On Tue, 29 May 2018, Merritt, Todd R - (tmerritt) via FreeIPA-users wrote:
Hi, I'm trying to establish a two way trust with an AD domain and seem to be running into some issues. I am able to establish a one way trust following the guide at https://www.freeipa.org/page/Active_Directory_trust_setup without any issues. When I destroy that trust and try to establish a new one with two-way specified to the same AD domain it throws what I believe to be a misleading error message and the trust is not established.
How did you destroy that trust?
[root@IPA.DOMAIN /]# ipa trust-add --type=ad AD_DOMAIN --admin AD_ADMIN_USER --password --two-way=true
Active Directory domain administrator's password:
ipa: ERROR: AD DC was unable to reach any IPA domain controller. Most likely it is a DNS or firewall issue

I've checked that both the AD DC and the free IPA hosts can resolve the service entries and verified that there are no firewall blocks in place between these two hosts. I believe the issue is an LDAP permission issue of some sort based on the following log snippet
Add 'log level = 100' to /usr/share/ipa/smb.conf.empty and re-try with 'ipa trust-add'. You'll get additional debug information in httpd's error_log. Provide that one off-list.

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
List Archives: https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/JW7VEVA3GTQEYALME3ZLW7YBUPO66UHL/