IdM fails to start. Samba logged: Missing mandatory attribute ipaNTSecurityIdentifier

Solution Verified - Updated -

Issue

After attempting to establish an AD trust, the IdM server fails to start.

  • IdM server failed to start; ipactl reports that the smb and winbind services failed:

    # ipactl restart --ignore-service-failure
    Starting Directory Service
    Starting krb5kdc Service
    Starting kadmin Service
    Starting named Service
    Starting httpd Service
    Starting ipa-custodia Service
    Starting pki-tomcatd Service
    Starting smb Service
    Failed to start smb Service
    Forced start, ignoring smb Service, continuing normal operation
    Starting winbind Service
    Failed to start winbind Service
    Forced start, ignoring winbind Service, continuing normal operation
    Starting ipa-otpd Service
    Starting ipa-dnskeysyncd Service
    ipa: INFO: The ipactl command was successful
    
  • The Samba log shows "Missing mandatory attribute ipaNTSecurityIdentifier", and the ipasam passdb backend fails to initialize:

    [2022/07/21 07:22:09.841355,  0, pid=7811] ../../source3/smbd/server.c:1734(main)
     smbd version 4.15.5 started.
     Copyright Andrew Tridgell and the Samba Team 1992-2021
    [2022/07/21 07:22:09.970847,  0, pid=7811] ipa_sam.c:4212(get_fallback_group_sid)
     Missing mandatory attribute ipaNTSecurityIdentifier.                        <<<<<=====
    [2022/07/21 07:22:09.970909,  0, pid=7811] ipa_sam.c:5182(pdb_init_ipasam)
     Cannot find SID of fallback group.
    [2022/07/21 07:22:09.970929,  0, pid=7811] ../../source3/passdb/pdb_interface.c:182(make_pdb_method_name)
     pdb backend ipasam:ldapi://%2fvar%2frun%2fslapd-EXAMPLE-COM.socket did not correctly init (error was NT_STATUS_INVALID_PARAMETER)
    

Environment

  • Red Hat Enterprise Linux 7
  • Red Hat Enterprise Linux 8
  • Red Hat Enterprise Linux 9
  • Red Hat Identity Management (IdM) / FreeIPA
