Hi,

I'm trying to establish a two-way trust with an AD domain and seem to be running into some issues. I am able to establish a one-way trust following the guide at https://www.freeipa.org/page/Active_Directory_trust_setup without any issues. When I destroy that trust and try to establish a new one with two-way specified to the same AD domain, it throws what I believe to be a misleading error message and the trust is not established.

[root@IPA.DOMAIN /]# ipa trust-add --type=ad AD_DOMAIN --admin AD_ADMIN_USER --password --two-way=true
Active Directory domain administrator's password:
ipa: ERROR: AD DC was unable to reach any IPA domain controller. Most likely it is a DNS or firewall issue

I've checked that both the AD DC and the FreeIPA hosts can resolve the service entries and verified that there are no firewall blocks in place between these two hosts. I believe the issue is an LDAP permission issue of some sort, based on the following log snippet:

[29/May/2018:16:59:07 +0000] conn=1227 op=25 ADD 
dn="krbPrincipalName=krbtgt/AD_DOMAIN@IPA.DOMAIN,cn=AD_DOMAIN,cn=ad,cn=trusts,dc=arizona,dc=cui"
[29/May/2018:16:59:07 +0000] conn=1227 op=25 RESULT err=0 tag=105 nentries=0 
etime=0 csn=5b0d876e000c00040000
[29/May/2018:16:59:07 +0000] conn=1227 op=26 EXT 
oid="2.16.840.1.113730.3.8.10.1" name="Keytab Retrieval Extended Operation"
[29/May/2018:16:59:07 +0000] conn=1227 op=26 RESULT err=0 tag=120 nentries=0 
etime=0
[29/May/2018:16:59:07 +0000] conn=1227 op=27 SRCH 
base="cn=ad,cn=trusts,dc=IPA,dc=DOMAIN" scope=2 
filter="(&(objectClass=ipaNTTrustedDomain)(|(ipaNTFlatName=AD_DOMAIN)(ipaNTTrustPartner=AD_DOMAIN)(cn=AD_DOMAIN)))"
 attrs=ALL
[29/May/2018:16:59:07 +0000] conn=1227 op=27 RESULT err=0 tag=101 nentries=1 
etime=0
[29/May/2018:16:59:07 +0000] conn=1227 op=28 SRCH 
base="cn=ad,cn=trusts,dc=IPA,dc=DOMAIN" scope=2 
filter="(&(objectClass=ipaNTTrustedDomain)(ipaNTTrustedDomainSID=S-1-5-21-3264147221-199175665-3033697611))"
 attrs=ALL
[29/May/2018:16:59:07 +0000] conn=1227 op=28 RESULT err=0 tag=101 nentries=1 
etime=0
[29/May/2018:16:59:07 +0000] conn=1227 op=29 SRCH 
base="cn=ad,cn=trusts,dc=IPA,dc=DOMAIN" scope=2 
filter="(&(objectClass=ipaNTTrustedDomain)(|(ipaNTFlatName=AD_DOMAIN)(ipaNTTrustPartner=AD_DOMAIN)(cn=AD_DOMAIN)))"
 attrs=ALL
[29/May/2018:16:59:07 +0000] conn=1227 op=29 RESULT err=0 tag=101 nentries=1 
etime=0
[29/May/2018:16:59:07 +0000] conn=1227 op=30 MOD 
dn="cn=AD_DOMAIN,cn=ad,cn=trusts,dc=IPA,dc=DOMAIN"
[29/May/2018:16:59:07 +0000] conn=1227 op=30 RESULT err=50 tag=103 nentries=0 
etime=0 csn=5b0d876e000f00040000
[29/May/2018:16:59:07 +0000] conn=1227 op=31 SRCH 
base="cn=ad,cn=trusts,dc=IPA,dc=DOMAIN" scope=2 
filter="(&(objectClass=ipaNTTrustedDomain)(ipaNTTrustedDomainSID=S-1-5-21-3264147221-199175665-3033697611))"
 attrs=ALL
[29/May/2018:16:59:07 +0000] conn=1227 op=31 RESULT err=0 tag=101 nentries=1 
etime=0
[29/May/2018:16:59:07 +0000] conn=1227 op=32 SRCH 
base="cn=ad,cn=trusts,dc=IPA,dc=DOMAIN" scope=2 
filter="(&(objectClass=ipaNTTrustedDomain)(ipaNTTrustedDomainSID=S-1-5-21-3264147221-199175665-3033697611))"
 attrs=ALL
[29/May/2018:16:59:07 +0000] conn=1227 op=32 RESULT err=0 tag=101 nentries=1 
etime=0
[29/May/2018:16:59:07 +0000] conn=1227 op=33 SRCH 
base="cn=ad,cn=trusts,dc=IPA,dc=DOMAIN" scope=2 
filter="(&(objectClass=ipaNTTrustedDomain)(|(ipaNTFlatName=AD_DOMAIN)(ipaNTTrustPartner=AD_DOMAIN)(cn=AD_DOMAIN)))"
 attrs=ALL
[29/May/2018:16:59:07 +0000] conn=1227 op=33 RESULT err=0 tag=101 nentries=1 
etime=0
[29/May/2018:16:59:07 +0000] conn=1227 op=34 MOD 
dn="cn=AD_DOMAIN,cn=ad,cn=trusts,dc=IPA,dc=DOMAIN"
[29/May/2018:16:59:07 +0000] conn=1227 op=34 RESULT err=50 tag=103 nentries=0 
etime=0 csn=5b0d876e001000040000

I have run kinit prior to issuing the trust-add in both the two-way and one-way setup commands.

Any thoughts where I should go from here?

Thanks,
Todd
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/ZVQWO54SEPTSRCCTE2HU7DJ7CDEIYBQS/
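The log excerpt in the post is only meaningful once each request line is paired with its RESULT line and the numeric `err=` is translated. The script below is an added example, not code from the post or from the FreeIPA project: it re-joins mail-wrapped 389-ds access-log records, correlates requests and results by (conn, op), and names the result codes using the values from RFC 4511 (err=50 is insufficientAccessRights) and the BER response tags 389-ds prints (tag=103 is modifyResponse). The embedded sample is a subset of the post's own log lines with the poster's placeholder names; the function names and the line wrapping are this example's own.

```python
"""Triage a 389-ds (FreeIPA) access log for failed LDAP operations.

Added example; not from the post or the FreeIPA project. SAMPLE_LOG is a
subset of the post's snippet (placeholder domain names as the poster wrote
them), wrapped the way a mail client wraps long log records.
"""
import re

# LDAP resultCode values from RFC 4511, section 4.1.9 (subset).
LDAP_RESULT_CODES = {
    0: "success",
    1: "operationsError",
    32: "noSuchObject",
    49: "invalidCredentials",
    50: "insufficientAccessRights",
    53: "unwillingToPerform",
    68: "entryAlreadyExists",
}

# 389-ds prints tag=N on RESULT lines: the BER tag of the response PDU,
# i.e. 0x60 plus the LDAP [APPLICATION n] number (RFC 4511, section 4.2).
RESPONSE_TAGS = {
    97: "bindResponse",
    101: "searchResDone",
    103: "modifyResponse",
    105: "addResponse",
    107: "delResponse",
    120: "extendedResp",
}

REQ_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>\d+) "
    r"(?P<verb>ADD|MODRDN|MOD|DEL|SRCH|EXT|BIND)(?P<rest>.*)$"
)
RES_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>\d+) RESULT "
    r"err=(?P<err>\d+) tag=(?P<tag>\d+)"
)
DN_RE = re.compile(r'dn="([^"]*)"')
BASE_RE = re.compile(r'base="([^"]*)"')


def unwrap(text):
    """Re-join records a mail client wrapped across lines.

    Every real access-log record starts with "[timestamp]"; a line that
    does not is treated as a continuation of the previous record.
    """
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("["):
            records.append(line.rstrip())
        elif records:
            records[-1] = records[-1].rstrip() + " " + line.strip()
    return records


def parse_ops(text):
    """Correlate request and RESULT records by (conn, op), in request order."""
    ops, order = {}, []
    for rec in unwrap(text):
        m = REQ_RE.match(rec)
        if m:
            key = (int(m["conn"]), int(m["op"]))
            target = DN_RE.search(m["rest"]) or BASE_RE.search(m["rest"])
            ops[key] = {"conn": key[0], "op": key[1], "verb": m["verb"],
                        "target": target.group(1) if target else "",
                        "err": None, "err_name": "no RESULT seen", "tag_name": ""}
            order.append(key)
            continue
        m = RES_RE.match(rec)
        if m:
            key = (int(m["conn"]), int(m["op"]))
            if key not in ops:  # RESULT whose request fell outside the excerpt
                ops[key] = {"conn": key[0], "op": key[1], "verb": "?",
                            "target": "", "err": None, "err_name": "", "tag_name": ""}
                order.append(key)
            err = int(m["err"])
            ops[key]["err"] = err
            ops[key]["err_name"] = LDAP_RESULT_CODES.get(err, f"resultCode {err}")
            ops[key]["tag_name"] = RESPONSE_TAGS.get(int(m["tag"]), f"tag {m['tag']}")
    return [ops[k] for k in order]


def failed_ops(text):
    """Only the operations whose RESULT carried a non-zero err."""
    return [o for o in parse_ops(text) if o["err"] not in (None, 0)]


SAMPLE_LOG = """\
[29/May/2018:16:59:07 +0000] conn=1227 op=25 ADD
dn="krbPrincipalName=krbtgt/AD_DOMAIN@IPA.DOMAIN,cn=AD_DOMAIN,cn=ad,cn=trusts,dc=arizona,dc=cui"
[29/May/2018:16:59:07 +0000] conn=1227 op=25 RESULT err=0 tag=105 nentries=0
etime=0 csn=5b0d876e000c00040000
[29/May/2018:16:59:07 +0000] conn=1227 op=26 EXT
oid="2.16.840.1.113730.3.8.10.1" name="Keytab Retrieval Extended Operation"
[29/May/2018:16:59:07 +0000] conn=1227 op=26 RESULT err=0 tag=120 nentries=0
etime=0
[29/May/2018:16:59:07 +0000] conn=1227 op=27 SRCH
base="cn=ad,cn=trusts,dc=IPA,dc=DOMAIN" scope=2
filter="(&(objectClass=ipaNTTrustedDomain)(|(ipaNTFlatName=AD_DOMAIN)(ipaNTTrustPartner=AD_DOMAIN)(cn=AD_DOMAIN)))"
 attrs=ALL
[29/May/2018:16:59:07 +0000] conn=1227 op=27 RESULT err=0 tag=101 nentries=1
etime=0
[29/May/2018:16:59:07 +0000] conn=1227 op=30 MOD
dn="cn=AD_DOMAIN,cn=ad,cn=trusts,dc=IPA,dc=DOMAIN"
[29/May/2018:16:59:07 +0000] conn=1227 op=30 RESULT err=50 tag=103 nentries=0
etime=0 csn=5b0d876e000f00040000
[29/May/2018:16:59:07 +0000] conn=1227 op=34 MOD
dn="cn=AD_DOMAIN,cn=ad,cn=trusts,dc=IPA,dc=DOMAIN"
[29/May/2018:16:59:07 +0000] conn=1227 op=34 RESULT err=50 tag=103 nentries=0
etime=0 csn=5b0d876e001000040000
"""

if __name__ == "__main__":
    for o in failed_ops(SAMPLE_LOG):
        print(f"conn={o['conn']} op={o['op']} {o['verb']} {o['target']}: "
              f"err={o['err']} {o['err_name']} ({o['tag_name']})")
```

Run against the post's excerpt it reports only ops 30 and 34, both MOD on the trust entry, as err=50 insufficientAccessRights; the ADD, the keytab extended operation and the searches all succeed. That narrows the question to which bound identity (conn=1227) attempted the MOD and which ACI covers that entry, and the BIND record for conn=1227 earlier in the same log is the next thing to look at.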