On Thu, 09 Nov 2017, Justin Smith via FreeIPA-users wrote:
Oh, right - I had forgotten about that.

It still throws the same error. I even tried turning the firewalls
completely off in case I accidentally missed something.
You need to generate debug logs to see what's happening and share them
off-list. Unfortunately, I'm pretty busy at work this week and would be
able to look at them only next week or so. Weekend is a traditional
Father's Day in Finland so I'd try to stay away from computers.

See https://www.freeipa.org/page/Active_Directory_trust_setup#Debugging_trust
for details. It may be helpful to record network traffic between IPA and
AD domain controllers too.


---
Justin Smith
IT Analyst
MIM Software, Inc.
https://www.mimsoftware.com/

----- Original Message -----
From: "Alexander Bokovoy" <aboko...@redhat.com>
To: "freeipa-users" <freeipa-users@lists.fedorahosted.org>
Cc: "Justin Smith" <jsm...@mimsoftware.com>
Sent: Thursday, November 9, 2017 1:54:16 PM
Subject: Re: [Freeipa-users] Trouble with AD Trust

On Thu, 09 Nov 2017, Justin Smith via FreeIPA-users wrote:
I have FreeIPA and Active Directory on our network and am attempting to
follow the official instructions
(https://www.freeipa.org/page/Active_Directory_trust_setup) for getting
a trust set up.

I'm down to the section where I run ipa trust-add to set up the trust.
I've set up and verified DNS forwarding on both ends.

Here is the output I'm stuck on:

[root@ipa2 conf.d]# ipa -v trust-add --type ad ad.mimsoftware.com --admin Administrator --password
ipa: INFO: trying https://ipa2.mimsoftware.com/ipa/json
ipa: INFO: [try 1]: Forwarding 'schema' to json server 'https://ipa2.mimsoftware.com/ipa/json'
ipa: INFO: trying https://ipa2.mimsoftware.com/ipa/session/json
Active Directory domain administrator's password:
ipa: INFO: [try 1]: Forwarding 'trust_add/1' to json server 'https://ipa2.mimsoftware.com/ipa/session/json'
ipa: ERROR: an internal error has occurred

Any ideas where to begin troubleshooting? If I try this same process in
the browser interface, it throws an error:

"AD DC was unable to reach any IPA domain controller. Most likely it is
a DNS or firewall issue"

However, I've verified that it can't be DNS. What about firewall
configuration on the Windows end? The official instructions just say
"to be added."
?

See man page for ipa-adtrust-install, it has all firewall requirements
listed. More to that, when you run ipa-adtrust-install, it actually
prints you a list of ports that need to be open on both sides.

--
/ Alexander Bokovoy
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
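
A check for the firewall advice in this thread, added here as an example (it is not from the thread or from the FreeIPA project): it parses the port list that ipa-adtrust-install prints and reports which of those ports are absent from `firewall-cmd --list-ports` output. Both sample inputs and all function names are constructed assumptions; substitute the real output from your own hosts.

```python
import re

# Constructed sample, modelled on the port list ipa-adtrust-install prints.
ADTRUST_OUTPUT = """\
TCP Ports:
  * 135: epmap
  * 138: netbios-dgm
  * 139: netbios-ssn
  * 445: microsoft-ds
  * 1024..1300: epmap listener range
  * 3268: msft-gc
UDP Ports:
  * 138: netbios-dgm
  * 139: netbios-ssn
  * 389: (C)LDAP
  * 445: microsoft-ds
"""
# Constructed sample of `firewall-cmd --list-ports` output (ports only, not services).
FIREWALL_PORTS = "135/tcp 138/tcp 139/tcp 445/tcp 1024-1300/tcp 138/udp 139/udp 389/udp"

def parse_required(text):
    """Return {(proto, port)} from the 'TCP Ports:' / 'UDP Ports:' sections."""
    required, proto = set(), None
    for line in text.splitlines():
        head = re.match(r"\s*(TCP|UDP) Ports:", line)
        item = re.match(r"\s*\*\s*(\d+)(?:\.\.(\d+))?:", line)
        if head:
            proto = head.group(1).lower()
        elif item and proto:
            lo, hi = int(item.group(1)), int(item.group(2) or item.group(1))
            required.update((proto, p) for p in range(lo, hi + 1))
    return required

def parse_open(text):
    """Return {(proto, port)} from 'N/proto' or 'N-M/proto' tokens."""
    opened = set()
    for token in text.split():
        m = re.fullmatch(r"(\d+)(?:-(\d+))?/(tcp|udp)", token)
        if m:
            lo, hi = int(m.group(1)), int(m.group(2) or m.group(1))
            opened.update((m.group(3), p) for p in range(lo, hi + 1))
    return opened

def missing_ports(required_text, open_text):
    return sorted(parse_required(required_text) - parse_open(open_text))

if __name__ == "__main__":
    for proto, port in missing_ports(ADTRUST_OUTPUT, FIREWALL_PORTS):
        print(f"not opened: {port}/{proto}")
```

Ports opened through a firewalld service definition rather than as individual ports do not appear in `--list-ports`, so a reported gap should be confirmed against the zone's service list as well.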
