On Thu, 31 May 2018, Merritt, Todd R - (tmerritt) wrote:
> On 5/30/18, 10:59 PM, "Alexander Bokovoy" <aboko...@redhat.com> wrote:
>
> > On Wed, 30 May 2018, Merritt, Todd R - (tmerritt) wrote:
> >
> > > On 5/29/18, 7:59 PM, "Alexander Bokovoy" <aboko...@redhat.com> wrote:
> > >
> > > > On Tue, 29 May 2018, Merritt, Todd R - (tmerritt) via FreeIPA-users wrote:
> > > >
> > > > > Hi,
> > > > >
> > > > > I'm trying to establish a two-way trust with an AD domain and seem to be
> > > > > running into some issues. I am able to establish a one-way trust following
> > > > > the guide at https://www.freeipa.org/page/Active_Directory_trust_setup
> > > > > without any issues. When I destroy that trust and try to establish a new
> > > > > one with two-way specified to the same AD domain, it throws what I believe
> > > > > to be a misleading error message and the trust is not established.
> > > >
> > > > How did you destroy that trust?
> > > >
> > > > > [root@IPA.DOMAIN /]# ipa trust-add --type=ad AD_DOMAIN --admin AD_ADMIN_USER --password --two-way=true
> > > > > Active Directory domain administrator's password:
> > > > > ipa: ERROR: AD DC was unable to reach any IPA domain controller. Most likely it is a DNS or firewall issue
> > > > >
> > > > > I've checked that both the AD DC and the FreeIPA hosts can resolve the
> > > > > service entries and verified that there are no firewall blocks in place
> > > > > between these two hosts. I believe the issue is an LDAP permission
> > > > > issue of some sort, based on the following log snippet.
> > > >
> > > > Add 'log level = 100' to /usr/share/ipa/smb.conf.empty and re-try with
> > > > 'ipa trust-add'. You'll get additional debug information in httpd's
> > > > error_log. Provide that one off-list.
> > >
> > > Thanks, I removed it with trust-del:
> > >
> > > [root@IPA.DOMAIN /]# ipa trust-del AD_DOMAIN
> > > -------------------------
> > > Deleted trust "AD_DOMAIN"
> > > -------------------------
> > >
> > > I'll send you a copy of the http error log directly.
> >
> > Thanks. Looking at the error_log, I see two issues:
> >
> > Validation of trust failed because AD DCs were unable to reach IPA DCs.
> > This typically means AD DCs are unable to discover IPA DCs over DNS SRV
> > records -- they look them up using standard Active Directory discovery
> > means, e.g. trying to find the SRV record for
> > _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.$IPA_DOMAIN
> >
> > Can you show output of 'ipa dns-update-system-records --dry-run'?
> >
> >   netr_LogonControl2Ex: struct netr_LogonControl2Ex
> >       out: struct netr_LogonControl2Ex
> >           query                    : *
> >               query                    : union netr_CONTROL_QUERY_INFORMATION(case 2)
> >               info2                    : *
> >                   info2: struct netr_NETLOGON_INFO_2
> >                       flags                    : 0x00000080 (128)
> >                              0: NETLOGON_REPLICATION_NEEDED
> >                              0: NETLOGON_REPLICATION_IN_PROGRESS
> >                              0: NETLOGON_FULL_SYNC_REPLICATION
> >                              0: NETLOGON_REDO_NEEDED
> >                              0: NETLOGON_HAS_IP
> >                              0: NETLOGON_HAS_TIMESERV
> >                              0: NETLOGON_DNS_UPDATE_FAILURE
> >                              1: NETLOGON_VERIFY_STATUS_RETURNED
> >                       pdc_connection_status    : WERR_NO_LOGON_SERVERS
> >                       trusted_dc_name          : *
> >                           trusted_dc_name          : ''
> >                       tc_connection_status     : WERR_NO_LOGON_SERVERS
> >           result                   : WERR_OK
>
> [root@IPA /]# rpm -q ipa-server
> ipa-server-4.2.0-15.0.1.el7.centos.19.x86_64
>
> [root@IPA /]# ipa dns-update-system-records --dry-run
> ipa: ERROR: unknown command 'dns-update-system-records'

Ok, 4.2 doesn't have that command. On my single-master setup it looks like this:

# ipa dns-update-system-records --dry-run | sed -e 's/xs.ipa.cool/IPA_DOMAIN/g;s/nyx/ipa-server/g'
IPA DNS records:
  _kerberos-master._tcp.IPA_DOMAIN. 86400 IN SRV 0 100 88 ipa-server.IPA_DOMAIN.
  _kerberos-master._udp.IPA_DOMAIN. 86400 IN SRV 0 100 88 ipa-server.IPA_DOMAIN.
  _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.IPA_DOMAIN. 86400 IN SRV 0 100 88 ipa-server.IPA_DOMAIN.
  _kerberos._tcp.dc._msdcs.IPA_DOMAIN. 86400 IN SRV 0 100 88 ipa-server.IPA_DOMAIN.
  _kerberos._tcp.IPA_DOMAIN. 86400 IN SRV 0 100 88 ipa-server.IPA_DOMAIN.
  _kerberos._udp.Default-First-Site-Name._sites.dc._msdcs.IPA_DOMAIN. 86400 IN SRV 0 100 88 ipa-server.IPA_DOMAIN.
  _kerberos._udp.dc._msdcs.IPA_DOMAIN. 86400 IN SRV 0 100 88 ipa-server.IPA_DOMAIN.
  _kerberos._udp.IPA_DOMAIN. 86400 IN SRV 0 100 88 ipa-server.IPA_DOMAIN.
  _kerberos.IPA_DOMAIN. 86400 IN TXT "IPA_DOMAIN"
  _kpasswd._tcp.IPA_DOMAIN. 86400 IN SRV 0 100 464 ipa-server.IPA_DOMAIN.
  _kpasswd._udp.IPA_DOMAIN. 86400 IN SRV 0 100 464 ipa-server.IPA_DOMAIN.
  _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.IPA_DOMAIN. 86400 IN SRV 0 100 389 ipa-server.IPA_DOMAIN.
  _ldap._tcp.dc._msdcs.IPA_DOMAIN. 86400 IN SRV 0 100 389 ipa-server.IPA_DOMAIN.
  _ldap._tcp.IPA_DOMAIN. 86400 IN SRV 0 100 389 ipa-server.IPA_DOMAIN.
  ipa-ca.IPA_DOMAIN. 86400 IN A some-ipv4-address
  ipa-ca.IPA_DOMAIN. 86400 IN AAAA some-ipv6-address

You need the entries that exist under _msdcs.IPA_DOMAIN; these are the ones searched by AD DCs.

> If I try to manually look up that domain I get an NXDOMAIN:
>
> [root@IPA /]# nslookup -type=srv ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.IPA_DOMAIN
> Server:         127.0.0.1
> Address:        127.0.0.1#53
>
> ** server can't find ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.IPA_DOMAIN: NXDOMAIN
>
> --
> Thanks,
> Todd
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/U2MQXSNIGAEJB5FSCGRH5J253OZVA5V3/
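The check that the thread above converges on (do the `_msdcs` SRV records an AD DC uses to locate IPA DCs actually resolve?) can be scripted. The following is an added example, not code from the thread or from the FreeIPA project: it rebuilds the SRV record set that `ipa dns-update-system-records --dry-run` prints for a single master (the same 13 owner names and ports shown above), asks a resolver for each one, and reports which are missing, separating out the `dc._msdcs` and `_sites.dc._msdcs` names that Active Directory's DC locator queries. The domain `ipa.example.test`, the server name `ipa-server`, the `CONSTRUCTED_ZONE` data and every function name are this example's own; the constructed zone deliberately contains only the bare-domain records, reproducing the NXDOMAIN situation in the thread. `dig_resolver` is included for running the same check against a live DNS server with `dig(1)`; the stand-alone run uses the constructed zone so it works offline.

```python
"""Check that the SRV records an AD DC needs to discover IPA DCs exist.

Added example (not FreeIPA code). Mirrors the SRV set printed by
'ipa dns-update-system-records --dry-run' for one IPA master and reports
which names a resolver cannot answer. Domain, server and zone data below are
constructed for illustration.
"""
from __future__ import annotations

import subprocess
from typing import Callable, Dict, List, Tuple

# FreeIPA publishes its DCs under AD's default site name.
SITE = "Default-First-Site-Name"

# (service label, protocol label, port, also published under dc._msdcs?)
_SRV_TEMPLATES = [
    ("_kerberos-master", "_tcp", 88, False),
    ("_kerberos-master", "_udp", 88, False),
    ("_kerberos", "_tcp", 88, True),
    ("_kerberos", "_udp", 88, True),
    ("_kpasswd", "_tcp", 464, False),
    ("_kpasswd", "_udp", 464, False),
    ("_ldap", "_tcp", 389, True),
]

# A resolver maps an owner name to a list of (port, target); [] means no answer.
Resolver = Callable[[str], List[Tuple[int, str]]]


def expected_srv_records(domain: str, server: str, site: str = SITE) -> Dict[str, Tuple[int, str]]:
    """Return {owner name: (port, target)} for every SRV record IPA publishes for one master.

    Services flagged True in _SRV_TEMPLATES appear three times: under the bare
    domain, under dc._msdcs.<domain>, and under <site>._sites.dc._msdcs.<domain>.
    """
    domain = domain.rstrip(".")
    target = f"{server}.{domain}."
    records: Dict[str, Tuple[int, str]] = {}
    for svc, proto, port, msdcs in _SRV_TEMPLATES:
        records[f"{svc}.{proto}.{domain}."] = (port, target)
        if msdcs:
            records[f"{svc}.{proto}.dc._msdcs.{domain}."] = (port, target)
            records[f"{svc}.{proto}.{site}._sites.dc._msdcs.{domain}."] = (port, target)
    return records


def msdcs_names(names) -> List[str]:
    """Keep only the names AD's DC locator queries (anything under _msdcs)."""
    return [n for n in names if "._msdcs." in n]


def missing_srv_records(expected: Dict[str, Tuple[int, str]], resolve: Resolver) -> List[str]:
    """Owner names whose expected (port, target) is absent from the resolver's answers."""
    missing = []
    for name, (port, target) in sorted(expected.items()):
        answers = {(p, t.lower()) for p, t in resolve(name)}
        if (port, target.lower()) not in answers:
            missing.append(name)
    return missing


def dig_resolver(name: str) -> List[Tuple[int, str]]:
    """Live resolver: 'dig +short SRV <name>' prints 'prio weight port target' per answer."""
    proc = subprocess.run(["dig", "+short", "SRV", name], capture_output=True, text=True, check=False)
    answers = []
    for line in proc.stdout.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[2].isdigit():
            answers.append((int(parts[2]), parts[3]))
    return answers


# Constructed zone: only the bare-domain records were created, none under _msdcs,
# which is the state the thread describes.
CONSTRUCTED_ZONE: Dict[str, List[Tuple[int, str]]] = {
    name: [(port, target)]
    for name, (port, target) in expected_srv_records("ipa.example.test", "ipa-server").items()
    if "._msdcs." not in name
}


def constructed_resolver(name: str) -> List[Tuple[int, str]]:
    return CONSTRUCTED_ZONE.get(name, [])


def report(domain: str, server: str, resolve: Resolver = constructed_resolver) -> Dict[str, List[str]]:
    """Run the check and split the result into all missing names and the _msdcs subset."""
    missing = missing_srv_records(expected_srv_records(domain, server), resolve)
    return {"missing": missing, "missing_msdcs": msdcs_names(missing)}


if __name__ == "__main__":
    result = report("ipa.example.test", "ipa-server")  # swap in dig_resolver for a live zone
    for name in result["missing"]:
        print("MISSING", name)
    if result["missing_msdcs"]:
        print(f"AD DCs cannot discover IPA DCs: {len(result['missing_msdcs'])} _msdcs record(s) absent")
```

Against a live zone, call `report(domain, server, dig_resolver)` from the IPA master and again from the AD DC's resolver view; the trust validation in the thread is performed by the AD side, so it is the AD DC's resolver that must return these six `_msdcs` answers.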