Re: [Freeipa-users] ipa trust-fetch-domains failing.

2016-07-19 Thread pgb205
Alexander,

Regarding your comment about putting the stanza on each client: in our case the
clients are not on the same network as the Active Directory domain controller.
My plan was to have the FreeIPA server act as the bridge-head server

AD DC <-> FIPA server <-> Linux clients

as it sits on the network that has access to both environments.

1. If each client has to go out to the AD DC to authenticate, then what is the
purpose of the FreeIPA server? I thought it would act as a proxy to forward
authentication requests to AD.
2. What would be my options in the above situation to get around this
requirement -- direct connectivity to the Active Directory environment by the clients?

Thanks

  -- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] ipa trust-fetch-domains failing.

2016-07-03 Thread Alexander Bokovoy

On Mon, 04 Jul 2016, pgb205 wrote:

> SELinux is disabled on the server. However, I managed to fix the problem by
> adding the AD.DOMAIN {} section to my krb5.conf in addition to IPA.DOMAIN {}.
> So it now looks like:
>
> [realms]
> IPA.DOMAIN {
>   master_kdc = ipa.dc.ipadomain:port
>   auth_kdc = ipa.dc.ipadomain:port
>   ...
> }
> AD.DOMAIN {
>   master_kdc = ad.dc.addomain:port
>   auth_kdc = ad.dc.addomain:port
>   ...
> }
>
> This had the desired effect, although I am not 100% clear on why this worked.
> My theory is that we have multiple domain controllers and of course the
> addomain.com forward zone that was configured prior returns a full
> list. Only the ports to the one ad.dc.addomain.com server have been
> opened between the IPA and AD servers, and so when the trust command is
> executed the connection goes to some domain controller that IPA can't
> connect to, eventually generating an error. Just a theory for now.

It is a totally plausible theory -- when we do trust-fetch-domains, we
try to use Kerberos authentication against AD DCs. Forcing the IPA master to
use a specific domain controller via krb5.conf should help here.

Note that you'll need to have a similar stanza on each IPA client as
well because authentication happens directly to AD DCs and SSSD on IPA
clients will have to do the same job using AD user credentials in case
of password logons.




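As an added example (not code from this thread or from FreeIPA), the following Python script parses the [realms] section of a krb5.conf laid out the way pgb205 describes and attempts a TCP connection to every kdc / master_kdc endpoint, so you can confirm from the IPA master and, as Alexander notes, from each IPA client that the pinned AD DC is the one the firewall actually permits. The realm and host names are constructed, and the function names are mine.

```python
import re
import socket

# Constructed sample in the layout the thread describes.  When a realm lists its
# KDCs here, MIT krb5 skips the DNS SRV lookup that returns every DC.
SAMPLE_KRB5_CONF = """
[realms]
  IPA.DOMAIN = {
    kdc = ipa.dc.ipadomain:88
    master_kdc = ipa.dc.ipadomain:88
  }
  AD.DOMAIN = {
    kdc = ad.dc.addomain:88
    master_kdc = ad.dc.addomain:88
  }
"""

KDC_KEYS = ("kdc", "master_kdc")
STANZA_RE = re.compile(r"^([\w.\-]+)\s*=?\s*\{$")


def parse_realms(text):
    """Return {realm: [(host, port), ...]} for the kdc-type keys in [realms]."""
    realms = {}
    in_realms = False
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        if line.startswith("["):              # section header
            in_realms = line == "[realms]"
            continue
        if not in_realms:
            continue
        m = STANZA_RE.match(line)
        if m:                                 # "REALM = {" opens a stanza
            current = m.group(1)
            realms.setdefault(current, [])
        elif line == "}":
            current = None
        elif current and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            if key in KDC_KEYS:
                host, _, port = value.partition(":")
                realms[current].append((host, int(port) if port else 88))
    return realms


def check_reachable(endpoints, connect=socket.create_connection, timeout=3.0):
    """TCP-connect to each (host, port); return {(host, port): bool}. `connect`
    is injectable so the logic can be exercised without a network."""
    status = {}
    for host, port in endpoints:
        try:
            connect((host, port), timeout=timeout).close()
            status[(host, port)] = True
        except OSError:
            status[(host, port)] = False
    return status


if __name__ == "__main__":
    # Run on the IPA master and on every IPA client: SSSD on clients talks to AD directly.
    for realm, endpoints in parse_realms(SAMPLE_KRB5_CONF).items():
        for (host, port), ok in check_reachable(endpoints).items():
            print(f"{realm}: {host}:{port} {'reachable' if ok else 'UNREACHABLE'}")
```

Point the script at /etc/krb5.conf on a real host to check the stanza you actually deployed; an UNREACHABLE kdc is exactly the DC that trust-fetch-domains or a client password logon would hang on.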


Re: [Freeipa-users] ipa trust-fetch-domains failing.

2016-07-03 Thread pgb205
SELinux is disabled on the server. However, I managed to fix the problem by
adding the AD.DOMAIN {} section to my krb5.conf in addition to IPA.DOMAIN {}.
So it now looks like:

[realms]
IPA.DOMAIN {
  master_kdc = ipa.dc.ipadomain:port
  auth_kdc = ipa.dc.ipadomain:port
  ...
}
AD.DOMAIN {
  master_kdc = ad.dc.addomain:port
  auth_kdc = ad.dc.addomain:port
  ...
}

This had the desired effect, although I am not 100% clear on why this worked.
My theory is that we have multiple domain controllers and of course the
addomain.com forward zone that was configured prior returns a full list. Only
the ports to the one ad.dc.addomain.com server have been opened between the IPA
and AD servers, and so when the trust command is executed the connection goes to some
domain controller that IPA can't connect to, eventually generating an error.
Just a theory for now.

Thanks


Re: [Freeipa-users] ipa trust-fetch-domains failing.

2016-07-01 Thread Alexander Bokovoy

On Thu, 30 Jun 2016, pgb205 wrote:

> Ben, do you mind sharing your solution, as I am affected by the exact same error
> when fetching AD domains.

I'm currently on vacation and don't have access to my lab, but you need
to check if there are any problems with SELinux. 'ipa
trust-fetch-domains' calls out via DBus to another script. It is
functionally equivalent to the following command run as root:

# oddjob_request -s com.redhat.idm.trust -o / -i com.redhat.idm.trust com.redhat.idm.trust.fetch_domains ad.test

where ad.test is your AD root domain.

If you add 'log level = 100' in /usr/share/ipa/smb.conf.empty, then this
run will generate a lot of debug information.


--
/ Alexander Bokovoy



Re: [Freeipa-users] ipa trust-fetch-domains failing.

2016-06-30 Thread pgb205
Ben, do you mind sharing your solution, as I am affected by the exact same error
when fetching AD domains.

Thanks

Re: [Freeipa-users] ipa trust-fetch-domains failing.

2016-05-02 Thread Martin Kosek
Thanks for confirmation. Can you share with the list what was the root cause of
your problem? Maybe it helps someone else.

Thanks,
Martin

On 04/30/2016 08:23 AM, Ben .T.George wrote:
> Hi all
> 
> This issue has been solved.


Re: [Freeipa-users] ipa trust-fetch-domains failing.

2016-04-30 Thread Ben .T.George
Hi all

This issue has been solved.


Re: [Freeipa-users] ipa trust-fetch-domains failing.

2016-04-30 Thread Ben .T.George
When I am running ipa trust-fetch-domains "kwttestdc.com.kw", I am getting
the error below in error_log:

[Sat Apr 30 09:14:25.107449 2016] [:error] [pid 2666] ipa: ERROR: Failed to
call com.redhat.idm.trust.fetch_domains helper.DBus exception is
org.freedesktop.DBus.Error.NoReply: Did not receive a reply. Possible
causes include: the remote application did not send a reply, the message
bus security policy blocked the reply, the reply timeout expired, or the
network connection was broken..
[Sat Apr 30 09:14:25.108353 2016] [:error] [pid 2666] ipa: INFO:
[jsonserver_session] admin@IDM.LOCAL: trust_fetch_domains(u'kwttestdc.com.kw',
rights=False, all=False, raw=False, version=u'2.156'): ServerCommandError


Re: [Freeipa-users] ipa trust-fetch-domains failing.

2016-04-29 Thread Ben .T.George
Hi

Anyone please help me to fix this issue.

I have created a new group in AD (4 hours back) and while I was mapping this
group as --external, I am getting the error below.

[root@freeipa sysctl.d]# ipa group-add --external ad_admins_external --desc "KWTTESTDC.com.KW  AD Administrators-External"
--
Added group "ad_admins_external"
--
  Group name: ad_admins_external
  Description: KWTTESTDC.com.KW  AD Administrators-External
[root@freeipa sysctl.d]# ipa group-add-member ad_admins_external --external "KWTTESTDC\test admins"
[member user]:
[member group]:
  Group name: ad_admins_external
  Description: KWTTESTDC.com.KW  AD Administrators-External
  Failed members:
    member user:
    member group: KWTTESTDC\test admins: Cannot find specified domain or server name
-
Number of members added 0
-




[Freeipa-users] ipa trust-fetch-domains failing.

2016-04-29 Thread Ben .T.George
Hi

While issuing ipa trust-fetch-domains, I am getting the error below.

I have created a new security group in AD and I want to add this to an external
group.

[root@freeipa ~]# ipa trust-fetch-domains "kwttestdc.com.kw"
ipa: ERROR: error on server 'freeipa.idm.local': Fetching domains from trusted forest failed. See details in the error_log

Help me to fix/explain more about this error.

Regards