On ti, 29 touko 2018, Merritt, Todd R - (tmerritt) via FreeIPA-users wrote:
Hi,
I'm trying to establish a two way trust with an AD
domain and seem to be running into some issues. I am
able to establish a one way trust following the guide
at
https://www.freeipa.org/page/Active_Directory_trust_setup
without any issues. When I destroy that trust and try
to establish a new one with two-way specified to the
same AD domain it throws what I believe to be a
misleading error message and the trust is not
established.
How did you destroy that trust?
[root@IPA.DOMAIN /]# ipa trust-add --type=ad AD_DOMAIN --admin AD_ADMIN_USER
--password --two-way=true
Active Directory domain administrator's password:
ipa: ERROR: AD DC was unable to reach any IPA domain controller. Most likely it
is a DNS or firewall issue
I've checked that both the AD DC and the free IPA hosts can resolve the
service entries and verified that there are no firewall blocks in place
between these two hosts. I believe the issue is an LDAP permission
issue of some sort based on the following log snippet
Add 'log level = 100' to /usr/share/ipa/smb.conf.empty and re-try with
'ipa trust-add'. You'll get additional debug information in httpd's
error_log. Provide that one off-list.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/JW7VEVA3GTQEYALME3ZLW7YBUPO66UHL/
