| Summary: | IPA uninstall on a trust configured server exits with an error for samba | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Steeve Goveas <sgoveas> |
| Component: | ipa | Assignee: | Martin Kosek <mkosek> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Namita Soman <nsoman> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | medium | | |
| Version: | 7.0 | CC: | dpal, nsoman, pviktori, rcritten |
| Target Milestone: | rc | | |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | ipa-3.3.3-6.el7 | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2014-06-13 11:38:43 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
Upstream ticket: https://fedorahosted.org/freeipa/ticket/4042

Correction in the steps to reproduce this bug. Since ipa-adtrust-install needs to find samba service running when it's executed, it should be run at least twice to set that samba running state, causing ipa-server uninstall to start it again.

Steps to reproduce this issue.

1. Run ipa-adtrust-install 2 or more times on IPA server
2. Uninstall IPA

Fixed upstream:

master: https://fedorahosted.org/freeipa/changeset/d361e12ae55f391a13b613a7220c164f503954cc

ipa-3-3: https://fedorahosted.org/freeipa/changeset/6680572ad5c1419f094335c9f82a0e3763bf883e

```
[root@tyan-gt24-01 ~]# ipa-adtrust-install -a Secret123 -U ; ipa-adtrust-install -a Secret123 -U

The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will setup components needed to establish trust to AD domains for the IPA Server.

This includes:
  * Configure Samba
  * Add trust related objects to IPA LDAP server

To accept the default shown in brackets, press the Enter key.

WARNING: 3 existing users or groups do not have a SID identifier assigned.
Installer can run a task to have ipa-sidgen Directory Server plugin generate
the SID identifier for all these users. Please note, the in case of a high
number of users and groups, the operation might lead to high replication
traffic and performance degradation. Refer to ipa-adtrust-install(1) man page
for details.

Unattended mode was selected, installer will NOT run ipa-sidgen task!
Configuring CIFS
  [1/19]: stopping smbd
  [2/19]: creating samba domain object
  [3/19]: creating samba config registry
  [4/19]: writing samba config file
  [5/19]: adding cifs Kerberos principal
  [6/19]: check for cifs services defined on other replicas
  [7/19]: adding cifs principal to S4U2Proxy targets
  [8/19]: adding admin(group) SIDs
  [9/19]: adding RID bases
  [10/19]: updating Kerberos config
'dns_lookup_kdc' already set to 'true', nothing to do.
  [11/19]: activating CLDAP plugin
  [12/19]: activating sidgen plugin and task
  [13/19]: activating extdom plugin
  [14/19]: configuring smbd to start on boot
  [15/19]: adding special DNS service records
  [16/19]: restarting Directory Server to take MS PAC and LDAP plugins changes into account
  [17/19]: adding fallback group
  [18/19]: setting SELinux booleans
  [19/19]: starting CIFS services
Done configuring CIFS.

=============================================================================
Setup complete

You must make sure these network ports are open:
    TCP Ports:
      * 138: netbios-dgm
      * 139: netbios-ssn
      * 445: microsoft-ds
    UDP Ports:
      * 138: netbios-dgm
      * 139: netbios-ssn
      * 389: (C)LDAP
      * 445: microsoft-ds

Additionally you have to make sure the IPA LDAP server is not reachable
by any domain controller in the Active Directory domain by closing down
the following ports for these servers:
    TCP Ports:
      * 389, 636: LDAP/LDAPS

You may want to choose to REJECT the network packets instead of DROPing
them to avoid timeouts on the AD domain controllers.

=============================================================================

The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will setup components needed to establish trust to AD domains for the IPA Server.

This includes:
  * Configure Samba
  * Add trust related objects to IPA LDAP server

To accept the default shown in brackets, press the Enter key.

WARNING: 1 existing users or groups do not have a SID identifier assigned.
Installer can run a task to have ipa-sidgen Directory Server plugin generate
the SID identifier for all these users. Please note, the in case of a high
number of users and groups, the operation might lead to high replication
traffic and performance degradation. Refer to ipa-adtrust-install(1) man page
for details.

Unattended mode was selected, installer will NOT run ipa-sidgen task!
Configuring CIFS
  [1/19]: stopping smbd
  [2/19]: creating samba domain object
Samba domain object already exists
  [3/19]: creating samba config registry
  [4/19]: writing samba config file
  [5/19]: adding cifs Kerberos principal
  [6/19]: check for cifs services defined on other replicas
  [7/19]: adding cifs principal to S4U2Proxy targets
cifs principal already targeted, nothing to do.
  [8/19]: adding admin(group) SIDs
Admin SID already set, nothing to do
Admin group SID already set, nothing to do
  [9/19]: adding RID bases
RID bases already set, nothing to do
  [10/19]: updating Kerberos config
'dns_lookup_kdc' already set to 'true', nothing to do.
  [11/19]: activating CLDAP plugin
CLDAP plugin already configured, nothing to do
  [12/19]: activating sidgen plugin and task
Sidgen plugin already configured, nothing to do
Sidgen task plugin already configured, nothing to do
  [13/19]: activating extdom plugin
Extdom plugin already configured, nothing to do
  [14/19]: configuring smbd to start on boot
  [15/19]: adding special DNS service records
  [16/19]: restarting Directory Server to take MS PAC and LDAP plugins changes into account
  [17/19]: adding fallback group
Fallback group already set, nothing to do
  [18/19]: setting SELinux booleans
  [19/19]: starting CIFS services
Done configuring CIFS.

=============================================================================
Setup complete

You must make sure these network ports are open:
    TCP Ports:
      * 138: netbios-dgm
      * 139: netbios-ssn
      * 445: microsoft-ds
    UDP Ports:
      * 138: netbios-dgm
      * 139: netbios-ssn
      * 389: (C)LDAP
      * 445: microsoft-ds

Additionally you have to make sure the IPA LDAP server is not reachable
by any domain controller in the Active Directory domain by closing down
the following ports for these servers:
    TCP Ports:
      * 389, 636: LDAP/LDAPS

You may want to choose to REJECT the network packets instead of DROPing
them to avoid timeouts on the AD domain controllers.

=============================================================================

[root@tyan-gt24-01 ~]# ipa-server-install --uninstall -U
Shutting down all IPA services
Removing IPA client configuration
Unconfiguring ntpd
Unconfiguring CA
Unconfiguring named
Unconfiguring web server
Unconfiguring krb5kdc
Unconfiguring kadmin
Unconfiguring directory server
Unconfiguring smb
Unconfiguring ipa_memcached
Unconfiguring ipa-otpd

[root@tyan-gt24-01 ~]# echo $?
0
```

Verified in version

```
[root@tyan-gt24-01 ~]# rpm -q ipa-server
ipa-server-3.3.3-6.el7.x86_64
```

This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.

Created attachment 827211: IPA Uninstall logs

Description of problem:
IPA uninstall on a trust configured server exits with an error as it tries to start Samba after tearing apart its configuration.

Version-Release number of selected component (if applicable):
ipa-server-trust-ad-3.3.3-4.el7.x86_64

How reproducible:
always

Steps to Reproduce:
1. Run ipa-adtrust-install on IPA server
2. Uninstall IPA

Actual results:

```
[root@rhel7-b ipa-trust-cli]# ipa-server-install --uninstall -U
Shutting down all IPA services
Removing IPA client configuration
Unconfiguring ntpd
Unconfiguring CA
Unconfiguring named
Unconfiguring web server
Unconfiguring krb5kdc
Unconfiguring kadmin
Unconfiguring directory server
Unconfiguring smb
Unexpected error - see /var/log/ipaserver-uninstall.log for details:
CalledProcessError: Command '/bin/systemctl start smb.service' returned non-zero exit status 1
```

Expected results:
No errors on uninstall

Additional info:
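
The corrected reproduction steps in this report say a second ipa-adtrust-install run records Samba as running, and the uninstall then tries to start it after its configuration is gone. The following is an added toy model of that sequence, not FreeIPA code and not the upstream change; `FakeSamba`, `adtrust_install`, `uninstall`, `scenario`, the error text and the `keep_first` guard are all hypothetical names and assumptions made for illustration.

```python
# Added illustration: a toy model of the failure, not FreeIPA code.
# Every name and the error string below are constructed for this example.

class FakeSamba:
    """Stand-in for smb.service: it can only start while its config exists."""
    def __init__(self):
        self.configured = False
        self.running = False

    def start(self):
        if not self.configured:
            raise RuntimeError("start smb.service: non-zero exit status 1")
        self.running = True

    def stop(self):
        self.running = False


def adtrust_install(svc, saved, keep_first=False):
    """One installer run: record whether smb was running, then configure and start it."""
    if not (keep_first and "running" in saved):
        saved["running"] = svc.running   # a repeat run overwrites the first record
    svc.stop()
    svc.configured = True
    svc.start()


def uninstall(svc, saved):
    """Tear down the config, then put the service back in its recorded state."""
    svc.stop()
    svc.configured = False
    if saved.pop("running", False):
        svc.start()                      # fails: the config was just removed
    return svc.running


def scenario(runs, keep_first=False):
    """Return 'ok' or the error text after `runs` installs followed by one uninstall."""
    svc, saved = FakeSamba(), {}
    for _ in range(runs):
        adtrust_install(svc, saved, keep_first)
    try:
        uninstall(svc, saved)
        return "ok"
    except RuntimeError as exc:
        return str(exc)
```

In this model a single install followed by uninstall succeeds, two or more installs reproduce the start failure, and keeping only the first recorded state (the assumed `keep_first` guard) avoids it.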