I uninstalled LDAP as a local account and installed AD and I came across these errors:
Jun 22 19:27:25 gateway systemd: Starting NethServer Domain Controller container...
Jun 22 19:27:25 gateway systemd-nspawn: Failed to create directory /var/lib/machines/nsdc//sys/fs/selinux: Read-only file system
Jun 22 19:27:25 gateway systemd-nspawn: Failed to create directory /var/lib/machines/nsdc//sys/fs/selinux: Read-only file system
Jun 22 19:27:25 gateway kernel: IPv6: ADDRCONF(NETDEV_UP): vb-nsdc: link is not ready
Jun 22 19:27:52 gateway esmith::event[9681]: Running as unit create-ldapservice-q8stdx.service.
...
Jun 22 19:27:54 gateway esmith::event[9681]: ERROR: Failed to set password for user 'ldapservice': (19, '0000052D: Constraint violation - check_password_restrictions: the password does not meet the complexity criteria!')
Jun 22 19:27:54 gateway esmith::event[9681]: + (( ++errors ))
Jun 22 19:27:54 gateway esmith::event[9681]: + (( errors > 0 ))
Jun 22 19:27:54 gateway esmith::event[9681]: + exit 1
Jun 22 19:27:54 gateway esmith::event[9681]: [ERROR] ldapservice creation task failed
Jun 22 19:27:54 gateway esmith::event[9681]: Action: /etc/e-smith/events/nethserver-dc-save/S96nethserver-dc-createldapservice FAILED: 1 [2.614136]
...
Jun 22 19:27:58 gateway systemd: Started Cleanup of Temporary Directories.
Jun 22 19:28:00 gateway kernel: net[13580]: segfault at 2 ip 00005606c3ef8e1b sp 00007fff8ffad470 error 4 in net[5606c3e80000+d9000]
Jun 22 19:28:00 gateway realmd: Enter Administrator's password: ! Failed to enroll machine in realm: Process was terminated with signal: 11
Jun 22 19:28:00 gateway esmith::event[9681]: Password for Administrator: See: journalctl REALMD_OPERATION=r346500.13568
Jun 22 19:28:00 gateway esmith::event[9681]: realm: Couldn't join realm: Failed to enroll machine in realm. See diagnostics.
Jun 22 19:28:00 gateway esmith::event[9681]:
Jun 22 19:28:00 gateway esmith::event[9681]: [WARNING] DC join attempt 1 of 3 failed! Wait a few seconds...
...
Jun 22 19:28:22 gateway esmith::event[9681]: [ERROR] DC join failed
Jun 22 19:28:22 gateway esmith::event[9681]: Action: /etc/e-smith/events/nethserver-dc-save/S96nethserver-dc-join FAILED: 1 [28.29036]
Jun 22 19:28:23 gateway esmith::event[9681]: Password complexity activated!
Jun 22 19:28:23 gateway esmith::event[9681]: Password history length changed!
Jun 22 19:28:23 gateway esmith::event[9681]: Minimum password age changed!
Jun 22 19:28:23 gateway esmith::event[9681]: Maximum password age changed!
Jun 22 19:28:23 gateway esmith::event[9681]: All changes applied successfully!
Jun 22 19:28:23 gateway esmith::event[9681]: Action: /etc/e-smith/events/nethserver-dc-save/S97nethserver-dc-password-policy SUCCESS [0.846166]
Jun 22 19:28:23 gateway esmith::event[9681]: Action: /etc/e-smith/events/nethserver-dc-save/S97nethserver-dc-set-upn SUCCESS [0.583932]
Jun 22 19:28:25 gateway esmith::event[9681]: User 'admin' created successfully
Jun 22 19:28:26 gateway esmith::event[9681]: Added members to group Domain Admins
Jun 22 19:28:27 gateway evebox: 2018-06-22 19:28:27 (evefileprocessor.go:176) <Info> -- Total: 6563; last minute: 3; EOFs: 59
Jun 22 19:28:27 gateway esmith::event[9681]: Action: /etc/e-smith/events/nethserver-dc-save/S98nethserver-dc-createadmins SUCCESS [4.09107]
Jun 22 19:28:28 gateway esmith::event[9681]: Action: /etc/e-smith/events/nethserver-dc-save/S98nethserver-dc-machine-grants SUCCESS [0.629064]
Jun 22 19:28:28 gateway esmith::event[9681]: Event: nethserver-dc-save FAILED
Jun 22 19:28:28 gateway esmith::event[9667]: Action: /etc/e-smith/events/nethserver-dc-update/S95nethserver-dc-firststart FAILED: 1 [383.245072]
I didn’t see this line… Well, a segmentation fault (SIGSEGV) in realmd’s child processes is really strange… As you said it’s reproducible: it could be a bug…
You could try this experiment:
Fire another VM with NethServer + local AD accounts provider
Jun 26 17:44:29 gateway realmd: * LANG=C LOGNAME=root /usr/bin/net -s /var/cache/realmd/realmd-smb-conf.SDVELZ -U Administrator ads join ad.evaluationlab.net
Jun 26 17:44:33 gateway kernel: net[12673]: segfault at 2 ip 000055c01d858e1b sp 00007ffdb258d000 error 4 in net[55c01d7e0000+d9000]
Jun 26 17:44:33 gateway realmd: Enter Administrator's password: ! Failed to enroll machine in realm: Process was terminated with signal: 11
Jun 26 17:44:33 gateway esmith::event[11639]: Password for Administrator: See: journalctl REALMD_OPERATION=r335115.12663
Jun 26 17:44:33 gateway esmith::event[11639]: realm: Couldn't join realm: Failed to enroll machine in realm. See diagnostics.
I don’t remember a similar issue. Could you ask for help on the Samba user ML?
Jun 26 17:44:28 gateway esmith::event[11639]: + samba-tool user setpassword ldapservice --newpassword=SFAgLgULDAYuIZKV
Jun 26 17:44:28 gateway esmith::event[11639]: ERROR: Failed to set password for user 'ldapservice': (19, '0000052D: Constraint violation - check_password_restrictions: the password does not meet the complexity criteria!')
Does the password need to meet the same criteria as for provisioning?
Passwords must contain characters from three of the following five categories:
Uppercase characters of European languages (A through Z, with diacritic marks, Greek and Cyrillic characters)
Lowercase characters of European languages (a through z, sharp-s, with diacritic marks, Greek and Cyrillic characters)
Any Unicode character that is categorized as an alphabetic character but is not uppercase or lowercase. This includes Unicode characters from Asian languages.
I’ve read that deleting the Samba config files gets past this error when the domain was already promoted or provisioned, but I could be wrong.
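The rejection shown in the logs can be reproduced offline. The following is an added example, not part of the thread or of NethServer's scripts: it applies the "three of five categories" rule to the two generated passwords quoted in this thread and shows a generator that cannot produce a password with fewer than three categories. The digit and ASCII-punctuation categories are taken from Microsoft's description of the policy (the excerpt above lists only three of the five), and the function names are hypothetical.

```python
import secrets
import string
import unicodedata

REQUIRED_CATEGORIES = 3  # "three of the following five categories"


def categories(password):
    """Return the set of complexity categories present in the password."""
    found = set()
    for ch in password:
        cat = unicodedata.category(ch)
        if cat == "Lu":
            found.add("upper")
        elif cat == "Ll":
            found.add("lower")
        elif ch in string.digits:
            found.add("digit")
        elif ch in string.punctuation:
            found.add("symbol")  # assumption: ASCII punctuation only
        elif cat.startswith("L"):
            found.add("other_alpha")  # alphabetic, neither upper nor lower
    return found


def meets_complexity(password):
    """True when at least three distinct categories are present."""
    return len(categories(password)) >= REQUIRED_CATEGORIES


def generate(length=16):
    """Random alphanumeric password that always covers three categories."""
    if length < REQUIRED_CATEGORIES:
        raise ValueError("length too short to cover three categories")
    pools = (string.ascii_uppercase, string.ascii_lowercase, string.digits)
    # One character from each pool first, so the result never depends on luck.
    chars = [secrets.choice(pool) for pool in pools]
    alphabet = "".join(pools)
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


if __name__ == "__main__":
    # Passwords copied from the log lines quoted in this thread.
    for pw in ("SFAgLgULDAYuIZKV", "yYxBKyOMAVANOmnk"):
        print(pw, sorted(categories(pw)), meets_complexity(pw))
    fresh = generate()
    print(fresh, sorted(categories(fresh)), meets_complexity(fresh))
```

Both quoted passwords contain only uppercase and lowercase letters, which is two categories, so the DC refuses them with `0000052D`.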
We’re about to release Samba DC 4.7.8. I can’t find any bugfix around the net command in their changelog, however the problem could be caused by the server side…
If you want to check it out, uninstall the AD accounts provider, edit /etc/yum.repos.d/NethServer.repo and set enabled=1 under [nethserver-testing] section. Then try to install the AD accounts provider again.
Is it possible that your system is short of RAM? Could you also share the output of
uptime
free -m
Another important log is given by
journalctl -M nsdc
samba-tool is within the nsdc container/chroot. To enter it:
systemd-run -M nsdc -t /bin/bash
However the ldapservice account issue could be a consequence of another problem. I’d not investigate it further by now.
I encountered the same error on a testing machine:
samba-tool user setpassword ldapservice --newpassword=yYxBKyOMAVANOmnk
ERROR: Failed to set password for user 'ldapservice': (19, '0000052D: Constraint violation - check_password_restrictions: the password does not meet the complexity criteria!')
Obviously the password is missing at least a number.
This is my workaround (but you need to be lucky):
You’re absolutely right! It’s always reproducible by @pasing because the account provider removal procedure never removes that file once it has been generated for the first time.
Please @pasing follow his workaround, probably the next generated password will be good. Just to be sure, I add more cleanup steps:
I was testing the solution but another problem arose:
# yum --enablerepo=nethserver-testing update nethserver-lib
Loaded plugins: changelog, fastestmirror, nethserver_events
Loading mirror speeds from cached hostfile
Could not retrieve mirrorlist http://mirrorlist.centos.org/?release=7&arch=x86_64&repo=os&infra=stock error was
14: curl#6 - "Could not resolve host: mirrorlist.centos.org; Unknown error"
One of the configured repositories failed (Unknown),
and yum doesn't have enough cached data to continue. At this point the only
safe thing yum can do is fail. There are a few ways to work "fix" this:
1. Contact the upstream for the repository and get them to fix the problem.
2. Reconfigure the baseurl/etc. for the repository, to point to a working
upstream. This is most often useful if you are using a newer
distribution release than is supported by the repository (and the
packages for the previous distribution release still work).
3. Run the command with the repository temporarily disabled
yum --disablerepo=<repoid> ...
4. Disable the repository permanently, so yum won't use it by default. Yum
will then just ignore the repository until you permanently enable it
again or use --enablerepo for temporary usage:
yum-config-manager --disable <repoid>
or
subscription-manager repos --disable=<repoid>
5. Configure the failing repository to be skipped, if it is unavailable.
Note that yum will try to contact the repo. when it runs most commands,
so will have to try and fail each time (and thus. yum will be be much
slower). If it is a very temporary problem though, this is often a nice
compromise:
yum-config-manager --save --setopt=<repoid>.skip_if_unavailable=true
Cannot find a valid baseurl for repo: base/7/x86_64
The identical problem described in this post. The solution identified here in my case does not solve the problem.