On 11/24/2014 02:23 PM, Alexander Bokovoy wrote:
> Trust validation requires AD DC to contact IPA server to verify that
> trust account actually works. It can fail due to DNS or firewall issue
> or if AD DC was able to resolve IPA master(s) via SRV records, it still
> may contact a replica that has no trust data replicated yet.
> In case AD DC still returns 'access denied', wait 5 seconds and try
> validation again. Repeat validation until we hit a limit of 10
> attempts, at which point raise exception telling what's happening.
> Freeipa-devel mailing list
ACK, works fine.
In the broken setup, we now correctly output:
[tbabej@vm-093 labtool]$ echo $AD_PASSWORD | ipa trust-add --type=ad $AD_DOMAIN --admin Administrator
ipa: ERROR: AD DC was unable to reach any IPA domain controller. Most likely it is a DNS or firewall issue
Associate Software Engineer | Red Hat | Identity Management
RHCE | Brno Site | IRC: tbabej | freeipa.org
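
The retry policy from the quoted patch description, as an added sketch that is not FreeIPA's own code. The names validate_with_retry, AccessDenied, TrustValidationError and make_flaky_validator are hypothetical, the final error text is constructed, and skipping the wait after the last failed attempt is a choice made here.

```python
import time

MAX_ATTEMPTS = 10   # attempt limit stated in the patch description
RETRY_DELAY = 5     # seconds between attempts, per the description


class AccessDenied(Exception):
    """Hypothetical stand-in for the 'access denied' reply from the AD DC."""


class TrustValidationError(Exception):
    """Raised once the attempt limit is exhausted."""


def validate_with_retry(validate, sleep=time.sleep,
                        attempts=MAX_ATTEMPTS, delay=RETRY_DELAY):
    """Call validate() until it succeeds or the attempt limit is reached.

    Only AccessDenied is treated as transient (for example the AD DC reached
    a replica with no trust data yet); any other exception propagates at once.
    Returns the number of attempts used.
    """
    for attempt in range(1, attempts + 1):
        try:
            validate()
            return attempt
        except AccessDenied:
            if attempt < attempts:
                sleep(delay)  # assumption: no wait after the final failure
    raise TrustValidationError(
        "AD DC still returned 'access denied' after %d attempts; "
        "check DNS, firewall and replication (constructed message)" % attempts)


def make_flaky_validator(failures):
    """Constructed test double: denies access `failures` times, then succeeds."""
    state = {"left": failures}

    def validate():
        if state["left"] > 0:
            state["left"] -= 1
            raise AccessDenied()
    return validate


if __name__ == "__main__":
    waits = []  # record requested delays instead of actually sleeping
    used = validate_with_retry(make_flaky_validator(3), sleep=waits.append)
    print("succeeded on attempt", used, "after waiting", sum(waits), "seconds")
```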