On Mon, 25 Jun 2018, Chris Dagdigian via FreeIPA-users wrote:
> Dealing with outsourced IT organization that manages an AD domain we are trying to build an additional trust with so we can upgrade and replace our fleet of IDM servers.
>
> We got a webex work session going with a domain admin to build the trust but we keep seeing this on the CLI and WebUI:
>
> ipa: ERROR: Insufficient access: CIFS server XXXXXX.COMPANY.COM denied your credentials
>
> Running in debug or verbose mode does not reveal more error details and I can't find much in the logs on the IPA server.
>
> The AD admin we were working with claims he used an account that is part of the Enterprise Admin group and thus should be allowed to do "all the things" -- they are asking for any docs or details we have on what permissions the IPA server needs when trust building.
>
> Looking for info/tips on the following, thanks!
>
> 1) Any log locations or places where I can find more info about why the ad-trust setup failed?
You have three locations where you can set increased debug info:
- A debug for IPA framework on the server side: /etc/ipa/server.conf
  (create the file if it does not exist):
  [global]
   debug = True

- A debug for client-side Samba libraries in IPA framework:
  /usr/share/ipa/smb.conf.empty:
  [global]
   log level = 10

- Increase of log level for Samba on IPA master:
  net conf setparm global 'log level' 10
  net conf setparm global 'maxlogsize' 0

The first will get the log level increased in /var/log/httpd/error_log;
it needs a restart of httpd: systemctl restart httpd

The second one will get increased log details during 'ipa trust-add'
logged to /var/log/httpd/error_log. No need to restart httpd as that
file is read by 'ipa trust-add' dynamically.

The third part is crucial when you get messages like 'CIFS server denied
your credentials'. If there is no server name in the message or the
server name is the IPA master, it makes sense to look at the detailed logs
in /var/log/samba/log.*

These are the three primary sources of logs.

> 2) Any docs or listing of specific AD permissions needed by the AD admin account used to establish the trust
>
> AD is not my strong point - apologies if this is a dumb query!
See my other responses on this list in June, one of them was exactly
about it from Microsoft documentation point of view. I don't have a
reference handy.

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
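The three debug switches above are usually flipped by hand during a troubleshooting session and then forgotten, which leaves a production IPA master writing very verbose logs. The script below is an added example written for this reply; it is not part of the thread, FreeIPA or Samba. It applies the same three settings idempotently (no duplicated [global] headers or keys if server.conf already exists), can revert them afterwards, and takes an optional root prefix so the file edits can be rehearsed on a scratch directory before touching the real master. The `net conf` and `systemctl` steps run only when no prefix is given, i.e. on the live system; the function and file names are this example's own choices.

```shell
#!/bin/bash
# Added example (not from the thread): apply / revert the three debug settings
# from Alexander's reply. An optional ROOT prefix ("" = live system) redirects
# the file edits so they can be tested in a temporary directory first.
set -eu

# ini_set FILE KEY VALUE: set "KEY = VALUE" in the [global] section of FILE,
# creating the file and the section if missing and replacing an existing KEY
# line instead of appending a duplicate. KEY may contain spaces ("log level").
ini_set() {
    file=$1; key=$2; value=$3
    mkdir -p "$(dirname "$file")"
    [ -f "$file" ] || printf '[global]\n' > "$file"
    [ -z "$(tail -c1 "$file")" ] || echo >> "$file"      # make sure file ends in a newline
    grep -q '^\[global\]' "$file" || printf '[global]\n' >> "$file"
    if grep -Eq "^[[:space:]]*${key}[[:space:]]*=" "$file"; then
        sed -i -E "s|^[[:space:]]*${key}[[:space:]]*=.*|${key} = ${value}|" "$file"
    else
        sed -i "/^\[global\]/a ${key} = ${value}" "$file"   # insert right after the header
    fi
}

# ini_get FILE KEY: print the value of KEY (first match), empty if absent.
ini_get() {
    [ -f "$1" ] || return 0
    sed -nE "s/^[[:space:]]*${2}[[:space:]]*=[[:space:]]*//p" "$1" | head -n1
}

# ini_unset FILE KEY: drop the KEY line(s) from FILE if the file exists.
ini_unset() {
    if [ -f "$1" ]; then
        sed -i -E "/^[[:space:]]*${2}[[:space:]]*=/d" "$1"
    fi
}

# enable_trust_debug [ROOT]: the three locations from the reply.
enable_trust_debug() {
    root=${1:-}
    # 1) IPA framework debug -> /var/log/httpd/error_log (needs an httpd restart)
    ini_set "$root/etc/ipa/server.conf" debug True
    # 2) client-side Samba libraries used by 'ipa trust-add' (read dynamically)
    ini_set "$root/usr/share/ipa/smb.conf.empty" "log level" 10
    # 3) Samba on the IPA master -> /var/log/samba/log.*; live system only
    if [ -z "$root" ]; then
        net conf setparm global 'log level' 10
        net conf setparm global 'maxlogsize' 0
        systemctl restart httpd
    fi
}

# disable_trust_debug [ROOT]: remove the debug keys again once the trust is
# established, so the master does not keep writing level-10 logs.
disable_trust_debug() {
    root=${1:-}
    ini_unset "$root/etc/ipa/server.conf" debug
    ini_unset "$root/usr/share/ipa/smb.conf.empty" "log level"
    if [ -z "$root" ]; then
        net conf delparm global 'log level'
        net conf delparm global 'maxlogsize'
        systemctl restart httpd
    fi
}

# Usage: ./trust-debug.sh apply|revert [ROOT]   (no arguments: do nothing)
case "${1:-}" in
    apply)  enable_trust_debug "${2:-}" ;;
    revert) disable_trust_debug "${2:-}" ;;
esac
```

Run it as `./trust-debug.sh apply /tmp/rehearsal` to see exactly which files it would write, then `./trust-debug.sh apply` on the master before repeating `ipa trust-add`, and `./trust-debug.sh revert` once the trust is in place. The `net conf delparm` calls in the revert path are the counterpart of `net conf setparm`; if your master had a non-default Samba log level before, set it back explicitly instead.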
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/GMG5ZGG2QT4AQ7WEIYAJWCVDTF4FDBKR/