritz-kuehner) wrote :

You don't need anything really but a virtual machine. I would actually hope that you give it a try. I have been trying to set up a FreeIPA server based on Ubuntu 15.10/16.04 and it has been an uphill battle all the way. So much so that I am thinking about giving up and rolling it in a docker container or just installing a CentOS server. I'm not saying this as a threat but just to get my level of frustration across.

Steps:
1.) Install freeipa server:
sudo apt-get install freeipa-server

2.) configure ipa:
sudo ipa-server-install

2.a)
Opt to install DNS server

3.)
DNS will not work because AppArmor blocks bind9 from reading the freeipa domain. ← easy fix.
Also you will hit this bug: https://bugs.launchpad.net/ubuntu/+source/certmonger/+bug/1509484

4.)
Install freeipa-server-trust-ad
and run ipa-adtrust-install

I'm not sure what options I set exactly, but it shouldn't matter too much. Is there a log file created by the installer somewhere?

Timo Aaltonen (tjaalton) wrote :

the logs are in /var/log/ipa* but I know how to fix this

I'm the one packaging ipa for debian/ubuntu and currently trying to get 4.3 to fully replicate, which none of the earlier versions were able to even start..

Changed in freeipa (Ubuntu):
importance: Undecided → Medium
Timo Aaltonen (tjaalton) wrote :

default samba installation doesn't install /etc/samba/smb.conf, so ipa-adtrust-install fails right away because of that.. but after adding that file and the fix for ipaplatform/services.py it installs fine

Timo Aaltonen (tjaalton) wrote :

sorry, it's actually server or client uninstall that deletes it.. which is a bug of course, should restore the original file there

Alexander Bokovoy (abbra) wrote :

Note that trust to AD is not available in FreeIPA on Debian/Ubuntu platforms. To make that work, Samba in Debian/Ubuntu needs to be compiled against MIT Kerberos, as the ipasam module in FreeIPA only supports MIT Kerberos and Python bindings to Samba are expected to be loaded into the MIT Kerberos-enabled FreeIPA Python framework in Apache.

Samba is not compiled against MIT Kerberos in Debian/Ubuntu because it is not possible to do so for the Samba AD build. We are working upstream to make Samba AD ported to MIT Kerberos but this work is still ongoing.

moritz.kuehner (moritz-kuehner) wrote :

So freeipa-server-trust-ad is not expected to actually work? Fine. All I really need is to authenticate samba file shares with my local freeipa server. Is that at least possible?

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package freeipa - 4.3.1-0ubuntu1

---------------
freeipa (4.3.1-0ubuntu1) xenial; urgency=medium

  * Sync from Debian.

freeipa (4.3.1-1) unstable; urgency=medium

  * New upstream release. (Closes: #781607, #786411) (LP: #1449304)
    - drop no-test-lang.diff, obsolete
  * fix-match-hostname.diff, control: Drop the patch and python-openssl
    deps, not needed anymore
  * rules, platform, server.dirs, server.install:
    Add support for DNSSEC.
  * control, rules: Add support for kdcproxy.
  * control, server: Migrate to mod-auth-gssapi.
  * control, rules, fix-ipa-conf.diff: Add support for custodia.
  * control:
    - Add python-cryptography to build-deps and python-freeipa deps.
    - Add libp11-kit-dev to build-deps, p11-kit to server deps.
    - Depend on python-gssapi instead of python-kerberos/-krbV.
    - Add libini-config-dev and python-dbus to build-deps, replace wget
      with curl.
    - Bump libkrb5-dev build-dep.
    - Add pki-base to build-deps and pki-kra to server deps, bump pki-ca
      version.
    - Drop python-m2crypto from deps, obsolete.
    - Bump sssd deps to 1.13.1.
    - Add python-six to build-deps and python-freeipa deps.
    - Split python stuff from server, client, tests to python-
      ipa{server,client,tests}, rename python-freeipa to match and move
      translations to freeipa-common. Mark them Arch:all where possible,
      and add Breaks/Replaces.
    - Add oddjob to server and oddjob-mkhomedir to client deps.
    - Add python-setuptools to python-ipalib deps.
    - Bump 389-ds-base* deps.
    - Bump server and python-ipaserver dependency on python-ldap to 2.4.22
      to fix a bug on ipa-server-upgrade.
    - Add pki-tools to python-ipaserver deps.
    - Add zip to python-ipaserver depends.
    - Add python-systemd to server depends.
    - Add opendnssec to freeipa-server-dns depends.
    - Add python-cffi to python-ipalib depends.
    - Bump dep on bind9-dyndb-ldap.
    - Bump certmonger dependency to version that has helpers in the correct
      place.
  * patches:
    - prefix.patch: Fix ipalib install too.
    - Drop bits of platform.diff and other patches that are now upstream.
    - fix-kdcproxy-paths.diff: Fix paths in kdcproxy configs.
    - fix-oddjobs.diff: Fix paths and uids in oddjob configs.
    - fix-replicainstall.diff: Use ldap instead of ldaps for conncheck.
    - fix-dnssec-services.diff: Debianize ipa-dnskeysyncd & ipa-ods-
      exporter units.
    - create-sysconfig-ods.diff: Create an empty file for opendnssec
      daemons, until opendnssec itself is fixed.
    - purge-firefox-extension.diff: Clean obsolete kerberosauth.xpi.
    - enable-mod-nss-during-setup.diff: Split from platform.diff, call
      a2enmod/a2dismod from httpinstance.py.
    - fix-memcached.diff: Split from platform.diff, debianize memcached
      conf & unit.
    - hack-libarch.diff: Don't use fedora libpaths.
  * add-debian-platform.diff:
    - Update paths.py to include all variables, comment out ones we don't
      modify.
    - Use systemwide certificate store; put ipa-ca.crt in
      /usr/local/share/ca-certificates, and run update-ca-certificates
    - Map smb service to smbd (...


Changed in freeipa (Ubuntu):
status: Triaged → Fix Released