On Fri, 04 Aug 2017, Yuri Moens via FreeIPA-users wrote:

I'm currently trying to set up a trust between IPA and Samba AD but I keep
running into some issues.

IPA is running on CentOS 7
VERSION: 4.4.0, API_VERSION: 2.213
ipa01.cloud.ymo.lab, Netbios CLOUD, domain cloud.ymo.lab

Samba is running on CentOS7
Version 4.6.6
dc01.win.ymo.lab, Netbios WIN, domain win.ymo.lab

Both are fresh installs. Samba is running Bind DLZ as DNS backend. DNS
forwarding is working correctly.

[root@ipa01 ~]# dig +short srv _ldap._tcp.{cloud,win}.ymo.lab
0 100 389 ipa01.cloud.ymo.lab.
0 100 389 dc01.win.ymo.lab.
[root@ipa01 ~]# dig +short {cloud,win}.ymo.lab

[root@dc01 bin]# dig +short srv _ldap._tcp.{cloud,win}.ymo.lab
0 100 389 ipa01.cloud.ymo.lab.
0 100 389 dc01.win.ymo.lab.
[root@dc01 bin]# dig +short {cloud,win}.ymo.lab

I'm currently stuck on adding the trust:

[root@ipa01 ~]# ipa trust-add --type=ad win.ymo.lab --admin Administrator
--password --two-way=true
Active Directory domain administrator's password:
ipa: ERROR: CIFS server communication error: code "1315", message
"WERR_INVALID_ACCOUNT_NAME" (both may be "None")

I've attached the /var/log/httpd/error_log on the IPA side and the output
of Samba running with debug level 7.

Does anyone know how I can get past this?

There are currently known bugs in Samba AD in using the wrong salt for the TDO
account. At least for Samba 4.7.0 release candidates one can establish
trust but it will fail to work.

Your issue looks a bit different though. Add

[global]
 log level = 100

to /usr/share/ipa/smb.conf.empty and re-try 'ipa trust-add ..'

In /var/log/httpd/error_log you'll get a debug log of what the IPA side sees
when talking to AD DCs and to a local smbd instance. Show those logs.

/ Alexander Bokovoy
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org