On 11/24/2014 02:23 PM, Alexander Bokovoy wrote:
> Hi,
>
> Trust validation requires AD DC to contact IPA server to verify that
> trust account actually works. It can fail due to DNS or firewall issue
> or if AD DC was able to resolve IPA master(s) via SRV records, it still
> may contact a replica that has no trust data replicated yet.
>
> In case AD DC still returns 'access denied', wait 5 seconds and try
> validation again.  Repeat validation until we hit a limit of 10
> attempts, at which point raise exception telling what's happening.
>
> https://fedorahosted.org/freeipa/ticket/4764
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel

ACK, works fine.

In the broken setup, we now correctly output:

[tbabej@vm-093 labtool]$ echo $AD_PASSWORD | ipa trust-add --type=ad $AD_DOMAIN --admin Administrator --password

ipa: ERROR: AD DC was unable to reach any IPA domain controller. Most likely it is a DNS or firewall issue

Pushed to:
master: ed3dddab870563b398400b05af3d945e8fc2ec9d
ipa-4-1: 538e023107ed307142ca7302ff34106c53afa932

-- 
Tomas Babej
Associate Software Engineer | Red Hat | Identity Management
RHCE | Brno Site | IRC: tbabej | freeipa.org 
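
The retry behaviour described in the quoted message, as an added example: it is not the FreeIPA patch and not code from either participant in the thread. The exception classes, `validate_with_retry` and `make_flaky_validator` are hypothetical names; the 5-second delay, the 10-attempt limit and the error text are taken from the thread.

```python
import time

RETRY_DELAY_SECONDS = 5   # from the message: wait 5 seconds
MAX_ATTEMPTS = 10         # from the message: limit of 10 attempts


class AccessDenied(Exception):
    """Hypothetical: the AD DC answered 'access denied' to validation."""


class TrustValidationError(Exception):
    """Hypothetical: raised once every attempt has been used up."""


def validate_with_retry(validate, sleep=time.sleep,
                        attempts=MAX_ATTEMPTS, delay=RETRY_DELAY_SECONDS):
    """Call validate() until it succeeds or the attempt limit is reached.

    Only AccessDenied is retried; any other exception propagates at once,
    so an unrelated failure is not hidden behind repeated waits.
    Returns the number of attempts used.
    """
    for attempt in range(1, attempts + 1):
        try:
            validate()
            return attempt
        except AccessDenied:
            if attempt < attempts:
                sleep(delay)  # no sleep after the final failure
    raise TrustValidationError(
        "AD DC was unable to reach any IPA domain controller. "
        "Most likely it is a DNS or firewall issue")


def make_flaky_validator(failures):
    """Constructed stand-in for the AD DC: deny `failures` times, then pass."""
    state = {"left": failures}

    def validate():
        if state["left"] > 0:
            state["left"] -= 1
            raise AccessDenied()
    return validate


if __name__ == "__main__":
    waits = []  # record requested delays instead of really sleeping
    used = validate_with_retry(make_flaky_validator(3), sleep=waits.append)
    print(used, sum(waits))
```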
